wip

Signed-off-by: Paul Meyer <[email protected]>

.vale.ini

@@ -3,10 +3,11 @@ Vocab = edgeless
 
 [*.md]
 BasedOnStyles = Vale, Microsoft, Google
+
+# Disable rules
 Vale.Terms = NO
 
 # decrease to suggestion
-Microsoft.Foreign = suggestion  # conflicts with Microsoft.Contractions
 Microsoft.HeadingAcronyms = suggestion  # doesn't consider well-known ones
 Microsoft.GeneralURL = suggestion  # ok for technical users
 

README.md

@@ -12,7 +12,7 @@ Contrast currently targets the [CoCo preview on AKS](https://learn.microsoft.com
 
 ## Goal
 
-Contrast is designed to keep all data always encrypted and to prevent access from the infrastructure layer, i.e., remove the infrastructure from the trusted computing base (TCB). This includes access from datacenter employees, privileged cloud admins, own cluster administrators, and attackers coming through the infrastructure, e.g., malicious co-tenants escalating their privileges.
+Contrast is designed to keep all data always encrypted and to prevent access from the infrastructure layer. It removes the infrastructure provider from the trusted computing base (TCB). This includes access from datacenter employees, privileged cloud admins, own cluster administrators, and attackers coming through the infrastructure, for example, malicious co-tenants escalating their privileges.
 
 Contrast integrates fluently with the existing Kubernetes workflows. It's compatible with managed Kubernetes, can be installed as a day-2 operation and imposes only minimal changes to your deployment flow.
 
