Ability to disable `ensure-anchore-db` job
Summary
The `ensure-anchore-db` job requires PSS set to baseline when that's not required by the official chart. I'd like the option to be able to disable it when using an external DB. If that's not possible, then I'd like the ability to set the istio job annotations on it to disable istio injection or set a `spec.securityContext` to meet a restrictive PSS.
Steps to reproduce
Have istio injection enabled and PSS set to restrictive. Have an external DB and attempt to install the helm chart.
What is the current behavior?
Job fails to deploy because istio containers don't have necessary security context to pass restrictive PSS. When setting to baseline PSS, job occasionally fails to exit the istio proxy resulting in the job getting stuck.
What is the expected behavior?
Be able to disable the job when it's not necessary.
Possible fixes
Update this line to include a check if a variable like `externalDBCheckEnabled` is set to true.
Add in `securityContext` to the pod definition. This is what's used in the deployment specs: `{{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }}`
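
A sketch of the three options requested above combined in one Job template. This is an added example, not the chart's own template or the reporter's code. `.Values.externalDBCheckEnabled` is the illustrative name from the issue, and the image, command and UID are placeholders.

```yaml
# Hypothetical Helm template sketch; not taken from the chart.
# .Values.externalDBCheckEnabled is the illustrative value name from the issue.
# Image, command and UID are placeholders to be replaced with the chart's real values.
{{- if .Values.externalDBCheckEnabled }}
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ .Release.Name }}-ensure-anchore-db
spec:
  template:
    metadata:
      annotations:
        # No sidecar is injected, so no proxy container is evaluated by
        # Pod Security admission or left running after the job finishes.
        sidecar.istio.io/inject: "false"
    spec:
      restartPolicy: Never
      # Pod-level settings needed under the most restrictive PSS profile
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000              # placeholder non-root UID
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: ensure-anchore-db
          image: "<db-client-image>"         # placeholder
          command: ["<db-check-command>"]    # placeholder
          # Container-level settings needed under the same profile
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
{{- end }}
```

With the value unset or false the Job is not rendered at all, which covers the external DB case.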