Migration Guide

When the Reports Server is enabled, migration from etcd occurs automatically under the following conditions:

  • The cluster has Kyverno already installed.
  • The cluster has policy reports crds already installed.

Migration from Kyverno 1.12+

For users running older versions of Kyverno, the recommended migration path is -

  1. Upgarde to the latest Nirmata Enterprise for Kyverno version
  2. Migrate from K8s etcd to Reports Server

Optionally verify the policyreports stored in etcd.

etcdctl get "/registry/wgpolicyk8s.io/policyreports" --prefix --keys-only
```text

Since Nirmata Enterprise for Kyverno is already running in the cluster, run the following commands to install reports-server:
```bash
 helm repo add nirmata https://nirmata.github.io/kyverno-charts/
 helm repo update nirmata
 helm upgrade kyverno --namespace kyverno --create-namespace nirmata/kyverno  --set crds.reportsServer.enabled=true --set reports-server.install=true --set reports-server.apiServicesManagement.migrateReportsServer.enabled=true
```text

Wait for reports-server pod to come up and check for apiservices.
```bash
kubectl get pods -n kyverno
kubectl get apiservices
```text

>NOTE: Existing policy reports from K8s etcd should be manually cleaned up.

When reports-server is introduced in an active cluster (reports exist in k8s etcd), the reports are copied to the offloaded datastore (etcd or postgres). But these reports are not automatically deleted from k8s etcd. Users have to manually delete those reports.

First check reports are properly copied over to reports-server etcd. We can confirm it by looking at reports-server pod logs using:
```bash
kubectl logs reports-server-969f45d4b-jj9r5 -n kyverno
```text

Manually delete reports from k8s etcd:
```bash
kubectl exec -it etcd-test-rs-control-plane -n kube-system -- sh
```text

Inside the pod, etcdctl is usually installed. Export the following variables:
```bash
export ETCDCTL_API=3
export ETCDCTL_CACERT=/etc/kubernetes/pki/etcd/ca.crt
export ETCDCTL_CERT=/etc/kubernetes/pki/etcd/server.crt
export ETCDCTL_KEY=/etc/kubernetes/pki/etcd/server.key
```text

Run the following commands for deleting policy reports:
```text
etcdctl del "/registry/wgpolicyk8s.io/policyreports" --prefix
etcdctl get "/registry/wgpolicyk8s.io/policyreports" --prefix --keys-only
```text

## Rollback from Reports Server
When reports-server is uninstalled, kyverno controllers will start throwing errors for missing report CRDs.

1. Manually install the required report CRDs.
1. Uninstall reports-server.
1. Verify if apiservices are removed and reports-server is deleted.
1. Reports will be lost, so manually scale down and up the background controller to trigger reconciliation and recreate reports.
1. Verify if policyreports are regenerated.

>NOTE: If you are using Postgres for offloading, note that policy reports will have to be manually cleaned up from the database.