Upgrade SD Elements

New artifact store as of Q1 2023

As of Q1 2023, the SD Elements Helm chart and images are delivered through a new artifact store.

If your deployment environment requires network restrictions, ensure the repository.securitycompass.com hostname of the new artifact store, is allowed.

Please ensure your custom values file is configured as below before attempting an upgrade. Skip this step if these values have not previously been set (i.e., SDE elements was deployed using the respective defaults).

global:
  imageRegistry: repository.securitycompass.com
  imageRegistryFormat: "%s/sde-docker-%s/%s/%s:%s"
  imageOrganization: prod
  imageSource: sde
Steps:

  1. Run helm repo update to refresh the helm repository information and obtaine latest chart versions.

  2. Run helm search repo sdelements/sde to find the latest version of available charts.]

  3. Determine required changes to values.custom.yaml. See the Compatibility section for more details.

  4. Run helm upgrade with the same parameters used with helm install …​ in the previous section.

Compatibility

This page provides information on changes to helm customizations that may cause confusion or backwards incompatibility with older charts. Additional information on the customizations can be found in the default values.yaml packaged in the SD Elements helm chart.

Any changes marked as "Important" will contain new changes requiring mandatory modification to your custom overlays. All other changes are provided by default in the provided values.yaml packaged with the SD Elements helm chart.

Immutable Values

See Immutable Values for more information.

Upgrade path planning

Certain SD Elements versions contain changes to our architecture and necessitate making breaking change. Upgrades to the latest version require intermediate upgrades to prerequisite versions (e.g. to perform data migration, prevent data loss, etc.). Ensure your upgrade path includes each prerequisite version listed below

Prerequisite VersionComments
2022.2.71Data migration from `ReadWriteMany` volumes to S3 object storage

SD Elements 2024.2

Summary

In 2024.2, no breaking changes have been introduced.

Upgrade duration

SD Elements 2024.2 adds more new components than previous versions. Dataset composition and overall size may result in the upgrade taking longer than usual. We appreciate your patience while SD Elements adds these components to your instance.

Known Issues

Attempting to upgrade SD Elements using a Helm client version prior to 3.10.0 may result in the error below.

Error: INSTALLATION FAILED: failed pre-install: unable to build kubernetes object for pre-install hook sde/templates/sde-secrets.yaml: error validating "": error validating data: [unknown object type "nil" in Secret.data.SDE_GITHUB_OAUTH_CLIENT_ID, unknown object type "nil" in Secret.data.SDE_GITHUB_OAUTH_SECRET]

See the two workarounds below.

  • Option 1 (preferred): Upgrade your Helm client to version 3.10.0 or later. If this does not work, see Option 2 below.

  • Option 2: Set sde.codeScanning.github.secret in your custom values file to a non-empty string (e.g., abc123). This value can be updated in the future.

Support for older Helm client versions (<3.10.0) will be added prior to SD Elements 2024.3.

SD Elements 2024.1

Minio

In 2024.1 the default size of a PersistentVolume changed from 30Gi to 100Gi. If the storage class associated with the volume doesn’t support dynamic expansion, then it has to be expanded manually before the upgrade. Otherwise, add the following value to the overlay file in order to keep the old size:

minio:
    persistence:
        size: 30Gi

SD Elements 2023.4

Summary

In 2023.4, no breaking changes have been introduced, but there are some additional required values due to a new service being enabled.

Upgrade notes

  • The sc-cam service subchart is now enabled by default.

  • The default pod replacement strategy for some components has changed. Refer to Pod replacement strategy for more information.

  • Some pod default memory request limits were adjusted.

Pre-upgrade steps

Below are the changes an administrator of SD Elements should verify before attempting an upgrade to version 2023.4.

  • In your customization overlay files (e.g. values.yaml), ensure the following password values are set to new, randomized values:

sc-cam:
     databasePassword: myCamDatabasePassword
     brokerPassword: myCamBrokerPassword

These values will be used by the CAM service to connect to the database and broker as it’s own user.

SD Elements 2023.3

Summary

In 2023.3, no breaking changes have been introduced. However, we recommend reading the following notes to ensure a smooth upgrade process.

Upgrade notes

  • Due to a version upgrade of the RabbitMQ chart, the Broker’s StatefulSet will be replaced with a new one that might not reference the image registry credentials correctly. This can cause the broker pod to remain in an ImagePullBackOff state. If such an occurrence is identified, it is advisable to execute the helm upgrade command once more to ensure the StatefulSet is accurately referencing the correct Secret. A removal of the pod in error state may also be required.

  • The default pod replacement strategy for some components has changed. Refer to Pod replacement strategy for more information.

SD Elements 2023.2

Summary

In 2023.2, we introduced Bitnami helm charts to our deployment, specifically postgresql and rabbitmq, replacing their previous counterparts: sc-database and sc-broker. These changes will require migrating the password credentials applied in the old charts to the new charts to ensure a seamless upgrade process.

Pre-upgrade steps

Below are the changes an administrator of SD Elements should verify before attempting an upgrade to version 2023.2.

  • In your customization overlay files (e.g. values.yaml), ensure the following values are set, with the respective passwords migrated from sc-database and sc-broker:

        postgresql:
            primary:
                initdb:
                  user:  <replace with previous sc-database.clientUser>
            auth:
              username:  <replace with previous sc-database.clientUser>
              password:  <replace with previous sc-database.clientPassword>
              postgresPassword:  <replace with previous sc-database.clientPassword>
        rabbitmq:
            auth:
                erlangCookie: <your-erlang-cookie>
                password:  <replace with previous sc-broker.clientPassword>

  • Remove all occurrences of sc-database and sc-broker.

  • NOTE: the erlangCookie must be set to allow for communication between nodes, see Erlang Cookie.

  • NOTE: if the sc-database.clientUser wasn’t set, the default user postgres can be used

Minio

In 2023.2 the default size of a PersistentVolume changed from 10Gi to 30Gi. If the storage class associated with the volume doesn’t support dynamic expansion, then it has to be expanded manually before the upgrade. Otherwise, add the following value to the overlay file in order to keep the old size:

minio:
    persistence:
        size: 10Gi

SD Elements 2023.1

Summary

Below are the changes an administrator of SD Elements should verify before attempting an upgrade to version 2023.1.

  • Update datastore subsection customizations to sc-datastore

  • [If Applicable] Allow access to repository.securitycompass.com

datastore subsection changes

As part of this change, performing the upgrade while cron jobs are running may put the cron job pod into a waiting state and unable to find a key in the secrets. Please refer to the Troubleshooting page to remediate this issue.

The provided datastore has been refactored to clarify parameters and application ownership. Upgrading to this version and above requires a restructure of the values.yaml regarding the datastore section.

Old ParameterNew ParameterComments
datastore.*sc-datastore.*

Parameters that are not listed in the above table are unmodified.

results matching ""

    No results matching ""