Add support for confidential VMs

[mresvanis]

What type of PR is this?

/kind feature

What this PR does / why we need it:

This change adds support for Confidential VMs and Trusted launch for VMs.

Azure Confidential VMs are defined by their SecurityProfile.SecurityType ConfidentialVM, which should be defined along with the OSDisk.ManagedDisk.SecurityProfile.SecurityEncryptionType field. Trusted launch for VMs is defined by the SecurityProfile.SecurityType TrustedLaunch, which should be defined along with the SecurityProfile.UefiSettings section, i.e. the SecureBootEnabled and VTpmEnabled fields.

Related image-builder PR.

Which issue(s) this PR fixes:
Fixes #3264

Special notes for your reviewer:

Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

TODOs:

• squashed commits
• includes documentation
• adds unit tests

Release note:

Add SecurityProfile SecurityType to API
Add OSDisk VMDiskSecurityProfile to API
Add SecurityProfile UefiSettings with SecureBootEnabled and VTpmEnabled to API

[mresvanis]

/test pull-cluster-api-provider-azure-e2e

[nawazkh]

I started looking into this PR, will take sometime in going over the Azure Docs and the new fields being added.
Thanks for all the work!

[CecileRobertMichon]

@nawazkh are you still reviewing this?

[nawazkh]

Extremely sorry, It slipped my radar after I was half way done reviewing this PR. I will get started on it again!
Sorry @mresvanis !

[willie-yao]

Thanks for all your hard work on this! I just had one comment and a general question: I think it'd be great to have an E2E test for this feature. This may be out of scope for this PR but this seems like a great feature that can be tested E2E.

[mresvanis]

Thanks for all your hard work on this! I just had one comment and a general question: I think it'd be great to have an E2E test for this feature. This may be out of scope for this PR but this seems like a great feature that can be tested E2E.

@willie-yao Thank you for taking the time to review this change :)

I agree that having an E2E test for this feature would be quite useful. In order to keep this PR at its current size, would it be an option to open an issue for the E2E test and then tackle it in a future PR? Or would you prefer to have the E2E test as part of this PR?

(I would be happy to propose a change for the E2E test either way, I would just need a bit more time)

[willie-yao]

In order to keep this PR at its current size, would it be an option to open an issue for the E2E test and then tackle it in a future PR?

Ideally, we would want to have an E2E test be a part of this PR in order to ensure the feature is fully working E2E. Since the next release is planned for May 2, it would be totally okay to take some time. The feature won't be available to users until then anyways.

Would this be enough time for you to implement an E2E test? I apologize for the rush on this.. it's on us for not reviewing this PR sooner 😔

[mresvanis]

Would this be enough time for you to implement an E2E test? I apologize for the rush on this.. it's on us for not reviewing this PR sooner

Absolutely no problem, I'll get started as soon as I can and ping you here when I have something up for review. Thanks again for your time.

[nawazkh]

This is great effort @mresvanis , thanks for taking the time in putting this together!
Also, I apologize for sharing my review so late.

I would generally share all the review at once, but I am breaking it in chunks here to get the ball rolling. I plan on completing reviewing this PR in couple more hours.

[nawazkh]

Part 2/2 of the review.
I have skipped reviewing azuremachine_validation(.go and _test.go), azuremachine_validation_test.go since we are expecting for some refactor.

[nawazkh]

Would it be better if we enforce these validations at webhook level so that there are lesser chances for a user to run into Terminal Error ?

[nawazkh]

I also think, if we were to refactor the securityProfile as per earlier comments, then we would run into lesser (almost none) validations and have more of assignments at this stage of v1beta1 -> azure conversion.

[mresvanis]

Would it be better if we enforce these validations at webhook level so that there are lesser chances for a user to run into Terminal Error ?

I absolutely agree, these validations are quite useful at the webhook level and we have them here. The latter is initially called through here. Does this makes sense?

[nawazkh]

Makes sense, thanks!

@CecileRobertMichon do you know why we perform validations in generateSecurityProfile() func?
I am trying to understand the reasoning behind generateSecurityProfile() returning azure.WithTerminalError().
Can we not perform all the validations at webhook level ? Is it because we need s of type *VMSpec populated for these validations, and s can only be populated later in the reconciliation and not at the webhook level?

[nawazkh]

However, I am not sure if s.SKU.HasCapability(...) can be run at webhook level. If we cannot perform s.SKU.HasCapability(...) validations at webhook, then we might have to leave some of these dependent validations here.

What do you think @CecileRobertMichon @willie-yao ?

[codecov-commenter]

Codecov Report

Patch coverage: 85.83% and project coverage change: -0.24 ⚠️

Comparison is base (f20a204) 53.33% compared to head (353a109) 53.10%.

❗ Current head 353a109 differs from pull request most recent head 720566f. Consider uploading reports for the commit 720566f to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3265      +/-   ##
==========================================
- Coverage   53.33%   53.10%   -0.24%     
==========================================
  Files         185      182       -3     
  Lines       18433    18367      -66     
==========================================
- Hits         9832     9754      -78     
  Misses       8063     8063              
- Partials      538      550      +12     

Impacted Files	Coverage Δ
api/v1beta1/types.go	60.71% <ø> (ø)
azure/services/resourceskus/sku.go	0.00% <ø> (ø)
api/v1beta1/azuremachine_validation.go	83.54% <82.97%> (-0.17%)	⬇️
azure/services/virtualmachines/spec.go	88.35% <87.67%> (-0.64%)	⬇️

... and 20 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[alexeldeib]

cc @anujmaheshwari1 I wonder if we do this correctly for AKS...

[alexeldeib]

are you sure DiskWithVMGuestState is what you want? I've only used CVM with VMGuestStateOnly

either way, VMGuestStateOnly should be a valid setting for CVM, I think, and works with secure boot.

[alexeldeib]

need a gen1/gen2 check here as well. I believe you only get TrustedLaunchDisabled from SKU API on gen2 sizes which do not support it, it's annoyingly inverted from most capabilities.

as-is I believe you allow a gen1 VM size with TL + secure boot which is invalid.

[alexeldeib]

could sanity check sku api to confirm --

az vm list-skus -r virtualMachines -s Something_Thats_only_gen1 (Standard_NC6?)

[alexeldeib]

apologies for drive-by review but hope I added some useful comments -- happen to have worked a little on CVM/TL from AKS perspective so was curious :)

[alexeldeib]

some other random high level thoughts

• sku api in webhooks: your intuition is correct I don't think we do that today due to requirements to fetch creds, call azure, etc. would be nice
• other early validation: you can technically regex a lot of stuff without the sku api. I think CVM may work for that case, but you'd have to update the regex in the future. I got tired of manually updating sizes for AKS which is why I wrote the sku api clients to begin with. your mileage may vary :)

[nawazkh]

This PR looks good to me!

[CecileRobertMichon]

I still don't see any documentation in the PR, @mresvanis are you still working on adding it?

[mresvanis]

I still don't see any documentation in the PR, @mresvanis are you still working on adding it?

@CecileRobertMichon yes, I was waiting for the image-builder PR to get merged first, but I will add the documentation today so that you have time to review it.

[mresvanis]

@CecileRobertMichon I added documentation for both Confidential VMs and Trusted Launch for VMs, by adding 2 new topics. Please feel free to review. Thank you.

[nawazkh]

I looked into the newly added docs and they look good to me! 🚀
I like the thought of waiting until we have a defined way of generating CVM images and then merging this doc with the steps.

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: ab33867f4da255c6876eb53b839ff1231377fc59

[mresvanis]

@mboersma thank you for your input in the respective image-builder PR! Since that has been merged, your thoughts here would also be much appreciated.

[mboersma]

Thank you so much for your work and your patience. This is great!

I only found some typos and had some minor doc comments, feel free to ignore those you disagree with.

[mboersma]

/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 4410040d6da82f0cc54a283e907b1a716c33f59d

[CecileRobertMichon]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CecileRobertMichon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [CecileRobertMichon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment