docs: misc fixes and rewording

README.md

@@ -56,7 +56,7 @@ Encrypting your K8s is good for:
 <a href="https://landscape.cncf.io/?selected=constellation"><img src="https://raw.githubusercontent.com/cncf/artwork/1c1a10d9cc7de24235e07c8831923874331ef233/projects/kubernetes/certified-kubernetes/versionless/color/certified-kubernetes-color.svg" align="right" width="100px"></a>
 
 * Constellation is a [CNCF-certified][certified] Kubernetes. It's aligned to Kubernetes' [version support policy][k8s-version-support] and will likely work with your existing workloads and tools.
-* Support for Azure and GCP (more to come).
+* Support for Azure, GCP, and AWS.
 * Support for local installations with [MiniConstellation][first-steps-local].
 
 ## Getting started

docs/docs/architecture/attestation.md

@@ -218,8 +218,8 @@ The last missing link is how the ground truth in the form of runtime measurement
 The build process of Constellation images also creates the ground truth runtime measurements. <!-- soon: The builds of Constellation images are reproducible and the measurements of an image can be recalculated and verified by everyone. -->
 With every release, Edgeless Systems publishes signed runtime measurements.
 
-The release binary is also signed by Edgeless Systems.
-The [installation guide](../architecture/orchestration.md#verify-your-cli-installation) explains how you can verify this signature.
+The CLI executable is also signed by Edgeless Systems.
+You can [verify its signature](../workflows/verify-cli.md).
 
 The CLI contains the public key required to verify signed runtime measurements from Edgeless Systems.
 When a cluster is [created](../workflows/create.md) or [upgraded](../workflows/upgrade.md), the CLI automatically verifies the measurements for the selected image.

docs/docs/getting-started/first-steps.md

@@ -318,15 +318,13 @@ This action is irreversible and ALL DATA WILL BE LOST.
 Do you want to continue? [y/n]:
 ```
 
-After confirming with either `y` or `yes`, the cluster will be terminated :
+Confirm with `y` to terminate the cluster:
 
