Rolling Software Updates

TL;DR

Rolling updates of confidential services – what needs to be touched?

Software Updates

SCONE supports the rolling update of services and applications. Updates are a three-step process:

  • Update the security policy of the application: add the new MrEnclave of the updated service / application.
  • Trigger a rolling update with Kubernetes / helm.
  • Update the security policy of the application: remove the old MrEnclaves of the service / application.

For each service, one can specify a sequence of MrEnclaves. This might look as follows:

services:
  - name: application
    mrenclaves: [0239...]

and we want to update to a new version that has an MrEnclave of 0239.... If the service supports horizontal scaling, we might want a rolling update, i.e., we gradually replace old service instances by new instances. This means there is some time interval in which both old instances and new instances are running concurrently, and the policy has to accept both during that interval.

First Step

Consider that you want to update application to a new version with a new MrEnclave of, say, 4759.... In this case, you would update your policy as follows:

services:
  - name: application
    mrenclaves: [0239..., 4759...]

Second Step

Now you can upgrade your application with the help of helm. You might trigger a rolling update as follows:

helm upgrade application .

Before moving on to the third step, check that all your service instances have been upgraded: as long as an old instance is still running, its MrEnclave must stay in the policy, otherwise that instance can no longer attest.

Third Step

Once no old instance is left, we ensure that the old version of the service / application cannot run anymore by removing the old MrEnclave from the policy:

services:
  - name: application
    mrenclaves: [4759...]
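The ordering of the three steps is the whole point: the new MrEnclave has to be in the policy before the first new instance starts, and the old MrEnclave may only leave the policy after the last old instance is gone. The following script is an added illustration of that invariant, not SCONE's own tooling: it models the policy as a dict in the shape of the YAML fragments above and refuses to narrow the policy while any instance still attests with the build being removed. The policy, the service name and the "running instances" snapshots are constructed sample data; in a real cluster the snapshot would come from your deployment and attestation records.

```python
# Added example (not SCONE's own code): the three-step rolling update as
# operations on a policy dict shaped like this page's YAML fragments.
import copy

# Constructed policy, same shape as the page's YAML: services -> name, mrenclaves.
POLICY = {"services": [{"name": "application", "mrenclaves": ["0239..."]}]}

# Constructed snapshots of (instance name, MrEnclave it attested with).
RUNNING_OLD = [("application-0", "0239..."), ("application-1", "0239...")]
RUNNING_MIXED = [("application-0", "4759..."), ("application-1", "0239...")]
RUNNING_NEW = [("application-0", "4759..."), ("application-1", "4759...")]


def find_service(policy, name):
    """Return the service entry called `name`, or raise if it is absent."""
    for svc in policy["services"]:
        if svc["name"] == name:
            return svc
    raise KeyError(f"no service {name!r} in policy")


def is_admitted(policy, name, mrenclave):
    """Would an enclave with this MrEnclave be accepted for `name`?
    The old policy fails this for the new build, which is why step 1
    must come before the rollout."""
    return mrenclave in find_service(policy, name)["mrenclaves"]


def add_mrenclave(policy, name, mrenclave):
    """Step 1: widen the policy so old and new builds are both accepted.
    Returns a new policy; the input is left untouched."""
    new = copy.deepcopy(policy)
    mrs = find_service(new, name)["mrenclaves"]
    if mrenclave not in mrs:
        mrs.append(mrenclave)
    return new


def instances_not_on(running, mrenclave):
    """Step 2 check: instances that do not yet attest with `mrenclave`."""
    return [inst for inst, mr in running if mr != mrenclave]


def remove_mrenclave(policy, name, mrenclave, running):
    """Step 3: narrow the policy again. Refuses while any instance still
    runs the build being removed, and never empties the list."""
    still_old = [inst for inst, mr in running if mr == mrenclave]
    if still_old:
        raise RuntimeError(f"instances still on {mrenclave}: {still_old}")
    new = copy.deepcopy(policy)
    mrs = find_service(new, name)["mrenclaves"]
    if mrenclave not in mrs:
        return new
    if mrs == [mrenclave]:
        raise RuntimeError(f"refusing to remove the only MrEnclave of {name}")
    mrs.remove(mrenclave)
    return new


def render(policy):
    """Render the policy in the indented YAML form used on this page."""
    lines = ["services:"]
    for svc in policy["services"]:
        lines.append(f"  - name: {svc['name']}")
        lines.append("    mrenclaves: [" + ", ".join(svc["mrenclaves"]) + "]")
    return "\n".join(lines)


def rolling_update(policy, name, old_mr, new_mr, running_after_rollout):
    """All three steps in order. `running_after_rollout` is the snapshot
    taken after `helm upgrade` has finished (step 2)."""
    widened = add_mrenclave(policy, name, new_mr)  # step 1
    assert is_admitted(widened, name, new_mr)
    # step 2 (helm upgrade) happens here; verify it before narrowing
    if instances_not_on(running_after_rollout, new_mr):
        raise RuntimeError("rollout incomplete, keep both MrEnclaves")
    return remove_mrenclave(widened, name, old_mr, running_after_rollout)  # step 3


if __name__ == "__main__":
    final = rolling_update(POLICY, "application", "0239...", "4759...", RUNNING_NEW)
    print(render(final))
```

Running the script prints the narrowed policy from the third step. Passing `RUNNING_MIXED` instead of `RUNNING_NEW` makes `rolling_update` stop before step 3, which is the situation the check after `helm upgrade` is meant to catch.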