Upgrading

New versions of Puppet Comply are released regularly. Upgrading to the current version ensures you are always taking advantage of the latest features, fixes, and improvements.

Important: The CIS-CAT assessor setup process is embedded in the comply module. To ensure you always have the latest version, upgrade the comply module before you upgrade the Comply application. Note that you cannot run scans until you complete both of these upgrades.

Upgrade from Comply 1.0.4 to 2.0.0

Comply 2.0.0 automatically upgrades the CIS-CAT assessor to the latest version every time you upgrade Comply.

The upgrade process involves generating certificates in Puppet Enterprise (PE) and setting up Mutual Transport Layer Security (MTLS) in Puppet Application Manager (PAM). MTLS enables a secure authenticated connection between your nodes and Comply.
  1. SSH into your PE primary server and generate the certificates:
    puppetserver ca generate --certname <COMPLY-HOSTNAME>
    This command does the following:
    • Saves the private key to /etc/puppetlabs/puppet/ssl/private_keys/<COMPLY-HOSTNAME>.pem
    • Saves the certificate to /etc/puppetlabs/puppet/ssl/certs/<COMPLY-HOSTNAME>.pem
  2. Log in to Puppet Application Manager, click on the Version history tab, and click Check for update.
  3. Click on the Config tab, and scroll down to Transport layer security (TLS) certificates to interact with PE.
  4. Upload the signed certificate, the private key, and the CA certificate from the following locations:
    • Paste the contents of /etc/puppetlabs/puppet/ssl/certs/<COMPLY-HOSTNAME>.pem to the TLS certificate field.
    • Paste the contents of /etc/puppetlabs/puppet/ssl/private_keys/<COMPLY-HOSTNAME>.pem to the TLS private key field.
    • Paste the contents of /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem to the CA certificate field.
      Note: To host the assessor on your own supported cluster via NGINX ingress, click the Bring your own NGINX ingress check box and enter the FQDN in the PE TLS FQDN field — using the same FQDN that you used to generate the TLS certificates.
  5. Click Save Config.
  6. Navigate to Puppet Enterprise (PE), and update the default value of the comply class scanner_source parameter to one of the following assessor distribution locations:
    • If using the Puppet supported cluster: https://<COMPLY-HOSTNAME>:30303/assessor
    • If using NGINX Ingress: https://<PE-TLS-FQDN>/assessor
    For more information, see Classify the nodes you want to scan in PE.
  7. Click Add to node group, and then commit the changes.
  8. Upgrade the comply module.
    1. Update your Puppetfile with the latest version of the comply module and its dependencies.
    2. Deploy code by running the puppet-code deploy --all command.
      For more information, see Upgrade the Comply module.
  9. Navigate back to Puppet Application Manager. After pre-flight checks have completed successfully, click Go to updated version, and then click Deploy.
    Note: If the upgrade of an assessor on a node fails, the node is marked in red on the Inventory page. Failures may be due to network issues. If that is the case, Comply attempts to upgrade the node once connectivity returns. An hourly background task runs to check if nodes have been upgraded or not. If a node does not upgrade and remains red on the Inventory page, run the Puppet agent. If the upgrade continues to fail, see the Puppet agent logs for more information.
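As an added pre-check (an example script, not part of the Puppet documentation or the comply module): before pasting the three files from step 4 into Puppet Application Manager, confirm that the private key belongs to the certificate, that the certificate chains to ca_crt.pem, and that it is issued for the FQDN you will later use in scanner_source. It assumes openssl is on the PATH; the make_test_bundle helper builds a constructed CA and leaf certificate so the check can be exercised offline, standing in for the files puppetserver ca generate writes.

```bash
#!/usr/bin/env bash
# Added example (not Puppet's code): sanity-check the files from step 1
# before pasting them into the PAM TLS fields in step 4. A key that does not
# match the certificate, a certificate that does not chain to ca_crt.pem, or
# a name that differs from the FQDN used for scanner_source all break mTLS.
set -euo pipefail

# check_tls_bundle CERT KEY CA FQDN -> 0 if the three files are consistent
check_tls_bundle() {
  local cert="$1" key="$2" ca="$3" fqdn="$4" cert_pub key_pub
  # 1. the private key must belong to the certificate (compare public keys)
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: private key does not match certificate" >&2; return 1
  fi
  # 2. the certificate must chain to the CA you upload in the CA certificate field
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: certificate is not signed by $ca" >&2; return 1
  fi
  # 3. the certificate must be issued for the Comply hostname / PE TLS FQDN
  if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep 'does match' >/dev/null; then
    echo "FAIL: certificate is not valid for $fqdn" >&2; return 1
  fi
  echo "OK: $cert, $key and $ca are consistent for $fqdn"
}

# make_test_bundle DIR FQDN: constructed CA and leaf certificate so the check
# can be exercised offline; it stands in for puppetserver ca generate output.
make_test_bundle() {
  local dir="$1" fqdn="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Puppet CA" \
    -keyout "$dir/ca_key.pem" -out "$dir/ca_crt.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
    -keyout "$dir/$fqdn.key.pem" -out "$dir/$fqdn.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.cnf"
  openssl x509 -req -days 1 -in "$dir/$fqdn.csr" -CA "$dir/ca_crt.pem" -CAkey "$dir/ca_key.pem" \
    -CAcreateserial -extfile "$dir/san.cnf" -out "$dir/$fqdn.pem" >/dev/null 2>&1
}

# Usage on a real PE primary (paths from the upgrade steps above):
#   check_tls_bundle /etc/puppetlabs/puppet/ssl/certs/<COMPLY-HOSTNAME>.pem \
#     /etc/puppetlabs/puppet/ssl/private_keys/<COMPLY-HOSTNAME>.pem \
#     /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem <COMPLY-HOSTNAME>
```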

Upgrade the Comply module

Upgrade to the latest version of the comply module in Puppet Enterprise (PE).

Note: Take note of module dependencies when upgrading to a new major version — you need to upgrade these as well.
  1. Update your Puppetfile with the latest version of the comply module and its dependencies. For example:
    # Puppet comply module
    mod 'puppetlabs-comply',           '2.0.0'
    
    # dependencies for comply
    mod 'puppet/archive',              '5.0.0'
    mod 'puppetlabs/chocolatey',       '6.0.1'
    mod 'puppetlabs/inifile',          '5.1.0'
    mod 'puppetlabs/java',             '7.1.0'
    mod 'puppetlabs/ruby_task_helper', '0.6.0'
    mod 'puppetlabs/stdlib',           '7.1.0'
  2. SSH into your PE primary server and deploy code by running the puppet-code deploy --all command.

Upgrade Comply in an online environment

Check for, download, and deploy updates from the Version history tab in the Puppet Application Manager UI.

Before you begin
Upgrade the comply module.
  1. In the platform admin console, click Version history.
  2. Click Check for updates.
    Configure an automatic update check by clicking Configure automatic updates. You can check for updates hourly, every four hours, daily, weekly, or at a custom interval.
  3. If an update is available, Puppet Application Manager downloads it for you and performs preflight checks on your system to make sure your cluster meets system requirements for the new version. Review the outcome of these checks by clicking View preflight.
  4. When you're ready to upgrade to the new version of Comply, click Deploy.

Upgrade Comply in an offline environment

If your environments do not have direct access to the internet, use the links below to upgrade to the latest version of Comply.

Before you begin
Upgrade the comply module.
  1. Navigate to the portal provided to you by Puppet in the licence email, for example, https://get.replicated.com/airgap/#/kots/comply/, and log in with the password.
  2. Select Embedded cluster and download the latest Comply release .airgap file.
  3. Log in to Puppet Application Manager at https://<PLATFORM-ADMIN-CONSOLE-ADDRESS>:8800.
  4. Select Version history, and upload the new version of the .airgap file that you downloaded in step 2.
  5. Click Deploy.