Configuring access to the Cloud Consumption Interface for new Aria Automation users

A vSphere+ administrator must configure access for users to work with the Cloud Consumption Interface (CCI) in Automation Service Broker. CCI enables users to create Supervisor namespaces and any associated IaaS and partner DevOps services.

Cloud Consumption Interface Enablement Overview

The following diagram outlines the high-level workflow required to set up access to CCI for vSphere+ users who are new to VMware Aria Automation. The bullets following the diagram provide more details and, where appropriate, links to applicable documentation.

Enabling CCI workflow.

Step 1 - Onboard vCenter to vSphere+: A vSphere administrator must establish a connection between a vCenter instance that contains clusters to which you want to provide access and vSphere+. See Connect Your vCenter Server to a vCenter Cloud Gateway for more information.
Step 2 - Enable one or more Supervisor clusters: A vSphere administrator must configure applicable Supervisor clusters. See Configuring and Managing a Supervisor Cluster for more information.
Step 3 - Enable Developer Experience: When an administrator clicks Finish on the vSphere+ developer experience form, it initiates a workflow that sets up sample projects and related constructs for users to work with either traditional or Supervisor clusters or both, depending on the specific configuration. Note that while CCI leverages supervisor clusters, other VMware Aria Automation use-cases rely on traditional clusters. See Using and Managing vSphere+ for more information.
Step 4 - Cloud Consumption Interface is configured for users: VMware Aria Automation is available to users in the VMware Cloud Services Console. This chapter describes the infrastructure that is created and how users can access it.
Step 5 - Consumers use Cloud Consumption Interface: Users can access designated projects and the associated Supervisor Namespaces and Supervisor Namespace Classes. They can use these namespace classes as templates for new namespaces. CCI provides a customized kubectl cci plug-in for command line control over admin and user tasks. See the following chapters of this document for more information.

For more information about Supervisor clusters and Namespaces and how they work with vSPhere and Tanzu, see https://docs.vmware.com/en/VMware-vSphere-with-Tanzu/index.html

Additional Configuration Notes

Cloud Consumption Interface single sign-on requires customers to use a local Active Directory that has been federated to VMware Cloud and Cloud Services Console as part of the vSphere+ installation process. Federating the Active Directory domain allows support for maintaining user identity during Supervisor Namespace and IaaS service UI or command line operations, as well as any vSphere+ operations via vSphere+ services.

See Set up Enterprise Federation with VMware Cloud Services in the vSphere+ Getting Started with vSphere+ documentation for more information about how vSphere+ uses federation.

Users access CCI services and resources via a dedicated Kubernetes proxy. To maintain user identity as the proxy accesses the vCenter Kubernetes APIs, CCI uses a single sign-on flow similar to that used by vSphere+.

The Automation Service Broker User role includes the necessary privileges to access the Supervisor namespaces as an SSO user. Only users assigned this role can access services within namespaces created on vSphere+ vCenters.

Enabling Developer Experience for vSphere+ users

vSphere+ administrators can use the vSphere+ Console to activate the developer experience which includes entitlement to VMware Aria Automation Free Tier if customer dont have it already.

When the administrator completes configuration in vSphere+, a configuration workflow runs automatically that entitles the selected users and groups to use VMware Aria Automation Free Tier, including Cloud Assembly and Automation Service Broker. Also, it configures all the necessary components to enable and configure Cloud Consumption Interface within VMware Aria Automation Free Tier. The result is a curated sample VMware Aria Automation environment with which users can provision workloads.

The following table describes the infrastructure that is created based on cluster selections by an administrator in vSphere+.

vSphere+ Cluster Selection	Infrastructure created in VMware Aria Automation Free Tier
Traditional Clusters	Adds a vCenter cloud account. Creates a cloud zone for every datacenter that contains traditional clusters to be onboarded. If there are multiple clusters in a datacenter, they are added to the cloud zone for that data center. Creates a new project called `Default`. Adds the cloud zones to the project. Adds vSphere + VI administrators as Project administrators. Adds vCenter/Cloud Services Console users as Project Users Assigns vSphere + VI administrators the VMware Aria Automation Assembler and Consumption admin role. Assign vCenter/Cloud Services Console users the Automation Service Broker user role.
Supervisor Clusters	Adds a vCenter cloud account. See the VMware Aria Automation documentation for information about cloud accounts. Creates one CCI system project `vmware-system-cci` per organization. Creates one project called “supervisor” per organization. Adds vSphere + VI admin(s) as Project Administrator. Adds vCenter/Cloud Services Console users as Project Users, using project role binding. See the VMware Aria Automation documentation for more information about projects. Adds default region called `onprem` - one per organization. A region is a grouping mechanism for Supervisor namespaces. Adds a default supervisor namespace class called `basic`. Adds region binding config to tie the region `onprem` / Project `supervisor` to Supervisor clusters. Supervisor clusters are selected based on the match expression. Add Supervisor namespace class binding to tie Supervisor namespace class named `basic` to the newly created project named `supervisor`. Adds Supervisor namespace class config to specify the Storage policies, Content Libraries and VM Service parameters for the Supervisor namespace. Supervisor clusters are selected based on the match expression.

vSphere+ Cluster Selection

Infrastructure created in VMware Aria Automation Free Tier

Traditional Clusters

Adds a vCenter cloud account.
Creates a cloud zone for every datacenter that contains traditional clusters to be onboarded. If there are multiple clusters in a datacenter, they are added to the cloud zone for that data center.
Creates a new project called Default.
Adds the cloud zones to the project.
Adds vSphere + VI administrators as Project administrators.
Adds vCenter/Cloud Services Console users as Project Users
Assigns vSphere + VI administrators the VMware Aria Automation Assembler and Consumption admin role.
Assign vCenter/Cloud Services Console users the Automation Service Broker user role.

Supervisor Clusters

Adds a vCenter cloud account. See the VMware Aria Automation documentation for information about cloud accounts.
Creates one CCI system project vmware-system-cci per organization.
Creates one project called “supervisor” per organization.
- Adds vSphere + VI admin(s) as Project Administrator.
- Adds vCenter/Cloud Services Console users as Project Users, using project role binding.
- See the VMware Aria Automation documentation for more information about projects.
Adds default region called onprem - one per organization. A region is a grouping mechanism for Supervisor namespaces.
Adds a default supervisor namespace class called basic.
Adds region binding config to tie the region onprem / Project supervisor to Supervisor clusters. Supervisor clusters are selected based on the match expression.
Add Supervisor namespace class binding to tie Supervisor namespace class named basic to the newly created project named supervisor.
Adds Supervisor namespace class config to specify the Storage policies, Content Libraries and VM Service parameters for the Supervisor namespace. Supervisor clusters are selected based on the match expression.

When the automatic configuration workflow completes, users have access to VMware Aria Automation components in VMware Cloud Services.

There are some limitations on the number of resources that administrators can create. See Free Tier Limitations for more information about limits.

There are three VMware Aria Automation access scenarios for VMware Aria Automation Free Tier users, depending on the user project membership and whether the project has access to cloud zones, Kubernetes zones or both. These scenarios are outlined below.

If project users are members of project that is only configured with Kubernetes zones, when they activate Automation Service Broker, they will see the Supervisor Namespaces node for CCI on the left menu for the Consume tab, but they will not see or have access to the Catalog or Deployments nodes on the Automation Service Broker left menu pane.
If project users are members of a project that is configured with both cloud zones and Kubernetes zones, when they activate Automation Service Broker, they will see the Catalog and Deployments nodes on the left menu, but they will not see or have access to CCI via the Supervisor Namespaces node.
If project users are members of a project that is configured with both cloud zones and Kubernetes zones, they have access to the Supervisor Namespaces node and to the Catalog and Deployments nodes on the Automation Service Broker left menu.