Enable replication of SSE-C objects (#19107)

If site replication enabled across sites, replicate the SSE-C
objects as well. These objects could be read from target sites
using the same client encryption keys.

Signed-off-by: Shubhendu Ram Tripathi <shubhendu@minio.io>

docs/bucket/versioning/versioning-tests.sh

@@ -10,10 +10,10 @@ trap 'catch $LINENO' ERR
 catch() {
 	if [ $# -ne 0 ]; then
 		echo "error on line $1"
-		echo "$site server logs ========="
-		cat "/tmp/${site}_1.log"
+		echo "server logs ========="
+		cat "/tmp/sitea_1.log"
 		echo "==========================="
-		cat "/tmp/${site}_2.log"
+		cat "/tmp/sitea_2.log"
 	fi
 
 	echo "Cleaning up instances of MinIO"
@@ -42,32 +42,34 @@ if [ ! -f ./mc ]; then
 		chmod +x mc
 fi
 
-minio server --address 127.0.0.1:9001 "http://127.0.0.1:9001/tmp/multisitea/data/disterasure/xl{1...4}" \
-	"http://127.0.0.1:9002/tmp/multisitea/data/disterasure/xl{5...8}" >/tmp/sitea_1.log 2>&1 &
-minio server --address 127.0.0.1:9002 "http://127.0.0.1:9001/tmp/multisitea/data/disterasure/xl{1...4}" \
-	"http://127.0.0.1:9002/tmp/multisitea/data/disterasure/xl{5...8}" >/tmp/sitea_2.log 2>&1 &
+minio server --address ":9001" "https://localhost:9001/tmp/multisitea/data/disterasure/xl{1...4}" \
+	"https://localhost:9002/tmp/multisitea/data/disterasure/xl{5...8}" >/tmp/sitea_1.log 2>&1 &
+minio server --address ":9002" "https://localhost:9001/tmp/multisitea/data/disterasure/xl{1...4}" \
+	"https://localhost:9002/tmp/multisitea/data/disterasure/xl{5...8}" >/tmp/sitea_2.log 2>&1 &
 
-export MC_HOST_sitea=http://minio:minio123@127.0.0.1:9001
+sleep 60
 
-./mc mb sitea/delissue
+export MC_HOST_sitea=https://minio:minio123@localhost:9001
 
-./mc version enable sitea/delissue
+./mc mb sitea/delissue --insecure
 
-echo hello | ./mc pipe sitea/delissue/hello
+./mc version enable sitea/delissue --insecure
 
-./mc version suspend sitea/delissue
+echo hello | ./mc pipe sitea/delissue/hello --insecure
 
-./mc rm sitea/delissue/hello
+./mc version suspend sitea/delissue --insecure
 
-./mc version enable sitea/delissue
+./mc rm sitea/delissue/hello --insecure
 
-echo hello | ./mc pipe sitea/delissue/hello
+./mc version enable sitea/delissue --insecure
 
-./mc version suspend sitea/delissue
+echo hello | ./mc pipe sitea/delissue/hello --insecure
 
-./mc rm sitea/delissue/hello
+./mc version suspend sitea/delissue --insecure
 
-count=$(./mc ls --versions sitea/delissue | wc -l)
+./mc rm sitea/delissue/hello --insecure
+
+count=$(./mc ls --versions sitea/delissue --insecure | wc -l)
 
 if [ ${count} -ne 3 ]; then
 	echo "BUG: expected number of versions to be '3' found ${count}"
@@ -76,6 +78,6 @@ if [ ${count} -ne 3 ]; then
 fi
 
 echo "SUCCESS:"
-./mc ls --versions sitea/delissue
+./mc ls --versions sitea/delissue --insecure
 
 catch

docs/site-replication/run-sse-kms-object-replication.sh

@@ -0,0 +1,230 @@
+#!/usr/bin/env bash
+
+# shellcheck disable=SC2120
+exit_1() {
+	cleanup
+
+	echo "minio1 ============"
+	cat /tmp/minio1_1.log
+	echo "minio2 ============"
+	cat /tmp/minio2_1.log
+
+	exit 1
+}
+
+cleanup() {
+	echo -n "Cleaning up instances of MinIO ..."
+	pkill -9 minio || sudo pkill -9 minio
+	pkill -9 kes || sudo pkill -9 kes
+	rm -rf ${PWD}/keys
+	rm -rf /tmp/minio{1,2}
+	echo "done"
+}
+
+cleanup
+
+export MINIO_CI_CD=1
+export MINIO_BROWSER=off
+export MINIO_ROOT_USER="minio"
+export MINIO_ROOT_PASSWORD="minio123"
+
+# Create certificates for TLS enabled MinIO
+echo -n "Setup certs for MinIO instances ..."
+wget -O certgen https://github.com/minio/certgen/releases/latest/download/certgen-linux-amd64 && chmod +x certgen
+./certgen --host localhost
+mkdir -p ~/.minio/certs
+mv public.crt ~/.minio/certs || sudo mv public.crt ~/.minio/certs
+mv private.key ~/.minio/certs || sudo mv private.key ~/.minio/certs
+echo "done"
+
+# Start MinIO instances
+echo -n "Starting MinIO instances ..."
+CI=on MINIO_KMS_SECRET_KEY=minio-default-key:IyqsU3kMFloCNup4BsZtf/rmfHVcTgznO2F25CkEH1g= MINIO_ROOT_USER=minio MINIO_ROOT_PASSWORD=minio123 minio server --address ":9001" --console-address ":10000" /tmp/minio1/{1...4}/disk{1...4} /tmp/minio1/{5...8}/disk{1...4} >/tmp/minio1_1.log 2>&1 &
+CI=on MINIO_KMS_SECRET_KEY=minio-default-key:IyqsU3kMFloCNup4BsZtf/rmfHVcTgznO2F25CkEH1g= MINIO_ROOT_USER=minio MINIO_ROOT_PASSWORD=minio123 minio server --address ":9002" --console-address ":11000" /tmp/minio2/{1...4}/disk{1...4} /tmp/minio2/{5...8}/disk{1...4} >/tmp/minio2_1.log 2>&1 &
+echo "done"
+
+if [ ! -f ./mc ]; then
+	echo -n "Downloading MinIO client ..."
+	wget -O mc https://dl.min.io/client/mc/release/linux-amd64/mc &&
+		chmod +x mc
+	echo "done"
+fi
+
+sleep 10
+
+export MC_HOST_minio1=https://minio:minio123@localhost:9001
+export MC_HOST_minio2=https://minio:minio123@localhost:9002
+
+# Prepare data for tests
+echo -n "Preparing test data ..."
+mkdir -p /tmp/data
+echo "Hello from encrypted world" >/tmp/data/encrypted
+touch /tmp/data/mpartobj
+shred -s 500M /tmp/data/mpartobj
+touch /tmp/data/defpartsize
+shred -s 500M /tmp/data/defpartsize
+touch /tmp/data/custpartsize
+shred -s 500M /tmp/data/custpartsize
+echo "done"
+
+# Add replication site
+./mc admin replicate add minio1 minio2 --insecure
+# sleep for replication to complete
+sleep 30
+
+# Create bucket in source cluster
+echo "Create bucket in source MinIO instance"
+./mc mb minio1/test-bucket --insecure
+
+# Enable SSE KMS for the bucket
+./mc encrypt set sse-kms minio-default-key minio1/test-bucket --insecure
+
+# Load objects to source site
+echo "Loading objects to source MinIO instance"
+./mc cp /tmp/data/encrypted minio1/test-bucket --insecure
+./mc cp /tmp/data/mpartobj minio1/test-bucket --encrypt-key "minio1/test-bucket/mpartobj=iliketobecrazybutnotsomuchreally" --insecure
+./mc cp /tmp/data/defpartsize minio1/test-bucket --insecure
+./mc put /tmp/data/custpartsize minio1/test-bucket --insecure --part-size 50MiB
+sleep 120
+
+# List the objects from source site
+echo "Objects from source instance"
+./mc ls minio1/test-bucket --insecure
+count1=$(./mc ls minio1/test-bucket/encrypted --insecure | wc -l)
+if [ "${count1}" -ne 1 ]; then
+	echo "BUG: object minio1/test-bucket/encrypted not found"
+	exit_1
+fi
+count2=$(./mc ls minio1/test-bucket/mpartobj --insecure | wc -l)
+if [ "${count2}" -ne 1 ]; then
+	echo "BUG: object minio1/test-bucket/mpartobj not found"
+	exit_1
+fi
+count3=$(./mc ls minio1/test-bucket/defpartsize --insecure | wc -l)
+if [ "${count3}" -ne 1 ]; then
+	echo "BUG: object minio1/test-bucket/defpartsize not found"
+	exit_1
+fi
+count4=$(./mc ls minio1/test-bucket/custpartsize --insecure | wc -l)
+if [ "${count4}" -ne 1 ]; then
+	echo "BUG: object minio1/test-bucket/custpartsize not found"
+	exit_1
+fi
+
+# List the objects from replicated site
+echo "Objects from replicated instance"
+./mc ls minio2/test-bucket --insecure
+repcount1=$(./mc ls minio2/test-bucket/encrypted --insecure | wc -l)
+if [ "${repcount1}" -ne 1 ]; then
+	echo "BUG: object test-bucket/encrypted not replicated"
+	exit_1
+fi
+repcount2=$(./mc ls minio2/test-bucket/mpartobj --insecure | wc -l)
+if [ "${repcount2}" -ne 1 ]; then
+	echo "BUG: object test-bucket/mpartobj not replicated"
+	exit_1
+fi
+repcount3=$(./mc ls minio2/test-bucket/defpartsize --insecure | wc -l)
+if [ "${repcount3}" -ne 1 ]; then
+	echo "BUG: object test-bucket/defpartsize not replicated"
+	exit_1
+fi
+repcount4=$(./mc ls minio2/test-bucket/custpartsize --insecure | wc -l)
+if [ "${repcount4}" -ne 1 ]; then
+	echo "BUG: object test-bucket/custpartsize not replicated"
+	exit_1
+fi
+
+# Stat the objects from source site
+echo "Stat minio1/test-bucket/encrypted"
+./mc stat minio1/test-bucket/encrypted --insecure --json
+stat_out1=$(./mc stat minio1/test-bucket/encrypted --insecure --json)
+src_obj1_algo=$(echo "${stat_out1}" | jq '.metadata."X-Amz-Server-Side-Encryption"')
+src_obj1_keyid=$(echo "${stat_out1}" | jq '.metadata."X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id"')
+echo "Stat minio1/test-bucket/defpartsize"
+./mc stat minio1/test-bucket/defpartsize --insecure --json
+stat_out2=$(./mc stat minio1/test-bucket/defpartsize --insecure --json)
+src_obj2_algo=$(echo "${stat_out2}" | jq '.metadata."X-Amz-Server-Side-Encryption"')
+src_obj2_keyid=$(echo "${stat_out2}" | jq '.metadata."X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id"')
+echo "Stat minio1/test-bucket/custpartsize"
+./mc stat minio1/test-bucket/custpartsize --insecure --json
+stat_out3=$(./mc stat minio1/test-bucket/custpartsize --insecure --json)
+src_obj3_algo=$(echo "${stat_out3}" | jq '.metadata."X-Amz-Server-Side-Encryption"')
+src_obj3_keyid=$(echo "${stat_out3}" | jq '.metadata."X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id"')
+echo "Stat minio1/test-bucket/mpartobj"
+./mc stat minio1/test-bucket/mpartobj --encrypt-key "minio1/test-bucket/mpartobj=iliketobecrazybutnotsomuchreally" --insecure --json
+stat_out4=$(./mc stat minio1/test-bucket/mpartobj --encrypt-key "minio1/test-bucket/mpartobj=iliketobecrazybutnotsomuchreally" --insecure --json)
+src_obj4_etag=$(echo "${stat_out4}" | jq '.etag')
+src_obj4_size=$(echo "${stat_out4}" | jq '.size')
+src_obj4_md5=$(echo "${stat_out4}" | jq '.metadata."X-Amz-Server-Side-Encryption-Customer-Key-Md5"')
+
+# Stat the objects from replicated site
+echo "Stat minio2/test-bucket/encrypted"
+./mc stat minio2/test-bucket/encrypted --insecure --json
+stat_out1_rep=$(./mc stat minio2/test-bucket/encrypted --insecure --json)
+rep_obj1_algo=$(echo "${stat_out1_rep}" | jq '.metadata."X-Amz-Server-Side-Encryption"')
+rep_obj1_keyid=$(echo "${stat_out1_rep}" | jq '.metadata."X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id"')
+echo "Stat minio2/test-bucket/defpartsize"
+./mc stat minio2/test-bucket/defpartsize --insecure --json
+stat_out2_rep=$(./mc stat minio2/test-bucket/defpartsize --insecure --json)
+rep_obj2_algo=$(echo "${stat_out2_rep}" | jq '.metadata."X-Amz-Server-Side-Encryption"')
+rep_obj2_keyid=$(echo "${stat_out2_rep}" | jq '.metadata."X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id"')
+echo "Stat minio2/test-bucket/custpartsize"
+./mc stat minio2/test-bucket/custpartsize --insecure --json
+stat_out3_rep=$(./mc stat minio2/test-bucket/custpartsize --insecure --json)
+rep_obj3_algo=$(echo "${stat_out3_rep}" | jq '.metadata."X-Amz-Server-Side-Encryption"')
+rep_obj3_keyid=$(echo "${stat_out3_rep}" | jq '.metadata."X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id"')
+echo "Stat minio2/test-bucket/mpartobj"
+./mc stat minio2/test-bucket/mpartobj --encrypt-key "minio2/test-bucket/mpartobj=iliketobecrazybutnotsomuchreally" --insecure --json
+stat_out4_rep=$(./mc stat minio2/test-bucket/mpartobj --encrypt-key "minio2/test-bucket/mpartobj=iliketobecrazybutnotsomuchreally" --insecure --json)
+rep_obj4_etag=$(echo "${stat_out4}" | jq '.etag')
+rep_obj4_size=$(echo "${stat_out4}" | jq '.size')
+rep_obj4_md5=$(echo "${stat_out4}" | jq '.metadata."X-Amz-Server-Side-Encryption-Customer-Key-Md5"')
+
+# Check the algo and keyId of replicated objects
+if [ "${rep_obj1_algo}" != "${src_obj1_algo}" ]; then
+	echo "BUG: Algorithm: '${rep_obj1_algo}' of replicated object: 'minio2/test-bucket/encrypted' doesn't match with source value: '${src_obj1_algo}'"
+	exit_1
+fi
+if [ "${rep_obj1_keyid}" != "${src_obj1_keyid}" ]; then
+	echo "BUG: KeyId: '${rep_obj1_keyid}' of replicated object: 'minio2/test-bucket/encrypted' doesn't match with source value: '${src_obj1_keyid}'"
+	exit_1
+fi
+if [ "${rep_obj2_algo}" != "${src_obj2_algo}" ]; then
+	echo "BUG: Algorithm: '${rep_obj2_algo}' of replicated object: 'minio2/test-bucket/defpartsize' doesn't match with source value: '${src_obj2_algo}'"
+	exit_1
+fi
+if [ "${rep_obj2_keyid}" != "${src_obj2_keyid}" ]; then
+	echo "BUG: KeyId: '${rep_obj2_keyid}' of replicated object: 'minio2/test-bucket/defpartsize' doesn't match with source value: '${src_obj2_keyid}'"
+	exit_1
+fi
+if [ "${rep_obj3_algo}" != "${src_obj3_algo}" ]; then
+	echo "BUG: Algorithm: '${rep_obj3_algo}' of replicated object: 'minio2/test-bucket/custpartsize' doesn't match with source value: '${src_obj3_algo}'"
+	exit_1
+fi
+if [ "${rep_obj3_keyid}" != "${src_obj3_keyid}" ]; then
+	echo "BUG: KeyId: '${rep_obj3_keyid}' of replicated object: 'minio2/test-bucket/custpartsize' doesn't match with source value: '${src_obj3_keyid}'"
+	exit_1
+fi
+
+# Check the etag, size and md5 of replicated SSEC object
+if [ "${rep_obj4_etag}" != "${src_obj4_etag}" ]; then
+	echo "BUG: Etag: '${rep_obj4_etag}' of replicated object: 'minio2/test-bucket/mpartobj' doesn't match with source value: '${src_obj4_etag}'"
+	exit_1
+fi
+if [ "${rep_obj4_size}" != "${src_obj4_size}" ]; then
+	echo "BUG: Size: '${rep_obj4_size}' of replicated object: 'minio2/test-bucket/mpartobj' doesn't match with source value: '${src_obj4_size}'"
+	exit_1
+fi
+if [ "${src_obj4_md5}" != "${rep_obj4_md5}" ]; then
+	echo "BUG: MD5 checksum of object 'minio2/test-bucket/mpartobj' doesn't match with source. Expected: '${src_obj4_md5}', Found: '${rep_obj4_md5}'"
+	exit_1
+fi
+
+# Check content of replicated objects
+./mc cat minio2/test-bucket/encrypted --insecure
+./mc cat minio2/test-bucket/mpartobj --encrypt-key "minio2/test-bucket/mpartobj=iliketobecrazybutnotsomuchreally" --insecure >/dev/null || exit_1
+./mc cat minio2/test-bucket/defpartsize --insecure >/dev/null || exit_1
+./mc cat minio2/test-bucket/custpartsize --insecure >/dev/null || exit_1
+
+cleanup

docs/site-replication/run-ssec-object-replication-with-compression.sh

@@ -0,0 +1,193 @@
+#!/usr/bin/env bash
+
+# shellcheck disable=SC2120
+exit_1() {
+	cleanup
+
+	echo "minio1 ============"
+	cat /tmp/minio1_1.log
+	echo "minio2 ============"
+	cat /tmp/minio2_1.log
+
+	exit 1
+}
+
+cleanup() {
+	echo -n "Cleaning up instances of MinIO ..."
+	pkill minio || sudo pkill minio
+	pkill -9 minio || sudo pkill -9 minio
+	rm -rf /tmp/minio{1,2}
+	echo "done"
+}
+
+cleanup
+
+export MINIO_CI_CD=1
+export MINIO_BROWSER=off
+export MINIO_ROOT_USER="minio"
+export MINIO_ROOT_PASSWORD="minio123"
+
+# Create certificates for TLS enabled MinIO
+echo -n "Setup certs for MinIO instances ..."
+wget -O certgen https://github.com/minio/certgen/releases/latest/download/certgen-linux-amd64 && chmod +x certgen
+./certgen --host localhost
+mkdir -p ~/.minio/certs
+mv public.crt ~/.minio/certs || sudo mv public.crt ~/.minio/certs
+mv private.key ~/.minio/certs || sudo mv private.key ~/.minio/certs
+echo "done"
+
+# Start MinIO instances
+echo -n "Starting MinIO instances ..."
+minio server --address ":9001" --console-address ":10000" /tmp/minio1/{1...4}/disk{1...4} /tmp/minio1/{5...8}/disk{1...4} >/tmp/minio1_1.log 2>&1 &
+minio server --address ":9002" --console-address ":11000" /tmp/minio2/{1...4}/disk{1...4} /tmp/minio2/{5...8}/disk{1...4} >/tmp/minio2_1.log 2>&1 &
+echo "done"
+
+if [ ! -f ./mc ]; then
+	echo -n "Downloading MinIO client ..."
+	wget -O mc https://dl.min.io/client/mc/release/linux-amd64/mc &&
+		chmod +x mc
+	echo "done"
+fi
+
+sleep 10
+
+export MC_HOST_minio1=https://minio:minio123@localhost:9001
+export MC_HOST_minio2=https://minio:minio123@localhost:9002
+
+# Prepare data for tests
+echo -n "Preparing test data ..."
+mkdir -p /tmp/data
+echo "Hello world" >/tmp/data/plainfile
+echo "Hello from encrypted world" >/tmp/data/encrypted
+touch /tmp/data/defpartsize
+shred -s 500M /tmp/data/defpartsize
+touch /tmp/data/mpartobj.txt
+shred -s 500M /tmp/data/mpartobj.txt
+echo "done"
+
+# Enable compression for site minio1
+./mc admin config set minio1 compression enable=on extensions=".txt" --insecure
+./mc admin config set minio1 compression allow_encryption=on --insecure
+
+# Create bucket in source cluster
+echo "Create bucket in source MinIO instance"
+./mc mb minio1/test-bucket --insecure
+
+# Load objects to source site
+echo "Loading objects to source MinIO instance"
+./mc cp /tmp/data/plainfile minio1/test-bucket --insecure
+./mc cp /tmp/data/encrypted minio1/test-bucket --encrypt-key "minio1/test-bucket/encrypted=iliketobecrazybutnotsomuchreally" --insecure
+./mc cp /tmp/data/defpartsize minio1/test-bucket --encrypt-key "minio1/test-bucket/defpartsize=iliketobecrazybutnotsomuchreally" --insecure
+
+# Below should fail as compression and SSEC used at the same time
+RESULT=$({ ./mc put /tmp/data/mpartobj.txt minio1/test-bucket --encrypt-key "minio1/test-bucket/mpartobj.txt=iliketobecrazybutnotsomuchreally" --insecure; } 2>&1)
+if [[ ${RESULT} != *"Server side encryption specified with SSE-C with compression not allowed"* ]]; then
+	echo "BUG: Loading an SSE-C object to site with compression should fail. Succeeded though."
+	exit_1
+fi
+
+# Add replication site
+./mc admin replicate add minio1 minio2 --insecure
+# sleep for replication to complete
+sleep 30
+
+# List the objects from source site
+echo "Objects from source instance"
+./mc ls minio1/test-bucket --insecure
+count1=$(./mc ls minio1/test-bucket/plainfile --insecure | wc -l)
+if [ "${count1}" -ne 1 ]; then
+	echo "BUG: object minio1/test-bucket/plainfile not found"
+	exit_1
+fi
+count2=$(./mc ls minio1/test-bucket/encrypted --insecure | wc -l)
+if [ "${count2}" -ne 1 ]; then
+	echo "BUG: object minio1/test-bucket/encrypted not found"
+	exit_1
+fi
+count3=$(./mc ls minio1/test-bucket/defpartsize --insecure | wc -l)
+if [ "${count3}" -ne 1 ]; then
+	echo "BUG: object minio1/test-bucket/defpartsize not found"
+	exit_1
+fi
+sleep 120
+
+# List the objects from replicated site
+echo "Objects from replicated instance"
+./mc ls minio2/test-bucket --insecure
+repcount1=$(./mc ls minio2/test-bucket/plainfile --insecure | wc -l)
+if [ "${repcount1}" -ne 1 ]; then
+	echo "BUG: object test-bucket/plainfile not replicated"
+	exit_1
+fi
+repcount2=$(./mc ls minio2/test-bucket/encrypted --insecure | wc -l)
+if [ "${repcount2}" -ne 1 ]; then
+	echo "BUG: object test-bucket/encrypted not replicated"
+	exit_1
+fi
+repcount3=$(./mc ls minio2/test-bucket/defpartsize --insecure | wc -l)
+if [ "${repcount3}" -ne 1 ]; then
+	echo "BUG: object test-bucket/defpartsize not replicated"
+	exit_1
+fi
+
+# Stat the SSEC objects from source site
+echo "Stat minio1/test-bucket/encrypted"
+./mc stat minio1/test-bucket/encrypted --encrypt-key "minio1/test-bucket/encrypted=iliketobecrazybutnotsomuchreally" --insecure --json
+stat_out1=$(./mc stat minio1/test-bucket/encrypted --encrypt-key "minio1/test-bucket/encrypted=iliketobecrazybutnotsomuchreally" --insecure --json)
+src_obj1_etag=$(echo "${stat_out1}" | jq '.etag')
+src_obj1_size=$(echo "${stat_out1}" | jq '.size')
+src_obj1_md5=$(echo "${stat_out1}" | jq '.metadata."X-Amz-Server-Side-Encryption-Customer-Key-Md5"')
+echo "Stat minio1/test-bucket/defpartsize"
+./mc stat minio1/test-bucket/defpartsize --encrypt-key "minio1/test-bucket/defpartsize=iliketobecrazybutnotsomuchreally" --insecure --json
+stat_out2=$(./mc stat minio1/test-bucket/defpartsize --encrypt-key "minio1/test-bucket/defpartsize=iliketobecrazybutnotsomuchreally" --insecure --json)
+src_obj2_etag=$(echo "${stat_out2}" | jq '.etag')
+src_obj2_size=$(echo "${stat_out2}" | jq '.size')
+src_obj2_md5=$(echo "${stat_out2}" | jq '.metadata."X-Amz-Server-Side-Encryption-Customer-Key-Md5"')
+
+# Stat the SSEC objects from replicated site
+echo "Stat minio2/test-bucket/encrypted"
+./mc stat minio2/test-bucket/encrypted --encrypt-key "minio2/test-bucket/encrypted=iliketobecrazybutnotsomuchreally" --insecure --json
+stat_out1_rep=$(./mc stat minio2/test-bucket/encrypted --encrypt-key "minio2/test-bucket/encrypted=iliketobecrazybutnotsomuchreally" --insecure --json)
+rep_obj1_etag=$(echo "${stat_out1_rep}" | jq '.etag')
+rep_obj1_size=$(echo "${stat_out1_rep}" | jq '.size')
+rep_obj1_md5=$(echo "${stat_out1_rep}" | jq '.metadata."X-Amz-Server-Side-Encryption-Customer-Key-Md5"')
+echo "Stat minio2/test-bucket/defpartsize"
+./mc stat minio2/test-bucket/defpartsize --encrypt-key "minio2/test-bucket/defpartsize=iliketobecrazybutnotsomuchreally" --insecure --json
+stat_out2_rep=$(./mc stat minio2/test-bucket/defpartsize --encrypt-key "minio2/test-bucket/defpartsize=iliketobecrazybutnotsomuchreally" --insecure --json)
+rep_obj2_etag=$(echo "${stat_out2_rep}" | jq '.etag')
+rep_obj2_size=$(echo "${stat_out2_rep}" | jq '.size')
+rep_obj2_md5=$(echo "${stat_out2_rep}" | jq '.metadata."X-Amz-Server-Side-Encryption-Customer-Key-Md5"')
+
+# Check the etag and size of replicated SSEC objects
+if [ "${rep_obj1_etag}" != "${src_obj1_etag}" ]; then
+	echo "BUG: Etag: '${rep_obj1_etag}' of replicated object: 'minio2/test-bucket/encrypted' doesn't match with source value: '${src_obj1_etag}'"
+	exit_1
+fi
+if [ "${rep_obj1_size}" != "${src_obj1_size}" ]; then
+	echo "BUG: Size: '${rep_obj1_size}' of replicated object: 'minio2/test-bucket/encrypted' doesn't match with source value: '${src_obj1_size}'"
+	exit_1
+fi
+if [ "${rep_obj2_etag}" != "${src_obj2_etag}" ]; then
+	echo "BUG: Etag: '${rep_obj2_etag}' of replicated object: 'minio2/test-bucket/defpartsize' doesn't match with source value: '${src_obj2_etag}'"
+	exit_1
+fi
+if [ "${rep_obj2_size}" != "${src_obj2_size}" ]; then
+	echo "BUG: Size: '${rep_obj2_size}' of replicated object: 'minio2/test-bucket/defpartsize' doesn't match with source value: '${src_obj2_size}'"
+	exit_1
+fi
+
+# Check content of replicated SSEC objects
+./mc cat minio2/test-bucket/encrypted --encrypt-key "minio2/test-bucket/encrypted=iliketobecrazybutnotsomuchreally" --insecure
+./mc cat minio2/test-bucket/defpartsize --encrypt-key "minio2/test-bucket/defpartsize=iliketobecrazybutnotsomuchreally" --insecure >/dev/null || exit_1
+
+# Check the MD5 checksums of encrypted objects from source and target
+if [ "${src_obj1_md5}" != "${rep_obj1_md5}" ]; then
+	echo "BUG: MD5 checksum of object 'minio2/test-bucket/encrypted' doesn't match with source. Expected: '${src_obj1_md5}', Found: '${rep_obj1_md5}'"
+	exit_1
+fi
+if [ "${src_obj2_md5}" != "${rep_obj2_md5}" ]; then
+	echo "BUG: MD5 checksum of object 'minio2/test-bucket/defpartsize' doesn't match with source. Expected: '${src_obj2_md5}', Found: '${rep_obj2_md5}'"
+	exit_1
+fi
+
+cleanup

