After Harbor Supervisor service upgrade from version 2.11.2 to version 2.13.1 the Harbor FQDN is not anymore reachable with browser error "upstream connect error or disconnect/reset before headers. reset reason: connection timeout"
search cancel

After Harbor Supervisor service upgrade from version 2.11.2 to version 2.13.1 the Harbor FQDN is not anymore reachable with browser error "upstream connect error or disconnect/reset before headers. reset reason: connection timeout"

book

Article ID: 435121

calendar_today

Updated On:

Products

VMware vSphere Kubernetes Service

Issue/Introduction

After upgrading Habor Supervisor service from version 2.11.2 to version 2.13.1 Harbor FQDN is not anymore reachable

 

Browser error: "upstream connect error or disconnect/reset before headers. reset reason: connection timeout"

 

Ping to Harbor FQDN is working

nslookup of Harbor FQDN is showing the correct IP

 

curl -kv https://<harbor-fqdn>


* Host #######:443 was resolved.
* IPv6: (none)
* IPv4: #######
*   Trying #######:443...
* ALPN: curl offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=harbor
*  start date: Oct  1 09:39:14 2025 GMT
*  expire date: Sep 29 09:39:14 2035 GMT
*  issuer: CN=Harbor CA
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to #######  (#######) port 443
* using HTTP/1.x
> GET / HTTP/1.1
> Host: #######
> User-Agent: curl/8.12.0
> Accept: */*
>
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 503 Service Unavailable
< content-length: 91
< content-type: text/plain
< vary: Accept-Encoding
< date: Thu, 26 Mar 2026 10:09:49 GMT
< server: envoy
<
* Connection #0 to ####### left intact
upstream connect error or disconnect/reset before headers. reset reason: connection timeout

 

 

All Harbor pods are healthy

 

k get all -n svc-harbor-domain-######
NAME                                     READY   STATUS    RESTARTS   AGE
pod/harbor-core-#######         1/1      Running   0          6d17h
pod/harbor-database-0           1/1      Running   0          7d18h
pod/harbor-exporter-#######     1/1      Running   0          6d17h
pod/harbor-jobservice-#######   1/1      Running   0          6d17h
pod/harbor-portal-#######       1/1      Running   0          6d17h
pod/harbor-redis-0              1/1      Running   0          7d18h
pod/harbor-registry-#######     2/2      Running   0          6d17h
pod/harbor-trivy-0              1/1      Running   0          7d18h

 

Environment

VMware vCenter 8.0 U3

Cause

Starting from Harbor version 2.12.4 a new required parameter "createNetworkPolicy" was added

This parameter was not available in Harbor version 2.11.2 

 

Resolution

Reconfigure the Harbor Supervisor service in vCenter under "Workload Management" - "Services" - "Harbor" - "Manage Service" 

 

Add the following parameter  to the "YAML Service Config":

 

# This should always set to true for Supervisor service version 2.12.4 or higher

createNetworkPolicy: true

 

Note: This value is present in the default harbor-data-values-v2.13.1 yaml 

 

Additional Information

Harbor v2.13.1 Configuration
https://github.com/vsphere-tmm/Supervisor-Services/blob/main/harbor/README-v2.13.1.md  

Powered by Wolken Software