diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index c73eb125a03c..81c06b4b0579 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: anchore-engine
-version: 1.0.4
+version: 1.0.5
 appVersion: 0.4.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md
index 81eebf0a04fa..35535f26858a 100644
--- a/stable/anchore-engine/README.md
+++ b/stable/anchore-engine/README.md
@@ -309,6 +309,10 @@ anchoreGlobal:
 cloudsql:
 enabled: true
 instance: "project:zone:cloudsqlinstancename"
+ # Optional existing service account secret to use.
+ useExistingServiceAcc: true
+ serviceAccSecretName: my_service_acc
+ serviceAccJsonName: for_cloudsql.json
 image:
 repository: gcr.io/cloudsql-docker/gce-proxy
 tag: 1.12
diff --git a/stable/anchore-engine/templates/analyzer_deployment.yaml b/stable/anchore-engine/templates/analyzer_deployment.yaml
index 38296215727f..ad8bdca1ec2d 100644
--- a/stable/anchore-engine/templates/analyzer_deployment.yaml
+++ b/stable/anchore-engine/templates/analyzer_deployment.yaml
@@ -31,7 +31,15 @@ spec:
 image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
 imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
 command: ["/cloud_sql_proxy"]
- args: ["-instances={{ .Values.cloudsql.instance }}=tcp:5432"]
+ args:
+ - "-instances={{ .Values.cloudsql.instance }}=tcp:5432"
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}"
+ volumeMounts:
+ - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }}
+ name: {{ .Values.cloudsql.serviceAccSecretName }}
+ readOnly: true
+ {{- end }}
 {{- end }}
 - name: {{ .Chart.Name }}-{{ $component }}
 image: {{ .Values.anchoreGlobal.image }}
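Review bot: The added `-credential_file` argument and `mountPath` in the cloudsql proxy container of analyzer_deployment.yaml interpolate `.Values.cloudsql.serviceAccSecretName` and `.Values.cloudsql.serviceAccJsonName` with no presence check. With `useExistingServiceAcc: true` and either value unset, the template renders `-credential_file=/var//` and an empty volume `name:`, which surfaces only at apply time or when the proxy starts without a usable key. Wrapping the lookups in Helm's `required`, for example `{{ required "cloudsql.serviceAccSecretName must be set when useExistingServiceAcc is true" .Values.cloudsql.serviceAccSecretName }}`, makes the chart fail at render time instead. The same lines repeat in the first hunk of the api, catalog, enterprise_feeds, enterprise_ui, policy_engine and simplequeue deployment templates; the container definition starts and ends outside this hunk.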
@@ -98,6 +106,11 @@ spec:
 {{- end }}
 - name: {{ $component }}-scratch
 {{ toYaml .Values.anchoreGlobal.scratchVolume.details | indent 10 | trim }}
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - name: {{ .Values.cloudsql.serviceAccSecretName }}
+ secret:
+ secretName: {{ .Values.cloudsql.serviceAccSecretName }}
+ {{- end }}
 {{- with .Values.anchoreAnalyzer.nodeSelector }}
 nodeSelector:
 {{ toYaml . | nindent 8 | trim }}
diff --git a/stable/anchore-engine/templates/api_deployment.yaml b/stable/anchore-engine/templates/api_deployment.yaml
index f843fc7722e7..53e8c809165a 100644
--- a/stable/anchore-engine/templates/api_deployment.yaml
+++ b/stable/anchore-engine/templates/api_deployment.yaml
@@ -35,7 +35,15 @@ spec:
 image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
 imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
 command: ["/cloud_sql_proxy"]
- args: ["-instances={{ .Values.cloudsql.instance }}=tcp:5432"]
+ args:
+ - "-instances={{ .Values.cloudsql.instance }}=tcp:5432"
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}"
+ volumeMounts:
+ - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }}
+ name: {{ .Values.cloudsql.serviceAccSecretName }}
+ readOnly: true
+ {{- end }}
 {{- end }}
 - name: "{{ .Chart.Name }}-{{ $component }}"
 image: {{ .Values.anchoreGlobal.image }}
@@ -279,6 +287,11 @@ spec:
 secret:
 secretName: {{ .Values.anchoreGlobal.internalServicesSsl.certSecret }}
 {{- end }}
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - name: {{ .Values.cloudsql.serviceAccSecretName }}
+ secret:
+ secretName: {{ .Values.cloudsql.serviceAccSecretName }}
+ {{- end }}
 {{- with .Values.anchoreApi.nodeSelector }}
 nodeSelector:
 {{ toYaml . | nindent 8 | trim }}
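Review bot: The new secret volume in the `-98,6 +106,11` hunk of analyzer_deployment.yaml is guarded only by `.Values.cloudsql.useExistingServiceAcc`, while the matching `volumeMounts` entry appears to sit inside the enclosing cloudsql-enabled block (inferred from the two consecutive `{{- end }}` lines in the first hunk). With the proxy disabled and the flag left on, the pod would still reference the service-account key secret and would not start if that secret is absent; `{{- if and .Values.cloudsql.enabled .Values.cloudsql.useExistingServiceAcc }}` keeps the key attached only to pods that actually run the proxy. Reusing the secret name as the volume `name:` also subjects it to volume-name rules and risks a clash with the chart's own volume names, so a fixed name such as `cloudsql-service-account` on both the volume and the mount would be safer. The same applies to the volume hunks in the other six deployment templates.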
diff --git a/stable/anchore-engine/templates/catalog_deployment.yaml b/stable/anchore-engine/templates/catalog_deployment.yaml
index 33d38539ef85..13fdd0d43aae 100644
--- a/stable/anchore-engine/templates/catalog_deployment.yaml
+++ b/stable/anchore-engine/templates/catalog_deployment.yaml
@@ -31,7 +31,15 @@ spec:
 image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
 imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
 command: ["/cloud_sql_proxy"]
- args: ["-instances={{ .Values.cloudsql.instance }}=tcp:5432"]
+ args:
+ - "-instances={{ .Values.cloudsql.instance }}=tcp:5432"
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}"
+ volumeMounts:
+ - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }}
+ name: {{ .Values.cloudsql.serviceAccSecretName }}
+ readOnly: true
+ {{- end }}
 {{- end }}
 - name: {{ .Chart.Name }}-{{ $component }}
 image: {{ .Values.anchoreGlobal.image }}
@@ -94,6 +102,11 @@ spec:
 secret:
 secretName: {{ .Values.anchoreGlobal.internalServicesSsl.certSecret }}
 {{- end }}
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - name: {{ .Values.cloudsql.serviceAccSecretName }}
+ secret:
+ secretName: {{ .Values.cloudsql.serviceAccSecretName }}
+ {{- end }}
 {{- with .Values.anchoreCatalog.nodeSelector }}
 nodeSelector:
 {{ toYaml . | nindent 8 | trim }}
diff --git a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml
index 38a3af4cea75..3381b57a0cb6 100644
--- a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml
+++ b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml
@@ -34,7 +34,15 @@ spec:
 image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
 imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
 command: ["/cloud_sql_proxy"]
- args: ["-instances={{ .Values.cloudsql.instance }}=tcp:5432"]
+ args:
+ - "-instances={{ .Values.cloudsql.instance }}=tcp:5432"
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}"
+ volumeMounts:
+ - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }}
+ name: {{ .Values.cloudsql.serviceAccSecretName }}
+ readOnly: true
+ {{- end }}
 {{- end }}
 - name: "{{ .Chart.Name }}-{{ $component }}"
 image: {{ .Values.anchoreEnterpriseGlobal.image }}
@@ -102,6 +110,11 @@ spec:
 - name: anchore-license
 secret:
 secretName: {{ .Values.anchoreEnterpriseGlobal.licenseSecretName }}
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - name: {{ .Values.cloudsql.serviceAccSecretName }}
+ secret:
+ secretName: {{ .Values.cloudsql.serviceAccSecretName }}
+ {{- end }}
 {{- with .Values.anchoreEnterpriseFeeds.nodeSelector }}
 nodeSelector:
 {{ toYaml .Values.anchoreEnterpriseFeeds.nodeSelector | nindent 8 | trim }}
diff --git a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml
index fd1e81b6b463..6a95e9cb2b05 100644
--- a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml
+++ b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml
@@ -38,7 +38,15 @@ spec:
 image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
 imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
 command: ["/cloud_sql_proxy"]
- args: ["-instances={{ .Values.cloudsql.instance }}=tcp:5432"]
+ args:
+ - "-instances={{ .Values.cloudsql.instance }}=tcp:5432"
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}"
+ volumeMounts:
+ - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }}
+ name: {{ .Values.cloudsql.serviceAccSecretName }}
+ readOnly: true
+ {{- end }}
 {{- end }}
 - name: "{{ .Chart.Name }}-{{ $component }}"
 image: {{ .Values.anchoreEnterpriseUi.image }}
@@ -84,6 +92,11 @@ spec:
 - name: anchore-ui-config
 secret:
 secretName: {{ template "anchore-engine.enterprise-ui.fullname" . }}
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - name: {{ .Values.cloudsql.serviceAccSecretName }}
+ secret:
+ secretName: {{ .Values.cloudsql.serviceAccSecretName }}
+ {{- end }}
 {{- with .Values.anchoreEnterpriseUi.nodeSelector }}
 nodeSelector:
 {{ toYaml .Values.anchoreEnterpriseUi.nodeSelector | nindent 8 | trim }}
diff --git a/stable/anchore-engine/templates/policy_engine_deployment.yaml b/stable/anchore-engine/templates/policy_engine_deployment.yaml
index 6a905211ff43..b3cfff22a0de 100644
--- a/stable/anchore-engine/templates/policy_engine_deployment.yaml
+++ b/stable/anchore-engine/templates/policy_engine_deployment.yaml
@@ -31,7 +31,15 @@ spec:
 image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
 imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
 command: ["/cloud_sql_proxy"]
- args: ["-instances={{ .Values.cloudsql.instance }}=tcp:5432"]
+ args:
+ - "-instances={{ .Values.cloudsql.instance }}=tcp:5432"
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}"
+ volumeMounts:
+ - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }}
+ name: {{ .Values.cloudsql.serviceAccSecretName }}
+ readOnly: true
+ {{- end }}
 {{- end }}
 - name: {{ .Chart.Name }}-{{ $component }}
 image: {{ .Values.anchoreGlobal.image }}
@@ -94,6 +102,11 @@ spec:
 secret:
 secretName: {{ .Values.anchoreGlobal.internalServicesSsl.certSecret }}
 {{- end }}
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - name: {{ .Values.cloudsql.serviceAccSecretName }}
+ secret:
+ secretName: {{ .Values.cloudsql.serviceAccSecretName }}
+ {{- end }}
 {{- with .Values.anchorePolicyEngine.nodeSelector }}
 nodeSelector:
 {{ toYaml . | nindent 8 | trim }}
diff --git a/stable/anchore-engine/templates/simplequeue_deployment.yaml b/stable/anchore-engine/templates/simplequeue_deployment.yaml
index f222570e929f..22dcf8f455a9 100644
--- a/stable/anchore-engine/templates/simplequeue_deployment.yaml
+++ b/stable/anchore-engine/templates/simplequeue_deployment.yaml
@@ -31,7 +31,15 @@ spec:
 image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
 imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
 command: ["/cloud_sql_proxy"]
- args: ["-instances={{ .Values.cloudsql.instance }}=tcp:5432"]
+ args:
+ - "-instances={{ .Values.cloudsql.instance }}=tcp:5432"
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}"
+ volumeMounts:
+ - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }}
+ name: {{ .Values.cloudsql.serviceAccSecretName }}
+ readOnly: true
+ {{- end }}
 {{- end }}
 - name: "{{ .Chart.Name }}-{{ $component }}"
 image: {{ .Values.anchoreGlobal.image }}
@@ -94,6 +102,11 @@ spec:
 secret:
 secretName: {{ .Values.anchoreGlobal.internalServicesSsl.certSecret }}
 {{- end }}
+ {{- if .Values.cloudsql.useExistingServiceAcc }}
+ - name: {{ .Values.cloudsql.serviceAccSecretName }}
+ secret:
+ secretName: {{ .Values.cloudsql.serviceAccSecretName }}
+ {{- end }}
 {{- with .Values.anchoreSimpleQueue.nodeSelector }}
 nodeSelector:
 {{ toYaml . | nindent 8 | trim }}
diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml
index 98aedb805e96..7978810bf538 100644
--- a/stable/anchore-engine/values.yaml
+++ b/stable/anchore-engine/values.yaml
@@ -25,6 +25,10 @@ cloudsql:
 enabled: false
 # set CloudSQL instance: 'project:zone:instancname'
 instance: ""
+ # Optional existing service account secret to use.
+ # useExistingServiceAcc: false
+ # serviceAccSecretName: service_acc
+ # serviceAccJsonName: for_cloudsql.json
 image:
 # set repo and image tag of gce-proxy
 repository: gcr.io/cloudsql-docker/gce-proxy
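Review bot: The commented example `# serviceAccSecretName: service_acc` in the values.yaml hunk (and `my_service_acc` in the README hunk) contains an underscore, which Kubernetes rejects in both Secret names and volume names, and the templates use this value for both. An example such as `# serviceAccSecretName: cloudsql-service-account` would be valid as written. It would also help to add a comment line saying that the secret must already exist in the release namespace and hold the key under the `serviceAccJsonName` file name. The same comment could recommend a key belonging to a service account limited to the Cloud SQL Client role, since every deployment that runs the proxy sidecar mounts it.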