gcp: add --confidential-vm option to support confidential vm

coreos · May 15, 2023 · a88e5ed · a88e5ed
1 parent 551e93e
commit a88e5ed
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 10 deletions.
diff --git a/mantle/cmd/kola/options.go b/mantle/cmd/kola/options.go
@@ -123,6 +123,7 @@ func init() {
 	sv(&kola.GCPOptions.ServiceAcct, "gcp-service-account", "", "GCP service account to attach to instance (default project default)")
 	bv(&kola.GCPOptions.ServiceAuth, "gcp-service-auth", false, "for non-interactive auth when running within GCP")
 	sv(&kola.GCPOptions.JSONKeyFile, "gcp-json-key", "", "use a service account's JSON key for authentication (default \"~/"+auth.GCPConfigPath+"\")")
+	bv(&kola.GCPOptions.Confidential, "gcp-confidential-vm", false, "create confidential instances")
 
 	// openstack-specific options
 	sv(&kola.OpenStackOptions.ConfigPath, "openstack-config-file", "", "Path to a clouds.yaml formatted OpenStack config file. The underlying library defaults to ./clouds.yaml")

diff --git a/mantle/cmd/ore/gcloud/gcloud.go b/mantle/cmd/ore/gcloud/gcloud.go
@@ -48,6 +48,7 @@ func init() {
 	sv(&opts.Network, "network", "default", "network name")
 	sv(&opts.JSONKeyFile, "json-key", "", "use a service account's JSON key for authentication")
 	GCloud.PersistentFlags().BoolVar(&opts.ServiceAuth, "service-auth", false, "use non-interactive auth when running within GCP")
+	GCloud.PersistentFlags().BoolVar(&opts.Confidential, "confidential-vm", false, "create confidential instances")
 
 	cli.WrapPreRun(GCloud, preauth)
 }

diff --git a/mantle/platform/api/gcloud/api.go b/mantle/platform/api/gcloud/api.go
@@ -33,15 +33,16 @@ var (
 )
 
 type Options struct {
-	Image       string
-	Project     string
-	Zone        string
-	MachineType string
-	DiskType    string
-	Network     string
-	ServiceAcct string
-	JSONKeyFile string
-	ServiceAuth bool
+	Image        string
+	Project      string
+	Zone         string
+	MachineType  string
+	DiskType     string
+	Network      string
+	ServiceAcct  string
+	JSONKeyFile  string
+	ServiceAuth  bool
+	Confidential bool
 	*platform.Options
 }
 

diff --git a/mantle/platform/api/gcloud/compute.go b/mantle/platform/api/gcloud/compute.go
@@ -111,7 +111,15 @@ func (a *API) mkinstance(userdata, name string, keys []*agent.Key, useServiceAcc
 			Value: &userdata,
 		})
 	}
-
+	// create confidential instance
+	if a.options.Confidential {
+		instance.ConfidentialInstanceConfig = &compute.ConfidentialInstanceConfig{
+			EnableConfidentialCompute: true,
+		}
+		instance.Scheduling = &compute.Scheduling{
+			OnHostMaintenance: "TERMINATE",
+		}
+	}
 	return instance
 
 }