From ce7750c322d739cc3b72d140cacdf7697d46ac84 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Thu, 26 Aug 2021 20:09:31 +0200
Subject: [PATCH] machine-config: Improve LUKS performance

---
 .../worker/99-worker-disk-encryption.yaml     | 97 ++++++++++++++-----
 1 file changed, 74 insertions(+), 23 deletions(-)

diff --git a/clusters/okd4/machine-config/worker/99-worker-disk-encryption.yaml b/clusters/okd4/machine-config/worker/99-worker-disk-encryption.yaml
index 345f3d40b..3d060d3b0 100644
--- a/clusters/okd4/machine-config/worker/99-worker-disk-encryption.yaml
+++ b/clusters/okd4/machine-config/worker/99-worker-disk-encryption.yaml
@@ -1,27 +1,78 @@
 apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineConfig
 metadata:
-  name: 99-worker-tang
-  labels:
-    machineconfiguration.openshift.io/role: worker
+    name: 99-worker-tang
+    labels:
+        machineconfiguration.openshift.io/role: worker
 spec:
-  config:
-    ignition:
-      version: 3.2.0
-    storage:
-      luks:
-        - name: root
-          device: /dev/disk/by-partlabel/root
-          clevis:
-            tang:
-              - url: http://tang.shivering-isles.com:7500
-                thumbprint: lXbjdRq9-019gToeDgYaEA3UL0D8-aN5Wr8HKGoY1Z0
-          options: [--cipher, aes-cbc-essiv:sha256]
-          wipeVolume: true
-      filesystems:
-        - device: /dev/mapper/root
-          format: xfs
-          wipeFilesystem: true
-          label: root
-  kernelArguments:
-    - rd.neednet=1
+    config:
+        ignition:
+            version: 3.2.0
+        storage:
+            luks:
+                - name: root
+                  device: /dev/disk/by-partlabel/root
+                  clevis:
+                    tang:
+                        - url: ENC[AES256_GCM,data:2mnPUg++s2YWJqwuJavNemaBCc1rPomb+3QV/8WE/hjhj8aQ,iv:yMaX5T7Rxx7U7ibApFez/Glv6nblzyAc/RDToqUzN9Q=,tag:Noo3ERo1chDJWi/yPFdbOw==,type:str]
+                          thumbprint: ENC[AES256_GCM,data:dVll1JONSc6PS3D5PwL3nM/kBEgKw0cEt1xjYzF91sIRBx8H4JHAKSf0XQ==,iv:3x1aLK5NRiDfFg8X8y4qBtsy6rpfPoJHsWNxHj7VaXU=,tag:zwdE1K2kFi1k4eOqGuebrA==,type:str]
+                  options: null
+                  wipeVolume: true
+            filesystems:
+                - device: /dev/mapper/root
+                  format: xfs
+                  wipeFilesystem: true
+                  label: root
+    kernelArguments:
+        - rd.neednet=1
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-08-26T18:09:23Z"
+    mac: ENC[AES256_GCM,data:3oTrdaBsw1QI5Fd9xiitZ9saGBZItct78X6m7UkyaenOaSANPdsICm2DZC9ALbeN1ka9D8p7CtmSt+n+dATTmCv+UpEbef9K4rUYJiTPLAVHszu1OUPt/UHEkPlY1eF+42euiHclB4PE5FMkvTsNNcR1RFTUliM+bHbm/nmYd2k=,iv:BVim68EFzdDYygi120zFs6f/SJw8MsWx2cJ+7QyCMQ4=,tag:QiQxMB8TY1mv5U0KTvOq3A==,type:str]
+    pgp:
+        - created_at: "2021-08-26T18:09:22Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA1u//sli4/n1AQ//TtKQyQx1eqdh/xsUAarkziF/r2YCFIdLnJFLXuCwS8fy
+            5ELhmIWmRlufiKaeRvcvr5y32g4p/Y/PyupLPZ7h4uggeT2XG5ppErT+runkMCuk
+            6SqJV2wamOYdnMlX0vc2DSuoy1IkAuf9E4M+J0IFL8edhJEo4CpQQ0dJA894ug93
+            977fgdmQjY4pfSys0G9R3qYpKrVjArCx5u89vVIbTz93uMAOpNb/IjlW4BaYyHoJ
+            71fnAnvG0pVG+/I1qIocD5zf2q0o1XhE1XAGcMNC2+Rb61qFQbEnO+HbalJNP0Al
+            VB87jFWO4uL/Ve7kJ3Y3jEAdB+Q2jB8pytPv/mGRGu8dfNWniFlpPLzgm81JfHPv
+            8CmmXDZtCGVZ66NanEECtFRSrg+OL5qvZWvgDreOaR6wrAs2BcHswCvySneZSGRp
+            LJpL+KYE7laLtFPl91vA2W74gWgcfMWgfSSTXCUYJm/wcZ+VTsNqKaW0V6lugiOg
+            y/qrrWOYcCXfEFf0RJZ4NpHCXjFqyDr07JF5haZbNHD/oufUvOWuVdXZcB7C3GRp
+            96+JQ7FR8FHwOrX477LG2WjUuXjm4umkcouJ3lYLCLUSNvzAkCTaidao06WDrW2U
+            NeyxdZhvLqj9n0VYzzhLxVKL1MvnBwI6rZtsQv3GbZBRG6nSq6DMz58VmP457ovS
+            XAG6m5bIND7y2eanBhFD/+jSnvneOkjN7pqDezrIsp9UawkHm7L+Zhbp0H6FIXM4
+            N+KrqtOsmtdhd4BKVmNnp6fWc7Lv/B5ny2g5pMl1jDk2IxUnfLL1t3TN6m1v
+            =VXAR
+            -----END PGP MESSAGE-----
+          fp: 9D02A9AD73EF7F3D5F657AC2B392F6EB325E8C50
+        - created_at: "2021-08-26T18:09:22Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcARAAVjlVvZLX/RhhTJQarRo4l3HqweLQRcRrZZrenI+sjjOx
+            R5S0GxBiK4Wo6YAnJRLWcBkUD47X+wZhN2+Wwc+e6nj5ml2duc4QfHDyMMrTYc+o
+            6IdwpMXOkzlzJkx9KPwgT0trCbv746inO2vVB5GBi+djN96j4a76awUNbLphgaI3
+            j5Ap8BZWmxh+W65p29WCHK83ckW79q7S8z6AhJIJi6+6DpPsb1b2n0doR/nSbXLg
+            VmXvtpsyTTnbzt5WhQUHTBVFEyBwOR4suhXXRBGnUG/IANCiPaQrS+xlUX02ldwC
+            weMiZgEo9ndRCHfDLfTfBRRlZOpSevcVbpJciCKpFUlqgpqXXs1UaWpr19CPkuh4
+            MT+4r+bEEl1g5N56PWTb0DZgFciCddwr9VhwoJ7b0Gg/uZcMKBIovCZqKR4gvaJf
+            ktAXbDST1WQrEMdJNeqHbfgrpKmRlJUtJOsIvo8O7q4cIW0/eZGZYIVVnjggPJy8
+            RmtsZDECvQM5b9FerraOwhqmavt3l0lXTpQ1l7Cg08tWeOVYh9LXpE4gcw8gw+xz
+            jQ67cl5DP+6OsGK9l7CPnbvAOOTHSGB1mL/sx4bYdjUzjc6QMpRU8EH1MPtPFblc
+            xAenmRXWsCoLVG930Sj9+XpAwbJtzZTgqj3RnaiN/TDZqkukXhSTDF0gV1cJWJzS
+            5gEuXbn6MH6dD+TcLbrLGCDdT6pZaVnYZbz6YVc/5GXmgbVzTFIYH4dSaOSA0jKb
+            bXletXV84P5DvhjJskDepAbkfZha1frR0OR36lElLt4QheI1tJCvAA==
+            =2GMF
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang)$
+    version: 3.7.1
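Review bot: The `tang` entries are now SOPS-encrypted (`encrypted_regex` matches `tang`), but the previous URL and thumbprint are still readable on the removed lines and in repository history, so the encryption hides them only if they were rotated, which this diff cannot show. Because the thumbprint is what pins the Tang server's key for the clevis binding and reviewers can no longer see a change to it, the decrypted value should be confirmed out of band against the intended server. On the LUKS side, removing `--cipher aes-cbc-essiv:sha256` leaves `options: null`; dropping the key, or writing `options: []` with a comment such as `# no --cipher override: use the cryptsetup default`, would make the intent explicit. The commit message mentions only performance, so the switch to SOPS and the re-indentation deserve a line in the description.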
-- 
GitLab