VCF Identity Broker proxy configuration script fails to connect to EntraID in VCF Operations 9.0.2

Article ID: 436607

Products

VCF Operations

Issue/Introduction

When running the configure-customer-proxy.py script to configure an external proxy on a VCF Identity Broker (VIDB) appliance in VCF 9.0.2, the following symptoms occur:

  • The script execution logs show: ✅ Proxy setup completed successfully !!
  • Despite the success message, external connectivity (e.g., to https://login.microsoft.com for EntraID) remains unavailable.
  • The /etc/squid/squid.conf file inside the proxy-service pod is not updated with the proxy server details under the # Anonymize the proxy server section.
  • The pod fails to pull the required image with the following error: Failed to pull image "registry.vmsp-platform.svc.cluster.local:5000/images/proxy-service:6.6.0-2".

Environment

VCF Operations 9.0.2

Cause

This issue is caused by a product defect in VCF 9.0.2 where the vmsp-hooks configuration incorrectly references an unavailable image version: proxy-service:6.6.0-2

Resolution

Engineering are aware of the issue and it will be resolved in an upcoming release.

Workaround

For environments running VCF 9.0.2, follow these manual steps to patch the image reference to version 6.6.0-3:

  1. SSH into the VIDB appliance as vmware-system-user.
  2. Switch to the root user:
    sudo su -
  3. Export the Kubernetes configuration:
    export KUBECONFIG=/etc/kubernetes/admin.conf
  4. Verify the correct image exists in the registry:
    a. Port forward the registry (local port 5005 to the registry's port 5000) and note the PID:
      kubectl port-forward svc/registry -n vmsp-platform 5005:5000 &
      PF_PID=$!
    b. List the tags for images/proxy-service to confirm 6.6.0-3 is present:
      curl -k https://localhost:5005/v2/images/proxy-service/tags/list | jq -r
    c. Stop the port forwarding:
      kill "$PF_PID"
  5. Disable drift detection to prevent the change from being overridden:
    kubectl annotate hookset proxyservice helm.toolkit.fluxcd.io/driftDetection=disabled -n vmsp-platform --overwrite
  6. Patch the new image version:
    kubectl patch hookset proxyservice -n vmsp-platform --type merge -p '{"spec":{"hooks":{"k8sJobs":{"config":{"image":"registry.vmsp-platform.svc.cluster.local:5000/images/proxy-service:6.6.0-3"}}}}}'
  7. Re-trigger the proxy configuration script.
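
Because the script reports success even when the proxy is not configured, it helps to check the state of the workaround before step 7. The following is an added example, not part of the original article or of any Broadcom tooling. It assumes the registry's tags/list response from step 4b and the output of kubectl get hookset proxyservice -n vmsp-platform -o json are supplied as text; the sample documents and function names are constructed for illustration.

```python
import json

REGISTRY = "registry.vmsp-platform.svc.cluster.local:5000"
REPO = "images/proxy-service"
DRIFT_KEY = "helm.toolkit.fluxcd.io/driftDetection"

def tag_available(tags_json, tag):
    """True if the registry tags/list response for REPO contains `tag`."""
    doc = json.loads(tags_json)
    # An empty repository reports "tags": null, so fall back to an empty list.
    return doc.get("name") == REPO and tag in (doc.get("tags") or [])

def hookset_findings(hookset_json, tags_json):
    """List what still blocks the workaround; an empty list means re-run the script."""
    hookset = json.loads(hookset_json)
    findings = []
    config = hookset.get("spec", {}).get("hooks", {}).get("k8sJobs", {}).get("config", {})
    image = config.get("image", "")
    prefix = f"{REGISTRY}/{REPO}:"
    if not image.startswith(prefix):
        findings.append(f"unexpected image reference: {image!r}")
    elif not tag_available(tags_json, image[len(prefix):]):
        findings.append(f"tag {image[len(prefix):]} is not in the registry")
    annotations = hookset.get("metadata", {}).get("annotations") or {}
    if annotations.get(DRIFT_KEY) != "disabled":
        findings.append("drift detection is not disabled; the patch can be overridden")
    return findings

# Constructed sample documents (not captured from a real appliance).
TAGS = json.dumps({"name": REPO, "tags": ["6.6.0-3"]})
BEFORE = json.dumps({
    "metadata": {"name": "proxyservice"},
    "spec": {"hooks": {"k8sJobs": {"config": {"image": f"{REGISTRY}/{REPO}:6.6.0-2"}}}},
})
AFTER = json.dumps({
    "metadata": {"name": "proxyservice", "annotations": {DRIFT_KEY: "disabled"}},
    "spec": {"hooks": {"k8sJobs": {"config": {"image": f"{REGISTRY}/{REPO}:6.6.0-3"}}}},
})

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, hookset_findings(doc, TAGS) or "ready to re-run the script")
```

The drift-detection finding also serves as a record that the hookset carries a manual override, which is worth tracking until the fixed release is installed.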