Merge pull request #2791 from AliyunContainerService/support-oss-byok

Support BYOK for OSS storage driver
distribution · Jan 17, 2019 · b75069e · b75069e
2 parents b1fd12d + b783921
commit b75069e
Show file tree

Hide file tree

Showing 16 changed files with 1,216 additions and 108 deletions.
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -147,7 +147,8 @@ storage:
     endpoint: optional endpoints
     internal: optional internal endpoint
     bucket: OSS bucket
-    encrypt: optional data encryption setting
+    encrypt: optional enable server-side encryption
+    encryptionkeyid: optional KMS key id for encryption
     secure: optional ssl setting
     chunksize: optional size valye
     rootdirectory: optional root directory
@@ -447,7 +448,8 @@ storage:
     endpoint: optional endpoints
     internal: optional internal endpoint
     bucket: OSS bucket
-    encrypt: optional data encryption setting
+    encrypt: optional enable server-side encryption
+    encryptionkeyid: optional KMS key id for encryption
     secure: optional ssl setting
     chunksize: optional size valye
     rootdirectory: optional root directory

diff --git a/registry/storage/driver/oss/oss.go b/registry/storage/driver/oss/oss.go
@@ -54,6 +54,7 @@ type DriverParameters struct {
 	ChunkSize       int64
 	RootDirectory   string
 	Endpoint        string
+	EncryptionKeyID string
 }
 
 func init() {
@@ -68,11 +69,12 @@ func (factory *ossDriverFactory) Create(parameters map[string]interface{}) (stor
 }
 
 type driver struct {
-	Client        *oss.Client
-	Bucket        *oss.Bucket
-	ChunkSize     int64
-	Encrypt       bool
-	RootDirectory string
+	Client          *oss.Client
+	Bucket          *oss.Bucket
+	ChunkSize       int64
+	Encrypt         bool
+	RootDirectory   string
+	EncryptionKeyID string
 }
 
 type baseEmbed struct {
@@ -132,6 +134,11 @@ func FromParameters(parameters map[string]interface{}) (*Driver, error) {
 		}
 	}
 
+	encryptionKeyID, ok := parameters["encryptionkeyid"]
+	if !ok {
+		encryptionKeyID = ""
+	}
+
 	secureBool := true
 	secure, ok := parameters["secure"]
 	if ok {
@@ -185,6 +192,7 @@ func FromParameters(parameters map[string]interface{}) (*Driver, error) {
 		Secure:          secureBool,
 		Internal:        internalBool,
 		Endpoint:        fmt.Sprint(endpoint),
+		EncryptionKeyID: fmt.Sprint(encryptionKeyID),
 	}
 
 	return New(params)
@@ -209,11 +217,12 @@ func New(params DriverParameters) (*Driver, error) {
 	// if you initiated a new OSS client while another one is running on the same bucket.
 
 	d := &driver{
-		Client:        client,
-		Bucket:        bucket,
-		ChunkSize:     params.ChunkSize,
-		Encrypt:       params.Encrypt,
-		RootDirectory: params.RootDirectory,
+		Client:          client,
+		Bucket:          bucket,
+		ChunkSize:       params.ChunkSize,
+		Encrypt:         params.Encrypt,
+		RootDirectory:   params.RootDirectory,
+		EncryptionKeyID: params.EncryptionKeyID,
 	}
 
 	return &Driver{
@@ -403,7 +412,7 @@ func (d *driver) Move(ctx context.Context, sourcePath string, destPath string) e
 	err := d.Bucket.CopyLargeFileInParallel(d.ossPath(sourcePath), d.ossPath(destPath),
 		d.getContentType(),
 		getPermissions(),
-		oss.Options{},
+		d.getOptions(),
 		maxConcurrency)
 	if err != nil {
 		logrus.Errorf("Failed for move from %s to %s: %v", d.ossPath(sourcePath), d.ossPath(destPath), err)
@@ -503,7 +512,17 @@ func hasCode(err error, code string) bool {
 }
 
 func (d *driver) getOptions() oss.Options {
-	return oss.Options{ServerSideEncryption: d.Encrypt}
+	return oss.Options{
+		ServerSideEncryption:      d.Encrypt,
+		ServerSideEncryptionKeyID: d.EncryptionKeyID,
+	}
+}
+
+func (d *driver) getCopyOptions() oss.CopyOptions {
+	return oss.CopyOptions{
+		ServerSideEncryption:      d.Encrypt,
+		ServerSideEncryptionKeyID: d.EncryptionKeyID,
+	}
 }
 
 func getPermissions() oss.ACL {
@@ -580,7 +599,7 @@ func (w *writer) Write(p []byte) (int, error) {
 			w.readyPart = contents
 		} else {
 			// Otherwise we can use the old file as the new first part
-			_, part, err := multi.PutPartCopy(1, oss.CopyOptions{}, w.driver.Bucket.Name+"/"+w.key)
+			_, part, err := multi.PutPartCopy(1, w.driver.getCopyOptions(), w.driver.Bucket.Name+"/"+w.key)
 			if err != nil {
 				return 0, err
 			}

diff --git a/registry/storage/driver/oss/oss_test.go b/registry/storage/driver/oss/oss_test.go
@@ -31,6 +31,7 @@ func init() {
 	encrypt := os.Getenv("OSS_ENCRYPT")
 	secure := os.Getenv("OSS_SECURE")
 	endpoint := os.Getenv("OSS_ENDPOINT")
+	encryptionKeyID := os.Getenv("OSS_ENCRYPTIONKEYID")
 	root, err := ioutil.TempDir("", "driver-")
 	if err != nil {
 		panic(err)
@@ -73,6 +74,7 @@ func init() {
 			Encrypt:         encryptBool,
 			Secure:          secureBool,
 			Endpoint:        endpoint,
+			EncryptionKeyID: encryptionKeyID,
 		}
 
 		return New(parameters)

diff --git a/vendor.conf b/vendor.conf
@@ -7,7 +7,7 @@ github.com/beorn7/perks 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9
 github.com/bugsnag/bugsnag-go b1d153021fcd90ca3f080db36bec96dc690fb274
 github.com/bugsnag/osext 0dd3f918b21bec95ace9dc86c7e70266cfc5c702
 github.com/bugsnag/panicwrap e2c28503fcd0675329da73bf48b33404db873782
-github.com/denverdino/aliyungo afedced274aa9a7fcdd47ac97018f0f8db4e5de2
+github.com/denverdino/aliyungo 6df11717a253d9c7d4141f9af4deaa7c580cd531
 github.com/dgrijalva/jwt-go a601269ab70c205d26370c16f7c81e9017c14e04
 github.com/docker/go-metrics 399ea8c73916000c64c2c76e8da00ca82f8387ab
 github.com/docker/libtrust fa567046d9b14f6aa788882a950d69651d230b21

diff --git a/vendor/github.com/denverdino/aliyungo/README.md b/vendor/github.com/denverdino/aliyungo/README.md