Upgrade Instructions

Upgrade Instructions

In order to upgrade the existing deployment of the Envoy Authorizer, use the helm upgrade command:

helm upgrade sidecar-test authz-envoy

Update the version of the authz-envoy-sidecar to 1.6.0 and apply this
configuration - kubectl apply -f samples/authz_v1_plainidinjector.yaml:

kind: PlainidInjector
spec:
  ...
  container:
    name: plainid-authz
    image: docker.io/plainid/authz-envoy-sidecar:1.6.0
    ...

Upgrade from version 1.2.x to 1.6.x

Helm chart
Helm chart name is changed, new name is authz-envoy.

Cert Management

Please note - if you are using the certificates that are included in the container, you will need to change to the
mount, as described below.
As part of the security enhancements in authz-operator version 1.6.0, the certificates are no longer included inside
of authz-operator container.
From version 1.6.0, the certificates should be mounted from a Secret.
Here is an example of plainid-controller-manager deployment with mounted certificates (templates/manager.yaml file):

spec:
  ...
  template:
    ...
    spec:
      ...
      containers:
        ...
        volumeMounts:
            - mountPath: /app/certs
              name: cert
              readOnly: true
              ...
      volumes:
        - name: cert
          secret:
            defaultMode: 420
            secretName: plainid-webhook-server-cert

Secret configuration is present in templates/webhook.yaml file and is taken from values.yaml file.

Example:

apiVersion: v1
kind: Secret
metadata:
  ...
  name: plainid-webhook-server-cert
type: Opaque
data:
  bundle.pem: { { .Values.webhook.bundle } }
  tls.crt: { { .Values.webhook.crt } }
  tls.key: { { .Values.webhook.key } }