I also noticed that there is a new LDAP configuration validation mechanism in the installer interface. TKG gives non-admin users access to clusters through identity management, either via LDAP or OIDC. This validation step is very useful, as there are a significant number of LDAP fields that need to be populated in the installer if you want to use the LDAP Identity Manager provided by Pinniped and Dex. It is a great way to confirm that the settings are correct before proceeding with the deployment.
Note: After deploying TKG v1.4, be sure to update the Carvel tools, i.e. ytt, kapp, kbld and imgpkg, as per the TKG v1.4 documentation. It was only once I updated these tools that the UI enhancements became visible.
NSX Advanced Load Balancer
Let’s look at the changes in the UI that allow the NSX ALB to provide both the control plane endpoints and load balancing for the workload clusters. When you deploy a TKG management cluster to vSphere via the UI, the section that handles the control plane endpoint now offers a choice of endpoint provider. You can continue to use kube-vip as the control plane endpoint provider, as shown below. If you select kube-vip, you still need to provide an IP address for the control plane endpoint, as before:
However, if you change the control plane endpoint provider to NSX ALB, providing an IP address for the control plane endpoint becomes optional. The NSX ALB handles this, and the IP address is allocated from the range of addresses that have been reserved for VIPs (Virtual IPs) within the NSX ALB itself.
Now you can use the NSX ALB for all load balancing services in TKG v1.4. For the purposes of illustration, here is the control plane service from the management cluster as viewed in the NSX ALB dashboard soon after the control plane initialized:
Similarly, once you begin to deploy TKG workload clusters, their control plane services should also appear here.
The second feature that caught my eye was the ability to verify that the LDAP configuration you have put in place is indeed valid. As mentioned, this is part of the Identity Management feature, which allows you to integrate with LDAP or OIDC so that you do not have to grant developers admin access to the clusters. Through Pinniped and Dex, developers can be given access with various levels of privilege. For LDAP, there are a significant number of fields to populate, so it is great that you can now validate the configuration before proceeding with the deployment. Here is an example of the fields that you would typically populate for an LDAP setup:
Now, when you click on the VERIFY LDAP CONFIGURATION button, a popup window tests the Identity Management settings. Here I have added a user, cormac, who is a “developer” that I want to grant access to the cluster later on through a ClusterRoleBinding. The check validates that this user can be found in LDAP using the settings that have been entered under LDAP Identity Management.
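The verification button does the same thing you can do from a shell: bind with the bind DN, search the user base DN for the chosen username attribute, and confirm exactly one entry comes back. The script below is an added example (not TKG, Pinniped or Dex code) that reproduces that lookup outside the installer so you can debug a failing verification. The dictionary keys mirror the TKG LDAP_* cluster-config variables that the UI populates; the host, DNs, the user cormac and the sample directory entries are constructed values, and the assumption that the directory listens on LDAPS is mine.

```python
"""Reproduce the installer's LDAP lookup outside the UI (added example)."""
import shlex

# Constructed sample values standing in for what is typed into the installer.
# Keys follow the TKG LDAP_* cluster-config variable names.
LDAP_SETTINGS = {
    "LDAP_HOST": "ldap.example.internal:636",            # assumed LDAPS port
    "LDAP_BIND_DN": "cn=tkg-bind,ou=service,dc=example,dc=internal",
    "LDAP_USER_SEARCH_BASE_DN": "ou=people,dc=example,dc=internal",
    "LDAP_USER_SEARCH_FILTER": "(objectClass=posixAccount)",
    "LDAP_USER_SEARCH_USERNAME": "uid",          # attribute matched to the login
    "LDAP_USER_SEARCH_NAME_ATTRIBUTE": "uid",    # value that becomes the k8s user
    "LDAP_GROUP_SEARCH_BASE_DN": "ou=groups,dc=example,dc=internal",
    "LDAP_GROUP_SEARCH_FILTER": "(objectClass=posixGroup)",
    "LDAP_GROUP_SEARCH_GROUP_ATTRIBUTE": "member",
    "LDAP_GROUP_SEARCH_NAME_ATTRIBUTE": "cn",
}

# Constructed directory entries, as a search over the user base DN might return them.
SAMPLE_ENTRIES = [
    {"dn": "uid=cormac,ou=people,dc=example,dc=internal", "uid": "cormac", "cn": "Cormac"},
    {"dn": "uid=alice,ou=people,dc=example,dc=internal", "uid": "alice", "cn": "Alice"},
]

# RFC 4515 escaping: a login typed by a user must never be able to rewrite the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def user_search_filter(settings: dict, username: str) -> str:
    """AND the configured base filter with '(<username-attr>=<login>)'."""
    attr = settings["LDAP_USER_SEARCH_USERNAME"]
    return f"(&{settings['LDAP_USER_SEARCH_FILTER']}({attr}={escape_filter_value(username)}))"


def group_search_filter(settings: dict, user_dn: str) -> str:
    """Second lookup: groups whose member attribute holds the user's DN."""
    attr = settings["LDAP_GROUP_SEARCH_GROUP_ATTRIBUTE"]
    return f"(&{settings['LDAP_GROUP_SEARCH_FILTER']}({attr}={escape_filter_value(user_dn)}))"


def check_user_lookup(entries: list, settings: dict, username: str) -> tuple:
    """Pass only if exactly one entry matches: none means the filter or base DN is
    wrong, more than one means the username attribute is not unique."""
    attr = settings["LDAP_USER_SEARCH_USERNAME"]
    matches = [e for e in entries if e.get(attr) == username]
    if not matches:
        return (False, "user not found under " + settings["LDAP_USER_SEARCH_BASE_DN"])
    if len(matches) > 1:
        return (False, f"{len(matches)} entries match {attr}={username}; attribute is not unique")
    return (True, matches[0]["dn"])


def ldapsearch_command(settings: dict, base_dn: str, search_filter: str, attributes: list) -> list:
    """Equivalent ldapsearch invocation. -W prompts for the bind password so it
    never lands on the command line, in shell history or in `ps` output."""
    return [
        "ldapsearch", "-LLL", "-x",
        "-H", f"ldaps://{settings['LDAP_HOST']}",
        "-D", settings["LDAP_BIND_DN"], "-W",
        "-b", base_dn, "-s", "sub",
        search_filter, *attributes,
    ]


if __name__ == "__main__":
    login = "cormac"
    ok, detail = check_user_lookup(SAMPLE_ENTRIES, LDAP_SETTINGS, login)
    print("user lookup:", "OK" if ok else "FAILED", detail)
    print(shlex.join(ldapsearch_command(
        LDAP_SETTINGS, LDAP_SETTINGS["LDAP_USER_SEARCH_BASE_DN"],
        user_search_filter(LDAP_SETTINGS, login),
        ["dn", LDAP_SETTINGS["LDAP_USER_SEARCH_NAME_ATTRIBUTE"]])))
    if ok:
        print(shlex.join(ldapsearch_command(
            LDAP_SETTINGS, LDAP_SETTINGS["LDAP_GROUP_SEARCH_BASE_DN"],
            group_search_filter(LDAP_SETTINGS, detail),
            [LDAP_SETTINGS["LDAP_GROUP_SEARCH_NAME_ATTRIBUTE"]])))
```

Two points worth keeping in mind when the verification fails: the value of the name attribute (here uid) is the identity you will later put in the ClusterRoleBinding subject, so check that it is what you expect, and the bind DN only needs read access to the user and group subtrees, so do not reuse an administrative account for it.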
These are just a few of the new features that I picked out from the TKG v1.4 release. There are numerous others, so please check out the release notes for the full list, including new features for TKG on AWS and Azure as well.