Chapter 2. Upgrading using Helm charts

You can upgrade to the latest version of Red Hat Advanced Cluster Security for Kubernetes from a supported older version. For upgrading to RHACS 4.0, you must be using the latest patch release of RHACS 3.74. If you are using an older version, you must first upgrade to RHACS 3.74.

If you have installed Red Hat Advanced Cluster Security for Kubernetes by using Helm charts, to upgrade to the latest version of Red Hat Advanced Cluster Security for Kubernetes you must perform the following:

  • Backup the Central database.
  • (Optional) Optimize Central database and Persistent Volume Claims (PVC).
  • (Optional) Generate values-private.yaml configuration file containing root certificates for the central-services Helm chart.
  • Update the Helm chart.
  • Run the helm upgrade command.
Important

To ensure optimal functionality, use the same version for your secured-cluster-services Helm chart and central-services Helm chart.

2.1. Backing up the Central database

You can back up the Central database and use that backup for rolling back from a failed upgrade or data restoration in the case of an infrastructure disaster.

Prerequisites

  • You must have an API token with read permission for all resources of Red Hat Advanced Cluster Security for Kubernetes. The Analyst system role has read permissions for all resources.
  • You have installed the roxctl CLI.
  • You have configured the ROX_API_TOKEN and the ROX_CENTRAL_ADDRESS environment variables.

Procedure

  • Run the backup command: 

    $ roxctl -e "$ROX_CENTRAL_ADDRESS" central backup

Additional resources

2.2. Optimizing Central database and PVC

When you upgrade to Red Hat Advanced Cluster Security for Kubernetes (RHACS) 4.0, RHACS creates a PostgreSQL instance called central-db with a default Persistent Volume Claims (PVC). Optionally, you can customize central-db or PVC configuration.

Red Hat recommends the following minimum memory and CPU requests: 

central:
  db:
    resources:
      requests:
        memory: 16Gi
        cpu: 8
      limits:
        memory: 16Gi
        cpu: 8

2.3. Generating root certificates file

If you do not have access to your values-private.yaml configuration file that you have used to install Red Hat Advanced Cluster Security for Kubernetes (RHACS), use the following instruction to generate the values-private.yaml configuration file containing root certificates.

Skip the instruction here, if you have access to your values-private.yaml configuration file.

Important

The generated values-private.yaml file has sensitive configuration options. Ensure that you store this file securely.

Procedure

  1. Download the create_certificate_values_file.sh script.

  2. Make the create_certificate_values_file.sh script executable: 

    $ chmod +x create_certificate_values_file.sh

  3. Run the create_certificate_values_file.sh script file: 

    $ create_certificate_values_file.sh values-private.yaml

2.4. Updating the Helm chart repository

You must always update Helm charts before upgrading to a new version of Red Hat Advanced Cluster Security for Kubernetes.

Prerequisites

  • You must have already added the Red Hat Advanced Cluster Security for Kubernetes Helm chart repository.
  • You must be using Helm version 3.8.3 or newer.

Procedure

  • Update Red Hat Advanced Cluster Security for Kubernetes charts repository. 

    $ helm repo update

Verification

  • Run the following command to verify the added chart repository: 

    $ helm search repo -l rhacs/

2.5. Additional resources

2.6. Running the Helm upgrade command

You can use the helm upgrade command to update Red Hat Advanced Cluster Security for Kubernetes (RHACS).

Prerequisites

  • You must have access to the values-private.yaml configuration file that you have used to install Red Hat Advanced Cluster Security for Kubernetes (RHACS). Otherwise, you must generate the values-private.yaml configuration file containg root certificates, before proceeding with the commands here.

Procedure

  • Run the helm upgrade command and specify the configuration files by using the -f option: 

    $ helm upgrade -n stackrox stackrox-central-services \
  rhacs/central-services --version <current-rhacs-version> \ 1
  -f values-private.yaml \
  --set central.db.password.generate=true \
  --set central.db.serviceTLS.generate=true \
  --set central.db.persistence.persistentVolumeClaim.createClaim=true
    Note

    You might use the --reuse-values option to preserve the previously configured Helm values during the upgrade. If you do that, you must turn off central-db creation before you upgrade to the next version. For example, 

    $ helm upgrade -n stackrox stackrox-central-services \
  rhacs/central-services --version <current-rhacs-version> --reuse-values \
  -f values-private.yaml \
  --set central.db.password.generate=false \
  --set central.db.serviceTLS.generate=false \
  --set central.db.persistence.persistentVolumeClaim.createClaim=false

2.7. Rolling back an Helm upgrade

You can roll back to a previous version of Central if the upgrade to a new version is unsuccessful.

Procedure

  1. Run the following helm upgrade command: 

    $ helm upgrade -n stackrox \
  stackrox-central-services rhacs/central-services \
  --version <previous_rhacs_74_version> \ 1
  --set central.db.enabled=false
    1 1
    Replace <previous_rhacs_74_version> with the previously installed RHACS version.

  2. Delete the central-db persistent volume claim (PVC): 

    $ oc -n stackrox delete pvc central-db 1
    1
    If you use Kubernetes, enter kubectl instead of oc.