Table of Contents
Introduction
Over the last few years, VCD has evolved as a true developer ready cloud. To start with, VCD enabled Service Providers to offer multi-tenant/multi-cluster Kubernetes as-a-Service through Container Service Extension and lately enabled integration with Tanzu Mission Control to simplify the Kubernetes management and visibility across environments through a single pane of glass.
Software as a Service (SaaS) has emerged as a game-changer, offering a flexible and scalable approach to software delivery that aligns perfectly with the demands of modern businesses. To cater to this need, VCD integrates with the App Launchpad service that offers a self-service portal to tenants to deploy and manage their applications easily. It allows users to deploy and manage applications on top of the infrastructure provisioned through the VCD portal and provides a user-friendly interface for application provisioning.
The main challenge with App Launchpad was the need for administrators to handle catalog items individually, resulting in increased overhead. Additionally, setting up and configuring the App Launchpad separately in the environment and publishing it to the respective tenants through the App Launchpad plugin added complexity.
VMware launched the Content Hub feature in VCD 10.5.0 to alleviate this complexity. In this post, I will go over this feature in-depth and walk through the process of configuring Content Hub and deploying sample apps.
What is VCD Content Hub?
Content Hub is an inbuilt feature of VCD that provides a unified interface to consume VM and container-based applications. It is an out-of-the-box feature and does not require installing any additional components. It merges the existing VMware Cloud Director Catalog and App Launchpad into a unified experience for tenants and providers. So you can think of VCD Content Hub as a replacement for the App Launchpad. The Content Hub feature effortlessly incorporates external content sources, such as VMware Marketplace and Helmchart Repositories, into the VCD environment.
The below image from VMware’s official documentation shows a high-level overview of the VCD Content Hub architecture.
Let’s discuss the installation workflow now.
The overall installation workflow can be summarized as shown below and the upcoming section of this blog post will cover each stage of the workflow.
Content Hub Service Provider Configuration
Service Provider integrates Content Hub with VMware Marketplace and one or more Helm repositories and then shares the repos with the tenants. Service Providers can create multiple catalog content resources for VMware Marketplace and external Helm chart repositories.
Integrate Content Hub with VMware Marketplace
Login to VCD and navigate to the Content Hub tab. To create the Marketplace resource, click on the option “Add Vmware Marketplace”.
Click on the New button to proceed with the configuration.
Enter the following:
- Name: A user friendly meaningful name for the marketplace resource.
- URL: https://gtw.marketplace.cloud.vmware.com/api/v1
- Token ID: Your Marketplace Token
If you don’t have a token handy or do not know how to generate a token, see vmware documentation on Generate API Tokens
After you Click Save, the VMware Marketplace connection appears in the list of resources.
Integrate Content Hub with Help Repositories
You must create a Helm chart repository resource and distribute it with one or more tenant organizations if you want tenants to import applications into VCD catalogs from an external Helm chart repository.
To add a helm repository, click on the “Add Helm Chart Repositories” button.
Enter the following:
- Name: A user friendly meaningful name for the Helm repo.
- URL: URL of the helm chart repository.
- Authentication Type: Basic or Anonymous.
Verify that the helm repository that you are configuring contains an index.yaml file. For example, if the repository is located at https://example.com/charts, the index file must be available at https://example.com/charts/index.yaml. If the repository requires authentication, you must select basic authorization, and enter the credentials.
I added a few sample helm repositories in my lab.
Share VMware Marketplace Resource with Tenants
Service Providers must share the VMware Marketplace resources with tenant organizations to enable them to add VM/Container applications from the marketplace.
Select the Tenant’s organizations with whom you want to share the marketplace resource.
Note: You can only share the marketplace resource in Read-Only mode with the tenants.
Repeat the process to share Helm repositories with the tenants.
Modifying Rights Bundles and Global Roles
A new set of User Roles has been introduced to facilitate users in accessing and managing the Content Hub. Assigning the appropriate user roles to individuals within the organization to grant them access and utilize the Content Hub feature effectively is crucial.
Modifying Organization Admin Role
Modify the Organization Admin role to include the permissions to manage Content Hub operations.
Note: Tenants will not be allowed to create Marketplace resources even with the “Edit the External Source in Content Hub” rights. Also, with the “Share the Content Hub External Source“, Tenants can share catalogs among users not with other Tenants. Only the Service Provider can share catalogs across tenants.
Modifying Kubernetes Cluster Owner Role
The Kubernetes Cluster Owner Role gets created when you deploy Container Service Extension in VCD. The tenant user tied to this role deploys and has administrative control over the Kubernetes cluster.
The Kubernetes Cluster Owner must install the Kubernetes operator in the K8 clusters where container applications will be deployed from the VMware Marketplace and Helm chart repositories. The Kubernetes operator uses the API token of the Kubernetes cluster owner for communication with VCD and for carrying out container application management operations.
To enable the installation of the Kubernetes operator, the Service provider must first assign additional permissions to the Kubernetes Cluster Owner role. The additional required permissions are:
|
1 2 3 4 5 6 7 8 9 |
Manage Container App Reconcile Container App Full Control: VMWARE: KUBECLUSTEREXTENSION View: VMWARE: KUBECLUSTEREXTENSION Full Control: VMWARE:CAPVCDCLUSTER |
Modifying Default Rights Bundle
The VCD product documentation doesn’t talk about modifying this right bundle, but in my lab, I found that the Launch container app button was not highlighting because it was missing the right “Manage Container Applications”. I worked with the VCD Engineering team to figure this out.
