K8SPSMDB-850: Fix S3 Server Side Encryption fields (#1352)

egegunes · tplavcic · commit 6cf1ad9e792a · 2023-10-06T08:27:47.000+02:00
diff --git a/config/crd/bases/psmdb.percona.com_perconaservermongodbbackups.yaml b/config/crd/bases/psmdb.percona.com_perconaservermongodbbackups.yaml
@@ -131,11 +131,6 @@ spec:
                         type: string
                       sseCustomerKey:
                         type: string
-                    required:
-                    - kmsKeyID
-                    - sseAlgorithm
-                    - sseCustomerAlgorithm
-                    - sseCustomerKey
                     type: object
                   storageClass:
                     type: string
diff --git a/config/crd/bases/psmdb.percona.com_perconaservermongodbrestores.yaml b/config/crd/bases/psmdb.percona.com_perconaservermongodbrestores.yaml
@@ -101,11 +101,6 @@ spec:
                             type: string
                           sseCustomerKey:
                             type: string
-                        required:
-                        - kmsKeyID
-                        - sseAlgorithm
-                        - sseCustomerAlgorithm
-                        - sseCustomerKey
                         type: object
                       storageClass:
                         type: string
diff --git a/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml b/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml
@@ -268,11 +268,6 @@ spec:
                                   type: string
                                 sseCustomerKey:
                                   type: string
-                              required:
-                              - kmsKeyID
-                              - sseAlgorithm
-                              - sseCustomerAlgorithm
-                              - sseCustomerKey
                               type: object
                             storageClass:
                               type: string
diff --git a/deploy/bundle.yaml b/deploy/bundle.yaml
@@ -130,11 +130,6 @@ spec:
                         type: string
                       sseCustomerKey:
                         type: string
-                    required:
-                    - kmsKeyID
-                    - sseAlgorithm
-                    - sseCustomerAlgorithm
-                    - sseCustomerKey
                     type: object
                   storageClass:
                     type: string
@@ -261,11 +256,6 @@ spec:
                             type: string
                           sseCustomerKey:
                             type: string
-                        required:
-                        - kmsKeyID
-                        - sseAlgorithm
-                        - sseCustomerAlgorithm
-                        - sseCustomerKey
                         type: object
                       storageClass:
                         type: string
@@ -909,11 +899,6 @@ spec:
                                   type: string
                                 sseCustomerKey:
                                   type: string
-                              required:
-                              - kmsKeyID
-                              - sseAlgorithm
-                              - sseCustomerAlgorithm
-                              - sseCustomerKey
                               type: object
                             storageClass:
                               type: string
diff --git a/deploy/cr.yaml b/deploy/cr.yaml
@@ -519,7 +519,7 @@ spec:
 #          credentialsSecret: my-cluster-name-backup-s3
 #          serverSideEncryption:
 #            kmsKeyID: 1234abcd-12ab-34cd-56ef-1234567890ab
-#            sseAlgorithm: AES256
+#            sseAlgorithm: aws:kms
 #            sseCustomerAlgorithm: AES256
 #            sseCustomerKey: Y3VzdG9tZXIta2V5
 #          region: us-west-2
diff --git a/deploy/crd.yaml b/deploy/crd.yaml
@@ -130,11 +130,6 @@ spec:
                         type: string
                       sseCustomerKey:
                         type: string
-                    required:
-                    - kmsKeyID
-                    - sseAlgorithm
-                    - sseCustomerAlgorithm
-                    - sseCustomerKey
                     type: object
                   storageClass:
                     type: string
@@ -261,11 +256,6 @@ spec:
                             type: string
                           sseCustomerKey:
                             type: string
-                        required:
-                        - kmsKeyID
-                        - sseAlgorithm
-                        - sseCustomerAlgorithm
-                        - sseCustomerKey
                         type: object
                       storageClass:
                         type: string
@@ -909,11 +899,6 @@ spec:
                                   type: string
                                 sseCustomerKey:
                                   type: string
-                              required:
-                              - kmsKeyID
-                              - sseAlgorithm
-                              - sseCustomerAlgorithm
-                              - sseCustomerKey
                               type: object
                             storageClass:
                               type: string
diff --git a/deploy/cw-bundle.yaml b/deploy/cw-bundle.yaml
@@ -130,11 +130,6 @@ spec:
                         type: string
                       sseCustomerKey:
                         type: string
-                    required:
-                    - kmsKeyID
-                    - sseAlgorithm
-                    - sseCustomerAlgorithm
-                    - sseCustomerKey
                     type: object
                   storageClass:
                     type: string
@@ -261,11 +256,6 @@ spec:
                             type: string
                           sseCustomerKey:
                             type: string
-                        required:
-                        - kmsKeyID
-                        - sseAlgorithm
-                        - sseCustomerAlgorithm
-                        - sseCustomerKey
                         type: object
                       storageClass:
                         type: string
@@ -909,11 +899,6 @@ spec:
                                   type: string
                                 sseCustomerKey:
                                   type: string
-                              required:
-                              - kmsKeyID
-                              - sseAlgorithm
-                              - sseCustomerAlgorithm
-                              - sseCustomerKey
                               type: object
                             storageClass:
                               type: string
diff --git a/e2e-tests/version-service/conf/crd.yaml b/e2e-tests/version-service/conf/crd.yaml
@@ -130,11 +130,6 @@ spec:
                         type: string
                       sseCustomerKey:
                         type: string
-                    required:
-                    - kmsKeyID
-                    - sseAlgorithm
-                    - sseCustomerAlgorithm
-                    - sseCustomerKey
                     type: object
                   storageClass:
                     type: string
@@ -261,11 +256,6 @@ spec:
                             type: string
                           sseCustomerKey:
                             type: string
-                        required:
-                        - kmsKeyID
-                        - sseAlgorithm
-                        - sseCustomerAlgorithm
-                        - sseCustomerKey
                         type: object
                       storageClass:
                         type: string
@@ -909,11 +899,6 @@ spec:
                                   type: string
                                 sseCustomerKey:
                                   type: string
-                              required:
-                              - kmsKeyID
-                              - sseAlgorithm
-                              - sseCustomerAlgorithm
-                              - sseCustomerKey
                               type: object
                             storageClass:
                               type: string
diff --git a/pkg/apis/psmdb/v1/psmdb_defaults.go b/pkg/apis/psmdb/v1/psmdb_defaults.go
@@ -485,6 +485,19 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log
 				FSGroup: fsgroup,
 			}
 		}
+
+		for _, stg := range cr.Spec.Backup.Storages {
+			if stg.Type != BackupStorageS3 {
+				continue
+			}
+
+			if len(stg.S3.ServerSideEncryption.SSECustomerAlgorithm) != 0 &&
+				len(stg.S3.ServerSideEncryption.SSECustomerKey) != 0 &&
+				len(stg.S3.ServerSideEncryption.KMSKeyID) != 0 &&
+				len(stg.S3.ServerSideEncryption.SSEAlgorithm) != 0 {
+				return errors.New("For S3 storage only one encryption method can be used. Set either (sseAlgorithm and kmsKeyID) or (sseCustomerAlgorithm and sseCustomerKey)")
+			}
+		}
 	}
 
 	if !cr.Spec.Backup.Enabled {
diff --git a/pkg/apis/psmdb/v1/psmdb_types.go b/pkg/apis/psmdb/v1/psmdb_types.go
@@ -10,7 +10,6 @@ import (
 	v "github.com/hashicorp/go-version"
 	"github.com/percona/percona-backup-mongodb/pbm"
 	"github.com/percona/percona-backup-mongodb/pbm/compress"
-	"github.com/percona/percona-backup-mongodb/pbm/storage/s3"
 	"github.com/pkg/errors"
 	"gopkg.in/yaml.v2"
 	appsv1 "k8s.io/api/apps/v1"
@@ -713,17 +712,31 @@ func (task *BackupTaskSpec) JobName(cr *PerconaServerMongoDB) string {
 	return fmt.Sprintf("%s-backup-%s-%s", cr.Name, task.Name, cr.Namespace)
 }
 
+type S3ServiceSideEncryption struct {
+	// Used to specify the SSE algorithm used when keys are managed by the server
+	SSEAlgorithm string `json:"sseAlgorithm,omitempty"`
+	KMSKeyID     string `json:"kmsKeyID,omitempty"`
+
+	// Used to specify SSE-C style encryption. For Amazon S3 SSECustomerAlgorithm must be 'AES256'
+	// see https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
+	SSECustomerAlgorithm string `json:"sseCustomerAlgorithm,omitempty"`
+
+	// If SSECustomerAlgorithm is set, this must be a base64 encoded key compatible with the algorithm
+	// specified in the SseCustomerAlgorithm field.
+	SSECustomerKey string `json:"sseCustomerKey,omitempty"`
+}
+
 type BackupStorageS3Spec struct {
-	Bucket                string    `json:"bucket"`
-	Prefix                string    `json:"prefix,omitempty"`
-	Region                string    `json:"region,omitempty"`
-	EndpointURL           string    `json:"endpointUrl,omitempty"`
-	CredentialsSecret     string    `json:"credentialsSecret,omitempty"`
-	ServerSideEncryption  s3.AWSsse `json:"serverSideEncryption,omitempty"`
-	UploadPartSize        int       `json:"uploadPartSize,omitempty"`
-	MaxUploadParts        int       `json:"maxUploadParts,omitempty"`
-	StorageClass          string    `json:"storageClass,omitempty"`
-	InsecureSkipTLSVerify bool      `json:"insecureSkipTLSVerify,omitempty"`
+	Bucket                string                  `json:"bucket"`
+	Prefix                string                  `json:"prefix,omitempty"`
+	Region                string                  `json:"region,omitempty"`
+	EndpointURL           string                  `json:"endpointUrl,omitempty"`
+	CredentialsSecret     string                  `json:"credentialsSecret,omitempty"`
+	UploadPartSize        int                     `json:"uploadPartSize,omitempty"`
+	MaxUploadParts        int                     `json:"maxUploadParts,omitempty"`
+	StorageClass          string                  `json:"storageClass,omitempty"`
+	InsecureSkipTLSVerify bool                    `json:"insecureSkipTLSVerify,omitempty"`
+	ServerSideEncryption  S3ServiceSideEncryption `json:"serverSideEncryption,omitempty"`
 }
 
 type BackupStorageAzureSpec struct {
diff --git a/pkg/apis/psmdb/v1/zz_generated.deepcopy.go b/pkg/apis/psmdb/v1/zz_generated.deepcopy.go
diff --git a/pkg/controller/perconaservermongodbbackup/perconaservermongodbbackup_controller.go b/pkg/controller/perconaservermongodbbackup/perconaservermongodbbackup_controller.go
@@ -273,12 +273,17 @@ func (r *ReconcilePerconaServerMongoDBBackup) getPBMStorage(ctx context.Context,
 			return nil, errors.Wrap(err, "getting s3 credentials secret name")
 		}
 
-		if len(cr.Status.S3.ServerSideEncryption.SseAlgorithm) != 0 || len(cr.Status.S3.ServerSideEncryption.SseCustomerAlgorithm) != 0 {
+		if len(cr.Status.S3.ServerSideEncryption.SSECustomerAlgorithm) != 0 && len(cr.Status.S3.ServerSideEncryption.SSECustomerKey) != 0 {
 			s3Conf.ServerSideEncryption = &s3.AWSsse{
-				SseAlgorithm:         cr.Status.S3.ServerSideEncryption.SseAlgorithm,
-				KmsKeyID:             cr.Status.S3.ServerSideEncryption.KmsKeyID,
-				SseCustomerAlgorithm: cr.Status.S3.ServerSideEncryption.SseCustomerAlgorithm,
-				SseCustomerKey:       cr.Status.S3.ServerSideEncryption.SseCustomerKey,
+				SseCustomerAlgorithm: cr.Status.S3.ServerSideEncryption.SSECustomerAlgorithm,
+				SseCustomerKey:       cr.Status.S3.ServerSideEncryption.SSECustomerKey,
+			}
+		}
+
+		if len(cr.Status.S3.ServerSideEncryption.SSEAlgorithm) != 0 && len(cr.Status.S3.ServerSideEncryption.KMSKeyID) != 0 {
+			s3Conf.ServerSideEncryption = &s3.AWSsse{
+				SseAlgorithm: cr.Status.S3.ServerSideEncryption.SSEAlgorithm,
+				KmsKeyID:     cr.Status.S3.ServerSideEncryption.KMSKeyID,
 			}
 		}
 
diff --git a/pkg/psmdb/backup/pbm.go b/pkg/psmdb/backup/pbm.go
@@ -246,12 +246,17 @@ func GetPBMConfig(ctx context.Context, k8sclient client.Client, cluster *api.Per
 			},
 		}
 
-		if len(stg.S3.ServerSideEncryption.SseAlgorithm) != 0 || len(stg.S3.ServerSideEncryption.SseCustomerAlgorithm) != 0 {
+		if len(stg.S3.ServerSideEncryption.SSECustomerAlgorithm) != 0 && len(stg.S3.ServerSideEncryption.SSECustomerKey) != 0 {
 			conf.Storage.S3.ServerSideEncryption = &s3.AWSsse{
-				SseAlgorithm:         stg.S3.ServerSideEncryption.SseAlgorithm,
-				KmsKeyID:             stg.S3.ServerSideEncryption.KmsKeyID,
-				SseCustomerAlgorithm: stg.S3.ServerSideEncryption.SseCustomerAlgorithm,
-				SseCustomerKey:       stg.S3.ServerSideEncryption.SseCustomerKey,
+				SseCustomerAlgorithm: stg.S3.ServerSideEncryption.SSECustomerAlgorithm,
+				SseCustomerKey:       stg.S3.ServerSideEncryption.SSECustomerKey,
+			}
+		}
+
+		if len(stg.S3.ServerSideEncryption.SSEAlgorithm) != 0 && len(stg.S3.ServerSideEncryption.KMSKeyID) != 0 {
+			conf.Storage.S3.ServerSideEncryption = &s3.AWSsse{
+				SseAlgorithm: stg.S3.ServerSideEncryption.SSEAlgorithm,
+				KmsKeyID:     stg.S3.ServerSideEncryption.KMSKeyID,
 			}
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -485,6 +485,19 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log`
`485`	`485`	`FSGroup: fsgroup,`
`486`	`486`	`}`
`487`	`487`	`}`
	`488`	`+`
	`489`	`+ for _, stg := range cr.Spec.Backup.Storages {`
	`490`	`+ if stg.Type != BackupStorageS3 {`
	`491`	`+ continue`
	`492`	`+ }`
	`493`	`+`
	`494`	`+ if len(stg.S3.ServerSideEncryption.SSECustomerAlgorithm) != 0 &&`
	`495`	`+ len(stg.S3.ServerSideEncryption.SSECustomerKey) != 0 &&`
	`496`	`+ len(stg.S3.ServerSideEncryption.KMSKeyID) != 0 &&`
	`497`	`+ len(stg.S3.ServerSideEncryption.SSEAlgorithm) != 0 {`
	`498`	`+ return errors.New("For S3 storage only one encryption method can be used. Set either (sseAlgorithm and kmsKeyID) or (sseCustomerAlgorithm and sseCustomerKey)")`
	`499`	`+ }`
	`500`	`+ }`
`488`	`501`	`}`
`489`	`502`
`490`	`503`	`if !cr.Spec.Backup.Enabled {`