docs: few fixes and rewording

2024-10-01 01:36:09 -04:00 · 2022-12-12 13:55:55 +01:00 · 2022-12-12 13:55:55 +01:00 · 5ecf945226
commit 5ecf945226
parent dd4fc0d869
10 changed files with 36 additions and 32 deletions
--- a/docs/docs/architecture/encrypted-storage.md
+++ b/docs/docs/architecture/encrypted-storage.md
@ -26,7 +26,7 @@ Constellation provides CSI drivers for storage solutions in all major clouds wit
 Block storage provisioned by the CSP is [mapped](https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html) using the [dm-crypt](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html), and optionally the [dm-integrity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html), kernel modules, before it's formatted and accessed by the Kubernetes workloads.
 All cryptographic operations happen inside the trusted environment of the confidential Constellation node.

-Please note that for integrity-protected disks, [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) isn't supported.
+Note that for integrity-protected disks, [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) isn't supported.

 By default the driver uses data encryption keys (DEKs) issued by the Constellation [*KMS*](components.md#kms).
 The DEKs are in turn derived from the Constellation's key encryption key (KEK), which is directly derived from the [master secret](keys.md#master-secret).
@ -34,7 +34,7 @@ This is the recommended mode of operation, and also requires the least amount of

 Alternatively, the driver can be configured to use a key management system to store and access KEKs and DEKs.

-Please refer to [keys and cryptography](keys.md) for more details on key management in Constellation.
+Refer to [keys and cryptography](keys.md) for more details on key management in Constellation.

 Once deployed and configured, the CSI driver ensures transparent encryption and integrity of all persistent volumes provisioned via its storage class.
 Data at rest is secured without any additional actions required by the developer.
--- a/docs/docs/architecture/keys.md
+++ b/docs/docs/architecture/keys.md
@ -8,7 +8,7 @@ The following gives an overview of the architecture and explains the technical d
 ## Confidential VMs

 Confidential VM (CVM) technology comes with hardware and software components for memory encryption, isolation, and remote attestation.
-For details on the implementations and cryptographic soundness please refer to the hardware vendors' documentation and advisories.
+For details on the implementations and cryptographic soundness, refer to the hardware vendors' documentation and advisories.

 ## Master secret

--- a/docs/docs/workflows/cert-manager.md
+++ b/docs/docs/workflows/cert-manager.md
@ -0,0 +1,13 @@
+# Install cert-manager
+
+:::caution
+If you want to use cert-manager with Constellation, pay attention to the following to avoid potential pitfalls.
+:::
+
+Constellation ships with cert-manager preinstalled.
+The default installation is part of the `kube-system` namespace, as all other Constellation-managed components.
+You are free to install more instances of cert-manager into other namespaces.
+However, be aware that any new installation needs to use the same version as the one installed with Constellation or rely on the same CRD versions.
+Also remember to set the `installCRDs` value to `false` when installing new cert-manager instances.
+It will create problems if you have two installations of cert-manager depending on different versions of the installed CRDs.
+CRDs are cluster-wide resources and cert-manager depends on specific versions of those CRDs for each release.
--- a/docs/docs/workflows/config.md
+++ b/docs/docs/workflows/config.md
@ -72,10 +72,10 @@ constellation iam create azure --region=westus --resourceGroup=constellTest --se
 This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`.

 Note that CVMs are currently only supported in a few regions, check [Azure's products available by region](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines&regions=all). These are:
-  * `westus`
-  * `eastus`
-  * `northeurope`
-  * `westeurope`
+* `westus`
+* `eastus`
+* `northeurope`
+* `westeurope`

 Paste the output into the corresponding fields of the `constellation-conf.yaml` file.

@ -110,9 +110,9 @@ constellation iam create aws --zone=eu-central-1a --prefix=constellTest
 This command creates IAM configuration for the AWS zone `eu-central-1a` using the prefix `constellTest` for all named resources being created.

 Constellation OS images are currently replicated to the following regions:
-    * `eu-central-1`
-    * `us-east-2`
-    * `ap-south-1`
+* `eu-central-1`
+* `us-east-2`
+* `ap-south-1`

 If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x).

--- a/docs/docs/workflows/installing-cert-manager.md
+++ b/docs/docs/workflows/installing-cert-manager.md
@ -1,12 +0,0 @@
-# Installing cert-manager
-:::caution
-Please read this section before installing cert-manager.
-:::
-Constellation ships with cert-manager preinstalled.
-The default installation is part of the `kube-system` namespace, as all other Constellation-managed components.
-You are free to install more instances of `cert-manager` into other namespaces.
-However, please be aware that any new installation need to use the same version as the one installed with Constellation.
-Or rely on the same CRD versions as Constellation's installation.
-Also remember to set the `installCRDs` value to `false` when installing new `cert-manager` instances.
-It will create problems if you have two installations of cert-manager depending on different versions of the installed CRDs.
-CRDs are cluster-wide resources and `cert-manager` depends on specific versions of those CRDs for each release.
--- a/docs/sidebars.js
+++ b/docs/sidebars.js
@ -145,8 +145,8 @@ const sidebars = {
        },
        {
          type: 'doc',
-          label: 'Installing cert-manager',
-          id: 'workflows/installing-cert-manager',
+          label: 'Install cert-manager',
+          id: 'workflows/cert-manager',
        },
        {
          type: 'doc',
--- a/docs/styles/Vocab/constellation/accept.txt
+++ b/docs/styles/Vocab/constellation/accept.txt
@ -3,6 +3,8 @@ agent
 auditable
 autoscaler
 [Aa]utoscaling
+AWS
+aws
 backend
 benchmarked
 [Bb]ootloader
@ -18,6 +20,8 @@ Filestore
 Fulcio
 Mbps
 Gbps
+GCP
+gcp
 Grype
 iam
 IAM
--- a/docs/versioned_docs/version-2.2/architecture/encrypted-storage.md
+++ b/docs/versioned_docs/version-2.2/architecture/encrypted-storage.md
@ -26,7 +26,7 @@ Constellation provides CSI drivers for storage solutions in all major clouds wit
 Block storage provisioned by the CSP is [mapped](https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html) using the [dm-crypt](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html), and optionally the [dm-integrity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html), kernel modules, before it's formatted and accessed by the Kubernetes workloads.
 All cryptographic operations happen inside the trusted environment of the confidential Constellation node.

-Please note that for integrity-protected disks, [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) isn't supported.
+Note that for integrity-protected disks, [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) isn't supported.

 By default the driver uses data encryption keys (DEKs) issued by the Constellation [*KMS*](components.md#kms).
 The DEKs are in turn derived from the Constellation's key encryption key (KEK), which is directly derived from the [master secret](keys.md#master-secret).
@ -34,7 +34,7 @@ This is the recommended mode of operation, and also requires the least amount of

 Alternatively, the driver can be configured to use a key management system to store and access KEKs and DEKs.

-Please refer to [keys and cryptography](keys.md) for more details on key management in Constellation.
+Refer to [keys and cryptography](keys.md) for more details on key management in Constellation.

 Once deployed and configured, the CSI driver ensures transparent encryption and integrity of all persistent volumes provisioned via its storage class.
 Data at rest is secured without any additional actions required by the developer.
--- a/docs/versioned_docs/version-2.2/architecture/keys.md
+++ b/docs/versioned_docs/version-2.2/architecture/keys.md
@ -8,7 +8,7 @@ The following gives an overview of the architecture and explains the technical d
 ## Confidential VMs

 Confidential VM (CVM) technology comes with hardware and software components for memory encryption, isolation, and remote attestation.
-For details on the implementations and cryptographic soundness please refer to the hardware vendors' documentation and advisories.
+For details on the implementations and cryptographic soundness, refer to the hardware vendors' documentation and advisories.

 ## Master secret

--- a/docs/versioned_docs/version-2.2/getting-started/first-steps-local.md
+++ b/docs/versioned_docs/version-2.2/getting-started/first-steps-local.md
@ -4,19 +4,18 @@
 With the `constellation mini` command, you can deploy and test Constellation locally without a cloud subscription. This mode is called MiniConstellation. Conceptually, MiniConstellation is similar to [MicroK8s](https://microk8s.io/), [K3s](https://k3s.io/), and [minikube](https://minikube.sigs.k8s.io/docs/).
 <!-- vale on -->

-MiniConstellation uses virtualization to create a local cluster with one control-plane node and one worker node. 
+MiniConstellation uses virtualization to create a local cluster with one control-plane node and one worker node. It **doesn't** require hardware with Confidential VM (CVM) support. For attestation, MiniConstellation currently uses a software-based vTPM provided by KVM/QEMU.

-:::info
+:::caution

-MiniConstellation **doesn't** require hardware with Confidential VM (CVM) support. 
-For attestation, MiniConstellation currently uses the software-based vTPM provided by KVM/QEMU.
+MiniConstellation has specific soft- and hardware requirements such as a Linux OS running on an x86-64 CPU. Pay attention to all [prerequisites](#prerequisites) when setting up.

 :::

 :::note

 Since MiniConstellation runs on your local system, cloud features such as load balancing,
-attaching persistent storage, or autoscaling aren't available. 
+attaching persistent storage, or autoscaling aren't available.

 :::