Troubleshooting
This troubleshooting section provides guidance for diagnosing and resolving common issues encountered when deploying IBM Verify Identity Access with Gitops.
Common issues and solutions
- Issue 1: Pod not starting
-
To fix the issue:
- Check the pod status:
kubectl get pods -n ivia-production kubectl describe pod <pod-name> -n ivia-production
- Image pull errors: Verify
imagePullSecretis correct. - Configuration errors: Check logs for auto-configuration failures.
- Resource constraints: Check if nodes have sufficient resources.
- Check the pod status:
- Issue 2: Configuration not applied
-
To fix the issue, check all the following:
- Check the ConfigMap:
kubectl get configmap ivia-autoconf -n ivia-production -o yam - Check that the checksum annotation is correctly configured:
kubectl get deployment ivia-wrp -n ivia-production -o yaml | grep checksum - Perform a force restart:
# Increment version in ibmvia-autoconf.yaml # Then upgrade the release helm upgrade ivia-production oci://icr.io/ivia/ivia-autoconf-helm \ --namespace ivia-production \ --values values.yaml \ --set-file autoconf.content=ibmvia-autoconf.yaml
- Check the ConfigMap:
- Issue 3: Certificate issues
-
To check certificate errors:
- Check the certificate status:
kubectl get certificate -n ivia-production kubectl describe certificate ivia-config-certificate -n ivia-production - Check the cert-manager logs:
kubectl logs -n cert-manager -l app=cert-manager -f
- Check the certificate status:
- Issue 4: ArgoCD sync failures
-
To fix the sync failures, check the following:
- Check the application status:
argocd app get ivia-production - To view the sync errors:
kubectl get application ivia-production -n argocd -o yaml - Sync manually while enabling Prune:
argocd app sync ivia-production --prune
- Check the application status:
- Issue 5: Logs and Debugging
-
To fix the issue:
- Check the configuration service logs:
kubectl logs -n ivia-production -l app=ivia-config -f - Check the Web reverse proxy (WRP) logs:
kubectl logs -n ivia-production -l app=ivia-wrp -f - Check the runtime logs:
kubectl logs -n ivia-production -l app=ivia-runtime -f - Check cluster events for the specified namespace, sorted by the most recent timestamp:
kubectl get events -n ivia-production --sort-by='.lastTimestamp'
- Check the configuration service logs: