diff --git a/api/v1alpha1/zz_generated.conversion.go b/api/v1alpha1/zz_generated.conversion.go
index 73e18b4d9..80549ec0b 100644
--- a/api/v1alpha1/zz_generated.conversion.go
+++ b/api/v1alpha1/zz_generated.conversion.go
@@ -747,6 +747,7 @@ func autoConvert_v1alpha2_LinodeMachineSpec_To_v1alpha1_LinodeMachineSpec(in *v1
 out.FirewallID = in.FirewallID
 out.OSDisk = (*InstanceDisk)(unsafe.Pointer(in.OSDisk))
 out.DataDisks = *(*map[string]*InstanceDisk)(unsafe.Pointer(&in.DataDisks))
+ // WARNING: in.DiskEncryption requires manual conversion: does not exist in peer-type
 out.CredentialsRef = (*v1.SecretReference)(unsafe.Pointer(in.CredentialsRef))
 // WARNING: in.Configuration requires manual conversion: does not exist in peer-type
 // WARNING: in.PlacementGroupRef requires manual conversion: does not exist in peer-type
diff --git a/api/v1alpha2/linodemachine_types.go b/api/v1alpha2/linodemachine_types.go
index b3b52792b..e9fe6f6bc 100644
--- a/api/v1alpha2/linodemachine_types.go
+++ b/api/v1alpha2/linodemachine_types.go
@@ -76,6 +76,7 @@ type LinodeMachineSpec struct {
 DataDisks map[string]*InstanceDisk `json:"dataDisks,omitempty"`
 // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable"
 // +kubebuilder:validation:Enum=enabled;disabled
+ // +kubebuilder:default=enabled
 // DiskEncryption determines if the disks of the instance should be encrypted.
 DiskEncryption string `json:"diskEncryption,omitempty"`
diff --git a/api/v1alpha2/linodemachine_webhook.go b/api/v1alpha2/linodemachine_webhook.go
index 48d30ff40..4c0115370 100644
--- a/api/v1alpha2/linodemachine_webhook.go
+++ b/api/v1alpha2/linodemachine_webhook.go
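Review bot: The doc comment on DiskEncryption does not mention the new server-side default, so a reader of the Go type cannot tell that an omitted field now means `enabled`; suggest `// DiskEncryption determines if the disks of the instance should be encrypted. Defaults to enabled.`. Because CRD defaults are also applied to objects already stored without the field, existing LinodeMachines whose instances were created before this change will presumably read back as `enabled` while the `self == oldSelf` rule on the same field prevents changing it afterwards — worth confirming that this drift between spec and actual instance state is acceptable. The LinodeMachineSpec struct begins and ends outside the hunk.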
@@ -113,14 +113,8 @@ func (r *LinodeMachine) validateLinodeMachineSpec(ctx context.Context, client Li
 // TODO: instrument with tracing, might need refactor to preserve readibility
 var errs field.ErrorList
- if r.Spec.DiskEncryption == "enabled" {
- if err := validateRegion(ctx, client, r.Spec.Region, field.NewPath("spec").Child("region"), linodego.CapabilityDiskEncryption); err != nil {
- errs = append(errs, err)
- }
- } else {
- if err := validateRegion(ctx, client, r.Spec.Region, field.NewPath("spec").Child("region")); err != nil {
- errs = append(errs, err)
- }
+ if err := validateRegion(ctx, client, r.Spec.Region, field.NewPath("spec").Child("region")); err != nil {
+ errs = append(errs, err)
 }
 plan, err := validateLinodeType(ctx, client, r.Spec.Type, field.NewPath("spec").Child("type"))
 if err != nil {
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_linodemachines.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_linodemachines.yaml
index be1ce5d5c..9e00735c4 100644
--- a/config/crd/bases/infrastructure.cluster.x-k8s.io_linodemachines.yaml
+++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_linodemachines.yaml
@@ -522,6 +522,7 @@ spec:
 The sum of these disks + the OSDisk must not be more than allowed on a linodes plan
 type: object
 diskEncryption:
+ default: enabled
 description: DiskEncryption determines if the disks of the
 instance should be encrypted.
 enum:
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_linodemachinetemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_linodemachinetemplates.yaml
index 65cdb94d2..d6c839c3d 100644
--- a/config/crd/bases/infrastructure.cluster.x-k8s.io_linodemachinetemplates.yaml
+++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_linodemachinetemplates.yaml
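Review bot: The rewritten validation no longer checks that the region supports disk encryption, while the companion change in linodemachine_types.go makes `enabled` the default, so every LinodeMachine that omits diskEncryption now requests encryption in regions that may lack the capability without the webhook rejecting it. Whether that ends in an API error at instance creation or in an instance quietly provisioned with unencrypted disks depends on controller code outside this diff, and the immutable `self == oldSelf` rule on the field means the user cannot correct the spec afterwards in either case. If a fallback to unencrypted disks is intended, the controller should surface it (a condition or event) so that spec `enabled` never silently means unencrypted; otherwise keeping `linodego.CapabilityDiskEncryption` in the `validateRegion` call for the `enabled` case is the smaller change. validateLinodeMachineSpec begins and ends outside the hunk.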
@@ -386,6 +386,17 @@ spec:
 DataDisks is a map of any additional disks to add to an instance,
 The sum of these disks + the OSDisk must not be more than allowed on a linodes plan
 type: object
+ diskEncryption:
+ default: enabled
+ description: DiskEncryption determines if the disks of the
+ instance should be encrypted.
+ enum:
+ - enabled
+ - disabled
+ type: string
+ x-kubernetes-validations:
+ - message: Value is immutable
+ rule: self == oldSelf
 firewallID:
 type: integer
 x-kubernetes-validations:
diff --git a/docs/src/topics/getting-started.md b/docs/src/topics/getting-started.md
index e25c98770..0d9e2ba5e 100644
--- a/docs/src/topics/getting-started.md
+++ b/docs/src/topics/getting-started.md
@@ -32,9 +32,12 @@ export LINODE_MACHINE_TYPE=g6-standard-2
 For Regions and Images that do not yet support Akamai's cloud-init datasource CAPL will automatically use a stackscript shim to provision the node. If you are using a custom image ensure the [cloud_init](https://www.linode.com/docs/api/images/#image-create) flag is set correctly on it
 ```
-```admonish warning
-By default, clusters are provisioned within VPC. For Regions which do not have [VPC support](https://www.linode.com/docs/products/networking/vpc/#availability) yet, use the [VPCLess](./flavors/vpcless.md) flavor to have clusters provisioned.
+~~~admonish warning
+By default, clusters are provisioned within VPC with disk encryption enabled. For Regions which do not have [VPC support](https://www.linode.com/docs/products/networking/vpc/#availability) yet, use the [VPCLess](./flavors/vpcless.md) flavor to have clusters provisioned. For disabling disk encryption, set the disk encryption envionment variable:
+```
+export LINODE_DISK_ENCYPTION=disabled
 ```
+~~~
 ## Install CAPL on your management cluster
 ```admonish warning
diff --git a/templates/infra/linodeMachineTemplate.yaml b/templates/infra/linodeMachineTemplate.yaml
index 16b213cf5..b69747e10 100644
--- a/templates/infra/linodeMachineTemplate.yaml
+++ b/templates/infra/linodeMachineTemplate.yaml
@@ -9,6 +9,7 @@ spec:
 image: ${LINODE_OS:="linode/ubuntu22.04"}
 type: ${LINODE_CONTROL_PLANE_MACHINE_TYPE}
 region: ${LINODE_REGION}
+ diskEncryption: ${LINODE_DISK_ENCRYPTION:=enabled}
 interfaces:
 - purpose: public
 authorizedKeys:
@@ -25,6 +26,7 @@ spec:
 image: ${LINODE_OS:="linode/ubuntu22.04"}
 type: ${LINODE_MACHINE_TYPE}
 region: ${LINODE_REGION}
+ diskEncryption: ${LINODE_DISK_ENCRYPTION:=enabled}
 interfaces:
 - purpose: public
 authorizedKeys:
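Review bot: The variable consumed here is `LINODE_DISK_ENCRYPTION`, but the documentation hunk in docs/src/topics/getting-started.md tells users to `export LINODE_DISK_ENCYPTION=disabled` (missing R), so anyone following the docs keeps the `enabled` default and gets encrypted disks while believing they opted out; the docs line should read `export LINODE_DISK_ENCRYPTION=disabled`. The same variable is read in both the control-plane and the worker hunks of this file, so one value governs both templates, which is worth stating in the docs as well. The `spec:` mapping each hunk edits continues outside the hunk.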