Ensure pgBackRest Settings Work When Local & S3 Storage is Enabled

tjmoore4 · web-flow · commit def079d86db1 · 2020-07-08T22:04:47.000-04:00
This update ensures that the 's3-verify-tls' &amp; 's3-uri-style' settings
work as expected when both local &amp; S3 storage are enabled for pgBackRest
when creating a pgcluster. Currently, when a new cluster is created using
Local and AWS S3 storage (e.g. by specifiying
--pgbackrest-storage-type=local,s3 with the pgo create command),
stanza creation fails and the cluster is not initialized.

Since this is failing because the 'non S3' pgBackRest command runs when
the repo1-s3-verify-tls flag is detected in the environment. This fix updates
the pgBackRest flag implementation so that the repo1-s3-verify-tls setting
is applied only for the second pgbackrest command only, i.e. the command using
--repo-type-s3, and not apply it when running the first pgbackrest command for
the local repository. This is done by using the --no-repo1-s3-verify-tls
command flag rather than the relevant environment variable or the
related configuration file setting. This method allows both commands to
execute as expected.
diff --git a/bin/pgo-backrest-repo/pgo-backrest-repo.sh b/bin/pgo-backrest-repo/pgo-backrest-repo.sh
@@ -64,12 +64,7 @@ then
 	then
 		printf "repo1-s3-uri-style=%s\n" "${PGBACKREST_REPO1_S3_URI_STYLE}" >> /etc/pgbackrest/pgbackrest.conf
 	fi
-
-        if [[ "${PGBACKREST_REPO1_S3_VERIFY_TLS}" != "" ]]
-	then
-		printf "repo1-s3-verify-tls=%s\n" "${PGBACKREST_REPO1_S3_VERIFY_TLS}" >> /etc/pgbackrest/pgbackrest.conf
-	fi
-
+	
 fi
 
 mkdir -p ~/.ssh/
diff --git a/conf/postgres-operator/backrest-job.json b/conf/postgres-operator/backrest-job.json
@@ -62,7 +62,10 @@
                     }, {
                         "name": "PGHA_PGBACKREST_LOCAL_S3_STORAGE",
                         "value": "{{.BackrestLocalAndS3Storage}}"
-                    }, {
+                    },{
+                        "name": "PGHA_PGBACKREST_S3_VERIFY_TLS",
+                        "value": "{{.PgbackrestS3VerifyTLS}}"
+                    },{
                         "name": "PGBACKREST_LOG_PATH",
                         "value": "/tmp"
                     }, {
diff --git a/conf/postgres-operator/backrest-restore-job.json b/conf/postgres-operator/backrest-restore-job.json
@@ -80,9 +80,6 @@
                     }, {
                         "name": "PGBACKREST_REPO1_HOST",
                         "value": "{{.PgbackrestRepo1Host}}"
-                    }, {
-                        "name": "PGBACKREST_REPO_TYPE",
-                        "value": "{{.PgbackrestRepoType}}"
                     }, {
                         "name": "PGBACKREST_LOG_PATH",
                         "value": "/tmp"
diff --git a/conf/postgres-operator/pgbackrest-s3-env-vars.json b/conf/postgres-operator/pgbackrest-s3-env-vars.json
@@ -39,8 +39,7 @@
 {
   "name": "PGBACKREST_REPO1_S3_URI_STYLE",
   "value": "{{.PgbackrestS3URIStyle}}"
-},
-{
-  "name": "PGBACKREST_REPO1_S3_VERIFY_TLS",
+},{
+  "name": "PGHA_PGBACKREST_S3_VERIFY_TLS",
   "value": "{{.PgbackrestS3VerifyTLS}}"
 },
diff --git a/installers/ansible/roles/pgo-operator/files/pgo-configs/backrest-job.json b/installers/ansible/roles/pgo-operator/files/pgo-configs/backrest-job.json
@@ -59,10 +59,13 @@
                     }, {
                         "name": "PGBACKREST_REPO_TYPE",
                         "value": "{{.PgbackrestRepoType}}"
-                    }, {
+                    },{
                         "name": "PGHA_PGBACKREST_LOCAL_S3_STORAGE",
                         "value": "{{.BackrestLocalAndS3Storage}}"
-                    }, {
+                    },{
+                        "name": "PGHA_PGBACKREST_S3_VERIFY_TLS",
+                        "value": "{{.PgbackrestS3VerifyTLS}}"
+                    },{
                         "name": "PGBACKREST_LOG_PATH",
                         "value": "/tmp"
                     }, {
diff --git a/installers/ansible/roles/pgo-operator/files/pgo-configs/pgbackrest-s3-env-vars.json b/installers/ansible/roles/pgo-operator/files/pgo-configs/pgbackrest-s3-env-vars.json
@@ -39,8 +39,7 @@
 {
   "name": "PGBACKREST_REPO1_S3_URI_STYLE",
   "value": "{{.PgbackrestS3URIStyle}}"
-},
-{
-  "name": "PGBACKREST_REPO1_S3_VERIFY_TLS",
+},{
+  "name": "PGHA_PGBACKREST_S3_VERIFY_TLS",
   "value": "{{.PgbackrestS3VerifyTLS}}"
 },
diff --git a/internal/apiserver/backrestservice/backrestimpl.go b/internal/apiserver/backrestservice/backrestimpl.go
@@ -20,10 +20,12 @@ import (
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"strconv"
 	"strings"
 	"time"
 
