
Rulesets nodepool isolation #908

Open

aweingarten wants to merge 4 commits into linode:main from aweingarten:rulesets-nodepool-isolation


@aweingarten

📝 Description

What does this PR do and why is this change necessary?

Adds Go SDK support for three LKE Enterprise features: firewall ruleset IDs on clusters, node pool network isolation, and node pool disk encryption.

LKE Cluster Ruleset IDs

New LKEClusterRuleSetIDs struct and RuleSetIDs field on LKECluster:

type LKEClusterRuleSetIDs struct {
    Inbound  int `json:"inbound"`
    Outbound int `json:"outbound"`
}

LKE Enterprise clusters have service-managed firewall rulesets automatically created for them. This field enables deserialization when the API returns them. The companion Terraform provider PR uses ListFirewallRuleSets to discover these by label convention.

Node Pool Isolation

New LKENodePoolIsolation struct with PublicIPv4/PublicIPv6 booleans, added to LKENodePool, LKENodePoolCreateOptions, and LKENodePoolUpdateOptions:

type LKENodePoolIsolation struct {
    PublicIPv4 bool `json:"public_ipv4"`
    PublicIPv6 bool `json:"public_ipv6"`
}

Allows controlling whether worker nodes get public IPv4/IPv6 addresses. Essential for VPC-only deployments where nodes should have no public IPv4.

Node Pool Disk Encryption

Added DiskEncryption InstanceDiskEncryption to LKENodePoolCreateOptions, reusing the existing InstanceDiskEncryption type. Propagated through GetCreateOptions().

Files Changed

| File | Change |
| --- | --- |
| lke_clusters.go | LKEClusterRuleSetIDs struct, RuleSetIDs field on LKECluster |
| lke_node_pools.go | LKENodePoolIsolation struct, Isolation + DiskEncryption on pool types and options |
| test/unit/lke_clusters_test.go | 2 new tests for enterprise ruleset ID deserialization |
| test/unit/fixtures/lke_cluster_enterprise_create.json | Enterprise cluster fixture with ruleset_ids |

✔️ How to Test

What are the steps to reproduce the issue or verify the changes?

These are struct/field additions with no behavioral changes to existing functionality. Verify by running the unit tests below.

How do I run the relevant unit tests?

go test ./test/unit/ -run 'TestLKECluster_Create_Enterprise_RuleSetIDs|TestLKECluster_Get_NoRuleSetIDs' -v
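The isolation, disk_encryption and ruleset_ids fields described above, as an added example that is not part of this PR or of linodego: stand-in copies of the new types (constructed here, with only the fields that matter) show that a nil Isolation pointer is dropped from the create request by omitempty, so a VPC-only pool must pass an explicit zero-value pointer to send public_ipv4/public_ipv6 false, and that RuleSetIDs stays nil when a cluster response has no ruleset_ids. The "enabled" disk-encryption string is assumed to match the SDK's existing constant.

```go
package main

import "encoding/json"

// Stand-in types mirroring this PR's additions (constructed here; the real ones are in linodego).
type InstanceDiskEncryption string

type LKENodePoolIsolation struct {
	PublicIPv4 bool `json:"public_ipv4"`
	PublicIPv6 bool `json:"public_ipv6"`
}

type LKENodePoolCreateOptions struct {
	Count          int                    `json:"count"`
	Type           string                 `json:"type"`
	DiskEncryption InstanceDiskEncryption `json:"disk_encryption,omitempty"`
	Isolation      *LKENodePoolIsolation  `json:"isolation,omitempty"`
}
type LKEClusterRuleSetIDs struct {
	Inbound  int `json:"inbound"`
	Outbound int `json:"outbound"`
}
type LKECluster struct {
	ID         int                   `json:"id"`
	RuleSetIDs *LKEClusterRuleSetIDs `json:"ruleset_ids,omitempty"`
}

// VPCOnlyPool builds create options for a pool with no public IPs and encrypted disks.
// Isolation must be a non-nil pointer: nil is dropped by omitempty and the API default applies.
func VPCOnlyPool(count int, typ string) LKENodePoolCreateOptions {
	return LKENodePoolCreateOptions{
		Count: count, Type: typ,
		DiskEncryption: "enabled", // string assumed to match the SDK's enabled constant
		Isolation:      &LKENodePoolIsolation{PublicIPv4: false, PublicIPv6: false},
	}
}

// EncodeCreateOptions returns the JSON request body the SDK would send.
func EncodeCreateOptions(o LKENodePoolCreateOptions) (string, error) {
	b, err := json.Marshal(o)
	return string(b), err
}

// DecodeCluster parses a cluster response; RuleSetIDs stays nil when ruleset_ids is absent.
func DecodeCluster(body string) (LKECluster, error) {
	var c LKECluster
	err := json.Unmarshal([]byte(body), &c)
	return c, err
}
```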

Copilot AI left a comment


Pull request overview

Adds Go SDK support for LKE Enterprise cluster firewall ruleset_ids, and introduces node pool network isolation + disk encryption fields so callers can control public IP assignment and encrypted disks via the API.

Changes:

  • Add RuleSetIDs to LKECluster for enterprise service-managed firewall rulesets deserialization.
  • Add Isolation to LKE node pool structs/options and propagate it through GetCreateOptions() / GetUpdateOptions().
  • Add DiskEncryption to LKENodePoolCreateOptions and propagate it through GetCreateOptions().

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| lke_clusters.go | Adds ruleset_ids field + struct for enterprise firewall ruleset ID deserialization. |
| lke_node_pools.go | Adds node pool isolation + create-time disk_encryption support and propagates them into option helpers. |
Comments suppressed due to low confidence (3)

lke_node_pools.go:153

  • LKENodePool.GetCreateOptions() does not copy the pool Type into LKENodePoolCreateOptions (Type is a required JSON field). This can produce invalid create requests when callers use GetCreateOptions() to recreate/clone an existing pool. Copy l.Type into o.Type (and consider whether any other required fields should be mirrored).
func (l LKENodePool) GetCreateOptions() (o LKENodePoolCreateOptions) {
	o.Count = l.Count
	o.Disks = l.Disks
	o.Tags = l.Tags
	o.Labels = l.Labels
	o.Taints = l.Taints
	o.Autoscaler = &l.Autoscaler
	o.K8sVersion = l.K8sVersion
	o.UpdateStrategy = l.UpdateStrategy
	o.Label = l.Label
	o.FirewallID = l.FirewallID
	o.DiskEncryption = l.DiskEncryption
	o.Isolation = l.Isolation

lke_node_pools.go:113

  • New Isolation/DiskEncryption fields were added to the node pool types/options, but there are no corresponding unit tests asserting request serialization and response deserialization for these fields. Given existing unit coverage for LKE node pools, add tests/fixtures that (1) include isolation in create + update payloads and (2) verify disk_encryption is sent on create and unmarshaled on responses.
	Isolation *LKENodePoolIsolation `json:"isolation,omitempty"`

	// K8sVersion and UpdateStrategy are only for LKE Enterprise to support node pool upgrades.
	// It may not currently be available to all users and is under v4beta.
	K8sVersion     *string                    `json:"k8s_version,omitempty"`
	UpdateStrategy *LKENodePoolUpdateStrategy `json:"update_strategy,omitempty"`
}

// LKENodePoolCreateOptions fields are those accepted by CreateLKENodePool
type LKENodePoolCreateOptions struct {
	Count  int                `json:"count"`
	Type   string             `json:"type"`
	Disks  []LKENodePoolDisk  `json:"disks"`
	Tags   []string           `json:"tags"`
	Labels LKENodePoolLabels  `json:"labels"`
	Taints []LKENodePoolTaint `json:"taints"`
	Label  *string            `json:"label,omitempty"`

	Autoscaler *LKENodePoolAutoscaler `json:"autoscaler,omitempty"`
	FirewallID *int                   `json:"firewall_id,omitempty"`

	// NOTE: Disk encryption may not currently be available to all users.
	DiskEncryption InstanceDiskEncryption `json:"disk_encryption,omitempty"`
	Isolation      *LKENodePoolIsolation  `json:"isolation,omitempty"`

lke_clusters.go:60

  • RuleSetIDs was added to LKECluster, but there are no unit tests/fixtures in the current test suite validating (a) unmarshaling when ruleset_ids is present for enterprise clusters and (b) behavior when it is absent. Add unit tests similar to other LKE cluster unmarshal tests to prevent regressions in timestamp masking/custom unmarshaling.
	// RuleSetIDs contains the IDs of the service-managed firewall rulesets
	// automatically created for LKE Enterprise clusters.
	RuleSetIDs *LKEClusterRuleSetIDs `json:"ruleset_ids,omitempty"`
}

// LKEClusterRuleSetIDs contains the inbound and outbound ruleset IDs for an LKE-E cluster.
type LKEClusterRuleSetIDs struct {
	Inbound  int `json:"inbound"`
	Outbound int `json:"outbound"`
}


aweingarten force-pushed the rulesets-nodepool-isolation branch 7 times, most recently from 4a0d3d6 to 6030012 (March 5, 2026 18:43)
aweingarten force-pushed the rulesets-nodepool-isolation branch from 6030012 to 271eb30 (March 10, 2026 18:01)
mawilk90 requested a review from zliang-akamai (March 13, 2026 10:15)