DOCS-KMIP-updates (#337)

initial commit, fixes to code presentation

- Updates to kmip with fixes to how we present code (website looks better now!)
- Updates set-principal-key with similar fixes
- Updated keyring.md with similar fixes

And updated functions for two parameters with updates from 1506
pull/230/head
Dragos Andriciuc 4 months ago committed by GitHub
parent 2dbb8d8e29
commit 2ca6bb5a22
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
Files changed:

1. contrib/pg_tde/documentation/docs/functions.md (38)
2. contrib/pg_tde/documentation/docs/global-key-provider-configuration/keyring.md (1)
3. contrib/pg_tde/documentation/docs/global-key-provider-configuration/kmip-server.md (1)
4. contrib/pg_tde/documentation/docs/global-key-provider-configuration/set-principal-key.md (7)
5. contrib/pg_tde/documentation/docs/global-key-provider-configuration/vault.md (1)

@ -106,15 +106,43 @@ The KMIP provider uses a remote KMIP server.
Use these functions to add a KMIP provider:
```sql
SELECT pg_tde_add_database_key_provider_kmip('provider-name','kmip-addr', `port`, '/path_to/server_certificate.pem', '/path_to/client_cert.pem', '/path_to/client_key.pem');
SELECT pg_tde_add_global_key_provider_kmip('provider-name','kmip-addr', `port`, '/path_to/server_certificate.pem', '/path_to/client_cert.pem', '/path_to/client_key.pem');
SELECT pg_tde_add_database_key_provider_kmip(
'provider-name',
'kmip-addr',
`port`,
'/path_to/server_certificate.pem',
'/path_to/client_cert.pem',
'/path_to/client_key.pem'
);
SELECT pg_tde_add_global_key_provider_kmip(
'provider-name',
'kmip-addr',
`port`,
'/path_to/server_certificate.pem',
'/path_to/client_certificate.pem',
'/path_to/client_key.pem'
);
```
These functions change the KMIP provider:
```sql
SELECT pg_tde_change_database_key_provider_kmip('provider-name','kmip-addr', `port`, '/path_to/server_certificate.pem', '/path_to/client_cert.pem', '/path_to/client_key.pem');
SELECT pg_tde_change_global_key_provider_kmip('provider-name','kmip-addr', `port`, '/path_to/server_certificate.pem', '/path_to/client_cert.pem', '/path_to/client_key.pem');
SELECT pg_tde_change_database_key_provider_kmip(
'provider-name',
'kmip-addr',
`port`,
'/path_to/server_certificate.pem',
'/path_to/client_cert.pem',
'/path_to/client_key.pem'
);
SELECT pg_tde_change_global_key_provider_kmip(
'provider-name',
'kmip-addr',
`port`,
'/path_to/server_certificate.pem',
'/path_to/client_certificate.pem',
'/path_to/client_key.pem'
);
```
where:
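Review bot: the multi-line examples in this hunk keep `port` wrapped in backticks inside a `sql` fence, which is neither valid SQL nor rendered as inline code inside a fenced block; a reader pasting the statement gets a syntax error. Use a plain placeholder such as `5696` (the value the parameter list below calls out as the common KMIP port) or an unquoted `port`. The same hunk is also inconsistent between the `_database_` and `_global_` variants: the database forms pass `'/path_to/client_cert.pem'` while the global forms pass `'/path_to/client_certificate.pem'`, and the parameter list in this file is being renamed from `client-cert` to `client-certificate`, so the database examples should be updated to match.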
@ -124,7 +152,7 @@ where:
* `port` is the port to communicate with the KMIP server.
Most KMIP servers use port 5696.
* `server-certificate` is the path to the certificate file for the KMIP server.
* `client-cert` is the path to the client certificate.
* `client-certificate` is the path to the client certificate.
* `client-key` is the path to the client key.
The specified access parameters require permission to read and write keys at the server.
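Review bot: the `server-certificate` description ("the certificate file for the KMIP server") does not say what the file is used for; the kmip-server.md hunk in this same change calls it the root certificate of the KMIP server, so say here that it is the CA/root certificate `pg_tde` uses to validate the server's TLS identity, and keep the wording identical across both pages. The closing sentence "require permission to read and write keys at the server" also differs from kmip-server.md, which says "create and read keys"; pick one phrasing, since operators will use it to scope the client certificate's permissions on the KMIP server to exactly what `pg_tde` needs.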

@ -3,7 +3,6 @@
This setup is intended for development and stores the keys unencrypted in the specified data file. See [how to use external reference to parameters](../how-to/external-parameters.md) to add an extra security layer to your setup.
!!! note
While keyfiles may be acceptable for **local** or **testing environments**, KMS integration is the recommended approach for production deployments.
```sql
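Review bot: the admonition says keyfiles store keys unencrypted and are acceptable only locally or for testing, but it does not point the reader at the alternatives; since this change also touches the KMIP and Vault pages, link "KMS integration" to kmip-server.md and vault.md so the recommendation is actionable. Also confirm that the `!!! note` body keeps its four-space indentation in the source file; if it is lost, the note text is rendered as a plain paragraph outside the admonition.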

@ -3,7 +3,6 @@
To use a Key Management Interoperability Protocol (KMIP) server with `pg_tde`, you must configure it as a global key provider. This setup enables `pg_tde` to securely fetch and manage encryption keys from a centralized key management appliance.
!!! note
You need the root certificate of the KMIP server and a client key/certificate pair with permissions to create and read keys on the server.
It is recommended to review the [configuration guidelines for the HashiCorp Vault Enterprise KMIP Secrets Engine](https://developer.hashicorp.com/vault/tutorials/enterprise/kmip-engine) if you're using Vault.
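Review bot: the note's permission requirement ("create and read keys") does not match the wording in functions.md in this same change ("read and write keys at the server"); align the two so the documented least-privilege scope for the client key/certificate pair is unambiguous. It would also help to say explicitly that the "root certificate of the KMIP server" is the value passed as `server-certificate` in the `pg_tde_add_global_key_provider_kmip` call, since that is the parameter readers will be filling in.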

@ -23,11 +23,14 @@ Run the following command:
This example is for testing purposes only. Replace the key name and provider name with your values:
```sql
SELECT pg_tde_set_key_using_global_key_provider('test-db-master-key','file-vault','ensure_new_key');
SELECT pg_tde_set_key_using_global_key_provider(
'test-db-master-key',
'file-vault',
'ensure_new_key'
);
```
!!! note
The key is auto-generated.
After this, all databases that do not have something else configured will use this newly generated principal key.
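Review bot: the third argument is shown as the string literal `'ensure_new_key'`, which reads like a parameter name rather than a value; if it is a flag, show the actual value a user would pass, and if it is a placeholder, label it as one in the "Replace ... with your values" sentence. The note "The key is auto-generated." should also say what triggers the generation (the `ensure_new_key` argument or the absence of an existing key named `test-db-master-key`), because the following sentence states that every database without its own configuration will silently start using this key, which is a consequence operators should not discover by accident. Finally, the provider name `file-vault` in a global-provider example is confusing next to the separate keyring and Vault pages; a neutral placeholder such as `provider-name` would match the convention used in functions.md.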

@ -3,7 +3,6 @@
You can configure `pg_tde` to use HashiCorp Vault as a global key provider for managing encryption keys securely.
!!! note
This guide assumes that your Vault server is already set up and accessible. Vault configuration is outside the scope of this document, see [Vault's official documentation](https://developer.hashicorp.com/vault/docs) for more information.
## Example usage
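Review bot: the note has a comma splice ("outside the scope of this document, see [Vault's official documentation]"); use a semicolon or a full stop. The note would also be more useful if it stated what the "accessible" Vault server must provide for `pg_tde` (which secrets engine and what the provider authenticates with), mirroring how the KMIP page in this change lists the certificate and permission prerequisites up front.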
