Enable doc-validator for specific directories (#63524)

* Enable doc-validator for specific directories Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Fix one linting error to trigger CI Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Update doc-validator to latest release Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Update make-docs procedure Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Use doc-validator version from CI in local make target Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Revert to 1.11.0 Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * adds missing descriptions * Fix titles and headings Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Fix link formats Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Fix easy to resolve anchors Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Remove broken anchor link This anchor appears to have been broken for a long time. Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Use doc-validator image with support for numbered anchors Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Update make-docs procedure to support doc-validator 2.0.x Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Fix a bunch of broken anchors Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Ignore old whatsnew content Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * Update doc-validator to v2.0.x and use reviewdog to report errors Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * removes broken links --------- Signed-off-by: Jack Baldry <jack.baldry@grafana.com> Co-authored-by: Chris Moyer <chris.moyer@grafana.com>
2023-05-18 15:50:20 +01:00
parent 44b1dae16d
commit 560f49b3dc
94 changed files with 903 additions and 800 deletions
@@ -12,26 +12,26 @@ weight: 700

 Grafana’s database contains secrets, which are used to query data sources, send alert notifications, and perform other functions within Grafana.

-Grafana encrypts these secrets before they are written to the database, by using a symmetric-key encryption algorithm called Advanced Encryption Standard (AES). These secrets are signed using a [secret key]({{< relref "../../configure-grafana/#secret_key" >}}) that you can change when you configure a new Grafana instance.
+Grafana encrypts these secrets before they are written to the database, by using a symmetric-key encryption algorithm called Advanced Encryption Standard (AES). These secrets are signed using a [secret key]({{< relref "../../configure-grafana#secret_key" >}}) that you can change when you configure a new Grafana instance.

 > **Note:** Grafana v9.0 and newer use [envelope encryption](#envelope-encryption) by default, which adds a layer of indirection to the encryption process that introduces an [**implicit breaking change**](#implicit-breaking-change) for older versions of Grafana.

-For further details about how to operate a Grafana instance with envelope encryption, see the [Operational work]({{< relref "./#operational-work" >}}) section.
+For further details about how to operate a Grafana instance with envelope encryption, see the [Operational work]({{< relref "#operational-work" >}}) section.

 > **Note:** In Grafana Enterprise, you can also [encrypt secrets in AES-GCM (Galois/Counter Mode)]({{< relref "#changing-your-encryption-mode-to-aes-gcm" >}}) instead of the default AES-CFB (Cipher FeedBack mode).

 ## Envelope encryption

-> **Note:** Since Grafana v9.0, you can turn envelope encryption off by adding the feature toggle `disableEnvelopeEncryption` to your [Grafana configuration]({{< relref "../../configure-grafana/#feature_toggles" >}}).
+> **Note:** Since Grafana v9.0, you can turn envelope encryption off by adding the feature toggle `disableEnvelopeEncryption` to your [Grafana configuration]({{< relref "../../configure-grafana#feature_toggles" >}}).

 Instead of encrypting all secrets with a single key, Grafana uses a set of keys called data encryption keys (DEKs) to encrypt them. These data encryption keys are themselves encrypted with a single key encryption key (KEK), configured through the `secret_key` attribute in your
-[Grafana configuration]({{< relref "../../configure-grafana/#secret_key" >}}) or with a [key management service (KMS) integration](#kms-integration).
+[Grafana configuration]({{< relref "../../configure-grafana#secret_key" >}}) or by [Encrypting your database with a key from a key management service (KMS)](#encrypting-your-database-with-a-key-from-a-key-management-service-kms).

 ### Implicit breaking change

 Envelope encryption introduces an implicit breaking change to versions of Grafana prior to v9.0, because it changes how secrets stored in the Grafana database are encrypted. Grafana administrators can upgrade to Grafana v9.0 with no action required from the database encryption perspective, but must be extremely careful if they need to roll an upgrade back to Grafana v8.5 or earlier because secrets created or modified after upgrading to Grafana v9.0 can’t be decrypted by previous versions.

-Grafana v8.5 implemented envelope encryption behind an optional feature toggle. Grafana administrators who need to downgrade to Grafana v8.5 can enable envelope encryption as a workaround by adding the feature toggle `envelopeEncryption` to the [Grafana configuration]({{< relref "../../configure-grafana/#feature_toggles" >}}).
+Grafana v8.5 implemented envelope encryption behind an optional feature toggle. Grafana administrators who need to downgrade to Grafana v8.5 can enable envelope encryption as a workaround by adding the feature toggle `envelopeEncryption` to the [Grafana configuration]({{< relref "../../configure-grafana#feature_toggles" >}}).

 ## Operational work

@@ -39,7 +39,7 @@ From the database encryption perspective, Grafana administrators can:

 - [**Re-encrypt secrets**](#re-encrypt-secrets): re-encrypt secrets with envelope encryption and a fresh data key.
 - [**Roll back secrets**](#roll-back-secrets): decrypt secrets encrypted with envelope encryption and re-encrypt them with legacy encryption.
- [**Re-encrypt data keys**](#re-encrypt-data-keys): re-encrypt data keys with a fresh key encryption key and a [KMS integration](#kms-integration).
+- [**Re-encrypt data keys**](#re-encrypt-data-keys): re-encrypt data keys with a fresh key encryption key and a KMS integration.
 - [**Rotate data keys**](#rotate-data-keys): disable active data keys and stop using them for encryption in favor of a fresh one.

 ### Re-encrypt secrets
@@ -49,19 +49,19 @@ You can re-encrypt secrets in order to:
 - Move already existing secrets' encryption forward from legacy to envelope encryption.
 - Re-encrypt secrets after a [data keys rotation](#rotate-data-keys).

-To re-encrypt secrets, use the [Grafana CLI]({{< relref "../../../cli/" >}}) by running the `grafana cli admin secrets-migration re-encrypt` command or the `/encryption/reencrypt-secrets` endpoint of the Grafana [Admin API]({{< relref "../../../developers/http_api/admin/#roll-back-secrets" >}}). It's safe to run more than once, more recommended under maintenance mode.
+To re-encrypt secrets, use the [Grafana CLI]({{< relref "../../../cli" >}}) by running the `grafana cli admin secrets-migration re-encrypt` command or the `/encryption/reencrypt-secrets` endpoint of the Grafana [Admin API]({{< relref "../../../developers/http_api/admin#roll-back-secrets" >}}). It's safe to run more than once, more recommended under maintenance mode.

 ### Roll back secrets

 You can roll back secrets encrypted with envelope encryption to legacy encryption. This might be necessary to downgrade to Grafana versions prior to v9.0 after an unsuccessful upgrade.

-To roll back secrets, use the [Grafana CLI]({{< relref "../../../cli/" >}}) by running the `grafana cli admin secrets-migration rollback` command or the `/encryption/rollback-secrets` endpoint of the Grafana [Admin API]({{< relref "../../../developers/http_api/admin/#re-encrypt-secrets" >}}). It's safe to run more than once, more recommended under maintenance mode.
+To roll back secrets, use the [Grafana CLI]({{< relref "../../../cli" >}}) by running the `grafana cli admin secrets-migration rollback` command or the `/encryption/rollback-secrets` endpoint of the Grafana [Admin API]({{< relref "../../../developers/http_api/admin#re-encrypt-secrets" >}}). It's safe to run more than once, more recommended under maintenance mode.

 ### Re-encrypt data keys

-You can re-encrypt data keys encrypted with a specific key encryption key (KEK). This allows you to either re-encrypt existing data keys with a new KEK version (see [KMS integration](#kms-integration) rotation) or to re-encrypt them with a completely different KEK.
+You can re-encrypt data keys encrypted with a specific key encryption key (KEK). This allows you to either re-encrypt existing data keys with a new KEK version or to re-encrypt them with a completely different KEK.

-To re-encrypt data keys, use the [Grafana CLI]({{< relref "../../../cli/" >}}) by running the `grafana cli admin secrets-migration re-encrypt-data-keys` command or the `/encryption/reencrypt-data-keys` endpoint of the Grafana [Admin API]({{< relref "../../../developers/http_api/admin/#re-encrypt-data-encryption-keys" >}}). It's safe to run more than once, more recommended under maintenance mode.
+To re-encrypt data keys, use the [Grafana CLI]({{< relref "../../../cli" >}}) by running the `grafana cli admin secrets-migration re-encrypt-data-keys` command or the `/encryption/reencrypt-data-keys` endpoint of the Grafana [Admin API]({{< relref "../../../developers/http_api/admin#re-encrypt-data-encryption-keys" >}}). It's safe to run more than once, more recommended under maintenance mode.

 ### Rotate data keys

@@ -73,7 +73,7 @@ New data keys for encryption operations are generated on demand.
 > secrets still encrypted with them. To completely stop using
 > rotated data keys for both encryption and decryption, see [secrets re-encryption](#re-encrypt-secrets).

-To rotate data keys, use the `/encryption/rotate-data-keys` endpoint of the Grafana [Admin API]({{< relref "../../../developers/http_api/admin/#rotate-data-encryption-keys" >}}). It's safe to call more than once, more recommended under maintenance mode.
+To rotate data keys, use the `/encryption/rotate-data-keys` endpoint of the Grafana [Admin API]({{< relref "../../../developers/http_api/admin#rotate-data-encryption-keys" >}}). It's safe to call more than once, more recommended under maintenance mode.

 ## Encrypting your database with a key from a key management service (KMS)

@@ -83,10 +83,10 @@ You can choose to encrypt secrets stored in the Grafana database using a key fro

 Grafana integrates with the following key management services:

- [AWS KMS]({{< relref "encrypt-secrets-using-aws-kms/" >}})
- [Azure Key Vault]({{< relref "encrypt-secrets-using-azure-key-vault/" >}})
- [Google Cloud KMS]({{< relref "encrypt-secrets-using-google-cloud-kms/" >}})
- [Hashicorp Key Vault]({{< relref "encrypt-secrets-using-hashicorp-key-vault/" >}})
+- [AWS KMS]({{< relref "./encrypt-secrets-using-aws-kms" >}})
+- [Azure Key Vault]({{< relref "./encrypt-secrets-using-azure-key-vault" >}})
+- [Google Cloud KMS]({{< relref "./encrypt-secrets-using-google-cloud-kms" >}})
+- [Hashicorp Key Vault]({{< relref "./encrypt-secrets-using-hashicorp-key-vault" >}})

 ## Changing your encryption mode to AES-GCM

@@ -13,7 +13,7 @@ You can use an encryption key from AWS Key Management Service to encrypt secrets
 **Prerequisites:**

 - An AWS account with permission to view and create KMS keys and programmatic credentials to access those keys
- Access to the Grafana [configuration]({{< relref "../../../configure-grafana/#config-file-locations" >}}) file
+- Access to the Grafana [configuration]({{< relref "../../../configure-grafana#configuration-file-location" >}}) file

 1. Create a symmetric API key either from the AWS Management Console or by using the AWS KMS API.
   <br><br>For detailed instructions, refer to [Creating keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html).
@@ -24,7 +24,7 @@ You can use an encryption key from AWS Key Management Service to encrypt secrets
 3. Create a [programmatic credential](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) (access key ID and secret access key), which has permission to view the key that you created.
   <br><br>In AWS, you can control access to your KMS keys by using [key policies](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html), [IAM policies](https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html), and [grants](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html). You can also create [temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html), which must provide a session token along with an access key ID and a secret access key.

-4. From within Grafana, turn on [envelope encryption]({{< relref "/#envelope-encryption" >}}).
+4. From within Grafana, turn on envelope encryption.
 5. Add your AWS KMS details to the Grafana configuration file; depending on your operating system, it is usually named `grafana.ini`:
   <br><br>a. Add a new section to the configuration file, with a name in the format of `[security.encryption.awskms.<KEY-NAME>]`, where `<KEY-NAME>` is any name that uniquely identifies this key among other provider keys.
   <br><br>b. Fill in the section with the following values:
@@ -71,7 +71,7 @@ You can use an encryption key from AWS Key Management Service to encrypt secrets

   **> Note:** The encryption key that is stored in the `secret_key` field is still used by Grafana’s legacy alerting system to encrypt secrets, for decrypting existing secrets, or it is used as the default provider when external providers are not configured. Do not change or remove that value when adding a new KMS provider.

-7. [Restart Grafana](https://grafana.com/docs/grafana/latest/installation/restart-grafana/).
+7. [Restart Grafana](/docs/grafana/latest/installation/restart-grafana/).

 8. (Optional) From the command line and the root directory of Grafana, re-encrypt all of the secrets within the Grafana database with the new key using the following command:

@@ -13,7 +13,7 @@ You can use an encryption key from Azure Key Vault to encrypt secrets in the Gra
 **Prerequisites:**

 - An Azure account with permission to view and create Key Vault keys and programmatic credentials to access those keys
- Access to the Grafana [configuration]({{< relref "../../../configure-grafana/#config-file-locations" >}}) file
+- Access to the Grafana [configuration]({{< relref "../../../configure-grafana#configuration-file-location" >}}) file

 1. [Create a vault](https://docs.microsoft.com/en-us/azure/key-vault/general/quick-create-portal#create-a-vault).

@@ -25,7 +25,7 @@ You can use an encryption key from Azure Key Vault to encrypt secrets in the Gra

 5. In the Key Permissions section, set encrypt and decrypt permissions, and click **Save**.

-6. From within Grafana, turn on [envelope encryption]({{< relref "./#envelope-encryption" >}}).
+6. From within Grafana, turn on envelope encryption.

 7. Add your Azure Key Vault details to the Grafana configuration file; depending on your operating system, is usually named `grafana.ini`:
   <br><br>a. Add a new section to the configuration file, with a name in the format of `[security.encryption.azurekv.<KEY-NAME>]`, where `<KEY-NAME>` is any name that uniquely identifies this key among other provider keys.
@@ -69,7 +69,7 @@ You can use an encryption key from Azure Key Vault to encrypt secrets in the Gra

   **> Note:** The encryption key stored in the `secret_key` field is still used by Grafana’s legacy alerting system to encrypt secrets. Do not change or remove that value.

-9. [Restart Grafana](https://grafana.com/docs/grafana/latest/installation/restart-grafana/).
+9. [Restart Grafana](/docs/grafana/latest/installation/restart-grafana/).

 10. (Optional) From the command line and the root directory of Grafana Enterprise, re-encrypt all of the secrets within the Grafana database with the new key using the following command:

@@ -13,7 +13,7 @@ You can use an encryption key from Google Cloud Key Management Service to encryp
 **Prerequisites:**

 - A Google Cloud account with permission to list and create KMS keys and service accounts to access those keys
- Access to the Grafana [configuration]({{< relref "../../../configure-grafana/#config-file-locations" >}}) file
+- Access to the Grafana [configuration]({{< relref "../../../configure-grafana#configuration-file-location" >}}) file

 1. [Create a key ring](https://cloud.google.com/kms/docs/creating-keys#kms-create-key-ring-console) in Google Cloud KMS.

@@ -23,7 +23,7 @@ You can use an encryption key from Google Cloud Key Management Service to encryp

 4. [Create a service account key and save its JSON file](https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating) to you computer, for example, as `~/.config/gcloud/sample-project-credentials.json`.

-5. From within Grafana, turn on [envelope encryption]({{< relref "/#envelope-encryption" >}}).
+5. From within Grafana, turn on envelope encryption.

 6. Add your Google Cloud KMS details to the Grafana configuration file; depending on your operating system, is usually named `grafana.ini`:
   <br><br>a. Add a new section to the configuration file, with a name in the format of `[security.encryption.azurekv.<KEY-NAME>]`, where `<KEY-NAME>` is any name that uniquely identifies this key among other provider keys.
@@ -58,7 +58,7 @@ You can use an encryption key from Google Cloud Key Management Service to encryp

   **> Note:** The encryption key stored in the `secret_key` field is still used by Grafana’s legacy alerting system to encrypt secrets. Do not change or remove that value.

-8. [Restart Grafana](https://grafana.com/docs/grafana/latest/installation/restart-grafana/).
+8. [Restart Grafana](/docs/grafana/latest/installation/restart-grafana/).

 9. (Optional) From the command line and the root directory of Grafana Enterprise, re-encrypt all of the secrets within the Grafana database with the new key using the following command:

@@ -13,7 +13,7 @@ You can use an encryption key from Hashicorp Vault to encrypt secrets in the Gra
 **Prerequisites:**

 - Permissions to manage Hashicorp Vault to enable secrets engines and issue tokens.
- Access to the Grafana [configuration]({{< relref "../../../configure-grafana/#config-file-locations" >}}) file
+- Access to the Grafana [configuration]({{< relref "../../../configure-grafana#configuration-file-location" >}}) file

 1. [Enable the transit secrets engine](https://www.vaultproject.io/docs/secrets/transit#setup) in Hashicorp Vault.

@@ -21,7 +21,7 @@ You can use an encryption key from Hashicorp Vault to encrypt secrets in the Gra

 3. [Create a periodic service token](https://learn.hashicorp.com/tutorials/vault/tokens#periodic-service-tokens).

-4. From within Grafana, turn on [envelope encryption]({{< relref "/#envelop-encryption" >}}).
+4. From within Grafana, turn on envelope encryption.

 5. Add your Hashicorp Vault details to the Grafana configuration file; depending on your operating system, is usually named `grafana.ini`:
   <br><br>a. Add a new section to the configuration file, with a name in the format of `[security.encryption.hashicorpvault.<KEY-NAME>]`, where `<KEY-NAME>` is any name that uniquely identifies this key among other provider keys.
@@ -65,7 +65,7 @@ You can use an encryption key from Hashicorp Vault to encrypt secrets in the Gra

   **> Note:** The encryption key stored in the `secret_key` field is still used by Grafana’s legacy alerting system to encrypt secrets. Do not change or remove that value.

-7. [Restart Grafana](https://grafana.com/docs/grafana/latest/installation/restart-grafana/).
+7. [Restart Grafana](/docs/grafana/latest/installation/restart-grafana/).

 8. (Optional) From the command line and the root directory of Grafana Enterprise, re-encrypt all of the secrets within the Grafana database with the new key using the following command:

@@ -9,11 +9,11 @@ weight: 500

 # Integrate Grafana with Hashicorp Vault

-If you manage your secrets with [Hashicorp Vault](https://www.hashicorp.com/products/vault), you can use them for [Configuration]({{< relref "../../../configure-grafana/" >}}) and [Provisioning]({{< relref "../../../../administration/provisioning/" >}}).
+If you manage your secrets with [Hashicorp Vault](https://www.hashicorp.com/products/vault), you can use them for [Configuration]({{< relref "../../../configure-grafana" >}}) and [Provisioning]({{< relref "../../../../administration/provisioning" >}}).

-> **Note:** Available in [Grafana Enterprise]({{< relref "../../../../introduction/grafana-enterprise/" >}}) and [Grafana Cloud Advanced](/docs/grafana-cloud).
+> **Note:** Available in [Grafana Enterprise]({{< relref "../../../../introduction/grafana-enterprise" >}}) and [Grafana Cloud Advanced](/docs/grafana-cloud).

-> **Note:** If you have Grafana [set up for high availability]({{< relref "../../../set-up-for-high-availability/" >}}), then we advise not to use dynamic secrets for provisioning files.
+> **Note:** If you have Grafana [set up for high availability]({{< relref "../../../set-up-for-high-availability" >}}), then we advise not to use dynamic secrets for provisioning files.
 > Each Grafana instance is responsible for renewing its own leases. Your data source leases might expire when one of your Grafana servers shuts down.

 ## Configuration
@@ -55,7 +55,7 @@ token = s.sAZLyI0r7sFLMPq6MWtoOhAN # replace with your key
 ## Using the Vault expander

 After you configure Vault, you must set the configuration or provisioning files you wish to
-use Vault. Vault configuration is an extension of configuration's [variable expansion]({{< relref "../../../configure-grafana/#variable-expansion" >}}) and follows the
+use Vault. Vault configuration is an extension of configuration's [variable expansion]({{< relref "../../../configure-grafana#variable-expansion" >}}) and follows the
 `$__vault{<argument>}` syntax.

 The argument to Vault consists of three parts separated by a colon:
@@ -93,12 +93,12 @@ $__vault{database:database/creds/grafana:username}

 ### Examples

-The following examples show you how to set your [configuration]({{< relref "../../../configure-grafana/" >}}) or [provisioning]({{< relref "../../../../administration/provisioning/" >}}) files to use Vault to retrieve configuration values.
+The following examples show you how to set your [configuration]({{< relref "../../../configure-grafana" >}}) or [provisioning]({{< relref "../../../../administration/provisioning" >}}) files to use Vault to retrieve configuration values.

 #### Configuration

 The following is a partial example for using Vault to set up a Grafana configuration file's email and database credentials.
-Refer to [Configuration]({{< relref "../../../configure-grafana/" >}}) for more information.
+Refer to [Configuration]({{< relref "../../../configure-grafana" >}}) for more information.

 ```ini
 [smtp]
@@ -119,7 +119,7 @@ password = $__vault{database:database/creds/grafana:password}

 The following is a full examples of a provisioning YAML file setting up a MySQL data source using Vault's
 database secrets engine.
-Refer to [Provisioning]({{< relref "../../../../administration/provisioning/" >}}) for more information.
+Refer to [Provisioning]({{< relref "../../../../administration/provisioning" >}}) for more information.

 **provisioning/custom.yaml**