Documentation
Reference for vSphere account ¶
If you encounter issues deploying a cluster to vSphere, review the following troubleshooting and reference content.
Required Permissions for the vSphere Account ¶
The vCenter Single Sign On account that you provide to Tanzu Comunity Edition when you deploy a management cluster must have the correct permissions in order to perform the required operations in vSphere.
It is not recommended to provide a vSphere administrator account to Tanzu Community Edition, because this provides Tanzu Community Edition with far greater permissions than it needs. The best way to assign permissions to Tanzu Community Edition is to create a role and a user account, and then to grant that user account that role on vSphere objects.
In the vSphere Client, go to Administration > Access Control > Roles, and create a new role, for example
TCE
, with the following permissions:vSphere Object Required Permission Cns Searchable Datastore Allocate space, Browse datastore, Low level file operations Global (if using Velero for backup and restore) Disable methods, Enable methods, Licenses Network Assign network Profile-driven storage Profile-driven storage view Resource Assign virtual machine to resource pool Sessions Message, Validate session vApp Import vSphere Object Required Permission Virtual machine Change Configuration > Add existing disk Change Configuration > Add new disk Change Configuration > Add or remove device Change Configuration > Advanced configuration Change Configuration > Change CPU count Change Configuration > Change Memory Change Configuration > Change Settings Change Configuration > Configure Raw device Change Configuration > Extend virtual disk Change Configuration > Modify device settings Change Configuration > Remove disk Change Configuration > Toggle disk change tracking* Edit Inventory > Create from existing Edit Inventory > Remove Interaction > Power On Interaction > Power Off Provisioning > Allow read-only disk access* Provisioning > Allow virtual machine download* Provisioning > Deploy template Snapshot Management > Create snapshot* Snapshot Management > Remove snapshot* *Required to activate the Velero plugin, as described in Back Up and Restore Clusters. You can add these permissions when needed later. In Administration > Single Sign On > Users and Groups, create a new user account in the appropriate domain, for example
tce-user
.In the Hosts and Clusters, VMs and Templates, Storage, and Networking views, right-click the objects that your Tanzu Community Edition deployment will use, select Add Permission, and assign the
tce-user
with theTCE
role to each object.- Hosts and Clusters
- The root vCenter Server object
- The Datacenter and all of the Host and Cluster folders, from the Datacenter object down to the cluster that manages the Tanzu Community Edition deployment
- Target hosts and clusters
- Target resource pools, with propagate to children selected
- VMs and Templates
- The deployed Tanzu Community Edition base image templates
- Target VM and Template folders, with propagate to children selected
- Storage
- Datastores and all storage folders, from the Datacenter object down to the datastores that will be used for Tanzu Community Edition deployments
- Networking
- Networks or distributed port groups to which clusters will be assigned
- Distributed switches
- Hosts and Clusters
If you intend to use Velero to back up and restore management or workload clusters, you must also set the permissions listed in Credentials and Privileges for VMDK Access in the Virtual Disk Development Kit Programming Guide.
Static VIPs and Load Balancers for vSphere ¶
Each management cluster and workload cluster that you deploy to vSphere requires one static virtual IP address for external requests to the cluster’s API server. You must be able to assign this IP address, so it cannot be within your DHCP range, but it must be in the same subnet as the DHCP range.
The cluster control plane’s Kube-vip pod uses this static virtual IP address to serve API requests, and the API server certificate includes the address to activate secure TLS communication. In workload clusters, Kube-vip runs in a basic, Layer-2 failover mode, assigning the virtual IP address to one control plane node at a time. In this mode, Kube-vip does not function as a true load balancer for control plane traffic.
Tanzu Community Edition also does not use Kube-vip as a load balancer for workloads in workload clusters. Kube-vip is used solely by the cluster’s API server.
To load-balance workloads on vSphere, use NSX Advanced Load Balancer, also known as Avi Load Balancer, Essentials Edition. You must deploy the NSX Advanced Load Balancer in your vSphere instance before you deploy management clusters.
Obtain vSphere Certificate Thumbprints ¶
If your vSphere environment uses untrusted, self-signed certificates to authenticate connections, you must verify the thumbprint of the vCenter Server when you deploy a management cluster. If your vSphere environment uses trusted certificates that are signed by a known Certificate Authority (CA), you do not need to verify the thumbprint.
You can use either SSH and OpenSSL or the Platform Services Controller to obtain certificate thumbprints.
vCenter Server Appliance ¶
You can use SSH and OpenSSL to obtain the certificate thumbprint for a vCenter Server Appliance instance.
Use SSH to connect to the vCenter Server Appliance as
root
user.ssh root@vcsa_address
Use
openssl
to view the certificate thumbprint.openssl x509 -in /etc/vmware-vpx/ssl/rui.crt -fingerprint -sha1 -noout
Copy the certificate thumbprint so that you can verify it when you deploy a management cluster.
Platform Services Controller ¶
On vSphere 6.7u3, you can obtain a vCenter Server certificate thumbprint by logging into the Platform Services Controller for that vCenter Server instance. If you are deploying a management cluster to vSphere 7, there is no Platform Services Controller.
Log in to the Platform Services Controller interface.
- Embedded Platform Services Controller: https://vcenter_server_address/psc
- Standalone Platform Services Controller: https://psc_address/psc
Select Certificate Management and enter a vCenter Single Sign-On password.
Select Machine Certificates, select a certificate, and click Show Details.
Copy the certificate thumbprint so that you can verify it when you deploy a management cluster.
Thick provisioning versus thin provisioning ¶
If you select thick provisioning as the disk format, when Tanzu Community Edition creates cluster node VMs from the template, the full size of each node’s disk is reserved. This can rapidly consume storage if you deploy many clusters or clusters with many nodes. However, if you select thin provisioning, as you deploy clusters this can give a false impression of the amount of storage that is available. If you select thin provisioning, there might be enough storage available at the time that you deploy clusters, but storage might run out as the clusters run and accumulate data.