edgelesssys · msanft · Apr 16, 2024 · Apr 4, 2024 · Apr 4, 2024 · Apr 4, 2024
diff --git a/.github/actions/e2e_verify/action.yml b/.github/actions/e2e_verify/action.yml
@@ -84,7 +84,7 @@ runs:
         aws-region: eu-central-1
 
     - name: Upload extracted TCBs
-      if: github.ref_name == 'main' && (inputs.attestationVariant == 'azure-sev-snp' || inputs.attestationVariant == 'aws-sev-snp')
+      if: github.ref_name == 'main' && (inputs.attestationVariant == 'azure-sev-snp' || inputs.attestationVariant == 'aws-sev-snp' || inputs.attestationVariant == 'gcp-sev-snp')
       shell: bash
       env:
         COSIGN_PASSWORD: ${{ inputs.cosignPassword }}

diff --git a/.github/actions/terraform_apply/action.yml b/.github/actions/terraform_apply/action.yml
@@ -26,6 +26,9 @@ runs:
           "gcpSEVES")
             attestationVariant="gcp-sev-es"
             ;;
+          "gcpSEVSNP")
+            attestationVariant="gcp-sev-snp"
+            ;;
           *)
             echo "Unknown attestation variant: $(yq '.attestation | keys | .[0]' constellation-conf.yaml)"
             exit 1

diff --git a/.github/workflows/e2e-attestationconfigapi.yml b/.github/workflows/e2e-attestationconfigapi.yml
@@ -22,7 +22,7 @@ jobs:
       fail-fast: false
       max-parallel: 1
       matrix:
-        csp: ["azure", "aws"]
+        csp: ["azure", "aws", "gcp"]
     runs-on: ubuntu-22.04
     permissions:
       id-token: write

diff --git a/.github/workflows/e2e-test-daily.yml b/.github/workflows/e2e-test-daily.yml
@@ -46,7 +46,7 @@ jobs:
       max-parallel: 5
       matrix:
         kubernetesVersion: ["1.28"] # should be default
-        attestationVariant: ["gcp-sev-es", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
+        attestationVariant: ["gcp-sev-es", "gcp-sev-snp", "azure-sev-snp", "azure-tdx", "aws-sev-snp"]
         refStream: ["ref/main/stream/debug/?", "ref/release/stream/stable/?"]
         test: ["sonobuoy quick"]
     runs-on: ubuntu-22.04

diff --git a/.github/workflows/e2e-test-internal-lb.yml b/.github/workflows/e2e-test-internal-lb.yml
@@ -11,10 +11,11 @@ on:
         description: "Which attestation variant to use."
         type: choice
         options:
-          - "gcp-sev-es"
+          - "aws-sev-snp"
           - "azure-sev-snp"
           - "azure-tdx"
-          - "aws-sev-snp"
+          - "gcp-sev-es"
+          - "gcp-sev-snp"
         default: "azure-sev-snp"
         required: true
       runner:

diff --git a/.github/workflows/e2e-test-marketplace-image.yml b/.github/workflows/e2e-test-marketplace-image.yml
@@ -11,10 +11,11 @@ on:
         description: "Which attestation variant to use."
         type: choice
         options:
-          - "gcp-sev-es"
+          - "aws-sev-snp"
           - "azure-sev-snp"
           - "azure-tdx"
-          - "aws-sev-snp"
+          - "gcp-sev-es"
+          - "gcp-sev-snp"
         default: "azure-sev-snp"
         required: true
       runner:

diff --git a/.github/workflows/e2e-test-provider-example.yml b/.github/workflows/e2e-test-provider-example.yml
@@ -31,6 +31,7 @@ on:
           - "azure-sev-snp"
           - "azure-tdx"
           - "gcp-sev-es"
+          - "gcp-sev-snp"
         default: "azure-sev-snp"
         required: true
   workflow_call:
@@ -265,11 +266,21 @@ jobs:
         run: |
           region=$(echo ${{ inputs.regionZone || 'europe-west3-b' }} | rev | cut -c 3- | rev)
 
+          case "${{ inputs.attestationVariant }}" in
+            "gcp-sev-snp")
+              cc_tech="SEV_SNP"
+              ;;
+            *)
+              cc_tech="SEV"
+              ;;
+          esac
+
           cat >> _override.tf <<EOF
           locals {
             project_id         = "constellation-e2e"
             region = "${region}"
             zone = "${{ inputs.regionZone || 'europe-west3-b' }}"
+            cc_technology = "${cc_tech}"
           }
           EOF
           cat _override.tf

diff --git a/.github/workflows/e2e-test-release.yml b/.github/workflows/e2e-test-release.yml
@@ -49,6 +49,10 @@ jobs:
             attestationVariant: "gcp-sev-es"
             kubernetes-version: "v1.29"
             runner: "ubuntu-22.04"
+          - test: "sonobuoy full"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.29"
+            runner: "ubuntu-22.04"
             clusterCreation: "cli"
           - test: "sonobuoy full"
             attestationVariant: "azure-sev-snp"
@@ -72,6 +76,11 @@ jobs:
             kubernetes-version: "v1.28"
             runner: "ubuntu-22.04"
             clusterCreation: "cli"
+          - test: "sonobuoy full"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.28"
+            runner: "ubuntu-22.04"
+            clusterCreation: "cli"
           - test: "sonobuoy full"
             attestationVariant: "azure-sev-snp"
             kubernetes-version: "v1.28"
@@ -93,6 +102,11 @@ jobs:
             kubernetes-version: "v1.27"
             runner: "ubuntu-22.04"
             clusterCreation: "cli"
+          - test: "sonobuoy full"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.27"
+            runner: "ubuntu-22.04"
+            clusterCreation: "cli"
           - test: "sonobuoy full"
             attestationVariant: "azure-sev-snp"
             kubernetes-version: "v1.27"
@@ -115,6 +129,11 @@ jobs:
             kubernetes-version: "v1.29"
             runner: "ubuntu-22.04"
             clusterCreation: "cli"
+          - test: "verify"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.29"
+            runner: "ubuntu-22.04"
+            clusterCreation: "cli"
           - test: "verify"
             attestationVariant: "azure-sev-snp"
             kubernetes-version: "v1.29"
@@ -137,6 +156,11 @@ jobs:
             kubernetes-version: "v1.29"
             runner: "ubuntu-22.04"
             clusterCreation: "cli"
+          - test: "recover"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.29"
+            runner: "ubuntu-22.04"
+            clusterCreation: "cli"
           - test: "recover"
             attestationVariant: "azure-sev-snp"
             kubernetes-version: "v1.29"
@@ -159,6 +183,11 @@ jobs:
             kubernetes-version: "v1.29"
             runner: "ubuntu-22.04"
             clusterCreation: "cli"
+          - test: "lb"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.29"
+            runner: "ubuntu-22.04"
+            clusterCreation: "cli"
           - test: "lb"
             attestationVariant: "azure-sev-snp"
             kubernetes-version: "v1.29"
@@ -181,6 +210,11 @@ jobs:
             kubernetes-version: "v1.29"
             runner: "ubuntu-22.04"
             clusterCreation: "cli"
+          - test: "autoscaling"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.29"
+            runner: "ubuntu-22.04"
+            clusterCreation: "cli"
           - test: "autoscaling"
             attestationVariant: "azure-sev-snp"
             kubernetes-version: "v1.29"
@@ -203,6 +237,11 @@ jobs:
             kubernetes-version: "v1.29"
             runner: "ubuntu-22.04"
             clusterCreation: "cli"
+          - test: "perf-bench"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.29"
+            runner: "ubuntu-22.04"
+            clusterCreation: "cli"
           - test: "perf-bench"
             attestationVariant: "azure-sev-snp"
             kubernetes-version: "v1.29"
@@ -223,6 +262,11 @@ jobs:
             attestationVariant: "gcp-sev-es"
             kubernetes-version: "v1.29"
             clusterCreation: "cli"
+          - test: "malicious join"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.29"
+            clusterCreation: "cli"
           - test: "malicious join"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-sev-snp"

diff --git a/.github/workflows/e2e-test-terraform-provider.yml b/.github/workflows/e2e-test-terraform-provider.yml
@@ -11,10 +11,11 @@ on:
         description: "Which attestation variant to use."
         type: choice
         options:
-          - "gcp-sev-es"
+          - "aws-sev-snp"
           - "azure-sev-snp"
           - "azure-tdx"
-          - "aws-sev-snp"
+          - "gcp-sev-es"
+          - "gcp-sev-snp"
         default: "azure-sev-snp"
         required: true
       runner:

