From 7cf15c073d07653069c1473a4c0d6c8146320d86 Mon Sep 17 00:00:00 2001
From: "seagren.tim"
Date: Tue, 17 Aug 2021 19:57:32 +0000
Subject: [PATCH] Resolve "Add Optional Admin DB user for DB ensure jobs"
---
CHANGELOG.md | 5 +++
chart/Chart.yaml | 2 +-
.../bigbang/db/ensure-anchore-db.yaml | 35 +++++++++++++++++--
.../templates/bigbang/db/ensure-feeds-db.yaml | 35 +++++++++++++++++--
.../bigbang/db/superuser-db-secret.yaml | 25 +++++++++++++
chart/values.yaml | 7 +++-
6 files changed, 101 insertions(+), 8 deletions(-)
create mode 100644 chart/templates/bigbang/db/superuser-db-secret.yaml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e586c7e..431523c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [1.13.0-bb.5] +## Added +- `.Values.postgresqlSuperUser.postgresUsername` and `.Values.postgresqlSuperUser.postgresPassword` for conditionally changing the commands in the ensure db jobs to allow for finer-grain postgres user permissions +- `chart/templates/bigbang/db/superuser-db-secret.yaml` secret to populate fields in the ensure db jobs + ## [1.13.0-bb.4] ### Fixed - update allow-kube-dns NP to conditionally add port 5353 egress when `.Values.anchoreGlobal.openShiftDeployment` is `true`
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index eeeaaee..b4bd06c 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.13.0-bb.4
+version: 1.13.0-bb.5
 appVersion: 0.10.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
diff --git a/chart/templates/bigbang/db/ensure-anchore-db.yaml b/chart/templates/bigbang/db/ensure-anchore-db.yaml
index 99492a2..b6c0242 100644
--- a/chart/templates/bigbang/db/ensure-anchore-db.yaml
+++ b/chart/templates/bigbang/db/ensure-anchore-db.yaml
@@ -21,17 +21,46 @@ spec: containers: - name: psql image: {{ .Values.postgresql.image }} + {{- if and .Values.postgresqlSuperUser.postgresUsername .Values.postgresqlSuperUser.postgresPassword }} command: - /bin/bash - -exc - - | + - | echo "Ensure Anchore DB..." - + psql -tc "SELECT 1 FROM pg_database WHERE datname = '$ANCHORE_DB'" | grep -q 1 || psql -c "CREATE DATABASE $ANCHORE_DB" + psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$ANCHORE_USER'" | grep -q 1 && psql -c "ALTER USER $ANCHORE_USER WITH PASSWORD '$ANCHORE_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $ANCHORE_USER;" | grep -q GRANT || psql -c "CREATE USER $ANCHORE_USER WITH PASSWORD '$ANCHORE_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $ANCHORE_USER;" + env: + - name: ANCHORE_USER + valueFrom: + secretKeyRef: + name: anchore-db-credentials + key: PGUSER + - name: ANCHORE_PASSWORD + valueFrom: + secretKeyRef: + name: anchore-db-credentials + key: PGPASSWORD + - name: ANCHORE_DB + valueFrom: + secretKeyRef: + name: anchore-db-credentials + key: ANCHORE_DB + envFrom: + - secretRef: + name: superuser-db-credentials + {{- else }} + command: + - /bin/bash + - -exc + - | + echo "Ensure Anchore DB..." + psql -tc "SELECT 1 FROM pg_database WHERE datname = '$ANCHORE_DB'" | grep -q 1 || psql -c "CREATE DATABASE $ANCHORE_DB" psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$PGUSER'" | grep -q 1 && psql -c "ALTER USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $PGUSER;" | grep -q GRANT || psql -c "CREATE USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $PGUSER;" envFrom: - secretRef: name: anchore-db-credentials + {{- end }} restartPolicy: OnFailure {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/chart/templates/bigbang/db/ensure-feeds-db.yaml b/chart/templates/bigbang/db/ensure-feeds-db.yaml index 2bedd7c..0d736c4 100644 
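Review bot: The new superuser branch keeps `-exc` for bash, and with `-x` every expanded command is traced to stderr, so the `ALTER USER $ANCHORE_USER WITH PASSWORD '$ANCHORE_PASSWORD'` and `CREATE USER` statements land in the Job's pod logs with the application password substituted in; the same applies to the else branch and to both branches of the ensure-feeds-db.yaml hunk. Dropping the trace flag, `- -ec`, keeps the fail-fast behaviour without logging credentials, and if tracing is wanted for debugging the psql calls can be bracketed with `set +x` / `set -x`. Separately, `$ANCHORE_USER` and `$ANCHORE_DB` are interpolated into the SQL as bare identifiers, so a role or database name containing a hyphen or uppercase letters would fail or be case-folded; that is inherited from the old command rather than introduced here. The Job definition starts above the hunk.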
--- a/chart/templates/bigbang/db/ensure-feeds-db.yaml +++ b/chart/templates/bigbang/db/ensure-feeds-db.yaml @@ -21,17 +21,46 @@ spec: containers: - name: psql image: {{ (index .Values "anchore-feeds-db" "image") }} + {{- if and .Values.postgresqlSuperUser.postgresUsername .Values.postgresqlSuperUser.postgresPassword }} command: - /bin/bash - -exc - - | + - | echo "Ensure Anchore Feeds DB..." - + psql -tc "SELECT 1 FROM pg_database WHERE datname = '$FEEDS_DB'" | grep -q 1 || psql -c "CREATE DATABASE $FEEDS_DB" + psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$FEEDS_USER'" | grep -q 1 && psql -c "ALTER USER $FEEDS_USER WITH PASSWORD '$FEEDS_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $FEEDS_USER;" | grep -q GRANT || psql -c "CREATE USER $FEEDS_USER WITH PASSWORD '$FEEDS_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $FEEDS_USER;" + env: + - name: FEEDS_USER + valueFrom: + secretKeyRef: + name: feeds-db-credentials + key: PGUSER + - name: FEEDS_PASSWORD + valueFrom: + secretKeyRef: + name: feeds-db-credentials + key: PGPASSWORD + - name: FEEDS_DB + valueFrom: + secretKeyRef: + name: feeds-db-credentials + key: FEEDS_DB + envFrom: + - secretRef: + name: superuser-db-credentials + {{- else }} + command: + - /bin/bash + - -exc + - | + echo "Ensure Anchore Feeds DB..." + psql -tc "SELECT 1 FROM pg_database WHERE datname = '$FEEDS_DB'" | grep -q 1 || psql -c "CREATE DATABASE $FEEDS_DB" psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$PGUSER'" | grep -q 1 && psql -c "ALTER USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $PGUSER;" | grep -q GRANT || psql -c "CREATE USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $PGUSER;" envFrom: - secretRef: name: feeds-db-credentials + {{- end }} restartPolicy: OnFailure {{- end }} -{{- end }} \ No newline at end of file +{{- end }} 
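Review bot: In the superuser branch the connection target comes from `envFrom: superuser-db-credentials`, whose `PGHOST`/`PGPORT` are derived from `.Values.postgresql.externalEndpoint` in the new superuser-db-secret.yaml, while the `env` entries pull only `PGUSER`, `PGPASSWORD` and `FEEDS_DB` from `feeds-db-credentials`. If the feeds database may live on a different endpoint than the anchore database (the job already takes its image from the separate `anchore-feeds-db` values block, and the else branch connects with `feeds-db-credentials` alone, so that secret presumably carries its own host), the superuser path would create the feeds database and role on the anchore instance instead. Adding explicit `PGHOST` and `PGPORT` entries from `feeds-db-credentials` to the `env` list would pin the target, since `env` entries take precedence over `envFrom` values of the same name. The Job definition starts above the hunk.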
diff --git a/chart/templates/bigbang/db/superuser-db-secret.yaml b/chart/templates/bigbang/db/superuser-db-secret.yaml
new file mode 100644
index 0000000..9ab6b79
--- /dev/null
+++ b/chart/templates/bigbang/db/superuser-db-secret.yaml
@@ -0,0 +1,25 @@
+{{- if and .Values.postgresqlSuperUser.postgresUsername .Values.postgresqlSuperUser.postgresPassword }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: superuser-db-credentials
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: superuser-db-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/part-of: anchore-enterprise
+ app.kubernetes.io/component: database
+ annotations:
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook": pre-install,pre-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation
+type: Opaque
+data:
+ PGUSER: {{ b64enc .Values.postgresqlSuperUser.postgresUsername }}
+ PGPASSWORD: {{ b64enc .Values.postgresqlSuperUser.postgresPassword }}
+ PGDATABASE: {{ b64enc "postgres" }}
+ PGHOST: {{$v := .Values.postgresql.externalEndpoint | split ":"}}{{b64enc $v._0}}
+ PGPORT: "{{$v := .Values.postgresql.externalEndpoint | split ":"}}{{b64enc $v._1}}"
+ ANCHORE_DB: {{ b64enc .Values.postgresql.postgresDatabase }}
+{{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index 77ccead..433cfea 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -32,6 +32,11 @@ networkPolicies:
 app: istio-ingressgateway
 istio: ingressgateway
+# Use Database instance Superuser to create postgresql.postgresDatabase, postgresql.postgresUser, anchore-feeds-db.postgresDatabase, and anchore-feeds-db.postgresUser
+postgresqlSuperUser:
+ postgresUsername: ""
+ postgresPassword: ""
+
 # Enable Prometheus Monitoring
 monitoring:
 enabled: false
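Review bot: `PGHOST` and `ANCHORE_DB` render the base64 value as a plain scalar while `PGPORT` is double-quoted; quoting every `data:` value uniformly, e.g. `PGHOST: {{ $v := .Values.postgresql.externalEndpoint | split ":" }}{{ $v._0 | b64enc | quote }}`, keeps the rendering consistent and safe should an encoded value happen to look like a number. The `split ":"` also assumes `externalEndpoint` always carries a port: with a bare host `$v._1` appears to render empty under Helm's default missing-key handling, giving an empty `PGPORT` rather than a template error, so a `required` (or `default`) on the port part would make that failure explicit. This Secret carries the database superuser password and, with `hook-delete-policy: before-hook-creation`, it remains in the namespace after the ensure jobs have finished, readable by anything with Secret read access there; a template comment stating that lifetime, or a cleanup hook once the jobs succeed, would make the exposure deliberate rather than incidental. Also confirm `app.kubernetes.io/part-of: anchore-enterprise` is the intended value in a chart whose Chart.yaml names it anchore-engine.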
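Review bot: The new `postgresqlSuperUser` comment does not say that both fields must be non-empty for the superuser path to be taken (the templates gate on `and .Values.postgresqlSuperUser.postgresUsername .Values.postgresqlSuperUser.postgresPassword`), nor that `postgresPassword` is a credential that should not be committed in a values file. A comment along the lines of `# Optional superuser for the ensure-db jobs; both fields must be set, otherwise the jobs fall back to the application credentials. Supply postgresPassword at install time (--set or a separate, uncommitted values file) rather than in this file.` would cover both points. The consumers are the two ensure-*-db templates and superuser-db-secret.yaml in this same patch.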
@@ -249,7 +254,7 @@ anchoreGlobal:
 metricsAuthDisabled: false
 # Sets the password & email address for the default anchore-engine admin user.
- defaultAdminPassword:
+ defaultAdminPassword:
 defaultAdminEmail: example@email.com
 saml:
-- GitLab