WilliamLam.com

Quick Tip - How to deploy NSX Advanced Load Balancer (NSX-ALB) with a single Service Engine

by // 1 Comment

I saw an interesting question today from Robert Kloosterhuis in the private vExpert App Modernization Slack Channel who working with vSphere with Tanzu using NSX Advanced Load Balancer (NSX-ALB) and wanted to know if it was possible to deploy NSX-ALB with just a single Service Engine (SE)?

The default behavior of NSX-ALB is to deploy two SE for availability purpose but for testing and/or homelab usage, it could certainly help with resources and time to spin up an environment using NSX-ALB. I was also curious if this was possible and reached out to NSX-ALB Engineering team and within a few minutes, I got a response that not only was this possible to do but pretty easy to configure.

To modify this default behavior, we need to update the Service Engine group prior to SE VMs being deployed. To do so, login to NSX-ALB UI and under Infrastructure->Service Engine Group and then click on the Advanced tab and change the default Buffer Service Engines value of 1 to 0 which will will have NSX-ALB deploy just a single SE VM rather than the default two.


To confirm that our NSX-ALB have been configured correctly, I have enabled vSphere with Tanzu using NSX-ALB and as you can see from the screenshot below, only a single SE VM has been deployed rather than the default behavior of two SE.

Quick Tip - Resizing vSphere with Tanzu Supervisor Control Plane VMs

by // 1 Comment

During the enablement of vSphere with Tanzu, users can specify the size (Tiny, Small, Medium and Large) which will then dictate the amount of CPU and Memory that is allocated for the Supervisor Control Plane VMs.


After vSphere with Tanzu has been successfully enabled, you will find that only a subset of the settings can be re-configured but the Size is not one of those settings.


There was a question recently asking if you could resize the resources for the Supervisor Control Plane VMs? Although the vSphere UI does not allow you to modify the Control Plane Size value, the vSphere with Tanzu REST API can be used to perform this operation.

[Read more...]

Heads Up - Verify the SSL certificate trust for your vSphere with Tanzu Content Library

by // Leave a Comment

I just learned that SSL certificate for VMware's vSphere with Tanzu Content Library (https://wp-content.vmware.com/v2/latest/lib.json) had just been updated a few days ago and this will have an impact for anyone who had subscribed to the Content Library prior to the certificate update.

Since I had setup the subscribed Content Library several months back, all the OVAs at the time were already sync'ed and there are no immediate errors when the "Fetch Content Library" task is performed (which will be fixed in a future release). However, I was seeing some strange issues with deploying specific versions of Kubernetes and I did not think much of it and deploying another version was fine, so I figured maybe it was just my setup. I also had another lab, so I ended up using that environment most recently.

It is only until you click on a specific Content Library Item and perform a manual sync will you see the following error, which indicates you are affected:

A general system error occurred: HTTP request error: cannot authenticate SSL certificate for host wp-content.vmware.com.


The quickest way to check whether you are affected is by looking at the configured SSL Thumbprint of your subscribed Content Library and comparing that to the vSphere with Tanzu Content Library endpoint.


Unfortunately, the configured SSL Thumbprint for the subscribed Content Library is not visible in the vSphere UI, but this information is available in the vSphere Content Library API.

I just put together this quick PowerCLI snippet which will retrieve the SSL Thumbprint for your subscribed Content Library and compare to the current thumbprint. If it does not match, you will get an error message printing out the current SSL Thumbprint.

Connect-CisServer -Server vcsa.primp-industries.local -User *protected email* -Password VMware1!

$SubscribedCLName = "TKG-Content-Library"
$TKGCLThumbprint = "01:8D:FD:13:A6:9E:CA:AC:CB:7C:67:18:C1:47:11:8C:64:91:5D:C9"

$contentLibraryService = Get-CisService com.vmware.content.library
$LibraryIDs = $contentLibraryService.list()

foreach($libraryID in $LibraryIDs) {
        $library = $contentLibraryService.get($libraryID)
        if($library.name -eq $SubscribedCLName) {
            $ContentLibrary = $Library
            break
        }
}

if($ContentLibrary.subscription_info.ssl_thumbprint -ne $TKGCLThumbprint.toLower()) {
    Write-Error "SSL Thumbprint $($ContentLibrary.subscription_info.ssl_thumbprint) for $SubscribedCLName does not currently match!`n"
}

The fix is straight forward, simply edit the settings of your subscribed Content Library, do not make any changes and then click on OK. Since the configured SSL Thumbprint no longer matches the hosted Content Library, you will be prompted with an action to confirm the new thumbprint and then you can save the settings.


As of right now, the SSL Certificate for the hosted vSphere with Tanzu Content Library is valid until July 7, 2022 and I expect that VMware will replace the TLS certificate prior to that date and this operation will need to be performed again. Since this issue was initially reported internally, I have also asked to see if an official VMware KB to be published.