feat(s3): add server side encryption
nebnes authored and sylvestre committed Oct 24, 2023
1 parent 841fb0b commit 9d7bdb0
Showing 5 changed files with 24 additions and 0 deletions.
1 change: 1 addition & 0 deletions docs/Configuration.md
Expand Up @@ -52,6 +52,7 @@ bucket = "name"
endpoint = "s3-us-east-1.amazonaws.com"
use_ssl = true
key_prefix = "s3prefix"
server_side_encription = false
```

sccache looks for its configuration file at the path indicated by env variable `SCCACHE_CONF`.
3 changes: 3 additions & 0 deletions docs/S3.md
Expand Up @@ -6,6 +6,9 @@ If using the default endpoint, you **must** configure the region using the `SCCA

If your endpoint requires HTTPS/TLS, set `SCCACHE_S3_USE_SSL=true`. If you don't need a secure network layer, HTTP (`SCCACHE_S3_USE_SSL=false`) might be better for performance.

Enable server side encryption with s3 managed key (SSE-S3), set `SCCACHE_S3_SERVER_SIDE_ENCRYPTION=true` .
More details about encryption [here](https://opendal.apache.org/docs/services/s3/#server-side-encryption) and documentation [here](https://docs.rs/opendal/latest/opendal/services/struct.S3.html#method.server_side_encryption_with_s3_key).

You can also define a prefix that will be prepended to the keys of all cache objects created and read within the S3 bucket, effectively creating a scope. To do that use the `SCCACHE_S3_KEY_PREFIX` environment variable. This can be useful when sharing a bucket with another application.

# R2
1 change: 1 addition & 0 deletions src/cache/cache.rs
Expand Up @@ -547,6 +547,7 @@ pub fn storage_from_config(
c.no_credentials,
c.endpoint.as_deref(),
c.use_ssl,
c.server_side_encryption,
)
.map_err(|err| anyhow!("create s3 cache failed: {err:?}"))?;

5 changes: 5 additions & 0 deletions src/cache/s3.rs
Expand Up @@ -26,6 +26,7 @@ impl S3Cache {
no_credentials: bool,
endpoint: Option<&str>,
use_ssl: Option<bool>,
server_side_encryption: Option<bool>,
) -> Result<Operator> {
let mut builder = S3::default();
builder.bucket(bucket);
Expand All @@ -51,6 +52,10 @@ impl S3Cache {
builder.endpoint(&endpoint_resolver(endpoint, use_ssl)?);
}

if server_side_encryption.unwrap_or_default() {
builder.server_side_encryption_with_s3_key();
}

let op = Operator::new(builder)?
.layer(LoggingLayer::default())
.finish();
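Review bot: The new `server_side_encryption: Option<bool>` parameter sits directly after `use_ssl: Option<bool>` in a long positional list, so a call site that transposes the two still compiles and would silently change both the TLS and the encryption setting. The caller shown in src/cache/cache.rs passes them in the right order, but nothing in the signature enforces it; passing the S3 config struct (or a small options struct) would remove the hazard. At minimum the parameter should be documented, e.g. `/// server_side_encryption: Some(true) requests SSE-S3 on written objects; None or Some(false) leaves it off`. The `if server_side_encryption.unwrap_or_default()` branch is also silent, so a log line stating whether SSE was requested would let operators confirm the setting took effect. The function starts and ends outside the visible hunks.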
14 changes: 14 additions & 0 deletions src/config.rs
Expand Up @@ -245,6 +245,7 @@ pub struct S3CacheConfig {
pub no_credentials: bool,
pub endpoint: Option<String>,
pub use_ssl: Option<bool>,
pub server_side_encryption: Option<bool>,
}

#[derive(Debug, PartialEq, Eq)]
Expand Down Expand Up @@ -519,6 +520,16 @@ fn config_from_env() -> Result<EnvConfig> {
let use_ssl = env::var("SCCACHE_S3_USE_SSL")
.ok()
.map(|value| value != "off");
let server_side_encryption =
env::var("SCCACHE_S3_SERVER_SIDE_ENCRYPTION")
.ok()
.map_or(Ok(Some(false)), |val| match val.as_str() {
"true" | "1" => Ok(Some(true)),
"false" | "0" => Ok(Some(false)),
_ => bail!(
"SCCACHE_S3_SERVER_SIDE_ENCRYPTION must be 'true', '1', 'false', or '0'."
),
})?;
let endpoint = env::var("SCCACHE_ENDPOINT").ok();
let key_prefix = env::var("SCCACHE_S3_KEY_PREFIX")
.ok()
Expand All @@ -535,6 +546,7 @@ fn config_from_env() -> Result<EnvConfig> {
key_prefix,
endpoint,
use_ssl,
server_side_encryption,
})
} else {
None
Expand Down Expand Up @@ -1244,6 +1256,7 @@ endpoint = "s3-us-east-1.amazonaws.com"
use_ssl = true
key_prefix = "s3prefix"
no_credentials = true
server_side_encryption = false
[cache.webdav]
endpoint = "http://127.0.0.1:8080"
Expand Down Expand Up @@ -1289,6 +1302,7 @@ token = "webdavtoken"
use_ssl: Some(true),
key_prefix: "s3prefix".into(),
no_credentials: true,
server_side_encryption: Some(false)
}),
webdav: Some(WebdavCacheConfig {
endpoint: "http://127.0.0.1:8080".to_string(),
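Review bot: The field added to `S3CacheConfig` is `server_side_encryption`, but the example this commit adds to docs/Configuration.md spells the key `server_side_encription`; the documented line should read `server_side_encryption = false`. Whether an unknown key in the config file is rejected or ignored is not visible in these hunks, but if it is ignored, a user who copies the documented spelling and sets it to `true` would get an unencrypted cache with no error. The TOML fixture in the config test uses the correct spelling, so the test suite passes regardless of the doc and will not catch the mismatch.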
