diff --git a/api/resource/definitions/runtime/runtime.proto b/api/resource/definitions/runtime/runtime.proto
index 151385ba5..263019fee 100755
--- a/api/resource/definitions/runtime/runtime.proto
+++ b/api/resource/definitions/runtime/runtime.proto
@@ -71,6 +71,7 @@ message MountStatusSpec {
   string filesystem_type = 3;
   repeated string options = 4;
   bool encrypted = 5;
+  repeated string encryption_providers = 6;
 }
 
 // PlatformMetadataSpec describes platform metadata properties.
diff --git a/internal/pkg/dashboard/components/talosinfo.go b/internal/pkg/dashboard/components/talosinfo.go
index b42d02148..57244921c 100644
--- a/internal/pkg/dashboard/components/talosinfo.go
+++ b/internal/pkg/dashboard/components/talosinfo.go
@@ -5,11 +5,14 @@
 package components
 
 import (
+	"fmt"
 	"strconv"
+	"strings"
 
 	"github.com/rivo/tview"
 
 	"github.com/siderolabs/talos/internal/pkg/dashboard/resourcedata"
+	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/resources/cluster"
 	"github.com/siderolabs/talos/pkg/machinery/resources/config"
 	"github.com/siderolabs/talos/pkg/machinery/resources/hardware"
@@ -17,12 +20,15 @@ import (
 )
 
 type talosInfoData struct {
-	uuid            string
-	clusterName     string
-	stage           string
-	ready           string
-	typ             string
-	numMachinesText string
+	uuid                          string
+	clusterName                   string
+	stage                         string
+	ready                         string
+	typ                           string
+	numMachinesText               string
+	secureBootState               string
+	statePartitionMountStatus     string
+	ephemeralPartitionMountStatus string
 
 	machineIDSet map[string]struct{}
 }
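Review bot: The new `encryption_providers` field in the runtime.proto hunk carries no comment, and the message comment just above the hunk (outside it, but visible as the api.md hunk header: `MountStatusSpec describes status of the defined sysctls.`) appears to be copied from another message, so the generated API reference documents the wrong thing for this message. Suggest a field comment such as `// encryption_providers lists the key provider names (static, nodeid, kms, tpm) configured for an encrypted mount; empty when encrypted is false.` and, while touching this message, correcting the message comment to describe a mounted system partition rather than sysctls.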
@@ -93,6 +99,28 @@ func (widget *TalosInfo) updateNodeData(data resourcedata.Data) {
 			nodeData.stage = formatStatus(res.TypedSpec().Stage.String())
 			nodeData.ready = formatStatus(res.TypedSpec().Status.Ready)
 		}
+	case *runtime.SecurityState:
+		if data.Deleted {
+			nodeData.secureBootState = notAvailable
+		} else {
+			nodeData.secureBootState = formatStatus(res.TypedSpec().SecureBoot)
+		}
+	case *runtime.MountStatus:
+		switch res.Metadata().ID() {
+		case constants.StatePartitionLabel:
+			if data.Deleted {
+				nodeData.statePartitionMountStatus = notAvailable
+			} else {
+				nodeData.statePartitionMountStatus = mountStatus(res.TypedSpec().Encrypted, res.TypedSpec().EncryptionProviders)
+			}
+		case constants.EphemeralPartitionLabel:
+			if data.Deleted {
+				nodeData.ephemeralPartitionMountStatus = notAvailable
+			} else {
+				nodeData.ephemeralPartitionMountStatus = mountStatus(res.TypedSpec().Encrypted, res.TypedSpec().EncryptionProviders)
+			}
+		}
+
 	case *config.MachineType:
 		if data.Deleted {
 			nodeData.typ = notAvailable
@@ -114,13 +142,16 @@ func (widget *TalosInfo) getOrCreateNodeData(node string) *talosInfoData {
 	nodeData, ok := widget.nodeMap[node]
 	if !ok {
 		nodeData = &talosInfoData{
-			uuid:            notAvailable,
-			clusterName:     notAvailable,
-			stage:           notAvailable,
-			ready:           notAvailable,
-			typ:             notAvailable,
-			numMachinesText: notAvailable,
-			machineIDSet:    make(map[string]struct{}),
+			uuid:                          notAvailable,
+			clusterName:                   notAvailable,
+			stage:                         notAvailable,
+			ready:                         notAvailable,
+			typ:                           notAvailable,
+			numMachinesText:               notAvailable,
+			secureBootState:               notAvailable,
+			statePartitionMountStatus:     notAvailable,
+			ephemeralPartitionMountStatus: notAvailable,
+			machineIDSet:                  make(map[string]struct{}),
 		}
 
 		widget.nodeMap[node] = nodeData
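Review bot: The two partition cases in the new `*runtime.MountStatus` branch repeat the same Deleted/else block verbatim and differ only in the field assigned, so the two labels can drift apart the next time the display logic or the `mountStatus` arguments change. Computing the cell value once and then dispatching on the ID keeps the branch to a single place; MountStatus resources for any other label are still dropped silently, which deserves a comment such as `// only the STATE and EPHEMERAL mounts are shown on the dashboard`. The enclosing `updateNodeData` type switch starts before and ends after the hunk.
```go
	case *runtime.MountStatus:
		// only the STATE and EPHEMERAL mounts are shown on the dashboard
		status := notAvailable
		if !data.Deleted {
			status = mountStatus(res.TypedSpec().Encrypted, res.TypedSpec().EncryptionProviders)
		}

		switch res.Metadata().ID() {
		case constants.StatePartitionLabel:
			nodeData.statePartitionMountStatus = status
		case constants.EphemeralPartitionLabel:
			nodeData.ephemeralPartitionMountStatus = status
		}
		// … unchanged: *config.MachineType case and the rest of the switch …
```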
@@ -158,8 +189,28 @@ func (widget *TalosInfo) redraw() {
 				Name:  "MACHINES",
 				Value: data.numMachinesText,
 			},
+			{
+				Name:  "SECUREBOOT",
+				Value: data.secureBootState,
+			},
+			{
+				Name:  "STATE",
+				Value: data.statePartitionMountStatus,
+			},
+			{
+				Name:  "EPHEMERAL",
+				Value: data.ephemeralPartitionMountStatus,
+			},
 		},
 	}
 
 	widget.SetText(fields.String())
 }
+
+func mountStatus(encrypted bool, providers []string) string {
+	if !encrypted {
+		return "[green]OK[-]"
+	}
+
+	return fmt.Sprintf("[green]OK - encrypted[-] (%s)", strings.Join(providers, ","))
+}
diff --git a/internal/pkg/dashboard/resourcedata/resourcedata.go b/internal/pkg/dashboard/resourcedata/resourcedata.go
index d04e06133..64d3ff40f 100644
--- a/internal/pkg/dashboard/resourcedata/resourcedata.go
+++ b/internal/pkg/dashboard/resourcedata/resourcedata.go
@@ -19,12 +19,14 @@ import (
 	"google.golang.org/grpc/metadata"
 
 	"github.com/siderolabs/talos/pkg/machinery/client"
+	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/resources/cluster"
 	"github.com/siderolabs/talos/pkg/machinery/resources/config"
 	"github.com/siderolabs/talos/pkg/machinery/resources/hardware"
 	"github.com/siderolabs/talos/pkg/machinery/resources/k8s"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
 	"github.com/siderolabs/talos/pkg/machinery/resources/runtime"
+	"github.com/siderolabs/talos/pkg/machinery/resources/v1alpha1"
 )
 
 // Data contains a resource, whether it is deleted and the node it came from.
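Review bot: `mountStatus` at the end of the hunk renders `[green]OK - encrypted[-] ()` when `encrypted` is true but `providers` is empty, which can happen for a MountStatus coming from a node that does not populate the new `EncryptionProviders` field yet; guard the join with `if len(providers) == 0 { return "[green]OK - encrypted[-]" }` before the `fmt.Sprintf`. The function is also undocumented; a one-line comment such as `// mountStatus formats the dashboard cell for a system partition mount: OK, or OK plus the comma-separated encryption provider names when the partition is encrypted.` would explain the two return shapes.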
@@ -114,6 +116,18 @@ func (source *Source) runResourceWatch(ctx context.Context, node string) error {
 		return err
 	}
 
+	if err := source.COSI.Watch(ctx, runtime.NewSecurityStateSpec(v1alpha1.NamespaceName).Metadata(), eventCh); err != nil {
+		return err
+	}
+
+	if err := source.COSI.Watch(ctx, runtime.NewMountStatus(v1alpha1.NamespaceName, constants.StatePartitionLabel).Metadata(), eventCh); err != nil {
+		return err
+	}
+
+	if err := source.COSI.Watch(ctx, runtime.NewMountStatus(v1alpha1.NamespaceName, constants.EphemeralPartitionLabel).Metadata(), eventCh); err != nil {
+		return err
+	}
+
 	if err := source.COSI.Watch(ctx, config.NewMachineType().Metadata(), eventCh); err != nil {
 		return err
 	}
diff --git a/internal/pkg/mount/system.go b/internal/pkg/mount/system.go
index 3c498f5f5..732d660c5 100644
--- a/internal/pkg/mount/system.go
+++ b/internal/pkg/mount/system.go
@@ -13,6 +13,7 @@ import (
 	"sync"
 
 	"github.com/cosi-project/runtime/pkg/state"
+	"github.com/siderolabs/gen/maps"
 	"github.com/siderolabs/go-blockdevice/blockdevice"
 	"github.com/siderolabs/go-blockdevice/blockdevice/filesystem"
 	"golang.org/x/sys/unix"
@@ -235,6 +236,25 @@ func SystemPartitionMount(ctx context.Context, r runtime.Runtime, logger *log.Lo
 	mountStatus.TypedSpec().FilesystemType = mountpoint.Fstype()
 	mountStatus.TypedSpec().Encrypted = encrypted
 
+	if encrypted {
+		encryptionProviders := make(map[string]struct{})
+
+		for _, cfg := range o.Encryption.Keys() {
+			switch {
+			case cfg.Static() != nil:
+				encryptionProviders[cfg.Static().String()] = struct{}{}
+			case cfg.NodeID() != nil:
+				encryptionProviders[cfg.NodeID().String()] = struct{}{}
+			case cfg.KMS() != nil:
+				encryptionProviders[cfg.KMS().String()] = struct{}{}
+			case cfg.TPM() != nil:
+				encryptionProviders[cfg.TPM().String()] = struct{}{}
+			}
+		}
+
+		mountStatus.TypedSpec().EncryptionProviders = maps.Keys(encryptionProviders)
+	}
+
 	// ignore the error if the MountStatus already exists, as many mounts are silently skipped with the flag SkipIfMounted
 	if err = r.State().V1Alpha2().Resources().Create(context.Background(), mountStatus); err != nil && !state.IsConflictError(err) {
 		return fmt.Errorf("error creating mount status resource: %w", err)
diff --git a/pkg/machinery/api/resource/definitions/runtime/runtime.pb.go b/pkg/machinery/api/resource/definitions/runtime/runtime.pb.go
index a0a30c405..969f77103 100644
--- a/pkg/machinery/api/resource/definitions/runtime/runtime.pb.go
+++ b/pkg/machinery/api/resource/definitions/runtime/runtime.pb.go
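Review bot: `maps.Keys(encryptionProviders)` near the end of the added block appears to return the names in Go map iteration order, so the `EncryptionProviders` slice stored in the MountStatus resource is non-deterministic from boot to boot and between nodes, and anything that diffs or displays the resource (the dashboard joins it with commas) sees the same configuration in varying orders. Sort before storing: `providers := maps.Keys(encryptionProviders)`, `sort.Strings(providers)`, `mountStatus.TypedSpec().EncryptionProviders = providers` (needs a `sort` import). The inner `switch` silently skips a key whose config matches none of the four providers; if that is intended, a short comment such as `// a key with no recognised provider contributes nothing to the status` makes it explicit. `SystemPartitionMount` begins before and ends after the hunk, and `o` is declared outside it.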
@@ -566,11 +566,12 @@ type MountStatusSpec struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - Source string `protobuf:"bytes,1,opt,name=source,proto3" json:"source,omitempty"` - Target string `protobuf:"bytes,2,opt,name=target,proto3" json:"target,omitempty"` - FilesystemType string `protobuf:"bytes,3,opt,name=filesystem_type,json=filesystemType,proto3" json:"filesystem_type,omitempty"` - Options []string `protobuf:"bytes,4,rep,name=options,proto3" json:"options,omitempty"` - Encrypted bool `protobuf:"varint,5,opt,name=encrypted,proto3" json:"encrypted,omitempty"` + Source string `protobuf:"bytes,1,opt,name=source,proto3" json:"source,omitempty"` + Target string `protobuf:"bytes,2,opt,name=target,proto3" json:"target,omitempty"` + FilesystemType string `protobuf:"bytes,3,opt,name=filesystem_type,json=filesystemType,proto3" json:"filesystem_type,omitempty"` + Options []string `protobuf:"bytes,4,rep,name=options,proto3" json:"options,omitempty"` + Encrypted bool `protobuf:"varint,5,opt,name=encrypted,proto3" json:"encrypted,omitempty"` + EncryptionProviders []string `protobuf:"bytes,6,rep,name=encryption_providers,json=encryptionProviders,proto3" json:"encryption_providers,omitempty"` } func (x *MountStatusSpec) Reset() { @@ -640,6 +641,13 @@ func (x *MountStatusSpec) GetEncrypted() bool { return false } +func (x *MountStatusSpec) GetEncryptionProviders() []string { + if x != nil { + return x.EncryptionProviders + } + return nil +} + // PlatformMetadataSpec describes platform metadata properties. type PlatformMetadataSpec struct { state protoimpl.MessageState 
@@ -933,7 +941,7 @@ var file_resource_definitions_runtime_runtime_proto_rawDesc = []byte{ 0x74, 0x49, 0x50, 0x52, 0x12, 0x72, 0x65, 0x61, 0x63, 0x68, 0x61, 0x62, 0x6c, 0x65, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x22, 0x23, 0x0a, 0x0b, 0x4d, 0x65, 0x74, 0x61, 0x4b, 0x65, 0x79, 0x53, 0x70, 0x65, 0x63, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0xa2, 0x01, 0x0a, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0xd5, 0x01, 0x0a, 0x0f, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70, 0x65, 0x63, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x74, 0x61, 0x72, 0x67, 
@@ -944,43 +952,46 @@ var file_resource_definitions_runtime_runtime_proto_rawDesc = []byte{ 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, - 0x64, 0x22, 0xf5, 0x01, 0x0a, 0x14, 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x4d, 0x65, - 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x6c, - 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x6c, - 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, - 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, - 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x67, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x06, 0x72, 0x65, 0x67, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x7a, 0x6f, - 0x6e, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x7a, 0x6f, 0x6e, 0x65, 0x12, 0x23, - 0x0a, 0x0d, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, - 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x54, - 0x79, 0x70, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x5f, - 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, - 0x63, 0x65, 0x49, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, - 0x5f, 0x69, 0x64, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x6f, 0x76, 0x69, - 0x64, 0x65, 0x72, 0x49, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x70, 0x6f, 0x74, 0x18, 0x08, 0x20, - 0x01, 0x28, 0x08, 0x52, 0x04, 0x73, 0x70, 0x6f, 0x74, 0x22, 0xb2, 0x01, 0x0a, 0x11, 0x53, 0x65, - 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x53, 0x74, 
0x61, 0x74, 0x65, 0x53, 0x70, 0x65, 0x63, 0x12, - 0x1f, 0x0a, 0x0b, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x62, 0x6f, 0x6f, 0x74, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x42, 0x6f, 0x6f, 0x74, - 0x12, 0x3d, 0x0a, 0x1b, 0x75, 0x6b, 0x69, 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x5f, - 0x6b, 0x65, 0x79, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x18, 0x75, 0x6b, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, - 0x67, 0x4b, 0x65, 0x79, 0x46, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x12, - 0x3d, 0x0a, 0x1b, 0x70, 0x63, 0x72, 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x5f, 0x6b, - 0x65, 0x79, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x18, 0x03, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x18, 0x70, 0x63, 0x72, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, - 0x4b, 0x65, 0x79, 0x46, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x22, 0x3c, - 0x0a, 0x0e, 0x55, 0x6e, 0x6d, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, - 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, - 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x42, 0x4c, 0x5a, 0x4a, - 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x64, 0x65, 0x72, - 0x6f, 0x6c, 0x61, 0x62, 0x73, 0x2f, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2f, 0x70, 0x6b, 0x67, 0x2f, - 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x72, 0x79, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72, 0x65, - 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, - 0x6e, 0x73, 0x2f, 0x72, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x33, + 0x64, 0x12, 0x31, 0x0a, 0x14, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 
0x69, 0x6f, 0x6e, 0x5f, + 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, + 0x13, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x76, 0x69, + 0x64, 0x65, 0x72, 0x73, 0x22, 0xf5, 0x01, 0x0a, 0x14, 0x50, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, + 0x6d, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1a, 0x0a, + 0x08, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x08, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73, + 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73, + 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x67, 0x69, 0x6f, 0x6e, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x65, 0x67, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, + 0x04, 0x7a, 0x6f, 0x6e, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x7a, 0x6f, 0x6e, + 0x65, 0x12, 0x23, 0x0a, 0x0d, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x5f, 0x74, 0x79, + 0x70, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, + 0x63, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x69, 0x6e, 0x73, 0x74, 0x61, 0x6e, + 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x69, 0x6e, 0x73, + 0x74, 0x61, 0x6e, 0x63, 0x65, 0x49, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x6f, 0x76, 0x69, + 0x64, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, + 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x49, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x70, 0x6f, 0x74, + 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x04, 0x73, 0x70, 0x6f, 0x74, 0x22, 0xb2, 0x01, 0x0a, + 0x11, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x53, 0x74, 0x61, 0x74, 0x65, 0x53, 0x70, + 0x65, 0x63, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x5f, 0x62, 0x6f, 0x6f, + 0x74, 0x18, 
0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x73, 0x65, 0x63, 0x75, 0x72, 0x65, 0x42, + 0x6f, 0x6f, 0x74, 0x12, 0x3d, 0x0a, 0x1b, 0x75, 0x6b, 0x69, 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x69, + 0x6e, 0x67, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, + 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x18, 0x75, 0x6b, 0x69, 0x53, 0x69, 0x67, + 0x6e, 0x69, 0x6e, 0x67, 0x4b, 0x65, 0x79, 0x46, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, + 0x6e, 0x74, 0x12, 0x3d, 0x0a, 0x1b, 0x70, 0x63, 0x72, 0x5f, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, + 0x67, 0x5f, 0x6b, 0x65, 0x79, 0x5f, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, + 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x18, 0x70, 0x63, 0x72, 0x53, 0x69, 0x67, 0x6e, + 0x69, 0x6e, 0x67, 0x4b, 0x65, 0x79, 0x46, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, + 0x74, 0x22, 0x3c, 0x0a, 0x0e, 0x55, 0x6e, 0x6d, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, + 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, + 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x42, + 0x4c, 0x5a, 0x4a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, + 0x64, 0x65, 0x72, 0x6f, 0x6c, 0x61, 0x62, 0x73, 0x2f, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2f, 0x70, + 0x6b, 0x67, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x72, 0x79, 0x2f, 0x61, 0x70, 0x69, + 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, + 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x72, 0x75, 0x6e, 0x74, 0x69, 0x6d, 0x65, 0x62, 0x06, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/pkg/machinery/api/resource/definitions/runtime/runtime_vtproto.pb.go b/pkg/machinery/api/resource/definitions/runtime/runtime_vtproto.pb.go index 338a0778a..946345c4c 100644 
--- a/pkg/machinery/api/resource/definitions/runtime/runtime_vtproto.pb.go +++ b/pkg/machinery/api/resource/definitions/runtime/runtime_vtproto.pb.go @@ -556,6 +556,15 @@ func (m *MountStatusSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) { i -= len(m.unknownFields) copy(dAtA[i:], m.unknownFields) } + if len(m.EncryptionProviders) > 0 { + for iNdEx := len(m.EncryptionProviders) - 1; iNdEx >= 0; iNdEx-- { + i -= len(m.EncryptionProviders[iNdEx]) + copy(dAtA[i:], m.EncryptionProviders[iNdEx]) + i = encodeVarint(dAtA, i, uint64(len(m.EncryptionProviders[iNdEx]))) + i-- + dAtA[i] = 0x32 + } + } if m.Encrypted { i-- if m.Encrypted { @@ -1016,6 +1025,12 @@ func (m *MountStatusSpec) SizeVT() (n int) { if m.Encrypted { n += 2 } + if len(m.EncryptionProviders) > 0 { + for _, s := range m.EncryptionProviders { + l = len(s) + n += 1 + l + sov(uint64(l)) + } + } n += len(m.unknownFields) return n } @@ -2302,6 +2317,38 @@ func (m *MountStatusSpec) UnmarshalVT(dAtA []byte) error { } } m.Encrypted = bool(v != 0) + case 6: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field EncryptionProviders", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflow + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLength + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLength + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.EncryptionProviders = append(m.EncryptionProviders, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skip(dAtA[iNdEx:]) diff --git a/pkg/machinery/config/config/machine.go b/pkg/machinery/config/config/machine.go index cc66b050b..7262a42d2 100644 --- a/pkg/machinery/config/config/machine.go 
+++ b/pkg/machinery/config/config/machine.go
@@ -364,18 +364,24 @@ type EncryptionKey interface {
 // EncryptionKeyStatic ephemeral encryption key.
 type EncryptionKeyStatic interface {
 	Key() []byte
+	String() string
 }
 
 // EncryptionKeyKMS encryption key sealed by KMS.
 type EncryptionKeyKMS interface {
 	Endpoint() string
+	String() string
 }
 
 // EncryptionKeyNodeID deterministically generated encryption key.
-type EncryptionKeyNodeID interface{}
+type EncryptionKeyNodeID interface {
+	String() string
+}
 
 // EncryptionKeyTPM encryption key sealed by TPM.
-type EncryptionKeyTPM interface{}
+type EncryptionKeyTPM interface {
+	String() string
+}
 
 // Encryption defines settings for the partition encryption.
 type Encryption interface {
diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go
index bf48b4ade..ed96387ef 100644
--- a/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go
+++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go
@@ -1384,6 +1384,16 @@ func (e *EncryptionKey) TPM() config.EncryptionKeyTPM {
 	return e.KeyTPM
 }
 
+// String implements the config.Provider interface.
+func (e *EncryptionKeyNodeID) String() string {
+	return "nodeid"
+}
+
+// String implements the config.Provider interface.
+func (e *EncryptionKeyTPM) String() string {
+	return "tpm"
+}
+
 // Slot implements the config.Provider interface.
 func (e *EncryptionKey) Slot() int {
 	return e.KeySlot
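Review bot: The `String() string` methods added to the four exported interfaces in machine.go have no documented contract, yet the value they return is stored in `MountStatusSpec.EncryptionProviders` and rendered on the dashboard, so it must be a short provider name and never key material. State that on each interface, for example on `EncryptionKeyStatic`: `// String returns the provider name ("static"); it must not include the key bytes, as the value is published in the MountStatus resource.`, with the matching `"nodeid"`, `"kms"` and `"tpm"` wording on the others. Adding a method to an exported interface in pkg/machinery also breaks any out-of-tree implementation of these interfaces; worth a line in the commit description.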
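Review bot: The doc comments on the new `String` methods in v1alpha1_provider.go say they implement `config.Provider`, but the interfaces they satisfy are `config.EncryptionKeyNodeID` and `config.EncryptionKeyTPM` here, and `config.EncryptionKeyStatic` and `config.EncryptionKeyKMS` in the second hunk of the same file. The existing `Slot` and `Endpoint` comments use the same wording, so this follows the file's convention, but for new code `// String implements the config.EncryptionKeyNodeID interface.` (and likewise for the other three) names the interface a reader will actually look up.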
@@ -1394,11 +1404,21 @@ func (e *EncryptionKeyStatic) Key() []byte {
 	return []byte(e.KeyData)
 }
 
+// String implements the config.Provider interface.
+func (e *EncryptionKeyStatic) String() string {
+	return "static"
+}
+
 // Endpoint implements the config.Provider interface.
 func (e *EncryptionKeyKMS) Endpoint() string {
 	return e.KMSEndpoint
 }
 
+// String implements the config.Provider interface.
+func (e *EncryptionKeyKMS) String() string {
+	return "kms"
+}
+
 // Get implements the config.Provider interface.
 func (e *SystemDiskEncryptionConfig) Get(label string) config.Encryption {
 	switch label {
diff --git a/pkg/machinery/resources/runtime/deep_copy.generated.go b/pkg/machinery/resources/runtime/deep_copy.generated.go
index 52ee0da3c..c0fb22fba 100644
--- a/pkg/machinery/resources/runtime/deep_copy.generated.go
+++ b/pkg/machinery/resources/runtime/deep_copy.generated.go
@@ -104,6 +104,10 @@ func (o MountStatusSpec) DeepCopy() MountStatusSpec {
 		cp.Options = make([]string, len(o.Options))
 		copy(cp.Options, o.Options)
 	}
+	if o.EncryptionProviders != nil {
+		cp.EncryptionProviders = make([]string, len(o.EncryptionProviders))
+		copy(cp.EncryptionProviders, o.EncryptionProviders)
+	}
 	return cp
 }
 
diff --git a/pkg/machinery/resources/runtime/mount_status.go b/pkg/machinery/resources/runtime/mount_status.go
index 6f9f374c5..d59621f7f 100644
--- a/pkg/machinery/resources/runtime/mount_status.go
+++ b/pkg/machinery/resources/runtime/mount_status.go
@@ -23,11 +23,12 @@ type MountStatus = typed.Resource[MountStatusSpec, MountStatusExtension]
 //
 //gotagsrewrite:gen
 type MountStatusSpec struct {
-	Source         string   `yaml:"source" protobuf:"1"`
-	Target         string   `yaml:"target" protobuf:"2"`
-	FilesystemType string   `yaml:"filesystemType" protobuf:"3"`
-	Options        []string `yaml:"options" protobuf:"4"`
-	Encrypted      bool     `yaml:"encrypted" protobuf:"5"`
+	Source              string   `yaml:"source" protobuf:"1"`
+	Target              string   `yaml:"target" protobuf:"2"`
+	FilesystemType      string   `yaml:"filesystemType" protobuf:"3"`
+	Options             []string `yaml:"options" protobuf:"4"`
+	Encrypted           bool     `yaml:"encrypted" protobuf:"5"`
+	EncryptionProviders []string `yaml:"encryptionProviders,omitempty" protobuf:"6"`
 }
 
 // NewMountStatus initializes a MountStatus resource.
diff --git a/website/content/v1.6/reference/api.md b/website/content/v1.6/reference/api.md
index 8b9e662f1..4ce6f8f80 100644
--- a/website/content/v1.6/reference/api.md
+++ b/website/content/v1.6/reference/api.md
@@ -3617,6 +3617,7 @@ MountStatusSpec describes status of the defined sysctls.
 | filesystem_type | [string](#string) |  |  |
 | options | [string](#string) | repeated |  |
 | encrypted | [bool](#bool) |  |  |
+| encryption_providers | [string](#string) | repeated |  |
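Review bot: The new `EncryptionProviders` field carries `omitempty` while the sibling `Options []string` field does not, so the YAML rendering of an unencrypted mount drops one list and emits the other as an empty value; either choice is defensible, but the two repeated fields of the same struct should agree. A field comment would also help readers of the resource, since the struct is otherwise uncommented: `// EncryptionProviders lists the key provider names (static, nodeid, kms, tpm) configured for an encrypted partition; empty when Encrypted is false.`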