Uninstallation and upgrade instructions

This article covers various topics of uninstallation, cleanup, and upgrade of Airlock Microgateway. Note that some instructions in this article are release-dependent because upgrading from Microgateway versions 4.0 and 4.1 to helm-install-based Microgateway 4.2 (and newer) is not possible.

Do not add the --reuse-values flag during the helm upgrade operations when upgrading to a different version of Airlock Microgateway/Helm charts. This flag would prevent updating some required settings and changes, such as new chart default values and container image digests.

If the helm upgrade command does not change the Airlock Microgateway version, the flag is safe to use in the commands below, e.g., to clean up test resources.

Upgrade from Microgateway 4.1 to 4.2

When changing from any older Airlock Microgateway 4 version to Microgateway 4.2 and newer, you must uninstall the old version first. Except the CRDs and the CNI plugin have been installed via Helm. The following brief sequence describes the upgrade from a Microgatway 4.x release to 4.2 and newer.
Note that the instructions must be performed in the correct order.

  1. Label all the applications that should be protected with Airlock Microgateway with the new label sidecar.microgateway.airlock.com/inject=true . This is necessary because we switched from annotation to label.
  2. Uninstall the Microgateway CNI plugin if it was installed with kustomize.

    3. Adapt the <environment> part before running the following command:

    copy
    kubectl kustomize --enable-helm https://github.com/airlock/microgateway/deploy/cni/<environment> | kubectl delete -f -
  3. Upgrade the Microgateway CNI plugin. If the CNI plugin was installed with kustomize the command is helm install instead of helm upgrade.
    4. copy
    helm upgrade airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0'
  4. Uninstall Microgateway deployments. Note that you must not uninstall the CRDs.
    5. copy
    kubectl delete -k https://github.com/airlock/microgateway/deploy/deployment/
kubectl delete -k https://github.com/airlock/microgateway/deploy/crd-rbac/
  5. Apply the new license. This is important because the license format changed in Microgateway 4.2.
    6. copy
    kubectl create namespace airlock-microgateway-system
kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt
  6. Update the CRDs. This will not break your current installation if not noted otherwise in the release notes of the new Microgateway version.
    7. copy
    kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.3.0
  7. Install the new Microgateway Operator.
    8. copy
    helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.3.0'
  8. You can verify the current Pod status by checking the version label. To finalize the upgrade process, manually restart all application Pods containing Microgateway Engine sidecars. See Uninstallation and upgrade (MGW) section in this article.

Uninstalling Microgateway versions 4.0 and 4.1

  1. Remove the label sidecar.microgateway.airlock.com/inject from your applications and make sure they are restarted.
  2. Uninstall Microgateway deployments and the CRDs.
    3. copy
    kubectl delete -k https://github.com/airlock/microgateway/deploy/deployment/
kubectl delete -k https://github.com/airlock/microgateway/deploy/crd-rbac/
kubectl delete -k https://github.com/airlock/microgateway/deploy/crds
  3. Uninstall the Microgateway CNI plugin.

    4. If the CNI plugin has been manually installed using kustomize adapt the <environment> part before running the following command:

    copy
    kubectl kustomize --enable-helm https://github.com/airlock/microgateway/deploy/cni/<environment> | kubectl delete -f -

    If the CNI plugin has been installed using helm, run:

    copy
    helm uninstall -n kube-system airlock-microgateway-cni

Uninstalling Microgateway version 4.2 and newer

Airlock Microgateway 4.2 and newer releases are helm-based and can be uninstalled using helm commands. However, helm does not support removing installed CRDs, which requires using kubectl delete commands to complete the uninstallation process.

