- 26 Dec 2024
- 5 Minutes to read
- Print
- DarkLight
- PDF
CMS Upgrade on Kubernetes
- Updated on 26 Dec 2024
- 5 Minutes to read
- Print
- DarkLight
- PDF
(Not supported yet on VSP 3.0)
LFR Upgrade
- Log in to the Artifactory site using the Virsec-provided credentials from the local machine
- Download the tar file vsp_lfr.tar.gz from the below Artifactory directory in to the local machine
- Version 2.8 and Above: vsp > releases > public <Major_Release> > <Minor_Release> > <Patch_Version>
Example: vsp > releases > public > 2 > 2.8 > 2.8.0 - Version 2.7: vsp > releases > public > <Release_Number>
Example: vsp > releases > public > 2.7.0
- Version 2.8 and Above: vsp > releases > public <Major_Release> > <Minor_Release> > <Patch_Version>
- Log in to the Kubernetes Management Node and copy the downloaded file
- Execute the below commands to remove the previous LFR instance and to perform a complete LFR refresh .Ensure that the executed script is from the installed VSP version directory. The URL and IP Address to access LFR service are provided at the end of script execution
tar -xvzf vsp_lfr.tar.gz cd lfr ./vsp_deploy_lfr.sh -s # To remove the previous LFR Instance ./vsp_deploy_lfr.sh -h # To view the help menu ./vsp_deploy_lfr.sh # For complete LFR Refresh
NOTEIt takes approximately 10-15 minutes for LFR deployment and sync (over the internet) - Instead of a complete LFR refresh, only the required LFR files can be downloaded in an incremental refresh
Example: ./vsp_deploy_lfr.sh -O "rpm" -V "7,8" -S "host"
Below are the various parameters for Incremental LFR RefreshParameter Description -C Update all the CMS files. Once the script execution is complete, ensure that the script setup.sh is also executed -O Specify the required Operating System (comma separated without spaces) -r VSP Release Version. Example: 2.8.0 -S Provide the required SKU. Allowed values are web, host, mem. By default, files related to all SKUs are downloaded -V Provide the version numbers for the specified Operating System (comma separated without spaces) - LFR Verification: Procure the URL and IP for LFR using the below command
kubectl get service -n virsec
- Access the above LFR IP address using any browser. Navigate to the directory vsp to view the refreshed list of files
CMS Upgrade
- For upgrade from existing version, execute the below commands to clean that CMS instance
Upgrade from Version 2.5 or Above:
rm -rf /var/kafkavolume rm -rf /var/zookeepervolume
Upgrade from Version 2.4 or Below:
rm -rf /home/virsec/kafkavolume rm -rf /home/virsec/zookeepervolume
- Execute the below commands in Kubernetes Management node to download the installable required for CMS installation
Version 2.8 and Above:
cd vsp/cms wget --no-check-certificate https://<LFR_IPAddress>:8443/vsp/vsp_download_files.sh chmod +x ./vsp_download_files.sh ./vsp_download_files.sh #To download the required installable
Version 2.7:
cd vsp/cms wget --no-check-certificate http://<LFR_IPAddress>/vsp/vsp_download_files.sh chmod +x ./vsp_download_files.sh ./vsp_download_files.sh #To download the required installable
- CMS URL is provided at the end of script execution
- Execute the below commands to view the options to deploy CMS
cd cms_serviceperpod ./vsp_deploy_cms.sh -h
- Execute the above script using one of the below parameters to remove the previous version
Parameter Description -c This deletes all the CMS deployments and services, including the infrastructure services (MongoDB, Kafka and Redis containers). When CMS is reinstalled, Probes might need reconfiguration as the CMS IP address might have changed -s For clean CMS setup. This deletes the previous setup (if any) excluding the infrastructure services (MongoDB, Kafka and Redis containers). This option can be used if only the core CMS services need updates. It is applicable for minor release updates if there are no updates to the infrastructure services.
Example: VSP 2.7.0 TO VSP 2.7.2-S For a clean CMS setup. This deletes the previous setup (if any) including the infrastructure services (MongoDB, Kafka and Redis containers). This option can be used if the core CMS services and infrastructure services need updates. It is applicable for major release updates.
Example: VSP 2.7 TO VSP 2.8NOTEEnsure that when the parameter -s, -S OR -c are utilized, only one of them is provided as per the requirement and never bothProvide -s OR -S as the parameter in AWS EKS setup. Do not use the parameter -c - Execute the below command to deploy CMS. Ensure that the executed script is from the new CMS Version Directory
./vsp_deploy_cms.sh
- The CMS URL is provided at the end of the execution
- The various optional arguments accepted by the script vsp_deploy_cms.share:
Parameter Description -C Node name where Client service must be deployed (CMS UI)
-K Node name where Kafka service must be deployed
-M Node name where Mongo service must be deployed -n DO NOT utilize this parameter to provide a namespace. CMS MUST be deployed in the default namespace virsec -R Node name where Redis service must be deployed
-c For CMS Uninstall – This deletes all the CMS deployments and services, including the infrastructure services (MongoDB, Kafka and Redis containers). When CMS is reinstalled, Probes might need reconfiguration as the CMS IP address might have changed
-k Use this option during CMS installation/startup/ upgrade. Allowed Kafka options:
0: For Unsecure Kafka connection. The option is available only for Version 2.7. By default, the value is set to 0 if not specified
1: For One-way SSL where the Client verifies the Server
2: For Two-way SSL where both the Client and Server verify each other.
Version 2.8 and Above: By default, the value is set to 2 if not specified-o To install the optional CMS services. Indicate with “Y” or “N” for each of the options -S For a clean CMS setup. This deletes the previous setup (if any) including the infrastructure services (MongoDB, Kafka and Redis containers). This option can be used if the core CMS services and infrastructure services need updates -s For a clean CMS setup. This deletes the previous setup (if any) excluding the infrastructure services (MongoDB, Kafka and Redis containers). This option can be used if only the core CMS services need updates
NOTE:
Ensure that when the parameters -s,-S OR -c are utilized, only one of them is provided as per the requirement
Provide -s OR -S as the parameter in AWS EKS setup. Do not use the parameter -c-x To expose VSP Kafka service externally. Kafka Service must be exposed externally only when the Applications are deployed on a different Kubernetes Cluster than VSP CMS
-u To disable SSL hostname verification between CMS and Probe. This is useful when a customized domain name is desired for CMS (Default Domain Name: int.cms.virsec.com) -Z When CMS services are running. Allowed Kafka options:
0: For Unsecure Kafka connection. The option is available only for Version 2.7. By default, the value is set to 0 if not specified
1: For One-way SSL where the Client verifies the Server
2: For Two-way SSL where both the Client and Server verify each other.
Version 2.8 and Above: By default, the value is set to 2 if not specified
- To ensure that CMS maintains the same IP address and Worker Node, execute the below commands:
kubectl -n virsec patch deployments vsp-cms-client -p '{"spec": {"template": {"spec": {"nodeSelector": {"kubernetes.io/hostname": ""}}}}}' kubectl -n virsec patch service vsp-cms -p '{"spec" : {"type": "LoadBalancer", "externalIPs":[""]}}'
NOTEIf a proxy server with SSL (for internet access) OR LDAP server with SSL (for user management) is configured, ensure that the root certificate information is added to the property file, as described in the Deploy Custom SSL Certificate section of the Maintenance article - CMS Verification: Execute the below command on the Kubernetes Management Node to list all the deployments and pods
kubectl get pods -n virsec