Resolve "Add Optional Admin DB user for DB ensure jobs"

CHANGELOG.md

@@ -4,6 +4,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ---
 
+## [1.13.0-bb.5]
+## Added
+- `.Values.postgresqlSuperUser.postgresUsername` and `.Values.postgresqlSuperUser.postgresPassword` for conditionally changing the commands in the ensure db jobs to allow for finer-grain postgres user permissions
+- `chart/templates/bigbang/db/superuser-db-secret.yaml` secret to populate fields in the ensure db jobs
+
 ## [1.13.0-bb.4]
 ### Fixed
 - update allow-kube-dns NP to conditionally add port 5353 egress when `.Values.anchoreGlobal.openShiftDeployment` is `true`

chart/Chart.yaml

 apiVersion: v2
 name: anchore-engine
-version: 1.13.0-bb.4
+version: 1.13.0-bb.5
 appVersion: 0.10.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:

chart/templates/bigbang/db/ensure-anchore-db.yaml

@@ -21,17 +21,46 @@ spec:
       containers:
         - name: psql
           image: {{ .Values.postgresql.image }}
+          {{- if and .Values.postgresqlSuperUser.postgresUsername .Values.postgresqlSuperUser.postgresPassword }}
           command:
             - /bin/bash
             - -exc
-            - |   
+            - |
               echo "Ensure Anchore DB..."
-              
+              psql -tc "SELECT 1 FROM pg_database WHERE datname = '$ANCHORE_DB'" | grep -q 1 || psql -c "CREATE DATABASE $ANCHORE_DB"
+              psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$ANCHORE_USER'" | grep -q 1 && psql -c "ALTER USER $ANCHORE_USER WITH PASSWORD '$ANCHORE_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $ANCHORE_USER;" | grep -q GRANT || psql -c "CREATE USER $ANCHORE_USER WITH PASSWORD '$ANCHORE_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $ANCHORE_USER;"
+          env:
+            - name: ANCHORE_USER
+              valueFrom:
+                secretKeyRef:
+                  name: anchore-db-credentials
+                  key: PGUSER
+            - name: ANCHORE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: anchore-db-credentials
+                  key: PGPASSWORD
+            - name: ANCHORE_DB
+              valueFrom:
+                secretKeyRef:
+                  name: anchore-db-credentials
+                  key: ANCHORE_DB
+          envFrom:
+            - secretRef:
+                name: superuser-db-credentials
+          {{- else }}
+          command:
+            - /bin/bash
+            - -exc
+            - |
+              echo "Ensure Anchore DB..."
+
               psql -tc "SELECT 1 FROM pg_database WHERE datname = '$ANCHORE_DB'" | grep -q 1 || psql -c "CREATE DATABASE $ANCHORE_DB"
               psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$PGUSER'" | grep -q 1 && psql -c "ALTER USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $PGUSER;" | grep -q GRANT || psql -c "CREATE USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $PGUSER;"
           envFrom:
             - secretRef:
                 name: anchore-db-credentials
+          {{- end }}
       restartPolicy: OnFailure
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}

chart/templates/bigbang/db/ensure-feeds-db.yaml

@@ -21,17 +21,46 @@ spec:
       containers:
         - name: psql
           image: {{ (index .Values "anchore-feeds-db" "image") }}
+          {{- if and .Values.postgresqlSuperUser.postgresUsername .Values.postgresqlSuperUser.postgresPassword }}
           command:
             - /bin/bash
             - -exc
-            - |   
+            - |
               echo "Ensure Anchore Feeds DB..."
-              
+              psql -tc "SELECT 1 FROM pg_database WHERE datname = '$FEEDS_DB'" | grep -q 1 || psql -c "CREATE DATABASE $FEEDS_DB"
+              psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$FEEDS_USER'" | grep -q 1 && psql -c "ALTER USER $FEEDS_USER WITH PASSWORD '$FEEDS_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $FEEDS_USER;" | grep -q GRANT || psql -c "CREATE USER   $FEEDS_USER WITH PASSWORD '$FEEDS_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $FEEDS_USER;"
+          env:
+            - name: FEEDS_USER
+              valueFrom:
+                secretKeyRef:
+                  name: feeds-db-credentials
+                  key: PGUSER
+            - name: FEEDS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: feeds-db-credentials
+                  key: PGPASSWORD
+            - name: FEEDS_DB
+              valueFrom:
+                secretKeyRef:
+                  name: feeds-db-credentials
+                  key: FEEDS_DB
+          envFrom:
+            - secretRef:
+                name: superuser-db-credentials
+          {{- else }}
+          command:
+            - /bin/bash
+            - -exc
+            - |
+              echo "Ensure Anchore Feeds DB..."
+
               psql -tc "SELECT 1 FROM pg_database WHERE datname = '$FEEDS_DB'" | grep -q 1 || psql -c "CREATE DATABASE $FEEDS_DB"
               psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$PGUSER'" | grep -q 1 && psql -c "ALTER USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $PGUSER;" | grep -q GRANT || psql -c "CREATE USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $PGUSER;"
           envFrom:
             - secretRef:
                 name: feeds-db-credentials
+          {{- end }}
       restartPolicy: OnFailure
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}

chart/templates/bigbang/db/superuser-db-secret.yaml

+{{- if and .Values.postgresqlSuperUser.postgresUsername .Values.postgresqlSuperUser.postgresPassword }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: superuser-db-credentials
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: superuser-db-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/part-of: anchore-enterprise
+    app.kubernetes.io/component: database
+  annotations:
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+type: Opaque
+data:
+  PGUSER: {{ b64enc .Values.postgresqlSuperUser.postgresUsername }}
+  PGPASSWORD: {{ b64enc .Values.postgresqlSuperUser.postgresPassword }}
+  PGDATABASE: {{ b64enc "postgres" }}
+  PGHOST: {{$v := .Values.postgresql.externalEndpoint | split ":"}}{{b64enc $v._0}}
+  PGPORT: "{{$v := .Values.postgresql.externalEndpoint | split ":"}}{{b64enc $v._1}}"
+  ANCHORE_DB: {{ b64enc .Values.postgresql.postgresDatabase }}
+{{- end }}

chart/values.yaml

@@ -32,6 +32,11 @@ networkPolicies:
     app: istio-ingressgateway
     istio: ingressgateway
 
+# Use Database instance Superuser to create postgresql.postgresDatabase, postgresql.postgresUser, anchore-feeds-db.postgresDatabase, and anchore-feeds-db.postgresUser
+postgresqlSuperUser:
+  postgresUsername: ""
+  postgresPassword: ""
+
 # Enable Prometheus Monitoring
 monitoring:
   enabled: false
@@ -249,7 +254,7 @@ anchoreGlobal:
   metricsAuthDisabled: false
 
   # Sets the password & email address for the default anchore-engine admin user.
-  defaultAdminPassword: 
+  defaultAdminPassword:
   defaultAdminEmail: example@email.com
 
   saml: