Commit f4963ff

Author: Anuj Chaudhari
Add documentation for installing plugins in air-gapped environments (#254)
1 parent 2c2d9aa commit f4963ff

2 files changed

+123
-32
lines changed

docs/full/README.md

Lines changed: 0 additions & 32 deletions
@@ -206,35 +206,3 @@ Signature verification could fail in the scenarios below:
206206
that signature verification is skipped for the repository. Users can choose to
207207
suppress this warning by setting the environment variable `TANZU_CLI_SUPPRESS_SKIP_SIGNATURE_VERIFICATION_WARNING`
208208
to `true`.
209-
210-
## Interacting with a central repository hosted on a registry with self-signed CA or with expired CA
211-
212-
If a user has configured a central repository on a custom registry (e.g. air-gaped environment) with a self-signed CA or
213-
if the
214-
registry CA
215-
certificate is expired, the user can execute the `tanzu config cert` family of commands to configure the certificate for
216-
the registry host.
217-
218-
```shell
219-
220-
# If the registry host is self-signed add CA certificate for the registry
221-
tanzu config cert add --host test.registry.com --ca-certificate path/to/ca/cert
222-
223-
# If the registry is self-signed and is serving on non-default port add CA certificate for the registry
224-
tanzu config cert add --host test.registry.com:8443 --ca-certificate path/to/ca/cert
225-
226-
# If the registry is self-signed or CA cert is expired, add cert configuration for the registry host with
227-
# skip-cert-verify option
228-
tanzu config cert add --host test.registry.com --skip-cert-verify true
229-
230-
# Set to allow insecure (http) connection while interacting with host
231-
tanzu config cert add --host test.registry.com --insecure true
232-
233-
```
234-
235-
The CLI uses the certificate configuration added for the registry host (using `tanzu config cert add` command ) while
236-
interacting with the registry.
237-
238-
Users can update or delete the certificate configuration using the `tanzu config cert update`
239-
and `tanzu config cert delete` commands.
240-
Also, users can list the certificate configuration using the `tanzu config cert list` command.
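
Review bot: Removing this section from docs/full/README.md drops the heading "Interacting with a central repository hosted on a registry with self-signed CA or with expired CA" and its anchor, so any existing link to that anchor in this file will stop resolving. Since the same text is re-added in docs/quickstart/install.md, leave a one-line pointer to the new location here, or confirm nothing links to the old anchor, so that readers of the signature-verification section can still find the `tanzu config cert` instructions.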

docs/quickstart/install.md

Lines changed: 123 additions & 0 deletions
@@ -91,3 +91,126 @@ The Tanzu CLI prompts the user for CEIP participation on their first use of any
9191
except for `tanzu version`, `tanzu ceip-participation set` and `tanzu config set` commands.
9292
Users installing/using the CLI through CI or by any automation means should be able to skip the prompt by
9393
calling `tanzu ceip-participation set <true/false>` as their first command to set the CEIP participation status.
94+
95+
## Installing and using the Tanzu CLI in internet-restricted environments
96+
97+
### Installing the Tanzu CLI
98+
99+
You can install the Tanzu CLI in the internet-restricted environments by downloading the Tanzu CLI Binary
100+
from Github Release and copy it to the internet-restricted environment. Once copied follow the steps
101+
mentioned [here](#from-the-binary-releases-in-the-github-project) to install the Tanzu CLI.
102+
103+
### Installing Tanzu CLI plugins in internet-restricted environments
104+
105+
The Tanzu CLI allows users to install and run CLI plugins in internet-restricted
106+
environments (which means air-gapped environments, with no physical connection
107+
to the Internet). To run the Tanzu CLI in internet-restricted environments a
108+
private Docker-compatible container registry such as
109+
[Harbor](https://goharbor.io/), [Docker](https://docs.docker.com/registry/), or
110+
[Artifactory](https://jfrog.com/artifactory/) is required.
111+
112+
Once the private registry is set up, the operator of the private registry can
113+
migrate plugins from the publicly available registry to the private registry
114+
using the below-mentioned steps:
115+
116+
1. Download the plugin-inventory image along with all selected plugin images
117+
as a `tar.gz` file on the local disk of a machine which has internet access
118+
using the `tanzu plugin download-bundle` command.
119+
2. Copy this `tar.gz` file to the air-gapped network (using a USB drive or
120+
other mechanism).
121+
3. Upload the plugin bundle `tar.gz` to the air-gapped private registry using
122+
the `tanzu plugin upload-bundle` command.
123+
124+
#### Downloading plugin bundle
125+
126+
You can download all plugins within the default central repository by running
127+
the following command:
128+
129+
```sh
130+
tanzu plugin download-bundle --to-tar /tmp/plugin_bundle_complete.tar.gz
131+
```
132+
133+
However, If you want to just migrate plugins within specific plugin groups
134+
(e.g. `vmware-tkg/default:v2.1.0`) you can run the below command to download
135+
the plugin bundle containing only plugins from specified groups:
136+
137+
```sh
138+
tanzu plugin download-bundle --group vmware-tkg/default:v2.1.0 --to-tar /tmp/plugin_bundle_tkg_v2_1_0.tar.gz
139+
```
140+
141+
To migrate plugins from the specific plugin repository and not use the default
142+
plugin repository you can provide a `--image` flag with the above command. Example:
143+
144+
```sh
145+
tanzu plugin download-bundle
146+
--image custom.repo.example.com/tanzu-cli/plugins/plugin-inventory:latest
147+
--group vmware-tkg/default:v2.1.0
148+
--to-tar /tmp/plugin_bundle_tkg_v2_1_0.tar.gz
149+
```
150+
151+
#### Uploading plugin bundle to the private registry
152+
153+
Once you download the plugin bundle as a `tar.gz` file and copy the file to the
154+
air-gapped network, you can run the following command to migrate plugins to the
155+
private registry (e.g. `registry.example.com/tanzu-cli/plugin`).
156+
157+
Note: If you private registry is using self-signed certificates please configure
158+
certs for the registry as mentioned [here](#interacting-with-a-central-repository-hosted-on-a-registry-with-self-signed-ca-or-with-expired-ca).
159+
160+
```sh
161+
tanzu plugin upload-bundle --tar /tmp/plugin_bundle_complete.tar.gz --to-repo `registry.example.com/tanzu-cli/plugin`
162+
```
163+
164+
The above-mentioned command uploads the plugin bundle to the provided private
165+
repository location with the image name `plugin-inventory:latest`. So for the
166+
above example, the plugin inventory image will be published to
167+
`registry.example.com/tanzu-cli/plugin/plugin-inventory:latest`.
168+
169+
Please note that `tanzu plugin upload-bundle` uploads the plugins by adding them
170+
to any plugin-inventory already present in the private registry. That means if you have already uploaded
171+
any plugins to the specified private repository, it will keep the existing
172+
plugins and append new plugins from the plugin bundle provided.
173+
174+
You can use this image and configure the default discovery source to point to
175+
this image by running the following command:
176+
177+
```sh
178+
tanzu plugin source update default --uri registry.example.com/tanzu-cli/plugin/plugin-inventory:latest
179+
```
180+
181+
Now, the Tanzu CLI should be able to discover plugins from this newly configured
182+
private plugin discovery source. Verify that plugins are discoverable by
183+
running the `tanzu plugin search`, `tanzu plugin group search`, and
184+
`tanzu plugin install` commands.
185+
186+
### Interacting with a central repository hosted on a registry with self-signed CA or with expired CA
187+
188+
If a user has configured a central repository on a custom registry (e.g. air-gaped environment) with a self-signed CA or
189+
if the
190+
registry CA
191+
certificate is expired, the user can execute the `tanzu config cert` family of commands to configure the certificate for
192+
the registry host.
193+
194+
```shell
195+
196+
# If the registry host is self-signed add CA certificate for the registry
197+
tanzu config cert add --host test.registry.com --ca-certificate path/to/ca/cert
198+
199+
# If the registry is self-signed and is serving on non-default port add CA certificate for the registry
200+
tanzu config cert add --host test.registry.com:8443 --ca-certificate path/to/ca/cert
201+
202+
# If the registry is self-signed or CA cert is expired, add cert configuration for the registry host with
203+
# skip-cert-verify option
204+
tanzu config cert add --host test.registry.com --skip-cert-verify true
205+
206+
# Set to allow insecure (http) connection while interacting with host
207+
tanzu config cert add --host test.registry.com --insecure true
208+
209+
```
210+
211+
The CLI uses the certificate configuration added for the registry host (using `tanzu config cert add` command ) while
212+
interacting with the registry.
213+
214+
Users can update or delete the certificate configuration using the `tanzu config cert update`
215+
and `tanzu config cert delete` commands.
216+
Also, users can list the certificate configuration using the `tanzu config cert list` command.
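
Review bot: In the `tanzu plugin upload-bundle` example, the `--to-repo` value registry.example.com/tanzu-cli/plugin is wrapped in backticks inside an `sh` fence, which a shell treats as command substitution and tries to execute instead of passing it as the repository path; drop the backticks. The `--image` example for `tanzu plugin download-bundle` is split across four lines with no trailing `\` continuations, so it does not paste as a single command. The moved `tanzu config cert` block lists `--skip-cert-verify true` and `--insecure true` next to `--ca-certificate` with nothing saying which to prefer; because plugins are pulled from this registry and then installed into the CLI, add a sentence recommending `--ca-certificate` and marking the other two as options that turn off certificate verification or allow plain HTTP. Typos to fix while here: "air-gaped", "If you private registry", "However, If", "Github".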
