From 3c58298a8a6c5fc7d778088925680df8b68699d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mert=20G=C3=B6n=C3=BCl?=
Date: Tue, 19 Sep 2023 19:57:37 +0300
Subject: [PATCH] K8SPSMDB-850 - Server Side Encryption Support (#1198)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* K8SPSMDB-850 - Server Side Encryption Support
* fmt
* manifests
* update `cr.yamll`
* update `restore.yaml`
---------
Co-authored-by: Viacheslav Sarzhan
Co-authored-by: Ege Güneş
Co-authored-by: Andrii Dema
---
 ...rcona.com_perconaservermongodbbackups.yaml | 16 +++++++
 ...cona.com_perconaservermongodbrestores.yaml | 16 +++++++
 ...mdb.percona.com_perconaservermongodbs.yaml | 16 +++++++
 deploy/backup/restore.yaml | 5 ++
 deploy/bundle.yaml | 48 +++++++++++++++++++
 deploy/cr.yaml | 5 ++
 deploy/crd.yaml | 48 +++++++++++++++++++
 deploy/cw-bundle.yaml | 48 +++++++++++++++++++
 e2e-tests/version-service/conf/crd.yaml | 48 +++++++++++++++++++
 pkg/apis/psmdb/v1/psmdb_types.go | 20 ++++----
 pkg/apis/psmdb/v1/zz_generated.deepcopy.go | 1 +
 .../perconaservermongodbbackup_controller.go | 9 ++++
 pkg/psmdb/backup/pbm.go | 9 ++++
 13 files changed, 280 insertions(+), 9 deletions(-)
diff --git a/config/crd/bases/psmdb.percona.com_perconaservermongodbbackups.yaml b/config/crd/bases/psmdb.percona.com_perconaservermongodbbackups.yaml
index efd141fe2e..cb1e32fa61 100644
--- a/config/crd/bases/psmdb.percona.com_perconaservermongodbbackups.yaml
+++ b/config/crd/bases/psmdb.percona.com_perconaservermongodbbackups.yaml
@@ -119,6 +119,22 @@ spec:
 type: string
 region:
 type: string
+ serverSideEncryption:
+ properties:
+ kmsKeyID:
+ type: string
+ sseAlgorithm:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ required:
+ - kmsKeyID
+ - sseAlgorithm
+ - sseCustomerAlgorithm
+ - sseCustomerKey
+ type: object
 storageClass:
 type: string
 uploadPartSize:
diff --git a/config/crd/bases/psmdb.percona.com_perconaservermongodbrestores.yaml b/config/crd/bases/psmdb.percona.com_perconaservermongodbrestores.yaml
index c8605f490a..6df14541f0 100644
--- a/config/crd/bases/psmdb.percona.com_perconaservermongodbrestores.yaml
+++ b/config/crd/bases/psmdb.percona.com_perconaservermongodbrestores.yaml
@@ -89,6 +89,22 @@ spec:
 type: string
 region:
 type: string
+ serverSideEncryption:
+ properties:
+ kmsKeyID:
+ type: string
+ sseAlgorithm:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ required:
+ - kmsKeyID
+ - sseAlgorithm
+ - sseCustomerAlgorithm
+ - sseCustomerKey
+ type: object
 storageClass:
 type: string
 uploadPartSize:
diff --git a/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml b/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml
index a847f5ad1d..929aa9c5f7 100644
--- a/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml
+++ b/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml
@@ -258,6 +258,22 @@ spec:
 type: string
 region:
 type: string
+ serverSideEncryption:
+ properties:
+ kmsKeyID:
+ type: string
+ sseAlgorithm:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ required:
+ - kmsKeyID
+ - sseAlgorithm
+ - sseCustomerAlgorithm
+ - sseCustomerKey
+ type: object
 storageClass:
 type: string
 uploadPartSize:
diff --git a/deploy/backup/restore.yaml b/deploy/backup/restore.yaml
index 152435b70e..d50efbe175 100644
--- a/deploy/backup/restore.yaml
+++ b/deploy/backup/restore.yaml
@@ -13,6 +13,11 @@ spec:
 # destination: s3://S3-BACKUP-BUCKET-NAME-HERE/BACKUP-DESTINATION
 # s3:
 # credentialsSecret: my-cluster-name-backup-s3
+# serverSideEncryption:
+# kmsKeyID: 1234abcd-12ab-34cd-56ef-1234567890ab
+# sseAlgorithm: AES256
+# sseCustomerAlgorithm: AES256
+# sseCustomerKey: Y3VzdG9tZXIta2V5
 # region: us-west-2
 # bucket: S3-BACKUP-BUCKET-NAME-HERE
 # endpointUrl: https://s3.us-west-2.amazonaws.com/
diff --git a/deploy/bundle.yaml b/deploy/bundle.yaml
index cdc15b9ac1..c45a0b1eb1 100644
--- a/deploy/bundle.yaml
+++ b/deploy/bundle.yaml
@@ -118,6 +118,22 @@ spec:
 type: string
 region:
 type: string
+ serverSideEncryption:
+ properties:
+ kmsKeyID:
+ type: string
+ sseAlgorithm:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ required:
+ - kmsKeyID
+ - sseAlgorithm
+ - sseCustomerAlgorithm
+ - sseCustomerKey
+ type: object
 storageClass:
 type: string
 uploadPartSize:
@@ -231,6 +247,22 @@ spec:
 type: string
 region:
 type: string
+ serverSideEncryption:
+ properties:
+ kmsKeyID:
+ type: string
+ sseAlgorithm:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ required:
+ - kmsKeyID
+ - sseAlgorithm
+ - sseCustomerAlgorithm
+ - sseCustomerKey
+ type: object
 storageClass:
 type: string
 uploadPartSize:
@@ -863,6 +895,22 @@ spec:
 type: string
 region:
 type: string
+ serverSideEncryption:
+ properties:
+ kmsKeyID:
+ type: string
+ sseAlgorithm:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ required:
+ - kmsKeyID
+ - sseAlgorithm
+ - sseCustomerAlgorithm
+ - sseCustomerKey
+ type: object
 storageClass:
 type: string
 uploadPartSize:
diff --git a/deploy/cr.yaml b/deploy/cr.yaml
index de0620a07c..f7d525ace3 100644
--- a/deploy/cr.yaml
+++ b/deploy/cr.yaml
@@ -517,6 +517,11 @@ spec:
 # s3:
 # bucket: S3-BACKUP-BUCKET-NAME-HERE
 # credentialsSecret: my-cluster-name-backup-s3
+# serverSideEncryption:
+# kmsKeyID: 1234abcd-12ab-34cd-56ef-1234567890ab
+# sseAlgorithm: AES256
+# sseCustomerAlgorithm: AES256
+# sseCustomerKey: Y3VzdG9tZXIta2V5
 # region: us-west-2
 # prefix: ""
 # uploadPartSize: 10485760
diff --git a/deploy/crd.yaml b/deploy/crd.yaml
index 2cbe846781..d90a01d4c7 100644
--- a/deploy/crd.yaml
+++ b/deploy/crd.yaml
@@ -118,6 +118,22 @@ spec:
 type: string
 region:
 type: string
+ serverSideEncryption:
+ properties:
+ kmsKeyID:
+ type: string
+ sseAlgorithm:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ required:
+ - kmsKeyID
+ - sseAlgorithm
+ - sseCustomerAlgorithm
+ - sseCustomerKey
+ type: object
 storageClass:
 type: string
 uploadPartSize:
@@ -231,6 +247,22 @@ spec:
 type: string
 region:
 type: string
+ serverSideEncryption:
+ properties:
+ kmsKeyID:
+ type: string
+ sseAlgorithm:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ required:
+ - kmsKeyID
+ - sseAlgorithm
+ - sseCustomerAlgorithm
+ - sseCustomerKey
+ type: object
 storageClass:
 type: string
 uploadPartSize:
@@ -863,6 +895,22 @@ spec:
 type: string
 region:
 type: string
+ serverSideEncryption:
+ properties:
+ kmsKeyID:
+ type: string
+ sseAlgorithm:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ required:
+ - kmsKeyID
+ - sseAlgorithm
+ - sseCustomerAlgorithm
+ - sseCustomerKey
+ type: object
 storageClass:
 type: string
 uploadPartSize:
diff --git a/deploy/cw-bundle.yaml b/deploy/cw-bundle.yaml
index dfb97eac61..cc1bd279c0 100644
--- a/deploy/cw-bundle.yaml
+++ b/deploy/cw-bundle.yaml
@@ -118,6 +118,22 @@ spec:
 type: string
 region:
 type: string
+ serverSideEncryption:
+ properties:
+ kmsKeyID:
+ type: string
+ sseAlgorithm:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ required:
+ - kmsKeyID
+ - sseAlgorithm
+ - sseCustomerAlgorithm
+ - sseCustomerKey
+ type: object
 storageClass:
 type: string
 uploadPartSize:
@@ -231,6 +247,22 @@ spec:
 type: string
 region:
 type: string
+ serverSideEncryption:
+ properties:
+ kmsKeyID:
+ type: string
+ sseAlgorithm:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ required:
+ - kmsKeyID
+ - sseAlgorithm
+ - sseCustomerAlgorithm
+ - sseCustomerKey
+ type: object
 storageClass:
 type: string
 uploadPartSize:
@@ -863,6 +895,22 @@ spec:
 type: string
 region:
 type: string
+ serverSideEncryption:
+ properties:
+ kmsKeyID:
+ type: string
+ sseAlgorithm:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ required:
+ - kmsKeyID
+ - sseAlgorithm
+ - sseCustomerAlgorithm
+ - sseCustomerKey
+ type: object
 storageClass:
 type: string
 uploadPartSize:
diff --git a/e2e-tests/version-service/conf/crd.yaml b/e2e-tests/version-service/conf/crd.yaml
index 2cbe846781..d90a01d4c7 100644
--- a/e2e-tests/version-service/conf/crd.yaml
+++ b/e2e-tests/version-service/conf/crd.yaml
@@ -118,6 +118,22 @@ spec:
 type: string
 region:
 type: string
+ serverSideEncryption:
+ properties:
+ kmsKeyID:
+ type: string
+ sseAlgorithm:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ required:
+ - kmsKeyID
+ - sseAlgorithm
+ - sseCustomerAlgorithm
+ - sseCustomerKey
+ type: object
 storageClass:
 type: string
 uploadPartSize:
@@ -231,6 +247,22 @@ spec:
 type: string
 region:
 type: string
+ serverSideEncryption:
+ properties:
+ kmsKeyID:
+ type: string
+ sseAlgorithm:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ required:
+ - kmsKeyID
+ - sseAlgorithm
+ - sseCustomerAlgorithm
+ - sseCustomerKey
+ type: object
 storageClass:
 type: string
 uploadPartSize:
@@ -863,6 +895,22 @@ spec:
 type: string
 region:
 type: string
+ serverSideEncryption:
+ properties:
+ kmsKeyID:
+ type: string
+ sseAlgorithm:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ required:
+ - kmsKeyID
+ - sseAlgorithm
+ - sseCustomerAlgorithm
+ - sseCustomerKey
+ type: object
 storageClass:
 type: string
 uploadPartSize:
diff --git a/pkg/apis/psmdb/v1/psmdb_types.go b/pkg/apis/psmdb/v1/psmdb_types.go
index 25c0dba32d..6f4f2a5eb5 100644
--- a/pkg/apis/psmdb/v1/psmdb_types.go
+++ b/pkg/apis/psmdb/v1/psmdb_types.go
@@ -10,6 +10,7 @@ import (
 v "github.com/hashicorp/go-version"
 "github.com/percona/percona-backup-mongodb/pbm"
 "github.com/percona/percona-backup-mongodb/pbm/compress"
+ "github.com/percona/percona-backup-mongodb/pbm/storage/s3"
 "github.com/pkg/errors"
 "gopkg.in/yaml.v2"
 appsv1 "k8s.io/api/apps/v1"
@@ -713,15 +714,16 @@ func (task *BackupTaskSpec) JobName(cr *PerconaServerMongoDB) string {
 }
 type BackupStorageS3Spec struct {
- Bucket string `json:"bucket"`
- Prefix string `json:"prefix,omitempty"`
- Region string `json:"region,omitempty"`
- EndpointURL string `json:"endpointUrl,omitempty"`
- CredentialsSecret string `json:"credentialsSecret,omitempty"`
- UploadPartSize int `json:"uploadPartSize,omitempty"`
- MaxUploadParts int `json:"maxUploadParts,omitempty"`
- StorageClass string `json:"storageClass,omitempty"`
- InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty"`
+ Bucket string `json:"bucket"`
+ Prefix string `json:"prefix,omitempty"`
+ Region string `json:"region,omitempty"`
+ EndpointURL string `json:"endpointUrl,omitempty"`
+ CredentialsSecret string `json:"credentialsSecret,omitempty"`
+ ServerSideEncryption s3.AWSsse `json:"serverSideEncryption,omitempty"`
+ UploadPartSize int `json:"uploadPartSize,omitempty"`
+ MaxUploadParts int `json:"maxUploadParts,omitempty"`
+ StorageClass string `json:"storageClass,omitempty"`
+ InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty"`
 }
 type BackupStorageAzureSpec struct {
diff --git a/pkg/apis/psmdb/v1/zz_generated.deepcopy.go b/pkg/apis/psmdb/v1/zz_generated.deepcopy.go
index 8120ac863a..3e21b3d874 100644
--- a/pkg/apis/psmdb/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/psmdb/v1/zz_generated.deepcopy.go
@@ -106,6 +106,7 @@ func (in *BackupStorageAzureSpec) DeepCopy() *BackupStorageAzureSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BackupStorageS3Spec) DeepCopyInto(out *BackupStorageS3Spec) {
 *out = *in
+ out.ServerSideEncryption = in.ServerSideEncryption
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupStorageS3Spec.
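Review bot: `ServerSideEncryption s3.AWSsse` is a value field, and encoding/json does not honour `omitempty` on struct values, so every serialized `BackupStorageS3Spec` now carries a `serverSideEncryption` object with four empty strings even when the feature is unused; declaring it as `ServerSideEncryption *s3.AWSsse` with the same `json:"serverSideEncryption,omitempty"` tag makes absence representable and lets the `len(...) != 0` checks in the controller and pbm.go hunks become a nil check. The regenerated CRDs in this commit mark all of `kmsKeyID`, `sseAlgorithm`, `sseCustomerAlgorithm` and `sseCustomerKey` as `required`, so a user who wants only the KMS mode is forced to also supply the customer-key fields; that list presumably follows the tags on the upstream `s3.AWSsse` type and may need a local type to relax — worth confirming. `sseCustomerKey` is raw SSE-C key material placed in the CR spec in clear, unlike the neighbouring `credentialsSecret` which references a Secret, so until it is moved the field deserves a doc comment such as `// ServerSideEncryption configures S3 server-side encryption; SseCustomerKey is stored in the CR unencrypted, prefer a Secret reference.`. The commented examples in `deploy/cr.yaml` and `deploy/backup/restore.yaml` set `kmsKeyID`, `sseAlgorithm`, `sseCustomerAlgorithm` and `sseCustomerKey` together, which mixes the KMS and customer-key modes; showing one mode per example would be clearer.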
diff --git a/pkg/controller/perconaservermongodbbackup/perconaservermongodbbackup_controller.go b/pkg/controller/perconaservermongodbbackup/perconaservermongodbbackup_controller.go
index a8f7af8688..3033c585bf 100644
--- a/pkg/controller/perconaservermongodbbackup/perconaservermongodbbackup_controller.go
+++ b/pkg/controller/perconaservermongodbbackup/perconaservermongodbbackup_controller.go
@@ -273,6 +273,15 @@ func (r *ReconcilePerconaServerMongoDBBackup) getPBMStorage(ctx context.Context,
 return nil, errors.Wrap(err, "getting s3 credentials secret name")
 }
+ if len(cr.Status.S3.ServerSideEncryption.SseAlgorithm) != 0 || len(cr.Status.S3.ServerSideEncryption.SseCustomerAlgorithm) != 0 {
+ s3Conf.ServerSideEncryption = &s3.AWSsse{
+ SseAlgorithm: cr.Status.S3.ServerSideEncryption.SseAlgorithm,
+ KmsKeyID: cr.Status.S3.ServerSideEncryption.KmsKeyID,
+ SseCustomerAlgorithm: cr.Status.S3.ServerSideEncryption.SseCustomerAlgorithm,
+ SseCustomerKey: cr.Status.S3.ServerSideEncryption.SseCustomerKey,
+ }
+ }
 s3Conf.Credentials = s3.Credentials{
 AccessKeyID: string(s3secret.Data[backup.AWSAccessKeySecretKey]),
 SecretAccessKey: string(s3secret.Data[backup.AWSSecretAccessKeySecretKey]),
diff --git a/pkg/psmdb/backup/pbm.go b/pkg/psmdb/backup/pbm.go
index 51c13eb64a..e028ec4380 100644
--- a/pkg/psmdb/backup/pbm.go
+++ b/pkg/psmdb/backup/pbm.go
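Review bot: `SseCustomerKey` is read from `cr.Status.S3`, which means the SSE-C key material is copied into every backup object's status and persisted there in clear, readable by anyone who can get those objects; the lines just below already take `AccessKeyID` and `SecretAccessKey` from `s3secret.Data`, so the customer key should be resolved from a Secret the same way rather than carried in spec and status. The condition forwards both `SseAlgorithm` and `SseCustomerAlgorithm` when both are populated although the KMS and customer-key modes are alternatives, so a guard before the assignment, `sse := cr.Status.S3.ServerSideEncryption` then `if len(sse.SseAlgorithm) != 0 && len(sse.SseCustomerAlgorithm) != 0 { return nil, errors.New("serverSideEncryption: sseAlgorithm and sseCustomerAlgorithm are mutually exclusive") }`, gives a clearer error than whatever the storage backend would return. The same nine lines are repeated in the `GetPBMConfig` hunk in `pkg/psmdb/backup/pbm.go`; a shared helper, or if `s3.AWSsse` has only these four fields simply `s3Conf.ServerSideEncryption = &sse`, would avoid copying them by hand in two places. `getPBMStorage` starts before the hunk.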
@@ -242,6 +242,15 @@ func GetPBMConfig(ctx context.Context, k8sclient client.Client, cluster *api.Per
 },
 }
+ if len(stg.S3.ServerSideEncryption.SseAlgorithm) != 0 || len(stg.S3.ServerSideEncryption.SseCustomerAlgorithm) != 0 {
+ conf.Storage.S3.ServerSideEncryption = &s3.AWSsse{
+ SseAlgorithm: stg.S3.ServerSideEncryption.SseAlgorithm,
+ KmsKeyID: stg.S3.ServerSideEncryption.KmsKeyID,
+ SseCustomerAlgorithm: stg.S3.ServerSideEncryption.SseCustomerAlgorithm,
+ SseCustomerKey: stg.S3.ServerSideEncryption.SseCustomerKey,
+ }
+ }
 if len(stg.S3.CredentialsSecret) != 0 {
 s3secret, err := getSecret(ctx, k8sclient, cluster.Namespace, stg.S3.CredentialsSecret)
 if err != nil {