new: Add support for Linode Disk Encryption (#413)

Author: lgarber-akamai

linode_api4/groups/linode.py

@@ -1,8 +1,9 @@
 import base64
 import os
 from collections.abc import Iterable
+from typing import Optional, Union
 
-from linode_api4 import Profile
+from linode_api4 import InstanceDiskEncryptionType, Profile
 from linode_api4.common import SSH_KEY_TYPES, load_and_validate_keys
 from linode_api4.errors import UnexpectedResponseError
 from linode_api4.groups import Group
@@ -131,7 +132,15 @@ def kernels(self, *filters):
 
     # create things
     def instance_create(
-        self, ltype, region, image=None, authorized_keys=None, **kwargs
+        self,
+        ltype,
+        region,
+        image=None,
+        authorized_keys=None,
+        disk_encryption: Optional[
+            Union[InstanceDiskEncryptionType, str]
+        ] = None,
+        **kwargs,
     ):
         """
         Creates a new Linode Instance. This function has several modes of operation:
@@ -266,6 +275,8 @@ def instance_create(
         :type metadata: dict
         :param firewall: The firewall to attach this Linode to.
         :type firewall: int or Firewall
+        :param disk_encryption: The disk encryption policy for this Linode.
+        :type disk_encryption: InstanceDiskEncryptionType or str
         :param interfaces: An array of Network Interfaces to add to this Linode’s Configuration Profile.
                            At least one and up to three Interface objects can exist in this array.
         :type interfaces: list[ConfigInterface] or list[dict[str, Any]]
@@ -326,6 +337,9 @@ def instance_create(
             "authorized_keys": authorized_keys,
         }
 
+        if disk_encryption is not None:
+            params["disk_encryption"] = str(disk_encryption)
+
         params.update(kwargs)
 
         result = self.client.post("/linode/instances", data=params)

linode_api4/objects/linode.py

@@ -22,12 +22,25 @@
 from linode_api4.objects.base import MappedObject
 from linode_api4.objects.filtering import FilterableAttribute
 from linode_api4.objects.networking import IPAddress, IPv6Range, VPCIPAddress
+from linode_api4.objects.serializable import StrEnum
 from linode_api4.objects.vpc import VPC, VPCSubnet
 from linode_api4.paginated_list import PaginatedList
 
 PASSWORD_CHARS = string.ascii_letters + string.digits + string.punctuation
 
 
+class InstanceDiskEncryptionType(StrEnum):
+    """
+    InstanceDiskEncryptionType defines valid values for the
+    Instance(...).disk_encryption field.
+
+    API Documentation: TODO
+    """
+
+    enabled = "enabled"
+    disabled = "disabled"
+
+
 class Backup(DerivedBase):
     """
     A Backup of a Linode Instance.
@@ -114,6 +127,7 @@ class Disk(DerivedBase):
         "filesystem": Property(),
         "updated": Property(is_datetime=True),
         "linode_id": Property(identifier=True),
+        "disk_encryption": Property(),
     }
 
     def duplicate(self):
@@ -650,6 +664,8 @@ class Instance(Base):
         "host_uuid": Property(),
         "watchdog_enabled": Property(mutable=True),
         "has_user_data": Property(),
+        "disk_encryption": Property(),
+        "lke_cluster_id": Property(),
     }
 
     @property
@@ -1343,7 +1359,16 @@ def ip_allocate(self, public=False):
         i = IPAddress(self._client, result["address"], result)
         return i
 
-    def rebuild(self, image, root_pass=None, authorized_keys=None, **kwargs):
+    def rebuild(
+        self,
+        image,
+        root_pass=None,
+        authorized_keys=None,
+        disk_encryption: Optional[
+            Union[InstanceDiskEncryptionType, str]
+        ] = None,
+        **kwargs,
+    ):
         """
         Rebuilding an Instance deletes all existing Disks and Configs and deploys
         a new :any:`Image` to it.  This can be used to reset an existing
@@ -1361,6 +1386,8 @@ def rebuild(self, image, root_pass=None, authorized_keys=None, **kwargs):
                                 be a single key, or a path to a file containing
                                 the key.
         :type authorized_keys: list or str
+        :param disk_encryption: The disk encryption policy for this Linode.
+        :type disk_encryption: InstanceDiskEncryptionType or str
 
         :returns: The newly generated password, if one was not provided
                   (otherwise True)
@@ -1378,6 +1405,10 @@ def rebuild(self, image, root_pass=None, authorized_keys=None, **kwargs):
             "root_pass": root_pass,
             "authorized_keys": authorized_keys,
         }
+
+        if disk_encryption is not None:
+            params["disk_encryption"] = str(disk_encryption)
+
         params.update(kwargs)
 
         result = self._client.post(
@@ -1683,6 +1714,22 @@ def stats(self):
             "{}/stats".format(Instance.api_endpoint), model=self
         )
 
+    @property
+    def lke_cluster(self) -> Optional["LKECluster"]:
+        """
+        Returns the LKE Cluster this Instance is a node of.
+
+        :returns: The LKE Cluster this Instance is a node of.
+        :rtype: Optional[LKECluster]
+        """
+
+        # Local import to prevent circular dependency
+        from linode_api4.objects.lke import (  # pylint: disable=import-outside-toplevel
+            LKECluster,
+        )
+
+        return LKECluster(self._client, self.lke_cluster_id)
+
     def stats_for(self, dt):
         """
         Returns stats for the month containing the given datetime

linode_api4/objects/lke.py

@@ -127,6 +127,7 @@ class LKENodePool(DerivedBase):
         "cluster_id": Property(identifier=True),
         "type": Property(slug_relationship=Type),
         "disks": Property(),
+        "disk_encryption": Property(),
         "count": Property(mutable=True),
         "nodes": Property(
             volatile=True

linode_api4/objects/serializable.py

@@ -1,5 +1,6 @@
 import inspect
 from dataclasses import dataclass
+from enum import Enum
 from types import SimpleNamespace
 from typing import (
     Any,
@@ -223,3 +224,22 @@ def __delitem__(self, key):
 
     def __len__(self):
         return len(vars(self))
+
+
+class StrEnum(str, Enum):
+    """
+    Used for enums that are of type string, which is necessary
+    for implicit JSON serialization.
+
+    NOTE: Replace this with StrEnum once Python 3.10 has been EOL'd.
+    See: https://docs.python.org/3/library/enum.html#enum.StrEnum
+    """
+
+    def __new__(cls, *values):
+        value = str(*values)
+        member = str.__new__(cls, value)
+        member._value_ = value
+        return member
+
+    def __str__(self):
+        return self._value_

test/fixtures/linode_instances.json

@@ -40,7 +40,9 @@
       "image": "linode/ubuntu17.04",
       "tags": ["something"],
       "host_uuid": "3a3ddd59d9a78bb8de041391075df44de62bfec8",
-      "watchdog_enabled": true
+      "watchdog_enabled": true,
+      "disk_encryption": "disabled",
+      "lke_cluster_id": null
     },
     {
       "group": "test",
@@ -79,7 +81,9 @@
       "image": "linode/debian9",
       "tags": [],
       "host_uuid": "3a3ddd59d9a78bb8de041391075df44de62bfec8",
-      "watchdog_enabled": false
+      "watchdog_enabled": false,
+      "disk_encryption": "enabled",
+      "lke_cluster_id": 18881
     }
   ]
 }

test/fixtures/linode_instances_123_disks.json

@@ -10,7 +10,8 @@
       "id": 12345,
       "updated": "2017-01-01T00:00:00",
       "label": "Ubuntu 17.04 Disk",
-      "created": "2017-01-01T00:00:00"
+      "created": "2017-01-01T00:00:00",
+      "disk_encryption": "disabled"
     },
     {
       "size": 512,
@@ -19,7 +20,8 @@
       "id": 12346,
       "updated": "2017-01-01T00:00:00",
       "label": "512 MB Swap Image",
-      "created": "2017-01-01T00:00:00"
+      "created": "2017-01-01T00:00:00",
+      "disk_encryption": "disabled"
     }
   ]
 }

test/fixtures/linode_instances_123_disks_12345_clone.json

@@ -5,6 +5,7 @@
     "id": 12345,
     "updated": "2017-01-01T00:00:00",
     "label": "Ubuntu 17.04 Disk",
-    "created": "2017-01-01T00:00:00"
+    "created": "2017-01-01T00:00:00",
+    "disk_encryption": "disabled"
   }
 

test/fixtures/lke_clusters_18881_nodes_123456.json

@@ -1,5 +1,5 @@
 {
     "id": "123456",
-    "instance_id": 123458,
+    "instance_id": 456,
     "status": "ready"
   }

test/fixtures/lke_clusters_18881_pools_456.json

@@ -23,5 +23,6 @@
       "example tag",
       "another example"
     ],
-    "type": "g6-standard-4"
+    "type": "g6-standard-4",
+    "disk_encryption": "enabled"
   }

test/integration/helpers.py

@@ -79,12 +79,14 @@ def wait_for_condition(
 
 
 # Retry function to help in case of requests sending too quickly before instance is ready
-def retry_sending_request(retries: int, condition: Callable, *args) -> object:
+def retry_sending_request(
+    retries: int, condition: Callable, *args, **kwargs
+) -> object:
     curr_t = 0
     while curr_t < retries:
         try:
             curr_t += 1
-            res = condition(*args)
+            res = condition(*args, **kwargs)
             return res
         except ApiError:
             if curr_t >= retries:

test/integration/models/linode/test_linode.py

@@ -1,4 +1,5 @@
 import time
+from test.integration.conftest import get_region
 from test.integration.helpers import (
     get_test_label,
     retry_sending_request,
@@ -19,7 +20,7 @@
     Instance,
     Type,
 )
-from linode_api4.objects.linode import MigrationType
+from linode_api4.objects.linode import InstanceDiskEncryptionType, MigrationType
 
 
 @pytest.fixture(scope="session")
@@ -137,6 +138,30 @@ def create_linode_for_long_running_tests(test_linode_client):
     linode_instance.delete()
 
 
+@pytest.fixture(scope="function")
+def linode_with_disk_encryption(test_linode_client, request):
+    client = test_linode_client
+
+    target_region = get_region(client, {"Disk Encryption"})
+    timestamp = str(time.time_ns())
+    label = "TestSDK-" + timestamp
+
+    disk_encryption = request.param
+
+    linode_instance, password = client.linode.instance_create(
+        "g6-nanode-1",
+        target_region,
+        image="linode/ubuntu23.04",
+        label=label,
+        booted=False,
+        disk_encryption=disk_encryption,
+    )
+
+    yield linode_instance
+
+    linode_instance.delete()
+
+
 # Test helper
 def get_status(linode: Instance, status: str):
     return linode.status == status
@@ -165,8 +190,7 @@ def test_linode_transfer(test_linode_client, linode_with_volume_firewall):
 
 def test_linode_rebuild(test_linode_client):
     client = test_linode_client
-    available_regions = client.regions()
-    chosen_region = available_regions[4]
+    chosen_region = get_region(client, {"Disk Encryption"})
     label = get_test_label() + "_rebuild"
 
     linode, password = client.linode.instance_create(
@@ -175,12 +199,18 @@ def test_linode_rebuild(test_linode_client):
 
     wait_for_condition(10, 100, get_status, linode, "running")
 
-    retry_sending_request(3, linode.rebuild, "linode/debian10")
+    retry_sending_request(
+        3,
+        linode.rebuild,
+        "linode/debian10",
+        disk_encryption=InstanceDiskEncryptionType.disabled,
+    )
 
     wait_for_condition(10, 100, get_status, linode, "rebuilding")
 
     assert linode.status == "rebuilding"
     assert linode.image.id == "linode/debian10"
+    assert linode.disk_encryption == InstanceDiskEncryptionType.disabled
 
     wait_for_condition(10, 300, get_status, linode, "running")
 
@@ -383,6 +413,18 @@ def test_linode_volumes(linode_with_volume_firewall):
     assert "test" in volumes[0].label
 
 
+@pytest.mark.parametrize(
+    "linode_with_disk_encryption", ["disabled"], indirect=True
+)
+def test_linode_with_disk_encryption_disabled(linode_with_disk_encryption):
+    linode = linode_with_disk_encryption
+
+    assert linode.disk_encryption == InstanceDiskEncryptionType.disabled
+    assert (
+        linode.disks[0].disk_encryption == InstanceDiskEncryptionType.disabled
+    )
+
+
 def wait_for_disk_status(disk: Disk, timeout):
     start_time = time.time()
     while True: