support LUKS for raw disk images/clouds

[cgwalters]

Some users want to hard require OS-level disk encryption even in cloud environments because it's provable at the OS level that it works. Also, some people want to do testing in virtualized environments and then deploy to bare metal.

Ignition has a wonderful story for both cases: You can apply the same Ignition configuration, ask for LUKS and get it whether it's bare metal or cloud, with the same language.

So this issue is about a high level request to make it easy with this project to generate a disk image ready for LUKS. In general it probably needs to support the LUKS feature sets available with kickstart and/or Ignition today, including e.g. Tang/NBDE etc.

[cgwalters]

BTW one thing I just learned when looking at this is we never added anything clevis into kickstart, the docs just talk about how to set it up via code execution in %post.

But yes related to this whole topic, if we take the solution here to be "add clevis to blueprints" it means the people who want to deploy to bare metal will need a different configuration and language for that - not a new problem at all, but when we start talking about complex configuration it becomes more relevant.

[wadimklincov]

Out of curiosity, what would be the difference in language and configuration for bare metal? I did some bare metal deployments with anaconda, clevis, tang and LUKS and it worked well (except for the resulting anaconda-iso issues like LIB).

[cgwalters]

Currently in this ecosystem it's kickstart for bare metal, blueprints for cloud. Personally I'd like to see more "crossover"...e.g. an ignition-to-kickstart or ignition-to-blueprint translator seems viable in some simple cases. Anyways, it's a tangent but a related one.