Upgrade server
This page describes the steps needed to upgrade your CircleCI server v4.2 installation.
A successful deployment will update the web app. Unless noted in the release notes, updates are rolling updates and there is no downtime.
| We recommend that you do not skip releases when upgrading. |
Prerequisites
-
Ensure you have access to the Kubernetes cluster in which server is installed.
-
Ensure you have set up Backup and Restore.
-
Ensure there is a recent backup. For more information, see the Backup and Restore guide.
-
If you are upgrading from Server v4.1.x to Server v4.2.0, and have chosen to manage secrets yourself, follow the User-managed secrets migration 4.1.x-4.2.0 step before upgrading.
User-managed secrets migration 4.1.x-4.2.0
From server v4.2, CircleCI server auto-generates the following secrets if not present in the Kubernetes namespace:
Before upgrading to Server 4.2: If you manage the secrets listed above yourself, run the following command for each secret to let CircleCI server know that they already exist.
kubectl -n <namespace> annotate secret/<secret-name> \
meta.helm.sh/release-name=<helm-release-name> \
meta.helm.sh/release-namespace=<namespace> \
helm.sh/resource-policy=keep --overwrite
kubectl -n <namespace> label secret/<secret-name> \
app.kubernetes.io/managed-by=Helm --overwriteUpgrade steps
-
Check the changelog and make sure there are no actions you need to take before deploying a new version.
-
Export the "RabbitMQ" password. We are also upgrading the RabbitMQ Helm chart during this upgrade.
export RABBITMQ_PASSWORD=$(kubectl get secret --namespace <namespace> rabbitmq-key -o jsonpath="{.data.rabbitmq-password}" | base64 -d) -
Optionally, confirm what the update is going to do using Helm Diff:
helm diff upgrade circleci-server oci://cciserver.azurecr.io/circleci-server -n $namespace --version <version> -f <path-to-values.yaml> --username $USERNAME --password $PASSWORD -
Perform the upgrade:
helm upgrade circleci-server oci://cciserver.azurecr.io/circleci-server -n $namespace --version <version> -f <path-to-values.yaml> --username $USERNAME --password $PASSWORD -
Deploy and run
reality checkin your test environment to ensure your installation is fully operational.
Vault
We have moved away from Vault to Tink for encryption. The process for migration is documented here, and includes a convenience script to move existing secrets. You should complete the migration to Tink on your v4.2.x installation after upgrading. Customers that do not perform this step may have issues restoring Vault from backup in v4.2.