Add doc on encrypting OS disks on Azure VMs

Signed-off-by: Bryan Cox <brcox@redhat.com>
bryan-cox · Jan 2, 2024 · 2acb5ff · 2acb5ff
1 parent f9cccc5
commit 2acb5ff
Show file tree

Hide file tree

Showing 3 changed files with 103 additions and 26 deletions.
diff --git a/docs/content/how-to/azure/create-azure-cluster-with-options.md b/docs/content/how-to/azure/create-azure-cluster-with-options.md
@@ -0,0 +1,102 @@
+# Create an Azure cluster with Additional Options
+This document describes how to set up an Azure cluster with Hypershift with additional flag options. 
+
+Creating an Azure cluster with Hypershift without any additional flag options can be found [here](create-azure-cluster.md).
+
+## Prerequisites
+See the Prerequisites section in [Create an Azure Cluster](./create-azure-cluster.md#prerequisites)
+
+## Creating the Cluster in an Existing Resource Group
+If you want to use an existing resource group you've created in Azure, you can pass the name into the `--resource-group-name` flag. This will create all needed Azure infrastructure in specified resource group.
+
+```
+hypershift create cluster azure \ 
+--name <cluster_name> \
+--pull-secret <pull_secret_file> \
+--azure-creds <path_to_azure_credentials_file> \
+--location <location> \
+--base-domain <base_domain> \
+--release-image <release_image> \
+--node-pool-replicas <number_of_replicas> \
+--resource-group-name <my_existing_resource_group>
+```
+
+If you need to delete your hosted cluster, you will need to also use the `--resource-group-name` flag on the delete command.
+
+```
+hypershift destroy cluster azure \
+--name <cluster_name> \ 
+--azure-creds <path_to_azure_credentials_file> \
+--resource-group-name <my_existing_resource_group>
+```
+
+!!! note
+
+    If you delete your hosted cluster, it will end up deleting any existing resources prior to when the hosted cluster was created as well as the resource group itself.
+
+## Encrypting the OS Disks on Azure VMs
+There are a few prerequisites for encrypting the OS disks on the Azure VMs:
+
+1. Create your own resource group
+2. Create an Azure Key Vault, with purge protection required, within the resource group
+3. Create a key in the vault to use to create a DiskEncryptionSet
+4. Create a DiskEncryptionSet with key in the vault and grant it permissions to assess the key vault
+
+!!! note
+
+    You will need to use the `resource-group-name` flag when using the `DiskEncryptionSetID` flag.
+
+After performing these steps, you just need to provide the DiskEncryptionSet ID when creating a hosted cluster.
+
+### CLI Example
+```
+hypershift create cluster azure \
+--name <cluster_name> \
+--pull-secret <pull_secret_file> \
+--azure-creds <path_to_azure_credentials_file> \
+--location <location> \
+--base-domain <base_domain> \
+--release-image <release_image> \
+--node-pool-replicas <number_of_replicas> \
+--resource-group-name <resource_group_name> \
+--disk-encryption-set-id <disk_encryption_set_id>
+```
+
+You can also pass in the DiskEncryptionSet ID when creating a NodePool.
+
+```
+hypershift create nodepool azure \
+--name <name_of_nodepool> \
+--cluster-name <cluster_name> \
+--resource-group-name <resource_group_name> \
+--disk-encryption-set-id <disk_encryption_set_id>
+```
+
+### NodePool CR Example
+The DiskEncryptionSet ID can also be set directly through the NodePool CR. 
+
+```
+apiVersion: hypershift.openshift.io/v1beta1
+kind: NodePool
+metadata:
+  creationTimestamp: null
+  name: <nodepool_name>
+  namespace: clusters
+spec:
+  arch: amd64
+  clusterName: <cluster_name>
+  management:
+    autoRepair: false
+    upgradeType: Replace
+  platform:
+    azure:
+      diskEncryptionSetID: <disk_encryption_set_id>
+      diskSizeGB: 120
+      vmsize: Standard_D4s_v4
+    type: Azure
+  release:
+    image: <release_image>
+  replicas: <number_of_replicas>
+status:
+  replicas: 0
+```
diff --git a/docs/content/how-to/azure/create-azure-cluster.md b/docs/content/how-to/azure/create-azure-cluster.md
@@ -36,29 +36,3 @@ hypershift create cluster azure --pull-secret <pull_secret_file> \
 --node-pool-replicas 3 \
 --external-dns-domain=<service_provider_domain>
 ```
-
-## Creating the Cluster in an Existing Resource Group
-If you want to use an existing resource group you've created in Azure, you can pass the name into the `--resource-group-name` flag. This will create all needed Azure infrastructure in specified resource group.
-
-```
-hypershift create cluster azure --pull-secret <pull_secret_file> \
---name <cluster_name> \
---azure-creds <path_to_azure_credentials_file> \
---location eastus --base-domain <base_domain> \
---release-image <release_image> \
---node-pool-replicas 3 \
---resource-group-name <my_existing_resource_group>
-```
-
-If you need to delete your hosted cluster, you will need to also use the `--resource-group-name` flag on the delete command.
-
-```
-hypershift destroy cluster azure \
---name $CLUSTER_NAME \ 
---azure-creds $AZURE_CREDS \
---resource-group-name <my_existing_resource_group>
-```
-
-!!! note
-
-    If you delete your hosted cluster, it will end up deleting any existing resources prior to when the hosted cluster was created as well as the resource group itself.
diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml
@@ -74,6 +74,7 @@ nav:
     - how-to/aws/create-aws-hosted-cluster-arm-workers.md
   - 'Azure':
     - how-to/azure/create-azure-cluster.md
+    - how-to/azure/create-azure-cluster-with-options.md
   - 'Agent':
     - how-to/agent/create-agent-cluster.md
   - 'Disconnected':