Skip to main content
Version: 1.1

Upgrade Guide

This guide provides step-by-step instructions to help you transition your Ansible files from earlier versions. Each section highlights specific configuration changes and the necessary actions to update your files manually.

Follow each section carefully to ensure your configuration reflects the latest structure and standards. Where applicable, this guide also includes example values and references to additional documentation to assist you with specific settings.

Updating Inventory File from CIVITAS/CORE v1.0 to v1.1

This section will walk you through the necessary updates for transitioning your Ansible inventory file from version v1.0 to v1.1. Each section highlights specific changes along with guidance for manually updating your inventory file.


1. Ingress Configuration for local deployment and custom SSL certificates

Change: A new ingress section has been added to support local deployment of the platform. The ca_path value is set to the path to your local self-signed CA certificate (see local deployment guide for details). The http value is set to true if you want to allow HTTP access (without SSL).

Action: Add or update the following sections:

inv_k8s:
ingress:
ca_path: "" # Path to your local self-signed CA certificate
http: false # Allow HTTP access (without SSL)

2. Prometheus and Grafana Storage Adjustments

Change: Prometheus can be disabled via the inv_op_stack.prometheus section.

Action: Add or update these values:

inv_op_stack:
prometheus:
enable: false # Prometheus can be disabled

3. PostgreSQL Version Upgrade

Change: PostgreSQL version is updated from 14 to 15.

Action: For all PostgreSQL configurations, update pg_version to 15:

pg_version: "15" # PostgreSQL version

4. Inventory Access and IDM Configurations

Change: inv_access.base_domain has been removed.

Action: Remove base_domain and update values as follows:


5. APISIX and Mimir Enhancements

Change: Added ingress_controller configuration within apisix. This allows to enable or disable the Ingress controller. For a standard CIVITAS deployment, this can be set to false. This allows to run multiple APISIX instances on the same cluster.

Action: Add the ingress_controller section within apisix:

inv_access:
apisix:
ingress_controller:
enable: false # Enable or disable the Ingress controller

6. Typo in superset variable

Change: A typo was fixed in the variable redis_auth_password for superset. In existing inventories this typo must be fixed, too.

Action: Change the variable redis_auth_pasword in section superset:

inv_da:
superset:
redis_auth_password: "yoursecretgeneratedpassword"

7. APISix Configuration

Change: Two new configuration options have been added to APISix: enableIPv6 and volumePermissions to provide more control over network configuration and permissions.

  • enableIPv6: Controls whether APISix listens on IPv6 addresses. Enabled (true) by default, it can be set to false if IPv6 support is not required.
  • volumePermissions: Manages permissions for the etcd volume. If you encounter permission issues (e.g., on Minikube), set this to true to ensure permissions are correctly set.

Action: Add or update the following configuration within your inventory:

inv_access:
apisix:
enableIPv6: true # Enable or disable IPv6 for APISix
etcd:
volumePermissions: false # Set to true if permission issues arise in your environment

8. Global Proxy Configuration

Change: Global proxy configuration support has been introduced to ensure that containers and pods can connect to external services using the appropriate proxy settings.

Action: Add the following proxy configuration to your inventory file under the general settings:

# Proxy environment variables for accessing external resources
inv_proxy:
http_proxy: "http://user:password@proxy:3128"
https_proxy: "http://user:password@proxy:3128"
no_proxy: "localhost,127.0.0.1,10.1.0.0/16,10.152.183.0/24"

9. Manual cleanup of redirect URLs in geostack client

Change: A new installation of the V1.1 Platform has a reduced number of redirect URLs in the geostack client in keycloak. All former URLs containing .pre.{{DOMAIN}} are not needed anymore.

Action: To avoid unwanted deletions of URLs, we decided not to automate the deletion. So please login to keycloak, goto the realm, which was created for your platform and open the geostack client. On the main page, the list of redirect URLs is shown. You can delete all URLs which contain .pre.{{DOMAIN}} in the name.

Be careful if you entered additional URLs for other use cases - delete only the preones.

The standard platform only needs these:

    "https://oauth.geoportal.{{ DOMAIN }}/*",
"https://geoportal.{{ DOMAIN }}/*"

If you find any additional necessary changes, please let us know.