From 78a723aa3171ceb33361d12c5375ddedfd1384e5 Mon Sep 17 00:00:00 2001 From: Moritz Sanft <58110325+msanft@users.noreply.github.com> Date: Thu, 4 Apr 2024 16:35:36 +0200 Subject: [PATCH] Adjust usage of GCP SEV-SNP throughout codebase --- .github/actions/terraform_apply/action.yml | 3 +++ cli/internal/cloudcmd/tfvars.go | 7 +++++++ cli/internal/cmd/configgenerate_test.go | 9 +++++++++ cli/internal/terraform/variables_test.go | 2 ++ docs/docs/reference/cli.md | 2 +- internal/constellation/state/state.go | 4 ++-- .../internal/provider/convert.go | 11 +++++++++++ 7 files changed, 35 insertions(+), 3 deletions(-) diff --git a/.github/actions/terraform_apply/action.yml b/.github/actions/terraform_apply/action.yml index f66b18ace..89361d14f 100644 --- a/.github/actions/terraform_apply/action.yml +++ b/.github/actions/terraform_apply/action.yml @@ -26,6 +26,9 @@ runs: "gcpSEVES") attestationVariant="gcp-sev-es" ;; + "gcpSEVSNP") + attestationVariant="gcp-sev-snp" + ;; *) echo "Unknown attestation variant: $(yq '.attestation | keys | .[0]' constellation-conf.yaml)" exit 1 diff --git a/cli/internal/cloudcmd/tfvars.go b/cli/internal/cloudcmd/tfvars.go index 309632d98..818590599 100644 --- a/cli/internal/cloudcmd/tfvars.go +++ b/cli/internal/cloudcmd/tfvars.go @@ -209,6 +209,12 @@ func gcpTerraformVars(conf *config.Config, imageRef string) *terraform.GCPCluste DiskType: group.StateDiskType, } } + + ccTech := "SEV" + if conf.GetAttestationConfig().GetVariant().Equal(variant.GCPSEVSNP{}) { + ccTech = "SEV_SNP" + } + return &terraform.GCPClusterVariables{ Name: conf.Name, NodeGroups: nodeGroups, @@ -219,6 +225,7 @@ func gcpTerraformVars(conf *config.Config, imageRef string) *terraform.GCPCluste Debug: conf.IsDebugCluster(), CustomEndpoint: conf.CustomEndpoint, InternalLoadBalancer: conf.InternalLoadBalancer, + CCTechnology: ccTech, } } diff --git a/cli/internal/cmd/configgenerate_test.go b/cli/internal/cmd/configgenerate_test.go index d1a4fbc92..952c43f8f 100644 
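Review bot: `ccTech := "SEV"` in the gcpTerraformVars hunk makes every attestation variant other than GCPSEVSNP, including any future or mismatched one, silently request plain SEV, and the two values are bare literals that variables_test.go repeats verbatim. The value is rendered as the `cc_technology` Terraform variable (see the variables_test.go hunk) and presumably has to agree with the attestation variant, so a short comment above the assignment would make the mapping reviewable, e.g. `// ccTech selects the confidential-computing technology requested from GCP; only GCPSEVSNP maps to SEV_SNP, everything else falls back to SEV`. The diffstat lists no test for tfvars.go, so neither the `"SEV"` nor the `"SEV_SNP"` path of this function appears to be covered. gcpTerraformVars starts before the hunk.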
--- a/cli/internal/cmd/configgenerate_test.go +++ b/cli/internal/cmd/configgenerate_test.go @@ -235,6 +235,11 @@ func TestValidProviderAttestationCombination(t *testing.T) { variant.GCPSEVES{}, config.AttestationConfig{GCPSEVES: defaultAttestation.GCPSEVES}, }, + { + cloudprovider.GCP, + variant.GCPSEVSNP{}, + config.AttestationConfig{GCPSEVSNP: defaultAttestation.GCPSEVSNP}, + }, { cloudprovider.QEMU, variant.QEMUVTPM{}, @@ -286,6 +291,10 @@ func TestParseAttestationFlag(t *testing.T) { attestationFlag: "gcp-sev-es", wantVariant: variant.GCPSEVES{}, }, + "GCPSEVSNP": { + attestationFlag: "gcp-sev-snp", + wantVariant: variant.GCPSEVSNP{}, + }, "QEMUVTPM": { attestationFlag: "qemu-vtpm", wantVariant: variant.QEMUVTPM{}, diff --git a/cli/internal/terraform/variables_test.go b/cli/internal/terraform/variables_test.go index df27ddb59..1c0ccb76b 100644 --- a/cli/internal/terraform/variables_test.go +++ b/cli/internal/terraform/variables_test.go @@ -122,6 +122,7 @@ func TestGCPClusterVariables(t *testing.T) { }, }, CustomEndpoint: "example.com", + CCTechnology: "SEV_SNP", } // test that the variables are correctly rendered @@ -151,6 +152,7 @@ node_groups = { } custom_endpoint = "example.com" internal_load_balancer = false +cc_technology = "SEV_SNP" ` got := vars.String() assert.Equal(t, strings.Fields(want), strings.Fields(got)) // to ignore whitespace differences diff --git a/docs/docs/reference/cli.md b/docs/docs/reference/cli.md index 52391f3d1..3ed16680a 100644 --- a/docs/docs/reference/cli.md +++ b/docs/docs/reference/cli.md 
@@ -78,7 +78,7 @@ constellation config generate {aws|azure|gcp|openstack|qemu|stackit} [flags] ### Options ``` - -a, --attestation string attestation variant to use {aws-sev-snp|aws-nitro-tpm|azure-sev-snp|azure-tdx|azure-trustedlaunch|gcp-sev-es|qemu-vtpm}. If not specified, the default for the cloud provider is used + -a, --attestation string attestation variant to use {aws-sev-snp|aws-nitro-tpm|azure-sev-snp|azure-tdx|azure-trustedlaunch|gcp-sev-snp|gcp-sev-es|qemu-vtpm}. If not specified, the default for the cloud provider is used -h, --help help for generate -k, --kubernetes string Kubernetes version to use in format MAJOR.MINOR (default "v1.28") ``` diff --git a/internal/constellation/state/state.go b/internal/constellation/state/state.go index bee5f8b2b..68e9b2845 100644 --- a/internal/constellation/state/state.go +++ b/internal/constellation/state/state.go @@ -383,7 +383,7 @@ func (s *State) preInitConstraints(attestation variant.Variant) func() []*valida ), ) } - case variant.GCPSEVES{}: + case variant.GCPSEVES{}, variant.GCPSEVSNP{}: // GCP values need to be valid after infrastructure creation. constraints = append(constraints, // Azure values need to be nil or empty. @@ -514,7 +514,7 @@ func (s *State) postInitConstraints(attestation variant.Variant) func() []*valid ), ) } - case variant.GCPSEVES{}: + case variant.GCPSEVES{}, variant.GCPSEVSNP{}: constraints = append(constraints, // Azure values need to be nil or empty. validation.Or( diff --git a/terraform-provider-constellation/internal/provider/convert.go b/terraform-provider-constellation/internal/provider/convert.go index 087728168..cfe9ec7fa 100644 --- a/terraform-provider-constellation/internal/provider/convert.go +++ b/terraform-provider-constellation/internal/provider/convert.go 
@@ -122,6 +122,10 @@ func convertFromTfAttestationCfg(tfAttestation attestationAttribute, attestation attestationConfig = &config.GCPSEVES{ Measurements: c11nMeasurements, } + case variant.GCPSEVSNP{}: + attestationConfig = &config.GCPSEVSNP{ + Measurements: c11nMeasurements, + } case variant.QEMUVTPM{}: attestationConfig = &config.QEMUVTPM{ Measurements: c11nMeasurements, @@ -150,6 +154,13 @@ func convertToTfAttestation(attVar variant.Variant, snpVersions attestationconfi } tfAttestation.AMDRootKey = certStr + case variant.GCPSEVSNP{}: + certStr, err := certAsString(config.DefaultForGCPSEVSNP().AMDRootKey) + if err != nil { + return tfAttestation, err + } + tfAttestation.AMDRootKey = certStr + case variant.AzureSEVSNP{}: certStr, err := certAsString(config.DefaultForAzureSEVSNP().AMDRootKey) if err != nil {
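Review bot: The new `case variant.GCPSEVSNP{}` in convertFromTfAttestationCfg builds `config.GCPSEVSNP` from `Measurements` alone, although the second hunk shows the type carries at least an `AMDRootKey` (`config.DefaultForGCPSEVSNP().AMDRootKey`), so any root key the Terraform attestation attribute supplies for GCP SEV-SNP is dropped and the field is left at its zero value. If the Azure and AWS SEV-SNP cases of this function, which lie outside the hunk, copy the root key and version fields from the attribute, the GCP case should mirror them; if the omission is deliberate, a comment such as `// GCP SEV-SNP takes only measurements from Terraform; the AMD root key comes from the defaults` would record that. Both convertFromTfAttestationCfg and convertToTfAttestation begin before their hunks.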