VMware NSX

Hello All,

I am trying to install NSX-T application platform. I am using vSphere with Tanzu as my Kubernetes Cluster. Also, I am sing the public registry for pulling the docker images.

I am getting the error.

NSX Application Platform deployment failed! Contour chart installation failed

Hi,

At which stage you are getting this error? Could you please share the logs or screenshots?

You might be able to see why it fails with kubectl

kubectl get pods -owide  -n projectcontour
And see if a pod is in Error state
kubectl describe pods <POD name>  -n projectcontour

Screenshots and logs would be useful

Hello p0wertje ,

Firstly, I don't have much skills in Tanzu or K*s. I am following VMware Docs and Blogs (Thanks to Shank Mohan). 

I am getting the below error while I am using the command  kubectl get pods -owide  -n projectcontour

Warning SyncLoadBalancerFailed 3m3s (x2 over 3m8s) service-controller Error syncing load balancer: failed to ensure load balancer: VirtualMachineService IP not found

And the log for the kubectl describe pods <POD name>  -n projectcontour is attached. 

Thanks a ton again all.

Attachment(s)

contour failure.txt   2 KB 1 version

Does 
kubectl get services -n projectcontour
Show an external IP on projectcontour-envoy?

It might be this: (taken from shanks website)
The Service Name needs to be correct or else the deployment will fail almost immediately. From what I can see, a DNS lookup is performed with the FQDN entered, and whatever IP address comes back is added as the ingress / contour / envoy load balancer IP. So ensure you create an appropriate DNS entry and IP address. In my case, I have created a DNS entry in the vip-tkg range.

The service name you use when installing NAPP needs to resolve to an IP that is in the VIP range you configured (i assume you use AVI, since you follow the blog)
NSX Application Platform Part 3: NSX-T, NSX-ALB (Avi), and Tanzu (lab2prod.com.au)

Hello,

Yes, I do see the external IP when I am using get service with kubectl command.

Also, the VIP is being created in the AVI. 

And this is in the vip-tkg range

What I see when I use the kubectl describe services -n projectcontour projectcontour-envoy, I can see the below error. I am not sure if this is causing the issues

What is AVI saying why it is down ?

Hi,

Because it is unable to reach the back end pool remembers. 

The service looks fine.
The Warning you get is the first it shows. Then it moves to ensuring and last ensured
How are the pods ?

kubectl get pods -owide  -n projectcontour

The pods looks OK.

I am running a bit out of ideas.

Maybe a stupid question (but I got to ask) Is it not the nsx firewall blocking things?

Hello, 

I had the same doubt so that I moved the networking from NSX-T to vCenter. Still the same. Now I have Any to Any allow policy in NSX-T. 

If you are using AVI for LB, name resolution / IPAM in AVI and VIP / workload is reachable, did you ensure that the static route in AVI is correctly configured? 

It sounds like a routing issue.

Hello Shank,

The routing is in place. The VS and VIP are working fine for the workload cluster.  I can reach and manage the workload cluster through Avi VIP. 

172.25.93.0/24 --> this is my workload segment

172.25.92.1 --> this is the DG for VIP network. 

I am getting the below error in the contour. It looks like an commination issue within the service network. 

Can you please advise how to get the logs specific to contour pods? As I said before I have very limited knowledge in K8s. 

Thanks a lot. 

You can get the logs by using 
kubectl logs <POD name>  -n projectcontour

Hello,

I am attaching the contour pods logs. It looks like some internal error. 

Attachment(s)

Contour Logs.txt   83 KB 1 version

To me it still seems like a routing / network issue based on the error you are getting. What topology are you deploying, NSX/ vDS/ AVI, have you tested connectivity between nodes, ensured all the basics for NSX functionality are in place?

Hello Shank,

Yes. I do have the basic NSX-T infrastructure properly working. I can reach the Supervisor cluster VIP from external network. The supervisor cluster VIP is connected to a NSX-T segment. Also, I can reach the VIP of the new TKC deployed for NAPP. The VIP for the NAPP is being created in the AVI but not completing the backend pods deployment. 

Hello Shank &  p0wertje,

The problem is been fixed.

Assumption: As I stated, I was getting some internal error in the contour pods. So, assumed it has something to do with the container images of contour. 

Solution: I have upgraded my NSX-T from 3.2.0 to 3.2.1 and used the VMware Registry to pull the container images. Once it is done, the installation went through without any issues.

Thanks a lot to you guys for spending a lot of time. And it guided me to the right path.

Contour is ingress, which means an LB issue.