MGMT-13713: Add confidential VM support #54
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@mresvanis: This pull request references MGMT-13713 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/hold |
openshift-ci
bot
added
the
do-not-merge/hold
|
Upstream PR: kubernetes-sigs/cluster-api-provider-azure#3265 |
mresvanis
force-pushed
the
mgmt-13713-add-confidential-vm-support
branch
from
ec2ffce to
1b4afac
Compare
|
/test unit |
|
/retest-required |
mresvanis
force-pushed
the
mgmt-13713-add-confidential-vm-support
branch
from
1b4afac to
a1270aa
Compare
|
@mresvanis: This pull request references MGMT-13713 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
mresvanis
force-pushed
the
mgmt-13713-add-confidential-vm-support
branch
from
a1270aa to
b64aef1
Compare
openshift-merge-robot
added
the
needs-rebase
mresvanis
force-pushed
the
mgmt-13713-add-confidential-vm-support
branch
from
b64aef1 to
e12d9d5
Compare
openshift-merge-robot
removed
the
needs-rebase
|
apologies @mresvanis , i am just seeing this. i will try to review this week. |
mresvanis
force-pushed
the
mgmt-13713-add-confidential-vm-support
branch
from
e12d9d5 to
f7e9189
Compare
|
/test unit |
|
/test e2e-azure-operator |
mresvanis
force-pushed
the
mgmt-13713-add-confidential-vm-support
branch
from
f7e9189 to
d51d3eb
Compare
|
@mresvanis: This pull request references MGMT-13713 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
mresvanis
force-pushed
the
mgmt-13713-add-confidential-vm-support
branch
from
d51d3eb to
cbc3c71
Compare
|
/unhold |
openshift-ci
bot
removed
the
do-not-merge/hold
|
on second thought, it seems we've broken the unit test somehow... /unlgtm |
|
/lgtm cancel |
|
/test unit |
|
@mresvanis: This pull request references MGMT-13713 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@elmiko I am also seeing this error randomly on the Specifically: $ git log -1
commit 97ea1221e4ca999a161ddee4d1e075880fcbad67 (HEAD -> main, origin/release-4.15, origin/release-4.14, origin/main, origin/HEAD)
$ make test
Testing...
KUBEBUILDER_ASSETS="/home/mresvani/Projects/machine-api-provider-azure/bin/k8s/1.27.1-linux-amd64" ./hack/ci-test.sh
go run ./hack/../vendor/github.com/onsi/ginkgo/v2/ginkgo -v --randomize-all --randomize-suites --keep-going --race --trace --timeout=30m <omitted>
...
Summarizing 1 Failure:
[TIMEDOUT] Handler Suite when polling the termination endpoint [JustBeforeEach] and the poll URL cannot be reached should return an error
/home/mresvani/Projects/machine-api-provider-azure/pkg/termination/termination_test.go:138
Ran 1 of 13 Specs in 1765.299 seconds
FAIL! - Suite Timeout Elapsed -- 0 Passed | 1 Failed | 0 Pending | 12 Skipped
--- FAIL: TestReconciler (1765.30s)
FAIL
Ginkgo ran 9 suites in 30m1.387893037s
There were failures detected in the following suites:
termination ./pkg/termination
machineset ./pkg/cloud/azure/actuators/machineset [Suite did not run because the timeout elapsed]
actuators ./pkg/cloud/azure/actuators [Suite did not run because the timeout elapsed]
azure ./pkg/cloud/azure [Suite did not run because the timeout elapsed]
versioninfo ./cmd/versioninfo [Suite did not run because the timeout elapsed]
machine ./pkg/cloud/azure/actuators/machine [Suite did not run because the timeout elapsed]
resourceskus ./pkg/cloud/azure/services/resourceskus [Suite did not run because the timeout elapsed]
ttllru ./pkg/util/cache/ttllru [Suite did not run because the timeout elapsed]
Test Suite Failed
exit status 1
make: *** [Makefile:118: test] Error 1I will try to track the issue down, since I can reproduce it easily locally, but I don't think it's caused by any changes in this PR. WDYT? UPDATE: I think I found the unit tests issue and proposed a PR. |
|
thanks for doing the debug work @mresvanis , i have approved the other PR, once it has merged and we can rebase this one i am happy to give an lgtm, i would like to get another member of the team to review as well. |
Signed-off-by: Michail Resvanis <mresvani@redhat.com>
mresvanis
force-pushed
the
mgmt-13713-add-confidential-vm-support
branch
from
cbc3c71 to
dd02e5a
Compare
@elmiko thank you for the review, I have rebased the PR branch to latest |
|
@mresvanis: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
thanks @mresvanis , i'd like to get another review from the team but for me it's /lgtm |
| if vmSpec.SecurityProfile.Settings.SecurityType != machinev1.SecurityTypesConfidentialVM { | ||
| return nil, apierrors.InvalidMachineConfiguration("failed to generate security profile for vm %s. "+ | ||
| "SecurityType should be set to %s when SecurityEncryptionType is defined.", | ||
| vmSpec.Name, compute.SecurityTypesConfidentialVM) | ||
| } | ||
|
|
||
| if vmSpec.SecurityProfile.Settings.ConfidentialVM == nil { | ||
| return nil, apierrors.InvalidMachineConfiguration("failed to generate security profile for vm %s. "+ | ||
| "UEFISettings should be set when SecurityEncryptionType is defined.", vmSpec.Name) | ||
| } | ||
|
|
||
| if vmSpec.SecurityProfile.Settings.ConfidentialVM.UEFISettings.VirtualizedTrustedPlatformModule != machinev1.VirtualizedTrustedPlatformModulePolicyEnabled { | ||
| return nil, apierrors.InvalidMachineConfiguration("failed to generate security profile for vm %s. "+ | ||
| "VirtualizedTrustedPlatformModule should be enabled when SecurityEncryptionType is defined.", vmSpec.Name) | ||
| } | ||
|
|
||
| if osDisk.ManagedDisk.SecurityProfile.SecurityEncryptionType == compute.SecurityEncryptionTypesDiskWithVMGuestState { | ||
| if vmSpec.SecurityProfile.EncryptionAtHost != nil && *vmSpec.SecurityProfile.EncryptionAtHost { | ||
| return nil, apierrors.InvalidMachineConfiguration("failed to generate security profile for vm %s. "+ | ||
| "EncryptionAtHost cannot be set to true when SecurityEncryptionType is set to %s.", | ||
| vmSpec.Name, compute.SecurityEncryptionTypesDiskWithVMGuestState) | ||
| } | ||
| if vmSpec.SecurityProfile.Settings.ConfidentialVM.UEFISettings.SecureBoot != machinev1.SecureBootPolicyEnabled { | ||
| return nil, apierrors.InvalidMachineConfiguration("failed to generate security profile for vm %s. "+ | ||
| "SecureBoot should be enabled when SecurityEncryptionType is set to %s.", | ||
| vmSpec.Name, compute.SecurityEncryptionTypesDiskWithVMGuestState) | ||
| } | ||
| } |
There was a problem hiding this comment.
We should duplicate these validations into the webhooks in MAO
There was a problem hiding this comment.
That's a very good point, I'll open a PR as soon as possible.
There was a problem hiding this comment.
Here is the respective MAO PR.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JoelSpeed The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
This change adds support for Azure Confidential VMs and Trusted Launch for VMs.
Feature link: https://issues.redhat.com/browse/OCPBU-233
Depends on: openshift/api#1403 - merged
Upstream Cluster API provider Azure PR: kubernetes-sigs/cluster-api-provider-azure#3265