A cluster creation or deletion failed, and you need to clean up the stale protected NSX objects.
Note! This procedure should never be used on a working TKGI cluster. It is only safe to use if the cluster creation or deletion has failed and a complete cluster cleanup (deletion) is required.
TKGi v1.12 later
Login to pivotal-container-service VM
bosh vms
deployment=pivotal-container-service-ed37ab637cc53362ef60
bosh -d $deployment ssh pivotal-container-service/0
Preparation for pksnsxcli
cd /var/vcap/packages/pks-nsx-t-cli/bin
# Constant Values
NSX_CLIENT_CERT=/var/vcap/jobs/pks-nsx-t-osb-proxy/config/nsx_t_superuser_cert.pem
NSX_CLIENT_KEY=/var/vcap/jobs/pks-nsx-t-osb-proxy/config/nsx_t_superuser_key.pem
# Set for your environment
NSX_MANAGER_IPADDR=192.0.2.xxx
# Use "tkgi clusters" or See "NSX UI --> Networking --> Tier-1 Logical Routers --> pks-xxxx"
CLUSTER_UUID=pks-0b75af48-ae88-4a61-94c5-f7606d45c8b4
# NSX UI --> Networking --> Tier-0 Logical Routers --> ID
T0_ROUTER_ID=d08b1ad8-a9ef-480f-bd2e-379bdbf1e958
# Check connection with NSX (Ignore WARN message)
./pksnsxcli check --nsx-manager-host=$NSX_MANAGER_IPADDR -c $NSX_CLIENT_CERT -k $NSX_CLIENT_KEY --insecure
#> WARN[2024-07-11T04:50:41Z] NSX-T communication config: server tls authentication is disabled
# Dry-run
./pksnsxcli cleanup --nsx-manager-host=$NSX_MANAGER_IPADDR -c $NSX_CLIENT_CERT -k $NSX_CLIENT_KEY --insecure --cluster $CLUSTER_UUID --pks=true --force=true --api-type=Manager --t0-router-id $T0_ROUTER_ID --read-only=true
For Manager API, use below.
./pksnsxcli cleanup --nsx-manager-host=$NSX_MANAGER_IPADDR -c $NSX_CLIENT_CERT -k $NSX_CLIENT_KEY --insecure --cluster $CLUSTER_UUID --pks=true --force=true --api-type=Manager --t0-router-id $T0_ROUTER_ID --read-only=false
For policy api, use below.
./pksnsxcli cleanup --nsx-manager-host=$NSX_MANAGER_IPADDR -c /var/vcap/jobs/pks-nsx-t-osb-proxy/config/nsx_t_superuser_cert.pem -k /var/vcap/jobs/pks-nsx-t-osb-proxy/config/nsx_t_superuser_key.pem --insecure --cluster <cluster-uuid> --pks=true --read-only=false --force=true --api-type=Policy
Check the result via NSX UI