Validate Kubernetes Cluster Health
Validation
Step 1: Validate the cluster

    kubectl get nodes
    kubectl get pods -A

Step 2: Validate GitOps sync

    kubectl get apps -n argocd

Step 3: Validate Tailnet ingress

    kubectl get gatewayclass
    kubectl get gateways -n tailscale
    kubectl get certificates -n tailscale
    kubectl get pods -n tailscale
    kubectl get pods -n envoy-gateway
    kubectl get svc -n tailscale-dns
    kubectl get httproute -A

If a route is not accepting, describe it to see conditions:

    kubectl describe httproute <name> -n <namespace>

Hubble UI is available at https://hubble.sudhanva.me from a Tailnet client once the HTTPRoute syncs.

Validate split-horizon DNS

On a tailnet client, docs.sudhanva.me should resolve to the Tailscale Gateway IP:

    dig +short docs.sudhanva.me @100.100.100.100
    curl -I https://docs.sudhanva.me

If you have other apps exposed through the Gateway, validate one of them as well:

    dig +short home.sudhanva.me @100.100.100.100
    curl -I https://home.sudhanva.me

Off the tailnet, it should resolve to Cloudflare:

    dig +short docs.sudhanva.me @1.1.1.1
    curl -I https://docs.sudhanva.me

Step 4: Validate External Secrets

If infra-external-secrets is Degraded, verify the Vault token secret and ClusterSecretStore:

    kubectl -n external-secrets get secret vault-eso-token
    kubectl -n external-secrets get clustersecretstore vault -o yaml
    kubectl -n external-dns get externalsecret cloudflare-api-token -o yaml

Step 5: Run local checks before push

    pre-commit run --all-files
    kubectl get nodes
    kubectl get pods -A
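
For the split-horizon DNS validation under Step 3, the two `dig` answers can be compared by script, which also catches a public view that leaks a tailnet address. This is an added example, not part of the original page; it assumes the Gateway's tailnet address lies in Tailscale's IPv4 range 100.64.0.0/10, and the function names and script name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page). Assumption: the Gateway's
# tailnet address is inside Tailscale's IPv4 range, 100.64.0.0/10.

# Return 0 if $1 is a dotted-quad IPv4 address inside 100.64.0.0/10.
in_tailnet_range() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split into octets (digits and dots only)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Return 0 if every A record in $1 (dig +short output) satisfies $2:
# "tailnet" = all inside the range, "public" = none inside the range.
check_view() {
    seen=0
    for ip in $1; do
        case $ip in *[!0-9.]*) continue ;; esac   # skip CNAME lines
        seen=1
        if in_tailnet_range "$ip"; then
            [ "$2" = tailnet ] || { echo "FAIL: public view leaks tailnet address $ip"; return 1; }
        else
            [ "$2" = public ] || { echo "FAIL: tailnet view returned $ip"; return 1; }
        fi
    done
    [ "$seen" -eq 1 ] || { echo "FAIL: no A record in $2 view"; return 1; }
}

# split_horizon_verdict <tailnet-view answers> <public-view answers>
split_horizon_verdict() {
    check_view "$1" tailnet || return 1
    check_view "$2" public || return 1
    echo "OK: tailnet and public views differ as expected"
}

# Live use from a tailnet client: sh check-split-dns.sh --live docs.sudhanva.me
if [ "${1:-}" = "--live" ]; then
    host=${2:?usage: --live <hostname>}
    split_horizon_verdict "$(dig +short "$host" @100.100.100.100)" \
                          "$(dig +short "$host" @1.1.1.1)"
fi
```

The script exits non-zero on any FAIL line, so it can run alongside the other checks in Step 5.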