Creating an admin workstation with a static IP address

This page explains how to create an admin workstation that you can use to install GKE on-prem.

In this topic, you create an admin workstation that has a static IP address.

If you want to create an admin workstation that uses Dynamic Host Configuration Protocol (DHCP) to get its IP address, see Creating an admin workstation using DHCP.

If you run your commands on Linux, there is an alternative to following the steps in this topic. The alternative is to use the gkeadm tool which automates much of the admin workstation creation.

Overview

The admin workstation is a vSphere VM that contains all the tools you need to create and manage GKE on-prem clusters. To create the admin workstation, you perform the following steps described in this topic:

  • Download the admin workstation Open Virtual Appliance (OVA) file, a compressed image of the admin workstation VM.
  • Use govc, the command line interface to vSphere, to import the OVA to vSphere as a VM template.
  • Copy and populate HashiCorp Terraform configuration files.
  • Use Terraform version 0.11 to create the admin workstation VM.

Creating a key for your allowlisted service account

If you don't already have a JSON key file for your allowlisted service account, create one now:

  1. gcloud auth login
  2. gcloud iam service-accounts keys create whitelisted-key.json \
    --iam-account [ALLOWLISTED_SERVICE_ACCOUNT_EMAIL]
    

where [ALLOWLISTED_SERVICE_ACCOUNT_EMAIL] is the email address of your allowlisted service account.

Downloading the admin workstation OVA

The admin workstation OVA includes all of the cluster components, command line tools, and other entities needed to install and manage GKE on-prem clusters.

Activate your allowlisted service account:

gcloud auth activate-service-account --key-file [KEY_ALLOWLISTED_ACCOUNT]

where [KEY_ALLOWLISTED_ACCOUNT] is the path of the JSON key file for your allowlisted service account.

Download the latest version of the admin workstation OVA and its signature file:

gcloud storage cp gs://gke-on-prem-release/admin-appliance/1.4.3-gke.3/gke-on-prem-admin-appliance-vsphere-1.4.3-gke.3.{ova,ova.1.sig} ./

Verifying the OVA using openssl

Verify the OVA file you downloaded against the public key using openssl:

openssl dgst -verify - -signature gke-on-prem-admin-appliance-vsphere-1.4.3-gke.3.ova.1.sig gke-on-prem-admin-appliance-vsphere-1.4.3-gke.3.ova <<'EOF'
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZrGCUaJJr1H8a36sG4UUoXvlXvZ
wQfk16sxprI2gOJ2vFFggdq3ixF2h4qNBt0kI7ciDhgpwS8t+/960IsIgw==
-----END PUBLIC KEY-----
EOF

Expected output of this command is Verified OK.

Using govc to import the OVA to vSphere and mark it as a VM template

In the following sections, you:

  1. Create some variables declaring elements of your vCenter Server and vSphere environment.
  2. Import the admin workstation OVA to vSphere and mark it as a VM template.

Creating variables for govc

Before you import the admin workstation OVA to vSphere, you need to provide govc some variables declaring elements of your vCenter Server and vSphere environment:

export GOVC_URL=https://[VCENTER_SERVER_ADDRESS]/sdk
export GOVC_USERNAME=[VCENTER_SERVER_USERNAME]
export GOVC_PASSWORD=[VCENTER_SERVER_PASSWORD]
export GOVC_DATASTORE=[VSPHERE_DATASTORE]
export GOVC_DATACENTER=[VSPHERE_DATACENTER]
export GOVC_INSECURE=true

You can choose to use vSphere's default resource pool or create your own:

# If you want to use a resource pool you've configured yourself, export this variable:
export GOVC_RESOURCE_POOL=[VSPHERE_CLUSTER]/Resources/[VSPHERE_RESOURCE_POOL]
# If you want to use vSphere's default resource pool, export this variable instead:
export GOVC_RESOURCE_POOL=[VSPHERE_CLUSTER]/Resources

where:

  • [VCENTER_SERVER_ADDRESS] is your vCenter Server's IP address or hostname.
  • [VCENTER_SERVER_USERNAME] is the username of an account that holds the Administrator role or equivalent privileges in vCenter Server.
  • [VCENTER_SERVER_PASSWORD] is the vCenter Server account's password.
  • [VSPHERE_DATASTORE] is the name of the datastore you've configured in your vSphere environment.
  • [VSPHERE_DATACENTER] is the name of the datacenter you've configured in your vSphere environment.
  • [VSPHERE_CLUSTER] is the name of the cluster you've configured in your vSphere environment.
  • For using a non-default resource pool,
  • [VSPHERE_RESOURCE_POOL] is the name of the resource pool you've configured to your vSphere environment.

Creating variables for your proxy

If you are using a proxy, export variables for its the HTTP and HTTPS address, where [PROXY_ADDRESS] is the proxy's IP address or hostname:

export HTTP_PROXY=http://[PROXY_ADDRESS]
export HTTPS_PROXY=https://[PROXY_ADDRESS]

Importing the OVA to vSphere: Standard switch

If you are using a vSphere Standard Switch, import the OVA to vSphere using this command:

govc import.ova -options - gke-on-prem-admin-appliance-vsphere-1.4.3-gke.3.ova <<EOF
{
  "DiskProvisioning": "thin",
  "MarkAsTemplate": true
}
EOF

Importing the OVA to vSphere: Distributed switch

If you are using a vSphere Distributed Switch, import the OVA to vSphere using this command, where [YOUR_DISTRIBUTED_PORT_GROUP_NAME] is the name of your distributed port group:

govc import.ova -options - gke-on-prem-admin-appliance-vsphere-1.4.3-gke.3.ova <<EOF
{
  "DiskProvisioning": "thin",
  "MarkAsTemplate": true,
  "NetworkMapping": [
      {
          "Name": "VM Network",
          "Network": "[YOUR_DISTRIBUTED_PORT_GROUP_NAME]"
      }
  ]
}
EOF

Copying the Terraform configuration files

Create a directory for your Terraform files:

mkdir [TERRAFORM_DIR]

where [TERRAFORM_DIR] is the path of a directory where you want to keep your Terraform files.

Copy the following TF and TFVARS files and save them to [TERRAFORM_DIR]/terraform.tf and [TERRAFORM_DIR]/terraform.tfvars, respectively.

The TF file is the Terraform HCL config that performs the VM creation.

The Terraform files given here apply to an admin workstation that has a static IP address. If you want to create an admin workstation that uses DHCP to get its IP address, use the Terraform files given in Creating an admin workstation using DHCP.

Creating an SSH key

Create an SSH key, so that you can SSH into the admin workstation from your local laptop or workstation. On Linux-based operating systems, you can use ssh-keygen:

ssh-keygen -t rsa -f ~/.ssh/vsphere_workstation -N ""

Modifying the TFVARS file

Open terraform.tfvars in a text editor and provide values for the following variables. You can find many of these values by logging in to the vCenter Client:

vcenter_user

Provide a vCenter Server user account as a string. The user account should have the Administrator role or equivalent privileges (see vSphere requirements).

For example:

vcenter_user = "administrator@vsphere.local"

vcenter_password

Provide the vCenter Server user account's password as a string. For example:

vcenter_password = "#STyZ2T#Ko2o"

vcenter_server

Provide your vCenter Server's address (IP or hostname) as a string. For example:

vcenter_server = "198.51.100.2"

ssh_public_key_path

Provide the path to your SSH public key. You created this in a previous step:

ssh_public_key_path = "~/.ssh/vsphere_workstation.pub"

vm_name

Provide a name of your choice for the admin workstation. For example:

vm_name = "my-admin-workstation"

datastore

Provide the name of your vSphere datastore as a string. For example:

datastore = "MY-DATASTORE"

datacenter

Provide the name of your vSphere datacenter as a string. For example:

datacenter = "MY-DATACENTER"

cluster

Provide the name of your vSphere cluster as a string. For example.

cluster = "MY-CLUSTER"

resource_pool

If you are using a non-default resource pool, provide the name of your vSphere resource pool as a string. For example:

resource_pool = "MY-POOL"

If you are using the default resource pool, provide the following value:

resource_pool = "[MY_CLUSTER]/Resources"

where [MY_CLUSTER] is the name of your vSphere cluster.

