initializer: remove cryptsetup init command

internal/kuberesource/parts.go

@@ -593,53 +593,3 @@ func ServiceMeshProxy() *applycorev1.ContainerApplyConfiguration {
 			"-l", "debug",
 		)
 }
-
-// CryptsetupInitCommand returns the init command for the cryptsetup
-// container to setup an encrypted LUKS mount.
-func CryptsetupInitCommand() string {
-	return `#!/bin/bash
-set -e
-
-# Regarding https://man7.org/linux/man-pages/man8/cryptsetup.8.html
-# passphrase <=> key in this document, not an actual cryptographic key
-
-# device is the path to the block device to be encrypted.
-device="/dev/csi0"
-
-# workload_secret_path is the path to the Contrast workload secret.
-workload_secret_path="/contrast/secrets/workload-secret-seed"
-
-# tmp_key_path is the path to a temporary key file.
-tmp_key_path="/dev/shm/key"
-# disk_encryption_key_path is the path to the disk encryption key.
-disk_encryption_key_path="/dev/shm/disk-key"
-
-# (First initialization)
-if ! cryptsetup isLuks "${device}"; then
-	# First init requires formatting to LUKS to allow getting the uuid of LUKS block device.
-	echo "init_passphrase" > "${tmp_key_path}"
-	cryptsetup luksFormat --pbkdf-memory=10240 $device "${tmp_key_path}" </dev/null
-
-	# Generate passphrase based on workload secret and uuid of LUKS device.
-	echo "$(cat "${workload_secret_path}")$(cryptsetup luksUUID "${device}")" > "${disk_encryption_key_path}"
-
-	# Change the encryption key to use derived passphrase.
-	cryptsetup luksChangeKey --pbkdf-memory=10240 "${device}" --key-file "${tmp_key_path}" "${disk_encryption_key_path}"
-
-	cryptsetup open "${device}" state -d "${disk_encryption_key_path}"
-
-	# Create the ext4 filesystem on the mapper device.
-	mkfs.ext4 /dev/mapper/state
-else
-	# (Everytime)
-	# Generate passphrase based on workload secret and uuid of LUKS device.
-	echo "$(cat "${workload_secret_path}")$(cryptsetup luksUUID "${device}")" > "${disk_encryption_key_path}"
-	cryptsetup open "${device}" state -d "${disk_encryption_key_path}"
-fi
-
-cryptsetup luksUUID "${device}"
-mount /dev/mapper/state /state
-touch /done
-sleep inf
-`
-}

internal/kuberesource/sets.go

@@ -522,7 +522,7 @@ func VolumeStatefulSet() []any {
 					PodSpec().
 						WithContainers(
 							Initializer().
-							WithCommand("/bin/sh", "-c", "sleep inf").
+								WithCommand("/bin/sh", "-c", "sleep inf").
 								WithVolumeMounts(
 									VolumeMount().
 										WithName("share").
@@ -573,47 +573,6 @@ func MySQL() []any {
 				WithAnnotations(map[string]string{"contrast.edgeless.systems/pod-role": "initializer-enc-volume"}).
 				WithSpec(
 					PodSpec().
-						WithInitContainers(
-							Container().
-								WithName("luks-setup").
-								WithImage("ghcr.io/edgelesssys/contrast/initializer:latest").
-								WithCommand("/bin/sh", "-c", CryptsetupInitCommand()).
-								WithVolumeDevices(
-									applycorev1.VolumeDevice().
-										WithName("state").
-										WithDevicePath("/dev/csi0"),
-								).
-								WithVolumeMounts(
-									VolumeMount().
-										WithName("run").
-										WithMountPath("/run"),
-									VolumeMount().
-										WithName("share").
-										WithMountPath("/state").
-										WithMountPropagation(corev1.MountPropagationBidirectional),
-									VolumeMount().
-										WithName("contrast-secrets").
-										WithMountPath("/contrast"),
-								).
-								WithSecurityContext(
-									applycorev1.SecurityContext().
-										WithPrivileged(true),
-								).
-								WithResources(ResourceRequirements().
-									WithMemoryLimitAndRequest(100),
-								).
-								WithStartupProbe(
-									Probe().
-										WithFailureThreshold(20).
-										WithPeriodSeconds(5).
-										WithExec(applycorev1.ExecAction().
-											WithCommand("/bin/test", "-f", "/done"),
-										),
-								).
-								WithRestartPolicy(
-									corev1.ContainerRestartPolicyAlways,
-								),
-						).
 						WithContainers(
 							Container().
 								WithName("mysql-backend").