From 850e7bab23113235f3a8c299607d9d24226b1fff Mon Sep 17 00:00:00 2001
From: Nick Maludy
Date: Tue, 22 Dec 2020 09:37:33 -0500
Subject: [PATCH 1/2] Allow datastore key to be populated from a variable.

---
 README.md | 1 +
 roles/StackStorm.st2/defaults/main.yml | 5 +++++
 roles/StackStorm.st2/tasks/datastore.yml | 8 ++++++++
 3 files changed, 14 insertions(+)

diff --git a/README.md b/README.md
index e8e486c4..538dea93 100644
--- a/README.md
+++ b/README.md
@@ -45,6 +45,7 @@ Below is the list of variables you can redefine in your playbook to customize st
 | `st2_auth_username` | `testu` | Username used by StackStorm standalone authentication.
 | `st2_auth_password` | `testp` | Password used by StackStorm standalone authentication.
 | `st2_save_credentials` | `yes` | Save credentials for local CLI in `/root/.st2/config` file.
+| `st2_datastore_key` | `null` | String for the datastore key file contents. This is useful if you're deploying StackStorm to multiple nodes and they need to share the same datastore key. By default, this variable is undefined and a new random key will be generated for each node.
 | `st2_packs` | `[ st2 ]` | List of packs to install. This flag does not work with a `--python3` only pack.
 | **st2web**
 | `st2web_ssl_certificate` | `null` | String with custom SSL certificate (`.crt`). If not provided, self-signed certificate will be generated.
diff --git a/roles/StackStorm.st2/defaults/main.yml b/roles/StackStorm.st2/defaults/main.yml
index 971c5af8..6154cafc 100644
--- a/roles/StackStorm.st2/defaults/main.yml
+++ b/roles/StackStorm.st2/defaults/main.yml
@@ -34,6 +34,11 @@ st2_auth_username: testu
 st2_auth_password: testp
 # Save credentials in ~/.st2/config file
 st2_save_credentials: yes
+# The string contents of the datastore key file. If you need to distribute the same key
+# to multiple StackStorm nodes, generate a datastore key and populate this variable
+# when installing on each of the ndoes.
+# Example: '{"hmacKey": {"hmacKeyString": "xxx", "size": 256}, "aesKeyString": "yyy", "mode": "CBC", "size": 256}'
+st2_datastore_key: null
 # ST2 packs to be installed (list)
 st2_packs:
   - st2
diff --git a/roles/StackStorm.st2/tasks/datastore.yml b/roles/StackStorm.st2/tasks/datastore.yml
index e2610d2a..f41f8c23 100644
--- a/roles/StackStorm.st2/tasks/datastore.yml
+++ b/roles/StackStorm.st2/tasks/datastore.yml
@@ -13,6 +13,14 @@
     command: st2-generate-symmetric-crypto-key --key-path {{ st2_datastore_key_file }}
     args:
       creates: "{{ st2_datastore_key_file }}"
+    when: not st2_datastore_key
+
+- name: Copy st2 encryption key
+  become: yes
+  copy:
+    content: "{{ st2_datastore_key }}"
+    dest: "{{ st2_datastore_key_file }}"
+  when: st2_datastore_key
 
 - name: Fix permissions on datastore encryption key
   become: yes
From e6f67a1237a98262c7b169afdfc378139a3f3808 Mon Sep 17 00:00:00 2001
From: Nick Maludy
Date: Wed, 23 Dec 2020 08:36:36 -0500
Subject: [PATCH 2/2] Restart stackstorm services after changing encryption key

---
 roles/StackStorm.st2/tasks/datastore.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/roles/StackStorm.st2/tasks/datastore.yml b/roles/StackStorm.st2/tasks/datastore.yml
index f41f8c23..57f84273 100644
--- a/roles/StackStorm.st2/tasks/datastore.yml
+++ b/roles/StackStorm.st2/tasks/datastore.yml
@@ -14,6 +14,7 @@
     args:
       creates: "{{ st2_datastore_key_file }}"
     when: not st2_datastore_key
+    notify: restart st2
 
 - name: Copy st2 encryption key
   become: yes
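Review bot: The comment block added above `st2_datastore_key` in defaults/main.yml has a typo (`ndoes` for `nodes`) and says nothing about the value being secret key material, even though it is written verbatim to the datastore encryption key file. I would add `# Treat this value as a secret: supply it from Ansible Vault or an external secret store, never from plain-text inventory or a committed vars file.` It is also worth stating explicitly that the value must be one quoted JSON string, as in the example, because an unquoted `{...}` is parsed by YAML as a mapping rather than the literal file contents the copy task expects.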
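Review bot: The new `Copy st2 encryption key` task in datastore.yml writes the key with `copy` but sets neither `mode` nor `no_log`, so the file is created with default umask permissions until the later `Fix permissions on datastore encryption key` task runs (its body is outside this hunk), and the key contents are printed in task output when the play runs with `--diff` or at higher verbosity. I would add `no_log: true` to the task and set the final `mode`/`owner` on the copy itself so the key never exists in a world-readable state; `mode: "0600"` is the conventional choice, assuming it matches what the fix-permissions task applies. The `when: not st2_datastore_key` / `when: st2_datastore_key` pair also relies on Jinja truthiness, so an empty string silently falls back to generating a fresh key; if that is intended, a one-line comment saying so would save the next reader a trip through the logic.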
@@ -21,6 +22,7 @@
     content: "{{ st2_datastore_key }}"
     dest: "{{ st2_datastore_key_file }}"
   when: st2_datastore_key
+  notify: restart st2
 
 - name: Fix permissions on datastore encryption key
   become: yes
@@ -37,4 +39,4 @@
     section: keyvalue
     option: encryption_key_path
     value: "{{ st2_datastore_key_file }}"
-  notify: restart st2api
+  notify: restart st2
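Review bot: Adding `notify: restart st2` to the `Copy st2 encryption key` task means that changing `st2_datastore_key` on a node that already holds encrypted datastore values silently overwrites the key and restarts the services, after which those values can no longer be decrypted, since nothing in this role re-encrypts them. That is a destructive operation the role should at least document; I would add above the task `# Changing st2_datastore_key on an existing node replaces the key without re-encrypting stored values; rotate the datastore contents first.` If you want to be safer, register the copy result and fail (or at least warn) when it reports `changed` and the key file already existed, rather than rotating unannounced. The `restart st2` handler referenced here and in the ini_file task below is not defined in this diff, so I cannot confirm it exists in the role's handlers.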