This topic describes how to generate and register the NSX Manager superuser principal identity certificate and key for VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).
You must generate and register the NSX Manager superuser principal identity certificate and key in two situations:
1. You are installing TKGI on vSphere with NSX-T for the first time. Review the prerequisites below.
2. You are rotating the NSX-T Manager certificate for an existing TKGI installation. See Rotate the Principal Identity Certificate and Key, below.
The NSX-T Manager superuser for TKGI has the Enterprise Administrator role and permissions. See Role-Based Access Control in the VMware documentation for more information.
Ops Manager tiles and APIs use a VMware NSX Manager account with the Enterprise Administrator role and permissions to create, delete, and modify NSX-T networking resources.
Users configure Ops Manager to authenticate to NSX Manager for different purposes in different tiles:
The TKGI API accesses the NSX-T Manager through an Enterprise Administrator account. This superuser account lets TKGI use NSX-T to create, delete, and modify networking resources for Kubernetes cluster nodes.
When you configure Tanzu Kubernetes Grid Integrated Edition with NSX-T as the container networking interface, you must provide the certificate and private key for the NSX-T Manager Enterprise Administrator account in the Networking pane of the Tanzu Kubernetes Grid Integrated Edition tile.
[Screenshot: the NSX Manager Super User Principal Identity Certificate field in the Networking pane of the tile]
For more information, see the Networking section of Installing Tanzu Kubernetes Grid Integrated Edition on vSphere with NSX‑T.
There are two options for generating the principal identity certificate and private key:
1. Generate and register the certificate and key with the Bash shell scripts provided below.
2. Generate the certificate and key automatically in the Networking pane of the Tanzu Kubernetes Grid Integrated Edition tile, then register them with the NSX-T Manager manually.
After you have generated the principal identity certificate and key, you must register both with the NSX-T Manager using an HTTPS POST operation on the NSX-T API. There is no user interface for this operation.
The first option uses Bash shell scripts to generate and register the NSX-T Manager superuser principal identity certificate and key. When you configure Tanzu Kubernetes Grid Integrated Edition for deployment, copy and paste the contents of pks-nsx-t-superuser.crt and pks-nsx-t-superuser.key to the NSX Manager Super User Principal Identity Certificate field in the Networking pane of the Tanzu Kubernetes Grid Integrated Edition tile.
Note: The Linux VM must have OpenSSL installed and have network access to the NSX-T Manager. For example, you can use the TKGI client VM where you install the TKGI CLI.
Provided below is the create_certificate.sh script that generates a certificate and private key, and then uploads the certificate to the NSX-T Manager. Complete the following steps to run this script:
1. Create an empty file named create_certificate.sh, for example with vi create_certificate.sh or nano create_certificate.sh.
2. Modify the file you created to have the following script contents:
#!/bin/bash
#create_certificate.sh
# Generates a self-signed client certificate and private key for the TKGI
# superuser principal identity, then imports the certificate into NSX-T Manager.
NSX_MANAGER="NSX-MANAGER-IP"
NSX_USER="NSX-MANAGER-USERNAME"
PI_NAME="pks-nsx-t-superuser"
NSX_SUPERUSER_CERT_FILE="pks-nsx-t-superuser.crt"
NSX_SUPERUSER_KEY_FILE="pks-nsx-t-superuser.key"
# Prompt for the NSX Manager password without echoing it to the terminal.
stty -echo
printf "Password: "
read -r NSX_PASSWORD
stty echo
printf "\n"
# 2048-bit RSA key and a self-signed SHA-256 certificate valid for 730 days.
# extendedKeyUsage = clientAuth marks it as a TLS client certificate, which is
# how the principal identity authenticates to the NSX-T Manager API.
openssl req \
-newkey rsa:2048 \
-x509 \
-nodes \
-keyout "$NSX_SUPERUSER_KEY_FILE" \
-new \
-out "$NSX_SUPERUSER_CERT_FILE" \
-subj /CN=pks-nsx-t-superuser \
-extensions client_server_ssl \
-config <(
cat /etc/ssl/openssl.cnf \
<(printf '[client_server_ssl]\nextendedKeyUsage = clientAuth\n')
) \
-sha256 \
-days 730
# Build the import request. awk joins the PEM lines with a literal "\n" so the
# whole certificate fits in one JSON string.
cert_request=$(cat <<END
{
"display_name": "$PI_NAME",
"pem_encoded": "$(awk '{printf "%s\\n", $0}' "$NSX_SUPERUSER_CERT_FILE")"
}
END
)
# Import the certificate. -k skips verification of the NSX Manager's own TLS
# certificate; remove it once the Manager presents a certificate this VM trusts.
# The response contains the certificate ID that create_pi.sh needs.
curl -k -X POST \
"https://${NSX_MANAGER}/api/v1/trust-management/certificates?action=import" \
-u "$NSX_USER:$NSX_PASSWORD" \
-H 'content-type: application/json' \
-d "$cert_request"
Where:
NSX-MANAGER-IP is the IP address of the NSX Management Cluster VIP or NSX Management Load Balancer IP.
NSX-MANAGER-USERNAME is the Username for NSX Manager.
3. Save the create_certificate.sh file.
4. Run the script: bash create_certificate.sh.
5. When prompted, enter the NSX_MANAGER_PASSWORD for the NSX-T user you specified in the script.
6. The certificate, pks-nsx-t-superuser.crt, and private key, pks-nsx-t-superuser.key, are generated in the directory where you ran the script.
7. The CERTIFICATE-ID value is returned to the console.
Provided below is the create_pi.sh script that creates the principal identity and registers it with the NSX-T Manager. This script requires the CERTIFICATE_ID returned from the create_certificate.sh script.
Note: Perform these steps on the same Linux VM where you ran the create_certificate.sh script.
1. Create an empty file named create_pi.sh, for example with vi create_pi.sh or nano create_pi.sh, and open the create_pi.sh file you created.
2. Modify the file you created to have the following script contents:
#!/bin/bash
#create_pi.sh
# Creates the superuser principal identity bound to the certificate imported by
# create_certificate.sh, then verifies it by calling the API with that
# certificate and key.
NSX_MANAGER="NSX-MANAGER-IP"
NSX_USER="NSX-MANAGER-USERNAME"
CERTIFICATE_ID='CERTIFICATE-ID'
PI_NAME="pks-nsx-t-superuser"
NSX_SUPERUSER_CERT_FILE="pks-nsx-t-superuser.crt"
NSX_SUPERUSER_KEY_FILE="pks-nsx-t-superuser.key"
# A random UUID identifies the node the principal identity belongs to.
NODE_ID=$(cat /proc/sys/kernel/random/uuid)
# Prompt for the NSX Manager password without echoing it to the terminal.
stty -echo
printf "Password: "
read -r NSX_PASSWORD
stty echo
printf "\n"
pi_request=$(cat <<END
{
"display_name": "$PI_NAME",
"name": "$PI_NAME",
"permission_group": "superusers",
"certificate_id": "$CERTIFICATE_ID",
"node_id": "$NODE_ID"
}
END
)
# Register the principal identity using the administrator's credentials.
curl -k -X POST \
"https://${NSX_MANAGER}/api/v1/trust-management/principal-identities" \
-u "$NSX_USER:$NSX_PASSWORD" \
-H 'content-type: application/json' \
-d "$pi_request"
# Verify: the same API, authenticated with the new certificate and key instead
# of a username and password, should list the principal identities.
curl -k -X GET \
"https://${NSX_MANAGER}/api/v1/trust-management/principal-identities" \
--cert "$(pwd)/$NSX_SUPERUSER_CERT_FILE" \
--key "$(pwd)/$NSX_SUPERUSER_KEY_FILE"
Where:
NSX-MANAGER-IP is the IP address of the NSX-T Management Cluster VIP or NSX Management Load Balancer IP.
NSX-MANAGER-USERNAME is the Username for NSX-T Manager.
CERTIFICATE-ID is the response from the create_certificate.sh script.
3. Save the create_pi.sh script.
4. Run the script: bash create_pi.sh.
5. When prompted, enter the NSX_MANAGER_PASSWORD for the NSX-T user you specified in the script.
6. Verify results: Review the NSX-T Manager System > Users > Role Assignments screen. Confirm the principal identity pks-nsx-t-superuser is registered with the role Enterprise Admin.
The second option is to generate the certificate and key automatically in the Networking pane in the Tanzu Kubernetes Grid Integrated Edition tile. To do so, follow the steps below:
*.nsx.tkgi.vmware.local
To copy the certificate and key you generated to a Linux VM, follow the steps below:
Note: The Linux VM must have OpenSSL installed and have network access to the NSX-T Manager. For example, you can use the TKGI client VM where you install the TKGI CLI.
1. Create a file named pks-nsx-t-superuser.crt. Copy the generated certificate into the file.
2. Create a file named pks-nsx-t-superuser.key. Copy the generated private key into the file.
3. On the Linux VM where you created the certificate and key files, export the environment variables below. Change the NSX_MANAGER_IP, NSX_MANAGER_USERNAME, and NSX_MANAGER_PASSWORD values to match your environment. Use the NSX-T Management Cluster VIP or load balancer for the NSX_MANAGER_IP.
export NSX_MANAGER="NSX_MANAGER_IP"
export NSX_USER="NSX_MANAGER_USERNAME"
export NSX_PASSWORD='NSX_MANAGER_PASSWORD'
export PI_NAME="pks-nsx-t-superuser"
export NSX_SUPERUSER_CERT_FILE="pks-nsx-t-superuser.crt"
export NSX_SUPERUSER_KEY_FILE="pks-nsx-t-superuser.key"
export NODE_ID=$(cat /proc/sys/kernel/random/uuid)
4. On the same Linux VM, run the following commands to register the certificate with NSX-T Manager:
$ cert_request=$(cat <<END
{
"display_name": "$PI_NAME",
"pem_encoded": "$(awk '{printf "%s\\n", $0}' $NSX_SUPERUSER_CERT_FILE)"
}
END
)
$ curl -k -X POST \
"https://${NSX_MANAGER}/api/v1/trust-management/certificates?action=import" \
-u "$NSX_USER:$NSX_PASSWORD" \
-H 'content-type: application/json' \
-d "$cert_request"
Verify that the response includes the CERTIFICATE_ID value. You use this value in the following step.
5. On the same Linux VM, export the CERTIFICATE_ID environment variable, where the value is the response from the previous step:
export CERTIFICATE_ID="CERTIFICATE_ID"
6. Register the principal identity with NSX-T Manager by running the following commands:
$ pi_request=$(cat <<END
{
"display_name": "$PI_NAME",
"name": "$PI_NAME",
"role": "superusers",
"certificate_id": "$CERTIFICATE_ID",
"node_id": "$NODE_ID",
"certificate_pem": "$(awk '{printf "%s\\n", $0}' $NSX_SUPERUSER_CERT_FILE)"
}
END
)
$ curl -k -X POST \
"https://${NSX_MANAGER}/api/v1/trust-management/principal-identities" \
-u "$NSX_USER:$NSX_PASSWORD" \
-H 'content-type: application/json' \
-d "$pi_request"
7. To verify that the certificate and key can be used with NSX-T, run the following command:
$ curl -k -X GET \
"https://${NSX_MANAGER}/api/v1/trust-management/principal-identities" \
--cert $(pwd)/"$NSX_SUPERUSER_CERT_FILE" \
--key $(pwd)/"$NSX_SUPERUSER_KEY_FILE"
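Added example, not code from the TKGI documentation or from the scripts above: the same two NSX-T API calls that create_certificate.sh, create_pi.sh and the manual curl commands make, with the JSON bodies built by json.dumps instead of the awk and heredoc quoting, and the NSX Manager's TLS certificate verified against a CA bundle instead of skipped with curl -k. NSX_MANAGER, NSX_CA_BUNDLE, the user, password and file names are placeholders, and the "results" field read by the verification step is assumed from the API's list response.

```python
import base64
import json
import ssl
import urllib.request
import uuid

NSX_MANAGER = "NSX-MANAGER-IP"        # placeholder: Management Cluster VIP or LB IP
NSX_CA_BUNDLE = "nsx-manager-ca.pem"  # placeholder: CA that issued the Manager's TLS cert
PI_NAME = "pks-nsx-t-superuser"
API = "/api/v1/trust-management"

def certificate_import_body(display_name: str, pem: str) -> str:
    """Body for POST .../certificates?action=import. json.dumps escapes the PEM's
    newlines as the two characters \\n, which the page's awk one-liner does by hand."""
    return json.dumps({"display_name": display_name, "pem_encoded": pem})

def principal_identity_body(name: str, certificate_id: str, node_id: str) -> str:
    """Body for POST .../principal-identities, the same fields create_pi.sh sends."""
    return json.dumps({"display_name": name, "name": name, "permission_group": "superusers",
                       "certificate_id": certificate_id, "node_id": node_id})

def _post(path: str, body: str, user: str, password: str) -> dict:
    """Basic-auth POST; the Manager's certificate is checked against NSX_CA_BUNDLE."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"content-type": "application/json", "Authorization": f"Basic {token}"}
    req = urllib.request.Request(f"https://{NSX_MANAGER}{API}{path}", data=body.encode(),
                                 method="POST", headers=headers)
    ctx = ssl.create_default_context(cafile=NSX_CA_BUNDLE)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def import_certificate(user: str, password: str, cert_file: str) -> dict:
    """Step 1 (create_certificate.sh): import the PEM; the response carries its id."""
    with open(cert_file) as f:
        return _post("/certificates?action=import",
                     certificate_import_body(PI_NAME, f.read()), user, password)

def create_principal_identity(user: str, password: str, certificate_id: str) -> dict:
    """Step 2 (create_pi.sh): bind the superuser principal identity to that certificate."""
    return _post("/principal-identities",
                 principal_identity_body(PI_NAME, certificate_id, str(uuid.uuid4())),
                 user, password)

def verify_with_client_cert(cert_file: str, key_file: str) -> list:
    """The page's final check: GET principal identities authenticated with the new
    certificate and key (mutual TLS) instead of a username and password."""
    ctx = ssl.create_default_context(cafile=NSX_CA_BUNDLE)
    ctx.load_cert_chain(cert_file, key_file)
    url = f"https://{NSX_MANAGER}{API}/principal-identities"
    with urllib.request.urlopen(url, context=ctx) as resp:
        return [pi["name"] for pi in json.load(resp)["results"]]
```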
To rotate the NSX-T Principal Identity super user certificate, see How to renew the nsx-t-superuser-certificate used by Principal Identity user in the VMware Knowledge Base.
If you have completed this procedure as part of installing TKGI for the first time, proceed to Installing TKGI on vSphere with NSX-T.