diff --git a/CHANGELOG.md b/CHANGELOG.md
index b3ea8408b125b33b662eca989e9478cf64ffbd33..2cdfef23a9b059170c69a4b6e9d794c4f8a7d058 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ---
+## [1.13.0-bb.7]
+### Fixed
+- modified `./chart/templates/engine_secret.yaml` and `./chart/templates/enterprise_feeds_secret.yaml` to set `ANCHORE_SAML_SECRET` to a randomly generated value if not set and the previous secret does not exist
 ## [1.13.0-bb.6]
 ## Changed
 - updated bb-test-lib dependency to gluon `0.2.3` to resolve OPA Gatekeeper violations
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index 405d6bbe4edf0b46fa93534f47d5a93933584632..780a361a351c6c5afab0fac9599660db0beb22a5 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.13.0-bb.6
+version: 1.13.0-bb.7
 appVersion: 0.10.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
diff --git a/chart/templates/engine_secret.yaml b/chart/templates/engine_secret.yaml
index e23cc6384b937ef658de6b9d24083800c0753caa..9138cf9ac0c43d95b889b24b9997f5b43c23fc56 100644
--- a/chart/templates/engine_secret.yaml
+++ b/chart/templates/engine_secret.yaml
@@ -14,7 +14,11 @@ metadata:
 type: Opaque
 stringData:
   ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }}
-  {{- with .Values.anchoreGlobal.saml.secret }}
-  ANCHORE_SAML_SECRET: {{ . }}
+  {{- $anchorefullname := include "anchore-engine.fullname" . -}}
+  {{- $old_secret := lookup "v1" "Secret" .Release.Namespace $anchorefullname }}
+  {{- if or (not $old_secret) (not $old_secret.data) }}
+  ANCHORE_SAML_SECRET: {{ .Values.anchoreGlobal.saml.secret | default (randAlphaNum 12) | quote }}
+  {{ else }}
+  ANCHORE_SAML_SECRET: {{ index $old_secret.data "ANCHORE_SAML_SECRET" }}
   {{- end }}
-{{- end }}
+{{- end }}
\ No newline at end of file
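Review bot: The else branch on the last added line of the engine_secret.yaml hunk copies `$old_secret.data` into `stringData`, but `lookup` returns Secret `data` base64-encoded, so every upgrade stores the base64 of the previous value — the secret still changes on each release (the churn this hunk is meant to stop) and the value the service reads silently rotates. The branch also renders an empty value when the previous Secret exists but has no `ANCHORE_SAML_SECRET` key, which is the state of any install made while `anchoreGlobal.saml.secret` was unset (the old `with` block emitted nothing), and an explicitly set `anchoreGlobal.saml.secret` no longer wins over the looked-up value, so operators cannot rotate it through values. I would decode and fall through in order — values, then previous decoded value, then a generated one — and use `randAlphaNum 32` rather than 12 for a secret that protects SAML material; a comment on the `lookup` line should say that `lookup` is empty under `helm template`/`--dry-run`, so client-side renderers will still see a fresh random value. The outer block closed by the trailing `{{- end }}` starts above the hunk.

```yaml
  {{- $anchorefullname := include "anchore-engine.fullname" . -}}
  {{- /* lookup returns nothing under `helm template` / --dry-run; a fresh value is rendered there */}}
  {{- $old_secret := lookup "v1" "Secret" .Release.Namespace $anchorefullname }}
  {{- $prev_saml := "" }}
  {{- if and $old_secret $old_secret.data }}
  {{- /* Secret.data is base64; decode before re-emitting under stringData */}}
  {{- $prev_saml = index $old_secret.data "ANCHORE_SAML_SECRET" | default "" | b64dec }}
  {{- end }}
  ANCHORE_SAML_SECRET: {{ .Values.anchoreGlobal.saml.secret | default $prev_saml | default (randAlphaNum 32) | quote }}
```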
diff --git a/chart/templates/enterprise_feeds_secret.yaml b/chart/templates/enterprise_feeds_secret.yaml
index 6addc0cf06ea76cd74394c2f2e604d66c7f74b41..924c11bc918a7d789abd82f3d83cea142bdc37f0 100644
--- a/chart/templates/enterprise_feeds_secret.yaml
+++ b/chart/templates/enterprise_feeds_secret.yaml
@@ -15,8 +15,12 @@ metadata:
 type: Opaque
 stringData:
   ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }}
-  {{- with .Values.anchoreGlobal.saml.secret }}
-  ANCHORE_SAML_SECRET: {{ . }}
+  {{- $anchorefullname := include "anchore-engine.fullname" . -}}
+  {{- $old_secret := lookup "v1" "Secret" .Release.Namespace $anchorefullname }}
+  {{- if or (not $old_secret) (not $old_secret.data) }}
+  ANCHORE_SAML_SECRET: {{ .Values.anchoreGlobal.saml.secret | default (randAlphaNum 12) | quote }}
+  {{ else }}
+  ANCHORE_SAML_SECRET: {{ index $old_secret.data "ANCHORE_SAML_SECRET" }}
   {{- end }}
   {{- with .Values.anchoreEnterpriseFeeds.msrcApiKey }}
   ANCHORE_MSRC_KEY: {{ . | quote }}
diff --git a/docs/BBCHANGES.md b/docs/BBCHANGES.md
index 267ef24756fec1cea334f7e8772ded50c4161339..09c4f09b3c7c0b2d1a44b1433763237207d56d06 100644
--- a/docs/BBCHANGES.md
+++ b/docs/BBCHANGES.md
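Review bot: The `lookup` on the second added line of the enterprise_feeds_secret.yaml hunk reads the Secret named `anchore-engine.fullname`; this file's own `metadata.name` sits above the hunk and is not visible here, but if it differs from the engine Secret's name the else branch populates the feeds Secret from the engine Secret rather than from its own previous value. Combined with the first branch, where each template calls `randAlphaNum 12` independently, a fresh install without `anchoreGlobal.saml.secret` gives engine and feeds different values and the first upgrade then overwrites the feeds value with the engine's — presumably not intended, so either look up this Secret's own name or document that the two are meant to share one value. As in engine_secret.yaml, `$old_secret.data` is base64-encoded and is being written under `stringData` unquoted, so the last added line should read `ANCHORE_SAML_SECRET: {{ index $old_secret.data "ANCHORE_SAML_SECRET" | b64dec | quote }}` and guard against the key being absent from an older Secret.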
@@ -210,4 +210,16 @@ Additionally, a field was added to `chart/templates/engine_upgrade_job.yaml`, `e
 ```yaml
 resources: {{ toYaml .Values.anchoreEngineUpgradeJob.resources | nindent 10 }}
+```
+
+To resolve an issue where Anchore would redeploy after every update, `./chart/templates/engine_secret.yaml` and `./chart/templates/enterprise_feeds_secret.yaml` were modified to set `ANCHORE_SAML_SECRET` to a randomly generated value if not set and the previous secret does not exist:
+
+```yaml
+{{- $anchorefullname := include "anchore-engine.fullname" . -}}
+{{- $old_secret := lookup "v1" "Secret" .Release.Namespace $anchorefullname }}
+{{- if or (not $old_secret) (not $old_secret.data) }}
+ANCHORE_SAML_SECRET: {{ .Values.anchoreGlobal.saml.secret | default (randAlphaNum 12) | quote }}
+{{ else }}
+ANCHORE_SAML_SECRET: {{ index $old_secret.data "ANCHORE_SAML_SECRET" }}
+{{- end }}
 ```
\ No newline at end of file