Loading

How to Manually Renew the Credentials for the Image Registry in RTF

Veröffentlichungsdatum: Aug 4, 2025
Aufgabe

GOAL

RTF pulls container images from a remote private registry. A cron job keeps renewing the credentials required to pull the images. In some situations, you may not want to wait for new cron job to be triggered to refresh the credentials and want to manually trigger the cron to renew the credentials. This article explains how to achieve this.  

Schritte
Run the script from Github remotely on a controller node (use the "-x http://<user>:<pass>@<proxy-ip>:<proxy-port>" option in the curl command to specify proxy if required). It will trigger the cron job and print out logs. "completed" means the job is executed successfully, and "failed" indicates something went wrong. In case of failure, please check the logs for details.

Run the following command as root user outside of gravity: 
> curl -s https://raw.githubusercontent.com/mulesoft-labs/rtf-utilities/master/scripts/refresh_creds.sh | bash
job.batch/refresh-creds-8a9228 created
job.batch/refresh-creds-8a9228 condition met
Job refresh-creds-8a9228 [completed]
Updating namespace "6c3c3e41-e5a1-4423-81bc-xxxxxx"
secret/awsecr-cred configured
Updating namespace "89c3f719-a117-4c66-9017-xxxxxx"
secret/awsecr-cred configured
Updating namespace "c62b4c29-3361-4436-a7e9-xxxxxx"
secret/awsecr-cred configured
Updating namespace "rtf"
secret/awsecr-cred configured
job.batch "refresh-creds-8a9228" deleted
Alternatively,  you can copy the script from Github and run it on a controller node. 
> chmod +x ./refresh_creds.sh
> ./refresh_creds.sh



Known issues

If you are using a proxy and still have the same error after running the above script, you will need to manually edit the registry-creds cronjob to add a block for HTTPS_PROXY
  
kubectl get cronjob registry-creds -n rtf -o yaml > registry-creds-bk.yaml

kubectl edit cronjob/registry-creds -n rtf

After the evn variable HTTP_PROXY copy the same block and name it HTTPS_PROXY but still use the HTTP_PROXY key

Before: 
- name: HTTP_PROXY
              valueFrom:
                secretKeyRef:
                  key: HTTP_PROXY
                  name: custom-properties
                  optional: true
            - name: NO_PROXY
              valueFrom:
                secretKeyRef:
                  key: HTTP_NO_PROXY
                  name: custom-properties
                  optional: true

After:
  
- name: HTTP_PROXY
              valueFrom:
                secretKeyRef:
                  key: HTTP_PROXY
                  name: custom-properties
                  optional: true
            - name: HTTPS_PROXY
              valueFrom:
                secretKeyRef:
                  key: HTTP_PROXY
                  name: custom-properties
                  optional: true
            - name: NO_PROXY
              valueFrom:
                secretKeyRef:
                  key: HTTP_NO_PROXY
                  name: custom-properties
                  optional: true


 

Cgroups

A known cgroup memory leaking issue can cause the credentials refresh job not to run, either automatic or manually, and credentials will expire. Please refer to RTF - How to Resolve the Cgroup Memory Leaking Issue in Runtime Fabric, you will need to upgrade the kernel and appliance. 
Note: Even if you are on updated kernel and appliance the affected node may need a reboot to allow this job to complete successfully.

RTF Agent Upgrade

WARNING: If you are upgrading your RTF agent version, see that the "rtf-upgrade" job in "ImagePullBackoff" or "ErrImagePull", and see that the "rtf-upgrade" job is missing in the local Docker registry (How to List Images in Local Docker Registry in RTF or PCE), you will need to run the following command to push the "rtf-upgrade" job into the cluster repository: 
docker push leader.telekube.local:5000/rtf-upgrade

 
Nummer des Knowledge-Artikels

001116883

 
Laden
Salesforce Help | Article