WilliamLam.com

Search Results for: decryptK8Pwd.py

vSphere Pods using VDS based Supervisor in vSphere with Tanzu?

by // 12 Comments

vSphere with Tanzu has received an exciting update with the release of vSphere 8.0 Update 1, which removes the restriction for requiring NSX-based networking to deploy Supervisor Services. This is really cool because customers with only a VDS based Supervisor can now also get the benefits of the various Supervisor Services that vSphere with Tanzu supports!


For those not aware, Supervisor Services are deployed as vSphere Pods, which is a super tiny VM that boots up a Photon OS kernel and is configured with just enough resources to run one or more Linux containers. In earlier releases of vSphere with Tanzu, vSphere Pods required an NSX based Supervisor, but with this restriction removed in vSphere 8.0 Update 1, it seems like deploying vSphere Pods should also be possible with just a VDS based Supervisor? 🤔

[Read more...]

How to create a kubernetes service account for vSphere with Tanzu?

by // 4 Comments

Before you can interact and consume resources from a vSphere with Tanzu enabled cluster, users must first login and one way to accomplish this is by using the kubectl-vsphere plugin.

Once authenticated, a JWT (JSON Web Token), pronounced jot token, will be issued along with other values which will be appended to your local ~/.kube/config file. Users will then be able to perform kubectl operations based on the roles they have been assigned for a given vSphere Namespace. In case you did not know, these JWT tokens are only valid for 10 hours and after that, you will need to login again to retrieve a new JWT token.

We can also confirm this by decoding our JWT token found within the ~/.kube/config file and using jwt.io website. Once decoded, we can see when the token was issued using iat (Issued At) and when the token will expired using exp (Expiration Time) as shown in the screenshot below.

The default 10 hour expiry is currently not configurable which can be a challenge for anyone looking to setup unattended automation or GitOps with vSphere with Tanzu.

An alternative solution is to create a Kubernetes (k8s) service account, which by default does not contain a token expiry. Using this information and my recent Deep Dive into vSphere Namespace Roles, I was able to create a service account that can perform the same set of vSphere with Tanzu operations without having to re-login every 10 hours.

Note (06/07/22) - The "Edit" vSphere Namespace Role now includes the ability to create K8s service account and rolebinding without having to go into Supervisor Cluster Control Plane VM

[Read more...]

Quick Tip - Accessing the VM Console for VMs deployed using vSphere with Tanzu VM Service

by // 2 Comments

One constraint of the new vSphere with Tanzu VM Service, which was introduced in vSphere 7.0 Update 2a is that the VM Console of the deployed VM is not accessible by end users including vSphere Administrators.


When things are working fine, this is generally not needed but when something goes wrong such as debugging or troubleshooting guest customization or networking issues, then having access to the VM Console is a must! In speaking with the VM Service PM, this is already being tracked in their backlog and hopefully we will have a solution for this in the future.

For now, there is a quick workaround which I have personally used it myself while deploying Nested ESXi VMs using the VM Service. Since this question has come up a few times now, I wanted to document the specific instructions and make it easy for anyone who may have a need for this. 100% Credit goes to Florian Grehl who shared this solution on his blog but on a completely unrelated topic.

UPDATE (05/20/21) - Florian also shared via Twitter, another and quicker way to access the VM Console is if you have direct ESXi host access, you can access the VM Console that way as well. I am usually logged into vCenter Server anyhow, so I prefer method outlined below.

[Read more...]