From da4007bf4ef84566b5814f5bae61f75a1222867f Mon Sep 17 00:00:00 2001
From: Mert
Date: Mon, 27 Mar 2023 13:01:55 +0300
Subject: [PATCH 1/5] K8SPSMDB-850 - Server Side Encryption Support

---
 deploy/crd.yaml | 33 +++++++++++++++++++
 pkg/apis/psmdb/v1/psmdb_types.go | 2 ++
 .../perconaservermongodbbackup_controller.go | 9 +++++
 pkg/psmdb/backup/pbm.go | 9 +++++
 4 files changed, 53 insertions(+)

diff --git a/deploy/crd.yaml b/deploy/crd.yaml
index f325fbe59c..c148b80561 100644
--- a/deploy/crd.yaml
+++ b/deploy/crd.yaml
@@ -112,6 +112,17 @@ spec:
 type: string
 insecureSkipTLSVerify:
 type: boolean
+ serverSideEncryption:
+ properties:
+ sseAlgorithm:
+ type: string
+ kmsKeyID:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ type: object
 maxUploadParts:
 type: integer
 prefix:
@@ -225,6 +236,17 @@ spec:
 type: string
 insecureSkipTLSVerify:
 type: boolean
+ serverSideEncryption:
+ properties:
+ sseAlgorithm:
+ type: string
+ kmsKeyID:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ type: object
 maxUploadParts:
 type: integer
 prefix:
@@ -853,6 +875,17 @@ spec:
 type: string
 insecureSkipTLSVerify:
 type: boolean
+ serverSideEncryption:
+ properties:
+ sseAlgorithm:
+ type: string
+ kmsKeyID:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ type: object
 maxUploadParts:
 type: integer
 prefix:
diff --git a/pkg/apis/psmdb/v1/psmdb_types.go b/pkg/apis/psmdb/v1/psmdb_types.go
index ad262df31e..cdcaa569d9 100644
--- a/pkg/apis/psmdb/v1/psmdb_types.go
+++ b/pkg/apis/psmdb/v1/psmdb_types.go
@@ -12,6 +12,7 @@ import (
 v "github.com/hashicorp/go-version"
 "github.com/percona/percona-backup-mongodb/pbm"
 "github.com/percona/percona-backup-mongodb/pbm/compress"
+ "github.com/percona/percona-backup-mongodb/pbm/storage/s3"
 "github.com/pkg/errors"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
@@ -760,6 +761,7 @@ type BackupStorageS3Spec struct {
 Region string `json:"region,omitempty"`
 EndpointURL string `json:"endpointUrl,omitempty"`
 CredentialsSecret string `json:"credentialsSecret,omitempty"`
+ ServerSideEncryption s3.AWSsse `json:"serverSideEncryption,omitempty"`
 UploadPartSize int `json:"uploadPartSize,omitempty"`
 MaxUploadParts int `json:"maxUploadParts,omitempty"`
 StorageClass string `json:"storageClass,omitempty"`
diff --git a/pkg/controller/perconaservermongodbbackup/perconaservermongodbbackup_controller.go b/pkg/controller/perconaservermongodbbackup/perconaservermongodbbackup_controller.go
index 5a7ad0545a..4cd2a9cf32 100644
--- a/pkg/controller/perconaservermongodbbackup/perconaservermongodbbackup_controller.go
+++ b/pkg/controller/perconaservermongodbbackup/perconaservermongodbbackup_controller.go
@@ -268,6 +268,15 @@ func (r *ReconcilePerconaServerMongoDBBackup) getPBMStorage(ctx context.Context,
 return nil, errors.Wrap(err, "getting s3 credentials secret name")
 }
 
+ if len(cr.Status.S3.ServerSideEncryption.SseAlgorithm) != 0 || len(cr.Status.S3.ServerSideEncryption.SseCustomerAlgorithm) != 0 {
+ s3Conf.ServerSideEncryption = &s3.AWSsse{
+ SseAlgorithm: cr.Status.S3.ServerSideEncryption.SseAlgorithm,
+ KmsKeyID: cr.Status.S3.ServerSideEncryption.KmsKeyID,
+ SseCustomerAlgorithm: cr.Status.S3.ServerSideEncryption.SseCustomerAlgorithm,
+ SseCustomerKey: cr.Status.S3.ServerSideEncryption.SseCustomerKey,
+ }
+ }
+
 s3Conf.Credentials = s3.Credentials{
 AccessKeyID: string(s3secret.Data[backup.AWSAccessKeySecretKey]),
 SecretAccessKey: string(s3secret.Data[backup.AWSSecretAccessKeySecretKey]),
diff --git a/pkg/psmdb/backup/pbm.go b/pkg/psmdb/backup/pbm.go
index 51fe5b2a2c..8e673d4df7 100644
--- a/pkg/psmdb/backup/pbm.go
+++ b/pkg/psmdb/backup/pbm.go
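Review bot: `SseCustomerKey` is the raw SSE-C encryption key, yet the new `ServerSideEncryption s3.AWSsse` field stores it in plaintext in the CR spec, right next to `CredentialsSecret`, which deliberately keeps the access keys out of the object. Anyone who can read PerconaServerMongoDB objects (or the backup's Status, which the controller hunk below copies it into) obtains the key, and it is persisted in etcd with the rest of the spec. Consider a local type, e.g. `ServerSideEncryption BackupStorageS3SSE \`json:"serverSideEncryption,omitempty"\``, whose SSE-C key is a Secret reference resolved in the controller, mirroring credentialsSecret. Two smaller points: `omitempty` has no effect on a non-pointer struct in encoding/json, so an empty `serverSideEncryption: {}` is always emitted, and because the external type is embedded as-is the regenerated CRDs in the later manifests commit list all four keys under `required`, presumably from missing omitempty tags upstream, which forces users who only want `sseAlgorithm` to supply placeholder SSE-C values.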
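Review bot: The guard on the new `if` accepts any combination of the four fields, so a spec that sets only `kmsKeyID` is silently ignored rather than rejected, and one that sets both `sseAlgorithm` and `sseCustomerAlgorithm` is forwarded even though S3 treats SSE-S3/SSE-KMS and SSE-C as mutually exclusive request headers; how PBM reacts to that is out of view here. A small validation that returns an error when both algorithms are set, or when `kmsKeyID` is given without `sseAlgorithm: aws:kms`, would surface the misconfiguration at reconcile time instead of as a failed upload. The same nine lines are duplicated in `GetPBMConfig` in pkg/psmdb/backup/pbm.go (next hunk); a helper such as `func sseConfig(sse s3.AWSsse) *s3.AWSsse` returning nil when no algorithm is set would keep the two call sites in sync. getPBMStorage starts and ends outside the hunk.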
@@ -215,6 +215,15 @@ func GetPBMConfig(ctx context.Context, k8sclient client.Client, cluster *api.Per
 },
 }
 
+ if len(stg.S3.ServerSideEncryption.SseAlgorithm) != 0 || len(stg.S3.ServerSideEncryption.SseCustomerAlgorithm) != 0 {
+ conf.Storage.S3.ServerSideEncryption = &s3.AWSsse{
+ SseAlgorithm: stg.S3.ServerSideEncryption.SseAlgorithm,
+ KmsKeyID: stg.S3.ServerSideEncryption.KmsKeyID,
+ SseCustomerAlgorithm: stg.S3.ServerSideEncryption.SseCustomerAlgorithm,
+ SseCustomerKey: stg.S3.ServerSideEncryption.SseCustomerKey,
+ }
+ }
+
 if len(stg.S3.CredentialsSecret) != 0 {
 s3secret, err := getSecret(ctx, k8sclient, cluster.Namespace, stg.S3.CredentialsSecret)
 if err != nil {
From 315d56edd275b0e8a433b7e54818aa721dc7543f Mon Sep 17 00:00:00 2001
From: Andrii Dema
Date: Mon, 18 Sep 2023 17:10:19 +0300
Subject: [PATCH 2/5] fmt

---
 pkg/apis/psmdb/v1/psmdb_types.go | 18 +++++++++---------
 pkg/psmdb/backup/pbm.go | 2 +-
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/pkg/apis/psmdb/v1/psmdb_types.go b/pkg/apis/psmdb/v1/psmdb_types.go
index e37efe9bc2..6f4f2a5eb5 100644
--- a/pkg/apis/psmdb/v1/psmdb_types.go
+++ b/pkg/apis/psmdb/v1/psmdb_types.go
@@ -714,16 +714,16 @@ func (task *BackupTaskSpec) JobName(cr *PerconaServerMongoDB) string {
 }
 
 type BackupStorageS3Spec struct {
- Bucket string `json:"bucket"`
- Prefix string `json:"prefix,omitempty"`
- Region string `json:"region,omitempty"`
- EndpointURL string `json:"endpointUrl,omitempty"`
- CredentialsSecret string `json:"credentialsSecret,omitempty"`
+ Bucket string `json:"bucket"`
+ Prefix string `json:"prefix,omitempty"`
+ Region string `json:"region,omitempty"`
+ EndpointURL string `json:"endpointUrl,omitempty"`
+ CredentialsSecret string `json:"credentialsSecret,omitempty"`
 ServerSideEncryption s3.AWSsse `json:"serverSideEncryption,omitempty"`
- UploadPartSize int `json:"uploadPartSize,omitempty"`
- MaxUploadParts int `json:"maxUploadParts,omitempty"`
- StorageClass string `json:"storageClass,omitempty"`
- InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty"`
+ UploadPartSize int `json:"uploadPartSize,omitempty"`
+ MaxUploadParts int `json:"maxUploadParts,omitempty"`
+ StorageClass string `json:"storageClass,omitempty"`
+ InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty"`
 }
 
 type BackupStorageAzureSpec struct {
diff --git a/pkg/psmdb/backup/pbm.go b/pkg/psmdb/backup/pbm.go
index 33a0b86d16..5cd3fee504 100644
--- a/pkg/psmdb/backup/pbm.go
+++ b/pkg/psmdb/backup/pbm.go
@@ -249,7 +249,7 @@ func GetPBMConfig(ctx context.Context, k8sclient client.Client, cluster *api.Per
 SseCustomerAlgorithm: stg.S3.ServerSideEncryption.SseCustomerAlgorithm,
 SseCustomerKey: stg.S3.ServerSideEncryption.SseCustomerKey,
 }
- }
+ }
 
 if len(stg.S3.CredentialsSecret) != 0 {
 s3secret, err := getSecret(ctx, k8sclient, cluster.Namespace, stg.S3.CredentialsSecret)
From ec23d88987cae96a53d37e30564ea3d0f3d39bdf Mon Sep 17 00:00:00 2001
From: Andrii Dema Date: Mon, 18 Sep 2023 17:26:20 +0300 Subject: [PATCH 3/5] manifests --- ...rcona.com_perconaservermongodbbackups.yaml | 16 +++++ ...cona.com_perconaservermongodbrestores.yaml | 16 +++++ ...mdb.percona.com_perconaservermongodbs.yaml | 16 +++++ deploy/bundle.yaml | 48 +++++++++++++ deploy/crd.yaml | 67 ++++++++++++------- deploy/cw-bundle.yaml | 48 +++++++++++++ e2e-tests/version-service/conf/crd.yaml | 48 +++++++++++++ pkg/apis/psmdb/v1/zz_generated.deepcopy.go | 1 + 8 files changed, 234 insertions(+), 26 deletions(-) diff --git a/config/crd/bases/psmdb.percona.com_perconaservermongodbbackups.yaml b/config/crd/bases/psmdb.percona.com_perconaservermongodbbackups.yaml index efd141fe2e..cb1e32fa61 100644 --- a/config/crd/bases/psmdb.percona.com_perconaservermongodbbackups.yaml +++ b/config/crd/bases/psmdb.percona.com_perconaservermongodbbackups.yaml @@ -119,6 +119,22 @@ spec: type: string region: type: string + serverSideEncryption: + properties: + kmsKeyID: + type: string + sseAlgorithm: + type: string + sseCustomerAlgorithm: + type: string + sseCustomerKey: + type: string + required: + - kmsKeyID + - sseAlgorithm + - sseCustomerAlgorithm + - sseCustomerKey + type: object storageClass: type: string uploadPartSize: diff --git a/config/crd/bases/psmdb.percona.com_perconaservermongodbrestores.yaml b/config/crd/bases/psmdb.percona.com_perconaservermongodbrestores.yaml index c8605f490a..6df14541f0 100644 --- a/config/crd/bases/psmdb.percona.com_perconaservermongodbrestores.yaml +++ b/config/crd/bases/psmdb.percona.com_perconaservermongodbrestores.yaml @@ -89,6 +89,22 @@ spec: type: string region: type: string + serverSideEncryption: + properties: + kmsKeyID: + type: string + sseAlgorithm: + type: string + sseCustomerAlgorithm: + type: string + sseCustomerKey: + type: string + required: + - kmsKeyID + - sseAlgorithm + - sseCustomerAlgorithm + - sseCustomerKey + type: object storageClass: type: string uploadPartSize: 
diff --git a/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml b/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml index a847f5ad1d..929aa9c5f7 100644 --- a/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml +++ b/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml @@ -258,6 +258,22 @@ spec: type: string region: type: string + serverSideEncryption: + properties: + kmsKeyID: + type: string + sseAlgorithm: + type: string + sseCustomerAlgorithm: + type: string + sseCustomerKey: + type: string + required: + - kmsKeyID + - sseAlgorithm + - sseCustomerAlgorithm + - sseCustomerKey + type: object storageClass: type: string uploadPartSize: diff --git a/deploy/bundle.yaml b/deploy/bundle.yaml index cdc15b9ac1..c45a0b1eb1 100644 --- a/deploy/bundle.yaml +++ b/deploy/bundle.yaml @@ -118,6 +118,22 @@ spec: type: string region: type: string + serverSideEncryption: + properties: + kmsKeyID: + type: string + sseAlgorithm: + type: string + sseCustomerAlgorithm: + type: string + sseCustomerKey: + type: string + required: + - kmsKeyID + - sseAlgorithm + - sseCustomerAlgorithm + - sseCustomerKey + type: object storageClass: type: string uploadPartSize: @@ -231,6 +247,22 @@ spec: type: string region: type: string + serverSideEncryption: + properties: + kmsKeyID: + type: string + sseAlgorithm: + type: string + sseCustomerAlgorithm: + type: string + sseCustomerKey: + type: string + required: + - kmsKeyID + - sseAlgorithm + - sseCustomerAlgorithm + - sseCustomerKey + type: object storageClass: type: string uploadPartSize: @@ -863,6 +895,22 @@ spec: type: string region: type: string + serverSideEncryption: + properties: + kmsKeyID: + type: string + sseAlgorithm: + type: string + sseCustomerAlgorithm: + type: string + sseCustomerKey: + type: string + required: + - kmsKeyID + - sseAlgorithm + - sseCustomerAlgorithm + - sseCustomerKey + type: object storageClass: type: string uploadPartSize: 
diff --git a/deploy/crd.yaml b/deploy/crd.yaml index 76d7630e2a..d90a01d4c7 100644 --- a/deploy/crd.yaml +++ b/deploy/crd.yaml @@ -112,23 +112,28 @@ spec: type: string insecureSkipTLSVerify: type: boolean + maxUploadParts: + type: integer + prefix: + type: string + region: + type: string serverSideEncryption: properties: - sseAlgorithm: - type: string kmsKeyID: type: string + sseAlgorithm: + type: string sseCustomerAlgorithm: type: string sseCustomerKey: type: string + required: + - kmsKeyID + - sseAlgorithm + - sseCustomerAlgorithm + - sseCustomerKey type: object - maxUploadParts: - type: integer - prefix: - type: string - region: - type: string storageClass: type: string uploadPartSize: @@ -236,23 +241,28 @@ spec: type: string insecureSkipTLSVerify: type: boolean + maxUploadParts: + type: integer + prefix: + type: string + region: + type: string serverSideEncryption: properties: - sseAlgorithm: - type: string kmsKeyID: type: string + sseAlgorithm: + type: string sseCustomerAlgorithm: type: string sseCustomerKey: type: string - type: object - maxUploadParts: - type: integer - prefix: - type: string - region: - type: string + required: + - kmsKeyID + - sseAlgorithm + - sseCustomerAlgorithm + - sseCustomerKey + type: object storageClass: type: string uploadPartSize: @@ -879,23 +889,28 @@ spec: type: string insecureSkipTLSVerify: type: boolean + maxUploadParts: + type: integer + prefix: + type: string + region: + type: string serverSideEncryption: properties: - sseAlgorithm: - type: string kmsKeyID: type: string + sseAlgorithm: + type: string sseCustomerAlgorithm: type: string sseCustomerKey: type: string - type: object - maxUploadParts: - type: integer - prefix: - type: string - region: - type: string + required: + - kmsKeyID + - sseAlgorithm + - sseCustomerAlgorithm + - sseCustomerKey + type: object storageClass: type: string uploadPartSize: diff --git a/deploy/cw-bundle.yaml b/deploy/cw-bundle.yaml index dfb97eac61..cc1bd279c0 100644 --- a/deploy/cw-bundle.yaml 
+++ b/deploy/cw-bundle.yaml @@ -118,6 +118,22 @@ spec: type: string region: type: string + serverSideEncryption: + properties: + kmsKeyID: + type: string + sseAlgorithm: + type: string + sseCustomerAlgorithm: + type: string + sseCustomerKey: + type: string + required: + - kmsKeyID + - sseAlgorithm + - sseCustomerAlgorithm + - sseCustomerKey + type: object storageClass: type: string uploadPartSize: @@ -231,6 +247,22 @@ spec: type: string region: type: string + serverSideEncryption: + properties: + kmsKeyID: + type: string + sseAlgorithm: + type: string + sseCustomerAlgorithm: + type: string + sseCustomerKey: + type: string + required: + - kmsKeyID + - sseAlgorithm + - sseCustomerAlgorithm + - sseCustomerKey + type: object storageClass: type: string uploadPartSize: @@ -863,6 +895,22 @@ spec: type: string region: type: string + serverSideEncryption: + properties: + kmsKeyID: + type: string + sseAlgorithm: + type: string + sseCustomerAlgorithm: + type: string + sseCustomerKey: + type: string + required: + - kmsKeyID + - sseAlgorithm + - sseCustomerAlgorithm + - sseCustomerKey + type: object storageClass: type: string uploadPartSize: diff --git a/e2e-tests/version-service/conf/crd.yaml b/e2e-tests/version-service/conf/crd.yaml index 2cbe846781..d90a01d4c7 100644 --- a/e2e-tests/version-service/conf/crd.yaml +++ b/e2e-tests/version-service/conf/crd.yaml @@ -118,6 +118,22 @@ spec: type: string region: type: string + serverSideEncryption: + properties: + kmsKeyID: + type: string + sseAlgorithm: + type: string + sseCustomerAlgorithm: + type: string + sseCustomerKey: + type: string + required: + - kmsKeyID + - sseAlgorithm + - sseCustomerAlgorithm + - sseCustomerKey + type: object storageClass: type: string uploadPartSize: 
@@ -231,6 +247,22 @@ spec: type: string region: type: string + serverSideEncryption: + properties: + kmsKeyID: + type: string + sseAlgorithm: + type: string + sseCustomerAlgorithm: + type: string + sseCustomerKey: + type: string + required: + - kmsKeyID + - sseAlgorithm + - sseCustomerAlgorithm + - sseCustomerKey + type: object storageClass: type: string uploadPartSize: @@ -863,6 +895,22 @@ spec: type: string region: type: string + serverSideEncryption: + properties: + kmsKeyID: + type: string + sseAlgorithm: + type: string + sseCustomerAlgorithm: + type: string + sseCustomerKey: + type: string + required: + - kmsKeyID + - sseAlgorithm + - sseCustomerAlgorithm + - sseCustomerKey + type: object storageClass: type: string uploadPartSize: diff --git a/pkg/apis/psmdb/v1/zz_generated.deepcopy.go b/pkg/apis/psmdb/v1/zz_generated.deepcopy.go index 8120ac863a..3e21b3d874 100644 --- a/pkg/apis/psmdb/v1/zz_generated.deepcopy.go +++ b/pkg/apis/psmdb/v1/zz_generated.deepcopy.go @@ -106,6 +106,7 @@ func (in *BackupStorageAzureSpec) DeepCopy() *BackupStorageAzureSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BackupStorageS3Spec) DeepCopyInto(out *BackupStorageS3Spec) { *out = *in + out.ServerSideEncryption = in.ServerSideEncryption } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupStorageS3Spec. From b17b75d7575fd760375534cd73c27a8525ad6ac3 Mon Sep 17 00:00:00 2001 From: Andrii Dema Date: Tue, 19 Sep 2023 10:22:27 +0300 Subject: [PATCH 4/5] update `cr.yamll` --- deploy/cr.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deploy/cr.yaml b/deploy/cr.yaml index b9ae82c0bc..ab26ca2efb 100644 --- a/deploy/cr.yaml +++ b/deploy/cr.yaml 
@@ -528,6 +528,11 @@ spec:
 # s3:
 # bucket: S3-BACKUP-BUCKET-NAME-HERE
 # credentialsSecret: my-cluster-name-backup-s3
+# serverSideEncryption:
+# kmsKeyID: 1234abcd-12ab-34cd-56ef-1234567890ab
+# sseAlgorithm: AES256
+# sseCustomerAlgorithm: AES256
+# sseCustomerKey: Y3VzdG9tZXIta2V5
 # region: us-west-2
 # prefix: ""
 # uploadPartSize: 10485760
From 22d7c5c9a5324d4a8e6e84c22c7dfc89d712808f Mon Sep 17 00:00:00 2001
From: Andrii Dema
Date: Tue, 19 Sep 2023 10:24:49 +0300
Subject: [PATCH 5/5] update `restore.yaml`

---
 deploy/backup/restore.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/deploy/backup/restore.yaml b/deploy/backup/restore.yaml
index 152435b70e..d50efbe175 100644
--- a/deploy/backup/restore.yaml
+++ b/deploy/backup/restore.yaml
@@ -13,6 +13,11 @@ spec:
 # destination: s3://S3-BACKUP-BUCKET-NAME-HERE/BACKUP-DESTINATION
 # s3:
 # credentialsSecret: my-cluster-name-backup-s3
+# serverSideEncryption:
+# kmsKeyID: 1234abcd-12ab-34cd-56ef-1234567890ab
+# sseAlgorithm: AES256
+# sseCustomerAlgorithm: AES256
+# sseCustomerKey: Y3VzdG9tZXIta2V5
 # region: us-west-2
 # bucket: S3-BACKUP-BUCKET-NAME-HERE
 # endpointUrl: https://s3.us-west-2.amazonaws.com/
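Review bot: The sample combines `sseAlgorithm: AES256` with `kmsKeyID` and with the SSE-C pair, which are three different S3 modes: `kmsKeyID` only takes effect with `sseAlgorithm: aws:kms`, and `sseCustomerAlgorithm`/`sseCustomerKey` (SSE-C) cannot be sent together with `sseAlgorithm`, so S3 is expected to reject a request built from this block uncommented verbatim. Show one mode per example, e.g. keep `sseAlgorithm: aws:kms` with `kmsKeyID` here and put the SSE-C pair in a separate commented variant with a note that `sseCustomerKey` is the base64 raw key and ends up in the CR (and in etcd) in plaintext. The same block is repeated in the restore.yaml hunk in this patch.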