Refactor secrets and auto-generate password + ssh_key

.circleci/config.yml

@@ -14,7 +14,7 @@ jobs:
   helm-lint:
     working_directory: ~/stackstorm-ha
     docker:
-      - image: lachlanevenson/k8s-helm:v3.3.4
+      - image: lachlanevenson/k8s-helm:v3.4.2
     steps:
       - checkout
       - run:

CHANGELOG.md

@@ -8,6 +8,8 @@
 * st2chatops change: If `st2chatops.env.ST2_API_KEY` is defined, do not set `ST2_AUTH_USERNAME` or `ST2_AUTH_PASSWORD` env vars any more. (#197) (by @cognifloyd)
 * Add image.tag overrides for all deployments. (#200) (by @cognifloyd)
 * If your k8s cluster admin requires custom annotations (eg: to indicate mongo or rabbitmq usage), you can now add those to each set of pods. (#195) (by @cognifloyd)
+* BREAKING CHANGE: Move secrets.st2.* values into st2.* (#203) (by @cognifloyd)
+* Auto-generate password and ssh_key secrets. (#203) (by @cognifloyd)
 * Add optional hubot-scripts volume to st2chatops pod. To add this, define `st2chatops.hubotScriptsVolume`. (#207) (by @cognifloyd)
 * Add advanced pod placment (nodeSelector, affinity, tolerations) to specs for batch Jobs pods. (#193) (by @cognifloyd)
 * Allow adding dnsPolicy and/or dnsConfig to all pods. (#201) (by @cognifloyd)

templates/NOTES.txt

@@ -39,11 +39,13 @@ Ingress is enabled. You may access following endpoints:
 {{- end }}
 {{- end }}
 
-2. Login with the following credentials:
-username: {{ .Values.secrets.st2.username }}
-password: {{ .Values.secrets.st2.password }}
+2. Get the password needed to login:
+kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.data.password}" secret {{ .Release.Name }}-st2-auth | base64 --decode
 
-3. Use st2 CLI:
+3. Login with this username and the password retrieved above:
+username: {{ .Values.st2.username }}
+
+4. Use st2 CLI:
 export ST2CLIENT=$(kubectl get --namespace {{ .Release.Namespace }} pod -l app=st2client,release={{ .Release.Name }} -o jsonpath="{.items[0].metadata.name}")
 kubectl exec -it ${ST2CLIENT} --namespace {{ .Release.Namespace }} -- st2 --version
 

templates/configmaps_st2-conf.yaml

@@ -39,7 +39,7 @@ data:
     {{- end }}
     port = {{ index .Values "mongodb" "service" "port" }}
     {{- end }}
-    {{- if .Values.secrets.st2.datastore_crypto_key }}
+    {{- if .Values.st2.datastore_crypto_key }}
     [keyvalue]
     encryption_key_path = /etc/st2/keys/datastore_key.json
     {{- end }}

