Use this guide only when the standard registry change procedure is unavailable.
If, after the license token expired, the Deckhouse Kubernetes Platform (DKP) pods were restarted, their logs will show a registry connection error when pulling DKP images. To switch the cluster to a new token, run the following steps on any master node:
-
Save the current
deckhouse-registrysecret configuration to a temporary file:d8 k -n d8-system get secret deckhouse-registry -o yaml > /tmp/deckhouse-registry.yaml -
In the temporary file
/tmp/deckhouse-registry.yaml, replace the.dockerconfigjsonfield with a Base64-encoded string containing the registry connection parameters. You can generate the required string with the commands below, substituting your ownMYPASSWORDandMYREGISTRYvalues:declare MYUSER='license-token' declare MYPASSWORD='example-token' declare MYREGISTRY='example-regsitry.deckhouse.ru' MYAUTH=$(echo -n "$MYUSER:$MYPASSWORD" | base64 -w0) MYRESULTSTRING=$(echo -n "{\"auths\":{\"$MYREGISTRY\":{\"username\":\"$MYUSER\",\"password\":\"$MYPASSWORD\",\"auth\":\"$MYAUTH\"}}}" | base64 -w0) echo "$MYRESULTSTRING" -
Allow updating the stale secret:
d8 k delete validatingadmissionpolicybindings.admissionregistration.k8s.io heritage-label-objects.deckhouse.io -
Import the updated configuration:
d8 k -n d8-system apply -f /tmp/deckhouse-registry.yaml -
Find the problematic
deckhousePod on the current master node and delete it:d8 k get pods -n d8-system -o wide d8 k delete pod -n d8-system deckhouse-<id> -
Make sure the new
deckhousePod has started successfully:d8 k get pods -n d8-system -
If necessary, delete any remaining
deckhousePods that are in an incorrect state. -
Repeat the standard procedure for changing the registry, substituting your token, the required registry address, and the edition instead of
example:d8 k -n d8-system exec -ti svc/deckhouse-leader -c deckhouse -- deckhouse-controller helper change-registry --user licence-token --password MY-PASSWORD registry-example.deckhouse.ru/deckhouse/example