Merge branch 'anchore-3.0.0' into 'main'

Resolve "Upgrade Anchore Enterprise 2.4.x -> 3.0.x" Closes #4 See merge request !17

Merge branch 'anchore-3.0.0' into 'main'
Resolve "Upgrade Anchore Enterprise 2.4.x -> 3.0.x" Closes #4 See merge request !17
3e5f3018 · Micah Nagel · 3c9e4bda · 01b3d2f3 · 3e5f3018 · 3e5f3018
Commit 3e5f3018 authored Mar 11, 2021 by Micah Nagel 💰
20 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,13 +4,21 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

 ---

+## [1.12.2-bb.0]
+### Changed
+- Bumped upstream chart version to 1.12.2
+- Bumped Anchore enterprise images to 3.0.0 from registry1
+- BREAKING UPDATE (SSO): When upgrading from 1.11.0-bb.3 and using SSO, manual config is required. See the note in the [Keycloak Docs](./docs/KEYCLOAK.md#anchore-1122-bb0-upgrade).
+
+### Fixed
+- Fixed an upgrade bug caused by sso job not being removed
+
 ## [1.11.0-bb.3]
-## Fixed
+### Fixed
 - Fixed an SSO bug caused by hashed passwords not being set consistently - BB Issue #135

-
 ## [1.11.0-bb.2]
-## Changed
+### Changed
 - Modified chart to handle monitoring more cleanly

 ## [1.11.0-bb.1]

--- a/README.md
+++ b/README.md
@@ -14,6 +14,11 @@ To deploy Anchore apart from Umbrella:
 helm upgrade -i anchore chart -n anchore --create-namespace -f chart/values.yaml
 ```

+To get the admin password (generated if you did not specify one):
+```
+kubectl get secrets -n anchore anchore-anchore-engine -o go-template='{{.data.ANCHORE_ADMIN_PASSWORD | base64decode}}' | xargs
+```
+
 To delete Anchore when deployed this way:
 ```
 helm delete anchore -n anchore

--- a/chart/Chart.lock
+++ b/chart/Chart.lock
@@ -7,6 +7,6 @@ dependencies:
  version: 1.0.1
 - name: redis
  repository: https://charts.bitnami.com/bitnami
-  version: 10.9.0
-digest: sha256:f764fed6fb7081e73c57591d26e99b82b66e643809a2ba02c1e66bb42782f2b1
-generated: "2020-12-16T13:32:27.349956-08:00"
+  version: "10"
+digest: sha256:c7ab83a0a5f6ecb74d55eb5351685835921684213e99b77b7b680b649b3804f6
+generated: "2021-03-03T08:04:23.320462-07:00"
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: anchore-engine
-version: 1.11.0-bb.3
+version: 1.12.2-bb.0
 appVersion: 0.9.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:

--- a/chart/Kptfile
+++ b/chart/Kptfile
@@ -3,9 +3,9 @@ kind: Kptfile
 metadata:
    name: chart
 upstream:
-    type: git
-    git:
-        commit: 68c6323e2b91929d2f6bb79061c0c3cdd0385e6c
-        repo: https://github.com/anchore/anchore-charts
-        directory: /stable/anchore-engine
-        ref: anchore-engine-1.11.0
+  type: git
+  git:
+    commit: bbaed019f8eb9fbcf0f1281ab6f8b4d2647b4d03
+    repo: https://github.com/anchore/anchore-charts
+    directory: /stable/anchore-engine
+    ref: anchore-engine-1.12.2
--- a/chart/README.md
+++ b/chart/README.md
--- a/chart/charts/postgresql-1.0.1.tgz
+++ b/chart/charts/postgresql-1.0.1.tgz
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -140,6 +140,20 @@ Return Anchore Engine default admin password
 {{- end -}}
 {{- end -}}

+{{/*
+Create database hostname string from supplied values file. Used for the enterprise-ui ANCHORE_APPDB_URI environment variable secret
+*/}}
+{{- define "db-hostname" }}
+  {{- if and (index .Values "postgresql" "externalEndpoint") (not (index .Values "postgresql" "enabled")) }}
+    {{- print ( index .Values "postgresql" "externalEndpoint" ) }}
+  {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "postgresql" "enabled")) }}
+    {{- print "localhost:5432" }}
+  {{- else }}
+    {{- $db_host := include "postgres.fullname" . }}
+    {{- printf "%s:5432" $db_host -}}
+  {{- end }}
+{{- end }}
+
 {{/*
 Expand the name of the chart.
 */}}
@@ -163,4 +177,4 @@ Generate certificates for Anchore
 {{- $cert := genSignedCert ( include "anchore.name" . ) nil $altNames 365 $ca -}}
 tls.crt: {{ $cert.Cert | b64enc }}
 tls.key: {{ $cert.Key | b64enc }}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
--- a/chart/templates/analyzer_deployment.yaml
+++ b/chart/templates/analyzer_deployment.yaml
@@ -132,8 +132,6 @@ spec:
        - name: config-volume
          mountPath: /config/config.yaml
          subPath: config.yaml
-        - name: policy-bundle-volume
-          mountPath: {{ .Values.anchoreGlobal.serviceDir }}/bundles
        {{- if (.Values.anchoreGlobal.certStoreSecretName) }}
        - name: certs
          mountPath: /home/anchore/certs/
@@ -188,9 +186,6 @@ spec:
        - name: analyzer-config-volume
          configMap:
            name: {{ template "anchore-engine.analyzer.fullname" . }}
-        - name: policy-bundle-volume
-          configMap:
-            name: {{ template "anchore-engine.fullname" . }}-policy-bundles
        {{- if .Values.anchoreGlobal.openShiftDeployment }}
        - name: service-config-volume
          emptyDir: {}

--- a/chart/templates/api_deployment.yaml
+++ b/chart/templates/api_deployment.yaml
@@ -122,8 +122,13 @@ spec:
        - name: config-volume
          mountPath: /config/config.yaml
          subPath: config.yaml
+        {{- if .Values.anchoreGlobal.policyBundles }}
+        {{- range $key, $value := .Values.anchoreGlobal.policyBundles }}
        - name: policy-bundle-volume
-          mountPath: {{ .Values.anchoreGlobal.serviceDir }}/bundles
+          mountPath: {{ $.Values.anchoreGlobal.serviceDir  }}/bundles/{{ $key }}
+          subPath: {{ $key }}
+        {{- end }}
+        {{- end }}
        {{- if .Values.anchoreGlobal.openShiftDeployment }}
        - name: service-config-volume
          mountPath: /anchore_service_config
@@ -195,8 +200,6 @@ spec:
        - name: enterprise-config-volume
          mountPath: /config/config.yaml
          subPath: config.yaml
-        - name: policy-bundle-volume
-          mountPath: {{ .Values.anchoreGlobal.serviceDir }}/bundles
        {{- if (.Values.anchoreGlobal.certStoreSecretName) }}
        - name: certs
          mountPath: /home/anchore/certs/
@@ -267,8 +270,6 @@ spec:
        - name: enterprise-config-volume
          mountPath: /config/config.yaml
          subPath: config.yaml
-        - name: policy-bundle-volume
-          mountPath: {{ .Values.anchoreGlobal.serviceDir }}/bundles
        {{- if (.Values.anchoreGlobal.certStoreSecretName) }}
        - name: certs
          mountPath: /home/anchore/certs/
@@ -317,7 +318,7 @@ spec:
        envFrom:
        {{- if not .Values.inject_secrets_via_env }}
        - secretRef:
-            name: {{ template "anchore-engine.fullname" . }}
+            name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
        {{- end }}
        - configMapRef:
            name: {{ template "anchore-engine.fullname" . }}-env
@@ -339,8 +340,6 @@ spec:
        - name: anchore-license
          mountPath: /home/anchore/license.yaml
          subPath: license.yaml
-        - name: policy-bundle-volume
-          mountPath: {{ .Values.anchoreGlobal.serviceDir }}/bundles
        {{- if (.Values.anchoreGlobal.certStoreSecretName) }}
        - name: certs
          mountPath: /home/anchore/certs/
@@ -391,7 +390,7 @@ spec:
        envFrom:
        {{- if not .Values.inject_secrets_via_env }}
        - secretRef:
-            name: {{ template "anchore-engine.fullname" . }}
+            name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
        {{- end }}
        - configMapRef:
            name: {{ template "anchore-engine.fullname" . }}-env
@@ -413,8 +412,6 @@ spec:
        - name: anchore-license
          mountPath: /home/anchore/license.yaml
          subPath: license.yaml
-        - name: policy-bundle-volume
-          mountPath: {{ .Values.anchoreGlobal.serviceDir }}/bundles
        {{- if (.Values.anchoreGlobal.certStoreSecretName) }}
        - name: certs
          mountPath: /home/anchore/certs/
@@ -458,9 +455,11 @@ spec:
        - name: config-volume
          configMap:
            name: {{ template "anchore-engine.fullname" . }}
+        {{- if .Values.anchoreGlobal.policyBundles }}
        - name: policy-bundle-volume
          configMap:
            name: {{ template "anchore-engine.fullname" . }}-policy-bundles
+        {{- end }}
        {{- if .Values.anchoreGlobal.openShiftDeployment }}
        - name: service-config-volume
          emptyDir: {}

