Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Scar Migration - PEM-6444 #4968

Merged
merged 31 commits into from
Dec 17, 2024
Merged
Show file tree
Hide file tree
Changes from 21 commits
Commits
Show all changes
31 commits
Select commit Hold shift + click to select a range
7228791
fix: patch release
karl-cardenas-coding Nov 20, 2024
6d5c709
Merge branch 'master' into release-4-5-b
karl-cardenas-coding Nov 22, 2024
c6e8aca
Merge branch 'master' into release-4-5-b
karl-cardenas-coding Nov 25, 2024
2c36cec
docs: add custom security group ingress rules section PCP-1906 (#4781)
addetz Nov 26, 2024
5616940
docs: VM Migration Assistant (#4737)
benradstone Nov 27, 2024
ed661ce
docs: Update VM Migration Assistant pack parameters table (#4810)
benradstone Nov 27, 2024
df13e07
docs: add message brokers section PEM-6141 (#4818)
addetz Nov 28, 2024
b9db5eb
docs: add feature gate to the vm clone guide DOC-1491 (#4827)
addetz Nov 29, 2024
4e9927c
Merge branch 'master' into release-4-5-b
karl-cardenas-coding Dec 2, 2024
684c9a4
docs: Palette 4.5.b API docs (#4842)
ravi-k8 Dec 2, 2024
ad74067
docs: proxy certificates for earthly builds (#4807)
lennessyy Dec 5, 2024
662dd23
docs: update cluster profile update guides PEM-6443 (#4859)
addetz Dec 5, 2024
f51f18d
docs: add cluster-wide resources backup options PEM-5124 (#4860)
addetz Dec 5, 2024
5bf7baa
docs: multi-node airgap documentation (#4281)
lennessyy Dec 5, 2024
791e680
docs: PE-5647: Allow skipping of node drains when running cluster upg…
lennessyy Dec 5, 2024
b58c40a
Merge branch 'master' into release-4-5-b
karl-cardenas-coding Dec 6, 2024
e8022d9
docs: Adjust wording and examples (#4896)
kreeuwijk Dec 6, 2024
7386876
Merge branch 'release-4-5-b' of github.com:spectrocloud/librarium int…
karl-cardenas-coding Dec 7, 2024
3c3d139
docs: add scar migration guide
caroldelwing Dec 10, 2024
2e4cc32
docs: convert image
caroldelwing Dec 10, 2024
57c9b0a
docs: add partials
caroldelwing Dec 10, 2024
76f5d4b
docs: fix broken link
caroldelwing Dec 10, 2024
c9ba2b8
Optimised images with calibre/image-actions
vault-token-factory-spectrocloud[bot] Dec 10, 2024
2b78a7b
docs: update palette keyword
caroldelwing Dec 10, 2024
9d9119a
Merge branch 'pem-6444-scar-migration' of https://github.com/spectroc…
caroldelwing Dec 10, 2024
c5f3ebb
Merge branch 'master' into pem-6444-scar-migration and fix merge conf…
caroldelwing Dec 16, 2024
7aa2730
docs: remove duplicate entry
caroldelwing Dec 16, 2024
8f91a02
docs: Apply suggestions from code review
caroldelwing Dec 16, 2024
4096780
Merge branch 'master' into pem-6444-scar-migration
caroldelwing Dec 16, 2024
63ea8d5
docs: address review suggestions
caroldelwing Dec 16, 2024
0c7b302
docs: address additional suggestions
caroldelwing Dec 17, 2024
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
354 changes: 354 additions & 0 deletions _partials/self-hosted/_scar-migration.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,354 @@
---
partial_category: self-hosted
partial_name: scar-migration
---

The {props.edition} installation process requires users to configure and maintain an HTTP server to host {props.edition} manifests. This
server is known as the Spectro Cloud Artifact Regisry (SCAR). Alternatively, users now have the option to migrate these
manifests to the same OCI registry that hosts the {props.edition} images and packs. This migration is handled by a service
called Specman, which fetches the manifests from the OCI registry and serves them via an internal HTTP server.
caroldelwing marked this conversation as resolved.
Show resolved Hide resolved

The migration process involves two main steps:

- Pushing the {props.edition} manifests to the OCI registry.
- Updating the SCAR endpoint to point to the new internal HTTP server.

Once the migration is complete, there is no longer a need to maintain a separate file server exclusively for hosting the
{props.edition} manifests.

This guide will walk you through the steps required to push the {props.edition} manifests to the OCI registry and update the
caroldelwing marked this conversation as resolved.
Show resolved Hide resolved
SCAR endpoint.

## Prerequisites

- A deployed {props.edition} <PaletteVertexUrlMapper
caroldelwing marked this conversation as resolved.
Show resolved Hide resolved
edition={props.edition}
text="cluster"
palettePath="/install-palette"
vertexPath="/install-palette-vertex"
/> that uses a customer-managed SCAR to host {props.edition}
manifests.
- Access to the kubeconfig file for the {props.edition} cluster to verify the SCAR endpoint update.

:::tip

If you deployed {props.edition} using the Palette CLI, you can download the kubeconfig file from the {props.edition} cluster details
page in the system console. Navigate to the **Enterprise Cluster Migration** page and click on the **Admin
Kubeconfig** link to download the kubeconfig file. If you deployed {props.edition} to an existing Kubernetes cluster, contact
caroldelwing marked this conversation as resolved.
Show resolved Hide resolved
your cluster administrator to obtain the kubeconfig file. For instructions on using the kubeconfig file to access your
cluster, refer to the [Access Cluster with CLI](../../clusters/cluster-management/palette-webctl.md) guide.

:::

- Access to the file server that hosts the {props.edition} manifests.
- The {props.edition} cluster must have been upgraded to version `4.5.13` or later. This is required for the SCAR migration to
function properly.
- Access to the {props.edition} system console.
- Ensure the following software is installed and available in the environment hosting the file server. For example, if
you deployed an airgapped instance of {props.edition} using the CLI, these tools must be available on your airgap support VM.

- [tar](https://www.gnu.org/software/tar/)
- [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) - Required only for AWS
ECR.
- [ORAS](https://oras.land/docs/installation/) v1.0.0

:::warning

This specific version of ORAS is explicitly required for pushing packs to OCI registries.

:::

- Ensure the following software is installed and available locally.
caroldelwing marked this conversation as resolved.
Show resolved Hide resolved
- [curl](https://curl.se/docs/install.html)
- [jq](https://jqlang.github.io/jq/download/)
- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/)

## Migrate SCAR

caroldelwing marked this conversation as resolved.
Show resolved Hide resolved
1. Open a terminal window in the environment hosting the file server and navigate to the folder where the {props.edition}
caroldelwing marked this conversation as resolved.
Show resolved Hide resolved
manifests are stored. For example, if you deployed {props.edition} using the CLI, navigate to the `/var/www/html/`
directory.

```shell
cd /var/www/html/
```

2. Compress the folder contents into an archive file called `manifests.tgz`. Issue the following command to create the
archive.

```shell
tar -czvf manifests.tgz .
```

3. After compressing the files, authenticate with the OCI registry that hosts the {props.edition} images and packs.

:::tip

If you deployed {props.edition} using the CLI, the OCI registry address is provided by the `airgap-setup.sh` script. If you
caroldelwing marked this conversation as resolved.
Show resolved Hide resolved
deployed {props.edition} with Helm charts to an existing Kubernetes cluster, contact your cluster administrator for the OCI
registry configuration.

:::

<!-- prettier-ignore -->
<Tabs groupId="registry">
caroldelwing marked this conversation as resolved.
Show resolved Hide resolved
<TabItem label="ECR" value="ECR_Registry">

Authenticate to your ECR registry using the `aws ecr get-login-password` command. This command generates an ECR
authorization token, which is then passed to the `oras login` command with `AWS` as username. Replace `<aws-region>`
with the AWS region where your ECR registry is configured, and `<aws-account-id>` with your AWS account ID.

```bash
aws ecr get-login-password --region <aws-region> | oras login --username AWS --password-stdin <aws-account-id>.dkr.ecr.<aws-region>.amazonaws.com
```

If the login is successful, you will receive the following confirmation message.

```hideClipboard
Login Succeeded
```

<!-- prettier-ignore -->
</TabItem>
<TabItem label="Harbor" value="Harbor_Registry">

