Add Ability to Write/Use st2.secrets.conf from K8s Secret

Author: ericreeves

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## In Development
 * Temporary workaround for #311 to use previous bitnami index from: https://github.com/bitnami/charts/issues/10539 (#312 #318) (by @0xhaven)
 * Refactor label definitions to be more consistent by building labels and label selectors in partial helper templates. (#299) (by @cognifloyd)
+* New Feature: Add `existingConfigSecret` .  If this is defined, the `st2.secrets.conf` key within this secret will be written as /etc/st2/st2.secrets.conf and added to the end of the command line arguments of all pods. (#289) (by @eric-al)
 
 ## v0.100.0
 * Switch st2 to `v3.7` as a new default stable version (#274)

templates/_helpers.tpl

@@ -124,11 +124,31 @@ Reduce duplication of the st2.*.conf volume details
 - name: st2-config-vol
   mountPath: /etc/st2/st2.user.conf
   subPath: st2.user.conf
+{{- if $.Values.st2.existingConfigSecret }}
+- name: st2-config-secrets-vol
+  mountPath: /etc/st2/st2.secrets.conf
+  subPath: st2.secrets.conf
+{{- end }}
 {{- end -}}
 {{- define "stackstorm-ha.st2-config-volume" -}}
 - name: st2-config-vol
   configMap:
     name: {{ $.Release.Name }}-st2-config
+{{- if $.Values.st2.existingConfigSecret }}
+- name: st2-config-secrets-vol
+  secret:
+    secretName: {{ $.Values.st2.existingConfigSecret }}
+{{- end }}
+{{- end -}}
+
+# Override CMD CLI parameters passed to the startup of all pods to add support for /etc/st2/st2.secrets.conf
+{{- define "stackstorm-ha.st2-config-file-parameters" -}}
+- --config-file=/etc/st2/st2.conf
+- --config-file=/etc/st2/st2.docker.conf
+- --config-file=/etc/st2/st2.user.conf
+{{- if $.Values.st2.existingConfigSecret }}
+- --config-file=/etc/st2/st2.secrets.conf
+{{- end }}
 {{- end -}}
 
 {{- define "stackstorm-ha.init-containers-wait-for-db" -}}

templates/configmaps_st2-conf.yaml

@@ -7,7 +7,6 @@ metadata:
     description: Custom StackStorm config which will apply settings on top of default st2.conf
   labels: {{- include "stackstorm-ha.labels" (list $ "st2") | nindent 4 }}
 data:
-  # TODO: Bundle DB/MQ login secrets in dynamic ENV-based st2.secrets.conf, leave custom user-defined settings for st2.user.conf (?)
   # Docker/K8s-based st2 config file used for templating service names and common overrides on top of original st2.conf.
   # The order of merging: st2.conf < st2.docker.conf < st2.user.conf
   st2.docker.conf: |

templates/deployments.yaml

@@ -72,6 +72,9 @@ spec:
         # TODO: Add liveness/readiness probes (#3)
         #livenessProbe:
         #readinessProbe:
+        command:
+          - /opt/stackstorm/st2/bin/st2auth
+          {{- include "stackstorm-ha.st2-config-file-parameters" $ | nindent 10 }}
         {{- if .Values.st2auth.env }}
         env: {{- include "stackstorm-ha.customEnv" .Values.st2auth | nindent 8 }}
         {{- end }}
@@ -188,6 +191,9 @@ spec:
         # TODO: Add liveness/readiness probes (#3)
         #livenessProbe:
         #readinessProbe:
+        command:
+          - /opt/stackstorm/st2/bin/st2api
+          {{- include "stackstorm-ha.st2-config-file-parameters" $ | nindent 10 }}
         {{- if .Values.st2api.env }}
         env: {{- include "stackstorm-ha.customEnv" .Values.st2api | nindent 8 }}
         {{- end }}
@@ -311,6 +317,9 @@ spec:
         # TODO: Add liveness/readiness probes (#3)
         #livenessProbe:
         #readinessProbe:
+        command:
+          - /opt/stackstorm/st2/bin/st2stream
+          {{- include "stackstorm-ha.st2-config-file-parameters" $ | nindent 10 }}
         {{- if .Values.st2stream.env }}
         env: {{- include "stackstorm-ha.customEnv" .Values.st2stream | nindent 8 }}
         {{- end }}
@@ -540,6 +549,9 @@ spec:
         # TODO: Add liveness/readiness probes (#3)
         #livenessProbe:
         #readinessProbe:
+        command:
+          - /opt/stackstorm/st2/bin/st2rulesengine
+          {{- include "stackstorm-ha.st2-config-file-parameters" $ | nindent 10 }}
         {{- if .Values.st2rulesengine.env }}
         env: {{- include "stackstorm-ha.customEnv" .Values.st2rulesengine | nindent 8 }}
         {{- end }}
@@ -654,6 +666,9 @@ spec:
         # TODO: Add liveness/readiness probes (#3)
         #livenessProbe:
         #readinessProbe:
+        command:
+          - /opt/stackstorm/st2/bin/st2timersengine
+          {{- include "stackstorm-ha.st2-config-file-parameters" $ | nindent 10 }}
         {{- if .Values.st2timersengine.env }}
         env: {{- include "stackstorm-ha.customEnv" .Values.st2timersengine | nindent 8 }}
         {{- end }}
@@ -755,6 +770,9 @@ spec:
         # TODO: Add liveness/readiness probes (#3)
         #livenessProbe:
         #readinessProbe:
+        command:
+          - /opt/stackstorm/st2/bin/st2workflowengine
+          {{- include "stackstorm-ha.st2-config-file-parameters" $ | nindent 10 }}
         {{- if .Values.st2workflowengine.env }}
         env: {{- include "stackstorm-ha.customEnv" .Values.st2workflowengine | nindent 8 }}
         {{- end }}
@@ -868,6 +886,9 @@ spec:
         # TODO: Add liveness/readiness probes (#3)
         #livenessProbe:
         #readinessProbe:
+        command:
+          - /opt/stackstorm/st2/bin/st2scheduler
+          {{- include "stackstorm-ha.st2-config-file-parameters" $ | nindent 10 }}
         {{- if .Values.st2scheduler.env }}
         env: {{- include "stackstorm-ha.customEnv" .Values.st2scheduler | nindent 8 }}
         {{- end }}
@@ -981,6 +1002,9 @@ spec:
         # TODO: Add liveness/readiness probes (#3)
         #livenessProbe:
         #readinessProbe:
+        command:
+          - /opt/stackstorm/st2/bin/st2notifier
+          {{- include "stackstorm-ha.st2-config-file-parameters" $ | nindent 10 }}
         {{- if .Values.st2notifier.env }}
         env: {{- include "stackstorm-ha.customEnv" .Values.st2notifier | nindent 8 }}
         {{- end }}
@@ -1150,20 +1174,16 @@ spec:
         livenessProbe:
           {{- toYaml . | nindent 10 }}
         {{- end }}
-        {{- if or $one_sensor_per_pod $some_sensors_per_pod }}{{/* ie: when there is more than one pod of sensors */}}
         command:
           - /opt/stackstorm/st2/bin/st2sensorcontainer
-          - --config-file=/etc/st2/st2.conf
-          - --config-file=/etc/st2/st2.docker.conf
-          - --config-file=/etc/st2/st2.user.conf
+          {{- include "stackstorm-ha.st2-config-file-parameters" $ | nindent 10 }}
           {{- if $one_sensor_per_pod }}{{/* only in st2.packs.sensors[] */}}
           - --single-sensor-mode
           - --sensor-ref={{ required "You must define `ref` for everything in st2.packs.sensors. This assigns each sensor to a pod." $sensor.ref }}
           {{- else if $some_sensors_per_pod }}
           # injected by {{ $name }}-init-config
           - --config-file=/etc/st2/st2.sensorcontainer.conf
           {{- end }}
-        {{- end }}
         {{- if $sensor.env }}
         env: {{- include "stackstorm-ha.customEnv" $sensor | nindent 8 }}
         {{- end }}
@@ -1308,6 +1328,9 @@ spec:
         # TODO: Add liveness/readiness probes (#3)
         #livenessProbe:
         #readinessProbe:
+        command:
+          - /opt/stackstorm/st2/bin/st2actionrunner
+          {{- include "stackstorm-ha.st2-config-file-parameters" $ | nindent 10 }}
         {{- if .Values.st2actionrunner.env }}
         env: {{- include "stackstorm-ha.customEnv" .Values.st2actionrunner | nindent 8 }}
         {{- end }}
@@ -1439,6 +1462,9 @@ spec:
         # TODO: Add liveness/readiness probes (#3)
         #livenessProbe:
         #readinessProbe:
+        command:
+          - /opt/stackstorm/st2/bin/st2garbagecollector
+          {{- include "stackstorm-ha.st2-config-file-parameters" $ | nindent 10 }}
         {{- if .Values.st2garbagecollector.env }}
         env: {{- include "stackstorm-ha.customEnv" .Values.st2garbagecollector | nindent 8 }}
         {{- end }}

templates/jobs.yaml

@@ -39,9 +39,7 @@ spec:
         command:
           - st2-apply-rbac-definitions
           - --verbose
-          - --config-file=/etc/st2/st2.conf
-          - --config-file=/etc/st2/st2.docker.conf
-          - --config-file=/etc/st2/st2.user.conf
+          {{- include "stackstorm-ha.st2-config-file-parameters" . | nindent 10 }}
         {{- if .Values.jobs.env }}
         env: {{- include "stackstorm-ha.customEnv" .Values.jobs | nindent 8 }}
         {{- end }}
@@ -413,9 +411,7 @@ spec:
         {{- end }}
         command:
           - st2-register-content
-          - --config-file=/etc/st2/st2.conf
-          - --config-file=/etc/st2/st2.docker.conf
-          - --config-file=/etc/st2/st2.user.conf
+          {{- include "stackstorm-ha.st2-config-file-parameters" . | nindent 10 }}
           - --register-all
           - --register-fail-on-failure
         {{- if .Values.jobs.env }}

values.yaml

@@ -84,6 +84,12 @@ st2:
   #          enabled: false
 
 
+  # Custom StackStorm config (st2.secret.conf) which will be created from the key 'st2.secret.conf' within this secret.
+  # If this is defined, '--config-file=/etc/st2/st2.secrets.conf' will be added to the end of the command line arguments 
+  # for all pods, superseding all other configuration values.
+  # This secret must be populated outside of this chart.
+  # existingConfigSecret: stackstorm-config-secret
+
   # This mirrors the [system_user] section of st2.conf, but makes the values available for helm templating.
   # If you change the user, you must provide a customized st2actionrunner image that includes your user.
   system_user:
@@ -971,7 +977,7 @@ mongodb:
     rootPassword: "8fAzdnksdzPFUWm4a68EfY7nMhBPaa"
     # Initial database for stackstorm
     database: "st2"
-    # Minimal key length is 6 symbols
+    # Minimal key length is 6 symbols and may only contain characters in the base64 set.
     replicaSetKey: "82PItDpqroti5RngOA7UqbHH7c6bFUwy"
     # Whether to enable the arbiter
   arbiter: