[DPE-4412] Use TLS CA chain for backups

[marceloneppel]

Issue

It's possible to configure a TLS CA chain in the S3 integrator charm. However, the PostgreSQL charm doesn't use that, so right now, it's not possible to connect to S3-compatible storages which provide a self-signed SSL certificate.

Solution

Port of canonical/postgresql-k8s-operator#493.

Push the TLS CA chain contents to a file and reference it in the pgBackRest configuration (and also in the boto3 calls), so it uses that CA when communicating with the S3-compatible storage.

Manual testing:

1. Build and install the MicroCeph snap from the https://github.com/marceloneppel/microceph/tree/rgw-https-support branch.

snapcraft -v
sudo snap install --dangerous microceph_*.snap

2. Generate the SSL files.

sudo openssl genrsa -out /var/snap/microceph/common/ca.key 2048
sudo openssl req -x509 -new -nodes -key /var/snap/microceph/common/ca.key -days 1024 -out /var/snap/microceph/common/ca.crt -outform PEM
sudo openssl genrsa -out /var/snap/microceph/common/server.key 2048
sudo openssl req -new -key /var/snap/microceph/common/server.key -out /var/snap/microceph/common/server.csr
export HOST_IP=$(lxc network list --format json | jq -r '.[]  | select(.name=="lxdbr0").config."ipv4.address"' | cut -d'/' -f1)
echo "subjectAltName = IP:$HOST_IP,DNS:$HOST_IP" > ~/extfile.cnf
sudo openssl x509 -req -in /var/snap/microceph/common/server.csr -CA /var/snap/microceph/common/ca.crt -CAkey /var/snap/microceph/common/ca.key -CAcreateserial -out /var/snap/microceph/common/server.crt -days 365 -extfile ~/extfile.cnf

3. Bootstrap the MicroCeph cluster, enable RadosGW, and create a user for RadosGW:

sudo microceph cluster bootstrap
sudo microceph disk add loop,4G,3
sudo microceph enable rgw --ssl-certificate=/var/snap/microceph/common/server.crt --ssl-private-key=/var/snap/microceph/common/server.key
sudo microceph.radosgw-admin user create --uid test --display-name test

4. Configure your access and secret keys in the AWS CLI, then create a bucket:

aws configure
aws --endpoint-url=http://localhost s3 mb s3://test --region ""

5. Deploy the charm from this PR along with the S3 integrator charm:

juju deploy s3-integrator

tox -e build-production && juju deploy ./*.charm

juju config s3-integrator endpoint="https://$(lxc network list --format json | jq -r '.[]  | select(.name=="lxdbr0").config."ipv4.address"' | cut -d'/' -f1)" bucket="test" path="/local" region="" s3-uri-style="path" tls-ca-chain="$(base64 -w0 /var/snap/microceph/common/ca.crt)"

juju run s3-integrator/leader sync-s3-credentials access-key=****** secret-key=******

juju relate postgresql s3-integrator

6. Run backup actions (like create-backup, list-backups and restore) as usual.

An integration test using MicroCeph will be added in another PR (because it depends on canonical/microceph#355).

Fixes #471.

[lucasgameiroborges]

LGTM

[taurus-forever]

Excellent!