sigs.k8s.io/cluster-api-provider-azure@v1.14.3/docs/book/src/topics/trusted-launch-for-vms.md

# Trusted launch for VMs

This document describes how to deploy a cluster with nodes that support [trusted launch](https://learn.microsoft.com/azure/virtual-machines/trusted-launch).

## Limitations

Before you begin, be aware of the following:

- [Limitations](https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#limitations)
- [SecureBoot](https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#secure-boot)
- [vTPM](https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#vtpm)

## Trusted Launch Images

One of the limitations of trusted launch for VMs is that they require [generation 2](https://learn.microsoft.com/en-us/azure/virtual-machines/generation-2) VMs.

OS images that support trusted launch are not included in the list of `capi` reference images. Before creating a cluster hosted on VMs with trusted launch features enabled, you can create a [custom image](custom-images.md) based on one of the OS images that support trusted launch, using [image-builder](https://github.com/kubernetes-sigs/image-builder). For example, you can run the following to create such an image based on Ubuntu Server 22.04 LTS:

```bash
$ make -C images/capi build-azure-sig-ubuntu-2204-gen2
# many minutes later...
==> sig-ubuntu-2204-gen2:
Build 'sig-ubuntu-2204-gen2' finished.

==> Builds finished. The artifacts of successful builds are:
--> sig-ubuntu-2204-gen2: Azure.ResourceManagement.VMImage:

OSType: Linux
ManagedImageResourceGroupName: cluster-api-images
ManagedImageName: capi-ubuntu-2204-gen2-1684153817
ManagedImageId: /subscriptions/01234567-89ab-cdef-0123-4567890abcde/resourceGroups/cluster-api-images/providers/Microsoft.Compute/images/capi-ubuntu-2204-gen2-1684153817
ManagedImageLocation: southcentralus
ManagedImageSharedImageGalleryId: /subscriptions/01234567-89ab-cdef-0123-4567890abcde/resourceGroups/cluster-api-images/providers/Microsoft.Compute/galleries/ClusterAPI/images/capi-ubuntu-2204-gen2/versions/0.3.1684153817
```

## Example

The example below shows how to deploy a cluster with control-plane nodes that have SecureBoot and vTPM enabled. Make sure to choose a supported generation 2 VM size (e.g. `Standard_B2s`) and OS (e.g. Ubuntu Server 22.04 LTS).

NOTE: the same settings can be applied to worker nodes.

```yaml
kind: AzureMachineTemplate
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
metadata:
  name: capz-trusted-launch-example
spec:
  template:
    spec:
      image:
        computeGallery:
          subscriptionID: "01234567-89ab-cdef-0123-4567890abcde"
          resourceGroup: "cluster-api-images"
          gallery: "ClusterAPI"
          name: "capi-ubuntu-2204-gen2-1684153817"
          version: "0.3.1684153817"
      securityProfile:
        securityType: "TrustedLaunch"
        uefiSettings:
          vTpmEnabled: true
          secureBootEnabled: true
      osDisk:
        diskSizeGB: 128
        osType: "Linux"
      vmSize: "Standard_B2s"
```
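A quick way to catch templates that silently drop these settings before they reach the cluster is a policy check over the decoded manifest. The following is an added example, not part of the CAPZ project or this page; it assumes the manifest has already been loaded into a dict (as `yaml.safe_load` would produce) and treats a `gen2` substring in the gallery image name as a heuristic for a generation 2 image, following the image-builder naming shown above.

```python
"""Policy check for AzureMachineTemplate trusted-launch settings (added example)."""
from typing import Any, Dict, List

# Constructed manifest mirroring the page's AzureMachineTemplate example,
# reduced to the fields the check inspects.
GOOD_TEMPLATE: Dict[str, Any] = {
    "kind": "AzureMachineTemplate",
    "spec": {"template": {"spec": {
        "image": {"computeGallery": {"name": "capi-ubuntu-2204-gen2-1684153817"}},
        "securityProfile": {
            "securityType": "TrustedLaunch",
            "uefiSettings": {"vTpmEnabled": True, "secureBootEnabled": True},
        },
        "vmSize": "Standard_B2s",
    }}},
}


def check_trusted_launch(template: Dict[str, Any]) -> List[str]:
    """Return findings for a decoded AzureMachineTemplate; empty means it passes.

    Requirements taken from the page: securityType must be TrustedLaunch,
    vTpmEnabled and secureBootEnabled must both be true, and the image must
    be a generation 2 image (checked here by the 'gen2' naming heuristic).
    """
    findings: List[str] = []
    if template.get("kind") != "AzureMachineTemplate":
        return ["not an AzureMachineTemplate"]
    spec = template.get("spec", {}).get("template", {}).get("spec", {})

    profile = spec.get("securityProfile") or {}
    if profile.get("securityType") != "TrustedLaunch":
        findings.append("securityProfile.securityType is not TrustedLaunch")
    uefi = profile.get("uefiSettings") or {}
    for key in ("vTpmEnabled", "secureBootEnabled"):
        if uefi.get(key) is not True:  # a missing key is as bad as false
            findings.append(f"securityProfile.uefiSettings.{key} is not true")

    gallery = (spec.get("image") or {}).get("computeGallery") or {}
    if "gen2" not in gallery.get("name", ""):
        findings.append("image.computeGallery.name does not look like a gen2 image")
    return findings


if __name__ == "__main__":
    for finding in check_trusted_launch(GOOD_TEMPLATE) or ["ok: trusted launch enabled"]:
        print(finding)
```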