Upgrade from foundational services version 3.x to version 4.x fails due to custom certificate issue

If you used custom certificates in foundational services version 3, the upgrade of foundational services to version 4.x fails.

Symptom

The custom certificates are not available in the cluster after the upgrade. The cp-console route then uses the default ingress certificates.

After the upgrade, you see the following error:

    ======>>> START-14 : update secrets 'custom-tls-secret'
    Starting new HTTPS connection (1): kubernetes.default:443
    https://kubernetes.default:443 "GET /api/v1/namespaces/aiops/secrets/custom-tls-secret HTTP/1.1" 404 208
    Unable to GET URL :https://kubernetes.default:443/api/v1/namespaces/aiops/secrets/custom-tls-secret
    <Response [404]>
    FAILED : GET oper, URL : /api/v1/namespaces/aiops/secrets/custom-tls-secret

Cause

In the cs-onprem-tenant-config configmap, the custom_host_certificate_secret field uses the default name custom-tls-secret. If you used any other name for the secret, the upgrade fails.
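
To confirm this cause from the upgrade output, the following added example (not part of the original page or of the product's tooling) extracts the namespace and secret name from every 404 on a secrets GET, using the error excerpt above as sample input. The check_cluster helper is hypothetical and assumes that the field sits under .data of the configmap and that the configmap is in the same namespace as the secret.

```shell
#!/bin/sh
# Added example: identify the secret the upgrade job could not read.

# Sample input: the error excerpt shown in the Symptom section.
sample_log() {
cat <<'EOF'
======>>> START-14 : update secrets 'custom-tls-secret'
Starting new HTTPS connection (1): kubernetes.default:443
https://kubernetes.default:443 "GET /api/v1/namespaces/aiops/secrets/custom-tls-secret HTTP/1.1" 404 208
Unable to GET URL :https://kubernetes.default:443/api/v1/namespaces/aiops/secrets/custom-tls-secret
<Response [404]>
FAILED : GET oper, URL : /api/v1/namespaces/aiops/secrets/custom-tls-secret
EOF
}

# Read a job log on stdin; print "namespace/secret" once for every
# secrets GET that the API server answered with 404.
missing_secrets() {
  sed -n 's|.*"GET /api/v1/namespaces/\([^/]*\)/secrets/\([^ /"]*\) HTTP/[0-9.]*" 404 .*|\1/\2|p' |
    sort -u
}

# Hypothetical helper (needs a logged-in oc session). For each
# "namespace/secret" line on stdin, show the name the configmap holds
# and whether the requested secret exists.
# Assumption: the field is stored under .data of cs-onprem-tenant-config
# in the same namespace as the secret.
check_cluster() {
  while IFS=/ read -r ns name; do
    configured=$(oc get configmap cs-onprem-tenant-config -n "$ns" \
      -o jsonpath='{.data.custom_host_certificate_secret}' </dev/null 2>/dev/null)
    echo "job requested '$name' in '$ns'; configmap names '${configured:-<not set>}'"
    if oc get secret "$name" -n "$ns" </dev/null >/dev/null 2>&1; then
      echo "  secret exists"
    else
      echo "  secret missing: custom certificate is not applied"
    fi
  done
}

# Offline demonstration on the sample excerpt.
sample_log | missing_secrets
# Against a real log (upgrade.log is a hypothetical file name) and cluster:
#   missing_secrets < upgrade.log | check_cluster
```

A secret reported as missing here matches the symptom above, where the cp-console route serves the default ingress certificates instead of the custom ones.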

Workaround

After you upgrade, complete the steps to create a custom TLS secret with the name custom-tls-secret. For more information, see Updating custom hostname and TLS secret by using a configmap.

Then, restart the IM and Zen pods.

  1. Get the IM authentication pod name and delete the pod.

    oc get pod -n <your-foundational-services-namespace> | grep platform-auth-service
    

    Delete the auth pod.

    oc delete pod -n <your-foundational-services-namespace> <platform-auth-service-pod-name>
    
  2. Get the IM identity provider pod name and delete the pod.

    oc get pod -n <your-foundational-services-namespace> | grep platform-identity-provider
    

    Delete the identity provider pod.

    oc delete pod -n <your-foundational-services-namespace> <platform-identity-provider-pod-name>
    
  3. Get the Zen operator pod name and delete the pod.

    oc get pod -n <your-foundational-services-namespace> | grep ibm-zen-operator
    

    Delete the Zen operator pod.

    oc delete pod -n <your-foundational-services-namespace> <ibm-zen-operator-pod-name>