Anchore redeploys after every update due to randomly generated SAML secret
Bug
Description
After every helm update, Anchore will completely redeploy. This is because all of the resources have a checksum on the configmaps and secrets, which redeploy when the values change. And here we use a randomly generated SAML secret.
BigBang Version
1.14
Possible solution
This solution suggests the following code:
# store the secret-name as var
# in my case, the name was very long and containing a lot of fields
# so it helps me a lot
{{- $secret_name := "your-secret-name" -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ $secret_name }}
data:
# try to get the old secret
# keep in mind, that a dry-run only returns an empty map
{{- $old_sec := lookup "v1" "Secret" .Release.Namespace $secret_name }}
# check, if a secret is already set
{{- if or (not $old_sec) (not $old_sec.data) }}
# if not set, then generate a new password
db-password: {{ randAlphaNum 20 | b64enc }}
{{ else }}
# if set, then use the old value
db-password: {{ index $old_sec.data "db-password" }}
{{ end }}Activity
added Big Bang Security anchore kindbug labels
assigned to @bhearn
Thanks @michaelmcleroy, I'll see if we can get this in 1.15.0 or 1.16.0 at the latest
added statusdoing label
changed milestone to %1.15.0
changed iteration to Big Bang Iterations Aug 10, 2021 - Aug 23, 2021
-
I tried doing this at the BB level and ran into all sorts of issues, so I've decided to attempt the fix at the package level as the example solution shows
changed milestone to %1.16.0
changed iteration to Big Bang Iterations Aug 24, 2021 - Sep 6, 2021
mentioned in merge request !797 (merged)
added statusreview label and removed statusdoing label
closed with merge request !797 (merged)
mentioned in commit ebb58b20
removed statusreview label