Allow backup config change when recreated cluster

tjmoore4 · andrewlecuyer · commit 94a536151cea · 2021-07-14T09:35:56.000-05:00
Previously, when attempting to change the backup configuration
on an existing cluster, stanza-create job will error out due to
missing S3 configuration parameters despite being provided as
part of the pgo create cluster command.

This update corrects that issue by ensuring the existing pgBackRest
repo config secret is updated to include the necessary configuration
values.
diff --git a/internal/apiserver/clusterservice/clusterimpl.go b/internal/apiserver/clusterservice/clusterimpl.go
@@ -940,43 +940,55 @@ func CreateCluster(request *msgs.CreateClusterRequest, ns, pgouser string) msgs.
 	// the deployment template always tries to mount /sshd volume
 	secretName := fmt.Sprintf("%s-%s", clusterName, config.LABEL_BACKREST_REPO_SECRET)
 
-	if _, err := apiserver.Clientset.
-		CoreV1().Secrets(request.Namespace).
-		Get(ctx, secretName, metav1.GetOptions{}); kubeapi.IsNotFound(err) {
-		// determine if a custom CA secret should be used
-		backrestS3CACert := []byte{}
-
-		if request.BackrestS3CASecretName != "" {
-			backrestSecret, err := apiserver.Clientset.
-				CoreV1().Secrets(request.Namespace).
-				Get(ctx, request.BackrestS3CASecretName, metav1.GetOptions{})
-			if err != nil {
-				log.Error(err)
-				resp.Status.Code = msgs.Error
-				resp.Status.Msg = fmt.Sprintf("Error finding pgBackRest S3 CA secret \"%s\": %s",
-					request.BackrestS3CASecretName, err.Error())
-				return resp
-			}
+	// determine if a custom CA secret should be used
+	backrestS3CACert := []byte{}
 
-			// attempt to retrieves the custom CA, assuming it has the name
-			// "aws-s3-ca.crt"
-			backrestS3CACert = backrestSecret.Data[util.BackRestRepoSecretKeyAWSS3KeyAWSS3CACert]
+	if request.BackrestS3CASecretName != "" {
+		backrestSecret, err := apiserver.Clientset.
+			CoreV1().Secrets(request.Namespace).
+			Get(ctx, request.BackrestS3CASecretName, metav1.GetOptions{})
+		if err != nil {
+			log.Error(err)
+			resp.Status.Code = msgs.Error
+			resp.Status.Msg = fmt.Sprintf("Error finding pgBackRest S3 CA secret \"%s\": %s",
+				request.BackrestS3CASecretName, err.Error())
+			return resp
 		}
 
-		// if a GCS key is provided, we need to base64 decode it
-		backrestGCSKey := []byte{}
-		if request.BackrestGCSKey != "" {
-			// try to decode the string
-			backrestGCSKey, err = base64.StdEncoding.DecodeString(request.BackrestGCSKey)
+		// attempt to retrieves the custom CA, assuming it has the name
+		// "aws-s3-ca.crt"
+		backrestS3CACert = backrestSecret.Data[util.BackRestRepoSecretKeyAWSS3KeyAWSS3CACert]
+	}
 
-			if err != nil {
-				resp.Status.Code = msgs.Error
-				resp.Status.Msg = fmt.Sprintf("could not decode GCS key: %s", err.Error())
-				return resp
-			}
+	// if a GCS key is provided, we need to base64 decode it
+	backrestGCSKey := []byte{}
+	if request.BackrestGCSKey != "" {
+		// try to decode the string
+		backrestGCSKey, err = base64.StdEncoding.DecodeString(request.BackrestGCSKey)
+
+		if err != nil {
+			resp.Status.Code = msgs.Error
+			resp.Status.Msg = fmt.Sprintf("could not decode GCS key: %s", err.Error())
+			return resp
 		}
+	}
+
+	// save the S3 credentials in a single map so it can be used to either create a new
+	// secret or update an existing one
+	s3Credentials := map[string][]byte{
+		util.BackRestRepoSecretKeyAWSS3KeyAWSS3CACert:    backrestS3CACert,
+		util.BackRestRepoSecretKeyAWSS3KeyAWSS3Key:       []byte(request.BackrestS3Key),
+		util.BackRestRepoSecretKeyAWSS3KeyAWSS3KeySecret: []byte(request.BackrestS3KeySecret),
+		util.BackRestRepoSecretKeyAWSS3KeyGCSKey:         backrestGCSKey,
+	}
 
