Introduction
This article walks you through upgrading to newer on-prem Harness charts with SSL disabled.
Process
Step 1: Get the release name for your setup
helm list -n <namespace>
Step 2: Check if ssl is turned off
kubectl get configmap <release-name>-timescaledb-patroni -n <namespace> -o yaml
Search for the ssl config in the output
Step 3: Get the existing timescaledb certificate name
kubectl get secrets -n <namespace>
Search for the timescaledb <release-name>-certificate secret and copy the secret name.
Step 4: Upgrade helm chart with the following additional overrides
platform:
  timescaledb:
    useCertificates: true
    secrets:
      certificateSecretName: <secret-name-from-prev-step>
helm upgrade ........ -f additional.yaml
Step 5: Edit the configmap for <release-name>-timescaledb-patroni
a) Remove the following config from the root level
ssl: 'on'
ssl_cert_file: '/etc/certificate/tls.crt'
ssl_key_file: '/etc/certificate/tls.key'
b) Add the same under existing bootstrap.dcs.postgresql.parameters
ssl: 'on'
ssl_cert_file: '/etc/certificate/tls.crt'
ssl_key_file: '/etc/certificate/tls.key'
c) Save the configmap
Step 6: Get patroni job yaml
a) kubectl get job -n <namespace>
b) Copy the most recent <release-name>-patroni-* job name
c) Get the job yaml
kubectl get job <job-name> -n <namespace> -o yaml > patroni-job.yaml
Step 7: Delete the k8s properties and modify the ssl parameter in the job yaml (delete the uuids and add ssl to the parameters)
Add \"ssl\":\"off\" before the archive_command parameter
Existing yaml sample:
...
spec:
  containers:
  - args:
    - -c
    - |
      /usr/bin/curl --connect-timeout 30 --include --request PATCH --data \
      "{\"loop_wait\":10,\"maximum_lag_on_failover\":33554432,\"postgresql\":{\"parameters\":{\"archive_command\":\"/etc/timescaledb/scripts/pgbackrest_archive.sh %p\",\"archive_mode\":\"on\",\"archive_timeout\":\"1800s\",\"autovacuum_analyze_scale_factor\":0.02,\"autovacuum_max_workers\":10,\"autovacuum_naptime\":\"5s\",\"autovacuum_vacuum_cost_limit\":500,\"autovacuum_vacuum_scale_factor\":0.05,\"hot_standby\":\"on\",\"log_autovacuum_min_duration\":\"1min\",\"log_checkpoints\":\"on\",\"log_connections\":\"on\",\"log_disconnections\":\"on\",\"log_line_prefix\":\"%t [%p]: [%c-%l] %u@%d,app=%a [%e] \",\"log_lock_waits\":\"on\",\"log_min_duration_statement\":\"1s\",\"log_statement\":\"ddl\",\"max_connections\":100,\"max_prepared_transactions\":150,\"shared_preload_libraries\":\"timescaledb,pg_stat_statements\",\"tcp_keepalives_idle\":900,\"tcp_keepalives_interval\":100,\"temp_file_limit\":\"1GB\",\"timescaledb.passfile\":\"../.pgpass\",\"unix_socket_directories\":\"/var/run/postgresql\",\"unix_socket_permissions\":\"0750\",\"wal_level\":\"hot_standby\",\"wal_log_hints\":\"on\"},\"use_pg_rewind\":true,\"use_slots\":true},\"retry_timeout\":10,\"ttl\":30}" \
      "http://timescaledb-single-chart-config:8008/config"
      exit 0
    command:
    - /bin/sh
    image: curlimages/curl
    imagePullPolicy: Always
    name: my-release-timescaledb-patch-patroni-config
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
  dnsPolicy: ClusterFirst
  restartPolicy: OnFailure
  schedulerName: default-scheduler
  securityContext: {}
  terminationGracePeriodSeconds: 30
...
New yaml example:
...
spec:
  containers:
  - args:
    - -c
    - |
      /usr/bin/curl --connect-timeout 30 --include --request PATCH --data \
      "{\"loop_wait\":10,\"maximum_lag_on_failover\":33554432,\"postgresql\":{\"parameters\":{\"ssl\":\"off\", \"archive_command\":\"/etc/timescaledb/scripts/pgbackrest_archive.sh %p\",\"archive_mode\":\"on\",\"archive_timeout\":\"1800s\",\"autovacuum_analyze_scale_factor\":0.02,\"autovacuum_max_workers\":10,\"autovacuum_naptime\":\"5s\",\"autovacuum_vacuum_cost_limit\":500,\"autovacuum_vacuum_scale_factor\":0.05,\"hot_standby\":\"on\",\"log_autovacuum_min_duration\":\"1min\",\"log_checkpoints\":\"on\",\"log_connections\":\"on\",\"log_disconnections\":\"on\",\"log_line_prefix\":\"%t [%p]: [%c-%l] %u@%d,app=%a [%e] \",\"log_lock_waits\":\"on\",\"log_min_duration_statement\":\"1s\",\"log_statement\":\"ddl\",\"max_connections\":100,\"max_prepared_transactions\":150,\"shared_preload_libraries\":\"timescaledb,pg_stat_statements\",\"tcp_keepalives_idle\":900,\"tcp_keepalives_interval\":100,\"temp_file_limit\":\"1GB\",\"timescaledb.passfile\":\"../.pgpass\",\"unix_socket_directories\":\"/var/run/postgresql\",\"unix_socket_permissions\":\"0750\",\"wal_level\":\"hot_standby\",\"wal_log_hints\":\"on\"},\"use_pg_rewind\":true,\"use_slots\":true},\"retry_timeout\":10,\"ttl\":30}" \
      "http://timescaledb-single-chart-config:8008/config"
      exit 0
    command:
    - /bin/sh
    image: curlimages/curl
    imagePullPolicy: Always
    name: my-release-timescaledb-patch-patroni-config
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
  dnsPolicy: ClusterFirst
  restartPolicy: OnFailure
  schedulerName: default-scheduler
  securityContext: {}
  terminationGracePeriodSeconds: 30
Step 8: Apply the new job
kubectl apply -f patroni-job.yaml -n <namespace>
Step 9: Restart timescaledb pods
kubectl rollout restart statefulset harness-timescaledb -n <namespace>
Step 10: Set useCertificates = false in the additional.yaml file
platform:
  timescaledb:
    useCertificates: false
    secrets:
      certificateSecretName: <secret-name-from-prev-step>
Step 11: Helm upgrade to existing chart with just changed config
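Steps 6 and 7 done programmatically rather than by hand-editing the escaped JSON string, as an added example that is not part of the original article or Harness tooling. It assumes the job was exported with -o json instead of -o yaml (so only the Python standard library is needed); the list of server-populated fields to strip is an assumption about what "k8s properties" covers, and the sample job is constructed.

```python
import json
import re
import sys

# Server-populated fields: assumed to be the "k8s properties" Step 7 means.
SERVER_META = ("uid", "resourceVersion", "creationTimestamp", "generation", "managedFields")
UID_LABELS = ("controller-uid", "batch.kubernetes.io/controller-uid")
# The sh double-quoted string that starts with "{" (the curl --data payload).
PAYLOAD_RE = re.compile(r'"(\{(?:\\.|[^"\\])*\})"', re.S)

def set_ssl_off(script):
    """Return the shell script with "ssl":"off" first in postgresql.parameters."""
    m = PAYLOAD_RE.search(script)
    if m is None:
        raise ValueError("no JSON --data payload found")
    # Inside sh double quotes a backslash only escapes \ " $ and backtick.
    cfg = json.loads(re.sub(r'\\([\\"$`])', r"\1", m.group(1)))
    pg = cfg["postgresql"]  # "ssl" goes first, i.e. before archive_command
    pg["parameters"] = {"ssl": "off", **{k: v for k, v in pg["parameters"].items() if k != "ssl"}}
    new = json.dumps(cfg, separators=(",", ":"))
    return script[:m.start(1)] + re.sub(r'([\\"$`])', r"\\\1", new) + script[m.end(1):]

def clean_job(job):
    """Strip server-set fields, then patch each container arg holding the payload."""
    for key in SERVER_META:
        job["metadata"].pop(key, None)
    job.pop("status", None)
    job["spec"].pop("selector", None)
    tmpl = job["spec"]["template"]
    for labels in (job["metadata"].get("labels", {}), tmpl.get("metadata", {}).get("labels", {})):
        for key in UID_LABELS:
            labels.pop(key, None)
    for c in tmpl["spec"]["containers"]:
        c["args"] = [set_ssl_off(a) if PAYLOAD_RE.search(a) else a for a in c.get("args", [])]
    return job

# Constructed, shortened stand-in for `kubectl get job <job-name> -o json`.
SAMPLE_SCRIPT = ('/usr/bin/curl --request PATCH --data \\\n'
                 r'"{\"postgresql\":{\"parameters\":{\"archive_command\":\"/x.sh %p\",'
                 r'\"max_connections\":100},\"use_slots\":true},\"ttl\":30}" ' '\\\n'
                 '"http://patroni.example.invalid:8008/config"\nexit 0\n')
SAMPLE_JOB = {
    "metadata": {"name": "example-patroni-1", "uid": "0000", "labels": {"controller-uid": "0000"}},
    "spec": {"selector": {"matchLabels": {"controller-uid": "0000"}}, "template": {
        "metadata": {"labels": {"controller-uid": "0000", "job-name": "example-patroni-1"}},
        "spec": {"containers": [{"args": ["-c", SAMPLE_SCRIPT]}]}}}, "status": {"succeeded": 1}}
if __name__ == "__main__":  # pass a file from `kubectl get job ... -o json`, or use the sample
    job = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_JOB
    json.dump(clean_job(job), sys.stdout, indent=2)
```

kubectl apply -f accepts the resulting JSON file in place of patroni-job.yaml in Step 8.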