Skip to main content
Version: 3.11-dev

Upgrade KubeRocketCI v3.9 to 3.10

important

We suggest backing up the KubeRocketCI environment before starting the upgrade procedure.

This section provides detailed instructions for upgrading KubeRocketCI to version 3.10. Follow the steps and requirements outlined below:

  1. Update Custom Resource Definitions (CRDs). Run the following command to apply all necessary CRDs to the cluster:

    kubectl apply -f https://raw.githubusercontent.com/epam/edp-codebase-operator/v2.24.0/deploy-templates/crds/v2.edp.epam.com_cdstagedeployments.yaml
    kubectl apply -f https://raw.githubusercontent.com/epam/edp-codebase-operator/v2.24.0/deploy-templates/crds/v2.edp.epam.com_codebasebranches.yaml
    kubectl apply -f https://raw.githubusercontent.com/epam/edp-codebase-operator/v2.24.0/deploy-templates/crds/v2.edp.epam.com_codebaseimagestreams.yaml
    kubectl apply -f https://raw.githubusercontent.com/epam/edp-codebase-operator/v2.24.0/deploy-templates/crds/v2.edp.epam.com_codebases.yaml
    kubectl apply -f https://raw.githubusercontent.com/epam/edp-codebase-operator/v2.24.0/deploy-templates/crds/v2.edp.epam.com_gitservers.yaml
    kubectl apply -f https://raw.githubusercontent.com/epam/edp-codebase-operator/v2.24.0/deploy-templates/crds/v2.edp.epam.com_jiraissuemetadatas.yaml
    kubectl apply -f https://raw.githubusercontent.com/epam/edp-codebase-operator/v2.24.0/deploy-templates/crds/v2.edp.epam.com_jiraservers.yaml
    kubectl apply -f https://raw.githubusercontent.com/epam/edp-cd-pipeline-operator/v2.21.0/deploy-templates/crds/v2.edp.epam.com_cdpipelines.yaml
    kubectl apply -f https://raw.githubusercontent.com/epam/edp-cd-pipeline-operator/v2.21.0/deploy-templates/crds/v2.edp.epam.com_stages.yaml

  2. (Optional) If you are using the Gerrit Operator, update the necessary CRDs for Gerrit. Run the following command to apply the necessary CRDs to the cluster:

    kubectl apply -f https://raw.githubusercontent.com/epam/edp-gerrit-operator/v2.22.0/deploy-templates/crds/v2.edp.epam.com_gerritgroupmembers.yaml
    kubectl apply -f https://raw.githubusercontent.com/epam/edp-gerrit-operator/v2.22.0/deploy-templates/crds/v2.edp.epam.com_gerritgroups.yaml
    kubectl apply -f https://raw.githubusercontent.com/epam/edp-gerrit-operator/v2.22.0/deploy-templates/crds/v2.edp.epam.com_gerritmergerequests.yaml
    kubectl apply -f https://raw.githubusercontent.com/epam/edp-gerrit-operator/v2.22.0/deploy-templates/crds/v2.edp.epam.com_gerritprojectaccesses.yaml
    kubectl apply -f https://raw.githubusercontent.com/epam/edp-gerrit-operator/v2.22.0/deploy-templates/crds/v2.edp.epam.com_gerritprojects.yaml
    kubectl apply -f https://raw.githubusercontent.com/epam/edp-gerrit-operator/v2.22.0/deploy-templates/crds/v2.edp.epam.com_gerritreplicationconfigs.yaml
    kubectl apply -f https://raw.githubusercontent.com/epam/edp-gerrit-operator/v2.22.0/deploy-templates/crds/v2.edp.epam.com_gerrits.yaml

  3. (Optional) Update Tekton Pipeline labels:

    In version 3.10, Tekton pipelines require specific labels to indicate their type: build, review, clean, or deploy. These labels allow KubeRocketCI portal to correctly display pipeline data.

    Below are examples of the required labels for each pipeline type:

    • Build Pipeline 
      metadata:
        name: build
        labels:
          app.edp.epam.com/pipelinetype: build
    • Review Pipeline 
      metadata:
        name: review
        labels:
          app.edp.epam.com/pipelinetype: review
    • Clean Pipeline 
      metadata:
        name: clean
        labels:
          app.edp.epam.com/pipelinetype: clean
    • Deploy Pipeline 
      metadata:
        name: deploy
        labels:
          app.edp.epam.com/pipelinetype: deploy
    note

    For any custom Tekton pipelines created in earlier versions, ensure that each pipeline has the appropriate label to maintain compatibility.

