google-anthos

Anthos on VMware deploy seesaw, health check in error 403 Forbidden


We are installing Anthos on the VMware platform and now have an error in the Admin Cluster deployment procedure for the Seesaw load balancer in HA.

The two Seesaw VMs were deployed successfully, but when checking the health check we get the following 403 error:

    ubuntu@anth-mgt-wksadmin:~$ gkectl create loadbalancer --config admin-cluster.yaml -v5
    Reading config with version "v1"
    - Validation Category: OS Images
    - [SUCCESS] Admin cluster OS images exist

    - Validation Category: Admin Cluster VCenter
    - [SUCCESS] Credentials
    - [SUCCESS] DRS enabled
    - [SUCCESS] Hosts for AntiAffinityGroups
    - [SUCCESS] vCenter Version
    - [SUCCESS] ESXi Version
    - [SUCCESS] Datacenter
    - [SUCCESS] Datastore
    - [SUCCESS] Resource pool
    - [SUCCESS] Folder
    - [SUCCESS] Network

    - Validation Category: Bundled LB
    - [FAILURE] Seesaw validation: admin cluster lb health check failed: LB "10.25.94.229" is not healthy: received 403 Forbidden

    - Validation Category: Network Configuration
    - [SUCCESS] CIDR, VIP and static IP (availability and overlapping)

    - Validation Category: GCP
    - [SUCCESS] GCP service
    - [SUCCESS] GCP service account

    Some validation results were FAILURE or UNKNOWN. Check report above.
    Preflight check failed with preflight check failed
    Exit with error:

Also, this simple test gives the same result:

    root@jump-mgm-wks:~# wget http://10.25.94.229
    --2021-07-27 13:56:04--  http://10.25.94.229/
    Connecting to 10.173.119.123:8080... connected.
    Proxy request sent, awaiting response... 403 Forbidden
    2021-07-27 13:56:04 ERROR 403: Forbidden.

We also get this error in the log:

    ubuntu@anth-mgt-bigip1:/var/log/seesaw$ cat  seesaw_ha.anth-mgt-bigip1.root.log.ERROR.20210727-123208.1738
    Log file created at: 2021/07/27 12:32:08
    Running on machine: anth-mgt-bigip1
    Binary: Built with gc go1.15.11 for linux/amd64
    Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
    E0727 12:32:08.331013    1738 main.go:86] config: Failed to retrieve Config: HAConfig: Dial failed: dial unix /var/run/seesaw/engine/engine.sock: connect: no such file or directory

Solution

  • Solved after the recreation of the admin workstation with the following parameter.

    gkectl delete loadbalancer --config admin-cluster.yaml --seesaw-group-file seesaw-for-gke-admin.yaml
    

    Now save the following files from the ubuntu home directory of the admin workstation to the jump-mgm-wks in /backup:

    admin-cluster.yaml
    admin-cluster-ipblock.yaml
    admin-seesaw-ipblock.yaml
    
    gkeadm delete admin-workstation
     
    gkeadm create admin-workstation --auto-create-service-accounts
    
    gkectl create loadbalancer --config admin-cluster.yaml