Merge pull request #28832 from codyhoag/vsphere-winc

OSDOCS-1766 WINC vSphere support

Author: codyhoag

_topic_map.yml

@@ -1632,6 +1632,8 @@ Topics:
     File: creating-windows-machineset-aws
   - Name: Creating a Windows MachineSet object on Azure
     File: creating-windows-machineset-azure
+  - Name: Creating a Windows MachineSet object on vSphere
+    File: creating-windows-machineset-vsphere
 - Name: Scheduling Windows container workloads
   File: scheduling-windows-workloads
 - Name: Windows node upgrades

modules/configuring-hybrid-ovnkubernetes.adoc

@@ -75,11 +75,13 @@ spec: <1>
         hybridClusterNetwork: <4>
         - cidr: 10.132.0.0/14
           hostPrefix: 23
+        hybridOverlayVXLANPort: 9898 <5>
 status: {}
 ----
 <1> The parameters for the `spec` parameter are only an example. Specify your configuration for the Cluster Network Operator in the custom resource.
 <2> Specify the CIDR configuration used when adding nodes.
 <3> Specify `OVNKubernetes` as the Container Network Interface (CNI) cluster network provider.
 <4> Specify the CIDR configuration used for nodes on the additional overlay network. The `hybridClusterNetwork` CIDR cannot overlap with the `clusterNetwork` CIDR.
+<5> Specify a custom VXLAN port for the additional overlay network. This is required for running Windows nodes in a cluster installed on vSphere; the custom port can be any open port excluding the default `4789` port. For more information on this requirement, see the Microsoft documentation on link:https://docs.microsoft.com/en-us/virtualization/windowscontainers/kubernetes/common-problems#pod-to-pod-connectivity-between-hosts-is-broken-on-my-kubernetes-cluster-running-on-vsphere[Pod to pod connectivity between hosts is broken]. 
 
 . Optional: Back up the `<installation_directory>/manifests/cluster-network-03-config.yml` file. The installation program deletes the `manifests/` directory when creating the cluster.

modules/creating-the-vsphere-windows-vm-golden-image.adoc

@@ -0,0 +1,146 @@
+// Module included in the following assemblies:
+//
+// * windows_containers/creating_windows_machinesets/creating-windows-machineset-vsphere.adoc
+
+[id="creating-the-vsphere-windows-vm-golden-image_{context}"]
+= Creating the vSphere Windows VM golden image
+
+Create a vSphere Windows virtual machine (VM) golden image.
+
+.Prerequisites
+
+* You have installed a cluster on vSphere.
+
+.Procedure
+
+. Create the VM from an updated version of the Windows Server 1909 VM image that includes the following link:https://support.microsoft.com/en-us/help/4565351/windows-10-update-kb4565351[Microsoft patch].
+
+. Create the `C:\Users\Administrator.ssh\authorized_keys` file in the Windows VM containing the public key that corresponds to the private key that resides in the secret you created in the `openshift-windows-machine-config-operator` namespace. The private key of the secret was created when first installing the Windows Machine Config Operator (WMCO) to give {product-title} access to Windows VMs. The `authorized_keys` file is used to configure SSH in the Windows VM.
+
+. Configure SSH on the Windows VM by running the following Powershell script:
++
+[source,posh]
+----
+# Powershell script to configure SSH on vSphere Windows VMs
+Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
+$firewallRuleName = "ContainerLogsPort"
+$containerLogsPort = "10250"
+New-NetFirewallRule -DisplayName $firewallRuleName -Direction Inbound -Action Allow -Protocol TCP -LocalPort $containerLogsPort -EdgeTraversalPolicy Allow
+Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
+Install-Module -Force OpenSSHUtils
+Set-Service -Name ssh-agent -StartupType 'Automatic'
+Set-Service -Name sshd -StartupType 'Automatic'
+Start-Service ssh-agent
+Start-Service sshd
+$pubKeyConf = (Get-Content -path C:\ProgramData\ssh\sshd_config) -replace '#PubkeyAuthentication yes','PubkeyAuthentication yes'
+$pubKeyConf | Set-Content -Path C:\ProgramData\ssh\sshd_config
+$passwordConf = (Get-Content -path C:\ProgramData\ssh\sshd_config) -replace '#PasswordAuthentication yes','PasswordAuthentication yes'
+$passwordConf | Set-Content -Path C:\ProgramData\ssh\sshd_config
+$authFileConf = (Get-Content -path C:\ProgramData\ssh\sshd_config) -replace 'AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys','#AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys'
+$authFileConf | Set-Content -Path C:\ProgramData\ssh\sshd_config
+$pubKeyLocationConf = (Get-Content -path C:\ProgramData\ssh\sshd_config) -replace 'Match Group administrators','#Match Group administrators'
+$pubKeyLocationConf | Set-Content -Path C:\ProgramData\ssh\sshd_config
+Restart-Service sshd
+New-item -Path $env:USERPROFILE -Name .ssh -ItemType Directory -force
+----
+
+. Install and configure VMware Tools version 11.0.6 or greater on the Windows VM. See the link:https://docs.vmware.com/en/VMware-Tools/index.html[VMware Tools documentation] for more information.
+
+. After installing VMware Tools on the Windows VM, verify the following:
+.. The `C:\ProgramData\VMware\VMware Tools\tools.conf` file has the following entry:
++
+[source,ini]
+----
+exclude-nics=
+----
++
+This entry ensures the following:
++
+* The cloned vNIC generated on the Windows VM by the hybrid-overlay is not ignored.
+* The VM has an IP address in vCenter.
+
+.. The VMTools Windows service is running.
+
+. Pull all of the required Windows container base images needed for your applications. The images you pull
+are dependent on the Windows kernel you are using. See Microsoft's documentation on link:https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/container-base-images[pulling Windows container base images] for more information.
+
+. Run the link:https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation[Windows Sysprep tool] on the Windows VM:
++
+[source,terminal]
+----
+C:\> sysprep.exe /generalize /oobe /shutdown /unattend:<path_to_unattend.xml>
+----
++
+An example `unattend.xml` is provided, which maintains all the changes needed for the WMCO. For example, the `unattend.xml` file must ensure the Administrator's home directory stays intact with the SSH public key. You must customize the example to fit your needs.
++
+.Example `unattend.xml`
+[%collapsible]
+====
+[source,xml]
+----
+<?xml version="1.0" encoding="UTF-8"?>
+<!--A sample unattend.xml which helps in setting admin password and running scripts on first boot-->
+<unattend xmlns="urn:schemas-microsoft-com:unattend">
+   <settings pass="specialize">
+      <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http:// www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-International-Core" processorArchitecture="am d64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
+         <InputLocale>0409:00000409</InputLocale>
+         <SystemLocale>en-US</SystemLocale>
+         <UILanguage>en-US</UILanguage>
+         <UILanguageFallback>en-US</UILanguageFallback>
+         <UserLocale>en-US</UserLocale>
+      </component>
+      <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
+         <SkipAutoActivation>true</SkipAutoActivation>
+      </component>
+      <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-SQMApi" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
+         <CEIPEnabled>0</CEIPEnabled>
+      </component>
+      <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
+         <ComputerName>windows-host</ComputerName>
+         <ProductKey>My_Product_key</ProductKey>
+      </component>
+   </settings>
+   <settings pass="oobeSystem">
+      <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
+         <AutoLogon>
+            <Password>
+               <Value>MyPassword</Value>
+               <PlainText>true</PlainText>
+            </Password>
+            <Enabled>true</Enabled>
+            <Username>Administrator</Username>
+         </AutoLogon>
+         <OOBE>
+            <HideEULAPage>true</HideEULAPage>
+            <HideLocalAccountScreen>true</HideLocalAccountScreen>
+            <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
+            <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
+            <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE>
+            <NetworkLocation>Work</NetworkLocation>
+            <ProtectYourPC>1</ProtectYourPC>
+            <SkipMachineOOBE>true</SkipMachineOOBE>
+            <SkipUserOOBE>true</SkipUserOOBE>
+         </OOBE>
+         <RegisteredOrganization>Organization</RegisteredOrganization>
+         <RegisteredOwner>Owner</RegisteredOwner>
+         <DisableAutoDaylightTimeSet>false</DisableAutoDaylightTimeSet>
+         <TimeZone>Eastern Standard Time</TimeZone>
+         <UserAccounts>
+            <AdministratorPassword>
+               <Value>MyPassword</Value>
+               <PlainText>true</PlainText>
+            </AdministratorPassword>
+            <LocalAccounts>
+               <LocalAccount wcm:action="add">
+                  <Description>Administrator</Description>
+                  <DisplayName>Administrator</DisplayName>
+                  <Group>Administrators</Group>
+                  <Name>Administrator</Name>
+               </LocalAccount>
+            </LocalAccounts>
+         </UserAccounts>
+      </component>
+   </settings>
+</unattend>
+----
+====

modules/enabling-internal-api-server-vsphere.adoc

@@ -0,0 +1,21 @@
+// Module included in the following assemblies:
+//
+// * windows_containers/creating_windows_machinesets/creating-windows-machineset-vsphere.adoc
+
+[id="enabling-internal-api-server-vsphere_{context}"]
+= Enabling communication with the internal API server for the WMCO on vSphere
+
+The Windows Machine Config Operator (WMCO) downloads the Ignition config files from the internal API server endpoint. You must enable communication with the internal API server so that your Windows virtual machine (VM) can download the Ignition config files, and the kubelet on the configured VM can communicate with the internal API server.
+
+.Prerequisites
+
+* You have installed a cluster on vSphere.
+
+.Procedure
+
+* Add a new DNS entry for `api-int.<cluster_name>.<base_domain>` that points to the external API server URL `api.<cluster_name>.<base_domain>`. This can be a CNAME or an additional A record.
+
+[NOTE]
+====
+The external API endpoint was already created as part of the initial cluster installation on vSphere.
+====

modules/machine-api-overview.adoc

@@ -7,6 +7,7 @@
 // * machine_management/creating_machinesets/creating-machineset-vsphere.adoc
 // * windows_containers/creating_windows_machinesets/creating-windows-machineset-aws.adoc
 // * windows_containers/creating_windows_machinesets/creating-windows-machineset-azure.adoc
+// * windows_containers/creating_windows_machinesets/creating-windows-machineset-vsphere.adoc
 
 [id="machine-api-overview_{context}"]
 = Machine API overview

modules/machineset-creating.adoc

@@ -9,13 +9,17 @@
 // * post_installation_configuration/cluster-tasks.adoc
 // * windows_containers/creating_windows_machinesets/creating-windows-machineset-aws.adoc
 // * windows_containers/creating_windows_machinesets/creating-windows-machineset-azure.adoc
+// * windows_containers/creating_windows_machinesets/creating-windows-machineset-vsphere.adoc
 
 ifeval::["{context}" == "creating-windows-machineset-aws"]
 :win:
 endif::[]
 ifeval::["{context}" == "creating-windows-machineset-azure"]
 :win:
 endif::[]
+ifeval::["{context}" == "creating-windows-machineset-vsphere"]
+:win:
+endif::[]
 
 ifeval::["{context}" == "creating-machineset-vsphere"]
 :vsphere:
@@ -202,3 +206,6 @@ endif::[]
 ifeval::["{context}" == "creating-windows-machineset-azure"]
 :!win:
 endif::[]
+ifeval::["{context}" == "creating-windows-machineset-vsphere"]
+:!win:
+endif::[]

