constellation/docs/versioned_docs/version-2.0/workflows/verify-cluster.md

# Verify your cluster

Constellation's [attestation feature](../architecture/attestation.md) allows you, or a third party, to verify the integrity and confidentiality of your Constellation cluster.

## Fetch measurements

To verify the integrity of Constellation you need trusted measurements to verify against. For each node image released by Edgeless Systems, there are signed measurements, which you can download using the CLI:

```bash
constellation config fetch-measurements
```

This command performs the following steps:
1. Download the signed measurements for the configured image. By default, this will use Edgeless Systems' public measurement registry.
2. Verify the signature of the measurements. This will use Edgeless Systems' [public key](https://edgeless.systems/es.pub).
3. Write measurements into configuration file.

## The *verify* command

:::note
The steps below are purely optional. They're automatically executed by `constellation init` when you initialize your cluster. The `constellation verify` command mostly has an illustrative purpose.
:::

The `verify` command obtains and verifies an attestation statement from a running Constellation cluster.

```bash
constellation verify [--cluster-id ...]
```

From the attestation statement, the command verifies the following properties:
* The cluster is using the correct Confidential VM (CVM) type.
* Inside the CVMs, the correct node images are running. The node images are identified through the measurements obtained in the previous step.
* The unique ID of the cluster matches the one from your `constellation-id.json` file or passed in via `--cluster-id`.

Once the above properties are verified, you know that you are talking to the right Constellation cluster and it's in a good and trustworthy shape.

### Custom arguments

The `verify` command also allows you to verify any Constellation deployment that you have network access to. For this you need the following:

* The IP address of a running Constellation cluster's [VerificationService](../architecture/components.md#verificationservice). The `VerificationService` is exposed via a `NodePort` service using the external IP address of your cluster. Run `kubectl get nodes -o wide` and look for `EXTERNAL-IP`.
* The cluster's *clusterID*. See [cluster identity](../architecture/keys.md#cluster-identity) for more details.

For example:

```shell-session
constellation verify -e 192.0.2.1 --cluster-id Q29uc3RlbGxhdGlvbkRvY3VtZW50YXRpb25TZWNyZXQ=
```
docs: minor fixes in first steps and wording improvements (#155) * docs: minor fixes in first steps and wording improvements * publish to 2.0 2022-09-14 08:40:41 -04:00			`# Verify your cluster`
Add docs to repo (#38) 2022-09-02 05:52:42 -04:00
docs: minor fixes in first steps and wording improvements (#155) * docs: minor fixes in first steps and wording improvements * publish to 2.0 2022-09-14 08:40:41 -04:00			`Constellation's [attestation feature](../architecture/attestation.md) allows you, or a third party, to verify the integrity and confidentiality of your Constellation cluster.`
Add docs to repo (#38) 2022-09-02 05:52:42 -04:00
			`## Fetch measurements`

Re-wording in docs/workflows (#135) * Quick pass over create.md * pass over verify.md * Re-arrange workflows * Quick polish of scale.md and upgrade.md * Quick polish of terminate.md * Cut recovery.md down * Brush over ssh * storage * Brush over trusted launch VMs * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Add Azure back to title * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * fix lint errors * publish to 2.0 Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> 2022-09-13 09:12:05 -04:00			`To verify the integrity of Constellation you need trusted measurements to verify against. For each node image released by Edgeless Systems, there are signed measurements, which you can download using the CLI:`
Add docs to repo (#38) 2022-09-02 05:52:42 -04:00
			```bash
			`constellation config fetch-measurements`
			```

			`This command performs the following steps:`
Re-wording in docs/workflows (#135) * Quick pass over create.md * pass over verify.md * Re-arrange workflows * Quick polish of scale.md and upgrade.md * Quick polish of terminate.md * Cut recovery.md down * Brush over ssh * storage * Brush over trusted launch VMs * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Add Azure back to title * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * fix lint errors * publish to 2.0 Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> 2022-09-13 09:12:05 -04:00			`1. Download the signed measurements for the configured image. By default, this will use Edgeless Systems' public measurement registry.`
docs: publish to 2.0 2022-09-28 10:31:47 -04:00			`2. Verify the signature of the measurements. This will use Edgeless Systems' [public key](https://edgeless.systems/es.pub).`
Re-wording in docs/workflows (#135) * Quick pass over create.md * pass over verify.md * Re-arrange workflows * Quick polish of scale.md and upgrade.md * Quick polish of terminate.md * Cut recovery.md down * Brush over ssh * storage * Brush over trusted launch VMs * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Add Azure back to title * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * fix lint errors * publish to 2.0 Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> 2022-09-13 09:12:05 -04:00			`3. Write measurements into configuration file.`
Add docs to repo (#38) 2022-09-02 05:52:42 -04:00
			`## The verify command`

docs: minor fixes in first steps and wording improvements (#155) * docs: minor fixes in first steps and wording improvements * publish to 2.0 2022-09-14 08:40:41 -04:00			`:::note`
			The steps below are purely optional. They're automatically executed by `constellation init` when you initialize your cluster. The `constellation verify` command mostly has an illustrative purpose.
			`:::`

