UI allow existing secrets (#110)

* use seperate secrets for feeds, ui & engine env vars * use seperate existing secrets for UI and Feeds * if redis isnt using an external endpoint but an existing secret is used for the ui, explicitly set the ANCHORE_REDIS_URI env var to helm managed redis Signed-off-by: Brady Todhunter <[email protected]>
anchore · Jan 27, 2021 · 8ff7bc1 · 8ff7bc1
1 parent 418a435
commit 8ff7bc1
Show file tree

Hide file tree

Showing 6 changed files with 109 additions and 25 deletions.
diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl
@@ -139,3 +139,17 @@ Return Anchore Engine default admin password
     {{- randAlphaNum 32 -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Create database hostname string from supplied values file. Used for the enterprise-ui ANCHORE_APPDB_URI environment variable secret
+*/}}
+{{- define "db-hostname" }}
+  {{- if and (index .Values "postgresql" "externalEndpoint") (not (index .Values "postgresql" "enabled")) }}
+    {{- print ( index .Values "postgresql" "externalEndpoint" | quote ) }}
+  {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "postgresql" "enabled")) }}
+    {{- print "localhost:5432" }}
+  {{- else }}
+    {{- $db_host := include "postgres.fullname" . }}
+    {{- printf "%s:5432" $db_host -}}
+  {{- end }}
+{{- end }}
diff --git a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml
@@ -90,7 +90,7 @@ spec:
         envFrom:
         {{- if not .Values.inject_secrets_via_env }}
         - secretRef:
-            name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
+            name: {{ default (include "anchore-engine.enterprise-feeds.fullname" .) .Values.anchoreEnterpriseFeeds.existingSecret }}
         {{- end }}
         - configMapRef:
             name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}-env

diff --git a/...emplates/enterprise_ui_config_secret.yaml → ...ne/templates/enterprise_ui_configmap.yaml b/...emplates/enterprise_ui_config_secret.yaml → ...ne/templates/enterprise_ui_configmap.yaml
@@ -1,9 +1,8 @@
 {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseUi.enabled -}}
 {{- $component := "enterprise-ui" -}}
 
-# Using a secret until UI app supports ENV vars inside the config file. Redis password is included in config.
-kind: Secret
 apiVersion: v1
+kind: ConfigMap
 metadata:
   name: {{ include "anchore-engine.enterprise-ui.fullname" . | quote }}
   labels:
@@ -15,19 +14,15 @@ metadata:
     {{- with .Values.anchoreGlobal.labels }}
     {{ toYaml . | nindent 4 }}
     {{- end }}
-type: Opaque
-stringData:
+data:
   config-ui.yaml: |
     {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }}
     engine_uri: 'https://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreApi.service.port }}/v1'
     {{- else }}
     engine_uri: 'http://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreApi.service.port }}/v1'
     {{- end }}
-    {{- if and (index .Values "anchore-ui-redis" "externalEndpoint") (not (index .Values "anchore-ui-redis" "enabled")) }}
-    redis_uri: '{{ index .Values "anchore-ui-redis" "externalEndpoint" }}'
-    {{- else }}
-    redis_uri: 'redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379'
-    {{- end }}
+    # This value is overridden by using the `ANCHORE_REDIS_URI` environment variable.
+    # redis_ui: $ANCHORE_REDIS_URI
   {{- if .Values.anchoreEnterpriseRbac.enabled }}
     {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }}
     rbac_uri: 'https://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreEnterpriseRbac.service.apiPort }}/v1'
@@ -49,15 +44,8 @@ stringData:
     notifications_uri: 'http://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreEnterpriseNotifications.service.port}}/v1'
     {{- end }}
   {{- end }}
-    {{- if and (and .Values.postgresql.externalEndpoint (not .Values.postgresql.enabled)) .Values.anchoreGlobal.dbConfig.ssl }}
-    appdb_uri: 'postgresql://{{ .Values.postgresql.postgresUser }}:{{ .Values.postgresql.postgresPassword }}@{{ .Values.postgresql.externalEndpoint }}/{{ .Values.postgresql.postgresDatabase }}?ssl=verify-full'
-    {{- else if and .Values.postgresql.externalEndpoint (not .Values.postgresql.enabled) }}
-    appdb_uri: 'postgresql://{{ .Values.postgresql.postgresUser }}:{{ .Values.postgresql.postgresPassword }}@{{ .Values.postgresql.externalEndpoint }}/{{ .Values.postgresql.postgresDatabase }}'
-    {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "postgresql" "enabled")) }}
-    appdb_uri: 'postgresql://{{ .Values.postgresql.postgresUser }}:{{ .Values.postgresql.postgresPassword }}@localhost:5432/{{ .Values.postgresql.postgresDatabase }}'
-    {{- else }}
-    appdb_uri: 'postgresql://{{ .Values.postgresql.postgresUser }}:{{ .Values.postgresql.postgresPassword }}@{{ template "postgres.fullname" . }}:5432/{{ .Values.postgresql.postgresDatabase }}'
-    {{- end }}
+    # This value is overridden by using the `ANCHORE_APPDB_URI` environment variable.
+    # appdb_uri: $ANCHORE_APPDB_URI
     license_path: '/home/anchore/'
     enable_ssl: {{ .Values.anchoreEnterpriseUi.enableSsl }}
     enable_proxy: {{ .Values.anchoreEnterpriseUi.enableProxy }}

diff --git a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml
@@ -74,6 +74,10 @@ spec:
         image: {{ .Values.anchoreEnterpriseUi.image }}
         imagePullPolicy: {{ .Values.anchoreEnterpriseUi.imagePullPolicy }}
         env:
+        {{- if and (index .Values "anchoreEnterpriseUi" "existingSecret") (not (index .Values "anchore-ui-redis" "externalEndpoint")) }}
+        - name: ANCHORE_REDIS_URI
+          value: redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379
+        {{- end }}
         {{ if .Values.anchoreGlobal.dbConfig.ssl }}
         - name: PGSSLROOTCERT
           value: /home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }}
@@ -88,6 +92,11 @@ spec:
         {{- with .Values.anchoreEnterpriseUi.extraEnv }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
+        envFrom:
+        {{- if not .Values.inject_secrets_via_env }}
+        - secretRef:
+            name: {{ default (include "anchore-engine.enterprise-ui.fullname" .) .Values.anchoreEnterpriseUi.existingSecret }}
+        {{- end }}
         ports:
         - containerPort: 3000
           protocol: TCP
@@ -127,8 +136,8 @@ spec:
         secret:
           secretName: {{ .Values.anchoreEnterpriseGlobal.licenseSecretName }}
       - name: anchore-ui-config
-        secret:
-          secretName: {{ template "anchore-engine.enterprise-ui.fullname" . }}
+        configMap:
+          name: {{ template "anchore-engine.enterprise-ui.fullname" . }}
       {{- with .Values.anchoreGlobal.certStoreSecretName }}
       - name: certs
         secret:

diff --git a/stable/anchore-engine/templates/secrets.yaml b/stable/anchore-engine/templates/secrets.yaml
@@ -15,10 +15,65 @@ type: Opaque
 stringData:
   ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
   ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }}
-  {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }}
-  ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }}
+  {{- with .Values.anchoreGlobal.saml.secret }}
+  ANCHORE_SAML_SECRET: {{ . }}
   {{- end }}
+{{- end }}
+
+---
+{{- if not .Values.anchoreEnterpriseFeeds.existingSecret }}
+{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}
+  labels:
+    app: {{ template "anchore-engine.fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    {{- with .Values.anchoreGlobal.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+type: Opaque
+stringData:
+  ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
+  ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }}
   {{- with .Values.anchoreGlobal.saml.secret }}
   ANCHORE_SAML_SECRET: {{ . }}
   {{- end }}
 {{- end }}
+{{- end }}
+
+---
+{{- if not .Values.anchoreEnterpriseUi.existingSecret }}
+{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseUi.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "anchore-engine.enterprise-ui.fullname" . }}
+  labels:
+    app: {{ template "anchore-engine.fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    {{- with .Values.anchoreGlobal.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+type: Opaque
+stringData:
+  ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
+
+  {{- if .Values.anchoreGlobal.dbConfig.ssl }}
+  ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}?ssl=verify-full'
+  {{- else }}
+  ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}'
+  {{- end }}
+
+  {{- if and (index .Values "anchore-ui-redis" "externalEndpoint") (not (index .Values "anchore-ui-redis" "enabled")) }}
+  ANCHORE_REDIS_URI: '{{ index .Values "anchore-ui-redis" "externalEndpoint" }}'
+  {{- else }}
+  ANCHORE_REDIS_URI: 'redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379'
+  {{- end }}
+{{- end }}
+{{- end }}
diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml
@@ -104,8 +104,8 @@ anchoreGlobal:
   # Specify a service account name utilized to run all Anchore pods
   serviceAccountName:
 
-  # Set this value to True to setup the chart for OpenShift deployment compatibility.
-  openShiftDeployment: False
+  # Set this value to true to setup the chart for OpenShift deployment compatibility.
+  openShiftDeployment: false
 
   # Add additionnal labels to all kubernetes resources
   labels: {}
@@ -124,6 +124,10 @@ anchoreGlobal:
     #   value: bar
 
   # Specifies an existing secret to be used for admin and db passwords
+  # The secret should define the following environment vars:
+  # ANCHORE_ADMIN_PASSWORD
+  # ANCHORE_DB_PASSWORD
+  # ANCHORE_SAML_SECRET (if applicable)
   existingSecret: Null
 
   # The scratchVolume controls the mounting of an external volume for scratch space for image analysis. Generally speaking
@@ -698,6 +702,14 @@ anchoreEnterpriseFeeds:
   cycleTimers:
     driver_sync: 7200
 
+  # Specifies an existing secret to be used for anchore admin and db passwords
+  # The secret should define the following environment vars:
+  # ANCHORE_ADMIN_PASSWORD
+  # ANCHORE_FEEDS_DB_PASSWORD
+  # ANCHORE_SAML_SECRET (if applicable)
+
+  existingSecret: Null
+
   # Configure the database connection within anchore-engine & enterprise-ui. This may get split into 2 different configurations based on service utilized.
   dbConfig:
     timeout: 120
@@ -861,6 +873,12 @@ anchoreEnterpriseUi:
     # - name: foo
     #   value: bar
 
+  # Specifies an existing secret to be used for db and redis endpoints
+  # This secret should define the following ENV vars
+  # ANCHORE_APPDB_URI
+  # ANCHORE_REDIS_URI
+  existingSecret: Null
+
   # If using LDAPS with a custom CA certificate, add the certificate to the secret specified at anchoreGlobal.certStoreSecretName and specify the name of the cert here
   ldapsRootCaCertName: Null