Merge branch 'anchore-3.0.2' into 'main'

update chart from 1.12.4 to 1.12.7 See merge request !25

Merge branch 'anchore-3.0.2' into 'main'
update chart from 1.12.4 to 1.12.7 See merge request !25
09ce263b · bhearn · ef78f431 · f859e650 · 09ce263b · 09ce263b
Commit 09ce263b authored Mar 25, 2021 by bhearn
20 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

 ---

+## [1.12.7-bb.0]
+### Changed
+- Bumped upstream chart version to 1.12.7
+- Bumped Anchore Engine image version to 0.9.3 from Registry1
+- Bumped Anchore Enterprise image version to 3.0.2 from Registry1 (Anchore Enterprise UI is remaining at 3.0.1)
+
 ## [1.12.4-bb.1]
 ### Changed
 - Replaced Bitnami redis chart with Big Bang redis chart

--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ helm upgrade -i anchore chart -n anchore --create-namespace -f chart/values.yaml

 To get the admin password (generated if you did not specify one):
 ```
-kubectl get secrets -n anchore anchore-anchore-engine -o go-template='{{.data.ANCHORE_ADMIN_PASSWORD | base64decode}}' | xargs
+kubectl get secrets -n anchore anchore-anchore-engine-admin-pass -o go-template='{{.data.ANCHORE_ADMIN_PASSWORD | base64decode}}' | xargs
 ```

 To delete Anchore when deployed this way:

--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: anchore-engine
-version: 1.12.4-bb.1
-appVersion: 0.9.2
+version: 1.12.7-bb.0
+appVersion: 0.9.3
 description: Anchore container analysis and policy evaluation engine service
 keywords:
 - analysis

--- a/chart/Kptfile
+++ b/chart/Kptfile
@@ -5,7 +5,7 @@ metadata:
 upstream:
  type: git
  git:
-    commit: 4a9ddbbf97d01a156062945922323478e1668bda
+    commit: e41ae9622408427aed876dcf91cea86d1cddf57a
    repo: https://github.com/anchore/anchore-charts
    directory: /stable/anchore-engine
-    ref: anchore-engine-1.12.4
+    ref: anchore-engine-1.12.7
--- a/chart/README.md
+++ b/chart/README.md
@@ -242,6 +242,12 @@ See the anchore-engine [CHANGELOG](https://github.com/anchore/anchore-engine/blo

 A Helm post-upgrade hook job will shut down all previously running Anchore services and perform the Anchore DB upgrade process using a kubernetes job. The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful helm upgrade.

+## Chart version 1.12.7
+
+* Anchore Engine image updated to v0.9.3
+* Anchore Enterprise image updated to v3.0.2 (Anchore Enterprise UI image remains at v3.0.1)
+* An [issue](https://github.com/anchore/anchore-engine/issues/950) was found that effects users of Anchore Engine 0.9.0 - 0.9.2 scanning certain Java images. A new version of anchore-engine 0.9.3 fixes the issue.  Anchore Enterprise customers using Anchore Enterprise 3.0.0 or 3.0.1 should upgrade to 3.0.2.
+
 ## Chart version 1.12.4

 ---

--- a/chart/templates/NOTES.txt
+++ b/chart/templates/NOTES.txt
@@ -8,7 +8,7 @@ Here are the steps to configure the anchore-cli (`pip install anchorecli`). Use
 To configure your anchore-cli run:

    ANCHORE_CLI_USER=admin
-    ANCHORE_CLI_PASS=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "anchore-engine.fullname" . }} -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --decode; echo)
+    ANCHORE_CLI_PASS=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "anchore-engine.fullname" . }}-admin-pass -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --decode; echo)
 {{ if .Values.ingress.enabled }}
   ANCHORE_CLI_URL={{- if .Values.anchoreGlobal.internalServicesSsl.enabled -}}https{{- else }}http{{- end -}}://$(kubectl get ingress --namespace {{ .Release.Namespace }} {{ template "anchore-engine.fullname" . }} -o jsonpath="{.status.loadBalancer.ingress[0].ip}")/v1/
 {{ else }}

--- a/chart/templates/analyzer_deployment.yaml
+++ b/chart/templates/analyzer_deployment.yaml
@@ -109,6 +109,8 @@ spec:
        {{- if not .Values.inject_secrets_via_env }}
        - secretRef:
            name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
+        - secretRef:
+            name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
        {{- end }}
        - configMapRef:
            name: {{ template "anchore-engine.fullname" . }}-env

--- a/chart/templates/anchore_admin_secret.yaml
+++ b/chart/templates/anchore_admin_secret.yaml
+{{- if not .Values.anchoreGlobal.existingSecret }}
+
+{{- $anchoreAdminPass := (include "anchore-engine.defaultAdminPassword" . | quote) }}
+
+{{- /*
+  If release is being upgraded, don't recreate the defaultAdminPassword, instead get it from the corresponding existing
+  secret. For users upgrading to chart v1.12.5 or higher, use the new admin-password secret, otherwise use the old
+  engine secret.
+*/ -}}
+{{- if and .Release.IsUpgrade (not .Values.anchoreGlobal.defaultAdminPassword) }}
+{{- $adminPassSecret := (lookup "v1" "Secret" .Release.Namespace (print (include "anchore-engine.fullname" .) "-admin-pass")) }}
+{{- $engineSecret := (lookup "v1" "Secret" .Release.Namespace (include "anchore-engine.fullname" . )) -}}
+{{- if or $engineSecret $adminPassSecret }}
+{{- $secret := (default $engineSecret $adminPassSecret) }}
+{{- $anchoreAdminPass = (index $secret.data "ANCHORE_ADMIN_PASSWORD" | b64dec) }}
+{{- end }}
+{{- end }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "anchore-engine.fullname" . }}-admin-pass
+  labels:
+    app: {{ template "anchore-engine.fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    {{- with .Values.anchoreGlobal.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+type: Opaque
+stringData:
+  ANCHORE_ADMIN_PASSWORD: {{ $anchoreAdminPass }}
+{{- end }}
--- a/chart/templates/api_deployment.yaml
+++ b/chart/templates/api_deployment.yaml
@@ -97,6 +97,8 @@ spec:
        {{- if not .Values.inject_secrets_via_env }}
        - secretRef:
            name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
+        - secretRef:
+            name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
        {{- end }}
        - configMapRef:
            name: {{ template "anchore-engine.fullname" . }}-env
@@ -115,7 +117,7 @@ spec:
        - name: ANCHORE_CLI_PASS
          valueFrom:
            secretKeyRef:
-              name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
+              name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
              key: ANCHORE_ADMIN_PASSWORD
        {{- end }}
        ports:
@@ -184,6 +186,8 @@ spec:
        {{- if not .Values.inject_secrets_via_env }}
        - secretRef:
            name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
+        - secretRef:
+            name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
        {{- end }}
        - configMapRef:
            name: {{ template "anchore-engine.fullname" . }}-env
@@ -254,6 +258,8 @@ spec:
        {{- if not .Values.inject_secrets_via_env }}
        - secretRef:
            name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
+        - secretRef:
+            name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
        {{- end }}
        - configMapRef:
            name: {{ template "anchore-engine.fullname" . }}-env
@@ -327,6 +333,8 @@ spec:
        {{- if not .Values.inject_secrets_via_env }}
        - secretRef:
            name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
+        - secretRef:
+            name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
        {{- end }}
        - configMapRef:
            name: {{ template "anchore-engine.fullname" . }}-env
@@ -399,6 +407,8 @@ spec:
        {{- if not .Values.inject_secrets_via_env }}
        - secretRef:
            name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
+        - secretRef:
+            name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
        {{- end }}
        - configMapRef:
            name: {{ template "anchore-engine.fullname" . }}-env

--- a/chart/templates/bigbang/sso/configure-sso.yaml
+++ b/chart/templates/bigbang/sso/configure-sso.yaml
@@ -56,7 +56,7 @@ spec:
              fi
          envFrom:
            - secretRef:
-                name: {{ template "anchore-engine.fullname" . }}
+                name: {{ template "anchore-engine.fullname" . }}-admin-pass
          volumeMounts:
            - name: anchore-sso
              mountPath: "/tmp"

--- a/chart/templates/catalog_deployment.yaml
+++ b/chart/templates/catalog_deployment.yaml
@@ -97,6 +97,8 @@ spec:
        {{- if not .Values.inject_secrets_via_env }}
        - secretRef:
            name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
+        - secretRef:
+            name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
        {{- end }}
        - configMapRef:
            name: {{ template "anchore-engine.fullname" . }}-env

--- a/chart/templates/engine_secret.yaml
+++ b/chart/templates/engine_secret.yaml
@@ -13,7 +13,6 @@ metadata:
    {{- end }}
 type: Opaque
 stringData:
-  ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
  ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }}
  {{- with .Values.anchoreGlobal.saml.secret }}
  ANCHORE_SAML_SECRET: {{ . }}

--- a/chart/templates/engine_upgrade_job.yaml
+++ b/chart/templates/engine_upgrade_job.yaml
@@ -59,6 +59,8 @@ spec:
        {{- if not .Values.inject_secrets_via_env }}
        - secretRef:
            name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
+        - secretRef:
+            name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
        {{- end }}
        - configMapRef:
            name: {{ template "anchore-engine.fullname" . }}-env

--- a/chart/templates/enterprise_feeds_deployment.yaml
+++ b/chart/templates/enterprise_feeds_deployment.yaml
@@ -96,6 +96,8 @@ spec:
        {{- if not .Values.inject_secrets_via_env }}
        - secretRef:
            name: {{ default (include "anchore-engine.enterprise-feeds.fullname" .) .Values.anchoreEnterpriseFeeds.existingSecret }}
+        - secretRef:
+            name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
        {{- end }}
        - configMapRef:
            name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}-env

--- a/chart/templates/enterprise_feeds_secret.yaml
+++ b/chart/templates/enterprise_feeds_secret.yaml
@@ -14,7 +14,6 @@ metadata:
    {{- end }}
 type: Opaque
 stringData:
-  ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
  ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }}
  {{- with .Values.anchoreGlobal.saml.secret }}
  ANCHORE_SAML_SECRET: {{ . }}

--- a/chart/templates/enterprise_feeds_upgrade_job.yaml
+++ b/chart/templates/enterprise_feeds_upgrade_job.yaml
@@ -47,6 +47,8 @@ spec:
        {{- if not .Values.inject_secrets_via_env }}
        - secretRef:
            name: {{ default (include "anchore-engine.enterprise-feeds.fullname" .) .Values.anchoreEnterpriseFeeds.existingSecret }}
+        - secretRef:
+            name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
        {{- end }}
        - configMapRef:
            name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}-env

--- a/chart/templates/enterprise_ui_deployment.yaml
+++ b/chart/templates/enterprise_ui_deployment.yaml
@@ -100,6 +100,8 @@ spec:
        {{- if not .Values.inject_secrets_via_env }}
        - secretRef:
            name: {{ default (include "anchore-engine.enterprise-ui.fullname" .) .Values.anchoreEnterpriseUi.existingSecret }}
+        - secretRef:
+            name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
        {{- end }}
        ports:
        - containerPort: 3000

--- a/chart/templates/enterprise_ui_secret.yaml
+++ b/chart/templates/enterprise_ui_secret.yaml
@@ -14,8 +14,6 @@ metadata:
    {{- end }}
 type: Opaque
 stringData:
-  ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
-
  {{- if .Values.anchoreGlobal.dbConfig.ssl }}
  ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}?ssl=verify-full'
  {{- else }}

--- a/chart/templates/enterprise_upgrade_job.yaml
+++ b/chart/templates/enterprise_upgrade_job.yaml
@@ -47,6 +47,8 @@ spec:
        {{- if not .Values.inject_secrets_via_env }}
        - secretRef:
            name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
+        - secretRef:
+            name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
        {{- end }}
        - configMapRef:
            name: {{ template "anchore-engine.fullname" . }}-env

--- a/chart/templates/policy_engine_deployment.yaml
+++ b/chart/templates/policy_engine_deployment.yaml
@@ -108,6 +108,8 @@ spec:
        {{- if not .Values.inject_secrets_via_env }}
        - secretRef:
            name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
+        - secretRef:
+            name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
        {{- end }}
        - configMapRef:
            name: {{ template "anchore-engine.fullname" . }}-env