Merge pull request #1326 from bgartzi/gcp-tdx

OCPCLOUD-2882, OCPCLOUD-2889: support AMD SEV_SNP and TDX confidential computing machines on GCP

Author: openshift-merge-bot[bot]

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/onsi/ginkgo/v2 v2.22.2
 	github.com/onsi/gomega v1.36.2
-	github.com/openshift/api v0.0.0-20250218131406-8b82294c5e3a
+	github.com/openshift/api v0.0.0-20250305122440-3e04d3af8c3e
 	github.com/openshift/client-go v0.0.0-20250125113824-8e1f0b8fa9a7
 	github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0-20250122171707-86066d47a264
 	github.com/openshift/cluster-control-plane-machine-set-operator v0.0.0-20250128131205-c7b3d7b57a8e

go.sum

@@ -357,8 +357,8 @@ github.com/onsi/ginkgo/v2 v2.22.2 h1:/3X8Panh8/WwhU/3Ssa6rCKqPLuAkVY2I0RoyDLySlU
 github.com/onsi/ginkgo/v2 v2.22.2/go.mod h1:oeMosUL+8LtarXBHu/c0bx2D/K9zyQ6uX3cTyztHwsk=
 github.com/onsi/gomega v1.36.2 h1:koNYke6TVk6ZmnyHrCXba/T/MoLBXFjeC1PtvYgw0A8=
 github.com/onsi/gomega v1.36.2/go.mod h1:DdwyADRjrc825LhMEkD76cHR5+pUnjhUN8GlHlRPHzY=
-github.com/openshift/api v0.0.0-20250218131406-8b82294c5e3a h1:G26rXyn/CoUWkZW/nQS8dhOG9061GxeshAtuJDlwv7Q=
-github.com/openshift/api v0.0.0-20250218131406-8b82294c5e3a/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw=
+github.com/openshift/api v0.0.0-20250305122440-3e04d3af8c3e h1:bEcCutNr5RLU/DudWNs/nlOLBqMxrfsHtVuMttkxvWE=
+github.com/openshift/api v0.0.0-20250305122440-3e04d3af8c3e/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw=
 github.com/openshift/client-go v0.0.0-20250125113824-8e1f0b8fa9a7 h1:4iliLcvr1P9EUMZgIaSNEKNQQzBn+L6PSequlFOuB6Q=
 github.com/openshift/client-go v0.0.0-20250125113824-8e1f0b8fa9a7/go.mod h1:2tcufBE4Cu6RNgDCxcUJepa530kGo5GFVfR9BSnndhI=
 github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0-20250122171707-86066d47a264 h1:KoJiId8Ynajf/ZFodvmayFkDODIL7Vow3LmgR5+oVRg=

pkg/webhooks/machine_webhook.go

@@ -225,7 +225,9 @@ const (
 
 // GCP Confidential VM supports Compute Engine machine types in the following series:
 // reference: https://cloud.google.com/compute/confidential-vm/docs/os-and-machine-type#machine-type
-var gcpConfidentialComputeSupportedMachineSeries = []string{"n2d", "c2d"}
+var gcpConfidentialTypeMachineSeriesSupportingSEV = []string{"n2d", "c2d", "c3d"}
+var gcpConfidentialTypeMachineSeriesSupportingSEVSNP = []string{"n2d"}
+var gcpConfidentialTypeMachineSeriesSupportingTDX = []string{"c3"}
 
 // defaultInstanceTypeForCloudProvider returns the default instance type for the given cloud provider and architecture.
 // If the cloud provider is not supported, an empty string is returned.
@@ -1320,30 +1322,44 @@ func validateShieldedInstanceConfig(providerSpec *machinev1beta1.GCPMachineProvi
 
