diff --git a/pkg/asset/rhcos/image.go b/pkg/asset/rhcos/image.go
index 92175f3247..aeef055a38 100644
--- a/pkg/asset/rhcos/image.go
+++ b/pkg/asset/rhcos/image.go
@@ -150,9 +150,11 @@ func osImage(ctx context.Context, ic *installconfig.InstallConfig, machinePool *
 return "", fmt.Errorf("%s: No azure build found", streamArchPrefix)
 }
 azi := ext.AzureDisk.URL
+ azMP := machinePool.Platform.Azure
+ confidentialVM := azMP != nil && azMP.Settings != nil && azMP.Settings.SecurityType != ""
 if mkt := ext.Marketplace; mkt == nil || mkt.Azure == nil || mkt.Azure.NoPurchasePlan == nil || mkt.Azure.NoPurchasePlan.Gen2 == nil {
 logrus.Warnf("%s: No default Azure marketplace image was found in stream", streamArchPrefix)
- } else {
+ } else if !confidentialVM { // Marketplace images don't suppot confidential VMs, so stick with managed image.
 gen, err := getHyperVGeneration(ic.Azure, machinePool.Name)
 if err != nil {
 return "", fmt.Errorf("failed to get hyperVGeneration: %w", err)
diff --git a/pkg/infrastructure/azure/azure.go b/pkg/infrastructure/azure/azure.go
index fa997e5de9..0539428122 100644
--- a/pkg/infrastructure/azure/azure.go
+++ b/pkg/infrastructure/azure/azure.go
@@ -254,8 +254,9 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 logrus.Debugf("StorageAccount.ID=%s", *storageAccount.ID)
 }
 
- // Create a managed image, which is only used for OKD, as OCP can use marketplace images.
- if installConfig.IsOKD() && platform.CloudName != aztypes.StackCloud {
+ // Create a managed image, which is used for OKD or confidential VMs on OCP.
+ hasConfidentialVM := getMachinePoolSecurityType(installConfig) != ""
+ if (hasConfidentialVM || installConfig.IsOKD()) && platform.CloudName != aztypes.StackCloud {
 // Create vhd blob storage container
 publicAccess := armstorage.PublicAccessNone
 createBlobContainerOutput, err := CreateBlobContainer(ctx, &CreateBlobContainerInput{
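Review bot: `confidentialVM` is true for any non-empty `SecurityType`, so a pool configured with `SecurityTypesTrustedLaunch` also skips the marketplace image; if that is intended, the variable name and the trailing comment (which also misspells "support") understate it, and `hasSecurityType := azMP != nil && azMP.Settings != nil && azMP.Settings.SecurityType != ""` with `// Marketplace images don't support TrustedLaunch/ConfidentialVM security types, so stick with the managed image.` would say what the code does. The new `azMP := machinePool.Platform.Azure` dereferences `machinePool` before the marketplace branch, whereas previously it was only touched inside the `else`; harmless if callers never pass nil, but worth confirming. This check also reads only the pool's own settings, while the helper used in azure.go falls back to compute pools and DefaultMachinePlatform, so unless `machinePool` arrives here already merged with defaults, a security type set only on defaultMachinePlatform would select a marketplace image here but trigger managed-image creation there. osImage continues outside the hunk.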
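Review bot: `hasConfidentialVM` is set whenever `getMachinePoolSecurityType` returns a non-empty mapped value, which includes TrustedLaunch, so both the name and the new comment `// Create a managed image, which is used for OKD or confidential VMs on OCP.` understate when the managed image is built; `needsManagedImage := getMachinePoolSecurityType(installConfig) != ""` and a comment naming both security types would read truthfully. The predicate also differs subtly from the one added in image.go, which tests the raw `SecurityType != ""`: a value that the helper's switch does not map makes image.go choose the managed image while this branch skips creating it, so the two paths can disagree unless validation rejects such values — worth confirming. The same lookup is repeated at `securityType := getMachinePoolSecurityType(installConfig)` in the next hunk of this file; computing it once and reusing the string for both decisions keeps them in lockstep. InfraReady continues outside the hunk.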
@@ -327,10 +328,7 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 // If Control Plane Security Type is provided, then pass that along
 // during Gen V2 Gallery Image creation. It will be added as a
 // supported feature of the image.
- securityType, err := getMachinePoolSecurityType(in)
- if err != nil {
- return err
- }
+ securityType := getMachinePoolSecurityType(installConfig)
 
 _, err = CreateGalleryImage(ctx, &CreateGalleryImageInput{
 ResourceGroupName: resourceGroupName,
@@ -819,16 +817,16 @@ func (p Provider) Ignition(ctx context.Context, in clusterapi.IgnitionInput) ([]
 return ignSecrets, nil
 }
 
-func getMachinePoolSecurityType(in clusterapi.InfraReadyInput) (string, error) {
+func getMachinePoolSecurityType(installConfig *types.InstallConfig) string {
 var securityType aztypes.SecurityTypes
- if in.InstallConfig.Config.ControlPlane != nil && in.InstallConfig.Config.ControlPlane.Platform.Azure != nil {
- pool := in.InstallConfig.Config.ControlPlane.Platform.Azure
+ if installConfig.ControlPlane != nil && installConfig.ControlPlane.Platform.Azure != nil {
+ pool := installConfig.ControlPlane.Platform.Azure
 if pool.Settings != nil {
 securityType = pool.Settings.SecurityType
 }
 }
- if securityType == "" && in.InstallConfig.Config.Compute != nil {
- for _, compute := range in.InstallConfig.Config.Compute {
+ if securityType == "" && installConfig.Compute != nil {
+ for _, compute := range installConfig.Compute {
 if compute.Platform.Azure != nil {
 pool := compute.Platform.Azure
 if pool.Settings != nil {
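Review bot: `getMachinePoolSecurityType` has no doc comment, and now that it takes `*types.InstallConfig` directly it is the single place deciding both whether a managed image is built and which feature the gallery image advertises, so its lookup order should be stated above the new signature: `// getMachinePoolSecurityType returns the gallery-image security type constant for the SecurityType configured on the control plane pool, else the compute pools, else defaultMachinePlatform; it returns "" when none is set or the value is not TrustedLaunch/ConfidentialVM.` On the new `if securityType == "" && installConfig.Compute != nil {` line the nil guard is redundant, since ranging over a nil slice is a no-op, so `if securityType == "" {` suffices. The compute loop assigns `securityType` for every pool that has Settings with no break visible in this hunk, so a later compute pool with an empty SecurityType would appear to overwrite an earlier non-empty one; the lines between this hunk and the next are not shown, so this may already be handled. The function continues into the next hunk.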
@@ -838,17 +836,17 @@ func getMachinePoolSecurityType(in clusterapi.InfraReadyInput) (string, error) {
 }
 }
 }
- if securityType == "" && in.InstallConfig.Config.Platform.Azure.DefaultMachinePlatform != nil {
- pool := in.InstallConfig.Config.Platform.Azure.DefaultMachinePlatform
+ if securityType == "" && installConfig.Platform.Azure.DefaultMachinePlatform != nil {
+ pool := installConfig.Platform.Azure.DefaultMachinePlatform
 if pool.Settings != nil {
 securityType = pool.Settings.SecurityType
 }
 }
 switch securityType {
 case aztypes.SecurityTypesTrustedLaunch:
- return trustedLaunchST, nil
+ return trustedLaunchST
 case aztypes.SecurityTypesConfidentialVM:
- return confidentialVMST, nil
+ return confidentialVMST
 }
- return "", nil
+ return ""
}
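Review bot: A configured SecurityType that is neither TrustedLaunch nor ConfidentialVM falls out of the `switch` and hits the new `return ""` silently, and after this commit that empty result also means InfraReady will not build a managed image even though the user asked for a hardened VM type. A `default:` arm such as `logrus.Warnf("unsupported Azure securityType %q ignored", securityType)` (logrus is already used in this file) would make the dropped setting visible in the install log without changing the return contract. If install-config validation already rejects unknown values this is only defence in depth, but nothing in the hunk shows that. getMachinePoolSecurityType begins in the previous hunk.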