OCPBUGS-66244: fix default image for confidential VMs

patrickdillon · patrickdillon · commit 0e9cb0c556b7 · 2025-12-04T15:49:52.000-05:00
The installer still creates an image gallery for confidfential
VMs, and we can tell its a confidential VM from the machine
provider spec, so this updates the default to point to an
installer-created gallery rather than the marketplace image.
diff --git a/pkg/webhooks/machine_webhook.go b/pkg/webhooks/machine_webhook.go
@@ -65,11 +65,22 @@ var (
 	defaultAzureNetworkResourceGroup = func(clusterID string) string {
 		return fmt.Sprintf("%s-rg", clusterID)
 	}
-	defaultAzureImage = func() machinev1beta1.Image {
-		if arch == ARM64 {
+	defaultAzureGalleryImage = func(clusterID string) machinev1beta1.Image {
+		// image gallery names cannot have dashes
+		galleryName := strings.Replace(clusterID, "-", "_", -1)
+		imageName := fmt.Sprintf("%s-gen2", clusterID) // Confidential VMs are gen2 only
+		imgID := fmt.Sprintf("/resourceGroups/%s/providers/Microsoft.Compute/galleries/gallery_%s/images/%s/versions/%s", clusterID+"-rg", galleryName, imageName, azureRHCOSVersion)
+		return machinev1beta1.Image{ResourceID: imgID}
+	}
+	defaultAzureImage = func(securityProfile *machinev1beta1.SecurityProfile, clusterID string) machinev1beta1.Image {
+		switch {
+		case securityProfile != nil: // Confidential VMs are x86-only
+			return defaultAzureGalleryImage(clusterID)
+		case arch == ARM64:
 			return urnToImage(defaultAzureARMImageURN)
+		default:
+			return urnToImage(defaultAzureX86ImageURN)
 		}
-		return urnToImage(defaultAzureX86ImageURN)
 	}
 	defaultAzureManagedIdentiy = func(clusterID string) string {
 		return fmt.Sprintf("%s-identity", clusterID)
@@ -1017,7 +1028,7 @@ func defaultAzure(m *machinev1beta1.Machine, config *admissionConfig) (bool, []s
 	}
 
 	if providerSpec.Image == (machinev1beta1.Image{}) {
-		providerSpec.Image = defaultAzureImage()
+		providerSpec.Image = defaultAzureImage(providerSpec.SecurityProfile, config.clusterID)
 	}
 
 	if providerSpec.UserDataSecret == nil {
diff --git a/pkg/webhooks/machine_webhook_test.go b/pkg/webhooks/machine_webhook_test.go
@@ -1712,7 +1712,7 @@ func TestMachineUpdate(t *testing.T) {
 		Vnet:                 defaultAzureVnet(azureClusterID),
 		Subnet:               defaultAzureSubnet(azureClusterID),
 		NetworkResourceGroup: defaultAzureNetworkResourceGroup(azureClusterID),
-		Image:                defaultAzureImage(),
+		Image:                defaultAzureImage(nil, azureClusterID),
 		ManagedIdentity:      defaultAzureManagedIdentiy(azureClusterID),
 		ResourceGroup:        defaultAzureResourceGroup(azureClusterID),
 		UserDataSecret: &corev1.SecretReference{
@@ -3765,7 +3765,7 @@ func TestDefaultAzureProviderSpec(t *testing.T) {
 				VMSize: defaultInstanceType,
 				Vnet:   defaultAzureVnet(clusterID),
 				Subnet: defaultAzureSubnet(clusterID),
-				Image:  defaultAzureImage(),
+				Image:  defaultAzureImage(nil, clusterID),
 				UserDataSecret: &corev1.SecretReference{
 					Name: defaultUserDataSecret,
 				},
diff --git a/pkg/webhooks/machineset_webhook_test.go b/pkg/webhooks/machineset_webhook_test.go
@@ -602,7 +602,7 @@ func TestMachineSetUpdate(t *testing.T) {
 		Vnet:                 defaultAzureVnet(azureClusterID),
 		Subnet:               defaultAzureSubnet(azureClusterID),
 		NetworkResourceGroup: defaultAzureNetworkResourceGroup(azureClusterID),
-		Image:                defaultAzureImage(),
+		Image:                defaultAzureImage(nil, azureClusterID),
 		ManagedIdentity:      defaultAzureManagedIdentiy(azureClusterID),
 		ResourceGroup:        defaultAzureResourceGroup(azureClusterID),
 		UserDataSecret: &corev1.SecretReference{
