Upgrading Connectware to 2.0.0 (Kubernetes)

Verify that your firewalls and security rules are updated to allow the new ports (TCP/4222 and TCP/4223) and to remove dependencies on the deprecated ones (TCP/1884 and TCP/8884).

This ensures uninterrupted connectivity between your agents and Connectware.

We recommend adding the following resources to your hardware setup:

• 12 CPU cores

• 11 GB of memory

• 52 Gi of storage

However, these are general guidelines. Check what your specific system needs and make adjustments accordingly. If you were using the control-plane-broker option, you can offset these additional requirements with the resources it used, since it is being removed in this upgrade.

The microservices postgresql, auth-server, nats, and resource-status-tracking now have new or revised Kubernetes resource requests and limits. Make sure to adapt the default values to match your deployment needs.

We recommend beginning with the defaults, monitoring performance metrics, and fine-tuning resource allocations as needed.

• To adjust the default values, update the corresponding values in the global.podResources Helm value context.

Example

These steps apply to every Connectware installation upgrading to Connectware 2.0.0. For a detailed guide, see Mandatory Upgrade Steps.

1. TLS Changes: Default behavior on certificate validation has been adjusted.

2. Update Helm Values: Remove obsolete Helm values and adjust for changed and new values.

3. Preparing the Connectware Helm Upgrade: Prepare removal of control-plane-broker and remove PostgreSQL StatefulSet.

4. Upgrading to Connectware 2.0.0: Download and install Connectware 2.0.0.

5. Enabling Agents in the Connectware Helm Chart: After upgrading Connectware, you need to go back to your agents to enable their TLS connections.

6. Updating Helm Values for the Connectware Agent Helm Chart: Update your agent configuration to comply with the updated Helm value configuration.

7. Upgrading Agents for the Connectware Agent Helm Chart: Upgrade your agents with the connectware-agent Helm chart.

8. Reinstalling Services: This upgrade changes where your services are stored. You will need to reinstall any services after the upgrade.

Only follow these if you use the related features, so they continue working after the upgrade.

1. Roles and Permissions: New permissions were added to Connectware. Verify your custom roles, if they require updates.

2. Custom Connectors: Update your customer connector configurations to meet new requirements.

3. Systemstate Protocol: Update your Systemstate protocol configurations to meet new requirements.

4. Log Monitoring: Some logging strings are changed. If you use log monitoring, you may need to update it.

5. Heidenhain Agents: Upgrade your Heidenhain agents.

6. Auto-Generated MQTT Topics of Resources: Topic generation no longer includes resource-specific properties. Update your service commissioning files if you relied on old patterns.

7. Auto-Generated MQTT Users: The behavior of how MQTT users are auto-generated has changed. You may need to update your service commissioning file if you relied on auto-generated MQTT users.

Connectware maintains two separate CA chains:

• External certificates validated by cybus_ca.crt.

• Internal certificates validated by shared_yearly_ca.crt.

Which CA an agent requires depends on the hostname through which it connects to Connectware. For example, through the Connectware ingress, or directly to the Control Streaming Server (NATS) through the internal network.

To simplify configuration, we introduced cybus_combined_ca.crt, a bundle containing both chains, so agents can use a single file without needing to distinguish between internal and external CA certificates.

Agents now enforce TLS chain validation by default. Each agent requires access to cybus_combined_ca.crt, available on the certs volume.

• To revert to the previous behavior (skipping verification), set the environment variable CYBUS_TRUST_ALL_CERTS to true. Note that it has been renamed from TRUST_ALL_CERTS.

The default Connectware-generated CA includes the hostnames localhost and connectware.

• To add more hostnames, configure the Helm value global.ingressDNSNames.

With 2.0.0, the internal CA chain is replaced:

• Certificate Authority renamed from CybusCA to CybusInternalCA.

• The hostname nats is added as a Subject Alternate Name (SAN) to shared_yearly_server.crt.

The built-in default external CA certificate chain is also replaced.

• The hostname connectware is added as a SAN to cybus_server.crt.

If you rely on monitoring, custom setups, or modified certificates, adapt your configuration accordingly.

To replace Connectware’s default external chain with your enterprise-managed CA:

• Replace cybus_ca.crt with your enterprise CA certificate.

