Troubleshooting

The following table provides information to help you troubleshoot potential issues that you might encounter when using the integration of Red Hat OpenShift / ESO with Secret Server.

Issue Description Troubleshooting steps

Issue	Description	Troubleshooting steps
A secret is stuck in `SecretSyncedError` status.	The following are the symptoms of this issue: The synchronization status of the secret is `SecretSyncedError`. READY field: `False`. A Kubernetes Secret was not created for the secret.	To show the details of the secret, run the following command: `oc describe externalsecret database-credentials -n my-app` To check the ESO logs for errors, run the following command: `oc logs -n external-secrets deployment/external-secrets \| grep -i error` Do one of the following: If the logs contain "Error: Connection Timeout," network policies block egress traffic to the Secret Server backend. Perform the following steps: To view the details of the `allow-external-secrets-https-egress` network policy, run the following command: `oc get networkpolicy allow-external-secrets-https-egress -n external-secrets` To test connectivity to Secret Server, run the following command: `oc exec -n external-secrets deployment/external-secrets -- curl -v -m 5 https://your-tenant.secretservercloud.com/` If connectivity fails, apply the network policies as described in Step 2: Configuring Network Policies. If the logs contain "Error: Authentication Failed," invalid Secret Server credentials in the `ClusterSecretStore` configuration. For more information, see Integrating Kubernetes ESO with Delinea. Run the following commands to delete the Kubernes secret with the invalid credentials and provide the valid credentials in a Kubernetes secret: `oc get secret secretserver-credentials -n openshift-operators` `oc delete secret secretserver-credentials -n openshift-operators` `oc create secret generic secretserver-credentials \` `--from-literal=username='correct-username' \` `--from-literal=password='correct-password' \` `-n openshift-operators`
No controller pods are running	The following are the symptoms of this issue: Running `oc get pods -n external-secrets` shows no pods. An `ExternalSecretsConfig` resource exists, but no controller pods were deployed.	To delete the existing `ExternalSecretsConfig` resource and recreate an `ExternalSecretsConfig` resource and apply the YAML file for `ExternalSecretsConfig`, run the following commands: `oc get externalsecretsconfig cluster -o yaml` `oc logs -n openshift-operators deployment/external-secrets-operator` `oc delete externalsecretsconfig cluster` `oc apply -f externalsecretsconfig.yaml` To check that the controller pods are deployed, run the following command: `oc get pods -n external-secrets -w`

A secret is stuck in SecretSyncedError status.

The following are the symptoms of this issue:

The synchronization status of the secret is SecretSyncedError.
READY field: False.
A Kubernetes Secret was not created for the secret.

To show the details of the secret, run the following command:

oc describe externalsecret database-credentials -n my-app
To check the ESO logs for errors, run the following command:

oc logs -n external-secrets deployment/external-secrets | grep -i error
Do one of the following:
- If the logs contain "Error: Connection Timeout," network policies block egress traffic to the Secret Server backend. Perform the following steps:
  1. To view the details of the allow-external-secrets-https-egress network policy, run the following command:
    
    oc get networkpolicy allow-external-secrets-https-egress -n external-secrets
  2. To test connectivity to Secret Server, run the following command:
    
    oc exec -n external-secrets deployment/external-secrets -- curl -v -m 5 https://your-tenant.secretservercloud.com/
  3. If connectivity fails, apply the network policies as described in Step 2: Configuring Network Policies.
- If the logs contain "Error: Authentication Failed," invalid Secret Server credentials in the ClusterSecretStore configuration. For more information, see Integrating Kubernetes ESO with Delinea.
  
  Run the following commands to delete the Kubernes secret with the invalid credentials and provide the valid credentials in a Kubernetes secret:
  
  oc get secret secretserver-credentials -n openshift-operators
  
  oc delete secret secretserver-credentials -n openshift-operators
  
  oc create secret generic secretserver-credentials \
  
  --from-literal=username='correct-username' \
  
  --from-literal=password='correct-password' \
  
  -n openshift-operators

No controller pods are running

The following are the symptoms of this issue:

Running oc get pods -n external-secrets shows no pods.
An ExternalSecretsConfig resource exists, but no controller pods were deployed.

To delete the existing ExternalSecretsConfig resource and recreate an ExternalSecretsConfig resource and apply the YAML file for ExternalSecretsConfig, run the following commands:

oc get externalsecretsconfig cluster -o yaml

oc logs -n openshift-operators deployment/external-secrets-operator

oc delete externalsecretsconfig cluster

oc apply -f externalsecretsconfig.yaml
To check that the controller pods are deployed, run the following command:

oc get pods -n external-secrets -w

Diagnostic Commands Reference

The following table provides a reference for the useful diagnostic commands in Red Hat OpenShift / ESO.

To do this	Run this command
Check all ESO resources	`oc get externalsecrets,secretstores,clustersecretstores -A`
View the status of ESO	`oc get csv -n openshift-operators \| grep external-secrets`
Check all network policies	`oc get networkpolicies -n external-secrets`
View all controller pods	`oc get pods -n external-secrets -o wide`