gallery image reference and security profile support for VMs #1162

Open
wants to merge 6 commits into
base: master

@et1975 et1975 commented Nov 20, 2024

This PR closes #1161 and closes #1163

The changes in this PR are as follows:

  • Offers Community and Shared gallery image support
  • Introduces ImageInfo DU to support gallery image references as well as existing image SKUs
  • Gallery references still require OS when configuring a VM - purely to maintain Farmer validation
  • Expose VM/SS security profile options

I have read the contributing guidelines and have completed the following:

  • Tested my code end-to-end against a live Azure subscription.
  • Updated the documentation in the docs folder for the affected changes.
  • Written unit tests against the modified code that I have made.
  • Updated the release notes with a new entry for this PR.
  • Checked the coding standards outlined in the contributions guide and ensured my code adheres to them.

Below is a minimal example configuration that includes the new features, which can be used to deploy to Azure:

    vmss {
        name "my-scale-set"
        osupgrade_automatic true
        vm_profile (
            vm {
                username "azureuser"
                operating_system (Linux, SharedGalleryImageId(ResourceName "vm-gallery", ResourceName "vm-image", "image-version"))
                vm_size Standard_B1s
                os_disk 128 StandardSSD_LRS
                security_type TrustedLaunch
                uefi { SecureBoot = Enabled; Vtpm = Enabled }
            }
        )
    }

@ninjarobot ninjarobot added this to the 1.9.7 milestone Nov 22, 2024
@@ -821,6 +821,19 @@ module Vm =
OS: OS
}

type GalleryImageId =
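
Review bot: `type GalleryImageId =` at the end of this hunk is introduced with no `///` doc comment above it, and the name sits close to the gallery image builder's GalleryImageIdentifier that comes up in this thread. A summary line on the type stating what kind of reference it holds, and how that differs from an ARM resource identifier, would answer the question before it is asked. The body of the definition is not visible in these lines, so its cases are not covered by this comment.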
Collaborator

Would it be possible to use the GalleryImageIdentifier from gallery image builder instead of an arbitrary string?

Contributor Author

@et1975 et1975 Nov 22, 2024

Despite both using the term "gallery", the distribution mechanism seems to be different depending on the reference method used: the offer/sku refers to the "marketplace", while the string id references an Azure gallery artifact. The listings are completely independent, and while the same image may appear in both, there's no direct correspondence between any part of the id string of the gallery and the offer/sku of the marketplace.
Using the string reference in the deployment also involves a completely different validation flow.

Collaborator

I see now - this is not the gallery image identifier, this is the ARM resource identifier for the image from the gallery. It just should be ResourceId, same as in the ImageTemplate.SharedImageVersionSource.

Contributor Author

@et1975 et1975 Nov 25, 2024

You'd think so, but shared and community gallery references do not refer to ARM resources and have no type, subscription or resource group (for example: /sharedGalleries/CblMariner.1P/images/cbl-mariner-2-gen2/versions/latest), and they make it possible to access images shared tenant-wide or cloud-wide, respectively, without having access to the subscription where the gallery resides.

Contributor Author

Updated reference type to enforce a bit of structure in the URIs.

Contributor Author

For comparison, the imageTemplate format is /subscriptions/111111111-1111-1111-1111-111111111111/resourcegroups/mydtlrg/providers/microsoft.devtestlab/labs/mydtllab/sharedgalleries/spsig/sharedimages/myimagefromgallery
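
The distinction drawn in the comments above, as an added F# example that is not part of this PR or of Farmer's code: a parser that classifies an image reference by its leading path segments, so an ARM id that merely contains "sharedgalleries" further down is not mistaken for a shared gallery reference. `ImageRef`, `parseImageRef` and the helpers are hypothetical names; the `/communityGalleries/` prefix and the case-insensitive comparison are assumptions not shown on this page.

```fsharp
// Added example: hypothetical types, not Farmer's or the PR's definitions.
open System

type ImageRef =
    | SharedGallery of gallery: string * image: string * version: string    // shared tenant-wide
    | CommunityGallery of gallery: string * image: string * version: string // shared cloud-wide
    | ArmResource of subscription: string * resourceGroup: string * rest: string

// Assumption: path keywords compare case-insensitively, as the lower-case
// "resourcegroups" in the imageTemplate example suggests.
let eq (a: string) (b: string) = String.Equals(a, b, StringComparison.OrdinalIgnoreCase)
let allSet (parts: string list) = parts |> List.forall (fun p -> p <> "")
let isGalleryShape images versions = eq images "images" && eq versions "versions"
let isArmPrefix a b c = eq a "subscriptions" && eq b "resourceGroups" && eq c "providers"

/// Classify a reference by its leading segments; reject anything else.
let parseImageRef (s: string) : Result<ImageRef, string> =
    match s.Split('/') |> List.ofArray with
    | [ ""; root; g; images; i; versions; v ] when isGalleryShape images versions && allSet [ g; i; v ] ->
        if eq root "sharedGalleries" then Ok(SharedGallery(g, i, v))
        elif eq root "communityGalleries" then Ok(CommunityGallery(g, i, v))
        else Error(sprintf "unknown gallery root '%s'" root)
    | "" :: subs :: sub :: rgs :: rg :: providers :: rest
        when isArmPrefix subs rgs providers && allSet [ sub; rg ] && not (List.isEmpty rest) ->
        Ok(ArmResource(sub, rg, String.concat "/" rest))
    | _ -> Error(sprintf "not a gallery reference or ARM resource id: '%s'" s)

// Samples: the first and third strings are quoted from the comments above;
// the second and fourth are constructed for this example.
[ "/sharedGalleries/CblMariner.1P/images/cbl-mariner-2-gen2/versions/latest"
  "/communityGalleries/example-gallery/images/example-image/versions/1.0.0"
  "/subscriptions/111111111-1111-1111-1111-111111111111/resourcegroups/mydtlrg/providers/microsoft.devtestlab/labs/mydtllab/sharedgalleries/spsig/sharedimages/myimagefromgallery"
  "sharedGalleries/no-leading-slash/images/x/versions/1" ]
|> List.iter (fun s -> printfn "%A" (parseImageRef s))
```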

@et1975 et1975 changed the title gallery image reference support for VMs gallery image reference and security profile support for VMs Dec 2, 2024

Successfully merging this pull request may close these issues.

  • securityProfile support for VMSS
  • imageReference support for sharedGalleryImageId