afewell / HOL-2563-01-TNZ-L

repo for assets used in preparation for HOL

HOL-2563-01-TNZ-L-v0.3 release #2

Open afewell opened 1 month ago

afewell commented 1 month ago

Latest Update: Mohammed is proceeding with a manual installation path and will take over the HOL-2563-01-TNZ-L-v0.x release path. Art is continuing separately with an automated installation path and will create a separate release train beginning with HOL-2563-01-TNZ-L-AF-v0.3. Both forks share a common base in the HOL-2563-01-TNZ-L-v0.2 template and diverge in subsequent releases.

It is unclear, and doesn't really matter, whether Mohammed chooses to use this repository to track notes, so these tickets may not be updated as they pertain to the mainline v0.x releases; however, the AF-v0.x train will continue using this site to document releases.


New goals ... I want to do this install automated so I am going to start with trying some bootstrapping with automation. I will update the release notes below after I have done some more experimentation.

Automation Bootstrapping Notes

Plan

The full concourse-pat implementation is not optimal for local bootstrapping, but it looks like running the toolkit container, concourse containers, credhub container, and minio VM

All notes beneath this line as well as any subsequent release plans are outdated and only used for reference until I complete updated planning and clean up the notes for the updated/changed release plan

Release Planning Notes

Goals for the 0.3 release:

  1. the Ops Manager, NSX Plugin and TAS software bundles should be downloaded into the vAPP
  2. The OpsMan OVA should be loaded to the VCF Image catalog
  3. Download and install BOSH CLI on Linux Main Console (LMC)
  4. Use Homebrew to install Tanzu Operations Manager CLI on LMC
  5. UAAC CLI
  6. fly cli
  7. concourse?
  8. Platform automation toolkit?

After these updates are made, the vApp should be shut down and saved to the catalog as v0.3.

Release Notes

Features Included in this Release: TBD

Explicit Steps to move from previous to current release

  1. Load the saved v0.1 template from catalog (do not turn on)

  2. Edit the vapp networking default firewall rule to allow/permit traffic

  3. power on the vapp and remote console to LMC

  4. on LMC, open terminal and execute /hol/Tools/proxyfilteroff.sh

  5. Navigate to network.tanzu.vmware.com (or broadcom portal?) and download:

    1. API Portal for VMware Tanzu Product Installer v1.5.0
    2. Ubuntu Jammy Stemcell for vSphere 1.445
    3. VMware Tanzu Application Service for VMs, Release 6.0.4+LTS-T:
      1. Small Footprint TAS 6.0.4-build.3+LTS-T
      2. CF CLI 8.7.9
    4. VMware Tanzu Operations Manager: Tanzu Ops Manager for vSphere - 3.0.29+LTS-T
afewell commented 1 month ago

To start, I loaded up the saved copy of the 0.1 template from the catalog, and before I started I checked the networking settings. I observed the vappnet-single network connection was still configured for outbound network/internet access, but the default firewall rule was reset to deny. I assume this means I may need to reconfigure the firewall rule on each new load of a vApp from the catalog, even if it was saved as identical.

  1. Load the v0.1 template from the catalog
  2. in vcd networking>services, edit the default firewall rule to allow traffic.
afewell commented 1 month ago

Reviewing TAS course on Tanzu Academy to ascertain the configuration variables used in their vApp:

  1. Bosh director internal IP 192.168.1.10
  2. BOSH_ENVIRONMENT is 192.168.1.11 ... I don't know what this is? --- looks like I think opsman itself is .10 and it deploys the deployment "p-bosh" which is a vm on .11, I think it's the bosh director?
  3. Bosh external address 10.20.20.10
  4. They are using nip.io for the external fqdn (10.20.20.10.nip.io)
  5. T0 Firewall Rules: (screenshot not reproduced here)
  6. They deployed an nginx release with bosh, and its address was 192.168.1.12 so apparently this is the network where deployments go
  7. NSX-T Tile Configuration
    • NSX Manager Tab
      1. nsx manager address: sa-nsxmgr-01.vclass.local
      2. Set for basic authentication with static username and password
      3. NSX Manager ca certs: they mentioned they covered how to get it in a previous video
    • NCP Tab
      1. TAS Foundation name: sandbox
      2. transport zone: overlay-tx (Transport zone can be found in the config of the logical switches)
      3. on their "uplink-vlan-ls" logical switch, the vlan is set to 0 and the transport zone is set to vlan-tz
      4. Tier-0 router: T0-Router (Name can be found in nsx mgr gui under routers)
      5. Add IP Blocks of container networks (can be found in nsx mgr gui, search for "block"):
        a. IP Block Name: sandbox-pas-container-ip-block
        b. CIDR: unspecified (do not need to specify as it's defined in the IP Block)
      6. IP Pools (details found in nsx mgr gui > adv net & sec tab > Inventory > Groups > IP Pools):
        a. sandbox-external-ip-pool
      7. everything else default
  8. Small footprint TAS tile configuration:
    • Assign AZ's and Networks tab
      1. Network: pas (not infrastructure or services)
      2. save
    • Domains tab
      1. System domain: sys.10.20.20.20.nip.io
      2. Apps domain: apps.10.20.20.20.nip.io
      3. save
    • Networking tab
      1. Certificates and private keys for gorouter: he mentioned they created these in previous step/video via script
      2. TLS Termination Point: Gorouter
      3. HAProxy forwards all requests to the Gorouter over TLS: Disable
      4. Container Network Interface Plugin: External
      5. Save
    • App Containers tab > Use defaults
    • App Developer Controls Tab
      1. Default app memory quota per org: 20480
      2. save
    • App Security Groups tab
      1. Type X: X
    • Authentication and Enterprise SSO tab > Use Defaults
    • UAA tab
      1. SAML Service Provider Credentials: They reused self-signed cert/key they created in previous video for tas
      2. save
    • CredHub tab
      1. Internal encryption provider keys
      2. Name: default
      3. Key (they said they used the string suggestion from the documentation)
      4. "Primary" field checked
    • Internal MySQL tab
      1. Email Address: admin@example.com (or any fake address)
      2. save
    • Advanced Features Tab > CF CLI Connection timeout: 1
    • Errands tab
      1. under post deploy errands, turn everything off except 3 which should be left on: "Smoke Test Errand", "Usage Service Errand", "Apps Manager Errand"
      2. save
    • Resource Config tab
      1. for Database: set persistent disk to 30 GB
      2. for File Storage: set persistent disk to 30 GB
      3. Set backup restore node to 0 instances
      4. set mysql monitor to 0 instances
      5. Router: Configure the logical load balancer with the json for server pools:
        {
          "server_pools": [
            {
              "name": "sandbox-pas-web-pool",
              "port": "80"
            },
            {
              "name": "sandbox-pas-web-pool",
              "port": "80"
            }
          ]
        }
      6. Control: Configure the Logical Load Balancer field with the json for server pools for ssh:
        {
          "server_pools": [
            {
              "name": "sandbox-pas-ssh-pool",
              "port": "2222"
            }
          ]
        }
  9. This completes all tile configuration
  10. Review and apply changes
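Added example, not code from this issue or from the lab kit: a small Python check for the NSX-T logical load balancer "server pools" JSON that the Router and Control jobs take in the Resource Config tab above. It parses the JSON, checks that every pool has a name and a numeric string port, and rejects duplicate pool entries; run against the router JSON as posted, it reports the repeated sandbox-pas-web-pool entry. The sample strings are constructed from the notes above.

```python
import json

# Constructed from the tile notes: the server_pools JSON as written for the
# Router job (note the identical entry listed twice) and for the Control job.
ROUTER_LB_JSON = """{"server_pools": [
  {"name": "sandbox-pas-web-pool", "port": "80"},
  {"name": "sandbox-pas-web-pool", "port": "80"}
]}"""
CONTROL_LB_JSON = """{"server_pools": [
  {"name": "sandbox-pas-ssh-pool", "port": "2222"}
]}"""


def build_server_pools(pools):
    """Render a list of (name, port) pairs as the server_pools JSON string.

    Ports are emitted as strings, matching the form used in the tile field.
    """
    body = {"server_pools": [{"name": n, "port": str(p)} for n, p in pools]}
    return json.dumps(body, indent=2)


def validate_server_pools(text):
    """Parse a server_pools JSON string and return a list of problems.

    An empty list means the field content is well formed and free of
    duplicate pool entries.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    pools = doc.get("server_pools") if isinstance(doc, dict) else None
    if not isinstance(pools, list) or not pools:
        return ["server_pools must be a non-empty list"]
    problems, seen = [], set()
    for i, pool in enumerate(pools):
        if not isinstance(pool, dict):
            problems.append(f"pool {i}: entry must be an object")
            continue
        name, port = pool.get("name"), pool.get("port")
        if not name:
            problems.append(f"pool {i}: missing name")
        # The tile expects the port as a numeric string such as "80".
        if not (isinstance(port, str) and port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"pool {i}: port must be a numeric string 1-65535, got {port!r}")
        if (name, port) in seen:
            problems.append(f"pool {i}: duplicate entry {name}:{port}")
        seen.add((name, port))
    return problems
```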