Debugging, Hints and Tips for Solving Common Problems with Tornjak

This page collects tips and hints for debugging the deployment and runtime of Tornjak.

The hints are grouped into the following sections:

Tornjak Deployment

Problem: SPIRE with Tornjak pod does not start. Status is CrashLoopBackOff. The spire-server container log shows:

time="2022-11-11T22:47:23Z" level=info msg="Opening SQL database" db_type=sqlite3 subsystem_name=sql
time="2022-11-11T22:47:23Z" level=info msg="Running migrations..." schema=17 subsystem_name=sql version_info=1.1.5
time="2022-11-11T22:47:23Z" level=info msg="Migrating version" schema=17 subsystem_name=sql version_info=17
time="2022-11-11T22:47:23Z" level=error msg="Fatal run error" error="datastore-sql: migrating from schema version 17 requires a previous SPIRE release; please follow the upgrade strategy at doc/"
time="2022-11-11T22:47:23Z" level=error msg="Server crashed" error="datastore-sql: migrating from schema version 17 requires a previous SPIRE release; please follow the upgrade strategy at doc/"

Description: The SPIRE datastore is persisted on the host and survives SPIRE restarts. It was written at a schema version (schema=17, version_info=1.1.5 in the log above) that the SPIRE release now running cannot migrate in a single step, so the server refuses to start rather than risk the datastore.

Solution: For a development deployment, stop the SPIRE server (remove it), delete the current DB on the host, and restart SPIRE so the DB is recreated at the correct version. Note that this discards every registration entry, every attested agent and the server's CA state; a deployment whose data must survive should instead follow the SPIRE upgrade path that the error message points to, stepping through an intermediate SPIRE release.

When a PVC is used to persist SPIRE data, delete it:

kubectl -n spire-server get pvc
kubectl -n spire-server delete pvc spire-data-spire-server-0

The PVC will be recreated on the next deployment.

Otherwise, use the simple DB clean tool to attach to the SPIRE server's data volume and remove the files manually:

kubectl -n spire-server create -f
kubectl -n spire-server exec -it spire-server-0 -- sh

# once inside the pod:
cd /run/spire/data/
rm *

# delete the tool:
kubectl -n spire-server delete -f

# restart the SPIRE+Tornjak deployment

When the server uses the disk key manager with its keys stored in the same data directory, wiping it also discards the server's CA keys, so the restarted server issues a new CA. Agents in other clusters then keep failing to attest until they receive the new spire-bundle (see the agent attestation problem below).
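Before deleting a datastore it is worth knowing what it holds and which release wrote it. The script below is an added example for this page, not part of Tornjak or SPIRE: it opens the sqlite file read-only, reports the schema version and the number of registration entries and attested nodes, and flags whether the schema is older than what the running release can migrate directly. The table and column names (migrations.version, migrations.code_version, registered_entries, attested_node_entries) are assumptions taken from the layout of SPIRE's sqlite datastore, so confirm them against your file with `sqlite3 datastore.sqlite3 .schema`; the sample datastore built by make_sample_datastore is constructed so the script runs offline.

```python
"""Inspect a persisted SPIRE sqlite datastore before wiping it.

Added example for this troubleshooting page; it is not part of Tornjak or
SPIRE. Table and column names are assumptions based on SPIRE's sqlite
datastore layout; verify with `sqlite3 datastore.sqlite3 .schema`.
"""
import os
import sqlite3
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class DatastoreReport:
    schema_version: int
    code_version: str       # SPIRE release recorded in the migrations table
    registered_entries: int
    attested_nodes: int

    def needs_intermediate_release(self, min_direct_schema: int) -> bool:
        """True when the running server cannot migrate this schema in one step.

        min_direct_schema is the oldest schema the running SPIRE release can
        migrate from; it depends on the release you run (the log on this page
        shows that 17 was too old for the server that produced it).
        """
        return self.schema_version < min_direct_schema


def inspect_datastore(path: str) -> DatastoreReport:
    """Read schema version and row counts; the file is opened read-only."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        cur = conn.cursor()
        row = cur.execute("SELECT version, code_version FROM migrations").fetchone()
        if row is None:
            raise RuntimeError(f"{path}: migrations table is empty; not a SPIRE datastore?")
        entries = cur.execute("SELECT COUNT(*) FROM registered_entries").fetchone()[0]
        nodes = cur.execute("SELECT COUNT(*) FROM attested_node_entries").fetchone()[0]
        return DatastoreReport(int(row[0]), str(row[1]), int(entries), int(nodes))
    finally:
        conn.close()


def make_sample_datastore(path: str, schema: int = 17, code_version: str = "1.1.5") -> None:
    """Constructed stand-in for a real datastore so the example runs offline.

    Only the columns the inspector reads are created; a real SPIRE datastore
    has many more tables and columns.
    """
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE migrations (id INTEGER PRIMARY KEY, version INTEGER, code_version TEXT)")
        conn.execute("INSERT INTO migrations (version, code_version) VALUES (?, ?)", (schema, code_version))
        conn.execute("CREATE TABLE registered_entries (id INTEGER PRIMARY KEY, spiffe_id TEXT)")
        conn.executemany("INSERT INTO registered_entries (spiffe_id) VALUES (?)",
                         [("spiffe://example.org/workload-a",),
                          ("spiffe://example.org/workload-b",),
                          ("spiffe://example.org/workload-c",)])
        conn.execute("CREATE TABLE attested_node_entries (id INTEGER PRIMARY KEY, spiffe_id TEXT)")
        conn.execute("INSERT INTO attested_node_entries (spiffe_id) VALUES (?)",
                     ("spiffe://example.org/spire/agent/k8s_psat/cluster/node-1",))
    conn.close()


def sample_report() -> DatastoreReport:
    """Build the constructed datastore in a temp dir, inspect it, clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "datastore.sqlite3")
        make_sample_datastore(path)
        return inspect_datastore(path)


if __name__ == "__main__":
    # On a real server: inspect_datastore("/run/spire/data/datastore.sqlite3")
    report = sample_report()
    print(f"schema {report.schema_version}, code_version {report.code_version}")
    print(f"{report.registered_entries} registration entries, {report.attested_nodes} attested nodes")
    # 18 is an illustrative threshold; take the real one from the release you run.
    if report.needs_intermediate_release(min_direct_schema=18):
        print("too old to migrate directly: step through an intermediate SPIRE release, "
              "or accept losing the rows above and delete the datastore")
```

Run it inside the pod (or against a copy of datastore.sqlite3 pulled out with `kubectl cp`) and you know whether the wipe costs you anything before typing `rm *`.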

Problem: The pod with the Tornjak front-end fails to start. The kubectl "Events" section shows the following:

Startup probe failed: Get "": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

The message above is shown by (assuming the spire-server namespace; [POD] is a placeholder for the front-end pod name):

kubectl -n spire-server describe po [POD]


Description: (Often encountered on Minikube) The front-end does not finish compiling in time. The cluster may be too weak to satisfy the startup probe within the allotted time, which is failureThreshold × periodSeconds after initialDelaySeconds; Kubernetes defaults to 3 × 10 s when the probe sets neither field.


Solution: Increase the failureThreshold in the Tornjak deployment file (look for deployment.yaml) under startupProbe, for example:

failureThreshold: 15
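If you prefer to raise the threshold on a running cluster rather than edit deployment.yaml, the JSON Patch below is the form `kubectl patch --type json` accepts. This is an added example for this page, not Tornjak's own tooling: the deployment is a constructed, trimmed-down stand-in, and the container name "tornjak-frontend" is an assumption, so substitute the names from your manifest. The script computes the current startup budget, generates the patch with the right container index, and previews the budget after the patch.

```python
"""Raise a startupProbe failureThreshold with a JSON Patch kubectl can apply.

Added example for this page, not Tornjak's own code. SAMPLE_DEPLOYMENT is a
constructed stand-in; the container name is an assumption.
"""
import json
from copy import deepcopy

# Kubernetes defaults when a probe omits these fields.
K8S_DEFAULT_PERIOD_SECONDS = 10
K8S_DEFAULT_FAILURE_THRESHOLD = 3


def startup_budget_seconds(probe: dict) -> int:
    """Seconds the kubelet allows after initialDelaySeconds: failureThreshold * periodSeconds."""
    return (probe.get("failureThreshold", K8S_DEFAULT_FAILURE_THRESHOLD)
            * probe.get("periodSeconds", K8S_DEFAULT_PERIOD_SECONDS))


def find_container(deployment: dict, name: str) -> tuple[int, dict]:
    """Return (index, container) so the patch path can address the right entry."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    for idx, c in enumerate(containers):
        if c.get("name") == name:
            return idx, c
    raise KeyError(f"no container named {name!r}")


def raise_failure_threshold(deployment: dict, container: str, failure_threshold: int) -> list[dict]:
    """Return an RFC 6902 patch (what `kubectl patch --type json -p` takes).

    Uses "add" when failureThreshold is absent: a JSON Patch "replace" on a
    missing key is rejected, so the choice matters for a probe that relied on
    the default.
    """
    idx, c = find_container(deployment, container)
    probe = c.get("startupProbe")
    if probe is None:
        raise KeyError(f"container {container!r} has no startupProbe")
    op = "replace" if "failureThreshold" in probe else "add"
    path = f"/spec/template/spec/containers/{idx}/startupProbe/failureThreshold"
    return [{"op": op, "path": path, "value": failure_threshold}]


def apply_patch_locally(deployment: dict, patch: list[dict]) -> dict:
    """Apply the add/replace ops produced above to a copy, to preview the result."""
    out = deepcopy(deployment)
    for op in patch:
        node = out
        keys = op["path"].lstrip("/").split("/")
        for key in keys[:-1]:
            node = node[int(key)] if isinstance(node, list) else node[key]
        node[keys[-1]] = op["value"]
    return out


def kubectl_patch_command(deployment: dict, patch: list[dict]) -> str:
    md = deployment["metadata"]
    return (f"kubectl -n {md['namespace']} patch deployment {md['name']} "
            f"--type json -p '{json.dumps(patch)}'")


# Constructed sample: the probe relies on the Kubernetes defaults (30 s budget).
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "tornjak-frontend", "namespace": "spire-server"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "tornjak-frontend",
         "image": "example/tornjak-frontend",   # constructed image name
         "startupProbe": {"httpGet": {"path": "/", "port": 3000}}},
    ]}}},
}


if __name__ == "__main__":
    _, c = find_container(SAMPLE_DEPLOYMENT, "tornjak-frontend")
    print("current startup budget:", startup_budget_seconds(c["startupProbe"]), "s")
    patch = raise_failure_threshold(SAMPLE_DEPLOYMENT, "tornjak-frontend", 15)
    _, c2 = find_container(apply_patch_locally(SAMPLE_DEPLOYMENT, patch), "tornjak-frontend")
    print("budget after patch:", startup_budget_seconds(c2["startupProbe"]), "s")
    print(kubectl_patch_command(SAMPLE_DEPLOYMENT, patch))
```

Raising failureThreshold keeps the probe's period unchanged, so a healthy front-end is still detected as soon as it answers; only the deadline before the kubelet restarts the container moves.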


Problem: The agent log shows an error:

time="2021-10-01T15:26:14Z" level=info msg="SVID is not found. Starting node attestation" subsystem_name=attestor trust_domain_id="spiffe://"
time="2021-10-01T15:26:44Z" level=error msg="Agent crashed" error="create attestation client: failed to dial dns:/// context deadline exceeded: connection error: desc = \"transport: authentication handshake failed: x509svid: could not verify leaf certificate: x509: certificate signed by unknown authority (possibly because of \\\"crypto/rsa: verification error\\\" while trying to verify candidate authority certificate \\\"SPIFFE\\\")\""


Description: The keys or certificates required for attestation do not match. The trust bundle held by the agent does not contain the CA that signed the server's SVID, so the TLS handshake to the server fails; this typically happens after the SPIRE server's CA was regenerated (for example after the datastore was deleted as described above) while the agent cluster still carries the old bundle. Either the spire-bundle needs to be refreshed in the agent cluster, or the kubeconfigs secret on the SPIRE server needs to be updated.

Solution: To update the "spire-bundle", export the spire-bundle ConfigMap from the SPIRE server, change its namespace to match the agent cluster, then deploy it in the agent namespace.

On the SPIRE server (assuming the spire-server namespace):

kubectl -n spire-server get configmap spire-bundle -oyaml | kubectl patch --type json --patch '[{"op": "replace", "path": "/metadata/namespace", "value":"spire"}, {"op": "remove", "path": "/metadata/resourceVersion"}, {"op": "remove", "path": "/metadata/uid"}, {"op": "remove", "path": "/metadata/creationTimestamp"}]' -f - --dry-run=client -oyaml > spire-bundle.yaml

The exported object carries server-populated metadata (resourceVersion, uid, creationTimestamp); the patch drops it, because the API server rejects a create request for an object whose resourceVersion is set.

On the SPIRE agent cluster (assuming the spire namespace):

kubectl -n spire create -f spire-bundle.yaml

There is no need to restart the agents by hand: Kubernetes keeps restarting the crashed agent container, and once the updated spire-bundle ConfigMap is mounted the next restart attests successfully.
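To confirm the diagnosis before copying the bundle, compare the CA certificates the server publishes with the ones the agent cluster trusts. The script below is an added example for this page, not part of Tornjak or SPIRE: it fingerprints every certificate in the bundle PEM of two ConfigMaps and reports which CAs the agent is missing and which stale ones it still trusts, then produces the relocated ConfigMap with the server-populated metadata stripped, ready for `kubectl create`. It assumes the bundle lives under the data key "bundle.crt" (the k8sbundle notifier default); the two ConfigMaps and their PEM payloads are constructed inline so it runs offline, and in real use you feed it the JSON from `kubectl get configmap spire-bundle -o json` on each cluster.

```python
"""Compare spire-bundle CA sets across clusters and relocate the ConfigMap.

Added example for this page; not part of Tornjak or SPIRE. Assumes the bundle
is stored under the "bundle.crt" data key. Sample ConfigMaps are constructed.
"""
import base64
import hashlib
import json
import re
from copy import deepcopy

BUNDLE_KEY = "bundle.crt"
# Populated by the API server on read; resourceVersion in particular makes a
# subsequent `kubectl create` fail, so all of them are dropped.
SERVER_SIDE_METADATA = ("resourceVersion", "uid", "creationTimestamp",
                        "managedFields", "selfLink")

_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def ca_fingerprints(pem_bundle: str) -> list[str]:
    """SHA-256 of each certificate's DER bytes, lowercase hex.

    For real certificates this equals `openssl x509 -noout -fingerprint -sha256`
    (without the colons).
    """
    fingerprints = []
    for block in _PEM_CERT.findall(pem_bundle):
        der = base64.b64decode("".join(block.split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def relocate_configmap(cm: dict, namespace: str) -> dict:
    """Copy of the ConfigMap targeted at another namespace, safe to create."""
    out = deepcopy(cm)
    out["metadata"]["namespace"] = namespace
    for field in SERVER_SIDE_METADATA:
        out["metadata"].pop(field, None)
    return out


def bundle_drift(server_cm: dict, agent_cm: dict) -> dict:
    """CAs the agent cluster lacks, and stale CAs it still trusts."""
    server = set(ca_fingerprints(server_cm["data"].get(BUNDLE_KEY, "")))
    agent = set(ca_fingerprints(agent_cm["data"].get(BUNDLE_KEY, "")))
    return {"missing_on_agent": sorted(server - agent),
            "stale_on_agent": sorted(agent - server)}


def _fake_pem(label: bytes) -> str:
    """Constructed stand-in: base64 of a label, NOT a real DER certificate."""
    b64 = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed scenario: the server was recreated with CA "B"; the agent
# cluster still holds the bundle with the old CA "A".
SERVER_CM = {
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "spire-bundle", "namespace": "spire-server",
                 "resourceVersion": "12345",
                 "uid": "00000000-0000-0000-0000-000000000000",
                 "creationTimestamp": "2022-11-11T22:47:23Z"},
    "data": {BUNDLE_KEY: _fake_pem(b"constructed CA B")},
}
AGENT_CM = {
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "spire-bundle", "namespace": "spire"},
    "data": {BUNDLE_KEY: _fake_pem(b"constructed CA A")},
}


if __name__ == "__main__":
    drift = bundle_drift(SERVER_CM, AGENT_CM)
    print("drift:", json.dumps(drift, indent=2))
    if drift["missing_on_agent"]:
        # This is the manifest to `kubectl -n spire create -f` in the agent cluster.
        print(json.dumps(relocate_configmap(SERVER_CM, "spire"), indent=2))
```

An empty "missing_on_agent" list with the handshake still failing points at the other cause the description names, the kubeconfigs secret on the server, rather than at the bundle.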

Tornjak Configuration

User Management