Post-upgrade tasks

After you upgrade IBM Cloud Pak for Multicloud Management, you need to do the following tasks:

Note: The post-upgrade steps can be skipped if you upgrade IBM Cloud Pak for Multicloud Management from 2.3 GA to a 2.3 Fix Pack.

Creating a secret-share CR

Log in to your OpenShift Container Platform console, click Installed Operators, locate Advanced Cluster Management for Kubernetes, and check whether Red Hat Advanced Cluster Management is installed in the default namespace open-cluster-management.

If Red Hat Advanced Cluster Management is not installed in the default namespace open-cluster-management, you need to create a secret-share CR in the ibm-common-services namespace to keep the Common Services from deploying its own cert-manager.

Follow the steps:

  1. Create a secret-share CR in the ibm-common-services namespace as follows:
    apiVersion: ibmcpcs.ibm.com/v1
    kind: SecretShare
    metadata:
      name: rhacm-cs-ca-certificate-secret-share
      namespace: ibm-common-services
    spec:
      secretshares:
      - secretname: cs-ca-certificate-secret
        sharewith:
        - namespace: open-cluster-management-issuer
    
  2. Remove the deployment cert-manager-controller by running the following command:

    oc delete deployment cert-manager-controller
    
  3. Restart the pod ibm-cert-manager-operator-xxx by running the following command:

    oc delete pod ibm-cert-manager-operator-xxx
    
  4. Check whether the issuer cs-ca-issuer is created. If it is not created, you need to create it manually.
    apiVersion: certmanager.k8s.io/v1alpha1
    kind: Issuer
    metadata:
      labels:
        app.kubernetes.io/instance: ibm-cert-manager-operator
        app.kubernetes.io/managed-by: ibm-cert-manager-operator
        app.kubernetes.io/name: cert-manager
      name: cs-ca-issuer
      namespace: ibm-common-services
    spec:
      ca:
        secretName: cs-ca-certificate-secret
    

Updating the navigation menu

  1. If you upgraded IBM Cloud Pak for Multicloud Management from 2.2.x to 2.3.x, you need to do the following actions:

    Note: If you upgraded IBM Cloud Pak for Multicloud Management from 2.3.1 to 2.3.2, you can ignore this step.

    1. Create a JSON file named patch.json as shown here:

      [{"op":"add","path":"/spec/navItems/-","value":{"detectionLabelSelector":"component=mcmtunnelui","id":"administer-tunnel","isAuthorized":["ClusterAdministrator","AccountAdministrator","Administrator","Operator","Viewer","Editor"],"label":"Tunnel","namespace":"kube-system","parentId":"administer-mcm","serviceId":"tunnel-ui","url":"/multicloud/tunnel/networks"}},{"op":"add","path":"/spec/navItems/-","value":{"id":"administer-tunnel-audit","label":"Tunnelaudit","url":"/multicloud/tunnel/audit","serviceId":"tunnel-ui","parentId":"administer-mcm","isAuthorized":["ClusterAdministrator","AccountAdministrator","Administrator","Operator","Viewer","Editor"],"detectionLabelSelector":"component=mcmtunnelui","namespace":"kube-system"}},{"op":"add","path":"/spec/navItems/-","value":{"id":"chargeback","label":"Chargeback","url":"/multicloud/chargeback","serviceId":"httpd23","parentId":"costs","isAuthorized":["ClusterAdministrator","AccountAdministrator","Administrator","Operator","Viewer","Editor"],"detectionLabelSelector":"app=ibm-infra-management-application","namespace":"management-infrastructure-management"}}]
      
    2. Apply the patch to a navconfiguration object by using the following command:

      kubectl patch navconfiguration multicluster-hub-nav -n kube-system --type='json' -p "$(cat patch.json)"
      
  2. Run the following commands to refresh the existing Identity and access menu, and add the Teams and service IDs menu that goes to the Teams page.

      INDEX=$(kubectl get navconfiguration multicluster-hub-nav -n kube-system -o json  | jq '.spec.navItems | map(.id == "id-access") | index(true)')
    
      PATCH="[{\"op\":\"replace\",\"path\":\"/spec/about/version\",\"value\":\"2.3.3\"},{\"op\":\"replace\",\"path\":\"/spec/navItems/${INDEX}/url\",\"value\":\"/common-nav/identity-access/realms?useNav=multicluster-hub-nav\"},{\"op\":\"add\",\"path\":\"/spec/navItems/-\",\"value\":{\"id\":\"id-teams-access\",\"label\":\"Teams and service IDs\",\"url\":\"/common-nav/identity-access/teams?useNav=multicluster-hub-nav\",\"serviceId\":\"webui-nav\",\"parentId\":\"administer-mcm\",\"isAuthorized\":[\"Administrator\",\"ClusterAdministrator\",\"AccountAdministrator\"]}}]"
    
      kubectl patch navconfiguration multicluster-hub-nav -n kube-system --type='json' -p "${PATCH}"
    
  3. Check the navconfiguration object and see that the new entries are added:

    kubectl get navconfiguration multicluster-hub-nav -n kube-system -o yaml
    
  4. Restart the pod common-web-ui in ibm-common-services namespace.

  5. After few minutes, the entries Chargeback, Teams and Service IDs, Tunnel, and Tunnel audit are added in the navigation menu on IBM Cloud Pak console.