    To label an existing custom pipeline, you can use the following command as a reference:

    kubectl label pipeline <pipeline-name> app.edp.epam.com/pipelinetype=<build | review | deploy> -n <krci-namespace>

  4. (Optional) Migrate Git providers credentials to a new AWS Parameter Store object:

    note

    In version 3.9.0, Git providers credentials were included in the manageEDPInstallSecretsName object in AWS Parameter Store. Due to character limit restrictions, these credentials should now be migrated to a dedicated AWS Parameter Store object named manageGitProviderSecretsName.

    If you are using the External Secret Operator to manage secrets, specify a new field in the values.yaml file: manageGitProviderSecretsName. This field should be defined as follows:

    values.yaml
    externalSecrets:
      enabled: true
      ...
      manageEDPInstallSecretsName: /infra/core/addons/kuberocketci
      manageGitProviderSecretsName: /infra/core/addons/kuberocketci-git-provider-secrets

    Below is an example of the object structure for manageGitProviderSecretsName:

    {
      "github-config": {
        "id_rsa": "LS0tLS1...",
        "token": "ghp_fdO1joO...",
        "secretString": "kfr1ndk4..."
      },
      "gitlab-config": {
        "id_rsa": "LS0tLS1...",
        "token": "RW1UG2EAdEjPEC1NSoVm3A",
        "secretString": "kfr1ndk4..."
      },
      "bitbucket-config": {
        "id_rsa": "LS0tLS1...",
        "token": "YXV0b19lcG1kLWVkc...",
        "secretString": "kfr1ndk4..."
      }
    }

  5. (Optional) Enable Code Quality Widgets:

    note

    Starting from version 3.10, KrakenD is used to manage Code Quality widgets in KubeRocketCI portal. This migration simplifies the integration with third-party APIs, improves performance, and provides a scalable, flexible API gateway.

    By default, in version 3.10, Code Quality widgets are disabled. To enable them, follow these steps:

    1. Install KrakenD: For detailed installation instructions, refer to the KrakenD installation guide.

    2. Configure the values.yaml file: In the edp-install chart, set the apiGatewayUrl key to specify the API URL of KrakenD as configured during its installation.

      values.yaml
      global:
        apiGatewayUrl: "https://api.example.com"

  6. (Optional) Migrate SSO (OAuth2-proxy) configuration:

    danger

    Starting from version 3.10, the platform no longer supports setting single sign-on (SSO) configuration through the edp-install chart. This includes the installation of the oauth2-proxy component and the creation of required Keycloak resources.

    Deprecated fields in values.yaml file for SSO configuration are listed below:

    View: Deprecated fields in values.yaml
    sso:
      # -- Install OAuth2-proxy and Keycloak CRs as a part of EDP deployment.
      enabled: false

      keycloakOperatorResources:
        # Set to false if using the add-ons approach (refer to https://github.com/epam/edp-cluster-add-ons)
        # for EDP installation and if the extension-oidc is already installed.
        # This prevents the creation of an additional Keycloak resource and secret.
        # The 'kind' and 'name' must be specified in case of using an existing Keycloak/ClusterKeycloak resource.
        # Create kind: Keycloak as a part of chart installation
        createKeycloakCR: true
        # Can be Keycloak or ClusterKeycloak.
        kind: Keycloak
        # Name of kind: Keycloak/ClusterKeycloak CR.
        name: main

      # -- Defines the Keycloak realm name, which by default is named after the namespace where EDP is deployed.
      # realmName: edp
      # -- Defines Keycloak sso realm name that is used as the Identity Provider (IdP) realm
      ssoRealmName: "broker"
      # -- Defines Keycloak client name that is used for the Identity Provider (IdP) client
      ssoClientName: "edp"
      # -- Keycloak URL.
      keycloakUrl: https://keycloak.example.com/auth
      # -- Administrators of your tenant.
      admins:
        - "stub_user_one@example.com"
      # -- Developers of your tenant
      developers:
        - "stub_user_one@example.com"
        - "stub_user_two@example.com"

      # Oauth2-proxy image
      image:
        # -- OAuth2-proxy image repository
        repository: quay.io/oauth2-proxy/oauth2-proxy
        # -- OAuth2-proxy image tag
        tag: v7.4.0

      # Create a cookie-secret with the following command:
      # 'openssl rand -base64 32 | head -c 32 | base64'
      # Use an existing secret for OAuth2 cookie-secret
      existingSecret:
        # -- Secret name which stores cookie-secret
        secretName: oauth2-proxy-cookie-secret
        # -- Secret key which stores cookie-secret
        secretKey: cookie-secret

      # -- Additional container environment variables
      extraEnv: []
      # -- Extra arguments to provide to the OAuth2-proxy
      extraArgs: {}

      # -- Additional volumes to be added to the OAuth2-proxy pod
      extraVolumes: []
      #  - name: custom-ca
      #    secret:
      #      defaultMode: 420
      #      secretName: custom-ca

      # -- Additional volumeMounts to be added to the OAuth2-proxy container
      extraVolumeMounts: []
      #  - name: custom-ca
      #    mountPath: /etc/ssl/certs/CA.crt
      #    readOnly: true
      #    subPath: CA.crt

      ingress:
        # -- Enable ingress controller resource
        enabled: true
        # -- Additional ingress annotations
        annotations: {}
        # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
        pathType: Prefix

        # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
        # Ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
        # -- Defines which ingress controller will implement the resource, e.g. nginx
        ingressClassName: ""
        # -- Ingress TLS configuration
        tls: []
        #  - secretName: chart-example-tls
        #    hosts:
        #      - chart-example.local
      # -- Node labels for pod assignment
      nodeSelector: {}
      # -- Toleration labels for pod assignment
      tolerations: []
      # -- Affinity settings for pod assignment
      affinity: {}

    If you previously used SSO configuration section, follow these migration steps:

    1. Manually remove all Keycloak resources previously created by the edp-install chart. The list of resources to remove can be found here. Remove the resources sequentially, following the specified deletion order. Sample commands for deleting Keycloak resources are provided below:

      kubectl delete keycloakclient gerrit -n <krci-namespace>
      kubectl delete keycloakclient oauth2-proxy -n <krci-namespace>
      kubectl delete keycloakclientscope edp -n <krci-namespace>
      kubectl delete keycloakrealmrole default-roles-administrator -n <krci-namespace>
      kubectl delete keycloakrealmrole default-roles-developer -n <krci-namespace>
      kubectl delete keycloakrealmrolebatch default-roles -n <krci-namespace>
      kubectl delete keycloakauthflow keycloakauthflow-browser -n <krci-namespace>
      kubectl delete keycloakrealmidentityprovider broker-idp -n <krci-namespace>
      kubectl delete keycloakrealm main -n <krci-namespace>
      kubectl delete keycloak keycloak -n <krci-namespace>

    2. Review and configure the kuberocketci-rbac chart in the add-ons repository. Set the required values in the values.yaml file and install the chart. Verify that all necessary Keycloak resources have been successfully created in Keycloak.

    3. Review and configure the oauth2-proxy chart in the add-ons repository. Set the required values in the values.yaml file and install the chart. Ensure that oauth2-proxy is running correctly.

    4. Once the kuberocketci-rbac and oauth2-proxy charts are installed and verified, proceed with upgrading the platform to version 3.10.

  7. (Optional) Update the OIDC Integration section for edp-headlamp chart:

    In version 3.10, the OpenID Connect (OIDC) section for the edp-headlamp chart has been modified. Certain fields have been renamed or removed. For example, the keycloakUrl field has been renamed to issuerUrl, and the issuerRealm field is no longer required. Refer to the example values configurations below for versions 3.9 and 3.10 to identify the fields that need to be modified for compatibility:

    values.yaml
    edp-headlamp:
      enabled: true
      ...
      config:
        oidc:
          enabled: true
          keycloakUrl: "https://keycloak.example.com"
          clientID: ""
          clientSecretName: "keycloak-client-headlamp-secret"
          clientSecretKey: "clientSecret"
          issuerRealm: ""
          scopes: ""

  8. (Optional) Update Gerrit configuration:

    Update the following configuration for the gerrit-operator section in values.yaml:

    1. Update the extraEnv variable. Modify the OAUTH_KEYCLOAK_CLIENT_ID value to follow the gerrit-<KRCI_NAMESPACE_NAME> format:

      values.yaml
      gerrit-operator:
        enabled: true
        ...
        gerrit:
          extraEnv:
            - name: OAUTH_KEYCLOAK_CLIENT_ID
              value: gerrit-<KRCI_NAMESPACE_NAME>

    2. Specify the Single Sign-on (SSO) configuration. Ensure the SSO configuration is defined as follows:

      values.yaml
      sso:
        enabled: true
        keycloakUrl: https://keycloak.example.com
        kind: ClusterKeycloakRealm
        name: main

  9. (Optional) Enable Tekton Dashboard:

    Starting from version 3.10, the Tekton Dashboard is disabled by default. To enable it, set the following configuration in the values.yaml file:

    values.yaml
    edp-tekton:
      enabled: true
      ...
      dashboard:
        enabled: true

  10. To upgrade KubeRocketCI to the v3.10, run the following command:

    helm upgrade krci epamedp/edp-install -n krci --values values.yaml --version=3.10.2
    note

    To verify the installation, you can test the deployment before applying it to the cluster with the --dry-run key: helm upgrade krci epamedp/edp-install -n krci --values values.yaml --version=3.10.2 --dry-run