From 7e50f871bf84a148c401d4b4fc24c34bc5db5d3e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?= <66256922+daniel-weisse@users.noreply.github.com> Date: Fri, 9 Dec 2022 08:48:33 +0100 Subject: [PATCH] Update CSI installation instructions in versioned docs (#741) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Daniel Weiße --- .../version-2.0/workflows/storage.md | 113 ++++++------------ .../version-2.1/workflows/storage.md | 113 ++++++------------ .../version-2.2/workflows/storage.md | 113 ++++++------------ 3 files changed, 117 insertions(+), 222 deletions(-) diff --git a/docs/versioned_docs/version-2.0/workflows/storage.md b/docs/versioned_docs/version-2.0/workflows/storage.md index b961f894b..958c73261 100644 --- a/docs/versioned_docs/version-2.0/workflows/storage.md +++ b/docs/versioned_docs/version-2.0/workflows/storage.md 
@@ -48,66 +48,22 @@ The following installation guide gives an overview of how to securely use CSI-ba -1. Install the CSI driver: - - ```bash - helm install azuredisk-csi-driver https://raw.githubusercontent.com/edgelesssys/constellation-azuredisk-csi-driver/main/charts/edgeless/latest/azuredisk-csi-driver.tgz \ - --namespace kube-system \ - --set linux.distro=fedora \ - --set controller.replicas=1 - ``` - -2. Create a [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/) for your driver - - A storage class configures the driver responsible for provisioning storage for persistent volume claims. - A storage class only needs to be created once and can then be used by multiple volumes. - The following snippet creates a simple storage class using [Standard SSDs](https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) as the backing storage device when the first Pod claiming the volume is created. +1. Install the driver: ```bash - cat < -1. Install the CSI driver: - - ```bash - kubectl apply -k github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver/deploy/kubernetes/overlays/edgeless/latest - ``` - -2. Create a [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/) for your driver - - A storage class configures the driver responsible for provisioning storage for persistent volume claims. - A storage class only needs to be created once and can then be used by multiple volumes. - The following snippet creates a simple storage class using [balanced persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) as the backing storage device when the first Pod claiming the volume is created. +1. Install the driver: ```bash - cat < 
@@ -115,15 +71,21 @@ The following installation guide gives an overview of how to securely use CSI-ba :::info -By default, integrity protection is disabled for performance reasons. If you want to enable integrity protection, add `csi.storage.k8s.io/fstype: ext4-integrity` to `parameters`. Alternatively, you can use another filesystem by specifying another file system type with the suffix `-integrity`. Note that volume expansion isn't supported for integrity-protected disks. +The default storage class installed by the driver is set to `encrypted-rwo` for performance reasons. +If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. + +Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. +Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. + +Note that volume expansion isn't supported for integrity-protected disks. ::: -3. Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) +2. Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) A [persistent volume claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) is a request for storage with certain properties. It can refer to a storage class. - The following creates a persistent volume claim, requesting 20 GB of storage via the previously created storage class: + The following creates a persistent volume claim, requesting 20 GB of storage via the `encrypted-rwo` storage class: ```bash cat < 
@@ -185,9 +150,9 @@ The examples above are defined to be automatically set as the default storage cl The output is similar to this: ```shell-session - NAME PROVISIONER AGE - some-storage (default) disk.csi.azure.com 1d - encrypted-storage azuredisk.csi.confidential.cloud 1d + NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE + encrypted-rwo (default) azuredisk.csi.confidential.cloud Delete Immediate true 1d + integrity-encrypted-rwo azuredisk.csi.confidential.cloud Delete Immediate false 1d ``` The default storage class is marked by `(default)`. @@ -197,13 +162,13 @@ The examples above are defined to be automatically set as the default storage cl If you previously used another storage class as the default, you will have to remove that annotation: ```bash - kubectl patch storageclass -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' + kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' ``` 3. Mark new class as the default ```bash - kubectl patch storageclass -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' + kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' ``` 4. Verify that your chosen storage class is default: @@ -215,9 +180,9 @@ The examples above are defined to be automatically set as the default storage cl The output is similar to this: ```shell-session - NAME PROVISIONER AGE - some-storage disk.csi.azure.com 1d - encrypted-storage (default) azuredisk.csi.confidential.cloud 1d + NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE + encrypted-rwo azuredisk.csi.confidential.cloud Delete Immediate true 1d + integrity-encrypted-rwo (default) azuredisk.csi.confidential.cloud Delete Immediate false 1d ``` 
@@ -232,9 +197,9 @@ The examples above are defined to be automatically set as the default storage cl The output is similar to this: ```shell-session - NAME PROVISIONER AGE - some-storage (default) pd.csi.storage.gke.io 1d - encrypted-storage gcp.csi.confidential.cloud 1d + NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE + encrypted-rwo (default) gcp.csi.confidential.cloud Delete Immediate true 1d + integrity-encrypted-rwo gcp.csi.confidential.cloud Delete Immediate false 1d ``` The default storage class is marked by `(default)`. @@ -244,13 +209,13 @@ The examples above are defined to be automatically set as the default storage cl If you previously used another storage class as the default, you will have to remove that annotation: ```bash - kubectl patch storageclass -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' + kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' ``` 3. Mark new class as the default ```bash - kubectl patch storageclass -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' + kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' ``` 4. Verify that your chosen storage class is default: @@ -262,9 +227,9 @@ The examples above are defined to be automatically set as the default storage cl The output is similar to this: ```shell-session - NAME PROVISIONER AGE - some-storage pd.csi.storage.gke.io 1d - encrypted-storage (default) gcp.csi.confidential.cloud 1d + NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE + encrypted-rwo gcp.csi.confidential.cloud Delete Immediate true 1d + integrity-encrypted-rwo (default) gcp.csi.confidential.cloud Delete Immediate false 1d ``` 
diff --git a/docs/versioned_docs/version-2.1/workflows/storage.md b/docs/versioned_docs/version-2.1/workflows/storage.md index b961f894b..958c73261 100644 --- a/docs/versioned_docs/version-2.1/workflows/storage.md +++ b/docs/versioned_docs/version-2.1/workflows/storage.md 
@@ -48,66 +48,22 @@ The following installation guide gives an overview of how to securely use CSI-ba -1. Install the CSI driver: - - ```bash - helm install azuredisk-csi-driver https://raw.githubusercontent.com/edgelesssys/constellation-azuredisk-csi-driver/main/charts/edgeless/latest/azuredisk-csi-driver.tgz \ - --namespace kube-system \ - --set linux.distro=fedora \ - --set controller.replicas=1 - ``` - -2. Create a [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/) for your driver - - A storage class configures the driver responsible for provisioning storage for persistent volume claims. - A storage class only needs to be created once and can then be used by multiple volumes. - The following snippet creates a simple storage class using [Standard SSDs](https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) as the backing storage device when the first Pod claiming the volume is created. +1. Install the driver: ```bash - cat < -1. Install the CSI driver: - - ```bash - kubectl apply -k github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver/deploy/kubernetes/overlays/edgeless/latest - ``` - -2. Create a [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/) for your driver - - A storage class configures the driver responsible for provisioning storage for persistent volume claims. - A storage class only needs to be created once and can then be used by multiple volumes. - The following snippet creates a simple storage class using [balanced persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) as the backing storage device when the first Pod claiming the volume is created. +1. Install the driver: ```bash - cat < 
@@ -115,15 +71,21 @@ The following installation guide gives an overview of how to securely use CSI-ba :::info -By default, integrity protection is disabled for performance reasons. If you want to enable integrity protection, add `csi.storage.k8s.io/fstype: ext4-integrity` to `parameters`. Alternatively, you can use another filesystem by specifying another file system type with the suffix `-integrity`. Note that volume expansion isn't supported for integrity-protected disks. +The default storage class installed by the driver is set to `encrypted-rwo` for performance reasons. +If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. + +Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. +Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. + +Note that volume expansion isn't supported for integrity-protected disks. ::: -3. Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) +2. Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) A [persistent volume claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) is a request for storage with certain properties. It can refer to a storage class. - The following creates a persistent volume claim, requesting 20 GB of storage via the previously created storage class: + The following creates a persistent volume claim, requesting 20 GB of storage via the `encrypted-rwo` storage class: ```bash cat < 
@@ -185,9 +150,9 @@ The examples above are defined to be automatically set as the default storage cl The output is similar to this: ```shell-session - NAME PROVISIONER AGE - some-storage (default) disk.csi.azure.com 1d - encrypted-storage azuredisk.csi.confidential.cloud 1d + NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE + encrypted-rwo (default) azuredisk.csi.confidential.cloud Delete Immediate true 1d + integrity-encrypted-rwo azuredisk.csi.confidential.cloud Delete Immediate false 1d ``` The default storage class is marked by `(default)`. @@ -197,13 +162,13 @@ The examples above are defined to be automatically set as the default storage cl If you previously used another storage class as the default, you will have to remove that annotation: ```bash - kubectl patch storageclass -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' + kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' ``` 3. Mark new class as the default ```bash - kubectl patch storageclass -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' + kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' ``` 4. Verify that your chosen storage class is default: @@ -215,9 +180,9 @@ The examples above are defined to be automatically set as the default storage cl The output is similar to this: ```shell-session - NAME PROVISIONER AGE - some-storage disk.csi.azure.com 1d - encrypted-storage (default) azuredisk.csi.confidential.cloud 1d + NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE + encrypted-rwo azuredisk.csi.confidential.cloud Delete Immediate true 1d + integrity-encrypted-rwo (default) azuredisk.csi.confidential.cloud Delete Immediate false 1d ``` 
@@ -232,9 +197,9 @@ The examples above are defined to be automatically set as the default storage cl The output is similar to this: ```shell-session - NAME PROVISIONER AGE - some-storage (default) pd.csi.storage.gke.io 1d - encrypted-storage gcp.csi.confidential.cloud 1d + NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE + encrypted-rwo (default) gcp.csi.confidential.cloud Delete Immediate true 1d + integrity-encrypted-rwo gcp.csi.confidential.cloud Delete Immediate false 1d ``` The default storage class is marked by `(default)`. @@ -244,13 +209,13 @@ The examples above are defined to be automatically set as the default storage cl If you previously used another storage class as the default, you will have to remove that annotation: ```bash - kubectl patch storageclass -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' + kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' ``` 3. Mark new class as the default ```bash - kubectl patch storageclass -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' + kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' ``` 4. Verify that your chosen storage class is default: @@ -262,9 +227,9 @@ The examples above are defined to be automatically set as the default storage cl The output is similar to this: ```shell-session - NAME PROVISIONER AGE - some-storage pd.csi.storage.gke.io 1d - encrypted-storage (default) gcp.csi.confidential.cloud 1d + NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE + encrypted-rwo gcp.csi.confidential.cloud Delete Immediate true 1d + integrity-encrypted-rwo (default) gcp.csi.confidential.cloud Delete Immediate false 1d ``` 
diff --git a/docs/versioned_docs/version-2.2/workflows/storage.md b/docs/versioned_docs/version-2.2/workflows/storage.md index 367fb90b9..878449fa5 100644 --- a/docs/versioned_docs/version-2.2/workflows/storage.md +++ b/docs/versioned_docs/version-2.2/workflows/storage.md 
@@ -59,66 +59,22 @@ The following installation guide gives an overview of how to securely use CSI-ba -1. Install the CSI driver: - - ```bash - helm install azuredisk-csi-driver https://raw.githubusercontent.com/edgelesssys/constellation-azuredisk-csi-driver/main/charts/edgeless/latest/azuredisk-csi-driver.tgz \ - --namespace kube-system \ - --set linux.distro=fedora \ - --set controller.replicas=1 - ``` - -2. Create a [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/) for your driver - - A storage class configures the driver responsible for provisioning storage for persistent volume claims. - A storage class only needs to be created once and can then be used by multiple volumes. - The following snippet creates a simple storage class using [Standard SSDs](https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#standard-ssds) as the backing storage device when the first Pod claiming the volume is created. +1. Install the driver: ```bash - cat < -1. Install the CSI driver: - - ```bash - kubectl apply -k github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver/deploy/kubernetes/overlays/edgeless/latest - ``` - -2. Create a [storage class](https://kubernetes.io/docs/concepts/storage/storage-classes/) for your driver - - A storage class configures the driver responsible for provisioning storage for persistent volume claims. - A storage class only needs to be created once and can then be used by multiple volumes. - The following snippet creates a simple storage class using [balanced persistent disks](https://cloud.google.com/compute/docs/disks#pdspecs) as the backing storage device when the first Pod claiming the volume is created. +1. Install the driver: ```bash - cat < 
@@ -137,15 +93,21 @@ You may use other (non-confidential) CSI drivers that are compatible with Kubern :::info -By default, integrity protection is disabled for performance reasons. If you want to enable integrity protection, add `csi.storage.k8s.io/fstype: ext4-integrity` to `parameters`. Alternatively, you can use another filesystem by specifying another file system type with the suffix `-integrity`. Note that volume expansion isn't supported for integrity-protected disks. +The default storage class installed by the driver is set to `encrypted-rwo` for performance reasons. +If you want integrity-protected storage, set the `storageClassName` parameter of your persistent volume claim to `integrity-encrypted-rwo`. + +Alternatively, you can create your own storage class with integrity protection enabled by adding `csi.storage.k8s.io/fstype: ext4-integrity` to the class `parameters`. +Or use another filesystem by specifying another file system type with the suffix `-integrity`, e.g., `csi.storage.k8s.io/fstype: xfs-integrity`. + +Note that volume expansion isn't supported for integrity-protected disks. ::: -3. Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) +2. Create a [persistent volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) A [persistent volume claim](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims) is a request for storage with certain properties. It can refer to a storage class. - The following creates a persistent volume claim, requesting 20 GB of storage via the previously created storage class: + The following creates a persistent volume claim, requesting 20 GB of storage via the `encrypted-rwo` storage class: ```bash cat < 
@@ -207,9 +172,9 @@ The examples above are defined to be automatically set as the default storage cl The output is similar to this: ```shell-session - NAME PROVISIONER AGE - some-storage (default) disk.csi.azure.com 1d - encrypted-storage azuredisk.csi.confidential.cloud 1d + NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE + encrypted-rwo (default) azuredisk.csi.confidential.cloud Delete Immediate true 1d + integrity-encrypted-rwo azuredisk.csi.confidential.cloud Delete Immediate false 1d ``` The default storage class is marked by `(default)`. @@ -219,13 +184,13 @@ The examples above are defined to be automatically set as the default storage cl If you previously used another storage class as the default, you will have to remove that annotation: ```bash - kubectl patch storageclass -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' + kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' ``` 3. Mark new class as the default ```bash - kubectl patch storageclass -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' + kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' ``` 4. Verify that your chosen storage class is default: @@ -237,9 +202,9 @@ The examples above are defined to be automatically set as the default storage cl The output is similar to this: ```shell-session - NAME PROVISIONER AGE - some-storage disk.csi.azure.com 1d - encrypted-storage (default) azuredisk.csi.confidential.cloud 1d + NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE + encrypted-rwo azuredisk.csi.confidential.cloud Delete Immediate true 1d + integrity-encrypted-rwo (default) azuredisk.csi.confidential.cloud Delete Immediate false 1d ``` 
@@ -254,9 +219,9 @@ The examples above are defined to be automatically set as the default storage cl The output is similar to this: ```shell-session - NAME PROVISIONER AGE - some-storage (default) pd.csi.storage.gke.io 1d - encrypted-storage gcp.csi.confidential.cloud 1d + NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE + encrypted-rwo (default) gcp.csi.confidential.cloud Delete Immediate true 1d + integrity-encrypted-rwo gcp.csi.confidential.cloud Delete Immediate false 1d ``` The default storage class is marked by `(default)`. @@ -266,13 +231,13 @@ The examples above are defined to be automatically set as the default storage cl If you previously used another storage class as the default, you will have to remove that annotation: ```bash - kubectl patch storageclass -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' + kubectl patch storageclass encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' ``` 3. Mark new class as the default ```bash - kubectl patch storageclass -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' + kubectl patch storageclass integrity-encrypted-rwo -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' ``` 4. Verify that your chosen storage class is default: @@ -284,9 +249,9 @@ The examples above are defined to be automatically set as the default storage cl The output is similar to this: ```shell-session - NAME PROVISIONER AGE - some-storage pd.csi.storage.gke.io 1d - encrypted-storage (default) gcp.csi.confidential.cloud 1d + NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE + encrypted-rwo gcp.csi.confidential.cloud Delete Immediate true 1d + integrity-encrypted-rwo (default) gcp.csi.confidential.cloud Delete Immediate false 1d ```
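Review bot: In the install hunks (`@@ -48,66 +48,22 @@` for version-2.0 and version-2.1, `@@ -59,66 +59,22 @@` for version-2.2) the same replacement lands in all three versioned docs (2.0 and 2.1 even end at the identical blob `958c73261`), so the 2.0 and 2.1 pages now describe a driver that ships the `encrypted-rwo` and `integrity-encrypted-rwo` classes. Since the removed command fetched the chart from `main/charts/edgeless/latest` rather than a version-pinned artifact, please confirm that readers of the 2.0 and 2.1 docs actually get a driver that installs those classes, or state in those pages which driver version the instructions require. The removed step 2 also carried the one-paragraph explanation of what a storage class is; the new "Install the driver:" step drops it, so consider keeping a sentence saying that the driver now creates the storage classes for you, since the later steps refer to them by name.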
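Review bot: In the admonition hunks (`@@ -115,15 +71,21 @@` and `@@ -137,15 +93,21 @@`) the text says `encrypted-rwo` is the default "for performance reasons" but no longer tells the reader what integrity protection buys them; suggest one sentence along the lines of "Without integrity protection, data at rest is encrypted but tampering with the ciphertext isn't detected" so the trade-off is explicit. Two smaller points: `storageClassName` is a field in the PVC `spec`, not a "parameter", and calling it one right before the sentence about the class `parameters` invites confusion; and the line starting "Or use another filesystem" is a sentence fragment, better joined to the preceding sentence ("...to the class `parameters`, or use another file system type with the suffix `-integrity`, e.g., ...").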
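Review bot: In the default-class hunks (`@@ -197,13 +162,13 @@` and `@@ -244,13 +209,13 @@` and their version-2.2 counterparts) the "remove that annotation" command now hardcodes `encrypted-rwo`, but the sentence above it still reads "If you previously used another storage class as the default", which suggests the user's own earlier class rather than the one the driver marks as default; the updated `kubectl get storageclass` output also no longer lists a cloud-provider class (`disk.csi.azure.com` / `pd.csi.storage.gke.io`), so it's unclear what "another" class would be. Suggest rewording to "The driver marks `encrypted-rwo` as the default class; to switch, first remove the annotation from it:" or keeping a placeholder and telling the reader to substitute the name marked `(default)` in the listing above. The verify step 4 that follows is what catches a leftover second default, so it's worth keeping it right after the patch commands as the hunk does.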