@fangge1212

This PR adds support to AMD SEV-SNP confidential VMs on AWS platform.
Related PRs:
openshift/api: openshift/api#2424
machine-api-operator: openshift/machine-api-operator#1420
machine-api-provider-aws: openshift/machine-api-provider-aws#141
upstream: kubernetes-sigs/cluster-api-provider-aws#5605

Update CAPA version to support confidential computing, specifically
AMD SEV-SNP, on the AWS platform. The updates include "go get && go
mod tidy" in:
- top-level
- cluster-api/providers/aws

Signed-off-by: Fangge Jin <[email protected]>

Run "go mod vendor" in:
- top-level
- cluster-api/providers/aws

Signed-off-by: Fangge Jin <[email protected]>
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Oct 11, 2025
@openshift-ci-robot
Contributor

openshift-ci-robot commented Oct 11, 2025

@fangge1212: This pull request references CORS-4188 which is a valid jira issue.


@openshift-ci
Contributor

openshift-ci bot commented Oct 11, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tthvo for approval. For more information see the Code Review Process.


Update openshift/api version to support confidential computing,
specifically AMD SEV-SNP, on the AWS platform. The updates include
"go get && go mod tidy" in top-level.

Signed-off-by: Fangge Jin <[email protected]>

Run "go mod vendor" in top level.

Signed-off-by: Fangge Jin <[email protected]>

This will allow configuring confidential computing on AWS platform,
only AMD SEV-SNP is supported for now.

Signed-off-by: Fangge Jin <[email protected]>

client-go depends on api, so it must be updated after bumping api.

Signed-off-by: Fangge Jin <[email protected]>

NodeSwap has been removed from the openshift API, so remove it
from the installer feature gates accordingly.

Signed-off-by: Fangge Jin <[email protected]>
@openshift-ci
Contributor

openshift-ci bot commented Oct 14, 2025

@fangge1212: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/okd-scos-e2e-aws-ovn | 55c2984 | link | false | /test okd-scos-e2e-aws-ovn |
| ci/prow/e2e-gcp-ovn | 55c2984 | link | true | /test e2e-gcp-ovn |
| ci/prow/e2e-gcp-xpn-dedicated-dns-project | 55c2984 | link | false | /test e2e-gcp-xpn-dedicated-dns-project |
| ci/prow/azure-private | 55c2984 | link | false | /test azure-private |
| ci/prow/e2e-gcp-ovn-byo-vpc | 55c2984 | link | false | /test e2e-gcp-ovn-byo-vpc |
| ci/prow/e2e-gcp-ovn-xpn | 55c2984 | link | false | /test e2e-gcp-ovn-xpn |
| ci/prow/gcp-private | 55c2984 | link | false | /test gcp-private |
| ci/prow/e2e-gcp-default-config | 55c2984 | link | false | /test e2e-gcp-default-config |
| ci/prow/e2e-aws-default-config | 55c2984 | link | false | /test e2e-aws-default-config |
| ci/prow/govet | 55c2984 | link | true | /test govet |
| ci/prow/e2e-azure-default-config | 55c2984 | link | false | /test e2e-azure-default-config |
| ci/prow/okd-scos-images | 55c2984 | link | true | /test okd-scos-images |
| ci/prow/artifacts-images | 55c2984 | link | true | /test artifacts-images |
| ci/prow/unit | 55c2984 | link | true | /test unit |
| ci/prow/e2e-gcp-custom-dns | 55c2984 | link | false | /test e2e-gcp-custom-dns |
| ci/prow/images | 55c2984 | link | true | /test images |
| ci/prow/e2e-aws-ovn-edge-zones | 55c2984 | link | false | /test e2e-aws-ovn-edge-zones |
| ci/prow/e2e-aws-ovn-heterogeneous | 55c2984 | link | false | /test e2e-aws-ovn-heterogeneous |
| ci/prow/e2e-aws-ovn-single-node | 55c2984 | link | false | /test e2e-aws-ovn-single-node |
| ci/prow/e2e-aws-ovn-imdsv2 | 55c2984 | link | false | /test e2e-aws-ovn-imdsv2 |
| ci/prow/e2e-azure-ovn-shared-vpc | 55c2984 | link | false | /test e2e-azure-ovn-shared-vpc |
| ci/prow/e2e-aws-ovn-shared-vpc-edge-zones | 55c2984 | link | false | /test e2e-aws-ovn-shared-vpc-edge-zones |
| ci/prow/e2e-aws-ovn | 55c2984 | link | true | /test e2e-aws-ovn |
| ci/prow/azure-ovn-marketplace-images | 55c2984 | link | false | /test azure-ovn-marketplace-images |
| ci/prow/aws-private | 55c2984 | link | false | /test aws-private |
| ci/prow/e2e-gcp-secureboot | 55c2984 | link | false | /test e2e-gcp-secureboot |
| ci/prow/e2e-aws-ovn-shared-vpc-custom-security-groups | 55c2984 | link | false | /test e2e-aws-ovn-shared-vpc-custom-security-groups |
| ci/prow/e2e-gcp-custom-endpoints | 55c2984 | link | false | /test e2e-gcp-custom-endpoints |
| ci/prow/e2e-azurestack | 55c2984 | link | false | /test e2e-azurestack |
| ci/prow/e2e-aws-ovn-edge-zones-manifest-validation | 55c2984 | link | true | /test e2e-aws-ovn-edge-zones-manifest-validation |
| ci/prow/e2e-azure-ovn | 55c2984 | link | true | /test e2e-azure-ovn |
| ci/prow/e2e-aws-ovn-fips | 55c2984 | link | false | /test e2e-aws-ovn-fips |
| ci/prow/e2e-aws-byo-subnet-role-security-groups | 55c2984 | link | false | /test e2e-aws-byo-subnet-role-security-groups |
| ci/prow/golint | 55c2984 | link | true | /test golint |


@fangge1212
Author

/hold
The current openshift/api requires a client-go version that requires k8s.io/apimachinery v0.33. k8s.io/apimachinery v0.33 requires cluster-api v1.11.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 16, 2025
@fangge1212
Author

fangge1212 commented Oct 16, 2025

/hold The current openshift/api requires a client-go version that requires k8s.io/apimachinery v0.33. k8s.io/apimachinery v0.33 requires cluster-api v1.11.

When I tried to bump openshift/client-go to db0dee36 and cluster-api to v1.11.2, I encountered more dependency issues:
```
$ go get github.com/openshift/client-go@c2dfb51e

$ (edit go.mod to remove the replace lines for k8s.io/apimachinery and cluster-api)

$ go mod tidy
go: downloading sigs.k8s.io/cluster-api v1.11.2
go: downloading github.com/coredns/corefile-migration v1.0.28
go: downloading golang.org/x/term v0.33.0
go: downloading github.com/spf13/pflag v1.0.7
go: downloading github.com/go-logr/logr v1.4.3
go: downloading golang.org/x/tools v0.34.0
go: downloading k8s.io/apiextensions-apiserver v0.33.3
go: downloading golang.org/x/mod v0.25.0
go: downloading github.com/onsi/gomega v1.38.0
go: downloading golang.org/x/net v0.42.0
go: downloading golang.org/x/crypto v0.40.0
go: downloading golang.org/x/oauth2 v0.30.0
go: downloading google.golang.org/grpc v1.71.3
go: downloading google.golang.org/protobuf v1.36.6
go: downloading go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0
go: downloading k8s.io/cluster-bootstrap v0.33.3
go: finding module for package sigs.k8s.io/cluster-api/exp/ipam/api/v1beta1
go: finding module for package sigs.k8s.io/cluster-api/api/v1beta1
go: finding module for package sigs.k8s.io/cluster-api/exp/api/v1beta1
go: finding module for package sigs.k8s.io/cluster-api/util/defaulting
go: github.com/openshift/installer/pkg/asset/machines imports
sigs.k8s.io/cluster-api/exp/ipam/api/v1beta1: module sigs.k8s.io/cluster-api@latest found (v1.11.2), but does not contain package sigs.k8s.io/cluster-api/exp/ipam/api/v1beta1
go: github.com/openshift/installer/pkg/asset/machines/aws imports
sigs.k8s.io/cluster-api/api/v1beta1: module sigs.k8s.io/cluster-api@latest found (v1.11.2), but does not contain package sigs.k8s.io/cluster-api/api/v1beta1
go: github.com/openshift/installer/pkg/asset/manifests/azure/stack/v1beta1 imports
sigs.k8s.io/cluster-api-provider-azure/util/azure imports
sigs.k8s.io/cluster-api/exp/api/v1beta1: module sigs.k8s.io/cluster-api@latest found (v1.11.2), but does not contain package sigs.k8s.io/cluster-api/exp/api/v1beta1
go: github.com/openshift/installer/pkg/asset/machines imports
sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2 tested by
sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2.test imports
sigs.k8s.io/cluster-api/util/defaulting: module sigs.k8s.io/cluster-api@latest found (v1.11.2), but does not contain package sigs.k8s.io/cluster-api/util/defaulting
```

@fangge1212
Author

Hi @mtulio @patrickdillon
I'm not sure how to resolve the dependency issues in this PR, could you provide some guidance?

@fangge1212
Author

go get github.com/openshift/client-go@c2dfb51e

The module paths changed in cluster-api v1.11.2. It seems like a big change, so should we bump cluster-api in another PR?

@tthvo
Member

tthvo commented Oct 22, 2025

@fangge1212 Bumping cluster-api (capi) to v1.11 is a significant change in the installer as we will need to bump all providers to versions that are compatible with capi v1.11 😞

We have opened a card https://issues.redhat.com/browse/CORS-4262 here to track with more details.

@tthvo
Member

tthvo commented Oct 22, 2025

/cc

@openshift-ci openshift-ci bot requested a review from tthvo October 22, 2025 06:27