-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adds SSE-KMS and SSE-C config to S3 Objstore #3064
Merged
Merged
Changes from 12 commits
Commits
Show all changes
13 commits
Select commit
Hold shift + click to select a range
70ac68a
Adds SSE config to S3 Objstore
jalev 4b70610
Document sse_config block in storage.md
jalev 666be08
run make docs
jalev 16c2832
Add SSE config options to changelog
jalev 104c7a4
Update changelog
jalev 9608dc1
Define explicit SSE 'Type'
jalev 370466e
Update docs again for real
jalev e7a5408
Fix bad logic for SSE-KMS
jalev 81d03e8
Adds example policy for KMS documentation
jalev 1c8efe2
Changes SSE strings into constants
jalev 0b2d3a3
Make SSE error message prettier
jalev 9079289
Export consant with comments
jalev 2c52cc2
Group consts in pkg/s3
jalev File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -9,6 +9,7 @@ import ( | |
"crypto/tls" | ||
"fmt" | ||
"io" | ||
"io/ioutil" | ||
"net" | ||
"net/http" | ||
"os" | ||
|
@@ -34,6 +35,15 @@ import ( | |
// DirDelim is the delimiter used to model a directory structure in an object store bucket. | ||
const DirDelim = "/" | ||
|
||
// SSEKMS is the name of the SSE-KMS method for objectstore encryption. | ||
const SSEKMS = "SSE-KMS" | ||
jalev marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
// SSEC is the name of the SSE-C method for objstore encryption. | ||
const SSEC = "SSE-C" | ||
|
||
// SSES3 is the name of the SSE-S3 method for objstore encryption. | ||
const SSES3 = "SSE-S3" | ||
|
||
var DefaultConfig = Config{ | ||
PutUserMetadata: map[string]string{}, | ||
HTTPConfig: HTTPConfig{ | ||
|
@@ -53,13 +63,22 @@ type Config struct { | |
AccessKey string `yaml:"access_key"` | ||
Insecure bool `yaml:"insecure"` | ||
SignatureV2 bool `yaml:"signature_version2"` | ||
SSEEncryption bool `yaml:"encrypt_sse"` | ||
SecretKey string `yaml:"secret_key"` | ||
PutUserMetadata map[string]string `yaml:"put_user_metadata"` | ||
HTTPConfig HTTPConfig `yaml:"http_config"` | ||
TraceConfig TraceConfig `yaml:"trace"` | ||
// PartSize used for multipart upload. Only used if uploaded object size is known and larger than configured PartSize. | ||
PartSize uint64 `yaml:"part_size"` | ||
PartSize uint64 `yaml:"part_size"` | ||
SSEConfig SSEConfig `yaml:"sse_config"` | ||
} | ||
|
||
// SSEConfig deals with the configuration of SSE for Minio. The following options are valid: | ||
// kmsencryptioncontext == https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html#s3-encryption-context | ||
type SSEConfig struct { | ||
Type string `yaml:"type"` | ||
KMSKeyID string `yaml:"kms_key_id"` | ||
KMSEncryptionContext map[string]string `yaml:"kms_encryption_context"` | ||
EncryptionKey string `yaml:"encryption_key"` | ||
} | ||
|
||
type TraceConfig struct { | ||
|
@@ -173,8 +192,32 @@ func NewBucketWithConfig(logger log.Logger, config Config, component string) (*B | |
client.SetAppInfo(fmt.Sprintf("thanos-%s", component), fmt.Sprintf("%s (%s)", version.Version, runtime.Version())) | ||
|
||
var sse encrypt.ServerSide | ||
if config.SSEEncryption { | ||
sse = encrypt.NewSSE() | ||
if config.SSEConfig.Type != "" { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Instead of this we can have just empty case for Not a blocker (: |
||
switch config.SSEConfig.Type { | ||
case SSEKMS: | ||
sse, err = encrypt.NewSSEKMS(config.SSEConfig.KMSKeyID, config.SSEConfig.KMSEncryptionContext) | ||
if err != nil { | ||
return nil, errors.Wrap(err, "initialize s3 client SSE-KMS") | ||
} | ||
|
||
case SSEC: | ||
key, err := ioutil.ReadFile(config.SSEConfig.EncryptionKey) | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
sse, err = encrypt.NewSSEC(key) | ||
if err != nil { | ||
return nil, errors.Wrap(err, "initialize s3 client SSE-C") | ||
} | ||
|
||
case SSES3: | ||
sse = encrypt.NewSSE() | ||
|
||
default: | ||
sseErrMsg := errors.Errorf("Unsupported type %q was provided. Supported types are SSE-S3, SSE-KMS, SSE-C", config.SSEConfig.Type) | ||
return nil, errors.Wrap(sseErrMsg, "Initialize s3 client SSE Config") | ||
} | ||
} | ||
|
||
if config.TraceConfig.Enable { | ||
|
@@ -211,6 +254,15 @@ func validate(conf Config) error { | |
if conf.AccessKey != "" && conf.SecretKey == "" { | ||
return errors.New("no s3 secret_key specified while access_key is present in config file; either both should be present in config or envvars/IAM should be used.") | ||
} | ||
|
||
if conf.SSEConfig.Type == SSEC && conf.SSEConfig.EncryptionKey == "" { | ||
return errors.New("encryption_key must be set if sse_config.type is set to 'SSE-C'") | ||
} | ||
|
||
if conf.SSEConfig.Type == SSEKMS && conf.SSEConfig.KMSKeyID == "" { | ||
return errors.New("kms_key_id must be set if sse_config.type is set to 'SSE-KMS'") | ||
} | ||
|
||
return nil | ||
} | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