diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl
index 1f678392..f9742726 100755
--- a/stable/anchore-engine/templates/_helpers.tpl
+++ b/stable/anchore-engine/templates/_helpers.tpl
@@ -139,3 +139,17 @@ Return Anchore Engine default admin password
 {{- randAlphaNum 32 -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Create database hostname string from supplied values file. Used for the enterprise-ui ANCHORE_APPDB_URI environment variable secret
+*/}}
+{{- define "db-hostname" }}
+ {{- if and (index .Values "postgresql" "externalEndpoint") (not (index .Values "postgresql" "enabled")) }}
+ {{- print ( index .Values "postgresql" "externalEndpoint" | quote ) }}
+ {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "postgresql" "enabled")) }}
+ {{- print "localhost:5432" }}
+ {{- else }}
+ {{- $db_host := include "postgres.fullname" . }}
+ {{- printf "%s:5432" $db_host -}}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml
index 1fa57675..9194dc5e 100644
--- a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml
+++ b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml
@@ -90,7 +90,7 @@ spec:
 envFrom:
 {{- if not .Values.inject_secrets_via_env }}
 - secretRef:
- name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }}
+ name: {{ default (include "anchore-engine.enterprise-feeds.fullname" .) .Values.anchoreEnterpriseFeeds.existingSecret }}
 {{- end }}
 - configMapRef:
 name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}-env 
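Review bot: The external-endpoint branch of `db-hostname` pipes the value through `quote`, so the helper returns the host wrapped in literal double quotes, and the caller in secrets.yaml then interpolates that into a single-quoted URI, yielding `@"host:5432"/db`. The other two branches emit bare text, so drop the quoting: `{{- print ( index .Values "postgresql" "externalEndpoint" ) }}`. The header comment should also say that `postgresql.externalEndpoint` is expected to already include its port, since only the other branches append `:5432`. The file is left without a trailing newline, which the `\ No newline at end of file` marker shows.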
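Review bot: The feeds container now takes its credentials from `anchoreEnterpriseFeeds.existingSecret` (defaulting to the enterprise-feeds Secret) instead of `anchoreGlobal.existingSecret`, so an operator who previously put `ANCHORE_FEEDS_DB_PASSWORD` in the global secret will, on upgrade, silently get a chart-generated feeds Secret populated from `anchore-feeds-db.postgresPassword` in values. That is a breaking change for existing installs and should be called out in the chart's upgrade notes, e.g. `# anchoreEnterpriseFeeds.existingSecret replaces anchoreGlobal.existingSecret for the feeds service`. The container spec this `envFrom` belongs to starts outside the hunk.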
diff --git a/stable/anchore-engine/templates/enterprise_ui_config_secret.yaml b/stable/anchore-engine/templates/enterprise_ui_configmap.yaml
similarity index 64%
rename from stable/anchore-engine/templates/enterprise_ui_config_secret.yaml
rename to stable/anchore-engine/templates/enterprise_ui_configmap.yaml
index 9d2f76b2..de609e19 100644
--- a/stable/anchore-engine/templates/enterprise_ui_config_secret.yaml
+++ b/stable/anchore-engine/templates/enterprise_ui_configmap.yaml
@@ -1,9 +1,8 @@
 {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseUi.enabled -}}
 {{- $component := "enterprise-ui" -}}
-# Using a secret until UI app supports ENV vars inside the config file. Redis password is included in config.
-kind: Secret
 apiVersion: v1
+kind: ConfigMap
 metadata:
 name: {{ include "anchore-engine.enterprise-ui.fullname" . | quote }}
 labels: 
@@ -15,19 +14,15 @@ metadata:
 {{- with .Values.anchoreGlobal.labels }}
 {{ toYaml . | nindent 4 }}
 {{- end }}
-type: Opaque
-stringData:
+data:
 config-ui.yaml: |
 {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }}
 engine_uri: 'https://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreApi.service.port }}/v1'
 {{- else }}
 engine_uri: 'http://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreApi.service.port }}/v1'
 {{- end }}
- {{- if and (index .Values "anchore-ui-redis" "externalEndpoint") (not (index .Values "anchore-ui-redis" "enabled")) }}
- redis_uri: '{{ index .Values "anchore-ui-redis" "externalEndpoint" }}'
- {{- else }}
- redis_uri: 'redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379'
- {{- end }}
+ # This value is overridden by using the `ANCHORE_REDIS_URI` environment variable.
+ # redis_ui: $ANCHORE_REDIS_URI
 {{- if .Values.anchoreEnterpriseRbac.enabled }}
 {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }}
 rbac_uri: 'https://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreEnterpriseRbac.service.apiPort }}/v1' 
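Review bot: The placeholder comment that replaces `redis_uri` misspells the key as `redis_ui`, and "overridden" is misleading now that the ConfigMap carries no value at all — the UI only gets a Redis URI if `ANCHORE_REDIS_URI` is present in its environment. Suggest `# redis_uri is intentionally omitted; it is supplied through the ANCHORE_REDIS_URI environment variable (see the enterprise-ui Secret).` The `config-ui.yaml` block scalar containing this comment continues past the end of the hunk.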
@@ -49,15 +44,8 @@ stringData:
 notifications_uri: 'http://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreEnterpriseNotifications.service.port}}/v1'
 {{- end }}
 {{- end }}
- {{- if and (and .Values.postgresql.externalEndpoint (not .Values.postgresql.enabled)) .Values.anchoreGlobal.dbConfig.ssl }}
- appdb_uri: 'postgresql://{{ .Values.postgresql.postgresUser }}:{{ .Values.postgresql.postgresPassword }}@{{ .Values.postgresql.externalEndpoint }}/{{ .Values.postgresql.postgresDatabase }}?ssl=verify-full'
- {{- else if and .Values.postgresql.externalEndpoint (not .Values.postgresql.enabled) }}
- appdb_uri: 'postgresql://{{ .Values.postgresql.postgresUser }}:{{ .Values.postgresql.postgresPassword }}@{{ .Values.postgresql.externalEndpoint }}/{{ .Values.postgresql.postgresDatabase }}'
- {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "postgresql" "enabled")) }}
- appdb_uri: 'postgresql://{{ .Values.postgresql.postgresUser }}:{{ .Values.postgresql.postgresPassword }}@localhost:5432/{{ .Values.postgresql.postgresDatabase }}'
- {{- else }}
- appdb_uri: 'postgresql://{{ .Values.postgresql.postgresUser }}:{{ .Values.postgresql.postgresPassword }}@{{ template "postgres.fullname" . }}:5432/{{ .Values.postgresql.postgresDatabase }}'
- {{- end }}
+ # This value is overridden by using the `ANCHORE_APPDB_URI` environment variable.
+ # appdb_uri: $ANCHORE_APPDB_URI
 license_path: '/home/anchore/'
 enable_ssl: {{ .Values.anchoreEnterpriseUi.enableSsl }}
 enable_proxy: {{ .Values.anchoreEnterpriseUi.enableProxy }}
diff --git a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml
index 5f434f1e..5a3bc4b0 100644
--- a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml
+++ b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml
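Review bot: The database placeholder has the same wording problem: `appdb_uri` is no longer rendered, so nothing is "overridden" — the value must now arrive as `ANCHORE_APPDB_URI`. Suggest `# appdb_uri is intentionally omitted; it is supplied through the ANCHORE_APPDB_URI environment variable (see the enterprise-ui Secret).` Since the removed block was the only place documenting when `?ssl=verify-full` is applied, it is worth adding a sentence here that TLS mode is now chosen by `anchoreGlobal.dbConfig.ssl` in the Secret. The `config-ui.yaml` block scalar starts before this hunk.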
@@ -74,6 +74,10 @@ spec:
 image: {{ .Values.anchoreEnterpriseUi.image }}
 imagePullPolicy: {{ .Values.anchoreEnterpriseUi.imagePullPolicy }}
 env:
+ {{- if and (index .Values "anchoreEnterpriseUi" "existingSecret") (not (index .Values "anchore-ui-redis" "externalEndpoint")) }}
+ - name: ANCHORE_REDIS_URI
+ value: redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379
+ {{- end }}
 {{ if .Values.anchoreGlobal.dbConfig.ssl }}
 - name: PGSSLROOTCERT
 value: /home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }}
@@ -88,6 +92,11 @@ spec:
 {{- with .Values.anchoreEnterpriseUi.extraEnv }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ envFrom:
+ {{- if not .Values.inject_secrets_via_env }}
+ - secretRef:
+ name: {{ default (include "anchore-engine.enterprise-ui.fullname" .) .Values.anchoreEnterpriseUi.existingSecret }}
+ {{- end }}
 ports:
 - containerPort: 3000
 protocol: TCP
@@ -127,8 +136,8 @@ spec:
 secret:
 secretName: {{ .Values.anchoreEnterpriseGlobal.licenseSecretName }}
 - name: anchore-ui-config
- secret:
- secretName: {{ template "anchore-engine.enterprise-ui.fullname" . }}
+ configMap:
+ name: {{ template "anchore-engine.enterprise-ui.fullname" . }}
 {{- with .Values.anchoreGlobal.certStoreSecretName }}
 - name: certs
 secret:
diff --git a/stable/anchore-engine/templates/secrets.yaml b/stable/anchore-engine/templates/secrets.yaml
index f77138a4..5fd15db4 100644
--- a/stable/anchore-engine/templates/secrets.yaml
+++ b/stable/anchore-engine/templates/secrets.yaml
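Review bot: The new `env` entry writes the Redis password from `anchore-ui-redis.password` as a plaintext `value:` into the Deployment whenever `anchoreEnterpriseUi.existingSecret` is set and no external Redis endpoint is configured, which exposes the credential to anyone who can read Deployments or Pods and in `helm get manifest`. Worse, Kubernetes gives `env` precedence over `envFrom` for duplicate keys, so this entry overrides the `ANCHORE_REDIS_URI` the operator placed in their existing Secret — the opposite of what the values.yaml comment for that Secret promises. If the goal is to cover operators who only override the DB URI, use `valueFrom.secretKeyRef` against a Secret (assuming the bundled Redis chart publishes its password in one) or drop the block and require `ANCHORE_REDIS_URI` in the existing Secret. At minimum quote the scalar, `value: 'redis://:...'`, since a password containing `#` or starting with a YAML indicator breaks the plain form.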
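Review bot: `envFrom` is gated on `{{- if not .Values.inject_secrets_via_env }}`, and with this change the UI config file no longer carries `appdb_uri` or `redis_uri`, so when `inject_secrets_via_env` is true the container has no database or Redis URI unless the external injector supplies `ANCHORE_APPDB_URI` and `ANCHORE_REDIS_URI`. That is a new requirement for that mode and belongs next to the `inject_secrets_via_env` entry in values.yaml, e.g. `# When true, the injected environment must also provide ANCHORE_APPDB_URI and ANCHORE_REDIS_URI for the enterprise UI.` The container spec this hunk sits in begins and ends outside the hunk.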
@@ -15,10 +15,65 @@ type: Opaque
 stringData:
 ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
 ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }}
- {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }}
- ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }}
+ {{- with .Values.anchoreGlobal.saml.secret }}
+ ANCHORE_SAML_SECRET: {{ . }}
 {{- end }}
+{{- end }}
+
+---
+{{- if not .Values.anchoreEnterpriseFeeds.existingSecret }}
+{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}
+ labels:
+ app: {{ template "anchore-engine.fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.anchoreGlobal.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+type: Opaque
+stringData:
+ ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
+ ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }}
 {{- with .Values.anchoreGlobal.saml.secret }}
 ANCHORE_SAML_SECRET: {{ . }}
 {{- end }}
 {{- end }}
+{{- end }}
+
+---
+{{- if not .Values.anchoreEnterpriseUi.existingSecret }}
+{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseUi.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "anchore-engine.enterprise-ui.fullname" . }}
+ labels:
+ app: {{ template "anchore-engine.fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.anchoreGlobal.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+type: Opaque
+stringData:
+ ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . 
| quote }}
+
+ {{- if .Values.anchoreGlobal.dbConfig.ssl }}
+ ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}?ssl=verify-full'
+ {{- else }}
+ ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}'
+ {{- end }}
+
+ {{- if and (index .Values "anchore-ui-redis" "externalEndpoint") (not (index .Values "anchore-ui-redis" "enabled")) }}
+ ANCHORE_REDIS_URI: '{{ index .Values "anchore-ui-redis" "externalEndpoint" }}'
+ {{- else }}
+ ANCHORE_REDIS_URI: 'redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379'
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml
index acbbe462..6ba969cb 100644
--- a/stable/anchore-engine/values.yaml
+++ b/stable/anchore-engine/values.yaml
@@ -104,8 +104,8 @@ anchoreGlobal:
 # Specify a service account name utilized to run all Anchore pods
 serviceAccountName:
- # Set this value to True to setup the chart for OpenShift deployment compatibility.
- openShiftDeployment: False
+ # Set this value to true to setup the chart for OpenShift deployment compatibility.
+ openShiftDeployment: false
 # Add additionnal labels to all kubernetes resources
 labels: {}
@@ -124,6 +124,10 @@ anchoreGlobal:
 # value: bar
 # Specifies an existing secret to be used for admin and db passwords
+ # The secret should define the following environment vars:
+ # ANCHORE_ADMIN_PASSWORD
+ # ANCHORE_DB_PASSWORD
+ # ANCHORE_SAML_SECRET (if applicable)
 existingSecret: Null
 # The scratchVolume controls the mounting of an external volume for scratch space for image analysis. Generally speaking 
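Review bot: The enterprise-ui Secret appends `?ssl=verify-full` whenever `anchoreGlobal.dbConfig.ssl` is set, regardless of which `db-hostname` branch is taken, whereas the removed config-file logic only did so for an external endpoint; with Cloud SQL the URI now reads `localhost:5432/...?ssl=verify-full`, and `verify-full` against `localhost` or the in-cluster Postgres service only succeeds if that endpoint actually presents a certificate valid for that name — please confirm this is intended or restore the external-endpoint condition. `ANCHORE_SAML_SECRET: {{ . }}` is the one unquoted value in these Secrets, so a secret that YAML reads as a number or boolean, or that contains ` #`, is mangled; use `ANCHORE_SAML_SECRET: {{ . | quote }}` like the neighbouring keys. The user and password are also spliced into the URIs without URL-encoding, so a password containing `@`, `/`, `:` or `#` produces an unparsable URI; this was true of the old config-file rendering too, but the Secret is now the only place the URI is built, and wrapping the password in Go-template `urlquery` would address it.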
@@ -698,6 +702,14 @@ anchoreEnterpriseFeeds:
 cycleTimers:
 driver_sync: 7200
+ # Specifies an existing secret to be used for anchore admin and db passwords
+ # The secret should define the following environment vars:
+ # ANCHORE_ADMIN_PASSWORD
+ # ANCHORE_FEEDS_DB_PASSWORD
+ # ANCHORE_SAML_SECRET (if applicable)
+
+ existingSecret: Null
+
 # Configure the database connection within anchore-engine & enterprise-ui. This may get split into 2 different configurations based on service utilized.
 dbConfig:
 timeout: 120
@@ -861,6 +873,12 @@ anchoreEnterpriseUi:
 # - name: foo
 # value: bar
+ # Specifies an existing secret to be used for db and redis endpoints
+ # This secret should define the following ENV vars
+ # ANCHORE_APPDB_URI
+ # ANCHORE_REDIS_URI
+ existingSecret: Null
+
 # If using LDAPS with a custom CA certificate, add the certificate to the secret specified at anchoreGlobal.certStoreSecretName and specify the name of the cert here
 ldapsRootCaCertName: Null
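Review bot: The comment for `anchoreEnterpriseUi.existingSecret` lists only `ANCHORE_APPDB_URI` and `ANCHORE_REDIS_URI`, but the chart-generated Secret it replaces also carries `ANCHORE_ADMIN_PASSWORD`; if the UI reads that key, an operator following this comment ends up with an incomplete Secret, so it should be listed here (or dropped from the generated Secret if unused). It would also help to say these two values are full connection URIs including credentials rather than bare passwords, e.g. `# ANCHORE_APPDB_URI  (e.g. postgresql://user:pass@host:5432/db?ssl=verify-full)`. The `anchoreEnterpriseUi` mapping that holds this entry starts before the hunk.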