This topic tells you how to troubleshoot issues encountered when installing Tanzu Developer Portal. The topic is divided into sections:
The following are general issues:
You provided a full URL in a backend.reading.allow
entry, as in this example tap-values.yaml
snippet:
tap_gui:
app_config:
backend:
reading:
allow:
- host: http://gitlab.example.com/some-group/some-repo/-/blob/main/catalog-info.yaml
and you see the following error message:
Backend failed to start up, Error: Port range is not valid: //gitlab.example.com/some-group/some-repo/-/blob/main/catalog-info.yaml
Tanzu Developer Portal expects a host name to be passed into the field backend.reading.allow[].host
.
Edit your tap-values.yaml
file as in the following example:
tap_gui:
app_config:
backend:
reading:
allow:
- host: gitlab.example.com
paths: ['/some-group/some-repo/']
You are able to visit Tanzu Developer Portal, but it does not load the catalog and you see the following error message.
> Error: Could not fetch catalog entities.
> TypeError: Failed to fetch
When viewing your network tab you see that your browser has not downloaded mixed content. This might look different on different browsers.
As of Tanzu Application Platform v1.5, Tanzu Developer Portal provides TLS connections by default. Because of this, if you visit a Tanzu Developer Portal site your connection is automatically upgraded to https.
You might have manually set the fields app.baseUrl
, backend.baseUrl
, and backend.cors.origin
in your tap-values.yaml
file. Tanzu Developer Portal uses the baseUrl
to determine how to create links to fetch from its APIs. The combination of these two factors causes your browser to attempt to fetch mixed content.
The solution is to delete these fields or update your values in tap-values.yaml
to reflect that your Tanzu Developer Portal instance is serving https, as in the following example:
tap_gui:
app_config:
app:
baseUrl: https://tap-gui.INGRESS-DOMAIN/
backend:
baseUrl: https://tap-gui.INGRESS-DOMAIN/
cors:
origin: https://tap-gui.INGRESS-DOMAIN/
Where INGRESS-DOMAIN
is the ingress domain you have configured for Tanzu Application Platform.
The installer determines acceptable values based on your tap_gui.ingressDomain
or shared.ingress_domain
and the TLS status of the installation.
Updating a supply chain causes an error (Can not create edge...
) when an existing workload is clicked in the Workloads table and that supply chain is no longer present.
Recreate the same workload to execute through the new or updated supply chain.
When you pull up Tanzu Developer Portal, you get the error Catalog Not Found
.
The catalog plug-in can’t read the Git location of your catalog definition files.
Ensure you defined the catalog in the values file that you input as part of installation. To update this location, change the definition file:
namespace: tap-gui
service_type: SERVICE-TYPE
app_config:
catalog:
locations:
- type: url
target: https://GIT-CATALOG-URL/catalog-info.yaml
Provide the proper integration information for the Git location you specified earlier.
namespace: tap-gui
service_type: SERVICE-TYPE
app_config:
app:
baseUrl: https://EXTERNAL-IP:PORT
integrations:
gitlab: # Other integrations available
- host: GITLAB-HOST
apiBaseUrl: https://GITLAB-URL/api/v4
token: GITLAB-TOKEN
You can substitute for other integrations as defined in the Backstage documentation.
When you load Tanzu Developer Portal in a browser, the following message appears:
No configured authentication providers. Please configure at least one.
You have not configured any authentication providers and you have not allowed guest access.
Configure an authentication provider or allow guest access.
After updating the configuration of Tanzu Developer Portal, either by using a profile or as a standalone package installation, you don’t know whether the configuration has reloaded.
Get the name you need by running:
kubectl get pods -n tap-gui
For example:
$ kubectl get pods -n tap-gui
NAME READY STATUS RESTARTS AGE
server-6b9ff657bd-hllq9 1/1 Running 0 13m
Read the log of the pod to see if the configuration reloaded by running:
kubectl logs NAME -n tap-gui
Where NAME
is the value you recorded earlier, such as server-6b9ff657bd-hllq9
.
Search for a line similar to this one:
2021-10-29T15:08:49.725Z backstage info Reloaded config from app-config.yaml, app-config.yaml
If need be, delete and re-instantiate the pod.
CautionDepending on your database configuration, deleting, and re-instantiating the pod might cause the loss of user preferences and manually registered entities. If you have configured an external PostgreSQL database,
tap-gui
pods are not stateful. In most cases, state is held in ConfigMaps, Secrets, or the database. For more information, see Configuring the Tanzu Developer Portal database and Register components.
To delete and re-instantiate the pod, run:
kubectl delete pod -l app=backstage -n tap-gui
You have a problem with Tanzu Developer Portal, such as Catalog: Not Found
, and don’t have enough information to diagnose it.
Get timestamped logs from the running pod and review the logs:
Pull the logs by using the pod label by running:
kubectl logs -l app=backstage -n tap-gui
Review the logs.
One or both of the following is true:
Your ad-blocking browser extension or standalone ad-blocking software is causing interference.
Add Tanzu Developer Portal to your ad-blocking allowlist. Alternatively, deactivate the ad-blocking software or turn off Pendo telemetry collection.
Here are some common troubleshooting steps for errors presented in the Runtime Resources tab.
When accessing the Runtime Resource Visibility tab, the system displays Error communicating with TAP GUI back end.
When accessing the Runtime Resource Visibility tab, the system displays
One or more resources are missing. This could be due to a label mismatch. \
Please make sure your resources have the label(s) "LABEL_SELECTOR".
No communications error has occurred, but no resources were found.
Confirm that you are using the correct label:
Verify the Component definition includes the annotation backstage.io/kubernetes-label-selector
.
Confirm your Kubernetes resources correspond to that label drop-down menu.
When opening the Runtime Resource Visibility tab, the system displays One or more resources might be missing because of cluster query errors.
The reported errors might not indicate a real problem. A build cluster might not have runtime CRDs installed, such as Knative Service, and a run cluster might not have build CRDs installed, such as a Cartographer workload. In these cases, 403 and 404 errors might be false positives.
You might receive the following error messages because these resources might not be required for your specific Tanzu Application Platform profile. These error messages are known issues:
Access error when querying cluster CLUSTER_NAME for resource KUBERNETES_RESOURCE_PATH (status: 401). Contact your administrator.
Access error when querying cluster CLUSTER_NAME for resource KUBERNETES_RESOURCE_PATH (status: 403). Contact your administrator.
Knative is not installed on CLUSTER_NAME (status: 404). Contact your administrator.
Error when querying cluster CLUSTER_NAME for resource KUBERNETES_RESOURCE_PATH (status: 404). Contact your administrator.
Here are some common troubleshooting steps for errors displayed on the Accelerators page.
When the app_config.backend.reading.allow
section is configured in the tap-values.yaml
file during the tap-gui
package installation, there are no accelerators on the Accelerators page.
This section in tap-values.yaml
overrides the default configuration that gives Tanzu Developer Portal access to the accelerators.
As a workaround, provide a value for Application Accelerator in this section. For example:
app_config:
# Existing tap-values yaml above
backend:
reading:
allow:
- host: acc-server.accelerator-system.svc.cluster.local
The following troubleshooting issues concern ImageVulnerabilityScan
.
SCST - Scan 2.0 is enabled and there is no vulnerability data on the Security Analysis and Supply Chain Choreographer dashboards.
Tanzu Developer Portal lacks the required access to detect the new ImageVulnerabilityScan
custom resource.
As a workaround, you can apply a ytt overlay to add permissions to the Kubernetes role that is used to access the ImageVulnerabilityScan
resource. For more information about how overlays work with Tanzu Application Platform, see Customize your package installation.
Create a secret.yml
file with a Secret
that contains your ytt overlay. For example:
kind: Secret
metadata:
name: add-tap-portal-ivs-permissions
namespace: tap-install
annotations:
kapp.k14s.io/change-group: "tap-overlays"
type: Opaque
stringData:
add-tap-portal-ivs-permissions.yaml: |
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.subset({"metadata":{"name":"k8s-reader"}, "kind": "ClusterRole"})
---
rules:
#@overlay/append
- apiGroups:
- app-scanning.apps.tanzu.vmware.com
resources:
- imagevulnerabilityscans
verbs:
- get
- watch
- list
Apply the Secret
to your cluster by running:
kubectl apply -f secret.yml
Update your values file to include a package_overlays
field:
package_overlays:
- name: tap-gui
secrets:
- name: add-tap-portal-ivs-permissions
Update Tanzu Developer Portal with the new Tanzu Application Platform values by running:
tanzu package installed update tap -p tap.tanzu.vmware.com -n tap-install --values-file tap-values.yaml
SCST - Scan 2.0 is enabled and the scanner name in the Security Analysis and Supply Chain Choreographer dashboards does not appear.
The ImageVulnerabilityScan
custom resource lacks the required annotation for Tanzu Developer Portal to detect it.
Add the app-scanning.apps.tanzu.vmware.com/scanner-name
annotation to ImageVulnerabilityScan
:
apiVersion: app-scanning.apps.tanzu.vmware.com/v1alpha1
kind: ImageVulnerabilityScan
metadata:
annotations:
app-scanning.apps.tanzu.vmware.com/scanner-name: SCANNER-NAME
Where SCANNER-NAME
is the name that is reported in Tanzu Developer Portal.
These are troubleshooting issues for the Security Analysis plug-in.
The Impacted Workloads table is empty on the CVE and Package Details pages.
The relevant CVE belongs to a workload that has only completed one type of vulnerability scan (either image or source).
A fix is planned for Tanzu Developer Portal v1.5.1.
These are troubleshooting issues for the Supply Chain Choreographer plug-in.
In the Supply Chain Choreographer plug-in, you see the error message An error occurred while loading data from the Metadata Store
.
There are multiple potential causes. The most common cause is tap-values.yaml
missing the configuration that enables Tanzu Developer Portal to communicate with Supply Chain Security Tools - Store.
See Supply Chain Choreographer - Enable CVE scan results for the necessary configuration to add to tap-values.yaml
. After adding the configuration, update your Tanzu Application Platform deployment or Tanzu Developer Portal deployment with the new values.
The auto configuration between Tanzu Developer Portal and SCST - Store prevents the SBOM feature from working. The SBOM feature was introduced in Tanzu Application Platform v1.6.
Backstage expects allowedHeaders
values for SCST - Store to reply with proper XML and JSON SBOM responses. The allowedHeaders
values are missing.
Edit your tap-values.yaml
file so that allowedHeaders
and the accompanying values are included:
tap_gui:
app_config:
proxy:
/metadata-store:
target: https://metadata-store-app.metadata-store:8443/api/v1
changeOrigin: true
secure: false
allowedHeaders: ['Accept', 'Report-Type-Format']
headers:
Authorization: "Bearer ACCESS-TOKEN"
X-Custom-Source: project-star
Where ACCESS-TOKEN
is the token you obtained after creating a read-write service account. For more information, see Manually connect Tanzu Developer Portal to Metadata Store.