A user is unable to onboard a NativeEdge Gateway Asset (either the 3200 or 5200 model). This issue only applies to systems which arrive with Factory Operating System 1.0.
NativeEdge Gateway Assets may ship with Factory Operating System (FOS) 1.0. Onboarding to Dell Automation Platform 1.0 and later requires a Server Name Indication (SNI) header to be sent when attempting to onboard. FOS 1.0 does not have a SNI header in the request. With the SNI present, the client request is received by the HAProxy frontend, the SNI is successfully matched, and the traffic is routed to the appropriate backend. Without SNI, the HAProxy frontend cannot perform SNI matching, so the request is routed to the default SSL backend, which results in a 400 Bad Request response.
There are two methods to work around the issue.

Workaround 1:
This method requires the user to generate a USB factory reset image per asset and factory reset the asset. Doing this updates the FOS to a newer version and avoids having to change the HAProxy configuration. Please note this must be done PER device. This workaround has been validated on both the Kubernetes Installation of DAP.

Workaround 2:
This workaround requires the standard HAProxy setup and requires the Dell Automation Platform Portal (DAPP)/Orchestrator (DAPO) installation to be completed first. It is applied at the orchestrator level and does not require a USB reset per device. This workaround has been validated on the Kubernetes installation of DAP.

The steps below redeploy HAProxy with a workaround that redirects requests with an empty SNI header to the default backend, which is our orchestrator.

1. Back up your DAPP/DAPO virtual machine.

2. Determine your version of HAProxy:

    helm list -A

3. Determine the namespace in which DAPO is installed:

    kubectl get ns -A

   Common results here are hzp or dapo.

4. Uninstall the original HAProxy installation:

    helm uninstall haproxy -n haproxy

5. Create a config map that holds the custom frontend HAProxy configuration that overrides the default, depending on the version found in step 2. In this custom configuration, we set the default_backend to either

    <dapo_namespace>_svc_<nginx_service_name>_nginx-443-443
      e.g. hzp_svc_nginx-gw_nginx-443-443 (HAProxy ingress controller v3.1.11 and above.)
      e.g. dapo_svc_nginx-gw_nginx-443-443 (HAProxy ingress controller v3.1.10 and above.) (DAPO version 2.0 onwards)

   or

    <dapo_namespace>_<nginx_service_name>_nginx-443-443
      e.g. hzp_nginx-gw_nginx-443-443 (HAProxy ingress controller v3.1.10 and below.)
      e.g. dapo_nginx-gw_nginx-443-443 (HAProxy ingress controller v3.1.10 and below.) (DAPO version 2.0 onwards)

6. Create the config file. DAPO 1.0, 1.1, 1.2 example:

    # create a config file
    cat > haproxy-auxiliary.cfg <<EOF
    frontend gw-ssl
      mode tcp
      bind 0.0.0.0:8443 name v4
      bind [::]:8443 name v6 v4v6
      log-format '%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs SNI: %[var(sess.sni)]'
      tcp-request content reject if !{ req_ssl_hello_type 1 }
      tcp-request inspect-delay 5000
      tcp-request content set-var(sess.sni) req_ssl_sni
      tcp-request content set-var(txn.sni_match) req_ssl_sni,map(/etc/haproxy/maps/sni.map)
      tcp-request content set-var(txn.sni_match) req_ssl_sni,regsub(^[^.]*,,),map(/etc/haproxy/maps/sni.map)
      use_backend %[var(txn.sni_match),field(1,.)]
      default_backend hzp_nginx-gw_nginx-443-443
    EOF

7. Create a config map that uses the haproxy-auxiliary.cfg created in the previous step:

    kubectl create configmap haproxy-auxiliary-configmap -n haproxy --from-file=haproxy-auxiliary.cfg

8. Set up HAProxy with extraArgs, the additional volume mount config, and the postStart hook in the YAML file:

    helm install haproxy haproxytech/kubernetes-ingress --namespace haproxy --create-namespace -f haproxy-values.yaml

   Create a haproxy-values.yaml:

    cat <<EOF > haproxy-values.yaml
    controller:
      image:
        pullPolicy: Always
      imagePullSecrets:
        - name: docker-secret
      service:
        type: LoadBalancer
        externalTrafficPolicy: Local
      config:
        ssl-passthrough: "true"
      hostNetwork: true
      kind: DaemonSet
      defaultTLSSecret:
        enabled: false
      extraArgs:
        - --https-bind-port=8081
      extraVolumes:
        - name: haproxy-auxiliary-volume
          configMap:
            name: haproxy-auxiliary-configmap
      extraVolumeMounts:
        - name: haproxy-auxiliary-volume
          mountPath: /etc/haproxy/haproxyauxcfg
          subPath: haproxy-auxiliary.cfg
      lifecycle:
        postStart:
          exec:
            command:
              - /bin/sh
              - -c
              - |
                while ! [ -f /etc/haproxy/maps/sni.map ]; do
                  sleep 10
                done
                ln -sf /etc/haproxy/haproxyauxcfg /etc/haproxy/haproxy-aux.cfg
    EOF

   Note: In this workaround, we are installing with the extra arg for HTTPS port 8081. This makes the default HAProxy SSL frontend use 8081 instead of the default 8443, since 8443 is our custom frontend now. Port 8443 is the port being port-forwarded to 443, which handles all HTTPS requests to the server.

9. Once the pod comes up, validate you can log in as normal.

10. Retry the onboarding of the NativeEdge Gateway.
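The routing decision made by the gw-ssl frontend above, as an added example that is not part of the original article or Dell's code: it parses a TLS ClientHello for the SNI extension and picks a backend. The map entries, host names and the lookup order (exact name, then the name with its first label removed, then default_backend) are a simplified, assumed model of the configuration; the ClientHello bytes are constructed test input.

```python
import re
import struct

# Constructed stand-in for /etc/haproxy/maps/sni.map; host and backend names are hypothetical.
SNI_MAP = {"portal.example.test": "hzp_portal_svc-443",
           ".apps.example.test": "hzp_apps_svc-443"}
DEFAULT_BACKEND = "hzp_nginx-gw_nginx-443-443"   # default_backend from the page's example

def build_client_hello(sni=None):
    """Build a minimal TLS ClientHello record (constructed test input)."""
    ext = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        body = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(body)) + body            # extension type 0 = SNI
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the SNI host name, "" when absent, None when not a ClientHello."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 5 + 4 + 2 + 32                                # headers, version, random
        p += 1 + record[p]                                # session id
        p += 2 + struct.unpack_from("!H", record, p)[0]   # cipher suites
        p += 1 + record[p]                                # compression methods
        if p + 2 > len(record):
            return ""                                     # no extensions block at all
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", record, p)
            if etype == 0:
                nlen = struct.unpack_from("!H", record, p + 7)[0]
                return record[p + 9:p + 9 + nlen].decode()
            p += 4 + elen
        return ""
    except (IndexError, struct.error, ValueError):
        return None                                       # truncated or malformed

def route(record):
    """Simplified model: exact name, then name minus first label, then default."""
    sni = extract_sni(record)
    if sni is None:
        return "reject"       # mirrors: reject if !{ req_ssl_hello_type 1 }
    match = SNI_MAP.get(sni) or SNI_MAP.get(re.sub(r"^[^.]*", "", sni))
    return match.split(".")[0] if match else DEFAULT_BACKEND   # field(1,.) then fallback
```

A ClientHello built with sni=None models the FOS 1.0 request: it carries no SNI, matches nothing in the map, and lands on DEFAULT_BACKEND, which is why the workaround points default_backend at the orchestrator's nginx service.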