From 2acb5ff6b757e17569630f74b9aa1a5a402ffe60 Mon Sep 17 00:00:00 2001
From: Bryan Cox
Date: Tue, 5 Dec 2023 08:43:35 -0500
Subject: [PATCH] Add doc on encrypting OS disks on Azure VMs
Signed-off-by: Bryan Cox
---
 .../create-azure-cluster-with-options.md | 102 ++++++++++++++++++
 .../how-to/azure/create-azure-cluster.md | 26 -----
 docs/mkdocs.yml | 1 +
 3 files changed, 103 insertions(+), 26 deletions(-)
 create mode 100644 docs/content/how-to/azure/create-azure-cluster-with-options.md
diff --git a/docs/content/how-to/azure/create-azure-cluster-with-options.md b/docs/content/how-to/azure/create-azure-cluster-with-options.md
new file mode 100644
index 0000000000..7ead4c9bbf
--- /dev/null
+++ b/docs/content/how-to/azure/create-azure-cluster-with-options.md
@@ -0,0 +1,102 @@
+# Create an Azure cluster with Additional Options
+This document describes how to set up an Azure cluster with Hypershift with additional flag options.
+
+Creating an Azure cluster with Hypershift without any additional flag options can be found [here](create-azure-cluster.md).
+
+## Prerequisites
+See the Prerequisites section in [Create an Azure Cluster](./create-azure-cluster.md#prerequisites)
+
+## Creating the Cluster in an Existing Resource Group
+If you want to use an existing resource group you've created in Azure, you can pass the name into the `--resource-group-name` flag. This will create all needed Azure infrastructure in specified resource group.
+
+```
+hypershift create cluster azure \
+--name \
+--pull-secret \
+--azure-creds \
+--location \
+--base-domain \
+--release-image \
+--node-pool-replicas \
+--resource-group-name
+```
+
+If you need to delete your hosted cluster, you will need to also use the `--resource-group-name` flag on the delete command.
+
+```
+hypershift destroy cluster azure \
+--name \
+--azure-creds \
+--resource-group-name
+```
+
+!!! note
+
+ If you delete your hosted cluster, it will end up deleting any existing resources prior to when the hosted cluster was created as well as the resource group itself.
+
+## Encrypting the OS Disks on Azure VMs
+There are a few prerequisites for encrypting the OS disks on the Azure VMs:
+
+1. Create your own resource group
+2. Create an Azure Key Vault, with purge protection required, within the resource group
+3. Create a key in the vault to use to create a DiskEncryptionSet
+4. Create a DiskEncryptionSet with key in the vault and grant it permissions to assess the key vault
+
+!!! note
+
+ You will need to use the `resource-group-name` flag when using the `DiskEncryptionSetID` flag.
+
+After performing these steps, you just need to provide the DiskEncryptionSet ID when creating a hosted cluster.
+
+### CLI Example
+```
+hypershift create cluster azure \
+--name \
+--pull-secret \
+--azure-creds \
+--location \
+--base-domain \
+--release-image \
+--node-pool-replicas \
+--resource-group-name \
+--disk-encryption-set-id
+```
+
+You can also pass in the DiskEncryptionSet ID when creating a NodePool.
+
+```
+hypershift create nodepool azure \
+--name \
+--cluster-name \
+--resource-group-name \
+--disk-encryption-set-id
+```
+
+### NodePool CR Example
+The DiskEncryptionSet ID can also be set directly through the NodePool CR.
+
+```
+apiVersion: hypershift.openshift.io/v1beta1
+kind: NodePool
+metadata:
+ creationTimestamp: null
+ name:
+ namespace: clusters
+spec:
+ arch: amd64
+ clusterName:
+ management:
+ autoRepair: false
+ upgradeType: Replace
+ platform:
+ azure:
+ diskEncryptionSetID:
+ diskSizeGB: 120
+ vmsize: Standard_D4s_v4
+ type: Azure
+ release:
+ image:
+ replicas:
+status:
+ replicas: 0
+```
diff --git a/docs/content/how-to/azure/create-azure-cluster.md b/docs/content/how-to/azure/create-azure-cluster.md
index ef32231851..b36c27d8b8
--- a/docs/content/how-to/azure/create-azure-cluster.md
+++ b/docs/content/how-to/azure/create-azure-cluster.md
@@ -36,29 +36,3 @@ hypershift create cluster azure --pull-secret \
 --node-pool-replicas 3 \
 --external-dns-domain=
 ```
-
-## Creating the Cluster in an Existing Resource Group
-If you want to use an existing resource group you've created in Azure, you can pass the name into the `--resource-group-name` flag. This will create all needed Azure infrastructure in specified resource group.
-
-```
-hypershift create cluster azure --pull-secret \
---name \
---azure-creds \
---location eastus --base-domain \
---release-image \
---node-pool-replicas 3 \
---resource-group-name
-```
-
-If you need to delete your hosted cluster, you will need to also use the `--resource-group-name` flag on the delete command.
-
-```
-hypershift destroy cluster azure \
---name $CLUSTER_NAME \
---azure-creds $AZURE_CREDS \
---resource-group-name
-```
-
-!!! note
-
- If you delete your hosted cluster, it will end up deleting any existing resources prior to when the hosted cluster was created as well as the resource group itself.
\ No newline at end of file
diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml
index 0815375f55..2cf39a6978
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@@ -74,6 +74,7 @@ nav:
 - how-to/aws/create-aws-hosted-cluster-arm-workers.md
 - 'Azure':
 - how-to/azure/create-azure-cluster.md
+ - how-to/azure/create-azure-cluster-with-options.md
 - 'Agent':
 - how-to/agent/create-agent-cluster.md
 - 'Disconnected':