openshift-docs/modules/installation-azure-finalizing-encryption.adoc

//Module included in the following assemblies:
//
// * installing/installing_azure/installing-azure-customizations.adoc
// * installing/installing_azure/installing-azure-government-region.adoc
// * installing/installing_azure/installing-azure-network-customizations.adoc
// * installing/installing_azure/installing-azure-private.adoc
// * installing/installing_azure/installing-azure-vnet.adoc


ifeval::["{context}" == "installing-azure-customizations"]
:azure-public:
endif::[]
ifeval::["{context}" == "installing-azure-government-region"]
:azure-gov:
endif::[]
ifeval::["{context}" == "installing-azure-network-customizations"]
:azure-public:
endif::[]
ifeval::["{context}" == "installing-azure-private"]
:azure-public:
endif::[]
ifeval::["{context}" == "installing-azure-vnet"]
:azure-public:
endif::[]

:_mod-docs-content-type: PROCEDURE
[id="finalizing-encryption_{context}"]
= Finalizing user-managed encryption after installation
If you installed {product-title} using a user-managed encryption key, you can complete the installation by creating a new storage class and granting write permissions to the Azure cluster resource group.

.Procedure

. Obtain the identity of the cluster resource group used by the installer:
.. If you specified an existing resource group in `install-config.yaml`, obtain its Azure identity by running the following command:
+
[source,terminal]
----
$ az identity list --resource-group "<existing_resource_group>"
----
.. If you did not specify a existing resource group in `install-config.yaml`, locate the resource group that the installer created, and then obtain its Azure identity by running the following commands:
+
[source,terminal]
----
$ az group list
----
+
[source,terminal]
----
$ az identity list --resource-group "<installer_created_resource_group>"
----
+
. Grant a role assignment to the cluster resource group so that it can write to the Disk Encryption Set by running the following command:
+
[source,terminal]
----
$ az role assignment create --role "<privileged_role>" \// <1>
    --assignee "<resource_group_identity>" <2>
----
<1> Specifies an Azure role that has read/write permissions to the disk encryption set. You can use the `Owner` role or a custom role with the necessary permissions.
<2> Specifies the identity of the cluster resource group.
+
. Obtain the `id` of the disk encryption set you created prior to installation by running the following command:
+
[source,terminal]
----
$ az disk-encryption-set show -n <disk_encryption_set_name> \// <1>
     --resource-group <resource_group_name> <2>
----
<1> Specifies the name of the disk encryption set.
<2> Specifies the resource group that contains the disk encryption set.
The `id` is in the format of `"/subscriptions/.../resourceGroups/.../providers/Microsoft.Compute/diskEncryptionSets/..."`.
+
. Obtain the identity of the cluster service principal by running the following command:
+
[source,terminal]
----
$ az identity show -g <cluster_resource_group> \// <1>
     -n <cluster_service_principal_name> \// <2>
     --query principalId --out tsv
----
<1> Specifies the name of the cluster resource group created by the installation program.
<2> Specifies the name of the cluster service principal created by the installation program.
The identity is in the format of `12345678-1234-1234-1234-1234567890`.
ifdef::azure-gov[]
. Create a role assignment that grants the cluster service principal `Contributor` privileges to the disk encryption set by running the following command:
+
[source,terminal]
----
$ az role assignment create --assignee <cluster_service_principal_id> \// <1>
     --role 'Contributor' \//
     --scope <disk_encryption_set_id> \// <2>
----
<1> Specifies the ID of the cluster service principal obtained in the previous step.
<2> Specifies the ID of the disk encryption set.
endif::azure-gov[]
ifdef::azure-public[]
. Create a role assignment that grants the cluster service principal necessary privileges to the disk encryption set by running the following command:
+
[source,terminal]
----
$ az role assignment create --assignee <cluster_service_principal_id> \// <1>
     --role <privileged_role> \// <2>
     --scope <disk_encryption_set_id> \// <3>
----
<1> Specifies the ID of the cluster service principal obtained in the previous step.
<2> Specifies the Azure role name. You can use the `Contributor` role or a custom role with the necessary permissions.
<3> Specifies the ID of the disk encryption set.
endif::azure-public[]
+
. Create a storage class that uses the user-managed disk encryption set:
.. Save the following storage class definition to a file, for example `storage-class-definition.yaml`:
+
[source,yaml]
----
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: managed-premium
provisioner: kubernetes.io/azure-disk
parameters:
  skuname: Premium_LRS
  kind: Managed
  diskEncryptionSetID: "<disk_encryption_set_ID>" <1>
  resourceGroup: "<resource_group_name>" <2>
reclaimPolicy: Delete
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
----
<1> Specifies the ID of the disk encryption set that you created in the prerequisite steps, for example `"/subscriptions/xxxxxx-xxxxx-xxxxx/resourceGroups/test-encryption/providers/Microsoft.Compute/diskEncryptionSets/disk-encryption-set-xxxxxx"`.
<2> Specifies the name of the resource group used by the installer. This is the same resource group from the first step.
.. Create the storage class `managed-premium` from the file you created by running the following command:
+
[source,terminal]
----
$ oc create -f storage-class-definition.yaml
----
. Select the `managed-premium` storage class when you create persistent volumes to use encrypted storage.



ifeval::["{context}" == "installing-azure-customizations"]
:!azure-public:
endif::[]
ifeval::["{context}" == "installing-azure-government-region"]
:!azure-gov:
endif::[]
ifeval::["{context}" == "installing-azure-network-customizations"]
:!azure-public:
endif::[]
ifeval::["{context}" == "installing-azure-private"]
:!azure-public:
endif::[]
ifeval::["{context}" == "installing-azure-vnet"]
:!azure-public:
endif::[]