Tanzu Kubernetes Grid lets you perform various management operations on your NSX Advanced Load Balancer (ALB) deployment.
In Tanzu Kubernetes Grid (TKG), the Avi Kubernetes Operator (AKO) component manages the Avi Controller certificate that clusters use to access NSX ALB.
The Avi Controller certificate periodically expires and must be rotated. After the Avi Controller certificate has been rotated in Avi itself, update the certificate in AKO so that clusters can continue accessing NSX ALB.

Patch the certificate secret with the new base64-encoded string:

   kubectl patch secret/avi-controller-ca -n tkg-system-networking -p '{"data": {"certificateAuthorityData": "<base64 encoded string>"}}'
To update the Avi Controller credentials:

1. Re-encode the credentials into a base64-encoded string.
2. Edit the credentials secret:

   kubectl edit secret avi-controller-credentials -n tkg-system-networking

   In the default text editor that opens, replace the credentials with the new base64-encoded values.
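The two secret updates above, written as an added example that is not part of the TKG documentation or the AKO project. It builds the base64 payloads from a PEM file and plain-text credentials so nothing is hand-encoded, refuses a file that is not a certificate, and uses kubectl patch for the credentials secret in place of the interactive kubectl edit shown above. The data key names username and password for the credentials secret are an assumption; confirm them against the live secret before using cred_patch.

```shell
#!/bin/sh
# Added example, not from the TKG documentation: build the base64 payloads for
# the avi-controller-ca and avi-controller-credentials secrets from a PEM file
# and plain-text credentials, so no value is hand-encoded or pasted. The data
# key names username/password for the credentials secret are an assumption.
NS=tkg-system-networking

# base64 without line wrapping (GNU base64 wraps at 76 columns by default,
# and a wrapped value inside a secret is not usable).
b64() { base64 | tr -d '\n'; }

# Print the JSON patch for the avi-controller-ca secret from a PEM file.
# Refuses input that is not a certificate so a key file cannot be pushed
# into the cluster by mistake.
ca_patch() {
  if ! grep -q 'BEGIN CERTIFICATE' "$1"; then
    echo "not a PEM certificate: $1" >&2; return 1
  fi
  if grep -q 'PRIVATE KEY' "$1"; then
    echo "refusing $1: it contains a private key" >&2; return 1
  fi
  printf '{"data":{"certificateAuthorityData":"%s"}}' "$(b64 < "$1")"
}

# Print the JSON patch for the credentials secret (keys assumed; confirm with
#   kubectl get secret avi-controller-credentials -n tkg-system-networking -o yaml).
cred_patch() {
  printf '{"data":{"username":"%s","password":"%s"}}' \
    "$(printf '%s' "$1" | b64)" "$(printf '%s' "$2" | b64)"
}

# Apply both patches. Usage: rotate <ca.pem> <username> <password>
rotate() {
  kubectl patch secret/avi-controller-ca -n "$NS" -p "$(ca_patch "$1")"
  kubectl patch secret/avi-controller-credentials -n "$NS" -p "$(cred_patch "$2" "$3")"
}

# Check afterwards: print the SHA-256 fingerprint of the CA now stored in the
# secret, to compare with the certificate the Controller actually serves.
stored_ca_fingerprint() {
  kubectl get secret avi-controller-ca -n "$NS" -o jsonpath='{.data.certificateAuthorityData}' \
    | base64 -d | openssl x509 -noout -fingerprint -sha256
}
```

Passing the password as a command-line argument makes it visible in the process list and shell history for the duration of the call; for anything beyond a lab, read it from a file or a prompt inside the script instead.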
In Tanzu Kubernetes Grid, you can update the Avi Controller IP address or FQDN in an existing management cluster and its workload clusters.

1. Ensure that you have assigned a security certificate to the Avi Controller, as described in Assign a Certificate to the Controller. The Subject Alternative Name field in the certificate must contain the new IP address or FQDN of the Avi Controller.
2. In the management cluster context, run the kubectl get pods command, and note the name of the AKO Operator pod in the output. For example, ako-operator-controller-manager-7b74d8b9f9-nlz6n.
3. In the Tanzu CLI, run the following command to add the new certificate:

   kubectl edit secret avi-controller-ca -n tkg-system-networking

4. On the Controller UI, complete the following steps:
   a. Go to Administration > Controller > Nodes, and click Edit.
   b. In the Controller Cluster IP field, update the IP address or the FQDN.
5. In the akodeploymentconfig CR object for the workload cluster, replace the value of the controller field with the new IP address or FQDN of the Avi Controller:

   kubectl edit adc install-ako-for-all

6. In the akodeploymentconfig CR object in the management cluster, replace the value of the controller field with the new IP address or FQDN of the Avi Controller:

   kubectl edit adc install-ako-for-management-cluster

7. Delete the AKO Operator pod:

   kubectl delete pod AKO-OPERATOR-POD -n tkg-system-networking

   Where AKO-OPERATOR-POD is the name of the AKO Operator pod, for example, ako-operator-controller-manager-7b74d8b9f9-nlz6n.
8. Delete the AKO pod:

   kubectl delete pod ako-0 -n avi-system

The AKO and the AKO Operator pods restart, and the new IP address or the FQDN is updated on the management cluster and its workload clusters.
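The address change above as one script, added here as an example that is not part of the TKG documentation or the AKO project. It enforces the precondition in step 1 by reading the certificate the Controller serves and checking that its Subject Alternative Name contains the new address, then performs steps 5 through 8 non-interactively with kubectl patch and looks up the AKO Operator pod name instead of requiring it to be typed. The Controller UI change in step 4 is still done by hand first. Port 443 for the Controller and the spec.controller YAML key are assumptions; the page names the field as controller.

```shell
#!/bin/sh
# Added example, not from the TKG documentation: script the Controller address
# change described above, in the documented order. The certificate check uses
# the Controller's HTTPS port 443 (an assumption about the deployment), and the
# Controller UI change (Administration > Controller > Nodes) is still done by
# hand before running update_controller.
NS=tkg-system-networking

# Read `openssl x509 -noout -ext subjectAltName` output on stdin and succeed
# only if an IP Address or DNS entry equals the given value exactly
# (dots are escaped so 10.0.0.5 does not also match 10.0.0.50 or 10x0.0.5).
san_has() {
  esc=$(printf '%s' "$1" | sed 's/\./\\./g')
  tr ',' '\n' | sed 's/^ *//' | grep -qxE "(IP Address|DNS):$esc"
}

# Fetch the certificate the Controller currently serves and confirm the new
# address is in its SAN, which the procedure requires before anything changes.
check_san() {   # usage: check_san <current-controller> <new-ip-or-fqdn>
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName | san_has "$2"
}

# JSON merge patch that sets the controller field of an AKODeploymentConfig,
# the non-interactive equivalent of the `kubectl edit adc ...` steps above.
adc_patch() { printf '{"spec":{"controller":"%s"}}' "$1"; }

# The AKO Operator pod name carries a ReplicaSet hash, so look it up.
ako_operator_pod() {
  kubectl get pods -n "$NS" -o name | sed -n 's#^pod/\(ako-operator-controller-manager-.*\)#\1#p'
}

update_controller() {   # usage: update_controller <current-controller> <new-ip-or-fqdn>
  if ! check_san "$1" "$2"; then
    echo "certificate served by $1 has no SAN entry for $2; assign a correct certificate first" >&2
    return 1
  fi
  kubectl patch adc install-ako-for-all --type merge -p "$(adc_patch "$2")"
  kubectl patch adc install-ako-for-management-cluster --type merge -p "$(adc_patch "$2")"
  kubectl delete pod "$(ako_operator_pod)" -n "$NS"
  kubectl delete pod ako-0 -n avi-system
}
```

Running the SAN check first matters because AKO validates the Controller certificate against the address it connects to: if the patches go in before the certificate is right, both pods restart and fail to reach the Controller.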
AKODeploymentConfig CR Object for a Cluster

To know which AKODeploymentConfig CR object is used on the current cluster, run the following command:

   kubectl --context={management cluster kubeconfig context} get cluster --show-labels

In the output, look at the networking.tkg.tanzu.vmware.com/avi=<AKODeploymentConfig-NAME> label to view the AKODeploymentConfig object that has been selected by the cluster.
During the NSX Advanced Load Balancer configuration, Tanzu Kubernetes Grid validates the input that you specify for the configuration fields. Errors are logged when the system detects incorrect inputs. If the AVI_ENABLE field is set to true when deploying a management cluster, the Tanzu CLI validates the input that you specify for the following fields:
AVI_CONTROLLER
AVI_USERNAME
AVI_PASSWORD
AVI_CA_DATA_B64
AVI_CLOUD_NAME
AVI_SERVICE_ENGINE_GROUP
AVI_DATA_NETWORK
AVI_DATA_NETWORK_CIDR
AVI_MANAGEMENT_CLUSTER_SERVICE_ENGINE_GROUP
AVI_MANAGEMENT_CLUSTER_CONTROL_PLANE_VIP_NETWORK_NAME
AVI_MANAGEMENT_CLUSTER_VIP_NETWORK_NAME
AVI_CONTROL_PLANE_NETWORK
AVI_MANAGEMENT_CLUSTER_CONTROL_PLANE_VIP_NETWORK_CIDR
AVI_MANAGEMENT_CLUSTER_VIP_NETWORK_CIDR
AVI_CONTROL_PLANE_NETWORK_CIDR
When you create an AKODeploymentConfig object, Tanzu Kubernetes Grid checks whether:

- The spec.AdminCredentialRef, spec.CertificateAuthorityRef, and spec.Controller fields have the correct input to connect to the Avi Controller.
- spec.CloudName exists, or it uses the AVI client that was initialized.
- spec.ServiceEngineGroup exists, or it uses the AVI client that was initialized.
- spec.ControlPlaneNetwork.Name exists, or it uses the AVI client that was initialized.
- spec.DataNetwork.Name exists, or it uses the AVI client that was initialized.
- spec.ControlPlaneNetwork.Name has an IPAM profile configured, or it does not use the AVI client that was initialized.
- spec.ControlPlaneNetwork.CIDR has a valid format.
- spec.DataNetwork.CIDR has a valid format.

When you update an AKODeploymentConfig object, Tanzu Kubernetes Grid checks whether spec.ClusterSelector and spec.ControlPlaneNetwork are unchanged. You cannot delete the install-ako-for-management-cluster AKODeploymentConfig object.
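The checks above that can be reproduced locally, as an added example that is not part of the TKG documentation or the AKO project: before applying an AKODeploymentConfig manifest, it verifies that the two CIDR fields have a valid format and, when the object already exists, that clusterSelector and controlPlaneNetwork match the live object, so the rejection is seen before the webhook returns it. The YAML key names spec.controlPlaneNetwork.cidr, spec.dataNetwork.cidr and spec.clusterSelector are assumptions about the CRD layout (the page names only the Go-style fields); the credential and Avi-side existence checks need the Controller and are left to the webhook.

```shell
#!/bin/sh
# Added example, not from the TKG documentation: local pre-flight for an
# AKODeploymentConfig manifest covering the checks the text lists that need no
# Controller access. The YAML key names (spec.controlPlaneNetwork.cidr,
# spec.dataNetwork.cidr, spec.clusterSelector) are an assumption about the CRD.

# Succeeds only for dotted-quad IPv4 CIDR notation with octets 0-255 and a
# prefix length of 0-32. Avoids {n,m} regex intervals for older awk builds.
valid_cidr() {
  printf '%s\n' "$1" | awk -F'[./]' '
    NF != 5 { exit 1 }
    {
      for (i = 1; i <= 4; i++)
        if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1
      if ($5 !~ /^[0-9][0-9]?$/ || $5 + 0 > 32) exit 1
      exit 0
    }'
}

# Evaluate a jsonpath against the object in a manifest without touching the API server.
field_of() {   # usage: field_of <manifest.yaml> <jsonpath>
  kubectl apply -f "$1" --dry-run=client -o jsonpath="$2"
}

adc_preflight() {   # usage: adc_preflight <manifest.yaml>
  name=$(field_of "$1" '{.metadata.name}')
  for path in '{.spec.controlPlaneNetwork.cidr}' '{.spec.dataNetwork.cidr}'; do
    cidr=$(field_of "$1" "$path")
    if [ -n "$cidr" ] && ! valid_cidr "$cidr"; then
      echo "$name: $path is not a valid CIDR: $cidr" >&2; return 1
    fi
  done
  # Update case: the fields the webhook treats as immutable must match the live object.
  if kubectl get adc "$name" >/dev/null 2>&1; then
    for path in '{.spec.clusterSelector}' '{.spec.controlPlaneNetwork}'; do
      if [ "$(kubectl get adc "$name" -o jsonpath="$path")" != "$(field_of "$1" "$path")" ]; then
        echo "$name: $path differs from the live object; the update will be rejected" >&2; return 1
      fi
    done
  fi
}
```

Run it as `adc_preflight my-adc.yaml && kubectl apply -f my-adc.yaml`; a non-zero exit names the offending field so the manifest can be corrected before the webhook ever sees it.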