linode · AshleyDumaine · May 16, 2025 · May 15, 2025 · May 15, 2025
diff --git a/cloud/scope/common.go b/cloud/scope/common.go
@@ -127,17 +127,17 @@ func CreateS3Clients(ctx context.Context, crClient clients.K8sClient, cluster in
 
 	// If we have a cluster object store bucket, get its configuration.
 	if cluster.Spec.ObjectStore != nil {
-		secret, err := getCredentials(ctx, crClient, cluster.Spec.ObjectStore.CredentialsRef, cluster.GetNamespace())
+		objSecret, err := getCredentials(ctx, crClient, cluster.Spec.ObjectStore.CredentialsRef, cluster.GetNamespace())
 		if err == nil {
 			var (
-				access_key  = string(secret.Data["access_key"])
-				secret_key  = string(secret.Data["secret_key"])
-				s3_endpoint = string(secret.Data["s3_endpoint"])
+				access   = string(objSecret.Data["access"])
+				secret   = string(objSecret.Data["secret"])
+				endpoint = string(objSecret.Data["endpoint"])
 			)
 
-			configOpts = append(configOpts, awsconfig.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(access_key, secret_key, "")))
+			configOpts = append(configOpts, awsconfig.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(access, secret, "")))
 			clientOpts = append(clientOpts, func(opts *s3.Options) {
-				opts.BaseEndpoint = aws.String(s3_endpoint)
+				opts.BaseEndpoint = aws.String(endpoint)
 			})
 		}
 	}

diff --git a/cloud/scope/machine.go b/cloud/scope/machine.go
@@ -145,7 +145,7 @@
 		return "", errors.New("no cluster object store")
 	}
 
-	name, err := getCredentialDataFromRef(ctx, m.Client, m.LinodeCluster.Spec.ObjectStore.CredentialsRef, m.LinodeCluster.GetNamespace(), "bucket_name")
+	name, err := getCredentialDataFromRef(ctx, m.Client, m.LinodeCluster.Spec.ObjectStore.CredentialsRef, m.LinodeCluster.GetNamespace(), "bucket")
 	if err != nil {
 		return "", fmt.Errorf("get bucket name: %w", err)
 	}

diff --git a/cloud/scope/machine_test.go b/cloud/scope/machine_test.go
@@ -268,10 +268,10 @@ func TestNewMachineScope(t *testing.T) {
 				Call("cluster object store used", func(ctx context.Context, mck Mock) {
 					mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error {
 						secret := corev1.Secret{Data: map[string][]byte{
-							"bucket_name": []byte("fake"),
-							"s3_endpoint": []byte("fake"),
-							"access_key":  []byte("fake"),
-							"secret_key":  []byte("fake"),
+							"bucket":   []byte("fake"),
+							"endpoint": []byte("fake"),
+							"access":   []byte("fake"),
+							"secret":   []byte("fake"),
 						}}
 						*obj = secret
 						return nil

diff --git a/cloud/scope/object_storage_key.go b/cloud/scope/object_storage_key.go
@@ -105,8 +105,8 @@ func (s *ObjectStorageKeyScope) GenerateKeySecret(ctx context.Context, key *lino
 
 	if len(s.Key.Spec.Format) == 0 {
 		secretStringData = map[string]string{
-			"access_key": key.AccessKey,
-			"secret_key": key.SecretKey,
+			"access": key.AccessKey,
+			"secret": key.SecretKey,
 		}
 	} else {
 		// This should never run since the CRD has a validation marker to ensure bucketAccess has at least one item.

diff --git a/cloud/scope/object_storage_key_test.go b/cloud/scope/object_storage_key_test.go
@@ -267,8 +267,8 @@ func TestGenerateKeySecret(t *testing.T) {
 			key: &linodego.ObjectStorageKey{
 				ID:        1,
 				Label:     "test-key",
-				AccessKey: "access_key",
-				SecretKey: "secret_key",
+				AccessKey: "access",
+				SecretKey: "secret",
 				BucketAccess: &[]linodego.ObjectStorageKeyBucketAccess{
 					{
 						BucketName:  "bucket",
@@ -285,8 +285,8 @@ func TestGenerateKeySecret(t *testing.T) {
 				}).Times(1)
 			},
 			expectedData: map[string]string{
-				"access_key": "access_key",
-				"secret_key": "secret_key",
+				"access": "access",
+				"secret": "secret",
 			},
 			expectedErr: nil,
 		},
@@ -317,8 +317,8 @@ func TestGenerateKeySecret(t *testing.T) {
 			key: &linodego.ObjectStorageKey{
 				ID:        1,
 				Label:     "test-key",
-				AccessKey: "access_key",
-				SecretKey: "secret_key",
+				AccessKey: "access",
+				SecretKey: "secret",
 				BucketAccess: &[]linodego.ObjectStorageKeyBucketAccess{
 					{
 						BucketName:  "bucket",
@@ -364,8 +364,8 @@ func TestGenerateKeySecret(t *testing.T) {
 			key: &linodego.ObjectStorageKey{
 				ID:        1,
 				Label:     "test-key",
-				AccessKey: "access_key",
-				SecretKey: "secret_key",
+				AccessKey: "access",
+				SecretKey: "secret",
 				BucketAccess: &[]linodego.ObjectStorageKeyBucketAccess{
 					{
 						BucketName:  "bucket",
@@ -389,7 +389,7 @@ func TestGenerateKeySecret(t *testing.T) {
 				}, nil)
 			},
 			expectedData: map[string]string{
-				"key": "access_key,secret_key,hostname",
+				"key": "access,secret,hostname",
 			},
 			expectedErr: nil,
 		},
@@ -421,8 +421,8 @@ func TestGenerateKeySecret(t *testing.T) {
 			key: &linodego.ObjectStorageKey{
 				ID:        1,
 				Label:     "test-key",
-				AccessKey: "access_key",
-				SecretKey: "secret_key",
+				AccessKey: "access",
+				SecretKey: "secret",
 				BucketAccess: &[]linodego.ObjectStorageKeyBucketAccess{
 					{
 						BucketName:  "bucket",
@@ -457,8 +457,8 @@ func TestGenerateKeySecret(t *testing.T) {
 			key: &linodego.ObjectStorageKey{
 				ID:        1,
 				Label:     "test-key",
-				AccessKey: "access_key",
-				SecretKey: "secret_key",
+				AccessKey: "access",
+				SecretKey: "secret",
 				BucketAccess: &[]linodego.ObjectStorageKeyBucketAccess{
 					{
 						BucketName:  "bucket",
@@ -496,8 +496,8 @@ func TestGenerateKeySecret(t *testing.T) {
 			key: &linodego.ObjectStorageKey{
 				ID:        1,
 				Label:     "test-key",
-				AccessKey: "access_key",
-				SecretKey: "secret_key",
+				AccessKey: "access",
+				SecretKey: "secret",
 				BucketAccess: &[]linodego.ObjectStorageKeyBucketAccess{
 					{
 						BucketName:  "bucket",

