Guides

Upgrade

Upgrade an existing managed self-hosted Manifest installation (1.20.0 or later) to a newer release using the manifest-installer CLI.

This page covers upgrading an existing managed self-hosted Manifest installation to a newer release. If you are still on a pre-1.20.0 unmanaged installation, use Upgrade from Unmanaged Installation instead.

Latest released version: 1.62.0 Manifest Cyber will provide the version string for your release.

Prerequisites

Before proceeding, ensure you have:

  • An existing managed installation (manifest-installer already on your PATH)
  • AWS CLI configured with the manifest profile used during the original install
  • Docker installed and running
  • The target version string from Manifest Cyber

1. Refresh AWS and Docker Authentication

All commands are run on the Manifest host.

  1. Export the AWS profile used for the original install:
export AWS_PROFILE=manifest
  1. Verify CLI access:
aws sts get-caller-identity
  1. Log Docker into Manifest's ECR. ECR tokens expire after 12 hours, so refresh before every upgrade:
aws ecr get-login-password --region us-east-1 \
  | docker login --username AWS --password-stdin 623542229617.dkr.ecr.us-east-1.amazonaws.com

2. Download the New Bundle

  1. Set the target version. INSTALL_TOOLS_VERSION should match VERSION:
export VERSION=<version>
export INSTALL_TOOLS_VERSION=${VERSION}
  1. Download the installer script and the bundle tarball from S3:
aws s3 cp s3://manifest-deployables/on-prem/install.sh install.sh
aws s3 cp "s3://manifest-deployables/on-prem/k3s-on-prem-${VERSION}.tar" k3s-on-prem-${VERSION}.tar
chmod +x install.sh
  1. Extract the bundle. This installs the new version alongside any previously installed versions under ~/.manifest/versions/ and updates the manifest-installer binary on your PATH:
./install.sh --bundle k3s-on-prem-${VERSION}.tar
  1. Confirm the new binary is in place:
manifest-installer version

3. Run the Upgrade

Apply the new version to your deployment:

manifest-installer upgrade --to ${VERSION}

The upgrade is idempotent. If it is interrupted (lost SSH session, ECR token expiry, transient pod failure), re-run the same command to resume from the saved state.

Upgrades typically take 10-20 minutes depending on image-pull speed and host performance.

4. Verify the Upgrade

Drop into the install-tools container shell and confirm the cluster is healthy:

manifest-installer shell
kubectl get nodes
kubectl get pods -A

All pods should reach Running or Completed. Type exit when done.

Confirm the deployed version matches the target:

manifest-installer status

Troubleshooting

If the upgrade fails or pods do not become healthy, see the Troubleshooting Guide. The most common upgrade-time issue is an expired ECR token producing ImagePullBackOff — re-run the docker login from step 1, then re-run manifest-installer upgrade --to ${VERSION}.

For additional assistance, contact Manifest Cyber support at [email protected].

Updated about 15 hours ago