<ST2 on k8s> Unable to decrypt the secret values from data store when used in webhook. st2rulesengine not mounting "st2-encryption-key-vol" volume.

[moti1992]

Webhook rule under rules/:

---
name: "wb"
pack: "xxx"
description: "Sample webhook to remote cmd run"
enabled: true

trigger:
  type: "core.st2.webhook"
  parameters:
    url: remote
criteria:
  trigger.body.name:
    pattern: "run"
    type: "equals"
action:
  ref: "xxx.yyy"
  parameters:
    cmd: "{{trigger.body.cmd}}"

Getting the below error on rulesengine pod:

error: 'Failed to render parameter "username": [Errno 2] No such file or directory: ''/etc/st2/keys/datastore_key.json'''
  traceback: "  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2reactor/rules/enforcer.py", line 237, in _invoke_action
    additional_contexts=additional_contexts,
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2reactor/rules/enforcer.py", line 83, in get_resolved_parameters
    additional_contexts=additional_contexts,
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2common/util/param.py", line 334, in render_live_params
    context = _resolve_dependencies(G)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2common/util/param.py", line 242, in _resolve_dependencies
    raise ParamException(msg)
"

[cognifloyd]

What version of the StackStorm-ha chart are you using?
What version of StackStorm?

[moti1992]

I'm using the code pulled from master in the past month. Pulled from this Commit ID: 2f9d0c9

ST2 version:
st2 3.5.0, on Python 3.6.9

Moreover, I have tried mounting the datastore on st2rulesengine (below image) and it worked after that. Just wanted to confirm if its a right fix or not. Please review and let me know if further info needed.

[cognifloyd]

Let's see. So right now we're adding a datastore_crypto_key volume in these deployments:

• st2api
• st2rulesengine
• st2workflowengine
• st2scheduler
• st2sensorcontainer
• st2actionrunner
• st2client

But we're only mounting the volume in these:

• st2api
• st2workflowengine
• st2scheduler
• st2sensorcontainer
• st2actionrunner
• st2client

So, yes. We are missing the volumeMount for the st2rulesengine. Would you please submit a PR? Thanks for finding a fix for this!

[moti1992]

Sure I will raise a PR. Thanks for the confirmation.

[moti1992]

@cognifloyd getting this error when i tried to commit to new branch from master
ERROR: Permission to StackStorm/stackstorm-ha.git denied to moti1992.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.

Is there any permission required ?

UPDATE: please ignore this comment. Forgot to fork the repo.

[moti1992]

@cognifloyd PR : #224