Skip to main content

vSphere Kubernetes shared Virtual Services show 80% health in the AVI dashboard

·5 mins
AVI VMware vExpert LoadBalancer SSL TLS Kubernetes AKO NSX
Photo by Maxim Abramov on Unsplash
It has bugged me for some time that the shared Virtual Services in my lab’s AVI dashboard show a health score of 80%. Whilst it may not affect functionality, or even performance, security is a concern when it comes to IT systems that host data and applications. Which is why I decided to delve into this issue and find out why it exists and how it can be fixed.

My lab is built on VMware vSphere and the Workload Management feature is enabled and uses NSX Advanced Load Balancer (formerly known as “AVI”) to provide the ingress to the applications that are hosted there. AVI, via the AVI Kubernetes Operator (AKO) does a great job of creating configurations for applications that request them. Usually I use Helm charts to deploy and manage those applications.

One thing that has bugged me in the time that I have been using this setup however are the health scores of the shared Virtual Services. They max out at 80% and, as a result, show as yellow in the dashboard instead of green.

Screenshot showing the AVI dashboard with lower than desired health scores.
Figure 1: The AVI dashboard with 80% health scores for the shared Virtual Services.

Ignore the red Virtual Services, they’re red for a reason and not the subject of this post!

Drilling down into the health score for one of these services shows that the issue is related to SSL, and specifically because the trust for the certificate being used cannot be verified.

Screenshot showing the reason that one health score is affected.
Figure 2: The AVI health score for the shared Virtual Service is down at 80% because the SSL chain cannot be verified.

If we look at the configuration of the Virtual Service, we can see that it is using the System-Default-Cert certificate. This was configured by AKO automatically. But the certificate itself was created when AVI was first installed. It is a self-signed certificate.

Screenshot showing the Virtual Service configuration.
Figure 3: The shared Virtual Service is configured to use the System-Default-Cert.

By exporting the System-Default-Cert certificate and popping it into an SSL check tool, we can see that there’s not much to it. I don’t know if there are any specific requirements or constraints on a replacement certificate so I’m going to try and generate one that’s a close match.

Screenshot showing the original certificate's properties.
Figure 4: The original System-Default-Cert certificate is pretty simple.

Great, so how do we fix this? One option would be to manually reconfigure each of the shared Virtual Services to use a CA-signed certificate. However, since AVI (and these Virtual Services specifically) is being controlled by another system, I would expect my efforts to be undone. Another option might be to find out what is controlling these configurations and try to change which certificate it selects. I’m not sure where to start with that. The other option is to replace the System-Default-Cert certificate with a CA-signed one.

This final route is the one that I will follow as it’s supported, even if it isn’t quite as straightforward as I’d like. The process is documented in the product documentation as Renew Default (Self-Signed) Certificates on Avi Load Balancer.

Before attempting this, I downloaded (exported) the existing certificate and private key, just in case!

I won’t just copy and paste the instructions here, but in summary you must:

  1. Follow the instructions in Install the Avi Load Balancer CLI Shell to setup the AVI CLI. If you can get it to work, that is. I encountered issues with the version of urllib3 in Python.
  2. Generate a new certificate. I created one in my HashiCorp Vault CA. The generated certificate has the same common name as the original certificate (“System Default Cert”).
  3. Save the generated certificate and private key to separate text files (e.g. system-default.cer and system-default.key respectively).
  4. Use the CLI to connect to and authenticate with the AVI controller. If you have trouble with the AVI CLI Shell, as I did, you can also use scp to copy the certificate files to the controller and access the CLI on the controller itself via SSH.
  5. Use the documented steps to import the new certificate.
Screenshot showing the generation of a new certificate using Vault.
Figure 5: Generating a new certificate and key pair is very simple with HashiCorp Vault.

With the generated certificate and key uploaded to the AVI controller, I applied the new default certificate using the shell via SSH.

Screenshot showing the application of the certificate via the CLI in SSH.
Figure 6: Applying the newly minted certificate as the ‘System’Default-Cert’.

Via the AVI UI, you can now clearly see that the System-Default-Cert has been replaced with a signed certificate as planned.

Screenshot showing the modified System-Default-Cert visible in the AVI UI.
Figure 7: The ‘System-Default-Cert’ is no longer self-signed.

One final change that needs to be made, is that we need to enable HSTS (HTTP Strict Transport Security) on the System-HTTP Application Profile as this is the profile associated with these shared Virtual Services. HSTS, in case you didn’t know, is a mechanism to tell client browsers that they should automatically interract via SSL/TLS. It’s used to prevent protocol downgrade attacks etc.

Screenshot showing HSTS is enabled in the System-HTTP Application Profile in the AVI UI.
Figure 8: HSTS should be enabled in the ‘System-HTTP’ Application Profile.

Now, before you rush off to check the health of your Virtual Services, be warned that it can take some time for the health score to increase as it’s a score averaged over a period of time. Be patient.

However, as you can see below, the score is going up from 80%. Which is all that my OCD wanted!

Screenshot showing increased health scores in the AVI UI.
Figure 9: The health scores of the shared Virtual Services are rising.

Hope this helps!

Related

Startup plan for vSphere clusters hosting a Kubernetes Supervisor
·5 mins
vSphere VMware vExpert Homelab Kubernetes
A runbook of steps to complete to startup a vSphere cluster that hosts a Kubernetes Supervisor.
Shutdown plan for vSphere clusters hosting a Kubernetes Supervisor
·6 mins
vSphere VMware vExpert Homelab Kubernetes
A runbook of steps to complete to shutdown a vSphere cluster that hosts a Kubernetes Supervisor.
What now?
·2 mins
Personal VMware vExpert
I have been quiet on here for a while. This post explains why, and (more importantly) what’s next! It’s exciting!