Upgrade Astra Control Center

Contributors netapp-mwallis

To upgrade Astra Control Center, download the installation bundle from the NetApp Support Site and complete these instructions to upgrade the Astra Control Center components in your environment. You can use this procedure to upgrade Astra Control Center in internet-connected or air-gapped environments.

What you’ll need
About this task

The Astra Control Center upgrade process guides you through the following high-level steps:

Important Do not execute the following command during the entirety of the upgrade process to avoid deleting all Astra Control Center pods: kubectl delete -f astra_control_center_operator_deploy.yaml
Tip Perform upgrades in a maintenance window when schedules, backups, and snapshots are not running.
Note Podman commands can be used in place of Docker commands if you are using Red Hat’s Podman instead of Docker Engine.

Download the Astra Control Center bundle

  1. Download the Astra Control Center upgrade bundle (astra-control-center-[version].tar.gz) from the NetApp Support Site.

  2. (Optional) Use the following command to verify the signature of the bundle:

    openssl dgst -sha256 -verify astra-control-center[version].pub -signature <astra-control-center[version].sig astra-control-center[version].tar.gz

Unpack the bundle and change directory

  1. Extract the images:

    tar -vxzf astra-control-center-[version].tar.gz
  2. Change to the Astra directory.

    cd astra-control-center-[version]

Add the images to your local registry

  1. Add the files in the Astra Control Center image directory to your local registry.

    Note See a sample script for the automatic loading of images below.
    1. Log in to your Docker registry:

      docker login [your_registry_path]
    2. Load the images into Docker.

    3. Tag the images.

    4. Push the images to your local registry.

      export REGISTRY=[your_registry_path]
      for astraImageFile in $(ls images/*.tar)
        # Load to local cache. And store the name of the loaded image trimming the 'Loaded images: '
        do astraImage=$(docker load --input ${astraImageFile} | sed 's/Loaded image: //')
        astraImage=$(echo ${astraImage} | sed 's!localhost/!!')
        # Tag with local image repo.
        docker tag ${astraImage} ${REGISTRY}/${astraImage}
        # Push to the local repo.
        docker push ${REGISTRY}/${astraImage}
      done

Install the updated Astra Control Center operator

  1. Edit the Astra Control Center operator deployment yaml (astra_control_center_operator_deploy.yaml) to refer to your local registry and secret.

    vim astra_control_center_operator_deploy.yaml
    1. If you use a registry that requires authentication, replace the default line of imagePullSecrets: [] with the following:

      imagePullSecrets:
      - name: <name_of_secret_with_creds_to_local_registry>
    2. Change [your_registry_path] for the kube-rbac-proxy image to the registry path where you pushed the images in a previous step.

    3. Change [your_registry_path] for the acc-operator-controller-manager image to the registry path where you pushed the images in a previous step.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        control-plane: controller-manager
      name: acc-operator-controller-manager
      namespace: netapp-acc-operator
    spec:
      replicas: 1
      selector:
        matchLabels:
          control-plane: controller-manager
      template:
        metadata:
          labels:
            control-plane: controller-manager
        spec:
          containers:
          - args:
            - --secure-listen-address=0.0.0.0:8443
            - --upstream=http://127.0.0.1:8080/
            - --logtostderr=true
            - --v=10
            image: [your_registry_path]/kube-rbac-proxy:v4.8.0
            name: kube-rbac-proxy
            ports:
            - containerPort: 8443
              name: https
          - args:
            - --health-probe-bind-address=:8081
            - --metrics-bind-address=127.0.0.1:8080
            - --leader-elect
            command:
            - /manager
            env:
            - name: ACCOP_LOG_LEVEL
              value: "2"
            image: [your_registry_path]/acc-operator:[version x.y.z]
            imagePullPolicy: IfNotPresent
          imagePullSecrets: []
  2. Install the updated Astra Control Center operator:

    kubectl apply -f astra_control_center_operator_deploy.yaml

    Sample response:

    namespace/netapp-acc-operator unchanged
    customresourcedefinition.apiextensions.k8s.io/astracontrolcenters.astra.netapp.io configured
    role.rbac.authorization.k8s.io/acc-operator-leader-election-role unchanged
    clusterrole.rbac.authorization.k8s.io/acc-operator-manager-role configured
    clusterrole.rbac.authorization.k8s.io/acc-operator-metrics-reader unchanged
    clusterrole.rbac.authorization.k8s.io/acc-operator-proxy-role unchanged
    rolebinding.rbac.authorization.k8s.io/acc-operator-leader-election-rolebinding unchanged
    clusterrolebinding.rbac.authorization.k8s.io/acc-operator-manager-rolebinding configured
    clusterrolebinding.rbac.authorization.k8s.io/acc-operator-proxy-rolebinding unchanged
    configmap/acc-operator-manager-config unchanged
    service/acc-operator-controller-manager-metrics-service unchanged
    deployment.apps/acc-operator-controller-manager configured

Upgrade Astra Control Center

  1. Edit the Astra Control Center custom resource (CR) and change the Astra version (astraVersion inside of Spec) number to the latest:

    kubectl edit acc -n [netapp-acc or custom namespace]
    Note Changing the Astra version is the only requirement for an Astra Control Center upgrade. Your registry path must match the registry path where you pushed the images in a previous step.
  2. Verify that the pods terminate and become available again:

    watch kubectl get pods -n [netapp-acc or custom namespace]
  3. Verify that all system components upgraded successfully.

    kubectl get pods -n [netapp-acc or custom namespace]

    Each pod should have a status of Running and Age that is recent. It may take several minutes before the system pods are deployed.

    Sample response:

    NAME                                         READY   STATUS    RESTARTS   AGE
    acc-helm-repo-5f75c5f564-bzqmt             1/1     Running   0          11m
    activity-6b8f7cccb9-mlrn4                  1/1     Running   0          9m2s
    api-token-authentication-6hznt             1/1     Running   0          8m50s
    api-token-authentication-qpfgb             1/1     Running   0          8m50s
    api-token-authentication-sqnb7             1/1     Running   0          8m50s
    asup-5578bbdd57-dxkbp                      1/1     Running   0          9m3s
    authentication-56bff4f95d-mspmq            1/1     Running   0          7m31s
    bucketservice-6f7968b95d-9rrrl             1/1     Running   0          8m36s
    cert-manager-5f6cf4bc4b-82khn              1/1     Running   0          6m19s
    cert-manager-cainjector-76cf976458-sdrbc   1/1     Running   0          6m19s
    cert-manager-webhook-5b7896bfd8-2n45j      1/1     Running   0          6m19s
    cloud-extension-749d9f684c-8bdhq           1/1     Running   0          9m6s
    cloud-insights-service-7d58687d9-h5tzw     1/1     Running   2          8m56s
    composite-compute-968c79cb5-nv7l4          1/1     Running   0          9m11s
    composite-volume-7687569985-jg9gg          1/1     Running   0          8m33s
    credentials-5c9b75f4d6-nx9cz               1/1     Running   0          8m42s
    entitlement-6c96fd8b78-zt7f8               1/1     Running   0          8m28s
    features-5f7bfc9f68-gsjnl                  1/1     Running   0          8m57s
    fluent-bit-ds-h88p7                        1/1     Running   0          7m22s
    fluent-bit-ds-krhnj                        1/1     Running   0          7m23s
    fluent-bit-ds-l5bjj                        1/1     Running   0          7m22s
    fluent-bit-ds-lrclb                        1/1     Running   0          7m23s
    fluent-bit-ds-s5t4n                        1/1     Running   0          7m23s
    fluent-bit-ds-zpr6v                        1/1     Running   0          7m22s
    graphql-server-5f5976f4bd-vbb4z            1/1     Running   0          7m13s
    identity-56f78b8f9f-8h9p9                  1/1     Running   0          8m29s
    influxdb2-0                                1/1     Running   0          11m
    krakend-6f8d995b4d-5khkl                   1/1     Running   0          7m7s
    license-5b5db87c97-jmxzc                   1/1     Running   0          9m
    login-ui-57b57c74b8-6xtv7                  1/1     Running   0          7m10s
    loki-0                                     1/1     Running   0          11m
    monitoring-operator-9dbc9c76d-8znck        2/2     Running   0          7m33s
    nats-0                                     1/1     Running   0          11m
    nats-1                                     1/1     Running   0          10m
    nats-2                                     1/1     Running   0          10m
    nautilus-6b9d88bc86-h8kfb                  1/1     Running   0          8m6s
    nautilus-6b9d88bc86-vn68r                  1/1     Running   0          8m35s
    openapi-b87d77dd8-5dz9h                    1/1     Running   0          9m7s
    polaris-consul-consul-5ljfb                1/1     Running   0          11m
    polaris-consul-consul-s5d5z                1/1     Running   0          11m
    polaris-consul-consul-server-0             1/1     Running   0          11m
    polaris-consul-consul-server-1             1/1     Running   0          11m
    polaris-consul-consul-server-2             1/1     Running   0          11m
    polaris-consul-consul-twmpq                1/1     Running   0          11m
    polaris-mongodb-0                          2/2     Running   0          11m
    polaris-mongodb-1                          2/2     Running   0          10m
    polaris-mongodb-2                          2/2     Running   0          10m
    polaris-ui-84dc87847f-zrg8w                1/1     Running   0          7m12s
    polaris-vault-0                            1/1     Running   0          11m
    polaris-vault-1                            1/1     Running   0          11m
    polaris-vault-2                            1/1     Running   0          11m
    public-metrics-657698b66f-67pgt            1/1     Running   0          8m47s
    storage-backend-metrics-6848b9fd87-w7x8r   1/1     Running   0          8m39s
    storage-provider-5ff5868cd5-r9hj7          1/1     Running   0          8m45s
    telegraf-ds-dw4hg                          1/1     Running   0          7m23s
    telegraf-ds-k92gn                          1/1     Running   0          7m23s
    telegraf-ds-mmxjl                          1/1     Running   0          7m23s
    telegraf-ds-nhs8s                          1/1     Running   0          7m23s
    telegraf-ds-rj7lw                          1/1     Running   0          7m23s
    telegraf-ds-tqrkb                          1/1     Running   0          7m23s
    telegraf-rs-9mwgj                          1/1     Running   0          7m23s
    telemetry-service-56c49d689b-ffrzx         1/1     Running   0          8m42s
    tenancy-767c77fb9d-g9ctv                   1/1     Running   0          8m52s
    traefik-5857d87f85-7pmx8                   1/1     Running   0          6m49s
    traefik-5857d87f85-cpxgv                   1/1     Running   0          5m34s
    traefik-5857d87f85-lvmlb                   1/1     Running   0          4m33s
    traefik-5857d87f85-t2xlk                   1/1     Running   0          4m33s
    traefik-5857d87f85-v9wpf                   1/1     Running   0          7m3s
    trident-svc-595f84dd78-zb8l6               1/1     Running   0          8m54s
    vault-controller-86c94fbf4f-krttq          1/1     Running   0          9m24s
  4. Verify that the Astra status conditions indicate that the upgrade is complete and ready:

    kubectl get -o yaml -n [netapp-acc or custom namespace] astracontrolcenters.astra.netapp.io astra

    Response:

    conditions:
      - lastTransitionTime: "2021-10-25T18:49:26Z"
        message: Astra is deployed
        reason: Complete
        status: "True"
        type: Ready
      - lastTransitionTime: "2021-10-25T18:49:26Z"
        message: Upgrading succeeded.
        reason: Complete
        status: "False"
        type: Upgrading

Upgrade third-party services

The third-party services Traefik and Cert-manager are not upgraded during earlier upgrade steps. You can optionally upgrade them using the procedure described here or retain existing service versions if your system requires it. The following is the recommended Traefik and Certs-manager upgrade sequence:

Set up acc-helm-repo to upgrade Traefik and Cert-manager

  1. Find the enterprise-helm-repo that is loaded to your local Docker cache:

    docker images enterprise-helm-repo

    Response:

    REPOSITORY             TAG         IMAGE ID       CREATED        SIZE
    enterprise-helm-repo   21.10.218   7a182d6b30f3   20 hours ago   464MB
  2. Start a container using the tag from the previous step:

    docker run -dp 8082:8080 enterprise-helm-repo:21.10.218

    Response:

    940436e67fa86d2c4559ac4987b96bb35588313c2c9ddc9cec195651963f08d8
  3. Add the Helm repo to your local host repositories:

    helm repo add acc-helm-repo http://localhost:8082/

    Response:

    "acc-helm-repo" has been added to your repositories
  4. Save the following Python script as a file, for example, set_previous_values.py:

    Note This Python script creates two files that are used in later upgrade steps to retain helm values.
    #!/usr/bin/env python3
    import json
    import os
    
    NAMESPACE = "netapp-acc"
    
    os.system(f"helm get values traefik -n {NAMESPACE} -o json > traefik_values.json")
    os.system(f"helm get values cert-manager -n {NAMESPACE} -o json > cert_manager_values.json")
    
    # reformat traefik values
    f = open("traefik_values.json", "r")
    traefik_values = {'traefik': json.load(f)}
    f.close()
    
    with open('traefik_values.json', 'w') as output_file:
        json.dump(traefik_values, output_file)
    
    # reformat cert-manager values
    f = open("cert_manager_values.json", "r")
    cm_values = {'cert-manager': json.load(f)}
    f.close()
    
    cm_values['global'] = cm_values['cert-manager']['global']
    del cm_values['cert-manager']['global']
    
    with open('cert_manager_values.json', 'w') as output_file:
        json.dump(cm_values, output_file)
    
    print('Done')
  5. Run the script:

    python3.7 ./set_previous_values.py

Update Traefik service using acc-helm-repo

Note You must already have set up acc-helm-repo before completing the following procedure.
  1. Download the Traefik bundle using a secure, file-transfer tool, such as GNU wget:

    wget http://localhost:8082/traefik-0.2.0.tgz
  2. Extract the images:

    tar -vxzf traefik-0.2.0.tgz
  3. Apply the Traefik CRDs:

    kubectl apply -f ./traefik/charts/traefik/crds/
  4. Find the Helm chart version to use with your upgraded Traefik:

    helm search repo acc-helm-repo/traefik

    Response:

    NAME                                    CHART VERSION   APP VERSION DESCRIPTION
    acc-helm-repo/traefik                 0.2.0           2.5.3       Helm chart for Traefik Ingress controller
    acc-helm-repo/traefik-ingressroutes   0.2.0           2.5.3       A Helm chart for Kubernetes
  5. Validate the traefik_values.json file for upgrade:

    1. Open the traefik_values.json file.

    2. Check if there is a value for the imagePullSecret field. If it is empty, remove the following text from the file:

      "imagePullSecrets": [{"name": ""}],
    3. Ensure that the traefik image is directed to the correct location and has the correct name:

      image: [your_registry_path]/traefik
  6. Upgrade your Traefik configuration:

    helm upgrade --version 0.2.0 --namespace netapp-acc -f traefik_values.json traefik acc-helm-repo/traefik

    Response:

    Release "traefik" has been upgraded. Happy Helming!
    NAME: traefik
    LAST DEPLOYED: Mon Oct 25 22:53:19 2021
    NAMESPACE: netapp-acc
    STATUS: deployed
    REVISION: 2
    TEST SUITE: None

Update the Cert-manager service

Note You must already have completed the Traefik update and added acc-helm-repo in Helm before completing the following procedure.
  1. Find the helm chart version to use with your upgraded Cert-manager:

    helm search repo acc-helm-repo/cert-manager

    Response:

    NAME CHART VERSION APP VERSION DESCRIPTION
    acc-helm-repo/cert-manager 0.3.0 v1.5.4 A Helm chart for cert-manager
    acc-helm-repo/cert-manager-certificates 0.1.0 1.16.0 A Helm chart for Kubernetes
  2. Validate the cert_manager_values.json file for upgrade:

    1. Open the cert_manager_values.json file.

    2. Check if there is a value for the imagePullSecret field. If it is empty, remove the following text from the file:

      "imagePullSecrets": [{"name": ""}],
    3. Ensure that the three cert-manager images are directed to the correct location and have the correct names.

  3. Upgrade your Cert-manager configuration:

    helm upgrade --version 0.3.0 --namespace netapp-acc -f cert_manager_values.json cert-manager acc-helm-repo/cert-manager

    Response:

    Release "cert-manager" has been upgraded. Happy Helming!
    NAME: cert-manager
    LAST DEPLOYED: Tue Nov 23 11:20:05 2021
    NAMESPACE: netapp-acc
    STATUS: deployed
    REVISION: 2
    TEST SUITE: None

Verify system status

  1. Log in to Astra Control Center.

  2. Verify that all your managed clusters and apps are still present and protected.