From dd9c2da2ab06669f752f7e856a26cb388fbec6d4 Mon Sep 17 00:00:00 2001
From: duanhongyi
Date: Sat, 1 Dec 2018 22:57:30 +0800
Subject: [PATCH] feat(workflow): add parameters to determine that s3 enabled SSE
---
 rootfs/docker-entrypoint-initdb.d/001_setup_envdir.sh | 2 ++
 rootfs/patcher-script.d/patch_wal_e_s3.py | 8 +++++---
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/rootfs/docker-entrypoint-initdb.d/001_setup_envdir.sh b/rootfs/docker-entrypoint-initdb.d/001_setup_envdir.sh
index e2c00af..bdad088 100755
--- a/rootfs/docker-entrypoint-initdb.d/001_setup_envdir.sh
+++ b/rootfs/docker-entrypoint-initdb.d/001_setup_envdir.sh
@@ -6,6 +6,7 @@ if [[ "$DATABASE_STORAGE" == "s3" || "$DATABASE_STORAGE" == "minio" ]]; then
 AWS_ACCESS_KEY_ID=$(cat /var/run/secrets/deis/objectstore/creds/accesskey)
 AWS_SECRET_ACCESS_KEY=$(cat /var/run/secrets/deis/objectstore/creds/secretkey)
 if [[ "$DATABASE_STORAGE" == "s3" ]]; then
+ S3_SSE=$(cat /var/run/secrets/deis/objectstore/creds/sse)
 AWS_REGION=$(cat /var/run/secrets/deis/objectstore/creds/region)
 BUCKET_NAME=$(cat /var/run/secrets/deis/objectstore/creds/database-bucket)
 # Convert $AWS_REGION into $WALE_S3_ENDPOINT to avoid "Connection reset by peer" from
@@ -17,6 +18,7 @@ if [[ "$DATABASE_STORAGE" == "s3" || "$DATABASE_STORAGE" == "minio" ]]; then
 else
 echo "https+path://s3-${AWS_REGION}.amazonaws.com:443" > WALE_S3_ENDPOINT
 fi
+ echo $S3_SSE > WALE_S3_SSE
 else
 AWS_REGION="us-east-1"
 BUCKET_NAME="dbwal"
diff --git a/rootfs/patcher-script.d/patch_wal_e_s3.py b/rootfs/patcher-script.d/patch_wal_e_s3.py
index 1b2d4ea..642dbea 100644
--- a/rootfs/patcher-script.d/patch_wal_e_s3.py
+++ b/rootfs/patcher-script.d/patch_wal_e_s3.py
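Review bot: The added `S3_SSE=$(cat /var/run/secrets/deis/objectstore/creds/sse)` assumes the `sse` key is present in the objectstore secret, and nothing in this hunk handles a secret created before this change. If the read fails and the script continues (whether it aborts depends on shell options set outside the hunk), `S3_SSE` is empty and S3 uploads that were previously always server-side encrypted would no longer be. An explicit guard before the read makes the failure visible, for example `[[ -r /var/run/secrets/deis/objectstore/creds/sse ]] || { echo "objectstore secret has no sse key" >&2; exit 1; }`. The enclosing `if` block starts and ends outside the hunk.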
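Review bot: `echo $S3_SSE > WALE_S3_SSE` expands the variable unquoted, so a value containing whitespace or glob characters is word-split or pathname-expanded before it is written to the envdir file. The neighbouring `echo "https+path://..." > WALE_S3_ENDPOINT` line quotes its argument; doing the same here, `echo "$S3_SSE" > WALE_S3_SSE`, writes the secret's content verbatim and keeps the style consistent.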
@@ -7,10 +7,12 @@ def wrap_uri_put_file(creds, uri, fp, content_type=None, conn=None):
 k = s3_util._uri_to_key(creds, uri, conn=conn)
 if content_type is not None:
 k.content_type = content_type
+
+ # Currently WALE only supports AES256, so it's a boolean value.
+ encrypt_key = False
 if os.getenv('DATABASE_STORAGE') == 's3':
- encrypt_key=True
- else:
- encrypt_key=False
+ if os.getenv('WALE_S3_SSE', 'None') == 'AES256':
+ encrypt_key = True
 k.set_contents_from_file(fp, encrypt_key=encrypt_key)
 return k
 s3.uri_put_file = wrap_uri_put_file
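Review bot: The new check fails open: `encrypt_key` stays `False` for every `WALE_S3_SSE` value other than the exact string `AES256` (unset, empty, `aes256`, stray whitespace), whereas the removed code always passed `encrypt_key=True` for S3. A missing or mistyped setting therefore silently produces unencrypted objects from `uri_put_file`, with nothing logged. Consider normalising and validating the value, e.g. `sse = os.getenv('WALE_S3_SSE', '').strip()` followed by `if sse not in ('', 'AES256'): raise ValueError('unsupported WALE_S3_SSE: %r' % sse)`, and documenting that an empty value disables encryption. The `'None'` string default is also easy to misread as the `None` object; `os.getenv('WALE_S3_SSE') == 'AES256'` behaves the same. The body of `wrap_uri_put_file` begins above the hunk.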