Troubleshoot Tanzu Developer Portal

This topic tells you how to troubleshoot issues encountered when installing Tanzu Developer Portal. The topic is divided into sections:

General issues

The following are general issues:

Tanzu Developer Portal reports that the port range is not valid

Symptom

You provided a full URL in a backend.reading.allow entry, as in this example tap-values.yaml snippet:

tap_gui:
  app_config:
    backend:
      reading:
        allow:
          - host: http://gitlab.example.com/some-group/some-repo/-/blob/main/catalog-info.yaml

and you see the following error message:

Backend failed to start up, Error: Port range is not valid: //gitlab.example.com/some-group/some-repo/-/blob/main/catalog-info.yaml

Cause

Tanzu Developer Portal expects a host name to be passed into the field backend.reading.allow[].host.

Solution

Edit your tap-values.yaml file as in the following example:

tap_gui:
  app_config:
    backend:
      reading:
        allow:
          - host: gitlab.example.com
            paths: ['/some-group/some-repo/']

Tanzu Developer Portal does not load the catalog

Symptom

You are able to visit Tanzu Developer Portal, but it does not load the catalog and you see the following error message.

> Error: Could not fetch catalog entities.
> TypeError: Failed to fetch

When viewing your network tab you see that your browser has not downloaded mixed content. This might look different on different browsers.

Chrome
In the Status column you see (blocked:mixed-content) Screenshot of the blocked content status in the Chrome web browser.
Firefox
In the Transferred column you see Mixed Block Screenshot of the blocked content status in the Firefox web browser.

Cause

As of Tanzu Application Platform v1.5, Tanzu Developer Portal provides TLS connections by default. Because of this, if you visit a Tanzu Developer Portal site your connection is automatically upgraded to https.

You might have manually set the fields app.baseUrl, backend.baseUrl, and backend.cors.origin in your tap-values.yaml file. Tanzu Developer Portal uses the baseUrl to determine how to create links to fetch from its APIs. The combination of these two factors causes your browser to attempt to fetch mixed content.

Solution

The solution is to delete these fields or update your values in tap-values.yaml to reflect that your Tanzu Developer Portal instance is serving https, as in the following example:

tap_gui:
  app_config:
    app:
      baseUrl: https://tap-gui.INGRESS-DOMAIN/
    backend:
      baseUrl: https://tap-gui.INGRESS-DOMAIN/
      cors:
        origin: https://tap-gui.INGRESS-DOMAIN/

Where INGRESS-DOMAIN is the ingress domain you have configured for Tanzu Application Platform.

The installer determines acceptable values based on your tap_gui.ingressDomain or shared.ingress_domain and the TLS status of the installation.

Updating a supply chain causes an error (Can not create edge…)

Symptom

Updating a supply chain causes an error (Can not create edge...) when an existing workload is clicked in the Workloads table and that supply chain is no longer present.

Solution

Recreate the same workload to execute through the new or updated supply chain.

Catalog not found

Symptom

When you pull up Tanzu Developer Portal, you get the error Catalog Not Found.

Cause

The catalog plug-in can’t read the Git location of your catalog definition files.

Solution

  1. Ensure you have built your own Backstage-compatible catalog or that you have downloaded one of the Tanzu Developer Portal catalogs from the Broadcom Support Portal.
  2. Ensure you defined the catalog in the values file that you input as part of installation. To update this location, change the definition file:

    • Change the Tanzu Application Platform profile file if installed by using a profile.
    • Change the standalone Tanzu Developer Portal values file if you’re only installing that package on its own.
        namespace: tap-gui
        service_type: SERVICE-TYPE
        app_config:
          catalog:
            locations:
              - type: url
                target: https://GIT-CATALOG-URL/catalog-info.yaml
    
  3. Provide the proper integration information for the Git location you specified earlier.

        namespace: tap-gui
        service_type: SERVICE-TYPE
        app_config:
          app:
            baseUrl: https://EXTERNAL-IP:PORT
          integrations:
            gitlab: # Other integrations available
              - host: GITLAB-HOST
                apiBaseUrl: https://GITLAB-URL/api/v4
                token: GITLAB-TOKEN
    

You can substitute for other integrations as defined in the Backstage documentation.

No configured authentication provider

Symptom

When you load Tanzu Developer Portal in a browser, the following message appears:

No configured authentication providers. Please configure at least one.

Cause

You have not configured any authentication providers and you have not allowed guest access.

Solution

Configure an authentication provider or allow guest access.

Issues updating the values file

Symptom

After updating the configuration of Tanzu Developer Portal, either by using a profile or as a standalone package installation, you don’t know whether the configuration has reloaded.