 func validateGCPConfidentialComputing(providerSpec *machinev1beta1.GCPMachineProviderSpec) field.ErrorList {
 	var errs field.ErrorList
-
-	switch providerSpec.ConfidentialCompute {
-	case machinev1beta1.ConfidentialComputePolicyEnabled:
+	if providerSpec.ConfidentialCompute != "" && providerSpec.ConfidentialCompute != machinev1beta1.ConfidentialComputePolicyDisabled {
 		// Check on host maintenance
 		if providerSpec.OnHostMaintenance != machinev1beta1.TerminateHostMaintenanceType {
 			errs = append(errs, field.Invalid(field.NewPath("providerSpec", "onHostMaintenance"),
 				providerSpec.OnHostMaintenance,
-				fmt.Sprintf("ConfidentialCompute require OnHostMaintenance to be set to %s, the current value is: %s", machinev1beta1.TerminateHostMaintenanceType, providerSpec.OnHostMaintenance)))
+				fmt.Sprintf("ConfidentialCompute %s requires OnHostMaintenance to be set to %s, the current value is: %s", providerSpec.ConfidentialCompute, machinev1beta1.TerminateHostMaintenanceType, providerSpec.OnHostMaintenance)))
 		}
 		// Check machine series supports confidential computing
 		machineSeries := strings.Split(providerSpec.MachineType, "-")[0]
-		if !slices.Contains(gcpConfidentialComputeSupportedMachineSeries, machineSeries) {
-			errs = append(errs, field.Invalid(field.NewPath("providerSpec", "machineType"),
-				providerSpec.MachineType,
-				fmt.Sprintf("ConfidentialCompute require machine type in the following series: %s", strings.Join(gcpConfidentialComputeSupportedMachineSeries, `,`))),
+		switch providerSpec.ConfidentialCompute {
+		case machinev1beta1.ConfidentialComputePolicyEnabled, machinev1beta1.ConfidentialComputePolicySEV:
+			if !slices.Contains(gcpConfidentialTypeMachineSeriesSupportingSEV, machineSeries) {
+				errs = append(errs, field.Invalid(field.NewPath("providerSpec", "machineType"),
+					providerSpec.MachineType,
+					fmt.Sprintf("ConfidentialCompute %s requires a machine type in the following series: %s", providerSpec.ConfidentialCompute, strings.Join(gcpConfidentialTypeMachineSeriesSupportingSEV, `,`))),
+				)
+			}
+		case machinev1beta1.ConfidentialComputePolicySEVSNP:
+			if !slices.Contains(gcpConfidentialTypeMachineSeriesSupportingSEVSNP, machineSeries) {
+				errs = append(errs, field.Invalid(field.NewPath("providerSpec", "machineType"),
+					providerSpec.MachineType,
+					fmt.Sprintf("ConfidentialCompute %s requires a machine type in the following series: %s", providerSpec.ConfidentialCompute, strings.Join(gcpConfidentialTypeMachineSeriesSupportingSEVSNP, `,`))),
+				)
+			}
+		case machinev1beta1.ConfidentialComputePolicyTDX:
+			if !slices.Contains(gcpConfidentialTypeMachineSeriesSupportingTDX, machineSeries) {
+				errs = append(errs, field.Invalid(field.NewPath("providerSpec", "machineType"),
+					providerSpec.MachineType,
+					fmt.Sprintf("ConfidentialCompute %s requires a machine type in the following series: %s", providerSpec.ConfidentialCompute, strings.Join(gcpConfidentialTypeMachineSeriesSupportingTDX, `,`))),
+				)
+			}
+		default:
+			errs = append(errs, field.Invalid(field.NewPath("providerSpec", "confidentialCompute"),
+				providerSpec.ConfidentialCompute,
+				fmt.Sprintf("ConfidentialCompute must be %s, %s, %s, %s, or %s", machinev1beta1.ConfidentialComputePolicyEnabled, machinev1beta1.ConfidentialComputePolicyDisabled, machinev1beta1.ConfidentialComputePolicySEV, machinev1beta1.ConfidentialComputePolicySEVSNP, machinev1beta1.ConfidentialComputePolicyTDX)),
 			)
 		}
-	case machinev1beta1.ConfidentialComputePolicyDisabled, "":
-	default:
-		errs = append(errs, field.Invalid(field.NewPath("providerSpec", "confidentialCompute"),
-			providerSpec.ConfidentialCompute,
-			fmt.Sprintf("ConfidentialCompute must be either %s or %s.", machinev1beta1.ConfidentialComputePolicyEnabled, machinev1beta1.ConfidentialComputePolicyDisabled)))
 	}
-
 	return errs
 }
 

pkg/webhooks/machine_webhook_test.go

@@ -3862,9 +3862,10 @@ func TestValidateGCPProviderSpec(t *testing.T) {
 			testCase: "with ConfidentialCompute invalid value",
 			modifySpec: func(p *machinev1beta1.GCPMachineProviderSpec) {
 				p.ConfidentialCompute = "invalid-value"
+				p.OnHostMaintenance = machinev1beta1.TerminateHostMaintenanceType
 			},
 			expectedOk:    false,
-			expectedError: "providerSpec.confidentialCompute: Invalid value: \"invalid-value\": ConfidentialCompute must be either Enabled or Disabled.",
+			expectedError: "providerSpec.confidentialCompute: Invalid value: \"invalid-value\": ConfidentialCompute must be Enabled, Disabled, AMDEncryptedVirtualization, AMDEncryptedVirtualizationNestedPaging, or IntelTrustedDomainExtensions",
 		},
 		{
 			testCase: "with ConfidentialCompute enabled while onHostMaintenance is set to Migrate",
@@ -3875,7 +3876,7 @@ func TestValidateGCPProviderSpec(t *testing.T) {
 				p.GPUs = []machinev1beta1.GCPGPUConfig{}
 			},
 			expectedOk:    false,
-			expectedError: "providerSpec.onHostMaintenance: Invalid value: \"Migrate\": ConfidentialCompute require OnHostMaintenance to be set to Terminate, the current value is: Migrate",
+			expectedError: "providerSpec.onHostMaintenance: Invalid value: \"Migrate\": ConfidentialCompute Enabled requires OnHostMaintenance to be set to Terminate, the current value is: Migrate",
 		},
 		{
 			testCase: "with ConfidentialCompute enabled and unsupported machineType",
@@ -3885,7 +3886,100 @@ func TestValidateGCPProviderSpec(t *testing.T) {
 				p.MachineType = "e2-standard-4"
 			},
 			expectedOk:    false,
-			expectedError: "providerSpec.machineType: Invalid value: \"e2-standard-4\": ConfidentialCompute require machine type in the following series: n2d,c2d",
+			expectedError: "providerSpec.machineType: Invalid value: \"e2-standard-4\": ConfidentialCompute Enabled requires a machine type in the following series: n2d,c2d,c3d",
+		},
+		{
+			testCase: "with ConfidentialCompute AMDEncryptedVirtualization and an unsupported machine",
+			modifySpec: func(p *machinev1beta1.GCPMachineProviderSpec) {
+				p.ConfidentialCompute = machinev1beta1.ConfidentialComputePolicySEV
+				p.OnHostMaintenance = machinev1beta1.TerminateHostMaintenanceType
+				p.MachineType = "c3-standard-4"
+			},
+			expectedOk:    false,
+			expectedError: "providerSpec.machineType: Invalid value: \"c3-standard-4\": ConfidentialCompute AMDEncryptedVirtualization requires a machine type in the following series: n2d,c2d,c3d",
+		},
+		{
+			testCase: "with ConfidentialCompute AMDEncryptedVirtualization and a supported machine",
+			modifySpec: func(p *machinev1beta1.GCPMachineProviderSpec) {
+				p.ConfidentialCompute = machinev1beta1.ConfidentialComputePolicySEV
+				p.OnHostMaintenance = machinev1beta1.TerminateHostMaintenanceType
+				p.MachineType = "c2d-standard-4"
+			},
+			expectedOk:    true,
+			expectedError: "",
+		},
+		{
+			testCase: "with ConfidentialCompute AMDEncryptedVirtualization and onHostMaintenance set to Migrate",
+			modifySpec: func(p *machinev1beta1.GCPMachineProviderSpec) {
+				p.ConfidentialCompute = machinev1beta1.ConfidentialComputePolicySEV
+				p.OnHostMaintenance = machinev1beta1.MigrateHostMaintenanceType
+				p.MachineType = "c3d-standard-4"
+				p.GPUs = []machinev1beta1.GCPGPUConfig{}
+			},
+			expectedOk:    false,
+			expectedError: "providerSpec.onHostMaintenance: Invalid value: \"Migrate\": ConfidentialCompute AMDEncryptedVirtualization requires OnHostMaintenance to be set to Terminate, the current value is: Migrate",
+		},
+		{
+			testCase: "with ConfidentialCompute AMDEncryptedVirtualizationNestedPaging and an unsupported machine",
+			modifySpec: func(p *machinev1beta1.GCPMachineProviderSpec) {
+				p.ConfidentialCompute = machinev1beta1.ConfidentialComputePolicySEVSNP
+				p.OnHostMaintenance = machinev1beta1.TerminateHostMaintenanceType
+				p.MachineType = "c3-standard-4"
+			},
+			expectedOk:    false,
+			expectedError: "providerSpec.machineType: Invalid value: \"c3-standard-4\": ConfidentialCompute AMDEncryptedVirtualizationNestedPaging requires a machine type in the following series: n2d",
+		},
+		{
+			testCase: "with ConfidentialCompute AMDEncryptedVirtualizationNestedPaging and a supported machine",
+			modifySpec: func(p *machinev1beta1.GCPMachineProviderSpec) {
+				p.ConfidentialCompute = machinev1beta1.ConfidentialComputePolicySEVSNP
+				p.OnHostMaintenance = machinev1beta1.TerminateHostMaintenanceType
+				p.MachineType = "n2d-standard-4"
+			},
+			expectedOk:    true,
+			expectedError: "",
+		},
+		{
+			testCase: "with ConfidentialCompute AMDEncryptedVirtualizationNestedPaging and onHostMaintenance set to Migrate",
+			modifySpec: func(p *machinev1beta1.GCPMachineProviderSpec) {
+				p.ConfidentialCompute = machinev1beta1.ConfidentialComputePolicySEVSNP
+				p.OnHostMaintenance = machinev1beta1.MigrateHostMaintenanceType
+				p.MachineType = "n2d-standard-4"
+				p.GPUs = []machinev1beta1.GCPGPUConfig{}
+			},
+			expectedOk:    false,
+			expectedError: "providerSpec.onHostMaintenance: Invalid value: \"Migrate\": ConfidentialCompute AMDEncryptedVirtualizationNestedPaging requires OnHostMaintenance to be set to Terminate, the current value is: Migrate",
+		},
+		{
+			testCase: "with ConfidentialCompute IntelTrustedDomainExtensions and an unsupported machine",
+			modifySpec: func(p *machinev1beta1.GCPMachineProviderSpec) {
+				p.ConfidentialCompute = machinev1beta1.ConfidentialComputePolicyTDX
+				p.OnHostMaintenance = machinev1beta1.TerminateHostMaintenanceType
+				p.MachineType = "c3d-standard-4"
+			},
+			expectedOk:    false,
+			expectedError: "providerSpec.machineType: Invalid value: \"c3d-standard-4\": ConfidentialCompute IntelTrustedDomainExtensions requires a machine type in the following series: c3",
+		},
+		{
+			testCase: "with ConfidentialCompute IntelTrustedDomainExtensions and a supported machine",
+			modifySpec: func(p *machinev1beta1.GCPMachineProviderSpec) {
+				p.ConfidentialCompute = machinev1beta1.ConfidentialComputePolicyTDX
+				p.OnHostMaintenance = machinev1beta1.TerminateHostMaintenanceType
+				p.MachineType = "c3-standard-4"
+			},
+			expectedOk:    true,
+			expectedError: "",
+		},
+		{
+			testCase: "with ConfidentialCompute IntelTrustedDomainExtensions and onHostMaintenance set to Migrate",
+			modifySpec: func(p *machinev1beta1.GCPMachineProviderSpec) {
+				p.ConfidentialCompute = machinev1beta1.ConfidentialComputePolicyTDX
+				p.OnHostMaintenance = machinev1beta1.MigrateHostMaintenanceType
+				p.MachineType = "c3-standard-4"
+				p.GPUs = []machinev1beta1.GCPGPUConfig{}
+			},
+			expectedOk:    false,
+			expectedError: "providerSpec.onHostMaintenance: Invalid value: \"Migrate\": ConfidentialCompute IntelTrustedDomainExtensions requires OnHostMaintenance to be set to Terminate, the current value is: Migrate",
 		},
 		{
 			testCase: "with GPUs and Migrate onHostMaintenance",