UNCLASSIFIED - NO CUI

Draft: Handle Config Changes -- DO NOT MERGE :)

Micah Nagel requested to merge update-on-config-changes into anchore-3.0.0

This is a WIP MR for testing things. Ideally these changes (or different ones to solve the same problems) would be incorporated in the upstream chart.

Summary of changes:

  • Changes all deployments to use RollingUpdates to increase availability (have not extensively tested if there are DB issues with this, but everything seems to work)
  • Adds checksum annotations to every deployment - This is a trick from Helm that provides a way to automatically roll deployments when a configmap/secret changes. This is necessary for Anchore because most deployments pull configs/secrets into their environment and don't update when those change. Some of these checksums are Big Bang specific to roll pods based on the license file changing.
  • Splits secrets into separate files - This was done to make checksums more accurate and roll a minimal amount of pods per change.
  • Adds a job to update the password in the DB - When the password is changed in the Helm values, the checksums take care of making sure that pods are rolled and updated. The database, however, is never updated with the password, which is the source of truth used by the UI and CLI for auth. This job runs post-upgrade to connect to the DB and update that value. The enterprise image is used since it has psql. This job would not work with hashed passwords; it's a very basic proof of concept. Ideally this password update would be wrapped into the already existing DB update jobs.
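The checksum-annotation pattern and the RollingUpdate strategy described in the first three bullets, as an added illustration that is not code from this MR or from the Anchore chart. Every name here is an assumption for the example: the deployment name, the template file names `configmap.yaml` and `secret-db.yaml`, and a `.Values.license` value standing in for the Big Bang license file. The point a reviewer checks is that the annotations live on the pod template (`spec.template.metadata.annotations`), not on the Deployment's own metadata; a changed annotation on the Deployment object alone does not roll pods.

```yaml
# Added example (not from the MR): Helm checksum annotations that roll a
# deployment whenever the rendered ConfigMap/Secret it consumes changes.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-api          # hypothetical name
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0                  # never drop below the current replica count
  selector:
    matchLabels:
      app: {{ .Release.Name }}-api
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}-api
      annotations:
        # Hash of the rendered template, so any change in values that reaches
        # the ConfigMap changes the pod template and triggers a rollout.
        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
        # One checksum per secret file the pod actually uses; splitting secrets
        # into separate files keeps unrelated secret changes from rolling this pod.
        checksum/db-secret: {{ include (print $.Template.BasePath "/secret-db.yaml") . | sha256sum }}
        # Hypothetical Big Bang specific hash of the license value.
        checksum/license: {{ .Values.license | toString | sha256sum }}
    spec:
      containers:
        - name: api
          image: {{ .Values.image.repository }}:{{ .Values.image.tag }}   # assumed values keys
          envFrom:
            - configMapRef:
                name: {{ .Release.Name }}-config     # must match configmap.yaml
            - secretRef:
                name: {{ .Release.Name }}-db         # must match secret-db.yaml
```

Rendering with `helm template` and diffing two value sets shows the annotation change directly; the rollout only fires if the hashed template is the one the container actually reads, so each `checksum/*` should point at the file whose ConfigMap or Secret appears under `envFrom` or `volumes` for that pod.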