Onboarding Kubernetes clusters with the VMware Aria Automation for Secure Clouds API

You can onboard Kubernetes clusters through VMware Aria Automation for Secure Clouds's public API if it is your preference. All API commands utilize the collector-apis endpoint in the Cloud Accounts Service API.

Before you startTime

Before you can onboard any Kubernetes clusters with the API, you need:

  • An environment with kubectl installed.
  • The relevant provider CLI.
  • A shell terminal with curl installed or an API development tool capable of making REST API calls, such as Postman.
  • An API access token for the VMware Aria Automation for Secure Clouds platform.

Local access to your provider CLI is required to set kubectl's current context to your clusters in the public cloud. You can also run CLI commands from your provider's cloud shell if preferred, though you may need to install kubectl there first.

Review detected clusters

Use this command to retrieve the cluster you want to onboard:

curl POST \
https://api.securestate.vmware.com/v1/collectors/query \
-H 'Authorization: Bearer {access_token}' \
-d ' {
  "filters": {
    "op": "EQ",
    "values": [
    {
        "op": "EQ",
        "key": "name",
        "values": ["<cluster name>"]
      }
    ]
  }
}'

Replace cluster name with the name of your cluster in the body. If there are multiple clusters you need to onboard, you can send the request with an empty body to view all clusters the service has detected.

A successful response for a cluster that hasn't yet been onboarded should look like this:

{
    "id": "{collector ID}",
    "name": "{cluster name}",
    "type": "Kubernetes",
    "cspOrgId": "{CSP Org ID}",
    "provider": "{provider}",
    "cloudAccountId": "{cloud account ID}",
    "status": "Discovered",
    "location": "{region code}",
    "credentials": null,
    "properties": {
        "kubernetesVersion": "{k8s version}",
        "managed": true
    },
    "createdTime": "{timestamp}",
    "lastUpdatedTime": "{timestamp}"
}

Get cluster credentials

The next API call retrieves the credentials you need to install a rules collector on your cluster to read its data. Copy all the information from your previous response that you see in this request body:

curl POST \
https://api.securestate.vmware.com/v1/collectors \
-H 'Authorization: Bearer {access_token}' \
-d '{
    "id": "{collector ID}",
    "name": "{cluster name}",
    "type": "Kubernetes",
    "cspOrgId": "{CSP Org ID}",
    "provider": "{provider}",
    "cloudAccountId": "{cloud account ID}",
    "status": "Discovered",
    "location": "{region code}",
    "properties": {
        "kubernetesVersion": "{k8s version}",
        "managed": true
    }
}'

You should see a successful response:

{
   "id":"{collector ID}",
   "name":"{cluster name}",
   "type":"Kubernetes",
   "cspOrgId":"{CSP Org ID}",
   "provider":"{provider}",
   "cloudAccountId":"{cloud account ID}",
   "status":"Pending",
   "location":"{region code}",
   "credentials":{
      "properties":{
         "clientId":"{client ID}",
         "clientSecret":"{client secret}"
      },
      "credentialsType":"cspCredentialPair",
      "creationTime":"{timestamp}"
   },
   "properties":{
      "kubernetesVersion":"{k8s version}",
      "managed":true
   },
   "createdTime":"{timestamp}",
   "lastUpdatedTime":"{timestamp}"
}

You should see your cluster's status changed to Pending. Copy the clientSecret value and keep it in a secure location; it is only displayed once.

Note: The id value changes whenever the cluster's status updates (From Discovered to Pending, then from Pending to Ready). Always use the most recent collector ID when making API calls.

Create configuration file

Use this command to retrieve the content used to create a configuration file:

curl GET \
https://api.securestate.vmware.com/v1/collectors/{collector ID}/installer \
-H 'Authorization: Bearer {access_token}'

Save or copy the response as a YAML file, named to your preference.

Note: Every YAML configuration file is unique to the specific cluster and collector you're trying to attach. Do not re-use YAML configuration files from previous attempts, even if it's from the same cluster.

Install collector

Add the client secret and YAML file name to the following kubectl commands them:

kubectl create namespace chss-k8s && kubectl create secret generic collector-client-secret --from-literal=COLLECTOR_CLIENT_SECRET='{client secret}' -n chss-k8s

kubectl apply -f {filename.yaml}

Your cluster should now go from the Pending to Ready status. Verify through the API or UI.

Detach a cluster

To detach a cluster, run the following command:

curl DELETE \
https://api.securestate.vmware.com/v1/collectors/{collector ID} \
-H 'Authorization: Bearer {access_token}'

You should see the cluster status returned to Discovered. Verify though the app or UI.

Although this process uninstalls the collector, the chss-k8s namespace remains in place and should be removed before attempting to re-attach the cluster. Run this command to delete the namespace:

kubectl delete namespace chss-k8s
check-circle-line exclamation-circle-line close-line
Scroll to top icon