• Ensure cybus_server.crt and cybus_server.key form a valid key pair, signed by the CA in cybus_ca.crt.

Do not replace the internal CA (shared_yearly_ca.crt).

After replacement:

1. Restart the system-control-server deployment to rebuild and synchronize the combined CA bundle (cybus_combined_ca.crt):

1. Restart all Connectware services.

Some Helm values are obsolete and have been removed. Remove the following Helm values from your values.yaml file for the connectware Helm chart:

• global.rpcTimeout

• global.adminWebApp.rpcTimeout

• global.containerManager.rpcTimeout

• global.protocolMapper.rpcTimeout

• global.systemControlServer.rpcTimeout

• global.serviceManager.rpcTimeout

• global.serviceManager.storage

• global.controlPlaneBroker

• global.protocolMapperAgents[*].controlPlane

• global.serviceManager.useServicesGraph

With the changes TLS behavior in Connectware, it has become essential to add the DNS names under which Connectware is addressed, for example by agents.

If you are replacing Connectware's default PKI, you can, and likely have managed this yourself by providing a valid cybus_server.crt containing all Subject Alternate Names (SANs) used within your setup.

If you are using Connectware's default PKI, you can use the new Helm value global.ingressDNSNames, which is a list of names that will be added to the default cybus_server.crt.

Hostname Formats

You can include multiple hostnames in the list. The certificate will include all specified names in its SAN section.

The configuration accepts various hostname formats:

• Wildcards (e.g., *.company.io)

• Subdomains (e.g., connectware.company.io)

• Custom hostnames (e.g., localhost)

• IP Addresses (e.g. 192.168.100.42)

Example

Connectware's proxy configuration has been improved with version 2.0. Accompanying this, we added Helm values to configure proxy usage. This means that you cannot configure proxy usage directly through environment variables. If you have been doing this in the past, transfer your configuration to these new Helm values:

Example

Example with existing secret

Create your secret using your preferred method, in this example we will use a kubectl create command:

Connectware 2.0.0 introduces NATS as the stream server, primarily used for inter-service communication. The key configuration parameter is global.nats.replicas, which defines the cluster size. Typical values are 3 or 5, with 3 as the default. Increasing this to 5 raises the redundancy level from N+1 to N+2.

The following configuration values are available for the NATS streaming server:

In addition to the new stream server, Connectware introduces a second new component called resource-status-tracking. This component allows you to monitor the status of resources created through service commissioning files and enables you to detect deviations in service behavior.

The following configuration values are available for resource-status-tracking:

In previous releases, the storage volume of the PostgreSQL component was fixed at 1 Gi. With Connectware 2.0.0, the reliance on PostgreSQL has increased, resulting in a new default storage size of 5 Gi. This parameter is now configurable.

We recommend to allocate at least 5 Gi. For larger deployments, storage sizes of 20 Gi or more may be appropriate.

You can configure the storage size via the global.postgresql.storage.size Helm value:

A new Helm value is available to configure whether a protocol-mapper agent establishes its data plane connection to the Connectware MQTT broker using TLS.

To prevent agents from requiring re-registration after the upgrade, you must disable them during the installation. Once the upgrade is complete, you will re-enable the agents, update their configuration, and provide them with a valid CA certificate.

• To disable the agents defined in your Connectware Helm chart, set the Helm value global.protocolMapperAgents and all related values within this context to disabled. You can do this either by commenting out each line with a # or by temporarily removing them from the file.

The control-plane-broker is deprecated and its associated StatefulSet is no longer used. It will not be started anymore after the upgrade.

• No action is required in your Helm installation.

• Optional: Remove global.controlPlaneBroker from the connectware chart and controlPlaneBrokerEnabled from the connectware-agent chart.

• The brokerdata-control-plane-broker-* and brokerlog-control-plane-broker-* PersistentVolumeClaims are not removed automatically. Delete them manually if you want to reclaim the storage.

With Connectware 2.0.0, Connectware uses a new major version of PostgreSQL. You need to delete your postgresql volume before upgrading Connectware (this is covered later in this upgrade guide). This requires you to create a backup of your database and restore this after the upgrade.

1. To create a backup of your database, run the following command.

1. Make sure the backup is successful, then store the database file in a secure location.

The service-manager PersistentVolumeClaim (PVC) is deprecated and will be removed automatically during the upgrade to 2.0.0.

Depending on your ReclaimPolicy, this may or may not mean that the volume is being deleted too. If it is not automatically deleted, you will have to manually delete the volume previously associated with the service-manager PersistentVolumeClaim to free up the disk space.

The former contents will in the future be stored in the PostgreSQL database, but will not be automatically migrated. You will need to reinstall any services you used before. See Reinstalling Services.

If you do not have your services stored outside of Connectware, make sure to export your services, or create a backup of your service-manager volume before upgrading.

Before performing the upgrade, update the Helm repository cache to ensure the latest Connectware chart version is available.

• Run the following command:

Before upgrading to Connectware 2.0.0, review the changelog to familiarize yourself with new features, bug fixes, and other changes introduced in Connectware 2.0.0.

Before upgrading to Connectware 2.0.0, review the readme file. The readme may contain important version-specific upgrade instructions.

• To open the readme file, run the following command:

With a new Connectware version, there might be changes to the default Helm configuration values. We recommend that you compare the default Helms values of your current Connectware version with the default Helm values of your target Connectware version.

• To display the new default values, enter the following command:

• To display which Connectware default values have changed between your current version and your target version, enter the following command:

Example

In this example, only the image version has changed. However, if any of the Helm value changes are relevant to your setup, make the appropriate changes.

• To override default Helm values, add the custom Helm value to your local values.yaml file.

When you have reviewed the necessary information, adjust your configuration in your values.yaml file. Not every upgrade requires adjustments.

If you specified which image version of Connectware to use by setting the Helm value global.image.version you will need to update this to <target-version>. Unless you have a specific reason to use a specific image version, we recommend not setting the Helm value.

Make sure that you store backups of your setup. This allows you to restore a previous state if necessary.

Your backups must consist of the following files:

• All Kubernetes PersistentVolumes that Connectware uses

• Your Connectware database

• Your values.yaml file

• All service commissioning files

Depending on your local infrastructure, it may be necessary to back up additional files.

Before running the helm upgrade command, you must stop all connected agents. Agents which remain up during this upgrade run the risk of having to go through the agent registration process again.

• Docker Run: To stop agents which were started using docker run, use the docker stop command. If you are not aware of the name these containers use, run the docker ps command to find out.

• Docker Compose: If your agents are running in Docker Compose, use the docker compose down command to stop them.

• Agent Helm Chart: You can shut down agents that have been installed via the connectware-agent Helm chart using this command:

• Before running the helm upgrade command, you must remove the postgresql StatefulSet:

You can now start the first of two upgrade processes. This first upgrade run applies the new Connectware 2.0.0 workloads and prepares the system for the required database migration.

• To upgrade Connectware, enter the following command:

Result: The newly generated workload definitions are applied to your Kubernetes cluster and your Connectware pods are replaced.

• Wait for the system-control-server deployment to contain a ready pod, then shut down Connectware to restore your PostgreSQL database:

1. Note down the Persistent Volume name for your postgresql-postgresql-0 PersistentVolumeClaim. You will need this name later to make sure the volume is not recycled.

1. Remove the postgresql-postgresql-0 PersistentVolumeClaim:

1. Remove the PostgreSQL PersistentVolume. You can skip this step if the volume has been automatically deleted through a reclaim policy, or if you are sure a new volume will be used. If the same volume is reused for postgresql, the upgrade will fail.

1. Start PostgreSQL:

1. Restore your PostgreSQL Database. Wait for the postgresql-0 pod to become ready, then run:

You can start the final upgrade process. This upgrade finalizes the process by starting Connectware with the restored PostgreSQL database.

• To upgrade Connectware, enter the following command:

Optional: You can use the --atomic --timeout 10m command line switch, which will cause Helm to wait for the result of your upgrade and perform a rollback when it fails. We recommend setting the timeout value to at least 10 minutes, but because the time it takes to complete an upgrade strongly depends on your infrastructure and configuration you might have to increase it further.

Result: The newly generated workload definitions are applied to your Kubernetes cluster and your Connectware pods are replaced.

You can monitor the Connectware upgrade progress to verify that everything runs smoothly, to know when the installation is successful, or to investigate potential issues.

Monitoring the Connectware Upgrade

The Connectware upgrade can take a few minutes. To monitor the upgrade process, do one of the following:

• To monitor the current status of the upgrade process, enter the following command:

• To monitor the continuous progress of the upgrade process, enter the following command:

• To stop monitoring the continuous progress of the upgrade process , press Ctrl+C.

Pod Stages During the Connectware Upgrade

During the Connectware upgrade, the pods go through the following stages:

• Terminating

• Pending

• PodInitializing

• ContainerCreating

• Init:x/x

• Running

When pods reach the STATUS Running, they go through their individual startup before reporting as Ready. To be fully functional, all pods must reach the STATUS Running and report all their containers as ready. This is indicated by them showing the same number on both sides of the / in the column READY.

Example

At this point Connectware is upgraded and started. You can now make additional configurations or verify the upgrade status in the Admin UI.

You must update the Helm values of your connectware installation again to re-enable agents by removing the "#" you added, or adding them to the Helm values file again. Then add the cybus_combined_ca.crt or set CYBUS_TRUST_ALL_CERTS to true. If you were directly targeting our MQTT broker or control-plane-broker before, you should also move the respective configuration to their new replacements.

The following Helm values have changed. If you had specific configuration for these in the past, update the Helm values accordingly.

For some Helm values, you need to take additional steps depending on your setup. The required steps are covered in the following sections.

When deploying agents in the internal network of Connectware, they are able to directly connect to our MQTT broker instead of going through the Connectware ingress.

This improves performance and reduces failure points, so if you are running a heavy, critical load, it may be worth the extra configuration.

The major hindrance is, that the name "broker", which is used by our MQTT broker on the internal network, is not part of the cybus_server.crt by default. In order to connect agents with a TLS connection to this hostname, you either need to add the hostname "broker" as a Subject Alternate Name (SAN) to the certificate, or set CYBUS_TRUST_ALL_CERTS=true for the agent.

Adding the Hostname to the Default Certificate

If you are using the built-in default certificate for Connectware, you can add the hostname "broker" through the Helm value global.ingressDNSNames:

It is easiest if you add this Helm value before running your upgrade to Connectware 2.0.0, since activating it will automatically be covered by the upgrade guide.

If applying this configuration after already upgrading to Connectware 2.0.0, running helm upgrade on your Connectware installation will cause the system-control-server Deployment to restart. Once it is ready again, restart the broker StatefulSet:

Configuring Your Agents to Target the MQTT Broker

Next you need to configure your agents to target the MQTT broker directly by using the protocolMapperAgents[*].dataPlane.host Helm value:

The TCP port used for this connection is automatically determined by other configuration like TLS and mTLS settings, however, if for some reason you need to override this, use the Helm value protocolMapperAgents[*].dataPlane.port.

When deploying agents in the internal network of Connectware, they are able to directly connect to our streaming server control plane instead of going through the Connectware ingress.

This improves performance and reduces failure points, so if you are running a heavy, critical load, it may be worth the extra configuration.

Configuring Your Agents to Target the Streaming Server

Next you need to configure your agents to target the streaming server directly by using the protocolMapperAgents[*].streamServer.host Helm value. The default internal name is "nats".

The TCP port used for this connection is automatically determined by other configuration like mTLS settings, however, if for some reason you need to override this, use the Helm value protocolMapperAgents[*].streamServer.port.

You will need to have the CA certificate you want to add at hand, in this example we will assume, that you are using the cybus_combined_ca.crt:

1. Copy cybus_combined_ca.crt from Connectware:

2. Add cybus_combined_ca.crt to Agent Helm Values:

Add the CA certificate to the Helm values of every agent in your connectware installation:

Alternatively you can add it using an existing Kubernetes ConfigMap:

As an alternative you can disable TLS certificate validation for agents. This of course has negative impact on security of your TLS connections, allowing for Man-in-the-middle attacks, but this may be acceptable for development instances or test installations.

After choosing and configuring your method of choice, you can run helm upgrade on your connectware installation again.

• To upgrade Connectware, enter the following command:

Obsolete Helm Values (Connectware-Agent Chart)

Some Helm values are obsolete and have been removed. Remove the following Helm values from your values.yaml file for the connectware Helm chart:

• protocolMapperAgentDefaults.controlPlaneBrokerEnabled

• protocolMapperAgents[*].controlPlaneBrokerEnabled

• protocolMapperAgentDefaults.controlPlane

• protocolMapperAgents[*].controlPlane

• protocolMapperAgentDefaults.rpcTimeout

• protocolMapperAgents[*].rpcTimeout

Changed Helm Values (Connectware-Agent Chart)

The following Helm values have changed. If you had specific configuration for these in the past, update the Helm values accordingly.

For some Helm values, you need to take additional steps depending on your setup. The required steps are covered in the following sections.

When deploying agents in the internal network of Connectware, they are able to directly connect to our MQTT broker instead of going through the Connectware ingress.

This improves performance and reduces failure points, so if you are running a heavy, critical load, it may be worth the extra configuration.

The major hindrance is, that the name "broker", which is used by our MQTT broker on the internal network, is not part of the cybus_server.crt by default. In order to connect agents with a TLS connection to this hostname, you either need to add the hostname "broker" as a Subject Alternate Name (SAN) to the certificate, or set CYBUS_TRUST_ALL_CERTS=true for the agent.

Adding the Hostname to the Default Certificate

If you are using the built-in default certificate for Connectware, you can add the hostname "broker" through the Helm value global.ingressDNSNames:

It is easiest if you add this Helm value before running your upgrade to Connectware 2.0.0, since activating it will automatically be covered by the upgrade guide.

If applying this configuration after already upgrading to Connectware 2.0.0, running helm upgrade on your Connectware installation will cause the system-control-server Deployment to restart. Once it is ready again, restart the broker StatefulSet:

Configuring Your Agents to Target the MQTT Broker

Next you need to configure your agents to target the MQTT broker directly by using the protocolMapperAgentDefaults.dataPlane.host Helm value:

The TCP port used for this connection is automatically determined by other configuration like TLS and mTLS settings, however, if for some reason you need to override this, use the Helm value protocolMapperAgentDefaults.dataPlane.port.

When deploying agents in the internal network of Connectware, they are able to directly connect to our streaming server control plane instead of going through the Connectware ingress.

This improves performance and reduces failure points, so if you are running a heavy, critical load, it may be worth the extra configuration.

Configuring Your Agents to Target the Streaming Server

Next you need to configure your agents to target the streaming server directly by using the protocolMapperAgentDefaults.streamServer.host Helm value. The default internal name is "nats".

The TCP port used for this connection is automatically determined by other configuration like mTLS settings, however, if for some reason you need to override this, use the Helm value protocolMapperAgentDefaults.streamServer.port.

To connect a protocol-mapper agent with Connectware 2.0.0, you must either provide the agent with the valid CA certificate for the server certificate in use, or disable verification of TLS certificate validity by setting the environment variable CYBUS_TRUST_ALL_CERTS to true on the agent.

Depending on the fact if you are connecting an agent through Connectware's ingress or through the internal network, you may need to provide either cybus_ca.crt or shared_yearly_ca.crt, but if you want to skip this complexity, there is a new file called cybus_combined_ca.crt, which includes both CA bundles, allowing internal and external connections.

The following examples use the method of configuring all agents inside one connectware-agent installation through the protocolMapperAgentDefaults Helm value context. However, you can also configure this using the protocolMapperAgents Helm value context as described in Configuration Principles for the connectware-agent Helm Chart.

You need to have the CA certificate that you want to add at hand. In this example, we assume that you are using the cybus_combined_ca.crt:

1. Copy cybus_combined_ca.crt from Connectware:

1. Add the CA certificate cybus_combined_ca.crt to the Helm values of your connectware-agent installation:

Alternatively, you can add it using an existing Kubernetes ConfigMap:

You can choose to disable TLS certificate validation for agents. This is not recommended, as it weakens security and makes your setup vulnerable to man-in-the-middle attacks. However, it may be acceptable in non-production environments such as development or testing.

After completing the upgrade, you must reinstall all previously used services. You can do this using your preferred method:

• Via the Admin UI, see Installing Services.

• Automatically through a CI pipeline.

Additionally, there have been changes to the relationships between services. Understanding how these interdependencies behave at runtime is crucial for correct deployment and maintenance.

Install parent services first (recommended): If the service depends on another service (parent/child relationship), install the parent service first. This ensures:

• Service relations are created during installation.

• Each service can be installed with targetState=enabled.

Install child services first (alternative): It is possible to install the dependent (child) service first, but this comes with limitations:

• Service relations are only established when the service is enabled.

• The dependent (child) service can only be installed with targetState=disabled.

For more details, see Service Dependency Behavior and targetState.

• Check the permissions of your users. Compare them with the default roles in Connectware 2.0.0 and make any updates needed so your users can continue working without interruptions.

For more information on managing permissions, see Permissions.

VRPC is no longer supported in the custom connector environment.

• Remove all VRPC references in the custom connector code. This includes the import and any usage of VrpcAdapter:

Example

• When defining the Dockerfile, ensure that the destination path for the copied source files ends in a protocol-specific directory name written entirely in lowercase.

Example

• The schema $id must match the file name (without the .json).

• The schema must start with a capital letter, like Foobar.

Example

• In FoobarConnection.json, the class must be like:

• In FoobarEndpoint.json, the class must be like:

Schemas support versioning through the additional version property, which must be a positive integer greater than zero. If this property is omitted, the default value is 1.

Versioning ensures that only the latest version of a schema is considered active and valid. This means that even though all custom connector instances should run the same version of schemas, the latest version will overwrite any previous version in the CW control plane.

Example

• FoobarConnection.json supporting versioning.

Follow the case-sensitive naming conventions based on the protocol name.

• File names must start with an uppercase protocol name (e.g., Foobar).

• Connection and endpoint suffixes are mandatory.

• JS files define classes.

• JSON files define schemas.

Example

• The class name must match the file name, excluding the .js extension.

• The class name must start with a capital letter, such as Foobar.

Example

• In FoobarConnection.js, the class must be:

• In FoobarEndpoint.js, the class must be:

Unless you need a specific constructor, there is no need to specify one because it is inherited from the parent class. However, if you need to implement a custom constructor for the Connection or Endpoint classes, preserve the following format:

• In FoobarConnection.js, the class constructor must be like:

• In FoobarEndpoint.js, the class constructor must be like:

The _topic property is now handled automatically. Manually assigning it will cause errors.

The following code is invalid and must be removed since topics are now built internally.

The standard JavaScript environment of custom connectors is based on CommonJS modules. ES modules are not supported.

TypeScript is not officially supported in development workflows. However, if you want to use TypeScript and compile it to JavaScript, make sure to configure your tsconfig.json file as follows:

Additionally, the compiled JavaScript output must include an exports.default assignment and the exported class itself. This ensures interoperability with our CommonJS-based module system. The compiled .js file should result in:

• Tracking the entire service object is no longer allowed. You must update your connector configuration to track individual resources only (like specific endpoints or connections).

Example

The following status events have been removed from Systemstate. If your implementation depends on them (e.g., for health monitoring or automation), you must refactor that logic:

• subscribed/unsubscribed

• online/offline

If you rely on log monitoring, review whether your setup references any of the updated log messages and adjust accordingly.

You must upgrade the Windows-based Cybus Heidenhain Agent to work with Connectware 2.0.0.

1. Uninstall the existing Heidenhain agent installation from your Windows system.

2. Install the updated Heidenhain agent. You can find the download link at Heidenhain DNC.

Auto-generated topics no longer include resource-specific properties. They always follow:

Example of new behavior

• S7: services/myService/pressure

• Modbus: services/myService/current

• HTTP: services/myService/myEndpoint

Procedure

1. Scan your service commissioning files for any usage of auto-generated topics.

2. Adapt those references by replacing direct topic strings with !ref references.

For more details, see Reference Method (!ref).

If you are using auto-generated MQTT users outside of services (e.g., scripts, dashboards, or other non-commissioning references), migrate to explicit identities:

• Create dedicated users with the required roles/permissions. See User Management.

• Update your external systems to use the new explicit credentials.