WIP: gcp: Flag RHCOS with SECURE_BOOT and UEFI_COMPATIBLE #2921

Open · wants to merge 2 commits into base: master
Conversation

@cgwalters (Member) commented Jan 14, 2020

This opts us in to some of the features from
https://cloud.google.com/security/shielded-cloud/shielded-vm
Specifically with this, we get a vTPM device.

And what's nice about having a TPM device is that we can start
to optionally make use of TPM devices in OpenShift which
will then work on both bare metal and in GCP.

Closes: #2546

cgwalters added 2 commits Jan 14, 2020
So we can use the `guest_os_features` to flag RHCOS
as `UEFI_COMPATIBLE`+`SECURE_BOOT`.
This opts us in to some of the features from
https://cloud.google.com/security/shielded-cloud/shielded-vm
Specifically with this, we get a vTPM device.

And what's nice about having a TPM device is that we can start
to optionally make use of TPM devices in OpenShift which
will then work on both bare metal *and* in GCP.

Closes: #2546
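The two commit messages above describe the change in terms of the provider API: the image gets `guest_os_features` entries for `UEFI_COMPATIBLE` and `SECURE_BOOT`, and that is what lets GCP attach a vTPM to instances booted from it. The following is an added illustration (not the installer's own Terraform, which is not shown on this page) of what such an image definition and a Shielded VM instance using it look like in terraform-provider-google. The image name, family, bucket path, zone and machine type are placeholders.

```hcl
# Added example, not code from the openshift/installer repository.
# Image resource: the guest_os_features blocks are the security-relevant part.
# Without UEFI_COMPATIBLE the instance cannot use shielded_instance_config at
# all; SECURE_BOOT additionally advertises that the image's boot chain is signed.
resource "google_compute_image" "rhcos" {
  name   = "rhcos-example"   # placeholder
  family = "rhcos"           # placeholder

  raw_disk {
    source = "gs://example-bucket/rhcos.tar.gz"   # placeholder tarball path
  }

  guest_os_features {
    type = "UEFI_COMPATIBLE"
  }
  guest_os_features {
    type = "SECURE_BOOT"
  }
}

# Instance resource: opt in to the Shielded VM features the image now allows.
resource "google_compute_instance" "node" {
  name         = "rhcos-node-example"   # placeholder
  machine_type = "n1-standard-2"        # placeholder
  zone         = "us-central1-a"        # placeholder

  boot_disk {
    initialize_params {
      image = google_compute_image.rhcos.self_link
    }
  }

  network_interface {
    network = "default"
  }

  shielded_instance_config {
    # vTPM is the device the clevis tpm2 pin mentioned later in this thread binds to.
    enable_vtpm                 = true
    # Only boots if the image's shim/bootloader chain is actually signed;
    # leave this false (keeping vTPM) if you are unsure about the image.
    enable_secure_boot          = true
    # Measured-boot reporting to Cloud Monitoring; harmless to enable alongside vTPM.
    enable_integrity_monitoring = true
  }
}
```

Caveat for the practitioner: flagging an image `SECURE_BOOT` is a declaration, not an enforcement. Enforcement happens per instance via `enable_secure_boot`, and an unsigned boot chain on an image that was flagged anyway will simply fail to boot rather than boot insecurely, so test one node with the flag before rolling it into a cluster. The check that the vTPM actually arrived in the guest is the one cgwalters describes below: get a shell on the node and run the clevis tpm2 pin against it.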
@cgwalters (Member, Author) commented Jan 14, 2020

Tested this locally and it worked; logging in with `oc debug node` I could use e.g. `clevis encrypt tpm2`.

However, the terraform-provider-google bump is a hack; I had to edit it slightly to work with our older Terraform.

So, this depends on a terraform bump which I haven't tried before.

@ashcrow requested a review from darkmuggle Jan 14, 2020

@ashcrow (Member) commented Jan 14, 2020

> However, the terraform-provider-google bump is a hack; I had to edit it slightly to work with our older Terraform.

I.e., the vendor bump is backported in the bump itself?

@cgwalters (Member, Author) commented Jan 15, 2020

> I.e., the vendor bump is backported in the bump itself?

This bumps the terraform-provider-google plugin (that we vendor), which requires a newer API in terraform (which we also vendor). I just edited the google plugin to stop using that API (it's for specifying the user agent in HTTP requests).

@cgwalters (Member, Author) commented Jan 15, 2020

/retest

@openshift-ci-robot commented Jan 15, 2020

@cgwalters: The following tests failed, say /retest to rerun all failed tests:

| Test name | Commit | Rerun command |
|---|---|---|
| ci/prow/unit | 4ecc871 | /test unit |
| ci/prow/govet | 4ecc871 | /test govet |
| ci/prow/e2e-ovirt | 4ecc871 | /test e2e-ovirt |
| ci/prow/e2e-aws | 4ecc871 | /test e2e-aws |
| ci/prow/e2e-openstack | 4ecc871 | /test e2e-openstack |
| ci/prow/e2e-libvirt | 4ecc871 | /test e2e-libvirt |
| ci/prow/e2e-aws-upgrade | 4ecc871 | /test e2e-aws-upgrade |
| ci/prow/e2e-aws-scaleup-rhel7 | 4ecc871 | /test e2e-aws-scaleup-rhel7 |
| ci/prow/e2e-aws-fips | 4ecc871 | /test e2e-aws-fips |
| ci/prow/images | 4ecc871 | /test images |

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@darkmuggle (Contributor) commented Jan 15, 2020

LGTM

Having TPM2 encryption support for RHCOS in GCP would be an excellent feature. Thank you @cgwalters for getting this done.

/approve

@openshift-ci-robot commented Jan 15, 2020

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: darkmuggle
To complete the pull request process, please assign smarterclayton
You can assign the PR to them by writing /assign @smarterclayton in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
