feat(storage): add encryption support (#282)

Author: kangasta

CHANGELOG.md

@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Support for storage encryption to storage `create`, `clone`, `show`, and `list` commands as well as server `create` and `show` commands.
+
+### Removed
+
+- From human output of `storage list`, _Created_ column. This field is still available in the machine readable outputs.
+
 ## [3.2.2] - 2024-01-02
 
 ### Added

go.mod

@@ -4,7 +4,7 @@ go 1.20
 
 require (
 	github.com/UpCloudLtd/progress v1.0.2
-	github.com/UpCloudLtd/upcloud-go-api/v6 v6.11.0
+	github.com/UpCloudLtd/upcloud-go-api/v6 v6.12.0
 	github.com/adrg/xdg v0.3.2
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d
 	github.com/gemalto/flume v0.12.0

go.sum

@@ -17,8 +17,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/UpCloudLtd/progress v1.0.2 h1:CTr1bBuFuXop9TEhR1PakbUMPTlUVL7Bgae9JgqXwPg=
 github.com/UpCloudLtd/progress v1.0.2/go.mod h1:iGxOnb9HvHW0yrLGUjHr0lxHhn7TehgWwh7a8NqK6iQ=
-github.com/UpCloudLtd/upcloud-go-api/v6 v6.11.0 h1:8KvsimMoPPBx8IVebtHJHavrJPoJfNL5jsyW4TAC5m4=
-github.com/UpCloudLtd/upcloud-go-api/v6 v6.11.0/go.mod h1:I8rWmBBl+OhiY3AGzKbrobiE5TsLCLNYkCQxE4eJcTg=
+github.com/UpCloudLtd/upcloud-go-api/v6 v6.12.0 h1:Qol8WuStmqWTXO8Hfel6FjCgLOZ98MGVCvg3ExcEs68=
+github.com/UpCloudLtd/upcloud-go-api/v6 v6.12.0/go.mod h1:I8rWmBBl+OhiY3AGzKbrobiE5TsLCLNYkCQxE4eJcTg=
 github.com/adrg/xdg v0.3.2 h1:GUSGQ5pHdev83AYhDSS1A/CX+0JIsxbiWtow2DSA+RU=
 github.com/adrg/xdg v0.3.2/go.mod h1:7I2hH/IT30IsupOpKZ5ue7/qNi3CoKzD6tL3HwpaRMQ=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=

internal/commands/server/create.go

@@ -57,10 +57,11 @@ var defaultCreateParams = &createParams{
 
 type createParams struct {
 	request.CreateServerRequest
-	firewall      bool
-	metadata      bool
-	os            string
-	osStorageSize int
+	firewall           bool
+	metadata           bool
+	os                 string
+	osStorageSize      int
+	osStorageEncrypted config.OptionalBoolean
 
 	labels   []string
 	storages []string
@@ -110,6 +111,10 @@ func (s *createParams) processParams(exec commands.Executor) error {
 		s.StorageDevices[0].Size = s.osStorageSize
 	}
 
+	if s.osStorageEncrypted.Value() {
+		s.StorageDevices[0].Encrypted = s.osStorageEncrypted.AsUpcloudBoolean()
+	}
+
 	if s.LoginUser == nil {
 		s.LoginUser = &request.LoginUser{}
 	}
@@ -130,6 +135,8 @@ func (s *createParams) processParams(exec commands.Executor) error {
 }
 
 func (s *createParams) handleStorage(in string, exec commands.Executor) (*request.CreateServerStorageDevice, error) {
+	var encryptedRaw string
+
 	sd := &request.CreateServerStorageDevice{}
 	fs := &pflag.FlagSet{}
 	args, err := commands.Parse(in)
@@ -138,6 +145,7 @@ func (s *createParams) handleStorage(in string, exec commands.Executor) (*reques
 	}
 	fs.StringVar(&sd.Action, "action", sd.Action, "")
 	fs.StringVar(&sd.Address, "address", sd.Address, "")
+	fs.StringVar(&encryptedRaw, "encrypt", encryptedRaw, "")
 	fs.StringVar(&sd.Storage, "storage", sd.Storage, "")
 	fs.StringVar(&sd.Type, "type", sd.Type, "")
 	fs.StringVar(&sd.Tier, "tier", sd.Tier, "")
@@ -148,6 +156,10 @@ func (s *createParams) handleStorage(in string, exec commands.Executor) (*reques
 		return nil, err
 	}
 
+	if encrypted, err := commands.BoolFromString(encryptedRaw); err == nil {
+		sd.Encrypted = *encrypted
+	}
+
 	if sd.Action != request.CreateServerStorageDeviceActionCreate {
 		if sd.Storage == "" {
 			return nil, fmt.Errorf("storage UUID or Title must be provided for %s operation", sd.Action)
@@ -258,6 +270,7 @@ func (s *createCommand) InitCommand() {
 	fs.StringArrayVar(&s.params.networks, "network", def.networks, "A network interface for the server, multiple can be declared.\nUsage: --network family=IPv4,type=public\n\n--network type=private,network=037a530b-533e-4cef-b6ad-6af8094bb2bc,ip-address=10.0.0.1")
 	fs.StringVar(&s.params.os, "os", def.os, "Server OS to use (will be the first storage device). The value should be title or UUID of an either public or private template. Set to empty to fully customise the storages.")
 	fs.IntVar(&s.params.osStorageSize, "os-storage-size", def.osStorageSize, "OS storage size in GiB. This is only applicable if `os` is also set. Zero value makes the disk equal to the minimum size of the template.")
+	config.AddToggleFlag(fs, &s.params.osStorageEncrypted, "os-storage-encrypt", false, "Encrypt the OS storage. This is only applicable if `os` is also set.")
 	fs.StringVar(&s.params.PasswordDelivery, "password-delivery", def.PasswordDelivery, "Defines how password is delivered. Available: email, sms")
 	fs.StringVar(&s.params.Plan, "plan", def.Plan, "Server plan name. See \"server plans\" command for valid plans. Set to \"custom\" and use `cores` and `memory` options for flexible plan.")
 	fs.StringVar(&s.params.RemoteAccessPassword, "remote-access-password", def.RemoteAccessPassword, "Defines the remote access password.")

internal/commands/server/create_test.go

@@ -266,8 +266,9 @@ func TestCreateServer(t *testing.T) {
 				"--hostname", "example.com",
 				"--title", "test-server",
 				"--zone", "uk-lon1",
+				"--os-storage-encrypt",
 				"--password-delivery", "email",
-				"--storage", "action=create,address=virtio,type=disk,size=20,title=new-storage",
+				"--storage", "action=create,address=virtio,encrypt=true,type=disk,size=20,title=new-storage",
 				"--storage", fmt.Sprintf("action=clone,storage=%s,title=three-clone", Storage3.Title),
 				"--storage", fmt.Sprintf("action=attach,storage=%s,type=cdrom", Storage1.Title),
 			},
@@ -282,20 +283,22 @@ func TestCreateServer(t *testing.T) {
 				LoginUser:        &request.LoginUser{CreatePassword: "yes"},
 				StorageDevices: request.CreateServerStorageDeviceSlice{
 					request.CreateServerStorageDevice{
-						Action:  "clone",
-						Address: "virtio",
-						Storage: StorageDef.UUID,
-						Title:   "example.com-OS",
-						Size:    50,
-						Tier:    upcloud.StorageTierMaxIOPS,
-						Type:    upcloud.StorageTypeDisk,
+						Action:    "clone",
+						Address:   "virtio",
+						Encrypted: upcloud.FromBool(true),
+						Storage:   StorageDef.UUID,
+						Title:     "example.com-OS",
+						Size:      50,
+						Tier:      upcloud.StorageTierMaxIOPS,
+						Type:      upcloud.StorageTypeDisk,
 					},
 					request.CreateServerStorageDevice{
-						Action:  "create",
-						Address: "virtio",
-						Title:   "new-storage",
-						Size:    20,
-						Type:    upcloud.StorageTypeDisk,
+						Action:    "create",
+						Address:   "virtio",
+						Encrypted: upcloud.FromBool(true),
+						Title:     "new-storage",
+						Size:      20,
+						Type:      upcloud.StorageTypeDisk,
 					},
 					request.CreateServerStorageDevice{
 						Action:  "clone",
@@ -470,6 +473,7 @@ func TestCreateServer(t *testing.T) {
 					assert.Equal(t, test.error, err.Error())
 				}
 			} else {
+				assert.NoError(t, err)
 				mService.AssertNumberOfCalls(t, "GetStorages", 1)
 				mService.AssertNumberOfCalls(t, "CreateServer", 1)
 			}

internal/commands/server/show.go

@@ -91,6 +91,7 @@ func (s *showCommand) Execute(exec commands.Executor, uuid string) (output.Outpu
 			storage.Type,
 			storage.Address,
 			storage.Size,
+			storage.Encrypted,
 			strings.Join(flags, " "),
 		})
 	}
@@ -152,6 +153,7 @@ func (s *showCommand) Execute(exec commands.Executor, uuid string) (output.Outpu
 					{Key: "type", Header: "Type"},
 					{Key: "address", Header: "Address"},
 					{Key: "size", Header: "Size (GiB)"},
+					{Key: "encrypted", Header: "Encrypted", Format: format.Boolean},
 					{Key: "flags", Header: "Flags"},
 				},
 				Rows: storageRows,

internal/commands/server/show_test.go

@@ -172,9 +172,9 @@ func TestServerHumanOutput(t *testing.T) {
     
   Storage: (Flags: B = bootdisk, P = part of plan)
 
-     UUID                                   Title                             Type   Address    Size (GiB)   Flags 
-    ────────────────────────────────────── ───────────────────────────────── ────── ────────── ──────────── ───────
-     012580a1-32a1-466e-a323-689ca16f2d43   Storage for server1.example.com   disk   virtio:0           20   P     
+     UUID                                   Title                             Type   Address    Size (GiB)   Encrypted   Flags 
+    ────────────────────────────────────── ───────────────────────────────── ────── ────────── ──────────── ─────────── ───────
+     012580a1-32a1-466e-a323-689ca16f2d43   Storage for server1.example.com   disk   virtio:0           20   no          P     
     
   NICs: (Flags: S = source IP filtering, B = bootable)
 

internal/commands/storage/clone.go

@@ -24,6 +24,7 @@ type cloneCommand struct {
 
 type cloneParams struct {
 	request.CloneStorageRequest
+	encrypted config.OptionalBoolean
 }
 
 // CloneCommand creates the "storage clone" command
@@ -53,6 +54,7 @@ func (s *cloneCommand) InitCommand() {
 	flagSet.StringVar(&s.params.Tier, "tier", defaultCloneParams.Tier, "The storage tier to use.")
 	flagSet.StringVar(&s.params.Title, "title", defaultCloneParams.Title, "A short, informational description.")
 	flagSet.StringVar(&s.params.Zone, "zone", defaultCloneParams.Zone, namedargs.ZoneDescription("storage"))
+	config.AddToggleFlag(flagSet, &s.params.encrypted, "encrypt", false, "Encrypt the new storage.")
 
 	s.AddFlags(flagSet)
 	_ = s.Cobra().MarkFlagRequired("title")
@@ -68,6 +70,7 @@ func (s *cloneCommand) Execute(exec commands.Executor, uuid string) (output.Outp
 	svc := exec.Storage()
 	req := s.params.CloneStorageRequest
 	req.UUID = uuid
+	req.Encrypted = s.params.encrypted.AsUpcloudBoolean()
 
 	msg := fmt.Sprintf("Cloning storage %v", uuid)
 	exec.PushProgressStarted(msg)

internal/commands/storage/clone_test.go

@@ -66,6 +66,17 @@ func TestCloneCommand(t *testing.T) {
 				Title: "test-title",
 			},
 		},
+		{
+			name: "encrypted",
+			args: []string{"--zone", "test-zone", "--title", "test-title", "--encrypt"},
+			expected: request.CloneStorageRequest{
+				Encrypted: upcloud.FromBool(true),
+				UUID:      Storage2.UUID,
+				Zone:      "test-zone",
+				Tier:      "hdd",
+				Title:     "test-title",
+			},
+		},
 		{
 			name: "title is missing",
 			args: []string{

internal/commands/storage/create.go

@@ -50,6 +50,7 @@ func newCreateParams() createParams {
 type createParams struct {
 	request.CreateStorageRequest
 	backupTime string
+	encrypted  config.OptionalBoolean
 }
 
 func (s *createParams) processParams() error {
@@ -62,6 +63,9 @@ func (s *createParams) processParams() error {
 	} else {
 		s.BackupRule = nil
 	}
+
+	s.Encrypted = s.encrypted.AsUpcloudBoolean()
+
 	return nil
 }
 
@@ -76,6 +80,7 @@ func applyCreateFlags(fs *pflag.FlagSet, dst, def *createParams) {
 	fs.IntVar(&dst.Size, "size", def.Size, "Size of the storage in GiB.")
 	fs.StringVar(&dst.Zone, "zone", def.Zone, namedargs.ZoneDescription("storage"))
 	fs.StringVar(&dst.Tier, "tier", def.Tier, "Storage tier.")
+	config.AddToggleFlag(fs, &dst.encrypted, "encrypt", false, "Encrypt the storage.")
 	fs.StringVar(&dst.backupTime, "backup-time", def.backupTime, "The time when to create a backup in HH:MM. Empty value means no backups.")
 	fs.StringVar(&dst.BackupRule.Interval, "backup-interval", def.BackupRule.Interval, "The interval of the backup.\nAvailable: daily,mon,tue,wed,thu,fri,sat,sun")
 	fs.IntVar(&dst.BackupRule.Retention, "backup-retention", def.BackupRule.Retention, "How long to store the backups in days. The accepted range is 1-1095")