Use `oras` to log in to your OCI registry. Replace the values below with your environment configuration. For
additional information about CLI flags and examples, check out the
[oras login](https://oras.land/docs/commands/oras_login) documentation. Replace `<harbor-address>` with the address
of your Harbor registry without the `https://` prefix, and `<harbor-username>` and `<harbor-password>` with your
Harbor credentials.

```shell
oras login <harbor-address> --username <harbor-username> --password <harbor-password>
```

If you are using a Harbor registry with a self-signed certificate, you must add the `--insecure` flag according to the following example.

```shell
oras login <harbor-address> --insecure --username <harbor-username> --password <harbor-password>
```

If the login is successful, you will receive the following confirmation message.

```hideClipboard
Login Succeeded
```

<!-- prettier-ignore -->
</TabItem>
</Tabs>

4. Push the `manifests.tgz` file to your OCI registry.
<!-- prettier-ignore -->
<Tabs groupId="registry">
<TabItem label="ECR" value="ECR_Registry">

Issue the following command to push the `manifests.tgz` file to your ECR registry. Replace `<aws-region>` with the AWS region where your ECR registry is configured and `<aws-account-id>` with your AWS account ID.

```shell
oras push <aws-account-id>.dkr.ecr.<aws-region>.amazonaws.com/spectro-packs/spectro-manifests/manifest:0.0.0 manifests.tgz
```

<!-- prettier-ignore -->
</TabItem>
<TabItem label="Harbor" value="Harbor_Registry">

Issue the following command to push the `manifests.tgz` file to your Harbor registry. Replace `<harbor-address>` with the address of your Harbor registry.

```shell
oras push <harbor-address>/spectro-packs/spectro-manifests/manifest:0.0.0 manifests.tgz
```

<!-- prettier-ignore -->
</TabItem>
</Tabs>

5. Next, login to the {props.edition} system console and select **Administration** from the left **Main Menu**.

6. Select **Pack Registries**, click on the **three-dot Menu**, and then select **Edit**.
caroldelwing marked this conversation as resolved.
Show resolved Hide resolved

7. Check the **Contains Spectro Manifests** box, click **Validate**, and then click **Confirm**.

![View of the 'Contains Spectro Manifests' OCI registry box.](/enterprise-version_system-management_scar-migration.webp)

8. In a terminal with connectivity to your {props.edition} cluster, issue the following command to verify that the `Specman`
service is fetching the content pushed to the OCI registry in step **4** of this guide, with the tag `0.0.0`.

```shell
kubectl logs --namespace hubble-system specman-0
```

```text hideClipboard
time="2024-12-06T12:43:14Z" level=info msg="Syncing with OCI repo"
time="2024-12-06T12:43:14Z" level=info msg="tags[4.5.11 4.5.13 0.0.0]"
time="2024-12-06T12:43:14Z" level=info msg="Downloading 0.0.0"
time="2024-12-06T12:43:14Z" level=info msg="tags[4.5.11 4.5.13 0.0.0]"
time="2024-12-06T12:43:14Z" level=info msg="Downloading 0.0.0"
time="2024-12-06T12:43:14Z" level=info msg="listing dir /tmp/0.0.03808764833"
time="2024-12-06T12:43:14Z" level=info msg="filename: manifests.tgz, isDir: false"
time="2024-12-06T12:43:14Z" level=info msg="Persisting 0.0.0"
```

9. The final step to complete the migration involves updating the SCAR endpoint to the internal HTTP server endpoint
that now serves the {props.edition} manifests: `https://specman-service.hubble-system.svc.cluster.local:8443`. Issue the
following command to create the script responsible for updating the endpoint.

```shell
cat << 'EOF1' > scar-registry-update.sh
#!/bin/bash
###############################################################################
# Usage:
# ./ec-scar-registry-update.sh https://<PALETTE_URL> admin <SYS_ADMIN_PASSWORD>
###############################################################################
#

set -u
caroldelwing marked this conversation as resolved.
Show resolved Hide resolved
set -x
caroldelwing marked this conversation as resolved.
Show resolved Hide resolved

export ENDPOINT=$1
export SYSTEM_ADMIN_USERNAME=$2
export SYSTEM_ADMIN_PASSWORD=$3

export SCAR_ENDPOINT=https://specman-service.hubble-system.svc.cluster.local:8443
export SCAR_USERNAME=
export SCAR_PASSWORD=

auth_request() {
cat <<EOF
{
"username": "${SYSTEM_ADMIN_USERNAME}",
"password": "${SYSTEM_ADMIN_PASSWORD}"
}
EOF
}

scar_request(){
cat <<EOF
{
"endpoint": "${SCAR_ENDPOINT}",
"password": "${SCAR_PASSWORD}",
"username": "${SCAR_USERNAME}"
}
EOF
}

get_auth_token() {
authtoken=$(curl -k --location --silent --request POST "${ENDPOINT}/v1/auth/syslogin?setCookie=true" \
caroldelwing marked this conversation as resolved.
Show resolved Hide resolved
--header 'Content-Type: application/json' \
--data "$(auth_request)" | jq ."Authorization")
if [[ "${authtoken}" == null ]]; then
echo "Error Logging in. Please check the credentials and URL"
exit 1
fi
}

update_scar_repo() {
response=$(curl -k --write-out '%{http_code}' --silent --output /dev/null --location --request PUT "${ENDPOINT}/v1/system/config/scar" \
caroldelwing marked this conversation as resolved.
Show resolved Hide resolved
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header "Cookie: Authorization=${authtoken}" \
--data-raw "$(scar_request)")
if [[ "${response}" != "204" ]]; then
echo "Error: Unable to update the Scar Repo"
else
echo "Success Setting the Scar Repo. Waiting for a minute to get the changes syncing"
sleep 60
fi
}

update_instance_type() {
response=$(curl -k --write-out '%{http_code}' --location "${ENDPOINT}/v1/jobs/internal/syncCloudInstanceTypesData/run" \
caroldelwing marked this conversation as resolved.
Show resolved Hide resolved
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header "Cookie: Authorization=${authtoken}")
if [[ "${response}" != "204" ]]; then
echo "Error: Unable to update the Instance Type"
else
echo "Started Syncing Storage Type from the palette Service"
fi
}

update_storage_type() {
response=$(curl -k --write-out '%{http_code}' --location "${ENDPOINT}/v1/jobs/internal/syncCloudStorageTypesData/run" \
caroldelwing marked this conversation as resolved.
Show resolved Hide resolved
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header "Cookie: Authorization=${authtoken}")
if [[ "${response}" != "204" ]]; then
echo "Error: Unable to update the Storage Type"
else
echo "Started Syncing Storage Type from the palette Service"
fi
}

get_auth_token
update_scar_repo
update_instance_type
update_storage_type

echo "Wait for 5 minute for the sync process to complete."
EOF1
```

10. Grant execution permissions to the `scar-registry-update.sh` script.

```shell
chmod +x scar-registry-update.sh
```

11. Invoke the script to update the SCAR endpoint. Replace `<cluster-url>` with the address of your {props.edition} instance and
`<sys-admin-password>` with the system administrator password.

```shell
./scar-registry-update.sh <cluster-url> admin <sys-admin-password>
```

Consider the following example for reference.

```shell hideClipboard
./scar-registry-update.sh https://example.spectrocloud.com admin examplepassword
```

The following message confirms that the script has completed its tasks.

```text hideClipboard
Wait for 5 minutes for the sync process to complete.
```

caroldelwing marked this conversation as resolved.
Show resolved Hide resolved
## Validate

Use the following steps to verify that the endpoint was updated successfully.

1. Export your {props.edition} credentials as environment variables. Replace `<cluster-url>` with the
address of your {props.edition} cluster and `<sys-admin-password>` with the system administrator password.

```shell
export ENDPOINT=<cluster-url>
export PASSWORD=<sys-admin-password>
```

2. Issue the following command to confirm that the endpoint was correctly updated.
caroldelwing marked this conversation as resolved.
Show resolved Hide resolved

```shell
AUTH_TOKEN=$(curl --location "${ENDPOINT}/v1/auth/syslogin" \
--header 'Content-Type: application/json' \
--data '{
"username": "admin",
"password": "'${PASSWORD}'"
}' | jq ."Authorization")

curl --location "${ENDPOINT}/v1/system/config/scar" \
--header "Cookie: Authorization=${AUTH_TOKEN}"
```

:::tip

If your cluster is using the default self-signed certificate, you can use the `--insecure` flag with the `curl` commands
to bypass the certificate check.

:::

The output should contain the updated SCAR endpoint.

```text hideClipboard
{"endpoint":"https://specman-service.hubble-system.svc.cluster.local:8443"}
```
Loading
Loading