Merge pull request #2220 from xangelix/synapse-s3-sse-c

Add S3 SSE-C config support for synapse-s3-storage-provider
3 лет назад · d2416365d2
--- a/docs/configuring-playbook-synapse-s3-storage-provider.md
+++ b/docs/configuring-playbook-synapse-s3-storage-provider.md
@@ -39,6 +39,13 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: access-key-
 matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: secret-key-goes-here
 matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD # or STANDARD_IA, etc.

 # S3 Server Side Encryption with a Customer provided key (SSE-C) can also be configured as follows
 # This is not recommended unless you understand what you are doing, and may make restoring from backups additionally challenging
 # You can read more about SSE-C here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
 matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled: true
 matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key: ssec-key-goes-here # Generate with: cat /dev/urandom | base64 | head -c 32
 matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo: AES256

 # For additional advanced settings, take a look at `roles/custom/matrix-synapse/defaults/main.yml`
 ```

--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -792,7 +792,7 @@ matrix_synapse_ext_encryption_config_yaml: |
 # Installing it requires building a customized Docker image for Synapse (see `matrix_synapse_container_image_customizations_enabled`).
 # Enabling this will enable customizations and inject the appropriate Dockerfile clauses for installing synapse-s3-storage-provider.
 matrix_synapse_ext_synapse_s3_storage_provider_enabled: false
 matrix_synapse_ext_synapse_s3_storage_provider_version: 1.1.2
 matrix_synapse_ext_synapse_s3_storage_provider_version: 1.2.0
 # Controls whether media from this (local) server is stored in s3-storage-provider
 matrix_synapse_ext_synapse_s3_storage_provider_store_local: true
 # Controls whether media from remote servers is stored in s3-storage-provider
@@ -807,6 +807,9 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name: ''
 matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: ''
 matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: ''
 matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: ''
 matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled: false
 matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key: ''
 matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo: 'AES256'
 matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD
 matrix_synapse_ext_synapse_s3_storage_provider_config_threadpool_size: 40
 # matrix_synapse_ext_synapse_s3_storage_provider_update_db_day_count is a day value (number) for the `s3_media_upload update-db` command.
--- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2
@@ -10,4 +10,4 @@
 	--network={{ matrix_docker_network }} \
 	--entrypoint=/bin/bash \
 	{{ matrix_synapse_docker_image_final }} \
 	-c 's3_media_upload update-db $UPDATE_DB_DURATION && s3_media_upload --no-progress check-deleted $MEDIA_PATH && s3_media_upload --no-progress upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT'
 	-c 's3_media_upload update-db $UPDATE_DB_DURATION && s3_media_upload --no-progress check-deleted $MEDIA_PATH && s3_media_upload --no-progress upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %}--sse-customer-algo $SSE_CUSTOMER_ALGO --sse-customer-key $SSE_CUSTOMER_KEY{% endif %}'
--- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2
@@ -4,6 +4,12 @@ AWS_DEFAULT_REGION={{ matrix_synapse_ext_synapse_s3_storage_provider_config_regi

 ENDPOINT={{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url }}
 BUCKET={{ matrix_synapse_ext_synapse_s3_storage_provider_config_bucket }}

 {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %}
 SSE_CUSTOMER_KEY={{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key }}
 SSE_CUSTOMER_ALGO={{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo }}
 {% endif %}

 STORAGE_CLASS={{ matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class }}

 MEDIA_PATH=/matrix-media-store-parent/{{ matrix_synapse_media_store_directory_name }}
--- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2
@@ -9,6 +9,11 @@ config:
  access_key_id: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id | to_json }}
  secret_access_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key | to_json }}

 {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %}
  sse_customer_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | to_json }}
  sse_customer_algo: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo | to_json }}
 {% endif %}

  storage_class: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class | to_json }}

  threadpool_size: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_threadpool_size | to_json }}