[Release] Check list for v0.5.0

[jepio]

v0.5.0

Code freeze

• - 1. Update image-rs to use the latest commit from ocicrypt-rs (@wainersm)

    * https://github.com/confidential-containers/image-rs/blob/main/Cargo.toml
      * Change the revision
      * Run `cargo update -p ocicrypt-rs`
    * Opened: https://github.com/confidential-containers/image-rs/pull/138
  

• - 2. Update image-rs to use the latest commit from attestation-agent (@wainersm)

    * https://github.com/confidential-containers/image-rs/blob/main/Cargo.toml
      * Change the revision
      * Run `cargo update -p attestation_agent`
    * Opened: https://github.com/confidential-containers/image-rs/pull/138
  

• - 3. Update Enclave CC to use the latest commit from image-rs (@wainersm)

    * https://github.com/confidential-containers/enclave-cc/blob/main/src/enclave-agent/Cargo.toml
      * Change the revision
      * Run `cargo update --manifest-path src/enclave-agent/Cargo.toml -p image-rs`
    Note that you can point to your own fork here, so you don't actually do changes in the other projects
    before making sure this step works as expected.
    * Opened: https://github.com/confidential-containers/enclave-cc/pull/143
  

• - 4. Update Kata Containers to use the latest commit from image-rs (@wainersm)

    * https://github.com/kata-containers/kata-containers/blob/CCv0/src/agent/Cargo.toml
      * Change the revision
      * Run `cargo update -p image-rs`
    Note that you can point to your own fork here, so you don't actually do changes in the other projects
    before making sure this step works as expected.
  

• - 5. Update Kata Containers to use the latest attestation-agent (@wainersm)

    * https://github.com/kata-containers/kata-containers/blob/CCv0/versions.yaml
      * Change the version
  

• - 6. Update Kata Containers to use the latest td-shim (@wainersm)

    * https://github.com/kata-containers/kata-containers/blob/CCv0/versions.yaml
      * Change the version
  

• - 7. Check if there are new changes in the pre install payload script

    * https://github.com/confidential-containers/operator/tree/main/install/pre-install-payload
      * The last commit there must match what's in the following files as preInstall / postUninstall image
        * Enclave CC: https://github.com/confidential-containers/operator/blob/main/config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml
        * Kata Containers:
          Note that for Kata Containers, we're looking for the newTag, below the quay.io/confidential-containers/container-engine-for-cc-payload image
          * s390x: https://github.com/confidential-containers/operator/blob/main/config/samples/ccruntime/s390x/kustomization.yaml
          * x86_64: https://github.com/confidential-containers/operator/blob/main/config/samples/ccruntime/default/kustomization.yaml
  

• - 8. Ensure the Operator is using the latest CI builds and that the Operator tests are passsing

    * Enclave CC:
      * SIM: https://github.com/confidential-containers/operator/blob/main/config/samples/enclave-cc/sim/kustomization.yaml
      * HW: https://github.com/confidential-containers/operator/blob/main/config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml
      * Note that we need the quay.io/confidential-containers/runtime-payload-ci registry and enclave-cc-{SIM,HW}-latest tags
    * Kata Containers:
      * s390x: https://github.com/confidential-containers/operator/blob/main/config/samples/ccruntime/s390x/kustomization.yaml
      * x86_64: https://github.com/confidential-containers/operator/blob/main/config/samples/ccruntime/default/kustomization.yaml
      Note that we need the quay.io/confidential-containers/runtime-payload-ci registry and kata-containers-latest tag
  

• - 9. Cut an ocicrypt-rs v<TARGET_RELEASE> release, if changes happened in the project

• - 10. Cut an attestation-agent v<TARGET_RELEASE>, if changes happened in the project

• - 11. Cut an image-rs v<TARGET_RELEASE> release, using the latest release of:

    * ocicrypt-rs (redo step 1, but now using v<TARGET_RELEASE>)
    * attestation-agent (redo step 2, but now using v<TARGET_RELEASE>)
  

• - 12. Cut a td-shim v<TARGET_RELEASE> release, if changes happened in the project

• - 13. Update Enclave CC to use the released version of image-rs

    * redo step 3, but now using v<TARGET_RELEASE>
  

• - 14. Update Kata Containers to the latest released version of:

    * image-rs (redo step 4, but now using the v<TARGET_RELEASE>)
    * attestation-agent (redo step 5, but now using the v<TARGET_RELEASE>)
    * td-shim (redo step 6, but now using the v<TARGET_RELEASE>)
  

• - 15. Update the operator to use the images generated from the latest commit of both Kata Containers and Enclave CC

    * redo step 8, but now targetting the latest payload image generated for Kata Containers and Enclave CC
  

• - 16. Make sure all the operator tests are passing

• - 17. Cut an Enclave CC release

• - 18. Add a new Kata Containers tag

Release

• - 19. Update the operator to use the release tags coming from Enclave CC and Kata Containers

    * redo step 8, but now targetting thje latest release of the payload image generated for Kata Containers eand Enclave CC
  

• - 20. Update the Operator version

    * https://github.com/confidential-containers/operator/blob/main/config/release/kustomization.yaml#L7
  

• - 21. Cut an operator release

• - 22. Make sure to update the release notes

    * https://github.com/confidential-containers/documentation/tree/main/releases/v<TARGET_RELEASE>.md
  

• - 23. Poke Jens Freimann (jfreiman@redhat.com) to update the release to the OperatorHub

[jepio]

I believe the following PRs need to be tested, approved and merged to start the release:
kata-containers:

• agent: add support for ttrpc kata-containers/kata-containers#6404
• osbuilder: support cc-kbc for tdx kata-containers/kata-containers#6520

tests:

• Signatures: add resources with new URI scheme kata-containers/tests#5577
• ci: Set cc_kbc as the AA_KBC type for TDX kata-containers/tests#5582
• SEV: Make SEV tests work with resource URI kata-containers/tests#5584
• Signatures: add resources with new URI scheme; PART 2 kata-containers/tests#5579 (this PR combines the others + has some extra fixes needed)

ssh-demo:

• ssh-demo: Use KBS URI in demo documentation#114

I'm current running CI of all those PRs together (using depends-on) in:

• CC | agent: add support for ttrpc + dependency on test PR kata-containers/kata-containers#6569.

[Xynnn007]

Also, this release also includes KBS/AS. We might need the following steps:

• 1. Cut an attestation-service v<TARGET_RELEASE> and make images for AS and RVPS, if changes happened in the project.

   * https://github.com/confidential-containers/attestation-service
   * Cut a release (AS/RVPS images will be automatically built triggered by release)

• 2. Update kbs to use the latest commit from attestation-service, cut a release and make image

  * https://github.com/confidential-containers/kbs/blob/main/src/api_server/Cargo.toml
  * Change the revision for the following crates (both use `v<TARGET_RELEASE>`)
     * `as-types`
     * `attestation-service`
  * Cut a release (kbs image will be automatically built triggered by release)

PR for docker-compose:
confidential-containers/trustee#70

[jepio]

@Xynnn007 where is the release automation for those container images?

Tagging and syncing up more dependencies and repositories is problematic and unsustainable. This needs a better solution.

[Xynnn007]

@Xynnn007 where is the release automation for those container images?

Tagging and syncing up more dependencies and repositories is problematic and unsustainable. This needs a better solution.

Yes, you're right. Now we do not have one. Do you have any examples or suggestions? I can start with this, probably after v0.5.0

[wainersm]

I believe the following PRs need to be tested, approved and merged to start the release: kata-containers:

* [x]  [agent: add support for ttrpc kata-containers/kata-containers#6404](https://github.com/kata-containers/kata-containers/pull/6404)

* [x]  [osbuilder: support cc-kbc for tdx kata-containers/kata-containers#6520](https://github.com/kata-containers/kata-containers/pull/6520)

tests:

* [x]  [Signatures: add resources with new URI scheme kata-containers/tests#5577](https://github.com/kata-containers/tests/pull/5577)

* [x]  [ci: Set cc_kbc as the AA_KBC type for TDX kata-containers/tests#5582](https://github.com/kata-containers/tests/pull/5582)

* [x]  [SEV: Make SEV tests work with resource URI kata-containers/tests#5584](https://github.com/kata-containers/tests/pull/5584)

* [x]  [Signatures: add resources with new URI scheme; PART 2 kata-containers/tests#5579](https://github.com/kata-containers/tests/pull/5579) (this PR combines the others + has some extra fixes needed)

ssh-demo:

* [x]  [ssh-demo: Use KBS URI in demo documentation#114](https://github.com/confidential-containers/documentation/pull/114)

I'm current running CI of all those PRs together (using depends-on) in:

* [CC | agent: add support for ttrpc + dependency on test PR kata-containers/kata-containers#6569](https://github.com/kata-containers/kata-containers/pull/6569).

Hi @jepio ,

All those PR are closed now. Can we start the freeze process? What can I do to help?

[fidencio]

@wainersm, what about start with items from 1-5?

[wainersm]

@wainersm, what about start with items from 1-5?

Good idea. Edited the description, put my name on those items.

[wainersm]

This is a summary of steps 1-6:

• attestation-agent commit c939d21
• ocicrypt-rs had updated attestation-agent to commit c939d21 (chore: bump attestation-agent version with the latest one ocicrypt-rs#63)
• image-rs had updated attestation-agent to commit c939d21 and ocicrypt-rs to commit 55ab22d (Cargo: update dependencies for CoCo release 0.5.0 guest-components#138)
• enclave-cc had updated image-rs to commit b28eaae (enclave-agent: update image-rs dependency enclave-cc#143)
• kata-containers had updated image-rs to commit b28eaae, td-shim to commit 10568bab569b and attestation-agent to commit c939d211fe5ac49771 (CCv0: update dependencies for CoCo release 0.5.0 kata-containers/kata-containers#6651)

The steps 7 and 8 can be carried out as soon as https://github.com/kata-containers/kata-containers/actions/runs/4693722127 finishes, that is going to generate the new runtime payload (https://quay.io/repository/confidential-containers/runtime-payload-ci?tab=tags) for the operator. @larrydewey

[fidencio]

Items 7 and 8 are covered here: confidential-containers/operator#200

[fidencio]

ocicrypt-rs release: https://github.com/confidential-containers/ocicrypt-rs/releases/tag/v0.5.0

[fidencio]

attestation-agent release: https://github.com/confidential-containers/attestation-agent/releases/tag/v0.5.0

[fidencio]

td-shim release: https://github.com/confidential-containers/td-shim/releases/tag/v0.5.0

[fidencio]

image-rs release with up-to-date tags: https://github.com/confidential-containers/image-rs/releases/tag/v0.5.0

[fidencio]

ocicrypt-rs release: https://github.com/confidential-containers/ocicrypt-rs/releases/tag/v0.5.0

Second try: https://github.com/confidential-containers/ocicrypt-rs/releases/tag/v0.5.1

[fidencio]

image-rs release with up-to-date tags: https://github.com/confidential-containers/image-rs/releases/tag/v0.5.0

Second try: https://github.com/confidential-containers/image-rs/releases/tag/v0.5.1

[fidencio]

Enclave CC release was cut: https://github.com/confidential-containers/enclave-cc/releases/tag/v0.5.0

[fidencio]

Kata Containers tag has been created: https://github.com/kata-containers/kata-containers/releases/tag/CC-0.5.0

[fidencio]

https://github.com/confidential-containers/documentation/blob/main/releases/v0.5.0.md was updated 2 weeks ago.

[fidencio]

@jensfr, the only bit missing from the checklist is adding the release to the OperatorHub.

[jensfr]

yep, I'll do that

[fitzthum]

Docs are done for v0.5.0. I am holding off on tagging the docs until Monday so that we can change the link to the CAA README to point to main rather than staging.

[jensfr]

PR for operatorhub is merged
k8s-operatorhub/community-operators#2622

[fitzthum]

Documentation tagged now.