Skip to main content

Upgrade 5.1.0 to 5.1.1

Upgrade from Operator-based to Helm-based Installation

In IBM DevOps Solution Workbench 5.1.1, the installation method changes from Operator-based to Helm chart-based. Follow the steps below to upgrade to 5.1.1.

1. Save your installation configuration

In the OpenShift Console, in your installation namespace:

  1. Go to Operators → Installed Operators.
  2. Open the IBM DevOps Solution Workbench Operator.
  3. Open the ISW tab and open your instance in YAML view.
  4. Save the full content, especially all values under spec.values.

2. Uninstall IBM DevOps Solution Workbench (application instance)

In the OpenShift Console, in your installation namespace:

  1. Go to Operators → Installed Operators.
  2. Open the IBM DevOps Solution Workbench Operator.
  3. Delete your ISW instance.
  4. Verify that all pods have been deleted before continuing.

3. Uninstall the IBM DevOps Solution Workbench Operator

In the OpenShift Console, in your installation namespace:

  1. Go to Operators → Installed Operators.
  2. Uninstall the IBM DevOps Solution Workbench Operator.
  3. Optionally remove any CatalogSource and ImageContentSourcePolicy resources you created for the Operator; they are no longer needed.

4. Install IBM DevOps Solution Workbench via Helm

  1. Follow the Installation Process.

  2. Apply the values from your saved ISW instance (spec.values) to the Helm deployment:

    • spec.values.global.* → use as global.k5.* in the Helm chart.
    • spec.values.service-builder.* → use as the same path under the Helm chart (without the service-builder prefix).

    Examples:

ISW Custom Resource (spec.values...)Helm chart value
spec.values.global.network.egressPolicy.enabledglobal.k5.network.egressPolicy.enabled
spec.values.global.routes.annotationsglobal.k5.routes.annotations
spec.values.service-builder.k5-asset-manager.mongoDb.dbNamek5-asset-manager.mongoDb.dbName
spec.values.service-builder.k5-designer-backend.mongoDb.dbNamek5-designer-backend.mongoDb.dbName
spec.values.service-builder.k5-links-manager.mongoDb.dbNamek5-pipeline-manager.mongoDb.dbName
spec.values.service-builder.k5-pipeline-manager.tekton.cleanup.enabledk5-pipeline-manager.tekton.cleanup.enabled
spec.values.service-builder.k5-pipeline-manager.tekton.cleanup.keepLastPipelineRunsk5-pipeline-manager.tekton.cleanup.keepLastPipelineRuns
spec.values.service-builder.k5-pipeline-manager.tekton.cleanup.scheduleInMinutesk5-pipeline-manager.tekton.cleanup.scheduleInMinutes

5. Migrate mandatory Product Configuration secrets

Some existing mandatory Product Configuration secrets are no longer used because they are now part of the Helm chart. Handle them as follows.

❗️info

Back up the following secrets before you continue.

Secrets replaced by Helm values (back up, then configure via Helm):

  • IAM Configuration (k5-iam-settings):
    • Parameter hostname is now set via the helm chart: --set global.k5.identity.url
    • Parameter realm is now set via the helm chart: --set global.k5.identity.realm
  • IAM Credentials (k5-iam-secret):
    • Parameter adminUsername is now set via the helm chart: --set global.k5.identity.username
    • Parameter adminPassword is now set via the helm chart: --set global.k5.identity.password
❗️info

Keycloak’s latest versions no longer use the /auth path by default, and IBM DevOps Solution Workbench no longer expects it. You can still include /auth in the base URL if your Keycloak instance uses it.

Example: if hostname in k5-iam-settings was https://keycloak.apps.my.cloud and your Keycloak URL includes /auth, set:

--set global.k5.identity.url=https://keycloak.apps.my.cloud/auth

during your helm deployment.

Secret you must keep in the cluster:

  • Master Key (k5-encryption-master-key):
    • You must keep this secret in your cluster and tell the helm chart that it should not create a new secret by:
      • set via the helm chart: --set global.k5.secrets.masterkeyCreate=false
warning

Please be careful and ensure that you do not lose this key!!! Losing/changing the master key will cause data loss, because user tokens are encrypted with that and can't be decrypted without it! In this case all encrypted data is invalid, hence all users have to remove and renew the saved Git Tokens and API Keys.

Secrets you should/can keep in the cluster:

  • MongoDB (k5-designer-mongodb):
    • By default, the IBM DevOps Solution Workbench helm chart will deploy and configure an own database (ferretdb instance).
    • If you want to keep and use your already running mongoDb instance set the following helm chart variables:
      • set via the helm chart: --set global.k5.secrets.mongodbConnectionString='' and --set database.enabled=false
  • Truststore (k5-hub-truststore)
    • By default, the IBM DevOps Solution Workbench helm chart will create an own truststore secret including most common certificates.
    • If you want to keep your existing truststore set the following helm chart variable:
      • set via the helm chart: --set truststore.create=false

6. Update k5project instances (CRs)

Keycloak’s removal of the /auth path (see above) also affects existing Deployment Targets. If your Keycloak URL still includes /auth, add it to the Keycloak URL in every k5project Custom Resource under spec.configuration.iam.host.

Before (example):

apiVersion: k5.project.operator/v1
kind: k5project
metadata:
  name: dev-stage
  namespace: dev-stage
spec:
  configuration:
    ...
    iam:
      autoConfiguration:
        enabled: true
      host: 'https://keycloak.apps.ocp43.tec.uk.ibm.com'
...

After (only if your Keycloak instance still uses the /auth path):

apiVersion: k5.project.operator/v1
kind: k5project
metadata:
  name: dev-stage
  namespace: dev-stage
spec:
  configuration:
    ...
    iam:
      autoConfiguration:
        enabled: true
      host: 'https://keycloak.apps.ocp43.tec.uk.ibm.com/auth'
...