
Getting started

Anchore Engine is an open-source project that provides a centralized service for inspection, analysis, and certification of container images. With Kubernetes, it also brings features such as preventing unscanned images from being deployed into your clusters.

Installing with Helm

Several parts of the installation require credentials. These are:

ANCHORE_ADMIN_USERNAME, ANCHORE_ADMIN_PASSWORD, ANCHORE_DB_PASSWORD, db-url, db-user, postgres-password

Creating the following external secret ensures the credentials are drawn from the backend provider of choice. The examples shown here work with the Hashicorp Vault and AWS Secrets Manager providers.

Hashicorp Vault

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: anchore-access-credentials
  namespace: security
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: anchore-access-credentials
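    template:
      # printf emits the inner {{ ... }} unchanged when Helm renders this
      # manifest, leaving it for External Secrets to evaluate afterwards.
      # If the manifest is applied directly rather than through Helm, use
      # the inner expression on its own, e.g. {{ .username | toString }}.
      data: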
        ANCHORE_ADMIN_USERNAME: >-
          {{ printf "{{ .username | toString }}" }}
        ANCHORE_ADMIN_PASSWORD: >-
          {{ printf "{{ .password | toString }}" }}
        ANCHORE_DB_PASSWORD: >-
          {{ printf "{{ .dbPassword | toString }}" }}
        db-url: >-
          {{ printf "{{ .dbUrl | toString }}" }}
        db-user: >-
          {{ printf "{{ .dbUser | toString }}" }}
        postgres-password: >-
          {{ printf "{{ .postgresPassword | toString }}" }}

  data:
    - secretKey: password
      remoteRef:
        key: anchore-engine
        property: ANCHORE_ADMIN_PASSWORD
    - secretKey: username
      remoteRef:
        key: anchore-engine
        property: ANCHORE_ADMIN_USERNAME
    - secretKey: dbPassword
      remoteRef:
        key: anchore-engine
        property: ANCHORE_DB_PASSWORD
    - secretKey: dbUrl
      remoteRef:
        key: anchore-engine
        property: db-url
    - secretKey: dbUser
      remoteRef:
        key: anchore-engine
        property: db-user
    - secretKey: postgresPassword
      remoteRef:
        key: anchore-engine
        property: postgres-password

AWS Secrets Manager

---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: anchore-access-credentials
  namespace: ci
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: cluster-secrets-store
    kind: ClusterSecretStore
  target:
    name: anchore-access-credentials
  dataFrom:
  - extract:
      key: service/anchore-engine/engineAccess
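
A pre-deployment check for both manifests above, as an added example that is not part of the original page or of the External Secrets project: it confirms that the resulting Secret would carry all six keys the installation needs and that every template variable is actually fetched. The function name, the dict representation of the spec and the sample inputs are assumptions constructed here; the check also assumes the default behaviour that a `template.data` block replaces the fetched keys.

```python
import json
import re

# The six keys the page lists as required by the Anchore installation.
REQUIRED_KEYS = {"ANCHORE_ADMIN_USERNAME", "ANCHORE_ADMIN_PASSWORD",
                 "ANCHORE_DB_PASSWORD", "db-url", "db-user", "postgres-password"}
# Captures the variable in "{{ .dbUrl | toString }}", also inside printf "...".
VAR_REF = re.compile(r"\{\{\s*\.([A-Za-z_][A-Za-z0-9_]*)")


def check_external_secret(spec, remote_json=None):
    """Return sorted problems for one ExternalSecret spec (dict); remote_json is
    the JSON stored under the dataFrom.extract key (each property becomes a key)."""
    problems = []
    fetched = {entry["secretKey"] for entry in spec.get("data", [])}
    if spec.get("dataFrom") and remote_json is not None:
        fetched |= set(json.loads(remote_json))
    template = spec.get("target", {}).get("template", {}).get("data")
    if template is None:
        produced = fetched  # no template: fetched keys are copied through
    else:
        produced = set(template)  # only templated keys reach the Secret
        for key, body in template.items():
            for var in VAR_REF.findall(body):
                if var not in fetched:
                    problems.append(f"{key}: .{var} is not fetched by any data entry")
    problems += [f"missing required key: {k}" for k in REQUIRED_KEYS - produced]
    return sorted(problems)


# Constructed sample: the Vault form above with the dbUrl data entry left out.
VAULT_VARS = {"ANCHORE_ADMIN_USERNAME": "username", "ANCHORE_ADMIN_PASSWORD": "password",
              "ANCHORE_DB_PASSWORD": "dbPassword", "db-url": "dbUrl",
              "db-user": "dbUser", "postgres-password": "postgresPassword"}
VAULT_SPEC = {
    "target": {"template": {"data": {
        k: '{{ printf "{{ .%s | toString }}" }}' % v for k, v in VAULT_VARS.items()}}},
    "data": [{"secretKey": v} for v in VAULT_VARS.values() if v != "dbUrl"],
}
# Constructed sample: the AWS form, with postgres-password absent from the remote JSON.
AWS_SPEC = {"target": {"name": "anchore-access-credentials"},
            "dataFrom": [{"extract": {"key": "service/anchore-engine/engineAccess"}}]}
AWS_REMOTE = json.dumps({k: "placeholder" for k in REQUIRED_KEYS - {"postgres-password"}})

if __name__ == "__main__":
    print(check_external_secret(VAULT_SPEC))
    print(check_external_secret(AWS_SPEC, AWS_REMOTE))
```

For the `dataFrom.extract` form the key names come straight from the JSON stored in AWS Secrets Manager, so the check needs that document's property names (not its values) to say anything useful.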