Upgrading PingAccess
In a DevOps environment, upgrades can be simplified through automation, orchestration, and separation of concerns.
Notice
- Upgrading from PingAccess versions prior to 6.3.6 will not work using this method.
Caveats
- This Document Assumes Kubernetes and Helm
  The terms in this document focus on deployments in a Kubernetes environment using the ping-devops Helm chart. However, the concepts should apply to any containerized PingAccess deployment.
- This Document Will Become Outdated
  The examples referenced in this document point to a specific tag. This tag may no longer exist at the time of reading. To correct the issue, update the tag in your file to N-1 from the current PF version.
- Irrelevant Ingress
  The values.yaml files mentioned in this document expect an nginx ingress controller with class nginx-public. It is not an issue if your environment does not have this class. In such cases, the created ingresses will not be used.
Configuration Forward
Steps:
- Deploy your old version of PingAccess with server profile
- Export the configuration as a data.json file
- Copy the pa.jwk file to your server profile
- Deploy new PingAccess version with server profile
Here we will walk through an example upgrade.
Deploy your old version of PingAccess with server profile
Make sure you have a devops-secret
If you are using this example as-is, you will need a devops-secret
Be sure to change the ingress domain name value to your domain in 01-original.yaml
Be sure to change the image tag value in 01-original.yaml
In order to use the baseline server profile as outlined in this guide, you have to deploy PingFederate along with PingAccess
Navigate to the getting started repository and deploy your old version of PingAccess.
$ helm upgrade --install pa-upgrade pingidentity/ping-devops -f 30-helm/pingaccess-upgrade/01-original.yaml
Export the configuration as a data.json file
After your cluster is healthy, export the configuration as a JSON file and add it to your server profile so that the start-up-deployer can use it to configure your upgraded PingAccess.
$ curl -k -u Administrator:2FederateM0re -H "X-Xsrf-Header: PingAccess" https://pa-upgrade-pingaccess-admin.ping-devops.com/pa-admin-api/v3/config/export >~/<insert path to server profile here>/pingaccess/instance/data/data.json
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 22002 100 22002 0 0 42664 0 --:--:-- --:--:-- --:--:-- 43056
Copy the pa.jwk file to your server profile
Copy the
$ kubectl cp pa-upgrade-pingaccess-admin-0:/opt/out/instance/conf/pa.jwk ~/<insert path to server profile here>/pingaccess/instance/conf/pa.jwk
Defaulted container "pingaccess-admin" out of: pingaccess-admin, wait-for-pingfederate-engine (init), generate-private-cert-init (init)
tar: removing leading '/' from member names
Check that the data.json and pa.jwk files have been updated in your server profile, then push these changes to your repository.
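The curl command above saves whatever the server returns, so a failed login or an ingress error leaves an error body in data.json instead of a configuration export. The check below is an added example, not part of the original guide; the function names are hypothetical, and it assumes both data.json and pa.jwk are JSON objects.

```shell
#!/bin/sh
# Added example (not from the PingAccess docs): check an exported profile
# before pushing it. File paths follow the ones used in this guide.

# is_json_object FILE: succeed only if FILE parses as a JSON object.
is_json_object() {
    if command -v jq >/dev/null 2>&1; then
        jq -e 'type == "object"' "$1" >/dev/null 2>&1
    elif command -v python3 >/dev/null 2>&1; then
        python3 -c 'import json, sys
sys.exit(0 if isinstance(json.load(open(sys.argv[1])), dict) else 1)' \
            "$1" 2>/dev/null
    else
        # No parser available: only check the first non-blank character.
        [ "$(tr -d ' \t\r\n' < "$1" | cut -c1)" = "{" ]
    fi
}

# check_export PROFILE_DIR [MAX_AGE_MIN]
# Return 0 only if data.json and pa.jwk both exist, are non-empty JSON
# objects, and were modified within MAX_AGE_MIN minutes (default 60).
check_export() {
    profile=$1
    max_age=${2:-60}
    for rel in pingaccess/instance/data/data.json \
               pingaccess/instance/conf/pa.jwk; do
        f="$profile/$rel"
        if [ ! -s "$f" ]; then
            echo "FAIL: $rel is missing or empty" >&2
            return 1
        fi
        if ! is_json_object "$f"; then
            echo "FAIL: $rel is not a JSON object (saved error page?)" >&2
            return 1
        fi
        if [ -z "$(find "$f" -mmin -"$max_age" 2>/dev/null)" ]; then
            echo "FAIL: $rel not modified in the last $max_age minutes" >&2
            return 1
        fi
    done
    echo "OK: data.json and pa.jwk look like a fresh export"
}

# Usage: check_export ~/path/to/server-profile
```

Run it against the server profile directory right after the export and copy steps, and push only when it reports OK.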
Deploy new PingAccess version with server profile
Make sure to uninstall your old PingAccess cluster and remove any PVCs that were created.
$ helm uninstall pa-upgrade
release "pa-upgrade" uninstalled
$ kubectl get pvc
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
out-dir-pa-upgrade-pingaccess-admin-0 Bound pvc-c1e5cd9b-35f5-4260-8704-3075fcf9b36e 4Gi RWO gp2 7m5s
$ kubectl delete pvc out-dir-pa-upgrade-pingaccess-admin-0
persistentvolumeclaim "out-dir-pa-upgrade-pingaccess-admin-0" deleted
Finally, update the PingAccess image version to the new target version and run.
Be sure to change the ingress domain name value to your domain in 02-upgraded.yaml
Be sure to change the image tag value in 02-upgraded.yaml
Be sure to change the server profile url and path in 02-upgraded.yaml
$ helm upgrade --install pa-upgrade pingidentity/ping-devops -f 30-helm/pingaccess-upgrade/02-upgraded.yaml
At this time, you should have an upgraded PingAccess instance.