Upgrade Guide
This guide provides step-by-step instructions to help you transition your Ansible files from earlier versions. Each section highlights specific configuration changes and the necessary actions to update your files manually.
Follow each section carefully to ensure your configuration reflects the latest structure and standards. Where applicable, this guide also includes example values and references to additional documentation to assist you with specific settings.
Updating Inventory File from CIVITAS/CORE v1.0 to v1.1
This section will walk you through the necessary updates for transitioning your Ansible inventory file from version v1.0 to v1.1. Each section highlights specific changes along with guidance for manually updating your inventory file.
1. Ingress Configuration for local deployment and custom SSL certificates
Change:
A new ingress
section has been added to support local deployment of the platform. The ca_path
value is set to the path to your local self-signed CA certificate (see local deployment guide for details). The http
value is set to true
if you want to allow HTTP access (without SSL).
Action: Add or update the following sections:
inv_k8s:
ingress:
ca_path: "" # Path to your local self-signed CA certificate
http: false # Allow HTTP access (without SSL)
2. Prometheus and Grafana Storage Adjustments
Change:
Prometheus can be disabled via the inv_op_stack.prometheus
section.
Action: Add or update these values:
inv_op_stack:
prometheus:
enable: false # Prometheus can be disabled
3. PostgreSQL Version Upgrade
Change:
PostgreSQL version is updated from 14
to 15
.
Action:
For all PostgreSQL configurations, update pg_version
to 15
:
pg_version: "15" # PostgreSQL version
4. Inventory Access and IDM Configurations
Change:
inv_access.base_domain
has been removed.
Action:
Remove base_domain
and update values as follows:
5. APISIX and Mimir Enhancements
Change:
Added ingress_controller
configuration within apisix
. This allows to enable or disable the Ingress controller. For a standard CIVITAS deployment, this can be set to false
. This allows to run multiple APISIX instances on the same cluster.
Action:
Add the ingress_controller
section within apisix
:
inv_access:
apisix:
ingress_controller:
enable: false # Enable or disable the Ingress controller
6. Typo in superset variable
Change:
A typo was fixed in the variable redis_auth_password
for superset. In existing inventories this typo must be fixed, too.
Action:
Change the variable redis_auth_pasword
in section superset
:
inv_da:
superset:
redis_auth_password: "yoursecretgeneratedpassword"
7. APISix Configuration
Change:
Two new configuration options have been added to APISix: enableIPv6
and volumePermissions
to provide more control over network configuration and permissions.
- enableIPv6: Controls whether APISix listens on IPv6 addresses. Enabled (
true
) by default, it can be set tofalse
if IPv6 support is not required. - volumePermissions: Manages permissions for the etcd volume. If you encounter permission issues (e.g., on Minikube), set this to
true
to ensure permissions are correctly set.
Action: Add or update the following configuration within your inventory:
inv_access:
apisix:
enableIPv6: true # Enable or disable IPv6 for APISix
etcd:
volumePermissions: false # Set to true if permission issues arise in your environment
8. Global Proxy Configuration
Change: Global proxy configuration support has been introduced to ensure that containers and pods can connect to external services using the appropriate proxy settings.
Action: Add the following proxy configuration to your inventory file under the general settings:
# Proxy environment variables for accessing external resources
inv_proxy:
http_proxy: "http://user:password@proxy:3128"
https_proxy: "http://user:password@proxy:3128"
no_proxy: "localhost,127.0.0.1,10.1.0.0/16,10.152.183.0/24"
9. Manual cleanup of redirect URLs in geostack client
Change:
A new installation of the V1.1 Platform has a reduced number of redirect URLs in the geostack client in keycloak. All former URLs containing .pre.{{DOMAIN}}
are not needed anymore.
Action:
To avoid unwanted deletions of URLs, we decided not to automate the deletion. So please login to keycloak, goto the realm, which was created for your platform and open the geostack
client. On the main page, the list of redirect URLs is shown. You can delete all URLs which contain .pre.{{DOMAIN}}
in the name.
Be careful if you entered additional URLs for other use cases - delete only the pre
ones.
The standard platform only needs these:
"https://oauth.geoportal.{{ DOMAIN }}/*",
"https://geoportal.{{ DOMAIN }}/*"
If you find any additional necessary changes, please let us know.