@djoshy djoshy commented Nov 20, 2025

- What I did
Added an exemption for Azure MachineSets with a non-empty securityType field set. See attached bug for additional context.

- How to verify it
I've added a few units for this, but unsure how to launch a confidential compute cluster. The boot image controller should skip over the machinesets in those cases - the controller logs and machinesets themselves could be examined to verify this behavior.
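
A sketch of the kind of check the description above refers to, added here as an illustration and not taken from this PR or the machine-config-operator code base: decode an Azure provider spec and skip the boot image update when securityType is non-empty. The function name, the trimmed-down struct and the `securityProfile.settings.securityType` JSON path are assumptions, and the sample specs are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// azureProviderSpec is a trimmed-down stand-in for an Azure provider spec.
// Only the assumed path securityProfile.settings.securityType is modelled.
type azureProviderSpec struct {
	SecurityProfile *struct {
		Settings struct {
			SecurityType string `json:"securityType"`
		} `json:"settings"`
	} `json:"securityProfile"`
}

// shouldSkipBootImageUpdate (hypothetical name) returns true, plus the
// offending value, when the spec carries a non-empty securityType.
func shouldSkipBootImageUpdate(rawSpec []byte) (bool, string, error) {
	var spec azureProviderSpec
	if err := json.Unmarshal(rawSpec, &spec); err != nil {
		// An unreadable spec is surfaced as an error, never treated as
		// "no securityType, safe to patch".
		return false, "", fmt.Errorf("decoding providerSpec: %w", err)
	}
	if spec.SecurityProfile == nil {
		return false, "", nil
	}
	st := spec.SecurityProfile.Settings.SecurityType
	return st != "", st, nil
}

func main() {
	// Constructed sample specs, not taken from a real cluster.
	samples := []struct{ name, raw string }{
		{"worker-plain", `{"vmSize":"Standard_D4s_v3"}`},
		{"worker-empty-profile", `{"securityProfile":{"settings":{}}}`},
		{"worker-trusted", `{"securityProfile":{"settings":{"securityType":"TrustedLaunch"}}}`},
	}
	for _, s := range samples {
		skip, st, err := shouldSkipBootImageUpdate([]byte(s.raw))
		fmt.Printf("%-21s skip=%-5v securityType=%q err=%v\n", s.name, skip, st, err)
	}
}
```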

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Nov 20, 2025
@openshift-ci-robot

@djoshy: This pull request references Jira Issue OCPBUGS-65731, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @sergiordlr

The bug has been updated to refer to the pull request using the external bug tracker.


@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Nov 20, 2025
@openshift-ci openshift-ci bot requested a review from sergiordlr November 20, 2025 17:01
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 20, 2025
@openshift-ci

openshift-ci bot commented Nov 20, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 20, 2025
@sergiordlr

sergiordlr commented Dec 3, 2025

Verification:

  • All bootimages and controlplanemachineset tests pass in aws and non-confidential azure
  • In a confidential cluster, the machineset resources are ignored reporting this message:
I1203 13:14:35.601410       1 platform_helpers.go:74] Reconciling MAPI machineset ci-op-tc56s8xl-0b8bb-wcz77-worker-northcentralus on Azure, with arch x86_64
I1203 13:14:35.602993       1 platform_helpers.go:260] Skipping machineset ci-op-tc56s8xl-0b8bb-wcz77-worker-northcentralus, machinesets with a SecurityType TrustedLaunch is not currently supported for Azure
  • In a confidential cluster, the controlplanemachineset resources are ignored reporting this message:
I1203 14:05:27.663278       1 cpms_helpers.go:282] Reconciling controlplanemachineset cluster on Azure, with arch x86_64
I1203 14:05:27.664591       1 platform_helpers.go:260] Skipping machineset cluster, machinesets with a SecurityType TrustedLaunch is not currently supported for Azure

The message is misleading in case of using a controlplanemachineset: Skipping machineset cluster, machinesets with a SecurityType TrustedLaunch is not currently supported for Azure

It points to a machineset, but we are configuring a controlplanemachineset. It says it is not supported for Azure too; the first time I read it I understood that SecurityType TrustedLaunch is not supported, but actually what's not supported is to update the boot image when SecurityType TrustedLaunch is configured.

@djoshy

djoshy commented Dec 8, 2025

The message is misleading in case of using a controlplanemachineset: Skipping machineset cluster, machinesets with a SecurityType TrustedLaunch is not currently supported for Azure

It points to a machineset, but we are configuring a controlplanemachineset. It says it is not supported for Azure too; the first time I read it I understood that SecurityType TrustedLaunch is not supported, but actually what's not supported is to update the boot image when SecurityType TrustedLaunch is configured.

Thanks for verifying @sergiordlr ! I've tweaked the message to be more clear, let me know if that is better.

@djoshy djoshy marked this pull request as ready for review December 8, 2025 20:12
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 8, 2025
@djoshy

djoshy commented Dec 8, 2025

/payload-job periodic-ci-openshift-machine-config-operator-release-4.21-periodics-e2e-azure-mco-disruptive

/label acknowledge-critical-fixes-only

This will need to be backported to 4.21 if it misses branch, and since this is opt-in behavior for 4.21, it should be a safe change.

@openshift-ci

openshift-ci bot commented Dec 8, 2025

@djoshy: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

  • periodic-ci-openshift-machine-config-operator-release-4.21-periodics-e2e-azure-mco-disruptive

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/965e5ee0-d473-11f0-844c-7c1d750fd85d-0

@openshift-ci openshift-ci bot added the acknowledge-critical-fixes-only Indicates if the issuer of the label is OK with the policy. label Dec 8, 2025

@yuqi-zhang yuqi-zhang left a comment

/lgtm
/acknowledge-critical-fixes-only

Should be a safe merge regardless, since confidential vms are in techpreview, we shouldn't break anything at this time.

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 8, 2025
@openshift-ci

openshift-ci bot commented Dec 8, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: djoshy, yuqi-zhang


@djoshy

djoshy commented Dec 9, 2025

/retest-required

@openshift-ci

openshift-ci bot commented Dec 9, 2025

@djoshy: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/prow/bootstrap-unit | ed3a3c8 | link | false | /test bootstrap-unit


@sergiordlr

The new message when we configure the update boot image functionality in a machineset in an azure confidential cluster is:

I1209 12:58:59.210131 1 platform_helpers.go:260] Skipping update for ci-op-c07fgizw-0b8bb-njqbm-worker-westus21, machinesets/controlplanemachinesets with a SecurityType defined(TrustedLaunch in this case) is not currently supported for Azure

When we enable techpreview we can see that the controlplanemachinesets are skipped too with a similar message:

I1209 14:44:45.048332       1 platform_helpers.go:74] Reconciling MAPI machineset ci-op-c07fgizw-0b8bb-njqbm-worker-westus21 on Azure, with arch x86_64
I1209 14:44:45.049624       1 platform_helpers.go:260] Skipping update for ci-op-c07fgizw-0b8bb-njqbm-worker-westus21, machinesets/controlplanemachinesets with a SecurityType defined(TrustedLaunch in this case) is not currently supported for Azure
I1209 14:44:45.049651       1 ms_helpers.go:190] No patching required for MAPI machineset ci-op-c07fgizw-0b8bb-njqbm-worker-westus21
I1209 14:45:11.673713       1 machine_set_boot_image_controller.go:387] Bootimages management configuration has been updated, reconciling enrolled machine resources
I1209 14:45:11.702101       1 cpms_helpers.go:282] Reconciling controlplanemachineset cluster on Azure, with arch x86_64
I1209 14:45:11.704934       1 platform_helpers.go:260] Skipping update for cluster, machinesets/controlplanemachinesets with a SecurityType defined(TrustedLaunch in this case) is not currently supported for Azure

Machinesets and ControlplaneMachinesets were not updated, and the message is clear enough.

Thank you very much!!

/label qe-approved
/verified by @sergiordlr

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Dec 9, 2025
@openshift-ci-robot

@djoshy: This pull request references Jira Issue OCPBUGS-65731, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @sergiordlr


@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Dec 9, 2025
@openshift-ci-robot

@sergiordlr: This PR has been marked as verified by @sergiordlr.


@openshift-merge-bot openshift-merge-bot bot merged commit 2abecff into openshift:main Dec 9, 2025
13 of 14 checks passed
@openshift-ci-robot

@djoshy: Jira Issue Verification Checks: Jira Issue OCPBUGS-65731
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-65731 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓


@djoshy djoshy deleted the skip-azure-cc branch December 9, 2025 16:17
@sergiordlr

No new e2e extended test cases will be created. We consider that test cases in this PR will cover this scenario.