templates/deployments.yaml

@@ -187,7 +187,7 @@ spec:
         - name: st2-config-vol
           mountPath: /etc/st2/st2.user.conf
           subPath: st2.user.conf
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
           readOnly: true
@@ -206,7 +206,7 @@ spec:
       serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" . }}
     {{- end }}
       volumes:
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ .Release.Name }}-st2-datastore-crypto-key
@@ -492,7 +492,7 @@ spec:
         - name: st2-config-vol
           configMap:
             name: {{ .Release.Name }}-st2-config
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ .Release.Name }}-st2-datastore-crypto-key
@@ -661,7 +661,7 @@ spec:
         - name: st2-config-vol
           mountPath: /etc/st2/st2.user.conf
           subPath: st2.user.conf
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
           readOnly: true
@@ -675,7 +675,7 @@ spec:
         - name: st2-config-vol
           configMap:
             name: {{ .Release.Name }}-st2-config
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ .Release.Name }}-st2-datastore-crypto-key
@@ -758,7 +758,7 @@ spec:
         - name: st2-config-vol
           mountPath: /etc/st2/st2.user.conf
           subPath: st2.user.conf
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
           readOnly: true
@@ -769,7 +769,7 @@ spec:
       serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" . }}
     {{- end }}
       volumes:
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ .Release.Name }}-st2-datastore-crypto-key
@@ -973,7 +973,7 @@ spec:
           mountPath: /opt/stackstorm/virtualenvs
           readOnly: true
         {{- end }}
-        {{- if $.Values.secrets.st2.datastore_crypto_key }}
+        {{- if $.Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
           readOnly: true
@@ -984,7 +984,7 @@ spec:
       serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" $ }}
     {{- end }}
       volumes:
-        {{- if $.Values.secrets.st2.datastore_crypto_key }}
+        {{- if $.Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ $.Release.Name }}-st2-datastore-crypto-key
@@ -1090,7 +1090,7 @@ spec:
         - name: st2-ssh-key-vol
           mountPath: /home/stanley/.ssh/
           readOnly: true
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
           readOnly: true
@@ -1109,7 +1109,7 @@ spec:
       serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" . }}
     {{- end }}
       volumes:
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ .Release.Name }}-st2-datastore-crypto-key
@@ -1343,7 +1343,7 @@ spec:
         - name: st2-ssh-key-vol
           mountPath: /home/stanley/.ssh/
           readOnly: true
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
           readOnly: true
@@ -1365,7 +1365,7 @@ spec:
             memory: "5Mi"
             cpu: "5m"
       volumes:
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ .Release.Name }}-st2-datastore-crypto-key

templates/secrets_datastore_crypto_key.yaml

@@ -1,4 +1,8 @@
-{{- if .Values.secrets.st2.datastore_crypto_key }}
+# Notify users about breaking change regarding secrets, to not destroy current installations
+{{- $deprecated_crypto_key := (default (dict) (default (dict) .Values.secrets).st2).datastore_crypto_key }}
+{{- if $deprecated_crypto_key }}
+{{- fail "Please update your values! The datastore_crypto_key value moved from secrets.st2.* to st2.*" }}
+{{- else if .Values.st2.datastore_crypto_key }}
 ---
 apiVersion: v1
 kind: Secret
@@ -16,6 +20,6 @@ metadata:
 type: Opaque
 data:
   # Datastore key used to encrypt/decrypt record for the KV store
-  datastore_crypto_key: {{ .Values.secrets.st2.datastore_crypto_key | b64enc }}
+  datastore_crypto_key: {{ .Values.st2.datastore_crypto_key | b64enc }}
 
 {{- end }}

templates/secrets_ssh.yaml

@@ -1,8 +1,14 @@
+# Notify users about breaking change regarding secrets, to not destroy current installations
+{{- $deprecated_ssh_key := (default (dict) (default (dict) .Values.secrets).st2).ssh_key }}
+{{- if $deprecated_ssh_key }}
+{{- fail "Please update your values! The ssh_key value moved from secrets.st2.* to st2.*" }}
+{{- end }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Release.Name }}-st2-ssh
+  {{- $name := print .Release.Name "-st2-ssh" }}
+  name: {{ $name }}
   annotations:
     description: StackStorm SSH secret key for 'stanley' user, used to run actions on remote machines
   labels:
@@ -15,4 +21,9 @@ metadata:
 type: Opaque
 data:
   # SSH private key for the 'stanley' system user ('system_user.ssh_key_file' in st2.conf).
-  private_key: {{ required "Secret 'st2.ssh_key' is required for StackStorm system user!" .Values.secrets.st2.ssh_key | b64enc | quote }}
+{{- $previous := lookup "v1" "Secret" .Release.Namespace $name }}
+{{- if and $previous (not .Values.st2.ssh_key) }}
+  private_key: {{ $previous.data.private_key }}
+{{ else }}
+  private_key: {{ default (genPrivateKey "rsa") .Values.st2.ssh_key | b64enc | quote }}
+{{ end }}

templates/secrets_st2auth.yaml

@@ -1,8 +1,15 @@
+# Notify users about breaking change regarding secrets, to not destroy current installations
+{{- $deprecated_username := (default (dict) (default (dict) .Values.secrets).st2).username }}
+{{- $deprecated_password := (default (dict) (default (dict) .Values.secrets).st2).pasword }}
+{{- if or $deprecated_username $deprecated_password }}
+{{- fail "Please update your values! Values for username and password moved from secrets.st2.* to st2.*" }}
+{{- end }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Release.Name }}-st2-auth
+  {{- $name := print .Release.Name "-st2-auth" }}
+  name: {{ $name }}
   annotations:
     description: StackStorm username and password, used for basic .htaccess auth
   labels:
@@ -15,6 +22,11 @@ metadata:
 type: Opaque
 data:
   # Username, used to login to StackStorm system (default: st2admin)
-  username: {{ required "A valid secret 'st2.username' is required for StackStorm auth!" .Values.secrets.st2.username | b64enc | quote }}
-  # Password, used to login to StackStorm system (default: Ch@ngeMe)
-  password: {{ required "A valid secret 'st2.password' is required for StackStorm auth!" .Values.secrets.st2.password | b64enc | quote }}
+  username: {{ required "A valid secret 'st2.username' is required for StackStorm auth!" .Values.st2.username | b64enc | quote }}
+  # Password, used to login to StackStorm system (default: auto-generated)
+{{- $previous := lookup "v1" "Secret" .Release.Namespace $name }}
+{{- if and $previous (not .Values.st2.password) }}
+  password: {{ $previous.data.password }}
+{{ else }}
+  password: {{ default (randAlphaNum 12) .Values.st2.password | b64enc | quote }}
+{{ end }}

values.yaml

@@ -41,6 +41,24 @@ serviceAccount:
 ## StackStorm shared variables
 ##
 st2:
+  # Username, used to login to StackStorm system
+  username: st2admin
+  # Password, used to login to StackStorm system
+  # If set, st2.password always overrides any existing password.
+  # If not set, the password is auto-generated on install and preserved across upgrades.
+  #password: Ch@ngeMe
+  # ST2 crypto key for the  K/V datastore.
+  # See https://docs.stackstorm.com/datastore.html#securing-secrets-admin-only for more info.
+  # Warning! Replace with your own generated key!
+  #datastore_crypto_key: {"hmacKey": {"hmacKeyString": "", "size": 256}, "size": 256, "aesKeyString": "", "mode": "CBC"}
+  # SSH private key for the 'stanley' system user ('system_user.ssh_key_file' in st2.conf)
+  # If set, st2.ssh_key always overrides any existing ssh_key.
+  # If not set, the ssh_key is auto-generated on install and preserved across upgrades.
+  #ssh_key: |-
+  #  -----BEGIN RSA PRIVATE KEY-----
+  #  ...
+  #  -----END RSA PRIVATE KEY-----
+
   # Custom StackStorm config (st2.user.conf) which will apply settings on top of default st2.conf
   config: |
     [api]
@@ -180,52 +198,8 @@ ingress:
   #     - chart-example.test
 
 ##
-## StackStorm HA Cluster Secrets.
-## NB! It's highly recommended to change ALL defaults!
+## NOTE: there used to be a secrets.st2 section here. These values have moved into st2.* above. Please update your values.
 ##
-# TODO: Move to `secrets.yaml` when it gets implemented in Helm (https://github.com/kubernetes/helm/issues/2196) ? (#14)
-# TODO: Alternatively as part of reorganizing Helm values, consider moving values to existing `st2` and `st2web` sections ? (#14)
-secrets:
-  st2:
-    # Username, used to login to StackStorm system
-    username: st2admin
-    # Password, used to login to StackStorm system
-    password: Ch@ngeMe
-    # SSH private key for the 'stanley' system user ('system_user.ssh_key_file' in st2.conf)
-    # Warning! Replace with your own SSH key!
-    # TODO: For prod/stable consider auto-generating if no key provided (#15)
-    ssh_key: |-
-      -----BEGIN RSA PRIVATE KEY-----
-      MIIEowIBAAKCAQEAs73kblN3XfLR6tYsHRHyX/aQKx4amcNjT+E+2ufwqkiINDyA
-      CGim0Z4WFOEO6UtZApeOlUehp2MEFGFpl2u8vUC1b7AsWaImB4ywMIPOFblqaEag
-      DskrFp7FOggqZFWX7NwVZpm/KkvCw/fCehnxuv+za+hUtg4Qiv86qXShrlsn98B7
-      64Aq27oxkvhRU2OkDUP/wPNQnXzIZxfFYSvS7rGzKrswdZfWysscIUor4a+7GahM
-      yq8PGD6qp2wkiL7wFarZerS2Sq3M06Y89yzppCoPYI6kaEPuqrjSYZvh38CAVbGG
-      SgPv3CFgR1N3BsBEAx7OF+40R58C+3ldH8e1tQIDAQABAoIBAQCN7137YR3Zqm3p
-      q8aaDhn/fYzK/7KxyYEbCxu/cXiyfyRPW5cfDMTuso9tXWuQ/lcDnPqTF0WoEKCg
-      F2xyjjk0mWytDcl33nt5areXF/4dWZWVUnACPQkxi57i/J+9K3oVKJYdtzsmAz2B
-      0pxYHzSsHk9o3sZGHUUi/fks51TlgPNgOP8hf7/K9w9+FSE26geqjddqWwQbbStI
-      rDc3ZPMcGI4E5DuGmnrxWf4omUqScTB+bvUgN+WC02v1Bj4HaAX7PlLCUZMuTk3S
-      BcG4v7qiglxVYdBjtHNwtg1YAoVYh6sXckxqi1XudhoRXGlgYtyrcW0mWnnB4hIQ
-      vy7//uABAoGBANw8H1h93U1HNsqfIa1Ys3u6qZdHByHvA8e7Jk6GEFUEOAQSyxZ+
-      0RbFWC4knuQL+YklqeDNCXekwVEvVenf2lhZ4rHNbmv/9pWhq7sQcDOQPi5nVxJl
-      bkQoQkeNGeH8KPF1E2RsfJ8uU3NfD00yMFrNaeBUIlY44ABMOQSJREq1AoGBANDu
-      V0IV1BahqEW5mmnTdHLG6+tiSQdutrQv4hxBL59PhwyeMvpzFgwkNmymAZMLl40D
-      Y/0wg2lVr7Fb+peCrLpiNMEPWv/a38IEVTDm7YcsHZayEsc1vdjdMoZ8k5VNi25F
-      +lvQ/CxDNqJGTNEBBYmb5QHopBh8YowwIrT0yZ8BAoGAFYtAGbz+SA/+WSXl+noh
-      3Kmu62CEXxptiT1Siv3sXRSzkhpwiXvQYmTdsm3cqTxOpc7sZlRIZ87TJmj2A5Hl
-      Xx0z4ubQtXntmkedcAg0oaarnoh3aRJJDhvOGAfCj2vGaZBlXD6MllnGyhNzgL63
-      IjrT76DrVvnrV7wdG8d9yb0CgYAuQFT4wDRPPkIuDURtoO3qarbXSM654nx3rxHz
-      B0svjT9sP6kxYEDFN08FBkra7noCMXn1FsRAkUNvk9kJqVfresoK4wdWFHHsVWE2
-      jiiO/+kc7xbRGsiINY91ziYtqxjutHcT1FO+yLJTghSHQB6ls+kiXwnUkdSPDCji
-      vj3UAQKBgE19oSdfKbpKTyHu5rs+lN/KictDuMrqAriWODCygZ1/X1J1zpqvpUbt
-      WE8BWLQ1vBV6c7V4Q0Wp6LuTnNnvu/lvVugJW/TbrzFw6CFe5fEISmIHAMnqVz8x
-      OdOJyinSM1svoBGnYfyAqINKrqCSGSKmprlMo0Ma3erI7SuojWBS
-      -----END RSA PRIVATE KEY-----
-    # ST2 crypto key for the  K/V datastore.
-    # See https://docs.stackstorm.com/datastore.html#securing-secrets-admin-only for more info.
-    # Warning! Replace with your own generated key!
-    #datastore_crypto_key: {"hmacKey": {"hmacKeyString": "", "size": 256}, "size": 256, "aesKeyString": "", "mode": "CBC"}
 
 ##
 ## StackStorm HA Cluster pod settings for each individual service/component.