feat(workflow): add parameters to determine that s3 enabled SSE

Author: duanhongyi

rootfs/docker-entrypoint-initdb.d/001_setup_envdir.sh

@@ -6,6 +6,7 @@ if [[ "$DATABASE_STORAGE" == "s3" || "$DATABASE_STORAGE" == "minio" ]]; then
   AWS_ACCESS_KEY_ID=$(cat /var/run/secrets/deis/objectstore/creds/accesskey)
   AWS_SECRET_ACCESS_KEY=$(cat /var/run/secrets/deis/objectstore/creds/secretkey)
   if [[ "$DATABASE_STORAGE" == "s3" ]]; then
+    S3_SSE=$(cat /var/run/secrets/deis/objectstore/creds/sse)
     AWS_REGION=$(cat /var/run/secrets/deis/objectstore/creds/region)
     BUCKET_NAME=$(cat /var/run/secrets/deis/objectstore/creds/database-bucket)
     # Convert $AWS_REGION into $WALE_S3_ENDPOINT to avoid "Connection reset by peer" from
@@ -17,6 +18,7 @@ if [[ "$DATABASE_STORAGE" == "s3" || "$DATABASE_STORAGE" == "minio" ]]; then
     else
       echo "https+path://s3-${AWS_REGION}.amazonaws.com:443" > WALE_S3_ENDPOINT
     fi
+    echo $S3_SSE > WALE_S3_SSE
   else
     AWS_REGION="us-east-1"
     BUCKET_NAME="dbwal"

rootfs/patcher-script.d/patch_wal_e_s3.py

@@ -7,10 +7,12 @@ def wrap_uri_put_file(creds, uri, fp, content_type=None, conn=None):
         k = s3_util._uri_to_key(creds, uri, conn=conn)
         if content_type is not None:
             k.content_type = content_type
+
+        # Currently WALE only supports AES256, so it's a boolean value.
+        encrypt_key = False
         if os.getenv('DATABASE_STORAGE') == 's3':
-            encrypt_key=True
-        else:
-            encrypt_key=False
+            if os.getenv('WALE_S3_SSE', 'None') == 'AES256':
+                encrypt_key = True
         k.set_contents_from_file(fp, encrypt_key=encrypt_key)
         return k
     s3.uri_put_file = wrap_uri_put_file