Try different configuration for S3 SSE-C (#363)

* Try different configuration for S3 SSE-C

* Switch to pod_environment_secret

* Move sensitive information to Secret, leave everything else in ConfigMap

* Disable linter as this is not the actual secret

* Test ConfigMap and Secret at the same time

* Read wal_g encryption key from central secret

Author: eberlep

controllers/postgres_controller.go

@@ -53,6 +53,8 @@ const (
 	postgresExporterServiceProjectIDAnnotationName string = pg.ProjectIDLabelName
 	storageEncryptionKeyName                       string = "storage-encryption-key"
 	storageEncryptionKeyFinalizerName              string = "postgres.database.fits.cloud/secret-finalizer"
+	walGEncryptionSecretNamePostfix                string = "-walg-encryption"
+	walGEncryptionSecretKeyName                    string = "key"
 )
 
 // requeue defines in how many seconds a requeue should happen
@@ -80,6 +82,8 @@ type PostgresReconciler struct {
 	PatroniLoopWait                     uint32
 	PatroniRetryTimeout                 uint32
 	EnableRandomStorageEncryptionSecret bool
+	EnableWalGEncryption                bool
+	PostgresletFullname                 string
 }
 
 // Reconcile is the entry point for postgres reconciliation.
@@ -403,6 +407,10 @@ func (r *PostgresReconciler) ensureZalandoDependencies(ctx context.Context, p *p
 		return fmt.Errorf("error while updating backup config: %w", err)
 	}
 
+	if err := r.updatePodEnvironmentSecret(ctx, p); err != nil {
+		return fmt.Errorf("error while updating backup config secret: %w", err)
+	}
+
 	return nil
 }
 
@@ -433,19 +441,12 @@ func (r *PostgresReconciler) updatePodEnvironmentConfigMap(ctx context.Context,
 
 	// use the rest as provided in the secret
 	bucketName := backupConfig.S3BucketName
-	awsAccessKeyID := backupConfig.S3AccessKey
-	awsSecretAccessKey := backupConfig.S3SecretKey
 	backupSchedule := backupConfig.Schedule
 	backupNumToRetain := backupConfig.Retention
 
-	// s3 server side encryption SSE is enabled if the key is given
-	// TODO our s3 needs a small change to make this work
+	// s3 server side encryption SSE is disabled
+	// we use client side encryption
 	walgDisableSSE := "true"
-	walgSSE := ""
-	if backupConfig.S3EncryptionKey != nil {
-		walgDisableSSE = "false"
-		walgSSE = *backupConfig.S3EncryptionKey
-	}
 
 	// create updated content for pod environment configmap
 	data := map[string]string{
@@ -457,12 +458,9 @@ func (r *PostgresReconciler) updatePodEnvironmentConfigMap(ctx context.Context,
 		"WALE_BACKUP_THRESHOLD_PERCENTAGE": "100",
 		"AWS_ENDPOINT":                     awsEndpoint,
 		"WALE_S3_ENDPOINT":                 walES3Endpoint, // same as above, but slightly modified
-		"AWS_ACCESS_KEY_ID":                awsAccessKeyID,
-		"AWS_SECRET_ACCESS_KEY":            awsSecretAccessKey,
 		"AWS_S3_FORCE_PATH_STYLE":          "true",
 		"AWS_REGION":                       region,         // now we can use AWS S3
-		"WALG_DISABLE_S3_SSE":              walgDisableSSE, // disable server side encryption if key is nil
-		"WALG_S3_SSE":                      walgSSE,        // server side encryption key
+		"WALG_DISABLE_S3_SSE":              walgDisableSSE, // server side encryption
 		"BACKUP_SCHEDULE":                  backupSchedule,
 		"BACKUP_NUM_TO_RETAIN":             backupNumToRetain,
 	}
@@ -491,6 +489,62 @@ func (r *PostgresReconciler) updatePodEnvironmentConfigMap(ctx context.Context,
 	return nil
 }
 
+func (r *PostgresReconciler) updatePodEnvironmentSecret(ctx context.Context, p *pg.Postgres) error {
+	log := r.Log.WithValues("postgres", p.Name)
+	if p.Spec.BackupSecretRef == "" {
+		log.Info("No configured backupSecretRef found, skipping configuration of postgres backup")
+		return nil
+	}
+
+	backupConfig, err := r.getBackupConfig(ctx, p.Namespace, p.Spec.BackupSecretRef)
+	if err != nil {
+		return err
+	}
+
+	awsAccessKeyID := backupConfig.S3AccessKey
+	awsSecretAccessKey := backupConfig.S3SecretKey
+
+	// create updated content for pod environment configmap
+	data := map[string][]byte{
+		"AWS_ACCESS_KEY_ID":     []byte(awsAccessKeyID),
+		"AWS_SECRET_ACCESS_KEY": []byte(awsSecretAccessKey),
+	}
+
+	// libsodium client side encryption key
+	if r.EnableWalGEncryption {
+		s, err := r.getWalGEncryptionSecret(ctx)
+		if err != nil {
+			return err
+		}
+		k, exists := s.Data[walGEncryptionSecretKeyName]
+		if !exists {
+			return fmt.Errorf("could not find key %v in secret %v/%v-%v", walGEncryptionSecretKeyName, r.PostgresletNamespace, r.PostgresletFullname, walGEncryptionSecretNamePostfix)
+		}
+		// libsodium keys are fixed-size keys of 32 bytes, see https://github.com/wal-g/wal-g#encryption
+		if len(k) != 32 {
+			return fmt.Errorf("wal_g encryption key must be exactly 32 bytes, got %v", len(k))
+		}
+		data["WALG_LIBSODIUM_KEY"] = k
+	}
+
+	var s *corev1.Secret
+	ns := types.NamespacedName{
+		Name:      operatormanager.PodEnvCMName,
+		Namespace: p.ToPeripheralResourceNamespace(),
+	}
+
+	if s, err = r.CreateOrGetPodEnvironmentSecret(ctx, ns.Namespace); err != nil {
+		return fmt.Errorf("error while accessing the pod environment secret %v: %w", ns.Namespace, err)
+	}
+
+	s.Data = data
+	if err := r.SvcClient.Update(ctx, s); err != nil {
+		return fmt.Errorf("error while updating the pod environment secret in service cluster: %w", err)
+	}
+
+	return nil
+}
+
 func (r *PostgresReconciler) isManagedByUs(obj *pg.Postgres) bool {
 	if obj.Spec.PartitionID != r.PartitionID {
 		return false
@@ -1206,6 +1260,24 @@ func (r *PostgresReconciler) deleteExporterSidecarService(ctx context.Context, n
 	return nil
 }
 
+func (r *PostgresReconciler) getWalGEncryptionSecret(ctx context.Context) (*corev1.Secret, error) {
+
+	ns := r.PostgresletNamespace
+	name := r.PostgresletFullname + walGEncryptionSecretNamePostfix
+
+	// fetch secret
+	s := &corev1.Secret{}
+	nn := types.NamespacedName{
+		Name:      name,
+		Namespace: ns,
+	}
+	if err := r.SvcClient.Get(ctx, nn, s); err != nil {
+		return nil, fmt.Errorf("error while getting the backup secret from service cluster: %w", err)
+	}
+
+	return s, nil
+}
+
 func (r *PostgresReconciler) ensureStorageEncryptionSecret(ctx context.Context, instance *pg.Postgres) error {
 
 	if !r.EnableRandomStorageEncryptionSecret {

main.go

@@ -70,6 +70,7 @@ const (
 	postgresletFullnameFlg                = "postgreslet-fullname"
 	enableLBSourceRangesFlg               = "enable-lb-source-ranges"
 	enableRandomStorageEncrytionSecretFlg = "enable-random-storage-encryption-secret"
+	enableWalGEncryptionFlg               = "enable-walg-encryption"
 )
 
 var (
@@ -120,6 +121,7 @@ func main() {
 		deployEtcd                         bool
 		enableLBSourceRanges               bool
 		enableRandomStorageEncrytionSecret bool
+		enableWalGEncryption               bool
 
 		portRangeStart int
 		portRangeSize  int
@@ -250,6 +252,9 @@ func main() {
 	viper.SetDefault(enableRandomStorageEncrytionSecretFlg, false)
 	enableRandomStorageEncrytionSecret = viper.GetBool(enableRandomStorageEncrytionSecretFlg)
 
+	viper.SetDefault(enableWalGEncryptionFlg, false)
+	enableWalGEncryption = viper.GetBool(enableWalGEncryptionFlg)
+
 	ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
 
 	ctrl.Log.Info("flag",
@@ -284,9 +289,10 @@ func main() {
 		etcdBackupSidecarImageFlg, etcdBackupSidecarImage,
 		etcdBackupSecretNameFlg, etcdBackupSecretName,
 		etcdPSPNameFlg, etcdPSPName,
-		postgresletFullnameFlg, postgresletFullname,
 		enableLBSourceRangesFlg, enableLBSourceRanges,
 		enableRandomStorageEncrytionSecretFlg, enableRandomStorageEncrytionSecret,
+		postgresletFullnameFlg, postgresletFullname,
+		enableWalGEncryptionFlg, enableWalGEncryption,
 	)
 
 	svcClusterConf := ctrl.GetConfigOrDie()
@@ -391,6 +397,8 @@ func main() {
 		PatroniLoopWait:                     patroniLoopWait,
 		PatroniRetryTimeout:                 patroniRetryTimeout,
 		EnableRandomStorageEncryptionSecret: enableRandomStorageEncrytionSecret,
+		EnableWalGEncryption:                enableWalGEncryption,
+		PostgresletFullname:                 postgresletFullname,
 	}).SetupWithManager(ctrlPlaneClusterMgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "Postgres")
 		os.Exit(1)

pkg/operatormanager/operatormanager.go

@@ -39,6 +39,9 @@ const (
 	// PodEnvCMName Name of the pod environment configmap to create and use
 	PodEnvCMName string = "postgres-pod-config"
 
+	// PodEnvSecretName Name of the pod environment secret to create and use
+	PodEnvSecretName string = "postgres-pod-secret" //nolint:gosec
+
 	operatorPodLabelName  string = "name"
 	operatorPodLabelValue string = "postgres-operator"
 
@@ -124,6 +127,11 @@ func (m *OperatorManager) InstallOrUpdateOperator(ctx context.Context, namespace
 		return fmt.Errorf("error while creating pod environment configmap %v: %w", namespace, err)
 	}
 
+	// Add our (initially empty) custom pod environment secret
+	if _, err := m.CreateOrGetPodEnvironmentSecret(ctx, namespace); err != nil {
+		return fmt.Errorf("error while creating pod environment secret %v: %w", namespace, err)
+	}
+
 	// Add our sidecars configmap
 	if err := m.createOrUpdateSidecarsConfig(ctx, namespace); err != nil {
 		return fmt.Errorf("error while creating sidecars config %v: %w", namespace, err)
@@ -396,6 +404,8 @@ func (m *OperatorManager) editConfigMap(cm *corev1.ConfigMap, namespace string,
 	cm.Data["pod_service_account_name"] = serviceAccountName
 	// set the reference to our custom pod environment configmap
 	cm.Data["pod_environment_configmap"] = PodEnvCMName
+	// set the reference to our custom pod environment secret
+	cm.Data["pod_environment_secret"] = PodEnvSecretName
 	// set the list of inherited labels that will be passed on to the pods
 	s := []string{pg.TenantLabelName, pg.ProjectIDLabelName, pg.UIDLabelName, pg.NameLabelName}
 	// TODO maybe use a precompiled string here
@@ -491,6 +501,35 @@ func (m *OperatorManager) CreatePodEnvironmentConfigMap(ctx context.Context, nam
 	return cm, nil
 }
 
+// CreateOrGetPodEnvironmentSecret creates a new Secret with additional environment variables for the pods or simply returns it if it already exists
+func (m *OperatorManager) CreateOrGetPodEnvironmentSecret(ctx context.Context, namespace string) (*corev1.Secret, error) {
+	ns := types.NamespacedName{
+		Namespace: namespace,
+		Name:      PodEnvSecretName,
+	}
+	s := &corev1.Secret{}
+	if err := m.Get(ctx, ns, s); err == nil {
+		// secret already exists, nothing to do here
+		// we will update the secret with the correct S3 config in the postgres controller
+		m.log.Info("Pod Environment Secret already exists")
+		return s, nil
+	}
+
+	if err := m.SetName(s, PodEnvSecretName); err != nil {
+		return nil, fmt.Errorf("error while setting the name of the new Pod Environment Secret to %v: %w", namespace, err)
+	}
+	if err := m.SetNamespace(s, namespace); err != nil {
+		return nil, fmt.Errorf("error while setting the namespace of the new Pod Environment Secret to %v: %w", namespace, err)
+	}
+
+	if err := m.Create(ctx, s); err != nil {
+		return nil, fmt.Errorf("error while creating the new Pod Environment Secret: %w", err)
+	}
+	m.log.Info("new Pod Environment Secret created")
+
+	return s, nil
+}
+
 func (m *OperatorManager) createOrUpdateSidecarsConfig(ctx context.Context, namespace string) error {
 	// try to fetch the global sidecars configmap
 	cns := types.NamespacedName{