I have the same setup with AVI as LB.
Contour does need certmanager, but I think it's getting the cert from the certmanager in Supervisor.
Getting a similar msg:
root@423625c20ed0f98c5cd2af175161d3ca [ ~ ]# k logs -n svc-contour-domain-c10 contour-6c48758f7d-gvdx7 contour
time="2024-11-22T14:02:58Z" level=info msg="maxprocs: Leaving GOMAXPROCS=1: CPU quota undefined"
time="2024-11-22T14:02:58Z" level=info msg="args: [serve --incluster --xds-address=0.0.0.0 --xds-port=8001 --stats-address=0.0.0.0 --http-address=0.0.0.0 --envoy-service-http-address=0.0.0.0 --envoy-service-https-address=0.0.0.0 --health-address=0.0.0.0 --contour-cafile=/certs/ca.crt --contour-cert-file=/certs/tls.crt --contour-key-file=/certs/tls.key --config-path=/config/contour.yaml]"
time="2024-11-22T14:03:08Z" level=fatal msg="unable to initialize Server dependencies required to start Contour" error="unable to set up controller manager: failed to determine if *v1.Secret is namespaced: failed to get restmapping: failed to get server groups: Get \"https://10.96.0.1:443/api\": net/http: TLS handshake timeout"
k get pods gives CrashLoopBackOff

k describe po -n svc-contour-domain-c10 contour-6c48758f7d-gvdx7

The certmanager is in the Supervisor. Contour definitely needs certmanager.

Original Message:
Sent: Mar 27, 2024 04:15 PM
From: jeffsmaia
Subject: Problem to deploy Contour service on vSphere with Tanzu 8
Problem to deploy Contour on vSphere with Tanzu 8
I'm installing vSphere with Tanzu on vSphere 8. The installation goes well and the deployment of Tanzu finishes successfully.
But when I tried to install the Contour service I get an error "Reason: ReconcileFailed. Message: I0327 15:52:38.347544 16294 request.go:690] Waited for 1.048310726s due to client-side throttling, not priority and fairness, request: GET:https://10.96.0.1:443/apis/topology.tanzu.vmware.com/v1alpha1 kapp: Error: waiting on reconcile deployment/contour (apps/v1) namespace: svc-contour-domain-c8: Finished unsuccessfully (Deployment is not progressing: ProgressDeadlineExceeded (message: ReplicaSet "contour-7cb4c7bbd5" has timed out progressing.)).".
So I've looked into the containers and saw an error on contour pods: "time="2024-03-27T15:54:57Z" level=info msg="args: [serve --incluster --xds-address=0.0.0.0 --xds-port=8001 --stats-address=0.0.0.0 --http-address=0.0.0.0 --envoy-service-http-address=0.0.0.0 --envoy-service-https-address=0.0.0.0 --health-address=0.0.0.0 --contour-cafile=/certs/ca.crt --contour-cert-file=/certs/tls.crt --contour-key-file=/certs/tls.key --config-path=/config/contour.yaml]"
time="2024-03-27T15:54:57Z" level=error msg="Failed to get API Group-Resources" caller="cluster.go:161" context=kubernetes error="Get \"https://10.96.0.1:443/api?timeout=32s\": x509: certificate is valid for 172.35.70.102, not 10.96.0.1"
time="2024-03-27T15:54:57Z" level=fatal msg="unable to initialize Server dependencies required to start Contour" error="unable to set up controller manager: Get \"https://10.96.0.1:443/api?timeout=32s\": x509: certificate is valid for 172.35.70.102, not 10.96.0.1"".
It's a nested environment for a lab (study).
I have 3 hosts, 3 portgroups for management, workload and frontend (all with different networks).
Tanzu was deployed with NSX-ALB for load balancing.
The management network is 10.3.5.128/26
The workload network is 172.35.60.0/24
The frontend network is 172.35.70.0/24
All three networks communicate with each other.
How can I correct this configuration?