WilliamLam.com

Tanzu Kubernetes Grid (TKG) Demo Appliance 1.3.1

by // Leave a Comment

It has been awhile since I have updated my Tanzu Kubernetes Grid (TKG) Demo Appliance Fling and I know a number of folks have been asking for an update. Today, I am happy to share that the TKG Demo Appliance v1.3.1 Fling is now available!

What's New:

  • Support for the latest TKG 1.3.1 (Patch 1) release
  • Support for TKG Workload Cluster using K8s v1.20.5 & v1.19.9
  • Support for TKG Workload Cluster upgrade workflow from K8s v1.19.9 to v1.20.5
  • Updated TKG Workshop Guide http://vmwa.re/tkg-on-vmc-guide (downloads in pre-req docs)
  • Example VMware Cloud on AWS and vSphere TKG Workload Cluster Deployment YAML Samples
  • Updated to latest version of Harbor (2.2.2), Docker Compose (1.29.2), Octant (0.20.0), TMC (0.2.1-170959eb) and Helm (3.6.0)

[Read more...]

Using Packer vsphere-iso provider with VMware Cloud on AWS

by // 1 Comment

I am a huge fan of HashiCorp Packer, which makes automating Virtual Machine images for vSphere including OVF, OVA and vSphere Content Library Templates extremely easy. Packer supports two vSphere Providers, the first being vmware-iso which requires SSH access to an ESXi host and the second called vsphere-iso which does not require ESXi access but instead connects to vCenter Server using the vSphere API, which is the preferred method for vSphere Automation.

I started working with Packer and the vmware-iso several years ago and because there is not 100% parity between the two vSphere providers, I have not really looked at the vsphere-iso provider or even attempted to transition over. I was recently working on some automation within my VMware Cloud on AWS(VMConAWS) SDDC and since this is a VMware managed service, customers do not have access to the underlying ESXi hosts nor SSH access. I thought this would be a good time to explore the vsphere-iso provider and see if I can make it work in a couple of different networking scenarios.

For customers that normally establish either a Direct Connect (DX) or VPN (Policy or Route-based) from their on-premises environment to their SDDC, there is nothing special that needs to be setup to use Packer. However, if you are like me who may not always have these types of connectivity setup or if you wish to use Packer directly over the internet to your SDDC, then some additional configurations will be needed.

Packer Connectivity Scenarios

In both scenarios below, DX/VPN is not configure or relied upon to the VMConAWS SDDC.

[Read more...]

Decoding Services Roles/Permissions from a VMware Cloud Services Platform (CSP) Token

by // Leave a Comment

To programmatically access the various VMware Cloud Services (CSP) such as VMware Cloud on AWS as an example, a user must first generate a CSP Refresh Token using the CSP Console.


When creating a new CSP Refresh Token, you have the option to scope access to a specific set organization roles and service roles which will enable you to limit the permissions of this token to specific CSP Services. In the example below, I have created a new token which is scoped to the organization owner role along with two VMware Cloud on AWS Service Roles: Administrator (Delete Restricted) and NSX Cloud Admin to be able to grant access to a VMware Cloud on AWS SDDC.


One common issue that I see folks run into when working with some of the CSP Services including VMware Cloud on AWS from a programmatic standpoint is that they did not properly create a token with the correct permissions which usually will lead to some type of invalid request.

For popular services like VMware Cloud on AWS, it is usually pretty easy to track down, especially if the user who is using the CSP Refresh Token is the same person who created it. However, if you are not the person who created the original token or if you have forgotten or you may have access to multiple token, it can be a little bit difficult to troubleshoot.

The good news and probably lesser known detail about how CSP Refresh Tokens work is that you can actually decode these tokens to understand what specific scopes were used to create the initial token. Below are two methods to decode these tokens, both CSP Refresh Tokens (generated from the CSP UI) as well as CSP Access Token, which is returned when you request access providing your CSP Refresh Token.

[Read more...]