ensure st2.password/st2.ssh_key always override the current value

cognifloyd · cognifloyd · commit db4d3f25ec12 · 2021-06-28T15:23:58.000-05:00
diff --git a/templates/secrets_ssh.yaml b/templates/secrets_ssh.yaml
@@ -21,8 +21,9 @@ metadata:
 type: Opaque
 data:
   # SSH private key for the 'stanley' system user ('system_user.ssh_key_file' in st2.conf).
-{{- if .Release.IsUpgrade }}
-  private_key: {{ index (lookup "v1" "Secret" .Release.Namespace $name).data "private_key" }}
+{{- $previous := lookup "v1" "Secret" .Release.Namespace $name }}
+{{- if and $previous (not .Values.st2.ssh_key) }}
+  private_key: {{ $previous.data.private_key }}
 {{ else }}
   private_key: {{ default (genPrivateKey "rsa") .Values.st2.ssh_key | b64enc | quote }}
 {{ end }}
diff --git a/templates/secrets_st2auth.yaml b/templates/secrets_st2auth.yaml
@@ -24,8 +24,9 @@ data:
   # Username, used to login to StackStorm system (default: st2admin)
   username: {{ required "A valid secret 'st2.username' is required for StackStorm auth!" .Values.st2.username | b64enc | quote }}
   # Password, used to login to StackStorm system (default: auto-generated)
-{{- if and .Release.IsUpgrade (not .Values.st2.resetPassword) }}
-  password: {{ index (lookup "v1" "Secret" .Release.Namespace $name).data "password" }}
+{{- $previous := lookup "v1" "Secret" .Release.Namespace $name }}
+{{- if and $previous (not .Values.st2.password) }}
+  password: {{ $previous.data.password }}
 {{ else }}
   password: {{ default (randAlphaNum 12) .Values.st2.password | b64enc | quote }}
 {{ end }}
diff --git a/values.yaml b/values.yaml
@@ -43,18 +43,17 @@ serviceAccount:
 st2:
   # Username, used to login to StackStorm system
   username: st2admin
-  # Password, used to login to StackStorm system (auto-generated by default)
-  # The password (set here or auto-generated) is preserved across upgrades.
+  # Password, used to login to StackStorm system
+  # If set, st2.password always overrides any existing password.
+  # If not set, the password is auto-generated on install and preserved across upgrades.
   #password: Ch@ngeMe
-  # To force the password to reset (using st2.password, or a newly generated one),
-  # you can use `helm upgrade --set st2.resetPassword=true`.
-  resetPassword: false
   # ST2 crypto key for the  K/V datastore.
   # See https://docs.stackstorm.com/datastore.html#securing-secrets-admin-only for more info.
   # Warning! Replace with your own generated key!
   #datastore_crypto_key: {"hmacKey": {"hmacKeyString": "", "size": 256}, "size": 256, "aesKeyString": "", "mode": "CBC"}
   # SSH private key for the 'stanley' system user ('system_user.ssh_key_file' in st2.conf)
-  # (auto-generated by default, preserved across upgrades)
+  # If set, st2.ssh_key always overrides any existing ssh_key.
+  # If not set, the ssh_key is auto-generated on install and preserved across upgrades.
   #ssh_key: |-
   #  -----BEGIN RSA PRIVATE KEY-----
   #  ...
