Upgrade
To set up a deployment, ESS provides various Kustomize overlays. These overlays can act as the base for major/minor upgrades as well as for the initial installation.
See also Release Notes.
Important
Inputs may change between versions. For example, a new input file may be added or a new input may be required in an existing input file. Always review the contents of the inputs/ folder when performing an installation or upgrade.
Procedure
Step 1: Prepare the Installation Directory
Go to your ESS installation directory.
cd ${HOME}/ess
Check out a new branch.
Remove all files in this branch to have an empty ${HOME}/ess directory.
Important
Ensure that the directory is empty.
Log in to Inrupt’s private Docker registry. When prompted for your password, enter your entitlement token:
docker login --username <userid> docker.software.inrupt.com
Get the latest 2.3 version of the inrupt-kustomizer:
docker pull docker.software.inrupt.com/inrupt-kustomizer:2.3.6
Initialize an empty installation directory with a base overlay for your environment:
Important
If the directory is not empty, the inrupt-kustomizer does not attempt to initialize the directory with the base configuration files.
docker run -it -v ${HOME}/ess:/kustomize docker.software.inrupt.com/inrupt-kustomizer:2.3.6
Follow the prompts to install the base overlay for your upgrade version, the same as for the initial installation.
Step 2: Update Inputs and Build
Important
Inputs may change between versions. For example, a new input file may be added or a new input may be required in an existing input file. Always review the contents of the inputs/ folder when performing an installation or upgrade.
During the initialization, Inrupt generates a readme.txt file in the installation directory. The file provides instructions on updating inputs for your deployment and building the deployment file.
Go to the installation directory.
cd ${HOME}/ess
Using the instructions in the readme.txt file, update the inputs in the base overlay for your deployment.
Warning
CRITICAL SECURITY REQUIREMENT
NEVER commit files containing secrets such as .env or JWT to version control. These files must be managed securely.
As part of updating the inputs for your deployment:
Review the template secret files
Set strong secrets for the values, such as strong passwords
Store the secret securely outside your repository using one of these methods:
Cloud secrets management service
Enterprise secrets vault solution
Kubernetes Secrets with encryption at rest
Secure file system with restricted access (development only)
Configure your deployment to retrieve credentials from your secure storage at runtime
Add the secrets files to your .gitignore file immediately
Important
Inputs may change between versions. For example, a new input file may be added or a new input may be required in an existing input file. Review the contents of your inputs/ folder for your installation or upgrade.
Kafka Message Encryption
ESS’ services communicate with each other by sending messages through Kafka.
By default, Inrupt enables data encryption for all data that passes through the Kafka messaging system.
You MUST set the data encryption key values to a strong password.
For more information on the Kafka configurations, see ESS’ Kafka Configuration.
After updating the inputs, build the deployment file per the instructions in the readme.txt file.
Commit all changes in the directory to source control.
Important
Ensure that the repo is private.
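The secrets warning and the commit step above can be enforced with a pre-commit check. The script below is an added example, not part of Inrupt's documentation or tooling; the file-name patterns (.env, .env.*, *.env, *.jwt) and the function names are assumptions, so replace the patterns with the secret files your readme.txt names.

```shell
#!/bin/sh
# Added example: refuse a commit that would expose secret files.
# The file-name patterns below are assumptions; replace them with the
# secret files your generated readme.txt tells you to fill in.
# Matching is by file name only; file contents are not inspected.

# Succeeds when the path's file name looks like a secrets file.
is_secret_path() {
    case "${1##*/}" in
        .env|.env.*|*.env|*.jwt) return 0 ;;
    esac
    return 1
}

# Reads paths on stdin (one per line) and prints the secret-looking ones.
filter_secret_paths() {
    while IFS= read -r path; do
        if is_secret_path "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Staged for the next commit, already tracked, or untracked but not
# covered by .gitignore: each case means a secret can reach the repo.
exposed_secrets() {
    {
        git diff --cached --name-only --diff-filter=ACMR
        git ls-files
        git ls-files --others --exclude-standard
    } | filter_secret_paths | sort -u
}

check_repo() {
    found=$(exposed_secrets)
    if [ -n "$found" ]; then
        printf 'Secret files staged, tracked or not ignored:\n%s\n' "$found" >&2
        return 1
    fi
}

# Runs the check only when installed as .git/hooks/pre-commit.
case "${0##*/}" in
    pre-commit) check_repo ;;
esac
```

Save it as ${HOME}/ess/.git/hooks/pre-commit and make it executable. A secret file that is already tracked must be removed from the index with git rm --cached and its value rotated, because ignoring it later does not remove it from history.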
Step 3: Optional. Customize Your Deployment Configuration
Optionally, you can further customize your ESS deployment using Kustomize overlays, such as to use certificates from an official Certificate Authority (CA).
For examples of customizing your deployment with overlays, see Customize ESS.
Step 4: Deploy
After you have built the deployment file, you can deploy.
If you are not already there, go to the installation directory:
cd ${HOME}/ess
Deploy to your Kubernetes environment:
kubectl apply -f kustomized.yaml
Warning: Self-signed Certificates
The provided base overlays create self-signed certificates. These self-signed certificates are for development purposes only. In production, ESS should be run with certificates from an official Certificate Authority (CA). For an example of how you can customize your deployment to use your production certificates, see Use Official Certificate Authority.
You can view the ESS components and services that are running:
kubectl -n ess get all
For local standalone deployments, add the ESS service domains to the /etc/hosts file on your local machine.
To verify, go to https://start.{ESS DOMAIN}/.