From 5672324cee4384a66d78a8698046ab72f663d57e Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Thu, 15 Apr 2021 11:26:50 -0700
Subject: [PATCH 1/4] add cloudsql configs to all upgrade jobs
Signed-off-by: Brady Todhunter
---
 .../templates/engine_upgrade_job.yaml | 24 ++++++++++++++++++-
 .../enterprise_feeds_upgrade_job.yaml | 24 ++++++++++++++++++-
 .../templates/enterprise_upgrade_job.yaml | 24 ++++++++++++++++++-
 3 files changed, 69 insertions(+), 3 deletions(-)
diff --git a/stable/anchore-engine/templates/engine_upgrade_job.yaml b/stable/anchore-engine/templates/engine_upgrade_job.yaml
index 363836ac..3db9ce32 100644
--- a/stable/anchore-engine/templates/engine_upgrade_job.yaml
+++ b/stable/anchore-engine/templates/engine_upgrade_job.yaml
@@ -42,6 +42,21 @@ spec:
 {{- end }}
 restartPolicy: Never
 containers:
+ {{- if .Values.cloudsql.enabled }}
+ - name: cloudsql-proxy
+ image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
+ imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
+ command: ["/cloud_sql_proxy"]
+ args:
+ - "-instances={{ .Values.cloudsql.instance }}=tcp:5432"
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}"
+ volumeMounts:
+ - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }}
+ name: {{ .Values.cloudsql.serviceAccSecretName }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
 - name: "{{ .Release.Name }}-enterprise-upgrade"
 {{- if .Values.anchoreEnterpriseGlobal.enabled }}
 image: {{ .Values.anchoreEnterpriseGlobal.image }}
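Review bot: The cloudsql-proxy sidecar block added after `containers:` is pasted verbatim into all three upgrade-job templates (this hunk and the matching hunks of the feeds and enterprise jobs on the next two lines), so a later change to the proxy flags, the credential mount path or the hard-coded `tcp:5432` has to be repeated three times and can silently drift between jobs. Since these templates already use `nindent`, the sidecar could live in one named template — e.g. `{{- define "anchore-engine.cloudsqlProxyContainer" }}` in the chart's helper file — and each job would carry a single `{{- include "anchore-engine.cloudsqlProxyContainer" . | nindent N }}` inside the existing `{{- if .Values.cloudsql.enabled }}` guard, with N matching the container indentation of that file. The same applies to the secret-volume stanza added in the second hunk of each file. The `containers:` list belongs to a pod spec that begins outside the hunk.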
@@ -79,12 +94,19 @@ spec:
 mountPath: /home/anchore/certs/
 readOnly: true
 {{- end }}
- {{- with .Values.anchoreGlobal.certStoreSecretName }}
+ {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }}
 volumes:
+ {{- with .Values.anchoreGlobal.certStoreSecretName }}
 - name: certs
 secret:
 secretName: {{ . }}
 {{- end }}
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - name: {{ .Values.cloudsql.serviceAccSecretName }}
+ secret:
+ secretName: {{ .Values.cloudsql.serviceAccSecretName }}
+ {{- end }}
+ {{- end }}
 {{- with .Values.anchoreEngineUpgradeJob.nodeSelector }}
 nodeSelector:
 {{ toYaml . | nindent 8 }}
diff --git a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml
index 1b806e74..c2cb7e2f 100644
--- a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml
+++ b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml
@@ -35,6 +35,21 @@ spec:
 - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}
 restartPolicy: Never
 containers:
+ {{- if .Values.cloudsql.enabled }}
+ - name: cloudsql-proxy
+ image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
+ imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
+ command: ["/cloud_sql_proxy"]
+ args:
+ - "-instances={{ .Values.cloudsql.instance }}=tcp:5432"
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}"
+ volumeMounts:
+ - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }}
+ name: {{ .Values.cloudsql.serviceAccSecretName }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
 - name: "{{ .Release.Name }}-enterprise-feeds-upgrade"
 imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }}
 image: {{ .Values.anchoreEnterpriseGlobal.image }}
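Review bot: The new outer guard `{{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }}` and the inner `{{- if .Values.cloudsql.useExistingServiceAcc }}` never consult `.Values.cloudsql.enabled`, whereas the matching `volumeMounts` entry in the first hunk sits inside that flag. With `cloudsql.enabled: false` and `useExistingServiceAcc: true` the pod would still be given a secret volume that no container mounts, and because secret volumes are required unless marked optional, the job's containers would not start if the named secret is absent from the namespace. Suggest `{{- if or .Values.anchoreGlobal.certStoreSecretName (and .Values.cloudsql.enabled .Values.cloudsql.useExistingServiceAcc) }}` for the outer guard and `{{- if and .Values.cloudsql.enabled .Values.cloudsql.useExistingServiceAcc }}` for the inner one, so the volume and the mount are gated identically. The same pattern appears in the volumes hunks of the feeds and enterprise upgrade jobs on the next two lines; the enclosing pod spec starts outside the hunk.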
@@ -70,12 +85,19 @@ spec:
 mountPath: /home/anchore/certs/
 readOnly: true
 {{- end }}
- {{- with .Values.anchoreGlobal.certStoreSecretName }}
+ {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }}
 volumes:
+ {{- with .Values.anchoreGlobal.certStoreSecretName }}
 - name: certs
 secret:
 secretName: {{ . }}
 {{- end }}
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - name: {{ .Values.cloudsql.serviceAccSecretName }}
+ secret:
+ secretName: {{ .Values.cloudsql.serviceAccSecretName }}
+ {{- end }}
+ {{- end }}
 {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.nodeSelector }}
 nodeSelector:
 {{ toYaml . | nindent 8 }}
diff --git a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml
index 084ff2d3..a199f339 100644
--- a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml
+++ b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml
@@ -35,6 +35,21 @@ spec:
 - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}
 restartPolicy: Never
 containers:
+ {{- if .Values.cloudsql.enabled }}
+ - name: cloudsql-proxy
+ image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
+ imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
+ command: ["/cloud_sql_proxy"]
+ args:
+ - "-instances={{ .Values.cloudsql.instance }}=tcp:5432"
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}"
+ volumeMounts:
+ - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }}
+ name: {{ .Values.cloudsql.serviceAccSecretName }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
 - name: "{{ .Release.Name }}-enterprise-upgrade"
 imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }}
 image: {{ .Values.anchoreEnterpriseGlobal.image }}
@@ -67,12 +82,19 @@ spec:
 mountPath: /home/anchore/certs/
 readOnly: true
 {{- end }}
- {{- with .Values.anchoreGlobal.certStoreSecretName }}
+ {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }}
 volumes:
+ {{- with .Values.anchoreGlobal.certStoreSecretName }}
 - name: certs
 secret:
 secretName: {{ . }}
 {{- end }}
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - name: {{ .Values.cloudsql.serviceAccSecretName }}
+ secret:
+ secretName: {{ .Values.cloudsql.serviceAccSecretName }}
+ {{- end }}
+ {{- end }}
 {{- with .Values.anchoreEnterpriseEngineUpgradeJob.nodeSelector }}
 nodeSelector:
 {{ toYaml . | nindent 8 }}
From 4a40c758f9e0b8a9c173b168dd9ea3211917f34d Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Fri, 16 Apr 2021 13:40:53 -0700
Subject: [PATCH 2/4] bump chart version
Signed-off-by: Brady Todhunter
---
 stable/anchore-engine/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index 05947900..4685112a 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.12.9
+version: 1.12.10
 appVersion: 0.9.3
 description: Anchore container analysis and policy evaluation engine service
 keywords:
From b80800ce9c26442b37ea57c266cac8ca7ce486de Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Thu, 22 Apr 2021 11:02:09 -0700
Subject: [PATCH 3/4] bump cloudsql proxy image to latest
Signed-off-by: Brady Todhunter
---
 stable/anchore-engine/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml
index aa358de2..ac1b8c14 100644
--- a/stable/anchore-engine/values.yaml
+++ b/stable/anchore-engine/values.yaml
@@ -49,7 +49,7 @@ cloudsql:
 image:
 # set repo and image tag of gce-proxy
 repository: gcr.io/cloudsql-docker/gce-proxy
- tag: 1.12
+ tag: 1.22.0
 pullPolicy: IfNotPresent
 
 # Create an ingress resource for all external anchore engine services (API & Enterprise UI).
From dfb0971e257d7be1f60d27259f2e08118eac1174 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Thu, 22 Apr 2021 12:48:23 -0700
Subject: [PATCH 4/4] kill cloudsql container when upgrade job finishes
Signed-off-by: Brady Todhunter
---
 .../templates/engine_upgrade_job.yaml | 20 ++++++++++++++++---
 .../enterprise_feeds_upgrade_job.yaml | 18 +++++++++++++++--
 .../templates/enterprise_upgrade_job.yaml | 18 +++++++++++++++--
 3 files changed, 49 insertions(+), 7 deletions(-)
diff --git a/stable/anchore-engine/templates/engine_upgrade_job.yaml b/stable/anchore-engine/templates/engine_upgrade_job.yaml
index 3db9ce32..dfe591d1 100644
--- a/stable/anchore-engine/templates/engine_upgrade_job.yaml
+++ b/stable/anchore-engine/templates/engine_upgrade_job.yaml
@@ -41,6 +41,9 @@ spec:
 {{- end }}
 {{- end }}
 restartPolicy: Never
+ {{- if .Values.cloudsql.enabled }}
+ shareProcessNamespace: true
+ {{- end }}
 containers:
 {{- if .Values.cloudsql.enabled }}
 - name: cloudsql-proxy
@@ -57,7 +60,7 @@ spec:
 readOnly: true
 {{- end }}
 {{- end }}
- - name: "{{ .Release.Name }}-enterprise-upgrade"
+ - name: "{{ .Release.Name }}-engine-upgrade"
 {{- if .Values.anchoreEnterpriseGlobal.enabled }}
 image: {{ .Values.anchoreEnterpriseGlobal.image }}
 imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }}
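Review bot: `shareProcessNamespace: true` does more than let the upgrade container find the proxy's PID: every process in the pod can also reach the other container's root filesystem through `/proc/<pid>/root`, so the service-account key mounted into the proxy and whatever credentials the upgrade container holds are separated only by unix file permissions and UIDs, not by the container boundary. That trade-off is invisible in the template, so a comment above the new line would help the next maintainer, e.g. `# shared PID namespace lets the upgrade container signal cloud_sql_proxy when it is done; it also exposes each container's filesystem to the other via /proc/<pid>/root`. Whether the two containers run as the same UID cannot be seen from this hunk and is worth confirming before relying on that separation. The same stanza is added to the feeds and enterprise upgrade jobs in the hunks on the following lines.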
@@ -65,10 +68,21 @@ spec:
 image: {{ .Values.anchoreGlobal.image }}
 imagePullPolicy: {{ .Values.anchoreGlobal.imagePullPolicy }}
 {{- end }}
+ command: ["/bin/bash", "-c"]
+ args:
 {{- if .Values.anchoreGlobal.dbConfig.ssl }}
- args: ["/bin/bash", "-c", "anchore-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask"]
+ - |
+ anchore-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask;
 {{- else }}
- args: ["/bin/bash", "-c", "anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask"]
+ - |
+ anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
+ {{- end }}
+ {{- if .Values.cloudsql.enabled }}
+ sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid;
+ securityContext:
+ capabilities:
+ add:
+ - SYS_PTRACE
 {{- end }}
 envFrom:
 {{- if not .Values.inject_secrets_via_env }}
diff --git a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml
index c2cb7e2f..a5cb0eb8 100644
--- a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml
+++ b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml
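Review bot: When `cloudsql.enabled` is set the block scalar now ends with `sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid;`, so the exit status of `bash -c` is that of `kill`, not of `anchore-manager ... upgrade --dontask`: a failed schema upgrade leaves the Job marked Succeeded, and conversely a proxy that has already exited makes `pgrep` fail and reports a good upgrade as failed. Capture the upgrade's status before stopping the proxy and exit with it afterwards, as in the rewrite below, which keeps the kill unconditional so the sidecar still goes away on failure and the pod can terminate. Separately, `SYS_PTRACE` is broader than what `kill` needs — signalling a same-UID process needs no capability and a different-UID one needs `CAP_KILL`, while `SYS_PTRACE` additionally permits reading the proxy's memory and `/proc` entries — so it is worth confirming the capability is actually required before granting it; the script also presumes `pgrep` exists in the anchore image. The same script and capability appear in the feeds and enterprise hunks on the following lines.
```yaml
        args:
        {{- if .Values.anchoreGlobal.dbConfig.ssl }}
          - |
            anchore-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; rc=$?
        {{- else }}
          - |
            anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask; rc=$?
        {{- end }}
        {{- if .Values.cloudsql.enabled }}
            sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid;
        {{- end }}
            exit $rc
        {{- if .Values.cloudsql.enabled }}
        # … unchanged: securityContext / capabilities stanza …
        {{- end }}
```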
@@ -34,6 +34,9 @@ spec:
 imagePullSecrets:
 - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}
 restartPolicy: Never
+ {{- if .Values.cloudsql.enabled }}
+ shareProcessNamespace: true
+ {{- end }}
 containers:
 {{- if .Values.cloudsql.enabled }}
 - name: cloudsql-proxy
@@ -53,10 +56,21 @@ spec:
 - name: "{{ .Release.Name }}-enterprise-feeds-upgrade"
 imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }}
 image: {{ .Values.anchoreEnterpriseGlobal.image }}
+ command: ["/bin/bash", "-c"]
+ args:
 {{- if .Values.anchoreGlobal.dbConfig.ssl }}
- args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask"]
+ - |
+ anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask;
 {{- else }}
- args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask"]
+ - |
+ anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
+ {{- end }}
+ {{- if .Values.cloudsql.enabled }}
+ sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid;
+ securityContext:
+ capabilities:
+ add:
+ - SYS_PTRACE
 {{- end }}
 envFrom:
 {{- if not .Values.inject_secrets_via_env }}
diff --git a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml
index a199f339..446e9e78 100644
--- a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml
+++ b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml
@@ -34,6 +34,9 @@ spec:
 imagePullSecrets:
 - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }}
 restartPolicy: Never
+ {{- if .Values.cloudsql.enabled }}
+ shareProcessNamespace: true
+ {{- end }}
 containers:
 {{- if .Values.cloudsql.enabled }}
 - name: cloudsql-proxy
@@ -53,10 +56,21 @@ spec:
 - name: "{{ .Release.Name }}-enterprise-upgrade"
 imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }}
 image: {{ .Values.anchoreEnterpriseGlobal.image }}
+ command: ["/bin/bash", "-c"]
+ args:
 {{- if .Values.anchoreGlobal.dbConfig.ssl }}
- args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask"]
+ - |
+ anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask;
 {{- else }}
- args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask"]
+ - |
+ anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
+ {{- end }}
+ {{- if .Values.cloudsql.enabled }}
+ sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid;
+ securityContext:
+ capabilities:
+ add:
+ - SYS_PTRACE
 {{- end }}
 envFrom:
 {{- if not .Values.inject_secrets_via_env }}