returntrip's Posts

My TMC Local is not working as I am waiting for a newer version compatible with CSE 4.1. But I was trying to use Access Roles to manage/limit K8s API access (e.g.: limit certain users to certain namespaces). What I noticed was that you need either `tmc-admin` or `tmc-member` roles to log onto TMC CLI (the command line interface for TMC), which allows you to access the k8s API via kubectl. Having `tmc-admin` or `tmc-member` roles automatically gives full (admin) access to TMC managed K8s clusters and I am therefore unable to limit certain users or groups (i.e.: user `johndoe` should only be able to list namespaces for k8s cluster xyz). I hope this makes sense. If not, let's wait for a new version of TMC that supports CSE 4.1. Will reinstall and can get into a meeting.
Is there a newer version of TMC local that is compatible with CSE 4.1? I tried to install it but it is complaining that no CSE server is available:

```
root@PhotonOS-001 [ ~ ]# /mnt/cdrom/linux.run create instance --name $TMC_SM_INSTANCE_NAME --host $VCD_HOSTNAME --username $VCD_USERNAME --certificate-file /tmp/vcd.pem --encryption-key ${TMC_SM_ENCRYPTION_KEY} --input-kube-cluster-name=${TMC_SM_KUBE_CLUSTER_NAME} --input-cert-provider=cluster-issuer --input-cert-cluster-issuer-name=selfsigned-ca-clusterissuer --input-dns-zone=${TMC_SM_DNS_ZONE} --input-contour-envoy-load-balancer-ip=${TMC_SM_LOAD_BALANCER_IP} --input-harbor-url=${TMC_SM_HARBOR_URL} --input-harbor-username=${TMC_SM_HARBOR_USERNAME} --accept
INFO [0019] Creating Solution instance entity instance=vmware.vcd-tmc-0.1.0-21897297-tmc
INFO [0019] Triggering action action=hook event=PreCreate
INFO [0020] Run EventPreCreate Hook action=hook event=PreCreate
INFO [0020] Run EventPreCreate Hook successfully action=hook event=PreCreate
INFO [0021] Creating element name=rde
INFO [0021] Creating element name=tmc-admin-global-role
INFO [0022] Creating element name=tmc-member-global-role
INFO [0023] Creating element name=rights-bundle
INFO [0023] Triggering action action=hook event=PostCreate
INFO [0024] Run EventPostCreate Hook action=hook event=PostCreate
INFO [0024] Copy the rights from global roles [Kubernetes Cluster Author] to the global role [tmc:member] action=hook event=PostCreate
INFO [0025] Update rights of global role tmc:member action=hook event=PostCreate
INFO [0025] Copy the rights from global roles [Organization Administrator Kubernetes Cluster Author] to the global role [tmc:admin] action=hook event=PostCreate
INFO [0025] Update rights of global role tmc:admin action=hook event=PostCreate
INFO [0025] Get Solution Org action=hook event=PostCreate
INFO [0025] Solution Org: CSE action=hook event=PostCreate
INFO [0025] Search CSE4 Cluster action=hook event=PostCreate
ERROR [0025] Failed to find any cse cluster in org CSE action=hook event=PostCreate
ERROR [0026] Failed to create instance 'tmc' name=tmc
ERROR [0026] Failed to find any cse cluster in org CSE: exit status 6: failed to execute trigger hook errorCode=5012110011142353
```

I could manage the cluster (i.e.: kubectl get nodes, get pods etc)
I think the answer to the root CA issue is to add the certificate to "Cluster Certificates (Optional)" in the "CSE Management" window. Will try and see if it works.
I managed to delete it manually by:

```
curl -ks -H "Accept: application/json;version=37.0" -H "Content-Type: application/json" -H "Authorization: Bearer ${VCLOUD_ACCESS_TOKEN}" -X DELETE https://$VCD_HOSTNAME/cloudapi/1.0.0/entities/urn:vcloud:entity:vmware:solutions_add_on_instance:72f202b9-a8a9-46ac-8ebd-9fa4490d0f0b
```

The next problem is that the CSI 4.1 Plugin does not have a certificate session during cluster creation. I will need to find a way to add the certificate after cluster creation.

I am not sure if "CSE4" is referring to a VM or vApp or if that is just some hardcoded name and of no consequence to the search. I am asking cause I have just updated CSE to 4.1 and deleted the previous vApp/VM (IIRC both called CSE4). Would be great to have some help with this as I need to remove this instance and reinstall it.

```
root@PhotonOS-001 [ ~ ]# /mnt/cdrom/linux.run delete instance --name $TMC_SM_INSTANCE_NAME --accept --host $VCD_HOSTNAME --username $VCD_USERNAME --certificate-file /tmp/vcd.pem --encryption-key ${TMC_SM_ENCRYPTION_KEY} --accept --password $VCD_EXT_PASSWORD
INFO [0019] Triggering action action=hook event=PreDelete
INFO [0021] All global roles are ready to delete action=hook event=PreDelete
INFO [0021] cluster:tmc action=hook event=PreDelete
INFO [0021] Get Solution Org action=hook event=PreDelete
INFO [0021] Solution Org: CSE action=hook event=PreDelete
INFO [0021] Search CSE4 Cluster action=hook event=PreDelete
ERROR [0021] Failed to find any cse cluster in org CSE action=hook event=PreDelete
ERROR [0021] Failed to delete instance 'tmc' name=tmc
ERROR [0021] Failed to find any cse cluster in org CSE: exit status 23: failed to execute trigger hook errorCode=5012120012191213
```

Currently, I can log in to TMC CLI in the following ways:

1) Using LDAP accounts with `Cloud Administrator` role
2) Using LDAP account with role `tmc:admin`
3) Using local accounts `tmc-admin`, `tmc-member` or any other local accounts with role `tmc:admin` or `tmc:member` assigned to them

I cannot authenticate to TMC CLI from LDAP/local accounts/groups for which I have authentication configured in the TMC GUI Access section. See screenshot that shows current access policy.

To me, it seems like the `tmc-admin` or `tmc-member` roles are necessary to log onto TMC CLI and subsequently access the K8s API via, say, kubectl. However, having those roles automatically gives admin access to TMC managed K8s clusters, which defeats the purpose of RBAC. Am I missing something?

I am unable to reconcile the tanzu-standard repo due to a certificate error. How can I import or trust the authority for the harbor host to overcome this issue?
I am getting this error: "API Error: Failed to list cluster's integrations: Not Implemented: please try again later (unimplemented)" as a red banner. Any hints how to solve this? Thanks.