Upgrading version on the console About panel

After you upgrade IBM Cloud Pak for Multicloud Management, upgrade the IBM Cloud Pak for Multicloud Management version number for the console. If you do not upgrade the version, the incorrect version number displays when you select to open the About page from the Info menu on the console toolbar.

Run the following kubectl patch command to directly patch the navigation CR to update the version number. This command uses 2.3.x as an example:

kubectl patch navconfigurations.foundation.ibm.com multicluster-hub-nav -n kube-system --type json -p='[{"op": "replace", "path": "/spec/about/version", "value":"2.3.x"}]'

After you patch the navigation CR, the version for the About panel is updated.

Updating Vulnerability Advisor

After you upgrade IBM Cloud Pak for Multicloud Management, remove the Vulnerability Advisor deployment to restart the pod and update it to the latest version.

Note: If you upgraded from a pre-2.3 version of IBM Cloud Pak for Multicloud Management and the runtimeEngine had been added prior to upgrade, you need to remove the Vulnerability Advisor settings in the IBM Cloud Pak for Multicloud Management installation instance's YAML file that were defined previously. For example, the esXXXXXX settings under ibm-management-valnerability-advisor should be removed. The IBM Cloud Pak for Multicloud Management installation instance YAML file should be updated, for example:

  ```.....
  config:
  enabled: true
  name: ibm-management-notary
  enabled: true
  name: ibm-management-image-security-enforcement
  enabled: true
  name: ibm-management-mutation-advisor
  enabled: true
  name: ibm-management-vulnerability-advisor
  spec: {}
  enabled: true
  name: securityServices
  ......
  ```

Run the following commands to remove and restart the Vulnerability Advisor deployments:

oc delete deploy vulnerability-advisor-rootkit-annotator -n management-security-services
oc delete deploy vulnerability-advisor-sas-apiserver -n management-security-services

Updating ChatOps integration settings

If you upgrade from IBM Cloud Pak® for Multicloud Management V2.0, V2.1, V2.2 to V2.3, you need to update the ChatOps integration settings. Follow these steps:

  1. Ensure that all the ChatOps pods are in running status. If you see that only the ibm-sre-chatops-operator pod is in running status. You can refer to ChatOps pods are not running for ChatOps license is not enabled.

  2. Download the script chatops-update.sh, and assign the execute permission to the script by running the commands one by one:

    wget https://raw.githubusercontent.com/IBM/cp4mcm-samples/master/scripts/chatops-update.sh
    chmod +x chatops-update.sh
    
  3. Run the script to update integration settings that are related to IBM Cloud Pak® for Multicloud Management incidents and PagerDuty.

    ./chatops_update.sh [-a <PagerDuty API key>] [-s <PagerDuty service key>] [-u <Monitoring URL>] [-n <Monitoring API key name>] [-p <Monitoring API key password>]
    

    Where:

Upgrading Monitoring DataProvider Management

Monitoring DataProvider Management is not supported to be upgraded automatically. You need to upgrade Monitoring DataProvider Management manually starting from release 2.3 GA. For more information, see Upgrading Monitoring DataProvider Management. After Monitoring DataProvider Management is upgraded, UA will be upgraded automatically.

Checking whether the Bastion operand is upgraded successfully

After you upgrade IBM Cloud Pak® for Multicloud Management, check the upgrade status for the Bastion operand by viewing the ibm-sre-bastion-operator log. If you see the following error in the log:

failed to get candidate release: rendered manifests contain a new resource that already exists. Unable to continue with update: existing resource conflict: namespace: , name: sre-bastion-vault-server-binding

Follow the steps to solve the problem.

  1. Delete the existing ClusterRoleBinding by running the command:

    oc delete ClusterRoleBinding sre-bastion-vault-server-binding -n kube-system
    
  2. After a while, the Bastion operand can be upgraded.

Restoring management-monitoring configmap

Run the following command to compare the differences between the monitoring-sizing-sizeX.yaml before upgrading and the monitoring-sizing-sizeX.yaml after upgrading:

oc get configmap monitoring-sizing-sizeX -n management-monitoring -o yaml >/tmp/after-monitoring-sizing-sizeX.yaml

If any changes are missing in the configmap after upgrading, you need to run the following command to add the changes:

oc edit configmap monitoring-sizing-sizeX -n management-monitoring

Delete jobs with 0 completions in the management-monitoring namespace

After you upgrade IBM Cloud Pak® for Multicloud Management to Fix Pack 5, check and delete the jobs with 0 completions in the management-monitoring namespace. If not, sometimes you might find that the monitoring-metricprovider deployment is not updated so it has the same image as Fix Pack 4. See monitoring-metricprovider deployment is not updated after upgraded to Fix Pack 5.