WilliamLam.com

MS-A2 VCF 9.0 Lab: Configuring External IdP for Multiple VCF Automation Organizations

by // Leave a Comment

This post is part of a short series that builds on our minimal VMware Cloud Foundation (VCF) 9.0 deployment (2x Minisforum MS-A2) and showcases how to fully leverage the exciting new capabilities in the VCF 9 platform, all while maintaining a minimal resource footprint, which is ideal for lab and learning purposes.

In this blog post, we will walk through the setup of connecting a VCF Automation (VCFA) Organization to an external identity provider (IdP) using a free and self-hosted solution called Keycloak, which I am also using for setting up VCF Single Sign-On (SSO) capability. Depending on your goals for your VCFA lab environment, the ability to explore different IdP policies (e.g. MFA, etc) for an organization to experimenting with VCFA roles and access controls, will ultimately depend on the capabilities of your IdP


Since I am using Keycloak as my IdP, I can create what is known as a realm, which allows me to manage a collection of users and groups. From a single Keycloak Realm, I can then create multiple OIDC Application Clients that can then be used to provide authentication to both my VCFA Provider Admin Portal (via VCF SSO) as well as to the different VCFA User Organizations as depicted in the visual below, all backed by a single realm.


Keycloak allows customization of the IdP login screen, which is a pretty common feature of most IdP. For Keycloak specifically, the login customization is defined on per-realm basis, so you would need to create multiple realms that would then contain an OIDC Application Client for your desired VCFA Organizations which is depicted in the diagram below.


For MFA policies such as mandating a second factor or enforcing passkeys (YubiKey, Apple FaceID, Apple TouchID, etc), while these can be defined at a realm-level, you can override this on per OIDC Application Client. The above illustration is purely for simple lab setup, you can certainly setup a more complex environment with different IdPs that is connected to each VCFA Organization which will closely mirror environment like a Cloud Service Provider (CSP) than a typical Enterprise who might only have a single IdP.

Note: Keycloak has an extensive framework for building custom themes, I am using this KoreUI theme package, which I was able to hack up to build the customization screens you see in the very first screenshot.

Here are some additional VCF Automation IdP Resources that might be of interests if you would like to learn more:

Requirements:

[Read more...]

Quick Tip - Workaround for High CPU usage for ccs-k3s-app in VCF 9.0 Automation 

by // 5 Comments

On a few occasions, I have noticed that after the initial deployment of VMware Cloud Foundation (VCF) 9.0 that also includes VCF Automation (VCFA), the VCFA VM can experience a sustained CPU usage spikes exceeding 30 GHz.


Interestingly, VCFA continues to function fine and I am still able to connect to both VCFA Provider Admin/Organization Portals and perform tasks. In fact, I would not have noticed if it was not for the fans on my MS-A2 spinning like crazy and was able to track it down to ESXi host running the VCFA VM.

[Read more...]

MS-A2 VCF 9.0 Lab: Configuring VCF Automation

by // Leave a Comment

This post is part of a short series that builds on our minimal VMware Cloud Foundation (VCF) 9.0 deployment (2x Minisforum MS-A2) and showcases how to fully leverage the exciting new capabilities in the VCF 9 platform, all while maintaining a minimal resource footprint, which is ideal for lab and learning purposes.

In this blog post, we will walk through the initial setup of VCF Automation (VCFA) using the Provider Admin Portal and creating your first VCFA Organization that will allow users to request and consume resources from the vSphere Supervisor and NSX VPC Networking that we had configured earlier.


Here are some additional VCF Automation Resources that might be of interests if you would like to learn more:

Requirements:

[Read more...]