Skip to main content
Astra Control Center
A newer release of this product is available.

Upgrade Astra Control Center

Contributors netapp-rlithman
PDFs

To upgrade Astra Control Center, download the installation bundle from the NetApp Support Site and complete these instructions to upgrade the Astra Control Center components in your environment. You can use this procedure to upgrade Astra Control Center in internet-connected or air-gapped environments.

What you'll need
About this task

The Astra Control Center upgrade process guides you through the following high-level steps:

Important Do not execute the following command during the entirety of the upgrade process to avoid deleting all Astra Control Center pods: kubectl delete -f astra_control_center_operator_deploy.yaml
Tip Perform upgrades in a maintenance window when schedules, backups, and snapshots are not running.
Note Podman commands can be used in place of Docker commands if you are using Red Hat’s Podman instead of Docker Engine.

Download the Astra Control Center bundle

  1. Download the Astra Control Center upgrade bundle (astra-control-center-[version].tar.gz) from the NetApp Support Site.

  2. (Optional) Use the following command to verify the signature of the bundle:

    openssl dgst -sha256 -verify astra-control-center[version].pub -signature <astra-control-center[version].sig astra-control-center[version].tar.gz

Unpack the bundle and change directory

  1. Extract the images:

    tar -vxzf astra-control-center-[version].tar.gz

  2. Change to the Astra directory.

    cd astra-control-center-[version]

Add the images to your local registry

  1. Add the files in the Astra Control Center image directory to your local registry.

    Note See a sample script for the automatic loading of images below.

    1. Log in to your Docker registry:

      docker login [your_registry_path]

    2. Load the images into Docker.

    3. Tag the images.

    4. Push the images to your local registry.

      export REGISTRY=[your_registry_path]
for astraImageFile in $(ls images/*.tar)
  # Load to local cache. And store the name of the loaded image trimming the 'Loaded images: '
  do astraImage=$(docker load --input ${astraImageFile} | sed 's/Loaded image: //')
  astraImage=$(echo ${astraImage} | sed 's!localhost/!!')
  # Tag with local image repo.
  docker tag ${astraImage} ${REGISTRY}/${astraImage}
  # Push to the local repo.
  docker push ${REGISTRY}/${astraImage}
done

Install the updated Astra Control Center operator

  1. Edit the Astra Control Center operator deployment yaml (astra_control_center_operator_deploy.yaml) to refer to your local registry and secret.

    vim astra_control_center_operator_deploy.yaml

    1. If you use a registry that requires authentication, replace the default line of imagePullSecrets: [] with the following:

      imagePullSecrets:
- name: <name_of_secret_with_creds_to_local_registry>

    2. Change [your_registry_path] for the kube-rbac-proxy image to the registry path where you pushed the images in a previous step.

    3. Change [your_registry_path] for the acc-operator-controller-manager image to the registry path where you pushed the images in a previous step.

    4. Add the following values to the env section:

      - name: ACCOP_HELM_UPGRADETIMEOUT
  value: 300m
      apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    control-plane: controller-manager
  name: acc-operator-controller-manager
  namespace: netapp-acc-operator
spec:
  replicas: 1
  selector:
    matchLabels:
      control-plane: controller-manager
  template:
    metadata:
      labels:
        control-plane: controller-manager
    spec:
      containers:
      - args:
        - --secure-listen-address=0.0.0.0:8443
        - --upstream=http://127.0.0.1:8080/
        - --logtostderr=true
        - --v=10
        image: [your_registry_path]/kube-rbac-proxy:v4.8.0
        name: kube-rbac-proxy
        ports:
        - containerPort: 8443
          name: https
      - args:
        - --health-probe-bind-address=:8081
        - --metrics-bind-address=127.0.0.1:8080
        - --leader-elect
        command:
        - /manager
        env:
        - name: ACCOP_LOG_LEVEL
          value: "2"
        - name: ACCOP_HELM_UPGRADETIMEOUT
          value: 300m
        image: [your_registry_path]/acc-operator:[version x.y.z]
        imagePullPolicy: IfNotPresent
      imagePullSecrets: []

  2. Install the updated Astra Control Center operator:

    kubectl apply -f astra_control_center_operator_deploy.yaml

    Sample response:

    namespace/netapp-acc-operator unchanged
customresourcedefinition.apiextensions.k8s.io/astracontrolcenters.astra.netapp.io configured
role.rbac.authorization.k8s.io/acc-operator-leader-election-role unchanged
clusterrole.rbac.authorization.k8s.io/acc-operator-manager-role configured
clusterrole.rbac.authorization.k8s.io/acc-operator-metrics-reader unchanged
clusterrole.rbac.authorization.k8s.io/acc-operator-proxy-role unchanged
rolebinding.rbac.authorization.k8s.io/acc-operator-leader-election-rolebinding unchanged
clusterrolebinding.rbac.authorization.k8s.io/acc-operator-manager-rolebinding configured
clusterrolebinding.rbac.authorization.k8s.io/acc-operator-proxy-rolebinding unchanged
configmap/acc-operator-manager-config unchanged
service/acc-operator-controller-manager-metrics-service unchanged
deployment.apps/acc-operator-controller-manager configured

Upgrade Astra Control Center

  1. Edit the Astra Control Center custom resource (CR) (astra_control_center_min.yaml) and change the Astra version (astraVersion inside of Spec) number to the latest:

    kubectl edit acc -n [netapp-acc or custom namespace]
    Note Your registry path must match the registry path where you pushed the images in a previous step.

  2. Add the following lines within additionalValues inside of Spec in the Astra Control Center CR:

    additionalValues:
    nautilus:
      startupProbe:
        periodSeconds: 30
        failureThreshold: 600

  3. Do one of the following:

    1. If you don't have your own IngressController or ingress and have been using the Astra Control Center with its Traefik gateway as a LoadBalancer type service and would like to continue with that setup, specify another field ingressType (if not already present) and set it to AccTraefik.

      ingressType: AccTraefik

    2. If you want to switch to the default Astra Control Center generic ingress deployment, provide your own IngressController/Ingress setup (with TLS termination, etc.), open up a route to Astra Control Center, and set ingressType to Generic.

      ingressType: Generic
      Tip If you omit the field, the process becomes the generic deployment. If you don't want the generic deployment, be sure to add the field.

  4. (Optional) Verify that the pods terminate and become available again:

    watch kubectl get po -n [netapp-acc or custom namespace]

  5. Wait for the Astra status conditions to indicate that the upgrade is complete and ready:

    kubectl get -o yaml -n [netapp-acc or custom namespace] astracontrolcenters.astra.netapp.io astra

    Response:

    conditions:
  - lastTransitionTime: "2021-10-25T18:49:26Z"
    message: Astra is deployed
    reason: Complete
    status: "True"
    type: Ready
  - lastTransitionTime: "2021-10-25T18:49:26Z"
    message: Upgrading succeeded.
    reason: Complete
    status: "False"
    type: Upgrading

  6. Log back in and verify that all managed clusters and apps are still present and protected.

  7. If the operator did not update the Cert-manager, upgrade third-party services, next.

Upgrade third-party services (Optional)

The third-party services Traefik and Cert-manager are not upgraded during earlier upgrade steps. You can optionally upgrade them using the procedure described here or retain existing service versions if your system requires it.

  • Traefik: By default, Astra Control Center manages the lifecycle of the Traefik deployment. Setting externalTraefik to false (default) indicates that no external Traefik exists in the system and and Traefik is being installed and managed by Astra Control Center. In this case, externalTraefik is set to false.

    On the other hand, if you have your own Traefik deployment, set externalTraefik to true. In this case, you maintain the deployment and Astra Control Center will not upgrade the CRDs, unless shouldUpgrade is set to true.

  • Cert-manager: By default, Astra Control Center installs the cert-manager (and CRDs) unless you set externalCertManager to true. Set shouldUpgrade to true to have Astra Control Center upgrade the CRDs.

Traefik is upgraded if any of the following conditions are met:

  • externalTraefik: false
    OR

  • externalTraefik: true AND shouldUpgrade: true.

Steps

  1. Edit the acc CR:

    kubectl edit acc -n [netapp-acc or custom namespace]

  2. Change the externalTraefik field and the shouldUpgrade field to either true or false as needed.

    crds:
    externalTraefik: false
    externalCertManager: false
    shouldUpgrade: false

Verify system status

  1. Log in to Astra Control Center.

  2. Verify that all your managed clusters and apps are still present and protected.

Set up ingress for load balancing

You can set up a Kubernetes ingress object that manages external access to the services, such as load balancing in a cluster.

  • Default upgrade uses the generic ingress deployment. In this case, you will also need to set up an ingress controller or ingress resource.

  • If you don't want an ingress controller and want to retain what you already have, set ingressType to AccTraefik.

Note For additional details about the service type of "LoadBalancer" and ingress, see Requirements.

The steps differ depending on the type of ingress controller you use:

  • Nginx ingress controller

  • OpenShift ingress controller

What you'll need

  • In the CR spec,

    • If crd.externalTraefik is present, it should be set to false OR

    • If crd.externalTraefik is true, crd.shouldUpgrade should also be true.

  • The required ingress controller should already be deployed.

  • The ingress class corresponding to the ingress controller should already be created.

  • You are using Kubernetes versions between and including v1.19 and v1.21.

Steps for Nginx ingress controller

  1. Use the existing secret secure-testing-cert or create a secret of type kubernetes.io/tls for a TLS private key and certificate in netapp-acc (or custom-named) namespace as described in TLS secrets.

  2. Deploy an ingress resource in netapp-acc (or custom-named) namespace for either a deprecated or a new schema:

    1. For a deprecated schema, follow this sample:

      apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-acc
  namespace: [netapp-acc or custom namespace]
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  tls:
  - hosts:
    - <ACC address>
    secretName: [tls secret name]
  rules:
  - host: [ACC address]
    http:
      paths:
      - backend:
        serviceName: traefik
        servicePort: 80
        pathType: ImplementationSpecific

    2. For a new schema, follow this example:

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: netapp-acc-ingress
  namespace: [netapp-acc or custom namespace]
spec:
  ingressClassName: [class name for nginx controller]
  tls:
  - hosts:
    - <ACC address>
    secretName: [tls secret name]
  rules:
  - host: <ACC address>
    http:
      paths:
        - path:
          backend:
            service:
              name: traefik
              port:
                number: 80
          pathType: ImplementationSpecific
Steps for OpenShift ingress controller

  1. Procure your certificate and get the key, certificate, and CA files ready for use by the OpenShift route.

  2. Create the OpenShift route:

    oc create route edge --service=traefik
--port=web -n [netapp-acc or custom namespace]
--insecure-policy=Redirect --hostname=<ACC address>
--cert=cert.pem --key=key.pem

Verify ingress set up

You can verify the ingress set up before you continue.

  1. Ensure that Traefik has changed to clusterIP from Loadbalancer:

    kubectl get service traefik -n [netapp-acc or custom namespace]

  2. Verify routes in Traefik:

    Kubectl get ingressroute ingressroutetls -n [netapp-acc or custom namespace]
-o yaml | grep "Host("
    Note The result should be empty.