WilliamLam.com

Search Results for: decryptK8Pwd.py

How to create a kubernetes service account for vSphere with Tanzu?

11.29.2021 by William Lam // 4 Comments

Before you can interact with and consume resources from a vSphere with Tanzu enabled cluster, users must first log in, and one way to accomplish this is by using the kubectl-vsphere plugin.

Once authenticated, a JWT (JSON Web Token), pronounced jot token, will be issued along with other values, which will be appended to your local ~/.kube/config file. Users will then be able to perform kubectl operations based on the roles they have been assigned for a given vSphere Namespace. In case you did not know, these JWT tokens are only valid for 10 hours, and after that you will need to log in again to retrieve a new JWT token.

We can also confirm this by decoding the JWT token found within the ~/.kube/config file using the jwt.io website. Once decoded, we can see when the token was issued using iat (Issued At) and when the token will expire using exp (Expiration Time), as shown in the screenshot below.

The default 10 hour expiry is currently not configurable, which can be a challenge for anyone looking to set up unattended automation or GitOps with vSphere with Tanzu.

An alternative solution is to create a Kubernetes (k8s) service account, which by default does not contain a token expiry. Using this information and my recent Deep Dive into vSphere Namespace Roles, I was able to create a service account that can perform the same set of vSphere with Tanzu operations without having to re-login every 10 hours.

Note (06/07/22) - The "Edit" vSphere Namespace Role now includes the ability to create a K8s service account and rolebinding without having to go into the Supervisor Cluster Control Plane VM.

[Read more...]

Categories // VMware Tanzu, vSphere 7.0 Tags // vSphere with Kubernetes

Quick Tip - Accessing the VM Console for VMs deployed using vSphere with Tanzu VM Service

05.20.2021 by William Lam // 2 Comments

One constraint of the new vSphere with Tanzu VM Service, which was introduced in vSphere 7.0 Update 2a, is that the VM Console of the deployed VM is not accessible by end users, including vSphere Administrators.


When things are working fine, this is generally not needed but when something goes wrong such as debugging or troubleshooting guest customization or networking issues, then having access to the VM Console is a must! In speaking with the VM Service PM, this is already being tracked in their backlog and hopefully we will have a solution for this in the future.

For now, there is a quick workaround which I have personally used myself while deploying Nested ESXi VMs using the VM Service. Since this question has come up a few times now, I wanted to document the specific instructions and make it easy for anyone who may have a need for this. 100% credit goes to Florian Grehl, who shared this solution on his blog but on a completely unrelated topic.

UPDATE (05/20/21) - Florian also shared via Twitter another, quicker way to access the VM Console: if you have direct ESXi host access, you can access the VM Console that way as well. I am usually logged into vCenter Server anyhow, so I prefer the method outlined below.

[Read more...]

Categories // VMware Tanzu Tags // vSphere Kubernetes Service

Using Terraform to deploy a Tanzu Kubernetes Grid (TKG) Cluster in vSphere with Tanzu 

11.10.2020 by William Lam // 4 Comments

A few months back I saw that HashiCorp had released a new Kubernetes (K8s) Provider for Terraform, currently in Alpha state, which enables users to deploy K8s resources using the popular Infrastructure-as-Code (IaC) tool. I thought this would be pretty cool if it works with our vSphere with Tanzu solution, since the Tanzu Kubernetes Grid (TKG) Service uses ClusterAPI via a custom VM Operator to deploy TKG Guest Clusters, which is just a fancy way of saying it uses the K8s API to deploy more K8s 🙂

UPDATE (04/27/21) - vSphere 7.0 Update 2a has resolved the admission webhook issue and users can now deploy a TKG Guest Cluster using the K8s Provider for Terraform.

Setting up the new K8s provider was pretty straightforward, and after spending a few minutes figuring out how to convert my existing TKG YAML to the required HCL format for Terraform to understand, I was able to run a terraform "plan" but quickly ran into the following error:

failed: admission webhook "default.mutating.tanzukubernetescluster.run.tanzu.vmware.com" does not support dry run

It looks like our tanzukubernetescluster admission webhooks do not currently support dry run operations, which can be quite useful but are also common when using Terraform. I figured this was the end of that idea and I ended up just filing a feature enhancement internally for adding this support in the future, as I can see this being quite useful for our customers.

After finishing up my recent pet project of getting a fully functional vSphere with Tanzu on a homelab budget and just using 32GB of memory, I decided to take another look at this and discovered the required tweak to get this working was super trivial, literally a single line change.

Disclaimer: This is not officially supported by VMware, use at your own risk.

[Read more...]

Categories // Kubernetes, VMware Tanzu, vSphere 7.0 Tags // Kubernetes, Tanzu Kubernetes Grid, Terraform, vSphere Kubernetes Service

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.

Copyright WilliamLam.com © 2026

 
