Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for confidential compute #809

Merged
merged 1 commit into from
Jan 26, 2023
Merged

Add support for confidential compute #809

merged 1 commit into from
Jan 26, 2023

Conversation

eranco74
Copy link
Contributor

/kind feature

What this PR does / why we need it:
The PR adds support for enabling confidential compute service as well as setting the instances on host maintenance policy.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #
#804

Special notes for your reviewer:

Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

TODOs:

  • squashed commits
  • includes documentation
  • adds unit tests

Release note:
-->

Add confidential compute  to API
Add on host maintenance  to API

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jan 18, 2023
@k8s-ci-robot
Copy link
Contributor

Hi @eranco74. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 18, 2023
@eranco74 eranco74 mentioned this pull request Jan 18, 2023
Merged
@eranco74 eranco74 changed the title Confidentail compute Add support for confidential compute Jan 18, 2023
@richardcase
Copy link
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jan 18, 2023
@richardcase
Copy link
Member

@eranco74 - thanks for this. Does the current CAPI image satisfy the requirements for the guest OS?

@eranco74
Copy link
Contributor Author

eranco74 commented Jan 24, 2023
edited
Loading

@eranco74 - thanks for this. Does the current CAPI image satisfy the requirements for the guest OS?

Yes, it has all the required guest-os-feature tags:

gcloud compute images describe projects/k8s-staging-cluster-api-gcp/global/images/cluster-api-ubuntu-2004-v1-25-4-nightly
architecture: X86_64
archiveSizeBytes: '2495363520'
creationTimestamp: '2022-12-27T08:21:26.569-08:00'
description: Created by Packer
diskSizeGb: '20'
family: capi-ubuntu-2004-k8s-v1-25
guestOsFeatures:
- type: VIRTIO_SCSI_MULTIQUEUE
- type: SEV_CAPABLE
- type: UEFI_COMPATIBLE
- type: GVNIC

JoelSpeed
JoelSpeed reviewed Jan 25, 2023
View reviewed changes
api/v1beta1/gcpmachine_types.go Outdated Show resolved Hide resolved
api/v1beta1/gcpmachine_types.go Outdated Show resolved Hide resolved
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 25, 2023
richardcase
richardcase reviewed Jan 26, 2023
View reviewed changes
Copy link
Member

@richardcase richardcase left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work @eranco74 . Just a few minor comments (including an addition to Joel's comment).

api/v1beta1/gcpmachine_types.go Show resolved Hide resolved
api/v1beta1/gcpmachine_types.go Outdated Show resolved Hide resolved
api/v1beta1/gcpmachinetemplate_webhook.go Outdated Show resolved Hide resolved
richardcase
richardcase reviewed Jan 26, 2023
View reviewed changes
api/v1beta1/gcpmachine_types.go Outdated Show resolved Hide resolved
api/v1beta1/gcpmachine_webhook_test.go Outdated Show resolved Hide resolved
api/v1beta1/gcpmachinetemplate_webhook_test.go Outdated Show resolved Hide resolved
@richardcase
Copy link
Member

@eranco74 - it's probably worth creating an issue to follow this up with updating the e2e tests to cover confidential compute. wdyt?

@eranco74 eranco74 force-pushed the confidentailCompute branch 2 times, most recently from ea40fed to 72b5a0b Compare January 26, 2023 11:42
@eranco74 eranco74 mentioned this pull request Jan 26, 2023
Closed
@eranco74
Copy link
Contributor Author

@eranco74 - it's probably worth creating an issue to follow this up with updating the e2e tests to cover confidential compute. wdyt?

#813

JoelSpeed
JoelSpeed reviewed Jan 26, 2023
View reviewed changes
api/v1beta1/gcpmachine_webhook.go Outdated Show resolved Hide resolved
api/v1beta1/gcpmachinetemplate_webhook_test.go Outdated Show resolved Hide resolved
cloud/scope/machine.go Show resolved Hide resolved
JoelSpeed
JoelSpeed reviewed Jan 26, 2023
View reviewed changes
cloud/scope/machine.go Outdated Show resolved Hide resolved
@eranco74
Add OnHostMaintenance and ConfidentialCompute to GCPMachineSpec
d41dd4b 
Add manual conversion for ConfidentialCompute and OnHostMaintenance
Add webhook to validate that OnHostMaintenance is set to TERMINATE if ConfidentialCompute is Enabled
Add webhook to validate that the instanceType belongs to a machine series that support confidentail computing

Update machine.go to set instance.ConfidentialCompute and instance.OnHostMaintenance according to GCPMachine.Spec
@richardcase
Copy link
Member

In the future we should consider restructuring our code so that anything that isn't intended to be used outside this project is moved to internal folders.....which is most of the code except our API definitions.

Until that point happens we can ignore this:

/override pull-cluster-api-provider-gcp-apidiff

@k8s-ci-robot
Copy link
Contributor

@richardcase: Overrode contexts on behalf of richardcase: pull-cluster-api-provider-gcp-apidiff

In response to this:

In the future we should consider restructuring our code so that anything that isn't intended to be used outside this project is moved to internal folders.....which is most of the code except our API definitions.

Until that point happens we can ignore this:

/override pull-cluster-api-provider-gcp-apidiff

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

JoelSpeed
JoelSpeed reviewed Jan 26, 2023
View reviewed changes
Copy link

@JoelSpeed JoelSpeed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 26, 2023
richardcase
richardcase reviewed Jan 26, 2023
View reviewed changes
cloud/services/compute/instances/service.go
@@ -40,7 +42,7 @@ type instancegroupsInterface interface {
// Scope is an interfaces that hold used methods.
type Scope interface {
cloud.Machine
InstanceSpec() *compute.Instance
InstanceSpec(log logr.Logger) *compute.Instance
Copy link
Member

@richardcase richardcase Jan 26, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit, we could probably have this on the concrete struct instead of as a parameter.

@richardcase
Copy link
Member

Great work, and thanks for the updates from review.

From my side:

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: eranco74, richardcase

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 26, 2023
@k8s-ci-robot k8s-ci-robot merged commit 5e0f442 into kubernetes-sigs:main Jan 26, 2023
@k8s-ci-robot k8s-ci-robot added this to the v1.1.0 milestone Jan 26, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@richardcase richardcase richardcase left review comments

@JoelSpeed JoelSpeed JoelSpeed left review comments

@cpanato cpanato Awaiting requested review from cpanato

Assignees

@JoelSpeed JoelSpeed

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
v1.1.0
Development

Successfully merging this pull request may close these issues.
4 participants
@eranco74 @k8s-ci-robot @richardcase @JoelSpeed