CMS Upgrade on Kubernetes
  • 12 Apr 2024
  • 5 Minutes to read
  • Dark
    Light
  • PDF

CMS Upgrade on Kubernetes

  • Dark
    Light
  • PDF

Article Summary

About this Article
This article provides information related to the LFR and CMS upgrade on Kubernetes.

(Not supported yet on VSP 3.0)

LFR Upgrade

  1. Log in to the Artifactory site using the Virsec-provided credentials from the local machine
  2. Download the tar file vsp_lfr.tar.gz from the below Artifactory directory in to the local machine
    1. Version 2.8 and Abovevsp > releases > public <Major_Release> > <Minor_Release> > <Patch_Version>
      Example: vsp > releases > public > 2 > 2.8 > 2.8.0
    2. Version 2.7vsp > releases > public > <Release_Number>
      Example: vsp > releases > public > 2.7.0
  3. Log in to the Kubernetes Management Node and copy the downloaded file
  4. Execute the below commands to remove the previous LFR instance and to perform a complete LFR refresh .Ensure that the executed script is from the installed VSP version directory. The URL and IP Address to access LFR service are provided at the end of script execution
    tar -xvzf vsp_lfr.tar.gz
    cd lfr 
    ./vsp_deploy_lfr.sh -s    # To remove the previous LFR Instance
    ./vsp_deploy_lfr.sh -h    # To view the help menu
    ./vsp_deploy_lfr.sh       # For complete LFR Refresh
    NOTE
    It takes approximately 10-15 minutes for LFR deployment and sync (over the internet)
  5. Instead of a complete LFR refresh, only the required LFR files can be downloaded in an incremental refresh
    Example: ./vsp_deploy_lfr.sh -O "rpm" -V "7,8" -S "host"
    Below are the various parameters for Incremental LFR Refresh
    ParameterDescription
    -CUpdate all the CMS files. Once the script execution is complete, ensure that the script setup.sh is also executed
    -OSpecify the required Operating System (comma separated without spaces)
    -rVSP Release Version. Example: 2.8.0
    -SProvide the required SKU. Allowed values are web, host, mem. By default, files related to all SKUs are downloaded
    -VProvide the version numbers for the specified Operating System (comma separated without spaces)
  6. LFR Verification: Procure the URL and IP for LFR using the below command
    kubectl get service -n virsec
  7. Access the above LFR IP address using any browser. Navigate to the directory vsp to view the refreshed list of files


CMS Upgrade

  1. For upgrade from existing version, execute the below commands to clean that CMS instance
     

    Upgrade from Version 2.5 or Above:

    rm -rf /var/kafkavolume
    rm -rf /var/zookeepervolume

    Upgrade from Version 2.4 or Below:

    rm -rf /home/virsec/kafkavolume
    rm -rf /home/virsec/zookeepervolume

  2. Execute the below commands in Kubernetes Management node to download the installable required for CMS installation
     

    Version 2.8 and Above:

    cd vsp/cms
    wget --no-check-certificate https://<LFR_IPAddress>:8443/vsp/vsp_download_files.sh
    chmod +x ./vsp_download_files.sh
    ./vsp_download_files.sh   #To download the required installable

    Version 2.7:

    cd vsp/cms
    wget --no-check-certificate http://<LFR_IPAddress>/vsp/vsp_download_files.sh
    chmod +x ./vsp_download_files.sh 
    ./vsp_download_files.sh   #To download the required installable
    1. CMS URL is provided at the end of script execution
  3. Execute the below commands to view the options to deploy CMS
    cd cms_serviceperpod 
    ./vsp_deploy_cms.sh -h
  4. Execute the above script using one of the below parameters to remove the previous version
    ParameterDescription
    -cThis deletes all the CMS deployments and services, including the infrastructure services (MongoDB, Kafka and Redis containers). When CMS is reinstalled, Probes might need reconfiguration as the CMS IP address might have changed
    -sFor clean CMS setup. This deletes the previous setup (if any) excluding the infrastructure services (MongoDB, Kafka and Redis containers). This option can be used if only the core CMS services need updates. It is applicable for minor release updates if there are no updates to the infrastructure services.
    Example: VSP 2.7.0 TO VSP 2.7.2
    -SFor a clean CMS setup. This deletes the previous setup (if any) including the infrastructure services (MongoDB, Kafka and Redis containers). This option can be used if the core CMS services and infrastructure services need updates. It is applicable for major release updates.
    Example: VSP 2.7 TO VSP 2.8
    NOTE
    Ensure that when the parameter -s, -S OR -c are utilized, only one of them is provided as per the requirement and never both
    Provide -s OR -S as the parameter in AWS EKS setup. Do not use the parameter -c


