Configure a Kubernetes Cloud

Configuring a Kubernetes cloud is a three-step process:

Add a Kubernetes Cloud

To add a Kubernetes cloud follow these steps.

  1. Navigate to Admin > Clouds. This brings you to the Clouds page. If you, or another tenant admin in your tenant, have already added clouds to your tenant, they are listed here. Click the Add Cloud link in the upper right.
  2. After clicking Add Cloud, the Add Cloud dialog box is displayed. Enter the cloud name and select the cloud provider.
  3. Because you are selecting a Kubernetes cloud provider, a new data entry field called Kubernetes Cluster API Endpoint appears at the bottom of the dialog box, as shown in the figure below. You must enter the URL of the Kubernetes API endpoint (for example, the https:// address of the cluster's API server, including its port if it is not 443) in this field before the Next button is enabled. When done, click Next.

  4. After clicking Next, the second page of the Add Cloud dialog box, Connectivity Settings, appears with a single toggle, Cloud Endpoint Directly Accessible, as shown in the figure below.

    Setting this toggle to No causes a second toggle to be displayed: CloudCenter Suite Directly Accessible from Cloud Remote.

    Note

    If you set the Cloud Endpoint Directly Accessible toggle to No, you must install the Cloud Remote component in a VM-based cloud region (vCenter, OpenStack, AWS, or AzureRM) from which the target Kubernetes cluster's API endpoint is reachable, because Cloud Remote initiates the connection to that endpoint on behalf of the CloudCenter Suite cluster.

    Follow the table below for guidance on setting these toggles. Each row of the table is accompanied by a network diagram of the scenario.

    Toggle settings: Cloud Endpoint Directly Accessible = Yes
    Use case: The CloudCenter Suite cluster can initiate a connection to the Kubernetes API endpoint. Cloud Remote is not required.

    Toggle settings: Cloud Endpoint Directly Accessible = No AND CloudCenter Suite Directly Accessible from Cloud Remote = Yes
    Use case: The CloudCenter Suite cluster cannot initiate a connection to the Kubernetes API endpoint, but Cloud Remote can initiate the connection to the CloudCenter Suite cluster.

    Toggle settings: Cloud Endpoint Directly Accessible = No AND CloudCenter Suite Directly Accessible from Cloud Remote = No
    Use case: The CloudCenter Suite cluster cannot initiate a connection to the Kubernetes API endpoint, and Cloud Remote cannot initiate the connection to the CloudCenter Suite cluster; the CloudCenter Suite cluster must instead initiate the connection to Cloud Remote.

    Click Done to save the configuration and close the dialog box. This brings you back to the Clouds page, and the cloud you just created is added to the bottom of the list on the left side of the page.

Configure a Kubernetes Region

A Kubernetes cloud has one region that you configure from the Kubernetes cloud Details tab. Follow this procedure:

  1. Navigate to the Clouds page: Admin > Clouds. Find your newly created Kubernetes cloud in the cloud list on the left half of the screen and click its Configure Cloud link. This displays the Details tab for this cloud.
  2. Click the Edit Kubernetes Settings link in the upper right to open the Configure Cloud Settings dialog box.
  3. Adjust the field values in the dialog box per the instructions in the following table:

    Field: Kubernetes cluster API Endpoint
    Usage: This field is set to the value you entered for the API endpoint when you created this Kubernetes cloud. You can edit it here, but should only do so if the API endpoint address of your Kubernetes cloud has changed since you added it to CloudCenter Suite.

    Field: API version override
    Usage: This tells CloudCenter Suite to use an API version other than the default version for certain Kubernetes resources. This field should normally be left blank. If errors occur in your deployments, contact support regarding using a different version for selected resources. The value is a semicolon-separated list of key:value pairs in the format <resource_name_1>:<api_version_1>;<resource_name_2>:<api_version_2>; and so on, where custom_api_version in the examples below stands for the version string support gives you. Possible examples are as follows:
    • Example 1: Secret:custom_api_version;Service:custom_api_version;PersistentVolumeClaim:custom_api_version;NetworkPolicy:custom_api_version;Pod:custom_api_version;Deployment:custom_api_version
    • Example 2: PersistentVolumeClaim:custom_api_version;NetworkPolicy:custom_api_version;Pod:custom_api_version;Deployment:custom_api_version
    • Example 3: PersistentVolumeClaim:custom_api_version;NetworkPolicy:custom_api_version

    Field: Namespace(s)
    Usage: If at least one of the cloud accounts that you add to this cloud has admin privileges for the cloud (recommended), CloudCenter Suite automatically finds all namespaces in the cluster and you can leave this field blank. If none of your cloud accounts for this cloud have sufficient privileges to retrieve the list of namespaces in the cluster, use this field to manually enter a comma-separated list of namespaces.

    When you are done editing the settings in the dialog box, click Save.
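Before saving these settings, it is worth confirming from the command line that the API endpoint you entered is the cluster's real one, that the side which has to initiate the connection can actually reach it, and whether the account you will attach can list namespaces (which decides whether the Namespace(s) field may stay blank). The shell functions below are an added example and are not Cisco's code or part of CloudCenter Suite; the service account ccs-reader in namespace ccs, the ClusterRole name ccs-namespace-reader, and the endpoint https://10.0.0.10:6443 are placeholder values.

```shell
#!/bin/sh
# Added example, not Cisco code: pre-flight checks for the Kubernetes
# settings dialog. The service account "ccs-reader" in namespace "ccs"
# and the endpoint https://10.0.0.10:6443 are assumed placeholders.

# Print the API server URL of the current kubeconfig context. This is the
# value to enter in the Kubernetes cluster API Endpoint field.
k8s_api_url_from_kubeconfig() {
    kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'
}

# Split an https:// URL into "host port" (port defaults to 443 when the
# URL has none). Hostnames and IPv4 only; bracketed IPv6 is not handled.
k8s_endpoint_host_port() {
    hostport=${1#https://}
    hostport=${hostport%%/*}
    case $hostport in
        *:*) printf '%s %s\n' "${hostport%:*}" "${hostport##*:}" ;;
        *)   printf '%s %s\n' "$hostport" 443 ;;
    esac
}

# Probe the endpoint from the host that has to initiate the connection:
# the CloudCenter Suite cluster when Cloud Endpoint Directly Accessible is
# Yes, otherwise the Cloud Remote appliance. Any HTTP status means the TLS
# listener answered; 401 or 403 is the normal reply to an unauthenticated
# /version request. 000 means no TCP/TLS connection at all. -k disables
# certificate checking because this is a reachability probe, not a trust
# decision.
k8s_api_reachable() {
    code=$(curl -sk --max-time 5 -o /dev/null -w '%{http_code}' "$1/version")
    case $code in
        200|401|403) echo "reachable ($code): $1"; return 0 ;;
        *)           echo "NOT reachable ($code): $1"; return 1 ;;
    esac
}

# Exit status 0 means the Namespace(s) field can stay blank for a cloud
# account backed by this service account; 1 means either fill the field
# by hand or grant the role printed by namespace_list_role.
can_list_namespaces() {   # can_list_namespaces SA NAMESPACE
    kubectl auth can-i list namespaces --as="system:serviceaccount:$2:$1"
}

# Minimal ClusterRole for namespace discovery only (get/list on
# namespaces), for sites that do not want to give the discovery account
# cluster admin. Workload Manager deployments need more than this.
namespace_list_role() {   # namespace_list_role SA NAMESPACE
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ccs-namespace-reader
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ccs-namespace-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ccs-namespace-reader
subjects:
- kind: ServiceAccount
  name: $1
  namespace: $2
EOF
}

# Usage, on a host with kubectl pointed at the target cluster:
#   url=$(k8s_api_url_from_kubeconfig)
#   k8s_endpoint_host_port "$url"
#   k8s_api_reachable "$url"
#   can_list_namespaces ccs-reader ccs || namespace_list_role ccs-reader ccs | kubectl apply -f -
```

Run k8s_api_reachable on the CloudCenter Suite cluster (or on the Cloud Remote appliance, if that is the side that will initiate the connection) rather than on your workstation, since your workstation's reachability says nothing about the toggle you chose.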

  4. Scroll down to the Region Connectivity section for the region and click the Configure Region link in the upper right to open the Configure Region dialog box. The toggle settings should be the same as when you set them in the connectivity page of the Add Cloud dialog box. If all of the connectivity toggles in the Configure Region dialog box are set to Yes, Cloud Remote is NOT needed for this cloud region. In this case, you would normally leave all region connectivity settings at their current values and continue to the next settings section.
  5. If any of the connectivity toggles in the Configure Region dialog box are set to No, you must install and configure Cloud Remote for this region. Since Cloud Remote is a VM-based appliance, when used to support a Kubernetes cloud it must be installed in a VM-based cloud region from which the Kubernetes cluster's API endpoint is reachable. Typically, this would be the same cloud region that hosts the nodes supporting the Kubernetes cloud. Choose the option that is appropriate for your Kubernetes target cloud:

     Steps to configure Cloud Remote in a vCenter cloud to support a Kubernetes cloud

    Configure Cloud Remote in a vCenter region to support a Kubernetes target cloud as follows:

    1. Download the Cloud Remote appliance OVA from software.cisco.com.
    2. Launch the Cloud Remote appliance from the OVA you downloaded as follows:
      1. Log in to the vCenter console using the vSphere web client with Flash, or with the vSphere Windows client. Do not use the HTML5 web client.
      2. Navigate to the folder or resource pool where you want to deploy the OVA. Right click on that resource pool or folder and select Deploy OVF Template.
      3. From the Deploy OVF Template dialog box, for Source, select Local file and click Browse to find the OVA file you downloaded.
      4. Complete the fields for Name and location, Host / Cluster, Resource Pool, Storage, and Disk Format appropriate for your environment.
      5. For the Network Mapping section, make sure to properly map the Management network (public) and VM Network network (private) to the appropriate network names in your environment.
      6. For the Properties section, make sure to check the box labeled Does the VM need a second interface? if the Cloud Remote appliance needs to be multi-homed on a public network and a private network.
      7. Confirm your settings and click Finish to launch the VM.
    3. Optional but recommended for production environments: deploy two additional instances of the appliance to form a cluster for HA. Cloud Remote includes support for clustering of multiple nodes. You "add" these two additional instances to the first instance after the first instance is configured. See Cloud Remote (Conditional) > Scaling for details.
    4. Once the first instance of the appliance has been launched, use the vSphere client to note its public and private IP addresses. You will need this information later in order to log in to the Cloud Remote web UI and to complete the Region Connectivity settings in the CloudCenter Suite web UI. Also note the IP addresses of any other appliances you launch.
    5. Set up the appropriate firewall rules. You will need to open various ports on each instance of the appliance. To do this, use the tools provided by the cloud provider to create a new security group for your Cloud Remote cluster; then associate each appliance in the cluster with that security group. Use the tables below for guidance on what port rules should be added to that security group, and leave every other inbound port closed.

      Port rules for a single node Cloud Remote deployment:

      Port 22, TCP (SSH): limit the source to the address space of users needing SSH access for debugging and changing default ports.
      Port 443, TCP (HTTPS, Cloud Remote web UI): limit the source to the address space of users needing access to the Cloud Remote web UI for setup and scaling.
      Port 5671, TCP (AMQP): limit the source to the address of the CloudCenter Suite cluster's local AMQP service.
      Port 15671, TCP (HTTPS, AMQP management): limit the source to the address space of users needing web access for debugging the remote AMQP service.

      The Cloud Remote web UI and AMQP ports listed above are the defaults used by Cloud Remote. You may change these port numbers using the Change Ports shell script (see Cloud Remote (Conditional) > Custom Port Numbers (Conditional)) once the appliance is fully configured and communicating with the CloudCenter Suite cluster. If you plan to modify any of these three port numbers, update the firewall rules accordingly.

      For a multi-node Cloud Remote cluster deployment, add these additional port rules to the same security group used for the single node configuration. In each rule, <cr_sec_group> represents the security group that all Cloud Remote nodes are joined to, so the rule admits only traffic from the other Cloud Remote nodes:

      Port 2377, TCP, source <cr_sec_group>
      Port 25672, TCP, source <cr_sec_group>
      Port 7946, UDP, source <cr_sec_group>
      Port 4369, TCP, source <cr_sec_group>
      Port 9010, TCP, source <cr_sec_group>
      Port 4789, UDP, source <cr_sec_group>

    6. Switch back to the Workload Manager or Cost Optimizer UI and click the Configure Region link in the upper left of the Region Connectivity section to bring up the Configure Region dialog box. The toggle settings should be the same as when you set them in the connectivity page of the Add Cloud dialog box. You may need to update the Local AMQP IP Address or the Remote AMQP IP Address field per the table below.

      Toggle settings: Cloud Endpoint Directly Accessible = No AND CloudCenter Suite Directly Accessible from Cloud Remote = Yes
      Field: Local AMQP IP Address
      Value: Pre-populated with the address and port number of the "local" AMQP server running in the CloudCenter Suite cluster. If Cloud Remote is accessing the CloudCenter Suite cluster through a user-supplied proxy server or NAT firewall, overwrite this field with the corresponding local AMQP IP address and port number provided by the user-supplied proxy server or NAT firewall and accessible to Cloud Remote.

      Toggle settings: Cloud Endpoint Directly Accessible = No AND CloudCenter Suite Directly Accessible from Cloud Remote = No
      Field: Remote AMQP IP Address
      Value: Enter <Cloud_Remote_IP>:<amqp_port>, where <Cloud_Remote_IP> is the IP address of Cloud Remote that is accessible to the CloudCenter Suite cluster, and <amqp_port> is 5671 or the custom AMQP port number you would later set with the Change Ports shell script on the Cloud Remote appliance (see Cloud Remote (Conditional) > Custom Port Numbers (Conditional)). If there is no user-supplied NAT firewall or proxy server between the CloudCenter Suite cluster and Cloud Remote, the IP address is the public IP address of Cloud Remote. If there is a NAT firewall or proxy server between them, enter instead the corresponding public IP address and port number that the firewall or proxy server presents to the internet on behalf of the "remote" AMQP server running in Cloud Remote.

      When done, click OK to save the setting and dismiss the dialog box.

    7. After saving the Region Configuration settings, the next step is downloading the connectivity configuration file and copying its encryption key. Click the Download Configuration link in the upper right of the Region Connectivity section, as shown in the figure below.

      Clicking Download Configuration causes two things to happen:

      • A file named artifacts.zip will be downloaded by your browser. Make note of the location of this zip file as you will need to upload it to Cloud Remote through the Cloud Remote web UI (see below).
      • The Region Connectivity section header briefly displays the encryption key for the zip file, as shown in the figure below. The key is the text after ":- ". You must copy this key within one minute of it being displayed, because you will need to enter it in the Cloud Remote web UI (see below). The key is only displayed for one minute. If you miss the chance to copy it, you must download a new copy of the zip file and copy the new key; the key belongs to the specific zip file it was displayed with.


    8. After you have set the region connectivity settings in CloudCenter Suite, downloaded the zip file, and copied the encryption key, log in to the Cloud Remote web UI.
      1. Open another browser tab and log in to https://<Cloud_Remote_IP> with the default credentials: admin / cisco.
      2. You will immediately be required to change your password. Do so.
      3. You are now brought to the Cloud Remote home page as shown in the figure below.
      4. Click the Apply Configuration button in the page header.
      5. Clicking Apply Configuration prompts you to select a configuration file and enter the encryption key, as shown in the figure below.
      6. Paste the encryption key you saved from the CloudCenter Suite web UI into the Encryption Key field in the dialog box.
      7. Click Select File, browse to the artifacts.zip file that you downloaded through the CloudCenter Suite web UI, and select it.
      8. Click Confirm.
      9. Once the zip file is successfully transmitted and accepted, the Cloud Remote appliance attempts to establish communication with the CloudCenter Suite cluster, and the Cloud Remote web UI home page is updated to show the name of the region it is connecting to in the upper right (see figure below).
      10. Now switch your focus back to the Region Connectivity section of the target cloud region in the CloudCenter Suite web UI. The status indicator in the Region Connectivity section header changes from Not Configured to Running once connectivity between Cloud Remote and the CloudCenter Suite cluster is completely established (see figure below).
        After completing these steps, Workload Manager and Cost Optimizer can both use Cloud Remote for communicating with the target cloud region.

     Steps to configure Cloud Remote in an OpenStack cloud region to support a Kubernetes cloud

    Configure Cloud Remote in an OpenStack region to support a Kubernetes target cloud as follows:

    1. Download the Cloud Remote appliance qcow2 file from software.cisco.com.
    2. Through the OpenStack console, import and launch the Cloud Remote appliance. This process is similar to importing and launching the CloudCenter Suite installer appliance for OpenStack.
    3. Optional but recommended for production environments: deploy two additional instances of the appliance to form a cluster for HA. Cloud Remote includes support for clustering of multiple nodes. You "add" these two additional instances to the first instance after the first instance is configured. See Cloud Remote (Conditional) > Scaling for details.
    4. Once the first instance of the appliance has been launched, use the OpenStack console to note its public and private IP addresses. You will need this information later in order to log in to the Cloud Remote web UI and to complete the Region Connectivity settings in the CloudCenter Suite web UI. Also note the IP addresses of any other appliances you launch.
    5. Set up the appropriate firewall rules. You will need to open various ports on each instance of the appliance. To do this, use the tools provided by the cloud provider to create a new security group for your Cloud Remote cluster; then associate each appliance in the cluster with that security group. Use the tables below for guidance on what port rules should be added to that security group, and leave every other inbound port closed.

      Port rules for a single node Cloud Remote deployment:

      Port 22, TCP (SSH): limit the source to the address space of users needing SSH access for debugging and changing default ports.
      Port 443, TCP (HTTPS, Cloud Remote web UI): limit the source to the address space of users needing access to the Cloud Remote web UI for setup and scaling.
      Port 5671, TCP (AMQP): limit the source to the address of the CloudCenter Suite cluster's local AMQP service.
      Port 15671, TCP (HTTPS, AMQP management): limit the source to the address space of users needing web access for debugging the remote AMQP service.

      The Cloud Remote web UI and AMQP ports listed above are the defaults used by Cloud Remote. You may change these port numbers using the Change Ports shell script (see Cloud Remote (Conditional) > Custom Port Numbers (Conditional)) once the appliance is fully configured and communicating with the CloudCenter Suite cluster. If you plan to modify any of these three port numbers, update the firewall rules accordingly.

      For a multi-node Cloud Remote cluster deployment, add these additional port rules to the same security group used for the single node configuration. In each rule, <cr_sec_group> represents the security group that all Cloud Remote nodes are joined to, so the rule admits only traffic from the other Cloud Remote nodes:

      Port 2377, TCP, source <cr_sec_group>
      Port 25672, TCP, source <cr_sec_group>
      Port 7946, UDP, source <cr_sec_group>
      Port 4369, TCP, source <cr_sec_group>
      Port 9010, TCP, source <cr_sec_group>
      Port 4789, UDP, source <cr_sec_group>

    6. Switch back to the Workload Manager or Cost Optimizer UI and click the Configure Region link in the upper left of the Region Connectivity section to bring up the Configure Region dialog box. The toggle settings should be the same as when you set them in the connectivity page of the Add Cloud dialog box. You may need to update the Local AMQP IP Address or the Remote AMQP IP Address field per the table below.

      Toggle settings: Cloud Endpoint Directly Accessible = No AND CloudCenter Suite Directly Accessible from Cloud Remote = Yes
      Field: Local AMQP IP Address
      Value: Pre-populated with the address and port number of the "local" AMQP server running in the CloudCenter Suite cluster. If Cloud Remote is accessing the CloudCenter Suite cluster through a user-supplied proxy server or NAT firewall, overwrite this field with the corresponding local AMQP IP address and port number provided by the user-supplied proxy server or NAT firewall and accessible to Cloud Remote.

      Toggle settings: Cloud Endpoint Directly Accessible = No AND CloudCenter Suite Directly Accessible from Cloud Remote = No
      Field: Remote AMQP IP Address
      Value: Enter <Cloud_Remote_IP>:<amqp_port>, where <Cloud_Remote_IP> is the IP address of Cloud Remote that is accessible to the CloudCenter Suite cluster, and <amqp_port> is 5671 or the custom AMQP port number you would later set with the Change Ports shell script on the Cloud Remote appliance (see Cloud Remote (Conditional) > Custom Port Numbers (Conditional)). If there is no user-supplied NAT firewall or proxy server between the CloudCenter Suite cluster and Cloud Remote, the IP address is the public IP address of Cloud Remote. If there is a NAT firewall or proxy server between them, enter instead the corresponding public IP address and port number that the firewall or proxy server presents to the internet on behalf of the "remote" AMQP server running in Cloud Remote.

      When done, click OK to save the setting and dismiss the dialog box.

    7. After saving the Region Configuration settings, the next step is downloading the connectivity configuration file and copying its encryption key. Click the Download Configuration link in the upper right of the Region Connectivity section, as shown in the figure below.

      Clicking Download Configuration causes two things to happen:

      • A file named artifacts.zip will be downloaded by your browser. Make note of the location of this zip file as you will need to upload it to Cloud Remote through the Cloud Remote web UI (see below).
      • The Region Connectivity section header briefly displays the encryption key for the zip file, as shown in the figure below. The key is the text after ":- ". You must copy this key within one minute of it being displayed, because you will need to enter it in the Cloud Remote web UI (see below). The key is only displayed for one minute. If you miss the chance to copy it, you must download a new copy of the zip file and copy the new key; the key belongs to the specific zip file it was displayed with.


    8. After you have set the region connectivity settings in CloudCenter Suite, downloaded the zip file, and copied the encryption key, log in to the Cloud Remote web UI.
      1. Open another browser tab and log in to https://<Cloud_Remote_IP> with the default credentials: admin / cisco.
      2. You will immediately be required to change your password. Do so.
      3. You are now brought to the Cloud Remote home page as shown in the figure below.
      4. Click the Apply Configuration button in the page header.
      5. Clicking Apply Configuration prompts you to select a configuration file and enter the encryption key, as shown in the figure below.
      6. Paste the encryption key you saved from the CloudCenter Suite web UI into the Encryption Key field in the dialog box.
      7. Click Select File, browse to the artifacts.zip file that you downloaded through the CloudCenter Suite web UI, and select it.
      8. Click Confirm.
      9. Once the zip file is successfully transmitted and accepted, the Cloud Remote appliance attempts to establish communication with the CloudCenter Suite cluster, and the Cloud Remote web UI home page is updated to show the name of the region it is connecting to in the upper right (see figure below).
      10. Now switch your focus back to the Region Connectivity section of the target cloud region in the CloudCenter Suite web UI. The status indicator in the Region Connectivity section header changes from Not Configured to Running once connectivity between Cloud Remote and the CloudCenter Suite cluster is completely established (see figure below).
        After completing these steps, Workload Manager and Cost Optimizer can both use Cloud Remote for communicating with the target cloud region.
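The Local AMQP IP Address and Remote AMQP IP Address fields in step 6 of the vCenter and OpenStack procedures above take a bare <ip>:<port> value, and a wrong value only shows up later as a region that never leaves Not Configured. The shell functions below are an added example, not Cisco's code or the dialog's own validation: one checks that a value has the shape the field expects, the other opens a TLS connection to it from whichever side must initiate the connection and prints the certificate the listener presented, which is how a NAT device or proxy that terminates TLS with its own certificate becomes visible. The addresses 198.51.100.7 and 203.0.113.25 are placeholders.

```shell
#!/bin/sh
# Added example, not Cisco code: sanity checks for the AMQP address fields
# of the Configure Region dialog. Hosts and ports are placeholders.

# amqp_addr_ok HOST:PORT -> 0 if the value has the <ip>:<port> shape the
# field expects (no scheme, no path, numeric port 1-65535), else 1.
# Hostnames and IPv4 only; a bracketed IPv6 literal is rejected.
amqp_addr_ok() {
    case $1 in
        *://*|*/*|*:*:*|*:|:*) return 1 ;;
        *:*) port=${1##*:} ;;
        *)   return 1 ;;
    esac
    case $port in
        *[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# amqp_tls_probe HOST:PORT: run from the side that must initiate the
# connection (Cloud Remote for the Local AMQP IP Address, the CloudCenter
# Suite cluster for the Remote AMQP IP Address). Prints the subject of the
# certificate the listener presented and the verification result, so a
# NAT device or proxy that terminates TLS with its own certificate shows
# up here rather than as an opaque failure after Apply Configuration.
amqp_tls_probe() {
    amqp_addr_ok "$1" || { echo "bad address: $1"; return 2; }
    out=$(openssl s_client -connect "$1" </dev/null 2>&1) || {
        echo "no TLS listener at $1"; return 1; }
    printf '%s\n' "$out" | grep -E '^subject=|Verify return code'
}

# Usage:
#   amqp_tls_probe 198.51.100.7:5671    # on Cloud Remote: the Local AMQP IP Address
#   amqp_tls_probe 203.0.113.25:5671    # on the suite cluster: the Remote AMQP IP Address
```

A connection refused or a timeout here means a firewall, security group, or NAT rule is missing on the path you chose with the toggles; a certificate subject you do not recognise means something in between is terminating TLS and the address you entered is not the AMQP server itself.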

     Steps to configure Cloud Remote in an AWS cloud region to support a Kubernetes cloud

    Configure Cloud Remote in an AWS region to support a Kubernetes target cloud as follows:
    1. Obtain the Cloud Remote shared AMI from Cisco support and launch it. Follow the same guidance as for obtaining and launching the CloudCenter Suite installer appliance for AWS.
    2. Optional but recommended for production environments: deploy two additional instances of the appliance to form a cluster for HA. Cloud Remote includes support for clustering of multiple nodes. You "add" these two additional instances to the first instance after the first instance is configured. See Cloud Remote (Conditional) > Scaling for details.
    3. Once the first instance of the appliance has been launched, use your cloud console to note its public and private IP addresses. You will need this information later in order to log in to the Cloud Remote web UI and to complete the Region Connectivity settings in the CloudCenter Suite web UI. Also note the IP addresses of any other instances you launch.
    4. Set up the appropriate firewall rules. You will need to open various ports on each instance of the appliance. To do this, use the tools provided by the cloud provider to create a new security group for your Cloud Remote cluster; then associate each appliance in the cluster with that security group. Use the tables below for guidance on what port rules should be added to that security group, and leave every other inbound port closed.

      Port rules for a single node Cloud Remote deployment:

      Port 22, TCP (SSH): limit the source to the address space of users needing SSH access for debugging and changing default ports.
      Port 443, TCP (HTTPS, Cloud Remote web UI): limit the source to the address space of users needing access to the Cloud Remote web UI for setup and scaling.
      Port 5671, TCP (AMQP): limit the source to the address of the CloudCenter Suite cluster's local AMQP service.
      Port 15671, TCP (HTTPS, AMQP management): limit the source to the address space of users needing web access for debugging the remote AMQP service.

      The Cloud Remote web UI and AMQP ports listed above are the defaults used by Cloud Remote. You may change these port numbers using the Change Ports shell script (see Cloud Remote (Conditional) > Custom Port Numbers (Conditional)) once the appliance is fully configured and communicating with the CloudCenter Suite cluster. If you plan to modify any of these three port numbers, update the firewall rules accordingly.

      For a multi-node Cloud Remote cluster deployment, add these additional port rules to the same security group used for the single node configuration. In each rule, <cr_sec_group> represents the security group that all Cloud Remote nodes are joined to, so the rule admits only traffic from the other Cloud Remote nodes:

      Port 2377, TCP, source <cr_sec_group>
      Port 25672, TCP, source <cr_sec_group>
      Port 7946, UDP, source <cr_sec_group>
      Port 4369, TCP, source <cr_sec_group>
      Port 9010, TCP, source <cr_sec_group>
      Port 4789, UDP, source <cr_sec_group>

    5. Switch back to the Workload Manager or Cost Optimizer UI and click the Configure Region link in the upper left of the Region Connectivity section to bring up the Configure Region dialog box. The toggle settings should be the same as when you set them in the connectivity page of the Add Cloud dialog box. You must update some of the address fields in the dialog box according to the scenarios summarized in the table below.

      Toggle settings: Worker VMs Directly Connect with CloudCenter = No AND CloudCenter Directly Accessible from Cloud Remote = Yes
      Field: Local AMQP IP Address
      Value: Pre-populated with the address and port number of the "local" AMQP server running in the CloudCenter Suite cluster. This address must be accessible to Cloud Remote. If Cloud Remote is accessing the CloudCenter Suite cluster through a user-supplied proxy server or NAT firewall, overwrite this field with the corresponding local AMQP IP address and port number provided by the user-supplied proxy server or NAT firewall and accessible to Cloud Remote.

      Toggle settings: Worker VMs Directly Connect with CloudCenter = No AND CloudCenter Directly Accessible from Cloud Remote = No
      Field: Remote AMQP IP Address
      Value: Enter <Cloud_Remote_IP>:<amqp_port>, where <Cloud_Remote_IP> is the IP address of Cloud Remote that is accessible to the CloudCenter Suite cluster, and <amqp_port> is 5671 or the custom AMQP port number you would later set with the Change Ports shell script on the Cloud Remote appliance (see Cloud Remote (Conditional) > Custom Port Numbers (Conditional)). If there is no user-supplied NAT firewall or proxy server between the CloudCenter Suite cluster and Cloud Remote, the IP address is the public IP address of Cloud Remote. If there is a NAT firewall or proxy server between them, enter instead the corresponding public IP address and port number that the firewall or proxy server presents to the internet on behalf of the "remote" AMQP server running in Cloud Remote.

      Toggle settings: Worker VMs Directly Connect with CloudCenter = No
      Field: Worker AMQP IP Address
      Value: Enter <Cloud_Remote_IP>:<amqp_port>, where <Cloud_Remote_IP> is the Cloud Remote IP address accessible to the worker VMs, and <amqp_port> is 5671 or the custom AMQP port number you would later set with the Change Ports shell script on the Cloud Remote appliance (see Cloud Remote (Conditional) > Custom Port Numbers (Conditional)).

      Toggle settings: Worker VMs Directly Connect with CloudCenter = No
      Field: Guacamole IP Address
      Value: Enter <Cloud_Remote_IP>:<guac_port>, where <Cloud_Remote_IP> is the Cloud Remote IP address accessible to CloudCenter Suite users, and <guac_port> is 8443 or the custom Guacamole port number you would later set with the Change Ports shell script on the Cloud Remote appliance (see Cloud Remote (Conditional) > Custom Port Numbers (Conditional)).

      When done, click OK to save the setting and dismiss the dialog box.

    6. After saving the Region Configuration settings, the next step is downloading the connectivity configuration file and copying its encryption key. Click the Download Configuration link in the upper right of the Region Connectivity section, as shown in the figure below.

      Clicking Download Configuration causes two things to happen:

      • A file named artifacts.zip will be downloaded by your browser. Make note of the location of this zip file as you will need to upload it to Cloud Remote through the Cloud Remote web UI (see below).
      • The Region Connectivity section header briefly displays the encryption key for the zip file, as shown in the figure below. The key is the text after ":- ". You must copy this key within one minute of it being displayed, because you will need to enter it in the Cloud Remote web UI (see below). The key is only displayed for one minute. If you miss the chance to copy it, you must download a new copy of the zip file and copy the new key; the key belongs to the specific zip file it was displayed with.


    7. After you have set the region connectivity settings in CloudCenter Suite, downloaded the zip file, and copied the encryption key, log in to the Cloud Remote web UI.
      1. Open another browser tab and log in to https://<Cloud_Remote_IP> with the default credentials: admin / cisco.
      2. You will immediately be required to change your password. Do so.
      3. You are now brought to the Cloud Remote home page as shown in the figure below.
      4. Click the Apply Configuration button in the page header.
      5. Clicking Apply Configuration prompts you to select a configuration file and enter the encryption key, as shown in the figure below.
      6. Paste the encryption key you saved from the CloudCenter Suite web UI into the Encryption Key field in the dialog box.
      7. Click Select File, browse to the artifacts.zip file that you downloaded through the CloudCenter Suite web UI, and select it.
      8. Click Confirm.
      9. Once the zip file is successfully transmitted and accepted, the Cloud Remote appliance attempts to establish communication with the CloudCenter Suite cluster, and the Cloud Remote web UI home page is updated to show the name of the region it is connecting to in the upper right (see figure below).
      10. Now switch your focus back to the Region Connectivity section of the target cloud region in the CloudCenter Suite web UI. The status indicator in the Region Connectivity section header changes from Not Configured to Running once connectivity between Cloud Remote and the CloudCenter Suite cluster is completely established (see figure below).
        After completing these steps, Workload Manager and Cost Optimizer can both use Cloud Remote for communicating with the target cloud region.
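The port tables in step 4 of the AWS procedure above (and the identical tables in the vCenter and OpenStack procedures) expressed as AWS CLI calls, so the source restrictions are applied exactly rather than approximated by hand in the console. This is an added example, not Cisco's code or tooling: the group id sg-0abc, the operator range 203.0.113.0/24, the suite address 198.51.100.7/32, and the Description labels are placeholder values. The functions only print the commands, so the rule set can be reviewed before it is piped to sh; the multi-node rules use the group itself as their source, which is what <cr_sec_group> in the table means.

```shell
#!/bin/sh
# Added example, not Cisco code: turns the Cloud Remote port tables into
# AWS CLI calls. Group id and CIDRs are placeholders. Nothing is applied
# until the printed commands are piped to sh.

# rule GROUP PROTO PORT SOURCE LABEL
# SOURCE is a CIDR, or a security group id (sg-...) for a rule whose
# source is the group itself, which is what <cr_sec_group> means above.
rule() {
    case $4 in
        sg-*) src="UserIdGroupPairs=[{GroupId=$4,Description=$5}]" ;;
        *)    src="IpRanges=[{CidrIp=$4,Description=$5}]" ;;
    esac
    printf "aws ec2 authorize-security-group-ingress --group-id %s --ip-permissions 'IpProtocol=%s,FromPort=%s,ToPort=%s,%s'\n" \
        "$1" "$2" "$3" "$3" "$src"
}

# cr_sg_rules GROUP ADMIN_CIDR SUITE_CIDR [multi]
#   ADMIN_CIDR  operators who need SSH, the web UI, or the AMQP management UI
#   SUITE_CIDR  the address the CloudCenter Suite cluster's local AMQP
#               service connects from (a /32 unless it sits behind NAT)
#   multi       also add the node-to-node ports of a Cloud Remote cluster
# Every other inbound port stays closed, since a new group has no rules.
cr_sg_rules() {
    sg=$1; admin=$2; suite=$3; mode=${4:-single}
    rule "$sg" tcp 22    "$admin" SSH
    rule "$sg" tcp 443   "$admin" CloudRemoteWebUI
    rule "$sg" tcp 5671  "$suite" AMQP
    rule "$sg" tcp 15671 "$admin" AMQPManagement
    if [ "$mode" = multi ]; then
        for p in tcp:2377 tcp:25672 udp:7946 tcp:4369 tcp:9010 udp:4789; do
            rule "$sg" "${p%%:*}" "${p##*:}" "$sg" CloudRemoteNodes
        done
    fi
}

# Number of rules the call above would create: 4 single node, 10 multi-node.
cr_sg_rule_count() { cr_sg_rules "$@" | wc -l | tr -d ' '; }

# Usage:
#   aws ec2 create-security-group --group-name cloud-remote \
#       --description 'Cloud Remote appliances' --vpc-id vpc-0123456789abcdef0
#   cr_sg_rules sg-0abc 203.0.113.0/24 198.51.100.7/32 multi        # review
#   cr_sg_rules sg-0abc 203.0.113.0/24 198.51.100.7/32 multi | sh   # apply
# If you later move a port with the Change Ports script, add the rule for
# the new port and revoke the old one with revoke-security-group-ingress.
```

The CIDR passed as SUITE_CIDR is whatever address the suite's outbound AMQP traffic actually arrives from; if the suite cluster egresses through a NAT gateway, that gateway's address is the one to use, not the cluster's node addresses.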

     Steps to configure Cloud Remote in an AzureRM cloud region to support a Kubernetes cloud

    Configure Cloud Remote in an AzureRM region to support a Kubernetes target cloud as follows:
    1. Download the Cloud Remote appliance zip file for AzureRM from software.cisco.com and then unzip it to reveal the VHD file.
    2. Upload the Cloud Remote appliance VHD file to AzureRM using the AzureRM CLI, then launch the appliance from the AzureRM console web UI. This process is similar to uploading and launching the CloudCenter Suite installer appliance for AzureRM.

      You must use the AzureRM CLI to perform this upload.

    3. Optional but recommended for production environments: deploy two additional instances of the appliance to form a cluster for HA. Cloud Remote includes support for clustering of multiple nodes. You "add" these two additional instances to the first instance after the first instance is configured. See Cloud Remote (Conditional) > Scaling for details.
    4. Once the first instance of the appliance has been launched, use the AzureRM console to note its public and private IP addresses. You will need this information later in order to log in to the Cloud Remote web UI and to complete the Region Connectivity settings in the CloudCenter Suite web UI. Also note the IP addresses of any other appliances you launch.
    5. Set up the appropriate firewall rules. You will need to open various ports on each instance of the appliance. To do this, use the tools provided by the cloud provider to create a new security group for your Cloud Remote cluster; then associate each appliance in the cluster with that security group. Use the tables below for guidance on what port rules should be added to that security group, and leave every other inbound port closed.

      Port rules for a single node Cloud Remote deployment:

      Port  | Protocol | Source                                                                                                           | Usage
      22    | TCP      | Limit to address space of users needing SSH access for debugging and changing default ports                      | SSH
      443   | TCP      | Limit to address space of users needing access to the Cloud Remote web UI for setup and scaling                  | HTTPS (Cloud Remote web UI)
      8443  | TCP      | Limit to address space of users needing SSH or RDP access to their managed VMs                                   | User to Guacamole
      5671  | TCP      | Limit to address space of the managed VMs and the address of the CloudCenter Suite cluster's local AMQP service  | AMQP
      15671 | TCP      | Limit to address space of users needing web access for debugging the remote AMQP service                         | HTTPS (AMQP Management)
      7789  | TCP      | Limit to address space of the managed VMs                                                                        | Worker VM to Guacamole

      The Cloud Remote web UI, User-to-Guacamole, and AMQP ports listed above are the defaults used by Cloud Remote. You may change these port numbers using the Change Ports shell script (see Cloud Remote (Conditional) > Custom Port Numbers (Conditional)) once the appliance is fully configured and communicating with the CloudCenter Suite cluster. If you plan to modify any of these three port numbers, update the firewall rules accordingly.

      For a multi-node Cloud Remote cluster deployment, these additional port rules should be added to the same security group used for the single node configuration:

      Port  | Protocol | Source
      2377  | TCP      | <cr_sec_group> *
      25672 | TCP      | <cr_sec_group>
      7946  | UDP      | <cr_sec_group>
      4369  | TCP      | <cr_sec_group>
      9010  | TCP      | <cr_sec_group>
      4789  | UDP      | <cr_sec_group>

       * <cr_sec_group> represents the security group that all Cloud Remote nodes are joined to.


    6. Switch back to the Workload Manager or Cost Optimizer UI and click Configure Region link in the upper left of the Region Connectivity section to bring up the Configure Region dialog box. The toggle settings should be the same as when you set them in the connectivity page of the Add Cloud dialog box. You may need to update the Local AMQP IP Address or the Remote AMQP IP Address fields per the table below.
      Toggle Settings | Field | Value

      Cloud Endpoint Directly Accessible = No
      AND
      CloudCenter Directly Accessible from Cloud Remote = Yes

        Field: Local AMQP IP Address

        Value: Pre-populated with the address and port number of the "local" AMQP server running in the CloudCenter Suite cluster.

        If Cloud Remote is accessing the CloudCenter Suite cluster through a user-supplied proxy server or NAT firewall, overwrite this field with the corresponding local AMQP IP address and port number provided by the user-supplied proxy server or NAT firewall and accessible to Cloud Remote.

      Cloud Endpoint Directly Accessible = No
      AND
      CloudCenter Directly Accessible from Cloud Remote = No

        Field: Remote AMQP IP Address

        Value: Enter <Cloud_Remote_IP>:<amqp_port>, where
        <Cloud_Remote_IP> = the IP address of Cloud Remote that is accessible to the CloudCenter Suite cluster, and
        <amqp_port> = 5671 OR the custom AMQP port number you would later set with the Change Ports shell script on the Cloud Remote appliance (see Cloud Remote (Conditional) > Custom Port Numbers (Conditional)).

        If there is no user-supplied NAT firewall or proxy server between the CloudCenter Suite cluster and Cloud Remote, the IP address would be the public IP address of Cloud Remote.

        If there is a NAT firewall or proxy server between the CloudCenter Suite cluster and Cloud Remote, instead enter the corresponding public IP address and port number that the firewall or proxy server presents to the internet on behalf of the "remote" AMQP server running in Cloud Remote.

      When done, click OK to save the setting and dismiss the dialog box.

    7. After saving the Region Configuration settings, the next step is downloading the connectivity configuration file and copying its encryption key. Click the Download Configuration link in the upper right of the Region Connectivity section, as shown in the figure below.

      Clicking Download Configuration causes two things to happen:

      • A file named artifacts.zip will be downloaded by your browser. Make note of the location of this zip file as you will need to upload it to Cloud Remote through the Cloud Remote web UI (see below).
      • The Region Connectivity section header briefly displays the encryption key for the zip file, as shown in the figure below. The key is the text after ":- ". You must copy this key within one minute of it being displayed, as you will need to enter this key in the Cloud Remote web UI (see below). The key is only displayed for one minute. If you miss the chance to copy it, you must download a new copy of the zip file and copy the new key.


    8. After you have set the region connectivity settings in CloudCenter Suite, downloaded the zip file, and copied the encryption key, log in to the Cloud Remote web UI.
      1. Open another browser tab and log in to https://<Cloud Remote_ip> with the default credentials: admin / cisco.
      2. You will immediately be required to change your password. Do so.
      3. You are now brought to the Cloud Remote home page as shown in the figure below.
      4. Click the Apply Configuration button in the page header.
      5. Clicking Apply Configuration prompts you to select a configuration file and enter the encryption key, as shown in the figure below.
      6. Paste the encryption key you saved from the CloudCenter Suite web UI into the Encryption Key field in the dialog box.
      7. Click Select File and browse to the artifacts.zip file that you downloaded through the CloudCenter Suite web UI and select it.
      8. Click Confirm.
      9. Once the zip file is successfully transmitted and accepted, the Cloud Remote appliance attempts to establish communication with the CloudCenter Suite cluster and the Cloud Remote web UI home page is updated to show the name of the region it is connecting to in the upper right (see figure below).
      10. Now, switch your focus back to the Region Connectivity section of the target cloud region in the CloudCenter Suite web UI. The status indicator in the Region Connectivity section header will change from Not Configured to Running once connectivity between Cloud Remote and the CloudCenter Suite cluster is completely established (see figure below).
        After completing these steps, Workload Manager and Cost Optimizer can both use Cloud Remote for communicating with the target cloud region.

     Steps to configure Cloud Remote in a Google cloud region to support a Kubernetes cloud

    Configure Cloud Remote in a Google region to support a Kubernetes target cloud as follows:
    1. Request the Cloud Remote shared VMI from Cisco support by opening a CloudCenter Support case. In your request, specify the following details:

      1. Your GCP account number

      2. Your GCP project ID number

      3. Your CloudCenter Suite version

      4. Your Customer ID (CID)

      5. Your customer name

      6. Whether your setup is in production or for a POC

      7. Your contact email

    2. After you open a case, your support case is updated with the shared VMI ID. Proceed to the next step only after your support case is updated with the VMI ID.

    3. Navigate to the GCP dashboard and search for the VMI ID name provided in the CloudCenter Support case in the list of images for your project.

    4. Launch an instance using the shared VMI. 

      1. Click on the image name. This takes you to the page for the image.

      2. Click on Create Instance to display the Instance properties page.

      3. Complete these fields:

        1. Instance name

        2. Region and zone

        3. Machine type: select 2 vCPU, 7.5 GB RAM

        4. Click the checkbox to allow HTTPS access

        5. Click the Security tab (under the Allow HTTPS traffic checkbox). In the SSH key field, add your organization's public ssh key followed by a space and then the username you want to use to login to the Cloud Remote appliance. Click the Add Item button when done.

      4. Click Create to launch the instance.

    5. Optional but recommended for production environments: Deploy two additional instances of the appliance to form a cluster for HA. Cloud Remote includes support for clustering of multiple nodes. You will "add" these two additional instances to the first instance after the first instance is configured. See Cloud Remote (Conditional) > Scaling for details.

    6. Once the first instance of the appliance has been launched, use the GCP console to note its public and private IP addresses. You will need this information later on in order to log in to the Cloud Remote web UI and to complete the Region Connectivity settings in the CloudCenter Suite web UI. Also, note the IP addresses of any other appliances you launch.

    7. Set up the appropriate firewall rules. You will need to open various ports on each instance of the appliance. To do this, use the tools provided by the cloud provider to create a new security group for your Cloud Remote cluster; then, associate each appliance in the cluster with that security group. Use the tables below for guidance on what port rules should be added to that security group.

      Port rules for a single node Cloud Remote deployment:

      Port  | Protocol | Source                                                                                        | Usage
      22    | TCP      | Limit to address space of users needing SSH access for debugging and changing default ports   | SSH
      443   | TCP      | Limit to address space of users needing access to the Cloud Remote web UI for setup and scaling | HTTPS (Cloud Remote web UI)
      5671  | TCP      | Limit to address of the CloudCenter Suite cluster's local AMQP service                        | AMQP
      15671 | TCP      | Limit to address space of users needing web access for debugging the remote AMQP service      | HTTPS (AMQP Management)

      The Cloud Remote web UI and AMQP ports listed above are the defaults used by Cloud Remote. You may change these port numbers using the Change Ports shell script (see Cloud Remote (Conditional) > Custom Port Numbers (Conditional)) once the appliance is fully configured and communicating with the CloudCenter Suite cluster. If you plan to modify any of these port numbers, update the firewall rules accordingly.

      For a multi-node Cloud Remote cluster deployment, these additional port rules should be added to the same security group used for the single node configuration:

      Port  | Protocol | Source
      2377  | TCP      | <cr_sec_group> *
      25672 | TCP      | <cr_sec_group>
      7946  | UDP      | <cr_sec_group>
      4369  | TCP      | <cr_sec_group>
      9010  | TCP      | <cr_sec_group>
      4789  | UDP      | <cr_sec_group>

       * <cr_sec_group> represents the security group that all Cloud Remote nodes are joined to.
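      The port tables for the AzureRM region (step 5) and the Google region (step 7) both say to limit each source to a specific address space and to restrict the multi-node ports to the Cloud Remote security group itself. The following is an added example, not Cisco's code, that audits a proposed rule set against those tables before it is applied. It assumes a hypothetical rule representation (a list of dicts with "port", "proto" and "source"), with the literal string "cr_sec_group" standing in for the <cr_sec_group> reference; the sample rule set is constructed for the demonstration and deliberately contains two mistakes.

```python
"""Audit a proposed Cloud Remote security-group rule set against the port tables above.

Added example (not Cisco's code). Assumed rule representation: each rule is a dict
with "port", "proto" and "source", where "source" is a CIDR or the literal string
"cr_sec_group" (standing in for <cr_sec_group>, the group all Cloud Remote nodes join).
"""
import ipaddress

# Single-node ports from the AzureRM table; the Google table omits 8443 and 7789.
AZURERM_SINGLE_NODE = {22: "TCP", 443: "TCP", 8443: "TCP", 5671: "TCP", 15671: "TCP", 7789: "TCP"}
GOOGLE_SINGLE_NODE = {22: "TCP", 443: "TCP", 5671: "TCP", 15671: "TCP"}

# Additional multi-node ports; their source must be the cluster's own security group.
CLUSTER_PORTS = {2377: "TCP", 25672: "TCP", 7946: "UDP", 4369: "TCP", 9010: "TCP", 4789: "UDP"}

# Sources that mean "anywhere" and therefore violate the "limit to address space" guidance.
ANY_SOURCE = {"0.0.0.0/0", "::/0", "*", "Internet", "any"}


def audit_rules(rules, single_node_ports, multi_node=False):
    """Return a list of findings; an empty list means the rule set matches the guidance."""
    findings = []
    seen = {}  # (port, proto) -> list of sources
    for r in rules:
        seen.setdefault((r["port"], r["proto"].upper()), []).append(r["source"])

    required = dict(single_node_ports)
    if multi_node:
        required.update(CLUSTER_PORTS)

    for port, proto in required.items():
        sources = seen.get((port, proto))
        if not sources:
            findings.append(f"missing rule: {port}/{proto}")
            continue
        for src in sources:
            if port in CLUSTER_PORTS:
                # Cluster traffic stays inside the group; a CIDR here is wider than needed.
                if src != "cr_sec_group":
                    findings.append(f"{port}/{proto}: source must be <cr_sec_group>, got {src}")
            elif src in ANY_SOURCE:
                findings.append(f"{port}/{proto}: open to any source; restrict to the listed address space")
            else:
                try:
                    ipaddress.ip_network(src, strict=False)
                except ValueError:
                    findings.append(f"{port}/{proto}: source {src!r} is not a valid CIDR")

    # Anything outside the tables is an extra exposure worth reviewing.
    for port, proto in seen:
        if required.get(port) != proto:
            findings.append(f"unexpected rule: {port}/{proto}")
    return findings


# Constructed sample: an AzureRM single-node rule set with two mistakes
# (443 open to the internet, 7789 missing).
SAMPLE_RULES = [
    {"port": 22,    "proto": "TCP", "source": "10.10.0.0/24"},
    {"port": 443,   "proto": "TCP", "source": "0.0.0.0/0"},
    {"port": 8443,  "proto": "TCP", "source": "10.10.0.0/24"},
    {"port": 5671,  "proto": "TCP", "source": "10.20.0.0/16"},
    {"port": 15671, "proto": "TCP", "source": "10.10.0.0/24"},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, AZURERM_SINGLE_NODE):
        print(finding)
```

      Run the same rule set against GOOGLE_SINGLE_NODE and the 8443 rule is reported as unexpected, which is the point of keeping a per-cloud table rather than one union of ports.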

    8. Switch back to the Workload Manager or Cost Optimizer UI and click Configure Region link in the upper left of the Region Connectivity section to bring up the Configure Region dialog box. The toggle settings should be the same as when you set them in the connectivity page of the Add Cloud dialog box. You may need to update the Local AMQP IP Address or the Remote AMQP IP Address fields per the table below.
      Toggle Settings | Field | Value

      Cloud Endpoint Directly Accessible = No
      AND
      CloudCenter Directly Accessible from Cloud Remote = Yes

        Field: Local AMQP IP Address

        Value: Pre-populated with the address and port number of the "local" AMQP server running in the CloudCenter Suite cluster.

        If Cloud Remote is accessing the CloudCenter Suite cluster through a user-supplied proxy server or NAT firewall, overwrite this field with the corresponding local AMQP IP address and port number provided by the user-supplied proxy server or NAT firewall and accessible to Cloud Remote.

      Cloud Endpoint Directly Accessible = No
      AND
      CloudCenter Directly Accessible from Cloud Remote = No

        Field: Remote AMQP IP Address

        Value: Enter <Cloud_Remote_IP>:<amqp_port>, where
        <Cloud_Remote_IP> = the IP address of Cloud Remote that is accessible to the CloudCenter Suite cluster, and
        <amqp_port> = 5671 OR the custom AMQP port number you would later set with the Change Ports shell script on the Cloud Remote appliance (see Cloud Remote (Conditional) > Custom Port Numbers (Conditional)).

        If there is no user-supplied NAT firewall or proxy server between the CloudCenter Suite cluster and Cloud Remote, the IP address would be the public IP address of Cloud Remote.

        If there is a NAT firewall or proxy server between the CloudCenter Suite cluster and Cloud Remote, instead enter the corresponding public IP address and port number that the firewall or proxy server presents to the internet on behalf of the "remote" AMQP server running in Cloud Remote.

      When done, click OK to save the setting and dismiss the dialog box.

    9. After saving the Region Configuration settings, the next step is downloading the connectivity configuration file and copying its encryption key. Click the Download Configuration link in the upper right of the Region Connectivity section, as shown in the figure below.

      Clicking Download Configuration causes two things to happen:

      • A file named artifacts.zip will be downloaded by your browser. Make note of the location of this zip file as you will need to upload it to Cloud Remote through the Cloud Remote web UI (see below).
      • The Region Connectivity section header briefly displays the encryption key for the zip file, as shown in the figure below. The key is the text after ":- ". You must copy this key within one minute of it being displayed, as you will need to enter this key in the Cloud Remote web UI (see below). The key is only displayed for one minute. If you miss the chance to copy it, you must download a new copy of the zip file and copy the new key.


    10. After you have set the region connectivity settings in CloudCenter Suite, downloaded the zip file, and copied the encryption key, log in to the Cloud Remote web UI.
      1. Open another browser tab and log in to https://<Cloud Remote_ip> with the default credentials: admin / cisco.
      2. You will immediately be required to change your password. Do so.
      3. You are now brought to the Cloud Remote home page as shown in the figure below.
      4. Click the Apply Configuration button in the page header.
      5. Clicking Apply Configuration prompts you to select a configuration file and enter the encryption key, as shown in the figure below.
      6. Paste the encryption key you saved from the CloudCenter Suite web UI into the Encryption Key field in the dialog box.
      7. Click Select File and browse to the artifacts.zip file that you downloaded through the CloudCenter Suite web UI and select it.
      8. Click Confirm.
      9. Once the zip file is successfully transmitted and accepted, the Cloud Remote appliance attempts to establish communication with the CloudCenter Suite cluster and the Cloud Remote web UI home page is updated to show the name of the region it is connecting to in the upper right (see figure below).
      10. Now, switch your focus back to the Region Connectivity section of the target cloud region in the CloudCenter Suite web UI. The status indicator in the Region Connectivity section header will change from Not Configured to Running once connectivity between Cloud Remote and the CloudCenter Suite cluster is completely established (see figure below).
        After completing these steps, Workload Manager and Cost Optimizer can both use Cloud Remote for communicating with the target cloud region.

  6. Instance Types: A Kubernetes cloud region does not include any instance types out of the box. You must manually add instance types to your Kubernetes cloud if you want Workload Manager to deploy jobs to it. See Instance Types Settings for more details.

Add a Kubernetes Cloud Account

Prerequisites

Be aware that these screen captures may change as the Kubernetes dashboard changes. They are provided in this section as a point of reference.

Before adding a cloud account to a Kubernetes cloud in CloudCenter Suite, verify the following Kubernetes requirements:

  • A valid Kubernetes service account.

  • A cluster-admin cluster role binding for that service account exists on the API server (see the Kubernetes Documentation).

  • A valid Service Account Token. You can retrieve the Service Account Token from Kubernetes using one of two methods:

    • Kubernetes Dashboard Method:

      1. Access the Kubernetes web UI, scroll the left menu bar down to Config and Storage, and click Secrets. The list of secrets for the cluster is shown in the right panel:

      2. Click the link corresponding to the Service Account Token to view the token details screen:

      3. Click the eyeball icon to the left of the token at the end of the Data section to reveal the token. Copy and paste it into the Service Account Token field in the CloudCenter Suite's Add Cloud Account dialog box (see Configuration Process below).

        The service account token must be in base64 format before you paste it into the Add Cloud Accounts page. Retrieving the token from the Kubernetes web UI ensures that it is.

    • The kubectl Command Method:

      1. Issue the following commands in sequence – the last command returns the token.

        # Namespace and name of the service account that CloudCenter Suite will use
        export NAMESPACE="default"
        export SERVICE_ACCOUNT_NAME="bob-the-bot3"

        kubectl create serviceaccount $SERVICE_ACCOUNT_NAME -n $NAMESPACE
        # Output: serviceaccount "bob-the-bot3" created

        # Bind the service account to cluster-admin (full cluster privileges, so handle the
        # resulting token as a highly privileged credential). Replace <name> with a name for
        # the binding; note that the --serviceaccount flag takes two dashes.
        kubectl create clusterrolebinding <name> --clusterrole=cluster-admin --serviceaccount=$NAMESPACE:$SERVICE_ACCOUNT_NAME

        # Name of the secret holding the service account token. On Kubernetes 1.24 and later
        # no such secret is auto-created, so this is empty unless you create the token secret yourself.
        export SECRET_NAME=$(kubectl get serviceaccount $SERVICE_ACCOUNT_NAME -n $NAMESPACE -o 'jsonpath={.secrets[0].name}' 2>/dev/null)

        # Print the decoded token. The secret stores it base64-encoded on a single line without
        # a trailing newline, so openssl needs -A or it decodes nothing.
        kubectl get secret $SECRET_NAME -n $NAMESPACE -o "jsonpath={.data.token}" | openssl enc -d -base64 -A
      2. Copy and paste this token to the Service Account Token field in the CloudCenter Suite's Add Cloud Account dialog box (see Configuration Process below).
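      The two methods above hand you the same token in two forms: the dashboard shows the base64-wrapped value stored in the secret, while the kubectl command decodes it to the raw JWT. The following is an added example, not Cisco's or the Kubernetes project's code, that normalizes either form and inspects the token's claims (namespace, service account name, issuer) before the token is pasted into Add Cloud Account, so a token for the wrong account or namespace is caught early. It only decodes; it does not verify the signature, which only the API server can do. It assumes the legacy secret-based token claim names that the kubectl commands above retrieve, and the sample token is constructed inline with a dummy signature.

```python
"""Inspect a Kubernetes service account token before pasting it into Add Cloud Account.

Added example (not Cisco's or Kubernetes' code). Decodes the token's claims WITHOUT
verifying the signature; accepts the token raw (kubectl method) or base64-wrapped
(dashboard). Assumes legacy secret-based token claim names.
"""
import base64
import json

NS_CLAIM = "kubernetes.io/serviceaccount/namespace"
NAME_CLAIM = "kubernetes.io/serviceaccount/service-account.name"


def _b64url_decode(part):
    """Decode a base64url segment, restoring any stripped padding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def normalize_token(value):
    """Return the raw JWT. A base64-wrapped JWT (no dots in the text) is unwrapped first."""
    value = value.strip()
    if value.count(".") == 2:
        return value
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        raise ValueError("value is neither a JWT nor a base64-wrapped JWT")
    if decoded.count(".") != 2:
        raise ValueError("base64 payload does not contain a JWT")
    return decoded


def decode_sa_token(value):
    """Return (header, claims) of the token. The signature is NOT checked here."""
    header_b64, claims_b64, _signature = normalize_token(value).split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))


def check_sa_token(value, namespace, service_account):
    """Return a list of problems; an empty list means the token matches the expected account."""
    problems = []
    header, claims = decode_sa_token(value)
    if header.get("alg") == "none":
        problems.append("unsigned token (alg=none)")
    if claims.get("iss") != "kubernetes/serviceaccount":
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get(NS_CLAIM) != namespace:
        problems.append(f"namespace is {claims.get(NS_CLAIM)!r}, expected {namespace!r}")
    if claims.get(NAME_CLAIM) != service_account:
        problems.append(f"service account is {claims.get(NAME_CLAIM)!r}, expected {service_account!r}")
    return problems


def wrap_base64(token):
    """Wrap a raw JWT in standard base64, the form the dashboard's Secrets view shows."""
    return base64.b64encode(token.encode("ascii")).decode("ascii")


def make_sample_token(namespace="default", name="bob-the-bot3"):
    """Build a CONSTRUCTED legacy-style service account JWT with a dummy signature."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": "constructed-key-id"}
    claims = {
        "iss": "kubernetes/serviceaccount",
        NS_CLAIM: namespace,
        "kubernetes.io/serviceaccount/secret.name": f"{name}-token-xxxxx",
        NAME_CLAIM: name,
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }
    signature = base64.urlsafe_b64encode(b"constructed-signature-not-valid").rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.{signature}"


if __name__ == "__main__":
    raw = make_sample_token()
    print(check_sa_token(raw, "default", "bob-the-bot3"))                 # []
    print(check_sa_token(wrap_base64(raw), "kube-system", "bob-the-bot3"))  # namespace mismatch
```

      Because the token carries cluster-admin, a mismatch reported here is worth treating as a sign that the wrong secret was copied, not something to paste anyway.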

Configuration Process

To add a cloud account to a Kubernetes cloud, follow this procedure.

  1. Locate the Kubernetes cloud in the Clouds page and click the Add Cloud Account link. This displays the Add Cloud Account dialog box as shown in the figure below.

  2. Assign a new cloud account name.

    Tip

    The name should not contain any space, dash, or special characters.

  3. Add the following Cloud Credentials: 

    Field                 | Description
    Service Account Name  | The email address or username that you used to log in to the Kubernetes cluster.
    Service Account Token | The token used to access the Kubernetes service account, as described in the Prerequisites section above.

    When done, click Connect. CloudCenter Suite will now attempt to validate your account credentials.

  4. After the credentials are verified, the Connect button changes to an Edit button and two new fields appear, Enable Account For and Enable Reporting By Org Structure, as shown in the figure below.

    1. Set the Enable Account For dropdown per the table below.

      Value                   | Usage
      Provisioning            | Workload Manager can deploy jobs using this account.
      Reporting               | Cost Optimizer and Workload Manager will track cloud costs for this account. Typical usage: master cloud accounts which are used for billing aggregation.
      Provisioning, Reporting | Default. Account is used for both provisioning and reporting.
    2. For AWS and Google clouds only: Set the Enable Reporting By Org Structure toggle to On to cause Cost Optimizer to import the cost hierarchy created in the cloud provider portal. This saves the time of manually creating a comparable cost hierarchy within Cost Optimizer. See Cost Groups Configuration for more information on cost hierarchies in Cost Optimizer.

  5. Click the Save button when done.

After you add cloud accounts, they will appear in the Cloud Accounts list in the Accounts tab for the cloud as shown in the figure below.

The cloud account list contains columns for data you entered into the Add Cloud Account dialog box: Account Name, Description, Enabled For; and two additional columns: Billing Units and Actions. The third column, Billing Units, is dual function. If the cloud account contains only one billing unit, the ID for that billing unit is displayed. If the cloud account contains multiple billing units, such as an AWS master account, the number of billing units in that account is displayed followed by the text "Billing Units". 

A billing unit is the most granular level of cloud cost recording in CloudCenter Suite. The definition of billing unit varies by cloud provider as shown in the table below.

Cloud Provider | Billing Unit
AWS            | Account ID
AzureRM        | Subscription ID
Google         | Project ID
vCenter        | Cloud Group Prefix - Datacenter Name
OpenStack      | Project ID
Kubernetes     | Namespace UID

The last column, Actions, contains links that let you edit or delete the cloud account, or manage instance types for the cloud account.

© 2017-2019 Cisco Systems, Inc. All rights reserved