From 54c521ba77464c11762c6549b13c0c7902a3bcb2 Mon Sep 17 00:00:00 2001
From: Sujith Kumar S <31705464+sujiplr@users.noreply.github.com>
Date: Wed, 23 Mar 2022 15:44:46 +0530
Subject: [PATCH] docs: SECRET_KEY Rotation Documentation (#19233)

* SECRET_KEY Rotation

Additional documentation for SECRET_KEY rotation and SECRET_KEY setting up.

* Bumped the helm chart version to 0.5.11

Bumped the helm chart version for the new changes.

* Removed the default secret key value from the configuration docs.

Removed the default secret key value from the configuration docs.
---
 .../installation/configuring-superset.mdx     | 20 +++++++++++--
 .../installation/running-on-kubernetes.mdx    | 29 +++++++++++++++++++
 helm/superset/Chart.yaml                      |  2 +-
 helm/superset/values.yaml                     |  5 ++++
 4 files changed, 53 insertions(+), 3 deletions(-)

diff --git a/docs/docs/installation/configuring-superset.mdx b/docs/docs/installation/configuring-superset.mdx
index 12bfb342a1..4c504e8c8c 100644
--- a/docs/docs/installation/configuring-superset.mdx
+++ b/docs/docs/installation/configuring-superset.mdx
@@ -20,8 +20,12 @@ ROW_LIMIT = 5000
 SUPERSET_WEBSERVER_PORT = 8088
 
 # Flask App Builder configuration
-# Your App secret key
-SECRET_KEY = '\2\1thisismyscretkey\1\2\e\y\y\h'
+# Your App secret key will be used for securely signing the session cookie
+# and encrypting sensitive information on the database
+# Make sure you are changing this key for your deployment with a strong key.
+# You can generate a strong key using `openssl rand -base64 42`
+
+SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
 
 # The SQLAlchemy connection string to your database backend
 # This connection defines the path to the database that stores your
@@ -242,3 +246,15 @@ FEATURE_FLAGS = {
 ```
 
 A current list of feature flags can be found in [RESOURCES/FEATURE_FLAGS.md](https://github.com/apache/superset/blob/master/RESOURCES/FEATURE_FLAGS.md).
+
+### SECRET_KEY Rotation
+
+If you want to rotate the SECRET_KEY(change the existing secret key), follow the below steps.
+
+# Add the new SECRET_KEY and PREVIOUS_SECRET_KEY
+
+```python
+PREVIOUS_SECRET_KEY = 'CURRENT_SECRET_KEY' # The default SECRET_KEY for deployment is '21thisismyscretkey12eyyh'
+SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
+```
+# Then run `superset re-encrypt-secrets`
diff --git a/docs/docs/installation/running-on-kubernetes.mdx b/docs/docs/installation/running-on-kubernetes.mdx
index f879f2e6b5..d87359f146 100644
--- a/docs/docs/installation/running-on-kubernetes.mdx
+++ b/docs/docs/installation/running-on-kubernetes.mdx
@@ -92,6 +92,35 @@ postgresql:
   postgresqlPassword: superset
 ```
 
+Make sure, you set a unique strong complex alphanumeric string for your SECRET_KEY and use a tool to help you generate
+a sufficiently random sequence.
+
+- To generate a good key you can run, `openssl rand -base64 42`
+
+```yaml
+configOverrides:
+  secret: |
+    SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
+```
+
+If you want to change the previous secret key then you should rotate the keys.
+Default secret key for kubernetes deployment is `thisISaSECRET_1234`
+
+```yaml
+configOverrides:
+  my_override: |
+    PREVIOUS_SECRET_KEY = 'YOUR_PREVIOUS_SECRET_KEY'
+    SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
+init:
+  command:
+    - /bin/sh
+    - -c
+    - |
+      . {{ .Values.configMountPath }}/superset_bootstrap.sh
+      superset re-encrypt-secrets
+      . {{ .Values.configMountPath }}/superset_init.sh
+```
+
 #### Dependencies
 
 Install additional packages and do any other bootstrap configuration in this script. For production clusters it's
diff --git a/helm/superset/Chart.yaml b/helm/superset/Chart.yaml
index ab74a648e4..64600f5973 100644
--- a/helm/superset/Chart.yaml
+++ b/helm/superset/Chart.yaml
@@ -22,7 +22,7 @@ maintainers:
   - name: craig-rueda
     email: craig@craigrueda.com
     url: https://github.com/craig-rueda
-version: 0.5.10
+version: 0.5.11
 dependencies:
 - name: postgresql
   version: 10.2.0
diff --git a/helm/superset/values.yaml b/helm/superset/values.yaml
index 1c23b056b7..ea8472ebc3 100644
--- a/helm/superset/values.yaml
+++ b/helm/superset/values.yaml
@@ -148,6 +148,9 @@ configOverrides: {}
   #   AUTH_USER_REGISTRATION = True
   #   # The default user self registration role
   #   AUTH_USER_REGISTRATION_ROLE = "Admin"
+  # secret: |
+  #   # Generate your own secret key for encryption. Use openssl rand -base64 42 to generate a good key
+  #   SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
 # Same as above but the values are files
 configOverridesFiles: {}
   # extend_timeout: extend_timeout.py
@@ -302,6 +305,8 @@ init:
   # Configure resources
   # Warning: fab command consumes a lot of ram and can
   # cause the process to be killed due to OOM if it exceeds limit
+  # Make sure you are giving a strong password for the admin user creation( else make sure you are changing after setup)
+  # Also change the admin email to your own custom email.
   resources: {}
     # limits:
     #   cpu: