add additional server-side encryption parameters to s3 config section, …

…fix #619
Altinity · Mar 17, 2023 · 551a1e3 · 551a1e3
1 parent 759c234
commit 551a1e3
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 0 deletions.
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -1,3 +1,7 @@
+# v2.3.0
+IMPROVEMENTS
+- add additional server-side encryption parameters to s3 config section, fix [619](https://github.com/AlexAkulov/clickhouse-backup/issues/619)
+
 # v2.2.0
 IMPROVEMENTS
 - switch to go 1.20

diff --git a/ReadMe.md b/ReadMe.md
@@ -461,7 +461,15 @@ s3:
   disable_ssl: false               # S3_DISABLE_SSL
   compression_level: 1             # S3_COMPRESSION_LEVEL
   compression_format: tar          # S3_COMPRESSION_FORMAT, allowed values tar, lz4, bzip2, gzip, sz, xz, brortli, zstd, `none` for upload data part folders as is
+  # look details in https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html
   sse: ""                          # S3_SSE, empty (default), AES256, or aws:kms
+  sse_kms_key_id: ""               # S3_SSE_KMS_KEY_ID, if S3_SSE is aws:kms then specifies the ID of the Amazon Web Services Key Management Service
+  sse_customer_algorithm: ""       # S3_SSE_CUSTOMER_ALGORITHM, Specifies the algorithm to use to when encrypting the object (for example, AES256)
+  sse_customer_key: ""             # S3_SSE_CUSTOMER_KEY, Specifies the customer-provided encryption key for Amazon S3 to use in encrypting data
+  sse_customer_key_md5: ""         # S3_SSE_CUSTOMER_KEY_MD5, Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321.
+  sse_kms_encryption_context: ""   # S3_SSE_KMS_ENCRYPTION_CONTEXT, The value of this header is a base64-encoded UTF-8 string holding JSON with the encryption context key-value pairs.
+                                   # Specifies the Amazon Web Services KMS Encryption Context to use for object
+                                   # encryption. 
   disable_cert_verification: false # S3_DISABLE_CERT_VERIFICATION
   use_custom_storage_class: false  # S3_USE_CUSTOM_STORAGE_CLASS
   storage_class: STANDARD          # S3_STORAGE_CLASS, by default allow only from list https://github.com/aws/aws-sdk-go-v2/blob/main/service/s3/types/enums.go#L787-L799

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -110,6 +110,11 @@ type S3Config struct {
 	CompressionLevel        int               `yaml:"compression_level" envconfig:"S3_COMPRESSION_LEVEL"`
 	CompressionFormat       string            `yaml:"compression_format" envconfig:"S3_COMPRESSION_FORMAT"`
 	SSE                     string            `yaml:"sse" envconfig:"S3_SSE"`
+	SSEKMSKeyId             string            `yaml:"sse_kms_key_id" envconfig:"S3_SSE_KMS_KEY_ID"`
+	SSECustomerAlgorithm    string            `yaml:"sse_customer_algorithm" envconfig:"S3_SSE_CUSTOMER_ALGORITHM"`
+	SSECustomerKey          string            `yaml:"sse_customer_key" envconfig:"S3_SSE_CUSTOMER_KEY"`
+	SSECustomerKeyMD5       string            `yaml:"sse_customer_key_md5" envconfig:"S3_SSE_CUSTOMER_KEY_MD5"`
+	SSEKMSEncryptionContext string            `yaml:"sse_kms_encryption_context" envconfig:"S3_SSE_KMS_ENCRYPTION_CONTEXT"`
 	DisableCertVerification bool              `yaml:"disable_cert_verification" envconfig:"S3_DISABLE_CERT_VERIFICATION"`
 	UseCustomStorageClass   bool              `yaml:"use_custom_storage_class" envconfig:"S3_USE_CUSTOM_STORAGE_CLASS"`
 	StorageClass            string            `yaml:"storage_class" envconfig:"S3_STORAGE_CLASS"`

diff --git a/pkg/storage/s3.go b/pkg/storage/s3.go
@@ -207,6 +207,21 @@ func (s *S3) PutFile(ctx context.Context, key string, r io.ReadCloser) error {
 	if s.Config.SSE != "" {
 		params.ServerSideEncryption = s3types.ServerSideEncryption(s.Config.SSE)
 	}
+	if s.Config.SSEKMSKeyId != "" {
+		params.SSEKMSKeyId = aws.String(s.Config.SSEKMSKeyId)
+	}
+	if s.Config.SSECustomerAlgorithm != "" {
+		params.SSECustomerAlgorithm = aws.String(s.Config.SSECustomerAlgorithm)
+	}
+	if s.Config.SSECustomerKey != "" {
+		params.SSECustomerKey = aws.String(s.Config.SSECustomerKey)
+	}
+	if s.Config.SSECustomerKeyMD5 != "" {
+		params.SSECustomerKeyMD5 = aws.String(s.Config.SSECustomerKeyMD5)
+	}
+	if s.Config.SSEKMSEncryptionContext != "" {
+		params.SSEKMSEncryptionContext = aws.String(s.Config.SSEKMSEncryptionContext)
+	}
 	_, err := s.uploader.Upload(ctx, &params)
 	return err
 }