Start Building for Free
CircleCI.comAcademyBlogCommunitySupport

Upgrade server

2 months ago1 min read
Server v4.2
Server Admin
On This Page

This page describes the steps needed to upgrade your CircleCI server v4.2 installation.

A successful deployment will update the web app. Unless noted in the release notes, updates are rolling updates and there is no downtime.

Prerequisites

User-managed secrets migration 4.1.x-4.2.0

From server v4.2, CircleCI server auto-generates the following secrets if not present in the Kubernetes namespace:

Before upgrading to Server 4.2: If you manage the secrets listed above yourself, run the following command for each secret to let CircleCI server know that they already exist.

kubectl -n <namespace> annotate secret/<secret-name> \
  meta.helm.sh/release-name=<helm-release-name> \
  meta.helm.sh/release-namespace=<namespace> \
  helm.sh/resource-policy=keep --overwrite

kubectl -n <namespace> label secret/<secret-name> \
  app.kubernetes.io/managed-by=Helm --overwrite

Upgrade steps

  1. Check the changelog and make sure there are no actions you need to take before deploying a new version.

  2. Export the "RabbitMQ" password. We are also upgrading the RabbitMQ Helm chart during this upgrade.

    export RABBITMQ_PASSWORD=$(kubectl get secret --namespace <namespace> rabbitmq-key -o jsonpath="{.data.rabbitmq-password}" | base64 -d)
  3. Optionally, confirm what the update is going to do using Helm Diff:

    helm diff upgrade circleci-server oci://cciserver.azurecr.io/circleci-server -n $namespace --version <version> -f <path-to-values.yaml> --username $USERNAME --password $PASSWORD
  4. Perform the upgrade:

    helm upgrade circleci-server oci://cciserver.azurecr.io/circleci-server -n $namespace --version <version> -f <path-to-values.yaml> --username $USERNAME --password $PASSWORD
  5. Deploy and run reality check in your test environment to ensure your installation is fully operational.

Vault

We have moved away from Vault to Tink for encryption. The process for migration is documented here, and includes a convenience script to move existing secrets. You should complete the migration to Tink on your v4.2.x installation after upgrading. Customers that do not perform this step may have issues restoring Vault from backup in v4.2.


Suggest an edit to this page

Make a contribution
Learn how to contribute