Merge pull request #56305 from jeana-redhat/OSDOCS-5013-CPMS-GCP-support-features

[OSDOCS-5013]: CPMS for GCP: Supported features

Author: jeana-redhat

machine_management/control_plane_machine_management/cpmso-using.adoc

@@ -87,3 +87,28 @@ include::modules/machineset-azure-accelerated-networking.adoc[leveloffset=+2]
 
 // Enabling Accelerated Networking on an existing Microsoft Azure cluster
 include::modules/machineset-azure-enabling-accelerated-networking-existing.adoc[leveloffset=+3]
+
+[id="cpmso-supported-features-gcp_{context}"]
+== Enabling Google Cloud Platform features for control plane machines
+
+You can enable Google Cloud Platform (GCP) features on control plane machines by changing the configuration of your control plane machine set. When you save an update to the control plane machine set, the Control Plane Machine Set Operator updates the control plane machines according to your configured update strategy.
+
+//Note: GCP GPU features should be compatible with CPMS, but dev cannot think of a use case. Leaving them out to keep things less cluttered. If a customer use case emerges, we can just add the necessary modules in here.
+
+//Configuring persistent disk types by using machine sets
+include::modules/machineset-gcp-pd-disk-types.adoc[leveloffset=+2]
+
+//Configuring Confidential VM by using machine sets
+include::modules/machineset-gcp-confidential-vm.adoc[leveloffset=+2]
+
+//Configuring Shielded VM options by using machine sets
+include::modules/machineset-gcp-shielded-vms.adoc[leveloffset=+2]
+[role="_additional-resources"]
+.Additional resources
+* link:https://cloud.google.com/compute/shielded-vm/docs/shielded-vm[What is Shielded VM?]
+** link:https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#secure-boot[Secure Boot]
+** link:https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#vtpm[Virtual Trusted Platform Module (vTPM)]
+** link:https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#integrity-monitoring[Integrity monitoring]
+
+//Enabling customer-managed encryption keys for a machine set
+include::modules/machineset-gcp-enabling-customer-managed-encryption.adoc[leveloffset=+2]

machine_management/creating_machinesets/creating-machineset-gcp.adoc

@@ -23,9 +23,7 @@ include::modules/machineset-creating.adoc[leveloffset=+1]
 //Configuring persistent disk types by using compute machine sets
 include::modules/machineset-gcp-pd-disk-types.adoc[leveloffset=+1]
 
-//Configuring Shielded VM options by using machine sets [PR#56252]
-
-//Configuring Confidential Computing by using machine sets
+//Configuring Confidential VM by using machine sets
 include::modules/machineset-gcp-confidential-vm.adoc[leveloffset=+1]
 
 //Machine sets that deploy machines as preemptible VM instances
@@ -44,12 +42,10 @@ include::modules/machineset-gcp-shielded-vms.adoc[leveloffset=+1]
 ** link:https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#integrity-monitoring[Integrity monitoring]
 
 //Enabling customer-managed encryption keys for a compute machine set
-include::modules/machineset-enabling-customer-managed-encryption.adoc[leveloffset=+1]
-//TODO break out procedure as a L2
+include::modules/machineset-gcp-enabling-customer-managed-encryption.adoc[leveloffset=+1]
 
 //Enabling GPU support for a compute machine set
 include::modules/machineset-gcp-enabling-gpu-support.adoc[leveloffset=+1]
-//TODO break out procedure as a L2
 
 //Adding a GPU node to a machine set (stesmith)
 include::modules/nvidia-gpu-gcp-adding-a-gpu-node.adoc[leveloffset=+1]

modules/machineset-enabling-customer-managed-encryption.adoc

@@ -0,0 +1,74 @@
+// Module included in the following assemblies:
+//
+// * machine_management/creating_machinesets/creating-machineset-gcp.adoc
+// * machine_management/control_plane_machine_management/cpmso-using.adoc
+
+ifeval::["{context}" == "cpmso-using"]
+:cpmso:
+endif::[]
+
+:_content-type: PROCEDURE
+[id="machineset-gcp-enabling-customer-managed-encryption_{context}"]
+= Enabling customer-managed encryption keys for a machine set
+
+Google Cloud Platform (GCP) Compute Engine allows users to supply an encryption key to encrypt data on disks at rest. The key is used to encrypt the data encryption key, not to encrypt the customer's data. By default, Compute Engine encrypts this data by using Compute Engine keys.
+
+You can enable encryption with a customer-managed key in clusters that use the Machine API. You must first link:https://cloud.google.com/compute/docs/disks/customer-managed-encryption#before_you_begin[create a KMS key] and assign the correct permissions to a service account. The KMS key name, key ring name, and location are required to allow a service account to use your key.
+
+[NOTE]
+====
+If you do not want to use a dedicated service account for the KMS encryption, the Compute Engine default service account is used instead. You must grant the default service account permission to access the keys if you do not use a dedicated service account. The Compute Engine default service account name follows the `service-<project_number>@compute-system.iam.gserviceaccount.com` pattern.
+====
+
+.Procedure
+
+. To allow a specific service account to use your KMS key and to grant the service account the correct IAM role, run the following command with your KMS key name, key ring name, and location:
++
+[source,terminal]
+----
+$ gcloud kms keys add-iam-policy-binding <key_name> \
+  --keyring <key_ring_name> \
+  --location <key_ring_location> \
+  --member "serviceAccount:service-<project_number>@compute-system.iam.gserviceaccount.com” \
+  --role roles/cloudkms.cryptoKeyEncrypterDecrypter
+----
+
+. Configure the encryption key under the `providerSpec` field in your machine set YAML file. For example:
++
+[source,yaml]
+----
+ifndef::cpmso[]
+apiVersion: machine.openshift.io/v1beta1
+kind: MachineSet
+endif::cpmso[]
+ifdef::cpmso[]
+apiVersion: machine.openshift.io/v1
+kind: ControlPlaneMachineSet
+endif::cpmso[]
+...
+spec:
+  template:
+    spec:
+      providerSpec:
+        value:
+          disks:
+          - type:
+            encryptionKey:
+              kmsKey:
+                name: machine-encryption-key <1>
+                keyRing: openshift-encrpytion-ring <2>
+                location: global <3>
+                projectID: openshift-gcp-project <4>
+              kmsKeyServiceAccount: openshift-service-account@openshift-gcp-project.iam.gserviceaccount.com <5>
+----
+<1> The name of the customer-managed encryption key that is used for the disk encryption.
+<2> The name of the KMS key ring that the KMS key belongs to.
+<3> The GCP location in which the KMS key ring exists.
+<4> Optional: The ID of the project in which the KMS key ring exists. If a project ID is not set, the machine set `projectID` in which the machine set was created is used.
+<5> Optional: The service account that is used for the encryption request for the given KMS key. If a service account is not set, the Compute Engine default service account is used.
++
+When a new machine is created by using the updated `providerSpec` object configuration, the disk encryption key is encrypted with the KMS key.
+
+ifeval::["{context}" == "cpmso-using"]
+:!cpmso:
+endif::[]

modules/machineset-gcp-enabling-customer-managed-encryption.adoc

@@ -1,30 +1,51 @@
 // Module included in the following assemblies:
 //
 // * machine_management/creating_machinesets/creating-machineset-gcp.adoc
+// * machine_management/control_plane_machine_management/cpmso-using.adoc
+
+ifeval::["{context}" == "cpmso-using"]
+:cpmso:
+endif::[]
 
 :_content-type: PROCEDURE
 [id="machineset-gcp-pd-disk-types_{context}"]
-= Configuring persistent disk types by using compute machine sets
+= Configuring persistent disk types by using machine sets
 
-You can configure the type of persistent disk that a compute machine set deploys machines on by editing the compute machine set YAML file.
+You can configure the type of persistent disk that a machine set deploys machines on by editing the machine set YAML file.
 
 For more information about persistent disk types, compatibility, regional availability, and limitations, see the GCP Compute Engine documentation about link:https://cloud.google.com/compute/docs/disks#pdspecs[persistent disks].
 
 .Procedure
 
-. In a text editor, open the YAML file for an existing compute machine set or create a new one.
+. In a text editor, open the YAML file for an existing machine set or create a new one.
 
 . Edit the following line under the `providerSpec` field:
 +
 [source,yaml]
 ----
-providerSpec:
-  value:
-    disks:
-      type: <pd-disk-type> <1>
+ifndef::cpmso[]
+apiVersion: machine.openshift.io/v1beta1
+kind: MachineSet
+endif::cpmso[]
+ifdef::cpmso[]
+apiVersion: machine.openshift.io/v1
+kind: ControlPlaneMachineSet
+endif::cpmso[]
+...
+spec:
+  template:
+    spec:
+      providerSpec:
+        value:
+          disks:
+            type: <pd-disk-type> <1>
 ----
 <1> Specify the disk persistent type. Valid values are `pd-ssd`, `pd-standard`, and `pd-balanced`. The default value is `pd-standard`.
 
 .Verification
 
-* Using the Google Cloud console, review the details for a machine deployed by the compute machine set and verify that the `Type` field matches the configured disk type.
+* Using the Google Cloud console, review the details for a machine deployed by the machine set and verify that the `Type` field matches the configured disk type.
+
+ifeval::["{context}" == "cpmso-using"]
+:!cpmso:
+endif::[]

modules/machineset-gcp-pd-disk-types.adoc

@@ -42,10 +42,19 @@ spec:
             virtualizedTrustedPlatformModule: Enabled <4>
 ...
 ----
++
+--
 <1> In this section, specify any Shielded VM options that you want.
 <2> Specify whether UEFI Secure Boot is enabled. Valid values are `Disabled` or `Enabled`.
 <3> Specify whether integrity monitoring is enabled. Valid values are `Disabled` or `Enabled`.
-<4> Specify whether virtual trusted platform module (vTPM) is enabled. Valid values are `Disabled` or `Enabled`.
++
+[NOTE]
+====
+When integrity monitoring is enabled, you must not disable virtual trusted platform module (vTPM).
+====
+
+<4> Specify whether vTPM is enabled. Valid values are `Disabled` or `Enabled`.
+--
 
 .Verification