Use this guide only when the standard registry change procedure is unavailable.
If, after the license token expired, the Deckhouse Kubernetes Platform (DKP) pods were restarted, their logs will show a registry connection error when pulling DKP images. To switch the cluster to a new token, run the following steps on any master node:
-
Save the current
deckhouse-registry
secret configuration to a temporary file:d8 k -n d8-system get secret deckhouse-registry -o yaml > /tmp/deckhouse-registry.yaml
-
In the temporary file
/tmp/deckhouse-registry.yaml
, replace the.dockerconfigjson
field with a Base64-encoded string containing the registry connection parameters. You can generate the required string with the commands below, substituting your ownMYPASSWORD
andMYREGISTRY
values:declare MYUSER='license-token' declare MYPASSWORD='example-token' declare MYREGISTRY='example-regsitry.deckhouse.ru' MYAUTH=$(echo -n "$MYUSER:$MYPASSWORD" | base64 -w0) MYRESULTSTRING=$(echo -n "{\"auths\":{\"$MYREGISTRY\":{\"username\":\"$MYUSER\",\"password\":\"$MYPASSWORD\",\"auth\":\"$MYAUTH\"}}}" | base64 -w0) echo "$MYRESULTSTRING"
-
Allow updating the stale secret:
d8 k delete validatingadmissionpolicybindings.admissionregistration.k8s.io heritage-label-objects.deckhouse.io
-
Import the updated configuration:
d8 k -n d8-system apply -f /tmp/deckhouse-registry.yaml
-
Find the problematic
deckhouse
Pod on the current master node and delete it:d8 k get pods -n d8-system -o wide d8 k delete pod -n d8-system -o deckhouse-<id>
-
Make sure the new
deckhouse
Pod has started successfully:d8 k get pods -n d8-system
-
If necessary, delete any remaining
deckhouse
Pods that are in an incorrect state. -
Repeat the standard procedure for changing the registry, substituting your token, the required registry address, and the edition instead of
example
:d8 k -n d8-system exec -ti svc/deckhouse-leader -c deckhouse -- deckhouse-controller helper change-registry --user licence-token --password MY-PASSWORD registry-example.deckhouse.ru/deckhouse/example