FAQs and Troubleshooting

Command Line Cheat Sheet

List of kubectl commands for configuring and troubleshooting issues pertaining to KUBE+ in-cluster components


kubectl get all --all-namespaces
kubectl get namespace <namespace_name>
kubectl delete namespace <namespace_name>
kubectl get pod
kubectl get pods -n=[namespace_name]
kubectl delete pod <pod_name>
kubectl get secrets
kubectl describe secret <secret_name>
kubectl delete secret <secret_name>
kubectl apply -f manifest_file.yaml
kubectl logs -f <pod_name>
kubectl logs -c <container_name> <pod_name>
kubectl logs <pod_name> pod.log

Table 1. Command Line Cheat Sheet Table
S. No.	Command	Purpose
1	`kubectl get all --all-namespaces`	lists resources (pods, services, deployments, etc.) in all namespaces.
2	`kubectl get namespace <namespace_name>`	Retrieves information about a specific namespace in a Kubernetes cluster.
3	`kubectl delete namespace <namespace_name>`	Deletes a specific namespace and all the resources contained within it in a Kubernetes cluster.
4	`kubectl get pod`	List all the pods in the current Kubernetes namespace.
5	`kubectl get pods -n=[namespace_name]`	lists all the pods in a specific namespace in a Kubernetes cluster. Replace "[namespace_name]" with the actual name of the namespace you want to target. This command displays information about the pods in that namespace
6	`kubectl delete pod <pod_name>`	Deletes a specific pod in a Kubernetes cluster.
7	`kubectl get secrets`	Lists all the secrets available in the current Kubernetes namespace.
8	`kubectl describe secret <secret_name>`	Displays detailed information about a specific secret in a Kubernetes cluster.
9	`kubectl delete secret <secret_name>`	Deletes a specific secret in a Kubernetes cluster.
10	`kubectl apply -f manifest_file.yaml`	Applies a configuration to an object by filename or stdin.
11	`kubectl logs -f <pod_name>`	Prints the logs for a pod and it will continuously stream the logs as new log entries that are generated in real-time. This is useful for monitoring and troubleshooting applications running in Kubernetes pods..
12	`kubectl logs -c <container_name> <pod_name>`	Prints the logs from a specific container within a pod in a Kubernetes cluster.
13	`kubectl logs <pod_name> pod.log`	Redirects and saves the logs from a specific pod in a Kubernetes cluster to a file named ‘pod.log’.

How to configure HA?

You can configure HA by increasing the number of pods running, By default this is set to one.
"certOrchestrator.replicaCount" field needs to be overridden in the deployment.
Can use --set flag to override the same as below using helm
- --set ertOrchestrator.replicaCount=2 (example to increase the number of pods to two )
Always only one pod will be a leader, other pods will be non-leader, when the leader is down, an election will happen to elect the leader among the existing non-leader + new pod ( created due to the kill of old leader ), based on the election one of the pod will become Leader.

How to check if your pod is up and running?

You can monitor the pod livenessProbe under the below path from the cert-orchestrator pod

path: /healthz

port: 8081

How to configure monitoring for your pod running in a cluster?

See How to check if your pod is up and running?

How to add tolerations to the deployment pod?

Tolerations can be overridden using helm. Please refer the helm chart configuration.

What is the permission to be allowed in the cluster for running your pod?

cert-orchestrator
- configmaps
create, get
- namespaces
  - get, list
nodes
- get, list, watch
pods
- get, list
secrets
- create, delete, get, list, patch, update, watch
cert-orchestrator.certplus.appviewx:casettingclusters
- create, delete, get, list, patch, update, watch
cert-orchestrator.certplus.appviewx:casettingclusters/status
- get, patch, update
cert-orchestrator.certplus.appviewx:casettings
- create, delete, get, list, patch, update, watch
cert-orchestrator.certplus.appviewx:casettings/status
- get, patch, update
cert-orchestrator.certplus.appviewx:certreqs
- create, delete, get, list, patch, update, watch
cert-orchestrator.certplus.appviewx:certreqs/status
- get, patch, update
cert-orchestrator.certplus.appviewx:certs
- create, delete, get, list, patch, update, watch
cert-orchestrator.certplus.appviewx:certs/finalizers
- update
cert-orchestrator.certplus.appviewx:certs/status
- get, patch, update
cert-orchestrator.certplus.appviewx:discoveryrequests
- create, delete, get, list, patch, update watch
cert-orchestrator.certplus.appviewx:discoveryrequests/finalizers
- update
cert-orchestrator.certplus.appviewx:discoveryrequests/status
- get, patch, update
cert-orchestrator.certplus.appviewx:renewaljobs
- create, delete, get, list, patch, update, watch
cert-orchestrator.certplus.appviewx:renewaljobs/status
- get, patch, update
cert-orchestrator.certplus.appviewx:signers
- create, delete, get, list, patch, update, watch
cert-orchestrator.certplus.appviewx:signers/finalizers
- update
cert-orchestrator.certplus.appviewx:signers/status
- get, patch, update
certificates.k8s.io:certificatesigningrequests
- get, list, patch, update, watch
certificates.k8s.io:certificatesigningrequests/status
- get, patch, update
certificates.k8s.io:[SIGNER_NAME]/istio:signers
- sign
coordination.k8s.io:leases
- create, delete, get, list, update, watch
events
- create, patch
networking.k8s.io:ingresses
- get, list,watch
secrets-store.csi.x-k8s.io:secretproviderclasses
- create, delete, get, list, patch, update, watch
secrets-store.csi.x-k8s.io:secretproviderclasses/finalizers
- update
secrets-store.csi.x-k8s.io:secretproviderclasses/status
- get, patch, update
appviewx-infra-orchestrator
- cert-orchestrator.certplus.appviewx:discoveryrequests
  - create, get
appviewx-csi-provider
- serviceaccounts/token
  - create
- secrets
  - create, get
- cert-orchestrator.certplus.appviewx:certs
  - create, get

Whats is the permission given for SA (cluster role and cluster role binding)?

Refer the response for What is the permission to be allowed in the cluster for running your pod?.

How to configure resource requirements?

Refer the Helm chart configuration under certOrchestrator.resources.

Table 2. cert-orchestrator : Helm chart configuration parameters
Qualifier	Parameter	Definition	Allowed Values
`certOrchestrator`	enabled	Enable certOrchestrator.	true / false
	`renewalEnabled`	Enable renewal.	true / false
	`namespace`	Namespace for the cert-orchestrator installation.	Valid namespace name
`certOrchestrator.discovery`	`enabled`	Enable Discovery	true / false
	`isGroupAutoGenerate`	Allow auto group creation at AppViewX.	true / false
	`credentialSecretName`	Secret with credentials to be used for Discovery with AppViewX.	Valid Secret Name
	`credentialSecretNamespace`	Namespace for the above.	Valid namespace Name
`certOrchestrator.global`	`logLevel`	Log level for the cert-orchestrator terminal log.	0 to 7
	`clusterName`	Name of the cluster for the current installation.	Valid Cluster Name
	`k8sVendor`	Type of vendor where the cert-orchestrator runs.	Valid vendor Name
`certOrchestrator.image`	`repository`	Repository name for the image	Valid image name with repo
	`tag`	tag for the image	Valid image tag
	`pullPolicy`	Image Pull Policy	Always, Never or IfNotPresent. Defaults to IfNotPresent
`certOrchestrator.resources`	`limits.cpu`	Describes the maximum amount of CPU allowed.	Default is 1000m, See Kubernetes - meaning of CPU
	`limits.memory`	Describes the maximum amount of Memory allowed.	Default is 1Gi. see Kubernetes - meaning of Memory
`certOrchestrator.resources`	`requests.cpu`	Describes the minimum amount of CPU required.	Default is 500m, see Kubernetes - meaning of CPU
	`requests.memory`	Describes the minimum amount of Memory required.	Default is 500Mi. See Kubernetes - meaning of Memory
`certOrchestrator`	`tolerations`	Describes the tolerations allowed for the pods to schedule.

Table 3. appviewx-csi-provider : Helm chart configuration parameters
Qualifier	Parameter	Definition	Allowed Values
`appviewxCSIProvider`	enabled	Enable `appviewxCSIProvider`.	true / false
`appviewxCSIProvider.image`	`repository`	Repository name for the image.	Valid image name with repo.
	`tag`	Tag for the image.	Valid image tag
	`pullPolicy`	Image Pull Policy	Always, Never or IfNotPresent. Defaults to IfNotPresent
`certOrchestrator`	`tolerations`	Describes the tolerations allowed for the pods to schedule.

Table 4. appviewx-signer : Helm chart configuration parameters
Qualifier	Parameter	Definition	Allowed Values
`appviewxSigner`	enabled	Enable `appviewxSigner`.	true / false

Table 5. appviewx-infra-orchestrator : Helm chart configuration parameters
Qualifier	Parameter	Definition	Allowed Values
`appviewxInfraOrchestrator`	enabled	Enable certOrchestrator.	true / false
	`tick`	Sync frequency for the certificate scan.	Valid time period string. Example : "60m"
`appviewxInfraOrchestrator.image`	`repository`	Repository name for the image.	Valid image name with repo
	`tag`	Tag for the image.	Valid image tag
	`pullPolicy`	Image Pull Policy	Always, Never or IfNotPresent. Defaults to IfNotPresent
`appviewxInfraOrchestrator`	`tolerations`	Describes the tolerations allowed for the pods to schedule.