metropolis/cli/metroctl: set storage security policy inside installer
Without it, the installed metropolis node will fail initialization.
Change-Id: I137107260fc7c4f50052791f58454dd07b98c29c
Reviewed-on: https://review.monogon.dev/c/monogon/+/1809
Tested-by: Jenkins CI
Reviewed-by: Serge Bazanski <serge@monogon.tech>
diff --git a/metropolis/cli/metroctl/cmd_install.go b/metropolis/cli/metroctl/cmd_install.go
index 62be34f..986eeca 100644
--- a/metropolis/cli/metroctl/cmd_install.go
+++ b/metropolis/cli/metroctl/cmd_install.go
@@ -41,6 +41,7 @@
var bootstrap bool
var bootstrapTPMMode string
+var bootstrapStorageSecurityPolicy string
//go:embed metropolis/installer/kernel.efi
var installer []byte
@@ -58,6 +59,21 @@
log.Fatalf("Invalid --bootstrap-tpm-mode (must be one of: required, best-effort, disabled)")
}
+ var bootstrapStorageSecurity cpb.ClusterConfiguration_StorageSecurityPolicy
+ switch strings.ToLower(bootstrapStorageSecurityPolicy) {
+ case "permissive":
+ bootstrapStorageSecurity = cpb.ClusterConfiguration_STORAGE_SECURITY_POLICY_PERMISSIVE
+ case "needs-encryption":
+ bootstrapStorageSecurity = cpb.ClusterConfiguration_STORAGE_SECURITY_POLICY_NEEDS_ENCRYPTION
+ case "needs-encryption-and-authentication":
+ bootstrapStorageSecurity = cpb.ClusterConfiguration_STORAGE_SECURITY_POLICY_NEEDS_ENCRYPTION_AND_AUTHENTICATION
+ case "needs-insecure":
+ bootstrapStorageSecurity = cpb.ClusterConfiguration_STORAGE_SECURITY_POLICY_NEEDS_INSECURE
+ default:
+
+ log.Fatalf("Invalid --bootstrap-storage-security (must be one of: permissive, needs-encryption, needs-encryption-and-authentication, needs-insecure)")
+ }
+
var bundleReader io.Reader
var bundleSize uint64
if bundlePath == nil || *bundlePath == "" {
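Review bot: The default branch of the new switch rejects the value without echoing it, so a user who typo'd the policy sees only the list of accepted names; `log.Fatalf("Invalid --bootstrap-storage-security %q (must be one of: permissive, needs-encryption, needs-encryption-and-authentication, needs-insecure)", bootstrapStorageSecurityPolicy)` would make the failure self-explanatory, and the stray blank line after `default:` should go. The accepted spellings are lowercased before matching, which the flag help text in the last hunk does not mention; a short note there, or a comment above the switch such as `// Policy names are matched case-insensitively.`, would keep the two in sync. It is not visible here whether this validation runs only when --bootstrap is set, nor whether a policy that requires authentication is cross-checked against `--bootstrap-tpm-mode disabled`; if that combination can only fail later at node initialization, rejecting it in this switch would surface the problem at image-creation time instead. The enclosing function starts and ends outside the hunk.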
@@ -101,7 +117,8 @@
ClusterBootstrap: &api.NodeParameters_ClusterBootstrap{
OwnerPublicKey: pub,
InitialClusterConfiguration: &cpb.ClusterConfiguration{
- TpmMode: tpmMode,
+ StorageSecurityPolicy: bootstrapStorageSecurity,
+ TpmMode: tpmMode,
},
},
},
@@ -149,5 +166,6 @@
genusbCmd.Flags().BoolVar(&bootstrap, "bootstrap", false, "Create a bootstrap installer image.")
genusbCmd.Flags().StringVar(&bootstrapTPMMode, "bootstrap-tpm-mode", "required", "TPM mode to set on cluster (required, best-effort, disabled)")
+ genusbCmd.Flags().StringVar(&bootstrapStorageSecurityPolicy, "bootstrap-storage-security", "needs-encryption-and-authentication", "Storage security policy to set on cluster (permissive, needs-encryption, needs-encryption-and-authentication, needs-insecure)")
installCmd.AddCommand(genusbCmd)
}
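Review bot: The new flag is registered as `bootstrap-storage-security` while the variable it binds (`bootstrapStorageSecurityPolicy`), the proto field (`StorageSecurityPolicy`) and the sibling flag `bootstrap-tpm-mode` all name the thing being set; `"bootstrap-storage-security-policy"` would match that convention and read as a policy rather than a boolean, but changing it after release would break existing invocations, so it is worth settling now. The default of `needs-encryption-and-authentication` is the strictest option, which is the right fail-safe choice; the help string could say so explicitly, e.g. `"Storage security policy to set on cluster (permissive, needs-encryption, needs-encryption-and-authentication, needs-insecure); matched case-insensitively"`, since the validation in the earlier hunk lowercases the input.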