modules/osd-create-cluster-ccs.adoc
Lines changed: 22 additions & 26 deletions
@@ -146,10 +146,21 @@ To successfully create a cluster, you must select *Enable Secure Boot support fo
146
146
+
147
147
endif::osd-on-gcp[]
148
148
.. Leave *Enable user workload monitoring* selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.
149
+
.. Optional: Expand *Advanced Encryption* to make changes to encryption settings.
150
+
ifdef::osd-on-aws[]
151
+
... Accept the default setting *Use default KMS Keys* to use your default AWS KMS key, or select *Use Custom KMS keys* to use a custom KMS key.
152
+
.... With *Use Custom KMS keys* selected, enter the AWS Key Management Service (KMS) custom key Amazon Resource Name (ARN) ARN in the *Key ARN* field.
153
+
The key is used for encrypting all control plane, infrastructure, worker node root volumes, and persistent volumes in your cluster.
154
+
//Commented out due to changes in the UI
155
+
//[IMPORTANT]
156
+
//====
157
+
//Only persistent volumes (PVs) created from the default storage class are encrypted with this specific key.
158
+
//PVs created by using any other storage class are still encrypted, but the PVs are not encrypted with this key unless the storage class is specifically configured to use this key.
159
+
//====
160
+
+
161
+
endif::osd-on-aws[]
149
162
ifdef::osd-on-gcp[]
150
-
. Optional: Expand *Advanced Encryption* to make changes to encryption settings.
151
-
152
-
.. Select *Use Custom KMS keys* to use custom KMS keys. If you prefer not to use custom KMS keys, leave the default setting *Use default KMS Keys*.
163
+
... Select *Use Custom KMS keys* to use custom KMS keys. If you prefer not to use custom KMS keys, leave the default setting *Use default KMS Keys*.
153
164
+
154
165
[IMPORTANT]
155
166
====
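Review bot: the new AWS step `.... With *Use Custom KMS keys* selected, enter the AWS Key Management Service (KMS) custom key Amazon Resource Name (ARN) ARN in the *Key ARN* field.` repeats "ARN" after the parenthetical; drop the second one. The block added under `//Commented out due to changes in the UI` (the IMPORTANT admonition about only PVs from the default storage class being encrypted with the custom key) is the one caveat a reader choosing a custom KMS key needs: if the behaviour still holds, keep it visible rather than commented out, and if the UI change made it obsolete, delete the lines instead of carrying dead source forward. Also, the two consecutive empty `+` lines before `endif::osd-on-aws[]` render as a doubled blank line; one is enough.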
@@ -158,41 +169,26 @@ To use custom KMS keys, the IAM service account `osd-ccs-admin` must be granted
158
169
+
159
170
With *Use Custom KMS keys* selected:
160
171
161
-
... Select a key ring location from the *Key ring location* drop-down menu.
162
-
... Select a key ring from the *Key ring* drop-down menu.
163
-
... Select a key name from the *Key name* drop-down menu.
164
-
... Provide the *KMS Service Account*.
172
+
.... Select a key ring location from the *Key ring location* drop-down menu.
173
+
.... Select a key ring from the *Key ring* drop-down menu.
174
+
.... Select a key name from the *Key name* drop-down menu.
175
+
.... Provide the *KMS Service Account*.
165
176
+
166
-
167
-
.. Optional: Select *Enable FIPS cryptography* if you require your cluster to be FIPS validated.
177
+
endif::osd-on-gcp[]
178
+
... Optional: Select *Enable FIPS cryptography* if you require your cluster to be FIPS validated.
168
179
+
169
180
[NOTE]
170
181
====
171
182
If *Enable FIPS cryptography* is selected, *Enable additional etcd encryption* is enabled by default and cannot be disabled. You can select *Enable additional etcd encryption* without selecting *Enable FIPS cryptography*.
172
183
====
173
-
endif::osd-on-gcp[]
174
-
.. Optional: Select *Enable additional etcd encryption* if you require etcd key value encryption. With this option, the etcd key values are encrypted, but the keys are not. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in {product-title} clusters by default.
184
+
+
185
+
... Optional: Select *Enable additional etcd encryption* if you require etcd key value encryption. With this option, the etcd key values are encrypted, but the keys are not. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in {product-title} clusters by default.
175
186
+
176
187
[NOTE]
177
188
====
178
189
By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case.
179
190
====
180
191
+
181
-
ifdef::osd-on-aws[]
182
-
.. Optional: Select *Encrypt persistent volumes with customer keys* if you want to provide your own
183
-
AWS Key Management Service (KMS) key Amazon Resource Name (ARN).
184
-
// ifdef::osd-on-gcp[]
185
-
// encryption keys through the Google Cloud Key Management Service.
186
-
// endif::osd-on-gcp[]
187
-
The key is used for encrypting all control plane, infrastructure, worker node root volumes, and persistent volumes in your cluster.
188
-
+
189
-
[IMPORTANT]
190
-
====
191
-
Only persistent volumes (PVs) created from the default storage class are encrypted with this specific key.
192
-
193
-
PVs created by using any other storage class are still encrypted, but the PVs are not encrypted with this key unless the storage class is specifically configured to use this key.
194
-
====
195
-
endif::osd-on-aws[]
196
192
.. Click *Next*.
197
193
198
194
. On the *Default machine pool* page, select a *Compute node instance type* and a *Compute node count*. The number and types of nodes that are available depend on your {product-title} subscription. If you are using multiple availability zones, the compute node count is per zone.
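Review bot: moving `... Optional: Select *Enable FIPS cryptography*` and its NOTE from inside the GCP conditional to after `endif::osd-on-gcp[]` changes the FIPS option from GCP-only to shown in both the AWS and GCP builds of this module; confirm that is intended and that the AWS UI exposes the toggle, since nothing else in the hunk documents that widening. The FIPS and etcd items now sit at level `...`, one deeper than before, so they render under the "Advanced Encryption" step, which matches the UI grouping, but the NOTE stating that FIPS forces *Enable additional etcd encryption* should be checked against the AWS behaviour as well now that it applies there. The pair of empty `+` lines before the etcd step again produce a doubled blank line.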