  1. Remove the label sidecar.microgateway.airlock.com/inject from your applications and make sure they are restarted.
  2. Uninstall the Microgateway Operator.
    3. copy
    helm uninstall -n airlock-microgateway-system airlock-microgateway
  3. Uninstall the CRDs.
    4. copy

    Before uninstalling the CRDs make sure that no other Airlock Microgateway installation is existing.

    copy
    kubectl delete -k "https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=<installed-release-version>"
  4. Uninstall the Microgateway CNI plugin.
    5. copy
    helm uninstall -n kube-system airlock-microgateway-cni

Cleanup after installation tests for Microgateway version 4.2 and newer

CNI and operator test pods are not automatically uninstalled after test completion. We recommend uninstalling them after testing, even if they are inactive and do not require any resources.

  1. Delete the CNI test Pods.
    2. copy
    kubectl delete pod -n kube-system -l "app.kubernetes.io/instance=airlock-microgateway-cni,app.kubernetes.io/component=test-install"
  2. Delete the Operator test Pods.
    3. copy
    kubectl delete pod -n airlock-microgateway-system -l "app.kubernetes.io/instance=airlock-microgateway,app.kubernetes.io/component=test-install"
  3. To remove remaining test resources, run:
    4. copy
    helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '<installed-version>'
helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '<installed-version>'

Upgrading Microgateway 4.2 and newer

The following upgrade instructions aim to upgrade running deployments to a newer version of Airlock Microgateway without interruption of service.

This instruction may not apply to breaking release upgrades of Airlock Microgateway. Refer to the release notes of the Microgatway version you want to upgrade to before following the below instructions.

  1. Update the CRDs. This will not break your current installation if not noted otherwise in the release notes of the new Microgateway version.
    2. copy
    kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.3.0 --server-side --force-conflicts
  2. Upgrade the Microgateway CNI plugin.
    3. copy
    helm upgrade airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0'
  3. Upgrade the Microgateway Operator.
    4. copy
    helm upgrade airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.3.0'
  4. You can verify the current Pod status by checking the version label. To finalize the upgrade process, manually restart all application Pods containing Microgateway Engine sidecars.

Script-supported upgrading of deployments with outdated application Pods:

We have created a useful script to accelerate the deployment update process with multiple application Pods. The script can fetch Deployments, DaemonSets, and StatefulSets managing outdated application Pods.

  1. Save the script fetch-outdated-resources, rename it to fetch-outdated-resources.sh, and make it executable.
    2. copy
    #!/bin/sh 
set -eu 
namespace=${1:-"default"} 
 
pod_selector="sidecar.microgateway.airlock.com/incompatible=true"
 
rootController() { 
    namespace=$1 
    resource=$2 
    owner=$(kubectl get "${resource}" -n "${namespace}" -ojsonpath='{range .metadata.ownerReferences[?(@.controller==true)]}{.kind}/{.name}{"\n"}{end}') 
    if [ -n "$owner" ]; then 
        rootController "${namespace}" "${owner}" 
    elif echo "${resource}" | grep -vq Pod/; then 
        echo "${resource}" 
    fi 
} 
 
for pod in $(kubectl get pods -n "${namespace}" -l "${pod_selector}" -ojsonpath='{range .items[*]}Pod/{.metadata.name}{"\n"}{end}'); do 
        rootController "${namespace}" "${pod}" 
done | sort -u
  2. Variant 1

    3. Automatic rollout restart of outdated resources with the following command:

    copy
    ./fetch-outdated-resources.sh <application-namespace> | xargs kubectl rollout restart -n <application-namespace>
  3. Variant 2
    1. Set the microgateway.airlock.com/restartRequired=true label.
      2. copy
      ./fetch-outdated-resources.sh <application-namespace> | xargs -I{} kubectl label {} -n <application-namespace> "restartRequired=true"
    2. Perform a rollout restart of the labeled resources.
      3. copy
      kubectl rollout restart -n <application-namespace> deployments -l microgateway.airlock.com/restartRequired=true
kubectl rollout restart -n <application-namespace> daemonsets -l microgateway.airlock.com/restartRequired=true
kubectl rollout restart -n <application-namespace> statefulsets -l microgateway.airlock.com/restartRequired=true
    3. Remove the microgateway.airlock.com/restartRequired=true label after rollout.

Further information and links

  • Internal links:
  • See chapter Installation for available installation options and instructions.