From 2e8644946dd06e4b2216814a82c0545c42ecc32d Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Fri, 5 Mar 2021 14:02:17 -0700
Subject: [PATCH] checksum magic
---
 chart/templates/analyzer_deployment.yaml | 12 ++-
 chart/templates/api_deployment.yaml | 14 +++-
 .../bigbang/password_update_job.yaml | 42 ++++++++++
 chart/templates/catalog_deployment.yaml | 14 +++-
 chart/templates/engine_secret.yaml | 21 +++++
 .../enterprise_feeds_deployment.yaml | 11 ++-
 chart/templates/enterprise_feeds_secret.yaml | 23 ++++++
 chart/templates/enterprise_ui_deployment.yaml | 10 ++-
 chart/templates/enterprise_ui_secret.yaml | 31 ++++++++
 chart/templates/policy_engine_deployment.yaml | 11 ++-
 chart/templates/secrets.yaml | 79 ------------------------
 chart/templates/simplequeue_deployment.yaml | 11 ++-
 12 files changed, 186 insertions(+), 93 deletions(-)
 create mode 100644 chart/templates/bigbang/password_update_job.yaml
 create mode 100644 chart/templates/engine_secret.yaml
 create mode 100644 chart/templates/enterprise_feeds_secret.yaml
 create mode 100644 chart/templates/enterprise_ui_secret.yaml
 delete mode 100644 chart/templates/secrets.yaml
diff --git a/chart/templates/analyzer_deployment.yaml b/chart/templates/analyzer_deployment.yaml
index 8afa6b8..d18fe03 100644
--- a/chart/templates/analyzer_deployment.yaml
+++ b/chart/templates/analyzer_deployment.yaml
@@ -22,8 +22,7 @@ spec:
 component: {{ $component }}
 replicas: {{ .Values.anchoreAnalyzer.replicaCount }}
 strategy:
- type: Recreate
- rollingUpdate: null
+ type: RollingUpdate
 template:
 metadata:
 labels:
@@ -42,6 +41,15 @@ spec:
 {{- with .Values.anchoreAnalyzer.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.inject_secrets_via_env }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+ checksum/config: {{ include (print $.Template.BasePath "/analyzer_configmap.yaml") . | sha256sum }}
+ checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+ {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+ checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+ {{- end }}
 spec:
 {{- with .Values.anchoreGlobal.securityContext }}
 securityContext:
diff --git a/chart/templates/api_deployment.yaml b/chart/templates/api_deployment.yaml
index d06c98b..5ab8934 100644
--- a/chart/templates/api_deployment.yaml
+++ b/chart/templates/api_deployment.yaml
@@ -22,8 +22,7 @@ spec:
 component: {{ $component }}
 replicas: {{ .Values.anchoreApi.replicaCount }}
 strategy:
- type: Recreate
- rollingUpdate: null
+ type: RollingUpdate
 template:
 metadata:
 labels:
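Review bot: `checksum/secrets` hashes the whole rendered engine_secret.yaml, which renders to nothing when `anchoreGlobal.existingSecret` is set, so rotating an externally managed secret never rolls these pods; a comment on that line such as `# constant when anchoreGlobal.existingSecret is set — restart manually after rotating the external secret` would make the limitation visible. The same annotation block is added in the api, catalog, policy engine and simplequeue hunks, and the feeds and ui deployments carry the equivalent for their own secret templates. Be aware that the digest is a pod annotation readable by anyone who can `get pods`, and everything in the hashed manifest other than the passwords is predictable from chart values, so it gives an offline check against a guessable admin or DB password; this is fine for generated high-entropy passwords and worth a caveat in the values documentation otherwise. `/bigbang/license-secret.yaml` is not part of this diff, so I could not confirm that path renders.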
@@ -42,6 +41,17 @@ spec:
 {{- with .Values.anchoreApi.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.inject_secrets_via_env }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+ checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+ {{- if .Values.anchoreGlobal.policyBundles }}
+ checksum/policy-config: {{ include (print $.Template.BasePath "/policy_bundle_configmap.yaml") . | sha256sum }}
+ {{- end }}
+ {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+ checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+ {{- end }}
 spec:
 {{- with .Values.anchoreGlobal.securityContext }}
 securityContext:
diff --git a/chart/templates/bigbang/password_update_job.yaml b/chart/templates/bigbang/password_update_job.yaml
new file mode 100644
index 0000000..b2c4733
--- /dev/null
+++ b/chart/templates/bigbang/password_update_job.yaml
@@ -0,0 +1,42 @@
+# Job to perform password update in Anchore DB
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: update-password
+ annotations:
+ "helm.sh/hook": post-upgrade
+spec:
+ template:
+ metadata:
+ name: update-password
+ annotations:
+ sidecar.istio.io/inject: 'false'
+ spec:
+ imagePullSecrets:
+ - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}
+ containers:
+ - name: update-password
+ # IB engine image does not have psql
+ image: {{ .Values.anchoreEnterpriseGlobal.image }}
+ command:
+ {{- if .Values.anchoreGlobal.dbConfig.ssl }}
+ - /bin/sh
+ - -c
+ - |
+ psql postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} \
+ -c "UPDATE public.user_access_credentials SET value = '${ANCHORE_ADMIN_PASSWORD}' WHERE username = 'admin'; COMMIT;"
+ {{- else }}
+ - /bin/sh
+ - -c
+ - |
+ psql postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} \
+ -c "UPDATE public.user_access_credentials SET value = '${ANCHORE_ADMIN_PASSWORD}' WHERE username = 'admin'; COMMIT;"
+ {{- end }}
+ envFrom:
+ {{- if not .Values.inject_secrets_via_env }}
+ - secretRef:
+ name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
+ {{- end }}
+ - configMapRef:
+ name: {{ template "anchore-engine.fullname" . }}-env
+ restartPolicy: OnFailure
diff --git a/chart/templates/catalog_deployment.yaml b/chart/templates/catalog_deployment.yaml
index 046a8d9..ae712ad 100644
--- a/chart/templates/catalog_deployment.yaml
+++ b/chart/templates/catalog_deployment.yaml
@@ -22,8 +22,7 @@ spec:
 component: {{ $component }}
 replicas: {{ .Values.anchoreCatalog.replicaCount }}
 strategy:
- type: Recreate
- rollingUpdate: null
+ type: RollingUpdate
 template:
 metadata:
 labels:
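Review bot: The psql invocation splices `${ANCHORE_ADMIN_PASSWORD}` straight into the SQL text of the `-c` argument and carries `${ANCHORE_DB_PASSWORD}` in the connection URI, so an admin password containing `'` breaks (or rewrites) the UPDATE, and both credentials are exposed in the container's process arguments. In the ssl branch the URI is also unquoted: the `\\&` survives the literal block and reaches `/bin/sh` as an escaped backslash followed by a bare `&`, which appears to end the command at the ampersand instead of handing `&sslrootcert=` to psql — verify with `helm template` before relying on that branch. Quoting the URI, moving the DB password to `PGPASSWORD`, and feeding the statement on stdin with psql's `-v pw=...` / `:'pw'` interpolation (psql does not interpolate variables inside `-c` strings) closes all three; `-v ON_ERROR_STOP=1` is needed once the statement comes from stdin so a rejected UPDATE fails the Job instead of exiting 0. Separately, the Job name `update-password` is not release-scoped, so two releases in one namespace would collide — `{{ template "anchore-engine.fullname" . }}-update-password` avoids that.
```yaml
        command:
          {{- if .Values.anchoreGlobal.dbConfig.ssl }}
          - /bin/sh
          - -c
          - |
            PGPASSWORD="${ANCHORE_DB_PASSWORD}" psql -v ON_ERROR_STOP=1 -v pw="${ANCHORE_ADMIN_PASSWORD}" \
              "postgresql://${ANCHORE_DB_USER}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }}" <<'EOSQL'
            UPDATE public.user_access_credentials SET value = :'pw' WHERE username = 'admin';
            EOSQL
          {{- else }}
          - /bin/sh
          - -c
          - |
            PGPASSWORD="${ANCHORE_DB_PASSWORD}" psql -v ON_ERROR_STOP=1 -v pw="${ANCHORE_ADMIN_PASSWORD}" \
              "postgresql://${ANCHORE_DB_USER}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}" <<'EOSQL'
            UPDATE public.user_access_credentials SET value = :'pw' WHERE username = 'admin';
            EOSQL
          {{- end }}
        # … unchanged: envFrom, restartPolicy …
```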
@@ -42,6 +41,17 @@ spec:
 {{- with .Values.anchoreCatalog.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.inject_secrets_via_env }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+ checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+ {{- if .Values.anchoreGlobal.policyBundles }}
+ checksum/policy-config: {{ include (print $.Template.BasePath "/policy_bundle_configmap.yaml") . | sha256sum }}
+ {{- end }}
+ {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+ checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+ {{- end }}
 spec:
 {{- with .Values.anchoreGlobal.securityContext }}
 securityContext:
diff --git a/chart/templates/engine_secret.yaml b/chart/templates/engine_secret.yaml
new file mode 100644
index 0000000..ec4baef
--- /dev/null
+++ b/chart/templates/engine_secret.yaml
@@ -0,0 +1,21 @@
+{{- if not .Values.anchoreGlobal.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "anchore-engine.fullname" . }}
+ labels:
+ app: {{ template "anchore-engine.fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.anchoreGlobal.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+type: Opaque
+stringData:
+ ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
+ ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }}
+ {{- with .Values.anchoreGlobal.saml.secret }}
+ ANCHORE_SAML_SECRET: {{ . }}
+ {{- end }}
+{{- end }}
diff --git a/chart/templates/enterprise_feeds_deployment.yaml b/chart/templates/enterprise_feeds_deployment.yaml
index 9194dc5..703b449 100644
--- a/chart/templates/enterprise_feeds_deployment.yaml
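Review bot: In engine_secret.yaml, `ANCHORE_SAML_SECRET: {{ . }}` is emitted unquoted while the sibling keys go through `| quote`, so a SAML secret that looks like a number or boolean is retyped by the YAML parser, and one starting with `*`, `&`, `{`, `#` or containing `: ` breaks the render; the identical line appears in the new enterprise_feeds_secret.yaml. `ANCHORE_SAML_SECRET: {{ . | quote }}` fixes both files. Since the deployments now hash this rendered template into `checksum/secrets`, any edit to the template — label changes included — restarts every engine pod, not only a change of the secret values; a one-line comment at the top of the file noting that would save surprises.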
+++ b/chart/templates/enterprise_feeds_deployment.yaml
@@ -23,8 +23,7 @@ spec:
 component: {{ $component }}
 replicas: 1
 strategy:
- type: Recreate
- rollingUpdate: null
+ type: RollingUpdate
 template:
 metadata:
 labels:
@@ -43,6 +42,14 @@ spec:
 {{- with .Values.anchoreEnterpriseFeeds.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.inject_secrets_via_env }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/enterprise_feeds_secret.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/env: {{ include (print $.Template.BasePath "/enterprise_feeds_configmap_env.yaml") . | sha256sum }}
+ checksum/feeds-config: {{ include (print $.Template.BasePath "/enterprise_feeds_configmap.yaml") . | sha256sum }}
+ {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+ checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+ {{- end }}
 spec:
 {{- with .Values.anchoreGlobal.securityContext }}
 securityContext:
diff --git a/chart/templates/enterprise_feeds_secret.yaml b/chart/templates/enterprise_feeds_secret.yaml
new file mode 100644
index 0000000..f6074f7
--- /dev/null
+++ b/chart/templates/enterprise_feeds_secret.yaml
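Review bot: Switching the feeds deployment to `RollingUpdate` with `replicas: 1` means the defaults (maxSurge 25% rounded up to 1, maxUnavailable 25% rounded down to 0) start the replacement pod before the old one terminates; if this pod mounts a ReadWriteOnce volume — not visible in this hunk, but common for a feeds service — the new pod cannot attach it and the rollout stalls until the old pod is deleted by hand. Either keep `Recreate` for this single-replica service or add an explicit `rollingUpdate` with `maxSurge: 0` and `maxUnavailable: 1` so the old pod goes first. A short comment on `strategy:` stating which constraint drove the choice would help the next reader. The enterprise_ui_deployment.yaml hunk has the same single-replica shape and deserves the same check.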
@@ -0,0 +1,23 @@
+{{- if not .Values.anchoreEnterpriseFeeds.existingSecret }}
+{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}
+ labels:
+ app: {{ template "anchore-engine.fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.anchoreGlobal.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+type: Opaque
+stringData:
+ ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
+ ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }}
+ {{- with .Values.anchoreGlobal.saml.secret }}
+ ANCHORE_SAML_SECRET: {{ . }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/chart/templates/enterprise_ui_deployment.yaml b/chart/templates/enterprise_ui_deployment.yaml
index 5a3bc4b..c516091 100644
--- a/chart/templates/enterprise_ui_deployment.yaml
+++ b/chart/templates/enterprise_ui_deployment.yaml
@@ -24,8 +24,7 @@ spec:
 component: {{ $component }}
 replicas: 1
 strategy:
- type: Recreate
- rollingUpdate: null
+ type: RollingUpdate
 template:
 metadata:
 labels:
@@ -47,6 +46,13 @@ spec:
 {{- with .Values.anchoreEnterpriseUi.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.inject_secrets_via_env }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/enterprise_ui_secret.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/config: {{ include (print $.Template.BasePath "/enterprise_ui_configmap.yaml") . | sha256sum }}
+ {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+ checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+ {{- end }}
 spec:
 {{- with .Values.anchoreGlobal.securityContext }}
 securityContext:
diff --git a/chart/templates/enterprise_ui_secret.yaml b/chart/templates/enterprise_ui_secret.yaml
new file mode 100644
index 0000000..1284852
--- /dev/null
+++ b/chart/templates/enterprise_ui_secret.yaml
@@ -0,0 +1,31 @@
+{{- if not .Values.anchoreEnterpriseUi.existingSecret }}
+{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseUi.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "anchore-engine.enterprise-ui.fullname" . }}
+ labels:
+ app: {{ template "anchore-engine.fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.anchoreGlobal.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+type: Opaque
+stringData:
+ ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
+
+ {{- if .Values.anchoreGlobal.dbConfig.ssl }}
+ ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}?ssl=verify-full'
+ {{- else }}
+ ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}'
+ {{- end }}
+
+ {{- if and (index .Values "anchore-ui-redis" "externalEndpoint") (not (index .Values "anchore-ui-redis" "enabled")) }}
+ ANCHORE_REDIS_URI: '{{ index .Values "anchore-ui-redis" "externalEndpoint" }}'
+ {{- else }}
+ ANCHORE_REDIS_URI: 'redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379'
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/chart/templates/policy_engine_deployment.yaml b/chart/templates/policy_engine_deployment.yaml
index c3c6979..a1576e6 100644
--- a/chart/templates/policy_engine_deployment.yaml
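Review bot: `ANCHORE_APPDB_URI` and `ANCHORE_REDIS_URI` interpolate the raw `postgresPassword` and redis `password` into single-quoted URIs, so a `'` in either value terminates the YAML scalar and any `@`, `/`, `?`, `#`, `%` or `:` corrupts the URI for the consumer. Percent-encode the credential before embedding it, e.g. `{{ index .Values "postgresql" "postgresPassword" | urlquery }}` and the same for the redis password (Go's `urlquery` builtin is available in Helm templates). The ssl branch hard-codes `?ssl=verify-full` while the new password_update_job.yaml builds its URI from `dbConfig.sslMode`; if the divergence is intentional a comment on the `{{- if .Values.anchoreGlobal.dbConfig.ssl }}` line saying so would save the next reader a check.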
+++ b/chart/templates/policy_engine_deployment.yaml
@@ -22,8 +22,7 @@ spec:
 component: {{ $component }}
 replicas: {{ .Values.anchorePolicyEngine.replicaCount }}
 strategy:
- type: Recreate
- rollingUpdate: null
+ type: RollingUpdate
 template:
 metadata:
 labels:
@@ -42,6 +41,14 @@ spec:
 {{- with .Values.anchorePolicyEngine.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.inject_secrets_via_env }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+ checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+ {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+ checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+ {{- end }}
 spec:
 {{- with .Values.anchoreGlobal.securityContext }}
 securityContext:
diff --git a/chart/templates/secrets.yaml b/chart/templates/secrets.yaml
deleted file mode 100644
index 5fd15db..0000000
--- a/chart/templates/secrets.yaml
+++ /dev/null
@@ -1,79 +0,0 @@ -{{- if not .Values.anchoreGlobal.existingSecret }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "anchore-engine.fullname" . }} - labels: - app: {{ template "anchore-engine.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- with .Values.anchoreGlobal.labels }} - {{ toYaml . | nindent 4 }} - {{- end }} -type: Opaque -stringData: - ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }} - ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }} - {{- with .Values.anchoreGlobal.saml.secret }} - ANCHORE_SAML_SECRET: {{ . }} - {{- end }} -{{- end }} - ---- -{{- if not .Values.anchoreEnterpriseFeeds.existingSecret }} -{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "anchore-engine.enterprise-feeds.fullname" . }} - labels: - app: {{ template "anchore-engine.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- with .Values.anchoreGlobal.labels }} - {{ toYaml . | nindent 4 }} - {{- end }} -type: Opaque -stringData: - ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }} - ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }} - {{- with .Values.anchoreGlobal.saml.secret }} - ANCHORE_SAML_SECRET: {{ . }} - {{- end }} -{{- end }} -{{- end }} - ---- -{{- if not .Values.anchoreEnterpriseUi.existingSecret }} -{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseUi.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "anchore-engine.enterprise-ui.fullname" . }} - labels: - app: {{ template "anchore-engine.fullname" . 
}}
- chart: {{ .Chart.Name }}-{{ .Chart.Version }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- {{- with .Values.anchoreGlobal.labels }}
- {{ toYaml . | nindent 4 }}
- {{- end }}
-type: Opaque
-stringData:
- ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
-
- {{- if .Values.anchoreGlobal.dbConfig.ssl }}
- ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}?ssl=verify-full'
- {{- else }}
- ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}'
- {{- end }}
-
- {{- if and (index .Values "anchore-ui-redis" "externalEndpoint") (not (index .Values "anchore-ui-redis" "enabled")) }}
- ANCHORE_REDIS_URI: '{{ index .Values "anchore-ui-redis" "externalEndpoint" }}'
- {{- else }}
- ANCHORE_REDIS_URI: 'redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379'
- {{- end }}
-{{- end }}
-{{- end }}
diff --git a/chart/templates/simplequeue_deployment.yaml b/chart/templates/simplequeue_deployment.yaml
index 62e50f3..82b9e56 100644
--- a/chart/templates/simplequeue_deployment.yaml
+++ b/chart/templates/simplequeue_deployment.yaml
@@ -22,8 +22,7 @@ spec:
 component: {{ $component }}
 replicas: {{ .Values.anchoreSimpleQueue.replicaCount }}
 strategy:
- type: Recreate
- rollingUpdate: null
+ type: RollingUpdate
 template:
 metadata:
 labels:
@@ -42,6 +41,14 @@ spec:
 {{- with .Values.anchoreSimpleQueue.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.inject_secrets_via_env }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+ checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+ {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+ checksum/license: {{ include (print $.Template.BasePath "/bigbang/license-secret.yaml") . | sha256sum }}
+ {{- end }}
 spec:
 {{- with .Values.anchoreGlobal.securityContext }}
 securityContext:
--
GitLab