Breadcrumbs

Upgrade VeridiumID Containers from 3.7.1 to v3.7.2

1. Prerequisites

Please install the following software on the machine that will be used to deploy VeridiumID:

2. Download docker images

If using a custom Docker registry, please download and unpack the following archive, then upload its contents to your Docker registry.

Name

URL

SHA256

MD5

veridiumid-saas-images-3.7.2.tar.gz

https://veridium-repo.veridium-dev.com/repository/docker-images/11.2.65/veridiumid-saas-images-3.7.2.tar.gz

c55a4fa1071dff2981852a3ed5687d68a230fefbf1e9719f8225f71e6c0f7a7d

c0f2d0745863fd918d900aeb92521e95

3. Change directory to the folder where veridium-containers folder is located

4. Download required files

wget --user <NEXUS_USER> --password <NEXUS_PASSWORD> https://veridium-repo.veridium-dev.com/repository/helm-releases/veridiumid-containers/3.7.2/veridiumid-saas-3.7.2.zip

unzip -o veridiumid-saas-3.7.2.zip -d 3.7.2

5. Upgrade Zookeeper and Elasticsearch images.

The NAMESPACE and ENV_NO variables should be set according to your existing installation.

Perform the following modifications:

  • In veridiumid-containers/eck-operator-values.yaml, remove the image.tag field.

  • In veridiumid-containers/zookeeper-operator-values.yaml, remove the image.tag field.

  • In veridiumid-containers/elasticsearch-values.yaml, update all occurrences of 8.6.1 to 8.6.1-r1, then 1.28.3 to 1.28.3-r1.

# update ECK operator
helm upgrade --install -n <NAMESPACE> -f veridiumid-containers/eck-operator-values.yaml eck-operator-<ENV_NO> ../3.7.2/helm/eck-operator-2.1.0.tgz

# update zookeeper-operator
helm upgrade --install -n <NAMESPACE> -f veridiumid-containers/zookeeper-operator-values.yaml zookeeper-operator-<ENV_NO> ../3.7.2/helm/zookeeper-operator-0.2.15.tgz

# update elasticsearch
helm upgrade --install -n <NAMESPACE> -f veridiumid-containers/elasticsearch-values.yaml elasticsearch-<ENV_NO> ../3.7.2/helm/elasticsearch-0.2.3.tgz
# force restart, if necessary:
oc -n <NAMESPACE> delete sts elasticsearch-<ENV_NO>-es-default 

# update zookeeper
helm upgrade --install -n <NAMESPACE> --timeout 60m -f veridiumid-containers/zookeeper-values.yaml zookeeper-<ENV_NO> ../3.7.2/helm/zookeeper-0.2.15.tgz

6. Upgrade VeridiumID

The NAMESPACE and ENV_NO variables should be set according to your existing installation.

helm upgrade --install -n <NAMESPACE> -f veridiumid-containers/veridiumid-values.yaml veridiumid ../3.7.2/helm/veridiumid-0.6.12.tgz

7. Upgrade Cassandra and K8ssandra-operator

7.1. Disable medusa, medusa_backup and update sasi property name

Configuration Updates for veridiumid-containers/k8ssandra-values.yaml

  • Set .medusa.enable to false.

  • Set .medusa_backup.enable to false.

  • Remove the .cassandra.config.cassandraYaml.enable_sasi_indexes field.

helm upgrade --install -n $NAMESPACE -f veridiumid-containers/k8ssandra-values.yaml --timeout 60m k8ssandra-$ENV_NO helm/vid-k8ssandra-0.6.7.tgz

7.2. Install new CRD

The new CustomResourceDefinitions are available in ./3.7.2/values/veridiumid-crds/k8ssandra-operator.yaml

7.3. Update RBAC rules

The updated RBAC rules for K8ssandra are available in ./3.7.2/values/rbac/rbac-service-accounts-rules_k8ssandra.yaml. The files are templates, so run the following command to replace the placeholders:

sed -i "s|<ENV_NO>|$ENV_NO|g" ./3.7.2/values/rbac/*.yaml
sed -i "s|<NAMESPACE>|$NAMESPACE|g" ./3.7.2/values/rbac/*.yaml

Next, apply the ./3.7.2/values/rbac/rbac-service-accounts-rules_k8ssandra.yaml file.

7.4. Upgrade k8ssandra-operator

Ensure the per-node configuration is compatible with the updated operator version:

oc -n $NAMESPACE label cm/cassandra-$ENV_NO-dc1-per-node-config k8ssandra.io/cleaned-up-by=k8ssandracluster-controller

Copy the new version of values file to the working folder.

cp ../3.7.2/values/k8ssandra-operator-values.yaml veridiumid-containers/k8ssandra-operator-values.yaml

Configuration Updates for veridiumid-containers/k8ssandra-operator-values.yaml

  • Set .serviceAccount.create to false.

  • Set .rbac.create to false.

  • Set ."cass-operator".serviceAccount.create to false.

  • Set ."cass-operator".rbac.create to false.

  • Replace all occurrences of 018397616607.dkr.ecr.eu-central-1.amazonaws.com to laas-docker-virtual.artifactory.six-group.net.

helm -n $NAMESPACE upgrade --install -f veridiumid-containers/k8ssandra-operator-values.yaml k8ssandra-operator-$ENV_NO ../3.7.2/helm/k8ssandra-operator-1.20.2.tgz

7.5. Upgrade Cassandra

Configuration Updates for veridiumid-containers/k8ssandra-values.yaml

  • Remove the reaper field.

  • Remove the medusa field.

  • Set .medusa.storageProperties.storageProvider to "s3".

  • Remove the medusa_backup field.

  • Set .cassandra.serverVersion to "5.0.2".

  • Remove the .cassandra.serverImage field.

  • Set .cassandra.image.repository to
    "laas-docker-virtual.artifactory.six-group.net/veridiumid/vid-cassandra".

  • Set .cassandra.perNodeConfigInitContainerImage to
    "laas-docker-virtual.artifactory.six-group.net/dependencies/mikefarah/yq:4.45.1".

  • Remove the .cassandra.config.cassandraYaml.enable_sasi_indexes field.

  • Set .cassandra.config.cassandraYaml.sasi_indexes_enabled to true.

helm upgrade --install -n $NAMESPACE -f veridiumid-containers/k8ssandra-values.yaml --timeout 60m k8ssandra-$ENV_NO ../3.7.2/helm/vid-k8ssandra-0.6.12.tgz

8. Configure encryption of backups

8.1. Generate a new GPG Key

Run the following command to create a new key:

gpg --full-generate-key

Step-by-step prompts:

  1. Select Key Type: Choose RSA and RSA (default).

  2. Choose Key Size: Enter 4096 (recommended for strong security).

  3. Set Expiration: Choose 0 (never expires) or specify a timeframe.

  4. Enter User Details:

    • Name: e.g., Backup Encryption Key

    • Email: e.g., backup@example.com (can be anything). This will need to be configures in k8ssandra-values.yaml and veridiumid-values.yaml, under backup.encryption.recipient

    • Comment: (Optional, e.g., For encrypted backups)

    • Set Passphrase: Choose a strong passphrase for added security.

8.2. Verify the key

List available keys to find the Key ID:

gpg --list-keys

8.3. Export the keys as files

gpg --export --armor "backup@example.com" > public-key.asc

gpg --export-secret-keys --armor "backup@example.com" > private-key.asc

8.4. Create a secret containing the private, public keys and passphrase

oc create secret generic veridiumid-gpg-keys --from-file=private-key.asc --from-file=public-key.asc --from-literal=passphrase=<YOUR_PASSPHRASE>

8.5. Enable encryption in values file

Configuration Updates for veridiumid-containers/k8ssandra-values.yaml

  • Set 'cassandra.backup.encryption.enable' to true.

Configuration Updates for veridiumid-containers/veridiumid-values.yaml

  • Set 'vid-maintenance.backup.encryption.enable' to true.

Next, update the k8ssandra and veridiumid releases using the commands described in sections 6 and 7.5.

9. Update API definitions

Apply the latest dmz-api.3.7.2.json and websec-api.3.7.2.json files in the /api folder.