gcp: handles DISABLECVM

Currently DISABLECVM is ignored with GCP. This is commit is implementing
the basic logic to handle it.

Signed-off-by: Beraldo Leal <bleal@redhat.com>

src/cloud-api-adaptor/entrypoint.sh

@@ -100,6 +100,7 @@ gcp() {
     [[ "${GCP_MACHINE_TYPE}" ]] && optionals+="-machine-type ${GCP_MACHINE_TYPE} "     # default e2-medium
     [[ "${GCP_NETWORK}" ]] && optionals+="-gcp-network ${GCP_NETWORK} "                # defaults to 'default'
     [[ "${GCP_DISK_TYPE}" ]] && optionals+="-disk-type ${GCP_DISK_TYPE} "              # defaults to 'pd-standard'
+    [[ "${DISABLECVM}" == "true" ]] && optionals+="-disable-cvm "
 
     set -x
     exec cloud-api-adaptor gcp \

src/cloud-api-adaptor/install/overlays/gcp/kustomization.yaml

@@ -23,6 +23,7 @@ configMapGenerator:
   - GCP_MACHINE_TYPE="e2-medium" # replace if needed. caa defaults to e2-medium
   - GCP_NETWORK="global/networks/default" # replace if needed.
   #- GCP_DISK_TYPE="" # Uncomment and set if you want to use a specific disk type. Defaults to pd-standard
+  #- DISABLECVM="true" # Uncomment it if you want a generic VM
   #- PAUSE_IMAGE="" # Uncomment and set if you want to use a specific pause image
   #- TUNNEL_TYPE="" # Uncomment and set if you want to use a specific tunnel type. Defaults to vxlan
   #- VXLAN_PORT="" # Uncomment and set if you want to use a specific vxlan port. Defaults to 4789

src/cloud-providers/gcp/manager.go

@@ -24,6 +24,7 @@ func (_ *Manager) ParseCmd(flags *flag.FlagSet) {
 	flags.StringVar(&gcpcfg.ImageId, "imageid", "", "Pod VM image id that is available at GCP Images. Usually a name like 'podvm-image'")
 	flags.StringVar(&gcpcfg.MachineType, "machine-type", "e2-medium", "Pod VM Machine type")
 	flags.StringVar(&gcpcfg.GcpNetworkId, "gcp-network", "default", "GCP Network ID for the VMs")
+	flags.BoolVar(&gcpcfg.DisableCVM, "disable-cvm", false, "Use non-CVMs for peer pods")
 	flags.StringVar(&gcpcfg.DiskType, "disk-type", "pd-standard", "Any GCP disk type (pd-standard, pd-ssd, pd-balanced or pd-extreme)")
 }
 

src/cloud-providers/gcp/provider.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"log"
 	"net/netip"
+	"strings"
 
 	compute "cloud.google.com/go/compute/apiv1"
 	computepb "cloud.google.com/go/compute/apiv1/computepb"
@@ -141,6 +142,40 @@ func (p *gcpProvider) CreateInstance(ctx context.Context, podName, sandboxID str
 			},
 		},
 	}
+
+	if !p.serviceConfig.DisableCVM {
+		confidentialInstanceTypes := map[string]string{
+			"c2d-": "SEV",
+			"c3-":  "TDX",
+			"c3d-": "SEV",
+			"n2d-": "SEV_SNP",
+		}
+
+		var confidentialType string
+		for prefix, cType := range confidentialInstanceTypes {
+			if strings.HasPrefix(p.serviceConfig.MachineType, prefix) {
+				confidentialType = cType
+				break
+			}
+		}
+
+		if confidentialType == "" {
+			return nil, fmt.Errorf("unsupported instance type %s for confidential computing", p.serviceConfig.MachineType)
+		}
+
+		insertReq.InstanceResource.ConfidentialInstanceConfig = &computepb.ConfidentialInstanceConfig{
+			ConfidentialInstanceType:  proto.String(confidentialType),
+			EnableConfidentialCompute: proto.Bool(true),
+		}
+
+		// TODO: We need to better investigate the implications here. Confidential
+		// VM does not support migration at GCP.
+		insertReq.InstanceResource.Scheduling = &computepb.Scheduling{
+			OnHostMaintenance: proto.String("TERMINATE"),
+		}
+
+	}
+
 	op, err := p.instancesClient.Insert(ctx, insertReq)
 	if err != nil {
 		return nil, fmt.Errorf("Instances.Insert error: %s. req: %v", err, insertReq)

src/cloud-providers/gcp/types.go

@@ -16,7 +16,8 @@ type Config struct {
 	GcpNetworkId   string
 	// CAA configuration
 	ImageId        string
-	MachineType   string
+	MachineType    string
+	DisableCVM     bool
 	DiskType       string
 }