Getting started
Anchore Engine is an open-source platform that provides centralized inspection, analysis, and certification of container images. When integrated with Kubernetes, it adds powerful features—such as preventing unscanned images from being deployed into your clusters.
Installation with Helm
There are several parts of the installation that require credentials these being:
ANCHORE_ADMIN_USERNAME
ANCHORE_ADMIN_PASSWORD
ANCHORE_DB_PASSWORD
db-url
db-user
postgres-password
You can use an ExternalSecret to automatically fetch these credentials from your preferred backend provider. The following examples demonstrate how to configure it with HashiCorp Vault and AWS Secrets Manager.
Hashicorp Vault
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: anchore-access-credentials
namespace: security
spec:
refreshInterval: 1h
secretStoreRef:
name: vault-backend
kind: ClusterSecretStore
target:
name: anchore-access-credentials
template:
data:
ANCHORE_ADMIN_USERNAME: >-
{{ printf "{{ .username | toString }}" }}
ANCHORE_ADMIN_PASSWORD: >-
{{ printf "{{ .password | toString }}" }}
ANCHORE_DB_PASSWORD: >-
{{ printf "{{ .dbPassword | toString }}" }}
db-url: >-
{{ printf "{{ .dbUrl | toString }}" }}
db-user: >-
{{ printf "{{ .dbUser | toString }}" }}
postgres-password: >-
{{ printf "{{ .postgresPassword | toString }}" }}
data:
- secretKey: password
remoteRef:
key: anchore-engine
property: ANCHORE_ADMIN_PASSWORD
- secretKey: username
remoteRef:
key: anchore-engine
property: ANCHORE_ADMIN_USERNAME
- secretKey: dbPassword
remoteRef:
key: anchore-engine
property: ANCHORE_DB_PASSWORD
- secretKey: dbUrl
remoteRef:
key: anchore-engine
property: db-url
- secretKey: dbUser
remoteRef:
key: anchore-engine
property: db-user
- secretKey: postgresPassword
remoteRef:
key: anchore-engine
property: postgres-password
AWS Secrets Manager
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: anchore-access-credentials
namespace: ci
spec:
refreshInterval: 1h
secretStoreRef:
name: cluster-secrets-store
kind: ClusterSecretStore
target:
name: anchore-access-credentials
dataFrom:
- extract:
key: service/anchore-engine/engineAccess