How to externally upgrade your Air-gapped Edge site
If you have an Air-gapped Edge site, you can download a new Zarf package to upgrade your site. You can also review the Software Bill of Materials, (SBOM) which outlines what is included in the upgrade, before upgrading your Edge sites. For more information about ZARF SBOMs, go to the ZARF SBOMs documentation.
Steps
- From the Downloads page, click the latest Collibra Zarf package. Note If you do not see Collibra CPSH extended capabilities please reach out to your Collibra account team.
- From the Collibra Zarf package page, click and download the Edge Zarf package.
- Set up your kubeconfig or kubecontext so that it points to the same Kubernetes cluster as your existing Air-gapped Edge site.
- If you don't plan to install Technical lineage Collibra Platform Self-Hosted, apply these priority classes with
kubectl apply -f cpsh-priority-classes.yamland/cpsh-platform-zarf-package/resources/cpsh-priority-classes.yaml:CopyapiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: platform
value: 10000000
description: "Platform supporting services level"
---
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: application
value: 100000
description: "Application level"
---
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: job
value: 1000
description: "Job level" -
If you are using an Openshift cluster, deploy Security Context Constraints (SCC) which provide Edge service accounts with the required permissions.
How to create and install security constraints…
- Create the SCC file, for example, edge-scc-minimal.yaml, and paste the following information into it:
Copy
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: edge-scc-documented
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: []
allowedUnsafeSysctls: []
defaultAddCapabilities: []
fsGroup:
type: MustRunAs
priority: null
readOnlyRootFilesystem: true
requiredDropCapabilities: []
runAsUser:
type: MustRunAs
uid: 1000
seLinuxContext:
type: MustRunAs
seLinuxOptions:
level: "s0"
role: "system_r"
type: "container_t"
user: "system_u"
seccompProfiles:
- 'runtime/default'
supplementalGroups:
type: MustRunAs
# who can use it
users: []
groups: [system:authenticated] - Create the SCC-role file, for example, edge-scc-role-minimal.yaml, and paste the following information into it:
Copy
# File: edge-scc-role-minimal.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: edge-scc-minimal
rules:
- apiGroups:
- security.openshift.io
resourceNames:
- edge-scc-minimal
resources:
- securitycontextconstraints
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: edge-scc-minimal
subjects:
- kind: Group
name: system:serviceaccounts
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: edge-scc-minimal
apiGroup: rbac.authorization.k8s.io - Deploy both the SCC and SCC-role files:
Copy
kubectl apply -f edge-scc-minimal.yaml
kubectl apply -f edge-scc-role-minimal.yaml -n <my-namespace>
- Create the SCC file, for example, edge-scc-minimal.yaml, and paste the following information into it:
- Using the Zarf CLI:
- Copy and paste the following command in the Zarf CLI:Copy
zarf package deploy <PATH TO ZST PACKAGE> \
--set PLATFORM_ID=<DGC URL> \
--set PLATFORM_USER=<DGC ADMIN NAME> \
--set PLATFORM_PASSWORD=<DGC ADMIN PASSWORD> \
--set SITE_NAME=<SITE_NAME> \
--set EDGE_BACKUP_FILE=<EDGE_BACKUP_FILE> - Enter the relevant details for each installation flag. For example, enter your Collibra Platform Self-Hosted URL for
<DGC URL>.Show me the Zarf flags…Flag Description zarf package deploy <PATH TO ZST PACKAGE>The path Edge site Zarf package you downloaded. --set PLATFORM_ID=<DGC URL>The URL of your Collibra Platform Self-Hosted. --set PLATFORM_USER=<DGC ADMIN NAME>The username of your Collibra admin. --set PLATFORM_PASSWORD=<DGC ADMIN PASSWORD>The password of your Collibra admin. --set SITE_NAME=<SITE_NAME>The name of your existing Edge site.
Warning The site name must exactly match the existing Edge site you want to upgrade. If it doesn't match, a second Edge site is created without your connections or capabilities, and your original Edge site is unhealthy.--set EDGE_BACKUP_FILE=<EDGE_BACKUP_FILE>If you have stored the Edge site backup file somewhere other than the default location, specify the file path to your Edge site backup. --set OPENSHIFT_ENABLED=trueAdd this flag if you are deploying your Air-gapped Edge site on an OpenShift cluster. This enables the required Security Context Constraints (SCC) and OpenShift-specific configuration for the Edge site pods. - Run command to upgrade the Edge site. Your Air-gapped Edge site is created and deployed.Note If an Air-gapped Edge site fails to install on your Kubernetes cluster, a site is still created in Edge. You can choose to do one of the following:
- Remove the failed Edge site from your Kubernetes cluster and Edge by running the following command:Copy
zarf package remove ZARF_PACKAGE_FILE/ZARF_PACKAGE_NAME - Remove the failed Edge site from your Kubernetes cluster, but keep the Edge site in Edge by running the following command:CopyWhen you try to install or reinstall the failed Air-gapped Edge site installation, you can use the same name to reuse the Edge site in Edge.
ZARF_VAR_KEEP_CPSH_EDGE_SITE=true \
zarf package remove ZARF_PACKAGE_FILEZARF_PACKAGE_NAME
- Remove the failed Edge site from your Kubernetes cluster and Edge by running the following command:
- Copy and paste the following command in the Zarf CLI:
- Log in to Edge to add connections and capabilities to your Air-gapped Edge site.
What's next?
- Review the Compatibility between Edge sites and Collibra Platform Self-Hosted to know when you need to either reinstall your Edge site for an upgraded version of k3 or upgrade to the latest Edge supported version of your managed Kubernetes.
- Optionally, set up a private docker registry to easily incorporate Edge into your existing security procedures and perform your own security scans before upgrading to a new version of Edge site.