
virtuallyGhetto


vSphere

PowerCLI Module for managing vCenter Single Sign-On (SSO)

10/05/2020 by William Lam 8 Comments

A few years back I submitted a PowerCLI Feature Request (PCLI-44) via the public PowerCLI Ideas platform requesting a PowerCLI module that would support vCenter Single Sign-On (SSO) Administrative functionality such as managing SSO Users, Groups, Password, Lockout Policy and Identity Sources.


This was one of the most popular Ideas voted on by the PowerCLI community, which also stressed the need for such functionality, something I came across on a regular basis in some of the Automation I was writing. In the past, I have written numerous blog articles on working around this limitation as the vCenter SSO Admin APIs were not and leveraging Guest Operations API, one could still automate various SSO operations using the various SSO CLIs that are included within the vCenter Server Appliance (VCSA).

Today, I received a notification from the PowerCLI Ideas platform that this feature has "Shipped" and it looks like the PowerCLI team has just released an Open Source Module called VMware.vSphere.SsoAdmin that includes the following 12 cmdlets:

  • Add-ActiveDirectoryIdentitySource
  • Connect-SsoAdminServer
  • Disconnect-SsoAdminServer
  • Get-SsoGroup
  • Get-SsoLockoutPolicy
  • Get-SsoPasswordPolicy
  • Get-SsoPersonUser
  • Get-SsoTokenLifetime
  • New-SsoPersonUser
  • Remove-SsoPersonUser
  • Set-SsoLockoutPolicy
  • Set-SsoPasswordPolicy
  • Set-SsoPersonUser
  • Set-SsoTokenLifetime

To get started with the new PowerCLI SSO Module, take a look at the instructions below.


Filed Under: Automation, PowerCLI, vSphere Tagged With: PowerCLI, sso

Full OVA/OVF property support coming to Terraform provider for vSphere

06/11/2020 by William Lam 13 Comments

Terraform is one of the most popular Infrastructure as Code (IaC) tools out there today and it should come as no surprise that there is a Terraform provider for vSphere which many of our customers have been using. In fact, VMware just recently released a couple more new providers (here and here) supporting VMware Cloud on AWS and NSX-T solutions respectively.

Although I have used Terraform and the vSphere provider in the past, it has not been my tool of choice for automation as it still lacks a number of basic vSphere capabilities which I require on a regular basis. The most common one being the ability to deploy a Virtual Appliance (OVA/OVF) which has been my biggest barrier and I know this has been a highly requested feature from the community as well.

In early May of this year, I noticed that v1.18 of the vSphere provider finally added support for OVA/OVF deployment and I was pretty excited to give this a try and may even have been the first to kick the tires on this feature? Although OVA/OVF support was added, it looks like support for customizing OVF properties, which are commonly included as part of an OVA/OVF, would only be possible if you are cloning from an existing imported OVA/OVF image. One of the most common use cases is to import an OVF/OVA from either your local computer or from a URL and it looks like this use case was not possible.

I filed two GitHub issues, one for supporting OVF properties for initial OVA/OVF deployment and another regarding a bug I ran into when importing OVA/OVF from a remote URL. Just yesterday, I got the good news that my feature request has been completed and I was given an early drop of the vSphere provider to try out this feature. I may have also hinted to the Engineering team to use my popular Nested ESXi Appliance OVA as a reference test implementation as I knew this was something many customers will want to deploy 🙂

UPDATE (06/23/20) - Support for OVA/OVF properties is now available as part of 1.20 of the Terraform Provider for vSphere


Filed Under: Automation, vSphere Tagged With: ova, ovf, Terraform

New VEBA release, new website and new mascot!

05/12/2020 by William Lam Leave a Comment

Today I am very happy to share a number of updates with the community regarding the popular VMware Event Broker Appliance (VEBA) Fling. Each release has always been a team effort, but I am especially proud of this release as it demonstrates how large the team has grown in the past 6 months and their impactful contributions to this solution to help our VMware customers and partners. Michael and I could not be prouder, and the feedback both internally and externally has been nothing but amazing and we are just getting started when it comes to event-driven automation for the SDDC!

New VEBA Release

Here are some of the key features in our latest v0.4 release. If you wish to see a detailed change log, please refer to the VEBA GitHub releases page.

  • New VEBA Direct Console UI (DCUI)
  • New Incident Management example functions
  • New Golang example function
  • Deploy VEBA to an existing Kubernetes Cluster (documentation)
  • Updated VEBA base OS to latest Photon OS 3.0 Rev2
  • Replace Weave with Antrea CNI
  • Support customization of Docker bridge network (default: 172.17.0.1/16) via OVF property
  • Monitor VEBA Appliance using vRealize Operations (documentation)

Below are two features that I think are worth highlighting:

Thanks to Frankie Gold, we now have a slick new VEBA DCUI which replaces the old static /etc/issue entry which was only updated once after a successful deployment. If you decided to change the hostname, these changes would not be reflected. The new VEBA DCUI is dynamic and will display the latest configuration from the system including the configured system resources. In addition, it also uses the new /etc/veba-release file found within the VEBA appliance, which provides information about the version of VEBA and the commit ID, along with the event processor that was configured.


As part of the DCUI development planning, I was reminded of this fun little VMware Easter Egg. I thought it would be fun to include a few of our own and also give a nod back to this old school easter egg which sadly is no longer in the product. The default color scheme is green (cyan) and if you go into the VM Console and type "veba", you will activate an alternate color scheme as shown in the screenshot below. To return to the original color scheme, just type "veba" again to deactivate.


There are actually a couple more interesting 🐣easter eggs which I had asked Frankie to include ... I wonder who will be the first to find and share them? Maybe the first few folks who share details about the easter egg on Twitter will get one of the new VEBA stickers!

UPDATE (05/13/20) - Congrats to Allan Kjaer on finding the first VEBA DCUI Easter Egg #1 which is typing the word "pride" (this is a nod back to the original easter egg found in Fusion, see reference above)

Congrats to @Allan_Kjaer on finding the first hidden 🐣#EasterEgg in latest #VEBA release. Type “pride” to activate/deactivate new color scheme

Very impressive Allan, as I thought this would have taken longer & was a nice nod to original @VMwareFusion Easter Egg 😊 pic.twitter.com/d06skOglj5

— William Lam (@lamw) May 13, 2020

Congrats David Bibby on finding the second and final VEBA DCUI Easter Egg #2 which is typing the word "otto" (name of VEBA's mascot) which will activate VEBA DCUI console with rendering of Otto 🙂 To deactivate and return to the default screen, simply type "otto" again.

Congrats @bib_ds on finding the last and final #VEBA #EasterEgg which is dedicated to our new mascot #OttoTheOrca

I’m sure colleagues will take a second look when they see 🐳 in the VM Summary page 😉 https://t.co/JaDUFkQ7fi

— William Lam (@lamw) May 13, 2020


Filed Under: Automation, vSphere Tagged With: VEBA, vmware event broker appliance

Virtually Speaking Podcast: MacOS Virtualization and MacStadium

05/11/2020 by William Lam Leave a Comment

Last week I had the pleasure to be on the Virtually Speaking Podcast (#1 Virtualization Podcast) to talk a little about the history and the use cases driving MacOS Virtualization in the Enterprise. In fact, this affects most if not every single organization that develops either an Apple MacOS and/or iOS application which includes VMware.

We also had a very special guest, Preston Lasebikan, a Systems Architect for MacStadium who gave us some insights into how they are supporting major Enterprise customers such as Dropbox, Capital One, Shopify, Box and many others using their Apple Mac Infrastructure which runs on VMware vSphere. If you have never heard of MacStadium before, they are the largest service provider of Apple Mac Infrastructure as a Service in the world and there is a high probability your organization is already using them without you even knowing.


Filed Under: Apple, ESXi, vSphere Tagged With: apple, mac mini, mac pro, macOS, vSphere

Configure non-secure Harbor registry with Tanzu Kubernetes Grid (TKG)

05/09/2020 by William Lam 3 Comments

In an earlier blog post, I shared the steps to configure Harbor with a proper signed SSL certificate that would serve as a private container registry for Tanzu Kubernetes Grid (TKG) CLI running in an air-gapped environment.

Although Harbor can easily be configured to support a custom CA-signed certificate, a self-signed certificate or even just plain HTTP, there are several additional steps and dependencies that are required if you wish to use a non-secure container registry with TKG CLI. This definitely was a bunch of trial/error and hopefully this can be made easier in the future to easily enable non-secure registry support with TKG CLI out of the box for development and testing purposes.

I also want to give a huge thanks to Jun Wang from our Modern Application Business Unit (MAPU). He was instrumental in helping me out and ultimately his tip on updating the containerd configuration was the last piece of the puzzle so that the K8s images deployed would use our insecure Harbor registry for pulling container images.


Filed Under: Docker, Kubernetes, VMware Tanzu, vSphere Tagged With: Harbor, Kubernetes, Tanzu Kubernetes Grid, TKG, TKG CLI, VMware Tanzu

Deploy Harbor in an Air-Gapped environment for Tanzu Kubernetes Grid (TKG)

04/24/2020 by William Lam 1 Comment

When using Tanzu Kubernetes Grid (TKG) and the new TKG CLI, outbound internet connectivity is required as part of the initial setup on the machine running TKG CLI but also on the TKG Management Cluster which is automatically stood up as part of the deployment. For demo and testing purposes, this is usually not a problem but for anyone looking to run this in a Production or datacenter environment, direct internet access is generally not available.

TKG does support air-gapped environments today by requiring a private container registry that has been configured with all the required containers. Once your registry has been set up, you will also need to update the TKG YAML manifest files to specify your private registry as by default, it will point to registry.tkg.vmware.run. You can use any container registry that is supported with Kubernetes including the popular Harbor solution. One thing to note is that your private registry must have a proper signed SSL certificate; custom CA certificates or self-signed certificates are not officially supported today with TKG.

Since I recently had to set this up for a project I am working on, which I hope to talk about in a future blog post, I thought it would be useful to share the instructions on how to set up and configure Harbor to be used in conjunction with TKG as well as any other solution that requires a container registry running in your own environment. In my deployment, I will be using Let's Encrypt for generating the required SSL certificate, but you can use any existing service for performing this operation. I will also be installing Harbor on Photon OS, but you can use any operating system of your choice that Harbor is supported on.


Pre-Requisites 

  • Access to a public DNS domain which you have ownership of (e.g. adding new records)
  • Access to your internal DNS server to add a custom DNS zone lookup entry (e.g. registry.<yourdomain>.com)


Filed Under: Docker, Kubernetes, VMware Tanzu, vSphere Tagged With: Kubernetes, Tanzu Kubernetes Grid, TKG, TKG CLI


Author

William Lam is a Senior Staff Solution Architect working in the VMware Cloud team within the Cloud Services Business Unit (CSBU) at VMware. He focuses on Automation, Integration and Operation for the VMware Cloud Software Defined Datacenters (SDDC)
