Skip to content

Commit ab225ad

Browse files
Merge pull request #605 from anchore/db-encryption-secret
adding database encryption key
2 parents c64fbc3 + d33b7a8 commit ab225ad

9 files changed

Lines changed: 271 additions & 1 deletion

File tree

stable/enterprise/files/bootstrap_ng.yaml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -39,6 +39,10 @@ credentials:
3939
pool_size: {{ .Values.anchoreConfig.database.db_pool_size }}
4040
max_overflow: {{ .Values.anchoreConfig.database.db_pool_max_overflow }}
4141
{{- end }}
42+
{{- if or .Values.anchoreConfig.database.encryption.keys .Values.anchoreConfig.database.encryption.existingSecret }}
43+
encryption:
44+
keys: "${ANCHORE_DB_ENCRYPTION_KEYS}"
45+
{{- end }}
4246

4347
# Authentication keys
4448
keys:

stable/enterprise/files/default_config.yaml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -97,6 +97,10 @@ credentials:
9797
{{- end }}
9898
db_pool_size: ${ANCHORE_DB_POOL_SIZE}
9999
db_pool_max_overflow: ${ANCHORE_DB_POOL_MAX_OVERFLOW}
100+
{{- if or .Values.anchoreConfig.database.encryption.keys .Values.anchoreConfig.database.encryption.existingSecret }}
101+
encryption:
102+
keys: "${ANCHORE_DB_ENCRYPTION_KEYS}"
103+
{{- end }}
100104
{{- with .Values.anchoreConfig.database.engineArgs }}
101105
db_engine_args: {{- toYaml . | nindent 6 }}
102106
{{- end }}

stable/enterprise/files/osaa_config.yaml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -97,6 +97,10 @@ credentials:
9797
{{- end }}
9898
db_pool_size: ${ANCHORE_DB_POOL_SIZE}
9999
db_pool_max_overflow: ${ANCHORE_DB_POOL_MAX_OVERFLOW}
100+
{{- if or .Values.anchoreConfig.database.encryption.keys .Values.anchoreConfig.database.encryption.existingSecret }}
101+
encryption:
102+
keys: "${ANCHORE_DB_ENCRYPTION_KEYS}"
103+
{{- end }}
100104
{{- with .Values.anchoreConfig.database.engineArgs }}
101105
db_engine_args: {{- toYaml . | nindent 6 }}
102106
{{- end }}

stable/enterprise/templates/_common.tpl

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -198,6 +198,7 @@ When calling this template, .component can be included in the context for compon
198198
fieldPath: metadata.name
199199
{{- include "enterprise.storageCredentialEnv" (dict "storeConfig" .Values.anchoreConfig.catalog.object_store "envPrefix" "ANCHORE_OBJECT_STORE" "storeName" "object_store" "context" .) }}
200200
{{- include "enterprise.storageCredentialEnv" (dict "storeConfig" .Values.anchoreConfig.catalog.analysis_archive "envPrefix" "ANCHORE_ANALYSIS_ARCHIVE" "storeName" "analysis_archive" "context" .) }}
201+
{{- include "enterprise.dbEncryptionKeyEnv" . }}
201202
{{- end -}}
202203

203204

stable/enterprise/templates/_helpers.tpl

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -628,6 +628,23 @@ Usage: {{ include "enterprise.storageCredentialEnv" (dict "storeConfig" .Values.
628628
{{- end -}}
629629
{{- end -}}
630630

631+
{{/*
632+
Render an env var sourced from a separate existing secret for database encryption keys.
633+
Only emitted when anchoreConfig.database.encryption.existingSecret is set.
634+
When keys are provided inline (anchoreConfig.database.encryption.keys), the value is placed in the
635+
main anchore secret and mounted via envFrom, so no extra env entry is needed.
636+
Usage: {{ include "enterprise.dbEncryptionKeyEnv" . }}
637+
*/}}
638+
{{- define "enterprise.dbEncryptionKeyEnv" -}}
639+
{{- if and (not .Values.injectSecretsViaEnv) .Values.anchoreConfig.database.encryption.existingSecret }}
640+
- name: ANCHORE_DB_ENCRYPTION_KEYS
641+
valueFrom:
642+
secretKeyRef:
643+
name: {{ .Values.anchoreConfig.database.encryption.existingSecret }}
644+
key: {{ .Values.anchoreConfig.database.encryption.existingSecretKey | default "keys" }}
645+
{{- end -}}
646+
{{- end -}}
647+
631648
{{/*
632649
Gateway API - Returns the Gateway name for parentRefs
633650
*/}}

stable/enterprise/templates/anchore_secret.yaml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,5 +29,8 @@ stringData:
2929
ANCHORE_DB_PASSWORD: {{ required "postgresql.auth.password is required" .Values.postgresql.auth.password | quote }}
3030
ANCHORE_DB_PORT: {{ .Values.postgresql.port | quote }}
3131
ANCHORE_SAML_SECRET: {{ $anchoreSamlSecret }}
32+
{{- with .Values.anchoreConfig.database.encryption.keys }}
33+
ANCHORE_DB_ENCRYPTION_KEYS: {{ . | quote }}
34+
{{- end }}
3235

3336
{{- end -}}

stable/enterprise/tests/__snapshot__/object_store_test.yaml.snap

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -728,7 +728,7 @@ snapshot - S3 ng bootstrap configmap:
728728
# Job worker pool size (bootstrap-only, not reconciled via config compiler)
729729
domains:
730730
jobs:
731-
pool_size: 16
731+
pool_size: 8
732732

733733
# Object store configuration
734734
object_store:
Lines changed: 217 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,217 @@
1+
suite: Database Encryption Tests
2+
release:
3+
name: test-release
4+
namespace: test-namespace
5+
chart:
6+
version: 9.9.9
7+
appVersion: 9.9.9
8+
set:
9+
postgresql.externalEndpoint: test-postgresql
10+
postgresql.auth.username: test-user
11+
postgresql.auth.password: test-password
12+
postgresql.auth.database: test-db
13+
14+
tests:
15+
#
16+
# Secret tests
17+
#
18+
- it: should not include ANCHORE_DB_ENCRYPTION_KEYS in secret when encryption keys are not set
19+
templates:
20+
- anchore_secret.yaml
21+
asserts:
22+
- notExists:
23+
path: stringData.ANCHORE_DB_ENCRYPTION_KEYS
24+
25+
- it: should include ANCHORE_DB_ENCRYPTION_KEYS in secret when encryption keys are set
26+
templates:
27+
- anchore_secret.yaml
28+
set:
29+
anchoreConfig.database.encryption.keys: '["k1:dGVzdGtleWRhdGFiYXNlMTIzNDU2Nzg5MGFi"]'
30+
asserts:
31+
- isSubset:
32+
path: stringData
33+
content:
34+
ANCHORE_DB_ENCRYPTION_KEYS: '["k1:dGVzdGtleWRhdGFiYXNlMTIzNDU2Nzg5MGFi"]'
35+
36+
- it: should not create chart-managed secret when useExistingSecrets is true
37+
templates:
38+
- anchore_secret.yaml
39+
set:
40+
useExistingSecrets: true
41+
anchoreConfig.database.encryption.keys: '["k1:dGVzdGtleWRhdGFiYXNlMTIzNDU2Nzg5MGFi"]'
42+
asserts:
43+
- hasDocuments:
44+
count: 0
45+
46+
#
47+
# Config tests - default_config.yaml (via anchore_configmap.yaml)
48+
#
49+
- it: should not include encryption block in config when encryption is not configured
50+
templates:
51+
- templates/anchore_configmap.yaml
52+
asserts:
53+
- notMatchRegex:
54+
path: data["config.yaml"]
55+
pattern: "encryption:"
56+
57+
- it: should include encryption block in config when encryption keys are set
58+
templates:
59+
- templates/anchore_configmap.yaml
60+
set:
61+
anchoreConfig.database.encryption.keys: '["k1:dGVzdGtleWRhdGFiYXNlMTIzNDU2Nzg5MGFi"]'
62+
asserts:
63+
- matchRegex:
64+
path: data["config.yaml"]
65+
pattern: "encryption:\\s*\\n\\s*keys: \"\\$\\{ANCHORE_DB_ENCRYPTION_KEYS\\}\""
66+
67+
- it: should include encryption block in config when existingSecret is set
68+
templates:
69+
- templates/anchore_configmap.yaml
70+
set:
71+
anchoreConfig.database.encryption.existingSecret: my-encryption-secret
72+
asserts:
73+
- matchRegex:
74+
path: data["config.yaml"]
75+
pattern: "encryption:\\s*\\n\\s*keys: \"\\$\\{ANCHORE_DB_ENCRYPTION_KEYS\\}\""
76+
77+
#
78+
# Config tests - osaa_config.yaml (via osaa_configmap.yaml)
79+
#
80+
- it: should not include encryption block in osaa config when encryption is not configured
81+
templates:
82+
- templates/osaa_configmap.yaml
83+
set:
84+
osaaMigrationJob.enabled: true
85+
asserts:
86+
- notMatchRegex:
87+
path: data["config.yaml"]
88+
pattern: "encryption:"
89+
90+
- it: should include encryption block in osaa config when encryption keys are set
91+
templates:
92+
- templates/osaa_configmap.yaml
93+
set:
94+
osaaMigrationJob.enabled: true
95+
anchoreConfig.database.encryption.keys: '["k1:dGVzdGtleWRhdGFiYXNlMTIzNDU2Nzg5MGFi"]'
96+
asserts:
97+
- matchRegex:
98+
path: data["config.yaml"]
99+
pattern: "encryption:\\s*\\n\\s*keys: \"\\$\\{ANCHORE_DB_ENCRYPTION_KEYS\\}\""
100+
101+
#
102+
# Config tests - bootstrap_ng.yaml (via component configmaps)
103+
#
104+
- it: should not include encryption block in bootstrap_ng config when encryption is not configured
105+
templates:
106+
- templates/configmaps/componentcatalog_configmap.yaml
107+
documentIndex: 0
108+
asserts:
109+
- notMatchRegex:
110+
path: data["bootstrap_ng.yaml"]
111+
pattern: "encryption:"
112+
113+
- it: should include encryption block in bootstrap_ng config when encryption keys are set
114+
templates:
115+
- templates/configmaps/componentcatalog_configmap.yaml
116+
documentIndex: 0
117+
set:
118+
anchoreConfig.database.encryption.keys: '["k1:dGVzdGtleWRhdGFiYXNlMTIzNDU2Nzg5MGFi"]'
119+
asserts:
120+
- matchRegex:
121+
path: data["bootstrap_ng.yaml"]
122+
pattern: "encryption:\\s*\\n\\s*keys: \"\\$\\{ANCHORE_DB_ENCRYPTION_KEYS\\}\""
123+
124+
- it: should include encryption block in bootstrap_ng config when existingSecret is set
125+
templates:
126+
- templates/configmaps/componentcatalog_configmap.yaml
127+
documentIndex: 0
128+
set:
129+
anchoreConfig.database.encryption.existingSecret: my-encryption-secret
130+
asserts:
131+
- matchRegex:
132+
path: data["bootstrap_ng.yaml"]
133+
pattern: "encryption:\\s*\\n\\s*keys: \"\\$\\{ANCHORE_DB_ENCRYPTION_KEYS\\}\""
134+
135+
#
136+
# Env var injection tests - existingSecret via secretKeyRef
137+
#
138+
- it: should not inject ANCHORE_DB_ENCRYPTION_KEYS env var when encryption is not configured
139+
templates:
140+
- analyzer_deployment.yaml
141+
- api_deployment.yaml
142+
- catalog_deployment.yaml
143+
documentIndex: 0
144+
asserts:
145+
- notContains:
146+
path: spec.template.spec.containers[0].env
147+
content:
148+
name: ANCHORE_DB_ENCRYPTION_KEYS
149+
any: true
150+
151+
- it: should not inject ANCHORE_DB_ENCRYPTION_KEYS env var when using chart-managed keys
152+
templates:
153+
- analyzer_deployment.yaml
154+
documentIndex: 0
155+
set:
156+
anchoreConfig.database.encryption.keys: '["k1:dGVzdGtleWRhdGFiYXNlMTIzNDU2Nzg5MGFi"]'
157+
asserts:
158+
- notContains:
159+
path: spec.template.spec.containers[0].env
160+
content:
161+
name: ANCHORE_DB_ENCRYPTION_KEYS
162+
any: true
163+
164+
- it: should inject ANCHORE_DB_ENCRYPTION_KEYS env var from existingSecret
165+
templates:
166+
- analyzer_deployment.yaml
167+
- api_deployment.yaml
168+
- catalog_deployment.yaml
169+
- notifications_deployment.yaml
170+
- policyengine_deployment.yaml
171+
- reports_deployment.yaml
172+
- reportsworker_deployment.yaml
173+
- simplequeue_deployment.yaml
174+
- datasyncer_deployment.yaml
175+
documentIndex: 0
176+
set:
177+
anchoreConfig.database.encryption.existingSecret: my-encryption-secret
178+
asserts:
179+
- contains:
180+
path: spec.template.spec.containers[0].env
181+
content:
182+
name: ANCHORE_DB_ENCRYPTION_KEYS
183+
valueFrom:
184+
secretKeyRef:
185+
name: my-encryption-secret
186+
key: keys
187+
188+
- it: should use custom existingSecretKey when specified
189+
templates:
190+
- analyzer_deployment.yaml
191+
documentIndex: 0
192+
set:
193+
anchoreConfig.database.encryption.existingSecret: my-encryption-secret
194+
anchoreConfig.database.encryption.existingSecretKey: encryption-keys
195+
asserts:
196+
- contains:
197+
path: spec.template.spec.containers[0].env
198+
content:
199+
name: ANCHORE_DB_ENCRYPTION_KEYS
200+
valueFrom:
201+
secretKeyRef:
202+
name: my-encryption-secret
203+
key: encryption-keys
204+
205+
- it: should not inject secretKeyRef env var when injectSecretsViaEnv is true
206+
templates:
207+
- analyzer_deployment.yaml
208+
documentIndex: 0
209+
set:
210+
injectSecretsViaEnv: true
211+
anchoreConfig.database.encryption.existingSecret: my-encryption-secret
212+
asserts:
213+
- notContains:
214+
path: spec.template.spec.containers[0].env
215+
content:
216+
name: ANCHORE_DB_ENCRYPTION_KEYS
217+
any: true

stable/enterprise/values.yaml

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -116,6 +116,7 @@ useExistingSecrets: false
116116
## ANCHORE_DB_PORT
117117
## ANCHORE_SAML_SECRET (if applicable)
118118
## ANCHORE_GITHUB_TOKEN (if applicable)
119+
## ANCHORE_DB_ENCRYPTION_KEYS (if using database encryption at rest)
119120
##
120121
existingSecretName: anchore-enterprise-env
121122

@@ -485,6 +486,25 @@ anchoreConfig:
485486
ngEngineArgs: {}
486487
ngDbConnectArgs: {}
487488

489+
## Database encryption at rest configuration
490+
## Anchore Enterprise encrypts sensitive columns in the database using AES-256-GCM.
491+
## The keyring is a JSON array of "kid:base64url-32-bytes" strings, e.g. '["k1:Hk7q...=="]'
492+
## ref: https://docs.anchore.com/current/docs/configuration/storage/database/#encrypting-database-secrets-at-rest
493+
##
494+
## @param anchoreConfig.database.encryption.keys JSON-encoded keyring array for database encryption at rest. When set, chart creates a secret with this value.
495+
## @param anchoreConfig.database.encryption.existingSecret Name of an existing Kubernetes secret containing the encryption keyring
496+
## @param anchoreConfig.database.encryption.existingSecretKey Key within the existing secret that holds the keyring value (default: "keys")
497+
##
498+
encryption:
499+
## Provide the keyring value directly (chart-managed secret). Ignored when useExistingSecrets is true.
500+
## Example: '["k1:Hk7q...base64-32-bytes...=="]'
501+
keys: ""
502+
503+
## Use a pre-existing secret instead of having the chart create one.
504+
## The secret must contain the keyring JSON array string.
505+
existingSecret: ""
506+
existingSecretKey: "keys"
507+
488508
## @param anchoreConfig.policyBundles Include custom Anchore policy bundles
489509
## This object represents the data of a configmap that is mounted to <anchore_service_dir>/policies of all Anchore services
490510
## ref: https://docs.anchore.com/current/docs/overview/concepts/policy/policies/

0 commit comments

Comments
 (0)