From 41b98c72f4c40cf0c93500e50f736c028a8f316f Mon Sep 17 00:00:00 2001
From: Michael Burke
Date: Thu, 18 Dec 2025 14:14:04 -0500
Subject: [PATCH 1/2] Added a section for day2 operator for azure disk encryption sets.
---
 .../ipi/installing-azure-preparing-ipi.adoc | 4 +-
 ...day2-operations-diskencryptionsets.adoc\n" | 80 +++++++++++++++++++
 2 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 "modules/installation-azure-day2-operations-diskencryptionsets.adoc\n"
diff --git a/installing/installing_azure/ipi/installing-azure-preparing-ipi.adoc b/installing/installing_azure/ipi/installing-azure-preparing-ipi.adoc
index 14f2a1494444..c227be096ad9 100644
--- a/installing/installing_azure/ipi/installing-azure-preparing-ipi.adoc
+++ b/installing/installing_azure/ipi/installing-azure-preparing-ipi.adoc
@@ -36,6 +36,8 @@ include::modules/cluster-telemetry.adoc[leveloffset=+1]
 * For more information about the Telemetry service, see xref:../../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring]
+include::modules/installation-azure-day2-operations-diskencryptionsets.adoc[leveloffset=+1]
+
 include::modules/installation-azure-preparing-diskencryptionsets.adoc[leveloffset=+1]
 .Next steps
@@ -44,4 +46,4 @@ include::modules/installation-azure-preparing-diskencryptionsets.adoc[leveloffse
 ** xref:../../../installing/installing_azure/ipi/installing-azure-customizations.adoc#installing-azure-customizations[Install a cluster with customizations on installer-provisioned infrastructure]
 ** xref:../../../installing/installing_azure/ipi/installing-azure-vnet.adoc#installing-azure-vnet[Install a cluster into an existing VNet on installer-provisioned infrastructure]
 ** xref:../../../installing/installing_azure/ipi/installing-azure-private.adoc#installing-azure-private[Install a private cluster on installer-provisioned infrastructure]
-** xref:../../../installing/installing_azure/ipi/installing-azure-government-region.adoc#installing-azure-government-region[Install a cluster into an government region on installer-provisioned infrastructure]
\ No newline at end of file
+** xref:../../../installing/installing_azure/ipi/installing-azure-government-region.adoc#installing-azure-government-region[Install a cluster into an government region on installer-provisioned infrastructure]
diff --git "a/modules/installation-azure-day2-operations-diskencryptionsets.adoc\n" "b/modules/installation-azure-day2-operations-diskencryptionsets.adoc\n"
new file mode 100644
index 000000000000..b9bc203bdbd4
--- /dev/null
+++ "b/modules/installation-azure-day2-operations-diskencryptionsets.adoc\n"
@@ -0,0 +1,80 @@
+//Module included in the following assemblies:
+//
+// * installing/installing_azure/enabling-disk-encryption-sets-azure.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="installation-azure-day2-operations-diskencryptionsets.adoc_{context}"]
+= Preparing an Azure Disk Encryption Set for Day2 Operator
+
+The {product-title} installation program can use an existing Disk Encryption Set with a user-managed key. To enable this feature, create a `DiskEncryptionSet` object in Azure and provide the key to the installation program.
+
+.Prerequisite
+
+* You enabled the `EncryptionAtHost` feature in your {azure-short} subscription. For more information, see "Use the Azure portal to enable end-to-end encryption using encryption at host".
+.Procedure
+
+. Mark the node from the `encyptionAtHost` cluster resource group as unschedulable by using the following command:
++
+[source,terminal]
+----
+$ oc adm cordon
+----
+
+. Evacuate the pods from the compute node. There are several ways to do this. For example, you can evacuate all the pods or the selected pods on a node:
++
+[source,terminal]
+----
+$ oc adm drain [--pod-selector=]
+----
++
+[NOTE]
+====
+For other options to evacuate pods from a node, see the "Understanding how to evacuate pods on nodes" section.
+====
+
+. De-allocate the node by running the following command:
++
+[source,terminal]
+----
+$ az vm deallocate -n -g
+----
+
+. Set the `encryptionAtHost` property to `true` by running the following command:
++
+[source,terminal]
+----
+$ az vm update -n -g --set securityProfile.encryptionAtHost=true
+----
+
+. Start the node by running the following commands:
++
+[source,terminal]
+----
+$ az vm start -n -g
+----
+
+. Mark the node as schedulable by using the following command:
++
+[source,terminal]
+----
+$ oc adm uncordon
+----
+
+. Verify that all cluster Operators are available:
++
+[source,terminal]
+----
+$ oc get clusteroperators
+----
++
+All Operators should show `AVAILABLE=True`, `PROGRESSING=False`, and `DEGRADED=False`.
+
+. Repeat the above steps on all the nodes that run `encryptionAtHost`.
+
+[NOTE]
+====
+If you want to enable encryption for your host during cluster installation, specify the following parameters in the `install-config.yaml` file:
+* `compute.platform.azure.encryptionAtHost`
+* `controlPlane.platform.azure.encryptionAtHost`
+* `platform.azure.defaultMachinePlatform.encryptionAtHost`
+====
From 5f046b432fc78a9bdd4875870702a1802ee2cb8e Mon Sep 17 00:00:00 2001
From: Michael Burke
Date: Thu, 18 Dec 2025 14:34:57 -0500
Subject: [PATCH 2/2] build error
---
 .../installation-azure-day2-operations-diskencryptionsets.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename "modules/installation-azure-day2-operations-diskencryptionsets.adoc\n" => modules/installation-azure-day2-operations-diskencryptionsets.adoc (98%)
diff --git "a/modules/installation-azure-day2-operations-diskencryptionsets.adoc\n" b/modules/installation-azure-day2-operations-diskencryptionsets.adoc
similarity index 98%
rename from "modules/installation-azure-day2-operations-diskencryptionsets.adoc\n"
rename to modules/installation-azure-day2-operations-diskencryptionsets.adoc
index b9bc203bdbd4..3d24cd45a418 100644
--- "a/modules/installation-azure-day2-operations-diskencryptionsets.adoc\n"
+++ b/modules/installation-azure-day2-operations-diskencryptionsets.adoc
@@ -1,4 +1,4 @@
-//Module included in the following assemblies:
+// Module included in the following assemblies:
 //
 // * installing/installing_azure/enabling-disk-encryption-sets-azure.adoc