[DOC-428][doc][ybm] CLI example for EAR #26070

Open: wants to merge 18 commits into base: master
Expand Up @@ -213,6 +213,300 @@ Name Tier Version State Health Regions
my-multi-region Dedicated 2.14.7.0-b51 ACTIVE 💚 us-central1,+2 3 6 / 24GB / 600GB
```

## Encryption at rest

YugabyteDB Aeon supports [encryption at rest](../../../../cloud-secure-clusters/managed-ear) (EAR). Before you can create a cluster with EAR, you need to create a customer managed key (CMK) in a cloud provider Key Management Service (KMS). See [Prerequisites](../../../../cloud-secure-clusters/managed-ear/#prerequisites).

### Create a cluster with EAR

Use the following commands to create a new cluster with EAR in AWS, GCP, or Azure.

{{< tabpane text=true >}}

{{% tab header="AWS" %}}

```sh
ybm cluster create \
--cluster-name my-sandbox \
--cloud-provider AWS \
--cluster-tier Dedicated \
--cluster-type SYNCHRONOUS \
--encryption-spec cloud-provider=AWS,aws-secret-key=<your-secret-key>,aws-access-key=<your-access-key>,aws-arn=<your-aws-arn-key> \
--credentials username=admin,password=password \
--fault-tolerance=ZONE \
--region-info region=us-east-2,num-nodes=3,num-cores=4
```

```output
The cluster my-sandbox has been created
Name Tier Version State Health Provider Regions Nodes Node Res.(Vcpu/Mem/DiskGB/IOPS)
my-sandbox Dedicated {{< yb-version version="preview" format="build">}} ACTIVE 💚 AWS us-east-2 3 4 / 16GB / 200GB / 3000
```

You can list the EAR details using the encryption list command.


```sh
ybm cluster encryption list --cluster-name my-sandbox
```

```output
Provider Key Alias Last Rotated Security Principals CMK Status
AWS XXXXXXXX-e690-42fc-b209-baf969930b2c - arn:aws:kms:us-east-1:712345678912:key/db272c8d-1592-4c73-bfa3-420d05822933 ACTIVE
```

Note the EAR details are also shown when you use `cluster describe` command.

```sh
ybm cluster describe --cluster-name my-sandbox
```

```output
General
Name ID Version State Health
my-sandbox b1676d3f-8898-4c04-a1d6-bedf5bXXXXXX 2.18.3.0-b75 ACTIVE 💚

Provider Tier Fault Tolerance Nodes Node Res.(Vcpu/Mem/DiskGB/IOPS)
AWS Dedicated ZONE, RF 3 3 4 / 16GB / 200GB / 3000


Regions
Region Nodes vCPU/Node Mem/Node Disk/Node VPC
us-east-2 3 4 16GB 200GB


Endpoints
Region Accessibility State Host
us-east-2 PUBLIC ACTIVE us-east-2 .XXXXXXXX-8898-4c04-a1d6-bedf5bXXXXXX.aws.devcloud.yugabyte.com


Encryption at Rest
Provider Key Alias Last Rotated Security Principals CMK Status
AWS 0a80e409-e690-42fc-b209-XXXXXXXXXXX 2023-11-03T07:37:26.351Z arn:aws:kms:us-east-1:<your-account-id>:key/<your-key-id> ACTIVE


Nodes
Name Region[zone] Health Master Tserver ReadReplica Used Memory(MB)
my-sandbox-n1 us-east-2 [us-east-2 a] 💚 ✅ ✅ ❌ 75MB
my-sandbox-n2 us-east-2 [us-east-2 b] 💚 ✅ ✅ ❌ 96MB
my-sandbox-n3 us-east-2 [us-east-2 c] 💚 ✅ ✅ ❌ 76MB
```

{{% /tab %}}

{{% tab header="GCP" %}}

```sh
ybm cluster create \
--cluster-name my-sandbox \
--cloud-provider GCP \
--cluster-tier Dedicated \
--cluster-type SYNCHRONOUS \
--encryption-spec cloud-provider=GCP,gcp-resource-id=projects/<your-project>/locations/<your-location>/keyRings/<your-key-ring-name>/cryptoKeys/<your-key-name>,gcp-service-account-path=creds.json \
--credentials username=admin,password=password \
--fault-tolerance=ZONE \
--region-info region=us-central1,num-nodes=3,num-cores=4
```

```output
The cluster my-sandbox has been created
Name Tier Version State Health Provider Regions Nodes Node Res.(Vcpu/Mem/DiskGB/IOPS)
my-sandbox Dedicated {{< yb-version version="preview" format="build">}} ACTIVE 💚 GCP us-central1 3 4 / 16GB / 200GB / 3000
```

You can list the EAR details using the encryption list command.


```sh
ybm cluster encryption list --cluster-name my-sandbox
```

```output
Provider Key Alias Last Rotated Security Principals CMK Status
GCP <your-key-name> 2023-11-03T07:37:26.351Z projects/<your-project-id>/<your-location>/global/keyRings/<your-key-ring-name>/cryptoKeys/<your-key-name> ACTIVE
```

Note the EAR details are also shown when you use `cluster describe` command.

```sh
ybm cluster describe --cluster-name my-sandbox
```

```output
General
Name ID Version State Health
my-sandbox b1676d3f-8898-4c04-a1d6-bedf5bXXXXXX 2.18.3.0-b75 ACTIVE 💚

Provider Tier Fault Tolerance Nodes Node Res.(Vcpu/Mem/DiskGB/IOPS)
GCP Dedicated ZONE, RF 3 3 4 / 16GB / 200GB / 3000


Regions
Region Nodes vCPU/Node Mem/Node Disk/Node VPC
us-central1 3 4 16GB 200GB


Endpoints
Region Accessibility State Host
us-central1 PUBLIC ACTIVE us-central1.b1676d3f-8898-4c04-a1d6-bedf5bXXXXXX.gcp.devcloud.yugabyte.com


Encryption at Rest
Provider Key Alias Last Rotated Security Principals CMK Status
GCP <your-key-name> 2023-11-03T07:37:26.351Z projects/<your-project-id>/<your-location>/global/keyRings/<your-key-ring-name>/cryptoKeys/<your-key-name> ACTIVE


Nodes
Name Region[zone] Health Master Tserver ReadReplica Used Memory(MB)
my-sandbox-n1 us-central1 [us-central1 a] 💚 ✅ ✅ ❌ 75MB
my-sandbox-n2 us-central1 [us-central1 b] 💚 ✅ ✅ ❌ 96MB
my-sandbox-n3 us-central1 [us-central1 c] 💚 ✅ ✅ ❌ 76MB
```

{{% /tab %}}

{{% tab header="Azure" %}}

```sh
ybm cluster create \
--cluster-name my-sandbox \
--cloud-provider AZURE \
--cluster-tier Dedicated \
--cluster-type SYNCHRONOUS \
--encryption-spec cloud-provider=AZURE,azu-client-id=<your-client-id>,azu-client-secret=<your-client-secret>,azu-tenant-id=<your-tenant-id>,azu-key-name=test-key,azu-key-vault-uri=<your-key-vault-uri> \
--credentials username=admin,password=password \
--fault-tolerance=ZONE --region-info region=eastus,num-nodes=3,num-cores=4 \
```

```output
The cluster my-sandbox has been created
Name Tier Version State Health Provider Regions Nodes Node Res.(Vcpu/Mem/DiskGB/IOPS)
my-sandbox Dedicated {{< yb-version version="preview" format="build">}} ACTIVE 💚 AZURE eastus 3 4 / 16GB / 200GB / 3000
```

You can list the EAR details using the encryption list command.


```sh
ybm cluster encryption list --cluster-name my-sandbox
```

```output
Provider Key Alias Last Rotated Security Principals CMK Status
AZURE 8aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX5b 2023-11-03T07:37:26.351Z <your-key-vault-uri> ACTIVE
```

Note the EAR details are also shown when you use `cluster describe` command.

```sh
ybm cluster describe --cluster-name my-sandbox
```

```output
General
Name ID Version State Health
my-sandbox b1676d3f-8898-4c04-a1d6-bedf5b7867ff 2.18.3.0-b75 ACTIVE 💚

Provider Tier Fault Tolerance Nodes Node Res.(Vcpu/Mem/DiskGB/IOPS)
AZURE Dedicated ZONE, RF 3 3 4 / 16GB / 200GB / 3000


Regions
Region Nodes vCPU/Node Mem/Node Disk/Node VPC
eastus 3 4 16GB 200GB


Endpoints
Region Accessibility State Host
eastus PUBLIC ACTIVE eastus.b1676d3f-8898-4c04-a1d6-bedf5b7867ff.azure.devcloud.yugabyte.com


Encryption at Rest
Provider Key Alias Last Rotated Security Principals CMK Status
AZURE 8aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX5b 2023-11-03T07:37:26.351Z <your-key-vault-uri> ACTIVE


Nodes
Name Region[zone] Health Master Tserver ReadReplica Used Memory(MB)
my-sandbox-n1 eastus[eastusa] 💚 ✅ ✅ ❌ 75MB
my-sandbox-n2 eastus[eastusb] 💚 ✅ ✅ ❌ 96MB
my-sandbox-n3 eastus[eastusc] 💚 ✅ ✅ ❌ 76MB
```

{{% /tab %}}

{{< /tabpane >}}

### Rotate your CMK

Use the following commands to rotate your CMK. You can also use these commands to encrypt a cluster where the specified cluster does not already have EAR.

Note: Only credentials can be modified in the current configuration (for example, AWS access/secret keys or GCP service account credentials).

{{< tabpane text=true >}}

{{% tab header="AWS" %}}

```sh
ybm cluster encryption update \
--cluster-name my-sandbox \
--encryption-spec cloud-provider=AWS,aws-secret-key=<new-secret-key>,aws-access-key=<new-access-key>
```

{{% /tab %}}

{{% tab header="GCP" %}}

```sh
ybm cluster encryption update \
--cluster-name my-sandbox \
--encryption-spec cloud-provider=GCP,gcp-resource-id=projects/yugabyte/locations/global/keyRings/test-byok/cryptoKeys/key1,gcp-service-account-path=<path-to-service-account-file>
```

{{% /tab %}}

{{% tab header="Azure" %}}

```sh
ybm cluster encryption update \
--cluster-name my-sandbox \
--encryption-spec cloud-provider=AZURE,azu-client-id=<new-client-id>,azu-client-secret=<new-client-secret>,azu-tenant-id=<new-tenant-id>,azu-key-name=test-key,azu-key-vault-uri=<new-key-vault-uri>
```

{{% /tab %}}

{{< /tabpane >}}

### Update CMK state

Use the following commands to enable or disable the CMK state.

#### disable CMK

```sh
ybm cluster encryption update-state \
--cluster-name my-sandbox \
--disable
```

```output
Successfully DISABLED encryption spec status for cluster my-sandbox
```

#### enable CMK

```sh
ybm cluster encryption update-state \
--cluster-name my-sandbox \
--enable
```

```output
Successfully ENABLED encryption spec status for cluster my-sandbox
```



## Pause, resume, and terminate

To list your clusters, enter the following command:
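Review bot: The GCP `Security Principals` value in the `encryption list` and `cluster describe` output (`projects/<your-project-id>/<your-location>/global/keyRings/<your-key-ring-name>/cryptoKeys/<your-key-name>`) does not match the resource-id form the GCP create command itself uses (`projects/<your-project>/locations/<your-location>/keyRings/...`): the `locations/` segment is missing and both `<your-location>` and `global` appear, so this output should be regenerated or corrected to the same path form. Further points in this hunk: the Azure create command ends with a trailing `\` after the `--region-info` line, which leaves the shell waiting for a continuation line, and it folds `--fault-tolerance=ZONE` and `--region-info` onto one line unlike the AWS and GCP tabs; the AWS `encryption list` output shows `Last Rotated -`, a concrete account id and a key alias that all differ from the `cluster describe` output for the same cluster, and the describe `Host` value `us-east-2 .XXXXXXXX-...` has a stray space; the create output uses the `{{< yb-version >}}` shortcode while the describe output hardcodes `2.18.3.0-b75`; the 'Rotate your CMK' text says the commands can also enable EAR on a cluster that does not have it, while the note directly below says only credentials can be modified, and the GCP rotate example uses concrete values (`projects/yugabyte/locations/global/keyRings/test-byok/cryptoKeys/key1`) instead of placeholders like the other tabs; the `--encryption-spec` and `--credentials` examples put the KMS secret key or client secret and the admin password directly on the command line, so it is worth stating that these are placeholders and that real values supplied this way land in shell history and process listings; the 'Update CMK state' section should say what disabling does to data already encrypted with the CMK and whether the cluster keeps serving it; and the `#### disable CMK` / `#### enable CMK` headings are lowercase and three blank lines precede `## Pause, resume, and terminate`.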
Expand Up @@ -32,7 +32,7 @@ Create a local single-node cluster:

```sh
ybm cluster create \
--cluster-name test-cluster \
--cluster-name my-sandbox \
--credentials username=admin,password=password123
```

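Review bot: The password in this example (`password123`) now differs from the `password=password` used in the new EAR create examples in the same file; since the cluster name was harmonized to `my-sandbox`, the credentials should be harmonized too, and any later `--cluster-name test-cluster` references in the file that this hunk does not cover should be checked so the describe/list commands still match.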
Expand All @@ -47,7 +47,7 @@ ybm cluster create \
--cluster-tier Dedicated \
--fault-tolerance ZONE \
--database-version Innovation \
--cluster-name test-cluster \
--cluster-name my-sandbox \
--wait
```

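Review bot: With this rename both this `cluster create --wait` example and the single-node example above create a cluster named `my-sandbox`, the same name the EAR section uses, so a reader running the page's examples in order would hit a name clash on the second create; either use distinct names or state that each example assumes the previous `my-sandbox` cluster was terminated.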