Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 2. Upgrading using Helm charts

You must follow a specific upgrade path for RHACS depending on the release of RHACS that you are running. You must also back up your Central database before updating the Helm chart and performing the upgrade.

When upgrading from earlier releases, follow this guidance:

  • If the release for Central is earlier than 3.74, you must upgrade to the latest 3.74 patch before upgrading to a 4.x release. See the upgrade documentation for version 3.74 for information about upgrades from earlier versions to 3.74.
  • When upgrading Helm-based installations from release 3.74, you can upgrade to any latest patch of RHACS version 4.0 through 4.4. However, for full functionality, upgrade to release 4.4.

If you have installed RHACS by using Helm charts, to upgrade to the latest version of RHACS perform the following steps:

  1. Back up the Central database.
  2. Optionally, optimize Central’s database and Persistent Volume Claims (PVC).
  3. Optionally, generate a values-private.yaml configuration file containing root certificates for the central-services Helm chart.
  4. Update the Helm chart.
  5. Run the helm upgrade command.
Important

To ensure optimal functionality, use the same version for your secured-cluster-services Helm chart and central-services Helm chart.

2.2. Backing up the Central database
Copy link

You can back up the Central database and use that backup for rolling back from a failed upgrade or data restoration in the case of an infrastructure disaster.

Prerequisites

  • You must have an API token with read permission for all resources of Red Hat Advanced Cluster Security for Kubernetes. The Analyst system role has read permissions for all resources.
  • You have installed the roxctl CLI.
  • You have configured the ROX_API_TOKEN and the ROX_CENTRAL_ADDRESS environment variables.

Procedure

  • Run the backup command: 

    $ roxctl -e "$ROX_CENTRAL_ADDRESS" central backup
    Copy to Clipboard Toggle word wrap

2.3. Optimizing Central database and PVC
Copy link

When you upgrade to Red Hat Advanced Cluster Security for Kubernetes (RHACS) 4.0, RHACS creates a PostgreSQL instance called central-db with a default Persistent Volume Claims (PVC). Optionally, you can customize central-db or PVC configuration.

Red Hat recommends the following minimum memory and CPU requests: 

central:
  db:
    resources:
      requests:
        memory: 16Gi
        cpu: 8
      limits:
        memory: 16Gi
        cpu: 8
Copy to Clipboard Toggle word wrap

2.4. Generating root certificates file
Copy link

If you do not have access to your values-private.yaml configuration file that you have used to install Red Hat Advanced Cluster Security for Kubernetes (RHACS), use the following instruction to generate the values-private.yaml configuration file containing root certificates.

Skip the instruction here, if you have access to your values-private.yaml configuration file.

Important

The generated values-private.yaml file has sensitive configuration options. Ensure that you store this file securely.

Procedure

  1. Download the create_certificate_values_file.sh script.

  2. Make the create_certificate_values_file.sh script executable: 

    $ chmod +x create_certificate_values_file.sh
    Copy to Clipboard Toggle word wrap

  3. Run the create_certificate_values_file.sh script file: 

    $ create_certificate_values_file.sh values-private.yaml
    Copy to Clipboard Toggle word wrap

2.5. Updating the Helm chart repository
Copy link

You must always update Helm charts before upgrading to a new version of Red Hat Advanced Cluster Security for Kubernetes.

Prerequisites

  • You must have already added the Red Hat Advanced Cluster Security for Kubernetes Helm chart repository.
  • You must be using Helm version 3.8.3 or newer.

Procedure

  • Update Red Hat Advanced Cluster Security for Kubernetes charts repository. 

    $ helm repo update
    Copy to Clipboard Toggle word wrap

Verification

  • Run the following command to verify the added chart repository: 

    $ helm search repo -l rhacs/
    Copy to Clipboard Toggle word wrap

2.7. Running the Helm upgrade command
Copy link

You can use the helm upgrade command to update Red Hat Advanced Cluster Security for Kubernetes (RHACS).

Prerequisites

  • You must have access to the values-private.yaml configuration file that you have used to install Red Hat Advanced Cluster Security for Kubernetes (RHACS). Otherwise, you must generate the values-private.yaml configuration file containing root certificates before proceeding with these commands.

Procedure

  • Run the helm upgrade command and specify the configuration files by using the -f option: 

    $ helm upgrade -n stackrox stackrox-central-services \
  rhacs/central-services --version <current-rhacs-version> \
    1 
    
  -f values-private.yaml \
  --set central.db.password.generate=true \
  --set central.db.serviceTLS.generate=true \
  --set central.db.persistence.persistentVolumeClaim.createClaim=true
    Copy to Clipboard Toggle word wrap
    1
    Use the -f option to specify the paths for your YAML configuration files. 
    $ helm upgrade -n stackrox stackrox-secured-cluster-services \
  rhacs/secured-cluster-services --version <current-rhacs-version> \
    1 
    
  -f values-private.yaml
    Copy to Clipboard Toggle word wrap
    1
    Use the -f option to specify the paths for your YAML configuration files.
Note

You might use the --reuse-values option to preserve the previously configured Helm values during the upgrade. If you do that, you must turn off central-db creation before you upgrade to the next version.

See the following command example: 

$ helm upgrade -n stackrox stackrox-central-services \
  rhacs/central-services --version <current-rhacs-version> --reuse-values \
  -f values-private.yaml \
  --set central.db.password.generate=false \
  --set central.db.serviceTLS.generate=false \
  --set central.db.persistence.persistentVolumeClaim.createClaim=false
Copy to Clipboard Toggle word wrap

Kubernetes and OpenShift Container Platform do not delete persistent volumes (PV) automatically. When you upgrade RHACS from earlier versions, the Central PV called stackrox-db remains mounted. However, in RHACS 4.1, Central does not need the previously attached PV anymore.

The PV has data and persistent files used by earlier RHACS versions. You can use the PV to roll back to an earlier version before RHACS 4.1. Or, if you have a large RocksDB backup bundle for Central, you can use the PV to restore that data.

After you complete the upgrade to 4.1, you can remove the Central-attached persistent volume claim (PVC) to free up the storage. Only remove the PVC if you do not plan to roll back or restore from earlier RocksDB backups.

Warning

After removing PVC, you cannot roll back Central to an earlier version before RHACS 4.1 or restore large RocksDB backups created with RocksDB.

2.8.1. Removing Central-attached PV using Helm
Copy link

Remove the Central-attached persistent volume claim (PVC) stackrox-db to free up storage space.

Procedure

  • Run the following command: 

    $ helm upgrade -n stackrox stackrox-central-services \
    rhacs/central-services --version <current-rhacs-version> \
    --set central.persistence.none=true
    Copy to Clipboard Toggle word wrap

Verification

  • Run the following command: 

    $ oc -n stackrox describe pvc stackrox-db | grep -i 'Used By'
Used By: <none>
    1
    Copy to Clipboard Toggle word wrap
    1
    Wait until you see Used By: <none>. It may take a few minutes.

2.9. Rolling back a Helm upgrade
Copy link

You can roll back to an earlier version of Central if the upgrade to a new version is unsuccessful.

Procedure

  1. Run the following helm upgrade command: 

    $ helm upgrade -n stackrox \
  stackrox-central-services rhacs/central-services \
  --version <previous_rhacs_74_version> \
    1 
    
  --set central.db.enabled=false
    Copy to Clipboard Toggle word wrap
    1
    Replace <previous_rhacs_74_version> with the previously installed RHACS version.

  2. Delete the central-db persistent volume claim (PVC): 

    $ oc -n stackrox delete pvc central-db
    1
    Copy to Clipboard Toggle word wrap
    1
    If you use Kubernetes, enter kubectl instead of oc.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat