Troubleshoot Tanzu Developer Portal

This topic tells you how to troubleshoot issues encountered when installing Tanzu Developer Portal. The topic is divided into sections:

General issues
Runtime Resources tab issues
Accelerators page issues
Supporting ImageVulnerabilityScan issues
Security Analysis plug-in issues
Supply Chain Choreographer plug-in issues
DORA plug-in issues

General issues

The following are general issues:

Tanzu Developer Portal reports that the port range is not valid

Symptom

You provided a full URL in a backend.reading.allow entry, as in this example tap-values.yaml snippet:

tap_gui:
  app_config:
    backend:
      reading:
        allow:
          - host: http://gitlab.example.com/some-group/some-repo/-/blob/main/catalog-info.yaml

and you see the following error message:

Backend failed to start up, Error: Port range is not valid: //gitlab.example.com/some-group/some-repo/-/blob/main/catalog-info.yaml

Cause

Tanzu Developer Portal expects a host name to be passed into the field backend.reading.allow[].host.

Solution

Edit your tap-values.yaml file as in the following example:

tap_gui:
  app_config:
    backend:
      reading:
        allow:
          - host: gitlab.example.com
            paths: ['/some-group/some-repo/']

Tanzu Developer Portal does not load the catalog

Symptom

You are able to visit Tanzu Developer Portal, but it does not load the catalog and you see the following error message.

> Error: Could not fetch catalog entities.
> TypeError: Failed to fetch

When viewing your network tab you see that your browser has not downloaded mixed content. This might look different on different browsers.

Chrome: In the Status column you see (blocked:mixed-content)
Firefox: In the Transferred column you see Mixed Block

Cause

As of Tanzu Application Platform v1.5, Tanzu Developer Portal provides TLS connections by default. Because of this, if you visit a Tanzu Developer Portal site your connection is automatically upgraded to https.

You might have manually set the fields app.baseUrl, backend.baseUrl, and backend.cors.origin in your tap-values.yaml file. Tanzu Developer Portal uses the baseUrl to determine how to create links to fetch from its APIs. The combination of these two factors causes your browser to attempt to fetch mixed content.

Solution

The solution is to delete these fields or update your values in tap-values.yaml to reflect that your Tanzu Developer Portal instance is serving https, as in the following example:

tap_gui:
  app_config:
    app:
      baseUrl: https://tap-gui.INGRESS-DOMAIN/
    backend:
      baseUrl: https://tap-gui.INGRESS-DOMAIN/
      cors:
        origin: https://tap-gui.INGRESS-DOMAIN/

Where INGRESS-DOMAIN is the ingress domain you have configured for Tanzu Application Platform.

The installer determines acceptable values based on your tap_gui.ingressDomain or shared.ingress_domain and the TLS status of the installation.

Updating a supply chain causes an error (Can not create edge…)

Symptom

Updating a supply chain causes an error (Can not create edge...) when an existing workload is clicked in the Workloads table and that supply chain is no longer present.

Solution

Recreate the same workload to execute through the new or updated supply chain.

Catalog not found

Symptom

When you pull up Tanzu Developer Portal, you get the error Catalog Not Found.

Cause

The catalog plug-in can’t read the Git location of your catalog definition files.

Solution

Ensure you have built your own Backstage-compatible catalog or that you have downloaded one of the Tanzu Developer Portal catalogs from the Broadcom Support Portal.
Ensure you defined the catalog in the values file that you input as part of installation. To update this location, change the definition file:
- Change the Tanzu Application Platform profile file if installed by using a profile.
- Change the standalone Tanzu Developer Portal values file if you’re only installing that package on its own.
```
    namespace: tap-gui
    service_type: SERVICE-TYPE
    app_config:
      catalog:
        locations:
          - type: url
            target: https://GIT-CATALOG-URL/catalog-info.yaml
```

Provide the proper integration information for the Git location you specified earlier.

    namespace: tap-gui
    service_type: SERVICE-TYPE
    app_config:
      app:
        baseUrl: https://EXTERNAL-IP:PORT
      integrations:
        gitlab: # Other integrations available
          - host: GITLAB-HOST
            apiBaseUrl: https://GITLAB-URL/api/v4
            token: GITLAB-TOKEN

You can substitute for other integrations as defined in the Backstage documentation.

No configured authentication provider

Symptom

When you load Tanzu Developer Portal in a browser, the following message appears:

No configured authentication providers. Please configure at least one.

Cause

You have not configured any authentication providers and you have not allowed guest access.

Solution

Configure an authentication provider or allow guest access.

Issues updating the values file

Symptom

After updating the configuration of Tanzu Developer Portal, either by using a profile or as a standalone package installation, you don’t know whether the configuration has reloaded.

Solution

Get the name you need by running:

kubectl get pods -n tap-gui

For example:

$ kubectl get pods -n tap-gui
NAME                      READY   STATUS    RESTARTS   AGE
server-6b9ff657bd-hllq9   1/1     Running   0          13m

Read the log of the pod to see if the configuration reloaded by running:
```
kubectl logs NAME -n tap-gui
```
Where NAME is the value you recorded earlier, such as server-6b9ff657bd-hllq9.

Search for a line similar to this one:

2021-10-29T15:08:49.725Z backstage info Reloaded config from app-config.yaml, app-config.yaml

If need be, delete and re-instantiate the pod.

Caution
Depending on your database configuration, deleting, and re-instantiating the pod might cause the loss of user preferences and manually registered entities. If you have configured an external PostgreSQL database, tap-gui pods are not stateful. In most cases, state is held in ConfigMaps, Secrets, or the database. For more information, see Configuring the Tanzu Developer Portal database and Register components.

To delete and re-instantiate the pod, run:
```
kubectl delete pod -l app=backstage -n tap-gui
```

Pull logs from Tanzu Developer Portal

Symptom

You have a problem with Tanzu Developer Portal, such as Catalog: Not Found, and don’t have enough information to diagnose it.

Solution

Get timestamped logs from the running pod and review the logs:

Pull the logs by using the pod label by running:
```
kubectl logs -l app=backstage -n tap-gui
```
Review the logs.

Ad-blocking software interference

Symptom

One or both of the following is true:

You cannot access some, or all, of Tanzu Developer Portal.
Telemetry collection within the VMware Customer Experience Improvement Program is failing.

Cause

Your ad-blocking browser extension or standalone ad-blocking software is causing interference.

Solution

Add Tanzu Developer Portal to your ad-blocking allowlist. Alternatively, deactivate the ad-blocking software or turn off Pendo telemetry collection.

Runtime Resources tab issues

Here are some common troubleshooting steps for errors presented in the Runtime Resources tab.

Error communicating with Tanzu Application Platform web server

Symptom

When accessing the Runtime Resource Visibility tab, the system displays Error communicating with TAP GUI back end.

Causes

An interrupted Internet connection
Error with the back end service

Solution

Confirm that you have Internet access.
Confirm that the back-end service is running correctly.
Confirm the cluster configuration is correct.

No data available

Symptom

When accessing the Runtime Resource Visibility tab, the system displays

One or more resources are missing. This could be due to a label mismatch. \
Please make sure your resources have the label(s) "LABEL_SELECTOR".

Cause

No communications error has occurred, but no resources were found.

Solution

Confirm that you are using the correct label:

Verify the Component definition includes the annotation backstage.io/kubernetes-label-selector.
Confirm your Kubernetes resources correspond to that label drop-down menu.

Errors retrieving resources

Symptom

When opening the Runtime Resource Visibility tab, the system displays One or more resources might be missing because of cluster query errors.

The reported errors might not indicate a real problem. A build cluster might not have runtime CRDs installed, such as Knative Service, and a run cluster might not have build CRDs installed, such as a Cartographer workload. In these cases, 403 and 404 errors might be false positives.

You might receive the following error messages because these resources might not be required for your specific Tanzu Application Platform profile. These error messages are known issues:

Access error when querying cluster CLUSTER_NAME for resource KUBERNETES_RESOURCE_PATH (status: 401). Contact your administrator.
Access error when querying cluster CLUSTER_NAME for resource KUBERNETES_RESOURCE_PATH (status: 403). Contact your administrator.
Knative is not installed on CLUSTER_NAME (status: 404). Contact your administrator.
Error when querying cluster CLUSTER_NAME for resource KUBERNETES_RESOURCE_PATH (status: 404). Contact your administrator.

Accelerators page issues

Here are some common troubleshooting steps for errors displayed on the Accelerators page.

No accelerators

Symptom

When the app_config.backend.reading.allow section is configured in the tap-values.yaml file during the tap-gui package installation, there are no accelerators on the Accelerators page.

Cause

This section in tap-values.yaml overrides the default configuration that gives Tanzu Developer Portal access to the accelerators.

Solution

As a workaround, provide a value for Application Accelerator in this section. For example:

app_config:
  # Existing tap-values yaml above
  backend:
    reading:
      allow:
      - host: acc-server.accelerator-system.svc.cluster.local

Supporting ImageVulnerabilityScan issues

The following troubleshooting issues concern ImageVulnerabilityScan.

No Vulnerability data

Symptom

SCST - Scan 2.0 is enabled and there is no vulnerability data on the Security Analysis and Supply Chain Choreographer dashboards.

Cause

Tanzu Developer Portal lacks the required access to detect the new ImageVulnerabilityScan custom resource.

Solution

As a workaround, you can apply a ytt overlay to add permissions to the Kubernetes role that is used to access the ImageVulnerabilityScan resource. For more information about how overlays work with Tanzu Application Platform, see Customize your package installation.

Create a secret.yml file with a Secret that contains your ytt overlay. For example:

kind: Secret
metadata:
  name: add-tap-portal-ivs-permissions
  namespace: tap-install
  annotations:
    kapp.k14s.io/change-group: "tap-overlays"
type: Opaque
stringData:
  add-tap-portal-ivs-permissions.yaml: |
    #@ load("@ytt:overlay", "overlay")
    #@overlay/match by=overlay.subset({"metadata":{"name":"k8s-reader"}, "kind": "ClusterRole"})
    ---
    rules:
      #@overlay/append
        - apiGroups:
          - app-scanning.apps.tanzu.vmware.com
          resources:
          - imagevulnerabilityscans
          verbs:
          - get
          - watch
          - list

Apply the Secret to your cluster by running:
```
kubectl apply -f secret.yml
```

Update your values file to include a package_overlays field:

package_overlays:
- name: tap-gui
secrets:
- name: add-tap-portal-ivs-permissions

Update Tanzu Developer Portal with the new Tanzu Application Platform values by running:

tanzu package installed update tap -p tap.tanzu.vmware.com -n tap-install --values-file tap-values.yaml

Scanner name not shown in Tanzu Developer Portal for SCST - Scan 2.0

Symptom

SCST - Scan 2.0 is enabled and the scanner name in the Security Analysis and Supply Chain Choreographer dashboards does not appear.

Cause

The ImageVulnerabilityScan custom resource lacks the required annotation for Tanzu Developer Portal to detect it.

Solution

Add the app-scanning.apps.tanzu.vmware.com/scanner-name annotation to ImageVulnerabilityScan:

apiVersion: app-scanning.apps.tanzu.vmware.com/v1alpha1
kind: ImageVulnerabilityScan
metadata:
  annotations:
    app-scanning.apps.tanzu.vmware.com/scanner-name: SCANNER-NAME

Where SCANNER-NAME is the name that is reported in Tanzu Developer Portal.

Security Analysis plug-in issues

These are troubleshooting issues for the Security Analysis plug-in.

Empty Impacted Workloads table

Symptom

The Impacted Workloads table is empty on the CVE and Package Details pages.

Cause

The relevant CVE belongs to a workload that has only completed one type of vulnerability scan (either image or source).

Solution

A fix is planned for Tanzu Developer Portal v1.5.1.

Supply Chain Choreographer plug-in issues

These are troubleshooting issues for the Supply Chain Choreographer plug-in.

An error occurred while loading data from the Metadata Store

Symptom

In the Supply Chain Choreographer plug-in, you see the error message An error occurred while loading data from the Metadata Store.

Cause

There are multiple potential causes. The most common cause is tap-values.yaml missing the configuration that enables Tanzu Developer Portal to communicate with Supply Chain Security Tools - Store.

Solution

See Supply Chain Choreographer - Enable CVE scan results for the necessary configuration to add to tap-values.yaml. After adding the configuration, update your Tanzu Application Platform deployment or Tanzu Developer Portal deployment with the new values.

SBOMs do not download when automatically configuring Tanzu Developer Portal for SCST - Store

Symptom

The auto configuration between Tanzu Developer Portal and SCST - Store prevents the SBOM feature from working. The SBOM feature was introduced in Tanzu Application Platform v1.6.

Cause

Backstage expects allowedHeaders values for SCST - Store to reply with proper XML and JSON SBOM responses. The allowedHeaders values are missing.

Solution

Edit your tap-values.yaml file so that allowedHeaders and the accompanying values are included:

tap_gui:
  app_config:
    proxy:
      /metadata-store:
        target: https://metadata-store-app.metadata-store:8443/api/v1
        changeOrigin: true
        secure: false
        allowedHeaders: ['Accept', 'Report-Type-Format']
        headers:
          Authorization: "Bearer ACCESS-TOKEN"
          X-Custom-Source: project-star

Where ACCESS-TOKEN is the token you obtained after creating a read-write service account. For more information, see Manually connect Tanzu Developer Portal to Metadata Store.

DORA plug-in issues

These are troubleshooting issues for the DORA plug-in.

DORA plug-in displays a Request failed with 401 error when clicking on the tab

Symptom

When you click the DORA tab in the software catalog the following error appears:

Request failed with 401 , {"error":{"name":"AuthenticationError","message":"No Backstage token"},\
"request":{"method":"POST","url":"/api/kubernetes/resources/custom/query"},"response":{"statusCode":401}}

Cause

The DORA plug-in expects at least one configured Backstage authentication provider. This feature does not work with Guest mode enabled.

Solution

Add an authentication provider to your Tanzu Developer Portal configuration and then re-apply tap-values.yaml. For how to configure an authentication provider, see Set up authentication for Tanzu Developer Portal.