--- a/chart/templates/bigbang/sso/configure-sso.yaml
+++ b/chart/templates/bigbang/sso/configure-sso.yaml
@@ -4,6 +4,9 @@ apiVersion: batch/v1
 kind: Job
 metadata:
  name: configure-sso
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
 spec:
  template:
    metadata:

--- a/chart/templates/catalog_deployment.yaml
+++ b/chart/templates/catalog_deployment.yaml
@@ -115,8 +115,13 @@ spec:
        - name: config-volume
          mountPath: /config/config.yaml
          subPath: config.yaml
+        {{- if .Values.anchoreGlobal.policyBundles }}
+        {{- range $key, $value := .Values.anchoreGlobal.policyBundles }}
        - name: policy-bundle-volume
-          mountPath: {{ .Values.anchoreGlobal.serviceDir }}/bundles
+          mountPath: {{ $.Values.anchoreGlobal.serviceDir  }}/bundles/{{ $key }}
+          subPath: {{ $key }}
+        {{- end }}
+        {{- end }}
        {{- if .Values.anchoreGlobal.openShiftDeployment }}
        - name: service-config-volume
          mountPath: /anchore_service_config
@@ -164,9 +169,11 @@ spec:
        - name: config-volume
          configMap:
            name: {{ template "anchore-engine.fullname" . }}
+        {{- if .Values.anchoreGlobal.policyBundles }}
        - name: policy-bundle-volume
          configMap:
            name: {{ template "anchore-engine.fullname" . }}-policy-bundles
+        {{- end }}
        {{- if .Values.anchoreGlobal.openShiftDeployment }}
        - name: service-config-volume
          emptyDir: {}

--- a/chart/templates/engine_configmap.yaml
+++ b/chart/templates/engine_configmap.yaml
@@ -28,6 +28,7 @@ data:

    global_client_connect_timeout: {{ default 0 .Values.anchoreGlobal.clientConnectTimeout }}
    global_client_read_timeout: {{ default 0 .Values.anchoreGlobal.clientReadTimeout }}
+    max_compressed_image_size_mb: {{ default -1 .Values.anchoreGlobal.maxCompressedImageSizeMB }}

    metrics:
      enabled: {{ .Values.monitoring.enabled }}
@@ -99,7 +100,9 @@ data:
    # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value
    # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs.
    keys:
-      secret: {{ .Values.anchoreGlobal.saml.secret }}
+      {{- if or .Values.anchoreGlobal.saml.secret .Values.anchoreGlobal.saml.useExistingSecret }}
+      secret: ${ANCHORE_SAML_SECRET}
+      {{- end }}
      {{- with .Values.anchoreGlobal.saml.publicKeyName }}
      public_key_path: /home/anchore/certs/{{- . }}
      {{- end }}

--- a/chart/templates/enterprise_configmap.yaml
+++ b/chart/templates/enterprise_configmap.yaml
@@ -41,7 +41,9 @@ data:
    # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value
    # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs.
    keys:
-      secret: {{ .Values.anchoreGlobal.saml.secret }}
+      {{- if or .Values.anchoreGlobal.saml.secret .Values.anchoreGlobal.saml.useExistingSecret }}
+      secret: ${ANCHORE_SAML_SECRET}
+      {{- end }}
      {{- with .Values.anchoreGlobal.saml.publicKeyName }}
      public_key_path: /home/anchore/certs/{{- . }}
      {{- end }}
@@ -107,7 +109,7 @@ data:
      reports:
        enabled: true
        require_auth: true
-        endpoint_hostname: {{ template "anchore-engine.enterprise-reports.fullname" . }}
+        endpoint_hostname: {{ template "anchore-engine.api.fullname" . }}
        listen: '0.0.0.0'
        port: {{ .Values.anchoreEnterpriseReports.service.port }}
        max_request_threads: {{ default 50 .Values.anchoreEnterpriseReports.maxRequestThreads }}
@@ -130,7 +132,7 @@ data:
      notifications:
        enabled: true
        require_auth: true
-        endpoint_hostname: {{ template "anchore-engine.enterprise-notifications.fullname" . }}
+        endpoint_hostname: {{ template "anchore-engine.api.fullname" . }}
        listen: '0.0.0.0'
        port: {{ .Values.anchoreEnterpriseNotifications.service.port }}
        max_request_threads: {{ default 50 .Values.anchoreEnterpriseNotifications.maxRequestThreads }}

--- a/chart/templates/enterprise_feeds_configmap.yaml
+++ b/chart/templates/enterprise_feeds_configmap.yaml
@@ -33,7 +33,9 @@ data:
    # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value
    # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs.
    keys:
-      secret: {{ .Values.anchoreGlobal.saml.secret }}
+      {{- if or .Values.anchoreGlobal.saml.secret .Values.anchoreGlobal.saml.useExistingSecret }}
+      secret: ${ANCHORE_SAML_SECRET}
+      {{- end }}
      {{- with .Values.anchoreGlobal.saml.publicKeyName }}
      public_key_path: /home/anchore/certs/{{- . }}
      {{- end }}
@@ -55,9 +57,9 @@ data:
    credentials:
      database:
        {{- if .Values.anchoreEnterpriseFeeds.dbConfig.ssl }}
-        db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }}"
+        db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }}"
        {{- else }}
-        db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}"
+        db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}"
        {{- end }}
        db_connect_args:
          timeout: {{ .Values.anchoreEnterpriseFeeds.dbConfig.timeout }}
@@ -101,7 +103,7 @@ data:
            # rubygem data comes packaged as a PostgreSQL dump file. gem driver loads the pg dump and normalizes the data.
            # To enable gem driver comment the enabled property and uncomment the db_connect property.
            enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.gemDriverEnabled }}
-            db_connect: {{ default "'postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/gems'" .Values.anchoreEnterpriseFeeds.gemDbEndpoint }}
+            db_connect: {{ default "'postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/gems'" .Values.anchoreEnterpriseFeeds.gemDbEndpoint }}
          amzn:
            enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.amazonDriverEnabled }}
          centos:

--- a/chart/templates/enterprise_feeds_deployment.yaml
+++ b/chart/templates/enterprise_feeds_deployment.yaml
@@ -90,7 +90,7 @@ spec:
        envFrom:
        {{- if not .Values.inject_secrets_via_env }}
        - secretRef:
-            name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
+            name: {{ default (include "anchore-engine.enterprise-feeds.fullname" .) .Values.anchoreEnterpriseFeeds.existingSecret }}
        {{- end }}
        - configMapRef:
            name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}-env
@@ -101,13 +101,6 @@ spec:
        {{- with .Values.anchoreEnterpriseFeeds.extraEnv }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
-        {{- if not .Values.inject_secrets_via_env }}
-        - name: ANCHORE_DB_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ template "anchore-engine.fullname" . }}
-              key: .feedsDbPassword
-        {{- end }}
        - name: ANCHORE_POD_NAME
          valueFrom:
            fieldRef:

--- a/chart/templates/enterprise_feeds_upgrade_job.yaml
+++ b/chart/templates/enterprise_feeds_upgrade_job.yaml
-{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeedsUpgradeJob.enabled }}
+{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled .Values.anchoreEnterpriseFeedsUpgradeJob.enabled }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -39,14 +39,14 @@ spec:
        imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }}
        image: {{ .Values.anchoreEnterpriseGlobal.image }}
        {{- if .Values.anchoreGlobal.dbConfig.ssl }}
-        args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask"]
+        args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask"]
        {{- else }}
-        args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask"]
+        args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask"]
        {{- end }}
        envFrom:
        {{- if not .Values.inject_secrets_via_env }}
        - secretRef:
-            name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
+            name: {{ default (include "anchore-engine.enterprise-feeds.fullname" .) .Values.anchoreEnterpriseFeeds.existingSecret }}
        {{- end }}
        - configMapRef:
            name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}-env
@@ -57,11 +57,6 @@ spec:
        {{- with .Values.anchoreEnterpriseFeeds.extraEnv }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
-        - name: ANCHORE_DB_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ template "anchore-engine.fullname" . }}
-              key: .feedsDbPassword
        {{- if (.Values.anchoreGlobal.certStoreSecretName) }}
        volumeMounts:
        - name: certs

--- a/chart/templates/enterprise_ui_config_secret.yaml
+++ b/chart/templates/enterprise_ui_config_secret.yaml
 {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseUi.enabled -}}
 {{- $component := "enterprise-ui" -}}

-# Using a secret until UI app supports ENV vars inside the config file. Redis password is included in config.
-kind: Secret
 apiVersion: v1
+kind: ConfigMap
 metadata:
  name: {{ include "anchore-engine.enterprise-ui.fullname" . | quote }}
  labels:
@@ -15,19 +14,15 @@ metadata:
    {{- with .Values.anchoreGlobal.labels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
-type: Opaque
-stringData:
+data:
  config-ui.yaml: |
    {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }}
    engine_uri: 'https://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreApi.service.port }}/v1'
    {{- else }}
    engine_uri: 'http://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreApi.service.port }}/v1'
    {{- end }}
-    {{- if and (index .Values "anchore-ui-redis" "externalEndpoint") (not (index .Values "anchore-ui-redis" "enabled")) }}
-    redis_uri: '{{ index .Values "anchore-ui-redis" "externalEndpoint" }}'
-    {{- else }}
-    redis_uri: 'redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379'
-    {{- end }}
+    # This value is overridden by using the `ANCHORE_REDIS_URI` environment variable.
+    # redis_ui: $ANCHORE_REDIS_URI
  {{- if .Values.anchoreEnterpriseRbac.enabled }}
    {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }}
    rbac_uri: 'https://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreEnterpriseRbac.service.apiPort }}/v1'
@@ -49,21 +44,13 @@ stringData:
    notifications_uri: 'http://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreEnterpriseNotifications.service.port}}/v1'
    {{- end }}
  {{- end }}
-    {{- if and (and .Values.postgresql.externalEndpoint (not .Values.postgresql.enabled)) .Values.anchoreGlobal.dbConfig.ssl }}
-    appdb_uri: 'postgresql://{{ .Values.postgresql.postgresUser }}:{{ .Values.postgresql.postgresPassword }}@{{ .Values.postgresql.externalEndpoint }}/{{ .Values.postgresql.postgresDatabase }}?ssl=verify-full'
-    {{- else if and .Values.postgresql.externalEndpoint (not .Values.postgresql.enabled) }}
-    appdb_uri: 'postgresql://{{ .Values.postgresql.postgresUser }}:{{ .Values.postgresql.postgresPassword }}@{{ .Values.postgresql.externalEndpoint }}/{{ .Values.postgresql.postgresDatabase }}'
-    {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "postgresql" "enabled")) }}
-    appdb_uri: 'postgresql://{{ .Values.postgresql.postgresUser }}:{{ .Values.postgresql.postgresPassword }}@localhost:5432/{{ .Values.postgresql.postgresDatabase }}'
-    {{- else }}
-    appdb_uri: 'postgresql://{{ .Values.postgresql.postgresUser }}:{{ .Values.postgresql.postgresPassword }}@{{ template "postgres.fullname" . }}:5432/{{ .Values.postgresql.postgresDatabase }}'
-    {{- end }}
+    # This value is overridden by using the `ANCHORE_APPDB_URI` environment variable.
+    # appdb_uri: $ANCHORE_APPDB_URI
    license_path: '/home/anchore/'
    enable_ssl: {{ .Values.anchoreEnterpriseUi.enableSsl }}
    enable_proxy: {{ .Values.anchoreEnterpriseUi.enableProxy }}
    allow_shared_login: {{ .Values.anchoreEnterpriseUi.enableSharedLogin }}
    redis_flushdb: {{ .Values.anchoreEnterpriseUi.redisFlushdb }}
-    policy_hub_uri: {{ .Values.anchoreEnterpriseUi.policyHubUri }}
    {{- with .Values.anchoreEnterpriseUi.customLinks }}
    custom_links:
      title: {{ .title }}

--- a/chart/templates/enterprise_ui_deployment.yaml
+++ b/chart/templates/enterprise_ui_deployment.yaml
@@ -74,6 +74,10 @@ spec:
        image: {{ .Values.anchoreEnterpriseUi.image }}
        imagePullPolicy: {{ .Values.anchoreEnterpriseUi.imagePullPolicy }}
        env:
+        {{- if and (index .Values "anchoreEnterpriseUi" "existingSecret") (not (index .Values "anchore-ui-redis" "externalEndpoint")) }}
+        - name: ANCHORE_REDIS_URI
+          value: redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379
+        {{- end }}
        {{ if .Values.anchoreGlobal.dbConfig.ssl }}
        - name: PGSSLROOTCERT
          value: /home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }}
@@ -88,6 +92,11 @@ spec:
        {{- with .Values.anchoreEnterpriseUi.extraEnv }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
+        envFrom:
+        {{- if not .Values.inject_secrets_via_env }}
+        - secretRef:
+            name: {{ default (include "anchore-engine.enterprise-ui.fullname" .) .Values.anchoreEnterpriseUi.existingSecret }}
+        {{- end }}
        ports:
        - containerPort: 3000
          protocol: TCP
@@ -127,8 +136,8 @@ spec:
        secret:
          secretName: {{ .Values.anchoreEnterpriseGlobal.licenseSecretName }}
      - name: anchore-ui-config
-        secret:
-          secretName: {{ template "anchore-engine.enterprise-ui.fullname" . }}
+        configMap:
+          name: {{ template "anchore-engine.enterprise-ui.fullname" . }}
      {{- with .Values.anchoreGlobal.certStoreSecretName }}
      - name: certs
        secret:

