Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support AMD SEV_SNP machines on GCP #1324

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Support AMD SEV_SNP machines on GCP #1324

wants to merge 3 commits into from

Conversation

bgartzi
Copy link

@bgartzi bgartzi commented Jan 27, 2025

Only AMD SEV nodes could be provisioned on GCP by machine api operator through the confidentialCompute Enabled/Disabled flag.
GCP also supports the confidentialInstanceType, which lets users choose the confidential computing technology. The latter precedes confidentialCompute. That is, if confidentialCompute=Disabled is configured together with a valid confidentialInstanceType, GCP will provision confidential VM.
The validation webhook added in this patch mimics that behavior, so it's similar to the way GCP will handle it.
This patch complements openshift/machine-api-provider-gcp#107.

There's also a kubernetes-sigs/cluster-api-provider-gcp#1410 patch submitted.

Note the openshift/api in go.mod has been just replaced. The PR for openshift/api openshift/api#2165, hasn't been merged yet. I would update it properly when the PR is merged.

Meanwhile, it also updates the list of machines that support SEV confidential computing, as c3d machines support it too.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 27, 2025
@openshift-ci openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jan 27, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 27, 2025

Hi @bgartzi. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 27, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign radekmanak for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 27, 2025
@bgartzi bgartzi mentioned this pull request Jan 27, 2025
Open
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 6, 2025
@bgartzi
go.mod: Bump, tidy, and vendor to openshift/api replacement
4b38db4 
Replacing openshift/api by a personal fork. In such, sev, sev-snp, and
tdx specific confidentialCompute values have been added to the
openshift api.
@bgartzi
machine_webhooks: GCP now supports SEV on c3d machines
de5a0f5 
Extend gcpConfidentialComputeSupportedMachineSeries to also consider c3d
machines capable of running SEV confidential machines.
@bgartzi
machine_webhook: Support AMD SEV and AMD SEV-SNP confidentialCompute
0ba5a53 
Additional logic to support AMD SEV and AMD SEV-SNP values in the
confidentialCompute parameter.
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 25, 2025
@bgartzi bgartzi mentioned this pull request Feb 25, 2025
Open
@bgartzi
Copy link
Author

bgartzi commented Feb 25, 2025

Still waiting for openshift/api#2165 to be merged. I will update the go.mod+tidy/vendor when that happens. However, the current implementation clones the behavior merged in kubernetes-sigs/cluster-api-provider-gcp#1410

I'm keeping the TDX implementation apart in #1326. Should I bring it here and close that PR instead?

cc @damdo and @JoelSpeed as you were the ones involved in the upstream patch review.

@bgartzi bgartzi mentioned this pull request Feb 27, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@racheljpg racheljpg Awaiting requested review from racheljpg

@theobarberbany theobarberbany Awaiting requested review from theobarberbany

Assignees
No one assigned
Labels
needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bgartzi @openshift-merge-robot