Enabling VKS with AVI load balancer fails: "Timed out waiting for LB service update. This operation is part of the cluster enablement and will be retried"

Article ID: 402414


Products

VMware vSphere Kubernetes Service

Issue/Introduction

  • Enabling VKS with the AVI load balancer fails with the messages below:

    • Initialized vSphere resources
    • Deployed Control Plane VMs
    • Configured Control Plane VMs
    • Configured Load Balancer fronting the Kubernetes API Server
    • Timed out waiting for LB service update. This operation is part of the cluster enablement and will be retried.
    • Configured Core Supervisor Services

Environment

  • VMware vSphere Kubernetes Services

Cause

  • The certificate for AVI is incorrect.

    • The subjectAltName field should contain both the IP address and the FQDN of the AVI controller.
    • If the subjectAltName includes only the IP address or only the FQDN, enabling VKS will fail.

  • To check the value of subjectAltName, run the command:

$ echo | openssl s_client -connect <avi_ip>:443 2>/dev/null | openssl x509 -noout -ext subjectAltName

   X509v3 Subject Alternative Name:
    DNS: IP Address:##.##.##.##

Resolution

  • Ensure that the subjectAltName field in the certificate for AVI includes both the IP address and the FQDN, as shown in the example below:

$ echo | openssl s_client -connect <avi_ip>:443 2>/dev/null | openssl x509 -noout -ext subjectAltName
 
   X509v3 Subject Alternative Name:
    DNS:host1.example.com, IP Address:##.##.##.##
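
The check above can be scripted so that a certificate is validated before VKS enablement is attempted. The following is an added example, not part of the original article: the function names `san_entries` and `check_san` are hypothetical, the sample outputs are constructed, and it assumes an IPv4 controller address.

```sh
#!/bin/sh
# Added example (not from the KB article): verify that a certificate's
# subjectAltName lists BOTH the controller FQDN and its IP address.

# Split `openssl x509 -noout -ext subjectAltName` output into one
# "TYPE:value" entry per line, dropping the header line and padding.
san_entries() {
    printf '%s\n' "$1" | tr ',' '\n' | sed \
        -e '/Subject Alternative Name/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# check_san SAN_TEXT FQDN IPV4
# Prints "ok" and returns 0 when both entries are present; otherwise prints
# "missing: ..." and returns 1. Entries are matched as whole values, so
# 192.0.2.1 does not match a certificate that only lists 192.0.2.10.
check_san() {
    entries=$(san_entries "$1")
    missing=""
    # DNS names are case-insensitive; IP entries are compared literally.
    printf '%s\n' "$entries" | grep -qixF "DNS:$2" || missing="fqdn"
    printf '%s\n' "$entries" | grep -qxF "IP Address:$3" ||
        missing="${missing:+$missing,}ip"
    if [ -n "$missing" ]; then
        echo "missing: $missing"
        return 1
    fi
    echo "ok"
}

# Constructed sample outputs (192.0.2.10 and host1.example.com are placeholders).
GOOD_SAN='X509v3 Subject Alternative Name:
    DNS:host1.example.com, IP Address:192.0.2.10'
IP_ONLY_SAN='X509v3 Subject Alternative Name:
    IP Address:192.0.2.10'

check_san "$GOOD_SAN" host1.example.com 192.0.2.10 || true      # both present
check_san "$IP_ONLY_SAN" host1.example.com 192.0.2.10 || true   # FQDN missing

# Against a live controller, feed it the article's command output:
#   san=$(echo | openssl s_client -connect <avi_ip>:443 2>/dev/null |
#         openssl x509 -noout -ext subjectAltName)
#   check_san "$san" <avi_fqdn> <avi_ip>
```

The non-zero return code on a missing entry lets the check gate an automation step that precedes enablement.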