Upgrade Guide
This guide provides step-by-step instructions to help you transition your Ansible files from earlier versions. Each section highlights specific configuration changes and the necessary actions to update your files manually.
Follow each section carefully to ensure your configuration reflects the latest structure and standards. Where applicable, this guide also includes example values and references to additional documentation to assist you with specific settings.
Updating Inventory File from CIVITAS/CORE v1.1 to v1.2
This section will guide you through the necessary updates for transitioning your Ansible inventory file from version v1.1 to v1.2. Each section outlines specific changes along with instructions for manually updating your inventory file.
Unfortunately, APISIX is not update compatible with the current helm chart used. The upgrade will fail if you run ansible with the message Forbidden: updates to statefulset spec for fields ...
. You can either disabled APISIX in your upgrade inventory, or remove the helm release from your cluster.
Please BACKUP your manually created routes before running the upgrade, if any.
Default keycloak roles for the admin user will be added if not present any more. If you removed the roles on purpose, please make sure you remove them again after upgrading.
1. Configurable Database Ports
Change: All database ports can now be configured individually if required.
Action:
Add or update the following section in your inventory (optional, default is 5432
):
inv_mngd_db:
keycloak_postgres:
port: "5432" # Specify the desired port for Keycloak PostgreSQL
2. Private Registry Configuration
Change:
Support for configuring a private registry for all platform container images has been added. If all the platform container images are available in a private registry, this can be configured here Naming concept resembles the harbor configuration, i.e. <project_name>/<original_docker_io_path>
.
Action: Add or update the following configuration:
inv_op_stack:
private_registry:
enable: false # Enable if using a private registry
# registry_username: ""
# registry_password: ""
# registry_url: ""
# registry_full_url: ""
# registry_user_email: ""
3. Default Service Configuration
Change:
All services are now disabled by default (enable
is almost always set to false
).
Action: Review and adjust service enablement settings as needed.
4. Dataspace Configuration
Change:
Dataspaces can now be configured/created via the inventory file. additional_dataspaces
now supports to create multiple dataspaces. It is a list of dataspace names to be added to frost and stellio. All of these dataspaces will be added as private spaces.
Action: Add or update the following sections:
inv_access:
open_data_dataspace: ds_open_data # Default name of open data space (public access)
additional_dataspaces:
- "additional_data_space1"
- "additional_data_space2"
5. Removal of inv_access.group
Change:
The inv_access.group
key has been removed. Use inv_access.open_data_dataspace
instead.
Action:
Remove inv_access.group
and ensure open_data_dataspace
is configured appropriately.
6. Service Portal Configuration
Change: A service portal can now be configured as the entry page for the platform.
Action: Add the following configuration:
inv_access:
service_portal:
enable: false # Enable the service portal
ns_create: true
ns_name: "{{ ENVIRONMENT }}-access-stack"
ns_kubeconfig: "{{ kubeconfig_file }}"
replicas: 1
# Set the pathes to the certificate, the CRL and the CRL in PEM format
# Only required for self-signed certificates (e.g. for local development)
# If set, they will be offered for download on the portal page
certs:
enable: false
civitas_crt: "/workspaces/civitas-core/local_deployment/.ssl/civitas.crt"
civitas_crl: "/workspaces/civitas-core/local_deployment/.ssl/civitas.crl"
civitas_crl_pem: "/workspaces/civitas-core/local_deployment/.ssl/civitas.crl.pem"
oidc:
# If enabled, the user is logged in when accessing the portal
enable: false
oidc_authority: "https://idm.{{ DOMAIN }}/auth/realms/{{ ENVIRONMENT }}"
oidc_client_id: "api-access"
oidc_admin_role: ""
oidc_user_role: ""
apps:
portainer: false # Enable if you installed a portainer instances, e.g. via local deployment
7. Frost MQTT Session Affinity
Change:
Support for configuring session affinity in Frost MQTT has been added. If you use WSL on Windows, set this to None
.
Action: Add or update the following configuration:
inv_cm:
frost:
mqtt:
session_affinity: "ClientIP" # Set to None for local deployment on WSL2
8. Custom Harbor Instance Configuration
Change: Support for configuring a custom Harbor instance for container image replication. With this configuration, the images are replicated to the custom Harbor instance.
