Upgrade
This chapter details how to update an existing Keysafe 5 install to the latest version.
When upgrading Keysafe 5 it is recommended to first update the Helm charts installed in the central platform and then update all Keysafe 5 agent installs on host machines being managed by Keysafe 5.
Ensure all pods are healthy prior to performing an upgrade; unhealthy pods can prevent Helm from fully completing an upgrade.
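One way to turn the pod-health requirement above into a pre-upgrade gate, as an added example that is not part of the Keysafe 5 documentation. The function name and the sample pod names and states are constructed for illustration.

```shell
#!/bin/sh
# Pre-upgrade gate. Reads the table printed by
#   kubectl get pods -A --no-headers
# on stdin, lists every pod that is not healthy, and returns non-zero if any.
unhealthy_pods() {
  awk '
    NF < 4 { next }                       # skip blank or truncated lines
    {
      ns = $1; name = $2; status = $4
      n = split($3, ready, "/")           # READY column, e.g. 2/2
      if (status == "Completed") next     # finished Job pods are fine
      if (status == "Running" && n == 2 && ready[1] == ready[2]) next
      printf "%s/%s READY=%s STATUS=%s\n", ns, name, $3, status
      bad = 1
    }
    END { exit (bad ? 1 : 0) }            # non-zero blocks the upgrade
  '
}

# Constructed sample output (pod names and states are made up).
SAMPLE_PODS='nshieldkeysafe5 hsm-mgmt-0 2/2 Running 0 3d
nshieldkeysafe5 sw-mgmt-0 1/2 Running 4 (2m ago) 3d
mongons mongo-0 1/1 Running 0 3d
rabbitns rabbit-0 0/1 CrashLoopBackOff 12 (30s ago) 3d
mongons backup-job-x 0/1 Completed 0 1d'

if printf '%s\n' "$SAMPLE_PODS" | unhealthy_pods; then
  echo "all pods healthy: safe to run helm upgrade"
else
  echo "fix the pods listed above before running helm upgrade" >&2
fi
```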
Helm Chart Upgrade
To upgrade the release of a Helm Chart, run a helm upgrade command; see Helm Upgrade.
List all installed releases using helm list -A.
$ helm list -A
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
keysafe5-backend nshieldkeysafe5 1 2022-11-16 08:16:29.732978771 +0100 BST deployed nshield-keysafe5-backend-1.0.0 1.0.0
keysafe5-istio nshieldkeysafe5 1 2022-11-16 08:17:55.928175078 +0100 BST deployed nshield-keysafe5-istio-1.0.0 1.0.0
mongo-chart mongons 1 2022-11-16 08:15:09.736442947 +0100 BST deployed mongodb-12.1.31 5.0.10
rabbit-chart rabbitns 1 2022-11-16 08:15:08.003622417 +0100 BST deployed rabbitmq-11.1.2 3.11.3
To upgrade or modify the existing my-release deployment:
- Obtain the current configuration of the currently installed Helm chart release.
- Run a helm upgrade command, overriding any existing configuration values using the --set directive.
The example shown below is for the helm-keysafe5-backend Chart but the same process applies also to helm-keysafe5-ui and helm-keysafe5-istio.
Documentation for each configurable value in the Keysafe 5 Helm charts can be found by untarring the chart.tgz and viewing the contents of either README.md or the default values.yaml file.
$ helm -n nshieldkeysafe5 get values --all --output yaml keysafe5-backend > keysafe5-backend-values.yaml
$ helm upgrade --install keysafe5-backend \
--namespace=nshieldkeysafe5 \
--values keysafe5-backend-values.yaml \
--set example.ConfigKey=updatedValue \
helm-keysafe5-backend/
List all installed releases using helm list to see the upgraded Helm chart.
$ helm list -A
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
keysafe5-backend nshieldkeysafe5 2 2022-11-16 08:39:26.109532848 +0100 BST deployed nshield-keysafe5-backend-1.1.1 1.1.1
keysafe5-istio nshieldkeysafe5 1 2022-11-16 08:17:55.928175078 +0100 BST deployed nshield-keysafe5-istio-1.0.0 1.0.0
mongo-chart mongons 1 2022-11-16 08:15:09.736442947 +0100 BST deployed mongodb-12.1.31 5.0.10
rabbit-chart rabbitns 1 2022-11-16 08:15:08.003622417 +0100 BST deployed rabbitmq-11.1.2 3.11.3
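A scripted version of this check, as an added example that is not part of the Keysafe 5 documentation: it reads the helm list -A table and confirms that a release is deployed at the chart you expect before you move on to the agents. The function name and return codes are constructed here, and the 1.1.1 istio chart name is an assumed target; the sample table is the listing above.

```shell
#!/bin/sh
# release_check NAME NAMESPACE EXPECTED_CHART   (reads `helm list -A` on stdin)
# Returns 0 if the release is deployed at EXPECTED_CHART, 1 if its status or
# chart differs, 2 if the release is not listed at all.
release_check() {
  awk -v name="$1" -v ns="$2" -v want="$3" '
    $1 == name && $2 == ns {
      # UPDATED contains spaces, so take STATUS and CHART counting from the
      # right. Assumes APP VERSION is one non-empty token, as on this page.
      status = $(NF-2); chart = $(NF-1); found = 1
      printf "%s revision=%s status=%s chart=%s\n", name, $3, status, chart
      ok = (status == "deployed" && chart == want)
    }
    END { if (!found) exit 2; exit (ok ? 0 : 1) }
  '
}

# The post-upgrade listing shown on this page.
HELM_LIST_AFTER='NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
keysafe5-backend nshieldkeysafe5 2 2022-11-16 08:39:26.109532848 +0100 BST deployed nshield-keysafe5-backend-1.1.1 1.1.1
keysafe5-istio nshieldkeysafe5 1 2022-11-16 08:17:55.928175078 +0100 BST deployed nshield-keysafe5-istio-1.0.0 1.0.0
mongo-chart mongons 1 2022-11-16 08:15:09.736442947 +0100 BST deployed mongodb-12.1.31 5.0.10
rabbit-chart rabbitns 1 2022-11-16 08:15:08.003622417 +0100 BST deployed rabbitmq-11.1.2 3.11.3'

# Expected charts after the upgrade (the istio target name is an assumption).
for pair in \
  keysafe5-backend=nshield-keysafe5-backend-1.1.1 \
  keysafe5-istio=nshield-keysafe5-istio-1.1.1
do
  rc=0
  printf '%s\n' "$HELM_LIST_AFTER" |
    release_check "${pair%%=*}" nshieldkeysafe5 "${pair#*=}" || rc=$?
  [ "$rc" -eq 0 ] || echo "${pair%%=*}: not at expected chart (rc=$rc)" >&2
done
```

On a live cluster, pipe helm list -A into release_check instead of the embedded table.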
To view the release history for a Helm Chart, use the helm history command.
$ helm history -n nshieldkeysafe5 keysafe5-backend
REVISION UPDATED STATUS CHART APP VERSION DESCRIPTION
1 Wed Oct 19 08:16:29 2022 superseded nshield-keysafe5-backend-1.0.0 1.0.0 Install complete
2 Wed Oct 19 08:39:26 2022 deployed nshield-keysafe5-backend-1.1.1 1.1.1 Upgrade complete
To revert to a previously installed release, use the helm rollback command.
$ helm -n nshieldkeysafe5 rollback keysafe5-backend 1
$ helm history -n nshieldkeysafe5 keysafe5-backend
REVISION UPDATED STATUS CHART APP VERSION DESCRIPTION
1 Wed Oct 19 08:16:29 2022 superseded nshield-keysafe5-backend-1.0.0 1.0.0 Install complete
2 Wed Oct 19 08:39:26 2022 deployed nshield-keysafe5-backend-1.1.1 1.1.1 Upgrade complete
3 Wed Oct 19 08:59:20 2022 deployed nshield-keysafe5-backend-1.0.0 1.0.0 Rollback to 1
Upgrade from Keysafe 5 1.0
To upgrade from Keysafe 5 1.0, see the following example commands.
The paths to Docker images should be updated to point to where you have stored the shipped Docker images. The Helm chart directories pointed to when upgrading should be the directory for the Helm chart version that you are upgrading to.
helm -n nshieldkeysafe5 get values --all --output yaml keysafe5-backend > keysafe5-backend-values.yaml
helm upgrade --install keysafe5-backend \
--namespace=nshieldkeysafe5 \
--values keysafe5-backend-values.yaml \
--set hsm_mgmt.image=private.registry.local/keysafe5/hsm-mgmt:1.1.1 \
--set hsm_mgmt.pullPolicy=Always \
--set sw_mgmt.image=private.registry.local/keysafe5/sw-mgmt:1.1.1 \
--set sw_mgmt.pullPolicy=Always \
helm-keysafe5-backend/
helm -n nshieldkeysafe5 get values --all --output yaml keysafe5-ui > keysafe5-ui-values.yaml
helm upgrade --install keysafe5-ui \
--namespace=nshieldkeysafe5 \
--values keysafe5-ui-values.yaml \
--set ui.image=private.registry.local/keysafe5/mgmt-ui:1.1.1 \
--set ui.pullPolicy=Always \
helm-keysafe5-ui/
helm -n nshieldkeysafe5 get values --all --output yaml keysafe5-istio > keysafe5-istio-values.yaml
helm upgrade --install keysafe5-istio \
--namespace=nshieldkeysafe5 \
--values keysafe5-istio-values.yaml \
helm-keysafe5-istio/
Agent Upgrade
To update the Keysafe 5 agent installed on a machine:
- Take a backup of the agent config directory located at %NFAST_DATA_HOME%/keysafe5/conf.
- Uninstall the existing Keysafe 5 agent as detailed in the Keysafe 5 Installation Guide for the currently installed version of the product.
- Install the new Keysafe 5 agent as detailed in KeySafe 5 Agent Installation.
- Restore existing agent configuration and restart the agent.
Upgrading supporting software
Upgrade from Keysafe 5 1.0 recommended versions
Keysafe 5 1.0 recommended MongoDB 4.4 and RabbitMQ 3.9. This section details how to upgrade the software from these versions to the latest recommended compatible versions.
MongoDB 4.4 to 5.0
To update an existing non-Kubernetes Mongo 4.4 install to Mongo 5.0, see the official documentation at Upgrade a Replica Set to 5.0.
To update a Mongo 4.4 install deployed via Bitnami Helm Charts:
# Obtain details of currently deployed helm charts
# Substitute chart and namespace values in the commands below as required
helm list -A
# Fetch current MongoDB helm chart deployed values
helm -n mongons get values --all --output yaml mongo-chart > mongo-chart-values.yaml
# Obtain the names of the existing mongo secrets
# Substitute secret names in the commands below as required
kubectl get secrets -n mongons
# Make copies of the existing secrets; this is required because the existing ones will be removed during the upgrade process
kubectl get secret mongo-chart-mongodb-ca -n=mongons -o yaml \
| sed 's/mongo-chart-mongodb-ca/mongo-chart-mongodb-ca-upgrade/' \
| kubectl apply -f -
kubectl get secret mongo-chart-mongodb -n=mongons -o yaml \
| sed 's/mongo-chart-mongodb/mongo-chart-mongodb-upgrade/' \
| kubectl apply -f -
# Upgrade helm chart based on existing deployed values
helm upgrade --install mongo-chart \
--namespace=mongons \
--values mongo-chart-values.yaml \
--set image.tag=5.0.13-debian-11-r16 \
--set auth.existingSecret=mongo-chart-mongodb-upgrade \
--set tls.autoGenerated=false \
--set tls.existingSecret=mongo-chart-mongodb-ca-upgrade \
--wait --timeout 5m \
bitnami/mongodb --version 12.1.31
# Obtain details of newly deployed helm charts
helm list -A
RabbitMQ 3.9 to 3.11
To update an existing non-Kubernetes RabbitMQ install, see the official documentation at Upgrading RabbitMQ.
To update a RabbitMQ 3.9 install deployed via Bitnami Helm Charts:
# Obtain details of currently deployed helm charts
# Substitute chart and namespace values in the commands below as required
helm list -A
# Fetch current rabbitmq helm chart deployed values
helm -n rabbitns get values --all --output yaml rabbit-chart > rabbit-chart-values.yaml
# Upgrade helm chart based on existing deployed values
helm upgrade --install rabbit-chart \
--namespace=rabbitns \
--values rabbit-chart-values.yaml \
--set image.tag=3.11.3-debian-11-r2 \
--set service.type=LoadBalancer \
--set extraPlugins="rabbitmq_auth_mechanism_ssl" \
--wait --timeout 10m \
bitnami/rabbitmq --version 11.1.2
# Obtain details of newly deployed helm charts
helm list -A
Istio
The version of Istio installed aligns with the software version of istioctl.
For details of how to upgrade Istio, see Upgrade Istio.