Commit a2d8edb

Added a section for day2 operator for azure disk encryption sets.
1 parent c1943a2 commit a2d8edb

2 files changed

+72
-0
lines changed


installing/installing_azure/enabling-user-managed-encryption-azure.adoc

Lines changed: 2 additions & 0 deletions
@@ -10,6 +10,8 @@ In {product-title} version {product-version}, you can install a cluster with a u
1010

1111
include::modules/installation-azure-preparing-diskencryptionsets.adoc[leveloffset=+1]
1212

13+
include::modules/installation-azure-day2-operations-diskencryptionsets.adoc[leveloffset=+1]
14+
1315
[id="enabling-disk-encryption-sets-azure-next-steps"]
1416
== Next steps
1517
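Review bot: the include is added to `enabling-user-managed-encryption-azure.adoc`, but the module being included declares a different assembly in its header comment (`// * installing/installing_azure/enabling-disk-encryption-sets-azure.adoc`), so one of the two paths needs to be corrected before merge or the "Module included in the following assemblies" bookkeeping is wrong from day one. Also worth checking that the new module fits this assembly: the assembly is about user-managed disk encryption sets, while the procedure in the new module sets `securityProfile.encryptionAtHost`, which is a separate Azure feature; if it stays here, the assembly intro should say so.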

Lines changed: 70 additions & 0 deletions
@@ -0,0 +1,70 @@
1+
//Module included in the following assemblies:
2+
//
3+
// * installing/installing_azure/enabling-disk-encryption-sets-azure.adoc
4+
5+
:_mod-docs-content-type: PROCEDURE
6+
[id="preparing-disk-encryption-sets-day2-operator"]
7+
= Preparing an Azure Disk Encryption Set for Day2 operator
8+
The {product-title} installer can use an existing Disk Encryption Set with a user-managed key. To enable this feature, you can create a Disk Encryption Set in Azure and provide the key to the installer.
9+
10+
.Prerequisite
11+
12+
* To enable encryption at host by using system managed key during the installation, set the following fields in `install-config.yaml`:
13+
14+
.Procedure
15+
16+
. Mark the node from the `encyptionATHost` cluster resource group as unschedulable using the following command:
17+
+
18+
[source,terminal]
19+
----
20+
$ oc adm cordon <node_name>
21+
----
22+
23+
. Drain the node to safely evacuate running pods:
24+
+
25+
[source,terminal]
26+
----
27+
$ oc adm drain <node_name> --ignore-daemonsets --delete-emptydir-data
28+
----
29+
30+
. De-allocate the node using the following command:
31+
+
32+
[source,terminal]
33+
----
34+
$ az vm deallocate -n <node_name> -g <cluster_resource_group>
35+
----
36+
37+
. Set the `encryptionAtHost` property to `true` using the following command:
38+
+
39+
[source,terminal]
40+
----
41+
$ az vm update -n <node_name> -g <cluster_resource_group> --set securityProfile.encryptionAtHost=true
42+
----
43+
44+
. Start the node by running the following commands:
45+
+
46+
[source,terminal]
47+
----
48+
$ az vm start -n <node_name> -g <cluster_resource_group>
49+
----
50+
51+
. Mark the node as schedulable using the follwoing command:
52+
+
53+
[source,terminal]
54+
----
55+
$ oc adm uncordon <node_name>
56+
----
57+
58+
. Make sure that all the operators are available.
59+
60+
. Repeat the above steps on all the nodes of the `encryptionAtHost`.
61+
62+
[NOTE]
63+
====
64+
If you want to enable encryption at host during installation, set the following fields in the `install-config.yaml` file:
65+
66+
* `compute.platform.azure.encryptionAtHost`
67+
* `controlPlane.platform.azure.encryptionAtHost`
68+
* `platform.azure.defaultMachinePlatform.encryptionAtHost`
69+
70+
====
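Review bot: the title and intro do not match the steps. The heading says "Preparing an Azure Disk Encryption Set for Day2 operator" and the first paragraph talks about an existing Disk Encryption Set with a user-managed key, but every command that follows enables encryption at host (`--set securityProfile.encryptionAtHost=true`), which is not a disk encryption set and does not involve a customer key; retitle the module (for example "Enabling encryption at host on existing nodes as a day-2 operation") and rewrite the intro to describe what the procedure actually does. Step 1 has a typo in the resource name (`encyptionATHost` should be `encryptionAtHost`, matching step 4 and the note), and step 6 has "follwoing". The `.Prerequisite` bullet ends with a colon and no list, and it repeats the install-time fields that the trailing `[NOTE]` already lists, so drop it from the prerequisites and keep the note. Step 8 is a fragment ("all the nodes of the `encryptionAtHost`."); it should name the cluster resource group explicitly. Consider inserting a verification step between starting the VM and uncordoning it, for example `$ az vm show -n <node_name> -g <cluster_resource_group> --query securityProfile.encryptionAtHost`, so that a node is only returned to service once the property is confirmed `true`; as written, a failed `az vm update` would not be noticed. Finally, the procedure only changes VMs that already exist, so nodes created later by scaling will not have encryption at host unless the machine set configuration is updated as well; either add that step or call out the limitation.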
