Upgrade

This chapter details how to update an existing Keysafe 5 install to the latest version.

When upgrading Keysafe 5 it is recommended to first update the Helm charts installed in the central platform and then update all Keysafe 5 agent installs on host machines being managed by Keysafe 5.

Ensure all pods are healthy prior to performing an upgrade. Unhealthy pods can prevent Helm from fully completing an upgrade.
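One way to gate the upgrade on pod health, as an added example that is not part of the Keysafe 5 documentation: it reads the output of kubectl get pods -A --no-headers and lists every pod in the chosen namespaces that is not Running with all containers ready. The namespaces are the ones used in this chapter's examples; the pod names in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the Keysafe 5 documentation): pre-upgrade pod health gate.
# stdin: output of `kubectl get pods -A --no-headers`
#        columns: NAMESPACE NAME READY STATUS RESTARTS AGE

# unhealthy_pods NS1,NS2,... : print "ns/pod READY STATUS" for each unhealthy pod
unhealthy_pods() {
  awk -v nslist="$1" '
    BEGIN { n = split(nslist, a, ","); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    !($1 in want)      { next }   # ignore namespaces we were not asked about
    $4 == "Completed"  { next }   # finished Job pods are expected to be not ready
    {
      split($3, r, "/")           # READY is "ready/total"
      if ($4 != "Running" || r[1] != r[2]) {
        printf "%s/%s %s %s\n", $1, $2, $3, $4
      }
    }'
}

# preflight NS1,NS2,... : return 1 (and report on stderr) if any pod is unhealthy
preflight() {
  bad=$(unhealthy_pods "$1")
  if [ -n "$bad" ]; then
    printf 'Do not upgrade yet, unhealthy pods:\n%s\n' "$bad" >&2
    return 1
  fi
}

# Constructed sample input; pod names are assumptions for illustration only
sample_pods() {
  cat <<'EOF'
nshieldkeysafe5  hsm-mgmt-7c9d8b6f5-abcde   2/2  Running           0              3d
nshieldkeysafe5  sw-mgmt-5f6d7c8b9-fghij    1/2  Running           4 (2m ago)     3d
nshieldkeysafe5  mgmt-ui-6b7c8d9f4-klmno    2/2  Running           0              3d
mongons          mongo-chart-mongodb-0      1/1  Running           0              3d
mongons          mongo-chart-mongodb-1      0/1  CrashLoopBackOff  12 (30s ago)   3d
rabbitns         rabbit-chart-rabbitmq-0    1/1  Running           0              3d
kube-system      coredns-5d78c9869d-xyz12   0/1  Pending           0              1m
EOF
}

# Demo on the constructed sample. Against a live cluster:
#   kubectl get pods -A --no-headers | preflight nshieldkeysafe5,mongons,rabbitns
sample_pods | preflight nshieldkeysafe5,mongons,rabbitns || true
```

Chaining the live-cluster form with && in front of the helm upgrade command stops the upgrade from starting while any listed pod is unhealthy.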

Helm Chart Upgrade

To upgrade the release of a Helm Chart, run a helm upgrade command; see Helm Upgrade.

List all installed releases using helm list -A.

$ helm list -A
NAME            	NAMESPACE	    REVISION	UPDATED                                	STATUS  	CHART                         	APP VERSION
keysafe5-backend	nshieldkeysafe5	1       	2022-11-16 08:16:29.732978771 +0100 BST	deployed	nshield-keysafe5-backend-1.0.0	1.0.0
keysafe5-istio  	nshieldkeysafe5	1       	2022-11-16 08:17:55.928175078 +0100 BST	deployed	nshield-keysafe5-istio-1.0.0  	1.0.0
mongo-chart     	mongons  	    1       	2022-11-16 08:15:09.736442947 +0100 BST	deployed	mongodb-12.1.31               	5.0.10
rabbit-chart    	rabbitns 	    1       	2022-11-16 08:15:08.003622417 +0100 BST	deployed	rabbitmq-11.1.2               	3.11.3

To upgrade or modify the existing my-release deployment:

  1. Obtain the current configuration of the currently installed helm chart release.

  2. Run a helm upgrade command, overriding any existing configuration values using the --set directive.

The example shown below is for the helm-keysafe5-backend Chart but the same process applies also to helm-keysafe5-ui and helm-keysafe5-istio.

Documentation for each configurable value in the Keysafe 5 Helm charts can be found by untarring the chart.tgz and viewing the contents of either README.md or the default values.yaml file.

$ helm -n nshieldkeysafe5 get values --all --output yaml keysafe5-backend > keysafe5-backend-values.yaml

$ helm upgrade --install keysafe5-backend \
  --namespace=nshieldkeysafe5 \
  --values keysafe5-backend-values.yaml \
  --set example.ConfigKey=updatedValue \
  helm-keysafe5-backend/

List all installed releases using helm list to see the upgraded Helm chart.

$ helm list -A
NAME            	NAMESPACE	    REVISION	UPDATED                                	STATUS  	CHART                         	APP VERSION
keysafe5-backend	nshieldkeysafe5	2       	2022-11-16 08:39:26.109532848 +0100 BST	deployed	nshield-keysafe5-backend-1.1.1	1.1.1
keysafe5-istio  	nshieldkeysafe5	1       	2022-11-16 08:17:55.928175078 +0100 BST	deployed	nshield-keysafe5-istio-1.0.0  	1.0.0
mongo-chart     	mongons  	    1       	2022-11-16 08:15:09.736442947 +0100 BST	deployed	mongodb-12.1.31               	5.0.10
rabbit-chart    	rabbitns 	    1       	2022-11-16 08:15:08.003622417 +0100 BST	deployed	rabbitmq-11.1.2               	3.11.3

To view the release history for a Helm Chart, use the helm history command.

$ helm history -n nshieldkeysafe5 keysafe5-backend
REVISION	UPDATED                 	STATUS    	CHART                         	APP VERSION	DESCRIPTION
1       	Wed Oct 19 08:16:29 2022	superseded	nshield-keysafe5-backend-1.0.0	1.0.0      	Install complete
2       	Wed Oct 19 08:39:26 2022	deployed  	nshield-keysafe5-backend-1.1.1	1.1.1      	Upgrade complete

To revert to a previously installed release, use the helm rollback command.

$ helm -n nshieldkeysafe5 rollback keysafe5-backend 1

$ helm history -n nshieldkeysafe5 keysafe5-backend
REVISION	UPDATED                 	STATUS    	CHART                         	APP VERSION	DESCRIPTION
1       	Wed Oct 19 08:16:29 2022	superseded	nshield-keysafe5-backend-1.0.0	1.0.0      	Install complete
2       	Wed Oct 19 08:39:26 2022	deployed  	nshield-keysafe5-backend-1.1.1	1.1.1      	Upgrade complete
3       	Wed Oct 19 08:59:20 2022	deployed  	nshield-keysafe5-backend-1.0.0	1.0.0      	Rollback to 1

Upgrade from Keysafe 5 1.0

To upgrade from Keysafe 5 1.0, see the following example commands.

The paths to Docker images should be updated to point to where you have stored the shipped Docker images. The Helm chart directories pointed to when upgrading should be the directory for the Helm chart version that you are upgrading to.

helm -n nshieldkeysafe5 get values --all --output yaml keysafe5-backend > keysafe5-backend-values.yaml
helm upgrade --install keysafe5-backend \
  --namespace=nshieldkeysafe5 \
  --values keysafe5-backend-values.yaml \
  --set hsm_mgmt.image=private.registry.local/keysafe5/hsm-mgmt:1.1.1 \
  --set hsm_mgmt.pullPolicy=Always \
  --set sw_mgmt.image=private.registry.local/keysafe5/sw-mgmt:1.1.1 \
  --set sw_mgmt.pullPolicy=Always \
  helm-keysafe5-backend/

helm -n nshieldkeysafe5 get values --all --output yaml keysafe5-ui > keysafe5-ui-values.yaml
helm upgrade --install keysafe5-ui \
  --namespace=nshieldkeysafe5 \
  --values keysafe5-ui-values.yaml \
  --set ui.image=private.registry.local/keysafe5/mgmt-ui:1.1.1 \
  --set ui.pullPolicy=Always \
  helm-keysafe5-ui/

helm -n nshieldkeysafe5 get values --all --output yaml keysafe5-istio > keysafe5-istio-values.yaml
helm upgrade --install keysafe5-istio \
  --namespace=nshieldkeysafe5 \
  --values keysafe5-istio-values.yaml \
  helm-keysafe5-istio/

Agent Upgrade

To update the Keysafe 5 agent installed on a machine:

  • Take a backup of the agent config directory located at %NFAST_DATA_HOME%/keysafe5/conf.

  • Uninstall the existing Keysafe 5 agent as detailed in the Keysafe 5 Installation Guide for the currently installed version of the product.

  • Install the new Keysafe 5 agent as detailed in KeySafe 5 Agent Installation.

  • Restore existing agent configuration and restart the agent.

Upgrading supporting software

Keysafe 5 1.0 recommended MongoDB 4.4 and RabbitMQ 3.9. This section details how to upgrade the software from these versions to the latest recommended compatible versions.

MongoDB 4.4 to 5.0

To update an existing non-Kubernetes Mongo 4.4 install to Mongo 5.0, see the official documentation at Upgrade a Replica Set to 5.0.

To update a Mongo 4.4 install deployed via Bitnami Helm Charts:

# Obtain details of currently deployed helm charts
# Substitute chart and namespace values in the commands below as required
helm list -A

# Fetch current MongoDB helm chart deployed values
helm -n mongons get values --all --output yaml mongo-chart > mongo-chart-values.yaml

# Obtain the names of the existing mongo secrets
# Substitute secret names in the commands below as required
kubectl get secrets -n mongons

# Make copies of the existing secrets; this is required because the existing ones will be removed during the upgrade process
kubectl get secret mongo-chart-mongodb-ca -n=mongons -o yaml \
  | sed 's/mongo-chart-mongodb-ca/mongo-chart-mongodb-ca-upgrade/' \
  | kubectl apply -f -
kubectl get secret mongo-chart-mongodb -n=mongons -o yaml \
  | sed 's/mongo-chart-mongodb/mongo-chart-mongodb-upgrade/' \
  | kubectl apply -f -

# Upgrade helm chart based on existing deployed values
helm upgrade --install mongo-chart \
    --namespace=mongons \
    --values mongo-chart-values.yaml \
    --set image.tag=5.0.13-debian-11-r16 \
    --set auth.existingSecret=mongo-chart-mongodb-upgrade \
    --set tls.autoGenerated=false \
    --set tls.existingSecret=mongo-chart-mongodb-ca-upgrade \
    --wait --timeout 5m \
    bitnami/mongodb --version 12.1.31

# Obtain details of newly deployed helm charts
helm list -A

RabbitMQ 3.9 to 3.11

To update an existing non-Kubernetes RabbitMQ install, see the official documentation at Upgrading RabbitMQ.

To update a RabbitMQ 3.9 install deployed via Bitnami Helm Charts:

# Obtain details of currently deployed helm charts
# Substitute chart and namespace values in the commands below as required
helm list -A

# Fetch current rabbitmq helm chart deployed values
helm -n rabbitns get values --all --output yaml rabbit-chart > rabbit-chart-values.yaml

# Upgrade helm chart based on existing deployed values
helm upgrade --install rabbit-chart \
  --namespace=rabbitns \
  --values rabbit-chart-values.yaml \
  --set image.tag=3.11.3-debian-11-r2 \
  --set service.type=LoadBalancer \
  --set extraPlugins="rabbitmq_auth_mechanism_ssl" \
  --wait --timeout 10m \
  bitnami/rabbitmq --version 11.1.2

# Obtain details of newly deployed helm charts
helm list -A

Istio

The version of Istio installed aligns with the software version of istioctl.

For details of how to upgrade Istio, see Upgrade Istio.