Merge pull request #385 from bmarick/disableGenerateDatastoreCryptoKey

Secret DataStore Crypto Key should not be created when existing provided
StackStorm · Jan 23, 2024 · 44aa43a · 44aa43a
2 parents 70ee244 + 95ece73
commit 44aa43a
Show file tree

Hide file tree

Showing 2 changed files with 110 additions and 1 deletion.
diff --git a/templates/secrets_datastore_crypto_key.yaml b/templates/secrets_datastore_crypto_key.yaml
@@ -2,7 +2,7 @@
 {{- $deprecated_crypto_key := (default (dict) (default (dict) .Values.secrets).st2).datastore_crypto_key }}
 {{- if $deprecated_crypto_key }}
 {{- fail "Please update your values! The datastore_crypto_key value moved from secrets.st2.* to st2.*" }}
-{{- else if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
+{{- else if and (ne "disable" (default "" .Values.st2.datastore_crypto_key)) (not .Values.st2.existingDatastoreSecret) }}
 ---
 apiVersion: v1
 kind: Secret

diff --git a/tests/unit/secrets_test.yaml b/tests/unit/secrets_test.yaml
@@ -2,6 +2,7 @@
 suite: Secret files
 templates:
   # primary template files
+  - secrets_datastore_crypto_key.yaml
   - secrets_st2auth.yaml
   - deployments.yaml
   - jobs.yaml
@@ -113,3 +114,111 @@ tests:
           path: spec.template.spec.initContainers[1].envFrom[1].secretRef.name
           value: "hello-world"
         documentIndex: 1 # st2-key-load
+
+  - it: ST2 Datastore Crypto Key Secret include by default
+    template: secrets_datastore_crypto_key.yaml
+    set:
+      st2: {}
+    release:
+      name: st2ha
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isNotEmpty:
+          path: data.datastore_crypto_key
+        documentIndex: 0
+
+  - it: ST2 Datastore Crypto Key Secret set custom username and password
+    template: secrets_datastore_crypto_key.yaml
+    set:
+      st2:
+        datastore_crypto_key: >-
+          {"hmacKey": {"hmacKeyString": "", "size": 256}, "size": 256, "aesKeyString": "", "mode": "CBC"}
+    release:
+      name: st2ha
+    asserts:
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: data.datastore_crypto_key
+          value: "eyJobWFjS2V5IjogeyJobWFjS2V5U3RyaW5nIjogIiIsICJzaXplIjogMjU2fSwgInNpemUiOiAyNTYsICJhZXNLZXlTdHJpbmciOiAiIiwgIm1vZGUiOiAiQ0JDIn0=" # Base64 encoded value
+
+  - it: ST2 Datastore Crypto Key Secret disable generation
+    template: secrets_datastore_crypto_key.yaml
+    set:
+      st2:
+        existingDatastoreSecret: "hello-world"
+    release:
+      name: st2ha
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: ST2 Datastore Crypto Key Secret custom secret Name
+    template: deployments.yaml
+    set:
+      st2:
+        existingDatastoreSecret: "hello-world"
+      st2chatops:
+        enabled: true
+    release:
+      name: st2ha
+    asserts:
+      - hasDocuments:
+          count: 14
+      - equal:
+          path: metadata.name
+          value: st2ha-st2api
+        documentIndex:  &deployment_st2api_doc 1
+      - equal:
+          path: spec.template.spec.volumes[0].secret.secretName
+          value: "hello-world"
+        documentIndex: *deployment_st2api_doc
+      - equal:
+          path: metadata.name
+          value: st2ha-st2rulesengine
+        documentIndex:  &deployment_st2rulesengine_doc 4
+      - equal:
+          path: spec.template.spec.volumes[1].secret.secretName
+          value: "hello-world"
+        documentIndex: *deployment_st2rulesengine_doc
+      - equal:
+          path: metadata.name
+          value: st2ha-st2workflowengine
+        documentIndex:  &deployment_st2workflowengine_doc 6
+      - equal:
+          path: spec.template.spec.volumes[1].secret.secretName
+          value: "hello-world"
+        documentIndex: *deployment_st2workflowengine_doc
+      - equal:
+          path: metadata.name
+          value: st2ha-st2scheduler
+        documentIndex:  &deployment_st2scheduler_doc 7
+      - equal:
+          path: spec.template.spec.volumes[0].secret.secretName
+          value: "hello-world"
+        documentIndex: *deployment_st2scheduler_doc
+      - equal:
+          path: metadata.name
+          value: st2ha-st2sensorcontainer
+        documentIndex:  &deployment_st2sensorcontainer_doc 9
+      - equal:
+          path: spec.template.spec.volumes[0].secret.secretName
+          value: "hello-world"
+        documentIndex: *deployment_st2sensorcontainer_doc
+      - equal:
+          path: metadata.name
+          value: st2ha-st2actionrunner
+        documentIndex:  &deployment_st2actionrunner_doc 10
+      - equal:
+          path: spec.template.spec.volumes[0].secret.secretName
+          value: "hello-world"
+        documentIndex: *deployment_st2actionrunner_doc
+      - equal:
+          path: metadata.name
+          value: st2ha-st2client
+        documentIndex:  &deployment_st2client_doc 12
+      - equal:
+          path: spec.template.spec.volumes[0].secret.secretName
+          value: "hello-world"
+        documentIndex: *deployment_st2client_doc