Enable SSE-S3 #385
Merged
Pull request overview
This PR adds bucket Server-Side Encryption (SSE-S3 / SSE-KMS) support to provider-ceph by introducing a new Bucket spec field and a corresponding per-backend subresource reconciler, along with status conditions and tests to track reconciliation progress across backends.
Changes:
- Extend the Bucket API/CRD to support `spec.forProvider.serverSideEncryptionConfiguration` and per-backend SSE status conditions, plus a `serverSideEncryptionConfigurationDisabled` switch.
- Add a new bucket subresource client/controller to observe/create/update/delete SSE configuration across S3 backends, including autopause gating logic.
- Update backend S3 interfaces/fakes and add unit + e2e test coverage for the new SSE subresource behavior.
Reviewed changes
Copilot reviewed 17 out of 19 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| package/crds/provider-ceph.ceph.crossplane.io_buckets.yaml | Adds SSE configuration fields, disable flag, and per-backend SSE condition schema to the Bucket CRD. |
| apis/provider-ceph/v1alpha1/bucket_types.go | Adds SSE config pointer in BucketParameters, SSE disable flag in BucketSpec, and per-backend SSE condition in BackendInfo. |
| apis/provider-ceph/v1alpha1/serversideencryptionconfiguration_types.go | Introduces the new API types for SSE configuration. |
| apis/provider-ceph/v1alpha1/zz_generated.deepcopy.go | Updates deepcopy generation for the new SSE types/fields. |
| internal/rgw/serversideencryptionconfiguration.go | Adds RGW wrappers for Get/Put/Delete bucket encryption. |
| internal/rgw/serversideencryptionconfiguration_helpers.go | Adds input/rule conversion helpers and “not found” error detection for SSE config. |
| internal/backendstore/backend.go | Extends S3Client interface with Put/Get/DeleteBucketEncryption methods. |
| internal/backendstore/backendstorefakes/fake_s3client.go | Extends fake S3 client with encryption methods to support unit tests. |
| internal/controller/bucket/serversideencryptionconfiguration.go | New subresource client to reconcile SSE config across backends and update per-backend conditions. |
| internal/controller/bucket/serversideencryptionconfiguration_test.go | Unit tests covering observe/handle scenarios for SSE config. |
| internal/controller/bucket/subresources.go | Wires the new SSE subresource client behind a disable flag. |
| internal/controller/bucket/bucket_backends.go | Stores SSE conditions and adds helper checks for “available/removed on all backends”. |
| internal/controller/bucket/helpers.go | Adds autopause gating for SSE config availability/removal across backends. |
| internal/controller/bucket/consts.go | Adds SSE-specific observe/handle error message constants. |
| cmd/provider/main.go | Adds --disable-sse-config-reconcile flag and plumbs it into bucket connector setup. |
| e2e/tests/stable/chainsaw-test.yaml | Updates e2e bucket spec/status assertions to include SSE config and condition. |
| Makefile | Excludes new RGW SSE helper from nilaway checks (false positives). |
| internal/rgw/lifecycleconfig.go / internal/controller/bucket/lifecycleconfiguration.go | Adds //nolint:dupl annotations referencing SSE similarity. |
Files not reviewed (2)
- apis/provider-ceph/v1alpha1/zz_generated.deepcopy.go: Language not supported
- internal/backendstore/backendstorefakes/fake_s3client.go: Language not supported
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
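The per-backend observe logic the review summary describes (treat the SSE-specific "not found" error as "no configuration yet", compare desired against observed, and gate on "available on all backends") is easy to get subtly wrong: a generic error must not be read as "absent", or a transient failure turns into a delete-and-recreate. The following is an added, stand-alone Go sketch of that logic, not provider-ceph's own code. The `Rule`/`Config` types, the `apiError` type and the fake backends are assumptions constructed for the example; the `ServerSideEncryptionConfigurationNotFoundError` code is the one S3-compatible services return from GetBucketEncryption when a bucket has no SSE configuration.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Rule is one server-side-encryption rule, modelled on the S3 API's
// ServerSideEncryptionByDefault: AES256 for SSE-S3, aws:kms for SSE-KMS.
// (Assumed shape for this example, not the CRD's own types.)
type Rule struct {
	Algorithm string // "AES256" or "aws:kms"
	KMSKeyID  string // only meaningful for aws:kms
	BucketKey bool   // BucketKeyEnabled
}

// Config is a bucket's SSE configuration: the desired spec or a backend's answer.
type Config struct {
	Rules []Rule
}

// State is the outcome of observing one backend against the desired config.
type State int

const (
	UpToDate    State = iota // backend matches the spec (or both are empty)
	NeedsCreate              // spec wants SSE, backend has none
	NeedsUpdate              // backend has SSE, but it differs from the spec
	NeedsDelete              // spec has no SSE, backend still has one
)

func (s State) String() string {
	return [...]string{"UpToDate", "NeedsCreate", "NeedsUpdate", "NeedsDelete"}[s]
}

// apiError stands in for the coded error an S3 client surfaces (assumption:
// a code string as returned by S3-compatible services, not a project type).
type apiError struct{ Code, Message string }

func (e *apiError) Error() string { return e.Code + ": " + e.Message }

// isSSENotFound reports whether err means "bucket exists but has no SSE config".
// Only that specific code is treated as absence; AccessDenied, NoSuchBucket or a
// network error is a real failure and must not trigger a create or delete.
func isSSENotFound(err error) bool {
	var ae *apiError
	return errors.As(err, &ae) && ae.Code == "ServerSideEncryptionConfigurationNotFoundError"
}

// validate rejects rules that would be accepted syntactically but are wrong:
// unknown algorithms, or a KMS key attached to an SSE-S3 (AES256) rule.
func validate(c *Config) error {
	if c == nil {
		return nil
	}
	for i, r := range c.Rules {
		switch r.Algorithm {
		case "AES256":
			if r.KMSKeyID != "" {
				return fmt.Errorf("rule %d: KMSKeyID set on an AES256 (SSE-S3) rule", i)
			}
		case "aws:kms":
		default:
			return fmt.Errorf("rule %d: unsupported SSEAlgorithm %q", i, r.Algorithm)
		}
	}
	return nil
}

// canonical returns a sorted copy so rule order alone never causes an update.
func canonical(c *Config) []Rule {
	if c == nil {
		return nil
	}
	out := append([]Rule(nil), c.Rules...)
	sort.Slice(out, func(i, j int) bool {
		if out[i].Algorithm != out[j].Algorithm {
			return out[i].Algorithm < out[j].Algorithm
		}
		return out[i].KMSKeyID < out[j].KMSKeyID
	})
	return out
}

func equal(a, b *Config) bool {
	x, y := canonical(a), canonical(b)
	if len(x) != len(y) {
		return false
	}
	for i := range x {
		if x[i] != y[i] {
			return false
		}
	}
	return true
}

// Observe compares the desired config with one backend's GetBucketEncryption
// answer (getFn) and says what the reconciler must do on that backend.
func Observe(desired *Config, getFn func() (*Config, error)) (State, error) {
	wantSSE := desired != nil && len(desired.Rules) > 0
	observed, err := getFn()
	if err != nil {
		if !isSSENotFound(err) {
			return UpToDate, fmt.Errorf("get bucket encryption: %w", err)
		}
		if wantSSE {
			return NeedsCreate, nil
		}
		return UpToDate, nil // nothing wanted, nothing present
	}
	if !wantSSE {
		return NeedsDelete, nil
	}
	if equal(desired, observed) {
		return UpToDate, nil
	}
	return NeedsUpdate, nil
}

// ObserveAll runs Observe on every backend and reports whether the SSE config
// is in the desired state on all of them, the condition a pause gate would check.
func ObserveAll(desired *Config, backends map[string]func() (*Config, error)) (bool, map[string]State, error) {
	states := make(map[string]State, len(backends))
	all := true
	for name, getFn := range backends {
		st, err := Observe(desired, getFn)
		if err != nil {
			return false, states, fmt.Errorf("backend %s: %w", name, err)
		}
		states[name] = st
		if st != UpToDate {
			all = false
		}
	}
	return all, states, nil
}

func main() {
	// Constructed sample spec: one SSE-S3 rule.
	desired := &Config{Rules: []Rule{{Algorithm: "AES256"}}}
	if err := validate(desired); err != nil {
		panic(err)
	}
	// Constructed fake backends: in sync, no config yet, and configured for SSE-KMS.
	backends := map[string]func() (*Config, error){
		"ceph-a": func() (*Config, error) { return &Config{Rules: []Rule{{Algorithm: "AES256"}}}, nil },
		"ceph-b": func() (*Config, error) {
			return nil, &apiError{Code: "ServerSideEncryptionConfigurationNotFoundError", Message: "no config"}
		},
		"ceph-c": func() (*Config, error) {
			return &Config{Rules: []Rule{{Algorithm: "aws:kms", KMSKeyID: "key-1"}}}, nil
		},
	}
	all, states, err := ObserveAll(desired, backends)
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"ceph-a", "ceph-b", "ceph-c"} {
		fmt.Printf("%s: %s\n", name, states[name])
	}
	fmt.Println("available on all backends:", all)
}
```

The two decisions worth carrying into a real reconciler are the narrow not-found check (any other error aborts the observe with the error wrapped, rather than being misread as "absent") and the order-insensitive comparison, which stops a backend that returns rules in a different order from being rewritten on every loop.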
Shunpoco approved these changes, May 26, 2026
Co-authored-by: Shunsuke Tokunaga <tkngsnsk313320@gmail.com>
Description of your changes
This PR provides full support for Server-Side Encryption (SSE). This is a large PR and should therefore be reviewed commit by commit. The most significant commit is the addition of the SSE config subresource controller; however, this is mostly a copy of the Lifecycle config subresource controller, as they are handled similarly. Note: I am hoping to refactor all of the subresource controllers to reduce code duplication, but I will do this in a follow-up PR to avoid too much code churn at once. For now, the SSE controller is being added in a similar fashion.
I have:
- Run `make ready-for-review` to ensure this PR is ready for review.
- Run `make ceph-chainsaw` to validate these changes against Ceph. This step is not always necessary. However, for changes related to S3 calls it is sensible to validate against an actual Ceph cluster. Localstack is used in our CI Chainsaw suite for convenience and there can be disparity in S3 behaviours between it and Ceph. See `docs/TESTING.md` for information on how to run tests against a Ceph cluster.
- Added `backport release-x.y` labels to auto-backport this PR if necessary.
How has this code been tested