Skip to main content
Version: 25.08

Upgrading content inspection

Download the Chart

CHART_VERSION=”v24.09.28-d127c3d1” # CHANGE to the target version

helm pull oci://us-docker.pkg.dev/cyberhaven-cd/external/charts/ci-stack-onprem --untar --version $CHART_VERSION

cd ci-stack-onprem

Review the Configuration File

Ensure that the customer configuration section up to the dashed line is filled with the environment configuration values provided by Cyberhaven. You can reuse your previous configuration file and update it with any new values provided.

Open the configuration file for editing:

${EDITOR} values-overrides-gcp.yaml

NOTE: If Cyberhaven provides a new image tag for the release, update the image tag in your values overrides file accordingly. The tags should be provided in the Changelog section below.

Check the Upgrade Diff

Preview the changes that will be applied during the upgrade:

helm template --api-versions 'networking.k8s.io/v1/Ingress' ci-stack-onprem . -f values-overrides-gcp.yaml -f previous-values.yaml | kubectl diff -f -

NOTE: When modifying existing values, ensure the changes are made in the rightmost file provided in the Helm command, as it takes precedence.

Upgrade the Release

Proceed with upgrading the release:

helm upgrade ci-stack-onprem . -f values-overrides-gcp.yaml -f previous-values.yaml

You should see an output similar to:

Release "ci-stack-onprem" has been upgraded. Happy Helming!
NAME: ci-stack-onprem
LAST DEPLOYED: Fri Oct 4 22:46:20 2024
NAMESPACE: default
STATUS: deployed
REVISION: 11
TEST SUITE: None

Verify Pod Status

Check if the pods are running and healthy:

kubectl get pods -l app.kubernetes.io/instance=ci-stack-onprem

Rollback if Necessary

If you encounter any issues, rollback the upgrade to the previous revision (use REVISION-1 from your upgrade command output). For example:

helm rollback ci-stack-onprem 10

Refresh the install token

The install token is used as an additional authentication method from the on-prem ci-scanner to the SaaS backend to download the configured CI rules. We recommend periodically refreshing the install token every 3 months. Note that dev and prod clusters each use a different install tokens. Here is the procedure:

  1. Sign in to the Cyberhaven Console
    • Go to Endpoint Sensors → Sensor Installers
    • Copy the msiexec command, this includes your new Install Token.
  2. Option 1
    • Edit your values file and replace the old installToken value with the new one you just retrieved.
    • Double check the upgrade:
      helm template --api-versions 'networking.k8s.io/v1/Ingress' ci-stack-onprem . -f values-overrides-gcp.yaml -f previous-values.yaml | kubectl diff -f -
    • Run the helm upgrade command as usual (also double check the changes by using the --dry-run flag first):
      helm upgrade ci-stack-onprem . -f values-overrides-gcp.yaml -f previous-values.yaml
  3. Option 2:
    • Upgrade reusing the existing values:
      helm upgrade ci-stack-onprem cyberhaven/content-inspection-scanner --namespace cyberhaven --set installToken=<NEW_TOKEN> --reuse-values
  4. Either of these options should only change the value of the installToken secret.
  5. Restart content-inspection-scanner pods. Check logs for errors as the pods start up.