Instructions to Update the Parameters in values.yaml

Follow the instructions given below if you are upgrading from LDAP to SAML. The current installation could have been installed using helm (Scenario A) or using the gitops installer (Scenario B).

Please follow the steps as per your current scenario.

Scenario A

Use these instructions if all of the following apply:

  • You have an openldap installed using the helm installer

  • You already have a "gitops-repo" for Spinnaker Configuration

  • You have the values.yaml that was used for the helm installation

Execute these commands, replacing "gitops-repo" with your repo:

git clone https://github.com/.../gitops-repo
git clone https://github.com/OpsMx/standard-isd-gitops.git -b 4.0.3
cp -r standard-isd-gitops/upgrade gitops-repo/
cd gitops-repo

Copy the existing values.yaml that was used for the previous installation into this folder and name it "values.yaml" (the file name is important).

Create the gittoken secret. This token will be used to authenticate to the gitops-repo.

You only need to create these secrets if they have been changed from the default. Update the namespace accordingly (default is opsmx-isd).

kubectl -n opsmx-isd create secret generic gittoken --from-literal gittoken=PUT_YOUR_GITTOKEN_HERE
kubectl -n opsmx-isd create secret generic ldapconfigpassword --from-literal ldapconfigpassword=PUT_YOUR_SECRET_HERE
kubectl -n opsmx-isd create secret generic ldappassword --from-literal ldappassword=PUT_YOUR_SECRET_HERE
kubectl -n opsmx-isd create secret generic miniopassword --from-literal miniopassword=PUT_YOUR_SECRET_HERE
kubectl -n opsmx-isd create secret generic redispassword --from-literal redispassword=PUT_YOUR_SECRET_HERE
kubectl -n opsmx-isd create secret generic saporpassword --from-literal saporpassword=PUT_YOUR_SECRET_HERE
kubectl -n opsmx-isd create secret generic rabbitmqpassword --from-literal rabbitmqpassword=PUT_YOUR_SECRET_HERE
kubectl -n opsmx-isd create secret generic keystorepassword --from-literal keystorepassword=PUT_YOUR_SECRET_HERE
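
To confirm that every secret values.yaml refers to exists in the namespace, and that no password sits in the file as a literal before it is pushed to the gitops-repo, a check like the following can be run from the repo root. This is an added example, not part of the OpsMx installer; it assumes that encrypted:<secret>:<key> (the form this guide uses for keyStorePassword) names a Kubernetes secret and a key in it, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not OpsMx code. Assumption: "encrypted:<secret>:<key>" in
# values.yaml names a Kubernetes secret and a key inside it.

# Print values-file lines with YAML comments removed (helper name is ours).
strip_comments() {
    sed -e '/^[[:space:]]*#/d' -e 's/[[:space:]]#.*$//' "$1"
}

# Print unique "<secret> <key>" pairs referenced in a values file.
secret_refs() {
    strip_comments "$1" |
        grep -o 'encrypted:[A-Za-z0-9._-]*:[A-Za-z0-9._-]*' |
        awk -F: '{ print $2, $3 }' | sort -u
}

# Print referenced secrets that do not exist in namespace $2.
missing_secrets() {
    secret_refs "$1" | cut -d' ' -f1 | sort -u | while read -r name; do
        kubectl -n "$2" get secret "$name" >/dev/null 2>&1 </dev/null ||
            echo "$name"
    done
}

# Print keys ending in "password" whose value is a literal, not a reference.
plaintext_passwords() {
    strip_comments "$1" | awk '{
        i = index($0, ":"); if (i == 0) next
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t-]+|[ \t]+$/, "", key)
        gsub(/^[ \t"]+|[ \t"]+$/, "", val)
        if (tolower(key) ~ /password$/ && val != "" && val !~ /^encrypted:/)
            print key
    }'
}

# Usage: sh check-values-secrets.sh values.yaml [namespace]
if [ "$#" -ge 1 ] && [ -f "$1" ]; then
    ns=${2:-opsmx-isd}
    missing=$(missing_secrets "$1" "$ns")
    plain=$(plaintext_passwords "$1")
    [ -z "$missing" ] || echo "secrets missing in $ns:" $missing
    [ -z "$plain" ] || echo "plaintext passwords in $1:" $plain
    [ -z "$missing$plain" ] || exit 1
fi
```

The script exits non-zero when a referenced secret is absent or a password key holds a literal value, so it can gate the git push.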

Scenario B

  1. Use this set of instructions if:

  • You have an openldap installed using the gitops installer

  • You already have a gitops-repo for ISD (AP and Spinnaker) Configuration

  2. Execute these commands, replacing "gitops-repo" with your repo:

git clone https://github.com/.../gitops-repo
git clone https://github.com/OpsMx/standard-isd-gitops.git -b 4.0.3
cp -r standard-isd-gitops/upgrade gitops-repo/
cd gitops-repo

  3. Check that a "values.yaml" file exists in this directory (root of the gitops-repo)

Common Steps

Upgrade sequence (OpenLDAP to SAML):

  1. Create the application in SAML. Refer to Okta Configuration for ISD.

  2. Make the following changes in the values.yaml file. Skip any that you have already made.

  • Set global.installOpenLdap and the global.ldap section to false.

  • Update global.auth.saml to true.

  • Update gate.config.saml to true.

  • Copy the block below into values.yaml (skip this if it is already present), then update the values by following the inline comments.

gate:
  config:
    saml:
      Enabled: true
      userSource: gate  # Keep the default; do not change
      keyStore: /opt/spinnaker/saml/oessaml.jks  # The key in this secret must be oessaml.jks
      keyStorePassword: encrypted:keystorepassword:keystorepassword
      keyStoreAliasName: saml  # Keep the default; do not change
      metadataUrl: /opt/spinnaker/saml/oesmetadata.xml # The key in this secret must be oesmetadata.xml
      redirectProtocol: https # Keep the default; do not change
      redirectHostname: oes-ui.ryzon7-gitops.opsmx.org/gate # OES UI host name
      redirectBasePath: / # Keep the default; do not change
      issuerId: ryzonoesgate  # Issuer ID is given as part of app creation
      jksSecretName: oessamljks

  • Update the Okta groups under the global.saporgate config (specify the groups you want to see in ISD).

saporgate:
    config:
      username: admin # Admin user of SAML
      adminGroups: admin # Groups defined here will have superAdmin privileges in Autopilot

  3. cd upgrade

  4. Update upgrade-inputcm.yaml: url, username and gitemail MUST be updated.

If you have install/inputcm.yaml from a previous installation, simply copy and paste these lines here.

  • If the ISD namespace is different from "opsmx-isd": Update namespace (default is opsmx-isd) to the namespace where ISD is installed.

  • If the ISD namespace is different from "opsmx-isd": Edit serviceaccount.yaml and edit "namespace:" to update it to the ISD namespace (e.g. opsmx-isd)

  5. Push changes to git using the below command:

git add -A; git commit -m "Upgrade related changes"; git push

  6. Apply the upgrade-input and service account, then generate the YAMLs using the commands below:

kubectl -n opsmx-isd apply -f upgrade-inputcm.yaml
kubectl -n opsmx-isd apply -f serviceaccount.yaml # Edit namespace if changed from the default "opsmx-isd"
kubectl -n opsmx-isd replace --force -f ISD-Generate-yamls-job.yaml

  7. Compare and merge branch: This job will create a branch on the gitops-repo with the helmchart version number specified in the upgrade-inputcm.yaml. Raise a PR and check what changes are being made. Once satisfied, merge the PR.

  8. Execute the below command:

kubectl -n opsmx-isd replace -f ISD-Apply-yamls-job.yaml

  9. The isd-spinnaker-halyard-0 pod should restart automatically. If not, execute the following command:

kubectl -n opsmx-isd delete po isd-spinnaker-halyard-0

  10. Restart all the pods:

kubectl -n opsmx-isd scale deploy -l app=oes --replicas=0 # Wait for a min or two
kubectl -n opsmx-isd scale deploy -l app=oes --replicas=1 # Wait for all pods to come to ready state

  11. Go to ISD UI and check that the version number has changed in the top-right corner

  12. Wait for about 5 min for autoconfiguration to take place.

  13. If required: a) Connect Spinnaker again b) Configure pipeline-promotion again. To do this, in the ISD UI:

  • Click setup

  • Click Spinnaker tab at the top. Check if "External Accounts" and "Pipeline-promotion" columns show "yes". If any of them is "no":

  • Click "edit" on the 3 dots on the far right. Check the values already filled in, make changes if required and click "update".

  • Restart the halyard pod by clicking "Sync Accounts to Spinnaker" in the Cloud Accounts tab, or simply delete the halyard pod

Rollback to OpenLDAP

  1. Create a PR to revert the changes that were merged as part of step 7.

kubectl -n opsmx-isd replace --force -f ISD-Apply-yamls-job.yaml 
# Wait for the pods to stabilize

  2. Restart all pods:

kubectl -n opsmx-isd scale deploy -l app=oes --replicas=0 # Wait for a min or two
kubectl -n opsmx-isd scale deploy -l app=oes --replicas=1 
# Wait for all pods to come to ready state

Troubleshooting

If the cluster gets deleted by mistake, follow the steps below:

  1. Create the same namespace that was deleted earlier.

  2. It is assumed that the user has everything in the gitops repo (install, upgrade, halyard content, etc.)

  3. Create the gittoken secret by using the below command.

kubectl -n opsmx-isd create secret generic gittoken --from-literal gittoken=PUT_YOUR_GITTOKEN_HERE

  4. Execute the below commands:

kubectl -n opsmx-isd apply -f serviceaccount.yaml # Edit namespace if changed from the default "opsmx-isd"
kubectl -n opsmx-isd apply -f inputcm.yaml
kubectl -n opsmx-isd replace --force -f ISD-Apply-yamls-job.yaml
