What to check when accessing AH Swagger throws error "503 service unavailable" and cannot make any api call to openapi

Issue Description

Cannot access the Automation Hub Swagger page using https://{fqdn}/{org}/{tenant}/automationhub_/api/v1/api-doc/ and the browser shows error “upstream connect error or disconnect/reset before headers”.

Making API calls to openapi, for example, to get the users: https://{fqdn}/{org}/{tenant}/automationhub_/api/v1/openapi/users is also not possible.

The logs of the ah-frontdoor-service pod are throwing error 503 Service Unavailable and the HTTP requests do not reach the open api pod.

Root Cause

The issue is caused by the ah-frontdoor-service-egress network policy, which prohibits egress from the ah-frontdoor pod to the ah-openapi pod, and a completely missing ingress networkpolicy for the ah-openapi pod.

Resolution

To fix it try the following:

• change the egress policy of the ah-frontdoor-service, and add the following segment:

- ports:

- port: 3002

protocol: TCP

to:

- podSelector:

matchLabels:

app.kubernetes.io/name: ah-open-api-service

• create an ingress policy for the open-api-service:

- ports:

- port: 3002

protocol: TCP

to:

- podSelector:

matchLabels:

app.kubernetes.io/name: ah-open-api-service

In order for these policies to remain active, disable auto-sync on the fabric-installer and network apps, in ArgoCD.