Connection and authorization

Resource preparation

To manage resources in VCD using the “Deckhouse Kubernetes Platform”, the following resources must be configured in the system:

• Organization
• VirtualDataCenter
• vApp (for the “Standard” placement scheme)
• StoragePolicy
• SizingPolicy
• Network (for the “Standard” placement scheme)
• EdgeRouter
• Catalog

The Organization, VirtualDataCenter, StoragePolicy, SizingPolicy, EdgeRouter, and Catalog resources must be provided by your VMware Cloud Director service provider.

The Network (internal network) can be configured by your VMware Cloud Director service provider or by yourself. When using the “StandardWithNetwork” placement scheme, the network is created automatically. Below is a method for manually setting up an internal network.

User permissions

The user accessing the VMware Cloud Director API must have the following permissions:

• Role “Organization Administrator” with an additional rule “Preserve All ExtraConfig Elements During OVF Import and Export”;
• The “Preserve All ExtraConfig Elements During OVF Import and Export” rule must also be included in the user’s “Right Bundle”.

Adding a network

1. Go to the “Networking” tab and click “NEW”:

   

2. Select the desired “Data Center”:

   

3. In the “Network type” step, select “Routed”:

   

4. Connect the “EdgeRouter” to the network:

   

5. Specify the network name and CIDR:

   

6. Do not add “Static IP Pools” since DHCP will be used:

   

7. Specify DNS server addresses:

   

DHCP setup

To dynamically provision nodes, enable the DHCP server for the internal network.

1. Go to the “Networking” tab and open the created network:

   

2. In the opened window, select “IP Management” → “DHCP” → “Activate”:

   

3. In the “General settings” tab, configure parameters as shown in the example:

   

4. Add a pool:

   

5. Specify DNS server addresses:

   

Adding a vApp

1. Go to “Data Centers” → “vApps” → “NEW” → “New vApp”:

   

2. Specify a name and enable the vApp:

   

Adding a network to a vApp

After creating the vApp, attach the created internal network to it.

1. Go to “Data Centers” → “vApps” and open the desired vApp:

   

2. Go to the “Networks” tab and click “NEW”:

   

3. In the pop-up window, select “Direct” type and choose the network:

   

Incoming traffic

Incoming traffic must be directed to the edge router (ports “80”, “443”) using DNAT rules to the allocated address in the internal network.
This address is managed by MetalLB in L2 mode on dedicated frontend nodes.

Configuring DNAT/SNAT rules on the Edge Gateway

1. Go to “Networking” → “Edge Gateways”, open the edge gateway:

   

2. Go to “Services” → “NAT”:

   

3. Add the following rules:

   

   The first two rules are for incoming traffic, and the third is for SSH access to the control plane node (required for installation).

4. To allow virtual machines to access the internet, configure SNAT rules as in the example:

   

   This rule allows VMs from the “192.168.199.0/24” subnet to access the internet.

Firewall setup

After configuring DNAT, configure the firewall. Start by setting up IP sets.

1. Go to “Security” → “IP Sets”:

   

2. Create the following IP set (assuming the MetalLB address will be “.10” and the control plane node “.2”):

   

3. Add the following firewall rules:

   

Virtual machine template

In the example, an “OVA” file provided by Ubuntu is used, with two modifications.
These modifications are required for proper provisioning of CloudPermanent nodes and to allow attaching disks created by CSI.

Preparing the template from an OVA file

1. Download the OVA file:

   

2. Go to “Libraries” → “Catalogs” → “Organization Catalog”:

   

3. Upload the downloaded template to the catalog:

   

4. Create a VM from the template:

   

To connect to the VM:

1. Start the VM.
2. Wait until it gets an IP address.

3. Forward port “22” to the VM:

   

Log into the VM via SSH and run:

rm /etc/netplan/99-netcfg-vmware.yaml
echo -e '\n[deployPkg]\nwait-cloudinit-timeout=1800\n' >> /etc/vmware-tools/tools.conf
echo 'disable_vmware_customization: true' > /etc/cloud/cloud.cfg.d/91_vmware_cust.cfg
dpkg-reconfigure cloud-init

In the dialog window, leave only the checkbox for OVF: Reads data from OVF transports. Disable all other options:

Make sure that the datasource_list parameter is specified in the cloud-init configuration. You can verify this using the following command:

cat /etc/cloud/cloud.cfg.d/90_dpkg.cfg

If the output is empty, execute the following command:

echo "datasource_list: [ OVF, VMware, None ]" > /etc/cloud/cloud.cfg.d/90_dpkg.cfg

Run the remaining commands:

truncate -s 0 /etc/machine-id
rm /var/lib/dbus/machine-id
ln -s /etc/machine-id /var/lib/dbus/machine-id
cloud-init clean --logs --seed
passwd -d ubuntu
passwd -d root
rm /home/ubuntu/.ssh/authorized_keys
history -c

shutdown -P now

Configuring the template in VCD

1. Power off the virtual machine and delete all filled “Guest Properties” fields:

   

   

2. Create a virtual machine template:

   

   

3. In the created template, go to the “Metadata” tab and add six fields:

   • guestinfo.metadata
   • guestinfo.metadata.encoding
   • guestinfo.userdata
   • guestinfo.userdata.encoding
   • disk.enableUUID
   • guestinfo.hostname

   

   

4. In the vCenter management panel, enable the disk.EnableUUID parameter for the template:

   

   

   

   

   

Storage usage

• VCD supports CSI. Disks are created as VCD Independent Disks.
• The guest property disk.EnableUUID must be enabled for the VM templates in use.
• Deckhouse Kubernetes Platform supports disk resizing starting from version v1.59.1.