diff --git a/CHANGELOG b/CHANGELOG
index f34f79d18dd48395d16b8a533e3a3ffa3e24d998..28992b62c47721b083dd793b973beebda62556c5 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -33,6 +33,7 @@ v 8.0.2
- Use standard Markdown font in Markdown preview instead of fixed-width font (Stan Hu)
- Fix Reply by email for non-UTF-8 messages.
- Add option to use StartTLS with Reply by email IMAP server.
+ - Allow AWS S3 Server-Side Encryption with Amazon S3-Managed Keys for backups (Paul Beattie)
v 8.0.1
- Remove git refs used internally by GitLab from network graph (Stan Hu)
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 15930fc90791e283eff0ff9f312aee5e3da1cd5f..c7174f8601437f7c8456d33963397152429cecf1 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -159,7 +159,7 @@ production: &base
method: 'plain' # "tls" or "ssl" or "plain"
bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
password: '_the_password_of_the_bind_user'
-
+
# This setting specifies if LDAP server is Active Directory LDAP server.
# For non AD servers it skips the AD specific queries.
# If your LDAP server is not AD, set this to false.
@@ -204,13 +204,13 @@ production: &base
# The username will be used in paths for the user's own projects
# (like `gitlab.example.com/username/project`) and when mentioning
# them in issues, merge request and comments (like `@username`).
- # If the attribute specified for `username` contains an email address,
+ # If the attribute specified for `username` contains an email address,
# the GitLab username will be the part of the email address before the '@'.
username: ['uid', 'userid', 'sAMAccountName']
email: ['mail', 'email', 'userPrincipalName']
# If no full name could be found at the attribute specified for `name`,
- # the full name is determined using the attributes specified for
+ # the full name is determined using the attributes specified for
# `first_name` and `last_name`.
name: 'cn'
first_name: 'givenName'
@@ -252,28 +252,28 @@ production: &base
# arguments, followed by optional 'args' which can be either a hash or an array.
# Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
providers:
- # - { name: 'google_oauth2',
+ # - { name: 'google_oauth2',
# label: 'Google',
- # app_id: 'YOUR_APP_ID',
+ # app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET',
# args: { access_type: 'offline', approval_prompt: '' } }
- # - { name: 'twitter',
- # app_id: 'YOUR_APP_ID',
+ # - { name: 'twitter',
+ # app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET' }
- # - { name: 'github',
+ # - { name: 'github',
# label: 'GitHub',
- # app_id: 'YOUR_APP_ID',
+ # app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET',
# args: { scope: 'user:email' } }
- # - { name: 'gitlab',
+ # - { name: 'gitlab',
# label: 'GitLab.com',
- # app_id: 'YOUR_APP_ID',
+ # app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET',
# args: { scope: 'api' } }
- # - { name: 'bitbucket',
- # app_id: 'YOUR_APP_ID',
+ # - { name: 'bitbucket',
+ # app_id: 'YOUR_APP_ID',
# app_secret: 'YOUR_APP_SECRET' }
- # - { name: 'saml',
+ # - { name: 'saml',
# label: 'Our SAML Provider',
# args: {
# assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
@@ -319,6 +319,8 @@ production: &base
# # Use multipart uploads when file size reaches 100MB, see
# # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
# multipart_chunk_size: 104857600
+ # # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
+ # # encryption: 'AES256'
## GitLab Shell settings
gitlab_shell:
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 48601b67335c630556a21dc93657b31d2d41c6e6..4e4a8ecbdb3c090edeab869b5c1a1014d56abf4a 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -229,6 +229,7 @@ if Settings.backup['upload']['connection']
Settings.backup['upload']['connection'] = Hash[Settings.backup['upload']['connection'].map { |k, v| [k.to_sym, v] }]
end
Settings.backup['upload']['multipart_chunk_size'] ||= 104857600
+Settings.backup['upload']['encryption'] ||= nil
#
# Git
diff --git a/doc/raketasks/backup_restore.md b/doc/raketasks/backup_restore.md
index 4ff5e74d438601a68f8b272bb9651f1187d0a944..b212964436f971bf6d1e6d17ba6b2598ad590e94 100644
--- a/doc/raketasks/backup_restore.md
+++ b/doc/raketasks/backup_restore.md
@@ -95,6 +95,8 @@ For installations from source:
aws_secret_access_key: 'secret123'
# The remote 'directory' to store your backups. For S3, this would be the bucket name.
remote_directory: 'my.s3.bucket'
+ # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
+ # encryption: 'AES256'
```
If you are uploading your backups to S3 you will probably want to create a new
diff --git a/lib/backup/manager.rb b/lib/backup/manager.rb
index ac63f89c6ec4f3caef5d09b56f0122dbbcba4355..5c42f25f4a267a3fbd8ad10dd8deb4f8ffe64bba 100644
--- a/lib/backup/manager.rb
+++ b/lib/backup/manager.rb
@@ -45,7 +45,8 @@ module Backup
directory = connection.directories.get(remote_directory)
if directory.files.create(key: tar_file, body: File.open(tar_file), public: false,
- multipart_chunk_size: Gitlab.config.backup.upload.multipart_chunk_size)
+ multipart_chunk_size: Gitlab.config.backup.upload.multipart_chunk_size,
+ encryption: Gitlab.config.backup.upload.encryption)
$progress.puts "done".green
else
puts "uploading backup to #{remote_directory} failed".red
@@ -55,7 +56,7 @@ module Backup
def cleanup
$progress.print "Deleting tmp directories ... "
-
+
backup_contents.each do |dir|
next unless File.exist?(File.join(Gitlab.config.backup.path, dir))
@@ -75,7 +76,7 @@ module Backup
if keep_time > 0
removed = 0
-
+
Dir.chdir(Gitlab.config.backup.path) do
file_list = Dir.glob('*_gitlab_backup.tar')
file_list.map! { |f| $1.to_i if f =~ /(\d+)_gitlab_backup.tar/ }