Re-wording in docs/workflows (#135) * Quick pass over create.md * pass over verify.md * Re-arrange workflows * Quick polish of scale.md and upgrade.md * Quick polish of terminate.md * Cut recovery.md down * Brush over ssh * storage * Brush over trusted launch VMs * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Add Azure back to title * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * fix lint errors * publish to 2.0 Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> 2022-09-13 09:12:05 -04:00			The `verify` command obtains and verifies an attestation statement from a running Constellation cluster.
Add docs to repo (#38) 2022-09-02 05:52:42 -04:00
			```bash
Re-wording in docs/workflows (#135) * Quick pass over create.md * pass over verify.md * Re-arrange workflows * Quick polish of scale.md and upgrade.md * Quick polish of terminate.md * Cut recovery.md down * Brush over ssh * storage * Brush over trusted launch VMs * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Add Azure back to title * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * fix lint errors * publish to 2.0 Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> 2022-09-13 09:12:05 -04:00			`constellation verify [--cluster-id ...]`
Add docs to repo (#38) 2022-09-02 05:52:42 -04:00			```

Re-wording in docs/workflows (#135) * Quick pass over create.md * pass over verify.md * Re-arrange workflows * Quick polish of scale.md and upgrade.md * Quick polish of terminate.md * Cut recovery.md down * Brush over ssh * storage * Brush over trusted launch VMs * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Add Azure back to title * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * fix lint errors * publish to 2.0 Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> 2022-09-13 09:12:05 -04:00			`From the attestation statement, the command verifies the following properties:`
			`* The cluster is using the correct Confidential VM (CVM) type.`
			`* Inside the CVMs, the correct node images are running. The node images are identified through the measurements obtained in the previous step.`
docs: publish to 2.0 2022-09-28 10:31:47 -04:00			* The unique ID of the cluster matches the one from your `constellation-id.json` file or passed in via `--cluster-id`.
Re-wording in docs/workflows (#135) * Quick pass over create.md * pass over verify.md * Re-arrange workflows * Quick polish of scale.md and upgrade.md * Quick polish of terminate.md * Cut recovery.md down * Brush over ssh * storage * Brush over trusted launch VMs * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Add Azure back to title * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * fix lint errors * publish to 2.0 Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> 2022-09-13 09:12:05 -04:00
			`Once the above properties are verified, you know that you are talking to the right Constellation cluster and it's in a good and trustworthy shape.`
Add docs to repo (#38) 2022-09-02 05:52:42 -04:00
			`### Custom arguments`

docs: minor fixes in first steps and wording improvements (#155) * docs: minor fixes in first steps and wording improvements * publish to 2.0 2022-09-14 08:40:41 -04:00			The `verify` command also allows you to verify any Constellation deployment that you have network access to. For this you need the following:
Add docs to repo (#38) 2022-09-02 05:52:42 -04:00
docs: publish 2022-11-09 10:28:56 -05:00			* The IP address of a running Constellation cluster's [VerificationService](../architecture/components.md#verificationservice). The `VerificationService` is exposed via a `NodePort` service using the external IP address of your cluster. Run `kubectl get nodes -o wide` and look for `EXTERNAL-IP`.
Re-wording in docs/workflows (#135) * Quick pass over create.md * pass over verify.md * Re-arrange workflows * Quick polish of scale.md and upgrade.md * Quick polish of terminate.md * Cut recovery.md down * Brush over ssh * storage * Brush over trusted launch VMs * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Add Azure back to title * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * fix lint errors * publish to 2.0 Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> 2022-09-13 09:12:05 -04:00			`* The cluster's clusterID. See [cluster identity](../architecture/keys.md#cluster-identity) for more details.`
Add docs to repo (#38) 2022-09-02 05:52:42 -04:00
Re-wording in docs/workflows (#135) * Quick pass over create.md * pass over verify.md * Re-arrange workflows * Quick polish of scale.md and upgrade.md * Quick polish of terminate.md * Cut recovery.md down * Brush over ssh * storage * Brush over trusted launch VMs * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * Add Azure back to title * Update docs/docs/workflows/verify-cluster.md Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> * fix lint errors * publish to 2.0 Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com> Co-authored-by: Thomas Tendyck <tt@edgeless.systems> 2022-09-13 09:12:05 -04:00			`For example:`

			```shell-session
Ref/docs 2.0 (#112) 2022-09-09 11:01:57 -04:00			`constellation verify -e 192.0.2.1 --cluster-id Q29uc3RlbGxhdGlvbkRvY3VtZW50YXRpb25TZWNyZXQ=`
Add docs to repo (#38) 2022-09-02 05:52:42 -04:00			```