WilliamLam.com

Closer look at vSphere Permissions for vSphere with Tanzu 

07.22.2021 by William Lam // 3 Comments

Questions regarding vSphere Permissions for vSphere with Tanzu have been brought up more frequently lately, and the majority of the questions that I have seen have primarily focused on the behavior of the vSphere UI Inventory. After taking a closer look and experimenting with a few permutations within my lab, I realized that most folks were simply focusing on what they were most familiar with, which is using the vSphere UI to interact with vSphere.

Although vSphere with Tanzu is tightly integrated with vSphere and the vSphere UI is certainly a primary interface, it is certainly not the only interface nor is it always the interface for end users like a developer. Depending on the needs of your end users and how your organization wishes to grant access to a vSphere Namespace, there are actually a few options that are available to you. In fact, users can interact with vSphere with Tanzu without ever logging into the vSphere UI and that is completely valid and may even be desirable for some organizations.

Note: The custom kubectl plugin for vSphere (kubectl-vsphere), which is needed to interact with vSphere with Tanzu, can be downloaded by simply opening a browser (or using wget) to the following URL: https://[SUPERVISOR-CLUSTER-IP]/wcp/plugin/[OS]-amd64/vsphere-plugin.zip, where OS is darwin, linux or windows (e.g. https://172.17.33.33/wcp/plugin/darwin-amd64/vsphere-plugin.zip)

Below are the results of my testing using the various vSphere Roles and Groups, including the behavior across the different consumption interfaces, including the vSphere UI. To help better illustrate the results, I am also using some example personas. These are purely used as examples and may differ based on your organizational needs.

Persona: VI/Cloud Admin

In this scenario, the user is a vSphere Administrator and has the following memberships:

  • vSphere Role: Administrator
  • vSphere SSO Group: Administrators
  • vSphere Namespace: SSO User and/or Active Directory User

The user will be able to view and manage all vSphere infrastructure including the vSphere Namespaces and the respective workloads including TKG Workload Clusters and/or VMs via the VM Service.

Here is a summary of this user's access:

[Read more...]

Categories // VMware Tanzu Tags // vSphere Kubernetes Service

Introduction to the new ESXi Configuration Store CLI (configstorecli)

07.19.2021 by William Lam // 10 Comments

I was looking into a customer inquiry this morning and found myself looking at the configstorecli, which is an ESXi Shell CLI that enables access to the new ESXi Configuration Store (ConfigStore). The goal of the ConfigStore, initially introduced in ESXi 7.0 Update 1, is to centrally manage all configurations for an ESXi host instead of relying on different methods including a variety of configuration files. There is actually not much documentation out there for configstorecli, other than this blog post by Duncan and these two VMware KBs (here and here).

While searching online, I ended up clicking Duncan's blog as I figured it probably has the best information and I do recall this topic from a while back on the change in behavior for renaming a standard virtual switch. I started to play with the configstore CLI and what was not immediately clear was how to actually use it, especially identifying some of the parameters it was looking for. I figured I might as well share some of my findings as I explore configstorecli a bit more.

My first observation is that the Config Store is a JSON document store and each configuration is stored as individual JSON documents. Before you can access a specific configuration, you first need to understand the schema. To view the entire schema, run the following command:

configstorecli schema list

Since the output is JSON, you can save the contents to a file on your desktop and use any tool that supports JSON, such as jq, to explore further. In the example below, I have loaded an online copy of the configstorecli output from ESXi 7.0 Update 2 using my Chrome browser, which has this JSON Viewer extension installed. The benefit of a visual tool is that you can easily expand or collapse specific nodes within the JSON document.

[Read more...]

Categories // Automation, ESXi, vSphere 7.0 Tags // configstorecli, ESXi 7.0 Update 2

Exploration of Tanzu Kubernetes Grid (TKG) multi-vCenter Server templating using YTT

07.16.2021 by William Lam // Leave a Comment

The motivation behind this blog post originates from a really cool blog post by Mike Brown, who shared an interesting Telco use case for wanting to run Tanzu Kubernetes Grid (TKG) on VMware Cloud on AWS (VMConAWS) and centrally manage TKG Workload Clusters, which would run at each individual Edge/Cell Site location.

Awesome post from @vcdx71, lots of great nuggets! https://t.co/1tPFv1kpHf

1) 🔥@VMwareTanzu Kubernetes Grid (TKG) w/multi-vCenter Servers

2) 📈 Continue adoption of #VMWonAWS for DC Evac & extending to Edge Mgmt

3)📡 Cell Site/RAN mention,♥️ innovations from Telco customers

— William Lam (@lamw.bsky.social) (@lamw) July 13, 2021

While reading through Mike's blog post, I noticed one of the steps was to edit the generated YAML from the TKG Management Cluster, which would then be used to deploy the individual TKG Workload Clusters. This would need to happen for each new deployment 😮 and of course, this could be very error-prone and frustrating for end users. Here is an example of what the YAML file looks like, which is over 1K lines!

This screams for automation and I had been looking for a reason to try out YTT again, which is a YAML templating tool that is part of the open source project Carvel. Although I had played with YTT before, it did not feel intuitive, especially for a new user who was trying to solve a quick problem. I figured this was my opportunity to take another look at YTT.

After a couple of hours and a lot of trial/error, I ended up with a partial solution and realized that I would not be able to figure this out given there were even more complicated sections within the YAML. I felt the bar to getting started with YTT was still too high and it may not be the right tool for this particular situation. I opted for a quicker solution using sed, which I had experience with before, but I also know that depending on the problem, sed can be just as complex and I also dislike regular expressions 🙂

[Read more...]

Categories // Automation, Kubernetes, VMware Tanzu Tags // Carvel, Tanzu Kubernetes Grid, yaml, ytt


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.


Copyright WilliamLam.com © 2025

 
