Manage NSX Advanced Load Balancer

Tanzu Kubernetes Grid lets you perform various management operations on your NSX Advanced Load Balancer (ALB) deployment.

Modify the Avi Controller Certificates

The Avi Controller certificate expires periodically, and Tanzu Kubernetes Grid lets you update it in your clusters when it does. Before updating the certificate in the clusters, ensure that the certificate exists in Avi Controller.

To update the Avi Controller certificate:

  1. Re-encode the certificate data into a base64-encoded string.
  2. Patch the certificate secret with the new string:

    kubectl patch secret/avi-controller-ca --context <CLUSTER-CONTEXT> -n tkg-system-networking -p '{"data": {"certificateAuthorityData": "<CERTIFICATE-STRING>"}}'

     Where <CERTIFICATE-STRING> is the base64-encoded string from step 1.
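
The two steps above can be scripted so that a line-wrapped, DER, or already-encoded value never reaches the secret. This is an added example, not part of the VMware documentation; the function names are hypothetical, and the secret name, namespace and key are taken from the command above.

```shell
#!/usr/bin/env bash
# Added example: build the patch body for the avi-controller-ca secret
# from a PEM file, refusing input that would store unusable CA data.
# Function names are hypothetical; secret, namespace and key come from
# the kubectl command above.

# encode_ca_pem FILE -> single-line base64 of FILE on stdout
encode_ca_pem() {
  local pem="$1" b64
  [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
  # The secret must hold base64(PEM). Requiring PEM markers rejects DER
  # files and strings that were already base64-encoded once.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" &&
    grep -q -- '-----END CERTIFICATE-----' "$pem" ||
    { echo "$pem is not a PEM certificate" >&2; return 1; }
  # GNU base64 wraps output at 76 columns; strip the newlines so the
  # value is a single string that can sit inside the JSON patch.
  b64=$(base64 < "$pem" | tr -d '\n')
  # Round trip: decoding must give back the PEM text.
  [ "$(printf '%s' "$b64" | base64 -d)" = "$(cat "$pem")" ] ||
    { echo "base64 round-trip mismatch" >&2; return 1; }
  printf '%s' "$b64"
}

# ca_patch_json FILE -> JSON body for `kubectl patch -p`
ca_patch_json() {
  local b64
  b64=$(encode_ca_pem "$1") || return 1
  # The base64 alphabet needs no JSON escaping.
  printf '{"data": {"certificateAuthorityData": "%s"}}' "$b64"
}

# patch_avi_ca CONTEXT FILE -> apply the patch to the cluster
patch_avi_ca() {
  local patch
  patch=$(ca_patch_json "$2") || return 1
  kubectl patch secret/avi-controller-ca --context "$1" \
    -n tkg-system-networking -p "$patch"
}

# Usage: patch_avi_ca <CLUSTER-CONTEXT> ./avi-ca.pem
```

Because the certificate expires periodically, checking its end date with `openssl x509 -noout -enddate -in avi-ca.pem` before patching is a useful extra step.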
    

Modify the Avi Controller Credentials

To update the Avi Controller credentials:

  1. Re-encode the credentials into a base64-encoded string.

  2. Edit the credentials secret:

    kubectl edit secret avi-controller-credentials -n tkg-system-networking

  3. In the text editor that opens, replace the existing credentials with the new base64-encoded credentials.

View the AKODeploymentConfig CR Object for a Cluster

To see which AKODeploymentConfig CR object the current cluster uses, run the following command:

    kubectl --context=<MANAGEMENT-CLUSTER-KUBECONFIG-CONTEXT> get cluster --show-labels

In the output, look at the networking.tkg.tanzu.vmware.com/avi=<AKODeploymentConfig-NAME> label to see which AKODeploymentConfig object has been selected by the cluster.

Validate the NSX Advanced Load Balancer Configuration Input

During the NSX Advanced Load Balancer configuration, Tanzu Kubernetes Grid validates the input that you specify for the configuration fields. Errors are logged when the system detects incorrect inputs. If the AVI_ENABLE field is set to true when deploying a management cluster, the Tanzu CLI performs a validation on the input that you specify for the following fields:

  • AVI_CONTROLLER
  • AVI_USERNAME
  • AVI_PASSWORD
  • AVI_CA_DATA_B64
  • AVI_CLOUD_NAME
  • AVI_SERVICE_ENGINE_GROUP
  • AVI_DATA_NETWORK
  • AVI_DATA_NETWORK_CIDR
  • AVI_MANAGEMENT_CLUSTER_SERVICE_ENGINE_GROUP
  • AVI_MANAGEMENT_CLUSTER_CONTROL_PLANE_VIP_NETWORK_NAME
  • AVI_MANAGEMENT_CLUSTER_VIP_NETWORK_NAME
  • AVI_CONTROL_PLANE_NETWORK
  • AVI_MANAGEMENT_CLUSTER_CONTROL_PLANE_VIP_NETWORK_CIDR
  • AVI_MANAGEMENT_CLUSTER_VIP_NETWORK_CIDR
  • AVI_CONTROL_PLANE_NETWORK_CIDR

When you create an AKODeploymentConfig object, Tanzu Kubernetes Grid checks whether:

  • The clusterSelector field is not empty (applicable to non-default AKODeploymentConfig objects).
  • The spec.AdminCredentialRef, spec.CertificateAuthorityRef, and spec.Controller fields have the correct input to connect to the AVI Controller.
  • The spec.CloudName exists or it uses the AVI client that was initialized.
  • The spec.ServiceEngineGroup exists or it uses the AVI client that was initialized.
  • The spec.ControlPlaneNetwork.Name exists or it uses the AVI client that was initialized.
  • The spec.DataNetwork.Name exists or it uses the AVI client that was initialized.
  • The spec.ControlPlaneNetwork.Name has an IPAM profile configured or it does not use the AVI client that was initialized.
  • The spec.ControlPlaneNetwork.CIDR has a valid format.
  • The spec.DataNetwork.CIDR has a valid format.

When you update an AKODeploymentConfig object, Tanzu Kubernetes Grid checks whether spec.ClusterSelector and spec.ControlPlaneNetwork are unchanged. You cannot delete the install-ako-for-management-cluster AKODeploymentConfig file.
