From 8f5926683f81ee27319c25d44f0a440169e71edd Mon Sep 17 00:00:00 2001
From: subhtk
Date: Tue, 27 Feb 2024 00:53:09 +0530
Subject: [PATCH 1/4] Added a section for day2 operator for azure disk encryption sets.
---
 _topic_maps/_topic_map.yml | 2 +
 ...nabling-user-managed-encryption-azure.adoc | 32 +++++++
 ...re-day2-operations-diskencryptionsets.adoc | 83 +++++++++++++++++++
 3 files changed, 117 insertions(+)
 create mode 100644 installing/installing_azure/enabling-user-managed-encryption-azure.adoc
 create mode 100644 modules/installation-azure-day2-operations-diskencryptionsets.adoc
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
index 02a19225872e..d1d3448690cd 100644
--- a/_topic_maps/_topic_map.yml
+++ b/_topic_maps/_topic_map.yml
@@ -251,6 +251,8 @@ Topics: File: preparing-to-install-on-azure - Name: Configuring an Azure account File: installing-azure-account + - Name: Enabling user-managed encryption for Azure + File: enabling-user-managed-encryption-azure - Name: Installer-provisioned infrastructure Dir: ipi Distros: openshift-origin,openshift-enterprise
diff --git a/installing/installing_azure/enabling-user-managed-encryption-azure.adoc b/installing/installing_azure/enabling-user-managed-encryption-azure.adoc
new file mode 100644
index 000000000000..60193660bd8d
--- /dev/null
+++ b/installing/installing_azure/enabling-user-managed-encryption-azure.adoc
@@ -0,0 +1,32 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="enabling-user-managed-encryption-azure"]
+= Enabling user-managed encryption for Azure
+include::_attributes/common-attributes.adoc[]
+:context: enabling-user-managed-encryption-azure
+
+toc::[]
+
+In {product-title} version {product-version}, you can install a cluster with a user-managed encryption key in {azure-first}. To enable this feature, you can prepare an {azure-short} `DiskEncryptionSet` before installation, modify the `install-config.yaml` file, and then complete the installation.
+
+// Preparing an Azure Disk Encryption Set
+include::modules/installation-azure-preparing-diskencryptionsets.adoc[leveloffset=+1]
+
+// Preparing an Azure Disk Encryption Set for Day2 Operator
+include::modules/installation-azure-day2-operations-diskencryptionsets.adoc[leveloffset=+1]
+
+[id="enabling-disk-encrytpion-additional-resources"]
+== Additional resources
+
+* link:https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-cli#prerequisites[Use the {azure-short} portal to enable end-to-end encryption using encryption at host] ({azure-full} documentation)
+
+* xref:../../nodes/nodes/nodes-nodes-working.adoc#nodes-nodes-working-evacuating_nodes-nodes-working[Understanding how to evacuate pods on nodes]
+
+[id="enabling-disk-encryption-sets-azure-next-steps"]
+== Next steps
+
+* Depending on your infrastructure preferences, install an {product-title} cluster by completing the instructions in one of the following documents:
+** xref:../../installing/installing_azure/ipi/installing-azure-customizations.adoc#installing-azure-customizations[Install a cluster with customizations on installer-provisioned infrastructure]
+** xref:../../installing/installing_azure/ipi/installing-azure-network-customizations.adoc#installing-azure-network-customizations[Install a cluster with network customizations on installer-provisioned infrastructure]
+** 
xref:../../installing/installing_azure/ipi/installing-azure-vnet.adoc#installing-azure-vnet[Install a cluster into an existing VNet on installer-provisioned infrastructure]
+** xref:../../installing/installing_azure/ipi/installing-azure-private.adoc#installing-azure-private[Install a private cluster on installer-provisioned infrastructure]
+** xref:../../installing/installing_azure/ipi/installing-azure-government-region.adoc#installing-azure-government-region[Install a cluster into an government region on installer-provisioned infrastructure]
diff --git a/modules/installation-azure-day2-operations-diskencryptionsets.adoc b/modules/installation-azure-day2-operations-diskencryptionsets.adoc
new file mode 100644
index 000000000000..21a2deadcb8a
--- /dev/null
+++ b/modules/installation-azure-day2-operations-diskencryptionsets.adoc
@@ -0,0 +1,83 @@
+//Module included in the following assemblies:
+//
+// * installing/installing_azure/enabling-disk-encryption-sets-azure.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="preparing-disk-encryption-sets-day2-operator_{context}"]
+= Preparing an Azure Disk Encryption Set for Day2 Operator
+
+The {product-title} installation program can use an existing Disk Encryption Set with a user-managed key. To enable this feature, create a `DiskEncryptionSet` in Azure and provide the key to the installation program.
+
+.Prerequisite
+
+* You enabled the `EncryptionAtHost` feature in your {ausre-short} subscription. For more information, see "Use the Azure portal to enable end-to-end encryption using encryption at host".
+
+.Procedure
+
+. Mark the node from the `encyptionAtHost` cluster resource group as unschedulable by using the following command:
++
+[source,terminal]
+----
+$ oc adm cordon
+----
+
+. Evacuate the pods from the compute node. There are several ways to do this. For example, you can evacuate all the pods or the selected pods on a node:
++
+[source,terminal]
+----
+$ oc adm drain [--pod-selector=]
+----
++
+[NOTE]
+====
+For other options to evacuate pods from a node, see the "Understanding how to evacuate pods on nodes" section.
+====
+
+. De-allocate the node by running the following command:
++
+[source,terminal]
+----
+$ az vm deallocate -n -g
+----
+
+. Set the `encryptionAtHost` property to `true` by running the following command:
++
+[source,terminal]
+----
+$ az vm update -n -g --set securityProfile.encryptionAtHost=true
+----
+
+. Start the node by running the following commands:
++
+[source,terminal]
+----
+$ az vm start -n -g
+----
+
+. Mark the node as schedulable by using the following command:
++
+[source,terminal]
+----
+$ oc adm uncordon
+----
+
+. 
Verify that all cluster Operators are available:
++
+[source,terminal]
+----
+$ oc get clusteroperators
+----
++
+All Operators should show `AVAILABLE=True`, `PROGRESSING=False`, and `DEGRADED=False`.
+
+. Repeat the above steps on all the nodes that run `encryptionAtHost`.
+
+[NOTE]
+====
+If you want to enable encryption for your host during cluster installation, specify the following parameters in the `install-config.yaml` file:
+
+* `compute.platform.azure.encryptionAtHost`
+* `controlPlane.platform.azure.encryptionAtHost`
+* `platform.azure.defaultMachinePlatform.encryptionAtHost`
+
+====
From 786872b26708416ef230671e7c72b309a8dcf929 Mon Sep 17 00:00:00 2001
From: Michael Burke
Date: Wed, 19 Nov 2025 16:38:27 -0500
Subject: [PATCH 2/4] Fix merge error
---
 modules/network-flow-matrix.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/network-flow-matrix.adoc b/modules/network-flow-matrix.adoc
index 2bbb7f664c80..2ea6b2d7a0d8 100644
--- a/modules/network-flow-matrix.adoc
+++ b/modules/network-flow-matrix.adoc
@@ -102,4 +102,4 @@ In addition to the base network flows, the following matrix describes the ingres
 [%header,format=csv]
 |===
 include::https://raw.githubusercontent.com/openshift-kni/commatrix/release-4.20/docs/stable/unique/aws-sno.csv[]
-|===
\ No newline at end of file
+|===
From cefa9332892e734d2c032e5f5fdaf21218881fc3 Mon Sep 17 00:00:00 2001
From: Michael Burke
Date: Wed, 19 Nov 2025 17:19:13 -0500
Subject: [PATCH 3/4] edits
---
 .../enabling-user-managed-encryption-azure.adoc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/installing/installing_azure/enabling-user-managed-encryption-azure.adoc b/installing/installing_azure/enabling-user-managed-encryption-azure.adoc
index 60193660bd8d..c0cd25fb6e00 100644
--- a/installing/installing_azure/enabling-user-managed-encryption-azure.adoc
+++ b/installing/installing_azure/enabling-user-managed-encryption-azure.adoc
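Review bot: The title and introduction of this module describe preparing a `DiskEncryptionSet` with a user-managed key for the installation program, but the procedure that follows enables `encryptionAtHost` on the VMs of a running cluster with `az vm update`, which is a different Azure feature and a day-2 task in which no installation program is involved; patch 4/4 rewords the same sentence without resolving this. Consider replacing the intro with `This procedure enables encryption at host on the nodes of an existing cluster. To use a DiskEncryptionSet with a user-managed key at installation time, see "Preparing an Azure Disk Encryption Set".` and renaming the title to match. Step 1 misspells the property as `encyptionAtHost` and "the node from the `encyptionAtHost` cluster resource group" does not say which node is meant, while the final step says "all the nodes that run `encryptionAtHost`" when the intent is presumably every node on which the property is to be enabled. Because `az vm update` changes the VM outside the Machine API, machines created later by a compute machine set (scale-out or replacement) would presumably not inherit the setting unless the machine set's provider spec is updated as well, which deserves a NOTE if that is the case. The `oc adm cordon`, `oc adm drain`, `az vm deallocate`, `az vm update` and `az vm start` commands also appear without their node, VM-name and resource-group placeholders, which may be an extraction artifact but should be checked in the source.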
@@ -6,7 +6,8 @@ include::_attributes/common-attributes.adoc[]
 toc::[]
-In {product-title} version {product-version}, you can install a cluster with a user-managed encryption key in {azure-first}. To enable this feature, you can prepare an {azure-short} `DiskEncryptionSet` before installation, modify the `install-config.yaml` file, and then complete the installation.
+[role="_abstract"]
+In {product-title} version {product-version}, you can install a cluster with a user-managed encryption key in {azure-first}. To enable this feature, you can prepare an {azure-short} disk encryption set before installation, modify the `install-config.yaml` file, and then complete the installation.
 // Preparing an Azure Disk Encryption Set
 include::modules/installation-azure-preparing-diskencryptionsets.adoc[leveloffset=+1]
From ae3f743917ac64b4585654579c42013c921806ae Mon Sep 17 00:00:00 2001
From: Michael Burke
Date: Thu, 20 Nov 2025 11:13:54 -0500
Subject: [PATCH 4/4] Removed assembly, updatd topic map; existing content was moved elsewhere
---
 _topic_maps/_topic_map.yml | 2 --
 ...nabling-user-managed-encryption-azure.adoc | 33 -------------------
 .../ipi/installing-azure-preparing-ipi.adoc | 4 ++-
 ...re-day2-operations-diskencryptionsets.adoc | 7 ++--
 4 files changed, 6 insertions(+), 40 deletions(-)
 delete mode 100644 installing/installing_azure/enabling-user-managed-encryption-azure.adoc
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
index d1d3448690cd..02a19225872e 100644
--- a/_topic_maps/_topic_map.yml
+++ b/_topic_maps/_topic_map.yml
@@ -251,8 +251,6 @@ Topics: File: preparing-to-install-on-azure - Name: Configuring an Azure account File: installing-azure-account - - Name: Enabling user-managed encryption for Azure - File: enabling-user-managed-encryption-azure - Name: Installer-provisioned infrastructure Dir: ipi Distros: openshift-origin,openshift-enterprise
diff --git a/installing/installing_azure/enabling-user-managed-encryption-azure.adoc b/installing/installing_azure/enabling-user-managed-encryption-azure.adoc
deleted file mode 100644
index c0cd25fb6e00..000000000000
--- a/installing/installing_azure/enabling-user-managed-encryption-azure.adoc
+++ /dev/null
@@ -1,33 +0,0 @@
-:_mod-docs-content-type: ASSEMBLY
-[id="enabling-user-managed-encryption-azure"]
-= Enabling user-managed encryption for Azure
-include::_attributes/common-attributes.adoc[]
-:context: enabling-user-managed-encryption-azure
-
-toc::[]
-
-[role="_abstract"]
-In {product-title} version {product-version}, you can install a cluster with a user-managed encryption key in {azure-first}. To enable this feature, you can prepare an {azure-short} disk encryption set before installation, modify the `install-config.yaml` file, and then complete the installation.
-
-// Preparing an Azure Disk Encryption Set
-include::modules/installation-azure-preparing-diskencryptionsets.adoc[leveloffset=+1]
-
-// Preparing an Azure Disk Encryption Set for Day2 Operator
-include::modules/installation-azure-day2-operations-diskencryptionsets.adoc[leveloffset=+1]
-
-[id="enabling-disk-encrytpion-additional-resources"]
-== Additional resources
-
-* link:https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-cli#prerequisites[Use the {azure-short} portal to enable end-to-end encryption using encryption at host] ({azure-full} documentation)
-
-* xref:../../nodes/nodes/nodes-nodes-working.adoc#nodes-nodes-working-evacuating_nodes-nodes-working[Understanding how to evacuate pods on nodes]
-
-[id="enabling-disk-encryption-sets-azure-next-steps"]
-== Next steps
-
-* Depending on your infrastructure preferences, install an {product-title} cluster by completing the instructions in one of the following documents:
-** xref:../../installing/installing_azure/ipi/installing-azure-customizations.adoc#installing-azure-customizations[Install a cluster with customizations on installer-provisioned infrastructure]
-** xref:../../installing/installing_azure/ipi/installing-azure-network-customizations.adoc#installing-azure-network-customizations[Install a cluster with network customizations on installer-provisioned infrastructure]
-** 
xref:../../installing/installing_azure/ipi/installing-azure-vnet.adoc#installing-azure-vnet[Install a cluster into an existing VNet on installer-provisioned infrastructure]
-** xref:../../installing/installing_azure/ipi/installing-azure-private.adoc#installing-azure-private[Install a private cluster on installer-provisioned infrastructure]
-** xref:../../installing/installing_azure/ipi/installing-azure-government-region.adoc#installing-azure-government-region[Install a cluster into an government region on installer-provisioned infrastructure]
diff --git a/installing/installing_azure/ipi/installing-azure-preparing-ipi.adoc b/installing/installing_azure/ipi/installing-azure-preparing-ipi.adoc
index 14f2a1494444..3877ddd4f6c9 100644
--- a/installing/installing_azure/ipi/installing-azure-preparing-ipi.adoc
+++ b/installing/installing_azure/ipi/installing-azure-preparing-ipi.adoc
@@ -31,6 +31,8 @@ include::modules/cli-installing-cli-macos.adoc[leveloffset=+1]
 include::modules/cluster-telemetry.adoc[leveloffset=+1]
+include::modules/installation-azure-day2-operations-diskencryptionsets.adoc[leveloffset=+1]
+
 [role="_additional-resources"]
 .Additional resources
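Review bot: The module included in this hunk tells readers to see "Use the Azure portal to enable end-to-end encryption using encryption at host" and the "Understanding how to evacuate pods on nodes" section, and the links that backed those references lived in the Additional resources of the assembly this commit deletes; this hunk adds only the include and a blank line (the diffstat shows 3 insertions for this file), so unless the `.Additional resources` list that begins at the end of the hunk already carries them, both references now point nowhere. Add `* link:https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-cli#prerequisites[Use the {azure-short} portal to enable end-to-end encryption using encryption at host] ({azure-full} documentation)` and `* xref:../../../nodes/nodes/nodes-nodes-working.adoc#nodes-nodes-working-evacuating_nodes-nodes-working[Understanding how to evacuate pods on nodes]` under that heading, using the three-level relative path the other xrefs in this file use. Placing a post-installation procedure between the telemetry module and the Additional resources of a "preparing to install" assembly also reads oddly; a one-line lead-in saying the procedure applies to an existing cluster, or a separate section, would help. The Additional resources list itself continues outside the hunk.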
@@ -44,4 +46,4 @@ include::modules/installation-azure-preparing-diskencryptionsets.adoc[leveloffse
 ** xref:../../../installing/installing_azure/ipi/installing-azure-customizations.adoc#installing-azure-customizations[Install a cluster with customizations on installer-provisioned infrastructure]
 ** xref:../../../installing/installing_azure/ipi/installing-azure-vnet.adoc#installing-azure-vnet[Install a cluster into an existing VNet on installer-provisioned infrastructure]
 ** xref:../../../installing/installing_azure/ipi/installing-azure-private.adoc#installing-azure-private[Install a private cluster on installer-provisioned infrastructure]
-** xref:../../../installing/installing_azure/ipi/installing-azure-government-region.adoc#installing-azure-government-region[Install a cluster into an government region on installer-provisioned infrastructure]
\ No newline at end of file
+** xref:../../../installing/installing_azure/ipi/installing-azure-government-region.adoc#installing-azure-government-region[Install a cluster into an government region on installer-provisioned infrastructure]
diff --git a/modules/installation-azure-day2-operations-diskencryptionsets.adoc b/modules/installation-azure-day2-operations-diskencryptionsets.adoc
index 21a2deadcb8a..ba9dda5b68d3 100644
--- a/modules/installation-azure-day2-operations-diskencryptionsets.adoc
+++ b/modules/installation-azure-day2-operations-diskencryptionsets.adoc
@@ -3,14 +3,14 @@
 // * installing/installing_azure/enabling-disk-encryption-sets-azure.adoc
 :_mod-docs-content-type: PROCEDURE
-[id="preparing-disk-encryption-sets-day2-operator_{context}"]
+[id="installation-azure-day2-operations-diskencryptionsets.adoc_{context}"]
 = Preparing an Azure Disk Encryption Set for Day2 Operator
-The {product-title} installation program can use an existing Disk Encryption Set with a user-managed key. To enable this feature, create a `DiskEncryptionSet` in Azure and provide the key to the installation program.
+The {product-title} installation program can use an existing Disk Encryption Set with a user-managed key. To enable this feature, create a `DiskEncryptionSet` object in Azure and provide the key to the installation program.
 .Prerequisite
-* You enabled the `EncryptionAtHost` feature in your {ausre-short} subscription. For more information, see "Use the Azure portal to enable end-to-end encryption using encryption at host".
+* You enabled the `EncryptionAtHost` feature in your {azure-short} subscription. For more information, see "Use the Azure portal to enable end-to-end encryption using encryption at host".
 .Procedure
@@ -79,5 +79,4 @@ If you want to enable encryption for your host during cluster installation, spec
 * `compute.platform.azure.encryptionAtHost`
 * `controlPlane.platform.azure.encryptionAtHost`
 * `platform.azure.defaultMachinePlatform.encryptionAtHost`
-
 ====
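Review bot: The new anchor `installation-azure-day2-operations-diskencryptionsets.adoc_{context}` embeds the `.adoc` file extension in the id, which no other id on this page does (compare the id it replaces and the assembly ids in patch 1/4) and which surfaces as an odd URL fragment; use `[id="installation-azure-day2-operations-diskencryptionsets_{context}"]`. The "Module included in the following assemblies" comment at the top of the hunk still names `installing/installing_azure/enabling-disk-encryption-sets-azure.adoc`, a file that is neither the assembly patch 1/4 created nor the one this commit includes the module from, so it should now read `// * installing/installing_azure/ipi/installing-azure-preparing-ipi.adoc`.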