v2

charts/internal/machineclass/templates/machineclass.yaml

@@ -18,10 +18,6 @@ kind: MachineClass
 metadata:
   name: {{ $machineClass.name }}
   namespace: {{ $.Release.Namespace }}
-  annotations:
-    {{- if $machineClass.annotations }}
-{{ toYaml $machineClass.annotations | indent 4 }}
-    {{- end }}
   labels:
     {{- if $machineClass.operatingSystem }}
 {{ toYaml $machineClass.operatingSystem | indent 4 }}
@@ -42,7 +38,13 @@ providerSpec:
   properties:
     {{- if $machineClass.securityProfile }}
     securityProfile:
+      {{- if hasKey $machineClass.securityProfile "securityType" }}
       securityType: {{ $machineClass.securityProfile.securityType }}
+      {{- end }}
+      {{- if hasKey $machineClass.securityProfile "uefiSettings" }}
+      uefiSettings:
+{{ toYaml $machineClass.securityProfile.uefiSettings | indent 8 }}
+      {{- end }}
     {{- end }}
     {{- if hasKey $machineClass "zone" }}
     zone: {{ $machineClass.zone }}
@@ -79,17 +81,21 @@ providerSpec:
         sharedGalleryImageID: {{ $machineClass.image.sharedGalleryImageID }}
 {{- else }}
         urn: {{ $machineClass.image.urn }}
-{{- end }}
-{{- if $machineClass.image.privatePlan }}
-        privatePlan: {{ $machineClass.image.privatePlan }}
+        {{- if $machineClass.image.skipMarketplaceAgreement}}
+        skipMarketPlaceAgreement: true
+        {{- end }}
 {{- end }}
       osDisk:
         caching: None
         diskSizeGB: {{ $machineClass.osDisk.size }}
-        {{- if hasKey $machineClass.osDisk "type" }}
         managedDisk:
+        {{- if hasKey $machineClass.osDisk "type" }}
           storageAccountType: {{ $machineClass.osDisk.type }}
         {{- end }}
+        {{- if hasKey $machineClass.osDisk "securityProfile" }}
+          securityProfile:
+            securityEncryptionType: {{ $machineClass.osDisk.securityProfile.securityEncryptionType }}
+        {{- end }}
         createOption: FromImage
 {{- if $machineClass.dataDisks }}
       dataDisks:

charts/internal/machineclass/values.yaml

@@ -31,12 +31,17 @@ machineClasses:
     zone: westeurope-1
   image:
     urn: "CoreOS:CoreOS:Stable:1576.5.0"
+    #skipMarketplaceAgreement: true
     #id: "/subscriptions/<subscription ID where the gallery is located>/resourceGroups/myGalleryRG/providers/Microsoft.Compute/galleries/myGallery/images/myImageDefinition/versions/1.0.0"
     #communityGalleryImageID: "/CommunityGalleries/<community gallery id>/Images/myImageDefinition/versions/1.0.0"
     #sharedGalleryImageID: "/SharedGalleries/<sharedGalleryName>/Images/<sharedGalleryImageName>/Versions/<sharedGalleryImageVersionName>"
   osDisk:
     size: 50
     #type: Standard_LRS
+    #securityProfile:
+      #securityEncryptionType: VMGuestStateOnly
+      #uefiSettings:
+        #vtpmEnabled: false
   sshPublicKey: ssh-rsa AAAAB3...
 - name: class-2-availability-set
   region: westeurope

pkg/controller/worker/machines.go

@@ -139,6 +139,9 @@ func (w *workerDelegate) generateMachineConfig(ctx context.Context) error {
 		image := map[string]interface{}{}
 		if urn != nil {
 			image["urn"] = *urn
+			if skipAgreementPools.Has(pool.Name) {
+				image["skipMarketplaceAgreement"] = true
+			}
 		} else if communityGalleryImageID != nil {
 			image["communityGalleryImageID"] = *communityGalleryImageID
 		} else if sharedGalleryImageID != nil {
@@ -147,11 +150,6 @@ func (w *workerDelegate) generateMachineConfig(ctx context.Context) error {
 			image["id"] = *id
 		}
 
-		machineClassAnnotations := map[string]string{}
-		if skipAgreementPools.Has(pool.Name) {
-			machineClassAnnotations[azure.BetaSkipMarketPlaceAgreementMCMAnnotation] = "true"
-		}
-
 		disks, err := computeDisks(pool)
 		if err != nil {
 			return err
@@ -178,7 +176,6 @@ func (w *workerDelegate) generateMachineConfig(ctx context.Context) error {
 				}
 
 				machineClassSpec = utils.MergeMaps(map[string]interface{}{
-					"annotations":   machineClassAnnotations,
 					"region":        w.worker.Spec.Region,
 					"resourceGroup": infrastructureStatus.ResourceGroup.Name,
 					"tags":          w.getVMTags(pool),
@@ -278,10 +275,13 @@ func (w *workerDelegate) generateMachineConfig(ctx context.Context) error {
 				}
 			}
 
-			// special processing of confidential VMs.
-			if w.isConfidentialVM(pool.MachineType) {
+			// special processing of CVMs.
+			if isConfidentialVM(pool) {
 				machineClassSpec["securityProfile"] = map[string]interface{}{
 					"securityType": string(armcompute.SecurityTypesConfidentialVM),
+					"uefiSettings": map[string]interface{}{
+						"vtpmEnabled": true,
+					},
 				}
 			}
 
@@ -407,6 +407,12 @@ func computeDisks(pool extensionsv1alpha1.WorkerPool) (map[string]interface{}, e
 		osDisk["type"] = *pool.Volume.Type
 	}
 
+	if isConfidentialVM(pool) {
+		osDisk["securityProfile"] = map[string]interface{}{
+			"securityEncryptionType": string(armcompute.SecurityEncryptionTypesVMGuestStateOnly),
+		}
+	}
+
 	disks := map[string]interface{}{
 		"osDisk": osDisk,
 	}
@@ -491,9 +497,9 @@ func (w *workerDelegate) generateWorkerPoolHash(pool extensionsv1alpha1.WorkerPo
 }
 
 // TODO: Remove when we have support for VM Capabilities
-func (w *workerDelegate) isConfidentialVM(family string) bool {
+func isConfidentialVM(pool extensionsv1alpha1.WorkerPool) bool {
 	for _, v := range azure.ConfidentialVMFamilyPrefixes {
-		if strings.HasPrefix(strings.ToLower(family), strings.ToLower(v)) {
+		if strings.HasPrefix(strings.ToLower(pool.MachineType), strings.ToLower(v)) {
 			return true
 		}
 	}

pkg/controller/worker/machines_test.go

@@ -404,7 +404,6 @@ var _ = Describe("Machines", func() {
 					}
 
 					defaultMachineClass := map[string]interface{}{
-						"annotations":   map[string]string{},
 						"region":        region,
 						"resourceGroup": resourceGroupName,
 						"network": map[string]interface{}{