You can upgrade the NSX Application Platform to a later build version using the NSX Manager UI.

Upgrading to a newer version of the NSX Application Platform involves multiple steps. You must first configure and deploy the Upgrade Coordinator before you can proceed with upgrading the platform and each of the currently activated NSX features. The Upgrade Coordinator orchestrates all of the upgrade steps, and the system provides status on the UI as it upgrades each component.

Prerequisites

  • Review the NSX Release Notes for any known upgrade issues and workarounds documented for the NSX Application Platform.
  • Implement the upgrade requirements in your environment. See Upgrade Requirements.
  • Ensure that there are no open alarms detected on the NSX Application Platform.
  • Verify that you have met all of the prerequisites and system requirements listed in NSX Application Platform Deployment Prerequisites.

  • You must have Enterprise Admin privileges.
  • Upgrade NSX Application Platform and NSX before upgrading to Tanzu Kubernetes version 1.23 to avoid an upgrade sequence error. If this upgrade sequence error occurs, see Upgrade Error When Tanzu Kubernetes is Updated Before NSX Application Platform and NSX.
  • If you do not have internet connectivity, configure the NSX proxy to route internet traffic. Make sure that the proxy is activated and the port number is accurate. For an HTTPS proxy, you must have the proxy server self-signed certificate available.

    See the Configure Proxy Settings topic in the Operations and Management section of the NSX Administration Guide, which is delivered with the VMware NSX Documentation set.

  • Verify that the proxy details are configured on the TKG Guest Clusters running in the vSphere Client so that worker nodes can access Docker images. See Configure HTTP Proxy Setting on the Supervisor by Using the vSphere Client.
  • If you are using a private Helm repository and Docker registry location, the private Harbor custom certificate must be imported and available within the NSX Manager.

    See the Creating Self-signed Certificates topic in the Certificates section of the NSX Administration Guide, which is delivered with the VMware NSX Documentation set.

  • If you are using a proxy, verify that the NSX Manager version is updated to 4.2.

    This option is available only in the NSX Application Platform 4.2 release.

Procedure

  1. (Optional) Configure the proxy on the existing Upstream Kubernetes nodes before the upgrade.
    1. Run the following commands on all the master and worker nodes.
      # Log in to each node and copy the squid.crt file to the node.
      sudo mkdir -p /etc/systemd/system/containerd.service.d
      sudo touch /etc/systemd/system/containerd.service.d/http-proxy.conf
      sudo vi /etc/systemd/system/containerd.service.d/http-proxy.conf
    2. Add the proxy information to the http-proxy.conf file.
      [Service]
      Environment="HTTP_PROXY=https://admin:<password>@20.20.0.60:3129"
      Environment="HTTPS_PROXY=https://admin:<password>@20.20.0.60:3129"
      Environment="SSL_CERT_FILE=/root/squid.cert"
      Environment="NO_PROXY=localhost"
    3. Restart the containerd service.
      sudo systemctl daemon-reload
      sudo systemctl restart containerd
      sudo systemctl show --property=Environment containerd

      Example output:

      root@bmk8s:~# sudo systemctl show --property=Environment containerd
      Environment=HTTP_PROXY=http://10.49.89.41:8080 HTTPS_PROXY=http://10.49.89.41:8080 SSL_CERT_FILE=/root/mitm.cert Environment=NO_PROXY=localhost
    4. Copy the newly created Squid certificate file to the NSX Manager or Kubernetes worker node.
    5. Verify that the newly configured proxy is working properly.
      # HTTPS proxy on port 3129
      root@bmk8s:~# curl -k -x https://20.20.0.60:3129 -I --proxy-user admin:<password> --proxy-cacert squid.cert http://www.google.com
      HTTP/1.1 200 OK
      Content-Type: text/html; charset=ISO-8859-1
      Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-EfTlady2QObxpeH3ZPFUUg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
      P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
      Date: Wed, 10 Apr 2024 11:25:29 GMT
      Server: gws
      X-XSS-Protection: 0
      X-Frame-Options: SAMEORIGIN
      Expires: Wed, 10 Apr 2024 11:25:29 GMT
      Cache-Control: private
      Set-Cookie: 1P_JAR=2024-04-10-11; expires=Fri, 10-May-2024 11:25:29 GMT; path=/; domain=.google.com; Secure
      Set-Cookie: AEC=AQTF6HxRFi9u6FhGHJNwuHrz1Cpx5jdKbu5eUFkocX-ilfv-ncpCGYPoIw; expires=Mon, 07-Oct-2024 11:25:29 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
      Set-Cookie: NID=513=jHWm3TTU0h7DY9psz4wLIxTDPsXUfMfMUGNrPcfdVPxBxFwbM1PByezEsTfEg2iJZG_DeCqff_ESXXD3k3OuEi4H2JN-a-kzqweJUpJ9x0_mfVigr8QmT4WjMUD7WYprkJXCVGoU1mFLTHdNoqneRWn7f1clJL7vG6pO9at8EvQ; expires=Thu, 10-Oct-2024 11:25:29 GMT; path=/; domain=.google.com; HttpOnly
      X-Cache: MISS from Kub-2210
      X-Cache-Lookup: MISS from Kub-2210:3127
      Via: 1.1 Kub-2210 (squid/5.7)
      Connection: keep-alive
  2. From your browser, log in with Enterprise Admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  3. If you deployed the NSX Application Platform with an earlier version, increase the worker nodes from 3 to 4 in the existing Kubernetes cluster before starting the upgrade.
    In NSX Application Platform 4.2, a minimum of 4 worker nodes is required. If you scaled the worker nodes to more than 3 in the earlier version, no action is required.

    If the Security Intelligence, NSX Network Detection and Response, and NSX Malware Prevention features or any two of the features are enabled, increase to 5 worker nodes instead of 4.

  4. Navigate to System > Upgrade.
  5. Deploy the Upgrade Coordinator.
    1. In the NSX Application Platform card, click Upgrade.
      This step can take some time as the system obtains the information from the VMware-hosted Helm repository. When the information is obtained successfully, the Prepare for Upgrade tab is displayed with the text boxes prepopulated with the information obtained for Helm Repository, Docker Registry, and Platform Target Version, as illustrated in the following image. Note that the values shown in the image are the default values for the VMware-hosted Helm repository and Docker registry locations, and the latest available NSX Application Platform version.
      Prepare tab in the Upgrade NSX Application Platform UI with text boxes prepopulated with default values from the Helm repository.

    2. (Optional) If you are using a private Helm repository and Docker registry location, provide the private locations of the required Helm charts and Docker images.
      For the OCI-compatible Helm Repository text box, use the format oci://<your-private-registry-server-fqdn>/<your-private-registry-name>/helm-charts.

      For the Docker Registry text box, use the format <your-private-registry-server-fqdn>/<your-private-registry-name>/clustering.

    3. Select a custom certificate from the drop-down menu, if you are using a private Helm repository and Docker registry location.
    4. Click Save And Retrieve Version.

      This step might take some time to complete as the system gathers the NSX Application Platform details from the Helm charts and Docker registry locations and name.

    5. (Optional) Click Reset to Default to remove the private Helm repository and Docker registry location and revert to the default path.
    6. In the Platform Target Version text box, verify that the build version that you want to use for the upgrade is selected.
    7. Click Deploy Upgrade Coordinator.

      This step can also take some time as the system deploys the Upgrade Coordinator to your TKG Cluster on Supervisor pod or Upstream Kubernetes pod.

    After the Upgrade Coordinator deployment completes, the Prepare tab is displayed. The Status section displays the Success status.

  6. In the Deploy Upgrade Coordinator section located in the upper half of the Prepare tab, verify that the values shown in Helm Repository, Docker Registry, and Platform Target Version text boxes are correct.

    If you must modify any of the values, click Delete next to the Note located after the Status section and redeploy a new Upgrade Coordinator.

  7. Review the Summary section located in the lower half of the Prepare tab.

    The NSX Application Platform card displays the status information for the platform. The Upgrade Completed status indicates that the Upgrade Coordinator has been upgraded with the target NSX Application Platform version successfully. The card shows the current version and the target version to which the platform will be upgraded. The card also shows the precheck status.

    If other NSX features that are hosted on the NSX Application Platform are activated, those features are also checked and scheduled for the upgrade. A separate feature card for each activated feature is also displayed. For example, the Security Intelligence feature card appears in the following image because it is currently an activated NSX feature on the NSX Application Platform. The system upgrades the activated features after the platform upgrade finishes successfully.


    UI page for Upgrade NSX Application Platform. The Prepare tab contents are displayed and described by the surrounding text.

  8. If all the Upgrade Coordinator values are correct, click Run Pre-Checks and select All Prechecks from the drop-down menu.

    To optionally precheck specific components only, click Run Prechecks and from the drop-down menu, select the name of the component that you want to precheck.

    The system performs all the prechecks for all the components that are scheduled for the upgrade. The prechecks help detect and resolve potential problems early in the upgrade process, which can make the upgrade process run more smoothly. The system updates the component cards with their prechecks status.

    If the system identifies any issues during the precheck, you can click Download Pre-check Results and use the information in the downloaded file to help investigate the reported issues.

  9. Click Next.

    The NSX Application Platform tab displays a grid of all the groups of components that comprise the platform. You can expand each row to see all of the units for each component group that will be upgraded.

  10. Click Upgrade.

    The system upgrades each group that comprises the NSX Application Platform. This step can take some time to finish. You can leave the Upgrade UI screen and return to it by navigating back to the System > Upgrade page and clicking Continue With Upgrade.

    There are multiple ways to track the progress of the upgrade.

    1. To view the logs generated as the upgrade progresses, click Recent Logs.

    2. To monitor the upgrade status for each component group, use the Group Status column.

    3. To see the upgrade status for each item in a particular group, expand the grid row for that group and verify the status shown for each group item.

    If an error occurs for a group upgrade, expand the row for the group and click the Failed link to see the reason for the failure. Use that information to resolve the reported problem and to work with your infrastructure administrator or VMware support. When you have resolved the cause of the failure, click Retry to try to complete the upgrade.

  11. When the NSX Application Platform is successfully upgraded, click Next and in the tab for the NSX feature (for example, Security Intelligence), click Upgrade.

    After this feature is successfully upgraded, repeat this step for each of the remaining NSX features that must be upgraded.

  12. Click Finish to let the Upgrade Coordinator uninstall completely.
    Note: You cannot update any activated NSX features on the NSX Application Platform until the Upgrade Coordinator is uninstalled.
  13. After you have upgraded all of the NSX features activated on the NSX Application Platform, navigate to System > NSX Application Platform. Verify that the Platform Version and Feature Version details for each of the activated features are correct.
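
The http-proxy.conf drop-in from step 1 stores the proxy user name and password in clear text, and an HTTPS proxy works only when the certificate named in SSL_CERT_FILE is present on the node. The following script is an added example, not VMware tooling or part of the original procedure, that checks both on a node; the function names and finding labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit a containerd proxy drop-in such as
# /etc/systemd/system/containerd.service.d/http-proxy.conf.
# Assumes one Environment="NAME=value" entry per line, as in the procedure.

# Print the value assigned to variable $2 in drop-in file $1.
dropin_get() {
  sed -n 's/^[[:space:]]*Environment="\{0,1\}'"$2"'=\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Print one finding per line; return 0 if clean, 1 on findings, 2 if unreadable.
audit_proxy_dropin() {
  conf=$1
  rc=0
  [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 2; }
  ca=$(dropin_get "$conf" SSL_CERT_FILE)
  for name in HTTP_PROXY HTTPS_PROXY; do
    url=$(dropin_get "$conf" "$name")
    [ -n "$url" ] || { echo "UNSET $name"; rc=1; continue; }
    case $url in
      *://*:*@*)
        # Credentials are in clear text: only the owner should read the file.
        if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
          echo "PERMS $name embeds credentials but $conf is readable by group/other"
          rc=1
        fi ;;
    esac
    case $url in
      https://*)
        # TLS to the proxy needs the proxy certificate available on this node.
        if [ -z "$ca" ] || ! grep -q 'BEGIN CERTIFICATE' "$ca" 2>/dev/null; then
          echo "CERT $name uses an HTTPS proxy but SSL_CERT_FILE is unset or not a PEM certificate"
          rc=1
        fi ;;
    esac
  done
  return "$rc"
}

# Usage: sh audit.sh /etc/systemd/system/containerd.service.d/http-proxy.conf
if [ "$#" -gt 0 ]; then audit_proxy_dropin "$1"; fi
```

A file created with sudo touch under the default umask is typically mode 644, so the PERMS finding is expected until the mode is tightened to 600. The systemctl show --property=Environment command in step 1 also prints the full proxy URL, including any embedded password.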