docs: misc fixes and rewording

2025-04-26 18:19:32 -04:00 · 2022-11-09 14:34:03 +01:00 · 2022-11-09 14:34:03 +01:00 · 01fbfeebb9
commit 01fbfeebb9
parent 0d12e37c96
10 changed files with 67 additions and 65 deletions
--- a/README.md
+++ b/README.md
@ -56,7 +56,7 @@ Encrypting your K8s is good for:
 <a href="https://landscape.cncf.io/?selected=constellation"><img src="https://raw.githubusercontent.com/cncf/artwork/1c1a10d9cc7de24235e07c8831923874331ef233/projects/kubernetes/certified-kubernetes/versionless/color/certified-kubernetes-color.svg" align="right" width="100px"></a>
 * Constellation is a [CNCF-certified][certified] Kubernetes. It's aligned to Kubernetes' [version support policy][k8s-version-support] and will likely work with your existing workloads and tools.
-* Support for Azure and GCP (more to come).
+* Support for Azure, GCP, and AWS.
 * Support for local installations with [MiniConstellation][first-steps-local].
 ## Getting started
--- a/docs/docs/architecture/attestation.md
+++ b/docs/docs/architecture/attestation.md
@ -218,8 +218,8 @@ The last missing link is how the ground truth in the form of runtime measurement
 The build process of Constellation images also creates the ground truth runtime measurements. <!-- soon: The builds of Constellation images are reproducible and the measurements of an image can be recalculated and verified by everyone. -->
 With every release, Edgeless Systems publishes signed runtime measurements.
-The release binary is also signed by Edgeless Systems.
+The CLI executable is also signed by Edgeless Systems.
-The [installation guide](../architecture/orchestration.md#verify-your-cli-installation) explains how you can verify this signature.
+You can [verify its signature](../workflows/verify-cli.md).
 The CLI contains the public key required to verify signed runtime measurements from Edgeless Systems.
 When a cluster is [created](../workflows/create.md) or [upgraded](../workflows/upgrade.md), the CLI automatically verifies the measurements for the selected image.
--- a/docs/docs/getting-started/first-steps.md
+++ b/docs/docs/getting-started/first-steps.md
@ -76,41 +76,41 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step
    * **subscription**: The UUID of your Azure subscription, e.g., `8b8bd01f-efd9-4113-9bd1-c82137c32da7`.
-        You can view your subscription UUID via `az account show` and read the `id` field. For more information refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-subscription).
+      You can view your subscription UUID via `az account show` and read the `id` field. For more information refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-subscription).
    * **tenant**: The UUID of your Azure tenant, e.g., `3400e5a2-8fe2-492a-886c-38cb66170f25`.
-        You can view your tenant UUID via `az account show` and read the `tenant` field. For more information refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-ad-tenant).
+      You can view your tenant UUID via `az account show` and read the `tenant` field. For more information refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/azure-portal/get-subscription-tenant-id#find-your-azure-ad-tenant).
    * **location**: The Azure datacenter location you want to deploy your cluster in, e.g., `westus`. CVMs are currently only supported in a few regions, check [Azure's products available by region](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines&regions=all). These are:
-        * `westus`
+      * `westus`
-        * `eastus`
+      * `eastus`
-        * `northeurope`
+      * `northeurope`
-        * `westeurope`
+      * `westeurope`
    * **resourceGroup**: [Create a new resource group in Azure](https://portal.azure.com/#create/Microsoft.ResourceGroup) for your Constellation cluster. Set this configuration field to the name of the created resource group.
    * **userAssignedIdentity**: [Create a new managed identity in Azure](https://portal.azure.com/#create/Microsoft.ManagedIdentity). You should create the identity in a different resource group as all resources within the cluster resource group will be deleted on cluster termination.
-        Add two role assignments to the identity: `Virtual Machine Contributor` and `Application Insights Component Contributor`. The `scope` of both should refer to the previously created cluster resource group.
+      Add two role assignments to the identity: `Virtual Machine Contributor` and `Application Insights Component Contributor`. The `scope` of both should refer to the previously created cluster resource group.
-        Set the configuration value to the full ID of the created identity, e.g., `/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity`. You can get it by opening the `JSON View` from the `Overview` section of the identity.
+      Set the configuration value to the full ID of the created identity, e.g., `/subscriptions/8b8bd01f-efd9-4113-9bd1-c82137c32da7/resourcegroups/constellation-identity/providers/Microsoft.ManagedIdentity/userAssignedIdentities/constellation-identity`. You can get it by opening the `JSON View` from the `Overview` section of the identity.
-        The user-assigned identity is used by instances of the cluster to access other cloud resources.
+      The user-assigned identity is used by instances of the cluster to access other cloud resources.
-        For more information about managed identities refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities).
+      For more information about managed identities refer to [Azure's documentation](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities).
    * **appClientID**: [Create a new app registration in Azure](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/CreateApplicationBlade/quickStartType~/null/isMSAApp~/false).
-        Set `Supported account types` to `Accounts in this organizational directory only` and leave the `Redirect URI` empty.
+      Set `Supported account types` to `Accounts in this organizational directory only` and leave the `Redirect URI` empty.
-        Set the configuration value to the `Application (client) ID`, e.g., `86ec31dd-532b-4a8c-a055-dd23f25fb12f`.
+      Set the configuration value to the `Application (client) ID`, e.g., `86ec31dd-532b-4a8c-a055-dd23f25fb12f`.
-        In the cluster resource group, go to `Access Control (IAM)` and set the created app registration as `Owner`.
+      In the cluster resource group, go to `Access Control (IAM)` and set the created app registration as `Owner`.
    * **clientSecretValue**: In the previously created app registration, go to `Certificates & secrets` and create a new `Client secret`.
-        Set the configuration value to the secret value.
+      Set the configuration value to the secret value.
    * **instanceType**: The VM type you want to use for your Constellation nodes.
@ -147,69 +147,69 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step
    * **project**: The ID of your GCP project, e.g., `constellation-129857`.
-        You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113).
+      You can find it on the [welcome screen of your GCP project](https://console.cloud.google.com/welcome). For more information refer to [Google's documentation](https://support.google.com/googleapi/answer/7014113).
    * **region**: The GCP region you want to deploy your cluster in, e.g., `us-west1`.
-        You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
+      You can find a [list of all regions in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
    * **zone**: The GCP zone you want to deploy your cluster in, e.g., `us-west1-a`.
-        You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
+      You can find a [list of all zones in Google's documentation](https://cloud.google.com/compute/docs/regions-zones#available).
    * **serviceAccountKeyPath**: To configure this, you need to create a GCP [service account](https://cloud.google.com/iam/docs/service-accounts) with the following permissions:
-        - `Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)`
+      - `Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)`
-        - `Compute Network Admin (roles/compute.networkAdmin)`
+      - `Compute Network Admin (roles/compute.networkAdmin)`
-        - `Compute Security Admin (roles/compute.securityAdmin)`
+      - `Compute Security Admin (roles/compute.securityAdmin)`
-        - `Compute Storage Admin (roles/compute.storageAdmin)`
+      - `Compute Storage Admin (roles/compute.storageAdmin)`
-        - `Service Account User (roles/iam.serviceAccountUser)`
+      - `Service Account User (roles/iam.serviceAccountUser)`
-        Afterward, create and download a new JSON key for this service account. Place the downloaded file in your Constellation workspace, and set the config parameter to the filename, e.g., `constellation-129857-15343dba46cb.json`.
+      Afterward, create and download a new JSON key for this service account. Place the downloaded file in your Constellation workspace, and set the config parameter to the filename, e.g., `constellation-129857-15343dba46cb.json`.
    * **instanceType**: The VM type you want to use for your Constellation nodes.
-        Supported are all machines from the N2D family. It defaults to `n2d-standard-4` (4 vCPUs, 16 GB RAM), but you can use any other VMs from the same family. Refer to [N2D machine series](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines) or run `constellation config instance-types` to get the list of all supported options.
+      Supported are all machines from the N2D family. It defaults to `n2d-standard-4` (4 vCPUs, 16 GB RAM), but you can use any other VMs from the same family. Refer to [N2D machine series](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines) or run `constellation config instance-types` to get the list of all supported options.
    </tabItem>
    <tabItem value="aws" label="AWS">
    * **region**: The name of your chosen AWS data center region, e.g., `us-east-2`.
-        Constellation OS images are currently replicated to the following regions:
+      Constellation OS images are currently replicated to the following regions:
-        * `eu-central-1`
+      * `eu-central-1`
-        * `us-east-2`
+      * `us-east-2`
-        * `ap-south-1`
+      * `ap-south-1`
-        If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x).
+      If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x).
-        You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions).
+      You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions).
    * **zone**: The name of your chosen AWS data center availability zone, e.g., `us-east-2a`.
-        Learn more about [availability zones in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-availability-zones).
+      Learn more about [availability zones in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-availability-zones).
    * **image**: The ID of the amazon machine image (AMI) the Constellation nodes will use:
-        Constellation OS images are available with the following IDs:
+      Constellation OS images are available with the following IDs:
-        | AMI | Region |
+      | AMI | Region |
-        | - | - |
+      | - | - |
-        | `ami-0e27ebcefc38f648b` | `eu-central-1` |
+      | `ami-0e27ebcefc38f648b` | `eu-central-1` |
-        | `ami-098cd37f66523b7c3` | `us-east-2` |
+      | `ami-098cd37f66523b7c3` | `us-east-2` |
-        | `ami-04a87d302e2509aad` | `ap-south-1` |
+      | `ami-04a87d302e2509aad` | `ap-south-1` |
    * **iamProfileControlPlane**: The name of an IAM instance profile attached to all control-plane nodes.
-        Use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `control_plane_instance_profile`.
+      Use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `control_plane_instance_profile`.
-        Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.control_plane_policy`.
+      Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.control_plane_policy`.
    * **iamProfileWorkerNodes**: The name of an IAM instance profile attached to all worker nodes.
-        Use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `worker_nodes_instance_profile`.
+      Use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `worker_nodes_instance_profile`.
-        Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.worker_node_policy`.
+      Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.worker_node_policy`.
    </tabItem>
    </tabs>
@ -318,15 +318,13 @@ This action is irreversible and ALL DATA WILL BE LOST.
 Do you want to continue? [y/n]:
 ```
-After confirming with either `y` or `yes`, the cluster will be terminated :
+Confirm with `y` to terminate the cluster:
 ```shell-session
 Terminating ...
 Your Constellation cluster was terminated successfully.
 ```
 For automation purposes, you can skip the prompt by passing `--yes` as a flag to `constellation terminate`.
 :::tip
 On Azure, if you have used the `az` script, you can keep the prerequisite resources and reuse them for a new cluster.
--- a/docs/docs/overview/clouds.md
+++ b/docs/docs/overview/clouds.md
@ -32,7 +32,7 @@ The [CVMs available in GCP](https://cloud.google.com/compute/confidential-vm/doc
 ## Amazon Web Services (AWS)
-AWS currently doesn't offer CVMs. AWS proprietary Nitro Enclaves offer some related features but [are explicitly not designed to keep AWS itself out](https://aws.amazon.com/blogs/security/confidential-computing-an-aws-perspective/). Besides, they aren't suitable for running entire Kubernetes nodes inside them. Therefore, Constellation uses regular EC2 instances on AWS [Nitro](https://aws.amazon.com/ec2/nitro/) without runtime encryption. Attestation is based on the [NitroTPM], which is a vTPM managed by the Nitro hypervisor. Hence, the hypervisor is currently part of Constellation's TCB.
+AWS currently doesn't offer CVMs. AWS proprietary Nitro Enclaves offer some related features but [are explicitly not designed to keep AWS itself out](https://aws.amazon.com/blogs/security/confidential-computing-an-aws-perspective/). Besides, they aren't suitable for running entire Kubernetes nodes inside them. Therefore, Constellation uses regular EC2 instances on AWS [Nitro](https://aws.amazon.com/ec2/nitro/) without runtime encryption. Attestation is based on the [NitroTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html), which is a vTPM managed by the Nitro hypervisor. Hence, the hypervisor is currently part of Constellation's TCB.
 ## OpenStack
--- a/docs/docs/overview/product.md
+++ b/docs/docs/overview/product.md
@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet
 From an operational perspective, Constellation provides the following key features:
-* **Native support for different clouds**: Constellation works on Microsoft Azure and Google Cloud Platform (GCP). Support for Amazon Web Services (AWS) and OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
+* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
 * **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
 * **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.
--- a/docs/docs/workflows/create.md
+++ b/docs/docs/workflows/create.md
@ -64,7 +64,7 @@ constellation create --control-plane-nodes 1 --worker-nodes 2
 For details on the flags, consult the command help via `constellation create -h`.
-*create* stores your cluster's state into a [`terraform.tfstate`](../architecture/orchestration.md#installation-process) file in your current directory.
+*create* stores your cluster's state into a [`terraform.tfstate`](../architecture/orchestration.md#cluster-creation-process) file in your current directory.
 ## The *init* step
--- a/docs/docs/workflows/recovery.md
+++ b/docs/docs/workflows/recovery.md
@ -90,7 +90,7 @@ This means that you have to recover the node manually.
 </tabItem>
 <tabItem value="aws" label="AWS">
-First, open the AWS console to view all Auto Scaling Groups (ASGs) in the region of your Constellation. Select the ASG of the control-plane `<cluster-name>-<UID>-control-plane` and check that enough members are in a *Running* state.
+First, open the AWS console to view all Auto Scaling Groups (ASGs) in the region of your cluster. Select the ASG of the control plane `<cluster-name>-<UID>-control-plane` and check that enough members are in a *Running* state.
 Second, check the boot logs of these *Instances*. In the ASG's *Instance management* view, select each desired instance. In the upper right corner, select **Action > Monitor and troubleshoot > Get system log**.
--- a/docs/docs/workflows/terminate.md
+++ b/docs/docs/workflows/terminate.md
@ -14,6 +14,12 @@ Terminate the cluster by running:
 constellation terminate
 ```
 Or without confirmation (e.g., for automation purposes):
 ```bash
 constellation terminate --yes
 ```
 This deletes all resources created by Constellation in your cloud environment.
 All local files created by the `create` and `init` commands are deleted as well, except for `constellation-mastersecret.json` and the configuration file.
--- a/docs/docs/workflows/trusted-launch.md
+++ b/docs/docs/workflows/trusted-launch.md
@ -14,7 +14,7 @@ Constellation supports trusted launch VMs with instance types `Standard_D*_v4` a
 Azure currently doesn't support [community galleries for trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/share-gallery-community). Thus, you need to manually import the Constellation node image into your cloud subscription.
-The latest image is available at [https://public-edgeless-constellation.s3.us-east-2.amazonaws.com/azure_image_exports/2.0.0](https://public-edgeless-constellation.s3.us-east-2.amazonaws.com/azure_image_exports/2.0.0). Simply adjust the last three digits to download a different version.
+The latest image is available at <https://cdn.confidential.cloud/constellation/images/azure/trusted-launch/v2.2.0/constellation.img>. Simply adjust the version number to download a newer version.
 After you've downloaded the image, create a resource group `constellation-images` in your Azure subscription and import the image.
 You can use a script to do this:
@ -22,21 +22,21 @@ You can use a script to do this:
 ```bash
 wget https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/importAzure.sh
 chmod +x importAzure.sh
-AZURE_IMAGE_VERSION=2.0.0 AZURE_RESOURCE_GROUP_NAME=constellation-images AZURE_IMAGE_FILE=./2.0.0 ./importAzure.sh
+AZURE_IMAGE_VERSION=2.2.0 AZURE_RESOURCE_GROUP_NAME=constellation-images AZURE_IMAGE_FILE=./constellation.img ./importAzure.sh
 ```
 The script creates the following resources:
 1. A new image gallery with the default name `constellation-import`
 2. A new image definition with the default name `constellation`
-3. The actual image with the provided version. In this case `2.0.0`
+3. The actual image with the provided version. In this case `2.2.0`
 Once the import is completed, use the `ID` of the image version in your `constellation-conf.yaml` for the `image` field. Set `confidentialVM` to `false`.
 Fetch the image measurements:
 ```bash
-IMAGE_VERSION=2.0.0
+IMAGE_VERSION=2.2.0
-URL=https://public-edgeless-constellation.s3.us-east-2.amazonaws.com//CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$IMAGE_VERSION/measurements.yaml
+URL=https://public-edgeless-constellation.s3.us-east-2.amazonaws.com//communitygalleries/constellationcvm-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/$IMAGE_VERSION/measurements.yaml
 constellation config fetch-measurements -u$URL -s$URL.sig
 ```
--- a/docs/docs/workflows/verify-cluster.md
+++ b/docs/docs/workflows/verify-cluster.md
@ -15,15 +15,13 @@ This command performs the following steps:
 2. Verify the signature of the measurements. This will use Edgeless Systems' [public key](https://edgeless.systems/es.pub).
 3. Write measurements into configuration file.
-After the command succeeded the configuration file will contain a list of key value pairs (index, hash) under the `measurements` key and a list of indices under `enforcedMeasurements`.
+The configuration file then contains a list of key-value pairs (index, hash) under the `measurements` key and a list of indices under `enforcedMeasurements`.
 Not all keys under `measurements` will have a matching index under `enforcedMeasurements`.
-This is because only a subset of the available measurements can be locally reproduced and verified.
+This is because only a subset of the [available measurements](../architecture/attestation.md#runtime-measurements) can be locally reproduced and verified.
 These non-reproducible values typically measure parts of the boot process that are controlled by the CSP.
 You can find a list with descriptions in the [runtime measurements](../architecture/attestation.md#runtime-measurements) section.
-During attestation, the validating side (CLI or [join service](../architecture/components.md#joinservice)) will compare each [measurement](../architecture/attestation.md##runtime-measurement) reported by the issuing side (first node or joining node) individually.
+During attestation, the validating side (CLI or [join service](../architecture/components.md#joinservice)) compares each measurement reported by the issuing side (first node or joining node) individually.
-For mismatching measurements that are set under the `measurements` key a warning will be emitted.
+For mismatching measurements that are only set under the `measurements` key a warning is emitted.
-For mismatching measurements that are additionally set under `enforcedMeasurements` an error will be emitted and attestation fails.
+For mismatching measurements that are additionally set under `enforcedMeasurements` an error is emitted and attestation fails.
 If attestation fails, the new node can't join the cluster.
 ## The *verify* command
@ -49,7 +47,7 @@ Once the above properties are verified, you know that you are talking to the rig
 The `verify` command also allows you to verify any Constellation deployment that you have network access to. For this you need the following:
-* The IP address of a running Constellation cluster's [VerificationService](../architecture/components.md#verification-service). The `VerificationService` is exposed via a `NodePort` service using the external IP address of your cluster. Run `kubectl get nodes -o wide` and look for `EXTERNAL-IP`.
+* The IP address of a running Constellation cluster's [VerificationService](../architecture/components.md#verificationservice). The `VerificationService` is exposed via a `NodePort` service using the external IP address of your cluster. Run `kubectl get nodes -o wide` and look for `EXTERNAL-IP`.
 * The cluster's *clusterID*. See [cluster identity](../architecture/keys.md#cluster-identity) for more details.
 For example: