Page MenuHomeDevCentral

Salt migration to 3007, 3008 and extensions
Open, HighPublic

Description

A proposal about SaltStack migration. We need to be aware of work currently needed to migrate Vault code from the core module to the extension.

Salt 3006

As of August 2024, FreeBSD packages repository still provide Salt 3006.

As such, this is the main version deployed on our servers and the version used for the primary server.

3006 is a LTS release with support until:

  • 2024-10-18 for active support
  • 2025-10-18 for security issues

Complector won't be upgraded to 3007 until one of those three scenarii occurs:

  • FreeBSD package is available and deployed everywhere
  • A critical need for features in extensions or 3008+
  • We're in October 2025 and there is no extension for 3006 LTS lifetime

Reference: https://docs.saltproject.io/salt/install-guide/en/latest/topics/salt-version-support-lifecycle.htm

Salt 3007

Salt 3007 provides new feature and a transition to 3008. See https://salt.tips/whats-new-in-salt-chlorine/

It's currently deployed on Linux servers without any issue.

If we're still on 3006 in October 2024, we'll skip 3007 on FreeBSD and we'll wait for 3008 until October 2025, per previously stated scenarii.

Extensions

Most of the features beyond OS-level management will be moved to modules. Complete list is available at https://github.com/saltstack/great-module-migration/.

Once 3007 is deployed everywhere, a priority is to start work to migrate to the Vault extension can be done. We'll gain in security and best practices, as documented in https://github.com/saltstack/salt/pull/62684.

Some considerations needs to be done for the ZFS community extension, including adoption.

If we need to directly migrate from 3006 to 3008, that will be tricker, especially for secrets provisioning, and will need an ad-hoc plan.

Salt 3008

Migration to Salt 3008 needs to be blocked by correct extension deployment:

  • ZFS
  • Vault

Event Timeline

dereckson triaged this task as Normal priority.Aug 3 2024, 11:16
dereckson created this task.
dereckson raised the priority of this task from Normal to High.Aug 3 2024, 16:53

I've also discovered we can't deploy secrets to Salt 3007+ anymore from a Salt 3006 server:

Complector
$ salt dwellers credentials.get_username espacewin/bugzilla/mysql_root
dwellers:
    ERROR: Failed to read secret! InvalidConfigError: Invalid vault configuration: auth:token is required for token auth

This is critical, hence priority increase.

Per previous comment, I'd advice to downgrade to 3006 LTS for paas-docker servers too.

That means using https://repo.saltproject.io/salt/py3/redhat/9/x86_64/3006/ as repository.