Merge pull request #55014 from lpettyjo/OSDOCS-3780_3781_3782

lpettyjo · web-flow · commit e2dda9215168 · 2023-05-10T08:08:25.000-04:00
OSDOCS-3780&amp;3781&amp;3782:BYOK encryption
diff --git a/modules/persistent-storage-byok.adoc b/modules/persistent-storage-byok.adoc
@@ -0,0 +1,19 @@
+// Module included in the following assemblies:
+//
+// storage/container_storage_interface/persistent-storage-csi-azure.adoc
+// storage/container_storage_interface/persistent-storage-csi-ebs.adoc
+// storage/container_storage_interface/persistent-storage-csi-gcp-pd.adoc
+
+:_content-type: CONCEPT
+[id="byok_{context}"]
+= User-managed encryption
+
+The user-managed encryption feature allows you to provide keys during installation that encrypt {product-title} node root volumes, and enables all managed storage classes to use these keys to encrypt provisioned storage volumes. You must specify the custom key in the `platform.<cloud_type>.defaultMachinePlatform` field in the install-config YAML file.
+
+This features supports the following storage types:
+
+* Amazon Web Services (AWS) Elastic Block storage (EBS)
+
+* Microsoft Azure Disk storage
+
+* Google Cloud Platform (GCP) persistent disk (PD) storage
diff --git a/storage/container_storage_interface/persistent-storage-csi-azure.adoc b/storage/container_storage_interface/persistent-storage-csi-azure.adoc
@@ -31,6 +31,17 @@ After full migration, in-tree plugins will eventually be removed in later versio
 
 include::modules/persistent-storage-csi-azure-disk-sc-zrs.adoc[leveloffset=+1]
 
+ifndef::openshift-rosa,openshift-dedicated[]
+include::modules/persistent-storage-byok.adoc[leveloffset=+1]
+
+[NOTE]
+====
+If the OS (root) disk is encrypted, and there is no encrypted key defined in the storage class, Azure Disk CSI driver uses the OS disk encryption key by default to encrypt provisioned storage volumes.
+====
+
+For information about installing with user-managed encryption for Azure, see xref:../../installing/installing_azure/enabling-user-managed-encryption-azure.adoc[Enabling user-managed encryption for Azure].
+endif::openshift-rosa,openshift-dedicated[]
+
 //Machine sets that deploy machines on ultra disks using PVCs
 include::modules/machineset-azure-ultra-disk.adoc[leveloffset=+1]
 
diff --git a/storage/container_storage_interface/persistent-storage-csi-ebs.adoc b/storage/container_storage_interface/persistent-storage-csi-ebs.adoc
@@ -41,7 +41,18 @@ After full migration, in-tree plugins will eventually be removed in future versi
 
 For information about dynamically provisioning AWS EBS persistent volumes in {product-title}, see xref:../../storage/persistent_storage/persistent-storage-aws.adoc#persistent-storage-aws[Persistent storage using AWS Elastic Block Store].
 
+ifndef::openshift-rosa,openshift-dedicated[]
+include::modules/persistent-storage-byok.adoc[leveloffset=+1]
+
+[NOTE]
+====
+If there is no encrypted key defined in the storage class, only set `encrypted: "true"` in the storage class. The AWS EBS CSI driver uses the AWS managed alias/aws/ebs, which is created by Amazon EBS automatically in each region by default to encrypt provisioned storage volumes. In addition, the managed storage classes all have the `encrypted: "true"` setting.
+====
+
+For information about installing with user-managed encryption for AWS EBS, see xref:../../installing/installing_aws/installing-aws-customizations.adoc#installation-configuration-parameters_installing-aws-customizations[Installation configuration parameters].
+endif::openshift-rosa,openshift-dedicated[]
+
 [role="_additional-resources"]
-.Additional resources
+== Additional resources
 * xref:../../storage/persistent_storage/persistent-storage-aws.adoc#persistent-storage-aws[Persistent storage using AWS Elastic Block Store]
 * xref:../../storage/container_storage_interface/persistent-storage-csi.adoc#persistent-storage-csi[Configuring CSI volumes]
diff --git a/storage/container_storage_interface/persistent-storage-csi-gcp-pd.adoc b/storage/container_storage_interface/persistent-storage-csi-gcp-pd.adoc
@@ -38,7 +38,13 @@ include::modules/persistent-storage-csi-gcp-pd-storage-class-ref.adoc[leveloffse
 
 include::modules/persistent-storage-csi-gcp-pd-encrypted-pv.adoc[leveloffset=+1]
 
+ifndef::openshift-rosa,openshift-dedicated[]
+include::modules/persistent-storage-byok.adoc[leveloffset=+1]
+
+For information about installing with user-managed encryption for GCP PD, see xref:../../installing/installing_gcp/installing-gcp-customizations.adoc#installation-configuration-parameters_installing-gcp-customizations[Installation configuration parameters].
+endif::openshift-rosa,openshift-dedicated[]
+
 [role="_additional-resources"]
-.Additional resources
+== Additional resources
 * xref:../../storage/persistent_storage/persistent-storage-gce.adoc#persistent-storage-using-gce[Persistent storage using GCE Persistent Disk]
 * xref:../../storage/container_storage_interface/persistent-storage-csi.adoc#persistent-storage-csi[Configuring CSI volumes]
