Skip to main content

Upgrade Airgap Palette Installed with Kubernetes

This guide takes you through the process of upgrading a self-hosted airgap Palette instance installed on Kubernetes.

warning

Before upgrading Palette to a new major version, you must first update it to the latest patch version of the latest minor version available. Refer to the Supported Upgrade Paths section for details.

If your setup includes a PCG, you must also allow the PCG to upgrade automatically before each major or minor Palette upgrade.

Prerequisites

  • Access to the x86 Linux jumpbox or bastion host with connectivity to the target platform where you have installed Palette.

  • An OCI registry such as Harbor or AWS ECR configured and available to store the new Palette images and packs.

  • Access to the latest Palette airgap setup binary. Refer to Access Palette for more details.

  • kubectl and helm available in your system.

  • Access to the kubeconfig file of the target Kubernetes cluster. You must be able to interact with the cluster through kubectl and have sufficient permissions to upgrade Palette. We recommend using a role with the cluster-admin permissions.

  • unzip or a similar tool available in your system.

  • Access to the latest Palette Helm Chart. Refer to Access Palette for more details.

Upgrade

  1. Log in to the Linux environment from which you can access your self-hosted airgap Palette instance.

  2. Authenticate with your OCI registry and get credentials to your spectro-packs and spectro-images repositories.

    info

    Be mindful of the auth token timeout. Uploading Palette images and packages to the OCI registry can take about an hour. If your auth token expires before everything is uploaded, you will need to re-authenticate and start the upload again.

    Select one of the following tabs for instructions on how to authenticate with Harbor and AWS ECR.

    Use the following command template to authenticate with your Harbor OCI registry through oras. Refer to the oras login docs for more details about the available CLI flags and examples.

    oras login X.X.X.X --user 'yourUserNameHere' --password 'yourPasswordHere'
    tip

    If your Harbor registry has a self-signed certificate, use the --insecure flag.

    oras login X.X.X.X --insecure --user 'yourUserNameHere' --password 'yourPasswordHere'

  3. Prepare and export the environment variables required by the Palette airgap binary. Select one of the following tabs for instructions on how to prepare these variables for Harbor and AWS ECR.

    • OCI_IMAGE_REGISTRY: The IP address or domain name of the spectro-images registry.

    • OCI_IMAGE_BASE: The namespace or repository that hosts the images.

    • OCI_PACK_REGISTRY: The IP address or domain name of the spectro-packs registry.

    • OCI_PACK_BASE: The namespace or repository that hosts the packages.

      export OCI_IMAGE_REGISTRY=<harbor-endpoint>
      export OCI_IMAGE_BASE=spectro-images
      export OCI_PACK_REGISTRY=<harbor-endpoint>
      export OCI_PACK_BASE=spectro-packs

      Consider the following example for reference.

      export OCI_IMAGE_REGISTRY=example.internal.com
      export OCI_IMAGE_BASE=spectro-images
      export OCI_PACK_REGISTRY=10.10.100.48
      export OCI_PACK_BASE=spectro-packs

  4. Download the airgap setup binary using the credentials our support team provided along with the binary version. Use the following command template to set up a VERSION variable you'll use in the following steps.

    export VERSION=<x.y.z>

    Consider the following example for reference.

    export VERSION=4.2.7

  5. Use the following command template to download the new Palette airgap installation bin. Enter the username, password, and the Palette airgap installation URL you received from our support team. In the output file name, replace <version> with the Palette version you're downloading.

    curl --user <username>:<password> --output airgap-<version>.bin <url-to-airgap-installation-bin>

    Consider the following command example for reference.

    curl --user <username>:<password> --output airgap-4.2.7.bin https://software.spectrocloud.com/airgap-v4.2.7.bin

  6. Use the following command template to execute the new Palette airgap installation bin.

    chmod +x airgap-v$VERSION.bin && ./airgap-v$VERSION.bin

    After the binary execution is done, you should receive the following success message (the example is shortened for brevity). As a result of starting the binary, you should have a spectro-manifests archive in your temporary directory.

    Verifying archive integrity...  100%   MD5 checksums are OK. All good.
    Uncompressing Airgap Setup - Version 4.0.17  100%
    Setting up Packs
    - Pushing Pack cni-calico:3.25.1
    ...
    Setting up Images
    - Pushing image docker.io/kindest/kindnetd:v20230227-15197099
    - Pushing image gcr.io/cloud-provider-vsphere/cpi/release/manager:v1.22.8
    ...
    Preparing Manifests Archive
    Manifests are available in /tmp/spectro-manifests-1696971110.zip. Extract the archive to a file server to serve as a Spectro Cloud Repository
    Setup Completed

  7. Move the spectro-manifests archive to a directory that your file server can access and use the following command template to unzip it.

    unzip spectro-manifests-<file-id>.zip -d /target/folder
    warning

    Do not remove or replace the existing files inside your target folder that is served by the file server. The previous content is necessary for the upgrade process.

  8. Refer to the Additional Packs page and update the packages you are currently using. You must update each package separately.

    info

    Depending on your underlying infrastructure provider and Kubernetes distribution, you may need to modify the following Palette upgrade steps to match your environment.

  9. Navigate to the directory with the Palette installation zip file. Unzip the file to a palette-install directory.

    unzip release-*.zip -d palette-install

  10. Navigate to the release directory inside palette-install.

    cd palette-install/charts/release-*

  11. In a code editor of your choice, open the extras/cert-manager/values.yaml file and replace the controllerImage, webhookImage, and amceResolverImage image URLs with your OCI image registry URLs.

    image:
    cainjectorImage: "gcr.io/spectro-images-public/release-fips/jetstack/cert-manager-cainjector:spectro-v1.11.0-20230427"
    controllerImage: "<your-oci-registry-url>/spectro-images-public/release-fips/jetstack/cert-manager-controller:spectro-v1.11.0-20230427"
    webhookImage: "<your-oci-registry-url>/spectro-images-public/release-fips/jetstack/cert-manager-webhook:spectro-v1.11.0-20230808"
    amceResolverImage: "<your-oci-registry-url>/spectro-images-public/release-fips/jetstack/cert-manager-acmesolver:spectro-v1.11.0-20230427"

    featureGates: "AdditionalCertificateOutputFormats=true"

    Consider the following example for reference.

    image:
    cainjectorImage: "gcr.io/spectro-images-public/release-fips/jetstack/cert-manager-cainjector:spectro-v1.11.0-20230427"
    controllerImage: "harbor.docs.spectro.dev/spectro-images-public/release-fips/jetstack/cert-manager-controller:spectro-v1.11.0-20230427"
    webhookImage: "harbor.docs.spectro.dev/spectro-images-public/release-fips/jetstack/cert-manager-webhook:spectro-v1.11.0-20230808"
    amceResolverImage: "harbor.docs.spectro.dev/spectro-images-public/release-fips/jetstack/cert-manager-acmesolver:spectro-v1.11.0-20230427"

    featureGates: "AdditionalCertificateOutputFormats=true"

  12. Update the cert-manager chart using the following command.

    helm upgrade --values extras/cert-manager/values.yaml \
    cert-manager extras/cert-manager/cert-manager-*.tgz --install

    You should receive an output similar to the following.

    Release "cert-manager" has been upgraded. Happy Helming!
    NAME: cert-manager
    LAST DEPLOYED: Thu Feb 22 19:42:33 2024
    NAMESPACE: default
    STATUS: deployed
    REVISION: 2
    TEST SUITE: None

  13. Prepare the Palette configuration file values.yaml. If you saved values.yaml used during the Palette installation, you can reuse it for the upgrade. Alternatively, follow the Kubernetes Installation Instructions to populate your values.yaml.

    warning

    Ensure that the values.yaml file is ready before proceeding. Specifically, make sure that the ociPackEcrRegistry and ociImageRegistry configurations include the parameters necessary to interact with your spectro-images and spectro-packs repositories.

  14. Upgrade the image-swap chart with the following command. Point to the palette/values.yaml file from step twelve.

    helm upgrade --values palette/values.yaml \
    image-swap extras/image-swap/image-swap-*.tgz --install

    You should receive an output similar to the following.

    Release "image-swap" has been upgraded. Happy Helming!
    NAME: image-swap
    LAST DEPLOYED: Thu Feb 22 19:44:13 2024
    NAMESPACE: default
    STATUS: deployed
    REVISION: 2
    TEST SUITE: None

  15. Upgrade the reach-system chart with the following command. Point to the palette/values.yaml file from step twelve.

    helm upgrade --values palette/values.yaml \
    reach-system extras/reach-system/reach-system-\*.tgz --install

    You should receive an output similar to the following.

    Release "reach-system" has been upgraded. Happy Helming!
    NAME: reach-system
    LAST DEPLOYED: Thu Feb 22 19:47:10 2024
    NAMESPACE: default
    STATUS: deployed
    REVISION: 2
    TEST SUITE: None

  16. Upgrade Palette with the following command.

    helm upgrade --values palette/values.yaml \
    hubble palette/spectro-mgmt-plane-\*.tgz --install

    You should receive an output similar to the following.

    Release "hubble" has been upgraded. Happy Helming!
    NAME: hubble
    LAST DEPLOYED: Thu Feb 22 20:05:24 2024
    NAMESPACE: default
    STATUS: deployed
    REVISION: 2
    TEST SUITE: None

  17. Use the following command to track the upgrade process.

    kubectl get pods --all-namespaces --watch
    tip

    For a more user-friendly experience, consider using K9s or a similar tool to track the upgrade.

    The upgrade usually takes up to five minutes. Palette is upgraded when the deployments in the namespaces cp-system, hubble-system, ingress-nginx, jet-system , and ui-system are in the Ready status.

Validate

  1. In your terminal, issue the following command.

    helm ls

    You should receive an output with the version and other details of the currently deployed apps. Check the App Version column of cert-manager, image-swap, reach-system, and hubble to verify that they have the expected versions.

    NAME        	NAMESPACE	REVISION	UPDATED                             	STATUS  	CHART                   	APP VERSION
    cert-manager	default  	2       	2024-02-22 19:42:33.776829 +0100 CET	deployed	cert-manager-1.11.0     	1.11.0
    image-swap  	default  	2       	2024-02-22 19:44:13.209592 +0100 CET	deployed	image-swap-v1.5.2-spectro-4.1.1	1.5.2
    reach-system	default  	2       	2024-02-22 19:47:10.558061 +0100 CET	deployed	reach-system-4.2.0             	4.2.0
    hubble      	default  	2       	2024-02-22 19:47:24.085305 +0100 CET	deployed	spectro-mgmt-plane-4.2.7	4.2.7

  2. Issue the following command to verify that the Palette clusters work as expected.

    kubectl get pods --all-namespaces --output custom-columns="NAMESPACE:metadata.namespace,NAME:metadata.name,STATUS:status.phase" \
    | grep -E '^(cp-system|hubble-system|ingress-nginx|jet-system|ui-system)\s'

    The command should return a list of deployments in the cp-system, hubble-system, ingress-nginx, jet-system, and ui-system namespaces. All deployments should have the status Running.

    cp-system       spectro-cp-ui-689984f88d-54wsw             Running
    hubble-system   auth-85b748cbf4-6drkn                      Running
    hubble-system   auth-85b748cbf4-dwhw2                      Running
    hubble-system   cloud-fb74b8558-lqjq5                      Running
    hubble-system   cloud-fb74b8558-zkfp5                      Running
    hubble-system   configserver-685fcc5b6d-t8f8h              Running
    hubble-system   event-68568f54c7-jzx5t                     Running
    hubble-system   event-68568f54c7-w9rnh                     Running
    hubble-system   foreq-6b689f54fb-vxjts                     Running
    hubble-system   hashboard-897bc9884-pxpvn                  Running
    hubble-system   hashboard-897bc9884-rmn69                  Running
    hubble-system   hutil-6d7c478c96-td8q4                     Running
    hubble-system   hutil-6d7c478c96-zjhk4                     Running
    hubble-system   mgmt-85dbf6bf9c-jbggc                      Running
    hubble-system   mongo-0                                    Running
    hubble-system   mongo-1                                    Running
    hubble-system   mongo-2                                    Running
    hubble-system   msgbroker-6c9b9fbf8b-mcsn5                 Running
    hubble-system   oci-proxy-7789cf9bd8-qcjkl                 Running
    hubble-system   packsync-28205220-bmzcg                    Succeeded
    hubble-system   spectrocluster-6c57f5775d-dcm2q            Running
    hubble-system   spectrocluster-6c57f5775d-gmdt2            Running
    hubble-system   spectrocluster-6c57f5775d-sxks5            Running
    hubble-system   system-686d77b947-8949z                    Running
    hubble-system   system-686d77b947-cgzx6                    Running
    hubble-system   timeseries-7865bc9c56-5q87l                Running
    hubble-system   timeseries-7865bc9c56-scncb                Running
    hubble-system   timeseries-7865bc9c56-sxmgb                Running
    hubble-system   user-5c9f6c6f4b-9dgqz                      Running
    hubble-system   user-5c9f6c6f4b-hxkj6                      Running
    ingress-nginx   ingress-nginx-controller-2txsv             Running
    ingress-nginx   ingress-nginx-controller-55pk2             Running
    ingress-nginx   ingress-nginx-controller-gmps9             Running
    jet-system      jet-6599b9856d-t9mr4                       Running
    ui-system       spectro-ui-76ffdf67fb-rkgx8                Running