Contour package installed into a workload cluster shows in Failed or ReconcileFailed state.

While connected to the workload cluster context where the failing contour package is present, the following symptoms are observed:

• The contour packageinstall (pkgi) shows in ReconcileFailed state:
  

  kubectl get pkgi -A | grep contour

• Performing a describe on the failing contour pkgi shows the following error message:
  

  kubectl describe pkgi -n <contour pkgi namespace> <contour pkgi>
  
  Useful Error Message:  Preparing template values: secrets "<missing secret name>" not found

This issue can occur regardless of whether or not the affected cluster is managed by Tanzu Mission Control (TMC)

vSphere Supervisor

The secret object containing the contour package values is missing from the environment.

Contour shows as Failed state because kapp-controller which manages packageinstalls (pkgi) routinely checks packages and associated secrets for health reconciliation.

If there are no errors with the contour or envoy pods, ingress controller functionality and endpoints will not be affected by this issue.

The missing secret needs to be recreated in the environment.

This secret contains the values YAML that was used originally to set up the contour package on initial installation in the environment.

In Tanzu Mission Control, this is encoded in the data key value pair.

In VKS Standard Packages, the data key value pair points to the name of the YAML file.