Commit 8bce5c5

committed
Added a section for day2 operator for Azure disk encryption sets.
1 parent 21a925a commit 8bce5c5

2 files changed

+98
-0
lines changed

Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
:_mod-docs-content-type: ASSEMBLY
2+
[id="enabling-user-managed-encryption-azure"]
3+
= Enabling user-managed encryption for Azure
4+
include::_attributes/common-attributes.adoc[]
5+
:context: enabling-user-managed-encryption-azure
6+
7+
toc::[]
8+
9+
In {product-title} version {product-version}, you can install a cluster with a user-managed encryption key in Azure. To enable this feature, you can prepare an Azure DiskEncryptionSet before installation, modify the `install-config.yaml` file, and then complete the installation.
10+
11+
include::modules/installation-azure-preparing-diskencryptionsets.adoc[leveloffset=+1]
12+
13+
include::modules/installation-azure-day2-operations-diskencryptionsets.adoc[leveloffset=+1]
14+
15+
[id="enabling-disk-encrytpion-additional-resources"]
16+
== Additional resources
17+
18+
* link:https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-cli#prerequisites[Use the Azure portal to enable end-to-end encryption using encryption at host]
19+
20+
[id="enabling-disk-encryption-sets-azure-next-steps"]
21+
== Next steps
22+
23+
* Install an {product-title} cluster:
24+
** xref:../../installing/installing_azure/installing-azure-customizations.adoc#installing-azure-customizations[Install a cluster with customizations on installer-provisioned infrastructure]
25+
** xref:../../installing/installing_azure/installing-azure-network-customizations.adoc#installing-azure-network-customizations[Install a cluster with network customizations on installer-provisioned infrastructure]
26+
** xref:../../installing/installing_azure/installing-azure-vnet.adoc#installing-azure-vnet[Install a cluster into an existing VNet on installer-provisioned infrastructure]
27+
** xref:../../installing/installing_azure/installing-azure-private.adoc#installing-azure-private[Install a private cluster on installer-provisioned infrastructure]
28+
** xref:../../installing/installing_azure/installing-azure-government-region.adoc#installing-azure-government-region[Install a cluster into an government region on installer-provisioned infrastructure]
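Review bot: the introduction ("you can prepare an Azure DiskEncryptionSet before installation, modify the `install-config.yaml` file, and then complete the installation") describes only the install-time path, yet this commit adds a second include, `installation-azure-day2-operations-diskencryptionsets.adoc`, whose procedure enables encryption at host on nodes of a cluster that is already running; add a sentence stating that the setting can also be enabled on existing nodes after installation so the assembly text matches its modules. Two further nits in this hunk: the anchor `[id="enabling-disk-encrytpion-additional-resources"]` misspells "encryption", and because anchors are what xrefs target it is cheaper to fix now than after something links to it; and the last xref text reads "into an government region", which should be "into a government region".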
Lines changed: 70 additions & 0 deletions
@@ -0,0 +1,70 @@
1+
//Module included in the following assemblies:
2+
//
3+
// * installing/installing_azure/enabling-disk-encryption-sets-azure.adoc
4+
5+
:_mod-docs-content-type: PROCEDURE
6+
[id="preparing-disk-encryption-sets-day2-operator"]
7+
= Preparing an Azure Disk Encryption Set for Day2 operator
8+
The {product-title} installer can use an existing Disk Encryption Set with a user-managed key. To enable this feature, you can create a Disk Encryption Set in Azure and provide the key to the installer.
9+
10+
.Prerequisite
11+
12+
* The `EncryptionAtHost` feature must be enabled in your Azure subscription. For more information, see "Use the Azure portal to enable end-to-end encryption using encryption at host".
13+
14+
.Procedure
15+
16+
. Mark the node from the `encyptionATHost` cluster resource group as unschedulable using the following command:
17+
+
18+
[source,terminal]
19+
----
20+
$ oc adm cordon <node_name>
21+
----
22+
23+
. Drain the node to safely evacuate running pods:
24+
+
25+
[source,terminal]
26+
----
27+
$ oc adm drain <node_name> --ignore-daemonsets --delete-emptydir-data
28+
----
29+
30+
. De-allocate the node using the following command:
31+
+
32+
[source,terminal]
33+
----
34+
$ az vm deallocate -n <node_name> -g <cluster_resource_group>
35+
----
36+
37+
. Set the `encryptionAtHost` property to `true` using the following command:
38+
+
39+
[source,terminal]
40+
----
41+
$ az vm update -n <node_name> -g <cluster_resource_group> --set securityProfile.encryptionAtHost=true
42+
----
43+
44+
. Start the node by running the following commands:
45+
+
46+
[source,terminal]
47+
----
48+
$ az vm start -n <node_name> -g <cluster_resource_group>
49+
----
50+
51+
. Mark the node as schedulable using the follwoing command:
52+
+
53+
[source,terminal]
54+
----
55+
$ oc adm uncordon <node_name>
56+
----
57+
58+
. Make sure that all the operators are available.
59+
60+
. Repeat the above steps on all the nodes of the `encryptionAtHost`.
61+
62+
[NOTE]
63+
====
64+
If you want to enable encryption at host during installation, set the following fields in the `install-config.yaml` file:
65+
66+
* `compute.platform.azure.encryptionAtHost`
67+
* `controlPlane.platform.azure.encryptionAtHost`
68+
* `platform.azure.defaultMachinePlatform.encryptionAtHost`
69+
70+
====
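Review bot: the module title "Preparing an Azure Disk Encryption Set for Day2 operator" and the opening paragraph describe providing a user-managed key in a Disk Encryption Set to the installer, but every step below sets `securityProfile.encryptionAtHost=true` on existing VMs with `az vm update` and never touches a Disk Encryption Set or a key; retitle it along the lines of "Enabling encryption at host on existing nodes" (and "Day 2 operations" rather than "Day2 operator") and rewrite the intro to say what the procedure does, otherwise a reader will run a node-by-node drain cycle expecting a key change. Three wording problems in the steps: "Mark the node from the `encyptionATHost` cluster resource group" misspells the property and does not say which set of nodes is meant, "Repeat the above steps on all the nodes of the `encryptionAtHost`" is cut off (presumably "all the nodes of the cluster"), and "follwoing" in the uncordon step. The procedure also lacks verification: "Make sure that all the operators are available" gives no command, so suggest `oc get clusteroperators` there, and before the uncordon step add a check that the change took effect, for example `az vm show -n <node_name> -g <cluster_resource_group> --query securityProfile.encryptionAtHost`, plus `oc get node <node_name>` to confirm the node is `Ready` again. Because the steps deallocate the VM and nothing distinguishes control-plane from compute nodes, state explicitly that nodes are processed one at a time, waiting for each to return to `Ready` and for the operators to settle, so that control-plane availability is not put at risk. Finally, since `az vm update` changes the VM outside the cluster's own machine management, it is worth stating whether the corresponding machine set's provider spec also needs `encryptionAtHost` set so that replacement nodes created later inherit the setting; the closing note covers only the install-config fields used at installation time.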
