From 0ccd8396d3e04da56552d3b2c6cec4597153ecce Mon Sep 17 00:00:00 2001 From: sujiplr Date: Thu, 17 Mar 2022 13:49:03 +0530 Subject: [PATCH 1/3] SECRET_KEY Rotation Additional documentation for SECRET_KEY rotation and SECRET_KEY setting up. --- .../installation/configuring-superset.mdx | 17 ++++++++++- .../installation/running-on-kubernetes.mdx | 28 +++++++++++++++++++ helm/superset/values.yaml | 5 ++++ 3 files changed, 49 insertions(+), 1 deletion(-) diff --git a/docs/docs/installation/configuring-superset.mdx b/docs/docs/installation/configuring-superset.mdx index 12bfb342a1970..26f4892c92f72 100644 --- a/docs/docs/installation/configuring-superset.mdx +++ b/docs/docs/installation/configuring-superset.mdx @@ -20,7 +20,10 @@ ROW_LIMIT = 5000 SUPERSET_WEBSERVER_PORT = 8088 # Flask App Builder configuration -# Your App secret key +# Your App secret key, this will be used for encrypting the data. +# Make sure you are changing this key for your deployment with a strong key. +# You can generate a strong key using `openssl rand -base64 42` + SECRET_KEY = '\2\1thisismyscretkey\1\2\e\y\y\h' # The SQLAlchemy connection string to your database backend @@ -242,3 +245,15 @@ FEATURE_FLAGS = { ``` A current list of feature flags can be found in [RESOURCES/FEATURE_FLAGS.md](https://github.com/apache/superset/blob/master/RESOURCES/FEATURE_FLAGS.md). + +### SECRET_KEY Rotation + +If you want to rotate the SECRET_KEY(change the existing secret key), follow the below steps. + +# Add the new SECRET_KEY and PREVIOUS_SECRET_KEY + +```python +PREVIOUS_SECRET_KEY = 'CURRENT_SECRET_KEY' # The default SECRET_KEY for deployment is '21thisismyscretkey12eyyh' +SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY' +``` +# Then run `superset re-encrypt-secrets` diff --git a/docs/docs/installation/running-on-kubernetes.mdx b/docs/docs/installation/running-on-kubernetes.mdx index f879f2e6b5092..0d5caec6ff65e 100644 --- a/docs/docs/installation/running-on-kubernetes.mdx 
+++ b/docs/docs/installation/running-on-kubernetes.mdx @@ -92,6 +92,34 @@ postgresql: postgresqlPassword: superset ``` +Make sure you are giving your own SECRET_KEY for the encryption instead of default SECRET_KEY. + +- To generate a good key you can run, `openssl rand -base64 42` + +```yaml +configOverrides: + secret: | + SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY' +``` + +If you want to change the previous secret key then you should rotate the keys. +Default secret key for kubernetes deployment is `thisISaSECRET_1234` + +```yaml +configOverrides: + my_override: | + PREVIOUS_SECRET_KEY = 'YOUR_PREVIOUS_SECRET_KEY' + SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY' +init: + command: + - /bin/sh + - -c + - | + . {{ .Values.configMountPath }}/superset_bootstrap.sh + superset re-encrypt-secrets + . {{ .Values.configMountPath }}/superset_init.sh +``` + #### Dependencies Install additional packages and do any other bootstrap configuration in this script. For production clusters it's diff --git a/helm/superset/values.yaml b/helm/superset/values.yaml index 1c23b056b7a34..ea8472ebc31da 100644 --- a/helm/superset/values.yaml +++ b/helm/superset/values.yaml @@ -148,6 +148,9 @@ configOverrides: {} # AUTH_USER_REGISTRATION = True # # The default user self registration role # AUTH_USER_REGISTRATION_ROLE = "Admin" + # secret: | + # # Generate your own secret key for encryption. Use openssl rand -base64 42 to generate a good key + # SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY' # Same as above but the values are files configOverridesFiles: {} # extend_timeout: extend_timeout.py @@ -302,6 +305,8 @@ init: # Configure resources # Warning: fab command consumes a lot of ram and can # cause the process to be killed due to OOM if it exceeds limit + # Make sure you are giving a strong password for the admin user creation( else make sure you are changing after setup) + # Also change the admin email to your own custom email. resources: {} # limits: # cpu: 
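Review bot: The new commented `secret:` example under `configOverrides` shows SECRET_KEY written inline in values.yaml, a file that is normally committed to version control, and the comment says nothing about where the real value should live. The comment should steer readers away from committing the generated key, e.g. `#   # Generate your own key (openssl rand -base64 42) and keep it out of committed values: supply it from a separate, untracked values file or via configOverridesFiles below` (the `configOverridesFiles: {}` stanza follows this hunk and presumably takes the same overrides from files; confirm that before pointing at it). "for encryption" also understates what the key does: the docs hunk in the third patch describes SECRET_KEY as signing the session cookie as well as encrypting sensitive information in the database, and this comment should say the same so the two do not drift apart.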
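Review bot: The two new comment lines about the admin password and email sit under `# Configure resources` and the fab OOM warning, directly above `resources: {}`, so they describe a setting other than the one they are attached to; they belong next to the init admin-user values they refer to (presumably an admin user stanza elsewhere under `init:`, which is not visible in this hunk). The wording also has a spacing slip (`creation( else`); a tighter form that keeps the meaning is `# Set a strong password for the admin user created at init (or change it right after setup), and use your own admin email.`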
From f79de655006919f5a045cf37ab1a72e21e7fb1c4 Mon Sep 17 00:00:00 2001 From: sujiplr Date: Thu, 17 Mar 2022 15:24:26 +0530 Subject: [PATCH 2/3] Bumped the helm chart version to 0.5.11 Bumped the helm chart version for the new changes. --- helm/superset/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/superset/Chart.yaml b/helm/superset/Chart.yaml index ab74a648e4f0f..64600f5973ed4 100644 --- a/helm/superset/Chart.yaml +++ b/helm/superset/Chart.yaml @@ -22,7 +22,7 @@ maintainers: - name: craig-rueda email: craig@craigrueda.com url: https://github.com/craig-rueda -version: 0.5.10 +version: 0.5.11 dependencies: - name: postgresql version: 10.2.0 From 59442085facce47562d4cf82431071a5b5164cce Mon Sep 17 00:00:00 2001 From: sujiplr Date: Thu, 17 Mar 2022 15:34:54 +0530 Subject: [PATCH 3/3] Removed the default secret key value from the configuration docs. Removed the default secret key value from the configuration docs. --- docs/docs/installation/configuring-superset.mdx | 5 +++-- docs/docs/installation/running-on-kubernetes.mdx | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/docs/installation/configuring-superset.mdx b/docs/docs/installation/configuring-superset.mdx index 26f4892c92f72..4c504e8c8c7b2 100644 --- a/docs/docs/installation/configuring-superset.mdx +++ b/docs/docs/installation/configuring-superset.mdx 
@@ -20,11 +20,12 @@ ROW_LIMIT = 5000 SUPERSET_WEBSERVER_PORT = 8088 # Flask App Builder configuration -# Your App secret key, this will be used for encrypting the data. +# Your App secret key will be used for securely signing the session cookie +# and encrypting sensitive information on the database # Make sure you are changing this key for your deployment with a strong key. # You can generate a strong key using `openssl rand -base64 42` -SECRET_KEY = '\2\1thisismyscretkey\1\2\e\y\y\h' +SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY' # The SQLAlchemy connection string to your database backend # This connection defines the path to the database that stores your diff --git a/docs/docs/installation/running-on-kubernetes.mdx b/docs/docs/installation/running-on-kubernetes.mdx index 0d5caec6ff65e..d87359f146089 100644 --- a/docs/docs/installation/running-on-kubernetes.mdx +++ b/docs/docs/installation/running-on-kubernetes.mdx @@ -92,7 +92,8 @@ postgresql: postgresqlPassword: superset ``` -Make sure you are giving your own SECRET_KEY for the encryption instead of default SECRET_KEY. +Make sure, you set a unique strong complex alphanumeric string for your SECRET_KEY and use a tool to help you generate +a sufficiently random sequence. - To generate a good key you can run, `openssl rand -base64 42`