Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. Cohesity Cloud Scale Technology Manual Deployment Guide for Kubernetes Clusters
  3. Section IV. Maintenance
  4. Upgrading
  5. Upgrading Cloud Scale Technology
Cohesity Cloud Scale Technology Manual Deployment Guide for Kubernetes Clusters

Upgrading Cloud Scale Technology

This section describes a high level procedure for upgrading Cloud Scale Technology.

Table: Steps for upgrading Cloud Scale Technology

Steps

Description

Step 1

Ensure that all the prerequisites are met as mentioned in the following section:

Step 2

Upgrade the following add-ons:

  • cert-manager

  • trust-manager

Step 3

(Applicable only when using non-official Veritas registry)

Upload the new images to your private registry.

  • Extract contents of VRTSk8s-netbackup-<version>.tar file as follows:

    sudo mkdir /path/to/extracted

    sudo chmod -R 777 /path/to/extracted

    tar -xvf /path/to/VRTSk8s-netbackup-<version>.tar -C /path/to/extracted

    cd /path/to/extracted/VRTSk8s-netbackup-<version>/scripts

  • Run one of the following command (update the registry/build information only):

    REGISTRY='XXXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com' PKG_ROOT='/path/to/extracted/VRTSk8s-netbackup-<version>' ./tag_push_images.sh

    REGISTRY='XXXXXXXXXX.azurecr.io' TAR_FILE='/path/to/VRTSk8s-netbackup-<version>.tar' ./tag_push_images.sh

    For example,

    REGISTRY='XXXXXXXXXX.azurecr.io' TAR_FILE='/home/azureuser/VRTSk8s-netbackup-11.1.x.x.xxxx.tar' ./tag_push_images.sh

For more information, refer to the following section:

See Loading docker images.

Step 4

Log into the primary server and use the following command to suspend the backup job processing:

kubectl exec -it pod/<primary-pod-name> -n netbackup -- bash

nbpemreq -suspend_scheduling

Step 5

(Applicable only for upgrade of DBaaS 10.4 )

Upgrade PostgreSQL DBaaS version from 14 to 16 for Azure/AWS:

For Azure: Execute the kubectl command into 10.4 primary pod and create the /tmp/grant_admin_option_to_roles.sql file.

Execute the following command to execute grant_admin_option_to_roles.sql file:

/usr/openv/db/bin/psql "host=$(< /tmp/.nb-pgdb/dbserver) port=$(< /tmp/.nb-pgdb/dbport) dbname=NBDB user=$(< /tmp/.nb-pgdb/dbadminlogin) password=$(< /tmp/.nb-pgdb/dbadminpassword) sslmode=verify-full sslrootcert='/tmp/.db-cert/dbcertpem'" -f /tmp/grant_admin_option_to_roles.sql

/*
Azure PostgreSQL upgrade from 14 to 16 does not grant the NetBackup database administrator role the ADMIN OPTION for NetBackup roles.
This script will grant the NetBackup database administrator role the ADMIN OPTION so that it can manage NetBackup roles.
*/
  
GRANT ADTR_MAIN TO current_user WITH ADMIN OPTION;
GRANT AUTH_MAIN TO current_user WITH ADMIN OPTION;
GRANT DARS_MAIN TO current_user WITH ADMIN OPTION;
GRANT DBM_MAIN TO current_user WITH ADMIN OPTION;
GRANT EMM_MAIN TO current_user WITH ADMIN OPTION;
GRANT JOBD_MAIN TO current_user WITH ADMIN OPTION;
GRANT PEM_MAIN TO current_user WITH ADMIN OPTION;
GRANT RB_MAIN TO current_user WITH ADMIN OPTION;
GRANT SLP_MAIN TO current_user WITH ADMIN OPTION;
GRANT NBPGBOUNCER TO current_user WITH ADMIN OPTION;
GRANT NBWEBSVC TO current_user WITH ADMIN OPTION;
GRANT AZ_DBA TO current_user WITH  ADMIN OPTION;

Exit 10.4 primary pod. Ready for 10.4 with PostgreSQL to 10.5 with PostgreSQL 16 upgrade.

Upgrade Azure PostgreSQL version from 14 to 16 using Azure portal.

For AWS: Upgrade AWS PostgreSQL RDS version from 14 to 16 using AWS Management Console. Navigate to RDS page, select the database instance and click Modify to change the engine version.

For more information, see Upgrading the PostgreSQL DB engine for Amazon RDS.

Step 6

(This step is applicable only when upgrading from version 10.3 and 10.3.0.1)

Perform the following (AWS/Azure) to create Secret containing DBaaS CA certificates:

For AWS:

TLS_FILE_NAME='/tmp/tls.crt'
PROXY_FILE_NAME='/tmp/proxy.pem'
 
rm -f ${TLS_FILE_NAME} ${PROXY_FILE_NAME}
 
DB_CERT_URL="https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem"
DB_PROXY_CERT_URL="https://www.amazontrust.com/repository/AmazonRootCA1.pem"
 
curl ${DB_CERT_URL} --output ${TLS_FILE_NAME}
curl ${DB_PROXY_CERT_URL} --output ${PROXY_FILE_NAME}
 
cat ${PROXY_FILE_NAME} >> ${TLS_FILE_NAME}
 
kubectl -n netbackup create secret generic postgresql-netbackup-ca --from-file ${TLS_FILE_NAME}

For Azure:

DIGICERT_ROOT_CA='/tmp/root_ca.pem'
DIGICERT_ROOT_G2='/tmp/root_g2.pem'
MS_ROOT_CRT='/tmp/ms_root.crt'
COMBINED_CRT_PEM='/tmp/tls.crt'
  
DIGICERT_ROOT_CA_URL="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem";
DIGICERT_ROOT_G2_URL="https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem";
MS_ROOT_CRT_URL="http://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt";
  
curl ${DIGICERT_ROOT_CA_URL} --output ${DIGICERT_ROOT_CA}
curl ${DIGICERT_ROOT_G2_URL} --output ${DIGICERT_ROOT_G2}
curl ${MS_ROOT_CRT_URL} --output ${MS_ROOT_CRT}
  
openssl x509 -inform DER -in ${MS_ROOT_CRT} -out ${COMBINED_CRT_PEM} -outform PEM
cat ${DIGICERT_ROOT_CA} ${DIGICERT_ROOT_G2} >> ${COMBINED_CRT_PEM}
 
kubectl -n netbackup create secret generic postgresql-netbackup-ca --from-file ${COMBINED_CRT_PEM}

Step 7

Create db-cert bundle if it does not exists.

Step 8

Upgrade Cloud Scale.

See Upgrade Cloud Scale using the kubectl plugin.

More Information

Prerequisites for Cloud Scale Technology upgrade

Feedback

Was this page helpful?
Previous

Upgrading

Next

Prerequisites for Cloud Scale Technology upgrade

Feedback

Was this page helpful?