diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index 05947900..4685112a 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.12.9
+version: 1.12.10
 appVersion: 0.9.3
 description: Anchore container analysis and policy evaluation engine service
 keywords:
diff --git a/stable/anchore-engine/templates/engine_upgrade_job.yaml b/stable/anchore-engine/templates/engine_upgrade_job.yaml
index 363836ac..dfe591d1 100644
--- a/stable/anchore-engine/templates/engine_upgrade_job.yaml
+++ b/stable/anchore-engine/templates/engine_upgrade_job.yaml
@@ -41,8 +41,26 @@ spec:
 {{- end }}
 {{- end }}
 restartPolicy: Never
+ {{- if .Values.cloudsql.enabled }}
+ shareProcessNamespace: true
+ {{- end }}
 containers:
- - name: "{{ .Release.Name }}-enterprise-upgrade"
+ {{- if .Values.cloudsql.enabled }}
+ - name: cloudsql-proxy
+ image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
+ imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
+ command: ["/cloud_sql_proxy"]
+ args:
+ - "-instances={{ .Values.cloudsql.instance }}=tcp:5432"
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}"
+ volumeMounts:
+ - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }}
+ name: {{ .Values.cloudsql.serviceAccSecretName }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+ - name: "{{ .Release.Name }}-engine-upgrade"
 {{- if .Values.anchoreEnterpriseGlobal.enabled }}
 image: {{ .Values.anchoreEnterpriseGlobal.image }}
 imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }}
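Review bot: The added `shareProcessNamespace: true` carries no comment explaining why a pod-level PID namespace change is needed for an upgrade Job; the line should say so, e.g. `# shared PID namespace so the upgrade container can find and signal the cloud_sql_proxy sidecar; without it the Job pod never completes`. The same comment should record the trade-off: in a shared PID namespace every process in the pod can read the other containers' `/proc/<pid>/cmdline`, and the next hunk has bash expand `${ANCHORE_DB_PASSWORD}` into the anchore-manager argv, so a compromised proxy image would be able to read the database credential — if anchore-manager can take the connection string from the environment instead of argv, that is the mitigation to prefer. The `SYS_PTRACE` capability granted in the next hunk is what allows signalling a process owned by a different UID across containers; if both images run as the same UID it may not be needed, so it is worth confirming rather than granting by default. The identical sidecar block is repeated in the enterprise_feeds_upgrade_job.yaml and enterprise_upgrade_job.yaml hunks below. The enclosing pod template `spec:` begins before this hunk.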
@@ -50,10 +68,21 @@ spec:
 image: {{ .Values.anchoreGlobal.image }}
 imagePullPolicy: {{ .Values.anchoreGlobal.imagePullPolicy }}
 {{- end }}
+ command: ["/bin/bash", "-c"]
+ args:
 {{- if .Values.anchoreGlobal.dbConfig.ssl }}
- args: ["/bin/bash", "-c", "anchore-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask"]
+ - |
+ anchore-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask;
 {{- else }}
- args: ["/bin/bash", "-c", "anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask"]
+ - |
+ anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
+ {{- end }}
+ {{- if .Values.cloudsql.enabled }}
+ sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid;
+ securityContext:
+ capabilities:
+ add:
+ - SYS_PTRACE
 {{- end }}
 envFrom:
 {{- if not .Values.inject_secrets_via_env }}
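Review bot: The SSL branch of the new block scalar breaks the command: inside `- |` the text `\\&sslrootcert=` is passed to bash literally, so bash reads `\\` as an escaped backslash and then an unescaped `&`, which backgrounds `anchore-manager` with a truncated URL and tries to run `sslrootcert=... upgrade --dontask` as a second command — the old double-quoted flow string turned `\\` into `\` before bash ever saw it. In the block scalar it has to be `\&sslrootcert=` (one backslash). The same lines are repeated in the enterprise_feeds_upgrade_job.yaml and enterprise_upgrade_job.yaml hunks below. Separately, the script joins its commands with `;` and `bash -c` returns the status of the last one, so when `cloudsql.enabled` is set a failed upgrade is masked by the `kill` and the Job reports success; capturing the status before stopping the proxy and exiting with it needs both branches folded into one block scalar so `exit $rc` can follow the kill (sketch below). The container's `envFrom` and the rest of the spec continue outside the hunk.
```yaml
        command: ["/bin/bash", "-c"]
        args:
          - |
            {{- if .Values.anchoreGlobal.dbConfig.ssl }}
            anchore-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask
            {{- else }}
            anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask
            {{- end }}
            rc=$?
            {{- if .Values.cloudsql.enabled }}
            # stop the proxy even when the upgrade failed, or the Job pod never completes
            sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid
            {{- end }}
            exit $rc
        {{- if .Values.cloudsql.enabled }}
        securityContext:
          capabilities:
            add:
              - SYS_PTRACE
        {{- end }}
        # … unchanged: envFrom …
```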
@@ -79,12 +108,19 @@ spec:
 mountPath: /home/anchore/certs/
 readOnly: true
 {{- end }}
- {{- with .Values.anchoreGlobal.certStoreSecretName }}
+ {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }}
 volumes:
+ {{- with .Values.anchoreGlobal.certStoreSecretName }}
 - name: certs
 secret:
 secretName: {{ . }}
 {{- end }}
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - name: {{ .Values.cloudsql.serviceAccSecretName }}
+ secret:
+ secretName: {{ .Values.cloudsql.serviceAccSecretName }}
+ {{- end }}
+ {{- end }}
 {{- with .Values.anchoreEngineUpgradeJob.nodeSelector }}
 nodeSelector:
 {{ toYaml . | nindent 8 }}
diff --git a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml
index 1b806e74..a5cb0eb8 100644
--- a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml
+++ b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml
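Review bot: The new `volumes` condition tests `.Values.cloudsql.useExistingServiceAcc` on its own, while the container that mounts the secret (first hunk of this file) is rendered only under `.Values.cloudsql.enabled`, so with the proxy disabled but `useExistingServiceAcc` still set the service-account key secret is attached to the Job pod with nothing mounting it — the kubelet will, I believe, still fetch it onto the node, and least privilege says a Job should not reference a credential it does not use. Gate both the outer `or` and the inner block on the proxy being enabled: `{{- if or .Values.anchoreGlobal.certStoreSecretName (and .Values.cloudsql.enabled .Values.cloudsql.useExistingServiceAcc) }}` and `{{- if and .Values.cloudsql.enabled .Values.cloudsql.useExistingServiceAcc }}`. The same condition is repeated in the volumes hunks of enterprise_feeds_upgrade_job.yaml and enterprise_upgrade_job.yaml below. The pod template `spec:` this sits in starts and ends outside the hunk.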
@@ -34,14 +34,43 @@ spec:
 imagePullSecrets:
 - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}
 restartPolicy: Never
+ {{- if .Values.cloudsql.enabled }}
+ shareProcessNamespace: true
+ {{- end }}
 containers:
+ {{- if .Values.cloudsql.enabled }}
+ - name: cloudsql-proxy
+ image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
+ imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
+ command: ["/cloud_sql_proxy"]
+ args:
+ - "-instances={{ .Values.cloudsql.instance }}=tcp:5432"
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}"
+ volumeMounts:
+ - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }}
+ name: {{ .Values.cloudsql.serviceAccSecretName }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
 - name: "{{ .Release.Name }}-enterprise-feeds-upgrade"
 imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }}
 image: {{ .Values.anchoreEnterpriseGlobal.image }}
+ command: ["/bin/bash", "-c"]
+ args:
 {{- if .Values.anchoreGlobal.dbConfig.ssl }}
- args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask"]
+ - |
+ anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask;
 {{- else }}
- args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask"]
+ - |
+ anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
+ {{- end }}
+ {{- if .Values.cloudsql.enabled }}
+ sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid;
+ securityContext:
+ capabilities:
+ add:
+ - SYS_PTRACE
 {{- end }}
 envFrom:
 {{- if not .Values.inject_secrets_via_env }}
@@ -70,12 +99,19 @@ spec:
 mountPath: /home/anchore/certs/
 readOnly: true
 {{- end }}
- {{- with .Values.anchoreGlobal.certStoreSecretName }}
+ {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }}
 volumes:
+ {{- with .Values.anchoreGlobal.certStoreSecretName }}
 - name: certs
 secret:
 secretName: {{ . }}
 {{- end }}
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - name: {{ .Values.cloudsql.serviceAccSecretName }}
+ secret:
+ secretName: {{ .Values.cloudsql.serviceAccSecretName }}
+ {{- end }}
+ {{- end }}
 {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.nodeSelector }}
 nodeSelector:
 {{ toYaml . | nindent 8 }}
diff --git a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml
index 084ff2d3..446e9e78 100644
--- a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml
+++ b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml
@@ -34,14 +34,43 @@ spec:
 imagePullSecrets:
 - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}
 restartPolicy: Never
+ {{- if .Values.cloudsql.enabled }}
+ shareProcessNamespace: true
+ {{- end }}
 containers:
+ {{- if .Values.cloudsql.enabled }}
+ - name: cloudsql-proxy
+ image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
+ imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
+ command: ["/cloud_sql_proxy"]
+ args:
+ - "-instances={{ .Values.cloudsql.instance }}=tcp:5432"
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}"
+ volumeMounts:
+ - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }}
+ name: {{ .Values.cloudsql.serviceAccSecretName }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
 - name: "{{ .Release.Name }}-enterprise-upgrade"
 imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }}
 image: {{ .Values.anchoreEnterpriseGlobal.image }}
+ command: ["/bin/bash", "-c"]
+ args:
 {{- if .Values.anchoreGlobal.dbConfig.ssl }}
- args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask"]
+ - |
+ anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask;
 {{- else }}
- args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask"]
+ - |
+ anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
+ {{- end }}
+ {{- if .Values.cloudsql.enabled }}
+ sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid;
+ securityContext:
+ capabilities:
+ add:
+ - SYS_PTRACE
 {{- end }}
 envFrom:
 {{- if not .Values.inject_secrets_via_env }}
@@ -67,12 +96,19 @@ spec:
 mountPath: /home/anchore/certs/
 readOnly: true
 {{- end }}
- {{- with .Values.anchoreGlobal.certStoreSecretName }}
+ {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }}
 volumes:
+ {{- with .Values.anchoreGlobal.certStoreSecretName }}
 - name: certs
 secret:
 secretName: {{ . }}
 {{- end }}
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - name: {{ .Values.cloudsql.serviceAccSecretName }}
+ secret:
+ secretName: {{ .Values.cloudsql.serviceAccSecretName }}
+ {{- end }}
+ {{- end }}
 {{- with .Values.anchoreEnterpriseEngineUpgradeJob.nodeSelector }}
 nodeSelector:
 {{ toYaml . | nindent 8 }}
diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml
index aa358de2..ac1b8c14 100644
--- a/stable/anchore-engine/values.yaml
+++ b/stable/anchore-engine/values.yaml
@@ -49,7 +49,7 @@ cloudsql:
 image:
 # set repo and image tag of gce-proxy
 repository: gcr.io/cloudsql-docker/gce-proxy
- tag: 1.12
+ tag: 1.22.0
 pullPolicy: IfNotPresent
 
 # Create an ingress resource for all external anchore engine services (API & Enterprise UI).