Upgrade fails due to misconfigurations / user errors within the Active Directory
search cancel

Upgrade fails due to misconfigurations / user errors within the Active Directory

book

Article ID: 372548

calendar_today

Updated On:

Products

VMware Telco Cloud Automation

Issue/Introduction

Upgrading to VMware Telco Cloud Automation (TCA) fails if there are some misconfigurations / user errors within the Active Directory (AD).

This could also happen while a user is configuring AD for TCA 3.1.1.

Environment

3.1.1

Cause

TCA syncs users and groups locally (using Keycloak DB) to avoid making user-group-membership queries to an external AD.

During this sync, Keycloak would throw an error if any AD object is misconfigured.

eg: userPrincipalName for one user on the AD could be misconfigured.

Resolution

Procedure 1

If you corrects the AD record the issue is resolved. This procedure is recommended when the issue is identified during TCA Upgrade.

Procedure 2

Note: This procedure is recommended for avoiding the problem altogether

Patch needs to be applied to TCA to ensure that you do not encounter this problem in the environment.

The strategy for the patch is to disable the sync and allow AD to be configured even if some accounts are misconfigured.

This patch changes the behaviour for TCA in the following manner:

TCA 3.1.1 GA (without Patch)

TCA 3.1 GA (with Patch)

AD configuration happens with Periodic Sync for AD objects

AD configuration happens with no periodic sync

Users are synced to TCA

Users are not synced to TCA. They are queried on demand

Groups are synced to TCA

Groups are not synced to TCA. They are queried on demand

Validation for ensuring that the Admin User Group exists

No such validation exists. It is the responsibility of the user to ensure that the Admin User Group exists


Misconfiguration of an AD user's attributes will be validated during login, and may cause login to fail.

​​How to apply the patch

Note: Consider taking a backup / snapshot of the TCA VM, this will help in reverting to the previous state if any issues are encountered while performing the patching operation.

Services that will be upgraded via the patch are:

  1. tca-api (web-engine)

  2. tca-platform-manager (appliance management)

The patch needs to be applied on both TCA-Manager and TCA-CP appliances

Please follow the following steps to apply the patch for upgrading the above 2 services:

  1. Download the patch .tar file (attached: patch-changes_1721644575047.tar and rename to patch-changes.tar)

  2. SSH into the TCA appliance (TCA-M and TCA-CP) and switch the user to root.

  3. Copy the patch-changes.tar patch bundle to the /tmp directory of the TCA appliance

  4. ​​Extract the patch-changes.tar file:

    ​​tar -xvf patch-changes.tar 

  5. Change to the patch-changes folder:

    cd patch-changes

  6. Execute the patch-tca.sh patch file. Please ensure there are no CaaS / CNF
    LCM operations in progress before running the script.

    ./patch-tca.sh

  7. Monitor the patch status for completion. One can also review the contents of the tca-patch.log within the same directory from which the script was run.

  8. Wait for tca-api and tca-platform-manager pods to be up and running after the patch script is run.
    Commands for querying pods within TCA-M
    $ kubectl get pods -n tca-mgr | grep tca-api
     tca-api-9cd796ddb-dsszs                          1/1     Running 0         34m

    $ kubectl get pods -n tca-mgr | grep tca-platform.
     tca-platform-manager-96bcf4c9d-n4p7n             1/1     Running 0         34m

    Commands for querying pods within TCA-CP
    $ kubectl get pods -n tca-cp-cn | grep tca-api
    tca-api-5c6ff96f6d-glpcc                             1/1     Running 0         3



Attachments

patch-changes_1721644575047.tar get_app
Powered by Wolken Software