OpenShift: Post-upgrade steps

After you complete the API Connect upgrade, remove files left over from Version 2018 and optionally enable the Automated API behavior testing application.

About this task

Complete the following steps to remove files left over from Version 2018. Optionally, you can enable the Automated API behavior testing application by following the instructions in the last step.

Procedure

  1. Enable the Analytics subsystem as explained in Enabling Analytics after upgrading.
  2. To ensure that the 10.0.5.x user interface works correctly, clear your browser cache.
  3. Delete each Helm release used in 2018:
    1. List the Helm releases in the 2018 API Connect deployment by running the following command: 
      helm ls
      The response looks like the following example, with the name of each Helm release displaying in the CHART column:
      NAME            NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                           APP VERSION
r19b9d4b2eb     e2e             1               2021-02-05 17:22:11.050619495 -0800 PST deployed        apiconnect-2.0.0
r5d63b7fc92     e2e             1               2021-02-05 17:22:24.115569226 -0800 PST deployed        apic-portal-2.0.0
r6c7b1188e0     e2e             1               2021-02-05 17:22:50.169539831 -0800 PST deployed        apic-analytics-2.0.0
r8dacbcffda     e2e             1               2021-02-05 17:22:36.248182901 -0800 PST deployed        dynamic-gateway-service-1.0.63  1.0
rff8ba771c8     e2e             1               2021-02-05 17:22:10.329984775 -0800 PST deployed        cassandra-operator-1.0.0        1.0.1
    2. For each Helm release, run the following command to delete it: 
      helm uninstall <helm_release_name>

      where <helm_release_name> is the name of the Helm release from the NAME column.

      For example, in the sample response, there are five Helm releases listed, so you must run the command 5 times.

  4. Manually delete any remaining 2018 pods for the current release by running the following commands, where APIC_namespace is the namespace where you installed API Connect:
    1. oc delete pod <releaseName>-apim-schema-init-job-xxxx -n <APIC_namespace>
    2. oc delete pod <releaseName>-lurschema-init-job-xxxx -n <APIC_namespace>
  5. Delete the secrets left over from 2018:
    1. Search for cassop (cassandra) secrets with the following names:
      • cassandra-backup-auth-secret-xxx,
      • cassop-client-certs-xxx,
      • cassop-server-certs-xxx
    2. For each cassop secret, run the following command:
      oc delete secret <Listed_Cassop_Secrets_from_Search> -n <APIC_namespace>

      where APIC_namespace is the namespace where you installed API Connect (if you installed subsystems into different namespaces, specify the namespace for the Management subsystem).

    3. Manually delete the following secrets by running each of the specified commands, where APIC_namespace is the namespace where you installed API Connect (if you installed subsystems into different namespaces, specify the namespace for the Management subsystem).
      • oc delete secret analytics-proxy-velox-certs-xxx -n <APIC_namespace>
      • oc delete secret apim-elasticsearch-velox-certs-xxx -n <APIC_namespace>
      • oc delete secret apim-ui-basic-auth -n <APIC_namespace>
      • oc delete secret apim-velox-certs-xxx -n <APIC_namespace>
      • oc delete secret client-downloads-server-velox-certs-xxx -n <APIC_namespace>
      • oc delete secret db-client-velox-certs-xxx -n <APIC_namespace>
      • oc delete secret db-velox-certs-xxx -n <APIC_namespace>
      • oc delete secret juhu-velox-certs-xxx -n <APIC_namespace>
      • oc delete secret ldap-velox-certs-xxx -n <APIC_namespace>
      • oc delete secret lur-velox-certs-xxx -n <APIC_namespace>
      • oc delete secret migration-inputs-xxx -n <APIC_namespace>
      • oc delete secret migration-velox-certs-xxx -n <APIC_namespace>
      • oc delete secret plugin-certs-xxx -n <APIC_namespace>
      • oc delete secret ui-velox-certs-xxx -n <APIC_namespace>
    Attention: When you upgrade to API Connect 10.0.5.x from 2018, some external certificates are carried over from the 2018 deployment and are not managed by cert-manager. When you update any of the retained certificates, you must restart the affected pods manually. For a list of the certificates that are retained after an upgrade and must be updated manually, see V2018 upgrade: List of certificates to update manually in the Renewing TLS certificates section of this documentation.
  6. Delete any remnant 2018 Analytics cronjob pods.

    Two cronjob pods can remain after the upgrade with names matching the format shown below:

    • r********-analytics-cronjobs-retention-**********-******
    • r********-analytics-cronjobs-rollover-**********-******

    These are remnant pods from 2018 and are now redundant. To remove them, run the following commands, where APIC_namespace is the namespace where you installed API Connect (if you installed subsystems into different namespaces, specify the namespace for the Analytics subsystem).

    1. List the pods:
      oc get pods -n <APIC_namespace>
    2. Delete the pods:
      oc delete pods <APIC_namespace> -n <namespace>
  7. Optional: Configure additional features related to inter-subsystem communication security, such as CA verification and JWT security: Optional post-upgrade steps for upgrade to 10.0.5.3 from earlier 10.0.5 release.
  8. Optional: Enable the Automated API behavior testing application.

    The Automated API behavior testing provides a simple set of fields where users can quickly invoke APIs to validate them, optionally automating tests and defining schedules for running them. Automated API behavior testing is an optional add-on to API Connect, and must be deployed separately. If you want to install the Automated API behavior testing application, complete the following steps.

    1. Create an ingress-issuer and ingress-ca for use with the Automated API behavior testing application.
      Note: The Automated API behavior testing application requires that the API Connect deployment use the cert-manager and the default certificates. Custom certificates are not supported and if used, the Automated API behavior testing application will not install correctly.

      The following example shows the configuration of the ingress-issuer and ingress-ca for the Automated API behavior testing application:

      apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ingress-ca
  labels: {
    app.kubernetes.io/instance: "management",
    app.kubernetes.io/managed-by: "ibm-apiconnect",
    app.kubernetes.io/name: "ingress-ca"
  }
spec:
  duration: 87600h # 10 years
  renewBefore: 720h # 30 days
  secretName: ingress-ca
  commonName: "ingress-ca"
  usages:
  - digital signature
  - key encipherment
  - cert sign
  isCA: true
  issuerRef:
    name: selfsigning-issuer
    kind: Issuer
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ingress-issuer
  labels: {
    app.kubernetes.io/instance: "management",
    app.kubernetes.io/managed-by: "ibm-apiconnect",
    app.kubernetes.io/name: "ingress-issuer"
  }
spec:
  ca:
    secretName: ingress-ca
---
    2. Add the Automated API behavior testing application to your deployment.
      Remember: When you configure the Automated API behavior testing application, make sure to use the same issuer name, ingress-issuer, that you created in the previous step.