Troubleshoot the workload clusters
You might have a need to login to your workload clusters to troubleshoot some issues related to:
- DNS
- Certificates
- External connectivity, etc
So how do we do this?
Troubleshooting by connecting to the vCenter - Non routable workload cluster IP’s
-
You can ssh into your vCenter using the root crdentials:
ssh root@vcenter.example.com -o PubkeyAuthentication=no
- Once in, switch the mode to
shell
mode.Command> shell Shell access is granted to root root@vcenter [ ~ ]#
-
Now let’s get the IP and password to login to the Supervisior Cluster Node. To do this, run the following:
/usr/lib/vmware-wcp/decryptK8Pwd.py
which will result with an output like the following:
root@vcenter [ ~ ]# /usr/lib/vmware-wcp/decryptK8Pwd.py Read key from file Connected to PSQL Cluster: domain-c47:41454ea7-90e7-4c4f-8d79-0fa666784761 IP: 10.16.0.16 PWD: FObx+Q06okhCYjcQvOXy2CgVydgXEyc7dBf6X18zhQLBddrvex4SbUAgXDdCTdxtFRXoooOO/U4Nd9wMGy6qklhWPLWnnZ4CAKCCUfr27SPbRfEKOFA0f46RbDYc2lLDaIsgqOJB/kL/CTNMN5HG/Xw3qWKP3owySsSsSD4Po8= ------------------------------------------------------------
-
Using the IP and password combination, let’s login to the supervisior cluster using the root user. Note, don’t decode the password, use it as is.
ssh root@10.16.0.16
which will give you output similar to below:
root@vcenter [ ~ ]# ssh root@10.16.0.16 FIPS mode initialized Password: Last login: Tue Nov 1 21:06:25 2022 from 10.16.0.10 22:33:00 up 2:40, 0 users, load average: 0.13, 0.34, 0.42 tdnf update info not available yet!
-
Let’s now load the KUBECONFIG to connect to the namespace for the workload cluster. To do this, execute:
export KUBECONFIG=/etc/kubernetes/admin.conf
-
Next grab the ssh password to connect to the workload cluster
kubectl get secret -n <namespace> <workload-cluster-name>-ssh-password -o jsonpath={.data.ssh-passwordkey} | base64 --decode
-
Now we have all the information to login to thr workload cluster nodes.
ssh vmware-system-user@<workload-cluster-node-ip>
Now you are in, and you can troubleshoot the problem.
Troubleshooting by connecting to the Routable workload cluster IP’s
If your workload clusters are on routable IP’s then you can do this.
-
Connect to the cluster using kubectl cli
k vsphere login --server api.tkg.example.com --insecure-skip-tls-verify --vsphere-username administrator@vsphere.local --tanzu-kubernetes-cluster-namespace <workload namespace>
k config use-context <workload namespace>
-
Next grab the ssh password to connect to the workload cluster
kubectl get secret -n <namespace> <workload-cluster-name>-ssh-password -o jsonpath={.data.ssh-passwordkey} | base64 --decode
-
Now we have all the information to login to thr workload cluster nodes.
ssh vmware-system-user@<workload-cluster-node-ip>
Now you are in, and you can troubleshoot the problem.