From 9f06a16a44632b8017fbc867366b9d8b8721e240 Mon Sep 17 00:00:00 2001 From: Thomas Tendyck Date: Wed, 29 Nov 2023 09:25:46 +0100 Subject: [PATCH] docs: fix tabs and enterprise banner --- docs/docs/features/manifest.md | 2 +- docs/docs/features/recovery.md | 4 +- docs/docs/getting-started/installation.md | 16 ++--- docs/docs/getting-started/quickstart.md | 60 +++++++++---------- docs/docs/workflows/define-manifest.md | 2 +- docs/docs/workflows/recover-coordinator.md | 2 +- docs/docs/workflows/update-manifest.md | 2 +- docs/src/theme/MDXComponents.js | 6 +- .../version-1.1/features/manifest.md | 2 +- .../version-1.1/features/recovery.md | 4 +- .../version-1.1/getting-started/quickstart.md | 12 ++-- .../version-1.1/reference/cli.md | 29 +++++---- .../version-1.1/workflows/define-manifest.md | 2 +- .../workflows/recover-coordinator.md | 2 +- .../version-1.1/workflows/update-manifest.md | 2 +- .../version-1.2/features/manifest.md | 2 +- .../version-1.2/features/recovery.md | 4 +- .../getting-started/installation.md | 12 ++-- .../version-1.2/getting-started/quickstart.md | 60 +++++++++---------- .../version-1.2/reference/cli.md | 29 +++++---- .../version-1.2/workflows/define-manifest.md | 2 +- .../workflows/recover-coordinator.md | 2 +- .../version-1.2/workflows/update-manifest.md | 2 +- .../version-1.3/features/manifest.md | 2 +- .../version-1.3/features/recovery.md | 4 +- .../getting-started/installation.md | 16 ++--- .../version-1.3/getting-started/quickstart.md | 60 +++++++++---------- .../version-1.3/workflows/define-manifest.md | 2 +- .../workflows/recover-coordinator.md | 2 +- .../version-1.3/workflows/update-manifest.md | 2 +- 30 files changed, 173 insertions(+), 175 deletions(-) diff --git a/docs/docs/features/manifest.md b/docs/docs/features/manifest.md index 82d96389..7c525d42 100644 --- a/docs/docs/features/manifest.md +++ b/docs/docs/features/manifest.md @@ -20,7 +20,7 @@ Choose this approach for deployments with a well-defined scope, but a possibly l ## Fully updatable deployment - + The manifest allows to [permit a user to update the full manifest](../workflows/define-manifest.md#roles). With such a deployment, this user usually needs to be a trusted party. diff --git a/docs/docs/features/recovery.md b/docs/docs/features/recovery.md index 9611694c..f4a096cc 100644 --- a/docs/docs/features/recovery.md +++ b/docs/docs/features/recovery.md @@ -21,7 +21,7 @@ However, a [manual step](#recovery) is required to recover the Coordinator's sta ### Distributed Coordinator - + When you use MarbleRun [with Kubernetes](../deployment/kubernetes.md), you can scale the Coordinator to multiple instances. The instances share a common state, encrypted and stored as a Kubernetes secret. @@ -46,7 +46,7 @@ The Recovery Key's owner can access the Coordinator's raw state. ### Multi-party recovery - + Depending on the use case, it may not be acceptable that the owner has full control over the cluster. MarbleRun supports splitting the Recovery Key between parties. diff --git a/docs/docs/getting-started/installation.md b/docs/docs/getting-started/installation.md index c9a2b0f7..94a60b2a 100644 --- a/docs/docs/getting-started/installation.md +++ b/docs/docs/getting-started/installation.md @@ -28,8 +28,8 @@ Now your cluster is ready and you can install the MarbleRun CLI. CLI executables for different platforms are available at [GitHub](https://github.com/edgelesssys/marblerun/releases). The CLI needs an SGX [quote provider](https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/DCAP_ECDSA_Orientation.pdf) to verify attestation reports. - - + + The AppImage runs on all x86-64 Linux distributions with glibc v2.29 or higher. It includes the quote provider. @@ -40,8 +40,8 @@ wget https://github.com/edgelesssys/marblerun/releases/latest/download/marblerun sudo install marblerun-x86_64.AppImage /usr/local/bin/marblerun ``` - - + + Install the CLI and the quote provider with the following commands: @@ -58,8 +58,8 @@ sudo apt update sudo apt install libsgx-dcap-default-qpl ``` - - + + Install the CLI and the quote provider with the following commands: @@ -75,8 +75,8 @@ sudo apt update sudo apt install libsgx-dcap-default-qpl ``` - - + + Once installed, verify the CLI is running correctly with the following: diff --git a/docs/docs/getting-started/quickstart.md b/docs/docs/getting-started/quickstart.md index ae4a43ec..d0a63b9a 100644 --- a/docs/docs/getting-started/quickstart.md +++ b/docs/docs/getting-started/quickstart.md @@ -9,8 +9,8 @@ Depending on your setup, you may follow the quickstart for SGX-enabled clusters. Install MarbleRun's *Coordinator* control plane by running: - - + + ```bash marblerun install @@ -19,8 +19,8 @@ marblerun install The `marblerun install` command generates a Kubernetes manifest with all the necessary control plane resources. This includes a deployment for the Coordinator and for MarbleRun's [admission controller.](../features/kubernetes-integration.md) - - + + ```bash marblerun install --simulation @@ -30,8 +30,8 @@ The `marblerun install` command generates a Kubernetes manifest with all the nec This includes a deployment for the Coordinator and for MarbleRun's [admission controller.](../features/kubernetes-integration.md) The simulation flag tells MarbleRun that real SGX hardware might not be present and the SGX layer should be emulated. - - + + Wait for the control plane to finish installing: @@ -55,15 +55,15 @@ For this, we utilize SGX remote attestation and obtain the Coordinator's root ce Verify the quote and get the Coordinator's root certificate - - + + ```bash marblerun certificate root $MARBLERUN -o marblerun.crt ``` - - + + ```bash marblerun certificate root $MARBLERUN -o marblerun.crt --insecure @@ -71,8 +71,8 @@ marblerun certificate root $MARBLERUN -o marblerun.crt --insecure The insecure flag tells MarbleRun that real SGX hardware might not be present and the quote verification should be omitted. - - + + The CLI will obtain the Coordinator's remote attestation quote and verify it against the configuration on our [release page](https://github.com/edgelesssys/marblerun/releases/latest/download/coordinator-era.json). The SGX quote proves the integrity of the Coordinator pod. @@ -97,41 +97,41 @@ MarbleRun guarantees that the topology of your distributed app adheres to a mani MarbleRun verifies the integrity of services, bootstraps them, and sets up encrypted connections between them. The emojivoto demo already comes with a [manifest](https://github.com/edgelesssys/emojivoto/blob/main/tools/manifest.json), which you can deploy onto MarbleRun by running the following: - - + + ```bash marblerun manifest set tools/manifest.json $MARBLERUN ``` - - + + ```bash marblerun manifest set tools/manifest.json $MARBLERUN --insecure ``` - - + + You can check that the state of MarbleRun has changed and is now ready to authenticate your services by running: - - + + ```bash marblerun status $MARBLERUN ``` - - + + ```bash marblerun status $MARBLERUN --insecure ``` - - + + ### Step 3.2: Deploy emojivoto @@ -139,22 +139,22 @@ Finally, install the demo application onto your cluster. Please make sure you have [Helm](https://helm.sh/docs/intro/install/) ("the package manager for Kubernetes") installed at least at Version v3.2.0. Install emojivoto into the emojivoto namespace by running: - - + + ```bash helm install -f ./kubernetes/sgx_values.yaml emojivoto ./kubernetes --create-namespace -n emojivoto ``` - - + + ```bash helm install -f ./kubernetes/nosgx_values.yaml emojivoto ./kubernetes --create-namespace -n emojivoto ``` - - + + ## Step 4: Watch it run diff --git a/docs/docs/workflows/define-manifest.md b/docs/docs/workflows/define-manifest.md index 4f000655..f598b074 100644 --- a/docs/docs/workflows/define-manifest.md +++ b/docs/docs/workflows/define-manifest.md @@ -417,7 +417,7 @@ awk 1 ORS='\\n' public_key.pem ### Multi-party recovery - + To enable [multi-party recovery](../features/recovery.md#multi-party-recovery), first ask the other parties to generate key pairs as described above and receive their public keys via an authenticated channel. diff --git a/docs/docs/workflows/recover-coordinator.md b/docs/docs/workflows/recover-coordinator.md index 749b5175..23da81b0 100644 --- a/docs/docs/workflows/recover-coordinator.md +++ b/docs/docs/workflows/recover-coordinator.md @@ -50,7 +50,7 @@ On success, the Coordinator applies the sealed state again. If the Coordinator c ## Multi-party recovery - + If you've [configured your MarbleRun deployment for multi-party recovery](define-manifest.md#multi-party-recovery), send each party the corresponding [recovery secret](set-manifest.md). Ask them to perform the steps above. Once all parties have uploaded their secrets, the Coordinator recovers the sealed state and continues its operations. diff --git a/docs/docs/workflows/update-manifest.md b/docs/docs/workflows/update-manifest.md index ec74bcab..a5aae876 100644 --- a/docs/docs/workflows/update-manifest.md +++ b/docs/docs/workflows/update-manifest.md @@ -48,7 +48,7 @@ Don't define other values except the `SecurityVersion` value for a package, as M ## Full update - + Some deployment scenarios require more flexibility regarding changes to the manifest. To this end, MarbleRun also allows uploading a full manifest. User-defined secrets and secrets of type `symmetric-key` are retained if their definition doesn't change. diff --git a/docs/src/theme/MDXComponents.js b/docs/src/theme/MDXComponents.js index 937ce109..a4857b8a 100644 --- a/docs/src/theme/MDXComponents.js +++ b/docs/src/theme/MDXComponents.js @@ -10,7 +10,7 @@ export default { ...MDXComponents, // Map the "highlight" tag to our component! // `Highlight` will receive all props that were passed to `highlight` in MDX - tabs: Tabs, - tabItem: TabItem, - enterpriseBanner: EnterpriseBanner, + Tabs, + TabItem, + EnterpriseBanner, }; diff --git a/docs/versioned_docs/version-1.1/features/manifest.md b/docs/versioned_docs/version-1.1/features/manifest.md index 0f4bdb63..9d92853b 100644 --- a/docs/versioned_docs/version-1.1/features/manifest.md +++ b/docs/versioned_docs/version-1.1/features/manifest.md @@ -20,7 +20,7 @@ Choose this approach for deployments with a well-defined scope, but a possibly l ## Fully updatable deployment - + The manifest allows to [permit a user to update the full manifest](../workflows/define-manifest.md#roles). With such a deployment, this user usually needs to be a trusted party. diff --git a/docs/versioned_docs/version-1.1/features/recovery.md b/docs/versioned_docs/version-1.1/features/recovery.md index b718af6e..7bbfeb92 100644 --- a/docs/versioned_docs/version-1.1/features/recovery.md +++ b/docs/versioned_docs/version-1.1/features/recovery.md @@ -21,7 +21,7 @@ However, when the Coordinator is moved to another physical host, a [manual step] ### Distributed Coordinator - + When you use MarbleRun [with Kubernetes](../deployment/kubernetes.md), you can scale the Coordinator to multiple instances. The instances share a common state, encrypted and stored as a Kubernetes secret. @@ -47,7 +47,7 @@ The owner of the Recovery Key can access the raw state of the Coordinator. ### Multi-party recovery - + Depending on the use case, it may not be acceptable that the owner has full control over the cluster. MarbleRun supports splitting the Recovery Key between parties. diff --git a/docs/versioned_docs/version-1.1/getting-started/quickstart.md b/docs/versioned_docs/version-1.1/getting-started/quickstart.md index a0e3adbd..80da2ea8 100644 --- a/docs/versioned_docs/version-1.1/getting-started/quickstart.md +++ b/docs/versioned_docs/version-1.1/getting-started/quickstart.md @@ -31,24 +31,24 @@ If this is your first time running MarbleRun, you will need to download the Marb To install the CLI, run: - - + + ```bash wget -P ~/.local/bin https://github.com/edgelesssys/marblerun/releases/latest/download/marblerun chmod +x ~/.local/bin/marblerun ``` - - + + ```bash sudo wget -O /usr/local/bin/marblerun https://github.com/edgelesssys/marblerun/releases/latest/download/marblerun sudo chmod +x /usr/local/bin/marblerun ``` - - + + Once installed, verify the CLI is running correctly with: diff --git a/docs/versioned_docs/version-1.1/reference/cli.md b/docs/versioned_docs/version-1.1/reference/cli.md index 8c219f26..7079fe8a 100644 --- a/docs/versioned_docs/version-1.1/reference/cli.md +++ b/docs/versioned_docs/version-1.1/reference/cli.md @@ -7,24 +7,24 @@ This CLI allows you to install MarbleRun on your cluster and interacts with the To install the MarbleRun CLI on your machine you can use our pre-built binaries. - - + + ```bash wget -P ~/.local/bin https://github.com/edgelesssys/marblerun/releases/latest/download/marblerun chmod +x ~/.local/bin/marblerun ``` - - + + ```bash sudo wget -O /usr/local/bin/marblerun https://github.com/edgelesssys/marblerun/releases/latest/download/marblerun sudo chmod +x /usr/local/bin/marblerun ``` - - + + To build the MarbleRun CLI, [Edgeless RT](https://github.com/edgelesssys/edgelessrt) needs to be installed on your machine. @@ -33,16 +33,16 @@ git clone https://github.com/edgelesssys/marblerun && cd ./marblerun go build -buildvcs=false -o marblerun ./cli ``` - - + + ### Requirements The CLI requires an SGX quote verification library to verify quotes issued by the Coordinator. You have different options depending on the environment the Coordinator is deployed to: - - + + If the Coordinator is running on an Azure VM, the CLI relies on the [Azure DCAP Client](https://github.com/microsoft/Azure-DCAP-Client) to verify quotes. To install the dependency on Ubuntu 20.04 run: @@ -54,8 +54,8 @@ sudo apt update sudo apt install -y az-dcap-client ``` - - + + Intel provides the `libsgx-dcap-default-qpl` library to facilitate SGX quote verification. To install the dependency on Ubuntu 20.04 run: @@ -68,8 +68,8 @@ sudo apt install -y libsgx-dcap-default-qpl ``` Follow [Intel's documentation](https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/master/QuoteGeneration/qpl/README.md#configuration) to configure access to the PCCS. - - + + ## Reference @@ -933,4 +933,3 @@ marblerun version [flags] --era-config string Path to remote attestation config file in json format, if none provided the newest configuration will be loaded from github -i, --insecure Set to skip quote verification, needed when running in simulation mode ``` - diff --git a/docs/versioned_docs/version-1.1/workflows/define-manifest.md b/docs/versioned_docs/version-1.1/workflows/define-manifest.md index 4f000655..f598b074 100644 --- a/docs/versioned_docs/version-1.1/workflows/define-manifest.md +++ b/docs/versioned_docs/version-1.1/workflows/define-manifest.md @@ -417,7 +417,7 @@ awk 1 ORS='\\n' public_key.pem ### Multi-party recovery - + To enable [multi-party recovery](../features/recovery.md#multi-party-recovery), first ask the other parties to generate key pairs as described above and receive their public keys via an authenticated channel. diff --git a/docs/versioned_docs/version-1.1/workflows/recover-coordinator.md b/docs/versioned_docs/version-1.1/workflows/recover-coordinator.md index 749b5175..23da81b0 100644 --- a/docs/versioned_docs/version-1.1/workflows/recover-coordinator.md +++ b/docs/versioned_docs/version-1.1/workflows/recover-coordinator.md @@ -50,7 +50,7 @@ On success, the Coordinator applies the sealed state again. If the Coordinator c ## Multi-party recovery - + If you've [configured your MarbleRun deployment for multi-party recovery](define-manifest.md#multi-party-recovery), send each party the corresponding [recovery secret](set-manifest.md). Ask them to perform the steps above. Once all parties have uploaded their secrets, the Coordinator recovers the sealed state and continues its operations. diff --git a/docs/versioned_docs/version-1.1/workflows/update-manifest.md b/docs/versioned_docs/version-1.1/workflows/update-manifest.md index ec74bcab..a5aae876 100644 --- a/docs/versioned_docs/version-1.1/workflows/update-manifest.md +++ b/docs/versioned_docs/version-1.1/workflows/update-manifest.md @@ -48,7 +48,7 @@ Don't define other values except the `SecurityVersion` value for a package, as M ## Full update - + Some deployment scenarios require more flexibility regarding changes to the manifest. To this end, MarbleRun also allows uploading a full manifest. User-defined secrets and secrets of type `symmetric-key` are retained if their definition doesn't change. diff --git a/docs/versioned_docs/version-1.2/features/manifest.md b/docs/versioned_docs/version-1.2/features/manifest.md index 82d96389..7c525d42 100644 --- a/docs/versioned_docs/version-1.2/features/manifest.md +++ b/docs/versioned_docs/version-1.2/features/manifest.md @@ -20,7 +20,7 @@ Choose this approach for deployments with a well-defined scope, but a possibly l ## Fully updatable deployment - + The manifest allows to [permit a user to update the full manifest](../workflows/define-manifest.md#roles). With such a deployment, this user usually needs to be a trusted party. diff --git a/docs/versioned_docs/version-1.2/features/recovery.md b/docs/versioned_docs/version-1.2/features/recovery.md index 9611694c..f4a096cc 100644 --- a/docs/versioned_docs/version-1.2/features/recovery.md +++ b/docs/versioned_docs/version-1.2/features/recovery.md @@ -21,7 +21,7 @@ However, a [manual step](#recovery) is required to recover the Coordinator's sta ### Distributed Coordinator - + When you use MarbleRun [with Kubernetes](../deployment/kubernetes.md), you can scale the Coordinator to multiple instances. The instances share a common state, encrypted and stored as a Kubernetes secret. @@ -46,7 +46,7 @@ The Recovery Key's owner can access the Coordinator's raw state. ### Multi-party recovery - + Depending on the use case, it may not be acceptable that the owner has full control over the cluster. MarbleRun supports splitting the Recovery Key between parties. diff --git a/docs/versioned_docs/version-1.2/getting-started/installation.md b/docs/versioned_docs/version-1.2/getting-started/installation.md index 7640d34a..df763a4e 100644 --- a/docs/versioned_docs/version-1.2/getting-started/installation.md +++ b/docs/versioned_docs/version-1.2/getting-started/installation.md @@ -29,24 +29,24 @@ If this is your first time running MarbleRun, you will need to download the Marb To install the CLI, run the following: - - + + ```bash wget -P ~/.local/bin https://github.com/edgelesssys/marblerun/releases/latest/download/marblerun chmod +x ~/.local/bin/marblerun ``` - - + + ```bash sudo wget -O /usr/local/bin/marblerun https://github.com/edgelesssys/marblerun/releases/latest/download/marblerun sudo chmod +x /usr/local/bin/marblerun ``` - - + + Once installed, verify the CLI is running correctly with the following: diff --git a/docs/versioned_docs/version-1.2/getting-started/quickstart.md b/docs/versioned_docs/version-1.2/getting-started/quickstart.md index ae4a43ec..d0a63b9a 100644 --- a/docs/versioned_docs/version-1.2/getting-started/quickstart.md +++ b/docs/versioned_docs/version-1.2/getting-started/quickstart.md @@ -9,8 +9,8 @@ Depending on your setup, you may follow the quickstart for SGX-enabled clusters. Install MarbleRun's *Coordinator* control plane by running: - - + + ```bash marblerun install @@ -19,8 +19,8 @@ marblerun install The `marblerun install` command generates a Kubernetes manifest with all the necessary control plane resources. This includes a deployment for the Coordinator and for MarbleRun's [admission controller.](../features/kubernetes-integration.md) - - + + ```bash marblerun install --simulation @@ -30,8 +30,8 @@ The `marblerun install` command generates a Kubernetes manifest with all the nec This includes a deployment for the Coordinator and for MarbleRun's [admission controller.](../features/kubernetes-integration.md) The simulation flag tells MarbleRun that real SGX hardware might not be present and the SGX layer should be emulated. - - + + Wait for the control plane to finish installing: @@ -55,15 +55,15 @@ For this, we utilize SGX remote attestation and obtain the Coordinator's root ce Verify the quote and get the Coordinator's root certificate - - + + ```bash marblerun certificate root $MARBLERUN -o marblerun.crt ``` - - + + ```bash marblerun certificate root $MARBLERUN -o marblerun.crt --insecure @@ -71,8 +71,8 @@ marblerun certificate root $MARBLERUN -o marblerun.crt --insecure The insecure flag tells MarbleRun that real SGX hardware might not be present and the quote verification should be omitted. - - + + The CLI will obtain the Coordinator's remote attestation quote and verify it against the configuration on our [release page](https://github.com/edgelesssys/marblerun/releases/latest/download/coordinator-era.json). The SGX quote proves the integrity of the Coordinator pod. @@ -97,41 +97,41 @@ MarbleRun guarantees that the topology of your distributed app adheres to a mani MarbleRun verifies the integrity of services, bootstraps them, and sets up encrypted connections between them. The emojivoto demo already comes with a [manifest](https://github.com/edgelesssys/emojivoto/blob/main/tools/manifest.json), which you can deploy onto MarbleRun by running the following: - - + + ```bash marblerun manifest set tools/manifest.json $MARBLERUN ``` - - + + ```bash marblerun manifest set tools/manifest.json $MARBLERUN --insecure ``` - - + + You can check that the state of MarbleRun has changed and is now ready to authenticate your services by running: - - + + ```bash marblerun status $MARBLERUN ``` - - + + ```bash marblerun status $MARBLERUN --insecure ``` - - + + ### Step 3.2: Deploy emojivoto @@ -139,22 +139,22 @@ Finally, install the demo application onto your cluster. Please make sure you have [Helm](https://helm.sh/docs/intro/install/) ("the package manager for Kubernetes") installed at least at Version v3.2.0. Install emojivoto into the emojivoto namespace by running: - - + + ```bash helm install -f ./kubernetes/sgx_values.yaml emojivoto ./kubernetes --create-namespace -n emojivoto ``` - - + + ```bash helm install -f ./kubernetes/nosgx_values.yaml emojivoto ./kubernetes --create-namespace -n emojivoto ``` - - + + ## Step 4: Watch it run diff --git a/docs/versioned_docs/version-1.2/reference/cli.md b/docs/versioned_docs/version-1.2/reference/cli.md index 1081a446..33fbf561 100644 --- a/docs/versioned_docs/version-1.2/reference/cli.md +++ b/docs/versioned_docs/version-1.2/reference/cli.md @@ -7,24 +7,24 @@ This CLI allows you to install MarbleRun on your cluster and interacts with the To install the MarbleRun CLI on your machine you can use our pre-built binaries. - - + + ```bash wget -P ~/.local/bin https://github.com/edgelesssys/marblerun/releases/latest/download/marblerun chmod +x ~/.local/bin/marblerun ``` - - + + ```bash sudo wget -O /usr/local/bin/marblerun https://github.com/edgelesssys/marblerun/releases/latest/download/marblerun sudo chmod +x /usr/local/bin/marblerun ``` - - + + To build the MarbleRun CLI, [Edgeless RT](https://github.com/edgelesssys/edgelessrt) needs to be installed on your machine. @@ -33,16 +33,16 @@ git clone https://github.com/edgelesssys/marblerun && cd ./marblerun go build -buildvcs=false -o marblerun ./cli ``` - - + + ### Requirements The CLI requires an SGX quote verification library to verify quotes issued by the Coordinator. You have different options depending on the environment the Coordinator is deployed to: - - + + If the Coordinator is running on an Azure VM, the CLI relies on the [Azure DCAP Client](https://github.com/microsoft/Azure-DCAP-Client) to verify quotes. To install the dependency on Ubuntu 20.04 run: @@ -54,8 +54,8 @@ sudo apt update sudo apt install -y az-dcap-client ``` - - + + Intel provides the `libsgx-dcap-default-qpl` library to facilitate SGX quote verification. To install the dependency on Ubuntu 20.04 run: @@ -68,8 +68,8 @@ sudo apt install -y libsgx-dcap-default-qpl ``` Follow [Intel's documentation](https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/master/QuoteGeneration/qpl/README.md#configuration) to configure access to the PCCS. - - + + ## Reference @@ -934,4 +934,3 @@ marblerun version [flags] --era-config string Path to remote attestation config file in json format, if none provided the newest configuration will be loaded from github -i, --insecure Set to skip quote verification, needed when running in simulation mode ``` - diff --git a/docs/versioned_docs/version-1.2/workflows/define-manifest.md b/docs/versioned_docs/version-1.2/workflows/define-manifest.md index 4f000655..f598b074 100644 --- a/docs/versioned_docs/version-1.2/workflows/define-manifest.md +++ b/docs/versioned_docs/version-1.2/workflows/define-manifest.md @@ -417,7 +417,7 @@ awk 1 ORS='\\n' public_key.pem ### Multi-party recovery - + To enable [multi-party recovery](../features/recovery.md#multi-party-recovery), first ask the other parties to generate key pairs as described above and receive their public keys via an authenticated channel. diff --git a/docs/versioned_docs/version-1.2/workflows/recover-coordinator.md b/docs/versioned_docs/version-1.2/workflows/recover-coordinator.md index 749b5175..23da81b0 100644 --- a/docs/versioned_docs/version-1.2/workflows/recover-coordinator.md +++ b/docs/versioned_docs/version-1.2/workflows/recover-coordinator.md @@ -50,7 +50,7 @@ On success, the Coordinator applies the sealed state again. If the Coordinator c ## Multi-party recovery - + If you've [configured your MarbleRun deployment for multi-party recovery](define-manifest.md#multi-party-recovery), send each party the corresponding [recovery secret](set-manifest.md). Ask them to perform the steps above. Once all parties have uploaded their secrets, the Coordinator recovers the sealed state and continues its operations. diff --git a/docs/versioned_docs/version-1.2/workflows/update-manifest.md b/docs/versioned_docs/version-1.2/workflows/update-manifest.md index ec74bcab..a5aae876 100644 --- a/docs/versioned_docs/version-1.2/workflows/update-manifest.md +++ b/docs/versioned_docs/version-1.2/workflows/update-manifest.md @@ -48,7 +48,7 @@ Don't define other values except the `SecurityVersion` value for a package, as M ## Full update - + Some deployment scenarios require more flexibility regarding changes to the manifest. To this end, MarbleRun also allows uploading a full manifest. User-defined secrets and secrets of type `symmetric-key` are retained if their definition doesn't change. diff --git a/docs/versioned_docs/version-1.3/features/manifest.md b/docs/versioned_docs/version-1.3/features/manifest.md index 82d96389..7c525d42 100644 --- a/docs/versioned_docs/version-1.3/features/manifest.md +++ b/docs/versioned_docs/version-1.3/features/manifest.md @@ -20,7 +20,7 @@ Choose this approach for deployments with a well-defined scope, but a possibly l ## Fully updatable deployment - + The manifest allows to [permit a user to update the full manifest](../workflows/define-manifest.md#roles). With such a deployment, this user usually needs to be a trusted party. diff --git a/docs/versioned_docs/version-1.3/features/recovery.md b/docs/versioned_docs/version-1.3/features/recovery.md index 9611694c..f4a096cc 100644 --- a/docs/versioned_docs/version-1.3/features/recovery.md +++ b/docs/versioned_docs/version-1.3/features/recovery.md @@ -21,7 +21,7 @@ However, a [manual step](#recovery) is required to recover the Coordinator's sta ### Distributed Coordinator - + When you use MarbleRun [with Kubernetes](../deployment/kubernetes.md), you can scale the Coordinator to multiple instances. The instances share a common state, encrypted and stored as a Kubernetes secret. @@ -46,7 +46,7 @@ The Recovery Key's owner can access the Coordinator's raw state. ### Multi-party recovery - + Depending on the use case, it may not be acceptable that the owner has full control over the cluster. MarbleRun supports splitting the Recovery Key between parties. diff --git a/docs/versioned_docs/version-1.3/getting-started/installation.md b/docs/versioned_docs/version-1.3/getting-started/installation.md index c9a2b0f7..94a60b2a 100644 --- a/docs/versioned_docs/version-1.3/getting-started/installation.md +++ b/docs/versioned_docs/version-1.3/getting-started/installation.md @@ -28,8 +28,8 @@ Now your cluster is ready and you can install the MarbleRun CLI. CLI executables for different platforms are available at [GitHub](https://github.com/edgelesssys/marblerun/releases). The CLI needs an SGX [quote provider](https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/DCAP_ECDSA_Orientation.pdf) to verify attestation reports. - - + + The AppImage runs on all x86-64 Linux distributions with glibc v2.29 or higher. It includes the quote provider. @@ -40,8 +40,8 @@ wget https://github.com/edgelesssys/marblerun/releases/latest/download/marblerun sudo install marblerun-x86_64.AppImage /usr/local/bin/marblerun ``` - - + + Install the CLI and the quote provider with the following commands: @@ -58,8 +58,8 @@ sudo apt update sudo apt install libsgx-dcap-default-qpl ``` - - + + Install the CLI and the quote provider with the following commands: @@ -75,8 +75,8 @@ sudo apt update sudo apt install libsgx-dcap-default-qpl ``` - - + + Once installed, verify the CLI is running correctly with the following: diff --git a/docs/versioned_docs/version-1.3/getting-started/quickstart.md b/docs/versioned_docs/version-1.3/getting-started/quickstart.md index ae4a43ec..d0a63b9a 100644 --- a/docs/versioned_docs/version-1.3/getting-started/quickstart.md +++ b/docs/versioned_docs/version-1.3/getting-started/quickstart.md @@ -9,8 +9,8 @@ Depending on your setup, you may follow the quickstart for SGX-enabled clusters. Install MarbleRun's *Coordinator* control plane by running: - - + + ```bash marblerun install @@ -19,8 +19,8 @@ marblerun install The `marblerun install` command generates a Kubernetes manifest with all the necessary control plane resources. This includes a deployment for the Coordinator and for MarbleRun's [admission controller.](../features/kubernetes-integration.md) - - + + ```bash marblerun install --simulation @@ -30,8 +30,8 @@ The `marblerun install` command generates a Kubernetes manifest with all the nec This includes a deployment for the Coordinator and for MarbleRun's [admission controller.](../features/kubernetes-integration.md) The simulation flag tells MarbleRun that real SGX hardware might not be present and the SGX layer should be emulated. - - + + Wait for the control plane to finish installing: @@ -55,15 +55,15 @@ For this, we utilize SGX remote attestation and obtain the Coordinator's root ce Verify the quote and get the Coordinator's root certificate - - + + ```bash marblerun certificate root $MARBLERUN -o marblerun.crt ``` - - + + ```bash marblerun certificate root $MARBLERUN -o marblerun.crt --insecure @@ -71,8 +71,8 @@ marblerun certificate root $MARBLERUN -o marblerun.crt --insecure The insecure flag tells MarbleRun that real SGX hardware might not be present and the quote verification should be omitted. - - + + The CLI will obtain the Coordinator's remote attestation quote and verify it against the configuration on our [release page](https://github.com/edgelesssys/marblerun/releases/latest/download/coordinator-era.json). The SGX quote proves the integrity of the Coordinator pod. @@ -97,41 +97,41 @@ MarbleRun guarantees that the topology of your distributed app adheres to a mani MarbleRun verifies the integrity of services, bootstraps them, and sets up encrypted connections between them. The emojivoto demo already comes with a [manifest](https://github.com/edgelesssys/emojivoto/blob/main/tools/manifest.json), which you can deploy onto MarbleRun by running the following: - - + + ```bash marblerun manifest set tools/manifest.json $MARBLERUN ``` - - + + ```bash marblerun manifest set tools/manifest.json $MARBLERUN --insecure ``` - - + + You can check that the state of MarbleRun has changed and is now ready to authenticate your services by running: - - + + ```bash marblerun status $MARBLERUN ``` - - + + ```bash marblerun status $MARBLERUN --insecure ``` - - + + ### Step 3.2: Deploy emojivoto @@ -139,22 +139,22 @@ Finally, install the demo application onto your cluster. Please make sure you have [Helm](https://helm.sh/docs/intro/install/) ("the package manager for Kubernetes") installed at least at Version v3.2.0. Install emojivoto into the emojivoto namespace by running: - - + + ```bash helm install -f ./kubernetes/sgx_values.yaml emojivoto ./kubernetes --create-namespace -n emojivoto ``` - - + + ```bash helm install -f ./kubernetes/nosgx_values.yaml emojivoto ./kubernetes --create-namespace -n emojivoto ``` - - + + ## Step 4: Watch it run diff --git a/docs/versioned_docs/version-1.3/workflows/define-manifest.md b/docs/versioned_docs/version-1.3/workflows/define-manifest.md index 4f000655..f598b074 100644 --- a/docs/versioned_docs/version-1.3/workflows/define-manifest.md +++ b/docs/versioned_docs/version-1.3/workflows/define-manifest.md @@ -417,7 +417,7 @@ awk 1 ORS='\\n' public_key.pem ### Multi-party recovery - + To enable [multi-party recovery](../features/recovery.md#multi-party-recovery), first ask the other parties to generate key pairs as described above and receive their public keys via an authenticated channel. diff --git a/docs/versioned_docs/version-1.3/workflows/recover-coordinator.md b/docs/versioned_docs/version-1.3/workflows/recover-coordinator.md index 749b5175..23da81b0 100644 --- a/docs/versioned_docs/version-1.3/workflows/recover-coordinator.md +++ b/docs/versioned_docs/version-1.3/workflows/recover-coordinator.md @@ -50,7 +50,7 @@ On success, the Coordinator applies the sealed state again. If the Coordinator c ## Multi-party recovery - + If you've [configured your MarbleRun deployment for multi-party recovery](define-manifest.md#multi-party-recovery), send each party the corresponding [recovery secret](set-manifest.md). Ask them to perform the steps above. Once all parties have uploaded their secrets, the Coordinator recovers the sealed state and continues its operations. diff --git a/docs/versioned_docs/version-1.3/workflows/update-manifest.md b/docs/versioned_docs/version-1.3/workflows/update-manifest.md index ec74bcab..a5aae876 100644 --- a/docs/versioned_docs/version-1.3/workflows/update-manifest.md +++ b/docs/versioned_docs/version-1.3/workflows/update-manifest.md @@ -48,7 +48,7 @@ Don't define other values except the `SecurityVersion` value for a package, as M ## Full update - + Some deployment scenarios require more flexibility regarding changes to the manifest. To this end, MarbleRun also allows uploading a full manifest. User-defined secrets and secrets of type `symmetric-key` are retained if their definition doesn't change.