machine_webhook: Support TDX confidential computing on GCP

bgartzi · bgartzi · commit e4628f1c4f5d · 2025-03-05T17:37:37.000+01:00
Apart from AMD {SEV,SEV-SNP}, Intel TDX confidential computing machines
can be provisioned in GCP. Allow such configurations in the machine
webhooks.
diff --git a/pkg/webhooks/machine_webhook.go b/pkg/webhooks/machine_webhook.go
@@ -227,6 +227,7 @@ const (
 // reference: https://cloud.google.com/compute/confidential-vm/docs/os-and-machine-type#machine-type
 var gcpConfidentialTypeMachineSeriesSupportingSEV = []string{"n2d", "c2d", "c3d"}
 var gcpConfidentialTypeMachineSeriesSupportingSEVSNP = []string{"n2d"}
+var gcpConfidentialTypeMachineSeriesSupportingTDX = []string{"c3"}
 
 // defaultInstanceTypeForCloudProvider returns the default instance type for the given cloud provider and architecture.
 // If the cloud provider is not supported, an empty string is returned.
@@ -1339,10 +1340,17 @@ func validateGCPConfidentialComputing(providerSpec *machinev1beta1.GCPMachinePro
 					fmt.Sprintf("ConfidentialCompute %s requires a machine type in the following series: %s", providerSpec.ConfidentialCompute, strings.Join(gcpConfidentialTypeMachineSeriesSupportingSEVSNP, `,`))),
 				)
 			}
+		case machinev1beta1.ConfidentialComputePolicyTDX:
+			if !slices.Contains(gcpConfidentialTypeMachineSeriesSupportingTDX, machineSeries) {
+				errs = append(errs, field.Invalid(field.NewPath("providerSpec", "machineType"),
+					providerSpec.MachineType,
+					fmt.Sprintf("ConfidentialCompute %s requires a machine type in the following series: %s", providerSpec.ConfidentialCompute, strings.Join(gcpConfidentialTypeMachineSeriesSupportingTDX, `,`))),
+				)
+			}
 		default:
 			errs = append(errs, field.Invalid(field.NewPath("providerSpec", "confidentialCompute"),
 				providerSpec.ConfidentialCompute,
-				fmt.Sprintf("ConfidentialCompute must be %s, %s, %s, or %s", machinev1beta1.ConfidentialComputePolicyEnabled, machinev1beta1.ConfidentialComputePolicyDisabled, machinev1beta1.ConfidentialComputePolicySEV, machinev1beta1.ConfidentialComputePolicySEVSNP)),
+				fmt.Sprintf("ConfidentialCompute must be %s, %s, %s, %s, or %s", machinev1beta1.ConfidentialComputePolicyEnabled, machinev1beta1.ConfidentialComputePolicyDisabled, machinev1beta1.ConfidentialComputePolicySEV, machinev1beta1.ConfidentialComputePolicySEVSNP, machinev1beta1.ConfidentialComputePolicyTDX)),
 			)
 		}
 	}
diff --git a/pkg/webhooks/machine_webhook_test.go b/pkg/webhooks/machine_webhook_test.go
@@ -3805,7 +3805,7 @@ func TestValidateGCPProviderSpec(t *testing.T) {
 				p.OnHostMaintenance = machinev1beta1.TerminateHostMaintenanceType
 			},
 			expectedOk:    false,
-			expectedError: "providerSpec.confidentialCompute: Invalid value: \"invalid-value\": ConfidentialCompute must be Enabled, Disabled, AMDEncryptedVirtualization, or AMDEncryptedVirtualizationNestedPaging",
+			expectedError: "providerSpec.confidentialCompute: Invalid value: \"invalid-value\": ConfidentialCompute must be Enabled, Disabled, AMDEncryptedVirtualization, AMDEncryptedVirtualizationNestedPaging, or IntelTrustedDomainExtensions",
 		},
 		{
 			testCase: "with ConfidentialCompute enabled while onHostMaintenance is set to Migrate",
@@ -3890,6 +3890,37 @@ func TestValidateGCPProviderSpec(t *testing.T) {
 			expectedOk:    false,
 			expectedError: "providerSpec.onHostMaintenance: Invalid value: \"Migrate\": ConfidentialCompute AMDEncryptedVirtualizationNestedPaging requires OnHostMaintenance to be set to Terminate, the current value is: Migrate",
 		},
+		{
+			testCase: "with ConfidentialCompute IntelTrustedDomainExtensions and an unsupported machine",
+			modifySpec: func(p *machinev1beta1.GCPMachineProviderSpec) {
+				p.ConfidentialCompute = machinev1beta1.ConfidentialComputePolicyTDX
+				p.OnHostMaintenance = machinev1beta1.TerminateHostMaintenanceType
+				p.MachineType = "c3d-standard-4"
+			},
+			expectedOk:    false,
+			expectedError: "providerSpec.machineType: Invalid value: \"c3d-standard-4\": ConfidentialCompute IntelTrustedDomainExtensions requires a machine type in the following series: c3",
+		},
+		{
+			testCase: "with ConfidentialCompute IntelTrustedDomainExtensions and a supported machine",
+			modifySpec: func(p *machinev1beta1.GCPMachineProviderSpec) {
+				p.ConfidentialCompute = machinev1beta1.ConfidentialComputePolicyTDX
+				p.OnHostMaintenance = machinev1beta1.TerminateHostMaintenanceType
+				p.MachineType = "c3-standard-4"
+			},
+			expectedOk:    true,
+			expectedError: "",
+		},
+		{
+			testCase: "with ConfidentialCompute IntelTrustedDomainExtensions and onHostMaintenance set to Migrate",
+			modifySpec: func(p *machinev1beta1.GCPMachineProviderSpec) {
+				p.ConfidentialCompute = machinev1beta1.ConfidentialComputePolicyTDX
+				p.OnHostMaintenance = machinev1beta1.MigrateHostMaintenanceType
+				p.MachineType = "c3-standard-4"
+				p.GPUs = []machinev1beta1.GCPGPUConfig{}
+			},
+			expectedOk:    false,
+			expectedError: "providerSpec.onHostMaintenance: Invalid value: \"Migrate\": ConfidentialCompute IntelTrustedDomainExtensions requires OnHostMaintenance to be set to Terminate, the current value is: Migrate",
+		},
 		{
 			testCase: "with GPUs and Migrate onHostMaintenance",
 			modifySpec: func(p *machinev1beta1.GCPMachineProviderSpec) {

Original file line number	Diff line number	Diff line change
`@@ -227,6 +227,7 @@ const (`
`227`	`227`	`// reference: https://cloud.google.com/compute/confidential-vm/docs/os-and-machine-type#machine-type`
`228`	`228`	`var gcpConfidentialTypeMachineSeriesSupportingSEV = []string{"n2d", "c2d", "c3d"}`
`229`	`229`	`var gcpConfidentialTypeMachineSeriesSupportingSEVSNP = []string{"n2d"}`
	`230`	`+var gcpConfidentialTypeMachineSeriesSupportingTDX = []string{"c3"}`
`230`	`231`
`231`	`232`	`// defaultInstanceTypeForCloudProvider returns the default instance type for the given cloud provider and architecture.`
`232`	`233`	`// If the cloud provider is not supported, an empty string is returned.`
`@@ -1339,10 +1340,17 @@ func validateGCPConfidentialComputing(providerSpec *machinev1beta1.GCPMachinePro`
`1339`	`1340`	fmt.Sprintf("ConfidentialCompute %s requires a machine type in the following series: %s", providerSpec.ConfidentialCompute, strings.Join(gcpConfidentialTypeMachineSeriesSupportingSEVSNP, `,`))),
`1340`	`1341`	`)`
`1341`	`1342`	`}`
	`1343`	`+ case machinev1beta1.ConfidentialComputePolicyTDX:`
	`1344`	`+ if !slices.Contains(gcpConfidentialTypeMachineSeriesSupportingTDX, machineSeries) {`
	`1345`	`+ errs = append(errs, field.Invalid(field.NewPath("providerSpec", "machineType"),`
	`1346`	`+ providerSpec.MachineType,`
	`1347`	+ fmt.Sprintf("ConfidentialCompute %s requires a machine type in the following series: %s", providerSpec.ConfidentialCompute, strings.Join(gcpConfidentialTypeMachineSeriesSupportingTDX, `,`))),
	`1348`	`+ )`
	`1349`	`+ }`
`1342`	`1350`	`default:`
`1343`	`1351`	`errs = append(errs, field.Invalid(field.NewPath("providerSpec", "confidentialCompute"),`
`1344`	`1352`	`providerSpec.ConfidentialCompute,`
`1345`		`- fmt.Sprintf("ConfidentialCompute must be %s, %s, %s, or %s", machinev1beta1.ConfidentialComputePolicyEnabled, machinev1beta1.ConfidentialComputePolicyDisabled, machinev1beta1.ConfidentialComputePolicySEV, machinev1beta1.ConfidentialComputePolicySEVSNP)),`
	`1353`	`+ fmt.Sprintf("ConfidentialCompute must be %s, %s, %s, %s, or %s", machinev1beta1.ConfidentialComputePolicyEnabled, machinev1beta1.ConfidentialComputePolicyDisabled, machinev1beta1.ConfidentialComputePolicySEV, machinev1beta1.ConfidentialComputePolicySEVSNP, machinev1beta1.ConfidentialComputePolicyTDX)),`
`1346`	`1354`	`)`
`1347`	`1355`	`}`
`1348`	`1356`	`}`