  5. Execute the below command to deploy CMS. Ensure that the executed script is from the new CMS Version Directory
    ./vsp_deploy_cms.sh
    1. The CMS URL is provided at the end of the execution
    2. The various optional arguments accepted by the script vsp_deploy_cms.share:
      ParameterDescription
      -C

      Node name where Client service must be deployed (CMS UI)

      -K

      Node name where Kafka service must be deployed

      -MNode name where Mongo service must be deployed
      -nDO NOT utilize this parameter to provide a namespace. CMS MUST be deployed in the default namespace virsec
      -R

      Node name where Redis service must be deployed

      -c

      For CMS Uninstall – This deletes all the CMS deployments and services, including the infrastructure services (MongoDB, Kafka and Redis containers). When CMS is reinstalled, Probes might need reconfiguration as the CMS IP address might have changed

      -k

      Use this option during CMS installation/startup/ upgrade. Allowed Kafka options:
      0: For Unsecure Kafka connection. The option is available only for Version 2.7. By default, the value is set to 0 if not specified
      1: For One-way SSL where the Client verifies the Server
      2: For Two-way SSL where both the Client and Server verify each other.
      Version 2.8 and Above: By default, the value is set to 2 if not specified

      -oTo install the optional CMS services. Indicate with “Y” or “N” for each of the options
      -SFor a clean CMS setup. This deletes the previous setup (if any) including the infrastructure services (MongoDB, Kafka and Redis containers). This option can be used if the core CMS services and infrastructure services need updates
      -sFor a clean CMS setup. This deletes the previous setup (if any) excluding the infrastructure services (MongoDB, Kafka and Redis containers). This option can be used if only the core CMS services need updates
      NOTE:
      Ensure that when the parameters -s,-S OR -c are utilized, only one of them is provided as per the requirement
      Provide -s OR -S as the parameter in AWS EKS setup. Do not use the parameter -c
      -x

      To expose VSP Kafka service externally. Kafka Service must be exposed externally only when the Applications are deployed on a different Kubernetes Cluster than VSP CMS

      -uTo disable SSL hostname verification between CMS and Probe. This is useful when a customized domain name is desired for CMS (Default Domain Name: int.cms.virsec.com)
      -Z

      When CMS services are running. Allowed Kafka options:
      0: For Unsecure Kafka connection. The option is available only for Version 2.7. By default, the value is set to 0 if not specified
      1: For One-way SSL where the Client verifies the Server
      2: For Two-way SSL where both the Client and Server verify each other.
      Version 2.8 and Above: By default, the value is set to 2 if not specified

  6. To ensure that CMS maintains the same IP address and Worker Node, execute the below commands:
    kubectl -n virsec patch deployments vsp-cms-client -p '{"spec": {"template": {"spec": {"nodeSelector": {"kubernetes.io/hostname": ""}}}}}'
    kubectl -n virsec patch service vsp-cms -p '{"spec" : {"type": "LoadBalancer", "externalIPs":[""]}}'
    NOTE
    If a proxy server with SSL (for internet access) OR LDAP server with SSL (for user management) is configured, ensure that the root certificate information is added to the property file, as described in the Deploy Custom SSL Certificate section of the Maintenance article


  7. CMS Verification: Execute the below command on the Kubernetes Management Node to list all the deployments and pods
    kubectl get pods -n virsec 



Was this article helpful?


What's Next