From 0e9cb0c556b7609dabdbfd33c4ff58d2d660311e Mon Sep 17 00:00:00 2001
From: Patrick Dillon
Date: Thu, 4 Dec 2025 15:38:03 -0500
Subject: [PATCH] OCPBUGS-66244: fix default image for confidential VMs

The installer still creates an image gallery for confidfential VMs, and we can tell its a confidential VM from the machine provider spec, so this updates the default to point to an installer-created gallery rather than the marketplace image.
---
 pkg/webhooks/machine_webhook.go | 19 +++++++++++++++----
 pkg/webhooks/machine_webhook_test.go | 4 ++--
 pkg/webhooks/machineset_webhook_test.go | 2 +-
 3 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/pkg/webhooks/machine_webhook.go b/pkg/webhooks/machine_webhook.go
index f25fbb115..944e433bc 100644
--- a/pkg/webhooks/machine_webhook.go
+++ b/pkg/webhooks/machine_webhook.go
@@ -65,11 +65,22 @@ var (
 defaultAzureNetworkResourceGroup = func(clusterID string) string {
 return fmt.Sprintf("%s-rg", clusterID)
 }
- defaultAzureImage = func() machinev1beta1.Image {
- if arch == ARM64 {
+ defaultAzureGalleryImage = func(clusterID string) machinev1beta1.Image {
+ // image gallery names cannot have dashes
+ galleryName := strings.Replace(clusterID, "-", "_", -1)
+ imageName := fmt.Sprintf("%s-gen2", clusterID) // Confidential VMs are gen2 only
+ imgID := fmt.Sprintf("/resourceGroups/%s/providers/Microsoft.Compute/galleries/gallery_%s/images/%s/versions/%s", clusterID+"-rg", galleryName, imageName, azureRHCOSVersion)
+ return machinev1beta1.Image{ResourceID: imgID}
+ }
+ defaultAzureImage = func(securityProfile *machinev1beta1.SecurityProfile, clusterID string) machinev1beta1.Image {
+ switch {
+ case securityProfile != nil: // Confidential VMs are x86-only
+ return defaultAzureGalleryImage(clusterID)
+ case arch == ARM64:
 return urnToImage(defaultAzureARMImageURN)
+ default:
+ return urnToImage(defaultAzureX86ImageURN)
 }
- return urnToImage(defaultAzureX86ImageURN)
 }
 defaultAzureManagedIdentiy = func(clusterID string) string {
 return fmt.Sprintf("%s-identity", clusterID)
@@ -1017,7 +1028,7 @@ func defaultAzure(m *machinev1beta1.Machine, config *admissionConfig) (bool, []s
 }
 
 if providerSpec.Image == (machinev1beta1.Image{}) {
- providerSpec.Image = defaultAzureImage()
+ providerSpec.Image = defaultAzureImage(providerSpec.SecurityProfile, config.clusterID)
 }
 
 if providerSpec.UserDataSecret == nil {
diff --git a/pkg/webhooks/machine_webhook_test.go b/pkg/webhooks/machine_webhook_test.go
index 29069649f..824c60a30 100644
--- a/pkg/webhooks/machine_webhook_test.go
+++ b/pkg/webhooks/machine_webhook_test.go
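Review bot: `case securityProfile != nil:` in the new defaultAzureImage treats any populated SecurityProfile as a confidential VM, but a profile can also be set for encryption-at-host or trusted launch, and those machines would now default to an installer gallery image that only exists when the installer built one for confidential VMs, turning a working marketplace default into a provisioning failure. If this API version carries a security type under the profile's settings (upstream has `Settings.SecurityType` with a `SecurityTypesConfidentialVM` value), gate on it, e.g. `case securityProfile != nil && securityProfile.Settings.SecurityType == machinev1beta1.SecurityTypesConfidentialVM:`; otherwise leave a comment stating why non-nil is the intended signal. In defaultAzureGalleryImage, `clusterID+"-rg"` re-derives the resource-group name that the package's existing `defaultAzureResourceGroup` helper (called in the test hunks below, presumably the same `%s-rg` form as defaultAzureNetworkResourceGroup above) already produces; calling the helper keeps the image path from drifting if that naming changes. `strings.Replace(clusterID, "-", "_", -1)` is spelled `strings.ReplaceAll(clusterID, "-", "_")` in current Go.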
@@ -1712,7 +1712,7 @@ func TestMachineUpdate(t *testing.T) {
 Vnet: defaultAzureVnet(azureClusterID),
 Subnet: defaultAzureSubnet(azureClusterID),
 NetworkResourceGroup: defaultAzureNetworkResourceGroup(azureClusterID),
- Image: defaultAzureImage(),
+ Image: defaultAzureImage(nil, azureClusterID),
 ManagedIdentity: defaultAzureManagedIdentiy(azureClusterID),
 ResourceGroup: defaultAzureResourceGroup(azureClusterID),
 UserDataSecret: &corev1.SecretReference{
@@ -3765,7 +3765,7 @@ func TestDefaultAzureProviderSpec(t *testing.T) {
 VMSize: defaultInstanceType,
 Vnet: defaultAzureVnet(clusterID),
 Subnet: defaultAzureSubnet(clusterID),
- Image: defaultAzureImage(),
+ Image: defaultAzureImage(nil, clusterID),
 UserDataSecret: &corev1.SecretReference{
 Name: defaultUserDataSecret,
 },
diff --git a/pkg/webhooks/machineset_webhook_test.go b/pkg/webhooks/machineset_webhook_test.go
index db9deb1ce..d91729c32 100644
--- a/pkg/webhooks/machineset_webhook_test.go
+++ b/pkg/webhooks/machineset_webhook_test.go
@@ -602,7 +602,7 @@ func TestMachineSetUpdate(t *testing.T) {
 Vnet: defaultAzureVnet(azureClusterID),
 Subnet: defaultAzureSubnet(azureClusterID),
 NetworkResourceGroup: defaultAzureNetworkResourceGroup(azureClusterID),
- Image: defaultAzureImage(),
+ Image: defaultAzureImage(nil, azureClusterID),
 ManagedIdentity: defaultAzureManagedIdentiy(azureClusterID),
 ResourceGroup: defaultAzureResourceGroup(azureClusterID),
 UserDataSecret: &corev1.SecretReference{
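Review bot: None of the updated call sites exercises the new non-nil SecurityProfile branch: every test now passes `defaultAzureImage(nil, ...)`, so the resource ID built by defaultAzureGalleryImage (dash-to-underscore gallery name, the `-gen2` image name, the azureRHCOSVersion suffix) is never asserted. Add a case to TestDefaultAzureProviderSpec (hunk @@ -3765) whose provider spec carries a SecurityProfile and expects a literal resource-ID string rather than the helper's own output, so a change in the path format is caught rather than mirrored. The same gap applies to the TestMachineUpdate and TestMachineSetUpdate hunks; all three enclosing test functions start outside their hunks.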