WilliamLam.com

How to create a kubernetes service account for vSphere with Tanzu?

by // Leave a Comment

Before you can interact and consume resources from a vSphere with Tanzu enabled cluster, users must first login and one way to accomplish this is by using the kubectl-vsphere plugin.

Once authenticated, a JWT (JSON Web Token), pronounced jot token, will be issued along with other values which will be appended to your local ~/.kube/config file. Users will then be able to perform kubectl operations based on the roles they have been assigned for a given vSphere Namespace. In case you did not know, these JWT tokens are only valid for 10 hours and after that, you will need to login again to retrieve a new JWT token.

We can also confirm this by decoding our JWT token found within the ~/.kube/config file and using jwt.io website. Once decoded, we can see when the token was issued using iat (Issued At) and when the token will expired using exp (Expiration Time) as shown in the screenshot below.

The default 10 hour expiry is currently not configurable which can be a challenge for anyone looking to setup unattended automation or GitOps with vSphere with Tanzu.

An alternative solution is to create a Kubernetes (k8s) service account, which by default does not contain a token expiry. Using this information and my recent Deep Dive into vSphere Namespace Roles, I was able to create a service account that can perform the same set of vSphere with Tanzu operations without having to re-login every 10 hours.

[Read more...]

Does vCenter Server recycle VM MAC Addresses after Cross vCenter vMotion?

by // 6 Comments

I recently received a question from a customer who was concerned that after a VM has been migrated from one vCenter Server to another using Cross vCenter vMotion, that the original source VM MAC Address could potentially be recycled and re-used at a later point. Back in 2015, I actually wrote about this very topic and the concerns around VM MAC Address duplication after a Cross vCenter vMotion, which I highly encourage folks to check out if you have not seen this article already.

While re-reading the article, I realized that the article had primarily focused on vCenter Servers that were in Linked Mode or under the same vSphere Single Sign-On (SSO) domain and although I did mention the Cross vCenter vMotion across across different vSphere SSO domains scenario, it looks like the details were a tad bit light.

To quickly summarize, when a VM is migrated from a source vCenter Server to the designation vCenter Server, the VM's MAC Address is added to a MAC Address "block list" on the source vCenter Server. This ensures that the VM MAC Address will not be reallocated by the source vCenter Server which would cause a network conflict. This has been the default behavior since vSphere 6.0 and no additional configuration change is required by customers.

[Read more...]

Can you really deploy the vCenter Server Appliance (VCSA) without DNS and NTP?

by // 4 Comments

The simple answer is Yes. Now, you might be wondering why anyone would want to put themselves through the pain without setting up proper DNS and NTP?

Well, not all environments have the luxury of having either outbound connectivity and/or access to basic infrastructure services like DNS and NTP. This may come as a surprise to some, but there are customers out there that need to operate in very unique and constrained environments. One such example of this is typically from customers that need to deploy vSphere in a "dark site" where local infrastructure services like DNS and NTP are not available.


I recently re-validated this deployment model using the latest vSphere 7.0 Update 3 release running on an Intel NUC 11 which had no outbound connectivity and it was only connected to my laptop, which also had no outbound connectivity or access to DNS or NTP. Since this question recently came up from a customer who was looking to automate this, so I ran through the deployment workflow using the VCSA CLI Installer but this should also be possible with VCSA UI Installer as the same options are supported.

OK, so how do you make this work?

[Read more...]