Troubleshooting

Sections

Use this section to troubleshoot issues with your Puppet Comply installation.

Reset your Comply password

If you forget your password, you can reset it in the user admin console.

  1. SSH into your Comply node and run the following commands to retrieve the admin username and password:
    kubectl exec $(kubectl get pod -l app.kubernetes.io/name=comply-auth -o jsonpath="{.items[0].metadata.name}") -- /bin/bash -c 'cat /etc/keycloak/admin-user'
    kubectl exec $(kubectl get pod -l app.kubernetes.io/name=comply-auth -o jsonpath="{.items[0].metadata.name}") -- /bin/bash -c 'cat /etc/keycloak/admin-password'
  2. Navigate to https://<COMPLY-HOSTNAME>/auth/admin using the FQDN of your Comply node.
  3. Login using the credentials from step 1.
  4. Navigate to Users.
  5. Click View all users and select the user account you want to update, and click Edit.
  6. Select the Credentials tab and the reset password.

Reset the platform admin console

As part of the installation process, the platform admin console generates a password for you. You can update this password to one of your choosing after installation.

  1. To reset the platform admin console password, run:
    kubectl -n default kots reset-password
    The system prompts you to enter a new password of your choosing.
  2. If the command fails with an unknown command "kots" for "kubectl" error it's because /usr/local/bin is not in the path. To address this error, either update the path to include /usr/local/bin, or run:
    /usr/local/bin/kubectl-kots reset-password default

Access logs

If you run into issues with Puppet Comply, you can download the relevant log files. The Comply logs are stored in the platform admin console.

  1. Navigate to the platform admin console — https://<PLATFORM-ADMIN-CONSOLE-ADDRESS>:8800.
  2. Select the Troubleshoot tab, and click Analyse Comply.
  3. Download the bundle of log files.

Resolve Comply domain

If the Puppet Comply gatekeeper is unable to resolve the Comply domain, try the following troubleshooting steps.

When you assign a hostname to Comply, it needs to be resolved by the pods in your Kubernetes cluster. A preflight check verifies the domain you specified in the configuration is resolvable. You must ensure that the nodes can resolve their own hostnames, through either local host mapping or a reachable DNS server.
  1. To verify your whether your hostname is resolvable, run the following commands:
    kubectl exec $(kubectl get pod -l app=kotsadm -o jsonpath="{.items[0].metadata.name}") -- /bin/sh -c 'curl --SI <hostname>'
    If the hostname was resolved, the command returns an exit code 0 with no output.
    If the hostname cannot be resolved, the command returns an exit code 6. Proceed to step 2 to add DNS entries.
  2. To add DNS entries for CoreDNS, run the following command to open the CoreDNS configuration maps:
    kubectl -n kube-system edit configmaps coredns
  3. Add a hosts entry below kubernetes. This is where you configure the DNS entry for Comply. For example:
    kubernetes cluster.local in-addr.arpa ip6.arpa {
       pods insecure
       fallthrough in-addr.arpa ip6.arpa
       ttl 30
    }
    hosts {
      10.23.24.25 comply.mycompany.net comply // IP_address canonical_hostname [aliases...]
      fallthrough
    }
    prometheus :9153
  4. Run the command from step 1 to verify whether the DNS entry was updated:
    kubectl exec $(kubectl get pod -l app=kotsadm -o jsonpath="{.items[0].metadata.name}") -- /bin/sh -c 'curl --SI <hostname>'
  5. Re-run the preflight checks.
How helpful was this page?

If you leave us your email, we may contact you regarding your feedback. For more information on how Puppet uses your personal information, see our privacy policy.

Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.