Refactored secrets handling for datastore key

Valentin TORIKIAN · Valentin TORIKIAN · commit d59b8c4d9ea1 · 2020-03-03T10:41:11.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 * Change ingress name from `<release name>-ingress` to <release name>-st2web-ingress, useful when using `stackstorm-ha` as a requirement for another chart. (#112) (by @erenatas)
 * Fix st2web ingress which should have been defined as an Integer instead of a String (#111) (by @erenatas)
 * Add an option to inject hostAliases in the st2actionrunner containers (#114)
+* Allow injection of datastore key in cluster (#115) (by @AngryDeveloper)
 
 ## v0.24.0
 * Fix st2web ingress to use `/` path by default instead of `/*`, useful for nginx ingress controller (#103) (by @erenatas)
diff --git a/templates/configmaps_st2-conf.yaml b/templates/configmaps_st2-conf.yaml
@@ -37,9 +37,9 @@ data:
     {{- end }}
     port = {{ index .Values "mongodb-ha" "port" }}
     {{- end }}
-    {{- if .Values.st2.datastoreEncryption.enabled }}
+    {{- if .Values.secrets.st2.datastore_crypto_key }}
     [keyvalue]
-    encryption_key_path = {{ .Values.st2.datastoreEncryption.encryptionKeyPath }}/encryption_key.json
+    encryption_key_path = /etc/st2/keys/datastore_key.json
     {{- end }}
 
   # User-defined st2 config with custom settings applied on top of everything else.
diff --git a/templates/deployments.yaml b/templates/deployments.yaml
@@ -201,9 +201,9 @@ spec:
         - name: st2-config-vol
           mountPath: /etc/st2/st2.user.conf
           subPath: st2.user.conf
-        {{- if .Values.st2.datastoreEncryption.enabled }}
+        {{- if .Values.secrets.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
-          mountPath: {{ .Values.st2.datastoreEncryption.encryptionKeyPath }}
+          mountPath: /etc/st2/keys
           readOnly: true
         {{- end }}
         {{- if .Values.st2.packs.image.repository }}
@@ -217,13 +217,13 @@ spec:
         resources:
 {{ toYaml .Values.st2api.resources | indent 10 }}
       volumes:
-        {{- if .Values.st2.datastoreEncryption.enabled }}
+        {{- if .Values.secrets.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           secret:
-            secretName: {{ .Values.st2.datastoreEncryption.secret.name }}
+            secretName: {{ .Release.Name }}-st2-datastore-crypto-key
             items:
-            - key: {{ .Values.st2.datastoreEncryption.secret.key | default "datastore_encryption_key.json"  }}
-              path: encryption_key.json
+            - key: datastore_crypto_key
+              path: datastore_key.json
         {{- end }}
         - name: st2-config-vol
           configMap:
@@ -460,9 +460,9 @@ spec:
         - name: st2-config-vol
           mountPath: /etc/st2/st2.user.conf
           subPath: st2.user.conf
-        {{- if .Values.st2.datastoreEncryption.enabled }}
+        {{- if .Values.secrets.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
-          mountPath: {{ .Values.st2.datastoreEncryption.encryptionKeyPath }}
+          mountPath: /etc/st2/keys
           readOnly: true
         {{- end }}
         resources:
@@ -471,13 +471,13 @@ spec:
         - name: st2-config-vol
           configMap:
             name: {{ .Release.Name }}-st2-config
-        {{- if .Values.st2.datastoreEncryption.enabled }}
+        {{- if .Values.secrets.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           secret:
-            secretName: {{ .Values.st2.datastoreEncryption.secret.name }}
+            secretName: datastore_crypto_key
             items:
-            - key: {{ .Values.st2.datastoreEncryption.secret.key | default "datastore_encryption_key.json"  }}
-              path: encryption_key.json
+            - key: datastore_crypto_key
+              path: datastore_key.json
         {{- end }}
     {{- with .Values.st2rulesengine.nodeSelector }}
       nodeSelector:
@@ -624,9 +624,9 @@ spec:
         - name: st2-config-vol
           mountPath: /etc/st2/st2.user.conf
           subPath: st2.user.conf
-        {{- if .Values.st2.datastoreEncryption.enabled }}
+        {{- if .Values.secrets.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
-          mountPath: {{ .Values.st2.datastoreEncryption.encryptionKeyPath }}
+          mountPath: /etc/st2/keys
           readOnly: true
         {{- end }}
         resources:
@@ -635,12 +635,12 @@ spec:
         - name: st2-config-vol
           configMap:
             name: {{ .Release.Name }}-st2-config
-        {{- if .Values.st2.datastoreEncryption.enabled }}
+        {{- if .Values.secrets.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           secret:
-            secretName: {{ .Values.st2.datastoreEncryption.secret.name }}
+            secretName: {{ .Release.Name }}-st2-datastore-crypto-key
             items:
-            - key: {{ .Values.st2.datastoreEncryption.secret.key | default "datastore_encryption_key.json"  }}
+            - key: datastore_crypto_key
               path: encryption_key.json
         {{- end }}
     {{- with .Values.st2workflowengine.nodeSelector }}
@@ -923,9 +923,22 @@ spec:
           mountPath: /opt/stackstorm/virtualenvs
           readOnly: true
         {{- end }}
+        {{- if $.Values.secrets.st2.datastore_crypto_key }}
+        - name: st2-encryption-key-vol
+          mountPath: /etc/st2/keys
+          readOnly: true
+        {{- end }}
         resources:
 {{ toYaml .resources | indent 10 }}
       volumes:
+        {{- if $.Values.secrets.st2.datastore_crypto_key }}
+        - name: st2-encryption-key-vol
+          secret:
+            secretName: {{ $.Release.Name }}-st2-datastore-crypto-key
+            items:
+            - key: datastore_crypto_key
+              path: datastore_key.json
+        {{- end }}
         - name: st2-config-vol
           configMap:
             name: {{ $.Release.Name }}-st2-config
@@ -1049,9 +1062,9 @@ spec:
         - name: st2-ssh-key-vol
           mountPath: /home/stanley/.ssh/
           readOnly: true
-        {{- if .Values.st2.datastoreEncryption.enabled }}
+        {{- if .Values.secrets.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
-          mountPath: {{ .Values.st2.datastoreEncryption.encryptionKeyPath }}
+          mountPath: /etc/st2/keys
           readOnly: true
         {{- end }}
         {{- if .Values.st2.packs.image.repository }}
@@ -1065,13 +1078,13 @@ spec:
         resources:
 {{ toYaml .Values.st2actionrunner.resources | indent 10 }}
       volumes:
-        {{- if .Values.st2.datastoreEncryption.enabled }}
+        {{- if .Values.secrets.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           secret:
-            secretName: {{ .Values.st2.datastoreEncryption.secret.name }}
+            secretName: {{ .Release.Name }}-st2-datastore-crypto-key
             items:
-            - key: {{ .Values.st2.datastoreEncryption.secret.key | default "datastore_encryption_key.json"  }}
-              path: encryption_key.json
+            - key: datastore_crypto_key
+              path: datastore_key.json
         {{- end }}
         - name: st2-config-vol
           configMap:
@@ -1319,9 +1332,9 @@ spec:
         - name: st2-ssh-key-vol
           mountPath: /home/stanley/.ssh/
           readOnly: true
-        {{- if .Values.st2.datastoreEncryption.enabled }}
+        {{- if .Values.secrets.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
-          mountPath: {{ .Values.st2.datastoreEncryption.encryptionKeyPath }}
+          mountPath: /etc/st2/keys
           readOnly: true
         {{- end }}
         {{- if .Values.st2.packs.image.repository }}
@@ -1341,13 +1354,13 @@ spec:
             memory: "5Mi"
             cpu: "5m"
       volumes:
-        {{- if .Values.st2.datastoreEncryption.enabled }}
+        {{- if .Values.secrets.st2.datastore_crypto_key }}
         - name: st2-encryption-key-vol
           secret:
-            secretName: {{ .Values.st2.datastoreEncryption.secret.name }}
+            secretName: {{ .Release.Name }}-st2-datastore-crypto-key
             items:
-            - key: {{ .Values.st2.datastoreEncryption.secret.key | default "datastore_encryption_key.json"  }}
-              path: encryption_key.json
+            - key: datastore_crypto_key
+              path: datastore_key.json
         {{- end }}
         - name: st2-config-vol
           configMap:
diff --git a/templates/secrets_datastore_crypto_key.yaml b/templates/secrets_datastore_crypto_key.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.secrets.st2.datastore_crypto_key }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-st2-datastore-crypto-key
+  annotations:
+    description: StackStorm crypto key used to encrypt/decrypt KV records
+  labels:
+    app: st2
+    tier: backend
+    vendor: stackstorm
+    support: {{ template "supportMethod" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  # Datastore key used to encrypt/decrypt record for the KV store
+  datastore_crypto_key: {{ .Values.secrets.st2.datastore_crypto_key | b64enc }}
+
+{{- end }}
diff --git a/values.yaml b/values.yaml
@@ -62,17 +62,6 @@ st2:
     [api]
     allow_origin = '*'
 
-  # Optional configuration for handling a precomputed datastore encryption key
-  datastoreEncryption:
-    enabled: false
-    # Where will the key be mounted in the containers
-    encryptionKeyPath: /etc/st2/keys
-  # secret:
-  #   # The name of the secret in which the key is stored
-  #   name: st2-encryption-key
-  #   # The key containing the json formated encryption key
-  #   key: datastore_encryption_key.json
-
   # Custom pack configs and image settings.
   #
   # By default, system packs are available. However, since 'st2 pack install' cannot be run in the k8s cluster,
@@ -162,7 +151,7 @@ ingress:
   #     - chart-example.test
 
 ##
-## StackStorm HA Cluster Secrets. All fields are required!
+## StackStorm HA Cluster Secrets.
 ## NB! It's highly recommended to change ALL defaults!
 ##
 # TODO: Move to `secrets.yaml` when it gets implemented in Helm (https://github.com/kubernetes/helm/issues/2196) ? (#14)
@@ -204,6 +193,10 @@ secrets:
       WE8BWLQ1vBV6c7V4Q0Wp6LuTnNnvu/lvVugJW/TbrzFw6CFe5fEISmIHAMnqVz8x
       OdOJyinSM1svoBGnYfyAqINKrqCSGSKmprlMo0Ma3erI7SuojWBS
       -----END RSA PRIVATE KEY-----
+    # ST2 crypto key for the  K/V datastore.
+    # See https://docs.stackstorm.com/datastore.html#securing-secrets-admin-only for more info.
+    # Warning! Replace with your own generated key!
+    #datastore_crypto_key: {"hmacKey": {"hmacKeyString": "", "size": 256}, "size": 256, "aesKeyString": "", "mode": "CBC"}
 
 ##
 ## StackStorm HA Cluster pod settings for each individual service/component.
