Use k8s secret for SAML shared secret (#102)

* use an ENV var stored in a k8s secret for setting SAML secret from values

Signed-off-by: Brady Todhunter <[email protected]>

stable/anchore-engine/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.11.0
+version: 1.11.1
 appVersion: 0.9.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:

stable/anchore-engine/templates/engine_configmap.yaml

@@ -99,7 +99,9 @@ data:
     # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value
     # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs.
     keys:
-      secret: {{ .Values.anchoreGlobal.saml.secret }}
+      {{- if .Values.anchoreGlobal.saml.secret }}
+      secret: ${ANCHORE_SAML_SECRET}
+      {{- end }}
       {{- with .Values.anchoreGlobal.saml.publicKeyName }}
       public_key_path: /home/anchore/certs/{{- . }}
       {{- end }}

stable/anchore-engine/templates/enterprise_configmap.yaml

@@ -41,7 +41,9 @@ data:
     # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value
     # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs.
     keys:
-      secret: {{ .Values.anchoreGlobal.saml.secret }}
+      {{- if .Values.anchoreGlobal.saml.secret }}
+      secret: ${ANCHORE_SAML_SECRET}
+      {{- end }}
       {{- with .Values.anchoreGlobal.saml.publicKeyName }}
       public_key_path: /home/anchore/certs/{{- . }}
       {{- end }}

stable/anchore-engine/templates/enterprise_feeds_configmap.yaml

@@ -33,7 +33,9 @@ data:
     # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value
     # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs.
     keys:
-      secret: {{ .Values.anchoreGlobal.saml.secret }}
+      {{- if .Values.anchoreGlobal.saml.secret }}
+      secret: ${ANCHORE_SAML_SECRET}
+      {{- end }}
       {{- with .Values.anchoreGlobal.saml.publicKeyName }}
       public_key_path: /home/anchore/certs/{{- . }}
       {{- end }}

stable/anchore-engine/templates/secrets.yaml

@@ -18,4 +18,7 @@ stringData:
   {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }}
   .feedsDbPassword: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }}
   {{- end }}
+  {{- with .Values.anchoreGlobal.saml.secret }}
+  ANCHORE_SAML_SECRET: {{ . }}
+  {{- end }}
 {{- end }}

stable/anchore-engine/values.yaml

@@ -173,9 +173,11 @@ anchoreGlobal:
   defaultAdminEmail: [email protected]
 
   saml:
-    # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value
+    # Locations for keys used for signing and encryption. Only one of 'secret' or 'privateKeyName'/'publicKeyName' needs to be set. If all are set then the keys take precedence over the secret value
     # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs.
     secret: Null
+    # If set to true, use the secret specified in anchoreGlobal.existingSecret to set the ANCHORE_SAML_SECRET env variable
+    useExistingSecret: false
     privateKeyName: Null
     publicKeyName: Null