How can I resolve "Error: UPGRADE FAILED: cannot patch iax" when changing TLS certificate in ITRS Analytics?
Issue
When you change the TLS certificate for ITRS Analytics in the KOTS Admin Console, the upgrade may fail with errors like the following:
--- iax ---
Error: UPGRADE FAILED: cannot patch "iax" with kind ITRS Analytics: admission webhook "validating-webhook.obcerv.itrsgroup.com" denied the request: Updating or upgrading the ITRS Analytics instance kotsadm/iax is not allowed: ITRS Analytics licence is invalid or has expired
--- iax-app-query-service ---
Error: UPGRADE FAILED: pre-upgrade hooks failed: 1 error occurred:
* job obcerv-app-query-service-configure-platform-job failed: BackoffLimitExceeded
--- iax-app-webconsole ---
W0421 09:40:25.271861 874 warnings.go:70] spec.template.spec.containers[0].env[24]: hides previous definition of "OBCERV_CA_CRT", which may be dropped when using apply
--- iax-app-entities ---
Error: UPGRADE FAILED: pre-upgrade hooks failed: 1 error occurred:
* job iax-app-entities-configure-platform-job failed: BackoffLimitExceeded
The primary error is the admission webhook rejecting the upgrade because the license is invalid or expired. The pre-upgrade hook failures are typically a downstream effect of that license check.
You may also see repeated warnings in the licenced component logs:
2025-04-10 12:49:36.296 [grpc-server-7200-0] WARN com.itrsgroup.obcerv.platform.service.licence.LicenceGrpcService(Component-0) - No stored licence found, using bootstrap licence
...
2025-04-21 10:19:53.856 [grpc-server-7200-0] WARN com.itrsgroup.obcerv.platform.service.licence.LicenceGrpcService(Component-0) - No stored licence found, using bootstrap licence
The root cause is an expired bootstrap license. ITRS Analytics includes a temporary bootstrap license that is valid for only a few days. If it is not replaced with a permanent license, the admission webhook blocks upgrades, including TLS certificate changes.
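The triage reasoning above can be automated. The following Python is an added example, not ITRS tooling: it separates the webhook licence denial from the downstream hook failures and reports the first and last dates of the bootstrap licence warnings. The function names `classify` and `triage` are hypothetical, and the sample input is the output shown on this page.

```python
import re

# Sample input: the upgrade output and log lines shown on this page.
UPGRADE_OUTPUT = """\
--- iax ---
Error: UPGRADE FAILED: cannot patch "iax" with kind ITRS Analytics: admission webhook "validating-webhook.obcerv.itrsgroup.com" denied the request: Updating or upgrading the ITRS Analytics instance kotsadm/iax is not allowed: ITRS Analytics licence is invalid or has expired
--- iax-app-query-service ---
Error: UPGRADE FAILED: pre-upgrade hooks failed: 1 error occurred:
* job obcerv-app-query-service-configure-platform-job failed: BackoffLimitExceeded
--- iax-app-webconsole ---
W0421 09:40:25.271861 874 warnings.go:70] spec.template.spec.containers[0].env[24]: hides previous definition of "OBCERV_CA_CRT", which may be dropped when using apply
--- iax-app-entities ---
Error: UPGRADE FAILED: pre-upgrade hooks failed: 1 error occurred:
* job iax-app-entities-configure-platform-job failed: BackoffLimitExceeded
"""
LICENCE_LOG = """\
2025-04-10 12:49:36.296 [grpc-server-7200-0] WARN com.itrsgroup.obcerv.platform.service.licence.LicenceGrpcService(Component-0) - No stored licence found, using bootstrap licence
2025-04-21 10:19:53.856 [grpc-server-7200-0] WARN com.itrsgroup.obcerv.platform.service.licence.LicenceGrpcService(Component-0) - No stored licence found, using bootstrap licence
"""

SECTION = re.compile(r"^--- (\S+) ---$")
WEBHOOK = re.compile(r'admission webhook "([^"]+)" denied the request: (.*)$')
HOOK_JOB = re.compile(r"^\* job (\S+) failed: (\S+)$")

def classify(output):
    """Map each release section to (category, detail)."""
    result, release = {}, None
    for line in output.splitlines():
        m = SECTION.match(line)
        if m:
            release = m.group(1)
            result[release] = ("other", "")  # no recognised error seen yet
        elif release is None:
            continue
        elif (m := WEBHOOK.search(line)):
            result[release] = ("webhook-denied", m.group(2))
        elif (m := HOOK_JOB.match(line)):
            result[release] = ("hook-failed", f"{m.group(1)}: {m.group(2)}")
    return result

def triage(output, licence_log):
    """Return primary cause, downstream releases, and first/last bootstrap warning dates."""
    classes = classify(output)
    primary = [r for r, (c, d) in classes.items() if c == "webhook-denied" and "licence" in d]
    downstream = [r for r, (c, _) in classes.items() if c == "hook-failed"]
    stamps = [ln[:10] for ln in licence_log.splitlines() if "using bootstrap licence" in ln]
    return {"primary": primary, "downstream": downstream,
            "bootstrap_first": min(stamps, default=None), "bootstrap_last": max(stamps, default=None)}

print(triage(UPGRADE_OUTPUT, LICENCE_LOG))
```

A non-empty `primary` list together with bootstrap warnings spanning more than a few days points to the expired bootstrap license rather than to the new TLS certificate.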
Resolution
Obtain a permanent ITRS Analytics license from your account manager or ITRS Support if you do not already have one. Once you have a valid license file, upload it in the Web Console.
After the license is applied, retry the TLS certificate change in the KOTS Admin Console.