Rolling Software Updates
TL;DR
Rolling updates of confidential services – what needs to be touched?
Software Updates
SCONE supports the rolling update of services and applications. Updates are a three-step process:
- Update the security policy of the application: add the new MrEnclave for the updated service / application.
- Trigger a rolling update with Kubernetes / helm.
- Update the security policy of the application: remove the old MrEnclaves of the service / application.
For each service, one can specify a sequence of MrEnclaves. This might look as follows:
services:
  - name: application
    mrenclaves: [0239...]
Suppose we want to update to a new version that has a different MrEnclave (4759... in the example below). If the service supports horizontal scaling, we might want a rolling update, i.e., we gradually replace old service instances by new instances. This means there is some time interval in which both old instances and new instances are running concurrently, so the policy has to accept both MrEnclaves during that interval.
First Step
Consider that you want to update the application to a new version with a new MrEnclave of, say, 4759.... In this case, you
would update your policy as follows, keeping the old MrEnclave so that the instances still running the old version can continue to attest:
services:
  - name: application
    mrenclaves: [0239..., 4759...]
Second Step
Now you can upgrade your application with the help of helm. You might trigger a rolling update as follows:
helm upgrade application .
Before proceeding to the third step, check that all your service instances have been upgraded: once the old MrEnclave is removed from the policy, any instance still running the old version can no longer attest.
Third Step
We now ensure that the old version of the service / application cannot run anymore by removing
the old MrEnclave from the policy:
services:
  - name: application
    mrenclaves: [4759...]
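The following added example (not SCONE's own code or tooling) walks the three steps above over a constructed set of running instances. The policy is mirrored as a plain dict with the same `services` / `mrenclaves` shape as the YAML fragments, the MrEnclave values are the page's truncated placeholders rather than real measurements, and the "pods" are a constructed list of (name, MrEnclave) pairs standing in for what helm would replace. It shows the two ordering constraints that matter: both MrEnclaves must be allowed while old and new instances coexist, and the old MrEnclave is only removed once no instance still depends on it.

```python
import copy

# Placeholder MrEnclave values as written on the page (truncated with "...");
# real values are 32-byte hex enclave measurements.
OLD_MRENCLAVE = "0239..."
NEW_MRENCLAVE = "4759..."

# Policy mirrored from the page's YAML `services:` list as a plain dict.
INITIAL_POLICY = {"services": [{"name": "application",
                                "mrenclaves": [OLD_MRENCLAVE]}]}

# Constructed sample: three running instances, all still on the old build.
INITIAL_INSTANCES = [("application-0", OLD_MRENCLAVE),
                     ("application-1", OLD_MRENCLAVE),
                     ("application-2", OLD_MRENCLAVE)]


def _service(policy, name):
    for svc in policy["services"]:
        if svc["name"] == name:
            return svc
    raise KeyError(f"no service {name!r} in policy")


def allowed_mrenclaves(policy, name):
    """The MrEnclaves the policy currently accepts for `name`."""
    return list(_service(policy, name)["mrenclaves"])


def add_mrenclave(policy, name, mrenclave):
    """Step 1: append the new MrEnclave; the old one stays so running
    instances keep attesting during the rollout."""
    svc = _service(policy, name)
    if mrenclave not in svc["mrenclaves"]:
        svc["mrenclaves"].append(mrenclave)
    return policy


def unattestable(policy, name, instances):
    """Names of instances whose MrEnclave the policy does not list
    (they would fail attestation against this policy)."""
    allowed = set(_service(policy, name)["mrenclaves"])
    return [pod for pod, mr in instances if mr not in allowed]


def remove_old_mrenclaves(policy, name, keep, instances):
    """Step 3: keep only `keep`; refuse while any instance still runs
    an older MrEnclave, since it would be cut off from attestation."""
    stale = [pod for pod, mr in instances if mr != keep]
    if stale:
        raise RuntimeError(f"rollout incomplete, still on old MrEnclave: {stale}")
    _service(policy, name)["mrenclaves"] = [keep]
    return policy


def rolling_update(policy, name, instances, new_mrenclave):
    """Run steps 1-3 over a constructed instance list, replacing one
    instance at a time (the part helm would do in step 2).

    Returns (final policy, final instances, list of allowed MrEnclaves
    after each step).
    """
    policy = copy.deepcopy(policy)
    instances = list(instances)
    history = []
    add_mrenclave(policy, name, new_mrenclave)            # step 1
    history.append(allowed_mrenclaves(policy, name))
    for i, (pod, _) in enumerate(instances):              # step 2
        instances[i] = (pod, new_mrenclave)
        # Old and new builds coexist here; every instance must still attest.
        assert not unattestable(policy, name, instances)
    history.append(allowed_mrenclaves(policy, name))
    remove_old_mrenclaves(policy, name, new_mrenclave, instances)  # step 3
    history.append(allowed_mrenclaves(policy, name))
    return policy, instances, history


if __name__ == "__main__":
    final_policy, final_instances, history = rolling_update(
        INITIAL_POLICY, "application", INITIAL_INSTANCES, NEW_MRENCLAVE)
    for step, allowed in zip(("after step 1", "after step 2", "after step 3"), history):
        print(f"{step}: allowed MrEnclaves = {allowed}")
```

Calling `remove_old_mrenclaves` before the rollout has finished raises instead of silently cutting off the remaining old instances, and `unattestable` makes the cost of skipping step 1 visible: against the initial policy, every freshly started instance of the new build is rejected.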
