Add support for AWS S3 Server Side Encryption (SSE-KMS)
Prior to this change, uploads to AWS S3 were only encrypted on the server if a default encryption were specified on the bucket.
With this change, admins can now configure the encryption and the AWS
Key Management Service (KMS) key ID in GitLab Rails, and the
configuration will be used in uploads. Bucket policies to enforce
encryption can now be used since Workhorse sends the required
headers (x-amz-server-side-encryption
and
x-amz-server-side-encryption-aws-kms-key-id
). The bucket policy
cannot be enforced with default encryption, since that is applied after the check.
This requires the changes in gitlab!38240 (merged) to work.
Part of gitlab#22200 (closed)
Edited by Stan Hu