Upgrade SD Elements
New artifact store as of Q1 2023
As of Q1 2023, the SD Elements Helm chart and images are delivered through a new artifact store. If your deployment environment requires network restrictions, ensure the
Please ensure your custom values file is configured as below before attempting an upgrade. Skip this step if these values have not previously been set (i.e., SD Elements was deployed using the respective defaults).
global:
  imageRegistry: repository.securitycompass.com
  imageRegistryFormat: "%s/sde-docker-%s/%s/%s:%s"
  imageOrganization: prod
  imageSource: sde
- Run `helm repo update` to refresh the Helm repository information and obtain the latest chart versions.
- Run `helm search repo sdelements/sde` to find the latest version of available charts.
- Determine required changes to `values.custom.yaml`. See the Compatibility section for more details.
- Run `helm upgrade` with the same parameters used with `helm install …` in the previous section.
Compatibility
This page provides information on changes to helm customizations that may cause confusion or backwards incompatibility with older charts. Additional information on the customizations can be found in the default `values.yaml` packaged in the SD Elements helm chart.
Any changes marked as "Important" will contain new changes requiring mandatory modification to your custom overlays. All other changes are provided by default in the provided `values.yaml` packaged with the SD Elements helm chart.
Immutable Values
See Immutable Values for more information.
Upgrade path planning
Certain SD Elements versions contain changes to our architecture that necessitate breaking changes. Upgrades to the latest version require intermediate upgrades to prerequisite versions (e.g. to perform data migration, prevent data loss, etc.). Ensure your upgrade path includes each prerequisite version listed below.
Prerequisite Version | Comments |
---|---|
2022.2.71 | Data migration from `ReadWriteMany` volumes to S3 object storage |
SD Elements 2024.2
Summary
In 2024.2, no breaking changes have been introduced.
Upgrade duration
SD Elements 2024.2 adds more new components than previous versions. Dataset composition and overall size may result in the upgrade taking longer than usual. We appreciate your patience while SD Elements adds these components to your instance.
Known Issues
Attempting to upgrade SD Elements using a Helm client version prior to `3.10.0` may result in the error below.
Error: INSTALLATION FAILED: failed pre-install: unable to build kubernetes object for pre-install hook sde/templates/sde-secrets.yaml: error validating "": error validating data: [unknown object type "nil" in Secret.data.SDE_GITHUB_OAUTH_CLIENT_ID, unknown object type "nil" in Secret.data.SDE_GITHUB_OAUTH_SECRET]
See the two workarounds below.
- Option 1 (preferred): Upgrade your Helm client to version 3.10.0 or later. If this does not work, see Option 2 below.
- Option 2: Set `sde.codeScanning.github.secret` in your custom values file to a non-empty string (e.g., `abc123`). This value can be updated in the future.
Support for older Helm client versions (<3.10.0) will be added prior to SD Elements 2024.3.
SD Elements 2024.1
Minio
In 2024.1 the default size of a PersistentVolume changed from `30Gi` to `100Gi`. If the storage class associated with the volume doesn’t support dynamic expansion, then it has to be expanded manually before the upgrade. Otherwise, add the following value to the overlay file in order to keep the old size:
minio:
  persistence:
    size: 30Gi
SD Elements 2023.4
Summary
In 2023.4, no breaking changes have been introduced, but there are some additional required values due to a new service being enabled.
Upgrade notes
- The sc-cam service subchart is now enabled by default.
- The default pod replacement strategy for some components has changed. Refer to Pod replacement strategy for more information.
- Some pod default memory request limits were adjusted.
Pre-upgrade steps
Below are the changes an administrator of SD Elements should verify before attempting an upgrade to version 2023.4.
- In your customization overlay files (e.g. values.yaml), ensure the following password values are set to new, randomized values:
  sc-cam:
    databasePassword: myCamDatabasePassword
    brokerPassword: myCamBrokerPassword
  These values will be used by the CAM service to connect to the database and broker as its own user.
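A sketch of how the "new, randomized values" requirement could be enforced on a parsed overlay before the upgrade; this is an added example, not part of the SD Elements chart or tooling. It assumes the overlay has already been loaded into a Python dict by a YAML parser, and it treats reuse of an existing `postgresql` or `rabbitmq` password as not "new", which is an interpretation rather than something the chart checks.

```python
import copy
import secrets

# Literal values shown in the page's sample overlay; they must not be deployed.
DOC_SAMPLES = {"myCamDatabasePassword", "myCamBrokerPassword"}
CAM_KEYS = ("databasePassword", "brokerPassword")


def other_secrets(overlay):
    """Collect passwords already set under postgresql.auth and rabbitmq.auth."""
    found = set()
    for chart in ("postgresql", "rabbitmq"):
        auth = (overlay.get(chart) or {}).get("auth") or {}
        found.update(v for k, v in auth.items()
                     if k.lower().endswith("password") and v)
    return found


def ensure_cam_passwords(overlay, nbytes=32):
    """Return (new_overlay, replaced_keys).

    A sc-cam password is regenerated when it is missing, equals a sample
    value from the documentation, reuses another service's password, or
    equals the other sc-cam password.
    """
    new = copy.deepcopy(overlay)
    cam = new.setdefault("sc-cam", {})
    rejected = other_secrets(new) | DOC_SAMPLES
    replaced = []
    for key in CAM_KEYS:
        value = cam.get(key)
        sibling = cam.get(CAM_KEYS[1 - CAM_KEYS.index(key)])
        if not value or value in rejected or value == sibling:
            cam[key] = secrets.token_urlsafe(nbytes)  # CSPRNG, URL-safe alphabet
            replaced.append(key)
    return new, replaced


# Constructed sample overlay: one value copied from the docs, one reused.
SAMPLE_CAM_OVERLAY = {
    "postgresql": {"auth": {"password": "db-pass"}},
    "sc-cam": {"databasePassword": "myCamDatabasePassword",
               "brokerPassword": "db-pass"},
}

if __name__ == "__main__":
    _, changed = ensure_cam_passwords(SAMPLE_CAM_OVERLAY)
    print("regenerated:", changed)
```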
SD Elements 2023.3
Summary
In 2023.3, no breaking changes have been introduced. However, we recommend reading the following notes to ensure a smooth upgrade process.
Upgrade notes
- Due to a version upgrade of the RabbitMQ chart, the Broker’s `StatefulSet` will be replaced with a new one that might not reference the image registry credentials correctly. This can cause the broker pod to remain in an `ImagePullBackOff` state. If such an occurrence is identified, it is advisable to execute the `helm upgrade` command once more to ensure the `StatefulSet` is accurately referencing the correct `Secret`. A removal of the pod in error state may also be required.
- The default pod replacement strategy for some components has changed. Refer to Pod replacement strategy for more information.
SD Elements 2023.2
Summary
In 2023.2, we introduced Bitnami helm charts to our deployment, specifically `postgresql` and `rabbitmq`, replacing their previous counterparts: `sc-database` and `sc-broker`. These changes will require migrating the password credentials applied in the old charts to the new charts to ensure a seamless upgrade process.
Pre-upgrade steps
Below are the changes an administrator of SD Elements should verify before attempting an upgrade to version 2023.2.
- In your customization overlay files (e.g. values.yaml), ensure the following values are set, with the respective passwords migrated from `sc-database` and `sc-broker`:
  postgresql:
    primary:
      initdb:
        user: <replace with previous sc-database.clientUser>
    auth:
      username: <replace with previous sc-database.clientUser>
      password: <replace with previous sc-database.clientPassword>
      postgresPassword: <replace with previous sc-database.clientPassword>
  rabbitmq:
    auth:
      erlangCookie: <your-erlang-cookie>
      password: <replace with previous sc-broker.clientPassword>
- Remove all occurrences of `sc-database` and `sc-broker`.
- NOTE: the erlangCookie must be set to allow for communication between nodes, see Erlang Cookie.
- NOTE: if the `sc-database.clientUser` wasn’t set, the default user `postgres` can be used.
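The credential migration described in the steps above, written as an added example (not code from the SD Elements chart). It assumes the overlay has been loaded into a Python dict by a YAML parser and that the Erlang cookie is supplied by the operator; keys under the old sections that the page does not map are returned for review instead of being dropped silently.

```python
import copy

# Credential keys the page says to carry over; anything else found under the
# old sections is reported so it can be reviewed before the section is removed.
MIGRATED = {"sc-database": {"clientUser", "clientPassword"},
            "sc-broker": {"clientPassword"}}


def migrate_2023_2(overlay, erlang_cookie):
    """Return (new_overlay, unmigrated_keys) for a parsed pre-2023.2 overlay."""
    if not erlang_cookie:
        raise ValueError("rabbitmq.auth.erlangCookie must be set")
    new = copy.deepcopy(overlay)  # never modify the caller's overlay
    old = {name: new.pop(name, None) or {} for name in MIGRATED}
    for name in MIGRATED:
        if not old[name].get("clientPassword"):
            raise ValueError(f"{name}.clientPassword not found in overlay")
    unmigrated = sorted(f"{name}.{key}" for name, keys in MIGRATED.items()
                        for key in old[name] if key not in keys)

    db, broker = old["sc-database"], old["sc-broker"]
    user = db.get("clientUser") or "postgres"  # default user named on the page
    pg = new.setdefault("postgresql", {})
    pg.setdefault("primary", {}).setdefault("initdb", {})["user"] = user
    pg.setdefault("auth", {}).update(
        username=user,
        password=db["clientPassword"],
        postgresPassword=db["clientPassword"],
    )
    new.setdefault("rabbitmq", {}).setdefault("auth", {}).update(
        erlangCookie=erlang_cookie,
        password=broker["clientPassword"],
    )
    return new, unmigrated


# Constructed sample overlay; "someOtherSetting" is a hypothetical key that
# only demonstrates the review list, and clientUser is deliberately unset.
SAMPLE_OVERLAY = {
    "global": {"imageOrganization": "prod"},
    "sc-database": {"clientPassword": "old-db-pass", "someOtherSetting": 1},
    "sc-broker": {"clientPassword": "old-broker-pass"},
}

if __name__ == "__main__":
    migrated, review = migrate_2023_2(SAMPLE_OVERLAY, "constructed-cookie")
    print(sorted(migrated), review)
```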
Minio
In 2023.2 the default size of a PersistentVolume changed from `10Gi` to `30Gi`. If the storage class associated with the volume doesn’t support dynamic expansion, then it has to be expanded manually before the upgrade. Otherwise, add the following value to the overlay file in order to keep the old size:
minio:
  persistence:
    size: 10Gi
SD Elements 2023.1
Summary
Below are the changes an administrator of SD Elements should verify before attempting an upgrade to version 2023.1.
- Update `datastore` subsection customizations to `sc-datastore`
- [If Applicable] Allow access to `repository.securitycompass.com`
`datastore` subsection changes
As part of this change, performing the upgrade while cron jobs are running may put the cron job pod into a waiting state in which it is unable to find a key in the secrets. Please refer to the Troubleshooting page to remediate this issue.
The provided datastore has been refactored to clarify parameters and application ownership.
Upgrading to this version and above requires a restructure of the `values.yaml` regarding the `datastore` section.
Old Parameter | New Parameter | Comments |
---|---|---|
datastore.* | sc-datastore.* |
Parameters that are not listed in the above table are unmodified.