Skip to main content
Astra Control Center
A newer release of this product is available.

Upgrade Astra Control Center

Contributors netapp-mwallis

To upgrade Astra Control Center, download the installation bundle from the NetApp Support Site and complete these instructions to upgrade the Astra Control Center components in your environment. You can use this procedure to upgrade Astra Control Center in internet-connected or air-gapped environments.

What you'll need
About this task

The Astra Control Center upgrade process guides you through the following high-level steps:

Important Do not execute the following command during the entirety of the upgrade process to avoid deleting all Astra Control Center pods: kubectl delete -f astra_control_center_operator_deploy.yaml
Tip Perform upgrades in a maintenance window when schedules, backups, and snapshots are not running.
Note Podman commands can be used in place of Docker commands if you are using Red Hat’s Podman instead of Docker Engine.

Download the Astra Control Center bundle

  1. Download the Astra Control Center upgrade bundle (astra-control-center-[version].tar.gz) from the https:mysupport.netapp.com/site/products/all/details/astra-control-center/downloads-tab[NetApp Support Site^].

  2. (Optional) Use the following command to verify the signature of the bundle:

    openssl dgst -sha256 -verify AstraControlCenter-public.pub -signature astra-control-center-[version].tar.gz.sig astra-control-center-[version].tar.gz

Unpack the bundle and change directory

  1. Extract the images:

    tar -vxzf astra-control-center-[version].tar.gz

Add the images to your local registry

  1. Complete the appropriate step sequence for your container engine:

Docker
  1. Change to the Astra directory:

    cd acc
  2. Push the package images in the Astra Control Center image directory to your local registry. Make the following substitutions before running the command:

    • Replace BUNDLE_FILE with the name of the Astra Control bundle file (for example, acc.manifest.yaml).

    • Replace MY_REGISTRY with the URL of the Docker repository.

    • Replace MY_REGISTRY_USER with the user name.

    • Replace MY_REGISTRY_TOKEN with an authorized token for the registry.

      kubectl astra packages push-images -m BUNDLE_FILE -r MY_REGISTRY -u MY_REGISTRY_USER -p MY_REGISTRY_TOKEN
Podman
  1. Log in to your registry:

    podman login [your_registry_path]
  2. Run the following script, making the <YOUR_REGISTRY> substitution as noted in the comments:

    # You need to be at the root of the tarball.
    # You should see these files to confirm correct location:
    #   acc.manifest.yaml
    #   acc/
    
    # Replace <YOUR_REGISTRY> with your own registry (e.g registry.customer.com or registry.customer.com/testing, etc..)
    export REGISTRY=<YOUR_REGISTRY>
    export PACKAGENAME=acc
    export PACKAGEVERSION=22.08.1-26
    export DIRECTORYNAME=acc
    for astraImageFile in $(ls ${DIRECTORYNAME}/images/*.tar) ; do
      # Load to local cache
      astraImage=$(podman load --input ${astraImageFile} | sed 's/Loaded image(s): //')
    
      # Remove path and keep imageName.
      astraImageNoPath=$(echo ${astraImage} | sed 's:.*/::')
    
      # Tag with local image repo.
      podman tag ${astraImage} ${REGISTRY}/netapp/astra/${PACKAGENAME}/${PACKAGEVERSION}/${astraImageNoPath}
    
      # Push to the local repo.
      podman push ${REGISTRY}/netapp/astra/${PACKAGENAME}/${PACKAGEVERSION}/${astraImageNoPath}
    done

Install the updated Astra Control Center operator

  1. Change the directory:

    cd manifests
  2. Edit the Astra Control Center operator deployment yaml (astra_control_center_operator_deploy.yaml) to refer to your local registry and secret.

    vim astra_control_center_operator_deploy.yaml
    1. If you use a registry that requires authentication, replace the default line of imagePullSecrets: [] with the following:

      imagePullSecrets:
      - name: <name_of_secret_with_creds_to_local_registry>
    2. Change [your_registry_path] for the kube-rbac-proxy image to the registry path where you pushed the images in a previous step.

    3. Change [your_registry_path] for the acc-operator-controller-manager image to the registry path where you pushed the images in a previous step.

