diff --git a/internal/kuberesource/parts.go b/internal/kuberesource/parts.go
index 4a77fd828..80ca22f91 100644
--- a/internal/kuberesource/parts.go
+++ b/internal/kuberesource/parts.go
@@ -593,53 +593,3 @@ func ServiceMeshProxy() *applycorev1.ContainerApplyConfiguration { "-l", "debug", ) } - -// CryptsetupInitCommand returns the init command for the cryptsetup -// container to setup an encrypted LUKS mount. -func CryptsetupInitCommand() string { - return `#!/bin/bash -set -e - -# Regarding https://man7.org/linux/man-pages/man8/cryptsetup.8.html -# passphrase <=> key in this document, not an actual cryptographic key - -# device is the path to the block device to be encrypted. -device="/dev/csi0" - -# workload_secret_path is the path to the Contrast workload secret. -workload_secret_path="/contrast/secrets/workload-secret-seed" - -# tmp_key_path is the path to a temporary key file. -tmp_key_path="/dev/shm/key" -# disk_encryption_key_path is the path to the disk encryption key. -disk_encryption_key_path="/dev/shm/disk-key" - -# (First initialization) -if ! cryptsetup isLuks "${device}"; then - # First init requires formatting to LUKS to allow getting the uuid of LUKS block device. - echo "init_passphrase" > "${tmp_key_path}" - cryptsetup luksFormat --pbkdf-memory=10240 $device "${tmp_key_path}" "${disk_encryption_key_path}" - - # Change the encryption key to use derived passphrase. - cryptsetup luksChangeKey --pbkdf-memory=10240 "${device}" --key-file "${tmp_key_path}" "${disk_encryption_key_path}" - - cryptsetup open "${device}" state -d "${disk_encryption_key_path}" - - # Create the ext4 filesystem on the mapper device. - mkfs.ext4 /dev/mapper/state -else - # (Everytime) - # Generate passphrase based on workload secret and uuid of LUKS device. - echo "$(cat "${workload_secret_path}")$(cryptsetup luksUUID "${device}")" > "${disk_encryption_key_path}" - cryptsetup open "${device}" state -d "${disk_encryption_key_path}" -fi - -cryptsetup luksUUID "${device}" -mount /dev/mapper/state /state -touch /done -sleep inf -` -} diff --git a/internal/kuberesource/sets.go b/internal/kuberesource/sets.go index b1e5d6ca2..a962e0721 100644 
--- a/internal/kuberesource/sets.go
+++ b/internal/kuberesource/sets.go
@@ -522,7 +522,7 @@ func VolumeStatefulSet() []any {
 PodSpec().
 WithContainers(
 Initializer().
- WithCommand("/bin/sh", "-c", "sleep inf").
+ WithCommand("/bin/sh", "-c", "sleep inf").
 WithVolumeMounts(
 VolumeMount().
 WithName("share").
@@ -573,47 +573,6 @@ func MySQL() []any {
 WithAnnotations(map[string]string{"contrast.edgeless.systems/pod-role": "initializer-enc-volume"}).
 WithSpec(
 PodSpec().
- WithInitContainers(
- Container().
- WithName("luks-setup").
- WithImage("ghcr.io/edgelesssys/contrast/initializer:latest").
- WithCommand("/bin/sh", "-c", CryptsetupInitCommand()).
- WithVolumeDevices(
- applycorev1.VolumeDevice().
- WithName("state").
- WithDevicePath("/dev/csi0"),
- ).
- WithVolumeMounts(
- VolumeMount().
- WithName("run").
- WithMountPath("/run"),
- VolumeMount().
- WithName("share").
- WithMountPath("/state").
- WithMountPropagation(corev1.MountPropagationBidirectional),
- VolumeMount().
- WithName("contrast-secrets").
- WithMountPath("/contrast"),
- ).
- WithSecurityContext(
- applycorev1.SecurityContext().
- WithPrivileged(true),
- ).
- WithResources(ResourceRequirements().
- WithMemoryLimitAndRequest(100),
- ).
- WithStartupProbe(
- Probe().
- WithFailureThreshold(20).
- WithPeriodSeconds(5).
- WithExec(applycorev1.ExecAction().
- WithCommand("/bin/test", "-f", "/done"),
- ),
- ).
- WithRestartPolicy(
- corev1.ContainerRestartPolicyAlways,
- ),
- ).
 WithContainers(
 Container().
 WithName("mysql-backend").