Merge pull request #266 from StackStorm/generate-crypto-key

Generate datastore_crypto_key on install if not provided

Author: cognifloyd

.circleci/config.yml

@@ -14,7 +14,7 @@ jobs:
   helm-lint:
     working_directory: ~/stackstorm-ha
     docker:
-      - image: lachlanevenson/k8s-helm:v3.4.2
+      - image: lachlanevenson/k8s-helm:v3.5.3
     steps:
       - checkout
       - run:

CHANGELOG.md

@@ -16,6 +16,7 @@
 * Fix indent for lifecycle postStart hook of `st2web` pod. (#268) (by @cognifloyd)
 * Advanced Feature: Allow `st2web` to serve HTTPS when the ssl certs are provided via `st2web.extra_volumes`. To enable this, add `ST2WEB_HTTPS: "1"` to `st2web.env` in your values file. (#264) (by @cognifloyd)
 * Custom annotations now apply to deployments and jobs, not just pods. (#270) (by @cognifloyd)
+* BREAKING CHANGE: Auto-generate `datastore_crypto_key` on install if not provided. This way all HA installs will have a datastore_crypto_key configured. This is only a breaking change for installations that do not want a `datastore_crypto_key`. To disable set `datastore_crypto_key` to `disable` instead of setting it to `""`, `null`, or leaving it unset. (#266) (by @cognifloyd)
 
 ## v0.70.0
 * New feature: Shared packs volumes `st2.packs.volumes`. Allow using cluster-specific persistent volumes to store packs, virtualenvs, and (optionally) configs. This enables using `st2 pack install`. It even works with `st2packs` images in `st2.packs.images`. (#199) (by @cognifloyd)

README.md

@@ -11,7 +11,7 @@ It's more than welcome to fine-tune each component settings to fit specific avai
 
 ## Requirements
 * [Kubernetes](https://kubernetes.io/docs/setup/pick-right-solution/) cluster
-* [Helm](https://docs.helm.sh/using_helm/#install-helm) `v3.x`
+* [Helm](https://docs.helm.sh/using_helm/#install-helm) `v3.5` or greater
 
 ## Usage
 1) Edit `values.yaml` with configuration for the StackStorm HA K8s cluster.

conf/datastore_crypto_key.yaml

@@ -0,0 +1,13 @@
+# This is used to generate st2.datastore_crypto_key on install if not defined in values.
+
+# The formula is based on an st2-specific version of python's base64.urlsafe_b64encode
+# randBytes returns a base64 encoded string
+# 32 bytes = 256 bits / 8 bits/byte
+
+aesKeyString: '{{ randBytes 32 | replace "+" "-" | replace "_" "/" | replace "=" "" }}'
+mode: CBC
+size: 256
+
+hmacKey:
+  hmacKeyString: '{{ randBytes 32 | replace "+" "-" | replace "_" "/" | replace "=" "" }}'
+  size: 256

templates/configmaps_st2-conf.yaml

@@ -42,7 +42,7 @@ data:
     {{- end }}
     port = {{ index .Values "mongodb" "service" "port" }}
     {{- end }}
-    {{- if .Values.st2.datastore_crypto_key }}
+    {{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
     [keyvalue]
     encryption_key_path = /etc/st2/keys/datastore_key.json
     {{- end }}

templates/deployments.yaml

@@ -204,7 +204,7 @@ spec:
             name: {{ .Release.Name }}-st2-urls
         volumeMounts:
         {{- include "st2-config-volume-mounts" . | nindent 8 }}
-        {{- if .Values.st2.datastore_crypto_key }}
+        {{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
           readOnly: true
@@ -228,7 +228,7 @@ spec:
       serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" . }}
     {{- end }}
       volumes:
-        {{- if .Values.st2.datastore_crypto_key }}
+        {{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ .Release.Name }}-st2-datastore-crypto-key
@@ -565,7 +565,7 @@ spec:
             name: {{ .Release.Name }}-st2-urls
         volumeMounts:
         {{- include "st2-config-volume-mounts" . | nindent 8 }}
-        {{- if .Values.st2.datastore_crypto_key }}
+        {{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
           readOnly: true
@@ -586,7 +586,7 @@ spec:
     {{- end }}
       volumes:
         {{- include "st2-config-volume" . | nindent 8 }}
-        {{- if .Values.st2.datastore_crypto_key }}
+        {{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ .Release.Name }}-st2-datastore-crypto-key
@@ -780,7 +780,7 @@ spec:
             name: {{ .Release.Name }}-st2-urls
         volumeMounts:
         {{- include "st2-config-volume-mounts" . | nindent 8 }}
-        {{- if .Values.st2.datastore_crypto_key }}
+        {{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
           readOnly: true
@@ -805,7 +805,7 @@ spec:
     {{- end }}
       volumes:
         {{- include "st2-config-volume" . | nindent 8 }}
-        {{- if .Values.st2.datastore_crypto_key }}
+        {{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ .Release.Name }}-st2-datastore-crypto-key
@@ -901,7 +901,7 @@ spec:
             name: {{ .Release.Name }}-st2-urls
         volumeMounts:
         {{- include "st2-config-volume-mounts" . | nindent 8 }}
-        {{- if .Values.st2.datastore_crypto_key }}
+        {{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
           readOnly: true
@@ -921,7 +921,7 @@ spec:
       serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" . }}
     {{- end }}
       volumes:
-        {{- if .Values.st2.datastore_crypto_key }}
+        {{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ .Release.Name }}-st2-datastore-crypto-key
@@ -1161,7 +1161,7 @@ spec:
         volumeMounts:
         {{- include "st2-config-volume-mounts" $ | nindent 8 }}
         {{- include "packs-volume-mounts" $ | nindent 8 }}
-        {{- if $.Values.st2.datastore_crypto_key }}
+        {{- if ne "disable" (default "" $.Values.st2.datastore_crypto_key) }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
           readOnly: true
@@ -1185,7 +1185,7 @@ spec:
       serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" $ }}
     {{- end }}
       volumes:
-        {{- if $.Values.st2.datastore_crypto_key }}
+        {{- if ne "disable" (default "" $.Values.st2.datastore_crypto_key) }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ $.Release.Name }}-st2-datastore-crypto-key
@@ -1303,7 +1303,7 @@ spec:
         {{- include "st2-config-volume-mounts" . | nindent 8 }}
         - name: st2-ssh-key-vol
           mountPath: {{ tpl .Values.st2.system_user.ssh_key_file . | dir | dir }}/.ssh-key-vol/
-        {{- if .Values.st2.datastore_crypto_key }}
+        {{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
           readOnly: true
@@ -1329,7 +1329,7 @@ spec:
       serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" . }}
     {{- end }}
       volumes:
-        {{- if .Values.st2.datastore_crypto_key }}
+        {{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ .Release.Name }}-st2-datastore-crypto-key
@@ -1581,7 +1581,7 @@ spec:
           mountPath: /root/.st2/
         - name: st2-ssh-key-vol
           mountPath: {{ tpl .Values.st2.system_user.ssh_key_file . | dir | dir }}/.ssh-key-vol/
-        {{- if .Values.st2.datastore_crypto_key }}
+        {{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
           readOnly: true
@@ -1608,7 +1608,7 @@ spec:
             memory: "5Mi"
             cpu: "5m"
       volumes:
-        {{- if .Values.st2.datastore_crypto_key }}
+        {{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ .Release.Name }}-st2-datastore-crypto-key

templates/secrets_datastore_crypto_key.yaml

@@ -2,12 +2,13 @@
 {{- $deprecated_crypto_key := (default (dict) (default (dict) .Values.secrets).st2).datastore_crypto_key }}
 {{- if $deprecated_crypto_key }}
 {{- fail "Please update your values! The datastore_crypto_key value moved from secrets.st2.* to st2.*" }}
-{{- else if .Values.st2.datastore_crypto_key }}
+{{- else if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Release.Name }}-st2-datastore-crypto-key
+  {{- $name := print .Release.Name "-st2-datastore-crypto-key" }}
+  name: {{ $name }}
   annotations:
     description: StackStorm crypto key used to encrypt/decrypt KV records
   labels:
@@ -20,6 +21,13 @@ metadata:
 type: Opaque
 data:
   # Datastore key used to encrypt/decrypt record for the KV store
+{{- $previous := lookup "v1" "Secret" .Release.Namespace $name }}
+{{- if .Values.st2.datastore_crypto_key }}
   datastore_crypto_key: {{ .Values.st2.datastore_crypto_key | b64enc }}
+{{- else if $previous }}
+  datastore_crypto_key: {{ $previous.data.datastore_crypto_key }}
+{{- else }}
+  datastore_crypto_key: {{ tpl (.Files.Get "conf/datastore_crypto_key.yaml") . | fromYaml | toRawJson | b64enc }}
+{{- end }}
 
 {{- end }}

values.yaml

@@ -49,7 +49,9 @@ st2:
   #password: Ch@ngeMe
   # ST2 crypto key for the  K/V datastore.
   # See https://docs.stackstorm.com/datastore.html#securing-secrets-admin-only for more info.
-  # Warning! Replace with your own generated key!
+  # If set, st2.datastore_crypto_key always overrides any existing datastore_crypto_key.
+  # If not set, the datastore_crypto_key is auto-generated on install and preserved across upgrades.
+  # If you want to disable datastore encryption, set "datastore_crypto_key: disable".
   #datastore_crypto_key: >-
   #  {"hmacKey": {"hmacKeyString": "", "size": 256}, "size": 256, "aesKeyString": "", "mode": "CBC"}
   # SSH private key for the 'stanley' system user ('system_user.ssh_key_file' in st2.conf)