From 297cd99f74dbfdd5091fa048771a5d8e3e4e4b16 Mon Sep 17 00:00:00 2001
From: Hayk Baluyan
Date: Mon, 15 Apr 2019 12:51:36 -0700
Subject: [PATCH] feat(provider/google): Support Shielded VM policies (#6849)
* feat(provider/google): Support Shielded VM policies
* feat(provider/google): Disable integrity monitoring if vTPM is disabled.
---
 .../modules/google/src/help/gce.help.ts | 8 ++++++
 .../serverGroupCommandBuilder.service.js | 13 +++++++++
 .../advancedSettings.directive.html | 27 +++++++++++++++++++
 .../advancedSettingsSelector.directive.js | 7 +++++
 .../serverGroupDetails.gce.controller.js | 13 +++++++++
 .../details/serverGroupDetails.html | 20 ++++++++++++++
 6 files changed, 88 insertions(+)
diff --git a/app/scripts/modules/google/src/help/gce.help.ts b/app/scripts/modules/google/src/help/gce.help.ts
index e24f2b2e3cd..6d5730ffc08 100644
--- a/app/scripts/modules/google/src/help/gce.help.ts
+++ b/app/scripts/modules/google/src/help/gce.help.ts
@@ -115,6 +115,14 @@ const helpContents: { [key: string]: string } = {
 'gce.serverGroup.labels.spinnaker-region': 'This label can be used to group instances when querying for metrics.',
 'gce.serverGroup.labels.spinnaker-server-group': 'This label can be used to group instances when querying for metrics.',
+ 'gce.serverGroup.shieldedVmConfig':
+ 'Shielded VM features include trusted UEFI firmware and come with options for Secure Boot, Virtual Trusted Platform Module (vTPM), and Integrity Monitoring.',
+ 'gce.serverGroup.shieldedVmSecureBoot':
+ 'Secure boot helps protect your VM instances against boot-level and kernel-level malware and rootkits.',
+ 'gce.serverGroup.shieldedVmVtpm':
+ 'Virtual Trusted Platform Module (vTPM) validates your guest VM pre-boot and boot integrity, and offers key generation and protection.',
+ 'gce.serverGroup.shieldedVmIntegrityMonitoring':
+ 'Integrity monitoring lets you monitor and verify the runtime boot integrity of your shielded VM instances using Stackdriver reports. Note: requires vTPM to be enabled.',
 'gce.serverGroup.preemptibility': 'A preemptible VM costs much less, but lasts only 24 hours. It can be terminated sooner due to system demands.',
 'gce.serverGroup.automaticRestart':
diff --git a/app/scripts/modules/google/src/serverGroup/configure/serverGroupCommandBuilder.service.js b/app/scripts/modules/google/src/serverGroup/configure/serverGroupCommandBuilder.service.js
index e019385b8d0..23b981b93ef 100644
--- a/app/scripts/modules/google/src/serverGroup/configure/serverGroupCommandBuilder.service.js
+++ b/app/scripts/modules/google/src/serverGroup/configure/serverGroupCommandBuilder.service.js
@@ -219,6 +219,12 @@ module.exports = angular
 }
 }
+ function populateShieldedVmConfig(serverGroup, command) {
+ command.enableSecureBoot = serverGroup.enableSecureBoot;
+ command.enableVtpm = serverGroup.enableVtpm;
+ command.enableIntegrityMonitoring = serverGroup.enableIntegrityMonitoring;
+ }
+
 function populateCustomMetadata(metadataItems, command) {
 // Hide metadata items in the wizard.
 if (metadataItems) {
@@ -347,6 +353,9 @@ module.exports = angular
 instanceMetadata: {},
 tags: [],
 labels: {},
+ enableSecureBoot: false,
+ enableVtpm: false,
+ enableIntegrityMonitoring: false,
 preemptible: false,
 automaticRestart: true,
 onHostMaintenance: 'MIGRATE',
@@ -422,6 +431,9 @@ module.exports = angular
 tags: [],
 labels: {},
 availabilityZones: [],
+ enableSecureBoot: serverGroup.enableSecureBoot,
+ enableVtpm: serverGroup.enableVtpm,
+ enableIntegrityMonitoring: serverGroup.enableIntegrityMonitoring,
 enableTraffic: true,
 cloudProvider: 'gce',
 selectedProvider: 'gce',
@@ -546,6 +558,7 @@ module.exports = angular
 extendedCommand.instanceMetadata = {};
 populateCustomMetadata(instanceMetadata, extendedCommand);
 populateAutoHealingPolicy(pipelineCluster, extendedCommand);
+ populateShieldedVmConfig(pipelineCluster, extendedCommand);
 const instanceTemplateTags = { items: extendedCommand.tags };
 extendedCommand.tags = [];
diff --git a/app/scripts/modules/google/src/serverGroup/configure/wizard/advancedSettings/advancedSettings.directive.html b/app/scripts/modules/google/src/serverGroup/configure/wizard/advancedSettings/advancedSettings.directive.html
index 7065ae87bcc..66e45ec7ad2 100644
--- a/app/scripts/modules/google/src/serverGroup/configure/wizard/advancedSettings/advancedSettings.directive.html
+++ b/app/scripts/modules/google/src/serverGroup/configure/wizard/advancedSettings/advancedSettings.directive.html
@@ -81,6 +81,33 @@
 +
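Review bot: `populateShieldedVmConfig` in the `-219` hunk copies the three shielded-VM flags from `pipelineCluster` verbatim, so a pipeline stage saved before these fields existed yields `undefined` instead of the `false` that the new-command defaults in the `-347` hunk use, and an inconsistent pair (`enableIntegrityMonitoring` true with `enableVtpm` false) is passed straight through even though the wizard's `setEnableVtpm` prevents that combination interactively. Normalize and enforce the dependency in this one place: `command.enableSecureBoot = !!serverGroup.enableSecureBoot;`, `command.enableVtpm = !!serverGroup.enableVtpm;`, `command.enableIntegrityMonitoring = command.enableVtpm && !!serverGroup.enableIntegrityMonitoring;`. A comment above the function, `// Shielded VM flags default to off; integrity monitoring is only meaningful when vTPM is on.`, would record the rule for the next reader.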
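Review bot: In the `-422` hunk the clone command reads `serverGroup.enableSecureBoot`, `serverGroup.enableVtpm` and `serverGroup.enableIntegrityMonitoring` from the top level of the source server group, while the details controller in this same commit finds that data under `launchConfig.instanceTemplate.properties.shieldedVmConfig`. Unless the server group object also exposes the flags at top level (not visible here), cloning a hardened server group would silently build a command with all three `undefined`, i.e. Secure Boot and vTPM off on the clone. If lodash is in scope here as it is in the details controller, sourcing each flag from the nested config with an explicit default, e.g. `enableVtpm: _.get(serverGroup, 'launchConfig.instanceTemplate.properties.shieldedVmConfig.enableVtpm', false),`, would preserve the source group's settings.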
+
+ Shielded VMs + +
+
+ +
+
+ +
+
+ +
+
Preemptibility
diff --git a/app/scripts/modules/google/src/serverGroup/configure/wizard/advancedSettings/advancedSettingsSelector.directive.js b/app/scripts/modules/google/src/serverGroup/configure/wizard/advancedSettings/advancedSettingsSelector.directive.js
index cdf5aeecf2a..691801a879c 100644
--- a/app/scripts/modules/google/src/serverGroup/configure/wizard/advancedSettings/advancedSettingsSelector.directive.js
+++ b/app/scripts/modules/google/src/serverGroup/configure/wizard/advancedSettings/advancedSettingsSelector.directive.js
@@ -48,5 +48,12 @@ module.exports = angular
 this.command.onHostMaintenance = 'MIGRATE';
 }
 };
+
+ this.setEnableVtpm = () => {
+ if (!this.command.enableVtpm) {
+ // Integrity monitoring requires vTPM to be enabled.
+ this.command.enableIntegrityMonitoring = false;
+ }
+ };
 },
 ]);
diff --git a/app/scripts/modules/google/src/serverGroup/details/serverGroupDetails.gce.controller.js b/app/scripts/modules/google/src/serverGroup/details/serverGroupDetails.gce.controller.js
index b29e7ad0a4b..b5277ed7e40 100644
--- a/app/scripts/modules/google/src/serverGroup/details/serverGroupDetails.gce.controller.js
+++ b/app/scripts/modules/google/src/serverGroup/details/serverGroupDetails.gce.controller.js
@@ -143,6 +143,7 @@ module.exports = angular
 findStartupScript();
 prepareDiskDescriptions();
 prepareAvailabilityPolicies();
+ prepareShieldedVmConfig();
 prepareAutoHealingPolicy();
 prepareAuthScopes();
 prepareCurrentActions();
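Review bot: `setEnableVtpm` in the `-48` hunk neither receives a value nor sets `enableVtpm`; it is a post-change hook (presumably bound to the vTPM checkbox's ng-change) that clears integrity monitoring once vTPM is off, so the setter-like name deserves a comment above the assignment, e.g. `// Change hook for the vTPM checkbox: integrity monitoring cannot stay on without vTPM.` The dependency is enforced only in this direction; if the template (its hunk is unreadable here) does not disable or guard the integrity-monitoring checkbox while vTPM is off, a user can still produce the invalid pair by ticking it afterwards, and a matching hook for that checkbox would close the gap.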
@@ -240,6 +241,18 @@ module.exports = angular
 }
 };
+ const prepareShieldedVmConfig = () => {
+ if (_.has(this.serverGroup, 'launchConfig.instanceTemplate.properties.shieldedVmConfig')) {
+ const shieldedVmConfig = this.serverGroup.launchConfig.instanceTemplate.properties.shieldedVmConfig;
+
+ this.serverGroup.shieldedVmConfig = {
+ enableSecureBoot: shieldedVmConfig.enableSecureBoot ? 'On' : 'Off',
+ enableVtpm: shieldedVmConfig.enableVtpm ? 'On' : 'Off',
+ enableIntegrityMonitoring: shieldedVmConfig.enableIntegrityMonitoring ? 'On' : 'Off',
+ };
+ }
+ };
+
 const prepareAutoHealingPolicy = () => {
 if (this.serverGroup.autoHealingPolicy) {
 let autoHealingPolicy = this.serverGroup.autoHealingPolicy;
diff --git a/app/scripts/modules/google/src/serverGroup/details/serverGroupDetails.html b/app/scripts/modules/google/src/serverGroup/details/serverGroupDetails.html
index 1a2a8c7ac94..48fd436d264 100644
--- a/app/scripts/modules/google/src/serverGroup/details/serverGroupDetails.html
+++ b/app/scripts/modules/google/src/serverGroup/details/serverGroupDetails.html
@@ -255,6 +255,26 @@
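Review bot: `prepareShieldedVmConfig` in the `-241` hunk carries no comment explaining that the 'On'/'Off' strings are display values and that `this.serverGroup.shieldedVmConfig` is deliberately left unset when the instance template has no `shieldedVmConfig`, which is what lets the details template fall through to its "No Shielded VM policies associated with this server group" message. Add above the function: `// Expose the instance template's shieldedVmConfig as 'On'/'Off' display strings; left undefined when the template has none so the details view shows its fallback.` Note also that a field missing from a present `shieldedVmConfig` renders as 'Off', indistinguishable from an explicit false; that is fine if the API always returns all three flags, but worth confirming.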

[SERVER GROUP IS DIS + +
No Shielded VM policies associated with this server group
+
+
+ Secure Boot + +
+
{{ctrl.serverGroup.shieldedVmConfig.enableSecureBoot}}
+
+ vTPM + +
+
{{ctrl.serverGroup.shieldedVmConfig.enableVtpm}}
+
+ Integrity Monitoring + +
+
{{ctrl.serverGroup.shieldedVmConfig.enableIntegrityMonitoring}}
+
+
No availability policies associated with this server group