From b6271bf8e43812ebba1c5116643c52d9264aba25 Mon Sep 17 00:00:00 2001 From: Tim Seagren Date: Fri, 13 Aug 2021 14:07:59 -0700 Subject: [PATCH 1/4] adding ability to configure a superuser for anchore database provisioning --- chart/templates/bigbang/db/2 | 61 +++++++++++++++++++ .../bigbang/db/ensure-anchore-db.yaml | 35 ++++++++++- .../templates/bigbang/db/ensure-feeds-db.yaml | 35 ++++++++++- .../bigbang/db/superuser-db-secret.yaml | 25 ++++++++ chart/values.yaml | 7 ++- 5 files changed, 156 insertions(+), 7 deletions(-) create mode 100644 chart/templates/bigbang/db/2 create mode 100644 chart/templates/bigbang/db/superuser-db-secret.yaml diff --git a/chart/templates/bigbang/db/2 b/chart/templates/bigbang/db/2 new file mode 100644 index 0000000..9eb347a --- /dev/null +++ b/chart/templates/bigbang/db/2 
@@ -0,0 +1,61 @@ +{{- if and (hasKey (index .Values "anchore-feeds-db") "enabled") }} +{{- if and (not (index .Values "anchore-feeds-db" "enabled")) .Values.anchoreEnterpriseGlobal.enabled }} +# Job to sync db and db user with external postgres for Anchore's feeds db +apiVersion: batch/v1 +kind: Job +metadata: + name: ensure-feeds-db + annotations: + "helm.sh/hook-weight": "-4" + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +spec: + template: + metadata: + name: ensure-feeds-db + annotations: + sidecar.istio.io/inject: 'false' + spec: + imagePullSecrets: + - name: {{ (index .Values "anchore-feeds-db" "imagePullSecrets") }} + containers: + - name: psql + image: {{ (index .Values "anchore-feeds-db" "image") }} + {{- if and .Values.postgresqlSuperUser.postgresUsername .Values.postgresqlSuperUser.postgresPassword }} + command: + - /bin/bash + - -exc + - | + echo "Ensure Anchore Feeds DB..." + psql -tc "SELECT 1 FROM pg_database WHERE datname = '$FEEDS_DB'" | grep -q 1 || psql -c "CREATE DATABASE $FEEDS_DB" + psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$FEEDS_USER'" | grep -q 1 && psql -c "ALTER USER $FEEDS_USER WITH PASSWORD '$FEEDS_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $FEEDS_USER;" | grep -q GRANT || psql -c "CREATE USER $FEEDS_USER WITH PASSWORD '$FEEDS_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $FEEDS_USER;" + env: + - name: FEEDS_USER + valueFrom: + secretRef: + name: feeds-db-credentials + key: PGUSER + - name: FEEDS_PASSWORD + valueFrom: + secretRef: + name: feeds-db-credentials + key: PGPASSWORD + envFrom: + - secretRef: + name: superuser-db-credentials + {{- else }} + command: + - /bin/bash + - -exc + - | + echo "Ensure Anchore Feeds DB..." 
+ + psql -tc "SELECT 1 FROM pg_database WHERE datname = '$FEEDS_DB'" | grep -q 1 || psql -c "CREATE DATABASE $FEEDS_DB" + psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$PGUSER'" | grep -q 1 && psql -c "ALTER USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $PGUSER;" | grep -q GRANT || psql -c "CREATE USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $PGUSER;" + envFrom: + - secretRef: + name: feeds-db-credentials + {{- end}} + restartPolicy: OnFailure +{{- end }} +{{- end }} diff --git a/chart/templates/bigbang/db/ensure-anchore-db.yaml b/chart/templates/bigbang/db/ensure-anchore-db.yaml index 99492a2..7445b7f 100644 --- a/chart/templates/bigbang/db/ensure-anchore-db.yaml +++ b/chart/templates/bigbang/db/ensure-anchore-db.yaml 
@@ -21,17 +21,46 @@ spec: containers: - name: psql image: {{ .Values.postgresql.image }} + {{- if and .Values.postgresqlSuperUser.postgresUsername .Values.postgresqlSuperUser.postgresPassword }} command: - /bin/bash - -exc - - | + - | echo "Ensure Anchore DB..." - + psql -tc "SELECT 1 FROM pg_database WHERE datname = '$ANCHORE_DB'" | grep -q 1 || psql -c "CREATE DATABASE $ANCHORE_DB" + psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$ANCHORE_USER'" | grep -q 1 && psql -c "ALTER USER $ANCHORE_USER WITH PASSWORD '$ANCHORE_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $ANCHORE_USER;" | grep -q GRANT || psql -c "CREATE USER $ANCHORE_USER WITH PASSWORD '$ANCHORE_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $ANCHORE_USER;" + env: + - name: ANCHORE_USER + valueFrom: + secretRef: + name: anchore-db-credentials + key: PGUSER + - name: ANCHORE_PASSWORD + valueFrom: + secretRef: + name: anchore-db-credentials + key: PGPASSWORD + - name: ANCHORE_DB + valueFrom: + secretRef: + name: anchore-db-credentials + key: ANCHORE_DB + envFrom: + - secretRef: + name: superuser-db-credentials + {{- else }} + command: + - /bin/bash + - -exc + - | + echo "Ensure Anchore DB..." + psql -tc "SELECT 1 FROM pg_database WHERE datname = '$ANCHORE_DB'" | grep -q 1 || psql -c "CREATE DATABASE $ANCHORE_DB" psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$PGUSER'" | grep -q 1 && psql -c "ALTER USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $PGUSER;" | grep -q GRANT || psql -c "CREATE USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $ANCHORE_DB TO $PGUSER;" envFrom: - secretRef: name: anchore-db-credentials + {{- end }} restartPolicy: OnFailure {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/chart/templates/bigbang/db/ensure-feeds-db.yaml b/chart/templates/bigbang/db/ensure-feeds-db.yaml index 2bedd7c..f6230e9 100644 --- a/chart/templates/bigbang/db/ensure-feeds-db.yaml 
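Review bot: The superuser branch's new `CREATE USER ... WITH PASSWORD '$ANCHORE_PASSWORD'` and `ALTER USER` lines run under `bash -exc`, and `-x` prints every expanded command to the pod's stdout, so the application user's plaintext password ends up in the Job logs (and in any log pipeline that collects them); the else branch added below repeats the pattern, and the matching hunk in ensure-feeds-db.yaml has the same issue with `$FEEDS_PASSWORD`. Changing `- -exc` to `- -ec` keeps the fail-fast behaviour without tracing credentials; the `echo "Ensure Anchore DB..."` line already provides a progress marker. Separately, the password is spliced into a single-quoted SQL literal without escaping, so a value containing `'` breaks the statement — worth a caveat in values.yaml or a `fail` in the template. The enclosing Job spec begins before this hunk.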
+++ b/chart/templates/bigbang/db/ensure-feeds-db.yaml @@ -21,17 +21,46 @@ spec: containers: - name: psql image: {{ (index .Values "anchore-feeds-db" "image") }} + {{- if and .Values.postgresqlSuperUser.postgresUsername .Values.postgresqlSuperUser.postgresPassword }} command: - /bin/bash - -exc - - | + - | echo "Ensure Anchore Feeds DB..." - + psql -tc "SELECT 1 FROM pg_database WHERE datname = '$FEEDS_DB'" | grep -q 1 || psql -c "CREATE DATABASE $FEEDS_DB" + psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$FEEDS_USER'" | grep -q 1 && psql -c "ALTER USER $FEEDS_USER WITH PASSWORD '$FEEDS_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $FEEDS_USER;" | grep -q GRANT || psql -c "CREATE USER $FEEDS_USER WITH PASSWORD '$FEEDS_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $FEEDS_USER;" + env: + - name: FEEDS_USER + valueFrom: + secretRef: + name: feeds-db-credentials + key: PGUSER + - name: FEEDS_PASSWORD + valueFrom: + secretRef: + name: feeds-db-credentials + key: PGPASSWORD + - name: FEEDS_DB + valueFrom: + secretRef: + name: feeds-db-credentials + key: FEEDS_DB + envFrom: + - secretRef: + name: superuser-db-credentials + {{- else }} + command: + - /bin/bash + - -exc + - | + echo "Ensure Anchore Feeds DB..." + psql -tc "SELECT 1 FROM pg_database WHERE datname = '$FEEDS_DB'" | grep -q 1 || psql -c "CREATE DATABASE $FEEDS_DB" psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$PGUSER'" | grep -q 1 && psql -c "ALTER USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $PGUSER;" | grep -q GRANT || psql -c "CREATE USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $PGUSER;" envFrom: - secretRef: name: feeds-db-credentials + {{- end }} restartPolicy: OnFailure {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/chart/templates/bigbang/db/superuser-db-secret.yaml b/chart/templates/bigbang/db/superuser-db-secret.yaml new file mode 100644 index 0000000..9ab6b79 
--- /dev/null +++ b/chart/templates/bigbang/db/superuser-db-secret.yaml @@ -0,0 +1,25 @@ +{{- if and .Values.postgresqlSuperUser.postgresUsername .Values.postgresqlSuperUser.postgresPassword }} +apiVersion: v1 +kind: Secret +metadata: + name: superuser-db-credentials + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: superuser-db-secret + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/part-of: anchore-enterprise + app.kubernetes.io/component: database + annotations: + "helm.sh/hook-weight": "-5" + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation +type: Opaque +data: + PGUSER: {{ b64enc .Values.postgresqlSuperUser.postgresUsername }} + PGPASSWORD: {{ b64enc .Values.postgresqlSuperUser.postgresPassword }} + PGDATABASE: {{ b64enc "postgres" }} + PGHOST: {{$v := .Values.postgresql.externalEndpoint | split ":"}}{{b64enc $v._0}} + PGPORT: "{{$v := .Values.postgresql.externalEndpoint | split ":"}}{{b64enc $v._1}}" + ANCHORE_DB: {{ b64enc .Values.postgresql.postgresDatabase }} +{{- end }} diff --git a/chart/values.yaml b/chart/values.yaml index 77ccead..433cfea 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -32,6 +32,11 @@ networkPolicies: app: istio-ingressgateway istio: ingressgateway +# Use Database instance Superuser to create postgresql.postgresDatabase, postgresql.postgresUser, anchore-feeds-db.postgresDatabase, and anchore-feeds-db.postgresUser +postgresqlSuperUser: + postgresUsername: "" + postgresPassword: "" + # Enable Prometheus Monitoring monitoring: enabled: false @@ -249,7 +254,7 @@ anchoreGlobal: metricsAuthDisabled: false # Sets the password & email address for the default anchore-engine admin user. - defaultAdminPassword: + defaultAdminPassword: defaultAdminEmail: example@email.com saml: -- GitLab From 350bb42220bf85d236268d40d2b88b71962abdfb Mon Sep 17 00:00:00 2001 
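Review bot: `PGHOST` and `PGPORT` are built by splitting `.Values.postgresql.externalEndpoint` on `:`, so an endpoint given without a port leaves `$v._1` unset — PGPORT then renders as an empty value (or the render fails under strict mode) — and a bare IPv6 address would split at the wrong colon; guarding it with `{{- if not (contains ":" .Values.postgresql.externalEndpoint) }}{{ fail "postgresql.externalEndpoint must be host:port" }}{{- end }}` makes the failure explicit. `PGPORT` is also the only data entry wrapped in double quotes; dropping them keeps the block consistent, since `b64enc` output needs no quoting. Because the delete policy is only `before-hook-creation`, the superuser password stays resident in the namespace after the ensure-db Jobs finish, until the next install or upgrade; Helm 3 applies `hook-succeeded` deletion after all hooks of the phase complete, so `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded` should let the weight -4 Jobs consume the Secret and then remove it, but confirm that ordering against the pinned Helm version before relying on it.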
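Review bot: The comment above `postgresqlSuperUser:` says what the superuser is used for but not the two things a user needs to know: both fields must be non-empty (the templates gate on `and postgresUsername postgresPassword`, otherwise the ensure-db jobs fall back to connecting as the application user), and the pair is written into the `superuser-db-credentials` hook Secret, so it belongs in `--set` or an external values file rather than a committed values.yaml. A second comment line such as `# Both fields must be set to use the superuser path; they are rendered into the superuser-db-credentials Secret, so pass them at install time rather than committing them` covers that. The second hunk in this file is whitespace-only.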
From: Tim Seagren Date: Fri, 13 Aug 2021 14:09:36 -0700 Subject: [PATCH 2/4] removing '2' --- chart/templates/bigbang/db/2 | 61 ------------------------------------ 1 file changed, 61 deletions(-) delete mode 100644 chart/templates/bigbang/db/2 diff --git a/chart/templates/bigbang/db/2 b/chart/templates/bigbang/db/2 deleted file mode 100644 index 9eb347a..0000000 --- a/chart/templates/bigbang/db/2 +++ /dev/null 
@@ -1,61 +0,0 @@ -{{- if and (hasKey (index .Values "anchore-feeds-db") "enabled") }} -{{- if and (not (index .Values "anchore-feeds-db" "enabled")) .Values.anchoreEnterpriseGlobal.enabled }} -# Job to sync db and db user with external postgres for Anchore's feeds db -apiVersion: batch/v1 -kind: Job -metadata: - name: ensure-feeds-db - annotations: - "helm.sh/hook-weight": "-4" - "helm.sh/hook": pre-install,pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation -spec: - template: - metadata: - name: ensure-feeds-db - annotations: - sidecar.istio.io/inject: 'false' - spec: - imagePullSecrets: - - name: {{ (index .Values "anchore-feeds-db" "imagePullSecrets") }} - containers: - - name: psql - image: {{ (index .Values "anchore-feeds-db" "image") }} - {{- if and .Values.postgresqlSuperUser.postgresUsername .Values.postgresqlSuperUser.postgresPassword }} - command: - - /bin/bash - - -exc - - | - echo "Ensure Anchore Feeds DB..." - psql -tc "SELECT 1 FROM pg_database WHERE datname = '$FEEDS_DB'" | grep -q 1 || psql -c "CREATE DATABASE $FEEDS_DB" - psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$FEEDS_USER'" | grep -q 1 && psql -c "ALTER USER $FEEDS_USER WITH PASSWORD '$FEEDS_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $FEEDS_USER;" | grep -q GRANT || psql -c "CREATE USER $FEEDS_USER WITH PASSWORD '$FEEDS_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $FEEDS_USER;" - env: - - name: FEEDS_USER - valueFrom: - secretRef: - name: feeds-db-credentials - key: PGUSER - - name: FEEDS_PASSWORD - valueFrom: - secretRef: - name: feeds-db-credentials - key: PGPASSWORD - envFrom: - - secretRef: - name: superuser-db-credentials - {{- else }} - command: - - /bin/bash - - -exc - - | - echo "Ensure Anchore Feeds DB..." 
- - psql -tc "SELECT 1 FROM pg_database WHERE datname = '$FEEDS_DB'" | grep -q 1 || psql -c "CREATE DATABASE $FEEDS_DB" - psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$PGUSER'" | grep -q 1 && psql -c "ALTER USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $PGUSER;" | grep -q GRANT || psql -c "CREATE USER $PGUSER WITH PASSWORD '$PGPASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $FEEDS_DB TO $PGUSER;" - envFrom: - - secretRef: - name: feeds-db-credentials - {{- end}} - restartPolicy: OnFailure -{{- end }} -{{- end }} -- GitLab From 34a9f9a365a4d3b24b49756402d869183784f7a9 Mon Sep 17 00:00:00 2001 From: Tim Seagren Date: Fri, 13 Aug 2021 16:05:54 -0700 Subject: [PATCH 3/4] changing secretRef to secretKeyRef --- chart/templates/bigbang/db/ensure-anchore-db.yaml | 6 +++--- chart/templates/bigbang/db/ensure-feeds-db.yaml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/chart/templates/bigbang/db/ensure-anchore-db.yaml b/chart/templates/bigbang/db/ensure-anchore-db.yaml index 7445b7f..b6c0242 100644 --- a/chart/templates/bigbang/db/ensure-anchore-db.yaml +++ b/chart/templates/bigbang/db/ensure-anchore-db.yaml @@ -32,17 +32,17 @@ spec: env: - name: ANCHORE_USER valueFrom: - secretRef: + secretKeyRef: name: anchore-db-credentials key: PGUSER - name: ANCHORE_PASSWORD valueFrom: - secretRef: + secretKeyRef: name: anchore-db-credentials key: PGPASSWORD - name: ANCHORE_DB valueFrom: - secretRef: + secretKeyRef: name: anchore-db-credentials key: ANCHORE_DB envFrom: diff --git a/chart/templates/bigbang/db/ensure-feeds-db.yaml b/chart/templates/bigbang/db/ensure-feeds-db.yaml index f6230e9..0d736c4 100644 --- a/chart/templates/bigbang/db/ensure-feeds-db.yaml +++ b/chart/templates/bigbang/db/ensure-feeds-db.yaml 
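Review bot: `ANCHORE_DB` is now read from `anchore-db-credentials` while the `envFrom` entry just below the hunk also injects `superuser-db-credentials`, which (per the first patch in this series) carries its own `ANCHORE_DB`; Kubernetes gives an explicit `env` entry precedence over `envFrom`, so this is harmless but easy to misread. A one-line comment on the entry, `# explicit env wins over the ANCHORE_DB also exported by superuser-db-credentials`, would record the intent. The container spec continues outside the hunk on both sides.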
@@ -32,17 +32,17 @@ spec: env: - name: FEEDS_USER valueFrom: - secretRef: + secretKeyRef: name: feeds-db-credentials key: PGUSER - name: FEEDS_PASSWORD valueFrom: - secretRef: + secretKeyRef: name: feeds-db-credentials key: PGPASSWORD - name: FEEDS_DB valueFrom: - secretRef: + secretKeyRef: name: feeds-db-credentials key: FEEDS_DB envFrom: -- GitLab From 70bec4126cb688a0fa81a106bef94cfc2a7e4739 Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Tue, 17 Aug 2021 13:49:27 -0400 Subject: [PATCH 4/4] update version --- CHANGELOG.md | 5 +++++ chart/Chart.yaml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e586c7e..431523c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [1.13.0-bb.5] +## Added +- `.Values.postgresqlSuperUser.postgresUsername` and `.Values.postgresqlSuperUser.postgresPassword` for conditionally changing the commands in the ensure db jobs to allow for finer-grain postgres user permissions +- `chart/templates/bigbang/db/superuser-db-secret.yaml` secret to populate fields in the ensure db jobs + ## [1.13.0-bb.4] ### Fixed - update allow-kube-dns NP to conditionally add port 5353 egress when `.Values.anchoreGlobal.openShiftDeployment` is `true` diff --git a/chart/Chart.yaml b/chart/Chart.yaml index eeeaaee..b4bd06c 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.13.0-bb.4 +version: 1.13.0-bb.5 appVersion: 0.10.0 description: Anchore container analysis and policy evaluation engine service keywords: -- GitLab