Also, you have to publish the right bundle “vmware:kubeClusterExtension Entitlement” to the tenants.
Content Hub Tenant Operations
Install Kubernetes Operator
Login to VCD as a Kubernetes Cluster Owner and navigate to Content Hub > Manage Resources > Kubernetes Operator and click on Install Operator and select the K8 cluster from the list where the operator will be installed.
- If your environment (K8 cluster) has access to the internet, select the VMware Registry.
- For an airgap environment or environments that use a custom repository, select the Custom Registry option and point the location to the project where you have uploaded the contenthub package repo.
Click on the Install Operator button after you select the location and version of the contenthub package repo.
Wait for the operator installation to complete. This typically takes 5 minutes.
The operator installation status shows not reachable intermittently, but it’s not an issue.
After a few minutes, the status shows Ready.
During the operator installation, the system creates two namespaces namely ‘vcd-contenthub-system’ and ‘vcd-contenthub-workloads’. The first namespace contains the k8 resources for the Kubernetes Operator and the second namespace is initially empty. It will be populated when you deploy container applications at a later stage.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
[root@ta-linjump ~]# kubectl get ns | grep vcd vcd-contenthub-system Active 5d19h vcd-contenthub-workloads Active 5d19h [root@ta-linjump ~]# kubectl get all -n vcd-contenthub-system NAME READY STATUS RESTARTS AGE pod/vcd-contenthub-controller-manager-667fdfc69-mq8ck 1/1 Running 0 3d13h NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/vcd-contenthub-controller-manager 1/1 1 1 5d19h NAME DESIRED CURRENT READY AGE replicaset.apps/vcd-contenthub-controller-manager-667fdfc69 1 1 1 5d19h |
Create & Share Catalog with Tenant Users
Before Tenants can deploy the container/vm applications from the marketplace/helm repo, the tenant admin needs to create a catalog and add contents in the catalog that users will consume. The catalog can be shared with one or more users of the tenant organization.
Login as tenant portal with organization admin credentials and navigate to Content Hub > Catalogs and click on new to create a catalog.
Name the catalog and Click OK to create it.
Click on the three vertical ellipses to open the catalog settings and select Share.
Select the users with which the catalog will be shared and choose the appropriate access level.
Add Content to the Catalog
To add vm/container images to the shared catalog, navigate to the Content tab, click the Add button, and select “From VMware Marketplace or Helm Chart repository”
Select the shared catalog and click Next.
Select the source from where you want to add content.
Select the marketplace resource and click Next.
Select the type of application and the application images that you want to import into the catalog.
Accept EULA for the selected application images and click Next.
Click Import to start importing the application images.
Click on the close button to finish the import wizard.
Applications are now ready to be launched.
Deploy Container Applications
Before you start deploying container applications, you need to create a clusterrole binding, otherwise, you will see an error similar to as shown below:
|
1 2 3 4 5 |
revision 1: unable to build kubernetes objects from release manifest: error validating "": error validating data: failed to check CRD: failed to list CRDs: customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:vcd-contenthub-system:vcd-contenthub-package-install" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope |
This is called out in the VCD documentation
Content Hub does not support the deployment of Helm chart container applications that require the creation of resources at the Kubernetes cluster level.
To create a cluster rolebinding, you can use the below yaml
|
1 2 3 4 5 6 7 8 9 10 11 12 |
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: vcd-contenthub-package-install-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: vcd-contenthub-package-install-role subjects: - kind: ServiceAccount name: vcd-contenthub-package-install namespace: vcd-contenthub-system |
Note: Automatic creation of cluster rolebinding will be supported in the upcoming VCD release.
Login to VCD as a Kubernetes Cluster Owner user, navigate to the Content Hub > Content > Application Images tab, and click on the Launch button to deploy the desired container application to the k8 cluster.
Select the application version and the target k8 cluster and click Launch Application.
In a matter of minutes, your deployed application will be ready.
You can monitor the application deployment from the VCD task pane.
Click on the DETAILS option to see details of the application, like Status, Access URLs, etc.
You will be able to see k8 objects in the ‘vcd-contenthub-workloads’ namespace now.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
[root@ta-linjump ~]# kubectl get all -n vcd-contenthub-workloads NAME READY STATUS RESTARTS AGE pod/apache-test-686c6cdb7b-h54v6 1/1 Running 0 7m45s NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/apache-test LoadBalancer 100.68.228.139 192.168.190.5 80:31719/TCP,443:30563/TCP 7m45s NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/apache-test 1/1 1 1 7m45s NAME DESIRED CURRENT READY AGE replicaset.apps/apache-test-686c6cdb7b 1 1 1 7m45s |
Troubleshooting Tip: If you encounter any issues with Kubernetes Operator deployment or deploying any application, always check the logs of the ‘vcd-contenthub-controller-manager’ pod in the ‘vcd-contenthub-system’ namespace.
You can also deploy VM-based applications from the catalog. The workflow is slightly different as the target platform is infrastructure, not the k8 cluster.
And that’s it for this post.
I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing.