fix(migrations): Support Nubus MR upgrade.

2025-12-06 15:31:38 +01:00 · 2024-07-29 11:08:46 +02:00
parent 88db20b160
commit 2e1b3b3ba4
4 changed files with 86 additions and 9 deletions
--- a/docs/migrations.md
+++ b/docs/migrations.md
@@ -6,6 +6,10 @@ SPDX-License-Identifier: Apache-2.0
 <h1>Upgrade migrations</h1>

 * [Disclaimer](#disclaimer)
+* [From v0.9.0](#from-v090)
+  * [Manual migrations](#manual-migrations)
+  * [Automated migrations](#automated-migrations)
+    * [Updated IAM component Nubus](#updated-iam-component-nubus)
 * [From v0.8.1](#from-v081)
  * [Updated `cluster.networking.cidr`](#updated-clusternetworkingcidr)
  * [Nubus LDAP PVCs](#nubus-ldap-pvcs)
@@ -18,6 +22,29 @@ We do not offer support for upgrades before we reach openDesk 1.0.

 Though we try to ease the pain when it comes to 0.x upgrades. That is what this document is for.

+# From v0.9.0
+
+## Manual migrations
+
+None.
+
+## Automated migrations
+
+### Updated IAM component Nubus
+
+openDesk is integrating the latest [Nubus](https://www.univention.de/produkte/nubus/) development from Univention. The new redundant and scalable LDAP requires migration activities. These have been automated to avoid manual interaction. The `run_2` of the openDesk
+upgrade migrations executes the following steps
+
+- Stage PRE:
+  - Scale down `statefulset/ums-ldap-server` and `statefulset/ums-ldap-notifier`.
+  - Create two new PVCs `shared-data-ums-ldap-server-primary-0` and `shared-data-ums-ldap-server-primary-1` for the new LDAP primary pods as copy from the existing `shared-data-ums-ldap-server-0`. The LDAP secondaries will sync from the primary nodes.
+- Stage POST:
+  - Delete the no longer used `shared-data-ums-ldap-server-0`.
+  - Restart Keycloak.
+
+**Note:** You should ensure you have a backup of the contents of `shared-data-ums-ldap-server-0` if something goes wrong during the
+upgrade migration.
+
 # From v0.8.1

 ## Updated `cluster.networking.cidr`
@@ -79,6 +106,60 @@ EOF
 kubectl -n $NAMESPACE delete pvc shared-data-ums-ldap-server-0
 ```

+## Nubus LDAP PVCs
+
+openDesk is integrating the latest [Nubus](https://www.univention.de/produkte/nubus/) development from Univention. The new redundant and scalable LDAP requires some manual action to upgrade from 0.8.1:
+
+- Action: Before the upgrade you have to prepare the PVCs for the LDAP primary Pods. First scale down the 0.8.1 LDAP Pod and pre-create and pre-populate the new PVCs with the data from the current LDAP PVC. You can do all this by running the following snippet on your commandline, after setting `NAMESPACE` to the appropriate value. The LDAP secondaries get sync'd from the primary to fill their own PVCs data.
+```
+export NAMESPACE=YOUR_NAMESPACE
+kubectl -n $NAMESPACE scale --replicas=0 statefulset/ums-ldap-notifier
+kubectl -n $NAMESPACE scale --replicas=0 statefulset/ums-ldap-server
+kubectl -n $NAMESPACE apply -f - <<EOF
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  # Target PVC name
+  name: shared-data-ums-ldap-server-primary-0
+spec:
+  dataSource:
+    # Source PVC name
+    name: shared-data-ums-ldap-server-0
+    kind: PersistentVolumeClaim
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      # Target PVC size (deployments default to 1Gi)
+      storage: 1Gi
+...
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  # Target PVC name
+  name: shared-data-ums-ldap-server-primary-1
+spec:
+  dataSource:
+    # Source PVC name
+    name: shared-data-ums-ldap-server-0
+    kind: PersistentVolumeClaim
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      # Target PVC size (deployments default to 1Gi)
+      storage: 1Gi
+...
+EOF
+```
+
+- Once you have verified that your upgrade was successful, you can delete the previous LDAP's PVC:
+```
+kubectl -n $NAMESPACE delete pvc shared-data-ums-ldap-server-0
+```
+
 ## Updated customizable template attributes

 - Action: Please ensure you update you custom deployment values according with the updated default value structure.
--- a/helmfile/environments/default/global.generated.yaml
+++ b/helmfile/environments/default/global.generated.yaml
@@ -3,5 +3,5 @@
 ---
 global:
  systemInformation:
-    releaseVersion: "v0.9.0"
+    releaseVersion: "v0.9.1"
 ...
--- a/helmfile/environments/default/images.yaml
+++ b/helmfile/environments/default/images.yaml
@@ -205,7 +205,7 @@ images:
    # upstreamRepository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-migrations"
-    tag: "1.0.2@sha256:fbe21b4e2a276d2c5d052c1bb52158debfcc146188e654661001d4ff45b1b453"
+    tag: "1.1.0-trossner-run-2@sha256:132bbd4de55d611dce6094b9ead015c8a139144076efe97a9f4d7fe4181918b6"
  milter:
    # providerCategory: "Community"
    # providerResponsible: "openDesk"
--- a/helmfile/shared/migrations.yaml.gotmpl
+++ b/helmfile/shared/migrations.yaml.gotmpl
@@ -15,16 +15,12 @@ cleanup:
  keepPVCOnDelete: {{ .Values.debug.cleanup.keepPVCOnDelete }}

 migrations:
-  runId: 1
-  currentOdRelease: {{ .Values.global.systemInformation.releaseVersion | quote }}
+  runId: 2
  namespace: {{ .Values.migrations.namespace | quote }}
  loglevel: {{ if .Values.debug.enabled }}"DEBUG"{{ else }}"INFO"{{ end }}
  failOnUnexpectedState: true
-  credentials:
-    keycloakAdminUsername: "kcadmin"
-    keycloakAdminPassword: {{ .Values.secrets.keycloak.adminPassword | quote }}
-  urls:
-    keycloakBase: "http://ums-keycloak.{{ .Values.univentionManagementStack.namespace }}.svc.{{ .Values.cluster.networking.domain }}:8080"
+  environmentDetails:
+    {{ .Values | toYaml | nindent 4 }}

 containerSecurityContext:
  allowPrivilegeEscalation: false