This page lists version-specific changes that may require manual action when upgrading Klio. For the upgrade procedure, see the Helm chart page.
Upgrading to 0.0.16
Metric names renamed (breaking change)
Warning
All emitted OpenTelemetry metric names have been renamed to follow a
component-based taxonomy of the form
klio.<component>.<domain>.<measurement>. There is no dual emission
or aliasing — dashboards and alerts using the previous names must be
updated.
The tier-1 (WAL server) and tier-2 (consumer) WAL metric families
have also been folded into a single family discriminated by the
tier attribute ("tier1" or "tier2"). Backup verification
metrics have moved from klio.consumer.backup_verification_* to
klio.server.backup.verification_*, pairing with the existing
klio.plugin.backup.* series. Kopia base snapshot gauges
(klio.base.snapshots, klio.base.latest_snapshot_*,
klio.base.oldest_snapshot_age) have been folded under the same
klio.server.backup.* prefix alongside the verification counters.
These snapshot gauges carry the tier attribute
("tier1" or "tier2"), matching the rest of the
klio.server.backup.* family; dashboards that aggregate them must
either group by tier or filter to a specific tier to avoid mixing
the local-disk and object-store series.
The klio.plugin.backup.running 0/1 gauge has been replaced by the
klio.plugin.backup.in_progress UpDownCounter, which reports the
number of backups currently in progress on each plugin instance.
Dashboards that read the previous gauge as a boolean should now check
klio.plugin.backup.in_progress > 0 instead.
The success/failure counter pairs have been collapsed into a single
counter per family, distinguished by an outcome attribute
(success / failure):
klio.plugin.backup.successesandklio.plugin.backup.failuresare now both reported asklio.plugin.backup.runswithoutcome.klio.plugin.backup.verificationsno longer counts every attempt on its own; it is now split byoutcome. The previous total is recoverable assum by () (klio.plugin.backup.verifications), and the previousklio.plugin.backup.verification_failurescounter isklio.plugin.backup.verifications{outcome="failure"}.klio.server.backup.verification_successandklio.server.backup.verification_failureare now both reported asklio.server.backup.verificationswithoutcome(and the existingtierattribute).
The klio.plugin.backup.latest_duration_seconds gauge has been
renamed to klio.plugin.backup.latest_duration — the unit (s) is
conveyed via the OpenTelemetry metric metadata, per the
semantic-conventions naming guidelines.
The Prometheus export name is unchanged
(klio_plugin_backup_latest_duration_seconds) because the Prometheus
exporter appends the unit suffix automatically when the OpenTelemetry
name lacks it.
The klio.server.queue.messages and klio.server.queue.bytes gauges
are now reported per JetStream stream via a stream attribute,
reflecting the WAL/backup queue split. Dashboards that previously
read a single aggregate value should sum across the stream
attribute or filter to a specific stream (for example
stream="klio-wal-stream").
See the OpenTelemetry metrics reference for the complete old-to-new mapping table.
Upgrading to 0.0.15
The --custom-cnpg-group and --custom-cnpg-version flags have been
removed from the operator manager arguments. The operator now derives the CNPG
API group and version from the cluster's metadata at runtime.
In the Helm chart, --custom-cnpg-group was previously set in the default
controllerManager.manager.args list, and has now been removed.
No action is needed in most cases, unless one of the following applies:
- You are setting these flags in your Helm values or
--setoverrides explicitly - You are using
--reuse-valueswhen upgrading, which would preserve the old flags in the new deployment.
In any of these cases, ensure that the controllerManager.manager.args is
overridden to define the parameter list.
The default arguments are shown in the Helm chart page.
Upgrading to 0.0.14
Encryption key management (breaking change)
Warning
You should complete the first four steps in this section before proceeding with the Klio upgrade with Helm.
Previous versions of Klio stored the encryption key as a
plaintext value in a Kubernetes Secret, referenced via the
encryptionKey field (a SecretKeySelector). This field has
been replaced by encryptionKeyFile and identityFile, which
use Age encryption to protect
the key at rest.
Warning
This is a breaking API change. Existing Server resources
using encryptionKey must be updated after upgrading the CRD.
The underlying encryption key (used by Kopia) does not
change — only how it is stored and delivered to Klio.
The steps below show the migration for tier1. If your
Server also has tier2 configured, repeat the same steps
for tier2 (replacing .spec.tier1 with .spec.tier2 in
the commands, and updating the tier2 section in the Server
spec). Tier1 and tier2 may use different encryption keys and
identity files.
To migrate an existing deployment:
Warning
Complete steps from 1. to 4. before upgrading Klio.
Extract the secret name and key from the Server resource:
SECRET_NAME=$(kubectl get server my-server \ -o jsonpath='{.spec.tier1.encryptionKey.name}') SECRET_KEY=$(kubectl get server my-server \ -o jsonpath='{.spec.tier1.encryptionKey.key}')
Retrieve the current encryption key from the secret:
ENCRYPTION_KEY=$(kubectl get secret "$SECRET_NAME" \ -o jsonpath="{.data.${SECRET_KEY}}" | base64 -d)
Create the
values.yamlfile from the existing Helm chart:helm get values -n cnpg-system <RELEASE_NAME> > values.yaml
Edit the
values.yamlfile updating the Klio version with the new release tag:controllerManager: manager: env: SIDECAR_IMAGE: docker.enterprisedb.com/k8s/klio:v0.0.14 [...] image: tag: v0.0.14 [...]
Before proceeding, finish reading this section. Then perform the Klio upgrade following the Helm chart page, up to and including the "Upgrade Klio Server" section.
Warning
The command to verify that the Server is running the latest version will continue showing the old version. This is normal, as the operator can not reconcile yet.
You can use the
values.yamlfile created in the previous step when requested.Warning
Do not delete the Klio Server's Pod yet, nor the StatefulSet. The situation will settle after you perform the following steps in this section.
Generate an Age key pair:
age-keygen -o identity.txt # Note the public key from the output
Encrypt the existing key with Age:
echo -n "$ENCRYPTION_KEY" | age \ -r <public-key-from-step-5> \ -o encryption-key.age --armor
Create new Kubernetes Secrets:
kubectl create secret generic my-server-encryption-key \ --from-file=encryption-key.age kubectl create secret generic my-server-age-identity \ --from-file=identity.txt
Update the
tier1section of theServerresource, replacing the oldencryptionKeyfield with the new fields:# Before (remove this): # encryptionKey: # name: my-server-encryption # key: encryptionKey # After: encryptionKeyFile: fileReference: volume: secret: secretName: my-server-encryption-key path: encryption-key.age identityFile: fileReference: volume: secret: secretName: my-server-age-identity path: identity.txt
Note
Add the same sections in
tier2, in case it is enabled.Apply the updated
Serverresource, then verify the Klio server pod restarts successfully.In case the Server's Pod is stuck in
CrashLoopBackOffstate, please delete it, then check again.Once verified, delete the old plaintext secret and the local
identity.txtfile:kubectl delete secret my-server-encryption rm identity.txt