If you are unable to retrieve images from the kURL registry, it’s possible that the registry certificates have expired. These are automatically rotated in modern versions of ekco, but if you’re running an older version, you may need to rotate them yourself. You can check whether the kURL registry certificates have expired by running:
kubectl -n kurl get secret registry-pki -o=jsonpath='{.data.registry\.crt}' | base64 -d | openssl x509 -noout -dates
You can use the following script to rotate the certificates:
If the kURL cluster in question has the EKCO add-on >= 0.5.0, registry certificates ought to be automatically renewed. If that process fails for some reason, you can restart ekco to have it renew the certificates by following the steps below:
- Restart the pod using the command below, which also increases the log level to allow troubleshooting:
kubectl set env -n kurl deployment/ekc-operator -c ekc-operator LOG_LEVEL=debug
Logs can be inspected using:
kubectl logs -n kurl deployment/ekc-operator
- Confirm that the certificates were updated by checking the certificate served by the registry:
echo "" | openssl s_client -connect "$(kubectl get svc -n kurl registry -o jsonpath='{.spec.clusterIP}'):443" -servername registry -CAfile /etc/kubernetes/pki/ca.crt | openssl x509 -noout -dates -subject
- If the certificates were renewed, revert ekco’s log level:
kubectl set env -n kurl deployment/ekc-operator -c ekc-operator LOG_LEVEL=info
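The two manual checks above (the certificate in the registry-pki secret and the certificate served by the registry) can be combined into one scripted check. This is an added example, not part of the original article or of kURL. The function names and the 30-day warning window are assumptions, and it assumes the registry serves the leaf certificate stored in registry-pki.

```bash
# Added example: classify the kURL registry certificates by remaining lifetime.
# Function names and the default 30-day window are assumptions.

# Print "unreadable", "expired", "expiring" or "valid" for the PEM file in $1.
# $2 is the warning window in days (default 30).
cert_state() {
  local pem=$1 days=${2:-30}
  if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
    echo unreadable; return 2
  elif ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo expired
  elif ! openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
    echo expiring
  else
    echo valid
  fi
}

# Succeed only if both PEM files hold the same certificate (SHA-256 fingerprint).
same_cert() {
  local a b
  a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 2
  b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 2
  [ "$a" = "$b" ]
}

# Fetch both certificates with the commands from the article and report on them.
check_kurl_registry() {
  local days=${1:-30} tmp ip
  tmp=$(mktemp -d) || return 2
  kubectl -n kurl get secret registry-pki -o=jsonpath='{.data.registry\.crt}' \
    | base64 -d > "$tmp/secret.crt"
  ip=$(kubectl get svc -n kurl registry -o jsonpath='{.spec.clusterIP}')
  openssl s_client -connect "$ip:443" -servername registry \
    -CAfile /etc/kubernetes/pki/ca.crt </dev/null 2>/dev/null \
    | openssl x509 > "$tmp/served.crt" 2>/dev/null
  echo "secret: $(cert_state "$tmp/secret.crt" "$days")"
  echo "served: $(cert_state "$tmp/served.crt" "$days")"
  same_cert "$tmp/secret.crt" "$tmp/served.crt" \
    || echo "registry is not serving the certificate stored in registry-pki"
  rm -rf "$tmp"
}

# Run on a cluster node with: <script> --check [days]
if [ "${1:-}" = "--check" ]; then check_kurl_registry "${2:-30}"; fi
```

A "valid" secret alongside an "expired" or mismatched served certificate means the renewed certificate has not yet been picked up by the registry.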