move default_datastore_crypto_key from values to conf file

Author: cognifloyd

conf/datastore_crypto_key.yaml

@@ -0,0 +1,13 @@
+# This is used to generate st2.datastore_crypto_key on install if not defined in values.
+
+# The formula is based on an st2-specific version of python's base64.urlsafe_b64encode
+# randBytes returns a base64 encoded string
+# 32 bytes = 256 bits / 8 bits/byte
+
+aesKeyString: '{{ randBytes 32 | replace "+" "-" | replace "_" "/" | replace "=" "" }}'
+mode: CBC
+size: 256
+
+hmacKey:
+  hmacKeyString: '{{ randBytes 32 | replace "+" "-" | replace "_" "/" | replace "=" "" }}'
+  size: 256

templates/secrets_datastore_crypto_key.yaml

@@ -27,7 +27,6 @@ data:
 {{- else if .Values.st2.datastore_crypto_key }}
   datastore_crypto_key: {{ .Values.st2.datastore_crypto_key | b64enc }}
 {{- else }}
-  {{/* We template in Yaml to avoid excessive escaping of quotes in Json */}}
-  datastore_crypto_key: {{ tpl (.Values.default_datastore_crypto_key | toYaml) . | fromYaml | toRawJson | b64enc }}
+  datastore_crypto_key: {{ tpl (.Files.Get "conf/datastore_crypto_key.yaml") . | fromYaml | toRawJson | b64enc }}
 {{- end }}
 

values.yaml

@@ -51,7 +51,6 @@ st2:
   # See https://docs.stackstorm.com/datastore.html#securing-secrets-admin-only for more info.
   # If set, st2.datastore_crypto_key always overrides any existing datastore_crypto_key.
   # If not set, the datastore_crypto_key is auto-generated on install and preserved across upgrades.
-  # Generating datastore_crypto_key uses default_datastore_crypto_key below.
   #datastore_crypto_key: >-
   #  {"hmacKey": {"hmacKeyString": "", "size": 256}, "size": 256, "aesKeyString": "", "mode": "CBC"}
   # SSH private key for the 'stanley' system user ('system_user.ssh_key_file' in st2.conf)
@@ -934,16 +933,3 @@ external-dns:
   aws:
     zoneType: "public"
   domainFilters: []
-
-## Do not change this.
-## It is used to generate st2.datastore_crypto_key on install if not defined above.
-default_datastore_crypto_key:
-  # 32 bytes = 256 bits / 8 bits/byte
-  # randBytes returns a base64 encoded string.
-  hmacKey:
-    # this formula is based on an st2-specific version of python's base64.urlsafe_b64encode.
-    hmacKeyString: '{{ randBytes 32 | replace "+" "-" | replace "_" "/" | replace "=" "" }}'
-    size: 256
-  aesKeyString: '{{ randBytes 32 | replace "+" "-" | replace "_" "/" | replace "=" "" }}'
-  mode: CBC
-  size: 256