openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity

Merge pull request #104197 from openshift-cherrypick-robot/cherry-pick-104190-to-enterprise-4.21

Browse Source 
[enterprise-4.21] Added a section for day2 operator for azure disk encryption sets.
This commit is contained in:
Michael Burke
2025-12-18 15:27:00 -05:00
committed by GitHub
parent 7ad25f84ec 49bfb024e0
commit a2ac0dedfe
2 changed files with 83 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
installing/installing_azure/ipi/installing-azure-preparing-ipi.adoc
View File

@@ -36,6 +36,8 @@ include::modules/cluster-telemetry.adoc[leveloffset=+1]
* For more information about the Telemetry service, see xref:../../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring]
include::modules/installation-azure-day2-operations-diskencryptionsets.adoc[leveloffset=+1]
include::modules/installation-azure-preparing-diskencryptionsets.adoc[leveloffset=+1]
.Next steps
@@ -44,4 +46,4 @@ include::modules/installation-azure-preparing-diskencryptionsets.adoc[leveloffse
** xref:../../../installing/installing_azure/ipi/installing-azure-customizations.adoc#installing-azure-customizations[Install a cluster with customizations on installer-provisioned infrastructure]
** xref:../../../installing/installing_azure/ipi/installing-azure-vnet.adoc#installing-azure-vnet[Install a cluster into an existing VNet on installer-provisioned infrastructure]
** xref:../../../installing/installing_azure/ipi/installing-azure-private.adoc#installing-azure-private[Install a private cluster on installer-provisioned infrastructure]
** xref:../../../installing/installing_azure/ipi/installing-azure-government-region.adoc#installing-azure-government-region[Install a cluster into an government region on installer-provisioned infrastructure]
** xref:../../../installing/installing_azure/ipi/installing-azure-government-region.adoc#installing-azure-government-region[Install a cluster into an government region on installer-provisioned infrastructure]

80
modules/installation-azure-day2-operations-diskencryptionsets.adoc Normal file
View File

@@ -0,0 +1,80 @@
// Module included in the following assemblies:
//
// * installing/installing_azure/enabling-disk-encryption-sets-azure.adoc
:_mod-docs-content-type: PROCEDURE
[id="installation-azure-day2-operations-diskencryptionsets.adoc_{context}"]
= Preparing an Azure Disk Encryption Set for Day2 Operator
The {product-title} installation program can use an existing Disk Encryption Set with a user-managed key. To enable this feature, create a `DiskEncryptionSet` object in Azure and provide the key to the installation program.
.Prerequisite
* You enabled the `EncryptionAtHost` feature in your {azure-short} subscription. For more information, see "Use the Azure portal to enable end-to-end encryption using encryption at host".
.Procedure
. Mark the node from the `encyptionAtHost` cluster resource group as unschedulable by using the following command:
+
[source,terminal]
----
$ oc adm cordon <node_name>
----
. Evacuate the pods from the compute node. There are several ways to do this. For example, you can evacuate all the pods or the selected pods on a node:
+
[source,terminal]
----
$ oc adm drain <compute_node> [--pod-selector=<pod_selector>]
----
+
[NOTE]
====
For other options to evacuate pods from a node, see the "Understanding how to evacuate pods on nodes" section.
====
. De-allocate the node by running the following command:
+
[source,terminal]
----
$ az vm deallocate -n <node_name> -g <cluster_resource_group>
----
. Set the `encryptionAtHost` property to `true` by running the following command:
+
[source,terminal]
----
$ az vm update -n <node_name> -g <cluster_resource_group> --set securityProfile.encryptionAtHost=true
----
. Start the node by running the following commands:
+
[source,terminal]
----
$ az vm start -n <node_name> -g <cluster_resource_group>
----
. Mark the node as schedulable by using the following command:
+
[source,terminal]
----
$ oc adm uncordon <node_name>
----
. Verify that all cluster Operators are available:
+
[source,terminal]
----
$ oc get clusteroperators
----
+
All Operators should show `AVAILABLE=True`, `PROGRESSING=False`, and `DEGRADED=False`.
. Repeat the above steps on all the nodes that run `encryptionAtHost`.
[NOTE]
====
If you want to enable encryption for your host during cluster installation, specify the following parameters in the `install-config.yaml` file:
* `compute.platform.azure.encryptionAtHost`
* `controlPlane.platform.azure.encryptionAtHost`
* `platform.azure.defaultMachinePlatform.encryptionAtHost`
====