From 6e4a27d54549fb36cbef68f61ba6b222d16625ff Mon Sep 17 00:00:00 2001
From: Patrick Dillon
Date: Tue, 18 Nov 2025 21:41:15 -0500
Subject: [PATCH] azure: do not use marketplace images for confidential VMs

Marketplace images do not support confidential VMs or trusted launch, so when machinesets use confidential VMs the installer will still create an image gallery compatible with the security settings.
---
 pkg/asset/rhcos/image.go | 4 +++-
 pkg/infrastructure/azure/azure.go | 30 ++++++++++++++----------------
 2 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/pkg/asset/rhcos/image.go b/pkg/asset/rhcos/image.go
index 92175f3247..aeef055a38 100644
--- a/pkg/asset/rhcos/image.go
+++ b/pkg/asset/rhcos/image.go
@@ -150,9 +150,11 @@ func osImage(ctx context.Context, ic *installconfig.InstallConfig, machinePool *
 return "", fmt.Errorf("%s: No azure build found", streamArchPrefix)
 }
 azi := ext.AzureDisk.URL
+azMP := machinePool.Platform.Azure
+confidentialVM := azMP != nil && azMP.Settings != nil && azMP.Settings.SecurityType != ""
 if mkt := ext.Marketplace; mkt == nil || mkt.Azure == nil || mkt.Azure.NoPurchasePlan == nil || mkt.Azure.NoPurchasePlan.Gen2 == nil {
 logrus.Warnf("%s: No default Azure marketplace image was found in stream", streamArchPrefix)
-} else {
+} else if !confidentialVM { // Marketplace images don't suppot confidential VMs, so stick with managed image.
 gen, err := getHyperVGeneration(ic.Azure, machinePool.Name)
 if err != nil {
 return "", fmt.Errorf("failed to get hyperVGeneration: %w", err)
diff --git a/pkg/infrastructure/azure/azure.go b/pkg/infrastructure/azure/azure.go
index fa997e5de9..0539428122 100644
--- a/pkg/infrastructure/azure/azure.go
+++ b/pkg/infrastructure/azure/azure.go
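Review bot: The added `confidentialVM` check reads only `machinePool.Platform.Azure`, whereas the gallery-side helper changed later in this patch also falls back to `Platform.Azure.DefaultMachinePlatform`; a security type set only under defaultMachinePlatform would therefore still select the marketplace image here while InfraReady builds a managed image for it, unless the pool handed to osImage already has platform defaults merged in, which this hunk does not show. If it does not, extend the check with the default platform's `Settings.SecurityType` (reached through `ic`, presumably `ic.Config.Platform.Azure.DefaultMachinePlatform`), and consider naming it `hasSecurityType` since any non-empty `SecurityType`, including TrustedLaunch, takes this branch. The trailing comment also has a typo: `// Marketplace images don't support confidential VMs or trusted launch, so stick with the managed image.`. osImage starts and ends outside this hunk.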
@@ -254,8 +254,9 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 logrus.Debugf("StorageAccount.ID=%s", *storageAccount.ID)
 }
 
-// Create a managed image, which is only used for OKD, as OCP can use marketplace images.
-if installConfig.IsOKD() && platform.CloudName != aztypes.StackCloud {
+// Create a managed image, which is used for OKD or confidential VMs on OCP.
+hasConfidentialVM := getMachinePoolSecurityType(installConfig) != ""
+if (hasConfidentialVM || installConfig.IsOKD()) && platform.CloudName != aztypes.StackCloud {
 // Create vhd blob storage container
 publicAccess := armstorage.PublicAccessNone
 createBlobContainerOutput, err := CreateBlobContainer(ctx, &CreateBlobContainerInput{
@@ -327,10 +328,7 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 // If Control Plane Security Type is provided, then pass that along
 // during Gen V2 Gallery Image creation. It will be added as a
 // supported feature of the image.
-securityType, err := getMachinePoolSecurityType(in)
-if err != nil {
-return err
-}
+securityType := getMachinePoolSecurityType(installConfig)
 
 _, err = CreateGalleryImage(ctx, &CreateGalleryImageInput{
 ResourceGroupName: resourceGroupName,
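Review bot: `hasConfidentialVM` is true for any non-empty value from getMachinePoolSecurityType, which (per the helper later in this patch) includes TrustedLaunch, so the name and the new comment undersell what triggers the managed-image path; `hasSecurityType := getMachinePoolSecurityType(installConfig) != ""` with `// Create a managed image for OKD and for any pool that sets a security type (TrustedLaunch or ConfidentialVM), which marketplace images do not support.` would match the commit message. Note also that the retained `platform.CloudName != aztypes.StackCloud` guard still skips the managed image when a security type is set on Azure Stack; if security types are not valid there, validation should reject them, otherwise those pools end up with no image at all, and this hunk does not show which holds. InfraReady starts and ends outside this hunk.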
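Review bot: The three kept comment lines above `securityType := getMachinePoolSecurityType(installConfig)` still say "If Control Plane Security Type is provided", but the helper as rewritten in this patch also consults the compute pools and defaultMachinePlatform, so the comment is now misleading about when a feature is added to the gallery image. Suggest `// Pass the security type configured on any pool (control plane first, then compute, then defaultMachinePlatform) along during Gen V2 Gallery Image creation; it is added as a supported feature of the image.`. The `err` now only assigned by `_, err = CreateGalleryImage(...)` must be declared earlier in InfraReady, outside this hunk.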
@@ -819,16 +817,16 @@ func (p Provider) Ignition(ctx context.Context, in clusterapi.IgnitionInput) ([]
 return ignSecrets, nil
 }
 
-func getMachinePoolSecurityType(in clusterapi.InfraReadyInput) (string, error) {
+func getMachinePoolSecurityType(installConfig *types.InstallConfig) string {
 var securityType aztypes.SecurityTypes
-if in.InstallConfig.Config.ControlPlane != nil && in.InstallConfig.Config.ControlPlane.Platform.Azure != nil {
-pool := in.InstallConfig.Config.ControlPlane.Platform.Azure
+if installConfig.ControlPlane != nil && installConfig.ControlPlane.Platform.Azure != nil {
+pool := installConfig.ControlPlane.Platform.Azure
 if pool.Settings != nil {
 securityType = pool.Settings.SecurityType
 }
 }
-if securityType == "" && in.InstallConfig.Config.Compute != nil {
-for _, compute := range in.InstallConfig.Config.Compute {
+if securityType == "" && installConfig.Compute != nil {
+for _, compute := range installConfig.Compute {
 if compute.Platform.Azure != nil {
 pool := compute.Platform.Azure
 if pool.Settings != nil {
@@ -838,17 +836,17 @@ func getMachinePoolSecurityType(in clusterapi.InfraReadyInput) (string, error) {
 }
 }
 }
-if securityType == "" && in.InstallConfig.Config.Platform.Azure.DefaultMachinePlatform != nil {
-pool := in.InstallConfig.Config.Platform.Azure.DefaultMachinePlatform
+if securityType == "" && installConfig.Platform.Azure.DefaultMachinePlatform != nil {
+pool := installConfig.Platform.Azure.DefaultMachinePlatform
 if pool.Settings != nil {
 securityType = pool.Settings.SecurityType
 }
 }
 switch securityType {
 case aztypes.SecurityTypesTrustedLaunch:
-return trustedLaunchST
+return trustedLaunchST
 case aztypes.SecurityTypesConfidentialVM:
-return confidentialVMST, nil
+return confidentialVMST
 }
-return "", nil
+return ""
 }
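Review bot: The rewritten `getMachinePoolSecurityType` has no doc comment, and its precedence (control plane, then the first compute pool that sets one, then defaultMachinePlatform) is exactly what the two callers in this patch need to know when deciding whether a managed image is required; suggest adding above the signature `// getMachinePoolSecurityType returns the gallery security-type feature value for the cluster: the control plane's setting if present, else the first compute pool with one, else defaultMachinePlatform's; "" when none is set.`. On the `if securityType == "" && installConfig.Compute != nil` line the nil check is redundant, since ranging over a nil slice is a no-op. The function also dereferences `installConfig` and `installConfig.Platform.Azure` unguarded, which is fine for the Azure provider's own call sites but worth a sentence in that comment. The function body continues into the next hunk.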
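Review bot: With `return trustedLaunchST` and `return confidentialVMST` now the only non-empty outputs, a cluster whose pools mix TrustedLaunch and ConfidentialVM yields a single feature value chosen by precedence, so the gallery image is tagged for only one of them; whether an image tagged for one security type also serves pools using the other is not visible here, so either install-config validation should reject mixed security types or the code should state that the higher-precedence pool wins. A `default:` case carrying a short comment before the trailing `return ""` would also make explicit that an unset or unrecognized `SecurityType` deliberately produces no gallery feature. getMachinePoolSecurityType begins in the previous hunk.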