diff --git a/cloud/services/object_storage_objects_test.go b/cloud/services/object_storage_objects_test.go
@@ -80,10 +80,10 @@ func TestCreateObject(t *testing.T) {
 				Call("empty bucket name", func(ctx context.Context, mck Mock) {
 					mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error {
 						secret := corev1.Secret{Data: map[string][]byte{
-							"bucket_name": nil,
-							"s3_endpoint": []byte("fake"),
-							"access_key":  []byte("fake"),
-							"secret_key":  []byte("fake"),
+							"bucket":   nil,
+							"endpoint": []byte("fake"),
+							"access":   []byte("fake"),
+							"secret":   []byte("fake"),
 						}}
 						*obj = secret
 						return nil
@@ -108,10 +108,10 @@ func TestCreateObject(t *testing.T) {
 				Call("fail to put object", func(ctx context.Context, mck Mock) {
 					mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error {
 						secret := corev1.Secret{Data: map[string][]byte{
-							"bucket_name": []byte("fake"),
-							"s3_endpoint": []byte("fake"),
-							"access_key":  []byte("fake"),
-							"secret_key":  []byte("fake"),
+							"bucket":   []byte("fake"),
+							"endpoint": []byte("fake"),
+							"access":   []byte("fake"),
+							"secret":   []byte("fake"),
 						}}
 						*obj = secret
 						return nil
@@ -137,10 +137,10 @@ func TestCreateObject(t *testing.T) {
 				Call("fail to generate presigned url", func(ctx context.Context, mck Mock) {
 					mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error {
 						secret := corev1.Secret{Data: map[string][]byte{
-							"bucket_name": []byte("fake"),
-							"s3_endpoint": []byte("fake"),
-							"access_key":  []byte("fake"),
-							"secret_key":  []byte("fake"),
+							"bucket":   []byte("fake"),
+							"endpoint": []byte("fake"),
+							"access":   []byte("fake"),
+							"secret":   []byte("fake"),
 						}}
 						*obj = secret
 						return nil
@@ -167,10 +167,10 @@ func TestCreateObject(t *testing.T) {
 				Call("create object", func(ctx context.Context, mck Mock) {
 					mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error {
 						secret := corev1.Secret{Data: map[string][]byte{
-							"bucket_name": []byte("fake"),
-							"s3_endpoint": []byte("fake"),
-							"access_key":  []byte("fake"),
-							"secret_key":  []byte("fake"),
+							"bucket":   []byte("fake"),
+							"endpoint": []byte("fake"),
+							"access":   []byte("fake"),
+							"secret":   []byte("fake"),
 						}}
 						*obj = secret
 						return nil
@@ -256,10 +256,10 @@ func TestDeleteObject(t *testing.T) {
 				Call("empty bucket name", func(ctx context.Context, mck Mock) {
 					mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error {
 						secret := corev1.Secret{Data: map[string][]byte{
-							"bucket_name": nil,
-							"s3_endpoint": []byte("fake"),
-							"access_key":  []byte("fake"),
-							"secret_key":  []byte("fake"),
+							"bucket":   nil,
+							"endpoint": []byte("fake"),
+							"access":   []byte("fake"),
+							"secret":   []byte("fake"),
 						}}
 						*obj = secret
 						return nil
@@ -284,10 +284,10 @@ func TestDeleteObject(t *testing.T) {
 				Call("fail to head object", func(ctx context.Context, mck Mock) {
 					mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error {
 						secret := corev1.Secret{Data: map[string][]byte{
-							"bucket_name": []byte("fake"),
-							"s3_endpoint": []byte("fake"),
-							"access_key":  []byte("fake"),
-							"secret_key":  []byte("fake"),
+							"bucket":   []byte("fake"),
+							"endpoint": []byte("fake"),
+							"access":   []byte("fake"),
+							"secret":   []byte("fake"),
 						}}
 						*obj = secret
 						return nil
@@ -313,10 +313,10 @@ func TestDeleteObject(t *testing.T) {
 				Call("fail to delete object", func(ctx context.Context, mck Mock) {
 					mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error {
 						secret := corev1.Secret{Data: map[string][]byte{
-							"bucket_name": []byte("fake"),
-							"s3_endpoint": []byte("fake"),
-							"access_key":  []byte("fake"),
-							"secret_key":  []byte("fake"),
+							"bucket":   []byte("fake"),
+							"endpoint": []byte("fake"),
+							"access":   []byte("fake"),
+							"secret":   []byte("fake"),
 						}}
 						*obj = secret
 						return nil
@@ -344,10 +344,10 @@ func TestDeleteObject(t *testing.T) {
 					Path(Call("delete object (no such key)", func(ctx context.Context, mck Mock) {
 						mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error {
 							secret := corev1.Secret{Data: map[string][]byte{
-								"bucket_name": []byte("fake"),
-								"s3_endpoint": []byte("fake"),
-								"access_key":  []byte("fake"),
-								"secret_key":  []byte("fake"),
+								"bucket":   []byte("fake"),
+								"endpoint": []byte("fake"),
+								"access":   []byte("fake"),
+								"secret":   []byte("fake"),
 							}}
 							*obj = secret
 							return nil
@@ -357,10 +357,10 @@ func TestDeleteObject(t *testing.T) {
 					Path(Call("delete object (no such bucket)", func(ctx context.Context, mck Mock) {
 						mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error {
 							secret := corev1.Secret{Data: map[string][]byte{
-								"bucket_name": []byte("fake"),
-								"s3_endpoint": []byte("fake"),
-								"access_key":  []byte("fake"),
-								"secret_key":  []byte("fake"),
+								"bucket":   []byte("fake"),
+								"endpoint": []byte("fake"),
+								"access":   []byte("fake"),
+								"secret":   []byte("fake"),
 							}}
 							*obj = secret
 							return nil
@@ -370,10 +370,10 @@ func TestDeleteObject(t *testing.T) {
 					Path(Call("delete object (not found)", func(ctx context.Context, mck Mock) {
 						mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error {
 							secret := corev1.Secret{Data: map[string][]byte{
-								"bucket_name": []byte("fake"),
-								"s3_endpoint": []byte("fake"),
-								"access_key":  []byte("fake"),
-								"secret_key":  []byte("fake"),
+								"bucket":   []byte("fake"),
+								"endpoint": []byte("fake"),
+								"access":   []byte("fake"),
+								"secret":   []byte("fake"),
 							}}
 							*obj = secret
 							return nil
@@ -383,10 +383,10 @@ func TestDeleteObject(t *testing.T) {
 					Path(Call("delete object", func(ctx context.Context, mck Mock) {
 						mck.K8sClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(ctx context.Context, key client.ObjectKey, obj *corev1.Secret, opts ...client.GetOption) error {
 							secret := corev1.Secret{Data: map[string][]byte{
-								"bucket_name": []byte("fake"),
-								"s3_endpoint": []byte("fake"),
-								"access_key":  []byte("fake"),
-								"secret_key":  []byte("fake"),
+								"bucket":   []byte("fake"),
+								"endpoint": []byte("fake"),
+								"access":   []byte("fake"),
+								"secret":   []byte("fake"),
 							}}
 							*obj = secret
 							return nil

diff --git a/docs/src/topics/backups.md b/docs/src/topics/backups.md
@@ -104,8 +104,8 @@ metadata:
       controller: true
       uid: <unique-uid>
 data:
-  access_key: <base64-encoded-access-key>
-  secret_key: <base64-encoded-secret-key>
+  access: <base64-encoded-access-key>
+  secret: <base64-encoded-secret-key>
 ```
 
 The secret is owned and managed by CAPL during the life of the `LinodeObjectStorageBucket`.

diff --git a/docs/src/topics/cluster-object-store.md b/docs/src/topics/cluster-object-store.md
@@ -29,12 +29,12 @@ kind: Secret
 metadata:
   name: ${CLUSTER_NAME}-object-store-credentials
 data:
-  bucket_name: ${BUCKET_NAME}
+  bucket: ${BUCKET_NAME}
   # Service endpoint
   # See: https://docs.aws.amazon.com/general/latest/gr/s3.html
-  s3_endpoint: ${S3_ENDPOINT}
-  access_key: ${ACCESS_KEY}
-  secret_key: ${SECRET_KEY}
+  endpoint: ${S3_ENDPOINT}
+  access: ${ACCESS_KEY}
+  secret: ${SECRET_KEY}
 ```
 
 Alternatively, the `LinodeObjectStorageBucket` and `LinodeObjectStorageKey` resources can be used:
@@ -86,10 +86,10 @@ spec:
     generatedSecret:
         type: Opaque
         format:
-            bucket_name: '{{ .BucketName }}'
-            s3_endpoint: '{{ .S3Endpoint }}'
-            access_key: '{{ .AccessKey }}'
-            secret_key: '{{ .SecretKey }}'
+            bucket: '{{ .BucketName }}'
+            endpoint: '{{ .S3Endpoint }}'
+            access: '{{ .AccessKey }}'
+            secret: '{{ .SecretKey }}'
 ```
 
 ## Capabilities

diff --git a/docs/src/topics/flavors/flatcar.md b/docs/src/topics/flavors/flatcar.md
@@ -28,7 +28,7 @@ clusterctl init --infrastructure linode-linode --addon helm
 
 Flatcar is not officially provided by Akamai/Linode so it is required to import a Flatcar image. Akamai support is available on Flatcar since the release [4012.0.0][release-4012]: all releases equal or greater than this major release will fit.
 
-To import the image, it is recommended to follow this documentation: https://www.flatcar.org/docs/latest/installing/community-platforms/akamai/#importing-an-image
+To import the image, it is recommended to follow this documentation: https://www.flatcar.org/docs/latest/installing/cloud/akamai/#importing-an-image
 
 By following this import step, you will get the Flatcar image ID stored into `IMAGE_ID`.
 

diff --git a/e2e/capl-cluster-flavors/kubeadm-full-capl-cluster/chainsaw-test.yaml b/e2e/capl-cluster-flavors/kubeadm-full-capl-cluster/chainsaw-test.yaml
@@ -376,8 +376,8 @@ spec:
               set -e
 
               # Getting the keys from the CAPL cluster
-              access_key=$(KUBECONFIG=$CAPL_KUBECONFIG kubectl get secret $SECRET_NAME -n kube-system -o=jsonpath='{.data.access_key}' | base64 -d)
-              secret_key=$(KUBECONFIG=$CAPL_KUBECONFIG kubectl get secret $SECRET_NAME -n kube-system -o=jsonpath='{.data.secret_key}' | base64 -d)
+              access_key=$(KUBECONFIG=$CAPL_KUBECONFIG kubectl get secret $SECRET_NAME -n kube-system -o=jsonpath='{.data.access}' | base64 -d)
+              secret_key=$(KUBECONFIG=$CAPL_KUBECONFIG kubectl get secret $SECRET_NAME -n kube-system -o=jsonpath='{.data.secret}' | base64 -d)
 
               #Storing the keys into a config file
               cat <<EOL > .s5cfg

diff --git a/e2e/linodemachine-controller/cluster-object-store/assert-key-and-secret.yaml b/e2e/linodemachine-controller/cluster-object-store/assert-key-and-secret.yaml
@@ -14,7 +14,7 @@ kind: Secret
 metadata:
   name: ($key_secret)
 data:
-  (bucket_name != null): true
-  (s3_endpoint != null): true
-  (access_key != null): true
-  (secret_key != null): true
+  (bucket != null): true
+  (endpoint != null): true
+  (access != null): true
+  (secret != null): true