Wednesday Tidbit: Enable Basic Auth in NSX-ALB (Avi) to enable Tanzu Kubernetes Grid

For a while now I’ve been a big fan of VMware’s Tanzu Kubernetes Grid Integrated, formally Pivotal’s Kubernetes Service. However whilst great in the beginning, newer technologies such as Cluster API have overtaken things like Bosh.

Whilst it could be frustratingly difficult to setup, VMware made serioues efforts to simplify this with solutions such as the Management Console. However after recently struggling with this and trying to create NSX-T Principal Identity certificates during setup, I decided it was time to walk away and go “all in” with TKG.

Tanzu Kubernetes Grid

After the initial fiddly bits (in my case, getting Docker to work nicely on Ubuntu), firing up the management cluster using the UI was trivially easy.

I first opted for using kube-vip as my control plane endpoint provider. After a sucessful installation, I decided I wanted to use NSX Advanced Load Balancer (formaly known as Avi Vantage) for my load-balancer.

I re-ran the installation, entered in the NSX ALB credentials, verified it saw my cloud and networks, and continued on.

However, it didn’t matter how many times I tried to perform the installation, it would always fail without even creating the control plane VMs. The logs were lacking in clarity as to the cause.


After pouring over the initial documentation at, it appears VMware have missed a critical step.

To enable the TKG installer to install and configure an endpoint provider in NSX ALB, Basic Authentcation needs to be enabled.

To do this, in ALB click on the Administration tab, then expand Settings, and click Access Settings. Click the pencil icon on the right and then check the box for Allow Basic Authentication:

Makes all the difference

Frustrating I only found this out while reading Cormac Hogan‘s blog, so kudos to him.

Wednesday Tidbit: Ensure you add Perl to your Linux Templates for vRealize Automation 8.x

Recently I deployed a new vRealize Automation environment into HobbitCloud using vRealize Suite Lifecycle Manager. The Day 2 configuration was done using Ansible, and configured items such as the Cloud Zones, Projects, Image Mappings etc.

As with all my desktop and server images, I had automated the build of my CentOS 8 image using HashiCorp Packer and GitLab by simply committing the latest ISO to my repository.

My Cloud Templates were also stored in source control (also my on-premises GitLab environment), so once Ansible had configured the integration the started to sync. However when I came to deploy a CentOS-based workload to one of my compute workload domains, it failed as it was unable to get an IP address.


For open-vm-tools to be able to get a IP address from a vRealize Automation network profile, you need to ensure Perl is installed in the base image.

Wednesday Tidbit: Automate VMware OSOT for your VDI Images

The other day I tweeted a short bit of code on how to automate the zeroing-out of your VDI images using SDelete:

I got quite a few DMs afterwards asking if it was possible to do the same with VMware’s OS Optimization Tool.

So without further ado, here’s the code I use as the last step in my Packer builds before closing them down for svMotioning:

$ErrorActionPreference = "Stop"
$webserver = "webserver.contoso.local"
$url = "http://" + $webserver
$files = @("VMwareOSOptimizationTool.exe","VMwareOSOptimizationTool.exe.config","my_osot.xml")
$exe = $files[0]
$arg = "-o -t " + $files[2]
# Verify connectivity
if (Test-Connection $webserver Quiet){
# Get the OSOT files
ForEach ($file in $files)
Invoke-WebRequest Uri ($url + "/" + $file) OutFile $env:TEMP\$file
} else {
throw "No connection to server. Aborting."
# Change to temp folder
Set-Location $env:TEMP
# Run OSOT
Start-Process $exe ArgumentList $arg Passthru Wait ErrorAction stop
Write-Error "Failed to run OSOT"
Write-Error $_.Exception
Exit -1
# Delete files
ForEach ($file in $files)
Remove-Item Path $env:TEMP\$file Confirm:$false

view raw


hosted with ❤ by GitHub

Please remember to swap out your web server and to specify your own XML file. You could also YOLO it and use one of the built-in templates…

Bill OReilly Well Do It Live GIF - BillOReilly WellDoItLive Mad GIFs

…but don’t be surprised when you cripple half your apps 🙂

Wednesday Tidbit: PowerShell’s Import-PFXCertificate Removes the Private Key

I’ve been working on a complex automation solution recently in lab, and one task was to import a certificate to be used by VMware Horizon.

Those familiar with Horizon will know that any certificate used will need to have its corresponding private key which will also need to be exportable. The certificate also needs to have a friendly name of “vdm”. Continue reading

Wednesday Tidbit: Cycling through XML in vRealize Orchestrator

A few months ago a client asked me to create an NSX application load-balancer programmatically, and then make it available to their vRealize Automation consumers in through the self-service catalog. In building-block fashion, they requested that this wasn’t a composite blueprint, but rather through XaaS. While the former would definitely take less time, the latter was not that difficult either once I got started. Continue reading