Skip to content

Upgrading from 1.0.23 and Earlier

The upgrade process is pretty straight forward, but will require some down time. You don't need a new values.yaml though! The steps are:

  1. Backup Secrets so they don't get lost
  2. Delete the orchestra chart to clear out the old objects generated by the operator
  3. Re-deploy Secrets
  4. Upgrade your openunison chart
  5. Deploy the orchestra and orchestra-login-portal charts

The ugprade process shouldn't take more then 5-10 minutes.

Backup Secrets

We don't want to lose the Secret objects that our operator has created. First get the Secret objects that store certificates:

kubectl get secrets --all-namespaces -l tremolo_operator_created=true -o yaml > /tmp/ou-secrets.yaml

Next, get your existing static keys:

kubectl get secret orchestra-static-keys -o yaml -n openunison > /tmp/ou-static-secrets.yaml

With your Secret objects backed up, next we can move on to removing your existing deployment.

Remove the existing OpenUnison

Deleting the orchestra helm chart will remove OpenUnison:

helm delete orchestra -n openunison

Wait until the openunison-orchestra pod is gone before moving on to the next step.

Redpeloy Secrets

Our OpenUnison operator won't overwrite Secret objects that already exist with valid certificates. Re-import your backed-up Secret objects:

$ kubectl delete -f /tmp/ou-secrets.yaml 
$ kubectl create -f /tmp/ou-secrets.yaml
$ kubectl create -f /tmp/ou-static-secrets.yaml 

Upgrade the openunison Helm Chart

The latest openunison helm chart includes additional schemas needed to run the latest OpenUnison.

$ helm repo update
$ helm upgrade openunison tremolo/openunison-operator --namespace openunison

Wait for the new openunison-operator Pod to be running.

Deploy the New Helm Charts

Before updating your charts, update the image value in your values.yaml to point to the new container at docker.io/tremolosecurity/openunison-k8s, then update your

Using the same values.yaml you used for your previous deployment of OpenUnison, first deploy the orchestra chart and wait for it to finish:

$ kubectl delete cronjobs --all -n openunison
$ helm install orchestra tremolo/orchestra --namespace openunison -f /path/to/values.yaml
$ while [[ $(kubectl get pods -l app=openunison-orchestra -n openunison -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for pod" && sleep 1; done

Finally. deploy the orchestra-login-portal chart:

helm install orchestra-login-portal tremolo/orchestra-login-portal --namespace openunison -f /path/to/values.yaml

Once the ouhtml-orchestra-login-portal Pod is running, you can login again! you won't need to worry about re-trusting OpenUnison if using OpenID Connect with your API server.

Next Steps

Now that you've upgraded your OpenUnison deployment, you can look at the new features and customizations available. You can also explore building a Namespace as a Service (NaaS) portal too!