
Commit 14d3d35

h3adexelchead
authored andcommitted
config: only allow confidential instances on stackit (#3463)
* cli: only allow confidential instances on stackit * review changes
1 parent 33f1a91 commit 14d3d35


2 files changed

+75
-3
lines changed


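--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -688,107 +688,168 @@ func TestValidInstanceTypeForProvider(t *testing.T) {
 testCases := map[string]struct {
 variant variant.Variant
 instanceTypes []string
+providerConfig ProviderConfig
 expectedResult bool
 }{
 "empty all": {
 variant: variant.Dummy{},
 instanceTypes: []string{},
 expectedResult: false,
+providerConfig: ProviderConfig{},
 },
 "empty aws": {
 variant: variant.AWSSEVSNP{},
 instanceTypes: []string{},
 expectedResult: false,
+providerConfig: ProviderConfig{},
 },
 "empty azure only CVMs": {
 variant: variant.AzureSEVSNP{},
 instanceTypes: []string{},
 expectedResult: false,
+providerConfig: ProviderConfig{},
 },
 "empty azure with non-CVMs": {
 variant: variant.AzureTrustedLaunch{},
 instanceTypes: []string{},
 expectedResult: false,
+providerConfig: ProviderConfig{},
 },
 "empty gcp": {
 variant: variant.GCPSEVES{},
 instanceTypes: []string{},
 expectedResult: false,
+providerConfig: ProviderConfig{},
 },
 "azure only CVMs (SNP)": {
 variant: variant.AzureSEVSNP{},
 instanceTypes: instancetypes.AzureSNPInstanceTypes,
 expectedResult: true,
+providerConfig: ProviderConfig{},
 },
 "azure only CVMs (TDX)": {
 variant: variant.AzureTDX{},
 instanceTypes: instancetypes.AzureTDXInstanceTypes,
 expectedResult: true,
+providerConfig: ProviderConfig{},
 },
 "azure trusted launch VMs": {
 variant: variant.AzureTrustedLaunch{},
 instanceTypes: instancetypes.AzureTrustedLaunchInstanceTypes,
 expectedResult: true,
+providerConfig: ProviderConfig{},
 },
 "gcp": {
 variant: variant.GCPSEVES{},
 instanceTypes: instancetypes.GCPInstanceTypes,
 expectedResult: true,
+providerConfig: ProviderConfig{},
 },
 "gcp sev-snp": {
 variant: variant.GCPSEVSNP{},
 instanceTypes: instancetypes.GCPInstanceTypes,
 expectedResult: true,
+providerConfig: ProviderConfig{},
 },
 "put gcp when azure is set": {
 variant: variant.AzureSEVSNP{},
 instanceTypes: instancetypes.GCPInstanceTypes,
 expectedResult: false,
+providerConfig: ProviderConfig{},
 },
 "put azure when gcp is set": {
 variant: variant.GCPSEVES{},
 instanceTypes: instancetypes.AzureSNPInstanceTypes,
 expectedResult: false,
+providerConfig: ProviderConfig{},
 },
 // Testing every possible instance type for AWS is not feasible, so we just test a few based on known supported / unsupported families
 // Also serves as a test for checkIfInstanceInValidAWSFamilys
 "aws two valid instances": {
 variant: variant.AWSSEVSNP{},
 instanceTypes: []string{"c5.xlarge", "c5a.2xlarge", "c5a.16xlarge", "u-12tb1.112xlarge"},
 expectedResult: false, // False because 2 two of the instances are not valid
+providerConfig: ProviderConfig{},
 },
 "aws one valid instance one with too little vCPUs": {
 variant: variant.AWSSEVSNP{},
 instanceTypes: []string{"c5.medium"},
 expectedResult: false,
+providerConfig: ProviderConfig{},
 },
 "aws graviton sub-family unsupported": {
 variant: variant.AWSSEVSNP{},
 instanceTypes: []string{"m6g.xlarge", "r6g.2xlarge", "x2gd.xlarge", "g5g.8xlarge"},
 expectedResult: false,
+providerConfig: ProviderConfig{},
 },
 "aws combined two valid instances as one string": {
 variant: variant.AWSSEVSNP{},
 instanceTypes: []string{"c5.xlarge, c5a.2xlarge"},
 expectedResult: false,
+providerConfig: ProviderConfig{},
 },
 "aws only CVMs": {
 variant: variant.AWSSEVSNP{},
 instanceTypes: []string{"c6a.xlarge", "m6a.xlarge", "r6a.xlarge"},
 expectedResult: true,
+providerConfig: ProviderConfig{},
 },
 "aws nitroTPM VMs": {
 variant: variant.AWSNitroTPM{},
 instanceTypes: []string{"c5.xlarge", "c5a.2xlarge", "c5a.16xlarge", "u-12tb1.112xlarge"},
 expectedResult: true,
+providerConfig: ProviderConfig{},
+},
+"stackit valid flavors": {
+variant: variant.QEMUVTPM{},
+instanceTypes: []string{
+"m1a.2cd",
+"m1a.4cd",
+"m1a.8cd",
+"m1a.16cd",
+"m1a.30cd",
+},
+expectedResult: true,
+providerConfig: ProviderConfig{OpenStack: &OpenStackConfig{Cloud: "stackit"}},
+},
+"stackit not valid flavors": {
+variant: variant.QEMUVTPM{},
+instanceTypes: []string{
+// removed the c which indicates a confidential flavor
+"m1a.2d",
+"m1a.4d",
+"m1a.8d",
+"m1a.16d",
+"m1a.30d",
+},
+expectedResult: false,
+providerConfig: ProviderConfig{OpenStack: &OpenStackConfig{Cloud: "stackit"}},
+},
+"openstack cloud named test": {
+variant: variant.QEMUVTPM{},
+instanceTypes: []string{
+"foo.bar",
+"foo.bar1",
+},
+expectedResult: true,
+providerConfig: ProviderConfig{OpenStack: &OpenStackConfig{Cloud: "test"}},
+},
+"Qemutdx valid instance type": {
+variant: variant.QEMUTDX{},
+instanceTypes: []string{
+"foo.bar",
+},
+expectedResult: true,
+providerConfig: ProviderConfig{QEMU: &QEMUConfig{}},
 },
 }
 for name, tc := range testCases {
 t.Run(name, func(t *testing.T) {
 assert := assert.New(t)
 for _, instanceType := range tc.instanceTypes {
 assert.Equal(
-tc.expectedResult, validInstanceTypeForProvider(instanceType, tc.variant),
+tc.expectedResult, validInstanceTypeForProvider(instanceType, tc.variant, tc.providerConfig),
 instanceType,
 )
 }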
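Review bot: The new table entries never pin the case-insensitive cloud-name match that the production check performs via strings.ToLower, nor the QEMU TDX variant combined with a STACKIT OpenStack config, so those inputs to the new allow-list go untested. Consider adding `"stackit mixed-case cloud name": {variant: variant.QEMUVTPM{}, instanceTypes: []string{"m1a.2cd"}, expectedResult: true, providerConfig: ProviderConfig{OpenStack: &OpenStackConfig{Cloud: "STACKIT"}}}` and a sibling case with `variant.QEMUTDX{}`, a non-confidential flavor such as "m1a.2d" and `expectedResult: false`. The "Qemutdx valid instance type" case sets a QEMU provider rather than an OpenStack one, so it only exercises the pass-through path, not the STACKIT restriction. The closing lines of TestValidInstanceTypeForProvider are outside the hunk.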

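--- a/internal/config/validation.go
+++ b/internal/config/validation.go
@@ -520,7 +520,7 @@ func (c *Config) translateMoreThanOneProviderError(ut ut.Translator, fe validato
 return t
 }
 
-func validInstanceTypeForProvider(insType string, attestation variant.Variant) bool {
+func validInstanceTypeForProvider(insType string, attestation variant.Variant, provider ProviderConfig) bool {
 switch attestation {
 case variant.AWSSEVSNP{}, variant.AWSNitroTPM{}:
 return isSupportedAWSInstanceType(insType, attestation.Equal(variant.AWSNitroTPM{}))
@@ -549,6 +549,17 @@ func validInstanceTypeForProvider(insType string, attestation variant.Variant) b
 }
 }
 case variant.QEMUVTPM{}, variant.QEMUTDX{}:
+// only allow confidential instances on stackit cloud using QEMU vTPM
+if provider.OpenStack != nil {
+if cloud := provider.OpenStack.Cloud; strings.ToLower(cloud) == "stackit" {
+for _, instanceType := range instancetypes.STACKITInstanceTypes {
+if insType == instanceType {
+return true
+}
+}
+return false
+}
+}
 return true
 }
 return false
@@ -789,7 +800,7 @@ func (c *Config) validateNodeGroupZoneField(fl validator.FieldLevel) bool {
 }
 
 func (c *Config) validateInstanceType(fl validator.FieldLevel) bool {
-return validInstanceTypeForProvider(fl.Field().String(), c.GetAttestationConfig().GetVariant())
+return validInstanceTypeForProvider(fl.Field().String(), c.GetAttestationConfig().GetVariant(), c.Provider)
 }
 
 func (c *Config) validateStateDiskTypeField(fl validator.FieldLevel) bool {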
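Review bot: The comment on the first added line of the second hunk says the allow-list applies to "QEMU vTPM", but the enclosing `case variant.QEMUVTPM{}, variant.QEMUTDX{}:` makes the STACKIT restriction apply to the TDX variant as well, so either the comment should read `// only allow confidential flavors on the STACKIT cloud (applies to both QEMU vTPM and QEMU TDX variants)` or the check should be narrowed to the vTPM variant if that was the intent. The membership loop over `instancetypes.STACKITInstanceTypes` can be written `if slices.Contains(instancetypes.STACKITInstanceTypes, insType) { return true }` and the cloud comparison `strings.EqualFold(provider.OpenStack.Cloud, "stackit")`, provided the module targets Go 1.21 or later. Because any other OpenStack cloud still returns true for every flavor, a doc comment on validInstanceTypeForProvider stating that `provider` is consulted only for OpenStack and that the flavor allow-list is enforced only when the cloud is stackit would make that contract explicit. The switch body continues outside the hunk.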
