UNCLASSIFIED - NO CUI

Skip to content

Broken ability to place passwords outside values.yaml

Summary

This is likely an issue because I'm not working with this chart within the context of Big Bang.

I can't use the ability to put passwords in a secret instead of in the values.yaml as implemented in the underlying work of Anchore's charts because the big bang templates enforce placing it in values.yaml here. https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/-/blob/main/chart/templates/bigbang/db/anchore-db-secret.yaml#L21

Then it also runs a job that fails because the above job doesn't use the proper credentials.

Steps to reproduce

Create a secert with ANCHORE_DB_PASSWORD, ANCHORE_ADMIN_PASSWORD and ANCHORE_SAML_SECRET env set named anchore-engine.

In values.yaml, place:

anchoreGlobal:
  existingSecret: anchore-engine

postgresql:
  enabled: false
  externalEndpoint: my-host:5432
  postgresUser: anchore
  postgresDatabase: anchore

What is the current behavior?

Fail to start Anchore because it uses incorrect credentials.

What is the expected behavior?

Use the database password identified in the anchore-engine secret as the underlying Anchore charts would expect.

Possible fixes

I'd recommend following the example of Anchore's charts with handling the use of that Secret to set the ENV as an option instead of using the chart. I'd even prefer to see that enforced as a best practice in the case of the DoD.

https://github.com/anchore/anchore-charts/blob/main/stable/anchore-engine/templates/analyzer_deployment.yaml#L112

/cc {put CODEOWNERs @githandles here}

UNCLASSIFIED - NO CUI