Adds support to S3 server side encryption using AWS KMS

[lucasvmiguel]

What this PR does: Adds support to S3 server side encryption using KMS.

Which issue(s) this PR fixes:
Fixes #3437

Checklist

• Tests updated
• Documentation added
• CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX]
• Manually tests to verify if S3 SSE is working
  • Data stored without SSE
  • Data stored with deprecated SSE (s3.sse-encryption=true)
  • Data stored with S3 SSE (sse-config.type=SSE-S3)
  • Data store with S3 KMS (sse-config.type=SSE-KMS)

TIP: Just to help future folks that want to use this feature (because I lost sometime to understand how I'd fetch the data back from the S3 bucket). You basically have to create the following IAM policy and attach to an IAM role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "s3:GetObject"
            ],
            "Resource": [
                "<AWS KMS KEY ARN>",
                "<AWS S3 BUCKET ARN>/*"
            ]
        }
    ]
}

[pracucci]

Thanks for working on this! I haven't review it properly. Just leaving a comment about a little thing I've noticed and then will do a proper review.

[lucasvmiguel]

Manual tests performed

bucket name	params	result
cortex-test-sse	none	stored without SSE
cortex-test-sse-2	s3.sse-encryption=true	stored encrypted data with SSE-S3
cortex-test-sse-3	s3.sse-config.type=SSE-S3	stored encrypted data with SSE-S3
cortex-test-sse-4	s3.sse-config.type=SSE-KMS and s3.sse-config.kms-key-id=SOME_KEY	stored encrypted data with SSE-KMS

[pracucci]

Good job @lucasvmiguel and sorry for the extremely delay in the review! Overall LGTM, just left few comments to polish it a bit before merging. Thanks!

[pracucci]

We're used to define RegisterFlagsWithPrefix(prefix string, f *flag.FlagSet) on the receiver config. I would suggest you to do the same on SSEConfig, passing prefix+"s3.sse." as prefix to SSEConfig.RegisterFlagsWithPrefix().

[pracucci]

Please add also a // TODO Remove in Cortex 1.9.0 (because we guarantee deprecated config to be removed at least after 2 minor releases).

[pracucci]

Why do we need this when we already have SSEConfig?

[lucasvmiguel]

SSEConfig is the struct responsible to receive the config from the CLI or a config file. After SSEConfig is filled with the values provided by the user, a SSEEncryptionConfig struct will be created to be worked inside the application. In the end, SSEEncryptionConfig will have different values than SSEConfig.

[pracucci]

I'm not a big fan of pointers in config structs. You can achieve the same assuming empty string means not configured (which should be fine in this context).

[lucasvmiguel]

AWS lib uses string pointers several times in there. Removing string pointers from sse_config.go (SSEEncryptionConfig) means that I will have to treat that on the file s3_storage_client.go, which has more logic that should have.

[pracucci]

In recent times we stopped appending _config to sub-config structs cause it's a bit redundant. I would remove it from here too.

Suggested change

	SSEConfig SSEConfig `yaml:"sse_config"`
	SSEConfig SSEConfig `yaml:"sse"`

[lucasvmiguel]

If we decide to not use _config, we won't be compatible with Thanos config.

I don't mind to remove _config, I just thought that we wanted the config interface exactly the same as Thanos. (to not "break" any future migration)

[pracucci]

We're not 1:1 compatible with Thanos even in the blocks storage. It's perfectly fine. We just wanna let configure the same things, so that when we'll add KMS support to blocks storage too we can keep the same config struct.

[pracucci]

We're used to group CHANGELOG entries together by type. Please move this entry below, under the group of [FEATURE].

[pracucci]

We've just released 1.7.0-rc.0. Could you rebase master and move the CHANGELOG entry under the master / unreleased section, please?

[pracucci]

We've just released 1.7.0-rc.0. Could you rebase master and move the CHANGELOG entry under the master / unreleased section, please?

[pracucci]

Thanks for the follow up! We're very close! I left last comments.

Please mention that S3 server-side encryption is experimental in docs/configuration/v1-guarantees.md (there's a list of experimental features). This will allow us to introduce config breaking changes in the near future if we find out any issue (or improvement).

[pracucci]

Suggested change

	* [FEATURE] Adds support to S3 server side encryption using KMS. Deprecated `<prefix>.s3.sse-encryption`, you should use the following config fields that have been added. #3651
	* [FEATURE] Adds support to S3 server side encryption using KMS. Deprecated `-<prefix>.s3.sse-encryption`, you should use the following CLI flags that have been added. #3651

[pracucci]

Suggested change

	- `<prefix>.s3.sse.type`
	- `-<prefix>.s3.sse.type`

[pracucci]

Suggested change

	- `<prefix>.s3.sse.kms-key-id`
	- `-<prefix>.s3.sse.kms-key-id`

[pracucci]

Suggested change

	- `<prefix>.s3.sse.kms-encryption-context`
	- `-<prefix>.s3.sse.kms-encryption-context`

[pracucci]

I don't think we should use chunk.Tags here. I would simplify it just taking in input the context json as a string. Moreover, I would clarify in the CLI flag description that it expects a JSON as a string.

[pracucci]

Suggested change

	name: "Test invalid SEE type",
	name: "Test invalid SSE type",

[pracucci]

This test is duplicated from above.

[pracucci]

Thanks for the follow up! I have a last question about context parsing.

[pstibrany]

LGTM, thank you! Please take a look at final comments before merging.

[pstibrany]

Nit: Perhaps this should have been a method on SSEConfig or take it as a parameter?

[pstibrany]

Suggested change

	parsedKMSEncryptionContext := "eyJhIjoiYmMiLCJiIjoiY2QifQ=="
	parsedKMSEncryptionContext = base64.StdEncoding.EncodeToString([]byte(`{"a":"bc","b":"cd"}`)) // compact form of kmsEncryptionContext