As there is no method currently via Usage Meter or Aria Operations Chargeback to currently collect usage information for the VMware Cloud Director Extension for VMware Tanzu Mission Control, this article will give the providers a mechanism to partially automate this process in their environment.

• Usage must be reported for each month.
• The attached get-vcd-tmcsm-usage.sh script may be executed once at the end of each month to determine the GB RAM to be reported.

NOTE
Any questions or issues regarding this script may be reported to the tmc-sm channel.
https://vmwarecloudprovider.slack.com/archives/C062SRC6XED.

The get-vcd-tmcsm-usage.sh script is built to give providers data about their customer's usage of Tanzu Mission Control (TMC).
The script may be executed for a single organization or across all organizations.

The output is a line of JSON (JSONL) for each organization with a summary of the resources being managed.

The summary groups cluster information by phase and health to give providers insight into the various states of managed clusters.

VCD Service Accounts

TMC Self-managed does not include a provider API.
A temporary user must be created in each organization in order to call the TMC API for that organization.

VCD service accounts are the appropriate method to achieve this as their tokens may only be used once.
The credentials for this account are only good for the life of the script and the accounts are removed when the script exits.

VCD OIDC Relying Parties

OIDC Relying Parties were introduced to VCD in 10.4.2 as a way for external applications to use VCD as an OAuth Proxy.

• TMC uses OAuth to verify a user's identity and their assigned VCD roles.
• A VCD OIDC Relying Party is created when TMC is deployed as a solution add-on.

The service account is used to retrieve an OAuth 2 access and ID token from the OIDC Relying Party connected to TMC.
These tokens are passed to the TMC API to retrieve details for attached clusters.
 

Order of Operations

The script executes these steps for a single organization. When executed for all organizations, the script is called once per organization with the results being printed directly to the console.

1. Lookup the organization. Exit if it cannot be found.
2. Lookup the tmc:admin role in the organization. Exit if it cannot be found.
3. Retrieve the global TMC RDE to get details about the deployed TMC solution.
4. Remove the service account if it is already present
5. Create a new service account with the tmc:admin role
6. Use the service account token to retrieve an OAuth2 token from the OIDC Relying Party.
7. Retrieve cluster details from the TMC API with the OAuth2 token.
8. Print summarized cluster details to the console.
9. Remove the service account.

Environment Variables

# REQUIRED
export VCD_URL=           # https://vcd.cloud.local/api
export VCD_USER=          # administrator
export VCD_PASSWORD=

# OPTIONAL
export https_proxy=       # 10.2.3.4:3128

CLI Options

<org_name>             # Print usage for this organization
-A,--all-orgs          # Iterate over all organizations and print usage

-k,--insecure          # https://curl.se/docs/manpage.html#-k
--cacert path          # https://curl.se/docs/manpage.html#--cacert
--capath path          # https://curl.se/docs/manpage.html#--capath

--debug                # Print all commands to the console. Warning: this will expose passwords and API tokens.

-h
-v,--version

Note: Add --cacert /path/to/ca-certificates.pem if you are using self-signed certificates for VCD or TMC-SM. You may alternatively use -k if you want to skip certificate validation.

Execution

Run the script to export usage reports for all organizations

get-vcd-tmcsm-usage.sh -A > reports.json

Use jq to aggregate the memory of all clusters in the HEALTHY, WARNING or UNHEALTHY state. This number may be reported as your GB usage for the month.

cat reports.json | jq -s '
[
  .[]
  | select(.usage != null)
  | .usage[]
  | select(
      .health == "HEALTHY" or
      .health == "WARNING" or
      .health == "UNHEALTHY"
    ).allocatedMemory.allocatable
] | add'

Report this usage according to your contract for RAM-based products.

Impact/Risks:

• The provider is responsible for making sure all usage reports are present before aggregating the results.
• The script will iterate over each organization and generate a usage report.
• The script must be run with the username and password for a System Administrator.
  • This enables the script to create temporary service accounts in each organization as part of the reporting process.