openshift / installer

Install an OpenShift 4.x cluster
https://try.openshift.com
Apache License 2.0

Unable to install OCP 4.15 on Azure with Confidential Computing Enabled #8136

Open pietromariodambrosio opened 4 months ago

pietromariodambrosio commented 4 months ago

Version

Openshift 4.15

Platform:

Azure IPI Installation

What happened?

I tried to install an OpenShift cluster on Azure with the Confidential Computing feature enabled and a customer-managed key Disk Encryption Set to encrypt the OS disk.

I configured the install-config.yaml by adding the parameter for confidential computing:

https://docs.openshift.com/container-platform/4.15/installing/installing_azure/installing-azure-private.html#installation-azure-confidential-vms_installing-azure-private

I ran the command to create the cluster: ./openshift-install create cluster --dir config --log-level=debug

but the creation failed with this error:

ERROR Error: creating Linux Virtual Machine: (Name "clu01-test-22965-bootstrap" / Resource Group "xxxxxxxxx"): compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="Encryption Type ConfidentialVmEncryptedWithCustomerKey is not supported for server side encryption with customer managed key." Target="/subscriptions/xxxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.Compute/disks/clu01-test-22965-bootstrap_OSDisk"

I think the problem is that in the case of confidential computing I need to configure secure_vm_disk_encryption_set_id for the encryption of the OS disk (the ID of the Disk Encryption Set which should be used to encrypt this OS disk when the virtual machine is a Confidential VM).

Is it possible to add this parameter to the install-config.yaml file, instead of the standard diskEncryptionSet present in the file?

I saw that the reference variable is present in the main.tf of the bootstrap: https://github.com/openshift/installer/blob/master/data/data/azure/bootstrap/main.tf

How to reproduce it (as minimally and precisely as possible)?

Create an OCP cluster on Azure with Confidential Computing and confidential disk encryption with a customer-managed key.
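An illustrative Terraform fragment, added here and not taken from the installer's bootstrap module, showing the distinction the error message points at: a Disk Encryption Set of type ConfidentialVmEncryptedWithCustomerKey cannot be attached through the ordinary disk_encryption_set_id, and must instead be referenced through secure_vm_disk_encryption_set_id with security_encryption_type set. Resource names, region, SKU, key, NIC and image values are placeholders or assumptions.

```hcl
# Added example, not the installer's code. All names and IDs are placeholders.
# A DES intended for Confidential VMs: its key must satisfy Azure's
# confidential-disk requirements (assumption: an HSM-backed, exportable key
# with a release policy, referenced by key_vault_key_id).
resource "azurerm_disk_encryption_set" "cvm" {
  name                = "example-cvm-des"       # placeholder
  resource_group_name = "example-rg"            # placeholder
  location            = "westeurope"            # placeholder
  key_vault_key_id    = "<KEY-VAULT-KEY-ID>"    # placeholder
  encryption_type     = "ConfidentialVmEncryptedWithCustomerKey"

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_linux_virtual_machine" "bootstrap" {
  name                  = "example-bootstrap"   # placeholder
  resource_group_name   = "example-rg"          # placeholder
  location              = "westeurope"          # placeholder
  size                  = "Standard_DC4as_v5"   # assumption: a CVM-capable SKU
  admin_username        = "core"
  network_interface_ids = ["<NIC-ID>"]          # placeholder

  admin_ssh_key {
    username   = "core"
    public_key = "<SSH-PUBLIC-KEY>"             # placeholder
  }

  # Confidential VMs require Secure Boot and a vTPM.
  secure_boot_enabled = true
  vtpm_enabled        = true

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Premium_LRS"

    # Passing the CVM DES here reproduces the BadRequest from the issue:
    #   "Encryption Type ConfidentialVmEncryptedWithCustomerKey is not
    #    supported for server side encryption with customer managed key."
    # disk_encryption_set_id = azurerm_disk_encryption_set.cvm.id

    # Correct wiring for a Confidential VM: OS disk and VM guest state are
    # encrypted with the customer key through the secure-VM attribute.
    security_encryption_type         = "DiskWithVMGuestState"
    secure_vm_disk_encryption_set_id = azurerm_disk_encryption_set.cvm.id
  }

  source_image_reference {
    publisher = "<PUBLISHER>"   # placeholder: must be a CVM-compatible image
    offer     = "<OFFER>"
    sku       = "<SKU>"
    version   = "latest"
  }
}
```

The contrast between the commented-out disk_encryption_set_id line and the secure_vm_disk_encryption_set_id line is the parameter the issue asks to expose in install-config.yaml.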

openshift-bot commented 1 month ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot commented 5 days ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale