mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-24 23:19:39 -05:00
Rewrite install.md and create verify-cli.md (#124)
* Rewrite install.md and create verify-cli * Small beautification * Address review comment * Shorten examples.md * Quick brush over examples * Fix broken links in v2.0 * Fix broken links in v2.0 * fix lint errors Co-authored-by: Thomas Tendyck <tt@edgeless.systems>
This commit is contained in:
parent
55af5695ed
commit
ebb8d7ca96
2
.github/workflows/docs-vale.yml
vendored
2
.github/workflows/docs-vale.yml
vendored
@ -16,7 +16,7 @@ jobs:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
|
||||
- name: Vale
|
||||
uses: errata-ai/vale-action@c4213d4de3d5f718b8497bd86161531c78992084
|
||||
uses: errata-ai/vale-action@753427452ff1d6cf7a7b76a552aa0cbee3971551
|
||||
with:
|
||||
files: docs/docs
|
||||
env:
|
||||
|
@ -112,7 +112,7 @@ Those correspond to measurements of closed-source firmware components and other
|
||||
While not being directly verifiable, they can be compared against previously observed values.
|
||||
As part of the [signed image measurements](#chain-of-trust), Constellation provides measurements that are known, previously observed values.
|
||||
Thereby, Constellation enables users to identify changes and deviations and allows them to act accordingly.
|
||||
See how to [fetch](../workflows/verify.md#fetch-measurements) the latest measurements and verify a cluster.
|
||||
See how to [fetch](../workflows/verify-cluster.md#fetch-measurements) the latest measurements and verify a cluster.
|
||||
|
||||
Second, are the measurements produced by the Constellation bootloader and boot chain itself.
|
||||
The Constellation Bootloader is the first part of the Constellation stack that takes over from the CVM firmware and measures the rest of the boot chain.
|
||||
@ -205,7 +205,7 @@ When an initialized node tries to join another cluster, its measurements inevita
|
||||
### User-facing attestation
|
||||
|
||||
The [*VerificationService*](components.md#verificationservice) provides an endpoint for obtaining its hardware-based remote attestation statement, which includes the runtime measurements.
|
||||
A user can [verify](../workflows/verify.md) this statement and compare the measurements against the configured ground truth and, thus, verify the identity and integrity of all Constellation components and the cluster configuration. Subsequently, the user knows that the entire cluster is in the expected state and is trustworthy.
|
||||
A user can [verify](../workflows/verify-cluster.md) this statement and compare the measurements against the configured ground truth and, thus, verify the identity and integrity of all Constellation components and the cluster configuration. Subsequently, the user knows that the entire cluster is in the expected state and is trustworthy.
|
||||
|
||||
## Chain of trust
|
||||
|
||||
|
@ -67,7 +67,7 @@ sequenceDiagram
|
||||
|
||||
The *VerificationService* runs as DaemonSet on each node.
|
||||
It provides user-facing functionality for remote attestation during the cluster's lifetime via an endpoint for [verifying the cluster](attestation.md#cluster-attestation).
|
||||
Read more about the hardware-based [attestation feature](attestation.md) of Constellation and how to [verify](../workflows/verify.md) a cluster on the client side.
|
||||
Read more about the hardware-based [attestation feature](attestation.md) of Constellation and how to [verify](../workflows/verify-cluster.md) a cluster on the client side.
|
||||
|
||||
## KMS
|
||||
|
||||
|
@ -70,7 +70,7 @@ You can read more about these values and their meaning in the guide on [cluster
|
||||
The *master secret* must be kept secret and can be used to [recover your cluster](../workflows/recovery.md).
|
||||
Instead of managing this secret manually, you can [use your key management solution of choice](keys.md#user-managed-key-management) with Constellation.
|
||||
|
||||
The *clusterID* uniquely identifies a cluster and can be used to [verify your cluster](../workflows/verify.md).
|
||||
The *clusterID* uniquely identifies a cluster and can be used to [verify your cluster](../workflows/verify-cluster.md).
|
||||
|
||||
## Upgrades
|
||||
|
||||
|
@ -1,10 +1,6 @@
|
||||
# Examples
|
||||
|
||||
After [installing the CLI](install.md) and [creating a cluster](first-steps.md) we've collected a few Kubernetes example applications for deploying in your cluster. They highlight different features and give a first hands-on experience working with Kubernetes in a Constellation cluster. If you have experience with Kubernetes deployments there shouldn't be any sensible differences. Have fun exploring your Confidential Kubernetes!
|
||||
|
||||
Before trying out the example applications, make sure you [installed the Constellation CLI](install.md) and [created a cluster](first-steps.md). From there, the examples shown here are designed to work on a freshly created cluster and don't require any further prerequisites.
|
||||
|
||||
Check out the following examples:
|
||||
* [Emojivoto](examples/emojivoto.md): A simple but fun demo application to test the general functionality of your confidential cluster.
|
||||
* [Online Boutique](examples/online-boutique.md): An e-commerce demo application by Google consisting of 11 separate microservices.
|
||||
* [Horizontal Pod Autoscaling](examples/horizontal-scaling.md): An example demonstrating Constellation's autoscaling capabilities.
|
||||
After you [installed the CLI](install.md) and [created your first cluster](first-steps.md), you're ready to deploy applications. Why not start with one of the following examples?
|
||||
* [Emojivoto](examples/emojivoto.md): a simple but fun web application
|
||||
* [Online Boutique](examples/online-boutique.md): an e-commerce demo application by Google consisting of 11 separate microservices
|
||||
* [Horizontal Pod Autoscaling](examples/horizontal-scaling.md): an example demonstrating Constellation's autoscaling capabilities
|
||||
|
@ -1,5 +1,5 @@
|
||||
# Emojivoto
|
||||
For a simple but fun demo application to test the general functionality of your confidential cluster, take a look at [Emojivoto](https://github.com/BuoyantIO/emojivoto).
|
||||
[Emojivoto](https://github.com/BuoyantIO/emojivoto) is a simple and fun application that's well suited to test the basic functionality of your cluster.
|
||||
|
||||
<!-- vale off -->
|
||||
|
||||
|
@ -1,10 +1,14 @@
|
||||
# Horizontal Pod Autoscaling
|
||||
This example demonstrates Constellation's autoscaling capabilities by utilizing a slightly adapted version of the Kubernetes [HorizontalPodAutoscaler Walkthrough](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/). During the following steps, we will see Constellation be able to spawn new VMs on demand, add them to the cluster and later on delete them again when the load has settled down.
|
||||
This example demonstrates Constellation's autoscaling capabilities by utilizing a slightly adapted version of the Kubernetes [HorizontalPodAutoscaler Walkthrough](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/). During the following steps, Constellation will spawn new VMs on demand, verify them, add them to the cluster, and delete them again when the load has settled down.
|
||||
|
||||
## Requirements
|
||||
The cluster needs to be initialized with Kubernetes 1.23 or higher. In addition, autoscaling must be enabled to trigger Constellation to assign new nodes dynamically.
|
||||
|
||||
Just for this example specifically, the cluster should have as few worker nodes in the beginning as possible. Starting with a small cluster having only *one* control plane node and *one* worker node using one of the low-end supported VMs is recommended for an easier demonstration and saving costs. The example has been tested on Azure using a `Standard_DC4as_v5` and on GCP using `n2d-standard-4` instance.
|
||||
Just for this example specifically, the cluster should have as few worker nodes in the beginning as possible. We recommend starting with a small cluster with only *one* low-powered node for the control plane node and *one* low-powered worker node.
|
||||
|
||||
:::info
|
||||
We tested the example using instances of types `Standard_DC4as_v5` on Azure and `n2d-standard-4` on GCP.
|
||||
:::
|
||||
|
||||
## Setup
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
# Online Boutique
|
||||
[Online Boutique](https://github.com/GoogleCloudPlatform/microservices-demo) is an e-commerce demo application by Google consisting of 11 separate microservices. Constellation is automatically able to set up a load balancer on your CSP, making it easy to expose services from your confidential cluster without any additional setup required.
|
||||
[Online Boutique](https://github.com/GoogleCloudPlatform/microservices-demo) is an e-commerce demo application by Google consisting of 11 separate microservices. In this demo, Constellation automatically sets up a load balancer on your CSP, making it easy to expose services from your confidential cluster.
|
||||
|
||||
<!-- vale off -->
|
||||
|
||||
|
@ -177,7 +177,7 @@ The following steps will guide you through the process of creating a cluster and
|
||||
|
||||
This command is necessary to download the latest trusted measurements for your configured image.
|
||||
|
||||
For more details, see the [verification section](../workflows/verify.md).
|
||||
For more details, see the [verification section](../workflows/verify-cluster.md).
|
||||
|
||||
4. Create the cluster with one control-plane node and two worker nodes. `constellation create` uses options set in `constellation-conf.yaml` automatically.
|
||||
|
||||
|
@ -2,64 +2,39 @@
|
||||
|
||||
Constellation runs entirely in your cloud environment and can be easily controlled via a dedicated Command Line Interface (CLI).
|
||||
|
||||
The installation process will guide you through the steps of installing the CLI on your machine, verifying it, and connecting it to your Cloud Service Provider (CSP).
|
||||
The following guides you through the steps of installing the CLI on your machine, verifying it, and connecting it to your Cloud Service Provider (CSP).
|
||||
|
||||
### Prerequisites
|
||||
|
||||
Before we start, make sure the following requirements are fulfilled:
|
||||
Make sure the following requirements are met:
|
||||
|
||||
- Your machine is running Ubuntu or macOS
|
||||
- Your machine is running Linux or macOS
|
||||
- You have admin rights on your machine
|
||||
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
|
||||
- Your cloud provider is Microsoft Azure or Google Cloud
|
||||
- Your cloud provider is Microsoft Azure or Google Cloud Platform (GCP)
|
||||
|
||||
## Install the Constellation CLI
|
||||
|
||||
The Constellation CLI can be downloaded from our [release page](https://github.com/edgelesssys/constellation/releases). Therefore, navigate to a release and download the `constellation` binary for your operating system and architecture. Move the downloaded file to a directory in your `PATH` (default: `/usr/local/bin`) and make it executable by entering `chmod u+x constellation` in your terminal.
|
||||
Download the CLI executable from the [release page](https://github.com/edgelesssys/constellation/releases). Move the downloaded file to a directory in your `PATH` (default: `/usr/local/bin`) and make it executable by entering `chmod u+x constellation` in your terminal.
|
||||
|
||||
Running `constellation` should then give you:
|
||||
:::note
|
||||
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) to sign each release of the CLI. You may want to [verify the signature](../workflows/verify-cli.md) before you use the CLI.
|
||||
:::
|
||||
|
||||
```shell-session
|
||||
$ constellation
|
||||
Manage your Constellation cluster.
|
||||
|
||||
Usage:
|
||||
constellation [command]
|
||||
|
||||
...
|
||||
```
|
||||
|
||||
### Optional: Enable shell autocompletion
|
||||
|
||||
The Constellation CLI supports autocompletion for various shells. To set it up, run `constellation completion` and follow the steps.
|
||||
|
||||
## Verify the CLI
|
||||
|
||||
For extra security, make sure to verify your CLI. Therefore, install [cosign](https://github.com/sigstore/cosign). Then, head to our [release page](https://github.com/edgelesssys/constellation/releases) again and, from the same release as before, download the following files:
|
||||
|
||||
- `cosign.pub` (Edgeless System's cosign public key)
|
||||
- `constellation-*.sig` (the CLI's signature)
|
||||
|
||||
You can then verify your CLI before launching a cluster using the paths to the public key, signature, and CLI executable:
|
||||
|
||||
```bash
|
||||
cosign verify-blob --key cosign.pub --signature constellation.sig constellation
|
||||
```
|
||||
|
||||
For more detailed information read our [installation, update and verification documentation](../architecture/orchestration.md).
|
||||
:::tip
|
||||
The CLI supports autocompletion for various shells. To set it up, run `constellation completion` and follow the given steps.
|
||||
:::
|
||||
|
||||
## Set up cloud credentials
|
||||
|
||||
The CLI makes authenticated calls to the CSP API. Therefore, you need to set up Constellation with the credentials for your CSP.
|
||||
The CLI makes authenticated calls to the CSP API. Therefore, you need to set up Constellation with the credentials for your CSP. Currently, Microsoft Azure and Google Cloud Platform (GCP) are the only supported CSPs.
|
||||
|
||||
### Authentication
|
||||
### Step 1: Authenticate
|
||||
|
||||
In the following, we provide you with different ways to authenticate with your CSP.
|
||||
First, you need to authenticate with your CSP. The following lists the required steps for *testing* and *production* environments.
|
||||
|
||||
:::danger
|
||||
|
||||
Don't use the testing methods for setting up a production-grade Constellation cluster. In those methods, secrets are stored on disk during installation which would be exposed to the CSP.
|
||||
|
||||
The steps for a *testing* environment are simpler. However, they may expose secrets to the CSP. If in doubt, follow the *production* steps.
|
||||
:::
|
||||
|
||||
<tabs groupId="csp">
|
||||
@ -67,11 +42,11 @@ Don't use the testing methods for setting up a production-grade Constellation cl
|
||||
|
||||
**Testing**
|
||||
|
||||
To try out Constellation, using a cloud environment such as [Azure Cloud Shell](https://docs.microsoft.com/en-us/azure/cloud-shell/overview) is the quickest way to get started.
|
||||
Simply open the [Azure Cloud Shell](https://docs.microsoft.com/en-us/azure/cloud-shell/overview).
|
||||
|
||||
**Production**
|
||||
|
||||
For production clusters, use the latest version of the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/) on a trusted machine:
|
||||
Use the latest version of the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/) on a trusted machine:
|
||||
|
||||
```bash
|
||||
az login
|
||||
@ -90,13 +65,13 @@ Enable the following cloud APIs first:
|
||||
|
||||
**Testing**
|
||||
|
||||
- If you are running from within a Google VM, and the VM is allowed to access the necessary APIs, no further configuration is needed.
|
||||
If you are running from within VM on GCP, and the VM is allowed to access the necessary APIs, no further configuration is needed.
|
||||
|
||||
- If you are using the [Google Cloud Shell](https://cloud.google.com/shell), make sure your [session is authorized](https://cloud.google.com/shell/docs/auth). For example, execute `gsutil` and accept the authorization prompt.
|
||||
If you are using the [Google Cloud Shell](https://cloud.google.com/shell), make sure your [session is authorized](https://cloud.google.com/shell/docs/auth). For example, execute `gsutil` and accept the authorization prompt.
|
||||
|
||||
**Production**
|
||||
|
||||
For production clusters, use one of the following options on a trusted machine:
|
||||
For production, use one of the following options on a trusted machine:
|
||||
|
||||
- Use the [`gcloud` CLI](https://cloud.google.com/sdk/gcloud)
|
||||
|
||||
@ -104,7 +79,7 @@ For production clusters, use one of the following options on a trusted machine:
|
||||
gcloud auth application-default login
|
||||
```
|
||||
|
||||
This will ask you to log in to your Google account, and then create your credentials.
|
||||
This will ask you to log-in to your Google account and create your credentials.
|
||||
The Constellation CLI will automatically load these credentials when needed.
|
||||
|
||||
- Set up a service account and pass the credentials manually
|
||||
@ -114,12 +89,14 @@ For production clusters, use one of the following options on a trusted machine:
|
||||
</tabItem>
|
||||
</tabs>
|
||||
|
||||
### Authorization
|
||||
### Step 2: Set permissions
|
||||
|
||||
Finally, set the required permissions for your user account.
|
||||
|
||||
<tabs groupId="csp">
|
||||
<tabItem value="azure" label="Azure" default>
|
||||
|
||||
Your user account needs the following permissions to set up a Constellation cluster:
|
||||
Set the following permissions:
|
||||
|
||||
- `Contributor`
|
||||
- `User Access Administrator`
|
||||
@ -127,7 +104,7 @@ Your user account needs the following permissions to set up a Constellation clus
|
||||
</tabItem>
|
||||
<tabItem value="gcp" label="GCP" default>
|
||||
|
||||
Your user account needs the following permissions to set up a Constellation:
|
||||
Set the following permissions:
|
||||
|
||||
- `compute.*` (or the subset defined by `roles/compute.instanceAdmin.v1`)
|
||||
- `iam.serviceAccountUser`
|
||||
@ -139,4 +116,4 @@ Follow Google's guide on [understanding](https://cloud.google.com/iam/docs/under
|
||||
|
||||
### Next Steps
|
||||
|
||||
Once you have followed all previous steps, you can proceed [to deploy your first confidential Kubernetes cluster and application](first-steps.md).
|
||||
You are now ready to [deploy your first confidential Kubernetes cluster and application](first-steps.md).
|
||||
|
@ -1,6 +1,6 @@
|
||||
# Security benefits and threat model
|
||||
|
||||
Constellation implements the [Confidential Kubernetes](confidential-kubernetes.md) concept and shields entire Kubernetes deployments from the infrastructure. More concretely, Constellation decreases the size of the trusted computing base (TCB) of a Kubernetes deployment. The TCB is the totality of elements in a computing environment that must be trusted not to be compromised. A smaller TCB results in a smaller attack surface. The following diagram shows how Constellation removes the *cloud & datacenter infrastructure* and the *physical hosts*, including the hypervisor, the host OS, and other components, from the TCB (red). Inside the confidential context (green), Kubernetes remains part of the TCB, but its integrity is attested and can be [verified](../workflows/verify.md).
|
||||
Constellation implements the [Confidential Kubernetes](confidential-kubernetes.md) concept and shields entire Kubernetes deployments from the infrastructure. More concretely, Constellation decreases the size of the trusted computing base (TCB) of a Kubernetes deployment. The TCB is the totality of elements in a computing environment that must be trusted not to be compromised. A smaller TCB results in a smaller attack surface. The following diagram shows how Constellation removes the *cloud & datacenter infrastructure* and the *physical hosts*, including the hypervisor, the host OS, and other components, from the TCB (red). Inside the confidential context (green), Kubernetes remains part of the TCB, but its integrity is attested and can be [verified](../workflows/verify-cluster.md).
|
||||
|
||||
![TCB comparison](../_media/tcb.svg)
|
||||
|
||||
|
@ -50,7 +50,7 @@ Next, download the latest trusted measurements for your configured image.
|
||||
constellation config fetch-measurements
|
||||
```
|
||||
|
||||
For more details, see the [verification section](../workflows/verify.md).
|
||||
For more details, see the [verification section](../workflows/verify-cluster.md).
|
||||
|
||||
### Create
|
||||
|
||||
|
90
docs/docs/workflows/verify-cli.md
Normal file
90
docs/docs/workflows/verify-cli.md
Normal file
@ -0,0 +1,90 @@
|
||||
# Verify the CLI
|
||||
|
||||
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/cosign/overview), [Rekor](https://docs.sigstore.dev/rekor/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are automatically uploaded to the public Rekor transparency log, which resides at https://rekor.sigstore.dev/.
|
||||
|
||||
:::note
|
||||
The public key for Edgeless Systems' long-term code-signing key is:
|
||||
```
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT
|
||||
JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw==
|
||||
-----END PUBLIC KEY-----
|
||||
```
|
||||
The public key is also available for download at https://edgeless.systems/es.pub and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems).
|
||||
:::
|
||||
|
||||
The Rekor transparency log is a public append-only ledger that verifies and records signatures and associated metadata. The Rekor transparency log enables everyone to observe the sequence of (software) signatures issued by Edgeless Systems and many other parties. The transparency log allows for the public identification of dubious or malicious signatures.
|
||||
|
||||
You should always ensure that (1) your CLI executable was signed with the private key corresponding to the above public key and that (2) there is a corresponding entry in the Rekor transparency log. Both can be done as is described in the following.
|
||||
|
||||
:::info
|
||||
You don't need to verify the Constellation node images. This is done automatically by your CLI and the rest of Constellation.
|
||||
:::
|
||||
|
||||
## Verify the signature
|
||||
|
||||
First, [install the Cosign CLI](https://docs.sigstore.dev/cosign/installation). Next, verify the signature that accompanies your CLI executable, for example:
|
||||
|
||||
```shell-session
|
||||
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
||||
|
||||
Verified OK
|
||||
```
|
||||
|
||||
The above performs an offline verification of the provided public key, signature, and executable. To also verify that a corresponding entry exists in the public Rekor transparency log, add the variable `COSIGN_EXPERIMENTAL=1`:
|
||||
|
||||
```shell-session
|
||||
$ COSIGN_EXPERIMENTAL=1 cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
||||
|
||||
tlog entry verified with uuid: 0629f03c379219f4ae1b99819fd4c266a39490a338ec24321198ba6ccc16f147 index: 3334047
|
||||
Verified OK
|
||||
```
|
||||
|
||||
🏁 You now know that your CLI executable was officially released and signed by Edgeless Systems.
|
||||
|
||||
## Optional: Manually inspect the transparency log
|
||||
|
||||
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/rekor/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
||||
|
||||
```shell-session
|
||||
$ rekor-cli search --artifact constellation-linux-amd64
|
||||
|
||||
Found matching entries (listed by UUID):
|
||||
362f8ecba72f43260629f03c379219f4ae1b99819fd4c266a39490a338ec24321198ba6ccc16f147
|
||||
```
|
||||
|
||||
With this UUID you can get the full entry from the transparency log:
|
||||
|
||||
```shell-session
|
||||
$ rekor-cli get --uuid=362f8ecba72f43260629f03c379219f4ae1b99819fd4c266a39490a338ec24321198ba6ccc16f147
|
||||
|
||||
LogID: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
|
||||
Index: 3334047
|
||||
IntegratedTime: 2022-08-31T08:36:25Z
|
||||
UUID: 0629f03c379219f4ae1b99819fd4c266a39490a338ec24321198ba6ccc16f147
|
||||
Body: {
|
||||
"HashedRekordObj": {
|
||||
"data": {
|
||||
"hash": {
|
||||
"algorithm": "sha256",
|
||||
"value": "7cdc7a7101b215058264279b8d8f624e4e48b6b42cd54857a5e02daf1a1b014c"
|
||||
}
|
||||
},
|
||||
"signature": {
|
||||
"content": "MEYCIQDdL8fuhtFk6ON4b6kW6bvLMXqvw37nm8/UiLcYKjogsAIhAODZCdS1HgHvFJ5KFxT1JZzRN2wPdn3HZsiP0+3q6zsL",
|
||||
"publicKey": {
|
||||
"content": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFZjhGMWhwbXdFK1lDRlh6akd0YVFjckw2WFpWVApKbUVlNWlTTHZHMVN5UVNBZXc3V2RNS0Y2bzl0OGUyVEZ1Q2t6bE9oaGx3czJPSFdiaUZabkZXQ0Z3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg=="
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
The field `publicKey` should contain Edgeless Systems' public key in Base64 encoding.
|
||||
|
||||
You can get an exhaustive list of artifact signatures issued by Edgeless Systems via the following command:
|
||||
|
||||
```bash
|
||||
$ rekor-cli search --public-key https://edgeless.systems/es.pub --pki-format x509
|
||||
```
|
||||
|
||||
Edgeless Systems monitors this list to detect potential unauthorized use of its private key.
