# How to upgrade the HAProxy Package chart
BigBang makes modifications to the upstream helm chart. The full list of changes is at the end of this document.
- Find the current and latest release notes from the release page. Be aware of changes that are included in the upgrade. Take note of any manual upgrade steps that customers might need to perform, if any.
- Diff the upstream chart between the old and new release tags to become aware of any significant chart changes. A graphical diff tool such as Meld is useful. You can see where the current helm chart came from by inspecting `/chart/Kptfile`, or for an easier way to see the changes skip forward to the KPT instructions.
- Create a development branch and merge request from the Gitlab issue.
- Merge/Sync the new helm chart with the existing HAProxy package code. A graphical diff tool like Meld is useful. Reference the "Modifications made to upstream chart" section below.
  - An easy way to do this is with KPT:
    - In `chart/Kptfile` update `.upstream.git.ref` to the tag of the release you found earlier.
    - Run the following:
      ```
      kpt pkg update chart --strategy force-delete-replace
      ```
    - Do the modifications found below.
- Update /CHANGELOG.md with an entry for "upgrade HAProxy to app version X.X.X chart version X.X.X-bb.X", or whatever description is appropriate.
- Update the /README.md following the gluon library script.
- Update /chart/Chart.yaml to the appropriate versions. The annotation version should match the `appVersion` (you will likely need to change that in the modifications below).
  ```yaml
  version: X.X.X-bb.X
  appVersion: X.X.X
  annotations:
    bigbang.dev/applicationVersions: |
      - HAProxy: vX.X.X
  ```
- Use a development environment to deploy and test HAProxy. See the more detailed testing instructions below. Also test an upgrade by deploying the old version first and then deploying the new version.
- When the Package pipeline runs, expect the Cypress tests to fail due to UI changes.
- Update the /README.md again if you have made any additional changes during the upgrade/testing process.
## Testing a new HAProxy version
- Create a k8s dev environment. One option is to use the Big Bang k3d-dev.sh with no arguments, which will give you the default configuration. The following steps assume you are using the script.
- Follow the instructions at the end of the script to connect to the k8s cluster and install flux.
- Deploy HAProxy with these dev values overrides. Core apps are disabled for quick deployment.
  ```yaml
  istio:
    enabled: true
  monitoring:
    enabled: true
    sso:
      enabled: true
    istio:
      injection: "disabled"
  ```
- Ensure that the pod `authservice-haproxy-sso-*` comes up.
- Browse to `prometheus.bigbang.dev`.
- You should get redirected to an SSO page.

Note: if you'd like to test further, you can use the instructions for authservice to spin up a local SSO workflow and test it to get to Prometheus through HAProxy.
## Modifications made to upstream chart

This is a high-level list of modifications that Big Bang has made to the upstream helm chart. You can use this as a cross-check to make sure that no modifications were lost during the upgrade process.
### chart/Chart.yaml

- Append `-bb.0` to `.version`.
- Update the `.appVersion` to the value that you find for `.image.tag` in `chart/values.yaml`.
- Add the `annotations."bigbang.dev/applicationVersions"` as described above.
### chart/values.yaml

- After the license, add the `BigBang additions` back.
  ```yaml
  ## BigBang additions:
  imagePullSecrets:
    - name: private-registry
  usePSP: false
  ```
- Switch the `.image.repository` back to the registry1 upstream.
  ```yaml
  repository: registry1.dso.mil/ironbank/opensource/haproxy/haproxy22 # can be changed to use CE or EE images
  ```
- Switch the `.image.tag` to the latest version on Iron Bank.
- Update the `.existingImagePullSecret` to `private-registry`.
- Merge this in.
  ```yaml
  podSecurityPolicy:
    create: false
  ```
- Update the `.securityContext`.
  ```yaml
  securityContext:
    enabled: false
    runAsUser: 1000
    runAsGroup: 1000
  ```
- Update the `.resources`.
  ```yaml
  resources:
    limits:
      cpu: 100m
      memory: 500Mi
    requests:
      cpu: 100m
      memory: 500Mi
  ```
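A quick way to run the cross-check this section describes, as an added example (not code from the Big Bang HAProxy package): the script greps a chart directory for each modification listed above and reports any that were lost after `kpt pkg update`. It assumes the file layout and key names shown in the snippets above; the sample chart it writes is constructed, with made-up versions.

```shell
#!/bin/sh
# Added example, not code from the Big Bang HAProxy package: cross-check that the
# Big Bang modifications listed above survived `kpt pkg update`. Assumes the chart
# sits at <dir>/Chart.yaml and <dir>/values.yaml using the key names shown above.
set -eu

fail() { echo "MISSING: $1"; rc=1; }

# check_bb_mods <chart_dir>: print each lost modification; return 1 if any is lost.
check_bb_mods() {
  chart="$1/Chart.yaml"; values="$1/values.yaml"; rc=0
  grep -Eq '^version: [0-9]+\.[0-9]+\.[0-9]+-bb\.[0-9]+$' "$chart" \
    || fail "Chart.yaml .version lacks the -bb.N suffix"
  app=$(sed -n 's/^appVersion: *//p' "$chart")
  tag=$(sed -n 's/^  tag: *//p' "$values")   # assumes .image.tag is indented by 2
  [ -n "$app" ] && [ "$app" = "$tag" ] \
    || fail "Chart.yaml .appVersion ($app) != values.yaml .image.tag ($tag)"
  grep -q '^  bigbang.dev/applicationVersions:' "$chart" \
    || fail "Chart.yaml applicationVersions annotation"
  grep -q '^  repository: registry1\.dso\.mil/ironbank/' "$values" \
    || fail "values.yaml .image.repository not pointed at registry1"
  grep -q '^existingImagePullSecret: private-registry$' "$values" \
    || fail "values.yaml .existingImagePullSecret"
  grep -q '^  - name: private-registry$' "$values" \
    || fail "values.yaml imagePullSecrets private-registry"
  # the line right after each top-level key must carry the hardened value
  sed -n '/^podSecurityPolicy:/{n;p;}' "$values" | grep -q 'create: false' \
    || fail "values.yaml .podSecurityPolicy.create: false"
  sed -n '/^securityContext:/{n;p;}' "$values" | grep -q 'enabled: false' \
    || fail "values.yaml .securityContext.enabled: false"
  return $rc
}

# make_sample <dir>: write a constructed, already-modified chart (versions made up).
make_sample() {
  mkdir -p "$1"
  printf '%s\n' 'version: 1.2.3-bb.0' 'appVersion: 2.2.0' 'annotations:' \
    '  bigbang.dev/applicationVersions: |' '    - HAProxy: v2.2.0' > "$1/Chart.yaml"
  printf '%s\n' '## BigBang additions:' 'imagePullSecrets:' '  - name: private-registry' \
    'usePSP: false' 'image:' \
    '  repository: registry1.dso.mil/ironbank/opensource/haproxy/haproxy22' \
    '  tag: 2.2.0' 'existingImagePullSecret: private-registry' \
    'podSecurityPolicy:' '  create: false' 'securityContext:' '  enabled: false' \
    > "$1/values.yaml"
}

# Dry run on the sample; point check_bb_mods at ./chart after a real kpt update.
tmp=$(mktemp -d); make_sample "$tmp"
check_bb_mods "$tmp" && echo "all Big Bang modifications present"
rm -rf "$tmp"
```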
### automountServiceAccountToken

The mutating Kyverno policy named `update-automountserviceaccounttokens` is leveraged to harden all ServiceAccounts in this package with `automountServiceAccountToken: false`. This policy is configured by namespace in the Big Bang umbrella chart repository at `chart/templates/kyverno-policies/values.yaml`.

This policy revokes access to the K8s API for Pods utilizing said ServiceAccounts. If a Pod truly requires access to the K8s API (for app functionality), the Pod is added to the `pods:` array of the same mutating policy. This grants the Pod access to the API and creates a Kyverno PolicyException to prevent an alert.