--- a/chart/templates/policy_bundle_configmap.yaml
+++ b/chart/templates/policy_bundle_configmap.yaml
+{{- if .Values.anchoreGlobal.policyBundles }}
 kind: ConfigMap
 apiVersion: v1
 metadata:
@@ -11,142 +12,7 @@ metadata:
    {{ toYaml . | nindent 4 }}
    {{- end }}
 data:
-  anchore_default_bundle.json: |
-    {
-      "id": "2c53a13c-1765-11e8-82ef-23527761d060",
-      "version": "1_0",
-      "name": "Default bundle",
-      "comment": "Default bundle",
-      "whitelisted_images": [],
-      "blacklisted_images": [],
-      "mappings": [
-        {
-          "name": "default",
-          "repository": "*",
-          "image": {
-            "type": "tag",
-            "value": "*"
-          },
-          "whitelist_ids": [
-            "37fd763e-1765-11e8-add4-3b16c029ac5c"
-          ],
-          "registry": "*",
-          "id": "c4f9bf74-dc38-4ddf-b5cf-00e9c0074611",
-          "policy_id": "48e6f7d6-1765-11e8-b5f9-8b6f228548b6"
-        }
-      ],
-      "whitelists": [
-        {
-          "comment": "Default global whitelist",
-          "items": [],
-          "version": "1_0",
-          "id": "37fd763e-1765-11e8-add4-3b16c029ac5c",
-          "name": "Global Whitelist"
-        }
-      ],
-      "policies": [
-        {
-          "comment": "System default policy",
-          "rules": [
-            {
-              "action": "STOP",
-              "gate": "dockerfile",
-              "trigger": "exposed_ports",
-              "params": [
-                {
-                  "name": "ports",
-                  "value": "22"
-                },
-                {
-                  "name": "type",
-                  "value": "blacklist"
-                }
-              ],
-              "id": "ce7b8000-829b-4c27-8122-69cd59018400"
-            },
-            {
-              "action": "WARN",
-              "gate": "dockerfile",
-              "trigger": "instruction",
-              "params": [
-                {
-                  "name": "instruction",
-                  "value": "HEALTHCHECK"
-                },
-                {
-                  "name": "check",
-                  "value": "not_exists"
-                }
-              ],
-              "id": "312d9e41-1c05-4e2f-ad89-b7d34b0855bb"
-            },
-            {
-              "action": "WARN",
-              "gate": "vulnerabilities",
-              "trigger": "stale_feed_data",
-              "params": [
-                {
-                  "name": "max_days_since_sync",
-                  "value": "2"
-                }
-              ],
-              "id": "6b5c14e7-a6f7-48cc-99d2-959273a2c6fa"
-            },
-            {
-              "action": "WARN",
-              "gate": "vulnerabilities",
-              "trigger": "vulnerability_data_unavailable",
-              "params": [],
-              "id": "3e79ea94-18c4-4d26-9e29-3b9172a62c2e"
-            },
-            {
-              "action": "WARN",
-              "gate": "vulnerabilities",
-              "trigger": "package",
-              "params": [
-                {
-                  "name": "package_type",
-                  "value": "all"
-                },
-                {
-                  "name": "severity_comparison",
-                  "value": "="
-                },
-                {
-                  "name": "severity",
-                  "value": "medium"
-                }
-              ],
-              "id": "6063fdde-b1c5-46af-973a-915739451ac4"
-            },
-            {
-              "action": "STOP",
-              "gate": "vulnerabilities",
-              "trigger": "package",
-              "params": [
-                {
-                  "name": "package_type",
-                  "value": "all"
-                },
-                {
-                  "name": "severity_comparison",
-                  "value": ">"
-                },
-                {
-                  "name": "severity",
-                  "value": "medium"
-                }
-              ],
-              "id": "b30e8abc-444f-45b1-8a37-55be1b8c8bb5"
-            }
-          ],
-          "version": "1_0",
-          "id": "48e6f7d6-1765-11e8-b5f9-8b6f228548b6",
-          "name": "DefaultPolicy"
-        }
-      ]
-    }
-
 {{- with .Values.anchoreGlobal.policyBundles }}
 {{- toYaml . | nindent 2 }}
-{{- end }} 
\ No newline at end of file
+{{- end }}
+{{- end }}
\ No newline at end of file