MGMT-12837: Add Shielded VMs configuration to gcp provider types

openshift · Dec 6, 2022 · 4dff19b · 4dff19b
1 parent f2fbb1d
commit 4dff19b
Show file tree

Hide file tree

Showing 5 changed files with 142 additions and 21 deletions.
diff --git a/machine/v1beta1/types_gcpprovider.go b/machine/v1beta1/types_gcpprovider.go
@@ -95,6 +95,10 @@ type GCPMachineProviderSpec struct {
 	// +kubebuilder:validation:Enum=Always;Never;
 	// +optional
 	RestartPolicy GCPRestartPolicyType `json:"restartPolicy,omitempty"`
+
+	// ShieldedInstanceConfig is the Shielded VM configuration for the VM
+	// +optional
+	ShieldedInstanceConfig *GCPShieldedInstanceConfig `json:"shieldedInstanceConfig,omitempty"`
 }
 
 // GCPDisk describes disks for GCP.
@@ -201,3 +205,24 @@ type GCPMachineProviderStatus struct {
 	// +optional
 	Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
+
+// GCPShieldedInstanceConfig describes the shielded VM configuration of the instance on GCP.
+// Shielded VM configuration allow users to enable and disable Secure Boot, vTPM, and Integrity Monitoring
+type GCPShieldedInstanceConfig struct {
+	// EnableSecureBoot enable digital signature verification of all boot components, and halt the boot process if signature verification fails.
+	// Secure boot helps protect your VM instances against boot-level and kernel-level malware and rootkits.
+	// If omitted, the platform chooses a default, which is subject to change over time, currently that default is false.
+	// +optional
+	EnableSecureBoot bool `json:"enableSecureBoot,omitempty"`
+
+	// EnableVTPM enable virtualized trusted platform module measurements to create a known good boot integrity policy baseline.
+	// The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.
+	// If omitted, the platform chooses a default, which is subject to change over time, currently that default is true.
+	EnableVTPM bool `json:"enableVTPM,omitempty"`
+
+	// EnableIntegrityMonitoring Enable integrity monitoring that verify the runtime boot integrity.
+	// Compares the most recent boot measurements to the integrity policy baseline and return
+	// a pair of pass/fail results depending on whether they match or not.
+	// If omitted, the platform chooses a default, which is subject to change over time, currently that default is true.
+	EnableIntegrityMonitoring bool `json:"enableIntegrityMonitoring,omitempty"`
+}
diff --git a/machine/v1beta1/zz_generated.deepcopy.go b/machine/v1beta1/zz_generated.deepcopy.go
diff --git a/machine/v1beta1/zz_generated.swagger_doc_generated.go b/machine/v1beta1/zz_generated.swagger_doc_generated.go
diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go
diff --git a/openapi/openapi.json b/openapi/openapi.json
@@ -18349,6 +18349,10 @@
             "$ref": "#/definitions/com.github.openshift.api.machine.v1beta1.GCPServiceAccount"
           }
         },
+        "shieldedInstanceConfig": {
+          "description": "ShieldedInstanceConfig is the Shielded VM configuration for the VM",
+          "$ref": "#/definitions/com.github.openshift.api.machine.v1beta1.GCPShieldedInstanceConfig"
+        },
         "tags": {
           "description": "Tags list of tags to apply to the VM.",
           "type": "array",
@@ -18474,6 +18478,24 @@
         }
       }
     },
+    "com.github.openshift.api.machine.v1beta1.GCPShieldedInstanceConfig": {
+      "description": "GCPShieldedInstanceConfig describes the shielded VM configuration of the instance on GCP. Shielded VM configuration allow users to enable and disable Secure Boot, vTPM, and Integrity Monitoring",
+      "type": "object",
+      "properties": {
+        "enableIntegrityMonitoring": {
+          "description": "EnableIntegrityMonitoring Enable integrity monitoring that verify the runtime boot integrity. Compares the most recent boot measurements to the integrity policy baseline and return a pair of pass/fail results depending on whether they match or not. If omitted, the platform chooses a default, which is subject to change over time, currently that default is true.",
+          "type": "boolean"
+        },
+        "enableSecureBoot": {
+          "description": "EnableSecureBoot enable digital signature verification of all boot components, and halt the boot process if signature verification fails. Secure boot helps protect your VM instances against boot-level and kernel-level malware and rootkits. If omitted, the platform chooses a default, which is subject to change over time, currently that default is false.",
+          "type": "boolean"
+        },
+        "enableVTPM": {
+          "description": "EnableVTPM enable virtualized trusted platform module measurements to create a known good boot integrity policy baseline. The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed. If omitted, the platform chooses a default, which is subject to change over time, currently that default is true.",
+          "type": "boolean"
+        }
+      }
+    },
     "com.github.openshift.api.machine.v1beta1.Image": {
       "description": "Image is a mirror of azure sdk compute.ImageReference",
       "type": "object",