Use this section to troubleshoot issues with your Puppet Comply installation.

Reset your Comply password

If you forget your password, you can reset it in the user admin console.

  1. SSH into your Comply node and run the following commands to retrieve the admin username and password:
    kubectl exec $(kubectl get pod -l -o jsonpath="{.items[0]}") -- /bin/bash -c 'cat /etc/keycloak/admin-user'
    kubectl exec $(kubectl get pod -l -o jsonpath="{.items[0]}") -- /bin/bash -c 'cat /etc/keycloak/admin-password'
  2. Navigate to https://<COMPLY-HOSTNAME>/auth/admin using the FQDN of your Comply node.
  3. Login using the credentials from step 1.
  4. Navigate to Users.
  5. Click View all users and select the user account you want to update, and click Edit.
  6. Select the Credentials tab and the reset password.

Reset the platform admin console

As part of the installation process, the platform admin console generates a password for you. You can update this password to one of your choosing after installation.

  1. To reset the platform admin console password, run:
    kubectl -n default kots reset-password
    The system prompts you to enter a new password of your choosing.
  2. If the command fails with an unknown command "kots" for "kubectl" error it's because /usr/local/bin is not in the path. To address this error, either update the path to include /usr/local/bin, or run:
    /usr/local/bin/kubectl-kots reset-password default

Access logs

If you run into issues with Puppet Comply, you can download the relevant log files. The Comply logs are stored in the platform admin console.

  1. Navigate to the platform admin console — https://<PLATFORM-ADMIN-CONSOLE-ADDRESS>:8800.
  2. Select the Troubleshoot tab, and click Analyse Comply.
  3. Download the bundle of log files.

Resolve Comply domain

If the Puppet Comply gatekeeper is unable to resolve the Comply domain, try the following troubleshooting steps.

When you assign a hostname to Comply, it needs to be resolved by the pods in your Kubernetes cluster. A preflight check verifies the domain you specified in the configuration is resolvable. You must ensure that the nodes can resolve their own hostnames, through either local host mapping or a reachable DNS server.
  1. To verify your whether your hostname is resolvable, run the following commands:
    kubectl exec $(kubectl get pod -l app=kotsadm -o jsonpath="{.items[0]}") -- /bin/sh -c 'curl --SI <hostname>'
    If the hostname was resolved, the command returns an exit code 0 with no output.
    If the hostname cannot be resolved, the command returns an exit code 6. Proceed to step 2 to add DNS entries.
  2. To add DNS entries for CoreDNS, run the following command to open the CoreDNS configuration maps:
    kubectl -n kube-system edit configmaps coredns
  3. Add a hosts entry below kubernetes. This is where you configure the DNS entry for Comply. For example:
    kubernetes cluster.local {
       pods insecure
       ttl 30
    hosts { comply // IP_address canonical_hostname [aliases...]
    prometheus :9153
  4. Run the command from step 1 to verify whether the DNS entry was updated:
    kubectl exec $(kubectl get pod -l app=kotsadm -o jsonpath="{.items[0]}") -- /bin/sh -c 'curl --SI <hostname>'
  5. Re-run the preflight checks.

Update the platform admin console's TLS certificate

A self-signed TLS certificate secures the connection between your browser and the platform admin console. Once the initial platform admin console setup process is complete, you can upload new certificates by enabling changes to the installation's Kubernetes secrets.

Use this process if you choose not to add a TLS certificate when installing the platform admin console, or if you need to update your existing TLS certificate.

  1. Enable changes to your installation's kotsadm-tls Kubernetes secret by running:
    kubectl -n default annotate secret kotsadm-tls acceptAnonymousUploads=1
  2. Restart the kurl-proxy pod to deploy the change by running:
    kubectl delete pods $(kubectl get pods -A | grep kurl-proxy | awk '{print $2}')
  3. Once the kurl-rpoxy pod restarts and is back up and running, navigate to https://<HOSTNAME>:8800/tls and upload your new TLS certificate.
How helpful was this page?

If you leave us your email, we may contact you regarding your feedback. For more information on how Puppet uses your personal information, see our privacy policy.

Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.