  • 1.  Problem to deploy Contour service on vSphere with Tanzu 8

    Posted Mar 27, 2024 04:16 PM

    Problem to deploy Contour on vSphere with Tanzu 8

    I'm installing vSphere with Tanzu on vSphere 8. The installation goes well and the deployment of Tanzu finished successfully.


    But when I tried to install the Contour service I get an error "Reason: ReconcileFailed. Message: I0327 15:52:38.347544 16294 request.go:690] Waited for 1.048310726s due to client-side throttling, not priority and fairness, request: GET:https://10.96.0.1:443/apis/topology.tanzu.vmware.com/v1alpha1 kapp: Error: waiting on reconcile deployment/contour (apps/v1) namespace: svc-contour-domain-c8: Finished unsuccessfully (Deployment is not progressing: ProgressDeadlineExceeded (message: ReplicaSet "contour-7cb4c7bbd5" has timed out progressing.)).".

    So I've looked into the containers and saw an error on contour pods: "time="2024-03-27T15:54:57Z" level=info msg="args: [serve --incluster --xds-address=0.0.0.0 --xds-port=8001 --stats-address=0.0.0.0 --http-address=0.0.0.0 --envoy-service-http-address=0.0.0.0 --envoy-service-https-address=0.0.0.0 --health-address=0.0.0.0 --contour-cafile=/certs/ca.crt --contour-cert-file=/certs/tls.crt --contour-key-file=/certs/tls.key --config-path=/config/contour.yaml]"
    time="2024-03-27T15:54:57Z" level=error msg="Failed to get API Group-Resources" caller="cluster.go:161" context=kubernetes error="Get \"https://10.96.0.1:443/api?timeout=32s\": x509: certificate is valid for 172.35.70.102, not 10.96.0.1"
    time="2024-03-27T15:54:57Z" level=fatal msg="unable to initialize Server dependencies required to start Contour" error="unable to set up controller manager: Get \"https://10.96.0.1:443/api?timeout=32s\": x509: certificate is valid for 172.35.70.102, not 10.96.0.1"".

    It's a nested environment for a lab (study).

    I have 3 hosts, 3 portgroups for management, workload and frontend (all with different networks).

    Tanzu was deployed with NSX-ALB for load balancing.

    The management network is 10.3.5.128/26
    The workload network is 172.35.60.0/24
    The frontend network is 172.35.70.0/24

    All three networks communicate with each other.

    How can I correct this configuration?



  • 2.  RE: Problem to deploy Contour service on vSphere with Tanzu 8

    Posted Mar 28, 2024 08:42 PM

    It seems to be a problem with a certificate: "certificate is valid for 172.35.70.102, not 10.96.0.1"

    Did you install CERT-MANAGER before Contour?

     



  • 3.  RE: Problem to deploy Contour service on vSphere with Tanzu 8

    Posted Apr 01, 2024 12:56 PM

    No, I didn't install cert manager. I do not see it as a prerequisite in the documentation. https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-with-tanzu-services-workloads/GUID-D0DEC184-00E6-4592-A044-A504840A48F5.html

    When I installed through the bootstrap machine (tkgm) I did all the installation correctly (ca-cert manager, contour, external dns, harbor....) but in the vsphere ui installation (tkgs), I couldn't find the cert manager as a previous step.



  • 4.  RE: Problem to deploy Contour service on vSphere with Tanzu 8

    Posted Apr 01, 2024 01:20 PM

    Could you try? I'm pretty sure that cert-manager is a prerequisite for contour.

     



  • 5.  RE: Problem to deploy Contour service on vSphere with Tanzu 8

    Broadcom Employee
    Posted Nov 22, 2024 09:29 AM
    Edited by Tian Peng Yap Nov 22, 2024 09:30 AM

    I have the same setup with AVI as LB.

    Contour does need certmanager, but I think it's getting the cert from the certmanager in Supervisor.

    Getting similar msg,

    root@423625c20ed0f98c5cd2af175161d3ca [ ~ ]# k logs -n svc-contour-domain-c10 contour-6c48758f7d-gvdx7 contour
    time="2024-11-22T14:02:58Z" level=info msg="maxprocs: Leaving GOMAXPROCS=1: CPU quota undefined"
    time="2024-11-22T14:02:58Z" level=info msg="args: [serve --incluster --xds-address=0.0.0.0 --xds-port=8001 --stats-address=0.0.0.0 --http-address=0.0.0.0 --envoy-service-http-address=0.0.0.0 --envoy-service-https-address=0.0.0.0 --health-address=0.0.0.0 --contour-cafile=/certs/ca.crt --contour-cert-file=/certs/tls.crt --contour-key-file=/certs/tls.key --config-path=/config/contour.yaml]"
    time="2024-11-22T14:03:08Z" level=fatal msg="unable to initialize Server dependencies required to start Contour" error="unable to set up controller manager: failed to determine if *v1.Secret is namespaced: failed to get restmapping: failed to get server groups: Get \"https://10.96.0.1:443/api\": net/http: TLS handshake timeout"

    k get pods gives crashloopbackoff

     

    k describe po -n svc-contour-domain-c10 contour-6c48758f7d-gvdx7


    The certmanager is in the supervisor. Contour definitely needs certmanager.
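
Added example, not part of any post in this thread and not Contour or Supervisor code: the x509 error in the first post is produced by the Go TLS client's hostname check, which compares the address it dialed (10.96.0.1) against the IP SANs in the certificate the server presented. The sketch below reproduces that check with a throwaway self-signed certificate; the function name verifyAgainstSANs and the constructed certificate are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// verifyAgainstSANs (hypothetical helper) builds a throwaway self-signed
// certificate whose only subject alternative names are the given IPs, then
// runs the hostname check a Go TLS client performs for the dialed address.
// The certificate is constructed test data, not the Supervisor's real one.
func verifyAgainstSANs(sanIPs []string, dialed string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	for _, s := range sanIPs {
		ip := net.ParseIP(s)
		if ip == nil {
			return fmt.Errorf("not an IP address: %q", s)
		}
		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	// Only the SAN list is consulted here; routing between networks plays no part.
	return cert.VerifyHostname(dialed)
}

func main() {
	fmt.Println(verifyAgainstSANs([]string{"172.35.70.102"}, "10.96.0.1"))
	fmt.Println(verifyAgainstSANs([]string{"172.35.70.102", "10.96.0.1"}, "10.96.0.1"))
}
```

The first call returns the same message as the Contour log in the first post; the second returns nil once the dialed address is among the certificate's IP SANs.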