Add Optional Admin DB user for DB ensure jobs
Summary
Currently the DB ensure jobs presuppose that the .Values.postgresql.postgresUser user is a database superuser with CREATE DB and GRANT ALL PRIVILEGES rights. This same user is then used as the user anchore uses to interface with the anchore and anchore feeds databases.
There are two problems with this:
- On a first-time run of this chart, these commands fail if the .Values.postgresql.postgresUser user does not already exist or does not have the aforementioned privileges.
- If you choose to use a superuser as the anchore db and feeds db provisioner, you are then stuck using the same superuser for day-to-day anchore operations, even if this is overkill (you only really need admin rights to the feeds and anchore databases, not the entire instance).
Steps to reproduce
- Configure a non-superuser user as .Values.postgresql.postgresUser
- Create a postgresql instance reachable from the k8s cluster you deploy this chart into
- The ensure db jobs will fail with permission denied errors for CREATE DB
What is the current behavior?
Ensure database jobs fail if a non-superuser user is used as .Values.postgresql.postgresUser, and if a superuser is used to avoid those problems, you're stuck using a superuser for day-to-day anchore operations.
What is the expected behavior?
We should be able to optionally supply a superuser for one-time use in creating the anchore and feeds databases, as well as creating the .Values.postgresql.postgresUser user to administer them going forward.
Possible fixes
The snippet below is an example of how the ensure-anchore-db job could look with an additional secret for superuser credentials (PGUSER, PGPASSWORD), while changing the env variables holding .Values.postgresql.postgresUser and .Values.postgresql.postgresPassword to ANCHORE_USER and ANCHORE_PASSWORD respectively.
```yaml
{{- if hasKey .Values.postgresql "enabled" }}
{{- if (not .Values.postgresql.enabled) }}
# Job to sync db and db user with external postgres for Anchore's primary data store
apiVersion: batch/v1
kind: Job
metadata:
  name: ensure-anchore-db
  annotations:
    "helm.sh/hook-weight": "-4"
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation
spec:
  template:
    metadata:
      name: ensure-anchore-db
      annotations:
        sidecar.istio.io/inject: 'false'
    spec:
      imagePullSecrets:
        - name: {{ .Values.postgresql.imagePullSecrets }}
      containers:
        - name: psql
          image: {{ .Values.postgresql.image }}
          command:
            - /bin/bash
            # -x echoes each expanded command, including $ANCHORE_PASSWORD, to the pod log
            - -exc
            - |
              echo "Ensure Anchore DB..."
              # create the database if it does not exist yet (runs as the superuser from PGUSER/PGPASSWORD)
              psql -tc "SELECT 1 FROM pg_database WHERE datname = '$ANCHORE_DB'" | grep -q 1 || psql -c "CREATE DATABASE $ANCHORE_DB"
              # if the role exists, reset its password and grant; otherwise create it with the same grant
              psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$ANCHORE_USER'" | grep -q 1 && psql -c "ALTER USER $ANCHORE_USER WITH PASSWORD '$ANCHORE_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $ANCHORE_USER;" | grep -q GRANT || psql -c "CREATE USER $ANCHORE_USER WITH PASSWORD '$ANCHORE_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $ANCHORE_USER;"
          envFrom:
            # day-to-day role the job creates/updates: ANCHORE_DB, ANCHORE_USER, ANCHORE_PASSWORD
            - secretRef:
                name: anchore-db-credentials
            # one-time superuser, picked up by psql through libpq's PGUSER/PGPASSWORD
            - secretRef:
                name: superuser-db-credentials
      restartPolicy: OnFailure
{{- end }}
{{- end }}
```
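As an added example (not code from the chart or the issue above), the following script does the same provisioning the Job's inline command does, but keeps the two credential sets separate and avoids two weaknesses of the inline version: the password is never spliced into a SQL string by the shell, and nothing is echoed to the pod log. It assumes the same environment the snippet above wires up (libpq's PGHOST, PGUSER and PGPASSWORD for the one-time superuser; ANCHORE_DB, ANCHORE_USER and ANCHORE_PASSWORD for the role being created) and a psql of 9.6 or later for `\gexec`. The function names, the `run` argument and the variable checks are this example's own.

```shell
#!/bin/sh
# Added example, not the chart's own code. Assumes libpq env vars for the one-time
# superuser (PGHOST, PGUSER, PGPASSWORD) and ANCHORE_DB / ANCHORE_USER / ANCHORE_PASSWORD
# for the day-to-day role, matching the two secretRefs in the Job. Needs psql >= 9.6.
set -eu

# Refuse to run unless both credential sets are present. Only variable names are printed,
# never values, so a misconfigured secret is diagnosable from the pod log without leaking
# a password.
check_env() {
  missing=""
  for v in PGUSER PGPASSWORD ANCHORE_DB ANCHORE_USER ANCHORE_PASSWORD; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  [ -z "$missing" ] || { echo "missing required variables:$missing" >&2; return 1; }
}

# SQL that creates the application role if absent and (re)sets its password. Role name
# and password arrive as psql variables and are quoted server-side by format('%I' / '%L'),
# so a password containing a quote cannot break the statement the way a shell-interpolated
# '$ANCHORE_PASSWORD' can. \gexec runs each returned row as a statement; zero rows is a no-op.
ensure_role_sql() {
  cat <<'EOF'
SELECT format('CREATE ROLE %I LOGIN PASSWORD %L', :'role', :'pw')
WHERE NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = :'role')
\gexec
SELECT format('ALTER ROLE %I WITH PASSWORD %L', :'role', :'pw')
\gexec
EOF
}

# SQL that creates the database if absent, owned by the application role, and grants
# rights on that one database only, not on the instance.
ensure_db_sql() {
  cat <<'EOF'
SELECT format('CREATE DATABASE %I OWNER %I', :'db', :'role')
WHERE NOT EXISTS (SELECT 1 FROM pg_database WHERE datname = :'db')
\gexec
SELECT format('GRANT ALL PRIVILEGES ON DATABASE %I TO %I', :'db', :'role')
\gexec
EOF
}

# Run both scripts as the superuser against the maintenance database. No `set -x`, so the
# password is never echoed; ON_ERROR_STOP makes the Job fail (and be retried) on the first
# error instead of silently continuing.
ensure_anchore_db() {
  { ensure_role_sql; ensure_db_sql; } | psql -d postgres -v ON_ERROR_STOP=1 \
      -v role="$ANCHORE_USER" -v pw="$ANCHORE_PASSWORD" -v db="$ANCHORE_DB"
}

# Entry point for the Job container: `sh ensure-db.sh run`
if [ "${1:-}" = "run" ]; then
  check_env
  ensure_anchore_db
fi
```

In the Job this replaces the inline `/bin/bash -exc` command: mount the superuser secret as PGUSER/PGPASSWORD and the application secret as the ANCHORE_* variables, exactly as the two `secretRef` entries above do. Because the role is only made owner of, and granted on, the one database it needs, the superuser's reach ends with the hook and the credentials Anchore uses afterwards are scoped to that database.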