How to update contour service from LoadBalancer to NodePort when deployed via packages
There are scenarios where you need to bypass the load balancer and check whether other service types work in an environment. The steps in this post can be used to test that when using Contour as your ingress controller. Try these steps only when troubleshooting in a test environment or with a test workload or service. Changing the service type in a production environment directly affects routing to the workloads.
Before update
kubectl get svc -n tanzu-system-ingress
NAME      TYPE           CLUSTER-IP       EXTERNAL-IP     PORT(S)                      AGE
contour   ClusterIP      100.71.59.217    <none>          8001/TCP                     33h
envoy     LoadBalancer   100.67.156.232   10.225.52.180   80:30588/TCP,443:30379/TCP   33h
Get package version
tanzu package installed list -n tanzu-system-ingress
NAME      PACKAGE-NAME               PACKAGE-VERSION         STATUS
contour   contour.tanzu.vmware.com   1.18.2+vmware.1-tkg.1   Reconcile succeeded
Get deployed package values and make changes to the YAML file
kubectl get secrets -n tanzu-system-ingress contour-tanzu-system-ingress-values -o jsonpath="{.data.contour\.tanzu\.vmware\.com-data-values\.yaml}" | base64 -d > contour.tanzu.vmware.com-data-values.yaml
Service changed from LoadBalancer to NodePort
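The edit this step describes, as an added example that is not from the original page: a shell function that rewrites only envoy.service.type in the extracted values file and leaves every other type key alone. It assumes the values file nests the setting as envoy -> service -> type; the function names and the sample file contents are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Assumes the data-values file
# nests the setting as envoy -> service -> type.

# Constructed sample resembling a Contour data-values file (not real output).
write_sample_values() {
  cat > "$1" <<'EOF'
namespace: tanzu-system-ingress
contour:
  logLevel: info
envoy:
  service:
    type: LoadBalancer
    externalTrafficPolicy: Cluster
  hostPorts:
    enable: true
example_other:
  type: sample-unrelated-key
EOF
}

# set_envoy_service_type FILE TYPE: rewrite only envoy.service.type.
# Returns 2 for an unsupported type, 3 if the key was not found.
set_envoy_service_type() {
  file=$1; new_type=$2
  case "$new_type" in
    LoadBalancer|NodePort|ClusterIP) ;;
    *) echo "unsupported service type: $new_type" >&2; return 2 ;;
  esac
  tmp=$(mktemp) || return 1
  if awk -v t="$new_type" '
    /^ *(#|$)/ { print; next }                        # keep comments and blank lines
    { match($0, /[^ ]/); ind = RSTART - 1 }           # indentation of this line
    ind == 0 { in_envoy = ($0 ~ /^envoy:/); in_svc = 0; echild = 0 }
    in_envoy && ind > 0 && !echild { echild = ind }   # indent of direct children of envoy
    in_svc && ind <= svc_ind { in_svc = 0 }           # dedent: the service map has ended
    in_envoy && !in_svc && ind == echild && /^ +service: *$/ { in_svc = 1; svc_ind = ind; child = -1; print; next }
    in_svc && child < 0 { child = ind }               # indent of direct children of service
    in_svc && ind == child && /^ +type:/ { print substr($0, 1, ind) "type: " t; changed = 1; next }
    { print }
    END { exit(changed ? 0 : 3) }
  ' "$file" > "$tmp"; then
    cat "$tmp" > "$file"; rm -f "$tmp"                # keeps the mode of the original file
  else
    rc=$?; rm -f "$tmp"; return "$rc"
  fi
}

if [ "$#" -eq 2 ]; then set_envoy_service_type "$1" "$2"; fi   # usage: script FILE TYPE
```

Run against the file extracted in the previous step, for example with contour.tanzu.vmware.com-data-values.yaml and NodePort as the two arguments, then review the result before updating the package.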
Update package
# Use the values file written in the earlier step
tanzu package installed update contour \
  --version 1.18.2+vmware.1-tkg.1 \
  --values-file contour.tanzu.vmware.com-data-values.yaml \
  --namespace tanzu-system-ingress
Force package reconciliation
Package reconciliation can take some time. Instead of waiting for reconciliation to kick in, you can force it by pausing and then unpausing the package install:
# Pause
kubectl patch pkgi -n tanzu-system-ingress contour -p '{"spec":{"paused":true}}' --type=merge
# Unpause
kubectl patch pkgi -n tanzu-system-ingress contour -p '{"spec":{"paused":false}}' --type=merge
Service post-deployment
kubectl get svc -n tanzu-system-ingress
NAME      TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
contour   ClusterIP   100.71.59.217    <none>        8001/TCP                     33h
envoy     NodePort    100.67.156.232   <none>        80:30588/TCP,443:30379/TCP   33h
Updating HTTPProxy objects
Once the envoy service type is updated, the HTTPProxy objects created initially will still point to the load balancer IP. For an HTTPProxy object to be updated with the correct settings, delete it; when it is managed by a package, it will be recreated on reconciliation. Below is an example of what an updated HTTPProxy for Harbor looks like. Notice that the loadBalancer: {} section does not have the LB IP anymore.
kubectl get httpproxy -n tanzu-system-registry harbor-httpproxy -o yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  annotations:
    kapp.k14s.io/identity: v1;tanzu-system-registry/projectcontour.io/HTTPProxy/harbor-httpproxy;projectcontour.io/v1
  creationTimestamp: "2022-08-17T18:44:40Z"
  generation: 1
  labels:
    app: harbor
    kapp.k14s.io/app: "1660759412416984475"
    kapp.k14s.io/association: v1.755bbe7e9347230f5ca6d6a637c88392
  name: harbor-httpproxy
  namespace: tanzu-system-registry
  resourceVersion: "39394"
  uid: 3ad7128d-05fc-48c3-935c-742f986d686d
spec:
  routes:
  - conditions:
    - prefix: /
    services:
    - name: harbor-portal
      port: 443
<-----------TRUNCATED-------->
  virtualhost:
    fqdn: harbor.com
    tls:
      secretName: harbor-tls
status:
  conditions:
  - lastTransitionTime: "2022-08-17T18:44:40Z"
    message: Valid HTTPProxy
    observedGeneration: 1
    reason: Valid
    status: "True"
    type: Valid
  currentStatus: valid
  description: Valid HTTPProxy
  loadBalancer: {}