checksum magic

2e864494 · Micah Nagel · 97cd6434 · 2e864494 · 2e864494 · 2e864494
Commit 2e864494 authored Mar 05, 2021 by Micah Nagel 💰
11 changed files
--- a/chart/templates/analyzer_deployment.yaml
+++ b/chart/templates/analyzer_deployment.yaml
@@ -22,8 +22,7 @@ spec:
      component: {{ $component }}
  replicas: {{ .Values.anchoreAnalyzer.replicaCount }}
  strategy:
-    type: Recreate
-    rollingUpdate: null
+    type: RollingUpdate
  template:
    metadata:
      labels:
@@ -42,6 +41,15 @@ spec:
      {{- with .Values.anchoreAnalyzer.annotations }}
        {{ toYaml . | nindent 8 }}
      {{- end }}
+      {{- if not .Values.inject_secrets_via_env }}
+        checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+      {{- end }}
+        checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+        checksum/config: {{ include (print $.Template.BasePath "/analyzer_configmap.yaml") . | sha256sum }}
+        checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+      {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+        checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+      {{- end }}
    spec:
      {{- with .Values.anchoreGlobal.securityContext }}
      securityContext:

--- a/chart/templates/api_deployment.yaml
+++ b/chart/templates/api_deployment.yaml
@@ -22,8 +22,7 @@ spec:
      component: {{ $component }}
  replicas: {{ .Values.anchoreApi.replicaCount }}
  strategy:
-    type: Recreate
-    rollingUpdate: null
+    type: RollingUpdate
  template:
    metadata:
      labels:
@@ -42,6 +41,17 @@ spec:
      {{- with .Values.anchoreApi.annotations }}
        {{ toYaml . | nindent 8 }}
      {{- end }}
+      {{- if not .Values.inject_secrets_via_env }}
+        checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+      {{- end }}
+        checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+        checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+      {{- if .Values.anchoreGlobal.policyBundles }}
+        checksum/policy-config: {{ include (print $.Template.BasePath "/policy_bundle_configmap.yaml") . | sha256sum }}
+      {{- end }}
+      {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+        checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+      {{- end }}
    spec:
      {{- with .Values.anchoreGlobal.securityContext }}
      securityContext:

--- a/chart/templates/bigbang/password_update_job.yaml
+++ b/chart/templates/bigbang/password_update_job.yaml
+# Job to perform password update in Anchore DB
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: update-password
+  annotations:
+    "helm.sh/hook": post-upgrade
+spec:
+  template:
+    metadata:
+      name: update-password
+      annotations:
+        sidecar.istio.io/inject: 'false'
+    spec:
+      imagePullSecrets:
+        - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}
+      containers:
+        - name: update-password
+          # IB engine image does not have psql
+          image: {{ .Values.anchoreEnterpriseGlobal.image }}
+          command:
+            {{- if .Values.anchoreGlobal.dbConfig.ssl }}
+            - /bin/sh
+            - -c
+            - |
+              psql postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} \
+              -c "UPDATE public.user_access_credentials SET value = '${ANCHORE_ADMIN_PASSWORD}' WHERE username = 'admin'; COMMIT;"
+            {{- else }}
+            - /bin/sh
+            - -c
+            - |
+              psql postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} \
+              -c "UPDATE public.user_access_credentials SET value = '${ANCHORE_ADMIN_PASSWORD}' WHERE username = 'admin'; COMMIT;"
+            {{- end }}
+          envFrom:
+          {{- if not .Values.inject_secrets_via_env }}
+          - secretRef:
+              name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
+          {{- end }}
+          - configMapRef:
+              name: {{ template "anchore-engine.fullname" . }}-env
+      restartPolicy: OnFailure
--- a/chart/templates/catalog_deployment.yaml
+++ b/chart/templates/catalog_deployment.yaml
@@ -22,8 +22,7 @@ spec:
      component: {{ $component }}
  replicas: {{ .Values.anchoreCatalog.replicaCount }}
  strategy:
-    type: Recreate
-    rollingUpdate: null
+    type: RollingUpdate
  template:
    metadata:
      labels:
@@ -42,6 +41,17 @@ spec:
      {{- with .Values.anchoreCatalog.annotations }}
        {{ toYaml . | nindent 8 }}
      {{- end }}
+      {{- if not .Values.inject_secrets_via_env }}
+        checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+      {{- end }}
+        checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+        checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+      {{- if .Values.anchoreGlobal.policyBundles }}
+        checksum/policy-config: {{ include (print $.Template.BasePath "/policy_bundle_configmap.yaml") . | sha256sum }}
+      {{- end }}
+      {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+        checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+      {{- end }}
    spec:
      {{- with .Values.anchoreGlobal.securityContext }}
      securityContext:

