github/confidential-containers
1
0
Fork 0
mirror of https://github.com/confidential-containers/confidential-containers.git synced 2025-10-20 23:12:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

release: update release checklist for v0.9.0

Browse Source 
For release v0.9.0 we will be using Kata main (among other changes).
Update/overhaul the release checklist to account for these differences.

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
This commit is contained in:
Tobin Feldman-Fitzthum
2024-04-08 16:26:23 -04:00
committed by Tobin Feldman-Fitzthum
parent fe829c58f2
commit 243224fc4a
1 changed files with 88 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files

174
.github/ISSUE_TEMPLATE/release-check-list.md vendored
View File

@@ -8,106 +8,108 @@ assignees: ''
# v<TARGET_RELEASE>
## Code freeze
## Overview
- [ ] 1. Update Enclave CC to use the latest commit from image-rs
The release process mainly follows from this dependency graph.
* https://github.com/confidential-containers/enclave-cc/blob/main/src/enclave-agent/Cargo.toml
* Change the revision
* Run `cargo update -p image-rs`
```mermaid
flowchart LR
Trustee --> Versions.yaml
Guest-Components --> Versions.yaml
Kata --> kustomization.yaml
Guest-Components .-> Client-tool
Guest-Components --> enclave-agent
enclave-cc --> kustomization.yaml
Guest-Components --> versions.yaml
Trustee --> versions.yaml
Kata --> versions.yaml
- [ ] 2. Update Kata Containers to use the latest commit from image-rs, attestation-agent and td-shim
subgraph Kata
Versions.yaml
end
subgraph Guest-Components
end
subgraph Trustee
Client-tool
end
subgraph enclave-cc
enclave-agent
end
subgraph Operator
kustomization.yaml
reqs-deploy
end
subgraph cloud-api-adaptor
versions.yaml
end
```
* image-rs
* https://github.com/kata-containers/kata-containers/blob/CCv0/src/agent/Cargo.toml
* Change the revision
* Run `cargo update -p image-rs`
* attestation-agent and td-shim
* https://github.com/kata-containers/kata-containers/blob/CCv0/versions.yaml
* Change the version
Starting with v0.9.0 the release process no longer involves centralized dependency management.
In other words, when doing a CoCo release, we don't push the most recent versions of the subprojects
into Kata and enclave-cc. Instead, dependencies should be updated during the normal process of development.
Releases of most subprojects are now decoupled from releases of the CoCo project.
- [ ] 3. Wait for kata-runtime-payload-ci to be successfully built
* After the previous PR is merged wait for the kata-runtime-payload-ci (https://github.com/kata-containers/kata-containers/actions/workflows/cc-payload-after-push.yaml) has completed, so the latest kata-runtime-payload-ci contains the changes
## The Steps
- [ ] 4. Check if there are new changes in the pre install payload script
### Determine release builds
* https://github.com/confidential-containers/operator/tree/main/install/pre-install-payload
* The last commit there must match what's in the following files as preInstall / postUninstall image
* Enclave CC: https://github.com/confidential-containers/operator/blob/main/config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml
* Kata Containers:
Note that for Kata Containers, we're looking for the newTag, below the quay.io/confidential-containers/reqs-payload image
* default: https://github.com/confidential-containers/operator/blob/main/config/samples/ccruntime/default/kustomization.yaml
Identify/create the bundles that we will release for Kata and enclave-cc.
- [ ] 5. Ensure the Operator is using the latest CI builds and that the Operator tests are passing
- [ ] 1. :eyes: **Create enclave-cc release**
Enclave-cc does not have regular releases apart from CoCo, so we need to make one.
Make sure that the CI [is green](https://github.com/confidential-containers/operator/actions/workflows/enclave-cc-cicd.yaml) and then use the Github release tool to create a tag and release.
This should create a bundle [here](https://quay.io/repository/confidential-containers/runtime-payload?tab=tags).
- [ ] 2. :eyes: **Find Kata release version**
The release will be based on an existing Kata containers bundle.
You should use a release of Kata containers.
Release bundles can be found [here](https://quay.io/repository/kata-containers/kata-deploy?tab=tags).
There is also a bundle built for [each commit](https://quay.io/repository/kata-containers/kata-deploy-ci?tab=tags).
If you absolutely cannot use a Kata release,
you can consider releasing one of these bundles.
### Test Release with Operator
- [ ] 3. :eyes: **Check operator pre-installation**
The operator uses a pre-install container to setup the node.
Check that the container matches the dependencies used in Kata
and that the operator pulls the most recent version of the container.
* Check that the version of the `nydus-snapshotter` used by Kata matches the one used by the operator
* Compare `nydus-snapshotter` version in Kata [versions.yaml](https://github.com/kata-containers/kata-containers/blob/main/versions.yaml#L291) with the [Makefile](https://github.com/confidential-containers/operator/blob/main/install/pre-install-payload/Makefile#L4) for the operator pre-intall container.
* If they do not match, update the operator. This can be part of the PR described in the next step.
* Make sure that the operator pulls the most recent version of the pre-install container
* Find the last commit in the [pre-install directory](https://github.com/confidential-containers/operator/tree/main/install/pre-install-payload)
* Make sure that the commit matches the preInstall / postUninstall image specified for [enclave-cc CRD](https://github.com/confidential-containers/operator/blob/main/config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml) and [Kata CRD](https://github.com/confidential-containers/operator/blob/main/config/samples/ccruntime/default/kustomization.yaml)
* If these do not match (for instance if you changed the snapshotter above), update the operator so that they do match. This can be part of the PR described in the next step.
- [ ] 4. :wrench: **Open a PR to the operator to update the release artifacts**
Update the operator to use the payloads identified in steps 1 and 2.
There are a number of places where the payloads are referenced. Make sure to update all of the following to the tag matching the latest commit hash from steps 7 and 8:
* Enclave CC:
* SIM: https://github.com/confidential-containers/operator/blob/main/config/samples/enclave-cc/sim/kustomization.yaml
* HW: https://github.com/confidential-containers/operator/blob/main/config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml
* Note that we need the quay.io/confidential-containers/runtime-payload-ci registry and enclave-cc-{SIM,HW}-latest tags
* [SIM](https://github.com/confidential-containers/operator/blob/main/config/samples/enclave-cc/sim/kustomization.yaml)
* [HW](https://github.com/confidential-containers/operator/blob/main/config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml)
* Kata Containers:
* default: https://github.com/confidential-containers/operator/blob/main/config/samples/ccruntime/default/kustomization.yaml
* s390x: https://github.com/confidential-containers/operator/blob/main/config/samples/ccruntime/s390x/kustomization.yaml
* peer-pods: https://github.com/confidential-containers/operator/blob/main/config/samples/ccruntime/peer-pods/kustomization.yaml
* [default](https://github.com/confidential-containers/operator/blob/main/config/samples/ccruntime/default/kustomization.yaml)
* [s390x](https://github.com/confidential-containers/operator/blob/main/config/samples/ccruntime/s390x/kustomization.yaml)
* [peer-pods](https://github.com/confidential-containers/operator/blob/main/config/samples/ccruntime/peer-pods/kustomization.yaml)
Note that we need the quay.io/confidential-containers/runtime-payload-ci registry and kata-containers-latest tag
- [ ] 6. Update peer-pods with latest commits of kata-containers and attestation-agent and test it, following the [release candidate testing process](https://github.com/confidential-containers/cloud-api-adaptor/blob/main/docs/Release-Process.md#release-candidate-testing)
- [ ] 7. Cut an attestation-service v<TARGET_RELEASE> and make images for AS and RVPS, if changes happened in the project.
**Also, update the [operator version](https://github.com/confidential-containers/operator/blob/main/config/release/kustomization.yaml#L7)**
### Final Touches
* https://github.com/confidential-containers/attestation-service
* Cut a release (AS/RVPS images will be automatically built triggered by release)
- [ ] 5. :trophy: **Cut an operator release using the GitHub release tool**
- [ ] 8. Cut a guest-components v<TARGET_RELEASE> release
- [ ] 5. :green_book: **Make sure to update the [release notes](https://github.com/confidential-containers/confidential-containers/tree/main/releases) and tag/release the confidential-containers repo using the GitHub release tool.**
- [ ] 9. Cut a td-shim v<TARGET_RELEASE> release, if changes happened in the project
- [ ] 7. :hammer: **Poke Wainer Moschetta (@wainersm) to update the release to the OperatorHub. Find the documented flow [here](https://github.com/confidential-containers/operator/blob/main/docs/OPERATOR_HUB.md).**
- [ ] 10. Update kbs to use the tagged attestation-service and guest-components, cut a release and make image
* https://github.com/confidential-containers/kbs/blob/main/src/api/Cargo.toml
* Change the revision for the `as-types` and `attestation-service` crates (both use `v<TARGET_RELEASE>`) and update the lock file
* https://github.com/confidential-containers/kbs/blob/main/tools/client/Cargo.toml
* Change the revision for the `as-types` and `kbs_protocol` crates (both use `v<TARGET_RELEASE>`)
* Cut a release
* kbs image will be automatically built triggered by release, so ensure that the [release workflow](https://github.com/confidential-containers/kbs/actions/workflows/release.yaml) ran successfully
- [ ] 11. Update Enclave CC to use the released version of image-rs
* redo step 1, but now using v<TARGET_RELEASE>
- [ ] 12. Update Kata Containers to the latest released version of:
* image-rs and attestation-agent (redo step 2, but now using the v<TARGET_RELEASE>)
- [ ] 13. Update the operator to use the images generated from the latest commit of both Kata Containers and Enclave CC
* redo step 5, but now targetting the latest payload image generated for Kata Containers and Enclave CC
- [ ] 14. Make sure all the operator tests are passing
- [ ] 15. Cut an Enclave CC release
- [ ] 16. Add a new Kata Containers tag
- [ ] 17. Wait for release kata-runtime-payload to be successfully built
* After the Kata tag is created wait for (https://github.com/kata-containers/kata-containers/actions/workflows/cc-payload.yaml) to be successfully completed, so the latest commit kata-runtime-payload for the release is created
- [ ] 18. Update peer pods to use the release versions and then cut a release following the [documented flow](https://github.com/confidential-containers/cloud-api-adaptor/blob/main/docs/Release-Process.md#cutting-releases)
## Release
- [ ] 19. Update the operator to use the release tags coming from Enclave CC and Kata Containers
* redo step 5, but now targeting the latest release of the payload image generated for Kata Containers eand Enclave CC
- [ ] 20. Update the Operator version
* https://github.com/confidential-containers/operator/blob/main/config/release/kustomization.yaml#L7
- [ ] 21. Cut an operator release
- [ ] 22. Make sure to update the release notes and tag the confidential-containers repository
* https://github.com/confidential-containers/confidential-containers/tree/main/releases/v<TARGET_RELEASE>.md
- [ ] 23. Poke Wainer Moschetta (@wainersm) to update the release to the OperatorHub. Find the documented flow [here](https://github.com/confidential-containers/operator/blob/main/docs/OPERATOR_HUB.md).