package v1beta1

import (
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// GCPHostMaintenanceType is a type representing acceptable values for the OnHostMaintenance field in GCPMachineProviderSpec.
type GCPHostMaintenanceType string

const (
	// MigrateHostMaintenanceType [default] - causes Compute Engine to live migrate an instance when there is a maintenance event.
	MigrateHostMaintenanceType GCPHostMaintenanceType = "Migrate"
	// TerminateHostMaintenanceType - stops an instance instead of migrating it.
	TerminateHostMaintenanceType GCPHostMaintenanceType = "Terminate"
)

// GCPRestartPolicyType is a type representing acceptable values for the RestartPolicy field in GCPMachineProviderSpec.
type GCPRestartPolicyType string

const (
	// RestartPolicyAlways restarts an instance if it crashes or the underlying infrastructure provider stops it as part of a maintenance event.
	RestartPolicyAlways GCPRestartPolicyType = "Always"
	// RestartPolicyNever does not restart an instance if it crashes or the underlying infrastructure provider stops it as part of a maintenance event.
	RestartPolicyNever GCPRestartPolicyType = "Never"
)

// SecureBootPolicy represents the secure boot configuration for the GCP machine.
type SecureBootPolicy string

const (
	// SecureBootPolicyEnabled enables the secure boot configuration for the GCP machine.
	SecureBootPolicyEnabled SecureBootPolicy = "Enabled"
	// SecureBootPolicyDisabled disables the secure boot configuration for the GCP machine.
	SecureBootPolicyDisabled SecureBootPolicy = "Disabled"
)

// VirtualizedTrustedPlatformModulePolicy represents the virtualized trusted platform module configuration for the GCP machine.
type VirtualizedTrustedPlatformModulePolicy string

const (
	// VirtualizedTrustedPlatformModulePolicyEnabled enables the virtualized trusted platform module configuration for the GCP machine.
	VirtualizedTrustedPlatformModulePolicyEnabled VirtualizedTrustedPlatformModulePolicy = "Enabled"
	// VirtualizedTrustedPlatformModulePolicyDisabled disables the virtualized trusted platform module configuration for the GCP machine.
	VirtualizedTrustedPlatformModulePolicyDisabled VirtualizedTrustedPlatformModulePolicy = "Disabled"
)

// IntegrityMonitoringPolicy represents the integrity monitoring configuration for the GCP machine.
type IntegrityMonitoringPolicy string

const (
	// IntegrityMonitoringPolicyEnabled enables integrity monitoring for the GCP machine.
	IntegrityMonitoringPolicyEnabled IntegrityMonitoringPolicy = "Enabled"
	// IntegrityMonitoringPolicyDisabled disables integrity monitoring for the GCP machine.
	IntegrityMonitoringPolicyDisabled IntegrityMonitoringPolicy = "Disabled"
)

// ConfidentialComputePolicy represents the confidential compute configuration for the GCP machine.
type ConfidentialComputePolicy string

const (
	// ConfidentialComputePolicyEnabled enables confidential compute for the GCP machine.
	ConfidentialComputePolicyEnabled ConfidentialComputePolicy = "Enabled"
	// ConfidentialComputePolicyDisabled disables confidential compute for the GCP machine.
	ConfidentialComputePolicyDisabled ConfidentialComputePolicy = "Disabled"
)

// GCPMachineProviderSpec is the type that will be embedded in a Machine.Spec.ProviderSpec field
// for a GCP virtual machine. It is used by the GCP machine actuator to create a single Machine.
// Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=2
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type GCPMachineProviderSpec struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// UserDataSecret contains a local reference to a Secret that contains the
	// UserData to apply to the instance. As a LocalObjectReference, the Secret is
	// resolved in the same namespace as the Machine.
	// +optional
	UserDataSecret *corev1.LocalObjectReference `json:"userDataSecret,omitempty"`
	// CredentialsSecret is a reference to the Secret with GCP credentials. As a
	// LocalObjectReference, the Secret is resolved in the same namespace as the Machine.
	// +optional
	CredentialsSecret *corev1.LocalObjectReference `json:"credentialsSecret,omitempty"`
	// CanIPForward allows this instance to send and receive packets with non-matching destination or source IPs.
	// This is required if you plan to use this instance to forward routes.
	// Because it permits traffic whose addresses do not match the instance's own, leave it
	// false unless the instance must act as a router.
	CanIPForward bool `json:"canIPForward"`
	// DeletionProtection indicates whether the resource should be protected against deletion.
	DeletionProtection bool `json:"deletionProtection"`
	// Disks is a list of disks to be attached to the VM.
	// +optional
	Disks []*GCPDisk `json:"disks,omitempty"`
	// Labels is a list of labels to apply to the VM.
	// +optional
	Labels map[string]string `json:"labels,omitempty"`
	// Metadata is a list of key/value pairs to apply to the VM.
	// NOTE(review): GCP instance metadata is typically readable from within the VM via the
	// metadata server, so it should not be used to carry secrets — confirm against the provider's documentation.
	// +optional
	Metadata []*GCPMetadata `json:"gcpMetadata,omitempty"`
	// NetworkInterfaces is a list of network interfaces to be attached to the VM.
	// +optional
	NetworkInterfaces []*GCPNetworkInterface `json:"networkInterfaces,omitempty"`
	// ServiceAccounts is a list of GCP service accounts to be used by the VM.
	// Prefer a dedicated, least-privilege account with narrowly scoped Scopes over a broadly privileged default.
	ServiceAccounts []GCPServiceAccount `json:"serviceAccounts"`
	// Tags is a list of tags to apply to the VM.
	Tags []string `json:"tags,omitempty"`
	// TargetPools are used for network TCP/UDP load balancing. A target pool references member instances,
	// an associated legacy HttpHealthCheck resource, and, optionally, a backup target pool.
	// +optional
	TargetPools []string `json:"targetPools,omitempty"`
	// MachineType is the machine type to use for the VM.
	MachineType string `json:"machineType"`
	// Region is the region in which the GCP machine provider will create the VM.
	Region string `json:"region"`
	// Zone is the zone in which the GCP machine provider will create the VM.
	Zone string `json:"zone"`
	// ProjectID is the project in which the GCP machine provider will create the VM.
	// +optional
	ProjectID string `json:"projectID,omitempty"`
	// GPUs is a list of GPUs to be attached to the VM.
	// +optional
	GPUs []GCPGPUConfig `json:"gpus,omitempty"`
	// Preemptible indicates if the created instance is preemptible.
	// +optional
	Preemptible bool `json:"preemptible,omitempty"`
	// OnHostMaintenance determines the behavior when a maintenance event occurs that might cause the instance to reboot.
	// This is required to be set to "Terminate" if you want to provision a machine with attached GPUs.
	// Otherwise, allowed values are "Migrate" and "Terminate".
	// If omitted, the platform chooses a default, which is subject to change over time, currently that default is "Migrate".
	// +kubebuilder:validation:Enum=Migrate;Terminate;
	// +optional
	OnHostMaintenance GCPHostMaintenanceType `json:"onHostMaintenance,omitempty"`
	// RestartPolicy determines the behavior when an instance crashes or the underlying infrastructure provider stops the instance as part of a maintenance event (default "Always").
	// Cannot be "Always" with preemptible instances.
	// Otherwise, allowed values are "Always" and "Never".
	// If omitted, the platform chooses a default, which is subject to change over time, currently that default is "Always".
	// RestartPolicy represents AutomaticRestart in the GCP compute API.
	// +kubebuilder:validation:Enum=Always;Never;
	// +optional
	RestartPolicy GCPRestartPolicyType `json:"restartPolicy,omitempty"`

	// ShieldedInstanceConfig is the Shielded VM configuration for the VM.
	// +optional
	ShieldedInstanceConfig GCPShieldedInstanceConfig `json:"shieldedInstanceConfig,omitempty"`

	// ConfidentialCompute defines whether the instance should have confidential compute enabled.
	// If Enabled, OnHostMaintenance is required to be set to "Terminate".
	// Allowed values are "Enabled" and "Disabled".
	// If omitted, the platform chooses a default, which is subject to change over time, currently that default is Disabled.
	// +kubebuilder:validation:Enum=Enabled;Disabled
	// +optional
	ConfidentialCompute ConfidentialComputePolicy `json:"confidentialCompute,omitempty"`
}

// GCPDisk describes disks for GCP.
type GCPDisk struct {
	// AutoDelete indicates if the disk will be auto-deleted when the instance is deleted (default false).
	AutoDelete bool `json:"autoDelete"`
	// Boot indicates if this is a boot disk (default false).
	Boot bool `json:"boot"`
	// SizeGB is the size of the disk (in GB).
	SizeGB int64 `json:"sizeGb"`
	// Type is the type of the disk (eg: pd-standard).
	Type string `json:"type"`
	// Image is the source image to create this disk.
	Image string `json:"image"`
	// Labels is a list of labels to apply to the disk.
	Labels map[string]string `json:"labels"`
	// EncryptionKey is the customer-supplied encryption key of the disk.
	// When nil, the disk is not configured with a customer-managed key through this spec.
	// +optional
	EncryptionKey *GCPEncryptionKeyReference `json:"encryptionKey,omitempty"`
}

// GCPMetadata describes metadata for GCP.
type GCPMetadata struct {
	// Key is the metadata key.
	Key string `json:"key"`
	// Value is the metadata value. It is a pointer so that an unset value can be
	// distinguished from an explicitly empty string.
	Value *string `json:"value"`
}

// GCPNetworkInterface describes network interfaces for GCP.
type GCPNetworkInterface struct {
	// PublicIP indicates whether a public IP will be assigned to this interface.
	// NOTE(review): a public IP makes the instance reachable from outside the VPC, subject to
	// firewall rules — leave false unless direct external reachability is required.
	PublicIP bool `json:"publicIP,omitempty"`
	// Network is the network name.
	Network string `json:"network,omitempty"`
	// ProjectID is the project in which the GCP machine provider will create the VM.
	// NOTE(review): on a network interface this presumably identifies the project that owns
	// the Network/Subnetwork rather than the VM's project — confirm against the actuator.
	ProjectID string `json:"projectID,omitempty"`
	// Subnetwork is the subnetwork name.
	Subnetwork string `json:"subnetwork,omitempty"`
}

// GCPServiceAccount describes service accounts for GCP.
type GCPServiceAccount struct {
	// Email is the service account email.
	Email string `json:"email"`
	// Scopes is a list of scopes to be assigned to the service account.
	// Grant only the scopes the workload needs.
	Scopes []string `json:"scopes"`
}

// GCPEncryptionKeyReference describes the encryptionKey to use for a disk's encryption.
type GCPEncryptionKeyReference struct {
	// KMSKey is a reference to the customer-managed KMS key used to encrypt the disk.
	// +optional
	KMSKey *GCPKMSKeyReference `json:"kmsKey,omitempty"`
	// KMSKeyServiceAccount is the service account being used for the
	// encryption request for the given KMS key. If absent, the Compute
	// Engine default service account is used.
	// See https://cloud.google.com/compute/docs/access/service-accounts#compute_engine_service_account
	// for details on the default service account.
	// +optional
	KMSKeyServiceAccount string `json:"kmsKeyServiceAccount,omitempty"`
}

// GCPKMSKeyReference gathers the fields required for looking up a GCP KMS Key.
type GCPKMSKeyReference struct {
	// Name is the name of the customer managed encryption key to be used for the disk encryption.
	Name string `json:"name"`
	// KeyRing is the name of the KMS Key Ring which the KMS Key belongs to.
	KeyRing string `json:"keyRing"`
	// ProjectID is the ID of the Project in which the KMS Key Ring exists.
	// Defaults to the VM ProjectID if not set.
	// +optional
	ProjectID string `json:"projectID,omitempty"`
	// Location is the GCP location in which the Key Ring exists.
	Location string `json:"location"`
}

// GCPGPUConfig describes type and count of GPUs attached to the instance on GCP.
type GCPGPUConfig struct {
	// Count is the number of GPUs to be attached to an instance.
	Count int32 `json:"count"`
	// Type is the type of GPU to be attached to an instance.
	// Supported GPU types are: nvidia-tesla-k80, nvidia-tesla-p100, nvidia-tesla-v100, nvidia-tesla-p4, nvidia-tesla-t4
	// +kubebuilder:validation:Pattern=`^nvidia-tesla-(k80|p100|v100|p4|t4)$`
	Type string `json:"type"`
}

// GCPMachineProviderStatus is the type that will be embedded in a Machine.Status.ProviderStatus field.
// It contains GCP-specific status information.
// Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=2
type GCPMachineProviderStatus struct {
	metav1.TypeMeta `json:",inline"`
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// InstanceID is the ID of the instance in GCP.
	// +optional
	InstanceID *string `json:"instanceId,omitempty"`
	// InstanceState is the provisioning state of the GCP Instance.
	// +optional
	InstanceState *string `json:"instanceState,omitempty"`
	// Conditions is a set of conditions associated with the Machine to indicate
	// errors or other status.
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`
}

// GCPShieldedInstanceConfig describes the shielded VM configuration of the instance on GCP.
// Shielded VM configuration allows users to enable and disable Secure Boot, vTPM, and Integrity Monitoring.
type GCPShieldedInstanceConfig struct {
	// SecureBoot defines whether the instance should have secure boot enabled.
	// Secure Boot verifies the digital signature of all boot components and halts the boot process if signature verification fails.
	// If omitted, the platform chooses a default, which is subject to change over time, currently that default is Disabled.
	// +kubebuilder:validation:Enum=Enabled;Disabled
	//+optional
	SecureBoot SecureBootPolicy `json:"secureBoot,omitempty"`

	// VirtualizedTrustedPlatformModule enables virtualized trusted platform module measurements to create a known good boot integrity policy baseline.
	// The integrity policy baseline is used for comparison with measurements from subsequent VM boots to determine if anything has changed.
	// This is required to be set to "Enabled" if IntegrityMonitoring is enabled.
	// If omitted, the platform chooses a default, which is subject to change over time, currently that default is Enabled.
	// +kubebuilder:validation:Enum=Enabled;Disabled
	// +optional
	VirtualizedTrustedPlatformModule VirtualizedTrustedPlatformModulePolicy `json:"virtualizedTrustedPlatformModule,omitempty"`

	// IntegrityMonitoring determines whether the instance should have integrity monitoring that verifies the runtime boot integrity.
	// It compares the most recent boot measurements to the integrity policy baseline and returns
	// a pair of pass/fail results depending on whether they match or not.
	// If omitted, the platform chooses a default, which is subject to change over time, currently that default is Enabled.
	// +kubebuilder:validation:Enum=Enabled;Disabled
	// +optional
	IntegrityMonitoring IntegrityMonitoringPolicy `json:"integrityMonitoring,omitempty"`
}