Merge pull request #17133 from sethmanheim/kmsupd2-20

Pull commits for KMS plugin updates

Author: sethmanheim

.openpublishing.redirection.azure-local.json

@@ -1734,6 +1734,181 @@
       "source_path": "azure-local/manage/storage-repair-speed.md", 
       "redirect_url": "/windows-server/storage/storage-spaces/storage-repair-speed", 
       "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/known-issues-2311.md", 
+      "redirect_url": "/azure/azure-local/known-issues", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/known-issues-2311-2.md", 
+      "redirect_url": "/azure/azure-local/known-issues", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/known-issues-2311-3.md", 
+      "redirect_url": "/azure/azure-local/known-issues", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/known-issues-2311-4.md", 
+      "redirect_url": "/azure/azure-local/known-issues", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/known-issues-2311-5.md", 
+      "redirect_url": "/azure/azure-local/known-issues", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/known-issues-2402.md", 
+      "redirect_url": "/azure/azure-local/known-issues", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/known-issues-2402-1.md", 
+      "redirect_url": "/azure/azure-local/known-issues", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/known-issues-2402-2.md", 
+      "redirect_url": "/azure/azure-local/known-issues", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/known-issues-2402-3.md", 
+      "redirect_url": "/azure/azure-local/known-issues", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/known-issues-2402-4.md", 
+      "redirect_url": "/azure/azure-local/known-issues", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/known-issues-2405.md", 
+      "redirect_url": "/azure/azure-local/known-issues", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/known-issues-2405-1.md", 
+      "redirect_url": "/azure/azure-local/known-issues", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/known-issues-2405-2.md", 
+      "redirect_url": "/azure/azure-local/known-issues", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/known-issues-2405-3.md", 
+      "redirect_url": "/azure/azure-local/known-issues", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/known-issues-2408.md", 
+      "redirect_url": "/azure/azure-local/known-issues", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/known-issues-2408-1.md", 
+      "redirect_url": "/azure/azure-local/known-issues", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/known-issues-2408-2.md", 
+      "redirect_url": "/azure/azure-local/known-issues", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/known-issues-2411.md", 
+      "redirect_url": "/azure/azure-local/known-issues", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/known-issues-2411-1.md", 
+      "redirect_url": "/azure/azure-local/known-issues", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/known-issues-2411-2.md", 
+      "redirect_url": "/azure/azure-local/known-issues", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/security-update/security-update-nov-2023.md", 
+      "redirect_url": "/azure/azure-local/security-update/security-update", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/security-update/security-update-dec-2023.md", 
+      "redirect_url": "/azure/azure-local/security-update/security-update", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/security-update/security-update-jan-2024.md", 
+      "redirect_url": "/azure/azure-local/security-update/security-update", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/security-update/security-update-feb-2024.md", 
+      "redirect_url": "/azure/azure-local/security-update/security-update", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/security-update/security-update-mar-2024.md", 
+      "redirect_url": "/azure/azure-local/security-update/security-update", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/security-update/security-update-apr-2024.md", 
+      "redirect_url": "/azure/azure-local/security-update/security-update", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/security-update/security-update-may-2024.md", 
+      "redirect_url": "/azure/azure-local/security-update/security-update", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/security-update/security-update-jun-2024.md", 
+      "redirect_url": "/azure/azure-local/security-update/security-update", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/security-update/security-update-jul-2024.md", 
+      "redirect_url": "/azure/azure-local/security-update/security-update", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/security-update/security-update-aug-2024.md", 
+      "redirect_url": "/azure/azure-local/security-update/security-update", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/security-update/security-update-sep-2024.md", 
+      "redirect_url": "/azure/azure-local/security-update/security-update", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/security-update/security-update-oct-2024.md", 
+      "redirect_url": "/azure/azure-local/security-update/security-update", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/security-update/security-update-nov-2024.md", 
+      "redirect_url": "/azure/azure-local/security-update/security-update", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/security-update/security-update-dec-2024.md", 
+      "redirect_url": "/azure/azure-local/security-update/security-update", 
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "azure-local/security-update/security-update-jan-2025.md", 
+      "redirect_url": "/azure/azure-local/security-update/security-update", 
+      "redirect_document_id": false
     }
   ]
 }

AKS-Arc/aks-edge-deployment-config-json.md

@@ -4,7 +4,7 @@ description: Description of deployment configuration JSON parameters in AKS Edge
 author: sethmanheim
 ms.author: sethm
 ms.topic: conceptual
-ms.date: 07/11/2024
+ms.date: 02/20/2025
 ms.custom: template-concept
 ---
 
@@ -21,6 +21,7 @@ You can find the complete JSON schema file at `C:\Program Files\AksEdge\aksedge-
 | `DeploymentType` |[`SingleMachineCluster` / `ScalableCluster`]| Specifies deployment type. In `ScalableCluster`, you can add more machines to the cluster infrastructure. | `SingleMachineCluster` |Single-machine and full deployment|
 | `Init.ServiceIPRangeStart` |IPv4 address `A.B.C.x`.|Reserved IP start address for your Kubernetes services. This IP range must be free on your subnet **A.B.C.0**.| None |Single-machine and full deployment|
 | `Init.ServiceIPRangeSize` |`[0-127]`|Number of reserved IP start addresses for your Kubernetes services. Based on the size, we allocate a range of free IP addresses on your subnet. | `0` |Single-machine and full deployment|
+| `Init.KmsPlugin.Enable` |Boolean| Enables the KMS plugin | false |Single-machine and full deployment|
 | `Join.ClusterJoinToken` |String|`Reserved` | None |Full deployment only|
 | `Join.DiscoveryTokenHash` |String|`Reserved`| None |Full deployment only|
 | `Join.CertificateKey` |String|`Reserved`| None |Full deployment only|

AKS-Arc/aks-edge-howto-secret-encryption.md

@@ -4,7 +4,7 @@ description: Learn how to enable the KMS plugin for AKS Edge Essentials clusters
 author: sethmanheim
 ms.author: sethm
 ms.topic: how-to
-ms.date: 02/13/2025
+ms.date: 02/20/2025
 ms.custom: template-how-to
 ms.reviewer: leslielin
 ---
@@ -25,7 +25,7 @@ This article demonstrates how to activate the KMS plugin for AKS Edge Essentials
 The KMS plugin is supported for all AKS Edge Essentials clusters, version 1.10.xxx.0 and later.
 
 > [!NOTE]
-> The KMS plugin can only be used for single node clusters. The plugin can't be used with [experimental features such as multi-node and Windows node](aks-edge-system-requirements.md#experimental-or-prerelease-features).
+> The KMS plugin can only be used for single node clusters. The plugin can't be used with [experimental features such as multi-node](aks-edge-system-requirements.md#experimental-or-prerelease-features).
 
 ## Enable the KMS plugin
 
@@ -50,6 +50,22 @@ For deployment instructions, see [Single machine deployment](aks-edge-howto-sing
 > [!NOTE]
 > You can only enable or disable the KMS plugin when you create a new deployment. Once you set the flag, it can't be changed.
 
+## Verify that the KMS plugin is enabled
+
+To verify that the KMS plugin is enabled, run the following command and ensure that the health status of **kms-providers** is **OK**:
+
+```powershell
+kubectl get --raw='/readyz?verbose'
+```
+
+```output
+[+]ping ok
+[+]Log ok
+[+]etcd ok
+[+]kms-providers ok
+[+]poststarthook/start-encryption-provider-config-automatic-reload ok
+```
+
 To create secrets in AKS Edge Essentials clusters, see [Managing Secrets using kubectl](https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/#use-raw-data) in the Kubernetes documentation.
 
 If you encounter errors, see the [Troubleshooting](#troubleshooting) section.
@@ -66,19 +82,7 @@ If there are errors with the KMS plugin, follow this procedure:
 
    If the version is older, upgrade to the latest version. For more information, see [Upgrade an AKS cluster](aks-edge-howto-update.md).
 
-1. View the `readyz` API. If the problem persists, validate that the installation succeeded. To check the health of the KMS plugin, run the following command and ensure that the health status of **kms-providers** is **OK**:
-
-   ```powershell
-   kubectl get --raw='/readyz?verbose'
-   ```
-
-   ```output
-   [+]ping ok
-   [+]Log ok
-   [+]etcd ok
-   [+]kms-providers ok
-   [+]poststarthook/start-encryption-provider-config-automatic-reload ok
-   ```
+1. View the `readyz` API. If the problem persists, verify that the KMS plugin is enabled. See the [Verify that the KMS plugin is enabled](#verify-that-the-kms-plugin-is-enabled) section.
 
    If you receive "**[-]**" before the `kms-providers` field, collect diagnostic logs for debugging. For more information, see [Get kubelet logs from cluster nodes](aks-get-kubelet-logs.md).
 

AKS-Arc/aks-edge-workload-identity.md

@@ -4,7 +4,7 @@ description: Learn how to configure an AKS Edge Essentials cluster with workload
 author: sethmanheim
 ms.author: sethm
 ms.topic: how-to
-ms.date: 02/12/2025
+ms.date: 02/20/2025
 ms.reviewer: leslielin
 
 ---

AKS-Arc/reference/aks-edge-ps/TOC.yml

@@ -42,6 +42,8 @@
     href: remove-aksedgedeployment.md
   - name: Remove-AksEdgeNode
     href: remove-aksedgenode.md
+  - name: Repair-AksEdgeKms
+    href: repair-aksedgekms.md
   - name: Set-AksEdgeNodeToDrain
     href: set-aksedgenodetodrain.md
   - name: Set-AksEdgeUpgrade

AKS-Arc/reference/aks-edge-ps/index.md

@@ -4,7 +4,7 @@ description: PowerShell cmdlets for AKS Edge Essentials
 author: rcheeran
 ms.author: rcheeran
 ms.topic: reference
-ms.date: 01/31/2023
+ms.date: 02/20/2025
 ---
 
 # AKS Edge Essentials PowerShell module
@@ -91,13 +91,17 @@ Removes the deployment from an existing cluster.
 
 Removes a local node from an existing cluster.
 
+### [Repair-AksEdgeKms](./repair-aksedgekms.md)
+
+Repairs the KMS plugin for an existing cluster.
+
 ### [Set-AksEdgeBillingPodState](./set-aksedgebillingpodstate.md)
 
- Allows AIDE front end to set Billing pod state after joining Arc through Azure CLI.
+Allows AIDE front end to set Billing pod state after joining Arc through Azure CLI.
 
 ### [Set-AksEdgeNodeConnectivityMode](./set-aksedgenodeconnectivitymode.md)
 
- Sets AKS Edge Essentials node connectivity mode.
+Sets AKS Edge Essentials node connectivity mode.
 
 ### [Set-AksEdgeNodeToDrain](./set-aksedgenodetodrain.md)
 

AKS-Arc/reference/aks-edge-ps/repair-aksedgekms.md

@@ -0,0 +1,42 @@
+---
+title: Repair-AksEdgeKms for AKS Edge
+description: The Repair-AksEdgeKms command repairs the KMS plugin for an existing cluster
+author: sethmanheim
+ms.topic: reference
+ms.date: 2/20/2025
+ms.author: sethm
+ms.lastreviewed: 2/20/2025
+ms.reviewer: khareanushka
+
+---
+
+
+# Repair-AksEdgeKms
+
+Repairs the KMS plugin for an existing cluster.
+
+## Syntax
+
+```powershell
+Repair-AksEdgeKms
+```
+
+## Description
+
+This command repairs the KMS plugin for an existing cluster. This function is supported only for single node and scalable clusters. To get the KMS plugin back to a healthy state, the command rehydrates **nodeagent** tokens required for key rotation.
+
+## Examples
+
+### Repair the KMS plugin
+
+```powershell
+Repair-AksEdgeKms
+```
+
+### CommonParameters
+
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+## Next steps
+
+[AksEdge PowerShell Reference](./index.md)