Create a troubleshooting guide for Application Connector

docs/application-connector/10-01-overview.md

@@ -0,0 +1,8 @@
+---
+title: Overview
+type: Troubleshooting
+---
+
+The troubleshooting section aims to identify the most common recurring problems with the Application Connector, as well as the most suitable solutions to these problems.
+
+If you cannot find a solution to your problem, do not hesitate to create a [GitHub](https://github.com/kyma-project/kyma/issues) issue or reach out to the **#application-connector** [Slack channel](http://slack.kyma-project.io/) to get direct support from the community.

docs/application-connector/10-02-application-gateway-troubleshooting.md

@@ -0,0 +1,80 @@
+---
+title: Error when calling a registered service
+type: Troubleshooting
+---
+
+If you call a registered service and receive an error, follow these steps to detect the source of the problem:
+
+
+1. Check the logs
+
+    Check the logs from Application Gateway Pod to verify that the call reached Application Gateway.   
+    To fetch these logs, run this command:
+    ```
+    kubectl -n kyma-integration logs -l app={APP_NAME}-application-gateway -c {APP_NAME}-application-gateway
+    ```
+    The request that reached the Pod is logged by Application Gateway.
+
+2. Check for Access Service
+
+    If the call you tried to make is not in the logs, check if an [Access Service](#architecture-application-connector-components-access-service) exists for the service you are trying to call.
+    ```
+    kubectl -n kyma-integration get svc app-{APP_NAME}-{SERVICE_ID}
+    ```
+3. Re-register the service
+
+    If Access Service does not exist, run this command to deregister the service you tried to call:
+
+    <div tabs name="deregistration">
+      <details>
+      <summary>
+      With a trusted certificate
+      </summary>
+
+      ```
+      curl -X DELETE https://gateway.{CLUSTER_DOMAIN}/{APP_NAME}/v1/metadata/services/{SERVICE_ID} --cert {CERTIFICATE_FILE} --key {KEY_FILE}
+      ```
+      </details>
+      <details>
+      <summary>
+      Without a trusted certificate
+      </summary>
+
+      ```
+      curl -X DELETE https://gateway.{CLUSTER_DOMAIN}/{APP_NAME}/v1/metadata/services/{SERVICE_ID} --cert {CERTIFICATE_FILE} --key {KEY_FILE} -k
+      ```
+      </details>
+    </div>
+
+    Then, register the service and try calling again. Registering the service again recreates the Access Service.  
+    To register a service, see [this tutorial](components/application-connector/#tutorials-register-a-service-register-a-service).
+
+
+4. Check the API URL
+
+    If your call reaches the Application Gateway and the Access Service exists, but you still receive an error, check if the API URL in the service definition matches the API URL of the actual service you are trying to call.  
+    To check the target URL of the API, fetch the Service definition from Application Registry:
+
+    <div tabs name="verification">
+      <details>
+      <summary>
+      With a trusted certificate
+      </summary>
+
+      ```
+      curl https://gateway.{CLUSTER_DOMAIN}/{APP_NAME}/v1/metadata/services/{SERVICE_ID} --cert {CERTIFICATE_FILE} --key {KEY_FILE}
+      ```
+      </details>
+      <details>
+      <summary>
+      Without a trusted certificate
+      </summary>
+
+      ```
+      curl https://gateway.{CLUSTER_DOMAIN}/{APP_NAME}/v1/metadata/services/{SERVICE_ID} --cert {CERTIFICATE_FILE} --key {KEY_FILE} -k
+      ```
+      </details>
+    </div>
+
+    A successful call returns a `json` response with the service definition that contains the target URL.  
+    Call the target URL directly to verify that the value of `api.targetUrl` is correct.

docs/application-connector/10-03-application-registry-troubleshooting.md

@@ -0,0 +1,42 @@
+---
+title: Certificate-related errors when trying to access Application Registry
+type: Troubleshooting
+---
+
+## Application Registry - No certificate
+
+If you try to access Application Registry without a client certificate, you get this error:
+```
+error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert handshake failure
+```
+To access Application Registry you need to pass a client certificate with the HTTP request.  
+To generate a client certificate, see [this tutorial](#tutorials-get-the-client-certificate). 
+
+## Application Registry - Expired certificate
+
+If you try to access Application Registry using an expired client certificate, you get this error:
+```
+error:1401E415:SSL routines:CONNECT_CR_FINISHED:sslv3 alert certificate expired
+```
+To access Application Registry you need to pass a valid client certificate with the request.  
+To generate a new client certificate, see [this tutorial](#tutorials-get-the-client-certificate).  
+
+## Application Registry - Invalid subject
+
+If you try to access Application Registry with the wrong certificate, you get this error:
+```
+{"code":403,"error":"No valid subject found"}
+```
+Make sure that your certificate is generated for the Application that you are trying to access.  
+To get the certificate subject, run:
+```
+openssl req -noout -subject -in {PATH_TO_CSR_FILE}
+```
+You get the certificate subject as a response:
+```
+subject=/OU=OrgUnit/O=Organization/L=Waldorf/ST=Waldorf/C=DE/CN={APPLICATION_NAME}
+```
+Check that the common name `CN` matches the name of your Application.  
+If it does not, generate a new certificate for your Application. 
+
+To generate a new client certificate, see [this tutorial](#tutorials-get-the-client-certificate).

docs/application-connector/10-04-connector-service-troubleshooting.md

@@ -0,0 +1,34 @@
+---
+title: Errors when generating or renewing a certificate
+type: Troubleshooting
+---
+
+## Invalid Certificate Signing Request (CSR)
+
+If you try to generate a client certificate, you may get this error:
+```json
+{
+  "code":403,
+  "error":"CSR: Invalid common name provided."
+}
+```
+
+This error is caused by applying wrong subject information to your Certificate Signing Request.  
+To ensure CSR was generated properly, check the values returned by the Connector Service with the call that fetched CSR information:
+```json
+{
+  ...
+  "certificate":{
+    "subject":"O=Organization,OU=OrgUnit,L=Waldorf,ST=Waldorf,C=DE,CN=CNAME",
+    "extensions":"",
+    "key-algorithm":"rsa2048"
+  }
+}
+```
+
+Subject values present in CSR should match the subject in the response that you got.
+
+To check the subject of the generated CSR, run this command:
+```
+openssl req -noout -subject -in {PATH_TO_CSR_FILE}
+```

docs/application-connector/tmp.md

@@ -0,0 +1,80 @@
+---
+title: Error when calling a registered service
+type: Troubleshooting
+---
+
+If you call a registered service and receive an error, follow these steps to detect the source of the problem.
+
+
+1. Check the logs
+
+  Check the logs from Application Gateway Pod to verify that the call reached Application Gateway.   
+  To fetch these logs, run this command:
+  ```
+  kubectl -n kyma-integration logs -l app={APP_NAME}-application-gateway -c {APP_NAME}-application-gateway
+  ```
+  The request that reached the Pod is logged by Application Gateway.
+
+2. Check for Access Service
+
+  If the call you tried to make is not in the logs, check if [Access Service](components/application-connector/#architecture-application-connector-components-access-service) for the service you are trying to call exists.
+  ```
+  kubectl -n kyma-integration get svc app-{APP_NAME}-{SERVICE_ID}
+  ```
+3. Re-register the service
+
+  If Access Service does not exist, run this command to deregister the service you tried to call:
+
+  <div tabs name="deregistration">
+    <details>
+    <summary>
+    With a trusted certificate
+    </summary>
+
+    ```
+    curl -X DELETE https://gateway.{CLUSTER_DOMAIN}/{APP_NAME}/v1/metadata/services/{SERVICE_ID} --cert {CERTIFICATE_FILE} --key {KEY_FILE}
+    ```
+    </details>
+    <details>
+    <summary>
+    Without a trusted certificate
+    </summary>
+
+    ```
+    curl -X DELETE https://gateway.{CLUSTER_DOMAIN}/{APP_NAME}/v1/metadata/services/{SERVICE_ID} --cert {CERTIFICATE_FILE} --key {KEY_FILE} -k
+    ```
+    </details>
+  </div>
+
+  Then, register the service and try calling again. The service re-registration recreates Access Service.  
+  To register a service, see [this tutorial](components/application-connector/#tutorials-register-a-service-register-a-service).
+
+
+4. Check the API URL
+
+  If your call reaches Application Gateway and Access Service exists, but you still receive an error, check if the API URL in the service definition matches the API URL of the actual service you are trying to call.  
+  To check the target URL of the API, fetch the Service definition from Application Registry:
+
+  <div tabs name="verification">
+    <details>
+    <summary>
+    With a trusted certificate
+    </summary>
+
+    ```
+    curl https://gateway.{CLUSTER_DOMAIN}/{APP_NAME}/v1/metadata/services/{SERVICE_ID} --cert {CERTIFICATE_FILE} --key {KEY_FILE}
+    ```
+    </details>
+    <details>
+    <summary>
+    Without a trusted certificate
+    </summary>
+
+    ```
+    curl https://gateway.{CLUSTER_DOMAIN}/{APP_NAME}/v1/metadata/services/{SERVICE_ID} --cert {CERTIFICATE_FILE} --key {KEY_FILE} -k
+    ```
+    </details>
+  </div>
+
+  A successful call returns a `json` response with the service definition that contains the target URL.  
+  Access the target URL directly to verify that the value of `api.targetUrl` is correct.