From 96b3581828b978efa907f40c6cede457986ad3af Mon Sep 17 00:00:00 2001
From: nexusix
Date: Fri, 5 Oct 2018 19:08:03 +0300
Subject: [PATCH] enable S3 serverside encryption (#52)

* enable encryption
* Add variable description
* Fix readme
* fix breakup when AWS_S3_SSE is not provided
* fix pointers
---
 README.md | 4 ++++
 internal/awss3/storage.go | 35 +++++++++++++++++++++++++----------
 2 files changed, 29 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index d3e23814..8c190f5f 100644
--- a/README.md
+++ b/README.md
@@ -192,6 +192,10 @@ and others. To configure the plugin to work alternative S3 backend, just define
 See [these integration tests](https://github.com/hypnoglow/helm-s3/blob/master/hack/integration-tests-local.sh#L10) that use local minio docker container for a complete example.
 
 
+## Using S3 bucket ServerSide Encryption
+
+To enable S3 SSE export environment variable `AWS_S3_SSE` and set it to desired type for example `AES256`.
+
 ## Documentation
 
 Additional documentation is available in the [docs](docs) directory. This currently includes:
diff --git a/internal/awss3/storage.go b/internal/awss3/storage.go
index 90d306f5..e7420a58 100644
--- a/internal/awss3/storage.go
+++ b/internal/awss3/storage.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"net/url"
+	"os"
 	"strings"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -20,6 +21,11 @@ import (
 	"k8s.io/helm/pkg/provenance"
 )
 
+const (
+	// selects serverside encryption for bucket
+	awsS3encryption = "AWS_S3_SSE"
+)
+
 var (
 	// ErrBucketNotFound signals that a bucket was not found.
 	ErrBucketNotFound = errors.New("bucket not found")
@@ -33,6 +39,15 @@ func New(session *session.Session) *Storage {
 	return &Storage{session: session}
 }
 
+// Returns desired encryption
+func getSSE() *string {
+	sse := os.Getenv(awsS3encryption)
+	if sse == "" {
+		return nil
+	}
+	return &sse
+}
+
 // Storage provides an interface to work with AWS S3 objects by s3 protocol.
 type Storage struct {
 	session *session.Session
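Review bot: getSSE passes whatever AWS_S3_SSE holds straight through to S3 without checking it against the values S3 accepts for ServerSideEncryption (AES256 or aws:kms), so a typo such as `aes256` is only discovered as a rejected upload deep inside PutChart/PutIndex rather than at configuration time; a small `switch sse { case "AES256", "aws:kms": default: /* reject or warn */ }` in getSSE, or at least a note in the doc comment that the value is not validated, would make the failure mode explicit. The doc comment on getSSE should also follow Go convention and name the function, e.g. `// getSSE returns the server-side encryption algorithm requested via the AWS_S3_SSE environment variable, or nil when the variable is unset or empty, in which case uploads request no SSE and rely on any bucket default.` Presumably choosing `aws:kms` here uses the account's default S3 KMS key, since the patch exposes no way to set a key id; that is worth stating in the comment on awsS3encryption so operators do not assume a customer-managed key is in use. For initialism consistency the constant would normally be spelled `awsS3Encryption`. The import, const and README hunks need no further comment.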
@@ -227,14 +242,14 @@ func (s *Storage) PutChart(ctx context.Context, uri string, r io.Reader, chartMe
 	if err != nil {
 		return "", err
 	}
-
 	result, err := s3manager.NewUploader(s.session).UploadWithContext(
 		ctx,
 		&s3manager.UploadInput{
-			Bucket: aws.String(bucket),
-			Key:    aws.String(key),
-			ACL:    aws.String(acl),
-			Body:   r,
+			Bucket:               aws.String(bucket),
+			Key:                  aws.String(key),
+			ACL:                  aws.String(acl),
+			ServerSideEncryption: getSSE(),
+			Body:                 r,
 			Metadata: map[string]*string{
 				metaChartMetadata: aws.String(chartMeta),
 				metaChartDigest:   aws.String(chartDigest),
@@ -259,14 +274,14 @@ func (s *Storage) PutIndex(ctx context.Context, uri string, acl string, r io.Rea
 	if err != nil {
 		return err
 	}
-
 	_, err = s3manager.NewUploader(s.session).UploadWithContext(
 		ctx,
 		&s3manager.UploadInput{
-			Bucket: aws.String(bucket),
-			Key:    aws.String(key),
-			ACL:    aws.String(acl),
-			Body:   r,
+			Bucket:               aws.String(bucket),
+			Key:                  aws.String(key),
+			ACL:                  aws.String(acl),
+			ServerSideEncryption: getSSE(),
+			Body:                 r,
 		})
 	if err != nil {
 		return errors.Wrap(err, "upload index to S3 bucket")
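Review bot: Both PutChart and PutIndex now reach into the process environment on every call through `getSSE()`, which makes the encryption setting an implicit global rather than part of the Storage configuration: two Storage values in one process cannot differ, and tests cannot exercise the SSE path without mutating os.Environ. Reading the value once in New into a field and using it here, `ServerSideEncryption: s.sse,` in both UploadInput literals (with `sse: getSSE()` set in the constructor), keeps the call sites identical while making the dependency explicit; the same change applies to the PutIndex hunk below. If the value is kept env-driven, the wrapped error on the last line (`"upload index to S3 bucket"`) is where an invalid AWS_S3_SSE value will surface, so mentioning the variable in that message or in the doc comments of PutChart/PutIndex would shorten diagnosis. Both functions start and end outside these hunks.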