@@ -196,7 +196,7 @@ helm template release-name chart-name > resources/all.yml
 To specify that a workload (pod, deployment, etc.) should be deployed as confidential containers,
 add `runtimeClassName: kata-cc-isolation` to the pod spec (pod definition or template).
 In addition, add the Contrast Initializer as `initContainers` to these workloads and configure the
-workload to use the certificates written to the `tls-certs` volumeMount.
+workload to use the certificates written to a `volumeMount` named `tls-certs`.
 
 ```yaml
 spec: # v1.PodSpec

dev-docs/coco/policy.md

@@ -63,7 +63,7 @@ The rules can be divided into two major checks: *OCI spec* and *storage*.
 ### OCI Rules
 
 The OCI spec check is concerned with the content of the [OCI config] requested by the Kubelet.
-This includes command line arguments, env vars and security configuration.
+This includes command line arguments, environment variables and security configuration.
 
 [OCI config]: https://github.com/opencontainers/runtime-spec/blob/cb7ae92/specs-go/config.go#L6-L34
 

dev-docs/user-manual.md

@@ -48,16 +48,16 @@ It's automatically generated from your deployment by the Contrast CLI.
 It currently consists of the following parts:
 
 * *Policies*: The identities of your Pods, represented by the hashes of their respective runtime policies.
-* *Reference Values*: The remote attestation reference values for the Kata confidential micro-VM that is the runtime environment of your Pods.
+* *Reference Values*: The remote attestation reference values for the Kata confidential micro-VM that's the runtime environment of your Pods.
 * *WorkloadOwnerKeyDigest*: The workload owner's public key digest. Used for authenticating subsequent manifest updates.
 
 ### Runtime Policies
 
 Runtime Policies are a mechanism to enable the use of the (untrusted) Kubernetes API for orchestration while ensuring the confidentiality and integrity of your confidential containers.
 They allow us to enforce the integrity of your containers' runtime environment as defined in your deployment files.
-The runtime policy mechanism is based on the Open Policy Agent (OPA) and translates the Kubernetes deployment YAMLs into OPA's Rego policy language.
+The runtime policy mechanism is based on the Open Policy Agent (OPA) and translates the Kubernetes deployment YAML into Rego policy language of OPA.
 The Kata Agent inside the confidential micro-VM then enforces the policy by only acting on permitted requests.
-The Contrast CLI provides the tooling for automatically translating Kubernetes deployment YAMLs into OPA's Rego policy language.
+The Contrast CLI provides the tooling for automatically translating Kubernetes deployment YAML into Rego policy language of OPA.
 
 The trust chain goes as follows:
 

docs/docs/examples/emojivoto.md

@@ -4,9 +4,10 @@
 ![screenshot of the emojivoto UI](../../static/img/emoijvoto.png)
 
 This tutorial guides you through deploying [emojivoto](https://github.com/BuoyantIO/emojivoto) as a
-confidential Contrast deployment. Emojivoto is an example app that allows users to vote for different emojis and view votes cast on a leaderboard. It has a microservice architecture consisting of a
+confidential Contrast deployment. Emojivoto is an example app that allows users to vote for different
+emojis and view votes cast on a leader board. It has a microservice architecture consisting of a
 web frontend (`web`), a gRPC backend for listing available emojis (`emoji`), and a backend for
-the voting and leaderboard logic (`voting`). The `vote-bot` simulates user traffic by submitting
+the voting and leader board logic (`voting`). The `vote-bot` simulates user traffic by submitting
 votes to the frontend.
 
 <!-- TODO(katexochen): recreate in our design -->
@@ -87,9 +88,9 @@ kubectl apply -f deployment/
 :::note[Inter-deployment communication]
 
 The Contrast Coordinator issues mesh certificates after successfully validating workloads.
-These certificates can be used for sercure inter-deployment communication. The Initializer
+These certificates can be used for secure inter-deployment communication. The Initializer
 sends an attestation report to the Coordinator, retrieves certificates and a private key in return
-and writes them to a volumeMount. The emojivoto version we are using is patched to only communicate
+and writes them to a `volumeMount`. The emojivoto version we're using is patched to only communicate
 via mTLS (the original app talks plain HTTP). The different parts of the workload are configured
 to use the credentials from the `volumeMount` when communicating with each other.
 

docs/docs/intro.md

@@ -15,7 +15,7 @@ Contrast currently targets the [CoCo preview on AKS](https://learn.microsoft.com
 
 ## Goal
 
-Contrast is designed to keep all data always encrypted and to prevent access from the infrastructure layer, i.e., remove the infrastructure from the trusted computing base (TCB). This includes access from datacenter employees, privileged cloud admins, own cluster administrators, and attackers coming through the infrastructure, e.g., malicious co-tenants escalating their privileges.
+Contrast is designed to keep all data always encrypted and to prevent access from the infrastructure layer. It removes the infrastructure provider from the trusted computing base (TCB). This includes access from datacenter employees, privileged cloud admins, own cluster administrators, and attackers coming through the infrastructure, for example, malicious co-tenants escalating their privileges.
 
 Contrast integrates fluently with the existing Kubernetes workflows. It's compatible with managed Kubernetes, can be installed as a day-2 operation and imposes only minimal changes to your deployment flow.
 

docs/styles/Microsoft/Terms.yml

@@ -7,15 +7,14 @@ ignorecase: true
 action:
   name: replace
 swap:
-  '(?:agent|virtual assistant|intelligent personal assistant)': personal digital assistant
-  '(?:drive C:|drive C>|C: drive)': drive C
-  '(?:internet bot|web robot)s?': bot(s)
-  '(?:microsoft cloud|the cloud)': cloud
-  '(?:mobile|smart) ?phone': phone
-  '24/7': every day
-  'audio(?:-| )book': audiobook
-  'back(?:-| )light': backlight
-  'chat ?bots?': chatbot(s)
+  "(?:drive C:|drive C>|C: drive)": drive C
+  "(?:internet bot|web robot)s?": bot(s)
+  "(?:microsoft cloud|the cloud)": cloud
+  "(?:mobile|smart) ?phone": phone
+  "24/7": every day
+  "audio(?:-| )book": audiobook
+  "back(?:-| )light": backlight
+  "chat ?bots?": chatbot(s)
   adaptor: adapter
   administrate: administer
   afterwards: afterward
@@ -27,7 +26,7 @@ swap:
   anti-virus: antivirus
   appendixes: appendices
   artificial intelligence: AI
-  '(?:assembler|machine language)': assembly language
+  "(?:assembler|machine language)": assembly language
   caap: CaaP
   conversation-as-a-platform: conversation as a platform
   eb: EB

docs/styles/config/vocabularies/edgeless/accept.txt

@@ -56,6 +56,7 @@ KMS
 kubeadm
 kubectl
 kubelet
+Kustomization
 libcryptsetup
 Logstash
 Mbps
@@ -65,6 +66,7 @@ Nginx
 paravisor
 PCR
 plaintext
+protobuf
 proxied
 QEMU
 Rego

rfc/001-service-mesh.md

@@ -64,13 +64,13 @@ are wildcard certificates per default.
 ### Proxy Solution 1: Custom implemented TPROXY
 
 TPROXY [1] is a kernel feature to allow applications to proxy traffic without
-changing the actual packets e.g., when re-routing them via NAT.
+changing the actual packets, for example when re-routing them via NAT.
 
 The proxy can implement custom user-space logic to handle traffic and
 route the traffic to the original destination (see a simple Go example [2]).
 
 We likely re-implement parts of Envoy (see below), but have more
-flexibility regarding additional verification, e.g. should we decide to also
+flexibility regarding additional verification, for example in case we decide to also
 use custom client certificate extensions.
 
 [1] <https://www.kernel.org/doc/Documentation/networking/tproxy.txt>

treefmt.nix

@@ -25,7 +25,10 @@
       options = [
         "--no-wrap"
       ];
-      includes = [ "*.md" ];
+      includes = [
+        "docs/**/*.md"
+        "rfc/**/*.md"
+      ];
     };
   };
 }