From 173c2aeba4a03507b9a11e36d788cac9a78ab809 Mon Sep 17 00:00:00 2001 From: Michail Resvanis Date: Wed, 8 Feb 2023 10:46:00 +0100 Subject: [PATCH] MGMT-13627: Add ConfidentialVM and TrustedLaunch options to AzureMachineProviderSpec This change introduces the security profile to the OS disk parameters and adds the SecurityType and UEFISettings sections to the VM's security profile. The SecurityType defines whether the VM is a Confidential or a Trusted Launch VM. This field should be set to one of the two options, in order to enable the UEFISettings section. The UEFISettings fields include the VirtualizedTrustedPlatformModule and SecureBoot fields, which can be set to either Enabled or Disabled. The OS disk security profile includes the SecurityEncryptionType and the DiskEncryptionSet fields. The SecurityEncryptionType can only be used when the VM is a Confidential one. When SecurityEncryptionType is set, vTPM should be enabled and the VM security profile's SecurityType should also be set to ConfidentialVM. Possible values for the SecurityEncryptionType are: - DiskWithVMGuestState, OS disk encryption before VM deployment that uses platform-managed keys (PMK) or a customer-managed key (CMK) - VMGuestStateOnly, no OS disk confidential encryption When the SecurityEncryptionType is set to DiskWithVMGuestState, the DiskEncryptionSet can be specified to allow for customer-managed keys to be used to encrypt the OS disk and the VMGuestState blob. Signed-off-by: Michail Resvanis --- machine/v1beta1/types_azureprovider.go | 118 +++++++++++- machine/v1beta1/zz_generated.deepcopy.go | 95 ++++++++++ .../zz_generated.swagger_doc_generated.go | 53 +++++- .../generated_openapi/zz_generated.openapi.go | 172 +++++++++++++++++- openapi/openapi.json | 90 ++++++++- 5 files changed, 521 insertions(+), 7 deletions(-) diff --git a/machine/v1beta1/types_azureprovider.go b/machine/v1beta1/types_azureprovider.go index 547da1af71e..1d565e5d229 100644 --- a/machine/v1beta1/types_azureprovider.go +++ b/machine/v1beta1/types_azureprovider.go @@ -6,6 +6,28 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// SecurityEncryptionTypes represents the Encryption Type when the Azure Virtual Machine is a +// Confidential VM. +type SecurityEncryptionTypes string + +const ( + // SecurityEncryptionTypesVMGuestStateOnly disables OS disk confidential encryption. + SecurityEncryptionTypesVMGuestStateOnly SecurityEncryptionTypes = "VMGuestStateOnly" + // SecurityEncryptionTypesDiskWithVMGuestState enables OS disk confidential encryption with a + // platform-managed key (PMK) or a customer-managed key (CMK). + SecurityEncryptionTypesDiskWithVMGuestState SecurityEncryptionTypes = "DiskWithVMGuestState" +) + +// SecurityTypes represents the SecurityType of the virtual machine. +type SecurityTypes string + +const ( + // SecurityTypesConfidentialVM defines the SecurityType of the virtual machine as a Confidential VM. + SecurityTypesConfidentialVM SecurityTypes = "ConfidentialVM" + // SecurityTypesTrustedLaunch defines the SecurityType of the virtual machine as a Trusted Launch VM. + SecurityTypesTrustedLaunch SecurityTypes = "TrustedLaunch" +) + // AzureMachineProviderSpec is the type that will be embedded in a Machine.Spec.ProviderSpec field // for an Azure virtual machine. It is used by the Azure machine actuator to create a single Machine. // Required parameters such as location that are not specified by this configuration, will be defaulted @@ -397,6 +419,36 @@ type OSDiskManagedDiskParameters struct { // DiskEncryptionSet is the disk encryption set properties // +optional DiskEncryptionSet *DiskEncryptionSetParameters `json:"diskEncryptionSet,omitempty"` + // securityProfile specifies the security profile for the managed disk. + // +optional + SecurityProfile VMDiskSecurityProfile `json:"securityProfile,omitempty"` +} + +// VMDiskSecurityProfile specifies the security profile settings for the managed disk. +// It can be set only for Confidential VMs. +type VMDiskSecurityProfile struct { + // diskEncryptionSet specifies the customer managed disk encryption set resource id for the + // managed disk that is used for Customer Managed Key encrypted ConfidentialVM OS Disk and + // VMGuest blob. + // +optional + DiskEncryptionSet DiskEncryptionSetParameters `json:"diskEncryptionSet,omitempty"` + // securityEncryptionType specifies the encryption type of the managed disk. + // It is set to DiskWithVMGuestState to encrypt the managed disk along with the VMGuestState + // blob, and to VMGuestStateOnly to encrypt the VMGuestState blob only. + // When set to VMGuestStateOnly, the vTPM should be enabled. + // When set to DiskWithVMGuestState, both SecureBoot and vTPM should be enabled. + // If the above conditions are not fulfilled, the VM will not be created and the respective error + // will be returned. + // It can be set only for Confidential VMs. Confidential VMs are defined by their + // SecurityProfile.SecurityType being set to ConfidentialVM, the SecurityEncryptionType of their + // OS