Troubleshooting Microgateway CNI Helm test

As of Airlock Microgateway 4.2, Airlock Microgateway CNI is installed via Helm. To verify whether the installation was successful, a helm test is integrated into the Airlock Microgateway installation procedure (see also Airlock Microgateway CNI installation). This article explains what to do when this helm test fails.

The helm test checks whether the previously installed Airlock Microgateway CNI plugin is up and running as expected.
On successful, the message Success is displayed at the bottom of the test log. On failure, the log will contain a failure message.

  • Possible failure messages:
  • CNI DaemonSet rollout did not complete within timeout
  • CNI binary was not installed
  • CNI kubeconfig was not created
  • Configuration for plugin airlock-microgateway-cni.<fullname> was not found

Troubleshooting

General measures

To gain insight into the cause of the failing helm test, perform the following checks:

  1. Check the status of the Microgateway CNI DaemonSet to find out whether it is running as expected.
  2. copy
    kubectl describe daemonset -n kube-system airlock-microgateway-cni 
  3. Check the status of the Microgateway CNI plugin Pod.
  4. copy
    kubectl describe pod -n kube-system airlock-microgateway-cni-<suffix> 
  5. Additionally, check the log messages of the Microgateway CNI plugin Pod.
  6. copy
    kubectl logs -n kube-system airlock-microgateway-cni-<suffix>

Further steps, based on the information gathered from the checks

  1. If the cause of the failing helm test seems to lie in your system resources, capacities, and/or permissions, adapt your system such that it meets the requirements.
    For more information, go to Requirements and limitations and Basic requirements.
  2. One specific reason for the helm test to fail could be concurrent CNI plugins of other products that run in your environment. These plugins may interfere with the Airlock Microgateway CNI plugin and overwrite its values/settings. Ensure that the installation meets the basic requirements.
  3. If the cause of the failing helm test seems to lie in configuration issues, check the Helm chart values for Airlock Microgateway CNI. Check that your setup resembles the Helm chart values. If this is not the case, adjust either your setup or the Helm chart values. Some typical error cases are described below.
    • The folder structure may not match the defaults for the storage of the CNI plugin binaries and the config files (Helm chart values config.cniBinDir and config.cniNetDir, respectively). If required, either adapt the defaults or the folder structure.
    • The repository from which to pull the Airlock Microgateway CNI image may not have been set correctly. The corresponding value in the Helm chart is image.repository.
      Alternatively, you may have used a custom image registry, for which you must copy the Microgateway CNI image and adjust the corresponding default Helm chart values. Check the correctness of your settings as this (manual) process can easily lead to errors or typos. For more information, go to Using a custom image registry.
    • It is possible to deploy the Microgateway CNI plugin on dedicated nodes in your Kubernetes cluster, by specifying the values nodeSelector and/or node affinity in the Helm chart. By default, these values are not set. If you did specify the values, check for correctness.
    • To use Airlock Microgateway in an OpenShift cluster or via the Google Kubernetes Engine (GKE) service, some default values in the Helm chart must be adapted. For this, Airlock Microgateway provides specific preset value files (openshift-values.yaml and gke-values.yaml, respectively).
      Check for the correct preset value file for your cluster type. Note that the setup may require the preset values to be adapted to meet your demands.
      • Links to the preset value files:
      • https://github.com/airlock/microgateway/blob/4.3.0/deploy/charts/airlock-microgateway-cni/openshift-values.yaml
      • https://github.com/airlock/microgateway/blob/4.3.0/deploy/charts/airlock-microgateway-cni/gke-values.yaml

    For more information on network routing issues, go to Troubleshooting for network routing issues in the application pod.

Further information and links