Admin workstation configuration file

This page describes the fields in the admin workstation configuration file.

Generating a template for your configuration file

To generate a template for your admin workstation configuration file, you need the gkeadm tool.

To download the gkeadm command-line tool and make it executable:

gsutil cp gs://gke-on-prem-release-public/gkeadm/1.5.1-gke.8/linux/gkeadm ./
chmod +x gkeadm

To generate a template:

./gkeadm create config --config=[OUTPUT_FILENAME]

where [OUTPUT_FILENAME] is a path of your choice for the generated template. If you omit this flag, gkeadm names the file admin-ws-config.yaml and puts it in the current directory.

Filling in your configuration file

In your configuration file, enter field values as described in the following sections.

gcp

This section holds information about your component access service account.

gcp.whitelistedServiceAccountKeyPath

String. The path of the JSON key file for your component access service account. For information on creating a JSON key file, see component access service account.

For example:

gcp:
  whitelistedServiceAccountKeyPath: "my-key-folder/component-access-key.json"

vCenter

This section holds information about your vSphere environment.

vCenter.credentials.address

String. The IP address or the hostname of your vCenter server.

Before you fill in the address field, download and inspect the serving certificate of your vCenter server. Enter the following command to download the certificate and save it to a file named vcenter.pem.

true | openssl s_client -connect [VCENTER_IP]:443 -showcerts 2>/dev/null | sed -ne '/-BEGIN/,/-END/p' > vcenter.pem

where [VCENTER_IP] is the IP address of your vCenter Server.

Open the certificate file to see the Subject Common Name and the Subject Alternative Name:

openssl x509 -in vcenter.pem -text -noout

The output shows the Subject Common Name (CN). This might be an IP address, or it might be a hostname. For example:

Subject: ... CN = 203.0.113.100
Subject: ... CN = my-host.my-domain.example

The output might also include one or more DNS names under Subject Alternative Name:

X509v3 Subject Alternative Name:
    DNS:vcenter.my-domain.example

Choose the Subject Common Name or one of the DNS names under Subject Alternative Name to use as the value of vCenter.credentials.address in your configuration file. For example:

vCenter:
  credentials:
    address: "203.0.113.1"
    ...

vCenter:
  credentials:
    address: "my-host.my-domain.example"
    ...
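
The address must be a name the certificate actually carries, or TLS hostname verification against vCenter fails. The script below is an added example, not part of the original page: it parses the `openssl x509 -text -noout` output and checks a candidate address against the Subject CN and the DNS entries under Subject Alternative Name. The function names and the sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# Added example: reads `openssl x509 -text -noout` output on stdin.

# Print the names usable as vCenter.credentials.address: the Subject CN and
# every DNS entry under X509v3 Subject Alternative Name, one per line.
cert_names() {
  awk '
    /^ *Subject:/ {
      # Handles both "CN = host" and "CN=host" renderings.
      if (match($0, "CN *= *[^,/]+")) {
        cn = substr($0, RSTART, RLENGTH)
        sub("^CN *= *", "", cn); sub(" +$", "", cn)
        print cn
      }
    }
    /X509v3 Subject Alternative Name/ { in_san = 1; next }
    in_san {
      n = split($0, parts, ", *")
      for (i = 1; i <= n; i++) {
        gsub("^ +| +$", "", parts[i])
        if (parts[i] ~ "^DNS:") print substr(parts[i], 5)
      }
      in_san = 0
    }
  '
}

# Exit 0 if ADDRESS ($1) equals one of those names (case-insensitive).
address_matches_cert() {
  [ -n "$1" ] || return 1
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  cert_names | tr '[:upper:]' '[:lower:]' | grep -Fxq -- "$want"
}

# Constructed sample of the openssl text output (not a real certificate).
sample_cert_text() {
  cat <<'EOF'
        Issuer: CN = CA, DC = vsphere, DC = local
        Subject: C = US, CN = my-host.my-domain.example
        Subject Public Key Info:
            X509v3 Subject Alternative Name:
                DNS:vcenter.my-domain.example, IP Address:203.0.113.100
EOF
}

# Real use: openssl x509 -in vcenter.pem -text -noout | address_matches_cert "$ADDRESS"
sample_cert_text | address_matches_cert "vcenter.my-domain.example" &&
  echo "address matches a name in the certificate"
```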

vCenter.credentials.username

String. A vCenter Server user account. The user account should have the Administrator role or equivalent privileges. See vSphere requirements.

For example:

vCenter:
  credentials:
    username: "administrator@vsphere.local"

vCenter.credentials.password

String. The password for the vCenter Server user account. For example:

vCenter:
  credentials:
    password: "#STyZ2T#Ko2o"

vCenter.datacenter

String. The name of your vCenter datacenter. For example:

vCenter:
  datacenter: "MY-DATACENTER"

vCenter.datastore

String. The name of your vCenter datastore. For example:

vCenter:
  datastore: "MY-DATASTORE"

vCenter.cluster

String. The name of your vCenter cluster. For example:

vCenter:
  cluster: "MY-CLUSTER"

vCenter.network

String. The name of the vCenter network where you want to create your admin workstation. For example:

vCenter:
  network: "MY-VM-NETWORK"

vCenter.resourcePool

String. If you are using a non-default resource pool, provide the name of your vCenter resource pool. For example:

vCenter:
  resourcePool: "MY-POOL"

If you are using the default resource pool, provide the following value:

vCenter:
  resourcePool: "[MY_CLUSTER]/Resources"

where [MY_CLUSTER] is the name of your vCenter cluster.

See Specifying the root resource pool for a standalone host.

vCenter.caCertPath

String. When a client, like GKE on-prem, sends a request to your vCenter server, the server must prove its identity to the client by presenting a certificate or a certificate bundle. To verify the certificate or bundle, GKE on-prem must have the root certificate in the chain of trust.

Set vCenter.caCertPath to the path of the root certificate. For example:

vCenter:
  caCertPath: "/usr/local/google/home/me/certs/vcenter-ca-cert.pem"

Your VMware installation has a certificate authority (CA) that issues a certificate to your vCenter server. The root certificate in the chain of trust is a self-signed certificate created by VMware.

If you do not want to use the VMware CA, which is the default, you can configure VMware to use a different certificate authority.

If your vCenter server uses a certificate issued by the default VMware CA, download the certificate as follows:

curl -k "https://[SERVER_ADDRESS]/certs/download.zip" > download.zip

where [SERVER_ADDRESS] is the address of your vCenter server.

Install the unzip command and unzip the certificate file:

sudo apt-get install unzip
unzip download.zip

If the unzip command doesn't work the first time, enter the command again.

Find the certificate file in certs/lin.
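
Because the download above uses curl -k, which skips TLS verification, it is worth confirming that the extracted file is a self-signed root and that it verifies the serving certificate saved earlier as vcenter.pem before you set vCenter.caCertPath. The script below is an added example, not part of the original page; the function names and the throwaway certificates it generates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). File names are assumptions.

# Succeeds only if CA_FILE is self-signed (subject hash equals issuer hash)
# and it verifies the first certificate in SERVER_CERT. Any further
# certificates in SERVER_CERT are offered as untrusted intermediates.
ca_verifies_server_cert() {
  ca_file=$1
  server_cert=$2
  subject=$(openssl x509 -in "$ca_file" -noout -subject_hash 2>/dev/null)
  issuer=$(openssl x509 -in "$ca_file" -noout -issuer_hash 2>/dev/null)
  [ -n "$subject" ] && [ "$subject" = "$issuer" ] || return 1
  openssl verify -CAfile "$ca_file" -untrusted "$server_cert" "$server_cert" \
    2>/dev/null | grep -q ': OK$'
}

# Constructed test material: a throwaway root, a serving certificate issued
# by it, and an unrelated root that must NOT verify that certificate.
make_demo_certs() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other Root" \
    -keyout "$dir/other.key" -out "$dir/other-root.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=my-host.my-domain.example" \
    -keyout "$dir/vcenter.key" -out "$dir/vcenter.csr" 2>/dev/null &&
  openssl x509 -req -in "$dir/vcenter.csr" -days 1 -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -out "$dir/vcenter.pem" 2>/dev/null
}

# Demo on the constructed certificates. Real use:
#   ca_verifies_server_cert /path/to/root-cert.pem vcenter.pem
demo_dir=$(mktemp -d) && make_demo_certs "$demo_dir" &&
  ca_verifies_server_cert "$demo_dir/root.pem" "$demo_dir/vcenter.pem" &&
  echo "root verifies the serving certificate"
rm -rf "$demo_dir"
```

This confirms only that the two files are consistent with each other. To establish trust in the root itself, compare the output of `openssl x509 -noout -fingerprint -sha256` for it with a value obtained out of band.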

proxyUrl

String. If the machine you are using to run gkeadm uses a proxy server for access to the internet, set this field to the URL of the proxy server. For example:

proxyUrl: "https://my-proxy.example.local"

adminWorkstation

This section holds information about your admin workstation.

adminWorkstation.name

String. A name for your admin workstation. This field is populated with a generated value. You can keep the generated value or provide a different name of your choice. For example:

adminWorkstation:
  name: "gke-admin-ws-200617-113711"

adminWorkstation.cpus

Integer. The number of virtual CPUs for your admin workstation. For example:

adminWorkstation:
  cpus: 4

adminWorkstation.memoryMB

Integer. The number of megabytes of memory for your admin workstation. For example:

adminWorkstation:
  memoryMB: 8192

adminWorkstation.diskGB

Integer. The size, in gigabytes, of the boot disk for the admin workstation. We recommend at least 50 GB. For example:

adminWorkstation:
  diskGB: 50

adminWorkstation.dataDiskName

String. A name for the persistent disk to be mounted to the home directory. This field is populated with a generated value. You can keep the generated value or provide a name of your choice. Must end with .vmdk. Any directory in the supplied path must be created before deployment. If no value is set for this field, it defaults to:

gke-on-prem-admin-workstation-data-disk/[ADMIN_WORKSTATION_NAME]-data-disk.vmdk

For example:

adminWorkstation:
  dataDiskName: "gke-on-prem-admin-workstation-data-disk/gke-admin-ws-200617-113711-data-disk.vmdk"

adminWorkstation.dataDiskMB

Integer. The size in megabytes of the data disk. If no value is set for this field, it defaults to 512. For example:

adminWorkstation:
  dataDiskMB: 512

adminWorkstation.network.ipAllocationMode

String. If you want your admin workstation to get its IP address from a DHCP server, set this to "dhcp". If you want your admin workstation to have a static IP address of your choice, set this to "static". For example:

adminWorkstation:
  network:
    ipAllocationMode: "static"

adminWorkstation.network.hostConfig

If you set ipAllocationMode to "static", fill in the fields in this section.

If you set ipAllocationMode to "dhcp", remove this section or leave it commented out.

adminWorkstation.network.hostConfig.ip

String. An IP address of your choice for your admin workstation. For example:

adminWorkstation:
  network:
    hostConfig:
      ip: "172.16.5.1"

adminWorkstation.network.hostConfig.gateway

String. The IP address of the default gateway for the network that contains your admin workstation. For example:

adminWorkstation:
  network:
    hostConfig:
      gateway: "172.16.6.254"

adminWorkstation.network.hostConfig.netmask

String. The netmask for the network that contains your admin workstation. For example:

adminWorkstation:
  network:
    hostConfig:
      netmask: "255.255.248.0"

adminWorkstation.network.hostConfig.dns

String array. An array of IP addresses for DNS servers that your admin workstation can use. For example:

adminWorkstation:
  network:
    hostConfig:
      dns:
      - "172.16.255.1"
      - "172.16.255.2"

adminWorkstation.proxyUrl

String. If your network is behind a proxy server, and you want both your admin workstation and your GKE on-prem clusters to use the same proxy server, then set adminWorkstation.proxyUrl to the URL of the proxy server. For example:

adminWorkstation:
  proxyUrl: "http://aw-proxy.example"

adminWorkstation.ntpServer

String. The hostname or IP address of the Network Time Protocol server that your admin workstation should use. For example:

adminWorkstation:
  ntpServer: "216.239.35.0"

If you leave this empty, GKE on-prem uses "ntp.ubuntu.com".

Example of a completed configuration file

Here is an example of a completed admin workstation configuration file:

gcp:
  whitelistedServiceAccountKeyPath: "my-key-folder/whitelisted-key.json"
vCenter:
  credentials:
    address: "203.0.113.1"
    username: "administrator@vsphere.local"
    password: "#STyZ2T#Ko2o"
  datacenter: "MY-DATACENTER"
  datastore: "MY-DATASTORE"
  cluster: "MY-CLUSTER"
  network: "MY-VM-NETWORK"
  resourcePool: "MY-POOL"
  caCertPath: "/usr/local/google/home/me/certs/the-root.cert"
proxyUrl: ""
adminWorkstation:
  name: "my-admin-workstation"
  cpus: 4
  memoryMB: 8192
  diskGB: 50
  dataDiskName: "gke-on-prem-admin-workstation-data-disk/gke-admin-ws-200617-113711-data-disk.vmdk"
  dataDiskMB: 512
  network:
    ipAllocationMode: "static"
    hostConfig:
      ip: "172.16.5.1"
      gateway: "172.16.6.254"
      netmask: "255.255.248.0"
      dns:
      - "172.16.255.1"
      - "172.16.255.2"
  proxyUrl: ""
  ntpServer: "216.239.35.0"