diff --git a/chart/templates/analyzer_deployment.yaml b/chart/templates/analyzer_deployment.yaml
index 8afa6b80d9d670d15099e880cf9c59ad16e34c8d..d18fe032f7e438a0b04711b8060fec8e79db86ae 100644
--- a/chart/templates/analyzer_deployment.yaml
+++ b/chart/templates/analyzer_deployment.yaml
@@ -22,8 +22,7 @@ spec:
 component: {{ $component }}
 replicas: {{ .Values.anchoreAnalyzer.replicaCount }}
 strategy:
- type: Recreate
- rollingUpdate: null
+ type: RollingUpdate
 template:
 metadata:
 labels:
@@ -42,6 +41,15 @@ spec:
 {{- with .Values.anchoreAnalyzer.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.inject_secrets_via_env }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+ checksum/config: {{ include (print $.Template.BasePath "/analyzer_configmap.yaml") . | sha256sum }}
+ checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+ {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+ checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+ {{- end }}
 spec:
 {{- with .Values.anchoreGlobal.securityContext }}
 securityContext:
diff --git a/chart/templates/api_deployment.yaml b/chart/templates/api_deployment.yaml
index d06c98b427dc0a876c4ffd56795095e1b729bcd9..5ab8934ac3b07b4bc5520d26b407fbec77a9d7eb 100644
--- a/chart/templates/api_deployment.yaml
+++ b/chart/templates/api_deployment.yaml
@@ -22,8 +22,7 @@ spec:
 component: {{ $component }}
 replicas: {{ .Values.anchoreApi.replicaCount }}
 strategy:
- type: Recreate
- rollingUpdate: null
+ type: RollingUpdate
 template:
 metadata:
 labels:
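Review bot: `checksum/secrets` publishes `sha256sum` of the fully rendered Secret manifest — including the plaintext values under `stringData` — as a pod-template annotation, which anyone with read access to Deployments or Pods (but not to Secrets) can see; since the rest of the rendered manifest is predictable from the chart and values, a weak admin or database password becomes verifiable offline against that digest. The same annotation is added in the api, catalog, enterprise_feeds, enterprise_ui, policy_engine and simplequeue hunks. Also, engine_secret.yaml renders empty when `anchoreGlobal.existingSecret` is set, so in that mode the annotation is a constant and rotating the external Secret will not roll the pods; worth a comment next to the annotation such as `# digest of the in-chart Secret; constant when existingSecret is set, so external rotation does not trigger a rollout`. If the offline-guessing exposure matters for this deployment, hash a deliberately rotated marker value (e.g. a `secretVersion` value the operator bumps) instead of the rendered secret, or rely on a Secret-watching reloader.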
@@ -42,6 +41,17 @@ spec:
 {{- with .Values.anchoreApi.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.inject_secrets_via_env }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+ checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+ {{- if .Values.anchoreGlobal.policyBundles }}
+ checksum/policy-config: {{ include (print $.Template.BasePath "/policy_bundle_configmap.yaml") . | sha256sum }}
+ {{- end }}
+ {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+ checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+ {{- end }}
 spec:
 {{- with .Values.anchoreGlobal.securityContext }}
 securityContext:
diff --git a/chart/templates/bigbang/password_update_job.yaml b/chart/templates/bigbang/password_update_job.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b2c47331be086263caac37b2210421a40899f223
--- /dev/null
+++ b/chart/templates/bigbang/password_update_job.yaml
@@ -0,0 +1,42 @@
+# Job to perform password update in Anchore DB
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: update-password
+ annotations:
+ "helm.sh/hook": post-upgrade
+spec:
+ template:
+ metadata:
+ name: update-password
+ annotations:
+ sidecar.istio.io/inject: 'false'
+ spec:
+ imagePullSecrets:
+ - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}
+ containers:
+ - name: update-password
+ # IB engine image does not have psql
+ image: {{ .Values.anchoreEnterpriseGlobal.image }}
+ command:
+ {{- if .Values.anchoreGlobal.dbConfig.ssl }}
+ - /bin/sh
+ - -c
+ - |
+ psql postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} \
+ -c "UPDATE public.user_access_credentials SET value = '${ANCHORE_ADMIN_PASSWORD}' WHERE username = 'admin'; COMMIT;"
+ {{- else }}
+ - /bin/sh
+ - -c
+ - |
+ psql postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} \
+ -c "UPDATE public.user_access_credentials SET value = '${ANCHORE_ADMIN_PASSWORD}' WHERE username = 'admin'; COMMIT;"
+ {{- end }}
+ envFrom:
+ {{- if not .Values.inject_secrets_via_env }}
+ - secretRef:
+ name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
+ {{- end }}
+ - configMapRef:
+ name: {{ template "anchore-engine.fullname" . }}-env
+ restartPolicy: OnFailure
diff --git a/chart/templates/catalog_deployment.yaml b/chart/templates/catalog_deployment.yaml
index 046a8d90bdbeaa11deae996184e7e9053ad98f9d..ae712ad1a5338d8b6d8301fc6d982d6bc59034b5 100644
--- a/chart/templates/catalog_deployment.yaml
+++ b/chart/templates/catalog_deployment.yaml
@@ -22,8 +22,7 @@ spec:
 component: {{ $component }}
 replicas: {{ .Values.anchoreCatalog.replicaCount }}
 strategy:
- type: Recreate
- rollingUpdate: null
+ type: RollingUpdate
 template:
 metadata:
 labels:
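Review bot: Both psql invocations expand the database password into the process argument list (the shell substitutes `${ANCHORE_DB_PASSWORD}` into the URI before exec), where it is readable from the process table by anything sharing the pod or node, and `${ANCHORE_ADMIN_PASSWORD}` is spliced raw into the SQL text, so a password containing `'` breaks or alters the UPDATE. In the ssl branch the `|` block scalar hands `\\&` to sh unchanged, and sh reads `\\` as an escaped backslash and the following `&` as an unquoted control operator — this appears to background psql with a truncated URI and leave `sslrootcert=... -c "UPDATE ..."` as a separate, failing command; quoting the URI avoids it. When `inject_secrets_via_env` is true no `secretRef` is attached here, so if the variables are not supplied by another mechanism the UPDATE would silently set the admin password to an empty string; `set -eu` with `${VAR:?}` makes the job fail instead. The rewrite below moves the DB password into libpq's `PGPASSWORD`, reads the new password into a psql variable inside psql (so it never appears on a command line) and binds it as `:'pw'`, which psql emits as a correctly quoted literal, and sets `ON_ERROR_STOP` so a failed statement ends psql with a non-zero status for `restartPolicy: OnFailure` to retry.
```yaml
      command:
        - /bin/sh
        - -c
        - |
          set -eu
          : "${ANCHORE_ADMIN_PASSWORD:?}"
          # Credentials travel via libpq env vars, not the argument list.
          export PGPASSWORD="${ANCHORE_DB_PASSWORD:?}"
          {{- if .Values.anchoreGlobal.dbConfig.ssl }}
          DB_URI="postgresql://${ANCHORE_DB_USER:?}@${ANCHORE_DB_HOST:?}/${ANCHORE_DB_NAME:?}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }}"
          {{- else }}
          DB_URI="postgresql://${ANCHORE_DB_USER:?}@${ANCHORE_DB_HOST:?}/${ANCHORE_DB_NAME:?}"
          {{- end }}
          # :'pw' is quoted by psql as a string literal, so the value cannot break out of the statement.
          psql -v ON_ERROR_STOP=1 "$DB_URI" <<'EOSQL'
          \set pw `printf '%s' "$ANCHORE_ADMIN_PASSWORD"`
          UPDATE public.user_access_credentials SET value = :'pw' WHERE username = 'admin';
          EOSQL
      # … unchanged: envFrom, restartPolicy …
```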
@@ -42,6 +41,17 @@ spec:
 {{- with .Values.anchoreCatalog.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.inject_secrets_via_env }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+ checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+ {{- if .Values.anchoreGlobal.policyBundles }}
+ checksum/policy-config: {{ include (print $.Template.BasePath "/policy_bundle_configmap.yaml") . | sha256sum }}
+ {{- end }}
+ {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+ checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+ {{- end }}
 spec:
 {{- with .Values.anchoreGlobal.securityContext }}
 securityContext:
diff --git a/chart/templates/engine_secret.yaml b/chart/templates/engine_secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ec4baef2f6c281c184a12c511ff5b0c113a1ca61
--- /dev/null
+++ b/chart/templates/engine_secret.yaml
@@ -0,0 +1,21 @@
+{{- if not .Values.anchoreGlobal.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "anchore-engine.fullname" . }}
+ labels:
+ app: {{ template "anchore-engine.fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.anchoreGlobal.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+type: Opaque
+stringData:
+ ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
+ ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }}
+ {{- with .Values.anchoreGlobal.saml.secret }}
+ ANCHORE_SAML_SECRET: {{ . }}
+ {{- end }}
+{{- end }}
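Review bot: In engine_secret.yaml, `ANCHORE_SAML_SECRET: {{ . }}` is the only `stringData` entry rendered without `| quote`, so a SAML secret containing YAML-significant characters (`: `, ` #`, or a leading `*`, `&`, `[`, `{`) breaks the rendered manifest, and a value that happens to look like a number or boolean is retyped by the YAML parser and is then no longer the string the Secret schema requires. Change it to `ANCHORE_SAML_SECRET: {{ . | quote }}`, matching the two entries above it. The same unquoted line appears in enterprise_feeds_secret.yaml.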
diff --git a/chart/templates/enterprise_feeds_deployment.yaml b/chart/templates/enterprise_feeds_deployment.yaml
index 9194dc5e6af1708701de8b24b36e097d50b822de..703b449585f49abaf434f4d39b89acb1aac90fb7 100644
--- a/chart/templates/enterprise_feeds_deployment.yaml
+++ b/chart/templates/enterprise_feeds_deployment.yaml
@@ -23,8 +23,7 @@ spec:
 component: {{ $component }}
 replicas: 1
 strategy:
- type: Recreate
- rollingUpdate: null
+ type: RollingUpdate
 template:
 metadata:
 labels:
@@ -43,6 +42,14 @@ spec:
 {{- with .Values.anchoreEnterpriseFeeds.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.inject_secrets_via_env }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/enterprise_feeds_secret.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/env: {{ include (print $.Template.BasePath "/enterprise_feeds_configmap_env.yaml") . | sha256sum }}
+ checksum/feeds-config: {{ include (print $.Template.BasePath "/enterprise_feeds_configmap.yaml") . | sha256sum }}
+ {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+ checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+ {{- end }}
 spec:
 {{- with .Values.anchoreGlobal.securityContext }}
 securityContext:
diff --git a/chart/templates/enterprise_feeds_secret.yaml b/chart/templates/enterprise_feeds_secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f6074f7669415fe4f90d6a8617db6eb955810d6b
--- /dev/null
+++ b/chart/templates/enterprise_feeds_secret.yaml
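Review bot: `type: RollingUpdate` on a `replicas: 1` Deployment means the old and new feeds pods run concurrently until the new one is Ready (with the defaults, maxSurge 25% rounds up to 1 and maxUnavailable rounds down to 0), whereas the removed `Recreate` guaranteed a single instance. The feeds service appears to have its own database (enterprise_feeds_secret.yaml carries `ANCHORE_FEEDS_DB_PASSWORD`), so confirm that two feeds instances syncing against it at the same time is safe before dropping `Recreate` here. If it is not, keep `type: Recreate` for this Deployment only and say why, e.g. `# Recreate: the feeds service must not run two instances against its database`. The Deployment spec continues outside the hunk.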
@@ -0,0 +1,23 @@
+{{- if not .Values.anchoreEnterpriseFeeds.existingSecret }}
+{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}
+ labels:
+ app: {{ template "anchore-engine.fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.anchoreGlobal.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+type: Opaque
+stringData:
+ ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
+ ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }}
+ {{- with .Values.anchoreGlobal.saml.secret }}
+ ANCHORE_SAML_SECRET: {{ . }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/chart/templates/enterprise_ui_deployment.yaml b/chart/templates/enterprise_ui_deployment.yaml
index 5a3bc4b09ec0de4cfa113f25baddb7c946cf882c..c5160914b1eee75037b56e96a1a131b9a6894564 100644
--- a/chart/templates/enterprise_ui_deployment.yaml
+++ b/chart/templates/enterprise_ui_deployment.yaml
@@ -24,8 +24,7 @@ spec:
 component: {{ $component }}
 replicas: 1
 strategy:
- type: Recreate
- rollingUpdate: null
+ type: RollingUpdate
 template:
 metadata:
 labels:
@@ -47,6 +46,13 @@ spec:
 {{- with .Values.anchoreEnterpriseUi.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.inject_secrets_via_env }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/enterprise_ui_secret.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/config: {{ include (print $.Template.BasePath "/enterprise_ui_configmap.yaml") . | sha256sum }}
+ {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+ checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+ {{- end }}
 spec:
 {{- with .Values.anchoreGlobal.securityContext }}
 securityContext:
diff --git a/chart/templates/enterprise_ui_secret.yaml b/chart/templates/enterprise_ui_secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..12848521dd4d8c9dbd8a47c91b755df0be816f92
--- /dev/null
+++ b/chart/templates/enterprise_ui_secret.yaml
@@ -0,0 +1,31 @@
+{{- if not .Values.anchoreEnterpriseUi.existingSecret }}
+{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseUi.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "anchore-engine.enterprise-ui.fullname" . }}
+ labels:
+ app: {{ template "anchore-engine.fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.anchoreGlobal.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+type: Opaque
+stringData:
+ ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
+
+ {{- if .Values.anchoreGlobal.dbConfig.ssl }}
+ ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}?ssl=verify-full'
+ {{- else }}
+ ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}'
+ {{- end }}
+
+ {{- if and (index .Values "anchore-ui-redis" "externalEndpoint") (not (index .Values "anchore-ui-redis" "enabled")) }}
+ ANCHORE_REDIS_URI: '{{ index .Values "anchore-ui-redis" "externalEndpoint" }}'
+ {{- else }}
+ ANCHORE_REDIS_URI: 'redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379'
+ {{- end }}
+{{- end }}
+{{- end }}
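Review bot: `ANCHORE_APPDB_URI` and the `redis://` form of `ANCHORE_REDIS_URI` interpolate `postgresPassword` and the redis `password` raw into a single-quoted scalar and into the userinfo part of a URI, so a password containing `'` breaks the YAML and one containing `@`, `/`, `:`, `?` or `#` yields a URI that parses to the wrong host, database or query. Percent-encode the credential parts and let Helm quote the result, e.g. `ANCHORE_APPDB_URI: {{ printf "postgresql://%s:%s@%s/%s?ssl=verify-full" (index .Values "postgresql" "postgresUser" | urlquery) (index .Values "postgresql" "postgresPassword" | urlquery) (include "db-hostname" .) (index .Values "postgresql" "postgresDatabase") | quote }}` (`urlquery` encodes a space as `+`, so confirm the consumer decodes the userinfo the same way), and the same for the redis URI. Both branches of the ssl condition and the redis else-branch need the change.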
diff --git a/chart/templates/policy_engine_deployment.yaml b/chart/templates/policy_engine_deployment.yaml
index c3c6979b6a1e4d38177e3e0a821760fa3e3e70cb..a1576e648d353c50a66f0fb9dd7b871e843b3dc2 100644
--- a/chart/templates/policy_engine_deployment.yaml
+++ b/chart/templates/policy_engine_deployment.yaml
@@ -22,8 +22,7 @@ spec:
 component: {{ $component }}
 replicas: {{ .Values.anchorePolicyEngine.replicaCount }}
 strategy:
- type: Recreate
- rollingUpdate: null
+ type: RollingUpdate
 template:
 metadata:
 labels:
@@ -42,6 +41,14 @@ spec:
 {{- with .Values.anchorePolicyEngine.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.inject_secrets_via_env }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+ checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+ {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+ checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+ {{- end }}
 spec:
 {{- with .Values.anchoreGlobal.securityContext }}
 securityContext:
diff --git a/chart/templates/secrets.yaml b/chart/templates/secrets.yaml
deleted file mode 100644
index 5fd15db42265a3b128e9e69c5db60cb1cfc8cf29..0000000000000000000000000000000000000000
--- a/chart/templates/secrets.yaml
+++ /dev/null
@@ -1,79 +0,0 @@ -{{- if not .Values.anchoreGlobal.existingSecret }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "anchore-engine.fullname" . }} - labels: - app: {{ template "anchore-engine.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- with .Values.anchoreGlobal.labels }} - {{ toYaml . | nindent 4 }} - {{- end }} -type: Opaque -stringData: - ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }} - ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }} - {{- with .Values.anchoreGlobal.saml.secret }} - ANCHORE_SAML_SECRET: {{ . }} - {{- end }} -{{- end }} - ---- -{{- if not .Values.anchoreEnterpriseFeeds.existingSecret }} -{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "anchore-engine.enterprise-feeds.fullname" . }} - labels: - app: {{ template "anchore-engine.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- with .Values.anchoreGlobal.labels }} - {{ toYaml . | nindent 4 }} - {{- end }} -type: Opaque -stringData: - ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }} - ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }} - {{- with .Values.anchoreGlobal.saml.secret }} - ANCHORE_SAML_SECRET: {{ . }} - {{- end }} -{{- end }} -{{- end }} - ---- -{{- if not .Values.anchoreEnterpriseUi.existingSecret }} -{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseUi.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "anchore-engine.enterprise-ui.fullname" . }} - labels: - app: {{ template "anchore-engine.fullname" . 
}}
- chart: {{ .Chart.Name }}-{{ .Chart.Version }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- {{- with .Values.anchoreGlobal.labels }}
- {{ toYaml . | nindent 4 }}
- {{- end }}
-type: Opaque
-stringData:
- ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
-
- {{- if .Values.anchoreGlobal.dbConfig.ssl }}
- ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}?ssl=verify-full'
- {{- else }}
- ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}'
- {{- end }}
-
- {{- if and (index .Values "anchore-ui-redis" "externalEndpoint") (not (index .Values "anchore-ui-redis" "enabled")) }}
- ANCHORE_REDIS_URI: '{{ index .Values "anchore-ui-redis" "externalEndpoint" }}'
- {{- else }}
- ANCHORE_REDIS_URI: 'redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379'
- {{- end }}
-{{- end }}
-{{- end }}
diff --git a/chart/templates/simplequeue_deployment.yaml b/chart/templates/simplequeue_deployment.yaml
index 62e50f3c5312db35a2e7dddf56160eabc7475974..82b9e56231e5fd7a74b417d985215585c92e8328 100644
--- a/chart/templates/simplequeue_deployment.yaml
+++ b/chart/templates/simplequeue_deployment.yaml
@@ -22,8 +22,7 @@ spec:
 component: {{ $component }}
 replicas: {{ .Values.anchoreSimpleQueue.replicaCount }}
 strategy:
- type: Recreate
- rollingUpdate: null
+ type: RollingUpdate
 template:
 metadata:
 labels:
@@ -42,6 +41,14 @@ spec:
 {{- with .Values.anchoreSimpleQueue.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.inject_secrets_via_env }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+ checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+ {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+ checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+ {{- end }}
 spec:
 {{- with .Values.anchoreGlobal.securityContext }}
 securityContext: