UNCLASSIFIED - NO CUI

Anchore redeploys after every update due to randomly generated SAML secret

Bug

Description

After every Helm update, Anchore will completely redeploy. This is because all of the resources have a checksum on the configmaps and secrets, which redeploy when the values change. And here we use a randomly generated SAML secret.

BigBang Version

1.14

Possible solution

This solution suggests the following code:

# store the secret-name as var
# in my case, the name was very long and containing a lot of fields
# so it helps me a lot
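# trim whitespace on the left only: trimming on the right as well would
# join the apiVersion line onto the comment line above
{{- $secret_name := "your-secret-name" }}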

apiVersion: v1
kind: Secret
metadata:
  name: {{ $secret_name }}

data:
  # try to get the old secret
  # keep in mind, that a dry-run only returns an empty map 
  {{- $old_sec := lookup "v1" "Secret" .Release.Namespace $secret_name }}

  # check, if a secret is already set
  {{- if or (not $old_sec) (not $old_sec.data) }}
  # if not set, then generate a new password
  db-password: {{ randAlphaNum 20 | b64enc }}
  {{ else }}
  # if set, then use the old value
  db-password: {{ index $old_sec.data "db-password" }}
  {{ end }}
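The effect of the proposed fix on a checksum over the rendered Secret, as an added example that is not code from the Anchore chart or from the linked solution. It runs the page's `db-password` template through Go's `text/template` (the engine Helm templates are written for) with constructed stand-ins for Helm's `lookup`, `randAlphaNum` and `b64enc`; the `"ns"` namespace and the function names `render` and `stableAcrossUpgrade` are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"text/template"
)

type obj = map[string]interface{} // shape of the object a lookup returns

// randomTpl draws a new value on every render, as described in the issue.
const randomTpl = `db-password: {{ randAlphaNum 20 | b64enc }}`

// reuseTpl is the proposed fix: keep the stored value when lookup finds one.
const reuseTpl = `{{- $old := lookup "v1" "Secret" "ns" "your-secret-name" -}}
{{- if or (not $old) (not $old.data) -}}
db-password: {{ randAlphaNum 20 | b64enc }}
{{- else -}}
db-password: {{ index $old.data "db-password" }}
{{- end -}}`

// render executes tpl; secret is what the cluster holds (empty: first install or dry-run).
func render(tpl string, secret obj) string {
	funcs := template.FuncMap{
		"lookup": func(_, _, _, _ string) obj { return secret }, // stand-in, no API call
		"randAlphaNum": func(n int) string {
			b := make([]byte, n)
			rand.Read(b)
			return fmt.Sprintf("%x", b)[:n] // hex digits: a subset of alphanumerics
		},
		"b64enc": func(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) },
	}
	var out bytes.Buffer
	template.Must(template.New("secret").Funcs(funcs).Parse(tpl)).Execute(&out, nil)
	return out.String()
}

// stableAcrossUpgrade renders an install, stores the result as the cluster's
// Secret, renders an upgrade, and compares the sha256 of the two renders.
func stableAcrossUpgrade(tpl string) bool {
	first := render(tpl, obj{})
	stored := obj{"data": obj{"db-password": first[len("db-password: "):]}}
	return sha256.Sum256([]byte(first)) == sha256.Sum256([]byte(render(tpl, stored)))
}

func main() {
	fmt.Println("random:", stableAcrossUpgrade(randomTpl), "| lookup:", stableAcrossUpgrade(reuseTpl))
}
```

When the lookup returns an empty map on every render, as in a dry-run, `reuseTpl` falls back to generating a new value each time and the checksum changes again.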