Merge pull request #9007 from openshift-cherrypick-robot/cherry-pick-…

…9000-to-release-4.17 [release-4.17] OCPBUGS-41300: Azure CAPI: Improve handling of security features configured on the MachinePools and OSDisk
openshift · Sep 14, 2024 · c378781 · c378781
2 parents e63d309 + ba157e8
commit c378781
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 9 deletions.
diff --git a/pkg/asset/machines/azure/azuremachines.go b/pkg/asset/machines/azure/azuremachines.go
@@ -93,6 +93,7 @@ func GenerateMachines(clusterID, resourceGroup, subscriptionID string, in *Machi
 		image = &capz.Image{ID: &imageID}
 	}
 
+	// Set up OSDisk
 	osDisk := capz.OSDisk{
 		OSType:     "Linux",
 		DiskSizeGB: &mpool.DiskSizeGB,
@@ -101,16 +102,31 @@ func GenerateMachines(clusterID, resourceGroup, subscriptionID string, in *Machi
 		},
 		CachingType: "ReadWrite",
 	}
-	ultrassd := mpool.UltraSSDCapability == "Enabled"
-	additionalCapabilities := &capz.AdditionalCapabilities{
-		UltraSSDEnabled: &ultrassd,
-	}
 	if in.Pool.Platform.Azure.DiskEncryptionSet != nil {
 		osDisk.ManagedDisk.DiskEncryptionSet = &capz.DiskEncryptionSetParameters{
 			ID: mpool.OSDisk.DiskEncryptionSet.ToID(),
 		}
 	}
 
+	var diskSecurityProfile capz.VMDiskSecurityProfile
+	if mpool.OSDisk.SecurityProfile != nil && mpool.OSDisk.SecurityProfile.SecurityEncryptionType != "" {
+		diskSecurityProfile = capz.VMDiskSecurityProfile{
+			SecurityEncryptionType: capz.SecurityEncryptionType(mpool.OSDisk.SecurityProfile.SecurityEncryptionType),
+		}
+
+		if mpool.OSDisk.SecurityProfile.DiskEncryptionSet != nil {
+			diskSecurityProfile.DiskEncryptionSet = &capz.DiskEncryptionSetParameters{
+				ID: mpool.OSDisk.SecurityProfile.DiskEncryptionSet.ToID(),
+			}
+		}
+		osDisk.ManagedDisk.SecurityProfile = &diskSecurityProfile
+	}
+
+	ultrassd := mpool.UltraSSDCapability == "Enabled"
+	additionalCapabilities := &capz.AdditionalCapabilities{
+		UltraSSDEnabled: &ultrassd,
+	}
+
 	machineProfile := generateSecurityProfile(mpool)
 	securityProfile := &capz.SecurityProfile{
 		EncryptionAtHost: machineProfile.EncryptionAtHost,

diff --git a/pkg/infrastructure/azure/azure.go b/pkg/infrastructure/azure/azure.go
@@ -433,7 +433,7 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 		// If Control Plane Security Type is provided, then pass that along
 		// during Gen V2 Gallery Image creation. It will be added as a
 		// supported feature of the image.
-		securityType, err := getControlPlaneSecurityType(in)
+		securityType, err := getMachinePoolSecurityType(in)
 		if err != nil {
 			return err
 		}
@@ -887,17 +887,17 @@ func (p Provider) Ignition(ctx context.Context, in clusterapi.IgnitionInput) ([]
 	return ignSecrets, nil
 }
 
-func getControlPlaneSecurityType(in clusterapi.InfraReadyInput) (string, error) {
+func getMachinePoolSecurityType(in clusterapi.InfraReadyInput) (string, error) {
 	var securityType aztypes.SecurityTypes
-	if in.InstallConfig.Config.ControlPlane != nil {
+	if in.InstallConfig.Config.ControlPlane != nil && in.InstallConfig.Config.ControlPlane.Platform.Azure != nil {
 		pool := in.InstallConfig.Config.ControlPlane.Platform.Azure
-		if pool.EncryptionAtHost && pool.Settings != nil {
+		if pool.Settings != nil {
 			securityType = pool.Settings.SecurityType
 		}
 	}
 	if securityType == "" && in.InstallConfig.Config.Platform.Azure.DefaultMachinePlatform != nil {
 		pool := in.InstallConfig.Config.Platform.Azure.DefaultMachinePlatform
-		if pool.EncryptionAtHost && pool.Settings != nil {
+		if pool.Settings != nil {
 			securityType = pool.Settings.SecurityType
 		}
 	}