Solution

  1. Get the name you need by running:

    kubectl get pods -n tap-gui
    

    For example:

    $ kubectl get pods -n tap-gui
    NAME                      READY   STATUS    RESTARTS   AGE
    server-6b9ff657bd-hllq9   1/1     Running   0          13m
    
  2. Read the log of the pod to see if the configuration reloaded by running:

    kubectl logs NAME -n tap-gui
    

    Where NAME is the value you recorded earlier, such as server-6b9ff657bd-hllq9.

  3. Search for a line similar to this one:

    2021-10-29T15:08:49.725Z backstage info Reloaded config from app-config.yaml, app-config.yaml
    
  4. If need be, delete and re-instantiate the pod.

    Caution

    Depending on your database configuration, deleting, and re-instantiating the pod might cause the loss of user preferences and manually registered entities. If you have configured an external PostgreSQL database, tap-gui pods are not stateful. In most cases, state is held in ConfigMaps, Secrets, or the database. For more information, see Configuring the Tanzu Developer Portal database and Register components.

    To delete and re-instantiate the pod, run:

    kubectl delete pod -l app=backstage -n tap-gui
    

Pull logs from Tanzu Developer Portal

Symptom

You have a problem with Tanzu Developer Portal, such as Catalog: Not Found, and don’t have enough information to diagnose it.

Solution

Get timestamped logs from the running pod and review the logs:

  1. Pull the logs by using the pod label by running:

    kubectl logs -l app=backstage -n tap-gui
    
  2. Review the logs.

Ad-blocking software interference

Symptom

One or both of the following is true:

Cause

Your ad-blocking browser extension or standalone ad-blocking software is causing interference.

Solution

Add Tanzu Developer Portal to your ad-blocking allowlist. Alternatively, deactivate the ad-blocking software or turn off Pendo telemetry collection.

Runtime Resources tab issues

Here are some common troubleshooting steps for errors presented in the Runtime Resources tab.

Error communicating with Tanzu Application Platform web server

Symptom

When accessing the Runtime Resource Visibility tab, the system displays Error communicating with TAP GUI back end.

Causes

  • An interrupted Internet connection
  • Error with the back end service

Solution

  1. Confirm that you have Internet access.
  2. Confirm that the back-end service is running correctly.
  3. Confirm the cluster configuration is correct.

No data available

Symptom

When accessing the Runtime Resource Visibility tab, the system displays

One or more resources are missing. This could be due to a label mismatch. \
Please make sure your resources have the label(s) "LABEL_SELECTOR".

Cause

No communications error has occurred, but no resources were found.

Solution

Confirm that you are using the correct label:

  1. Verify the Component definition includes the annotation backstage.io/kubernetes-label-selector.

  2. Confirm your Kubernetes resources correspond to that label drop-down menu.

Errors retrieving resources

Symptom

When opening the Runtime Resource Visibility tab, the system displays One or more resources might be missing because of cluster query errors.

The reported errors might not indicate a real problem. A build cluster might not have runtime CRDs installed, such as Knative Service, and a run cluster might not have build CRDs installed, such as a Cartographer workload. In these cases, 403 and 404 errors might be false positives.

You might receive the following error messages because these resources might not be required for your specific Tanzu Application Platform profile. These error messages are known issues:

  • Access error when querying cluster CLUSTER_NAME for resource KUBERNETES_RESOURCE_PATH (status: 401). Contact your administrator.
  • Access error when querying cluster CLUSTER_NAME for resource KUBERNETES_RESOURCE_PATH (status: 403). Contact your administrator.
  • Knative is not installed on CLUSTER_NAME (status: 404). Contact your administrator.
  • Error when querying cluster CLUSTER_NAME for resource KUBERNETES_RESOURCE_PATH (status: 404). Contact your administrator.

Accelerators page issues

Here are some common troubleshooting steps for errors displayed on the Accelerators page.

No accelerators

Symptom

When the app_config.backend.reading.allow section is configured in the tap-values.yaml file during the tap-gui package installation, there are no accelerators on the Accelerators page.

Cause

This section in tap-values.yaml overrides the default configuration that gives Tanzu Developer Portal access to the accelerators.

Solution

As a workaround, provide a value for Application Accelerator in this section. For example:

app_config:
  # Existing tap-values yaml above
  backend:
    reading:
      allow:
      - host: acc-server.accelerator-system.svc.cluster.local

Supporting ImageVulnerabilityScan issues

The following troubleshooting issues concern ImageVulnerabilityScan.

No Vulnerability data

Symptom

SCST - Scan 2.0 is enabled and there is no vulnerability data on the Security Analysis and Supply Chain Choreographer dashboards.

Cause

Tanzu Developer Portal lacks the required access to detect the new ImageVulnerabilityScan custom resource.

Solution

As a workaround, you can apply a ytt overlay to add permissions to the Kubernetes role that is used to access the ImageVulnerabilityScan resource. For more information about how overlays work with Tanzu Application Platform, see Customize your package installation.

