linode · prajwalvathreya · Nov 13, 2024 · Oct 29, 2024 · Oct 29, 2024 · Oct 29, 2024
diff --git a/helm-chart/csi-driver/templates/linode-block-storage-retain.yaml b/helm-chart/csi-driver/templates/linode-block-storage-retain.yaml
@@ -7,10 +7,13 @@ metadata:
   annotations:
     storageclass.kubernetes.io/is-default-class: "true"
 {{- end }}
-{{- if .Values.volumeTags }}
 parameters:
+{{- if .Values.volumeTags }}
   linodebs.csi.linode.com/volumeTags: {{ join "," .Values.volumeTags }}
 {{- end}}
+{{- if .Values.volumeEncryption }}
+  linodebs.csi.linode.com/encrypted: "true"
+{{- end}}
 allowVolumeExpansion: true
 provisioner: linodebs.csi.linode.com
 reclaimPolicy: Retain
diff --git a/helm-chart/csi-driver/templates/linode-block-storage.yaml b/helm-chart/csi-driver/templates/linode-block-storage.yaml
@@ -7,9 +7,12 @@ metadata:
   annotations:
     storageclass.kubernetes.io/is-default-class: "true"
 {{- end }}
-{{- if .Values.volumeTags }}
 parameters:
+{{- if .Values.volumeTags }}
   linodebs.csi.linode.com/volumeTags: {{ join "," .Values.volumeTags }}
 {{- end}}
+{{- if .Values.volumeEncryption }}
+  linodebs.csi.linode.com/encrypted: "true"
+{{- end}}
 allowVolumeExpansion: true
 provisioner: linodebs.csi.linode.com
@@ -11,6 +11,9 @@ enableMetrics: false
 # default metrics address port
 metricsPort: 8081
 
+# enable encryption for volumes by default
+volumeEncryption: false
+
 # (OPTIONAL) Label prefix for the Linode Block Storage volumes created by this driver.
 volumeLabelPrefix: ""
 

@@ -93,7 +93,7 @@ func (cs *ControllerServer) CreateVolume(ctx context.Context, req *csi.CreateVol
 	}
 
 	// Create the volume
-	vol, err := cs.createAndWaitForVolume(ctx, volName, sizeGB, req.GetParameters()[VolumeTags], sourceVolInfo, accessibilityRequirements)
+	vol, err := cs.createAndWaitForVolume(ctx, volName, req.GetParameters()[VolumeTags], req.GetParameters()[VolumeEncryption], sizeGB, sourceVolInfo, accessibilityRequirements)
 	if err != nil {
 		metrics.RecordMetrics(metrics.ControllerCreateVolumeTotal, metrics.ControllerCreateVolumeDuration, metrics.Failed, functionStartTime)
 		return &csi.CreateVolumeResponse{}, err

@@ -80,6 +80,9 @@ const (
 	// devicePathKey is the key used in the publish context map when a volume is
 	// published/attached to an instance.
 	devicePathKey = "devicePath"
+
+	// volumeEncryption is the key used in the context map for encryption
+	VolumeEncryption = Name + "/encrypted"
 )
 
 // canAttach indicates whether or not another volume can be attached to the
@@ -186,7 +189,7 @@ func (cs *ControllerServer) getContentSourceVolume(ctx context.Context, contentS
 // attemptCreateLinodeVolume creates a Linode volume while ensuring idempotency.
 // It checks for existing volumes with the same label and either returns the existing
 // volume or creates a new one, optionally cloning from a source volume.
-func (cs *ControllerServer) attemptCreateLinodeVolume(ctx context.Context, label string, sizeGB int, tags string, sourceVolume *linodevolumes.LinodeVolumeKey, accessibilityRequirements *csi.TopologyRequirement) (*linodego.Volume, error) {
+func (cs *ControllerServer) attemptCreateLinodeVolume(ctx context.Context, label, tags, volumeEncryption string, sizeGB int, sourceVolume *linodevolumes.LinodeVolumeKey, accessibilityRequirements *csi.TopologyRequirement) (*linodego.Volume, error) {
 	log := logger.GetLogger(ctx)
 	log.V(4).Info("Attempting to create Linode volume", "label", label, "sizeGB", sizeGB, "tags", tags)
 
@@ -216,7 +219,7 @@ func (cs *ControllerServer) attemptCreateLinodeVolume(ctx context.Context, label
 		return cs.cloneLinodeVolume(ctx, label, sourceVolume.VolumeID)
 	}
 
-	return cs.createLinodeVolume(ctx, label, sizeGB, tags, accessibilityRequirements)
+	return cs.createLinodeVolume(ctx, label, tags, volumeEncryption, sizeGB, accessibilityRequirements)
 }
 
 // Helper function to extract region from topology
@@ -237,7 +240,7 @@ func getRegionFromTopology(requirements *csi.TopologyRequirement) string {
 
 // createLinodeVolume creates a new Linode volume with the specified label, size, and tags.
 // It returns the created volume or an error if the creation fails.
-func (cs *ControllerServer) createLinodeVolume(ctx context.Context, label string, sizeGB int, tags string, accessibilityRequirements *csi.TopologyRequirement) (*linodego.Volume, error) {
+func (cs *ControllerServer) createLinodeVolume(ctx context.Context, label, tags, volumeEncryption string, sizeGB int, accessibilityRequirements *csi.TopologyRequirement) (*linodego.Volume, error) {
 	log := logger.GetLogger(ctx)
 	log.V(4).Info("Creating Linode volume", "label", label, "sizeGB", sizeGB, "tags", tags)
 
@@ -250,11 +253,27 @@ func (cs *ControllerServer) createLinodeVolume(ctx context.Context, label string
 		}
 	}
 
+	// Check encryption status and if it's supported in the specified region.
+	var encryptionStatus string
+	if volumeEncryption == True {
+		supported, err := cs.isEncryptionSupported(ctx, region)
+		if err != nil {
+			return nil, err
+		}
+		if !supported {
+			return nil, errInternal("Volume encryption is not supported in the %s region", region)
+		}
+		encryptionStatus = "enabled"
+	} else {
+		encryptionStatus = "disabled"
+	}
+
 	// Prepare the volume creation request with region, label, and size.
 	volumeReq := linodego.VolumeCreateOptions{
-		Region: region,
-		Label:  label,
-		Size:   sizeGB,
+		Region:     region,
+		Label:      label,
+		Size:       sizeGB,
+		Encryption: encryptionStatus,
 	}
 
 	// If tags are provided, split them into a slice for the request.
@@ -272,6 +291,36 @@ func (cs *ControllerServer) createLinodeVolume(ctx context.Context, label string
 	return result, nil
 }
 
+// isEncryptionSupported is a helper function that checks if the specified region supports volume encryption.
+// It returns true or false based on the support for encryption in that region.
+func (cs *ControllerServer) isEncryptionSupported(ctx context.Context, region string) (bool, error) {
+	log := logger.GetLogger(ctx)
+	log.V(4).Info("Checking if encryption is supported for region", "region", region)
+
+	// Fetch the list of regions from the Linode API
+	regions, err := cs.client.ListRegions(ctx, nil)
+	if err != nil {
+		return false, errInternal("failed to fetch regions: %v", err)
+	}
+
+	// Look for the specified region and check if encryption is supported.
+	for i := range regions {
+		r := &regions[i]
+		if r.ID == region {
+			for _, capability := range r.Capabilities {
+				if capability == "Block Storage Encryption" { // https://techdocs.akamai.com/linode-api/reference/get-regions
+					return true, nil
+				}
+			}
+			break
+		}
+	}
+
+	// If the region was found but does not support encryption, return false
+	log.V(4).Info("Encryption not supported in the specified region", "region", region)
+	return false, nil
+}
+
 // cloneLinodeVolume clones a Linode volume using the specified source ID and label.
 // It returns the cloned volume or an error if the cloning fails.
 func (cs *ControllerServer) cloneLinodeVolume(ctx context.Context, label string, sourceID int) (*linodego.Volume, error) {
@@ -448,12 +497,12 @@ func (cs *ControllerServer) createVolumeContext(ctx context.Context, req *csi.Cr
 
 // createAndWaitForVolume attempts to create a new volume and waits for it to become active.
 // It logs the process and handles any errors that occur during creation or waiting.
-func (cs *ControllerServer) createAndWaitForVolume(ctx context.Context, name string, sizeGB int, tags string, sourceInfo *linodevolumes.LinodeVolumeKey, accessibilityRequirements *csi.TopologyRequirement) (*linodego.Volume, error) {
+func (cs *ControllerServer) createAndWaitForVolume(ctx context.Context, name, tags, volumeEncryption string, sizeGB int, sourceInfo *linodevolumes.LinodeVolumeKey, accessibilityRequirements *csi.TopologyRequirement) (*linodego.Volume, error) {
 	log := logger.GetLogger(ctx)
 	log.V(4).Info("Entering createAndWaitForVolume()", "name", name, "sizeGB", sizeGB, "tags", tags)
 	defer log.V(4).Info("Exiting createAndWaitForVolume()")
 
-	vol, err := cs.attemptCreateLinodeVolume(ctx, name, sizeGB, tags, sourceInfo, accessibilityRequirements)
+	vol, err := cs.attemptCreateLinodeVolume(ctx, name, tags, volumeEncryption, sizeGB, sourceInfo, accessibilityRequirements)
 	if err != nil {
 		return nil, err
 	}
@@ -649,8 +698,31 @@ func (cs *ControllerServer) attachVolume(ctx context.Context, volumeID, linodeID
 	log.V(4).Info("Entering attachVolume()", "volume_id", volumeID, "node_id", linodeID)
 	defer log.V(4).Info("Exiting attachVolume()")
 
+	// Get the details of the volume to check for attachment possibilities
+	volume, err := cs.client.GetVolume(ctx, volumeID)
+	if err != nil {
+		return status.Errorf(codes.Internal, "failed to retrieve volume details: %v", err)
+	}
+
+	// Check if the volume is encrypted
+	isEncrypted := volume.Encryption == "enabled"
+	var linode *linodego.Instance
+
+	// If the volume is encrypted, get the details of the Linode instance and check region compatibility
+	if isEncrypted {
+		linode, err = cs.client.GetInstance(ctx, linodeID)
+		if err != nil {
+			return status.Errorf(codes.Internal, "failed to retrieve Linode instance details: %v", err)
+		}
+
+		// Ensure the encrypted volume and Linode are in the same region
+		if volume.Region != linode.Region {
+			return status.Errorf(codes.FailedPrecondition, "encrypted volume and Linode instance must be in the same region for attachment")
+		}
+	}
+
 	persist := false
-	_, err := cs.client.AttachVolume(ctx, volumeID, &linodego.VolumeAttachOptions{
+	_, err = cs.client.AttachVolume(ctx, volumeID, &linodego.VolumeAttachOptions{
 		LinodeID:           linodeID,
 		PersistAcrossBoots: &persist,
 	})

@@ -237,14 +237,15 @@ func TestCreateAndWaitForVolume(t *testing.T) {
 	}
 
 	testCases := []struct {
-		name           string
-		volumeName     string
-		sizeGB         int
-		tags           string
-		sourceInfo     *linodevolumes.LinodeVolumeKey
-		setupMocks     func()
-		expectedVolume *linodego.Volume
-		expectedError  error
+		name             string
+		volumeName       string
+		sizeGB           int
+		tags             string
+		volumeEncryption string
+		sourceInfo       *linodevolumes.LinodeVolumeKey
+		setupMocks       func()
+		expectedVolume   *linodego.Volume
+		expectedError    error
 	}{
 		{
 			name:       "Successful volume creation",
@@ -321,7 +322,7 @@ func TestCreateAndWaitForVolume(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			tc.setupMocks()
 
-			volume, err := cs.createAndWaitForVolume(context.Background(), tc.volumeName, tc.sizeGB, tc.tags, tc.sourceInfo, topology)
+			volume, err := cs.createAndWaitForVolume(context.Background(), tc.volumeName, tc.tags, tc.volumeEncryption, tc.sizeGB, tc.sourceInfo, topology)
 
 			if err != nil && !reflect.DeepEqual(tc.expectedError, err) {
 				if tc.expectedError != nil {
@@ -1006,6 +1007,7 @@ func TestAttachVolume(t *testing.T) {
 			volumeID: 123,
 			linodeID: 456,
 			setupMocks: func() {
+				mockClient.EXPECT().GetVolume(gomock.Any(), 123).Return(&linodego.Volume{}, nil)
 				mockClient.EXPECT().AttachVolume(gomock.Any(), 123, gomock.Any()).Return(&linodego.Volume{}, nil)
 			},
 			expectedError: nil,
@@ -1015,6 +1017,7 @@ func TestAttachVolume(t *testing.T) {
 			volumeID: 789,
 			linodeID: 101,
 			setupMocks: func() {
+				mockClient.EXPECT().GetVolume(gomock.Any(), 789).Return(&linodego.Volume{}, nil)
 				mockClient.EXPECT().AttachVolume(gomock.Any(), 789, gomock.Any()).Return(nil, &linodego.Error{Message: "Volume 789 is already attached"})
 			},
 			expectedError: status.Error(codes.Unavailable, "attach volume: [000] Volume 789 is already attached"),
@@ -1024,6 +1027,7 @@ func TestAttachVolume(t *testing.T) {
 			volumeID: 202,
 			linodeID: 303,
 			setupMocks: func() {
+				mockClient.EXPECT().GetVolume(gomock.Any(), 202).Return(&linodego.Volume{}, nil)
 				mockClient.EXPECT().AttachVolume(gomock.Any(), 202, gomock.Any()).Return(nil, errors.New("API error"))
 			},
 			expectedError: status.Error(codes.Internal, "attach volume: API error"),

@@ -212,11 +212,11 @@ func TestControllerPublishVolume(t *testing.T) {
 			},
 			expectLinodeClientCalls: func(m *mocks.MockLinodeClient) {
 				m.EXPECT().GetInstance(gomock.Any(), gomock.Any()).Return(&linodego.Instance{ID: 1003, Specs: &linodego.InstanceSpec{Memory: 16 << 10}}, nil)
+				m.EXPECT().GetVolume(gomock.Any(), gomock.Any()).Return(&linodego.Volume{ID: 1001, LinodeID: createLinodeID(1003), Size: 10, Status: linodego.VolumeActive}, nil).AnyTimes()
 				m.EXPECT().WaitForVolumeLinodeID(gomock.Any(), 630706045, gomock.Any(), gomock.Any()).Return(&linodego.Volume{ID: 1001, LinodeID: createLinodeID(1003), Size: 10, Status: linodego.VolumeActive}, nil)
 				m.EXPECT().AttachVolume(gomock.Any(), 630706045, gomock.Any()).Return(&linodego.Volume{ID: 1001, LinodeID: createLinodeID(1003), Size: 10, Status: linodego.VolumeActive}, nil)
 				m.EXPECT().ListInstanceVolumes(gomock.Any(), 1003, gomock.Any()).Return([]linodego.Volume{{ID: 1001, LinodeID: createLinodeID(1003), Size: 10, Status: linodego.VolumeActive}}, nil)
 				m.EXPECT().ListInstanceDisks(gomock.Any(), 1003, gomock.Any()).Return([]linodego.InstanceDisk{}, nil)
-				m.EXPECT().GetVolume(gomock.Any(), gomock.Any()).Return(&linodego.Volume{ID: 1001, LinodeID: createLinodeID(1003), Size: 10, Status: linodego.VolumeActive}, nil)
 			},
 			expectedError: nil,
 		},
@@ -623,6 +623,10 @@ func (c *fakeLinodeClient) ListInstanceDisks(_ context.Context, _ int, _ *linode
 	return c.disks, nil
 }
 
+func (flc *fakeLinodeClient) ListRegions(_ context.Context, _ *linodego.ListOptions) ([]linodego.Region, error) {
+	return []linodego.Region{}, nil
+}
+
 //nolint:nilnil // TODO: re-work tests
 func (flc *fakeLinodeClient) GetInstance(context.Context, int) (*linodego.Instance, error) {
 	return nil, nil

@@ -52,6 +52,7 @@ func TestDriverSuite(t *testing.T) {
 		Memory: 4 << 30, // 4GiB
 	}
 	linodeDriver := GetLinodeDriver(context.Background())
+	// variables that are picked up from the environment
 	enableMetrics := "true"
 	metricsPort := "10251"
 	if err := linodeDriver.SetupLinodeDriver(context.Background(), fakeCloudProvider, mounter, deviceUtils, md, driver, vendorVersion, bsPrefix, encrypt, enableMetrics, metricsPort); err != nil {

@@ -14,6 +14,7 @@ type LinodeClient interface {
 	ListVolumes(context.Context, *linodego.ListOptions) ([]linodego.Volume, error)
 	ListInstanceVolumes(ctx context.Context, instanceID int, options *linodego.ListOptions) ([]linodego.Volume, error)
 	ListInstanceDisks(ctx context.Context, instanceID int, options *linodego.ListOptions) ([]linodego.InstanceDisk, error)
+	ListRegions(context.Context, *linodego.ListOptions) ([]linodego.Region, error)
 
 	GetInstance(context.Context, int) (*linodego.Instance, error)
 	GetVolume(context.Context, int) (*linodego.Volume, error)