Allow for seamless upgrade to new AWS S3 CA bundle

This updates the autodetection logic to add the new AWS S3 CA
bundle to the general PGO Secret, which is then applied to clusters
on upgrade.

The logic is such that it will only overwrite the default template
if it is unmodified, i.e. it is using the CA bundle that is
provided.

Author: Jonathan S. Katz

internal/operator/cluster/upgrade.go

@@ -17,9 +17,11 @@ package cluster
 
 import (
 	"context"
+	"crypto/sha256"
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"path"
 	"regexp"
 	"strconv"
 	"strings"
@@ -57,6 +59,10 @@ const (
 const nssWrapperForceCommand = `# ensure nss_wrapper env vars are set when executing commands as needed for OpenShift compatibility
 ForceCommand NSS_WRAPPER_SUBDIR=ssh . /opt/crunchy/bin/nss_wrapper_env.sh && $SSH_ORIGINAL_COMMAND`
 
+// legacyS3CASHA256Digest informs us if we should override the S3 CA with the
+// new bundle
+const legacyS3CASHA256Digest = "d1c290ea1e4544dec1934931fbfa1fb2060eb3a0f2239ba191f444ecbce35cbb"
+
 // the following regex expressions are used when upgrading the sshd_config file for a PG cluster
 var (
 	// nssWrapperRegex is the regular expression that is utilized to determine if the nss_wrapper
@@ -485,6 +491,19 @@ func recreateBackrestRepoSecret(clientset kubernetes.Interface, clustername, nam
 	if err == nil {
 		if b, ok := secret.Data["aws-s3-ca.crt"]; ok {
 			config.BackrestS3CA = b
+
+			// if this matches the old AWS S3 CA bundle, update to the new one.
+			if fmt.Sprintf("%x", sha256.Sum256(config.BackrestS3CA)) == legacyS3CASHA256Digest {
+				file := path.Join("/default-pgo-backrest-repo/aws-s3-ca.crt")
+
+				// if we can't read the contents of the file for whatever reason, warn,
+				// otherwise, update the entry in the Secret
+				if contents, err := ioutil.ReadFile(file); err != nil {
+					log.Warn(err)
+				} else {
+					config.BackrestS3CA = contents
+				}
+			}
 		}
 		if b, ok := secret.Data["aws-s3-key"]; ok {
 			config.BackrestS3Key = string(b)

internal/operator/common.go

@@ -18,6 +18,7 @@ package operator
 import (
 	"bytes"
 	"context"
+	"crypto/sha256"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -50,6 +51,9 @@ const (
 	defaultBackrestRepoConfigPath = "/default-pgo-backrest-repo/"
 	// defaultRegistry is the default registry to pull the container images from
 	defaultRegistry = "registry.developers.crunchydata.com/crunchydata"
+	// legacyS3CASHA256Digest informs us if we should override the S3 CA with the
+	// new bundle
+	legacyS3CASHA256Digest = "d1c290ea1e4544dec1934931fbfa1fb2060eb3a0f2239ba191f444ecbce35cbb"
 )
 
 var (
@@ -525,9 +529,18 @@ func initializeOperatorBackrestSecret(clientset kubernetes.Interface, namespace
 
 	// set any missing defaults
 	for _, filename := range defaultBackrestRepoConfigKeys {
-		// skip if there is already content
+		// skip if there is already content, unless this is aws-s3-ca.crt due to
+		// the change in the CA bundle
 		if len(secret.Data[filename]) != 0 {
-			continue
+			if filename != "aws-s3-ca.crt" {
+				continue
+			}
+
+			// in the case of aws-s3-ca.crt, check that this is the default
+			// certificate. if it is, override it
+			if fmt.Sprintf("%x", sha256.Sum256(secret.Data[filename])) != legacyS3CASHA256Digest {
+				continue
+			}
 		}
 
 		file := path.Join(defaultBackrestRepoConfigPath, filename)