feat: add support for encryption as optional in BackupSnapshot

This commit modifies the `BackupSnapshot` function in the `service` package to add support for encryption of the etcd snapshot before uploading it to S3. The `BackupSnapshot` function now takes an additional boolean parameter `encrypt` which determines whether encryption should be enabled or not. If encryption is enabled, the etcd snapshot is encrypted using the provided public key before uploading it to S3. If encryption is disabled, the etcd snapshot is uploaded as is. This change allows users to choose whether they want to encrypt their etcd snapshots or not.

Signed-off-by: Cedric Grard <[email protected]>
Signed-off-by: Noel Georgi <[email protected]>

Author: cgrard

cmd/talos-backup/main.go

@@ -33,7 +33,7 @@ func run() error {
 		return fmt.Errorf("failed to create talos client: %w", err)
 	}
 
-	return service.BackupEncryptedSnapshot(ctx, serviceConfig, talosConfig, talosClient)
+	return service.BackupSnapshot(ctx, serviceConfig, talosConfig, talosClient, serviceConfig.DisableEncryption)
 }
 
 func main() {

cmd/talos-backup/service/service.go

@@ -19,8 +19,8 @@ import (
 	"github.com/siderolabs/talos-backup/pkg/util"
 )
 
-// BackupEncryptedSnapshot takes a snapshot of etcd, encrypts it and uploads it to S3.
-func BackupEncryptedSnapshot(ctx context.Context, serviceConfig *config.ServiceConfig, talosConfig *talosconfig.Config, talosClient *talosclient.Client) error {
+// BackupSnapshot takes a snapshot of etcd, encrypts it or not and uploads it to S3.
+func BackupSnapshot(ctx context.Context, serviceConfig *config.ServiceConfig, talosConfig *talosconfig.Config, talosClient *talosclient.Client, disableEncryption bool) error {
 	clusterName := serviceConfig.ClusterName
 	if clusterName == "" {
 		clusterName = talosConfig.Context
@@ -33,12 +33,16 @@ func BackupEncryptedSnapshot(ctx context.Context, serviceConfig *config.ServiceC
 
 	defer util.CleanupFile(snapshotPath)
 
-	encryptedFileName, err := encryption.EncryptFile(snapshotPath, serviceConfig.AgeX25519PublicKey)
-	if err != nil {
-		return fmt.Errorf("failed to encrypt etcd snapshot: %w", err)
-	}
+	if !disableEncryption {
+		encryptedFileName, encryptionErr := encryption.EncryptFile(snapshotPath, serviceConfig.AgeX25519PublicKey)
+		if encryptionErr != nil {
+			return fmt.Errorf("failed to encrypt etcd snapshot: %w", encryptionErr)
+		}
+
+		defer util.CleanupFile(encryptedFileName)
 
-	defer util.CleanupFile(encryptedFileName)
+		snapshotPath = encryptedFileName
+	}
 
 	client, err := s3.CreateClientWithCustomEndpoint(ctx, serviceConfig)
 	if err != nil {
@@ -54,9 +58,15 @@ func BackupEncryptedSnapshot(ctx context.Context, serviceConfig *config.ServiceC
 		s3Prefix = clusterName
 	}
 
-	err = s3.PushSnapshot(ctx, s3Info, client, s3Prefix, encryptedFileName)
+	err = s3.PushSnapshot(ctx, s3Info, client, s3Prefix, snapshotPath)
 	if err != nil {
-		return fmt.Errorf("failed to push encrypted snapshot: %w", err)
+		snapshotType := "snapshot"
+
+		if !disableEncryption {
+			snapshotType = "encrypted snapshot"
+		}
+
+		return fmt.Errorf("failed to push %s: %w", snapshotType, err)
 	}
 
 	return nil

internal/integration/integration_test.go

@@ -376,7 +376,7 @@ func cleanup(pool *dockertest.Pool, resources ...*dockertest.Resource) error {
 func (suite *integrationTestSuite) TestBackupEncryptedSnapshot() {
 	// when
 	suite.Require().Nil(
-		service.BackupEncryptedSnapshot(suite.ctx, &suite.serviceConfig, suite.talosConfig, suite.talosClient),
+		service.BackupSnapshot(suite.ctx, &suite.serviceConfig, suite.talosConfig, suite.talosClient, false),
 	)
 
 	// then

pkg/config/service.go

@@ -18,6 +18,7 @@ type ServiceConfig struct {
 	ClusterName        string `yaml:"clusterName"`
 	AgeX25519PublicKey string `yaml:"ageX25519PublicKey"`
 	UsePathStyle       bool   `yaml:"usePathStyle"`
+	DisableEncryption  bool   `yaml:"disableEncryption"`
 }
 
 const (
@@ -27,6 +28,7 @@ const (
 	s3PrefixEnvVar           = "S3_PREFIX"
 	clusterNameEnvVar        = "CLUSTER_NAME"
 	usePathStyleEnvVar       = "USE_PATH_STYLE"
+	disableEncryptionEnvVar  = "DISABLE_ENCRYPTION"
 	ageX25519PublicKeyEnvVar = "AGE_X25519_PUBLIC_KEY"
 )
 
@@ -39,6 +41,7 @@ func GetServiceConfig() *ServiceConfig {
 		S3Prefix:           os.Getenv(s3PrefixEnvVar),
 		ClusterName:        os.Getenv(clusterNameEnvVar),
 		UsePathStyle:       os.Getenv(usePathStyleEnvVar) == "false",
+		DisableEncryption:  os.Getenv(disableEncryptionEnvVar) == "true",
 		AgeX25519PublicKey: os.Getenv(ageX25519PublicKeyEnvVar),
 	}
 }