fix: clear the encryption config in META when STATE is reset

When STATE is reset, we need to make sure we wipe the META keys containing encryption config as well. Fixes #7819 Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit ef7be16)
siderolabs · Oct 17, 2023 · 21d874a · 21d874a
1 parent 58b16b9
commit 21d874a
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
@@ -1624,6 +1624,31 @@ func ResetSystemDiskSpec(_ runtime.Sequence, data any) (runtime.TaskExecutionFun
 			}
 		}
 
+		stateWiped := slices.Contains(in.GetSystemDiskTargets(), func(t runtime.PartitionTarget) bool {
+			return t.GetLabel() == constants.StatePartitionLabel
+		})
+
+		metaWiped := slices.Contains(in.GetSystemDiskTargets(), func(t runtime.PartitionTarget) bool {
+			return t.GetLabel() == constants.MetaPartitionLabel
+		})
+
+		if stateWiped && !metaWiped {
+			var removed bool
+
+			removed, err = r.State().Machine().Meta().DeleteTag(ctx, meta.StateEncryptionConfig)
+			if err != nil {
+				return fmt.Errorf("failed to remove state encryption META config tag: %w", err)
+			}
+
+			if removed {
+				if err = r.State().Machine().Meta().Flush(); err != nil {
+					return fmt.Errorf("failed to flush META: %w", err)
+				}
+
+				logger.Printf("reset the state encryption META config tag")
+			}
+		}
+
 		logger.Printf("successfully reset system disk by the spec")
 
 		return nil