disk being set to one of the allowed values and by enabling the respective + // SecurityProfile.UEFISettings of the VM (i.e. vTPM and SecureBoot), depending on the selected + // SecurityEncryptionType. + // For further details on Azure Confidential VMs, please refer to the respective documentation: + // https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview + // +kubebuilder:validation:Enum=VMGuestStateOnly;DiskWithVMGuestState + // +optional + SecurityEncryptionType SecurityEncryptionTypes `json:"securityEncryptionType,omitempty"` } // DataDiskManagedDiskParameters is the parameters of a DataDisk managed disk. @@ -437,11 +489,71 @@ type DiskEncryptionSetParameters struct { // SecurityProfile specifies the Security profile settings for a // virtual machine or virtual machine scale set. type SecurityProfile struct { - // This field indicates whether Host Encryption should be enabled - // or disabled for a virtual machine or virtual machine scale - // set. Default is disabled. + // encryptionAtHost indicates whether Host Encryption should be enabled or disabled for a virtual + // machine or virtual machine scale set. + // This should be disabled when SecurityEncryptionType is set to DiskWithVMGuestState. + // Default is disabled. // +optional EncryptionAtHost *bool `json:"encryptionAtHost,omitempty"` + // settings specify the security type and the UEFI settings of the virtual machine. This field can + // be set for Confidential VMs and Trusted Launch for VMs. + // +optional + Settings SecuritySettings `json:"settings,omitempty"` +} + +// SecuritySettings define the security type and the UEFI settings of the virtual machine. +// +union +type SecuritySettings struct { + // securityType specifies the SecurityType of the virtual machine. It has to be set to any specified value to + // enable UEFISettings. The default behavior is: UEFISettings will not be enabled unless this property is set. + // +kubebuilder:validation:Enum=ConfidentialVM;TrustedLaunch + // +kubebuilder:validation:Required + // +unionDiscriminator + SecurityType SecurityTypes `json:"securityType,omitempty"` + // confidentialVM specifies the security configuration of the virtual machine. + // For more information regarding Confidential VMs, please refer to: + // https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview + // +optional + ConfidentialVM *ConfidentialVM `json:"confidentialVM,omitempty"` + // trustedLaunch specifies the security configuration of the virtual machine. + // For more information regarding TrustedLaunch for VMs, please refer to: + // https://learn.microsoft.com/azure/virtual-machines/trusted-launch + // +optional + TrustedLaunch *TrustedLaunch `json:"trustedLaunch,omitempty"` +} + +// ConfidentialVM defines the UEFI settings for the virtual machine. +type ConfidentialVM struct { + // uefiSettings specifies the security settings like secure boot and vTPM used while creating the virtual machine. + // +kubebuilder:validation:Required + UEFISettings UEFISettings `json:"uefiSettings,omitempty"` +} + +// TrustedLaunch defines the UEFI settings for the virtual machine. +type TrustedLaunch struct { + // uefiSettings specifies the security settings like secure boot and vTPM used while creating the virtual machine. + // +kubebuilder:validation:Required + UEFISettings UEFISettings `json:"uefiSettings,omitempty"` +} + +// UEFISettings specifies the security settings like secure boot and vTPM used while creating the +// virtual machine. +type UEFISettings struct { + // secureBoot specifies whether secure boot should be enabled on the virtual machine. + // Secure Boot verifies the digital signature of all boot components and halts the boot process if + // signature verification fails. + // If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled. + // +kubebuilder:validation:Enum=Enabled;Disabled + // +optional + SecureBoot SecureBootPolicy `json:"secureBoot,omitempty"` + // virtualizedTrustedPlatformModule specifies whether vTPM should be enabled on the virtual machine. + // When enabled the virtualized trusted platform module measurements are used to create a known good boot integrity policy baseline. + // The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed. + // This is required to be enabled if SecurityEncryptionType is defined. + // If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled. + // +kubebuilder:validation:Enum=Enabled;Disabled + // +optional + VirtualizedTrustedPlatformModule VirtualizedTrustedPlatformModulePolicy `json:"virtualizedTrustedPlatformModule,omitempty"` } // AzureUltraSSDCapabilityState defines the different states of an UltraSSDCapability diff --git a/machine/v1beta1/zz_generated.deepcopy.go b/machine/v1beta1/zz_generated.deepcopy.go index e1b4c33f4c5..f39f4a5d5dc 100644 --- a/machine/v1beta1/zz_generated.deepcopy.go +++ b/machine/v1beta1/zz_generated.deepcopy.go @@ -434,6 +434,23 @@ func (in Conditions) DeepCopy() Conditions { return *out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ConfidentialVM) DeepCopyInto(out *ConfidentialVM) { + *out = *in + out.UEFISettings = in.UEFISettings + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfidentialVM. +func (in *ConfidentialVM) DeepCopy() *ConfidentialVM { + if in == nil { + return nil + } + out := new(ConfidentialVM) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *DataDisk) DeepCopyInto(out *DataDisk) { *out = *in @@ -1457,6 +1474,7 @@ func (in *OSDiskManagedDiskParameters) DeepCopyInto(out *OSDiskManagedDiskParame *out = new(DiskEncryptionSetParameters) **out = **in } + out.SecurityProfile = in.SecurityProfile return } @@ -1552,6 +1570,7 @@ func (in *SecurityProfile) DeepCopyInto(out *SecurityProfile) { *out = new(bool) **out = **in } + in.Settings.DeepCopyInto(&out.Settings) return } @@ -1565,6 +1584,32 @@ func (in *SecurityProfile) DeepCopy() *SecurityProfile { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecuritySettings) DeepCopyInto(out *SecuritySettings) { + *out = *in + if in.ConfidentialVM != nil { + in, out := &in.ConfidentialVM, &out.ConfidentialVM + *out = new(ConfidentialVM) + **out = **in + } + if in.TrustedLaunch != nil { + in, out := &in.TrustedLaunch, &out.TrustedLaunch + *out = new(TrustedLaunch) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecuritySettings. +func (in *SecuritySettings) DeepCopy() *SecuritySettings { + if in == nil { + return nil + } + out := new(SecuritySettings) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SpotMarketOptions) DeepCopyInto(out *SpotMarketOptions) { *out = *in @@ -1623,6 +1668,39 @@ func (in *TagSpecification) DeepCopy() *TagSpecification { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TrustedLaunch) DeepCopyInto(out *TrustedLaunch) { + *out = *in + out.UEFISettings = in.UEFISettings + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrustedLaunch. +func (in *TrustedLaunch) DeepCopy() *TrustedLaunch { + if in == nil { + return nil + } + out := new(TrustedLaunch) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UEFISettings) DeepCopyInto(out *UEFISettings) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UEFISettings. +func (in *UEFISettings) DeepCopy() *UEFISettings { + if in == nil { + return nil + } + out := new(UEFISettings) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *UnhealthyCondition) DeepCopyInto(out *UnhealthyCondition) { *out = *in @@ -1640,6 +1718,23 @@ func (in *UnhealthyCondition) DeepCopy() *UnhealthyCondition { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *VMDiskSecurityProfile) DeepCopyInto(out *VMDiskSecurityProfile) { + *out = *in + out.DiskEncryptionSet = in.DiskEncryptionSet + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VMDiskSecurityProfile. +func (in *VMDiskSecurityProfile) DeepCopy() *VMDiskSecurityProfile { + if in == nil { + return nil + } + out := new(VMDiskSecurityProfile) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *VSphereMachineProviderSpec) DeepCopyInto(out *VSphereMachineProviderSpec) { *out = *in diff --git a/machine/v1beta1/zz_generated.swagger_doc_generated.go b/machine/v1beta1/zz_generated.swagger_doc_generated.go index fa1a451da8b..90b1dc58221 100644 --- a/machine/v1beta1/zz_generated.swagger_doc_generated.go +++ b/machine/v1beta1/zz_generated.swagger_doc_generated.go @@ -223,6 +223,15 @@ func (AzureMachineProviderStatus) SwaggerDoc() map[string]string { return map_AzureMachineProviderStatus } +var map_ConfidentialVM = map[string]string{ + "": "ConfidentialVM defines the UEFI settings for the virtual machine.", + "uefiSettings": "uefiSettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.", +} + +func (ConfidentialVM) SwaggerDoc() map[string]string { + return map_ConfidentialVM +} + var map_DataDisk = map[string]string{ "": "DataDisk specifies the parameters that are used to add one or more data disks to the machine. A Data Disk is a managed disk that's attached to a virtual machine to store application data. It differs from an OS Disk as it doesn't come with a pre-installed OS, and it cannot contain the boot volume. It is registered as SCSI drive and labeled with the chosen `lun`. e.g. for `lun: 0` the raw disk device will be available at `/dev/disk/azure/scsi1/lun0`.\n\nAs the Data Disk disk device is attached raw to the virtual machine, it will need to be partitioned, formatted with a filesystem and mounted, in order for it to be usable. This can be done by creating a custom userdata Secret with custom Ignition configuration to achieve the desired initialization. At this stage the previously defined `lun` is to be used as the \"device\" key for referencing the raw disk device to be initialized. Once the custom userdata Secret has been created, it can be referenced in the Machine's `.providerSpec.userDataSecret`. For further guidance and examples, please refer to the official OpenShift docs.", "nameSuffix": "NameSuffix is the suffix to be appended to the machine name to generate the disk name. Each disk name will be in format _. NameSuffix name must start and finish with an alphanumeric character and can only contain letters, numbers, underscores, periods or hyphens. The overall disk name must not exceed 80 chars in length.", @@ -295,6 +304,7 @@ var map_OSDiskManagedDiskParameters = map[string]string{ "": "OSDiskManagedDiskParameters is the parameters of a OSDisk managed disk.", "storageAccountType": "StorageAccountType is the storage account type to use. Possible values include \"Standard_LRS\", \"Premium_LRS\".", "diskEncryptionSet": "DiskEncryptionSet is the disk encryption set properties", + "securityProfile": "securityProfile specifies the security profile for the managed disk.", } func (OSDiskManagedDiskParameters) SwaggerDoc() map[string]string { @@ -303,13 +313,25 @@ func (OSDiskManagedDiskParameters) SwaggerDoc() map[string]string { var map_SecurityProfile = map[string]string{ "": "SecurityProfile specifies the Security profile settings for a virtual machine or virtual machine scale set.", - "encryptionAtHost": "This field indicates whether Host Encryption should be enabled or disabled for a virtual machine or virtual machine scale set. Default is disabled.", + "encryptionAtHost": "encryptionAtHost indicates whether Host Encryption should be enabled or disabled for a virtual machine or virtual machine scale set. This should be disabled when SecurityEncryptionType is set to DiskWithVMGuestState. Default is disabled.", + "settings": "settings specify the security type and the UEFI settings of the virtual machine. This field can be set for Confidential VMs and Trusted Launch for VMs.", } func (SecurityProfile) SwaggerDoc() map[string]string { return map_SecurityProfile } +var map_SecuritySettings = map[string]string{ + "": "SecuritySettings define the security type and the UEFI settings of the virtual machine.", + "securityType": "securityType specifies the SecurityType of the virtual machine. It has to be set to any specified value to enable UEFISettings. The default behavior is: UEFISettings will not be enabled unless this property is set.", + "confidentialVM": "confidentialVM specifies the security configuration of the virtual machine. For more information regarding Confidential VMs, please refer to: https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview", + "trustedLaunch": "trustedLaunch specifies the security configuration of the virtual machine. For more information regarding TrustedLaunch for VMs, please refer to: https://learn.microsoft.com/azure/virtual-machines/trusted-launch", +} + +func (SecuritySettings) SwaggerDoc() map[string]string { + return map_SecuritySettings +} + var map_SpotVMOptions = map[string]string{ "": "SpotVMOptions defines the options relevant to running the Machine on Spot VMs", "maxPrice": "MaxPrice defines the maximum price the user is willing to pay for Spot VM instances", @@ -319,6 +341,35 @@ func (SpotVMOptions) SwaggerDoc() map[string]string { return map_SpotVMOptions } +var map_TrustedLaunch = map[string]string{ + "": "TrustedLaunch defines the UEFI settings for the virtual machine.", + "uefiSettings": "uefiSettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.", +} + +func (TrustedLaunch) SwaggerDoc() map[string]string { + return map_TrustedLaunch +} + +var map_UEFISettings = map[string]string{ + "": "UEFISettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.", + "secureBoot": "secureBoot specifies whether secure boot should be enabled on the virtual machine. Secure Boot verifies the digital signature of all boot components and halts the boot process if signature verification fails. If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled.", + "virtualizedTrustedPlatformModule": "virtualizedTrustedPlatformModule specifies whether vTPM should be enabled on the virtual machine. When enabled the virtualized trusted platform module measurements are used to create a known good boot integrity policy baseline. The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed. This is required to be enabled if SecurityEncryptionType is defined. If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled.", +} + +func (UEFISettings) SwaggerDoc() map[string]string { + return map_UEFISettings +} + +var map_VMDiskSecurityProfile = map[string]string{ + "": "VMDiskSecurityProfile specifies the security profile settings for the managed disk. It can be set only for Confidential VMs.", + "diskEncryptionSet": "diskEncryptionSet specifies the customer managed disk encryption set resource id for the managed disk that is used for Customer Managed Key encrypted ConfidentialVM OS Disk and VMGuest blob.", + "securityEncryptionType": "securityEncryptionType specifies the encryption type of the managed disk. It is set to DiskWithVMGuestState to encrypt the managed disk along with the VMGuestState blob, and to VMGuestStateOnly to encrypt the VMGuestState blob only. When set to VMGuestStateOnly, the vTPM should be enabled. When set to DiskWithVMGuestState, both SecureBoot and vTPM should be enabled. If the above conditions are not fulfilled, the VM will not be created and the respective error will be returned. It can be set only for Confidential