Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 2. Upgrading using Helm charts

You must follow a specific upgrade path for RHACS depending on the release of RHACS that you are running. You must also back up your Central database before updating the Helm chart and performing the upgrade.

If you have installed RHACS by using Helm charts, to upgrade to the latest version of RHACS perform the following steps:

  1. Back up the Central database.
  2. Optionally, optimize Central’s database and Persistent Volume Claims (PVC).
  3. Optionally, generate a values-private.yaml configuration file containing root certificates for the central-services Helm chart.
  4. Update the Helm chart.
  5. Run the helm upgrade command.
Important
  • To ensure optimal functionality, use the same version for your secured-cluster-services Helm chart and central-services Helm chart.
  • To upgrade to RHACS 4.8, which includes an upgrade to PostgreSQL 15, you must free up disk space. Before beginning the upgrade, ensure you have free disk space that is at least double the size of your existing database.

2.1. Backing up the Central database
Copiar enlace

You can back up the Central database and use that backup for rolling back from a failed upgrade or data restoration in the case of an infrastructure disaster.

Prerequisites

  • You must have an API token with read permission for all resources of Red Hat Advanced Cluster Security for Kubernetes. The Analyst system role has read permissions for all resources.
  • You have installed the roxctl CLI.
  • You have configured the ROX_API_TOKEN and the ROX_CENTRAL_ADDRESS environment variables.

Procedure

  • Run the backup command: 

    $ roxctl -e "$ROX_CENTRAL_ADDRESS" central backup
    Copy to Clipboard Toggle word wrap

2.2. Optimizing Central database and PVC
Copiar enlace

When you upgrade to Red Hat Advanced Cluster Security for Kubernetes (RHACS) 4.0, RHACS creates a PostgreSQL instance called central-db with a default Persistent Volume Claims (PVC). Optionally, you can customize central-db or PVC configuration.

Red Hat recommends the following minimum memory and CPU requests: 

central:
  db:
    resources:
      requests:
        memory: 16Gi
        cpu: 8
      limits:
        memory: 16Gi
        cpu: 8
Copy to Clipboard Toggle word wrap

2.3. Generating root certificates file
Copiar enlace

If you do not have access to your values-private.yaml configuration file that you have used to install Red Hat Advanced Cluster Security for Kubernetes (RHACS), use the following instruction to generate the values-private.yaml configuration file containing root certificates.

Skip the instruction here, if you have access to your values-private.yaml configuration file.

Important

The generated values-private.yaml file has sensitive configuration options. Ensure that you store this file securely.

Procedure

  1. Download the create_certificate_values_file.sh script.

  2. Make the create_certificate_values_file.sh script executable: 

    $ chmod +x create_certificate_values_file.sh
    Copy to Clipboard Toggle word wrap

  3. Run the create_certificate_values_file.sh script file: 

    $ create_certificate_values_file.sh values-private.yaml
    Copy to Clipboard Toggle word wrap

2.4. Updating the Helm chart repository
Copiar enlace

You must always update Helm charts before upgrading to a new version of Red Hat Advanced Cluster Security for Kubernetes.

Prerequisites

  • You must have already added the Red Hat Advanced Cluster Security for Kubernetes Helm chart repository.
  • You must be using Helm version 3.8.3 or newer.

Procedure

  • Update Red Hat Advanced Cluster Security for Kubernetes charts repository. 

    $ helm repo update
    Copy to Clipboard Toggle word wrap

Verification

  • Run the following command to verify the added chart repository: 

    $ helm search repo -l rhacs/
    Copy to Clipboard Toggle word wrap

2.6. Preparing the custom resource definition for upgrade
Copiar enlace

If upgrading from version 4.6 or 4.7, you must prepare the SecurityPolicy custom resource definition (CRD) to avoid upgrade errors.

Note

If you use Kubernetes, enter kubectl instead of oc.

Procedure

  • Apply Helm-specific labels and annotations to the CRD by running the following commands: 

    $ oc annotate crd/securitypolicies.config.stackrox.io meta.helm.sh/release-name=stackrox-central-services
    Copy to Clipboard Toggle word wrap

    Adjust the value of the release-name as needed. The default value is stackrox-central-services. 

    $ oc annotate crd/securitypolicies.config.stackrox.io meta.helm.sh/release-namespace=stackrox
    Copy to Clipboard Toggle word wrap

    Adjust the value of the release-namespace as needed. The default value is stackrox. 

    $ oc label crd/securitypolicies.config.stackrox.io app.kubernetes.io/managed-by=Helm
    Copy to Clipboard Toggle word wrap

2.7. Running the Helm upgrade command
Copiar enlace

You can use the helm upgrade command to update Red Hat Advanced Cluster Security for Kubernetes (RHACS).

Prerequisites

  • You must have access to the values-private.yaml configuration file that you have used to install Red Hat Advanced Cluster Security for Kubernetes (RHACS). Otherwise, you must generate the values-private.yaml configuration file containing root certificates before proceeding with these commands.

Procedure

  • Run the helm upgrade command and specify the configuration files by using the -f option: 

    $ helm upgrade -n stackrox stackrox-central-services \
  rhacs/central-services --version <current-rhacs-version> \
  -f values-private.yaml \
  --set central.db.password.generate=true \
  --set central.db.serviceTLS.generate=true \
  --set central.db.persistence.persistentVolumeClaim.createClaim=true
    Copy to Clipboard Toggle word wrap 
    $ helm upgrade -n stackrox stackrox-secured-cluster-services \
  rhacs/secured-cluster-services --version <current-rhacs-version> \
  -f values-private.yaml
    Copy to Clipboard Toggle word wrap
Note

You might use the --reuse-values option to preserve the previously configured Helm values during the upgrade. If you do that, you must turn off central-db creation before you upgrade to the next version.

See the following command example: 

$ helm upgrade -n stackrox stackrox-central-services \
  rhacs/central-services --version <current-rhacs-version> --reuse-values \
  -f values-private.yaml \
  --set central.db.password.generate=false \
  --set central.db.serviceTLS.generate=false \
  --set central.db.persistence.persistentVolumeClaim.createClaim=false
Copy to Clipboard Toggle word wrap

2.8. Rolling back a Helm upgrade
Copiar enlace

You can roll back to an earlier version of Central if the upgrade to a new version is unsuccessful.

Note

If you use Kubernetes, enter kubectl instead of oc.

Procedure

  1. Run the following helm upgrade command: 

    $ helm upgrade -n stackrox \
  stackrox-central-services rhacs/central-services \
  --version <previous_rhacs_74_version> \
  --set central.db.enabled=false
    Copy to Clipboard Toggle word wrap

    where:

    <previous_rhacs_version>
    Specifies the previously installed RHACS version.

  2. Delete the central-db persistent volume claim (PVC): 

    $ oc -n stackrox delete pvc central-db
    Copy to Clipboard Toggle word wrap
Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat