Merge branch 'aws_sse-c' into 'master'

Add SSE-C key configuration option for Amazon S3 remote backups See merge request gitlab-org/gitlab-ce!23797
2019-01-09 16:39:20 +00:00 · 2019-01-09 16:39:20 +00:00 · 3f01f0c5b3
commit 3f01f0c5b3
parent 00ac520e20 1b3ffdf250
6 changed files with 17 additions and 0 deletions
--- a/changelogs/unreleased/backup_aws_sse-c.yml
+++ b/changelogs/unreleased/backup_aws_sse-c.yml
@ -0,0 +1,5 @@
+title: Add support for customer provided encryption keys for Amazon S3 remote backups
+merge_request: 23797
+author: Pepijn Van Eeckhoudt
+type: added
+
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@ -635,6 +635,10 @@ production: &base
    #   multipart_chunk_size: 104857600
    #   # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
    #   # encryption: 'AES256'
+    #   # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional
+    #   #   This should be set to the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data. 
+    #   #   'encryption' must also be set in order for this to have any effect. 
+    #   # encryption_key: '<base64 key>'
    #   # Specifies Amazon S3 storage class to use for backups, this is optional
    #   # storage_class: 'STANDARD'

--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@ -392,6 +392,7 @@ Settings.backup['archive_permissions'] ||= 0600
 Settings.backup['upload'] ||= Settingslogic.new({ 'remote_directory' => nil, 'connection' => nil })
 Settings.backup['upload']['multipart_chunk_size'] ||= 104857600
 Settings.backup['upload']['encryption'] ||= nil
+Settings.backup['upload']['encryption_key'] ||= ENV['GITLAB_BACKUP_ENCRYPTION_KEY']
 Settings.backup['upload']['storage_class'] ||= nil

 #
--- a/doc/raketasks/backup_restore.md
+++ b/doc/raketasks/backup_restore.md
@ -311,6 +311,11 @@ For installations from source:
          remote_directory: 'my.s3.bucket'
          # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
          # encryption: 'AES256'
+          # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional
+          #   This should be set to the base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.
+          #   'encryption' must also be set in order for this to have any effect.
+          #   To avoid storing the key on disk, the key can also be specified via the `GITLAB_BACKUP_ENCRYPTION_KEY` environment variable.
+          # encryption_key: '<base64 key>'
          # Specifies Amazon S3 storage class to use for backups, this is optional
          # storage_class: 'STANDARD'
    ```
--- a/lib/backup/manager.rb
+++ b/lib/backup/manager.rb
@ -50,6 +50,7 @@ module Backup
      if directory.files.create(key: remote_target, body: File.open(tar_file), public: false,
                                multipart_chunk_size: Gitlab.config.backup.upload.multipart_chunk_size,
                                encryption: Gitlab.config.backup.upload.encryption,
+                                encryption_key: Gitlab.config.backup.upload.encryption_key,
                                storage_class: Gitlab.config.backup.upload.storage_class)
        progress.puts "done".color(:green)
      else
--- a/spec/lib/backup/manager_spec.rb
+++ b/spec/lib/backup/manager_spec.rb
@ -266,6 +266,7 @@ describe Backup::Manager do
          remote_directory: 'directory',
          multipart_chunk_size: 104857600,
          encryption: nil,
+          encryption_key: nil,
          storage_class: nil
        }
      )