Add per-tenant S3 KMS SSE encryption key support to blocks storage #3811
LGTM so far, except I wouldn't rename existing interfaces to include "Overrides", and instead of adding the `S3SSEKMSKeyID` method everywhere, we can extend existing interfaces with newly introduced one.
4418cfe to 3aeec40
LGTM. I would still prefer if we didn't rename existing `BlocksStoreLimits` type to `BlocksStoreConfigOverrides`.
14702f4 to 9261743
LGTM, nice work!
…nt basis. Signed-off-by: Marco Pracucci <marco@pracucci.com>
Signed-off-by: Marco Pracucci <marco@pracucci.com>
0f038da to e31f09b
Reviewed latest changes – great job! I think CHANGELOG.md should mention the fact that SSE config can be changed for each tenant individually, using overrides mechanism in the runtime config.
What this PR does:
In the PR #3810 I'm proposing to add S3 KMS SSE encryption key support with a global config. On top of that, we'll need to also add support for a per-tenant encryption key override.
In this PR I'm proposing a refactoring to add the support in the blocks storage. The idea is to use `UserBucketClient` everywhere and take in input `overrides`. The `UserBucketClient.Upload()` will read the per-tenant encryption key from overrides and then inject it when calling the parent `Upload()` (idea is to inject via context).
I've manually tested it and looks working.
Which issue(s) this PR fixes:
N/A
Checklist
`CHANGELOG.md` updated - the order of entries should be `[CHANGE]`, `[FEATURE]`, `[ENHANCEMENT]`, `[BUGFIX]`
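
The wrapper pattern from the PR description above, sketched as an added example that is not the PR's or the project's own code: a per-tenant client looks up the tenant's KMS key and passes it to the parent `Upload()` through the context, and tenants without an override fall back to the global key. Only `UserBucketClient`, `Upload()` and `S3SSEKMSKeyID` are names from the page; `Bucket`, `Overrides`, `fakeS3`, `sseKeyCtx`, `globalKeyID` and all key and tenant values are assumptions constructed for illustration.

```go
package main

import (
	"context"
	"fmt"
)

type sseKeyCtx struct{} // unexported context key type: other packages cannot set or shadow it

const globalKeyID = "global-kms-key" // constructed: stands for the key in the global config

// Bucket is a hypothetical minimal object-store interface.
type Bucket interface {
	Upload(ctx context.Context, name string, data []byte) error
}

// Overrides is a hypothetical per-tenant lookup; a missing tenant yields "" (no override).
type Overrides map[string]string

func (o Overrides) S3SSEKMSKeyID(userID string) string { return o[userID] }

// fakeS3 stands in for the parent bucket: object name -> KMS key ID it would be encrypted with.
type fakeS3 map[string]string

func (b fakeS3) Upload(ctx context.Context, name string, _ []byte) error {
	b[name] = globalKeyID
	if v, ok := ctx.Value(sseKeyCtx{}).(string); ok {
		b[name] = v // per-tenant key injected by the wrapper
	}
	return nil
}

// UserBucketClient scopes uploads to one tenant and injects that tenant's key via context.
type UserBucketClient struct {
	userID string
	parent Bucket
	cfg    Overrides
}

func (c UserBucketClient) Upload(ctx context.Context, name string, data []byte) error {
	if keyID := c.cfg.S3SSEKMSKeyID(c.userID); keyID != "" {
		ctx = context.WithValue(ctx, sseKeyCtx{}, keyID)
	}
	return c.parent.Upload(ctx, c.userID+"/"+name, data)
}

func main() {
	s3, cfg := fakeS3{}, Overrides{"tenant-a": "key-a"}
	for _, u := range []string{"tenant-a", "tenant-b"} {
		UserBucketClient{u, s3, cfg}.Upload(context.Background(), "block/meta.json", nil)
	}
	fmt.Println(s3)
}
```

Because the key travels in the context rather than in the client's shared configuration, a check worth keeping in tests is that each tenant's objects are recorded with that tenant's key and never with another tenant's.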