 	"github.com/crunchydata/postgres-operator/internal/apiserver/backupoptions"
+	"github.com/crunchydata/postgres-operator/internal/operator"
 	"github.com/crunchydata/postgres-operator/internal/util"
 
 	"github.com/crunchydata/postgres-operator/internal/apiserver"
@@ -44,7 +46,11 @@ var pgBackRestInfoCommand = []string{"pgbackrest", "info", "--output", "json"}
 
 // repoTypeFlagS3 is used for getting the pgBackRest info for a repository that
 // is stored in S3
-var repoTypeFlagS3 = []string{"--repo-type", "s3"}
+var repoTypeFlagS3 = []string{"--repo1-type", "s3"}
+
+// noRepoS3VerifyTLS is used to disable SSL certificate verification when getting
+// the pgBackRest info for a repository that is stored in S3
+var noRepoS3VerifyTLS = "--no-repo1-s3-verify-tls"
 
 //  CreateBackup ...
 // pgo backup mycluster
@@ -212,7 +218,7 @@ func CreateBackup(request *msgs.CreateBackrestBackupRequest, ns, pgouser string)
 
 		err = kubeapi.Createpgtask(apiserver.RESTClient,
 			getBackupParams(cluster.ObjectMeta.Labels[config.LABEL_PG_CLUSTER_IDENTIFIER], clusterName, taskName, crv1.PgtaskBackrestBackup, podname, "database",
-				util.GetValueOrDefault(cluster.Spec.PGOImagePrefix, apiserver.Pgo.Pgo.PGOImagePrefix), request.BackupOpts, request.BackrestStorageType, jobName, ns, pgouser),
+				util.GetValueOrDefault(cluster.Spec.PGOImagePrefix, apiserver.Pgo.Pgo.PGOImagePrefix), request.BackupOpts, request.BackrestStorageType, operator.GetS3VerifyTLSSetting(&cluster), jobName, ns, pgouser),
 			ns)
 		if err != nil {
 			resp.Status.Code = msgs.Error
@@ -226,7 +232,7 @@ func CreateBackup(request *msgs.CreateBackrestBackupRequest, ns, pgouser string)
 	return resp
 }
 
-func getBackupParams(identifier, clusterName, taskName, action, podName, containerName, imagePrefix, backupOpts, backrestStorageType, jobName, ns, pgouser string) *crv1.Pgtask {
+func getBackupParams(identifier, clusterName, taskName, action, podName, containerName, imagePrefix, backupOpts, backrestStorageType, s3VerifyTLS, jobName, ns, pgouser string) *crv1.Pgtask {
 	var newInstance *crv1.Pgtask
 	spec := crv1.PgtaskSpec{}
 	spec.Name = taskName
@@ -244,6 +250,7 @@ func getBackupParams(identifier, clusterName, taskName, action, podName, contain
 	spec.Parameters[config.LABEL_BACKREST_COMMAND] = action
 	spec.Parameters[config.LABEL_BACKREST_OPTS] = backupOpts
 	spec.Parameters[config.LABEL_BACKREST_STORAGE_TYPE] = backrestStorageType
+	spec.Parameters[config.LABEL_BACKREST_S3_VERIFY_TLS] = s3VerifyTLS
 
 	newInstance = &crv1.Pgtask{
 		ObjectMeta: metav1.ObjectMeta{
@@ -404,8 +411,10 @@ func ShowBackrest(name, selector, ns string) msgs.ShowBackrestResponse {
 				StorageType: storageType,
 			}
 
+			verifyTLS, _ := strconv.ParseBool(operator.GetS3VerifyTLSSetting(&c))
+
 			// get the pgBackRest info using this legacy function
-			info, err := getInfo(c.Name, storageType, podname, ns)
+			info, err := getInfo(c.Name, storageType, podname, ns, verifyTLS)
 
 			// see if the function returned successfully, and if so, unmarshal the JSON
 			if err != nil {
@@ -433,13 +442,17 @@ func ShowBackrest(name, selector, ns string) msgs.ShowBackrestResponse {
 	return response
 }
 
-func getInfo(clusterName, storageType, podname, ns string) (string, error) {
+func getInfo(clusterName, storageType, podname, ns string, verifyTLS bool) (string, error) {
 	log.Debug("backrest info command requested")
 
 	cmd := pgBackRestInfoCommand
 
 	if storageType == "s3" {
 		cmd = append(cmd, repoTypeFlagS3...)
+
+		if !verifyTLS {
+			cmd = append(cmd, noRepoS3VerifyTLS)
+		}
 	}
 
 	output, stderr, err := kubeapi.ExecToPodThroughAPI(apiserver.RESTConfig, apiserver.Clientset, cmd, containername, podname, ns, nil)
@@ -572,6 +585,7 @@ func getRestoreParams(request *msgs.RestoreRequest, ns string, cluster crv1.Pgcl
 	spec.Parameters[config.LABEL_PGBACKREST_REPO_PATH] = "/backrestrepo/" + request.FromCluster + "-backrest-shared-repo"
 	spec.Parameters[config.LABEL_PGBACKREST_REPO_HOST] = request.FromCluster + "-backrest-shared-repo"
 	spec.Parameters[config.LABEL_BACKREST_STORAGE_TYPE] = request.BackrestStorageType
+	spec.Parameters[config.LABEL_BACKREST_S3_VERIFY_TLS] = operator.GetS3VerifyTLSSetting(&cluster)
 
 	// validate & parse nodeLabel if exists
 	if request.NodeLabel != "" {
diff --git a/internal/apiserver/backupoptions/pgbackrestoptions.go b/internal/apiserver/backupoptions/pgbackrestoptions.go
@@ -54,7 +54,7 @@ var pgBackRestOptsDenyList = []string{
 	"--repo-s3-endpoint",
 	"--repo-s3-host",
 	"--repo-s3-region",
-	"--repo-s3-verify-tls",
+	"--no-repo-s3-verify-tls",
 	"--repo-s3-uri-style",
 	"--stanza",
 	"--tablespace-map",
diff --git a/internal/apiserver/clusterservice/clusterimpl.go b/internal/apiserver/clusterservice/clusterimpl.go
@@ -1374,17 +1374,26 @@ func getClusterParams(request *msgs.CreateClusterRequest, name string, userLabel
 	spec.SyncReplication = request.SyncReplication
 
 	// set pgBackRest S3 settings in the spec if included in the request
+	// otherwise set to the default configuration value
 	if request.BackrestS3Bucket != "" {
 		spec.BackrestS3Bucket = request.BackrestS3Bucket
+	} else {
+		spec.BackrestS3Bucket = apiserver.Pgo.Cluster.BackrestS3Bucket
 	}
 	if request.BackrestS3Endpoint != "" {
 		spec.BackrestS3Endpoint = request.BackrestS3Endpoint
+	} else {
+		spec.BackrestS3Endpoint = apiserver.Pgo.Cluster.BackrestS3Endpoint
 	}
 	if request.BackrestS3Region != "" {
 		spec.BackrestS3Region = request.BackrestS3Region
+	} else {
+		spec.BackrestS3Region = apiserver.Pgo.Cluster.BackrestS3Region
 	}
 	if request.BackrestS3URIStyle != "" {
 		spec.BackrestS3URIStyle = request.BackrestS3URIStyle
+	} else {
+		spec.BackrestS3URIStyle = apiserver.Pgo.Cluster.BackrestS3URIStyle
 	}
 
 	// if the pgbackrest-s3-verify-tls flag was set, update the CR spec
@@ -1395,6 +1404,8 @@ func getClusterParams(request *msgs.CreateClusterRequest, name string, userLabel
 		} else {
 			spec.BackrestS3VerifyTLS = "true"
 		}
+	} else {
+		spec.BackrestS3VerifyTLS = apiserver.Pgo.Cluster.BackrestS3VerifyTLS
 	}
 
 	// set the data source that should be utilized to bootstrap the cluster
diff --git a/internal/config/labels.go b/internal/config/labels.go
@@ -80,6 +80,7 @@ const LABEL_BACKREST_BACKUP_OPTS = "backrest-backup-opts"
 const LABEL_BACKREST_OPTS = "backrest-opts"
 const LABEL_BACKREST_PITR_TARGET = "backrest-pitr-target"
 const LABEL_BACKREST_STORAGE_TYPE = "backrest-storage-type"
+const LABEL_BACKREST_S3_VERIFY_TLS = "backrest-s3-verify-tls"
 const LABEL_BADGER = "crunchy-pgbadger"
 const LABEL_BADGER_CCPIMAGE = "crunchy-pgbadger"
 const LABEL_BACKUP_TYPE_BACKREST = "pgbackrest"
diff --git a/internal/operator/backrest/backup.go b/internal/operator/backrest/backup.go
@@ -55,6 +55,7 @@ type backrestJobTemplateFields struct {
 	PgbackrestRepoPath            string
 	PgbackrestRepoType            string
 	BackrestLocalAndS3Storage     bool
+	PgbackrestS3VerifyTLS         string
 	PgbackrestRestoreVolumes      string
 	PgbackrestRestoreVolumeMounts string
 }
@@ -86,6 +87,7 @@ func Backrest(namespace string, clientset kubernetes.Interface, task *crv1.Pgtas
 		PgbackrestRestoreVolumeMounts: "",
 		PgbackrestRepoType:            operator.GetRepoType(task.Spec.Parameters[config.LABEL_BACKREST_STORAGE_TYPE]),
 		BackrestLocalAndS3Storage:     operator.IsLocalAndS3Storage(task.Spec.Parameters[config.LABEL_BACKREST_STORAGE_TYPE]),
+		PgbackrestS3VerifyTLS:         task.Spec.Parameters[config.LABEL_BACKREST_S3_VERIFY_TLS],
 	}
 
 	podCommandOpts, err := getCommandOptsFromPod(clientset, task, namespace)
@@ -200,6 +202,8 @@ func CreateBackup(restclient *rest.RESTClient, namespace, clusterName, podName s
 	spec.Parameters[config.LABEL_BACKREST_COMMAND] = crv1.PgtaskBackrestBackup
 	spec.Parameters[config.LABEL_BACKREST_OPTS] = backupOpts
 	spec.Parameters[config.LABEL_BACKREST_STORAGE_TYPE] = cluster.Spec.UserLabels[config.LABEL_BACKREST_STORAGE_TYPE]
+	// Get 'true' or 'false' for setting the pgBackRest S3 verify TLS value
+	spec.Parameters[config.LABEL_BACKREST_S3_VERIFY_TLS] = operator.GetS3VerifyTLSSetting(&cluster)
 
 	for k, v := range params {
 		spec.Parameters[k] = v
diff --git a/internal/operator/backrest/restore.go b/internal/operator/backrest/restore.go
@@ -20,6 +20,7 @@ import (
 	"encoding/json"
 	"errors"
 	"os"
+	"strconv"
 	"strings"
 	"time"
 
@@ -53,7 +54,6 @@ type BackrestRestoreJobTemplateFields struct {
 	PgbackrestDBPath       string
 	PgbackrestRepo1Path    string
 	PgbackrestRepo1Host    string
-	PgbackrestRepoType     string
 	PgbackrestS3EnvVars    string
 	NodeSelector           string
 	Tablespaces            string
@@ -178,7 +178,6 @@ func Restore(restclient *rest.RESTClient, namespace string, clientset kubernetes
 		PgbackrestRepo1Path:    util.GetPGBackRestRepoPath(cluster),
 		PgbackrestRepo1Host:    task.Spec.Parameters[config.LABEL_PGBACKREST_REPO_HOST],
 		NodeSelector:           operator.GetAffinity(task.Spec.Parameters["NodeLabelKey"], task.Spec.Parameters["NodeLabelValue"], "In"),
-		PgbackrestRepoType:     operator.GetRepoType(task.Spec.Parameters[config.LABEL_BACKREST_STORAGE_TYPE]),
 		PgbackrestS3EnvVars:    operator.GetPgbackrestS3EnvVars(cluster, clientset, namespace),
 		TablespaceVolumes:      operator.GetTablespaceVolumesJSON(restoreToName, tablespaceStorageTypeMap),
 		TablespaceVolumeMounts: operator.GetTablespaceVolumeMountsJSON(tablespaceStorageTypeMap),
@@ -196,6 +195,25 @@ func Restore(restclient *rest.RESTClient, namespace string, clientset kubernetes
 		jobFields.CommandOpts = strings.TrimSpace(jobFields.CommandOpts + " --target-action=promote")
 	}
 
+	// If the pgBackRest repo type is set to 's3', pass in the relevant command line argument.
+	// This is used in place of the environment variable so that it works as expected with
+	// the --no-repo1-s3-verify-tls flag, added below
+	pgBackrestRepoType := operator.GetRepoType(task.Spec.Parameters[config.LABEL_BACKREST_STORAGE_TYPE])
+	if pgBackrestRepoType == "s3" &&
+		!strings.Contains(jobFields.CommandOpts, "--repo1-type") &&
+		!strings.Contains(jobFields.CommandOpts, "--repo-type") {
+		jobFields.CommandOpts = strings.TrimSpace(jobFields.CommandOpts + " --repo1-type=s3")
+	}
+
+	// If TLS verification is disabled for this pgcluster, pass in the appropriate
+	// flag to the restore command. Otherwise, leave the default behavior, which will
+	// perform the normal certificate validation.
+	verifyTLS, _ := strconv.ParseBool(operator.GetS3VerifyTLSSetting(&cluster))
+	if pgBackrestRepoType == "s3" && !verifyTLS &&
+		!strings.Contains(jobFields.CommandOpts, "--no-repo1-s3-verify-tls") {
+		jobFields.CommandOpts = strings.TrimSpace(jobFields.CommandOpts + " --no-repo1-s3-verify-tls")
+	}
+
 	jobTemplate := bytes.Buffer{}
 
 	if err := config.BackrestRestorejobTemplate.Execute(&jobTemplate, jobFields); err != nil {
diff --git a/internal/operator/backrest/stanza.go b/internal/operator/backrest/stanza.go
@@ -93,6 +93,9 @@ func StanzaCreate(namespace, clusterName string, clientset kubernetes.Interface,
 		spec.Parameters[config.LABEL_BACKREST_OPTS] = ""
 	}
 
+	// Get 'true' or 'false' for setting the pgBackRest S3 verify TLS value
+	spec.Parameters[config.LABEL_BACKREST_S3_VERIFY_TLS] = operator.GetS3VerifyTLSSetting(&cluster)
+
 	newInstance := &crv1.Pgtask{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: taskName,
diff --git a/internal/operator/cluster/clone.go b/internal/operator/cluster/clone.go
@@ -20,6 +20,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"strconv"
 	"strings"
 	"time"
 
@@ -353,13 +354,31 @@ func cloneStep2(clientset kubernetes.Interface, client *rest.RESTClient, restCon
 		PgbackrestDBPath:    fmt.Sprintf(targetClusterPGDATAPath, targetClusterName),
 		PgbackrestRepo1Path: util.GetPGBackRestRepoPath(targetPgcluster),
 		PgbackrestRepo1Host: fmt.Sprintf(util.BackrestRepoServiceName, targetClusterName),
-		PgbackrestRepoType:  operator.GetRepoType(task.Spec.Parameters["backrestStorageType"]),
 		PgbackrestS3EnvVars: operator.GetPgbackrestS3EnvVars(sourcePgcluster, clientset, namespace),
 
 		TablespaceVolumes:      operator.GetTablespaceVolumesJSON(targetClusterName, tablespaceStorageTypeMap),
 		TablespaceVolumeMounts: operator.GetTablespaceVolumeMountsJSON(tablespaceStorageTypeMap),
 	}
 
