Skip to content

Commit

Permalink
docs: SECRET_KEY Rotation Documentation (#19233)
Browse files Browse the repository at this point in the history
* SECRET_KEY Rotation

Additional documentation for SECRET_KEY rotation and SECRET_KEY setting up.

* Bumped the helm chart version to 0.5.11

Bumped the helm chart version for the new changes.

* Removed the default secret key value from the configuration docs.

Removed the default secret key value from the configuration docs.
  • Loading branch information
sujiplr authored Mar 23, 2022
1 parent 87e36d6 commit 54c521b
Show file tree
Hide file tree
Showing 4 changed files with 53 additions and 3 deletions.
20 changes: 18 additions & 2 deletions docs/docs/installation/configuring-superset.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,12 @@ ROW_LIMIT = 5000
SUPERSET_WEBSERVER_PORT = 8088
# Flask App Builder configuration
# Your App secret key
SECRET_KEY = '\2\1thisismyscretkey\1\2\e\y\y\h'
# Your App secret key will be used for securely signing the session cookie
# and encrypting sensitive information on the database
# Make sure you are changing this key for your deployment with a strong key.
# You can generate a strong key using `openssl rand -base64 42`
SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
# The SQLAlchemy connection string to your database backend
# This connection defines the path to the database that stores your
Expand Down Expand Up @@ -242,3 +246,15 @@ FEATURE_FLAGS = {
```

A current list of feature flags can be found in [RESOURCES/FEATURE_FLAGS.md](https://github.com/apache/superset/blob/master/RESOURCES/FEATURE_FLAGS.md).

### SECRET_KEY Rotation

If you want to rotate the SECRET_KEY(change the existing secret key), follow the below steps.

# Add the new SECRET_KEY and PREVIOUS_SECRET_KEY

```python
PREVIOUS_SECRET_KEY = 'CURRENT_SECRET_KEY' # The default SECRET_KEY for deployment is '21thisismyscretkey12eyyh'
SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
```
# Then run `superset re-encrypt-secrets`
29 changes: 29 additions & 0 deletions docs/docs/installation/running-on-kubernetes.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,35 @@ postgresql:
postgresqlPassword: superset
```
Make sure, you set a unique strong complex alphanumeric string for your SECRET_KEY and use a tool to help you generate
a sufficiently random sequence.
- To generate a good key you can run, `openssl rand -base64 42`

```yaml
configOverrides:
secret: |
SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
```

If you want to change the previous secret key then you should rotate the keys.
Default secret key for kubernetes deployment is `thisISaSECRET_1234`

```yaml
configOverrides:
my_override: |
PREVIOUS_SECRET_KEY = 'YOUR_PREVIOUS_SECRET_KEY'
SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
init:
command:
- /bin/sh
- -c
- |
. {{ .Values.configMountPath }}/superset_bootstrap.sh
superset re-encrypt-secrets
. {{ .Values.configMountPath }}/superset_init.sh
```

#### Dependencies

Install additional packages and do any other bootstrap configuration in this script. For production clusters it's
Expand Down
2 changes: 1 addition & 1 deletion helm/superset/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ maintainers:
- name: craig-rueda
email: [email protected]
url: https://github.com/craig-rueda
version: 0.5.10
version: 0.5.11
dependencies:
- name: postgresql
version: 10.2.0
Expand Down
5 changes: 5 additions & 0 deletions helm/superset/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -148,6 +148,9 @@ configOverrides: {}
# AUTH_USER_REGISTRATION = True
# # The default user self registration role
# AUTH_USER_REGISTRATION_ROLE = "Admin"
# secret: |
# # Generate your own secret key for encryption. Use openssl rand -base64 42 to generate a good key
# SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
# Same as above but the values are files
configOverridesFiles: {}
# extend_timeout: extend_timeout.py
Expand Down Expand Up @@ -302,6 +305,8 @@ init:
# Configure resources
# Warning: fab command consumes a lot of ram and can
# cause the process to be killed due to OOM if it exceeds limit
# Make sure you are giving a strong password for the admin user creation( else make sure you are changing after setup)
# Also change the admin email to your own custom email.
resources: {}
# limits:
# cpu:
Expand Down

0 comments on commit 54c521b

Please sign in to comment.