Add support for AMD SEV-SNP instances

This commit adds support for AMD SEV-SNP instances. AMD SEV-SNP
can be configured by cpuOptions.AmdSevSnp, valid values: true,
false.

Signed-off-by: Fangge Jin <[email protected]>

Author: fangge1212

api/v1beta1/awscluster_conversion.go

@@ -63,6 +63,7 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
 		dst.Status.Bastion.NetworkInterfaceType = restored.Status.Bastion.NetworkInterfaceType
 		dst.Status.Bastion.CapacityReservationID = restored.Status.Bastion.CapacityReservationID
 		dst.Status.Bastion.MarketType = restored.Status.Bastion.MarketType
+		dst.Status.Bastion.CpuOptions = restored.Status.Bastion.CpuOptions
 	}
 	dst.Spec.Partition = restored.Spec.Partition
 

api/v1beta1/awsmachine_conversion.go

@@ -45,6 +45,7 @@ func (src *AWSMachine) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.CapacityReservationID = restored.Spec.CapacityReservationID
 	dst.Spec.MarketType = restored.Spec.MarketType
 	dst.Spec.NetworkInterfaceType = restored.Spec.NetworkInterfaceType
+	dst.Spec.CpuOptions = restored.Spec.CpuOptions
 	if restored.Spec.ElasticIPPool != nil {
 		if dst.Spec.ElasticIPPool == nil {
 			dst.Spec.ElasticIPPool = &infrav1.ElasticIPPool{}
@@ -109,6 +110,7 @@ func (r *AWSMachineTemplate) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.Template.Spec.CapacityReservationID = restored.Spec.Template.Spec.CapacityReservationID
 	dst.Spec.Template.Spec.MarketType = restored.Spec.Template.Spec.MarketType
 	dst.Spec.Template.Spec.NetworkInterfaceType = restored.Spec.Template.Spec.NetworkInterfaceType
+	dst.Spec.Template.Spec.CpuOptions = restored.Spec.Template.Spec.CpuOptions
 	if restored.Spec.Template.Spec.ElasticIPPool != nil {
 		if dst.Spec.Template.Spec.ElasticIPPool == nil {
 			dst.Spec.Template.Spec.ElasticIPPool = &infrav1.ElasticIPPool{}

api/v1beta1/zz_generated.conversion.go

@@ -73,6 +73,33 @@ const (
 	NetworkInterfaceTypeEFAWithENAInterface NetworkInterfaceType = NetworkInterfaceType("efa")
 )
 
+// AmdSevSnpSpecification defines the different values for AmdSevSnp
+type AmdSevSnpSpecification string
+
+const (
+	// AmdSevSnpSpecificationEnabled means AMD SEV SNP is enabled for the instance.
+	AmdSevSnpSpecificationEnabled AmdSevSnpSpecification = "enabled"
+
+	// AmdSevSnpSpecificationDisabled means AMD SEV SNP is disabled for the instance.
+	AmdSevSnpSpecificationDisabled AmdSevSnpSpecification = "disabled"
+)
+
+// CpuOptions defines the cpu options for the instance.
+type CpuOptions struct {
+	// AmdSevSnp specifies AMD SEV-SNP for the instance.
+	// +kubebuilder:validation:Enum=enabled;disabled
+	// +optional
+	AmdSevSnp AmdSevSnpSpecification `json:"amdSevSnp,omitempty"`
+}
+
+// Confidentail computing support depends on the instance type.
+// Only certain instance types in M6a, R6a and C6a series support AMD SEV-SNP. Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+var (
+	instanceTypesSupportingAmdSevsnp = []string{"m6a.large", "m6a.xlarge", "m6a.2xlarge", "m6a.4xlarge", "m6a.8xlarge",
+		"c6a.large", "c6a.xlarge", "c6a.2xlarge", "c6a.4xlarge", "c6a.8xlarge", "c6a.12xlarge", "c6a.16xlarge",
+		"r6a.large", "r6a.xlarge", "r6a.2xlarge", "r6a.4xlarge"}
+)
+
 // AWSMachineSpec defines the desired state of an Amazon EC2 instance.
 // +kubebuilder:validation:XValidation:rule="!has(self.capacityReservationId) || !has(self.marketType) || self.marketType != 'Spot'",message="capacityReservationId may not be set when marketType is Spot"
 // +kubebuilder:validation:XValidation:rule="!has(self.capacityReservationId) || !has(self.spotMarketOptions)",message="capacityReservationId cannot be set when spotMarketOptions is specified"
@@ -116,6 +143,10 @@ type AWSMachineSpec struct {
 	// +kubebuilder:validation:MinLength:=2
 	InstanceType string `json:"instanceType"`
 
+	// CpuOptions is the set of cpu options for the instance
+	// +optional
+	CpuOptions *CpuOptions `json:"cpuOptions,omitempty"`
+
 	// AdditionalTags is an optional set of tags to add to an instance, in addition to the ones added by default by the
 	// AWS provider. If both the AWSCluster and the AWSMachine specify the same tag name with different values, the
 	// AWSMachine's value takes precedence.

api/v1beta2/awsmachine_types.go

@@ -24,6 +24,8 @@ import (
 	"net/url"
 	"strings"
 
+	"k8s.io/utils/strings/slices"
+
 	"github.com/google/go-cmp/cmp"
 	"github.com/pkg/errors"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -78,6 +80,7 @@ func (*awsMachineWebhook) ValidateCreate(_ context.Context, obj runtime.Object)
 	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
 	allErrs = append(allErrs, r.validateNetworkElasticIPPool()...)
 	allErrs = append(allErrs, r.validateInstanceMarketType()...)
+	allErrs = append(allErrs, r.validateInstanceTypeForConfidentialCompute()...)
 
 	return nil, aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
 }
@@ -417,6 +420,17 @@ func (r *AWSMachine) validateNonRootVolumes() field.ErrorList {
 	return allErrs
 }
 
+func (r *AWSMachine) validateInstanceTypeForConfidentialCompute() field.ErrorList {
+	var allErrs field.ErrorList
+	if r.Spec.CpuOptions != nil {
+		if r.Spec.CpuOptions.AmdSevSnp != "" && r.Spec.CpuOptions.AmdSevSnp == "enabled" && !slices.Contains(instanceTypesSupportingAmdSevsnp, r.Spec.InstanceType) {
+			allErrs = append(allErrs, field.Required(field.NewPath("spec.InstanceType"), "this instance type doesn't support AMD SEV-SNP"))
+		}
+	}
+
+	return allErrs
+}
+
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type.
 func (*awsMachineWebhook) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
 	return nil, nil

api/v1beta2/awsmachine_webhook.go

@@ -279,6 +279,30 @@ func TestAWSMachineCreate(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "invalid instance type for AMD SEV-SNP",
+			machine: &AWSMachine{
+				Spec: AWSMachineSpec{
+					InstanceType: "test",
+					CpuOptions: &CpuOptions{
+						AmdSevSnp: "enabled",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "valid instance type for AMD SEV-SNP",
+			machine: &AWSMachine{
+				Spec: AWSMachineSpec{
+					InstanceType: "m6a.large",
+					CpuOptions: &CpuOptions{
+						AmdSevSnp: "enabled",
+					},
+				},
+			},
+			wantErr: false,
+		},
 		{
 			name: "invalid tags return error",
 			machine: &AWSMachine{

api/v1beta2/awsmachine_webhook_test.go

@@ -172,6 +172,9 @@ type Instance struct {
 	// The instance type.
 	Type string `json:"type,omitempty"`
 
+	// The cpu options of the instance.
+	CpuOptions *CpuOptions `json:"cpuOptions,omitempty"`
+
 	// The ID of the subnet of the instance.
 	SubnetID string `json:"subnetId,omitempty"`
 

api/v1beta2/types.go

@@ -1214,6 +1214,16 @@ spec:
                     description: CapacityReservationID specifies the target Capacity
                       Reservation into which the instance should be launched.
                     type: string
+                  cpuOptions:
+                    description: The cpu options of the instance.
+                    properties:
+                      amdSevSnp:
+                        description: AmdSevSnp specifies AMD SEV-SNP for the instance.
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
+                    type: object
                   ebsOptimized:
                     description: Indicates whether the instance is optimized for Amazon
                       EBS I/O.
@@ -3395,6 +3405,16 @@ spec:
                     description: CapacityReservationID specifies the target Capacity
                       Reservation into which the instance should be launched.
                     type: string
+                  cpuOptions:
+                    description: The cpu options of the instance.
+                    properties:
+                      amdSevSnp:
+                        description: AmdSevSnp specifies AMD SEV-SNP for the instance.
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
+                    type: object
                   ebsOptimized:
                     description: Indicates whether the instance is optimized for Amazon
                       EBS I/O.

api/v1beta2/zz_generated.deepcopy.go

@@ -2197,6 +2197,16 @@ spec:
                     description: CapacityReservationID specifies the target Capacity
                       Reservation into which the instance should be launched.
                     type: string
+                  cpuOptions:
+                    description: The cpu options of the instance.
+                    properties:
+                      amdSevSnp:
+                        description: AmdSevSnp specifies AMD SEV-SNP for the instance.
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
+                    type: object
                   ebsOptimized:
                     description: Indicates whether the instance is optimized for Amazon
                       EBS I/O.