Merge pull request #1420 from fangge1212/amd_sev_snp

OCPCLOUD-3072: Support AMD SEV-SNP on AWS

Author: openshift-merge-bot[bot]

go.mod

@@ -19,7 +19,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.23.4
 	github.com/onsi/gomega v1.37.0
 	github.com/openshift-eng/openshift-tests-extension v0.0.0-20250711173707-dc2a20e5a5f8
-	github.com/openshift/api v0.0.0-20250901120840-a638ff2e96fb
+	github.com/openshift/api v0.0.0-20251009093019-7837a801e8c1
 	github.com/openshift/client-go v0.0.0-20250710075018-396b36f983ee
 	github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0-20250718085303-e712b1ebf374
 	github.com/openshift/cluster-control-plane-machine-set-operator v0.0.0-20250424110138-1dbf0c7a5d51

go.sum

@@ -457,8 +457,8 @@ github.com/opencontainers/selinux v1.11.1 h1:nHFvthhM0qY8/m+vfhJylliSshm8G1jJ2jD
 github.com/opencontainers/selinux v1.11.1/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
 github.com/openshift-eng/openshift-tests-extension v0.0.0-20250711173707-dc2a20e5a5f8 h1:D+Qga9nujuIcrAjcAuKPukoUcVBl6ZDEbtgNLgKKlgY=
 github.com/openshift-eng/openshift-tests-extension v0.0.0-20250711173707-dc2a20e5a5f8/go.mod h1:6gkP5f2HL0meusT0Aim8icAspcD1cG055xxBZ9yC68M=
-github.com/openshift/api v0.0.0-20250901120840-a638ff2e96fb h1:L5A3091VKSyOJb0nJto/pQyyHueoaW+4sXLO5fHrTBE=
-github.com/openshift/api v0.0.0-20250901120840-a638ff2e96fb/go.mod h1:SPLf21TYPipzCO67BURkCfK6dcIIxx0oNRVWaOyRcXM=
+github.com/openshift/api v0.0.0-20251009093019-7837a801e8c1 h1:YDyN6zwe8H/bdYAp3kQekpjknSAGK4CjKOfYtk3261M=
+github.com/openshift/api v0.0.0-20251009093019-7837a801e8c1/go.mod h1:SPLf21TYPipzCO67BURkCfK6dcIIxx0oNRVWaOyRcXM=
 github.com/openshift/client-go v0.0.0-20250710075018-396b36f983ee h1:tOtrrxfDEW8hK3eEsHqxsXurq/D6LcINGfprkQC3hqY=
 github.com/openshift/client-go v0.0.0-20250710075018-396b36f983ee/go.mod h1:zhRiYyNMk89llof2qEuGPWPD+joQPhCRUc2IK0SB510=
 github.com/openshift/cluster-api-actuator-pkg/testutils v0.0.0-20250718085303-e712b1ebf374 h1:ldUi0e64kdYJC2+ucB24GRXIXfMnI3NpSkcnalPqBGo=

pkg/webhooks/machine_webhook.go

@@ -868,6 +868,35 @@ func validateAWS(m *machinev1beta1.Machine, config *admissionConfig) (bool, []st
 		)
 	}
 
+	if providerSpec.CPUOptions != nil {
+		if *providerSpec.CPUOptions == (machinev1beta1.CPUOptions{}) {
+			errs = append(
+				errs,
+				field.Invalid(
+					field.NewPath("providerSpec", "CPUOptions"),
+					"{}",
+					"At least one field must be set if cpuOptions is provided",
+				),
+			)
+		}
+
+		if providerSpec.CPUOptions.ConfidentialCompute != nil {
+			switch *providerSpec.CPUOptions.ConfidentialCompute {
+			case machinev1beta1.AWSConfidentialComputePolicyDisabled, machinev1beta1.AWSConfidentialComputePolicySEVSNP:
+				// Valid values
+			default:
+				errs = append(
+					errs,
+					field.Invalid(
+						field.NewPath("providerSpec", "CPUOptions", "ConfidentialCompute"),
+						providerSpec.CPUOptions.ConfidentialCompute,
+						fmt.Sprintf("Allowed values are %s, %s and omitted", machinev1beta1.AWSConfidentialComputePolicyDisabled, machinev1beta1.AWSConfidentialComputePolicySEVSNP),
+					),
+				)
+			}
+		}
+	}
+
 	if len(errs) > 0 {
 		return false, warnings, errs
 	}

pkg/webhooks/machine_webhook_test.go

@@ -2610,6 +2610,52 @@ func TestValidateAWSProviderSpec(t *testing.T) {
 			expectedOk:    false,
 			expectedError: "providerSpec.metadataServiceOptions.authentication: Invalid value: \"Boom\": Allowed values are either 'Optional' or 'Required'",
 		},
+		{
+			testCase: "with cpuOptions empty",
+			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
+				p.CPUOptions = &machinev1beta1.CPUOptions{}
+			},
+			expectedOk:    false,
+			expectedError: "providerSpec.CPUOptions: Invalid value: \"{}\": At least one field must be set if cpuOptions is provided",
+		},
+		{
+			testCase: "with confidentialCompute set to AMD SEV-SNP",
+			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
+				p.CPUOptions = &machinev1beta1.CPUOptions{
+					ConfidentialCompute: ptr.To(machinev1beta1.AWSConfidentialComputePolicySEVSNP),
+				}
+			},
+			expectedOk: true,
+		},
+		{
+			testCase: "with confidentialCompute disabled",
+			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
+				p.CPUOptions = &machinev1beta1.CPUOptions{
+					ConfidentialCompute: ptr.To(machinev1beta1.AWSConfidentialComputePolicyDisabled),
+				}
+			},
+			expectedOk: true,
+		},
+		{
+			testCase: "with confidentialCompute set to invalid value",
+			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
+				p.CPUOptions = &machinev1beta1.CPUOptions{
+					ConfidentialCompute: ptr.To(machinev1beta1.AWSConfidentialComputePolicy("invalid")),
+				}
+			},
+			expectedOk:    false,
+			expectedError: "providerSpec.CPUOptions.ConfidentialCompute: Invalid value: \"invalid\": Allowed values are Disabled, AMDEncryptedVirtualizationNestedPaging and omitted",
+		},
+		{
+			testCase: "with confidentialCompute empty",
+			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
+				p.CPUOptions = &machinev1beta1.CPUOptions{
+					ConfidentialCompute: ptr.To(machinev1beta1.AWSConfidentialComputePolicy("")),
+				}
+			},
+			expectedOk:    false,
+			expectedError: "providerSpec.CPUOptions.ConfidentialCompute: Invalid value: \"\": Allowed values are Disabled, AMDEncryptedVirtualizationNestedPaging and omitted",
+		},
 		{
 			testCase: "with invalid GroupVersionKind",
 			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {