
Rolling Software Updates

SCONE supports the rolling update of applications. Updates are a two-step process:

  • Update the security policy of the application: add the new MrEnclaves of the application
  • Trigger a rolling update with Kubernetes / Helm
  • Update the security policy of the application: remove the old MrEnclaves of the application

For each service, the policy contains a list of MrEnclaves that you can update. This might look as follows:

services:
  - name: my-service
    mrenclaves: [d08b7351eeb8d5c0653d32794218f183ac9c6fa3923b67052752f78a3559de61]

First Step

Suppose you want to update my-service to a new version with a new MrEnclave, say e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. In this case, you would update your policy so that it lists both the old and the new MrEnclave:

services:
  - name: my-service
    mrenclaves: [d08b7351eeb8d5c0653d32794218f183ac9c6fa3923b67052752f78a3559de61,
                 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]

Second Step

Next, upgrade your application with Helm. You might trigger a rolling update as follows:

helm upgrade my-service .

Before moving on to the third step, check that all your service instances have been upgraded.

Third Step

We now ensure that the old version of the service cannot run anymore by removing the old MrEnclave from the policy:

services:
  - name: my-service
    mrenclaves: [e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855]
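
The ordering of the policy edits above can be checked before each change is applied. The following Python sketch is an added example, not part of SCONE or of the original page; the dicts mirror the `services` YAML shown above, and the function names and the `running` inventory of deployed MrEnclaves are assumptions.

```python
import re

# MrEnclave as written on this page: 64 lowercase hex characters.
MRENCLAVE_RE = re.compile(r"[0-9a-f]{64}")

OLD = "d08b7351eeb8d5c0653d32794218f183ac9c6fa3923b67052752f78a3559de61"
NEW = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

def policy(*mrenclaves):
    """Build the parsed form of the page's policy snippet (constructed sample)."""
    return {"services": [{"name": "my-service", "mrenclaves": list(mrenclaves)}]}

def allowed(pol, service):
    """Return the set of MrEnclaves the policy allows for one service."""
    for svc in pol["services"]:
        if svc["name"] == service:
            bad = [m for m in svc["mrenclaves"] if not MRENCLAVE_RE.fullmatch(m)]
            if bad:
                raise ValueError(f"malformed MrEnclave(s): {bad}")
            return set(svc["mrenclaves"])
    raise KeyError(service)

def check_policy_change(current, proposed, service, running):
    """List reasons why replacing `current` with `proposed` is unsafe.

    `running` is the set of MrEnclaves of the instances deployed right now
    (hypothetical inventory supplied by the operator).
    """
    before, after = allowed(current, service), allowed(proposed, service)
    problems = []
    if not after:
        problems.append("proposed policy allows no MrEnclave at all")
    # Third step too early: an old instance is still deployed.
    for m in sorted(running - after):
        problems.append(f"running instance {m[:8]} would no longer be allowed")
    # Swapping old for new in one edit skips the overlap the first step creates.
    if (after - before) and (before - after):
        problems.append("adds and removes MrEnclaves in one edit; "
                        "split into first and third step")
    return problems

if __name__ == "__main__":
    # Third step attempted while one old instance is still deployed.
    for p in check_policy_change(policy(OLD, NEW), policy(NEW),
                                 "my-service", running={OLD, NEW}):
        print("BLOCKED:", p)
```

An empty list means the edit respects the sequence described above; any entry is a reason to hold the policy change until the rollout has finished.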