confidential vm support (#835)

* confidential vm support
gardener · Jun 24, 2024 · 79c7db5 · 79c7db5
1 parent 16870b5
commit 79c7db5
Show file tree

Hide file tree

Showing 14 changed files with 151 additions and 32 deletions.
diff --git a/charts/internal/machineclass/templates/machineclass.yaml b/charts/internal/machineclass/templates/machineclass.yaml
@@ -36,6 +36,16 @@ nodeTemplate:
 providerSpec:
   location: {{ $machineClass.region }}
   properties:
+    {{- if $machineClass.securityProfile }}
+    securityProfile:
+      {{- if hasKey $machineClass.securityProfile "securityType" }}
+      securityType: {{ $machineClass.securityProfile.securityType }}
+      {{- end }}
+      {{- if hasKey $machineClass.securityProfile "uefiSettings" }}
+      uefiSettings:
+{{ toYaml $machineClass.securityProfile.uefiSettings | indent 8 }}
+      {{- end }}
+    {{- end }}
     {{- if hasKey $machineClass "zone" }}
     zone: {{ $machineClass.zone }}
     {{- end }}
@@ -71,14 +81,21 @@ providerSpec:
         sharedGalleryImageID: {{ $machineClass.image.sharedGalleryImageID }}
 {{- else }}
         urn: {{ $machineClass.image.urn }}
+        {{- if $machineClass.image.skipMarketplaceAgreement}}
+        skipMarketPlaceAgreement: true
+        {{- end }}
 {{- end }}
       osDisk:
         caching: None
         diskSizeGB: {{ $machineClass.osDisk.size }}
-        {{- if hasKey $machineClass.osDisk "type" }}
         managedDisk:
+        {{- if hasKey $machineClass.osDisk "type" }}
           storageAccountType: {{ $machineClass.osDisk.type }}
         {{- end }}
+        {{- if hasKey $machineClass.osDisk "securityProfile" }}
+          securityProfile:
+            securityEncryptionType: {{ $machineClass.osDisk.securityProfile.securityEncryptionType }}
+        {{- end }}
         createOption: FromImage
 {{- if $machineClass.dataDisks }}
       dataDisks:

diff --git a/charts/internal/machineclass/values.yaml b/charts/internal/machineclass/values.yaml
@@ -31,12 +31,17 @@ machineClasses:
     zone: westeurope-1
   image:
     urn: "CoreOS:CoreOS:Stable:1576.5.0"
+    #skipMarketplaceAgreement: true
     #id: "/subscriptions/<subscription ID where the gallery is located>/resourceGroups/myGalleryRG/providers/Microsoft.Compute/galleries/myGallery/images/myImageDefinition/versions/1.0.0"
     #communityGalleryImageID: "/CommunityGalleries/<community gallery id>/Images/myImageDefinition/versions/1.0.0"
     #sharedGalleryImageID: "/SharedGalleries/<sharedGalleryName>/Images/<sharedGalleryImageName>/Versions/<sharedGalleryImageVersionName>"
   osDisk:
     size: 50
     #type: Standard_LRS
+    #securityProfile:
+      #securityEncryptionType: VMGuestStateOnly
+      #uefiSettings:
+        #vtpmEnabled: false
   sshPublicKey: ssh-rsa AAAAB3...
 - name: class-2-availability-set
   region: westeurope

diff --git a/hack/api-reference/api.md b/hack/api-reference/api.md
@@ -1056,6 +1056,18 @@ string
 <p>Architecture is the CPU architecture of the machine image.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>skipMarketplaceAgreement</code></br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>SkipMarketplaceAgreement skips the marketplace agreement check when enabled.</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="azure.provider.extensions.gardener.cloud/v1alpha1.MachineImageVersion">MachineImageVersion
@@ -1100,6 +1112,18 @@ string
 </tr>
 <tr>
 <td>
+<code>skipMarketplaceAgreement</code></br>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>SkipMarketplaceAgreement skips the marketplace agreement check when enabled.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>id</code></br>
 <em>
 string

diff --git a/pkg/apis/azure/helper/helper.go b/pkg/apis/azure/helper/helper.go
@@ -105,14 +105,15 @@ func FindImageFromCloudProfile(cloudProfileConfig *api.CloudProfileConfig, image
 			for _, version := range machineImage.Versions {
 				if imageVersion == version.Version && ptr.Equal(architecture, version.Architecture) {
 					return &api.MachineImage{
-						Name:                    imageName,
-						Version:                 version.Version,
-						URN:                     version.URN,
-						ID:                      version.ID,
-						SharedGalleryImageID:    version.SharedGalleryImageID,
-						CommunityGalleryImageID: version.CommunityGalleryImageID,
-						AcceleratedNetworking:   version.AcceleratedNetworking,
-						Architecture:            version.Architecture,
+						Name:                     imageName,
+						Version:                  version.Version,
+						URN:                      version.URN,
+						ID:                       version.ID,
+						SharedGalleryImageID:     version.SharedGalleryImageID,
+						CommunityGalleryImageID:  version.CommunityGalleryImageID,
+						AcceleratedNetworking:    version.AcceleratedNetworking,
+						Architecture:             version.Architecture,
+						SkipMarketplaceAgreement: version.SkipMarketplaceAgreement,
 					}, nil
 				}
 			}

diff --git a/pkg/apis/azure/types_cloudprofile.go b/pkg/apis/azure/types_cloudprofile.go
@@ -56,6 +56,8 @@ type MachineImageVersion struct {
 	Version string
 	// URN is the uniform resource name of the image, it has the format 'publisher:offer:sku:version'.
 	URN *string
+	// SkipMarketplaceAgreement skips the marketplace agreement check when enabled.
+	SkipMarketplaceAgreement *bool
 	// ID is the Shared Image Gallery image id.
 	ID *string
 	// CommunityGalleryImageID is the Community Image Gallery image id, it has the format '/CommunityGalleries/myGallery/Images/myImage/Versions/myVersion'

diff --git a/pkg/apis/azure/types_worker.go b/pkg/apis/azure/types_worker.go
@@ -54,6 +54,8 @@ type MachineImage struct {
 	AcceleratedNetworking *bool
 	// Architecture is the CPU architecture of the machine image.
 	Architecture *string
+	// SkipMarketplaceAgreement skips the marketplace agreement check when enabled.
+	SkipMarketplaceAgreement *bool
 }
 
 // VmoDependency is dependency reference for a workerpool to a VirtualMachineScaleSet Orchestration Mode VM (VMO).

diff --git a/pkg/apis/azure/v1alpha1/types_cloudprofile.go b/pkg/apis/azure/v1alpha1/types_cloudprofile.go
@@ -60,6 +60,9 @@ type MachineImageVersion struct {
 	// URN is the uniform resource name of the image, it has the format 'publisher:offer:sku:version'.
 	// +optional
 	URN *string `json:"urn,omitempty"`
+	// SkipMarketplaceAgreement skips the marketplace agreement check when enabled.
+	// +optional
+	SkipMarketplaceAgreement *bool `json:"skipMarketplaceAgreement,omitempty"`
 	// ID is the Shared Image Gallery image id.
 	// +optional
 	ID *string `json:"id,omitempty"`

diff --git a/pkg/apis/azure/v1alpha1/types_worker.go b/pkg/apis/azure/v1alpha1/types_worker.go
@@ -65,6 +65,9 @@ type MachineImage struct {
 	// Architecture is the CPU architecture of the machine image.
 	// +optional
 	Architecture *string `json:"architecture,omitempty"`
+	// SkipMarketplaceAgreement skips the marketplace agreement check when enabled.
+	// +optional
+	SkipMarketplaceAgreement *bool `json:"skipMarketplaceAgreement,omitempty"`
 }
 
 // VmoDependency is dependency reference for a workerpool to a VirtualMachineScaleSet Orchestration Mode VM (VMO).

diff --git a/pkg/apis/azure/v1alpha1/zz_generated.conversion.go b/pkg/apis/azure/v1alpha1/zz_generated.conversion.go
diff --git a/pkg/apis/azure/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/azure/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/apis/azure/zz_generated.deepcopy.go b/pkg/apis/azure/zz_generated.deepcopy.go
diff --git a/pkg/azure/types.go b/pkg/azure/types.go
@@ -147,4 +147,10 @@ const (
 var (
 	UsernamePrefix       = extensionsv1alpha1.SchemeGroupVersion.Group + ":" + Name + ":"
 	ValidFlowAnnotations = []string{AnnotationKeyUseFlow, GlobalAnnotationKeyUseFlow}
+
+	// ConfidentialVMFamilyPrefixes is a list of known families that are used for confidential VMs.
+	ConfidentialVMFamilyPrefixes = []string{
+		"standard_ec",
+		"standard_dc",
+	}
 )
diff --git a/pkg/controller/worker/machine_images.go b/pkg/controller/worker/machine_images.go
@@ -37,28 +37,28 @@ func (w *workerDelegate) UpdateMachineImagesStatus(ctx context.Context) error {
 	return nil
 }
 
-func (w *workerDelegate) findMachineImage(name, version string, architecture *string) (urn, id, communityGalleryImageID *string, sharedGalleryImageID *string, acceleratedNetworking *bool, err error) {
+func (w *workerDelegate) findMachineImage(name, version string, architecture *string) (*api.MachineImage, error) {
 	machineImage, err := helper.FindImageFromCloudProfile(w.cloudProfileConfig, name, version, architecture)
 	if err == nil {
-		return machineImage.URN, machineImage.ID, machineImage.CommunityGalleryImageID, machineImage.SharedGalleryImageID, machineImage.AcceleratedNetworking, nil
+		return machineImage, nil
 	}
 
 	// Try to look up machine image in worker provider status as it was not found in componentconfig.
 	if providerStatus := w.worker.Status.ProviderStatus; providerStatus != nil {
 		workerStatus := &api.WorkerStatus{}
 		if _, _, err := w.decoder.Decode(providerStatus.Raw, nil, workerStatus); err != nil {
-			return nil, nil, nil, nil, nil, fmt.Errorf("could not decode worker status of worker '%s': %w", kutil.ObjectName(w.worker), err)
+			return nil, fmt.Errorf("could not decode worker status of worker '%s': %w", kutil.ObjectName(w.worker), err)
 		}
 
 		machineImage, err := helper.FindMachineImage(workerStatus.MachineImages, name, version, architecture)
 		if err != nil {
-			return nil, nil, nil, nil, nil, worker.ErrorMachineImageNotFound(name, version, *architecture)
+			return nil, worker.ErrorMachineImageNotFound(name, version, *architecture)
 		}
 
-		return machineImage.URN, machineImage.ID, machineImage.CommunityGalleryImageID, machineImage.SharedGalleryImageID, machineImage.AcceleratedNetworking, nil
+		return machineImage, nil
 	}
 
-	return nil, nil, nil, nil, nil, worker.ErrorMachineImageNotFound(name, version, *architecture)
+	return nil, worker.ErrorMachineImageNotFound(name, version, *architecture)
 }
 
 func appendMachineImage(machineImages []api.MachineImage, machineImage api.MachineImage) []api.MachineImage {