Upgrading PingAccess
In a DevOps environment, upgrades can be simplified through automation, orchestration, and separation of concerns.
Caveats
- This Document Assumes Kubernetes and Helm
  This document focuses on deployments in a Kubernetes environment using the ping-devops Helm chart. However, the concepts should apply to any containerized PingAccess deployment.
- This Document will Become Outdated
  The examples referenced in this document point to a specific tag. This tag may not exist anymore at the time of reading. To correct the issue, update the tag in your file to N-1 from the current PF version.
- Irrelevant Ingress
  The values.yaml files mentioned in this document expect an nginx ingress controller with class nginx-public. It is not an issue if your environment does not have this class. In such cases, the created ingresses will not be used.
Configuration Forward
Steps:
- Deploy your old version of PingAccess with server profile
- Export the configuration as a data.json file
- Copy the pa.jwk file to your server profile
- Deploy new PingAccess version with server profile
Here we will walk through an example upgrade.
Deploy your old version of PingAccess with server profile
If you are using this example as-is, you will need a devops-secret.
Be sure to change the ingress domain name value to your domain in 01-original.yaml.
Be sure to change the image tag value in 01-original.yaml.
In order to use the baseline server profile as outlined in this guide, you have to deploy PingFederate along with PingAccess.
Navigate to the getting started repository and deploy your old version of PingAccess.
helm upgrade --install pa-upgrade pingidentity/ping-devops -f 30-helm/pingaccess-upgrade/01-original.yaml
Export the configuration as a data.json file
After your cluster is healthy, export the configuration as a JSON file and add it to your server profile so the start-up-deployer can use it to configure your upgraded PingAccess.
$ curl -k -u Administrator:2FederateM0re -H "X-Xsrf-Header: PingAccess" https://pa-upgrade-pingaccess-admin.ping-devops.com/pa-admin-api/v3/config/export >~/<insert path to server profile here>/pingaccess/instance/data/data.json
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 22002 100 22002 0 0 42664 0 --:--:-- --:--:-- --:--:-- 43056
Copy the pa.jwk file to your server profile
Copy the /conf/pa.jwk file.
$ kubectl cp pa-upgrade-pingaccess-admin-0:/opt/out/instance/conf/pa.jwk ~/<insert path to server profile here>/pingaccess/instance/conf/pa.jwk
Defaulted container "pingaccess-admin" out of: pingaccess-admin, wait-for-pingfederate-engine (init), generate-private-cert-init (init)
tar: removing leading '/' from member names
Check that the data.json and pa.jwk files have been updated in your server profile, then push these changes to your repository.
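One way to script the check described above before pushing, as an added example that is not part of the original guide or of Ping Identity's tooling: it confirms both files were refreshed by the current run and that data.json holds JSON rather than a saved error response (curl without --fail exits 0 on an HTTP error and still writes the response body to the file). The function names, the 60-minute freshness window, and the assumption that the export is a JSON object are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: pre-push sanity check for the exported PingAccess files.
# Paths under the profile directory follow the commands used in this guide.

# fresh FILE MINUTES: FILE is non-empty and was modified within MINUTES.
fresh() {
  [ -s "$1" ] && [ -n "$(find "$1" -mmin "-$2" 2>/dev/null)" ]
}

# is_json_object FILE: FILE parses as a JSON object. Uses jq or python3 when
# installed; otherwise only checks that the first non-blank character is '{'.
is_json_object() {
  if command -v jq >/dev/null 2>&1; then
    jq -e 'type == "object"' "$1" >/dev/null 2>&1
  elif command -v python3 >/dev/null 2>&1; then
    python3 -c 'import json, sys
sys.exit(0 if isinstance(json.load(open(sys.argv[1])), dict) else 1)' "$1" 2>/dev/null
  else
    [ "$(tr -d '[:space:]' < "$1" | head -c 1)" = "{" ]
  fi
}

# check_profile PROFILE_DIR [MAX_AGE_MINUTES]
# Returns 0 if both files look like output of the current export run,
# 1 = data.json missing/empty/stale, 2 = pa.jwk missing/empty/stale,
# 3 = data.json is not a JSON object (assumed export shape; for example
#     a saved error response fails this check).
check_profile() {
  local dir="$1" max_age="${2:-60}"
  local data="$dir/pingaccess/instance/data/data.json"
  local jwk="$dir/pingaccess/instance/conf/pa.jwk"
  fresh "$data" "$max_age" || { echo "data.json missing, empty or stale" >&2; return 1; }
  fresh "$jwk" "$max_age" || { echo "pa.jwk missing, empty or stale" >&2; return 2; }
  is_json_object "$data" || { echo "data.json is not a JSON object" >&2; return 3; }
}

# Run the check when a profile directory is passed on the command line.
if [ "$#" -gt 0 ]; then
  check_profile "$@"
fi
```

Pass the server profile directory as the first argument; a non-zero exit status means the export or copy step should be repeated before pushing.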
Deploy new PingAccess version with server profile
Make sure to uninstall your old PingAccess cluster and remove any PVCs that were created.
$ helm uninstall pa-upgrade
release "pa-upgrade" uninstalled
$ kubectl get pvc
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
out-dir-pa-upgrade-pingaccess-admin-0 Bound pvc-c1e5cd9b-35f5-4260-8704-3075fcf9b36e 4Gi RWO gp2 7m5s
$ kubectl delete pvc out-dir-pa-upgrade-pingaccess-admin-0
persistentvolumeclaim "out-dir-pa-upgrade-pingaccess-admin-0" deleted
Finally, update the PingAccess image version to the new target version and run.
Be sure to change the ingress domain name value to your domain in 02-upgraded.yaml.
Be sure to change the image tag value in 02-upgraded.yaml.
Be sure to change the server profile url and path in 02-upgraded.yaml.
helm upgrade --install pa-upgrade pingidentity/ping-devops -f 30-helm/pingaccess-upgrade/02-upgraded.yaml
At this point, you should have an upgraded PingAccess instance.