azure: do not use marketplace images for confidential VMs

patrickdillon · patrickdillon · commit 6ec00c74a25d · 2025-11-18T22:00:23.000-05:00
Marketplace images do not support confidential VMs or trusted launch,
so when machinesets use confidential VMs the installer will still
create an image gallery compatible with the security settings.
diff --git a/pkg/asset/rhcos/image.go b/pkg/asset/rhcos/image.go
@@ -149,9 +149,11 @@ func osImage(ctx context.Context, ic *installconfig.InstallConfig, machinePool *
 			return "", fmt.Errorf("%s: No azure build found", streamArchPrefix)
 		}
 		azi := ext.AzureDisk.URL
+		azMP := machinePool.Platform.Azure
+		confidentialVM := azMP != nil && azMP.Settings != nil && azMP.Settings.SecurityType != ""
 		if mkt := ext.Marketplace; mkt == nil || mkt.Azure == nil || mkt.Azure.NoPurchasePlan == nil || mkt.Azure.NoPurchasePlan.Gen2 == nil {
 			logrus.Warnf("%s: No default Azure marketplace image was found in stream", streamArchPrefix)
-		} else {
+		} else if !confidentialVM { // Marketplace images don't suppot confidential VMs, so stick with managed image.
 			gen, err := getHyperVGeneration(ic.Azure, machinePool.Name)
 			if err != nil {
 				return "", fmt.Errorf("failed to get hyperVGeneration: %w", err)
diff --git a/pkg/infrastructure/azure/azure.go b/pkg/infrastructure/azure/azure.go
@@ -254,8 +254,9 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 		logrus.Debugf("StorageAccount.ID=%s", *storageAccount.ID)
 	}
 
-	// Create a managed image, which is only used for OKD, as OCP can use marketplace images.
-	if installConfig.IsOKD() && platform.CloudName != aztypes.StackCloud {
+	// Create a managed image, which is used for OKD or confidential VMs on OCP.
+	hasConfidentialVM := getMachinePoolSecurityType(installConfig) == ""
+	if (hasConfidentialVM || installConfig.IsOKD()) && platform.CloudName != aztypes.StackCloud {
 		// Create vhd blob storage container
 		publicAccess := armstorage.PublicAccessNone
 		createBlobContainerOutput, err := CreateBlobContainer(ctx, &CreateBlobContainerInput{
@@ -327,10 +328,7 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 		// If Control Plane Security Type is provided, then pass that along
 		// during Gen V2 Gallery Image creation. It will be added as a
 		// supported feature of the image.
-		securityType, err := getMachinePoolSecurityType(in)
-		if err != nil {
-			return err
-		}
+		securityType := getMachinePoolSecurityType(installConfig)
 
 		_, err = CreateGalleryImage(ctx, &CreateGalleryImageInput{
 			ResourceGroupName:    resourceGroupName,
@@ -803,16 +801,16 @@ func (p Provider) Ignition(ctx context.Context, in clusterapi.IgnitionInput) ([]
 	return ignSecrets, nil
 }
 
-func getMachinePoolSecurityType(in clusterapi.InfraReadyInput) (string, error) {
+func getMachinePoolSecurityType(installConfig *types.InstallConfig) string {
 	var securityType aztypes.SecurityTypes
-	if in.InstallConfig.Config.ControlPlane != nil && in.InstallConfig.Config.ControlPlane.Platform.Azure != nil {
-		pool := in.InstallConfig.Config.ControlPlane.Platform.Azure
+	if installConfig.ControlPlane != nil && installConfig.ControlPlane.Platform.Azure != nil {
+		pool := installConfig.ControlPlane.Platform.Azure
 		if pool.Settings != nil {
 			securityType = pool.Settings.SecurityType
 		}
 	}
-	if securityType == "" && in.InstallConfig.Config.Compute != nil {
-		for _, compute := range in.InstallConfig.Config.Compute {
+	if securityType == "" && installConfig.Compute != nil {
+		for _, compute := range installConfig.Compute {
 			if compute.Platform.Azure != nil {
 				pool := compute.Platform.Azure
 				if pool.Settings != nil {
@@ -822,17 +820,17 @@ func getMachinePoolSecurityType(in clusterapi.InfraReadyInput) (string, error) {
 			}
 		}
 	}
-	if securityType == "" && in.InstallConfig.Config.Platform.Azure.DefaultMachinePlatform != nil {
-		pool := in.InstallConfig.Config.Platform.Azure.DefaultMachinePlatform
+	if securityType == "" && installConfig.Platform.Azure.DefaultMachinePlatform != nil {
+		pool := installConfig.Platform.Azure.DefaultMachinePlatform
 		if pool.Settings != nil {
 			securityType = pool.Settings.SecurityType
 		}
 	}
 	switch securityType {
 	case aztypes.SecurityTypesTrustedLaunch:
-		return trustedLaunchST, nil
+		return trustedLaunchST
 	case aztypes.SecurityTypesConfidentialVM:
-		return confidentialVMST, nil
+		return confidentialVMST
 	}
-	return "", nil
+	return ""
 }
