Troubleshooting

Obtaining Central platform service Logs

The KeySafe 5 application is configured to log to stdout. This means you can view logs by running standard kubectl commands.

To get the KeySafe 5 backend services logs run kubectl get pods

By default, the KeySafe 5 backend Helm chart will create multiple replicas of each service. The below example commands only retrieves the logs from the first replica of each service.

kubectl -n nshieldkeysafe5 logs nshield-keysafe5-0 agent-mgmt
kubectl -n nshieldkeysafe5 logs nshield-keysafe5-0 codesafe-mgmt
kubectl -n nshieldkeysafe5 logs nshield-keysafe5-0 hsm-mgmt
kubectl -n nshieldkeysafe5 logs nshield-keysafe5-0 sw-mgmt

To get the KeySafe 5 WebUI logs.

UI_POD=$(kubectl -n nshieldkeysafe5 get pods -l app=keysafe5-ui-app -o jsonpath='{.items[0].metadata.name}')
kubectl logs -n nshieldkeysafe5 $UI_POD

Because all logs are directed to stdout, you can integrate the application logs with third-party log monitoring tools such as Prometheus or Splunk.

Kubernetes resource debug

If a Kubernetes resource is not working as expected, use kubectl describe to display any errors with that resource.

$ kubectl describe -n nshieldkeysafe5 pod nshield-keysafe5-0
[. . .]
Warning  FailedMount  6s (x8 over 70s)  kubelet            MountVolume.SetUp failed for volume "keysafe5-messagebus-tls-volume" : secret "agentcomms-client-certificates" not found

You can also use kubectl get events to detect errors.

kubectl get events --all-namespaces

For more information on debugging Kubernetes applications, see the Kubernetes documentation here.