Best Practices: This is the recommended process for building and using a new CCC along with all required components for Guest Cluster configuration:
1. Clone the existing default TanzuKubernetesCluster ClusterClass for initial CCC creation. This will ensure all configuration variables are present and will minimize time spent investigating variations in the configuration. 2. NOTE that any changes to the CCC will be pushed to Guest Clusters owned by the CCC. Ensure modifications to existing CCC's are minor and ideally have been tested prior to application. 3. If large scale changes are required on the CCC, it is recommended to create a new one with a new associated Guest Cluster for testing prior to application on any existing CCC's/workloads. 4. Ensure you have created all required PREREQUISITES to minimize time spent investigating Guest Cluster deployments. 5. Deploy a Guest Cluster from the custom ClusterClass using default values FIRST, then apply any changes to the CCC to ensure the basic configuration is sound.
High Level Process:
1. Create Prerequisites: vSphere Namespace, Attach StoragePolicy, Attach VMClass, Attach ContentLibrary 2. Clone CustomerClusterClass from existing ClusterClass 3. Create Supervisor Objects required for Guest Cluster initial Deployment 4. Create Guest Cluster 5. Create Supervisor Objects for Guest Cluster Management 6. Create Guest Cluster Security Policies for User Authentication 7. Synchronize SSO roles configured in vSphere Client Namespace view into Guest Cluster for management
Detailed Custom ClusterClass creation steps:
PREREQUISITES
Create Custom ClusterClass by cloning the default CC:
# kubectl -n custom-ns get clusterclass tanzukubernetescluster -o json | jq '.metadata.name="custom-cc"' | kubectl apply -f -
Create Supervisor Objects Required for Guest Cluster Initial Deployment
1. Download and extract the contents of attached file CCC_config_yamls.tar.gz to the jumpbox used to connect to the Supervisor Cluster
2. Create a Self Signed Extension issuer cert in the custom-ns namespace:
# kubectl -n custom-ns apply -f self-signed-extensions-issuer.yaml
3. For below example, we will use the default cluster name ccc-cluster, the steps demonstrate how to change this if needed.
Create ExtensionCACertificate: Edit the the "extension-ca-certificate.yaml" file and change ccc-cluster-extensions-ca to the chosen cluster name in the metadata.name and the spec.issuerRef.name fields. We will use cluster name "ccc-cluster" by default, if using a cluster named "test", we would change the file accordingly:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: test-extensions-ca
spec:
commonName: kubernetes-extensions
duration: 87600h0m0s
isCA: true
issuerRef:
kind: Issuer
name: self-signed-extensions-issuer
secretName: test-extensions-ca
usages:
- digital signature
- cert sign
- crl sign
Create an Extension CA certificate and secret using the yaml modified in the previous step:
# kubectl -n custom-ns apply -f extension-ca-certificate.yaml
You should see a secret with name ccc-cluster-extensions-ca created
Create ExtensionsCAIssuer: Edit the the "extensions-ca-issuer.yaml" file and change ccc-cluster-extensions-ca to the chosen cluster name in the metadata.name and the spec.ca.secretName fields. We will use cluster name "ccc-cluster" by default, if using a cluster named "test", we would change the file accordingly:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: test-extensions-ca-issuer
spec:
ca:
secretName: test-extensions-ca
Create an Issuer certificate using the yaml modified in the previous step:
# kubectl -n custom-ns apply -f extensions-ca-issuer.yaml
Create AuthServiceCertificate: Edit the the "auth-svc-cert.yaml" file and change ccc-cluster-extensions-ca to the chosen cluster name in the metadata.name, spec.issuerRef.name and the spec.secretName fields. We will use cluster name "ccc-cluster" by default, if using a cluster named "test", we would change the file accordingly:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: test-auth-svc-cert
spec:
commonName: authsvc
dnsNames:
- authsvc
- localhost
- 127.0.0.1
duration: 87600h0m0s
issuerRef:
kind: Issuer
name: test-extensions-ca-issuer
secretName: test-auth-svc-cert
usages:
- server auth
- digital signature
Apply the yaml modified in the previous step to complete creation:
# kubectl -n custom-ns apply -f auth-svc-cert.yaml
You should see a secret with name ccc-cluster-auth-svc-cert created
1. Create the ClusterEncryptionConfig secret:
2. Gather NTP from Supervisor Cluster if desired:
# kubectl -n vmware-system-vmop get configmap vmoperator-network-config -o jsonpath={.data.ntpservers}
3. Modify cluster-with-ccc.yaml file with desired settings:
4. Deploy the Cluster:
# kubectl -n custom-ns apply -f cluster-with-ccc.yaml
NOTE: The Guest Cluster will deploy machine and VM objects after this step, HOWEVER, they will stay in provisioning state until completion of the Create Supervisor Objects for Guest Cluster Management in the steps below.
authServicePublicKeys: '{"issuer_url":"https://<VCENTER_FQDN>/openidconnect/vsphere.local","client_id":"vmware-tes:vc:vns:k8s:2dee51bb-ee4c-48b8-8baf-af1107973ef2","keyset":{"keys":[{"alg":"RS256","e":"AQAB","kid":"46FED7FE37DD23BAA07834827EACF15AF598FD92","kty":"RSA","n":"t6IupxaZT-i8RO7tMmWcqmksDNSiaU6L7sv6vLl8iW1cj1IDJVXLoAAFiuhv39UmMNNSt8adNcFzQIULU7E_phtEabbCJ1Ojmz-J42mOdb_GMqqDAPcQOOajH_Iq1q9PwN4KNpUoNsPdCBGlKGD7g1-fmp585i72U9BNpB0qdE1GRsjazueZEYNNWQenvWJsT5Q_-bp9uWzrSTz304B20R62g8RmbPt6zsnDt4vV1LajyTn_PnIaMxIb7el1Ss1LTNrZ0b6tOiQ0G4kDkX0eifZn3UBqJknmnGN7QK0xBrxYy7BBslRH3L06VCalyyGrAPxN46eO5jWf9T568iMrElTu9uPQ1zOjhJpJMZRyxCoXKVqhVnW-B5xOfJuKkomyU7gg0Ijn-1989YFZLC_ZdETyT6sSq_pOZrCrbY2QifqxR82b7FeTcuZ1sh4fJmisu1GbIKoGsuzXD-J9hRUbUM5sdXyJ2AaO108gTAAUH_FVCPGsVIGxJVS6MoP-33Yd","use":"sig","x5c":["MIIFKz.......O0uQ=="]}]}}'
ceritificate: |
-----BEGIN CERTIFICATE-----
MIIDPTCCAiWgAwIBAgIQMibGSjeuJelQoPxCof/+xzANBgkqhkiG9w0BAQsFADAg
MR4wHAYDVQQDExVrdWJlcm5ldGVzLWV4dGVuc2lvbnMwHhcNMjMwNDA4MDUxMDQ5
WhcNMzMwNDA1MDUxMDQ5WjASMRAwDgYDVQQDEwdhdXRoc3ZjMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnsKLZEJ3pXb/QjaZXFXfazplyRRmRzg6E1VW
BHaeX3qLEKXKvdmAT807hZtyUVaSrxwjXoQDshuwNtSjDfKSCGsOiZWGPimidBFk
U/zM2qrb+Ez0ygSI4L/Et3tMy/iSTB6TyIUUH6t4R7JWY56xZRCqXOJt5aUnEjDK
+lBqxyfcXSf+4syHXckiTv+IvstqjPhcKcZs1Rij+44B8bUSeNpP0cHz1i2HSxwF
CP1lD0gHA76/fd7Rp8fn/5nQl0OGZsZDwMwrs+UFY44iDBFz6VoX0qvOVbB0sZGm
TsVaMu124zmafKUM0eyuUQhT90Pt0725NVlrjmYudplfd6rFVwIDAQABo4GAMH4w
DgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQC
MAAwHwYDVR0jBBgwFoAUx2TZ+AHswjOx5OcKFuhHrZPBxDwwKAYDVR0RBCEwH4IH
YXV0aHN2Y4IJbG9jYWxob3N0ggkxMjcuMC4wLjEwDQYJKoZIhvcNAQELBQADggEB
AKeyw9dyPX8JWJyJaUSwpbZSgAP8s6WSI7jQ+xHPFDpzKpACDTrTKA+SbxWZsD8U
TclWkw4V/MEQiVZnKPARs6/mQ6Y5JnlpxxB/g+YOh+eNnRIdrIqN9Uc918J2aULJ
xDH4H9YbFm78Cr8iw7R/UEc8HV7/oVs12ojsKA7nWv9T1+vxY7xqKaH/+r+6M8Kw
seDpmyBtDpfAe3viOsMMZQ6H+RkymaA+MnNu6TUAfrSRHHIA/VXZcH13G59t0qua
sESk/RDTB1UAvi8PD3zcbEKZuRxuo4IAJqFFbAabwULhjUo0UwT+dIJo1gLf5/ep
VoIRJS7j6VT98WbKyZp5B4I=
-----END CERTIFICATE-----
privateKey: LS0tLS1CRUdJTiBSU.....LS0tLQo=
1. Gather required values for the GuestClusterAuthSvcDataValues secret and append them into values.yaml file (reference the above example)
2. Hash the values.yaml file with base64 to gather output for the guest-cluster-auth-service-data-values.yaml file
# base64 -i values.yaml -w 0
3. Edit the guest-cluster-auth-service-data-values.yaml file (downloaded from CCC_config_yamls.tar.gz), replace "ccc-cluster" values in the metadata.labels.cluster-name and metadata.name fields with the chosen cluster name, then replace the data.values.yaml hash string with the value outputted from the command in step 2 above
4. Apply the GuestClusterAuthSvcDataValues file
# kubectl -n custom-ns apply -f guest-cluster-auth-service-data-values.yaml
5. Edit Cluster Bootstrap to reference the secret created above:
# kubectl -n custom-ns edit clusterbootstrap ccc-cluster
EXAMPLE:
- refName: guest-cluster-auth-service.tanzu.vmware.com.1.0.0+tkg.2-zshippable
valuesFrom:
secretRef: ccc-cluster-guest-cluster-auth-service-data-values
1. Gather existing rolebindings from SV cluster:
# kubectl -n custom-ns get rolebinding -o yaml
2. From the returned list of rolebinding objects, identify ones with roleRef.name equal to "edit"
EXAMPLE:
- apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: "2023-04-14T17:23:36Z"
labels:
managedBy: vSphere
name: wcp:custom-ns:group:SSODOMAIN.COM:testuser
namespace: custom-ns
resourceVersion: "3243943"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/custom-ns/rolebindings/wcp:custom-ns:group:vsphere.local:administrators
uid: e0371d9b-5ec3-4553-952f-34bde3fb5d06
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: edit
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: sso:[email protected]
3. Edit the sync-cluster-edit-rolebinding.yaml file from CCC_config_yamls.tar.gz to add any extra roldbindings other than the default [email protected]
EXAMPLE:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
run.tanzu.vmware.com/vmware-system-synced-from-supervisor: "yes"
name: vmware-system-auth-sync-wcp:custom-ns:group:vsphere.local:administrators
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: sso:[email protected]
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
run.tanzu.vmware.com/vmware-system-synced-from-supervisor: "yes"
name: vmware-system-auth-sync-wcp:custom-ns:group:SSODOMAIN.COM:testuser
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: sso:[email protected]
NOTE: In the metadata.name, the user role is prepended with vmware-system-auth-sync- for all users. The metadata.name and subjects.name entries will require modification for all non-default roles.
4. Apply the sync-cluster-edit-rolebinding.yaml config to synchronize rolebindings:
# KUBECONFIG=ccc-cluster-kubeconfig kubectl apply -f sync-cluster-edit-rolebinding.yaml