pkg/storage/s3: enable bucket key on encryption settings

flavianmissi · flavianmissi · commit f638559f28d9 · 2024-02-26T15:50:42.000+01:00
using this setting enables a key to be used for the entire bucket instead of AWS creating one key per object. for more info see https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html.
diff --git a/pkg/storage/s3/s3.go b/pkg/storage/s3/s3.go
@@ -794,12 +794,14 @@ func (d *driver) CreateStorage(cr *imageregistryv1.Config) error {
 			encryptionType = s3.ServerSideEncryptionAes256
 		}
 
+		enableBucketKey := true
 		_, err = svc.PutBucketEncryptionWithContext(d.Context, &s3.PutBucketEncryptionInput{
 			Bucket: aws.String(d.Config.Bucket),
 			ServerSideEncryptionConfiguration: &s3.ServerSideEncryptionConfiguration{
 				Rules: []*s3.ServerSideEncryptionRule{
 					{
 						ApplyServerSideEncryptionByDefault: encryption,
+						BucketKeyEnabled:                   &enableBucketKey,
 					},
 				},
 			},
diff --git a/test/e2e/aws_test.go b/test/e2e/aws_test.go
@@ -226,7 +226,7 @@ func TestAWSDefaults(t *testing.T) {
 					ApplyServerSideEncryptionByDefault: &s3.ServerSideEncryptionByDefault{
 						SSEAlgorithm: aws.String(s3.ServerSideEncryptionAes256),
 					},
-					BucketKeyEnabled: aws.Bool(false),
+					BucketKeyEnabled: aws.Bool(true),
 				},
 			},
 		}
@@ -550,7 +550,7 @@ func TestAWSChangeS3Encryption(t *testing.T) {
 				ApplyServerSideEncryptionByDefault: &s3.ServerSideEncryptionByDefault{
 					SSEAlgorithm: aws.String(s3.ServerSideEncryptionAes256),
 				},
-				BucketKeyEnabled: aws.Bool(false),
+				BucketKeyEnabled: aws.Bool(true),
 			},
 		},
 	}
@@ -599,7 +599,7 @@ func TestAWSChangeS3Encryption(t *testing.T) {
 						SSEAlgorithm:   aws.String(s3.ServerSideEncryptionAwsKms),
 						KMSMasterKeyID: aws.String("testKey"),
 					},
-					BucketKeyEnabled: aws.Bool(false),
+					BucketKeyEnabled: aws.Bool(true),
 				},
 			},
 		}

Original file line number	Diff line number	Diff line change
`@@ -794,12 +794,14 @@ func (d driver) CreateStorage(cr imageregistryv1.Config) error {`
`794`	`794`	`encryptionType = s3.ServerSideEncryptionAes256`
`795`	`795`	`}`
`796`	`796`
	`797`	`+ enableBucketKey := true`
`797`	`798`	`_, err = svc.PutBucketEncryptionWithContext(d.Context, &s3.PutBucketEncryptionInput{`
`798`	`799`	`Bucket: aws.String(d.Config.Bucket),`
`799`	`800`	`ServerSideEncryptionConfiguration: &s3.ServerSideEncryptionConfiguration{`
`800`	`801`	`Rules: []*s3.ServerSideEncryptionRule{`
`801`	`802`	`{`
`802`	`803`	`ApplyServerSideEncryptionByDefault: encryption,`
	`804`	`+ BucketKeyEnabled: &enableBucketKey,`
`803`	`805`	`},`
`804`	`806`	`},`
`805`	`807`	`},`