Upgrading IBM Support for Hyperledger Fabric to version 1.0.6
These instructions are to be used to upgrade any version of IBM Support for Hyperledger Fabric to version 1.0.6.
Peer and ordering nodes will restart during this upgrade, so performing the upgrade during a planned maintenance window is suggested.
Log in to your cluster
Before you can complete the next steps, you need to log in to your cluster by using the kubectl CLI. Follow the instructions for logging in to your cluster.
Delete the ibm-hlfsupport-infra project for the webhook
Consistency issues require a re-install of the webhook as part of this release.
Run the following command to delete the project.
kubectl delete project ibm-hlfsupport-infra
Create the ibm-hlfsupport-infra project for the webhook
After you log in to your cluster, you can create the new ibm-hlfsupport-infra project for the Kubernetes conversion webhook using the kubectl CLI. The new project needs to be created by a cluster administrator.
Run the following command to create the project:
oc new-project ibm-hlfsupport-infra
When you create a new project, a new namespace is created with the same name as your project. You can verify the existence of the new namespace by using the oc get namespace command:
$ oc get namespace
NAME                   STATUS   AGE
ibm-hlfsupport-infra   Active   2m
Deploy the webhook and custom resource definitions (CRDs) to your OpenShift cluster
Before you can deploy a new instance of the platform to your Kubernetes cluster, you need to create the conversion webhook by completing the steps in this section. The webhook is deployed to its own namespace or project, referred to as ibm-hlfsupport-infra throughout these instructions.
The first three steps are for deployment of the webhook. The last step is for the custom resource definitions for the CA, peer, orderer, and console components that IBM Support for Hyperledger Fabric requires. You only have to deploy the webhook and custom resource definitions once per cluster. If you have already deployed this webhook and custom resource definitions to your cluster, you can skip the four steps below.
1. Configure role-based access control (RBAC) for the webhook
First, copy the following text to a file on your local system and save the file as rbac.yaml. This step allows the webhook to read and create a TLS secret in its own project.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: webhook
  namespace: ibm-hlfsupport-infra
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: webhook
rules:
- apiGroups:
  - "*"
  resources:
  - secrets
  verbs:
  - "*"
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ibm-hlfsupport-infra
subjects:
- kind: ServiceAccount
  name: webhook
  namespace: ibm-hlfsupport-infra
roleRef:
  kind: Role
  name: webhook
  apiGroup: rbac.authorization.k8s.io
Run the following command to add the file to your cluster definition:
kubectl apply -f rbac.yaml -n ibm-hlfsupport-infra
When the command completes successfully, you should see something similar to:
serviceaccount/webhook created
role.rbac.authorization.k8s.io/webhook created
rolebinding.rbac.authorization.k8s.io/ibm-hlfsupport-infra created
2. Apply the Security Context Constraint
IBM Support for Hyperledger Fabric requires specific security and access policies to be added to the ibm-hlfsupport-infra project. Copy the security context constraint object below and save it to your local system as ibm-hlfsupport-infra-scc.yaml.
Replace <PROJECT_NAME> with ibm-hlfsupport-infra.
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
- NET_BIND_SERVICE
- CHOWN
- DAC_OVERRIDE
- SETGID
- SETUID
- FOWNER
apiVersion: security.openshift.io/v1
defaultAddCapabilities: []
fsGroup:
  type: RunAsAny
groups:
- system:serviceaccounts:<PROJECT_NAME>
kind: SecurityContextConstraints
metadata:
  name: <PROJECT_NAME>
readOnlyRootFilesystem: false
requiredDropCapabilities: []
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
seccompProfiles:
- runtime/default
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccounts:<PROJECT_NAME>
volumes:
- "*"
After you save the file, run the following commands to add the file to your cluster and add the policy to your project.
oc apply -f ibm-hlfsupport-infra-scc.yaml -n ibm-hlfsupport-infra
oc adm policy add-scc-to-user ibm-hlfsupport-infra system:serviceaccounts:ibm-hlfsupport-infra
If the commands are successful, you can see a response that is similar to the following example:
securitycontextconstraints.security.openshift.io/ibm-hlfsupport-infra created
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:ibm-hlfsupport-infra added: "system:serviceaccounts:ibm-hlfsupport-infra"
3. Deploy the webhook
In order to deploy the webhook, you need to create two .yaml files and apply them to your Kubernetes cluster.
deployment.yaml
Copy the following text to a file on your local system and save the file as deployment.yaml.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: "ibm-hlfsupport-webhook"
  labels:
    helm.sh/chart: "ibm-hlfsupport"
    app.kubernetes.io/name: "ibm-hlfsupport"
    app.kubernetes.io/instance: "ibm-hlfsupport-webhook"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: "ibm-hlfsupport-webhook"
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        helm.sh/chart: "ibm-hlfsupport"
        app.kubernetes.io/name: "ibm-hlfsupport"
        app.kubernetes.io/instance: "ibm-hlfsupport-webhook"
      annotations:
        productName: "IBM Support for Hyperledger Fabric"
        productID: "5d5997a033594f149a534a09802d60f1"
        productVersion: "1.0.6"
        productChargedContainers: ""
        productMetric: "VIRTUAL_PROCESSOR_CORE"
    spec:
      serviceAccountName: webhook
      imagePullSecrets:
        - name: cp-pull-secret
      hostIPC: false
      hostNetwork: false
      hostPID: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 2000
      containers:
        - name: "ibm-hlfsupport-webhook"
          image: "icr.io/cpopen/ibm-hlfsupport-crdwebhook:1.0.6-20231010-amd64"
          imagePullPolicy: Always
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
            capabilities:
              drop:
              - ALL
              add:
              - NET_BIND_SERVICE
          env:
            - name: "LICENSE"
              value: "accept"
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: SERVICE_NAME
              value: ibm-hlfsupport-webhook
          ports:
            - name: server
              containerPort: 3000
          livenessProbe:
            httpGet:
              path: /healthz
              port: server
              scheme: HTTPS
            initialDelaySeconds: 30
            timeoutSeconds: 5
            failureThreshold: 6
          readinessProbe:
            httpGet:
              path: /healthz
              port: server
              scheme: HTTPS
            initialDelaySeconds: 26
            timeoutSeconds: 5
            periodSeconds: 5
          resources:
            requests:
              cpu: 0.1
              memory: "100Mi"
Run the following command to add the file to your cluster definition:
kubectl apply -n ibm-hlfsupport-infra -f deployment.yaml
When the command completes successfully, you should see something similar to:
deployment.apps/ibm-hlfsupport-webhook created
service.yaml
Second, copy the following text to a file on your local system and save the file as service.yaml.
apiVersion: v1
kind: Service
metadata:
  name: "ibm-hlfsupport-webhook"
  labels:
    type: "webhook"
    app.kubernetes.io/name: "ibm-hlfsupport"
    app.kubernetes.io/instance: "ibm-hlfsupport-webhook"
    helm.sh/chart: "ibm-hlfsupport"
spec:
  type: ClusterIP
  ports:
    - name: server
      port: 443
      targetPort: server
      protocol: TCP
  selector:
    app.kubernetes.io/instance: "ibm-hlfsupport-webhook"
Run the following command to add the file to your cluster definition:
kubectl apply -n ibm-hlfsupport-infra -f service.yaml
When the command completes successfully, you should see something similar to:
service/ibm-hlfsupport-webhook created
4. Extract the certificate and create the custom resource definitions
- Extract the webhook TLS certificate from the ibm-hlfsupport-infra namespace by running the following command:
  export TLS_CERT=$(kubectl get secret/webhook-tls-cert -n ibm-hlfsupport-infra -o jsonpath={'.data.cert\.pem'})
- When you deploy IBM Support for Hyperledger Fabric, you need to apply the following four CRDs for the CA, peer, orderer, and console. Run the following four commands to apply or update each CRD.
Run this command to update the CA CRD:
cat <<EOF | kubectl apply -f -
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ibpcas.ibp.com
  labels:
    app.kubernetes.io/name: "ibm-hlfsupport"
    app.kubernetes.io/instance: "ibm-hlfsupport"
    app.kubernetes.io/managed-by: "ibm-hlfsupport"
spec:
  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        caBundle: "${TLS_CERT}"
        service:
          name: ibm-hlfsupport-webhook
          namespace: ibm-hlfsupport-infra
          path: /crdconvert
      conversionReviewVersions:
      - v1beta1
      - v1alpha2
      - v1alpha1
  group: ibp.com
  names:
    kind: IBPCA
    listKind: IBPCAList
    plural: ibpcas
    singular: ibpca
  scope: Namespaced
  versions:
  - name: v1beta1
    schema:
      openAPIV3Schema:
        x-kubernetes-preserve-unknown-fields: true
    served: true
    storage: true
    subresources:
      status: {}
  - name: v1alpha2
    schema:
      openAPIV3Schema:
        x-kubernetes-preserve-unknown-fields: true
    served: true
    storage: false
    subresources:
      status: {}
  - name: v210
    schema:
      openAPIV3Schema:
        x-kubernetes-preserve-unknown-fields: true
    served: false
    storage: false
    subresources:
      status: {}
  - name: v212
    schema:
      openAPIV3Schema:
        x-kubernetes-preserve-unknown-fields: true
    served: false
    storage: false
    subresources:
      status: {}
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        x-kubernetes-preserve-unknown-fields: true
    served: true
    storage: false
    subresources:
      status: {}
status:
  acceptedNames:
    kind: IBPCA
    listKind: IBPCAList
    plural: ibpcas
    singular: ibpca
  conditions: []
  storedVersions:
  - v1beta1
EOF
Depending on whether you are creating or updating the CRD, when successful, you should see:
customresourcedefinition.apiextensions.k8s.io/ibpcas.ibp.com created
or
customresourcedefinition.apiextensions.k8s.io/ibpcas.ibp.com configured
Run this command to update the peer CRD:
cat <<EOF | kubectl apply -f -
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ibppeers.ibp.com
  labels:
    app.kubernetes.io/name: "ibm-hlfsupport"
    app.kubernetes.io/instance: "ibm-hlfsupport"
    app.kubernetes.io/managed-by: "ibm-hlfsupport"
spec:
  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        caBundle: "${TLS_CERT}"
        service:
          name: ibm-hlfsupport-webhook
          namespace: ibm-hlfsupport-infra
          path: /crdconvert
      conversionReviewVersions:
      - v1beta1
      - v1alpha2
      - v1alpha1
  group: ibp.com
  names:
    kind: IBPPeer
    listKind: IBPPeerList
    plural: ibppeers
    singular: ibppeer
  scope: Namespaced
  versions:
  - name: v1beta1
    schema:
      openAPIV3Schema:
        x-kubernetes-preserve-unknown-fields: true
    served: true
    storage: true
    subresources:
      status: {}
  - name: v1alpha2
    schema:
      openAPIV3Schema:
        x-kubernetes-preserve-unknown-fields: true
    served: true
    storage: false
    subresources:
      status: {}
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        x-kubernetes-preserve-unknown-fields: true
    served: true
    storage: false
    subresources:
      status: {}
status:
  acceptedNames:
    kind: IBPPeer
    listKind: IBPPeerList
    plural: ibppeers
    singular: ibppeer
  conditions: []
  storedVersions:
  - v1beta1
EOF
When successful, you should see:
customresourcedefinition.apiextensions.k8s.io/ibppeers.ibp.com created
or
customresourcedefinition.apiextensions.k8s.io/ibppeers.ibp.com configured
Run this command to update the console CRD:
cat <<EOF | kubectl apply -f -
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ibpconsoles.ibp.com
  labels:
    app.kubernetes.io/name: "ibm-hlfsupport"
    app.kubernetes.io/instance: "ibm-hlfsupport"
    app.kubernetes.io/managed-by: "ibm-hlfsupport"
spec:
  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        caBundle: "${TLS_CERT}"
        service:
          name: ibm-hlfsupport-webhook
          namespace: ibm-hlfsupport-infra
          path: /crdconvert
      conversionReviewVersions:
      - v1beta1
      - v1alpha2
      - v1alpha1
  group: ibp.com
  names:
    kind: IBPConsole
    listKind: IBPConsoleList
    plural: ibpconsoles
    singular: ibpconsole
  scope: Namespaced
  versions:
  - name: v1beta1
    schema:
      openAPIV3Schema:
        x-kubernetes-preserve-unknown-fields: true
    served: true
    storage: true
    subresources:
      status: {}
  - name: v1alpha2
    schema:
      openAPIV3Schema:
        x-kubernetes-preserve-unknown-fields: true
    served: true
    storage: false
    subresources:
      status: {}
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        x-kubernetes-preserve-unknown-fields: true
    served: true
    storage: false
    subresources:
      status: {}
status:
  acceptedNames:
    kind: IBPConsole
    listKind: IBPConsoleList
    plural: ibpconsoles
    singular: ibpconsole
  conditions: []
  storedVersions:
  - v1beta1
EOF
When successful, you should see:
customresourcedefinition.apiextensions.k8s.io/ibpconsoles.ibp.com created
or
customresourcedefinition.apiextensions.k8s.io/ibpconsoles.ibp.com configured
Run this command to update the orderer CRD:
cat <<EOF | kubectl apply -f -
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: ibporderers.ibp.com
  labels:
    app.kubernetes.io/name: "ibm-hlfsupport"
    app.kubernetes.io/instance: "ibm-hlfsupport"
    app.kubernetes.io/managed-by: "ibm-hlfsupport"
spec:
  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        caBundle: "${TLS_CERT}"
        service:
          name: ibm-hlfsupport-webhook
          namespace: ibm-hlfsupport-infra
          path: /crdconvert
      conversionReviewVersions:
      - v1beta1
      - v1alpha2
      - v1alpha1
  group: ibp.com
  names:
    kind: IBPOrderer
    listKind: IBPOrdererList
    plural: ibporderers
    singular: ibporderer
  scope: Namespaced
  versions:
  - name: v1beta1
    schema:
      openAPIV3Schema:
        x-kubernetes-preserve-unknown-fields: true
    served: true
    storage: true
    subresources:
      status: {}
  - name: v1alpha2
    schema:
      openAPIV3Schema:
        x-kubernetes-preserve-unknown-fields: true
    served: true
    storage: false
    subresources:
      status: {}
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        x-kubernetes-preserve-unknown-fields: true
    served: true
    storage: false
    subresources:
      status: {}
status:
  acceptedNames:
    kind: IBPOrderer
    listKind: IBPOrdererList
    plural: ibporderers
    singular: ibporderer
  conditions: []
  storedVersions:
  - v1beta1
EOF
When successful, you should see:
customresourcedefinition.apiextensions.k8s.io/ibporderers.ibp.com created
or
customresourcedefinition.apiextensions.k8s.io/ibporderers.ibp.com configured
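Each CRD above embeds whatever TLS_CERT held when the heredoc was expanded, so an empty or outdated value ends up as the caBundle without kubectl apply reporting an error. The following shell functions are an added check, not part of the IBM instructions: they validate the extracted value and compare the caBundle of each of the four CRDs with the live webhook-tls-cert secret. The function names and return codes are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of the IBM instructions.
# Usage: source this file after step 4, then run: audit_crd_bundles
CRDS="ibpcas.ibp.com ibppeers.ibp.com ibpconsoles.ibp.com ibporderers.ibp.com"

# check_ca_bundle <base64-string>
# Returns 0 = usable, 1 = empty, 2 = not base64, 3 = does not decode to PEM.
check_ca_bundle() {
  local b64 pem
  b64=$1
  if [ -z "$b64" ]; then
    echo "TLS_CERT is empty (secret or cert.pem key missing)" >&2
    return 1
  fi
  if ! pem=$(printf '%s' "$b64" | base64 -d 2>/dev/null); then
    echo "TLS_CERT is not valid base64" >&2
    return 2
  fi
  case "$pem" in
    *"-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----"*) return 0 ;;
  esac
  echo "TLS_CERT does not decode to a PEM certificate" >&2
  return 3
}

# audit_crd_bundles
# Prints "MISMATCH <crd>" for every CRD whose caBundle differs from the
# certificate in the live secret. Return code = number of mismatches,
# or 10 when the secret value itself fails check_ca_bundle.
audit_crd_bundles() {
  local want got crd bad
  bad=0
  want=$(kubectl get secret/webhook-tls-cert -n ibm-hlfsupport-infra \
    -o 'jsonpath={.data.cert\.pem}')
  check_ca_bundle "$want" || return 10
  for crd in $CRDS; do
    got=$(kubectl get crd "$crd" \
      -o 'jsonpath={.spec.conversion.webhook.clientConfig.caBundle}')
    if [ "$got" != "$want" ]; then
      echo "MISMATCH $crd"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}
```

A return code of 10 usually means the secret was read before the webhook pod created it; wait for the deployment to become ready, re-export TLS_CERT, and re-apply any CRD reported as a mismatch.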
Continue the upgrade process by completing the fixpack process
In the following process, skip "Step one: Update the webhook". Complete all of the steps in the Apply Fix Pack process.