Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-02-08 02:55:33 -05:00
Code Issues Packages Projects Releases Wiki Activity

wrote docs for emergency ssh access workflow

Browse Source
This commit is contained in:
miampf 2025-01-09 16:52:19 +01:00
parent de2c0db08f
commit 996acc937d
No known key found for this signature in database
GPG Key ID: EF039364B5B6886C
1 changed files with 45 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
docs/docs/workflows/troubleshooting.md
View File

@ -56,8 +56,6 @@ A solution is to add the [required permissions](../getting-started/install.md#re
If your setup requires a change in the ordering of credentials, please open an issue and explain your desired behavior. If your setup requires a change in the ordering of credentials, please open an issue and explain your desired behavior.
### Nodes fail to join with error `untrusted measurement value` ### Nodes fail to join with error `untrusted measurement value`
This error indicates that a node's [attestation statement](../architecture/attestation.md) contains measurements that don't match the trusted values expected by the [JoinService](../architecture/microservices.md#joinservice). This error indicates that a node's [attestation statement](../architecture/attestation.md) contains measurements that don't match the trusted values expected by the [JoinService](../architecture/microservices.md#joinservice).
@ -128,24 +126,56 @@ Debugging via a shell on a node is [directly supported by Kubernetes](https://ku
1. Figure out which node to connect to: 1. Figure out which node to connect to:
```bash ```bash
kubectl get nodes kubectl get nodes
# or to see more information, such as IPs: # or to see more information, such as IPs:
kubectl get nodes -o wide kubectl get nodes -o wide
``` ```
2. Connect to the node: 2. Connect to the node:
```bash ```bash
kubectl debug node/constell-worker-xksa0-000000 -it --image=busybox kubectl debug node/constell-worker-xksa0-000000 -it --image=busybox
``` ```
You will be presented with a prompt. You will be presented with a prompt.
The nodes file system is mounted at `/host`. The nodes file system is mounted at `/host`.
3. Once finished, clean up the debug pod: 3. Once finished, clean up the debug pod:
```bash ```bash
kubectl delete pod node-debugger-constell-worker-xksa0-000000-bjthj kubectl delete pod node-debugger-constell-worker-xksa0-000000-bjthj
``` ```
### Emergency SSH access
Emergency SSH access to nodes can be useful to diagnose issues or download important data even in the event that the kubernetes API is not accessible anymore.
1. Enter the `constellation-terraform` directory in your constellation workspace and allow emergency SSH access to the cluster:
```bash
cd constellation-terraform
echo "emergency_ssh = true" >> ./terraform.tfvars
terraform apply
```
2. Sign an existing SSH keypair with your master secret:
```bash
cd ../ # go back to your constellation workspace
constellation ssh --key your_public_key.pub
```
A certificate will be written into the `constellation-terraform` directory.
The certificate is valid for 24 hours and allows you to access your constellation nodes using
[certificate based authentication](https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Certificate-based_Authentication).
3. Finally, you can connect to any constellation node:
```bash
ssh -F ./constellation-terraform/ssh_config -i your_private_key <PRIVATE_NODE_IP>
```
You can obtain the private IP via your CSPs web UI.