From cd654b88f8c573f8c24bdc8bec61c93d679ab876 Mon Sep 17 00:00:00 2001
From: Cedric Grard
Date: Tue, 27 Aug 2024 11:44:07 +0200
Subject: [PATCH] feat: Add support for encryption as optional in BackupSnapshot
This commit modifies the `BackupSnapshot` function in the `service` package to add support for encryption of the etcd snapshot before uploading it to S3. The `BackupSnapshot` function now takes an additional boolean parameter `encrypt` which determines whether encryption should be enabled or not. If encryption is enabled, the etcd snapshot is encrypted using the provided public key before uploading it to S3. If encryption is disabled, the etcd snapshot is uploaded as is. This change allows users to choose whether they want to encrypt their etcd snapshots or not.
Signed-off-by: Cedric Grard
Signed-off-by: Cedric Grard
Signed-off-by: Noel Georgi
---
 cmd/talos-backup/main.go | 2 +-
 cmd/talos-backup/service/service.go | 28 ++++++++++++++++--------
 internal/integration/integration_test.go | 2 +-
 pkg/config/service.go | 3 +++
 4 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/cmd/talos-backup/main.go b/cmd/talos-backup/main.go
index d3cf82c..4cb5760 100644
--- a/cmd/talos-backup/main.go
+++ b/cmd/talos-backup/main.go
@@ -33,7 +33,7 @@ func run() error {
 return fmt.Errorf("failed to create talos client: %w", err)
 }
 
- return service.BackupEncryptedSnapshot(ctx, serviceConfig, talosConfig, talosClient)
+ return service.BackupSnapshot(ctx, serviceConfig, talosConfig, talosClient, serviceConfig.EnableEncryption)
 }
 
 func main() {
diff --git a/cmd/talos-backup/service/service.go b/cmd/talos-backup/service/service.go
index 5c2acd8..0259c6c 100644
--- a/cmd/talos-backup/service/service.go
+++ b/cmd/talos-backup/service/service.go
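Review bot: `service.BackupSnapshot(ctx, serviceConfig, talosConfig, talosClient, serviceConfig.EnableEncryption)` passes as a separate argument a value that is already carried by the `serviceConfig` handed over in the same call, so the two can disagree at other call sites. This may be intentional as a test seam (the integration test passes a literal `true`), but if not, reading `serviceConfig.EnableEncryption` inside BackupSnapshot would keep the decision in one place. The enclosing `run` starts outside the hunk.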
@@ -19,8 +19,8 @@ import (
 "github.com/siderolabs/talos-backup/pkg/util"
 )
 
-// BackupEncryptedSnapshot takes a snapshot of etcd, encrypts it and uploads it to S3.
-func BackupEncryptedSnapshot(ctx context.Context, serviceConfig *config.ServiceConfig, talosConfig *talosconfig.Config, talosClient *talosclient.Client) error {
+// BackupSnapshot takes a snapshot of etcd, encrypts it or not and uploads it to S3.
+func BackupSnapshot(ctx context.Context, serviceConfig *config.ServiceConfig, talosConfig *talosconfig.Config, talosClient *talosclient.Client, encrypt bool) error {
 clusterName := serviceConfig.ClusterName
 if clusterName == "" {
 clusterName = talosConfig.Context
@@ -33,12 +33,17 @@ func BackupEncryptedSnapshot(ctx context.Context, serviceConfig *config.ServiceC
 
 defer util.CleanupFile(snapshotPath)
 
- encryptedFileName, err := encryption.EncryptFile(snapshotPath, serviceConfig.AgeX25519PublicKey)
- if err != nil {
- return fmt.Errorf("failed to encrypt etcd snapshot: %w", err)
- }
+ if encrypt {
+ var encryptionErr error
 
- defer util.CleanupFile(encryptedFileName)
+ encryptedFileName, encryptionErr := encryption.EncryptFile(snapshotPath, serviceConfig.AgeX25519PublicKey)
+ if encryptionErr != nil {
+ return fmt.Errorf("failed to encrypt etcd snapshot: %w", encryptionErr)
+ }
+
+ defer util.CleanupFile(encryptedFileName)
+ snapshotPath = encryptedFileName
+ }
 
 client, err := s3.CreateClientWithCustomEndpoint(ctx, serviceConfig)
 if err != nil {
@@ -54,9 +59,14 @@ func BackupEncryptedSnapshot(ctx context.Context, serviceConfig *config.ServiceC
 s3Prefix = clusterName
 }
 
- err = s3.PushSnapshot(ctx, s3Info, client, s3Prefix, encryptedFileName)
+ err = s3.PushSnapshot(ctx, s3Info, client, s3Prefix, snapshotPath)
 if err != nil {
- return fmt.Errorf("failed to push encrypted snapshot: %w", err)
+ snapshotType := "snapshot"
+ if encrypt {
+ snapshotType = "encrypted snapshot"
+ }
+
+ return fmt.Errorf("failed to push %s: %w", snapshotType, err)
 }
 
 return nil
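Review bot: The new doc comment `// BackupSnapshot takes a snapshot of etcd, encrypts it or not and uploads it to S3.` does not say what controls the choice or what the unencrypted path means for the data at rest in S3. Suggest `// BackupSnapshot takes a snapshot of etcd, encrypts it with serviceConfig.AgeX25519PublicKey when encrypt is true (otherwise the raw snapshot is uploaded), and uploads the result to S3.` The body of BackupSnapshot continues past the hunk.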
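Review bot: `var encryptionErr error` in the `if encrypt` block is redundant: the `:=` two lines below declares `encryptionErr` in the same block anyway (`encryptedFileName` is the new name on that line), so the declaration can be dropped with no change in behaviour. More substantively, when `encrypt` is true an empty `serviceConfig.AgeX25519PublicKey` is only discovered inside `encryption.EncryptFile`, which from the hunk appears to run after the snapshot has already been taken and written to `snapshotPath`, and when `encrypt` is false a configured key is silently ignored and the raw snapshot goes to S3. Suggest validating at function entry, before taking the snapshot: `if encrypt && serviceConfig.AgeX25519PublicKey == "" { return fmt.Errorf("encryption enabled but no age public key configured") }`, and logging a warning for the key-set-but-encrypt-false combination, which most likely means an operator expected encrypted backups. BackupSnapshot starts and ends outside this hunk.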
diff --git a/internal/integration/integration_test.go b/internal/integration/integration_test.go
index 31d9414..b697126 100644
--- a/internal/integration/integration_test.go
+++ b/internal/integration/integration_test.go
@@ -376,7 +376,7 @@ func cleanup(pool *dockertest.Pool, resources ...*dockertest.Resource) error {
 func (suite *integrationTestSuite) TestBackupEncryptedSnapshot() {
 // when
 suite.Require().Nil(
- service.BackupEncryptedSnapshot(suite.ctx, &suite.serviceConfig, suite.talosConfig, suite.talosClient),
+ service.BackupSnapshot(suite.ctx, &suite.serviceConfig, suite.talosConfig, suite.talosClient, true),
 )
 
 // then
diff --git a/pkg/config/service.go b/pkg/config/service.go
index cbe9207..17d6299 100644
--- a/pkg/config/service.go
+++ b/pkg/config/service.go
@@ -18,6 +18,7 @@ type ServiceConfig struct {
 ClusterName string `yaml:"clusterName"`
 AgeX25519PublicKey string `yaml:"ageX25519PublicKey"`
 UsePathStyle bool `yaml:"usePathStyle"`
+ EnableEncryption bool `yaml:"enableEncryption"`
 }
 
 const (
@@ -27,6 +28,7 @@ const (
 s3PrefixEnvVar = "S3_PREFIX"
 clusterNameEnvVar = "CLUSTER_NAME"
 usePathStyleEnvVar = "USE_PATH_STYLE"
+ enableEncryptionEnvVar = "ENABLE_ENCRYPTION"
 ageX25519PublicKeyEnvVar = "AGE_X25519_PUBLIC_KEY"
 )
 
@@ -39,6 +41,7 @@ func GetServiceConfig() *ServiceConfig {
 S3Prefix: os.Getenv(s3PrefixEnvVar),
 ClusterName: os.Getenv(clusterNameEnvVar),
 UsePathStyle: os.Getenv(usePathStyleEnvVar) == "false",
+ EnableEncryption: os.Getenv(enableEncryptionEnvVar) == "true",
 AgeX25519PublicKey: os.Getenv(ageX25519PublicKeyEnvVar),
 }
 }
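Review bot: Only the `true` branch is exercised here; the new `encrypt == false` path that uploads the raw snapshot has no test at all. Suggest a sibling `TestBackupUnencryptedSnapshot` that calls `service.BackupSnapshot(suite.ctx, &suite.serviceConfig, suite.talosConfig, suite.talosClient, false)` and makes the same assertions on the uploaded object (whatever the `// then` section below checks, which is outside the hunk), so that a regression in either branch is caught. The test body continues past the hunk.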
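Review bot: `EnableEncryption: os.Getenv(enableEncryptionEnvVar) == "true"` in GetServiceConfig makes encryption opt-in, so any deployment that does not set ENABLE_ENCRYPTION — including every existing one, which before this commit always went through the encrypting path — now uploads the etcd snapshot to S3 in plaintext, and any value other than the exact string "true" (for example "1" or "TRUE") is silently treated as off. Suggest failing closed: treat an unset variable as enabled, the minimal form being `EnableEncryption: os.Getenv(enableEncryptionEnvVar) != "false",`, or parse with `strconv.ParseBool` and, since GetServiceConfig cannot return an error without a signature change, let an unparsable value fall on the encrypting side. Note also that the line directly above uses the opposite polarity (`UsePathStyle: ... == "false"`), so the two bool settings read inconsistently; aligning both on ParseBool would fix that too. This applies to the third hunk of this file; GetServiceConfig starts outside it.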