Merge branch '30-add-superuser-db-credentials' into 'main'

Resolve "Add Optional Admin DB user for DB ensure jobs" See merge request !46

Merge branch '30-add-superuser-db-credentials' into 'main'
Resolve "Add Optional Admin DB user for DB ensure jobs" See merge request !46
e2a27a8a · bhearn · b8c64437 · 7cf15c07 · e2a27a8a · e2a27a8a
Commit e2a27a8a authored Aug 17, 2021 by bhearn
6 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ---
+## [1.13.0-bb.5]
+## Added
+- `.Values.postgresqlSuperUser.postgresUsername` and `.Values.postgresqlSuperUser.postgresPassword` for conditionally changing the commands in the ensure db jobs to allow for finer-grain postgres user permissions
+- `chart/templates/bigbang/db/superuser-db-secret.yaml` secret to populate fields in the ensure db jobs
 ## [1.13.0-bb.4]
 ### Fixed
 - update allow-kube-dns NP to conditionally add port 5353 egress when `.Values.anchoreGlobal.openShiftDeployment` is `true`

--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: anchore-engine
-version: 1.13.0-bb.4
+version: 1.13.0-bb.5
 appVersion: 0.10.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:

--- a/chart/templates/bigbang/db/ensure-anchore-db.yaml
+++ b/chart/templates/bigbang/db/ensure-anchore-db.yaml
@@ -21,17 +21,46 @@ spec:
      containers:
        - name: psql
          image: {{ .Values.postgresql.image }}
+          {{- if and .Values.postgresqlSuperUser.postgresUsername .Values.postgresqlSuperUser.postgresPassword }}
          command:
            - /bin/bash
            - -exc
-            - |   
+            - |
              echo "Ensure Anchore DB..."
+              psql -tc "SELECT 1 FROM pg_database WHERE datname = '$ANCHORE_DB'" | grep -q 1 || psql -c "CREATE DATABASE $ANCHORE_DB"
+              psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$ANCHORE_USER'" | grep -q 1 && psql -c "ALTER USER $ANCHORE_USER WITH PASSWORD '$ANCHORE_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $ANCHORE_USER;" | grep -q GRANT || psql -c "CREATE USER $ANCHORE_USER WITH PASSWORD '$ANCHORE_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $ANCHORE_USER;"
+          env:
+            - name: ANCHORE_USER
+              valueFrom:
+                secretKeyRef:
+                  name: anchore-db-credentials
+                  key: PGUSER
+            - name: ANCHORE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: anchore-db-credentials
+                  key: PGPASSWORD
+            - name: ANCHORE_DB
+              valueFrom:
+                secretKeyRef:
+                  name: anchore-db-credentials
+                  key: ANCHORE_DB
+          envFrom:
+            - secretRef:
+                name: superuser-db-credentials
+          {{- else }}
+          command:
+            - /bin/bash
+            - -exc
+            - |
+              echo "Ensure Anchore DB..."
              psql -tc "SELECT 1 FROM pg_database WHERE datname = '$ANCHORE_DB'" | grep -q 1 || psql -c "CREATE DATABASE $ANCHORE_DB"
              psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$PGUSER'" | grep -q 1 && psql -c "ALTER USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $PGUSER;" | grep -q GRANT || psql -c "CREATE USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $PGUSER;"
          envFrom:
            - secretRef:
                name: anchore-db-credentials
+          {{- end }}
      restartPolicy: OnFailure
 {{- end }}
 {{- end }}
\ No newline at end of file
--- a/chart/templates/bigbang/db/ensure-feeds-db.yaml
+++ b/chart/templates/bigbang/db/ensure-feeds-db.yaml
@@ -21,17 +21,46 @@ spec:
      containers:
        - name: psql
          image: {{ (index .Values "anchore-feeds-db" "image") }}
+          {{- if and .Values.postgresqlSuperUser.postgresUsername .Values.postgresqlSuperUser.postgresPassword }}
          command:
            - /bin/bash
            - -exc
-            - |   
+            - |
              echo "Ensure Anchore Feeds DB..."
+              psql -tc "SELECT 1 FROM pg_database WHERE datname = '$FEEDS_DB'" | grep -q 1 || psql -c "CREATE DATABASE $FEEDS_DB"
+              psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$FEEDS_USER'" | grep -q 1 && psql -c "ALTER USER $FEEDS_USER WITH PASSWORD '$FEEDS_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $FEEDS_USER;" | grep -q GRANT || psql -c "CREATE USER   $FEEDS_USER WITH PASSWORD '$FEEDS_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $FEEDS_USER;"
+          env:
+            - name: FEEDS_USER
+              valueFrom:
+                secretKeyRef:
+                  name: feeds-db-credentials
+                  key: PGUSER
+            - name: FEEDS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: feeds-db-credentials
+                  key: PGPASSWORD
+            - name: FEEDS_DB
+              valueFrom:
+                secretKeyRef:
+                  name: feeds-db-credentials
+                  key: FEEDS_DB
+          envFrom:
+            - secretRef:
+                name: superuser-db-credentials
+          {{- else }}
+          command:
+            - /bin/bash
+            - -exc
+            - |
+              echo "Ensure Anchore Feeds DB..."
              psql -tc "SELECT 1 FROM pg_database WHERE datname = '$FEEDS_DB'" | grep -q 1 || psql -c "CREATE DATABASE $FEEDS_DB"
              psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$PGUSER'" | grep -q 1 && psql -c "ALTER USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $PGUSER;" | grep -q GRANT || psql -c "CREATE USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $PGUSER;"
          envFrom:
            - secretRef:
                name: feeds-db-credentials
+          {{- end }}
      restartPolicy: OnFailure
 {{- end }}
 {{- end }}
\ No newline at end of file
--- a/chart/templates/bigbang/db/superuser-db-secret.yaml
+++ b/chart/templates/bigbang/db/superuser-db-secret.yaml
+{{- if and .Values.postgresqlSuperUser.postgresUsername .Values.postgresqlSuperUser.postgresPassword }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: superuser-db-credentials
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: superuser-db-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/part-of: anchore-enterprise
+    app.kubernetes.io/component: database
+  annotations:
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+type: Opaque
+data:
+  PGUSER: {{ b64enc .Values.postgresqlSuperUser.postgresUsername }}
+  PGPASSWORD: {{ b64enc .Values.postgresqlSuperUser.postgresPassword }}
+  PGDATABASE: {{ b64enc "postgres" }}
+  PGHOST: {{$v := .Values.postgresql.externalEndpoint | split ":"}}{{b64enc $v._0}}
+  PGPORT: "{{$v := .Values.postgresql.externalEndpoint | split ":"}}{{b64enc $v._1}}"
+  ANCHORE_DB: {{ b64enc .Values.postgresql.postgresDatabase }}
+{{- end }}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -32,6 +32,11 @@ networkPolicies:
    app: istio-ingressgateway
    istio: ingressgateway
+# Use Database instance Superuser to create postgresql.postgresDatabase, postgresql.postgresUser, anchore-feeds-db.postgresDatabase, and anchore-feeds-db.postgresUser
+postgresqlSuperUser:
+  postgresUsername: ""
+  postgresPassword: ""
 # Enable Prometheus Monitoring
 monitoring:
  enabled: false
@@ -249,7 +254,7 @@ anchoreGlobal:
  metricsAuthDisabled: false
  # Sets the password & email address for the default anchore-engine admin user.
-  defaultAdminPassword: 
+  defaultAdminPassword:
  defaultAdminEmail: example@email.com
  saml: