Re: [I] Change SECRET_KEY and get error `ValueError: Invalid decryption key` on K8s [superset]

Fri, 20 Sep 2024 13:32:16 -0700 


shanebusenitz commented on issue #8538:
URL: https://github.com/apache/superset/issues/8538#issuecomment-2364575556

   Ok so I spent all day on this and finally got it so I'm going to add some 
more detail to help others out.
   
   We had a previous deployment running on K8s deployed from Helm. I upgraded 
to 3.0.0 and tried setting the `SUPERSET_SECRET_KEY` in a variety of ways using 
the `openssl rand -base64 42` with no luck. 
   
   A couple things I found to be true for me was that setting:
   ```
     extraSecretEnv:
       SUPERSET_SECRET_KEY: SomelongBase64String
   ```
   did not in fact set the `SECRET_KEY` in the superset_config.py like the docs 
say it will. 
   Another thing that seems to be true is if you have a previous deployment you 
have to set a `PREVIOUS_SECRET_KEY` which you can only get from the previous 
version. 
   
   After all that, these are the steps I followed to get it to work:
   
   1. From 3.0.0 I downgraded to 2.1.1 (along with helm to 0.7.7) and deployed 
(we use ArgoCD so it syncs with any update)
   2. Shell logged into the running web superset running and ran `cat 
pythonpath/superset_config.py`. At the bottom there should be a 
SECRET_KEY='thisISaSECRET_56789' or something basic like that. Grab that string.
   3. Upgraded to 3.0.0 and set values.yaml like this:
   ```
     extraSecretEnv:
       SUPERSET_SECRET_KEY: <some string you generate by using `openssl rand 
-base64 42`>
       # old default secret goes here
       PREVIOUS_SECRET_KEY: thisISaSECRET_56789
   
      # you could just hardcode them here but this is was what I did when I 
figured out `extraSecretEnv` were not being used.
     configOverrides:
       secret: |
         # Secret key for signing cookies
         SECRET_KEY = os.getenv('SUPERSET_SECRET_KEY')
         PREVIOUS_SECRET_KEY = os.getenv('PREVIOUS_SECRET_KEY')
   ```
   deploy these changes.
   4. shell into the web superset again and run `superset re-encrypt-secrets`
   
   Hopefully this helps someone not spend the time I did figuring this out.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to