-
Bug
-
Resolution: Unresolved
-
Undefined
-
4.14
-
Moderate
-
No
-
False
-
Description of problem:
Install IPI cluster with confidential VM, installer should have pre-check for vm type, disk encryption type etc to avoid installation failed during infrastructure creation 1. vm type Different security type support on different vm type for example, set platfrom.azure.defaultMachinePlatform.type to Standard_DC8ads_v5 and platform.azure.defaultMachinePlatform.settings.securityType to TrustedLaunch, installation will be failed as Standard_DC8ads_v5 only support security type ConfidentialVM ERROR Error: creating Linux Virtual Machine: (Name "jimaconf1-89qmp-bootstrap" / Resource Group "jimaconf1-89qmp-rg"): compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="The VM size 'Standard_DC16ads_v5' is not supported for creation of VMs and Virtual Machine Scale Set with 'TrustedLaunch' security type." 2. Disk encryption Set When install cluster with ConfidentialVM +securityEncryptionType:DiskWithVMGuestState, then using customer-managed key, it requires that DES encryption type is ConfidentialVmEncryptedWithCustomerKey, else installer throw error as below: 08-31 10:12:54.443 level=error msg=Error: creating Linux Virtual Machine: (Name "jima30confa-vtrm2-bootstrap" / Resource Group "jima30confa-vtrm2-rg"): compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="The type of the Disk Encryption Set in the request is 'ConfidentialVmEncryptedWithCustomerKey', but this Disk Encryption Set was created with type 'EncryptionAtRestWithCustomerKey'." Target="/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/jima30confa-vtrm2-rg/providers/Microsoft.Compute/disks/jima30confa-vtrm2-bootstrap_OSDisk" Installer should check vm type and DES's encryption type to make sure that expected DES is set.
Version-Release number of selected component (if applicable):
4.14 nightly build
How reproducible:
Always
Steps to Reproduce:
1. Prepare install-config, 1) enable confidentialVM but use vm type which does not support Confidential VM 2) enable TrustedLaunch but use vm type which support confidentialVM 3) enable confidentialVM + securityEncryptionType: DiskWithVMGuestState, use customer-managed key to encrypt managed key, but customer-managed key's encryption type is the default one "EncryptionAtRestWithPlatformKey" 2. Create cluster 3.
Actual results:
Installation failed when creating infrastructure
Expected results:
Installer should have pre-check for those scenarios, and exit with expected error message.
Additional info:
