initial redeploy fix

b2614b49 · bhearn7 · d6ec8a0a · b2614b49 · b2614b49 · b2614b49
Commit b2614b49 authored Aug 23, 2021 by bhearn7
5 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

 ---

+## [1.13.0-bb.7]
+### Fixed
+- modified `./chart/templates/engine_secret.yaml` and `./chart/templates/enterprise_feeds_secret.yaml` to set `ANCHORE_SAML_SECRET` to a randomly generated value if not set and the previous secret does not exist
+
 ## [1.13.0-bb.6]
 ## Changed
 - updated bb-test-lib dependency to gluon `0.2.3` to resolve OPA Gatekeeper violations

--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: anchore-engine
-version: 1.13.0-bb.6
+version: 1.13.0-bb.7
 appVersion: 0.10.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:

--- a/chart/templates/engine_secret.yaml
+++ b/chart/templates/engine_secret.yaml
@@ -14,7 +14,11 @@ metadata:
 type: Opaque
 stringData:
  ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }}
-  {{- with .Values.anchoreGlobal.saml.secret }}
-  ANCHORE_SAML_SECRET: {{ . }}
+  {{- $anchorefullname := include "anchore-engine.fullname" . -}}
+  {{- $old_secret := lookup "v1" "Secret" .Release.Namespace $anchorefullname }}
+  {{- if or (not $old_secret) (not $old_secret.data) }}
+  ANCHORE_SAML_SECRET: {{ .Values.anchoreGlobal.saml.secret | default (randAlphaNum 12) | quote }}
+  {{ else }}
+  ANCHORE_SAML_SECRET: {{ index $old_secret.data "ANCHORE_SAML_SECRET" }}
  {{- end }}
-{{- end }}
+{{- end }}
\ No newline at end of file
--- a/chart/templates/enterprise_feeds_secret.yaml
+++ b/chart/templates/enterprise_feeds_secret.yaml
@@ -15,8 +15,12 @@ metadata:
 type: Opaque
 stringData:
  ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }}
-  {{- with .Values.anchoreGlobal.saml.secret }}
-  ANCHORE_SAML_SECRET: {{ . }}
+  {{- $anchorefullname := include "anchore-engine.fullname" . -}}
+  {{- $old_secret := lookup "v1" "Secret" .Release.Namespace $anchorefullname }}
+  {{- if or (not $old_secret) (not $old_secret.data) }}
+  ANCHORE_SAML_SECRET: {{ .Values.anchoreGlobal.saml.secret | default (randAlphaNum 12) | quote }}
+  {{ else }}
+  ANCHORE_SAML_SECRET: {{ index $old_secret.data "ANCHORE_SAML_SECRET" }}
  {{- end }}
  {{- with .Values.anchoreEnterpriseFeeds.msrcApiKey }}
  ANCHORE_MSRC_KEY: {{ . | quote }}

--- a/docs/BBCHANGES.md
+++ b/docs/BBCHANGES.md
@@ -210,4 +210,16 @@ Additionally, a field was added to `chart/templates/engine_upgrade_job.yaml`, `e
 ```yaml
 resources:
  {{ toYaml .Values.anchoreEngineUpgradeJob.resources | nindent 10 }}
+```
+
+To resolve an issue where Anchore would redeploy after every update, `./chart/templates/engine_secret.yaml` and `./chart/templates/enterprise_feeds_secret.yaml` were modified to set `ANCHORE_SAML_SECRET` to a randomly generated value if not set and the previous secret does not exist:
+
+```yaml
+{{- $anchorefullname := include "anchore-engine.fullname" . -}}
+{{- $old_secret := lookup "v1" "Secret" .Release.Namespace $anchorefullname }}
+{{- if or (not $old_secret) (not $old_secret.data) }}
+ANCHORE_SAML_SECRET: {{ .Values.anchoreGlobal.saml.secret | default (randAlphaNum 12) | quote }}
+{{ else }}
+ANCHORE_SAML_SECRET: {{ index $old_secret.data "ANCHORE_SAML_SECRET" }}
+{{- end }}
 ```
\ No newline at end of file