mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
docs: few fixes and rewording
parent dd4fc0d869
commit 5ecf945226
@ -26,7 +26,7 @@ Constellation provides CSI drivers for storage solutions in all major clouds wit
Block storage provisioned by the CSP is [mapped](https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html) using the [dm-crypt](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-crypt.html), and optionally the [dm-integrity](https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html), kernel modules, before it's formatted and accessed by the Kubernetes workloads.
All cryptographic operations happen inside the trusted environment of the confidential Constellation node.

Please note that for integrity-protected disks, [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) isn't supported.
Note that for integrity-protected disks, [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) isn't supported.

By default the driver uses data encryption keys (DEKs) issued by the Constellation [*KMS*](components.md#kms).
The DEKs are in turn derived from the Constellation's key encryption key (KEK), which is directly derived from the [master secret](keys.md#master-secret).
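Review bot: the unchanged context line right after the reworded sentence, "The DEKs are in turn derived from the Constellation's key encryption key (KEK)", still carries a stray article in front of the product name; since this commit is a rewording pass, change it to "derived from Constellation's key encryption key (KEK)" and add the missing comma in "By default, the driver uses" on the line above it.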
@ -34,7 +34,7 @@ This is the recommended mode of operation, and also requires the least amount of

Alternatively, the driver can be configured to use a key management system to store and access KEKs and DEKs.

Please refer to [keys and cryptography](keys.md) for more details on key management in Constellation.
Refer to [keys and cryptography](keys.md) for more details on key management in Constellation.

Once deployed and configured, the CSI driver ensures transparent encryption and integrity of all persistent volumes provisioned via its storage class.
Data at rest is secured without any additional actions required by the developer.
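Review bot: the context line "Alternatively, the driver can be configured to use a key management system to store and access KEKs and DEKs" is the one sentence in this hunk where a reader needs to know how to do that, and it links nowhere; since the next sentence already points at keys.md, link this sentence to the section of keys.md that describes the external key management option (or name the config option there) so the alternative mode is discoverable from this page.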
@ -8,7 +8,7 @@ The following gives an overview of the architecture and explains the technical d
## Confidential VMs

Confidential VM (CVM) technology comes with hardware and software components for memory encryption, isolation, and remote attestation.
For details on the implementations and cryptographic soundness please refer to the hardware vendors' documentation and advisories.
For details on the implementations and cryptographic soundness, refer to the hardware vendors' documentation and advisories.

## Master secret
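Review bot: the reworded sentence "For details on the implementations and cryptographic soundness, refer to the hardware vendors' documentation and advisories" still leaves "the hardware vendors" unspecified and unlinked; a reader of this overview can't tell which vendors' CVM technology the deployment relies on or where their advisories live, so either link the vendor documentation here or point at the section of the docs that lists the supported CVM types.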
docs/docs/workflows/cert-manager.md (new file, 13 lines)
@ -0,0 +1,13 @@
# Install cert-manager

:::caution
If you want to use cert-manager with Constellation, pay attention to the following to avoid potential pitfalls.
:::

Constellation ships with cert-manager preinstalled.
The default installation is part of the `kube-system` namespace, as all other Constellation-managed components.
You are free to install more instances of cert-manager into other namespaces.
However, be aware that any new installation needs to use the same version as the one installed with Constellation or rely on the same CRD versions.
Also remember to set the `installCRDs` value to `false` when installing new cert-manager instances.
It will create problems if you have two installations of cert-manager depending on different versions of the installed CRDs.
CRDs are cluster-wide resources and cert-manager depends on specific versions of those CRDs for each release.
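Review bot: the new page gives the instruction before the reason and never says what goes wrong: "Also remember to set the `installCRDs` value to `false`" comes two sentences before "CRDs are cluster-wide resources and cert-manager depends on specific versions of those CRDs for each release", and "It will create problems" is left vague. Suggest moving the CRD explanation up and stating the consequence concretely, e.g. "A second cert-manager installation with `installCRDs` left enabled installs its own version of the cluster-wide CRDs, which the Constellation-managed instance in `kube-system` depends on." Also change "as all other Constellation-managed components" to "like all other Constellation-managed components".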
@ -72,10 +72,10 @@ constellation iam create azure --region=westus --resourceGroup=constellTest --se
This command creates IAM configuration on the Azure region `westus` creating a new resource group `constellTest` and a new service principal `spTest`.

Note that CVMs are currently only supported in a few regions, check [Azure's products available by region](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=virtual-machines®ions=all). These are:
* `westus`
* `eastus`
* `northeurope`
* `westeurope`
* `westus`
* `eastus`
* `northeurope`
* `westeurope`

Paste the output into the corresponding fields of the `constellation-conf.yaml` file.
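Review bot: the four region lines appear twice with identical text in this rendering, so whatever changed in the list (list marker or whitespace) isn't visible; the commit message should say what was changed so reviewers don't have to diff bytes. In the context line "Note that CVMs are currently only supported in a few regions, check [Azure's products available by region](...)" the comma splice should be "regions; see [...]", and the link's query string shows up here as "®ions=all" because lenient HTML parsers read `&reg` as the ® entity; check the published page and, if it's affected, write the `&` as `&amp;` or reorder the query parameters so the link survives rendering.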
@ -110,9 +110,9 @@ constellation iam create aws --zone=eu-central-1a --prefix=constellTest
This command creates IAM configuration for the AWS zone `eu-central-1a` using the prefix `constellTest` for all named resources being created.

Constellation OS images are currently replicated to the following regions:
* `eu-central-1`
* `us-east-2`
* `ap-south-1`
* `eu-central-1`
* `us-east-2`
* `ap-south-1`

If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x).
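Review bot: as in the Azure hunk, the three region lines show no visible difference in this rendering, so this is a whitespace or list-marker change that the commit message "docs: few fixes and rewording" doesn't mention; state the formatting change explicitly. The context line "using the prefix `constellTest` for all named resources being created" reads better as "for all resources it creates".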
@ -1,12 +0,0 @@
# Installing cert-manager
:::caution
Please read this section before installing cert-manager.
:::
Constellation ships with cert-manager preinstalled.
The default installation is part of the `kube-system` namespace, as all other Constellation-managed components.
You are free to install more instances of `cert-manager` into other namespaces.
However, please be aware that any new installation need to use the same version as the one installed with Constellation.
Or rely on the same CRD versions as Constellation's installation.
Also remember to set the `installCRDs` value to `false` when installing new `cert-manager` instances.
It will create problems if you have two installations of cert-manager depending on different versions of the installed CRDs.
CRDs are cluster-wide resources and `cert-manager` depends on specific versions of those CRDs for each release.
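Review bot: this deletes the old "Installing cert-manager" page (id `workflows/installing-cert-manager` per the sidebars change) and adds `docs/docs/workflows/cert-manager.md` as a new file instead of renaming it, so the page loses its git history and the actual text edits are not reviewable as a diff: fixing "any new installation need to use" and folding the dangling fragment "Or rely on the same CRD versions as Constellation's installation." into the preceding sentence, and dropping the backticks around cert-manager. Rename the file (git mv) and commit the content changes on top so the wording diff is visible.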
@ -145,8 +145,8 @@ const sidebars = {
},
{
type: 'doc',
label: 'Installing cert-manager',
id: 'workflows/installing-cert-manager',
label: 'Install cert-manager',
id: 'workflows/cert-manager',
},
{
type: 'doc',
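Review bot: changing the doc id from 'workflows/installing-cert-manager' to 'workflows/cert-manager' changes the page URL, so every existing link to the old path (other docs pages, bookmarks, search engine results) will 404 unless a redirect is added. Grep the docs for "installing-cert-manager" before merging and add a client-side redirect for the old path; Docusaurus supports this via @docusaurus/plugin-client-redirects.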
@ -3,6 +3,8 @@ agent
auditable
autoscaler
[Aa]utoscaling
AWS
aws
backend
benchmarked
[Bb]ootloader
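Review bot: adding lowercase "aws" to the accepted vocabulary means Vale will no longer flag "aws" typed in prose where "AWS" is meant. If the lowercase form only occurs inside code spans such as `constellation iam create aws`, Vale's Markdown scoping normally ignores those already and the entry is unnecessary; if it's needed for one specific prose occurrence, prefer fixing that occurrence over whitelisting the lowercase spelling globally.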
@ -18,6 +20,8 @@ Filestore
Fulcio
Mbps
Gbps
GCP
gcp
Grype
iam
IAM
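Review bot: the same consideration applies to the lowercase "gcp" entry as to "aws" in the previous hunk; whitelisting it hides the misspelling in prose. Separately, the context lines ("Mbps" before "Gbps", "iam" before "IAM") show this list isn't sorted, which makes duplicates hard to spot as it grows; a case-insensitive sort in a follow-up would help.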
@ -4,19 +4,18 @@
With the `constellation mini` command, you can deploy and test Constellation locally without a cloud subscription. This mode is called MiniConstellation. Conceptually, MiniConstellation is similar to [MicroK8s](https://microk8s.io/), [K3s](https://k3s.io/), and [minikube](https://minikube.sigs.k8s.io/docs/).
<!-- vale on -->

MiniConstellation uses virtualization to create a local cluster with one control-plane node and one worker node.
MiniConstellation uses virtualization to create a local cluster with one control-plane node and one worker node. It **doesn't** require hardware with Confidential VM (CVM) support. For attestation, MiniConstellation currently uses a software-based vTPM provided by KVM/QEMU.

:::info
:::caution

MiniConstellation **doesn't** require hardware with Confidential VM (CVM) support.
For attestation, MiniConstellation currently uses the software-based vTPM provided by KVM/QEMU.
MiniConstellation has specific soft- and hardware requirements such as a Linux OS running on an x86-64 CPU. Pay attention to all [prerequisites](#prerequisites) when setting up.

:::

:::note

Since MiniConstellation runs on your local system, cloud features such as load balancing,
attaching persistent storage, or autoscaling aren't available.
attaching persistent storage, or autoscaling aren't available.

:::
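Review bot: moving "For attestation, MiniConstellation currently uses a software-based vTPM provided by KVM/QEMU" out of the admonition and into the intro paragraph turns a caveat into a neutral feature statement; the security consequence should sit right next to it: a hypervisor-provided software vTPM means the measurements aren't rooted in hardware, so a MiniConstellation cluster gives none of the confidentiality or attestation guarantees of a CVM-backed deployment and is for local development and testing only. Two smaller points in the same hunk: "soft- and hardware requirements" in the new caution reads better as "software and hardware requirements", and the two "attaching persistent storage, or autoscaling aren't available." lines are identical in this rendering, so that change is whitespace only and worth a mention in the commit message.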