[feat] add support for disk encryption (#423)

* add support for disk encryption

* fix cilium's broken links

Author: AshleyDumaine

api/v1alpha1/zz_generated.conversion.go

@@ -74,6 +74,10 @@ type LinodeMachineSpec struct {
 	// DataDisks is a map of any additional disks to add to an instance,
 	// The sum of these disks + the OSDisk must not be more than allowed on a linodes plan
 	DataDisks map[string]*InstanceDisk `json:"dataDisks,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
+	// +kubebuilder:validation:Enum=enabled;disabled
+	// DiskEncryption determines if the disks of the instance should be encrypted.
+	DiskEncryption string `json:"diskEncryption,omitempty"`
 
 	// CredentialsRef is a reference to a Secret that contains the credentials
 	// to use for provisioning this machine. If not supplied then these

api/v1alpha2/linodemachine_types.go

@@ -521,6 +521,16 @@ spec:
                   DataDisks is a map of any additional disks to add to an instance,
                   The sum of these disks + the OSDisk must not be more than allowed on a linodes plan
                 type: object
+              diskEncryption:
+                description: DiskEncryption determines if the disks of the instance
+                  should be encrypted.
+                enum:
+                - enabled
+                - disabled
+                type: string
+                x-kubernetes-validations:
+                - message: Value is immutable
+                  rule: self == oldSelf
               firewallID:
                 type: integer
                 x-kubernetes-validations:

config/crd/bases/infrastructure.cluster.x-k8s.io_linodemachines.yaml

@@ -386,6 +386,16 @@ spec:
                           DataDisks is a map of any additional disks to add to an instance,
                           The sum of these disks + the OSDisk must not be more than allowed on a linodes plan
                         type: object
+                      diskEncryption:
+                        description: DiskEncryption determines if the disks of the
+                          instance should be encrypted.
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
+                        x-kubernetes-validations:
+                        - message: Value is immutable
+                          rule: self == oldSelf
                       firewallID:
                         type: integer
                         x-kubernetes-validations:

config/crd/bases/infrastructure.cluster.x-k8s.io_linodemachinetemplates.yaml

@@ -107,9 +107,10 @@ var _ = Describe("create", Label("machine", "create"), func() {
 				UID:       "12345",
 			},
 			Spec: infrav1alpha2.LinodeMachineSpec{
-				InstanceID: ptr.To(0),
-				Type:       "g6-nanode-1",
-				Image:      rutil.DefaultMachineControllerLinodeImage,
+				InstanceID:     ptr.To(0),
+				Type:           "g6-nanode-1",
+				Image:          rutil.DefaultMachineControllerLinodeImage,
+				DiskEncryption: string(linodego.InstanceDiskEncryptionEnabled),
 			},
 		}
 		reconciler = &LinodeMachineReconciler{
@@ -141,7 +142,7 @@ var _ = Describe("create", Label("machine", "create"), func() {
 		getRegion := mockLinodeClient.EXPECT().
 			GetRegion(ctx, gomock.Any()).
 			After(listInst).
-			Return(&linodego.Region{Capabilities: []string{"Metadata"}}, nil)
+			Return(&linodego.Region{Capabilities: []string{linodego.CapabilityMetadata, linodego.CapabilityDiskEncryption}}, nil)
 		getImage := mockLinodeClient.EXPECT().
 			GetImage(ctx, gomock.Any()).
 			After(getRegion).
@@ -227,7 +228,7 @@ var _ = Describe("create", Label("machine", "create"), func() {
 			getRegion := mockLinodeClient.EXPECT().
 				GetRegion(ctx, gomock.Any()).
 				After(listInst).
-				Return(&linodego.Region{Capabilities: []string{"Metadata"}}, nil)
+				Return(&linodego.Region{Capabilities: []string{linodego.CapabilityMetadata, linodego.CapabilityDiskEncryption}}, nil)
 			getImage := mockLinodeClient.EXPECT().
 				GetImage(ctx, gomock.Any()).
 				After(getRegion).
@@ -309,7 +310,7 @@ var _ = Describe("create", Label("machine", "create"), func() {
 			getRegion := mockLinodeClient.EXPECT().
 				GetRegion(ctx, gomock.Any()).
 				After(listInst).
-				Return(&linodego.Region{Capabilities: []string{"Metadata"}}, nil)
+				Return(&linodego.Region{Capabilities: []string{linodego.CapabilityMetadata, linodego.CapabilityDiskEncryption}}, nil)
 			getImage := mockLinodeClient.EXPECT().
 				GetImage(ctx, gomock.Any()).
 				After(getRegion).
@@ -460,7 +461,7 @@ var _ = Describe("create", Label("machine", "create"), func() {
 			getRegion := mockLinodeClient.EXPECT().
 				GetRegion(ctx, gomock.Any()).
 				After(listInst).
-				Return(&linodego.Region{Capabilities: []string{"Metadata"}}, nil)
+				Return(&linodego.Region{Capabilities: []string{linodego.CapabilityMetadata, linodego.CapabilityDiskEncryption}}, nil)
 			getImage := mockLinodeClient.EXPECT().
 				GetImage(ctx, gomock.Any()).
 				After(getRegion).

controller/linodemachine_controller_test.go

@@ -56,7 +56,7 @@ kubectl label cluster $CLUSTER_NAME cni=$CLUSTER_NAME-cilium --overwrite
 Cilium will then be automatically installed via CAAPH into the labeled cluster.
 
 #### Enabled Features
-By default, Cilium's [BGP Control Plane](https://docs.cilium.io/en/stable/network/bgp-control-plane/)
+By default, Cilium's [BGP Control Plane](https://docs.cilium.io/en/stable/network/bgp-control-plane/bgp-control-plane/)
 is enabled when using Cilium as the CNI.
 
 ## CCM

docs/src/topics/addons.md

@@ -1,7 +1,7 @@
 # Cilium BGP Load-Balancing
 
 This flavor creates special labeled worker nodes for ingress which leverage Cilium's
-[BGP Control Plane](https://docs.cilium.io/en/stable/network/bgp-control-plane/)
+[BGP Control Plane](https://docs.cilium.io/en/stable/network/bgp-control-plane/bgp-control-plane/)
 and [LB IPAM](https://docs.cilium.io/en/stable/network/lb-ipam/) support.
 
 With this flavor, Services exposed via `type: LoadBalancer` automatically get

docs/src/topics/flavors/cilium-bgp-lb.md

@@ -32,9 +32,9 @@ export LINODE_MACHINE_TYPE=g6-standard-2
 For Regions and Images that do not yet support Akamai's cloud-init datasource CAPL will automatically use a stackscript shim
 to provision the node. If you are using a custom image ensure the [cloud_init](https://www.linode.com/docs/api/images/#image-create) flag is set correctly on it
 ```
-```admonish warning
-By default, clusters are provisioned within VPC. For Regions which do not have [VPC support](https://www.linode.com/docs/products/networking/vpc/#availability) yet, use the [VPCLess](./flavors/vpcless.md) flavor to have clusters provisioned.
-```
+~~~admonish warning
+By default, clusters are provisioned within VPC with disk encryption enabled. For Regions which do not have [VPC support](https://www.linode.com/docs/products/networking/vpc/#availability) yet, use the [VPCLess](./flavors/vpcless.md) flavor to have clusters provisioned. For disabling disk encryption, set `spec.template.spec.diskEncryption=disabled` in your generated LinodeMachineTemplate resources when creating a CAPL cluster.
+~~~
 
 ## Install CAPL on your management cluster
 ```admonish warning

docs/src/topics/getting-started.md

@@ -9,6 +9,7 @@ spec:
       image: ${LINODE_OS:="linode/ubuntu22.04"}
       type: ${LINODE_CONTROL_PLANE_MACHINE_TYPE}
       region: ${LINODE_REGION}
+      # diskEncryption: disabled
       interfaces:
         - purpose: public
       authorizedKeys:
@@ -25,6 +26,7 @@ spec:
       image: ${LINODE_OS:="linode/ubuntu22.04"}
       type: ${LINODE_MACHINE_TYPE}
       region: ${LINODE_REGION}
+      # diskEncryption: disabled
       interfaces:
         - purpose: public
       authorizedKeys: