tanzu-cli 1.4.1 on Linux context create hangs on kubernetes-release

[dsputnikk]

Bug description
I am essentially here: https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-with-tanzu-tkg/GUID-E5A804FA-BB03-436F-BF01-14CBF13DBB9D.html . Attemping to create a context against my Tanzu environment.

This works on Windows with tanzu-cli 1.4.1 down to generating me my kubeconfig. The same exact process, same endpoints, hangs on linux.

There is a load of CPU activity from the kswap0 process during this hang. My only way to exit is to eventually ctrl c out of it as the system becomes quite unresponsive.

Expected behavior
Plugins are installed and drops back out to shell, ready to move on to listing/connecting to a tanzu namespace.

Steps to reproduce the bug / Relevant debug output

dnf install tanzu-cli
tanzu plugin install --group vmware-tkg/default (installs pinniped auth)
tanzu context create MyContext --endpoint https://10.80.1.2


[hang on Linux Alma 9] @ - Installing plugin 'kubernetes-release:v0.29.0' with target 'kubernetes'

…
[or succeeds in Win 11]

Output of tanzu version

version: v1.4.1
buildDate: 2024-08-14
sha: bbde4b21
arch: amd64

on both OS'es

Environment where the bug was observed (cloud, OS, etc)
Win11 or Alma 9.1

[dsputnikk]

I attempted to add 8GB of memory and rerun. It's almost as if there is a memory leak somewhere.

I am watching "free -h" during this step and in a matter of 20 seconds it eats up all available memory when hitting this step.

I have tried removing all tanzu related folders, and the effect is the same

rm -rf ~/.config/tanzu* ~/.cache/tanzu* ~/.local/share/tanzu*

[dsputnikk]

To add to my confusion, I tried upgrading Alma and Tanzu-CLI to latest 1.5 from the new repo.

Using the same context command I now get a hard error:

bash# tanzu context create mytanzu --endpoint https://10.80.1.2 --insecure-skip-tls-verify
[x] : error while validating the Context object: context name cannot be empty

Same result in interactive:

tanzu context create
? Select context creation type Kubernetes (Cluster Endpoint)
? Enter control plane endpoint https://10.80.1.2
? Give the context a name mytanzu
[x] : error while validating the Context object: context name cannot be empty

Update Edit:

I have now tried this on a fresh WSL Ubuntu instance with latest kubectl and both Tanzu 1.5 and 1.4.1. The outputs remain the same, 1.4.1 hangs and chews up memory. 1.5 errors out.

I am very confused :(

[dsputnikk]

Furthermore, on windows if I upgrade tanzu-cli to v1.5.1 I get this when creating the same exact context (which works on windows v1.4.1):

E:\>tanzu context create MyContext --endpoint https://10.80.1.2
[x] : error while validating the Context object: context name cannot be empty

E:\Program Files\Microsoft Visual Studio\2022\Enterprise>tanzu version
version: v1.5.1
buildDate: 2024-10-10
sha: db29379
arch: amd64

[dsputnikk]

I have tried following the air-gapped instructions, and the result is the same.

[dsputnikk]

More anallysis

vcenter version including build: VMware® vSphere® vSphere Client version 8.0.2.00000 Build 22617221
Supervisor version: v1.26.4+vmware.wcp.1-vsc0.1.6-22282210

### On Windows Tanzu-CLI v1.4.1 - MOSTLY success

E:\>tanzu version

version: v1.4.1
buildDate: 2024-08-14
sha: bbde4b21
arch: amd64

tanzu plugin install --group vmware-tkg/default:v2.2.0

tanzu context create WSOne4Tanzu --endpoint https://10.80.1.2

[ok] successfully created a kubernetes context using the kubeconfig C:\Users\MyUser\.kube\config
[i] Fetching recommended plugins for active context 'WSOne4Tanzu'...
[i] Installing the following plugins recommended by context 'WSOne4Tanzu':
  NAME        TARGET      INSTALLING
  namespaces  kubernetes  v1.0.0
[i] Installed plugin 'namespaces:v1.0.0' with target 'kubernetes'
[ok] Successfully installed all recommended plugins.

E:\>tanzu namespaces get   I NOTE THIS DID NOT RETURN ANYTHING
You have access to the following namespaces:

E:\>tanzu cluster list --namespace tanzu-cluster MY EXPECTED TKC CLUSTER FETCHED SUCCESSFULLY USING IDP AS LOGON METHOD
Some initialization of the CLI is required.
Let's set things up for you.  This will just take a few seconds.

Refreshing the 12 installed plugins...

Initialization done!
==
  NAME          NAMESPACE       STATUS   CONTROLPLANE  WORKERS  KUBERNETES               ROLES   PLAN  TKR
  tkg-cluster  tanzu-cluster  running  3/3           1/1      v1.26.5+vmware.2-fips.1  <none>        v1.26.5---vmware.2-fips.1-tkg.1

### On Windows Tanzu-CLIv1.5.1 - FAIL

E:\>tanzu version

version: v1.5.1
buildDate: 2024-10-10
sha: db29379
arch: amd64

E:\>tanzu context create WSOne4Tanzu --endpoint https://10.80.1.2
[x] : error while validating the Context object: context name cannot be empty

### On Linux Tanzu-CLI v1.4.1 - FAIL

┌─[remote@tanzuwork] - [~] - [Tue Oct 15, 20:48]
└─[$] <> tanzu version                                                                                                                                                              
version: v1.4.1
buildDate: 2024-08-14
sha: bbde4b21
arch: amd64
┌─[remote@tanzuwork] - [~] - [Tue Oct 15, 20:48]
└─[$] <> tanzu context create mytanzu --endpoint https://10.80.1.2                                                                                                       
Some initialization of the CLI is required.
Let's set things up for you.  This will just take a few seconds.

