openshift · openshift-cherrypick-robot · Feb 26, 2024 · Nov 19, 2025 · Nov 19, 2025 · Nov 20, 2025
diff --git a/installing/installing_azure/ipi/installing-azure-preparing-ipi.adoc b/installing/installing_azure/ipi/installing-azure-preparing-ipi.adoc
@@ -31,6 +31,8 @@ include::modules/cli-installing-cli-macos.adoc[leveloffset=+1]
 
 include::modules/cluster-telemetry.adoc[leveloffset=+1]
 
+include::modules/installation-azure-day2-operations-diskencryptionsets.adoc[leveloffset=+1]
+
 [role="_additional-resources"]
 .Additional resources
 
@@ -44,4 +46,4 @@ include::modules/installation-azure-preparing-diskencryptionsets.adoc[leveloffse
 ** xref:../../../installing/installing_azure/ipi/installing-azure-customizations.adoc#installing-azure-customizations[Install a cluster with customizations on installer-provisioned infrastructure]
 ** xref:../../../installing/installing_azure/ipi/installing-azure-vnet.adoc#installing-azure-vnet[Install a cluster into an existing VNet on installer-provisioned infrastructure]
 ** xref:../../../installing/installing_azure/ipi/installing-azure-private.adoc#installing-azure-private[Install a private cluster on installer-provisioned infrastructure]
-** xref:../../../installing/installing_azure/ipi/installing-azure-government-region.adoc#installing-azure-government-region[Install a cluster into an government region on installer-provisioned infrastructure]
+** xref:../../../installing/installing_azure/ipi/installing-azure-government-region.adoc#installing-azure-government-region[Install a cluster into an government region on installer-provisioned infrastructure]
diff --git a/modules/installation-azure-day2-operations-diskencryptionsets.adoc b/modules/installation-azure-day2-operations-diskencryptionsets.adoc
@@ -0,0 +1,82 @@
+//Module included in the following assemblies:
+//
+// * installing/installing_azure/enabling-disk-encryption-sets-azure.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="installation-azure-day2-operations-diskencryptionsets.adoc_{context}"]
+= Preparing an Azure Disk Encryption Set for Day2 Operator
+
+The {product-title} installation program can use an existing Disk Encryption Set with a user-managed key. To enable this feature, create a `DiskEncryptionSet` object in Azure and provide the key to the installation program. 
+
+.Prerequisite
+
+* You enabled the `EncryptionAtHost` feature in your {azure-short} subscription. For more information, see "Use the Azure portal to enable end-to-end encryption using encryption at host".
+
+.Procedure
+
+. Mark the node from the `encyptionAtHost` cluster resource group as unschedulable by using the following command:
++
+[source,terminal]
+----
+$ oc adm cordon <node_name>
+----
+
+. Evacuate the pods from the compute node. There are several ways to do this. For example, you can evacuate all the pods or the selected pods on a node: 
++
+[source,terminal]
+----
+$ oc adm drain <compute_node> [--pod-selector=<pod_selector>]
+----
++
+[NOTE]
+====
+For other options to evacuate pods from a node, see the "Understanding how to evacuate pods on nodes" section. 
+====
+
+. De-allocate the node by running the following command:
++
+[source,terminal]
+----
+$ az vm deallocate -n <node_name> -g <cluster_resource_group>
+----
+
+. Set the `encryptionAtHost` property to `true` by running the following command:
++
+[source,terminal]
+----
+$ az vm update -n <node_name> -g <cluster_resource_group> --set securityProfile.encryptionAtHost=true
+----
+
+. Start the node by running the following commands:
++
+[source,terminal]
+----
+$ az vm start -n <node_name> -g <cluster_resource_group>
+----
+
+. Mark the node as schedulable by using the following command:
++
+[source,terminal]
+----
+$ oc adm uncordon <node_name>
+----
+
+. Verify that all cluster Operators are available:
++
+[source,terminal]
+----
+$ oc get clusteroperators
+----
++
+All Operators should show `AVAILABLE=True`, `PROGRESSING=False`, and `DEGRADED=False`.
+
+. Repeat the above steps on all the nodes that run `encryptionAtHost`.
+
+[NOTE]
+====
+If you want to enable encryption for your host during cluster installation, specify the following parameters in the `install-config.yaml` file:
+
+* `compute.platform.azure.encryptionAtHost`
+* `controlPlane.platform.azure.encryptionAtHost`
+* `platform.azure.defaultMachinePlatform.encryptionAtHost`
+====
diff --git a/modules/network-flow-matrix.adoc b/modules/network-flow-matrix.adoc
@@ -102,4 +102,4 @@ In addition to the base network flows, the following matrix describes the ingres
 [%header,format=csv]
 |===
 include::https://raw.githubusercontent.com/openshift-kni/commatrix/release-4.20/docs/stable/unique/aws-sno.csv[]
-|===
+|===
-Original file line number
+Diff line change
@@ Expand Up @@
     [%header,format=csv]
     |===
     include::https://raw.githubusercontent.com/openshift-kni/commatrix/release-4.20/docs/stable/unique/aws-sno.csv[]
-    |===
+    |===