Harbor Supervisor Service UI Unreachable ERR_CONNECTION_REFUSED

Article ID: 425673


Products

VMware vSphere Kubernetes Service
VMware NSX Advanced Load Balancer

Issue/Introduction

After you enable the Registry Service (Integrated Harbor) on the vSphere Supervisor, you encounter the following:

  • The Harbor UI is unreachable from the external network.
  • Attempts to connect result in ERR_CONNECTION_REFUSED or connection resets.
  • The Harbor and Contour pods are confirmed running, but the LoadBalancer service does not pass traffic.

Environment

vSphere Supervisor 8.x
NSX Advanced Load Balancer (AVI)
Integrated Harbor Registry Service

Cause

The issue occurs because the AVI Virtual Service (VS) associated with the Contour ingress controller is in a "Down" state.
This happens when health checks from the AVI Service Engines to the backend Supervisor nodes are blocked or failing, preventing the load balancer from forwarding traffic to the Envoy proxies.

Resolution

To resolve this issue, you must ensure network reachability for AVI health checks:

  1. Validate Service Status: Confirm that the Contour and Harbor pods are running in their respective namespaces: 

    kubectl get pod -A -o wide | grep -i contour 
    kubectl get pod -A -o wide | grep -i harbor

    Alternatively, confirm by running curl locally on a Supervisor control plane (CP) node:

    curl -v -k --resolve harbor-tkg.####.local:8443:[IP_ADDRESS] https://harbor-tkg.####.local:8443/

    The expected output is an HTML page:
    ....
    ....
    <!DOCTYPE html>
    <html>
        <head>
           
            <title>Harbor</title>
            <base href="/"/>
           
            <link rel="icon" type="image/x-icon" href="favicon.ico?v=2"/>
        <link rel="stylesheet" href="styles.ac415221c96d2bef.css"></head>
        <body>
            <harbor-app>
                <div class="spinner spinner-lg app-loading app-loading-fixed">
                    Loading...
                </div>
            </harbor-app>
        <script src="runtime.4eab865dc31b6057.js" type="module"></script><script src="polyfills.d87db3092ff69ed9.js" type="module"></script><script src="scripts.3846d86d42cdb753.js" defer></script><script src="main.809b8a57d8709ff8.js" type="module"></script></body>
    </html>

  2. Verify HTTPProxy Status: Ensure the Harbor HTTPProxy is valid: 

    kubectl get httpproxy -A

  3. Identify LoadBalancer IP: Identify the external IP assigned to the Envoy service: 

    kubectl get services -n svc-contour-domain-####

  4. Check AVI Virtual Service: Log in to the AVI (NSX Advanced Load Balancer) controller UI. Check the status of the Virtual Service corresponding to the Envoy service. If it is "Down" due to health check failure, proceed to step 5.

  5. Adjust Network Access Control: Work with your network team to allow traffic from the AVI Service Engine management/data interfaces to the Supervisor cluster nodes on the ports used for health checks (typically 80/443 or the specific NodePorts).

  6. Verify Connectivity: Once the health checks succeed and the AVI Virtual Service status changes to "UP," test access to the Harbor UI using your browser.
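
Steps 3 and 5 combined, as an added example that is not part of the original article: it reads the step 3 service listing and prints one allow-rule request per NodePort, so the firewall change in step 5 names exact ports instead of a broad range. It assumes the Service Engines health-check the NodePorts shown in the PORT(S) column; the function names, networks and sample listing are constructed.

```shell
#!/bin/sh
# Added example (not from the KB article). Sample data is constructed.

# Reads `kubectl get services -n <namespace>` table output on stdin and prints
# one line per LoadBalancer port mapping:
#   <service> <external-ip> <service-port> <node-port> <protocol>
lb_nodeports() {
  awk '
    NR == 1 { next }                    # skip the header row
    $2 != "LoadBalancer" { next }       # only services published through the load balancer
    $4 == "<pending>" {                 # no VIP allocated yet: a different failure than a "Down" VS
      print "warning: " $1 " has no external IP assigned" > "/dev/stderr"
    }
    {
      n = split($5, maps, ",")          # PORT(S), e.g. 80:30080/TCP,443:30443/TCP
      for (i = 1; i <= n; i++) {
        split(maps[i], pp, "/")         # pp[1] = 80:30080, pp[2] = TCP
        if (split(pp[1], p, ":") == 2)  # skip entries that have no NodePort
          print $1, $4, p[1], p[2], pp[2]
      }
    }'
}

# Turns the mappings into narrowly scoped allow-rule requests for step 5.
# $1 = AVI Service Engine source network, $2 = Supervisor node network
# (both are assumptions supplied by the operator).
firewall_request() {
  lb_nodeports | awk -v src="$1" -v dst="$2" '
    { printf "allow %s -> %s %s/%s  # health check for %s (VIP %s:%s)\n",
             src, dst, $4, tolower($5), $1, $2, $3 }'
}

# Constructed sample of the step 3 listing (documentation-range addresses).
SAMPLE='NAME      TYPE           CLUSTER-IP    EXTERNAL-IP   PORT(S)                      AGE
contour   ClusterIP      10.96.0.10    <none>        8001/TCP                     3d
envoy     LoadBalancer   10.96.0.20    192.0.2.10    80:30080/TCP,443:30443/TCP   3d'

printf '%s\n' "$SAMPLE" | firewall_request 198.51.100.0/24 203.0.113.0/24
```

With cluster access, pipe the real listing in: `kubectl get services -n svc-contour-domain-#### | firewall_request <SE network> <node network>`.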