Fix Permissions init container fixes (#333)

* configurable initContainer image for mode-fixer
* update readme to remove unused secret in custom certs section
* escape `&` in pre-upgrade hook job when using DB root cert
* remove path to certs dir in pre-upgrade job as its included in env var
* allow fixGroupPermissions on feeds workspace directory
* update tests
* update README table


---------

Signed-off-by: Hung Nguyen <[email protected]>
Signed-off-by: Brady Todhunter <[email protected]>
Co-authored-by: Hung Nguyen <[email protected]>
Co-authored-by: osiagwe <[email protected]>

stable/anchore-engine/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.28.5
+version: 1.28.6
 appVersion: 1.1.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:

stable/anchore-engine/templates/analyzer_deployment.yaml

@@ -73,7 +73,7 @@ spec:
     {{- if and .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreGlobal.securityContext.fsGroup }}
       initContainers:
         - name: mode-fixer
-          image: alpine
+          image: {{ .Values.anchoreGlobal.scratchVolume.initContainerImage }}
           securityContext:
             runAsUser: 0
           volumeMounts:

stable/anchore-engine/templates/catalog_deployment.yaml

@@ -75,7 +75,7 @@ spec:
     {{- if and .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreGlobal.securityContext.fsGroup }}
       initContainers:
         - name: mode-fixer
-          image: alpine
+          image: {{ .Values.anchoreGlobal.scratchVolume.initContainerImage }}
           securityContext:
             runAsUser: 0
           volumeMounts:

stable/anchore-engine/templates/enterprise_feeds_deployment.yaml

@@ -66,7 +66,7 @@ spec:
     {{- if and (or .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreEnterpriseFeeds.persistence.fixGroupPermissions) .Values.anchoreGlobal.securityContext.fsGroup }}
       initContainers:
         - name: mode-fixer
-          image: alpine
+          image: {{ .Values.anchoreGlobal.scratchVolume.initContainerImage }}
           securityContext:
             runAsUser: 0
           volumeMounts:

stable/anchore-engine/templates/policy_engine_deployment.yaml

@@ -72,7 +72,7 @@ spec:
     {{- if and .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreGlobal.securityContext.fsGroup }}
       initContainers:
         - name: mode-fixer
-          image: alpine
+          image: {{ .Values.anchoreGlobal.scratchVolume.initContainerImage }}
           securityContext:
             runAsUser: 0
           volumeMounts:

stable/anchore-engine/values.yaml

@@ -173,6 +173,7 @@ anchoreGlobal:
     # Some k8s Volumes do not properly respect the fsGroup permissions. These volumes will get mounted as root:root
     # regardless of the security permissions requested. The fixGroupPermissions will create an initContainer that will
     # fixup the permissions.
+    initContainerImage: alpine
     fixGroupPermissions: false
     mountPath: /analysis_scratch
     details: {}

stable/enterprise/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: enterprise
-version: "2.2.2"
+version: "2.2.3"
 appVersion: "5.1.1"
 kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x
 description: |

stable/enterprise/templates/_common.tpl

@@ -115,7 +115,7 @@ Setup the common fix permissions init container for all pods using a scratch vol
 */}}
 {{- define "enterprise.common.fixPermissionsInitContainer" -}}
 - name: mode-fixer
-  image: alpine
+  image: {{ .Values.scratchVolume.fixerInitContainerImage }}
   securityContext:
     runAsUser: 0
   volumeMounts:

stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml

@@ -71,7 +71,7 @@ spec:
                   CONNSTR=${CONNSTR}?sslmode=${ANCHORE_DB_SSL_MODE}
                 fi
                 if [[ ${ANCHORE_DB_SSL_ROOT_CERT} != null ]]; then
-                  CONNSTR=${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_DB_SSL_ROOT_CERT}
+                  CONNSTR=${CONNSTR}\&sslrootcert=${ANCHORE_DB_SSL_ROOT_CERT}
                 fi
                 err=$(anchore-enterprise-manager db --db-connect ${CONNSTR} pre-upgrade-check 2>&1 > /dev/null)
                 if [[ !$err ]]; then

stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap

@@ -117,7 +117,7 @@ should render proper initContainers:
               CONNSTR=${CONNSTR}?sslmode=${ANCHORE_DB_SSL_MODE}
             fi
             if [[ ${ANCHORE_DB_SSL_ROOT_CERT} != null ]]; then
-              CONNSTR=${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_DB_SSL_ROOT_CERT}
+              CONNSTR=${CONNSTR}\&sslrootcert=${ANCHORE_DB_SSL_ROOT_CERT}
             fi
             err=$(anchore-enterprise-manager db --db-connect ${CONNSTR} pre-upgrade-check 2>&1 > /dev/null)
             if [[ !$err ]]; then

stable/enterprise/values.yaml

@@ -102,13 +102,15 @@ annotations: {}
 
 ## @param scratchVolume.mountPath The mount path of an external volume for scratch space for image analysis
 ## @param scratchVolume.fixGroupPermissions Enable an initContainer that will fix the fsGroup permissions
+## @param scratchVolume.fixerInitContainerImage The image to use for the mode-fixer initContainer
 ## @param scratchVolume.details [object] Details for the k8s volume to be created
 ## Generally speaking you need to provision 3x the size of the largest image (uncompressed) that you want to analyze
 ## ref: https://kubernetes.io/docs/concepts/storage/volumes/
 ##
 scratchVolume:
   mountPath: /analysis_scratch
   fixGroupPermissions: false
+  fixerInitContainerImage: alpine
   details: {}
 
 ## @param extraVolumes mounts additional volumes to each pod

stable/feeds/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: feeds
 type: application
-version: "2.1.2"
+version: "2.1.3"
 appVersion: "5.1.1"
 kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.28.x-x
 description: Anchore feeds service