Step 1 – Create a CSE Service Account
Perform these steps using the administrator@system account or an equivalent system administrator role.
Set up a service account in the Provider (system) organization with the CSE Admin Role.
In my environment I created a user to use as a service account named svc-cse. You'll notice that this user has been assigned the CSE Admin Role.
The CSE Admin Role is created automatically by CSE the first time you use the CSE Management UI as a Provider administrator, so just do these steps using the administrator@system account.
Step 2 – Create a token for the Service Account
Log out of VCD and log back into the Provider organization as the service account you created in Step 1 above. Once logged in, it should look like the following screenshot; notice that the svc-cse user is logged into the Provider organization.
Click on the downward arrow at the top right of the screen, next to the user svc-cse, and select User Preferences.
Under Access Tokens, create a new token and copy the token to a safe place. This is what you use to deploy the CSE appliance later. Treat it as a credential: anyone holding the token can act as svc-cse with the CSE Admin Role, so store it in a secrets manager or password vault rather than in a deployment script or wiki page.
Log out of VCD and log back in as administrator@system to the Provider organization.
Step 3 – Deploy CSE appliance
Create a new tenant Organization where you will run CSE. This new organization is dedicated to VCD extensions such as CSE and is managed by the service provider. For example, you can name this new organization something like "solutions-org". Create an Org VDC within this organization and also the necessary network infrastructure, such as a T1 router and an organization network with internet access.
Still logged into the Provider organization, open another tab by clicking on the Open in Tenant Portal link for your "solutions-org" organization. You must deploy the CSE vApp as a Provider.
Now you can deploy the CSE vApp. Use the Add vApp From Catalog workflow. Accept the EULA and continue with the workflow.
When you get to Step 8 of the Create vApp from Template workflow, ensure that you set up the OVF properties like my screenshot below:
The important thing to note is to ensure that you are using the correct service account username together with the token from Step 2 above; the token only works for the user it was created under. Also, since the service account must exist in the Provider organization, leave the CSE service account's org at the default, system.
The last value is very important: it must be set to the tenant organization that will run the CSE appliance, in our case the "solutions-org" organization.
Once the OVA is deployed you can boot it up, or if you want to customize the root password, do so before you start the vApp. If not, the default credentials are
Rights required for deploying TKG clusters
Ensure that the user that is logged into a tenant organization has the correct rights to deploy a TKG cluster. This user must have at a minimum the rights in the Kubernetes Cluster Author Global Role.
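Two of the steps above are easy to get subtly wrong and only show up as a failed appliance or a failed cluster deployment much later: the token from Step 2 pasted into the OVF properties in Step 3 must belong to the service account in the Provider (system) organization and carry the CSE Admin Role, and the tenant user must hold the Kubernetes Cluster Author rights. The following pre-flight check, which I am adding here as an example (it is not code from the original post or from CSE), exchanges a VCD API token for a bearer token and inspects the resulting session. It assumes VCD's API-token exchange endpoints (POST /oauth/provider/token for the System org, POST /oauth/tenant/<org>/token for a tenant, with form field grant_type=refresh_token), the /cloudapi/1.0.0/sessions/current object with user, org and roles fields, API version 37.0, and the hostname vcd.example.com; the JSON responses embedded below are constructed so the script runs offline.

```python
"""Pre-flight check for the VCD API token that goes into the CSE OVF properties.

Added example, not code from the original post or from CSE itself.
Assumed: VCD's API-token exchange endpoints (POST /oauth/provider/token for
the System org, POST /oauth/tenant/<org>/token for a tenant, form field
grant_type=refresh_token) and the /cloudapi/1.0.0/sessions/current object
with "user", "org" and "roles". All sample responses below are constructed.
"""
import json
import urllib.parse
import urllib.request

API_VERSION = "37.0"  # assumption: adjust to the API version your cells support


def http_request(method, url, headers, body=None):
    """Real transport. Swapped for a fake below so the check can run offline."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def token_endpoint(base_url, org):
    """Provider (System) tokens use the provider endpoint, tenant tokens the tenant one."""
    if org.lower() == "system":
        return f"{base_url}/oauth/provider/token"
    return f"{base_url}/oauth/tenant/{urllib.parse.quote(org, safe='')}/token"


def exchange_api_token(base_url, org, api_token, http=http_request):
    """Trade the long-lived API token from User Preferences for a short-lived bearer token."""
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "refresh_token": api_token}).encode()
    headers = {"Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    return json.loads(http("POST", token_endpoint(base_url, org), headers, body))["access_token"]


def current_session(base_url, access_token, http=http_request):
    """Ask VCD who the bearer token actually is: user, org and effective roles."""
    headers = {"Accept": f"application/json;version={API_VERSION}",
               "Authorization": f"Bearer {access_token}"}
    return json.loads(http("GET", f"{base_url}/cloudapi/1.0.0/sessions/current", headers))


def check_session(session, expected_user, expected_org, required_role):
    """Return a list of problems; an empty list means the token is usable for this purpose."""
    problems = []
    user = session.get("user", {}).get("name", "")
    org = session.get("org", {}).get("name", "")
    roles = session.get("roles", [])
    if user != expected_user:
        problems.append(f"token belongs to {user!r}, expected {expected_user!r}")
    if org.lower() != expected_org.lower():  # VCD reports the provider org as "System"
        problems.append(f"session is in org {org!r}, expected {expected_org!r}")
    if required_role not in roles:
        problems.append(f"role {required_role!r} not held (roles: {roles})")
    return problems


def preflight(base_url, org, api_token, expected_user, required_role, http=http_request):
    """Full check: exchange the token, then verify user, org and role of the session."""
    access = exchange_api_token(base_url, org, api_token, http)
    return check_session(current_session(base_url, access, http), expected_user, org, required_role)


# Constructed responses for the offline demonstration (not captured from a real cell).
FAKE_TOKEN_RESPONSE = {"access_token": "eyJ.fake", "token_type": "Bearer", "expires_in": 3600}
FAKE_SYSTEM_SESSION = {"user": {"name": "svc-cse"}, "org": {"name": "System"},
                       "roles": ["CSE Admin Role"]}
FAKE_TENANT_SESSION = {"user": {"name": "k8s-user"}, "org": {"name": "solutions-org"},
                       "roles": ["Kubernetes Cluster Author"]}


def fake_http(session_json):
    """Transport stand-in answering the two calls preflight() makes."""
    def transport(method, url, headers, body=None):
        if method == "POST" and url.endswith("/token"):
            return json.dumps(FAKE_TOKEN_RESPONSE).encode()
        if method == "GET" and url.endswith("/sessions/current"):
            return json.dumps(session_json).encode()
        raise AssertionError(f"unexpected call {method} {url}")
    return transport


if __name__ == "__main__":
    # Against a real cell: preflight("https://vcd.example.com", "system", "<token>", "svc-cse", "CSE Admin Role")
    print(preflight("https://vcd.example.com", "system", "dummy", "svc-cse", "CSE Admin Role",
                    http=fake_http(FAKE_SYSTEM_SESSION)))
    # Same service-account token checked as if it were a tenant token: the org check fails.
    print(preflight("https://vcd.example.com", "solutions-org", "dummy", "svc-cse", "CSE Admin Role",
                    http=fake_http(FAKE_SYSTEM_SESSION)))
```

Run it with the real transport (the default) from a VM on the solutions-org network before you fill in the OVF properties; that exercises the same provider-side path the appliance will use, so a WAF in front of the cells that blocks the SNAT address shows up here as an HTTP error rather than as a silently failing appliance. The tenant variant (org set to the tenant name and required_role set to Kubernetes Cluster Author) gives the same answer for a cluster author's token. The exchanged bearer token is short-lived; the API token itself is the secret to protect.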
You'll also need to upgrade App Launchpad to the latest version, alp-2.1.2-20764259, to support CSE 4.0 deployed clusters. Also ensure that the App-Launchpad-Service role has the rights to manage CAPVCD clusters. Otherwise you may encounter the following issue:
VCD API Protected by Web Application Firewalls
If you are using a web application firewall (WAF) in front of your VCD cells and you are blocking access to the provider side APIs, you will need to add the SNAT IP address of the solutions-org T1 to the WAF whitelist. The CSE appliance needs access to the VCD provider side APIs, and its outbound traffic reaches the cells from that SNAT address.
I wrote about using a WAF in front of VCD in the past to protect provider side APIs. You can read those posts here and here.