Add Azure CMEK support and improve documentation structure #20022
Conversation
@@ -14,7 +14,6 @@ CockroachDB {{ site.data.products.advanced }} clusters on Azure have the followi | |||
|
|||
- A cluster must have at minimum three nodes. A multi-region cluster must have at minimum three nodes per region. Single-node clusters are not supported on Azure. | |||
- The following [PCI-Ready]({% link cockroachcloud/pci-dss.md %}) and HIPAA features are not yet available on Azure. However, CockroachDB {{ site.data.products.advanced }} on Azure meets or exceeds the requirements of SOC 2 Type 2. Refer to [Regulatory Compliance in CockroachDB {{ site.data.products.advanced }}]({% link cockroachcloud/compliance.md %}). | |||
- [Customer Managed Encryption Keys (CMEK)]({% link cockroachcloud/cmek.md %}) | |||
- [Egress Perimeter Controls]({% link cockroachcloud/egress-perimeter-controls.md %}) |
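Review bot: with the CMEK bullet dropped, the sentence above it still reads "The following PCI-Ready and HIPAA features are not yet available on Azure" with Egress Perimeter Controls as the only remaining item, so a reader will infer that CMEK on Azure is generally available. If the feature is shipping in Preview, say so in this hunk (for example keep the bullet as `- [Customer Managed Encryption Keys (CMEK)](...) (Preview)` or reword the lead sentence to list Preview features separately) rather than deleting the line silently; the SOC 2 Type 2 sentence is unaffected either way.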
Egress Perimeter Controls and CMEK will both be supported on Azure after the release that makes Azure PCI compliant.
Reworking the broader bullet to mention that both features are in Preview. We can further refine this Azure page in line with the GA release of these features. CC @biplav-crl
<section class="filter-content" markdown="1" data-scope="azure"> | ||
|
||
1. Make a note of your {{ site.data.products.cloud }} organization ID in the [Organization settings page](https://cockroachlabs.cloud/settings). | ||
1. Find your {{ site.data.products.advanced }} cluster's ID. From the CockroachDB {{ site.data.products.cloud }} console [Clusters list](https://cockroachlabs.cloud/clusters), click the name of a cluster to open its **Cluster Overview** page. From the page's URL make a note of the **last 12 digits** of the portion of the URL before `/overview/`. This is the cluster ID. |
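Review bot: the cluster-ID instruction in the second step is wrong for a UUID-shaped identifier: the path segment before `/overview/` is a UUID containing hexadecimal letters, not "digits", and keeping only its last 12 characters discards the rest of the value. Because this section is scoped to `data-scope="azure"` and the later steps name the enterprise application after the cluster ID, the step should tell the reader to copy the whole UUID, e.g. `From the page's URL, make a note of the full cluster ID (the UUID immediately before /overview/).` The organization-ID step in the first item is fine as written.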
In the case of Azure, the cluster ID is the entire UUID, not just the last 12 digits.
Done.
This creates an enterprise application in your Azure tenant that CockroachDB Cloud can use to access your Key Vault. It is named using the following format: | ||
|
||
~~~ | ||
ClusterIdentity-<azure_cluster_identity_client_id> |
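Review bot: the placeholder `<azure_cluster_identity_client_id>` is never defined in the preceding steps, which only collect the organization ID and the cluster ID, so a reader cannot tell what value to expect in the portal; the thread states the application is actually named `CockroachDB Cloud - <CLUSTER_ID>`, so the block should use that format with the cluster ID as the placeholder. It would also help to add a step here telling the reader to open the new application under Enterprise applications and record its Application (client) ID and Object ID, since a display name is not unique in a tenant and the later role-assignment step selects the principal by name.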
This has been renamed to `CockroachDB Cloud - <CLUSTER_ID>`.
Also, `azure_cluster_identity_client_id` is not the placeholder here; rather, the cluster ID is the placeholder.
Done.
|
||
1. In the Azure portal, navigate to your Key Vault > **Access control (IAM)** > **Add role assignment**. | ||
1. Select the **Key Vault Crypto Officer** role, and select the option to assign access to **User, group, or service principal**. | ||
1. Click **Select members**, then search for the enterprise application created above: `ClusterIdentity-<azure_cluster_identity_client_id>` |
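Review bot: two least-privilege points in this role assignment. First, Key Vault Crypto Officer allows creating, deleting, importing and rotating every key in the vault; if the integration only needs get, wrapKey and unwrapKey on the CMEK key, the built-in Key Vault Crypto Service Encryption User role assigned at the scope of that single key is the minimal grant, and if Crypto Officer really is required the text should say which operations need it. Second, the third step finds the member by searching the display name `ClusterIdentity-<azure_cluster_identity_client_id>`; display names are not unique, so the step should tell the reader to confirm the Object ID of the enterprise application before clicking Select. The section should also state that the vault must use the Azure role-based access control permission model, because an Add role assignment on a vault that still uses access policies grants no data-plane access.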
1. Click **Select members**, then search for the enterprise application created above: `ClusterIdentity-<azure_cluster_identity_client_id>` | |
1. Click **Select members**, then search for the enterprise application created above: `CockroachDB Cloud - <CLUSTER_ID>` |
Done.
@@ -332,6 +382,23 @@ Make a note of the key ring name. | |||
|
|||
Click **SAVE**. Make a note of the key ring name. | |||
|
|||
</section> | |||
|
|||
<section class="filter-content" markdown="1" data-scope="azure"> |
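Review bot: the hunk closes the GCP key-ring section and immediately opens a new `<section class="filter-content" markdown="1" data-scope="azure">`, but none of that section's content is visible here and the comment below reports that it does not render in the Azure tab of Step 2; check that the Azure key-creation steps actually sit inside this section before its closing `</section>`. Ordering also matters: creating the vault and the key belongs before the Key Vault IAM role assignment from the earlier hunk, since a key-scoped assignment needs the key's resource ID to exist, so sequence the Azure steps as create the vault and key, record the key identifier, then assign the role.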
This section doesn't appear in Step 2 (Create the CMEK key) in the Azure tab of the documentation link specified in the PR.
Also, I feel the IAM permission step (In the Azure portal, navigate to your Key Vault > Access control (IAM) > Add role assignment.) must be given after the key creation step.
Fixed both. (Edited your comment accidentally, then reverted it.)
@sanchit-CRL Thanks for the thorough review. I believe everything is resolved in my latest commit. Please take a look.
LGTM, thanks for the changes
DOC-9889
Summary:
This PR documents the new Customer-Managed Encryption Keys (CMEK) support for CockroachDB Cloud Advanced clusters on Microsoft Azure, enabling customers to use their own encryption keys stored in Azure Key Vault.
To preview the updated pages:
(click the Azure tab)
Changes:
managing-cmek.md
cmek.md
cockroachdb-advanced-on-azure.md
- Removed CMEK from list of features "not yet available on Azure"
releases/cloud.md
- Added release note announcing Azure CMEK availability
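As an added practitioner check for the Key Vault role assignment discussed in this PR (example code written for this review, not part of the PR or the CockroachDB docs): a Python audit over the JSON that `az role assignment list --scope <vault resource id> --output json` returns. It assumes the expected service principal's Object ID was recorded from the Enterprise applications blade; the sample assignments, every ID, and the `CockroachDB Cloud - <CLUSTER_ID>` display name are constructed. It flags a wrap-capable role held by any other object ID (a lookalike display name), a role broader than Key Vault Crypto Service Encryption User, and an assignment scoped wider than the CMEK key itself, and shows the corrected assignment beside the weak one.

```python
"""Audit Azure Key Vault RBAC assignments for a single CMEK service principal.

Added example, not part of the PR or the CockroachDB docs. Input is the list
of objects that `az role assignment list --scope <vault id> --output json`
prints; only principalId, principalName, principalType, roleDefinitionName
and scope are used. All sample data below is constructed.
"""
import json

# Built-in Key Vault data-plane roles that permit wrapKey/unwrapKey.
# Crypto Officer additionally allows create/delete/import/rotate of every key;
# Crypto Service Encryption User is limited to get + wrap/unwrap.
WRAP_CAPABLE_ROLES = {
    "Key Vault Administrator",
    "Key Vault Crypto Officer",
    "Key Vault Crypto Service Encryption User",
}
LEAST_PRIVILEGE_ROLE = "Key Vault Crypto Service Encryption User"

# Constructed identifiers (hypothetical subscription, vault, key, principals).
CRDB_PRINCIPAL_ID = "11111111-1111-4111-8111-111111111111"
LOOKALIKE_PRINCIPAL_ID = "22222222-2222-4222-8222-222222222222"
VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
            "/resourceGroups/crdb-cmek/providers/Microsoft.KeyVault/vaults/crdb-cmek-kv")
KEY_ID = VAULT_ID + "/keys/crdb-cmek-key"
APP_NAME = "CockroachDB Cloud - 0f3c2a1e-5b6d-4e7f-8a9b-0c1d2e3f4a5b"

# Weak setting: Crypto Officer at vault scope, plus a lookalike app that
# shares the display name but has a different object ID, plus a reader.
WEAK_ASSIGNMENTS = [
    {"principalId": CRDB_PRINCIPAL_ID, "principalName": APP_NAME,
     "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Crypto Officer", "scope": VAULT_ID},
    {"principalId": LOOKALIKE_PRINCIPAL_ID, "principalName": APP_NAME,
     "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Crypto Service Encryption User", "scope": KEY_ID},
    {"principalId": "33333333-3333-4333-8333-333333333333",
     "principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Key Vault Reader", "scope": VAULT_ID},
]

# Corrected setting: least-privilege role, scoped to the one CMEK key,
# held only by the expected object ID.
HARDENED_ASSIGNMENTS = [
    {"principalId": CRDB_PRINCIPAL_ID, "principalName": APP_NAME,
     "principalType": "ServicePrincipal",
     "roleDefinitionName": LEAST_PRIVILEGE_ROLE, "scope": KEY_ID},
    WEAK_ASSIGNMENTS[2],
]


def audit_cmek_assignments(assignments, expected_principal_id, key_id):
    """Return (code, detail) findings; an empty list means only the expected
    object ID can wrap/unwrap, with the minimal role, on the CMEK key alone."""
    findings = []
    matched = False
    for a in assignments:
        role = a["roleDefinitionName"]
        if role not in WRAP_CAPABLE_ROLES:
            continue  # readers, secrets users, etc. cannot unwrap the data key
        if a["principalId"].lower() != expected_principal_id.lower():
            # Compare object IDs, never display names: names are not unique.
            findings.append(("unexpected-principal",
                             f"{a['principalName']} ({a['principalId']}) holds {role} at {a['scope']}"))
            continue
        matched = True
        if a.get("principalType") != "ServicePrincipal":
            findings.append(("wrong-principal-type", a.get("principalType")))
        if role != LEAST_PRIVILEGE_ROLE:
            findings.append(("broad-role", f"{role} is broader than {LEAST_PRIVILEGE_ROLE}"))
        if a["scope"].lower() != key_id.lower():
            findings.append(("wide-scope", f"{a['scope']} covers more than {key_id}"))
    if not matched:
        findings.append(("missing", f"{expected_principal_id} has no wrap-capable role"))
    return findings


def audit_file(path, expected_principal_id, key_id):
    """Audit a saved `az role assignment list ... --output json` file."""
    with open(path, encoding="utf-8") as fh:
        return audit_cmek_assignments(json.load(fh), expected_principal_id, key_id)


if __name__ == "__main__":
    for label, data in (("weak", WEAK_ASSIGNMENTS), ("hardened", HARDENED_ASSIGNMENTS)):
        print(label, audit_cmek_assignments(data, CRDB_PRINCIPAL_ID, KEY_ID))
```

Run against a real export, the only change needed is the expected Object ID and the key's resource ID; the scope comparison deliberately treats a vault-, resource-group- or subscription-level assignment as a finding even though all of them would also satisfy the wrap/unwrap requirement.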