Merge pull request #137 from anchore/fix-google-cloud-upgrades

Fix google cloud upgrades
anchore · Apr 22, 2021 · 25d17d4 · 25d17d4
2 parents 3790a6f + dfb0971
commit 25d17d4
Show file tree

Hide file tree

Showing 5 changed files with 120 additions and 12 deletions.
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.12.9
+version: 1.12.10
 appVersion: 0.9.3
 description: Anchore container analysis and policy evaluation engine service
 keywords:

diff --git a/stable/anchore-engine/templates/engine_upgrade_job.yaml b/stable/anchore-engine/templates/engine_upgrade_job.yaml
@@ -41,19 +41,48 @@ spec:
       {{- end }}
     {{- end }}
       restartPolicy: Never
+      {{- if .Values.cloudsql.enabled }}
+      shareProcessNamespace: true
+      {{- end }}
       containers:
-      - name: "{{ .Release.Name }}-enterprise-upgrade"
+      {{- if .Values.cloudsql.enabled  }}
+      - name: cloudsql-proxy
+        image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
+        imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
+        command: ["/cloud_sql_proxy"]
+        args:
+        - "-instances={{ .Values.cloudsql.instance }}=tcp:5432"
+        {{- if .Values.cloudsql.useExistingServiceAcc }}
+        - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}"
+        volumeMounts:
+        - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }}
+          name: {{ .Values.cloudsql.serviceAccSecretName }}
+          readOnly: true
+        {{- end }}
+      {{- end }}
+      - name: "{{ .Release.Name }}-engine-upgrade"
         {{- if .Values.anchoreEnterpriseGlobal.enabled }}
         image: {{ .Values.anchoreEnterpriseGlobal.image }}
         imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }}
         {{- else }}
         image: {{ .Values.anchoreGlobal.image }}
         imagePullPolicy: {{ .Values.anchoreGlobal.imagePullPolicy }}
         {{- end }}
+        command: ["/bin/bash", "-c"]
+        args:
         {{- if .Values.anchoreGlobal.dbConfig.ssl }}
-        args: ["/bin/bash", "-c", "anchore-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask"]
+          - |
+            anchore-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask;
         {{- else }}
-        args: ["/bin/bash", "-c", "anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask"]
+          - |
+            anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
+        {{- end }}
+        {{- if .Values.cloudsql.enabled }}
+            sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid;
+        securityContext:
+          capabilities:
+            add:
+              - SYS_PTRACE
         {{- end }}
         envFrom:
         {{- if not .Values.inject_secrets_via_env }}
@@ -79,12 +108,19 @@ spec:
           mountPath: /home/anchore/certs/
           readOnly: true
         {{- end }}
-      {{- with .Values.anchoreGlobal.certStoreSecretName }}
+    {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }}
       volumes:
+      {{- with .Values.anchoreGlobal.certStoreSecretName }}
       - name: certs
         secret:
           secretName: {{ . }}
       {{- end }}
+      {{- if .Values.cloudsql.useExistingServiceAcc }}
+      - name: {{ .Values.cloudsql.serviceAccSecretName }}
+        secret:
+          secretName: {{ .Values.cloudsql.serviceAccSecretName }}
+      {{- end }}
+    {{- end }}
       {{- with .Values.anchoreEngineUpgradeJob.nodeSelector }}
       nodeSelector:
         {{ toYaml . | nindent 8 }}

