add: Support LUKS encryption using IBM CEX secure keys on s390x

[madhu-pillai]

fcos/1.6.0-exp: Fix context for boot_device.layout errors

• Use "layout" in the context path for errors related to the layout
  entry in the boot_device configuration.
• Add tests for those error cases.
• Refactor mirror boot_device check for s390x.

Fixes: #484

---

vendor: Update ignition/v2 v2.19.0 & aws-sdk-go v1.53.5

---

Support LUKS encryption using IBM CEX secure keys on s390x

For fcos 1.6.0-exp & openshift 4.18.0-exp specs, expected to be based on
stable 3.5.0 spec.

See: coreos/ignition#1693
See: coreos/fedora-coreos-tracker#1708

[madhu-pillai]

Hi @travier ,
Can i've a review on this?

[madhu-pillai]

Hi @travier ,
I've changed the schema part to Cex. Kindly review it.

[madhu-pillai]

$ butane % cat bin/arm64/openshift.bu 
variant: openshift
version: 4.17.0-experimental
metadata:
  name: MachineConfig
  labels:
    machineconfiguration.openshift.io/role: master1
boot_device:
  layout: s390x-eckd
  luks:
    device: /dev/dasda
    cex:
      enabled: true

 $ ./butane openshift.bu -o openshift.ign --pretty && cat openshift.ign
# Generated by Butane; do not edit
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master1
  name: MachineConfig
spec:
  config:
    ignition:
      version: 3.5.0-experimental
    storage:
      filesystems:
        - device: /dev/mapper/root
          format: xfs
          label: root
          wipeFilesystem: true
      luks:
        - cex:
            enabled: true
          device: /dev/dasda2
          label: luks-root
          name: root
          wipeVolume: true

[prestist]

It's coming along! a few nits;

Thank you for doing this.

[madhu-pillai]

Hi @prestist ,
Could you please review the updated comment?.

[prestist]

Gennerally lgtm I have like one nit; otherwise I think its gtg.

[madhu-pillai]

[root@a3elp53 s390x]# ./butane boot.bu -o boot.ign --pretty
[root@a3elp53 s390x]# cat boot.bu
variant: fcos
version: 1.6.0-experimental
boot_device:
  layout: s390x-zfcp
  luks:
    device: /dev/sdb
    cex:
      enabled: true
[root@a3elp53 s390x]# cat boot.ign
{
  "ignition": {
    "version": "3.5.0-experimental"
  },
  "storage": {
    "filesystems": [
      {
        "device": "/dev/mapper/root",
        "format": "xfs",
        "label": "root",
        "wipeFilesystem": true
      }
    ],
    "luks": [
      {
        "cex": {
          "enabled": true
        },
        "device": "/dev/sdb4",
        "label": "luks-root",
        "name": "root",
        "wipeVolume": true
      }
    ]
  }
}

[madhu-pillai]

Hi, Is this pr ok to approve? or anything pending from my side?

[prestist]

@madhu-pillai , I am going to run through and review from my perspective, but will not be merging until I hear from @travier since he had a lot of feedback, and I want to ensure his concerns are resolved.

Note: the now latest version of ignition is 2.20.0 which has the functionality this sugar uses in stable, I would prefer to get this in before we update butane with that version and its new specs.

[prestist]

Please make sure that you have resolved, and fixed any review comments, there seems to be one which has gramar issues still here, and more importantly a question about structure here

[madhu-pillai]

Please make sure that you have resolved, and fixed any review comments, there seems to be one which has gramar issues still here, and more importantly a question about structure here

Hi @prestist ,
These reviews were already updated in the last commit. Sorry i missed to update the review message. Now done.

[madhu-pillai]

Hi @travier , Could you review the PR please?

[travier]

OK, we need to split this in at least two commits:

• vendor code update
• addition of CEX support

[travier]

OK, we can not update to 2.20 until we do #558

[travier]

#550 (comment)

[travier]

Hold on, I'm doing the rebase / resplit.

[travier]

This should be good now. I'll do another pass tomorrow. Then we need to stabilize all of that.

[prestist]

With the latest changes, lgtm.

[prestist]

This should be good now. I'll do another pass tomorrow. Then we need to stabilize all of that.

@travier Makes sense, so to be clear, we land this pr then separately stabilize? (preferred) I don't want to stabilize in this pr.

[travier]

Yes, if I'm not mistaken, we should follow this order (#550 (comment)):

• This PR
• Bump ignition experimental to 3.6.0-experimental #558
• Stabilise base 0.6, fcos 1.6 on ignition 3.5.0 spec #559
• Release Butane 0.23.0 #550

[travier]

Alright, I've added more tests and fixed the case where they failed so this should be ready now.

[prestist]

Thank you for catching that/fixing it, and then adding tests. LGTM