Upgrade Guide
Note: Fission upgrades cause a downtime as of now, however we try to minimize it. Please upvote the issue#1856 so we can priortize fixing it.
Upgrade to the latest Fission version
Upgrade/Replace the CRDs
kubectl replace -k "github.com/fission/fission/crds/v1?ref=v1.23.0"
Install the latest Fission CLI
Please make sure you have the latest CLI installed. Refer to Fission CLI Installation
Upgrade Fission chart
Update the helm repo and upgrade by mentioning the namespace Fission is installed in :
export FISSION_NAMESPACE="fission"
helm repo update
helm upgrade --namespace $FISSION_NAMESPACE fission fission-charts/fission-all
See configuration below.
Upgrade to 1.23.x release
v1.23.0 enables HMAC-signed internal authentication between Fission control-plane services by default. This introduces two changes operators should plan for before upgrading.
Public router no longer serves /fission-function/<ns>/<name>
The router now binds two listeners — a public one (port 8888, unchanged for user HTTPTrigger traffic) and a new internal one (port 8889, hosting /fission-function/<ns>/<name>).
This closes GHSA-3g33-6vg6-27m8: function-invocation routes are no longer reachable from the public listener.
Any external tooling that today curls /fission-function/... against the public router URL (typically through an Ingress) will get 404 after upgrade.
Audit before upgrading and migrate any such caller to use a proper HTTPTrigger, or route through the internal Service (in-cluster only).
KEDA message-queue triggers and the connector signing gap
internalAuth.enabled defaults to true in v1.23.0.
Upstream fission/kafka-http-connector (and the other Fission KEDA connector images) do not yet sign their /fission-function/... invocations, so KEDA-driven message-queue triggers will receive 401 from the new router internal listener.
If your installation uses KEDA-backed MessageQueueTrigger resources, set internalAuth.enabled=false at upgrade time until signing-aware KEDA connector images ship:
helm upgrade --namespace $FISSION_NAMESPACE fission fission-charts/fission-all \
--set internalAuth.enabled=false
With enabled=false, every signer/verifier short-circuits to pass-through and the cluster falls back to NetworkPolicy + namespace isolation alone — matching pre-1.23 in-cluster behaviour.
See Internal Service Authentication for the full toggle matrix, secret rotation, and longer-term mitigation.
Upgrade to 1.15.x release from 1.14.x release
With 1.15.x release, following changes are made:
fission-corechart is removedfission-allchart is made similarfission-corechartIn the
fission-allchart, the following components are disabled which were enabled by default earlier. If you want to enable them, please use--setflag.- nats - Set
nats.enabled=trueto enable Fission Nats integration - influxdb - Set
influxdb.enabled=trueto enable Fission InfluxDB and logger component - prometheus - Set
prometheus.enabled=trueto install Prometheus with Fission - canaryDeployment - Set
canaryDeployment.enabled=trueto enable Canary Deployment
- nats - Set
See configuration below.
Migrating from fission-core chart to fission-all chart
Fission-all chart is now exactly similar to fission-core chart and can be used to migrate from fission-core.
If you are upgrading from the fission-core chart, you can use the following command to migrate with required changes.
helm upgrade [RELEASE_NAME] fission-charts/fission-all --namespace fission
Configuration
See Customizing the Chart Before Installing. To see all configurable options with detailed comments:
helm show values fission-charts/fission-all
You may also helm show values on chart’s dependencies for additional options.