MGMT-12837: Add Shielded VMs configuration to gcp provider types

machine/v1beta1/types_gcpprovider.go

@@ -25,6 +25,27 @@ const (
 	RestartPolicyNever GCPRestartPolicyType = "Never"
 )
 
+type SecureBootPolicy string
+
+const (
+	SecureBootPolicyEnable  SecureBootPolicy = "Enabled"
+	SecureBootPolicyDisable SecureBootPolicy = "Disable"
+)
+
+type VTPMPolicy string
+
+const (
+	VTPMPolicyEnable  VTPMPolicy = "Enabled"
+	VTPMPolicyDisable VTPMPolicy = "Disable"
+)
+
+type IntegrityMonitoringPolicy string
+
+const (
+	IntegrityMonitoringPolicyEnable  IntegrityMonitoringPolicy = "Enabled"
+	IntegrityMonitoringPolicyDisable IntegrityMonitoringPolicy = "Disable"
+)
+
 // GCPMachineProviderSpec is the type that will be embedded in a Machine.Spec.ProviderSpec field
 // for an GCP virtual machine. It is used by the GCP machine actuator to create a single Machine.
 // Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
@@ -95,6 +116,10 @@ type GCPMachineProviderSpec struct {
 	// +kubebuilder:validation:Enum=Always;Never;
 	// +optional
 	RestartPolicy GCPRestartPolicyType `json:"restartPolicy,omitempty"`
+
+	// ShieldedInstanceConfig is the Shielded VM configuration for the VM
+	// +optional
+	ShieldedInstanceConfig GCPShieldedInstanceConfig `json:"shieldedInstanceConfig,omitempty"`
 }
 
 // GCPDisk describes disks for GCP.
@@ -201,3 +226,26 @@ type GCPMachineProviderStatus struct {
 	// +optional
 	Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
+
+// GCPShieldedInstanceConfig describes the shielded VM configuration of the instance on GCP.
+// Shielded VM configuration allow users to enable and disable Secure Boot, vTPM, and Integrity Monitoring
+type GCPShieldedInstanceConfig struct {
+	// SecureBoot Defines whether the instance should have secure boot enabled.
+	// Secure Boot verify the digital signature of all boot components, and halting the boot process if signature verification fails.
+	// If omitted, the platform chooses a default, which is subject to change over time, currently that default is Disabled.
+	// +optional
+	SecureBoot SecureBootPolicy `json:"secureBoot,omitempty"`
+
+	// VTPM enable virtualized trusted platform module measurements to create a known good boot integrity policy baseline.
+	// The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.
+	// If omitted, the platform chooses a default, which is subject to change over time, currently that default is Enabled.
+	// +optional
+	VTPM VTPMPolicy `json:"vTPM,omitempty"`
+
+	// IntegrityMonitoring determines whether the instance should have integrity monitoring that verify the runtime boot integrity.
+	// Compares the most recent boot measurements to the integrity policy baseline and return
+	// a pair of pass/fail results depending on whether they match or not.
+	// If omitted, the platform chooses a default, which is subject to change over time, currently that default is Enabled.
+	// +optional
+	IntegrityMonitoring IntegrityMonitoringPolicy `json:"integrityMonitoring,omitempty"`
+}

openapi/openapi.json

@@ -18349,6 +18349,11 @@
             "$ref": "#/definitions/com.github.openshift.api.machine.v1beta1.GCPServiceAccount"
           }
         },
+        "shieldedInstanceConfig": {
+          "description": "ShieldedInstanceConfig is the Shielded VM configuration for the VM",
+          "default": {},
+          "$ref": "#/definitions/com.github.openshift.api.machine.v1beta1.GCPShieldedInstanceConfig"
+        },
         "tags": {
           "description": "Tags list of tags to apply to the VM.",
           "type": "array",
@@ -18474,6 +18479,24 @@
         }
       }
     },
+    "com.github.openshift.api.machine.v1beta1.GCPShieldedInstanceConfig": {
+      "description": "GCPShieldedInstanceConfig describes the shielded VM configuration of the instance on GCP. Shielded VM configuration allow users to enable and disable Secure Boot, vTPM, and Integrity Monitoring",
+      "type": "object",
+      "properties": {
+        "integrityMonitoring": {
+          "description": "IntegrityMonitoring determines whether the instance should have integrity monitoring that verify the runtime boot integrity. Compares the most recent boot measurements to the integrity policy baseline and return a pair of pass/fail results depending on whether they match or not. If omitted, the platform chooses a default, which is subject to change over time, currently that default is Enabled.",
+          "type": "string"
+        },
+        "secureBoot": {
+          "description": "SecureBoot Defines whether the instance should have secure boot enabled. Secure Boot verify the digital signature of all boot components, and halting the boot process if signature verification fails. If omitted, the platform chooses a default, which is subject to change over time, currently that default is Disabled.",
+          "type": "string"
+        },
+        "vTPM": {
+          "description": "VTPM enable virtualized trusted platform module measurements to create a known good boot integrity policy baseline. The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed. If omitted, the platform chooses a default, which is subject to change over time, currently that default is Enabled.",
+          "type": "string"
+        }
+      }
+    },
     "com.github.openshift.api.machine.v1beta1.Image": {
       "description": "Image is a mirror of azure sdk compute.ImageReference",
       "type": "object",