feat: Add support for encryption as optional in BackupSnapshot

This commit modifies the `BackupSnapshot` function in the `service` package to add support for encryption of the etcd snapshot before uploading it to S3. The `BackupSnapshot` function now takes an additional boolean parameter `encrypt` which determines whether encryption should be enabled or not. If encryption is enabled, the etcd snapshot is encrypted using the provided public key before uploading it to S3. If encryption is disabled, the etcd snapshot is uploaded as is. This change allows users to choose whether they want to encrypt their etcd snapshots or not. Signed-off-by: Cedric Grard <[email protected]> Signed-off-by: Cedric Grard <[email protected]> Signed-off-by: Noel Georgi <[email protected]>
siderolabs · Aug 27, 2024 · cd654b8 · cd654b8
1 parent db9891a
commit cd654b8
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 11 deletions.
diff --git a/cmd/talos-backup/main.go b/cmd/talos-backup/main.go
@@ -33,7 +33,7 @@ func run() error {
 		return fmt.Errorf("failed to create talos client: %w", err)
 	}
 
-	return service.BackupEncryptedSnapshot(ctx, serviceConfig, talosConfig, talosClient)
+	return service.BackupSnapshot(ctx, serviceConfig, talosConfig, talosClient, serviceConfig.EnableEncryption)
 }
 
 func main() {

diff --git a/cmd/talos-backup/service/service.go b/cmd/talos-backup/service/service.go
@@ -19,8 +19,8 @@ import (
 	"github.com/siderolabs/talos-backup/pkg/util"
 )
 
-// BackupEncryptedSnapshot takes a snapshot of etcd, encrypts it and uploads it to S3.
-func BackupEncryptedSnapshot(ctx context.Context, serviceConfig *config.ServiceConfig, talosConfig *talosconfig.Config, talosClient *talosclient.Client) error {
+// BackupSnapshot takes a snapshot of etcd, encrypts it or not and uploads it to S3.
+func BackupSnapshot(ctx context.Context, serviceConfig *config.ServiceConfig, talosConfig *talosconfig.Config, talosClient *talosclient.Client, encrypt bool) error {
 	clusterName := serviceConfig.ClusterName
 	if clusterName == "" {
 		clusterName = talosConfig.Context
@@ -33,12 +33,17 @@ func BackupEncryptedSnapshot(ctx context.Context, serviceConfig *config.ServiceC
 
 	defer util.CleanupFile(snapshotPath)
 
-	encryptedFileName, err := encryption.EncryptFile(snapshotPath, serviceConfig.AgeX25519PublicKey)
-	if err != nil {
-		return fmt.Errorf("failed to encrypt etcd snapshot: %w", err)
-	}
+	if encrypt {
+		var encryptionErr error
 
-	defer util.CleanupFile(encryptedFileName)
+		encryptedFileName, encryptionErr := encryption.EncryptFile(snapshotPath, serviceConfig.AgeX25519PublicKey)
+		if encryptionErr != nil {
+			return fmt.Errorf("failed to encrypt etcd snapshot: %w", encryptionErr)
+		}
+
+		defer util.CleanupFile(encryptedFileName)
+		snapshotPath = encryptedFileName
+	}
 
 	client, err := s3.CreateClientWithCustomEndpoint(ctx, serviceConfig)
 	if err != nil {
@@ -54,9 +59,14 @@ func BackupEncryptedSnapshot(ctx context.Context, serviceConfig *config.ServiceC
 		s3Prefix = clusterName
 	}
 
-	err = s3.PushSnapshot(ctx, s3Info, client, s3Prefix, encryptedFileName)
+	err = s3.PushSnapshot(ctx, s3Info, client, s3Prefix, snapshotPath)
 	if err != nil {
-		return fmt.Errorf("failed to push encrypted snapshot: %w", err)
+		snapshotType := "snapshot"
+		if encrypt {
+			snapshotType = "encrypted snapshot"
+		}
+
+		return fmt.Errorf("failed to push %s: %w", snapshotType, err)
 	}
 
 	return nil

diff --git a/internal/integration/integration_test.go b/internal/integration/integration_test.go
@@ -376,7 +376,7 @@ func cleanup(pool *dockertest.Pool, resources ...*dockertest.Resource) error {
 func (suite *integrationTestSuite) TestBackupEncryptedSnapshot() {
 	// when
 	suite.Require().Nil(
-		service.BackupEncryptedSnapshot(suite.ctx, &suite.serviceConfig, suite.talosConfig, suite.talosClient),
+		service.BackupSnapshot(suite.ctx, &suite.serviceConfig, suite.talosConfig, suite.talosClient, true),
 	)
 
 	// then

diff --git a/pkg/config/service.go b/pkg/config/service.go
@@ -18,6 +18,7 @@ type ServiceConfig struct {
 	ClusterName        string `yaml:"clusterName"`
 	AgeX25519PublicKey string `yaml:"ageX25519PublicKey"`
 	UsePathStyle       bool   `yaml:"usePathStyle"`
+	EnableEncryption   bool   `yaml:"enableEncryption"`
 }
 
 const (
@@ -27,6 +28,7 @@ const (
 	s3PrefixEnvVar           = "S3_PREFIX"
 	clusterNameEnvVar        = "CLUSTER_NAME"
 	usePathStyleEnvVar       = "USE_PATH_STYLE"
+	enableEncryptionEnvVar   = "ENABLE_ENCRYPTION"
 	ageX25519PublicKeyEnvVar = "AGE_X25519_PUBLIC_KEY"
 )
 
@@ -39,6 +41,7 @@ func GetServiceConfig() *ServiceConfig {
 		S3Prefix:           os.Getenv(s3PrefixEnvVar),
 		ClusterName:        os.Getenv(clusterNameEnvVar),
 		UsePathStyle:       os.Getenv(usePathStyleEnvVar) == "false",
+		EnableEncryption:   os.Getenv(enableEncryptionEnvVar) == "true",
 		AgeX25519PublicKey: os.Getenv(ageX25519PublicKeyEnvVar),
 	}
 }