  1. Create a secret.yml file with a Secret that contains your ytt overlay. For example:

    kind: Secret
    metadata:
      name: add-tap-portal-ivs-permissions
      namespace: tap-install
      annotations:
        kapp.k14s.io/change-group: "tap-overlays"
    type: Opaque
    stringData:
      add-tap-portal-ivs-permissions.yaml: |
        #@ load("@ytt:overlay", "overlay")
        #@overlay/match by=overlay.subset({"metadata":{"name":"k8s-reader"}, "kind": "ClusterRole"})
        ---
        rules:
          #@overlay/append
            - apiGroups:
              - app-scanning.apps.tanzu.vmware.com
              resources:
              - imagevulnerabilityscans
              verbs:
              - get
              - watch
              - list
    
  2. Apply the Secret to your cluster by running:

    kubectl apply -f secret.yml
    
  3. Update your values file to include a package_overlays field:

    package_overlays:
    - name: tap-gui
    secrets:
    - name: add-tap-portal-ivs-permissions
    
  4. Update Tanzu Developer Portal with the new Tanzu Application Platform values by running:

    tanzu package installed update tap -p tap.tanzu.vmware.com -n tap-install --values-file tap-values.yaml
    

Scanner name not shown in Tanzu Developer Portal for SCST - Scan 2.0

Symptom

SCST - Scan 2.0 is enabled and the scanner name in the Security Analysis and Supply Chain Choreographer dashboards does not appear.

Cause

The ImageVulnerabilityScan custom resource lacks the required annotation for Tanzu Developer Portal to detect it.

Solution

Add the app-scanning.apps.tanzu.vmware.com/scanner-name annotation to ImageVulnerabilityScan:

apiVersion: app-scanning.apps.tanzu.vmware.com/v1alpha1
kind: ImageVulnerabilityScan
metadata:
  annotations:
    app-scanning.apps.tanzu.vmware.com/scanner-name: SCANNER-NAME

Where SCANNER-NAME is the name that is reported in Tanzu Developer Portal.

Security Analysis plug-in issues

These are troubleshooting issues for the Security Analysis plug-in.

Empty Impacted Workloads table

Symptom

The Impacted Workloads table is empty on the CVE and Package Details pages.

Cause

The relevant CVE belongs to a workload that has only completed one type of vulnerability scan (either image or source).

Solution

A fix is planned for Tanzu Developer Portal v1.5.1.

Supply Chain Choreographer plug-in issues

These are troubleshooting issues for the Supply Chain Choreographer plug-in.

An error occurred while loading data from the Metadata Store

Symptom

In the Supply Chain Choreographer plug-in, you see the error message An error occurred while loading data from the Metadata Store.

Screenshot of Tanzu Developer Portal displaying the error message about loading data from the metadata store.

Cause

There are multiple potential causes. The most common cause is tap-values.yaml missing the configuration that enables Tanzu Developer Portal to communicate with Supply Chain Security Tools - Store.

Solution

See Supply Chain Choreographer - Enable CVE scan results for the necessary configuration to add to tap-values.yaml. After adding the configuration, update your Tanzu Application Platform deployment or Tanzu Developer Portal deployment with the new values.

SBOMs do not download when automatically configuring Tanzu Developer Portal for SCST - Store

Symptom

The auto configuration between Tanzu Developer Portal and SCST - Store prevents the SBOM feature from working. The SBOM feature was introduced in Tanzu Application Platform v1.6.

Cause

Backstage expects allowedHeaders values for SCST - Store to reply with proper XML and JSON SBOM responses. The allowedHeaders values are missing.

Solution

Edit your tap-values.yaml file so that allowedHeaders and the accompanying values are included:

tap_gui:
  app_config:
    proxy:
      /metadata-store:
        target: https://metadata-store-app.metadata-store:8443/api/v1
        changeOrigin: true
        secure: false
        allowedHeaders: ['Accept', 'Report-Type-Format']
        headers:
          Authorization: "Bearer ACCESS-TOKEN"
          X-Custom-Source: project-star

Where ACCESS-TOKEN is the token you obtained after creating a read-write service account. For more information, see Manually connect Tanzu Developer Portal to Metadata Store.

Deliverables are not shown in the Supply Chain view of a workload

Symptom

When viewing the supply chain for a workload, the UI doesn’t show deliverables that are associated with the workload.

Causes

There are two likely causes:

  1. The deliverable does not have the same name as the workload.
  2. The logged-in user does not have access to the namespaces where the deliverables are deployed.

Solution

To resolve this issue:

  1. Ensure that when you apply a deliverable to the cluster, it has the same name as the workload that created it.

  2. Ensure that the logged-in user has the correct namespace or cluster scope permissions for the namespaces containing the deliverables. For limited scope users, verify that the user has selected the correct namespaces in the Workloads view of the Supply Chain UI.

check-circle-line exclamation-circle-line close-line
Scroll to top icon