Confidential Compute with SGX (#526)

* SGX Signed-off-by: Gordonby <gordon.byers@microsoft.com> * vmsku update * bicep fix Signed-off-by: Gordonby <gordon.byers@microsoft.com> * better message Signed-off-by: Gordonby <gordon.byers@microsoft.com> --------- Signed-off-by: Gordonby <gordon.byers@microsoft.com>
Azure · Feb 23, 2023 · 657c052 · 657c052
1 parent f7935da
commit 657c052
Show file tree

Hide file tree

Showing 7 changed files with 690 additions and 2 deletions.
diff --git a/bicep/main.bicep b/bicep/main.bicep
@@ -855,6 +855,9 @@ param kedaAddon bool = false
 @description('Enables Open Service Mesh')
 param openServiceMeshAddon bool = false
 
+@description('Enables SGX Confidential Compute plugin')
+param sgxPlugin bool = false
+
 @description('Enables the Blob CSI driver')
 param blobCSIDriver bool = false
 
@@ -1145,6 +1148,10 @@ var aks_addons = union({
     enabled: openServiceMeshAddon
     config: {}
   }
+  ACCSGXDevicePlugin: {
+    enabled: sgxPlugin
+    config: {}
+  }
 }, createLaw && omsagent ? {
   omsagent: {
     enabled: createLaw && omsagent

diff --git a/helper/src/components/addonsTab.js b/helper/src/components/addonsTab.js
@@ -531,6 +531,27 @@ export default function ({ tabValues, updateFn, featureFlag, invalidArray }) {
                 />
             </Stack.Item>
 
+
+            <Separator className="notopmargin" />
+
+            <Stack.Item align="start">
+                <Label required={true}>
+                    Confidential Computing
+                    (<a target="_new" href="https://learn.microsoft.com/azure/confidential-computing/confidential-enclave-nodes-aks-get-started">docs</a>)
+                </Label>
+                <MessageBar messageBarType={MessageBarType.info} styles={{ root: { marginBottom: "10px" } }}>
+                    Enabling this option installs the SGX Device Plugin, but will require a node pool using a VM SKU that supports SGX. Choose `SGX Enclave` for the compute on the cluster tab.
+                </MessageBar>
+                <Checkbox
+                    styles={{ root: { marginLeft: "50px" } }}
+                    inputProps={{ "data-testid": "addons-sgx-checkbox" }}
+                    checked={addons.sgxPlugin}
+                    onChange={(ev, v) => updateFn("sgxPlugin", v)}
+                    label="Install the sgxPlugin on compatible VM node pools"
+                    disabled={cluster.computeType !== 'sgx'}
+                />
+            </Stack.Item>
+
         </Stack>
     );
 }
diff --git a/helper/src/components/clusterTab.js b/helper/src/components/clusterTab.js
@@ -198,6 +198,12 @@ export default function ({ defaults, tabValues, updateFn, featureFlag, invalidAr
                                     iconProps: { iconName: 'Game' },
                                     text: 'GPU Workloads',
                                     disabled: true
+                                },
+                                {
+                                    key: 'sgx',
+                                    iconProps: { iconName: 'LaptopSecure' },
+                                    text: 'SGX Enclave',
+                                    disabled: false
                                 }
                             ]}
                             />

diff --git a/helper/src/components/deployTab.js b/helper/src/components/deployTab.js
@@ -119,6 +119,7 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
     ...(addons.fluxGitOpsAddon !== defaults.addons.fluxGitOpsAddon && { fluxGitOpsAddon: addons.fluxGitOpsAddon}),
     ...(addons.daprAddon !== defaults.addons.daprAddon && { daprAddon: addons.daprAddon }),
     ...(addons.daprAddonHA !== defaults.addons.daprAddonHA && { daprAddonHA: addons.daprAddonHA }),
+    ...(addons.sgxPlugin !== defaults.addons.sgxPlugin && { sgxPlugin: addons.sgxPlugin })
   }
 
   const preview_params = {

diff --git a/helper/src/config.json b/helper/src/config.json
@@ -106,7 +106,8 @@
             "kvId": "",
             "gitops": "none",
             "containerLogsV2": false,
-            "containerLogsV2BasicLogs": false
+            "containerLogsV2BasicLogs": false,
+            "sgxPlugin": false
         },
         "net": {
             "vnetFirewallManagementSubnetAddressPrefix": "10.240.51.0/26",

diff --git a/helper/src/skuFamilies.json b/helper/src/skuFamilies.json
@@ -3,5 +3,6 @@
     {"key": "standardDSv3Family", "text": "General Purpose V3", "computeType": "gp"},
     {"key": "standardDDSv4Family", "text": "General Purpose V4", "computeType": "gp"},
     {"key": "standardFSv2Family", "text": "Compute Optimized","computeType": "gp"},
-    {"key": "standardBSFamily", "text": "Burstable (dev/test)","computeType": "gp"}
+    {"key": "standardBSFamily", "text": "Burstable (dev/test)","computeType": "gp"},
+    {"key": "standardDCSv3Family", "text": "Confidential v3","computeType": "sgx"}
 ]