docs/site-replication/run-ssec-object-replication.sh

@@ -0,0 +1,219 @@
+#!/usr/bin/env bash
+
+# shellcheck disable=SC2120
+exit_1() {
+	cleanup
+
+	echo "minio1 ============"
+	cat /tmp/minio1_1.log
+	echo "minio2 ============"
+	cat /tmp/minio2_1.log
+
+	exit 1
+}
+
+cleanup() {
+	echo -n "Cleaning up instances of MinIO ..."
+	pkill minio || sudo pkill minio
+	pkill -9 minio || sudo pkill -9 minio
+	rm -rf /tmp/minio{1,2}
+	echo "done"
+}
+
+cleanup
+
+export MINIO_CI_CD=1
+export MINIO_BROWSER=off
+export MINIO_ROOT_USER="minio"
+export MINIO_ROOT_PASSWORD="minio123"
+
+# Create certificates for TLS enabled MinIO
+echo -n "Setup certs for MinIO instances ..."
+wget -O certgen https://github.com/minio/certgen/releases/latest/download/certgen-linux-amd64 && chmod +x certgen
+./certgen --host localhost
+mkdir -p ~/.minio/certs
+mv public.crt ~/.minio/certs || sudo mv public.crt ~/.minio/certs
+mv private.key ~/.minio/certs || sudo mv private.key ~/.minio/certs
+echo "done"
+
+# Start MinIO instances
+echo -n "Starting MinIO instances ..."
+minio server --address ":9001" --console-address ":10000" /tmp/minio1/{1...4}/disk{1...4} /tmp/minio1/{5...8}/disk{1...4} >/tmp/minio1_1.log 2>&1 &
+minio server --address ":9002" --console-address ":11000" /tmp/minio2/{1...4}/disk{1...4} /tmp/minio2/{5...8}/disk{1...4} >/tmp/minio2_1.log 2>&1 &
+echo "done"
+
+if [ ! -f ./mc ]; then
+	echo -n "Downloading MinIO client ..."
+	wget -O mc https://dl.min.io/client/mc/release/linux-amd64/mc &&
+		chmod +x mc
+	echo "done"
+fi
+
+sleep 10
+
+export MC_HOST_minio1=https://minio:minio123@localhost:9001
+export MC_HOST_minio2=https://minio:minio123@localhost:9002
+
+# Prepare data for tests
+echo -n "Preparing test data ..."
+mkdir -p /tmp/data
+echo "Hello world" >/tmp/data/plainfile
+echo "Hello from encrypted world" >/tmp/data/encrypted
+touch /tmp/data/defpartsize
+shred -s 500M /tmp/data/defpartsize
+touch /tmp/data/custpartsize
+shred -s 500M /tmp/data/custpartsize
+echo "done"
+
+# Add replication site
+./mc admin replicate add minio1 minio2 --insecure
+# sleep for replication to complete
+sleep 30
+
+# Create bucket in source cluster
+echo "Create bucket in source MinIO instance"
+./mc mb minio1/test-bucket --insecure
+
+# Load objects to source site
+echo "Loading objects to source MinIO instance"
+./mc cp /tmp/data/plainfile minio1/test-bucket --insecure
+./mc cp /tmp/data/encrypted minio1/test-bucket --encrypt-key "minio1/test-bucket/encrypted=iliketobecrazybutnotsomuchreally" --insecure
+./mc cp /tmp/data/defpartsize minio1/test-bucket --encrypt-key "minio1/test-bucket/defpartsize=iliketobecrazybutnotsomuchreally" --insecure
+./mc put /tmp/data/custpartsize minio1/test-bucket --encrypt-key "minio1/test-bucket/custpartsize=iliketobecrazybutnotsomuchreally" --insecure --part-size 50MiB
+sleep 120
+
+# List the objects from source site
+echo "Objects from source instance"
+./mc ls minio1/test-bucket --insecure
+count1=$(./mc ls minio1/test-bucket/plainfile --insecure | wc -l)
+if [ "${count1}" -ne 1 ]; then
+	echo "BUG: object minio1/test-bucket/plainfile not found"
+	exit_1
+fi
+count2=$(./mc ls minio1/test-bucket/encrypted --insecure | wc -l)
+if [ "${count2}" -ne 1 ]; then
+	echo "BUG: object minio1/test-bucket/encrypted not found"
+	exit_1
+fi
+count3=$(./mc ls minio1/test-bucket/defpartsize --insecure | wc -l)
+if [ "${count3}" -ne 1 ]; then
+	echo "BUG: object minio1/test-bucket/defpartsize not found"
+	exit_1
+fi
+count4=$(./mc ls minio1/test-bucket/custpartsize --insecure | wc -l)
+if [ "${count4}" -ne 1 ]; then
+	echo "BUG: object minio1/test-bucket/custpartsize not found"
+	exit_1
+fi
+
+# List the objects from replicated site
+echo "Objects from replicated instance"
+./mc ls minio2/test-bucket --insecure
+repcount1=$(./mc ls minio2/test-bucket/plainfile --insecure | wc -l)
+if [ "${repcount1}" -ne 1 ]; then
+	echo "BUG: object test-bucket/plainfile not replicated"
+	exit_1
+fi
+repcount2=$(./mc ls minio2/test-bucket/encrypted --insecure | wc -l)
+if [ "${repcount2}" -ne 1 ]; then
+	echo "BUG: object test-bucket/encrypted not replicated"
+	exit_1
+fi
+repcount3=$(./mc ls minio2/test-bucket/defpartsize --insecure | wc -l)
+if [ "${repcount3}" -ne 1 ]; then
+	echo "BUG: object test-bucket/defpartsize not replicated"
+	exit_1
+fi
+
+repcount4=$(./mc ls minio2/test-bucket/custpartsize --insecure | wc -l)
+if [ "${repcount4}" -ne 1 ]; then
+	echo "BUG: object test-bucket/custpartsize not replicated"
+	exit_1
+fi
+
+# Stat the SSEC objects from source site
+echo "Stat minio1/test-bucket/encrypted"
+./mc stat minio1/test-bucket/encrypted --encrypt-key "minio1/test-bucket/encrypted=iliketobecrazybutnotsomuchreally" --insecure --json
+stat_out1=$(./mc stat minio1/test-bucket/encrypted --encrypt-key "minio1/test-bucket/encrypted=iliketobecrazybutnotsomuchreally" --insecure --json)
+src_obj1_etag=$(echo "${stat_out1}" | jq '.etag')
+src_obj1_size=$(echo "${stat_out1}" | jq '.size')
+src_obj1_md5=$(echo "${stat_out1}" | jq '.metadata."X-Amz-Server-Side-Encryption-Customer-Key-Md5"')
+echo "Stat minio1/test-bucket/defpartsize"
+./mc stat minio1/test-bucket/defpartsize --encrypt-key "minio1/test-bucket/defpartsize=iliketobecrazybutnotsomuchreally" --insecure --json
+stat_out2=$(./mc stat minio1/test-bucket/defpartsize --encrypt-key "minio1/test-bucket/defpartsize=iliketobecrazybutnotsomuchreally" --insecure --json)
+src_obj2_etag=$(echo "${stat_out2}" | jq '.etag')
+src_obj2_size=$(echo "${stat_out2}" | jq '.size')
+src_obj2_md5=$(echo "${stat_out2}" | jq '.metadata."X-Amz-Server-Side-Encryption-Customer-Key-Md5"')
+echo "Stat minio1/test-bucket/custpartsize"
+./mc stat minio1/test-bucket/custpartsize --encrypt-key "minio1/test-bucket/custpartsize=iliketobecrazybutnotsomuchreally" --insecure --json
+stat_out3=$(./mc stat minio1/test-bucket/custpartsize --encrypt-key "minio1/test-bucket/custpartsize=iliketobecrazybutnotsomuchreally" --insecure --json)
+src_obj3_etag=$(echo "${stat_out3}" | jq '.etag')
+src_obj3_size=$(echo "${stat_out3}" | jq '.size')
+src_obj3_md5=$(echo "${stat_out3}" | jq '.metadata."X-Amz-Server-Side-Encryption-Customer-Key-Md5"')
+
+# Stat the SSEC objects from replicated site
+echo "Stat minio2/test-bucket/encrypted"
+./mc stat minio2/test-bucket/encrypted --encrypt-key "minio2/test-bucket/encrypted=iliketobecrazybutnotsomuchreally" --insecure --json
+stat_out1_rep=$(./mc stat minio2/test-bucket/encrypted --encrypt-key "minio2/test-bucket/encrypted=iliketobecrazybutnotsomuchreally" --insecure --json)
+rep_obj1_etag=$(echo "${stat_out1_rep}" | jq '.etag')
+rep_obj1_size=$(echo "${stat_out1_rep}" | jq '.size')
+rep_obj1_md5=$(echo "${stat_out1_rep}" | jq '.metadata."X-Amz-Server-Side-Encryption-Customer-Key-Md5"')
+echo "Stat minio2/test-bucket/defpartsize"
+./mc stat minio2/test-bucket/defpartsize --encrypt-key "minio2/test-bucket/defpartsize=iliketobecrazybutnotsomuchreally" --insecure --json
+stat_out2_rep=$(./mc stat minio2/test-bucket/defpartsize --encrypt-key "minio2/test-bucket/defpartsize=iliketobecrazybutnotsomuchreally" --insecure --json)
+rep_obj2_etag=$(echo "${stat_out2_rep}" | jq '.etag')
+rep_obj2_size=$(echo "${stat_out2_rep}" | jq '.size')
+rep_obj2_md5=$(echo "${stat_out2_rep}" | jq '.metadata."X-Amz-Server-Side-Encryption-Customer-Key-Md5"')
+echo "Stat minio2/test-bucket/custpartsize"
+./mc stat minio2/test-bucket/custpartsize --encrypt-key "minio2/test-bucket/custpartsize=iliketobecrazybutnotsomuchreally" --insecure --json
+stat_out3_rep=$(./mc stat minio2/test-bucket/custpartsize --encrypt-key "minio2/test-bucket/custpartsize=iliketobecrazybutnotsomuchreally" --insecure --json)
+rep_obj3_etag=$(echo "${stat_out3_rep}" | jq '.etag')
+rep_obj3_size=$(echo "${stat_out3_rep}" | jq '.size')
+rep_obj3_md5=$(echo "${stat_out3_rep}" | jq '.metadata."X-Amz-Server-Side-Encryption-Customer-Key-Md5"')
+
+# Check the etag and size of replicated SSEC objects
+if [ "${rep_obj1_etag}" != "${src_obj1_etag}" ]; then
+	echo "BUG: Etag: '${rep_obj1_etag}' of replicated object: 'minio2/test-bucket/encrypted' doesn't match with source value: '${src_obj1_etag}'"
+	exit_1
+fi
+if [ "${rep_obj1_size}" != "${src_obj1_size}" ]; then
+	echo "BUG: Size: '${rep_obj1_size}' of replicated object: 'minio2/test-bucket/encrypted' doesn't match with source value: '${src_obj1_size}'"
+	exit_1
+fi
+if [ "${rep_obj2_etag}" != "${src_obj2_etag}" ]; then
+	echo "BUG: Etag: '${rep_obj2_etag}' of replicated object: 'minio2/test-bucket/defpartsize' doesn't match with source value: '${src_obj2_etag}'"
+	exit_1
+fi
+if [ "${rep_obj2_size}" != "${src_obj2_size}" ]; then
+	echo "BUG: Size: '${rep_obj2_size}' of replicated object: 'minio2/test-bucket/defpartsize' doesn't match with source value: '${src_obj2_size}'"
+	exit_1
+fi
+if [ "${rep_obj3_etag}" != "${src_obj3_etag}" ]; then
+	echo "BUG: Etag: '${rep_obj3_etag}' of replicated object: 'minio2/test-bucket/custpartsize' doesn't match with source value: '${src_obj3_etag}'"
+	exit_1
+fi
+if [ "${rep_obj3_size}" != "${src_obj3_size}" ]; then
+	echo "BUG: Size: '${rep_obj3_size}' of replicated object: 'minio2/test-bucket/custpartsize' doesn't match with source value: '${src_obj3_size}'"
+	exit_1
+fi
+
+# Check content of replicated SSEC objects
+./mc cat minio2/test-bucket/encrypted --encrypt-key "minio2/test-bucket/encrypted=iliketobecrazybutnotsomuchreally" --insecure
+./mc cat minio2/test-bucket/defpartsize --encrypt-key "minio2/test-bucket/defpartsize=iliketobecrazybutnotsomuchreally" --insecure >/dev/null || exit_1
+./mc cat minio2/test-bucket/custpartsize --encrypt-key "minio2/test-bucket/custpartsize=iliketobecrazybutnotsomuchreally" --insecure >/dev/null || exit_1
+
+# Check the MD5 checksums of encrypted objects from source and target
+if [ "${src_obj1_md5}" != "${rep_obj1_md5}" ]; then
+	echo "BUG: MD5 checksum of object 'minio2/test-bucket/encrypted' doesn't match with source. Expected: '${src_obj1_md5}', Found: '${rep_obj1_md5}'"
+	exit_1
+fi
+if [ "${src_obj2_md5}" != "${rep_obj2_md5}" ]; then
+	echo "BUG: MD5 checksum of object 'minio2/test-bucket/defpartsize' doesn't match with source. Expected: '${src_obj2_md5}', Found: '${rep_obj2_md5}'"
+	exit_1
+fi
+if [ "${src_obj3_md5}" != "${rep_obj3_md5}" ]; then
+	echo "BUG: MD5 checksum of object 'minio2/test-bucket/custpartsize' doesn't match with source. Expected: '${src_obj3_md5}', Found: '${rep_obj3_md5}'"
+	exit_1
+fi
+
+cleanup