Allow for seamless upgrade to new AWS S3 CA bundle

Jonathan S. Katz · Jonathan S. Katz · commit 2b7085937a07 · 2021-11-22T11:12:46.000-05:00
This updates the autodetection logic to add the new AWS S3 CA
bundle to the general PGO Secret, which is then applied to clusters
on upgrade.

The logic is such that it will only overwrite the default template
if it is unmodified, i.e. it is using the CA bundle that is
provided.
diff --git a/internal/operator/cluster/upgrade.go b/internal/operator/cluster/upgrade.go
@@ -17,9 +17,11 @@ package cluster
 
 import (
 	"context"
+	"crypto/sha256"
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"path"
 	"regexp"
 	"strconv"
 	"strings"
@@ -57,6 +59,10 @@ const (
 // v4.5.2 and v4.4.3)
 var usePAMRegex = regexp.MustCompile(`(?im)^UsePAM\s*yes`)
 
+// legacyS3CASHA256Digest informs us if we should override the S3 CA with the
+// new bundle
+const legacyS3CASHA256Digest = "d1c290ea1e4544dec1934931fbfa1fb2060eb3a0f2239ba191f444ecbce35cbb"
+
 // AddUpgrade implements the upgrade workflow in accordance with the received pgtask
 // the general process is outlined below:
 // 1) get the existing pgcluster CRD instance that matches the name provided in the pgtask
@@ -465,6 +471,19 @@ func recreateBackrestRepoSecret(clientset kubernetes.Interface, clustername, nam
 	if err == nil {
 		if b, ok := secret.Data["aws-s3-ca.crt"]; ok {
 			config.BackrestS3CA = b
+
+			// if this matches the old AWS S3 CA bundle, update to the new one.
+			if fmt.Sprintf("%x", sha256.Sum256(config.BackrestS3CA)) == legacyS3CASHA256Digest {
+				file := path.Join("/default-pgo-backrest-repo/aws-s3-ca.crt")
+
+				// if we can't read the contents of the file for whatever reason, warn,
+				// otherwise, update the entry in the Secret
+				if contents, err := ioutil.ReadFile(file); err != nil {
+					log.Warn(err)
+				} else {
+					config.BackrestS3CA = contents
+				}
+			}
 		}
 		if b, ok := secret.Data["aws-s3-key"]; ok {
 			config.BackrestS3Key = string(b)
diff --git a/internal/operator/common.go b/internal/operator/common.go
@@ -18,6 +18,7 @@ package operator
 import (
 	"bytes"
 	"context"
+	"crypto/sha256"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -47,6 +48,9 @@ const (
 	defaultBackrestRepoConfigPath = "/default-pgo-backrest-repo/"
 	// defaultRegistry is the default registry to pull the container images from
 	defaultRegistry = "registry.developers.crunchydata.com/crunchydata"
+	// legacyS3CASHA256Digest informs us if we should override the S3 CA with the
+	// new bundle
+	legacyS3CASHA256Digest = "d1c290ea1e4544dec1934931fbfa1fb2060eb3a0f2239ba191f444ecbce35cbb"
 )
 
 var (
@@ -484,9 +488,18 @@ func initializeOperatorBackrestSecret(clientset kubernetes.Interface, namespace
 
 	// set any missing defaults
 	for _, filename := range defaultBackrestRepoConfigKeys {
-		// skip if there is already content
+		// skip if there is already content, unless this is aws-s3-ca.crt due to
+		// the change in the CA bundle
 		if len(secret.Data[filename]) != 0 {
-			continue
+			if filename != "aws-s3-ca.crt" {
+				continue
+			}
+
+			// in the case of aws-s3-ca.crt, check that this is the default
+			// certificate. if it is, override it
+			if fmt.Sprintf("%x", sha256.Sum256(secret.Data[filename])) != legacyS3CASHA256Digest {
+				continue
+			}
 		}
 
 		file := path.Join(defaultBackrestRepoConfigPath, filename)