See Specifying the root resource pool for a standalone host.

network

Provide the vSphere network where you want to create your admin workstation, as a string. For example:

network = "MY-VM-NETWORK"

vm_template

Provide the VM template name as a string. You created imported the OVA and marked it as a template in a previous step. Notice that the template name does not have the .ova extension.

vm_template = "gke-on-prem-admin-appliance-vsphere-1.4.3-gke.3"

ipv4_address

Provide an IPv4 static IP address for the admin workstation. For example:

ipv4_address = "203.0.113.1"

ipv4_netmask_prefix_length

Provide the number of bits in the subnet mask of the network where you want to create your admin workstation. For example:

ipv4_netmask_prefix_length = "22"

ipv4_gateway

Provide the IP address of the default gateway of the subnet in which the admin workstation is to be created. For example:

ipv4_gateway = "198.51.100.1

dns_nameservers

Provide DNS nameservers to be used by the admin workstation, separated by commas. For example:

dns_nameservers = "8.8.8.8,8.8.4.4"

Creating the admin workstation

Now you are ready to create the admin workstation VM. Use Terraform version 0.11 for the steps in this section.

  1. Go to the directory that contains your Terraform configuration files (TF and TFVARS):

  2. Initialize Terraform in the directory and apply the configuration. This might take a few minutes:

    terraform init && terraform apply -auto-approve -input=false

SSH in to your admin workstation

  1. Go to the directory that contains your Terraform configuration files.

  2. Retrieve the IP address of the admin workstation:

    terraform output ip_address

    Make note of the admin workstation's IP address.

  3. SSH in to the admin workstation by using your SSH key and the IP address:

    ssh -i ~/.ssh/vsphere_workstation ubuntu@[ADMIN_WORKSTATION_IP_ADDRESS]
    

Verifying that the admin workstation is set up correctly

Verify that gkectl and docker are installed on your admin workstation:

gkectl version
docker version

Configuring the NTP server on your admin workstation

By default, the admin workstation uses ntp.ubuntu.com as its Network Time Protocol (NTP) server. If your organization uses a different time server, configure your admin workstation to use the same NTP server as the rest of your organization.

Enter the following commands to configure the NTP server on your admin workstation:

sudo mkdir -p /etc/systemd/timesyncd.conf.d/

sudo bash -c "cat >> /etc/systemd/timesyncd.conf.d/cloud-init.conf" << EOF
[Time]
NTP=[NTP_SERVER]
EOF

sudo systemctl restart systemd-timesyncd
timedatectl status

where [NTP_SERVER] is the hostname or IP address of your NTP server.

To verify that your NTP server is working, enter the following command:

timedatectl

The output is similar to this:

                      Local time: Tue 2019-12-17 00:21:50 UTC
                  Universal time: Tue 2019-12-17 00:21:50 UTC
                        RTC time: Tue 2019-12-17 00:21:50
                       Time zone: Etc/UTC (UTC, +0000)
       System clock synchronized: yes
systemd-timesyncd.service active: yes
                 RTC in local TZ: no

Troubleshooting

AccessDeniedException while downloading OVA

Symptoms

Attempting to download the admin workstation OVA and signature returns the following error:

AccessDeniedException: 403 whitelisted-service-account@project.iam.gserviceaccount.com does not have storage.objects.list access to gke-on-prem-release
Potential causes

Your allowlisted service account is not activated.

Resolution

Make sure you have activated your allowlisted service account. If the issue persists, reach out to Google for assistance.

openssl can't validate admin workstation OVA

Symptoms

Running openssl dgst against the admin workstation OVA file doesn't return Verified OK

Potential causes

An issue is present in the OVA file that prevents successful validation.

Resolution

Try downloading and deploying the admin workstation OVA again, as instructed in Download the admin workstation OVA . If the issue persists, reach out to Google for assistance.

For more information, refer to Troubleshooting.