Error during rancher deployment: failed to generate datastore_crypto_key (randBytes not defined) #297

Closed
rex opened this issue Mar 15, 2022 · 3 comments
Labels
invalid This doesn't seem right question Further information is requested

Comments

@rex

rex commented Mar 15, 2022

I apologize that I didn't have the presence of mind to open this issue when I still had the error and stack trace in front of me, but I figured I'd at least open it in retrospect.

Environment: [email protected]
Helm version: 3
Chart version: 0.80.0

Problem

I didn't define datastore_crypto_key in values.yaml so it fell back to conf/datastore_crypto_key.yaml. For some reason it failed to generate the key, error message randBytes is not defined.

Solution

I worked around it by generating it myself using openssl rand -hex 32 and defining it in datastore_crypto_key.

Hopefully this helps someone!

@cognifloyd
Member

In order for the datastore_crypto_key generation to work, you need to use helm v3.5.0 (released January 2021) or newer.

The datastore_crypto_key generation was carefully crafted to match how StackStorm's st2-generate-symmetric-crypto-key script generates it.
If you can't use the helm-based generation, then please follow this section in the docs to generate a key:
https://docs.stackstorm.com/datastore.html#securing-secrets-admin-only

sudo st2-generate-symmetric-crypto-key --key-path datastore_key.json

And then put the contents of datastore_key.json in your values at st2.datastore_crypto_key.

NOTE: you should not need to run openssl rand ... to do this. openssl rand ... is incomplete and probably will not work when StackStorm tries to load it to encrypt and decrypt keys.

You can do this on any ST2 installation, including in a vagrant box.


My notes from researching this:

Helm gets the randBytes function from the sprig library: https://masterminds.github.io/sprig/crypto.html#randbytes
Sprig got the randBytes function in v3.2.0 (from Masterminds/sprig#253)
Helm v3.5.0 was the first version to use sprig v3.2.0: https://github.com/helm/helm/blob/v3.5.0/go.mod#L10
Helm v3.4.2 used sprig v3.1.0: https://github.com/helm/helm/blob/v3.4.2/go.mod#L10
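
A preflight check for the two points in the comment above (Helm v3.5.0 or newer is needed for randBytes, and a bare openssl rand value is not the contents of datastore_key.json). It is an added example, not part of the original thread or the chart's own code. The function names and the sample strings in the usage comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the chart): preflight checks before deploying.

# helm_has_randbytes VERSION
# VERSION is a string as printed by `helm version --short`, e.g. "v3.5.0+gabc1234"
# (constructed sample). Returns 0 if it is 3.5 or newer, the first Helm line built
# against sprig v3.2.0; 1 if older; 2 if the string cannot be parsed.
# Only major.minor is compared; pre-release tags are not distinguished.
helm_has_randbytes() {
    v=${1#v}        # drop the leading "v"
    v=${v%%+*}      # drop "+g<commit>" build metadata
    old_ifs=$IFS; IFS=.
    set -- $v       # split on dots into positional parameters
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}
    case "$major$minor" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$major" -gt 3 ] && return 0
    [ "$major" -eq 3 ] && [ "$minor" -ge 5 ] && return 0
    return 1
}

# key_value_kind VALUE
# Prints "bare-hex" for a value shaped like `openssl rand -hex 32` output,
# "json-object" for text that starts with "{" and ends with "}" (the shape of a
# JSON key file such as datastore_key.json), otherwise "unknown".
# Shape check only: it does not validate the key material itself.
key_value_kind() {
    val=$(printf '%s' "$1" | tr -d ' \t\r\n')
    case "$val" in
        '') echo unknown ;;
        *[!0-9a-fA-F]*)
            case "$val" in
                \{*\}) echo json-object ;;
                *)     echo unknown ;;
            esac ;;
        *) echo bare-hex ;;
    esac
}

# Typical use on a workstation with helm installed:
#   helm_has_randbytes "$(helm version --short)" || echo "helm too old for randBytes"
#   key_value_kind "$(cat datastore_key.json)"
```

A "bare-hex" result means the value came from something like the openssl workaround and should be replaced with the contents of a file produced by st2-generate-symmetric-crypto-key.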

cognifloyd added the invalid and question labels Mar 24, 2022
@cognifloyd
Member

I'm closing this for now. If you were using v3.5 or greater, please reopen and let's diagnose further.