 ```shell-session
 Terminating ...
 Your Constellation cluster was terminated successfully.
 ```
 
-For automation purposes, you can skip the prompt by passing `--yes` as a flag to `constellation terminate`.
-
 :::tip
 
 On Azure, if you have used the `az` script, you can keep the prerequisite resources and reuse them for a new cluster.

docs/docs/overview/clouds.md

@@ -32,7 +32,7 @@ The [CVMs available in GCP](https://cloud.google.com/compute/confidential-vm/doc
 
 ## Amazon Web Services (AWS)
 
-AWS currently doesn't offer CVMs. AWS proprietary Nitro Enclaves offer some related features but [are explicitly not designed to keep AWS itself out](https://aws.amazon.com/blogs/security/confidential-computing-an-aws-perspective/). Besides, they aren't suitable for running entire Kubernetes nodes inside them. Therefore, Constellation uses regular EC2 instances on AWS [Nitro](https://aws.amazon.com/ec2/nitro/) without runtime encryption. Attestation is based on the [NitroTPM], which is a vTPM managed by the Nitro hypervisor. Hence, the hypervisor is currently part of Constellation's TCB.
+AWS currently doesn't offer CVMs. AWS proprietary Nitro Enclaves offer some related features but [are explicitly not designed to keep AWS itself out](https://aws.amazon.com/blogs/security/confidential-computing-an-aws-perspective/). Besides, they aren't suitable for running entire Kubernetes nodes inside them. Therefore, Constellation uses regular EC2 instances on AWS [Nitro](https://aws.amazon.com/ec2/nitro/) without runtime encryption. Attestation is based on the [NitroTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html), which is a vTPM managed by the Nitro hypervisor. Hence, the hypervisor is currently part of Constellation's TCB.
 
 ## OpenStack
 

docs/docs/overview/product.md

@@ -6,6 +6,6 @@ From a security perspective, Constellation implements the [Confidential Kubernet
 
 From an operational perspective, Constellation provides the following key features:
 
-* **Native support for different clouds**: Constellation works on Microsoft Azure and Google Cloud Platform (GCP). Support for Amazon Web Services (AWS) and OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
+* **Native support for different clouds**: Constellation works on Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Support for OpenStack-based environments is coming with a future release. Constellation securely interfaces with the cloud infrastructure to provide [cluster autoscaling](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler), [dynamic persistent volumes](https://kubernetes.io/docs/concepts/storage/dynamic-provisioning/), and [service load balancing](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer).
 * **High availability**: Constellation uses a [multi-master architecture](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) with a [stacked etcd topology](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/ha-topology/#stacked-etcd-topology) to ensure high availability.
 * **Integrated Day-2 operations**: Constellation lets you securely [upgrade](../workflows/upgrade.md) your cluster to a new release. It also lets you securely [recover](../workflows/recovery.md) a failed cluster. Both with a single command.

docs/docs/workflows/create.md

@@ -64,7 +64,7 @@ constellation create --control-plane-nodes 1 --worker-nodes 2
 
 For details on the flags, consult the command help via `constellation create -h`.
 
-*create* stores your cluster's state into a [`terraform.tfstate`](../architecture/orchestration.md#installation-process) file in your current directory.
+*create* stores your cluster's state into a [`terraform.tfstate`](../architecture/orchestration.md#cluster-creation-process) file in your current directory.
 
 ## The *init* step
 

docs/docs/workflows/recovery.md

@@ -90,7 +90,7 @@ This means that you have to recover the node manually.
 </tabItem>
 <tabItem value="aws" label="AWS">
 
-First, open the AWS console to view all Auto Scaling Groups (ASGs) in the region of your Constellation. Select the ASG of the control-plane `<cluster-name>-<UID>-control-plane` and check that enough members are in a *Running* state.
+First, open the AWS console to view all Auto Scaling Groups (ASGs) in the region of your cluster. Select the ASG of the control plane `<cluster-name>-<UID>-control-plane` and check that enough members are in a *Running* state.
 
 Second, check the boot logs of these *Instances*. In the ASG's *Instance management* view, select each desired instance. In the upper right corner, select **Action > Monitor and troubleshoot > Get system log**.
 

docs/docs/workflows/terminate.md

@@ -14,6 +14,12 @@ Terminate the cluster by running:
 constellation terminate
 ```
 
+Or without confirmation (e.g., for automation purposes):
+
+```bash
+constellation terminate --yes
+```
+
 This deletes all resources created by Constellation in your cloud environment.
 All local files created by the `create` and `init` commands are deleted as well, except for `constellation-mastersecret.json` and the configuration file.
 

docs/docs/workflows/trusted-launch.md

@@ -14,7 +14,7 @@ Constellation supports trusted launch VMs with instance types `Standard_D*_v4` a
 
 Azure currently doesn't support [community galleries for trusted launch VMs](https://docs.microsoft.com/en-us/azure/virtual-machines/share-gallery-community). Thus, you need to manually import the Constellation node image into your cloud subscription.
 
-The latest image is available at [https://public-edgeless-constellation.s3.us-east-2.amazonaws.com/azure_image_exports/2.0.0](https://public-edgeless-constellation.s3.us-east-2.amazonaws.com/azure_image_exports/2.0.0). Simply adjust the last three digits to download a different version.
+The latest image is available at <https://cdn.confidential.cloud/constellation/images/azure/trusted-launch/v2.2.0/constellation.img>. Simply adjust the version number to download a newer version.
 
 After you've downloaded the image, create a resource group `constellation-images` in your Azure subscription and import the image.
 You can use a script to do this:
@@ -22,21 +22,21 @@ You can use a script to do this:
 ```bash
 wget https://raw.githubusercontent.com/edgelesssys/constellation/main/hack/importAzure.sh
 chmod +x importAzure.sh
-AZURE_IMAGE_VERSION=2.0.0 AZURE_RESOURCE_GROUP_NAME=constellation-images AZURE_IMAGE_FILE=./2.0.0 ./importAzure.sh
+AZURE_IMAGE_VERSION=2.2.0 AZURE_RESOURCE_GROUP_NAME=constellation-images AZURE_IMAGE_FILE=./constellation.img ./importAzure.sh
 ```
 
 The script creates the following resources:
 1. A new image gallery with the default name `constellation-import`
 2. A new image definition with the default name `constellation`
-3. The actual image with the provided version. In this case `2.0.0`
+3. The actual image with the provided version. In this case `2.2.0`
 
 Once the import is completed, use the `ID` of the image version in your `constellation-conf.yaml` for the `image` field. Set `confidentialVM` to `false`.
 
 Fetch the image measurements:
 
 ```bash
-IMAGE_VERSION=2.0.0
-URL=https://public-edgeless-constellation.s3.us-east-2.amazonaws.com//CommunityGalleries/ConstellationCVM-b3782fa0-0df7-4f2f-963e-fc7fc42663df/Images/constellation/Versions/$IMAGE_VERSION/measurements.yaml
+IMAGE_VERSION=2.2.0
+URL=https://public-edgeless-constellation.s3.us-east-2.amazonaws.com//communitygalleries/constellationcvm-b3782fa0-0df7-4f2f-963e-fc7fc42663df/images/constellation/versions/$IMAGE_VERSION/measurements.yaml
 constellation config fetch-measurements -u$URL -s$URL.sig
 ```
 

docs/docs/workflows/verify-cluster.md

@@ -15,15 +15,13 @@ This command performs the following steps:
 2. Verify the signature of the measurements. This will use Edgeless Systems' [public key](https://edgeless.systems/es.pub).
 3. Write measurements into configuration file.
 
-After the command succeeded the configuration file will contain a list of key value pairs (index, hash) under the `measurements` key and a list of indices under `enforcedMeasurements`.
+The configuration file then contains a list of key-value pairs (index, hash) under the `measurements` key and a list of indices under `enforcedMeasurements`.
 Not all keys under `measurements` will have a matching index under `enforcedMeasurements`.
-This is because only a subset of the available measurements can be locally reproduced and verified.
-These non-reproducible values typically measure parts of the boot process that are controlled by the CSP.
-You can find a list with descriptions in the [runtime measurements](../architecture/attestation.md#runtime-measurements) section.
+This is because only a subset of the [available measurements](../architecture/attestation.md#runtime-measurements) can be locally reproduced and verified.
 
-During attestation, the validating side (CLI or [join service](../architecture/components.md#joinservice)) will compare each [measurement](../architecture/attestation.md##runtime-measurement) reported by the issuing side (first node or joining node) individually.
-For mismatching measurements that are set under the `measurements` key a warning will be emitted.
-For mismatching measurements that are additionally set under `enforcedMeasurements` an error will be emitted and attestation fails.
+During attestation, the validating side (CLI or [join service](../architecture/components.md#joinservice)) compares each measurement reported by the issuing side (first node or joining node) individually.
+For mismatching measurements that are only set under the `measurements` key a warning is emitted.
+For mismatching measurements that are additionally set under `enforcedMeasurements` an error is emitted and attestation fails.
 If attestation fails, the new node can't join the cluster.
 
 ## The *verify* command
@@ -49,7 +47,7 @@ Once the above properties are verified, you know that you are talking to the rig
 
 The `verify` command also allows you to verify any Constellation deployment that you have network access to. For this you need the following:
 
-* The IP address of a running Constellation cluster's [VerificationService](../architecture/components.md#verification-service). The `VerificationService` is exposed via a `NodePort` service using the external IP address of your cluster. Run `kubectl get nodes -o wide` and look for `EXTERNAL-IP`.
+* The IP address of a running Constellation cluster's [VerificationService](../architecture/components.md#verificationservice). The `VerificationService` is exposed via a `NodePort` service using the external IP address of your cluster. Run `kubectl get nodes -o wide` and look for `EXTERNAL-IP`.
 * The cluster's *clusterID*. See [cluster identity](../architecture/keys.md#cluster-identity) for more details.
 
 For example: