Merge branch 'release-aks-ee-feb' of https://github.com/AnushkaKhare-Eng/azure-stack-docs-pr into kmsupd2-20

sethmanheim · sethmanheim · commit d3627d7ab655 · 2025-02-20T09:24:08.000-08:00
diff --git a/AKS-Arc/aks-edge-deployment-config-json.md b/AKS-Arc/aks-edge-deployment-config-json.md
@@ -21,6 +21,7 @@ You can find the complete JSON schema file at `C:\Program Files\AksEdge\aksedge-
 | `DeploymentType` |[`SingleMachineCluster` / `ScalableCluster`]| Specifies deployment type. In `ScalableCluster`, you can add more machines to the cluster infrastructure. | `SingleMachineCluster` |Single-machine and full deployment|
 | `Init.ServiceIPRangeStart` |IPv4 address `A.B.C.x`.|Reserved IP start address for your Kubernetes services. This IP range must be free on your subnet **A.B.C.0**.| None |Single-machine and full deployment|
 | `Init.ServiceIPRangeSize` |`[0-127]`|Number of reserved IP start addresses for your Kubernetes services. Based on the size, we allocate a range of free IP addresses on your subnet. | `0` |Single-machine and full deployment|
+| `Init.KmsPlugin.Enable` |Boolean| Enabling the KMS Plugin | false |Single-machine and full deployment|
 | `Join.ClusterJoinToken` |String|`Reserved` | None |Full deployment only|
 | `Join.DiscoveryTokenHash` |String|`Reserved`| None |Full deployment only|
 | `Join.CertificateKey` |String|`Reserved`| None |Full deployment only|
diff --git a/AKS-Arc/aks-edge-howto-secret-encryption.md b/AKS-Arc/aks-edge-howto-secret-encryption.md
@@ -25,7 +25,7 @@ This article demonstrates how to activate the KMS plugin for AKS Edge Essentials
 The KMS plugin is supported for all AKS Edge Essentials clusters, version 1.10.xxx.0 and later.
 
 > [!NOTE]
-> The KMS plugin can only be used for single node clusters. The plugin can't be used with [experimental features such as multi-node and Windows node](aks-edge-system-requirements.md#experimental-or-prerelease-features).
+> The KMS plugin can only be used for single node clusters. The plugin can't be used with [experimental features such as multi-node](aks-edge-system-requirements.md#experimental-or-prerelease-features).
 
 ## Enable the KMS plugin
 
@@ -50,6 +50,22 @@ For deployment instructions, see [Single machine deployment](aks-edge-howto-sing
 > [!NOTE]
 > You can only enable or disable the KMS plugin when you create a new deployment. Once you set the flag, it can't be changed.
 
+## Verify the KMS plugin is enabled
+To verify that the KMS plugin is enabled, run the command below and ensure that the health status of **kms-providers** is **OK**:
+
+   ```powershell
+   kubectl get --raw='/readyz?verbose'
+   ```
+
+   ```output
+   [+]ping ok
+   [+]Log ok
+   [+]etcd ok
+   [+]kms-providers ok
+   [+]poststarthook/start-encryption-provider-config-automatic-reload ok
+   ```
+
+
 To create secrets in AKS Edge Essentials clusters, see [Managing Secrets using kubectl](https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/#use-raw-data) in the Kubernetes documentation.
 
 If you encounter errors, see the [Troubleshooting](#troubleshooting) section.
@@ -66,29 +82,17 @@ If there are errors with the KMS plugin, follow this procedure:
 
    If the version is older, upgrade to the latest version. For more information, see [Upgrade an AKS cluster](aks-edge-howto-update.md).
 
-1. View the `readyz` API. If the problem persists, validate that the installation succeeded. To check the health of the KMS plugin, run the following command and ensure that the health status of **kms-providers** is **OK**:
-
-   ```powershell
-   kubectl get --raw='/readyz?verbose'
-   ```
-
-   ```output
-   [+]ping ok
-   [+]Log ok
-   [+]etcd ok
-   [+]kms-providers ok
-   [+]poststarthook/start-encryption-provider-config-automatic-reload ok
-   ```
+2. View the `readyz` API. If the problem persists, verify that the KMS plugin is enabled. Please refer to the [Verify the KMS plugin is enabled](#verify-the-kms-plugin-is-enabled) above
 
    If you receive "**[-]**" before the `kms-providers` field, collect diagnostic logs for debugging. For more information, see [Get kubelet logs from cluster nodes](aks-get-kubelet-logs.md).
 
-1. Repair KMS. If there are still errors, the machine running the AKS Edge Essentials cluster might be paused or turned off for an extended period of time (over 30 days). To get KMS back into a healthy state, you can use the `Repair-Kms` command to restore any necessary tokens:
+3. Repair KMS. If there are still errors, the machine running the AKS Edge Essentials cluster might be paused or turned off for an extended period of time (over 30 days). To get KMS back into a healthy state, you can use the `Repair-Kms` command to restore any necessary tokens:
 
    ```powershell
    Repair-AksEdgeKms
    ```
 
-1. If you still encounter errors, contact [Microsoft Customer Support](aks-edge-troubleshoot-overview.md) and [collect logs](aks-get-kubelet-logs.md).
+4. If you still encounter errors, contact [Microsoft Customer Support](aks-edge-troubleshoot-overview.md) and [collect logs](aks-get-kubelet-logs.md).
 
 ## Next steps
 
diff --git a/AKS-Arc/reference/aks-edge-ps/index.md b/AKS-Arc/reference/aks-edge-ps/index.md
@@ -90,6 +90,9 @@ Removes the deployment from an existing cluster.
 ### [Remove-AksEdgeNode](./remove-aksedgenode.md)
 
 Removes a local node from an existing cluster.
+### [Repair-AksEdgeKms](./repair-aksedgekms.md)
+
+Repair the KMS plugin for an existing cluster
 
 ### [Set-AksEdgeBillingPodState](./set-aksedgebillingpodstate.md)
 
diff --git a/AKS-Arc/reference/aks-edge-ps/repair-aksedgekms.md b/AKS-Arc/reference/aks-edge-ps/repair-aksedgekms.md
@@ -0,0 +1,41 @@
+---
+title: Repair-AksEdgeKms for AKS Edge
+author: AnushkaKhare-Eng
+description: The Repair-AksEdgeKms command repairs the KMS plugin for an existing cluster
+ms.topic: reference
+ms.date: 2/18/2025
+ms.author: khareanushka
+ms.lastreviewed: 2/18/2025
+ms.reviewer: 
+
+---
+
+
+# Repair-AksEdgeKms
+
+Repair the KMS plugin for an existing cluster.
+
+## Syntax
+
+```powershell
+Repair-AksEdgeKms
+```
+
+## Description
+
+This command repairs the KMS plugin for an existing cluster. This function is supported only for single node and scalable clusters.The command below rehydrates nodeagent tokens required for key rotation to get KMS back in a healthy state.
+
+## Examples
+### Repairing the KMS plugin
+
+```powershell
+Repair-AksEdgeKms
+```
+
+### CommonParameters
+
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/?LinkID=113216).
+
+## Next steps
+
+[AksEdge PowerShell Reference](./index.md)
