Document recovery token generation (#2579) (#2601)

* document recovery token generation * run console anywhere to generate token Co-authored-by: Alex Fornuto <afornuto@pomerium.com>
2025-05-31 18:07:17 +02:00 · 2021-09-15 20:34:04 +00:00 · 2021-09-15 20:34:04 +00:00 · ca704e17f1
commit ca704e17f1
parent d373a54698
5 changed files with 28 additions and 0 deletions
--- a/docs/enterprise/install/helm.md
+++ b/docs/enterprise/install/helm.md
@ -162,3 +162,7 @@ kubectl delete svc pomerium-proxy

 [Pomerium using Helm]: /docs/install/helm.md
 [cert-manager]: https://cert-manager.io/docs/
+
+### Generate Recovery Token
+
+!!!include(generate-recovery-token.md)!!!
--- a/docs/enterprise/install/img/recovery-token.png
+++ b/docs/enterprise/install/img/recovery-token.png
@ -0,0 +1 @@
+../../../partials/img/recovery-token.png
--- a/docs/enterprise/install/quickstart.md
+++ b/docs/enterprise/install/quickstart.md
@ -212,3 +212,9 @@ audience: console.localhost.pomerium.com
 ## Next Steps

 Pomerium Enterprise assumes access to a [Prometheus](https://prometheus.io/) data store for metrics. See [Prometheus Metrics](/enterprise/prometheus.md) to learn how to configure access.
+
+## Troubleshooting
+
+### Generate Recovery Token
+
+!!!include(generate-recovery-token.md)!!!
--- a/docs/partials/generate-recovery-token.md
+++ b/docs/partials/generate-recovery-token.md
@ -0,0 +1,17 @@
+There could arise several situations that prevent Pomerium from authenticating users to Pomerium Enterprise. In these situations, you may be presented with the recovery sign in page:
+
+![Pomerium Enterprise Recovery Sign In](./img/recovery-token.png)
+
+This page requires a recovery token. To generate a token, run the `pomerium-console generate-recovery token` with the following flags:
+
+| Flag                        | Description |
+| --------------------------- | ----------- |
+| `--database-encryption-key` | base64-encoded encryption key for encrypting sensitive data in the database. |
+| `--database-url`            | The database to connect to (default "`postgresql://pomerium:pomerium@localhost:5432/dashboard?sslmode=disable`"). |
+| `--namespace`               | The namespace to use (default "`9d8dbd2c-8cce-4e66-9c1f-c490b4a07243`" for Global). |
+| `--out`                     | Where to save the JWT. If not specified, it will be printed to stdout. |
+| `--ttl`                     | The amount of time before the recovery token expires. Requires a unit (example: `30s`, `5m`).|
+
+::: tip
+You can run the `pomerium-console` binary from any device with access to the database.
+:::
--- a/docs/partials/img/recovery-token.png
+++ b/docs/partials/img/recovery-token.png