+	// If the pgBackRest repo type is set to 's3', pass in the relevant command line argument.
+	// This is used in place of the environment variable so that it works as expected with
+	// the --no-repo1-s3-verify-tls flag, added below
+	pgBackrestRepoType := operator.GetRepoType(task.Spec.Parameters["backrestStorageType"])
+	if pgBackrestRepoType == "s3" &&
+		!strings.Contains(backrestRestoreJobFields.CommandOpts, "--repo1-type") &&
+		!strings.Contains(backrestRestoreJobFields.CommandOpts, "--repo-type") {
+		backrestRestoreJobFields.CommandOpts = strings.TrimSpace(backrestRestoreJobFields.CommandOpts + " --repo1-type=s3")
+	}
+
+	// If TLS verification is disabled for this pgcluster, pass in the appropriate
+	// flag to the restore command. Otherwise, leave the default behavior, which will
+	// perform the normal certificate validation.
+	verifyTLS, _ := strconv.ParseBool(operator.GetS3VerifyTLSSetting(&targetPgcluster))
+	if pgBackrestRepoType == "s3" && !verifyTLS &&
+		!strings.Contains(backrestRestoreJobFields.CommandOpts, "--no-repo1-s3-verify-tls") {
+		backrestRestoreJobFields.CommandOpts = strings.TrimSpace(backrestRestoreJobFields.CommandOpts + " --no-repo1-s3-verify-tls")
+	}
+
 	if sourcePgcluster.Spec.WALStorage.StorageType != "" {
 		arg, err := getLinkMap(clientset, restConfig, sourcePgcluster, targetClusterName)
 		if err != nil {
diff --git a/internal/operator/clusterutilities.go b/internal/operator/clusterutilities.go
diff --git a/pgo-backrest/pgo-backrest.go b/pgo-backrest/pgo-backrest.go

Original file line number	Diff line number	Diff line change
`@@ -1374,17 +1374,26 @@ func getClusterParams(request *msgs.CreateClusterRequest, name string, userLabel`
`1374`	`1374`	`spec.SyncReplication = request.SyncReplication`
`1375`	`1375`
`1376`	`1376`	`// set pgBackRest S3 settings in the spec if included in the request`
	`1377`	`+ // otherwise set to the default configuration value`
`1377`	`1378`	`if request.BackrestS3Bucket != "" {`
`1378`	`1379`	`spec.BackrestS3Bucket = request.BackrestS3Bucket`
	`1380`	`+ } else {`
	`1381`	`+ spec.BackrestS3Bucket = apiserver.Pgo.Cluster.BackrestS3Bucket`
`1379`	`1382`	`}`
`1380`	`1383`	`if request.BackrestS3Endpoint != "" {`
`1381`	`1384`	`spec.BackrestS3Endpoint = request.BackrestS3Endpoint`
	`1385`	`+ } else {`
	`1386`	`+ spec.BackrestS3Endpoint = apiserver.Pgo.Cluster.BackrestS3Endpoint`
`1382`	`1387`	`}`
`1383`	`1388`	`if request.BackrestS3Region != "" {`
`1384`	`1389`	`spec.BackrestS3Region = request.BackrestS3Region`
	`1390`	`+ } else {`
	`1391`	`+ spec.BackrestS3Region = apiserver.Pgo.Cluster.BackrestS3Region`
`1385`	`1392`	`}`
`1386`	`1393`	`if request.BackrestS3URIStyle != "" {`
`1387`	`1394`	`spec.BackrestS3URIStyle = request.BackrestS3URIStyle`
	`1395`	`+ } else {`
	`1396`	`+ spec.BackrestS3URIStyle = apiserver.Pgo.Cluster.BackrestS3URIStyle`
`1388`	`1397`	`}`
`1389`	`1398`
`1390`	`1399`	`// if the pgbackrest-s3-verify-tls flag was set, update the CR spec`
`@@ -1395,6 +1404,8 @@ func getClusterParams(request *msgs.CreateClusterRequest, name string, userLabel`
`1395`	`1404`	`} else {`
`1396`	`1405`	`spec.BackrestS3VerifyTLS = "true"`
`1397`	`1406`	`}`
	`1407`	`+ } else {`
	`1408`	`+ spec.BackrestS3VerifyTLS = apiserver.Pgo.Cluster.BackrestS3VerifyTLS`
`1398`	`1409`	`}`
`1399`	`1410`
`1400`	`1411`	`// set the data source that should be utilized to bootstrap the cluster`