Upgrading the Anjuna Kubernetes Toolset for AWS EKS
Follow these procedures when you need to upgrade the toolset.
To upgrade the Anjuna Kubernetes Toolset for AWS EKS, first download the desired version of the Anjuna Kubernetes Toolset for AWS EKS tarfile from the Anjuna Resource Center.
When upgrading, you can use the same namespace for the upgraded Toolset as you used for the previous version, or you can use a different namespace:
Tearing down resources
Change your working directory to the "anjuna-tools" directory of your previous version of the Anjuna Kubernetes Toolset for AWS EKS deployment:
$ cd [previous deployment dir]/anjuna-tools
If you used Helm to deploy your older version of the Anjuna Kubernetes Toolset for AWS EKS, follow the Helm teardown instructions in the Tearing down the Anjuna Kubernetes Toolset for AWS EKS section.
Otherwise, follow the Manual teardown instructions in the Tearing down the Anjuna Kubernetes Toolset for AWS EKS section.
Do not delete the K8s TLS secret, even though the Tearing down the Anjuna Kubernetes Toolset for AWS EKS section lists that as its first step; only follow the steps under the Helm teardown or Manual teardown headings.
Upgrading procedure
Change your directory to the directory containing the newer version of the Anjuna Kubernetes Toolset for AWS EKS tarfile.
Follow the Prepare the workspace instructions in the Preparing the environment section.
Follow the instructions in the Creating the Anjuna Docker images section.
From the anjuna-tools directory of your previous version of the Anjuna Kubernetes Toolset for AWS EKS deployment, find the webhook-tls directory containing the Anjuna Nitro Webhook TLS certificate and key.
Copy it to the anjuna-tools directory of the new version of the Anjuna Kubernetes Toolset for AWS EKS deployment:
$ cp -r \
[old deployment dir]/anjuna-tools/webhook-tls \
webhook-tls
Create an environment variable to store a base64-encoded version of the CA certificate:
$ export CA_BUNDLE=$(cat webhook-tls/caBundle.txt)
If you want to use Helm, follow the Helm deployment instructions in the Configuring the Anjuna Kubernetes Toolset for AWS EKS section.
Otherwise, follow the Manual deployment instructions in the Configuring the Anjuna Kubernetes Toolset for AWS EKS section.
Follow the instructions in the Deploying the Anjuna Kubernetes Toolset for AWS EKS section.
Rebuilding the EIFs with the new runtime version
After you upgrade the Anjuna Seaglass Toolset for EKS in your cluster, the Confidential Pods running in that cluster still use an earlier version of the Anjuna Seaglass Runtime than the version used for running the Toolset.
Consider rebuilding the EIFs with the new Runtime version to gain some of the following benefits of the newer version:
- New abilities.
- Fixes for bugs.
- Fixes for security vulnerabilities.
You can always review the Anjuna Release Notes page to see the improvements in newer versions.
If you decide to rebuild the EIF of a Confidential Pod with a newer version of the Runtime, you should be aware of the following potential side effects:
- If your KMS policy is based on the hash of the enclave’s software measurements (PCR0, PCR1, or PCR2), you should update the KMS policy before launching the Confidential Pod with the new EIF.
  - The software measurement will change due to the change in the Anjuna Runtime code, even if your container image did not change.
  - If you plan to run EIFs in parallel to the new one, while using the same KMS secret, extend the older PCR0-2 values in the KMS policy with the new values.
- If your KMS policy is based on the hash of the EIF’s signing certificate (PCR8):
  - If you use the same certificate, you do not need to change the KMS policy.
  - If you use a different signing certificate, update the KMS policy with the new PCR8 value before launching the Confidential Pod with the new EIF.
  - If you plan to run EIFs in parallel to the new one, while using the same KMS secret, extend the older PCR8 values in the KMS policy with the new PCR8 value.
- When you stop using a version of an EIF in a Confidential Pod, remember to remove its PCR values from any KMS policy that uses these values.
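The following sketch shows the policy changes described above: extending a PCR condition so old and new EIFs can run in parallel, then retiring the old value. It is an added example, not code from Anjuna or from this page. It assumes the key policy pins measurements with the AWS KMS condition keys kms:RecipientAttestation:PCR<n>; the sample policy, role ARN, Sid, and PCR values are constructed placeholders.

```python
import copy

PCR_KEY = "kms:RecipientAttestation:PCR{}"  # AWS KMS condition key for a Nitro Enclaves PCR

OLD_PCR0 = "a" * 96  # constructed placeholder for the old EIF's PCR0 (SHA-384 hex)
NEW_PCR0 = "b" * 96  # constructed placeholder for the rebuilt EIF's PCR0
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{  # constructed policy
    "Sid": "EnclaveDecrypt", "Effect": "Allow",            # hypothetical Sid and ARN
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-enclave-role"},
    "Action": "kms:Decrypt", "Resource": "*",
    "Condition": {"StringEqualsIgnoreCase": {PCR_KEY.format(0): OLD_PCR0}},
}]}

def _pcr_blocks(policy, pcr):
    """Return every condition-operator block that pins the given PCR."""
    key = PCR_KEY.format(pcr)
    statements = policy["Statement"]
    statements = [statements] if isinstance(statements, dict) else statements
    blocks = [b for s in statements for b in s.get("Condition", {}).values() if key in b]
    if not blocks:
        raise ValueError(f"policy has no condition on PCR{pcr}")
    return key, blocks

def _values(block, key):                  # a condition value is a string or a list
    return [block[key]] if isinstance(block[key], str) else list(block[key])

def extend_pcr(policy, pcr, new_value):
    """Copy of policy that also accepts new_value (old and new EIFs in parallel)."""
    updated = copy.deepcopy(policy)
    key, blocks = _pcr_blocks(updated, pcr)
    for block in blocks:
        values = _values(block, key)
        if new_value.lower() not in [v.lower() for v in values]:
            values.append(new_value)
        block[key] = values
    return updated

def retire_pcr(policy, pcr, old_value):
    """Copy of policy without old_value; never leaves a condition empty."""
    updated = copy.deepcopy(policy)
    key, blocks = _pcr_blocks(updated, pcr)
    for block in blocks:
        remaining = [v for v in _values(block, key) if v.lower() != old_value.lower()]
        if not remaining:
            raise ValueError(f"{old_value[:8]}... is the only PCR{pcr} value left")
        block[key] = remaining
    return updated
```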