From ed4e2cfc1d1169988d750d0acce0662cc3707512 Mon Sep 17 00:00:00 2001
From: Simon Blessenohl
Date: Mon, 1 Apr 2024 13:08:28 +0200
Subject: [PATCH] flatcar/v1_2_exp: Add clevis support

---
 config/flatcar/v1_2_exp/translate.go | 8 +-------
 config/flatcar/v1_2_exp/translate_test.go | 6 ++----
 docs/config-flatcar-v1_2-exp.md | 10 ++++++++++
 3 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/config/flatcar/v1_2_exp/translate.go b/config/flatcar/v1_2_exp/translate.go
index cf95d724..fe0da918 100644
--- a/config/flatcar/v1_2_exp/translate.go
+++ b/config/flatcar/v1_2_exp/translate.go
@@ -22,15 +22,9 @@ import (
 "github.com/coreos/vcontext/report"
 )
-var (
- fieldFilters = cutil.NewFilters(types.Config{}, cutil.FilterMap{
- "storage.luks.clevis": common.ErrClevisSupport,
- })
-)
-
 // Return FieldFilters for this spec.
 func (c Config) FieldFilters() *cutil.FieldFilters {
- return &fieldFilters
+ return &cutil.FieldFilters{}
 }
 // ToIgn3_5 translates the config to an Ignition config. It returns a
diff --git a/config/flatcar/v1_2_exp/translate_test.go b/config/flatcar/v1_2_exp/translate_test.go
index ff6ea421..7d1015e4 100644
--- a/config/flatcar/v1_2_exp/translate_test.go
+++ b/config/flatcar/v1_2_exp/translate_test.go
@@ -59,9 +59,7 @@ func TestTranslation(t *testing.T) {
 },
 },
 },
- []entry{
- {report.Error, common.ErrClevisSupport, path.New("yaml", "storage", "luks", 1, "clevis")},
- },
+ []entry{}, // Clevis support was added in 1_2_experimental and we therefore expect no errors.
 },
 }
@@ -72,7 +70,7 @@ func TestTranslation(t *testing.T) {
 expectedReport.AddOn(entry.path, entry.err, entry.kind)
 }
 actual, translations, r := test.in.ToIgn3_5Unvalidated(common.TranslateOptions{})
- r.Merge(fieldFilters.Verify(actual))
+ r.Merge(test.in.FieldFilters().Verify(actual))
 r = confutil.TranslateReportPaths(r, translations)
 baseutil.VerifyReport(t, test.in, r)
 assert.Equal(t, expectedReport, r, "report mismatch")
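Review bot: The comment above `FieldFilters` still reads `// Return FieldFilters for this spec.` and no longer tells a reader that the method now filters nothing, which matters because the removed map was the one place that blocked an Ignition 3.5 field (`storage.luks.clevis`) from Flatcar configs; I would replace it with `// FieldFilters returns the field filters for this spec. The v1.2 experimental spec filters nothing: every Ignition 3.5 field, including storage.luks.clevis, is accepted.`, which also follows the Go convention of opening a doc comment with the identifier. Returning `&cutil.FieldFilters{}` hands out a fresh zero-value struct on every call; the test hunk calls `Verify` on it and expects a clean report, so the zero value appears to be usable, but if the sibling specs keep a package-level `fieldFilters` as this file did before, `var fieldFilters = cutil.NewFilters(types.Config{}, cutil.FilterMap{})` would keep one obvious place to register future filters. Both points are hedged: the other specs and the semantics of a zero-value `cutil.FieldFilters` are outside this hunk.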
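Review bot: With the expected report entries reduced to `[]entry{}`, this test case now only proves that a clevis stanza no longer raises `ErrClevisSupport`; nothing in the hunk asserts that the tang/tpm2/threshold values reach the translated Ignition 3.5 config, so a translation that silently dropped the clevis block would still pass. If `TestTranslation` compares `actual` against an expected output elsewhere (the case's earlier fields and the loop that feeds `expectedReport.AddOn` are outside this hunk), the expected output for this case should carry the clevis settings of the second LUKS device, the one the removed `path.New("yaml", "storage", "luks", 1, "clevis")` pointed at; otherwise an explicit equality assertion on that device's clevis field belongs next to `assert.Equal(t, expectedReport, r, "report mismatch")`. Once that assertion exists, the added comment could state the positive expectation instead, e.g. `// clevis is accepted in 1_2_exp; the translated clevis block is checked below.`. The enclosing TestTranslation starts before the hunk.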
diff --git a/docs/config-flatcar-v1_2-exp.md b/docs/config-flatcar-v1_2-exp.md
index 515adf41..c0bc6e6d 100644
--- a/docs/config-flatcar-v1_2-exp.md
+++ b/docs/config-flatcar-v1_2-exp.md
@@ -157,6 +157,16 @@ The Flatcar configuration is a YAML document conforming to the following specifi
 * **_discard_** (boolean): whether to issue discard commands to the underlying block device when blocks are freed. Enabling this improves performance and device longevity on SSDs and space utilization on thinly provisioned SAN devices, but leaks information about which disk blocks contain data. If omitted, it defaults to false.
 * **_open_options_** (list of strings): any additional options to be passed to `cryptsetup luksOpen`. Supported options will be persistently written to the luks volume.
 * **_wipe_volume_** (boolean): whether or not to wipe the device before volume creation, see [Ignition's documentation on filesystems](https://coreos.github.io/ignition/operator-notes/#filesystem-reuse-semantics) for more information.
+ * **_clevis_** (object): describes the clevis configuration for the luks device.
+ * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
+ * **url** (string): url of the tang server.
+ * **thumbprint** (string): thumbprint of a trusted signing key.
+ * **_tpm2_** (boolean): whether or not to use a tpm2 device.
+ * **_threshold_** (integer): sets the minimum number of pieces required to decrypt the device. Default is 1.
+ * **_custom_** (object): overrides the clevis configuration. The `pin` & `config` will be passed directly to `clevis luks bind`. If specified, all other clevis options must be omitted.
+ * **pin** (string): the clevis pin.
+ * **config** (string): the clevis configuration JSON.
+ * **_needs_network_** (boolean): whether or not the device requires networking.
 * **_trees_** (list of objects): a list of local directory trees to be embedded in the config. Ownership is not preserved. File modes are set to 0755 if the local file is executable or 0644 otherwise.
Attributes of files, directories, and symlinks can be overridden by creating a corresponding entry in the `files`, `directories`, or `links` section; such `files` entries must omit `contents` and such `links` entries must omit `target`.
 * **local** (string): the base of the local directory tree, relative to the directory specified by the `--files-dir` command-line argument.
 * **_path_** (string): the path of the tree within the target system. Defaults to `/`.