As a VMware Aria Automation cloud administrator, you can use a command line interface to enable Cloud Consumption Interface (CCI) access and configure governance constructs. The command line interface uses the Kubernetes command-line tool, or kubectl.
- If user access to CCI is configured using vSphere+, users can only access the default projects created by vSphere+. You can use the CLI to configure access to additional projects and cloud accounts.
- If you are an administrator of existing VMware Aria Automation instances, you can use the CLI to access CCI without initiating it through vSphere+.
For a complete list of actions that you can perform using the CLI, see Kubernetes API Reference for the Cloud Consumption Interface.
Prerequisites
- Verify that a vSphere administrator has granted users access to VMware Aria Automation by activating the Developer Experience in vSphere+. See Configuring access to the Cloud Consumption Interface for new Aria Automation users.
- Verify that a Supervisor Cluster is enabled on a vCenter instance and is registered with VMware Aria Automation.
- Verify that you are at least an organization member in VMware Aria Automation with the Administrator service role for Automation Assembler or Automation Service Broker.
- Verify that you have:
- Downloaded the CCI kubectl plug-in.
- Obtained an API token for the admin user.
- Used your token to log in to the CCI server and changed the default context to CCI.
Create a project and project role bindings
To group VMware Aria Automation users and set access to infrastructure resources, you create a project and project role bindings.
- Create a project.
kubectl create -f project.yaml
Exampleproject.yamlfile.apiVersion: project.cci.vmware.com/v1alpha1 kind: Project metadata: name: <project_name> spec: description: <description_of_project> sharedResources: true
- Create a project role binding to assign roles to users or groups within a created project.
kubectl create -f projectrolebinding.yaml
The following exampleprojectrolebinding.yamlfile adds a user with the admin project role. Project role values are: admin, view, or edit.apiVersion: authorization.cci.vmware.com/v1alpha1 kind: ProjectRoleBinding metadata: name: cci:user:vmware.com:<user_alias> namespace: <project_name> roleRef: apiGroup: authorization.cci.vmware.com kind: ProjectRole name: admin subjects: - kind: User name: <[email protected]>
Create a region
You create a region so that you can assign Supervisors to that region.
kubectl create -f region.yaml
region.yaml file.
apiVersion: topology.cci.vmware.com/v1alpha1 kind: Region metadata: name: <region_name> spec: description: <description_of_region>
Associate a Supervisor with a region
To associate a Supervisor with a region, you find the Supervisor that you want to update then add the region and labels that will be used for namespace placement.
- To find the Supervisor that you want to update, list the supervisors. Supervisor resources are visible after vCenter data-collection.
kubectl -n cci-config get supervisors
The following is an example result.NAME AGE demo-self-service:domain-c50 75d adminannie-vcenter:domain-c8 5d18h scale-test-vc-01:domain-c8 56d
- Update the Supervisor named
adminannie-vcenter:domain-c8.kubectl -n cci-config edit supervisor adminannie-vc:domain-c8
Example of Supervisor withmetadata.labelskey-value pairs and regionsspec.regionNames.apiVersion: infrastructure.cci.vmware.com/v1alpha1 kind: Supervisor metadata: labels: environment: testing fipsMode: strict name: adminannie-vc:domain-c8 namespace: cci-config uid: ccd3d154-6404-47b7-8786-bb2d49ad9f5d spec: cloudAccountName: adminannie-vc externalId: domain-c8 externalName: wcp-test-dc-cluster regionNames: - eu-west1
Create a region binding and region binding config
You create a region binding and region binding config so that users in a project can create Supervisor Namespaces on Supervisors in a region.
- Create a region binding.
kubectl create -f regionbinding.yaml
Exampleregionbinding.yamlfile.apiVersion: topology.cci.vmware.com/v1alpha1 kind: RegionBinding metadata: name: <region_name> namespace: <project_name>
A region binding does not include any Supervisor placement settings, so you must also create a Region Binding Config.
- Create a Region Binding Config for every region binding created. You can include match expressions that are used for additional filtering of Supervisors. Supervisor labels are used to allow Supervisor Namespace placement on a subset of the Supervisors in a region.
kubectl create -f regionbindingconfig.yaml
In the following exampleregionbindingconfig.yamlfile, any supervisors that match the testing environment label can host the Supervisor Namespaces created in that project and region.apiVersion: topology.cci.vmware.com/v1alpha1 kind: RegionBindingConfig metadata: name: <region_name> namespace: <project_name> spec: supervisorSelector: matchExpressions: - key: environment operator: In values: - testing
Create a Supervisor Namespace Class
To define namespace templates with optional parameters that can be used to customize the namespace settings during creation, you create a Supervisor Namespace Class. Then you can create a Supervisor Namespace Class Config with match expressions that are used for additional filtering of Supervisors that are used for Supervisor Namespace placement.
- Create a Supervisor Namespace Class.
kubectl create -f supervisornamespaceclass.yaml
In the following examplesupervisornamespaceclass.yamlfile, the optional input underparametersreflect Namespace Class parameters that users provide when creating the namespace. All input must have default values. The values are used to customize the storage classes, limits, and additional constraints.apiVersion: infrastructure.cci.vmware.com/v1alpha1 kind: SupervisorNamespaceClass metadata: name: <class_name> spec: description: supervisor namespace class parameters: - name: podCountLimit type: Integer minimum: 100 maximum: 1000 default: 500The Supervisor Namespace Class does not contain any Supervisor placement settings, so you must also create a Supervisor Namespace Class Config.
- Create a Supervisor Namespace Class Config.
kubectl create -f supervisornamespaceclassconfig.yaml
In the following examplesupervisornamespaceclassconfig.yamlfile, thesupervisorSelectoris used to match supervisor labels.apiVersion: infrastructure.cci.vmware.com/v1alpha1 kind: SupervisorNamespaceClassConfig metadata: name: <class_name> spec: storageClasses: - name: management-storage-policy-thin vmClasses: - name: big-vm-class - name: small-vm-class contentSources: - name: global-content-library type: ContentLibrary # Below limits are an EXAMPLE! Setting them may cause unexpected behavior in your namespace # Either set reasonable limits, or remove the below section to get unlimited resources limits: - name: pod_count limit: "((parameters.podCountLimit))" supervisorSelector: matchExpressions: - key: environment operator: In values: - testing
Associate a Namespace Class with a project
To allow the creation of a Supervisor Namespace using the Supervisor Namespace Class in a project, you create a Supervisor Namespace Class Binding.
kubectl create -f supervisornamespaceclassbinding.yaml
supervisornamespaceclassbinding.yaml file.
namespacespecifies the name of the project name that you want to associate with the Supervisor Namespace Class.overrideParametersare optional. They are used to force a parameter value while ignoring the user provided parameter values when the Supervisor Namespace is created. Valid types are Integer, String, or Boolean.
apiVersion: infrastructure.cci.vmware.com/v1alpha1
kind: SupervisorNamespaceClassBinding
metadata:
name: <class_name>
namespace: <project_name>
spec:
overrideParameters:
- name: podCountLimit
type: Integer
const: 1000
