The svc-auto-attach.vksm.broadcom.com pkgi is failing with "unexpected status code 502 Bad Gateway" in VCF 9.0


Article ID: 422276


Products

VMware vSphere Kubernetes Service

Issue/Introduction

When creating the VKS-M Supervisor Auto-Attach Service (svc-auto-attach.vksm.broadcom.com), the install gets stuck, and the following error is shown both in the GUI and on the PackageInstall (pkgi) object on the Supervisor cluster. The proxy in front of the registry answers the vendir fetch of the bundle image with a 502 Bad Gateway:

 

  usefulErrorMessage: "vendir: Error: Syncing directory '0':\n  Syncing directory
    '.' with imgpkgBundle contents:\n    Fetching image:\n      Error while preparing
    a transport to talk with the registry:\n        Unable to create round tripper:\n
    \         GET https://mgmt-image-proxy.kube-system.svc.cluster.local/v2/: unexpected
    status code 502 Bad Gateway: <html>\r\n<head><title>502 Bad Gateway</title></head>\r\n<body>\r\n<center><h1>502
    Bad Gateway</h1></center>\r\n<hr><center>nginx/1.26.2</center>\r\n</body>\r\n</html>\r\n;
    Get \"http://mgmt-image-proxy.kube-system.svc.cluster.local/v2/\": dial tcp ***.***.***.***:80:
    connect: connection refused\n"

 

The kubectl-plugin-vsphere pod logs show the underlying nginx error: the proxy cannot verify the certificate presented by its upstream (the ***.***.***.***:443 endpoint) while establishing the TLS connection.

2025/12/09 22:43:00 [error] 7#0: *112064 upstream SSL certificate verify error: (21:unable to verify the first certificate) while SSL handshaking to upstream, client: ***.***.***.***, server: mgmt-image-proxy.kube-system.svc.cluster.local, request: "GET /v2/ HTTP/1.1", upstream: "https://***.***.***.***:443/v2/", host: "mgmt-image-proxy.kube-system.svc.cluster.local"

 

NOTE: If only the 502 Bad Gateway error is present, and the pod logs do not contain the "unable to verify the first certificate" error, the cause is a different one: follow the proxy configuration documentation below to make sure the proxy is configured correctly before applying the workaround in this article.
https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0/organization-management/managing-vks-clusters-with-vks-cluster-management/installation-and-enablement-of-vks-cluster-management/proxy-configuration.html

 

Environment

Affects VCF 9.0 and 9.0.1 releases.

Cause

The leaf certificate of the upstream endpoint is missing from the trusted_certificates data of the ConfigMap that the Supervisor service's proxy (mgmt-image-proxy) uses. With the leaf certificate absent, nginx cannot verify the upstream chain ("unable to verify the first certificate"), fails the TLS handshake to the upstream, and returns 502 Bad Gateway to the PackageInstall's image fetch.

Resolution

The issue will be fixed in the next major release of VCF-A.

 

To work around this issue, add the leaf certificate to the image-registry ConfigMap in the vmware-system-mgmt-proxy namespace, under data -> trusted_certificates. View the current contents of the ConfigMap with:

kubectl get cm -n vmware-system-mgmt-proxy image-registry -o yaml

 

To gather the leaf certificate, run the following against the upstream IP shown in the nginx error (the host in the "upstream:" field), and copy the first certificate block printed (chain position 0, the leaf):

openssl s_client -connect <Ip_from_error>:443 -showcerts

 

In rare cases where a certificate is malformed, the openssl command may not print the complete chain (for example, only the base and root CA certificates, without the leaf). In that case, obtain the chain from the VCFA endpoint with a Windows client, or from the VCFA certificate UI. Make sure that the ConfigMap ends up containing all three certificates (leaf, intermediate and root CA).
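The following script is an added example for the workaround above; it is not part of this article or of the VKS/VCF product code. It parses the output of openssl s_client -showcerts, identifies the leaf (the first certificate block, chain position 0), checks that the chain is complete, merges the chain into the existing trusted_certificates value without duplicating certificates that are already present, and prints the kubectl patch command for the image-registry ConfigMap. The sample s_client output, the hostnames in it and the PEM bodies are constructed placeholders (base64 of a label, not real X.509 certificates); the ConfigMap name and namespace are the ones from this article.

```python
import base64
import hashlib
import json
import re
import sys

# Matches one PEM certificate block. Non-greedy so that the depth/subject/issuer
# lines openssl prints between the blocks are skipped rather than swallowed.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def extract_chain(pem_text: str) -> list:
    """Return the PEM blocks in `pem_text` as normalised strings, in the order found.

    For `openssl s_client -showcerts` output the server sends its own (leaf)
    certificate first, so index 0 is the certificate this article says is missing.
    """
    chain = []
    for m in PEM_BLOCK.finditer(pem_text):
        body = "".join(m.group(1).split())  # drop the line wrapping inside the base64
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        chain.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----")
    return chain


def fingerprint(pem: str) -> str:
    """SHA-256 of the DER bytes, so the same certificate matches whatever its line wrapping."""
    der = base64.b64decode("".join(PEM_BLOCK.search(pem).group(1).split()))
    return hashlib.sha256(der).hexdigest()


def chain_is_complete(chain: list, expected: int = 3) -> bool:
    """The article expects leaf + intermediate + root; fewer means s_client did not return the full chain."""
    return len(chain) >= expected


def merge_trusted_certificates(existing: str, chain: list) -> tuple:
    """Append every certificate of `chain` that `existing` (the current
    data.trusted_certificates value) does not already hold.

    Returns (new trusted_certificates value, number of certificates added).
    Idempotent: a second run with the same chain adds nothing.
    """
    present = {fingerprint(c) for c in extract_chain(existing)}
    merged = existing.rstrip("\n")
    added = 0
    for pem in chain:
        fp = fingerprint(pem)
        if fp in present:
            continue
        merged = f"{merged}\n{pem}" if merged else pem
        present.add(fp)
        added += 1
    return merged + "\n", added


def kubectl_patch_args(new_value: str) -> list:
    """argv for `kubectl patch` (merge patch) that replaces data.trusted_certificates."""
    patch = json.dumps({"data": {"trusted_certificates": new_value}})
    return ["kubectl", "patch", "cm", "-n", "vmware-system-mgmt-proxy",
            "image-registry", "--type", "merge", "-p", patch]


def _fake_cert(label: str) -> str:
    """CONSTRUCTED placeholder: base64 of a label, not a real certificate."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


# Constructed stand-in for `openssl s_client -connect <Ip_from_error>:443 -showcerts`.
SAMPLE_S_CLIENT_OUTPUT = "\n".join([
    "CONNECTED(00000003)", "---", "Certificate chain",
    " 0 s:CN = vcfa.example.internal",  # assumed hostname
    "   i:CN = example-intermediate",
    _fake_cert("leaf certificate (constructed)"),
    " 1 s:CN = example-intermediate", "   i:CN = example-root",
    _fake_cert("intermediate CA (constructed)"),
    " 2 s:CN = example-root", "   i:CN = example-root",
    _fake_cert("root CA (constructed)"),
    "---", "Server certificate",
])

# Constructed ConfigMap value in the failing state: intermediate and root present, leaf missing.
EXISTING_TRUSTED = _fake_cert("intermediate CA (constructed)") + "\n" + _fake_cert("root CA (constructed)") + "\n"


if __name__ == "__main__":
    # Pipe real s_client output in; without a pipe the constructed sample is used.
    s_client_output = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_S_CLIENT_OUTPUT
    chain = extract_chain(s_client_output)
    if not chain_is_complete(chain):
        print(f"only {len(chain)} certificate(s) returned; fetch the chain from the VCFA UI instead")
    new_value, added = merge_trusted_certificates(EXISTING_TRUSTED, chain)
    print(f"{len(chain)} certificate(s) in chain, {added} added to trusted_certificates")
    print(" ".join(kubectl_patch_args(new_value)[:-1]), "'<merge patch JSON>'")
```

With real data, feed the live chain and the live ConfigMap value in (for example `openssl s_client -connect <Ip_from_error>:443 -showcerts </dev/null` piped to the script, and `EXISTING_TRUSTED` replaced by the current data.trusted_certificates from `kubectl get cm -n vmware-system-mgmt-proxy image-registry -o yaml`), then run the printed kubectl patch. After patching, the pkgi reconciles on its own; the nginx log should stop reporting "unable to verify the first certificate".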