Added a section for day2 operator for azure disk encryption sets.

Author: subhtk

_topic_maps/_topic_map.yml

@@ -251,6 +251,8 @@ Topics:
     File: preparing-to-install-on-azure
   - Name: Configuring an Azure account
     File: installing-azure-account
+  - Name: Enabling user-managed encryption for Azure
+    File: enabling-user-managed-encryption-azure
   - Name: Installer-provisioned infrastructure
     Dir: ipi
     Distros: openshift-origin,openshift-enterprise

installing/installing_azure/enabling-user-managed-encryption-azure.adoc

@@ -0,0 +1,30 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="enabling-user-managed-encryption-azure"]
+= Enabling user-managed encryption for Azure
+include::_attributes/common-attributes.adoc[]
+:context: enabling-user-managed-encryption-azure
+
+toc::[]
+
+In {product-title} version {product-version}, you can install a cluster with a user-managed encryption key in Azure. To enable this feature, you can prepare an Azure `DiskEncryptionSet` before installation, modify the `install-config.yaml` file, and then complete the installation.
+
+include::modules/installation-azure-preparing-diskencryptionsets.adoc[leveloffset=+1]
+
+include::modules/installation-azure-day2-operations-diskencryptionsets.adoc[leveloffset=+1]
+
+[id="enabling-disk-encrytpion-additional-resources"]
+== Additional resources
+
+* link:https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-cli#prerequisites[Use the Azure portal to enable end-to-end encryption using encryption at host]
+
+* xref:../../nodes/nodes/nodes-nodes-working.adoc#nodes-nodes-working-evacuating_nodes-nodes-working[Understanding how to evacuate pods on nodes]
+
+[id="enabling-disk-encryption-sets-azure-next-steps"]
+== Next steps
+
+* Install an {product-title} cluster:
+** xref:../../installing/installing_azure/ipi/installing-azure-customizations.adoc#installing-azure-customizations[Install a cluster with customizations on installer-provisioned infrastructure]
+** xref:../../installing/installing_azure/ipi/installing-azure-network-customizations.adoc#installing-azure-network-customizations[Install a cluster with network customizations on installer-provisioned infrastructure]
+** xref:../../installing/installing_azure/ipi/installing-azure-vnet.adoc#installing-azure-vnet[Install a cluster into an existing VNet on installer-provisioned infrastructure]
+** xref:../../installing/installing_azure/ipi/installing-azure-private.adoc#installing-azure-private[Install a private cluster on installer-provisioned infrastructure]
+** xref:../../installing/installing_azure/ipi/installing-azure-government-region.adoc#installing-azure-government-region[Install a cluster into an government region on installer-provisioned infrastructure]

modules/installation-azure-day2-operations-diskencryptionsets.adoc

@@ -0,0 +1,72 @@
+//Module included in the following assemblies:
+//
+// * installing/installing_azure/enabling-disk-encryption-sets-azure.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="preparing-disk-encryption-sets-day2-operator_{context}"]
+= Preparing an Azure Disk Encryption Set for Day2 Operator
+The {product-title} installer can use an existing Disk Encryption Set with a user-managed key. To enable this feature, create a `DiskEncryptionSet` in Azure and provide the key to the installer. 
+
+.Prerequisite
+
+* The `EncryptionAtHost` feature must be enabled in your Azure subscription. For more information, see "Use the Azure portal to enable end-to-end encryption using encryption at host".
+
+.Procedure
+
+. Mark the node from the `encyptionAtHost` cluster resource group as unschedulable using the following command:
++
+[source,terminal]
+----
+$ oc adm cordon <node_name>
+----
+
+. Evacuate the pods from the compute node. There are several ways to do this. For example, you can evacuate all or selected pods on a node: 
++
+[source,terminal]
+----
+$ oc adm drain <compute_node> [--pod-selector=<pod_selector>]
+----
++
+See the "Understanding how to evacuate pods on nodes" section for other options to evacuate pods from a node. 
+
+. De-allocate the node by running the following command:
++
+[source,terminal]
+----
+$ az vm deallocate -n <node_name> -g <cluster_resource_group>
+----
+
+. Set the `encryptionAtHost` property to `true` by running the following command:
++
+[source,terminal]
+----
+$ az vm update -n <node_name> -g <cluster_resource_group> --set securityProfile.encryptionAtHost=true
+----
+
+. Start the node by running the following commands:
++
+[source,terminal]
+----
+$ az vm start -n <node_name> -g <cluster_resource_group>
+----
+
+. Mark the node as schedulable using the follwoing command:
++
+[source,terminal]
+----
+$ oc adm uncordon <node_name>
+----
+
+. Make sure that all the operators are available.
+
+. Repeat the above steps on all the nodes of the `encryptionAtHost`.
+
+[NOTE]
+====
+If you want to enable encryption at host during installation, set the following fields in the `install-config.yaml` file:
+
+* `compute.platform.azure.encryptionAtHost`
+* `controlPlane.platform.azure.encryptionAtHost`
+* `platform.azure.defaultMachinePlatform.encryptionAtHost`
+
+====