Self-Service Namespace Management

You can use the vSphere with Tanzu automation APIs to create a vSphere Namespace with specific resource quotas, set permissions, and assign storage policies. DevOps engineers can then use the namespace as a template for self-provisioning namespaces on the cluster.

Starting with vSphere 7.0 Update 2a, the Namespace Self-Service feature is available in vSphere with Tanzu. The service enables Kubernetes users to create vSphere Namespaces from templates configured through the automation APIs or vSphere Client. To activate the Namespace Self-Service on a cluster, use one of the following options:

Create a self-service namespace template and then activate the Namespace Self-Service on the cluster.
Create or update a self-service namespace template simultaneously with activating the Namespace Self-Service on the cluster.

Currently, only one namespace self-service template is allowed per vSphere Namespace. After a DevOps engineer creates a namespace from the template, the namespace can also be deleted through kubectl. You can verify whether a namespace is created from a template by retrieving the value of the self_service_namespace / getSelfServiceNamespace() flag of the namespace instance information object.

To create a template for a self-service namespace, call the create(java.lang.String cluster, NamespaceTemplatesTypes.CreateSpec spec) method of the NamespaceTemplates interface. You can also use the POST https://<vCenter_server_IP>/api/vcenter/namespaces/namespace-templates/clusters/<cluster_ID> HTTP request. In both cases you must use as parameters the cluster ID and the namespace template create specification.

You define the following configuration settings and resource limitations of the template:

Parameter	Description
template / setTemplate(java.lang.String template)	The identifier of the namespace template must be a unique name across all clusters on the vCenter Server instance. The name must be compliant with DNS.
resource_spec / setResourceSpec(Structure resourceSpec)	The resource quotas, such as CPU and memory, that are reserved for the namespace on the vCenter Server instance. The CPU limit is set in MHz and the minimum value is 10MHz. The memory and storage limits are set in MiB. For more options to configure resource limits for the namespace, see the ResourceQuotaOptionsV1 class in the API Reference documentation.
storage_specs / setStorageSpecs(java.util.List<InstancesTypes.StorageSpec> storageSpecs)	The amount of storage in MiB utilized for each storage policy that you associate with the namespace. You must specify at least one policy.
networks / setNetworks(java.util.List<java.lang.String> networks)	Optional. The networks associated with the namespace. Currently, you can set only one network for the namespace. Pass `null` as argument if the Supervisor Cluster is configured with NSX-T Data Center support. If you pass `null` for a namespace template on a cluster configured with a vSphere networking stack, the namespace is automatically associated with the Supervisor management workload network.
permissions / setPermissions(java.util.List<NamespaceTemplatesTypes.Subject> permissions)	Optional. The permissions that allow DevOps engineers to use the template to self-provision namespaces through kubectl. If set to `null`, only users with the Administrator role can use the template.

Once you have the template created, you can activate the Namespace Self-Service on the cluster. Call the activate(java.lang.String cluster) method of the NamespaceSelfService interface or use the POST https://<vCenter_server_IP>/api/vcenter/namespaces/namespace-self-service/<cluster_ID>?action=activate HTTP request. If you want to restrict DevOps users to use the namespace template on a cluster, you can deactivate the Namespace Self-Service feature. Then users will be able to delete only the namespaces already created from the template.

You can use the activateWithTemplate option provided by the NamespaceSelfService interface. Call the activateWithTemplate(java.lang.String cluster, NamespaceSelfServiceTypes.ActivateTemplateSpec spec) method of the NamespaceSelfService interface or use the POST https://<vCenter_server_IP>/api/vcenter/namespaces/namespace-self-service/<cluster_ID>?action=activateWithTemplate HTTP request. Depending on the availability of a template on the cluster, this method either creates a new namespace template or activates the deactivated service and at the same time updates the existing template.