Merge pull request #115 from AngryDeveloper/inject-datastore-encrypti…

…on-key Allow usage of datastore encryption with a pregenerated key
StackStorm · Jun 9, 2020 · cc2697b · cc2697b
2 parents 6d8e12a + d4e747d
commit cc2697b
Show file tree

Hide file tree

Showing 5 changed files with 110 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,7 @@
 # Changelog
 
 ## In Development
+* Allow injection of datastore key in cluster (#115) (by @AngryDeveloper)
 
 ## v0.30.0
 * Pin st2 version to `v3.3dev` as a new latest development version (#129)

diff --git a/templates/configmaps_st2-conf.yaml b/templates/configmaps_st2-conf.yaml
@@ -39,6 +39,10 @@ data:
  {{- end }}
  port = {{ index .Values "mongodb-ha" "port" }}
  {{- end }}
+ {{- if .Values.secrets.st2.datastore_crypto_key }}
+ [keyvalue]
+ encryption_key_path = /etc/st2/keys/datastore_key.json
+ {{- end }}
 
  # User-defined st2 config with custom settings applied on top of everything else.
  # The order of merging: st2.conf < st2.docker.conf < st2.user.conf

diff --git a/templates/deployments.yaml b/templates/deployments.yaml
@@ -143,6 +143,7 @@ spec:
  heritage: {{ .Release.Service }}
  annotations:
  checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }}
+ checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
  spec:
  imagePullSecrets:
  {{- if .Values.enterprise.enabled }}
@@ -204,6 +205,11 @@ spec:
  - name: st2-config-vol
  mountPath: /etc/st2/st2.user.conf
  subPath: st2.user.conf
+ {{- if .Values.secrets.st2.datastore_crypto_key }}
+ - name: st2-encryption-key-vol
+ mountPath: /etc/st2/keys
+ readOnly: true
+ {{- end }}
  {{- if .Values.st2.packs.image.repository }}
  - name: st2-packs-vol
  mountPath: /opt/stackstorm/packs
@@ -218,6 +224,14 @@ spec:
  serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" . }}
  {{- end }}
  volumes:
+ {{- if .Values.secrets.st2.datastore_crypto_key }}
+ - name: st2-encryption-key-vol
+ secret:
+ secretName: {{ .Release.Name }}-st2-datastore-crypto-key
+ items:
+ - key: datastore_crypto_key
+ path: datastore_key.json
+ {{- end }}
  - name: st2-config-vol
  configMap:
  name: {{ .Release.Name }}-st2-config
@@ -468,6 +482,14 @@ spec:
  - name: st2-config-vol
  configMap:
  name: {{ .Release.Name }}-st2-config
+ {{- if .Values.secrets.st2.datastore_crypto_key }}
+ - name: st2-encryption-key-vol
+ secret:
+ secretName: datastore_crypto_key
+ items:
+ - key: datastore_crypto_key
+ path: datastore_key.json
+ {{- end }}
  {{- with .Values.st2rulesengine.nodeSelector }}
  nodeSelector:
 {{ toYaml . | indent 8 }}
@@ -594,6 +616,7 @@ spec:
  heritage: {{ .Release.Service }}
  annotations:
  checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }}
+ checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
  spec:
  {{- if .Values.enterprise.enabled }}
  imagePullSecrets:
@@ -616,6 +639,11 @@ spec:
  - name: st2-config-vol
  mountPath: /etc/st2/st2.user.conf
  subPath: st2.user.conf
+ {{- if .Values.secrets.st2.datastore_crypto_key }}
+ - name: st2-encryption-key-vol
+ mountPath: /etc/st2/keys
+ readOnly: true
+ {{- end }}
  resources:
 {{ toYaml .Values.st2workflowengine.resources | indent 10 }}
  {{- if .Values.st2workflowengine.serviceAccount.attach }}
@@ -625,6 +653,14 @@ spec:
  - name: st2-config-vol
  configMap:
  name: {{ .Release.Name }}-st2-config
+ {{- if .Values.secrets.st2.datastore_crypto_key }}
+ - name: st2-encryption-key-vol
+ secret:
+ secretName: {{ .Release.Name }}-st2-datastore-crypto-key
+ items:
+ - key: datastore_crypto_key
+ path: datastore_key.json
+ {{- end }}
  {{- with .Values.st2workflowengine.nodeSelector }}
  nodeSelector:
 {{ toYaml . | indent 8 }}
@@ -831,6 +867,7 @@ spec:
  annotations:
  checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") $ | sha256sum }}
  checksum/packs: {{ include (print $.Template.BasePath "/configmaps_packs.yaml") $ | sha256sum }}
+ checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") $ | sha256sum }}
  {{- if .annotations }}
 {{ toYaml .annotations | indent 8 }}
  {{- end }}
@@ -914,12 +951,25 @@ spec:
  mountPath: /opt/stackstorm/virtualenvs
  readOnly: true
  {{- end }}
+ {{- if $.Values.secrets.st2.datastore_crypto_key }}
+ - name: st2-encryption-key-vol
+ mountPath: /etc/st2/keys
+ readOnly: true
+ {{- end }}
  resources:
 {{ toYaml .resources | indent 10 }}
  {{- if .serviceAccount.attach }}
  serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" $ }}
  {{- end }}
  volumes:
+ {{- if $.Values.secrets.st2.datastore_crypto_key }}
+ - name: st2-encryption-key-vol
+ secret:
+ secretName: {{ $.Release.Name }}-st2-datastore-crypto-key
+ items:
+ - key: datastore_crypto_key
+ path: datastore_key.json
+ {{- end }}
  - name: st2-config-vol
  configMap:
  name: {{ $.Release.Name }}-st2-config
@@ -979,6 +1029,7 @@ spec:
  annotations:
  checksum/config: {{ include (print $.Template.BasePath "/configmaps_st2-conf.yaml") . | sha256sum }}
  checksum/ssh: {{ include (print $.Template.BasePath "/secrets_ssh.yaml") . | sha256sum }}
+ checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
  {{- if .Values.st2actionrunner.annotations }}
 {{ toYaml .Values.st2actionrunner.annotations | indent 8 }}
  {{- end }}
@@ -1046,6 +1097,11 @@ spec:
  - name: st2-ssh-key-vol
  mountPath: /home/stanley/.ssh/
  readOnly: true
+ {{- if .Values.secrets.st2.datastore_crypto_key }}
+ - name: st2-encryption-key-vol
+ mountPath: /etc/st2/keys
+ readOnly: true
+ {{- end }}
  {{- if .Values.st2.packs.image.repository }}
  - name: st2-packs-vol
  mountPath: /opt/stackstorm/packs
@@ -1060,6 +1116,14 @@ spec:
  serviceAccountName: {{ template "stackstorm-ha.serviceAccountName" . }}
  {{- end }}
  volumes:
+ {{- if .Values.secrets.st2.datastore_crypto_key }}
+ - name: st2-encryption-key-vol
+ secret:
+ secretName: {{ .Release.Name }}-st2-datastore-crypto-key
+ items:
+ - key: datastore_crypto_key
+ path: datastore_key.json
+ {{- end }}
  - name: st2-config-vol
  configMap:
  name: {{ .Release.Name }}-st2-config
@@ -1206,6 +1270,7 @@ spec:
  checksum/packs: {{ include (print $.Template.BasePath "/configmaps_packs.yaml") . | sha256sum }}
  checksum/auth: {{ include (print $.Template.BasePath "/secrets_st2auth.yaml") . | sha256sum }}
  checksum/ssh: {{ include (print $.Template.BasePath "/secrets_ssh.yaml") . | sha256sum }}
+ checksum/datastore-key: {{ include (print $.Template.BasePath "/secrets_datastore_crypto_key.yaml") . | sha256sum }}
  spec:
  imagePullSecrets:
  {{- if .Values.enterprise.enabled }}
@@ -1309,6 +1374,11 @@ spec:
  - name: st2-ssh-key-vol
  mountPath: /home/stanley/.ssh/
  readOnly: true
+ {{- if .Values.secrets.st2.datastore_crypto_key }}
+ - name: st2-encryption-key-vol
+ mountPath: /etc/st2/keys
+ readOnly: true
+ {{- end }}
  {{- if .Values.st2.packs.image.repository }}
  - name: st2-packs-vol
  mountPath: /opt/stackstorm/packs
@@ -1326,6 +1396,14 @@ spec:
  memory: "5Mi"
  cpu: "5m"
  volumes:
+ {{- if .Values.secrets.st2.datastore_crypto_key }}
+ - name: st2-encryption-key-vol
+ secret:
+ secretName: {{ .Release.Name }}-st2-datastore-crypto-key
+ items:
+ - key: datastore_crypto_key
+ path: datastore_key.json
+ {{- end }}
  - name: st2-config-vol
  configMap:
  name: {{ .Release.Name }}-st2-config

diff --git a/templates/secrets_datastore_crypto_key.yaml b/templates/secrets_datastore_crypto_key.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.secrets.st2.datastore_crypto_key }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-st2-datastore-crypto-key
+ annotations:
+ description: StackStorm crypto key used to encrypt/decrypt KV records
+ labels:
+ app: st2
+ tier: backend
+ vendor: stackstorm
+ support: {{ template "supportMethod" . }}
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+ # Datastore key used to encrypt/decrypt record for the KV store
+ datastore_crypto_key: {{ .Values.secrets.st2.datastore_crypto_key | b64enc }}
+
+{{- end }}
diff --git a/values.yaml b/values.yaml
@@ -171,7 +171,7 @@ ingress:
  # - chart-example.test
 
 ##
-## StackStorm HA Cluster Secrets. All fields are required!
+## StackStorm HA Cluster Secrets.
 ## NB! It's highly recommended to change ALL defaults!
 ##
 # TODO: Move to `secrets.yaml` when it gets implemented in Helm (https://github.com/kubernetes/helm/issues/2196) ? (#14)
@@ -213,6 +213,10 @@ secrets:
  WE8BWLQ1vBV6c7V4Q0Wp6LuTnNnvu/lvVugJW/TbrzFw6CFe5fEISmIHAMnqVz8x
  OdOJyinSM1svoBGnYfyAqINKrqCSGSKmprlMo0Ma3erI7SuojWBS
  -----END RSA PRIVATE KEY-----
+ # ST2 crypto key for the K/V datastore.
+ # See https://docs.stackstorm.com/datastore.html#securing-secrets-admin-only for more info.
+ # Warning! Replace with your own generated key!
+ #datastore_crypto_key: {"hmacKey": {"hmacKeyString": "", "size": 256}, "size": 256, "aesKeyString": "", "mode": "CBC"}
 
 ##
 ## StackStorm HA Cluster pod settings for each individual service/component.