gcp: handles DISABLECVM

Currently DISABLECVM is ignored with GCP. This is commit is implementing
the basic logic to handle it.

Signed-off-by: Beraldo Leal <bleal@redhat.com>

src/cloud-api-adaptor/entrypoint.sh

@@ -100,6 +100,7 @@ gcp() {
     [[ "${GCP_MACHINE_TYPE}" ]] && optionals+="-gcp-machine-type ${GCP_MACHINE_TYPE} " # default e2-medium
     [[ "${GCP_NETWORK}" ]] && optionals+="-gcp-network ${GCP_NETWORK} "                # defaults to 'default'
     [[ "${GCP_DISK_TYPE}" ]] && optionals+="-disk-type ${GCP_DISK_TYPE} "              # defaults to 'pd-standard'
+    [[ "${DISABLECVM}" == "true" ]] && optionals+="-disable-cvm "
 
     set -x
     exec cloud-api-adaptor gcp \

src/cloud-api-adaptor/install/overlays/gcp/kustomization.yaml

@@ -17,14 +17,15 @@ configMapGenerator:
   namespace: confidential-containers-system
   literals:
   - CLOUD_PROVIDER="gcp"
-  #- PAUSE_IMAGE="" # Uncomment and set if you want to use a specific pause image
-  #- TUNNEL_TYPE="" # Uncomment and set if you want to use a specific tunnel type. Defaults to vxlan
-  #- VXLAN_PORT="" # Uncomment and set if you want to use a specific vxlan port. Defaults to 4789
   - PODVM_IMAGE_NAME="" # set from step "Build Pod VM Image" in gcp/README.md
   - GCP_PROJECT_ID="" # set
   - GCP_ZONE="" # set e.g. "us-west1-a"
   - GCP_MACHINE_TYPE="e2-medium" # replace if needed. caa defaults to e2-medium
   - GCP_NETWORK="global/networks/default" # replace if needed.
+  #- DISABLECVM="true" # Uncomment it if you want a generic VM
+  #- PAUSE_IMAGE="" # Uncomment and set if you want to use a specific pause image
+  #- TUNNEL_TYPE="" # Uncomment and set if you want to use a specific tunnel type. Defaults to vxlan
+  #- VXLAN_PORT="" # Uncomment and set if you want to use a specific vxlan port. Defaults to 4789
 ##TLS_SETTINGS
   #- CACERT_FILE="/etc/certificates/ca.crt" # for TLS
   #- CERT_FILE="/etc/certificates/client.crt" # for TLS

src/cloud-providers/gcp/manager.go

@@ -24,6 +24,7 @@ func (_ *Manager) ParseCmd(flags *flag.FlagSet) {
 	flags.StringVar(&gcpcfg.ImageId, "imageid", "", "Pod VM image id that is available at GCP Images. Usually a name like 'podvm-image'")
 	flags.StringVar(&gcpcfg.InstanceType, "instance-type", "e2-medium", "Pod VM instance type")
 	flags.StringVar(&gcpcfg.SubnetId, "subnetid", "default", "Network Subnet ID for the VMs")
+	flags.BoolVar(&gcpcfg.DisableCVM, "disable-cvm", false, "Use non-CVMs for peer pods")
 	flags.StringVar(&gcpcfg.DiskType, "disk-type", "pd-standard", "Any GCP disk type (pd-standard, pd-ssd, pd-balanced or pd-extreme)")
 }
 

src/cloud-providers/gcp/provider.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"log"
 	"net/netip"
+	"strings"
 
 	compute "cloud.google.com/go/compute/apiv1"
 	computepb "cloud.google.com/go/compute/apiv1/computepb"
@@ -141,6 +142,32 @@ func (p *gcpProvider) CreateInstance(ctx context.Context, podName, sandboxID str
 			},
 		},
 	}
+
+	if !p.serviceConfig.DisableCVM {
+		confidentialInstanceTypes := map[string]string{
+			"c3-":  "TDX",
+			"n2d-": "SEV_SNP",
+			"t2d-": "SEV_SNP",
+		}
+
+		var confidentialType string
+		for prefix, cType := range confidentialInstanceTypes {
+			if strings.HasPrefix(p.serviceConfig.InstanceType, prefix) {
+				confidentialType = cType
+				break
+			}
+		}
+
+		if confidentialType == "" {
+			return nil, fmt.Errorf("unsupported instance type %s for confidential computing", p.serviceConfig.InstanceType)
+		}
+
+		insertReq.InstanceResource.ConfidentialInstanceConfig = &computepb.ConfidentialInstanceConfig{
+			ConfidentialInstanceType:  proto.String(confidentialType),
+			EnableConfidentialCompute: proto.Bool(true),
+		}
+	}
+
 	op, err := p.instancesClient.Insert(ctx, insertReq)
 	if err != nil {
 		return nil, fmt.Errorf("Instances.Insert error: %s. req: %v", err, insertReq)

src/cloud-providers/gcp/types.go

@@ -17,6 +17,7 @@ type Config struct {
 	// CAA configuration
 	ImageId        string
 	InstanceType   string
+	DisableCVM     bool
 	DiskType       string
 }