diff --git a/.github/workflows/e2e-test-weekly.yml b/.github/workflows/e2e-test-weekly.yml
@@ -57,6 +57,11 @@ jobs:
             attestationVariant: "gcp-sev-es"
             kubernetes-version: "v1.29"
             clusterCreation: "cli"
+          - test: "sonobuoy full"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.29"
+            clusterCreation: "cli"
           - test: "sonobuoy full"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-sev-snp"
@@ -79,6 +84,11 @@ jobs:
             attestationVariant: "gcp-sev-es"
             kubernetes-version: "v1.28"
             clusterCreation: "cli"
+          - test: "sonobuoy quick"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.28"
+            clusterCreation: "cli"
           - test: "sonobuoy quick"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-sev-snp"
@@ -100,6 +110,11 @@ jobs:
             attestationVariant: "gcp-sev-es"
             kubernetes-version: "v1.27"
             clusterCreation: "cli"
+          - test: "sonobuoy quick"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.27"
+            clusterCreation: "cli"
           - test: "sonobuoy quick"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-sev-snp"
@@ -123,6 +138,11 @@ jobs:
             attestationVariant: "gcp-sev-es"
             kubernetes-version: "v1.29"
             clusterCreation: "cli"
+          - test: "verify"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.29"
+            clusterCreation: "cli"
           - test: "verify"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-sev-snp"
@@ -146,6 +166,11 @@ jobs:
             attestationVariant: "gcp-sev-es"
             kubernetes-version: "v1.29"
             clusterCreation: "cli"
+          - test: "recover"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.29"
+            clusterCreation: "cli"
           - test: "recover"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-sev-snp"
@@ -168,6 +193,11 @@ jobs:
             attestationVariant: "gcp-sev-es"
             kubernetes-version: "v1.29"
             clusterCreation: "cli"
+          - test: "lb"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.29"
+            clusterCreation: "cli"
           - test: "lb"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-sev-snp"
@@ -190,6 +220,11 @@ jobs:
             attestationVariant: "gcp-sev-es"
             kubernetes-version: "v1.29"
             clusterCreation: "cli"
+          - test: "autoscaling"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.29"
+            clusterCreation: "cli"
           - test: "autoscaling"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-sev-snp"
@@ -212,6 +247,11 @@ jobs:
             attestationVariant: "gcp-sev-es"
             kubernetes-version: "v1.29"
             clusterCreation: "cli"
+          - test: "perf-bench"
+            refStream: "ref/main/stream/debug/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.29"
+            clusterCreation: "cli"
           - test: "perf-bench"
             refStream: "ref/main/stream/debug/?"
             attestationVariant: "azure-sev-snp"
@@ -241,6 +281,11 @@ jobs:
             attestationVariant: "gcp-sev-es"
             kubernetes-version: "v1.28"
             clusterCreation: "cli"
+          - test: "verify"
+            refStream: "ref/release/stream/stable/?"
+            attestationVariant: "gcp-sev-snp"
+            kubernetes-version: "v1.28"
+            clusterCreation: "cli"
           - test: "verify"
             refStream: "ref/release/stream/stable/?"
             attestationVariant: "azure-sev-snp"

diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml
@@ -12,6 +12,7 @@ on:
         type: choice
         options:
           - "gcp-sev-es"
+          - "gcp-sev-snp"
           - "azure-sev-snp"
           - "azure-tdx"
           - "aws-sev-snp"

diff --git a/.github/workflows/e2e-upgrade.yml b/.github/workflows/e2e-upgrade.yml
@@ -7,10 +7,11 @@ on:
         description: "Which attestation variant to use."
         type: choice
         options:
-          - "gcp-sev-es"
+          - "aws-sev-snp"
           - "azure-sev-snp"
           - "azure-tdx"
-          - "aws-sev-snp"
+          - "gcp-sev-es"
+          - "gcp-sev-snp"
         default: "azure-sev-snp"
         required: true
       nodeCount:

diff --git a/.github/workflows/on-release.yml b/.github/workflows/on-release.yml
@@ -161,6 +161,7 @@ jobs:
         id: fetch-reference
         shell: bash
         run: |
+          # TODO(msanft): Implement marketplace images for GCP SEV-SNP
           aws s3 cp s3://cdn-constellation-backend/constellation/v2/ref/-/stream/stable/${{ steps.fetch-version.outputs.output }}/image/info.json .
           FULL_REF=$(yq e -r -oy '.list.[] | select(.attestationVariant == "gcp-sev-es") | .reference' info.json)
           IMAGE_NAME=$(echo "${FULL_REF}" | cut -d / -f 5)

@@ -209,6 +209,12 @@ func gcpTerraformVars(conf *config.Config, imageRef string) *terraform.GCPCluste
 			DiskType:        group.StateDiskType,
 		}
 	}
+
+	ccTech := "SEV"
+	if conf.GetAttestationConfig().GetVariant().Equal(variant.GCPSEVSNP{}) {
+		ccTech = "SEV_SNP"
+	}
+
 	return &terraform.GCPClusterVariables{
 		Name:                 conf.Name,
 		NodeGroups:           nodeGroups,
@@ -219,6 +225,7 @@ func gcpTerraformVars(conf *config.Config, imageRef string) *terraform.GCPCluste
 		Debug:                conf.IsDebugCluster(),
 		CustomEndpoint:       conf.CustomEndpoint,
 		InternalLoadBalancer: conf.InternalLoadBalancer,
+		CCTechnology:         ccTech,
 	}
 }
 

diff --git a/cli/internal/cmd/configgenerate_test.go b/cli/internal/cmd/configgenerate_test.go
@@ -235,6 +235,11 @@ func TestValidProviderAttestationCombination(t *testing.T) {
 			variant.GCPSEVES{},
 			config.AttestationConfig{GCPSEVES: defaultAttestation.GCPSEVES},
 		},
+		{
+			cloudprovider.GCP,
+			variant.GCPSEVSNP{},
+			config.AttestationConfig{GCPSEVSNP: defaultAttestation.GCPSEVSNP},
+		},
 		{
 			cloudprovider.QEMU,
 			variant.QEMUVTPM{},
@@ -286,6 +291,10 @@ func TestParseAttestationFlag(t *testing.T) {
 			attestationFlag: "gcp-sev-es",
 			wantVariant:     variant.GCPSEVES{},
 		},
+		"GCPSEVSNP": {
+			attestationFlag: "gcp-sev-snp",
+			wantVariant:     variant.GCPSEVSNP{},
+		},
 		"QEMUVTPM": {
 			attestationFlag: "qemu-vtpm",
 			wantVariant:     variant.QEMUVTPM{},