vSphere with Kubernetes

How to create a kubernetes service account for vSphere with Tanzu?

11.29.2021 by William Lam // 4 Comments

Before you can interact and consume resources from a vSphere with Tanzu enabled cluster, users must first login and one way to accomplish this is by using the kubectl-vsphere plugin.

Once authenticated, a JWT (JSON Web Token), pronounced jot token, will be issued along with other values which will be appended to your local ~/.kube/config file. Users will then be able to perform kubectl operations based on the roles they have been assigned for a given vSphere Namespace. In case you did not know, these JWT tokens are only valid for 10 hours and after that, you will need to login again to retrieve a new JWT token.

We can also confirm this by decoding our JWT token found within the ~/.kube/config file and using jwt.io website. Once decoded, we can see when the token was issued using iat (Issued At) and when the token will expired using exp (Expiration Time) as shown in the screenshot below.

The default 10 hour expiry is currently not configurable which can be a challenge for anyone looking to setup unattended automation or GitOps with vSphere with Tanzu.

An alternative solution is to create a Kubernetes (k8s) service account, which by default does not contain a token expiry. Using this information and my recent Deep Dive into vSphere Namespace Roles, I was able to create a service account that can perform the same set of vSphere with Tanzu operations without having to re-login every 10 hours.

Note (06/07/22) - The "Edit" vSphere Namespace Role now includes the ability to create K8s service account and rolebinding without having to go into Supervisor Cluster Control Plane VM

[Read more...]

Packer reference for VMware Harbor Virtual Appliance

07.08.2021 by William Lam // 2 Comments

I recently had a need to setup a container registry for a project that I was working on and Harbor was of course my default choice. Although Harbor is pretty easy to setup, I did not want to manually go through the installation each time I needed Harbor and I figured it was time to build my own Harbor Virtual Appliance (OVA), just like I have shown in the past with these reference implementations here and here.

UPDATE (02/03/23) - VMware has productized and is now shipping an official VMware Harbor Virtual Appliance (OVA) as part of the latest Tanzu Kubernetes Grid (2.1) release.

Nice to finally see @project_harbor team release official OVA Appliance w/latest @VMwareTanzu Kubernetes Grid 2.1 release https://t.co/gZIW8SckH9

I still remember team reaching out about productizing what I had built back in 2021 🥳https://t.co/IyquqwZgEK

H/T @vmw_rguske pic.twitter.com/vwWsCtOSBe

— William Lam (@lamw.bsky.social | @*protected email*) (@lamw) February 3, 2023

For those interested, you can find the reference implementation for building a Harbor Virtual Appliance at https://github.com/lamw/harbor-appliance

When deploying the Harbor Appliance, you will find the basic OVF properties that I have encoded including networking, credentials, debugging and advanced settings. Hopefully should be pretty straight forward for anyone who has deployed an OVA before to vSphere.

[Read more...]

Is vSphere with Kubernetes available for evaluation?

07.14.2020 by William Lam // 1 Comment

Yes. Given the frequency that this question has come up, I thought it would be useful to share some more details on how you can start playing with the new vSphere with Kubernetes (K8s) capability which was introduced as part of the vSphere 7.0 release. vSphere w/K8s requires NSX-T and although vSphere (ESXi and vCenter Server Appliance) has supported a 60 day evaluation period, NSX-T historically did not support any self-service evaluation. In addition, there were also some confusion in how vSphere w/K8s was bundled today from a packaging standpoint which is offered as part of the VMware Cloud Foundation (VCF) 4.0 SKU.

Putting aside the pricing and packaging aspects, customers can indeed evaluate vSphere w/K8s using one of the following two options below:

Option 1: 60 Day Eval

Sign up for the vSphere 7.0 (ESXi & VCSA) evaluation (https://my.vmware.com/en/web/vmware/evalcenter?p=vsphere-eval-7) and NSX-T 3.0 evaluation (https://my.vmware.com/web/vmware/evalcenter?p=nsx-t-eval). After signing up you will receive evaluation keys that can be used when setting up vSphere w/K8s. If you want to quickly go from 0 to Kubernetes, be sure to check out my vSphere with K8s Automation Lab Deployment which can give you a running environment in under 30min!

Option 2: 365 Day Eval

Sign up for VMUG Advantage which includes VMUGEval that provides licenses for vSphere 7.0, NSX-T 3.0, VCF 4.0 and many other VMware products for an entire year for non-production usage. After signing up you will receive license keys that will be valid for 1 year which can then be used when setting up vSphere w/K8s. With VMUG Advantage, you can consume vSphere w/K8s the "manual" method, using my vSphere with K8s Automation Lab Deployment or using SDDC Manager which is part of VCF 4.0 to automatically deployed the required SDDC infrastructure so that can then enable vSphere w/K8s.

Here is a screenshot of my vSphere w/K8s environment which was deployed using my Sphere with K8s Automation Lab Deployment script and using the evaluation keys which I had just signed up!

Option 3: Infinite Day Eval

VMware Hands-on-Lab is another great option which is completely free and you only need a web browser! You can check out HOL-2113-01-SDC for more details.