|
| 1 | + |
| 2 | +## Upgrade project from 2.x to 3.x |
| 3 | + |
| 4 | +## Update Python virtual environment |
| 5 | + |
| 6 | +With conda: |
| 7 | + |
| 8 | +```sh |
| 9 | +conda create --name ENVNAME python=3.12 |
| 10 | +conda activate ENVNAME |
| 11 | +source install.sh |
| 12 | +``` |
| 13 | + |
| 14 | +## Migrate cloudharness-base images to debian |
| 15 | + |
| 16 | +Before 3.x, there were 2 different base images that could be used on applications: |
| 17 | + |
| 18 | +- `cloudharness-base` -- based on Alpine -- `FROM $CLOUDHARNESS_BASE` in Dockerfiles |
| 19 | +- `cloudharness-base-debian` -- based on Debian -- `FROM $CLOUDHARNESS_BASE_DEBIAN` in Dockerfiles |
| 20 | + |
| 21 | +Now `cloudharness-base` is based on Debian and `cloudharness-base-debian` cannot be used anymore as a dependency |
| 22 | + |
| 23 | +The new command `harness-migrate` will help with porting your cloudharness-base dependent images to debian. |
| 24 | + |
| 25 | +After that, it's likely that some apk based dependencies have still to be tweaked in your Dockerfiles. |
| 26 | + |
| 27 | + |
| 28 | +## Update Keycloak |
| 29 | + |
| 30 | +Updating Keycloak is easily done by restoring a Postgres backup after the upgrade is done, |
| 31 | +and letting Keycloak apply the migrations taking care of not mixing old and new replicas. |
| 32 | + |
| 33 | +### Prepare for update |
| 34 | + |
| 35 | +The new update is available on Cloud Harness 3.x+, or the develop branch. |
| 36 | + |
| 37 | +The following files are usually overridden and might need merge/replacement: |
| 38 | + |
| 39 | +applications/accounts/Dockerfile |
| 40 | + |
| 41 | +applications/accounts/deploy/resources/realm.json |
| 42 | + |
| 43 | +deployment-configuration/helm/templates/auto-gatekeepers.yaml |
| 44 | + |
| 45 | +In addition to this, there might be references to the code to old paths, as the new version removed the /auth prefix. |
| 46 | + |
| 47 | +If keycloak-js is used, better remove it as the updated version has known issues and doesn’t work on local deployments. The replacement to keycloak-js is to use a Gatekeeper and get user information from the kc-access cookie, as done for example here. |
| 48 | + |
| 49 | +### Upgrade procedure |
| 50 | +#### Before upgrading |
| 51 | +```sh |
| 52 | +BACKUP_FILE=full_backup_keycloak_postgres.psql |
| 53 | +NAMESPACE="${1:-neuroglass-research}" |
| 54 | + |
| 55 | +kubectl exec -n $NAMESPACE deployment/keycloak-postgres -- pg_dump -d auth_db -U postgres -F c > kc-$BACKUP_FILE |
| 56 | + |
| 57 | +kubectl scale deployment accounts --replicas=0 -n $NAMESPACE |
| 58 | +``` |
| 59 | + |
| 60 | +#### After upgrading (new version deployed) |
| 61 | +```sh |
| 62 | +kubectl scale deployment accounts --replicas=0 -n $NAMESPACE |
| 63 | +kubectl exec -i -n $NAMESPACE deployment/keycloak-postgres -- psql -U user -d auth_db -c "DROP SCHEMA public CASCADE; CREATE SCHEMA public;" |
| 64 | +kubectl exec -i -n $NAMESPACE deployment/keycloak-postgres -- pg_restore --if-exists --no-owner --clean -d auth_db -U user < kc-$BACKUP_FILE |
| 65 | +kubectl scale deployment accounts --replicas=1 -n $NAMESPACE |
| 66 | +``` |
| 67 | + |
| 68 | +### Manual steps |
| 69 | + |
| 70 | +There are a few known issues that have to be fixed manually after the upgrade: |
| 71 | + |
| 72 | +1. Users cannot access their account page (e.g. https://accounts.research.neuroglass.dev.metacell.us/realms/mnp/account/) unless this: https://github.com/keycloak/keycloak/discussions/12894#discussioncomment-3145960 → add the client scopes as optional to the account-console client. |
| 73 | +2. sub is not present in the token → add the mapper for sub to the profile client scope |
0 commit comments