refactor secrets values: move datastore_crypto_key to st2.*

Author: cognifloyd

templates/configmaps_st2-conf.yaml

@@ -39,7 +39,7 @@ data:
     {{- end }}
     port = {{ index .Values "mongodb" "service" "port" }}
     {{- end }}
-    {{- if .Values.secrets.st2.datastore_crypto_key }}
+    {{- if .Values.st2.datastore_crypto_key }}
     [keyvalue]
     encryption_key_path = /etc/st2/keys/datastore_key.json
     {{- end }}

templates/deployments.yaml

@@ -184,7 +184,7 @@ spec:
         - name: st2-config-vol
           mountPath: /etc/st2/st2.user.conf
           subPath: st2.user.conf
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
           readOnly: true
@@ -203,7 +203,7 @@ spec:
       serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" . }}
     {{- end }}
       volumes:
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ .Release.Name }}-st2-datastore-crypto-key
@@ -480,7 +480,7 @@ spec:
         - name: st2-config-vol
           configMap:
             name: {{ .Release.Name }}-st2-config
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ .Release.Name }}-st2-datastore-crypto-key
@@ -643,7 +643,7 @@ spec:
         - name: st2-config-vol
           mountPath: /etc/st2/st2.user.conf
           subPath: st2.user.conf
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
           readOnly: true
@@ -657,7 +657,7 @@ spec:
         - name: st2-config-vol
           configMap:
             name: {{ .Release.Name }}-st2-config
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ .Release.Name }}-st2-datastore-crypto-key
@@ -737,7 +737,7 @@ spec:
         - name: st2-config-vol
           mountPath: /etc/st2/st2.user.conf
           subPath: st2.user.conf
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
           readOnly: true
@@ -748,7 +748,7 @@ spec:
       serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" . }}
     {{- end }}
       volumes:
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ .Release.Name }}-st2-datastore-crypto-key
@@ -946,7 +946,7 @@ spec:
           mountPath: /opt/stackstorm/virtualenvs
           readOnly: true
         {{- end }}
-        {{- if $.Values.secrets.st2.datastore_crypto_key }}
+        {{- if $.Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
           readOnly: true
@@ -957,7 +957,7 @@ spec:
       serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" $ }}
     {{- end }}
       volumes:
-        {{- if $.Values.secrets.st2.datastore_crypto_key }}
+        {{- if $.Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ $.Release.Name }}-st2-datastore-crypto-key
@@ -1060,7 +1060,7 @@ spec:
         - name: st2-ssh-key-vol
           mountPath: /home/stanley/.ssh/
           readOnly: true
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
           readOnly: true
@@ -1079,7 +1079,7 @@ spec:
       serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" . }}
     {{- end }}
       volumes:
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ .Release.Name }}-st2-datastore-crypto-key
@@ -1307,7 +1307,7 @@ spec:
         - name: st2-ssh-key-vol
           mountPath: /home/stanley/.ssh/
           readOnly: true
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           mountPath: /etc/st2/keys
           readOnly: true
@@ -1329,7 +1329,7 @@ spec:
             memory: "5Mi"
             cpu: "5m"
       volumes:
-        {{- if .Values.secrets.st2.datastore_crypto_key }}
+        {{- if .Values.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           secret:
             secretName: {{ .Release.Name }}-st2-datastore-crypto-key

templates/secrets_datastore_crypto_key.yaml

@@ -1,4 +1,8 @@
-{{- if .Values.secrets.st2.datastore_crypto_key }}
+# Notify users about breaking change regarding secrets, to not destroy current installations
+{{- $deprecated_crypto_key := (default (dict) (default (dict) .Values.secrets).st2).datastore_crypto_key }}
+{{- if $deprecated_crypto_key }}
+{{- fail "Please update your values! The datastore_crypto_key value moved from secrets.st2.* to st2.*" }}
+{{- else if .Values.st2.datastore_crypto_key }}
 ---
 apiVersion: v1
 kind: Secret
@@ -16,6 +20,6 @@ metadata:
 type: Opaque
 data:
   # Datastore key used to encrypt/decrypt record for the KV store
-  datastore_crypto_key: {{ .Values.secrets.st2.datastore_crypto_key | b64enc }}
+  datastore_crypto_key: {{ .Values.st2.datastore_crypto_key | b64enc }}
 
 {{- end }}

values.yaml

@@ -47,6 +47,10 @@ st2:
   username: st2admin
   # Password, used to login to StackStorm system
   password: Ch@ngeMe
+  # ST2 crypto key for the  K/V datastore.
+  # See https://docs.stackstorm.com/datastore.html#securing-secrets-admin-only for more info.
+  # Warning! Replace with your own generated key!
+  #datastore_crypto_key: {"hmacKey": {"hmacKeyString": "", "size": 256}, "size": 256, "aesKeyString": "", "mode": "CBC"}
 
   # Custom StackStorm config (st2.user.conf) which will apply settings on top of default st2.conf
   config: |
@@ -225,10 +229,6 @@ secrets:
       WE8BWLQ1vBV6c7V4Q0Wp6LuTnNnvu/lvVugJW/TbrzFw6CFe5fEISmIHAMnqVz8x
       OdOJyinSM1svoBGnYfyAqINKrqCSGSKmprlMo0Ma3erI7SuojWBS
       -----END RSA PRIVATE KEY-----
-    # ST2 crypto key for the  K/V datastore.
-    # See https://docs.stackstorm.com/datastore.html#securing-secrets-admin-only for more info.
-    # Warning! Replace with your own generated key!
-    #datastore_crypto_key: {"hmacKey": {"hmacKeyString": "", "size": 256}, "size": 256, "aesKeyString": "", "mode": "CBC"}
 
 ##
 ## StackStorm HA Cluster pod settings for each individual service/component.