Hi Anders,
There are two parts to consider in an upgrade:
- General upgrade release notes for the version
- Upgrade method specific to the deployment type (Helm in your case)
For (1) the following should be read:
https://www.ibm.com/support/pages/urgent-apar-information-ibm-security-verify-access-10001-firmware-upgradeThere will also be release notes associated with the update package.
There is also this:
https://www.ibm.com/support/pages/node/6340107(It doesn't apply to upgrade from 10.0.0.0 to 10.0.0.1 so should be fine but I include in case others are reading this).
For upgrade from 10.0.0.0 to 10.0.0.1 there is a specific known issue around configuration snapshot migration when using containers. The upgraded 10.0.0.1 system doesn't detect the existing 10.0.0.0 snapshot file. The easiest workaround to this issue is to perform the following step just before the upgrade:
"exec" into the configuration container and run this command:
cp /var/shared/snapshots/isva_10.0.0.0_published.snapshot /var/shared/snapshots/isam_9.0.7.1_published.snapshot
On specifics for a Helm environment:
My first advice would be to make sure you have a backup of all data before attempting the upgrade. This means a backup of the configuration snapshot, LDAP data, and Database data. This is especially important for Helm if you are using dynamic provisioning because it will delete your persistent volumes if you delete the associated release.
The simplest upgrade is to use the "helm upgrade" process. In this case you would simply:
- Update the values.yaml file and change the repository parameter to point to ibmcom/verify-access:10.0.0.1
- run the "helm upgrade <application> <chart> -f <values file>" command.
You must have sufficient nodes available to allow new versions of the Verify Access containers to start on a different node from the originals. This is because of the anti-affinity rules in the charts. It might be a good idea to modify the affinity settings in the chart to make the rules a preference instead of a requirement to allow in-place upgrade on the same node.
As an alternative approach, you could delete the current application and then create a new one with the updated values file. You must be really careful if you use this approach and you are using dynamic provisioning because the delete step will likely delete you persistent volumes. If you are using PVCs that you manually created (non-dynamic) then these are not deleted and will be picked up by the new application when it starts (based on existingClaim names specified in the values.yaml).
I hope this helps. I strongly suggest thoroughly testing and getting familiar with the upgrade process before attempting on any live system (including the backup/restore so you know you will recover if anything goes wrong).
Jon.
P.S. I have created a new (v1.21) Helm Chart for Verify Access with some enhancements you might find interesting. It is not officially published yet but it is a branch of the IBM-Security/helm-charts Github repo. Upgrading to a new chart version would require similar steps to the above upgrade I think. Probably best not to attempt both at the same time though.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
Original Message:
Sent: Wed November 11, 2020 05:55 AM
From: Anders Domeij
Subject: Helm insallation and ISA fixpak 1
Hi,
we are running ISVA ver 10.0.0.0 on a Kubernetes cluster installed from the official Helm repo (version 1.20).
What is the 'correct' way to apply the 10.0.0.1 fixpak to this installation?
Rgds
------------------------------
Anders Domeij
CGI Sweden AB
------------------------------