Sync release-hotfixes with main

Sync release-hotfixes with main

Author: sethmanheim

AKS-Arc/TOC.yml

@@ -76,6 +76,10 @@
           href: deploy-load-balancer-portal.md
         # - name: Troubleshoot issues
         #   href: load-balancer-troubleshoot.md
+    - name: Security
+      items:
+      - name: Encrypt etcd secrets
+        href: encrypt-etcd-secrets.md
     - name: AI and Machine Learning
       items:
       - name: Deploy an AI model with the AI toolchain operator

AKS-Arc/aks-overview.md

@@ -2,7 +2,7 @@
 title: What is AKS enabled by Azure Arc?
 description: Learn about AKS enabled by Azure Arc and available deployment options.
 ms.topic: overview
-ms.date: 04/10/2025
+ms.date: 04/14/2025
 author: sethmanheim
 ms.author: sethm 
 ms.reviewer: abha
@@ -39,16 +39,11 @@ The following list describes some of the common use cases for AKS, but is not an
 
 The available deployment options are as follows:
 
-- **AKS on Azure Local**: AKS on Azure Local uses Azure Arc to create new Kubernetes clusters on Azure Local directly from Azure. It enables you to use familiar tools like the Azure portal and Azure Resource Manager templates to create and manage your Kubernetes clusters running on Azure Local.
-- **AKS Edge Essentials**: AKS Edge Essentials includes a lightweight Kubernetes distribution with a small footprint and simple installation experience, making it easy for you to deploy Kubernetes on PC-class or "light" edge hardware.
-- **AKS on Windows Server**: Azure Kubernetes Service on Windows Server (and on Azure Local) is an on-premises Kubernetes implementation of AKS that automates running containerized applications at scale, using Windows PowerShell and Windows Admin Center. It simplifies deployment and management of AKS on Windows Server 2019/2022 Datacenter and Azure Local.
-- **AKS on VMWare (preview)**: AKS on VMware (preview) enables you to use Azure Arc to create new Kubernetes clusters on VMware vSphere. With AKS on VMware, you can manage your AKS clusters running on VMware vSphere using familiar tools like Azure CLI.
+- [**AKS on Azure Local**](aks-whats-new-local.md): AKS on Azure Local uses Azure Arc to create new Kubernetes clusters on Azure Local directly from Azure. It enables you to use familiar tools like the Azure portal and Azure Resource Manager templates to create and manage your Kubernetes clusters running on Azure Local.
+- [**AKS Edge Essentials**](aks-edge-overview.md): AKS Edge Essentials includes a lightweight Kubernetes distribution with a small footprint and simple installation experience, making it easy for you to deploy Kubernetes on PC-class or "light" edge hardware.
+- [**AKS on VMWare (preview)**](aks-vmware-overview.md): AKS on VMware (preview) enables you to use Azure Arc to create new Kubernetes clusters on VMware vSphere. With AKS on VMware, you can manage your AKS clusters running on VMware vSphere using familiar tools like Azure CLI.
+- [**AKS on Windows Server**](overview.md): AKS on Windows Server is an on-premises Kubernetes implementation of AKS that automates running containerized applications at scale, using Windows PowerShell and Windows Admin Center. It simplifies deployment and management of AKS on Windows Server 2019/2022 Datacenter.
 
 ## Next steps
 
-To get started with AKS enabled by Azure Arc, see the following deployment option overviews:
-
 - [What's new in AKS on Azure Local](aks-whats-new-local.md)
-- [AKS on Windows Server](overview.md)
-- [AKS Edge Essentials](aks-edge-overview.md)
-- [AKS on VMware (preview)](aks-vmware-overview.md)

AKS-Arc/deploy-gpu-node-pool-22h2.md

@@ -1,5 +1,5 @@
 ---
-title: Use GPUs for compute-intensive workloads
+title: Use GPUs for compute-intensive workloads in AKS on Windows Server
 description: Learn how to deploy GPU-enabled node pools in AKS on Windows Server.
 author: sethmanheim
 ms.topic: how-to
@@ -11,7 +11,7 @@ ms.lastreviewed: 03/21/2023
 # Keyword: Run GPU workloads on Kubernetes
 ---
 
-# Use GPUs for compute-intensive workloads
+# Use GPUs for compute-intensive workloads in AKS on Windows Server
 
 [!INCLUDE [aks-hybrid-applies-to-azure-stack-hci-windows-server-sku](includes/aks-hci-applies-to-skus/aks-hybrid-applies-to-azure-stack-hci-windows-server-sku.md)]
 

AKS-Arc/deploy-gpu-node-pool.md

@@ -3,7 +3,7 @@ title: Use GPUs for compute-intensive workloads in AKS on Azure Local
 description: Learn how to deploy GPU-enabled node pools in AKS enabled by Arc on Azure Local.
 author: sethmanheim
 ms.topic: how-to
-ms.date: 03/25/2025
+ms.date: 04/14/2025
 ms.author: sethm 
 ms.lastreviewed: 03/21/2025
 ms.reviewer: abha
@@ -17,7 +17,7 @@ ms.reviewer: abha
 [!INCLUDE [hci-applies-to-23h2](includes/hci-applies-to-23h2.md)]
 
 > [!NOTE]
-> For information about GPUs in AKS on Azure Local 22H2, see [Use GPUs (Azure Local 22H2)](deploy-gpu-node-pool-22h2.md).
+> For information about GPUs in AKS on Windows Server, see [Use GPUs in AKS on Windows Server](deploy-gpu-node-pool-22h2.md).
 
 Graphical Processing Units (GPU) are used for compute-intensive workloads such as machine learning, deep learning, and more. This article describes how to use GPUs for compute-intensive workloads in AKS enabled by Azure Arc.
 

AKS-Arc/encrypt-etcd-secrets.md

@@ -0,0 +1,110 @@
+---
+title: Encrypt etcd secrets for Kubernetes clusters in AKS on Azure Local
+description: Learn how to encrypt etcd secrets in AKS on Azure Local.
+author: sethmanheim
+ms.topic: how-to
+ms.date: 04/11/2025
+ms.author: sethm 
+ms.lastreviewed: 04/10/2025
+ms.reviewer: khareanushka
+# Intent: As an IT Pro, I want to learn about encrypted etcd secrets and how they are used in my AKS deployment. 
+# Keyword: etcd secrets AKS Windows Server
+
+---
+
+# How to: Encrypt etcd secrets for Kubernetes clusters
+
+[!INCLUDE [hci-applies-to-23h2](includes/hci-applies-to-23h2.md)]
+
+A [*secret*](https://kubernetes.io/docs/concepts/configuration/secret/) in Kubernetes is an object that contains a small amount of sensitive data, such as passwords and SSH keys. In the Kubernetes API server, secrets are stored in *etcd*, which is a highly available key value store used as the Kubernetes backing store for all cluster data.
+
+Azure Kubernetes Service (AKS) on Azure Local comes with encryption of etcd secrets using a **Key Management Service (KMS) plugin**. All Kubernetes clusters in Azure Local have a built-in KMS plugin enabled by default. This plugin generates the [Key Encryption Key (KEK)](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/#kms-encryption-and-per-object-encryption-keys)
+and automatically rotates it every 30 days.
+
+This article describes how to verify that the data is encrypted. For more information, see the [official Kubernetes documentation for the KMS plugin](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/).
+
+> [!NOTE]
+> The KMS plugin currently uses the KMS v1 protocol.
+
+## Before you begin
+
+Before you begin, ensure that you have the following prerequisites:
+
+- To interact with Kubernetes clusters, you must install [**kubectl**](https://kubernetes.io/docs/tasks/tools/) and [**kubelogin**](https://azure.github.io/kubelogin/install.html).
+- To view or manage secrets, ensure you have the necessary entitlements to access them. For more information, see [Access and identity](concepts-security-access-identity.md#built-in-roles).
+
+## Access your Microsoft Entra-enabled cluster
+
+Get the user credentials to access your cluster using the [az aksarc get-credentials](/cli/azure/aksarc#az-aksarc-get-credentials) command. You need the **Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action** resource, which is included in the **Azure Kubernetes Service Arc Cluster User** role permission:
+
+```azurecli
+az aksarc get-credentials --resource-group $resource_group --name $aks_cluster_name
+```
+
+## Verify that the KMS plugin is enabled
+
+To verify that the KMS plugin is enabled, run the following command and ensure that the health status of **kms-providers** is **OK**:
+
+```azurecli
+kubectl get --raw='/readyz?verbose'
+```
+
+```output
+[+]ping ok
+[+]Log ok
+[+]etcd ok
+[+]kms-providers ok
+[+]poststarthook/start-encryption-provider-config-automatic-reload ok
+```
+
+## Verify that the data is encrypted
+
+To verify that secrets and data has been encrypted using a KMS plugin, [see the Kubernetes documentation](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/#verifying-that-the-data-is-encrypted). You can use the following commands to verify that the data is encrypted:
+
+```azurecli
+kubectl exec --stdin --tty <etcd pod name> -n kube-system --etcdctl --cacert /etc/kubernetes/pki/etcd/ca.crt --key /etc/kubernetes/pki/etcd/server.key --cert /etc/kubernetes/pki/etcd/server.crt get /registry/secrets/default/db-user-pass -w fields
+```
+
+- `kubectl exec`: This is the kubectl command used to execute a command inside a running pod. It enables you to run commands within the container of a pod.
+- `--stdin`: This flag enables you to send input (stdin) to the command you are running inside the pod.
+- `--tty`: This flag allocates a TTY (terminal) for the command, making it behave as though you're interacting with a terminal session.
+- `<etcd pod name>`: to find the etcd pod name, run the following command:
+
+  ```azurecli
+   kubectl get pods -n kube-system | findstr etcd-moc
+   ```
+
+- `-n kube-system`: Specifies the namespace where the pod is located. **kube-system** is the default namespace used by Kubernetes for system components, such as etcd and other control plane services.
+- `--etcdctl`: Reads the secret from etcd. Additional fields are used for authentication before you get access to etcd.
+
+The following fields are returned in the command output:
+
+```output
+"ClusterID" : <cluster id> 
+"MemberID" : <member id> 
+"Revision" : <revision number> 
+"RaftTerm" : 2 
+"Key" : <path to the key>
+"CreateRevision" : <revision number at the time the key was created> 
+"ModRevision" :  <revision number at the time the key was modified> 
+"Version" : <version of the key-value pair in etcd> 
+"Value" : "k8s:enc:kms:v1:kms-plugin: <encrypted secret value>"  
+"Lease" : <lease associated with the secret> 
+"More" : <indicates if there are more results> 
+"Count" : <number of key-value pairs returned> 
+```
+
+After you run the command, examine the `Value` field in the output in the terminal window. This output shows the value stored in the etcd secret store for this key, which is the encrypted value of the secret. The value is encrypted using a KMS plugin. The `k8s:enc:kms:v1:` prefix indicates that Kubernetes is using the KMS v1 plugin to store the secret in an encrypted format.
+
+> [!NOTE]
+> If you use the `kubectl describe secrets` command to retrieve secrets, it returns them in base64-encoded format, but unencrypted. The `kubectl describe` command retrieves the details of a Kubernetes resource via the API server, which manages encryption and decryption automatically. For sensitive data such as secrets, even if they are mounted on a pod, the API server ensures that they are decrypted when accessed. As a result, running the `kubectl describe` command does not display secrets in their encrypted form, but rather in their decrypted form if they are being used by a resource.
+
+## Troubleshooting
+
+If you encounter any errors with the KMS plugin, follow the procedure on the [Troubleshooting page](aks-troubleshoot.md) to troubleshoot the issue.
+
+## Next steps
+
+- [Encrypt etcd secrets for Kubernetes clusters in AKS on Windows Server](encrypt-secrets.md)
+- [Deploy a Linux application on a Kubernetes cluster](deploy-linux-application.md)
+- [Deploy a Windows Server application on a Kubernetes cluster](deploy-windows-application.md)

AKS-Arc/includes/supported-gpu-models.md

@@ -2,15 +2,15 @@
 author: sethmanheim
 ms.author: sethm
 ms.topic: include
-ms.date: 03/25/2025
+ms.date: 04/14/2025
 ms.reviewer: abha
-ms.lastreviewed: 03/25/2025
+ms.lastreviewed: 04/14/2025
 
 ---
 
 ## Supported GPU models
 
-The following GPU models are supported by AKS on Azure Local, version 23H2:
+The following GPU models are supported by AKS on Azure Local.
 
 | Manufacturer | GPU model | Supported version |
 |--------------|-----------|-------------------|
@@ -20,7 +20,7 @@ The following GPU models are supported by AKS on Azure Local, version 23H2:
 
 ## Supported GPU VM sizes
 
-The following VM sizes for each GPU model are supported by AKS on Azure Local, version 23H2.
+The following VM sizes for each GPU model are supported by AKS on Azure Local.
 
 ### Nvidia T4 is supported by NK T4 SKUs
 

adaptive-cloud/docfx.json

@@ -45,7 +45,8 @@
       "feedback_system": "Standard",
       "permissioned-type": "public",
       "manager":"lizross",
-      "ms.service": "azure-stack",
+      "ms.service": "azure",
+      "ms.subservice": "azure-adaptive-cloud",
       "tittleSuffix": "Azure Adaptive Cloud",
       "feedback_product_url": "https://feedback.azure.com/d365community/forum/5c778dec-0625-ec11-b6e6-000d3a4f0858",
       "feedback_help_link_url": "https://learn.microsoft.com/en-us/answers/tags/146/azure-arc"

adaptive-cloud/index.yml

@@ -6,7 +6,8 @@ brand: azure
 metadata:
   title: Azure adaptive cloud documentation
   description: Leverage cloud-native and AI technologies to work simultaneously across hybrid, multicloud, edge, and IoT.
-  ms.service: azure-stack
+  ms.service: azure
+  ms.subservice: azure-adaptive-cloud
   ms.topic: hub-page
   author: asergaz 
   ms.author: sergaz

azure-local/deploy/deployment-virtual.md

@@ -5,7 +5,7 @@ author: alkohli
 ms.author: alkohli
 ms.reviewer: alkohli
 ms.topic: how-to
-ms.date: 02/20/2025
+ms.date: 04/08/2025
 ---
 
 # Deploy a virtual Azure Local system
@@ -39,7 +39,7 @@ Before you begin, make sure that:
 
     | Component | Minimum |
     | ------------- | -------- |
-    | Processor| Intel VT-x or AMD-V, with support for nested virtualization. For more information, see [Does My Processor Support Intel® virtualization technology?](https://www.intel.com/content/www/us/en/support/articles/000005486/processors.html).
+    | Processor| Intel VT-x or AMD-V, with support for nested virtualization. For more information, see [Does My Processor Support Intel® virtualization technology?](https://www.intel.com/content/www/us/en/support/articles/000005486/processors.html)
     | Memory| The physical host must have a minimum of 32 GB RAM for single virtual node deployments. The virtual host VM should have at least 24 GB RAM.<br><br>The physical host must have a minimum of 64 GB RAM for two virtual node deployments. Each virtual host VM should have at least 24 GB RAM for deployment and 32 GB for applying updates.|
     | Host network adapters| A single network adapter.|
     | Storage| 1 TB Solid state drive (SSD). |
@@ -54,9 +54,9 @@ Before you begin, make sure that each virtual host system can dedicate the follo
 | vCPUs | Four cores. |
 | Memory | A minimum of 24 GB. |
 | Networking | At least two network adapters connected to internal network. MAC spoofing must be enabled. |
-| Boot disk | One disk to install the Azure Stack HCI operating system from ISO. At least 200 GB |
+| Boot disk | One disk to install the Azure Stack HCI operating system from ISO. At least 200 GB. |
 | Hard disks for Storage Spaces Direct | Four dynamic expanding disks. Maximum disk size is 1024 GB. |
-| Data disks | At least 127 GB each. The size must be the same for each disk |
+| Data disks | At least 127 GB each. The size must be the same for each disk. |
 | Time synchronization in integration  | Disabled. |
 
 > [!NOTE]
@@ -359,4 +359,4 @@ Repeat the process above for extra nodes if you plan to test multi-node deployme
 
 ## Next steps
 
-- [Register to Arc and assign permissions for deployment](deployment-arc-register-server-permissions.md)
+- [Register to Arc and assign permissions for deployment](deployment-arc-register-server-permissions.md).

azure-local/manage/collect-logs.md

@@ -5,7 +5,7 @@ author: alkohli
 ms.author: alkohli
 ms.topic: how-to
 ms.service: azure-local
-ms.date: 11/11/2024
+ms.date: 04/08/2025
 ---
 
 # Collect diagnostic logs for Azure Local (preview)
@@ -627,4 +627,4 @@ When requested, share the following information with Microsoft Support. Get this
 
 ## Next steps
 
-- [Contact Microsoft Support](get-support.md)
+- [Contact Microsoft Support](get-support.md).