Welcome back!!! We are at Part 2 of the blog series on NAPP deployment with an HTTP/HTTPS web proxy. In the previous article, we configured the Artica HTTPS web proxy server and applied the proxy settings on the NSX manager instance. Now let’s move on and deploy the NAPP instance with the web proxy using the NAPP Automation Appliance. If you missed the previous article, please check it out below:
Part 1 : HTTPS Web Proxy Configuration
https://vxplanet.com/2024/08/22/nsx-application-platform-deployment-with-an-http-https-web-proxy-part-1/
Let’s get started:
Deploying NAPP with Proxy configuration
The procedure to deploy NAPP using the NAPP automation appliance is pretty much similar to what we have discussed in our previous articles, except at step 5 where we supply the proxy details.
Let’s login to the NAPP automation appliance UI and start the NAPP deployment workflow.
We will choose the management cluster VxDC01-C01-MGMT and the default vSAN storage policy.
We will supply the details of management, frontend (VIP) and workload networks that we already prepared in Part 1.
NAPP 4.2 supports up to 5 NAPP instances under a single supervisor cluster. For this blog post, let’s choose the number of instances as 1.
Now we will supply the details of the HTTPS web proxy server that we built in Part 1. Since this is an HTTPS proxy, we will download the proxy CA certificate from the proxy server in PEM format and paste it into the form. The NAPP automation appliance will push this configuration to the TKGS guest cluster that it deploys. The workflow will also add the management, frontend and workload networks to the No-Proxy settings on the TKGS guest cluster nodes.
We will supply the NSX manager details, and the workflow proceeds after performing a consistency check between the proxy settings supplied in the form and the settings configured in NSX manager. If there is an inconsistency, the wizard prompts us to fix it before proceeding, as shown below:
Remember, we discussed that NSX 4.2 supports the evaluation form factor, and we will choose it for our deployment.
Let’s proceed and confirm that all the prechecks complete successfully.
The workflow will now configure the management cluster as a supervisor cluster, and deploy the TKGS guest cluster for NAPP. The evaluation form factor will deploy 1 x TKGS control plane node and 1 x TKGS worker node.
We will proceed to NAPP deployment and confirm that the workflow has succeeded.
Let’s login to the NAPP dashboard and make sure that the platform is healthy and we don’t have any open alarms.
Success!!! At this moment, we have a successful NAPP deployment with the HTTPS web proxy.
Verifying the proxy configuration
Let’s SSH to the NAPP automation appliance and review the TKGS cluster specification yaml file in the /opt/napp/ directory. This is the yaml spec used to deploy the TKGS guest cluster, and we see that it has the proxy settings added.
Now let’s SSH to the TKGS guest cluster worker node and confirm that it has the proxy settings applied. The steps to SSH to a TKGS guest cluster are documented at:
https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-with-tanzu-tkg/GUID-D61629B7-DCC0-4FAA-BCED-C67FFF9D1E9D.html
The proxy settings for the TKGS guest cluster are configured at /etc/systemd/system/containerd.service.d/http-proxy.env
Now let’s confirm that we see logs in the Artica Proxy server for the requests from the TKGS nodes.
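A scripted version of this check, as an added example that is not part of the original post or of any VMware tooling. It assumes the drop-in holds `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY` lines in `KEY=value` form; the proxy hostname and networks in the sample are constructed placeholders. The same function can be rerun on a replacement node after a proxy change to catch a stale port or a missing No-Proxy network.

```shell
# Assumption: the drop-in is a systemd EnvironmentFile with KEY=value lines
# (HTTP_PROXY, HTTPS_PROXY, NO_PROXY), optionally quoted.

# get_env_value FILE KEY: print KEY's value (last assignment wins), quotes stripped
get_env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^["'\'']//; s/["'\'']$//'
}

# check_proxy_env FILE EXPECTED_PROXY_URL NETWORK...
# Returns 0 when both proxy variables equal EXPECTED_PROXY_URL and every NETWORK
# is an entry of NO_PROXY; otherwise prints each finding and returns 1.
check_proxy_env() {
    file=$1; expected=$2; shift 2
    rc=0
    for key in HTTP_PROXY HTTPS_PROXY; do
        actual=$(get_env_value "$file" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $key: got '${actual:-<unset>}', want '$expected'"
            rc=1
        fi
    done
    # Wrap the list in commas so each entry can be matched as a whole token
    no_proxy=",$(get_env_value "$file" NO_PROXY | tr -d ' '),"
    for net in "$@"; do
        case "$no_proxy" in
            *",$net,"*) ;;
            *) echo "MISSING NO_PROXY entry: $net"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample file (not captured from a real node)
make_sample() {
    cat > "$1" <<'EOF'
HTTP_PROXY="http://proxy.example.internal:8080"
HTTPS_PROXY="http://proxy.example.internal:8080"
NO_PROXY="localhost,127.0.0.1,192.0.2.0/24,198.51.100.0/24,203.0.113.0/24"
EOF
}

sample=$(mktemp)
make_sample "$sample"
check_proxy_env "$sample" "http://proxy.example.internal:8080" \
    192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 && echo "proxy drop-in OK"
rm -f "$sample"
```

On a real node, pass the path of the drop-in named above, the proxy URL configured in NSX manager, and the management, frontend and workload networks.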
Success!!!
Modifying proxy settings in the deployed NAPP instance
It’s possible that we get requests for modifying proxy settings in the NSX manager and NAPP instance for several reasons like proxy migrations, IP/DNS changes, service account password changes and so on. For example, in our blog post, let’s reconfigure the Artica proxy listener on HTTP port 8080.
We will now update NSX manager with the new proxy settings:
Depending on the number of NAPP instances deployed by the NAPP automation appliance, it’s possible that we might need changes to the proxy settings on one instance or on all instances. Let’s discuss two scenarios:
- Modifying the proxy settings on all instances
The new proxy settings can be supplied in the deployment workflow UI; clicking “Update & Redeploy” will then perform a rolling update on all the TKGS guest clusters for NAPP.
We see that a new TKGS node (control plane and worker) is deployed, existing pods are drained to the new node and the old node is deleted.
Checking the proxy settings on the new TKGS node, we see that the updated values are applied.
- Modifying the proxy settings on a single instance
To update the proxy settings on a single NAPP instance, we need to use the NAPP automation CLI. Locate the TKGS guest cluster deployment spec under /opt/napp/ using the NAPP instance ID (in our case, this is napp-deploy-cluster-vxdc01-yml), update it with the new proxy settings and then apply the spec to the supervisor cluster namespace. This will perform a rolling update of the TKGS cluster for the specific NAPP instance.
Note: Do not use the Automation Appliance UI anymore, as it will overwrite the settings done via the CLI.
Now that’s a wrap!!! Proxy support for NAPP was one of the main enhancements released in NAPP 4.2. Stay tuned for more enhancements yet to come in the upcoming releases.
I hope the blog series was informative. Thanks for reading.
References
NAPP automated deployment using NAPP-AA
NAPP manual deployment with VMware AVI load balancer