This procedure covers upgrading from Apigee hybrid version 1.12.x to Apigee hybrid version 1.13.2.
Changes from Apigee hybrid v1.12
Please note the following changes:
-
apigee-operator
in the Apigee namespace: Starting in version 1.13,apigee-operator
runs in the same Kubernetes namespace as the other Apigee hybrid components,apigee
by default. You can supply any name for the namespace. In previous versions, theapigee-operator
was required to run in its own namespace,apigee-system
. - Anthos (on bare metal or VMware) is now Google Distributed Cloud (for bare metal or VMware): For more information see the product overviews for Google Distributed Cloud for bare metal and Google Distributed Cloud for VMware.
Prerequisites
Before upgrading to hybrid version 1.13, make sure your installation meets the following requirements:
- If your hybrid installation is running a version older than v1.12, you must upgrade to version 1.12 before upgrading to v1.13. See Upgrading Apigee hybrid to version 1.12.
- Helm version v3.14.2+.
kubectl
: A supported version ofkubectl
appropriate for your Kubernetes platform version. see Supported platforms and versions:kubectl
.- cert-manager: A supported version of cert-manager. See Supported platforms and versions: cert-manager. If needed, you will upgrade cert-manager in the Prepare to upgrade to version 1.13 section below.
Upgrading to version 1.13.2 overview
The procedures for upgrading Apigee hybrid are organized in the following sections:
Prepare to upgrade to version 1.13
Back up your hybrid installation
- These instructions use the environment variable APIGEE_HELM_CHARTS_HOME for the directory
in your file system where you have installed the Helm charts. If needed, change directory
into this directory and define the variable with the following command:
Linux
export APIGEE_HELM_CHARTS_HOME=$PWD
echo $APIGEE_HELM_CHARTS_HOME
Mac OS
export APIGEE_HELM_CHARTS_HOME=$PWD
echo $APIGEE_HELM_CHARTS_HOME
Windows
set APIGEE_HELM_CHARTS_HOME=%CD%
echo %APIGEE_HELM_CHARTS_HOME%
- Make a backup copy of your version 1.12
$APIGEE_HELM_CHARTS_HOME/
directory. You can use any backup process. For example, you can create atar
file of your entire directory with:tar -czvf $APIGEE_HELM_CHARTS_HOME/../apigee-helm-charts-v1.12-backup.tar.gz $APIGEE_HELM_CHARTS_HOME
- Back up your Cassandra database following the instructions in Cassandra backup and recovery.
- If you are using service cert files (
.json
) in your overrides to authenticate service accounts, make sure your service account cert files reside in the correct Helm chart directory. Helm charts cannot read files outside of each chart directory.This step is not required if you are using Kubernetes secrets or Workload Identity to authenticate service accounts.
The following table shows the destination for each service account file, depending on your type of installation:
Prod
Service account Default filename Helm chart directory apigee-cassandra
PROJECT_ID-apigee-cassandra.json
$APIGEE_HELM_CHARTS_HOME/apigee-datastore/
apigee-logger
PROJECT_ID-apigee-logger.json
$APIGEE_HELM_CHARTS_HOME/apigee-telemetry/
apigee-mart
PROJECT_ID-apigee-mart.json
$APIGEE_HELM_CHARTS_HOME/apigee-org/
apigee-metrics
PROJECT_ID-apigee-metrics.json
$APIGEE_HELM_CHARTS_HOME/apigee-telemetry/
apigee-runtime
PROJECT_ID-apigee-runtime.json
$APIGEE_HELM_CHARTS_HOME/apigee-env
apigee-synchronizer
PROJECT_ID-apigee-synchronizer.json
$APIGEE_HELM_CHARTS_HOME/apigee-env/
apigee-udca
PROJECT_ID-apigee-udca.json
$APIGEE_HELM_CHARTS_HOME/apigee-org/
apigee-watcher
PROJECT_ID-apigee-watcher.json
$APIGEE_HELM_CHARTS_HOME/apigee-org/
Non-prod
Make a copy of the
apigee-non-prod
service account file in each of the following directories:Service account Default filename Helm chart directories apigee-non-prod
PROJECT_ID-apigee-non-prod.json
$APIGEE_HELM_CHARTS_HOME/apigee-datastore/
$APIGEE_HELM_CHARTS_HOME/apigee-telemetry/
$APIGEE_HELM_CHARTS_HOME/apigee-org/
$APIGEE_HELM_CHARTS_HOME/apigee-env/
-
Make sure that your TLS certificate and key files (
.crt
,.key
, and/or.pem
) reside in the$APIGEE_HELM_CHARTS_HOME/apigee-virtualhost/
directory.
Upgrade your Kubernetes version
Check your Kubernetes platform version and if needed, upgrade your Kubernetes platform to a version that is supported by both hybrid 1.12 and hybrid 1.13. Follow your platform's documentation if you need help.
Install the hybrid 1.13.2 runtime
Prepare for the Helm charts upgrade
- Pull the Apigee Helm charts.
Apigee hybrid charts are hosted in Google Artifact Registry:
oci://us-docker.pkg.dev/apigee-release/apigee-hybrid-helm-charts
Using the
pull
command, copy all of the Apigee hybrid Helm charts to your local storage with the following command:export CHART_REPO=oci://us-docker.pkg.dev/apigee-release/apigee-hybrid-helm-charts
export CHART_VERSION=1.13.2
helm pull $CHART_REPO/apigee-operator --version $CHART_VERSION --untar
helm pull $CHART_REPO/apigee-datastore --version $CHART_VERSION --untar
helm pull $CHART_REPO/apigee-env --version $CHART_VERSION --untar
helm pull $CHART_REPO/apigee-ingress-manager --version $CHART_VERSION --untar
helm pull $CHART_REPO/apigee-org --version $CHART_VERSION --untar
helm pull $CHART_REPO/apigee-redis --version $CHART_VERSION --untar
helm pull $CHART_REPO/apigee-telemetry --version $CHART_VERSION --untar
helm pull $CHART_REPO/apigee-virtualhost --version $CHART_VERSION --untar
- Upgrade cert-manager if needed.
If you need to upgrade your cert-manager version, install the new version with the following command:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.1/cert-manager.yaml
See Supported platforms and versions: cert-manager for a list of supported versions.
- If your Apigee namespace is not
apigee
, edit theapigee-operator/etc/crds/default/kustomization.yaml
file and replace thenamespace
value with your Apigee namespace.apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: APIGEE_NAMESPACE
If you are using
apigee
as your namespace you do not need to edit the file. - Install the updated Apigee CRDs:
-
Use the
kubectl
dry-run feature by running the following command:kubectl apply -k apigee-operator/etc/crds/default/ --server-side --force-conflicts --validate=false --dry-run=server
-
After validating with the dry-run command, run the following command:
kubectl apply -k apigee-operator/etc/crds/default/ \ --server-side \ --force-conflicts \ --validate=false
- Validate the installation with the
kubectl get crds
command:kubectl get crds | grep apigee
Your output should look something like the following:
apigeedatastores.apigee.cloud.google.com 2024-08-21T14:48:30Z apigeedeployments.apigee.cloud.google.com 2024-08-21T14:48:30Z apigeeenvironments.apigee.cloud.google.com 2024-08-21T14:48:31Z apigeeissues.apigee.cloud.google.com 2024-08-21T14:48:31Z apigeeorganizations.apigee.cloud.google.com 2024-08-21T14:48:32Z apigeeredis.apigee.cloud.google.com 2024-08-21T14:48:33Z apigeerouteconfigs.apigee.cloud.google.com 2024-08-21T14:48:33Z apigeeroutes.apigee.cloud.google.com 2024-08-21T14:48:33Z apigeetelemetries.apigee.cloud.google.com 2024-08-21T14:48:34Z cassandradatareplications.apigee.cloud.google.com 2024-08-21T14:48:35Z
-
-
Migrate
apigee-operator
from theapigee-system
namespace to APIGEE_NAMESPACE.- Annotate the
clusterIssuer
with the new namespacekubectl annotate --overwrite clusterIssuer apigee-ca-issuer meta.helm.sh/release-namespace='APIGEE_NAMESPACE'
- If you are changing the release name for
apigee-operator
, annotate theclusterIssuer
with the new release name.kubectl annotate --overwrite clusterIssuer apigee-ca-issuer meta.helm.sh/release-name='APIGEE_OPERATOR_RELEASE_NAME'
- Annotate the
- Update the replicas of your existing Apigee Operator deployment in the
apigee-system
namespace to 0 (zero) to avoid the two controllers reconciling.kubectl scale deployment apigee-controller-manager -n apigee-system --replicas=0
- Update the replicas of your existing Apigee Operator deployment in the
apigee-system
namespace to 0 (zero) to avoid the two controllers reconciling.kubectl delete mutatingwebhookconfiguration apigee-mutating-webhook-configuration
kubectl delete validatingwebhookconfiguration apigee-validating-webhook-configuration
-
Check the labels on the cluster nodes. By default, Apigee schedules data pods on nodes with the label
cloud.google.com/gke-nodepool=apigee-data
and runtime pods are scheduled on nodes with the labelcloud.google.com/gke-nodepool=apigee-runtime
. You can customize your node pool labels in theoverrides.yaml
file.For more information, see Configuring dedicated node pools.
Install the Apigee hybrid Helm charts
- If you have not, navigate into your
APIGEE_HELM_CHARTS_HOME
directory. Run the following commands from that directory. - Upgrade the Apigee Operator/Controller:
Dry run:
helm upgrade operator apigee-operator/ \ --install \ --namespace APIGEE_NAMESPACE \ -f OVERRIDES_FILE \ --dry-run
Upgrade the chart:
helm upgrade operator apigee-operator/ \ --install \ --namespace APIGEE_NAMESPACE \ -f OVERRIDES_FILE
Verify Apigee Operator installation:
helm ls -n APIGEE_NAMESPACE
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION operator apigee 3 2024-08-21 00:42:44.492009 -0800 PST deployed apigee-operator-1.13.2 1.13.2
Verify it is up and running by checking its availability:
kubectl -n APIGEE_NAMESPACE get deploy apigee-controller-manager
NAME READY UP-TO-DATE AVAILABLE AGE apigee-controller-manager 1/1 1 1 7d20h
- Upgrade the Apigee datastore:
Dry run:
helm upgrade datastore apigee-datastore/ \ --install \ --namespace APIGEE_NAMESPACE \ -f OVERRIDES_FILE \ --dry-run=server
Upgrade the chart:
helm upgrade datastore apigee-datastore/ \ --install \ --namespace APIGEE_NAMESPACE \ -f OVERRIDES_FILE
Verify
apigeedatastore
is up and running by checking its state:kubectl -n APIGEE_NAMESPACE get apigeedatastore default
NAME STATE AGE default running 2d
- Upgrade Apigee telemetry:
Dry run:
helm upgrade telemetry apigee-telemetry/ \ --install \ --namespace APIGEE_NAMESPACE \ -f OVERRIDES_FILE \ --dry-run
Upgrade the chart:
helm upgrade telemetry apigee-telemetry/ \ --install \ --namespace APIGEE_NAMESPACE \ -f OVERRIDES_FILE
Verify it is up and running by checking its state:
kubectl -n APIGEE_NAMESPACE get apigeetelemetry apigee-telemetry
NAME STATE AGE apigee-telemetry running 2d
- Upgrade Apigee Redis:
Dry run:
helm upgrade redis apigee-redis/ \ --install \ --namespace APIGEE_NAMESPACE \ -f OVERRIDES_FILE \ --dry-run
Upgrade the chart:
helm upgrade redis apigee-redis/ \ --install \ --namespace APIGEE_NAMESPACE \ -f OVERRIDES_FILE
Verify it is up and running by checking its state:
kubectl -n APIGEE_NAMESPACE get apigeeredis default
NAME STATE AGE default running 2d
- Upgrade Apigee ingress manager:
Dry run:
helm upgrade ingress-manager apigee-ingress-manager/ \ --install \ --namespace APIGEE_NAMESPACE \ -f OVERRIDES_FILE \ --dry-run
Upgrade the chart:
helm upgrade ingress-manager apigee-ingress-manager/ \ --install \ --namespace APIGEE_NAMESPACE \ -f OVERRIDES_FILE
Verify it is up and running by checking its availability:
kubectl -n APIGEE_NAMESPACE get deployment apigee-ingressgateway-manager
NAME READY UP-TO-DATE AVAILABLE AGE apigee-ingressgateway-manager 2/2 2 2 2d
- Upgrade the Apigee organization:
Dry run:
helm upgrade ORG_NAME apigee-org/ \ --install \ --namespace APIGEE_NAMESPACE \ -f OVERRIDES_FILE \ --dry-run
Upgrade the chart:
helm upgrade ORG_NAME apigee-org/ \ --install \ --namespace APIGEE_NAMESPACE \ -f OVERRIDES_FILE
Verify it is up and running by checking the state of the respective org:
kubectl -n APIGEE_NAMESPACE get apigeeorg
NAME STATE AGE apigee-org1-xxxxx running 2d
- Upgrade the environment.
You must install one environment at a time. Specify the environment with
--set env=
ENV_NAME.Dry run:
helm upgrade ENV_RELEASE_NAME apigee-env/ \ --install \ --namespace APIGEE_NAMESPACE \ --set env=ENV_NAME \ -f OVERRIDES_FILE \ --dry-run
- ENV_RELEASE_NAME is the name with which you previously installed the
apigee-env
chart. In hybrid v1.10, it is usuallyapigee-env-ENV_NAME
. In Hybrid v1.11 and newer it is usually ENV_NAME. - ENV_NAME is the name of the environment you are upgrading.
- OVERRIDES_FILE is your new overrides file for v.1.13.2
Upgrade the chart:
helm upgrade ENV_RELEASE_NAME apigee-env/ \ --install \ --namespace APIGEE_NAMESPACE \ --set env=ENV_NAME \ -f OVERRIDES_FILE
Verify it is up and running by checking the state of the respective env:
kubectl -n APIGEE_NAMESPACE get apigeeenv
NAME STATE AGE GATEWAYTYPE apigee-org1-dev-xxx running 2d
- ENV_RELEASE_NAME is the name with which you previously installed the
-
Upgrade the environment groups (
virtualhosts
).- You must upgrade one environment group (virtualhost) at a time. Specify the environment
group with
--set envgroup=
ENV_GROUP_NAME. Repeat the following commands for each environment group mentioned in the overrides.yaml file:Dry run:
helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \ --install \ --namespace APIGEE_NAMESPACE \ --set envgroup=ENV_GROUP_NAME \ -f OVERRIDES_FILE \ --dry-run
ENV_GROUP_RELEASE_NAME is the name with which you previously installed the
apigee-virtualhost
chart. In hybrid v1.10, it is usuallyapigee-virtualhost-ENV_GROUP_NAME
. In Hybrid v1.11 and newer it is usually ENV_GROUP_NAME.Upgrade the chart:
helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \ --install \ --namespace APIGEE_NAMESPACE \ --set envgroup=ENV_GROUP_NAME \ -f OVERRIDES_FILE
- Check the state of the ApigeeRoute (AR).
Installing the
virtualhosts
creates ApigeeRouteConfig (ARC) which internally creates ApigeeRoute (AR) once the Apigee watcher pulls environment group-related details from the control plane. Therefore, check that the corresponding AR's state is running:kubectl -n APIGEE_NAMESPACE get arc
NAME STATE AGE apigee-org1-dev-egroup 2d
kubectl -n APIGEE_NAMESPACE get ar
NAME STATE AGE apigee-org1-dev-egroup-xxxxxx running 2d
- You must upgrade one environment group (virtualhost) at a time. Specify the environment
group with
- After you have verified all the installations are upgraded successfully, delete the older
apigee-operator
release from theapigee-system
namespace.- Uninstall the old
operator
release:helm delete operator -n apigee-system
- Delete the
apigee-system
namespace:kubectl delete namespace apigee-system
- Uninstall the old
- Upgrade
operator
again in your Apigee namespace to re-install the deleted cluster-scoped resources:helm upgrade operator apigee-operator/ \ --install \ --namespace APIGEE_NAMESPACE \ --atomic \ -f overrides.yaml
Rolling back to a previous version
To roll back to the previous version, use the older chart version to roll back the upgrade process in the reverse order. Start with apigee-virtualhost
and work your way back to apigee-operator
, and then revert the CRDs.
Because of the change in the namespace for apigee-operator
, you need to perform extra steps to delete the Validating and Mutating admission hooks. That way, when you install the apigee-operator
back in the apigee-system
namespace, they will be recreated to point to the correct Apigee Operator endpoint.
- Update the replicas of the existing Apigee Operator deployment in Apigee to 0 (zero) to avoid the two controllers reconciling the Custom Resources to avoid conflicts when rolling it back in the
apigee-system
namespace.kubectl scale deployment apigee-controller-manager -n APIGEE_NAMESPACE --replicas=0
kubectl delete mutatingwebhookconfiguration \ apigee-mutating-webhook-configuration-APIGEE_NAMESPACE
kubectl delete validatingwebhookconfiguration \ apigee-validating-webhook-configuration-APIGEE_NAMESPACE
- Revert all the charts from
apigee-virtualhost
toapigee-datastore
. The following commands assume you are using the charts from the previous version (v1.12.x).Run the following command for each environment group:
helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \ --install \ --namespace apigee \ --atomic \ --set envgroup=ENV_GROUP_NAME \ -f 1.12_OVERRIDES_FILE
Run the following command for each environment:
helm upgrade ENV_RELEASE_NAME apigee-env/ \ --install \ --namespace apigee \ --atomic \ --set env=ENV_NAME \ -f 1.12_OVERRIDES_FILE
Revert the remaining charts except for
apigee-operator
.helm upgrade ORG_NAME apigee-org/ \ --install \ --namespace apigee \ --atomic \ -f 1.12_OVERRIDES_FILE
helm upgrade ingress-manager apigee-ingress-manager/ \ --install \ --namespace apigee \ --atomic \ -f 1.12_OVERRIDES_FILE
helm upgrade redis apigee-redis/ \ --install \ --namespace apigee \ --atomic \ -f 1.12_OVERRIDES_FILE
helm upgrade telemetry apigee-telemetry/ \ --install \ --namespace apigee \ --atomic \ -f 1.12_OVERRIDES_FILE
helm upgrade datastore apigee-datastore/ \ --install \ --namespace apigee \ --atomic \ -f 1.12_OVERRIDES_FILE
- Create the
apigee-system
namespace.kubectl create namespace apigee-system
- Patch the resource annotation back to the
apigee-system
namespace.kubectl annotate --overwrite clusterIssuer apigee-ca-issuer meta.helm.sh/release-namespace='apigee-system'
- If you have changed the release name as well, update the annotation with the
operator
release name.kubectl annotate --overwrite cluseterIssuer apigee-ca-issuer meta.helm.sh/release-name='operator'
- Install
apigee-operator
back into theapigee-system
namespace.helm upgrade operator apigee-operator/ \ --install \ --namespace apigee-system \ --atomic \ -f 1.12_OVERRIDES_FILE
- Revert the CRDs by reinstalling the older CRDs.
kubectl apply -k apigee-operator/etc/crds/default/ \ --server-side \ --force-conflicts \ --validate=false
- Clean up the
apigee-operator
release from the APIGEE_NAMESPACE namespace to complete the rollback process.helm uninstall operator -n APIGEE_NAMESPACE
- Some cluster-scoped resources, such as
clusterIssuer
, are deleted whenoperator
is uninstalled. Reinstall them with the following command:helm upgrade operator apigee-operator/ \ --install \ --namespace apigee-system \ --atomic \ -f 1.12_OVERRIDES_FILE