16.1.1 Patching a Container Image

The instructions in this section relate to patching or upgrading an existing 14.1.2.1.0 Oracle Identity Governance (OIG) deployment with a new OIG container image.

Note:

Administrators should be aware of the following:
  • If you are not using Oracle Container Registry or your own container registry, then you must first load the new container image on all nodes in your Kubernetes cluster.
  • If you have Kubernetes Horizontal Pod Autoscaler (HPA) enabled, you must disable HPA before performing the steps below. See Deleting HPA.

Note:

The instructions in this section relate to patching an OIG container image to the July 25 container image or later. If you are patching to a version earlier than July 25, you only need to follow Patching the Container Image and Verifying the OIG Deployment is Using the New Image.

Stopping the Domain

Before patching, you must shut down the OIG domain. For details on how to do this, see Stopping and Starting the Domain.

Patching the Database Schemas

Once the image has been updated you must patch the schemas in the database.

  1. Check to see if the helper pod exists by running:
    kubectl get pods -n <domain_namespace> | grep helper
    For example:
    kubectl get pods -n oigns | grep helper
    
    The output should look similar to the following:
    helper                                  1/1     Running     0          26h
    
    If the helper pod exists, delete the pod with the following command:
    kubectl delete pod helper -n <domain_namespace>
    
    For example:
    kubectl delete pod helper -n oigns
    
  2. Create a new helper pod using the new image.
    If using Oracle Container Registry or your own container registry for the Oracle Identity Governance (OIG) container image:
    kubectl run --image=<image_name-from-registry>:<tag> \
    --image-pull-policy="IfNotPresent" \
    --overrides='{"apiVersion": "v1", "spec":{"imagePullSecrets": [{"name": "orclcred"}]}}' \
    helper -n <domain_namespace> \
    -- sleep infinity
    For example:
    kubectl run --image=container-registry.oracle.com/middleware/oig_cpu:14.1.2.1.0-jdk17-ol8-<YYMMDD> \
    --image-pull-policy="IfNotPresent" \
    --overrides='{"apiVersion": "v1","spec":{"imagePullSecrets": [{"name": "orclcred"}]}}' \
    helper -n oigns \
    -- sleep infinity

    If you are not using a container registry and have loaded the image on each of the worker nodes, run the following command:

    kubectl run helper --image <image>:<tag> -n <domain_namespace> -- sleep infinity
    For example:
    kubectl run helper --image oracle/oig_cpu:14.1.2.1.0-jdk17-ol8-<YYMMDD> -n oigns -- sleep infinity
    The output will look similar to the following:
    pod/helper created
  3. Run the following command to start a bash shell in the helper pod:
    kubectl exec -it helper -n <domain_namespace> -- /bin/bash
    
    For example:
    kubectl exec -it helper -n oigns -- /bin/bash
    
    This will take you into a bash shell in the running helper pod:
    [oracle@helper ~]$
  4. In the helper bash shell run the following commands to set the environment:
    export DB_HOST=<db_host.domain>
    export DB_PORT=<db_port>
    export DB_SERVICE=<service_name>
    export RCUPREFIX=<rcu_schema_prefix>
    export RCU_SCHEMA_PWD=<rcu_schema_pwd>
    echo -e <db_pwd>"\n"<rcu_schema_pwd> > /tmp/pwd.txt
    cat /tmp/pwd.txt
    Where:
    • <db_host.domain> is the database server hostname.
    • <db_port> is the database listener port.
    • <service_name> is the database service name.
    • <rcu_schema_prefix> is the RCU schema prefix you want to set.
    • <rcu_schema_pwd> is the password you want to set for the <rcu_schema_prefix>.
    • <db_pwd> is the SYS password for the database.
    For example:
    export DB_HOST=mydatabasehost.example.com
    export DB_PORT=1521
    export DB_SERVICE=orcl.example.com
    export RCUPREFIX=OIGK8S
    export RCU_SCHEMA_PWD=<password>
    echo -e <db_pwd>"\n"<rcu_schema_pwd> > /tmp/pwd.txt
    cat /tmp/pwd.txt
    Ensure the cat /tmp/pwd.txt command shows the correct passwords.
  5. In the helper bash shell run the following command to patch the schemas:
    /u01/oracle/oracle_common/modules/thirdparty/org.apache.ant/apache-ant/bin/ant \
    -f /u01/oracle/idm/server/setup/deploy-files/automation.xml \
    run-patched-sql-files \
    -logger org.apache.tools.ant.NoBannerLogger \
    -logfile /u01/oracle/idm/server/bin/patch_oim_wls.log \
    -DoperationsDB.host="$DB_HOST" \
    -DoperationsDB.port="$DB_PORT" \
    -DoperationsDB.serviceName="$DB_SERVICE" \
    -DoperationsDB.user="$RCUPREFIX"_OIM \
    -DOIM.DBPassword="$RCU_SCHEMA_PWD" \
    -Dojdbc=/u01/oracle/oracle_common/modules/oracle.jdbc/ojdbc11.jar
    The output will look similar to the following:
    Buildfile: /u01/oracle/idm/server/setup/deploy-files/automation.xml
  6. Inside the helper pod, verify the database was patched successfully by viewing the patch_oim_wls.log:
    cat /u01/oracle/idm/server/bin/patch_oim_wls.log
    The output should look similar to below:
    ...
    run-patched-sql-files:
          [sql] Executing resource: /u01/oracle/idm/server/db/oim/oracle/StoredProcedures/Recon/OIM_SP_ReconBlkAccountChglog.sql
          [sql] Executing resource: /u01/oracle/idm/server/db/oim/oracle/Upgrade/oim14cBP/list/oim14c_dml_pty_insert_self_assignment_allowed.sql
          [sql] Executing resource: /u01/oracle/idm/server/db/oim/oracle/StoredProcedures/API/oim_role_mgmt_pkg_body.sql
          [sql] Executing resource: /u01/oracle/idm/server/db/oim/oracle/StoredProcedures/API/oim_usr_mgmt_pkg_body.sql
          [sql] Executing resource: /u01/oracle/idm/server/db/oim/oracle/StoredProcedures/DBDiagnostics/oim_db_diagnostics_pkg_body.sql
          [sql] 5 of 5 SQL statements executed successfully
    BUILD SUCCESSFUL
    Total time: 1 second
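
The check in step 6 can be scripted so that a partial run is not missed. Ant's sql task can be configured to continue past a failed statement, in which case the log can still end in BUILD SUCCESSFUL while reporting fewer statements executed than attempted. The following is an added example, not part of the Oracle procedure; the helper names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example. check_patch_log and sample_patch_log are hypothetical helper
# names, not part of the OIG image or of Ant.

# Return 0 only if the log shows a complete, successful schema patch run.
check_patch_log() {
    log=$1
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }

    # Require the BUILD SUCCESSFUL line that ends the sample output in step 6.
    grep -q '^[[:space:]]*BUILD SUCCESSFUL' "$log" || {
        echo "no BUILD SUCCESSFUL line in $log" >&2; return 1; }

    # Each "[sql] N of M SQL statements executed successfully" line needs N == M,
    # and at least one such line must be present.
    awk '
        /\[sql\] [0-9]+ of [0-9]+ SQL statements executed successfully/ {
            seen = 1
            for (i = 2; i < NF; i++)
                if ($i == "of" && $(i - 1) != $(i + 1)) {
                    printf "partial run: %s of %s statements\n", $(i - 1), $(i + 1)
                    bad = 1
                }
        }
        END { exit (bad || !seen) ? 1 : 0 }
    ' "$log"
}

# Constructed sample log in the shape shown in step 6: $1 of $2 statements ran.
sample_patch_log() {
    printf 'run-patched-sql-files:\n'
    printf '      [sql] Executing resource: /constructed/example.sql\n'
    printf '      [sql] %s of %s SQL statements executed successfully\n' "$1" "$2"
    printf 'BUILD SUCCESSFUL\nTotal time: 1 second\n'
}

demo_log=$(mktemp)
sample_patch_log 5 5 > "$demo_log"
if check_patch_log "$demo_log"; then echo "schema patch log OK"; fi
rm -f "$demo_log"
```

Inside the helper pod, the function would be pointed at /u01/oracle/idm/server/bin/patch_oim_wls.log.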

Patching the Container Image

To update the domain:
  1. Run the following command to set the image parameter to the location of the new image:
    kubectl patch domain <domainUID> -n <domain_namespace> --type merge  -p '{"spec":{"image":"<repository>:<new_tag>"}}'
    
    For example:
    • If using Oracle Container Registry or your own container registry for your OIG container image:
      kubectl patch domain governancedomain -n oigns --type merge  -p '{"spec":{"image":"container-registry.oracle.com/middleware/oig_cpu:<new_tag>"}}'
      
    • If you are not using a container registry and have loaded the image on each of the worker nodes:
      kubectl patch domain governancedomain -n oigns --type merge  -p '{"spec":{"image":"oracle/oig:<new_tag>"}}'
      
      The output will look similar to the following:
      domain.weblogic.oracle/governancedomain patched
      

Starting the OIG Domain

To start the OIG domain, see Stopping and Starting the Domain.

Verifying the OIG Deployment is Using the New Image

Once the upgrade is successful, you can run the following command to show the image used by the pods:
kubectl describe pod <pod> -n <domain_namespace>
For example:
kubectl describe pod governancedomain-oim-server1 -n oigns
The new image should be displayed in the following section:
...
Containers:
  weblogic-server:
    Container ID:  cri-o://220fa83d079e079ac183c00f884b10ea30a794527dbb65e6964a035d450384f8
    Image:         container-registry.oracle.com/middleware/oig_cpu:<new>
    Image ID:      container-registry.oracle.com/middleware/oig_cpu@sha256:cdf51b6aa47cd05573bc53244681b193fb4e2f6db56e50d2251b9416bc68ebc0
    Port:          14100/TCP
    Host Port:     0/TCP
    Command:
...
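
Checking one pod with kubectl describe does not show whether every pod picked up the same image. That matters when the image was loaded by hand on each node and is used with the IfNotPresent pull policy. The following added example (not part of the Oracle procedure) compares the Image and Image ID of all pods in the namespace. The helper names, pod list, tags and digests are constructed, and it assumes one container per pod.

```shell
#!/bin/sh
# Added example. find_image_drift and sample_pods are hypothetical helper names,
# not kubectl or Oracle commands. Input on stdin is one line per pod,
# "name<TAB>image<TAB>imageID", which can be produced with:
#   kubectl get pods -n <domain_namespace> -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[0].image}{"\t"}{.status.containerStatuses[0].imageID}{"\n"}{end}'
# Assumption: one container per pod (weblogic-server in the output above).

# $1 = expected image reference. Prints offending pods; returns 1 if any.
find_image_drift() {
    awk -F '\t' -v want="$1" '
        NF == 0    { next }
        $2 != want { printf "%s: runs %s, expected %s\n", $1, $2, want; bad = 1; next }
        ref == ""  { ref = $3; refpod = $1; next }
        $3 != ref  { printf "%s: image ID differs from %s\n", $1, refpod; bad = 1 }
        END        { exit bad + 0 }
    '
}

# Constructed sample: pod list, tags and digests are placeholders, not real values.
sample_pods() {
    img=container-registry.oracle.com/middleware/oig_cpu
    printf '%s\t%s\t%s\n' \
        governancedomain-adminserver "$img:NEW_TAG" "$img@sha256:aaaa" \
        governancedomain-oim-server1 "$img:NEW_TAG" "$img@sha256:aaaa" \
        governancedomain-oim-server2 "$img:NEW_TAG" "$img@sha256:bbbb" \
        governancedomain-soa-server1 "$img:OLD_TAG" "$img@sha256:cccc"
}

# Reports oim-server2 (same tag, different image ID) and soa-server1 (old tag).
sample_pods | find_image_drift container-registry.oracle.com/middleware/oig_cpu:NEW_TAG || true
```

A pod that reports the expected tag but a different Image ID points to a node still holding an older image under that tag.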