update flow

chart/templates/engine_configmap.yaml

@@ -59,9 +59,7 @@ data:
     # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value
     # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs.
     keys:
-      {{- $anchorefullname := include "anchore-engine.fullname" . -}}
-      {{- $old_secret := lookup "v1" "Secret" .Release.Namespace $anchorefullname }}
-      {{- if or .Values.anchoreGlobal.saml.secret .Values.anchoreGlobal.saml.useExistingSecret .Values.anchoreGlobal.oauthEnabled $old_secret }}
+      {{- if or .Values.anchoreGlobal.saml.secret .Values.anchoreGlobal.saml.useExistingSecret .Values.anchoreGlobal.oauthEnabled }}
       secret: ${ANCHORE_SAML_SECRET}
       {{- end }}
       {{- with .Values.anchoreGlobal.saml.publicKeyName }}

chart/templates/engine_secret.yaml

@@ -16,8 +16,10 @@ stringData:
   ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }}
   {{- $anchorefullname := include "anchore-engine.fullname" . -}}
   {{- $old_secret := lookup "v1" "Secret" .Release.Namespace $anchorefullname }}
-  {{- if or (not $old_secret) (not $old_secret.data) }}
-  ANCHORE_SAML_SECRET: {{ .Values.anchoreGlobal.saml.secret | default (randAlphaNum 12) | quote }}
+  {{- if .Values.anchoreGlobal.saml.secret }}
+  ANCHORE_SAML_SECRET: {{ .Values.anchoreGlobal.saml.secret }}
+  {{- else if or (not $old_secret) (not $old_secret.data) }}
+  ANCHORE_SAML_SECRET: {{ (randAlphaNum 12) | quote }}
   {{ else }}
   ANCHORE_SAML_SECRET: {{ b64dec (index $old_secret.data "ANCHORE_SAML_SECRET") }}
   {{- end }}

chart/templates/enterprise_configmap.yaml

@@ -41,9 +41,7 @@ data:
     # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value
     # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs.
     keys:
-      {{- $anchorefullname := include "anchore-engine.fullname" . -}}
-      {{- $old_secret := lookup "v1" "Secret" .Release.Namespace $anchorefullname }}
-      {{- if or .Values.anchoreGlobal.saml.secret .Values.anchoreGlobal.saml.useExistingSecret .Values.anchoreGlobal.oauthEnabled $old_secret }}
+      {{- if or .Values.anchoreGlobal.saml.secret .Values.anchoreGlobal.saml.useExistingSecret .Values.anchoreGlobal.oauthEnabled }}
       secret: ${ANCHORE_SAML_SECRET}
       {{- end }}
       {{- with .Values.anchoreGlobal.saml.publicKeyName }}

chart/templates/enterprise_feeds_configmap.yaml

@@ -35,9 +35,7 @@ data:
     # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value
     # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs.
     keys:
-      {{- $anchorefullname := include "anchore-engine.fullname" . -}}
-      {{- $old_secret := lookup "v1" "Secret" .Release.Namespace $anchorefullname }}
-      {{- if or .Values.anchoreGlobal.saml.secret .Values.anchoreGlobal.saml.useExistingSecret .Values.anchoreGlobal.oauthEnabled $old_secret }}
+      {{- if or .Values.anchoreGlobal.saml.secret .Values.anchoreGlobal.saml.useExistingSecret .Values.anchoreGlobal.oauthEnabled }}
       secret: ${ANCHORE_SAML_SECRET}
       {{- end }}
       {{- with .Values.anchoreGlobal.saml.publicKeyName }}

chart/templates/enterprise_feeds_secret.yaml

@@ -17,8 +17,10 @@ stringData:
   ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }}
   {{- $anchorefullname := include "anchore-engine.fullname" . -}}
   {{- $old_secret := lookup "v1" "Secret" .Release.Namespace $anchorefullname }}
-  {{- if or (not $old_secret) (not $old_secret.data) }}
-  ANCHORE_SAML_SECRET: {{ .Values.anchoreGlobal.saml.secret | default (randAlphaNum 12) | quote }}
+  {{- if .Values.anchoreGlobal.saml.secret }}
+  ANCHORE_SAML_SECRET: {{ .Values.anchoreGlobal.saml.secret }}
+  {{- else if or (not $old_secret) (not $old_secret.data) }}
+  ANCHORE_SAML_SECRET: {{ (randAlphaNum 12) | quote }}
   {{ else }}
   ANCHORE_SAML_SECRET: {{ b64dec (index $old_secret.data "ANCHORE_SAML_SECRET") }}
   {{- end }}

docs/BBCHANGES.md

@@ -225,10 +225,12 @@ To resolve an issue where Anchore would redeploy after every update, `./chart/te
 ```yaml
 {{- $anchorefullname := include "anchore-engine.fullname" . -}}
 {{- $old_secret := lookup "v1" "Secret" .Release.Namespace $anchorefullname }}
-{{- if or (not $old_secret) (not $old_secret.data) }}
-ANCHORE_SAML_SECRET: {{ .Values.anchoreGlobal.saml.secret | default (randAlphaNum 12) | quote }}
+{{- if .Values.anchoreGlobal.saml.secret }}
+ANCHORE_SAML_SECRET: {{ .Values.anchoreGlobal.saml.secret }}
+{{- else if or (not $old_secret) (not $old_secret.data) }}
+ANCHORE_SAML_SECRET: {{ (randAlphaNum 12) | quote }}
 {{ else }}
-ANCHORE_SAML_SECRET: {{ index $old_secret.data "ANCHORE_SAML_SECRET" }}
+ANCHORE_SAML_SECRET: {{ b64dec (index $old_secret.data "ANCHORE_SAML_SECRET") }}
 {{- end }}
 ```
 
@@ -236,11 +238,7 @@ Additionally, `./chart/templates/engine_configmap.yaml`, `./chart/templates/ente
 
 ```yaml
 keys:
-  {{- $anchorefullname := include "anchore-engine.fullname" . -}}
-  {{- $old_secret := lookup "v1" "Secret" .Release.Namespace $anchorefullname }}
-  {{- if or .Values.anchoreGlobal.saml.secret .Values.anchoreGlobal.saml.useExistingSecret .Values.anchoreGlobal.oauthEnabled $old_secret }}
+  {{- if or .Values.anchoreGlobal.saml.secret .Values.anchoreGlobal.saml.useExistingSecret .Values.anchoreGlobal.oauthEnabled }}
   secret: ${ANCHORE_SAML_SECRET}
   {{- end }}
-```
-
-If you want to change your `ANCHORE_SAML_SECRET` value, remember to delete the previous 2 secrets so the value is not reused.
\ No newline at end of file
+```
\ No newline at end of file