Merge pull request #56805 from bscott-rh/OSDOCS-5152

mjpytlak · web-flow · commit c25429587b1f · 2023-03-29T10:16:34.000-04:00
OSDOCS-5152 and 5158 Add support for Shielded and Confidential VMs
diff --git a/installing/installing_gcp/installing-gcp-customizations.adoc b/installing/installing_gcp/installing-gcp-customizations.adoc
@@ -36,6 +36,10 @@ include::modules/installation-gcp-tested-machine-types.adoc[leveloffset=+2]
 
 include::modules/installation-using-gcp-custom-machine-types.adoc[leveloffset=+2]
 
+include::modules/installation-gcp-enabling-shielded-vms.adoc[leveloffset=+2]
+
+include::modules/installation-gcp-enabling-confidential-vms.adoc[leveloffset=+2]
+
 include::modules/installation-gcp-config-yaml.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
diff --git a/installing/installing_gcp/installing-gcp-network-customizations.adoc b/installing/installing_gcp/installing-gcp-network-customizations.adoc
@@ -42,6 +42,10 @@ include::modules/installation-gcp-tested-machine-types.adoc[leveloffset=+2]
 
 include::modules/installation-using-gcp-custom-machine-types.adoc[leveloffset=+2]
 
+include::modules/installation-gcp-enabling-shielded-vms.adoc[leveloffset=+2]
+
+include::modules/installation-gcp-enabling-confidential-vms.adoc[leveloffset=+2]
+
 include::modules/installation-gcp-config-yaml.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
diff --git a/installing/installing_gcp/installing-gcp-private.adoc b/installing/installing_gcp/installing-gcp-private.adoc
@@ -39,6 +39,10 @@ include::modules/installation-gcp-tested-machine-types.adoc[leveloffset=+2]
 
 include::modules/installation-using-gcp-custom-machine-types.adoc[leveloffset=+2]
 
+include::modules/installation-gcp-enabling-shielded-vms.adoc[leveloffset=+2]
+
+include::modules/installation-gcp-enabling-confidential-vms.adoc[leveloffset=+2]
+
 include::modules/installation-gcp-config-yaml.adoc[leveloffset=+2]
 
 include::modules/nw-gcp-installing-global-access-configuration.adoc[leveloffset=+2]
diff --git a/installing/installing_gcp/installing-gcp-shared-vpc.adoc b/installing/installing_gcp/installing-gcp-shared-vpc.adoc
@@ -32,6 +32,10 @@ include::modules/installation-user-infra-generate.adoc[leveloffset=+1]
 
 include::modules/installation-initializing-manual.adoc[leveloffset=+2]
 
+include::modules/installation-gcp-enabling-shielded-vms.adoc[leveloffset=+2]
+
+include::modules/installation-gcp-enabling-confidential-vms.adoc[leveloffset=+2]
+
 include::modules/installation-gcp-shared-vpc-config.adoc[leveloffset=+2]
 
 include::modules/installation-configuration-parameters.adoc[leveloffset=+2]
diff --git a/installing/installing_gcp/installing-gcp-user-infra-vpc.adoc b/installing/installing_gcp/installing-gcp-user-infra-vpc.adoc
@@ -71,7 +71,8 @@ include::modules/installation-deployment-manager-vpc.adoc[leveloffset=+3]
 include::modules/installation-user-infra-generate.adoc[leveloffset=+1]
 
 include::modules/installation-initializing-manual.adoc[leveloffset=+2]
-
+include::modules/installation-gcp-enabling-shielded-vms.adoc[leveloffset=+2]
+include::modules/installation-gcp-enabling-confidential-vms.adoc[leveloffset=+2]
 include::modules/installation-gcp-user-infra-shared-vpc-config-yaml.adoc[leveloffset=+2]
 
 include::modules/installation-configure-proxy.adoc[leveloffset=+2]
diff --git a/installing/installing_gcp/installing-gcp-user-infra.adoc b/installing/installing_gcp/installing-gcp-user-infra.adoc
@@ -62,6 +62,8 @@ include::modules/installation-using-gcp-custom-machine-types.adoc[leveloffset=+2
 include::modules/installation-user-infra-generate.adoc[leveloffset=+1]
 include::modules/installation-disk-partitioning-upi-templates.adoc[leveloffset=+2]
 include::modules/installation-initializing.adoc[leveloffset=+2]
+include::modules/installation-gcp-enabling-shielded-vms.adoc[leveloffset=+2]
+include::modules/installation-gcp-enabling-confidential-vms.adoc[leveloffset=+2]
 include::modules/installation-configure-proxy.adoc[leveloffset=+2]
 //include::modules/installation-three-node-cluster.adoc[leveloffset=+2]
 include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[leveloffset=+2]
diff --git a/installing/installing_gcp/installing-gcp-vpc.adoc b/installing/installing_gcp/installing-gcp-vpc.adoc
@@ -35,6 +35,10 @@ include::modules/installation-gcp-tested-machine-types.adoc[leveloffset=+2]
 
 include::modules/installation-using-gcp-custom-machine-types.adoc[leveloffset=+2]
 
+include::modules/installation-gcp-enabling-shielded-vms.adoc[leveloffset=+2]
+
+include::modules/installation-gcp-enabling-confidential-vms.adoc[leveloffset=+2]
+
 include::modules/installation-gcp-config-yaml.adoc[leveloffset=+2]
 
 include::modules/nw-gcp-installing-global-access-configuration.adoc[leveloffset=+2]
diff --git a/installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc b/installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
@@ -46,6 +46,10 @@ include::modules/installation-gcp-tested-machine-types.adoc[leveloffset=+2]
 
 include::modules/installation-using-gcp-custom-machine-types.adoc[leveloffset=+2]
 
+include::modules/installation-gcp-enabling-shielded-vms.adoc[leveloffset=+2]
+
+include::modules/installation-gcp-enabling-confidential-vms.adoc[leveloffset=+2]
+
 include::modules/installation-gcp-config-yaml.adoc[leveloffset=+2]
 
 include::modules/nw-gcp-installing-global-access-configuration.adoc[leveloffset=+2]
diff --git a/installing/installing_gcp/installing-restricted-networks-gcp.adoc b/installing/installing_gcp/installing-restricted-networks-gcp.adoc
@@ -68,6 +68,8 @@ include::modules/installation-using-gcp-custom-machine-types.adoc[leveloffset=+2
 include::modules/installation-user-infra-generate.adoc[leveloffset=+1]
 include::modules/installation-disk-partitioning-upi-templates.adoc[leveloffset=+2]
 include::modules/installation-initializing.adoc[leveloffset=+2]
+include::modules/installation-gcp-enabling-shielded-vms.adoc[leveloffset=+2]
+include::modules/installation-gcp-enabling-confidential-vms.adoc[leveloffset=+2]
 include::modules/installation-configure-proxy.adoc[leveloffset=+2]
 include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[leveloffset=+2]
 
diff --git a/modules/installation-configuration-parameters.adoc b/modules/installation-configuration-parameters.adoc
@@ -1246,6 +1246,18 @@ link:https://yaml.org/spec/1.2/spec.html#sequence//[YAML sequence].
 |The GCP service account used for the encryption request for control plane and compute machines. If absent, the Compute Engine default service account is used. For more information about GCP service accounts, see Google's documentation on link:https://cloud.google.com/compute/docs/access/service-accounts#compute_engine_service_account[service accounts].
 |The GCP service account email, for example `<service_account_name>@<project_id>.iam.gserviceaccount.com`.
 
+|`platform.gcp.defaultMachinePlatform.secureBoot`
+|Whether to enable Shielded VM secure boot for all machines in the cluster. Shielded VMs have additional security protocols such as secure boot, firmware and integrity monitoring, and rootkit protection. For more information on Shielded VMs, see Google's documentation on link:https://cloud.google.com/shielded-vm[Shielded VMs].
+|`Enabled` or `Disabled`. The default value is `Disabled`.
+
+|`platform.gcp.defaultMachinePlatform.confidentialCompute`
+|Whether to use Confidential VMs for all machines in the cluster. Confidential VMs provide encryption for data during processing. For more information on Confidential computing, see Google's documentation on link:https://cloud.google.com/confidential-computing[Confidential computing].
+|`Enabled` or `Disabled`. The default value is `Disabled`.
+
+|`platform.gcp.defaultMachinePlatform.onHostMaintenance`
+|Specifies the behavior of all VMs during a host maintenance event, such as a software or hardware update. For Confidential VMs, this parameter must be set to `Terminate`. Confidential VMs do not support live VM migration.
+|`Terminate` or `Migrate`. The default value is `Migrate`.
+
 |`controlPlane.platform.gcp.osDisk.encryptionKey.kmsKey.name`
 |The name of the customer managed encryption key to be used for control plane machine disk encryption.
 |The encryption key name.
@@ -1287,6 +1299,18 @@ link:https://yaml.org/spec/1.2/spec.html#sequence//[YAML sequence].
 |A list of valid link:https://cloud.google.com/compute/docs/regions-zones#available[GCP availability zones], such as `us-central1-a`, in a
 link:https://yaml.org/spec/1.2/spec.html#sequence//[YAML sequence].
 
+|`controlPlane.platform.gcp.secureBoot`
+|Whether to enable Shielded VM secure boot for control plane machines. Shielded VMs have additional security protocols such as secure boot, firmware and integrity monitoring, and rootkit protection. For more information on Shielded VMs, see Google's documentation on link:https://cloud.google.com/shielded-vm[Shielded VMs].
+|`Enabled` or `Disabled`. The default value is `Disabled`.
+
+|`controlPlane.platform.gcp.confidentialCompute`
+|Whether to enable Confidential VMs for control plane machines. Confidential VMs provide encryption for data while it is being processed. For more information on Confidential VMs, see Google's documentation on link:https://cloud.google.com/confidential-computing[Confidential Computing].
+|`Enabled` or `Disabled`. The default value is `Disabled`.
+
+|`controlPlane.platform.gcp.onHostMaintenance`
+|Specifies the behavior of control plane VMs during a host maintenance event, such as a software or hardware update. For Confidential VMs, this parameter must be set to `Terminate`. Confidential VMs do not support live VM migration.
+|`Terminate` or `Migrate`. The default value is `Migrate`.
+
 |`compute.platform.gcp.osDisk.encryptionKey.kmsKey.name`
 |The name of the customer managed encryption key to be used for compute machine disk encryption.
 |The encryption key name.
@@ -1328,6 +1352,18 @@ link:https://yaml.org/spec/1.2/spec.html#sequence//[YAML sequence].
 |A list of valid link:https://cloud.google.com/compute/docs/regions-zones#available[GCP availability zones], such as `us-central1-a`, in a
 link:https://yaml.org/spec/1.2/spec.html#sequence//[YAML sequence].
 
+|`compute.platform.gcp.secureBoot`
+|Whether to enable Shielded VM secure boot for compute machines. Shielded VMs have additional security protocols such as secure boot, firmware and integrity monitoring, and rootkit protection. For more information on Shielded VMs, see Google's documentation on link:https://cloud.google.com/shielded-vm[Shielded VMs].
+|`Enabled` or `Disabled`. The default value is `Disabled`.
+
+|`compute.platform.gcp.confidentialCompute`
+|Whether to enable Confidential VMs for compute machines. Confidential VMs provide encryption for data while it is being processed. For more information on Confidential VMs, see Google's documentation on link:https://cloud.google.com/confidential-computing[Confidential Computing].
+|`Enabled` or `Disabled`. The default value is `Disabled`.
+
+|`compute.platform.gcp.onHostMaintenance`
+|Specifies the behavior of compute VMs during a host maintenance event, such as a software or hardware update. For Confidential VMs, this parameter must be set to `Terminate`. Confidential VMs do not support live VM migration.
+|`Terminate` or `Migrate`. The default value is `Migrate`.
+
 |====
 
 endif::gcp[]
diff --git a/modules/installation-gcp-enabling-confidential-vms.adoc b/modules/installation-gcp-enabling-confidential-vms.adoc
@@ -0,0 +1,64 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_gcp/installing-gcp-customizations.adoc
+// * installing/installing_gcp/installing-gcp-network-customizations.adoc
+// * installing/installing_gcp/installing-gcp-private.adoc
+// * installing/installing_gcp/installing-gcp-vpc.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
+// * installing/installing_gcp/installing-gcp-user-infra.adoc
+// * installing/installing_gcp/installing-gcp-user-infra-vpc.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp.adoc
+
+:_content-type: PROCEDURE
+[id="installation-gcp-enabling-confidential-vms_{context}"]
+= Enabling Confidential VMs
+
+You can use Confidential VMs when installing your cluster. Confidential VMs encrypt data while it is being processed. For more information, see Google's documentation on link:https://cloud.google.com/confidential-computing[Confidential Computing]. You can enable Confidential VMs and Shielded VMs at the same time, although they are not dependent on each other.
+
+:FeatureName: Confidential Computing
+include::snippets/technology-preview.adoc[]
+
+.Prerequisites
+* You have created an `install-config.yaml` file.
+
+.Procedure
+
+* Use a text editor to edit the `install-config.yaml` file prior to deploying your cluster and add one of the following stanzas:
+.. To use confidential VMs for only control plane machines:
++
+[source,yaml]
+----
+controlPlane:
+  platform:
+    gcp:
+       confidentialCompute: Enabled <1>
+       type: n2d-standard-8 <2>
+       onHostMaintenance: Terminate <3>
+----
+<1> Enable confidential VMs. 
+<2> Specify a machine type that supports Confidential VMs. Confidential VMs require the N2D or C2D series of machine types. For more information on supported machine types, see link:https://cloud.google.com/compute/confidential-vm/docs/os-and-machine-type#machine-type[Supported operating systems and machine types].
+<3> Specify the behavior of the VM during a host maintenance event, such as a hardware or software update. For a machine that uses Confidential VM, this value must be set to `Terminate`, which stops the VM. Confidential VMs do not support live VM migration.
++
+.. To use confidential VMs for only compute machines:
++
+[source,yaml]
+----
+compute:
+- platform:
+    gcp:
+       confidentialCompute: Enabled
+       type: n2d-standard-8
+       onHostMaintenance: Terminate
+----
++
+.. To use confidential VMs for all machines:
++
+[source,yaml]
+----
+platform:
+  gcp:
+    defaultMachinePlatform:
+       confidentialCompute: Enabled
+       type: n2d-standard-8
+       onHostMaintenance: Terminate
+----
diff --git a/modules/installation-gcp-enabling-shielded-vms.adoc b/modules/installation-gcp-enabling-shielded-vms.adoc
@@ -0,0 +1,51 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_gcp/installing-gcp-customizations.adoc
+// * installing/installing_gcp/installing-gcp-network-customizations.adoc
+// * installing/installing_gcp/installing-gcp-private.adoc
+// * installing/installing_gcp/installing-gcp-vpc.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
+// * installing/installing_gcp/installing-gcp-user-infra.adoc
+// * installing/installing_gcp/installing-gcp-user-infra-vpc.adoc
+// * installing/installing_gcp/installing-restricted-networks-gcp.adoc
+
+:_content-type: PROCEDURE
+[id="installation-gcp-enabling-shielded-vms_{context}"]
+= Enabling Shielded VMs
+You can use Shielded VMs when installing your cluster. Shielded VMs have extra security features including secure boot, firmware and integrity monitoring, and rootkit detection. For more information, see Google's documentation on link:https://cloud.google.com/shielded-vm[Shielded VMs].
+
+.Prerequisites
+* You have created an `install-config.yaml` file.
+
+.Procedure
+
+* Use a text editor to edit the `install-config.yaml` file prior to deploying your cluster and add one of the following stanzas:
+.. To use shielded VMs for only control plane machines:
++
+[source,yaml]
+----
+controlPlane:
+  platform:
+    gcp:
+       secureBoot: Enabled
+----
++
+.. To use shielded VMs for only compute machines:
++
+[source,yaml]
+----
+compute:
+- platform:
+    gcp:
+       secureBoot: Enabled
+----
++
+.. To use shielded VMs for all machines:
++
+[source,yaml]
+----
+platform:
+  gcp:
+    defaultMachinePlatform:
+       secureBoot: Enabled
+----
