
Commit 2d44709

committed
Allow disabling the datastore_crypto_key
1 parent ad8a4f8 commit 2d44709


5 files changed

+19
-17
lines changed


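--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,7 +16,7 @@
 * Fix indent for lifecycle postStart hook of `st2web` pod. (#268) (by @cognifloyd)
 * Advanced Feature: Allow `st2web` to serve HTTPS when the ssl certs are provided via `st2web.extra_volumes`. To enable this, add `ST2WEB_HTTPS: "1"` to `st2web.env` in your values file. (#264) (by @cognifloyd)
 * Custom annotations now apply to deployments and jobs, not just pods. (#270) (by @cognifloyd)
-* Auto-generate `datastore_crypto_key` on install if not provided. This way all HA installs will have a datastore_crypto_key configured. (#266) (by @cognifloyd)
+* BREAKING CHANGE: Auto-generate `datastore_crypto_key` on install if not provided. This way all HA installs will have a datastore_crypto_key configured. This is only a breaking change for installations that do not want a `datastore_crypto_key`. To disable set `datastore_crypto_key` to `disable` instead of setting it to `""`, `null`, or leaving it unset. (#266) (by @cognifloyd)
 
 ## v0.70.0
 * New feature: Shared packs volumes `st2.packs.volumes`. Allow using cluster-specific persistent volumes to store packs, virtualenvs, and (optionally) configs. This enables using `st2 pack install`. It even works with `st2packs` images in `st2.packs.images`. (#199) (by @cognifloyd)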

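--- a/templates/configmaps_st2-conf.yaml
+++ b/templates/configmaps_st2-conf.yaml
@@ -42,7 +42,7 @@ data:
 {{- end }}
 port = {{ index .Values "mongodb" "service" "port" }}
 {{- end }}
-{{- if .Values.st2.datastore_crypto_key }}
+{{- if ne "disable" .Values.st2.datastore_crypto_key }}
 [keyvalue]
 encryption_key_path = /etc/st2/keys/datastore_key.json
 {{- end }}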
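Review bot: The literal sentinel `"disable"` is compared inline on the new `if` line here and again in every guard of templates/deployments.yaml and templates/secrets_datastore_crypto_key.yaml, so the st2.conf `encryption_key_path` stanza, the `/etc/st2/keys` volume mounts and the Secret only stay in agreement as long as all copies are edited identically; a misspelled sentinel in one template could render a config that points at a key file no volume provides, or a mount for a Secret that is never rendered. A named template, e.g. `{{- define "stackstorm-ha.datastoreCryptoKeyEnabled" -}}{{ ne "disable" (toString .Values.st2.datastore_crypto_key) }}{{- end }}` used as `{{- if eq "true" (include "stackstorm-ha.datastoreCryptoKeyEnabled" .) }}`, would keep the decision in one place. The enclosing `data:` block starts outside the hunk.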

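--- a/templates/deployments.yaml
+++ b/templates/deployments.yaml
@@ -204,7 +204,7 @@ spec:
 name: {{ .Release.Name }}-st2-urls
 volumeMounts:
 {{- include "st2-config-volume-mounts" . | nindent 8 }}
-{{- if .Values.st2.datastore_crypto_key }}
+{{- if ne "disable" .Values.st2.datastore_crypto_key }}
 - name: st2-encryption-key-vol
 mountPath: /etc/st2/keys
 readOnly: true
@@ -228,7 +228,7 @@ spec:
 serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" . }}
 {{- end }}
 volumes:
-{{- if .Values.st2.datastore_crypto_key }}
+{{- if ne "disable" .Values.st2.datastore_crypto_key }}
 - name: st2-encryption-key-vol
 secret:
 secretName: {{ .Release.Name }}-st2-datastore-crypto-key
@@ -565,7 +565,7 @@ spec:
 name: {{ .Release.Name }}-st2-urls
 volumeMounts:
 {{- include "st2-config-volume-mounts" . | nindent 8 }}
-{{- if .Values.st2.datastore_crypto_key }}
+{{- if ne "disable" .Values.st2.datastore_crypto_key }}
 - name: st2-encryption-key-vol
 mountPath: /etc/st2/keys
 readOnly: true
@@ -586,7 +586,7 @@ spec:
 {{- end }}
 volumes:
 {{- include "st2-config-volume" . | nindent 8 }}
-{{- if .Values.st2.datastore_crypto_key }}
+{{- if ne "disable" .Values.st2.datastore_crypto_key }}
 - name: st2-encryption-key-vol
 secret:
 secretName: {{ .Release.Name }}-st2-datastore-crypto-key
@@ -780,7 +780,7 @@ spec:
 name: {{ .Release.Name }}-st2-urls
 volumeMounts:
 {{- include "st2-config-volume-mounts" . | nindent 8 }}
-{{- if .Values.st2.datastore_crypto_key }}
+{{- if ne "disable" .Values.st2.datastore_crypto_key }}
 - name: st2-encryption-key-vol
 mountPath: /etc/st2/keys
 readOnly: true
@@ -805,7 +805,7 @@ spec:
 {{- end }}
 volumes:
 {{- include "st2-config-volume" . | nindent 8 }}
-{{- if .Values.st2.datastore_crypto_key }}
+{{- if ne "disable" .Values.st2.datastore_crypto_key }}
 - name: st2-encryption-key-vol
 secret:
 secretName: {{ .Release.Name }}-st2-datastore-crypto-key
@@ -901,7 +901,7 @@ spec:
 name: {{ .Release.Name }}-st2-urls
 volumeMounts:
 {{- include "st2-config-volume-mounts" . | nindent 8 }}
-{{- if .Values.st2.datastore_crypto_key }}
+{{- if ne "disable" .Values.st2.datastore_crypto_key }}
 - name: st2-encryption-key-vol
 mountPath: /etc/st2/keys
 readOnly: true
@@ -921,7 +921,7 @@ spec:
 serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" . }}
 {{- end }}
 volumes:
-{{- if .Values.st2.datastore_crypto_key }}
+{{- if ne "disable" .Values.st2.datastore_crypto_key }}
 - name: st2-encryption-key-vol
 secret:
 secretName: {{ .Release.Name }}-st2-datastore-crypto-key
@@ -1161,7 +1161,7 @@ spec:
 volumeMounts:
 {{- include "st2-config-volume-mounts" $ | nindent 8 }}
 {{- include "packs-volume-mounts" $ | nindent 8 }}
-{{- if $.Values.st2.datastore_crypto_key }}
+{{- if ne "disable" $.Values.st2.datastore_crypto_key }}
 - name: st2-encryption-key-vol
 mountPath: /etc/st2/keys
 readOnly: true
@@ -1185,7 +1185,7 @@ spec:
 serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" $ }}
 {{- end }}
 volumes:
-{{- if $.Values.st2.datastore_crypto_key }}
+{{- if ne "disable" $.Values.st2.datastore_crypto_key }}
 - name: st2-encryption-key-vol
 secret:
 secretName: {{ $.Release.Name }}-st2-datastore-crypto-key
@@ -1303,7 +1303,7 @@ spec:
 {{- include "st2-config-volume-mounts" . | nindent 8 }}
 - name: st2-ssh-key-vol
 mountPath: {{ tpl .Values.st2.system_user.ssh_key_file . | dir | dir }}/.ssh-key-vol/
-{{- if .Values.st2.datastore_crypto_key }}
+{{- if ne "disable" .Values.st2.datastore_crypto_key }}
 - name: st2-encryption-key-vol
 mountPath: /etc/st2/keys
 readOnly: true
@@ -1329,7 +1329,7 @@ spec:
 serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" . }}
 {{- end }}
 volumes:
-{{- if .Values.st2.datastore_crypto_key }}
+{{- if ne "disable" .Values.st2.datastore_crypto_key }}
 - name: st2-encryption-key-vol
 secret:
 secretName: {{ .Release.Name }}-st2-datastore-crypto-key
@@ -1581,7 +1581,7 @@ spec:
 mountPath: /root/.st2/
 - name: st2-ssh-key-vol
 mountPath: {{ tpl .Values.st2.system_user.ssh_key_file . | dir | dir }}/.ssh-key-vol/
-{{- if .Values.st2.datastore_crypto_key }}
+{{- if ne "disable" .Values.st2.datastore_crypto_key }}
 - name: st2-encryption-key-vol
 mountPath: /etc/st2/keys
 readOnly: true
@@ -1608,7 +1608,7 @@ spec:
 memory: "5Mi"
 cpu: "5m"
 volumes:
-{{- if .Values.st2.datastore_crypto_key }}
+{{- if ne "disable" .Values.st2.datastore_crypto_key }}
 - name: st2-encryption-key-vol
 secret:
 secretName: {{ .Release.Name }}-st2-datastore-crypto-key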

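--- a/templates/secrets_datastore_crypto_key.yaml
+++ b/templates/secrets_datastore_crypto_key.yaml
@@ -2,7 +2,7 @@
 {{- $deprecated_crypto_key := (default (dict) (default (dict) .Values.secrets).st2).datastore_crypto_key }}
 {{- if $deprecated_crypto_key }}
 {{- fail "Please update your values! The datastore_crypto_key value moved from secrets.st2.* to st2.*" }}
-{{- end }}
+{{- else if ne "disable" .Values.st2.datastore_crypto_key }}
 ---
 apiVersion: v1
 kind: Secret
@@ -30,3 +30,4 @@ data:
 datastore_crypto_key: {{ tpl (.Files.Get "conf/datastore_crypto_key.yaml") . | fromYaml | toRawJson | b64enc }}
 {{- end }}
 
+{{- end }}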
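Review bot: The new `else if ne "disable" .Values.st2.datastore_crypto_key` compares a string with whatever the values file holds, and when the key is unset (the default, per the values.yaml comments) the right-hand operand is nil; depending on the Go version the Helm binary was built with, a string-to-nil `ne` can fail with `incompatible types for comparison` instead of returning true, which would break exactly the auto-generate-on-install path the CHANGELOG entry promises. Normalising the operand first, `{{- else if ne "disable" (toString .Values.st2.datastore_crypto_key) }}` (or `(default "" .Values.st2.datastore_crypto_key)`), makes the comparison string-to-string for unset, `""` and `null` alike; the same applies to the guards in templates/configmaps_st2-conf.yaml and templates/deployments.yaml. The `if`/`else if` opened in this hunk is closed by the `{{- end }}` added in the second hunk, after the Secret body that lies between them.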

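--- a/values.yaml
+++ b/values.yaml
@@ -51,6 +51,7 @@ st2:
 # See https://docs.stackstorm.com/datastore.html#securing-secrets-admin-only for more info.
 # If set, st2.datastore_crypto_key always overrides any existing datastore_crypto_key.
 # If not set, the datastore_crypto_key is auto-generated on install and preserved across upgrades.
+# If you want to disable datastore encryption, set "datastore_crypto_key: disable".
 #datastore_crypto_key: >-
 # {"hmacKey": {"hmacKeyString": "", "size": 256}, "size": 256, "aesKeyString": "", "mode": "CBC"}
 # SSH private key for the 'stanley' system user ('system_user.ssh_key_file' in st2.conf)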
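Review bot: The new comment on line 54 does not say that the off switch is a literal, case-sensitive match — the templates compare with `ne "disable"` — so a value such as `Disable`, `disabled` or `no` would not disable anything and, per the comment two lines above, would be treated as the key itself. Suggest tightening it to `# To disable datastore encryption, set "datastore_crypto_key: disable" (exactly that lowercase word; any other non-empty value is used as the key).` and adding `# When disabled, the [keyvalue] encryption_key_path stanza is omitted from st2.conf and no key Secret or volume is created.` so readers can see what the sentinel switches off.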
