The TMC-SM WebUI is not accessible when externalTrafficPolicy of the contour-envoy service is set to 'Local'


Article ID: 412656


Updated On:

Products

VMware Tanzu Mission Control

VMware vSphere Kubernetes Service

Issue/Introduction

When the Contour package is installed with TMC-SM, the externalTrafficPolicy of the contour-envoy service is set to 'Local' by default. Under some LoadBalancer setups, that setting causes connections to the backend servers to flap, as seen in the LoadBalancer UI, and the target service (the TMC-SM WebUI) is not accessible.

Environment

VMware vSphere Kubernetes Service

Tanzu Mission Control Self Managed (TMC-SM)

Contour Package

Cause

The root cause of why "externalTrafficPolicy: Local" on the contour-envoy service causes the connectivity issue under some LoadBalancer setups is not clearly known yet.

Resolution

The workaround is to change the externalTrafficPolicy from the default value 'Local' to 'Cluster' by following the steps below:

  1. Create a YTT overlay secret of PackageInstall to set spec.externalTrafficPolicy to "Cluster" in the service contour-envoy. Save the manifest below as contour-svc-overlay.yaml and apply it:

    $ kubectl apply -f contour-svc-overlay.yaml

    # contour-svc-overlay.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: tmc-sm-contour-overlay
      namespace: tmc-local
    stringData:
      tmc-pkgi-overlay.yml: |
        #@ load("@ytt:overlay", "overlay")
        #@overlay/match by=overlay.subset({"apiVersion":"packaging.carvel.dev/v1alpha1", "kind":"PackageInstall", "metadata": {"name": "contour"}}),expects="1+"
        ---
        metadata:
          #@overlay/match missing_ok=True
          annotations:
            #@overlay/match missing_ok=True
            ext.packaging.carvel.dev/ytt-paths-from-secret-name.0: contour-svc-overlay
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: contour-svc-overlay
      namespace: tmc-local
    stringData:
      contour-svc-overlay.yml: |
        #@ load("@ytt:overlay", "overlay")
        #@overlay/match by=overlay.subset({"apiVersion":"v1", "kind":"Service",  "metadata": {"name": "contour-envoy"}}),expects="1+"
        ---
        spec:
          #@overlay/match expects="1+"
          externalTrafficPolicy: Cluster

  2. Patch the PackageInstall tanzu-mission-control with the extension annotation:

    $ kubectl patch pkgi tanzu-mission-control --type='merge' -p '{"metadata": {"annotations": {"ext.packaging.carvel.dev/ytt-paths-from-secret-name.0": "tmc-sm-contour-overlay"}}}' -n tmc-local

  3. Check the configuration of the contour-envoy service and confirm that spec.externalTrafficPolicy has been updated to Cluster:

    $ kubectl -n tmc-local get svc contour-envoy -oyaml
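
To confirm each link of the overlay chain from steps 1 to 3 rather than only the final Service field, the following added example (not part of the original article or of VMware's tooling) checks the two secrets, both PackageInstall annotations and the Service policy. It assumes the `contour` PackageInstall lives in the `tmc-local` namespace; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify the overlay chain created in steps 1-3.
# Assumption: the "contour" PackageInstall is in the same namespace as the secrets.
NS="${NS:-tmc-local}"
# Annotation key from the article, with dots escaped for kubectl jsonpath.
ANNOTATION='ext\.packaging\.carvel\.dev/ytt-paths-from-secret-name\.0'

# Print the overlay-secret annotation value of a PackageInstall.
pkgi_overlay() {
  kubectl -n "$NS" get pkgi "$1" -o jsonpath="{.metadata.annotations.$ANNOTATION}"
}

# expect_eq <label> <expected> <actual>: report and return 1 on mismatch.
expect_eq() {
  if [ "$2" = "$3" ]; then
    echo "OK    $1 = $3"
  else
    echo "FAIL  $1: expected '$2', got '$3'"
    return 1
  fi
}

check_contour_overlay() {
  rc=0
  # Step 1: both overlay secrets must exist in the namespace.
  for s in tmc-sm-contour-overlay contour-svc-overlay; do
    if kubectl -n "$NS" get secret "$s" >/dev/null 2>&1; then
      echo "OK    secret $s exists"
    else
      echo "FAIL  secret $s not found in $NS"; rc=1
    fi
  done
  # Step 2: the parent PackageInstall references the first overlay secret ...
  expect_eq "pkgi/tanzu-mission-control overlay" tmc-sm-contour-overlay \
    "$(pkgi_overlay tanzu-mission-control)" || rc=1
  # ... and that overlay annotates the contour PackageInstall with the second.
  expect_eq "pkgi/contour overlay" contour-svc-overlay \
    "$(pkgi_overlay contour)" || rc=1
  # Step 3: the rendered Service carries the new policy.
  expect_eq "svc/contour-envoy externalTrafficPolicy" Cluster \
    "$(kubectl -n "$NS" get svc contour-envoy \
        -o jsonpath='{.spec.externalTrafficPolicy}')" || rc=1
  return "$rc"
}

# Run the checks only when invoked as: sh <script> --run
if [ "${1:-}" = "--run" ]; then check_contour_overlay; fi
```

After the change to `Cluster`, traffic can be forwarded between nodes with source NAT, so Envoy may see node addresses instead of client addresses; review IP-based allowlists and access-log analysis that depend on the client IP.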