--- a/chart/templates/engine_secret.yaml
+++ b/chart/templates/engine_secret.yaml
+{{- if not .Values.anchoreGlobal.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "anchore-engine.fullname" . }}
+  labels:
+    app: {{ template "anchore-engine.fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    {{- with .Values.anchoreGlobal.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+type: Opaque
+stringData:
+  ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
+  ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }}
+  {{- with .Values.anchoreGlobal.saml.secret }}
+  ANCHORE_SAML_SECRET: {{ . }}
+  {{- end }}
+{{- end }}
--- a/chart/templates/enterprise_feeds_deployment.yaml
+++ b/chart/templates/enterprise_feeds_deployment.yaml
@@ -23,8 +23,7 @@ spec:
      component: {{ $component }}
  replicas: 1
  strategy:
-    type: Recreate
-    rollingUpdate: null
+    type: RollingUpdate
  template:
    metadata:
      labels:
@@ -43,6 +42,14 @@ spec:
      {{- with .Values.anchoreEnterpriseFeeds.annotations }}
        {{ toYaml . | nindent 8 }}
      {{- end }}
+      {{- if not .Values.inject_secrets_via_env }}
+        checksum/secrets: {{ include (print $.Template.BasePath "/enterprise_feeds_secret.yaml") . | sha256sum }}
+      {{- end }}
+        checksum/env: {{ include (print $.Template.BasePath "/enterprise_feeds_configmap_env.yaml") . | sha256sum }}
+        checksum/feeds-config: {{ include (print $.Template.BasePath "/enterprise_feeds_configmap.yaml") . | sha256sum }}
+      {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+        checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+      {{- end }}
    spec:
      {{- with .Values.anchoreGlobal.securityContext }}
      securityContext:

--- a/chart/templates/enterprise_feeds_secret.yaml
+++ b/chart/templates/enterprise_feeds_secret.yaml
+{{- if not .Values.anchoreEnterpriseFeeds.existingSecret }}
+{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}
+  labels:
+    app: {{ template "anchore-engine.fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    {{- with .Values.anchoreGlobal.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+type: Opaque
+stringData:
+  ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
+  ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }}
+  {{- with .Values.anchoreGlobal.saml.secret }}
+  ANCHORE_SAML_SECRET: {{ . }}
+  {{- end }}
+{{- end }}
+{{- end }}
--- a/chart/templates/enterprise_ui_deployment.yaml
+++ b/chart/templates/enterprise_ui_deployment.yaml
@@ -24,8 +24,7 @@ spec:
      component: {{ $component }}
  replicas: 1
  strategy:
-    type: Recreate
-    rollingUpdate: null
+    type: RollingUpdate
  template:
    metadata:
      labels:
@@ -47,6 +46,13 @@ spec:
      {{- with .Values.anchoreEnterpriseUi.annotations }}
        {{ toYaml . | nindent 8 }}
      {{- end }}
+      {{- if not .Values.inject_secrets_via_env }}
+        checksum/secrets: {{ include (print $.Template.BasePath "/enterprise_ui_secret.yaml") . | sha256sum }}
+      {{- end }}
+        checksum/config: {{ include (print $.Template.BasePath "/enterprise_ui_configmap.yaml") . | sha256sum }}
+      {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+        checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+      {{- end }}
    spec:
      {{- with .Values.anchoreGlobal.securityContext }}
      securityContext:

--- a/chart/templates/secrets.yaml
+++ b/chart/templates/secrets.yaml
-{{- if not .Values.anchoreGlobal.existingSecret }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ template "anchore-engine.fullname" . }}
-  labels:
-    app: {{ template "anchore-engine.fullname" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-    {{- with .Values.anchoreGlobal.labels }}
-    {{ toYaml . | nindent 4 }}
-    {{- end }}
-type: Opaque
-stringData:
-  ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
-  ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }}
-  {{- with .Values.anchoreGlobal.saml.secret }}
-  ANCHORE_SAML_SECRET: {{ . }}
-  {{- end }}
-{{- end }}
-
---
-{{- if not .Values.anchoreEnterpriseFeeds.existingSecret }}
-{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}
-  labels:
-    app: {{ template "anchore-engine.fullname" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-    {{- with .Values.anchoreGlobal.labels }}
-    {{ toYaml . | nindent 4 }}
-    {{- end }}
-type: Opaque
-stringData:
-  ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
-  ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }}
-  {{- with .Values.anchoreGlobal.saml.secret }}
-  ANCHORE_SAML_SECRET: {{ . }}
-  {{- end }}
-{{- end }}
-{{- end }}
-
---
 {{- if not .Values.anchoreEnterpriseUi.existingSecret }}
 {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseUi.enabled }}
 apiVersion: v1

--- a/chart/templates/policy_engine_deployment.yaml
+++ b/chart/templates/policy_engine_deployment.yaml
@@ -22,8 +22,7 @@ spec:
      component: {{ $component }}
  replicas: {{ .Values.anchorePolicyEngine.replicaCount }}
  strategy:
-    type: Recreate
-    rollingUpdate: null
+    type: RollingUpdate
  template:
    metadata:
      labels:
@@ -42,6 +41,14 @@ spec:
      {{- with .Values.anchorePolicyEngine.annotations }}
        {{ toYaml . | nindent 8 }}
      {{- end }}
+      {{- if not .Values.inject_secrets_via_env }}
+        checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+      {{- end }}
+        checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+        checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+      {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+        checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+      {{- end }}
    spec:
      {{- with .Values.anchoreGlobal.securityContext }}
      securityContext:

--- a/chart/templates/simplequeue_deployment.yaml
+++ b/chart/templates/simplequeue_deployment.yaml
@@ -22,8 +22,7 @@ spec:
      component: {{ $component }}
  replicas: {{ .Values.anchoreSimpleQueue.replicaCount }}
  strategy:
-    type: Recreate
-    rollingUpdate: null
+    type: RollingUpdate
  template:
    metadata:
      labels:
@@ -42,6 +41,14 @@ spec:
      {{- with .Values.anchoreSimpleQueue.annotations }}
        {{ toYaml . | nindent 8 }}
      {{- end }}
+      {{- if not .Values.inject_secrets_via_env }}
+        checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+      {{- end }}
+        checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+        checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+      {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+        checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+      {{- end }}
    spec:
      {{- with .Values.anchoreGlobal.securityContext }}
      securityContext: