add SFT upgrade process. (#524)

* add SFT upgrade process.

* take review into account.

offline/docs.md

@@ -324,26 +324,30 @@ For full docs with details and explanations please see https://github.com/wireap
 First, make sure you have a certificate for `sftd.<yourdomain>`. This could be the same wildcard or SAN certificate
 you used at previous steps.
 
-If you want to restrict SFT to certain nodes, make sure that in your inventory
-you have annotated all the nodes that are able to run sftd workloads correctly.
+Next, copy `values/sftd/prod-example-values.yaml` to `values/sftd/values.yaml`, and change the contents accordingly. 
+
+ * If your turn servers can be reached on their public IP by the SFT service, Wire recommends you enable cooperation between turn and SFT. add a line reading `turnDiscoveryEnabled: true` to your values file.
+
+#### Deploying
+If you want to restrict SFT to certain nodes, make sure that in your inventory file you have annotated all of the nodes that are able to run sftd workloads with a node label indicating they are to be used, and their external IP, if they are behind a 1:1 firewall (Wire recommends this.).
 ```
 kubenode3 node_labels="{'wire.com/role': 'sftd'}" node_annotations="{'wire.com/external-ip': 'XXXX'}"
 ```
 
-If these weren't already set; you should rerun :
+If these values weren't already set earlier in the process you should rerun ansible to set them:
 ```
 d ansible-playbook -i ./ansible/inventory/offline ansible/kubernetes.yml --skip-tags bootstrap-os,preinstall,container-engine
 ```
 
-
-If you are restricting SFT to certain nodes, use `nodeSelector` to run on specific nodes (of course **replace the domains with yours**):
+If you are restricting SFT to certain nodes, use `nodeSelector` to run on specific nodes (**replacing the example.com domains with yours**):
 ```
 d helm upgrade --install sftd ./charts/sftd \
   --set 'nodeSelector.wire\.com/role=sftd' \
   --set host=sftd.example.com \
   --set allowOrigin=https://webapp.example.com \
   --set-file tls.crt=/path/to/tls.crt \
-  --set-file tls.key=/path/to/tls.key
+  --set-file tls.key=/path/to/tls.key \
+  --values values/sftd/values.yaml
 ```
 
 If you are not doing that, omit the `nodeSelector` argument:
@@ -352,5 +356,6 @@ d helm upgrade --install sftd ./charts/sftd \
   --set host=sftd.example.com \
   --set allowOrigin=https://webapp.example.com \
   --set-file tls.crt=/path/to/tls.crt \
-  --set-file tls.key=/path/to/tls.key
+  --set-file tls.key=/path/to/tls.key \
+  --values values/sftd/values.yaml
 ```

offline/upgrading-SFT_ONLY.md

@@ -0,0 +1,39 @@
+# How to upgrade wire (SFT only)
+
+You should have received a deployment artifact from the Wire team in order to upgrade your SFT calling service.
+
+Your deployment artifact contains three things: the new chart, the new values file, and an image for sftd.
+
+## Uploading the Image into Kubernetes hosts
+
+The image needs to be imported with `docker load` on each of the kubernetes hosts.
+
+Copy the sft image to the kubernetes hosts, and `docker load` it on each of the kubernetes hosts.
+
+To load into docker as root, you can `cat quay.io_wire_sftd_2.1.19.tar | docker load`. If you are using a non-priviledged user, and sudo (wire's recommendation), you can use:
+
+```
+sudo bash -c "cat quay.io_wire_sftd_2.1.19.tar | docker load"
+```
+
+## Replacing your SFT Chart
+
+Move your sft/ chart out of the charts folder in the workspace where you're working with wire, and replace it wit the one in the deliverable. Keep this, in case you need to step back.
+
+## Examining your Values
+
+Examine the values file we've provided, comparing it to the one you used when last deploying SFT. Make sure there are no changes to make with the new chart. If there are changes to make, make a backup copy before you make changes!
+
+## Deploying:
+
+Use helm install --upgrade in the same fashion as the installation process guided you through.
+
+## Verifying your deployment was successful:
+
+In the web client, place a call, and then go to 'gear icon' -> Audio / Video -> and then to 'Save the calling debug report'.
+When you read that file, search for a line that starts with "a=tool:sftd". that has your sft server version on it.
+
+# How to step back, if this has made things worse:
+
+Just move your old SFT chart and values file back into place, and use helm uninstall, and then helm install.
+

offline/upgrading.md

@@ -1,8 +1,6 @@
 # How to upgrade wire (services only)
 
-We have a pipeline in  `wire-server-deploy` producing container images, static
-binaries, ansible playbooks, debian package sources and everything required to
-install Wire.
+We have a pipeline in `wire-server-deploy` producing container images, static binaries, ansible playbooks, debian package sources and everything required to install Wire.
 
 Create a fresh workspace to download the new artifacts: