Implement kroxylicious#2765: Document Azure Key Vault KMS usage for record encryption (kroxylicious#2894)

* kroxylicious#2765: First draft Azure Key Vault KMS docs

Signed-off-by: Grace Grimwood <[email protected]>

* setup tweaks

Signed-off-by: Grace Grimwood <[email protected]>

* fix con-azure-key-vault-plugin-configuration.adoc

Signed-off-by: Grace Grimwood <[email protected]>

* Update kroxylicious-docs/docs/_modules/record-encryption/azure-key-vault/con-azure-key-vault-setup.adoc

Co-authored-by: Robert Young <[email protected]>
Signed-off-by: Grace Grimwood <[email protected]>

* docs tweaks from @robobario's feedback

Signed-off-by: Grace Grimwood <[email protected]>

* some more fixes

Signed-off-by: Grace Grimwood <[email protected]>

* add note about azure asymmetric keys to record encryption overview

Signed-off-by: Grace Grimwood <[email protected]>

* Update kroxylicious-docs/docs/_modules/record-encryption/azure-key-vault/con-azure-key-vault-key-creation.adoc

Co-authored-by: Robert Young <[email protected]>
Signed-off-by: Grace Grimwood <[email protected]>

* fixes to oauth scripts

Signed-off-by: Grace Grimwood <[email protected]>

* adjust scripts in key creation

Signed-off-by: Grace Grimwood <[email protected]>

* Apply suggestions from code review

Co-authored-by: PaulRMellor <[email protected]>
Signed-off-by: Grace Grimwood <[email protected]>

* rename azure-key-vault-setup a procedure - restructuring to follow

Signed-off-by: Grace Grimwood <[email protected]>

* add gating for managed identity content

Signed-off-by: Grace Grimwood <[email protected]>

* kill mentions of legacy permissions

Signed-off-by: Grace Grimwood <[email protected]>

* further fixes and tweaks

Signed-off-by: Grace Grimwood <[email protected]>

* rework granular permissions notes

Signed-off-by: Grace Grimwood <[email protected]>

* reformat proc-azure-key-vault-setup.adoc as a procedure

Signed-off-by: Grace Grimwood <[email protected]>

* refactor KEK_ prefix to KEK- across all the docs

Signed-off-by: Grace Grimwood <[email protected]>

* Apply suggestions from code review

Co-authored-by: PaulRMellor <[email protected]>
Signed-off-by: Grace Grimwood <[email protected]>

---------

Signed-off-by: Grace Grimwood <[email protected]>
Signed-off-by: Grace Grimwood <[email protected]>
Co-authored-by: Robert Young <[email protected]>
Co-authored-by: PaulRMellor <[email protected]>

Author: 3 people

kroxylicious-docs/docs/_assemblies/assembly-azure-key-vault.adoc

@@ -0,0 +1,31 @@
+:_mod-docs-content-type: ASSEMBLY
+
+// file included in the following:
+//
+// assembly-record-encryption-filter.adoc
+
+[id='assembly-azure-key-vault-{context}']
+= Preparing Azure Key Vault
+
+[role="_abstract"]
+To prepare Azure Key Vault for use with the Record Encryption filter, use the following setup:
+
+* Setup Azure resources
+* Establish a naming convention for keys
+* Create Azure Key Vault keys
+
+You'll need a privileged Azure user that is capable of creating users and resources to perform the set-up.
+
+include::../_modules/record-encryption/azure-key-vault/proc-azure-key-vault-setup.adoc[leveloffset=+1]
+include::../_modules/record-encryption/azure-key-vault/con-azure-key-vault-key-creation.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* https://learn.microsoft.com/en-us/azure/key-vault/general/overview
+* https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys
+* https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy
+* https://learn.microsoft.com/en-us/azure/key-vault/general/best-practices
+* https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview
+* https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/privileged
+* https://learn.microsoft.com/en-us/azure/role-based-access-control/scope-overview

kroxylicious-docs/docs/_assemblies/assembly-configuring-record-encryption-filter.adoc

@@ -28,6 +28,7 @@ endif::OpenShiftOnly[]
 +
 * <<con-vault-plugin-configuration-{context},HashiCorp Vault plugin configuration>>
 * <<con-aws-kms-plugin-configuration-{context},AWS KMS plugin configuration>>
+* <<con-azure-key-vault-plugin-configuration-{context},Azure Key Vault KMS plugin configuration>>
 ifdef::include-fortanix-dsm-kms[]
 * <<con-fortanix-dsm-plugin-configuration-{context},Fortanix DSM plugin configuration>>
 endif::[]
@@ -49,6 +50,8 @@ include::../_modules/record-encryption/hashicorp-vault/con-vault-plugin-configur
 
 include::../_modules/record-encryption/aws-kms/con-aws-kms-plugin-configuration.adoc[leveloffset=+1]
 
+include::../_modules/record-encryption/azure-key-vault/con-azure-key-vault-plugin-configuration.adoc[leveloffset=+1]
+
 ifdef::include-fortanix-dsm-kms[]
 include::../_modules/record-encryption/fortanix-dsm/con-fortanix-dsm-plugin-configuration.adoc[leveloffset=+1]
 endif::[]

kroxylicious-docs/docs/_assemblies/assembly-preparing-kms.adoc

@@ -13,6 +13,8 @@ It describes how to prepare the KMS for use with the filter.
 include::assembly-hashicorp-vault.adoc[leveloffset=+1]
 //setting up AWS KMS
 include::assembly-aws-kms.adoc[leveloffset=+1]
+//setting up Azure Key Vault KMS
+include::assembly-azure-key-vault.adoc[leveloffset=+1]
 ifdef::include-fortanix-dsm-kms[]
 include::assembly-fortanix-dsm.adoc[leveloffset=+1]
 endif::[]

kroxylicious-docs/docs/_assets/attributes.adoc

@@ -104,6 +104,7 @@
 // (note: we control optional inclusion with ifdefs/ifndefs directives, so the value of the attribute is irrelevant)
 :include-fortanix-dsm-kms: 1
 :include-aws-kms-service-config-identity-ec2-metadata: 1
+:include-azure-key-vault-service-config-microsoft-entra-managed-identity: 1
 :include-platform-bare-metal: 1
 :include-platform-kubernetes: 1
 // We're not ready to enable OLM yet

kroxylicious-docs/docs/_assets/trademarks.adoc

@@ -9,6 +9,7 @@
 * Strimzi is a trademark of The Linux Foundation.
 * Hashicorp Vault is a registered trademark of HashiCorp, Inc.
 * AWS Key Management Service is a trademark of Amazon.com, Inc. or its affiliates.
+* Microsoft, Azure, and Microsoft Entra are trademarks of the Microsoft group of companies.
 ifdef::include-fortanix-dsm-kms[]
 * Fortanix and Data Security Manager are trademarks of Fortanix, Inc.
 endif::[]

kroxylicious-docs/docs/_modules/record-encryption/aws-kms/con-aws-kms-key-creation.adoc

@@ -21,7 +21,7 @@ If using the CLI, this can be done with commands like this:
 
 [source,shell]
 ----
-KEY_ALIAS="KEK_<name>"
+KEY_ALIAS="KEK-<name>"
 KEY_ID=$(aws kms create-key | jq -r '.KeyMetadata.KeyId')
 # the create key command will produce JSON output including the KeyId
 aws kms create-alias --alias-name alias/${KEY_ALIAS} --target-key-id ${KEY_ID}

kroxylicious-docs/docs/_modules/record-encryption/aws-kms/con-aws-kms-setup.adoc

@@ -11,7 +11,7 @@
 The filter references KEKs within AWS via an {aws}/kms/latest/developerguide/alias-about.html[AWS key alias].
 
 Establish a naming convention for key aliases to keep the filter’s keys separate from those used by other systems.
-Here, we use a prefix of KEK_ for filter aliases.
+Here, we use a prefix of KEK- for filter aliases.
 Adjust the instructions if a different naming convention is used.
 
 == Role of the administrator
@@ -67,7 +67,7 @@ cat > /tmp/policy << EOF
 			],
 			"Condition": {
 				"ForAnyValue:StringLike": {
-					"kms:ResourceAliases": "alias/KEK_*"
+					"kms:ResourceAliases": "alias/KEK-*"
 				}
 			}
 		}

kroxylicious-docs/docs/_modules/record-encryption/azure-key-vault/con-azure-key-vault-key-creation.adoc

@@ -0,0 +1,47 @@
+:_mod-docs-content-type: CONCEPT
+
+// file included in the following:
+//
+// assembly-azure-key-vault.adoc
+
+[id='con-azure-key-vault-key-creation-{context}']
+= Creating Azure Key Vault keys
+
+[role="_abstract"]
+As a user with the _Key Vault Crypto Officer_ role (or otherwise sufficient RBAC permissions to manage keys in Azure Key Vault), use either the Azure CLI or Azure PowerShell to create a `key` with `wrapKey` and `unwrapKey` operations enabled.
+
+== Establish the naming convention for keys within key vault hierarchy
+
+Establish a naming convention for keys to keep the filter’s keys separate from those used by other systems.
+
+== Supported Key Types
+
+NOTE: The key types available to you in Azure Key Vault will depend on your Azure Key Vault service tier. See the _About keys_ page in the Azure Key Vault docs for more details.
+
+The filter accepts the following key types and their associated wrapping algorithms:
+
+* *Symmetric Keys (`oct` or `oct-HSM`):* Uses the quantum-resistant `A256GCM` (256-bit AES GCM) wrapping algorithm, which requires a Managed HSM subscription.
+* *Asymmetric Keys (`RSA` or `RSA-HSM`):* Uses the `RSA-OAEP-256` (RSAES-OAEP with SHA-256 hash and MGF1/SHA-256 mask) wrapping algorithm, which is not quantum-resistant. This wrapping algorithm does not require a Managed HSM subscription to use (however, `RSA-HSM` is not available without a premium Azure Key Vault subscription).
+
+If you use the Azure CLI, you can create a key with a command similar to the following:
+
+[source,shell]
+----
+KEY_VAULT_NAME="kroxylicious-key-vault"
+KEY_NAME="KEK-<name>"
+KEY_TYPE="rsa"
+az keyvault key create --vault-name ${KEY_VAULT_NAME} --name ${KEY_NAME} --kty ${KEY_TYPE} --ops wrapKey unwrapKey
+----
+* Change `KEY_TYPE` if you want to use a key type other than RSA.
+* The `wrapKey` and `unwrapKey` operations must be enabled.
+
+When the key is created, it is recommended to use a key rotation policy.
+
+To configure a key rotation policy with the Azure CLI, save your policy to a JSON file. An example JSON file can be found in the Azure CLI docs.
+
+When you've prepared your policy, apply it with a command like this:
+
+[source,shell]
+----
+az keyvault key rotation-policy update --vault-name ${VAULT_NAME} --name ${KEY_NAME} --value path/to/my_policy.json
+----

kroxylicious-docs/docs/_modules/record-encryption/azure-key-vault/con-azure-key-vault-plugin-configuration.adoc

@@ -0,0 +1,24 @@
+:_mod-docs-content-type: CONCEPT
+
+// file included in the following:
+//
+// assembly-configuring-record-encryption-filter
+
+[id='con-azure-key-vault-plugin-configuration-{context}']
+= Azure Key Vault plugin configuration
+
+[role="_abstract"]
+For Azure Key Vault the configuration for authenticating with Microsoft Identity Platform looks like this:
+
+include::snip-azure-key-vault-service-config-microsoft-identity-platform-oauth2.adoc[leveloffset=+1]
+
+ifdef::include-azure-key-vault-service-config-microsoft-entra-managed-identity[]
+
+Alternatively, the configuration for authenticating with Managed Identities for Azure resources looks like this:
+
+include::snip-azure-key-vault-service-config-microsoft-entra-managed-identity.adoc[leveloffset=+1]
+endif::[]
+
+include::../../../_snippets/snip-tls-client-keystore.adoc[]
+
+include::../../../_snippets/snip-tls-client-truststore.adoc[]

kroxylicious-docs/docs/_modules/record-encryption/azure-key-vault/proc-azure-key-vault-setup-microsoft-entra-managed-identity.adoc

@@ -0,0 +1,68 @@
+:_mod-docs-content-type: PROCEDURE
+
+// file included in the following:
+//
+// proc-azure-key-vault-setup.adoc
+
+[id='proc-azure-key-vault-setup-microsoft-entra-managed-identity-{context}']
+= Authenticating with Managed Identities for Azure resources
+
+[role="_abstract"]
+This procedure describes how to use a System-assigned Managed Identity (on the Azure resource where Kroxylicious is deployed) to allow the Record Encryption filter to authenticate to Azure Key Vault. The process uses the Azure CLI to enable the identity on the hosting resource and grant it the required Azure Role-Based Access Control (RBAC) role.
+
+NOTE: A Managed Identity is a type of Service Principal that Azure manages automatically and does not require credentials. Assigning RBAC roles to a Managed Identity follows the same process as for other Service Principals.
+
+.Prerequisites
+
+* Access to the Azure CLI
+* A user with sufficient permissions to manage the hosting resource and assign RBAC roles.
+* The Azure resource that hosts Kroxylicious must be provisioned in advance.
+
+.Procedure
+
+. Enable the system-assigned managed identity on the hosting resource:
++
+[source,shell]
+----
+HOST_RESOURCE_NAME="kroxylicious-host"
+HOST_RESOURCE_GROUP="my-resource-group"
+az <RESOURCE_TYPE> identity assign \ 
+  --name ${HOST_RESOURCE_NAME} \
+  --resource-group ${HOST_RESOURCE_GROUP} \
+  --query "systemAssignedIdentity" --output tsv
+----
+* Set `HOST_RESOURCE_NAME` to the name of the Azure resource that hosts Kroxylicious.
+* Replace **<RESOURCE_TYPE>** with the correct Azure CLI subcommand for your resource type (for example, `vm`).
+* The command outputs the identifier of the system-assigned managed identity. Use this identifier in the next step.
+
+. Assign the built-in Azure Key Vault RBAC role to the managed identity:
++
+[source,shell]
+----
+SYSTEM_ASSIGNED_ID="x.kroxylicious-host"
+KEY_VAULT_NAME="kroxylicious-key-vault"
+RESOURCE_GROUP="my-resource-group"
+SCOPE_ID=$(az keyvault show --name ${KEY_VAULT_NAME} --resource-group ${RESOURCE_GROUP} --query "id" --output tsv)
+az role assignment create --assignee ${SYSTEM_ASSIGNED_ID} --role "Key Vault Crypto Service Encryption User" --scope ${SCOPE_ID}
+----
+* Set `SYSTEM_ASSIGNED_ID` to the managed identity’s identifier from the previous step.
+* Set `RESOURCE_GROUP` to the name of the resource group that contains your key vault. This may differ from the resource group that hosts Kroxylicious.
++
+These commands assign the built-in Key Vault Crypto Service Encryption User role to the Managed Identity, using the target Key Vault as the scope. Replace `HOST_RESOURCE_NAME`, `KEY_VAULT_NAME`, and `RESOURCE_GROUP` with your actual values.
+
+. (Optional) If you do not use the built-in RBAC roles, assign the following permissions to the managed identity instead:
+* `Microsoft.KeyVault/vaults/keys/read`
+* `Microsoft.KeyVault/vaults/keys/wrap/action`
+* `Microsoft.KeyVault/vaults/keys/unwrap/action`
++
+If you are using Managed HSM, also assign `Microsoft.KeyVault/managedhsms/rng/action`.
+
+. Confirm the role has been successfully assigned:
++
+[source,shell]
+----
+SYSTEM_ASSIGNED_ID="x.kroxylicious-host"
+az role assignment list --assignee ${SYSTEM_ASSIGNED_ID} --query '[].{Role:roleDefinitionName, Scope:scope}' --output tsv
+----
++
+The output lists the Key Vault Crypto Service Encryption User role and the full resource ID of your key vault.