It gives me great pleasure to announce the availability of Data Services Manager version 2.1. The team have been working tirelessly on this release to deliver on new features and functionality. In this post, I will cover a number of the big ticket items found in this release. In later posts, I will delve into these features in more detail, so watch this space. Visit the DSM section of the Broadcom Support Portal to download the product. VMware Cloud Foundation customers are automatically entitled to DSM, and in this release we are making it even easier to stand up your…
I recently worked with one of our customers to configure MinIO object storage on-premises. The plan was to create a number of S3 compatible buckets to provide image, backup and log repositories for VMware Data Services Manager v2.0.x. For security reasons, the customer wanted to create an intermediate certificate of authority (CA), and use that to sign the leaf certificates rather than sign them with a root CA. This is common practice. However, the customer hit the above issue when trying to use the MinIO object store buckets with the leaf certs created from the intermediate cert. I decided to…
Over the last month or so, I have looked at various ways of securing Tanzu Kubernetes Grid (TKG) clusters. One recent post covered the integration of LDAP through Dex and Pinniped so you can control who can access the the non-admin context of your TKG cluster. I’ve also looked at how TKG clusters that do not have direct access to the internet can use a HTTP/HTTPS proxy. Similarly, I looked at some tips when deploying TKG in an air-gapped environment, pulling all the necessary images from our external image registry and pushing them to a local Harbor registry. In another…
In this article, I will walk through the steps involved in securing application Ingress access on TKG v1.4. To achieve this, I will use 2 packages that are available with TKG v1.4, Cert Manager and Contour. We will deploy a sample application kuard – Kubernetes Up and Running demo, and show how we can use these packages to automatically generated certificates to establish trust between our client (browser) and the application (kuard) which will be accessed via an Ingress. For the purposes of this article, I will create my own local Certificate Authority. If you have access to a valid…
We are nearing the end of our journey with Getting Started with VMware Cloud Foundation (VCF). In this post, we will go through the deployment of Enterprise PKS v1.5 on a Workload Domain created in VCF v3.9. We’ve been through a number of steps to get to this point, all of which can be found here. Now we have some of the major prerequisites in place, notably NSX-T Edge networking and PKS Certificates, so we can proceed with the Enterprise PKS deployment. However, there are still a few additional prerequisites needed before we can start. Let’s review those first of…
I decided to dedicate a post to taking care of the Enterprise PKS prerequisites when deploying on VMware Cloud Foundation, namely the creation of the various certificates needed for trusted communication between the Enterprise PKS components (Operations Manager, BOSH, PKS and Harbor) and the rest of the environment. Unfortunately, the official VCF 3.9 documentation is a little light on the subject, simply stating that you should ‘Generate CA-Signed Certificates for Operations Manager, BOSH Director, Enterprise PKS control plane, and Harbor Registry‘. Therefore I decided that since it took me a bit of time to get these certificates setup for PKS…
After deploying and configuring the Harbor tile in Pivotal Ops Manager, I ran into a couple of issues with certificates. The first was encountered when I was trying to login to harbor from an Ubuntu VM where I was running all of my PKS and BOSH commands. It was also the VM where I pulled my container images, and the VM from which I now wanted to push them into Harbor. Harbor is our registry server for storing container images. Here is what I got on trying to login: cormac@pks-cli:~$ sudo docker login -u admin harbor.rainpole.com Password: Error response from…