IPI improvements

Author: Shubha Narayanan

installing/installing_azure/ipi/installing-azure-government-region.adoc

@@ -11,15 +11,6 @@ Microsoft Azure into a government region. To configure the government region,
 you modify parameters in the `install-config.yaml` file before you install the
 cluster.
 
-== Prerequisites
-
-* You reviewed details about the xref:../../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
-* You read the documentation on xref:../../../installing/overview/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
-* You xref:../../../installing/installing_azure/installing-azure-account.adoc#installing-azure-account[configured an Azure account] to host the cluster and determined the tested and validated government region to deploy the cluster to.
-* If you use a firewall, you xref:../../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to.
-* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../../installing/installing_azure/ipi/installing-azure-customizations.adoc#manually-create-iam_installing-azure-customizations[manually create and maintain long-term credentials].
-* If you use customer-managed encryption keys, you xref:../../../installing/installing_azure/ipi/installing-azure-preparing-ipi.adoc#preparing-disk-encryption-sets_installing-azure-preparing-ipi[prepared your Azure environment for encryption].
-
 include::modules/installation-azure-about-government-region.adoc[leveloffset=+1]
 
 include::modules/private-clusters-default.adoc[leveloffset=+1]

installing/installing_azure/ipi/installing-azure-network-customizations.adoc

@@ -16,14 +16,6 @@ You must set most of the network configuration parameters during installation,
 and you can modify only `kubeProxy` configuration parameters in a running
 cluster.
 
-== Prerequisites
-
-* You reviewed details about the xref:../../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
-* You read the documentation on xref:../../../installing/overview/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
-* You xref:../../../installing/installing_azure/installing-azure-account.adoc#installing-azure-account[configured an Azure account] to host the cluster and determined the tested and validated region to deploy the cluster to.
-* If you use a firewall, you xref:../../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to.
-* If you use customer-managed encryption keys, you xref:../../../installing/installing_azure/ipi/installing-azure-preparing-ipi.adoc#preparing-disk-encryption-sets_installing-azure-preparing-ipi[prepared your Azure environment for encryption].
-
 include::modules/installation-initializing.adoc[leveloffset=+1]
 
 [role="_additional-resources"]

installing/installing_azure/ipi/installing-azure-private.adoc

@@ -8,14 +8,6 @@ toc::[]
 
 In {product-title} version {product-version}, you can install a private cluster into an existing Azure Virtual Network (VNet) on Microsoft Azure. The installation program provisions the rest of the required infrastructure, which you can further customize. To customize the installation, you modify parameters in the `install-config.yaml` file before you install the cluster.
 
-== Prerequisites
-
-* You reviewed details about the xref:../../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
-* You read the documentation on xref:../../../installing/overview/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
-* You xref:../../../installing/installing_azure/installing-azure-account.adoc#installing-azure-account[configured an Azure account] to host the cluster and determined the tested and validated region to deploy the cluster to.
-* If you use a firewall, you xref:../../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to.
-* If you use customer-managed encryption keys, you xref:../../../installing/installing_azure/ipi/installing-azure-preparing-ipi.adoc#preparing-disk-encryption-sets_installing-azure-preparing-ipi[prepared your Azure environment for encryption].
-
 include::modules/private-clusters-default.adoc[leveloffset=+1]
 
 include::modules/private-clusters-about-azure.adoc[leveloffset=+2]

installing/installing_azure/ipi/installing-azure-vnet.adoc

@@ -8,14 +8,6 @@ toc::[]
 
 In {product-title} version {product-version}, you can install a cluster into an existing Azure Virtual Network (VNet) on Microsoft Azure. The installation program provisions the rest of the required infrastructure, which you can further customize. To customize the installation, you modify parameters in the `install-config.yaml` file before you install the cluster.
 
-== Prerequisites
-
-* You reviewed details about the xref:../../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
-* You read the documentation on xref:../../../installing/overview/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
-* You xref:../../../installing/installing_azure/installing-azure-account.adoc#installing-azure-account[configured an Azure account] to host the cluster and determined the tested and validated region to deploy the cluster to.
-* If you use a firewall, you xref:../../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to.
-* If you use customer-managed encryption keys, you xref:../../../installing/installing_azure/ipi/installing-azure-preparing-ipi.adoc#preparing-disk-encryption-sets_installing-azure-preparing-ipi[prepared your Azure environment for encryption].
-
 include::modules/installation-about-custom-azure-vnet.adoc[leveloffset=+1]
 
 [role="_additional-resources"]

installing/installing_azure/ipi/installing-restricted-networks-azure-installer-provisioned.adoc

@@ -16,20 +16,15 @@ You can install an {product-title} cluster by using mirrored installation releas
 [id="prerequisites_installing-restricted-networks-azure-installer-provisioned"]
 == Prerequisites
 
-* You reviewed details about the xref:../../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
-* You read the documentation on xref:../../../installing/overview/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
-* You xref:../../../installing/installing_azure/installing-azure-account.adoc#installing-azure-account[configured an Azure account] to host the cluster and determined the tested and validated region to deploy the cluster.
 * You xref:../../../installing/disconnected_install/installing-mirroring-installation-images.adoc#installation-about-mirror-registry_installing-mirroring-installation-images[mirrored the images for a disconnected installation] to your registry and obtained the `imageContentSources` data for your version of {product-title}.
 +
 [IMPORTANT]
 ====
 Because the installation media is on the mirror host, you can use that computer to complete all installation steps.
 ====
 * You have an existing VNet in Azure. While installing a cluster in a restricted network that uses installer-provisioned infrastructure, you cannot use the installer-provisioned VNet. You must use a user-provisioned VNet that satisfies one of the following requirements:
-** The VNet contains the mirror registry
-** The VNet has firewall rules or a peering connection to access the mirror registry hosted elsewhere
-* If you use a firewall, you xref:../../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to.
-* If you use customer-managed encryption keys, you xref:../../../installing/installing_azure/ipi/installing-azure-preparing-ipi.adoc#preparing-disk-encryption-sets_installing-azure-preparing-ipi[prepared your Azure environment for encryption].
+** The VNet contains the mirror registry.
+** The VNet has firewall rules or a peering connection to access the mirror registry hosted elsewhere.
 
 include::modules/installation-about-restricted-network.adoc[leveloffset=+1]
 
@@ -44,10 +39,6 @@ include::modules/installation-about-custom-azure-vnet.adoc[leveloffset=+1]
 
 * xref:../../../installing/install_config/configuring-firewall.adoc#configuring-firewall[Configuring your firewall]
 
-include::modules/cluster-entitlements.adoc[leveloffset=+1]
-
-include::modules/ssh-agent-using.adoc[leveloffset=+1]
-
 include::modules/installation-initializing.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
@@ -67,9 +58,6 @@ include::modules/installation-azure-config-yaml.adoc[leveloffset=+2]
 
 include::modules/installation-configure-proxy.adoc[leveloffset=+2]
 
-//Installing the OpenShift CLI by downloading the binary: Moved up to precede manual cred (short and long) steps, which require the use of `oc`
-include::modules/cli-installing-cli.adoc[leveloffset=+1]
-
 [id="installing-azure-manual-modes_{context}"]
 == Alternatives to storing administrator-level secrets in the kube-system project
 
@@ -101,13 +89,6 @@ include::modules/installation-launching-installer.adoc[leveloffset=+1]
 
 include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
 
-include::modules/cluster-telemetry.adoc[leveloffset=+1]
-
-[role="_additional-resources"]
-.Additional resources
-
-* See xref:../../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service
-
 == Next steps
 
 * xref:../../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].

modules/installation-azure-confidential-vms.adoc

@@ -40,37 +40,31 @@ Confidential VMs are currently not supported on 64-bit ARM architectures.
 
 .Procedure
 
-* Use a text editor to edit the `install-config.yaml` file prior to deploying your cluster and add the following stanza:
+* Edit the `install-config.yaml` file before deploying your cluster:
+
+** Enable confidential VMs only on control plane by adding the following stanza:
 +
 [source,yaml]
 ----
-controlPlane: <1>
+controlPlane:
   platform:
     azure:
       settings:
-        securityType: ConfidentialVM <2>
+        securityType: ConfidentialVM
         confidentialVM:
           uefiSettings:
-            secureBoot: Enabled <3>
-            virtualizedTrustedPlatformModule: Enabled <4>
+            secureBoot: Enabled
+            virtualizedTrustedPlatformModule: Enabled
       osDisk:
         securityProfile:
-          securityEncryptionType: VMGuestStateOnly <5>
+          securityEncryptionType: VMGuestStateOnly
 ----
-<1> Specify `controlPlane.platform.azure` or `compute.platform.azure` to deploy confidential VMs on only control plane or compute nodes respectively. Specify `platform.azure.defaultMachinePlatform` to deploy confidential VMs on all nodes.
-<2> Enable confidential VMs.
-<3> Enable secure boot. For more information, see the Azure documentation about link:https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#secure-boot[secure boot].
-<4> Enable the virtualized Trusted Platform Module. For more information, see the Azure documentation about link:https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/trusted-platform-module-overview[virtualized Trusted Platform Modules].
-<5> Specify `VMGuestStateOnly` to encrypt the VM guest state.
 
-// commenting out the second option until https://issues.redhat.com/browse/OCPBUGS-18379 is fixed
-////
-+
-.. To use confidential VMs that encrypt both the VM guest state and the OS disk:
+**  Enable confidential VMs only on compute nodes by adding the following stanza:
 +
 [source,yaml]
 ----
-controlPlane:
+compute:
   platform:
     azure:
       settings:
@@ -81,12 +75,23 @@ controlPlane:
             virtualizedTrustedPlatformModule: Enabled
       osDisk:
         securityProfile:
-          securityEncryptionType: DiskWithVMGuestState <1>
-          diskEncryptionSet: <2>
-            resourceGroup: <your-resource-group-name>
-            name: <your-des-name>
-            subscriptionId: <subscription-uuid>
+          securityEncryptionType: VMGuestStateOnly
+----
+
+**  Enable confidential VMs on all nodes by adding the following stanza:
++
+
+[source,yaml]
 ----
-<1> Enable OS disk and VM guest state encryption.
-<2> Specify disk encryption set parameters for user-managed encryption, or omit the `diskEncryptionSet` stanza for platform-managed encryption.
-////
+platform:
+  azure:
+    settings:
+      securityType: ConfidentialVM
+      confidentialVM:
+        uefiSettings:
+          secureBoot: Enabled
+          virtualizedTrustedPlatformModule: Enabled
+    osDisk:
+      securityProfile:
+        securityEncryptionType: VMGuestStateOnly
+----

modules/installation-azure-trusted-launch.adoc

@@ -8,7 +8,7 @@
 
 You can enable two trusted launch features when installing your cluster on Azure: link:https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#secure-boot[secure boot] and link:https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/trusted-platform-module-overview[virtualized Trusted Platform Modules].
 
-See the Azure documentation about link:https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#virtual-machines-sizes[virtual machine sizes] to learn what sizes of virtual machines support these features.
+For more information about the sizes of virtual machines that support the trusted launch features, see link:https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#virtual-machines-sizes[Virtual machine sizes].
 
 :FeatureName: Trusted launch
 
@@ -19,21 +19,48 @@ include::snippets/technology-preview.adoc[]
 
 .Procedure
 
-* Use a text editor to edit the `install-config.yaml` file prior to deploying your cluster and add the following stanza:
+* Edit the `install-config.yaml` file before deploying your cluster:
+
+** Enable trusted launch only on control plane by adding the following stanza:
 +
 [source,yaml]
 ----
-controlPlane: <1>
+controlPlane:
   platform:
     azure:
       settings:
-        securityType: TrustedLaunch <2>
+        securityType: TrustedLaunch
         trustedLaunch:
           uefiSettings:
-            secureBoot: Enabled <3>
-            virtualizedTrustedPlatformModule: Enabled <4>
+            secureBoot: Enabled
+            virtualizedTrustedPlatformModule: Enabled
+----
+
+** Enable trusted launch only on compute node by adding the following stanza:
++
+[source,yaml]
+----
+compute:
+  platform:
+    azure:
+      settings:
+        securityType: TrustedLaunch
+        trustedLaunch:
+          uefiSettings:
+            secureBoot: Enabled
+            virtualizedTrustedPlatformModule: Enabled
+----
+
+**  Enable trusted launch on all nodes by adding the following stanza:
++
+[source,yaml]
 ----
-<1> Specify `controlPlane.platform.azure` or `compute.platform.azure` to enable trusted launch on only control plane or compute nodes respectively. Specify `platform.azure.defaultMachinePlatform` to enable trusted launch on all nodes.
-<2> Enable trusted launch features.
-<3> Enable secure boot. For more information, see the Azure documentation about link:https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#secure-boot[secure boot].
-<4> Enable the virtualized Trusted Platform Module. For more information, see the Azure documentation about link:https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/trusted-platform-module-overview[virtualized Trusted Platform Modules].
+platform:
+  azure:
+    settings:
+      securityType: TrustedLaunch
+      trustedLaunch:
+        uefiSettings:
+          secureBoot: Enabled
+          virtualizedTrustedPlatformModule: Enabled
+----