remove secretKeys overrides in favor of manual secret key migration
General MR
Summary
The new postgresql chart, which we migrated to in the previous release, contains some password migration logic. That logic performs a helm lookup to read the existing passwords out of an existing secret prior to updating the secret. Our old chart used different keys than the new chart, so we provided overrides to allow the lookups to succeed. The problem arises on subsequent upgrades. The logic in the chart only respects the key overrides for the lookups, and not when writing the new secret, so subsequent upgrades fail when the lookup cannot find the specified keys. The fix is to remove the secretKey overrides, and let users know they need to run a manual command prior to upgrading to complete the migration. The upgrade notice lays it all out.
Relevant logs/screenshots
Linked Issue
Umbrella Branch
update-anchoreEnterprise-tag-3.21.0-bb.1
Upgrade Notices
The internal PostgreSQL dependency has been migrated from a bundled chart to the upstream Bitnami chart. This migration requires two manual steps before running helm upgrade:
Warning: Platform One does not support the internal PostgreSQL database for production deployments. These steps are only applicable to development environments using the chart's built-in PostgreSQL.
- Migrate the PostgreSQL secret keys:
The new chart expects different key names in the PostgreSQL secret. This must be done before the upgrade because Helm's template rendering will fail if the expected keys are not present.
kubectl patch secret anchore-enterprise-postgresql -n anchore --type='json' -p="[ {\"op\":\"add\",\"path\":\"/data/password\",\"value\":\"$(kubectl get secret anchore-enterprise-postgresql -n anchore -o jsonpath='{.data.postgresql-password}')\"}, {\"op\":\"add\",\"path\":\"/data/postgres-password\",\"value\":\"$(kubectl get secret anchore-enterprise-postgresql -n anchore -o jsonpath='{.data.postgresql-postgres-password}')\"} ]"
- Delete the PostgreSQL StatefulSet while preserving the running pod:
The new chart changes an immutable field on the PostgreSQL StatefulSet, which will cause the upgrade to fail. The --cascade=orphan flag is critical, because it deletes the StatefulSet while leaving the database pod running, allowing the upgrade to recreate the StatefulSet and adopt the existing pod.
kubectl delete statefulset anchore-enterprise-postgresql -n anchore --cascade=orphan
After completing both steps, proceed with helm upgrade as normal.
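The secret key migration step above can be made safe to re-run and made to fail loudly when an old key is absent. The script below is an added example, not part of this MR or the chart: the function names are hypothetical, while the secret name, namespace and key names are the ones given in the upgrade notice.

```shell
#!/bin/sh
# Added example: idempotent form of the secret-key migration step.
SECRET=anchore-enterprise-postgresql
NS=anchore

# Print the base64 value stored under key $1 (empty if the key is absent).
get_key() {
  kubectl get secret "$SECRET" -n "$NS" -o "jsonpath={.data.$1}"
}

# Emit one JSON-patch "add" op copying old key $1 to new key $2.
# Prints nothing if the new key already exists; fails if the old key is missing.
copy_op() {
  local old="$1" new="$2" val
  [ -n "$(get_key "$new")" ] && return 0
  val=$(get_key "$old")
  [ -n "$val" ] || { echo "old key not found in secret: $old" >&2; return 1; }
  # Values are already base64, so they need no JSON escaping.
  printf '{"op":"add","path":"/data/%s","value":"%s"}' "$new" "$val"
}

# Build the full patch; "[]" means both new keys are already present.
build_patch() {
  local a b
  a=$(copy_op postgresql-password password) || return 1
  b=$(copy_op postgresql-postgres-password postgres-password) || return 1
  printf '[%s]' "$a${a:+${b:+,}}$b"
}

# Apply the patch only when there is something left to migrate.
migrate_secret() {
  local patch
  patch=$(build_patch) || return 1
  if [ "$patch" = "[]" ]; then
    echo "secret already has the new keys, nothing to do"
    return 0
  fi
  kubectl patch secret "$SECRET" -n "$NS" --type=json -p "$patch"
}

# Run against the current kubectl context only when asked to.
if [ "${1:-}" = "--apply" ]; then
  migrate_secret
fi
```

The old keys are left in place, as in the original command, so the secret stays readable by the previous chart version if the upgrade is rolled back.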