From 610537766c933e84159db8170a80f36ea8a7a035 Mon Sep 17 00:00:00 2001
From: Ashley Dumaine
Date: Thu, 15 May 2025 18:02:17 -0400
Subject: [PATCH 1/2] simplify the fields for obj access
---
cloud/scope/common.go | 12 +--
cloud/scope/machine.go | 2 +-
cloud/scope/machine_test.go | 8 +--
cloud/scope/object_storage_key.go | 4 +-
cloud/scope/object_storage_key_test.go | 30 +++----
cloud/services/object_storage_objects_test.go | 88 +++++++++----------
docs/src/topics/backups.md | 4 +-
docs/src/topics/cluster-object-store.md | 16 ++--
.../chainsaw-test.yaml | 4 +-
.../assert-key-and-secret.yaml | 8 +-
.../create-linodeobjectstoragekey.yaml | 9 +-
.../custom-secret/assert-key-and-secret.yaml | 6 +-
.../custom-secret/chainsaw-test.yaml | 2 +-
.../check-key-and-secret-deletion.yaml | 2 +-
.../create-linodeobjectstoragekey.yaml | 6 +-
.../assert-key-and-secret.yaml | 6 +-
.../deprecated-secret/chainsaw-test.yaml | 2 +-
.../check-key-and-secret-deletion.yaml | 2 +-
.../create-linodeobjectstoragekey.yaml | 6 +-
.../assert-key-and-secret.yaml | 2 +-
.../chainsaw-test.yaml | 2 +-
.../check-key-and-secret-deletion.yaml | 2 +-
.../linodemachine_controller_helpers_test.go | 14 +--
.../linodeobjectstoragekey_controller_test.go | 12 +--
.../cluster-object-store.yaml | 8 +-
.../etcd-backup-restore.yaml | 8 +-
.../etcd-backup-restore/linode-obj.yaml | 6 +-
27 files changed, 136 insertions(+), 135 deletions(-)
diff --git a/cloud/scope/common.go b/cloud/scope/common.go
index f775a6ed8..7513221f8 100644
--- a/cloud/scope/common.go
+++ b/cloud/scope/common.go
@@ -127,17 +127,17 @@ func CreateS3Clients(ctx context.Context, crClient clients.K8sClient, cluster in // If we have a cluster object store bucket, get its configuration. if cluster.Spec.ObjectStore != nil { - secret, err := getCredentials(ctx, crClient, cluster.Spec.ObjectStore.CredentialsRef, cluster.GetNamespace()) + objSecret, err := getCredentials(ctx, crClient, cluster.Spec.ObjectStore.CredentialsRef, cluster.GetNamespace()) if err == nil { var ( - access_key = string(secret.Data["access_key"]) - secret_key = string(secret.Data["secret_key"]) - s3_endpoint = string(secret.Data["s3_endpoint"]) + access = string(objSecret.Data["access"]) + secret = string(objSecret.Data["secret"]) + endpoint = string(objSecret.Data["endpoint"]) ) - configOpts = append(configOpts, awsconfig.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(access_key, secret_key, ""))) + configOpts = append(configOpts, awsconfig.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(access, secret, ""))) clientOpts = append(clientOpts, func(opts *s3.Options) { - opts.BaseEndpoint = aws.String(s3_endpoint) + opts.BaseEndpoint = aws.String(endpoint) }) } } diff --git a/cloud/scope/machine.go b/cloud/scope/machine.go index b7c772b06..c2b5f55e1 100644 --- a/cloud/scope/machine.go +++ b/cloud/scope/machine.go @@ -145,7 +145,7 @@ func (m *MachineScope) GetBucketName(ctx context.Context) (string, error) { return "", errors.New("no cluster object store") } - name, err := getCredentialDataFromRef(ctx, m.Client, m.LinodeCluster.Spec.ObjectStore.CredentialsRef, m.LinodeCluster.GetNamespace(), "bucket_name") + name, err := getCredentialDataFromRef(ctx, m.Client, m.LinodeCluster.Spec.ObjectStore.CredentialsRef, m.LinodeCluster.GetNamespace(), "bucket") if err != nil { return "", fmt.Errorf("get bucket name: %w", err) } diff --git a/cloud/scope/machine_test.go b/cloud/scope/machine_test.go index 5dc4e443c..a1a51a756 100644 --- a/cloud/scope/machine_test.go 
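Review bot: Secrets written under the old key names stop working with no error, because the new reads in CreateS3Clients (`objSecret.Data["access"]`, `["secret"]`, `["endpoint"]`) return empty strings for a Secret that still carries `access_key`/`secret_key`/`s3_endpoint`, and the `err == nil` branch then installs a static credentials provider and `BaseEndpoint` built from those empty values. The same applies to the `"bucket"` lookup in GetBucketName (machine.go) and to consumers of the default Secret produced by GenerateKeySecret (object_storage_key.go), whose keys change from `access_key`/`secret_key` to `access`/`secret`. I would fall back to the legacy key when the new one is absent, as sketched below, and reject an empty access key, secret key or endpoint before appending to `configOpts`/`clientOpts`, so a half-migrated Secret fails loudly instead of sending requests with blank credentials or, presumably, to the SDK's default endpoint. CreateS3Clients starts and ends outside this hunk, so the right error return is not visible here.

```go
objSecret, err := getCredentials(ctx, crClient, cluster.Spec.ObjectStore.CredentialsRef, cluster.GetNamespace())
if err == nil {
	// Prefer the new key; fall back to the pre-rename key so Secrets
	// created before this change keep working during an upgrade.
	lookup := func(key, legacy string) string {
		if v, ok := objSecret.Data[key]; ok {
			return string(v)
		}
		return string(objSecret.Data[legacy])
	}
	var (
		access   = lookup("access", "access_key")
		secret   = lookup("secret", "secret_key")
		endpoint = lookup("endpoint", "s3_endpoint")
	)
	// … unchanged: configOpts / clientOpts appends …
```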
+++ b/cloud/scope/machine_test.go @@ -268,10 +268,10 @@ func TestNewMachineScope(t *testing.T) { Call("cluster object store used", func(ctx context.Context, mck Mock) { mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error { secret := corev1.Secret{Data: map[string][]byte{ - "bucket_name": []byte("fake"), - "s3_endpoint": []byte("fake"), - "access_key": []byte("fake"), - "secret_key": []byte("fake"), + "bucket": []byte("fake"), + "endpoint": []byte("fake"), + "access": []byte("fake"), + "secret": []byte("fake"), }} *obj = secret return nil diff --git a/cloud/scope/object_storage_key.go b/cloud/scope/object_storage_key.go index f63a9f290..d0cde08f3 100644 --- a/cloud/scope/object_storage_key.go +++ b/cloud/scope/object_storage_key.go @@ -105,8 +105,8 @@ func (s *ObjectStorageKeyScope) GenerateKeySecret(ctx context.Context, key *lino if len(s.Key.Spec.Format) == 0 { secretStringData = map[string]string{ - "access_key": key.AccessKey, - "secret_key": key.SecretKey, + "access": key.AccessKey, + "secret": key.SecretKey, } } else { // This should never run since the CRD has a validation marker to ensure bucketAccess has at least one item. diff --git a/cloud/scope/object_storage_key_test.go b/cloud/scope/object_storage_key_test.go index f0896ada4..e652e8f05 100644 --- a/cloud/scope/object_storage_key_test.go +++ b/cloud/scope/object_storage_key_test.go @@ -267,8 +267,8 @@ func TestGenerateKeySecret(t *testing.T) { key: &linodego.ObjectStorageKey{ ID: 1, Label: "test-key", - AccessKey: "access_key", - SecretKey: "secret_key", + AccessKey: "access", + SecretKey: "secret", BucketAccess: &[]linodego.ObjectStorageKeyBucketAccess{ { BucketName: "bucket", 
@@ -285,8 +285,8 @@ func TestGenerateKeySecret(t *testing.T) { }).Times(1) }, expectedData: map[string]string{ - "access_key": "access_key", - "secret_key": "secret_key", + "access": "access", + "secret": "secret", }, expectedErr: nil, }, @@ -317,8 +317,8 @@ func TestGenerateKeySecret(t *testing.T) { key: &linodego.ObjectStorageKey{ ID: 1, Label: "test-key", - AccessKey: "access_key", - SecretKey: "secret_key", + AccessKey: "access", + SecretKey: "secret", BucketAccess: &[]linodego.ObjectStorageKeyBucketAccess{ { BucketName: "bucket", @@ -364,8 +364,8 @@ func TestGenerateKeySecret(t *testing.T) { key: &linodego.ObjectStorageKey{ ID: 1, Label: "test-key", - AccessKey: "access_key", - SecretKey: "secret_key", + AccessKey: "access", + SecretKey: "secret", BucketAccess: &[]linodego.ObjectStorageKeyBucketAccess{ { BucketName: "bucket", @@ -389,7 +389,7 @@ func TestGenerateKeySecret(t *testing.T) { }, nil) }, expectedData: map[string]string{ - "key": "access_key,secret_key,hostname", + "key": "access,secret,hostname", }, expectedErr: nil, }, @@ -421,8 +421,8 @@ func TestGenerateKeySecret(t *testing.T) { key: &linodego.ObjectStorageKey{ ID: 1, Label: "test-key", - AccessKey: "access_key", - SecretKey: "secret_key", + AccessKey: "access", + SecretKey: "secret", BucketAccess: &[]linodego.ObjectStorageKeyBucketAccess{ { BucketName: "bucket", @@ -457,8 +457,8 @@ func TestGenerateKeySecret(t *testing.T) { key: &linodego.ObjectStorageKey{ ID: 1, Label: "test-key", - AccessKey: "access_key", - SecretKey: "secret_key", + AccessKey: "access", + SecretKey: "secret", BucketAccess: &[]linodego.ObjectStorageKeyBucketAccess{ { BucketName: "bucket", @@ -496,8 +496,8 @@ func TestGenerateKeySecret(t *testing.T) { key: &linodego.ObjectStorageKey{ ID: 1, Label: "test-key", - AccessKey: "access_key", - SecretKey: "secret_key", + AccessKey: "access", + SecretKey: "secret", BucketAccess: &[]linodego.ObjectStorageKeyBucketAccess{ { BucketName: "bucket", 
diff --git a/cloud/services/object_storage_objects_test.go b/cloud/services/object_storage_objects_test.go index c5426e8f2..ebf494828 100644 --- a/cloud/services/object_storage_objects_test.go +++ b/cloud/services/object_storage_objects_test.go @@ -80,10 +80,10 @@ func TestCreateObject(t *testing.T) { Call("empty bucket name", func(ctx context.Context, mck Mock) { mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error { secret := corev1.Secret{Data: map[string][]byte{ - "bucket_name": nil, - "s3_endpoint": []byte("fake"), - "access_key": []byte("fake"), - "secret_key": []byte("fake"), + "bucket": nil, + "endpoint": []byte("fake"), + "access": []byte("fake"), + "secret": []byte("fake"), }} *obj = secret return nil @@ -108,10 +108,10 @@ func TestCreateObject(t *testing.T) { Call("fail to put object", func(ctx context.Context, mck Mock) { mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error { secret := corev1.Secret{Data: map[string][]byte{ - "bucket_name": []byte("fake"), - "s3_endpoint": []byte("fake"), - "access_key": []byte("fake"), - "secret_key": []byte("fake"), + "bucket": []byte("fake"), + "endpoint": []byte("fake"), + "access": []byte("fake"), + "secret": []byte("fake"), }} *obj = secret return nil 
@@ -137,10 +137,10 @@ func TestCreateObject(t *testing.T) { Call("fail to generate presigned url", func(ctx context.Context, mck Mock) { mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error { secret := corev1.Secret{Data: map[string][]byte{ - "bucket_name": []byte("fake"), - "s3_endpoint": []byte("fake"), - "access_key": []byte("fake"), - "secret_key": []byte("fake"), + "bucket": []byte("fake"), + "endpoint": []byte("fake"), + "access": []byte("fake"), + "secret": []byte("fake"), }} *obj = secret return nil @@ -167,10 +167,10 @@ func TestCreateObject(t *testing.T) { Call("create object", func(ctx context.Context, mck Mock) { mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error { secret := corev1.Secret{Data: map[string][]byte{ - "bucket_name": []byte("fake"), - "s3_endpoint": []byte("fake"), - "access_key": []byte("fake"), - "secret_key": []byte("fake"), + "bucket": []byte("fake"), + "endpoint": []byte("fake"), + "access": []byte("fake"), + "secret": []byte("fake"), }} *obj = secret return nil @@ -256,10 +256,10 @@ func TestDeleteObject(t *testing.T) { Call("empty bucket name", func(ctx context.Context, mck Mock) { mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error { secret := corev1.Secret{Data: map[string][]byte{ - "bucket_name": nil, - "s3_endpoint": []byte("fake"), - "access_key": []byte("fake"), - "secret_key": []byte("fake"), + "bucket": nil, + "endpoint": []byte("fake"), + "access": []byte("fake"), + "secret": []byte("fake"), }} *obj = secret return nil 
@@ -284,10 +284,10 @@ func TestDeleteObject(t *testing.T) { Call("fail to head object", func(ctx context.Context, mck Mock) { mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error { secret := corev1.Secret{Data: map[string][]byte{ - "bucket_name": []byte("fake"), - "s3_endpoint": []byte("fake"), - "access_key": []byte("fake"), - "secret_key": []byte("fake"), + "bucket": []byte("fake"), + "endpoint": []byte("fake"), + "access": []byte("fake"), + "secret": []byte("fake"), }} *obj = secret return nil @@ -313,10 +313,10 @@ func TestDeleteObject(t *testing.T) { Call("fail to delete object", func(ctx context.Context, mck Mock) { mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error { secret := corev1.Secret{Data: map[string][]byte{ - "bucket_name": []byte("fake"), - "s3_endpoint": []byte("fake"), - "access_key": []byte("fake"), - "secret_key": []byte("fake"), + "bucket": []byte("fake"), + "endpoint": []byte("fake"), + "access": []byte("fake"), + "secret": []byte("fake"), }} *obj = secret return nil @@ -344,10 +344,10 @@ func TestDeleteObject(t *testing.T) { Path(Call("delete object (no such key)", func(ctx context.Context, mck Mock) { mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error { secret := corev1.Secret{Data: map[string][]byte{ - "bucket_name": []byte("fake"), - "s3_endpoint": []byte("fake"), - "access_key": []byte("fake"), - "secret_key": []byte("fake"), + "bucket": []byte("fake"), + "endpoint": []byte("fake"), + "access": []byte("fake"), + "secret": []byte("fake"), }} *obj = secret return nil 
@@ -357,10 +357,10 @@ func TestDeleteObject(t *testing.T) { Path(Call("delete object (no such bucket)", func(ctx context.Context, mck Mock) { mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error { secret := corev1.Secret{Data: map[string][]byte{ - "bucket_name": []byte("fake"), - "s3_endpoint": []byte("fake"), - "access_key": []byte("fake"), - "secret_key": []byte("fake"), + "bucket": []byte("fake"), + "endpoint": []byte("fake"), + "access": []byte("fake"), + "secret": []byte("fake"), }} *obj = secret return nil @@ -370,10 +370,10 @@ func TestDeleteObject(t *testing.T) { Path(Call("delete object (not found)", func(ctx context.Context, mck Mock) { mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error { secret := corev1.Secret{Data: map[string][]byte{ - "bucket_name": []byte("fake"), - "s3_endpoint": []byte("fake"), - "access_key": []byte("fake"), - "secret_key": []byte("fake"), + "bucket": []byte("fake"), + "endpoint": []byte("fake"), + "access": []byte("fake"), + "secret": []byte("fake"), }} *obj = secret return nil @@ -383,10 +383,10 @@ func TestDeleteObject(t *testing.T) { Path(Call("delete object", func(ctx context.Context, mck Mock) { mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error { secret := corev1.Secret{Data: map[string][]byte{ - "bucket_name": []byte("fake"), - "s3_endpoint": []byte("fake"), - "access_key": []byte("fake"), - "secret_key": []byte("fake"), + "bucket": []byte("fake"), + "endpoint": []byte("fake"), + "access": []byte("fake"), + "secret": []byte("fake"), }} *obj = secret return nil 
diff --git a/docs/src/topics/backups.md b/docs/src/topics/backups.md index 1e2f261c3..c4f6cdd54 100644 --- a/docs/src/topics/backups.md +++ b/docs/src/topics/backups.md @@ -104,8 +104,8 @@ metadata: controller: true uid: data: - access_key: - secret_key: + access: + secret: ``` The secret is owned and managed by CAPL during the life of the `LinodeObjectStorageBucket`. diff --git a/docs/src/topics/cluster-object-store.md b/docs/src/topics/cluster-object-store.md index 99e9edd72..10d325eb5 100644 --- a/docs/src/topics/cluster-object-store.md +++ b/docs/src/topics/cluster-object-store.md @@ -29,12 +29,12 @@ kind: Secret metadata: name: ${CLUSTER_NAME}-object-store-credentials data: - bucket_name: ${BUCKET_NAME} + bucket: ${BUCKET_NAME} # Service endpoint # See: https://docs.aws.amazon.com/general/latest/gr/s3.html - s3_endpoint: ${S3_ENDPOINT} - access_key: ${ACCESS_KEY} - secret_key: ${SECRET_KEY} + endpoint: ${S3_ENDPOINT} + access: ${ACCESS_KEY} + secret: ${SECRET_KEY} ``` Alternatively, the `LinodeObjectStorageBucket` and `LinodeObjectStorageKey` resources can be used: @@ -86,10 +86,10 @@ spec: generatedSecret: type: Opaque format: - bucket_name: '{{ .BucketName }}' - s3_endpoint: '{{ .S3Endpoint }}' - access_key: '{{ .AccessKey }}' - secret_key: '{{ .SecretKey }}' + bucket: '{{ .BucketName }}' + endpoint: '{{ .S3Endpoint }}' + access: '{{ .AccessKey }}' + secret: '{{ .SecretKey }}' ``` ## Capabilities diff --git a/e2e/capl-cluster-flavors/kubeadm-full-capl-cluster/chainsaw-test.yaml b/e2e/capl-cluster-flavors/kubeadm-full-capl-cluster/chainsaw-test.yaml index a9bd85b70..c5832bd5e 100644 --- a/e2e/capl-cluster-flavors/kubeadm-full-capl-cluster/chainsaw-test.yaml +++ b/e2e/capl-cluster-flavors/kubeadm-full-capl-cluster/chainsaw-test.yaml 
@@ -376,8 +376,8 @@ spec: set -e # Getting the keys from the CAPL cluster - access_key=$(KUBECONFIG=$CAPL_KUBECONFIG kubectl get secret $SECRET_NAME -n kube-system -o=jsonpath='{.data.access_key}' | base64 -d) - secret_key=$(KUBECONFIG=$CAPL_KUBECONFIG kubectl get secret $SECRET_NAME -n kube-system -o=jsonpath='{.data.secret_key}' | base64 -d) + access_key=$(KUBECONFIG=$CAPL_KUBECONFIG kubectl get secret $SECRET_NAME -n kube-system -o=jsonpath='{.data.access}' | base64 -d) + secret_key=$(KUBECONFIG=$CAPL_KUBECONFIG kubectl get secret $SECRET_NAME -n kube-system -o=jsonpath='{.data.secret}' | base64 -d) #Storing the keys into a config file cat < .s5cfg diff --git a/e2e/linodemachine-controller/cluster-object-store/assert-key-and-secret.yaml b/e2e/linodemachine-controller/cluster-object-store/assert-key-and-secret.yaml index ccd6fa643..a2490d05d 100644 --- a/e2e/linodemachine-controller/cluster-object-store/assert-key-and-secret.yaml +++ b/e2e/linodemachine-controller/cluster-object-store/assert-key-and-secret.yaml @@ -14,7 +14,7 @@ kind: Secret metadata: name: ($key_secret) data: - (bucket_name != null): true - (s3_endpoint != null): true - (access_key != null): true - (secret_key != null): true + (bucket != null): true + (endpoint != null): true + (access != null): true + (secret != null): true diff --git a/e2e/linodemachine-controller/cluster-object-store/create-linodeobjectstoragekey.yaml b/e2e/linodemachine-controller/cluster-object-store/create-linodeobjectstoragekey.yaml index c2e4bcdad..a4c367a92 100644 --- a/e2e/linodemachine-controller/cluster-object-store/create-linodeobjectstoragekey.yaml +++ b/e2e/linodemachine-controller/cluster-object-store/create-linodeobjectstoragekey.yaml @@ -1,3 +1,4 @@ + apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2 kind: LinodeObjectStorageKey metadata: 
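Review bot: A failed or empty lookup is not caught on the two changed `kubectl get secret … | base64 -d` lines: `set -e` only sees the exit status of `base64`, and a Secret that lacks the renamed `access`/`secret` keys most likely yields an empty string rather than an error, so the script would go on to write blank credentials into `.s5cfg`. After the two assignments I would add `[ -n "$access_key" ] && [ -n "$secret_key" ] || { echo "missing access/secret in $SECRET_NAME" >&2; exit 1; }`, and enable `set -o pipefail` next to `set -e` if the step runs under bash. The script continues past the end of this hunk, so later handling of these values is not visible here.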
@@ -10,7 +11,7 @@ spec: generatedSecret: name: ($key_secret) format: - bucket_name: '{{ .BucketName }}' - s3_endpoint: '{{ .S3Endpoint }}' - access_key: '{{ .AccessKey }}' - secret_key: '{{ .SecretKey }}' + bucket: '{{ .BucketName }}' + endpoint: '{{ .S3Endpoint }}' + access: '{{ .AccessKey }}' + secret: '{{ .SecretKey }}' diff --git a/e2e/linodeobjectstoragekey-controller/custom-secret/assert-key-and-secret.yaml b/e2e/linodeobjectstoragekey-controller/custom-secret/assert-key-and-secret.yaml index 866ed79ee..a211ea9d6 100644 --- a/e2e/linodeobjectstoragekey-controller/custom-secret/assert-key-and-secret.yaml +++ b/e2e/linodeobjectstoragekey-controller/custom-secret/assert-key-and-secret.yaml @@ -12,8 +12,8 @@ status: apiVersion: v1 kind: Secret metadata: - name: ($access_key_secret) + name: ($access_secret) namespace: default data: - (the_access_key != null): true - (the_secret_key != null): true + (the_access != null): true + (the_secret != null): true diff --git a/e2e/linodeobjectstoragekey-controller/custom-secret/chainsaw-test.yaml b/e2e/linodeobjectstoragekey-controller/custom-secret/chainsaw-test.yaml index 1b0f98af3..c746d58bc 100755 --- a/e2e/linodeobjectstoragekey-controller/custom-secret/chainsaw-test.yaml +++ b/e2e/linodeobjectstoragekey-controller/custom-secret/chainsaw-test.yaml @@ -18,7 +18,7 @@ spec: # Format the key name into a valid Kubernetes object name # TODO: This is over-truncated to account for the Kubernetes access key Secret value: (trim((truncate(($run), `52`)), '-')) - - name: access_key_secret + - name: access_secret value: (join('-', [($key), 'custom'])) template: true steps: diff --git a/e2e/linodeobjectstoragekey-controller/custom-secret/check-key-and-secret-deletion.yaml b/e2e/linodeobjectstoragekey-controller/custom-secret/check-key-and-secret-deletion.yaml index 7b03d61e6..20839f86c 100644 --- a/e2e/linodeobjectstoragekey-controller/custom-secret/check-key-and-secret-deletion.yaml 
+++ b/e2e/linodeobjectstoragekey-controller/custom-secret/check-key-and-secret-deletion.yaml @@ -6,5 +6,5 @@ metadata: apiVersion: v1 kind: Secret metadata: - name: ($access_key_secret) + name: ($access_secret) namespace: default \ No newline at end of file diff --git a/e2e/linodeobjectstoragekey-controller/custom-secret/create-linodeobjectstoragekey.yaml b/e2e/linodeobjectstoragekey-controller/custom-secret/create-linodeobjectstoragekey.yaml index b896d2e21..f250275f8 100644 --- a/e2e/linodeobjectstoragekey-controller/custom-secret/create-linodeobjectstoragekey.yaml +++ b/e2e/linodeobjectstoragekey-controller/custom-secret/create-linodeobjectstoragekey.yaml @@ -8,8 +8,8 @@ spec: permissions: read_only region: us-sea generatedSecret: - name: ($access_key_secret) + name: ($access_secret) namespace: default format: - the_access_key: "{{ .AccessKey }}" - the_secret_key: "{{ .SecretKey }}" + the_access: "{{ .AccessKey }}" + the_secret: "{{ .SecretKey }}" diff --git a/e2e/linodeobjectstoragekey-controller/deprecated-secret/assert-key-and-secret.yaml b/e2e/linodeobjectstoragekey-controller/deprecated-secret/assert-key-and-secret.yaml index 866ed79ee..a211ea9d6 100644 --- a/e2e/linodeobjectstoragekey-controller/deprecated-secret/assert-key-and-secret.yaml +++ b/e2e/linodeobjectstoragekey-controller/deprecated-secret/assert-key-and-secret.yaml @@ -12,8 +12,8 @@ status: apiVersion: v1 kind: Secret metadata: - name: ($access_key_secret) + name: ($access_secret) namespace: default data: - (the_access_key != null): true - (the_secret_key != null): true + (the_access != null): true + (the_secret != null): true diff --git a/e2e/linodeobjectstoragekey-controller/deprecated-secret/chainsaw-test.yaml b/e2e/linodeobjectstoragekey-controller/deprecated-secret/chainsaw-test.yaml index 7d7a0a3e8..cb84cdf71 100755 --- a/e2e/linodeobjectstoragekey-controller/deprecated-secret/chainsaw-test.yaml +++ b/e2e/linodeobjectstoragekey-controller/deprecated-secret/chainsaw-test.yaml 
@@ -18,7 +18,7 @@ spec: # Format the key name into a valid Kubernetes object name # TODO: This is over-truncated to account for the Kubernetes access key Secret value: (trim((truncate(($run), `52`)), '-')) - - name: access_key_secret + - name: access_secret value: (join('-', [($key), 'custom'])) template: true steps: diff --git a/e2e/linodeobjectstoragekey-controller/deprecated-secret/check-key-and-secret-deletion.yaml b/e2e/linodeobjectstoragekey-controller/deprecated-secret/check-key-and-secret-deletion.yaml index 7b03d61e6..20839f86c 100644 --- a/e2e/linodeobjectstoragekey-controller/deprecated-secret/check-key-and-secret-deletion.yaml +++ b/e2e/linodeobjectstoragekey-controller/deprecated-secret/check-key-and-secret-deletion.yaml @@ -6,5 +6,5 @@ metadata: apiVersion: v1 kind: Secret metadata: - name: ($access_key_secret) + name: ($access_secret) namespace: default \ No newline at end of file diff --git a/e2e/linodeobjectstoragekey-controller/deprecated-secret/create-linodeobjectstoragekey.yaml b/e2e/linodeobjectstoragekey-controller/deprecated-secret/create-linodeobjectstoragekey.yaml index 58ee27232..79256c010 100644 --- a/e2e/linodeobjectstoragekey-controller/deprecated-secret/create-linodeobjectstoragekey.yaml +++ b/e2e/linodeobjectstoragekey-controller/deprecated-secret/create-linodeobjectstoragekey.yaml @@ -9,8 +9,8 @@ spec: region: us-sea secretType: Opaque secretDataFormat: - the_access_key: "{{ .AccessKey }}" - the_secret_key: "{{ .SecretKey }}" + the_access: "{{ .AccessKey }}" + the_secret: "{{ .SecretKey }}" generatedSecret: - name: ($access_key_secret) + name: ($access_secret) namespace: default diff --git a/e2e/linodeobjectstoragekey-controller/minimal-linodeobjectstoragekey/assert-key-and-secret.yaml b/e2e/linodeobjectstoragekey-controller/minimal-linodeobjectstoragekey/assert-key-and-secret.yaml index 384ce6662..6579fd12e 100644 --- a/e2e/linodeobjectstoragekey-controller/minimal-linodeobjectstoragekey/assert-key-and-secret.yaml 
+++ b/e2e/linodeobjectstoragekey-controller/minimal-linodeobjectstoragekey/assert-key-and-secret.yaml @@ -16,4 +16,4 @@ status: apiVersion: v1 kind: Secret metadata: - name: ($access_key_secret) + name: ($access_secret) diff --git a/e2e/linodeobjectstoragekey-controller/minimal-linodeobjectstoragekey/chainsaw-test.yaml b/e2e/linodeobjectstoragekey-controller/minimal-linodeobjectstoragekey/chainsaw-test.yaml index 1cc040cab..16a8af270 100755 --- a/e2e/linodeobjectstoragekey-controller/minimal-linodeobjectstoragekey/chainsaw-test.yaml +++ b/e2e/linodeobjectstoragekey-controller/minimal-linodeobjectstoragekey/chainsaw-test.yaml @@ -17,7 +17,7 @@ spec: # Format the key name into a valid Kubernetes object name # TODO: This is over-truncated to account for the Kubernetes access key Secret value: (trim((truncate(($run), `52`)), '-')) - - name: access_key_secret + - name: access_secret value: (join('-', [($key), 'obj-key'])) template: true steps: diff --git a/e2e/linodeobjectstoragekey-controller/minimal-linodeobjectstoragekey/check-key-and-secret-deletion.yaml b/e2e/linodeobjectstoragekey-controller/minimal-linodeobjectstoragekey/check-key-and-secret-deletion.yaml index 85f76cb62..be6b2ec35 100644 --- a/e2e/linodeobjectstoragekey-controller/minimal-linodeobjectstoragekey/check-key-and-secret-deletion.yaml +++ b/e2e/linodeobjectstoragekey-controller/minimal-linodeobjectstoragekey/check-key-and-secret-deletion.yaml @@ -6,4 +6,4 @@ metadata: apiVersion: v1 kind: Secret metadata: - name: ($access_key_secret) + name: ($access_secret) diff --git a/internal/controller/linodemachine_controller_helpers_test.go b/internal/controller/linodemachine_controller_helpers_test.go index a041f2527..6a6bd416b 100644 --- a/internal/controller/linodemachine_controller_helpers_test.go +++ b/internal/controller/linodemachine_controller_helpers_test.go 
@@ -165,11 +165,11 @@ https://object.bucket.example.com kMock.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key types.NamespacedName, obj *corev1.Secret, opts ...client.GetOption) error { cred := corev1.Secret{ Data: map[string][]byte{ - "bucket_name": []byte("fake"), + "bucket": []byte("fake"), "bucket_endpoint": []byte("fake.example.com"), "endpoint": []byte("example.com"), - "access_key": []byte("fake"), - "secret_key": []byte("fake"), + "access": []byte("fake"), + "secret": []byte("fake"), }, } *obj = cred @@ -243,11 +243,11 @@ https://object.bucket.example.com kMock.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key types.NamespacedName, obj *corev1.Secret, opts ...client.GetOption) error { cred := corev1.Secret{ Data: map[string][]byte{ - "bucket_name": []byte("fake"), + "bucket": []byte("fake"), "bucket_endpoint": []byte("fake.example.com"), - "s3_endpoint": []byte("example.com"), - "access_key": []byte("fake"), - "secret_key": []byte("fake"), + "endpoint": []byte("example.com"), + "access": []byte("fake"), + "secret": []byte("fake"), }, } *obj = cred diff --git a/internal/controller/linodeobjectstoragekey_controller_test.go b/internal/controller/linodeobjectstoragekey_controller_test.go index 24a828e0c..30122bb4a 100644 --- a/internal/controller/linodeobjectstoragekey_controller_test.go +++ b/internal/controller/linodeobjectstoragekey_controller_test.go 
@@ -138,8 +138,8 @@ var _ = Describe("lifecycle", Ordered, Label("key", "key-lifecycle"), func() { secretKey := client.ObjectKey{Namespace: "default", Name: "lifecycle-obj-key"} Expect(k8sClient.Get(ctx, secretKey, &secret)).To(Succeed()) Expect(secret.Data).To(HaveLen(2)) - Expect(string(secret.Data["access_key"])).To(Equal("access-key-1")) - Expect(string(secret.Data["secret_key"])).To(Equal("secret-key-1")) + Expect(string(secret.Data["access"])).To(Equal("access-key-1")) + Expect(string(secret.Data["secret"])).To(Equal("secret-key-1")) events := mck.Events() Expect(events).To(ContainSubstring("Object storage key assigned")) @@ -193,8 +193,8 @@ var _ = Describe("lifecycle", Ordered, Label("key", "key-lifecycle"), func() { secretKey := client.ObjectKey{Namespace: "default", Name: "lifecycle-obj-key"} Expect(k8sClient.Get(ctx, secretKey, &secret)).To(Succeed()) Expect(secret.Data).To(HaveLen(2)) - Expect(string(secret.Data["access_key"])).To(Equal("access-key-2")) - Expect(string(secret.Data["secret_key"])).To(Equal("secret-key-2")) + Expect(string(secret.Data["access"])).To(Equal("access-key-2")) + Expect(string(secret.Data["secret"])).To(Equal("secret-key-2")) events := mck.Events() Expect(events).To(ContainSubstring("Object storage key assigned")) @@ -242,8 +242,8 @@ var _ = Describe("lifecycle", Ordered, Label("key", "key-lifecycle"), func() { secretKey := client.ObjectKey{Namespace: "default", Name: "lifecycle-obj-key"} Expect(k8sClient.Get(ctx, secretKey, &secret)).To(Succeed()) Expect(secret.Data).To(HaveLen(2)) - Expect(string(secret.Data["access_key"])).To(Equal("access-key-2")) - Expect(string(secret.Data["secret_key"])).To(Equal("secret-key-2")) + Expect(string(secret.Data["access"])).To(Equal("access-key-2")) + Expect(string(secret.Data["secret"])).To(Equal("secret-key-2")) events := mck.Events() Expect(events).To(ContainSubstring("Object storage key retrieved")) 
diff --git a/templates/addons/cluster-object-store/cluster-object-store.yaml b/templates/addons/cluster-object-store/cluster-object-store.yaml index b3e96d718..855c4e28a 100644 --- a/templates/addons/cluster-object-store/cluster-object-store.yaml +++ b/templates/addons/cluster-object-store/cluster-object-store.yaml @@ -36,7 +36,7 @@ spec: generatedSecret: type: Opaque format: - bucket_name: '{{ .BucketName }}' - s3_endpoint: '{{ .S3Endpoint }}' - access_key: '{{ .AccessKey }}' - secret_key: '{{ .SecretKey }}' + bucket: '{{ .BucketName }}' + endpoint: '{{ .S3Endpoint }}' + access: '{{ .AccessKey }}' + secret: '{{ .SecretKey }}' diff --git a/templates/addons/etcd-backup-restore/etcd-backup-restore.yaml b/templates/addons/etcd-backup-restore/etcd-backup-restore.yaml index c47d572c9..36879d3e6 100644 --- a/templates/addons/etcd-backup-restore/etcd-backup-restore.yaml +++ b/templates/addons/etcd-backup-restore/etcd-backup-restore.yaml @@ -52,7 +52,7 @@ data: valueFrom: secretKeyRef: name: ${CLUSTER_NAME}-etcd-backup-obj-key - key: "bucket_name" + key: "bucket" - name: "AWS_ENDPOINT" valueFrom: secretKeyRef: @@ -62,12 +62,12 @@ data: valueFrom: secretKeyRef: name: ${CLUSTER_NAME}-etcd-backup-obj-key - key: "access_key" + key: "access" - name: "AWS_SECRET_ACCESS_KEY" valueFrom: secretKeyRef: name: ${CLUSTER_NAME}-etcd-backup-obj-key - key: "secret_key" + key: "secret" - name: "AWS_SSE_CUSTOMER_KEY" valueFrom: secretKeyRef: @@ -117,7 +117,7 @@ data: valueFrom: secretKeyRef: name: ${CLUSTER_NAME}-etcd-backup-obj-key - key: "bucket_name" + key: "bucket" volumeMounts: - mountPath: ${CERTPATH} name: k8s-certs diff --git a/templates/addons/etcd-backup-restore/linode-obj.yaml b/templates/addons/etcd-backup-restore/linode-obj.yaml index 6bde78a0f..07026d501 100644 --- a/templates/addons/etcd-backup-restore/linode-obj.yaml +++ b/templates/addons/etcd-backup-restore/linode-obj.yaml 
@@ -43,11 +43,11 @@ spec: name: ${CLUSTER_NAME}-etcd-backup-obj-key namespace: kube-system stringData: - bucket_name: ${CLUSTER_NAME}-etcd-backup + bucket: ${CLUSTER_NAME}-etcd-backup bucket_region: ${OBJ_BUCKET_REGION:=${LINODE_REGION}} bucket_endpoint: {{ .BucketEndpoint }} - access_key: {{ .AccessKey }} - secret_key: {{ .SecretKey }} + access: {{ .AccessKey }} + secret: {{ .SecretKey }} --- apiVersion: addons.cluster.x-k8s.io/v1beta1 kind: ClusterResourceSet From 1ef6e2e01239ec18401842c89df8ce449221f3cc Mon Sep 17 00:00:00 2001 From: Ashley Dumaine Date: Thu, 15 May 2025 18:07:54 -0400 Subject: [PATCH 2/2] fix broken upstream link --- docs/src/topics/flavors/flatcar.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/src/topics/flavors/flatcar.md b/docs/src/topics/flavors/flatcar.md index 56298cdc8..12c2fc621 100644 --- a/docs/src/topics/flavors/flatcar.md +++ b/docs/src/topics/flavors/flatcar.md @@ -28,7 +28,7 @@ clusterctl init --infrastructure linode-linode --addon helm Flatcar is not officially provided by Akamai/Linode so it is required to import a Flatcar image. Akamai support is available on Flatcar since the release [4012.0.0][release-4012]: all releases equal or greater than this major release will fit. -To import the image, it is recommended to follow this documentation: https://www.flatcar.org/docs/latest/installing/community-platforms/akamai/#importing-an-image +To import the image, it is recommended to follow this documentation: https://www.flatcar.org/docs/latest/installing/cloud/akamai/#importing-an-image By following this import step, you will get the Flatcar image ID stored into `IMAGE_ID`.
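Review bot: The new `access: {{ .AccessKey }}` and `secret: {{ .SecretKey }}` lines under `stringData:` leave the rendered values unquoted, unlike the `format:` entries elsewhere in this patch (`access: '{{ .AccessKey }}'`). Presumably this block is rendered and then parsed as a Secret manifest; if so, a value that YAML reads as a number or boolean, or that contains `: ` or ` #`, would be retyped or truncated and the Secret would be rejected or hold the wrong credential. Quoting the placeholders, e.g. `access: "{{ .AccessKey }}"` and `secret: "{{ .SecretKey }}"`, avoids that; the unchanged `bucket_endpoint` line has the same form.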