Add support for AWS S3 Server-Side Encryption support

This adds support for AWS S3 SSE with S3 managed keys, this means the data is encrypted at rest and the encryption is handled transparently to the end user as well as in the AWS Console.

Points to double check

I'm unsure on the best way to the handle the default. I've followed the multipart_upload de facto in the app. I'm happy to change this if required or if it will impact elsewhere e.g. omnibus packages

I also think I've managed to catch all of the documentation for this change as well.

Why is this required

Many enterprises require good backup support but also for this to be encrypted. By default backups aren't encrypted, this allows at rest encryption to be supported in GitLab backups providing a layer of security should the physical media not be properly disposed of.

Relates to issue #2478 (closed).

Any feedback on this? cc: @jeroenvanbaarsen

For me this looks good. @jacobvosmaer You have more experience with S3 and AWS, what do you think?

Added 565 commits:

• e208e216...b6233917 - 564 commits from branch gitlab-org:master
• 253d2320 - Add support for AWS S3 Server-Side Encryption support

Updated to make the documentation read that it's optional, I've also commented out the lines by default so if a user wishes to add this they must do this manually and it won't happen automatically. I can change this as there's no charge and Amazon host the keys for the user so there's no key management to worry about.

I've also rebased as well to reflect the release of 8.0 since building this.

Thanks @paulbeattie

Status changed to merged

@marin do we need to add omnibus support for this or are we already dropping in a JSON hash?

@jacobvosmaer We need to add support, only upload_connection settings are a hash. Please create an issue for this in omnibus-gitlab.

Done

mentioned in commit 958af6f5

mentioned in issue omnibus-gitlab#836 (closed)