feat(machine-config): Add disk encryption and NTS to all hosts

7adbd2fb · Sheogorath · 5312d792 · 7adbd2fb · 7adbd2fb · 7adbd2fb
Verified Commit 7adbd2fb authored 3 years ago by Sheogorath
--- a/.sops.yaml
+++ b/.sops.yaml
 creation_rules:
  - path_regex: (clusters|apps)/okd4/.*.yaml
-    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?)$
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang)$
    pgp: >-
      9D02A9AD73EF7F3D5F657AC2B392F6EB325E8C50,
      286791FB6648539775DB31B8FCB98C2A3EC6F601
--- a/clusters/okd4/machine-config/kustomization.yaml
+++ b/clusters/okd4/machine-config/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- worker/99-worker-chrony.yaml
+- worker/99-worker-disk-encryption.yaml
+- master/99-master-chrony.yaml
+- master/99-master-disk-encryption.yaml
--- a/clusters/okd4/machine-config/master/99-master-chrony.yaml
+++ b/clusters/okd4/machine-config/master/99-master-chrony.yaml
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  name: 99-master-chrony
+  labels:
+    machineconfiguration.openshift.io/role: master
+spec:
+  config:
+    ignition:
+      version: 3.2.0
+    storage:
+      files:
+      - contents:
+          source: data:,server%20time.cloudflare.com%20iburst%20nts%0Aserver%20nts.sth1.ntp.se%20iburst%20nts%0Aserver%20nts.sth2.ntp.se%20iburst%20nts%0A%0Adriftfile%20%2Fvar%2Flib%2Fchrony%2Fdrift%0Amakestep%201.0%203%0Artcsync%0Akeyfile%20%2Fetc%2Fchrony.keys%0Antsdumpdir%20%2Fvar%2Flib%2Fchrony%0Aleapsectz%20right%2FUTC%0Alogdir%20%2Fvar%2Flog%2Fchrony%0A
+        mode: 420
+        overwrite: true
+        path: /etc/chrony.conf
--- a/clusters/okd4/machine-config/master/99-master-disk-encryption.yaml
+++ b/clusters/okd4/machine-config/master/99-master-disk-encryption.yaml
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+    name: 99-master-tang
+    labels:
+        machineconfiguration.openshift.io/role: master
+spec:
+    config:
+        ignition:
+            version: 3.2.0
+        storage:
+            luks:
+                - name: root
+                  device: /dev/disk/by-partlabel/root
+                  clevis:
+                    tang:
+                        - url: ENC[AES256_GCM,data:b/wCa4GtPLFVDNQJH2ixhDMJMCTYGN2GGxYrvMU2eIwd49Te,iv:3ogfJlgxyyV1ZVTPGUA/OSMgWk9NR2JQjU/LSrE/19U=,tag:84T+FTPRBHY20onFc/eFhg==,type:str]
+                          thumbprint: ENC[AES256_GCM,data:2/2ii6uptjqAunn2gKxa9MfR6jrQoyoccS0EuMyXqnRUTHOdmXrDxyyDTg==,iv:Yk+/iYDfsxiOFvadl1kN7QQeFnW4YfesfLTZe8VqpY8=,tag:uJG9C7NlHR96v2IRrauUWw==,type:str]
+                  options:
+                    - --cipher
+                    - aes-cbc-essiv:sha256
+                  wipeVolume: true
+            filesystems:
+                - device: /dev/mapper/root
+                  format: xfs
+                  wipeFilesystem: true
+                  label: root
+    kernelArguments:
+        - rd.neednet=1
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-08-16T18:44:40Z"
+    mac: ENC[AES256_GCM,data:FVzDsD2xS64sLy45DjWwzskoC1NSdzoknoYOCC1KhmYQpY8LjeUwqoKUUa7iK3ecaHSTwlacygefFLdAJGWCcvyPLLE9Zerjk+kw7O3mGOVoP+4BdwWYQQYbIhBJZ5ERo19Dr+wwQe8DHR3IrThouzrSASstQYiAGpN4DXz72sw=,iv:gckENeDJuaVn2lovZOk2NrUuqumYlPvFdfi67p5qS0c=,tag:zIHG/TWNHKbXTJCCZQCLqw==,type:str]
+    pgp:
+        - created_at: "2021-08-16T18:44:40Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+            hQIMA1u//sli4/n1ARAAg+39LJBPbxoHZeupBcpEocVYTxsXsdeH9cclDLzVy+oE
+            mpPYkoUBypXg8y+681Di6dUuDGp2z8rEa66a3e1DeJGaAUlGmRjz9i7YSb1vy9ds
+            Th3NgvDfUnV11EQWPUMVy5CSFOU6VAq52RHO6CbeoDrkFxbp3LwQVuwEfh3zLS8+
+            3wC4KUGfbFvSvXH/7ULTsaGgibPXAw+XXHfQkkPM6Aywt4mDtlrbGAKT8zYSmqfc
+            LxmDYQ4HXK5hhL6cGNdVs0FasROAhZqYg9CnNQx0GraFVtP7pzt1OEOxY+ashgDb
+            SSz7OjxnfxSApZyHnF4g89b7bGD9yYbQ0jSYtHFoWp1Czj0osbHn2Ptpegc8sSv3
+            1/Rgya6pzuFK85xo2ptJUnOU6rlgDmNIrpd1mk0Tdc1lTxKj7wXriLt97EPqtb1k
+            het2m2nfg6uzkcUWrfJsdDIlmrEWIYgPGtaZaRz49LyCwaociceGmAZKGmQX4A1d
+            8GXS88LdZPR6+LOPBQxxq2Mmvr1aWIhyzDrXsZp/eAFvq/ek/XfuGmFiUfoBEis2
+            8SYzBoulmizHm4kA0vc2+wDy3XdpkoojXWm2FoDASVSKgzIldwpHu4HzH9QM+XaA
+            EiecF//VhkScUiuQEyZ443t5Huyoo2lz4MELC5WEiRaXyvYcZEbgqKqJaFptS+7S
+            XAEQOvDAcDZyi+L5gl52tR+MdjYx4BlucWEgHRUGTRjQ6PuZ7IhbacBfZu0t9djT
+            KGMTj1mmy60so8BllBzCKSCUSlGxQUE0lpOMS6Nl5C2FJ/DtkWX4z4AV5x40
+            =szed
+            -----END PGP MESSAGE-----
+          fp: 9D02A9AD73EF7F3D5F657AC2B392F6EB325E8C50
+        - created_at: "2021-08-16T18:44:40Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+            wcFMA7kpg2bgzVHcARAAgpvpN/X3e7svTUWOhWxKa1mIcuUScBvCgOIiwQJSEBOU
+            QFuckyf5KaaKgX6+WHbS7MBx+6PeBHsX1fZNQmsvYMQFYfw6vzpvJ8w2HUn0eSJy
+            I7RRXwJg3mpAcltZm2EK74GE1wF08+DW53n4uLAceTB2/2aA4KxVaYSL7Zuwd89o
+            0cG8siyt+rCwzziGOxtTsUJwx9yrV5011ON7eBtbh73wjrhxwgdDMxb+yNyM6wSp
+            hfOrHI7hYrdETV3v085IQIghOUOokvVDjUmF22HCaIOnCniqyoKbg8rjwJtY9VaM
+            TgfiAThk8HLJ/0FKfUZspdMykhhSAWkoqKV0zjt+tPfkrggMLN7oe+ql9xyISMjl
+            LS3pKNUSceCoSHXadIXAgCaqcAJcnUXD9H6gK+IPbJ6GHSL9uPpK8fx12pWLoXH5
+            E+v2uyFTkS66YVqhnZaVuE5PyPNwp/Hqm7awv1WEnm7Lx3YSIaeR7FmDGkGnj79Y
+            Eru8ea5QItoujTnW2wOobNLB2RAdMETwqxY4CkGxWg6XyxeAq59icIijkXkwkm7l
+            tf5O87I+jFX0BTz90yYTP9GlSKbFdgriBWZIWChnFrHPXCwCtC+Rhdc/b1/rvVcq
+            CL5Hq41byxiXyW0i9KmQMzveTTnfsbi6708ppBh/pCGIhBzn7ptRgYOzBpQZ00rS
+            5gEENb9DyHgvupo+FbfSDmj7wX46bcemFNLAiXGIO7HIy69RsmfqF7Fox2QLRkN7
+            Wjva8FEcH24hIEchgiP/Fg3k4c2++yVN34pPljwrS+GmIeLuv8CwAA==
+            =dKsE
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang)$
+    version: 3.7.1
--- a/clusters/okd4/machine-config/worker/99-worker-chrony.yaml
+++ b/clusters/okd4/machine-config/worker/99-worker-chrony.yaml
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  name: 99-worker-chrony
+  labels:
+    machineconfiguration.openshift.io/role: worker
+spec:
+  config:
+    ignition:
+      version: 3.2.0
+    storage:
+      files:
+      - contents:
+          source: data:,server%20time.cloudflare.com%20iburst%20nts%0Aserver%20nts.sth1.ntp.se%20iburst%20nts%0Aserver%20nts.sth2.ntp.se%20iburst%20nts%0A%0Adriftfile%20%2Fvar%2Flib%2Fchrony%2Fdrift%0Amakestep%201.0%203%0Artcsync%0Akeyfile%20%2Fetc%2Fchrony.keys%0Antsdumpdir%20%2Fvar%2Flib%2Fchrony%0Aleapsectz%20right%2FUTC%0Alogdir%20%2Fvar%2Flog%2Fchrony%0A
+        mode: 420
+        overwrite: true
+        path: /etc/chrony.conf
--- a/clusters/okd4/machine-config/worker/99-worker-disk-encryption.yaml
+++ b/clusters/okd4/machine-config/worker/99-worker-disk-encryption.yaml
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  name: 99-worker-tang
+  labels:
+    machineconfiguration.openshift.io/role: worker
+spec:
+  config:
+    ignition:
+      version: 3.2.0
+    storage:
+      luks:
+        - name: root
+          device: /dev/disk/by-partlabel/root
+          clevis:
+            tang:
+              - url: http://tang.shivering-isles.com:7500
+                thumbprint: lXbjdRq9-019gToeDgYaEA3UL0D8-aN5Wr8HKGoY1Z0
+          options: [--cipher, aes-cbc-essiv:sha256]
+          wipeVolume: true
+      filesystems:
+        - device: /dev/mapper/root
+          format: xfs
+          wipeFilesystem: true
+          label: root
+  kernelArguments:
+    - rd.neednet=1