gcp: add --confidential-vm option to support confidential vm

mantle/cmd/kola/options.go

@@ -123,6 +123,7 @@ func init() {
 	sv(&kola.GCPOptions.ServiceAcct, "gcp-service-account", "", "GCP service account to attach to instance (default project default)")
 	bv(&kola.GCPOptions.ServiceAuth, "gcp-service-auth", false, "for non-interactive auth when running within GCP")
 	sv(&kola.GCPOptions.JSONKeyFile, "gcp-json-key", "", "use a service account's JSON key for authentication (default \"~/"+auth.GCPConfigPath+"\")")
+	bv(&kola.GCPOptions.Confidential, "gcp-confidential-vm", false, "create confidential instances")
 
 	// openstack-specific options
 	sv(&kola.OpenStackOptions.ConfigPath, "openstack-config-file", "", "Path to a clouds.yaml formatted OpenStack config file. The underlying library defaults to ./clouds.yaml")

mantle/cmd/ore/gcloud/gcloud.go

@@ -48,6 +48,7 @@ func init() {
 	sv(&opts.Network, "network", "default", "network name")
 	sv(&opts.JSONKeyFile, "json-key", "", "use a service account's JSON key for authentication")
 	GCloud.PersistentFlags().BoolVar(&opts.ServiceAuth, "service-auth", false, "use non-interactive auth when running within GCP")
+	GCloud.PersistentFlags().BoolVar(&opts.Confidential, "confidential-vm", false, "create confidential instances")
 
 	cli.WrapPreRun(GCloud, preauth)
 }

mantle/platform/api/gcloud/api.go

@@ -42,6 +42,7 @@ type Options struct {
 	ServiceAcct string
 	JSONKeyFile string
 	ServiceAuth bool
+	Confidential bool
 	*platform.Options
 }
 

mantle/platform/api/gcloud/compute.go

@@ -111,7 +111,15 @@ func (a *API) mkinstance(userdata, name string, keys []*agent.Key, useServiceAcc
 			Value: &userdata,
 		})
 	}
-
+	// create confidential instance
+	if a.options.Confidential {
+		instance.ConfidentialInstanceConfig = &compute.ConfidentialInstanceConfig {
+			EnableConfidentialCompute: true,
+		}
+		instance.Scheduling = &compute.Scheduling {
+			OnHostMaintenance: "TERMINATE",
+		}
+	}
 	return instance
 
 }