edgelesssys · m1ghtym0 · Mar 19, 2024 · Mar 14, 2024 · Mar 14, 2024 · Mar 14, 2024
diff --git a/README.md b/README.md
@@ -120,34 +120,48 @@ confidential and deploying it together with Contrast.
 
 ### Prerequisite
 
-A CoCo enabled cluster is required to run Contrast. Create it using the [`az`](https://docs.microsoft.com/en-us/cli/azure/) CLI:
+A CoCo-enabled cluster is required to run Contrast. Create it using the [`az`](https://docs.microsoft.com/en-us/cli/azure/) CLI:
 
 ```sh
+# Ensure you set this to an existing resource group in your subscription
+azResourceGroup="ContrastDemo"
+# Select the name for your AKS cluster
+azClusterName="ContrastDemo"
+
 az extension add \
-  --name aks-preview
+  --name aks-preview \
+  --allow-preview true
+
+az extension update \
+  --name aks-preview \
+  --allow-preview true
+
+az feature register --namespace "Microsoft.ContainerService" --name "KataCcIsolationPreview"
+az feature show --namespace "Microsoft.ContainerService" --name "KataCcIsolationPreview"
+az provider register -n Microsoft.ContainerService
 
 az aks create \
-  --resource-group myResourceGroup \
-  --name myAKSCluster \
+  --resource-group "$azResourceGroup" \
+  --name "$azClusterName" \
   --kubernetes-version 1.29 \
   --os-sku AzureLinux \
   --node-vm-size Standard_DC4as_cc_v5 \
   --node-count 1 \
   --generate-ssh-keys
 
 az aks nodepool add \
-  --resource-group myResourceGroup \
+  --resource-group "$azResourceGroup" \
   --name nodepool2 \
-  --cluster-name myAKSCluster \
+  --cluster-name "$azClusterName" \
   --mode System \
   --node-count 1 \
   --os-sku AzureLinux \
   --node-vm-size Standard_DC4as_cc_v5 \
   --workload-runtime KataCcIsolation
 
 az aks get-credentials \
-  --resource-group myResourceGroup \
-  --name myAKSCluster
+  --resource-group "$azResourceGroup" \
+  --name "$azClusterName"
 ```
 
 Check [Azure's deployment guide](https://learn.microsoft.com/en-us/azure/aks/deploy-confidential-containers-default-policy) for more detailed instructions.
@@ -264,8 +278,26 @@ Connect to the workloads using the Coordinator's mesh root as a trusted CA certi
 For example, with `curl`:
 
 ```sh
-lbip=$(kubectl get svc ${MY_SERVICE} -o=jsonpath='{.status.loadBalancer.ingress[0].ip}')
-curl --cacert ./verify/mesh-root.pem "https://${lbip}:8443"
+kubectl patch svc web-svc -p '{"spec": {"type": "LoadBalancer"}}'
+timeout 30s bash -c 'until kubectl get service/web-svc --output=jsonpath='{.status.loadBalancer}' | grep "ingress"; do : ; done'
+lbip=$(kubectl get svc web-svc -o=jsonpath='{.status.loadBalancer.ingress[0].ip}')
+echo $lbip
+```
+
+```sh
+curl -k "https://${lbip}:8443"
+```
+
+The workload certificate is a DNS wildcard certificate. Therefore, SAN is expected to fail when accessing the workload via an IP address.
+On Azure, all load balancers automatically get ephemeral DNS entries, so either
+use that or configure DNS yourself.
+
+To validate the certificate locally, use `openssl`:
+
+```sh
+openssl s_client -showcerts -connect ${lbip}:443 </dev/null | sed -n -e '/-.BEGIN/,/-.END/ p' > certChain.pem
+awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert." c ".pem"}' < certChain.pem
+openssl verify -verbose -trusted verify/mesh-root.pem -- cert.1.pem
 ```
 
 ## Current limitations