OIDC Response Header overflow in Tanzu Kubernetes Grid Integrated Edition (TKGI)

Article ID: 297308

Products

Tanzu Kubernetes Grid

Issue/Introduction

After OpenID Connect (OIDC) is enabled and a user logs in successfully, the response header carries a JWT that contains many claims. The header exceeds the Load Balancer (LB) header-size limit, so the LB drops the response and returns the following error: "502 Bad Gateway"


Note: All versions of Tanzu Kubernetes Grid Integrated Edition (TKGI) are susceptible.

Environment

Product Version: 2.5

Resolution

A permanent fix requires NCP (NSX Container Plugin) support for a configurable LB request_header_size and response_header_size.

The current workaround is as follows:

1. Log in to NSX Manager and find the ID of the Application Profile used for VMware Enterprise PKS (e.g. ncp-pks-a51bd843-d6b9-4e1d-9073-e84bb82cdcde-LbHttpProfile).

2. Issue a REST API call to get the Application Profile and save it to a file (`-k` skips TLS certificate verification of NSX Manager; omit it if your curl trusts the manager's certificate):

curl -k -u '<nsx_manager_username>:<nsx_manager_password>' https://<nsx_manager_ip>/api/v1/loadbalancer/application-profiles/<app-profile-id> > lb_app_profile.json


3. Open lb_app_profile.json and set request_header_size to 4096 and response_header_size to 16384. Save and close the file.

4. Issue a REST API call to update the Application Profile:

curl -X PUT -H "Content-Type:application/json" -H "X-Allow-Overwrite:True" -ku '<nsx_manager_username>:<nsx_manager_password>' https://<nsx_manager_ip>/api/v1/loadbalancer/application-profiles/<app-profile-id> -T lb_app_profile.json
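The following Python script is an added example, not code from this article, VMware or NCP. It performs step 3 on the saved lb_app_profile.json without hand-editing (refusing non-HTTP profiles, keeping `_revision` so the PUT in step 4 fails if the object changed in between, and never lowering a limit that is already larger), and it shows why the new value matters by measuring a constructed token header against the old and new response_header_size. The profile JSON below is a constructed sample of what step 2 returns (only the profile ID is taken from the article; the other values are illustrative, not NSX defaults), and the assumption that the token travels in a Set-Cookie header named id_token is an illustration only.

```python
"""Apply the NSX-T LB application-profile header-size workaround to a saved JSON.

Added example for this article; not VMware, NCP or NSX code. Runs offline on a
constructed copy of the JSON that step 2's GET returns.
"""
import base64
import json

# Values the article tells you to set in step 3.
REQUEST_HEADER_SIZE = 4096
RESPONSE_HEADER_SIZE = 16384

# Constructed sample of lb_app_profile.json (trimmed). Only the "id" comes from
# the article; the sizes and revision are illustrative, not NSX defaults.
SAMPLE_PROFILE_JSON = json.dumps({
    "resource_type": "LbHttpProfile",
    "id": "ncp-pks-a51bd843-d6b9-4e1d-9073-e84bb82cdcde-LbHttpProfile",
    "display_name": "ncp-pks-a51bd843-d6b9-4e1d-9073-e84bb82cdcde-LbHttpProfile",
    "request_header_size": 1024,
    "response_header_size": 4096,
    "_revision": 7,
})


def patch_profile(profile_json, request_size=REQUEST_HEADER_SIZE,
                  response_size=RESPONSE_HEADER_SIZE):
    """Return the profile dict with both header-size limits raised.

    Only an LbHttpProfile carries these limits, so anything else is rejected.
    Existing larger limits are kept, which makes re-running the script harmless.
    `_revision` is preserved so NSX rejects the PUT if the object changed meanwhile.
    """
    profile = json.loads(profile_json)
    if profile.get("resource_type") != "LbHttpProfile":
        raise ValueError("not an LbHttpProfile: %r" % profile.get("resource_type"))
    if "_revision" not in profile:
        raise ValueError("profile has no _revision; re-run the GET from step 2")
    profile["request_header_size"] = max(profile.get("request_header_size", 0), request_size)
    profile["response_header_size"] = max(profile.get("response_header_size", 0), response_size)
    return profile


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sample_jwt(group_count):
    """Build an UNSIGNED JWT (alg none, for size estimates only) whose payload
    carries `group_count` group claims, the kind of claim-heavy token the article
    describes. Issuer and subject are placeholders."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = {
        "iss": "https://idp.example.invalid",
        "sub": "user@example.invalid",
        "groups": ["system:cluster-group-%04d" % i for i in range(group_count)],
    }
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return "%s.%s." % (header, payload)


def header_line_size(name, value):
    """Bytes the LB sees for one header line, including the terminating CRLF."""
    return len(("%s: %s\r\n" % (name, value)).encode("utf-8"))


def fits(response_header_size, header_bytes):
    """True if a response header of header_bytes stays within the profile limit."""
    return header_bytes <= response_header_size


if __name__ == "__main__":
    before = json.loads(SAMPLE_PROFILE_JSON)
    after = patch_profile(SAMPLE_PROFILE_JSON)
    # Assumed carrier header for the token (illustration only): a Set-Cookie line.
    cookie = "id_token=%s; Path=/; Secure; HttpOnly" % sample_jwt(200)
    size = header_line_size("Set-Cookie", cookie)
    print("token header bytes:", size)
    print("fits before:", fits(before["response_header_size"], size),
          "fits after:", fits(after["response_header_size"], size))
    # Save this output as lb_app_profile.json and PUT it as in step 4.
    print(json.dumps(after, indent=2))
```

Run it with the real lb_app_profile.json read in place of SAMPLE_PROFILE_JSON, redirect the final JSON to the file, and then issue the PUT from step 4; the preserved `_revision` is what makes NSX Manager reject a stale update instead of silently overwriting a concurrent change.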