Upgrading

New versions of Puppet Comply are released regularly. Upgrading to the current version ensures you are always taking advantage of the latest features, fixes, and improvements.

Important: The CIS-CAT assessor setup process is embedded in the comply module. To ensure you always have the latest version, upgrade the comply module before you upgrade the Comply application. Note that you cannot run scans until you complete both of these upgrades.

Upgrade from Comply 1.0.4 to 2.6.0

Comply 2.6.0 automatically upgrades the CIS-CAT Pro Assessor to the latest version every time you upgrade Comply.

The upgrade process involves generating certificates in Puppet Enterprise (PE) and setting up Mutual Transport Layer Security (MTLS) in Puppet Application Manager (PAM). MTLS enables a secure authenticated connection between your nodes and Comply.
  1. SSH into your PE primary server and generate the certificates:
    puppetserver ca generate --certname <COMPLY-HOSTNAME>
    This command does the following:
    • Saves the private key to /etc/puppetlabs/puppet/ssl/private_keys/<COMPLY-HOSTNAME>.pem
    • Saves the certificate to /etc/puppetlabs/puppet/ssl/certs/<COMPLY-HOSTNAME>.pem
  2. Log in to Puppet Application Manager, click the Version history tab, and click Check for update.
  3. Click the Config tab, and scroll down to Transport layer security (TLS) certificates to interact with PE.
  4. Upload the signed certificate public key, the private key files, and the CA certificate, with the following locations:
    • Paste the contents of /etc/puppetlabs/puppet/ssl/certs/<COMPLY-HOSTNAME>.pem to the TLS certificate field.
    • Paste the contents of /etc/puppetlabs/puppet/ssl/private_keys/<COMPLY-HOSTNAME>.pem to the TLS private key field.
    • Paste the contents of /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem to the CA certificate field.
    Note: To host the assessor on your own supported cluster via NGINX ingress, click the Bring your own NGINX ingress checkbox and enter the FQDN in the PE TLS FQDN field — using the same FQDN that you used to generate the TLS certificates.
  5. Click Save Config.
  6. Navigate to Puppet Enterprise (PE), and update the default value of the comply class scanner_source parameter to one of the following assessor distribution files:
    • If using the Puppet supported cluster: https://<COMPLY-HOSTNAME>:30303/assessor

    • If using NGINX Ingress: scanner_source to: https://<PE-TLS-FQDN>/assessor

    For more information, see Classify the nodes you want to scan in PE.

  7. Click Add to node group, and then commit the changes.
  8. Upgrade the comply module.
    1. Update your Puppetfile with the latest version of the comply module and its dependencies.
    2. Deploy code by running the puppet-code deploy --all command.
  9. Navigate back to Puppet Application Manager. After pre-flight checks have completed successfully, click Go to updated version, and then click Deploy.
    Note: If the upgrade of an assessor on a node fails, the node is marked in red on the Inventory page. Failures may be due to network issues. If that is the case, Comply attempts to upgrade the node once connectivity returns. An hourly background task runs to check if nodes have been upgraded or not. If a node does not upgrade and remains red on the Inventory page, run the Puppet agent. If the upgrade continues to fail, see the Puppet agent logs for more information.

Upgrade from Comply 2.2.2 to 2.3.0

Comply 2.3.0 automatically upgrades the CIS-CAT assessor to the latest version every time you upgrade Comply.

Before you begin
Make sure you have generated certificates in Puppet Enterprise (PE) and set up Mutual Transport Layer Security (MTLS) in Puppet Application Manager (PAM). MTLS enables a secure authenticated connection between your nodes and Comply. For more information, see Configure Comply TLS certificates.
  1. If you want Comply to update the CIS-CAT Assessor automatically, select Automatically kick off PE jobs on assessor upgrade on the Config page in Puppet Application Manager.

    If you select this option, on upgrade Comply kicks off 2 PE agent runs: the first to download the new assessor, and the second update the facts in PE.

    Tip: Because this option starts PE jobs automatically on upgrading Comply, systems administrators, especially of larger implementation, may wish to consider leaving this option unchecked. Assessor upgrade then takes place automatically when the next two PE jobs are run.

    Comply requires the latest version of the assessor on the node in order to perform runs. A background task runs to check if nodes have been upgraded every 15 minutes if this option is selected and every hour if it is not selected. If a node does not upgrade and remains red on the Inventory page, run the Puppet agent. If the upgrade continues to fail, see the Puppet agent logs for more information.

  2. Click Save Config.
  3. If you have not already configured the comply class scanner_source parameter, you can do so at this point. Otherwise proceed to the next step. Navigate to Puppet Enterprise (PE), and update the default value of the comply class scanner_source parameter to one of the following assessor distribution files:
    • If using the Puppet supported cluster: https://<COMPLY-HOSTNAME>:30303/assessor

    • If using NGINX Ingress scanner_source: https://<PE-TLS-FQDN>/assessor

    For more information, see Classify the nodes you want to scan in PE.

    Click Add to node group, and then commit the changes.

  4. Upgrade the comply module.
    1. Update your Puppetfile with the latest version of the comply module and its dependencies.
    2. Deploy code by running the puppet-code deploy --all command.
    Warning: When upgrading the comply module, running the agent before Comply is updated may cause an error.
  5. Navigate back to Puppet Application Manager. After pre-flight checks have completed successfully, click Go to updated version, and then click Deploy.
    Note: If the upgrade of an assessor on a node fails, the node is marked in red on the Inventory page. Failures may be due to network issues. If that is the case, Comply attempts to upgrade the node once connectivity returns. An hourly background task runs to check if nodes have been upgraded or not. If a node does not upgrade and remains red on the Inventory page, run the Puppet agent. If the upgrade continues to fail, see the Puppet agent logs for more information.

Upgrade Comply in an online environment

Check for download and deploy updates from the Version history tab in the Puppet Application Manager UI.

Before you begin
Upgrade the comply module.
  1. In the Puppet Application Manager UI, click Version history.
  2. Click Check for updates.
    Configure an automatic update check by clicking Configure automatic updates. You can check for updates hourly, every four hours, daily, weekly, or at a custom interval.
  3. If an update is available, Puppet Application Manager downloads it for you and performs preflight checks on your system to make sure your cluster meets system requirements for the new version. Review the outcome of these checks by clicking View preflight.
  4. When you're ready to upgrade to the new version of Comply, click Deploy.

Upgrade Comply in an offline environment

If your environments do not have direct access to the internet, use the links below to upgrade to the latest version of Comply.

Before you begin
Upgrade the comply module.
  1. Navigate to the portal provided to you by Puppet in the licence email, for example, https://get.replicated.com/airgap/#/kots/comply/, and login with the password.
  2. Select Embeded cluster and download the latest Comply release .airgap file.
  3. Log into Puppet Application Managerhttps://<PLATFORM-ADMIN-CONSOLE-ADDRESS>:8800.
  4. Select Version history, and upload the new version of the .airgap file that you downloaded in step 2.
  5. Click Deploy.