[RFC] schema: add storage.encryption section

[lucab]

This introduces a new storage.encryption section which can be used
to provision LUKS volumes.
Volumes provisioned this way are meant to be unlocked early in the
boot process and made available in the initramfs (e.g. the rootfs).

[lucab]

/cc @dgonyeo for review. What do you use to keep JSON format coherent? I used js-beautify -k -n -r -s 2 schema/ignition.json and it introduced some minimal fixes; should we standardize on something?

[ajeddeloh]

File headers should be 2018.

The docs should probably also have a section in the operator notes on how wipeVolume is handled with regards to PXE booting with persistant root (similar to the filesystems section).

Will this be ammended with the implementation or is that coming in a seperate PR?

[ajeddeloh]

These can be broken up into Validate<FIELDNAME>() functions which will let the validator logic be a little more precise with line numbers when reporting errors. The file section has some examples.

[coreosbot]

Can one of the admins verify this patch?

[lucab]

@ajeddeloh thanks, I didn't know about generics Validate reflection. I added a section in the doc for wipeVolume too.

Implementation will follow in a separate PR, with the key fetching/unwrapping logic in coreos/coreos-cryptagent#5 (in case you have review cycles for that too, feel free to).

[cgonyeo]

You should add a func (c Content) ValidateSource() report.Report that calls validateUrl (or maybe something else since this only supports https?) on c.Source.

[lucab]

I've slightly bent validateURL to take an additional optional subset of whitelisted schemes, let me know if you prefer something simpler and dedicated instead.

[lucab]

@dgonyeo I guess I'll wait and rebase once #519 lands, as this is easier to rebase.

[lucab]

@arithx is there anything you want to salvage from here? Otherwise I'd just close it as just another stale PR.

[arithx]

@lucab feel free to nuke.