feat: [ConfidentialComputing] Add new VerifyConfidentialSpace and VerifyConfidentialGke rpcs and relevant fields (#8549)

* feat: Add new `VerifyConfidentialSpace` and `VerifyConfidentialGke` rpcs and relevant fields
fix!: Move `AwsPrincipalTagsOptions` out from `TokenOptions` message
docs: Updated comment for method `VerifyAttestation`, `VerifyAttestationRequest` and  `VerifyAttestationResponse` in service `ConfidentialComputing` is changed
docs: A comment for field `aws_principal_tags_options` in message `.google.cloud.confidentialcomputing.v1.TokenOptions` is changed

PiperOrigin-RevId: 800806196

Source-Link: googleapis/googleapis@bf9ef0b

Source-Link: googleapis/googleapis-gen@4744f98
Copy-Tag: eyJwIjoiQ29uZmlkZW50aWFsQ29tcHV0aW5nLy5Pd2xCb3QueWFtbCIsImgiOiI0NzQ0Zjk4YTlkYmY5YThlYmYwN2Y0YmVkNWY4MDcyMzgyNTkzOTQ2In0=

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>

Author: gcf-owl-bot[bot]

ConfidentialComputing/metadata/V1/Service.php

@@ -30,7 +30,8 @@
 use Google\Cloud\ConfidentialComputing\V1\VerifyAttestationResponse;
 
 /**
- * Verifies the provided attestation info, returning a signed OIDC token.
+ * Verifies the provided attestation info, returning a signed attestation
+ * token.
  *
  * @param string $formattedChallenge The name of the Challenge whose nonce was used to generate the
  *                                   attestation, in the format `projects/*/locations/*/challenges/*`. The

ConfidentialComputing/samples/V1/ConfidentialComputingClient/verify_attestation.php

@@ -0,0 +1,78 @@
+<?php
+/*
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START confidentialcomputing_v1_generated_ConfidentialComputing_VerifyConfidentialGke_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\ConfidentialComputing\V1\Client\ConfidentialComputingClient;
+use Google\Cloud\ConfidentialComputing\V1\VerifyConfidentialGkeRequest;
+use Google\Cloud\ConfidentialComputing\V1\VerifyConfidentialGkeResponse;
+
+/**
+ * Verifies the provided Confidential GKE attestation info, returning a signed
+ * OIDC token.
+ *
+ * @param string $formattedChallenge The name of the Challenge whose nonce was used to generate the
+ *                                   attestation, in the format projects/&#42;/locations/&#42;/challenges/*. The
+ *                                   provided Challenge will be consumed, and cannot be used again. Please see
+ *                                   {@see ConfidentialComputingClient::challengeName()} for help formatting this field.
+ */
+function verify_confidential_gke_sample(string $formattedChallenge): void
+{
+    // Create a client.
+    $confidentialComputingClient = new ConfidentialComputingClient();
+
+    // Prepare the request message.
+    $request = (new VerifyConfidentialGkeRequest())
+        ->setChallenge($formattedChallenge);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var VerifyConfidentialGkeResponse $response */
+        $response = $confidentialComputingClient->verifyConfidentialGke($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedChallenge = ConfidentialComputingClient::challengeName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[UUID]'
+    );
+
+    verify_confidential_gke_sample($formattedChallenge);
+}
+// [END confidentialcomputing_v1_generated_ConfidentialComputing_VerifyConfidentialGke_sync]

ConfidentialComputing/samples/V1/ConfidentialComputingClient/verify_confidential_gke.php

@@ -0,0 +1,78 @@
+<?php
+/*
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * GENERATED CODE WARNING
+ * This file was automatically generated - do not edit!
+ */
+
+require_once __DIR__ . '/../../../vendor/autoload.php';
+
+// [START confidentialcomputing_v1_generated_ConfidentialComputing_VerifyConfidentialSpace_sync]
+use Google\ApiCore\ApiException;
+use Google\Cloud\ConfidentialComputing\V1\Client\ConfidentialComputingClient;
+use Google\Cloud\ConfidentialComputing\V1\VerifyConfidentialSpaceRequest;
+use Google\Cloud\ConfidentialComputing\V1\VerifyConfidentialSpaceResponse;
+
+/**
+ * Verifies whether the provided attestation info is valid, returning a signed
+ * attestation token if so.
+ *
+ * @param string $formattedChallenge The name of the Challenge whose nonce was used to generate the
+ *                                   attestation, in the format `projects/&#42;/locations/&#42;/challenges/*`. The
+ *                                   provided Challenge will be consumed, and cannot be used again. Please see
+ *                                   {@see ConfidentialComputingClient::challengeName()} for help formatting this field.
+ */
+function verify_confidential_space_sample(string $formattedChallenge): void
+{
+    // Create a client.
+    $confidentialComputingClient = new ConfidentialComputingClient();
+
+    // Prepare the request message.
+    $request = (new VerifyConfidentialSpaceRequest())
+        ->setChallenge($formattedChallenge);
+
+    // Call the API and handle any network failures.
+    try {
+        /** @var VerifyConfidentialSpaceResponse $response */
+        $response = $confidentialComputingClient->verifyConfidentialSpace($request);
+        printf('Response data: %s' . PHP_EOL, $response->serializeToJsonString());
+    } catch (ApiException $ex) {
+        printf('Call failed with message: %s' . PHP_EOL, $ex->getMessage());
+    }
+}
+
+/**
+ * Helper to execute the sample.
+ *
+ * This sample has been automatically generated and should be regarded as a code
+ * template only. It will require modifications to work:
+ *  - It may require correct/in-range values for request initialization.
+ *  - It may require specifying regional endpoints when creating the service client,
+ *    please see the apiEndpoint client configuration option for more details.
+ */
+function callSample(): void
+{
+    $formattedChallenge = ConfidentialComputingClient::challengeName(
+        '[PROJECT]',
+        '[LOCATION]',
+        '[UUID]'
+    );
+
+    verify_confidential_space_sample($formattedChallenge);
+}
+// [END confidentialcomputing_v1_generated_ConfidentialComputing_VerifyConfidentialSpace_sync]