
azure: do not use marketplace images for confidential VMs

Marketplace images do not support confidential VMs or trusted launch,
so when machinesets use confidential VMs the installer will still
create an image gallery compatible with the security settings.
This commit is contained in:
Patrick Dillon
2025-11-18 21:41:15 -05:00
parent 0d363dc2e3
commit 6e4a27d545
2 changed files with 17 additions and 17 deletions


@@ -150,9 +150,11 @@ func osImage(ctx context.Context, ic *installconfig.InstallConfig, machinePool *
return "", fmt.Errorf("%s: No azure build found", streamArchPrefix)
}
azi := ext.AzureDisk.URL
azMP := machinePool.Platform.Azure
confidentialVM := azMP != nil && azMP.Settings != nil && azMP.Settings.SecurityType != ""
if mkt := ext.Marketplace; mkt == nil || mkt.Azure == nil || mkt.Azure.NoPurchasePlan == nil || mkt.Azure.NoPurchasePlan.Gen2 == nil {
logrus.Warnf("%s: No default Azure marketplace image was found in stream", streamArchPrefix)
} else {
} else if !confidentialVM { // Marketplace images don't suppot confidential VMs, so stick with managed image.
gen, err := getHyperVGeneration(ic.Azure, machinePool.Name)
if err != nil {
return "", fmt.Errorf("failed to get hyperVGeneration: %w", err)
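Review bot: The new `confidentialVM` on the line after `azMP :=` is true for any non-empty `SecurityType`, so it also covers trusted launch, which the commit message says marketplace images do not support either; the name and the trailing comment on the `} else if` line undersell the condition, and that comment has a typo ("suppot"). Suggest `securityTypeSet := azMP != nil && azMP.Settings != nil && azMP.Settings.SecurityType != ""` and `} else if !securityTypeSet { // Marketplace images don't support confidential VMs or trusted launch, so stick with the managed image.`. This check reads only `machinePool.Platform.Azure`, whereas `getMachinePoolSecurityType` in the CAPI provider also falls back to `DefaultMachinePlatform`; if defaults are not merged into `machinePool` before `osImage` runs, a security type set only at the default level would yield a gallery image in `InfraReady` but a marketplace reference here — worth confirming. The body of `osImage` continues outside the hunk.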


@@ -254,8 +254,9 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
logrus.Debugf("StorageAccount.ID=%s", *storageAccount.ID)
}
// Create a managed image, which is only used for OKD, as OCP can use marketplace images.
if installConfig.IsOKD() && platform.CloudName != aztypes.StackCloud {
// Create a managed image, which is used for OKD or confidential VMs on OCP.
hasConfidentialVM := getMachinePoolSecurityType(installConfig) != ""
if (hasConfidentialVM || installConfig.IsOKD()) && platform.CloudName != aztypes.StackCloud {
// Create vhd blob storage container
publicAccess := armstorage.PublicAccessNone
createBlobContainerOutput, err := CreateBlobContainer(ctx, &CreateBlobContainerInput{
@@ -327,10 +328,7 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
// If Control Plane Security Type is provided, then pass that along
// during Gen V2 Gallery Image creation. It will be added as a
// supported feature of the image.
securityType, err := getMachinePoolSecurityType(in)
if err != nil {
return err
}
securityType := getMachinePoolSecurityType(installConfig)
_, err = CreateGalleryImage(ctx, &CreateGalleryImageInput{
ResourceGroupName: resourceGroupName,
@@ -819,16 +817,16 @@ func (p Provider) Ignition(ctx context.Context, in clusterapi.IgnitionInput) ([]
return ignSecrets, nil
}
func getMachinePoolSecurityType(in clusterapi.InfraReadyInput) (string, error) {
func getMachinePoolSecurityType(installConfig *types.InstallConfig) string {
var securityType aztypes.SecurityTypes
if in.InstallConfig.Config.ControlPlane != nil && in.InstallConfig.Config.ControlPlane.Platform.Azure != nil {
pool := in.InstallConfig.Config.ControlPlane.Platform.Azure
if installConfig.ControlPlane != nil && installConfig.ControlPlane.Platform.Azure != nil {
pool := installConfig.ControlPlane.Platform.Azure
if pool.Settings != nil {
securityType = pool.Settings.SecurityType
}
}
if securityType == "" && in.InstallConfig.Config.Compute != nil {
for _, compute := range in.InstallConfig.Config.Compute {
if securityType == "" && installConfig.Compute != nil {
for _, compute := range installConfig.Compute {
if compute.Platform.Azure != nil {
pool := compute.Platform.Azure
if pool.Settings != nil {
@@ -838,17 +836,17 @@ func getMachinePoolSecurityType(in clusterapi.InfraReadyInput) (string, error) {
}
}
}
if securityType == "" && in.InstallConfig.Config.Platform.Azure.DefaultMachinePlatform != nil {
pool := in.InstallConfig.Config.Platform.Azure.DefaultMachinePlatform
if securityType == "" && installConfig.Platform.Azure.DefaultMachinePlatform != nil {
pool := installConfig.Platform.Azure.DefaultMachinePlatform
if pool.Settings != nil {
securityType = pool.Settings.SecurityType
}
}
switch securityType {
case aztypes.SecurityTypesTrustedLaunch:
return trustedLaunchST, nil
return trustedLaunchST
case aztypes.SecurityTypesConfidentialVM:
return confidentialVMST, nil
return confidentialVMST
}
return "", nil
return ""
}
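Review bot: `hasConfidentialVM` in the `InfraReady` hunk is set whenever `getMachinePoolSecurityType` returns anything, which includes `trustedLaunchST`, so the name and the comment above it ("used for OKD or confidential VMs on OCP") are narrower than the condition actually guarding the managed-image path. Suggest `securityType := getMachinePoolSecurityType(installConfig)` with `if (securityType != "" || installConfig.IsOKD()) && platform.CloudName != aztypes.StackCloud {` and the comment `// Create a managed image, which is used for OKD or when a security type (confidential VM / trusted launch) is set on OCP.`; the second call in the gallery-image hunk could then reuse that value if it sits in the same scope, which the hunk boundaries do not show. `getMachinePoolSecurityType` now takes a `*types.InstallConfig` but has no doc comment; a line such as `// getMachinePoolSecurityType returns the gallery security type for the first pool that sets one, checking control plane, then compute pools, then DefaultMachinePlatform; "" when none is set.` would make the precedence explicit, and the `installConfig.Compute != nil` guard before the `range` is redundant since ranging over a nil slice is a no-op.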