modules/windows-machineset-vsphere.adoc

@@ -0,0 +1,77 @@
+// Module included in the following assemblies:
+//
+// * windows_containers/creating_windows_machinesets/creating-windows-machineset-vsphere.adoc
+
+[id="windows-machineset-vsphere_{context}"]
+= Sample YAML for a Windows MachineSet object on vSphere
+
+This sample YAML defines a Windows `MachineSet` object running on VMware vSphere that the Windows Machine Config Operator (WMCO) can react upon.
+
+[source,yaml]
+----
+apiVersion: machine.openshift.io/v1beta1
+kind: MachineSet
+metadata:
+  labels:
+    machine.openshift.io/cluster-api-cluster: <infrastructure_id> <1>
+  name: <windows_machine_set_name> <2>
+  namespace: openshift-machine-api
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      machine.openshift.io/cluster-api-cluster: <infrastructure_id> <1>
+      machine.openshift.io/cluster-api-machineset: <windows_machine_set_name> <2>
+  template:
+    metadata:
+      labels:
+        machine.openshift.io/cluster-api-cluster: <infrastructure_id> <1>
+        machine.openshift.io/cluster-api-machine-role: worker
+        machine.openshift.io/cluster-api-machine-type: worker
+        machine.openshift.io/cluster-api-machineset: <windows_machine_set_name> <2>
+        machine.openshift.io/os-id: Windows <3>
+    spec:
+      metadata:
+        labels:
+          node-role.kubernetes.io/worker: "" <4>
+      providerSpec:
+        value:
+          apiVersion: vsphereprovider.openshift.io/v1beta1
+          credentialsSecret:
+            name: vsphere-cloud-credentials
+          diskGiB: 128
+          kind: VSphereMachineProviderSpec
+          memoryMiB: 16384
+          network:
+            devices:
+            - networkName: "<vm_network_name>" <5>
+          numCPUs: 4
+          numCoresPerSocket: 1
+          snapshot: ""
+          template: <windows_vm_template_name> <6>
+          userDataSecret:
+            name: windows-user-data <7>
+          workspace:
+             datacenter: <vcenter_datacenter_name> <8>
+             datastore: <vcenter_datastore_name> <9>
+             folder: <vcenter_vm_folder_path> <10>
+             resourcePool: <vsphere_resource_pool> <11>
+             server: <vcenter_server_ip> <12>
+----
+<1> Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. You can obtain the infrastructure ID by running the following command:
++
+[source,terminal]
+----
+$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster
+----
+<2> Specify the Windows machine set name. The machine set name cannot be more than 9 characters long, due to the way machine names are generated in vSphere.
+<3> Configure the machine set as a Windows machine.
+<4> Configure the Windows node as a compute machine.
+<5> Specify the vSphere VM network to deploy the machine set to.
+<6> Specify the full path of the Windows vSphere VM template to use, such as `/Datacenter/vm/ocp4-llplx/windows-golden-image`. The name must be unique.
+<7> The `windows-user-data` is created by the WMCO when the first Windows machine is configured. After that, the `windows-user-data` is available for all subsequent machine sets to consume.
+<8> Specify the vCenter Datacenter to deploy the machine set on.
+<9> Specify the vCenter Datastore to deploy the machine set on.
+<10> Specify the path to the vSphere VM folder in vCenter, such as `/dc1/vm/user-inst-5ddjd`.
+<11> Optional: Specify the vSphere resource pool for your Windows VMs.
+<12> Specify the vCenter server IP or fully qualified domain name.

windows_containers/creating_windows_machinesets/creating-windows-machineset-vsphere.adoc

@@ -0,0 +1,36 @@
+[id="creating-windows-machineset-vsphere"]
+= Creating a Windows MachineSet object on vSphere
+include::modules/common-attributes.adoc[]
+:context: creating-windows-machineset-vsphere
+
+toc::[]
+
+You can create a Windows `MachineSet` object to serve a specific purpose in your {product-title} cluster on VMware vSphere. For example, you might create infrastructure Windows machine sets and related machines so that you can move supporting Windows workloads to the new Windows machines.
+
+[discrete]
+== Prerequisites
+
+* You installed the Windows Machine Config Operator (WMCO) using Operator Lifecycle Manager (OLM).
+* You are using a supported Windows Server as the operating system image with the Docker-formatted container runtime add-on enabled.
+
+[IMPORTANT]
+====
+Currently, the Docker-formatted container runtime is used in Windows nodes. Kubernetes is deprecating Docker as a container runtime; you can reference the Kubernetes documentation for more information on link:https://kubernetes.io/blog/2020/12/02/dont-panic-kubernetes-and-docker/[Docker deprecation]. Containerd will be the new supported container runtime for Windows nodes in a future release of Kubernetes.
+====
+
+include::modules/machine-api-overview.adoc[leveloffset=+1]
+
+[id="preparing-vsphere-for-windows-containers"]
+== Preparing your vSphere environment for Windows container workloads
+
+You must prepare your vSphere environment for Windows container workloads by creating the vSphere Windows VM golden image and enabling communication with the internal API server for the WMCO.
+
+include::modules/creating-the-vsphere-windows-vm-golden-image.adoc[leveloffset=+2]
+include::modules/enabling-internal-api-server-vsphere.adoc[leveloffset=+2]
+
+include::modules/windows-machineset-vsphere.adoc[leveloffset=+1]
+include::modules/machineset-creating.adoc[leveloffset=+1]
+
+== Additional resources
+
+* For more information on managing machine sets, see the _Machine management_ section.

windows_containers/understanding-windows-container-workloads.adoc

@@ -11,7 +11,7 @@ Windows container workloads are supported for clusters running on the following
 
 * Amazon Web Services (AWS)
 * Microsoft Azure
-//* VMware vSphere
+* VMware vSphere
 
 The following Windows Server operating systems are supported for {product-title} {product-version}: