Enabling Contour service on Supervisor fails with error: Deployment is not progressing: ProgressDeadlineExceeded (message: ReplicaSet "contour-xxxx" has timed out progressing


Article ID: 390856


Products

VMware vSphere Kubernetes Service

Issue/Introduction

  • Deployment of the service on the Supervisor node fails because images cannot be retrieved from the VMware repository, resulting in an image pull error during pod deployment.

root@##################### [ ~ ]# kubectl get pods -A | grep -v Run
NAMESPACE NAME READY STATUS RESTARTS AGE
svc-contour-domain-c### contour-#######-###### 0/1 ErrImagePull 0 20m

  • The describe pod command may return the following error:

kubectl describe pod -n svc-contour-domain-cxxx contour-#####-##### 


Status: Pending
Reason: ErrImagePull
Message: failed to pull images: failed to get images: Image  svc-contour-domain-c####/contour-########-#####  has failed. Error: Failed to resolve on node NodeName.domain.local. Reason: Http request failed. Code 400: ErrorType(2) failed to do request: Head "projects.packages.broadcom.com/vsphere/supervisor/packages/2025.1.23/vks-standard-packages@sha256:######################": proxyconnect tcp: dial tcp #.#.#.#:8080: i/o timeout: ErrImagePull

<ESX_HOST>: Failed to resolve image: Http request failed. Code 400: ErrorType(2) failed to do request: Head "https://projects.packages.broadcom.com/v2/vsphere/iaas/lci-service/9.0.1/lci-service/manifests/sha256:##########################################################": proxyconnect tcp: read tcp <IP>:<PORT>-><IP>:<PORT>: read: connection reset by peer

 

Environment

vSphere with Tanzu 
NSX 4.x

Cause

This issue can occur if the Frontend or Workload network configured on the Supervisor is not routed to reach the default image repository.

Resolution

  • The Frontend or Workload network is used to fetch images, so it must be allowed to reach the image repository "https://projects.packages.broadcom.com".
    • To validate that the image repository is reachable from the Supervisor Workload network, run:

root@################# [ ~ ]# curl --interface eth1 https://projects.packages.broadcom.com -vvv

*   Trying #.#.#.#:443...

    • To resolve the issue, allow access to the repository from the Frontend/Workload network gateway on your network, or on the proxy server if one is configured.

Once the configuration has been updated, validate using the same command (above).

Sample:

root@############### [ ~ ]# curl --interface eth1 https://projects.packages.broadcom.com -vvv

Connected to projects.packages.broadcom.com (#.#.#.#) port 443 (#0)
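
Before changing the network, the error text from the describe output shows which hop failed: both messages in the Issue section contain "proxyconnect", meaning the connection to the proxy failed rather than the connection to the repository itself. The script below is an added example, not part of the original article or VMware tooling; the category names and sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage an image-pull error by the network hop that failed.
# Category names and sample addresses are constructed for this example.

# "proxyconnect" is the operation Go's HTTP client reports when the
# connection to the configured proxy fails, before the registry is contacted.
classify_pull_error() {
    case $1 in
        *proxyconnect*"i/o timeout"*)              echo "proxy-timeout" ;;
        *proxyconnect*"connection reset by peer"*) echo "proxy-reset" ;;
        *proxyconnect*)                            echo "proxy-other" ;;
        *"dial tcp"*"i/o timeout"*)                echo "direct-timeout" ;;
        *"no such host"*)                          echo "dns" ;;
        *)                                         echo "unclassified" ;;
    esac
}

# Extract the proxy address (IP:port) from a proxy dial failure.
proxy_endpoint() {
    printf '%s\n' "$1" | sed -n 's/.*proxyconnect tcp: dial tcp \([^ ]*\): .*/\1/p'
}

# Map each category to the part of the Resolution that applies.
advise() {
    case $(classify_pull_error "$1") in
        proxy-timeout)  echo "proxy $(proxy_endpoint "$1") unreachable from the node: check routing and firewall to the proxy" ;;
        proxy-reset)    echo "proxy connection was reset: check that the proxy permits projects.packages.broadcom.com" ;;
        direct-timeout) echo "no proxy in the path: check the route from the Workload/Frontend gateway to the repository" ;;
        dns)            echo "name resolution failed: check the DNS servers configured for the network" ;;
        *)              echo "no known pattern: read the full message" ;;
    esac
}

# Constructed samples modelled on the messages above (documentation addresses).
SAMPLE_TIMEOUT='Head "projects.packages.broadcom.com/...": proxyconnect tcp: dial tcp 192.0.2.10:8080: i/o timeout: ErrImagePull'
SAMPLE_RESET='Head "https://projects.packages.broadcom.com/v2/...": proxyconnect tcp: read tcp 192.0.2.20:41000->192.0.2.10:8080: read: connection reset by peer'
SAMPLE_DIRECT='Head "https://projects.packages.broadcom.com/v2/...": dial tcp 198.51.100.7:443: i/o timeout'

for m in "$SAMPLE_TIMEOUT" "$SAMPLE_RESET" "$SAMPLE_DIRECT"; do
    printf '%s -> %s\n' "$(classify_pull_error "$m")" "$(advise "$m")"
done
```

Pass the Message line from kubectl describe pod as the argument to advise; a proxy category means the proxy path needs fixing, while direct-timeout points at the gateway route.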

Additional Information

For Supervisor setups with VDS, also refer to: vSphere Pod Traffic to ClusterIP Time-outs

If you are unable to implement the resolution's connectivity requirements to projects.packages.broadcom.com, you can implement an air-gapped solution to store the images locally. Refer to the VKS Deployment Guide for Air-Gapped Environments.