diff --git a/CHANGELOG.md b/CHANGELOG.md
index e586c7e5f05b3232c792215b482c8251db148fde..431523c473c78df0a7bc020993e53ae83391a0f7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ---
+## [1.13.0-bb.5]
+## Added
+- `.Values.postgresqlSuperUser.postgresUsername` and `.Values.postgresqlSuperUser.postgresPassword` for conditionally changing the commands in the ensure db jobs to allow for finer-grain postgres user permissions
+- `chart/templates/bigbang/db/superuser-db-secret.yaml` secret to populate fields in the ensure db jobs
+
 ## [1.13.0-bb.4]
 ### Fixed
 - update allow-kube-dns NP to conditionally add port 5353 egress when `.Values.anchoreGlobal.openShiftDeployment` is `true`
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index eeeaaee2c9108852b50545c961f4c3ad2d3393c3..b4bd06c2e64827b702f6488c6f0802bb9351802b 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.13.0-bb.4
+version: 1.13.0-bb.5
 appVersion: 0.10.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
diff --git a/chart/templates/bigbang/db/ensure-anchore-db.yaml b/chart/templates/bigbang/db/ensure-anchore-db.yaml
index 99492a2a8e201c00497fc065a65b5c50a516af84..b6c024271dc00e44f702952a603c7196d5802419 100644
--- a/chart/templates/bigbang/db/ensure-anchore-db.yaml
+++ b/chart/templates/bigbang/db/ensure-anchore-db.yaml
@@ -21,17 +21,46 @@ spec:
 containers:
 - name: psql
 image: {{ .Values.postgresql.image }}
+ {{- if and .Values.postgresqlSuperUser.postgresUsername .Values.postgresqlSuperUser.postgresPassword }}
 command:
 - /bin/bash
 - -exc
- - |
+ - |
 echo "Ensure Anchore DB..."
-
+ psql -tc "SELECT 1 FROM pg_database WHERE datname = '$ANCHORE_DB'" | grep -q 1 || psql -c "CREATE DATABASE $ANCHORE_DB"
+ psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$ANCHORE_USER'" | grep -q 1 && psql -c "ALTER USER $ANCHORE_USER WITH PASSWORD '$ANCHORE_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $ANCHORE_USER;" | grep -q GRANT || psql -c "CREATE USER $ANCHORE_USER WITH PASSWORD '$ANCHORE_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $ANCHORE_USER;"
+ env:
+ - name: ANCHORE_USER
+ valueFrom:
+ secretKeyRef:
+ name: anchore-db-credentials
+ key: PGUSER
+ - name: ANCHORE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: anchore-db-credentials
+ key: PGPASSWORD
+ - name: ANCHORE_DB
+ valueFrom:
+ secretKeyRef:
+ name: anchore-db-credentials
+ key: ANCHORE_DB
+ envFrom:
+ - secretRef:
+ name: superuser-db-credentials
+ {{- else }}
+ command:
+ - /bin/bash
+ - -exc
+ - |
+ echo "Ensure Anchore DB..."
+ psql -tc "SELECT 1 FROM pg_database WHERE datname = '$ANCHORE_DB'" | grep -q 1 || psql -c "CREATE DATABASE $ANCHORE_DB"
 psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$PGUSER'" | grep -q 1 && psql -c "ALTER USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $PGUSER;" | grep -q GRANT || psql -c "CREATE USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $PGUSER;"
 envFrom:
 - secretRef:
 name: anchore-db-credentials
+ {{- end }}
 restartPolicy: OnFailure
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
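Review bot: The added superuser branch keeps `- -exc`, so bash traces every expanded command and the `ALTER USER $ANCHORE_USER WITH PASSWORD '$ANCHORE_PASSWORD'` and `CREATE USER ...` statements are written to the job's pod log with the application password in clear; the else branch already had this, but the hunk adds a second copy that now runs under the instance superuser. Dropping the trace flag, `- -ec`, keeps `set -e` and stops the password reaching the log. The password is also spliced straight into the SQL string, so a value containing a single quote breaks the statement; passing it as a psql variable (`-v pw="$ANCHORE_PASSWORD"` with `WITH PASSWORD :'pw'`, fed on stdin rather than via `-c` if the psql in the image does not interpolate `-c` strings) lets psql do the quoting. The ensure-feeds-db.yaml hunk has the same two issues with `$FEEDS_PASSWORD`. The Job spec enclosing this container starts before the hunk.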
diff --git a/chart/templates/bigbang/db/ensure-feeds-db.yaml b/chart/templates/bigbang/db/ensure-feeds-db.yaml
index 2bedd7c886b8742a54fc686f8aeea94075ace523..0d736c42daf7d6b0f017041cc3460fc913cf8e07 100644
--- a/chart/templates/bigbang/db/ensure-feeds-db.yaml
+++ b/chart/templates/bigbang/db/ensure-feeds-db.yaml
@@ -21,17 +21,46 @@ spec:
 containers:
 - name: psql
 image: {{ (index .Values "anchore-feeds-db" "image") }}
+ {{- if and .Values.postgresqlSuperUser.postgresUsername .Values.postgresqlSuperUser.postgresPassword }}
 command:
 - /bin/bash
 - -exc
- - |
+ - |
 echo "Ensure Anchore Feeds DB..."
-
+ psql -tc "SELECT 1 FROM pg_database WHERE datname = '$FEEDS_DB'" | grep -q 1 || psql -c "CREATE DATABASE $FEEDS_DB"
+ psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$FEEDS_USER'" | grep -q 1 && psql -c "ALTER USER $FEEDS_USER WITH PASSWORD '$FEEDS_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $FEEDS_USER;" | grep -q GRANT || psql -c "CREATE USER $FEEDS_USER WITH PASSWORD '$FEEDS_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $FEEDS_USER;"
+ env:
+ - name: FEEDS_USER
+ valueFrom:
+ secretKeyRef:
+ name: feeds-db-credentials
+ key: PGUSER
+ - name: FEEDS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: feeds-db-credentials
+ key: PGPASSWORD
+ - name: FEEDS_DB
+ valueFrom:
+ secretKeyRef:
+ name: feeds-db-credentials
+ key: FEEDS_DB
+ envFrom:
+ - secretRef:
+ name: superuser-db-credentials
+ {{- else }}
+ command:
+ - /bin/bash
+ - -exc
+ - |
+ echo "Ensure Anchore Feeds DB..."
+ psql -tc "SELECT 1 FROM pg_database WHERE datname = '$FEEDS_DB'" | grep -q 1 || psql -c "CREATE DATABASE $FEEDS_DB"
 psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$PGUSER'" | grep -q 1 && psql -c "ALTER USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $PGUSER;" | grep -q GRANT || psql -c "CREATE USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $PGUSER;"
 envFrom:
 - secretRef:
 name: feeds-db-credentials
+ {{- end }}
 restartPolicy: OnFailure
 {{- end }}
-{{- end }}
\ No newline at end of file
+{{- end }}
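Review bot: The superuser branch's `envFrom: - secretRef: name: superuser-db-credentials` injects a PGHOST/PGPORT derived from `.Values.postgresql.externalEndpoint`, while this job's image comes from `anchore-feeds-db`; if the feeds database is a separate instance, the superuser branch would create the feeds role and database on the anchore host instead of the feeds host. Either the superuser secret needs a feeds-specific endpoint, or this branch should pin PGHOST and PGPORT through explicit `env` entries from feeds-db-credentials, which take precedence over `envFrom`. Whether both charts share one instance is not visible in the hunk, so this needs confirming against the values. The Job spec enclosing this container starts before the hunk.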
diff --git a/chart/templates/bigbang/db/superuser-db-secret.yaml b/chart/templates/bigbang/db/superuser-db-secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..9ab6b792eb716e65b87093312da6f3734a813e93
--- /dev/null
+++ b/chart/templates/bigbang/db/superuser-db-secret.yaml
@@ -0,0 +1,25 @@
+{{- if and .Values.postgresqlSuperUser.postgresUsername .Values.postgresqlSuperUser.postgresPassword }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: superuser-db-credentials
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: superuser-db-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/part-of: anchore-enterprise
+ app.kubernetes.io/component: database
+ annotations:
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation
+type: Opaque
+data:
+ PGUSER: {{ b64enc .Values.postgresqlSuperUser.postgresUsername }}
+ PGPASSWORD: {{ b64enc .Values.postgresqlSuperUser.postgresPassword }}
+ PGDATABASE: {{ b64enc "postgres" }}
+ PGHOST: {{$v := .Values.postgresql.externalEndpoint | split ":"}}{{b64enc $v._0}}
+ PGPORT: "{{$v := .Values.postgresql.externalEndpoint | split ":"}}{{b64enc $v._1}}"
+ ANCHORE_DB: {{ b64enc .Values.postgresql.postgresDatabase }}
+{{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index 77ccead858deaaa71b51bd367fc6dc61b87720b8..433cfea37a299eed357de35b71c596ab6704fbd4 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -32,6 +32,11 @@ networkPolicies:
 app: istio-ingressgateway
 istio: ingressgateway
+# Use Database instance Superuser to create postgresql.postgresDatabase, postgresql.postgresUser, anchore-feeds-db.postgresDatabase, and anchore-feeds-db.postgresUser
+postgresqlSuperUser:
+ postgresUsername: ""
+ postgresPassword: ""
+
 # Enable Prometheus Monitoring
 monitoring:
 enabled: false
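Review bot: `"helm.sh/hook-delete-policy": before-hook-creation` leaves this Secret in the namespace after the ensure-db jobs have run, so the instance superuser credentials stay readable to any principal with secret access there until the next install or upgrade; adding `hook-succeeded` (`"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded`) removes it once the hook completes, provided the consuming jobs are themselves hooks ordered after weight -5, which is not visible here. The `PGHOST`/`PGPORT` lines split `.Values.postgresql.externalEndpoint` on `:` with no guard, so an endpoint given without a port leaves `$v._1` unset and `b64enc` of that value will presumably render empty or fail; a `default` or a `required` check on the split result would make the failure explicit. `app.kubernetes.io/part-of: anchore-enterprise` also disagrees with the chart name `anchore-engine` in Chart.yaml, which looks like a copy-over from another chart.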
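Review bot: The new `postgresqlSuperUser` comment states the intent but not the gating rule: the templates only take the superuser path when both `postgresUsername` and `postgresPassword` are non-empty, so setting only one of them silently falls back to the regular-credential path with no warning. Suggest extending the comment with `# Both values must be set; if either is empty the ensure-db jobs fall back to the regular database credentials.`. A note that these are credentials meant to be supplied through a values override or external secret rather than committed here would fit the file's existing comment style.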
@@ -249,7 +254,7 @@ anchoreGlobal:
 metricsAuthDisabled: false
 # Sets the password & email address for the default anchore-engine admin user.
- defaultAdminPassword:
+ defaultAdminPassword:
 defaultAdminEmail: example@email.com
 saml: