×

You must follow a specific upgrade path for RHACS depending on the release of RHACS that you are running. You must also back up your Central database before updating the Helm chart and performing the upgrade.

If you have installed RHACS by using Helm charts, to upgrade to the latest version of RHACS perform the following steps:

  1. Back up the Central database.

  2. Optionally, optimize Central’s database and Persistent Volume Claims (PVC).

  3. Optionally, generate a values-private.yaml configuration file containing root certificates for the central-services Helm chart.

  4. Update the Helm chart.

  5. Run the helm upgrade command.

To ensure optimal functionality, use the same version for your secured-cluster-services Helm chart and central-services Helm chart.

Backing up the Central database

You can back up the Central database and use that backup for rolling back from a failed upgrade or data restoration in the case of an infrastructure disaster.

Prerequisites
  • You must have an API token with read permission for all resources of Red Hat Advanced Cluster Security for Kubernetes. The Analyst system role has read permissions for all resources.

  • You have installed the roxctl CLI.

  • You have configured the ROX_API_TOKEN and the ROX_CENTRAL_ADDRESS environment variables.

Procedure
  • Run the backup command:

    $ roxctl -e "$ROX_CENTRAL_ADDRESS" central backup

Optimizing Central database and PVC

When you upgrade to Red Hat Advanced Cluster Security for Kubernetes (RHACS) 4.0, RHACS creates a PostgreSQL instance called central-db with a default Persistent Volume Claims (PVC). Optionally, you can customize central-db or PVC configuration.

Red Hat recommends the following minimum memory and CPU requests:

central:
  db:
    resources:
      requests:
        memory: 16Gi
        cpu: 8
      limits:
        memory: 16Gi
        cpu: 8

Generating root certificates file

If you do not have access to your values-private.yaml configuration file that you have used to install Red Hat Advanced Cluster Security for Kubernetes (RHACS), use the following instruction to generate the values-private.yaml configuration file containing root certificates.

Skip the instruction here, if you have access to your values-private.yaml configuration file.

The generated values-private.yaml file has sensitive configuration options. Ensure that you store this file securely.

Procedure
  1. Download the create_certificate_values_file.sh script.

  2. Make the create_certificate_values_file.sh script executable:

    $ chmod +x create_certificate_values_file.sh
  3. Run the create_certificate_values_file.sh script file:

    $ create_certificate_values_file.sh values-private.yaml

Updating the Helm chart repository

You must always update Helm charts before upgrading to a new version of Red Hat Advanced Cluster Security for Kubernetes.

Prerequisites
  • You must have already added the Red Hat Advanced Cluster Security for Kubernetes Helm chart repository.

  • You must be using Helm version 3.8.3 or newer.

Procedure
  • Update Red Hat Advanced Cluster Security for Kubernetes charts repository.

    $ helm repo update
Verification
  • Run the following command to verify the added chart repository:

    $ helm search repo -l rhacs/

Running the Helm upgrade command

You can use the helm upgrade command to update Red Hat Advanced Cluster Security for Kubernetes (RHACS).

Prerequisites
  • You must have access to the values-private.yaml configuration file that you have used to install Red Hat Advanced Cluster Security for Kubernetes (RHACS). Otherwise, you must generate the values-private.yaml configuration file containing root certificates before proceeding with these commands.

Procedure
  • Run the helm upgrade command and specify the configuration files by using the -f option:

    $ helm upgrade -n stackrox stackrox-central-services \
      rhacs/central-services --version <current-rhacs-version> \(1)
      -f values-private.yaml \
      --set central.db.password.generate=true \
      --set central.db.serviceTLS.generate=true \
      --set central.db.persistence.persistentVolumeClaim.createClaim=true
    1 Use the -f option to specify the paths for your YAML configuration files.
    $ helm upgrade -n stackrox stackrox-secured-cluster-services \
      rhacs/secured-cluster-services --version <current-rhacs-version> \(1)
      -f values-private.yaml
    1 Use the -f option to specify the paths for your YAML configuration files.

You might use the --reuse-values option to preserve the previously configured Helm values during the upgrade. If you do that, you must turn off central-db creation before you upgrade to the next version.

See the following command example:

$ helm upgrade -n stackrox stackrox-central-services \
  rhacs/central-services --version <current-rhacs-version> --reuse-values \
  -f values-private.yaml \
  --set central.db.password.generate=false \
  --set central.db.serviceTLS.generate=false \
  --set central.db.persistence.persistentVolumeClaim.createClaim=false

Rolling back a Helm upgrade

You can roll back to an earlier version of Central if the upgrade to a new version is unsuccessful.

Procedure
  1. Run the following helm upgrade command:

    $ helm upgrade -n stackrox \
      stackrox-central-services rhacs/central-services \
      --version <previous_rhacs_74_version> \ (1)
      --set central.db.enabled=false
    1 Replace <previous_rhacs_74_version> with the previously installed RHACS version.
  2. Delete the central-db persistent volume claim (PVC):

    $ oc -n stackrox delete pvc central-db (1)
    1 If you use Kubernetes, enter kubectl instead of oc.