During TKG deployment from NAPPAA, WaitForCertificate step fails because HAProxy VM fails to get the right IP address on or after ESXi 8.0U3b.
Symptoms:
TKG deployment from NAPPAA fails at WaitForCertificate step.
The HAProxy VM shows the wrong IP address in the vCenter UI; it does not show the IP address that the user set in the NAPPAA Environment Config (the first page in NAPPAA).
SSH into the HAProxy VM from the NAPPAA VM fails because of the incorrect IP address.
ESXi 8.0U3b, all NAPP Automation Appliance versions
This is caused by a known issue in ESX/vSphere 8.0U3b and onward. A change to the default behavior of cloud-init guestInfo variables leaves the HAProxy appliance unable to configure its networking at boot.
SSH into the NAPPAA VM; /var/log/napp-automation/napp-deploy.log will show the following timeout error:
{"function":"WaitForCertificate","level":"info","msg":"Timeout waiting for HA Proxy certificates","time":"2024-11-13T03:07:21Z"}
{"function":"RunTanzuHandler","level":"info","msg":"TKG deployment is completed with error. Error was: Timeout waiting for HA Proxy certificates","time":"2024-11-13T03:07:21Z"}
Before starting TKG deployment from NAPPAA:
1. Clean up the failed TKG deployment by clicking the "CLEANUP" button in the NAPPAA UI.
2. Upload the replace-haproxy-ovf.sh script attached to this KB to the NAPPAA VM; any location is fine. Example → /opt/napp/replace-haproxy-ovf.sh. Do not edit the script.
3. Confirm the hash of the file: sha256sum replace-haproxy-ovf.sh
d4fcf1d526e6e9633416516909c027b76acd544b5483dd5032ba450918bc2c71 replace-haproxy-ovf.sh
If it differs, then re-upload the script.
4. SSH into NAPPAA VM with "root" user
5. cd <replace-haproxy-ovf.sh script folder>
6. chmod +x replace-haproxy-ovf.sh
7. /bin/bash replace-haproxy-ovf.sh
8. Redeploy TKG by clicking on "UPDATE & REDEPLOY" button from NAPPAA UI.
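Steps 3 and 5 to 7 can be combined so that the script runs only if its hash matches the value published above. This is an added example, not part of the KB or of the attached script; the function names verify_sha256 and run_if_verified are assumptions made for the example.

```shell
#!/bin/bash
# Added example: gate execution of replace-haproxy-ovf.sh on its SHA-256.
# EXPECTED_SHA256 is the value published in this KB; the function names
# are hypothetical and exist only in this example.

EXPECTED_SHA256="d4fcf1d526e6e9633416516909c027b76acd544b5483dd5032ba450918bc2c71"

# verify_sha256 FILE [EXPECTED]
# Returns 0 only if FILE exists and its SHA-256 equals EXPECTED
# (defaults to the KB value). Returns 2 if missing, 1 on mismatch.
verify_sha256() {
    local file="$1" expected="${2:-$EXPECTED_SHA256}" actual
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # Hash via stdin so unusual file names cannot alter the output format.
    actual="$(sha256sum < "$file" | awk '{print $1}')"
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
}

# run_if_verified FILE [EXPECTED]
# Runs FILE with /bin/bash (as in step 7) only after the check passes.
run_if_verified() {
    verify_sha256 "$@" || return $?
    /bin/bash "$1"
}

# Stand-alone use: pass the script path as the first argument, e.g.
#   ./verify-and-run.sh ./replace-haproxy-ovf.sh
if [ $# -gt 0 ]; then
    run_if_verified "$1"
fi
```

On a mismatch the function prints both hashes and returns non-zero without executing anything, which is the point at which step 3 says to re-upload the script.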