Refreshing the 7 installed plugins...

Initialization done!
==
[i] Detected a vSphere Supervisor being used
Error: unknown flag: --concierge-is-cluster-scoped
[x] : failed to create context "mytanzu" for a kubernetes cluster, Failed to invoke API on cluster : Get "https://10.80.1.2:6443/version?timeout=1m0s": getting credentials: exec: executable tanzu failed with exit code 1

### On Linux Tanzu-CLI v1.4.1 without using group install first - FAIL

└─[$] <> tanzu context create mytanzu --endpoint https://10.80.1.2        
[x] : the 'pinniped-auth' plugin is not installed. This plugin is required to authenticate with TKG/vSphere with Kubernetes(TKGs), please install the plugin and retry
└─[$] <> tanzu plugin install pinniped-auth                                                     
[i] The tanzu cli essential plugins have not been installed and are being installed now. The install may take a few seconds.
[i] Installing plugins from plugin group 'vmware-tanzucli/essentials:v1.0.0'
[i] Installed plugin 'telemetry:v1.1.0' with target 'global'
[i] Installed plugin 'pinniped-auth:v3.2.0' with target 'global'
[ok] successfully installed 'pinniped-auth' plugin

└─[$] <> tanzu context create mytanzu --endpoint https://10.80.1.2              
E1015 20:56:53.415029   17897 login.go:578]  "msg"="could not open browser" "error"="exec: \"xdg-open,x-www-browser,www-browser\": executable file not found in $PATH"  
Log in by visiting this link:

    https://10.8.1.2/wcp/pinniped/oauth2/authorize?access_type=offline&client_id=pinniped-cli&code_challenge=P1QiYwVNXpIxOBFUgVN8qhRnFi3_KNDYjjf8VZOs4&code_challenge_method=S256&nonce=c64568fOBFUe798caad&redirect_uri=http%3A%2F%2F127.0.0.1%3A37425%2Fcallback&response_mode=form_post&response_type=code&scope=groups+offline_access+openid+pinniped%3Arequest-audience+username&state=3effb26008eeOBFU064349c5bc4

    Optionally, paste your authorization code: [...]

I click on the link at this point

[ok] successfully created a kubernetes context using the kubeconfig /home/remote/.kube/tanzusuper
[i] Fetching recommended plugins for active context 'mytanzu'...
[i] Installing the following plugins recommended by context 'mytanzu':
  NAME                TARGET      INSTALLING  
  cluster             kubernetes  v0.29.0    
  feature             kubernetes  v0.29.0    
  kubernetes-release  kubernetes  v0.29      
  namespaces          kubernetes  v1.0.0      
[i] Installed plugin 'cluster:v0.29.0' with target 'kubernetes'
[i] Installed plugin 'feature:v0.29.0' with target 'kubernetes'
- Installing plugin 'kubernetes-release:v0.29.0' with target 'kubernetes'  <-------------------- AND THEN IT HANGS HERE, CHEWING AWAY 10+ gigs of available RAM until the machine becomes unresponsive.I 

I HAVE ALSO TRIED THIS ON A FRESH UBUNTU INSTALL WITH SAME RESULTS

### On Linux Tanzu-CLI v1.5.1 - FAIL:

─[$] <> tanzu version                                                                                                                                                                 
version: v1.5.1
buildDate: 2024-10-10
sha: db29379
arch: amd64
┌─[remote@tanzuwork] - [~] - [Tue Oct 15, 20:45]
└─[$] <> tanzu context create mytanzu --endpoint https://10.80.1.2                                                                                                       
Some initialization of the CLI is required.
Let's set things up for you.  This will just take a few seconds.

Refreshing the 7 installed plugins...

Initialization done!
==
[i] Failed to test for vSphere supervisor: Get "/wcp/loginbanner": unsupported protocol scheme ""
[x] : error creating kubeconfig with tanzu pinniped-auth login plugin: Get "/wcp/loginbanner": unsupported protocol scheme ""

My only reason for needing to login using tanzu as opposed to normal kubectl (which works):

kubectl vsphere login --vsphere-username [email protected] --server=https://10.80.1.2 --tanzu-kubernetes-cluster-namespace=tanzu-namespace --tanzu-kubernetes-cluster-name tkg-cluster

... is because I'm using an external IdP workflow (which is clearly OK if 1.4.1 on windows works). To my knowledge there is no other way to do auth to an external IdP without the tanzu client.

[dsputnikk]

Its worth nothing that if I save config-ng.yaml from a tanzu context create using v1.4.1 and then copy it back after installing tanzu-cli 1.5.1, I can retrieve cluster objects just fine.

[Jeremy-Boyle]

I also get error while validating the Context object: context name cannot be empty

With the latest changes and tanzu cli 1.5.1

[Jeremy-Boyle]

The only work around that i have for this is the following to get a valid oidc auth working with tanzu-cli

# This will fail out and create a new context in your kubeconfig
tanzu context create  context-name --endpoint https://some.fqdn.com
# Rename the newly created context name to something useful
kubectl config rename-context tanzu-cli-{guid-id}@{guid-id} new-context-name
# Add it to tanzu context create
tanzu context create context-name --kubeconfig ~/.kube/config --kubecontext new-context-name

[Jeremy-Boyle]

Hi @dsputnikk I see the issue with the code, our org has a active support ticket opened for this internally , ill work on doing a MR and explanation.