Troubleshooting Guide¶
Common issues and solutions when using the cluster-bootstrap CLI.
Prerequisites¶
kubectl not found¶
Error: kubectl not found or not accessible
Solution:
1. Install kubectl: https://kubernetes.io/docs/tasks/tools/
2. Verify installation: kubectl version --client
3. Ensure it's in your PATH: which kubectl
Helm not found¶
Error: helm not found or not accessible
Solution:
1. Install Helm: https://helm.sh/docs/intro/install/
2. Verify installation: helm version
SOPS not found¶
Error: sops not found or not accessible (when using SOPS encryption)
Solution:
1. Install SOPS: brew install sops or from https://github.com/mozilla/sops
2. Verify installation: sops --version
Age not found¶
Error: age not found or not accessible (when using age encryption)
Solution:
1. Install age: brew install age or from https://github.com/FiloSottile/age
2. Verify installation: age-keygen --version
Git-crypt not found¶
Error: git-crypt not found or not accessible (when using git-crypt encryption)
Solution:
1. Install git-crypt: brew install git-crypt or from https://github.com/AGWA/git-crypt
2. Verify installation: git-crypt --version
Kubeconfig & Cluster Connection¶
Cannot connect to cluster¶
Error: failed to connect to cluster: connection refused
Solution:
1. Verify cluster is running: kubectl cluster-info
2. Check current context: kubectl config current-context
3. Verify kubeconfig: kubectl config view
4. Try explicitly setting kubeconfig:
./cluster-bootstrap-cli/cluster-bootstrap-cli bootstrap dev --kubeconfig ~/.kube/config --context my-cluster
Context not found¶
Error: context nonexistent-context not found in kubeconfig
Solution:
1. List available contexts: kubectl config get-contexts
2. Use correct context name:
Invalid kubeconfig file¶
Error: failed to load kubeconfig /path/to/config: permission denied
Solution:
1. Check file permissions: ls -la ~/.kube/config
2. Should be readable by owner: chmod 600 ~/.kube/config
3. Verify path exists and is accessible
Permissions & RBAC¶
Permission denied when creating resources¶
Error: permission denied: cannot create resource "pods"...
Solution:
1. Check your current user: kubectl auth whoami
2. Check available permissions:
argocd namespace
- Create/update applications (if using ArgoCD CRDs)
4. Ask your cluster administrator for appropriate permissions
Secret file permissions¶
Error: file permissions too permissive for secret: ...mode: 644 (should be 600)
Solution: 1. Fix file permissions:
2. All secret files should only be readable by the ownerSecrets & Encryption¶
Secrets file not found¶
Error: secrets-file does not exist: secrets.dev.enc.yaml
Solution: 1. Create the secrets file first:
2. Or explicitly provide the file:./cluster-bootstrap-cli/cluster-bootstrap-cli bootstrap dev --secrets-file ./custom-secrets.enc.yaml
Invalid secrets file format¶
Error: failed to parse secrets file: invalid YAML
Solution:
1. Check file syntax: cat secrets.dev.enc.yaml | head (for git-crypt)
2. For SOPS: ensure it's properly encrypted/decrypted
3. Validate YAML: kubectl apply --dry-run=client -f secrets.dev.yaml
Cannot decrypt secrets¶
Error: failed to decrypt secrets: age: decryption failed
Solution - Age:
1. Verify age key file exists: ls ~/.age/key.txt
2. Set age key path explicitly:
Solution - Git-crypt:
1. Verify git-crypt is initialized: git-crypt status
2. Ensure git-crypt key is present: git-crypt unlock
3. Check .gitattributes has pattern: grep secrets .gitattributes
Helm Installation¶
Helm install/upgrade timeout¶
Error: Helm install timed out: context deadline exceeded
Solution: 1. Increase timeout (currently 5 min try increasing resources):
2. Check pod status during install: 3. Check logs:Image pull failed¶
Error: ImagePullBackOff: failed to pull image
Solution: 1. Verify image is accessible:
2. Check image pull secrets (if using private registry): 3. Check node logs: 4. Add image pull secret to argocd valuesRelease already exists¶
Error: release argocd already exists. Use --force to force
Solution: 1. ArgoCD is already installed. Skip installation:
2. Or uninstall existing release:ArgoCD & Application¶
Application CRD not found¶
Error: ArgoCD CRD not found: ApplicationCRD not found
Solution: 1. Verify ArgoCD is installed:
2. Install ArgoCD if missing: 3. Wait for CRDs to be created:App of Apps not syncing¶
Issue: Application created but not syncing
Solution: 1. Check application status:
2. Check ArgoCD server logs: 3. Verify Git repository access: - SSH key secret:kubectl get secret repo-ssh-key -n argocd -o yaml
- Test SSH: ssh -T [email protected]
4. Check app repository URL: kubectl get secret repo-ssh-key -n argocd -o jsonpath='{.data.url}' | base64 -d
Repository not found (with subdirectory setup)¶
Error: ComparisonError: Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = failed to list refs: repository not found
Cause: When your project is in a subdirectory (e.g., /k8s), ArgoCD can't find the component paths because they're missing the subdirectory prefix.
Solution:
1. Update apps/values.yaml to include the base path:
repo:
url: [email protected]:yourorg/yourrepo.git
targetRevision: main
basePath: "k8s" # Add this line with your subdirectory name
-
Ensure you bootstrapped with the correct flags:
-
Sync the App of Apps to pick up the changes:
How it works:
- --base-dir ./k8s - tells the CLI where to find local files (Chart.yaml, values, secrets)
- --app-path k8s/apps - sets the App of Apps path in ArgoCD
- repo.basePath: "k8s" - ensures component paths are prefixed (e.g., k8s/components/argocd instead of components/argocd)
Debugging¶
Enable verbose output¶
Command:
This enables: - Configuration details - Stage timings - Resource creation details (without exposing secrets) - Detailed error messages
Dry-run mode¶
Command:
This shows manifests that would be created without applying them.
Output to file:
./cluster-bootstrap-cli/cluster-bootstrap-cli bootstrap dev --dry-run --dry-run-output /tmp/bootstrap.json
Check cluster connectivity¶
# Connection test
kubectl cluster-info
kubectl get nodes
kubectl auth whoami
# RBAC test
kubectl auth can-i create namespaces
kubectl auth can-i create secrets -n argocd
Check ArgoCD status¶
# ArgoCD components
kubectl get pods -n argocd
kubectl rollout status deploy/argocd-server -n argocd
kubectl rollout status statefulset/argocd-application-controller -n argocd
# ArgoCD UI access
kubectl port-forward svc/argocd-server -n argocd 8080:443
# Then visit https://localhost:8080
Common Patterns¶
Bootstrap with custom app path¶
If your apps are in a different directory:
Or with auto-detection (if Chart.yaml + templates/application.yaml exist):
Bootstrap with repo in subdirectory¶
When your manifests are in a subdirectory (e.g., k8s/):
-
Update
apps/values.yaml: -
Run bootstrap:
Bootstrap with specific git-crypt key¶
./cluster-bootstrap-cli/cluster-bootstrap-cli bootstrap dev \
--encryption git-crypt \
--gitcrypt-key-file ./git-crypt-key
Store Vault token after bootstrap¶
./cluster-bootstrap-cli/cluster-bootstrap-cli vault-token --token <root-token>
# Or via stdin
echo "<root-token>" | ./cluster-bootstrap-cli/cluster-bootstrap-cli vault-token
# Or via prompt
./cluster-bootstrap-cli/cluster-bootstrap-cli vault-token
Getting Help¶
- Check verbose output: Use
-vflag for detailed information - Check logs:
kubectl logsfor component logs - Dry-run: Use
--dry-runto see what would be created - Test connectivity: Verify
kubectl cluster-infoandkubectl auth whoami - Review configuration: Check
.sops.yamland values files
Report Issues¶
If you encounter an issue:
- Reproduce with verbose output:
./cluster-bootstrap-cli/cluster-bootstrap-cli -v bootstrap dev - Collect dry-run output:
./cluster-bootstrap-cli/cluster-bootstrap-cli bootstrap dev --dry-run --dry-run-output /tmp/debug.json - Check cluster resources:
kubectl get all -n argocd - Share logs without exposing secrets
- Report to: https://github.com/user-cube/cluster-bootstrap/issues