
Merge pull request #1148 from mresvanis/add-cvm-images
Add support for Confidential VM images
k8s-ci-robot authored Jun 1, 2023
2 parents 978286e + e9313f8 commit 3779daf
Showing 11 changed files with 146 additions and 3 deletions.
12 changes: 12 additions & 0 deletions docs/book/src/capi/providers/azure.md
Expand Up @@ -42,6 +42,18 @@ make build-azure-sig-ubuntu-1804-gen2

Generation 2 images may only be used with Shared Image Gallery, not VHD.

### Confidential VM Images

Confidential VMs require specific generation 2 OS images. The naming pattern of those images includes the suffix `-cvm`. For example:

```bash
# Ubuntu 20.04 LTS for Confidential VMs
make build-azure-sig-ubuntu-2004-cvm

# Windows 2019 with containerd for Confindential VMs
make build-azure-sig-windows-2019-containerd-cvm
```

### Configuration
#### Common Azure options

22 changes: 20 additions & 2 deletions images/capi/Makefile
Expand Up @@ -335,9 +335,11 @@ GCE_BUILD_NAMES ?= gce-ubuntu-1804 gce-ubuntu-2004 gce-ubuntu-2204 gce-rhel
VHD_TARGETS := $(shell grep VHD_TARGETS azure_targets.sh | sed 's/VHD_TARGETS=//' | tr -d \")
SIG_TARGETS := $(shell grep SIG_TARGETS azure_targets.sh | sed 's/SIG_TARGETS=//' | tr -d \")
SIG_GEN2_TARGETS := $(shell grep SIG_GEN2_TARGETS azure_targets.sh | sed 's/SIG_GEN2_TARGETS=//' | tr -d \")
SIG_CVM_TARGETS := $(shell grep SIG_CVM_TARGETS azure_targets.sh | sed 's/SIG_CVM_TARGETS=//' | tr -d \")
AZURE_BUILD_VHD_NAMES ?= $(addprefix azure-vhd-,$(VHD_TARGETS))
AZURE_BUILD_SIG_NAMES ?= $(addprefix azure-sig-,$(SIG_TARGETS))
AZURE_BUILD_SIG_GEN2_NAMES ?= $(addsuffix -gen2,$(addprefix azure-sig-,$(SIG_GEN2_TARGETS)))
AZURE_BUILD_SIG_CVM_NAMES ?= $(addsuffix -cvm,$(addprefix azure-sig-,$(SIG_CVM_TARGETS)))

OCI_BUILD_NAMES ?= oci-ubuntu-1804 oci-ubuntu-2004 oci-ubuntu-2204 oci-oracle-linux-8 oci-oracle-linux-9 oci-windows-2019 oci-windows-2022

Expand Down Expand Up @@ -375,8 +377,10 @@ AZURE_BUILD_VHD_TARGETS := $(addprefix build-,$(AZURE_BUILD_VHD_NAMES))
AZURE_VALIDATE_VHD_TARGETS := $(addprefix validate-,$(AZURE_BUILD_VHD_NAMES))
AZURE_BUILD_SIG_TARGETS := $(addprefix build-,$(AZURE_BUILD_SIG_NAMES))
AZURE_BUILD_SIG_GEN2_TARGETS := $(addprefix build-,$(AZURE_BUILD_SIG_GEN2_NAMES))
AZURE_BUILD_SIG_CVM_TARGETS := $(addprefix build-,$(AZURE_BUILD_SIG_CVM_NAMES))
AZURE_VALIDATE_SIG_TARGETS := $(addprefix validate-,$(AZURE_BUILD_SIG_NAMES))
AZURE_VALIDATE_SIG_GEN2_TARGETS := $(addprefix validate-,$(AZURE_BUILD_SIG_GEN2_NAMES))
AZURE_VALIDATE_SIG_CVM_TARGETS := $(addprefix validate-,$(AZURE_BUILD_SIG_CVM_NAMES))
DO_BUILD_TARGETS := $(addprefix build-,$(DO_BUILD_NAMES))
DO_VALIDATE_TARGETS := $(addprefix validate-,$(DO_BUILD_NAMES))
OPENSTACK_BUILD_TARGETS := $(addprefix build-,$(OPENSTACK_BUILD_NAMES))
Expand Down Expand Up @@ -464,6 +468,10 @@ $(AZURE_BUILD_SIG_TARGETS): deps-azure
$(AZURE_BUILD_SIG_GEN2_TARGETS): deps-azure
. $(abspath packer/azure/scripts/init-sig.sh) $(subst build-azure-sig-,,$@) && $(PACKER) build $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="$(abspath packer/azure/azure-config.json)" -var-file="$(abspath packer/azure/azure-sig-gen2.json)" -var-file="$(abspath packer/azure/$(subst build-azure-sig-,,$@).json)" -only="$(subst build-azure-,,$@)" $(ABSOLUTE_PACKER_VAR_FILES) packer/azure/packer$(findstring -windows,$@).json

.PHONY: $(AZURE_BUILD_SIG_CVM_TARGETS)
$(AZURE_BUILD_SIG_CVM_TARGETS): deps-azure
. $(abspath packer/azure/scripts/init-sig.sh) $(subst build-azure-sig-,,$@) && packer build $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="$(abspath packer/azure/azure-config.json)" -var-file="$(abspath packer/azure/azure-sig-cvm.json)" -var-file="$(abspath packer/azure/$(subst build-azure-sig-,,$@).json)" -only="$(subst build-azure-,,$@)" $(ABSOLUTE_PACKER_VAR_FILES) packer/azure/packer$(findstring -windows,$@).json

.PHONY: $(AZURE_VALIDATE_SIG_TARGETS)
$(AZURE_VALIDATE_SIG_TARGETS): deps-azure
$(PACKER) validate $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="$(abspath packer/azure/azure-config.json)" -var-file="$(abspath packer/azure/azure-sig.json)" -var-file="$(abspath packer/azure/$(subst validate-azure-sig-,,$@).json)" -only="$(subst validate-azure-,,$@)" $(ABSOLUTE_PACKER_VAR_FILES) packer/azure/packer$(findstring -windows,$@).json
Expand All @@ -472,6 +480,10 @@ $(AZURE_VALIDATE_SIG_TARGETS): deps-azure
$(AZURE_VALIDATE_SIG_GEN2_TARGETS): deps-azure
$(PACKER) validate $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="$(abspath packer/azure/azure-config.json)" -var-file="$(abspath packer/azure/azure-sig-gen2.json)" -var-file="$(abspath packer/azure/$(subst validate-azure-sig-,,$@).json)" -only="$(subst validate-azure-,,$@)" $(ABSOLUTE_PACKER_VAR_FILES) packer/azure/packer$(findstring windows,$@).json

.PHONY: $(AZURE_VALIDATE_SIG_CVM_TARGETS)
$(AZURE_VALIDATE_SIG_CVM_TARGETS): deps-azure
packer validate $(if $(findstring windows,$@),$(PACKER_WINDOWS_NODE_FLAGS),$(PACKER_NODE_FLAGS)) -var-file="$(abspath packer/azure/azure-config.json)" -var-file="$(abspath packer/azure/azure-sig-cvm.json)" -var-file="$(abspath packer/azure/$(subst validate-azure-sig-,,$@).json)" -only="$(subst validate-azure-,,$@)" $(ABSOLUTE_PACKER_VAR_FILES) packer/azure/packer$(findstring -windows,$@).json

.PHONY: $(DO_BUILD_TARGETS)
$(DO_BUILD_TARGETS): deps-do
$(PACKER) build $(PACKER_NODE_FLAGS) -var-file="$(abspath packer/digitalocean/$(subst build-do-,,$@).json)" $(ABSOLUTE_PACKER_VAR_FILES) packer/digitalocean/packer.json
Expand Down Expand Up @@ -603,6 +615,8 @@ build-azure-sig-rhel-8: ## Builds RHEL 8 Azure managed image in Shared Image Gal
build-azure-sig-windows-2019: ## Builds Windows Server 2019 Azure managed image in Shared Image Gallery
build-azure-sig-windows-2019-containerd: ## Builds Windows Server 2019 with containerd Azure managed image in Shared Image Gallery
build-azure-sig-windows-2022-containerd: ## Builds Windows Server 2022 with containerd Azure managed image in Shared Image Gallery
build-azure-sig-windows-2019-containerd-cvm: ## Builds Windows Server 2019 with containerd CVM Azure managed image in Shared Image Gallery
build-azure-sig-windows-2022-containerd-cvm: ## Builds Windows Server 2022 with containerd CVM Azure managed image in Shared Image Gallery
build-azure-sig-windows-2004: ## Builds Windows Server 2004 SAC Azure managed image in Shared Image Gallery
build-azure-vhd-ubuntu-1804: ## Builds Ubuntu 18.04 VHD image for Azure
build-azure-vhd-ubuntu-2004: ## Builds Ubuntu 20.04 VHD image for Azure
Expand All @@ -619,8 +633,10 @@ build-azure-sig-flatcar-gen2: ## Builds Flatcar Azure Gen2 managed image in Shar
build-azure-sig-ubuntu-1804-gen2: ## Builds Ubuntu 18.04 Gen2 managed image in Shared Image Gallery
build-azure-sig-ubuntu-2004-gen2: ## Builds Ubuntu 20.04 Gen2 managed image in Shared Image Gallery
build-azure-sig-ubuntu-2204-gen2: ## Builds Ubuntu 22.04 Gen2 managed image in Shared Image Gallery
build-azure-sig-ubuntu-2004-cvm: ## Builds Ubuntu 20.04 CVM managed image in Shared Image Gallery
build-azure-sig-ubuntu-2204-cvm: ## Builds Ubuntu 22.04 CVM managed image in Shared Image Gallery
build-azure-vhds: $(AZURE_BUILD_VHD_TARGETS) ## Builds all Azure VHDs
build-azure-sigs: $(AZURE_BUILD_SIG_TARGETS) $(AZURE_BUILD_SIG_GEN2_TARGETS) ## Builds all Azure Shared Image Gallery images
build-azure-sigs: $(AZURE_BUILD_SIG_TARGETS) $(AZURE_BUILD_SIG_GEN2_TARGETS) $(AZURE_BUILD_SIG_CVM_TARGETS) ## Builds all Azure Shared Image Gallery images

build-do-ubuntu-1804: ## Builds Ubuntu 18.04 DigitalOcean Snapshot
build-do-ubuntu-2004: ## Builds Ubuntu 20.04 DigitalOcean Snapshot
Expand Down Expand Up @@ -787,8 +803,10 @@ validate-azure-vhd-windows-2004: ## Validate Windows Server 2004 SAC VHD image A
validate-azure-sig-centos-7-gen2: ## Validates CentOS 7 Azure managed image in Shared Image Gallery Packer config
validate-azure-sig-ubuntu-1804-gen2: ## Validates Ubuntu 18.04 Azure managed image in Shared Image Gallery Packer config
validate-azure-sig-ubuntu-2004-gen2: ## Validates Ubuntu 20.04 Azure managed image in Shared Image Gallery Packer config
validate-azure-sig-ubuntu-2004-cvm: ## Validates Ubuntu 20.04 CVM Azure managed image in Shared Image Gallery Packer config
validate-azure-sig-ubuntu-2204-gen2: ## Validates Ubuntu 22.04 Azure managed image in Shared Image Gallery Packer config
validate-azure-all: $(AZURE_VALIDATE_SIG_TARGETS) $(AZURE_VALIDATE_VHD_TARGETS) $(AZURE_VALIDATE_SIG_GEN2_TARGETS) ## Validates all images for Azure Packer config
validate-azure-sig-ubuntu-2204-cvm: ## Validates Ubuntu 22.04 CVM Azure managed image in Shared Image Gallery Packer config
validate-azure-all: $(AZURE_VALIDATE_SIG_TARGETS) $(AZURE_VALIDATE_VHD_TARGETS) $(AZURE_VALIDATE_SIG_GEN2_TARGETS) $(AZURE_VALIDATE_SIG_CVM_TARGETS) ## Validates all images for Azure Packer config

validate-do-ubuntu-1804: ## Validates Ubuntu 18.04 DigitalOcean Snapshot Packer config
validate-do-ubuntu-2004: ## Validates Ubuntu 20.04 DigitalOcean Snapshot Packer config
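Review bot: The new CVM recipes (the `$(AZURE_BUILD_SIG_CVM_TARGETS)` and `$(AZURE_VALIDATE_SIG_CVM_TARGETS)` rules) invoke a bare `packer` binary where the gen2 rules directly above them use `$(PACKER)`, so whatever pinned or vendored packer path the rest of the Makefile resolves into `$(PACKER)` is bypassed here and these builds silently use whichever `packer` is first on `PATH`. For an image whose purpose is a trustworthy, attestable base this is the wrong place to depend on ambient tooling; change `packer build` to `$(PACKER) build` and `packer validate` to `$(PACKER) validate` so the CVM targets behave like every other Azure target. The definition of `PACKER` is outside this hunk, so its exact role is inferred from the neighbouring recipes.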
15 changes: 15 additions & 0 deletions images/capi/ansible/roles/setup/tasks/debian.yml
Expand Up @@ -62,6 +62,16 @@
loop: "{{ extra_repos.split() }}"
when: extra_repos != ""

- name: Hold nullboot
ansible.builtin.dpkg_selections:
name: nullboot
selection: hold
when: packer_build_name is search('cvm')

- name: Add '--no-tpm --no-efivars' to nullboot post install script
command: "sed -i 's/nullbootctl/nullbootctl --no-tpm --no-efivars/' /var/lib/dpkg/info/nullboot.postinst"
when: packer_build_name is search('cvm')

- name: perform a dist-upgrade
apt:
force_apt_get: True
Expand Down Expand Up @@ -103,3 +113,8 @@
until: apt_lock_status is not failed
retries: 5
delay: 10

- name: Remove '--no-tpm --no-efivars' from nullboot post install script
command: "sed -i 's/nullbootctl --no-tpm --no-efivars/nullbootctl/' /var/lib/dpkg/info/nullboot.postinst"
when: packer_build_name is search('cvm')

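Review bot: The `Hold nullboot` task places a dpkg hold on nullboot but nothing in this hunk releases it, so unless a later task outside this diff does, the published CVM image ships with nullboot permanently held and every node created from it will skip nullboot updates under `apt upgrade` / unattended-upgrades — for a package whose postinst evidently talks to the TPM and EFI variables, that is precisely the one you want receiving security fixes. Either add a matching `ansible.builtin.dpkg_selections: {name: nullboot, selection: install}` task after the dist-upgrade, or comment why the hold must persist into the image. The two `command: sed -i` edits of `/var/lib/dpkg/info/nullboot.postinst` also give Ansible no idempotence, check-mode support or accurate change reporting; `ansible.builtin.replace` with `path: /var/lib/dpkg/info/nullboot.postinst` and the same regexp/replace pair in each direction expresses the same patch-then-restore without shelling out. A one-line comment on why the builder needs `--no-tpm --no-efivars` (presumably the Packer build VM lacks the vTPM/EFI variables nullbootctl expects) would help the next maintainer.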
2 changes: 2 additions & 0 deletions images/capi/azure_targets.sh
Expand Up @@ -4,3 +4,5 @@ SIG_TARGETS="ubuntu-1804 ubuntu-2004 ubuntu-2204 centos-7 rhel-8 windows-2019 wi
SIG_CI_TARGETS="ubuntu-2004 ubuntu-2204 windows-2019-containerd windows-2022-containerd flatcar"
SIG_GEN2_TARGETS="ubuntu-1804 ubuntu-2004 ubuntu-2204 centos-7 flatcar"
SIG_GEN2_CI_TARGETS="ubuntu-2004 ubuntu-2204 flatcar"
SIG_CVM_TARGETS="ubuntu-2004 ubuntu-2204 windows-2019-containerd windows-2022-containerd"
SIG_CVM_CI_TARGETS="ubuntu-2204 windows-2022-containerd"
7 changes: 7 additions & 0 deletions images/capi/packer/azure/azure-sig-cvm.json
@@ -0,0 +1,7 @@
{
"image_name": "capi-{{user `distribution`}}-{{user `distribution_version`}}-cvm",
"replication_regions": "{{env `AZURE_LOCATION`}}",
"resource_group_name": "{{env `RESOURCE_GROUP_NAME`}}",
"shared_image_gallery_name": "{{env `GALLERY_NAME`}}",
"sig_image_version": "0.3.{{user `build_timestamp`}}"
}
19 changes: 18 additions & 1 deletion images/capi/packer/azure/scripts/init-sig.sh
Expand Up @@ -34,6 +34,8 @@ packer validate -syntax-only $PACKER_FILE || exit 1

az sig create --resource-group ${RESOURCE_GROUP_NAME} --gallery-name ${GALLERY_NAME}

SECURITY_TYPE_CVM_SUPPORTED_FEATURE="SecurityType=ConfidentialVmSupported"

create_image_definition() {
az sig image-definition create \
--resource-group ${RESOURCE_GROUP_NAME} \
Expand All @@ -43,7 +45,8 @@ create_image_definition() {
--offer ${SIG_OFFER:-capz-demo} \
--sku ${SIG_SKU:-$2} \
--hyper-v-generation ${3} \
--os-type ${4}
--os-type ${4} \
--features ${5:-''}
}

SIG_TARGET=$1
Expand Down Expand Up @@ -73,6 +76,14 @@ case ${SIG_TARGET} in
windows-2022-containerd)
create_image_definition ${SIG_TARGET} "win-2022-containerd" "V1" "Windows"
;;
windows-2019-containerd-cvm)
SKU="windows-2019-cvm-containerd"
create_image_definition ${SKU} ${SKU} "V2" "Windows" ${SECURITY_TYPE_CVM_SUPPORTED_FEATURE}
;;
windows-2022-containerd-cvm)
SKU="windows-2022-cvm-containerd"
create_image_definition ${SKU} ${SKU} "V2" "Windows" ${SECURITY_TYPE_CVM_SUPPORTED_FEATURE}
;;
flatcar)
SKU="flatcar-${FLATCAR_CHANNEL}-${FLATCAR_VERSION}"
create_image_definition ${SKU} ${SKU} "V1" "Linux"
Expand All @@ -83,9 +94,15 @@ case ${SIG_TARGET} in
ubuntu-2004-gen2)
create_image_definition ${SIG_TARGET} "20_04-lts-gen2" "V2" "Linux"
;;
ubuntu-2004-cvm)
create_image_definition ${SIG_TARGET} "20_04-lts-cvm" "V2" "Linux" ${SECURITY_TYPE_CVM_SUPPORTED_FEATURE}
;;
ubuntu-2204-gen2)
create_image_definition ${SIG_TARGET} "22_04-lts-gen2" "V2" "Linux"
;;
ubuntu-2204-cvm)
create_image_definition ${SIG_TARGET} "22_04-lts-cvm" "V2" "Linux" ${SECURITY_TYPE_CVM_SUPPORTED_FEATURE}
;;
centos-7-gen2)
create_image_definition "centos-7-gen2" "centos-7-gen2" "V2" "Linux"
;;
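Review bot: `--features ${5:-''}` in `create_image_definition` is unquoted and defaults to a quoted null word, so every existing four-argument caller now hands `az sig image-definition create` a `--features` option followed by either an empty argument or nothing at all, depending on how bash expands that default; it evidently works today, but it relies on the CLI tolerating it, and `$5` itself is never quoted. Passing the option only when a value was supplied is both safer and clearer: `--os-type ${4} ${5:+--features "$5"}`. It is also worth a one-line comment above `SECURITY_TYPE_CVM_SUPPORTED_FEATURE` noting that, as far as Azure's image feature flags go, `SecurityType=ConfidentialVmSupported` only marks the definition as deployable on confidential hardware; whether a node actually runs as a confidential VM is decided by the security profile of the VM that consumes the image, not by the gallery definition, so nobody should read the flag as enforcing confidentiality.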
9 changes: 9 additions & 0 deletions images/capi/packer/azure/ubuntu-2004-cvm.json
@@ -0,0 +1,9 @@
{
"build_name": "ubuntu-2004-cvm",
"distribution": "ubuntu",
"distribution_release": "focal",
"distribution_version": "2004",
"image_offer": "0001-com-ubuntu-confidential-vm-focal",
"image_publisher": "Canonical",
"image_sku": "20_04-lts-cvm"
}
9 changes: 9 additions & 0 deletions images/capi/packer/azure/ubuntu-2204-cvm.json
@@ -0,0 +1,9 @@
{
"build_name": "ubuntu-2204-cvm",
"distribution": "ubuntu",
"distribution_release": "jammy",
"distribution_version": "2204",
"image_offer": "0001-com-ubuntu-confidential-vm-jammy",
"image_publisher": "Canonical",
"image_sku": "22_04-lts-cvm"
}
16 changes: 16 additions & 0 deletions images/capi/packer/azure/windows-2019-containerd-cvm.json
@@ -0,0 +1,16 @@
{
"additional_registry_images": "false",
"additional_registry_images_list": "",
"build_name": "windows-2019-containerd-cvm",
"distribution": "windows",
"distribution_version": "2019",
"image_offer": "windows-cvm",
"image_publisher": "MicrosoftWindowsServer",
"image_sku": "2019-datacenter-cvm",
"image_version": "latest",
"load_additional_components": "false",
"runtime": "containerd",
"vm_size": "Standard_D4s_v3",
"windows_updates_kbs": "",
"wins_url": ""
}
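Review bot: `vm_size` is `Standard_D4s_v3`, a general-purpose size rather than a confidential-computing series, so unless the builder template outside this diff sets a security type, the Packer VM that provisions this image does not itself run as a confidential VM; everything is installed on an ordinary VM and the output is merely tagged as CVM-capable. That is a legitimate choice, but strict JSON leaves nowhere to say so — a sentence in the `Confidential VM Images` section of `docs/book/src/capi/providers/azure.md` (e.g. "the image is built on a regular VM; confidentiality applies to the nodes created from it, not to the build") would stop anyone reading the `-cvm` suffix as a statement about build-time isolation. `image_version: "latest"` also leaves the marketplace base unpinned, so two builds of the same commit may start from different Windows bases; if that mirrors the non-CVM Windows var-files it is at least consistent, but pinning is worth considering for an image whose point is attestable provenance. The 2022 file is identical in both respects.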
16 changes: 16 additions & 0 deletions images/capi/packer/azure/windows-2022-containerd-cvm.json
@@ -0,0 +1,16 @@
{
"additional_registry_images": "false",
"additional_registry_images_list": "",
"build_name": "windows-2022-containerd-cvm",
"distribution": "windows",
"distribution_version": "2022",
"image_offer": "windows-cvm",
"image_publisher": "MicrosoftWindowsServer",
"image_sku": "2022-datacenter-cvm",
"image_version": "latest",
"load_additional_components": "false",
"runtime": "containerd",
"vm_size": "Standard_D4s_v3",
"windows_updates_kbs": "",
"wins_url": ""
}
22 changes: 22 additions & 0 deletions images/capi/scripts/ci-azure-e2e.sh
Expand Up @@ -38,13 +38,17 @@ source azure_targets.sh
IFS=' ' read -r -a VHD_CI_TARGETS <<< "${VHD_CI_TARGETS}"
IFS=' ' read -r -a SIG_CI_TARGETS <<< "${SIG_CI_TARGETS}"
IFS=' ' read -r -a SIG_GEN2_CI_TARGETS <<< "${SIG_GEN2_CI_TARGETS}"
IFS=' ' read -r -a SIG_CVM_CI_TARGETS <<< "${SIG_CVM_CI_TARGETS}"

# Append the "gen2" targets to the original SIG list
for element in "${SIG_GEN2_CI_TARGETS[@]}"
do
SIG_CI_TARGETS+=("${element}-gen2")
done

# Append "-cvm" suffix to SIG CVM targets
SIG_CVM_CI_TARGETS=("${SIG_CVM_CI_TARGETS[@]/%/-cvm}")

# shellcheck source=parse-prow-creds.sh
source "packer/azure/scripts/parse-prow-creds.sh"

Expand All @@ -59,6 +63,11 @@ get_random_region() {
echo "${REGIONS[${RANDOM} % ${#REGIONS[@]}]}"
}

export VALID_CVM_LOCATIONS=("eastus" "westus" "northeurope" "westeurope")
get_random_cvm_region() {
echo "${VALID_CVM_LOCATIONS[${RANDOM} % ${#VALID_CVM_LOCATIONS[@]}]}"
}

export PATH=${PWD}/.local/bin:$PATH
export PATH=${PYTHON_BIN_DIR:-"/root/.local/bin"}:$PATH

Expand Down Expand Up @@ -96,6 +105,19 @@ if [[ "${AZURE_BUILD_FORMAT:-vhd}" == "sig" ]]; then
make build-azure-sig-${target} > ${ARTIFACTS}/azure-sigs/${target}.log 2>&1 &
PIDS["sig-${target}"]=$!
done

SELECTED_LOCATION="${AZURE_LOCATION}"
if [[ ! " ${VALID_CVM_LOCATIONS[*]} " =~ " ${SELECTED_LOCATION} " ]]; then
SELECTED_LOCATION="$(get_random_cvm_region)"
echo "AZURE_LOCATION=${AZURE_LOCATION} is invalid for Confidential VM targets. Valid CVM locations: ${VALID_CVM_LOCATIONS[*]}."
echo "Selected location is ${SELECTED_LOCATION}."
fi

for target in ${SIG_CVM_CI_TARGETS[@]};
do
AZURE_LOCATION="${SELECTED_LOCATION}" make build-azure-sig-${target} > ${ARTIFACTS}/azure-sigs/${target}.log 2>&1 &
PIDS["sig-${target}"]=$!
done
else
for target in ${VHD_CI_TARGETS[@]};
do
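Review bot: `export VALID_CVM_LOCATIONS=(...)` does not do what it looks like: bash cannot export array variables, so the `export` is silently a no-op for child processes and the list is only visible inside this script, which is where it is used anyway. Drop the `export` (or declare it `readonly VALID_CVM_LOCATIONS=(...)`) so a reader does not assume `make` or `init-sig.sh` can see it; if `REGIONS` above is declared the same way (its definition is outside this hunk) it has the same issue. The hard-coded four-region allow-list will also drift as Azure enables confidential sizes in more regions, so a comment recording where it came from, e.g. `# regions with confidential VM sizes available when this was added — update as Azure expands CVM availability`, makes the next "invalid for Confidential VM targets" fallback easier to diagnose.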
