DSM API Guide for VCF Automation Provider Administrator


Overview

As a Provider Administrator, you are responsible for configuring the DSM infrastructure that tenant organizations consume. This includes creating SQL Server clusters, defining Active Directory domains, and creating Data Service Policies that govern what resources tenant users can access.

For the full API reference, see the DSM Kubernetes API.

Prerequisites

Before configuring DSM in VCF Automation, the Provider Administrator must complete these steps:

  1. Connect DSM appliance(s) to the VCF Automation managed region(s)

  2. Install DSM Consumption Operator Supervisor Service to the regional Supervisor(s) in vCenter

  3. (Optional) Create a VCF Automation organization named DataServiceProvider, add region quota to it, create project namespaces within it, and then manually create Supervisor Infrastructure Policies via the DSM vSphere Client plug-in in vCenter. This is a one-time operation at the global level. This organization is dedicated to Provider Administrators, who use it to manage regional infrastructure for data service consumption. Customer tenants share regional infrastructure from this organization.

For more information on configuring VMware Data Services Manager in VCF Automation, see Using VMware Data Services Manager with VMware Cloud Foundation Automation as a Provider.

Provider Administrator Capabilities

A VCF Automation Provider Administrator can perform the following operations:

  • Create, retrieve, update, delete (namespaced in dsm-system): SQLServerCluster, ActiveDirectoryDomain, DataServicePolicy

  • Retrieve (namespaced in dsm-system): BackupLocation

  • Retrieve (non-namespaced): DataServiceVersion, InfrastructurePolicy, SupervisorInfrastructurePolicy

Authentication

DSM Kubernetes APIs require a VCF Automation access token for authentication. For details on obtaining tokens (including via SSO or your organization’s identity provider), refer to the VCF Automation documentation.

The following example uses the VCF Automation Provider Login API to authenticate as the system administrator. The credentials are encoded as username@system:password in Base64 and passed in the Authorization header.

Property         Value

Method & Path    POST https://{vcfa_host}/cloudapi/1.0.0/sessions/provider

Headers          Accept: application/json;version={api_version}
                 Authorization: Basic {base64(username@system:password)}

Note: Replace {api_version} with the supported API version. For details, see VCF Automation OpenAPI Principles.

Extract the access token from the response header x-vmware-vcloud-access-token.

Note: The access token is short-lived. If it has expired, the server responds with a 401 Unauthorized error. Re-authenticate to obtain a fresh token.
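As an added example (not part of the VCF Automation documentation), the login flow described above using only Python's standard library: build the Basic header, read the token from x-vmware-vcloud-access-token, and re-authenticate once when a call returns 401. The function names are hypothetical; host, user name, password and API version are supplied by the caller.

```python
import base64
import urllib.error
import urllib.request

TOKEN_HEADER = "x-vmware-vcloud-access-token"  # response header named on this page


def build_login_request(vcfa_host, username, password, api_version):
    """Provider Login request; Basic credentials are username@system:password."""
    creds = f"{username}@system:{password}".encode("utf-8")
    return urllib.request.Request(
        f"https://{vcfa_host}/cloudapi/1.0.0/sessions/provider",
        method="POST",
        headers={
            "Accept": f"application/json;version={api_version}",
            "Authorization": "Basic " + base64.b64encode(creds).decode("ascii"),
        },
    )


def extract_token(headers):
    """Return the access token from the login response headers (any case)."""
    for name, value in headers.items():
        if name.lower() == TOKEN_HEADER and value.strip():
            return value.strip()
    raise ValueError(f"login response carries no {TOKEN_HEADER} header")


def call_with_reauth(login, make_request, send=urllib.request.urlopen):
    """Send a request built from a fresh token; on 401 log in again, retry once."""
    try:
        return send(make_request(login()))
    except urllib.error.HTTPError as err:
        if err.code != 401:  # only an expired or rejected token is retried
            raise
    return send(make_request(login()))


def login_with(vcfa_host, username, password, api_version):
    """Return a login() callable; urlopen verifies the server certificate by default."""
    def login():
        req = build_login_request(vcfa_host, username, password, api_version)
        with urllib.request.urlopen(req) as resp:
            return extract_token(resp.headers)
    return login
```

Read the password with getpass.getpass() or from a secret store rather than a literal, and keep the Authorization header out of logs: Base64 is an encoding, not encryption.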

Configure DSM API Client

VCF Automation Data Service exposes a proxy that gives provider administrators access to DSM Kubernetes APIs. The proxy endpoint URL follows this pattern:

https://{vcfa_host}/proxy/external-endpoint/api/dsm/regions/{region_name}

Option 1: kubectl with kubeconfig

Construct a kubeconfig file using the VCF Automation access token and the DSM proxy endpoint URL:

apiVersion: v1
kind: Config
clusters:
- cluster:
    server: https://{vcfa_host}/proxy/external-endpoint/api/dsm/regions/{region_name}
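    # Disables server certificate verification. Outside a lab, remove this line
    # and set certificate-authority or certificate-authority-data to the CA
    # that issued the VCF Automation certificate.
    insecure-skip-tls-verify: true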
  name: vcfa-dsm
contexts:
- context:
    cluster: vcfa-dsm
    user: vcfa-user
    namespace: dsm-system
  name: vcfa-dsm
current-context: vcfa-dsm
users:
- name: vcfa-user
  user:
    # Bearer token in clear text: keep this file readable only by its owner.
    token: {vcfa_access_token}

Use kubectl (the Kubernetes command-line tool) to verify that the kubeconfig is correctly configured. The following command lists Data Service Policies, SQL Server Clusters, and Backup Locations in the dsm-system namespace:

export KUBECONFIG=vcfa-admin-kubeconfig.yaml
kubectl get dataservicepolicy,sqlservercluster,backuplocation -n dsm-system

Option 2: Direct REST API

The VCF Automation Proxy API can also be used to manage DSM resources directly. The DSM Kubernetes API is accessed through the proxy URL pattern shown above.

The following example lists all DataServicePolicy resources in the dsm-system namespace — equivalent to running kubectl get dataservicepolicy -n dsm-system. You can similarly substitute other resource types and namespaces to retrieve other DSM resources.

List DataServicePolicies (example)

Property           Value

Method & Path      GET https://{vcfa_host}/proxy/external-endpoint/api/dsm/regions/{region_name}/apis/infrastructure.dataservices.vmware.com/v1alpha1/namespaces/dsm-system/dataservicepolicies

Headers            Authorization: Bearer {vcfa_access_token}

Path Parameters    vcfa_host — VCF Automation hostname
                   region_name — DSM enabled region name

DSM System Resources

Provider administrators manage the following resource types. Full field specifications are available on the DSM Kubernetes API.

Namespaced in dsm-system:

  • SQLServerCluster — SQL Server cluster

  • DataServicePolicy — policies that control what tenant namespaces can provision

  • ActiveDirectoryDomain — Active Directory configurations for SQL Server authentication

  • BackupLocation — backup storage configurations (retrieve only)

Non-namespaced:

  • DataServiceVersion — available DSM database versions

  • InfrastructurePolicy — common infrastructure policies

  • SupervisorInfrastructurePolicy — infrastructure policies sourced from the Supervisor

API Samples

Create SQL Server Cluster

Before creating a SQL Server cluster, identify the expected InfrastructurePolicy or SupervisorInfrastructurePolicy (non-namespaced) for compute placement, and the DataServiceVersion (non-namespaced) entries for supported SQL Server versions.

To provision a SQLServerCluster resource, please refer to the API samples provided in the API Samples documentation.

To provision an ActiveDirectoryDomain resource, please refer to the API samples provided in the API Samples documentation.

Create Data Service Policy

A DataServicePolicy defines what resources a tenant namespace can use.

For the full DataServicePolicy field reference, see the DSM Kubernetes API.

The matchCriteria field scopes a DataServicePolicy to specific tenant organizations using the VCF Automation organization ID. The following example uses the VCF Automation Orgs API to look up that ID by organization display name.

Query Orgs (example)

Property            Value

Method & Path       GET https://{vcfa_host}/cloudapi/1.0.0/orgs

Headers             Accept: application/json;version={api_version};multisite=global
                    Authorization: Bearer {vcfa_access_token}

Query Parameters    filter — FIQL filter expression, e.g. displayName==*{org_name}*

Note: Replace {api_version} with the supported API version. For details, see VCF Automation OpenAPI Principles.

Success Response (200 OK):

{
  "resultTotal": 1,
  "values": [
    {
      "id": "urn:vcloud:org:da260cd4-25c2-4687-bfaf-3c1035564abf",
      "name": "my-org",
      "displayName": "My Organization",
      "isEnabled": true
    }
  ]
}

Use the id value from the response as the value in matchCriteria.
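The filter displayName==*{org_name}* is a substring match, so the query can return more than one organization, and the id you copy decides which tenant the policy is scoped to. The following added example (not from the VCF Automation documentation) accepts an id only when exactly one result has the exact display name. The function names and the second organization record are constructed, and the id pattern is an assumption inferred from the sample response above.

```python
import json
import re
import urllib.parse

# Assumption: ids look like the sample response on this page (urn:vcloud:org:<UUID>).
ORG_URN = re.compile(r"urn:vcloud:org:[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample: the page's record plus a second org the wildcard also matches.
SAMPLE_RESPONSE = """{
  "resultTotal": 2,
  "values": [
    {"id": "urn:vcloud:org:da260cd4-25c2-4687-bfaf-3c1035564abf",
     "name": "my-org", "displayName": "My Organization", "isEnabled": true},
    {"id": "urn:vcloud:org:00000000-0000-4000-8000-000000000001",
     "name": "my-org-sandbox", "displayName": "My Organization Sandbox", "isEnabled": true}
  ]
}"""


def orgs_query_url(vcfa_host, org_name):
    """Orgs query URL with the filter displayName==*{org_name}*, percent-encoded."""
    if re.search(r"[;,()*=!<>]", org_name):
        # FIQL operators inside the name would change the filter; the page gives
        # no escaping rule, so such names are refused here (assumption).
        raise ValueError(f"org name contains FIQL syntax: {org_name!r}")
    query = urllib.parse.urlencode(
        {"filter": f"displayName==*{org_name}*"}, quote_via=urllib.parse.quote)
    return f"https://{vcfa_host}/cloudapi/1.0.0/orgs?{query}"


def resolve_org_id(response_body, display_name):
    """Return the id of the single org whose displayName equals display_name."""
    values = json.loads(response_body).get("values", [])
    exact = [org for org in values if org.get("displayName") == display_name]
    if len(exact) != 1:
        raise LookupError(
            f"{len(exact)} exact matches for {display_name!r} in {len(values)} results")
    org_id = exact[0].get("id", "")
    if not ORG_URN.fullmatch(org_id):
        raise ValueError(f"unexpected organization id: {org_id!r}")
    return org_id
```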

To provision a DataServicePolicy resource, please refer to the API samples provided in the API Samples documentation.

Note: All DataServicePolicy resources created for VCF Automation must include the label dsm.vmware.com/created-in: vcfa. This label identifies the policy as VCF Automation-managed and is required for proper integration.

Note: The matchCriteria must use the key vcfa.vmware.com/org with the organization ID as the value. This ensures the policy is applied only to namespaces belonging to the specified organization.