1. Deploying and Managing Oracle Identity Governance on Kubernetes
  2. Administering Oracle Identity Governance on Kubernetes
  3. Patching and Upgrading
  4. Patching and Upgrading Within 14.1.2
  5. Patching a Container Image

16.1.1 Patching a Container Image

The instructions in this section relate to patching or upgrading an existing 14.1.2.1.0 Oracle Identity Governance (OIG) deployment with a new OIG container image.

Note:

Administrators should be aware of the following:
  • If you are not using Oracle Container Registry or your own container registry, then you must first load the new container image on all nodes in your Kubernetes cluster.
  • If you have Kubernetes Horizontal Pod Autoscaler (HPA) enabled, you must disable HPA before performing the steps below. See, Deleting HPA.

The OIG domain patching script automatically performs the update of your OIG Kubernetes cluster with a new OIG container image.

The script executes the following steps sequentially:
  • Checks if the helper pod exists in the given namespace. If yes, then it deletes the helper pod.
  • Brings up a new helper pod with the new image.
  • Stops the Administration Server, SOA and OIG managed servers using serverStartPolicy set as Never in the domain definition yaml.
  • Waits for all servers to be stopped (default timeout 2000s) Introspects database properties including credentials from the job configmap or RCU Secrets.
  • Performs database schema changes from the helper pod Starts the Administration Server, SOA and OIG managed servers by setting serverStartPolicy to IfNeeded and image to new image tag.
  • Waits for all the servers to be ready (default timeout 2000s).

Prerequisites

Before you begin, perform the following steps:
  • Ensure that you have a running OIG deployment in your cluster.
  • Ensure that the database is up and running.
  • Ensure you have download the latest code repository. See, Setting Up the Code Repository for OIG and set the $WORKDIR correctly.

Running the Patch Domain Script

  1. Navigate to the $WORKDIR:
    cd $WORKDIR/kubernetes/domain-lifecycle
  2. Run the patch domain script as follows. Specify the inputs required by the script:

    Note:

    If you need help understanding the inputs run the command help with -h. 
    
./patch_oig_domain.sh -i <target_image_tag> -n <domain_namespace>
    For example:
    
./patch_oig_domain.sh -i 14.1.2.1.0-jdk17-ol8-<YYMMDD> -n oigns
    The output will look similar to the following:
    [INFO] Found domain name: governancedomain
[INFO] Image Registry: container-registry.oracle.com/middleware/oig_cpu
[INFO] Domain governancedomain is currently running with image: container-registry.oracle.com/middleware/oig_cpu:14.1.2.1.0-jdk17-ol8-<old>
current no of pods under governancedomain are 3
[INFO] The pod helper already exists in namespace oigns.
[INFO] Deleting pod helper
pod "helper" deleted
[INFO] Fetched Image Pull Secret: orclcred
[INFO] Creating new helper pod with image: container-registry.oracle.com/middleware/oig_cpu:14.1.2.1.0-jdk17-ol8-<new>
pod/helper created
Checking helper  Running
[INFO] Stopping Admin, SOA and OIM servers in domain governancedomain. This may take some time, monitor log /scratch/OIGK8Slatest/fmw-kubernetes/OracleIdentityGovernance/kubernetes/domain-lifecycle/log/oim_patch_log-<DATE>/stop_servers.log for details
[INFO] All servers are now stopped successfully. Proceeding with DB Schema changes
[INFO] Patching OIM schemas...
[INFO] DB schema update successful. Check log /scratch/OIGK8Slatest/fmw-kubernetes/OracleIdentityGovernance/kubernetes/domain-lifecycle/log/oim_patch_log-<DATE>/patch_oim_wls.log for details
[INFO] Starting Admin, SOA and OIM servers with new image container-registry.oracle.com/middleware/oig_cpu:14.1.2.1.0-jdk17-ol8-<new>
[INFO] Waiting for 3 weblogic pods to be ready..This may take several minutes, do not close the window. Check log /scratch/OIGK8Slatest/fmw-kubernetes/OracleIdentityGovernance/kubernetes/domain-lifecycle/log/oim_patch_log-<DATE>/monitor_weblogic_pods.log for progress
[SUCCESS] All servers under governancedomain are now in ready state with new image: container-registry.oracle.com/middleware/oig_cpu:14.1.2.1.0-jdk17-ol8-<new>
    The logs are available at $WORKDIR/kubernetes/domain-lifecycle by default. A custom log location can also be provided to the script.

    Note:

    If the patch domain script creation fails, refer to General Troubleshooting.

Verifying the OIG Deployment is Using the New Image

Once the upgrade is successful, you can run the following command to show the image is used by the pods:
kubectl describe pod <pod> -n <domain_namespace>
For example:
kubectl describe pod governancedomain-oim-server1 -n oigns
The new image should be displayed in the following section:
...
Containers:
  weblogic-server:
    Container ID:  cri-o://220fa83d079e079ac183c00f884b10ea30a794527dbb65e6964a035d450384f8
    Image:         container-registry.oracle.com/middleware/oig_cpu:<new>
    Image ID:      container-registry.oracle.com/middleware/oig_cpu@sha256:cdf51b6aa47cd05573bc53244681b193fb4e2f6db56e50d2251b9416bc68ebc0
    Port:          14100/TCP
    Host Port:     0/TCP
    Command:
...