The Pure Storage Plugin for the vSphere Client (which will be shortened in this article to the vSphere Plugin) provides the ability to VMware users to have insight into and control of their Pure Storage FlashArray environment while directly logged into the vSphere Client. The Pure Storage plugin extends the vSphere Client interface to include environmental statistics and objects that underpin the VMware objects in use and to provision new resources as needed.
In order to use the plugin, it must be authenticated with the FlashArray(s) in-use in the vSphere environment. It is only necessary to authenticate the FlashArrays you would like to have insight to and/or manage. Each FlashArray must be individually authenticated though the same credentials can be used repeatedly if they are valid for more than one array.
Additionally, the vSphere Plugin can be authenticated with the Pure1 REST API. This is required for Pure1-related features in the plugin and can help assist in mass-registration of FlashArrays with the plugin. No provisioning workflows are blocked when Pure1 is not authenticated, though intelligent provisioning and other insights are disabled.
To authenticate a Pure1 connection the following is required:
- TCP Port 443 access to pure1.purestorage.com from vCenter
- No network access is required from ESXi
- Currently if a proxy is required to route to an external network, Pure1 connectivity is not supported.
To authenticate a FlashArray connection the following is required:
- TCP Port 443 access to the virtual IP address (this can be virtual IP address 0 or 1) of the target FlashArray from vCenter
- No network access is required from ESXi
Authenticating a Pure1 Connection
Authentication of the plugin with Pure1 is recommended, but not required. Authenticating Pure1 with the vSphere plugin allow for further insights and provisioning assistance, as well as mass-FlashArray authentication and, likely, in the future more features. So for these reasons, authentication is recommended.
Authentication is a significantly different than the standard "username and password"-based authentication to provide a more secure authentication mechanism to a public REST API endpoint (Pure1). Instead of asking for a username or password, Pure1 asks for what is called a JWT (a JSON Web Token) which is a fancy term for authentication information that has been partially encrypted using a RSA 256 private key. Pure1 has the public key which allows for the token to be decrypted which is then used to create a session token.
There is a variety of ways to do this, and the list below is not exhaustive. The overall process is as follows:
- Create a public/private key pair
- Add the public key to Pure1
- Copy the application ID
- Generate a JWT with the application ID and your private key
- Paste the JWT into the vSphere Client
First ensure that you have at least the 126.96.36.199 release of the Pure1 PowerShell Module installed. Instructions to install PowerShell on Linux/MacOS here.
For PowerShell-based management, there is a PowerShell Gallery hosted module called PureStorage.Pure1. For more information (or to open bugs or feature requests) on the PowerShell Module, see here:
Create a new key pair and enter a password when prompted.
Then retrieve the public key (enter the private key password):
Now copy that key:
Public/private keys can come in the form of certificate in Windows-based systems. The simplest way to create a key pair is through the creation of a self-signed local certificate. This can be achieved through the Pure1 PowerShell module available through the PowerShell Gallery.
To install the module, open PowerShell and install the module from the PowerShell gallery:
Next create a new certificate and return the public key:
New-PureOneCertificate | Get-PureOnePublicKey
Copy the entire key, including the dashes and BEGIN PUBLIC KEY and END PUBLIC KEY:
Add the Public Key to Pure1
Once you have a public key, it needs to be entered into the Pure1 web site to create an application ID. Login to pure1.purestorage.com as an admin. If you do not see the Administration section on the left-hand side, you are not logged in as an administrative user. If you are not, find your Pure1 admin and have them generate the token. If you do not know your admin, reach out to Pure Storage support.
Click on API Registrations the Register Application:
Give the application a descriptive name and paste in the public key. This must start with -----BEGIN PUBLIC KEY----- and end with -----END PUBLIC KEY-----. You may specify either the admin role or read only. As of the 4.3.x release of the vSphere Plugin, there is no need for administrative API access.
Click Upload to finish the process. Find the application ID and copy it, or have the admin provide it to you. It will start with pure1:apikey:
Generating a JWT
Once you have an application ID you can create the JWT. A JWT can be generated in a myriad of ways below are the methods using Python or PowerShell
Generating a JWT with Python
The JWT can be generated with Python using the linked code snipped from GitHub:
Upload this script to a host that has Python installed. You can optionally directly download the script via:
curl https://gist.githubusercontent.com/codyhosterman/697ebfd72c4f7f7276afc3b74e3b5e40/raw/fce3ec83467344dd4192e831cf53694e0bfc8f21/pure1_token_factory.py >> pure1_token_factory.py
Then install the requirements via pip, if pip is not installed, run:
sudo apt install python3-pip
Install the requirements (which are saved in a hosted requirements file):
pip3 install -r https://pure1-scripting.s3-us-west-1.amazonaws.com/requirements.txt
If you cannot download the requirements file, create it manually:
Then place the requirement.txt file with following contents:
PyJWT paramiko>=2.7.1 requests cryptography six
Then install the requirements:
pip3 install -r requirements.txt
Now pass in the private key (find your .pem file) to the script and application ID:
sudo python3 ./pure1_token_factory.py pure1:apikey:iRT5OwhslZVLWNGG private.pem
This will return the JWT. Copy the whole JWT.
Generating a JWT with PowerShell
Once you have your application ID, take your previously created private key, pass both into the New-PureOneJWT command. Enter the private key password in the operation or interactively (as shown below):
New-PureOneJwt -pureAppID pure1:apikey:aebVzb4k3Gq7oQE7
Once you have your application ID, pass it into the New-PureOneJWT command:
Adding a JWT to the vSphere Client
Login to the vSphere Client, click on the top menu and choose Pure Storage.
Click on the Authenticate with Pure1 button in the top right corner:
Paste in the JWT into the box that appears:
Click Authenticate. This will authenticate into Pure1. You will then be able to see Pure1 features in the plugin, like tag display and the load meter chart:
Editing a Pure1 Connection
There is no difference to creating a new Pure1 connection and editing one. If you would like to change the JWT being used, follow the same process. The only minor difference is that the Authenticate with Pure1 button will now say Connected with Pure1. Click on that to upload a new JWT.
Removing a Pure1 Connection
There is no method to remove a specific JWT in the vSphere Plugin today. Though you can de-authenticate the public key that pairs with the private key used to generate it.
Login to Pure1.purestorage.com and click on API registration. Find the application you wish to de-authenticate.
Navigate to the far right and click on the trashcan icon:
Confirm the deletion. This will de-authenticate any integration using the correlated private key from authenticating (or any JWT that has been derived from it).
Authenticating a FlashArray Connection
One or more FlashArrays can be added to the vSphere Plugin.
Adding a FlashArray Manually
To add a single FlashArray, login to the vSphere Client and click on the Menu drop-down and choose Pure Storage.
Click on the +Add button shown under the Pure Storage icon.
Choose Add a Single Array:
- Array name. This does not have to be the actual FlashArray's domain name, but it is recommended. This name is not verified--but should be descriptive either way.
- Array URL. In the form of an IP address or fully-qualified domain name representing a FlashArray virtual address. FQDN is always preferred.
- Username. A username of either a local user or a directory attached user.
- Password. The corresponding password of selected user.
The virtual address can be verified from the array on Settings > Network > Subnets & Interfaces:
FQDN can be verified with nslookup or similar tools:
Adding One or More FlashArrays through Pure1
For environments with many FlashArrays, or environments where you may not know the addresses of all FlashArray, an administrator can leverage the Pure1 Connection to register a fleet of FlashArrays at once.
Go to the Pure Storage Plugin home screen and click Add.
Click on the Import Arrays from Pure1 tab. The plugin will reach out to Pure1 and retrieve all FlashArray and Cloud Block Store arrays registered in the target Pure1 organization. The plugin will then:
- Pull all of the FlashArray or Cloud Block Storage VIR0 (virtual IP 0) addresses and the array names from the Pure1 REST API
- Attempt a DNS lookup for the FQDN. If there is no address found the IP will be used for the URL, if one is found it will use the FQDN
- Test network connectivity to the discovered FQDNs or IPs. If an array is not available on the network it will not be filtered out, but will be marked as offline.
- Filter arrays out that are already authenticated in the plugin
You then have the option to individually add credentials for each array or if they all share the same credentials, select the Use the same credentials for all arrays box. If that is selected you only have to enter in the credentials for the first array.
If you an array is marked with the following icon:
It means the array address is not reachable from vCenter.
Once you have added credentials, select the arrays that you would like to authenticate.
Note that if you choose the top "select all" box in the upper left of the table:
It will only select all of the arrays on that particular page. You must click the next arrow and repeat to authenticate all discovered arrays. This ensures that the user confirms and verifies all selected arrays before completion.
When you have selected all of the desired arrays, click Add in the lower right hand corner.
The plugin will attempt to authenticate all arrays and will report all of the arrays that succeeded and any that failed:
If there are arrays with errors, hover over the information tooltip (circle with an exclamation mark) for more information.
Click Done with finished.
Editing a FlashArray Connection
To edit a FlashArray connection, select the connection and click Edit.
From here, you can alter the alias, the URL, the username, and/or the password. Enter your change(s) and click Submit. To make ANY change you do need to re-enter the username and password--this can be the existing credentials or new ones.
In the above case the array name (alias) was changed, and the existing credentials were re-used:
Removing a FlashArray Connection
To remove a FlashArray Connection, select the desired connection and click the Remove button:
Confirm the removal of the connection:
No existing storage will be affected, but the FlashArray represented by that connection can no longer be managed within the plugin unless it is re-authenticated.
Click Remove to complete the process.
User Accounts and Privileges
In order to authenticate either Pure1 or one or more FlashArrays to the vSphere Plugin certain vCenter privileges are required. In order to authenticate to Pure1 or a FlashArray specific privileges are required for the access accounts. These requirements are documented below.
Required vCenter Privileges
In order to add a FlashArray connection into the vSphere Plugin, the logged in user adding the connection must be assigned a role with the following privileges:
- Global > 'Manage Custom Attributes'
- Global > 'Set Custom Attribute'
Note this is just the privileges required for authenticating a FlashArray or Pure1 connection--this does not fulfill the requirements to use the plugin fully. Please refer to the individual feature documentation for required vCenter permissions.
Required Pure1 Privileges
When you authenticate with the Pure1 REST API it is not username/password-based, as described above. The JWT used to authenticate the plugin can be created from a private key that has an associated public key with either admin or read-only permissions. There are currently no features in the vSphere Plugin that requires administrative access to the Pure1 REST API. This may change in the future as more active control is added into Pure1.
Required FlashArray Privileges
In order to enable the use of a FlashArray in the VMware environment, vSphere administrators must authenticate the vSphere Plugin with the desired FlashArray(s). Users can choose to create local FlashArray users or use LDAP-connected users. It is recommended to provision a specific account for plugin access to the FlashArray (sometimes referred to as a system account) that doesn't necessarily reflect a specific person, but either a group or a use (username: vSpherePlugin for instance).
For the process to create a new local account on the FlashArray, please refer the the FlashArray user guide for your respective version of Purity:
The vSphere Plugin supports a few permission levels for the registered user:
- Array Admin--this will provide the logged in users with access to all of the advertised features in the plugin. This is a supported level, but not recommended. This elevated permission set is not needed by the plugin.
- Storage Admin--this is the recommend level of permissions. Storage admin level of permissions provides users of the vSphere Plugin with all required permissions.
- Read Only--if you want end-users to be able to view information about their storage environment (performance, data reduction, snapshots, capacity information, etc) you may provision a read only user account. This will block the ability to make any storage changes (change, add, remove, storage resources) with the plugin on the array(s) authenticated with this level of role.
Currently, all logged in users of the vSphere Client will share the same permissions of a given FlashArray or Pure1--in other words--once you authenticate a FlashArray in the vSphere Plugin, all authenticated users in vSphere will share that authentication. All operations executed in the plugin against a FlashArray will appear as the same authenticated user account in the FlashArray audit trail.
As an example, if a FlashArray is added with the username of "vsphereplugin":
Then user email@example.com logs in:
And creates a VMFS snapshot:
|1) Clicks Create Snapshot button||2) Calls the snapshot newSnapcody|
We see in the audit trail on the FlashArray:
The user is vsphereplugin.
Then user firstname.lastname@example.org logs in:
And creates a VMFS snapshot:
|1) Clicks Create Snapshot button||2) Calls the snapshot newSnapjanice|
We see in the audit trail on the FlashArray:
The user is also vsphereplugin. Since all users share the same authentication it is recommended to not authenticate with an account that is assigned to a certain person, but instead a group or application account.