diff --git a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml
@@ -34,14 +34,43 @@ spec:
       imagePullSecrets:
       - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}
       restartPolicy: Never
+      {{- if .Values.cloudsql.enabled }}
+      shareProcessNamespace: true
+      {{- end }}
       containers:
+      {{- if .Values.cloudsql.enabled  }}
+      - name: cloudsql-proxy
+        image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
+        imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
+        command: ["/cloud_sql_proxy"]
+        args:
+        - "-instances={{ .Values.cloudsql.instance }}=tcp:5432"
+        {{- if .Values.cloudsql.useExistingServiceAcc }}
+        - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}"
+        volumeMounts:
+        - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }}
+          name: {{ .Values.cloudsql.serviceAccSecretName }}
+          readOnly: true
+        {{- end }}
+      {{- end }}
       - name: "{{ .Release.Name }}-enterprise-feeds-upgrade"
         imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }}
         image: {{ .Values.anchoreEnterpriseGlobal.image }}
+        command: ["/bin/bash", "-c"]
+        args:
         {{- if .Values.anchoreGlobal.dbConfig.ssl }}
-        args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask"]
+          - |
+            anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask;
         {{- else }}
-        args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask"]
+          - |
+            anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
+        {{- end }}
+        {{- if .Values.cloudsql.enabled }}
+            sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid;
+        securityContext:
+          capabilities:
+            add:
+              - SYS_PTRACE
         {{- end }}
         envFrom:
         {{- if not .Values.inject_secrets_via_env }}
@@ -70,12 +99,19 @@ spec:
           mountPath: /home/anchore/certs/
           readOnly: true
         {{- end }}
-    {{- with .Values.anchoreGlobal.certStoreSecretName }}
+    {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }}
       volumes:
+      {{- with .Values.anchoreGlobal.certStoreSecretName }}
       - name: certs
         secret:
           secretName: {{ . }}
       {{- end }}
+      {{- if .Values.cloudsql.useExistingServiceAcc }}
+      - name: {{ .Values.cloudsql.serviceAccSecretName }}
+        secret:
+          secretName: {{ .Values.cloudsql.serviceAccSecretName }}
+      {{- end }}
+    {{- end }}
       {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.nodeSelector }}
       nodeSelector:
         {{ toYaml . | nindent 8 }}

diff --git a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml
@@ -34,14 +34,43 @@ spec:
       imagePullSecrets:
       - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}
       restartPolicy: Never
+      {{- if .Values.cloudsql.enabled }}
+      shareProcessNamespace: true
+      {{- end }}
       containers:
+      {{- if .Values.cloudsql.enabled  }}
+      - name: cloudsql-proxy
+        image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
+        imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
+        command: ["/cloud_sql_proxy"]
+        args:
+        - "-instances={{ .Values.cloudsql.instance }}=tcp:5432"
+        {{- if .Values.cloudsql.useExistingServiceAcc }}
+        - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}"
+        volumeMounts:
+        - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }}
+          name: {{ .Values.cloudsql.serviceAccSecretName }}
+          readOnly: true
+        {{- end }}
+      {{- end }}
       - name: "{{ .Release.Name }}-enterprise-upgrade"
         imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }}
         image: {{ .Values.anchoreEnterpriseGlobal.image }}
+        command: ["/bin/bash", "-c"]
+        args:
         {{- if .Values.anchoreGlobal.dbConfig.ssl }}
-        args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask"]
+          - |
+            anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask;
         {{- else }}
-        args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask"]
+          - |
+            anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
+        {{- end }}
+        {{- if .Values.cloudsql.enabled }}
+            sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid;
+        securityContext:
+          capabilities:
+            add:
+              - SYS_PTRACE
         {{- end }}
         envFrom:
         {{- if not .Values.inject_secrets_via_env }}
@@ -67,12 +96,19 @@ spec:
           mountPath: /home/anchore/certs/
           readOnly: true
         {{- end }}
-    {{- with .Values.anchoreGlobal.certStoreSecretName }}
+    {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }}
       volumes:
+      {{- with .Values.anchoreGlobal.certStoreSecretName }}
       - name: certs
         secret:
           secretName: {{ . }}
       {{- end }}
+      {{- if .Values.cloudsql.useExistingServiceAcc }}
+      - name: {{ .Values.cloudsql.serviceAccSecretName }}
+        secret:
+          secretName: {{ .Values.cloudsql.serviceAccSecretName }}
+      {{- end }}
+    {{- end }}
       {{- with .Values.anchoreEnterpriseEngineUpgradeJob.nodeSelector }}
       nodeSelector:
         {{ toYaml . | nindent 8 }}

diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml
@@ -49,7 +49,7 @@ cloudsql:
   image:
     # set repo and image tag of gce-proxy
     repository: gcr.io/cloudsql-docker/gce-proxy
-    tag: 1.12
+    tag: 1.22.0
     pullPolicy: IfNotPresent
 
 # Create an ingress resource for all external anchore engine services (API & Enterprise UI).