refactor: [M3-9532] – Account for "LA Disk Encryption" region capability in regionSupportsDiskEncryption checks

[dwiley-akamai]

Description 📝

Currently in staging, users with the "Disk Encryption" account capability are unable to deploy to regions that only have the "LA Disk Encryption" capability. This PR updates the logic checking if a region supports LDE to account for both the "Disk Encryption" (indicates GA) and "LA Disk Encryption" (indicates LA) capabilities.

Target release date 🗓️

3/17/25

How to test 🧪

There should be no adverse impacts on the LDE functionality outlined in #11817.

On this branch, pointing at staging, a user with the linode_disk_encryption customer tag should be able to deploy to not only regions with the "Disk Encryption" capability, but the "LA Disk Encryption" capability as well. The expectation at this moment is for Frankfurt to have the "Disk Encryption" capability and all others to have "LA Disk Encryption" but you can confirm by checking the /regions network request

Additionally, the encryption status indicators found on the Linode Details page and LKE Details page (at the node pool table level) should not display tooltips if the region the entities are in do not support LDE.

Author Checklists

As an Author, to speed up the review process, I considered 🤔

👀 Doing a self review
❔ Our contribution guidelines
🤏 Splitting feature into small PRs
➕ Adding a changeset
🧪 Providing/improving test coverage
🔐 Removing all sensitive information from the code and PR description
🚩 Using a feature flag to protect the release
👣 Providing comprehensive reproduction steps
📑 Providing or updating our documentation
🕛 Scheduling a pair reviewing session
📱 Providing mobile support
♿ Providing accessibility support

• I have read and considered all applicable items listed above.

As an Author, before moving this PR from Draft to Open, I confirmed ✅

• All unit tests are passing
• TypeScript compilation succeeded without errors
• Code passes all linting rules

[mjac0bs]

cc @dwiley-akamai if possible to make this change in this PR while doing changelog updates:

#11797 (comment)

[mjac0bs]

/regions requests

• User with enabled tag, I see the LA Disk Encryption capability for every region. This includes Frankfurt, which has both LA Disk Encryption and Disk Encryption.
• User without any tag, I see no LA Disk Encryption for any region. Frankfurt includes the Disk Encryption capability as if it’s GA.
• User with disabled tag, I see no LA Disk Encryption or Disk Encryption capabilities for any regions.

Linode Create flow

• User with enabled tag: sees the "Disk Encryption" section, regardless of selected region; the checkbox is enabled for every region (GA and LA Disk Encryption)
  • I can create a linode in a Core region
  • I can create a linode in a Distributed region and it is encrypted
• User without any tag: sees the "Disk Encryption" section, regardless of selected region; the checkbox is disabled for every region but Frankfurt, because it's the only one with 'Disk Encryption' (GA) and not 'LA Disk Encryption'
  • I can create a linode in a Core region
  • I can create a linode in a Distributed region and it is encrypted
• User with disabled tag does not see the "Disk Encryption" section
  • I can create a linode in a Core region
  • I can create a linode in a Distributed region and it is encrypted - noting that this wasn't made clear in documentation but is an assumption that the default encryption would take precedence over the disabled tag

Linode Details page

• User with enabled tag: sees encryption status indicator in the summary panel and a tooltip explaining encryption can be enabled by rebuilding (all regions support at least LA LDE)
• User without any tag: sees encryption status indicator in the summary panel and only sees the tooltip if the region the linode is in supports LDE
• User with disabled tag does not see the encryption status indicator (note: we might want to revisit in the future for Distributed region linodes where this is enabled by default)

Linode Rebuild flow

• User with enabled tag: sees "Disk Encryption" section, and default checkbox status should match the linode's current encryption status (i.e., unchecked if linode is currently not encrypted, checked if linode currently is)
• User without any tags: sees "Disk Encryption" section, and default checkbox status should match the linode's current encryption status (i.e., unchecked if linode is currently not encrypted, checked if linode currently is)
• User with disabled tag does not see the "Disk Encryption" section

LKE landing page banner

• User with enabled tag: should see banner (unless it has been dismissed)
• User without any tags: should see banner (unless it has been dismissed)
• User with disabled tag does not see the "Disk Encryption" section

LKE Details page

• User with enabled tag: should always be able to see pool encryption status indicator (and tooltip depends on LDE availability in region)
• User without any tags: should always be able to see pool encryption status indicator (and tooltip depends on LDE availability in region)
• User with disabled tag: does not see the encryption status indicator

[github-actions]

Coverage Report: ✅
Base Coverage: 80.18%
Current Coverage: 80.18%

[coliu-akamai]

Going through stuff from the linked pr - I'm not too sure if my understanding of this feature is correct, but here's what I've been seeing:

tag combinations:

• disk_encryption tag
• disk-encryption-disabled tag
• both disk_encryption and disk-encryption-disabled
• no tags

/regions requests
✅ User w disk_encryption tag: should see "Disk Encryption" as a capability for Frankfurt, DE and "LA" for other (non distributed) regions
✅ User only disk-encryption-disabled tag: don't see anything
✅ User w disk_encryption tag and disk-encryption-disabled tag: don't see anything
✅ no tag: seeing "Disk Encryption" for Frankfurt, but no LA for other regions

Linode Create flow - testing both distributed and non distributed
✅ disk_encryption tag - always seeing Disk encryption section, regardless of selected region. Section disabled and checked for distributed Linodes once region selected
✅ disk-encryption-disabled - no section seen (both distributed and non-distributed)
✅ disk_encryption and disk-encryption-disabled - no section seen (both distributed and non-distributed)
✅ no tag: see Disk encryption section disabled for every region except DE frankfurt, able to create a Linode in DE frankfurt. For distributed, seeing section disabled and once region selected, checked

Linode Details page - non distributed Linodes
✅ disk_encryption tag - seeing Disk encryption status + tooltip if Linode is not encrypted
✅ disk-encryption-disabled - no status seen
✅ disk_encryption and disk-encryption-disabled - no status seen
✅ no customer tags tag: see Disk encryption status for for all my linodes (but no tooltip if not encrypted bc no support)

Linode Rebuild flow - non distributed Linodes
✅ disk_encryption tag - seeing enabled Disk Encryption status for various regions (Frankfurt, Atlanta, etc)
✅ disk-encryption-disabled - no status seen
✅ disk_encryption and disk-encryption-disabled - no status seen
✅ no tags - seeing enabled Disk Encryption for Frankfurt linode, seeing it disabled for other regions

LKE landing page banner
✅ disk_encryption tag - banner appears
✅ disk-encryption-disabled - no banner seen
✅ disk_encryption and disk-encryption-disabled - no banner seen
✅ no tags - banner appears

LKE Details page
✅ ❓ disk_encryption tag - status seen + tooltip if node pool is not encrypted (I'm a bit unfamiliar - for LKE, I created a new node pool but it still had the tooltip saying "New node pools are always encrypted". Is this expected?)
✅ disk-encryption-disabled - no status indicator seen
✅ disk_encryption and disk-encryption-disabled - no indicator seen
✅ no tags - seeing not encrypted status indicator (only one region - Dallas, Texas)

[coliu-akamai]

going to walk through some stuff with distributed Linodes, but things are looking good so far! one question for the LKE details page

[dwiley-akamai]

@coliu-akamai apologies if it was unclear -- there shouldn't be a situation where a user has both the linode_disk_encryption and linode-disk-encryption-disabled tags.

With the latest commits on this PR, you shouldn't see a tooltip for unencrypted linodes or node pools if the region the entities are in do not support LDE

[mjac0bs]

Approving this based on our latest testing. Confirmed all Linode actions at least kick off as expected for encrypted and non-encrypted Linodes.

Confirmed changes for Disk Encryption box to be checked in the create flow if Disk Encryption is enabled in either LA or GA for that region look good.

This looks good from a UI perspective and outstanding errors are on the API side, so we should be good to merge this to staging; we'll need an update from them on status of fixes.

[jaalah-akamai]

User Flow w/ Disabled Tag:

• Can Rebuild
• Can Clone
• Can Migrate
• Can Resize
• Can Rescue
• Can Delete

[dwiley-akamai]

@mjac0bs @jaalah-akamai Sorry about the dismissals ☹️

[carrillo-erik]

I can confirm that the following flows work with the tag combinations specified.

• Linode Create
• Linode Details
• LKE Details and Banner
• regions requests

[linode-gh-bot]

Cloud Manager UI test results

🎉 535 passing tests on test run #9 ↗︎

❌ Failing	✅ Passing	↪️ Skipped	🕐 Duration
0 Failing	535 Passing	3 Skipped	112m 38s