    4. Add the following values to the env section:

      - name: ACCOP_HELM_UPGRADETIMEOUT
        value: 300m
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        labels:
          control-plane: controller-manager
        name: acc-operator-controller-manager
        namespace: netapp-acc-operator
      spec:
        replicas: 1
        selector:
          matchLabels:
            control-plane: controller-manager
        template:
          metadata:
            labels:
              control-plane: controller-manager
          spec:
            containers:
            - args:
              - --secure-listen-address=0.0.0.0:8443
              - --upstream=http://127.0.0.1:8080/
              - --logtostderr=true
              - --v=10
              image: [your_registry_path]/kube-rbac-proxy:v4.8.0
              name: kube-rbac-proxy
              ports:
              - containerPort: 8443
                name: https
            - args:
              - --health-probe-bind-address=:8081
              - --metrics-bind-address=127.0.0.1:8080
              - --leader-elect
              command:
              - /manager
              env:
              - name: ACCOP_LOG_LEVEL
                value: "2"
              - name: ACCOP_HELM_UPGRADETIMEOUT
                value: 300m
              image: [your_registry_path]/acc-operator:[version x.y.z]
              imagePullPolicy: IfNotPresent
            imagePullSecrets: []
  3. Install the updated Astra Control Center operator:

    kubectl apply -f astra_control_center_operator_deploy.yaml

    Sample response:

    namespace/netapp-acc-operator unchanged
    customresourcedefinition.apiextensions.k8s.io/astracontrolcenters.astra.netapp.io configured
    role.rbac.authorization.k8s.io/acc-operator-leader-election-role unchanged
    clusterrole.rbac.authorization.k8s.io/acc-operator-manager-role configured
    clusterrole.rbac.authorization.k8s.io/acc-operator-metrics-reader unchanged
    clusterrole.rbac.authorization.k8s.io/acc-operator-proxy-role unchanged
    rolebinding.rbac.authorization.k8s.io/acc-operator-leader-election-rolebinding unchanged
    clusterrolebinding.rbac.authorization.k8s.io/acc-operator-manager-rolebinding configured
    clusterrolebinding.rbac.authorization.k8s.io/acc-operator-proxy-rolebinding unchanged
    configmap/acc-operator-manager-config unchanged
    service/acc-operator-controller-manager-metrics-service unchanged
    deployment.apps/acc-operator-controller-manager configured
  4. Verify pods are running:

    kubectl get pods -n netapp-acc-operator

Upgrade Astra Control Center

  1. Edit the Astra Control Center custom resource (CR) (astra_control_center_min.yaml) and change the Astra version (astraVersion inside of Spec) number to the latest:

    kubectl edit acc -n [netapp-acc or custom namespace]
    Note Your registry path must match the registry path where you pushed the images in a previous step.
  2. Add the following lines within additionalValues inside of Spec in the Astra Control Center CR:

    additionalValues:
        nautilus:
          startupProbe:
            periodSeconds: 30
            failureThreshold: 600
  3. Do one of the following:

    1. If you don't have your own IngressController or ingress and have been using the Astra Control Center with its Traefik gateway as a LoadBalancer type service and would like to continue with that setup, specify another field ingressType (if not already present) and set it to AccTraefik.

      ingressType: AccTraefik
    2. If you want to switch to the default Astra Control Center generic ingress deployment, provide your own IngressController/Ingress setup (with TLS termination, etc.), open up a route to Astra Control Center, and set ingressType to Generic.

      ingressType: Generic
      Tip If you omit the field, the process becomes the generic deployment. If you don't want the generic deployment, be sure to add the field.
  4. (Optional) Verify that the pods terminate and become available again:

    watch kubectl get po -n [netapp-acc or custom namespace]
  5. Wait for the Astra status conditions to indicate that the upgrade is complete and ready:

    kubectl get -o yaml -n [netapp-acc or custom namespace] astracontrolcenters.astra.netapp.io astra

    Response:

    conditions:
      - lastTransitionTime: "2021-10-25T18:49:26Z"
        message: Astra is deployed
        reason: Complete
        status: "True"
        type: Ready
      - lastTransitionTime: "2021-10-25T18:49:26Z"
        message: Upgrading succeeded.
        reason: Complete
        status: "False"
        type: Upgrading
  6. Log back in and verify that all managed clusters and apps are still present and protected.

  7. If the operator did not update the Cert-manager, upgrade third-party services, next.

Upgrade third-party services (Optional)

The third-party services Traefik and Cert-manager are not upgraded during earlier upgrade steps. You can optionally upgrade them using the procedure described here or retain existing service versions if your system requires it.

  • Traefik: By default, Astra Control Center manages the lifecycle of the Traefik deployment. Setting externalTraefik to false (default) indicates that no external Traefik exists in the system and and Traefik is being installed and managed by Astra Control Center. In this case, externalTraefik is set to false.

    On the other hand, if you have your own Traefik deployment, set externalTraefik to true. In this case, you maintain the deployment and Astra Control Center will not upgrade the CRDs, unless shouldUpgrade is set to true.

  • Cert-manager: By default, Astra Control Center installs the cert-manager (and CRDs) unless you set externalCertManager to true. Set shouldUpgrade to true to have Astra Control Center upgrade the CRDs.

Traefik is upgraded if any of the following conditions are met:

  • externalTraefik: false

  • externalTraefik: true AND shouldUpgrade: true.

Steps
  1. Edit the acc CR:

    kubectl edit acc -n [netapp-acc or custom namespace]
  2. Change the externalTraefik field and the shouldUpgrade field to either true or false as needed.

    crds:
        externalTraefik: false
        externalCertManager: false
        shouldUpgrade: false

Verify system status

  1. Log in to Astra Control Center.

  2. Verify that all your managed clusters and apps are still present and protected.

Set up ingress for load balancing

You can set up a Kubernetes ingress object that manages external access to the services, such as load balancing in a cluster.

  • Default upgrade uses the generic ingress deployment. In this case, you will also need to set up an ingress controller or ingress resource.

  • If you don't want an ingress controller and want to retain what you already have, set ingressType to AccTraefik.

Note For additional details about the service type of "LoadBalancer" and ingress, see Requirements.

The steps differ depending on the type of ingress controller you use:

  • Nginx ingress controller

  • OpenShift ingress controller

What you'll need
  • In the CR spec,

    • If crd.externalTraefik is present, it should be set to false OR

    • If crd.externalTraefik is true, crd.shouldUpgrade should also be true.

  • The required ingress controller should already be deployed.

  • The ingress class corresponding to the ingress controller should already be created.

  • You are using Kubernetes versions between and including v1.19 and v1.21.

Steps for Nginx ingress controller
  1. Use the existing secret secure-testing-cert or create a secret of type kubernetes.io/tls for a TLS private key and certificate in netapp-acc (or custom-named) namespace as described in TLS secrets.

  2. Deploy an ingress resource in netapp-acc (or custom-named) namespace for either a deprecated or a new schema:

    1. For a deprecated schema, follow this sample:

      apiVersion: extensions/v1beta1
      kind: IngressClass
      metadata:
        name: ingress-acc
        namespace: [netapp-acc or custom namespace]
        annotations:
          kubernetes.io/ingress.class: nginx
      spec:
        tls:
        - hosts:
          - <ACC address>
          secretName: [tls secret name]
        rules:
        - host: [ACC address]
          http:
            paths:
            - backend:
              serviceName: traefik
              servicePort: 80
              pathType: ImplementationSpecific
    2. For a new schema, follow this example:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: netapp-acc-ingress
      namespace: [netapp-acc or custom namespace]
    spec:
      ingressClassName: [class name for nginx controller]
      tls:
      - hosts:
        - <ACC address>
        secretName: [tls secret name]
      rules:
      - host: <ACC address>
        http:
          paths:
            - path:
              backend:
                service:
                  name: traefik
                  port:
                    number: 80
              pathType: ImplementationSpecific
Steps for OpenShift ingress controller
  1. Procure your certificate and get the key, certificate, and CA files ready for use by the OpenShift route.

  2. Create the OpenShift route:

    oc create route edge --service=traefik
    --port=web -n [netapp-acc or custom namespace]
    --insecure-policy=Redirect --hostname=<ACC address>
    --cert=cert.pem --key=key.pem

Verify ingress set up

You can verify the ingress set up before you continue.

  1. Ensure that Traefik has changed to clusterIP from Loadbalancer:

    kubectl get service traefik -n [netapp-acc or custom namespace]
  2. Verify routes in Traefik:

    Kubectl get ingressroute ingressroutetls -n [netapp-acc or custom namespace]
    -o yaml | grep "Host("
    Note The result should be empty.