Security Intelligence activation fails



Article ID: 369158


Updated On:

Products

VMware vDefend Firewall with Advanced Threat Prevention
VMware vDefend Firewall

Issue/Introduction

Intelligence activation fails with one of the following precheck errors:

 

(1) Triggering precheck failed due to: rendered manifests contain a resource that already exists. Unable to continue with install: Certificate "nsx-intelligence-precheck-tls-cert" in namespace "nsxi-platform" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: missing key "meta.helm.sh/release-name": must be set to "intelligence-precheck"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "nsxi-platform"

 

(2) Failed to install helm chart due to: rendered manifests contain a resource that already exists. Unable to continue with install: Secret "data-collection-truststore" in namespace "nsxi-platform" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: missing key "meta.helm.sh/release-name": must be set to "intelligence"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "nsxi-platform"

Environment

This bug occurs only in edge-case scenarios, primarily:

* NAPP and NSXi are installed with version 4.1.1 or lower.
* NSXi is uninstalled.
* NAPP is upgraded to 4.2.0.
* NSXi is installed again.

Resolution

Scenario 1: For the error below:

Failed to install helm chart due to: rendered manifests contain a resource that already exists. Unable to continue with install: Secret "data-collection-truststore" in namespace "nsxi-platform" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: missing key "meta.helm.sh/release-name": must be set to "intelligence"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "nsxi-platform"

If you hit this issue, the current workaround is to run:

napp-k delete secrets -l app.kubernetes.io/instance=intelligence

Scenario 2: For the error below:

Triggering precheck failed due to: rendered manifests contain a resource that already exists. Unable to continue with install: Certificate "nsx-intelligence-precheck-tls-cert" in namespace "nsxi-platform" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: missing key "meta.helm.sh/release-name": must be set to "intelligence-precheck"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "nsxi-platform"

 

The failure here is for the intelligence precheck chart, so the command is changed to:

(a) napp-k delete certificate -l app.kubernetes.io/instance=intelligence

Confirm that the cert was deleted:

(b) napp-k get certificate | grep nsx-intelligence-precheck-tls-cert

This should return an empty list.

(c) If it still exists, delete it by name:

napp-k delete certificate nsx-intelligence-precheck-tls-cert
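
Before deleting anything in either scenario, it helps to see exactly which labelled objects Helm would refuse to adopt. The script below is an added example, not VMware code: it applies the ownership check named in the error messages (the two meta.helm.sh annotations, plus the app.kubernetes.io/managed-by label that Helm validates at the same time) to a JSON object listing. It assumes napp-k passes kubectl's "-o json" option through; the sample listing and the object name constructed-owned-secret are constructed.

```python
import json
import sys

# Ownership metadata Helm requires before it will adopt an existing object.
MANAGED_BY_LABEL = "app.kubernetes.io/managed-by"
RELEASE_NAME = "meta.helm.sh/release-name"
RELEASE_NAMESPACE = "meta.helm.sh/release-namespace"


def ownership_problems(item, release, namespace):
    """Return the reasons Helm would refuse to import this object."""
    meta = item.get("metadata", {})
    labels = meta.get("labels") or {}
    annotations = meta.get("annotations") or {}
    problems = []
    if labels.get(MANAGED_BY_LABEL) != "Helm":
        problems.append(f'label "{MANAGED_BY_LABEL}" is not "Helm"')
    for key, want in ((RELEASE_NAME, release), (RELEASE_NAMESPACE, namespace)):
        have = annotations.get(key)
        if have is None:
            problems.append(f'missing key "{key}": must be set to "{want}"')
        elif have != want:
            problems.append(f'key "{key}" is "{have}", expected "{want}"')
    return problems


def find_blockers(listing, release, namespace="nsxi-platform"):
    """Map 'Kind/name' to its problems for every object Helm cannot adopt."""
    blockers = {}
    for item in listing.get("items", []):
        problems = ownership_problems(item, release, namespace)
        if problems:
            blockers[f'{item["kind"]}/{item["metadata"]["name"]}'] = problems
    return blockers


# Constructed sample: one stale Secret without annotations, one owned Secret.
SAMPLE = {"items": [
    {"kind": "Secret", "metadata": {"name": "data-collection-truststore",
        "labels": {MANAGED_BY_LABEL: "Helm"}}},
    {"kind": "Secret", "metadata": {"name": "constructed-owned-secret",
        "labels": {MANAGED_BY_LABEL: "Helm"},
        "annotations": {RELEASE_NAME: "intelligence",
                        RELEASE_NAMESPACE: "nsxi-platform"}}},
]}

if __name__ == "__main__":
    # Pipe a JSON listing on stdin; with no pipe, the sample is used.
    listing = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    release = sys.argv[1] if len(sys.argv) > 1 else "intelligence"
    for name, problems in find_blockers(listing, release).items():
        print(name, *problems, sep="\n  - ")
```

To run it against the live namespace, pipe the output of "napp-k get secret,certificate -l app.kubernetes.io/instance=intelligence -o json" into the script and pass the release name from the error (intelligence or intelligence-precheck) as the first argument.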

Additional Information

This is fixed in version 4.2