Supervisor Service installation fails with "Compatibility check timed out. Please try again."
search cancel

Supervisor Service installation fails with "Compatibility check timed out. Please try again."

book

Article ID: 414873

calendar_today

Updated On:

Products

VMware vSphere Kubernetes Service

Issue/Introduction

  • WCP logs on the vCenter server /var/log/vmware/wcp/wcpsvc.log : 

YYYY-MM-DD debug wcp [interop/interop.go:221] [opID=68d###c1] CheckSupervisorSvcCompatibility for running supervisor with desired Supervisor service &{secret-store.vsphere.vmware.com secret-store.vsphere.vmware.com 9.0.0+78f##4     0001-01-01 00:00:00 +0000 UTC  [] [] [] [] [] {       } false}
YYYY-MM-DD debug wcp [precheck/constraints.go:235] [opID=68d###c1] Running Supervisor version: 9.0.0.0100 is fully compatible with incoming Supervisor Service secret-store.vsphere.vmware.com in version 9.0.0+78f##4
YYYY-MM-DD debug wcp [appplatform/kube_supervisor_service_version_carvel.go:1416] [opID=68d###c1] isEnabled: true, disabledCaps: [], err: <nil>
YYYY-MM-DD debug wcp [capabilities/capabilities.go:193] [opID=68d###c1] Capability supports_secure_Supervisor_Service_platform for Supervisor 'domain-c#' is true
YYYY-MM-DD error wcp [precheck/constraints.go:324] [opID=68d###c1] failed to get ServiceSignatureVerification CR. Err: Unable to determine the signature verification result for Service Version 9.0.0+78f##4: multiple versions of signature verification results found.
YYYY-MM-DD error wcp [supervisor/precheck.go:107] [opID=68d###c1] Compatibility check failed for the service (secret-store.vsphere.vmware.com) version (9.0.0+78f##4): Unable to determine the signature verification result for Service Version 9.0.0+78f##4: multiple versions of signature verification results found.

  • Login to Supervisor namespace and review the servicesignatureverifications, 

kubectl get servicesignatureverifications.appplatform.wcp.vmware.com -A 

NAMESPACE                           NAME                                                         AGE
vmware-system-supervisor-services   argocd-service.1.#.1-2489##02-signature-verification-rf7h4   38d
vmware-system-supervisor-services   ca-clusterissuer.0.0.#-signature-verification-csf8f          13d
vmware-system-supervisor-services   cci-ns.9.#.1-signature-verification-s87cq                    38d
vmware-system-supervisor-services   harbor.2.##.1-signature-verification-p8b5v                   38d
vmware-system-supervisor-services   secret-store.9.0.0-signature-verification-ng8rk              4d19h
vmware-system-supervisor-services   secret-store.9.0.0-signature-verification-rbfmz              13d

The output above clearly indicates the presence of multiple ServiceSignatureVerification resources associated with the same secret-store.9.0.0 Supervisor Service. 

Environment

vCenter Server 9.0

Cause

ServiceSignatureVerifications in VKS are Kubernetes custom resources that verify the cryptographic signatures of Supervisor Services to ensure their authenticity and compatibility before deployment.

The compatibility check fails because there are multiple valid ServiceSignatureVerification resources for the same service, causing ambiguity in determining which verification to trust; this results in the check timing out and the installation failing.

Resolution

Issue is resolved in vCenter Server 9.0.1 release. 

Workaround: 

  1. Delete the older conflicting ServiceSignatureVerification record to resolve the ambiguity and allow the compatibility check to pass:
    • kubectl delete servicesignatureverifications.appplatform.wcp.vmware.com secret-store.9.0.0-signature-verification-rbfmz -n vmware-system-supervisor-services
      This removes duplicate verification entries, ensuring the system trusts a single source and enabling the Secret Store Supervisor service installation to complete successfully.
  2. Resume the installation process of the Secret Store Supervisor Service
Powered by Wolken Software