Project 'platform-one/big-bang/apps/security-tools/anchore-enterprise' was moved to 'big-bang/product/packages/anchore-enterprise'. Please update any links and bookmarks that may still have the old path.
anchore redeploy fix
All threads resolved!
All threads resolved!
Merge request reports
Activity
changed milestone to %1.15.0
added Big Bang Security anchore kindbug statusdoing labels
Resolved by bhearntesting scenario 1:
- installed tag
1.13.0-bb.6(last tag where SAML secret value was randomly generated)
# secret value is randomly generated $ k -n anchore get secret/anchore-anchore-engine -oyaml | grep ANCHORE_SAML_SECRET ANCHORE_SAML_SECRET: T1U1TmRGazRVMll5VkU1Qw== f:ANCHORE_SAML_SECRET: {} $ echo "T1U1TmRGazRVMll5VkU1Qw==" | base64 -d OU5NdFk4U2YyVE5C- upgraded to branch
redeploy-fix(this should be the last time anchore pods redeploy; expected since secrets and configmaps were modified)
# since secret already exists, old secret value remains the same k -n anchore get secret/anchore-anchore-engine -oyaml | grep ANCHORE_SAML_SECRET ANCHORE_SAML_SECRET: T1U1TmRGazRVMll5VkU1Qw== f:ANCHORE_SAML_SECRET: {} $ echo "T1U1TmRGazRVMll5VkU1Qw==" | base64 -d OU5NdFk4U2YyVE5C- upgrade anchore, changing the some values (ie. analyzer replicaCount from 1 to 2)
# anchore pods do not redeploy, only the new analyzer pod comes up :) $ k -n anchore get po NAME READY STATUS RESTARTS AGE anchore-anchore-feeds-db-7f59848645-xlp2n 1/1 Running 0 17m anchore-anchore-ui-redis-replicas-0 1/1 Running 0 17m anchore-anchore-ui-redis-master-0 1/1 Running 0 17m anchore-postgresql-85ddcc4b5d-g6w6c 1/1 Running 0 17m anchore-anchore-ui-redis-replicas-1 1/1 Running 0 17m anchore-anchore-engine-enterprise-ui-85f5dcc6d5-rpk59 1/1 Running 0 12m anchore-anchore-engine-api-5f98c94946-6zrfq 5/5 Running 0 12m anchore-anchore-engine-policy-6b5cc86586-78fcp 1/1 Running 0 12m anchore-anchore-engine-catalog-67b6d8489d-qsnhj 1/1 Running 0 12m anchore-anchore-engine-enterprise-feeds-6d66f4fcc5-nbdg6 1/1 Running 0 12m anchore-anchore-engine-analyzer-948d46d87-n7vfh 1/1 Running 0 12m anchore-anchore-engine-simplequeue-5f48f598cc-57z5h 1/1 Running 0 12m redis-clean-upgrade-dfrq7 0/1 Completed 0 3m38s anchore-anchore-engine-analyzer-948d46d87-v5w47 1/1 Running 0 3m34s anchore-engine-upgrade-mnnrj 0/1 Completed 0 3m33s anchore-enterprise-feeds-upgrade-47f8l 0/1 Completed 0 2m28s anchore-enterprise-upgrade-vv9j4 0/1 Completed 0 83s configure-sso-z2tvp 0/1 Completed 0 18s # secret value remains unchanged $ k -n anchore get secret/anchore-anchore-engine -oyaml | grep ANCHORE_SAML_SECRET ANCHORE_SAML_SECRET: T1U1TmRGazRVMll5VkU1Qw== f:ANCHORE_SAML_SECRET: {} $ echo "T1U1TmRGazRVMll5VkU1Qw==" | base64 -d OU5NdFk4U2YyVE5C
testing scenario 2:
- install branch
redeploy-fixwhile.Values.anchoreGlobal.oauthEnabled: true, but.Values.anchoreGlobal.saml.secret: Null(not configure; this would fail with default chart)
# secret value still gets randomly generated for the user, just not at the BB level anymore $ k -n anchore get secret/anchore-anchore-engine -oyaml | grep ANCHORE_SAML_SECRET ANCHORE_SAML_SECRET: TnZDeVFXN3Y2UzZ4 f:ANCHORE_SAML_SECRET: {} $ echo "TnZDeVFXN3Y2UzZ4" | base64 -d NvCyQW7v6S6x
testing scenario 3:
- install branch
redeploy-fixwhile.Values.anchoreGlobal.saml.secretis set tojigglypuff
# secret value gets set to "jigglypuff" $ k -n anchore get secret/anchore-anchore-engine -oyaml | grep ANCHORE_SAML_SECRET ANCHORE_SAML_SECRET: amlnZ2x5cHVmZg== f:ANCHORE_SAML_SECRET: {} $ echo "amlnZ2x5cHVmZg==" | base64 -d jigglypuff
testing scenario 4 UNSUPPORTED
User wants to change their ANCHORE_SAML_SECRET value, but the chart will first try to use the old secret, so I added a note to BBCHANGES that the user will have to delete the 2 secrets before changing the value.
Edited by bhearn- installed tag
- Last reply by bhearn
added statusreview label and removed statusdoing label
requested review from @micah.nagel
mentioned in commit 4337b4c8
mentioned in commit 68ed7559
Please register or sign in to reply