gcp: Flag RHCOS with SECURE_BOOT and UEFI_COMPATIBLE #2921
Tested this locally and it worked; logging in with However, the terraform-provider-google bump is a hack...I had to edit it slightly to work with our older Terraform. So, this depends on a terraform bump which I haven't tried before.
IE the vendor bump is backported in the bump itself?
This bumps the terraform-provider-google plugin (that we vendor), which requires a newer api in terraform (which we also vendor). I just edited the google plugin to stop using that API (it's for specifying the user agent in HTTP requests).
/retest
LGTM Having TPM2 encryption support for RHCOS in GCP would be an excellent feature. Thank you @cgwalters for getting this done. /approve
This opts us in to some of the features from https://cloud.google.com/security/shielded-cloud/shielded-vm

Specifically with this, we get a vTPM device.

And what's nice about having a TPM device is that we can start to optionally make use of TPM devices in OpenShift which will then work on both bare metal *and* in GCP.

Closes: openshift#2546
4ecc871 to 85270dd
Rebased 🏄♂️ - we no longer need to bump
/test e2e-gcp
@@ -93,6 +93,14 @@ module "dns" { | |||
resource "google_compute_image" "cluster" { | |||
name = "${var.cluster_id}-rhcos-image" | |||
|
|||
# See https://github.com/openshift/installer/issues/2546 |
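Review bot: The comment added inside `google_compute_image.cluster` gives only the issue URL, so the reason for the change is invisible without following the link. Suggest stating the intent inline next to the link, for example that the image is flagged SECURE_BOOT and UEFI_COMPATIBLE so instances get a vTPM device (as the PR title and commit message say), and keeping the URL as the reference. The hunk header declares 14 lines on the new side but the page shows only the lines up to this comment, so the added block itself could not be reviewed here.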
❤️ Thank you for linking to the issue!
OK, lifting WIP on this! Tested by launching with cluster-bot, and interactively using The mess of test failures e.g. with openstack/ovirt/aws seems unrelated.
/retest
Note.
/approve
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abhinavdahiya, ashcrow, darkmuggle
/retest Please review the full test history for this PR and help us cut down flakes.