Add CRA docs and Compliance docs structure (#786)

xeniape · lfrancke · web-flow · commit 879e76f9a1e2 · 2025-11-05T09:08:38.000Z
* Add CRA docs and Compliance docs structure

* pre-commit fixes

* update menu navbar

* fix policies menu link

* fix policies menu link

* fix policies menu link

* Initial content for CRA page

* Add content to overview page

* Spell out CRA in table of contents

---------

Co-authored-by: Lars Francke &lt;git@lars-francke.de&gt;
diff --git a/antora.yml b/antora.yml
@@ -11,6 +11,7 @@ nav:
   - modules/ROOT/nav2.adoc # this is for the 'Management' link
   - modules/reference/nav.adoc
   - modules/contributor/nav.adoc
+  - modules/compliance/nav.adoc
   - modules/ROOT/nav3.adoc # this is for the extra bits at the end of the menu
 # The prerelease setting affects version sorting.
 # Set to 'true' for nightly and false otherwise.
diff --git a/modules/ROOT/nav3.adoc b/modules/ROOT/nav3.adoc
@@ -1,5 +1 @@
 * xref:release-notes.adoc[Release notes]
-* xref:product-information.adoc[]
-* xref:policies.adoc[]
-* xref:licenses.adoc[Licenses]
-* xref:export.adoc[Export Control]
diff --git a/modules/ROOT/partials/supported-kubernetes-distributions.adoc b/modules/ROOT/partials/supported-kubernetes-distributions.adoc
@@ -1,10 +1,10 @@
-* xref:kubernetes/eks.adoc[]
-* xref:kubernetes/aks.adoc[]
-* xref:kubernetes/gke.adoc[]
-* xref:kubernetes/ionos-managed-k8s.adoc[]
-* xref:kubernetes/ionos-managed-stackable.adoc[]
-* xref:kubernetes/kind.adoc[]
-* xref:kubernetes/microk8s.adoc[]
-* xref:kubernetes/openshift.adoc[]
-* xref:kubernetes/suse-k3s.adoc[]
-* xref:kubernetes/suse-rancher.adoc[]
+* xref:ROOT:kubernetes/eks.adoc[]
+* xref:ROOT:kubernetes/aks.adoc[]
+* xref:ROOT:kubernetes/gke.adoc[]
+* xref:ROOT:kubernetes/ionos-managed-k8s.adoc[]
+* xref:ROOT:kubernetes/ionos-managed-stackable.adoc[]
+* xref:ROOT:kubernetes/kind.adoc[]
+* xref:ROOT:kubernetes/microk8s.adoc[]
+* xref:ROOT:kubernetes/openshift.adoc[]
+* xref:ROOT:kubernetes/suse-k3s.adoc[]
+* xref:ROOT:kubernetes/suse-rancher.adoc[]
diff --git a/modules/ROOT/partials/tested-kubernetes-distributions.adoc b/modules/ROOT/partials/tested-kubernetes-distributions.adoc
@@ -1,7 +1,7 @@
-* xref:kubernetes/huawei-cloud.adoc[]
-* xref:kubernetes/ibm-cloud.adoc[]
-* xref:kubernetes/ovh-mks.adoc[]
-* xref:kubernetes/plusserver.adoc[]
-* xref:kubernetes/ske.adoc[] (with the exception of missing public NodePorts)
-* xref:kubernetes/vmware_tanzu.adoc[]
-* xref:kubernetes/oke.adoc[]
+* xref:ROOT:kubernetes/huawei-cloud.adoc[]
+* xref:ROOT:kubernetes/ibm-cloud.adoc[]
+* xref:ROOT:kubernetes/ovh-mks.adoc[]
+* xref:ROOT:kubernetes/plusserver.adoc[]
+* xref:ROOT:kubernetes/ske.adoc[] (with the exception of missing public NodePorts)
+* xref:ROOT:kubernetes/vmware_tanzu.adoc[]
+* xref:ROOT:kubernetes/oke.adoc[]
diff --git a/modules/compliance/images/full_support_scenario_1.png b/modules/compliance/images/full_support_scenario_1.png
diff --git a/modules/compliance/images/full_support_scenario_2.png b/modules/compliance/images/full_support_scenario_2.png
diff --git a/modules/compliance/images/maintenance_phase.png b/modules/compliance/images/maintenance_phase.png
diff --git a/modules/compliance/images/product_release_cycle.png b/modules/compliance/images/product_release_cycle.png
diff --git a/modules/compliance/nav.adoc b/modules/compliance/nav.adoc
@@ -0,0 +1,6 @@
+* xref:index.adoc[Compliance]
+** xref:product-information.adoc[]
+** xref:policies.adoc[]
+** xref:licenses.adoc[Licenses]
+** xref:export.adoc[Export Control]
+** xref:cra.adoc[Cyber Resilience Act]
diff --git a/modules/compliance/pages/cra.adoc b/modules/compliance/pages/cra.adoc
@@ -0,0 +1,57 @@
+= Cyber Resilience Act (CRA)
+
+NOTE: The https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2847[Cyber Resilience Act (CRA)] is a European regulation that establishes cybersecurity requirements for products with digital elements placed on the EU market.
+It aims to ensure that hardware and software products are designed, developed, and maintained with adequate cybersecurity throughout their lifecycle.
+
+This will be expanded over time.
+
+== Target Audience & Content
+
+This page serves as a central hub for
+
+* users of the Stackable Data Platform (SDP),
+* market surveillance authorities,
+* and the https://single-market-economy.ec.europa.eu/single-market/goods/building-blocks/market-surveillance/organisation/adcos_en[Administrative Cooperation Group] (AdCo) established in Article 52(15)
+
+to find all information mandated by the CRA in a single and central place.
+
+== Stackable Data Platform (SDP) classification
+
+The CRA defines multiple product categories that determine the conformity assessment procedure.
+We consider the Stackable Data Platform to be a default product (not Important or Critical).
+This means we perform a self-assessment of conformity rather than requiring third-party certification.
+
+== Annex II: Information and instructions to the user
+
+Annex II of the CRA specifies information that manufacturers must provide to users.
+The following items correspond to the numbered requirements in Annex II:
+
+. **Contact Information**: You can find all our contact information on our homepage in the https://stackable.tech/en/imprint/[imprint] section.
+
+. **Vulnerability Disclosure**: Please see our https://stackable.tech/en/vulnerability-disclosure-policy/[Vulnerability Disclosure Policy] for all information on how to report vulnerabilities in a coordinated way.
+
+. **Product Identification**: The Stackable Data Platform (SDP) is a Kubernetes-based data platform for operating data applications.
+All our images are tagged and contain annotations to identify the product versions.
+Additional documentation will follow.
+
+. **Intended Purpose and Security Properties**: Information about the intended purpose of SDP, the security environment, essential functionalities, and security properties will be documented here.
+
+. **Known Cybersecurity Risks**: Information about known or foreseeable circumstances that may lead to significant cybersecurity risks will be documented here.
+
+. **EU Declaration of Conformity**: The internet address at which the EU declaration of conformity can be accessed will be provided here when available.
+
+. **Security Support and Support Period**: Please see our xref:policies.adoc[Lifecycle policies] for information on the type of security support offered and the support duration, including the period during which vulnerabilities will be handled and security updates provided for the Stackable Data Platform and the included products.
+
+. **Security Instructions**: Detailed instructions on the following topics will be documented here:
++
+--
+* Necessary measures during initial commissioning and throughout the product lifetime to ensure secure use
+* How changes to the product can affect data security
+* How to install security-relevant updates
+* Secure decommissioning of the product and secure removal of user data
+* How to manage automatic security update settings
+* Information for integrators on cybersecurity requirements (where applicable)
+--
+
+. **Software Bill of Materials (SBOM)**: We provide https://sboms.stackable.tech/[SBOMs] for all container images in the Stackable Data Platform.
+Please see our xref:guides:viewing-and-verifying-sboms.adoc[SBOM documentation] for information on how to access, view, and verify SBOMs.
diff --git a/modules/compliance/pages/export.adoc b/modules/compliance/pages/export.adoc
@@ -1,4 +1,5 @@
 = Export Control
+:page-aliases: ROOT:export.adoc
 :description: Stackable Data Platform is exempt from US EAR export controls due to its publicly available status and use of standard encryption. Code is open source on GitHub.
 
 == USA
diff --git a/modules/compliance/pages/index.adoc b/modules/compliance/pages/index.adoc
@@ -0,0 +1,26 @@
+= Compliance
+:description: Documentation covering regulatory compliance, lifecycle policies, licensing, product specifications, and export control for the Stackable Data Platform.
+
+This section provides information about compliance, licensing, and regulatory aspects of the Stackable Data Platform.
+It covers regulatory requirements like the Cyber Resilience Act, lifecycle and support policies for the platform and products, licensing information for all components, detailed product specifications, and export control regulations.
+
+== Regulatory Compliance
+
+Learn about xref:cra.adoc[Cyber Resilience Act (CRA)] compliance, including how the Stackable Data Platform meets European cybersecurity requirements, product classification, and mandated information for users and market surveillance authorities.
+
+== Lifecycle and Support Policies
+
+The xref:policies.adoc[Lifecycle policies] page details support policies for SDP releases, CRD versioning, product versions, and Kubernetes/OpenShift compatibility.
+It explains the full support and maintenance phases, upgrade policies, and how security vulnerabilities and bugs are handled.
+
+== Product Information
+
+The xref:product-information.adoc[Product information] page provides detailed specifications about the Stackable Data Platform, including which components are included, supported products, installation methods, system requirements, and required external dependencies.
+
+== Licensing
+
+Find all xref:licenses.adoc[license information] for Stackable operators, stackablectl, and product images, with links to the complete license texts on GitHub.
+
+== Export Control
+
+Learn about xref:export.adoc[export control] regulations and how the Stackable Data Platform is exempt from US Export Administration Regulations due to its publicly available open source status.
diff --git a/modules/compliance/pages/licenses.adoc b/modules/compliance/pages/licenses.adoc
@@ -1,4 +1,5 @@
 = Licenses for the Stackable Data Platform
+:page-aliases: ROOT:licenses.adoc
 :description: Find licenses for all Stackable Data Platform components available on GitHub including operators, stackablectl, and Docker images.
 
 The Stackable Data Platform is open source, and the source code of all the components can be found on GitHub. Licenses are also provided alongside the source code, in a file called `LICENSE`.
diff --git a/modules/compliance/pages/policies.adoc b/modules/compliance/pages/policies.adoc
@@ -1,4 +1,5 @@
 = Lifecycle policies
+:page-aliases: ROOT:policies.adoc
 :description: Detailed lifecycle policies for Stackable Data Platform, covering SDP, CRD versioning, product support, and compatibility with Kubernetes & OpenShift.
 
 This page details lifecycle policies for the Stackable Data Platform (SDP).
diff --git a/modules/compliance/pages/product-information.adoc b/modules/compliance/pages/product-information.adoc
@@ -1,4 +1,5 @@
 = Product information
+:page-aliases: ROOT:product-information.adoc
 :description: Learn about concrete specifications of the Stackable Data Platform (SDP) as a product, which components are
 included, how they are supplied and which external dependencies exist that you as a customer need to take care of.
 
@@ -39,7 +40,7 @@ functionality for managing and control SDP: xref:commons-operator:index.adoc[Com
 xref:secret-operator:index.adoc[Secret] and xref:listener-operator:index.adoc[Listener] Operator.
 
 The pages linked above also detail the use cases and features supported by each component. You can find additional
-information in the xref:release_notes.adoc[release notes]. Refer to the xref:operators:supported_versions.adoc[list of
+information in the xref:ROOT:release_notes.adoc[release notes]. Refer to the xref:operators:supported_versions.adoc[list of
 supported product versions] to find out which product versions are supported.
 
 
@@ -106,16 +107,16 @@ components.
 A Kubernetes cluster is required to install the Stackable Data Platform.
 The supported Kubernetes versions for each platform release can be found here:
 
-xref:release-notes.adoc[SDP Release notes]
+xref:ROOT:release-notes.adoc[SDP Release notes]
 
 There are various Kubernetes distributions.
 The following distributions are supported for a production setup of the Stackable Data Platform:
 
-include::partial$supported-kubernetes-distributions.adoc[]
+include::ROOT:partial$supported-kubernetes-distributions.adoc[]
 
 These Kubernetes distributions are not officially tested by us but based on community feedback have been known to work. Some might require extra steps, please refer to the detailed pages for more information. Please contact us if you're interested in official support for any of these:
 
-include::partial$tested-kubernetes-distributions.adoc[]
+include::ROOT:partial$tested-kubernetes-distributions.adoc[]
 
 === Product specific dependencies
 
diff --git a/supplemental-ui/partials/navbar.hbs b/supplemental-ui/partials/navbar.hbs
@@ -69,12 +69,27 @@
     </div>
 </div>
 <div class="navbar-item has-dropdown is-hoverable">
-    <a class="navbar-link" href="#">Policies and Licenses</a>
+    <a class="navbar-link" href="#">Compliance</a>
     <div class="navbar-dropdown">
-        <a class="navbar-item" href="{{{ relativize "/home/stable/product-information" }}}">Product Information</a>
+        <a class="navbar-item" href="{{{ relativize "/home/stable/compliance/product-information" }}}">Product Information</a>
+        {{#if (or
+            (eq page.version "23.1")
+            (eq page.version "23.4")
+            (eq page.version "23.7")
+            (eq page.version "23.11")
+            (eq page.version "24.3")
+            (eq page.version "24.7")
+            (eq page.version "24.11")
+            (eq page.version "25.3")
+            (eq page.version "25.7")
+        )}}
         <a class="navbar-item" href="{{{ relativize (versioned "home" page "policies.html") }}}">Policies</a>
-        <a class="navbar-item" href="{{{ relativize "/home/stable/licenses" }}}">Licenses</a>
-        <a class="navbar-item" href="{{{ relativize "/home/stable/export" }}}">Export Control</a>
+        {{else}}
+        <a class="navbar-item" href="{{{ relativize (versioned "home" page "compliance/policies.html") }}}">Policies</a>
+        {{/if}}
+        <a class="navbar-item" href="{{{ relativize "/home/stable/compliance/licenses" }}}">Licenses</a>
+        <a class="navbar-item" href="{{{ relativize "/home/stable/compliance/export" }}}">Export Control</a>
+        <a class="navbar-item" href="{{{ relativize "/home/stable/compliance/cra" }}}">Cyber Resilience Act</a>
     </div>
 </div>
 <div class="navbar-item has-dropdown is-hoverable">
