Add Shielded VMs configuration options to GCPMachineSpec

Add manual conversion for ShieldedInstanceConfig
Set instance.ShieldedInstanceConfig according to GCPMachine.Spec.ShieldedInstanceConfig

Signed-off-by: Eran Cohen <eranco@redhat.com>

api/v1alpha3/gcpmachine_conversion.go

@@ -42,6 +42,10 @@ func (src *GCPMachine) ConvertTo(dstRaw conversion.Hub) error { // nolint
 		dst.Spec.IPForwarding = restored.Spec.IPForwarding
 	}
 
+	if restored.Spec.ShieldedInstanceConfig != nil {
+		dst.Spec.ShieldedInstanceConfig = restored.Spec.ShieldedInstanceConfig
+	}
+
 	return nil
 }
 

api/v1alpha3/gcpmachinetemplate_conversion.go

@@ -42,6 +42,10 @@ func (src *GCPMachineTemplate) ConvertTo(dstRaw conversion.Hub) error { // nolin
 		dst.Spec.Template.Spec.IPForwarding = restored.Spec.Template.Spec.IPForwarding
 	}
 
+	if restored.Spec.Template.Spec.ShieldedInstanceConfig != nil {
+		dst.Spec.Template.Spec.ShieldedInstanceConfig = restored.Spec.Template.Spec.ShieldedInstanceConfig
+	}
+
 	return nil
 }
 

api/v1alpha4/gcpmachine_conversion.go

@@ -41,6 +41,10 @@ func (src *GCPMachine) ConvertTo(dstRaw conversion.Hub) error { // nolint
 		dst.Spec.IPForwarding = restored.Spec.IPForwarding
 	}
 
+	if restored.Spec.ShieldedInstanceConfig != nil {
+		dst.Spec.ShieldedInstanceConfig = restored.Spec.ShieldedInstanceConfig
+	}
+
 	return nil
 }
 

api/v1alpha4/gcpmachinetemplate_conversion.go

@@ -43,6 +43,10 @@ func (src *GCPMachineTemplate) ConvertTo(dstRaw conversion.Hub) error { // nolin
 		dst.Spec.Template.Spec.IPForwarding = restored.Spec.Template.Spec.IPForwarding
 	}
 
+	if restored.Spec.Template.Spec.ShieldedInstanceConfig != nil {
+		dst.Spec.Template.Spec.ShieldedInstanceConfig = restored.Spec.Template.Spec.ShieldedInstanceConfig
+	}
+
 	return nil
 }
 

api/v1beta1/gcpmachine_types.go

@@ -66,6 +66,62 @@ const (
 	IPForwardingDisabled IPForwarding = "Disabled"
 )
 
+type SecureBootPolicy string
+
+const (
+	// SecureBootPolicyEnable enables the secure boot configuration for the GCP machine.
+	SecureBootPolicyEnable SecureBootPolicy = "Enabled"
+	// SecureBootPolicyDisable disables the secure boot configuration for the GCP machine.
+	SecureBootPolicyDisable SecureBootPolicy = "Disable"
+)
+
+type VTPMPolicy string
+
+const (
+	// VTPMPolicyEnable enables the virtualized trusted platform module configuration for the GCP machine.
+	VTPMPolicyEnable VTPMPolicy = "Enabled"
+	// VTPMPolicyDisable disables the virtualized trusted platform module configuration for the GCP machine.
+	VTPMPolicyDisable VTPMPolicy = "Disable"
+)
+
+type IntegrityMonitoringPolicy string
+
+const (
+	// IntegrityMonitoringPolicyEnable enables integrity monitoring for the GCP machine.
+	IntegrityMonitoringPolicyEnable IntegrityMonitoringPolicy = "Enabled"
+	// IntegrityMonitoringPolicyDisable disables integrity monitoring for the GCP machine.
+	IntegrityMonitoringPolicyDisable IntegrityMonitoringPolicy = "Disable"
+)
+
+// GCPShieldedInstanceConfig describes the shielded VM configuration of the instance on GCP.
+// Shielded VM configuration allow users to enable and disable Secure Boot, vTPM, and Integrity Monitoring
+type GCPShieldedInstanceConfig struct {
+	// SecureBoot Defines whether the instance should have secure boot enabled.
+	// Secure Boot verify the digital signature of all boot components, and halting the boot process if signature verification fails.
+	// If omitted, the platform chooses a default, which is subject to change over time, currently that default is Disabled.
+	// +kubebuilder:validation:Enum=Enabled;Disabled
+	// +kubebuilder:default=Disabled
+	//+optional
+	SecureBoot SecureBootPolicy `json:"secureBoot,omitempty"`
+
+	// VTPM enable virtualized trusted platform module measurements to create a known good boot integrity policy baseline.
+	// The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.
+	// If omitted, the platform chooses a default, which is subject to change over time, currently that default is Enabled.
+	// +kubebuilder:validation:Enum=Enabled;Disabled
+	// +kubebuilder:default=Enabled
+	// +optional
+	VTPM VTPMPolicy `json:"vTPM,omitempty"`
+
+	// IntegrityMonitoring determines whether the instance should have integrity monitoring that verify the runtime boot integrity.
+	// Compares the most recent boot measurements to the integrity policy baseline and return
+	// a pair of pass/fail results depending on whether they match or not.
+	// If omitted, the platform chooses a default, which is subject to change over time, currently that default is Enabled.
+	// +kubebuilder:validation:Enum=Enabled;Disabled
+	// +kubebuilder:default=Enabled
+	// +optional
+	IntegrityMonitoring IntegrityMonitoringPolicy `json:"integrityMonitoring,omitempty"`
+}
+
 // GCPMachineSpec defines the desired state of GCPMachine.
 type GCPMachineSpec struct {
 	// InstanceType is the type of instance to create. Example: n1.standard-2
@@ -149,6 +205,10 @@ type GCPMachineSpec struct {
 	// +kubebuilder:default=Enabled
 	// +optional
 	IPForwarding *IPForwarding `json:"ipForwarding,omitempty"`
+
+	// ShieldedInstanceConfig is the Shielded VM configuration for this machine
+	// +optional
+	ShieldedInstanceConfig *GCPShieldedInstanceConfig `json:"shieldedInstanceConfig,omitempty"`
 }
 
 // MetadataItem defines a single piece of metadata associated with an instance.

cloud/scope/machine.go

@@ -351,6 +351,22 @@ func (m *MachineScope) InstanceSpec() *compute.Instance {
 	if m.GCPMachine.Spec.IPForwarding != nil && *m.GCPMachine.Spec.IPForwarding == infrav1.IPForwardingDisabled {
 		instance.CanIpForward = false
 	}
+	if m.GCPMachine.Spec.ShieldedInstanceConfig != nil {
+		instance.ShieldedInstanceConfig = &compute.ShieldedInstanceConfig{}
+		instance.ShieldedInstanceConfig.EnableSecureBoot = false
+		if m.GCPMachine.Spec.ShieldedInstanceConfig.SecureBoot == infrav1.SecureBootPolicyEnable {
+			instance.ShieldedInstanceConfig.EnableSecureBoot = true
+		}
+		instance.ShieldedInstanceConfig.EnableVtpm = true
+		if m.GCPMachine.Spec.ShieldedInstanceConfig.VTPM == infrav1.VTPMPolicyDisable {
+			instance.ShieldedInstanceConfig.EnableVtpm = false
+		}
+		instance.ShieldedInstanceConfig.EnableIntegrityMonitoring = true
+		if m.GCPMachine.Spec.ShieldedInstanceConfig.IntegrityMonitoring == infrav1.IntegrityMonitoringPolicyDisable {
+			instance.ShieldedInstanceConfig.EnableIntegrityMonitoring = false
+		}
+
+	}
 
 	instance.Disks = append(instance.Disks, m.InstanceImageSpec())
 	instance.Disks = append(instance.Disks, m.InstanceAdditionalDiskSpec()...)

cloud/services/compute/instances/reconcile_test.go

@@ -115,18 +115,22 @@ var fakeGCPCluster = &infrav1.GCPCluster{
 	},
 }
 
-var fakeGCPMachine = &infrav1.GCPMachine{
-	ObjectMeta: metav1.ObjectMeta{
-		Name:      "my-machine",
-		Namespace: "default",
-	},
-	Spec: infrav1.GCPMachineSpec{
-		AdditionalLabels: map[string]string{
-			"foo": "bar",
+func getFakeGCPMachine() *infrav1.GCPMachine {
+	return &infrav1.GCPMachine{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "my-machine",
+			Namespace: "default",
 		},
-	},
+		Spec: infrav1.GCPMachineSpec{
+			AdditionalLabels: map[string]string{
+				"foo": "bar",
+			},
+		},
+	}
 }
 
+var fakeGCPMachine = getFakeGCPMachine()
+
 func TestService_createOrGetInstance(t *testing.T) {
 	fakec := fake.NewClientBuilder().
 		WithScheme(scheme.Scheme).
@@ -271,6 +275,7 @@ func TestService_createOrGetInstance(t *testing.T) {
 			name: "instance does not exist (should create instance) and ipForwarding disabled",
 			scope: func() Scope {
 				ipForwardingDisabled := infrav1.IPForwardingDisabled
+				machineScope.GCPMachine = getFakeGCPMachine()
 				machineScope.GCPMachine.Spec.IPForwarding = &ipForwardingDisabled
 				return machineScope
 			},
@@ -327,6 +332,69 @@ func TestService_createOrGetInstance(t *testing.T) {
 				Zone: "us-central1-c",
 			},
 		},
+		{
+			name: "instance does not exist (should create instance) and SecureBoot enabled",
+			scope: func() Scope {
+				machineScope.GCPMachine = getFakeGCPMachine()
+				machineScope.GCPMachine.Spec.ShieldedInstanceConfig = &infrav1.GCPShieldedInstanceConfig{
+					SecureBoot: infrav1.SecureBootPolicyEnable,
+				}
+				return machineScope
+			},
+			mockInstance: &cloud.MockInstances{
+				ProjectRouter: &cloud.SingleProjectRouter{ID: "proj-id"},
+				Objects:       map[meta.Key]*cloud.MockInstancesObj{},
+			},
+			want: &compute.Instance{
+				Name:                   "my-machine",
+				CanIpForward:           true,
+				ShieldedInstanceConfig: &compute.ShieldedInstanceConfig{EnableSecureBoot: true, EnableVtpm: true, EnableIntegrityMonitoring: true},
+				Disks: []*compute.AttachedDisk{
+					{
+						AutoDelete: true,
+						Boot:       true,
+						InitializeParams: &compute.AttachedDiskInitializeParams{
+							DiskType:    "zones/us-central1-c/diskTypes/pd-standard",
+							SourceImage: "projects/my-proj/global/images/family/capi-ubuntu-1804-k8s-v1-19",
+						},
+					},
+				},
+				Labels: map[string]string{
+					"capg-role":               "node",
+					"capg-cluster-my-cluster": "owned",
+					"foo":                     "bar",
+				},
+				MachineType: "zones/us-central1-c/machineTypes",
+				Metadata: &compute.Metadata{
+					Items: []*compute.MetadataItems{
+						{
+							Key:   "user-data",
+							Value: pointer.String("Zm9vCg=="),
+						},
+					},
+				},
+				NetworkInterfaces: []*compute.NetworkInterface{
+					{
+						Network: "projects/my-proj/global/networks/default",
+					},
+				},
+				SelfLink:   "https://www.googleapis.com/compute/v1/projects/proj-id/zones/us-central1-c/instances/my-machine",
+				Scheduling: &compute.Scheduling{},
+				ServiceAccounts: []*compute.ServiceAccount{
+					{
+						Email:  "default",
+						Scopes: []string{"https://www.googleapis.com/auth/cloud-platform"},
+					},
+				},
+				Tags: &compute.Tags{
+					Items: []string{
+						"my-cluster-node",
+						"my-cluster",
+					},
+				},
+				Zone: "us-central1-c",
+			},
+		},
 		{
 			name:  "FailureDomain not given (should pick up a failure domain from the cluster)",
 			scope: func() Scope { return machineScopeWithoutFailureDomain },
@@ -337,7 +405,7 @@ func TestService_createOrGetInstance(t *testing.T) {
 			wantErr: false,
 			want: &compute.Instance{
 				Name:         "my-machine",
-				CanIpForward: false,
+				CanIpForward: true,
 				Disks: []*compute.AttachedDisk{
 					{
 						AutoDelete: true,

config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmachines.yaml

@@ -607,6 +607,48 @@ spec:
                       type: string
                     type: array
                 type: object
+              shieldedInstanceConfig:
+                description: ShieldedInstanceConfig is the Shielded VM configuration
+                  for this machine
+                properties:
+                  integrityMonitoring:
+                    default: Enabled
+                    description: IntegrityMonitoring determines whether the instance
+                      should have integrity monitoring that verify the runtime boot
+                      integrity. Compares the most recent boot measurements to the
+                      integrity policy baseline and return a pair of pass/fail results
+                      depending on whether they match or not. If omitted, the platform
+                      chooses a default, which is subject to change over time, currently
+                      that default is Enabled.
+                    enum:
+                    - Enabled
+                    - Disabled
+                    type: string
+                  secureBoot:
+                    default: Disabled
+                    description: SecureBoot Defines whether the instance should have
+                      secure boot enabled. Secure Boot verify the digital signature
+                      of all boot components, and halting the boot process if signature
+                      verification fails. If omitted, the platform chooses a default,
+                      which is subject to change over time, currently that default
+                      is Disabled.
+                    enum:
+                    - Enabled
+                    - Disabled
+                    type: string
+                  vTPM:
+                    default: Enabled
+                    description: VTPM enable virtualized trusted platform module measurements
+                      to create a known good boot integrity policy baseline. The integrity
+                      policy baseline is used for comparison with measurements from
+                      subsequent VM boots to determine if anything has changed. If
+                      omitted, the platform chooses a default, which is subject to
+                      change over time, currently that default is Enabled.
+                    enum:
+                    - Enabled
+                    - Disabled
+                    type: string
+                type: object
               subnet:
                 description: Subnet is a reference to the subnetwork to use for this
                   instance. If not specified, the first subnetwork retrieved from