Bug 1900454

Summary: Enable host-based disk encryption on Azure platform
Product: OpenShift Container Platform
Reporter: Denis <dkorzuno>
Component: Cloud Compute
Assignee: Joel Speed <jspeed>
Cloud Compute sub component: Other Providers
QA Contact: Milind Yadav <miyadav>
Status: CLOSED ERRATA
Docs Contact:
Severity: high
Priority: unspecified
CC: jspeed, mimccune, mjudeiki
Version: 4.7
Target Milestone: ---
Target Release: 4.8.0
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-07-27 22:34:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1929721

Description Denis 2020-11-23 05:05:43 UTC
Description of problem:

Customers are requesting "encryption at host" feature on Azure to enable encryption of hypervisor-local resources including scratch volumes.

This feature is already supported in other cloud offerings (AKS) and we need to include this feature to arrive at parity.

Version-Release number of selected component (if applicable):
4.6, 4.7

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
This does not work on the current release.

Expected results:
The cloud provider code supports this feature.

Additional info:
A possible solution is to add an optional parameter into the machine specification which can be used to prepare the appropriate Azure API request. I made a PR for the change which can be found here: https://github.com/openshift/cluster-api-provider-azure/pull/183.

Comment 1 Michael McCune 2020-12-04 21:30:42 UTC
the PR associated with this issue is still under review

Comment 2 Joel Speed 2020-12-17 17:13:41 UTC
We are deferring this feature to 4.8

Comment 3 Joel Speed 2021-01-06 11:26:23 UTC
As this is being deferred, unsetting target release for now

Comment 11 Milind Yadav 2021-02-22 10:58:02 UTC
Validated on:
[miyadav@miyadav ~]$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-02-21-102854   True        False         45m     Cluster version is 4.8.0-0.nightly-2021-02-21-102854


Steps:

1. Copy the existing machineset that comes with the IPI installation

oc get machineset <machineset-name> -o yaml > new_encrypt_at_rest.yaml

example-
[miyadav@miyadav ~]$ oc get machineset
NAME                                       DESIRED   CURRENT   READY   AVAILABLE   AGE
miyadav-2202-5n7qm-worker-northcentralus   3         3         3       3           52m
[miyadav@miyadav ~]$ oc get machineset miyadav-2202-5n7qm-worker-northcentralus -o yaml > rhv/azure/encry_ms.yaml

2. Create a new machineset after replacing the values below:
name -> as per choice, replicas -> as per choice

Add the following to the spec section values:
...
  publicIP: false
  securityProfile:
    encryptionAtHost: true
...

Run oc create -f new_encrypt_at_rest.yaml

3. Describe the created machine

Expected and Actual result:
[miyadav@miyadav ~]$ oc describe machine miyadav-2202-5n7qm-worker-northcentralus-e-nk4zv | grep -i "Encryption"
        Encryption At Host:  true


Additional Info:

Moved to VERIFIED
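
The machineset change verified above, as an added example that is not part of the bug report or of the provider's code: a Python helper that derives a new Azure MachineSet from an existing one (renamed, resized, server-populated fields dropped, selector and template label re-pointed at the new name) and sets providerSpec.value.securityProfile.encryptionAtHost, plus the spec-level check behind the `oc describe ... | grep -i Encryption` step. The sample document is constructed and trimmed to the fields involved; the function names are this example's own.

```python
import copy

# Constructed sample, trimmed to the fields the procedure touches; a real
# `oc get machineset <name> -o json` document carries many more.
CLUSTER = "miyadav-2202-5n7qm"
NAME = CLUSTER + "-worker-northcentralus"
MACHINESET_LABEL = "machine.openshift.io/cluster-api-machineset"
SAMPLE_MACHINESET = {
    "apiVersion": "machine.openshift.io/v1beta1",
    "kind": "MachineSet",
    "metadata": {"name": NAME, "namespace": "openshift-machine-api",
                 "resourceVersion": "12345", "uid": "placeholder-uid"},
    "spec": {
        "replicas": 3,
        "selector": {"matchLabels": {
            "machine.openshift.io/cluster-api-cluster": CLUSTER, MACHINESET_LABEL: NAME}},
        "template": {
            "metadata": {"labels": {
                "machine.openshift.io/cluster-api-cluster": CLUSTER, MACHINESET_LABEL: NAME}},
            "spec": {"providerSpec": {"value": {
                "apiVersion": "azureproviderconfig.openshift.io/v1beta1",
                "kind": "AzureMachineProviderSpec",
                "publicIP": False}}}},
    },
    "status": {"replicas": 3},
}

def derive_encrypted_machineset(source, new_name, replicas):
    """Return a copy of `source` renamed, resized and with encryptionAtHost set."""
    ms = copy.deepcopy(source)
    # Drop server-populated fields so the copy can be created as a new object.
    ms.pop("status", None)
    for key in ("resourceVersion", "uid", "selfLink", "creationTimestamp", "generation"):
        ms["metadata"].pop(key, None)
    ms["metadata"]["name"] = new_name
    ms["spec"]["replicas"] = replicas
    # Selector and template label must follow the new name, or the new set
    # would select the original set's machines as its own.
    ms["spec"]["selector"]["matchLabels"][MACHINESET_LABEL] = new_name
    ms["spec"]["template"]["metadata"]["labels"][MACHINESET_LABEL] = new_name
    # The field the fix added to AzureMachineProviderSpec, beside publicIP.
    value = ms["spec"]["template"]["spec"]["providerSpec"]["value"]
    value.setdefault("securityProfile", {})["encryptionAtHost"] = True
    return ms

def encryption_at_host_enabled(machineset):
    """Spec-level equivalent of `oc describe machine ... | grep -i Encryption`."""
    value = machineset["spec"]["template"]["spec"]["providerSpec"]["value"]
    return value.get("securityProfile", {}).get("encryptionAtHost") is True
```

Feed the returned document to `oc create -f` after serialising it; the check on the created Machine's providerSpec should then match the `Encryption At Host: true` line shown above.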

Comment 14 errata-xmlrpc 2021-07-27 22:34:24 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438