VMs. Confidential VMs are defined by their SecurityProfile.SecurityType being set to ConfidentialVM, the SecurityEncryptionType of their OS disk being set to one of the allowed values and by enabling the respective SecurityProfile.UEFISettings of the VM (i.e. vTPM and SecureBoot), depending on the selected SecurityEncryptionType. For further details on Azure Confidential VMs, please refer to the respective documentation: https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview", +} + +func (VMDiskSecurityProfile) SwaggerDoc() map[string]string { + return map_VMDiskSecurityProfile +} + var map_GCPDisk = map[string]string{ "": "GCPDisk describes disks for GCP.", "autoDelete": "AutoDelete indicates if the disk will be auto-deleted when the instance is deleted (default false).", diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 74d83db6782..a92604479cd 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -632,6 +632,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/machine/v1beta1.AzureMachineProviderStatus": schema_openshift_api_machine_v1beta1_AzureMachineProviderStatus(ref), "github.com/openshift/api/machine/v1beta1.BlockDeviceMappingSpec": schema_openshift_api_machine_v1beta1_BlockDeviceMappingSpec(ref), "github.com/openshift/api/machine/v1beta1.Condition": schema_openshift_api_machine_v1beta1_Condition(ref), + "github.com/openshift/api/machine/v1beta1.ConfidentialVM": schema_openshift_api_machine_v1beta1_ConfidentialVM(ref), "github.com/openshift/api/machine/v1beta1.DataDisk": schema_openshift_api_machine_v1beta1_DataDisk(ref), "github.com/openshift/api/machine/v1beta1.DataDiskManagedDiskParameters": schema_openshift_api_machine_v1beta1_DataDiskManagedDiskParameters(ref), "github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters": schema_openshift_api_machine_v1beta1_DiskEncryptionSetParameters(ref), @@ -675,10 +676,14 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/machine/v1beta1.Placement": schema_openshift_api_machine_v1beta1_Placement(ref), "github.com/openshift/api/machine/v1beta1.ProviderSpec": schema_openshift_api_machine_v1beta1_ProviderSpec(ref), "github.com/openshift/api/machine/v1beta1.SecurityProfile": schema_openshift_api_machine_v1beta1_SecurityProfile(ref), + "github.com/openshift/api/machine/v1beta1.SecuritySettings": schema_openshift_api_machine_v1beta1_SecuritySettings(ref), "github.com/openshift/api/machine/v1beta1.SpotMarketOptions": schema_openshift_api_machine_v1beta1_SpotMarketOptions(ref), "github.com/openshift/api/machine/v1beta1.SpotVMOptions": schema_openshift_api_machine_v1beta1_SpotVMOptions(ref), "github.com/openshift/api/machine/v1beta1.TagSpecification": schema_openshift_api_machine_v1beta1_TagSpecification(ref), + "github.com/openshift/api/machine/v1beta1.TrustedLaunch": schema_openshift_api_machine_v1beta1_TrustedLaunch(ref), + "github.com/openshift/api/machine/v1beta1.UEFISettings": schema_openshift_api_machine_v1beta1_UEFISettings(ref), "github.com/openshift/api/machine/v1beta1.UnhealthyCondition": schema_openshift_api_machine_v1beta1_UnhealthyCondition(ref), + "github.com/openshift/api/machine/v1beta1.VMDiskSecurityProfile": schema_openshift_api_machine_v1beta1_VMDiskSecurityProfile(ref), "github.com/openshift/api/machine/v1beta1.VSphereMachineProviderSpec": schema_openshift_api_machine_v1beta1_VSphereMachineProviderSpec(ref), "github.com/openshift/api/machine/v1beta1.VSphereMachineProviderStatus": schema_openshift_api_machine_v1beta1_VSphereMachineProviderStatus(ref), "github.com/openshift/api/machine/v1beta1.Workspace": schema_openshift_api_machine_v1beta1_Workspace(ref), @@ -32396,6 +32401,28 @@ func schema_openshift_api_machine_v1beta1_Condition(ref common.ReferenceCallback } } +func schema_openshift_api_machine_v1beta1_ConfidentialVM(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "ConfidentialVM defines the UEFI settings for the virtual machine.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "uefiSettings": { + SchemaProps: spec.SchemaProps{ + Description: "uefiSettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.UEFISettings"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.UEFISettings"}, + } +} + func schema_openshift_api_machine_v1beta1_DataDisk(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -34306,12 +34333,19 @@ func schema_openshift_api_machine_v1beta1_OSDiskManagedDiskParameters(ref common Ref: ref("github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters"), }, }, + "securityProfile": { + SchemaProps: spec.SchemaProps{ + Description: "securityProfile specifies the security profile for the managed disk.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.VMDiskSecurityProfile"), + }, + }, }, Required: []string{"storageAccountType"}, }, }, Dependencies: []string{ - "github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters"}, + "github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters", "github.com/openshift/api/machine/v1beta1.VMDiskSecurityProfile"}, } } @@ -34467,14 +34501,70 @@ func schema_openshift_api_machine_v1beta1_SecurityProfile(ref common.ReferenceCa Properties: map[string]spec.Schema{ "encryptionAtHost": { SchemaProps: spec.SchemaProps{ - Description: "This field indicates whether Host Encryption should be enabled or disabled for a virtual machine or virtual machine scale set. Default is disabled.", + Description: "encryptionAtHost indicates whether Host Encryption should be enabled or disabled for a virtual machine or virtual machine scale set. This should be disabled when SecurityEncryptionType is set to DiskWithVMGuestState. Default is disabled.", Type: []string{"boolean"}, Format: "", }, }, + "settings": { + SchemaProps: spec.SchemaProps{ + Description: "settings specify the security type and the UEFI settings of the virtual machine. This field can be set for Confidential VMs and Trusted Launch for VMs.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.SecuritySettings"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.SecuritySettings"}, + } +} + +func schema_openshift_api_machine_v1beta1_SecuritySettings(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "SecuritySettings define the security type and the UEFI settings of the virtual machine.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "securityType": { + SchemaProps: spec.SchemaProps{ + Description: "securityType specifies the SecurityType of the virtual machine. It has to be set to any specified value to enable UEFISettings. The default behavior is: UEFISettings will not be enabled unless this property is set.", + Type: []string{"string"}, + Format: "", + }, + }, + "confidentialVM": { + SchemaProps: spec.SchemaProps{ + Description: "confidentialVM specifies the security configuration of the virtual machine. For more information regarding Confidential VMs, please refer to: https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview", + Ref: ref("github.com/openshift/api/machine/v1beta1.ConfidentialVM"), + }, + }, + "trustedLaunch": { + SchemaProps: spec.SchemaProps{ + Description: "trustedLaunch specifies the security configuration of the virtual machine. For more information regarding TrustedLaunch for VMs, please refer to: https://learn.microsoft.com/azure/virtual-machines/trusted-launch", + Ref: ref("github.com/openshift/api/machine/v1beta1.TrustedLaunch"), + }, + }, + }, + }, + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-unions": []interface{}{ + map[string]interface{}{ + "discriminator": "securityType", + "fields-to-discriminateBy": map[string]interface{}{ + "confidentialVM": "ConfidentialVM", + "trustedLaunch": "TrustedLaunch", + }, + }, + }, }, }, }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.ConfidentialVM", "github.com/openshift/api/machine/v1beta1.TrustedLaunch"}, } } @@ -34549,6 +34639,55 @@ func schema_openshift_api_machine_v1beta1_TagSpecification(ref common.ReferenceC } } +func schema_openshift_api_machine_v1beta1_TrustedLaunch(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "TrustedLaunch defines the UEFI settings for the virtual machine.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "uefiSettings": { + SchemaProps: spec.SchemaProps{ + Description: "uefiSettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.UEFISettings"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.UEFISettings"}, + } +} + +func schema_openshift_api_machine_v1beta1_UEFISettings(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "UEFISettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "secureBoot": { + SchemaProps: spec.SchemaProps{ + Description: "secureBoot specifies whether secure boot should be enabled on the virtual machine. Secure Boot verifies the digital signature of all boot components and halts the boot process if signature verification fails. If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled.", + Type: []string{"string"}, + Format: "", + }, + }, + "virtualizedTrustedPlatformModule": { + SchemaProps: spec.SchemaProps{ + Description: "virtualizedTrustedPlatformModule specifies whether vTPM should be enabled on the virtual machine. When enabled the virtualized trusted platform module measurements are used to create a known good boot integrity policy baseline. The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed. This is required to be enabled if SecurityEncryptionType is defined. If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled.", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + } +} + func schema_openshift_api_machine_v1beta1_UnhealthyCondition(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -34586,6 +34725,35 @@ func schema_openshift_api_machine_v1beta1_UnhealthyCondition(ref common.Referenc } } +func schema_openshift_api_machine_v1beta1_VMDiskSecurityProfile(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "VMDiskSecurityProfile specifies the security profile settings for the managed disk. It can be set only for Confidential VMs.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "diskEncryptionSet": { + SchemaProps: spec.SchemaProps{ + Description: "diskEncryptionSet specifies the customer managed disk encryption set resource id for the managed disk that is used for Customer Managed Key encrypted ConfidentialVM OS Disk and VMGuest blob.", + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters"), + }, + }, + "securityEncryptionType": { + SchemaProps: spec.SchemaProps{ + Description: "securityEncryptionType specifies the encryption type of the managed disk. It is set to DiskWithVMGuestState to encrypt the managed disk along with the VMGuestState blob, and to VMGuestStateOnly to encrypt the VMGuestState blob only. When set to VMGuestStateOnly, the vTPM should be enabled. When set to DiskWithVMGuestState, both SecureBoot and vTPM should be enabled. If the above conditions are not fulfilled, the VM will not be created and the respective error will be returned. It can be set only for Confidential VMs. Confidential VMs are defined by their SecurityProfile.SecurityType being set to ConfidentialVM, the SecurityEncryptionType of their OS disk being set to one of the allowed values and by enabling the respective SecurityProfile.UEFISettings of the VM (i.e. vTPM and SecureBoot), depending on the selected SecurityEncryptionType. For further details on Azure Confidential VMs, please refer to the respective documentation: https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/machine/v1beta1.DiskEncryptionSetParameters"}, + } +} + func schema_openshift_api_machine_v1beta1_VSphereMachineProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/openapi/openapi.json b/openapi/openapi.json index ee5914f19c7..feb1f69739a 100644 --- a/openapi/openapi.json +++ b/openapi/openapi.json @@ -18839,6 +18839,17 @@ } } }, + "com.github.openshift.api.machine.v1beta1.ConfidentialVM": { + "description": "ConfidentialVM defines the UEFI settings for the virtual machine.", + "type": "object", + "properties": { + "uefiSettings": { + "description": "uefiSettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machine.v1beta1.UEFISettings" + } + } + }, "com.github.openshift.api.machine.v1beta1.DataDisk": { "description": "DataDisk specifies the parameters that are used to add one or more data disks to the machine. A Data Disk is a managed disk that's attached to a virtual machine to store application data. It differs from an OS Disk as it doesn't come with a pre-installed OS, and it cannot contain the boot volume. It is registered as SCSI drive and labeled with the chosen `lun`. e.g. for `lun: 0` the raw disk device will be available at `/dev/disk/azure/scsi1/lun0`.\n\nAs the Data Disk disk device is attached raw to the virtual machine, it will need to be partitioned, formatted with a filesystem and mounted, in order for it to be usable. This can be done by creating a custom userdata Secret with custom Ignition configuration to achieve the desired initialization. At this stage the previously defined `lun` is to be used as the \"device\" key for referencing the raw disk device to be initialized. Once the custom userdata Secret has been created, it can be referenced in the Machine's `.providerSpec.userDataSecret`. For further guidance and examples, please refer to the official OpenShift docs.", "type": "object", @@ -19984,6 +19995,11 @@ "description": "DiskEncryptionSet is the disk encryption set properties", "$ref": "#/definitions/com.github.openshift.api.machine.v1beta1.DiskEncryptionSetParameters" }, + "securityProfile": { + "description": "securityProfile specifies the security profile for the managed disk.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machine.v1beta1.VMDiskSecurityProfile" + }, "storageAccountType": { "description": "StorageAccountType is the storage account type to use. Possible values include \"Standard_LRS\", \"Premium_LRS\".", "type": "string", @@ -20068,11 +20084,43 @@ "type": "object", "properties": { "encryptionAtHost": { - "description": "This field indicates whether Host Encryption should be enabled or disabled for a virtual machine or virtual machine scale set. Default is disabled.", + "description": "encryptionAtHost indicates whether Host Encryption should be enabled or disabled for a virtual machine or virtual machine scale set. This should be disabled when SecurityEncryptionType is set to DiskWithVMGuestState. Default is disabled.", "type": "boolean" + }, + "settings": { + "description": "settings specify the security type and the UEFI settings of the virtual machine. This field can be set for Confidential VMs and Trusted Launch for VMs.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machine.v1beta1.SecuritySettings" } } }, + "com.github.openshift.api.machine.v1beta1.SecuritySettings": { + "description": "SecuritySettings define the security type and the UEFI settings of the virtual machine.", + "type": "object", + "properties": { + "confidentialVM": { + "description": "confidentialVM specifies the security configuration of the virtual machine. For more information regarding Confidential VMs, please refer to: https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview", + "$ref": "#/definitions/com.github.openshift.api.machine.v1beta1.ConfidentialVM" + }, + "securityType": { + "description": "securityType specifies the SecurityType of the virtual machine. It has to be set to any specified value to enable UEFISettings. The default behavior is: UEFISettings will not be enabled unless this property is set.", + "type": "string" + }, + "trustedLaunch": { + "description": "trustedLaunch specifies the security configuration of the virtual machine. For more information regarding TrustedLaunch for VMs, please refer to: https://learn.microsoft.com/azure/virtual-machines/trusted-launch", + "$ref": "#/definitions/com.github.openshift.api.machine.v1beta1.TrustedLaunch" + } + }, + "x-kubernetes-unions": [ + { + "discriminator": "securityType", + "fields-to-discriminateBy": { + "confidentialVM": "ConfidentialVM", + "trustedLaunch": "TrustedLaunch" + } + } + ] + }, "com.github.openshift.api.machine.v1beta1.SpotMarketOptions": { "description": "SpotMarketOptions defines the options available to a user when configuring Machines to run on Spot instances. Most users should provide an empty struct.", "type": "object", @@ -20113,6 +20161,31 @@ } } }, + "com.github.openshift.api.machine.v1beta1.TrustedLaunch": { + "description": "TrustedLaunch defines the UEFI settings for the virtual machine.", + "type": "object", + "properties": { + "uefiSettings": { + "description": "uefiSettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machine.v1beta1.UEFISettings" + } + } + }, + "com.github.openshift.api.machine.v1beta1.UEFISettings": { + "description": "UEFISettings specifies the security settings like secure boot and vTPM used while creating the virtual machine.", + "type": "object", + "properties": { + "secureBoot": { + "description": "secureBoot specifies whether secure boot should be enabled on the virtual machine. Secure Boot verifies the digital signature of all boot components and halts the boot process if signature verification fails. If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled.", + "type": "string" + }, + "virtualizedTrustedPlatformModule": { + "description": "virtualizedTrustedPlatformModule specifies whether vTPM should be enabled on the virtual machine. When enabled the virtualized trusted platform module measurements are used to create a known good boot integrity policy baseline. The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed. This is required to be enabled if SecurityEncryptionType is defined. If omitted, the platform chooses a default, which is subject to change over time, currently that default is disabled.", + "type": "string" + } + } + }, "com.github.openshift.api.machine.v1beta1.UnhealthyCondition": { "description": "UnhealthyCondition represents a Node condition type and value with a timeout specified as a duration. When the named condition has been in the given status for at least the timeout value, a node is considered unhealthy.", "type": "object", @@ -20137,6 +20210,21 @@ } } }, + "com.github.openshift.api.machine.v1beta1.VMDiskSecurityProfile": { + "description": "VMDiskSecurityProfile specifies the security profile settings for the managed disk. It can be set only for Confidential VMs.", + "type": "object", + "properties": { + "diskEncryptionSet": { + "description": "diskEncryptionSet specifies the customer managed disk encryption set resource id for the managed disk that is used for Customer Managed Key encrypted ConfidentialVM OS Disk and VMGuest blob.", + "default": {}, + "$ref": "#/definitions/com.github.openshift.api.machine.v1beta1.DiskEncryptionSetParameters" + }, + "securityEncryptionType": { + "description": "securityEncryptionType specifies the encryption type of the managed disk. It is set to DiskWithVMGuestState to encrypt the managed disk along with the VMGuestState blob, and to VMGuestStateOnly to encrypt the VMGuestState blob only. When set to VMGuestStateOnly, the vTPM should be enabled. When set to DiskWithVMGuestState, both SecureBoot and vTPM should be enabled. If the above conditions are not fulfilled, the VM will not be created and the respective error will be returned. It can be set only for Confidential VMs. Confidential VMs are defined by their SecurityProfile.SecurityType being set to ConfidentialVM, the SecurityEncryptionType of their OS disk being set to one of the allowed values and by enabling the respective SecurityProfile.UEFISettings of the VM (i.e. vTPM and SecureBoot), depending on the selected SecurityEncryptionType. For further details on Azure Confidential VMs, please refer to the respective documentation: https://learn.microsoft.com/azure/confidential-computing/confidential-vm-overview", + "type": "string" + } + } + }, "com.github.openshift.api.machine.v1beta1.VSphereMachineProviderSpec": { "description": "VSphereMachineProviderSpec is the type that will be embedded in a Machine.Spec.ProviderSpec field for an VSphere virtual machine. It is used by the vSphere machine actuator to create a single Machine. Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).", "type": "object",