Getting started
Anchore Engine is an open-source project that provides a centralized service for inspection, analysis, and certification of container images. Integrated with Kubernetes it can also act as a gate on deployments, for example by preventing images that have not been scanned from being admitted into your clusters.
Installing with Helm
Several parts of the installation require credentials. The Helm values expect a Kubernetes Secret carrying these six keys, with exactly these names:
  ANCHORE_ADMIN_USERNAME
  ANCHORE_ADMIN_PASSWORD
  ANCHORE_DB_PASSWORD
  db-url
  db-user
  postgres-password
Creating the following ExternalSecret ensures the credentials are drawn from the backend secret store of your choice rather than being written into a values file or the Helm release. Two variants are shown, one for the HashiCorp Vault provider and one for the AWS Secrets Manager provider; both produce a Secret named anchore-access-credentials, which must exist in the same namespace as the Helm release before the chart is installed.
Note the doubled templating in the Vault variant, {{ printf "{{ .username | toString }}" }}. It is only needed when the ExternalSecret manifest is itself rendered by Helm: the outer printf makes Helm emit the inner {{ .username | toString }} literally, so that the External Secrets operator, and not Helm, expands it. If you apply the manifest directly with kubectl, use the inner form on its own.
The AWS variant uses dataFrom.extract, which copies every key of the remote JSON secret verbatim. The secret stored at that path must therefore carry exactly the six key names listed above; there is no template in between to rename them.
Hashicorp Vault
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: anchore-access-credentials
  namespace: security
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    # Name of the Kubernetes Secret the operator creates; the Helm values refer to it.
    name: anchore-access-credentials
    template:
      data:
        # Outer printf is Helm escaping only: it emits the inner
        # "{{ .username | toString }}" literally so the External Secrets
        # operator expands it. Drop the outer printf when applying with kubectl.
        ANCHORE_ADMIN_USERNAME: >-
          {{ printf "{{ .username | toString }}" }}
        ANCHORE_ADMIN_PASSWORD: >-
          {{ printf "{{ .password | toString }}" }}
        ANCHORE_DB_PASSWORD: >-
          {{ printf "{{ .dbPassword | toString }}" }}
        db-url: >-
          {{ printf "{{ .dbUrl | toString }}" }}
        db-user: >-
          {{ printf "{{ .dbUser | toString }}" }}
        postgres-password: >-
          {{ printf "{{ .postgresPassword | toString }}" }}
  # Each secretKey below is the name the template above dereferences;
  # key/property identify the Vault secret and the field within it.
  data:
    - secretKey: password
      remoteRef:
        key: anchore-engine
        property: ANCHORE_ADMIN_PASSWORD
    - secretKey: username
      remoteRef:
        key: anchore-engine
        property: ANCHORE_ADMIN_USERNAME
    - secretKey: dbPassword
      remoteRef:
        key: anchore-engine
        property: ANCHORE_DB_PASSWORD
    - secretKey: dbUrl
      remoteRef:
        key: anchore-engine
        property: db-url
    - secretKey: dbUser
      remoteRef:
        key: anchore-engine
        property: db-user
    - secretKey: postgresPassword
      remoteRef:
        key: anchore-engine
        property: postgres-password
AWS Secrets Manager
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: anchore-access-credentials
  # Must match the namespace the chart is released into.
  namespace: ci
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: cluster-secrets-store
    kind: ClusterSecretStore
  target:
    name: anchore-access-credentials
  # extract copies every key of the JSON secret at this path as-is, so the
  # remote secret must already use the six key names the chart expects.
  dataFrom:
    - extract:
        key: service/anchore-engine/engineAccess
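Because the chart only works if the produced Secret carries exactly the six key names, a cheap preflight check before helm install saves a failed rollout. The following is an added example, not code from Anchore or the External Secrets operator. It lints a parsed ExternalSecret (for the templated Vault variant: key set must match, and every {{ .x }} must be fetched by a data[].secretKey) and, for either variant, checks the rendered Secret as returned by kubectl get secret -o json. It assumes the six key names above are exactly what the chart consumes; the manifests and Secret it runs on are constructed inline and contain no real credentials.

```python
"""Preflight check for the Secret an ExternalSecret produces for Anchore Engine.
Added example; not Anchore or External Secrets operator code."""
import base64
import json
import re

# Key names taken from the page; assumed to be exactly what the chart consumes.
REQUIRED_KEYS = frozenset({
    "ANCHORE_ADMIN_USERNAME", "ANCHORE_ADMIN_PASSWORD", "ANCHORE_DB_PASSWORD",
    "db-url", "db-user", "postgres-password",
})

# Captures "username" from "{{ .username | toString }}" and from the Helm-escaped
# '{{ printf "{{ .username | toString }}" }}' (the printf part has no leading dot).
TEMPLATE_REF = re.compile(r"\{\{\s*\.(\w+)")


def check_external_secret(manifest: dict) -> list[str]:
    """Static lint of a parsed ExternalSecret (e.g. yaml.safe_load of the file)."""
    problems = []
    spec = manifest.get("spec", {})
    template_data = spec.get("target", {}).get("template", {}).get("data")
    if template_data is not None:
        keys = set(template_data)
        problems += [f"missing template key {k}" for k in sorted(REQUIRED_KEYS - keys)]
        problems += [f"unexpected template key {k}" for k in sorted(keys - REQUIRED_KEYS)]
        fetched = {item["secretKey"] for item in spec.get("data", [])}
        for key, value in template_data.items():
            for ref in TEMPLATE_REF.findall(str(value)):
                if ref not in fetched:
                    problems.append(f"{key} references .{ref} but no data[].secretKey fetches it")
    elif not spec.get("dataFrom"):
        problems.append("neither target.template.data nor dataFrom is set")
    # dataFrom.extract copies remote key names verbatim: only the rendered Secret can be checked.
    return problems


def check_rendered_secret(secret_json: str) -> list[str]:
    """Check `kubectl get secret <name> -o json` output: every key present and non-empty."""
    data = json.loads(secret_json).get("data", {})
    problems = []
    for key in sorted(REQUIRED_KEYS):
        encoded = data.get(key)
        if encoded is None:
            problems.append(f"missing key {key}")
        elif not base64.b64decode(encoded).strip():
            problems.append(f"empty value for {key}")
    return problems


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample inputs mirroring the Vault variant above (no real credentials).
_FETCH = [("username", "ANCHORE_ADMIN_USERNAME"), ("password", "ANCHORE_ADMIN_PASSWORD"),
          ("dbPassword", "ANCHORE_DB_PASSWORD"), ("dbUrl", "db-url"),
          ("dbUser", "db-user"), ("postgresPassword", "postgres-password")]
VAULT_MANIFEST = {
    "kind": "ExternalSecret",
    "spec": {
        "target": {"template": {"data": {
            prop: '{{ printf "{{ .%s | toString }}" }}' % key for key, prop in _FETCH
        }}},
        "data": [{"secretKey": key, "remoteRef": {"key": "anchore-engine", "property": prop}}
                 for key, prop in _FETCH],
    },
}

# Same manifest with a typo'd key and one template reference nobody fetches.
BROKEN_MANIFEST = json.loads(json.dumps(VAULT_MANIFEST))
_tpl = BROKEN_MANIFEST["spec"]["target"]["template"]["data"]
_tpl["db_url"] = _tpl.pop("db-url")
BROKEN_MANIFEST["spec"]["data"] = [
    d for d in BROKEN_MANIFEST["spec"]["data"] if d["secretKey"] != "postgresPassword"]

# Constructed `kubectl get secret -o json` output with postgres-password absent.
RENDERED_SECRET = json.dumps({"kind": "Secret", "data": {
    "ANCHORE_ADMIN_USERNAME": _b64("admin"), "ANCHORE_ADMIN_PASSWORD": _b64("s3cr3t"),
    "ANCHORE_DB_PASSWORD": _b64("dbpass"), "db-url": _b64("postgresql://anchore-db:5432/anchore"),
    "db-user": _b64("anchore"),
}})

if __name__ == "__main__":
    print(check_external_secret(VAULT_MANIFEST))
    print(check_external_secret(BROKEN_MANIFEST))
    print(check_rendered_secret(RENDERED_SECRET))
```

Run check_rendered_secret on the live Secret after the operator has reconciled (refreshInterval controls how soon that happens) and before helm install; an empty list means the chart will find every key it needs.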