Add securityProfile support for TrustedLaunch VMs

[buraksekili]

What this PR does / why we need it:
Azure enforces TrustedLaunch on Gen2 VMs using Compute Gallery images, causing VM creation to fail with a 400 BadRequest. This PR adds a securityProfile field to the Azure cloud provider spec so users can set securityType to TrustedLaunch (with optional secureBootEnabled and vTpmEnabled) or Standard (to opt out of auto-enforced TrustedLaunch on subscriptions where Azure enables it by default).

Which issue(s) this PR fixes:
Fixes #2013

What type of PR is this?
/kind feature

Special notes for your reviewer:

• TrustedLaunch is exclusively a Generation 2 feature (Gen1 is PCAT BIOS, Gen2 is UEFI). Our validateSecurityProfile rejects TrustedLaunch on non-Gen2 SKUs to fail fast before reaching Azure: https://learn.microsoft.com/en-us/azure/virtual-machines/generation-2 and https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-existing-vm-gen-1
• secureBootEnabled and vTpmEnabled are optional. Azure defaults: vTPM enabled, Secure Boot disabled. Source: https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-existing-vm-gen-1#upgrade-gen1-vm-to-trusted-launch
• Image-level SecurityType compatibility (TrustedLaunch / TrustedLaunchSupported / TrustedLaunchAndConfidentialVmSupported / ConfidentialVMSupported) is enforced by Azure at VM creation time. We deliberately do not pre-validate image properties (consistent with our existing pattern for other image attributes): https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-faq
• securityType: Standard requires the UseStandardSecurityType subscription feature flag, which Azure enforces. We do not pre-check feature-flag registration (consistent with how image SecurityType is handled): https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch-faq#can-i-disable-trusted-launch-for-a-new-vm-deployment
• Context for the Standard opt-out path: Azure rolling out "Trusted Launch as Default" (TrustedLaunchByDefaultPreview) means new Gen2 VMs on preview-registered subscriptions auto-enable TrustedLaunch unless Standard is explicitly set: https://learn.microsoft.com/en-us/azure/virtual-machines/trusted-launch#preview-trusted-launch-as-default

Does this PR introduce a user-facing change? Then add your Release Note here:

Azure VMs now support setting `securityProfile` with `securityType` TrustedLaunch or Standard in the cloud provider spec, enabling the use of Compute Gallery images that require TrustedLaunch.

Documentation:

NONE

[kubermatic-bot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[kubermatic-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ahmedwaleedmalik for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[buraksekili]

/hold still working and need to test

[kubermatic-bot]

@buraksekili: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-machine-controller-e2e-azure-custom-image-reference	45dbe38	link	true	/test pull-machine-controller-e2e-azure-custom-image-reference
pull-machine-controller-e2e-azure	45dbe38	link	true	/test pull-machine-controller-e2e-azure

Full PR test history

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.