Merge branch 'add-db-jobs' into 'main'

add db jobs See merge request !28

Merge branch 'add-db-jobs' into 'main'
add db jobs See merge request !28
67b5cdaa · bhearn · 192f0931 · 1ee324db · 67b5cdaa · 67b5cdaa
Commit 67b5cdaa authored Apr 01, 2021 by bhearn
10 changed files
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
 include:
  - project: 'platform-one/big-bang/pipeline-templates/pipeline-templates'
-    ref: master
+    ref: '1.0.1'
    file: '/templates/package-tests.yml'
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,8 +4,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ---
-## [1.12.7-bb.1]
+## [1.12.7-bb.2]
 ### Changed
+- Added secrets and jobs for automated external Postgres database creation and user/password synchronization
+## [1.12.7-bb.1]
+### Fixed
 - Dependency Chart Syntax Fixes
 ## [1.12.7-bb.0]

--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: anchore-engine
-version: 1.12.7-bb.1
+version: 1.12.7-bb.2
 appVersion: 0.9.3
 description: Anchore container analysis and policy evaluation engine service
 keywords:

--- a/chart/templates/bigbang/db/anchore-db-secret.yaml
+++ b/chart/templates/bigbang/db/anchore-db-secret.yaml
+{{- if hasKey .Values.postgresql "enabled" }}
+{{- if (not .Values.postgresql.enabled) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: anchore-db-credentials
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: anchore-db-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/part-of: anchore-enterprise
+    app.kubernetes.io/component: database
+  annotations:
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded
+type: Opaque
+data:
+  PGUSER: {{ b64enc .Values.postgresql.postgresUser }}
+  PGPASSWORD: {{ b64enc .Values.postgresql.postgresPassword }}
+  PGDATABASE: {{ b64enc "postgres" }}
+  PGHOST: {{$v := .Values.postgresql.externalEndpoint | split ":"}}{{b64enc $v._0}}
+  PGPORT: "{{$v := .Values.postgresql.externalEndpoint | split ":"}}{{b64enc $v._1}}"
+  ANCHORE_DB: {{ b64enc .Values.postgresql.postgresDatabase }}
+{{- end }}
+{{- end }}
\ No newline at end of file
--- a/chart/templates/bigbang/db/ensure-anchore-db.yaml
+++ b/chart/templates/bigbang/db/ensure-anchore-db.yaml
+{{- if hasKey .Values.postgresql "enabled" }}
+{{- if (not .Values.postgresql.enabled) }}
+# Job to sync db and db user with external postgres for Anchore's primary data store
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: ensure-anchore-db
+  annotations:
+    "helm.sh/hook-weight": "-4"
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  template:
+    metadata:
+      name: ensure-anchore-db
+      annotations:
+        sidecar.istio.io/inject: 'false'
+    spec:
+      imagePullSecrets:
+        - name: {{ .Values.postgresql.imagePullSecrets }}
+      containers:
+        - name: psql
+          image: {{ .Values.postgresql.image }}
+          command:
+            - /bin/bash
+            - -exc
+            - |   
+              echo "Ensure Anchore DB..."
+              psql -tc "SELECT 1 FROM pg_database WHERE datname = '$ANCHORE_DB'" | grep -q 1 || psql -c "CREATE DATABASE $ANCHORE_DB"
+              psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$PGUSER'" | grep -q 1 && psql -c "ALTER USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $PGUSER;" | grep -q GRANT || psql -c "CREATE USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $PGUSER;"
+          envFrom:
+            - secretRef:
+                name: anchore-db-credentials
+      restartPolicy: OnFailure
+{{- end }}
+{{- end }}
\ No newline at end of file
--- a/chart/templates/bigbang/db/ensure-feeds-db.yaml
+++ b/chart/templates/bigbang/db/ensure-feeds-db.yaml
+{{- if and (hasKey (index .Values "anchore-feeds-db") "enabled")  }}
+{{- if and (not (index .Values "anchore-feeds-db" "enabled")) .Values.anchoreEnterpriseGlobal.enabled }}
+# Job to sync db and db user with external postgres for Anchore's feeds db
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: ensure-feeds-db
+  annotations:
+    "helm.sh/hook-weight": "-4"
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  template:
+    metadata:
+      name: ensure-feeds-db
+      annotations:
+        sidecar.istio.io/inject: 'false'
+    spec:
+      imagePullSecrets:
+        - name: {{ (index .Values "anchore-feeds-db" "imagePullSecrets") }}
+      containers:
+        - name: psql
+          image: {{ (index .Values "anchore-feeds-db" "image") }}
+          command:
+            - /bin/bash
+            - -exc
+            - |   
+              echo "Ensure Anchore Feeds DB..."
+              psql -tc "SELECT 1 FROM pg_database WHERE datname = '$FEEDS_DB'" | grep -q 1 || psql -c "CREATE DATABASE $FEEDS_DB"
+              psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$PGUSER'" | grep -q 1 && psql -c "ALTER USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $PGUSER;" | grep -q GRANT || psql -c "CREATE USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $PGUSER;"
+          envFrom:
+            - secretRef:
+                name: feeds-db-credentials
+      restartPolicy: OnFailure
+{{- end }}
+{{- end }}
\ No newline at end of file
--- a/chart/templates/bigbang/db/feeds-db-secret.yaml
+++ b/chart/templates/bigbang/db/feeds-db-secret.yaml
+{{- if and (hasKey (index .Values "anchore-feeds-db") "enabled")  }}
+{{- if and (not (index .Values "anchore-feeds-db" "enabled")) .Values.anchoreEnterpriseGlobal.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: feeds-db-credentials
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: feeds-db-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/part-of: anchore-enterprise
+    app.kubernetes.io/component: database
+  annotations:
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded
+type: Opaque
+data:
+  PGUSER: {{ b64enc (index .Values "anchore-feeds-db" "postgresUser") }}
+  PGPASSWORD: {{ b64enc (index .Values "anchore-feeds-db" "postgresPassword") }}
+  PGDATABASE: {{ b64enc "postgres" }}
+  PGHOST: {{$v := (index .Values "anchore-feeds-db" "externalEndpoint") | split ":"}}{{b64enc $v._0}}
+  PGPORT: "{{$v := (index .Values "anchore-feeds-db" "externalEndpoint") | split ":"}}{{b64enc $v._1}}"
+  FEEDS_DB: {{ b64enc (index .Values "anchore-feeds-db" "postgresDatabase") }}
+{{- end }}
+{{- end }}
\ No newline at end of file
--- a/docs/BBCHANGES.md
+++ b/docs/BBCHANGES.md
@@ -51,6 +51,8 @@ All chart changes are located under the `chart/templates/bigbang` directory. In
 - Creation of an SSO secret with the above SSO values
 - Automation of SSO configuration through a k8s job
 - Automated creation of an OAuth cert secret if needed (and this secret name is referenced under `anchoreGlobal.saml`)
+- Creation of secrets with database credentials from postgres and anchore-feeds-db values
+- Automated creation and synchronization of the Postgres databases, database users, and passwords through k8s jobs
 As additional Big Bang changes are made they should be added in these spots and this doc updated to reflect that.

--- a/docs/CHART.md
+++ b/docs/CHART.md
@@ -106,53 +106,64 @@ addons:
 ## Handling Dependencies
-Anchore relies on a single Postgres instance by default, as well as an additional Postgres database and Redis server if certain Enterprise configs are enabled. For development work and non-production workflows you can use the embedded dependency charts to automatically spin these dependencies up. In this case you don't need to provide any values but may still wish to override the default user or password.
+Anchore relies on a single Postgres instance by default, as well as an additional Postgres database and Redis server if certain Enterprise configs are enabled. For development work and non-production workflows you can use the embedded dependency charts to automatically spin these dependencies up. In this case you don't need to provide any values.
 ```yaml
 stringData:
  values.yaml: |-
    addons:
      anchore:
-        postgresql:
+        database:
-          external: false
+          host: ""
-          user: "username"
+          port: ""
-          password: "password" 
+          username: ""
+          password: ""
+          database: "" 
+          feeds_database: ""
 ```
 Big Bang does not currently provide a production solution to be utilized, so it is recommended that you connect to existing external instances. Using the embedded instances in production is AT YOUR OWN RISK.
-To externalize the dependency on postgres see the values below. Since some of these values are sensitive they should be added to your encrypted `secrets.enc.yaml` file.
+To externalize the dependency on postgres see the values below. Since some of these values are sensitive they should be added to your encrypted `secrets.enc.yaml` file (be sure you don't name your databases with hyphens or psql will throw errors).
 ```yaml
 stringData:
  values.yaml: |-
    addons:
      anchore:
-        postgresql:
+        database:
-          external: true
+          host: "testing.amazon.rds.com"
-          user: "username"
-          password: "password"
-          host: "postgres.mydomain.com"
          port: "5432"
-          mainDB: "databaseName"
+          username: "username"
-          feedsDB: "databaseName" # Only used for enterprise deployments
+          password: "password"
+          database: "anchore" 
+          feeds_database: "anchorefeeds"
 ```
-If you plan to use the UI:
+By default, when using an external postgres setup, the `feeds_database` will use the same username, password, host, and port as the main `database`. This is for streamlined ease of use for customers. However, if you'd like to configure the `feeds_database` with separate credentials, you can do so by overriding the upstream values (be sure you don't name your databases with hyphens or psql will throw errors):
-You should at a minimum set a non-default password for the redis instance:
 ```yaml
 stringData:
  values.yaml: |-
    addons:
      anchore:
-        redis:
+        database:
-          external: false
+          host: "testing.amazon.rds.com"
+          port: "5432"
+          username: "username"
          password: "password"
+          database: "anchore" 
+          feeds_database: ""
+        values:
+          anchore-feeds-db:
+            enabled: false
+            postgresUser: "user2"
+            postgresPassword: "password2"
+            postgresDatabase: "anchorefeeds"                                  
+            externalEndpoint: "postgres-postgresql.postgres.svc.cluster.local:5432"
 ```
-For production, you may want to externalize your Redis instance:
+For production, you may want to externalize your Redis instance for Anchore Enterprise UI:
 ```yaml
 stringData:
@@ -160,10 +171,9 @@ stringData:
    addons:
      anchore:
        redis:
-          external: true
-          password: "password"
          host: "redis.mydomain.com"
          port: "6379"
+          password: "password"
 ```
 ### Enable SSO

--- a/tests/test-values.yml
+++ b/tests/test-values.yml
@@ -17,6 +17,6 @@ anchoreEnterpriseGlobal:
 anchore-feeds-db:
  imagePullSecrets: private-registry-mil
 anchore-ui-redis:
-  image:
+  global:
-    pullSecrets:
+    imagePullSecrets:
      - private-registry-mil