Rolling Software Updates
SCONE supports the rolling update of applications. Updates are a two-step process:
- Update the security policy of the application: add the new MrEnclaves of the application
- Trigger a rolling update with Kubernetes / helm
- Update the security policy of the application: remove the old MrEnclaves of the application
For each service, you can update a sequence of MrEnclaves. This might look as follows:
    services:
      - name: my-service
        mrenclaves: [d08b7351eeb8d5c0653d32794218f183ac9c6fa3923b67052752f78a3559de61]
First Step
Consider that you want to update my-service to a new version with a new MrEnclave of, say, e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. In this case, you would update your policy as follows:
    services:
      - name: my-service
        mrenclaves: [d08b7351eeb8d5c0653d32794218f183ac9c6fa3923b67052752f78a3559de61,
                     e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]
Second Step
Now you would upgrade your application with the help of helm. You might trigger a rolling update as follows:
    helm upgrade my-service .
You need to check that all your service instances have been upgraded.
Third Step
We now ensure that the old version of the service cannot run anymore by removing the old MrEnclave from the policy:
    services:
      - name: my-service
        mrenclaves: [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]
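
The ordering of the three steps matters: the new MrEnclave must be allowed before the rollout, and the old one may only be removed after every instance has been upgraded. The following is an added example, not SCONE's own code, that models the policy as a dictionary with the same shape as the YAML above and gates the removal on that check. The helper names and the `running` mapping (instance name to the MrEnclave it reports, collected by the operator) are assumptions made for illustration.

```python
import re

MRENCLAVE_RE = re.compile(r"^[0-9a-f]{64}$")  # 32-byte measurement, hex-encoded as on this page

def _service(policy, name):
    """Return the entry for `name` from the policy's `services` list."""
    for svc in policy["services"]:
        if svc["name"] == name:
            return svc
    raise KeyError(f"service {name!r} not in policy")

def add_mrenclave(policy, name, new):
    """First step: allow the new version alongside the old one."""
    if not MRENCLAVE_RE.match(new):
        raise ValueError("MrEnclave must be 64 lowercase hex characters")
    svc = _service(policy, name)
    if new not in svc["mrenclaves"]:
        svc["mrenclaves"].append(new)

def blockers(policy, name, old, running):
    """Reasons why `old` must not be removed yet (empty list = safe).

    `running` maps instance name -> MrEnclave it reports (assumed input).
    """
    svc = _service(policy, name)
    reasons = [f"{inst} still runs the old MrEnclave"
               for inst, m in sorted(running.items()) if m == old]
    reasons += [f"{inst} runs a MrEnclave missing from the policy"
                for inst, m in sorted(running.items())
                if m not in svc["mrenclaves"]]
    if [m for m in svc["mrenclaves"] if m != old] == []:
        reasons.append("removal would leave no allowed MrEnclave")
    return reasons

def remove_mrenclave(policy, name, old, running):
    """Third step: drop the old version only once nothing depends on it."""
    reasons = blockers(policy, name, old, running)
    if reasons:
        raise RuntimeError("; ".join(reasons))
    _service(policy, name)["mrenclaves"].remove(old)

# Constructed walk-through using the two MrEnclaves from the page.
OLD = "d08b7351eeb8d5c0653d32794218f183ac9c6fa3923b67052752f78a3559de61"
NEW = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
policy = {"services": [{"name": "my-service", "mrenclaves": [OLD]}]}
add_mrenclave(policy, "my-service", NEW)
mid_rollout = {"pod-0": NEW, "pod-1": OLD}   # helm upgrade still in progress
done = {"pod-0": NEW, "pod-1": NEW}          # all instances upgraded
```

Calling `remove_mrenclave(policy, "my-service", OLD, mid_rollout)` raises, while the same call with `done` leaves only the new MrEnclave in the policy.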