Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added 3.1.2 to 3.2 warning note per TFDEV-2318

📙 You will learn

How to upgrade a Kubernetes deployment of ThreadFix with Helm.

Prerequisites

Audience: IT Professional
Difficulty: Basic
Time needed: Approximately 10 minutes
Tools required: See Pre-requisites list below

Pre-requisites list

  • ThreadFix instance running in Kubernetes

  • kubectl access to Kubernetes cluster

  • Helm version greater than 3.5

Note

Users upgrading from 3.1.2 please view the 3.2 Release Notes for a potential additional upgrade step.

Upgrading

Enter the following commands on a command line to perform the described action.

  1. Add the Denim Group Helm repository if not present:

    Code Block
    helm repo add denimgroup https://threadfix-downloads.s3-us-west-2.amazonaws.com/helm/

  2. Backup the ThreadFix instance by following the Backup & Restoreguide.

  3. Get the Helm release name for the ThreadFix instance.

    Code Block
    TF_RELEASE=$(helm ls | grep threadfix | awk '{print $1}')

  4. Get the current installed version of ThreadFix.

    Code Block
    TF_VERSION=$(helm ls --filter "$TF_RELEASE" | grep -o 'threadfix-[Az0-9\.\-]*' | sed 's|threadfix-||g')

  5. ThreadFix automatically generates internal credentials if not explicitly provided. If not already done so, save these in a secure location for recovery purposes.

    1. Network properties:

      Code Block
      kubectl get secrets ${TF_RELEASE}-network-props -o go-template='{{index .data "network.properties"}}' | base64 -d
    2. Database password:

      Code Block
      kubectl get secret ${TF_RELEASE}-db -o jsonpath='{ .data.password }' | base64 -d
    3. Postgres password:

      Code Block
      kubectl get secret ${TF_RELEASE}-postgresql -o jsonpath='{ .data.postgresql-password }' | base64 -d
    4. ESAPI encryption keys:

      Code Block
      kubectl get secret ${TF_RELEASE}-config-secrets -o go-template='{{ index .data "ESAPI.properties" }}' | base64 -d | grep ESAPI.Master

  6. Pull the latest chart from Denim Group's Helm repository for ThreadFix.

    Code Block
    helm repo update

  7. Check the latest available version.

    Code Block
    helm search repo threadfix

  8. Review the release notes prior to upgrading. Not all upgrade paths are supported.

  9. (Optional) If changes to the charts values are required:

    1. Export the currently installed Helm values.

      Code Block
      helm get values $TF_RELEASE > myValues.yaml
    2. Make necessary changes to the myValues.yaml file.

    3. Pass the modified values file in the the helm upgrade command with -f myValues.yaml.

  10. Upgrade ThreadFix with Helm (include -f myValues.yaml if modifying installation values).

    Code Block
    helm upgrade $TF_RELEASE denimgroup/threadfix

  11. Follow the Upgrade Validation Checklist to validate the ThreadFix upgrade has completed successfully. If there are any issues, users may rollback to the previous state with:

    Code Block
    helm rollback $TF_RELEASE

    If rolling back a failed upgrade, the user may have to restore the database from backup depending on the status of the database migration. Follow Backup & Restore for more information.

Table of Contents

Table of Contents