How to clean up NSX Protected objects created by TKGi

Article ID: 372159

Updated On:

Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

A cluster creation or deletion failed, and you need to clean up the stale protected NSX objects.

Note! This procedure should never be used on a working TKGI cluster. It is only safe to use if the cluster creation or deletion has failed and a complete cluster cleanup (deletion) is required.

Environment

TKGi v1.12 and later

Resolution

Log in to the pivotal-container-service VM

bosh vms
deployment=pivotal-container-service-ed37ab637cc53362ef60
bosh -d $deployment ssh pivotal-container-service/0

 

Preparation for pksnsxcli

cd /var/vcap/packages/pks-nsx-t-cli/bin

# Constant Values
NSX_CLIENT_CERT=/var/vcap/jobs/pks-nsx-t-osb-proxy/config/nsx_t_superuser_cert.pem
NSX_CLIENT_KEY=/var/vcap/jobs/pks-nsx-t-osb-proxy/config/nsx_t_superuser_key.pem

# Set for your environment
NSX_MANAGER_IPADDR=192.0.2.xxx

# Use "tkgi clusters" or see NSX UI --> Networking --> Tier-1 Logical Routers --> pks-xxxx
CLUSTER_UUID=pks-0b75af48-ae88-4a61-94c5-f7606d45c8b4

# NSX UI --> Networking --> Tier-0 Logical Routers --> ID
T0_ROUTER_ID=d08b1ad8-a9ef-480f-bd2e-379bdbf1e958

# Check the connection to NSX (the WARN message is expected: --insecure disables TLS server authentication)
./pksnsxcli check --nsx-manager-host=$NSX_MANAGER_IPADDR -c $NSX_CLIENT_CERT -k $NSX_CLIENT_KEY --insecure
#> WARN[2024-07-11T04:50:41Z] NSX-T communication config: server tls authentication is disabled

# Dry-run
./pksnsxcli cleanup --nsx-manager-host=$NSX_MANAGER_IPADDR -c $NSX_CLIENT_CERT -k $NSX_CLIENT_KEY --insecure --cluster $CLUSTER_UUID --pks=true --force=true --api-type=Manager --t0-router-id $T0_ROUTER_ID --read-only=true


For the Manager API, use the command below.

./pksnsxcli cleanup --nsx-manager-host=$NSX_MANAGER_IPADDR -c $NSX_CLIENT_CERT -k $NSX_CLIENT_KEY --insecure --cluster $CLUSTER_UUID --pks=true --force=true --api-type=Manager --t0-router-id $T0_ROUTER_ID --read-only=false 

For the Policy API, use the command below.

./pksnsxcli cleanup --nsx-manager-host=$NSX_MANAGER_IPADDR -c $NSX_CLIENT_CERT -k $NSX_CLIENT_KEY --insecure --cluster $CLUSTER_UUID --pks=true --read-only=false --force=true --api-type=Policy

 

Check the result via NSX UI

  • Networking --> Tier-1 router
  • Networking --> Load Balancing
    • Load Balancers
    • Virtual Servers
    • Server Pools
  • Networking --> IP Address Pools
    • IP Pools
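
The cleanup commands above run with the NSX superuser certificate and --force=true, so a mistyped CLUSTER_UUID is costly. The wrapper below is an added example, not part of the original article or of pksnsxcli: it validates the IDs, always performs the dry-run first, and deletes only after the cluster ID is retyped. The function names and the PKSNSXCLI override variable are hypothetical; it assumes IDs are lowercase UUIDs as in the article, and that --read-only=true is also accepted with --api-type=Policy (the article shows the dry-run only with Manager).

```shell
#!/bin/sh
# Added example (not from the article): guard rails around "pksnsxcli cleanup".
# Function names are hypothetical; every pksnsxcli flag is copied from the article.
UUID_RE='[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
PKSNSXCLI=${PKSNSXCLI:-./pksnsxcli}   # run from /var/vcap/packages/pks-nsx-t-cli/bin

# Assumption: Tier-0 router IDs are bare lowercase UUIDs, cluster IDs are pks-<uuid>.
is_uuid() {
  case $1 in *[!0-9a-f-]*|'') return 1 ;; esac   # rejects spaces, newlines, globs
  printf '%s\n' "$1" | LC_ALL=C grep -Eqx "$UUID_RE"
}
valid_router_id()    { is_uuid "$1"; }
valid_cluster_uuid() { case $1 in pks-*) is_uuid "${1#pks-}" ;; *) return 1 ;; esac; }

# $1 = Manager|Policy, $2 = true|false (value passed to --read-only)
run_cleanup() {
  valid_cluster_uuid "$CLUSTER_UUID" || { echo "bad CLUSTER_UUID" >&2; return 1; }
  case $2 in true|false) ;; *) echo "read-only must be true or false" >&2; return 1 ;; esac
  case $1 in
    Manager)
      valid_router_id "$T0_ROUTER_ID" || { echo "bad T0_ROUTER_ID" >&2; return 1; }
      # The article passes --t0-router-id only with the Manager API.
      set -- "--api-type=$1" --t0-router-id "$T0_ROUTER_ID" "--read-only=$2" ;;
    Policy) set -- "--api-type=$1" "--read-only=$2" ;;
    *) echo "api type must be Manager or Policy" >&2; return 1 ;;
  esac
  "$PKSNSXCLI" cleanup "--nsx-manager-host=$NSX_MANAGER_IPADDR" \
    -c "$NSX_CLIENT_CERT" -k "$NSX_CLIENT_KEY" --insecure \
    --cluster "$CLUSTER_UUID" --pks=true --force=true "$@"
}

# Dry-run first; delete only after the operator retypes the cluster ID.
guarded_cleanup() {
  run_cleanup "$1" true || return 1
  printf 'Retype %s to delete its NSX objects: ' "$CLUSTER_UUID"
  read -r typed
  [ "$typed" = "$CLUSTER_UUID" ] || { echo "aborted" >&2; return 1; }
  run_cleanup "$1" false
}
```

After setting the variables from the preparation step, call `guarded_cleanup Manager` or `guarded_cleanup Policy`.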