Red Hat SummitChapter 1. Upgrade 3scale 2.1 to 2.2
Perform the steps in this document to upgrade Red Hat 3scale API Management on-premises deployment from version 2.1 to 2.2.
1.1. Prerequisites:
- 3scale On-Premises 2.1
- OpenShift CLI
- 3scale AMP 2.2 templates
- Access and permissions to your OpenShift server and project
- A persistent volume with enough space to hold a backup of the MySQL database
This process can cause disruption in the service. Make sure to have a maintenance window.
1.2. Select the Project
- Take a backup of your OpenShift cluster.
From a terminal session, log in to your OpenShift cluster:
oc login https://<YOUR_OPENSHIFT_CLUSTER>:8443Select the project that you want to upgrade:
oc project <YOUR_AMP_21_PROJECT>
1.3. Gather the Needed Values
You need the following parameters for the new 3scale API Management 2.2 Multitenancy feature. You may choose to either specify new values for these parameters or keep the default ones.
| Parameter | Description |
|---|---|
| MASTER_USER | Username for the Master Admin Portal. Default: "master" |
| MASTER_PASSWORD | Password for the Master Admin Portal. Automatically generated if not specified |
| MASTER_ACCESS_TOKEN | Access Token for master automatically generated during the upgrade. However, MASTER_ACCESS_TOKEN is not added to the system seed by default. |
| APICAST_REGISTRY_URL | The URL to point to APIcast policies registry management. Default: http://apicast-staging:8090/policies |
Gather the following values from the system components of your current 2.1 deployment:
- DATABASE_URL
- THREESCALE_SUPERDOMAIN
- TENANT_NAME
- APICAST_ACCESS_TOKEN
- ADMIN_ACCESS_TOKEN
- USER_LOGIN
- USER_PASSWORD
- EVENTS_SHARED_SECRET
- APICAST_BACKEND_ROOT_ENDPOINT
- CONFIG_INTERNAL_API_USER
- CONFIG_INTERNAL_API_PASSWORD
- SECRET_KEY_BASE
- BACKEND_ROUTE
Export them from the current deployment into the active shell:
export `oc env dc/system-app --list | grep -E '^(DATABASE_URL|THREESCALE_SUPERDOMAIN|TENANT_NAME|APICAST_ACCESS_TOKEN|ADMIN_ACCESS_TOKEN|USER_LOGIN|USER_PASSWORD|EVENTS_SHARED_SECRET|APICAST_BACKEND_ROOT_ENDPOINT|CONFIG_INTERNAL_API_USER|CONFIG_INTERNAL_API_PASSWORD|SECRET_KEY_BASE|BACKEND_ROUTE)=' | tr "\n" ' ' `Optionally, to query individual values from the OpenShift CLI, run the following
oc getcommand, where<variable_name>is the name of the variable you want to query:oc get "-o=custom-columns=NAMES:.spec.template.spec.containers[0].env[?(.name==\"<variable_name>\")].value" dc/system-appGather the following values from the
system-mysqlcomponent of your current 2.1 deployment:- MYSQL_USER
- MYSQL_PASSWORD
- MYSQL_DATABASE
- MYSQL_ROOT_PASSWORD
Export these values from the current deployment into the active shell:
export `oc env dc/system-mysql --list | grep -E '^(MYSQL_USER|MYSQL_PASSWORD|MYSQL_DATABASE|MYSQL_ROOT_PASSWORD)=' | tr "\n" ' ' `Optionally, to query individual values from the OpenShift CLI, run the following
oc getcommand, where<variable_name>is the name of the variable you want to query:oc get "-o=custom-columns=NAMES:.spec.template.spec.containers[0].env[?(.name==\"<variable_name>\")].value" dc/system-mysqlGather the following values from the APIcast component of your current 2.1 deployment:
- APICAST_MANAGEMENT_API
- OPENSSL_VERIFY
- APICAST_RESPONSE_CODES
Export these values from the current deployment into the active shell:
export `oc env dc/apicast-production --list | grep -E '^(APICAST_MANAGEMENT_API|OPENSSL_VERIFY|APICAST_RESPONSE_CODES)=' | tr "\n" ' ' `Optionally, to query individual values from the OpenShift CLI, run the following
oc getcommand, where<variable_name>is the name of the variable you want to query:oc get "-o=custom-columns=NAMES:.spec.template.spec.containers[0].env[?(.name==\"<variable_name>\")].value" dc/apicast-production
1.4. Configure New Variable Values
Set the value for the new version of the AMP release:
export AMP_RELEASE=2.2.0Set the values for the new optional parameters introduced in AMP 2.2. These parameters are described in the beginning of the gather needed values section. Use the
exportcommand, replacing the values in the parenthesis:export MASTER_ACCESS_TOKEN=<MASTER_ACCESS_TOKEN> export APICAST_REGISTRY_URL=<APICAST_REGISTRY_URL>Regarding MASTER_USER and MASTER_PASSWORD, consider the following:
- If you want to use the default values, no action is required.
If you have specified values for these environment variables, export them with the following commands:
export MASTER_USER=<MASTER_USER> export MASTER_PASSWORD=<MASTER_PASSWORD>
Confirm that the necessary values gathered in the gather needed values section are exported to the active shell and that the new values are set in this section:
echo AMP_RELEASE=$AMP_RELEASE echo DATABASE_URL=$DATABASE_URL echo THREESCALE_SUPERDOMAIN=$THREESCALE_SUPERDOMAIN echo TENANT_NAME=$TENANT_NAME echo APICAST_ACCESS_TOKEN=$APICAST_ACCESS_TOKEN echo ADMIN_ACCESS_TOKEN=$ADMIN_ACCESS_TOKEN echo USER_LOGIN=$USER_LOGIN echo USER_PASSWORD=$USER_PASSWORD echo EVENTS_SHARED_SECRET=$EVENTS_SHARED_SECRET echo APICAST_BACKEND_ROOT_ENDPOINT=$APICAST_BACKEND_ROOT_ENDPOINT echo CONFIG_INTERNAL_API_USER=$CONFIG_INTERNAL_API_USER echo CONFIG_INTERNAL_API_PASSWORD=$CONFIG_INTERNAL_API_PASSWORD echo SECRET_KEY_BASE=$SECRET_KEY_BASE echo BACKEND_ROUTE=$BACKEND_ROUTE echo MYSQL_USER=$MYSQL_USER echo MYSQL_PASSWORD=$MYSQL_PASSWORD echo MYSQL_DATABASE=$MYSQL_DATABASE echo MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD echo APICAST_MANAGEMENT_API=$APICAST_MANAGEMENT_API echo OPENSSL_VERIFY=$OPENSSL_VERIFY echo APICAST_RESPONSE_CODES=$APICAST_RESPONSE_CODES echo MASTER_USER=$MASTER_USER echo MASTER_PASSWORD=$MASTER_PASSWORD echo MASTER_ACCESS_TOKEN=$MASTER_ACCESS_TOKEN echo APICAST_REGISTRY_URL=$APICAST_REGISTRY_URL
1.5. Upgrade the database pod
To upgrade the database, create a backup of the pod and deploy a new pod.
1.5.1. Create the backup
- Create a persistent volume with enough storage to hold the MySQL database.
To create a persistent volume claim with enough storage to hold the MySQL database, run the following command, replacing the
<size>value with an appropriate size for your database:echo "apiVersion: v1 kind: PersistentVolumeClaim metadata: name: mysql-backup spec: accessModes: - ReadWriteOnce resources: requests: storage: <size>" | oc create -f -This command crates a persistent volume claim named
mysql-backup.To create a pod to house the backup database, run the following command:
echo "apiVersion: v1 kind: Pod metadata: name: mysql-backup labels: name: mysql-backup spec: containers: - name: mysql-backup image: registry.access.redhat.com/rhscl/mysql-57-rhel7:5.7-5 args: - sleep - infinity volumeMounts: - mountPath: /backup name: mysql-backup volumes: - name: mysql-backup persistentVolumeClaim: claimName: mysql-backup" | oc create -f -Wait until the pod is created and log in to it using the following
oc rshcommand and take the backup:oc rsh mysql-backup /opt/rh/rh-mysql57/root/usr/bin/mysqldump -h system-mysql -u ${MYSQL_USER} -p${MYSQL_PASSWORD} system -r /backup/backup.sqlTo verify the contents of your backup, check the backup file size against the original file size by running the following
oc rshcommand:oc rsh mysql-backup ls -lha /backup/backup.sql
If in the next steps you experience a failure, you can redeploy your database from your backup by using the following oc rsh command:
oc rsh mysql-backup /bin/bash -c "/usr/bin/cat /backup/backup.sql | /opt/rh/rh-mysql57/root/usr/bin/mysql -h system-mysql -uroot -p${MYSQL_ROOT_PASSWORD} system"1.5.2. Perform the upgrade
Delete the system service with the following
oc deletecommand. Note that your application will be down from this point because the application loses connection with the database:oc delete service system-mysqlTo patch the MySQL DeploymentConfig, run the following
oc patchcommand:oc patch dc/system-mysql -p "spec: template: spec: containers: - name: system-mysql image: registry.access.redhat.com/rhscl/mysql-57-rhel7:5.7-5 args: - /opt/rh/rh-mysql57/root/usr/libexec/mysqld - '--datadir=/var/lib/mysql/data/' "- Ensure that the new pod is deployed successfully before continuing.
To fetch the new pod details, run the following
oc getcommands:To fetch the pod name:
oc get pods -l deploymentconfig=system-mysqlTo fetch the pod IP address:
oc get pods -o=custom-columns=IP:.status.podIP -l deploymentconfig=system-mysql
Log in to the pod using the following
oc rshcommand, substitute the <pod_name> and <pod_ip> with the name and IP address from the preceding steps:oc rsh <pod_name> /opt/rh/rh-mysql57/root/usr/bin/mysql_upgrade -h <pod_ip> -u root -p${MYSQL_ROOT_PASSWORD}To patch the mysql Deployment Config with the changes done on the 2.2 version, run the following
oc patchcommand:oc patch dc/system-mysql -p " metadata: labels: app: System spec: template: spec: containers: - name: system-mysql args: imagePullPolicy: IfNotPresent resources: limits: memory: 2Gi requests: cpu: 250m memory: 512Mi "
1.5.3. Change the MySQL character set and collation
To create the
mysql-extra-confConfigMap with the mysql-charset.cnf config file, run the followingoc createcommand:echo "kind: ConfigMap apiVersion: v1 metadata: name: mysql-extra-conf data: mysql-charset.cnf: | [client] default-character-set = utf8 [mysql] default-character-set = utf8 [mysqld] character-set-server = utf8 collation-server = utf8_unicode_ci" | oc create -f -To create the
mysql-main-confConfigMap, run the followingoc createcommand:echo 'kind: ConfigMap apiVersion: v1 metadata: name: mysql-main-conf data: my.cnf: | !include /etc/my.cnf !includedir /etc/my-extra.d' | oc create -f -To configure system-mysql starting with the created configmaps on last steps, run the following
oc patchcommand:oc patch dc/system-mysql -p "spec: template: spec: containers: - name: system-mysql env: - name: MYSQL_USER value: "${MYSQL_USER}" - name: MYSQL_PASSWORD value: "${MYSQL_PASSWORD}" - name: MYSQL_DATABASE value: "${MYSQL_DATABASE}" - name: MYSQL_ROOT_PASSWORD value: "${MYSQL_ROOT_PASSWORD}" - name: MYSQL_LOWER_CASE_TABLE_NAMES value: '1' - name: MYSQL_DEFAULTS_FILE value: "/etc/my-extra/my.cnf" volumeMounts: - name: 'mysql-storage' mountPath: /var/lib/mysql/data - name: 'mysql-extra-conf' mountPath: /etc/my-extra.d - name: 'mysql-main-conf' mountPath: /etc/my-extra volumes: - name: 'mysql-storage' persistentVolumeClaim: claimName: 'mysql-storage' - name: 'mysql-extra-conf' configMap: name: 'mysql-extra-conf' - name: 'mysql-main-conf' configMap: name: 'mysql-main-conf' "Wait until the deployment is complete on system-mysql and run the following
oc getcommand to fetch the new MySQL pod name:oc get pods -l deploymentconfig=system-mysqlTo fetch the new MySQL pod IP address, run the following
oc getcommand:oc get pods -o=custom-columns=IP:.status.podIP -l deploymentconfig=system-mysqlTo change the character set on the database and all the tables, run the
oc rshcommand, specifying the previously fetched<pod_name>and<pod_ip>:oc rsh <pod_name> /bin/bash -c "echo ALTER DATABASE system CHARACTER SET utf8 COLLATE utf8_general_ci | mysql -h <pod_ip> -u root -p${MYSQL_ROOT_PASSWORD} --default-character-set=utf8" oc rsh <pod_name> /bin/bash -c "/opt/rh/rh-mysql57/root/usr/bin/mysql -h <pod_ip> -u root -p${MYSQL_ROOT_PASSWORD} --default-character-set=utf8 -B -N -e 'SHOW TABLES' system | awk '{print \"SET foreign_key_checks = 0; ALTER TABLE\", \$1, \"CONVERT TO CHARACTER SET utf8 COLLATE utf8_general_ci; SET foreign_key_checks = 1; \"}' | /opt/rh/rh-mysql57/root/usr/bin/mysql -h <pod_ip> -u root -p${MYSQL_ROOT_PASSWORD} --default-character-set=utf8 system"To create the
system-mysqlservice, run the followingoc createcommand:echo "kind: Service apiVersion: v1 metadata: name: 'system-mysql' spec: ports: - name: system-mysql protocol: TCP port: 3306 targetPort: 3306 nodePort: 0 selector: name: 'system-mysql'" | oc create -f -
1.5.4. Delete the backups
- Verify the updated database and ensure that the pods are running.
To delete the backup pod and persistent volume claim, run the following
oc deletecommand:oc delete pod/mysql-backup oc delete pvc/mysql-backup
1.6. Create new routes and services for system
After you have configured the new variable values, run the following oc create command to create new routes and services:
echo "
apiVersion: v1
kind: Service
metadata:
name: system-master
annotations:
service.alpha.openshift.io/dependencies: '[{\"name\": \"system-developer\", \"kind\": \"Service\"}]'
spec:
ports:
- port: 3000
protocol: TCP
targetPort: master
name: http
selector:
name: system-app
" | oc create -f -echo "
apiVersion: v1
kind: Route
metadata:
name: system-master-admin-route
spec:
host: master-account-admin.${THREESCALE_SUPERDOMAIN}
to:
kind: Service
name: system-master
port:
targetPort: http
tls:
termination: edge
insecureEdgeTerminationPolicy: Allow
" | oc create -f -1.7. Patch System Components
Continue your in-place upgrade using the oc patch command. The oc patch command allows you to patch your deployment configurations, image streams and ConfigMaps.
In this section of the upgrade, you must patch the system config map. You must also patch deployment configurations for the following pods:
- system-app
- system-resque
- system-sidekiq
- system-sphinx
Follow these steps to patch config maps and deployment configurations:
To patch the
systemConfigMap, run the followingoc patchcommand:oc patch cm/system -p " data: zync.yml: | production: endpoint: 'http://zync:8080' authentication: token: \"<%= ENV.fetch('ZYNC_AUTHENTICATION_TOKEN') %>\" connect_timeout: 5 send_timeout: 5 receive_timeout: 10 root_url: rolling_updates.yml: | production: old_charts: false new_provider_documentation: false proxy_pro: false instant_bill_plan_change: false service_permissions: true async_apicast_deploy: false duplicate_application_id: true duplicate_user_key: true plan_changes_wizard: false require_cc_on_signup: false apicast_per_service: true new_notification_system: true cms_api: false apicast_v2: true forum: false published_service_plan_signup: true apicast_oidc: true policies: true"To patch the
system-resquedeployment configuration, consider the following:-
If you want to use the default values for MASTER_USER and MASTER_PASSWORD environment variables, do not describe them in the
oc patchcommand below. Alternatively, if you want to specify values for MASTER_USER and MASTER_PASSWORD, include them in the
oc patchcommand below.oc patch dc/system-resque -p " metadata: labels: app: System spec: template: spec: containers: - env: - name: RAILS_ENV value: \"production\" - name: DATABASE_URL value: \"${DATABASE_URL}\" - name: FORCE_SSL value: \"true\" - name: THREESCALE_SUPERDOMAIN value: \"${THREESCALE_SUPERDOMAIN}\" - name: MASTER_USER value: \"${MASTER_USER}\" - name: MASTER_PASSWORD value: \"${MASTER_PASSWORD}\" - name: TENANT_NAME value: \"${TENANT_NAME}\" - name: APICAST_ACCESS_TOKEN value: \"${APICAST_ACCESS_TOKEN}\" - name: ADMIN_ACCESS_TOKEN value: \"${ADMIN_ACCESS_TOKEN}\" - name: PROVIDER_PLAN value: 'enterprise' - name: USER_LOGIN value: \"${USER_LOGIN}\" - name: USER_PASSWORD value: \"${USER_PASSWORD}\" - name: RAILS_LOG_TO_STDOUT value: \"true\" - name: RAILS_LOG_LEVEL value: \"info\" - name: THINKING_SPHINX_ADDRESS value: \"system-sphinx\" - name: THINKING_SPHINX_PORT value: \"9306\" - name: THINKING_SPHINX_CONFIGURATION_FILE value: \"/tmp/sphinx.conf\" - name: EVENTS_SHARED_SECRET value: \"${EVENTS_SHARED_SECRET}\" - name: THREESCALE_SANDBOX_PROXY_OPENSSL_VERIFY_MODE value: \"VERIFY_NONE\" - name: APICAST_BACKEND_ROOT_ENDPOINT value: \"${APICAST_BACKEND_ROOT_ENDPOINT}\" - name: CONFIG_INTERNAL_API_USER value: \"${CONFIG_INTERNAL_API_USER}\" - name: CONFIG_INTERNAL_API_PASSWORD value: \"${CONFIG_INTERNAL_API_PASSWORD}\" - name: SECRET_KEY_BASE value: \"${SECRET_KEY_BASE}\" - name: AMP_RELEASE value: \"${AMP_RELEASE}\" - name: ZYNC_AUTHENTICATION_TOKEN valueFrom: secretKeyRef: name: zync key: ZYNC_AUTHENTICATION_TOKEN - name: SMTP_ADDRESS valueFrom: configMapKeyRef: name: smtp key: address - name: SMTP_USER_NAME valueFrom: configMapKeyRef: name: smtp key: username - name: SMTP_PASSWORD valueFrom: configMapKeyRef: name: smtp key: password - name: SMTP_DOMAIN valueFrom: configMapKeyRef: name: smtp key: domain - name: SMTP_PORT valueFrom: configMapKeyRef: name: smtp key: port - name: SMTP_AUTHENTICATION valueFrom: configMapKeyRef: name: smtp key: authentication - name: SMTP_OPENSSL_VERIFY_MODE valueFrom: configMapKeyRef: name: smtp key: openssl.verify.mode - name: BACKEND_ROUTE value: \"${BACKEND_ROUTE}\" - name: SSL_CERT_DIR value: \"/etc/pki/tls/certs\" - name: APICAST_REGISTRY_URL value: \"${APICAST_REGISTRY_URL}\" image: registry.access.redhat.com/3scale-amp22/system:1.7 imagePullPolicy: IfNotPresent name: system-resque resources: limits: cpu: 150m memory: 450Mi requests: cpu: 100m memory: 300Mi - env: - name: RAILS_ENV value: \"production\" - name: DATABASE_URL value: \"${DATABASE_URL}\" - name: FORCE_SSL value: \"true\" - name: THREESCALE_SUPERDOMAIN value: \"${THREESCALE_SUPERDOMAIN}\" - name: MASTER_USER value: \"${MASTER_USER}\" - name: MASTER_PASSWORD value: \"${MASTER_PASSWORD}\" - name: TENANT_NAME value: \"${TENANT_NAME}\" - name: APICAST_ACCESS_TOKEN value: \"${APICAST_ACCESS_TOKEN}\" - name: ADMIN_ACCESS_TOKEN value: \"${ADMIN_ACCESS_TOKEN}\" - name: PROVIDER_PLAN value: 'enterprise' - name: USER_LOGIN value: \"${USER_LOGIN}\" - name: USER_PASSWORD value: \"${USER_PASSWORD}\" - name: RAILS_LOG_TO_STDOUT value: \"true\" - name: RAILS_LOG_LEVEL value: \"info\" - name: THINKING_SPHINX_ADDRESS value: \"system-sphinx\" - name: THINKING_SPHINX_PORT value: \"9306\" - name: THINKING_SPHINX_CONFIGURATION_FILE value: \"/tmp/sphinx.conf\" - name: EVENTS_SHARED_SECRET value: \"${EVENTS_SHARED_SECRET}\" - name: THREESCALE_SANDBOX_PROXY_OPENSSL_VERIFY_MODE value: \"VERIFY_NONE\" - name: APICAST_BACKEND_ROOT_ENDPOINT value: \"${APICAST_BACKEND_ROOT_ENDPOINT}\" - name: CONFIG_INTERNAL_API_USER value: \"${CONFIG_INTERNAL_API_USER}\" - name: CONFIG_INTERNAL_API_PASSWORD value: \"${CONFIG_INTERNAL_API_PASSWORD}\" - name: SECRET_KEY_BASE value: \"${SECRET_KEY_BASE}\" - name: AMP_RELEASE value: \"${AMP_RELEASE}\" - name: ZYNC_AUTHENTICATION_TOKEN valueFrom: secretKeyRef: name: zync key: ZYNC_AUTHENTICATION_TOKEN - name: SMTP_ADDRESS valueFrom: configMapKeyRef: name: smtp key: address - name: SMTP_USER_NAME valueFrom: configMapKeyRef: name: smtp key: username - name: SMTP_PASSWORD valueFrom: configMapKeyRef: name: smtp key: password - name: SMTP_DOMAIN valueFrom: configMapKeyRef: name: smtp key: domain - name: SMTP_PORT valueFrom: configMapKeyRef: name: smtp key: port - name: SMTP_AUTHENTICATION valueFrom: configMapKeyRef: name: smtp key: authentication - name: SMTP_OPENSSL_VERIFY_MODE valueFrom: configMapKeyRef: name: smtp key: openssl.verify.mode - name: BACKEND_ROUTE value: \"${BACKEND_ROUTE}\" - name: SSL_CERT_DIR value: \"/etc/pki/tls/certs\" - name: APICAST_REGISTRY_URL value: \"${APICAST_REGISTRY_URL}\" image: registry.access.redhat.com/3scale-amp22/system:1.7 imagePullPolicy: IfNotPresent name: system-scheduler resources: limits: cpu: 150m memory: 250Mi requests: cpu: 50m memory: 200Mi "
-
If you want to use the default values for MASTER_USER and MASTER_PASSWORD environment variables, do not describe them in the
To patch the
system-sidekiqdeployment configuration, consider the following:-
If you want to use the default values for MASTER_USER and MASTER_PASSWORD environment variables, do not describe them in the
oc patchcommand below. Alternatively, if you want to specify values for MASTER_USER and MASTER_PASSWORD, include them in the
oc patchcommand below.oc patch dc/system-sidekiq -p " spec: template: spec: containers: - name: system-sidekiq volumeMounts: "oc patch dc/system-sidekiq -p " metadata: labels: app: System spec: template: spec: containers: - env: - name: RAILS_ENV value: \"production\" - name: DATABASE_URL value: \"${DATABASE_URL}\" - name: FORCE_SSL value: \"true\" - name: THREESCALE_SUPERDOMAIN value: \"${THREESCALE_SUPERDOMAIN}\" - name: MASTER_USER value: \"${MASTER_USER}\" - name: MASTER_PASSWORD value: \"${MASTER_PASSWORD}\" - name: TENANT_NAME value: \"${TENANT_NAME}\" - name: APICAST_ACCESS_TOKEN value: \"${APICAST_ACCESS_TOKEN}\" - name: ADMIN_ACCESS_TOKEN value: \"${ADMIN_ACCESS_TOKEN}\" - name: PROVIDER_PLAN value: 'enterprise' - name: USER_LOGIN value: \"${USER_LOGIN}\" - name: USER_PASSWORD value: \"${USER_PASSWORD}\" - name: RAILS_LOG_TO_STDOUT value: \"true\" - name: RAILS_LOG_LEVEL value: \"info\" - name: THINKING_SPHINX_ADDRESS value: \"system-sphinx\" - name: THINKING_SPHINX_PORT value: \"9306\" - name: THINKING_SPHINX_CONFIGURATION_FILE value: \"/tmp/sphinx.conf\" - name: EVENTS_SHARED_SECRET value: \"${EVENTS_SHARED_SECRET}\" - name: THREESCALE_SANDBOX_PROXY_OPENSSL_VERIFY_MODE value: \"VERIFY_NONE\" - name: APICAST_BACKEND_ROOT_ENDPOINT value: \"${APICAST_BACKEND_ROOT_ENDPOINT}\" - name: CONFIG_INTERNAL_API_USER value: \"${CONFIG_INTERNAL_API_USER}\" - name: CONFIG_INTERNAL_API_PASSWORD value: \"${CONFIG_INTERNAL_API_PASSWORD}\" - name: SECRET_KEY_BASE value: \"${SECRET_KEY_BASE}\" - name: AMP_RELEASE value: \"${AMP_RELEASE}\" - name: ZYNC_AUTHENTICATION_TOKEN valueFrom: secretKeyRef: name: zync key: ZYNC_AUTHENTICATION_TOKEN - name: SMTP_ADDRESS valueFrom: configMapKeyRef: name: smtp key: address - name: SMTP_USER_NAME valueFrom: configMapKeyRef: name: smtp key: username - name: SMTP_PASSWORD valueFrom: configMapKeyRef: name: smtp key: password - name: SMTP_DOMAIN valueFrom: configMapKeyRef: name: smtp key: domain - name: SMTP_PORT valueFrom: configMapKeyRef: name: smtp key: port - name: SMTP_AUTHENTICATION valueFrom: configMapKeyRef: name: smtp key: authentication - name: SMTP_OPENSSL_VERIFY_MODE valueFrom: configMapKeyRef: name: smtp key: openssl.verify.mode - name: BACKEND_ROUTE value: \"${BACKEND_ROUTE}\" - name: SSL_CERT_DIR value: \"/etc/pki/tls/certs\" - name: APICAST_REGISTRY_URL value: \"${APICAST_REGISTRY_URL}\" image: registry.access.redhat.com/3scale-amp22/system:1.7 volumeMounts: - name: system-storage mountPath: /opt/system/public/system - name: system-config mountPath: /opt/system-extra-configs - name: system-tmp mountPath: /tmp image: registry.access.redhat.com/3scale-amp22/system:1.7 imagePullPolicy: IfNotPresent name: system-sidekiq resources: limits: cpu: 1000m memory: 2Gi requests: cpu: 100m memory: 500Mi volumes: - name: system-tmp emptyDir: medium: Memory - name: system-storage persistentVolumeClaim: claimName: system-storage - name: system-config configMap: name: system items: - key: zync.yml path: zync.yml - key: rolling_updates.yml path: rolling_updates.yml "
-
If you want to use the default values for MASTER_USER and MASTER_PASSWORD environment variables, do not describe them in the
To patch the
system-appdeployment configuration, consider the following:-
If you want to use the default values for MASTER_USER and MASTER_PASSWORD environment variables, do not describe them in the
oc patchcommand below. Alternatively, if you want to specify values for MASTER_USER and MASTER_PASSWORD, include them in the
oc patchcommand below.oc patch dc/system-app -p " spec: template: spec: containers: - name: system-provider volumeMounts: - name: system-developer volumeMounts: "oc patch dc/system-app -p " metadata: labels: app: System spec: strategy: rollingParams: pre: execNewPod: containerName: system-master env: - name: RAILS_ENV value: \"production\" - name: DATABASE_URL value: \"${DATABASE_URL}\" - name: FORCE_SSL value: \"true\" - name: THREESCALE_SUPERDOMAIN value: \"${THREESCALE_SUPERDOMAIN}\" - name: MASTER_USER value: \"${MASTER_USER}\" - name: MASTER_PASSWORD value: \"${MASTER_PASSWORD}\" - name: TENANT_NAME value: \"${TENANT_NAME}\" - name: APICAST_ACCESS_TOKEN value: \"${APICAST_ACCESS_TOKEN}\" - name: ADMIN_ACCESS_TOKEN value: \"${ADMIN_ACCESS_TOKEN}\" - name: PROVIDER_PLAN value: 'enterprise' - name: USER_LOGIN value: \"${USER_LOGIN}\" - name: USER_PASSWORD value: \"${USER_PASSWORD}\" - name: RAILS_LOG_TO_STDOUT value: \"true\" - name: RAILS_LOG_LEVEL value: \"info\" - name: THINKING_SPHINX_ADDRESS value: \"system-sphinx\" - name: THINKING_SPHINX_PORT value: \"9306\" - name: THINKING_SPHINX_CONFIGURATION_FILE value: \"/tmp/sphinx.conf\" - name: EVENTS_SHARED_SECRET value: \"${EVENTS_SHARED_SECRET}\" - name: THREESCALE_SANDBOX_PROXY_OPENSSL_VERIFY_MODE value: \"VERIFY_NONE\" - name: APICAST_BACKEND_ROOT_ENDPOINT value: \"${APICAST_BACKEND_ROOT_ENDPOINT}\" - name: CONFIG_INTERNAL_API_USER value: \"${CONFIG_INTERNAL_API_USER}\" - name: CONFIG_INTERNAL_API_PASSWORD value: \"${CONFIG_INTERNAL_API_PASSWORD}\" - name: SECRET_KEY_BASE value: \"${SECRET_KEY_BASE}\" - name: AMP_RELEASE value: \"${AMP_RELEASE}\" - name: ZYNC_AUTHENTICATION_TOKEN valueFrom: secretKeyRef: name: zync key: ZYNC_AUTHENTICATION_TOKEN - name: SMTP_ADDRESS valueFrom: configMapKeyRef: name: smtp key: address - name: SMTP_USER_NAME valueFrom: configMapKeyRef: name: smtp key: username - name: SMTP_PASSWORD valueFrom: configMapKeyRef: name: smtp key: password - name: SMTP_DOMAIN valueFrom: configMapKeyRef: name: smtp key: domain - name: SMTP_PORT valueFrom: configMapKeyRef: name: smtp key: port - name: SMTP_AUTHENTICATION valueFrom: configMapKeyRef: name: smtp key: authentication - name: SMTP_OPENSSL_VERIFY_MODE valueFrom: configMapKeyRef: name: smtp key: openssl.verify.mode - name: BACKEND_ROUTE value: \"${BACKEND_ROUTE}\" - name: SSL_CERT_DIR value: \"/etc/pki/tls/certs\" - name: APICAST_REGISTRY_URL value: \"${APICAST_REGISTRY_URL}\" command: - bash - -c - bundle exec rake boot openshift:deploy MASTER_ACCESS_TOKEN="${MASTER_ACCESS_TOKEN}" post: execNewPod: containerName: system-master template: spec: containers: - args: env: - name: RAILS_ENV value: \"production\" - name: DATABASE_URL value: \"${DATABASE_URL}\" - name: FORCE_SSL value: \"true\" - name: THREESCALE_SUPERDOMAIN value: \"${THREESCALE_SUPERDOMAIN}\" - name: MASTER_USER value: \"${MASTER_USER}\" - name: MASTER_PASSWORD value: \"${MASTER_PASSWORD}\" - name: TENANT_NAME value: \"${TENANT_NAME}\" - name: APICAST_ACCESS_TOKEN value: \"${APICAST_ACCESS_TOKEN}\" - name: ADMIN_ACCESS_TOKEN value: \"${ADMIN_ACCESS_TOKEN}\" - name: PROVIDER_PLAN value: 'enterprise' - name: USER_LOGIN value: \"${USER_LOGIN}\" - name: USER_PASSWORD value: \"${USER_PASSWORD}\" - name: RAILS_LOG_TO_STDOUT value: \"true\" - name: RAILS_LOG_LEVEL value: \"info\" - name: THINKING_SPHINX_ADDRESS value: \"system-sphinx\" - name: THINKING_SPHINX_PORT value: \"9306\" - name: THINKING_SPHINX_CONFIGURATION_FILE value: \"/tmp/sphinx.conf\" - name: EVENTS_SHARED_SECRET value: \"${EVENTS_SHARED_SECRET}\" - name: THREESCALE_SANDBOX_PROXY_OPENSSL_VERIFY_MODE value: \"VERIFY_NONE\" - name: APICAST_BACKEND_ROOT_ENDPOINT value: \"${APICAST_BACKEND_ROOT_ENDPOINT}\" - name: CONFIG_INTERNAL_API_USER value: \"${CONFIG_INTERNAL_API_USER}\" - name: CONFIG_INTERNAL_API_PASSWORD value: \"${CONFIG_INTERNAL_API_PASSWORD}\" - name: SECRET_KEY_BASE value: \"${SECRET_KEY_BASE}\" - name: AMP_RELEASE value: \"${AMP_RELEASE}\" - name: ZYNC_AUTHENTICATION_TOKEN valueFrom: secretKeyRef: name: zync key: ZYNC_AUTHENTICATION_TOKEN - name: SMTP_ADDRESS valueFrom: configMapKeyRef: name: smtp key: address - name: SMTP_USER_NAME valueFrom: configMapKeyRef: name: smtp key: username - name: SMTP_PASSWORD valueFrom: configMapKeyRef: name: smtp key: password - name: SMTP_DOMAIN valueFrom: configMapKeyRef: name: smtp key: domain - name: SMTP_PORT valueFrom: configMapKeyRef: name: smtp key: port - name: SMTP_AUTHENTICATION valueFrom: configMapKeyRef: name: smtp key: authentication - name: SMTP_OPENSSL_VERIFY_MODE valueFrom: configMapKeyRef: name: smtp key: openssl.verify.mode - name: BACKEND_ROUTE value: \"${BACKEND_ROUTE}\" - name: SSL_CERT_DIR value: \"/etc/pki/tls/certs\" - name: APICAST_REGISTRY_URL value: \"${APICAST_REGISTRY_URL}\" image: registry.access.redhat.com/3scale-amp22/system:1.7 imagePullPolicy: IfNotPresent args: [ 'env', 'TENANT_MODE=master', 'PORT=3002', 'container-entrypoint', 'bundle', 'exec', 'unicorn', '-c', 'config/unicorn.rb' ] command: name: system-master resources: limits: cpu: 1000m memory: 800Mi requests: cpu: 50m memory: 600Mi livenessProbe: timeoutSeconds: 10 initialDelaySeconds: 20 tcpSocket: port: master periodSeconds: 10 readinessProbe: httpGet: path: /check.txt port: master scheme: HTTP httpHeaders: - name: X-Forwarded-Proto value: https initialDelaySeconds: 30 timeoutSeconds: 10 periodSeconds: 30 ports: - containerPort: 3002 protocol: TCP name: master volumeMounts: - name: system-storage mountPath: /opt/system/public/system - name: system-config mountPath: /opt/system-extra-configs - name: system-provider env: - name: MASTER_USER value: ${MASTER_USER} - name: MASTER_PASSWORD value: ${MASTER_PASSWORD} - name: AMP_RELEASE value: ${AMP_RELEASE} - name: APICAST_REGISTRY_URL value: ${APICAST_REGISTRY_URL} image: registry.access.redhat.com/3scale-amp22/system:1.7 imagePullPolicy: IfNotPresent resources: limits: cpu: 1000m memory: 800Mi requests: cpu: 50m memory: 600Mi command: args: [ 'env', 'TENANT_MODE=provider', 'PORT=3000', 'container-entrypoint', 'bundle', 'exec', 'unicorn', '-c', 'config/unicorn.rb' ] volumeMounts: - name: system-storage mountPath: /opt/system/public/system - name: system-config mountPath: /opt/system-extra-configs - name: system-developer env: - name: MASTER_USER value: ${MASTER_USER} - name: MASTER_PASSWORD value: ${MASTER_PASSWORD} - name: AMP_RELEASE value: ${AMP_RELEASE} - name: APICAST_REGISTRY_URL value: ${APICAST_REGISTRY_URL} image: registry.access.redhat.com/3scale-amp22/system:1.7 imagePullPolicy: IfNotPresent command: args: [ 'env', 'PORT=3001', 'container-entrypoint', 'bundle', 'exec', 'unicorn', '-c', 'config/unicorn.rb' ] volumeMounts: - name: system-storage readOnly: true mountPath: /opt/system/public/system - name: system-config mountPath: /opt/system-extra-configs triggers: - type: ConfigChange - type: ImageChange imageChangeParams: automatic: true containerNames: - system-provider - system-developer - system-master from: kind: ImageStreamTag name: amp-system:latest "
-
If you want to use the default values for MASTER_USER and MASTER_PASSWORD environment variables, do not describe them in the
To patch the
amp-systemimage, run the followingoc patchcommand:oc patch is/amp-system -p " spec: tags: - name: 2.2.0 annotations: openshift.io/display-name: AMP system 2.2.0 from: kind: DockerImage name: 'registry.access.redhat.com/3scale-amp22/system:1.7' - name: latest from: kind: ImageStreamTag name: 2.2.0 "To patch the
system-sphinxdeployment configuration, run the followingoc patchcommand:oc patch dc/system-sphinx -p " metadata: labels: app: System spec: template: spec: containers: - imagePullPolicy: IfNotPresent image: registry.access.redhat.com/3scale-amp22/system:1.7 name: system-sphinx resources: limits: cpu: 1000m memory: 512Mi requests: cpu: 80m memory: 250Mi "To patch the
system-redisdeployment configuration, run the followingoc patchcommand:oc patch dc/system-redis -p ' metadata: labels: app: System spec: template: spec: containers: - imagePullPolicy: IfNotPresent name: system-redis command: - "/opt/rh/rh-redis32/root/usr/bin/redis-server" args: - "/etc/redis.d/redis.conf" - "--daemonize" - "no" resources: limits: memory: 32Gi cpu: 500m requests: cpu: 150m memory: 256Mi volumeMounts: - name: system-redis-storage mountPath: "/var/lib/redis/data" - name: redis-config mountPath: /etc/redis.d/ 'To patch the
system-memcachedeployment configuration, run the followingoc patchcommand:oc patch dc/system-memcache -p " metadata: labels: app: System spec: template: spec: containers: - imagePullPolicy: IfNotPresent name: memcache resources: limits: cpu: 250m memory: 96Mi requests: cpu: 50m memory: 64Mi "
1.8. Patch Backend Components
To patch the
backend-crondeployment configuration, run the followingoc patchcommand:oc patch dc/backend-cron -p " metadata: labels: app: Backend spec: template: spec: containers: - name: backend-cron env: - name: CONFIG_REDIS_PROXY value: redis://backend-redis:6379/0 - name: CONFIG_REDIS_SENTINEL_HOSTS value: "" - name: CONFIG_REDIS_SENTINEL_ROLE value: "" - name: CONFIG_QUEUES_MASTER_NAME value: redis://backend-redis:6379/1 - name: CONFIG_QUEUES_SENTINEL_HOSTS value: "" - name: CONFIG_QUEUES_SENTINEL_ROLE value: "" - name: RACK_ENV value: "production" image: registry.access.redhat.com/3scale-amp22/backend:1.6 imagePullPolicy: IfNotPresent resources: limits: cpu: 150m memory: 80Mi requests: cpu: 50m memory: 40Mi "To patch the
backend-workerdeployment configuration, run the followingoc patchcommand:oc patch dc/backend-worker -p " metadata: labels: app: Backend spec: template: spec: containers: - name: backend-worker env: - name: CONFIG_REDIS_PROXY value: redis://backend-redis:6379/0 - name: CONFIG_REDIS_SENTINEL_HOSTS - name: CONFIG_REDIS_SENTINEL_ROLE - name: CONFIG_QUEUES_MASTER_NAME value: redis://backend-redis:6379/1 - name: CONFIG_QUEUES_SENTINEL_HOSTS - name: CONFIG_QUEUES_SENTINEL_ROLE - name: RACK_ENV value: \"production\" - name: PUMA_WORKERS value: \"16\" - name: CONFIG_EVENTS_HOOK value: http://system-master:3000/master/events/import - name: CONFIG_EVENTS_HOOK_SHARED_SECRET value: ${EVENTS_SHARED_SECRET} image: registry.access.redhat.com/3scale-amp22/backend:1.6 imagePullPolicy: IfNotPresent resources: limits: cpu: 1000m memory: 300Mi requests: cpu: 150m memory: 50Mi "To patch the
backend-listenerdeployment configuration, run the followingoc patchcommand:oc patch dc/backend-listener -p " metadata: labels: app: Backend spec: template: spec: containers: - name: backend-listener env: - name: CONFIG_REDIS_PROXY value: redis://backend-redis:6379/0 - name: CONFIG_REDIS_SENTINEL_HOSTS - name: CONFIG_REDIS_SENTINEL_ROLE value: "" - name: CONFIG_QUEUES_MASTER_NAME value: redis://backend-redis:6379/1 - name: CONFIG_QUEUES_SENTINEL_HOSTS - name: CONFIG_QUEUES_SENTINEL_ROLE value: "" - name: RACK_ENV value: \"production\" - name: CONFIG_INTERNAL_API_USER value: \"${CONFIG_INTERNAL_API_USER}\" - name: CONFIG_INTERNAL_API_PASSWORD value: \"${CONFIG_INTERNAL_API_PASSWORD}\" - name: PUMA_WORKERS value: \"16\" image: registry.access.redhat.com/3scale-amp22/backend:1.6 imagePullPolicy: IfNotPresent resources: limits: cpu: 1000m memory: 700Mi requests: cpu: 500m memory: 550Mi "To patch the
amp-backendimage stream, run the followingoc patchcommand:oc patch is/amp-backend -p " spec: tags: - name: 2.2.0 annotations: openshift.io/display-name: AMP backend from: kind: DockerImage name: 'registry.access.redhat.com/3scale-amp22/backend:1.6' - name: latest from: kind: ImageStreamTag name: 2.2.0 "To patch the
backend-redisdeployment configuration, run the followingoc patchcommand:oc patch dc/backend-redis -p ' metadata: labels: app: Backend spec: template: spec: containers: - name: backend-redis command: - "/opt/rh/rh-redis32/root/usr/bin/redis-server" args: - "/etc/redis.d/redis.conf" - "--daemonize" - "no" imagePullPolicy: IfNotPresent resources: limits: cpu: 2000m memory: 32Gi requests: cpu: 1000m memory: 1024Mi volumeMounts: - name: backend-redis-storage mountPath: "/var/lib/redis/data" - name: redis-config mountPath: /etc/redis.d/ '
1.9. Patch APIcast
To patch the
apicast-stagingdeployment configuration, run the followingoc patchcommand:oc patch dc/apicast-staging -p " metadata: labels: app: APIcast spec: template: spec: containers: - name: apicast-staging env: - name: THREESCALE_PORTAL_ENDPOINT value: \"http://${APICAST_ACCESS_TOKEN}@system-master:3000/master/api/proxy/configs\" - name: APICAST_CONFIGURATION_LOADER value: \"lazy\" - name: APICAST_CONFIGURATION_CACHE value: \"0\" - name: THREESCALE_DEPLOYMENT_ENV value: \"sandbox\" - name: APICAST_MANAGEMENT_API value: \"${APICAST_MANAGEMENT_API}\" - name: BACKEND_ENDPOINT_OVERRIDE value: http://backend-listener:3000 - name: OPENSSL_VERIFY value: \"${OPENSSL_VERIFY}\" - name: APICAST_RESPONSE_CODES value: \"${APICAST_RESPONSE_CODES}\" - name: REDIS_URL value: \"redis://system-redis:6379/2\" image: registry.access.redhat.com/3scale-amp22/apicast-gateway:1.8 imagePullPolicy: IfNotPresent resources: limits: cpu: 100m memory: 128Mi requests: cpu: 50m memory: 64Mi "To patch the
apicast-productiondeployment configuration, run the followingoc patchcommand:oc patch dc/apicast-production -p " metadata: labels: app: APIcast spec: template: spec: containers: - name: apicast-production env: - name: THREESCALE_PORTAL_ENDPOINT value: \"http://${APICAST_ACCESS_TOKEN}@system-master:3000/master/api/proxy/configs\" - name: APICAST_CONFIGURATION_LOADER value: \"boot\" - name: APICAST_CONFIGURATION_CACHE value: \"300\" - name: THREESCALE_DEPLOYMENT_ENV value: \"production\" - name: APICAST_MANAGEMENT_API value: \"${APICAST_MANAGEMENT_API}\" - name: BACKEND_ENDPOINT_OVERRIDE value: http://backend-listener:3000 - name: OPENSSL_VERIFY value: \"${APICAST_OPENSSL_VERIFY}\" - name: APICAST_RESPONSE_CODES value: \"${APICAST_RESPONSE_CODES}\" - name: REDIS_URL value: \"redis://system-redis:6379/1\" image: registry.access.redhat.com/3scale-amp22/apicast-gateway:1.8 imagePullPolicy: IfNotPresent resources: limits: cpu: 1000m memory: 128Mi requests: cpu: 500m memory: 64Mi "To patch the
amp-apicastimage stream, run the followingoc patchcommand:oc patch is/amp-apicast -p " spec: tags: - name: 2.2.0 annotations: openshift.io/display-name: AMP apicast from: kind: DockerImage name: 'registry.access.redhat.com/3scale-amp22/apicast-gateway:1.8' - name: latest from: kind: ImageStreamTag name: 2.2.0 "To patch the
apicast-wildcard-routerdeployment configuration, run the followingoc patchcommand:oc patch dc/apicast-wildcard-router -p " metadata: labels: app: APIcast spec: template: spec: containers: - name: apicast-wildcard-router env: - name: API_HOST value: \"http://${APICAST_ACCESS_TOKEN}@system-master:3000\" image: registry.access.redhat.com/3scale-amp22/wildcard-router:1.6 imagePullPolicy: IfNotPresent resources: limits: cpu: 500m memory: 64Mi requests: cpu: 120m memory: 32Mi "To patch the
amp-wildcard-routerimage stream, run the followingoc patchcommand:oc patch is/amp-wildcard-router -p " spec: tags: - name: 2.2.0 annotations: openshift.io/display-name: AMP wildcard router from: kind: DockerImage name: 'registry.access.redhat.com/3scale-amp22/wildcard-router:1.6' - name: latest from: kind: ImageStreamTag name: 2.2.0 "
1.10. Patch Zync components
To patch the
zync-databasedeployment configuration, run the followingoc patchcommand:oc patch dc/zync-database -p " metadata: labels: app: Zync spec: template: spec: containers: - name: postgresql imagePullPolicy: IfNotPresent resources: limits: memory: 2Gi cpu: 250m requests: cpu: 50m memory: 250Mi "To patch the
zyncdeployment configuration, run the followingoc patchcommand:oc patch dc/zync -p " metadata: labels: app: Zync spec: template: spec: containers: - name: zync image: 'registry.access.redhat.com/3scale-amp22/zync:1.6' resources: limits: cpu: 1 memory: 512Mi requests: cpu: 150m memory: 250Mi "To patch the
zyncimage stream, run the followingoc patchcommand:oc patch is/amp-zync -p " spec: tags: - name: 2.2.0 annotations: openshift.io/display-name: AMP zync from: kind: DockerImage name: 'registry.access.redhat.com/3scale-amp22/zync:1.6' - name: latest from: kind: ImageStreamTag name: 2.2.0 "
1.11. Verify Upgrade
After you have performed the upgrade procedure, verify the success of your upgrade operation by checking the version number in the lower-right corner of your 3scale Admin Portal.
It may take some time for your redeployment operations to complete in OpenShift.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}