confidential vm support

gardener · Apr 30, 2024 · e63e146 · e63e146
1 parent 2b9a349
commit e63e146
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/charts/internal/machineclass/templates/machineclass.yaml b/charts/internal/machineclass/templates/machineclass.yaml
@@ -36,6 +36,10 @@ nodeTemplate:
 providerSpec:
   location: {{ $machineClass.region }}
   properties:
+    {{- if $machineClass.securityProfile }}
+    securityProfile:
+      securityType: {{ $machineClass.securityProfile.securityType }}
+    {{- end }}
     {{- if hasKey $machineClass "zone" }}
     zone: {{ $machineClass.zone }}
     {{- end }}
@@ -71,6 +75,9 @@ providerSpec:
         sharedGalleryImageID: {{ $machineClass.image.sharedGalleryImageID }}
 {{- else }}
         urn: {{ $machineClass.image.urn }}
+{{- end }}
+{{- if $machineClass.image.privatePlan }}
+        privatePlan: {{ $machineClass.image.privatePlan }}
 {{- end }}
       osDisk:
         caching: None

diff --git a/pkg/controller/worker/machines.go b/pkg/controller/worker/machines.go
@@ -12,6 +12,7 @@ import (
 	"sort"
 	"strings"
 
+	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v5"
 	"github.com/gardener/gardener/extensions/pkg/controller/worker"
 	genericworkeractuator "github.com/gardener/gardener/extensions/pkg/controller/worker/genericactuator"
 	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
@@ -20,6 +21,7 @@ import (
 	"github.com/gardener/gardener/pkg/client/kubernetes"
 	"github.com/gardener/gardener/pkg/utils"
 	machinev1alpha1 "github.com/gardener/machine-controller-manager/pkg/apis/machine/v1alpha1"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -85,6 +87,7 @@ func (w *workerDelegate) generateMachineConfig(ctx context.Context) error {
 		machineDeployments        = worker.MachineDeployments{}
 		machineClasses            []map[string]interface{}
 		machineImages             []azureapi.MachineImage
+		skipAgreementPools        = sets.New[string]()
 	)
 
 	infrastructureStatus, err := w.decodeAzureInfrastructureStatus()
@@ -102,6 +105,12 @@ func (w *workerDelegate) generateMachineConfig(ctx context.Context) error {
 		return err
 	}
 
+	if v, ok := w.cluster.Shoot.GetAnnotations()["azure.provider.extensions.gardener.cloud/skip-marketplace-agreement"]; ok {
+		for _, p := range strings.Split(v, ",") {
+			skipAgreementPools.Insert(p)
+		}
+	}
+
 	for _, pool := range w.worker.Spec.Pools {
 		// Get the vmo dependency from the worker status if exists.
 		vmoDependency, err := w.determineWorkerPoolVmoDependency(ctx, infrastructureStatus, workerStatus, pool.Name)
@@ -136,6 +145,9 @@ func (w *workerDelegate) generateMachineConfig(ctx context.Context) error {
 		} else {
 			image["id"] = *id
 		}
+		if skipAgreementPools.Has(pool.Name) {
+			image["privatePlan"] = true
+		}
 
 		disks, err := computeDisks(pool)
 		if err != nil {
@@ -262,6 +274,13 @@ func (w *workerDelegate) generateMachineConfig(ctx context.Context) error {
 				}
 			}
 
+			// special processing of confidential VMs.
+			if w.isConfidentialVM(pool.MachineType) {
+				machineClassSpec["securityProfile"] = map[string]interface{}{
+					"securityType": string(armcompute.SecurityTypesConfidentialVM),
+				}
+			}
+
 			machineDeployment.ClusterAutoscalerAnnotations = extensionsv1alpha1helper.GetMachineDeploymentClusterAutoscalerAnnotations(pool.ClusterAutoscaler)
 
 			return machineDeployment, machineClassSpec
@@ -466,3 +485,11 @@ func (w *workerDelegate) generateWorkerPoolHash(pool extensionsv1alpha1.WorkerPo
 	}
 	return workerPoolHash, nil
 }
+
+// TODO(AK): Remove when we have support for VM Capabilities
+func (w *workerDelegate) isConfidentialVM(family string) bool {
+	if strings.HasPrefix(strings.ToLower(family), "standard_ec") || strings.HasPrefix(strings.ToLower(family), "standard_dc") {
+		return true
+	}
+	return false
+}