-		// set up the secret for the cluster that contains the pgBackRest
+	_, err = apiserver.Clientset.CoreV1().Secrets(request.Namespace).
+		Get(ctx, secretName, metav1.GetOptions{})
+
+	switch {
+	case kubeapi.IsNotFound(err):
+		// The pgBackRest repo config secret was not found, create it.
+		// Set up the secret for the cluster that contains the pgBackRest
 		// information
 		secret := &v1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
@@ -987,12 +999,7 @@ func CreateCluster(request *msgs.CreateClusterRequest, ns, pgouser string) msgs.
 					config.LABEL_PGO_BACKREST_REPO: "true",
 				},
 			},
-			Data: map[string][]byte{
-				util.BackRestRepoSecretKeyAWSS3KeyAWSS3CACert:    backrestS3CACert,
-				util.BackRestRepoSecretKeyAWSS3KeyAWSS3Key:       []byte(request.BackrestS3Key),
-				util.BackRestRepoSecretKeyAWSS3KeyAWSS3KeySecret: []byte(request.BackrestS3KeySecret),
-				util.BackRestRepoSecretKeyAWSS3KeyGCSKey:         backrestGCSKey,
-			},
+			Data: s3Credentials,
 		}
 
 		for k, v := range util.GetCustomLabels(newInstance) {
@@ -1004,10 +1011,22 @@ func CreateCluster(request *msgs.CreateClusterRequest, ns, pgouser string) msgs.
 			resp.Status.Msg = fmt.Sprintf("could not create backrest repo secret: %s", err)
 			return resp
 		}
-	} else if err != nil {
+
+	case err != nil:
+		// An error occurred other than 'not found'. Log the error received when
+		// attempting to get the pgBackRest repo config secret, then return.
 		resp.Status.Code = msgs.Error
 		resp.Status.Msg = fmt.Sprintf("could not query if backrest repo secret exits: %s", err)
 		return resp
+	default:
+		// the pgBackRest repo config secret already exists, update any provided
+		// S3 credential information
+		err = updateRepoSecret(apiserver.Clientset, secretName, request.Namespace, s3Credentials)
+		if err != nil {
+			resp.Status.Code = msgs.Error
+			resp.Status.Msg = fmt.Sprintf("could not update backrest repo secret: %s", err)
+			return resp
+		}
 	}
 
 	// create a workflow for this new cluster
@@ -1040,6 +1059,30 @@ func CreateCluster(request *msgs.CreateClusterRequest, ns, pgouser string) msgs.
 	return resp
 }
 
+// updateRepoSecret updates the existing pgBackRest repo config secret with any
+// provided S3/GCS connection information.
+func updateRepoSecret(clientset kubernetes.Interface, secretName,
+	namespace string, connectionInfo map[string][]byte) error {
+	ctx := context.TODO()
+
+	// Get the secret
+	secret, err := clientset.CoreV1().Secrets(namespace).
+		Get(ctx, secretName, metav1.GetOptions{})
+	// The secret should already exist at this point. If there is any error,
+	// return.
+	if err != nil {
+		return err
+	}
+
+	// update the secret data
+	for k, v := range connectionInfo {
+		secret.Data[k] = v
+	}
+	_, err = clientset.CoreV1().Secrets(secret.Namespace).Update(ctx, secret,
+		metav1.UpdateOptions{})
+	return err
+}
+
 func validateConfigPolicies(clusterName, PoliciesFlag, ns string) error {
 	ctx := context.TODO()
 	var err error
