Upgrading the Anjuna Kubernetes Toolset for AWS EKS

Follow these procedures when you need to upgrade the toolset.

To upgrade the Anjuna Kubernetes Toolset for AWS EKS, first download the desired version of the Anjuna Kubernetes Toolset for AWS EKS tarfile from the Anjuna Resource Center.

When upgrading, you can use the same namespace for the upgraded Toolset as you used for the previous version, or you can use a different namespace:

  • If you choose to use the same namespace, you can use the already created TLS certificate for the Anjuna Webhook, and the K8s secret that was already created to hold that certificate.

  • If you choose to use a different namespace, make sure to delete and recreate the Webhook certificate and K8s secret as specified in the Webhook certificate section.

Tearing down resources

Change your working directory to the "anjuna-tools" directory of your previous version of the Anjuna Kubernetes Toolset for AWS EKS deployment:

$ cd [previous deployment dir]/anjuna-tools

If you used Helm to deploy your older version of the Anjuna Kubernetes Toolset for AWS EKS, follow the Helm teardown instructions in the Tearing down the Anjuna Kubernetes Toolset for AWS EKS section.
Otherwise, follow the Manual teardown instructions in the Tearing down the Anjuna Kubernetes Toolset for AWS EKS section.

Do not delete the K8s TLS secret, even though this is the first step under the Tearing down the Anjuna Kubernetes Toolset for AWS EKS section; follow only the steps under the Helm teardown or Manual teardown headings.

Upgrading procedure

Change your directory to the directory containing the newer version of the Anjuna Kubernetes Toolset for AWS EKS tarfile.

Follow the Prepare the workspace instructions in the Preparing the environment section.

Follow the instructions in the Creating the Anjuna Docker images section.

From the anjuna-tools directory of your previous version of the Anjuna Kubernetes Toolset for AWS EKS deployment, find the webhook-tls directory containing the Anjuna Nitro Webhook TLS certificate and key. Copy it to the anjuna-tools directory of the new version of the Anjuna Kubernetes Toolset for AWS EKS deployment:

$ cp -r \
      [old deployment dir]/anjuna-tools/webhook-tls \
      webhook-tls

Create an environment variable to store a base64-encoded version of the CA certificate:

$ export CA_BUNDLE=$(cat webhook-tls/caBundle.txt)

If you want to use Helm, follow the Helm deployment instructions in the Configuring the Anjuna Kubernetes Toolset for AWS EKS section.
Otherwise, follow the Manual deployment instructions in the Configuring the Anjuna Kubernetes Toolset for AWS EKS section.

Follow the instructions in the Deploying the Anjuna Kubernetes Toolset for AWS EKS section.

Rebuilding the EIFs with the new runtime version

After you upgrade the Anjuna Seaglass Toolset for EKS in your cluster, the Confidential Pods running in this cluster still use an earlier version of the Anjuna Seaglass Runtime than the one used by the upgraded Toolset.

You can consider rebuilding the EIFs with the new Runtime version to gain some of the following benefits of the newer version:

  1. New abilities.

  2. Fixes for bugs.

  3. Fixes for security vulnerabilities.

You can always review the Anjuna Release Notes page to see the improvements in newer versions.

If you decide to rebuild the EIF of a Confidential Pod with a newer version of the Runtime, you should be aware of the following potential side effects:

  • If your KMS policy is based on the hash of the enclave’s software measurements (PCR0, PCR1, or PCR2), you should update the KMS policy before launching the Confidential Pod with the new EIF.

    • The software measurement will change due to the change in the Anjuna Runtime code, even if your container image did not change.

    • If you plan to run older EIFs in parallel with the new one while using the same KMS secret, keep the older PCR0-2 values in the KMS policy and add the new values alongside them.

  • If your KMS policy is based on the hash of the EIF’s signing certificate (PCR8):

    • If you use the same certificate, you do not need to change the KMS policy.

    • If you use a different signing certificate, update the KMS policy with the new PCR8 value before launching the Confidential Pod with the new EIF.

    • If you plan to run older EIFs in parallel with the new one while using the same KMS secret, keep the older PCR8 values in the KMS policy and add the new PCR8 value alongside them.

  • When you stop using a version of an EIF in a Confidential Pod, remember to remove its PCR values from any KMS policy that uses these values.
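The PCR rotation described in the list above, sketched as an added example (not Anjuna's code): it extends a policy's allowed measurements for a parallel rollout, then retires the old value, and refuses to leave a condition with no allowed measurement. It assumes the key policy conditions on the AWS `kms:RecipientAttestation:PCR<n>` keys under `StringEqualsIgnoreCase`; the policy, account ID, role name and digests are constructed placeholders.

```python
import copy
import re

HEX384 = re.compile(r"^[0-9a-f]{96}$")  # PCR values are SHA-384 digests (96 hex chars)
OPERATOR = "StringEqualsIgnoreCase"     # assumption: operator used by your policy


def rotate_pcr(policy, pcr_index, add=(), remove=()):
    """Return a copy of `policy` with PCR values added/removed in every
    statement that already conditions on kms:RecipientAttestation:PCR<index>."""
    key = f"kms:RecipientAttestation:PCR{pcr_index}"
    add = [v.lower() for v in add]
    remove = {v.lower() for v in remove}
    for v in add:
        if not HEX384.match(v):
            raise ValueError(f"not a SHA-384 hex digest: {v!r}")
    updated = copy.deepcopy(policy)  # never mutate the caller's policy
    touched = 0
    for stmt in updated["Statement"]:
        cond = stmt.get("Condition", {}).get(OPERATOR, {})
        if key not in cond:
            continue
        current = cond[key]  # IAM allows a single string or a list of strings
        values = [current] if isinstance(current, str) else list(current)
        merged = [v.lower() for v in values if v.lower() not in remove]
        merged += [v for v in add if v not in merged]
        if not merged:
            raise ValueError(f"{key} would be left with no allowed measurement")
        cond[key] = merged  # multiple values under one key are OR'ed by IAM
        touched += 1
    if touched == 0:
        raise LookupError(f"no statement conditions on {key}")
    return updated


# Constructed sample: placeholder digests, account ID and role name.
OLD_PCR0 = "aa" * 48
NEW_PCR0 = "bb" * 48
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnclaveDecrypt",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-node-role"},
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {OPERATOR: {"kms:RecipientAttestation:PCR0": OLD_PCR0}},
    }],
}
```

Call `rotate_pcr(SAMPLE_POLICY, 0, add=[NEW_PCR0])` before launching the new EIF, and `rotate_pcr(policy, 0, remove=[OLD_PCR0])` once the old EIF is no longer running; review the resulting JSON before applying it to the key.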