|
@ -112,7 +112,8 @@ async function createConfig() {
|
||||
},
|
||||
announcementBar: {
|
||||
content:
|
||||
'⭐️ If you like Constellation, give it a star on <a target="_blank" rel="noopener noreferrer" href="https://github.com/edgelesssys/constellation">GitHub</a>! ⭐️',
|
||||
'If you like Constellation, give it a star on <a target="_blank" rel="noopener noreferrer" href="https://github.com/edgelesssys/constellation">GitHub</a> ⭐️',
|
||||
backgroundColor: '#E7E6E6'
|
||||
},
|
||||
footer: {
|
||||
style: 'dark',
|
||||
@ -174,7 +175,7 @@ async function createConfig() {
|
||||
],
|
||||
},
|
||||
],
|
||||
copyright: `Copyright © ${new Date().getFullYear()} Edgeless Systems. Built with Docusaurus.`,
|
||||
copyright: `Copyright © ${new Date().getFullYear()} Edgeless Systems`,
|
||||
},
|
||||
prism: {
|
||||
theme: lightCodeTheme,
|
||||
|
@ -15,8 +15,9 @@
|
||||
},
|
||||
"dependencies": {
|
||||
"@cmfcmf/docusaurus-search-local": "^0.11.0",
|
||||
"@docusaurus/core": "2.0.1",
|
||||
"@docusaurus/preset-classic": "2.0.1",
|
||||
"@docusaurus/core": "^2.1.0",
|
||||
"@docusaurus/module-type-aliases": "^2.1.0",
|
||||
"@docusaurus/preset-classic": "^2.1.0",
|
||||
"@mdx-js/react": "^1.6.22",
|
||||
"clsx": "^1.2.1",
|
||||
"mdx-mermaid": "^1.3.2",
|
||||
@ -25,9 +26,6 @@
|
||||
"react": "^17.0.2",
|
||||
"react-dom": "^17.0.2"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@docusaurus/module-type-aliases": "2.0.1"
|
||||
},
|
||||
"browserslist": {
|
||||
"production": [
|
||||
">0.5%",
|
||||
|
@ -113,6 +113,11 @@ const sidebars = {
|
||||
type: 'generated-index',
|
||||
},
|
||||
items: [
|
||||
{
|
||||
type: 'doc',
|
||||
label: 'Verify the CLI',
|
||||
id: 'workflows/verify-cli',
|
||||
},
|
||||
{
|
||||
type: 'doc',
|
||||
label: 'Create your cluster',
|
||||
@ -121,7 +126,7 @@ const sidebars = {
|
||||
{
|
||||
type: 'doc',
|
||||
label: 'Verify your cluster',
|
||||
id: 'workflows/verify',
|
||||
id: 'workflows/verify-cluster',
|
||||
},
|
||||
{
|
||||
type: 'doc',
|
||||
|
@ -56,3 +56,17 @@
|
||||
html[data-theme='dark'] .header-github-link:before {
|
||||
background: url("data:image/svg+xml,%3Csvg viewBox='0 0 24 24' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath fill='white' d='M12 .297c-6.63 0-12 5.373-12 12 0 5.303 3.438 9.8 8.205 11.385.6.113.82-.258.82-.577 0-.285-.01-1.04-.015-2.04-3.338.724-4.042-1.61-4.042-1.61C4.422 18.07 3.633 17.7 3.633 17.7c-1.087-.744.084-.729.084-.729 1.205.084 1.838 1.236 1.838 1.236 1.07 1.835 2.809 1.305 3.495.998.108-.776.417-1.305.76-1.605-2.665-.3-5.466-1.332-5.466-5.93 0-1.31.465-2.38 1.235-3.22-.135-.303-.54-1.523.105-3.176 0 0 1.005-.322 3.3 1.23.96-.267 1.98-.399 3-.405 1.02.006 2.04.138 3 .405 2.28-1.552 3.285-1.23 3.285-1.23.645 1.653.24 2.873.12 3.176.765.84 1.23 1.91 1.23 3.22 0 4.61-2.805 5.625-5.475 5.92.42.36.81 1.096.81 2.22 0 1.606-.015 2.896-.015 3.286 0 .315.21.69.825.57C20.565 22.092 24 17.592 24 12.297c0-6.627-5.373-12-12-12'/%3E%3C/svg%3E") no-repeat;
|
||||
}
|
||||
|
||||
.tabs-container {
|
||||
border: 1px solid var(--ifm-color-emphasis-300);
|
||||
border-radius: var(--ifm-pagination-nav-border-radius);
|
||||
padding: var(--ifm-global-spacing);
|
||||
}
|
||||
|
||||
.tabs {
|
||||
border-bottom: 1px solid var(--ifm-color-emphasis-300);
|
||||
}
|
||||
|
||||
.footer--dark {
|
||||
background-color: black;
|
||||
}
|
@ -15,6 +15,7 @@ deallocate
|
||||
[Ee]mojivoto
|
||||
etcd
|
||||
Filestore
|
||||
Fulcio
|
||||
Gbps
|
||||
iam
|
||||
IAM
|
||||
@ -26,6 +27,7 @@ kubelet
|
||||
libcryptsetup
|
||||
namespace
|
||||
[Pp]laintext
|
||||
Rekor
|
||||
resizable
|
||||
sigstore
|
||||
systemd
|
||||
|
Loading…
Reference in New Issue
Block a user