K8SPSMDB-995 add sse to secret (#1510)

nmarukovich · hors · web-flow · commit faea6aa115ec · 2024-04-11T15:31:11.000+02:00
* K8SPSMDB-995 add sse to secret
---------

Co-authored-by: Viacheslav Sarzhan &lt;slava.sarzhan@percona.com&gt;
diff --git a/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml b/config/crd/bases/psmdb.percona.com_perconaservermongodbs.yaml
@@ -7640,6 +7640,8 @@ spec:
                     type: string
                   ldapSecret:
                     type: string
+                  sse:
+                    type: string
                   ssl:
                     type: string
                   sslInternal:
diff --git a/deploy/bundle.yaml b/deploy/bundle.yaml
@@ -8287,6 +8287,8 @@ spec:
                     type: string
                   ldapSecret:
                     type: string
+                  sse:
+                    type: string
                   ssl:
                     type: string
                   sslInternal:
diff --git a/deploy/cr.yaml b/deploy/cr.yaml
@@ -44,6 +44,7 @@ spec:
     encryptionKey: my-cluster-name-mongodb-encryption-key
 #    vault: my-cluster-name-vault
 #    ldapSecret: my-ldap-secret
+#    sse: my-cluster-name-sse
   pmm:
     enabled: false
     image: perconalab/pmm-client:dev-latest
diff --git a/deploy/crd.yaml b/deploy/crd.yaml
@@ -8287,6 +8287,8 @@ spec:
                     type: string
                   ldapSecret:
                     type: string
+                  sse:
+                    type: string
                   ssl:
                     type: string
                   sslInternal:
diff --git a/deploy/cw-bundle.yaml b/deploy/cw-bundle.yaml
@@ -8287,6 +8287,8 @@ spec:
                     type: string
                   ldapSecret:
                     type: string
+                  sse:
+                    type: string
                   ssl:
                     type: string
                   sslInternal:
diff --git a/deploy/sse-secret.yaml b/deploy/sse-secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-cluster-name-sse
+type: Opaque
+stringData:
+  KMS_KEY_ID: "3338fac1-4f-lklklj-kjhjk"
diff --git a/e2e-tests/version-service/conf/crd.yaml b/e2e-tests/version-service/conf/crd.yaml
@@ -8287,6 +8287,8 @@ spec:
                     type: string
                   ldapSecret:
                     type: string
+                  sse:
+                    type: string
                   ssl:
                     type: string
                   sslInternal:
diff --git a/pkg/apis/psmdb/v1/psmdb_defaults.go b/pkg/apis/psmdb/v1/psmdb_defaults.go
@@ -493,8 +493,6 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log
 			}
 
 			if len(stg.S3.ServerSideEncryption.SSECustomerAlgorithm) != 0 &&
-				len(stg.S3.ServerSideEncryption.SSECustomerKey) != 0 &&
-				len(stg.S3.ServerSideEncryption.KMSKeyID) != 0 &&
 				len(stg.S3.ServerSideEncryption.SSEAlgorithm) != 0 {
 				return errors.New("For S3 storage only one encryption method can be used. Set either (sseAlgorithm and kmsKeyID) or (sseCustomerAlgorithm and sseCustomerKey)")
 			}
diff --git a/pkg/apis/psmdb/v1/psmdb_types.go b/pkg/apis/psmdb/v1/psmdb_types.go
@@ -625,6 +625,7 @@ type SecretsSpec struct {
 	SSLInternal   string `json:"sslInternal,omitempty"`
 	EncryptionKey string `json:"encryptionKey,omitempty"`
 	Vault         string `json:"vault,omitempty"`
+	SSE           string `json:"sse,omitempty"`
 	LDAPSecret    string `json:"ldapSecret,omitempty"`
 }
 
diff --git a/pkg/controller/perconaservermongodb/psmdb_controller.go b/pkg/controller/perconaservermongodb/psmdb_controller.go
@@ -137,19 +137,19 @@ func add(mgr manager.Manager, r reconcile.Reconciler) error {
 
 type CronRegistry struct {
 	crons      *cron.Cron
-	jobs       map[string]Shedule
+	jobs       map[string]Schedule
 	backupJobs *sync.Map
 }
 
-type Shedule struct {
-	ID          int
-	CronShedule string
+type Schedule struct {
+	ID           int
+	CronSchedule string
 }
 
 func NewCronRegistry() CronRegistry {
 	c := CronRegistry{
 		crons:      cron.New(),
-		jobs:       make(map[string]Shedule),
+		jobs:       make(map[string]Schedule),
 		backupJobs: new(sync.Map),
 	}
 
@@ -293,7 +293,6 @@ func (r *ReconcilePerconaServerMongoDB) Reconcile(ctx context.Context, request r
 	if err != nil {
 		return reconcile.Result{}, errors.Wrap(err, "reconcile users secret")
 	}
-
 	repls := cr.Spec.Replsets
 	if cr.Spec.Sharding.Enabled && cr.Spec.Sharding.ConfigsvrReplSet != nil {
 		repls = append([]*api.ReplsetSpec{cr.Spec.Sharding.ConfigsvrReplSet}, repls...)
diff --git a/pkg/controller/perconaservermongodb/version.go b/pkg/controller/perconaservermongodb/version.go
@@ -38,12 +38,12 @@ func (r *ReconcilePerconaServerMongoDB) scheduleEnsureVersion(ctx context.Contex
 		return nil
 	}
 
-	if ok && schedule.CronShedule == cr.Spec.UpgradeOptions.Schedule {
+	if ok && schedule.CronSchedule == cr.Spec.UpgradeOptions.Schedule {
 		return nil
 	}
 
 	if ok {
-		log.Info("remove job because of new", "old", schedule.CronShedule, "new", cr.Spec.UpgradeOptions.Schedule)
+		log.Info("remove job because of new", "old", schedule.CronSchedule, "new", cr.Spec.UpgradeOptions.Schedule)
 		r.deleteEnsureVersion(cr, schedule.ID)
 	}
 
@@ -91,9 +91,9 @@ func (r *ReconcilePerconaServerMongoDB) scheduleEnsureVersion(ctx context.Contex
 
 	jn := jobName(cr)
 	log.Info("add new job", "name", jn, "schedule", cr.Spec.UpgradeOptions.Schedule)
-	r.crons.jobs[jn] = Shedule{
-		ID:          int(id),
-		CronShedule: cr.Spec.UpgradeOptions.Schedule,
+	r.crons.jobs[jn] = Schedule{
+		ID:           int(id),
+		CronSchedule: cr.Spec.UpgradeOptions.Schedule,
 	}
 
 	return nil
diff --git a/pkg/controller/perconaservermongodbbackup/perconaservermongodbbackup_controller.go b/pkg/controller/perconaservermongodbbackup/perconaservermongodbbackup_controller.go
@@ -237,7 +237,7 @@ func (r *ReconcilePerconaServerMongoDBBackup) reconcile(
 	return bcp.Status(ctx, cr)
 }
 
-func (r *ReconcilePerconaServerMongoDBBackup) getPBMStorage(ctx context.Context, cr *psmdbv1.PerconaServerMongoDBBackup) (storage.Storage, error) {
+func (r *ReconcilePerconaServerMongoDBBackup) getPBMStorage(ctx context.Context, cluster *psmdbv1.PerconaServerMongoDB, cr *psmdbv1.PerconaServerMongoDBBackup) (storage.Storage, error) {
 	switch {
 	case cr.Status.Azure != nil:
 		if cr.Status.Azure.CredentialsSecret == "" {
@@ -276,17 +276,46 @@ func (r *ReconcilePerconaServerMongoDBBackup) getPBMStorage(ctx context.Context,
 			return nil, errors.Wrap(err, "getting s3 credentials secret name")
 		}
 
-		if len(cr.Status.S3.ServerSideEncryption.SSECustomerAlgorithm) != 0 && len(cr.Status.S3.ServerSideEncryption.SSECustomerKey) != 0 {
-			s3Conf.ServerSideEncryption = &s3.AWSsse{
-				SseCustomerAlgorithm: cr.Status.S3.ServerSideEncryption.SSECustomerAlgorithm,
-				SseCustomerKey:       cr.Status.S3.ServerSideEncryption.SSECustomerKey,
+		if len(cr.Status.S3.ServerSideEncryption.SSECustomerAlgorithm) != 0 {
+			switch {
+			case len(cr.Status.S3.ServerSideEncryption.SSECustomerKey) != 0:
+				s3Conf.ServerSideEncryption = &s3.AWSsse{
+					SseCustomerAlgorithm: cr.Status.S3.ServerSideEncryption.SSECustomerAlgorithm,
+					SseCustomerKey:       cr.Status.S3.ServerSideEncryption.SSECustomerKey,
+				}
+			case len(cluster.Spec.Secrets.SSE) != 0:
+				sseSecret, err := secret(ctx, r.client, cr.Namespace, cluster.Spec.Secrets.SSE)
+				if err != nil {
+					return nil, errors.Wrap(err, "get sse credentials secret")
+				}
+				s3Conf.ServerSideEncryption = &s3.AWSsse{
+					SseCustomerAlgorithm: cr.Status.S3.ServerSideEncryption.SSECustomerAlgorithm,
+					SseCustomerKey:       string(sseSecret.Data[backup.SSECustomerKey]),
+				}
+			default:
+				return nil, errors.New("no SseCustomerKey specified")
 			}
 		}
 
-		if len(cr.Status.S3.ServerSideEncryption.SSEAlgorithm) != 0 && len(cr.Status.S3.ServerSideEncryption.KMSKeyID) != 0 {
-			s3Conf.ServerSideEncryption = &s3.AWSsse{
-				SseAlgorithm: cr.Status.S3.ServerSideEncryption.SSEAlgorithm,
-				KmsKeyID:     cr.Status.S3.ServerSideEncryption.KMSKeyID,
+		if len(cr.Status.S3.ServerSideEncryption.SSEAlgorithm) != 0 {
+			switch {
+			case len(cr.Status.S3.ServerSideEncryption.KMSKeyID) != 0:
+				s3Conf.ServerSideEncryption = &s3.AWSsse{
+					SseAlgorithm: cr.Status.S3.ServerSideEncryption.SSEAlgorithm,
+					KmsKeyID:     cr.Status.S3.ServerSideEncryption.KMSKeyID,
+				}
+
+			case len(cluster.Spec.Secrets.SSE) != 0:
+				sseSecret, err := secret(ctx, r.client, cr.Namespace, cluster.Spec.Secrets.SSE)
+				if err != nil {
+					return nil, errors.Wrap(err, "get sse credentials secret")
+				}
+				s3Conf.ServerSideEncryption = &s3.AWSsse{
+					SseAlgorithm: cr.Status.S3.ServerSideEncryption.SSEAlgorithm,
+					KmsKeyID:     string(sseSecret.Data[backup.KMSKeyID]),
+				}
+			default:
+				return nil, errors.New("no KmsKeyID specified")
 			}
 		}
 
@@ -372,7 +401,7 @@ func (r *ReconcilePerconaServerMongoDBBackup) deleteBackupFinalizer(ctx context.
 		}
 	}
 	if b.pbm == nil || meta == nil {
-		stg, err := r.getPBMStorage(ctx, cr)
+		stg, err := r.getPBMStorage(ctx, cluster, cr)
 		if err != nil {
 			return errors.Wrap(err, "get storage")
 		}
diff --git a/pkg/psmdb/backup/pbm.go b/pkg/psmdb/backup/pbm.go
@@ -42,6 +42,8 @@ const (
 	AWSSecretAccessKeySecretKey      = "AWS_SECRET_ACCESS_KEY"
 	AzureStorageAccountNameSecretKey = "AZURE_STORAGE_ACCOUNT_NAME"
 	AzureStorageAccountKeySecretKey  = "AZURE_STORAGE_ACCOUNT_KEY"
+	SSECustomerKey                   = "SSE_CUSTOMER_KEY"
+	KMSKeyID                         = "KMS_KEY_ID"
 )
 
 type pbmC struct {
@@ -260,26 +262,56 @@ func GetPBMConfig(ctx context.Context, k8sclient client.Client, cluster *api.Per
 			},
 		}
 
-		if len(stg.S3.ServerSideEncryption.SSECustomerAlgorithm) != 0 && len(stg.S3.ServerSideEncryption.SSECustomerKey) != 0 {
-			conf.Storage.S3.ServerSideEncryption = &s3.AWSsse{
-				SseCustomerAlgorithm: stg.S3.ServerSideEncryption.SSECustomerAlgorithm,
-				SseCustomerKey:       stg.S3.ServerSideEncryption.SSECustomerKey,
-			}
-		}
-
-		if len(stg.S3.ServerSideEncryption.SSEAlgorithm) != 0 && len(stg.S3.ServerSideEncryption.KMSKeyID) != 0 {
-			conf.Storage.S3.ServerSideEncryption = &s3.AWSsse{
-				SseAlgorithm: stg.S3.ServerSideEncryption.SSEAlgorithm,
-				KmsKeyID:     stg.S3.ServerSideEncryption.KMSKeyID,
-			}
-		}
-
 		if len(stg.S3.CredentialsSecret) != 0 {
 			s3secret, err := getSecret(ctx, k8sclient, cluster.Namespace, stg.S3.CredentialsSecret)
 			if err != nil {
 				return conf, errors.Wrap(err, "get s3 credentials secret")
 			}
 
+			if len(stg.S3.ServerSideEncryption.SSECustomerAlgorithm) != 0 {
+
+				switch {
+				case len(stg.S3.ServerSideEncryption.SSECustomerKey) != 0:
+					conf.Storage.S3.ServerSideEncryption = &s3.AWSsse{
+						SseCustomerAlgorithm: stg.S3.ServerSideEncryption.SSECustomerAlgorithm,
+						SseCustomerKey:       stg.S3.ServerSideEncryption.SSECustomerKey,
+					}
+				case len(cluster.Spec.Secrets.SSE) != 0:
+					sseSecret, err := getSecret(ctx, k8sclient, cluster.Namespace, cluster.Spec.Secrets.SSE)
+
+					if err != nil {
+						return conf, errors.Wrap(err, "get sse credentials secret")
+					}
+					conf.Storage.S3.ServerSideEncryption = &s3.AWSsse{
+						SseCustomerAlgorithm: stg.S3.ServerSideEncryption.SSECustomerAlgorithm,
+						SseCustomerKey:       string(sseSecret.Data[SSECustomerKey]),
+					}
+				default:
+					return conf, errors.New("no SseCustomerKey specified")
+				}
+			}
+
+			if len(stg.S3.ServerSideEncryption.SSEAlgorithm) != 0 {
+				switch {
+				case len(stg.S3.ServerSideEncryption.KMSKeyID) != 0:
+					conf.Storage.S3.ServerSideEncryption = &s3.AWSsse{
+						SseAlgorithm: stg.S3.ServerSideEncryption.SSEAlgorithm,
+						KmsKeyID:     stg.S3.ServerSideEncryption.KMSKeyID,
+					}
+
+				case len(cluster.Spec.Secrets.SSE) != 0:
+					sseSecret, err := getSecret(ctx, k8sclient, cluster.Namespace, cluster.Spec.Secrets.SSE)
+					if err != nil {
+						return conf, errors.Wrap(err, "get sse credentials secret")
+					}
+					conf.Storage.S3.ServerSideEncryption = &s3.AWSsse{
+						SseAlgorithm: stg.S3.ServerSideEncryption.SSEAlgorithm,
+						KmsKeyID:     string(sseSecret.Data[KMSKeyID]),
+					}
+				default:
+					return conf, errors.New("no KmsKeyID specified")
+				}
+			}
 			conf.Storage.S3.Credentials = s3.Credentials{
 				AccessKeyID:     string(s3secret.Data[AWSAccessKeySecretKey]),
 				SecretAccessKey: string(s3secret.Data[AWSSecretAccessKeySecretKey]),

Original file line number	Diff line number	Diff line change
`@@ -493,8 +493,6 @@ func (cr *PerconaServerMongoDB) CheckNSetDefaults(platform version.Platform, log`
`493`	`493`	`}`
`494`	`494`
`495`	`495`	`if len(stg.S3.ServerSideEncryption.SSECustomerAlgorithm) != 0 &&`
`496`		`- len(stg.S3.ServerSideEncryption.SSECustomerKey) != 0 &&`
`497`		`- len(stg.S3.ServerSideEncryption.KMSKeyID) != 0 &&`
`498`	`496`	`len(stg.S3.ServerSideEncryption.SSEAlgorithm) != 0 {`
`499`	`497`	`return errors.New("For S3 storage only one encryption method can be used. Set either (sseAlgorithm and kmsKeyID) or (sseCustomerAlgorithm and sseCustomerKey)")`
`500`	`498`	`}`
Original file line number	Diff line number	Diff line change
`@@ -625,6 +625,7 @@ type SecretsSpec struct {`
`625`	`625`	SSLInternal string `json:"sslInternal,omitempty"`
`626`	`626`	EncryptionKey string `json:"encryptionKey,omitempty"`
`627`	`627`	Vault string `json:"vault,omitempty"`
	`628`	+ SSE string `json:"sse,omitempty"`
`628`	`629`	LDAPSecret string `json:"ldapSecret,omitempty"`
`629`	`630`	`}`
`630`	`631`