
Commit a441c2cf authored by bhearn's avatar bhearn

Merge branch 'helm-tests-update' into 'main'

add helm tests

See merge request !31
parents 25fd5798 9366acae
Pipeline #257154 passed with stages
in 4 minutes and 13 seconds
include:
- project: 'platform-one/big-bang/pipeline-templates/pipeline-templates'
ref: '1.0.1'
ref: master
file: '/templates/package-tests.yml'
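Review bot: The include's `ref` appears to move from the pinned tag `'1.0.1'` to `master` (reading the page as old line first, as in the other sections), so every pipeline run would pull whatever the template project's branch head is at that moment. A pipeline template executes with this project's CI variables and runner access, so a tag or commit SHA is the safer reference. If tracking `master` is deliberate, say so in a comment above the include, e.g. `# tracks master deliberately; pin to a tag before release`. If the order is the reverse and the new side is `'1.0.1'`, nothing needs changing.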
......@@ -3,6 +3,11 @@
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
---
## [1.12.7-bb.4]
### Changed
- Added Helm bash testing for API using approved Iron Bank image
- Bumped upstream chart version to 1.12.13
- Bumped Anchore Enterprise UI image version to 3.0.2 from Registry1
## [1.12.7-bb.3]
### Fixed
......
......@@ -8,5 +8,8 @@ dependencies:
- name: redis
repository: file://./deps/redis
version: 12.8.3-bb.0
digest: sha256:ee26f2840524c22deb3b82377f8af573be307de5752873c9cfbfd43a592b7073
generated: "2021-03-18T13:10:12.040027-04:00"
- name: bb-test-lib
repository: oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates
version: 0.4.0
digest: sha256:cdf6e2694ba10c26845caffc96343262185f697595fdcb658c1c6e9796ddb029
generated: "2021-05-11T11:23:19.071211-04:00"
apiVersion: v2
name: anchore-engine
version: 1.12.7-bb.3
version: 1.12.13-bb.0
appVersion: 0.9.3
description: Anchore container analysis and policy evaluation engine service
keywords:
......@@ -37,3 +37,6 @@ dependencies:
repository: "file://./deps/redis"
condition: anchore-ui-redis.enabled,anchoreEnterpriseGlobal.enabled
alias: anchore-ui-redis
- name: bb-test-lib
version: "0.4.0"
repository: "oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates"
......@@ -5,7 +5,7 @@ metadata:
upstream:
type: git
git:
commit: e41ae9622408427aed876dcf91cea86d1cddf57a
commit: f9a34a42d694e657b5f3d493f590fc3f7a8b933e
repo: https://github.com/anchore/anchore-charts
directory: /stable/anchore-engine
ref: anchore-engine-1.12.7
ref: anchore-engine-1.12.13
......@@ -107,10 +107,15 @@ spec:
{{- end }}
envFrom:
{{- if not .Values.inject_secrets_via_env }}
{{- if .Values.anchoreGlobal.existingSecret }}
- secretRef:
name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
name: {{ .Values.anchoreGlobal.existingSecret }}
{{- else }}
- secretRef:
name: {{ include "anchore-engine.fullname" . }}
- secretRef:
name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }}
{{- end }}
{{- end }}
- configMapRef:
name: {{ template "anchore-engine.fullname" . }}-env
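Review bot: The new `name: {{ .Values.anchoreGlobal.existingSecret }}` under `envFrom` renders a user-supplied value as a plain scalar, so a value that looks like a number or boolean would not reach the API server as a string; `name: {{ .Values.anchoreGlobal.existingSecret | quote }}` avoids that. With `existingSecret` set this is now the only `secretRef`, so a comment above the `if` should state that the secret must carry every key the two chart-managed secrets (`<fullname>` and `<fullname>-admin-pass`) would otherwise supply; a missing key shows up only as an unset variable in the container. The same applies to the identical hunks in the other deployment templates on this page. The container spec starts and ends outside the hunk.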
......
......@@ -95,10 +95,15 @@ spec:
{{- end }}
envFrom:
{{- if not .Values.inject_secrets_via_env }}
{{- if .Values.anchoreGlobal.existingSecret }}
- secretRef:
name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
name: {{ .Values.anchoreGlobal.existingSecret }}
{{- else }}
- secretRef:
name: {{ include "anchore-engine.fullname" . }}
- secretRef:
name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }}
{{- end }}
{{- end }}
- configMapRef:
name: {{ template "anchore-engine.fullname" . }}-env
......@@ -184,10 +189,15 @@ spec:
args: ["anchore-enterprise-manager", "service", "start", "--no-auto-upgrade", "rbac_manager"]
envFrom:
{{- if not .Values.inject_secrets_via_env }}
{{- if .Values.anchoreGlobal.existingSecret }}
- secretRef:
name: {{ .Values.anchoreGlobal.existingSecret }}
{{- else }}
- secretRef:
name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
name: {{ include "anchore-engine.fullname" . }}
- secretRef:
name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }}
{{- end }}
{{- end }}
- configMapRef:
name: {{ template "anchore-engine.fullname" . }}-env
......@@ -256,10 +266,15 @@ spec:
args: ["anchore-enterprise-manager", "service", "start", "--no-auto-upgrade", "rbac_authorizer"]
envFrom:
{{- if not .Values.inject_secrets_via_env }}
{{- if .Values.anchoreGlobal.existingSecret }}
- secretRef:
name: {{ .Values.anchoreGlobal.existingSecret }}
{{- else }}
- secretRef:
name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
name: {{ include "anchore-engine.fullname" . }}
- secretRef:
name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }}
{{- end }}
{{- end }}
- configMapRef:
name: {{ template "anchore-engine.fullname" . }}-env
......@@ -331,10 +346,15 @@ spec:
name: reports-api
envFrom:
{{- if not .Values.inject_secrets_via_env }}
{{- if .Values.anchoreGlobal.existingSecret }}
- secretRef:
name: {{ .Values.anchoreGlobal.existingSecret }}
{{- else }}
- secretRef:
name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
name: {{ include "anchore-engine.fullname" . }}
- secretRef:
name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }}
{{- end }}
{{- end }}
- configMapRef:
name: {{ template "anchore-engine.fullname" . }}-env
......@@ -405,10 +425,15 @@ spec:
name: notifi-api
envFrom:
{{- if not .Values.inject_secrets_via_env }}
{{- if .Values.anchoreGlobal.existingSecret }}
- secretRef:
name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
name: {{ .Values.anchoreGlobal.existingSecret }}
{{- else }}
- secretRef:
name: {{ include "anchore-engine.fullname" . }}
- secretRef:
name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }}
{{- end }}
{{- end }}
- configMapRef:
name: {{ template "anchore-engine.fullname" . }}-env
......
......@@ -95,10 +95,15 @@ spec:
{{- end }}
envFrom:
{{- if not .Values.inject_secrets_via_env }}
{{- if .Values.anchoreGlobal.existingSecret }}
- secretRef:
name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
name: {{ .Values.anchoreGlobal.existingSecret }}
{{- else }}
- secretRef:
name: {{ include "anchore-engine.fullname" . }}
- secretRef:
name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }}
{{- end }}
{{- end }}
- configMapRef:
name: {{ template "anchore-engine.fullname" . }}-env
......
......@@ -45,7 +45,9 @@ data:
# If enabled only sync specific feeds instead of all that are found.
enabled: true
feeds:
{{- if not .Values.anchoreEnterpriseGlobal.enabled }}
{{- if .Values.anchoreEnterpriseGlobal.enabled }}
github: {{ .Values.anchoreEnterpriseFeeds.githubDriverEnabled }}
{{- else }}
github: {{ default "true" .Values.anchoreGlobal.syncGithub }}
{{- end }}
# Vulnerabilities feed is the feed for distro cve sources (redhat, debian, ubuntu, oracle, alpine....)
......@@ -70,8 +72,6 @@ data:
vulndb: false
microsoft: false
{{- end }}
# Sync github data if available for GHSA matches
github: {{ default "true" .Values.anchoreGlobal.syncGithub }}
{{- if .Values.anchoreEnterpriseFeeds.url }}
url: "{{- .Values.anchoreEnterpriseFeeds.url }}"
ssl_verify: {{ .Values.anchoreGlobal.internalServicesSsl.verifyCerts }}
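Review bot: In the `else` branch of the first hunk, `github: {{ default "true" .Values.anchoreGlobal.syncGithub }}` cannot be turned off, because Sprig's `default` treats a boolean `false` as empty and substitutes `"true"`. Testing for the key instead keeps an explicit `false`: `github: {{ if hasKey .Values.anchoreGlobal "syncGithub" }}{{ .Values.anchoreGlobal.syncGithub }}{{ else }}true{{ end }}`. In the enterprise branch, `github: {{ .Values.anchoreEnterpriseFeeds.githubDriverEnabled }}` renders an empty value (YAML null) when the key is unset, so it would benefit from the same treatment with a `false` fallback. The `feeds:` mapping continues outside both hunks.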
......
......@@ -41,8 +41,26 @@ spec:
{{- end }}
{{- end }}
restartPolicy: Never
{{- if .Values.cloudsql.enabled }}
shareProcessNamespace: true
{{- end }}
containers:
- name: "{{ .Release.Name }}-enterprise-upgrade"
{{- if .Values.cloudsql.enabled }}
- name: cloudsql-proxy
image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
command: ["/cloud_sql_proxy"]
args:
- "-instances={{ .Values.cloudsql.instance }}=tcp:5432"
{{- if .Values.cloudsql.useExistingServiceAcc }}
- "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}"
volumeMounts:
- mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }}
name: {{ .Values.cloudsql.serviceAccSecretName }}
readOnly: true
{{- end }}
{{- end }}
- name: "{{ .Release.Name }}-engine-upgrade"
{{- if .Values.anchoreEnterpriseGlobal.enabled }}
image: {{ .Values.anchoreEnterpriseGlobal.image }}
imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }}
......@@ -50,17 +68,33 @@ spec:
image: {{ .Values.anchoreGlobal.image }}
imagePullPolicy: {{ .Values.anchoreGlobal.imagePullPolicy }}
{{- end }}
command: ["/bin/bash", "-c"]
args:
{{- if .Values.anchoreGlobal.dbConfig.ssl }}
args: ["/bin/bash", "-c", "anchore-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask"]
- |
anchore-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask;
{{- else }}
args: ["/bin/bash", "-c", "anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask"]
- |
anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
{{- end }}
{{- if .Values.cloudsql.enabled }}
sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid;
securityContext:
capabilities:
add:
- SYS_PTRACE
{{- end }}
envFrom:
{{- if not .Values.inject_secrets_via_env }}
{{- if .Values.anchoreGlobal.existingSecret }}
- secretRef:
name: {{ .Values.anchoreGlobal.existingSecret }}
{{- else }}
- secretRef:
name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
name: {{ include "anchore-engine.fullname" . }}
- secretRef:
name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }}
{{- end }}
{{- end }}
- configMapRef:
name: {{ template "anchore-engine.fullname" . }}-env
......@@ -74,12 +108,19 @@ spec:
mountPath: /home/anchore/certs/
readOnly: true
{{- end }}
{{- with .Values.anchoreGlobal.certStoreSecretName }}
{{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }}
volumes:
{{- with .Values.anchoreGlobal.certStoreSecretName }}
- name: certs
secret:
secretName: {{ . }}
{{- end }}
{{- if .Values.cloudsql.useExistingServiceAcc }}
- name: {{ .Values.cloudsql.serviceAccSecretName }}
secret:
secretName: {{ .Values.cloudsql.serviceAccSecretName }}
{{- end }}
{{- end }}
{{- with .Values.anchoreEngineUpgradeJob.nodeSelector }}
nodeSelector:
{{ toYaml . | nindent 8 }}
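Review bot: Moving the upgrade command from a double-quoted JSON string into a `|` block scalar leaves `\\&sslrootcert=` unchanged, but a block scalar does no escape processing, so bash now receives two backslashes followed by a bare `&`. That `&` would be read as the background operator: the connection URL ends at `sslmode=…\`, the `anchore-manager db` call is backgrounded without its `upgrade` subcommand, and `sslrootcert=… upgrade --dontask` runs as a separate command; a single `\&`, or quoting the whole URL, restores the old behaviour. Separately, when `cloudsql.enabled` is true the script's last command is the `kill`, so the container exits 0 even if the upgrade failed; capturing the status fixes that: `rc=$?; kill -INT "$(pgrep cloud_sql_proxy)"; exit $rc`. Both problems are repeated in the enterprise-feeds and enterprise upgrade jobs further down the page.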
......
......@@ -126,16 +126,20 @@ data:
enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled }}
vulndb:
enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.vulndbDriverEnabled }}
{{- if .Values.anchoreEnterpriseFeeds.msrcDriverEnabled }}
msrc:
enabled: {{ .Values.anchoreEnterpriseFeeds.msrcDriverEnabled }}
api_key: {{ .Values.anchoreEnterpriseFeeds.msrcApiKey }}
enabled: true
api_key: ${ANCHORE_MSRC_KEY}
{{- with .Values.anchoreEnterpriseFeeds.msrcWhitelist }}
whitelist:
- {{ . }}
{{- end }}
{{- end }}
{{- if .Values.anchoreEnterpriseFeeds.githubDriverEnabled }}
github:
enabled: {{ .Values.anchoreEnterpriseFeeds.githubDriverEnabled }}
token: {{ .Values.anchoreEnterpriseFeeds.githubDriverToken }}
enabled: true
token: ${ANCHORE_GITHUB_TOKEN}
{{- end }}
{{- if .Values.anchoreGlobal.internalServicesSsl.enabled }}
ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }}
ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}"
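Review bot: With `api_key: ${ANCHORE_MSRC_KEY}` and `token: ${ANCHORE_GITHUB_TOKEN}` the drivers now depend on environment variables that the secret template on this page defines only when `msrcApiKey` / `githubDriverToken` are set, so enabling a driver without its credential (or with an `existingSecret` that lacks the key) presumably leaves the placeholder unresolved when the service loads its config. Failing at render time is clearer than a runtime feed error, for example `{{- if not (or .Values.anchoreEnterpriseFeeds.msrcApiKey .Values.anchoreEnterpriseFeeds.existingSecret) }}{{ fail "msrcDriverEnabled requires msrcApiKey or existingSecret" }}{{- end }}` inside the `msrcDriverEnabled` block. A values comment naming `ANCHORE_MSRC_KEY` and `ANCHORE_GITHUB_TOKEN` as keys expected in an existing secret would also help. The enclosing mapping starts outside the hunk.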
......
......@@ -94,10 +94,15 @@ spec:
name: feeds-api
envFrom:
{{- if not .Values.inject_secrets_via_env }}
{{- if .Values.anchoreEnterpriseFeeds.existingSecret }}
- secretRef:
name: {{ default (include "anchore-engine.enterprise-feeds.fullname" .) .Values.anchoreEnterpriseFeeds.existingSecret }}
name: {{ .Values.anchoreEnterpriseFeeds.existingSecret }}
{{- else }}
- secretRef:
name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
name: {{ include "anchore-engine.enterprise-feeds.fullname" . }}
- secretRef:
name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }}
{{- end }}
{{- end }}
- configMapRef:
name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}-env
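Review bot: The `-admin-pass` reference no longer honours `anchoreGlobal.existingSecret`: the old line fell back to that value, while the new `else` branch always names `{{ print (include "anchore-engine.fullname" .) "-admin-pass" }}`. If the chart skips creating that secret when `anchoreGlobal.existingSecret` is set (not visible here), a release that sets only the global existing secret would reference a secret that does not exist and the pod would not start. In the other direction, setting `anchoreEnterpriseFeeds.existingSecret` now drops the admin-pass `secretRef` entirely, so that secret has to carry the admin credentials as well. Either keep `default (print … "-admin-pass") .Values.anchoreGlobal.existingSecret` for the second `secretRef` or document the new requirement next to `existingSecret` in the values file. The enterprise UI deployment hunk below has the same shape.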
......
......@@ -18,5 +18,11 @@ stringData:
{{- with .Values.anchoreGlobal.saml.secret }}
ANCHORE_SAML_SECRET: {{ . }}
{{- end }}
{{- with .Values.anchoreEnterpriseFeeds.msrcApiKey }}
ANCHORE_MSRC_KEY: {{ . | quote }}
{{- end }}
{{- with .Values.anchoreEnterpriseFeeds.githubDriverToken }}
ANCHORE_GITHUB_TOKEN: {{ . | quote }}
{{- end }}
{{- end }}
{{- end }}
......@@ -34,21 +34,55 @@ spec:
imagePullSecrets:
- name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}
restartPolicy: Never
{{- if .Values.cloudsql.enabled }}
shareProcessNamespace: true
{{- end }}
containers:
{{- if .Values.cloudsql.enabled }}
- name: cloudsql-proxy
image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
command: ["/cloud_sql_proxy"]
args:
- "-instances={{ .Values.cloudsql.instance }}=tcp:5432"
{{- if .Values.cloudsql.useExistingServiceAcc }}
- "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}"
volumeMounts:
- mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }}
name: {{ .Values.cloudsql.serviceAccSecretName }}
readOnly: true
{{- end }}
{{- end }}
- name: "{{ .Release.Name }}-enterprise-feeds-upgrade"
imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }}
image: {{ .Values.anchoreEnterpriseGlobal.image }}
command: ["/bin/bash", "-c"]
args:
{{- if .Values.anchoreGlobal.dbConfig.ssl }}
args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask"]
- |
anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask;
{{- else }}
args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask"]
- |
anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
{{- end }}
{{- if .Values.cloudsql.enabled }}
sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid;
securityContext:
capabilities:
add:
- SYS_PTRACE
{{- end }}
envFrom:
{{- if not .Values.inject_secrets_via_env }}
{{- if .Values.anchoreEnterpriseFeeds.existingSecret }}
- secretRef:
name: {{ default (include "anchore-engine.enterprise-feeds.fullname" .) .Values.anchoreEnterpriseFeeds.existingSecret }}
name: {{ .Values.anchoreEnterpriseFeeds.existingSecret }}
{{- else }}
- secretRef:
name: {{ include "anchore-engine.enterprise-feeds.fullname" . }}
- secretRef:
name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }}
{{- end }}
{{- end }}
- configMapRef:
name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}-env
......@@ -65,12 +99,19 @@ spec:
mountPath: /home/anchore/certs/
readOnly: true
{{- end }}
{{- with .Values.anchoreGlobal.certStoreSecretName }}
{{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }}
volumes:
{{- with .Values.anchoreGlobal.certStoreSecretName }}
- name: certs
secret:
secretName: {{ . }}
{{- end }}
{{- if .Values.cloudsql.useExistingServiceAcc }}
- name: {{ .Values.cloudsql.serviceAccSecretName }}
secret:
secretName: {{ .Values.cloudsql.serviceAccSecretName }}
{{- end }}
{{- end }}
{{- with .Values.anchoreEnterpriseFeedsUpgradeJob.nodeSelector }}
nodeSelector:
{{ toYaml . | nindent 8 }}
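Review bot: The added `securityContext` grants `SYS_PTRACE` so the script can stop the proxy, but `pgrep` and `kill -INT` do not themselves need ptrace rights; signalling across containers depends on matching UIDs (or `CAP_KILL`), so the capability looks droppable and should be tested without it. `shareProcessNamespace: true` also lets the `cloudsql-proxy` container read the upgrade container's command line from `/proc`, and that command line contains the expanded `${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}` URL. If the capability does turn out to be required, a comment above `capabilities:` saying why, e.g. `# needed to signal cloud_sql_proxy in the shared PID namespace`, would stop it being copied elsewhere unexamined. The engine and enterprise upgrade jobs add the same block.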
......
......@@ -98,10 +98,15 @@ spec:
{{- end }}
envFrom:
{{- if not .Values.inject_secrets_via_env }}
{{- if .Values.anchoreEnterpriseUi.existingSecret }}
- secretRef:
name: {{ default (include "anchore-engine.enterprise-ui.fullname" .) .Values.anchoreEnterpriseUi.existingSecret }}
name: {{ .Values.anchoreEnterpriseUi.existingSecret }}
{{- else }}
- secretRef:
name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
name: {{ include "anchore-engine.enterprise-ui.fullname" . }}
- secretRef:
name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }}
{{- end }}
{{- end }}
ports:
- containerPort: 3000
......
......@@ -23,7 +23,7 @@ stringData:
{{- if and (index .Values "anchore-ui-redis" "externalEndpoint") (not (index .Values "anchore-ui-redis" "enabled")) }}
ANCHORE_REDIS_URI: '{{ index .Values "anchore-ui-redis" "externalEndpoint" }}'
{{- else }}
ANCHORE_REDIS_URI: 'redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379'
ANCHORE_REDIS_URI: 'redis://nouser:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379'
{{- end }}
{{- end }}
{{- end }}
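Review bot: The new `ANCHORE_REDIS_URI` line still interpolates the Redis password into the URI unencoded, so a password containing `@`, `:`, `/` or `#` changes how the URI is parsed, and one containing `'` breaks the single-quoted YAML scalar. Percent-encoding the password and letting Helm do the quoting avoids both: `ANCHORE_REDIS_URI: {{ printf "redis://nouser:%s@%s-master:6379" (index .Values "anchore-ui-redis" "password" | urlquery) (include "redis.fullname" .) | quote }}`. `urlquery` encodes a space as `+`, so passwords with spaces should be checked against the Redis client in use. The `stringData` block starts outside the hunk.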
......@@ -34,21 +34,55 @@ spec:
imagePullSecrets:
- name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}
restartPolicy: Never
{{- if .Values.cloudsql.enabled }}
shareProcessNamespace: true
{{- end }}
containers:
{{- if .Values.cloudsql.enabled }}
- name: cloudsql-proxy
image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
command: ["/cloud_sql_proxy"]
args:
- "-instances={{ .Values.cloudsql.instance }}=tcp:5432"
{{- if .Values.cloudsql.useExistingServiceAcc }}
- "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}"
volumeMounts:
- mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }}
name: {{ .Values.cloudsql.serviceAccSecretName }}
readOnly: true
{{- end }}
{{- end }}
- name: "{{ .Release.Name }}-enterprise-upgrade"
imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }}
image: {{ .Values.anchoreEnterpriseGlobal.image }}
command: ["/bin/bash", "-c"]
args:
{{- if .Values.anchoreGlobal.dbConfig.ssl }}
args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask"]
- |
anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask;
{{- else }}
args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask"]
- |
anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
{{- end }}
{{- if .Values.cloudsql.enabled }}
sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid;
securityContext:
capabilities:
add:
- SYS_PTRACE
{{- end }}
envFrom:
{{- if not .Values.inject_secrets_via_env }}
{{- if .Values.anchoreGlobal.existingSecret }}
- secretRef:
name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
name: {{ .Values.anchoreGlobal.existingSecret }}
{{- else }}
- secretRef:
name: {{ include "anchore-engine.fullname" . }}
- secretRef:
name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}
name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }}
{{- end }}
{{- end }}
- configMapRef:
name: {{ template "anchore-engine.fullname" . }}-env
......@@ -62,12 +96,19 @@ spec:
mountPath: /home/anchore/certs/
readOnly: true
{{- end }}
{{- with .Values.anchoreGlobal.certStoreSecretName }}
{{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }}
volumes:
{{- with .Values.anchoreGlobal.certStoreSecretName }}
- name: certs
secret:
secretName: {{ . }}
{{- end }}
{{- if .Values.cloudsql.useExistingServiceAcc }}
- name: {{ .Values.cloudsql.serviceAccSecretName }}
secret:
secretName: {{ .Values.cloudsql.serviceAccSecretName }}
{{- end }}
{{- end }}
{{- with .Values.anchoreEnterpriseEngineUpgradeJob.nodeSelector }}
nodeSelector:
{{ toYaml . | nindent 8 }}
......