Action: Add or update the following configuration:
inv_infra:
harbor:
enable: false # Enable if using a custom Harbor instance
username: ""
password: ""
debug: false
base_url: ""
If you identify any additional necessary changes, please let us know.
Updating Inventory File from CIVITAS/CORE v1.0 to v1.1
This section will walk you through the necessary updates for transitioning your Ansible inventory file from version v1.0 to v1.1. Each section highlights specific changes along with guidance for manually updating your inventory file.
1. Ingress Configuration for local deployment and custom SSL certificates
Change:
A new ingress
section has been added to support local deployment of the platform. The ca_path
value is set to the path to your local self-signed CA certificate (see local deployment guide for details). The http
value is set to true
if you want to allow HTTP access (without SSL).
Action: Add or update the following sections:
inv_k8s:
ingress:
ca_path: "" # Path to your local self-signed CA certificate
http: false # Allow HTTP access (without SSL)
2. Prometheus and Grafana Storage Adjustments
Change:
Prometheus can be disabled via the inv_op_stack.prometheus
section.
Action: Add or update these values:
inv_op_stack:
prometheus:
enable: false # Prometheus can be disabled
3. PostgreSQL Version Upgrade
Change:
PostgreSQL version is updated from 14
to 15
.
Action:
For all PostgreSQL configurations, update pg_version
to 15
:
pg_version: "15" # PostgreSQL version
4. Inventory Access and IDM Configurations
Change:
inv_access.base_domain
has been removed.
Action:
Remove base_domain
and update values as follows:
5. APISIX and Mimir Enhancements
Change:
Added ingress_controller
configuration within apisix
. This allows to enable or disable the Ingress controller. For a standard CIVITAS deployment, this can be set to false
. This allows to run multiple APISIX instances on the same cluster.
Action:
Add the ingress_controller
section within apisix
:
inv_access:
apisix:
ingress_controller:
enable: false # Enable or disable the Ingress controller
6. Typo in Superset variable
Change:
A typo was fixed in the variable redis_auth_password
for Superset. In existing inventories this typo must be fixed, too.
Action:
Change the variable redis_auth_pasword
in section superset
:
inv_da:
superset:
redis_auth_password: "yoursecretgeneratedpassword"
7. APISix Configuration
Change:
Two new configuration options have been added to APISix: enableIPv6
and volumePermissions
to provide more control over network configuration and permissions.
- enableIPv6: Controls whether APISix listens on IPv6 addresses. Enabled (
true
) by default, it can be set tofalse
if IPv6 support is not required. - volumePermissions: Manages permissions for the etcd volume. If you encounter permission issues (e.g., on Minikube), set this to
true
to ensure correct permissions.
Action: Add or update the following configuration within your inventory:
inv_access:
apisix:
enableIPv6: true # Enable or disable IPv6 for APISix
etcd:
volumePermissions: false # Set to true if permission issues arise in your environment
8. Global Proxy Configuration
Change: Global proxy configuration support has been introduced to ensure that containers and pods can connect to external services using the appropriate proxy settings.
Action: Add the following proxy configuration to your inventory file under the general settings:
# Proxy environment variables for accessing external resources
inv_proxy:
http_proxy: "http://user:password@proxy:3128"
https_proxy: "http://user:password@proxy:3128"
no_proxy: "localhost,127.0.0.1,10.1.0.0/16,10.152.183.0/24"
9. Manual cleanup of redirect URLs in geostack client
Change:
A new installation of the V1.1 Platform has a reduced number of redirect URLs in the geostack client in keycloak. All former URLs containing .pre.{{DOMAIN}}
are not needed anymore.
Action:
To avoid unwanted deletions of URLs, we decided not to automate the deletion. So please login to keycloak, goto the realm, which was created for your platform and open the geostack
client. On the main page, the list of redirect URLs is shown. You can delete all URLs which contain .pre.{{DOMAIN}}
in the name.
Be careful if you entered additional URLs for other use cases - delete only the pre
ones.
The standard platform only needs these:
"https://oauth.geoportal.{{ DOMAIN }}/*",
"https://geoportal.{{ DOMAIN }}/*"
If you find any additional necessary changes, please let us know.