feat(provider/google): Support Shielded VM policies (spinnaker#6849)

* feat(provider/google): Support Shielded VM policies

* feat(provider/google): Disable integrity monitoring if vTPM is disabled.

app/scripts/modules/google/src/help/gce.help.ts

@@ -115,6 +115,14 @@ const helpContents: { [key: string]: string } = {
   'gce.serverGroup.labels.spinnaker-region': 'This label can be used to group instances when querying for metrics.',
   'gce.serverGroup.labels.spinnaker-server-group':
     'This label can be used to group instances when querying for metrics.',
+  'gce.serverGroup.shieldedVmConfig':
+    'Shielded VM features include trusted UEFI firmware and come with options for Secure Boot, Virtual Trusted Platform Module (vTPM), and Integrity Monitoring.',
+  'gce.serverGroup.shieldedVmSecureBoot':
+    'Secure boot helps protect your VM instances against boot-level and kernel-level malware and rootkits.',
+  'gce.serverGroup.shieldedVmVtpm':
+    'Virtual Trusted Platform Module (vTPM) validates your guest VM pre-boot and boot integrity, and offers key generation and protection.',
+  'gce.serverGroup.shieldedVmIntegrityMonitoring':
+    'Integrity monitoring lets you monitor and verify the runtime boot integrity of your shielded VM instances using Stackdriver reports. Note: requires vTPM to be enabled.',
   'gce.serverGroup.preemptibility':
     'A preemptible VM costs much less, but lasts only 24 hours. It can be terminated sooner due to system demands.',
   'gce.serverGroup.automaticRestart':

app/scripts/modules/google/src/serverGroup/configure/serverGroupCommandBuilder.service.js

@@ -219,6 +219,12 @@ module.exports = angular
         }
       }
 
+      function populateShieldedVmConfig(serverGroup, command) {
+        command.enableSecureBoot = serverGroup.enableSecureBoot;
+        command.enableVtpm = serverGroup.enableVtpm;
+        command.enableIntegrityMonitoring = serverGroup.enableIntegrityMonitoring;
+      }
+
       function populateCustomMetadata(metadataItems, command) {
         // Hide metadata items in the wizard.
         if (metadataItems) {
@@ -347,6 +353,9 @@ module.exports = angular
           instanceMetadata: {},
           tags: [],
           labels: {},
+          enableSecureBoot: false,
+          enableVtpm: false,
+          enableIntegrityMonitoring: false,
           preemptible: false,
           automaticRestart: true,
           onHostMaintenance: 'MIGRATE',
@@ -422,6 +431,9 @@ module.exports = angular
           tags: [],
           labels: {},
           availabilityZones: [],
+          enableSecureBoot: serverGroup.enableSecureBoot,
+          enableVtpm: serverGroup.enableVtpm,
+          enableIntegrityMonitoring: serverGroup.enableIntegrityMonitoring,
           enableTraffic: true,
           cloudProvider: 'gce',
           selectedProvider: 'gce',
@@ -546,6 +558,7 @@ module.exports = angular
             extendedCommand.instanceMetadata = {};
             populateCustomMetadata(instanceMetadata, extendedCommand);
             populateAutoHealingPolicy(pipelineCluster, extendedCommand);
+            populateShieldedVmConfig(pipelineCluster, extendedCommand);
 
             const instanceTemplateTags = { items: extendedCommand.tags };
             extendedCommand.tags = [];

app/scripts/modules/google/src/serverGroup/configure/wizard/advancedSettings/advancedSettings.directive.html

@@ -81,6 +81,33 @@
   </div>
   <map-editor model="vm.command.labels" add-button-label="Add New Label" allow-empty="true"></map-editor>
 </div>
+<div class="form-group">
+  <div class="sm-label-left">
+    Shielded VMs
+    <help-field key="gce.serverGroup.shieldedVmConfig"></help-field>
+  </div>
+  <div class="col-md-9 checkbox">
+    <label>
+      <input type="checkbox" ng-model="vm.command.enableSecureBoot" />
+      Turn on Secure Boot
+      <help-field key="gce.serverGroup.shieldedVmSecureBoot"></help-field>
+    </label>
+  </div>
+  <div class="col-md-9 checkbox">
+    <label>
+      <input type="checkbox" ng-model="vm.command.enableVtpm" ng-change="vm.setEnableVtpm()" />
+      Turn on vTPM
+      <help-field key="gce.serverGroup.shieldedVmVtpm"></help-field>
+    </label>
+  </div>
+  <div class="col-md-9 checkbox">
+    <label>
+      <input type="checkbox" ng-model="vm.command.enableIntegrityMonitoring" ng-disabled="!vm.command.enableVtpm" />
+      Turn on Integrity Monitoring
+      <help-field key="gce.serverGroup.shieldedVmIntegrityMonitoring"></help-field>
+    </label>
+  </div>
+</div>
 <div class="form-group">
   <div class="col-md-5 sm-label-right">
     <b>Preemptibility</b>

app/scripts/modules/google/src/serverGroup/configure/wizard/advancedSettings/advancedSettingsSelector.directive.js

@@ -48,5 +48,12 @@ module.exports = angular
           this.command.onHostMaintenance = 'MIGRATE';
         }
       };
+
+      this.setEnableVtpm = () => {
+        if (!this.command.enableVtpm) {
+          // Integrity monitoring requires vTPM to be enabled.
+          this.command.enableIntegrityMonitoring = false;
+        }
+      };
     },
   ]);

app/scripts/modules/google/src/serverGroup/details/serverGroupDetails.gce.controller.js

@@ -143,6 +143,7 @@ module.exports = angular
             findStartupScript();
             prepareDiskDescriptions();
             prepareAvailabilityPolicies();
+            prepareShieldedVmConfig();
             prepareAutoHealingPolicy();
             prepareAuthScopes();
             prepareCurrentActions();
@@ -240,6 +241,18 @@ module.exports = angular
         }
       };
 
+      const prepareShieldedVmConfig = () => {
+        if (_.has(this.serverGroup, 'launchConfig.instanceTemplate.properties.shieldedVmConfig')) {
+          const shieldedVmConfig = this.serverGroup.launchConfig.instanceTemplate.properties.shieldedVmConfig;
+
+          this.serverGroup.shieldedVmConfig = {
+            enableSecureBoot: shieldedVmConfig.enableSecureBoot ? 'On' : 'Off',
+            enableVtpm: shieldedVmConfig.enableVtpm ? 'On' : 'Off',
+            enableIntegrityMonitoring: shieldedVmConfig.enableIntegrityMonitoring ? 'On' : 'Off',
+          };
+        }
+      };
+
       const prepareAutoHealingPolicy = () => {
         if (this.serverGroup.autoHealingPolicy) {
           let autoHealingPolicy = this.serverGroup.autoHealingPolicy;

app/scripts/modules/google/src/serverGroup/details/serverGroupDetails.html

@@ -255,6 +255,26 @@ <h4 class="text-center" ng-if="ctrl.serverGroup.isDisabled">[SERVER GROUP IS DIS
         </dd>
       </dl>
     </collapsible-section>
+    <collapsible-section heading="Shielded VM Policies">
+      <div ng-if="!ctrl.serverGroup.shieldedVmConfig">No Shielded VM policies associated with this server group</div>
+      <dl ng-if="ctrl.serverGroup.shieldedVmConfig" class="horizontal-when-filters-collapsed">
+        <dt>
+          Secure Boot
+          <help-field key="gce.serverGroup.shieldedVmSecureBoot"></help-field>
+        </dt>
+        <dd>{{ctrl.serverGroup.shieldedVmConfig.enableSecureBoot}}</dd>
+        <dt>
+          vTPM
+          <help-field key="gce.serverGroup.shieldedVmVtpm"></help-field>
+        </dt>
+        <dd>{{ctrl.serverGroup.shieldedVmConfig.enableVtpm}}</dd>
+        <dt>
+          Integrity Monitoring
+          <help-field key="gce.serverGroup.shieldedVmIntegrityMonitoring"></help-field>
+        </dt>
+        <dd>{{ctrl.serverGroup.shieldedVmConfig.enableIntegrityMonitoring}}</dd>
+      </dl>
+    </collapsible-section>
     <collapsible-section heading="Availability Policies">
       <div ng-if="!ctrl.serverGroup.availabilityPolicies">
         No availability policies associated with this server group