Upgrading the backup and restore software for an instance that uses Portworx asynchronous data replication (Upgrading from Version 5.2 to Version 5.4)

After you upgrade IBM® Software Hub, you must upgrade the cpdbr-tenant service and install the Backup Restore Orchestration service for the instance.

Who needs to complete this task?

Cluster administrator: A cluster administrator must complete this task.

When do you need to complete this task?

Repeat as needed: If you have multiple instances of IBM Software Hub, repeat this task for each instance that you upgrade.

Before you begin

Best practice: You can run the commands in this task exactly as written using the installation environment variables. Ensure that you added the new environment variables from Updating your environment variables script.

In addition, ensure that you source the environment variables before you run the commands in this task.

About this task

To ensure that you can back up this instance of IBM Software Hub with Portworx asynchronous data replication, you must:
  • Give the service accounts for the Backup Restore Orchestration service the edit cluster role on the specified projects:
    • Service account: ${BR_OPERATOR_SA}
      Projects: Backup Restore Orchestration service
      Details: The Red Hat® OpenShift® Container Platform edit role enables the Backup Restore Orchestration service operator to modify resources in the specified project.
    • Service account: ${BR_OPERATOR_JOB_SA}
      Projects: Operators project; Operands project; any tethered projects
      Details: The Red Hat OpenShift Container Platform edit role enables the Backup Restore Orchestration service jobs to modify resources in the specified projects. For example, the service can use this role to patch a custom resource to put a service in maintenance mode.
  • Upgrade the cpdbr-tenant service.
  • Install the Backup Restore Orchestration service.

Procedure

  1. Log in to Red Hat OpenShift Container Platform as a cluster administrator.
    ${OC_LOGIN}
    Remember: OC_LOGIN is an alias for the oc login command.
  2. Update the Data Protection Application:
    1. Get the name of the Data Protection Application:
      oc get dpa \
      --namespace=${OADP_PROJECT}

      The default name is dpa-sample.

    2. Set the DPA_NAME environment variable to the name of the Data Protection Application:
      export DPA_NAME=<DPA-name>
    3. Patch the Data Protection Application custom resource.

      The command that you run depends on where your cluster pulls images from:

      IBM Entitled Registry
      # The patch is double-quoted so that the shell expands ${VERSION}.
      oc patch dataprotectionapplication ${DPA_NAME} \
      --namespace=${OADP_PROJECT} \
      --type=json \
      -p="[
        {
          \"op\": \"replace\",
          \"path\": \"/spec/configuration/velero/customPlugins\",
          \"value\": [
            {
              \"image\": \"icr.io/cpopen/cpfs/cpfs-oadp-plugins:latest\",
              \"name\": \"cpfs-oadp-plugin\"
            },
            {
              \"image\": \"icr.io/cpopen/cpd/cpdbr-velero-plugin:${VERSION}\",
              \"name\": \"cpdbr-velero-plugin\"
            },
            {
              \"image\": \"icr.io/cpopen/cpd/swhub-velero-plugin:${VERSION}\",
              \"name\": \"swhub-velero-plugin\"
            },
            {
              \"image\": \"icr.io/db2u/db2u-velero-plugin:${VERSION}\",
              \"name\": \"db2u-velero-plugin\"
            }
          ]
        }
      ]"
      Private container registry
      # The patch is double-quoted so that the shell expands
      # ${PRIVATE_REGISTRY_LOCATION} and ${VERSION}.
      oc patch dataprotectionapplication ${DPA_NAME} \
      --namespace=${OADP_PROJECT} \
      --type=json \
      -p="[
        {
          \"op\": \"replace\",
          \"path\": \"/spec/configuration/velero/customPlugins\",
          \"value\": [
            {
              \"image\": \"${PRIVATE_REGISTRY_LOCATION}/cpopen/cpfs/cpfs-oadp-plugins:latest\",
              \"name\": \"cpfs-oadp-plugin\"
            },
            {
              \"image\": \"${PRIVATE_REGISTRY_LOCATION}/cpopen/cpd/cpdbr-velero-plugin:${VERSION}\",
              \"name\": \"cpdbr-velero-plugin\"
            },
            {
              \"image\": \"${PRIVATE_REGISTRY_LOCATION}/cpopen/cpd/swhub-velero-plugin:${VERSION}\",
              \"name\": \"swhub-velero-plugin\"
            },
            {
              \"image\": \"${PRIVATE_REGISTRY_LOCATION}/db2u/db2u-velero-plugin:${VERSION}\",
              \"name\": \"db2u-velero-plugin\"
            }
          ]
        }
      ]"
  3. Upgrade the cpdbr-tenant service.

    The command that you run depends on where your cluster pulls images from:

    IBM Entitled Registry
    cpd-cli oadp install \
    --component=cpdbr-tenant \
    --namespace=${OADP_PROJECT} \
    --tenant-operator-namespace=${PROJECT_CPD_INST_OPERATORS} \
    --skip-recipes \
    --upgrade=true \
    --log-level=debug \
    --verbose
    Private container registry
    cpd-cli oadp install \
    --component=cpdbr-tenant \
    --namespace=${OADP_PROJECT} \
    --tenant-operator-namespace=${PROJECT_CPD_INST_OPERATORS} \
    --private_registry_location=${PRIVATE_REGISTRY_LOCATION} \
    --skip-recipes \
    --upgrade=true \
    --log-level=debug \
    --verbose
  4. Confirm that the required cluster role and cluster role binding were created in the ${PROJECT_INST_BR_SVC} project when you installed the cpdbr-tenant service.
    If they do not exist, the command creates them.
    BINDING_NAME="cpdbr-tenant-service-crb-${PROJECT_CPD_INST_OPERATORS}"
    SHOULD_ADD=false
    
    # Check if the exact combination of SA name and namespace exists
    if oc get clusterrolebinding ${BINDING_NAME} -o json | \
       jq -e ".subjects[]? | select(.kind==\"ServiceAccount\" and .name==\"${BR_OPERATOR_JOB_SA}\" and .namespace==\"${PROJECT_INST_BR_SVC}\")" > /dev/null 2>&1; then
      echo "ServiceAccount ${BR_OPERATOR_JOB_SA} already exists in namespace ${PROJECT_INST_BR_SVC}"
    else
      echo "ServiceAccount ${BR_OPERATOR_JOB_SA} in namespace ${PROJECT_INST_BR_SVC} not found, adding"
      SHOULD_ADD=true
    fi
    
    # Add the subject if needed
    if [ "${SHOULD_ADD}" = true ]; then
      oc patch clusterrolebinding ${BINDING_NAME} --type=json -p="[
        {
          \"op\": \"add\",
          \"path\": \"/subjects/-\",
          \"value\": {
            \"kind\": \"ServiceAccount\",
            \"name\": \"${BR_OPERATOR_JOB_SA}\",
            \"namespace\": \"${PROJECT_INST_BR_SVC}\"
          }
        }
      ]"
    fi
  5. Install the Backup Restore Orchestration service for the instance:
    Instances without tethered projects
    cpd-cli manage apply-br \
    --license_acceptance=true \
    --release=${VERSION} \
    --patch_id=${PATCH_ID} \
    --br_tool=oadp \
    --oadp_ns=${OADP_PROJECT} \
    --br_operator_ns=${PROJECT_INST_BR_SVC} \
    --operator_ns=${PROJECT_CPD_INST_OPERATORS} \
    --instance_ns=${PROJECT_CPD_INST_OPERANDS} \
    --image_pull_prefix=${IMAGE_PULL_PREFIX} \
    --image_pull_secret=${IMAGE_PULL_SECRET}
    Instances with tethered projects
    cpd-cli manage apply-br \
    --license_acceptance=true \
    --release=${VERSION} \
    --patch_id=${PATCH_ID} \
    --br_tool=oadp \
    --oadp_ns=${OADP_PROJECT} \
    --br_operator_ns=${PROJECT_INST_BR_SVC} \
    --operator_ns=${PROJECT_CPD_INST_OPERATORS} \
    --instance_ns=${PROJECT_CPD_INST_OPERANDS} \
    --tethered_instance_ns=${PROJECT_CPD_INSTANCE_TETHERED_LIST} \
    --image_pull_prefix=${IMAGE_PULL_PREFIX} \
    --image_pull_secret=${IMAGE_PULL_SECRET}
  6. Give the ${BR_OPERATOR_SA} service account the edit cluster role on the required projects:
    oc create rolebinding bros-rolebinding-edit \
    --clusterrole=edit \
    --serviceaccount=${PROJECT_CPD_INST_BR_SVC}:${BR_OPERATOR_SA} \
    -n ${PROJECT_CPD_INST_BR_SVC}
    
    oc label rolebinding bros-rolebinding-edit \
    -n ${PROJECT_CPD_INST_BR_SVC} \
    component-id=br-orchestration \
    icpdsupport/addOnId=bros
  7. Give the ${BR_OPERATOR_JOB_SA} service account the edit cluster role on the required projects:
    # Assign the edit role in the operators project
    # =======================================================================================
    oc create rolebinding bros-job-sa-rb-${BR_OPERATOR_JOB_SA} \
    --clusterrole=edit \
    --serviceaccount=${PROJECT_CPD_INST_BR_SVC}:${BR_OPERATOR_JOB_SA} \
    -n ${PROJECT_CPD_INST_OPERATORS}
    
    oc label rolebinding bros-job-sa-rb-${BR_OPERATOR_JOB_SA} \
    -n ${PROJECT_CPD_INST_OPERATORS} \
    component-id=br-orchestration \
    icpdsupport/addOnId=bros
    
    # Assign the edit role in the operands project
    # =======================================================================================
    oc create rolebinding bros-job-sa-rb-${BR_OPERATOR_JOB_SA} \
    --clusterrole=edit \
    --serviceaccount=${PROJECT_CPD_INST_BR_SVC}:${BR_OPERATOR_JOB_SA} \
    -n ${PROJECT_CPD_INST_OPERANDS}
    
    
    oc label rolebinding bros-job-sa-rb-${BR_OPERATOR_JOB_SA} \
    -n ${PROJECT_CPD_INST_OPERANDS} \
    component-id=br-orchestration \
    icpdsupport/addOnId=bros
    
    if [ -n "${PROJECT_CPD_INSTANCE_TETHERED_LIST}" ]; then
        IFS=',' read -ra TETHERED_NS_LIST <<< "${PROJECT_CPD_INSTANCE_TETHERED_LIST}"
        
        for TETHERED_NS in "${TETHERED_NS_LIST[@]}"; do
          oc create rolebinding bros-job-sa-rb-${BR_OPERATOR_JOB_SA} \
          --clusterrole=edit \
          --serviceaccount=${PROJECT_CPD_INST_BR_SVC}:${BR_OPERATOR_JOB_SA} \
          -n ${TETHERED_NS}
          
          oc label rolebinding bros-job-sa-rb-${BR_OPERATOR_JOB_SA} \
          -n ${TETHERED_NS} \
          component-id=br-orchestration \
          icpdsupport/addOnId=bros
    
        done
    fi
  8. Restore: Install the cpdbr-tenant service role-based access control and the Backup Restore Orchestration service role-based access control on the target cluster:
    1. Install the cpdbr-tenant service role-based access control:
      cpd-cli oadp install \
      --component=cpdbr-tenant \
      --namespace=${OADP_PROJECT} \
      --tenant-operator-namespace=${PROJECT_CPD_INST_OPERATORS} \
      --skip-recipes \
      --rbac-only=true \
      --log-level=debug \
      --verbose
    2. Install the Backup Restore Orchestration service role-based access control.
      Instances without tethered projects
      cpd-cli manage apply-br \
      --license_acceptance=true \
      --release=${VERSION} \
      --patch_id=${PATCH_ID} \
      --br_tool=oadp \
      --oadp_ns=${OADP_PROJECT} \
      --ignore_tenant_ns_resources \
      --br_operator_ns=${PROJECT_INST_BR_SVC} \
      --operator_ns=${PROJECT_CPD_INST_OPERATORS} \
      --instance_ns=${PROJECT_CPD_INST_OPERANDS} \
      --image_pull_prefix=${IMAGE_PULL_PREFIX} \
      --image_pull_secret=${IMAGE_PULL_SECRET}
      Instances with tethered projects
      cpd-cli manage apply-br \
      --license_acceptance=true \
      --release=${VERSION} \
      --patch_id=${PATCH_ID} \
      --br_tool=oadp \
      --oadp_ns=${OADP_PROJECT} \
      --ignore_tenant_ns_resources \
      --br_operator_ns=${PROJECT_INST_BR_SVC} \
      --operator_ns=${PROJECT_CPD_INST_OPERATORS} \
      --instance_ns=${PROJECT_CPD_INST_OPERANDS} \
      --tethered_instance_ns=${PROJECT_CPD_INSTANCE_TETHERED_LIST} \
      --image_pull_prefix=${IMAGE_PULL_PREFIX} \
      --image_pull_secret=${IMAGE_PULL_SECRET}
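
A read-only check for the grants made in steps 6 and 7, added here as an example (it is not part of IBM's procedure): it confirms that each bros role binding references the edit cluster role and names only the intended service account, so an extra subject or a missed tethered project is reported as FAIL. The function names are hypothetical, and the script assumes that the environment variables used in steps 6 and 7 are already sourced.

```sh
#!/bin/sh
# Added example, not IBM code. Read-only: it only runs "oc get".
# Usage (after sourcing the installation environment variables): verify_br_rbac

# Print every project where ${BR_OPERATOR_JOB_SA} needs the edit role, one per
# line: operators, operands, then each entry of the comma-separated tethered list.
br_job_namespaces() {
  printf '%s\n' "${PROJECT_CPD_INST_OPERATORS}" "${PROJECT_CPD_INST_OPERANDS}"
  if [ -n "${PROJECT_CPD_INSTANCE_TETHERED_LIST:-}" ]; then
    printf '%s\n' "${PROJECT_CPD_INSTANCE_TETHERED_LIST}" |
      tr ',' '\n' | sed 's/^ *//; s/ *$//; /^$/d'
  fi
}

# check_binding NAME PROJECT SERVICE_ACCOUNT
# Succeeds only if role binding NAME in PROJECT references ClusterRole/edit and
# its single subject is SERVICE_ACCOUNT in ${PROJECT_CPD_INST_BR_SVC}.
check_binding() {
  want="ClusterRole/edit|ServiceAccount:${PROJECT_CPD_INST_BR_SVC}:$3,"
  got=$(oc get rolebinding "$1" -n "$2" \
    -o jsonpath='{.roleRef.kind}/{.roleRef.name}|{range .subjects[*]}{.kind}:{.namespace}:{.name},{end}' \
    2>/dev/null) || got="<missing>"
  if [ "$got" = "$want" ]; then
    echo "OK    $2/$1"
  else
    echo "FAIL  $2/$1: expected '$want', found '$got'"
    return 1
  fi
}

# Check the step 6 binding, then the step 7 binding in every target project.
# Returns non-zero if any binding is missing, points at another role, or
# carries a subject other than the expected service account.
verify_br_rbac() {
  rc=0
  check_binding bros-rolebinding-edit \
    "${PROJECT_CPD_INST_BR_SVC}" "${BR_OPERATOR_SA}" || rc=1
  for ns in $(br_job_namespaces); do
    check_binding "bros-job-sa-rb-${BR_OPERATOR_JOB_SA}" \
      "$ns" "${BR_OPERATOR_JOB_SA}" || rc=1
  done
  return $rc
}
```
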

What to do next

Now that you've upgraded the backup and restore software for the instance, you're ready to complete Upgrading privileged monitors (Upgrading from Version 5.2 to Version 5.4).