How to upgrade Azure Key Vault to Kubernetes
Make sure to check the requirements before installing.
Upgrading akv2k8s is exactly the same as installing, with two exceptions:
- The crd (Custom Resource Definition) will not be upgraded by Helm and must be applied using
- Pods having env variables injected by Env Injector AND using centralized authentication (akv2k8s Auth Service) (which is default), must be killed to avoid pod failures if crashed
Update helm chart:
helm repo update
Run the Helm upgrade:
helm upgrade --install akv2k8s spv-charts/akv2k8s \ --namespace akv2k8s
Latest CRDs are always be available at https://github.com/SparebankenVest/azure-key-vault-to-kubernetes/tree/master/crds and can be installed manually by:
kubectl apply -f https://raw.githubusercontent.com/SparebankenVest/azure-key-vault-to-kubernetes/master/crds/AzureKeyVaultSecret.yaml
Note: If you delete the
AzureKeyVaultSecretCRD from Kubernetes, all resources of type
AzureKeyVaultSecretcreated in cluster will be removed. This is by design: https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#delete-a-customresourcedefinition
Version 1.2 of the Env Injector has changed how the Auth Service works. It now requires a client certificate and older versions of the Env Injector Sidecar does not work with version 1.2.
As a consequence of breaking changes in the akv2k8s Helm chart a major version bump to 2.x.x was required. Uninstallation of v1.1.x is required before installing v2.x.x.
helm uninstall akv2k8s -n akv2k8s
Note: Remember to upgrade the CRD manually if an old CRD version is applied to the cluster, as Helm does not handle CRD upgrades.