Commit 3963b251, authored by Stan Hu, committed by Michael Kozono

Support AWS SSE-KMS in backups

AWS supports three different modes for encrypting S3 data:

1. Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
2. Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS
Key Management Service (SSE-KMS)
3. Server-Side Encryption with Customer-Provided Keys (SSE-C)

Previously, SSE-S3 and SSE-C were supported via the
`backup.upload.encryption` and `backup.upload.encryption_key`
configuration options.

SSE-KMS was previously not supported in backups because there was no way
to specify which customer-managed key to use. However, we did support
SSE-KMS with consolidated object storage enabled for other CI artifacts,
attachments, LFS, etc. Note that SSE-C is NOT supported here.

In consolidated object storage, the `storage_options` Hash provides the
`server_side_encryption` and `server_side_encryption_kms_key_id`
parameters that allow admins to configure SSE-KMS. We reuse this
configuration in backups to support SSE-KMS.

Relates to #338764

Changelog: added
Parent ae8fd6ad
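
The three encryption modes in the commit message, as an added Ruby example that is not part of the commit or of GitLab's code: the hypothetical helper `sse_headers` maps a backup upload configuration to the S3 request headers that select SSE-S3, SSE-KMS or SSE-C. The flat Hash layout, the rejection of mixed or incomplete configurations, and the sample key ARN and SSE-C key are assumptions of this example.

```ruby
require 'base64'
require 'digest/md5'

# Hypothetical helper, not GitLab code: turn a backup upload config Hash into
# the S3 request headers that select the server-side encryption mode.
def sse_headers(upload)
  opts    = upload['storage_options'] || {}
  mode    = opts['server_side_encryption']
  kms_key = opts['server_side_encryption_kms_key_id']
  alg     = upload['encryption']
  key     = upload['encryption_key']

  if mode
    # storage_options path: SSE-S3 ('AES256') or SSE-KMS ('aws:kms'), never SSE-C.
    raise ArgumentError, "unsupported mode: #{mode}" unless %w[AES256 aws:kms].include?(mode)
    raise ArgumentError, 'KMS key id needs aws:kms' if kms_key && mode != 'aws:kms'
    # Assumption of this example: refuse ambiguous configs instead of picking one.
    raise ArgumentError, 'encryption_key conflicts with storage_options' if key

    headers = { 'x-amz-server-side-encryption' => mode }
    headers['x-amz-server-side-encryption-aws-kms-key-id'] = kms_key if kms_key
    return headers
  end
  raise ArgumentError, 'KMS key id set but server_side_encryption is missing' if kms_key

  return {} unless alg                                        # no encryption requested
  return { 'x-amz-server-side-encryption' => alg } unless key # SSE-S3 (legacy options)

  # SSE-C (legacy options): the caller supplies the raw 256-bit key on every request.
  { 'x-amz-server-side-encryption-customer-algorithm' => alg,
    'x-amz-server-side-encryption-customer-key'       => Base64.strict_encode64(key),
    'x-amz-server-side-encryption-customer-key-MD5'   => Digest::MD5.base64digest(key) }
end

# Constructed sample configs; the key ARN and the SSE-C key are placeholders.
SSE_KMS = { 'storage_options' => {
  'server_side_encryption' => 'aws:kms',
  'server_side_encryption_kms_key_id' => 'arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID_PLACEHOLDER'
} }.freeze
SSE_S3 = { 'encryption' => 'AES256' }.freeze
SSE_C  = { 'encryption' => 'AES256', 'encryption_key' => 'k' * 32 }.freeze

if __FILE__ == $PROGRAM_NAME
  # Print header names only, so the SSE-C key never reaches the terminal or logs.
  [SSE_KMS, SSE_S3, SSE_C].each { |cfg| puts sse_headers(cfg).keys.inspect }
end
```

With SSE-KMS the key never leaves AWS and access to it is governed by the KMS key policy, whereas the SSE-C path puts the raw key into the backup configuration and into every request.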