Add support for AMD SEV-SNP instances

This commit adds support for AMD SEV-SNP instances, so users can
utilize confidential computing technology on cluster nodes.

Signed-off-by: Fangge Jin <[email protected]>

Author: fangge1212

api/v1beta1/awscluster_conversion.go

@@ -66,6 +66,7 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
 		dst.Status.Bastion.HostAffinity = restored.Status.Bastion.HostAffinity
 		dst.Status.Bastion.HostID = restored.Status.Bastion.HostID
 		dst.Status.Bastion.CapacityReservationPreference = restored.Status.Bastion.CapacityReservationPreference
+		dst.Status.Bastion.CPUOptions = restored.Status.Bastion.CPUOptions
 	}
 	dst.Spec.Partition = restored.Spec.Partition
 

api/v1beta1/awsmachine_conversion.go

@@ -48,6 +48,7 @@ func (src *AWSMachine) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.HostAffinity = restored.Spec.HostAffinity
 	dst.Spec.CapacityReservationPreference = restored.Spec.CapacityReservationPreference
 	dst.Spec.NetworkInterfaceType = restored.Spec.NetworkInterfaceType
+	dst.Spec.CPUOptions = restored.Spec.CPUOptions
 	if restored.Spec.ElasticIPPool != nil {
 		if dst.Spec.ElasticIPPool == nil {
 			dst.Spec.ElasticIPPool = &infrav1.ElasticIPPool{}
@@ -115,6 +116,7 @@ func (r *AWSMachineTemplate) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.Template.Spec.HostAffinity = restored.Spec.Template.Spec.HostAffinity
 	dst.Spec.Template.Spec.CapacityReservationPreference = restored.Spec.Template.Spec.CapacityReservationPreference
 	dst.Spec.Template.Spec.NetworkInterfaceType = restored.Spec.Template.Spec.NetworkInterfaceType
+	dst.Spec.Template.Spec.CPUOptions = restored.Spec.Template.Spec.CPUOptions
 	if restored.Spec.Template.Spec.ElasticIPPool != nil {
 		if dst.Spec.Template.Spec.ElasticIPPool == nil {
 			dst.Spec.Template.Spec.ElasticIPPool = &infrav1.ElasticIPPool{}

api/v1beta1/zz_generated.conversion.go

@@ -116,6 +116,11 @@ type AWSMachineSpec struct {
 	// +kubebuilder:validation:MinLength:=2
 	InstanceType string `json:"instanceType"`
 
+	// CPUOptions defines CPU-related settings for the instance, including the confidential computing policy.
+	// When omitted, this means no opinion and the AWS platform is left to choose a reasonable default.
+	// +optional
+	CPUOptions CPUOptions `json:"cpuOptions,omitempty,omitzero"`
+
 	// AdditionalTags is an optional set of tags to add to an instance, in addition to the ones added by default by the
 	// AWS provider. If both the AWSCluster and the AWSMachine specify the same tag name with different values, the
 	// AWSMachine's value takes precedence.

api/v1beta2/awsmachine_types.go

@@ -293,6 +293,11 @@ type Instance struct {
 	// +kubebuilder:validation:Enum="";None;CapacityReservationsOnly;Open
 	// +optional
 	CapacityReservationPreference CapacityReservationPreference `json:"capacityReservationPreference,omitempty"`
+
+	// CPUOptions defines CPU-related settings for the instance, including the confidential computing policy.
+	// When omitted, this means no opinion and the AWS platform is left to choose a reasonable default.
+	// +optional
+	CPUOptions CPUOptions `json:"cpuOptions,omitempty,omitzero"`
 }
 
 // CapacityReservationPreference describes the preferred use of capacity reservations
@@ -534,3 +539,33 @@ var (
 	// SubnetSchemaPreferPublic allocates more subnets in the VPC to public subnets.
 	SubnetSchemaPreferPublic = SubnetSchemaType("PreferPublic")
 )
+
+// AWSConfidentialComputePolicy represents the confidential compute configuration for the instance.
+// +kubebuilder:validation:Enum=Disabled;AMDEncrytedVirtualizationNestedPaging
+type AWSConfidentialComputePolicy string
+
+const (
+	// AWSConfidentialComputePolicyDisabled disables confidential computing for the instance.
+	AWSConfidentialComputePolicyDisabled AWSConfidentialComputePolicy = "Disabled"
+	// AWSConfidentialComputePolicySEVSNP enables AMD SEV-SNP as the confidential computing technology for the instance.
+	AWSConfidentialComputePolicySEVSNP AWSConfidentialComputePolicy = "AMDEncrytedVirtualizationNestedPaging"
+)
+
+// CPUOptions defines CPU-related settings for the instance, including the confidential computing policy.
+// +kubebuilder:validation:MinProperties=1
+type CPUOptions struct {
+	// confidentialCompute specifies whether confidential computing should be enabled for the instance,
+	// and, if so, which confidential computing technology to use.
+	// Valid values are: Disabled, AMDEncrytedVirtualizationNestedPaging
+	// When set to Disabled, confidential computing will be disabled for the instance.
+	// When set to AMDEncrytedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+	// In this case, ensure the following conditions are met:
+	// 1) The selected instance type supports AMD SEV-SNP.
+	// 2) The selected AWS region supports AMD SEV-SNP.
+	// 3) The selected AMI supports AMD SEV-SNP.
+	// More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+	// When omitted, this means no opinion and the AWS platform is left to choose a reasonable default,
+	// which is subject to change without notice. The current default is Disabled.
+	// +optional
+	ConfidentialCompute AWSConfidentialComputePolicy `json:"confidentialCompute,omitempty"`
+}

api/v1beta2/types.go

@@ -1237,6 +1237,31 @@ spec:
                       "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads
                       "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation. Note that this is incompatible with a MarketType of `Spot`
                     type: string
+                  cpuOptions:
+                    description: |-
+                      CPUOptions defines CPU-related settings for the instance, including the confidential computing policy.
+                      When omitted, this means no opinion and the AWS platform is left to choose a reasonable default.
+                    minProperties: 1
+                    properties:
+                      confidentialCompute:
+                        description: |-
+                          confidentialCompute specifies whether confidential computing should be enabled for the instance,
+                          and, if so, which confidential computing technology to use.
+                          Valid values are: Disabled, AMDEncrytedVirtualizationNestedPaging
+                          When set to Disabled, confidential computing will be disabled for the instance.
+                          When set to AMDEncrytedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+                          In this case, ensure the following conditions are met:
+                          1) The selected instance type supports AMD SEV-SNP.
+                          2) The selected AWS region supports AMD SEV-SNP.
+                          3) The selected AMI supports AMD SEV-SNP.
+                          More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+                          When omitted, this means no opinion and the AWS platform is left to choose a reasonable default,
+                          which is subject to change without notice. The current default is Disabled.
+                        enum:
+                        - Disabled
+                        - AMDEncrytedVirtualizationNestedPaging
+                        type: string
+                    type: object
                   ebsOptimized:
                     description: Indicates whether the instance is optimized for Amazon
                       EBS I/O.
@@ -3456,6 +3481,31 @@ spec:
                       "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads
                       "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation. Note that this is incompatible with a MarketType of `Spot`
                     type: string
+                  cpuOptions:
+                    description: |-
+                      CPUOptions defines CPU-related settings for the instance, including the confidential computing policy.
+                      When omitted, this means no opinion and the AWS platform is left to choose a reasonable default.
+                    minProperties: 1
+                    properties:
+                      confidentialCompute:
+                        description: |-
+                          confidentialCompute specifies whether confidential computing should be enabled for the instance,
+                          and, if so, which confidential computing technology to use.
+                          Valid values are: Disabled, AMDEncrytedVirtualizationNestedPaging
+                          When set to Disabled, confidential computing will be disabled for the instance.
+                          When set to AMDEncrytedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+                          In this case, ensure the following conditions are met:
+                          1) The selected instance type supports AMD SEV-SNP.
+                          2) The selected AWS region supports AMD SEV-SNP.
+                          3) The selected AMI supports AMD SEV-SNP.
+                          More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+                          When omitted, this means no opinion and the AWS platform is left to choose a reasonable default,
+                          which is subject to change without notice. The current default is Disabled.
+                        enum:
+                        - Disabled
+                        - AMDEncrytedVirtualizationNestedPaging
+                        type: string
+                    type: object
                   ebsOptimized:
                     description: Indicates whether the instance is optimized for Amazon
                       EBS I/O.

api/v1beta2/zz_generated.deepcopy.go

@@ -2215,6 +2215,31 @@ spec:
                       "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads
                       "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation. Note that this is incompatible with a MarketType of `Spot`
                     type: string
+                  cpuOptions:
+                    description: |-
+                      CPUOptions defines CPU-related settings for the instance, including the confidential computing policy.
+                      When omitted, this means no opinion and the AWS platform is left to choose a reasonable default.
+                    minProperties: 1
+                    properties:
+                      confidentialCompute:
+                        description: |-
+                          confidentialCompute specifies whether confidential computing should be enabled for the instance,
+                          and, if so, which confidential computing technology to use.
+                          Valid values are: Disabled, AMDEncrytedVirtualizationNestedPaging
+                          When set to Disabled, confidential computing will be disabled for the instance.
+                          When set to AMDEncrytedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+                          In this case, ensure the following conditions are met:
+                          1) The selected instance type supports AMD SEV-SNP.
+                          2) The selected AWS region supports AMD SEV-SNP.
+                          3) The selected AMI supports AMD SEV-SNP.
+                          More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+                          When omitted, this means no opinion and the AWS platform is left to choose a reasonable default,
+                          which is subject to change without notice. The current default is Disabled.
+                        enum:
+                        - Disabled
+                        - AMDEncrytedVirtualizationNestedPaging
+                        type: string
+                    type: object
                   ebsOptimized:
                     description: Indicates whether the instance is optimized for Amazon
                       EBS I/O.

config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml

@@ -692,6 +692,31 @@ spec:
                     - ssm-parameter-store
                     type: string
                 type: object
+              cpuOptions:
+                description: |-
+                  CPUOptions defines CPU-related settings for the instance, including the confidential computing policy.
+                  When omitted, this means no opinion and the AWS platform is left to choose a reasonable default.
+                minProperties: 1
+                properties:
+                  confidentialCompute:
+                    description: |-
+                      confidentialCompute specifies whether confidential computing should be enabled for the instance,
+                      and, if so, which confidential computing technology to use.
+                      Valid values are: Disabled, AMDEncrytedVirtualizationNestedPaging
+                      When set to Disabled, confidential computing will be disabled for the instance.
+                      When set to AMDEncrytedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+                      In this case, ensure the following conditions are met:
+                      1) The selected instance type supports AMD SEV-SNP.
+                      2) The selected AWS region supports AMD SEV-SNP.
+                      3) The selected AMI supports AMD SEV-SNP.
+                      More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+                      When omitted, this means no opinion and the AWS platform is left to choose a reasonable default,
+                      which is subject to change without notice. The current default is Disabled.
+                    enum:
+                    - Disabled
+                    - AMDEncrytedVirtualizationNestedPaging
+                    type: string
+                type: object
               elasticIpPool:
                 description: ElasticIPPool is the configuration to allocate Public
                   IPv4 address (Elastic IP/EIP) from user-defined pool.

config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml

@@ -611,6 +611,31 @@ spec:
                             - ssm-parameter-store
                             type: string
                         type: object
+                      cpuOptions:
+                        description: |-
+                          CPUOptions defines CPU-related settings for the instance, including the confidential computing policy.
+                          When omitted, this means no opinion and the AWS platform is left to choose a reasonable default.
+                        minProperties: 1
+                        properties:
+                          confidentialCompute:
+                            description: |-
+                              confidentialCompute specifies whether confidential computing should be enabled for the instance,
+                              and, if so, which confidential computing technology to use.
+                              Valid values are: Disabled, AMDEncrytedVirtualizationNestedPaging
+                              When set to Disabled, confidential computing will be disabled for the instance.
+                              When set to AMDEncrytedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+                              In this case, ensure the following conditions are met:
+                              1) The selected instance type supports AMD SEV-SNP.
+                              2) The selected AWS region supports AMD SEV-SNP.
+                              3) The selected AMI supports AMD SEV-SNP.
+                              More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+                              When omitted, this means no opinion and the AWS platform is left to choose a reasonable default,
+                              which is subject to change without notice. The current default is Disabled.
+                            enum:
+                            - Disabled
+                            - AMDEncrytedVirtualizationNestedPaging
+                            type: string
+                        type: object
                       elasticIpPool:
                         description: ElasticIPPool is the configuration to allocate
                           Public IPv4 address (Elastic IP/EIP) from user-defined pool.