virtuallyGhetto

vSphere

Configure non-secure Harbor registry with Tanzu Kubernetes Grid (TKG)

by 3 Comments

In an earlier blog post, I shared the steps to to configure Harbor with a proper signed SSL certificate that would serve as  private container registry for Tanzu Kubernetes Grid (TKG) CLI running in an air-gapped environment.

Although Harbor can easily be configured to support custom CA signed certificate, self-sign certificate and even just using HTTP, there are several additional steps and dependencies that is required if you wish to use a non-secure container registry with TKG CLI. This definitely was a bunch of trial/error and hopefully this can be made easier in the future to easily enable non-secure registry support with TKG CLI out of the box for development and testing purpose.

I also want to give a huge thanks to Jun Wang from our Modern Application Business Unit (MAPU), he was instrumental in helping me out and ultimately his tip on updating the containerd configuration was the last piece to the puzzle so that the K8s images deployed would use our insecure Harbor registry for pulling container images.

[Read more...] about Configure non-secure Harbor registry with Tanzu Kubernetes Grid (TKG)

Deploy Harbor in an Air-Gapped environment for Tanzu Kubernetes Grid (TKG)

by 1 Comment

When using Tanzu Kubernetes Grid (TKG) and the new TKG CLI, outbound internet connectivity is required as part of the initial setup on the machine running TKG CLI but also on the TKG Management Cluster which is automatically stood up as part of the deployment. For demo and testing purposes, this is usually not a problem but for anyone looking to run this in a Production or datacenter environment, direct internet access is generally not available.

TKG does support air-gapped environments today by requiring a private container registry that has been configured with all the required containers. Once your registry has been setup, you will also need to update the TKG YAML manifest files to specify your private registry as by default, it will point to registry.tkg.vmware.run. You can use any container registry that is supported with Kubernetes including the popular Harbor solution. One thing to note is that your private registry must have a proper signed SSL certificate, custom CA certificates or self-signed certificates are not officially supported today with TKG.

Since I recently had to set this up for a project I am working on, which I hope to talk about in a future blog post, I thought it would be useful to share the instructions on how to setup and configure Harbor to be used in-conjunction with TKG as well as any other solution that requires a container registry running in your own environment. In my deployment, I will be using Let's Encrypt for generating the required SSL certificate, but you can use any existing service for performing this operation. I will also be installing Harbor on Photon OS, but you can use any operating system of your choice that Harbor is supported on.


Pre-Requisites 

  • Access to a public DNS domain which you have ownership of (e.g. adding new records)
  • Access to your internal DNS server to add a custom DNS zone lookup entry (e.g. registry.<yourdomain>.com)

[Read more...] about Deploy Harbor in an Air-Gapped environment for Tanzu Kubernetes Grid (TKG)

Automated vSphere 7 and vSphere with Kubernetes Lab Deployment Script

by 91 Comments

I know many of you have been asking me about my vSphere with Kubernetes automation script which I had been sharing snippets of on Twitter. For the past couple of weeks, I have been hard at work making the required changes between the vSphere 7 Beta and GA workflows, some additional testing and of course documentation. Hopefully the wait was worth it (I think it is) and if you enjoy the script or have benefited, please consider adding 🌟to the Github repo to show your support! Thanks and enjoy

The Github repository:

Before getting started, please carefully read through the requirements section along with the complete sample end-to-end execution if you are new to vSphere with Kubernetes. You will need to have a VMware Cloud Foundation (VCF) 4.0 license before you can get started and specifically an NSX-T Advance license which is one of the required parameters within the script. If you do not have access to a VCF 4 license, I strongly recommend taking part in the recent VMUG Advantage Homelab Group Buy effort which I had started to easily get access to the latest VMware releases along with a nice 15% discount!

The script supports deploying both a standard vSphere 7 environment with just VCSA, ESXi and vSAN as well as the complete solution which includes NSX-T to support vSphere with Kubernetes. For more details, please refer to the FAQ.

Integrating vCenter Event Broker Appliance (VEBA) with vRealize Orchestrator 

by Leave a Comment

VMware vRealize Orchestrator (vRO) is still used by many of our customers to automate various infrastructure tasks whether that is running it in standalone mode connected to a vCenter Server(s) or powering the extensibility of vRealize Automation. For customers who have already built an extensive collection of vRO workflows, it certainly makes sense that they would like to reuse the Automation they have already created.

For customers that want to easily subscribe to specific vCenter Server event(s) and trigger specific Automation workflows, the vCenter Event Broker Appliance (VEBA) Fling has been a very popular solution. Customers no longer have to write or manage the code to retrieve specific event(s) from vCenter Server, instead they can focus on the really interesting part of the workflow which is automation or "business logic" that does something specific with a given vCenter Server event. Some common examples including notification using Slack or SMS, vSphere automation such as applying a vSphere Tag or hardening a VM configuration to alerting using PagerDuty to ticket creation in ServiceNow or Salesforce.com, the list goes on and on.

The great news is that vRO customers can also benefit from VEBA while leveraging their existing vRO workflows. VEBA can integrate with any vRO workflow by simply having a function, written using any language of your choice, that calls into the vRO's REST API to trigger a specific vRO workflow. To demonstrate this integration, I have built VEBA function using PowerShell which executes a vSphere Tagging vRO workflow which can be found here and below is a video on how this works.

Big updates to the vCenter Event Broker Appliance (VEBA) Fling

by 1 Comment

The vCenter Event Broker Appliance (VEBA) team has been working hard over the last couple of months on some pretty exciting enhancements and today we are pleased to announce the release of VEBA v0.3 which can be download from the VMware Fling site. Although this is a "dot" release, do not let that fool you as this release contains a large number updates including a major re-architecture in how events are consumed and processed at the core of VEBA.

While this re-architecture does introduce some breaking changes, it does unlock a number of new capabilities that our current users have been asking for. It also provides us with a solid foundation for delivering on future enhancements such as multi-vCenter Server support and additional event sources from NSX-T, vSAN and other VMware Cloud Services to just name a few. Today, the "V" in VEBA stands for vCenter, but in the future, I do see it changing to just "VMware" as it can support so many other solutions.

Having said that, some of the breaking changes also improves the overall user experience, especially as it relates to defining and consuming vCenter Server events as well as troubleshooting and debugging. The team is super excited to get this release in the hands of our community and we look forward to hearing your feedback!

What's New:

  • Introduction of the VMware Event Router which provides a modular and flexible architecture for decoupling the stream "Providers" such as vCenter Server from the actual stream "Processors" like OpenFaaS. More details including its architecture and design can be found here

[Read more...] about Big updates to the vCenter Event Broker Appliance (VEBA) Fling

How to automate the creation multiple routable VLANs on single L2 network using VyOS

by 4 Comments

My personal homelab has a very simple network topology, everything is connected to a single flat network. This has served me well over the years, but sometimes it can prevent me from deploying more complex scenarios. Most recently while working with NSX-T and Project Pacific, I had a need for additional VLANs which my home router does not support. There are a number of software solutions that can be used including the popular pfSense, which I have used before.

Over the Winter break, a colleague introduced me to VyOS, which is another popular software firewall and router solution. I had not heard of VyOS before but later realized it was derived from Vyatta, which I had heard of, but development of that solution had stopped and VyOS is now the open source version of that software. Having never played with VyoS before, I thought this might be a good learning opopournity and started to dabble with VyOS over the holiday. At a high level, I have VyOS connected to two networks: Outside network as VyOS refers which is your local LAN and Inside network as VyOS refers which is an is an isolated vSphere Portgroup (VSS/VDS) that is not connected to anything and configured to pass all traffic (4095). From here, you can create multiple VLANs in VyOS which can then be untagged using Virtual Guest Tagging (VGT) by placing a Nested ESXi VM on the same isolated portgroup and then creating the respective portgroups within the Nested ESXi VM mapping to the VyOS VLANs you have created.

One of the nice benefits of this solution is that you can create multiple "Isolated" yet routable networks that can still reach your primary LAN network and still have  to access core infrastructure services running like Active Directory, DNS, etc. which was one of my requirements.  After figuring out how VyOS works and applying that to my specific use case, I thought why not build some basic automation to setup this solution as I probably will forget how I setup everything. Initially I was using the VyOS OVA but later found out it was an extremely out of date there was no public version of the latest VyOS release in OVA form. I decided to use their latest rolling release and apply some vSphere API Automation to not only install VyOS but also fully configure based on template containing VyOS commands. I know the latest version of VyOS now includes a REST API but its a bit of a chicken/egg to enable and not very friendly to use compared to the solution I have built.

[Read more...] about How to automate the creation multiple routable VLANs on single L2 network using VyOS