This page describes the steps to update and patch your Google Distributed Cloud (GDC) air-gapped appliance device.
Prepare for the upgrade
Make sure you meet the requirements listed in this section before the upgrade.
Before you begin
Review the Laptop prerequisites to ensure that the laptop you use for the update and patch upgrades meets physical specifications and other requirements.
You must first complete the following actions regarding the gdcloud
command-line interface (CLI) tools:
- Download the
gdcloud
CLI tools. - Install the
gdcloud
CLI tools. - Upgrade the
gdcloud
CLI tools as required. - Ensure the
docker-credential-gdcloud
is present.
Transfer the artifacts to the upgrade machine
You must have access to the Cloud Storage bucket.
Follow these steps to transfer the artifacts to the laptop you use for the update and patch upgrades:
Download the package based on the selected patch version:
VERSION=<x.x.x-gdch.yyy> RELEASE_SUFFIX="_te" DOWNLOADER=gdch-downloader-prod${RELEASE_SUFFIX}-$VERSION.sh gcloud storage cp "gs://$GCS_BUCKET/$VERSION/$DOWNLOADER" . gcloud storage cp "gs://$GCS_BUCKET/$VERSION/${DOWNLOADER}.sig" . PUBLIC_KEY=$(cat <<-PUBEND -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEn46iVSyFXsvuKLZ4dVOr2AqlXDnR 5cKztkpraexHDxn/ozq03EvrdkRmZkSACFfcaEFyitpraidgAx8sPjvzXQ== -----END PUBLIC KEY----- PUBEND ) echo "${PUBLIC_KEY}" > "key.pub" DOWNLOADER=gdch-downloader-${PRODUCT}-$VERSION.sh gcloud storage cp "gs://${GCS_BUCKET:-private-cloud-release}/$VERSION/$DOWNLOADER*" . openssl dgst -sha256 -verify "key.pub" -signature "${DOWNLOADER}.sig" ${DOWNLOADER} && chmod +x $DOWNLOADER && ./$DOWNLOADER --skip-unzip
This command fetches the update package and the downloader script to the current directory, for example,
/home/download
.Run
tree -L 3 /home/download
.Example output:
/home/download ├── gdch │ └── x.x.x-gdch.x │ ├── bootstrapper │ │ ├── bootstrapper.iso │ │ └── bootstrapper.iso.sig │ ├── gdch-prod_te-x.x.x-gdch.x-sbom.tar.gz │ ├── gdch-prod_te-x.x.x-gdch.x-sbom.tar.gz.sig │ ├── prod_te_gdch.tar.gz │ └── prod_te_gdch.tar.gz.sig ├── gdch-downloader-prod_te-x.x.x-gdch.x.sh ├── gdch-downloader-prod_te-x.x.x-gdch.x.sh.1.sig ├── gdch-downloader-prod_te-x.x.x-gdch.x.sh.sig └── key.pub
Copy the update to the air-gapped environment, using your USB drive.
Copy both the downloader script and the
gdch
directory that you downloaded to your USB drive in step 1 to the upgrade machine in the air-gapped environment.In the upgrade machine, verify the contents and extract the files using the same information you used to download the package. For example, the following code copies the package to the
/root
directory.Unpack the package:
VERSION=x.x.x-gdch.x PRODUCT=prod_te DOWNLOADER=gdch-downloader-${PRODUCT}-$VERSION.sh openssl dgst -sha256 -verify "key.pub" -signature "${DOWNLOADER}.sig" ${DOWNLOADER} && chmod +x $DOWNLOADER && ./$DOWNLOADER --skip-download
The package is unpacked at the
/root/gdch/full-release-x.x.x-gdch.x
path.Confirm that the version matches the one that you set in VERSION:
/root/gdch/full-release-x.x.x-gdch.x/gdcloud version
Sample output:
gdcloud version: 1.14.4-gdch.0
Authenticate
To authenticate with your configured identity provider and request a kubeconfig file for your user identity and cluster, see Authenticate.
Sign in and generate the kubeconfig files.
Set the kubeconfig files as environment variables:
export KUBECONFIG=ROOT_ADMIN_KUBECONFIG export MANAGEMENT_KUBECONFIG=MANAGEMENT_API_KUBECONFIG
Request the following roles:
Upgrade Appliance Admin:
kubectl --kubeconfig=$KUBECONFIG create clusterrolebinding upgrade-admin-te-initial-user --clusterrole=upgrade-admin-te --user=keycloak-oidc-initial-user@example.com kubectl --kubeconfig=$MANAGEMENT_KUBECONFIG create clusterrolebinding upgrade-admin-te-initial-user --clusterrole=upgrade-admin-te --user=keycloak-oidc-initial-user@example.com
System Artifact Management Admin:
kubectl --kubeconfig=$KUBECONFIG create rolebinding system-artifact-management-admin-initial-user --role=system-artifact-management-admin --user=keycloak-oidc-initial-user@example.com -n gpc-system kubectl --kubeconfig=$MANAGEMENT_KUBECONFIG create rolebinding system-artifact-management-admin-initial-user --role=system-artifact-management-admin --user=keycloak-oidc-initial-user@example.com -n gpc-system
System Artifact Management Secrets Admin:
kubectl --kubeconfig=$KUBECONFIG create rolebinding system-artifact-management-secrets-admin-initial-user --role=system-artifact-management-secrets-admin --user=keycloak-oidc-initial-user@example.com -n anthos-creds
DNS Suffix Viewer:
kubectl --kubeconfig=$MANAGEMENT_KUBECONFIG create rolebinding dnssuffix-viewer-initial-user --role=dnssuffix-viewer --user=keycloak-oidc-initial-user@example.com -n gpc-system
System Artifact Registry Monitor:
kubectl --kubeconfig=$KUBECONFIG create clusterrolebinding sar-monitor-initial-user --clusterrole=sar-monitor --user=keycloak-oidc-initial-user@example.com kubectl --kubeconfig=$MANAGEMENT_KUBECONFIG create clusterrolebinding sar-monitor-initial-user --clusterrole=sar-monitor --user=keycloak-oidc-initial-user@example.com
Upgrade Debugger:
kubectl --kubeconfig=$KUBECONFIG create clusterrolebinding upgrade-debugger-initial-user --clusterrole=upgrade-debugger --user=keycloak-oidc-initial-user@example.com
System Artifact Registry Debugger:
kubectl --kubeconfig=$KUBECONFIG create clusterrolebinding sar-debugger-initial-user --clusterrole=sar-debugger --user=keycloak-oidc-initial-user@example.com
Configure Docker:
gdcloud auth configure-docker --config-cert=true
Start the upgrade
Go through the following steps to start the appliance upgrade:
gdcloud appliance upgrade
See gdcloud appliance upgrade
for more information.
The command runs the following steps:
- Runs the preflight checks on the upgrade machine.
- Runs the preflight checks for OTS storage
- Pushes the artifacts to the artifact registry.
- Upgrades the appliance software and firmware, including:
- GDC root-admin cluster.
- GDC services.
- The operating systems (OSes) of physical and virtual nodes.
- The switch.
- Storage
The command drives the updates in sequence, and waits for each step to complete. After completing the steps and if the upgrade is successful, you see a message similar to the following:
The GDC appliance upgrade completed successfully