Policybundles fix (#170)

* use subpath for mounting custom PolicyBundles * bump chart version * add range for policy keys * copy policies into accesible directory * fix tests --------- Signed-off-by: Keohn Akins <[email protected]>
anchore · Nov 28, 2023 · 3caf60c · 3caf60c
1 parent 4f2c2c6
commit 3caf60c
Show file tree

Hide file tree

Showing 14 changed files with 28 additions and 20 deletions.
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: enterprise
-version: "2.0.1"
+version: "2.0.2"
 appVersion: "5.0.0"
 kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x
 description: |

diff --git a/stable/enterprise/templates/_common.tpl b/stable/enterprise/templates/_common.tpl
@@ -53,7 +53,7 @@ Setup a container for the cloudsql proxy to run in all pods when .Values.cloudsq
 Setup the common docker-entrypoint command for all Anchore Enterprise containers
 */}}
 {{- define "enterprise.common.dockerEntrypoint" -}}
-{{ print (include "enterprise.doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade
+mkdir -p {{ $.Values.anchoreConfig.service_dir  }}/policies {{ $.Values.anchoreConfig.service_dir  }}/tempPolicies && cp -rp {{ $.Values.anchoreConfig.service_dir  }}/tempPolicies/* {{ $.Values.anchoreConfig.service_dir  }}/policies || echo && {{ print (include "enterprise.doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade
 {{- end -}}
 
 

diff --git a/stable/enterprise/templates/api_deployment.yaml b/stable/enterprise/templates/api_deployment.yaml
@@ -60,8 +60,11 @@ spec:
               containerPort: {{ .Values.api.service.port }}
           volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }}
         {{- if .Values.anchoreConfig.policyBundles }}
+          {{- range $key, $value := .Values.anchoreConfig.policyBundles }}
             - name: policy-bundle-volume
-              mountPath: "{{ $.Values.anchoreConfig.service_dir  }}/policies/"
+              mountPath: {{ $.Values.anchoreConfig.service_dir  }}/tempPolicies/{{ $key }}
+              subPath: {{ $key }}
+          {{- end }}
         {{- end }}
           livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }}
           readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }}

diff --git a/stable/enterprise/templates/catalog_deployment.yaml b/stable/enterprise/templates/catalog_deployment.yaml
@@ -65,8 +65,11 @@ spec:
             - name: anchore-scratch
               mountPath: {{ .Values.scratchVolume.mountPath }}
         {{- if .Values.anchoreConfig.policyBundles }}
+          {{- range $key, $value := .Values.anchoreConfig.policyBundles }}
             - name: policy-bundle-volume
-              mountPath: "{{ $.Values.anchoreConfig.service_dir  }}/policies/"
+              mountPath: {{ $.Values.anchoreConfig.service_dir  }}/tempPolicies/{{ $key }}
+              subPath: {{ $key }}
+          {{- end }}
         {{- end }}
           livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }}
           readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }}

diff --git a/stable/enterprise/tests/analyzer_resources_test.yaml b/stable/enterprise/tests/analyzer_resources_test.yaml
@@ -188,7 +188,7 @@ tests:
     asserts:
       - matchRegex:
           path: spec.template.spec.containers[0].args[0]
-          pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade analyzer$
+          pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo &&  /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade analyzer$
         count: 1
 
   - it: should render component environment variables

diff --git a/stable/enterprise/tests/api_resources_test.yaml b/stable/enterprise/tests/api_resources_test.yaml
@@ -178,11 +178,11 @@ tests:
     asserts:
       - matchRegex:
           path: spec.template.spec.containers[1].args[0]
-          pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade reports$
+          pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo &&  /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade reports$
         count: 1
       - matchRegex:
           path: spec.template.spec.containers[0].args[0]
-          pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade apiext$
+          pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo &&  /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade apiext$
         count: 1
 
   - it: should render api component environment variables
@@ -306,7 +306,8 @@ tests:
           path: spec.template.spec.containers[0].volumeMounts
           content:
             name: policy-bundle-volume
-            mountPath: /anchore_service/policies/
+            mountPath: /anchore_service/tempPolicies/custom_policy_bundle1.json
+            subPath: custom_policy_bundle1.json
         count: 1
         any: true
 

diff --git a/stable/enterprise/tests/catalog_resources_test.yaml b/stable/enterprise/tests/catalog_resources_test.yaml
@@ -201,7 +201,7 @@ tests:
     asserts:
       - matchRegex:
           path: spec.template.spec.containers[0].args[0]
-          pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade catalog$
+          pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo &&  /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade catalog$
         count: 1
 
   - it: should render catalog component environment variables
@@ -272,7 +272,8 @@ tests:
           path: spec.template.spec.containers[0].volumeMounts
           content:
             name: policy-bundle-volume
-            mountPath: /anchore_service/policies/
+            mountPath: /anchore_service/tempPolicies/custom_policy_bundle1.json
+            subPath: custom_policy_bundle1.json
         count: 1
         any: true
 

diff --git a/stable/enterprise/tests/common_helpers_test.yaml b/stable/enterprise/tests/common_helpers_test.yaml
@@ -102,7 +102,7 @@ tests:
     asserts:
       - matchRegex:
           path: spec.template.spec.containers[0].args[0]
-          pattern: ^\/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade
+          pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo &&  \/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade
 
   - it: should render docker entrypoint with doSourceAtEntry and no filePaths
     templates: *backend_test_templates
@@ -112,7 +112,7 @@ tests:
     asserts:
       - matchRegex:
           path: spec.template.spec.containers[0].args[0]
-          pattern: ^\/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade
+          pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo &&  /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade
 
   - it: should render docker entrypoint with doSourceAtEntry and some filePaths
     templates: *test_templates
@@ -123,7 +123,7 @@ tests:
     asserts:
       - matchRegex:
           path: spec.template.spec.containers[0].args[0]
-          pattern: ^if \[ -f myscript\.sh \];then source myscript\.sh;fi;if \[ -f myotherscript\.sh \];then source myotherscript\.sh;fi; .*$
+          pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && if \[ -f myscript\.sh \];then source myscript\.sh;fi;if \[ -f myotherscript\.sh \];then source myotherscript\.sh;fi; .*$
 
   - it: should render envFrom without an existing secret
     templates:
@@ -445,7 +445,7 @@ tests:
           path: spec.template.spec.containers
           content:
             args:
-              - /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_authorizer
+              - mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo &&  /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_authorizer
             name: rbac-auth
             ports:
               - containerPort: 8089

diff --git a/stable/enterprise/tests/notifications_resources_test.yaml b/stable/enterprise/tests/notifications_resources_test.yaml
@@ -159,7 +159,7 @@ tests:
     asserts:
       - matchRegex:
           path: spec.template.spec.containers[0].args[0]
-          pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade notifications$
+          pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo &&  /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade notifications$
         count: 1
 
   - it: should render notifications component environment variables

diff --git a/stable/enterprise/tests/policyengine_resources_test.yaml b/stable/enterprise/tests/policyengine_resources_test.yaml
@@ -185,7 +185,7 @@ tests:
     asserts:
       - matchRegex:
           path: spec.template.spec.containers[0].args[0]
-          pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade policy_engine$
+          pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo &&  /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade policy_engine$
         count: 1
 
   - it: should render policyEngine component environment variables

diff --git a/stable/enterprise/tests/rbacmanager_resources_test.yaml b/stable/enterprise/tests/rbacmanager_resources_test.yaml
@@ -156,7 +156,7 @@ tests:
     asserts:
       - matchRegex:
           path: spec.template.spec.containers[0].args[0]
-          pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_manager$
+          pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo &&  /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_manager$
         count: 1
 
   - it: should render rbacManager component environment variables

diff --git a/stable/enterprise/tests/reports_resources_test.yaml b/stable/enterprise/tests/reports_resources_test.yaml
@@ -156,7 +156,7 @@ tests:
     asserts:
       - matchRegex:
           path: spec.template.spec.containers[0].args[0]
-          pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade reports_worker$
+          pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo &&  /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade reports_worker$
         count: 1
 
   - it: should render reports component environment variables

diff --git a/stable/enterprise/tests/simplequeue_resources_test.yaml b/stable/enterprise/tests/simplequeue_resources_test.yaml
@@ -156,7 +156,7 @@ tests:
     asserts:
       - matchRegex:
           path: spec.template.spec.containers[0].args[0]
-          pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade simplequeue$
+          pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo &&  /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade simplequeue$
         count: 1
 
   - it: should render simplequeue component environment variables

diff --git a/stable/enterprise/tests/ui_resources_test.yaml b/stable/enterprise/tests/ui_resources_test.yaml
@@ -146,7 +146,7 @@ tests:
     asserts:
       - matchRegex:
           path: spec.template.spec.containers[0].args[0]
-          pattern: ^/docker-entrypoint\.sh node \/home\/node\/aui\/build\/server.js$
+          pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo &&  /docker-entrypoint\.sh node \/home\/node\/aui\/build\/server.js$
         count: 1
 
   - it: should render ui component environment variables