Create HC without specifying encryption-at-host:
hypershift create cluster azure --fips --annotations=hypershift.openshift.io/pod-security-admission-label-override=baseline --marketplace-offer=aro4 --marketplace-publisher=azureopenshift --marketplace-sku=aro_417 --marketplace-version=417.94.20240701 --diagnostics-storage-account-type=Managed --control-plane-availability-policy=HighlyAvailable --infra-availability-policy=HighlyAvailable --image-content-sources /tmp/secret/mgmt_icsp.yaml --name 1fb0e78578609be047da --node-pool-replicas 3 --base-domain qe.azure.devcluster.openshift.com --external-dns-domain=qe1.azure.devcluster.openshift.com --pull-secret /etc/ci-pull-credentials/.dockerconfigjson --azure-creds /var/run/secrets/ci.openshift.io/cluster-profile/osServicePrincipal.json --location centralus --release-image registry.build03.ci.openshift.org/ci-op-fwvrsy0i/release@sha256:9f33c91217daf8fc0e3526498946ab0cc098ee91078cc86b90fec3c13aa6674a --encryption-key-id= --disk-encryption-set-id= --resource-group-name=ci-op-fwvrsy0i-8979e-rg --vnet-id=/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/ci-op-fwvrsy0i-8979e-vnet-rg/providers/Microsoft.Network/virtualNetworks/ci-op-fwvrsy0i-8979e-vnet --subnet-id=/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/ci-op-fwvrsy0i-8979e-vnet-rg/providers/Microsoft.Network/virtualNetworks/ci-op-fwvrsy0i-8979e-vnet/subnets/ci-op-fwvrsy0i-8979e-subnet --network-security-group-id=/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/ci-op-fwvrsy0i-8979e-nsg-rg/providers/Microsoft.Network/networkSecurityGroups/ci-op-fwvrsy0i-8979e-nsg
oc get hc -A
NAMESPACE NAME VERSION KUBECONFIG PROGRESS AVAILABLE PROGRESSING MESSAGE
clusters 1fb0e78578609be047da 4.18.0-0.nightly-2024-09-11-221444 1fb0e78578609be047da-admin-kubeconfig Completed True False The hosted control plane is available
oc get np -n clusters 1fb0e78578609be047da -o jsonpath='{.spec.platform.azure.encryptionAtHost}'
Enabled
Check Azure console: VMs have encryption at host enabled.
Create HC with --encryption-at-host=Disabled:
hypershift create cluster azure --annotations=hypershift.openshift.io/pod-security-admission-label-override=baseline --network-type=Other --encryption-at-host=Disabled --image-content-sources /tmp/secret/mgmt_icsp.yaml --name 34ead5644f2231daf006 --node-pool-replicas 3 --base-domain qe.azure.devcluster.openshift.com --external-dns-domain=qe1.azure.devcluster.openshift.com --pull-secret /etc/ci-pull-credentials/.dockerconfigjson --azure-creds /var/run/secrets/ci.openshift.io/cluster-profile/osServicePrincipal.json --location northcentralus --release-image registry.build03.ci.openshift.org/ci-op-lpc37237/release@sha256:9f33c91217daf8fc0e3526498946ab0cc098ee91078cc86b90fec3c13aa6674a --encryption-key-id= --disk-encryption-set-id= --resource-group-name= --vnet-id= --subnet-id= --network-security-group-id=
oc get hc -A
NAMESPACE NAME VERSION KUBECONFIG PROGRESS AVAILABLE PROGRESSING MESSAGE
clusters 34ead5644f2231daf006 4.18.0-0.nightly-2024-09-11-221444 34ead5644f2231daf006-admin-kubeconfig Completed True False The hosted control plane is available
oc get np -n clusters 08abc3d493db75f18d63 -o jsonpath='{.spec.platform.azure.encryptionAtHost}'
Disabled
Check Azure console: VMs have encryption at host disabled.
Create HC with --encryption-at-host=Enabled:
hypershift create cluster azure --fips --annotations=hypershift.openshift.io/pod-security-admission-label-override=baseline --diagnostics-storage-account-type=UserManaged --diagnostics-storage-account-uri=https:
oc get hc -A
NAMESPACE NAME VERSION KUBECONFIG PROGRESS AVAILABLE PROGRESSING MESSAGE
clusters d7e3f8e75734766003a5 4.18.0-0.nightly-2024-09-11-221444 d7e3f8e75734766003a5-admin-kubeconfig Completed True False The hosted control plane is available
oc get np -n clusters d7e3f8e75734766003a5 -o jsonpath='{.spec.platform.azure.encryptionAtHost}'
Enabled
Check Azure console: VMs have encryption at host enabled.
Verified with latest HO + 4.17 HC as well.
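The "check Azure console" step in each of the runs above can be made scriptable by comparing the NodePool's spec.platform.azure.encryptionAtHost value with what Azure reports in each VM's securityProfile.encryptionAtHost. The script below is an added example, not part of the original verification log or of the HyperShift project's code. It assumes oc and az are on PATH and logged in, that the NodePool lives in the clusters namespace as in the runs above, and that the node VMs are in a resource group passed as the second argument; the sample VM list used for the offline self-check is constructed.

```shell
#!/bin/sh
# Added example: reconcile a NodePool's encryptionAtHost setting with Azure's
# per-VM securityProfile.encryptionAtHost. Assumes oc and az are logged in.
# Usage: verify_nodepool <nodepool-name> <vm-resource-group>

# Map the NodePool value (Enabled/Disabled) to the boolean Azure reports.
np_to_bool() {
  case "$1" in
    Enabled)  echo true ;;
    Disabled) echo false ;;
    *)        echo unknown ;;
  esac
}

# Count VMs whose encryptionAtHost does not match the expected boolean.
# $1: expected value (true/false)
# $2: TSV lines of "<vm-name>\t<true|false|empty>", as produced by
#     az vm list -g "$RG" --query "[].[name, securityProfile.encryptionAtHost]" -o tsv
# Prints the mismatch count on stdout; mismatching VM names go to stderr.
count_mismatches() {
  expected="$1"
  printf '%s\n' "$2" | awk -v want="$expected" '
    NF == 0 { next }                                   # skip blank lines
    { actual = ($2 == "" || $2 == "None") ? "false" : $2 } # unset means not enabled
    actual != want { bad++; print "MISMATCH", $1, actual | "cat 1>&2" }
    END { print bad + 0 }'
}

# Live check: read the NodePool field, list the VMs, compare.
verify_nodepool() {
  np="$1"; rg="$2"
  np_value=$(oc get np -n clusters "$np" -o jsonpath='{.spec.platform.azure.encryptionAtHost}')
  want=$(np_to_bool "$np_value")
  if [ "$want" = unknown ]; then
    echo "NodePool $np has unexpected encryptionAtHost value: '$np_value'" >&2
    return 2
  fi
  vms=$(az vm list -g "$rg" --query "[].[name, securityProfile.encryptionAtHost]" -o tsv)
  bad=$(count_mismatches "$want" "$vms")
  if [ "$bad" -eq 0 ]; then
    echo "OK: every VM in $rg reports encryptionAtHost=$want (NodePool says $np_value)"
  else
    echo "FAIL: $bad VM(s) in $rg disagree with NodePool value $np_value" >&2
    return 1
  fi
}

# Constructed sample of az output, used for an offline self-check of the logic:
# one VM enabled, one with the property unset, one explicitly disabled.
SAMPLE_VMS="$(printf 'vm-a\ttrue\nvm-b\t\nvm-c\tfalse')"

if [ $# -ge 2 ]; then
  verify_nodepool "$1" "$2"
fi
```

A VM with the property unset is treated as disabled, since Azure only sets securityProfile.encryptionAtHost when the feature was requested for that VM; this matters for the second run above, where the NodePool reports Disabled and every VM must show either false or nothing at all.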