Add support for AMD SEV-SNP instances

This commit adds support for AMD SEV-SNP instances, so users can
utilize confidential computing technologies on cluster nodes.

Signed-off-by: Fangge Jin <fjin@redhat.com>

Author: fangge1212

pkg/actuators/machine/instances.go

@@ -468,6 +468,7 @@ func launchInstance(machine *machinev1beta1.Machine, machineProviderConfig *mach
 		MetadataOptions:                  getInstanceMetadataOptionsRequest(machineProviderConfig),
 		InstanceMarketOptions:            instanceMarketOptions,
 		CapacityReservationSpecification: capacityReservationSpecification,
+		CpuOptions:                       getCPUOptionsRequest(machineProviderConfig),
 	}
 
 	if len(blockDeviceMappings) > 0 {
@@ -709,3 +710,26 @@ func getCapacityReservationSpecification(capacityReservationID string) (*ec2.Cap
 		},
 	}, nil
 }
+
+func getCPUOptionsRequest(providerConfig *machinev1beta1.AWSMachineProviderConfig) *ec2.CpuOptionsRequest {
+	if providerConfig.CPUOptions == nil {
+		return nil
+	}
+
+	cpuOptions := &ec2.CpuOptionsRequest{}
+
+	if providerConfig.CPUOptions.ConfidentialCompute != nil {
+		switch *providerConfig.CPUOptions.ConfidentialCompute {
+		case machinev1beta1.AWSConfidentialComputePolicySEVSNP:
+			cpuOptions.AmdSevSnp = aws.String(ec2.AmdSevSnpSpecificationEnabled)
+		case machinev1beta1.AWSConfidentialComputePolicyDisabled:
+			cpuOptions.AmdSevSnp = aws.String(ec2.AmdSevSnpSpecificationDisabled)
+		}
+	}
+
+	if *cpuOptions == (ec2.CpuOptionsRequest{}) {
+		return nil
+	}
+
+	return cpuOptions
+}

pkg/actuators/machine/instances_test.go

@@ -16,6 +16,7 @@ import (
 	mapierrors "github.com/openshift/machine-api-operator/pkg/controller/machine"
 	mockaws "github.com/openshift/machine-api-provider-aws/pkg/client/mock"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 )
@@ -1695,3 +1696,53 @@ func TestGetCapacityReservationSpecification(t *testing.T) {
 		})
 	}
 }
+
+func TestGetCPUOptionsRequest(t *testing.T) {
+	testCases := []struct {
+		name            string
+		providerConfig  *machinev1beta1.AWSMachineProviderConfig
+		expectedRequest *ec2.CpuOptionsRequest
+	}{
+		{
+			name:            "with CPUOptions unspecified",
+			providerConfig:  &machinev1beta1.AWSMachineProviderConfig{},
+			expectedRequest: nil,
+		},
+		{
+			name: "with ConfidentialCompute set to AMD SEV-SNP",
+			providerConfig: &machinev1beta1.AWSMachineProviderConfig{
+				CPUOptions: &machinev1beta1.CPUOptions{
+					ConfidentialCompute: ptr.To(machinev1beta1.AWSConfidentialComputePolicySEVSNP),
+				},
+			},
+			expectedRequest: &ec2.CpuOptionsRequest{
+				AmdSevSnp: aws.String(ec2.AmdSevSnpSpecificationEnabled),
+			},
+		},
+		{
+			name: "with ConfidentialCompute disabled",
+			providerConfig: &machinev1beta1.AWSMachineProviderConfig{
+				CPUOptions: &machinev1beta1.CPUOptions{
+					ConfidentialCompute: ptr.To(machinev1beta1.AWSConfidentialComputePolicyDisabled),
+				},
+			},
+			expectedRequest: &ec2.CpuOptionsRequest{
+				AmdSevSnp: aws.String(ec2.AmdSevSnpSpecificationDisabled),
+			},
+		},
+		{
+			name: "with ConfidentialCompute unspecified",
+			providerConfig: &machinev1beta1.AWSMachineProviderConfig{
+				CPUOptions: &machinev1beta1.CPUOptions{},
+			},
+			expectedRequest: nil,
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			g := gmg.NewWithT(t)
+			req := getCPUOptionsRequest(tc.providerConfig)
+			g.Expect(req).To(gmg.BeEquivalentTo(tc.expectedRequest))
+		})
+	}
+}