WilliamLam.com


Publishing and consuming custom events with VMware Event Broker Appliance (VEBA)

09.15.2021 by William Lam // Leave a Comment

One of the really exciting features that will be included in the upcoming VMware Event Broker Appliance (VEBA) v0.7 release (currently in Tech Preview) is the support for incoming webhooks! This will allow customers to easily build event-driven automation for non-vSphere based events and even non-VMware events while still maintaining a consistent consumption experience. If you are interested in learning more about the upcoming VEBA v0.7 release, Michael Gasch and I will be doing a LIVE VMworld Session - VEBA Revolutions - Unleashing the Power of Event-Driven Automation #CODE2773 that you should definitely add to your schedule builder!

Webhook support can easily be enabled during the initial VEBA appliance deployment using a few new OVF properties or configured through the VMware Event Router configuration when deploying to an existing Kubernetes cluster using kubectl or Helm. Once the webhook endpoint is running, users can simply publish their custom events as a conformant CloudEvent and VEBA will ensure these custom events are immediately available for consumption by function authors. This means any product and/or service that can construct a custom HTTP payload including headers will be able to take advantage of this new VEBA feature! I also want to mention that this is NOT the only way to produce custom events that VEBA can ingest, but is certainly one simple way.

To help make this concept more concrete, I wanted to see how we could integrate VMware Cloud events into VEBA by using this new webhook mechanism and using the VMware Cloud Notification Gateway. Below is a diagram to help illustrate what happens when a VMware Cloud event is generated and how it can be consumed by VEBA. The beauty of this type of solution is that the "Event Producer" does not have to know anything about the "Event Consumer" or how they might consume the data. The producer simply pushes events into VEBA and if there is a consumer who cares about a specific event and wishes to do something about it, they can create a function that will listen for a specific event(s) and perform an operation like sending to Slack as an example.

  1. Event is produced by VMware Cloud and pushed by the VMware Cloud Notification Gateway (NGW)
  2. A conformant CloudEvent payload is constructed from the VMware Cloud event by the NGW service
  3. NGW forwards the custom CloudEvent to VEBA's webhook endpoint (https://[VEBA-FQDN]/webhook)
  4. VEBA functions can now react to these custom CloudEvents (e.g. SDDC Provisioned Event)

[Read more...]

Categories // VMware Cloud, VMware Cloud on AWS Tags // Notification Gateway, VEBA, VMware Cloud, VMware Cloud on AWS, VMware Event Broker Appliance

Decoding Services Roles/Permissions from a VMware Cloud Services Platform (CSP) Token

03.04.2021 by William Lam // 1 Comment

To programmatically access the various VMware Cloud Services (CSP) such as VMware Cloud on AWS as an example, a user must first generate a CSP Refresh Token using the CSP Console.


When creating a new CSP Refresh Token, you have the option to scope access to a specific set of organization roles and service roles which will enable you to limit the permissions of this token to specific CSP Services. In the example below, I have created a new token which is scoped to the organization owner role along with two VMware Cloud on AWS Service Roles: Administrator (Delete Restricted) and NSX Cloud Admin to be able to grant access to a VMware Cloud on AWS SDDC.


One common issue that I see folks run into when working with some of the CSP Services including VMware Cloud on AWS from a programmatic standpoint is that they did not properly create a token with the correct permissions which usually will lead to some type of invalid request.

For popular services like VMware Cloud on AWS, it is usually pretty easy to track down, especially if the user who is using the CSP Refresh Token is the same person who created it. However, if you are not the person who created the original token, if you have forgotten, or if you have access to multiple tokens, it can be a little bit difficult to troubleshoot.

The good news and probably lesser known detail about how CSP Refresh Tokens work is that you can actually decode these tokens to understand what specific scopes were used to create the initial token. Below are two methods to decode these tokens, both CSP Refresh Tokens (generated from the CSP UI) as well as CSP Access Tokens, which are returned when you request access by providing your CSP Refresh Token.

[Read more...]

Categories // Automation, VMware Cloud, VMware Cloud on AWS Tags // Access Token, JWT, Refresh Token, VMware Cloud, VMware Cloud on AWS

TKG Demo Appliance on VMware Cloud on DellEMC

11.05.2020 by William Lam // Leave a Comment

We have been getting interest from customers wanting to run Tanzu Kubernetes Grid (TKG) on our VMware Cloud on DellEMC (VMConDellEMC) offering and I was asked to see if my Tanzu Kubernetes Grid (TKG) Demo Appliance would also work on this VMware Cloud solution, especially as it works great on both VMware Cloud on AWS as well as existing on-premises vSphere 6.7 Update 3 or later environments.

With the help from our VMConDellEMC team, I got access to an SDDC and was able to validate that everything works as outlined in my TKG workshop guide. I have also updated the pre-req documentation to include a specific section for setting up VMConDellEMC SDDC, most of which is similar to existing networking requirements. Once you have your customer uplink network configured to your VMConDellEMC SDDC, you will be able to reach the TKG Demo Appliance running on the NSX-T Segment. The thing about the setup is that TKG Demo Appliance is built in an air-gap fashion, so no internet access is required, which by default, the TKG CLI will assume. This is a great way to quickly get started with TKG and playing with Kubernetes!


This was actually my first time using VMConDellEMC and I thought I would push the limits a bit and deploy a slightly larger TKG Workload Cluster than I normally would, especially since I got access to a 5-Node SDDC 😀

[Read more...]

Categories // VMware Cloud Tags // VMware Cloud, VMware Cloud on Dell EMC


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.


Copyright WilliamLam.com © 2025

 
