Mount SSE-C Encryption file for the AWS plugin #837
Comments
Thanks for filing the issue!
At least for internal image backup, this may be blocked by distribution/distribution#3745
@WafaAmr is restic/restic#3612 (comment) a concern for you?
So if this gets implemented it would be scoped to just manifests most likely.
Velero's restic, and future kopia, use encryption that is independent from storage-provider-specific implementations.
Hey @kaovilai, thank you for your detailed response.
I'm not sure if Kopia will encrypt everything (vmware-tanzu/velero#3218 (comment)). If it's the case, it would be much better than supporting vendor-specific implementations.
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten
Rotten issues close after 30d of inactivity. Reopen the issue by commenting /close
@openshift-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/lifecycle frozen
SSE-C is working as documented in the aws plugin.
For anyone reading this: you need to trigger oadp's secret mounting per known issues in the hackmd above. Future enhancements will be after vmware-tanzu/velero#7767 is solved.
Is your feature request related to a problem? Please describe.
The AWS plugin supports Server-Side Encryption with Customer-Managed Keys.
For example:
As stated in the AWS:BSL documentation, I can define a path to the encryption file. The question now, Where should I specify the name of the Secret object customer-key to be mounted inside the velero-pod?
"Error getting backup store for this location" backupLocation=velero-sample-1 controller=backup-sync error="rpc error: code = Unknown desc = provided customerKeyEncryptionFile does not exist: /credentials/customer-key: stat /credentials/customer-key: no such file or directory"
Describe the solution you'd like
Provide a way to specify the secret customer-key as followed in backupLocation credential.
Additional context
OpenShift version : 4.9.48
OADP-Operator version : 1.1.0