Getting started

Anchore Engine is an open-source platform that provides centralized inspection, analysis, and certification of container images. When integrated with Kubernetes, it adds powerful features—such as preventing unscanned images from being deployed into your clusters.

Installation with Helm

Several parts of the installation require credentials, namely:

  • ANCHORE_ADMIN_USERNAME
  • ANCHORE_ADMIN_PASSWORD
  • ANCHORE_DB_PASSWORD
  • db-url
  • db-user
  • postgres-password

You can use an ExternalSecret to automatically fetch these credentials from your preferred backend provider. The following examples demonstrate how to configure it with HashiCorp Vault and AWS Secrets Manager.

HashiCorp Vault

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: anchore-access-credentials
  namespace: security
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: anchore-access-credentials
    template:
      # Rendered once by ESO's Go template engine; ".username" etc. are the
      # secretKey names declared under spec.data below. Write the expressions
      # directly. Wrapping them as {{ printf "{{ .username | toString }}" }}
      # is only needed when this manifest is itself rendered by Helm first,
      # which would otherwise consume the braces before ESO sees them; applied
      # with kubectl, that wrapper stores the literal template text as the value.
      data:
        ANCHORE_ADMIN_USERNAME: >-
          {{ .username | toString }}
        ANCHORE_ADMIN_PASSWORD: >-
          {{ .password | toString }}
        ANCHORE_DB_PASSWORD: >-
          {{ .dbPassword | toString }}
        db-url: >-
          {{ .dbUrl | toString }}
        db-user: >-
          {{ .dbUser | toString }}
        postgres-password: >-
          {{ .postgresPassword | toString }}
  # Each entry reads one property of the Vault KV secret "anchore-engine"
  # and exposes it to the template under its secretKey name.
  data:
    - secretKey: password
      remoteRef:
        key: anchore-engine
        property: ANCHORE_ADMIN_PASSWORD
    - secretKey: username
      remoteRef:
        key: anchore-engine
        property: ANCHORE_ADMIN_USERNAME
    - secretKey: dbPassword
      remoteRef:
        key: anchore-engine
        property: ANCHORE_DB_PASSWORD
    - secretKey: dbUrl
      remoteRef:
        key: anchore-engine
        property: db-url
    - secretKey: dbUser
      remoteRef:
        key: anchore-engine
        property: db-user
    - secretKey: postgresPassword
      remoteRef:
        key: anchore-engine
        property: postgres-password

AWS Secrets Manager

---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: anchore-access-credentials
  namespace: ci
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: cluster-secrets-store
    kind: ClusterSecretStore
  target:
    name: anchore-access-credentials
  # dataFrom.extract copies every key/value pair of the JSON secret into the
  # target Secret unchanged, so the Secrets Manager entry must already hold the
  # six credentials under exactly the key names listed above.
  dataFrom:
  - extract:
      key: service/anchore-engine/engineAccess
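Whichever backend you use, the Anchore chart only works if the synced Secret ends up with all six keys, each non-empty and actually rendered (a value that still reads `{{ .username | toString }}` means the template was not evaluated). The following check is an added example, not part of this page or the External Secrets project: it validates a Secret as returned by `kubectl get secret ... -o json`, and the two embedded Secret documents are constructed samples, not real credentials.

```python
import base64
import json
import sys

# The six credentials this page says the Anchore Engine installation needs.
REQUIRED_KEYS = (
    "ANCHORE_ADMIN_USERNAME",
    "ANCHORE_ADMIN_PASSWORD",
    "ANCHORE_DB_PASSWORD",
    "db-url",
    "db-user",
    "postgres-password",
)


def check_synced_secret(secret_json: str, required_keys=REQUIRED_KEYS) -> list:
    """Return the problems found in a Secret document (JSON as printed by kubectl).

    An empty list means every required key is present, decodes to non-empty
    UTF-8, and contains no leftover "{{ ... }}" template text.
    """
    secret = json.loads(secret_json)
    data = secret.get("data") or {}
    problems = []
    for key in required_keys:
        if key not in data:
            problems.append(f"missing key {key!r}")
            continue
        try:
            value = base64.b64decode(data[key], validate=True).decode("utf-8")
        except (TypeError, ValueError, UnicodeDecodeError):
            problems.append(f"key {key!r} is not valid base64/UTF-8")
            continue
        if not value.strip():
            problems.append(f"key {key!r} is empty")
        elif "{{" in value or "}}" in value:
            problems.append(f"key {key!r} still contains unrendered template text: {value!r}")
    return problems


def _b64(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


def _secret_doc(data: dict) -> str:
    return json.dumps({
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": "anchore-access-credentials", "namespace": "security"},
        "type": "Opaque",
        "data": data,
    })


# Constructed sample: a correctly rendered Secret (placeholder values).
GOOD_SECRET = _secret_doc({
    "ANCHORE_ADMIN_USERNAME": _b64("admin"),
    "ANCHORE_ADMIN_PASSWORD": _b64("example-admin-password"),
    "ANCHORE_DB_PASSWORD": _b64("example-db-password"),
    "db-url": _b64("postgresql://anchore-db.security.svc:5432/anchore"),
    "db-user": _b64("anchore"),
    "postgres-password": _b64("example-postgres-password"),
})

# Constructed sample of the failure modes: one value is the literal template
# text (the template was never evaluated), one is empty, one key is absent.
BAD_SECRET = _secret_doc({
    "ANCHORE_ADMIN_USERNAME": _b64("{{ .username | toString }}"),
    "ANCHORE_ADMIN_PASSWORD": _b64("example-admin-password"),
    "ANCHORE_DB_PASSWORD": _b64("example-db-password"),
    "db-url": _b64("postgresql://anchore-db.security.svc:5432/anchore"),
    "db-user": _b64(""),
    # "postgres-password" deliberately omitted
})


if __name__ == "__main__":
    if not sys.stdin.isatty():
        # Pipe a live Secret in: kubectl -n security get secret anchore-access-credentials -o json
        problems = check_synced_secret(sys.stdin.read())
        print("OK" if not problems else "\n".join(problems))
        sys.exit(1 if problems else 0)
    for label, doc in (("good sample", GOOD_SECRET), ("bad sample", BAD_SECRET)):
        problems = check_synced_secret(doc)
        print(f"{label}: " + ("OK" if not problems else "; ".join(problems)))
```

Run it with no input to see the two samples, or pipe the real Secret in as shown in the comment; a non-zero exit on problems lets it serve as a post-sync gate in a deployment pipeline before the Helm release is upgraded.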