Upgrading Apigee hybrid to version 1.14

This procedure covers upgrading from Apigee hybrid version 1.13.x to Apigee hybrid version 1.14.0.

Changes from Apigee hybrid v1.13

Please note the following changes:

For additional information about features in Hybrid version 1.14, see the Apigee hybrid v1.14.0 release notes.

Prerequisites

Before upgrading to hybrid version 1.14, make sure your installation meets the following requirements:

Upgrading to version 1.14.0 overview

The procedures for upgrading Apigee hybrid are organized in the following sections:

  1. Prepare to upgrade.
  2. Install hybrid runtime version 1.14.0.

Prepare to upgrade to version 1.14

Back up your hybrid installation

  1. These instructions use the environment variable APIGEE_HELM_CHARTS_HOME for the directory in your file system where you have installed the Helm charts. If needed, change directory into this directory and define the variable with the following command:

    Linux

    export APIGEE_HELM_CHARTS_HOME=$PWD
    echo $APIGEE_HELM_CHARTS_HOME

    Mac OS

    export APIGEE_HELM_CHARTS_HOME=$PWD
    echo $APIGEE_HELM_CHARTS_HOME

    Windows

    set APIGEE_HELM_CHARTS_HOME=%CD%
    echo %APIGEE_HELM_CHARTS_HOME%
  2. Make a backup copy of your version 1.13 $APIGEE_HELM_CHARTS_HOME/ directory. You can use any backup process. For example, you can create a tar file of your entire directory with:
    tar -czvf $APIGEE_HELM_CHARTS_HOME/../apigee-helm-charts-v1.13-backup.tar.gz $APIGEE_HELM_CHARTS_HOME
  3. Back up your Cassandra database following the instructions in Cassandra backup and recovery.
  4. If you are using service cert files (.json) in your overrides to authenticate service accounts, make sure your service account cert files reside in the correct Helm chart directory. Helm charts cannot read files outside of each chart directory.

    This step is not required if you are using Kubernetes secrets or Workload Identity to authenticate service accounts.

    The following table shows the destination for each service account file, depending on your type of installation:

    Prod

    Service account Default filename Helm chart directory
    apigee-cassandra PROJECT_ID-apigee-cassandra.json $APIGEE_HELM_CHARTS_HOME/apigee-datastore/
    apigee-logger PROJECT_ID-apigee-logger.json $APIGEE_HELM_CHARTS_HOME/apigee-telemetry/
    apigee-mart PROJECT_ID-apigee-mart.json $APIGEE_HELM_CHARTS_HOME/apigee-org/
    apigee-metrics PROJECT_ID-apigee-metrics.json $APIGEE_HELM_CHARTS_HOME/apigee-telemetry/
    apigee-runtime PROJECT_ID-apigee-runtime.json $APIGEE_HELM_CHARTS_HOME/apigee-env
    apigee-synchronizer PROJECT_ID-apigee-synchronizer.json $APIGEE_HELM_CHARTS_HOME/apigee-env/
    apigee-udca PROJECT_ID-apigee-udca.json $APIGEE_HELM_CHARTS_HOME/apigee-org/
    apigee-watcher PROJECT_ID-apigee-watcher.json $APIGEE_HELM_CHARTS_HOME/apigee-org/

    Non-prod

    Make a copy of the apigee-non-prod service account file in each of the following directories:

    Service account Default filename Helm chart directories
    apigee-non-prod PROJECT_ID-apigee-non-prod.json $APIGEE_HELM_CHARTS_HOME/apigee-datastore/
    $APIGEE_HELM_CHARTS_HOME/apigee-telemetry/
    $APIGEE_HELM_CHARTS_HOME/apigee-org/
    $APIGEE_HELM_CHARTS_HOME/apigee-env/
  5. Make sure that your TLS certificate and key files (.crt, .key, and/or .pem) reside in the $APIGEE_HELM_CHARTS_HOME/apigee-virtualhost/ directory.

Upgrade your Kubernetes version

Check your Kubernetes platform version and if needed, upgrade your Kubernetes platform to a version that is supported by both hybrid 1.13 and hybrid 1.14. Follow your platform's documentation if you need help.

Install the hybrid 1.14.0 runtime

Configure the data collection pipeline.

  1. For hybrid v1.14, you must add the following newDataPipeline stanza to your overrides.yaml file to allow data plane components to write directly to Apigee's control plane:

    # Required
    newDataPipeline:
      debugSession: true
      analytics: true
    
  2. Follow the steps in Analytics and debug data collection with data residency: Configuration to configure the authorization flow.

Prepare for the Helm charts upgrade

  1. Pull the Apigee Helm charts.

    Apigee hybrid charts are hosted in Google Artifact Registry:

    oci://us-docker.pkg.dev/apigee-release/apigee-hybrid-helm-charts

    Using the pull command, copy all of the Apigee hybrid Helm charts to your local storage with the following command:

    export CHART_REPO=oci://us-docker.pkg.dev/apigee-release/apigee-hybrid-helm-charts
    export CHART_VERSION=1.14.0
    helm pull $CHART_REPO/apigee-operator --version $CHART_VERSION --untar
    helm pull $CHART_REPO/apigee-datastore --version $CHART_VERSION --untar
    helm pull $CHART_REPO/apigee-env --version $CHART_VERSION --untar
    helm pull $CHART_REPO/apigee-ingress-manager --version $CHART_VERSION --untar
    helm pull $CHART_REPO/apigee-org --version $CHART_VERSION --untar
    helm pull $CHART_REPO/apigee-redis --version $CHART_VERSION --untar
    helm pull $CHART_REPO/apigee-telemetry --version $CHART_VERSION --untar
    helm pull $CHART_REPO/apigee-virtualhost --version $CHART_VERSION --untar
    
  2. Upgrade cert-manager if needed.

    If you need to upgrade your cert-manager version, install the new version with the following command:

    kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.1/cert-manager.yaml
    

    See Supported platforms and versions: cert-manager for a list of supported versions.

  3. If your Apigee namespace is not apigee, edit the apigee-operator/etc/crds/default/kustomization.yaml file and replace the namespace value with your Apigee namespace.
    apiVersion: kustomize.config.k8s.io/v1beta1
    kind: Kustomization
    
    namespace: APIGEE_NAMESPACE
    

    If you are using apigee as your namespace you do not need to edit the file.

  4. Install the updated Apigee CRDs:
    1. Use the kubectl dry-run feature by running the following command:

      kubectl apply -k  apigee-operator/etc/crds/default/ --server-side --force-conflicts --validate=false --dry-run
      
    2. After validating with the dry-run command, run the following command:

      kubectl apply -k  apigee-operator/etc/crds/default/ \
        --server-side \
        --force-conflicts \
        --validate=false
      
    3. Validate the installation with the kubectl get crds command:
      kubectl get crds | grep apigee

      Your output should look something like the following:

      apigeedatastores.apigee.cloud.google.com                    2024-08-21T14:48:30Z
      apigeedeployments.apigee.cloud.google.com                   2024-08-21T14:48:30Z
      apigeeenvironments.apigee.cloud.google.com                  2024-08-21T14:48:31Z
      apigeeissues.apigee.cloud.google.com                        2024-08-21T14:48:31Z
      apigeeorganizations.apigee.cloud.google.com                 2024-08-21T14:48:32Z
      apigeeredis.apigee.cloud.google.com                         2024-08-21T14:48:33Z
      apigeerouteconfigs.apigee.cloud.google.com                  2024-08-21T14:48:33Z
      apigeeroutes.apigee.cloud.google.com                        2024-08-21T14:48:33Z
      apigeetelemetries.apigee.cloud.google.com                   2024-08-21T14:48:34Z
      cassandradatareplications.apigee.cloud.google.com           2024-08-21T14:48:35Z
      
  5. Migrate apigee-operator from the apigee-system namespace to APIGEE_NAMESPACE.
    1. Annotate the clusterIssuer with the new namespace
      kubectl annotate --overwrite clusterIssuer apigee-ca-issuer meta.helm.sh/release-namespace='APIGEE_NAMESPACE'
      
    2. If you are changing the release name for apigee-operator, annotate the clusterIssuer with the new release name.
      kubectl annotate --overwrite clusterIssuer apigee-ca-issuer meta.helm.sh/release-name='APIGEE_OPERATOR_RELEASE_NAME'
      
  6. Update the replicas of your existing Apigee Operator deployment in the apigee-system namespace to 0 (zero) to avoid the two controllers reconciling.
    kubectl scale deployment apigee-controller-manager -n apigee-system --replicas=0
    
  7. Update the replicas of your existing Apigee Operator deployment in the apigee-system namespace to 0 (zero) to avoid the two controllers reconciling.
    kubectl delete mutatingwebhookconfiguration apigee-mutating-webhook-configuration
    kubectl delete validatingwebhookconfiguration apigee-validating-webhook-configuration
    
  8. Check the labels on the cluster nodes. By default, Apigee schedules data pods on nodes with the label cloud.google.com/gke-nodepool=apigee-data and runtime pods are scheduled on nodes with the label cloud.google.com/gke-nodepool=apigee-runtime. You can customize your node pool labels in the overrides.yaml file.

    For more information, see Configuring dedicated node pools.

Install the Apigee hybrid Helm charts

  1. If you have not, navigate into your APIGEE_HELM_CHARTS_HOME directory. Run the following commands from that directory.
  2. Upgrade the Apigee Operator/Controller:

    Dry run:

    helm upgrade operator apigee-operator/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      -f OVERRIDES_FILE \
      --dry-run=server
    

    Upgrade the chart:

    helm upgrade operator apigee-operator/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      -f OVERRIDES_FILE
    

    Verify Apigee Operator installation:

    helm ls -n APIGEE_NAMESPACE
    
    NAME       NAMESPACE       REVISION   UPDATED                                STATUS     CHART                   APP VERSION
    operator   apigee   3          2024-08-21 00:42:44.492009 -0800 PST   deployed   apigee-operator-1.14.0   1.14.0
    

    Verify it is up and running by checking its availability:

    kubectl -n APIGEE_NAMESPACE get deploy apigee-controller-manager
    
    NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
    apigee-controller-manager   1/1     1            1           7d20h
    
  3. Upgrade the Apigee datastore:

    Dry run:

    helm upgrade datastore apigee-datastore/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      -f OVERRIDES_FILE \
      --dry-run=server
    

    Upgrade the chart:

    helm upgrade datastore apigee-datastore/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      -f OVERRIDES_FILE
    

    Verify apigeedatastore is up and running by checking its state:

    kubectl -n APIGEE_NAMESPACE get apigeedatastore default
    
    NAME      STATE       AGE
    default   running    2d
  4. Upgrade Apigee telemetry:

    Dry run:

    helm upgrade telemetry apigee-telemetry/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      -f OVERRIDES_FILE \
      --dry-run=server
    

    Upgrade the chart:

    helm upgrade telemetry apigee-telemetry/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      -f OVERRIDES_FILE
    

    Verify it is up and running by checking its state:

    kubectl -n APIGEE_NAMESPACE get apigeetelemetry apigee-telemetry
    
    NAME               STATE     AGE
    apigee-telemetry   running   2d
  5. Upgrade Apigee Redis:

    Dry run:

    helm upgrade redis apigee-redis/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      -f OVERRIDES_FILE \
      --dry-run=server
    

    Upgrade the chart:

    helm upgrade redis apigee-redis/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      -f OVERRIDES_FILE
    

    Verify it is up and running by checking its state:

    kubectl -n APIGEE_NAMESPACE get apigeeredis default
    
    NAME      STATE     AGE
    default   running   2d
  6. Upgrade Apigee ingress manager:

    Dry run:

    helm upgrade ingress-manager apigee-ingress-manager/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      -f OVERRIDES_FILE \
      --dry-run=server
    

    Upgrade the chart:

    helm upgrade ingress-manager apigee-ingress-manager/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      -f OVERRIDES_FILE
    

    Verify it is up and running by checking its availability:

    kubectl -n APIGEE_NAMESPACE get deployment apigee-ingressgateway-manager
    
    NAME                            READY   UP-TO-DATE   AVAILABLE   AGE
    apigee-ingressgateway-manager   2/2     2            2           2d
  7. Upgrade the Apigee organization:

    Dry run:

    helm upgrade ORG_NAME apigee-org/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      -f OVERRIDES_FILE \
      --dry-run=server
    

    Upgrade the chart:

    helm upgrade ORG_NAME apigee-org/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      -f OVERRIDES_FILE
    

    Verify it is up and running by checking the state of the respective org:

    kubectl -n APIGEE_NAMESPACE get apigeeorg
    
    NAME                      STATE     AGE
    apigee-org1-xxxxx          running   2d
  8. Upgrade the environment.

    You must install one environment at a time. Specify the environment with --set env=ENV_NAME.

    Dry run:

    helm upgrade ENV_RELEASE_NAME apigee-env/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      --set env=ENV_NAME \
      -f OVERRIDES_FILE \
      --dry-run=server
    
    • ENV_RELEASE_NAME is the name with which you previously installed the apigee-env chart. In hybrid v1.10, it is usually apigee-env-ENV_NAME. In Hybrid v1.11 and newer it is usually ENV_NAME.
    • ENV_NAME is the name of the environment you are upgrading.
    • OVERRIDES_FILE is your new overrides file for v.1.14.0

    Upgrade the chart:

    helm upgrade ENV_RELEASE_NAME apigee-env/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      --set env=ENV_NAME \
      -f OVERRIDES_FILE
    

    Verify it is up and running by checking the state of the respective env:

    kubectl -n APIGEE_NAMESPACE get apigeeenv
    
    NAME                          STATE       AGE   GATEWAYTYPE
    apigee-org1-dev-xxx            running     2d
  9. Upgrade the environment groups (virtualhosts).
    1. You must upgrade one environment group (virtualhost) at a time. Specify the environment group with --set envgroup=ENV_GROUP_NAME. Repeat the following commands for each environment group mentioned in the overrides.yaml file:

      Dry run:

      helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
        --install \
        --namespace APIGEE_NAMESPACE \
        --set envgroup=ENV_GROUP_NAME \
        -f OVERRIDES_FILE \
        --dry-run=server
      

      ENV_GROUP_RELEASE_NAME is the name with which you previously installed the apigee-virtualhost chart. In hybrid v1.10, it is usually apigee-virtualhost-ENV_GROUP_NAME. In Hybrid v1.11 and newer it is usually ENV_GROUP_NAME.

      Upgrade the chart:

      helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
        --install \
        --namespace APIGEE_NAMESPACE \
        --set envgroup=ENV_GROUP_NAME \
        -f OVERRIDES_FILE
      
    2. Check the state of the ApigeeRoute (AR).

      Installing the virtualhosts creates ApigeeRouteConfig (ARC) which internally creates ApigeeRoute (AR) once the Apigee watcher pulls environment group-related details from the control plane. Therefore, check that the corresponding AR's state is running:

      kubectl -n APIGEE_NAMESPACE get arc
      
      NAME                                STATE   AGE
      apigee-org1-dev-egroup                       2d
      kubectl -n APIGEE_NAMESPACE get ar
      
      NAME                                        STATE     AGE
      apigee-org1-dev-egroup-xxxxxx                running   2d
  10. After you have verified all the installations are upgraded successfully, delete the older apigee-operator release from the apigee-system namespace.
    1. Uninstall the old operator release:
      helm delete operator -n apigee-system
      
    2. Delete the apigee-system namespace:
      kubectl delete namespace apigee-system
      
  11. Upgrade operator again in your Apigee namespace to re-install the deleted cluster-scoped resources:
    helm upgrade operator apigee-operator/ \
      --install \
      --namespace APIGEE_NAMESPACE \
      --atomic \
      -f overrides.yaml
    

Rolling back to a previous version

To roll back to the previous version, use the older chart version to roll back the upgrade process in the reverse order. Start with apigee-virtualhost and work your way back to apigee-operator, and then revert the CRDs.

Because of the change in the namespace for apigee-operator, you need to perform extra steps to delete the Validating and Mutating admission hooks. That way, when you install the apigee-operator back in the apigee-system namespace, they will be recreated to point to the correct Apigee Operator endpoint.

  1. Update the replicas of the existing Apigee Operator deployment in Apigee to 0 (zero) to avoid the two controllers reconciling the Custom Resources to avoid conflicts when rolling it back in the apigee-system namespace.
    kubectl scale deployment apigee-controller-manager -n APIGEE_NAMESPACE --replicas=0
    
    kubectl delete mutatingwebhookconfiguration \
      apigee-mutating-webhook-configuration-APIGEE_NAMESPACE
    
    kubectl delete validatingwebhookconfiguration \
      apigee-validating-webhook-configuration-APIGEE_NAMESPACE
    
  2. Revert all the charts from apigee-virtualhost to apigee-datastore. The following commands assume you are using the charts from the previous version (v1.13.x).

    Run the following command for each environment group:

    helm upgrade ENV_GROUP_RELEASE_NAME apigee-virtualhost/ \
      --install \
      --namespace apigee \
      --atomic \
      --set envgroup=ENV_GROUP_NAME \
      -f 1.13_OVERRIDES_FILE
    

    Run the following command for each environment:

    helm upgrade ENV_RELEASE_NAME apigee-env/ \
      --install \
      --namespace apigee \
      --atomic \
      --set env=ENV_NAME \
      -f 1.13_OVERRIDES_FILE
    

    Revert the remaining charts except for apigee-operator.

    helm upgrade ORG_NAME apigee-org/ \
      --install \
      --namespace apigee \
      --atomic \
      -f 1.13_OVERRIDES_FILE
    
    helm upgrade ingress-manager apigee-ingress-manager/ \
      --install \
      --namespace apigee \
      --atomic \
      -f 1.13_OVERRIDES_FILE
    
    helm upgrade redis apigee-redis/ \
      --install \
      --namespace apigee \
      --atomic \
      -f 1.13_OVERRIDES_FILE
    
    helm upgrade telemetry apigee-telemetry/ \
      --install \
      --namespace apigee \
      --atomic \
      -f 1.13_OVERRIDES_FILE
    
    helm upgrade datastore apigee-datastore/ \
      --install \
      --namespace apigee \
      --atomic \
      -f 1.13_OVERRIDES_FILE
    
  3. Create the apigee-system namespace.
    kubectl create namespace apigee-system
    
  4. Patch the resource annotation back to the apigee-system namespace.
    kubectl annotate --overwrite clusterIssuer apigee-ca-issuer meta.helm.sh/release-namespace='apigee-system'
    
  5. If you have changed the release name as well, update the annotation with the operator release name.
    kubectl annotate --overwrite cluseterIssuer apigee-ca-issuer meta.helm.sh/release-name='operator'
    
  6. Install apigee-operator back into the apigee-system namespace.
    helm upgrade operator apigee-operator/ \
      --install \
      --namespace apigee-system \
      --atomic \
      -f 1.13_OVERRIDES_FILE
    
  7. Revert the CRDs by reinstalling the older CRDs.
    kubectl apply -k apigee-operator/etc/crds/default/ \
      --server-side \
      --force-conflicts \
      --validate=false
    
  8. Clean up the apigee-operator release from the APIGEE_NAMESPACE namespace to complete the rollback process.
    helm uninstall operator -n APIGEE_NAMESPACE
    
  9. Some cluster-scoped resources, such as clusterIssuer, are deleted when operator is uninstalled. Reinstall them with the following command:
    helm upgrade operator apigee-operator/ \
      --install \
      --namespace apigee-system \
      --atomic \
      -f 1.13_OVERRIDES_FILE