From 071c253025b8fcbdbfaf7c693f4ee8b8ed124a39 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Thu, 2 Jun 2022 18:28:30 -0400 Subject: [PATCH 001/329] updating redis version from 10 to 16.9.0; change redis architecture to standalone Signed-off-by: Hung Nguyen --- stable/anchore-engine/Chart.lock | 6 +++--- stable/anchore-engine/Chart.yaml | 4 ++-- stable/anchore-engine/values.yaml | 3 +-- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/stable/anchore-engine/Chart.lock b/stable/anchore-engine/Chart.lock index 2071d680..360df330 100644 --- a/stable/anchore-engine/Chart.lock +++ b/stable/anchore-engine/Chart.lock @@ -10,6 +10,6 @@ dependencies: version: 1.0.1 - name: redis repository: https://charts.bitnami.com/bitnami - version: 10.9.0 -digest: sha256:44c16b3d5756edfaa4d86b8e57e6047de3ac0672d932f5cdf9fe1f28220b4fb0 -generated: "2021-09-29T23:16:53.207614-07:00" + version: 16.9.0 +digest: sha256:b47e602eda542006b955de605c50598d188c3cbf5f4516847c1755310c048d29 +generated: "2022-06-02T20:46:06.723716+05:30" diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 387fbc76..16d943f4 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.18.7 +version: 1.18.8 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: @@ -38,7 +38,7 @@ dependencies: condition: anchore-feeds-gem-db.enabled,anchoreEnterpriseFeeds.gemDriverEnabled alias: anchore-feeds-gem-db - name: redis - version: "10" + version: "16.9.0" repository: "https://charts.bitnami.com/bitnami" condition: anchore-ui-redis.enabled,anchoreEnterpriseGlobal.enabled alias: anchore-ui-redis diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 5dff946c..c2b26f6a 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml 
@@ -1195,8 +1195,7 @@ anchoreEnterpriseUi: # Only utilized if 'anchoreEnterpriseUi.enabled: true' anchore-ui-redis: password: anchore-redis,123 - cluster: - enabled: false + architecture: standalone persistence: enabled: false From 25fded70b2f3a8f82088036c8118098117c2e150 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 3 Jun 2022 18:01:13 -0400 Subject: [PATCH 002/329] updating redis name from anchore-ui-redis to ui-redis Signed-off-by: Hung Nguyen --- stable/anchore-engine/Chart.lock | 2 +- stable/anchore-engine/Chart.yaml | 4 ++-- stable/anchore-engine/README.md | 6 +++--- stable/anchore-engine/templates/_helpers.tpl | 2 +- .../anchore-engine/templates/enterprise_ui_deployment.yaml | 4 ++-- stable/anchore-engine/templates/enterprise_ui_secret.yaml | 6 +++--- stable/anchore-engine/values.yaml | 4 ++-- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/stable/anchore-engine/Chart.lock b/stable/anchore-engine/Chart.lock index 360df330..06d4e59f 100644 --- a/stable/anchore-engine/Chart.lock +++ b/stable/anchore-engine/Chart.lock @@ -12,4 +12,4 @@ dependencies: repository: https://charts.bitnami.com/bitnami version: 16.9.0 digest: sha256:b47e602eda542006b955de605c50598d188c3cbf5f4516847c1755310c048d29 -generated: "2022-06-02T20:46:06.723716+05:30" +generated: "2022-06-03T09:48:26.068871-04:00" diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 16d943f4..cd49d37d 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -40,5 +40,5 @@ dependencies: - name: redis version: "16.9.0" repository: "https://charts.bitnami.com/bitnami" - condition: anchore-ui-redis.enabled,anchoreEnterpriseGlobal.enabled - alias: anchore-ui-redis + condition: ui-redis.enabled,anchoreEnterpriseGlobal.enabled + alias: ui-redis diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index c11fbc43..84d1cabf 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md 
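Review bot: The retained `password: anchore-redis,123` line is no longer the key the redis subchart reads once the dependency is at 16.9.0 — from Bitnami redis chart 14.0.0 the credential moved to `auth.password`, in the same restructuring that replaced `cluster.enabled` with the `architecture` key this hunk adds. As written the subchart starts with its own generated password while the UI templates still interpolate `ui-redis.password`, so the UI cannot authenticate to the session store. Move the key under `auth:` as `auth:` / `  password: anchore-redis,123` and switch the templates that index `password` to `auth` `password`. This value is also a static credential committed in the chart defaults; a comment telling operators to override it would be worth adding at the same time.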
@@ -134,7 +134,7 @@ anchore-feeds-db: persistence: size: 20Gi -anchore-ui-redis: +ui-redis: password: ``` @@ -231,7 +231,7 @@ anchore-feeds-db: persistence: size: 50Gi -anchore-ui-redis: +ui-redis: password: ``` @@ -416,7 +416,7 @@ release "my-anchore" uninstalled Anchore Enterprise users will want to remove the Redis DB PersistentVolumeClaim. This will delete all current session data but will not affect stability of the deployment: ```bash -kubectl delete pvc redis-data-my-anchore-anchore-ui-redis-master-0 +kubectl delete pvc redis-data-my-anchore-ui-redis-master-0 ``` Your other PersistentVolumeClaims will still be resident in your cluster (we're showing results from an Anchore Enterprise installation that has a standalone Feeds Service below. Anchore Enterprise users without a standalone Feeds Service, and Anchore Engine users will not see `my-anchore-anchore-feeds-db`): diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index 418a0ec3..f993db89 100755 --- a/stable/anchore-engine/templates/_helpers.tpl +++ b/stable/anchore-engine/templates/_helpers.tpl @@ -143,7 +143,7 @@ Create a default fully qualified dependency name for the db. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). */}} {{- define "redis.fullname" -}} -{{- printf "%s-%s" .Release.Name "anchore-ui-redis" | trunc 63 | trimSuffix "-" -}} +{{- printf "%s-%s" .Release.Name "ui-redis" | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* diff --git a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml index 3704697c..2e9f5e4e 100644 --- a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml 
@@ -87,9 +87,9 @@ spec: image: {{ .Values.anchoreEnterpriseUi.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseUi.imagePullPolicy }} env: - {{- if and (index .Values "anchoreEnterpriseUi" "existingSecret") (not (index .Values "anchore-ui-redis" "externalEndpoint")) }} + {{- if and (index .Values "anchoreEnterpriseUi" "existingSecret") (not (index .Values "ui-redis" "externalEndpoint")) }} - name: ANCHORE_REDIS_URI - value: redis://nouser:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379 + value: redis://nouser:{{ index .Values "ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379 {{- end }} {{ if .Values.anchoreGlobal.dbConfig.ssl }} - name: PGSSLROOTCERT diff --git a/stable/anchore-engine/templates/enterprise_ui_secret.yaml b/stable/anchore-engine/templates/enterprise_ui_secret.yaml index 90df31cf..185ef8cf 100644 --- a/stable/anchore-engine/templates/enterprise_ui_secret.yaml +++ b/stable/anchore-engine/templates/enterprise_ui_secret.yaml @@ -20,10 +20,10 @@ stringData: ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}' {{- end }} - {{- if and (index .Values "anchore-ui-redis" "externalEndpoint") (not (index .Values "anchore-ui-redis" "enabled")) }} - ANCHORE_REDIS_URI: '{{ index .Values "anchore-ui-redis" "externalEndpoint" }}' + {{- if and (index .Values "ui-redis" "externalEndpoint") (not (index .Values "ui-redis" "enabled")) }} + ANCHORE_REDIS_URI: '{{ index .Values "ui-redis" "externalEndpoint" }}' {{- else }} - ANCHORE_REDIS_URI: 'redis://nouser:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379' + ANCHORE_REDIS_URI: 'redis://nouser:{{ index .Values "ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379' {{- end }} {{- end }} {{- end }} 
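Review bot: The renamed `ANCHORE_REDIS_URI` entry still places the Redis password as a literal `value:` in the Deployment's pod spec, where anyone able to read the Deployment or Pod object sees it, rather than sourcing it from a Secret. The enterprise_ui_secret.yaml hunk on this same line already writes the identical URI into `stringData`, so this env var could use `valueFrom.secretKeyRef` against that Secret's `ANCHORE_REDIS_URI` key and drop the inline interpolation. The guard `{{- if and (index .Values "anchoreEnterpriseUi" "existingSecret") (not (index .Values "ui-redis" "externalEndpoint")) }}` also reads as inverted — it injects the chart-default-password URI precisely when the operator supplied their own secret; confirm which branch is intended. The same inline `value:` pattern is carried into the later enterprise_ui_deployment.yaml hunks in this series.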
diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index c2b26f6a..fcd54732 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -1030,7 +1030,7 @@ anchoreEnterpriseNotifications: # Configure the Anchore Enterprise UI. anchoreEnterpriseUi: - # If enabled is set to false, set anchore-ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. + # If enabled is set to false, set ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true image: docker.io/anchore/enterprise-ui:v4.0.0 imagePullPolicy: IfNotPresent @@ -1193,7 +1193,7 @@ anchoreEnterpriseUi: # Anchore Engine Enterprise UI is dependent on redis for storing sessions # Only utilized if 'anchoreEnterpriseUi.enabled: true' -anchore-ui-redis: +ui-redis: password: anchore-redis,123 architecture: standalone persistence: From debb4434d7f4da19376fb5b97acf6512a188e5f3 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 3 Jun 2022 18:03:54 -0400 Subject: [PATCH 003/329] updating dependencies Chart.lock Signed-off-by: Hung Nguyen --- stable/anchore-engine/Chart.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/anchore-engine/Chart.lock b/stable/anchore-engine/Chart.lock index 06d4e59f..b51bb4f6 100644 --- a/stable/anchore-engine/Chart.lock +++ b/stable/anchore-engine/Chart.lock @@ -11,5 +11,5 @@ dependencies: - name: redis repository: https://charts.bitnami.com/bitnami version: 16.9.0 -digest: sha256:b47e602eda542006b955de605c50598d188c3cbf5f4516847c1755310c048d29 -generated: "2022-06-03T09:48:26.068871-04:00" +digest: sha256:1db3ab8a332664af77a5d7bb79216646595ce4ce582e2c4d7cfd3965a2d42ecc +generated: "2022-06-03T18:03:29.6425-04:00" From b0b74695dc8e407683dfc892c5fe1f116bf53c01 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 3 Jun 2022 23:25:57 -0400 Subject: [PATCH 004/329] bump chart minor version and update README.md 
Signed-off-by: Hung Nguyen --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/README.md | 14 ++++++++++++++ stable/anchore-engine/values.yaml | 2 ++ 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index cd49d37d..8aa80574 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.18.8 +version: 1.19.0 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 84d1cabf..e567be08 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -136,6 +136,8 @@ anchore-feeds-db: ui-redis: password: + auth: + password: ``` ## Installing on OpenShift @@ -233,6 +235,8 @@ anchore-feeds-db: ui-redis: password: + auth: + password: ``` # Chart Updates 
@@ -245,6 +249,16 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. +## Chart version 1.19.0 + +* Redis chart updated from version 10 to 16.9.0 updated to the latest version as bitnami has started removing older version of their charts. +* * redis will by default run in the `standalone` architecture. +* `anchore-ui-redis` in the helm values should now be `ui-redis` +* * if you've set the the `password` value under `anchore-ui-redis`, you will now have to set the `auth.password` as well, making the end change `ui-redis.auth.password` and `ui-redis.password` should be set. Not setting both will result in the ui not being able to reach the reporting services. + +* WARNING: Users may be logged out from the platform after this happens since this will delete the old redis deployment and spin up a new one in its place + * For more information on why this is necessary, see [the breaking change here](https://github.com/bitnami/charts/tree/master/bitnami/redis/#to-1400) + ## Chart version 1.18.0 * Anchore Enterprise image updated to v4.0.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/400/) diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index fcd54732..c85f9a6b 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml 
@@ -1194,6 +1194,8 @@ anchoreEnterpriseUi: # Anchore Engine Enterprise UI is dependent on redis for storing sessions # Only utilized if 'anchoreEnterpriseUi.enabled: true' ui-redis: + auth: + password: anchore-redis,123 password: anchore-redis,123 architecture: standalone persistence: From a3fc816ccdaa047c7093853f91f83c1e051b1514 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Mon, 6 Jun 2022 10:02:54 -0400 Subject: [PATCH 005/329] remove redundant ui-redis value password Signed-off-by: Hung Nguyen --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/README.md | 6 ++---- stable/anchore-engine/templates/enterprise_ui_secret.yaml | 2 +- stable/anchore-engine/values.yaml | 1 - 4 files changed, 4 insertions(+), 7 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 8aa80574..c2484473 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.19.0 +version: 1.19.1 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index e567be08..b5397111 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -135,7 +135,6 @@ anchore-feeds-db: size: 20Gi ui-redis: - password: auth: password: ``` @@ -234,7 +233,6 @@ anchore-feeds-db: size: 50Gi ui-redis: - password: auth: password: ``` 
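Review bot: The new `auth.password: anchore-redis,123` is the value the redis subchart now uses for AUTH, so every install that does not override it shares this committed default; a comment above `auth:` such as `# Default credential shipped with the chart; override it in your own values for any non-test deployment.` would make that explicit. The `password: anchore-redis,123` line kept directly below duplicates the same secret under a key the 16.x subchart no longer reads, so it can be dropped once the templates that index `ui-redis.password` are switched to `auth` `password`.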
@@ -249,12 +247,12 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. -## Chart version 1.19.0 +## Chart version 1.19.1 * Redis chart updated from version 10 to 16.9.0 updated to the latest version as bitnami has started removing older version of their charts. * * redis will by default run in the `standalone` architecture. * `anchore-ui-redis` in the helm values should now be `ui-redis` -* * if you've set the the `password` value under `anchore-ui-redis`, you will now have to set the `auth.password` as well, making the end change `ui-redis.auth.password` and `ui-redis.password` should be set. Not setting both will result in the ui not being able to reach the reporting services. +* * if you've set the the `password` value under `anchore-ui-redis`, you will now have to change it to `auth.password`, making the end change `ui-redis.auth.password` * WARNING: Users may be logged out from the platform after this happens since this will delete the old redis deployment and spin up a new one in its place * For more information on why this is necessary, see [the breaking change here](https://github.com/bitnami/charts/tree/master/bitnami/redis/#to-1400) diff --git a/stable/anchore-engine/templates/enterprise_ui_secret.yaml b/stable/anchore-engine/templates/enterprise_ui_secret.yaml index 185ef8cf..13f46aad 100644 --- a/stable/anchore-engine/templates/enterprise_ui_secret.yaml +++ b/stable/anchore-engine/templates/enterprise_ui_secret.yaml 
@@ -23,7 +23,7 @@ stringData: {{- if and (index .Values "ui-redis" "externalEndpoint") (not (index .Values "ui-redis" "enabled")) }} ANCHORE_REDIS_URI: '{{ index .Values "ui-redis" "externalEndpoint" }}' {{- else }} - ANCHORE_REDIS_URI: 'redis://nouser:{{ index .Values "ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379' + ANCHORE_REDIS_URI: 'redis://nouser:{{ index .Values "ui-redis" "auth" "password" }}@{{ template "redis.fullname" . }}-master:6379' {{- end }} {{- end }} {{- end }} diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index c85f9a6b..d286f71f 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -1196,7 +1196,6 @@ anchoreEnterpriseUi: ui-redis: auth: password: anchore-redis,123 - password: anchore-redis,123 architecture: standalone persistence: enabled: false From 0082d9b1a59ccbb576e97117295c4092e4a4fc05 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Mon, 6 Jun 2022 19:57:41 -0400 Subject: [PATCH 006/329] bumping down chart version, ui_deployment logic Signed-off-by: Hung Nguyen --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/README.md | 2 +- stable/anchore-engine/templates/enterprise_ui_deployment.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index c2484473..8aa80574 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.19.1 +version: 1.19.0 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index b5397111..7a4b738d 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md 
@@ -247,7 +247,7 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. -## Chart version 1.19.1 +## Chart version 1.19.0 * Redis chart updated from version 10 to 16.9.0 updated to the latest version as bitnami has started removing older version of their charts. * * redis will by default run in the `standalone` architecture. diff --git a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml index 2e9f5e4e..c3461451 100644 --- a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml @@ -87,7 +87,7 @@ spec: image: {{ .Values.anchoreEnterpriseUi.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseUi.imagePullPolicy }} env: - {{- if and (index .Values "anchoreEnterpriseUi" "existingSecret") (not (index .Values "ui-redis" "externalEndpoint")) }} + {{- if and (not (index .Values "anchoreEnterpriseUi" "existingSecret")) (not (index .Values "ui-redis" "externalEndpoint")) }} - name: ANCHORE_REDIS_URI value: redis://nouser:{{ index .Values "ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379 {{- end }} From 10dde47c59b173ebc3de30744a10cc120e3e4344 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Tue, 7 Jun 2022 10:36:00 -0700 Subject: [PATCH 007/329] use latest version of redis chart Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.lock | 6 +++--- stable/anchore-engine/Chart.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) 
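Review bot: The inverted guard now emits `ANCHORE_REDIS_URI` when no `existingSecret` is set, but the value still interpolates `index .Values "ui-redis" "password"`, which the preceding values.yaml hunk in this series removed in favour of `auth.password`; with the key absent the URI renders with an empty password and the UI's Redis AUTH fails. Change it to `value: redis://nouser:{{ index .Values "ui-redis" "auth" "password" }}@{{ template "redis.fullname" . }}-master:6379`, matching what enterprise_ui_secret.yaml already does. The enclosing container spec continues outside the hunk.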
diff --git a/stable/anchore-engine/Chart.lock b/stable/anchore-engine/Chart.lock index b51bb4f6..8feca4ef 100644 --- a/stable/anchore-engine/Chart.lock +++ b/stable/anchore-engine/Chart.lock @@ -10,6 +10,6 @@ dependencies: version: 1.0.1 - name: redis repository: https://charts.bitnami.com/bitnami - version: 16.9.0 -digest: sha256:1db3ab8a332664af77a5d7bb79216646595ce4ce582e2c4d7cfd3965a2d42ecc -generated: "2022-06-03T18:03:29.6425-04:00" + version: 16.11.3 +digest: sha256:5bdfacf8fe535b57e509811f1a4e4f5563905ca74e205c2547ef6eb7b71972a5 +generated: "2022-06-07T02:10:46.327103-07:00" diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 8aa80574..1c4bca8a 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -38,7 +38,7 @@ dependencies: condition: anchore-feeds-gem-db.enabled,anchoreEnterpriseFeeds.gemDriverEnabled alias: anchore-feeds-gem-db - name: redis - version: "16.9.0" + version: "16.11.3" repository: "https://charts.bitnami.com/bitnami" condition: ui-redis.enabled,anchoreEnterpriseGlobal.enabled alias: ui-redis From 3a2a209c524e60ed11730020fdf21161dbea27e3 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Tue, 7 Jun 2022 10:36:38 -0700 Subject: [PATCH 008/329] fix ui redis env var, clean up readme, disable persistence Signed-off-by: Brady Todhunter --- stable/anchore-engine/README.md | 4 ++-- .../anchore-engine/templates/enterprise_ui_deployment.yaml | 2 +- stable/anchore-engine/values.yaml | 5 +++-- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 7a4b738d..d7c347c6 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md 
@@ -250,9 +250,9 @@ The upgrade will only be considered successful when this job completes successfu ## Chart version 1.19.0 * Redis chart updated from version 10 to 16.9.0 updated to the latest version as bitnami has started removing older version of their charts. -* * redis will by default run in the `standalone` architecture. +* redis will by default run in the `standalone` architecture. * `anchore-ui-redis` in the helm values should now be `ui-redis` -* * if you've set the the `password` value under `anchore-ui-redis`, you will now have to change it to `auth.password`, making the end change `ui-redis.auth.password` + * if you've set the the `password` value under `anchore-ui-redis`, you will now have to change it to `auth.password`, making the end change `ui-redis.auth.password` * WARNING: Users may be logged out from the platform after this happens since this will delete the old redis deployment and spin up a new one in its place * For more information on why this is necessary, see [the breaking change here](https://github.com/bitnami/charts/tree/master/bitnami/redis/#to-1400) diff --git a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml index c3461451..238fa151 100644 --- a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml @@ -89,7 +89,7 @@ spec: env: {{- if and (not (index .Values "anchoreEnterpriseUi" "existingSecret")) (not (index .Values "ui-redis" "externalEndpoint")) }} - name: ANCHORE_REDIS_URI - value: redis://nouser:{{ index .Values "ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379 + value: redis://nouser:{{ index .Values "ui-redis" "auth" "password" }}@{{ template "redis.fullname" . }}-master:6379 {{- end }} {{ if .Values.anchoreGlobal.dbConfig.ssl }} - name: PGSSLROOTCERT 
diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index d286f71f..ba27c8b7 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -1197,8 +1197,9 @@ ui-redis: auth: password: anchore-redis,123 architecture: standalone - persistence: - enabled: false + master: + persistence: + enabled: false # To use an external redis endpoint, uncomment to set 'enabled: false' # enabled: false From f4273161c1f4faebc87e0764714828222d6b81c5 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Tue, 7 Jun 2022 11:01:55 -0700 Subject: [PATCH 009/329] fix redis version in readme Signed-off-by: Brady Todhunter --- stable/anchore-engine/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index d7c347c6..6a3d8fc1 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -249,7 +249,7 @@ The upgrade will only be considered successful when this job completes successfu ## Chart version 1.19.0 -* Redis chart updated from version 10 to 16.9.0 updated to the latest version as bitnami has started removing older version of their charts. +* Redis chart updated from version 10 to 16.11.3 updated to the latest version as bitnami has started removing older version of their charts. * redis will by default run in the `standalone` architecture. * `anchore-ui-redis` in the helm values should now be `ui-redis` * if you've set the the `password` value under `anchore-ui-redis`, you will now have to change it to `auth.password`, making the end change `ui-redis.auth.password` From e6f49f07d9e5d93744b0f31be48ad108a74d856c Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 16 Jun 2022 10:32:24 -0700 Subject: [PATCH 010/329] update enterprise image tags to v4.0.2 
Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/values.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 1c4bca8a..8c2a9d56 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.19.0 +version: 1.19.1 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index ba27c8b7..c26d5a53 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -709,7 +709,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.0.1 + image: docker.io/anchore/enterprise:v4.0.2 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. # Create this secret with the following command - kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username= --docker-password= --docker-email= @@ -1032,7 +1032,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v4.0.0 + image: docker.io/anchore/enterprise-ui:v4.0.2 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers. From 2b4d0e18f42e7566d2eecc77527943cf158140e1 Mon Sep 17 00:00:00 2001 
From: Hung Nguyen Date: Wed, 27 Jul 2022 16:44:10 -0400 Subject: [PATCH 011/329] bumping chart version and image tag Signed-off-by: Hung Nguyen --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/values.yaml | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 8c2a9d56..db6623f7 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.19.1 +version: 1.19.2 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index c26d5a53..f80945a7 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -709,7 +709,8 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.0.2 + image: docker.io/anchore/enterprise:v4.0.3 + imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. # Create this secret with the following command - kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username= --docker-password= --docker-email= @@ -1032,7 +1033,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v4.0.2 + image: docker.io/anchore/enterprise-ui:v4.0.3 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers. From 2038a96df821b507bfa55e01676d7beac98bb014 Mon Sep 17 00:00:00 2001 
From: James Petersen Date: Mon, 22 Aug 2022 13:03:52 -0600 Subject: [PATCH 012/329] add scratch volume for catalog Signed-off-by: James Petersen --- .../templates/catalog_deployment.yaml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/stable/anchore-engine/templates/catalog_deployment.yaml b/stable/anchore-engine/templates/catalog_deployment.yaml index 6901fa9a..1ac58d66 100644 --- a/stable/anchore-engine/templates/catalog_deployment.yaml +++ b/stable/anchore-engine/templates/catalog_deployment.yaml @@ -73,6 +73,20 @@ spec: - name: {{ . }} {{- end }} {{- end }} + {{- if and .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreGlobal.securityContext.fsGroup }} + initContainers: + - name: mode-fixer + image: alpine + securityContext: + runAsUser: 0 + volumeMounts: + - name: {{ $component }}-scratch + mountPath: {{ .Values.anchoreGlobal.scratchVolume.mountPath }} + command: + - sh + - -c + - (chmod 0775 {{ .Values.anchoreGlobal.scratchVolume.mountPath }}; chgrp {{ .Values.anchoreGlobal.securityContext.fsGroup }} {{ .Values.anchoreGlobal.scratchVolume.mountPath }} ) + {{- end }} containers: {{- if .Values.cloudsql.enabled }} - name: cloudsql-proxy @@ -139,6 +153,8 @@ spec: - name: config-volume mountPath: /config/config.yaml subPath: config.yaml + - name: {{ $component }}-scratch + mountPath: {{ .Values.anchoreGlobal.scratchVolume.mountPath }} {{- if .Values.anchoreGlobal.policyBundles }} {{- range $key, $value := .Values.anchoreGlobal.policyBundles }} - name: policy-bundle-volume @@ -193,6 +209,12 @@ spec: - name: config-volume configMap: name: {{ template "anchore-engine.fullname" . }} + - name: {{ $component }}-scratch + {{- if .Values.anchoreGlobal.scratchVolume.details }} + {{- toYaml .Values.anchoreGlobal.scratchVolume.details | nindent 10 }} + {{- else }} + emptyDir: {} + {{- end }} {{- if .Values.anchoreGlobal.policyBundles }} - name: policy-bundle-volume configMap: 
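Review bot: The new `mode-fixer` init container runs as root (`runAsUser: 0`) from the unpinned, mutable `alpine` tag on Docker Hub, so this privileged step resolves to whatever that tag points at on pull day and cannot be mirrored or audited like the chart's other images, which are pinned (e.g. `docker.io/anchore/enterprise:v4.0.3`). Pin a specific tag or digest and consider exposing the image through values so air-gapped or mirrored installs can override it. `scratchVolume.mountPath` and `securityContext.fsGroup` are also spliced unquoted into a `sh -c` string; a mount path containing whitespace would break the command, so quoting them in the template is cheap insurance. Where the chosen volume type supports it, the pod-level `securityContext.fsGroupChangePolicy` is an alternative that avoids a root container entirely.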
From 1d34a848920a958aa2f9043b835601e63e75dd3a Mon Sep 17 00:00:00 2001 From: Weston Steimel Date: Mon, 22 Aug 2022 20:25:09 +0100 Subject: [PATCH 013/329] allow enabling/disabling new anchore_match_exclusion feed Signed-off-by: Weston Steimel --- stable/anchore-engine/templates/enterprise_feeds_configmap.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index deae4f5b..6c16b828 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml @@ -163,6 +163,8 @@ data: grypedb: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.grypeDriverEnabled | quote) }} external_feeds_url: {{ $grypeProviderFeedsExternalURL }} + anchore_match_exclusions: + enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.anchoreMatchExclusionsEnabled | quote) }} {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}" From 3d853b834335f4c493f467a12e1dc0dbb5c99670 Mon Sep 17 00:00:00 2001 From: Weston Steimel Date: Mon, 22 Aug 2022 20:25:56 +0100 Subject: [PATCH 014/329] remove vulndb feed driver configuration Signed-off-by: Weston Steimel --- stable/anchore-engine/templates/enterprise_feeds_configmap.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index 6c16b828..ac38a1de 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml 
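Review bot: The new toggle reads `.Values.anchoreEnterpriseFeeds.anchoreMatchExclusionsEnabled`, but the diffstat shows only the configmap changed, so the key is not declared or described in values.yaml where the sibling `*DriverEnabled` flags presumably live; operators have no way to discover it. Add `anchoreMatchExclusionsEnabled: true` under `anchoreEnterpriseFeeds` in values.yaml with a one-line comment naming the feed it controls. The `default "true" (... | quote)` form mirrors the neighbouring `grypeDriverEnabled` line, so an explicit `false` survives as `"false"` and only an unset value falls back to `"true"`; that default-if-unset behaviour is worth stating in the values.yaml comment.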
@@ -145,8 +145,6 @@ data: {{- end }} nvdv2: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled | quote) }} - vulndb: - enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.vulndbDriverEnabled | quote) }} sles: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.slesDriverEnabled | quote) }} msrc: From 3a61a676625978350123b868f7a56b7b3face217 Mon Sep 17 00:00:00 2001 From: James Petersen Date: Mon, 22 Aug 2022 14:03:52 -0600 Subject: [PATCH 015/329] upgrade chart version Signed-off-by: James Petersen --- stable/anchore-engine/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index db6623f7..f27b6a74 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.19.2 +version: 1.19.3 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: From 646e068f6d71dc761d270267fdfaba82338c53be Mon Sep 17 00:00:00 2001 From: Weston Steimel Date: Tue, 23 Aug 2022 14:51:11 +0100 Subject: [PATCH 016/329] bump chart version Signed-off-by: Weston Steimel --- stable/anchore-engine/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index db6623f7..f27b6a74 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.19.2 +version: 1.19.3 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: From b7bde4f4fd8baa84b5f111f9b2b8cda55c021b24 Mon Sep 17 00:00:00 2001 From: Weston Steimel Date: Tue, 23 Aug 2022 15:06:36 +0100 Subject: [PATCH 017/329] remove vulndb from engine configmap 
Signed-off-by: Weston Steimel --- stable/anchore-engine/templates/engine_configmap.yaml | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index 578d8aa4..a852af47 100644 --- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml @@ -282,15 +282,6 @@ data: {{- end }} url: {{ $anchoreFeedsURL }} {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} - vulndb: - enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.vulndbDriverEnabled | quote) }} - url: {{ $anchoreFeedsURL }} - {{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreGlobal.syncVulnDB }} - vulndb: - enabled: true - url: {{ $anchoreFeedsURL }} - {{- end }} - {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} microsoft: enabled: {{ .Values.anchoreEnterpriseFeeds.msrcDriverEnabled }} url: {{ $anchoreFeedsURL }} @@ -303,4 +294,4 @@ data: ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}" ssl_key: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretKeyName }}" - {{- end }} \ No newline at end of file + {{- end }} From 01b149beeb9f84a55e80013f9568561918efd32e Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 24 Aug 2022 15:45:23 -0400 Subject: [PATCH 018/329] syncing chart for release Signed-off-by: Hung Nguyen --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/values.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index f27b6a74..4a9502fd 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml 
@@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.19.3 +version: 1.19.4 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index f80945a7..d00ab564 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -709,7 +709,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.0.3 + image: docker.io/anchore/enterprise:v4.1.0 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. @@ -1033,7 +1033,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v4.0.3 + image: docker.io/anchore/enterprise-ui:v4.1.0 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers. From 4342537a4d2d4c85469aa354950c6a0e1431e97e Mon Sep 17 00:00:00 2001 From: James Petersen Date: Mon, 29 Aug 2022 13:49:00 -0600 Subject: [PATCH 019/329] Switch KAI to XDG config When KAI runs on open shift clusters it will assign a random user. The underlying viper code will fail when looking in /home/nonroot so the config file should exist in $XDG_CONFIG_DIRS so the container can be run as any user and still function properly Signed-off-by: James Petersen --- stable/kai/Chart.yaml | 4 ++-- stable/kai/templates/configmap.yaml | 2 +- stable/kai/templates/deployment.yaml | 4 ++-- stable/kai/values.yaml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) 
diff --git a/stable/kai/Chart.yaml b/stable/kai/Chart.yaml index 1af3746f..3a6d0328 100644 --- a/stable/kai/Chart.yaml +++ b/stable/kai/Chart.yaml @@ -28,11 +28,11 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.3.0 +version: 0.3.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 0.3.0 +appVersion: 0.3.2 icon: https://anchore.com/wp-content/uploads/2016/08/anchore.png diff --git a/stable/kai/templates/configmap.yaml b/stable/kai/templates/configmap.yaml index 5bd774ff..8da985f0 100644 --- a/stable/kai/templates/configmap.yaml +++ b/stable/kai/templates/configmap.yaml @@ -8,7 +8,7 @@ metadata: release: {{ .Release.Name }} heritage: {{ .Release.Service }} data: - .kai.yaml: | + config.yaml: | kubeconfig: path: {{ .Values.kai.kubeconfig.path }} cluster: {{ .Values.kai.kubeconfig.cluster }} diff --git a/stable/kai/templates/deployment.yaml b/stable/kai/templates/deployment.yaml index 04aee624..c8b49df6 100644 --- a/stable/kai/templates/deployment.yaml +++ b/stable/kai/templates/deployment.yaml @@ -60,8 +60,8 @@ spec: {{- toYaml .Values.resources | nindent 12 }} volumeMounts: - name: config-volume - mountPath: /home/nonroot/.kai.yaml - subPath: .kai.yaml + mountPath: /etc/xdg/kai/config.yaml + subPath: config.yaml envFrom: {{- if not .Values.inject_secrets_via_env }} - secretRef: diff --git a/stable/kai/values.yaml b/stable/kai/values.yaml index de53de73..10a5bb96 100644 --- a/stable/kai/values.yaml +++ b/stable/kai/values.yaml 
@@ -8,7 +8,7 @@ image: repository: anchore/kai pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: "v0.3.0" + tag: "v0.3.2" imagePullSecrets: [] nameOverride: "" From 996e754510a599cf790cf224947ef82e3689a9f3 Mon Sep 17 00:00:00 2001 From: Hung Nguyen <97040806+hunguyen1@users.noreply.github.com> Date: Tue, 20 Sep 2022 14:04:10 -0400 Subject: [PATCH 020/329] provide option for overriding grypeProviderFeedsxternalURL (#220) Co-authored-by: James Petersen --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/templates/engine_configmap.yaml | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 4a9502fd..959a9c3e 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.19.4 +version: 1.19.5 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index a852af47..96f70b15 100644 --- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml @@ -1,5 +1,5 @@ {{- $anchoreFeedsURL := "https://ancho.re/v1/service/feeds" -}} -{{- $grypeProviderFeedsExternalURL := "https://toolbox-data.anchore.io/grype/databases/listing.json" -}} +{{- $grypeProviderFeedsExternalURL := "" -}} {{- if .Values.anchoreEnterpriseFeeds.url -}} {{- $urlPathSuffix := (default "" (regexFind "/v1.*$" .Values.anchoreEnterpriseFeeds.url)) -}} 
@@ -16,6 +16,11 @@ {{- end -}} {{- end -}} +{{- /* Set the grypeProviderFeedsExternalURL to upstream feeds if still unset or if specifically overridden */}} +{{- if or (empty $grypeProviderFeedsExternalURL) .Values.anchorePolicyEngine.overrideFeedsToUpstream -}} + {{- $grypeProviderFeedsExternalURL = "https://toolbox-data.anchore.io/grype/databases/listing.json" -}} +{{- end -}} + {{- $vulnerabilityProvider := .Values.anchorePolicyEngine.vulnerabilityProvider -}} {{- if and .Values.anchoreEnterpriseGlobal.enabled (ne $vulnerabilityProvider "grype") -}} {{ fail "The v2 (grype) vulnerability scanner is the only valid configuration for chart v1.18.0 and higher. Please set the following: `.Values.anchorePolicyEngine.vulnerabilityProvider=grype`." }} From 7ed6be3354cf1bb90c70591dcced1f90cf8bf36a Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 22 Sep 2022 12:20:36 -0700 Subject: [PATCH 021/329] remove vulnerability provider config & change default image_analyzer cycle timer to 1 Signed-off-by: Brady Todhunter --- stable/anchore-engine/templates/engine_configmap.yaml | 6 ------ stable/anchore-engine/values.yaml | 2 +- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index 96f70b15..06961e95 100644 --- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml 
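Review bot: `.Values.anchorePolicyEngine.overrideFeedsToUpstream` is introduced here, yet the diffstat lists only Chart.yaml and the configmap template, so the new switch has no default or documentation in values.yaml. Add `overrideFeedsToUpstream: false` under `anchorePolicyEngine` with a comment that enabling it sends the policy engine to the public `https://toolbox-data.anchore.io/grype/databases/listing.json` even when an internal feeds URL is configured — operators of isolated deployments need that egress change stated explicitly. The `{{- /* ... */}}` comment could also say what "still unset" means in practice: `$grypeProviderFeedsExternalURL` stays empty whenever `.Values.anchoreEnterpriseFeeds.url` is not set in the block above, which starts outside this hunk.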
@@ -21,11 +21,6 @@ {{- $grypeProviderFeedsExternalURL = "https://toolbox-data.anchore.io/grype/databases/listing.json" -}} {{- end -}} -{{- $vulnerabilityProvider := .Values.anchorePolicyEngine.vulnerabilityProvider -}} -{{- if and .Values.anchoreEnterpriseGlobal.enabled (ne $vulnerabilityProvider "grype") -}} - {{ fail "The v2 (grype) vulnerability scanner is the only valid configuration for chart v1.18.0 and higher. Please set the following: `.Values.anchorePolicyEngine.vulnerabilityProvider=grype`." }} -{{- end -}} - kind: ConfigMap apiVersion: v1 metadata: @@ -250,7 +245,6 @@ data: cycle_timers: {{- toYaml .Values.anchorePolicyEngine.cycleTimers | nindent 10 }} vulnerabilities: - provider: {{ $vulnerabilityProvider }} sync: enabled: true ssl_verify: {{ .Values.anchoreGlobal.internalServicesSsl.verifyCerts }} diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index d00ab564..26cbd8fb 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -290,7 +290,7 @@ anchoreAnalyzer: # The cycle timer is the interval between checks to the work queue for new jobs cycleTimers: - image_analyzer: 5 + image_analyzer: 1 # Controls the concurrency of the analyzer itself. Can be configured to process more than one task at a time, but it IO bound, so may not # necessarily be faster depending on hardware. Should test and balance this value vs. number of analyzers for your deployment cluster performance. From f7907b6b20ce14710f5491e7bee929cc4bfdbeb0 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 22 Sep 2022 12:20:58 -0700 Subject: [PATCH 022/329] add logging config to ui Signed-off-by: Brady Todhunter --- .../templates/enterprise_ui_configmap.yaml | 1 + stable/anchore-engine/values.yaml | 23 ++++++++++++++++--- 2 files changed, 21 insertions(+), 3 deletions(-) 
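Review bot: The second hunk of the configmap change removes `provider: {{ $vulnerabilityProvider }}` without replacing it, so after this commit the rendered `vulnerabilities:` section carries no provider at all and the service falls back to its own default; since the deleted `fail` guard existed precisely to pin `grype`, the line should become `provider: grype` in the same commit (a later patch in this series does add it). In the values.yaml hunk, `image_analyzer: 1` shortens the queue poll interval from 5 seconds to 1 for every analyzer replica; the existing comment above it should state the trade-off so operators scaling analyzers know the polling load increases proportionally. Both enclosing blocks start outside their hunks.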
diff --git a/stable/anchore-engine/templates/enterprise_ui_configmap.yaml b/stable/anchore-engine/templates/enterprise_ui_configmap.yaml index 2d9db880..85f4c3e6 100644 --- a/stable/anchore-engine/templates/enterprise_ui_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_ui_configmap.yaml @@ -72,4 +72,5 @@ data: admin: {{ .admin }} standard: {{ .standard }} {{- end }} + log_level: {{ .Values.anchoreEnterpriseUi.logLevel | squote }} {{- end -}} diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 26cbd8fb..d66d5127 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -625,9 +625,6 @@ anchorePolicyEngine: # 1 minute between checks to verify local grype-db is up to date grypedb_sync: 60 - # After chart v1.18.0 the only valid vulnerabilityProvider setting is `grype`, any other settings will fail - vulnerabilityProvider: grype - cacheTTL: 3600 # 1 hour # kubernetes service configuration for anchore policy engine api 
@@ -1072,6 +1069,26 @@ anchoreEnterpriseUi: # If using LDAPS with a custom CA certificate, add the certificate to the secret specified at anchoreGlobal.certStoreSecretName and specify the name of the cert here ldapsRootCaCertName: Null + # The (optional) `logLevel` key allows you to set the descriptive detail of the + # application log output. The key value must be a string selected from the + # following priority-ordered list: + # + # - error + # - warn + # - info + # - http + # - debug + # + # Once set, each level will automatically include the output for any levels + # above it—for example, `info` will include the log output for details at the + # `warn` and `error` details, whereas `error` will only show error output. + # + # This value can be overridden by using the `ANCHORE_LOG_LEVEL` environment + # variable. When no level is set, either within this configuration file or by the + # environment variable, a default level of `http` is used. + # + logLevel: http + # Specifies whether to trust a reverse proxy when setting secure cookies (via the `X-Forwarded-Proto` header). enableProxy: false From b5f9231ccd50a95c7b55acb9631c8e0dba345b85 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 22 Sep 2022 12:21:10 -0700 Subject: [PATCH 023/329] bump chart version Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 959a9c3e..8bed0496 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.19.5 +version: 1.19.6 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: From e00b35afc3f9ca345d6852d53d3601804aa64d23 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Mon, 26 Sep 2022 13:34:53 -0400 Subject: [PATCH 024/329] set grype as only vulnerabilities.provider 
Signed-off-by: Hung Nguyen --- stable/anchore-engine/templates/engine_configmap.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index 06961e95..a94e0f2e 100644 --- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml @@ -245,6 +245,7 @@ data: cycle_timers: {{- toYaml .Values.anchorePolicyEngine.cycleTimers | nindent 10 }} vulnerabilities: + provider: grype sync: enabled: true ssl_verify: {{ .Values.anchoreGlobal.internalServicesSsl.verifyCerts }} From 5ef6a4bc55b999a91d78e32775c9fee87bb329fa Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 30 Sep 2022 16:00:14 -0400 Subject: [PATCH 025/329] bumping version to 4.1.1 in anchore-engine values Signed-off-by: Hung Nguyen --- stable/anchore-engine/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index d66d5127..2a6cdf96 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -706,7 +706,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.1.0 + image: docker.io/anchore/enterprise:v4.1.1 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. 
@@ -1030,7 +1030,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v4.1.0 + image: docker.io/anchore/enterprise-ui:v4.1.1 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers. From 7b77d99365adc82a8c76a261c2cea2f591ba4d04 Mon Sep 17 00:00:00 2001 From: Hung Nguyen <97040806+hunguyen1@users.noreply.github.com> Date: Tue, 4 Oct 2022 11:43:38 -0400 Subject: [PATCH 026/329] update chart-testing-action version for lint and test(#49) --- .github/workflows/test.yaml | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index de7cfbcf..9447e4d9 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -20,12 +20,21 @@ jobs: - name: Shellcheck uses: ludeeus/action-shellcheck@1.0.0 + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.3.1 + + - name: Run chart-testing (list-changed) + id: list-changed + run: | + changed=$(ct list-changed --config 'ct-config.yaml' --target-branch ${{ github.event.repository.default_branch }}) + if [[ -n "$changed" ]]; then + echo "::set-output name=changed::true" + fi + - name: Run chart-testing (lint) id: lint - uses: helm/chart-testing-action@v1.1.0 - with: - command: lint - config: ct-config.yaml + run: ct lint --config 'ct-config.yaml' + if: steps.list-changed.outputs.changed == 'true' - name: Install kind uses: helm/kind-action@v1.2.0 
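Review bot: The `list-changed` step in the test.yaml hunk sets its output with `echo "::set-output name=changed::true"`, the workflow-command form GitHub has since deprecated; `echo "changed=true" >> "$GITHUB_OUTPUT"` is the supported replacement and keeps `steps.list-changed.outputs.changed` working unchanged. The same `run:` script interpolates `${{ github.event.repository.default_branch }}` directly into the shell line; the hardening convention is to pass it via an `env:` entry (for example `DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}`) and reference `"$DEFAULT_BRANCH"` so the script text is not rebuilt from expression output. `helm/chart-testing-action@v2.3.1` is pinned to a mutable tag rather than a commit SHA, which is the stronger supply-chain pin for third-party actions.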
@@ -33,13 +42,12 @@ jobs: node_image: "kindest/node:${{ matrix.kubernetesVersion }}" config: kind-config.yaml wait: 600s - if: steps.lint.outputs.changed == 'true' + if: steps.list-changed.outputs.changed == 'true' - name: Check kind nodes run: kubectl describe nodes + if: steps.list-changed.outputs.changed == 'true' - name: Run chart-testing (install) - uses: helm/chart-testing-action@v1.1.0 - with: - command: install - config: ct-config.yaml + run: ct install --config 'ct-config.yaml' + if: steps.list-changed.outputs.changed == 'true' \ No newline at end of file From f8a9ddc095537e6d40349f5d59d43146317dc514 Mon Sep 17 00:00:00 2001 From: Jeff Date: Tue, 4 Oct 2022 16:06:00 -0700 Subject: [PATCH 027/329] add configureable service names and service account names (#204) --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/templates/NOTES.txt | 4 +- stable/anchore-engine/templates/_helpers.tpl | 244 +++++++++++++++++- .../templates/analyzer_deployment.yaml | 2 +- .../templates/api_deployment.yaml | 4 +- .../templates/catalog_deployment.yaml | 8 +- .../templates/catalog_rbac.yaml | 10 +- .../templates/engine_configmap.yaml | 16 +- .../templates/enterprise_configmap.yaml | 10 +- .../templates/enterprise_feeds_configmap.yaml | 6 +- .../enterprise_feeds_deployment.yaml | 4 +- .../enterprise_notifications_deployment.yaml | 6 +- .../enterprise_rbac_manager_deployment.yaml | 4 +- .../enterprise_reports_deployment.yaml | 6 +- .../templates/enterprise_ui_configmap.yaml | 18 +- .../templates/enterprise_ui_deployment.yaml | 6 +- stable/anchore-engine/templates/ingress.yaml | 32 +-- .../templates/policy_engine_deployment.yaml | 4 +- .../templates/simplequeue_deployment.yaml | 4 +- stable/anchore-engine/values.yaml | 47 +++- 20 files changed, 363 insertions(+), 74 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 8bed0496..d1e95a5c 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml 
@@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.19.6 +version: 1.19.7 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/templates/NOTES.txt b/stable/anchore-engine/templates/NOTES.txt index 97204862..9e92e760 100644 --- a/stable/anchore-engine/templates/NOTES.txt +++ b/stable/anchore-engine/templates/NOTES.txt @@ -1,7 +1,7 @@ To use Anchore Engine you need the URL, username, and password to access the API. Anchore Engine can be accessed via port {{ .Values.anchoreApi.service.port }} on the following DNS name from within the cluster: -{{ template "anchore-engine.api.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local +{{ template "anchore-engine.api.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local Here are the steps to configure the anchore-cli (`pip install anchorecli`). Use these same values for direct API access as well. @@ -13,7 +13,7 @@ To configure your anchore-cli run: ANCHORE_CLI_URL={{- if .Values.anchoreGlobal.internalServicesSsl.enabled -}}https{{- else }}http{{- end -}}://$(kubectl get ingress --namespace {{ .Release.Namespace }} {{ template "anchore-engine.fullname" . }} -o jsonpath="{.status.loadBalancer.ingress[0].ip}")/v1/ {{ else }} Using the service endpoint from within the cluster you can use: - ANCHORE_CLI_URL={{- if .Values.anchoreGlobal.internalServicesSsl.enabled -}}https{{- else }}http{{- end -}}://{{ template "anchore-engine.api.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.anchoreApi.service.port}}/v1/ + ANCHORE_CLI_URL={{- if .Values.anchoreGlobal.internalServicesSsl.enabled -}}https{{- else }}http{{- end -}}://{{ template "anchore-engine.api.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.anchoreApi.service.port}}/v1/ {{ end }} To verify the service is up and running, you can run container for the Anchore Engine CLI: 
diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index f993db89..fe096d92 100755 --- a/stable/anchore-engine/templates/_helpers.tpl +++ b/stable/anchore-engine/templates/_helpers.tpl @@ -24,6 +24,30 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s-%s" .Release.Name $name "analyzer"| trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Set the appropriate kubernetes service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-engine.analyzer.serviceName" -}} +{{- if .Values.anchoreAnalyzer.service.name }} + {{- print .Values.anchoreAnalyzer.service.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- include "anchore-engine.analyzer.fullname" . -}} +{{- end -}} +{{- end -}} + +{{/* +Set the appropriate kubernetes service account name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-engine.analyzer.serviceAccountName" -}} +{{- if .Values.anchoreAnalyzer.serviceAccountName }} + {{- print .Values.anchoreAnalyzer.serviceAccountName | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.anchoreGlobal.serviceAccountName -}} + {{- print .Values.anchoreGlobal.serviceAccountName | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
@@ -33,6 +57,32 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s-%s" .Release.Name $name "catalog"| trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Set the appropriate kubernetes service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-engine.catalog.serviceName" -}} +{{- if .Values.anchoreCatalog.service.name }} + {{- print .Values.anchoreCatalog.service.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- include "anchore-engine.catalog.fullname" . -}} +{{- end -}} +{{- end -}} + +{{/* +Set the appropriate kubernetes service account name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-engine.catalog.serviceAccountName" -}} +{{- if .Values.anchoreCatalog.serviceAccountName }} + {{- print .Values.anchoreCatalog.serviceAccountName | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.anchoreGlobal.serviceAccountName -}} + {{- print .Values.anchoreGlobal.serviceAccountName | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- include "anchore-engine.catalog.fullname" . -}} +{{- end -}} +{{- end -}} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
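Review bot: `anchore-engine.catalog.serviceAccountName` has a final `{{- else -}}` branch that falls back to the catalog fullname, while every sibling helper added in this patch (analyzer, api, policy-engine, simplequeue, enterprise-ui, enterprise-feeds, enterprise-reports, enterprise-notifications) renders nothing when neither the component nor the global `serviceAccountName` is set. If the asymmetry is intentional because the catalog's RBAC template creates its own ServiceAccount, the helper comment should say so, for example `Falls back to the catalog fullname because catalog_rbac.yaml always creates a dedicated ServiceAccount.`; if not, the branch should be dropped for consistency. The shared comment `Set the appropriate kubernetes service name.` is also copied verbatim onto each serviceAccountName helper, where it should read "service account name".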
@@ -42,6 +92,30 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s-%s" .Release.Name $name "api"| trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Set the appropriate kubernetes service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-engine.api.serviceName" -}} +{{- if .Values.anchoreApi.service.name }} + {{- print .Values.anchoreApi.service.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- include "anchore-engine.api.fullname" . -}} +{{- end -}} +{{- end -}} + +{{/* +Set the appropriate kubernetes service account name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-engine.api.serviceAccountName" -}} +{{- if .Values.anchoreApi.serviceAccountName }} + {{- print .Values.anchoreApi.serviceAccountName | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.anchoreGlobal.serviceAccountName -}} + {{- print .Values.anchoreGlobal.serviceAccountName | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
@@ -51,6 +125,30 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s-%s" .Release.Name $name "policy"| trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Set the appropriate kubernetes service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-engine.policy-engine.serviceName" -}} +{{- if .Values.anchorePolicyEngine.service.name }} + {{- print .Values.anchorePolicyEngine.service.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- include "anchore-engine.policy-engine.fullname" . -}} +{{- end -}} +{{- end -}} + +{{/* +Set the appropriate kubernetes service account name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-engine.policy-engine.serviceAccountName" -}} +{{- if .Values.anchorePolicyEngine.serviceAccountName }} + {{- print .Values.anchorePolicyEngine.serviceAccountName | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.anchoreGlobal.serviceAccountName -}} + {{- print .Values.anchoreGlobal.serviceAccountName | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
@@ -60,6 +158,30 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s-%s" .Release.Name $name "simplequeue"| trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Set the appropriate kubernetes service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-engine.simplequeue.serviceName" -}} +{{- if .Values.anchoreSimpleQueue.service.name }} + {{- print .Values.anchoreSimpleQueue.service.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- include "anchore-engine.simplequeue.fullname" . -}} +{{- end -}} +{{- end -}} + +{{/* +Set the appropriate kubernetes service account name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-engine.simplequeue.serviceAccountName" -}} +{{- if .Values.anchoreSimpleQueue.serviceAccountName }} + {{- print .Values.anchoreSimpleQueue.serviceAccountName | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.anchoreGlobal.serviceAccountName -}} + {{- print .Values.anchoreGlobal.serviceAccountName | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
@@ -78,6 +200,30 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s-%s" .Release.Name $name "enterprise-ui"| trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Set the appropriate kubernetes service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-engine.enterprise-ui.serviceName" -}} +{{- if .Values.anchoreEnterpriseUi.service.name }} + {{- print .Values.anchoreEnterpriseUi.service.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- include "anchore-engine.enterprise-ui.fullname" . -}} +{{- end -}} +{{- end -}} + +{{/* +Set the appropriate kubernetes service account name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-engine.enterprise-ui.serviceAccountName" -}} +{{- if .Values.anchoreEnterpriseUi.serviceAccountName }} + {{- print .Values.anchoreEnterpriseUi.serviceAccountName | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.anchoreGlobal.serviceAccountName -}} + {{- print .Values.anchoreGlobal.serviceAccountName | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
@@ -87,6 +233,30 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s-%s" .Release.Name $name "enterprise-feeds"| trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Set the appropriate kubernetes service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-engine.enterprise-feeds.serviceName" -}} +{{- if .Values.anchoreEnterpriseFeeds.service.name }} + {{- print .Values.anchoreEnterpriseFeeds.service.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- include "anchore-engine.enterprise-feeds.fullname" . -}} +{{- end -}} +{{- end -}} + +{{/* +Set the appropriate kubernetes service account name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-engine.enterprise-feeds.serviceAccountName" -}} +{{- if .Values.anchoreEnterpriseFeeds.serviceAccountName }} + {{- print .Values.anchoreEnterpriseFeeds.serviceAccountName | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.anchoreGlobal.serviceAccountName -}} + {{- print .Values.anchoreGlobal.serviceAccountName | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
@@ -96,6 +266,30 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s-%s" .Release.Name $name "enterprise-reports"| trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Set the appropriate kubernetes service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-engine.enterprise-reports.serviceName" -}} +{{- if .Values.anchoreEnterpriseReports.service.name }} + {{- print .Values.anchoreEnterpriseReports.service.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- include "anchore-engine.enterprise-reports.fullname" . -}} +{{- end -}} +{{- end -}} + +{{/* +Set the appropriate kubernetes service account name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-engine.enterprise-reports.serviceAccountName" -}} +{{- if .Values.anchoreEnterpriseReports.serviceAccountName }} + {{- print .Values.anchoreEnterpriseReports.serviceAccountName | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.anchoreGlobal.serviceAccountName -}} + {{- print .Values.anchoreGlobal.serviceAccountName | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
@@ -105,6 +299,30 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s-%s" .Release.Name $name "enterprise-notifications"| trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Set the appropriate kubernetes service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-engine.enterprise-notifications.serviceName" -}} +{{- if .Values.anchoreEnterpriseNotifications.service.name }} + {{- print .Values.anchoreEnterpriseNotifications.service.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- include "anchore-engine.enterprise-notifications.fullname" . -}} +{{- end -}} +{{- end -}} + +{{/* +Set the appropriate kubernetes service account name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-engine.enterprise-notifications.serviceAccountName" -}} +{{- if .Values.anchoreEnterpriseNotifications.serviceAccountName }} + {{- print .Values.anchoreEnterpriseNotifications.serviceAccountName | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.anchoreGlobal.serviceAccountName -}} + {{- print .Values.anchoreGlobal.serviceAccountName | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + {{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
@@ -114,6 +332,30 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s-%s" .Release.Name $name "enterprise-rbac"| trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Set the appropriate kubernetes service name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-engine.enterprise-rbac.serviceName" -}} +{{- if .Values.anchoreEnterpriseRbac.service.name }} + {{- print .Values.anchoreEnterpriseRbac.service.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- include "anchore-engine.enterprise-rbac.fullname" . -}} +{{- end -}} +{{- end -}} + +{{/* +Set the appropriate kubernetes service account name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "anchore-engine.enterprise-rbac.serviceAccountName" -}} +{{- if .Values.anchoreEnterpriseRbac.serviceAccountName }} + {{- print .Values.anchoreEnterpriseRbac.serviceAccountName | trunc 63 | trimSuffix "-" -}} +{{- else if .Values.anchoreGlobal.serviceAccountName -}} + {{- print .Values.anchoreGlobal.serviceAccountName | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + {{/* Create a default fully qualified dependency name for the db. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). @@ -169,4 +411,4 @@ Create database hostname string from supplied values file. Used for the enterpri {{- $db_host := include "postgres.fullname" . }} {{- printf "%s:5432" $db_host -}} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/stable/anchore-engine/templates/analyzer_deployment.yaml b/stable/anchore-engine/templates/analyzer_deployment.yaml index 77ae0c24..e2901ef4 100644 --- a/stable/anchore-engine/templates/analyzer_deployment.yaml +++ b/stable/anchore-engine/templates/analyzer_deployment.yaml 
@@ -242,6 +242,6 @@ spec: tolerations: {{ toYaml . | nindent 8 }} {{- end }} - {{- with .Values.anchoreGlobal.serviceAccountName }} + {{- with include "anchore-engine.analyzer.serviceAccountName" . }} serviceAccountName: {{ . }} {{- end }} diff --git a/stable/anchore-engine/templates/api_deployment.yaml b/stable/anchore-engine/templates/api_deployment.yaml index a63dc265..959b6ea7 100644 --- a/stable/anchore-engine/templates/api_deployment.yaml +++ b/stable/anchore-engine/templates/api_deployment.yaml @@ -394,7 +394,7 @@ spec: tolerations: {{ toYaml . | nindent 8 }} {{- end }} - {{- with .Values.anchoreGlobal.serviceAccountName }} + {{- with include "anchore-engine.api.serviceAccountName" . }} serviceAccountName: {{ . }} {{- end }} @@ -402,7 +402,7 @@ spec: apiVersion: v1 kind: Service metadata: - name: {{ template "anchore-engine.api.fullname" . }} + name: {{ template "anchore-engine.api.serviceName" . }} labels: app: {{ template "anchore-engine.fullname" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} diff --git a/stable/anchore-engine/templates/catalog_deployment.yaml b/stable/anchore-engine/templates/catalog_deployment.yaml index 1ac58d66..4703f70a 100644 --- a/stable/anchore-engine/templates/catalog_deployment.yaml +++ b/stable/anchore-engine/templates/catalog_deployment.yaml 
@@ -250,17 +250,15 @@ spec: tolerations: {{ toYaml . | nindent 8 }} {{- end }} - {{- if .Values.anchoreGlobal.serviceAccountName }} - serviceAccountName: {{ .Values.anchoreGlobal.serviceAccountName }} - {{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreCatalog.createServiceAccount .Values.anchoreCatalog.runtimeInventory.reportAnchoreCluster.enabled }} - serviceAccountName: {{ template "anchore-engine.catalog.fullname" . }} + {{- if or (or .Values.anchoreGlobal.serviceAccountName .Values.anchoreEnterpriseRbac.serviceAccountName) (and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreCatalog.createServiceAccount .Values.anchoreCatalog.runtimeInventory.reportAnchoreCluster.enabled) }} + serviceAccountName: {{ template "anchore-engine.catalog.serviceAccountName" . }} {{- end }} --- apiVersion: v1 kind: Service metadata: - name: {{ template "anchore-engine.catalog.fullname" . }} + name: {{ template "anchore-engine.catalog.serviceName" . }} labels: app: {{ template "anchore-engine.fullname" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} diff --git a/stable/anchore-engine/templates/catalog_rbac.yaml b/stable/anchore-engine/templates/catalog_rbac.yaml index 6898a1d8..08a23e5a 100644 --- a/stable/anchore-engine/templates/catalog_rbac.yaml +++ b/stable/anchore-engine/templates/catalog_rbac.yaml 
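Review bot: The new guard in catalog_deployment.yaml tests `.Values.anchoreEnterpriseRbac.serviceAccountName` instead of the catalog's own override, so a deployment that sets only `anchoreCatalog.serviceAccountName` never emits `serviceAccountName:` and the catalog pod silently runs under the namespace's `default` service account, while an unrelated rbac-manager override would switch the field on. catalog_rbac.yaml in this same commit keys its wrapper off `.Values.anchoreCatalog.serviceAccountName`, so this reads as a copy-paste slip rather than intent. The condition should be `{{- if or (or .Values.anchoreGlobal.serviceAccountName .Values.anchoreCatalog.serviceAccountName) (and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreCatalog.createServiceAccount .Values.anchoreCatalog.runtimeInventory.reportAnchoreCluster.enabled) }}`. The `anchore-engine.catalog.serviceAccountName` helper this line now renders is outside this hunk, so whether it still falls back to the fullname in the inventory case is inferred from the removed branch.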
@@ -1,9 +1,12 @@ +# if the user is setting a global service account name and not overriding it +# for this component, then there is no need to create this service account. +{{- if or (not .Values.anchoreGlobal.serviceAccountName) .Values.anchoreCatalog.serviceAccountName }} {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreCatalog.createServiceAccount .Values.anchoreCatalog.runtimeInventory.reportAnchoreCluster.enabled }} --- apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "anchore-engine.catalog.fullname" . }} + name: {{ template "anchore-engine.catalog.serviceAccountName" . }} labels: {{- with .Values.anchoreCatalog.labels }} {{ toYaml . | nindent 4 }} @@ -55,10 +58,11 @@ metadata: {{- end }} subjects: - kind: ServiceAccount - name: {{ template "anchore-engine.catalog.fullname" . }} + name: {{ template "anchore-engine.catalog.serviceAccountName" . }} namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole name: {{ template "anchore-engine.catalog.fullname" . }} apiGroup: rbac.authorization.k8s.io -{{- end }} \ No newline at end of file +{{- end }} +{{- end }} diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index a94e0f2e..37d034e4 100644 --- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml 
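Review bot: The new outer `if` in catalog_rbac.yaml wraps the whole file, and the second `{{- end }}` added at the bottom closes it after the ClusterRoleBinding, so when `anchoreGlobal.serviceAccountName` is set without a catalog override the ClusterRole and its binding are skipped together with the ServiceAccount, not only the account the new header comment mentions. With `runtimeInventory.reportAnchoreCluster.enabled` the catalog pod then runs under the global account with none of the inventory permissions this chart normally grants; that may be deliberate (the operator owns that account's grants) but the comment does not say so. Either move the ClusterRole/ClusterRoleBinding outside the new wrapper so the binding still targets the resolved account name, or extend the comment, e.g. `# Note: the ClusterRole and ClusterRoleBinding below are skipped in that case too; grant the global account the runtime inventory permissions out of band.`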
@@ -8,11 +8,11 @@ {{- $grypeProviderFeedsExternalURL = (printf "%s/v1/databases/grypedb" $anchoreFeedsHost) -}} {{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled -}} {{- if .Values.anchoreGlobal.internalServicesSsl.enabled -}} - {{- $anchoreFeedsURL = (printf "https://%s:%s/v1/feeds" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} - {{- $grypeProviderFeedsExternalURL = (printf "https://%s:%s/v1/databases/grypedb" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} + {{- $anchoreFeedsURL = (printf "https://%s:%s/v1/feeds" (include "anchore-engine.enterprise-feeds.serviceName" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} + {{- $grypeProviderFeedsExternalURL = (printf "https://%s:%s/v1/databases/grypedb" (include "anchore-engine.enterprise-feeds.serviceName" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} {{- else -}} - {{- $anchoreFeedsURL = (printf "http://%s:%s/v1/feeds" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} - {{- $grypeProviderFeedsExternalURL = (printf "http://%s:%s/v1/databases/grypedb" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} + {{- $anchoreFeedsURL = (printf "http://%s:%s/v1/feeds" (include "anchore-engine.enterprise-feeds.serviceName" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} + {{- $grypeProviderFeedsExternalURL = (printf "http://%s:%s/v1/databases/grypedb" (include "anchore-engine.enterprise-feeds.serviceName" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} {{- end -}} {{- end -}} 
@@ -114,7 +114,7 @@ data: apiext: enabled: true require_auth: true - endpoint_hostname: {{ template "anchore-engine.api.fullname" . }} + endpoint_hostname: {{ template "anchore-engine.api.serviceName" . }} max_request_threads: {{ default 50 .Values.anchoreApi.maxRequestThreads }} listen: 0.0.0.0 port: {{ .Values.anchoreApi.service.port }} @@ -165,7 +165,7 @@ data: catalog: enabled: true require_auth: true - endpoint_hostname: {{ template "anchore-engine.catalog.fullname" . }} + endpoint_hostname: {{ template "anchore-engine.catalog.serviceName" . }} listen: 0.0.0.0 port: {{ .Values.anchoreCatalog.service.port }} max_request_threads: {{ default 50 .Values.anchoreCatalog.maxRequestThreads }} @@ -224,7 +224,7 @@ data: simplequeue: enabled: true require_auth: true - endpoint_hostname: {{ template "anchore-engine.simplequeue.fullname" . }} + endpoint_hostname: {{ template "anchore-engine.simplequeue.serviceName" . }} listen: 0.0.0.0 port: {{ .Values.anchoreSimpleQueue.service.port }} max_request_threads: {{ default 50 .Values.anchoreSimpleQueue.maxRequestThreads }} @@ -237,7 +237,7 @@ data: enabled: true require_auth: true max_request_threads: {{ default 50 .Values.anchorePolicyEngine.maxRequestThreads }} - endpoint_hostname: {{ template "anchore-engine.policy-engine.fullname" . }} + endpoint_hostname: {{ template "anchore-engine.policy-engine.serviceName" . }} listen: 0.0.0.0 port: {{ .Values.anchorePolicyEngine.service.port }} policy_evaluation_cache_ttl: {{ .Values.anchorePolicyEngine.cacheTTL }} diff --git a/stable/anchore-engine/templates/enterprise_configmap.yaml b/stable/anchore-engine/templates/enterprise_configmap.yaml index 3d7e6f04..e0062bd9 100644 --- a/stable/anchore-engine/templates/enterprise_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_configmap.yaml 
@@ -94,7 +94,7 @@ data: rbac_manager: enabled: true require_auth: true - endpoint_hostname: {{ template "anchore-engine.enterprise-rbac.fullname" . }} + endpoint_hostname: {{ template "anchore-engine.enterprise-rbac.serviceName" . }} listen: 0.0.0.0 port: {{ .Values.anchoreEnterpriseRbac.service.managerPort }} max_request_threads: {{ default 50 .Values.anchoreEnterpriseRbac.maxRequestThreads }} @@ -111,7 +111,7 @@ data: reports: enabled: true require_auth: true - endpoint_hostname: {{ template "anchore-engine.api.fullname" . }} + endpoint_hostname: {{ template "anchore-engine.api.serviceName" . }} listen: '0.0.0.0' port: {{ .Values.anchoreEnterpriseReports.service.apiPort }} max_request_threads: {{ default 50 .Values.anchoreApi.maxRequestThreads }} @@ -129,7 +129,7 @@ data: reports_worker: enabled: true require_auth: true - endpoint_hostname: {{ template "anchore-engine.enterprise-reports.fullname" . }} + endpoint_hostname: {{ template "anchore-engine.enterprise-reports.serviceName" . }} listen: '0.0.0.0' port: {{ .Values.anchoreEnterpriseReports.service.workerPort }} max_request_threads: {{ default 50 .Values.anchoreEnterpriseReports.maxRequestThreads }} @@ -155,7 +155,7 @@ data: notifications: enabled: true require_auth: true - endpoint_hostname: {{ template "anchore-engine.enterprise-notifications.fullname" . }} + endpoint_hostname: {{ template "anchore-engine.enterprise-notifications.serviceName" . }} listen: '0.0.0.0' port: {{ .Values.anchoreEnterpriseNotifications.service.port }} max_request_threads: {{ default 50 .Values.anchoreEnterpriseNotifications.maxRequestThreads }} @@ -167,7 +167,7 @@ data: {{- if .Values.anchoreEnterpriseNotifications.uiUrl }} ui_url: "{{ .Values.anchoreEnterpriseNotifications.uiUrl }}" {{- else }} - ui_url: {{ include "anchore-engine.enterprise-ui.fullname" . | quote }} + ui_url: {{ include "anchore-engine.enterprise-ui.serviceName" . | quote }} {{- end }} {{- end }} {{- end -}} 
diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index ac38a1de..02322cf4 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml @@ -9,9 +9,9 @@ {{- $grypeProviderFeedsExternalURL = (printf "%s/v1/" $anchoreFeedsHost) -}} {{- else -}} {{- if .Values.anchoreGlobal.internalServicesSsl.enabled -}} - {{- $grypeProviderFeedsExternalURL = (printf "https://%s:%s/v1/" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} + {{- $grypeProviderFeedsExternalURL = (printf "https://%s:%s/v1/" (include "anchore-engine.enterprise-feeds.serviceName" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} {{- else -}} - {{- $grypeProviderFeedsExternalURL = (printf "http://%s:%s/v1/" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} + {{- $grypeProviderFeedsExternalURL = (printf "http://%s:%s/v1/" (include "anchore-engine.enterprise-feeds.serviceName" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} {{- end -}} {{- end -}} @@ -93,7 +93,7 @@ data: feeds: enabled: true require_auth: true - endpoint_hostname: {{ template "anchore-engine.enterprise-feeds.fullname" . }} + endpoint_hostname: {{ template "anchore-engine.enterprise-feeds.serviceName" . }} listen: 0.0.0.0 port: {{ .Values.anchoreEnterpriseFeeds.service.port }} max_request_threads: {{ default 50 .Values.anchoreEnterpriseFeeds.maxRequestThreads }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml index 47ed57a9..e6152fb8 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml 
@@ -226,7 +226,7 @@ spec: tolerations: {{ toYaml . | nindent 8 }} {{- end }} - {{- with .Values.anchoreGlobal.serviceAccountName }} + {{- with include "anchore-engine.enterprise-feeds.serviceAccountName" . }} serviceAccountName: {{ . }} {{- end }} @@ -234,7 +234,7 @@ spec: apiVersion: v1 kind: Service metadata: - name: {{ template "anchore-engine.enterprise-feeds.fullname" . }} + name: {{ template "anchore-engine.enterprise-feeds.serviceName" . }} labels: app: {{ template "anchore-engine.fullname" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} diff --git a/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml b/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml index 4cc03314..34e82350 100644 --- a/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml @@ -271,7 +271,7 @@ spec: tolerations: {{ toYaml . | nindent 8 }} {{- end }} - {{- with .Values.anchoreGlobal.serviceAccountName }} + {{- with include "anchore-engine.enterprise-notifications.serviceAccountName" . }} serviceAccountName: {{ . }} {{- end }} @@ -279,7 +279,7 @@ spec: apiVersion: v1 kind: Service metadata: - name: {{ template "anchore-engine.enterprise-notifications.fullname" . }} + name: {{ template "anchore-engine.enterprise-notifications.serviceName" . }} labels: app: {{ template "anchore-engine.fullname" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} @@ -306,4 +306,4 @@ spec: selector: app: {{ template "anchore-engine.fullname" . }} component: {{ $component }} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml b/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml index b5027ed0..df43930e 100644 --- a/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml 
@@ -269,7 +269,7 @@ spec: tolerations: {{ toYaml . | nindent 8 }} {{- end }} - {{- with .Values.anchoreGlobal.serviceAccountName }} + {{- with include "anchore-engine.enterprise-rbac.serviceAccountName" . }} serviceAccountName: {{ . }} {{- end }} @@ -277,7 +277,7 @@ spec: apiVersion: v1 kind: Service metadata: - name: {{ template "anchore-engine.enterprise-rbac.fullname" . }} + name: {{ template "anchore-engine.enterprise-rbac.serviceName" . }} labels: app: {{ template "anchore-engine.fullname" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} diff --git a/stable/anchore-engine/templates/enterprise_reports_deployment.yaml b/stable/anchore-engine/templates/enterprise_reports_deployment.yaml index cdbbe713..dc93e7bb 100644 --- a/stable/anchore-engine/templates/enterprise_reports_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_reports_deployment.yaml @@ -194,7 +194,7 @@ spec: tolerations: {{ toYaml . | nindent 8 }} {{- end }} - {{- with .Values.anchoreGlobal.serviceAccountName }} + {{- with include "anchore-engine.enterprise-reports.serviceAccountName" . }} serviceAccountName: {{ . }} {{- end }} @@ -202,7 +202,7 @@ spec: apiVersion: v1 kind: Service metadata: - name: {{ template "anchore-engine.enterprise-reports.fullname" . }} + name: {{ template "anchore-engine.enterprise-reports.serviceName" . }} labels: app: {{ template "anchore-engine.fullname" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} @@ -229,4 +229,4 @@ spec: selector: app: {{ template "anchore-engine.fullname" . }} component: {{ $component }} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/stable/anchore-engine/templates/enterprise_ui_configmap.yaml b/stable/anchore-engine/templates/enterprise_ui_configmap.yaml index 85f4c3e6..0b05186a 100644 --- a/stable/anchore-engine/templates/enterprise_ui_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_ui_configmap.yaml 
@@ -17,31 +17,31 @@ metadata: data: config-ui.yaml: | {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} - engine_uri: 'https://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreApi.service.port }}/v1' + engine_uri: 'https://{{ template "anchore-engine.api.serviceName" . }}:{{ .Values.anchoreApi.service.port }}/v1' {{- else }} - engine_uri: 'http://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreApi.service.port }}/v1' + engine_uri: 'http://{{ template "anchore-engine.api.serviceName" . }}:{{ .Values.anchoreApi.service.port }}/v1' {{- end }} # This value is overridden by using the `ANCHORE_REDIS_URI` environment variable. # redis_ui: $ANCHORE_REDIS_URI {{- if .Values.anchoreEnterpriseRbac.enabled }} {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} - rbac_uri: 'https://{{ template "anchore-engine.enterprise-rbac.fullname" . }}:{{ .Values.anchoreEnterpriseRbac.service.managerPort }}/v1' + rbac_uri: 'https://{{ template "anchore-engine.enterprise-rbac.serviceName" . }}:{{ .Values.anchoreEnterpriseRbac.service.managerPort }}/v1' {{- else }} - rbac_uri: 'http://{{ template "anchore-engine.enterprise-rbac.fullname" . }}:{{ .Values.anchoreEnterpriseRbac.service.managerPort }}/v1' + rbac_uri: 'http://{{ template "anchore-engine.enterprise-rbac.serviceName" . }}:{{ .Values.anchoreEnterpriseRbac.service.managerPort }}/v1' {{- end }} {{- end }} {{- if .Values.anchoreEnterpriseReports.enabled }} {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} - reports_uri: 'https://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreEnterpriseReports.service.apiPort}}/v1' + reports_uri: 'https://{{ template "anchore-engine.api.serviceName" . }}:{{ .Values.anchoreEnterpriseReports.service.apiPort}}/v1' {{- else}} - reports_uri: 'http://{{ template "anchore-engine.api.fullname" . }}:{{ .Values.anchoreEnterpriseReports.service.apiPort}}/v1' + reports_uri: 'http://{{ template "anchore-engine.api.serviceName" . 
}}:{{ .Values.anchoreEnterpriseReports.service.apiPort}}/v1' {{- end }} {{- end }} {{- if .Values.anchoreEnterpriseNotifications.enabled }} {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} - notifications_uri: 'https://{{ template "anchore-engine.enterprise-notifications.fullname" . }}:{{ .Values.anchoreEnterpriseNotifications.service.port}}/v1' + notifications_uri: 'https://{{ template "anchore-engine.enterprise-notifications.serviceName" . }}:{{ .Values.anchoreEnterpriseNotifications.service.port}}/v1' {{- else}} - notifications_uri: 'http://{{ template "anchore-engine.enterprise-notifications.fullname" . }}:{{ .Values.anchoreEnterpriseNotifications.service.port}}/v1' + notifications_uri: 'http://{{ template "anchore-engine.enterprise-notifications.serviceName" . }}:{{ .Values.anchoreEnterpriseNotifications.service.port}}/v1' {{- end }} {{- end }} # This value is overridden by using the `ANCHORE_APPDB_URI` environment variable. @@ -53,7 +53,7 @@ data: allow_shared_login: {{ .Values.anchoreEnterpriseUi.enableSharedLogin }} redis_flushdb: {{ .Values.anchoreEnterpriseUi.redisFlushdb }} force_websocket: {{ .Values.anchoreEnterpriseUi.forceWebsocket }} - authentication_lock: + authentication_lock: count: {{ .Values.anchoreEnterpriseUi.authenticationLock.count }} expires: {{ .Values.anchoreEnterpriseUi.authenticationLock.expires }} {{- with .Values.anchoreEnterpriseUi.customLinks }} diff --git a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml index 238fa151..3e802e04 100644 --- a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml 
@@ -180,15 +180,15 @@ spec: tolerations: {{ toYaml . | nindent 8 }} {{- end }} - {{- with .Values.anchoreGlobal.serviceAccountName }} + {{- with include "anchore-engine.enterprise-ui.serviceAccountName" . }} serviceAccountName: {{ . }} - {{- end }} + {{- end }} --- apiVersion: v1 kind: Service metadata: - name: {{ include "anchore-engine.enterprise-ui.fullname" . | quote }} + name: {{ include "anchore-engine.enterprise-ui.serviceName" . | quote }} labels: app: {{ template "anchore-engine.fullname" . }} component: {{ $component }} diff --git a/stable/anchore-engine/templates/ingress.yaml b/stable/anchore-engine/templates/ingress.yaml index fff89203..08834ddc 100644 --- a/stable/anchore-engine/templates/ingress.yaml +++ b/stable/anchore-engine/templates/ingress.yaml @@ -49,12 +49,12 @@ spec: pathType: Prefix backend: service: - name: {{ template "anchore-engine.api.fullname" $ }} + name: {{ template "anchore-engine.api.serviceName" $ }} port: number: {{ $.Values.anchoreApi.service.port }} {{else}} backend: - serviceName: {{ template "anchore-engine.api.fullname" $ }} + serviceName: {{ template "anchore-engine.api.serviceName" $ }} servicePort: {{ $.Values.anchoreApi.service.port }} {{- end }} {{- end }} @@ -67,12 +67,12 @@ spec: pathType: Prefix backend: service: - name: {{ template "anchore-engine.enterprise-ui.fullname" $ }} + name: {{ template "anchore-engine.enterprise-ui.serviceName" $ }} port: number: {{ $.Values.anchoreEnterpriseUi.service.port }} {{- else}} backend: - serviceName: {{ template "anchore-engine.enterprise-ui.fullname" $ }} + serviceName: {{ template "anchore-engine.enterprise-ui.serviceName" $ }} servicePort: {{ $.Values.anchoreEnterpriseUi.service.port }} {{- end }} {{- end }} 
@@ -85,12 +85,12 @@ spec: pathType: Prefix backend: service: - name: {{ template "anchore-engine.enterprise-feeds.fullname" $ }} + name: {{ template "anchore-engine.enterprise-feeds.serviceName" $ }} port: number: {{ $.Values.anchoreEnterpriseFeeds.service.port }} {{- else}} backend: - serviceName: {{ template "anchore-engine.enterprise-feeds.fullname" $ }} + serviceName: {{ template "anchore-engine.enterprise-feeds.serviceName" $ }} servicePort: {{ $.Values.anchoreEnterpriseFeeds.service.port }} {{- end }} {{- end }} @@ -103,12 +103,12 @@ spec: pathType: Prefix backend: service: - name: {{ template "anchore-engine.api.fullname" $ }} + name: {{ template "anchore-engine.api.serviceName" $ }} port: number: {{ $.Values.anchoreEnterpriseReports.service.apiPort }} {{- else}} backend: - serviceName: {{ template "anchore-engine.api.fullname" $ }} + serviceName: {{ template "anchore-engine.api.serviceName" $ }} servicePort: {{ $.Values.anchoreEnterpriseReports.service.apiPort }} {{- end }} {{- end }} @@ -121,12 +121,12 @@ spec: pathType: Prefix backend: service: - name: {{ template "anchore-engine.api.fullname" $ }} + name: {{ template "anchore-engine.api.serviceName" $ }} port: number: {{ $.Values.anchoreApi.service.port }} {{else}} backend: - serviceName: {{ template "anchore-engine.api.fullname" $ }} + serviceName: {{ template "anchore-engine.api.serviceName" $ }} servicePort: {{ $.Values.anchoreApi.service.port }} {{- end }} {{- end }} @@ -136,12 +136,12 @@ spec: pathType: Prefix backend: service: - name: {{ template "anchore-engine.enterprise-ui.fullname" $ }} + name: {{ template "anchore-engine.enterprise-ui.serviceName" $ }} port: number: {{ $.Values.anchoreEnterpriseUi.service.port }} {{- else}} backend: - serviceName: {{ template "anchore-engine.enterprise-ui.fullname" $ }} + serviceName: {{ template "anchore-engine.enterprise-ui.serviceName" $ }} servicePort: {{ $.Values.anchoreEnterpriseUi.service.port }} {{- end }} {{- end }} 
@@ -151,12 +151,12 @@ spec: pathType: Prefix backend: service: - name: {{ template "anchore-engine.enterprise-feeds.fullname" $ }} + name: {{ template "anchore-engine.enterprise-feeds.serviceName" $ }} port: number: {{ $.Values.anchoreEnterpriseFeeds.service.port }} {{- else}} backend: - serviceName: {{ template "anchore-engine.enterprise-feeds.fullname" $ }} + serviceName: {{ template "anchore-engine.enterprise-feeds.serviceName" $ }} servicePort: {{ $.Values.anchoreEnterpriseFeeds.service.port }} {{- end }} {{- end }} @@ -166,12 +166,12 @@ spec: pathType: Prefix backend: service: - name: {{ template "anchore-engine.api.fullname" $ }} + name: {{ template "anchore-engine.api.serviceName" $ }} port: number: {{ $.Values.anchoreEnterpriseReports.service.apiPort }} {{- else}} backend: - serviceName: {{ template "anchore-engine.api.fullname" $ }} + serviceName: {{ template "anchore-engine.api.serviceName" $ }} servicePort: {{ $.Values.anchoreEnterpriseReports.service.apiPort }} {{- end }} {{- end }} diff --git a/stable/anchore-engine/templates/policy_engine_deployment.yaml b/stable/anchore-engine/templates/policy_engine_deployment.yaml index cf591822..8ae49716 100644 --- a/stable/anchore-engine/templates/policy_engine_deployment.yaml +++ b/stable/anchore-engine/templates/policy_engine_deployment.yaml @@ -235,7 +235,7 @@ spec: tolerations: {{ toYaml . | nindent 8 }} {{- end }} - {{- with .Values.anchoreGlobal.serviceAccountName }} + {{- with include "anchore-engine.policy-engine.serviceAccountName" . }} serviceAccountName: {{ . }} {{- end }} @@ -243,7 +243,7 @@ spec: apiVersion: v1 kind: Service metadata: - name: {{ template "anchore-engine.policy-engine.fullname" . }} + name: {{ template "anchore-engine.policy-engine.serviceName" . }} labels: app: {{ template "anchore-engine.fullname" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} 
diff --git a/stable/anchore-engine/templates/simplequeue_deployment.yaml b/stable/anchore-engine/templates/simplequeue_deployment.yaml index f0d36f58..db10ea20 100644 --- a/stable/anchore-engine/templates/simplequeue_deployment.yaml +++ b/stable/anchore-engine/templates/simplequeue_deployment.yaml @@ -213,7 +213,7 @@ spec: tolerations: {{ toYaml . | nindent 8 }} {{- end }} - {{- with .Values.anchoreGlobal.serviceAccountName }} + {{- with include "anchore-engine.simplequeue.serviceAccountName" . }} serviceAccountName: {{ . }} {{- end }} @@ -221,7 +221,7 @@ spec: apiVersion: v1 kind: Service metadata: - name: {{ template "anchore-engine.simplequeue.fullname" . }} + name: {{ template "anchore-engine.simplequeue.serviceName" . }} labels: app: {{ template "anchore-engine.fullname" . }} chart: {{ .Chart.Name }}-{{ .Chart.Version }} diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 2a6cdf96..aceba963 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -105,7 +105,7 @@ anchoreGlobal: imagePullSecretName: # Specify a service account name utilized to run all Anchore pods - serviceAccountName: Null + # serviceAccountName: Null # Set this value to true to setup the chart for OpenShift deployment compatibility. openShiftDeployment: false @@ -288,6 +288,9 @@ anchoreAnalyzer: # - name: foo # value: bar + # Specify the service account name utilized to run the analyzer pods + # serviceAccountName: Null + # The cycle timer is the interval between checks to the work queue for new jobs cycleTimers: image_analyzer: 1 @@ -384,11 +387,16 @@ anchoreApi: # kubernetes service configuration for anchore external API service: + # Override the service name + # name: Null type: ClusterIP port: 8228 annotations: {} label: {} + # Specify the service account name utilized to run the API pods + # serviceAccountName: Null + # (Optional) Overrides for constructing API URLs. All values are optional. # external: # use_tls: true 
@@ -419,6 +427,9 @@ anchoreCatalog: # - name: foo # value: bar + # Specify the service account name utilized to run the catalog pods + # serviceAccountName: Null + # Intervals to run specific events on (seconds) cycleTimers: # Interval to check for an update to a tag @@ -586,6 +597,8 @@ anchoreCatalog: # kubernetes service configuration for anchore catalog api service: + # Override the service name + # name: Null type: ClusterIP port: 8082 annotations: {} @@ -616,6 +629,9 @@ anchorePolicyEngine: # - name: foo # value: bar + # Specify the service account name utilized to run the policy engine pods + # serviceAccountName: Null + # Intervals to run specific events on (seconds) cycleTimers: # Interval to run a feed sync to get latest cve data @@ -629,6 +645,8 @@ anchorePolicyEngine: # kubernetes service configuration for anchore policy engine api service: + # Override the service name + # name: Null type: ClusterIP port: 8087 annotations: {} @@ -659,8 +677,13 @@ anchoreSimpleQueue: # - name: foo # value: bar + # Specify the service account name utilized to run the simple queue pods + # serviceAccountName: Null + # kubernetes service configuration for anchore simplequeue api service: + # Override the service name + # name: Null type: ClusterIP port: 8083 annotations: {} @@ -799,6 +822,9 @@ anchoreEnterpriseFeeds: # - name: foo # value: bar + # Specify the service account name utilized to run the feeds pods + # serviceAccountName: Null + # Time delay in seconds between consecutive driver runs for processing data cycleTimers: driver_sync: 7200 @@ -852,6 +878,8 @@ anchoreEnterpriseFeeds: # kubernetes service configuration for anchore feeds service api service: + # Override the service name + # name: Null type: ClusterIP port: 8448 annotations: {} 
@@ -903,6 +931,8 @@ anchoreEnterpriseRbac: # Kubernetes service config - annotations & serviceType configs must be set in anchoreApi # Due to RBAC sharing a service with the general API. service: + # Override the service name + # name: Null managerPort: 8229 authPort: 8089 type: ClusterIP @@ -937,6 +967,9 @@ anchoreEnterpriseReports: # - name: foo # value: bar + # Specify the service account name utilized to run the reports pods + # serviceAccountName: Null + # GraphiQL is a GUI for editing and testing GraphQL queries and mutations. # Set enableGraphiql to true and open http://:/v1/reports/graphql in a browser for reports API enableGraphiql: true @@ -967,6 +1000,8 @@ anchoreEnterpriseReports: reports_data_egress: 600 service: + # Override the service name + # name: Null type: ClusterIP apiPort: 8558 workerPort: 8778 @@ -998,6 +1033,9 @@ anchoreEnterpriseNotifications: # - name: foo # value: bar + # Specify the service account name utilized to run the notification pods + # serviceAccountName: Null + cycleTimers: notifications: 30 @@ -1005,6 +1043,8 @@ anchoreEnterpriseNotifications: # uiUrl: "http://" service: + # Override the service name + # name: Null type: ClusterIP port: 8668 annotations: {} @@ -1038,6 +1078,9 @@ anchoreEnterpriseUi: # - name: foo # value: bar + # Specify the service account name utilized to run the UI pods + # serviceAccountName: Null + # Specifies an existing secret to be used for db and redis endpoints # This secret should define the following ENV vars # ANCHORE_APPDB_URI @@ -1187,6 +1230,8 @@ anchoreEnterpriseUi: # kubernetes service configuration for anchore UI service: + # Override the service name + # name: Null type: ClusterIP port: 80 annotations: {} From 70cda3557928245d1f23660fc6f39328199b6404 Mon Sep 17 00:00:00 2001 
From: Hung Nguyen <97040806+hunguyen1@users.noreply.github.com> Date: Tue, 11 Oct 2022 09:28:45 -0400 Subject: [PATCH 028/329] allow passing volumes and volumemounts to pods. source file on pod.(#50) --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/templates/_helpers.tpl | 6 ++++ .../templates/analyzer_deployment.yaml | 17 +++++++++-- .../templates/api_deployment.yaml | 28 ++++++++++++++++--- .../templates/catalog_deployment.yaml | 13 +++++++-- .../templates/engine_upgrade_job.yaml | 16 +++++++---- .../enterprise_feeds_deployment.yaml | 10 ++++++- .../enterprise_feeds_upgrade_job.yaml | 16 +++++++---- .../enterprise_notifications_deployment.yaml | 17 +++++++++-- .../enterprise_rbac_manager_deployment.yaml | 17 +++++++++-- .../enterprise_reports_deployment.yaml | 10 ++++++- .../templates/enterprise_ui_deployment.yaml | 9 ++++++ .../templates/enterprise_upgrade_job.yaml | 16 +++++++---- .../templates/policy_engine_deployment.yaml | 13 +++++++-- .../templates/simplequeue_deployment.yaml | 13 +++++++-- stable/anchore-engine/values.yaml | 16 +++++++++++ 16 files changed, 185 insertions(+), 34 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index d1e95a5c..81d9d109 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.19.7 +version: 1.19.8 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index fe096d92..d50e11d6 100755 --- a/stable/anchore-engine/templates/_helpers.tpl +++ b/stable/anchore-engine/templates/_helpers.tpl 
@@ -412,3 +412,9 @@ Create database hostname string from supplied values file. Used for the enterpri {{- printf "%s:5432" $db_host -}} {{- end }} {{- end }} + +{{- define "doSourceFile" }} +{{- if .Values.anchoreGlobal.doSourceAtEntry.enabled }} + {{- printf "source %v;" .Values.anchoreGlobal.doSourceAtEntry.filePath }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/stable/anchore-engine/templates/analyzer_deployment.yaml b/stable/anchore-engine/templates/analyzer_deployment.yaml index e2901ef4..997e3792 100644 --- a/stable/anchore-engine/templates/analyzer_deployment.yaml +++ b/stable/anchore-engine/templates/analyzer_deployment.yaml @@ -109,10 +109,13 @@ spec: image: {{ .Values.anchoreGlobal.image }} imagePullPolicy: {{ .Values.anchoreGlobal.imagePullPolicy }} {{- end }} + command: ["/bin/sh", "-c"] {{- if .Values.anchoreEnterpriseGlobal.enabled }} - args: ["anchore-enterprise-manager", "service", "start", "--no-auto-upgrade", "analyzer"] + args: + - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade analyzer {{- else }} - args: ["anchore-manager", "service", "start", "--no-auto-upgrade", "analyzer"] + args: + - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-manager service start --no-auto-upgrade analyzer {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} @@ -139,9 +142,11 @@ spec: valueFrom: fieldRef: fieldPath: metadata.name + ports: - name: analyzer-api containerPort: {{ .Values.anchoreAnalyzer.containerPort }} + volumeMounts: {{- if .Values.anchoreEnterpriseGlobal.enabled }} - name: anchore-license @@ -169,6 +174,9 @@ spec: - name: run mountPath: /var/run/anchore {{- end }} + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} livenessProbe: httpGet: path: /health 
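Review bot: The `doSourceFile` helper in the `_helpers.tpl` hunk interpolates `.Values.anchoreGlobal.doSourceAtEntry.filePath` unquoted into a string that every deployment and upgrade job now runs through `/bin/sh -c`, so a path containing spaces or shell metacharacters is either broken up or interpreted by the shell; quote it at the one place it is built, `{{- printf "source %s;" (.Values.anchoreGlobal.doSourceAtEntry.filePath | quote) }}`, and if the images' `/bin/sh` is not bash, `source` needs to be the POSIX `.`. In the analyzer hunk below, and in the same `args` lines of the api, catalog, feeds, notifications, rbac_manager, reports, UI, policy_engine and simplequeue deployments on the following lines, the shell stays as PID 1 in front of the entrypoint whenever the source prefix is rendered, so SIGTERM from a pod delete reaches `sh` rather than the service and the container's exit status is the shell's; prefixing the entrypoint with `exec`, `- {{ print (include "doSourceFile" .) }} exec /docker-entrypoint.sh anchore-manager service start --no-auto-upgrade analyzer`, restores the previous exec-form behaviour. The `\ No newline at end of file` marker on the helper hunk is worth fixing while here.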
@@ -230,6 +238,11 @@ spec: secret: secretName: {{ .Values.cloudsql.serviceAccSecretName }} {{- end }} + + {{- with .Values.anchoreGlobal.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.anchoreAnalyzer.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/api_deployment.yaml b/stable/anchore-engine/templates/api_deployment.yaml index 959b6ea7..197a9da5 100644 --- a/stable/anchore-engine/templates/api_deployment.yaml +++ b/stable/anchore-engine/templates/api_deployment.yaml @@ -97,10 +97,13 @@ spec: image: {{ .Values.anchoreGlobal.image }} imagePullPolicy: {{ .Values.anchoreGlobal.imagePullPolicy }} {{- end }} + command: ["/bin/sh", "-c"] {{- if .Values.anchoreEnterpriseGlobal.enabled }} - args: ["anchore-enterprise-manager", "service", "start", "--no-auto-upgrade", "apiext"] + args: + - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade apiext {{- else }} - args: ["anchore-manager", "service", "start", "--no-auto-upgrade", "apiext"] + args: + - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-manager service start --no-auto-upgrade apiext {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} @@ -166,6 +169,9 @@ spec: mountPath: /home/anchore/certs/ readOnly: true {{- end }} + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} livenessProbe: httpGet: path: /health 
@@ -195,7 +201,9 @@ spec: - name: {{ .Chart.Name }}-rbac-authorizer image: {{ .Values.anchoreEnterpriseGlobal.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }} - args: ["anchore-enterprise-manager", "service", "start", "--no-auto-upgrade", "rbac_authorizer"] + command: ["/bin/sh", "-c"] + args: + - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_authorizer envFrom: {{- if not .Values.inject_secrets_via_env }} {{- if .Values.anchoreGlobal.existingSecret }} @@ -244,6 +252,10 @@ spec: - name: run mountPath: /var/run/anchore {{- end }} + + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} livenessProbe: exec: command: @@ -272,7 +284,9 @@ spec: - name: "{{ .Chart.Name }}-reports-api" image: {{ .Values.anchoreEnterpriseGlobal.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }} - args: ["anchore-enterprise-manager", "service", "start", "--no-auto-upgrade", "reports"] + command: ["/bin/sh", "-c"] + args: + - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade reports ports: - containerPort: {{ .Values.anchoreEnterpriseReports.service.apiPort }} name: reports-api @@ -321,6 +335,9 @@ spec: - name: run mountPath: /var/run/anchore {{- end }} + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} livenessProbe: httpGet: path: /health @@ -382,6 +399,9 @@ spec: secret: secretName: {{ .Values.cloudsql.serviceAccSecretName }} {{- end }} + {{- with .Values.anchoreGlobal.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.anchoreApi.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/catalog_deployment.yaml b/stable/anchore-engine/templates/catalog_deployment.yaml index 4703f70a..e68a8a2a 100644 
--- a/stable/anchore-engine/templates/catalog_deployment.yaml +++ b/stable/anchore-engine/templates/catalog_deployment.yaml @@ -111,10 +111,13 @@ spec: image: {{ .Values.anchoreGlobal.image }} imagePullPolicy: {{ .Values.anchoreGlobal.imagePullPolicy }} {{- end }} + command: ["/bin/sh", "-c"] {{- if .Values.anchoreEnterpriseGlobal.enabled }} - args: ["anchore-enterprise-manager", "service", "start", "--no-auto-upgrade", "catalog"] + args: + - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade catalog {{- else }} - args: ["anchore-manager", "service", "start", "--no-auto-upgrade", "catalog"] + args: + - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-manager service start --no-auto-upgrade catalog {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} @@ -175,6 +178,9 @@ spec: mountPath: /home/anchore/certs/ readOnly: true {{- end }} + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} livenessProbe: httpGet: path: /health @@ -238,6 +244,9 @@ spec: secret: secretName: {{ .Values.cloudsql.serviceAccSecretName }} {{- end }} + {{- with .Values.anchoreGlobal.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.anchoreCatalog.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/engine_upgrade_job.yaml b/stable/anchore-engine/templates/engine_upgrade_job.yaml index 1c97fae2..8d6220e7 100644 --- a/stable/anchore-engine/templates/engine_upgrade_job.yaml +++ b/stable/anchore-engine/templates/engine_upgrade_job.yaml 
@@ -72,13 +72,13 @@ spec: args: {{- if not .Values.anchoreGlobal.dbConfig.ssl }} - | - anchore-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}" upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}" upgrade --dontask; {{- else if eq .Values.anchoreGlobal.dbConfig.sslMode "require"}} - | - anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; {{- else }} - | - anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; {{- end }} {{- if .Values.cloudsql.enabled }} sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; 
@@ -105,15 +105,18 @@ spec: {{- with .Values.anchoreGlobal.extraEnv }} {{- toYaml . | nindent 8 }} {{- end }} - {{- if (.Values.anchoreGlobal.certStoreSecretName) }} volumeMounts: + {{- if (.Values.anchoreGlobal.certStoreSecretName) }} - name: certs mountPath: /home/anchore/certs/ readOnly: true {{- end }} + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} resources: {{ toYaml .Values.anchoreEngineUpgradeJob.resources | nindent 10 }} - {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }} + {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc .Values.anchoreGlobal.extraVolumes }} volumes: {{- with .Values.anchoreGlobal.certStoreSecretName }} - name: certs @@ -125,6 +128,9 @@ spec: secret: secretName: {{ .Values.cloudsql.serviceAccSecretName }} {{- end }} + {{- with .Values.anchoreGlobal.extraVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} {{- end }} {{- with .Values.anchoreEngineUpgradeJob.nodeSelector }} nodeSelector: diff --git a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml index e6152fb8..14589c5c 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml @@ -97,7 +97,9 @@ spec: - name: "{{ .Chart.Name }}-{{ $component }}" image: {{ .Values.anchoreEnterpriseGlobal.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }} - args: ["anchore-enterprise-manager", "service", "start", "--no-auto-upgrade", "feeds"] + command: ["/bin/sh", "-c"] + args: + - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade feeds ports: - containerPort: {{ .Values.anchoreEnterpriseFeeds.service.port }} name: feeds-api 
@@ -151,6 +153,9 @@ spec: mountPath: /home/anchore/certs/ readOnly: true {{- end }} + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} livenessProbe: httpGet: path: /health @@ -214,6 +219,9 @@ spec: secret: secretName: {{ . }} {{- end }} + {{- with .Values.anchoreGlobal.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.anchoreEnterpriseFeeds.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml index 1258be81..499f3746 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml 
@@ -60,13 +60,13 @@ spec: args: {{- if not .Values.anchoreEnterpriseFeeds.dbConfig.ssl }} - | - anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}" upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}" upgrade --dontask; {{- else if eq .Values.anchoreEnterpriseFeeds.dbConfig.sslMode "require" }} - | - anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode }} upgrade --dontask; {{- else }} - | - anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }} upgrade --dontask; {{- end }} {{- if .Values.cloudsql.enabled }} sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; 
@@ -96,15 +96,18 @@ spec: {{- with .Values.anchoreEnterpriseFeeds.extraEnv }} {{- toYaml . | nindent 8 }} {{- end }} - {{- if (.Values.anchoreGlobal.certStoreSecretName) }} volumeMounts: + {{- if (.Values.anchoreGlobal.certStoreSecretName) }} - name: certs mountPath: /home/anchore/certs/ readOnly: true {{- end }} + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} resources: {{ toYaml .Values.anchoreEnterpriseFeedsUpgradeJob.resources | nindent 10 }} - {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }} + {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc .Values.anchoreGlobal.extraVolumes }} volumes: {{- with .Values.anchoreGlobal.certStoreSecretName }} - name: certs @@ -116,6 +119,9 @@ spec: secret: secretName: {{ .Values.cloudsql.serviceAccSecretName }} {{- end }} + {{- with .Values.anchoreGlobal.extraVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} {{- end }} {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.nodeSelector }} nodeSelector: diff --git a/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml b/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml index 34e82350..3888cdc8 100644 --- a/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml @@ -83,7 +83,9 @@ spec: - name: "{{ .Chart.Name }}-{{ $component }}" image: {{ .Values.anchoreEnterpriseGlobal.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }} - args: ["anchore-enterprise-manager", "service", "start", "--no-auto-upgrade", "notifications"] + command: ["/bin/sh", "-c"] + args: + - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade notifications ports: - containerPort: {{ .Values.anchoreEnterpriseNotifications.service.port }} name: notify 
@@ -132,6 +134,9 @@ spec: mountPath: /home/anchore/certs/ readOnly: true {{- end }} + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} livenessProbe: httpGet: path: /health @@ -161,7 +166,9 @@ spec: - name: {{ .Chart.Name }}-rbac-authorizer image: {{ .Values.anchoreEnterpriseGlobal.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }} - args: ["anchore-enterprise-manager", "service", "start", "--no-auto-upgrade", "rbac_authorizer"] + command: ["/bin/sh", "-c"] + args: + - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_authorizer envFrom: {{- if not .Values.inject_secrets_via_env }} {{- if .Values.anchoreGlobal.existingSecret }} @@ -210,6 +217,9 @@ spec: - name: run mountPath: /var/run/anchore {{- end }} + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} livenessProbe: exec: command: @@ -259,6 +269,9 @@ spec: secret: secretName: {{ . }} {{- end }} + {{- with .Values.anchoreGlobal.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.anchoreEnterpriseNotifications.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml b/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml index df43930e..b82941d2 100644 --- a/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml 
@@ -83,7 +83,9 @@ spec: - name: "{{ .Chart.Name }}-{{ $component }}" image: {{ .Values.anchoreEnterpriseGlobal.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }} - args: ["anchore-enterprise-manager", "service", "start", "--no-auto-upgrade", "rbac_manager"] + command: ["/bin/sh", "-c"] + args: + - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_manager ports: - containerPort: {{ .Values.anchoreEnterpriseRbac.service.managerPort }} name: rbac @@ -132,6 +134,9 @@ spec: mountPath: /home/anchore/certs/ readOnly: true {{- end }} + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} livenessProbe: httpGet: path: /health @@ -160,7 +165,9 @@ spec: - name: {{ .Chart.Name }}-rbac-authorizer image: {{ .Values.anchoreEnterpriseGlobal.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }} - args: ["anchore-enterprise-manager", "service", "start", "--no-auto-upgrade", "rbac_authorizer"] + command: ["/bin/sh", "-c"] + args: + - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_authorizer envFrom: {{- if not .Values.inject_secrets_via_env }} {{- if .Values.anchoreGlobal.existingSecret }} @@ -209,6 +216,9 @@ spec: - name: run mountPath: /var/run/anchore {{- end }} + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} livenessProbe: exec: command: @@ -257,6 +267,9 @@ spec: secret: secretName: {{ . }} {{- end }} + {{- with .Values.anchoreGlobal.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.anchoreEnterpriseRbac.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/enterprise_reports_deployment.yaml b/stable/anchore-engine/templates/enterprise_reports_deployment.yaml index dc93e7bb..60b078bf 100644 
--- a/stable/anchore-engine/templates/enterprise_reports_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_reports_deployment.yaml @@ -83,7 +83,9 @@ spec: - name: "{{ .Chart.Name }}-{{ $component }}" image: {{ .Values.anchoreEnterpriseGlobal.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }} - args: ["anchore-enterprise-manager", "service", "start", "--no-auto-upgrade", "reports_worker"] + command: ["/bin/sh", "-c"] + args: + - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade reports_worker ports: - containerPort: {{ .Values.anchoreEnterpriseReports.service.workerPort }} name: reports @@ -132,6 +134,9 @@ spec: mountPath: /home/anchore/certs/ readOnly: true {{- end }} + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} livenessProbe: httpGet: path: /health @@ -182,6 +187,9 @@ spec: secret: secretName: {{ . }} {{- end }} + {{- with .Values.anchoreGlobal.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.anchoreEnterpriseReports.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml index 3e802e04..e21b190d 100644 --- a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml @@ -86,6 +86,9 @@ spec: - name: "{{ .Chart.Name }}-{{ $component }}" image: {{ .Values.anchoreEnterpriseUi.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseUi.imagePullPolicy }} + command: ["/bin/sh", "-c"] + args: + - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh node /home/node/aui/build/server.js env: {{- if and (not (index .Values "anchoreEnterpriseUi" "existingSecret")) (not (index .Values "ui-redis" "externalEndpoint")) }} - name: ANCHORE_REDIS_URI 
@@ -133,6 +136,9 @@ spec: mountPath: /home/anchore/certs/ readOnly: true {{- end }} + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} livenessProbe: tcpSocket: port: enterprise-ui @@ -168,6 +174,9 @@ spec: secret: secretName: {{ .Values.cloudsql.serviceAccSecretName }} {{- end }} + {{- with .Values.anchoreGlobal.extraVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} {{- with .Values.anchoreEnterpriseUi.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml index 6907a83e..49abb068 100644 --- a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml 
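Review bot: The `extraVolumes` block added in the `enterprise_ui_deployment.yaml` hunk at `@@ -168` uses `nindent 6`, while every other deployment in this commit renders the same list with `nindent 8` (the `nindent 6` form otherwise appears only in the upgrade Job templates); unless the UI deployment's `volumes:` key sits two columns further left than in the other deployments, the extra volumes will render at the wrong level and `helm template` will either fail or attach them to the wrong key. The surrounding `volumes:` line is outside the hunk, so this needs checking against the full file; if it matches the other deployments, the fix is `{{- toYaml . | nindent 8 }}`.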
@@ -60,13 +60,13 @@ spec: args: {{- if not .Values.anchoreGlobal.dbConfig.ssl }} - | - anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}" upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}" upgrade --dontask; {{- else if eq .Values.anchoreGlobal.dbConfig.sslMode "require" }} - | - anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; {{- else }} - | - anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; {{- end }} {{- if .Values.cloudsql.enabled }} sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; 
@@ -93,15 +93,18 @@ spec: {{- with .Values.anchoreGlobal.extraEnv }} {{- toYaml . | nindent 8 }} {{- end }} - {{- if (.Values.anchoreGlobal.certStoreSecretName) }} volumeMounts: + {{- if (.Values.anchoreGlobal.certStoreSecretName) }} - name: certs mountPath: /home/anchore/certs/ readOnly: true {{- end }} + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} resources: {{ toYaml .Values.anchoreEnterpriseEngineUpgradeJob.resources | nindent 10 }} - {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }} + {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc .Values.anchoreGlobal.extraVolumeMounts }} volumes: {{- with .Values.anchoreGlobal.certStoreSecretName }} - name: certs @@ -113,6 +116,9 @@ spec: secret: secretName: {{ .Values.cloudsql.serviceAccSecretName }} {{- end }} + {{- with .Values.anchoreGlobal.extraVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} {{- end }} {{- with .Values.anchoreEnterpriseEngineUpgradeJob.nodeSelector }} nodeSelector: diff --git a/stable/anchore-engine/templates/policy_engine_deployment.yaml b/stable/anchore-engine/templates/policy_engine_deployment.yaml index 8ae49716..eed5c6d2 100644 --- a/stable/anchore-engine/templates/policy_engine_deployment.yaml +++ b/stable/anchore-engine/templates/policy_engine_deployment.yaml 
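Review bot: The `volumes:` guard in the `enterprise_upgrade_job.yaml` hunk at `@@ -93` tests `.Values.anchoreGlobal.extraVolumeMounts`, whereas the two sibling jobs in `engine_upgrade_job.yaml` and `enterprise_feeds_upgrade_job.yaml` test `.Values.anchoreGlobal.extraVolumes`, which is the value the guarded block actually renders. With only `extraVolumes` set, the volumes are silently dropped and the Job is rejected at validation as soon as a `volumeMounts` entry references one of them; with only `extraVolumeMounts` set and no cert store or Cloud SQL secret, an empty `volumes:` key is emitted. The line should read `{{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc .Values.anchoreGlobal.extraVolumes }}`.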
@@ -108,10 +108,13 @@ spec: image: {{ .Values.anchoreGlobal.image }} imagePullPolicy: {{ .Values.anchoreGlobal.imagePullPolicy }} {{- end }} + command: ["/bin/sh", "-c"] {{- if .Values.anchoreEnterpriseGlobal.enabled }} - args: ["anchore-enterprise-manager", "service", "start", "--no-auto-upgrade", "policy_engine"] + args: + - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade policy_engine {{- else }} - args: ["anchore-manager", "service", "start", "--no-auto-upgrade", "policy_engine"] + args: + - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-manager service start --no-auto-upgrade policy_engine {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} @@ -165,6 +168,9 @@ spec: mountPath: /home/anchore/certs/ readOnly: true {{- end }} + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} livenessProbe: httpGet: path: /health @@ -223,6 +229,9 @@ spec: secret: secretName: {{ .Values.cloudsql.serviceAccSecretName }} {{- end }} + {{- with .Values.anchoreGlobal.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.anchorePolicyEngine.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/simplequeue_deployment.yaml b/stable/anchore-engine/templates/simplequeue_deployment.yaml index db10ea20..c684c595 100644 --- a/stable/anchore-engine/templates/simplequeue_deployment.yaml +++ b/stable/anchore-engine/templates/simplequeue_deployment.yaml 
@@ -94,10 +94,13 @@ spec: image: {{ .Values.anchoreGlobal.image }} imagePullPolicy: {{ .Values.anchoreGlobal.imagePullPolicy }} {{- end }} + command: ["/bin/sh", "-c"] {{- if .Values.anchoreEnterpriseGlobal.enabled }} - args: ["anchore-enterprise-manager", "service", "start", "--no-auto-upgrade", "simplequeue"] + args: + - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade simplequeue {{- else }} - args: ["anchore-manager", "service", "start", "--no-auto-upgrade", "simplequeue"] + args: + - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-manager service start --no-auto-upgrade simplequeue {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} @@ -149,6 +152,9 @@ spec: mountPath: /home/anchore/certs/ readOnly: true {{- end }} + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} livenessProbe: httpGet: path: /health @@ -201,6 +207,9 @@ spec: secret: secretName: {{ .Values.cloudsql.serviceAccSecretName }} {{- end }} + {{- with .Values.anchoreGlobal.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.anchoreSimpleQueue.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index aceba963..175cd3bd 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml 
@@ -136,6 +136,22 @@ anchoreGlobal: # ANCHORE_SAML_SECRET (if applicable) existingSecret: Null + # does `source {{ filePath }}` before starting services + doSourceAtEntry: + enabled: false + filePath: "/vault/secrets/config" + + extraVolumes: [] + # - name: config + # secret: + # secretName: config + + extraVolumeMounts: [] + # - name: config + # mountPath: "/vault/secrets/config" + # subPath: config + # readOnly: true + # The scratchVolume controls the mounting of an external volume for scratch space for image analysis. Generally speaking # you need to provision 3x the size of the largest image (uncompressed) that you want to analyze for this space. scratchVolume: From 844e520482d0e6332ef4f9953c96dba5b2b44a07 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Tue, 8 Nov 2022 10:04:15 -0800 Subject: [PATCH 029/329] Update to Enterprise 4.2.0 (#223) * adding ssoRequireExistingUsers config (#51) * remove embedded kai configuration options * remove service account creation used for embedded kai * remove check for global service account in catalog template * dont use a serviceAccountName if one isnt specified in values file * remove option for catalog to create a service account * if serviceAccountName isnt specified, manually remove service account from catalog deployment * bump chart version * update README * bump image versions 
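Review bot: The comment on `doSourceAtEntry` says the file is sourced but not that its contents execute as shell inside every service container, so whoever can write to what backs `filePath` (the commented example is a Secret mounted through `extraVolumeMounts`) can run code in those pods. Suggest extending the comment: `# When enabled, the file at filePath is executed via the shell's source builtin before the service starts; it must come from a trusted, read-only mount.` The `readOnly: true` in the example mount is the shape worth recommending explicitly.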
Signed-off-by: Brady Todhunter Co-authored-by: Hung Nguyen <97040806+hunguyen1@users.noreply.github.com> --- .gitignore | 3 +- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/README.md | 7 ++ stable/anchore-engine/templates/_helpers.tpl | 2 - .../templates/catalog_deployment.yaml | 11 ++- .../templates/catalog_rbac.yaml | 68 ------------------- .../templates/engine_configmap.yaml | 11 ++- .../templates/enterprise_configmap.yaml | 4 ++ .../templates/enterprise_feeds_configmap.yaml | 4 ++ .../templates/enterprise_ui_configmap.yaml | 1 + stable/anchore-engine/values.yaml | 43 +++++------- 11 files changed, 48 insertions(+), 108 deletions(-) delete mode 100644 stable/anchore-engine/templates/catalog_rbac.yaml diff --git a/.gitignore b/.gitignore index 20b01795..dcaaf205 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ examples/ *.tgz charts/ -.idea/ \ No newline at end of file +.idea/ +*.code-workspace \ No newline at end of file diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 81d9d109..4c6d48da 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.19.8 +version: 1.20.0 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 6a3d8fc1..d2de69b7 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md 
@@ -247,6 +247,13 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. +## Chart version 1.20.0 + +* Anchore Enterprise image update to v4.2.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/420/). +* Removed embedded k8s runtime inventory configurations. + * Deletes service account, role, & rolebindigs created by `.Values.anchoreCatalog.createServiceAccount`. + * To enable cluster runtime inventory use the [Kai Helm Chart](https://github.com/anchore/anchore-charts/tree/main/stable/kai). + ## Chart version 1.19.0 * Redis chart updated from version 10 to 16.11.3 updated to the latest version as bitnami has started removing older version of their charts. diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index d50e11d6..df8d4719 100755 --- a/stable/anchore-engine/templates/_helpers.tpl +++ b/stable/anchore-engine/templates/_helpers.tpl @@ -78,8 +78,6 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- print .Values.anchoreCatalog.serviceAccountName | trunc 63 | trimSuffix "-" -}} {{- else if .Values.anchoreGlobal.serviceAccountName -}} {{- print .Values.anchoreGlobal.serviceAccountName | trunc 63 | trimSuffix "-" -}} -{{- else -}} - {{- include "anchore-engine.catalog.fullname" . -}} {{- end -}} {{- end -}} diff --git a/stable/anchore-engine/templates/catalog_deployment.yaml b/stable/anchore-engine/templates/catalog_deployment.yaml index e68a8a2a..f957ca7d 100644 
--- a/stable/anchore-engine/templates/catalog_deployment.yaml +++ b/stable/anchore-engine/templates/catalog_deployment.yaml @@ -86,7 +86,7 @@ spec: - sh - -c - (chmod 0775 {{ .Values.anchoreGlobal.scratchVolume.mountPath }}; chgrp {{ .Values.anchoreGlobal.securityContext.fsGroup }} {{ .Values.anchoreGlobal.scratchVolume.mountPath }} ) - {{- end }} + {{- end }} containers: {{- if .Values.cloudsql.enabled }} - name: cloudsql-proxy @@ -259,8 +259,13 @@ spec: tolerations: {{ toYaml . | nindent 8 }} {{- end }} - {{- if or (or .Values.anchoreGlobal.serviceAccountName .Values.anchoreEnterpriseRbac.serviceAccountName) (and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreCatalog.createServiceAccount .Values.anchoreCatalog.runtimeInventory.reportAnchoreCluster.enabled) }} - serviceAccountName: {{ template "anchore-engine.catalog.serviceAccountName" . }} + {{- if or .Values.anchoreCatalog.serviceAccountName .Values.anchoreGlobal.serviceAccountName }} + serviceAccountName: {{ include "anchore-engine.catalog.serviceAccountName" . }} + {{- else if .Release.IsUpgrade }} + # Including serviceAccount to remove existing service accounts from all deployments + # see - https://github.com/kubernetes/kubernetes/issues/76367 + serviceAccount: "" + serviceAccountName: "" {{- end }} --- diff --git a/stable/anchore-engine/templates/catalog_rbac.yaml b/stable/anchore-engine/templates/catalog_rbac.yaml deleted file mode 100644 index 08a23e5a..00000000 --- a/stable/anchore-engine/templates/catalog_rbac.yaml +++ /dev/null 
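Review bot: The `else if .Release.IsUpgrade` branch renders `serviceAccountName: ""`, which makes Kubernetes fall back to the namespace's default service account, and a fresh install omits the field, which resolves the same way; since this commit also deletes the ClusterRole that gave the catalog pod/namespace read access, the pod keeps an automounted API token for a service account it no longer needs. If nothing in the catalog container talks to the API, consider `automountServiceAccountToken: false` on the pod spec when neither service account value is set. The adjacent `serviceAccount` field is deprecated and the branch makes `helm template` output differ from what an upgrade applies, so a comment stating that the empty values are intentional and upgrade-only (beyond the issue link) would help future readers.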
@@ -1,68 +0,0 @@ -# if the user is setting a global service account name and not overriding it -# for this component, then there is no need to create this service account. -{{- if or (not .Values.anchoreGlobal.serviceAccountName) .Values.anchoreCatalog.serviceAccountName }} -{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreCatalog.createServiceAccount .Values.anchoreCatalog.runtimeInventory.reportAnchoreCluster.enabled }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "anchore-engine.catalog.serviceAccountName" . }} - labels: - {{- with .Values.anchoreCatalog.labels }} - {{ toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.anchoreGlobal.labels }} - {{ toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.anchoreCatalog.annotations }} - annotations: - {{ toYaml . | nindent 4 }} - {{- end }} - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "anchore-engine.catalog.fullname" . }} - labels: - {{- with .Values.anchoreCatalog.labels }} - {{ toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.anchoreGlobal.labels }} - {{ toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.anchoreCatalog.annotations }} - annotations: - {{ toYaml . | nindent 4 }} - {{- end }} -rules: -- apiGroups: [""] - resources: ["pods","namespaces"] - verbs: ["get", "watch", "list"] - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "anchore-engine.catalog.fullname" . }} - labels: - {{- with .Values.anchoreCatalog.labels }} - {{ toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.anchoreGlobal.labels }} - {{ toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.anchoreCatalog.annotations }} - annotations: - {{ toYaml . | nindent 4 }} - {{- end }} -subjects: - - kind: ServiceAccount - name: {{ template "anchore-engine.catalog.serviceAccountName" . 
}} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: {{ template "anchore-engine.catalog.fullname" . }} - apiGroup: rbac.authorization.k8s.io -{{- end }} -{{- end }} diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index 37d034e4..1085e7bc 100644 --- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml @@ -92,6 +92,10 @@ data: # WARNING: you should not change this after a system has been initialized as it may cause a mismatch in existing passwords hashed_passwords: {{ .Values.anchoreGlobal.hashedPasswords }} + # Set this to True in order to disable the SSO JIT provisioning during authentication. This provides an additional + # layer of security and configuration for SSO users to gain access to Anchore. This is disabled by default. + sso_require_existing_users: {{ .Values.anchoreGlobal.ssoRequireExistingUsers }} + credentials: database: {{- if not .Values.anchoreGlobal.dbConfig.ssl }} @@ -192,7 +196,6 @@ data: service_watcher: {{ .Values.anchoreCatalog.cycleTimers.service_watcher }} # Interval between checks to repo for new tags repo_watcher: {{ .Values.anchoreCatalog.cycleTimers.repo_watcher }} - k8s_watcher: {{ .Values.anchoreCatalog.cycleTimers.k8s_watcher }} k8s_image_watcher: {{ .Values.anchoreCatalog.cycleTimers.k8s_image_watcher }} resource_metrics: {{ .Values.anchoreCatalog.cycleTimers.resource_metrics }} events_gc: {{ .Values.anchoreCatalog.cycleTimers.events_gc }} 
@@ -215,12 +218,6 @@ data: {{- end }} runtime_inventory: image_ttl_days: {{ .Values.anchoreCatalog.runtimeInventory.imageTTLDays }} - kubernetes: - report_anchore_cluster: - enabled: {{ .Values.anchoreCatalog.runtimeInventory.reportAnchoreCluster.enabled }} - anchore_cluster_name: {{ .Values.anchoreCatalog.runtimeInventory.reportAnchoreCluster.clusterName }} - namespaces: - {{- toYaml .Values.anchoreCatalog.runtimeInventory.reportAnchoreCluster.namespaces | nindent 16 }} simplequeue: enabled: true require_auth: true diff --git a/stable/anchore-engine/templates/enterprise_configmap.yaml b/stable/anchore-engine/templates/enterprise_configmap.yaml index e0062bd9..efb8bd52 100644 --- a/stable/anchore-engine/templates/enterprise_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_configmap.yaml @@ -62,6 +62,10 @@ data: # WARNING: you should not change this after a system has been initialized as it may cause a mismatch in existing passwords hashed_passwords: {{ .Values.anchoreGlobal.hashedPasswords }} + # Set this to True in order to disable the SSO JIT provisioning during authentication. This provides an additional + # layer of security and configuration for SSO users to gain access to Anchore. This is disabled by default. + sso_require_existing_users: {{ .Values.anchoreGlobal.ssoRequireExistingUsers }} + credentials: database: {{- if not .Values.anchoreGlobal.dbConfig.ssl }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index 02322cf4..e24de302 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml 
@@ -71,6 +71,10 @@ data: # WARNING: you should not change this after a system has been initialized as it may cause a mismatch in existing passwords hashed_passwords: {{ .Values.anchoreGlobal.hashedPasswords }} + # Set this to True in order to disable the SSO JIT provisioning during authentication. This provides an additional + # layer of security and configuration for SSO users to gain access to Anchore. This is disabled by default. + sso_require_existing_users: {{ .Values.anchoreGlobal.ssoRequireExistingUsers }} + credentials: database: {{- if not .Values.anchoreEnterpriseFeeds.dbConfig.ssl }} diff --git a/stable/anchore-engine/templates/enterprise_ui_configmap.yaml b/stable/anchore-engine/templates/enterprise_ui_configmap.yaml index 0b05186a..a2d3f377 100644 --- a/stable/anchore-engine/templates/enterprise_ui_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_ui_configmap.yaml @@ -73,4 +73,5 @@ data: standard: {{ .standard }} {{- end }} log_level: {{ .Values.anchoreEnterpriseUi.logLevel | squote }} + enrich_inventory_view: {{ .Values.anchoreEnterpriseUi.enrichInventoryView }} {{- end -}} diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 175cd3bd..691bf0f5 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml 
@@ -213,6 +213,10 @@ anchoreGlobal: oauthEnabled: false oauthTokenExpirationSeconds: 3600 + # Set this to true in order to disable the SSO JIT provisioning during authentication. This provides an additional + # layer of security and configuration for SSO users to gain access to Anchore. This is disabled by default. + ssoRequireExistingUsers: false + # Set this to True to enable storing user passwords only as secure hashes in the db. This can dramatically increase CPU usage if you # don't also use oauth and tokens for internal communications (which requires keys/secret to be configured as well) # WARNING: you should not change this after a system has been initialized as it may cause a mismatch in existing passwords @@ -466,8 +470,6 @@ anchoreCatalog: repo_watcher: 60 # Interval for when the catalog garbage collects images marked for deletion image_gc: 60 - # Interval for the runtime inventory image execution poll - k8s_watcher: 300 k8s_image_watcher: 150 resource_metrics: 60 events_gc: 43200 # 12 hours @@ -582,13 +584,6 @@ anchoreCatalog: # **NOTE: all runtime inventory configurations only apply to Anchore Enterprise deployments - # If enabled, the Anchore Helm Chart will create a Service Account with read-only permission to the cluster (pods & namespaces) - # This is largely to support the Out-Of-The-Box Runtime Inventory feature currently. See catalog_deployment.yaml for - # detailed information on the Service Account, Cluster Role & Binding. - # If using an existing service account, set this value to `false` & use anchoreGlobal.serviceAccountName to specify - # what service account to use. Existing service account must have adequate permissions to use this feature. - createServiceAccount: true - runtimeInventory: # This setting tells Anchore how long an image can be missing from an inventory report before it is removed from # The working set. Note: The image will still have a historical record in the reports service, subject to data history 
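Review bot: The comment on `ssoRequireExistingUsers` explains what `true` does but not the consequence of the default: with `false`, any identity the IdP asserts gets an account on first login, so access control for Anchore lives entirely with the IdP. Suggest adding `# With the default, accounts are created on first SSO login; set to true when Anchore-side user management should gate access.` so operators who manage users in Anchore know to flip it.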
@@ -596,21 +591,6 @@ anchoreCatalog: # Note: if a runtime inventory image's digest is also in anchore for regular image analysis, it won't be removed. imageTTLDays: 1 - # Since Anchore is running in Kubernetes, we can collect runtime inventory data out of the box - reportAnchoreCluster: - # If set to true, Anchore will use its own service account's permissions - # (if anchoreCatalog.createServiceAccount is true, see `catalog_deployment.yaml`) to try and collect runtime - # inventory data for all namespaces. - # - # Note: this feature requires a value for clusterName to populate inventory image context - # Note: If anchoreCatalog.createServiceAccount is set to false, and anchoreGlobal.serviceAccountName is unspecified, - # then the Anchore Catalog service won't have enough permission to be able to read cluster information - # (pods & namespaces) for the embedded runtime inventory. - enabled: true - clusterName: anchore-k8s - namespaces: - - all - # kubernetes service configuration for anchore catalog api service: # Override the service name @@ -745,7 +725,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.1.1 + image: docker.io/anchore/enterprise:v4.2.0 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. @@ -1086,7 +1066,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v4.1.1 + image: docker.io/anchore/enterprise-ui:v4.2.0 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers. 
@@ -1254,6 +1234,17 @@ anchoreEnterpriseUi: labels: {} sessionAffinity: ClientIP + # The (optional) `enrich_inventory_view` key allows you to set whether the + # Kubernetes tab should aggregate and include compliance and vulnerability data + # from the reports service. + # + # Setting this key to be `False` can increase performance on high-scale systems. + # + # This value can be overridden by using the `ANCHORE_ENRICH_INVENTORY_VIEW` + # environment variable. When no flag is set, either within this configuration + # file or by the environment variable, a default setting of `True` is used. + enrichInventoryView: true + # resources: # limits: # cpu: 1 From 89e02ea913387243a7920f6738d323f3bda6a7f6 Mon Sep 17 00:00:00 2001 From: Zach Hill Date: Wed, 7 Dec 2022 14:57:56 -0800 Subject: [PATCH 030/329] chore: update k8s test matrix for chart updates Signed-off-by: Zach Hill --- .github/workflows/test.yaml | 4 ++-- README.md | 12 +++++++++++- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 9447e4d9..24514549 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -8,7 +8,7 @@ jobs: strategy: fail-fast: false matrix: - kubernetesVersion: ["v1.14.10", "v1.22.0"] + kubernetesVersion: ["v1.19.16", "v1.22.0", "v1.25.0"] runs-on: ubuntu-latest steps: - name: Checkout @@ -50,4 +50,4 @@ jobs: - name: Run chart-testing (install) run: ct install --config 'ct-config.yaml' - if: steps.list-changed.outputs.changed == 'true' \ No newline at end of file + if: steps.list-changed.outputs.changed == 'true' diff --git a/README.md b/README.md index 3e04d2e6..e87401eb 100644 --- a/README.md +++ b/README.md 
@@ -23,4 +23,14 @@ For example, for anchore-engine: ``` helm dep up ``` -is needed. \ No newline at end of file +is needed. + +## Tests + +All charts are tested against a range of Kubernetes versions. This version range roughly tracks the supported versions +available from the major cloud vendors and is close, but not exactly the same as, the Kubernetes support N-3 approach. + +We aim to have at least the .0 patches for the releases for predictability and stability of the tests so that they do not have to +change with each patch update. However, specific patches may be chosen for compatibility with the test harness (kindest/node) and if there +is a specific bug fixed in a K8s release that has material impact on the results of a chart test. + From fc13142b4d5748eb7e385c345f5c63aed3d79fb1 Mon Sep 17 00:00:00 2001 From: Zach Hill Date: Thu, 8 Dec 2022 08:34:55 -0800 Subject: [PATCH 031/329] chore: update kind-action version to 1.4.0 (latest) Signed-off-by: Zach Hill --- .github/workflows/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 24514549..3b68f473 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -37,7 +37,7 @@ jobs: if: steps.list-changed.outputs.changed == 'true' - name: Install kind - uses: helm/kind-action@v1.2.0 + uses: helm/kind-action@v1.4.0 with: node_image: "kindest/node:${{ matrix.kubernetesVersion }}" config: kind-config.yaml From 1459f4d0e7d8589a23846525783c35b196aeb2ed Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 13 Dec 2022 17:19:00 -0500 Subject: [PATCH 032/329] undo logic change Signed-off-by: Hung Nguyen --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/templates/enterprise_feeds_configmap.yaml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 4c6d48da..edc76790 100644 --- a/stable/anchore-engine/Chart.yaml 
+++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.20.0 +version: 1.20.1 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index e24de302..9624af14 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml @@ -167,6 +167,8 @@ data: external_feeds_url: {{ $grypeProviderFeedsExternalURL }} anchore_match_exclusions: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.anchoreMatchExclusionsEnabled | quote) }} + wolfi: + enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.wolfiDriverEnabled | quote) }} {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}" From 6dbe1ccbbca717519f7b44174410458048da4735 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 13 Dec 2022 14:56:24 -0500 Subject: [PATCH 033/329] bumping chart version, update anchore image to 4.3.0, add wolfi feed driver option Signed-off-by: Hung Nguyen --- stable/anchore-engine/README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index d2de69b7..33704b5f 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md 
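Review bot: `wolfiDriverEnabled` is read in the new `wolfi` block but this patch adds no matching entry to values.yaml (only Chart.yaml changes alongside the configmap), so the option is undocumented and is enabled purely through the `default`; unless it is defined elsewhere, add `wolfiDriverEnabled: true` with a comment next to the other feed driver toggles under `anchoreEnterpriseFeeds`. As with the `anchore_match_exclusions` line above, `quote` runs before `default`, so an explicit `false` renders as the string `"false"`; that is consistent with the existing line but worth a comment since the consumer must accept quoted booleans.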
@@ -247,6 +247,11 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. +## Chart version 1.20.1 + +* Anchore Enterprise image update to v4.3.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/430/). +* Add configuration options for wolfi feed driver. + ## Chart version 1.20.0 * Anchore Enterprise image update to v4.2.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/420/). From 6280651a24d73ea08a64096e70bac1093d642601 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 13 Dec 2022 17:23:01 -0500 Subject: [PATCH 034/329] bumping Anchore Enterprise image version to 4.3.0 Signed-off-by: Hung Nguyen --- stable/anchore-engine/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 691bf0f5..35d9328c 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -725,7 +725,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.2.0 + image: docker.io/anchore/enterprise:v4.3.0 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. 
@@ -1066,7 +1066,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v4.2.0 + image: docker.io/anchore/enterprise-ui:v4.3.0 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers. From 6687f3c640bc158ed7d291e546cfae26973e8ce3 Mon Sep 17 00:00:00 2001 From: Zach Hill Date: Mon, 16 Aug 2021 21:52:37 -0700 Subject: [PATCH 035/329] Update to v0.4.0 of controller Signed-off-by: Zach Hill --- stable/anchore-admission-controller/Chart.yaml | 5 +++-- .../anchore-admission-controller/templates/deployment.yaml | 4 ++-- .../templates/init-ca/init-ca-script.yaml | 2 +- stable/anchore-admission-controller/templates/webhook.yaml | 6 +++++- stable/anchore-admission-controller/values.yaml | 4 ++-- 5 files changed, 13 insertions(+), 8 deletions(-) diff --git a/stable/anchore-admission-controller/Chart.yaml b/stable/anchore-admission-controller/Chart.yaml index e34e37a7..b7863276 100644 --- a/stable/anchore-admission-controller/Chart.yaml +++ b/stable/anchore-admission-controller/Chart.yaml @@ -1,8 +1,8 @@ name: anchore-admission-controller description: A kubernetes admission controller for validating and mutating webhooks that operates against Anchore Engine to make access decisions and annotations apiVersion: v1 -appVersion: 0.3.0 -version: 0.3.0 +appVersion: 0.4.0 +version: 0.4.0 home: https://github.com/anchore/kubernetes-admission-controller maintainers: - name: zhill @@ -10,3 +10,4 @@ maintainers: - name: btodhunter email: bradyt@anchore.com icon: https://anchore.com/wp-content/uploads/2016/08/anchore.png +kubeVersion: ^1.19.0 diff --git a/stable/anchore-admission-controller/templates/deployment.yaml b/stable/anchore-admission-controller/templates/deployment.yaml index 4eb67227..e709e9c1 100644 
--- a/stable/anchore-admission-controller/templates/deployment.yaml +++ b/stable/anchore-admission-controller/templates/deployment.yaml @@ -30,11 +30,11 @@ spec: image: "{{ .Values.image }}" imagePullPolicy: {{ .Values.imagePullPolicy }} command: - - "/anchore-kubernetes-admission-controller" + - "/ko-app/kubernetes-admission-controller" - "--audit-log-path=-" - "--tls-cert-file=/var/serving-cert/tls.crt" - "--tls-private-key-file=/var/serving-cert/tls.key" - - "--v={{ .Values.logVerbosity }}" + - "-v{{ .Values.logVerbosity }}" - "--secure-port={{ .Values.service.internalPort }}" ports: - containerPort: {{ .Values.service.internalPort }} diff --git a/stable/anchore-admission-controller/templates/init-ca/init-ca-script.yaml b/stable/anchore-admission-controller/templates/init-ca/init-ca-script.yaml index fd59edbb..6ffc98e6 100644 --- a/stable/anchore-admission-controller/templates/init-ca/init-ca-script.yaml +++ b/stable/anchore-admission-controller/templates/init-ca/init-ca-script.yaml @@ -88,7 +88,7 @@ data: sed "s/TLS_SERVING_KEY/$(base64 ${CERT_DIR}/serving-{{ template "anchore-admission-controller.fullname" . }}.{{ .Release.Namespace }}.svc.key | tr -d '\n')/g" | kubectl -n {{ .Release.Namespace }} apply -f - cat > api-service.yaml < Date: Fri, 16 Dec 2022 11:08:46 -0700 Subject: [PATCH 036/329] Adding annotations to admission controller Signed-off-by: Ben Lang --- stable/anchore-admission-controller/Chart.yaml | 2 +- .../templates/deployment.yaml | 8 ++++++++ stable/anchore-admission-controller/values.yaml | 6 +++++- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/stable/anchore-admission-controller/Chart.yaml b/stable/anchore-admission-controller/Chart.yaml index b7863276..270e0abb 100644 --- a/stable/anchore-admission-controller/Chart.yaml +++ b/stable/anchore-admission-controller/Chart.yaml 
@@ -2,7 +2,7 @@ name: anchore-admission-controller
 description: A kubernetes admission controller for validating and mutating webhooks that operates against Anchore Engine to make access decisions and annotations
 apiVersion: v1
 appVersion: 0.4.0
-version: 0.4.0
+version: 0.5.0
 home: https://github.com/anchore/kubernetes-admission-controller
 maintainers:
 - name: zhill
diff --git a/stable/anchore-admission-controller/templates/deployment.yaml b/stable/anchore-admission-controller/templates/deployment.yaml
index e709e9c1..7c062b15 100644
--- a/stable/anchore-admission-controller/templates/deployment.yaml
+++ b/stable/anchore-admission-controller/templates/deployment.yaml
@@ -3,6 +3,10 @@ kind: Deployment
 metadata:
 name: {{ template "anchore-admission-controller.fullname" . }}
 labels: {{- include "anchore-admission-controller.labels" . | nindent 4 }}
+ annotations:
+ {{- with .Values.annotations }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 replicas: {{ .Values.replicaCount }}
 selector:
@@ -12,6 +16,10 @@ spec:
 template:
 metadata:
 labels: {{- include "anchore-admission-controller.labels" . | nindent 8 }}
+ annotations:
+ {{- with .Values.annotations }}
+ {{ toYaml . | nindent 8 }}
+ {{- end }}
 spec:
 serviceAccountName: {{ template "anchore-admission-controller.fullname" . }}
 volumes:
diff --git a/stable/anchore-admission-controller/values.yaml b/stable/anchore-admission-controller/values.yaml
index 6056fc6f..850e243a 100644
--- a/stable/anchore-admission-controller/values.yaml
+++ b/stable/anchore-admission-controller/values.yaml
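Review bot: `annotations:` is emitted unconditionally in both the Deployment metadata hunk and the pod template hunk, with the `with` block nested underneath it, so with the default `annotations: {}` the rendered manifest carries a bare `annotations:` key with a null value. Move the key inside the block: `{{- with .Values.annotations }}` / `annotations:` / `{{- toYaml . | nindent 4 }}` / `{{- end }}`, with `nindent 8` in the template section. Feeding one values map to both the Deployment object and its pods also puts pod-only annotations (the vault examples in values.yaml) on the Deployment, which is harmless but may be worth splitting into `annotations` and `podAnnotations`.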
@@ -62,6 +62,10 @@ policySelectors: # strict gating or analysis gating are true requestAnalysis: true +annotations: {} + # vault.security.banzaicloud.io/vault-addr: "https://vault:8200" + # vault.security.banzaicloud.io/vault-tls-secret: "vault-tls" + resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little @@ -102,4 +106,4 @@ initCa: # Define custom environment variables to pass to init-ca pod extraEnv: [] # - name: FOO - # value: "bar" + # value: "bar" \ No newline at end of file From f3757de5edd186d221d0eee533cda68b377792a5 Mon Sep 17 00:00:00 2001 From: Ben Lang Date: Fri, 16 Dec 2022 11:14:17 -0700 Subject: [PATCH 037/329] Added newline to end of values.yaml Signed-off-by: Ben Lang --- stable/anchore-admission-controller/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/stable/anchore-admission-controller/values.yaml b/stable/anchore-admission-controller/values.yaml index 850e243a..6acdd7f0 100644 --- a/stable/anchore-admission-controller/values.yaml +++ b/stable/anchore-admission-controller/values.yaml @@ -106,4 +106,5 @@ initCa: # Define custom environment variables to pass to init-ca pod extraEnv: [] # - name: FOO - # value: "bar" \ No newline at end of file + # value: "bar" + \ No newline at end of file From 975bdf44e174e2cba3b43c765a387f5586a1f7cd Mon Sep 17 00:00:00 2001 From: Ben Lang Date: Fri, 16 Dec 2022 11:17:00 -0700 Subject: [PATCH 038/329] Fix linting in values.yaml Signed-off-by: Ben Lang --- stable/anchore-admission-controller/values.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/stable/anchore-admission-controller/values.yaml b/stable/anchore-admission-controller/values.yaml index 6acdd7f0..2d619978 100644 --- a/stable/anchore-admission-controller/values.yaml +++ b/stable/anchore-admission-controller/values.yaml 
@@ -107,4 +107,3 @@ initCa: extraEnv: [] # - name: FOO # value: "bar" - \ No newline at end of file From 2936252a73870e72924db8a79339f9eccc96937c Mon Sep 17 00:00:00 2001 From: Ben Lang Date: Fri, 16 Dec 2022 11:35:05 -0700 Subject: [PATCH 039/329] Fixed semver in Chart.yaml Signed-off-by: Ben Lang --- stable/anchore-admission-controller/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-admission-controller/Chart.yaml b/stable/anchore-admission-controller/Chart.yaml index 270e0abb..a662f8a0 100644 --- a/stable/anchore-admission-controller/Chart.yaml +++ b/stable/anchore-admission-controller/Chart.yaml @@ -2,7 +2,7 @@ name: anchore-admission-controller description: A kubernetes admission controller for validating and mutating webhooks that operates against Anchore Engine to make access decisions and annotations apiVersion: v1 appVersion: 0.4.0 -version: 0.5.0 +version: 0.4.1 home: https://github.com/anchore/kubernetes-admission-controller maintainers: - name: zhill From cf208606994eefa7350da0f35b73a5af731aa193 Mon Sep 17 00:00:00 2001 From: saisatishkarra Date: Wed, 10 Aug 2022 17:46:27 +0530 Subject: [PATCH 040/329] feat(helm): Support helm full name overrides Signed-off-by: saisatishkarra --- stable/anchore-admission-controller/templates/_helpers.tpl | 2 +- stable/anchore-admission-controller/values.yaml | 2 +- stable/anchore-engine/templates/_helpers.tpl | 2 +- stable/anchore-engine/values.yaml | 1 + 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/stable/anchore-admission-controller/templates/_helpers.tpl b/stable/anchore-admission-controller/templates/_helpers.tpl index 09924947..b4c179eb 100644 --- a/stable/anchore-admission-controller/templates/_helpers.tpl +++ b/stable/anchore-admission-controller/templates/_helpers.tpl 
@@ -12,7 +12,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this */}} {{- define "anchore-admission-controller.fullname" -}} {{- $name := default .Chart.Name .Values.nameOverride -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- default (printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-") .Values.fullnameOverride -}} {{- end -}} {{/* diff --git a/stable/anchore-admission-controller/values.yaml b/stable/anchore-admission-controller/values.yaml index 2d619978..ccf0b3ac 100644 --- a/stable/anchore-admission-controller/values.yaml +++ b/stable/anchore-admission-controller/values.yaml @@ -1,7 +1,7 @@ # Default values for anchore-admission-controller. # This is a YAML-formatted file. # Declare variables to be passed into your templates. - +fullnameOverride: Null replicaCount: 1 logVerbosity: 3 diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index df8d4719..47fb8d24 100755 --- a/stable/anchore-engine/templates/_helpers.tpl +++ b/stable/anchore-engine/templates/_helpers.tpl @@ -12,7 +12,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this */}} {{- define "anchore-engine.fullname" -}} {{- $name := default .Chart.Name .Values.nameOverride -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- default (printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-") .Values.fullnameOverride -}} {{- end -}} {{/* diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 35d9328c..ab083ec4 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -1,5 +1,6 @@ # Default values for anchore_engine chart. +fullnameOverride: Null # Anchore engine has a dependency on Postgresql, configure here postgresql: # To use an external DB or Google CloudSQL in GKE, uncomment & set 'enabled: false' 
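Review bot: The new `default (...) .Values.fullnameOverride` in `anchore-admission-controller.fullname` returns the override verbatim, so it skips the `trunc 63 | trimSuffix "-"` that only the generated name goes through; an override longer than 63 characters or ending in `-` renders names the API server rejects at apply time, which the comment two lines above ("We truncate at 63 chars because some Kubernetes name fields are limited to this") promises will not happen. Apply the truncation to the whole pipeline instead: `{{- default (printf "%s-%s" .Release.Name $name) .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}`. The identical change in `stable/anchore-engine/templates/_helpers.tpl` (`anchore-engine.fullname`, same physical line) has the same gap.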
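Review bot: `fullnameOverride: Null` relies on the loader resolving the capitalised `Null` to a null scalar; the YAML 1.1 and 1.2 core schemas both do, but it reads like a string, yamllint flags the non-canonical spelling, and a reader could reasonably assume a literal "Null" name is being set. Write the canonical form, `fullnameOverride: null`, or `fullnameOverride: ""` — Helm's `default` treats both as unset — with a short comment such as `# Optional: replaces the generated "<release>-<chart>" name entirely`. The same line is added to `stable/anchore-engine/values.yaml` in this commit and should match; the admission-controller hunk also drops the blank line that separated the header comment from the first key, which is worth keeping for readability.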
From a02cc8718fe959dd5275664ce929a0cc23d57ac5 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 21 Dec 2022 17:01:16 -0800 Subject: [PATCH 041/329] rebase & version bump Signed-off-by: Brady Todhunter --- stable/anchore-admission-controller/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-admission-controller/Chart.yaml b/stable/anchore-admission-controller/Chart.yaml index a662f8a0..57179f8d 100644 --- a/stable/anchore-admission-controller/Chart.yaml +++ b/stable/anchore-admission-controller/Chart.yaml @@ -2,7 +2,7 @@ name: anchore-admission-controller description: A kubernetes admission controller for validating and mutating webhooks that operates against Anchore Engine to make access decisions and annotations apiVersion: v1 appVersion: 0.4.0 -version: 0.4.1 +version: 0.4.2 home: https://github.com/anchore/kubernetes-admission-controller maintainers: - name: zhill From e5d36f72faa506c1b305041862091c39f9ca00e8 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 21 Dec 2022 17:03:21 -0800 Subject: [PATCH 042/329] bump anchore-engine chart version Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index edc76790..9d774b9f 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.20.1 +version: 1.20.2 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: From cc3d2772b756eb842033deaed5e3368d3fcb567f Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 21 Dec 2022 16:40:03 -0800 Subject: [PATCH 043/329] fix upgrade jobs when cloudsql is enabled 
Signed-off-by: Brady Todhunter --- stable/anchore-engine/templates/engine_upgrade_job.yaml | 2 +- .../anchore-engine/templates/enterprise_feeds_upgrade_job.yaml | 2 +- stable/anchore-engine/templates/enterprise_upgrade_job.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/stable/anchore-engine/templates/engine_upgrade_job.yaml b/stable/anchore-engine/templates/engine_upgrade_job.yaml index 8d6220e7..f6a1960c 100644 --- a/stable/anchore-engine/templates/engine_upgrade_job.yaml +++ b/stable/anchore-engine/templates/engine_upgrade_job.yaml @@ -81,7 +81,7 @@ spec: {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; {{- end }} {{- if .Values.cloudsql.enabled }} - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; + - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; securityContext: capabilities: add: diff --git a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml index 499f3746..db0fb65e 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml 
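Review bot: The new list item `- sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid;` makes the proxy shutdown the last statement the upgrade job runs, so its exit status is whatever `pgrep`/`kill` returned: if the proxy is no longer running, `pgrep` returns 1 and, depending on how the `args` items are joined into the shell invocation (outside this hunk), the Job is marked failed even though `anchore-manager db ... upgrade` succeeded. Making the shutdown conditional keeps its status from masking the upgrade result: `- if sql_proxy_pid=$(pgrep cloud_sql_proxy); then kill -INT $sql_proxy_pid; fi`. `$sql_proxy_pid` is presumably left unquoted on purpose because `pgrep` may return several PIDs; a comment saying so would stop a later cleanup from quoting it. The same change is made in `enterprise_feeds_upgrade_job.yaml` and `enterprise_upgrade_job.yaml` on the next line.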
@@ -69,7 +69,7 @@ spec: {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }} upgrade --dontask; {{- end }} {{- if .Values.cloudsql.enabled }} - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; + - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; securityContext: capabilities: add: diff --git a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml index 49abb068..ffad02cc 100644 --- a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml @@ -69,7 +69,7 @@ spec: {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; {{- end }} {{- if .Values.cloudsql.enabled }} - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; + - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; securityContext: capabilities: add: From ae0a80b03022d7b134480f74ea20de438d3fe6ca Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 21 Dec 2022 16:40:15 -0800 Subject: [PATCH 044/329] allow passing a list of extra arguments to cloudsql container entrypoint 
Signed-off-by: Brady Todhunter --- stable/anchore-engine/templates/analyzer_deployment.yaml | 5 +++++ stable/anchore-engine/templates/api_deployment.yaml | 5 +++++ stable/anchore-engine/templates/catalog_deployment.yaml | 5 +++++ stable/anchore-engine/templates/engine_upgrade_job.yaml | 5 +++++ .../templates/enterprise_feeds_deployment.yaml | 5 +++++ .../templates/enterprise_feeds_upgrade_job.yaml | 5 +++++ .../templates/enterprise_notifications_deployment.yaml | 5 +++++ .../templates/enterprise_rbac_manager_deployment.yaml | 5 +++++ .../templates/enterprise_reports_deployment.yaml | 5 +++++ .../anchore-engine/templates/enterprise_ui_deployment.yaml | 5 +++++ stable/anchore-engine/templates/enterprise_upgrade_job.yaml | 5 +++++ .../anchore-engine/templates/policy_engine_deployment.yaml | 5 +++++ stable/anchore-engine/templates/simplequeue_deployment.yaml | 5 +++++ stable/anchore-engine/values.yaml | 5 +++++ 14 files changed, 70 insertions(+) diff --git a/stable/anchore-engine/templates/analyzer_deployment.yaml b/stable/anchore-engine/templates/analyzer_deployment.yaml index 997e3792..acc40eac 100644 --- a/stable/anchore-engine/templates/analyzer_deployment.yaml +++ b/stable/anchore-engine/templates/analyzer_deployment.yaml @@ -92,6 +92,11 @@ spec: imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} command: ["/cloud_sql_proxy"] args: + {{- if .Values.cloudsql.extraArgs }} + {{- range $arg := .Values.cloudsql.extraArgs }} + - {{ quote $arg }} + {{- end }} + {{- end }} - "-instances={{ .Values.cloudsql.instance }}=tcp:5432" {{- if .Values.cloudsql.useExistingServiceAcc }} - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}" diff --git a/stable/anchore-engine/templates/api_deployment.yaml b/stable/anchore-engine/templates/api_deployment.yaml index 197a9da5..cb89a95c 100644 --- a/stable/anchore-engine/templates/api_deployment.yaml +++ b/stable/anchore-engine/templates/api_deployment.yaml 
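Review bot: The `{{- if .Values.cloudsql.extraArgs }}` wrapper around the `range` is redundant — `range` over an empty or absent list renders nothing — and the same five-line block is now pasted into thirteen templates, which is how the duplicated cloud_sql_proxy `args` lists drift apart (the previous commit's `kill -INT` fix already had to touch three copies). Move the loop into a named template in `_helpers.tpl`, e.g. `{{- define "cloudsql.extraArgs" -}}` around the `range`/`quote` lines, and replace each pasted block with a single `{{- include "cloudsql.extraArgs" . | nindent <N> }}` at the list's indentation; the other twelve hunks in this commit (L101–L106) are the remaining deployment and job templates. In `values.yaml`, the `extraArgs` comment could also state that entries are passed to `/cloud_sql_proxy` unvalidated and ahead of the chart-generated `-instances=`/`-credential_file=` flags, so a conflicting flag is the operator's responsibility.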
@@ -80,6 +80,11 @@ spec: imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} command: ["/cloud_sql_proxy"] args: + {{- if .Values.cloudsql.extraArgs }} + {{- range $arg := .Values.cloudsql.extraArgs }} + - {{ quote $arg }} + {{- end }} + {{- end }} - "-instances={{ .Values.cloudsql.instance }}=tcp:5432" {{- if .Values.cloudsql.useExistingServiceAcc }} - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}" diff --git a/stable/anchore-engine/templates/catalog_deployment.yaml b/stable/anchore-engine/templates/catalog_deployment.yaml index f957ca7d..e057cbaf 100644 --- a/stable/anchore-engine/templates/catalog_deployment.yaml +++ b/stable/anchore-engine/templates/catalog_deployment.yaml @@ -94,6 +94,11 @@ spec: imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} command: ["/cloud_sql_proxy"] args: + {{- if .Values.cloudsql.extraArgs }} + {{- range $arg := .Values.cloudsql.extraArgs }} + - {{ quote $arg }} + {{- end }} + {{- end }} - "-instances={{ .Values.cloudsql.instance }}=tcp:5432" {{- if .Values.cloudsql.useExistingServiceAcc }} - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}" diff --git a/stable/anchore-engine/templates/engine_upgrade_job.yaml b/stable/anchore-engine/templates/engine_upgrade_job.yaml index f6a1960c..3e44812c 100644 --- a/stable/anchore-engine/templates/engine_upgrade_job.yaml +++ b/stable/anchore-engine/templates/engine_upgrade_job.yaml @@ -51,6 +51,11 @@ spec: imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} command: ["/cloud_sql_proxy"] args: + {{- if .Values.cloudsql.extraArgs }} + {{- range $arg := .Values.cloudsql.extraArgs }} + - {{ quote $arg }} + {{- end }} + {{- end }} - "-instances={{ .Values.cloudsql.instance }}=tcp:5432" {{- if .Values.cloudsql.useExistingServiceAcc }} - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}" 
diff --git a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml index 14589c5c..a2920e8a 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml @@ -85,6 +85,11 @@ spec: imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} command: ["/cloud_sql_proxy"] args: + {{- if .Values.cloudsql.extraArgs }} + {{- range $arg := .Values.cloudsql.extraArgs }} + - {{ quote $arg }} + {{- end }} + {{- end }} - "-instances={{ .Values.cloudsql.instance }}=tcp:5432" {{- if .Values.cloudsql.useExistingServiceAcc }} - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}" diff --git a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml index db0fb65e..8dec60a6 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml @@ -44,6 +44,11 @@ spec: imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} command: ["/cloud_sql_proxy"] args: + {{- if .Values.cloudsql.extraArgs }} + {{- range $arg := .Values.cloudsql.extraArgs }} + - {{ quote $arg }} + {{- end }} + {{- end }} - "-instances={{ .Values.cloudsql.instance }}=tcp:5432" {{- if .Values.cloudsql.useExistingServiceAcc }} - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}" diff --git a/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml b/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml index 3888cdc8..8e5918ef 100644 --- a/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml 
@@ -71,6 +71,11 @@ spec: imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} command: ["/cloud_sql_proxy"] args: + {{- if .Values.cloudsql.extraArgs }} + {{- range $arg := .Values.cloudsql.extraArgs }} + - {{ quote $arg }} + {{- end }} + {{- end }} - "-instances={{ .Values.cloudsql.instance }}=tcp:5432" {{- if .Values.cloudsql.useExistingServiceAcc }} - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}" diff --git a/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml b/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml index b82941d2..1c9e9c6a 100644 --- a/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml @@ -71,6 +71,11 @@ spec: imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} command: ["/cloud_sql_proxy"] args: + {{- if .Values.cloudsql.extraArgs }} + {{- range $arg := .Values.cloudsql.extraArgs }} + - {{ quote $arg }} + {{- end }} + {{- end }} - "-instances={{ .Values.cloudsql.instance }}=tcp:5432" {{- if .Values.cloudsql.useExistingServiceAcc }} - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}" diff --git a/stable/anchore-engine/templates/enterprise_reports_deployment.yaml b/stable/anchore-engine/templates/enterprise_reports_deployment.yaml index 60b078bf..4a05d218 100644 --- a/stable/anchore-engine/templates/enterprise_reports_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_reports_deployment.yaml 
@@ -71,6 +71,11 @@ spec: imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} command: ["/cloud_sql_proxy"] args: + {{- if .Values.cloudsql.extraArgs }} + {{- range $arg := .Values.cloudsql.extraArgs }} + - {{ quote $arg }} + {{- end }} + {{- end }} - "-instances={{ .Values.cloudsql.instance }}=tcp:5432" {{- if .Values.cloudsql.useExistingServiceAcc }} - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}" diff --git a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml index e21b190d..813b9f69 100644 --- a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml @@ -74,6 +74,11 @@ spec: imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} command: ["/cloud_sql_proxy"] args: + {{- if .Values.cloudsql.extraArgs }} + {{- range $arg := .Values.cloudsql.extraArgs }} + - {{ quote $arg }} + {{- end }} + {{- end }} - "-instances={{ .Values.cloudsql.instance }}=tcp:5432" {{- if .Values.cloudsql.useExistingServiceAcc }} - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}" diff --git a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml index ffad02cc..d4906fd3 100644 --- a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml 
@@ -44,6 +44,11 @@ spec: imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} command: ["/cloud_sql_proxy"] args: + {{- if .Values.cloudsql.extraArgs }} + {{- range $arg := .Values.cloudsql.extraArgs }} + - {{ quote $arg }} + {{- end }} + {{- end }} - "-instances={{ .Values.cloudsql.instance }}=tcp:5432" {{- if .Values.cloudsql.useExistingServiceAcc }} - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}" diff --git a/stable/anchore-engine/templates/policy_engine_deployment.yaml b/stable/anchore-engine/templates/policy_engine_deployment.yaml index eed5c6d2..de3e8c3d 100644 --- a/stable/anchore-engine/templates/policy_engine_deployment.yaml +++ b/stable/anchore-engine/templates/policy_engine_deployment.yaml @@ -91,6 +91,11 @@ spec: imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} command: ["/cloud_sql_proxy"] args: + {{- if .Values.cloudsql.extraArgs }} + {{- range $arg := .Values.cloudsql.extraArgs }} + - {{ quote $arg }} + {{- end }} + {{- end }} - "-instances={{ .Values.cloudsql.instance }}=tcp:5432" {{- if .Values.cloudsql.useExistingServiceAcc }} - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}" diff --git a/stable/anchore-engine/templates/simplequeue_deployment.yaml b/stable/anchore-engine/templates/simplequeue_deployment.yaml index c684c595..41d755ba 100644 --- a/stable/anchore-engine/templates/simplequeue_deployment.yaml +++ b/stable/anchore-engine/templates/simplequeue_deployment.yaml 
@@ -77,6 +77,11 @@ spec: imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} command: ["/cloud_sql_proxy"] args: + {{- if .Values.cloudsql.extraArgs }} + {{- range $arg := .Values.cloudsql.extraArgs }} + - {{ quote $arg }} + {{- end }} + {{- end }} - "-instances={{ .Values.cloudsql.instance }}=tcp:5432" {{- if .Values.cloudsql.useExistingServiceAcc }} - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}" diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index ab083ec4..b23dbbab 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -40,6 +40,11 @@ postgresql: cloudsql: # To use CloudSQL in GKE set 'enable: true' enabled: false + # Inject extra arguments into the cloudsql container command, eg: + # extraArgs: + # - "-ip_address_types=PRIVATE" + # - "-enable_iam_login" + extraArgs: [] # set CloudSQL instance: 'project:zone:instancname' instance: "" # Optional existing service account secret to use. From 1b7d7c479a2e9f31aa29d415fe040dcaa4db42c3 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 21 Dec 2022 17:23:38 -0800 Subject: [PATCH 045/329] bump chart version Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 9d774b9f..cc160969 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.20.2 +version: 1.20.3 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: From a2f438f53b64c5256de55e82d1e8f29ef82828e7 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 23 Dec 2022 10:51:36 -0800 Subject: [PATCH 046/329] update anchore-charts README 
Signed-off-by: Brady Todhunter --- README.md | 72 +++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 51 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index e87401eb..bee5e88c 100644 --- a/README.md +++ b/README.md 
@@ -1,36 +1,66 @@ -# Anchore Charts +# Anchore Helm Charts -A collection of anchore charts for tooling and integrations. The charts in this repository are available from the Anchore Charts Repository at: +This repository contains Helm charts for deploying [Anchore](https://www.anchore.com/) software on Kubernetes. -https://charts.anchore.io +## Prerequisites -## Installing Charts -``` -$ helm repo add anchore https://charts.anchore.io -$ helm search repo anchore -$ helm install my-release anchore/ +- [Helm](https://helm.sh/) - Helm is a package manager for Kubernetes that makes it easy to install and manage applications on your cluster. +- [Kubernetes](https://kubernetes.io/) - Kubernetes is an open-source container orchestration platform that is required to use Helm charts. + +## Installation + +To use the charts in this repository, you will need to add it to your Helm repositories list. You can do this using the `helm repo add` command: + +```bash +helm repo add anchore https://charts.anchore.io ``` +Once the repository has been added, you can use the `helm search` command to view a list of available charts: -## Contributing +```bash +helm search repo anchore +``` -All commits must be signed with the DCO as defined in [CONTRIBUTING](CONTRIBUTING.rst) +To install a chart, use the `helm install` command and specify the chart name and any required values: -In git this can be done using the '-s' flag on commit. +```bash +RELEASE_NAME="my-release" +CHART_NAME="anchore/anchore-engine" -To test changes made to this chart, you must also synchronize the dependencies of the chart itself. -For example, for anchore-engine: +helm install "$RELEASE_NAME" "$CHART_NAME" --values values.yaml ``` -helm dep up + +### Installing from source + +It can be useful when developing to install a chart directly from the source code. To do this you must first download all dependent charts, then you are able to install from the chart directory. 
+ +```bash +RELEASE_NAME="my-release" +CHART_PATH="anchore-charts/stable/anchore-engine" + +git clone https://github.com/anchore/anchore-charts-dev.git +helm dependency up +helm install "$RELEASE_NAME" "$CHART_PATH" --values values.yaml ``` -is needed. -## Tests +## Configuration + +The charts in this repository include a number of configuration options that can be set using the `--values` flag when installing the chart. For a full list of configuration options, see the chart's `values.yaml` file. + +## Contributing + +We welcome contributions to the anchore Helm charts repository. If you have a chart that you would like to share, please submit a pull request with your chart and any relevant documentation. + +All commits must be signed with the DCO as defined in [CONTRIBUTING](./CONTRIBUTING.rst). In git this can be done using the '-s' flag on commit. + +## Testing + +This project uses GitHub Actions and the [Helm Chart Testing](https://github.com/helm/chart-testing) tool to test chart changes. When a pull request is opened, the testing workflow will run to ensure that the charts are properly formatted and can be installed on a Kubernetes cluster. + +All charts are tested against a range of Kubernetes versions. This version range roughly tracks the supported versions available from the major cloud vendors and is close, but not exactly the same as, the Kubernetes support N-3 approach. -All charts are tested against a range of Kubernetes versions. This version range roughly tracks the supported versions -available from the major cloud vendors and is close, but not exactly the same as, the Kubernetes support N-3 approach. +We aim to have at least the .0 patches for the releases for predictability and stability of the tests so that they do not have to change with each patch update. 
However, specific patches may be chosen for compatibility with the test harness (kindest/node) and if there is a specific bug fixed in a K8s release that has material impact on the results of a chart test. -We aim to have at least the .0 patches for the releases for predictability and stability of the tests so that they do not have to -change with each patch update. However, specific patches may be chosen for compatibility with the test harness (kindest/node) and if there -is a specific bug fixed in a K8s release that has material impact on the results of a chart test. +## Support +If you have any questions or need assistance with the charts in this repository, please visit the [Anchore documentation](https://docs.anchore.com/) or contact the anchore support team through the channels listed on the [Anchore website](https://www.anchore.com/support/). From 94e930191b7beb396ffa58de27e7fd89262164bc Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 23 Dec 2022 10:52:12 -0800 Subject: [PATCH 047/329] format all chart.yaml files to be similar and update the anchore icon. This requires a chart version bump as well. Signed-off-by: Brady Todhunter --- .../anchore-admission-controller/Chart.yaml | 8 +-- stable/anchore-engine/Chart.yaml | 68 +++++++++---------- stable/kai/Chart.yaml | 33 +++------ 3 files changed, 46 insertions(+), 63 deletions(-) diff --git a/stable/anchore-admission-controller/Chart.yaml b/stable/anchore-admission-controller/Chart.yaml index 57179f8d..d74a6bd2 100644 --- a/stable/anchore-admission-controller/Chart.yaml +++ b/stable/anchore-admission-controller/Chart.yaml 
@@ -1,13 +1,13 @@ -name: anchore-admission-controller -description: A kubernetes admission controller for validating and mutating webhooks that operates against Anchore Engine to make access decisions and annotations apiVersion: v1 +name: anchore-admission-controller +version: 0.4.3 appVersion: 0.4.0 -version: 0.4.2 +description: A kubernetes admission controller for validating and mutating webhooks that operates against Anchore Engine to make access decisions and annotations home: https://github.com/anchore/kubernetes-admission-controller maintainers: - name: zhill email: zach@anchore.com - name: btodhunter email: bradyt@anchore.com -icon: https://anchore.com/wp-content/uploads/2016/08/anchore.png +icon: https://anchoreprd.wpengine.com/wp-content/uploads/2021/12/favicon.png kubeVersion: ^1.19.0 diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index cc160969..1c22eaea 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml 
@@ -1,44 +1,44 @@ apiVersion: v2 name: anchore-engine -version: 1.20.3 +version: 1.20.4 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: - - analysis - - docker - - anchore - - "anchore-engine" - - image - - security - - vulnerability - - scanner + - analysis + - docker + - anchore + - "anchore-engine" + - image + - security + - vulnerability + - scanner home: https://anchore.com sources: - - https://github.com/anchore/anchore-engine + - https://github.com/anchore/anchore-engine maintainers: - - name: zhill - email: zach@anchore.com - - name: btodhunter - email: bradyt@anchore.com + - name: zhill + email: zach@anchore.com + - name: btodhunter + email: bradyt@anchore.com engine: gotpl -icon: https://anchore.com/wp-content/uploads/2016/08/anchore.png +icon: https://anchoreprd.wpengine.com/wp-content/uploads/2021/12/favicon.png dependencies: - - name: postgresql - version: "1.0.1" - repository: "file://./deps/postgresql" - condition: postgresql.enabled - - name: postgresql - version: "1.0.1" - repository: "file://./deps/postgresql" - condition: anchore-feeds-db.enabled,anchoreEnterpriseGlobal.enabled - alias: anchore-feeds-db - - name: postgresql - version: "1.0.1" - repository: "file://./deps/postgresql" - condition: anchore-feeds-gem-db.enabled,anchoreEnterpriseFeeds.gemDriverEnabled - alias: anchore-feeds-gem-db - - name: redis - version: "16.11.3" - repository: "https://charts.bitnami.com/bitnami" - condition: ui-redis.enabled,anchoreEnterpriseGlobal.enabled - alias: ui-redis + - name: postgresql + version: "1.0.1" + repository: "file://./deps/postgresql" + condition: postgresql.enabled + - name: postgresql + version: "1.0.1" + repository: "file://./deps/postgresql" + condition: anchore-feeds-db.enabled,anchoreEnterpriseGlobal.enabled + alias: anchore-feeds-db + - name: postgresql + version: "1.0.1" + repository: "file://./deps/postgresql" + condition: 
anchore-feeds-gem-db.enabled,anchoreEnterpriseFeeds.gemDriverEnabled + alias: anchore-feeds-gem-db + - name: redis + version: "16.11.3" + repository: "https://charts.bitnami.com/bitnami" + condition: ui-redis.enabled,anchoreEnterpriseGlobal.enabled + alias: ui-redis diff --git a/stable/kai/Chart.yaml b/stable/kai/Chart.yaml index 3a6d0328..9b6f842e 100644 --- a/stable/kai/Chart.yaml +++ b/stable/kai/Chart.yaml @@ -1,5 +1,7 @@ apiVersion: v2 name: kai +version: 0.3.2 +appVersion: 0.3.2 description: A Helm chart for Kubernetes Automated Inventory, which describes which images are in use in a given Kubernetes Cluster keywords: - analysis 
@@ -10,29 +12,10 @@ keywords: - inventory - security - scanner - +home: https://anchore.com maintainers: - - name: dakaneye - email: sam.dacanay@anchore.com - -# A chart can be either an 'application' or a 'library' chart. -# -# Application charts are a collection of templates that can be packaged into versioned archives -# to be deployed. -# -# Library charts provide useful utilities or functions for the chart developer. They're included as -# a dependency of application charts to inject those utilities and functions into the rendering -# pipeline. Library charts do not define any templates and therefore cannot be deployed. -type: application - -# This is the chart version. This version number should be incremented each time you make changes -# to the chart and its templates, including the app version. -# Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.3.1 - -# This is the version number of the application being deployed. This version number should be -# incremented each time you make changes to the application. Versions are not expected to -# follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 0.3.2 - -icon: https://anchore.com/wp-content/uploads/2016/08/anchore.png + - name: zhill + email: zach@anchore.com + - name: btodhunter + email: bradyt@anchore.com +icon: https://anchoreprd.wpengine.com/wp-content/uploads/2021/12/favicon.png From 03e7e606e773c262ff90eac497a5b3074b0356d0 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 23 Dec 2022 11:34:37 -0800 Subject: [PATCH 048/329] minor fixes in readme Signed-off-by: Brady Todhunter --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index bee5e88c..532cc939 100644 --- a/README.md +++ b/README.md 
@@ -39,8 +39,9 @@ RELEASE_NAME="my-release" CHART_PATH="anchore-charts/stable/anchore-engine" git clone https://github.com/anchore/anchore-charts-dev.git +cd "$CHART_PATH" helm dependency up -helm install "$RELEASE_NAME" "$CHART_PATH" --values values.yaml +helm install "$RELEASE_NAME" . --values values.yaml ``` ## Configuration @@ -49,7 +50,7 @@ The charts in this repository include a number of configuration options that can ## Contributing -We welcome contributions to the anchore Helm charts repository. If you have a chart that you would like to share, please submit a pull request with your chart and any relevant documentation. +We welcome contributions to the anchore Helm charts repository. If you have a chart change that you would like to share, please submit a pull request with your change and any relevant documentation. All commits must be signed with the DCO as defined in [CONTRIBUTING](./CONTRIBUTING.rst). In git this can be done using the '-s' flag on commit. @@ -63,4 +64,4 @@ We aim to have at least the .0 patches for the releases for predictability and s ## Support -If you have any questions or need assistance with the charts in this repository, please visit the [Anchore documentation](https://docs.anchore.com/) or contact the anchore support team through the channels listed on the [Anchore website](https://www.anchore.com/support/). +If you have any questions or need assistance with the charts in this repository, please visit the [Anchore documentation](https://docs.anchore.com/) or contact the anchore support team through the channels listed on the [Anchore support site](https://www.anchore.com/support/). From ee2fe7ed2deba9204dbefa44e3024c2d2e30c314 Mon Sep 17 00:00:00 2001 From: Brandt Keller Date: Tue, 15 Nov 2022 13:26:25 -0800 Subject: [PATCH 049/329] Adding implementation for separate ui database user 
Signed-off-by: Brandt Keller --- stable/anchore-engine/templates/engine_configmap_env.yaml | 8 +------- stable/anchore-engine/templates/enterprise_ui_secret.yaml | 4 ++-- stable/anchore-engine/values.yaml | 4 ++++ 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/stable/anchore-engine/templates/engine_configmap_env.yaml b/stable/anchore-engine/templates/engine_configmap_env.yaml index eff162dd..af5c8906 100644 --- a/stable/anchore-engine/templates/engine_configmap_env.yaml +++ b/stable/anchore-engine/templates/engine_configmap_env.yaml @@ -13,10 +13,4 @@ metadata: data: ANCHORE_DB_NAME: {{ index .Values "postgresql" "postgresDatabase" | quote }} ANCHORE_DB_USER: {{ index .Values "postgresql" "postgresUser" | quote }} - {{- if and (index .Values "postgresql" "externalEndpoint") (not (index .Values "postgresql" "enabled")) }} - ANCHORE_DB_HOST: {{ index .Values "postgresql" "externalEndpoint" | quote }} - {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "postgresql" "enabled")) }} - ANCHORE_DB_HOST: "localhost:5432" - {{- else }} - ANCHORE_DB_HOST: "{{ template "postgres.fullname" . }}:5432" - {{- end }} + ANCHORE_DB_HOST: "{{ template "db-hostname" . }}" diff --git a/stable/anchore-engine/templates/enterprise_ui_secret.yaml b/stable/anchore-engine/templates/enterprise_ui_secret.yaml index 13f46aad..1299ad34 100644 --- a/stable/anchore-engine/templates/enterprise_ui_secret.yaml +++ b/stable/anchore-engine/templates/enterprise_ui_secret.yaml 
@@ -15,9 +15,9 @@ metadata: type: Opaque stringData: {{- if .Values.anchoreGlobal.dbConfig.ssl }} - ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}?ssl=verify-full' + ANCHORE_APPDB_URI: 'postgresql://{{ ternary (index .Values "anchoreEnterpriseUi" "dbUser") (index .Values "postgresql" "postgresUser") (hasKey .Values.anchoreEnterpriseUi "dbUser" ) }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}?ssl=verify-full' {{- else }} - ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}' + ANCHORE_APPDB_URI: 'postgresql://{{ ternary (index .Values "anchoreEnterpriseUi" "dbUser") (index .Values "postgresql" "postgresUser") (hasKey .Values.anchoreEnterpriseUi "dbUser" ) }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}' {{- end }} {{- if and (index .Values "ui-redis" "externalEndpoint") (not (index .Values "ui-redis" "enabled")) }} diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index b23dbbab..0b4db034 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -1089,6 +1089,10 @@ anchoreEnterpriseUi: # ANCHORE_REDIS_URI existingSecret: Null + # Specify configurations for database connection user + # This should specifically allow overriding and separation of the ui database user + # dbUser: anchoreengineui + # The (optional) `appdbConfig` key specifies the connection options # for the application SQL database. # From c997f828b7f04b423381635749d93ee5785edeaa Mon Sep 17 00:00:00 2001 
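Review bot: The added `ternary ... (hasKey .Values.anchoreEnterpriseUi "dbUser")` treats an explicitly empty `dbUser: ""` as set and renders `postgresql://:<password>@...`, and the same expression is pasted into both branches of the ssl conditional. `default` covers the missing and the empty case in one call, e.g. `{{ default (index .Values "postgresql" "postgresUser") .Values.anchoreEnterpriseUi.dbUser }}`, and moving it into a named helper in _helpers.tpl would keep the two URI lines in step. The user and password are still interpolated into the URI unescaped, so a value containing `@`, `:` or `/` breaks the connection string; that predates this change but deserves a comment next to the new dbUser knob in values.yaml. The Secret definition begins outside the hunk.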
From: Brandt Keller
Date: Fri, 23 Dec 2022 09:17:52 -0800
Subject: [PATCH 050/329] Adding support for unique ui db password
---
 stable/anchore-engine/templates/enterprise_ui_secret.yaml | 4 ++--
 stable/anchore-engine/values.yaml | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/stable/anchore-engine/templates/enterprise_ui_secret.yaml b/stable/anchore-engine/templates/enterprise_ui_secret.yaml
index 1299ad34..9ffa109b 100644
--- a/stable/anchore-engine/templates/enterprise_ui_secret.yaml
+++ b/stable/anchore-engine/templates/enterprise_ui_secret.yaml
@@ -15,9 +15,9 @@ metadata:
 type: Opaque
 stringData:
 {{- if .Values.anchoreGlobal.dbConfig.ssl }}
- ANCHORE_APPDB_URI: 'postgresql://{{ ternary (index .Values "anchoreEnterpriseUi" "dbUser") (index .Values "postgresql" "postgresUser") (hasKey .Values.anchoreEnterpriseUi "dbUser" ) }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}?ssl=verify-full'
+ ANCHORE_APPDB_URI: 'postgresql://{{ ternary (index .Values "anchoreEnterpriseUi" "dbUser") (index .Values "postgresql" "postgresUser") (hasKey .Values.anchoreEnterpriseUi "dbUser" ) }}:{{ ternary (index .Values "anchoreEnterpriseUi" "dbPass") (index .Values "postgresql" "postgresPassword") (hasKey .Values.anchoreEnterpriseUi "dbPass" ) }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}?ssl=verify-full'
 {{- else }}
- ANCHORE_APPDB_URI: 'postgresql://{{ ternary (index .Values "anchoreEnterpriseUi" "dbUser") (index .Values "postgresql" "postgresUser") (hasKey .Values.anchoreEnterpriseUi "dbUser" ) }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}'
+ ANCHORE_APPDB_URI: 'postgresql://{{ ternary (index .Values "anchoreEnterpriseUi" "dbUser") (index .Values "postgresql" "postgresUser") (hasKey .Values.anchoreEnterpriseUi "dbUser" ) }}:{{ ternary (index .Values "anchoreEnterpriseUi" "dbPass") (index .Values "postgresql" "postgresPassword") (hasKey .Values.anchoreEnterpriseUi "dbPass" ) }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}'
 {{- end }}
 {{- if and (index .Values "ui-redis" "externalEndpoint") (not (index .Values "ui-redis" "enabled")) }}
diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml
index 0b4db034..9a0e9bdb 100644
--- a/stable/anchore-engine/values.yaml
+++ b/stable/anchore-engine/values.yaml
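Review bot: `dbPass` and `dbUser` fall back independently, so a values file that sets only `anchoreEnterpriseUi.dbPass` renders the shared `postgresql.postgresUser` with the UI-specific password, and one that sets only `dbUser` renders the new user with the engine password; both fail authentication at runtime with no hint at template time. A guard at the top of the template makes the pairing explicit, e.g. `{{- if and (hasKey .Values.anchoreEnterpriseUi "dbPass") (not (hasKey .Values.anchoreEnterpriseUi "dbUser")) }}{{ fail "anchoreEnterpriseUi.dbPass requires anchoreEnterpriseUi.dbUser" }}{{- end }}`. With four `ternary`/`hasKey` calls per line now, factoring the user and the password into two named helpers would also keep the ssl and non-ssl lines from drifting apart. The Secret definition begins outside the hunk.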
@@ -1092,6 +1092,7 @@ anchoreEnterpriseUi:
 # Specify configurations for database connection user
 # This should specifically allow overriding and separation of the ui database user
 # dbUser: anchoreengineui
+ # dbPass: anchore-postgres,123ui
 # The (optional) `appdbConfig` key specifies the connection options
 # for the application SQL database.
From babc1a37e3826cecd37c4109160b651e30106ce8 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Wed, 4 Jan 2023 18:08:17 -0800
Subject: [PATCH 051/329] bump chart version
Signed-off-by: Brady Todhunter
---
 stable/anchore-engine/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index 1c22eaea..d5e50555 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.20.4
+version: 1.20.5
 appVersion: 1.1.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
From 7d3d447272177c4f12246b6c721651341ca57c2f Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Fri, 6 Jan 2023 18:34:50 -0800
Subject: [PATCH 052/329] use secrets to store all env vars and make feeds db env vars unique
Signed-off-by: Brady Todhunter --- .../templates/analyzer_deployment.yaml | 3 -- .../templates/api_deployment.yaml | 7 ----- .../templates/catalog_deployment.yaml | 3 -- .../templates/engine_configmap_env.yaml | 16 ---------- .../templates/engine_secret.yaml | 3 ++ .../templates/engine_upgrade_job.yaml | 2 -- .../templates/enterprise_feeds_configmap.yaml | 6 ++-- .../enterprise_feeds_configmap_env.yaml | 31 ------------------- .../enterprise_feeds_deployment.yaml | 3 -- .../templates/enterprise_feeds_secret.yaml | 12 +++++++ .../enterprise_feeds_upgrade_job.yaml | 8 ++--- .../enterprise_notifications_deployment.yaml | 5 --- .../enterprise_rbac_manager_deployment.yaml | 5 --- .../enterprise_reports_deployment.yaml | 3 -- .../templates/enterprise_upgrade_job.yaml | 2 -- .../templates/policy_engine_deployment.yaml | 3 -- .../templates/simplequeue_deployment.yaml | 3 -- 17 files changed, 21 insertions(+), 94 deletions(-) delete mode 100644 stable/anchore-engine/templates/engine_configmap_env.yaml delete mode 100644 stable/anchore-engine/templates/enterprise_feeds_configmap_env.yaml diff --git a/stable/anchore-engine/templates/analyzer_deployment.yaml b/stable/anchore-engine/templates/analyzer_deployment.yaml index acc40eac..965b73fb 100644 --- a/stable/anchore-engine/templates/analyzer_deployment.yaml +++ b/stable/anchore-engine/templates/analyzer_deployment.yaml @@ -54,7 +54,6 @@ spec: {{- if not (or .Values.inject_secrets_via_env .Values.anchoreGlobal.existingSecret) }} checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }} {{- end }} - checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }} checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }} checksum/analyzer-config: {{ include (print $.Template.BasePath "/analyzer_configmap.yaml") . | sha256sum }} spec: 
@@ -134,8 +133,6 @@ spec: name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} {{- end }} {{- end }} - - configMapRef: - name: {{ template "anchore-engine.fullname" . }}-env env: {{- with .Values.anchoreGlobal.extraEnv }} {{- toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/api_deployment.yaml b/stable/anchore-engine/templates/api_deployment.yaml index cb89a95c..7df9b43f 100644 --- a/stable/anchore-engine/templates/api_deployment.yaml +++ b/stable/anchore-engine/templates/api_deployment.yaml @@ -54,7 +54,6 @@ spec: {{- if not .Values.inject_secrets_via_env }} checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }} {{- end }} - checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }} checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }} {{- if .Values.anchoreGlobal.policyBundles }} checksum/policy-config: {{ include (print $.Template.BasePath "/policy_bundle_configmap.yaml") . | sha256sum }} @@ -122,8 +121,6 @@ spec: name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} {{- end }} {{- end }} - - configMapRef: - name: {{ template "anchore-engine.fullname" . }}-env env: {{- with .Values.anchoreGlobal.extraEnv }} {{- toYaml . | nindent 8 }} @@ -221,8 +218,6 @@ spec: name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} {{- end }} {{- end }} - - configMapRef: - name: {{ template "anchore-engine.fullname" . }}-env env: {{- with .Values.anchoreGlobal.extraEnv }} {{- toYaml . | nindent 8 }} @@ -307,8 +302,6 @@ spec: name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} {{- end }} {{- end }} - - configMapRef: - name: {{ template "anchore-engine.fullname" . }}-env env: {{- with .Values.anchoreGlobal.extraEnv }} {{- toYaml . | nindent 8 }} 
diff --git a/stable/anchore-engine/templates/catalog_deployment.yaml b/stable/anchore-engine/templates/catalog_deployment.yaml index e057cbaf..1c7dc428 100644 --- a/stable/anchore-engine/templates/catalog_deployment.yaml +++ b/stable/anchore-engine/templates/catalog_deployment.yaml @@ -54,7 +54,6 @@ spec: {{- if not .Values.inject_secrets_via_env }} checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }} {{- end }} - checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }} checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }} {{- if .Values.anchoreGlobal.policyBundles }} checksum/policy-config: {{ include (print $.Template.BasePath "/policy_bundle_configmap.yaml") . | sha256sum }} @@ -136,8 +135,6 @@ spec: name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} {{- end }} {{- end }} - - configMapRef: - name: {{ template "anchore-engine.fullname" . }}-env env: {{- with .Values.anchoreGlobal.extraEnv }} {{- toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/engine_configmap_env.yaml b/stable/anchore-engine/templates/engine_configmap_env.yaml deleted file mode 100644 index af5c8906..00000000 --- a/stable/anchore-engine/templates/engine_configmap_env.yaml +++ /dev/null @@ -1,16 +0,0 @@ -kind: ConfigMap -apiVersion: v1 -metadata: - name: {{ template "anchore-engine.fullname" . }}-env - labels: - app: {{ template "anchore-engine.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- with .Values.anchoreGlobal.labels }} - {{ toYaml . | nindent 4 }} - {{- end }} -data: - ANCHORE_DB_NAME: {{ index .Values "postgresql" "postgresDatabase" | quote }} - ANCHORE_DB_USER: {{ index .Values "postgresql" "postgresUser" | quote }} - ANCHORE_DB_HOST: "{{ template "db-hostname" . }}" 
diff --git a/stable/anchore-engine/templates/engine_secret.yaml b/stable/anchore-engine/templates/engine_secret.yaml index e23cc638..c4acdcf4 100644 --- a/stable/anchore-engine/templates/engine_secret.yaml +++ b/stable/anchore-engine/templates/engine_secret.yaml @@ -13,7 +13,10 @@ metadata: {{- end }} type: Opaque stringData: + ANCHORE_DB_NAME: {{ index .Values "postgresql" "postgresDatabase" | quote }} + ANCHORE_DB_USER: {{ index .Values "postgresql" "postgresUser" | quote }} ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }} + ANCHORE_DB_HOST: "{{ template "db-hostname" . }}" {{- with .Values.anchoreGlobal.saml.secret }} ANCHORE_SAML_SECRET: {{ . }} {{- end }} diff --git a/stable/anchore-engine/templates/engine_upgrade_job.yaml b/stable/anchore-engine/templates/engine_upgrade_job.yaml index 3e44812c..030c25ce 100644 --- a/stable/anchore-engine/templates/engine_upgrade_job.yaml +++ b/stable/anchore-engine/templates/engine_upgrade_job.yaml @@ -104,8 +104,6 @@ spec: name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} {{- end }} {{- end }} - - configMapRef: - name: {{ template "anchore-engine.fullname" . }}-env env: {{- with .Values.anchoreGlobal.extraEnv }} {{- toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index 9624af14..1ad266fc 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml 
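Review bot: ANCHORE_DB_NAME, ANCHORE_DB_USER and ANCHORE_DB_HOST now reach the pods only through this Secret, but the template is skipped when `anchoreGlobal.existingSecret` is set (the `{{- if not .Values.anchoreGlobal.existingSecret }}` guard at its top) and the deployments' envFrom blocks also omit the secretRef when `inject_secrets_via_env` is true, so every user-supplied secret or injected environment must now carry those three keys as well; neither the commit message nor a values.yaml comment says so. The same applies to the enterprise_feeds_secret.yaml hunks for ANCHORE_FEEDS_DB_NAME/USER/HOST and the ANCHORE_GEM_DB_* keys, gated by `anchoreEnterpriseFeeds.existingSecret`. Suggest a comment above the new keys, `# Required in any user-supplied secret: ANCHORE_DB_NAME, ANCHORE_DB_USER, ANCHORE_DB_HOST (the env ConfigMap that used to carry them was removed)`, plus a matching note in the chart README. The Secret definition begins outside the hunk.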
@@ -78,11 +78,11 @@ data: credentials: database: {{- if not .Values.anchoreEnterpriseFeeds.dbConfig.ssl }} - db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}" + db_connect: "postgresql://${ANCHORE_FEEDS_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_FEEDS_DB_HOST}/${ANCHORE_FEEDS_DB_NAME}" {{- else if eq .Values.anchoreEnterpriseFeeds.dbConfig.sslMode "require" }} - db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}" + db_connect: "postgresql://${ANCHORE_FEEDS_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_FEEDS_DB_HOST}/${ANCHORE_FEEDS_DB_NAME}?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}" {{- else }} - db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }}" + db_connect: "postgresql://${ANCHORE_FEEDS_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_FEEDS_DB_HOST}/${ANCHORE_FEEDS_DB_NAME}?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }}" {{- end }} db_connect_args: timeout: {{ .Values.anchoreEnterpriseFeeds.dbConfig.timeout }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap_env.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap_env.yaml deleted file mode 100644 index 7aaabbc5..00000000 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap_env.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled -}} -{{- $component := "enterprise-feeds" -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}-env - labels: - app: {{ template "anchore-engine.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - component: {{ $component }} - {{- with .Values.anchoreGlobal.labels }} - {{ toYaml . | nindent 4 }} - {{- end }} -data: - ANCHORE_DB_NAME: {{ index .Values "anchore-feeds-db" "postgresDatabase" | quote }} - ANCHORE_DB_USER: {{ index .Values "anchore-feeds-db" "postgresUser" | quote }} - {{- if and (index .Values "anchore-feeds-db" "externalEndpoint") (not (index .Values "anchore-feeds-db" "enabled")) }} - ANCHORE_DB_HOST: {{ index .Values "anchore-feeds-db" "externalEndpoint" | quote }} - {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "anchore-feeds-db" "enabled")) }} - ANCHORE_DB_HOST: "localhost:5432" - {{- else }} - ANCHORE_DB_HOST: "{{ template "postgres.anchore-feeds-db.fullname" . }}:5432" - {{- end }} - {{- if .Values.anchoreEnterpriseFeeds.gemDriverEnabled }} - ANCHORE_GEM_DB_NAME: {{ index .Values "anchore-feeds-gem-db" "postgresDatabase" | quote }} - ANCHORE_GEM_DB_USER: {{ index .Values "anchore-feeds-gem-db" "postgresUser" | quote }} - ANCHORE_GEM_DB_HOST: "{{ default (include "postgres.anchore-feeds-gem-db.fullname" .) (index .Values "anchore-feeds-gem-db" "externalEndpoint") }}:5432" - {{- end }} -{{- end }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml index a2920e8a..1bc3d4dc 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml 
@@ -55,7 +55,6 @@ spec: {{- if not (or .Values.inject_secrets_via_env .Values.anchoreEnterpriseFeeds.existingSecret) }} checksum/secrets: {{ include (print $.Template.BasePath "/enterprise_feeds_secret.yaml") . | sha256sum }} {{- end }} - checksum/env: {{ include (print $.Template.BasePath "/enterprise_feeds_configmap_env.yaml") . | sha256sum }} checksum/feeds-config: {{ include (print $.Template.BasePath "/enterprise_feeds_configmap.yaml") . | sha256sum }} spec: {{- with .Values.anchoreGlobal.securityContext }} @@ -120,8 +119,6 @@ spec: name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} {{- end }} {{- end }} - - configMapRef: - name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}-env env: {{- with .Values.anchoreGlobal.extraEnv }} {{- toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_secret.yaml b/stable/anchore-engine/templates/enterprise_feeds_secret.yaml index 86da6f50..f956527a 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_secret.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_secret.yaml 
@@ -14,7 +14,16 @@ metadata: {{- end }} type: Opaque stringData: + ANCHORE_FEEDS_DB_NAME: {{ index .Values "anchore-feeds-db" "postgresDatabase" | quote }} + ANCHORE_FEEDS_DB_USER: {{ index .Values "anchore-feeds-db" "postgresUser" | quote }} ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }} + {{- if and (index .Values "anchore-feeds-db" "externalEndpoint") (not (index .Values "anchore-feeds-db" "enabled")) }} + ANCHORE_FEEDS_DB_HOST: {{ index .Values "anchore-feeds-db" "externalEndpoint" | quote }} + {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "anchore-feeds-db" "enabled")) }} + ANCHORE_FEEDS_DB_HOST: "localhost:5432" + {{- else }} + ANCHORE_FEEDS_DB_HOST: "{{ template "postgres.anchore-feeds-db.fullname" . }}:5432" + {{- end }} {{- with .Values.anchoreGlobal.saml.secret }} ANCHORE_SAML_SECRET: {{ . }} {{- end }} @@ -25,7 +34,10 @@ stringData: ANCHORE_GITHUB_TOKEN: {{ . | quote }} {{- end }} {{- if .Values.anchoreEnterpriseFeeds.gemDriverEnabled }} + ANCHORE_GEM_DB_NAME: {{ index .Values "anchore-feeds-gem-db" "postgresDatabase" | quote }} + ANCHORE_GEM_DB_USER: {{ index .Values "anchore-feeds-gem-db" "postgresUser" | quote }} ANCHORE_GEM_DB_PASSWORD: {{ index .Values "anchore-feeds-gem-db" "postgresPassword" | quote }} + ANCHORE_GEM_DB_HOST: "{{ default (include "postgres.anchore-feeds-gem-db.fullname" .) (index .Values "anchore-feeds-gem-db" "externalEndpoint") }}:5432" {{- end }} {{- end }} {{- end }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml index 8dec60a6..4f8a0f07 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml 
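Review bot: ANCHORE_GEM_DB_HOST in the second hunk appends `:5432` even when `anchore-feeds-gem-db.externalEndpoint` is supplied, while ANCHORE_FEEDS_DB_HOST in the first hunk quotes `externalEndpoint` verbatim and only appends the port for the in-cluster chart; an external gem endpoint written as `host:port` therefore renders as `host:port:5432`. The lines are carried over from the deleted enterprise_feeds_configmap_env.yaml, so the behaviour is not new, but this hunk is now where it lives. Mirroring the feeds-db branching makes the two keys consistent; whether a cloudsql branch is also wanted for the gem db I cannot tell from this diff. The Secret definition begins outside the hunk.
```yaml
  {{- if .Values.anchoreEnterpriseFeeds.gemDriverEnabled }}
  # … unchanged: ANCHORE_GEM_DB_NAME, ANCHORE_GEM_DB_USER, ANCHORE_GEM_DB_PASSWORD …
  {{- if and (index .Values "anchore-feeds-gem-db" "externalEndpoint") (not (index .Values "anchore-feeds-gem-db" "enabled")) }}
  ANCHORE_GEM_DB_HOST: {{ index .Values "anchore-feeds-gem-db" "externalEndpoint" | quote }}
  {{- else }}
  ANCHORE_GEM_DB_HOST: "{{ template "postgres.anchore-feeds-gem-db.fullname" . }}:5432"
  {{- end }}
  {{- end }}
```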
@@ -65,13 +65,13 @@ spec: args: {{- if not .Values.anchoreEnterpriseFeeds.dbConfig.ssl }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}" upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; {{- else if eq .Values.anchoreEnterpriseFeeds.dbConfig.sslMode "require" }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode }} upgrade --dontask; {{- else }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }} upgrade --dontask; + {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }} upgrade --dontask; {{- end }} {{- if .Values.cloudsql.enabled }} - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; @@ -92,8 +92,6 @@ spec: name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} {{- end }} {{- end }} - - configMapRef: - name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}-env env: {{- with .Values.anchoreGlobal.extraEnv }} {{- toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml b/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml index 8e5918ef..2d58f0b7 100644 --- a/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml @@ -55,7 +55,6 @@ spec: {{- if not .Values.inject_secrets_via_env }} checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }} {{- end }} - checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }} checksum/config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }} spec: {{- with .Values.anchoreGlobal.securityContext }} @@ -106,8 +105,6 @@ spec: name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} {{- end }} {{- end }} - - configMapRef: - name: {{ template "anchore-engine.fullname" . }}-env env: {{- with .Values.anchoreGlobal.extraEnv }} {{- toYaml . | nindent 8 }} 
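Review bot: The rewritten `--db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@...` lines place the database password in the argument list of anchore-enterprise-manager, where it is readable from the process table inside the pod and would be echoed by any shell tracing of this script; the environment already holds the secret, so if the manager can take the connect string from its configuration or environment that form is preferable. The three branches also differ only in the query-string suffix, so assembling the URI once into a shell variable and invoking the manager a single time would shrink the hunk and keep the sslmode handling in one place. I cannot see from this diff which input forms anchore-enterprise-manager accepts, so I have not proposed that rewrite. The args block begins outside the hunk.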
@@ -186,8 +183,6 @@ spec: name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} {{- end }} {{- end }} - - configMapRef: - name: {{ template "anchore-engine.fullname" . }}-env env: {{- with .Values.anchoreGlobal.extraEnv }} {{- toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml b/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml index 1c9e9c6a..e8f50720 100644 --- a/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml @@ -55,7 +55,6 @@ spec: {{- if not .Values.inject_secrets_via_env }} checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }} {{- end }} - checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }} checksum/config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }} spec: {{- with .Values.anchoreGlobal.securityContext }} @@ -106,8 +105,6 @@ spec: name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} {{- end }} {{- end }} - - configMapRef: - name: {{ template "anchore-engine.fullname" . }}-env env: {{- with .Values.anchoreGlobal.extraEnv }} {{- toYaml . | nindent 8 }} @@ -185,8 +182,6 @@ spec: name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} {{- end }} {{- end }} - - configMapRef: - name: {{ template "anchore-engine.fullname" . }}-env env: {{- with .Values.anchoreGlobal.extraEnv }} {{- toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/enterprise_reports_deployment.yaml b/stable/anchore-engine/templates/enterprise_reports_deployment.yaml index 4a05d218..07c1c2d8 100644 --- a/stable/anchore-engine/templates/enterprise_reports_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_reports_deployment.yaml 
@@ -55,7 +55,6 @@ spec: {{- if not .Values.inject_secrets_via_env }} checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }} {{- end }} - checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }} checksum/config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }} spec: {{- with .Values.anchoreGlobal.securityContext }} @@ -106,8 +105,6 @@ spec: name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} {{- end }} {{- end }} - - configMapRef: - name: {{ template "anchore-engine.fullname" . }}-env env: {{- with .Values.anchoreGlobal.extraEnv }} {{- toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml index d4906fd3..b36e1867 100644 --- a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml @@ -92,8 +92,6 @@ spec: name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} {{- end }} {{- end }} - - configMapRef: - name: {{ template "anchore-engine.fullname" . }}-env env: {{- with .Values.anchoreGlobal.extraEnv }} {{- toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/policy_engine_deployment.yaml b/stable/anchore-engine/templates/policy_engine_deployment.yaml index de3e8c3d..8deea2b9 100644 --- a/stable/anchore-engine/templates/policy_engine_deployment.yaml +++ b/stable/anchore-engine/templates/policy_engine_deployment.yaml 
@@ -54,7 +54,6 @@ spec: {{- if not .Values.inject_secrets_via_env }} checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }} {{- end }} - checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }} checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }} spec: {{- with .Values.anchoreGlobal.securityContext }} @@ -133,8 +132,6 @@ spec: name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} {{- end }} {{- end }} - - configMapRef: - name: {{ template "anchore-engine.fullname" . }}-env env: {{- with .Values.anchoreGlobal.extraEnv }} {{- toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/simplequeue_deployment.yaml b/stable/anchore-engine/templates/simplequeue_deployment.yaml index 41d755ba..6b05b403 100644 --- a/stable/anchore-engine/templates/simplequeue_deployment.yaml +++ b/stable/anchore-engine/templates/simplequeue_deployment.yaml @@ -54,7 +54,6 @@ spec: {{- if not .Values.inject_secrets_via_env }} checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }} {{- end }} - checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }} checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }} spec: {{- with .Values.anchoreGlobal.securityContext }} @@ -119,8 +118,6 @@ spec: name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} {{- end }} {{- end }} - - configMapRef: - name: {{ template "anchore-engine.fullname" . }}-env env: {{- with .Values.anchoreGlobal.extraEnv }} {{- toYaml . | nindent 8 }} From 4652b73ee63344b9ad86a4f612963f374d3a2a32 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 6 Jan 2023 18:41:00 -0800 Subject: [PATCH 053/329] make external secrets configurable and set the secret names automatically for all components 
Signed-off-by: Brady Todhunter --- .../templates/analyzer_deployment.yaml | 6 +++--- .../templates/anchore_admin_secret.yaml | 2 +- .../anchore-engine/templates/api_deployment.yaml | 14 +++++++------- .../templates/catalog_deployment.yaml | 4 ++-- stable/anchore-engine/templates/engine_secret.yaml | 2 +- .../templates/engine_upgrade_job.yaml | 4 ++-- .../templates/enterprise_feeds_deployment.yaml | 6 +++--- .../templates/enterprise_feeds_secret.yaml | 2 +- .../templates/enterprise_feeds_upgrade_job.yaml | 4 ++-- .../enterprise_notifications_deployment.yaml | 8 ++++---- .../enterprise_rbac_manager_deployment.yaml | 8 ++++---- .../templates/enterprise_reports_deployment.yaml | 4 ++-- .../templates/enterprise_ui_deployment.yaml | 12 +++--------- .../templates/enterprise_ui_secret.yaml | 3 +-- .../templates/enterprise_upgrade_job.yaml | 4 ++-- .../templates/policy_engine_deployment.yaml | 4 ++-- .../templates/simplequeue_deployment.yaml | 4 ++-- 17 files changed, 42 insertions(+), 49 deletions(-) diff --git a/stable/anchore-engine/templates/analyzer_deployment.yaml b/stable/anchore-engine/templates/analyzer_deployment.yaml index 965b73fb..ec3ce1eb 100644 --- a/stable/anchore-engine/templates/analyzer_deployment.yaml +++ b/stable/anchore-engine/templates/analyzer_deployment.yaml @@ -51,7 +51,7 @@ spec: {{- with .Values.anchoreAnalyzer.annotations }} {{ toYaml . | nindent 8 }} {{- end }} - {{- if not (or .Values.inject_secrets_via_env .Values.anchoreGlobal.existingSecret) }} + {{- if not (or .Values.inject_secrets_via_env .Values.anchoreGlobal.useExistingSecrets) }} checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }} {{- end }} checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }} 
@@ -123,9 +123,9 @@ spec: {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} - {{- if .Values.anchoreGlobal.existingSecret }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} - secretRef: - name: {{ .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecretName }} {{- else }} - secretRef: name: {{ include "anchore-engine.fullname" . }} diff --git a/stable/anchore-engine/templates/anchore_admin_secret.yaml b/stable/anchore-engine/templates/anchore_admin_secret.yaml index 1a8724b6..08ca62d4 100644 --- a/stable/anchore-engine/templates/anchore_admin_secret.yaml +++ b/stable/anchore-engine/templates/anchore_admin_secret.yaml @@ -1,4 +1,4 @@ -{{- if not .Values.anchoreGlobal.existingSecret }} +{{- if not .Values.anchoreGlobal.useExistingSecrets }} {{- $anchoreAdminPass := (include "anchore-engine.defaultAdminPassword" . | quote) }} diff --git a/stable/anchore-engine/templates/api_deployment.yaml b/stable/anchore-engine/templates/api_deployment.yaml index 7df9b43f..dbf64e20 100644 --- a/stable/anchore-engine/templates/api_deployment.yaml +++ b/stable/anchore-engine/templates/api_deployment.yaml @@ -111,9 +111,9 @@ spec: {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} - {{- if .Values.anchoreGlobal.existingSecret }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} - secretRef: - name: {{ .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecretName }} {{- else }} - secretRef: name: {{ include "anchore-engine.fullname" . }} @@ -136,7 +136,7 @@ spec: - name: ANCHORE_CLI_PASS valueFrom: secretKeyRef: - name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecretName }} key: ANCHORE_ADMIN_PASSWORD {{- end }} ports: 
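Review bot: `default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecretName` only falls back to the chart's `-admin-pass` Secret while `existingSecretName` is empty, so as soon as that value gets a non-empty default (the values file later in this series sets `anchore-engine-env`) the API pod references a Secret that is never created when `useExistingSecrets` is false and the container cannot start. The name should be selected by the same switch that gates `anchore_admin_secret.yaml`: `name: {{ ternary .Values.anchoreGlobal.existingSecretName (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.useExistingSecrets }}`. A later patch on this page appears to make that change; it belongs in this commit so that no intermediate revision renders an unstartable API deployment. The `{{- if` guarding the `ANCHORE_CLI_PASS` entry begins before this hunk.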
@@ -208,9 +208,9 @@ spec: - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_authorizer envFrom: {{- if not .Values.inject_secrets_via_env }} - {{- if .Values.anchoreGlobal.existingSecret }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} - secretRef: - name: {{ .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecretName }} {{- else }} - secretRef: name: {{ include "anchore-engine.fullname" . }} @@ -292,9 +292,9 @@ spec: name: reports-api envFrom: {{- if not .Values.inject_secrets_via_env }} - {{- if .Values.anchoreGlobal.existingSecret }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} - secretRef: - name: {{ .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecretName }} {{- else }} - secretRef: name: {{ include "anchore-engine.fullname" . }} diff --git a/stable/anchore-engine/templates/catalog_deployment.yaml b/stable/anchore-engine/templates/catalog_deployment.yaml index 1c7dc428..6cb7db07 100644 --- a/stable/anchore-engine/templates/catalog_deployment.yaml +++ b/stable/anchore-engine/templates/catalog_deployment.yaml @@ -125,9 +125,9 @@ spec: {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} - {{- if .Values.anchoreGlobal.existingSecret }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} - secretRef: - name: {{ .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecretName }} {{- else }} - secretRef: name: {{ include "anchore-engine.fullname" . }} diff --git a/stable/anchore-engine/templates/engine_secret.yaml b/stable/anchore-engine/templates/engine_secret.yaml index c4acdcf4..36259a6f 100644 --- a/stable/anchore-engine/templates/engine_secret.yaml +++ b/stable/anchore-engine/templates/engine_secret.yaml @@ -1,4 +1,4 @@ -{{- if not .Values.anchoreGlobal.existingSecret }} +{{- if not .Values.anchoreGlobal.useExistingSecrets }} apiVersion: v1 kind: Secret metadata: 
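Review bot: Replacing `anchoreGlobal.existingSecret` with the `useExistingSecrets` switch means a values file that still sets the old key is silently ignored: the condition here evaluates to true, the chart renders this Secret from the plaintext `values.yaml` credentials, and every deployment loads it, while the operator believes their externally managed secret is in use. A renamed security-relevant key should abort the render rather than fall back, for example at the top of this template: `{{- if or .Values.anchoreGlobal.existingSecret .Values.anchoreEnterpriseFeeds.existingSecret .Values.anchoreEnterpriseUi.existingSecret }}{{ fail "existingSecret was replaced by anchoreGlobal.useExistingSecrets and *.existingSecretName" }}{{- end }}`. The changelog added later in this series describes the migration, but a hard failure is what prevents the fallback from going unnoticed on upgrade.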
diff --git a/stable/anchore-engine/templates/engine_upgrade_job.yaml b/stable/anchore-engine/templates/engine_upgrade_job.yaml index 030c25ce..6e7ac1c4 100644 --- a/stable/anchore-engine/templates/engine_upgrade_job.yaml +++ b/stable/anchore-engine/templates/engine_upgrade_job.yaml @@ -94,9 +94,9 @@ spec: {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} - {{- if .Values.anchoreGlobal.existingSecret }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} - secretRef: - name: {{ .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecretName }} {{- else }} - secretRef: name: {{ include "anchore-engine.fullname" . }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml index 1bc3d4dc..5b919888 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml @@ -52,7 +52,7 @@ spec: {{- with .Values.anchoreEnterpriseFeeds.annotations }} {{ toYaml . | nindent 8 }} {{- end }} - {{- if not (or .Values.inject_secrets_via_env .Values.anchoreEnterpriseFeeds.existingSecret) }} + {{- if not (or .Values.inject_secrets_via_env .Values.anchoreGlobal.useExistingSecrets) }} checksum/secrets: {{ include (print $.Template.BasePath "/enterprise_feeds_secret.yaml") . | sha256sum }} {{- end }} checksum/feeds-config: {{ include (print $.Template.BasePath "/enterprise_feeds_configmap.yaml") . | sha256sum }} @@ -109,9 +109,9 @@ spec: name: feeds-api envFrom: {{- if not .Values.inject_secrets_via_env }} - {{- if .Values.anchoreEnterpriseFeeds.existingSecret }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} - secretRef: - name: {{ .Values.anchoreEnterpriseFeeds.existingSecret }} + name: {{ .Values.anchoreEnterpriseFeeds.existingSecretName }} {{- else }} - secretRef: name: {{ include "anchore-engine.enterprise-feeds.fullname" . }} 
diff --git a/stable/anchore-engine/templates/enterprise_feeds_secret.yaml b/stable/anchore-engine/templates/enterprise_feeds_secret.yaml index f956527a..72992d9e 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_secret.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_secret.yaml @@ -1,4 +1,4 @@ -{{- if not .Values.anchoreEnterpriseFeeds.existingSecret }} +{{- if not .Values.anchoreGlobal.useExistingSecrets }} {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} apiVersion: v1 kind: Secret diff --git a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml index 4f8a0f07..1c770340 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml @@ -82,9 +82,9 @@ spec: {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} - {{- if .Values.anchoreEnterpriseFeeds.existingSecret }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} - secretRef: - name: {{ .Values.anchoreEnterpriseFeeds.existingSecret }} + name: {{ .Values.anchoreEnterpriseFeeds.existingSecretName }} {{- else }} - secretRef: name: {{ include "anchore-engine.enterprise-feeds.fullname" . }} diff --git a/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml b/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml index 2d58f0b7..e2aa4db4 100644 --- a/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml 
@@ -95,9 +95,9 @@ spec: name: notify envFrom: {{- if not .Values.inject_secrets_via_env }} - {{- if .Values.anchoreGlobal.existingSecret }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} - secretRef: - name: {{ .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecretName }} {{- else }} - secretRef: name: {{ include "anchore-engine.fullname" . }} @@ -173,9 +173,9 @@ spec: - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_authorizer envFrom: {{- if not .Values.inject_secrets_via_env }} - {{- if .Values.anchoreGlobal.existingSecret }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} - secretRef: - name: {{ .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecretName }} {{- else }} - secretRef: name: {{ include "anchore-engine.fullname" . }} diff --git a/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml b/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml index e8f50720..c466ed74 100644 --- a/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml @@ -95,9 +95,9 @@ spec: name: rbac envFrom: {{- if not .Values.inject_secrets_via_env }} - {{- if .Values.anchoreGlobal.existingSecret }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} - secretRef: - name: {{ .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecretName }} {{- else }} - secretRef: name: {{ include "anchore-engine.fullname" . }} 
@@ -172,9 +172,9 @@ spec: - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_authorizer envFrom: {{- if not .Values.inject_secrets_via_env }} - {{- if .Values.anchoreGlobal.existingSecret }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} - secretRef: - name: {{ .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecretName }} {{- else }} - secretRef: name: {{ include "anchore-engine.fullname" . }} diff --git a/stable/anchore-engine/templates/enterprise_reports_deployment.yaml b/stable/anchore-engine/templates/enterprise_reports_deployment.yaml index 07c1c2d8..39facbd4 100644 --- a/stable/anchore-engine/templates/enterprise_reports_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_reports_deployment.yaml @@ -95,9 +95,9 @@ spec: name: reports envFrom: {{- if not .Values.inject_secrets_via_env }} - {{- if .Values.anchoreGlobal.existingSecret }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} - secretRef: - name: {{ .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecretName }} {{- else }} - secretRef: name: {{ include "anchore-engine.fullname" . }} diff --git a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml index 813b9f69..40ca7e5c 100644 --- a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml 
@@ -56,7 +56,7 @@ spec: {{- with .Values.anchoreEnterpriseUi.annotations }} {{ toYaml . | nindent 8 }} {{- end }} - {{- if not (or .Values.inject_secrets_via_env .Values.anchoreEnterpriseUi.existingSecret) }} + {{- if not (or .Values.inject_secrets_via_env .Values.anchoreGlobal.useExistingSecrets) }} checksum/secrets: {{ include (print $.Template.BasePath "/enterprise_ui_secret.yaml") . | sha256sum }} {{- end }} checksum/ui-config: {{ include (print $.Template.BasePath "/enterprise_ui_configmap.yaml") . | sha256sum }} @@ -95,10 +95,6 @@ spec: args: - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh node /home/node/aui/build/server.js env: - {{- if and (not (index .Values "anchoreEnterpriseUi" "existingSecret")) (not (index .Values "ui-redis" "externalEndpoint")) }} - - name: ANCHORE_REDIS_URI - value: redis://nouser:{{ index .Values "ui-redis" "auth" "password" }}@{{ template "redis.fullname" . }}-master:6379 - {{- end }} {{ if .Values.anchoreGlobal.dbConfig.ssl }} - name: PGSSLROOTCERT value: /home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} @@ -115,14 +111,12 @@ spec: {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} - {{- if .Values.anchoreEnterpriseUi.existingSecret }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} - secretRef: - name: {{ .Values.anchoreEnterpriseUi.existingSecret }} + name: {{ .Values.anchoreEnterpriseUi.existingSecretName }} {{- else }} - secretRef: name: {{ include "anchore-engine.enterprise-ui.fullname" . }} - - secretRef: - name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} {{- end }} {{- end }} ports: diff --git a/stable/anchore-engine/templates/enterprise_ui_secret.yaml b/stable/anchore-engine/templates/enterprise_ui_secret.yaml index 9ffa109b..bbe9b393 100644 --- a/stable/anchore-engine/templates/enterprise_ui_secret.yaml +++ b/stable/anchore-engine/templates/enterprise_ui_secret.yaml 
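Review bot: Dropping the `-admin-pass` `secretRef` from the UI container's `envFrom` changes what the UI pod can see — in the chart-managed branch it no longer receives `ANCHORE_ADMIN_PASSWORD` in its environment — and neither the commit message nor the template says whether that was intended. If the UI does not need the admin credential this is a welcome least-privilege reduction that deserves a comment such as `{{/* the UI only needs ANCHORE_APPDB_URI and ANCHORE_REDIS_URI; the admin password is deliberately not loaded here */}}`; if it does, the chart-managed branch is now broken while the `useExistingSecrets` branch works only if the operator put that key into the secret named by `anchoreEnterpriseUi.existingSecretName`. The README example for the UI secret added later in this series also omits the admin password, so whichever answer is correct should be recorded in both places.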
@@ -1,4 +1,4 @@ -{{- if not .Values.anchoreEnterpriseUi.existingSecret }} +{{- if not .Values.anchoreGlobal.useExistingSecrets }} {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseUi.enabled }} apiVersion: v1 kind: Secret @@ -19,7 +19,6 @@ stringData: {{- else }} ANCHORE_APPDB_URI: 'postgresql://{{ ternary (index .Values "anchoreEnterpriseUi" "dbUser") (index .Values "postgresql" "postgresUser") (hasKey .Values.anchoreEnterpriseUi "dbUser" ) }}:{{ ternary (index .Values "anchoreEnterpriseUi" "dbPass") (index .Values "postgresql" "postgresPassword") (hasKey .Values.anchoreEnterpriseUi "dbPass" ) }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}' {{- end }} - {{- if and (index .Values "ui-redis" "externalEndpoint") (not (index .Values "ui-redis" "enabled")) }} ANCHORE_REDIS_URI: '{{ index .Values "ui-redis" "externalEndpoint" }}' {{- else }} diff --git a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml index b36e1867..279bb0ba 100644 --- a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml @@ -82,9 +82,9 @@ spec: {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} - {{- if .Values.anchoreGlobal.existingSecret }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} - secretRef: - name: {{ .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecretName }} {{- else }} - secretRef: name: {{ include "anchore-engine.fullname" . }} diff --git a/stable/anchore-engine/templates/policy_engine_deployment.yaml b/stable/anchore-engine/templates/policy_engine_deployment.yaml index 8deea2b9..5e76cfd5 100644 --- a/stable/anchore-engine/templates/policy_engine_deployment.yaml +++ b/stable/anchore-engine/templates/policy_engine_deployment.yaml 
@@ -122,9 +122,9 @@ spec: {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} - {{- if .Values.anchoreGlobal.existingSecret }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} - secretRef: - name: {{ .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecretName }} {{- else }} - secretRef: name: {{ include "anchore-engine.fullname" . }} diff --git a/stable/anchore-engine/templates/simplequeue_deployment.yaml b/stable/anchore-engine/templates/simplequeue_deployment.yaml index 6b05b403..b32198dc 100644 --- a/stable/anchore-engine/templates/simplequeue_deployment.yaml +++ b/stable/anchore-engine/templates/simplequeue_deployment.yaml @@ -108,9 +108,9 @@ spec: {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} - {{- if .Values.anchoreGlobal.existingSecret }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} - secretRef: - name: {{ .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecretName }} {{- else }} - secretRef: name: {{ include "anchore-engine.fullname" . }} From 90198708da47b090f4355114c783efff2d8e9a08 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 6 Jan 2023 18:41:33 -0800 Subject: [PATCH 054/329] add default values and readme explaining how to use external secrets Signed-off-by: Brady Todhunter --- stable/anchore-engine/README.md | 74 ++++++++++++++++++++++--------- stable/anchore-engine/values.yaml | 22 +++++---- 2 files changed, 64 insertions(+), 32 deletions(-) diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 33704b5f..da8e26cd 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md 
@@ -609,29 +609,63 @@ anchoreApi: ## Utilize an Existing Secret -Secrets should be created prior to running `helm install`. These can be used to override the secret provisioned by the Helm chart, preventing plain text passwords in your values.yaml file. +Rather than passing secrets into the Helm values file directly, users can create secrets in the namespace prior to deploying this Helm chart. When using existing secrets, the chart will load environment variables into deployments from the secret names specified by the following values: + +* `.Values.anchoreGlobal.existingSecretName` [default: anchore-engine-env] +* `.Values.anchoreEnterpriseFeeds.existingSecretName` [default: anchore-enterprise-feeds-env] +* `.Values.anchoreEnterpriseUi.existingSecretName` [default: anchore-enterprise-ui-env] + +To use existing secrets, set the following in your values file: ```yaml anchoreGlobal: - # The secret should define the following environment vars: - # ANCHORE_ADMIN_PASSWORD - # ANCHORE_DB_PASSWORD - # ANCHORE_SAML_SECRET (if applicable) - existingSecret: "anchore-engine-secrets" - - -anchoreEnterpriseFeeds: - # The secret should define the following environment vars: - # ANCHORE_ADMIN_PASSWORD - # ANCHORE_FEEDS_DB_PASSWORD - # ANCHORE_SAML_SECRET (if applicable) - existingSecret: "anchore-feeds-secrets" - -anchoreEnterpriseUI: - # This secret should define the following ENV vars - # ANCHORE_APPDB_URI - # ANCHORE_REDIS_URI - existingSeccret: "anchore-ui-secrets" + useExistingSecrets: true +``` + +Create the following secrets: +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: anchore-engine-env +type: Opaque +stringData: + ANCHORE_ADMIN_PASSWORD: foobar1234 + ANCHORE_DB_NAME: anchore + ANCHORE_DB_USER: anchoreuser + ANCHORE_DB_HOST: anchore-db.example.com:5432 + ANCHORE_DB_PASSWORD: foobar1234 + # (if applicable) ANCHORE_SAML_SECRET: foobar,saml1234 + +--- +apiVersion: v1 +kind: Secret +metadata: + name: anchore-enterprise-feeds-env +type: Opaque +stringData: + 
ANCHORE_ADMIN_PASSWORD: foobar1234 + ANCHORE_FEEDS_DB_NAME: anchore-feeds + ANCHORE_FEEDS_DB_USER: anchorefeedsuser + ANCHORE_FEEDS_DB_PASSWORD: foobar1234 + ANCHORE_FEEDS_DB_HOST: anchorefeeds-db.example.com:5432 + # (if applicable) ANCHORE_SAML_SECRET: foobar,saml1234 + # (if applicable) ANCHORE_MSRC_KEY: foobar1234 + # (if applicable) ANCHORE_GITHUB_TOKEN: foobar1234 + # (if applicable) ANCHORE_GEM_DB_NAME: anchore-gems + # (if applicable) ANCHORE_GEM_DB_USER: anchoregemsuser + # (if applicable) ANCHORE_GEM_DB_PASSWORD: foobar1234 + # (if applicable) ANCHORE_GEM_DB_HOST: anchorefeeds-gem-db.example.com:5432 + +--- +apiVersion: v1 +kind: Secret +metadata: + name: anchore-enterprise-feeds-env +type: Opaque +stringData: + ANCHORE_APPDB_URI: postgresql://anchoreuiuser:foobar1234@anchore-db.example.com:5432/anchore + ANCHORE_REDIS_URI: redis://nouser:foobar1234@redis.example.com:6379 ``` ## Install using an existing/external PostgreSQL instance diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 9a0e9bdb..6f31164f 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -135,12 +135,12 @@ anchoreGlobal: # - name: foo # value: bar - # Specifies an existing secret to be used for admin and db passwords - # The secret should define the following environment vars: - # ANCHORE_ADMIN_PASSWORD - # ANCHORE_DB_PASSWORD - # ANCHORE_SAML_SECRET (if applicable) - existingSecret: Null + # When useExistingSecrets is set to `true` the chart will not create secrets specifying the environment variables used in deployments. + # Instead, the chart will use secrets that have already been applied to the namespace that this chart is being deployed to. + useExistingSecrets: false + + # Set the name of your existing secret for all Anchore Engine components + existingSecretName: anchore-engine-env # does `source {{ filePath }}` before starting services doSourceAtEntry: 
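Review bot: The comment on `useExistingSecrets` should say that the switch is global: setting it to `true` stops the chart from rendering the engine, admin-password, feeds and UI Secrets at once, so all three secrets named by the `existingSecretName` values must already exist in the release namespace, otherwise the kubelet refuses to start the containers (surfaced as `CreateContainerConfigError`) instead of falling back to chart-managed values. Failing closed is the right behaviour for credentials, but operators should not learn it from a stuck rollout; suggested wording: `# Global switch: when true the chart renders none of its Secrets and every component loads its env from the secret named by its existingSecretName, which must exist before install (pods will not start otherwise).` It is also worth stating that the API deployment reads `ANCHORE_ADMIN_PASSWORD` from this secret for `ANCHORE_CLI_PASS`, so that key is mandatory, and that the default name `anchore-engine-env` is only a convention, not a Secret the chart creates.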
@@ -838,7 +838,8 @@ anchoreEnterpriseFeeds: # ANCHORE_SAML_SECRET (if applicable) # ANCHORE_GITHUB_TOKEN (if applicable) - existingSecret: Null + # Set the name of your existing secret for Anchore Enterprise Feeds + existingSecretName: anchore-enterprise-feeds-env # Configure the database connection within anchore-engine & enterprise-ui. This may get split into 2 different configurations based on service utilized. dbConfig: @@ -1083,11 +1084,8 @@ anchoreEnterpriseUi: # Specify the service account name utilized to run the UI pods # serviceAccountName: Null - # Specifies an existing secret to be used for db and redis endpoints - # This secret should define the following ENV vars - # ANCHORE_APPDB_URI - # ANCHORE_REDIS_URI - existingSecret: Null + # Set the name of your existing secret for the Anchore Enterprise UI + existingSecretName: anchore-enterprise-ui-env # Specify configurations for database connection user # This should specifically allow overriding and separation of the ui database user From 7d6e719da7c14652cbfc105979c471a1fd70b51b Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 6 Jan 2023 18:49:04 -0800 Subject: [PATCH 055/329] bump chart version Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index d5e50555..9f668f3f 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.20.5 +version: 1.21.0 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: From 57f9af284c71b5a99defd121e7b5ffa8ba5bcf47 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Mon, 9 Jan 2023 16:03:48 -0800 Subject: [PATCH 056/329] add changelog to readme Signed-off-by: Brady Todhunter --- stable/anchore-engine/README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) 
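Review bot: The replaced comment above `anchoreEnterpriseUi.existingSecretName` used to list the keys the secret must define (`ANCHORE_APPDB_URI`, `ANCHORE_REDIS_URI`), and the new one-liner drops that, so the only place the contract is written is the README; keep it in the values file, e.g. `# The secret must define ANCHORE_APPDB_URI and ANCHORE_REDIS_URI (the UI deployment loads it via envFrom).` The feeds hunk has the opposite problem: the surviving context lines `# ANCHORE_SAML_SECRET (if applicable)` / `# ANCHORE_GITHUB_TOKEN (if applicable)` are the tail of an older key list whose head lies above the hunk, and that list now appears incomplete because the feeds secret template in this series also sets `ANCHORE_FEEDS_DB_HOST`, `ANCHORE_FEEDS_DB_USER`, `ANCHORE_FEEDS_DB_NAME` and `ANCHORE_FEEDS_DB_PASSWORD`. Both lists should be brought into line with the templates, since an operator who follows the stale comment presumably ends up with a feeds service that has no database host to connect to.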
diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index da8e26cd..afb81175 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -247,6 +247,16 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. +## Chart version 1.21.0 + +* Revamped how the chart is configured when using existing secrets. Users upgrading from a previous chart version will need to update their values file to match the new convention. Update the following in your values file: + * Set `.Values.anchoreGlobal.useExistingSecrets=true` + * Update the following keys: + * `.Values.anchoreGlobal.existingSecret` -> `.Values.anchoreGlobal.existingSecretName` + * `.Values.anchoreEnterpriseFeeds.existingSecret` -> `.Values.anchoreEnterpriseFeeds.existingSecretName` + * `.Values.anchoreEnterpriseUi.existingSecret` -> `.Values.anchoreEnterpriseUi.existingSecretName` +* See the [existing secrets section](#utilize-an-existing-secret) for more details. + ## Chart version 1.20.1 * Anchore Enterprise image update to v4.3.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/430/). From 311d650a956ff4ba5da4bda809f6df7603472db6 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Mon, 9 Jan 2023 16:20:53 -0800 Subject: [PATCH 057/329] use a helper template for constructing the feeds db hostname 
Signed-off-by: Brady Todhunter --- stable/anchore-engine/templates/_helpers.tpl | 16 +++++++++++++++- .../templates/enterprise_feeds_secret.yaml | 8 +------- 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index 47fb8d24..329194b0 100755 --- a/stable/anchore-engine/templates/_helpers.tpl +++ b/stable/anchore-engine/templates/_helpers.tpl @@ -398,7 +398,21 @@ Return Anchore Engine default admin password {{- end -}} {{/* -Create database hostname string from supplied values file. Used for the enterprise-ui ANCHORE_APPDB_URI environment variable secret +Create feeds database hostname string from supplied values file. Used for setting the ANCHORE_FEEDS_DB_HOST env var in the Feeds secret. +*/}} +{{- define "feeds-db-hostname" }} + {{- if and (index .Values "anchore-feeds-db" "externalEndpoint") (not (index .Values "anchore-feeds-db" "enabled")) }} + {{- print ( index .Values "anchore-feeds-db" "externalEndpoint" ) }} + {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "anchore-feeds-db" "enabled")) }} + {{- print "localhost:5432" }} + {{- else }} + {{- $db_host := include "postgres.anchore-feeds-db.fullname" . }} + {{- printf "%s:5432" $db_host -}} + {{- end }} +{{- end }} + +{{/* +Create database hostname string from supplied values file. Used for setting the ANCHORE_DB_HOST env var in the UI & Engine secret. */}} {{- define "db-hostname" }} {{- if and (index .Values "postgresql" "externalEndpoint") (not (index .Values "postgresql" "enabled")) }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_secret.yaml b/stable/anchore-engine/templates/enterprise_feeds_secret.yaml index 72992d9e..b09090e0 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_secret.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_secret.yaml 
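Review bot: The `cloudsql` branch of `feeds-db-hostname` returns `localhost:5432` without any check that the feeds pod actually carries the Cloud SQL proxy sidecar, so a mis-scoped `cloudsql.enabled` quietly points the feeds service at a port nothing listens on; the helper cannot verify that from here, but the assumption should be written down: `{{/* cloudsql: assumes the proxy sidecar is injected into the feeds pod and listens on 5432 — see the feeds deployment */}}`. The rewritten comment on `db-hostname` says it sets `ANCHORE_DB_HOST` in the UI and engine secrets, yet the UI secret in this series uses it inside `ANCHORE_APPDB_URI`, so `Used for ANCHORE_DB_HOST in the engine secret and for the host part of ANCHORE_APPDB_URI in the UI secret` would be more accurate. The body of `db-hostname` continues past the end of the hunk.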
@@ -17,13 +17,7 @@ stringData: ANCHORE_FEEDS_DB_NAME: {{ index .Values "anchore-feeds-db" "postgresDatabase" | quote }} ANCHORE_FEEDS_DB_USER: {{ index .Values "anchore-feeds-db" "postgresUser" | quote }} ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }} - {{- if and (index .Values "anchore-feeds-db" "externalEndpoint") (not (index .Values "anchore-feeds-db" "enabled")) }} - ANCHORE_FEEDS_DB_HOST: {{ index .Values "anchore-feeds-db" "externalEndpoint" | quote }} - {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "anchore-feeds-db" "enabled")) }} - ANCHORE_FEEDS_DB_HOST: "localhost:5432" - {{- else }} - ANCHORE_FEEDS_DB_HOST: "{{ template "postgres.anchore-feeds-db.fullname" . }}:5432" - {{- end }} + ANCHORE_FEEDS_DB_HOST: "{{ template "feeds-db-hostname" . }}" {{- with .Values.anchoreGlobal.saml.secret }} ANCHORE_SAML_SECRET: {{ . }} {{- end }} From e9cb96563a668fbfa1671aef931bfad441e8ac1c Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Mon, 9 Jan 2023 17:09:26 -0800 Subject: [PATCH 058/329] be smarter about setting ANCHORE_CLI_PASS using existing secrets Signed-off-by: Brady Todhunter --- stable/anchore-engine/templates/api_deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/templates/api_deployment.yaml b/stable/anchore-engine/templates/api_deployment.yaml index dbf64e20..903da784 100644 --- a/stable/anchore-engine/templates/api_deployment.yaml +++ b/stable/anchore-engine/templates/api_deployment.yaml @@ -136,7 +136,7 @@ spec: - name: ANCHORE_CLI_PASS valueFrom: secretKeyRef: - name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecretName }} + name: {{ ternary .Values.anchoreGlobal.existingSecretName (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.useExistingSecrets }} key: ANCHORE_ADMIN_PASSWORD {{- end }} ports: 
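Review bot: `ANCHORE_SAML_SECRET: {{ . }}` two lines below the changed `ANCHORE_FEEDS_DB_HOST` entry is the only value in this `stringData` block that is not passed through `quote`, so a SAML secret that happens to be all digits is emitted as a YAML integer and rejected by the API server (stringData requires strings), and one containing ` #` or `: ` is silently truncated or breaks the document. Make it consistent with its neighbours: `ANCHORE_SAML_SECRET: {{ . | quote }}`. The same pattern may exist in the engine secret template, which is outside this hunk.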
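Review bot: With `ternary` the secret name is now chosen by the same switch as the rest of the chart, but `secretKeyRef` here has no `optional`, so a user-supplied secret that lacks the `ANCHORE_ADMIN_PASSWORD` key blocks the API container from starting — correct fail-closed behaviour for a credential, and worth a line so it is not mistaken for a chart bug: `# ANCHORE_ADMIN_PASSWORD must be present in the referenced secret; the pod does not start without it`. The `{{- if` that encloses the `ANCHORE_CLI_PASS` entry begins before this hunk.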
From 3db2bdee633b95c7b68f8f8782b4339975cb85c3 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Tue, 10 Jan 2023 09:49:58 -0800 Subject: [PATCH 059/329] fix typo in readme, update existing secrets to use values from redis/postgres helm charts Signed-off-by: Brady Todhunter --- stable/anchore-engine/README.md | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index afb81175..60178511 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -634,6 +634,9 @@ anchoreGlobal: Create the following secrets: ```yaml +# These secrets will work as-is when using helm deployed redis/postgresql with the default chart values and a helm release name of `anchore`. When utilizing these secrets, users are expected to update the environment variables with appropriate configurations for their environment. + +--- apiVersion: v1 kind: Secret metadata: @@ -642,9 +645,9 @@ type: Opaque stringData: ANCHORE_ADMIN_PASSWORD: foobar1234 ANCHORE_DB_NAME: anchore - ANCHORE_DB_USER: anchoreuser - ANCHORE_DB_HOST: anchore-db.example.com:5432 - ANCHORE_DB_PASSWORD: foobar1234 + ANCHORE_DB_USER: anchoreengine + ANCHORE_DB_HOST: anchore-postgresql:5432 + ANCHORE_DB_PASSWORD: anchore-postgres,123 # (if applicable) ANCHORE_SAML_SECRET: foobar,saml1234 --- 
@@ -656,12 +659,12 @@ type: Opaque stringData: ANCHORE_ADMIN_PASSWORD: foobar1234 ANCHORE_FEEDS_DB_NAME: anchore-feeds - ANCHORE_FEEDS_DB_USER: anchorefeedsuser - ANCHORE_FEEDS_DB_PASSWORD: foobar1234 - ANCHORE_FEEDS_DB_HOST: anchorefeeds-db.example.com:5432 + ANCHORE_FEEDS_DB_USER: anchoreengine + ANCHORE_FEEDS_DB_PASSWORD: anchore-postgres,123 + ANCHORE_FEEDS_DB_HOST: anchore-anchore-feeds-db:5432 # (if applicable) ANCHORE_SAML_SECRET: foobar,saml1234 - # (if applicable) ANCHORE_MSRC_KEY: foobar1234 - # (if applicable) ANCHORE_GITHUB_TOKEN: foobar1234 + # (if applicable) ANCHORE_MSRC_KEY: foobar,msrc1234 + # (if applicable) ANCHORE_GITHUB_TOKEN: foobar,github1234 # (if applicable) ANCHORE_GEM_DB_NAME: anchore-gems # (if applicable) ANCHORE_GEM_DB_USER: anchoregemsuser # (if applicable) ANCHORE_GEM_DB_PASSWORD: foobar1234 @@ -671,11 +674,11 @@ stringData: apiVersion: v1 kind: Secret metadata: - name: anchore-enterprise-feeds-env + name: anchore-enterprise-ui-env type: Opaque stringData: - ANCHORE_APPDB_URI: postgresql://anchoreuiuser:foobar1234@anchore-db.example.com:5432/anchore - ANCHORE_REDIS_URI: redis://nouser:foobar1234@redis.example.com:6379 + ANCHORE_APPDB_URI: postgresql://anchoreengine:anchore-postgres,123@anchore-postgresql:5432/anchore + ANCHORE_REDIS_URI: redis://nouser:anchore-redis,123@anchore-ui-redis-master:6379 ``` ## Install using an existing/external PostgreSQL instance From fb8e3cb5f80beaa534f9b5b32c56e1b5f5f70782 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Tue, 10 Jan 2023 14:34:58 -0800 Subject: [PATCH 060/329] add more details to 1.20.0 changelog for migrating existing secrets Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/README.md | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 9f668f3f..a57beb2f 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml 
@@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.21.0 +version: 1.21.1 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 60178511..9505cdd2 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -251,6 +251,15 @@ The upgrade will only be considered successful when this job completes successfu * Revamped how the chart is configured when using existing secrets. Users upgrading from a previous chart version will need to update their values file to match the new convention. Update the following in your values file: * Set `.Values.anchoreGlobal.useExistingSecrets=true` + * Update your existing secrets to include all environment variables used by deployments + * Add to the secret specified in `.Values.anchoreGlobal.existingSecretName`: + * ANCHORE_DB_HOST + * ANCHORE_DB_USER + * ANCHORE_DB_NAME + * Add to secret specified in `.Values.anchoreEnterpriseFeeds.existingSecretName`: + * ANCHORE_FEEDS_DB_HOST + * ANCHORE_FEEDS_DB_USER + * ANCHORE_FEEDS_DB_NAME * Update the following keys: * `.Values.anchoreGlobal.existingSecret` -> `.Values.anchoreGlobal.existingSecretName` * `.Values.anchoreEnterpriseFeeds.existingSecret` -> `.Values.anchoreEnterpriseFeeds.existingSecretName` From 7799d39c2f41ca7af8fde81dacbf261b8c29827e Mon Sep 17 00:00:00 2001 From: Nicolas Degory Date: Thu, 12 Jan 2023 13:27:16 -0800 Subject: [PATCH 061/329] feat: [anchore-admission-controller] allow to set an image pull secret Signed-off-by: Nicolas Degory --- stable/anchore-admission-controller/README.md | 8 ++++++-- .../templates/deployment.yaml | 6 ++++++ .../templates/init-ca/init-ca-hook.yaml | 8 +++++++- stable/anchore-admission-controller/values.yaml | 5 +++++ 4 files changed, 24 insertions(+), 3 deletions(-) 
diff --git a/stable/anchore-admission-controller/README.md b/stable/anchore-admission-controller/README.md index 9389eea9..7c5579a9 100644 --- a/stable/anchore-admission-controller/README.md +++ b/stable/anchore-admission-controller/README.md @@ -75,11 +75,13 @@ It will remove kubernetes objects which are not removed by a helm delete. Pass t |---|---|---|---| |logVerbosity | int | 6 | log verbosity of controller, 1 = error, 2 warn, 3 debug.... |---|---|---|---| -|image | str | release tag | Tag including registry and repository for image to use +|image | str | release tag | Tag including registry and repository for image to use |---|---|---|---| |imagePullPolicy | str | IfNotPresent | Standard k8s pull policy setting |---|---|---|---| -|service.name | str | anchoreadmissioncontroller | Name for the svc instance +|imagePullSecrets | array | [] | Image pull secrets +|---|---|---|---| +|service.name | str | anchoreadmissioncontroller | Name for the svc instance |---|---|---|---| |service.type | str | ClusterIp | Type to use for k8s service definition |---|---|---|---| @@ -99,6 +101,8 @@ It will remove kubernetes objects which are not removed by a helm delete. Pass t |---|---|---|---| |requestAnalysis | boolean | true | Ask anchore to analyze an image that isn't already analyzed |---|---|---|---| +|initCa.image | str | cfssl/cfssl:latest | Tag including registry and repository for the initCa image +|---|---|---|---| |initCa.extraEnv | array | [] | Define custom environment variables to pass to init-ca pod | |---|---|---|---| diff --git a/stable/anchore-admission-controller/templates/deployment.yaml b/stable/anchore-admission-controller/templates/deployment.yaml index 7c062b15..ad1515d3 100644 --- a/stable/anchore-admission-controller/templates/deployment.yaml +++ b/stable/anchore-admission-controller/templates/deployment.yaml 
@@ -33,6 +33,12 @@ spec: - name: anchore-auth secret: secretName: {{ if .Values.existingCredentialsSecret }}{{ .Values.existingCredentialsSecret }}{{ else }}{{ template "anchore-admission-controller.fullname" . }}{{ end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} containers: - name: {{ .Chart.Name }} image: "{{ .Values.image }}" diff --git a/stable/anchore-admission-controller/templates/init-ca/init-ca-hook.yaml b/stable/anchore-admission-controller/templates/init-ca/init-ca-hook.yaml index 7a4a6e4c..b7862975 100644 --- a/stable/anchore-admission-controller/templates/init-ca/init-ca-hook.yaml +++ b/stable/anchore-admission-controller/templates/init-ca/init-ca-hook.yaml @@ -21,9 +21,15 @@ spec: - name: init-ca-script configMap: name: {{.Release.Name}}-init-ca + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} containers: - name: create-ca - image: "cfssl/cfssl:latest" + image: "{{ .Values.initCa.image }}" command: - bash - -xe diff --git a/stable/anchore-admission-controller/values.yaml b/stable/anchore-admission-controller/values.yaml index ccf0b3ac..8f70b210 100644 --- a/stable/anchore-admission-controller/values.yaml +++ b/stable/anchore-admission-controller/values.yaml @@ -7,6 +7,10 @@ logVerbosity: 3 image: "anchore/kubernetes-admission-controller:v0.4.0" imagePullPolicy: IfNotPresent +# ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# imagePullSecrets: +# - secretName service: name: anchoreadmissioncontroller @@ -103,6 +107,7 @@ credentials: {} # Settings related to init-ca pod initCa: + image: cfssl/cfssl:latest # Define custom environment variables to pass to init-ca pod extraEnv: [] # - name: FOO From 7b8cad98284782ceb604a78475759397919e4e36 Mon Sep 17 00:00:00 2001 
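Review bot: The new `imagePullSecrets` range in this deployment.yaml hunk, and the identical one in the init-ca-hook.yaml hunk on the same commit, render each entry as `- name: {{ . }}` unquoted, so a secret name that YAML types as something other than a string (an all-digit name, or a value like `no`) is emitted as that type and the manifest is rejected at apply time. Emitting `- name: {{ . | quote }}` keeps every list entry a string. The commented example in values.yaml (`# - secretName`) is the shape users will copy, so it should show the quoted form as well.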
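Review bot: The `initCa.image` default `cfssl/cfssl:latest` in the values.yaml hunk leaves the hook that generates the admission webhook's CA on a mutable tag, so the image content can change between two installs of the same chart version and cannot be reproduced or audited afterwards. Now that the value is templated into init-ca-hook.yaml, the default should be a released version or a digest, e.g. `image: cfssl/cfssl:<pinned version or @sha256:digest>`, and the README row added for `initCa.image` should state that a pinned reference is expected.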
From: Nicolas Degory Date: Thu, 12 Jan 2023 13:14:16 -0800 Subject: [PATCH 062/329] feat: [anchore-admission-controller] update kubeVersion for EKS compatibility Signed-off-by: Nicolas Degory --- stable/anchore-admission-controller/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/anchore-admission-controller/Chart.yaml b/stable/anchore-admission-controller/Chart.yaml index d74a6bd2..8f93b04c 100644 --- a/stable/anchore-admission-controller/Chart.yaml +++ b/stable/anchore-admission-controller/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: anchore-admission-controller -version: 0.4.3 +version: 0.4.4 appVersion: 0.4.0 description: A kubernetes admission controller for validating and mutating webhooks that operates against Anchore Engine to make access decisions and annotations home: https://github.com/anchore/kubernetes-admission-controller @@ -10,4 +10,4 @@ maintainers: - name: btodhunter email: bradyt@anchore.com icon: https://anchoreprd.wpengine.com/wp-content/uploads/2021/12/favicon.png -kubeVersion: ^1.19.0 +kubeVersion: ^1.19.0-0 From 93cdaf55c0d73bc1779959ff219ef9490ae8c173 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 18 Jan 2023 15:55:31 -0800 Subject: [PATCH 063/329] Create CODEOWNERS --- CODEOWNERS | 1 + 1 file changed, 1 insertion(+) create mode 100644 CODEOWNERS diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 00000000..8262433a --- /dev/null +++ b/CODEOWNERS @@ -0,0 +1 @@ +* @anchore/devops From bdd363d2c921b1cbe0bcfb339f6ecb658f7226cb Mon Sep 17 00:00:00 2001 From: Ben Lang Date: Fri, 13 Jan 2023 11:52:02 -0700 Subject: [PATCH 064/329] Added configuration for additional ubuntu release feed groups Signed-off-by: Ben Lang --- stable/anchore-engine/Chart.yaml | 2 +- .../anchore-engine/templates/enterprise_feeds_configmap.yaml | 4 ++++ stable/anchore-engine/values.yaml | 4 ++++ 3 files changed, 9 insertions(+), 1 deletion(-) 
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index a57beb2f..aa8f9cd4 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.21.1 +version: 1.21.2 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index 1ad266fc..5cc8c8a4 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml @@ -132,6 +132,10 @@ data: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.olDriverEnabled | quote) }} ubuntu: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.ubuntuDriverEnabled | quote) }} + {{- if .Values.anchoreEnterpriseFeeds.ubuntuExtraReleases }} + releases: + {{- toYaml .Values.anchoreEnterpriseFeeds.ubuntuExtraReleases | nindent 14 }} + {{- end }} rhel: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.rhelDriverEnabled | quote) }} concurrency: {{ .Values.anchoreEnterpriseFeeds.rhelDriverConcurrency }} diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 6f31164f..ed140385 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -816,6 +816,10 @@ anchoreEnterpriseFeeds: # msrcWhitelist: # - 12345 + # Additional Ubuntu feed groups + # ubuntuExtraReleases: + # kinetic: '22.10' + # The number of concurrent threads used when downloading RHEL feeds rhelDriverConcurrency: 5 From b1e7fe4b042d3fb81da000def25bf718be267e17 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 18 Jan 2023 16:07:57 -0800 Subject: [PATCH 065/329] set ubuntuExtraReleases to an empty dict 
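Review bot: The commented example `# kinetic: '22.10'` in the values.yaml hunk shows the version quoted but nothing says why, and the configmap hunk passes the map through `toYaml` verbatim, so a user who writes `kinetic: 22.10` gets the float `22.1` rendered into the feeds driver config. Add a line above the example such as `# Release versions must be quoted strings: an unquoted 22.10 is parsed as the float 22.1`. The same note applies to the `debianExtraReleases` example (`trixie: '13'`) added in PATCH 066.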
Signed-off-by: Brady Todhunter --- stable/anchore-engine/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index ed140385..bea29b95 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -817,7 +817,7 @@ anchoreEnterpriseFeeds: # - 12345 # Additional Ubuntu feed groups - # ubuntuExtraReleases: + ubuntuExtraReleases: {} # kinetic: '22.10' # The number of concurrent threads used when downloading RHEL feeds From 08af6cdd5ddbf377b96c6780eb5516d23d1ef459 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 18 Jan 2023 16:20:08 -0800 Subject: [PATCH 066/329] add debian extra releases config Signed-off-by: Brady Todhunter --- .../anchore-engine/templates/enterprise_feeds_configmap.yaml | 4 ++++ stable/anchore-engine/values.yaml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index 5cc8c8a4..9ad96f8c 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml @@ -128,6 +128,10 @@ data: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.centosDriverEnabled | quote) }} debian: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.debianDriverEnabled | quote) }} + {{- if .Values.anchoreEnterpriseFeeds.debianExtraReleases }} + releases: + {{- toYaml .Values.anchoreEnterpriseFeeds.debianExtraReleases | nindent 14 }} + {{- end }} ol: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.olDriverEnabled | quote) }} ubuntu: diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index bea29b95..dac2d9ef 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml 
@@ -820,6 +820,10 @@ anchoreEnterpriseFeeds: ubuntuExtraReleases: {} # kinetic: '22.10' + # Additional Debian feeds groups + debianExtraReleases: {} + # trixie: '13' + # The number of concurrent threads used when downloading RHEL feeds rhelDriverConcurrency: 5 From beaf165f85ad4419b5ec099f9cde92cce65a69d4 Mon Sep 17 00:00:00 2001 From: Kaizhe Huang Date: Fri, 20 Jan 2023 04:52:39 +0000 Subject: [PATCH 067/329] init Signed-off-by: Kaizhe Huang template labels Signed-off-by: Kaizhe Huang remove file Signed-off-by: Kaizhe Huang remove anchore engine changes Signed-off-by: Kaizhe Huang --- .../templates/deployment.yaml | 6 ++++++ .../templates/init-ca/init-ca-hook.yaml | 18 +++++++++++++++--- .../templates/webhook.yaml | 3 ++- .../anchore-admission-controller/values.yaml | 19 +++++++++++++------ 4 files changed, 36 insertions(+), 10 deletions(-) diff --git a/stable/anchore-admission-controller/templates/deployment.yaml b/stable/anchore-admission-controller/templates/deployment.yaml index ad1515d3..ab3a75fa 100644 --- a/stable/anchore-admission-controller/templates/deployment.yaml +++ b/stable/anchore-admission-controller/templates/deployment.yaml @@ -3,6 +3,9 @@ kind: Deployment metadata: name: {{ template "anchore-admission-controller.fullname" . }} labels: {{- include "anchore-admission-controller.labels" . | nindent 4 }} + {{- with .Values.labels}} + {{ toYaml . | nindent 4 }} + {{- end }} annotations: {{- with .Values.annotations }} {{ toYaml . | nindent 4 }} @@ -16,6 +19,9 @@ spec: template: metadata: labels: {{- include "anchore-admission-controller.labels" . | nindent 8 }} + {{- with .Values.labels}} + {{ toYaml . | nindent 8 }} + {{- end }} annotations: {{- with .Values.annotations }} {{ toYaml . | nindent 8 }} diff --git a/stable/anchore-admission-controller/templates/init-ca/init-ca-hook.yaml b/stable/anchore-admission-controller/templates/init-ca/init-ca-hook.yaml index b7862975..2d1c7647 100644 
--- a/stable/anchore-admission-controller/templates/init-ca/init-ca-hook.yaml +++ b/stable/anchore-admission-controller/templates/init-ca/init-ca-hook.yaml @@ -2,7 +2,10 @@ apiVersion: batch/v1 kind: Job metadata: name: "{{ .Release.Name }}-init-ca" - labels: + labels: {{- include "anchore-admission-controller.labels" . | nindent 4 }} + {{- with .Values.labels}} + {{ toYaml . | nindent 4 }} + {{- end }} app: {{ template "anchore-admission-controller.fullname" . }} component: admission-server annotations: @@ -11,7 +14,10 @@ metadata: spec: template: metadata: - labels: + labels: {{- include "anchore-admission-controller.labels" . | nindent 8 }} + {{- with .Values.labels}} + {{ toYaml . | nindent 8 }} + {{- end }} app: {{ template "anchore-admission-controller.fullname" . }} component: admission-server spec: @@ -41,4 +47,10 @@ spec: {{- with .Values.initCa.extraEnv }} {{- toYaml . | nindent 8 }} {{- end }} - + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + cpu: 200m + memory: 200Mi diff --git a/stable/anchore-admission-controller/templates/webhook.yaml b/stable/anchore-admission-controller/templates/webhook.yaml index 6062a4c5..490b1502 100644 --- a/stable/anchore-admission-controller/templates/webhook.yaml +++ b/stable/anchore-admission-controller/templates/webhook.yaml @@ -6,6 +6,8 @@ metadata: labels: {{- include "anchore-admission-controller.labels" . | nindent 4 }} webhooks: - name: {{ template "anchore-admission-controller.name" . }}-admission.anchore.io + admissionReviewVersions: + - v1 clientConfig: service: namespace: default @@ -21,5 +23,4 @@ webhooks: sideEffects: None admissionReviewVersions: - v1 - {{- end }} diff --git a/stable/anchore-admission-controller/values.yaml b/stable/anchore-admission-controller/values.yaml index 8f70b210..89becf71 100644 --- a/stable/anchore-admission-controller/values.yaml +++ b/stable/anchore-admission-controller/values.yaml 
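Review bot: The webhook.yaml hunk at `@@ -6,6 +6,8 @@` adds `admissionReviewVersions` directly under `- name:`, while the context of the following hunk (`sideEffects: None` / `admissionReviewVersions:` / `- v1`) shows the same webhook entry already carries that key, so the rendered manifest has `admissionReviewVersions` twice in one mapping. Most YAML loaders silently keep the last value and strict ones reject the document, and the duplicate is invisible in `helm template` output until something parses it. Keep a single `admissionReviewVersions` entry per webhook.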
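Review bot: The `resources` block added to the init-ca Job in the `@@ -41,4 +47,10 @@` hunk is hard-coded in the template, unlike the controller Deployment which reads `.Values.resources`, so operators on constrained or quota-enforced namespaces cannot adjust the hook's requests and limits without forking the chart. Reading them from a values key under `initCa` (guarded with `{{- with .Values.initCa.resources }}` and rendered with `toYaml`) keeps the chart's convention and lets the defaults live in values.yaml.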
@@ -49,7 +49,7 @@ apiService: operator: NotIn values: ["true"] -anchoreEndpoint: "" +anchoreEndpoint: "https://anchore-api.cloud.aurora.tech/v1/" policySelectors: - Selector: ResourceType: "image" @@ -70,7 +70,13 @@ annotations: {} # vault.security.banzaicloud.io/vault-addr: "https://vault:8200" # vault.security.banzaicloud.io/vault-tls-secret: "vault-tls" -resources: {} +resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 100m + memory: 128Mi # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -93,17 +99,18 @@ tolerations: [] ## Constrain which nodes your pod is eligible to be scheduled on, based on labels on the node ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity affinity: {} +labels: {} # define name of existing secret containing anchore credentials -existingCredentialsSecret: null +existingCredentialsSecret: anchore-secret # or define credentials here to create secrets -credentials: {} - # users: +credentials: + users: # - username: user1 # password: password1 # - username: user2 -# password: password2 + # password: password2 # Settings related to init-ca pod initCa: From ed73f6900311c888e7c9d01fcb8a9d729bc0c22a Mon Sep 17 00:00:00 2001 From: Kaizhe Huang Date: Fri, 20 Jan 2023 20:55:15 +0000 Subject: [PATCH 068/329] revert values Signed-off-by: Kaizhe Huang --- .../templates/webhook.yaml | 2 -- stable/anchore-admission-controller/values.yaml | 14 ++++---------- 2 files changed, 4 insertions(+), 12 deletions(-) diff --git a/stable/anchore-admission-controller/templates/webhook.yaml b/stable/anchore-admission-controller/templates/webhook.yaml index 490b1502..5a7fdc7c 100644 --- a/stable/anchore-admission-controller/templates/webhook.yaml 
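Review bot: The values.yaml hunks replace chart-neutral defaults with one deployment's settings: `anchoreEndpoint` becomes `https://anchore-api.cloud.aurora.tech/v1/` and `existingCredentialsSecret` becomes `anchore-secret`, so any install that does not override them sends admission decisions to that endpoint and mounts a secret the chart never creates (deployment.yaml uses `.Values.existingCredentialsSecret` as the `anchore-auth` secret name whenever it is non-empty). Uncommenting `users:` under `credentials:` while its entries stay commented also turns the value into `users: null` rather than an empty list. These look like local overrides that belong in a values file outside the chart; the shipped defaults should stay `anchoreEndpoint: ""`, `existingCredentialsSecret: null` and `credentials: {}`.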
+++ b/stable/anchore-admission-controller/templates/webhook.yaml @@ -21,6 +21,4 @@ webhooks: failurePolicy: {{ .Values.apiService.webhook.failurePolicy }} namespaceSelector: {{- toYaml .Values.apiService.namespaceSelector | nindent 4 }} sideEffects: None - admissionReviewVersions: - - v1 {{- end }} diff --git a/stable/anchore-admission-controller/values.yaml b/stable/anchore-admission-controller/values.yaml index 89becf71..8739ac8c 100644 --- a/stable/anchore-admission-controller/values.yaml +++ b/stable/anchore-admission-controller/values.yaml @@ -49,7 +49,7 @@ apiService: operator: NotIn values: ["true"] -anchoreEndpoint: "https://anchore-api.cloud.aurora.tech/v1/" +anchoreEndpoint: "" policySelectors: - Selector: ResourceType: "image" @@ -70,13 +70,7 @@ annotations: {} # vault.security.banzaicloud.io/vault-addr: "https://vault:8200" # vault.security.banzaicloud.io/vault-tls-secret: "vault-tls" -resources: - limits: - cpu: 200m - memory: 256Mi - requests: - cpu: 100m - memory: 128Mi +resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -105,8 +99,8 @@ labels: {} existingCredentialsSecret: anchore-secret # or define credentials here to create secrets -credentials: - users: +credentials: {} + # users: # - username: user1 # password: password1 # - username: user2 From 6dcae4f06b1c621d6cd7703db58afbfc99bec93e Mon Sep 17 00:00:00 2001 From: Kaizhe Huang Date: Fri, 20 Jan 2023 21:06:41 +0000 Subject: [PATCH 069/329] remplate job resources Signed-off-by: Kaizhe Huang --- .../templates/init-ca/init-ca-hook.yaml | 11 ++++------- stable/anchore-admission-controller/values.yaml | 15 +++++++++++---- 2 files changed, 15 insertions(+), 11 deletions(-) 
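Review bot: The revert is incomplete: the context line `existingCredentialsSecret: anchore-secret` in the last values.yaml hunk shows the default still names a specific secret, so a default install points the Deployment's `anchore-auth` volume at a secret the chart does not create and the pod cannot start until someone provides it by hand. Restore `existingCredentialsSecret: null` together with the other reverted keys.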
diff --git a/stable/anchore-admission-controller/templates/init-ca/init-ca-hook.yaml b/stable/anchore-admission-controller/templates/init-ca/init-ca-hook.yaml index 2d1c7647..ab801510 100644 --- a/stable/anchore-admission-controller/templates/init-ca/init-ca-hook.yaml +++ b/stable/anchore-admission-controller/templates/init-ca/init-ca-hook.yaml @@ -3,7 +3,7 @@ kind: Job metadata: name: "{{ .Release.Name }}-init-ca" labels: {{- include "anchore-admission-controller.labels" . | nindent 4 }} - {{- with .Values.labels}} + {{- with .Values.labels }} {{ toYaml . | nindent 4 }} {{- end }} app: {{ template "anchore-admission-controller.fullname" . }} @@ -47,10 +47,7 @@ spec: {{- with .Values.initCa.extraEnv }} {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.initCa.resources }} resources: - requests: - cpu: 100m - memory: 100Mi - limits: - cpu: 200m - memory: 200Mi + {{- toYaml . | nindent 10 }} + {{- end }} diff --git a/stable/anchore-admission-controller/values.yaml b/stable/anchore-admission-controller/values.yaml index 8739ac8c..31c7d54a 100644 --- a/stable/anchore-admission-controller/values.yaml +++ b/stable/anchore-admission-controller/values.yaml @@ -96,7 +96,7 @@ affinity: {} labels: {} # define name of existing secret containing anchore credentials -existingCredentialsSecret: anchore-secret +existingCredentialsSecret: null # or define credentials here to create secrets credentials: {} @@ -110,6 +110,13 @@ credentials: {} initCa: image: cfssl/cfssl:latest # Define custom environment variables to pass to init-ca pod - extraEnv: [] - # - name: FOO - # value: "bar" + extraEnv: + #- name: FOO + # value: "bar" + resources: {} + # requests: + # cpu: 100m + # memory: 128Mi + # limits: + # cpu: 200m + # memory: 256Mi From 77efc235e73d77a75ac87bdbeaaef583e86f6f37 Mon Sep 17 00:00:00 2001 From: Kaizhe Huang Date: Fri, 20 Jan 2023 21:07:50 +0000 Subject: [PATCH 070/329] minor fix 
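Review bot: `extraEnv:` in the values.yaml hunk is left with no value, which YAML reads as `null` rather than an empty list; the `{{- with .Values.initCa.extraEnv }}` guard in init-ca-hook.yaml tolerates it, but a schema check or a reader of the file sees an ambiguous bare key. Write `extraEnv: []` as the other list defaults in this file do, and keep the example entries commented at a consistent indent (`# - name: FOO` / `#   value: "bar"`) so they can be uncommented as-is.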
Signed-off-by: Kaizhe Huang --- stable/anchore-admission-controller/templates/webhook.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/anchore-admission-controller/templates/webhook.yaml b/stable/anchore-admission-controller/templates/webhook.yaml index 5a7fdc7c..10260308 100644 --- a/stable/anchore-admission-controller/templates/webhook.yaml +++ b/stable/anchore-admission-controller/templates/webhook.yaml @@ -6,8 +6,6 @@ metadata: labels: {{- include "anchore-admission-controller.labels" . | nindent 4 }} webhooks: - name: {{ template "anchore-admission-controller.name" . }}-admission.anchore.io - admissionReviewVersions: - - v1 clientConfig: service: namespace: default @@ -21,4 +19,6 @@ webhooks: failurePolicy: {{ .Values.apiService.webhook.failurePolicy }} namespaceSelector: {{- toYaml .Values.apiService.namespaceSelector | nindent 4 }} sideEffects: None + admissionReviewVersions: + - v1 {{- end }} From 323f975193ed0ad13b9873824df9461b3223a67b Mon Sep 17 00:00:00 2001 From: Kaizhe Huang Date: Fri, 20 Jan 2023 21:13:43 +0000 Subject: [PATCH 071/329] minor fix Signed-off-by: Kaizhe Huang --- stable/anchore-admission-controller/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-admission-controller/values.yaml b/stable/anchore-admission-controller/values.yaml index 31c7d54a..a4a52cf0 100644 --- a/stable/anchore-admission-controller/values.yaml +++ b/stable/anchore-admission-controller/values.yaml @@ -110,7 +110,7 @@ credentials: {} initCa: image: cfssl/cfssl:latest # Define custom environment variables to pass to init-ca pod - extraEnv: + extraEnv: [] #- name: FOO # value: "bar" resources: {} From ffc06491d1bb0b3f5b28948d10363724e001611b Mon Sep 17 00:00:00 2001 From: Kaizhe Huang Date: Fri, 20 Jan 2023 22:45:04 +0000 Subject: [PATCH 072/329] bump chart version Signed-off-by: Kaizhe Huang --- stable/anchore-admission-controller/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/stable/anchore-admission-controller/Chart.yaml b/stable/anchore-admission-controller/Chart.yaml index 8f93b04c..9a94ab55 100644 --- a/stable/anchore-admission-controller/Chart.yaml +++ b/stable/anchore-admission-controller/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: anchore-admission-controller -version: 0.4.4 +version: 0.4.5 appVersion: 0.4.0 description: A kubernetes admission controller for validating and mutating webhooks that operates against Anchore Engine to make access decisions and annotations home: https://github.com/anchore/kubernetes-admission-controller From 3bb55106ff3e1974789be131c0536ad0634d4dd0 Mon Sep 17 00:00:00 2001 From: Kaizhe Huang Date: Fri, 20 Jan 2023 22:59:16 +0000 Subject: [PATCH 073/329] fix lint error Signed-off-by: Kaizhe Huang --- stable/anchore-admission-controller/values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/stable/anchore-admission-controller/values.yaml b/stable/anchore-admission-controller/values.yaml index a4a52cf0..3a1eae94 100644 --- a/stable/anchore-admission-controller/values.yaml +++ b/stable/anchore-admission-controller/values.yaml @@ -80,7 +80,7 @@ resources: {} # memory: 128Mi # requests: # cpu: 100m -# memory: 128Mi + # memory: 128Mi ## Node labels for pod assignment ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector @@ -111,8 +111,8 @@ initCa: image: cfssl/cfssl:latest # Define custom environment variables to pass to init-ca pod extraEnv: [] - #- name: FOO - # value: "bar" + # - name: FOO + # value: "bar" resources: {} # requests: # cpu: 100m From a9d1e96340eb0674a751527d5ddb1de9fdd95fa7 Mon Sep 17 00:00:00 2001 From: Kaizhe Huang Date: Mon, 23 Jan 2023 21:21:32 +0000 Subject: [PATCH 074/329] add extraLabels and used by templating helper 
Signed-off-by: Kaizhe Huang --- stable/anchore-admission-controller/templates/_helpers.tpl | 3 +++ .../anchore-admission-controller/templates/deployment.yaml | 6 ------ .../templates/init-ca/init-ca-hook.yaml | 6 ------ stable/anchore-admission-controller/values.yaml | 2 +- 4 files changed, 4 insertions(+), 13 deletions(-) diff --git a/stable/anchore-admission-controller/templates/_helpers.tpl b/stable/anchore-admission-controller/templates/_helpers.tpl index b4c179eb..c0bf7377 100644 --- a/stable/anchore-admission-controller/templates/_helpers.tpl +++ b/stable/anchore-admission-controller/templates/_helpers.tpl @@ -29,6 +29,9 @@ Common labels app.kubernetes.io/name: {{ include "anchore-admission-controller.name" . }} helm.sh/chart: {{ include "anchore-admission-controller.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} +{{- with .Values.extraLabels}} +{{ toYaml . }} +{{- end }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} diff --git a/stable/anchore-admission-controller/templates/deployment.yaml b/stable/anchore-admission-controller/templates/deployment.yaml index ab3a75fa..ad1515d3 100644 --- a/stable/anchore-admission-controller/templates/deployment.yaml +++ b/stable/anchore-admission-controller/templates/deployment.yaml @@ -3,9 +3,6 @@ kind: Deployment metadata: name: {{ template "anchore-admission-controller.fullname" . }} labels: {{- include "anchore-admission-controller.labels" . | nindent 4 }} - {{- with .Values.labels}} - {{ toYaml . | nindent 4 }} - {{- end }} annotations: {{- with .Values.annotations }} {{ toYaml . | nindent 4 }} @@ -19,9 +16,6 @@ spec: template: metadata: labels: {{- include "anchore-admission-controller.labels" . | nindent 8 }} - {{- with .Values.labels}} - {{ toYaml . | nindent 8 }} - {{- end }} annotations: {{- with .Values.annotations }} {{ toYaml . | nindent 8 }} 
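Review bot: `extraLabels` is appended to the shared `anchore-admission-controller.labels` helper after `app.kubernetes.io/name`, `helm.sh/chart` and `app.kubernetes.io/instance`, so a user-supplied key with one of those names renders as a duplicate key that most loaders resolve last-wins, silently overriding the chart's identity labels. If this helper also feeds a Deployment `selector.matchLabels` (not visible in this hunk), changing `extraLabels` on an upgrade would alter an immutable selector and the upgrade would fail. Emit the user labels before the standard keys so the chart's own labels win, or document on `extraLabels` in values.yaml that `app.kubernetes.io/*` and `helm.sh/chart` keys are reserved; `{{- with .Values.extraLabels}}` is also missing the space before `}}` used elsewhere in the helper.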
diff --git a/stable/anchore-admission-controller/templates/init-ca/init-ca-hook.yaml b/stable/anchore-admission-controller/templates/init-ca/init-ca-hook.yaml index ab801510..a2b83b24 100644 --- a/stable/anchore-admission-controller/templates/init-ca/init-ca-hook.yaml +++ b/stable/anchore-admission-controller/templates/init-ca/init-ca-hook.yaml @@ -3,9 +3,6 @@ kind: Job metadata: name: "{{ .Release.Name }}-init-ca" labels: {{- include "anchore-admission-controller.labels" . | nindent 4 }} - {{- with .Values.labels }} - {{ toYaml . | nindent 4 }} - {{- end }} app: {{ template "anchore-admission-controller.fullname" . }} component: admission-server annotations: @@ -15,9 +12,6 @@ spec: template: metadata: labels: {{- include "anchore-admission-controller.labels" . | nindent 8 }} - {{- with .Values.labels}} - {{ toYaml . | nindent 8 }} - {{- end }} app: {{ template "anchore-admission-controller.fullname" . }} component: admission-server spec: diff --git a/stable/anchore-admission-controller/values.yaml b/stable/anchore-admission-controller/values.yaml index 3a1eae94..2eab2a33 100644 --- a/stable/anchore-admission-controller/values.yaml +++ b/stable/anchore-admission-controller/values.yaml @@ -93,7 +93,7 @@ tolerations: [] ## Constrain which nodes your pod is eligible to be scheduled on, based on labels on the node ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity affinity: {} -labels: {} +extraLabels: {} # define name of existing secret containing anchore credentials existingCredentialsSecret: null From fa5876a6166921a32ce3f1311dce035f9746b3e0 Mon Sep 17 00:00:00 2001 From: Zach Hill Date: Mon, 23 Jan 2023 15:53:19 -0800 Subject: [PATCH 075/329] chore: refactor CI workflow to move linter to its own flow 
Signed-off-by: Zach Hill --- .github/workflows/lint.yaml | 36 ++++++++++++++++++++++++++++++++++++ .github/workflows/test.yaml | 5 ----- 2 files changed, 36 insertions(+), 5 deletions(-) create mode 100644 .github/workflows/lint.yaml diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml new file mode 100644 index 00000000..e70272ec --- /dev/null +++ b/.github/workflows/lint.yaml @@ -0,0 +1,36 @@ +name: "Lint changed charts using chart-testing tool" + +on: + - pull_request + +jobs: + lint: + strategy: + fail-fast: false + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Fetch history + run: git fetch --prune --unshallow + + - name: Shellcheck + uses: ludeeus/action-shellcheck@1.0.0 + + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.3.1 + + - name: Run chart-testing (list-changed) + id: list-changed + run: | + changed=$(ct list-changed --config 'ct-config.yaml' --target-branch ${{ github.event.repository.default_branch }}) + if [[ -n "$changed" ]]; then + echo "::set-output name=changed::true" + fi + + - name: Run chart-testing (lint) + id: lint + run: ct lint --config 'ct-config.yaml' + if: steps.list-changed.outputs.changed == 'true' + diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 3b68f473..4cbb87f8 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -31,11 +31,6 @@ jobs: echo "::set-output name=changed::true" fi - - name: Run chart-testing (lint) - id: lint - run: ct lint --config 'ct-config.yaml' - if: steps.list-changed.outputs.changed == 'true' - - name: Install kind uses: helm/kind-action@v1.4.0 with: From eb655830620246b6e70b43f503972649d13b0996 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Mon, 23 Jan 2023 17:18:52 -0800 Subject: [PATCH 076/329] upon upgrades, check if anchoreGlobal.existingSecret is configured. If it is, fail upgrade and refer to README 
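Review bot: The new lint.yaml workflow references every action by a mutable tag (`actions/checkout@v2`, `ludeeus/action-shellcheck@1.0.0`, `helm/chart-testing-action@v2.3.1`), so the code that runs on every pull request can change without any commit to this repository; pinning each `uses:` to a full-length commit SHA with the tag in a trailing comment keeps the job reproducible and reviewable. `strategy: fail-fast: false` has no effect because the `lint` job defines no `matrix`, and the `::set-output` command in the `list-changed` step is deprecated in favour of `echo "changed=true" >> "$GITHUB_OUTPUT"`. The final `+` line also adds a trailing blank line to the file.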
Signed-off-by: Brady Todhunter --- stable/anchore-engine/templates/_helpers.tpl | 12 ++++++++++++ .../templates/anchore_admin_secret.yaml | 1 + stable/anchore-engine/templates/engine_secret.yaml | 1 + .../templates/enterprise_feeds_secret.yaml | 1 + .../templates/enterprise_ui_secret.yaml | 1 + 5 files changed, 16 insertions(+) diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index 329194b0..d312fc68 100755 --- a/stable/anchore-engine/templates/_helpers.tpl +++ b/stable/anchore-engine/templates/_helpers.tpl @@ -425,8 +425,20 @@ Create database hostname string from supplied values file. Used for setting the {{- end }} {{- end }} +{{/* +Allows sourcing of a specified file in the entrypoint of all containers when .Values.anchoreGlobal.doSourceAtEntry.enabled=true +*/}} {{- define "doSourceFile" }} {{- if .Values.anchoreGlobal.doSourceAtEntry.enabled }} {{- printf "source %v;" .Values.anchoreGlobal.doSourceAtEntry.filePath }} {{- end }} +{{- end }} + +{{/* +Upon upgrades, checks if .Values.existingSecret=true and fails the upgrade if .Values.useExistingSecret is not set. +*/}} +{{- define "checkUpgradeForExistingSecret" }} +{{- if and .Release.IsUpgrade .Values.anchoreGlobal.existingSecret (not .Values.anchoreGlobal.useExistingSecrets) }} + {{- fail "WARNING: As of chart v1.21.0 `.Values.anchoreGlobal.existingSecret` is no longer a valid configuration value. See the chart README for more instructions on configuring existing secrets - https://github.com/anchore/anchore-charts/blob/main/stable/anchore-engine/README.md#chart-version-1210" }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/stable/anchore-engine/templates/anchore_admin_secret.yaml b/stable/anchore-engine/templates/anchore_admin_secret.yaml index 08ca62d4..4f9e9806 100644 --- a/stable/anchore-engine/templates/anchore_admin_secret.yaml +++ b/stable/anchore-engine/templates/anchore_admin_secret.yaml 
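Review bot: The comment above `checkUpgradeForExistingSecret` names `.Values.existingSecret` and `.Values.useExistingSecret`, but the condition reads `.Values.anchoreGlobal.existingSecret` and `.Values.anchoreGlobal.useExistingSecrets`; the doc should use the real paths so the next reader does not look for a top-level key. The guard also fires only on `.Release.IsUpgrade`, so a fresh install from an old values file keeps the stale key without any message, and it checks `anchoreGlobal.existingSecret` alone even though the v1.21.0 changelog in PATCH 060 renames `anchoreEnterpriseFeeds.existingSecret` too; `{{- if and (or .Values.anchoreGlobal.existingSecret .Values.anchoreEnterpriseFeeds.existingSecret) (not .Values.anchoreGlobal.useExistingSecrets) }}` would cover both keys, and dropping the `IsUpgrade` term is worth considering. The message is prefixed `WARNING:` although `fail` aborts the render; `ERROR:` matches what the user actually experiences.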
@@ -1,3 +1,4 @@ +{{- template "checkUpgradeForExistingSecret" . }} {{- if not .Values.anchoreGlobal.useExistingSecrets }} {{- $anchoreAdminPass := (include "anchore-engine.defaultAdminPassword" . | quote) }} diff --git a/stable/anchore-engine/templates/engine_secret.yaml b/stable/anchore-engine/templates/engine_secret.yaml index 36259a6f..4f16b5dd 100644 --- a/stable/anchore-engine/templates/engine_secret.yaml +++ b/stable/anchore-engine/templates/engine_secret.yaml @@ -1,3 +1,4 @@ +{{- template "checkUpgradeForExistingSecret" . }} {{- if not .Values.anchoreGlobal.useExistingSecrets }} apiVersion: v1 kind: Secret diff --git a/stable/anchore-engine/templates/enterprise_feeds_secret.yaml b/stable/anchore-engine/templates/enterprise_feeds_secret.yaml index b09090e0..a52c18f2 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_secret.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_secret.yaml @@ -1,3 +1,4 @@ +{{- template "checkUpgradeForExistingSecret" . }} {{- if not .Values.anchoreGlobal.useExistingSecrets }} {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} apiVersion: v1 diff --git a/stable/anchore-engine/templates/enterprise_ui_secret.yaml b/stable/anchore-engine/templates/enterprise_ui_secret.yaml index bbe9b393..e13e7688 100644 --- a/stable/anchore-engine/templates/enterprise_ui_secret.yaml +++ b/stable/anchore-engine/templates/enterprise_ui_secret.yaml @@ -1,3 +1,4 @@ +{{- template "checkUpgradeForExistingSecret" . }} {{- if not .Values.anchoreGlobal.useExistingSecrets }} {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseUi.enabled }} apiVersion: v1 From bde7d56284e297650ba4fa8af2b0db3d39b88306 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Mon, 23 Jan 2023 17:18:57 -0800 Subject: [PATCH 077/329] bump chart version Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index aa8f9cd4..1409383b 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.21.2 +version: 1.21.3 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: From 4c35702afadc1576fa1d99b5fa07596b2ccf3cb3 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 26 Jan 2023 15:01:10 -0800 Subject: [PATCH 078/329] remove all references to the Anchore Engine project Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/README.md | 327 +++---------------- stable/anchore-engine/enterprise_values.yaml | 4 - stable/anchore-engine/templates/NOTES.txt | 61 +--- stable/anchore-engine/values.yaml | 40 +-- 5 files changed, 73 insertions(+), 361 deletions(-) delete mode 100644 stable/anchore-engine/enterprise_values.yaml diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 1409383b..584f5305 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.21.3 +version: 1.21.4 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 9505cdd2..f3304596 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md 
@@ -1,65 +1,12 @@ -# Anchore Engine Helm Chart +# Anchore Helm Chart -[Instructions for migrating deployments from helm/stable to charts.anchore.io](#migrating-to-the-new-anchore-charts-repository) - -This chart deploys the Anchore Engine docker container image analysis system. Anchore Engine requires a PostgreSQL database (>=9.6) which may be handled by the chart or supplied externally, and executes in a service-based architecture utilizing the following Anchore Engine services: External API, SimpleQueue, Catalog, Policy Engine, and Analyzer. - -This chart can also be used to install the following Anchore Enterprise services: GUI, RBAC, Reporting, Notifications & On-premises Feeds. Enterprise services require a valid Anchore Enterprise license, as well as credentials with access to the private DockerHub repository hosting the images. These are not enabled by default. +This chart deploys the Anchore Enterprise container image analysis system. Anchore requires a PostgreSQL database (>=9.6) which may be handled by the chart or supplied externally, and executes in a service-based architecture utilizing the following Anchore Enterprise services: External API, SimpleQueue, Catalog, Policy Engine, Analyzer, GUI, RBAC, Reporting, Notifications and On-premises Feeds. Enterprise services require a valid Anchore Enterprise license, as well as credentials with access to the private DockerHub repository hosting the images. These are not enabled by default. Each of these services can be scaled and configured independently. -See [Anchore Engine](https://github.com/anchore/anchore-engine) for more project details. - -## Chart Details - -The chart is split into global and service specific configurations for the OSS Anchore Engine, as well as global and services specific configurations for the Enterprise components. - -* The `anchoreGlobal` section is for configuration values required by all Anchore Engine components. 
-* The `anchoreEnterpriseGlobal` section is for configuration values required by all Anchore Engine Enterprise components. -* Service specific configuration values allow customization for each individual service. - -For a description of each component, view the official documentation at: [Anchore Enterprise Service Overview](https://docs.anchore.com/current/docs/overview/architecture/) - -## Installing the Anchore Engine Helm Chart - -### TL;DR - -```bash -helm repo add anchore https://charts.anchore.io -helm install my-release anchore/anchore-engine -``` - -Anchore Engine will take approximately three minutes to bootstrap. After the initial bootstrap period, Anchore Engine will begin a vulnerability feed sync. During this time, image analysis will show zero vulnerabilities until the sync is completed. This sync can take multiple hours depending on which feeds are enabled. The following anchore-cli command is available to poll the system and report back when the engine is bootstrapped and the vulnerability feeds are all synced up. `anchore-cli system wait` - -The recommended way to install the Anchore Engine Helm Chart is with a customized values file and a custom release name. It is highly recommended to set non-default passwords when deploying. All passwords are set to defaults specified in the chart. It is also recommended to utilize an external database, rather then using the included postgresql chart. - -Create a new file named `anchore_values.yaml` and add all desired custom values (see the following examples); then run the following command: - -#### Helm v3 installation - -```bash -helm repo add anchore https://charts.anchore.io -helm install -f anchore_values.yaml anchore/anchore-engine -``` - -##### Example anchore_values.yaml - using chart managed PostgreSQL service with custom passwords. - -*Note: Installs with chart managed PostgreSQL database. 
This is not a guaranteed production ready config.* - -```yaml -## anchore_values.yaml - -postgresql: - postgresPassword: - persistence: - size: 50Gi +See the [Anchore Homepage](https://anchore.com) for more project details. -anchoreGlobal: - defaultAdminPassword: - defaultAdminEmail: -``` - -## Adding Enterprise Components +## Anchore Enterprise Components The following features are available to Anchore Enterprise customers. Please contact the Anchore team for more information about getting a license for the Enterprise features. [Anchore Enterprise Demo](https://anchore.com/demo/) 
@@ -76,6 +23,24 @@ anchoreGlobal: * Kubernetes runtime image inventory/scanning ``` +## Chart Details + +The chart is split into global and service specific configurations for all Anchore Enterprise components. + +* The `anchoreGlobal` section is for configuration values required by all Anchore components. +* The `anchoreEnterpriseGlobal` section is for configuration values required by all Anchore Enterprise components. +* Service specific configuration values allow customization for each individual service. + +For a description of each component, view the official documentation at: [Anchore Enterprise Service Overview](https://docs.anchore.com/current/docs/overview/architecture/) + +## Installing the Anchore Helm Chart + +Anchore will take approximately three minutes to bootstrap. After the initial bootstrap period, Anchore will begin a vulnerability feed sync. During this time, image analysis will show zero vulnerabilities until the sync is completed. This sync can take multiple hours depending on which feeds are enabled. The following anchore-cli command is available to poll the system and report back when the engine is bootstrapped and the vulnerability feeds are all synced up. `anchore-cli system wait` + +The recommended way to install the Anchore Helm Chart is with a customized values file and a custom release name. It is highly recommended to set non-default passwords when deploying. All passwords are set to defaults specified in the chart. It is also recommended to utilize an external database, rather then using the included postgresql chart. + +Create a new file named `anchore_values.yaml` and add all desired custom values (see the following examples); then run the following command: + ### Enabling Enterprise Services Enterprise services require an Anchore Enterprise license, as well as credentials with 
@@ -126,9 +91,6 @@ anchoreGlobal: defaultAdminEmail: enableMetrics: True -anchoreEnterpriseGlobal: - enabled: True - anchore-feeds-db: postgresPassword: persistence: @@ -139,42 +101,16 @@ ui-redis: password: ``` -## Installing on OpenShift - -As of chart version 1.3.1, deployments to OpenShift are fully supported. Due to permission constraints when utilizing OpenShift, the official RHEL postgresql image must be utilized, which requires custom environment variables to be configured for compatibility with this chart. - -### Example anchore_values.yaml - deploying on OpenShift - -*Note: Installs with chart managed PostgreSQL database. This is not a guaranteed production ready config.* +#### Helm v3 installation -```yaml -## anchore_values.yaml +```bash +helm repo add anchore https://charts.anchore.io +helm install -f anchore_values.yaml anchore/anchore-engine +``` -postgresql: - image: registry.access.redhat.com/rhscl/postgresql-96-rhel7 - imageTag: latest - extraEnv: - - name: POSTGRESQL_USER - value: anchoreengine - - name: POSTGRESQL_PASSWORD - value: anchore-postgres,123 - - name: POSTGRESQL_DATABASE - value: anchore - - name: PGUSER - value: postgres - - name: LD_LIBRARY_PATH - value: /opt/rh/rh-postgresql96/root/usr/lib64 - - name: PATH - value: /opt/rh/rh-postgresql96/root/usr/bin:/opt/app-root/src/bin:/opt/app-root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - postgresPassword: - persistence: - size: 50Gi +## Installing on OpenShift -anchoreGlobal: - defaultAdminPassword: - defaultAdminEmail: - openShiftDeployment: True -``` +As of chart version 1.3.1, deployments to OpenShift are fully supported. Due to permission constraints when utilizing OpenShift, the official RHEL postgresql image must be utilized, which requires custom environment variables to be configured for compatibility with this chart. To perform an Enterprise deployment on OpenShift, use the following anchore_values.yaml configuration 
@@ -209,9 +145,6 @@ anchoreGlobal: enableMetrics: True openShiftDeployment: True -anchoreEnterpriseGlobal: - enabled: True - anchore-feeds-db: image: registry.access.redhat.com/rhscl/postgresql-96-rhel7 imageTag: latest @@ -239,7 +172,7 @@ ui-redis: # Chart Updates -See the anchore-engine [CHANGELOG](https://github.com/anchore/anchore-engine/blob/master/CHANGELOG.md) for updates to Anchore Engine. +See the Anchore [Release Notes](https://docs.anchore.com/current/docs/releasenotes/) for updates to Anchore. ## Upgrading from previous chart versions @@ -304,7 +237,7 @@ The upgrade will only be considered successful when this job completes successfu ## Chart version 1.17.0 -Chart version 1.17.0 is an Enterprise focused release. Anchore Engine users will see no change in behavior from this release. +Chart version 1.17.0 is an Enterprise focused release. Anchore users will see no change in behavior from this release. For Enterprise users, this release specifically helps reduce downtime needed during the transition from the v1 scanner to the v2 scanner. This version sets the GrypeDB driver to run in the feed service v1-scanner deployments so that the GrypeDB is ready when the update to the v2 scanner is made and thus reduces effective downtime during the maintenance window needed for that configuration change. 
@@ -329,38 +262,38 @@ The impacts of this upgrade are as follows: * For deployments currently utilizing the V1 (legacy) vulnerability provider, configured with `.Values.anchorePolicyEngine.vulnerabilityProvider=legacy`, this upgrade will enable the GrypeDB Driver on the Enterprise Feeds service. * The GrypeDB driver can be manually disabled for legacy deployments using `.Values.anchoreEnterpriseFeeds.grypeDriverEnabled=false` -* For deployments of Anchore Engine, configured with `.Values.anchoreEnterpriseGlobal=false`, this upgrade will have zero impact. +* For deployments of Anchore, configured with `.Values.anchoreEnterpriseGlobal=false`, this upgrade will have zero impact. * For Enterprise deployments currently utilizing the Grype vulnerability provider, configured with `.Values.anchorePolicyEngine.vulnerabilityProvider=grype`, this release will have zero impact. ## Chart version 1.16.0 -* Anchore Engine image updated to v1.1.0 - [Release Notes](https://engine.anchore.io/docs/releasenotes/110/) +* Anchore image updated to v1.1.0 - [Release Notes](https://engine.anchore.io/docs/releasenotes/110/) * Anchore Enterprise image updated to v3.3.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/330/) ## Chart version 1.15.0 Chart version v1.15.0 sets the V2 vulnerability scanner, based on [Grype](https://github.com/anchore/grype), as the default for new deployments. **Users upgrading from chart versions prior to v1.15.0 will need to explicitly set their preferred vulnerability provider using `.Values.anchorePolicyEngine.vulnerabilityProvider`.** If the vulnerability provider is not explicitly set, Helm will prevent an upgrade from being initiated. 
-* Anchore Engine image updated to v1.0.0 - [Release Notes](https://engine.anchore.io/docs/releasenotes/100/) +* Anchore image updated to v1.0.0 - [Release Notes](https://engine.anchore.io/docs/releasenotes/100/) * Anchore Enterprise image updated to v3.2.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/320/) * Enterprise Feeds - Now uses a PVC for the persistent workspace directory. This directory is used by the vulnerability drivers for downloading vulnerability data, and should be persistent for optimal performance. * Enterprise Feeds - When enabling the Ruby Gems vulnerability driver, the Helm chart will now spin up an ephemeral Postgresql deployment for the Feeds service to load Ruby vulnerability data. ## Chart version 1.14.0 -* Anchore Engine image updated to v0.10.1 - [Release Notes](https://engine.anchore.io/docs/releasenotes/0101/) +* Anchore image updated to v0.10.1 - [Release Notes](https://engine.anchore.io/docs/releasenotes/0101/) * Anchore Enterprise image updated to v3.1.1 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/311/) * Enterprise Feeds - MSRC feeds no longer require an access token. No changes are needed, however MSRC access tokens can now be removed from values and/or existing secrets. ## Chart version 1.13.0 -* Anchore Engine image updated to v0.10.0 - [Release Notes](https://engine.anchore.io/docs/releasenotes/0100/) +* Anchore image updated to v0.10.0 - [Release Notes](https://engine.anchore.io/docs/releasenotes/0100/) * Anchore Enterprise image updated to v3.1.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/310/) * If utilizing the Enterprise Runtime Inventory feature, the catalog service can now be configured to automatically setup RBAC for image discovery within the cluster. 
This is configured under `.Values.anchoreCatalog.runtimeInventory` ## Chart version 1.12.0 -* Anchore Engine image updated to v0.9.1 +* Anchore image updated to v0.9.1 * Anchore Enterprise images updated to v3.0.0 * Existing secrets now work for Enterprise feeds and Enterprise UI - see [existing secrets configuration](#-Utilize-an-Existing-Secret) * Anchore admin default password no longer defaults to `foobar`. If no password is specified, a random string will be generated. @@ -371,7 +304,7 @@ Chart dependency declarations have been updated to be compatible with Helm v3.4. ## Chart version 1.8.0 -The following Anchore-Engine features were added with this version: +The following features were added with this version: * Malware scanning - see .Values.anchoreAnalyzer.configFile.malware * Binary content scanning 
@@ -382,183 +315,13 @@ For more details see - https://docs.anchore.com/current/docs/engine/releasenotes ## Chart version 1.7.0 -Starting with version 1.7.0, the anchore-engine chart will be hosted on charts.anchore.io. If you're upgrading from a previous version of the chart, you will need to delete your previous deployment and redeploy Anchore Engine using the chart from the Anchore Charts repository. - -This version of the chart includes the dependent Postgresql chart in the charts/ directory rather then pulling it from upstream. All apiVersions were updated for compatibility with Kubernetes v1.16+ and the postgresql image has been updated to version 9.6.18. The chart version also updates to the latest version of the Redis chart from Bitnami. These dependency updates require deleting and re-installing your chart. If the following process is performed, no data should be lost. - -## Migrating To The New Anchore Charts Repository - -For these examples, we assume that your namespace is called `my-namespace` and your Anchore installation is called `my-anchore`. - -These examples use Helm version 3 and kubectl client version 1.18, server version 1.18. - -### **ENSURE MIGRATION IS PERFORMED SEPARATELY FROM ANCHORE ENGINE UPGRADES** - -All helm installation steps will include a flag to override the Anchore Engine/Enterprise images with your current running version. You can upgrade your version of Anchore after moving to the new chart from charts.anchore.io. Record the version of your Anchore deployment and use it anytime the instructions refer to the Engine Code Version. 
- -### Determine Currently Running Anchore Version - -To determine the currently running Anchore version, connect to the anchore-api pod, issue the following command, and record the Engine Code Version: - -```bash -[anchore@anchore-api anchore-engine]$ anchore-cli system status -Service analyzer (anchore-anchore-engine-analyzer-7cd9c5cb78-j8n8p, http://anchore-anchore-engine-analyzer:8084): up -Service apiext (anchore-anchore-engine-api-54cff87fcd-s4htm, http://anchore-anchore-engine-api:8228): up -Service catalog (anchore-anchore-engine-catalog-5898dc67d6-64b8n, http://anchore-anchore-engine-catalog:8082): up -Service simplequeue (anchore-anchore-engine-simplequeue-5cc449cc5c-djkf7, http://anchore-anchore-engine-simplequeue:8083): up -Service policy_engine (anchore-anchore-engine-policy-68b99ddf96-d4gbl, http://anchore-anchore-engine-policy:8087): up - -Engine DB Version: 0.0.13 -Engine Code Version: 0.7.2 -``` - -## If Using An External Postgresql Database (not included as chart dependency) - -```bash -helm uninstall --namespace=my-namespace my-anchore -helm repo add anchore https://charts.anchore.io -helm repo update -export ANCHORE_VERSION=0.7.2 # USE YOUR ENGINE CODE VERSION HERE -helm install --namespace=my-namespace --set anchoreGlobal.image=docker.io/anchore/anchore-engine:v${ANCHORE_VERSION} --set anchoreEnterpriseGlobal.image=docker.io/anchore/enterprise:v${ANCHORE_VERSION} -f anchore_values.yaml my-anchore anchore/anchore-engine -``` - -## If Using The Included Postgresql Chart - -When utilizing the included Postgresql chart, you will need to reuse the persistent volume claims that are attached to your current deployment. These existing claims will be utilized when re-installing anchore-engine using the new chart from charts.anchore.io. 
- -### Determine Your Database PersistentVolumeClaim - -Find the name of the database PersistentVolumeClaim using `kubectl`: - -```bash -$ kubectl get persistentvolumeclaim --namespace my-namespace -NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE -my-anchore-postgresql Bound pvc-739f6f21-b73b-11ea-a2b9-42010a800176 20Gi RWO standard 2d -``` - -The name of your PersistentVolumeClaim in the example shown is `my-anchore-postgresql`. Note that, as you will need it later. - -Anchore Enterprise users with a standalone Feeds Service will see a different set of PersistentVolumeClaims: - -```bash -$ kubectl get persistentvolumeclaim --namespace my-namespace -NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE -my-anchore-anchore-feeds-db Bound pvc-cd7ebb6f-bbe0-11ea-b9bf-42010a800020 20Gi RWO standard 3d -my-anchore-postgresql Bound pvc-cd7dc7d2-bbe0-11ea-b9bf-42010a800020 20Gi RWO standard 3d -``` - -The names of the PersistentVolumeClaims in the example shown are `my-anchore-anchore-feeds-db` and `my-anchore-postgresql`. You may see other persistent volume claims, but only `my-anchore-anchore-feeds-db` and `my-anchore-postgresql` are relevant for this migration. Remember the names, as you will need them later. - -#### Uninstall Your Anchore Installation With Helm - -```bash -$ helm uninstall --namespace=my-namespace my-anchore -release "my-anchore" uninstalled -``` - -Anchore Enterprise users will want to remove the Redis DB PersistentVolumeClaim. This will delete all current session data but will not affect stability of the deployment: - -```bash -kubectl delete pvc redis-data-my-anchore-ui-redis-master-0 -``` - -Your other PersistentVolumeClaims will still be resident in your cluster (we're showing results from an Anchore Enterprise installation that has a standalone Feeds Service below. 
Anchore Enterprise users without a standalone Feeds Service, and Anchore Engine users will not see `my-anchore-anchore-feeds-db`): - -```bash -$ kubectl get persistentvolumeclaim --namespace my-namespace -NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE -my-anchore-anchore-feeds-db Bound pvc-a22abf70-bbb9-11ea-840b-42010a8001d8 20Gi RWO standard 3d -my-anchore-postgresql Bound pvc-e6daf90a-bbb8-11ea-840b-42010a8001d8 20Gi RWO standard 3d -``` - -#### Add The New Anchore Helm Chart Repository - -```bash -$ helm repo add anchore https://charts.anchore.io -"anchore" has been added to your repositories - -$ helm repo update -Hang tight while we grab the latest from your chart repositories... -...Successfully got an update from the "anchore" chart repository -``` - -#### Install The Anchore Helm Chart - -Update your anchore_values.yaml file as shown, using the PersistentVolumeClaim values from above: - -Engine only deployment values file example: - -```yaml -# anchore_values.yaml - - postgresql: - persistence: - existingclaim: my-anchore-postgresql -``` - -Enterprise deployment values file example: - -```yaml -# anchore_values.yaml - -postgresql: - persistence: - existingclaim: my-anchore-postgresql - -anchore-feeds-db: - persistence: - existingclaim: my-anchore-anchore-feeds-db -``` - -Install a new Anchore Engine deployment using the chart from charts.anchore.io - -```bash -$ export ANCHORE_VERSION=0.7.2 # USE YOUR ENGINE CODE VERSION HERE -$ helm install --namespace=my-namespace --set anchoreGlobal.image=docker.io/anchore/anchore-engine:v${ANCHORE_VERSION} --set anchoreEnterpriseGlobal.image=docker.io/anchore/enterprise:v${ANCHORE_VERSION} -f anchore_values.yaml my-anchore anchore/anchore-engine - -NAME: my-anchore -LAST DEPLOYED: Thu Jun 25 12:25:33 2020 -NAMESPACE: my-namespace -STATUS: deployed -REVISION: 1 -TEST SUITE: None -NOTES: -To use Anchore Engine you need the URL, username, and password to access the API. -...more instructions... 
-``` - -Verify that your PersistentVolumeClaims are bound (output may vary): - -```bash -$ kubectl get persistentvolumeclaim --namespace my-namespace -NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE -my-anchore-anchore-feeds-db Bound pvc-a22abf70-bbb9-11ea-840b-42010a8001d8 20Gi RWO standard 3d -my-anchore-postgresql Bound pvc-e6daf90a-bbb8-11ea-840b-42010a8001d8 20Gi RWO standard 3d -``` - -Connect to the anchore-api pod and validate that your installation still contains all of your previously scanned images. - -```bash -[anchore@anchore-api anchore-engine]$ anchore-cli image list -Full Tag Image Digest Analysis Status -docker.io/alpine:latest sha256:a15790640a6690aa1730c38cf0a440e2aa44aaca9b0e8931a9f2b0d7cc90fd65 analyzed -docker.io/anchore/anchore-engine:latest sha256:624c9f662233838d1046809135a70ab88d79bd0f2e53dd74bb3d67d10d997bd1 analyzed -docker.io/ubuntu:latest sha256:60f560e52264ed1cb7829a0d59b1ee7740d7580e0eb293aca2d722136edb1e24 analyzed -``` +Starting with version 1.7.0, the anchore-engine chart will be hosted on charts.anchore.io. If you're upgrading from a previous version of the chart, you will need to delete your previous deployment and redeploy Anchore using the chart from the Anchore Charts repository. -You are now running Anchore from the new chart repository, with your data in place. - -## Upgrade To Latest Version of Anchore - -Now that you're migrated to charts.anchore.io, you can upgrade Anchore Engine to the latest version if desired. - -```bash -helm upgrade --namespace my-namespace -f anchore_values.yaml my-anchore anchore/anchore-engine -``` +This version of the chart includes the dependent Postgresql chart in the charts/ directory rather then pulling it from upstream. All apiVersions were updated for compatibility with Kubernetes v1.16+ and the postgresql image has been updated to version 9.6.18. The chart version also updates to the latest version of the Redis chart from Bitnami. 
These dependency updates require deleting and re-installing your chart. # Configuration -All configurations should be appended to your custom `anchore_values.yaml` file and utilized when installing the chart. While the configuration options of Anchore Engine are extensive, the options provided by the chart are as follows: +All configurations should be appended to your custom `anchore_values.yaml` file and utilized when installing the chart. While the configuration options of Anchore are extensive, the options provided by the chart are as follows: ## Exposing the service outside the cluster using Ingress @@ -737,7 +500,7 @@ cloudsql: *Note: it is recommended to use an external archive driver for production installs.* -The archive subsystem of Anchore Engine is what stores large JSON documents, and can consume substantial storage if +The archive subsystem of Anchore is what stores large JSON documents, and can consume substantial storage if you analyze a lot of images. A general rule for storage provisioning is 10MB per image analyzed, so with thousands of analyzed images, you may need many gigabytes of storage. The Archive drivers now support other backends than just postgresql, so you can leverage external and scalable storage systems and keep the postgresql storage usage to a much lower level. @@ -859,7 +622,7 @@ This is the default archive driver and requires no additional configuration. ## Prometheus Metrics -Anchore Engine supports exporting prometheus metrics form each container. Do the following to enable metrics: +Anchore supports exporting prometheus metrics form each container. Do the following to enable metrics: ```yaml anchoreGlobal: 
@@ -872,11 +635,11 @@ know about each pod, and the ports it provides to scrape the metrics. ## Using custom certificates A secret needs to be created in the same namespace as the anchore-engine chart installation. This secret should contain all custom certs, including CA certs & any certs used for internal TLS communication. -This secret will be mounted to all anchore-engine pods at /home/anchore/certs to be utilized by the system. +This secret will be mounted to all Anchore pods at /home/anchore/certs to be utilized by the system. ## Event Notifications -Anchore Engine in v0.2.3 introduces a new events subsystem that exposes system-wide events via both a REST api as well +Anchore in v0.2.3 introduces a new events subsystem that exposes system-wide events via both a REST api as well as via webhooks. The webhooks support filtering to ensure only certain event classes result in webhook calls to help limit the volume of calls if you desire. Events, and all webhooks, are emitted from the core components, so configuration is done in the coreConfig. diff --git a/stable/anchore-engine/enterprise_values.yaml b/stable/anchore-engine/enterprise_values.yaml deleted file mode 100644 index 2d29b42b..00000000 --- a/stable/anchore-engine/enterprise_values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -anchoreEnterpriseGlobal: - enabled: true - - diff --git a/stable/anchore-engine/templates/NOTES.txt b/stable/anchore-engine/templates/NOTES.txt index 9e92e760..83aafdeb 100644 --- a/stable/anchore-engine/templates/NOTES.txt +++ b/stable/anchore-engine/templates/NOTES.txt 
@@ -1,61 +1,14 @@ -To use Anchore Engine you need the URL, username, and password to access the API. +{{- if not .Values.anchoreEnterpriseGlobal.enabled }} +WARNING - As of 2023, Anchore Engine is no longer maintained. There will be no future versions released. Users are advised to use Syft and Grype. +{{- end }} -Anchore Engine can be accessed via port {{ .Values.anchoreApi.service.port }} on the following DNS name from within the cluster: -{{ template "anchore-engine.api.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local - -Here are the steps to configure the anchore-cli (`pip install anchorecli`). Use these same values for direct API access as well. - -To configure your anchore-cli run: - - ANCHORE_CLI_USER=admin - ANCHORE_CLI_PASS=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "anchore-engine.fullname" . }}-admin-pass -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --decode; echo) -{{ if .Values.ingress.enabled }} - ANCHORE_CLI_URL={{- if .Values.anchoreGlobal.internalServicesSsl.enabled -}}https{{- else }}http{{- end -}}://$(kubectl get ingress --namespace {{ .Release.Namespace }} {{ template "anchore-engine.fullname" . }} -o jsonpath="{.status.loadBalancer.ingress[0].ip}")/v1/ -{{ else }} -Using the service endpoint from within the cluster you can use: - ANCHORE_CLI_URL={{- if .Values.anchoreGlobal.internalServicesSsl.enabled -}}https{{- else }}http{{- end -}}://{{ template "anchore-engine.api.serviceName" . 
}}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.anchoreApi.service.port}}/v1/ -{{ end }} - -To verify the service is up and running, you can run container for the Anchore Engine CLI: - - kubectl run -i --tty anchore-cli --restart=Always --image anchore/engine-cli {{ if and (not .Values.anchoreGlobal.internalServicesSsl.verifyCerts) .Values.anchoreGlobal.internalServicesSsl.enabled -}}--env ANCHORE_CLI_SSL_VERIFY=n{{- end }} --env ANCHORE_CLI_USER=admin --env ANCHORE_CLI_PASS=${ANCHORE_CLI_PASS} --env ANCHORE_CLI_URL=http://{{ template "anchore-engine.api.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.anchoreApi.service.port}}/v1/ +To use Anchore you need the URL, username, and password to access the API and/or the UI. -from within the container you can use 'anchore-cli' commands. +Anchore can be accessed via port {{ .Values.anchoreApi.service.port }} on the following DNS name from within the cluster: +{{ template "anchore-engine.api.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local -* NOTE: On first startup of anchore-engine, it performs a CVE data sync which may take several minutes to complete. During this time the system status will report 'partially_down' and any images added for analysis will stay in the 'not_analyzed' state. +* NOTE: On first startup of Anchore, the policy-engine performs a CVE data sync which may take several minutes to complete. During this time the system status will report 'partially_down' and any images added for analysis will stay in the 'not_analyzed' state. Once the sync is complete, any queued images will be analyzed and the system status will change to 'all_up'. Initial setup time can be >120sec for postgresql setup and readiness checks to pass for the services as indicated by pod state. You can check with: kubectl get pods -l app={{ template "anchore-engine.fullname" .}},component=api - - -A quick primer on using the Anchore Engine CLI follows. 
For more info see: https://github.com/anchore/anchore-engine/wiki/Getting-Started - -View system status: - - anchore-cli system status - -Add an image to be analyzed: - - anchore-cli image add - -List images and see the analysis status (not_analyzed initially): - - anchore-cli image list - -Once the image is analyzed you'll see status change to 'analyzed'. This may take some time on first execution with a new database because -the system must first do a CVE data sync which can take several minutes. Once complete, the image will transition to 'analyzing' state. - -When the image reaches 'analyzed' state, you can view policy evaluation output with: - - anchore-cli evaluate check - -List CVEs found in the image with: - - anchore-cli image vuln os - -List OS packages found in the image with: - anchore-cli image content os - -List files found in the image with: - anchore-cli image content files diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index dac2d9ef..1e86e28e 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -1,7 +1,7 @@ # Default values for anchore_engine chart. fullnameOverride: Null -# Anchore engine has a dependency on Postgresql, configure here +# Anchore has a dependency on Postgresql, configure here postgresql: # To use an external DB or Google CloudSQL in GKE, uncomment & set 'enabled: false' # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres 
@@ -57,7 +57,7 @@ cloudsql: tag: 1.22.0 pullPolicy: IfNotPresent -# Create an ingress resource for all external anchore engine services (API & Enterprise UI). +# Create an ingress resource for all external Anchore services (API & Enterprise UI). # By default this chart is setup to use the NGINX ingress controller which needs to be installed & configured on your cluster. # To utilize a GCE/ALB ingress controller comment out the nginx annotations below, change ingress.class, edit path configurations as per the comments, & set API/UI services to use NodePort. ingress: @@ -101,13 +101,13 @@ ingress: # hosts: # - chart-example.local -# Global configuration shared by all anchore-engine services. +# Global configuration shared by all Anchore services. anchoreGlobal: - # Image used for all anchore engine deployments (excluding enterprise components). + # Image used for all Anchore deployments (excluding enterprise components). image: docker.io/anchore/anchore-engine:v1.1.0 imagePullPolicy: IfNotPresent - # Set image pull secret name if using an anchore-engine image from a private registry + # Set image pull secret name if using an Anchore image from a private registry imagePullSecretName: # Specify a service account name utilized to run all Anchore pods @@ -121,7 +121,7 @@ anchoreGlobal: # app.kubernetes.io/managed-by: Helm # foo: bar - # Add common annotations to set on all pods. Useful expecially when inject secrets directly into pods as ENV from vault via mutation-webhook-injection method. + # Add common annotations to set on all pods. Useful especially when inject secrets directly into pods as ENV from vault via mutation-webhook-injection method. # Ref: https://banzaicloud.com/docs/bank-vaults/mutating-webhook/ annotations: {} # vault.security.banzaicloud.io/vault-addr: "https://vault:8200" 
@@ -139,7 +139,7 @@ anchoreGlobal: # Instead, the chart will use secrets that have already been applied to the namespace that this chart is being deployed to. useExistingSecrets: false - # Set the name of your existing secret for all Anchore Engine components + # Set the name of your existing secret for all Anchore components existingSecretName: anchore-engine-env # does `source {{ filePath }}` before starting services @@ -169,7 +169,7 @@ anchoreGlobal: details: {} # Specify volume configuration here - # A secret must be created in the same namespace as anchore-engine is deployed, containing the certificates & public/private keys used for SSL, SAML & custom CAs. + # A secret must be created in the same namespace as Anchore is deployed, containing the certificates & public/private keys used for SSL, SAML & custom CAs. # Certs and keys should be added using the file name the certificate is stored at. This secret will be mounted to /home/anchore/certs. certStoreSecretName: Null @@ -181,7 +181,7 @@ anchoreGlobal: fsGroup: 1000 ### - # Start of General Anchore Engine Configurations (populates /config/config.yaml) + # Start of General Anchore Configurations (populates /config/config.yaml) ### # Set where default configs are placed at startup. This must be a writable location for the pod. serviceDir: /anchore_service @@ -203,7 +203,7 @@ anchoreGlobal: # Disable auth on prometheus metrics metricsAuthDisabled: false - # Sets the password & email address for the default anchore-engine admin user. + # Sets the password & email address for the default Anchore admin user. defaultAdminPassword: defaultAdminEmail: example@email.com 
@@ -228,7 +228,7 @@ anchoreGlobal: # WARNING: you should not change this after a system has been initialized as it may cause a mismatch in existing passwords hashedPasswords: false - # Configure the database connection within anchore-engine & enterprise-ui. This may get split into 2 different configurations based on service utilized. + # Configure the database connection within Anchore & enterprise-ui. This may get split into 2 different configurations based on service utilized. dbConfig: timeout: 120 # Use ssl, but the default postgresql config from the dependent chart does not support server side ssl, so this should only be enabled for external dbs @@ -245,7 +245,7 @@ anchoreGlobal: # pool_recycle: 600 internalServicesSsl: - # Enable to force all anchore-engine services to communicate internally using SSL + # Enable to force all Anchore services to communicate internally using SSL enabled: false # specify whether cert is verfied against the local certifacte bundle (allow self-signed certs if set to false) verifyCerts: false @@ -402,7 +402,7 @@ anchoreAnalyzer: affinity: {} -# Pod configuration for the anchore engine api service. +# Pod configuration for the Anchore api service. anchoreApi: replicaCount: 1 @@ -622,7 +622,7 @@ anchoreCatalog: tolerations: [] affinity: {} -# Pod configuration for the anchore engine policy service. +# Pod configuration for the Anchore policy service. anchorePolicyEngine: replicaCount: 1 @@ -670,7 +670,7 @@ anchorePolicyEngine: tolerations: [] affinity: {} -# Pod configuration for the anchore engine simplequeue service. +# Pod configuration for the Anchore simplequeue service. anchoreSimpleQueue: replicaCount: 1 
@@ -726,7 +726,7 @@ anchoreEngineUpgradeJob: # This section is used for configuring anchore enterprise. anchoreEnterpriseGlobal: - enabled: false + enabled: true # Name of kubernetes secret containing your license.yaml file. # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license @@ -849,7 +849,7 @@ anchoreEnterpriseFeeds: # Set the name of your existing secret for Anchore Enterprise Feeds existingSecretName: anchore-enterprise-feeds-env - # Configure the database connection within anchore-engine & enterprise-ui. This may get split into 2 different configurations based on service utilized. + # Configure the database connection within Anchore & enterprise-ui. This may get split into 2 different configurations based on service utilized. dbConfig: timeout: 120 # Use ssl, but the default postgresql config from the dependent chart does not support server side ssl, so this should only be enabled for external dbs @@ -930,7 +930,7 @@ anchoreEnterpriseFeedsUpgradeJob: annotations: {} # Configure the Anchore Enterprise role based access control component. -# This component consists of 2 containers that run as side-cars in the anchore engine api pod. +# This component consists of 2 containers that run as side-cars in the Anchore api pod. anchoreEnterpriseRbac: enabled: true @@ -985,7 +985,7 @@ anchoreEnterpriseReports: # Set enableGraphiql to true and open http://:/v1/reports/graphql in a browser for reports API enableGraphiql: true - # Set enableDataIngress to true for periodically syncing data from anchore engine into the reports service + # Set enableDataIngress to true for periodically syncing data from Anchore into the reports service enableDataIngress: true # Set enableDataEgress to true to periodically remove reporting data that has been removed in other parts of system 
@@ -1278,7 +1278,7 @@ anchoreEnterpriseUi: tolerations: [] affinity: {} -# Anchore Engine Enterprise UI is dependent on redis for storing sessions +# Anchore Enterprise UI is dependent on redis for storing sessions # Only utilized if 'anchoreEnterpriseUi.enabled: true' ui-redis: auth: From 0711dc8c9cae5a818442e21fea3b41b142edff8d Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 26 Jan 2023 15:07:12 -0800 Subject: [PATCH 079/329] do not enable enterprise by default Signed-off-by: Brady Todhunter --- stable/anchore-engine/README.md | 5 +++-- stable/anchore-engine/values.yaml | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index f3304596..81d9855b 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -4,8 +4,6 @@ This chart deploys the Anchore Enterprise container image analysis system. Ancho Each of these services can be scaled and configured independently. -See the [Anchore Homepage](https://anchore.com) for more project details. - ## Anchore Enterprise Components The following features are available to Anchore Enterprise customers. Please contact the Anchore team for more information about getting a license for the Enterprise features. [Anchore Enterprise Demo](https://anchore.com/demo/) @@ -91,6 +89,9 @@ anchoreGlobal: defaultAdminEmail: enableMetrics: True +anchoreEnterpriseGlobal: + enabled: true + anchore-feeds-db: postgresPassword: persistence: diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 1e86e28e..1578ab1e 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml 
@@ -726,7 +726,7 @@ anchoreEngineUpgradeJob: # This section is used for configuring anchore enterprise. anchoreEnterpriseGlobal: - enabled: true + enabled: false # Name of kubernetes secret containing your license.yaml file. # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license From 825769bcafb001cf326929388296e117f80f8f59 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 26 Jan 2023 15:11:23 -0800 Subject: [PATCH 080/329] re-add the enterprise_values file Signed-off-by: Brady Todhunter --- stable/anchore-engine/enterprise_values.yaml | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 stable/anchore-engine/enterprise_values.yaml diff --git a/stable/anchore-engine/enterprise_values.yaml b/stable/anchore-engine/enterprise_values.yaml new file mode 100644 index 00000000..5251187e --- /dev/null +++ b/stable/anchore-engine/enterprise_values.yaml @@ -0,0 +1,2 @@ +anchoreEnterpriseGlobal: + enabled: true From b4e78aa1482b8f21e670bd6027fbe319bf77afb1 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 24 Jan 2023 17:00:22 -0500 Subject: [PATCH 081/329] Merge pull request #60 from anchore/multiple-kai-deployments changing kai clusterrole and clusterrolebinding name to not be hard coded --- stable/kai/Chart.yaml | 2 +- stable/kai/templates/cluster-role-binding.yaml | 4 ++-- stable/kai/templates/cluster-role-readonly.yaml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/stable/kai/Chart.yaml b/stable/kai/Chart.yaml index 9b6f842e..1a9eb950 100644 --- a/stable/kai/Chart.yaml +++ b/stable/kai/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: kai -version: 0.3.2 +version: 0.3.3 appVersion: 0.3.2 description: A Helm chart for Kubernetes Automated Inventory, which describes which images are in use in a given Kubernetes Cluster keywords: 
diff --git a/stable/kai/templates/cluster-role-binding.yaml b/stable/kai/templates/cluster-role-binding.yaml index 96584425..0ae275bf 100644 --- a/stable/kai/templates/cluster-role-binding.yaml +++ b/stable/kai/templates/cluster-role-binding.yaml @@ -1,12 +1,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: kai-read-only-binding + name: {{ include "kai.fullname" . }}-read-only-binding subjects: - kind: ServiceAccount name: {{ include "kai.serviceAccountName" . }} namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole - name: kai-read-only + name: {{ include "kai.fullname" . }}-read-only apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/stable/kai/templates/cluster-role-readonly.yaml b/stable/kai/templates/cluster-role-readonly.yaml index ddcf9c5c..f26d9a51 100644 --- a/stable/kai/templates/cluster-role-readonly.yaml +++ b/stable/kai/templates/cluster-role-readonly.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: kai-read-only + name: {{ include "kai.fullname" . }}-read-only rules: - apiGroups: [""] resources: ["pods","namespaces"] From 2c4c52e39f4c4426cb2536090f983fb622be72ff Mon Sep 17 00:00:00 2001 From: Weston Steimel Date: Mon, 23 Jan 2023 19:08:33 +0000 Subject: [PATCH 082/329] feat: expose ubuntu driver git configuration options (#59) * feat: expose ubuntu driver git configuration options Signed-off-by: Weston Steimel * chore: bump chart version Signed-off-by: Weston Steimel --- .../templates/enterprise_feeds_configmap.yaml | 2 ++ stable/anchore-engine/values.yaml | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index 9ad96f8c..3a85c528 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml 
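Review bot: Templating the ClusterRole and ClusterRoleBinding names on `kai.fullname` still leaves two releases that share a release name in different namespaces colliding on these cluster-scoped objects, which is exactly the multi-deployment case this change targets. Consider folding the namespace in, e.g. `name: {{ include "kai.fullname" . }}-{{ .Release.Namespace }}-read-only` in both templates and in the `roleRef`, so each release owns a distinct ClusterRole. Note also that Helm will delete the old hard-coded `kai-read-only`/`kai-read-only-binding` objects and create the renamed ones on upgrade, so any second release that was silently sharing the hard-coded binding will lose its permissions until it is upgraded too; a changelog line would help operators. Both templates still lack a trailing newline.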
@@ -140,6 +140,8 @@ data: releases: {{- toYaml .Values.anchoreEnterpriseFeeds.ubuntuExtraReleases | nindent 14 }} {{- end }} + git_url: {{ (.Values.anchoreEnterpriseFeeds.ubuntuDriverGitUrl | quote) }} + git_branch: {{ (.Values.anchoreEnterpriseFeeds.ubuntuDriverGitBranch | quote) }} rhel: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.rhelDriverEnabled | quote) }} concurrency: {{ .Values.anchoreEnterpriseFeeds.rhelDriverConcurrency }} diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 1578ab1e..e8fdcc92 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -827,6 +827,14 @@ anchoreEnterpriseFeeds: # The number of concurrent threads used when downloading RHEL feeds rhelDriverConcurrency: 5 + # Git Repository settings for the Ubuntu feed driver + ubuntuDriverGitUrl: "https://git.launchpad.net/ubuntu-cve-tracker" + # Switch to the git protocol endpoint for significantly improved reliability in fetches as this endpoint is not + # throttled heavily like the https one; however, the git protocol is not validated or encrypted and runs on a different + # port from https + # ubuntuDriverGitUrl: "git://git.launchpad.net/ubuntu-cve-tracker" + ubuntuDriverGitBranch: "master" + # Set extra environment variables. These will be set on all feeds containers. extraEnv: [] # - name: foo From 0215d024287bfb50a8439b52ac6db2e1be27fb1a Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 25 Jan 2023 13:28:34 -0500 Subject: [PATCH 083/329] updating configs for v4.4.0 Signed-off-by: Hung Nguyen --- stable/anchore-engine/templates/engine_configmap.yaml | 2 ++ stable/anchore-engine/templates/enterprise_configmap.yaml | 1 + .../anchore-engine/templates/enterprise_feeds_configmap.yaml | 1 + stable/anchore-engine/templates/enterprise_ui_configmap.yaml | 1 + stable/anchore-engine/values.yaml | 5 +++++ 5 files changed, 10 insertions(+) 
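Review bot: The commented-out `git://` alternative is presented as a reliability knob, but what it fetches is the CVE data that drives policy decisions, and `git://` offers no transport authentication or integrity, so an on-path attacker can alter or suppress vulnerability records without detection. The comment should state that consequence plainly rather than only noting the protocol is "not validated or encrypted", e.g. `# WARNING: git:// has no authentication or integrity protection; an on-path attacker can tamper with the CVE data used for policy decisions. Use only on trusted networks, never in production.` Separately, the configmap hunk renders `git_url` and `git_branch` unconditionally through `quote`, so a user who nulls either value gets `""` written into the feeds config instead of the driver's built-in default; if that matters, wrap each in `{{- with .Values.anchoreEnterpriseFeeds.ubuntuDriverGitUrl }}git_url: {{ . | quote }}{{- end }}`.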
diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index 1085e7bc..adae02c1 100644 --- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml @@ -86,6 +86,7 @@ data: oauth: enabled: {{ .Values.anchoreGlobal.oauthEnabled }} default_token_expiration_seconds: {{ .Values.anchoreGlobal.oauthTokenExpirationSeconds }} + refresh_token_expiration_seconds: {{ .Values.anchoreGlobal.oauthRefreshTokenExpirationSeconds }} # Set this to True to enable storing user passwords only as secure hashes in the db. This can dramatically increase CPU usage if you # don't also use oauth and tokens for internal communications (which requires keys/secret to be configured as well) @@ -241,6 +242,7 @@ data: cycle_timer_seconds: 1 cycle_timers: {{- toYaml .Values.anchorePolicyEngine.cycleTimers | nindent 10 }} + enable_package_db_load: {{ .Values.anchorePolicyEngine.enablePackageDbLoad }} vulnerabilities: provider: grype sync: diff --git a/stable/anchore-engine/templates/enterprise_configmap.yaml b/stable/anchore-engine/templates/enterprise_configmap.yaml index efb8bd52..8454d1f5 100644 --- a/stable/anchore-engine/templates/enterprise_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_configmap.yaml @@ -56,6 +56,7 @@ data: oauth: enabled: {{ .Values.anchoreGlobal.oauthEnabled }} default_token_expiration_seconds: {{ .Values.anchoreGlobal.oauthTokenExpirationSeconds }} + refresh_token_expiration_seconds: {{ .Values.anchoreGlobal.oauthRefreshTokenExpirationSeconds }} # Set this to True to enable storing user passwords only as secure hashes in the db. This can dramatically increase CPU usage if you # don't also use oauth and tokens for internal communications (which requires keys/secret to be configured as well) 
diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index 3a85c528..6bc6cc67 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml @@ -65,6 +65,7 @@ data: oauth: enabled: {{ .Values.anchoreGlobal.oauthEnabled }} default_token_expiration_seconds: {{ .Values.anchoreGlobal.oauthTokenExpirationSeconds }} + refresh_token_expiration_seconds: {{ .Values.anchoreGlobal.oauthRefreshTokenExpirationSeconds }} # Set this to True to enable storing user passwords only as secure hashes in the db. This can dramatically increase CPU usage if you # don't also use oauth and tokens for internal communications (which requires keys/secret to be configured as well) diff --git a/stable/anchore-engine/templates/enterprise_ui_configmap.yaml b/stable/anchore-engine/templates/enterprise_ui_configmap.yaml index a2d3f377..10a5a106 100644 --- a/stable/anchore-engine/templates/enterprise_ui_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_ui_configmap.yaml @@ -74,4 +74,5 @@ data: {{- end }} log_level: {{ .Values.anchoreEnterpriseUi.logLevel | squote }} enrich_inventory_view: {{ .Values.anchoreEnterpriseUi.enrichInventoryView }} + enable_prometheus_metrics: {{ .Values.anchoreGlobal.enableMetrics }} {{- end -}} diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index e8fdcc92..f0d9edd2 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -218,6 +218,7 @@ anchoreGlobal: oauthEnabled: false oauthTokenExpirationSeconds: 3600 + oauthRefreshTokenExpirationSeconds: 86400 # Set this to true in order to disable the SSO JIT provisioning during authentication. This provides an additional # layer of security and configuration for SSO users to gain access to Anchore. This is disabled by default. 
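Review bot: `oauthRefreshTokenExpirationSeconds: 86400` is added without any comment, and unlike the access-token lifetime above it a refresh token is a long-lived bearer credential that can mint new access tokens for as long as it is valid, so operators need to know what they are tuning. Suggest a comment such as `# Lifetime of OAuth refresh tokens. A leaked refresh token remains usable for this long, so keep it as short as your UI/CLI session requirements allow.` The 1.22.0 changelog should also mention the new key, since it is rendered unconditionally into all three service configmaps and presumably is required by v4.4.0 — confirm against the release notes.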
@@ -643,6 +644,10 @@ anchorePolicyEngine: # 1 minute between checks to verify local grype-db is up to date grypedb_sync: 60 + # Controls the load of the Image Package DB Entries and disables the packages.verify gate. + # Reduces significant DB load as a result. + enablePackageDbLoad: true + cacheTTL: 3600 # 1 hour # kubernetes service configuration for anchore policy engine api From 19838369047b471249aee207f4ba399822648ffa Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Mon, 30 Jan 2023 10:13:33 -0500 Subject: [PATCH 084/329] disable feeds metrics auth Signed-off-by: Hung Nguyen --- stable/anchore-engine/templates/enterprise_feeds_configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index 6bc6cc67..e1c84d0e 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml @@ -45,7 +45,7 @@ data: license_file: /home/anchore/license.yaml metrics: enabled: {{ .Values.anchoreGlobal.enableMetrics }} - auth_disabled: {{ .Values.anchoreGlobal.metricsAuthDisabled }} + auth_disabled: true # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs. From b0394bd715aedbe94072dae4500d7f9e40c69b7b Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Mon, 30 Jan 2023 16:39:37 -0800 Subject: [PATCH 085/329] update enterprise image to v4.4.0 Signed-off-by: Brady Todhunter --- stable/anchore-engine/README.md | 4 ++++ stable/anchore-engine/values.yaml | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) 
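Review bot: The new comment on `enablePackageDbLoad` is ambiguous about which value does what: "Controls the load ... and disables the packages.verify gate" reads as if enabling the option disables the gate. If, as the name suggests, `false` skips loading package DB entries and therefore disables the `packages.verify` gate, say so explicitly: `# When true (default), image package DB entries are loaded so the packages.verify gate can run.` followed by `# Set to false to skip that load, which significantly reduces DB load but disables the packages.verify gate.` Confirm the semantics against the policy-engine documentation before wording it, since the chart renders the raw value with no translation.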
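Review bot: `auth_disabled: true` hard-codes the feeds service's Prometheus metrics endpoint as unauthenticated, silently overriding `.Values.anchoreGlobal.metricsAuthDisabled` (default `false`) for operators who rely on it, with no values knob, no comment and no changelog entry. If the feeds service genuinely cannot serve authenticated metrics, make that explicit and overridable: add `metricsAuthDisabled: true` under `anchoreEnterpriseFeeds` in values.yaml with a comment explaining why it differs from the global default, and render `auth_disabled: {{ .Values.anchoreEnterpriseFeeds.metricsAuthDisabled }}`. As written, anyone whose feeds service is reachable beyond the scrape network now exposes its metrics without credentials and has no supported way to turn that off.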
diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 81d9855b..6fb98487 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -181,6 +181,10 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. +## Chart version 1.22.0 + +* Anchore Enterprise image updated to v4.4.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/440/) + ## Chart version 1.21.0 * Revamped how the chart is configured when using existing secrets. Users upgrading from a previous chart version will need to update their values file to match the new convention. Update the following in your values file: diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index f0d9edd2..7ba536ba 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -736,7 +736,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.3.0 + image: docker.io/anchore/enterprise:v4.4.0 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. 
@@ -1094,7 +1094,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v4.3.0 + image: docker.io/anchore/enterprise-ui:v4.4.0 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers. From 2b966ccf655410762c2a03e3579fed8c8aa296fb Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Mon, 30 Jan 2023 16:39:53 -0800 Subject: [PATCH 086/329] bump chart version Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 584f5305..60540aae 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.21.4 +version: 1.22.0 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: From d11d4b9674d93fbb7cc13a308924abdaf7a14561 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Mon, 30 Jan 2023 16:43:37 -0800 Subject: [PATCH 087/329] update README Signed-off-by: Brady Todhunter --- stable/anchore-engine/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 6fb98487..4a41f40c 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -184,6 +184,8 @@ The upgrade will only be considered successful when this job completes successfu ## Chart version 1.22.0 * Anchore Enterprise image updated to v4.4.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/440/) +* Allow configuration of the URL used for pulling Ubuntu vulnerability feed. +* The UI now emits prometheus metrics when `.Values.anchoreGlobal.enableMetrics=true` ## Chart version 1.21.0 
From 42657b316636ac7bbad0f4db1c9fb528142a2ec8 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 2 Feb 2023 17:34:53 -0800 Subject: [PATCH 088/329] add logic that checks for Enterprise v4.4.0 upgrade compatibility Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/templates/_helpers.tpl | 14 ++++++++++++++ .../templates/engine_upgrade_job.yaml | 1 + .../templates/enterprise_feeds_upgrade_job.yaml | 1 + .../templates/enterprise_upgrade_job.yaml | 1 + 5 files changed, 18 insertions(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 60540aae..4ea32548 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.22.0 +version: 1.22.1 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index d312fc68..13dc3914 100755 --- a/stable/anchore-engine/templates/_helpers.tpl +++ b/stable/anchore-engine/templates/_helpers.tpl 
@@ -441,4 +441,18 @@ Upon upgrades, checks if .Values.existingSecret=true and fails the upgrade if .V {{- if and .Release.IsUpgrade .Values.anchoreGlobal.existingSecret (not .Values.anchoreGlobal.useExistingSecrets) }} {{- fail "WARNING: As of chart v1.21.0 `.Values.anchoreGlobal.existingSecret` is no longer a valid configuration value. See the chart README for more instructions on configuring existing secrets - https://github.com/anchore/anchore-charts/blob/main/stable/anchore-engine/README.md#chart-version-1210" }} {{- end }} +{{- end }} + +{{/* +Upon upgrade, check if user is upgrading to chart v1.22.0+ (Enterprise v4.4.0). If they are, ensure that they are +upgrading from Enterprise 4.3.0 only and error out if they're upgrading from an older version. +*/}} +{{- define "checkUpgradeCompatibility" }} +{{- if and .Release.IsUpgrade (regexMatch "1.22.[0-9]+" .Chart.Version) }} + {{- $apiDeploymentContainers := (lookup "apps/v1" "Deployment" .Release.Namespace (include "anchore-engine.api.fullname" .)).spec.template.spec.containers }} + {{- $installedAnchoreVersion := (regexFind "v[0-9]+\\.[0-9]+\\.[0-9]+$" (index $apiDeploymentContainers 0).image | quote) }} + {{- if not (regexMatch "v4\\.[3-9]\\.[0-9]" $installedAnchoreVersion) }} + {{- fail "WARNING - Anchore Enterprise v4.4.0 only supports upgrades from Enterprise v4.3.0. See release notes for more information - https://docs.anchore.com/current/docs/releasenotes/440/" }} + {{- end }} +{{- end }} {{- end }} \ No newline at end of file diff --git a/stable/anchore-engine/templates/engine_upgrade_job.yaml b/stable/anchore-engine/templates/engine_upgrade_job.yaml index 6e7ac1c4..9b57a838 100644 --- a/stable/anchore-engine/templates/engine_upgrade_job.yaml +++ b/stable/anchore-engine/templates/engine_upgrade_job.yaml @@ -1,3 +1,4 @@ +{{- template "checkUpgradeCompatibility" . }} {{- if .Values.anchoreEngineUpgradeJob.enabled }} apiVersion: batch/v1 kind: Job 
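Review bot: `lookup` returns an empty map when the API Deployment does not exist or when rendering without cluster access (`helm template`, `helm upgrade --dry-run`, `helm diff`), and the chained `.spec.template.spec.containers` then aborts with a nil-pointer template error instead of a readable message. Guard the result before indexing, e.g. `{{- $apiDeployment := lookup "apps/v1" "Deployment" .Release.Namespace (include "anchore-engine.api.fullname" .) }}` followed by `{{- if $apiDeployment }} ... {{- end }}`, and treat a missing deployment as "cannot verify" rather than as a failure. The `1.22.[0-9]+` pattern also has unescaped dots (`1\\.22\\.[0-9]+`); harmless here, but worth tightening while in the helper. The `define` is fully inside this hunk; its call sites are in the following hunks.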
diff --git a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml index 1c770340..f30a3e52 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml @@ -1,3 +1,4 @@ +{{- template "checkUpgradeCompatibility" . }} {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled .Values.anchoreEnterpriseFeedsUpgradeJob.enabled }} apiVersion: batch/v1 kind: Job diff --git a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml index 279bb0ba..af07c70d 100644 --- a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml @@ -1,3 +1,4 @@ +{{- template "checkUpgradeCompatibility" . }} {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseEngineUpgradeJob.enabled }} apiVersion: batch/v1 kind: Job From 711efaa85bd1d66323ca5a5b477391e0d686cfa4 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 2 Feb 2023 17:52:51 -0800 Subject: [PATCH 089/329] be more explicit about what container from the deployment to get the image from Signed-off-by: Brady Todhunter --- stable/anchore-engine/templates/_helpers.tpl | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index 13dc3914..f708dea9 100755 --- a/stable/anchore-engine/templates/_helpers.tpl +++ b/stable/anchore-engine/templates/_helpers.tpl 
@@ -450,9 +450,14 @@ upgrading from Enterprise 4.3.0 only and error out if they're upgrading from an {{- define "checkUpgradeCompatibility" }} {{- if and .Release.IsUpgrade (regexMatch "1.22.[0-9]+" .Chart.Version) }} {{- $apiDeploymentContainers := (lookup "apps/v1" "Deployment" .Release.Namespace (include "anchore-engine.api.fullname" .)).spec.template.spec.containers }} - {{- $installedAnchoreVersion := (regexFind "v[0-9]+\\.[0-9]+\\.[0-9]+$" (index $apiDeploymentContainers 0).image | quote) }} - {{- if not (regexMatch "v4\\.[3-9]\\.[0-9]" $installedAnchoreVersion) }} - {{- fail "WARNING - Anchore Enterprise v4.4.0 only supports upgrades from Enterprise v4.3.0. See release notes for more information - https://docs.anchore.com/current/docs/releasenotes/440/" }} + {{- range $index, $container := $apiDeploymentContainers }} + {{- if eq $container.name "anchore-engine-api" }} + {{- $apiContainerImage := $container.image }} + {{- $installedAnchoreVersion := (regexFind "v[0-9]+\\.[0-9]+\\.[0-9]+$" $apiContainerImage | quote) }} + {{- if not (regexMatch "v4\\.[3-9]\\.[0-9]" $installedAnchoreVersion) }} + {{- fail "WARNING - Anchore Enterprise v4.4.0 only supports upgrades from Enterprise v4.3.0. See release notes for more information - https://docs.anchore.com/current/docs/releasenotes/440/" }} + {{- end }} + {{- end }} {{- end }} {{- end }} {{- end }} \ No newline at end of file From e6520fd699a0c3dcd4af9480bf0d83ff1871e7df Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Mon, 6 Feb 2023 09:26:43 -0800 Subject: [PATCH 090/329] allow upgrades for version 4.2.0 and higher Signed-off-by: Brady Todhunter --- stable/anchore-engine/templates/_helpers.tpl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index f708dea9..3f56243b 100755 --- a/stable/anchore-engine/templates/_helpers.tpl +++ b/stable/anchore-engine/templates/_helpers.tpl 
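Review bot: `regexFind "v[0-9]+\\.[0-9]+\\.[0-9]+$"` yields an empty string for an API image pinned by digest (`...@sha256:...`), mirrored under a custom tag, or tagged `latest`, and that empty result then fails the `v4\\.[3-9]\\.[0-9]` match, so those users are blocked with a message that wrongly tells them they are on a pre-4.3.0 release. Check for the empty match separately and fail with a distinct message, e.g. `{{- if not $installedAnchoreVersion }}{{- fail "Unable to determine the installed Anchore version from the api container image tag; see release notes before upgrading" }}{{- end }}`. Drop the `| quote` on the `regexFind` result as well: it turns an empty match into the two-character string `""`, which defeats that emptiness check, and otherwise only adds literal quote characters to the compared value. The enclosing `define` begins above this hunk.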
@@ -445,7 +445,7 @@ Upon upgrades, checks if .Values.existingSecret=true and fails the upgrade if .V {{/* Upon upgrade, check if user is upgrading to chart v1.22.0+ (Enterprise v4.4.0). If they are, ensure that they are -upgrading from Enterprise 4.3.0 only and error out if they're upgrading from an older version. +upgrading from Enterprise 4.2.0 or higher and error out if they're upgrading from an older version. */}} {{- define "checkUpgradeCompatibility" }} {{- if and .Release.IsUpgrade (regexMatch "1.22.[0-9]+" .Chart.Version) }} @@ -454,8 +454,8 @@ upgrading from Enterprise 4.3.0 only and error out if they're upgrading from an {{- if eq $container.name "anchore-engine-api" }} {{- $apiContainerImage := $container.image }} {{- $installedAnchoreVersion := (regexFind "v[0-9]+\\.[0-9]+\\.[0-9]+$" $apiContainerImage | quote) }} - {{- if not (regexMatch "v4\\.[3-9]\\.[0-9]" $installedAnchoreVersion) }} - {{- fail "WARNING - Anchore Enterprise v4.4.0 only supports upgrades from Enterprise v4.3.0. See release notes for more information - https://docs.anchore.com/current/docs/releasenotes/440/" }} + {{- if not (regexMatch "v4\\.[2-9]\\.[0-9]" $installedAnchoreVersion) }} + {{- fail "WARNING - Anchore Enterprise v4.4.0 only supports upgrades from Enterprise v4.2.0 and higher. See release notes for more information - https://docs.anchore.com/current/docs/releasenotes/440/" }} {{- end }} {{- end }} {{- end }} From b068bdadf96060e6acfe1066080e0125e619a92f Mon Sep 17 00:00:00 2001 From: Kaizhe Huang Date: Mon, 6 Feb 2023 20:27:51 +0000 Subject: [PATCH 091/329] production deployment update Signed-off-by: Kaizhe Huang --- .../anchore-admission-controller/Chart.yaml | 2 +- .../templates/deployment.yaml | 21 +++++++++++-------- .../templates/init-ca/init-ca-hook.yaml | 12 +++++++++++ .../anchore-admission-controller/values.yaml | 3 +++ 4 files changed, 28 insertions(+), 10 deletions(-) 
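Review bot: The widened allow-list `v4\\.[2-9]\\.[0-9]` in the second hunk still accepts only minor versions 2 through 9, so a future `v4.10.x` tag would be rejected as too old even though it is newer than v4.2.0. A semantic comparison is shorter and does not need revisiting per release: drop the `| quote` on the `regexFind` line and replace the `regexMatch` test with `{{- if not (semverCompare ">= 4.2.0" (trimPrefix "v" $installedAnchoreVersion)) }}` (semverCompare errors on an empty string, so keep a non-empty check in front of it). The doc comment changed in the first hunk already describes the "4.2.0 or higher" intent that the semver form would implement literally.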
diff --git a/stable/anchore-admission-controller/Chart.yaml b/stable/anchore-admission-controller/Chart.yaml index 9a94ab55..e7adf65b 100644 --- a/stable/anchore-admission-controller/Chart.yaml +++ b/stable/anchore-admission-controller/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: anchore-admission-controller -version: 0.4.5 +version: 0.4.6 appVersion: 0.4.0 description: A kubernetes admission controller for validating and mutating webhooks that operates against Anchore Engine to make access decisions and annotations home: https://github.com/anchore/kubernetes-admission-controller diff --git a/stable/anchore-admission-controller/templates/deployment.yaml b/stable/anchore-admission-controller/templates/deployment.yaml index ad1515d3..6c59d50a 100644 --- a/stable/anchore-admission-controller/templates/deployment.yaml +++ b/stable/anchore-admission-controller/templates/deployment.yaml @@ -71,12 +71,15 @@ spec: - name: CREDENTIALS_FILE_PATH value: /credentials/credentials.json resources: {{- toYaml .Values.resources | nindent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.tolerations }} - tolerations: {{- toYaml .Values.tolerations | nindent 8 }} - {{- end }} - {{- if .Values.affinity }} - affinity: {{- toYaml .Values.affinity | nindent 8 }} - {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} diff --git a/stable/anchore-admission-controller/templates/init-ca/init-ca-hook.yaml b/stable/anchore-admission-controller/templates/init-ca/init-ca-hook.yaml index a2b83b24..3adfbe26 100644 
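Review bot: `priorityClassName: {{ .Values.priorityClassName }}` emits the value unquoted; a `with` block guards and quotes it in one step, `{{- with .Values.priorityClassName }}` / `priorityClassName: {{ . | quote }}` / `{{- end }}`, in line with how the neighbouring optional fields go through `toYaml | nindent`. The existing `nodeSelector`/`tolerations`/`affinity` lines are also re-indented by this hunk, which looks like a move between nesting levels; the surrounding Deployment spec is outside the hunk, so I cannot confirm from here that the new indent places them under the pod template spec rather than the Deployment spec. The `init-ca-hook.yaml` hunk on the next line adds the same four fields and has the same quoting point.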
--- a/stable/anchore-admission-controller/templates/init-ca/init-ca-hook.yaml +++ b/stable/anchore-admission-controller/templates/init-ca/init-ca-hook.yaml @@ -45,3 +45,15 @@ spec: resources: {{- toYaml . | nindent 10 }} {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} diff --git a/stable/anchore-admission-controller/values.yaml b/stable/anchore-admission-controller/values.yaml index 2eab2a33..3d1ca196 100644 --- a/stable/anchore-admission-controller/values.yaml +++ b/stable/anchore-admission-controller/values.yaml @@ -98,6 +98,9 @@ extraLabels: {} # define name of existing secret containing anchore credentials existingCredentialsSecret: null +# define priority class for anchore admission services +priorityClassName: null + # or define credentials here to create secrets credentials: {} # users: From 517f72934a5f7ce35de71ca28c825143a6b89f90 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Sun, 19 Feb 2023 12:45:21 -0500 Subject: [PATCH 092/329] only fail the upgrade if installedAnchoreVersion exist and matches (#65) * only fail the upgrade if installedAnchoreVersion exist and matches check version * change warning message * bumping chart version Signed-off-by: Hung Nguyen --------- Signed-off-by: Hung Nguyen --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/templates/_helpers.tpl | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 4ea32548..033ead7b 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml 
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.22.1
+version: 1.22.2
 appVersion: 1.1.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl
index 3f56243b..e47cd7c6 100755
--- a/stable/anchore-engine/templates/_helpers.tpl
+++ b/stable/anchore-engine/templates/_helpers.tpl
@@ -453,9 +453,12 @@ upgrading from Enterprise 4.2.0 or higher and error out if they're upgrading fro
 {{- range $index, $container := $apiDeploymentContainers }}
 {{- if eq $container.name "anchore-engine-api" }}
 {{- $apiContainerImage := $container.image }}
- {{- $installedAnchoreVersion := (regexFind "v[0-9]+\\.[0-9]+\\.[0-9]+$" $apiContainerImage | quote) }}
- {{- if not (regexMatch "v4\\.[2-9]\\.[0-9]" $installedAnchoreVersion) }}
- {{- fail "WARNING - Anchore Enterprise v4.4.0 only supports upgrades from Enterprise v4.2.0 and higher. See release notes for more information - https://docs.anchore.com/current/docs/releasenotes/440/" }}
+ {{- $installedAnchoreVersion := (regexFind "v[0-9]+\\.[0-9]+\\.[0-9]+$" $apiContainerImage) }}
+
+ {{- if $installedAnchoreVersion }}
+ {{- if not (regexMatch "v4\\.[2-9]\\.[0-9]" ($installedAnchoreVersion | quote)) }}
+ {{- fail "WARNING - Anchore Enterprise v4.4.0 and v4.4.1 only supports upgrades from Enterprise v4.2.0 and higher. See release notes for more information - https://docs.anchore.com/current/docs/releasenotes/440/" }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
From ba28f4c5ccfd5cae57d5e6f3a65ca8c87b8fa18a Mon Sep 17 00:00:00 2001
From: Hung Nguyen
Date: Sun, 19 Feb 2023 12:58:27 -0500
Subject: [PATCH 093/329] bumping Chart version and enterprise to 4.4.1
Signed-off-by: Hung Nguyen
---
 stable/anchore-engine/Chart.yaml | 2 +-
 stable/anchore-engine/values.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
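Review bot: With the new `{{- if $installedAnchoreVersion }}` guard, any API image whose reference does not end in `vX.Y.Z` — a suffixed tag such as `v4.3.0-rc1`, which the `$`-anchored `regexFind` rejects, or an image pinned by digest — now bypasses the compatibility check silently rather than surfacing anything to the operator. Avoiding false failures is a reasonable choice, but it should be recorded in the define's header comment, e.g. `If the installed image tag cannot be parsed as vX.Y.Z the check is skipped; verify the running version manually before upgrading.`, so the guarantee implied by the `fail` message is not overstated. The `| quote` applied before `regexMatch` is a no-op for an unanchored pattern and can be dropped. The `{{/* ... */}}` header of this define is outside the hunk.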
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 033ead7b..18cb4b34 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.22.2 +version: 1.22.3 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 7ba536ba..9d928d8f 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -736,7 +736,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.4.0 + image: docker.io/anchore/enterprise:v4.4.1 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. From 0795d6767fe888797d6b41c7f77f2975f7b1fb9e Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 23 Feb 2023 16:19:43 -0800 Subject: [PATCH 094/329] skip version check if api deployment cannot be found with lookup function Signed-off-by: Brady Todhunter --- stable/anchore-engine/templates/NOTES.txt | 22 +++++++++++++++----- stable/anchore-engine/templates/_helpers.tpl | 22 +++++++++++--------- 2 files changed, 29 insertions(+), 15 deletions(-) diff --git a/stable/anchore-engine/templates/NOTES.txt b/stable/anchore-engine/templates/NOTES.txt index 83aafdeb..8bc0a214 100644 --- a/stable/anchore-engine/templates/NOTES.txt +++ b/stable/anchore-engine/templates/NOTES.txt 
@@ -1,14 +1,26 @@ -{{- if not .Values.anchoreEnterpriseGlobal.enabled }} -WARNING - As of 2023, Anchore Engine is no longer maintained. There will be no future versions released. Users are advised to use Syft and Grype. -{{- end }} - To use Anchore you need the URL, username, and password to access the API and/or the UI. Anchore can be accessed via port {{ .Values.anchoreApi.service.port }} on the following DNS name from within the cluster: {{ template "anchore-engine.api.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local -* NOTE: On first startup of Anchore, the policy-engine performs a CVE data sync which may take several minutes to complete. During this time the system status will report 'partially_down' and any images added for analysis will stay in the 'not_analyzed' state. +* NOTE: On first startup of Anchore, the policy-engine performs a CVE data sync which may take several minutes to complete. +During this time the system status will report 'partially_down' and any images added for analysis will stay in the 'not_analyzed' state. Once the sync is complete, any queued images will be analyzed and the system status will change to 'all_up'. Initial setup time can be >120sec for postgresql setup and readiness checks to pass for the services as indicated by pod state. You can check with: kubectl get pods -l app={{ template "anchore-engine.fullname" .}},component=api + +{{ if and .Release.IsUpgrade (regexMatch "1.22.[0-9]+" .Chart.Version) }} +{{- $apiDeployment := (lookup "apps/v1" "Deployment" .Release.Namespace (include "anchore-engine.api.fullname" .)) }} +{{- if not $apiDeployment }} +**WARNING** +Anchore Enterprise v4.4.x only supports upgrades from Enterprise v4.2.0 and higher. +See release notes for more information - https://docs.anchore.com/current/docs/releasenotes/440/ +{{- end }} +{{- end }} + +{{ if not .Values.anchoreEnterpriseGlobal.enabled }} +**WARNING** +As of January 2023, Anchore Engine is no longer maintained. 
+There will be no future versions released. Users are advised to use Syft and Grype. +{{- end }} \ No newline at end of file diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index e47cd7c6..9e70e893 100755 --- a/stable/anchore-engine/templates/_helpers.tpl +++ b/stable/anchore-engine/templates/_helpers.tpl @@ -439,7 +439,7 @@ Upon upgrades, checks if .Values.existingSecret=true and fails the upgrade if .V */}} {{- define "checkUpgradeForExistingSecret" }} {{- if and .Release.IsUpgrade .Values.anchoreGlobal.existingSecret (not .Values.anchoreGlobal.useExistingSecrets) }} - {{- fail "WARNING: As of chart v1.21.0 `.Values.anchoreGlobal.existingSecret` is no longer a valid configuration value. See the chart README for more instructions on configuring existing secrets - https://github.com/anchore/anchore-charts/blob/main/stable/anchore-engine/README.md#chart-version-1210" }} + {{- fail "As of chart v1.21.0 `.Values.anchoreGlobal.existingSecret` is no longer a valid configuration value. See the chart README for more instructions on configuring existing secrets - https://github.com/anchore/anchore-charts/blob/main/stable/anchore-engine/README.md#chart-version-1210" }} {{- end }} {{- end }} 
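Review bot: The new `**WARNING**` block in NOTES.txt fires whenever `lookup` returns nothing, and `lookup` also returns an empty result under `helm template` and `--dry-run`, so every dry-run upgrade on a 1.22.x chart prints the v4.2.0 warning regardless of the installed version. Phrasing it as what was observed keeps it accurate in both cases, e.g. `The installed API deployment could not be found, so the pre-upgrade version check was skipped; Anchore Enterprise v4.4.x only supports upgrades from v4.2.0 and higher.`. The `regexMatch "1.22.[0-9]+" .Chart.Version` condition is duplicated from `_helpers.tpl`; a small named template holding it would keep the two in sync when the next release bumps the version.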
@@ -449,15 +449,17 @@ upgrading from Enterprise 4.2.0 or higher and error out if they're upgrading fro
 */}}
 {{- define "checkUpgradeCompatibility" }}
 {{- if and .Release.IsUpgrade (regexMatch "1.22.[0-9]+" .Chart.Version) }}
- {{- $apiDeploymentContainers := (lookup "apps/v1" "Deployment" .Release.Namespace (include "anchore-engine.api.fullname" .)).spec.template.spec.containers }}
- {{- range $index, $container := $apiDeploymentContainers }}
- {{- if eq $container.name "anchore-engine-api" }}
- {{- $apiContainerImage := $container.image }}
- {{- $installedAnchoreVersion := (regexFind "v[0-9]+\\.[0-9]+\\.[0-9]+$" $apiContainerImage) }}
-
- {{- if $installedAnchoreVersion }}
- {{- if not (regexMatch "v4\\.[2-9]\\.[0-9]" ($installedAnchoreVersion | quote)) }}
- {{- fail "WARNING - Anchore Enterprise v4.4.0 and v4.4.1 only supports upgrades from Enterprise v4.2.0 and higher. See release notes for more information - https://docs.anchore.com/current/docs/releasenotes/440/" }}
+ {{- $apiDeployment := (lookup "apps/v1" "Deployment" .Release.Namespace (include "anchore-engine.api.fullname" .)) }}
+ {{- if $apiDeployment }}
+ {{- $apiDeploymentContainers := $apiDeployment.spec.template.spec.containers}}
+ {{- range $index, $container := $apiDeploymentContainers }}
+ {{- if eq $container.name "anchore-engine-api" }}
+ {{- $apiContainerImage := $container.image }}
+ {{- $installedAnchoreVersion := (regexFind ":v[0-9]+\\.[0-9]+\\.[0-9]+" $apiContainerImage | trimPrefix ":") }}
+ {{- if $installedAnchoreVersion }}
+ {{- if not (regexMatch "v4\\.[2-9]\\.[0-9]" ($installedAnchoreVersion | quote)) }}
+ {{- fail "Anchore Enterprise v4.4.x only supports upgrades from Enterprise v4.2.0 and higher. See release notes for more information - https://docs.anchore.com/current/docs/releasenotes/440/" }}
+ {{- end }}
 {{- end }}
 {{- end }}
 {{- end }}
From f6c89353c00b89e7dd05dff9466815318ce5f508 Mon Sep 17 00:00:00 2001
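Review bot: The new `regexFind ":v[0-9]+\\.[0-9]+\\.[0-9]+"` never matches an image referenced by digest (`repo/enterprise@sha256:...`), so such deployments fall through the `{{- if $installedAnchoreVersion }}` guard and are never version-checked; the bypass is silent and deserves a one-line comment above the guard, `{{/* images referenced by digest carry no version tag; the compatibility check is skipped for them */}}`. `$apiDeploymentContainers := $apiDeployment.spec.template.spec.containers}}` is missing the space before `}}` that every other action in the hunk has. The `| quote` feeding `regexMatch` is a no-op for an unanchored pattern and can be dropped.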
From: Brady Todhunter Date: Thu, 23 Feb 2023 16:20:00 -0800 Subject: [PATCH 095/329] bump chart version Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 18cb4b34..0672af49 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.22.3 +version: 1.22.4 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: From f7b39e1f97bd371c2630f9bc741e21699c9b3c86 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Mon, 27 Feb 2023 09:25:12 -0500 Subject: [PATCH 096/329] Bumping enterprise versions to 4.5.0 Signed-off-by: Hung Nguyen --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/values.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 0672af49..7e4cd025 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.22.4 +version: 1.23.0 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 9d928d8f..e4c72570 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -736,7 +736,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.4.1 + image: docker.io/anchore/enterprise:v4.5.0 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. 
@@ -1094,7 +1094,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v4.4.0 + image: docker.io/anchore/enterprise-ui:v4.5.0 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers. From 720759abfec5bc55522da0cf5b220ccb2de7b746 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Mon, 27 Feb 2023 15:04:16 -0800 Subject: [PATCH 097/329] update README Signed-off-by: Brady Todhunter --- stable/anchore-engine/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 4a41f40c..1dd2ce5e 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -181,6 +181,10 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. +## Chart version 1.23.0 + +* Anchore Enterprise image updated to v4.5.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/450/) + ## Chart version 1.22.0 * Anchore Enterprise image updated to v4.4.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/440/) From b40cfaaa04a6f98a1b48b9887c75bf5cb3810788 Mon Sep 17 00:00:00 2001 
From: Brady Todhunter Date: Tue, 28 Mar 2023 23:31:44 -0700 Subject: [PATCH 098/329] Split db connect (#69) * update engine db config * update feeds db config * add legacy engine db config handling * update chart version * fix typos in ssl config Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/templates/_helpers.tpl | 8 +++--- .../templates/engine_configmap.yaml | 25 +++++++++++++------ .../templates/engine_secret.yaml | 1 + .../templates/enterprise_configmap.yaml | 21 ++++++++++------ .../templates/enterprise_feeds_configmap.yaml | 23 +++++++++++------ .../templates/enterprise_feeds_secret.yaml | 6 +++-- stable/anchore-engine/values.yaml | 15 ++++++----- 8 files changed, 66 insertions(+), 35 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 7e4cd025..5c0150bc 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.23.0 +version: 1.23.1 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index 9e70e893..699e33ff 100755 --- a/stable/anchore-engine/templates/_helpers.tpl +++ b/stable/anchore-engine/templates/_helpers.tpl 
@@ -404,10 +404,10 @@ Create feeds database hostname string from supplied values file. Used for settin
 {{- if and (index .Values "anchore-feeds-db" "externalEndpoint") (not (index .Values "anchore-feeds-db" "enabled")) }}
 {{- print ( index .Values "anchore-feeds-db" "externalEndpoint" ) }}
 {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "anchore-feeds-db" "enabled")) }}
- {{- print "localhost:5432" }}
+ {{- print "localhost" }}
 {{- else }}
 {{- $db_host := include "postgres.anchore-feeds-db.fullname" . }}
- {{- printf "%s:5432" $db_host -}}
+ {{- print $db_host -}}
 {{- end }}
 {{- end }}
@@ -418,10 +418,10 @@ Create database hostname string from supplied values file. Used for setting the
 {{- if and (index .Values "postgresql" "externalEndpoint") (not (index .Values "postgresql" "enabled")) }}
 {{- print ( index .Values "postgresql" "externalEndpoint" ) }}
 {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "postgresql" "enabled")) }}
- {{- print "localhost:5432" }}
+ {{- print "localhost" }}
 {{- else }}
 {{- $db_host := include "postgres.fullname" . }}
- {{- printf "%s:5432" $db_host -}}
+ {{- print $db_host -}}
 {{- end }}
 {{- end }}
diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml
index adae02c1..77a56869 100644
--- a/stable/anchore-engine/templates/engine_configmap.yaml
+++ b/stable/anchore-engine/templates/engine_configmap.yaml
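Review bot: Dropping the `:5432` suffix changes the contract of `postgresql.externalEndpoint` and `anchore-feeds-db.externalEndpoint` from `host:port` (as the old values.yaml comment documented) to a bare hostname, but nothing rejects a value carried over from an earlier release; a stale `myhost:5432` now lands in the enterprise `host:` field next to `port: 5432`, and in the engine URL as `myhost:5432:5432`. A guard in each helper catches that at render time: `{{- if regexMatch ":[0-9]+$" (index .Values "postgresql" "externalEndpoint") }}{{- fail "postgresql.externalEndpoint must be a hostname without a port; set postgresql.postgresPort instead" }}{{- end }}`. The same applies to the `ANCHORE_GEM_DB_HOST` change in the `enterprise_feeds_secret.yaml` hunk further down, and a README entry for chart 1.23.1 describing this migration is absent from the commit's file list.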
@@ -99,16 +99,27 @@ data:
 credentials:
 database:
- {{- if not .Values.anchoreGlobal.dbConfig.ssl }}
- db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}"
- {{- else if eq .Values.anchoreGlobal.dbConfig.sslMode "require" }}
- db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}"
- {{- else }}
- db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName -}}"
- {{- end }}
+ {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+ user: ${ANCHORE_DB_USER}
+ password: ${ANCHORE_DB_PASSWORD}
+ host: ${ANCHORE_DB_HOST}
+ port: ${ANCHORE_DB_PORT}
+ name: ${ANCHORE_DB_NAME}
+ {{- else }}
+ db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}/${ANCHORE_DB_NAME}"
+ {{- end }}
+
 db_connect_args:
 timeout: {{ .Values.anchoreGlobal.dbConfig.timeout }}
+ {{- if .Values.anchoreGlobal.dbConfig.ssl }}
+ ssl: true
+ sslmode: {{ .Values.anchoreGlobal.dbConfig.sslMode -}}
+ {{- if not (eq .Values.anchoreGlobal.dbConfig.sslMode "require") }}
+ sslrootcert: /home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName -}}
+ {{- end }}
+ {{- else }}
 ssl: false
+ {{- end }}
 db_pool_size: {{ .Values.anchoreGlobal.dbConfig.connectionPoolSize }}
 db_pool_max_overflow: {{ .Values.anchoreGlobal.dbConfig.connectionPoolMaxOverflow }}
 {{- with .Values.anchoreGlobal.dbConfig.engineArgs }}
diff --git a/stable/anchore-engine/templates/engine_secret.yaml b/stable/anchore-engine/templates/engine_secret.yaml
index 4f16b5dd..95714222 100644
--- a/stable/anchore-engine/templates/engine_secret.yaml
+++ b/stable/anchore-engine/templates/engine_secret.yaml
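Review bot: In the non-enterprise `{{- else }}` branch the `db_connect` URL no longer carries `?sslmode=...&sslrootcert=...`, so TLS for engine-only deployments now depends entirely on the engine honouring `ssl`, `sslmode` and `sslrootcert` under `db_connect_args`. I cannot confirm from this hunk that anchore-engine forwards those keys to the driver; if it does not, an engine-only install with `dbConfig.ssl: true` silently falls back to an unverified or plaintext database connection, so this should be verified against the engine's DB connection code or the query parameters kept on the legacy URL. A comment on the `{{- else }}` line, `{{/* legacy engine URL: TLS settings are supplied via db_connect_args below */}}`, would record the decision either way. The enterprise configmap hunk further down uses the same `db_connect_args` block without a legacy branch.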
@@ -18,6 +18,7 @@ stringData: ANCHORE_DB_USER: {{ index .Values "postgresql" "postgresUser" | quote }} ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }} ANCHORE_DB_HOST: "{{ template "db-hostname" . }}" + ANCHORE_DB_PORT: {{ index .Values "postgresql" "postgresPort" | quote }} {{- with .Values.anchoreGlobal.saml.secret }} ANCHORE_SAML_SECRET: {{ . }} {{- end }} diff --git a/stable/anchore-engine/templates/enterprise_configmap.yaml b/stable/anchore-engine/templates/enterprise_configmap.yaml index 8454d1f5..401d3383 100644 --- a/stable/anchore-engine/templates/enterprise_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_configmap.yaml 
@@ -69,16 +69,23 @@ data: credentials: database: - {{- if not .Values.anchoreGlobal.dbConfig.ssl }} - db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}" - {{- else if eq .Values.anchoreGlobal.dbConfig.sslMode "require" }} - db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}" - {{- else }} - db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName -}}" - {{- end }} + user: ${ANCHORE_DB_USER} + password: ${ANCHORE_DB_PASSWORD} + host: ${ANCHORE_DB_HOST} + port: ${ANCHORE_DB_PORT} + name: ${ANCHORE_DB_NAME} + db_connect_args: timeout: {{ .Values.anchoreGlobal.dbConfig.timeout }} + {{- if .Values.anchoreGlobal.dbConfig.ssl }} + ssl: true + sslmode: {{ .Values.anchoreGlobal.dbConfig.sslMode -}} + {{- if not (eq .Values.anchoreGlobal.dbConfig.sslMode "require") }} + sslrootcert: /home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName -}} + {{- end }} + {{- else }} ssl: false + {{- end }} db_pool_size: {{ .Values.anchoreGlobal.dbConfig.connectionPoolSize }} db_pool_max_overflow: {{ .Values.anchoreGlobal.dbConfig.connectionPoolMaxOverflow }} {{- with .Values.anchoreGlobal.dbConfig.engineArgs }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index e1c84d0e..ba79a097 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml 
@@ -78,16 +78,23 @@ data:
 credentials:
 database:
- {{- if not .Values.anchoreEnterpriseFeeds.dbConfig.ssl }}
- db_connect: "postgresql://${ANCHORE_FEEDS_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_FEEDS_DB_HOST}/${ANCHORE_FEEDS_DB_NAME}"
- {{- else if eq .Values.anchoreEnterpriseFeeds.dbConfig.sslMode "require" }}
- db_connect: "postgresql://${ANCHORE_FEEDS_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_FEEDS_DB_HOST}/${ANCHORE_FEEDS_DB_NAME}?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}"
- {{- else }}
- db_connect: "postgresql://${ANCHORE_FEEDS_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_FEEDS_DB_HOST}/${ANCHORE_FEEDS_DB_NAME}?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }}"
- {{- end }}
+ user: ${ANCHORE_FEEDS_DB_USER}
+ password: ${ANCHORE_FEEDS_DB_PASSWORD}
+ host: ${ANCHORE_FEEDS_DB_HOST}
+ port: ${ANCHORE_FEEDS_DB_PORT}
+ name: ${ANCHORE_FEEDS_DB_NAME}
+
 db_connect_args:
 timeout: {{ .Values.anchoreEnterpriseFeeds.dbConfig.timeout }}
+ {{- if .Values.anchoreGlobal.dbConfig.ssl }}
+ ssl: true
+ sslmode: {{ .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}
+ {{- if not (eq .Values.anchoreEnterpriseFeeds.dbConfig.sslMode "require") }}
+ sslrootcert: /home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName -}}
+ {{- end }}
+ {{- else }}
 ssl: false
+ {{- end }}
 db_pool_size: {{ .Values.anchoreEnterpriseFeeds.dbConfig.connectionPoolSize }}
 db_pool_max_overflow: {{ .Values.anchoreEnterpriseFeeds.dbConfig.connectionPoolMaxOverflow }}
 {{- with .Values.anchoreEnterpriseFeeds.dbConfig.engineArgs }}
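Review bot: The SSL toggle in this hunk reads `.Values.anchoreGlobal.dbConfig.ssl` while the removed code and the sibling `sslMode`/`sslRootCertName` lines use `.Values.anchoreEnterpriseFeeds.dbConfig`, so the feeds database's TLS setting is now keyed off the wrong values path. A user who enables TLS only for the feeds DB (`anchoreEnterpriseFeeds.dbConfig.ssl: true` with the global `ssl: false`) gets `ssl: false` and a plaintext feeds-DB connection, and the reverse combination enables TLS with the feeds `sslMode` left at whatever its default is. The condition should be `{{- if .Values.anchoreEnterpriseFeeds.dbConfig.ssl }}`.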
@@ -156,7 +163,7 @@ data: # To enable gem driver comment the enabled property and uncomment the db_connect property. enabled: {{ .Values.anchoreEnterpriseFeeds.gemDriverEnabled | quote }} {{- if .Values.anchoreEnterpriseFeeds.gemDriverEnabled }} - db_connect: "postgresql://${ANCHORE_GEM_DB_USER}:${ANCHORE_GEM_DB_PASSWORD}@${ANCHORE_GEM_DB_HOST}/${ANCHORE_GEM_DB_NAME}" + db_connect: "postgresql://${ANCHORE_GEM_DB_USER}:${ANCHORE_GEM_DB_PASSWORD}@${ANCHORE_GEM_DB_HOST}:${ANCHORE_GEM_DB_PORT}/${ANCHORE_GEM_DB_NAME}" {{- end }} nvdv2: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled | quote) }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_secret.yaml b/stable/anchore-engine/templates/enterprise_feeds_secret.yaml index a52c18f2..3330fb4c 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_secret.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_secret.yaml @@ -15,10 +15,11 @@ metadata: {{- end }} type: Opaque stringData: - ANCHORE_FEEDS_DB_NAME: {{ index .Values "anchore-feeds-db" "postgresDatabase" | quote }} + ANCHORE_FEEDS_DB_NAME: {{ index .Values "anchore-feeds-db" "postgresDatabase" | quote }} ANCHORE_FEEDS_DB_USER: {{ index .Values "anchore-feeds-db" "postgresUser" | quote }} ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }} ANCHORE_FEEDS_DB_HOST: "{{ template "feeds-db-hostname" . }}" + ANCHORE_FEEDS_DB_PORT: {{ index .Values "anchore-feeds-db" "postgresPort" | quote }} {{- with .Values.anchoreGlobal.saml.secret }} ANCHORE_SAML_SECRET: {{ . }} {{- end }} 
@@ -32,7 +33,8 @@ stringData: ANCHORE_GEM_DB_NAME: {{ index .Values "anchore-feeds-gem-db" "postgresDatabase" | quote }} ANCHORE_GEM_DB_USER: {{ index .Values "anchore-feeds-gem-db" "postgresUser" | quote }} ANCHORE_GEM_DB_PASSWORD: {{ index .Values "anchore-feeds-gem-db" "postgresPassword" | quote }} - ANCHORE_GEM_DB_HOST: "{{ default (include "postgres.anchore-feeds-gem-db.fullname" .) (index .Values "anchore-feeds-gem-db" "externalEndpoint") }}:5432" + ANCHORE_GEM_DB_HOST: "{{ default (include "postgres.anchore-feeds-gem-db.fullname" .) (index .Values "anchore-feeds-gem-db" "externalEndpoint") }}" + ANCHORE_GEM_DB_PORT: {{ index .Values "anchore-feeds-gem-db" "postgresPort" | quote }} {{- end }} {{- end }} {{- end }} diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index e4c72570..6c01be6d 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -4,14 +4,15 @@ fullnameOverride: Null # Anchore has a dependency on Postgresql, configure here postgresql: # To use an external DB or Google CloudSQL in GKE, uncomment & set 'enabled: false' - # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres + # externalEndpoint, postgresUser, postgresPassword, postgresDatabase, & postgresPort are required values for external postgres # enabled: false # If enabled=false specify an external (already existing) postgres deployment for use. - # Set to the host and port. eg. mypostgres.myserver.io:5432 + # Set to the hostname eg. mypostgres.myserver.io externalEndpoint: Null postgresUser: anchoreengine postgresPassword: anchore-postgres,123 postgresDatabase: anchore + postgresPort: 5432 # Configure size of the persistent volume used with helm managed chart. # This should be commented out if using an external endpoint. 
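Review bot: The updated comment lists `postgresPort` among the values that are "required" for an external postgres, but the same hunk gives it a default of `5432` directly below, so it is optional. `# externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres; postgresPort defaults to 5432` states that accurately. The same comment is repeated in the `anchore-feeds-db` and `anchore-feeds-gem-db` hunks on the next line.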
@@ -747,14 +748,15 @@ anchoreEnterpriseGlobal: # Only utilized if anchoreEnterpriseGlobal.enabled: true anchore-feeds-db: # To use an external DB or Google CloudSQL, uncomment & set 'enabled: false' - # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres + # externalEndpoint, postgresUser, postgresPassword, postgresDatabase, & postgresPort are required values for external postgres # enabled: false # if enabled=false specify an external (already existing) postgres deployment for use. - # Set to the host and port. eg. mypostgres.myserver.io:5432 + # Set to the hostname eg. mypostgres.myserver.io externalEndpoint: Null postgresUser: anchoreengine postgresPassword: anchore-postgres,123 postgresDatabase: anchore-feeds + postgresPort: 5432 # Configure size of the persistent volume used with helm managed chart. # This should be commented out if using an external endpoint. @@ -784,14 +786,15 @@ anchore-feeds-db: # Database is used for temporarily loading the Ruby gem vulnerability data by the Enterprise Feeds service. anchore-feeds-gem-db: # To use an external DB uncomment & set 'enabled: false' - # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres + # externalEndpoint, postgresUser, postgresPassword, postgresDatabase, & postgresPort are required values for external postgres # enabled: false # If enabled=false specify an external (already existing) postgres deployment for use. - # Set to the host and port. eg. mypostgres.myserver.io:5432 + # Set to the hostname eg. mypostgres.myserver.io externalEndpoint: Null postgresUser: postgres postgresPassword: anchore-postgres,123 postgresDatabase: gems + postgresPort: 5432 persistence: enabled: false From c120cbd44e7ea818b8b14def780bd836fb6676e0 Mon Sep 17 00:00:00 2001 
From: Brady Todhunter Date: Wed, 29 Mar 2023 16:43:07 -0700 Subject: [PATCH 099/329] Allow multiple source files (#71) * allow sourcing multiple files with anchoreGlobal.doSourceAtEntry.filePaths Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/README.md | 13 +++++++++++++ stable/anchore-engine/templates/_helpers.tpl | 9 +++++++-- stable/anchore-engine/values.yaml | 3 ++- 4 files changed, 23 insertions(+), 4 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 5c0150bc..76892947 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.23.1 +version: 1.23.2 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 1dd2ce5e..d0612896 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md 
@@ -181,6 +181,19 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. +## Chart version 1.24.0 + +* `.Values.anchoreGlobal.doSourceAtEntry.filePath` has been changed to `.Values.anchoreGlobal.doSourceAtEntry.filePaths` which accepts a list of file paths. This allows for multiple files to be sourced prior to starting the Anchore services instead of a single file. + * Remove `.Values.anchoreGlobal.doSourceAtEntry.filePath` and add the following to your values file: + + ```yaml + anchoreGlobal: + doSourceAtEntry: + filePaths: + - /path/to/file1 + - /path/to/file2 + ``` + ## Chart version 1.23.0 * Anchore Enterprise image updated to v4.5.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/450/) diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index 699e33ff..a194475b 100755 --- a/stable/anchore-engine/templates/_helpers.tpl +++ b/stable/anchore-engine/templates/_helpers.tpl 
@@ -430,7 +430,12 @@ Allows sourcing of a specified file in the entrypoint of all containers when .Va */}} {{- define "doSourceFile" }} {{- if .Values.anchoreGlobal.doSourceAtEntry.enabled }} - {{- printf "source %v;" .Values.anchoreGlobal.doSourceAtEntry.filePath }} + {{- if .Values.anchoreGlobal.doSourceAtEntry.filePath }} + {{- fail "As of chart v1.23.1 `.Values.anchoreGlobal.doSourceAtEntry.filePath` is no longer valid. Update your values file to set `.Values.anchoreGlobal.doSourceAtEntry.filePaths` which accepts a list of strings." }} + {{- end }} + {{- range $index, $file := .Values.anchoreGlobal.doSourceAtEntry.filePaths }} + {{- printf "if [ -f %v ];then source %v;fi;" $file $file }} + {{- end }} {{- end }} {{- end }} @@ -465,4 +470,4 @@ upgrading from Enterprise 4.2.0 or higher and error out if they're upgrading fro {{- end }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 6c01be6d..e91efc1d 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -146,7 +146,8 @@ anchoreGlobal: # does `source {{ filePath }}` before starting services doSourceAtEntry: enabled: false - filePath: "/vault/secrets/config" + filePaths: + - "/vault/secrets/config" extraVolumes: [] # - name: config From 2fa75ce4e47016911736d65269c76da3828426ff Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 29 Mar 2023 23:24:35 -0700 Subject: [PATCH 100/329] add upgrade check to all jobs and message in NOTES.txt informing users how to view upgrade compatability (#72) Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/templates/NOTES.txt | 25 +++++++++++++++---- .../templates/engine_upgrade_job.yaml | 2 ++ .../enterprise_feeds_upgrade_job.yaml | 8 +++--- .../templates/enterprise_upgrade_job.yaml | 8 +++--- 5 files changed, 33 insertions(+), 12 deletions(-) 
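Review bot: The new `fail` message says the change took effect "As of chart v1.23.1", but this commit bumps Chart.yaml to 1.23.2 and the README hunk files the change under "Chart version 1.24.0", so a user reading the error cannot tell which version to pin. The added `printf "if [ -f %v ];then source %v;fi;"` also interpolates each path unquoted, so a `filePaths` entry with spaces or shell metacharacters splits inside the entrypoint; `{{- printf "if [ -f \"%s\" ]; then source \"%s\"; fi;" $file $file }}` keeps each path as one word. The `-f` test silently skips a missing file where the old `source` would have failed the container, which is worth stating in the helper's header comment (its "Allows sourcing of a specified file" wording is now singular as well). In the values.yaml hunk on this line the comment above `doSourceAtEntry` still reads `source {{ filePath }}` and should name `filePaths`.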
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index 76892947..56626d2e 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.23.2
+version: 1.23.3
 appVersion: 1.1.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
diff --git a/stable/anchore-engine/templates/NOTES.txt b/stable/anchore-engine/templates/NOTES.txt
index 8bc0a214..e265d2c5 100644
--- a/stable/anchore-engine/templates/NOTES.txt
+++ b/stable/anchore-engine/templates/NOTES.txt
@@ -1,26 +1,41 @@ -To use Anchore you need the URL, username, and password to access the API and/or the UI. +To use Anchore you need the URL, username, and password to access the API and/or the UI. Anchore can be accessed via port {{ .Values.anchoreApi.service.port }} on the following DNS name from within the cluster: -{{ template "anchore-engine.api.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local + + {{ template "anchore-engine.api.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local * NOTE: On first startup of Anchore, the policy-engine performs a CVE data sync which may take several minutes to complete. During this time the system status will report 'partially_down' and any images added for analysis will stay in the 'not_analyzed' state. Once the sync is complete, any queued images will be analyzed and the system status will change to 'all_up'. -Initial setup time can be >120sec for postgresql setup and readiness checks to pass for the services as indicated by pod state. You can check with: +Initial setup time can be >120sec for postgresql setup and readiness checks to pass for the services as indicated by pod state. +You can check with: + kubectl get pods -l app={{ template "anchore-engine.fullname" .}},component=api -{{ if and .Release.IsUpgrade (regexMatch "1.22.[0-9]+" .Chart.Version) }} +{{- if and .Release.IsUpgrade (regexMatch "1.22.[0-9]+" .Chart.Version) }} {{- $apiDeployment := (lookup "apps/v1" "Deployment" .Release.Namespace (include "anchore-engine.api.fullname" .)) }} {{- if not $apiDeployment }} + **WARNING** Anchore Enterprise v4.4.x only supports upgrades from Enterprise v4.2.0 and higher. See release notes for more information - https://docs.anchore.com/current/docs/releasenotes/440/ {{- end }} {{- end }} -{{ if not .Values.anchoreEnterpriseGlobal.enabled }} +{{- if not .Values.anchoreEnterpriseGlobal.enabled }} + **WARNING** As of January 2023, Anchore Engine is no longer maintained. 
There will be no future versions released. Users are advised to use Syft and Grype. +{{- end }} + +{{- if and .Release.IsUpgrade .Values.anchoreEnterpriseGlobal.enabled }} + +**WARNING** +The upcoming 5.0 release of Anchore Enterprise will require Postgresql version 13.0 or higher. +To verify that your Postgresql version is compatible with Anchore Enterprise v5.0 view the log output of the upgrade jobs: + + kubectl logs -l component=anchore-enterprise-upgrade | grep WARN + kubectl logs -l component=anchore-enterprise-feeds-upgrade | grep WARN {{- end }} \ No newline at end of file diff --git a/stable/anchore-engine/templates/engine_upgrade_job.yaml b/stable/anchore-engine/templates/engine_upgrade_job.yaml index 9b57a838..1c837e23 100644 --- a/stable/anchore-engine/templates/engine_upgrade_job.yaml +++ b/stable/anchore-engine/templates/engine_upgrade_job.yaml @@ -20,6 +20,8 @@ spec: app.kubernetes.io/managed-by: {{ .Release.Service | quote }} app.kubernetes.io/instance: {{ .Release.Name | quote }} helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + app: {{ template "anchore-engine.fullname" . }} + component: anchore-engine-upgrade annotations: {{- with .Values.anchoreGlobal.annotations }} {{ toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml index f30a3e52..502b69f4 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml @@ -20,6 +20,8 @@ spec: app.kubernetes.io/managed-by: {{ .Release.Service | quote }} app.kubernetes.io/instance: {{ .Release.Name | quote }} helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + app: {{ template "anchore-engine.fullname" . }} + component: anchore-enterprise-feeds-upgrade annotations: {{- with .Values.anchoreGlobal.annotations }} {{ toYaml . | nindent 8 }} 
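Review bot: The new NOTES.txt commands `kubectl logs -l component=anchore-enterprise-upgrade | grep WARN` select by `component` only, whereas the pod-status line earlier in the same file scopes to the release with `-l app={{ template "anchore-engine.fullname" .}},component=api`; with several releases in one namespace the bare selector mixes their logs. The upgrade-job hunks on this line and the enterprise_upgrade_job hunk that follows add both `app:` and `component:` pod labels, so the selector can use them: `kubectl logs -l app={{ template "anchore-engine.fullname" . }},component=anchore-enterprise-upgrade | grep WARN`. The README text earlier on this page says the upgrade Job resources are removed after a successful upgrade, so the note should presumably also say at what point these logs can still be read.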
@@ -66,13 +68,13 @@ spec: args: {{- if not .Values.anchoreEnterpriseFeeds.dbConfig.ssl }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" pre-upgrade-check; {{- else if eq .Values.anchoreEnterpriseFeeds.dbConfig.sslMode "require" }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; {{- else }} - | - {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; {{- end }} {{- if .Values.cloudsql.enabled }} - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; diff --git a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml index af07c70d..4b6ee388 100644 --- a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml @@ -20,6 +20,8 @@ spec: app.kubernetes.io/managed-by: {{ .Release.Service | quote }} app.kubernetes.io/instance: {{ .Release.Name | quote }} helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + app: {{ template "anchore-engine.fullname" . }} + component: anchore-enterprise-upgrade annotations: {{- with .Values.anchoreGlobal.annotations }} {{ toYaml . | nindent 8 }} 
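Review bot: In the two SSL branches of enterprise_feeds_upgrade_job.yaml the rewritten `--db-connect` strings now read `.Values.anchoreGlobal.dbConfig.sslMode` and `.Values.anchoreGlobal.dbConfig.sslRootCertName`, while the enclosing `{{- if }}`/`{{- else if }}` conditions (and the removed lines) use `.Values.anchoreEnterpriseFeeds.dbConfig`; the feeds upgrade job therefore connects with the main database's TLS mode and root certificate, which can weaken verification or point at the wrong CA whenever the two databases are configured differently. The four references should go back to `.Values.anchoreEnterpriseFeeds.dbConfig.sslMode` and `.Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName`. Separately, `… upgrade --dontask; anchore-enterprise-manager db … pre-upgrade-check;` chains the two commands with `;`, so unless the `command:` outside this hunk enables `-e`, a failed `upgrade` is masked by a successful `pre-upgrade-check` and the hook Job reports success; joining them with `&&` (or running the check first) preserves the upgrade's exit status, and the same applies to the enterprise_upgrade_job hunk below.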
@@ -66,13 +68,13 @@ spec: args: {{- if not .Values.anchoreGlobal.dbConfig.ssl }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}" upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" pre-upgrade-check; {{- else if eq .Values.anchoreGlobal.dbConfig.sslMode "require" }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; {{- else }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; + {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; {{- end }} {{- if .Values.cloudsql.enabled }} - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; From 996413f7b60026e47e4a1c81eab6705992e288e7 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 30 Mar 2023 23:30:44 -0700 Subject: [PATCH 101/329] update readme and NOTES.txt (#73) Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/README.md | 19 +++++++++++++++++++ stable/anchore-engine/templates/NOTES.txt | 10 ++++++++++ 3 files changed, 30 insertions(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 56626d2e..cec07709 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.23.3 +version: 1.24.0 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index d0612896..08630ebd 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md 
@@ -183,6 +183,8 @@ The upgrade will only be considered successful when this job completes successfu ## Chart version 1.24.0 +* Anchore Enterprise image updated to v4.6.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/460/) + * `.Values.anchoreGlobal.doSourceAtEntry.filePath` has been changed to `.Values.anchoreGlobal.doSourceAtEntry.filePaths` which accepts a list of file paths. This allows for multiple files to be sourced prior to starting the Anchore services instead of a single file. * Remove `.Values.anchoreGlobal.doSourceAtEntry.filePath` and add the following to your values file: @@ -194,6 +196,23 @@ The upgrade will only be considered successful when this job completes successfu - /path/to/file2 ``` +* Updated the configuration for Anchore Enterprise database connections. This will ensure that special characters are handled properly in database passwords. Also allows configuring the db hostname and port separately. + + * If your postgresql connection is using a non-standard port, you will need to update your values file to include the hostname and port. For example: + + ```yaml + postgresql: + externalEndpoint: + postgresPort: + ``` + + * If you're using external secrets and an non-standard port, you will need to update your secrets to include the hostname and port. + + ```yaml + ANCHORE_DB_HOST: + ANCHORE_DB_PORT: + ``` + ## Chart version 1.23.0 * Anchore Enterprise image updated to v4.5.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/450/) diff --git a/stable/anchore-engine/templates/NOTES.txt b/stable/anchore-engine/templates/NOTES.txt index e265d2c5..768b31ec 100644 --- a/stable/anchore-engine/templates/NOTES.txt +++ b/stable/anchore-engine/templates/NOTES.txt 
@@ -30,6 +30,16 @@ As of January 2023, Anchore Engine is no longer maintained. There will be no future versions released. Users are advised to use Syft and Grype. {{- end }} +{{- if and .Release.IsUpgrade .Values.anchoreGlobal.useExistingSecrets (regexMatch "1.24.[0-9]+" .Chart.Version) }} + +**WARNING** +Please update your existing secrets to use separate environment variables for the database hostname and port. +Add the following variables to your secrets: + + ANCHORE_DB_HOST: + ANCHORE_DB_PORT: +{{- end }} + {{- if and .Release.IsUpgrade .Values.anchoreEnterpriseGlobal.enabled }} **WARNING** From 748aaf14d862c604b37a1fd35cb0ded54e0cfbe0 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 31 Mar 2023 00:06:59 -0700 Subject: [PATCH 102/329] update images to v4.6.0 Signed-off-by: Brady Todhunter --- stable/anchore-engine/templates/NOTES.txt | 2 +- stable/anchore-engine/values.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/stable/anchore-engine/templates/NOTES.txt b/stable/anchore-engine/templates/NOTES.txt index 768b31ec..8438e118 100644 --- a/stable/anchore-engine/templates/NOTES.txt +++ b/stable/anchore-engine/templates/NOTES.txt @@ -35,7 +35,7 @@ There will be no future versions released. Users are advised to use Syft and Gry **WARNING** Please update your existing secrets to use separate environment variables for the database hostname and port. Add the following variables to your secrets: - +  ANCHORE_DB_HOST: ANCHORE_DB_PORT: {{- end }} diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index e91efc1d..a17c3b1d 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml 
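Review bot: The new condition `regexMatch "1.24.[0-9]+" .Chart.Version` copies the unanchored pattern used for 1.22 above it, so each `.` matches any character and the warning also fires for versions such as `11.24.0`; anchoring it, `regexMatch "^1\\.24\\.[0-9]+$" .Chart.Version`, limits the warning to the intended chart line. The warning lists the two variable names without saying how the values relate to the old combined `ANCHORE_DB_HOST`, so one sentence such as `ANCHORE_DB_HOST must now contain only the hostname; move the port into ANCHORE_DB_PORT` would make the migration unambiguous.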
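Review bot: The added line in the NOTES.txt hunk of this commit replaces an empty line with one that appears to contain a non-ASCII whitespace or control character (it shows as a stray glyph after the `+` marker), which is invisible in the rendered notes and looks like an editor artefact; replace it with a genuinely blank line. The hunk is also unrelated to the commit subject ("update images to v4.6.0"), so it would be cleaner in its own commit.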
@@ -738,7 +738,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.5.0 + image: docker.io/anchore/enterprise:v4.6.0 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. @@ -1098,7 +1098,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v4.5.0 + image: docker.io/anchore/enterprise-ui:v4.6.0 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers. From 134cb284e7496af95de3fb41dfff515fa13be003 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 31 Mar 2023 17:05:37 -0700 Subject: [PATCH 103/329] Revert "Update to Enterprise v4.6.0" --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/README.md | 32 ----------------- stable/anchore-engine/templates/NOTES.txt | 35 +++---------------- stable/anchore-engine/templates/_helpers.tpl | 17 ++++----- .../templates/engine_configmap.yaml | 25 ++++--------- .../templates/engine_secret.yaml | 1 - .../templates/engine_upgrade_job.yaml | 2 -- .../templates/enterprise_configmap.yaml | 21 ++++------- .../templates/enterprise_feeds_configmap.yaml | 23 +++++------- .../templates/enterprise_feeds_secret.yaml | 6 ++-- .../enterprise_feeds_upgrade_job.yaml | 8 ++--- .../templates/enterprise_upgrade_job.yaml | 8 ++--- stable/anchore-engine/values.yaml | 22 +++++------- 13 files changed, 51 insertions(+), 151 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index cec07709..7e4cd025 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml 
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.24.0
+version: 1.23.0
 appVersion: 1.1.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md
index 08630ebd..1dd2ce5e 100644
--- a/stable/anchore-engine/README.md
+++ b/stable/anchore-engine/README.md
@@ -181,38 +181,6 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. -## Chart version 1.24.0 - -* Anchore Enterprise image updated to v4.6.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/460/) - -* `.Values.anchoreGlobal.doSourceAtEntry.filePath` has been changed to `.Values.anchoreGlobal.doSourceAtEntry.filePaths` which accepts a list of file paths. This allows for multiple files to be sourced prior to starting the Anchore services instead of a single file. - * Remove `.Values.anchoreGlobal.doSourceAtEntry.filePath` and add the following to your values file: - - ```yaml - anchoreGlobal: - doSourceAtEntry: - filePaths: - - /path/to/file1 - - /path/to/file2 - ``` - -* Updated the configuration for Anchore Enterprise database connections. This will ensure that special characters are handled properly in database passwords. Also allows configuring the db hostname and port separately. - - * If your postgresql connection is using a non-standard port, you will need to update your values file to include the hostname and port. For example: - - ```yaml - postgresql: - externalEndpoint: - postgresPort: - ``` - - * If you're using external secrets and an non-standard port, you will need to update your secrets to include the hostname and port. - - ```yaml - ANCHORE_DB_HOST: - ANCHORE_DB_PORT: - ``` - ## Chart version 1.23.0 * Anchore Enterprise image updated to v4.5.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/450/) 
diff --git a/stable/anchore-engine/templates/NOTES.txt b/stable/anchore-engine/templates/NOTES.txt
index 8438e118..8bc0a214 100644
--- a/stable/anchore-engine/templates/NOTES.txt
+++ b/stable/anchore-engine/templates/NOTES.txt
@@ -1,51 +1,26 @@ - To use Anchore you need the URL, username, and password to access the API and/or the UI. -Anchore can be accessed via port {{ .Values.anchoreApi.service.port }} on the following DNS name from within the cluster: - {{ template "anchore-engine.api.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local +Anchore can be accessed via port {{ .Values.anchoreApi.service.port }} on the following DNS name from within the cluster: +{{ template "anchore-engine.api.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local * NOTE: On first startup of Anchore, the policy-engine performs a CVE data sync which may take several minutes to complete. During this time the system status will report 'partially_down' and any images added for analysis will stay in the 'not_analyzed' state. Once the sync is complete, any queued images will be analyzed and the system status will change to 'all_up'. -Initial setup time can be >120sec for postgresql setup and readiness checks to pass for the services as indicated by pod state. -You can check with: - +Initial setup time can be >120sec for postgresql setup and readiness checks to pass for the services as indicated by pod state. You can check with: kubectl get pods -l app={{ template "anchore-engine.fullname" .}},component=api -{{- if and .Release.IsUpgrade (regexMatch "1.22.[0-9]+" .Chart.Version) }} +{{ if and .Release.IsUpgrade (regexMatch "1.22.[0-9]+" .Chart.Version) }} {{- $apiDeployment := (lookup "apps/v1" "Deployment" .Release.Namespace (include "anchore-engine.api.fullname" .)) }} {{- if not $apiDeployment }} - **WARNING** Anchore Enterprise v4.4.x only supports upgrades from Enterprise v4.2.0 and higher. See release notes for more information - https://docs.anchore.com/current/docs/releasenotes/440/ {{- end }} {{- end }} -{{- if not .Values.anchoreEnterpriseGlobal.enabled }} - +{{ if not .Values.anchoreEnterpriseGlobal.enabled }} **WARNING** As of January 2023, Anchore Engine is no longer maintained. 
There will be no future versions released. Users are advised to use Syft and Grype. -{{- end }} - -{{- if and .Release.IsUpgrade .Values.anchoreGlobal.useExistingSecrets (regexMatch "1.24.[0-9]+" .Chart.Version) }} - -**WARNING** -Please update your existing secrets to use separate environment variables for the database hostname and port. -Add the following variables to your secrets: -  - ANCHORE_DB_HOST: - ANCHORE_DB_PORT: -{{- end }} - -{{- if and .Release.IsUpgrade .Values.anchoreEnterpriseGlobal.enabled }} - -**WARNING** -The upcoming 5.0 release of Anchore Enterprise will require Postgresql version 13.0 or higher. -To verify that your Postgresql version is compatible with Anchore Enterprise v5.0 view the log output of the upgrade jobs: - - kubectl logs -l component=anchore-enterprise-upgrade | grep WARN - kubectl logs -l component=anchore-enterprise-feeds-upgrade | grep WARN {{- end }} \ No newline at end of file diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index a194475b..9e70e893 100755 --- a/stable/anchore-engine/templates/_helpers.tpl +++ b/stable/anchore-engine/templates/_helpers.tpl @@ -404,10 +404,10 @@ Create feeds database hostname string from supplied values file. Used for settin {{- if and (index .Values "anchore-feeds-db" "externalEndpoint") (not (index .Values "anchore-feeds-db" "enabled")) }} {{- print ( index .Values "anchore-feeds-db" "externalEndpoint" ) }} {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "anchore-feeds-db" "enabled")) }} - {{- print "localhost" }} + {{- print "localhost:5432" }} {{- else }} {{- $db_host := include "postgres.anchore-feeds-db.fullname" . }} - {{- print $db_host -}} + {{- printf "%s:5432" $db_host -}} {{- end }} {{- end }} 
@@ -418,10 +418,10 @@ Create database hostname string from supplied values file. Used for setting the {{- if and (index .Values "postgresql" "externalEndpoint") (not (index .Values "postgresql" "enabled")) }} {{- print ( index .Values "postgresql" "externalEndpoint" ) }} {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "postgresql" "enabled")) }} - {{- print "localhost" }} + {{- print "localhost:5432" }} {{- else }} {{- $db_host := include "postgres.fullname" . }} - {{- print $db_host -}} + {{- printf "%s:5432" $db_host -}} {{- end }} {{- end }} @@ -430,12 +430,7 @@ Allows sourcing of a specified file in the entrypoint of all containers when .Va */}} {{- define "doSourceFile" }} {{- if .Values.anchoreGlobal.doSourceAtEntry.enabled }} - {{- if .Values.anchoreGlobal.doSourceAtEntry.filePath }} - {{- fail "As of chart v1.23.1 `.Values.anchoreGlobal.doSourceAtEntry.filePath` is no longer valid. Update your values file to set `.Values.anchoreGlobal.doSourceAtEntry.filePaths` which accepts a list of strings." }} - {{- end }} - {{- range $index, $file := .Values.anchoreGlobal.doSourceAtEntry.filePaths }} - {{- printf "if [ -f %v ];then source %v;fi;" $file $file }} - {{- end }} + {{- printf "source %v;" .Values.anchoreGlobal.doSourceAtEntry.filePath }} {{- end }} {{- end }} @@ -470,4 +465,4 @@ upgrading from Enterprise 4.2.0 or higher and error out if they're upgrading fro {{- end }} {{- end }} {{- end }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index 77a56869..adae02c1 100644 --- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml 
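Review bot: This revert's scope goes well beyond its subject ("Update to Enterprise v4.6.0"): the _helpers.tpl hunks here restore the hard-coded `localhost:5432` / `%s:5432` host strings and the single unquoted `source %v;` entry, and the companion hunks drop the `ANCHORE_DB_PORT` secret key, the Job `app`/`component` labels and the NOTES.txt upgrade warnings, none of which depend on the image version. If only the image bump needs rolling back, the two values.yaml image lines are the minimal change. The Chart.yaml hunk also sets `version: 1.23.0`, below the 1.23.1–1.23.3 versions bumped earlier on this page; if any of those were published, re-releasing 1.23.0 with different contents breaks chart-version immutability, and the revert should bump to a fresh version instead.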
@@ -99,27 +99,16 @@ data: credentials: database: - {{- if .Values.anchoreEnterpriseGlobal.enabled }} - user: ${ANCHORE_DB_USER} - password: ${ANCHORE_DB_PASSWORD} - host: ${ANCHORE_DB_HOST} - port: ${ANCHORE_DB_PORT} - name: ${ANCHORE_DB_NAME} - {{- else }} - db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}/${ANCHORE_DB_NAME}" - {{- end }} - + {{- if not .Values.anchoreGlobal.dbConfig.ssl }} + db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}" + {{- else if eq .Values.anchoreGlobal.dbConfig.sslMode "require" }} + db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}" + {{- else }} + db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName -}}" + {{- end }} db_connect_args: timeout: {{ .Values.anchoreGlobal.dbConfig.timeout }} - {{- if .Values.anchoreGlobal.dbConfig.ssl }} - ssl: true - sslmode: {{ .Values.anchoreGlobal.dbConfig.sslMode -}} - {{- if not (eq .Values.anchoreGlobal.dbConfig.sslMode "require") }} - sslrootcert: /home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName -}} - {{- end }} - {{- else }} ssl: false - {{- end }} db_pool_size: {{ .Values.anchoreGlobal.dbConfig.connectionPoolSize }} db_pool_max_overflow: {{ .Values.anchoreGlobal.dbConfig.connectionPoolMaxOverflow }} {{- with .Values.anchoreGlobal.dbConfig.engineArgs }} diff --git a/stable/anchore-engine/templates/engine_secret.yaml b/stable/anchore-engine/templates/engine_secret.yaml index 95714222..4f16b5dd 100644 --- a/stable/anchore-engine/templates/engine_secret.yaml +++ b/stable/anchore-engine/templates/engine_secret.yaml 
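Review bot: The restored `db_connect` lines in engine_configmap.yaml (and the matching enterprise_configmap.yaml hunk below) interpolate `${ANCHORE_DB_PASSWORD}` unescaped into a URL, which the removed `user`/`password`/`host`/`port`/`name` keys had avoided; a password containing `@`, `/`, `:` or `?` mis-parses as host or path, and `externalEndpoint` once more has to carry the port. The restored SSL branches also encode `sslmode`/`sslrootcert` into the URL while the `db_connect_args` block below them now ends with an unconditional `ssl: false` regardless of `.Values.anchoreGlobal.dbConfig.ssl`; if this revert is kept, a comment such as `# TLS is configured via the db_connect URL, not via db_connect_args` above `ssl: false` would stop readers from taking that flag at face value.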
@@ -18,7 +18,6 @@ stringData: ANCHORE_DB_USER: {{ index .Values "postgresql" "postgresUser" | quote }} ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }} ANCHORE_DB_HOST: "{{ template "db-hostname" . }}" - ANCHORE_DB_PORT: {{ index .Values "postgresql" "postgresPort" | quote }} {{- with .Values.anchoreGlobal.saml.secret }} ANCHORE_SAML_SECRET: {{ . }} {{- end }} diff --git a/stable/anchore-engine/templates/engine_upgrade_job.yaml b/stable/anchore-engine/templates/engine_upgrade_job.yaml index 1c837e23..9b57a838 100644 --- a/stable/anchore-engine/templates/engine_upgrade_job.yaml +++ b/stable/anchore-engine/templates/engine_upgrade_job.yaml @@ -20,8 +20,6 @@ spec: app.kubernetes.io/managed-by: {{ .Release.Service | quote }} app.kubernetes.io/instance: {{ .Release.Name | quote }} helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - app: {{ template "anchore-engine.fullname" . }} - component: anchore-engine-upgrade annotations: {{- with .Values.anchoreGlobal.annotations }} {{ toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/enterprise_configmap.yaml b/stable/anchore-engine/templates/enterprise_configmap.yaml index 401d3383..8454d1f5 100644 --- a/stable/anchore-engine/templates/enterprise_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_configmap.yaml 
@@ -69,23 +69,16 @@ data: credentials: database: - user: ${ANCHORE_DB_USER} - password: ${ANCHORE_DB_PASSWORD} - host: ${ANCHORE_DB_HOST} - port: ${ANCHORE_DB_PORT} - name: ${ANCHORE_DB_NAME} - + {{- if not .Values.anchoreGlobal.dbConfig.ssl }} + db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}" + {{- else if eq .Values.anchoreGlobal.dbConfig.sslMode "require" }} + db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}" + {{- else }} + db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName -}}" + {{- end }} db_connect_args: timeout: {{ .Values.anchoreGlobal.dbConfig.timeout }} - {{- if .Values.anchoreGlobal.dbConfig.ssl }} - ssl: true - sslmode: {{ .Values.anchoreGlobal.dbConfig.sslMode -}} - {{- if not (eq .Values.anchoreGlobal.dbConfig.sslMode "require") }} - sslrootcert: /home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName -}} - {{- end }} - {{- else }} ssl: false - {{- end }} db_pool_size: {{ .Values.anchoreGlobal.dbConfig.connectionPoolSize }} db_pool_max_overflow: {{ .Values.anchoreGlobal.dbConfig.connectionPoolMaxOverflow }} {{- with .Values.anchoreGlobal.dbConfig.engineArgs }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index ba79a097..e1c84d0e 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml 
@@ -78,23 +78,16 @@ data: credentials: database: - user: ${ANCHORE_FEEDS_DB_USER} - password: ${ANCHORE_FEEDS_DB_PASSWORD} - host: ${ANCHORE_FEEDS_DB_HOST} - port: ${ANCHORE_FEEDS_DB_PORT} - name: ${ANCHORE_FEEDS_DB_NAME} - + {{- if not .Values.anchoreEnterpriseFeeds.dbConfig.ssl }} + db_connect: "postgresql://${ANCHORE_FEEDS_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_FEEDS_DB_HOST}/${ANCHORE_FEEDS_DB_NAME}" + {{- else if eq .Values.anchoreEnterpriseFeeds.dbConfig.sslMode "require" }} + db_connect: "postgresql://${ANCHORE_FEEDS_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_FEEDS_DB_HOST}/${ANCHORE_FEEDS_DB_NAME}?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}" + {{- else }} + db_connect: "postgresql://${ANCHORE_FEEDS_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_FEEDS_DB_HOST}/${ANCHORE_FEEDS_DB_NAME}?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }}" + {{- end }} db_connect_args: timeout: {{ .Values.anchoreEnterpriseFeeds.dbConfig.timeout }} - {{- if .Values.anchoreGlobal.dbConfig.ssl }} - ssl: true - sslmode: {{ .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}} - {{- if not (eq .Values.anchoreEnterpriseFeeds.dbConfig.sslMode "require") }} - sslrootcert: /home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName -}} - {{- end }} - {{- else }} ssl: false - {{- end }} db_pool_size: {{ .Values.anchoreEnterpriseFeeds.dbConfig.connectionPoolSize }} db_pool_max_overflow: {{ .Values.anchoreEnterpriseFeeds.dbConfig.connectionPoolMaxOverflow }} {{- with .Values.anchoreEnterpriseFeeds.dbConfig.engineArgs }} 
@@ -163,7 +156,7 @@ data: # To enable gem driver comment the enabled property and uncomment the db_connect property. enabled: {{ .Values.anchoreEnterpriseFeeds.gemDriverEnabled | quote }} {{- if .Values.anchoreEnterpriseFeeds.gemDriverEnabled }} - db_connect: "postgresql://${ANCHORE_GEM_DB_USER}:${ANCHORE_GEM_DB_PASSWORD}@${ANCHORE_GEM_DB_HOST}:${ANCHORE_GEM_DB_PORT}/${ANCHORE_GEM_DB_NAME}" + db_connect: "postgresql://${ANCHORE_GEM_DB_USER}:${ANCHORE_GEM_DB_PASSWORD}@${ANCHORE_GEM_DB_HOST}/${ANCHORE_GEM_DB_NAME}" {{- end }} nvdv2: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled | quote) }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_secret.yaml b/stable/anchore-engine/templates/enterprise_feeds_secret.yaml index 3330fb4c..a52c18f2 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_secret.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_secret.yaml @@ -15,11 +15,10 @@ metadata: {{- end }} type: Opaque stringData: - ANCHORE_FEEDS_DB_NAME: {{ index .Values "anchore-feeds-db" "postgresDatabase" | quote }} + ANCHORE_FEEDS_DB_NAME: {{ index .Values "anchore-feeds-db" "postgresDatabase" | quote }} ANCHORE_FEEDS_DB_USER: {{ index .Values "anchore-feeds-db" "postgresUser" | quote }} ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }} ANCHORE_FEEDS_DB_HOST: "{{ template "feeds-db-hostname" . }}" - ANCHORE_FEEDS_DB_PORT: {{ index .Values "anchore-feeds-db" "postgresPort" | quote }} {{- with .Values.anchoreGlobal.saml.secret }} ANCHORE_SAML_SECRET: {{ . }} {{- end }} 
@@ -33,8 +32,7 @@ stringData: ANCHORE_GEM_DB_NAME: {{ index .Values "anchore-feeds-gem-db" "postgresDatabase" | quote }} ANCHORE_GEM_DB_USER: {{ index .Values "anchore-feeds-gem-db" "postgresUser" | quote }} ANCHORE_GEM_DB_PASSWORD: {{ index .Values "anchore-feeds-gem-db" "postgresPassword" | quote }} - ANCHORE_GEM_DB_HOST: "{{ default (include "postgres.anchore-feeds-gem-db.fullname" .) (index .Values "anchore-feeds-gem-db" "externalEndpoint") }}" - ANCHORE_GEM_DB_PORT: {{ index .Values "anchore-feeds-gem-db" "postgresPort" | quote }} + ANCHORE_GEM_DB_HOST: "{{ default (include "postgres.anchore-feeds-gem-db.fullname" .) (index .Values "anchore-feeds-gem-db" "externalEndpoint") }}:5432" {{- end }} {{- end }} {{- end }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml index 502b69f4..f30a3e52 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml @@ -20,8 +20,6 @@ spec: app.kubernetes.io/managed-by: {{ .Release.Service | quote }} app.kubernetes.io/instance: {{ .Release.Name | quote }} helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - app: {{ template "anchore-engine.fullname" . }} - component: anchore-enterprise-feeds-upgrade annotations: {{- with .Values.anchoreGlobal.annotations }} {{ toYaml . | nindent 8 }} 
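Review bot: `ANCHORE_GEM_DB_HOST` now appends a literal `:5432` to whatever `anchore-feeds-gem-db.externalEndpoint` holds, while the values.yaml hunk in this same commit tells operators to set that key to host and port (`mypostgres.myserver.io:5432`), so following the comment yields `host:5432:5432` and an external gem database on any port becomes unreachable. Mirror what the `db-hostname` helper does for the other databases and append the port only for the in-cluster default: `ANCHORE_GEM_DB_HOST: "{{ default (printf "%s:5432" (include "postgres.anchore-feeds-gem-db.fullname" .)) (index .Values "anchore-feeds-gem-db" "externalEndpoint") }}"`. Alternatively change the values comment for this key to say hostname only, but then the three external-endpoint comments on this page disagree with each other.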
@@ -68,13 +66,13 @@ spec: args: {{- if not .Values.anchoreEnterpriseFeeds.dbConfig.ssl }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; {{- else if eq .Values.anchoreEnterpriseFeeds.dbConfig.sslMode "require" }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode }} upgrade --dontask; {{- else }} - | - {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }} upgrade --dontask; {{- end }} {{- if .Values.cloudsql.enabled }} - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; diff --git a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml index 4b6ee388..af07c70d 100644 --- a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml @@ -20,8 +20,6 @@ spec: app.kubernetes.io/managed-by: {{ .Release.Service | quote }} app.kubernetes.io/instance: {{ .Release.Name | quote }} helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - app: {{ template "anchore-engine.fullname" . }} - component: anchore-enterprise-upgrade annotations: {{- with .Values.anchoreGlobal.annotations }} {{ toYaml . | nindent 8 }} 
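Review bot: Besides moving the port out of the DSN, every restored `args` line in this hunk drops the trailing `anchore-enterprise-manager db ... pre-upgrade-check;` invocation, so the revert also removes the compatibility check the feeds upgrade job used to run, and nothing visible in this chunk explains that as intended. If the check is meant to go, say so in the commit description; otherwise keep `... upgrade --dontask; anchore-enterprise-manager db --db-connect ... pre-upgrade-check;` on the new side of each branch. The `--db-connect` argument still carries `${ANCHORE_FEEDS_DB_PASSWORD}` in the manager's argv, readable via `/proc/<pid>/cmdline` by anything else running in the job pod; passing the DSN through an environment variable or mounted file, if the manager supports it, would avoid that.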
@@ -68,13 +66,13 @@ spec: args: {{- if not .Values.anchoreGlobal.dbConfig.ssl }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}" upgrade --dontask; {{- else if eq .Values.anchoreGlobal.dbConfig.sslMode "require" }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; {{- else }} - | - {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; {{- end }} {{- if .Values.cloudsql.enabled }} - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index a17c3b1d..e4c72570 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml 
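Review bot: As in the feeds job, the restored `args` lines drop the `pre-upgrade-check` call from all three TLS branches, which is a behavioural change beyond the port/DSN revert and should be called out or kept as `... upgrade --dontask; anchore-enterprise-manager db --db-connect ... pre-upgrade-check;`. The DSN with `${ANCHORE_DB_PASSWORD}` is also passed on the command line, so the database password is exposed in the job pod's process list (`/proc/<pid>/cmdline`) for the lifetime of the job; if the manager cannot read the DSN from an environment variable or file, add `# NOTE: the DB password is passed in argv of this job; restrict exec/debug access to its pod` above the `args:` block so operators know to lock it down.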
@@ -4,15 +4,14 @@ fullnameOverride: Null # Anchore has a dependency on Postgresql, configure here postgresql: # To use an external DB or Google CloudSQL in GKE, uncomment & set 'enabled: false' - # externalEndpoint, postgresUser, postgresPassword, postgresDatabase, & postgresPort are required values for external postgres + # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres # enabled: false # If enabled=false specify an external (already existing) postgres deployment for use. - # Set to the hostname eg. mypostgres.myserver.io + # Set to the host and port. eg. mypostgres.myserver.io:5432 externalEndpoint: Null postgresUser: anchoreengine postgresPassword: anchore-postgres,123 postgresDatabase: anchore - postgresPort: 5432 # Configure size of the persistent volume used with helm managed chart. # This should be commented out if using an external endpoint. @@ -146,8 +145,7 @@ anchoreGlobal: # does `source {{ filePath }}` before starting services doSourceAtEntry: enabled: false - filePaths: - - "/vault/secrets/config" + filePath: "/vault/secrets/config" extraVolumes: [] # - name: config @@ -738,7 +736,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.6.0 + image: docker.io/anchore/enterprise:v4.5.0 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. 
@@ -749,15 +747,14 @@ anchoreEnterpriseGlobal: # Only utilized if anchoreEnterpriseGlobal.enabled: true anchore-feeds-db: # To use an external DB or Google CloudSQL, uncomment & set 'enabled: false' - # externalEndpoint, postgresUser, postgresPassword, postgresDatabase, & postgresPort are required values for external postgres + # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres # enabled: false # if enabled=false specify an external (already existing) postgres deployment for use. - # Set to the hostname eg. mypostgres.myserver.io + # Set to the host and port. eg. mypostgres.myserver.io:5432 externalEndpoint: Null postgresUser: anchoreengine postgresPassword: anchore-postgres,123 postgresDatabase: anchore-feeds - postgresPort: 5432 # Configure size of the persistent volume used with helm managed chart. # This should be commented out if using an external endpoint. @@ -787,15 +784,14 @@ anchore-feeds-db: # Database is used for temporarily loading the Ruby gem vulnerability data by the Enterprise Feeds service. anchore-feeds-gem-db: # To use an external DB uncomment & set 'enabled: false' - # externalEndpoint, postgresUser, postgresPassword, postgresDatabase, & postgresPort are required values for external postgres + # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres # enabled: false # If enabled=false specify an external (already existing) postgres deployment for use. - # Set to the hostname eg. mypostgres.myserver.io + # Set to the host and port. eg. mypostgres.myserver.io:5432 externalEndpoint: Null postgresUser: postgres postgresPassword: anchore-postgres,123 postgresDatabase: gems - postgresPort: 5432 persistence: enabled: false 
@@ -1098,7 +1094,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v4.6.0 + image: docker.io/anchore/enterprise-ui:v4.5.0 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers. From 2d16e1e9d0171900e247a41d4a13dcdfdf202870 Mon Sep 17 00:00:00 2001 From: svietry Date: Sun, 2 Apr 2023 09:30:00 -0400 Subject: [PATCH 104/329] Revert "Revert "Update to Enterprise v4.6.0"" Signed-off-by: Shari Vietry --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/README.md | 32 +++++++++++++++++ stable/anchore-engine/templates/NOTES.txt | 35 ++++++++++++++++--- stable/anchore-engine/templates/_helpers.tpl | 17 +++++---- .../templates/engine_configmap.yaml | 25 +++++++++---- .../templates/engine_secret.yaml | 1 + .../templates/engine_upgrade_job.yaml | 2 ++ .../templates/enterprise_configmap.yaml | 21 +++++++---- .../templates/enterprise_feeds_configmap.yaml | 23 +++++++----- .../templates/enterprise_feeds_secret.yaml | 6 ++-- .../enterprise_feeds_upgrade_job.yaml | 8 +++-- .../templates/enterprise_upgrade_job.yaml | 8 +++-- stable/anchore-engine/values.yaml | 22 +++++++----- 13 files changed, 151 insertions(+), 51 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 7e4cd025..cec07709 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.23.0 +version: 1.24.0 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 1dd2ce5e..08630ebd 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md 
@@ -181,6 +181,38 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. +## Chart version 1.24.0 + +* Anchore Enterprise image updated to v4.6.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/460/) + +* `.Values.anchoreGlobal.doSourceAtEntry.filePath` has been changed to `.Values.anchoreGlobal.doSourceAtEntry.filePaths` which accepts a list of file paths. This allows for multiple files to be sourced prior to starting the Anchore services instead of a single file. + * Remove `.Values.anchoreGlobal.doSourceAtEntry.filePath` and add the following to your values file: + + ```yaml + anchoreGlobal: + doSourceAtEntry: + filePaths: + - /path/to/file1 + - /path/to/file2 + ``` + +* Updated the configuration for Anchore Enterprise database connections. This will ensure that special characters are handled properly in database passwords. Also allows configuring the db hostname and port separately. + + * If your postgresql connection is using a non-standard port, you will need to update your values file to include the hostname and port. For example: + + ```yaml + postgresql: + externalEndpoint: + postgresPort: + ``` + + * If you're using external secrets and an non-standard port, you will need to update your secrets to include the hostname and port. + + ```yaml + ANCHORE_DB_HOST: + ANCHORE_DB_PORT: + ``` + ## Chart version 1.23.0 * Anchore Enterprise image updated to v4.5.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/450/) 
diff --git a/stable/anchore-engine/templates/NOTES.txt b/stable/anchore-engine/templates/NOTES.txt
index 8bc0a214..8438e118 100644
--- a/stable/anchore-engine/templates/NOTES.txt
+++ b/stable/anchore-engine/templates/NOTES.txt
@@ -1,26 +1,51 @@ -To use Anchore you need the URL, username, and password to access the API and/or the UI. +To use Anchore you need the URL, username, and password to access the API and/or the UI. Anchore can be accessed via port {{ .Values.anchoreApi.service.port }} on the following DNS name from within the cluster: -{{ template "anchore-engine.api.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local + + {{ template "anchore-engine.api.serviceName" . }}.{{ .Release.Namespace }}.svc.cluster.local * NOTE: On first startup of Anchore, the policy-engine performs a CVE data sync which may take several minutes to complete. During this time the system status will report 'partially_down' and any images added for analysis will stay in the 'not_analyzed' state. Once the sync is complete, any queued images will be analyzed and the system status will change to 'all_up'. -Initial setup time can be >120sec for postgresql setup and readiness checks to pass for the services as indicated by pod state. You can check with: +Initial setup time can be >120sec for postgresql setup and readiness checks to pass for the services as indicated by pod state. +You can check with: + kubectl get pods -l app={{ template "anchore-engine.fullname" .}},component=api -{{ if and .Release.IsUpgrade (regexMatch "1.22.[0-9]+" .Chart.Version) }} +{{- if and .Release.IsUpgrade (regexMatch "1.22.[0-9]+" .Chart.Version) }} {{- $apiDeployment := (lookup "apps/v1" "Deployment" .Release.Namespace (include "anchore-engine.api.fullname" .)) }} {{- if not $apiDeployment }} + **WARNING** Anchore Enterprise v4.4.x only supports upgrades from Enterprise v4.2.0 and higher. See release notes for more information - https://docs.anchore.com/current/docs/releasenotes/440/ {{- end }} {{- end }} -{{ if not .Values.anchoreEnterpriseGlobal.enabled }} +{{- if not .Values.anchoreEnterpriseGlobal.enabled }} + **WARNING** As of January 2023, Anchore Engine is no longer maintained. 
There will be no future versions released. Users are advised to use Syft and Grype. +{{- end }} + +{{- if and .Release.IsUpgrade .Values.anchoreGlobal.useExistingSecrets (regexMatch "1.24.[0-9]+" .Chart.Version) }} + +**WARNING** +Please update your existing secrets to use separate environment variables for the database hostname and port. +Add the following variables to your secrets: +  + ANCHORE_DB_HOST: + ANCHORE_DB_PORT: +{{- end }} + +{{- if and .Release.IsUpgrade .Values.anchoreEnterpriseGlobal.enabled }} + +**WARNING** +The upcoming 5.0 release of Anchore Enterprise will require Postgresql version 13.0 or higher. +To verify that your Postgresql version is compatible with Anchore Enterprise v5.0 view the log output of the upgrade jobs: + + kubectl logs -l component=anchore-enterprise-upgrade | grep WARN + kubectl logs -l component=anchore-enterprise-feeds-upgrade | grep WARN {{- end }} \ No newline at end of file diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index 9e70e893..a194475b 100755 --- a/stable/anchore-engine/templates/_helpers.tpl +++ b/stable/anchore-engine/templates/_helpers.tpl @@ -404,10 +404,10 @@ Create feeds database hostname string from supplied values file. Used for settin {{- if and (index .Values "anchore-feeds-db" "externalEndpoint") (not (index .Values "anchore-feeds-db" "enabled")) }} {{- print ( index .Values "anchore-feeds-db" "externalEndpoint" ) }} {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "anchore-feeds-db" "enabled")) }} - {{- print "localhost:5432" }} + {{- print "localhost" }} {{- else }} {{- $db_host := include "postgres.anchore-feeds-db.fullname" . }} - {{- printf "%s:5432" $db_host -}} + {{- print $db_host -}} {{- end }} {{- end }} 
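Review bot: The new 5.0 warning tells the operator to run `kubectl logs -l component=anchore-enterprise-upgrade | grep WARN` after the upgrade, but the README context on this page states that the upgrade job resources are removed upon a successful Helm upgrade, so by the time NOTES is printed those pods are likely gone and the command returns nothing. Either state where that output is retained or reword to `Check the upgrade job logs while the job is running (the jobs are removed once the upgrade succeeds)`. The selector also omits the `app=` label used by the `kubectl get pods` example earlier in the same file; `-l app={{ template "anchore-engine.fullname" . }},component=anchore-enterprise-upgrade` would avoid matching unrelated releases in the namespace.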
@@ -418,10 +418,10 @@ Create database hostname string from supplied values file. Used for setting the {{- if and (index .Values "postgresql" "externalEndpoint") (not (index .Values "postgresql" "enabled")) }} {{- print ( index .Values "postgresql" "externalEndpoint" ) }} {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "postgresql" "enabled")) }} - {{- print "localhost:5432" }} + {{- print "localhost" }} {{- else }} {{- $db_host := include "postgres.fullname" . }} - {{- printf "%s:5432" $db_host -}} + {{- print $db_host -}} {{- end }} {{- end }} @@ -430,7 +430,12 @@ Allows sourcing of a specified file in the entrypoint of all containers when .Va */}} {{- define "doSourceFile" }} {{- if .Values.anchoreGlobal.doSourceAtEntry.enabled }} - {{- printf "source %v;" .Values.anchoreGlobal.doSourceAtEntry.filePath }} + {{- if .Values.anchoreGlobal.doSourceAtEntry.filePath }} + {{- fail "As of chart v1.23.1 `.Values.anchoreGlobal.doSourceAtEntry.filePath` is no longer valid. Update your values file to set `.Values.anchoreGlobal.doSourceAtEntry.filePaths` which accepts a list of strings." }} + {{- end }} + {{- range $index, $file := .Values.anchoreGlobal.doSourceAtEntry.filePaths }} + {{- printf "if [ -f %v ];then source %v;fi;" $file $file }} + {{- end }} {{- end }} {{- end }} @@ -465,4 +470,4 @@ upgrading from Enterprise 4.2.0 or higher and error out if they're upgrading fro {{- end }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index adae02c1..77a56869 100644 --- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml 
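Review bot: The `fail` message in the restored `doSourceFile` helper says `filePath` stopped being valid "As of chart v1.23.1", but this commit bumps the chart from 1.23.0 to 1.24.0 and the README hunk documents the `filePaths` change under "Chart version 1.24.0", so the message sends operators to the wrong release note; change it to `As of chart v1.24.0 ...`. The emitted shell also leaves each path unquoted in `if [ -f %v ];then source %v;fi;`, so a path with whitespace splits into several words; `printf "if [ -f '%s' ]; then source '%s'; fi;" $file $file` preserves behaviour for ordinary paths and is safe for the rest. The `define` begins and ends inside the hunk.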
@@ -99,16 +99,27 @@ data: credentials: database: - {{- if not .Values.anchoreGlobal.dbConfig.ssl }} - db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}" - {{- else if eq .Values.anchoreGlobal.dbConfig.sslMode "require" }} - db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}" - {{- else }} - db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName -}}" - {{- end }} + {{- if .Values.anchoreEnterpriseGlobal.enabled }} + user: ${ANCHORE_DB_USER} + password: ${ANCHORE_DB_PASSWORD} + host: ${ANCHORE_DB_HOST} + port: ${ANCHORE_DB_PORT} + name: ${ANCHORE_DB_NAME} + {{- else }} + db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}/${ANCHORE_DB_NAME}" + {{- end }} + db_connect_args: timeout: {{ .Values.anchoreGlobal.dbConfig.timeout }} + {{- if .Values.anchoreGlobal.dbConfig.ssl }} + ssl: true + sslmode: {{ .Values.anchoreGlobal.dbConfig.sslMode -}} + {{- if not (eq .Values.anchoreGlobal.dbConfig.sslMode "require") }} + sslrootcert: /home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName -}} + {{- end }} + {{- else }} ssl: false + {{- end }} db_pool_size: {{ .Values.anchoreGlobal.dbConfig.connectionPoolSize }} db_pool_max_overflow: {{ .Values.anchoreGlobal.dbConfig.connectionPoolMaxOverflow }} {{- with .Values.anchoreGlobal.dbConfig.engineArgs }} diff --git a/stable/anchore-engine/templates/engine_secret.yaml b/stable/anchore-engine/templates/engine_secret.yaml index 4f16b5dd..95714222 100644 --- a/stable/anchore-engine/templates/engine_secret.yaml +++ b/stable/anchore-engine/templates/engine_secret.yaml 
@@ -18,6 +18,7 @@ stringData: ANCHORE_DB_USER: {{ index .Values "postgresql" "postgresUser" | quote }} ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }} ANCHORE_DB_HOST: "{{ template "db-hostname" . }}" + ANCHORE_DB_PORT: {{ index .Values "postgresql" "postgresPort" | quote }} {{- with .Values.anchoreGlobal.saml.secret }} ANCHORE_SAML_SECRET: {{ . }} {{- end }} diff --git a/stable/anchore-engine/templates/engine_upgrade_job.yaml b/stable/anchore-engine/templates/engine_upgrade_job.yaml index 9b57a838..1c837e23 100644 --- a/stable/anchore-engine/templates/engine_upgrade_job.yaml +++ b/stable/anchore-engine/templates/engine_upgrade_job.yaml @@ -20,6 +20,8 @@ spec: app.kubernetes.io/managed-by: {{ .Release.Service | quote }} app.kubernetes.io/instance: {{ .Release.Name | quote }} helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + app: {{ template "anchore-engine.fullname" . }} + component: anchore-engine-upgrade annotations: {{- with .Values.anchoreGlobal.annotations }} {{ toYaml . | nindent 8 }} diff --git a/stable/anchore-engine/templates/enterprise_configmap.yaml b/stable/anchore-engine/templates/enterprise_configmap.yaml index 8454d1f5..401d3383 100644 --- a/stable/anchore-engine/templates/enterprise_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_configmap.yaml 
@@ -69,16 +69,23 @@ data: credentials: database: - {{- if not .Values.anchoreGlobal.dbConfig.ssl }} - db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}" - {{- else if eq .Values.anchoreGlobal.dbConfig.sslMode "require" }} - db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}" - {{- else }} - db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName -}}" - {{- end }} + user: ${ANCHORE_DB_USER} + password: ${ANCHORE_DB_PASSWORD} + host: ${ANCHORE_DB_HOST} + port: ${ANCHORE_DB_PORT} + name: ${ANCHORE_DB_NAME} + db_connect_args: timeout: {{ .Values.anchoreGlobal.dbConfig.timeout }} + {{- if .Values.anchoreGlobal.dbConfig.ssl }} + ssl: true + sslmode: {{ .Values.anchoreGlobal.dbConfig.sslMode -}} + {{- if not (eq .Values.anchoreGlobal.dbConfig.sslMode "require") }} + sslrootcert: /home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName -}} + {{- end }} + {{- else }} ssl: false + {{- end }} db_pool_size: {{ .Values.anchoreGlobal.dbConfig.connectionPoolSize }} db_pool_max_overflow: {{ .Values.anchoreGlobal.dbConfig.connectionPoolMaxOverflow }} {{- with .Values.anchoreGlobal.dbConfig.engineArgs }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index e1c84d0e..ba79a097 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml 
@@ -78,16 +78,23 @@ data: credentials: database: - {{- if not .Values.anchoreEnterpriseFeeds.dbConfig.ssl }} - db_connect: "postgresql://${ANCHORE_FEEDS_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_FEEDS_DB_HOST}/${ANCHORE_FEEDS_DB_NAME}" - {{- else if eq .Values.anchoreEnterpriseFeeds.dbConfig.sslMode "require" }} - db_connect: "postgresql://${ANCHORE_FEEDS_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_FEEDS_DB_HOST}/${ANCHORE_FEEDS_DB_NAME}?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}" - {{- else }} - db_connect: "postgresql://${ANCHORE_FEEDS_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_FEEDS_DB_HOST}/${ANCHORE_FEEDS_DB_NAME}?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }}" - {{- end }} + user: ${ANCHORE_FEEDS_DB_USER} + password: ${ANCHORE_FEEDS_DB_PASSWORD} + host: ${ANCHORE_FEEDS_DB_HOST} + port: ${ANCHORE_FEEDS_DB_PORT} + name: ${ANCHORE_FEEDS_DB_NAME} + db_connect_args: timeout: {{ .Values.anchoreEnterpriseFeeds.dbConfig.timeout }} + {{- if .Values.anchoreGlobal.dbConfig.ssl }} + ssl: true + sslmode: {{ .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}} + {{- if not (eq .Values.anchoreEnterpriseFeeds.dbConfig.sslMode "require") }} + sslrootcert: /home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName -}} + {{- end }} + {{- else }} ssl: false + {{- end }} db_pool_size: {{ .Values.anchoreEnterpriseFeeds.dbConfig.connectionPoolSize }} db_pool_max_overflow: {{ .Values.anchoreEnterpriseFeeds.dbConfig.connectionPoolMaxOverflow }} {{- with .Values.anchoreEnterpriseFeeds.dbConfig.engineArgs }} 
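Review bot: The new SSL block in the feeds configmap is gated on the engine database's toggle, `{{- if .Values.anchoreGlobal.dbConfig.ssl }}`, while the `sslmode` and `sslrootcert` values inside it read `.Values.anchoreEnterpriseFeeds.dbConfig`; the condition should be `{{- if .Values.anchoreEnterpriseFeeds.dbConfig.ssl }}`. As written, a deployment that enables TLS only for the feeds database renders `ssl: false` for it, and one that enables TLS only for the engine database renders a feeds `sslmode` from values that may never have been set. The same mix-up appears in the enterprise_feeds_upgrade_job.yaml hunk at `@@ -66,13 +68,13 @@`, where the rewritten `require` and `else` branches replaced `.Values.anchoreEnterpriseFeeds.dbConfig.sslMode` and `.sslRootCertName` with the `anchoreGlobal` equivalents that the removed lines did not use; restoring the feeds values there keeps the `--db-connect` URL consistent with the branch condition it sits under. Whether the feeds service honours the rendered `ssl`/`sslmode` keys is not visible here, but a toggle and its parameters reading from two different value trees is wrong either way.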
@@ -156,7 +163,7 @@ data: # To enable gem driver comment the enabled property and uncomment the db_connect property. enabled: {{ .Values.anchoreEnterpriseFeeds.gemDriverEnabled | quote }} {{- if .Values.anchoreEnterpriseFeeds.gemDriverEnabled }} - db_connect: "postgresql://${ANCHORE_GEM_DB_USER}:${ANCHORE_GEM_DB_PASSWORD}@${ANCHORE_GEM_DB_HOST}/${ANCHORE_GEM_DB_NAME}" + db_connect: "postgresql://${ANCHORE_GEM_DB_USER}:${ANCHORE_GEM_DB_PASSWORD}@${ANCHORE_GEM_DB_HOST}:${ANCHORE_GEM_DB_PORT}/${ANCHORE_GEM_DB_NAME}" {{- end }} nvdv2: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled | quote) }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_secret.yaml b/stable/anchore-engine/templates/enterprise_feeds_secret.yaml index a52c18f2..3330fb4c 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_secret.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_secret.yaml @@ -15,10 +15,11 @@ metadata: {{- end }} type: Opaque stringData: - ANCHORE_FEEDS_DB_NAME: {{ index .Values "anchore-feeds-db" "postgresDatabase" | quote }} + ANCHORE_FEEDS_DB_NAME: {{ index .Values "anchore-feeds-db" "postgresDatabase" | quote }} ANCHORE_FEEDS_DB_USER: {{ index .Values "anchore-feeds-db" "postgresUser" | quote }} ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }} ANCHORE_FEEDS_DB_HOST: "{{ template "feeds-db-hostname" . }}" + ANCHORE_FEEDS_DB_PORT: {{ index .Values "anchore-feeds-db" "postgresPort" | quote }} {{- with .Values.anchoreGlobal.saml.secret }} ANCHORE_SAML_SECRET: {{ . }} {{- end }} 
@@ -32,7 +33,8 @@ stringData: ANCHORE_GEM_DB_NAME: {{ index .Values "anchore-feeds-gem-db" "postgresDatabase" | quote }} ANCHORE_GEM_DB_USER: {{ index .Values "anchore-feeds-gem-db" "postgresUser" | quote }} ANCHORE_GEM_DB_PASSWORD: {{ index .Values "anchore-feeds-gem-db" "postgresPassword" | quote }} - ANCHORE_GEM_DB_HOST: "{{ default (include "postgres.anchore-feeds-gem-db.fullname" .) (index .Values "anchore-feeds-gem-db" "externalEndpoint") }}:5432" + ANCHORE_GEM_DB_HOST: "{{ default (include "postgres.anchore-feeds-gem-db.fullname" .) (index .Values "anchore-feeds-gem-db" "externalEndpoint") }}" + ANCHORE_GEM_DB_PORT: {{ index .Values "anchore-feeds-gem-db" "postgresPort" | quote }} {{- end }} {{- end }} {{- end }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml index f30a3e52..502b69f4 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml @@ -20,6 +20,8 @@ spec: app.kubernetes.io/managed-by: {{ .Release.Service | quote }} app.kubernetes.io/instance: {{ .Release.Name | quote }} helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + app: {{ template "anchore-engine.fullname" . }} + component: anchore-enterprise-feeds-upgrade annotations: {{- with .Values.anchoreGlobal.annotations }} {{ toYaml . | nindent 8 }} 
@@ -66,13 +68,13 @@ spec: args: {{- if not .Values.anchoreEnterpriseFeeds.dbConfig.ssl }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" pre-upgrade-check; {{- else if eq .Values.anchoreEnterpriseFeeds.dbConfig.sslMode "require" }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; {{- else }} - | - {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; {{- end }} {{- if .Values.cloudsql.enabled }} - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; diff --git a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml index af07c70d..4b6ee388 100644 --- a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml @@ -20,6 +20,8 @@ spec: app.kubernetes.io/managed-by: {{ .Release.Service | quote }} app.kubernetes.io/instance: {{ .Release.Name | quote }} helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + app: {{ template "anchore-engine.fullname" . }} + component: anchore-enterprise-upgrade annotations: {{- with .Values.anchoreGlobal.annotations }} {{ toYaml . | nindent 8 }} 
@@ -66,13 +68,13 @@ spec: args: {{- if not .Values.anchoreGlobal.dbConfig.ssl }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}" upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" pre-upgrade-check; {{- else if eq .Values.anchoreGlobal.dbConfig.sslMode "require" }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; {{- else }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; + {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; {{- end }} {{- if .Values.cloudsql.enabled }} - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index e4c72570..a17c3b1d 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -4,14 +4,15 @@ fullnameOverride: Null # Anchore has a dependency on Postgresql, configure here postgresql: # To use an external DB or Google CloudSQL in GKE, uncomment & set 'enabled: false' - # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres + # externalEndpoint, postgresUser, postgresPassword, postgresDatabase, & postgresPort are required values for external postgres # enabled: false # If enabled=false specify an external (already existing) postgres deployment for use. - # Set to the host and port. eg. mypostgres.myserver.io:5432 + # Set to the hostname eg. mypostgres.myserver.io externalEndpoint: Null postgresUser: anchoreengine postgresPassword: anchore-postgres,123 postgresDatabase: anchore + postgresPort: 5432 # Configure size of the persistent volume used with helm managed chart. # This should be commented out if using an external endpoint. 
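Review bot: The `externalEndpoint` comment changes from "host and port" to "hostname" without any migration note, yet the templates in this commit now append the port themselves (`${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}` in the upgrade jobs, separate `host:`/`port:` keys in the configmaps, and the gem-db secret drops its hard-coded `:5432`). An existing values file that followed the old guidance, `externalEndpoint: mypostgres.myserver.io:5432`, would therefore render `mypostgres.myserver.io:5432:5432` in the connection URL, assuming the `db-hostname` helper passes the value through the way the gem-db line does. Add a line to the comment such as `# Changed: the port is no longer part of externalEndpoint; set postgresPort instead, and strip ":<port>" from existing values` and consider a `fail` in the templates when the endpoint contains a colon. The same comment change is made for `anchore-feeds-db` in the `@@ -747,14 +749,15 @@` hunk and for `anchore-feeds-gem-db` in the `@@ -784,14 +787,15 @@` hunk.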
@@ -145,7 +146,8 @@ anchoreGlobal: # does `source {{ filePath }}` before starting services doSourceAtEntry: enabled: false - filePath: "/vault/secrets/config" + filePaths: + - "/vault/secrets/config" extraVolumes: [] # - name: config @@ -736,7 +738,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.5.0 + image: docker.io/anchore/enterprise:v4.6.0 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. @@ -747,14 +749,15 @@ anchoreEnterpriseGlobal: # Only utilized if anchoreEnterpriseGlobal.enabled: true anchore-feeds-db: # To use an external DB or Google CloudSQL, uncomment & set 'enabled: false' - # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres + # externalEndpoint, postgresUser, postgresPassword, postgresDatabase, & postgresPort are required values for external postgres # enabled: false # if enabled=false specify an external (already existing) postgres deployment for use. - # Set to the host and port. eg. mypostgres.myserver.io:5432 + # Set to the hostname eg. mypostgres.myserver.io externalEndpoint: Null postgresUser: anchoreengine postgresPassword: anchore-postgres,123 postgresDatabase: anchore-feeds + postgresPort: 5432 # Configure size of the persistent volume used with helm managed chart. # This should be commented out if using an external endpoint. 
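Review bot: Renaming `filePath` to the list `filePaths` is a values-schema break that Helm will not report: a values file still setting `anchoreGlobal.doSourceAtEntry.filePath` is accepted and simply stops sourcing anything, because that key is no longer read. The `doSourceFile` helper that consumes it is outside this view, so I cannot tell whether it keeps a fallback to the old key; if it does not, either honour `filePath` as a single-entry fallback or `fail` the render when it is set, and record the rename in the chart's upgrade notes. The unchanged context comment above the key, `# does \`source {{ filePath }}\` before starting services`, now names the old key and should become `# does \`source <file>\` for each entry of filePaths before starting services`.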
@@ -784,14 +787,15 @@ anchore-feeds-db: # Database is used for temporarily loading the Ruby gem vulnerability data by the Enterprise Feeds service. anchore-feeds-gem-db: # To use an external DB uncomment & set 'enabled: false' - # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres + # externalEndpoint, postgresUser, postgresPassword, postgresDatabase, & postgresPort are required values for external postgres # enabled: false # If enabled=false specify an external (already existing) postgres deployment for use. - # Set to the host and port. eg. mypostgres.myserver.io:5432 + # Set to the hostname eg. mypostgres.myserver.io externalEndpoint: Null postgresUser: postgres postgresPassword: anchore-postgres,123 postgresDatabase: gems + postgresPort: 5432 persistence: enabled: false @@ -1094,7 +1098,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v4.5.0 + image: docker.io/anchore/enterprise-ui:v4.6.0 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers. From a7de75463931306a7cf2e6fc82df6b31eecf51a3 Mon Sep 17 00:00:00 2001 From: "Christopher Adams (chrisad2)" Date: Tue, 4 Apr 2023 07:12:12 -0500 Subject: [PATCH 105/329] Add container securityContext 
Signed-off-by: Christopher Adams (chrisad2) --- .../templates/analyzer_deployment.yaml | 8 ++++++++ .../anchore-engine/templates/api_deployment.yaml | 16 ++++++++++++++++ .../templates/catalog_deployment.yaml | 8 ++++++++ .../templates/engine_upgrade_job.yaml | 12 ++++++++++++ .../templates/enterprise_feeds_deployment.yaml | 8 ++++++++ .../templates/enterprise_feeds_upgrade_job.yaml | 12 ++++++++++++ .../enterprise_notifications_deployment.yaml | 12 ++++++++++++ .../enterprise_rbac_manager_deployment.yaml | 12 ++++++++++++ .../templates/enterprise_reports_deployment.yaml | 8 ++++++++ .../templates/enterprise_ui_deployment.yaml | 8 ++++++++ .../templates/enterprise_upgrade_job.yaml | 12 ++++++++++++ .../templates/policy_engine_deployment.yaml | 8 ++++++++ .../templates/simplequeue_deployment.yaml | 8 ++++++++ stable/anchore-engine/values.yaml | 3 +++ 14 files changed, 135 insertions(+) diff --git a/stable/anchore-engine/templates/analyzer_deployment.yaml b/stable/anchore-engine/templates/analyzer_deployment.yaml index ec3ce1eb..e2a2b00e 100644 --- a/stable/anchore-engine/templates/analyzer_deployment.yaml +++ b/stable/anchore-engine/templates/analyzer_deployment.yaml @@ -89,6 +89,10 @@ spec: - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/cloud_sql_proxy"] args: {{- if .Values.cloudsql.extraArgs }} @@ -113,6 +117,10 @@ spec: image: {{ .Values.anchoreGlobal.image }} imagePullPolicy: {{ .Values.anchoreGlobal.imagePullPolicy }} {{- end }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/bin/sh", "-c"] {{- if .Values.anchoreEnterpriseGlobal.enabled }} args: 
diff --git a/stable/anchore-engine/templates/api_deployment.yaml b/stable/anchore-engine/templates/api_deployment.yaml index 903da784..0aaa28b8 100644 --- a/stable/anchore-engine/templates/api_deployment.yaml +++ b/stable/anchore-engine/templates/api_deployment.yaml @@ -77,6 +77,10 @@ spec: - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/cloud_sql_proxy"] args: {{- if .Values.cloudsql.extraArgs }} @@ -101,6 +105,10 @@ spec: image: {{ .Values.anchoreGlobal.image }} imagePullPolicy: {{ .Values.anchoreGlobal.imagePullPolicy }} {{- end }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/bin/sh", "-c"] {{- if .Values.anchoreEnterpriseGlobal.enabled }} args: @@ -203,6 +211,10 @@ spec: - name: {{ .Chart.Name }}-rbac-authorizer image: {{ .Values.anchoreEnterpriseGlobal.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/bin/sh", "-c"] args: - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_authorizer @@ -284,6 +296,10 @@ spec: - name: "{{ .Chart.Name }}-reports-api" image: {{ .Values.anchoreEnterpriseGlobal.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/bin/sh", "-c"] args: - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade reports 
diff --git a/stable/anchore-engine/templates/catalog_deployment.yaml b/stable/anchore-engine/templates/catalog_deployment.yaml index 6cb7db07..dd45cd57 100644 --- a/stable/anchore-engine/templates/catalog_deployment.yaml +++ b/stable/anchore-engine/templates/catalog_deployment.yaml @@ -91,6 +91,10 @@ spec: - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/cloud_sql_proxy"] args: {{- if .Values.cloudsql.extraArgs }} @@ -115,6 +119,10 @@ spec: image: {{ .Values.anchoreGlobal.image }} imagePullPolicy: {{ .Values.anchoreGlobal.imagePullPolicy }} {{- end }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/bin/sh", "-c"] {{- if .Values.anchoreEnterpriseGlobal.enabled }} args: diff --git a/stable/anchore-engine/templates/engine_upgrade_job.yaml b/stable/anchore-engine/templates/engine_upgrade_job.yaml index 1c837e23..d1bfb4a0 100644 --- a/stable/anchore-engine/templates/engine_upgrade_job.yaml +++ b/stable/anchore-engine/templates/engine_upgrade_job.yaml @@ -52,6 +52,10 @@ spec: - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/cloud_sql_proxy"] args: {{- if .Values.cloudsql.extraArgs }} 
@@ -91,9 +95,17 @@ spec: {{- if .Values.cloudsql.enabled }} - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; securityContext: + {{- with .Values.anchoreGlobal.containerSecurityContext }} + {{ toYaml . | nindent 10 }} + {{- end }} capabilities: add: - SYS_PTRACE + {{- else }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml index 5b919888..3029324b 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml @@ -82,6 +82,10 @@ spec: - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/cloud_sql_proxy"] args: {{- if .Values.cloudsql.extraArgs }} @@ -101,6 +105,10 @@ spec: - name: "{{ .Chart.Name }}-{{ $component }}" image: {{ .Values.anchoreEnterpriseGlobal.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/bin/sh", "-c"] args: - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade feeds diff --git a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml index 502b69f4..46903c5b 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml 
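Review bot: In the `cloudsql.enabled` branch the upgrade container splices the user's `containerSecurityContext` under `securityContext:` and then appends a literal `capabilities:` mapping, so a values file that already sets `capabilities` (the usual hardening is `drop: ["ALL"]`) renders two `capabilities` keys in one mapping; depending on the YAML loader that is a duplicate-key error or a silent last-wins in which the user's drop list is discarded and only `add: [SYS_PTRACE]` survives. Merging in the template avoids that, e.g. `{{- $sc := mergeOverwrite (deepCopy .Values.anchoreGlobal.containerSecurityContext) (dict "capabilities" (dict "add" (list "SYS_PTRACE"))) }}` followed by `securityContext: {{- toYaml $sc | nindent 10 }}` in place of the `with`/`capabilities` pair, which assumes the value is a map as the `{}` default suggests and still replaces rather than extends a user-supplied `add` list. The same pattern is in the enterprise_feeds_upgrade_job.yaml and enterprise_upgrade_job.yaml hunks at `@@ -79,9 +83,17 @@`. The enclosing container definition starts above this hunk.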
@@ -45,6 +45,10 @@ spec: - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/cloud_sql_proxy"] args: {{- if .Values.cloudsql.extraArgs }} @@ -79,9 +83,17 @@ spec: {{- if .Values.cloudsql.enabled }} - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; securityContext: + {{- with .Values.anchoreGlobal.containerSecurityContext }} + {{ toYaml . | nindent 10 }} + {{- end }} capabilities: add: - SYS_PTRACE + {{- else }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} diff --git a/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml b/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml index e2aa4db4..975248a8 100644 --- a/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml @@ -68,6 +68,10 @@ spec: - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/cloud_sql_proxy"] args: {{- if .Values.cloudsql.extraArgs }} 
@@ -87,6 +91,10 @@ spec: - name: "{{ .Chart.Name }}-{{ $component }}" image: {{ .Values.anchoreEnterpriseGlobal.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/bin/sh", "-c"] args: - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade notifications @@ -168,6 +176,10 @@ spec: - name: {{ .Chart.Name }}-rbac-authorizer image: {{ .Values.anchoreEnterpriseGlobal.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/bin/sh", "-c"] args: - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_authorizer diff --git a/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml b/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml index c466ed74..6b7b072d 100644 --- a/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml @@ -68,6 +68,10 @@ spec: - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/cloud_sql_proxy"] args: {{- if .Values.cloudsql.extraArgs }} 
@@ -87,6 +91,10 @@ spec: - name: "{{ .Chart.Name }}-{{ $component }}" image: {{ .Values.anchoreEnterpriseGlobal.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/bin/sh", "-c"] args: - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_manager @@ -167,6 +175,10 @@ spec: - name: {{ .Chart.Name }}-rbac-authorizer image: {{ .Values.anchoreEnterpriseGlobal.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/bin/sh", "-c"] args: - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_authorizer diff --git a/stable/anchore-engine/templates/enterprise_reports_deployment.yaml b/stable/anchore-engine/templates/enterprise_reports_deployment.yaml index 39facbd4..65ebc0c5 100644 --- a/stable/anchore-engine/templates/enterprise_reports_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_reports_deployment.yaml @@ -68,6 +68,10 @@ spec: - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/cloud_sql_proxy"] args: {{- if .Values.cloudsql.extraArgs }} 
@@ -87,6 +91,10 @@ spec: - name: "{{ .Chart.Name }}-{{ $component }}" image: {{ .Values.anchoreEnterpriseGlobal.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/bin/sh", "-c"] args: - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade reports_worker diff --git a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml index 40ca7e5c..d2f4d609 100644 --- a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml @@ -72,6 +72,10 @@ spec: - name: cloudsql-proxy image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/cloud_sql_proxy"] args: {{- if .Values.cloudsql.extraArgs }} @@ -91,6 +95,10 @@ spec: - name: "{{ .Chart.Name }}-{{ $component }}" image: {{ .Values.anchoreEnterpriseUi.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseUi.imagePullPolicy }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} command: ["/bin/sh", "-c"] args: - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh node /home/node/aui/build/server.js diff --git a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml index 4b6ee388..d2b39421 100644 --- a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml 
@@ -45,6 +45,10 @@ spec:
 - name: cloudsql-proxy
 image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
 imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
+ {{- with .Values.anchoreGlobal.containerSecurityContext }}
+ securityContext:
+ {{ toYaml . | nindent 10 }}
+ {{- end }}
 command: ["/cloud_sql_proxy"]
 args:
 {{- if .Values.cloudsql.extraArgs }}
@@ -79,9 +83,17 @@ spec:
 {{- if .Values.cloudsql.enabled }}
 - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid;
 securityContext:
+ {{- with .Values.anchoreGlobal.containerSecurityContext }}
+ {{ toYaml . | nindent 10 }}
+ {{- end }}
 capabilities:
 add:
 - SYS_PTRACE
+ {{- else }}
+ {{- with .Values.anchoreGlobal.containerSecurityContext }}
+ securityContext:
+ {{ toYaml . | nindent 10 }}
+ {{- end }}
 {{- end }}
 envFrom:
 {{- if not .Values.inject_secrets_via_env }}
diff --git a/stable/anchore-engine/templates/policy_engine_deployment.yaml b/stable/anchore-engine/templates/policy_engine_deployment.yaml
index 5e76cfd5..317b2f5b 100644
--- a/stable/anchore-engine/templates/policy_engine_deployment.yaml
+++ b/stable/anchore-engine/templates/policy_engine_deployment.yaml
@@ -88,6 +88,10 @@ spec:
 - name: cloudsql-proxy
 image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
 imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
+ {{- with .Values.anchoreGlobal.containerSecurityContext }}
+ securityContext:
+ {{ toYaml . | nindent 10 }}
+ {{- end }}
 command: ["/cloud_sql_proxy"]
 args:
 {{- if .Values.cloudsql.extraArgs }}
@@ -112,6 +116,10 @@ spec:
 image: {{ .Values.anchoreGlobal.image }}
 imagePullPolicy: {{ .Values.anchoreGlobal.imagePullPolicy }}
 {{- end }}
+ {{- with .Values.anchoreGlobal.containerSecurityContext }}
+ securityContext:
+ {{ toYaml . | nindent 10 }}
+ {{- end }}
 command: ["/bin/sh", "-c"]
 {{- if .Values.anchoreEnterpriseGlobal.enabled }}
 args:
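Review bot: In the `@@ -79,9 +83,17 @@` hunk of enterprise_upgrade_job.yaml, the cloudsql branch splices `containerSecurityContext` into a `securityContext:` mapping that already carries `capabilities: add: [SYS_PTRACE]`, so a value that itself sets `capabilities` (the usual hardening `capabilities: {drop: [ALL]}`) renders a duplicate `capabilities` key, and what happens next depends on the YAML parser — a render error or one of the two silently winning. Merging the user map with the chart's own capability before emitting it removes the ambiguity; a sketch (untested, sprig dict functions) is below, the alternative being a values.yaml comment stating that `capabilities` in `containerSecurityContext` conflicts with `cloudsql.enabled`. The `{{- else }}` branch and the policy_engine/cloudsql-proxy hunks that follow are unaffected.
```yaml
          securityContext:
          {{- $ctx := deepCopy (default (dict) .Values.anchoreGlobal.containerSecurityContext) }}
          {{- $caps := default (dict) (get $ctx "capabilities") }}
          {{- $_ := set $caps "add" (append (default (list) (get $caps "add")) "SYS_PTRACE") }}
          {{- $_ := set $ctx "capabilities" $caps }}
          {{ toYaml $ctx | nindent 10 }}
          # … unchanged: {{- else }} branch, envFrom …
```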
diff --git a/stable/anchore-engine/templates/simplequeue_deployment.yaml b/stable/anchore-engine/templates/simplequeue_deployment.yaml
index b32198dc..12b27ba3 100644
--- a/stable/anchore-engine/templates/simplequeue_deployment.yaml
+++ b/stable/anchore-engine/templates/simplequeue_deployment.yaml
@@ -74,6 +74,10 @@ spec:
 - name: cloudsql-proxy
 image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }}
 imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }}
+ {{- with .Values.anchoreGlobal.containerSecurityContext }}
+ securityContext:
+ {{ toYaml . | nindent 10 }}
+ {{- end }}
 command: ["/cloud_sql_proxy"]
 args:
 {{- if .Values.cloudsql.extraArgs }}
@@ -98,6 +102,10 @@ spec:
 image: {{ .Values.anchoreGlobal.image }}
 imagePullPolicy: {{ .Values.anchoreGlobal.imagePullPolicy }}
 {{- end }}
+ {{- with .Values.anchoreGlobal.containerSecurityContext }}
+ securityContext:
+ {{ toYaml . | nindent 10 }}
+ {{- end }}
 command: ["/bin/sh", "-c"]
 {{- if .Values.anchoreEnterpriseGlobal.enabled }}
 args:
diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml
index a17c3b1d..eb442918 100644
--- a/stable/anchore-engine/values.yaml
+++ b/stable/anchore-engine/values.yaml
@@ -181,6 +181,9 @@ anchoreGlobal:
 runAsUser: 1000
 runAsGroup: 1000
 fsGroup: 1000
+
+ # Specify your container securityContext here
+ containerSecurityContext: {}
 
 ###
 # Start of General Anchore Configurations (populates /config/config.yaml)
From 49d7df1f210e4981edf78e46c8af2da56280eeb8 Mon Sep 17 00:00:00 2001
From: Bradley Jones
Date: Fri, 24 Mar 2023 11:02:00 +0000
Subject: [PATCH 106/329] chore: add verboseInventoryReports option to KAI helm chart

Signed-off-by: Bradley Jones
---
 stable/kai/templates/configmap.yaml | 1 +
 stable/kai/values.yaml | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/stable/kai/templates/configmap.yaml b/stable/kai/templates/configmap.yaml
index 8da985f0..717f3813 100644
--- a/stable/kai/templates/configmap.yaml
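Review bot: The one-line comment above `containerSecurityContext: {}` in the values.yaml hunk is the only documentation of the new knob, and it does not say that the same map is rendered into every container in the chart — the Anchore service containers, the rbac sidecars and each cloudsql-proxy sidecar alike — so an operator has to choose a setting that every image tolerates. Expand it along the lines of `# Container-level securityContext rendered into every Anchore and cloudsql-proxy container; {} renders nothing.` followed by `# Example hardened value: {allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, capabilities: {drop: [ALL]}} — verify each image before enabling.` The README is not touched anywhere in this chunk, so the values comment is what operators will read.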
+++ b/stable/kai/templates/configmap.yaml
@@ -40,3 +40,4 @@ data:
 http:
 insecure: {{ .Values.kai.anchore.http.insecure }}
 timeout-seconds: {{ .Values.kai.anchore.http.timeoutSeconds }}
+ verbose-inventory-reports: {{ .Values.kai.verboseInventoryReports }}
diff --git a/stable/kai/values.yaml b/stable/kai/values.yaml
index 10a5bb96..90582eb2 100644
--- a/stable/kai/values.yaml
+++ b/stable/kai/values.yaml
@@ -164,3 +164,5 @@ kai:
 http:
 insecure: true
 timeoutSeconds: 10
+
+ verboseInventoryReports: false
From cf778ef70b03134e9d7d69294b7d1ddc7724954d Mon Sep 17 00:00:00 2001
From: Bradley Jones
Date: Fri, 24 Mar 2023 11:13:00 +0000
Subject: [PATCH 107/329] feat: bump KAI to v0.5.0

Signed-off-by: Bradley Jones
---
 stable/kai/Chart.yaml | 4 ++--
 stable/kai/values.yaml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/stable/kai/Chart.yaml b/stable/kai/Chart.yaml
index 1a9eb950..20dd6dc1 100644
--- a/stable/kai/Chart.yaml
+++ b/stable/kai/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: kai
-version: 0.3.3
-appVersion: 0.3.2
+version: 0.5.0
+appVersion: 0.5.0
 description: A Helm chart for Kubernetes Automated Inventory, which describes which images are in use in a given Kubernetes Cluster
 keywords:
 - analysis
diff --git a/stable/kai/values.yaml b/stable/kai/values.yaml
index 90582eb2..ba3a1e9f 100644
--- a/stable/kai/values.yaml
+++ b/stable/kai/values.yaml
@@ -8,7 +8,7 @@ image:
 repository: anchore/kai
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
- tag: "v0.3.2"
+ tag: "v0.5.0"
 
 imagePullSecrets: []
 nameOverride: ""
From d982ee945bdf7414694fb15eeca69c8a5b7e9307 Mon Sep 17 00:00:00 2001
From: "Christopher Adams (chrisad2)"
Date: Wed, 5 Apr 2023 06:54:55 -0500
Subject: [PATCH 108/329] Bump anchore-engine to 1.25.0

Signed-off-by: Christopher Adams (chrisad2)
---
 stable/anchore-engine/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

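Review bot: `verboseInventoryReports: false` in the kai values.yaml hunk arrives without a comment, and the kai README is not part of this commit, so nothing tells an operator what a verbose inventory report adds to kai's output (the configmap hunk passes the value straight through as `verbose-inventory-reports`, so the chart itself does not show it either). Add a values comment above the key, e.g. `# Set true to have kai emit verbose inventory reports; see the kai documentation for what the verbose form includes`, and mirror it in the README's parameter table. The rendered key is an unquoted boolean, which matches the neighbouring `insecure:` and is fine for a bool value.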
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index cec07709..8472ec83 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.24.0
+version: 1.25.0
 appVersion: 1.1.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
From 8a7a60f5ebe30c5a7f4b5ec323c6e3ab1b773495 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Mon, 10 Apr 2023 15:52:48 -0700
Subject: [PATCH 109/329] Fix linting issues

---
 stable/anchore-engine/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml
index eb442918..8d292929 100644
--- a/stable/anchore-engine/values.yaml
+++ b/stable/anchore-engine/values.yaml
@@ -181,7 +181,7 @@ anchoreGlobal:
 runAsUser: 1000
 runAsGroup: 1000
 fsGroup: 1000
-
+
 # Specify your container securityContext here
 containerSecurityContext: {}
 
From a4893674382d281c1078a7956f430dcd22fc2568 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Mon, 10 Apr 2023 16:42:50 -0700
Subject: [PATCH 110/329] bump chart version

I think this is a minor enough change that it only warrants a patch version bump. Existing deployments will not be impacted upon upgrading to this version without making changes to their values file.
---
 stable/anchore-engine/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index 8472ec83..af93d423 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.25.0
+version: 1.24.1
 appVersion: 1.1.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
From b6324e9f1164043b835a907c8e09712de22edcd3 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Thu, 20 Apr 2023 12:52:44 -0700
Subject: [PATCH 111/329] Add quotes to db confi environment vars

To prevent '!' from being interpreted by YAML we need to quote out all env vars used for db config variables.

Signed-off-by: Brady Todhunter
---
 stable/anchore-engine/Chart.yaml | 2 +-
 stable/anchore-engine/templates/engine_configmap.yaml | 10 +++++-----
 .../anchore-engine/templates/enterprise_configmap.yaml | 10 +++++-----
 .../templates/enterprise_feeds_configmap.yaml | 10 +++++-----
 4 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index af93d423..85170726 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.24.1
+version: 1.24.2
 appVersion: 1.1.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml
index 77a56869..a4314c5f 100644
--- a/stable/anchore-engine/templates/engine_configmap.yaml
+++ b/stable/anchore-engine/templates/engine_configmap.yaml
@@ -100,11 +100,11 @@ data:
 credentials:
 database:
 {{- if .Values.anchoreEnterpriseGlobal.enabled }}
- user: ${ANCHORE_DB_USER}
- password: ${ANCHORE_DB_PASSWORD}
- host: ${ANCHORE_DB_HOST}
- port: ${ANCHORE_DB_PORT}
- name: ${ANCHORE_DB_NAME}
+ user: "${ANCHORE_DB_USER}"
+ password: "${ANCHORE_DB_PASSWORD}"
+ host: "${ANCHORE_DB_HOST}"
+ port: "${ANCHORE_DB_PORT}"
+ name: "${ANCHORE_DB_NAME}"
 {{- else }}
 db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}/${ANCHORE_DB_NAME}"
 {{- end }}
diff --git a/stable/anchore-engine/templates/enterprise_configmap.yaml b/stable/anchore-engine/templates/enterprise_configmap.yaml
index 401d3383..758e1b36 100644
--- a/stable/anchore-engine/templates/enterprise_configmap.yaml
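Review bot: Quoting `"${ANCHORE_DB_PASSWORD}"` and the other placeholders fixes the YAML-tag problem for the enterprise branch of engine_configmap.yaml, but the `{{- else }}` branch a few lines below still builds `db_connect: "postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}:…"`, where the same password is substituted into a URL; there an `@`, `:`, `/`, `?`, `#` or `%` in the password is read as a URL component rather than as YAML, which the commit message ("quote out all env vars used for db config") reads as covered. A comment next to `db_connect:` such as `# password is substituted into a URL: percent-encode reserved characters (@ : / ? # %) in ANCHORE_DB_PASSWORD` would close that gap. Note also that `port: "${ANCHORE_DB_PORT}"` now arrives as a string instead of an integer once the variable is expanded — presumably accepted by the consumer, but worth confirming. The same quoting is applied in the enterprise_configmap.yaml and enterprise_feeds_configmap.yaml hunks that follow, so the port remark applies there too.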
+++ b/stable/anchore-engine/templates/enterprise_configmap.yaml
@@ -69,11 +69,11 @@ data:
 credentials:
 database:
- user: ${ANCHORE_DB_USER}
- password: ${ANCHORE_DB_PASSWORD}
- host: ${ANCHORE_DB_HOST}
- port: ${ANCHORE_DB_PORT}
- name: ${ANCHORE_DB_NAME}
+ user: "${ANCHORE_DB_USER}"
+ password: "${ANCHORE_DB_PASSWORD}"
+ host: "${ANCHORE_DB_HOST}"
+ port: "${ANCHORE_DB_PORT}"
+ name: "${ANCHORE_DB_NAME}"
 db_connect_args:
 timeout: {{ .Values.anchoreGlobal.dbConfig.timeout }}
diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml
index ba79a097..dc2205f6 100644
--- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml
+++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml
@@ -78,11 +78,11 @@ data:
 credentials:
 database:
- user: ${ANCHORE_FEEDS_DB_USER}
- password: ${ANCHORE_FEEDS_DB_PASSWORD}
- host: ${ANCHORE_FEEDS_DB_HOST}
- port: ${ANCHORE_FEEDS_DB_PORT}
- name: ${ANCHORE_FEEDS_DB_NAME}
+ user: "${ANCHORE_FEEDS_DB_USER}"
+ password: "${ANCHORE_FEEDS_DB_PASSWORD}"
+ host: "${ANCHORE_FEEDS_DB_HOST}"
+ port: "${ANCHORE_FEEDS_DB_PORT}"
+ name: "${ANCHORE_FEEDS_DB_NAME}"
 db_connect_args:
 timeout: {{ .Values.anchoreEnterpriseFeeds.dbConfig.timeout }}
From 77fb24d2a99bbe826b0df7f8f492b9060df0c0fd Mon Sep 17 00:00:00 2001
From: "Christopher Adams (chrisad2)"
Date: Fri, 21 Apr 2023 14:39:46 -0500
Subject: [PATCH 112/329] Add labels from values files to upgrade jobs

Signed-off-by: Christopher Adams (chrisad2)
---
 .../anchore-engine/templates/engine_upgrade_job.yaml | 12 ++++++++++++
 .../templates/enterprise_feeds_upgrade_job.yaml | 12 ++++++++++++
 .../templates/enterprise_upgrade_job.yaml | 12 ++++++++++++
 stable/anchore-engine/values.yaml | 3 +++
 4 files changed, 39 insertions(+)

diff --git a/stable/anchore-engine/templates/engine_upgrade_job.yaml b/stable/anchore-engine/templates/engine_upgrade_job.yaml
index d1bfb4a0..ee6cd8ec 100644
--- a/stable/anchore-engine/templates/engine_upgrade_job.yaml
+++ b/stable/anchore-engine/templates/engine_upgrade_job.yaml
@@ -9,6 +9,12 @@ metadata:
 app.kubernetes.io/instance: {{ .Release.Name | quote }}
 app.kubernetes.io/version: {{ .Chart.AppVersion }}
 helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ {{- with .Values.anchoreEngineUpgradeJob.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.anchoreGlobal.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
 annotations:
 "helm.sh/hook": post-upgrade
 "helm.sh/hook-weight": "-5"
@@ -22,6 +28,12 @@ spec:
 helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
 app: {{ template "anchore-engine.fullname" . }}
 component: anchore-engine-upgrade
+ {{- with .Values.anchoreEngineUpgradeJob.labels }}
+ {{ toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.anchoreGlobal.labels }}
+ {{ toYaml . | nindent 8 }}
+ {{- end }}
 annotations:
 {{- with .Values.anchoreGlobal.annotations }}
 {{ toYaml . | nindent 8 }}
diff --git a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml
index 46903c5b..de931964 100644
--- a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml
+++ b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml
@@ -9,6 +9,12 @@ metadata:
 app.kubernetes.io/instance: {{ .Release.Name | quote }}
 app.kubernetes.io/version: {{ .Chart.AppVersion }}
 helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.anchoreGlobal.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
 annotations:
 "helm.sh/hook": post-upgrade
 "helm.sh/hook-weight": "-3"
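Review bot: The two new `with` blocks render `anchoreEngineUpgradeJob.labels` and then `anchoreGlobal.labels` back to back under the same `labels:` mapping, so any key present in both maps becomes a duplicate YAML key in the manifest and the outcome depends on the parser Helm uses (a render error or a silent last-wins); the same pattern is repeated in the pod-template hunk below and in the enterprise_feeds_upgrade_job.yaml and enterprise_upgrade_job.yaml hunks that follow. Merging the two maps before rendering makes the precedence explicit, e.g. `{{- with merge (dict) .Values.anchoreEngineUpgradeJob.labels .Values.anchoreGlobal.labels }}` / `{{ toYaml . | nindent 4 }}` / `{{- end }}` — sprig `merge` gives the earlier map precedence, which matches a "job overrides global" reading, and `with` on an empty result renders nothing. As for the template-level `labels:` on the Job's pod template, pod-template labels cannot be changed on an existing Job; these are `post-upgrade` hook Jobs that are presumably recreated on each upgrade, so that should not bite, but it is worth a one-line comment in the hunk.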
@@ -22,6 +28,12 @@ spec:
 helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
 app: {{ template "anchore-engine.fullname" . }}
 component: anchore-enterprise-feeds-upgrade
+ {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.labels }}
+ {{ toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.anchoreGlobal.labels }}
+ {{ toYaml . | nindent 8 }}
+ {{- end }}
 annotations:
 {{- with .Values.anchoreGlobal.annotations }}
 {{ toYaml . | nindent 8 }}
diff --git a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml
index d2b39421..76049524 100644
--- a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml
+++ b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml
@@ -9,6 +9,12 @@ metadata:
 app.kubernetes.io/instance: {{ .Release.Name | quote }}
 app.kubernetes.io/version: {{ .Chart.AppVersion }}
 helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ {{- with .Values.anchoreEnterpriseEngineUpgradeJob.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.anchoreGlobal.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
 annotations:
 "helm.sh/hook": post-upgrade
 "helm.sh/hook-weight": "-3"
@@ -22,6 +28,12 @@ spec:
 helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
 app: {{ template "anchore-engine.fullname" . }}
 component: anchore-enterprise-upgrade
+ {{- with .Values.anchoreEnterpriseEngineUpgradeJob.labels }}
+ {{ toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.anchoreGlobal.labels }}
+ {{ toYaml . | nindent 8 }}
+ {{- end }}
 annotations:
 {{- with .Values.anchoreGlobal.annotations }}
 {{ toYaml . | nindent 8 }}
diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml
index 8d292929..7cfd1fb8 100644
--- a/stable/anchore-engine/values.yaml
+++ b/stable/anchore-engine/values.yaml
@@ -733,6 +733,7 @@ anchoreEngineUpgradeJob:
 tolerations: []
 affinity: {}
 annotations: {}
+ labels: {}
 
 # This section is used for configuring anchore enterprise.
 anchoreEnterpriseGlobal:
@@ -948,6 +949,7 @@ anchoreEnterpriseFeedsUpgradeJob:
 tolerations: []
 affinity: {}
 annotations: {}
+ labels: {}
 
 # Configure the Anchore Enterprise role based access control component.
 # This component consists of 2 containers that run as side-cars in the Anchore api pod.
@@ -1331,6 +1333,7 @@ anchoreEnterpriseEngineUpgradeJob:
 tolerations: []
 affinity: {}
 annotations: {}
+ labels: {}
 
 # To inject secrets ( credentails data ) via env, rather k8s secrets please set this flag to true.
 # This feature will be useful, especially to inject secrets directly into k8s pods from hashicorp vault
From 207cbab978ca7644beef65ac557311015b96e32d Mon Sep 17 00:00:00 2001
From: "Christopher Adams (chrisad2)"
Date: Fri, 21 Apr 2023 14:40:05 -0500
Subject: [PATCH 113/329] Bump version

Signed-off-by: Christopher Adams (chrisad2)
---
 stable/anchore-engine/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index 85170726..8472ec83 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.24.2
+version: 1.25.0
 appVersion: 1.1.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
From 3b5d5c99eee70a7981e2bc79be16bf51ec53ec3e Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Thu, 4 May 2023 15:08:37 -0700
Subject: [PATCH 114/329] Update Chart.yaml

---
 stable/anchore-engine/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index 8472ec83..ee160a66 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
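Review bot: Each of the three new `labels: {}` keys in values.yaml is added without a comment, and nothing tells a reader that these labels are rendered onto both the upgrade Job object and its pod template, or how they combine with `anchoreGlobal.labels`. A one-line comment above each key would do, e.g. `# Extra labels applied to this upgrade Job and its pod template, in addition to anchoreGlobal.labels`. The neighbouring `annotations: {}` is equally bare, so this is the chart's existing style, but the labels case is the one where a key collision with the global map matters.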
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.25.0
+version: 1.24.3
 appVersion: 1.1.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
From c28e40bbf0ae5c1e97e1ea2e0bee51b473566fd7 Mon Sep 17 00:00:00 2001
From: Hung Nguyen
Date: Wed, 10 May 2023 16:22:27 -0400
Subject: [PATCH 115/329] adding ecs-inventory chart

Signed-off-by: Hung Nguyen
---
 stable/ecs-inventory/.helmignore | 23 +++
 stable/ecs-inventory/Chart.yaml | 26 +++
 stable/ecs-inventory/README.md | 106 +++++++++++
 stable/ecs-inventory/templates/NOTES.txt | 6 +
 stable/ecs-inventory/templates/_helpers.tpl | 26 +++
 stable/ecs-inventory/templates/_names.tpl | 38 ++++
 stable/ecs-inventory/templates/configmap.yaml | 27 +++
 .../ecs-inventory/templates/deployment.yaml | 100 ++++++++++
 stable/ecs-inventory/templates/secrets.yaml | 15 ++
 stable/ecs-inventory/values.yaml | 171 ++++++++++++++++++
 10 files changed, 538 insertions(+)
 create mode 100644 stable/ecs-inventory/.helmignore
 create mode 100644 stable/ecs-inventory/Chart.yaml
 create mode 100644 stable/ecs-inventory/README.md
 create mode 100644 stable/ecs-inventory/templates/NOTES.txt
 create mode 100644 stable/ecs-inventory/templates/_helpers.tpl
 create mode 100644 stable/ecs-inventory/templates/_names.tpl
 create mode 100644 stable/ecs-inventory/templates/configmap.yaml
 create mode 100644 stable/ecs-inventory/templates/deployment.yaml
 create mode 100644 stable/ecs-inventory/templates/secrets.yaml
 create mode 100644 stable/ecs-inventory/values.yaml

diff --git a/stable/ecs-inventory/.helmignore b/stable/ecs-inventory/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/stable/ecs-inventory/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/stable/ecs-inventory/Chart.yaml b/stable/ecs-inventory/Chart.yaml
new file mode 100644
index 00000000..a8b006bc
--- /dev/null
+++ b/stable/ecs-inventory/Chart.yaml
@@ -0,0 +1,26 @@
+apiVersion: v2
+
+name: ecs-inventory
+description: A Helm chart for the Anchore ECS Inventory, which gathers an inventory of images in use by Amazon Elastic Container Service (ECS).
+
+keywords:
+ - analysis
+ - ecs
+ - docker
+ - anchore
+ - image
+ - inventory
+ - security
+ - scanner
+
+maintainers:
+ - name: btodhunter
+ email: bradyt@anchore.com
+ - name: hn23
+ email: hung.nguyen@anchore.com
+
+type: application
+version: 0.0.1
+appVersion: "1.0.0"
+
+icon: https://anchore.com/wp-content/uploads/2016/08/anchore.png
diff --git a/stable/ecs-inventory/README.md b/stable/ecs-inventory/README.md
new file mode 100644
index 00000000..9e77a2eb
--- /dev/null
+++ b/stable/ecs-inventory/README.md
@@ -0,0 +1,106 @@ +# Anchore ECS Inventory Helm Chart +## Anchore ECS Inventory: Anchore ECS Inventory +Anchore ECS Inventory is a tool to gather an inventory of images in use by Amazon Elastic Container Service (ECS) and ship them to the Anchore platform. Anchore ECS Inventory must be able to resolve the Anchore URL and requires API credentials. The minimum version of the Anchore Enterprise platform required for K8s Inventory is 4.7. + +## Installation +Anchore ECS Inventory creates it's own secret based on your values.yaml file for the following keys that are required for successfully deploying and connecting the ecs-inventory service to the Anchore Platform and AWS ECS Service: +- ecsInventory.awsAccessKeyId +- ecsInventory.awsSecretAccessKey + +You can install the chart via via: + ``` + helm repo add anchore https://charts.anchore.io + helm install -f anchore/ecs-inventory + ``` + +A basic values file can always be found [here](https://github.com/anchore/anchore-charts/tree/master/stable/ecs-inventory/values.yaml). The key configurations are in the ecsInventory section. + +## Using your own secrets + +The (ecsInventory.useExistingSecret and ecsInventory.existingSecretName) or ecsInventory.injectSecretsViaEnv keys allows you to create your own secret and provide it in the values file or place the required secret into the pod via different means such as injecting the secrets into the pod using hashicorp vault. 
+ +For example: + +- Create a secret in kubernetes: + + ``` + apiVersion: v1 + kind: Secret + metadata: + name: ecs-inventory-secrets + type: Opaque + stringData: + ANCHORE_ECS_INVENTORY_ANCHORE_PASSWORD: foobar + AWS_ACCESS_KEY_ID: someKeyId + AWS_SECRET_ACCESS_KEY: someSecretAccessKey + ``` + +- Provide it to the helm chart via the values file: + ``` + ecsInventory: + useExistingSecret: true + existingSecretName: "ecs-inventory-secrets" + ``` + +The Anchore API Password and required AWS secret values can also be injected into the environment of the ecs-inventory container. For injecting the environment variable + ``` + # set + ecsInventory: + injectSecretsViaEnv=true + ``` + +See the [ecs-inventory repo](https://github.com/anchore/ecs-inventory) for more information about the ECS Inventory specific configuration## Parameters + +## Parameters + +### Common Resource Parameters + +| Name | Description | Value | +| ------------------------------------- | ----------------------------------------------------------------------- | ---------------------------------------- | +| `replicaCount` | Number of replicas for the Ecs Inventory deployment | `1` | +| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/ecs-inventory:v1.0.0` | +| `imagePullPolicy` | Image pull policy used by all deployments | `Always` | +| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `""` | +| `serviceAccountName` | Name of a service account used to run all Anchore Ecs Inventory pods | `""` | +| `useExistingSecret` | set to true to use an existing/precreated secret | `false` | +| `existingSecretName` | the name of the precreated secret | `""` | +| `injectSecretsViaEnv` | Enable secret injection into pod environment variables | `false` | +| `extraEnv` | extra environment variables. These will be set on all containers. 
| `[]` | +| `annotations` | Common annotations set on all Kubernetes resources | `{}` | +| `deploymentAnnotations` | annotations to set on the ecs-inventory deployment | `{}` | +| `securityContext.runAsUser` | The securityContext runAsUser for all Anchore ECS Inventory pods | `1000` | +| `securityContext.runAsGroup` | The securityContext runAsGroup for all Anchore ECS Inventory pods | `1000` | +| `securityContext.fsGroup` | The securityContext fsGroup for all Anchore ECS Inventory pods | `1000` | +| `resources` | Resource requests and limits for Anchore ECS Inventory pods | `{}` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `tolerations` | Tolerations for pod assignment | `[]` | +| `affinity` | Affinity for pod assignment | `{}` | +| `labels` | Adds additionnal labels to all kubernetes resources | `{}` | +| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `1` | +| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | +| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `5` | +| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | +| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | +| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | +| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `15` | +| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | +| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | + +### ecsInventory Parameters ## + +| Name | Description | Value | +| ---------------------------------------- | ------------------------------------------------------------------ | ----------------------- | +| `ecsInventory.quiet` | Determine whether or not to log the inventory report to stdout | `false` | +| `ecsInventory.output` | The output format of the report (options: table, 
json) | `json` | +| `ecsInventory.logLevel` | the level of verbosity for logs | `info` | +| `ecsInventory.logFile` | location to write the log file (default is not to have a log file) | `""` | +| `ecsInventory.pollingIntervalSeconds` | The polling interval of the ECS API in seconds | `60` | +| `ecsInventory.anchoreUrl` | the url of the anchore platform | `http://localhost:8228` | +| `ecsInventory.anchoreAccount` | the account of the anchore platform | `admin` | +| `ecsInventory.anchoreUser` | the username of the anchore platform | `admin` | +| `ecsInventory.anchorePassword` | the password of the anchore platform | `foobar` | +| `ecsInventory.anchoreHttpInsecure` | whether or not anchore is using ssl/tls | `true` | +| `ecsInventory.anchoreHttpTimeoutSeconds` | the amount of time in seconds before timing out | `10` | +| `ecsInventory.awsAccessKeyId` | the AWS Access Key ID | `foobar` | +| `ecsInventory.awsSecretAccessKey` | the AWS Secret Access Key | `foobar` | +| `ecsInventory.awsRegion` | the AWS Region | `us-west-2` | diff --git a/stable/ecs-inventory/templates/NOTES.txt b/stable/ecs-inventory/templates/NOTES.txt new file mode 100644 index 00000000..d9ae3157 --- /dev/null +++ b/stable/ecs-inventory/templates/NOTES.txt @@ -0,0 +1,6 @@ +Anchore ECS Inventory is a tool to gather an inventory of images in use by Amazon Elastic Container Service (ECS) and ship them to the Anchore platform. +Anchore ECS Inventory must be able to resolve the Anchore URL and requires API credentials. + +For more info see: https://github.com/anchore/ecs-inventory + +ECS Inventory is now installed. \ No newline at end of file diff --git a/stable/ecs-inventory/templates/_helpers.tpl b/stable/ecs-inventory/templates/_helpers.tpl new file mode 100644 index 00000000..5b0219fa --- /dev/null +++ b/stable/ecs-inventory/templates/_helpers.tpl 
@@ -0,0 +1,26 @@
+{{/*
+Selector labels
+*/}}
+{{- define "ecsInventory.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ecsInventory.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "ecsInventory.labels" -}}
+helm.sh/chart: {{ include "ecsInventory.chart" . }}
+{{ include "ecsInventory.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.labels }}
+{{ toYaml . }}
+{{- end }}
+app: {{ include "ecsInventory.fullname" . }}
+release: {{ .Release.Name }}
+heritage: {{ .Release.Service }}
+{{- end }}
\ No newline at end of file
diff --git a/stable/ecs-inventory/templates/_names.tpl b/stable/ecs-inventory/templates/_names.tpl
new file mode 100644
index 00000000..9348254f
--- /dev/null
+++ b/stable/ecs-inventory/templates/_names.tpl
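Review bot: `chart: {{ .Chart.Name }}-{{ .Chart.Version }}` inside `ecsInventory.labels` emits the raw chart version, whereas `helm.sh/chart:` two lines above goes through the `ecsInventory.chart` helper that replaces `+` and truncates to 63 characters; a Chart.Version carrying build metadata (`1.0.0+abc`) therefore yields an invalid label value on `chart:` alone. Use the same helper: `chart: {{ include "ecsInventory.chart" . }}`. The `{{ toYaml . }}` of `.Values.labels` is emitted with no indentation and only works because every caller pipes the whole include through `nindent`; the header comment should say so, e.g. `{{/* Common labels — callers must pipe this include through nindent */}}`.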
@@ -0,0 +1,38 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ecsInventory.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ecsInventory.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ecsInventory.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "ecsInventory.serviceAccountName" -}}
+{{- default "default" .Values.serviceAccountName }}
+{{- end }}
\ No newline at end of file
diff --git a/stable/ecs-inventory/templates/configmap.yaml b/stable/ecs-inventory/templates/configmap.yaml
new file mode 100644
index 00000000..1921be3f
--- /dev/null
+++ b/stable/ecs-inventory/templates/configmap.yaml
@@ -0,0 +1,27 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: {{ include "ecsInventory.fullname" . }}
+ annotations:
+ {{- with .Values.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ {{- include "ecsInventory.labels" . | nindent 4 }}
+data:
+ config.yaml: |
+ output: {{ .Values.ecsInventory.output | quote }}
+ log:
+ level: {{ .Values.ecsInventory.logLevel | quote }}
+ file: {{ .Values.ecsInventory.logFile | quote }}
+ anchore:
+ url: {{ .Values.ecsInventory.anchoreUrl | quote }}
+ user: {{ .Values.ecsInventory.anchoreUser | quote }}
+ password: $ANCHORE_ECS_INVENTORY_ANCHORE_PASSWORD
+ account: {{ .Values.ecsInventory.anchoreAccount | quote }}
+ http:
+ insecure: {{ .Values.ecsInventory.anchoreHttpInsecure }}
+ timeout-seconds: {{ .Values.ecsInventory.anchoreHttpTimeoutSeconds }}
+ region: {{ .Values.ecsInventory.awsRegion | quote }}
+ polling-interval-seconds: {{ .Values.ecsInventory.pollingIntervalSeconds }}
+ quiet: {{ .Values.ecsInventory.quiet }}
diff --git a/stable/ecs-inventory/templates/deployment.yaml b/stable/ecs-inventory/templates/deployment.yaml
new file mode 100644
index 00000000..fc440b04
--- /dev/null
+++ b/stable/ecs-inventory/templates/deployment.yaml
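Review bot: `password: $ANCHORE_ECS_INVENTORY_ANCHORE_PASSWORD` is the one value in `config.yaml` that is not passed through `quote`, and patch 111 earlier in this series quoted the equivalent `${ANCHORE_DB_PASSWORD}` placeholders precisely because a password beginning with `!` (or `*`, `&`, `{`, `[`) is read as YAML syntax once the variable is expanded; if ecs-inventory expands environment variables before parsing its config, the same failure applies here, so write `password: "$ANCHORE_ECS_INVENTORY_ANCHORE_PASSWORD"`. `insecure: {{ .Values.ecsInventory.anchoreHttpInsecure }}` is rendered from a chart default that the README in this same patch lists as `true`, which disables TLS verification toward the Anchore API out of the box; the default belongs at `false`, and the README row ("whether or not anchore is using ssl/tls") should be reworded to say it skips certificate verification. The chart's values.yaml and secrets.yaml are not in this chunk, so the defaults are taken from the README table.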
@@ -0,0 +1,100 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "ecsInventory.fullname" . }} + labels: + {{- include "ecsInventory.labels" . | nindent 4 }} + annotations: + {{- with .Values.deploymentAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "ecsInventory.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if not .Values.useExistingSecrets }} + checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} + {{- end }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + labels: + {{- include "ecsInventory.labels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecretName }} + imagePullSecrets: + - name: {{ . }} + {{- end }} + serviceAccountName: {{ include "ecsInventory.serviceAccountName" . }} + {{- with .Values.securityContext }} + securityContext: {{- toYaml . 
| nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + livenessProbe: + exec: + command: + - /anchore-ecs-inventory + - version + initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} + timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }} + periodSeconds: {{ .Values.probes.liveness.periodSeconds }} + failureThreshold: {{ .Values.probes.liveness.failureThreshold }} + successThreshold: {{ .Values.probes.liveness.successThreshold }} + readinessProbe: + exec: + command: + - /anchore-ecs-inventory + - version + timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }} + periodSeconds: {{ .Values.probes.readiness.periodSeconds }} + failureThreshold: {{ .Values.probes.readiness.failureThreshold }} + successThreshold: {{ .Values.probes.readiness.successThreshold }} + {{- with .Values.resources }} + resources: {{ toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - name: config-volume + mountPath: /etc/xdg/anchore-ecs-inventory/config.yaml + subPath: config.yaml + {{- if .Values.ecsInventory.logFile }} + - name: logs + mountPath: {{ dir .Values.ecsInventory.logFile }} + {{- end }} + envFrom: + {{- if not .Values.injectSecretsViaEnv }} + - secretRef: + name: {{ default (include "ecsInventory.fullname" .) .Values.existingSecretName }} + {{- end }} + env: + {{- with .Values.extraEnv }} + {{- toYaml . | nindent 10 }} + {{- end }} + + volumes: + {{- if .Values.ecsInventory.logFile }} + - name: logs + emptyDir: {} + {{- end }} + - name: config-volume + configMap: + name: {{ include "ecsInventory.fullname" . }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} 
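Review bot: `{{- if not .Values.useExistingSecrets }}` tests a key the chart never defines — values.yaml in this patch declares `useExistingSecret` and secrets.yaml tests `.Values.useExistingSecret` — so the `checksum/secrets` annotation is rendered unconditionally and hashes an empty manifest when the user brings their own Secret; change it to `{{- if not .Values.useExistingSecret }}`. Relatedly, `name: {{ default (include "ecsInventory.fullname" .) .Values.existingSecretName }}` falls back to the chart-managed Secret name even when `useExistingSecret` is true and that Secret is not created, which surfaces only at pod start as a missing-secret error; a `required "existingSecretName must be set when useExistingSecret is true"` guard would fail at render time instead. The pod-level `securityContext` is the only hardening applied: there is no container `securityContext`, so `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `capabilities.drop` stay at their defaults — consider a `containerSecurityContext` value rendered under the container. The liveness and readiness probes run `/anchore-ecs-inventory version`, which proves the binary executes but not that the poller is working; worth a comment saying so.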
diff --git a/stable/ecs-inventory/templates/secrets.yaml b/stable/ecs-inventory/templates/secrets.yaml new file mode 100644 index 00000000..ed5d0912 --- /dev/null +++ b/stable/ecs-inventory/templates/secrets.yaml @@ -0,0 +1,15 @@ +# only create the secret if injectSecret is false AND existingSecrets is false + +{{- if and (not .Values.injectSecretsViaEnv ) (not .Values.useExistingSecret) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "ecsInventory.fullname" . }} + labels: + {{- include "ecsInventory.labels" . | nindent 4 }} +type: Opaque +stringData: + ANCHORE_ECS_INVENTORY_ANCHORE_PASSWORD: {{ .Values.ecsInventory.anchorePassword | quote }} + AWS_ACCESS_KEY_ID: {{ .Values.ecsInventory.awsAccessKeyId | quote }} + AWS_SECRET_ACCESS_KEY: {{ .Values.ecsInventory.awsSecretAccessKey | quote }} +{{- end -}} diff --git a/stable/ecs-inventory/values.yaml b/stable/ecs-inventory/values.yaml new file mode 100644 index 00000000..cb6797fa --- /dev/null +++ b/stable/ecs-inventory/values.yaml 
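Review bot: The header comment refers to keys that do not exist in this chart (`injectSecret`, `existingSecrets`); the condition on the next line actually reads `injectSecretsViaEnv` and `useExistingSecret`, so the comment should be `# only create the secret if injectSecretsViaEnv is false AND useExistingSecret is false`. Unlike the ConfigMap and Deployment in this patch, the Secret does not render `.Values.annotations`, which is inconsistent for a value documented as "Common annotations set on all Kubernetes resources". A short comment above `stringData` noting that these three keys are the environment variable names an operator-provided existing secret must also expose would help users of `useExistingSecret`.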
@@ -0,0 +1,171 @@ +################################################### +## @section Common Resource Parameters +## Common params used by all ECS Inventory resources +################################################### + +## @param replicaCount Number of replicas for the Ecs Inventory deployment +## +replicaCount: 1 + +## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI +## +image: "docker.io/anchore/ecs-inventory:v1.0.0" + +## @param imagePullPolicy Image pull policy used by all deployments +## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy +## +imagePullPolicy: "Always" + +## @param imagePullSecretName Name of Docker credentials secret for access to private repos +## Secrets must be manually created in the same namespace as release +## +imagePullSecretName: "" + +## @param serviceAccountName Name of a service account used to run all Anchore Ecs Inventory pods +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccountName: "" + + +## @param useExistingSecret set to true to use an existing/precreated secret +## +useExistingSecret: false + +## @param existingSecretName the name of the precreated secret +## +existingSecretName: "" + +## @param injectSecretsViaEnv Enable secret injection into pod environment variables +## +injectSecretsViaEnv: false + +## @param extraEnv extra environment variables. These will be set on all containers. 
+### - name: foo +### value: bar +## +extraEnv: [] + +## @param annotations Common annotations set on all Kubernetes resources +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +annotations: {} + +## @param deploymentAnnotations annotations to set on the ecs-inventory deployment +## +deploymentAnnotations: {} + +## @param securityContext.runAsUser The securityContext runAsUser for all Anchore ECS Inventory pods +## @param securityContext.runAsGroup The securityContext runAsGroup for all Anchore ECS Inventory pods +## @param securityContext.fsGroup The securityContext fsGroup for all Anchore ECS Inventory pods +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## +securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + +## @param resources Resource requests and limits for Anchore ECS Inventory pods +## +resources: {} + +## @param nodeSelector Node labels for pod assignment +## +nodeSelector: {} + +## @param tolerations Tolerations for pod assignment +## +tolerations: [] + +## @param affinity Affinity for pod assignment +## +affinity: {} + +## @param labels Adds additionnal labels to all kubernetes resources +## +labels: {} + +## @param probes.liveness.initialDelaySeconds Initial delay seconds for liveness probe +## @param probes.liveness.timeoutSeconds Timeout seconds for liveness probe +## @param probes.liveness.periodSeconds Period seconds for liveness probe +## @param probes.liveness.failureThreshold Failure threshold for liveness probe +## @param probes.liveness.successThreshold Success threshold for liveness probe +## @param probes.readiness.timeoutSeconds Timeout seconds for the readiness probe +## @param probes.readiness.periodSeconds Period seconds for the readiness probe +## @param probes.readiness.failureThreshold Failure threshold for the readiness probe +## @param probes.readiness.successThreshold Success threshold for the 
readiness probe +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes +probes: + liveness: + initialDelaySeconds: 1 + timeoutSeconds: 10 + periodSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + readiness: + timeoutSeconds: 10 + periodSeconds: 15 + failureThreshold: 3 + successThreshold: 1 + + +###################################### +## @section ecsInventory Parameters ## +###################################### + +ecsInventory: + + ## @param ecsInventory.quiet Determine whether or not to log the inventory report to stdout + ## + quiet: false + + ## @param ecsInventory.output The output format of the report (options: table, json) + ## + output: "json" + + ## @param ecsInventory.logLevel the level of verbosity for logs + ## + logLevel: "info" + + ## @param ecsInventory.logFile location to write the log file (default is not to have a log file) + ## + logFile: "" + + ## @param ecsInventory.pollingIntervalSeconds The polling interval of the ECS API in seconds + ## + pollingIntervalSeconds: 60 + + ## @param ecsInventory.anchoreUrl the url of the anchore platform + ## + anchoreUrl: "http://localhost:8228" + + ## @param ecsInventory.anchoreAccount the account of the anchore platform + ## + anchoreAccount: "admin" + + ## @param ecsInventory.anchoreUser the username of the anchore platform + ## + anchoreUser: "admin" + + ## @param ecsInventory.anchorePassword the password of the anchore platform + ## + anchorePassword: "foobar" + + ## @param ecsInventory.anchoreHttpInsecure whether or not anchore is using ssl/tls + ## + anchoreHttpInsecure: true + + ## @param ecsInventory.anchoreHttpTimeoutSeconds the amount of time in seconds before timing out + ## + anchoreHttpTimeoutSeconds: 10 + + ## @param ecsInventory.awsAccessKeyId the AWS Access Key ID + ## + awsAccessKeyId: "foobar" + + ## @param ecsInventory.awsSecretAccessKey the AWS Secret Access Key + ## + awsSecretAccessKey: "foobar" + + ## @param 
ecsInventory.awsRegion the AWS Region + ## + awsRegion: "us-west-2" From f795f614f3f6285fb754412f49fe228277492fe5 Mon Sep 17 00:00:00 2001 From: Weston Steimel Date: Thu, 6 Apr 2023 21:13:15 +0000 Subject: [PATCH 116/329] feat: updates for vunnel integration (#74) * feat: updates for vunnel integration Signed-off-by: Weston Steimel * chore: bump chart version Signed-off-by: Weston Steimel * feat: allow for config of nvd api key Signed-off-by: Weston Steimel --------- Signed-off-by: Weston Steimel --- .../templates/enterprise_feeds_configmap.yaml | 8 ++++++++ .../anchore-engine/templates/enterprise_feeds_secret.yaml | 3 +++ stable/anchore-engine/values.yaml | 3 +++ 3 files changed, 14 insertions(+) diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index dc2205f6..88034540 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml @@ -167,6 +167,9 @@ data: {{- end }} nvdv2: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled | quote) }} + {{- if eq (.Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled | toString) "true" }} + api_key: ${ANCHORE_NVD_API_KEY} + {{- end }} sles: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.slesDriverEnabled | quote) }} msrc: 
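Review bot: `anchoreHttpInsecure: true` is rendered into the config as `http: insecure: true`, and its description ("whether or not anchore is using ssl/tls") does not match what an `insecure` flag usually controls; if it skips TLS certificate verification (confirm against the ecs-inventory binary), the chart ships with verification disabled even when `anchoreUrl` is `https://`. Default it to `false` and reword the param: `## @param ecsInventory.anchoreHttpInsecure Skip TLS certificate verification for the Anchore API; only set true for self-signed test deployments`. `anchorePassword`, `awsAccessKeyId` and `awsSecretAccessKey` all default to `"foobar"`, which secrets.yaml writes into a real Secret when the user forgets to override them; empty defaults (`""`) make a misconfigured release fail at the first API call instead of running with placeholder credentials. The `image` description ("Image used for all Anchore Enterprise deployments, excluding Anchore UI") was copied from the anchore-engine chart and should describe the ecs-inventory image; `serviceAccountName` should likewise mention that an empty value resolves to the namespace's `default` service account.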
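Review bot: The guard `{{- if eq (.Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled | toString) "true" }}` does not agree with the `default "true"` on the line above: when `nvdv2DriverEnabled` is left unset the driver renders as enabled but the `api_key` line is dropped. Conversely, when it is set, `api_key: ${ANCHORE_NVD_API_KEY}` is emitted even if `nvdDriverApiKey` is null, and the secret hunk in this same patch only defines `ANCHORE_NVD_API_KEY` inside a `with` block, so the config then references an unset variable. PATCH 122 later in this series swaps the condition for `useNvdDriverApiKey`, which settles the first point; the second still depends on the operator keeping the two values in step and deserves a comment next to `api_key`.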
@@ -183,6 +186,11 @@ data: grypedb: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.grypeDriverEnabled | quote) }} external_feeds_url: {{ $grypeProviderFeedsExternalURL }} + preload: + enabled: {{ default true (.Values.anchoreEnterpriseFeeds.grypedbPreloadEnabled) }} + workspace_archive_path: {{ default "/preload/grype-db-workspace.tar.gz" (.Values.anchoreEnterpriseFeeds.grypedbPreloadWorkspaceArchivePath) }} + persist_provider_workspaces: {{ default true (.Values.anchoreEnterpriseFeeds.grypedbPersistProviderWorkspaces) }} + restore_provider_workspaces: {{ default true (.Values.anchoreEnterpriseFeeds.grypedbRestoreProviderWorkspaces) }} anchore_match_exclusions: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.anchoreMatchExclusionsEnabled | quote) }} wolfi: diff --git a/stable/anchore-engine/templates/enterprise_feeds_secret.yaml b/stable/anchore-engine/templates/enterprise_feeds_secret.yaml index 3330fb4c..80a7778c 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_secret.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_secret.yaml @@ -29,6 +29,9 @@ stringData: {{- with .Values.anchoreEnterpriseFeeds.githubDriverToken }} ANCHORE_GITHUB_TOKEN: {{ . | quote }} {{- end }} + {{- with .Values.anchoreEnterpriseFeeds.nvdDriverApiKey }} + ANCHORE_NVD_API_KEY: {{ . | quote }} + {{- end }} {{- if .Values.anchoreEnterpriseFeeds.gemDriverEnabled }} ANCHORE_GEM_DB_NAME: {{ index .Values "anchore-feeds-gem-db" "postgresDatabase" | quote }} ANCHORE_GEM_DB_USER: {{ index .Values "anchore-feeds-gem-db" "postgresUser" | quote }} diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 7cfd1fb8..c53dafb6 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml 
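Review bot: `enabled: {{ default true (.Values.anchoreEnterpriseFeeds.grypedbPreloadEnabled) }}` cannot be turned off: Go templates treat `false` as empty, so `default true false` yields `true`, and the same applies to `persist_provider_workspaces` and `restore_provider_workspaces` here and to `chainguard.enabled` in the PATCH 117 hunk. The neighbouring drivers avoid this with `default "true" (.Values.… | quote)`, because a quoted `"false"` is non-empty; use the same form, e.g. `enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.grypedbPreloadEnabled | quote) }}`, or an explicit `hasKey`/`ternary`. None of the four new `grypedbPreload*`/`grypedb*ProviderWorkspaces` values are added to values.yaml in this patch (its values hunk only adds `nvdDriverApiKey`), so they are undiscoverable; add them with comments next to the other feed driver settings.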
@@ -823,6 +823,9 @@ anchoreEnterpriseFeeds: # GitHub advisory feeds require a github developer personal access token with no permission scopes selected. githubDriverToken: null + # The NVD API allows for an API key to reduce rate limiting. Request one from https://nvd.nist.gov/developers/request-an-api-key + nvdDriverApiKey: null + # Enable microsoft feeds msrcDriverEnabled: false # Uncomment to add MSRC product IDs for generating their feed data, this extends the pre-defined list of product IDs From 927b4f2e12e1f3872efd135a777fc29f5174581f Mon Sep 17 00:00:00 2001 From: Weston Steimel Date: Fri, 14 Apr 2023 07:59:35 +0100 Subject: [PATCH 117/329] feat: config chainguard vuln provider (#75) * feat: config for chainguard vuln provider Signed-off-by: Weston Steimel * chore: bump chart version Signed-off-by: Weston Steimel --------- Signed-off-by: Weston Steimel --- stable/anchore-engine/templates/enterprise_feeds_configmap.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index 88034540..36fde08a 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml @@ -195,6 +195,8 @@ data: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.anchoreMatchExclusionsEnabled | quote) }} wolfi: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.wolfiDriverEnabled | quote) }} + chainguard: + enabled: {{ default true (.Values.anchoreEnterpriseFeeds.chainguardDriverEnabled) }} {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}" From 38edf40b0e74ef7f83f31dbeb769fe7d6e19715a Mon Sep 17 00:00:00 2001 
From: Weston Steimel Date: Fri, 28 Apr 2023 08:58:31 +0100 Subject: [PATCH 118/329] fix: permanently disable centos provider (#78) The centos provider should no longer be used. Signed-off-by: Weston Steimel --- .../anchore-engine/templates/enterprise_feeds_configmap.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index 36fde08a..e5646034 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml @@ -132,8 +132,8 @@ data: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.amazonDriverEnabled | quote) }} alpine: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.alpineDriverEnabled | quote) }} - centos: - enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.centosDriverEnabled | quote) }} + centos: + enabled: false debian: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.debianDriverEnabled | quote) }} {{- if .Values.anchoreEnterpriseFeeds.debianExtraReleases }} From f8284325c9817ee77be5c48b71e06bf554afccbb Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 10 May 2023 21:57:57 -0700 Subject: [PATCH 119/329] adds support for automatically rescheduling in-progress image Signed-off-by: Brady Todhunter --- stable/anchore-engine/templates/engine_configmap.yaml | 1 + stable/anchore-engine/values.yaml | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index a4314c5f..b746d8d9 100644 --- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml 
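Review bot: `enabled: false` is now hard-coded, so an `anchoreEnterpriseFeeds.centosDriverEnabled` value — the removed line read it, and it is presumably still declared in values.yaml, which this patch does not touch — is silently ignored. Remove or deprecate that value in values.yaml and the README in the same change, and leave a comment above `centos:` such as `# the centos provider is permanently disabled; the former centosDriverEnabled value has no effect`, so nobody reads the remaining value as a way to re-enable it.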
@@ -230,6 +230,7 @@ data: {{- end }} runtime_inventory: image_ttl_days: {{ .Values.anchoreCatalog.runtimeInventory.imageTTLDays }} + down_analyzer_task_requeue: {{ .Values.anchoreCatalog.downAnalyzerTaskRequeue }} simplequeue: enabled: true require_auth: true diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index c53dafb6..4d21e0d9 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -603,6 +603,10 @@ anchoreCatalog: # Note: if a runtime inventory image's digest is also in anchore for regular image analysis, it won't be removed. imageTTLDays: 1 + # checks image status and detects that an 'analyzing' state image is being processed by an analyzer that is no + # longer in the 'up' state and will revert the state of the image back to 'not_analyzed' to allow fast re-queueing. + downAnalyzerTaskRequeue: true + # kubernetes service configuration for anchore catalog api service: # Override the service name From 7a055ca635f47fe2383b49485e85dc3f62492b4d Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 10 May 2023 21:58:10 -0700 Subject: [PATCH 120/329] bump chart version Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index ee160a66..8472ec83 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.24.3 +version: 1.25.0 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: From dadfcabbd8e76ced8ded38b473c3f409130c547d Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 10 May 2023 22:00:02 -0700 Subject: [PATCH 121/329] bump anchore images to v4.7.0 
Signed-off-by: Brady Todhunter --- stable/anchore-engine/README.md | 4 ++++ stable/anchore-engine/values.yaml | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 08630ebd..b3ca7106 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -181,6 +181,10 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. +## Chart version 1.25.0 + +* Anchore Enterprise image updated to v4.7.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/470/) + ## Chart version 1.24.0 * Anchore Enterprise image updated to v4.6.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/460/) diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 4d21e0d9..47f75dc5 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -746,7 +746,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.6.0 + image: docker.io/anchore/enterprise:v4.7.0 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. 
@@ -1110,7 +1110,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v4.6.0 + image: docker.io/anchore/enterprise-ui:v4.7.0 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers. From b48c4bd1ecd0b38407f8314cc309778774716555 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 10 May 2023 22:27:45 -0700 Subject: [PATCH 122/329] add nvd2 api key config to values file, clean up readme for existing secrets Signed-off-by: Brady Todhunter --- stable/anchore-engine/README.md | 8 +++++--- .../templates/enterprise_feeds_configmap.yaml | 2 +- stable/anchore-engine/values.yaml | 8 +------- 3 files changed, 7 insertions(+), 11 deletions(-) diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index b3ca7106..df216b01 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -465,7 +465,8 @@ stringData: ANCHORE_ADMIN_PASSWORD: foobar1234 ANCHORE_DB_NAME: anchore ANCHORE_DB_USER: anchoreengine - ANCHORE_DB_HOST: anchore-postgresql:5432 + ANCHORE_DB_HOST: anchore-postgresql + ANCHORE_DB_PORT: 5432 ANCHORE_DB_PASSWORD: anchore-postgres,123 # (if applicable) ANCHORE_SAML_SECRET: foobar,saml1234 
@@ -480,10 +481,11 @@ stringData: ANCHORE_FEEDS_DB_NAME: anchore-feeds ANCHORE_FEEDS_DB_USER: anchoreengine ANCHORE_FEEDS_DB_PASSWORD: anchore-postgres,123 - ANCHORE_FEEDS_DB_HOST: anchore-anchore-feeds-db:5432 + ANCHORE_FEEDS_DB_HOST: anchore-anchore-feeds-db + ANCHORE_FEEDS_DB_PORT: 5432 # (if applicable) ANCHORE_SAML_SECRET: foobar,saml1234 - # (if applicable) ANCHORE_MSRC_KEY: foobar,msrc1234 # (if applicable) ANCHORE_GITHUB_TOKEN: foobar,github1234 + # (if applicable) ANCHORE_NVD_API_KEY: foobar,nvd1234 # (if applicable) ANCHORE_GEM_DB_NAME: anchore-gems # (if applicable) ANCHORE_GEM_DB_USER: anchoregemsuser # (if applicable) ANCHORE_GEM_DB_PASSWORD: foobar1234 diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index e5646034..941c4d13 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml @@ -167,7 +167,7 @@ data: {{- end }} nvdv2: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled | quote) }} - {{- if eq (.Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled | toString) "true" }} + {{- if .Values.anchoreEnterpriseFeeds.useNvdDriverApiKey }} api_key: ${ANCHORE_NVD_API_KEY} {{- end }} sles: diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 47f75dc5..b2cfc7ed 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -828,6 +828,7 @@ anchoreEnterpriseFeeds: githubDriverToken: null # The NVD API allows for an API key to reduce rate limiting. Request one from https://nvd.nist.gov/developers/request-an-api-key + useNvdDriverApiKey: false nvdDriverApiKey: null # Enable microsoft feeds 
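Review bot: The values hunk adds `useNvdDriverApiKey: false` under the NVD comment, but nothing states that when it is true `ANCHORE_NVD_API_KEY` must actually be present — via `nvdDriverApiKey` in the chart-managed secret or inside the secret named by `existingSecretName` — otherwise the configmap hunk emits `api_key: ${ANCHORE_NVD_API_KEY}` pointing at an unset variable. Extend the comment to `# Set useNvdDriverApiKey to true to reference ANCHORE_NVD_API_KEY from the feeds config; supply the key via nvdDriverApiKey or in your existing secret`. The README hunk in this patch documents `ANCHORE_NVD_API_KEY` for the existing-secret case, so the two should stay in sync.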
@@ -867,13 +868,6 @@ anchoreEnterpriseFeeds: cycleTimers: driver_sync: 7200 - # Specifies an existing secret to be used for anchore admin and db passwords - # The secret should define the following environment vars: - # ANCHORE_ADMIN_PASSWORD - # ANCHORE_FEEDS_DB_PASSWORD - # ANCHORE_SAML_SECRET (if applicable) - # ANCHORE_GITHUB_TOKEN (if applicable) - # Set the name of your existing secret for Anchore Enterprise Feeds existingSecretName: anchore-enterprise-feeds-env From 87dd47b58cdc72798505ee0ea905937d5cf53fff Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Thu, 11 May 2023 05:49:18 -0400 Subject: [PATCH 123/329] initial k8s-inventory helm chart 
Signed-off-by: Hung Nguyen --- stable/k8s-inventory/.helmignore | 23 ++ stable/k8s-inventory/Chart.yaml | 20 ++ stable/k8s-inventory/README.md | 112 +++++++++ stable/k8s-inventory/templates/NOTES.txt | 6 + stable/k8s-inventory/templates/_helpers.tpl | 70 ++++++ .../templates/cluster-role-binding.yaml | 20 ++ .../templates/cluster-role-readonly.yaml | 16 ++ stable/k8s-inventory/templates/configmap.yaml | 46 ++++ .../k8s-inventory/templates/deployment.yaml | 97 ++++++++ stable/k8s-inventory/templates/secrets.yaml | 17 ++ stable/k8s-inventory/templates/service.yaml | 21 ++ .../templates/serviceaccount.yaml | 17 ++ stable/k8s-inventory/values.yaml | 212 ++++++++++++++++++ 13 files changed, 677 insertions(+) create mode 100644 stable/k8s-inventory/.helmignore create mode 100644 stable/k8s-inventory/Chart.yaml create mode 100644 stable/k8s-inventory/README.md create mode 100644 stable/k8s-inventory/templates/NOTES.txt create mode 100644 stable/k8s-inventory/templates/_helpers.tpl create mode 100644 stable/k8s-inventory/templates/cluster-role-binding.yaml create mode 100644 stable/k8s-inventory/templates/cluster-role-readonly.yaml create mode 100644 stable/k8s-inventory/templates/configmap.yaml create mode 100644 stable/k8s-inventory/templates/deployment.yaml create mode 100644 stable/k8s-inventory/templates/secrets.yaml create mode 100644 stable/k8s-inventory/templates/service.yaml create mode 100644 stable/k8s-inventory/templates/serviceaccount.yaml create mode 100644 stable/k8s-inventory/values.yaml diff --git a/stable/k8s-inventory/.helmignore b/stable/k8s-inventory/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/stable/k8s-inventory/.helmignore 
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/stable/k8s-inventory/Chart.yaml b/stable/k8s-inventory/Chart.yaml new file mode 100644 index 00000000..79e4fffe --- /dev/null +++ b/stable/k8s-inventory/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +name: k8s-inventory +version: 0.0.1 +appVersion: "1.0.0" +description: A Helm chart for Kubernetes Automated Inventory, which describes which images are in use in a given Kubernetes Cluster +keywords: + - analysis + - docker + - anchore + - image + - inventory + - security + - scanner +home: https://anchore.com +maintainers: + - name: btodhunter + email: bradyt@anchore.com + - name: hn23 + email: hung.nguyen@anchore.com +icon: https://anchoreprd.wpengine.com/wp-content/uploads/2021/12/favicon.png diff --git a/stable/k8s-inventory/README.md b/stable/k8s-inventory/README.md new file mode 100644 index 00000000..90f541c1 --- /dev/null +++ b/stable/k8s-inventory/README.md 
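Review bot: `appVersion: "1.0.0"` in Chart.yaml does not match the application image the chart deploys: the README hunk that follows documents `image.tag` as `v1.0.0-alpha.2`, so `helm ls` and any `app.kubernetes.io/version` label (if the chart's label helper uses `.Chart.AppVersion`) would report a version that is not what runs. Set `appVersion` to the tag actually used, or change the values default to agree. A `sources:` entry pointing at the k8s-inventory repository would also help, since the README already links to it.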
@@ -0,0 +1,112 @@ +# K8s Inventory Helm Chart +K8s Inventory is the foundation of Anchore Enterprise's Runtime Inventory feature. Running K8s Inventory via Helm is a great way to retrieve your Kubernetes Image inventory without providing Cluster Credentials to Anchore. The minimum version of the Anchore Enterprise platform required for K8s Inventory is 4.7. + +K8s Inventory runs as a read-only service account in the cluster it's deployed to. + +In order to report the inventory to Anchore, K8s Inventory does require authentication material for your Anchore Enterprise deployment. +K8s Inventory's helm chart automatically creates a kubernetes secret for the Anchore Password based on the values file you use, Ex.: +``` +k8sInventory: + anchore: + password: foobar +``` +It will set the following environment variable based on this: `ANCHORE_K8S_INVENTORY_ANCHORE_PASSWORD=foobar`. + +If you don't want to store your Anchore password in the values file, you can create your own secret to do this: +``` +apiVersion: v1 +kind: Secret +metadata: + name: k8s-inventory-anchore-password +type: Opaque +stringData: + ANCHORE_K8S_INVENTORY_ANCHORE_PASSWORD: foobar +``` +and then provide it to the helm chart via the values file: +``` +useExistingSecret: true +existingSecretName: k8s-inventory-anchore-password +``` +You can install the chart via via: +``` +helm repo add anchore https://charts.anchore.io +helm install -f anchore/k8s-inventory +``` +A basic values file can always be found [here](https://github.com/anchore/anchore-charts/tree/master/stable/k8s-inventory/values.yaml) + +The key configurations are in the k8sInventory.anchore section. K8s Inventory must be able to resolve the Anchore URL and requires API credentials. 
+ +Note: the Anchore API Password can be provided via a kubernetes secret, or injected into the environment of the K8s Inventory container +* For injecting the environment variable, see: injectSecretsViaEnv +* For providing your own secret for the Anchore API Password, see: useExistingSecret. K8s Inventory creates it's own secret based on your values.yaml file for key k8sInventory.anchore.password, but the k8sInventory.useExistingSecret key allows you to create your own secret and provide it in the values file. + +See the [K8s Inventory repo](https://github.com/anchore/k8s-inventory) for more information about the K8s Inventory specific configuration + +## Parameters + +### Common Resource Parameters + +| Name | Description | Value | +| ------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | ----------------------- | +| `replicaCount` | Number of replicas for the K8s Inventory deployment | `1` | +| `image.repository` | Image used for the K8s Inventory deployment | `anchore/k8s-inventory` | +| `image.pullPolicy` | Image pull policy used by the K8s Inventory deployment | `Always` | +| `image.tag` | Image tag used for the K8s Inventory deployment | `v1.0.0-alpha.2` | +| `imagePullSecrets` | secrets where Kubernetes should get the credentials for pulling private images | `[]` | +| `nameOverride` | overrides the name set on resources | `""` | +| `fullnameOverride` | overrides the fullname set on resources | `""` | +| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | +| `serviceAccount.create` | Create a service account for k8s-inventory to use | `true` | +| `serviceAccount.annotations` | Annotations to add to the service account | `{}` | +| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. 
| `k8s-inventory` | +| `podAnnotations` | Annotations set on all pods | `{}` | +| `annotations` | Common annotations set on all Kubernetes resources | `{}` | +| `podSecurityContext` | Security context set on all pods | `{}` | +| `securityContext` | Security context set on all containers | `{}` | +| `service.type` | Service type for K8s Inventory | `ClusterIP` | +| `service.port` | Service port for K8s Inventory | `80` | +| `resources` | Resource requests and limits for K8s Inventory pods | `{}` | +| `nodeSelector` | Node labels for K8s Inventory pods assignment | `{}` | +| `tolerations` | Tolerations for K8s Inventory pods assignment | `[]` | +| `affinity` | Affinity for K8s Inventory pods assignment | `{}` | +| `labels` | Adds additionnal labels to all kubernetes resources | `{}` | +| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `1` | +| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | +| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `5` | +| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | +| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | +| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | +| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `15` | +| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | +| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | +| `useExistingSecret` | Specify whether to use an existing secret | `false` | +| `existingSecretName` | if using an existing secret, specify the existing secret name | `""` | + +### k8sInventory Parameters ## + +| Name | Description | Value | +| ----------------------------------------------- | 
----------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | +| `k8sInventory.output` | The output format of the report (options: table, json) | `json` | +| `k8sInventory.quiet` | Determine whether or not to log the inventory report to stdout | `false` | +| `k8sInventory.verboseInventoryReports` | Determine whether or not to log the inventory report to stdout | `false` | +| `k8sInventory.log.structured` | Determine whether or not to use structured logs | `false` | +| `k8sInventory.log.level` | the level of verbosity for logs | `debug` | +| `k8sInventory.log.file` | location to write the log file (default is not to have a log file) | `""` | +| `k8sInventory.kubeconfig.path` | Path should not be changed | `use-in-cluster` | +| `k8sInventory.kubeconfig.cluster` | Tells Anchore which cluster this inventory is coming from | `docker-desktop` | +| `k8sInventory.namespaceSelectors.include` | Which namespaces to search as explicit strings, not regex; Will search all namespaces if empty array | `[]` | +| `k8sInventory.namespaceSelectors.exclude` | Which namespaces to exclude can use explicit strings and/or regexes. | `[]` | +| `k8sInventory.mode` | Can be one of adhoc, periodic (defaults to adhoc) | `periodic` | +| `k8sInventory.pollingIntervalSeconds` | Only respected if mode is periodic | `60` | +| `k8sInventory.kubernetes.requestTimeoutSeconds` | Sets the request timeout for kubernetes API requests | `60` | +| `k8sInventory.kubernetes.requestBatchSize` | Sets the number of objects to iteratively return when listing resources | `100` | +| `k8sInventory.kubernetes.workerPoolSize` | Worker pool size for collecting pods from namespaces. Adjust this if the api-server gets overwhelmed | `100` | +| `k8sInventory.missingTagPolicy.policy` | One of the following options [digest, insert, drop]. Default is 'digest' | `digest` | +| `k8sInventory.missingTagPolicy.tag` | Dummy tag to use. 
Only applicable if policy is 'insert'. Defaults to UNKNOWN | `UNKNOWN` | +| `k8sInventory.ignoreNotRunning` | Ignore images out of pods that are not in a Running state | `true` | +| `k8sInventory.anchore.url` | the url of the anchore platform | `http://localhost:8228` | +| `k8sInventory.anchore.user` | the username of the anchore platform. The user specified must be an admin user or have full-control, or read-write RBAC permissions | `admin` | +| `k8sInventory.anchore.password` | the password of the anchore platform | `foobar` | +| `k8sInventory.anchore.account` | the account to send data to | `admin` | +| `k8sInventory.anchore.http.insecure` | whether or not anchore is using ssl/tls | `true` | +| `k8sInventory.anchore.http.timeoutSeconds` | the amount of time in seconds before timing out | `10` | diff --git a/stable/k8s-inventory/templates/NOTES.txt b/stable/k8s-inventory/templates/NOTES.txt new file mode 100644 index 00000000..58271b4d --- /dev/null +++ b/stable/k8s-inventory/templates/NOTES.txt @@ -0,0 +1,6 @@ +K8s Inventory is a tool to gather an inventory of images in use in your cluster and ship them to the Anchore platform. +K8s Inventory must be able to resolve the Anchore URL and requires API credentials. + +For more info see: https://github.com/anchore/k8s-inventory + +K8s Inventory is now installed. \ No newline at end of file diff --git a/stable/k8s-inventory/templates/_helpers.tpl b/stable/k8s-inventory/templates/_helpers.tpl new file mode 100644 index 00000000..b048ac64 --- /dev/null +++ b/stable/k8s-inventory/templates/_helpers.tpl 
@@ -0,0 +1,70 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "k8sInventory.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "k8sInventory.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "k8sInventory.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "k8sInventory.labels" -}}
+helm.sh/chart: {{ include "k8sInventory.chart" . }}
+{{ include "k8sInventory.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.labels }}
+{{ toYaml . }}
+{{- end }}
+app: {{ include "k8sInventory.fullname" . }}
+release: {{ .Release.Name }}
+heritage: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "k8sInventory.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "k8sInventory.name" .
}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "k8sInventory.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "k8sInventory.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
diff --git a/stable/k8s-inventory/templates/cluster-role-binding.yaml b/stable/k8s-inventory/templates/cluster-role-binding.yaml
new file mode 100644
index 00000000..533bbc59
--- /dev/null
+++ b/stable/k8s-inventory/templates/cluster-role-binding.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "k8sInventory.fullname" . }}-read-only-binding
+ {{- if .Values.annotations }}
+ annotations:
+ {{- with .Values.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ labels:
+ {{- include "k8sInventory.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "k8sInventory.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ include "k8sInventory.fullname" . }}-read-only
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/stable/k8s-inventory/templates/cluster-role-readonly.yaml b/stable/k8s-inventory/templates/cluster-role-readonly.yaml
new file mode 100644
index 00000000..2559a844
--- /dev/null
+++ b/stable/k8s-inventory/templates/cluster-role-readonly.yaml
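Review bot: In `k8sInventory.labels` the legacy `chart:` label is emitted only inside the `{{- if .Chart.AppVersion }}` branch, so a chart without `appVersion` renders `helm.sh/chart` but no `chart` label, while the other legacy labels `app`, `release` and `heritage` are always emitted. Moving `chart: {{ .Chart.Name }}-{{ .Chart.Version }}` below the conditional keeps the legacy label set consistent. A short template comment above `app:` such as `{{/* legacy labels kept alongside app.kubernetes.io/* for older selectors */}}` would explain why both label families are present.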
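Review bot: The `{{- if .Values.annotations }}` wrapper around `{{- with .Values.annotations }}` in `metadata` is redundant, because `with` already skips an empty map; the same double guard is repeated in cluster-role-readonly.yaml, configmap.yaml, deployment.yaml, secrets.yaml and service.yaml. Keeping only the `with` block (`{{- with .Values.annotations }}`, `annotations:`, `{{- toYaml . | nindent 4 }}`, `{{- end }}`) removes two lines per template and one nesting level. The file also ends without a trailing newline, which the diff flags.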
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "k8sInventory.fullname" . }}-read-only
+ {{- if .Values.annotations }}
+ annotations:
+ {{- with .Values.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ labels:
+ {{- include "k8sInventory.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+ resources: ["pods","namespaces", "nodes"]
+ verbs: ["get", "watch", "list"]
\ No newline at end of file
diff --git a/stable/k8s-inventory/templates/configmap.yaml b/stable/k8s-inventory/templates/configmap.yaml
new file mode 100644
index 00000000..3198ca6d
--- /dev/null
+++ b/stable/k8s-inventory/templates/configmap.yaml
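Review bot: The ClusterRole grants cluster-wide `get`/`watch`/`list` on pods, namespaces and nodes without a comment saying why cluster scope is needed; since `namespaceSelectors.include` defaults to an empty list (all namespaces), a note above `rules:` such as `# cluster scope: the inventory lists pods in every namespace unless namespaceSelectors narrows it` records the reason a namespaced Role is insufficient. Whether the collector actually uses `watch` is not visible here; if the binary only lists, dropping that verb narrows the grant. The flow sequences also mix spacing (`["pods","namespaces", "nodes"]`); `["pods", "namespaces", "nodes"]` is the consistent form.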
@@ -0,0 +1,46 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: {{ include "k8sInventory.fullname" . }}
+ {{- if .Values.annotations }}
+ annotations:
+ {{- with .Values.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ labels:
+ {{- include "k8sInventory.labels" . | nindent 4 }}
+data:
+ config.yaml: |
+ verbose-inventory-reports: {{ .Values.k8sInventory.verboseInventoryReports | quote }}
+ kubeconfig:
+ path: {{ .Values.k8sInventory.kubeconfig.path }}
+ cluster: {{ .Values.k8sInventory.kubeconfig.cluster }}
+ output: {{ .Values.k8sInventory.output }}
+ quiet: {{ .Values.k8sInventory.quiet }}
+ log:
+ structured: {{ .Values.k8sInventory.log.structured }}
+ level: {{ .Values.k8sInventory.log.level }}
+ file: {{ .Values.k8sInventory.log.file }}
+ namespaces:
+ {{- toYaml .Values.k8sInventory.namespaces | nindent 6 }}
+ namespace-selectors:
+ {{- toYaml .Values.k8sInventory.namespaceSelectors | nindent 6 }}
+ mode: {{ .Values.k8sInventory.mode }}
+ polling-interval-seconds: {{ .Values.k8sInventory.pollingIntervalSeconds }}
+ kubernetes-request-timeout-seconds: {{ .Values.k8sInventory.kubernetesRequestTimeoutSeconds }}
+ kubernetes:
+ request-timeout-seconds: {{ .Values.k8sInventory.kubernetes.requestTimeoutSeconds }}
+ request-batch-size: {{ .Values.k8sInventory.kubernetes.requestBatchSize }}
+ worker-pool-size: {{ .Values.k8sInventory.kubernetes.workerPoolSize }}
+ ignore-not-running: {{ .Values.k8sInventory.ignoreNotRunning }}
+ missing-tag-policy:
+ {{- toYaml .Values.k8sInventory.missingTagPolicy | nindent 6 }}
+ anchore:
+ url: {{ .Values.k8sInventory.anchore.url }}
+ user: {{ .Values.k8sInventory.anchore.user }}
+ password: $ANCHORE_K8S_INVENTORY_ANCHORE_PASSWORD
+ account: {{ .Values.k8sInventory.anchore.account }}
+ http:
+ insecure: {{ .Values.k8sInventory.anchore.http.insecure }}
+ timeout-seconds: {{ .Values.k8sInventory.anchore.http.timeoutSeconds }}
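Review bot: `namespaces:` and `kubernetes-request-timeout-seconds:` read `.Values.k8sInventory.namespaces` and `.Values.k8sInventory.kubernetesRequestTimeoutSeconds`, neither of which is defined in the values.yaml this commit adds, so they render as `null` and as an empty value; either add those keys to values.yaml or drop the two lines, since `namespace-selectors` and `kubernetes.request-timeout-seconds` already carry the same settings. String values such as `url`, `user`, `account`, `cluster` and `log.file` are interpolated unquoted, so the default `file: ""` renders as `file:` (null) and any value containing `: ` or ` #` corrupts the embedded YAML; `{{ .Values.k8sInventory.log.file | quote }}` and the same `| quote` on the other string fields is the usual fix. `verbose-inventory-reports` is the only boolean passed through `| quote`, which turns it into the string `"false"` while `quiet` and `log.structured` stay booleans; presumably unintended, worth checking against the config parser.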
diff --git a/stable/k8s-inventory/templates/deployment.yaml b/stable/k8s-inventory/templates/deployment.yaml
new file mode 100644
index 00000000..bed2a5e4
--- /dev/null
+++ b/stable/k8s-inventory/templates/deployment.yaml
@@ -0,0 +1,97 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "k8sInventory.fullname" . }}
+ {{- if .Values.annotations }}
+ annotations:
+ {{- with .Values.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ labels:
+ {{- include "k8sInventory.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "k8sInventory.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ annotations:
+ {{- with .Values.annotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.podAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if not .Values.useExistingSecrets }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ labels:
+ {{- include "k8sInventory.labels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "k8sInventory.serviceAccountName" .
}}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command: ["anchore-k8s-inventory"]
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ livenessProbe:
+ exec:
+ command:
+ - anchore-k8s-inventory
+ - version
+ initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
+ timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }}
+ periodSeconds: {{ .Values.probes.liveness.periodSeconds }}
+ failureThreshold: {{ .Values.probes.liveness.failureThreshold }}
+ successThreshold: {{ .Values.probes.liveness.successThreshold }}
+ readinessProbe:
+ exec:
+ command:
+ - anchore-k8s-inventory
+ - version
+ timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }}
+ periodSeconds: {{ .Values.probes.readiness.periodSeconds }}
+ failureThreshold: {{ .Values.probes.readiness.failureThreshold }}
+ successThreshold: {{ .Values.probes.readiness.successThreshold }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/xdg/anchore-k8s-inventory/config.yaml
+ subPath: config.yaml
+ envFrom:
+ {{- if not .Values.injectSecretsViaEnv }}
+ - secretRef:
+ name: {{ default (include "k8sInventory.fullname" .) .Values.existingSecretName }}
+ {{- end }}
+ volumes:
+ - name: config-volume
+ configMap:
+ name: {{ include "k8sInventory.fullname" . }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
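Review bot: The `checksum/secrets` guard tests `.Values.useExistingSecrets`, but the values.yaml added in this commit defines `useExistingSecret` (singular) and the README documents that name, so the condition is always true and the secret checksum is computed even when a user-supplied secret is configured; the same misspelling gates the whole object in secrets.yaml, which is therefore always rendered with the chart's default password. Both should read `{{- if not .Values.useExistingSecret }}`. Separately, the container declares `containerPort: 80` and service.yaml fronts it, yet both probes are `exec` calls to `anchore-k8s-inventory version`; if the binary does not actually serve HTTP (not visible here), the port and Service are dead configuration and a comment or removal would avoid confusion.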
diff --git a/stable/k8s-inventory/templates/secrets.yaml b/stable/k8s-inventory/templates/secrets.yaml
new file mode 100644
index 00000000..c4c90896
--- /dev/null
+++ b/stable/k8s-inventory/templates/secrets.yaml
@@ -0,0 +1,17 @@
+{{- if not .Values.useExistingSecrets }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "k8sInventory.fullname" . }}
+ {{- if .Values.annotations }}
+ annotations:
+ {{- with .Values.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ labels:
+ {{- include "k8sInventory.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+ ANCHORE_K8S_INVENTORY_ANCHORE_PASSWORD: {{ .Values.k8sInventory.anchore.password }}
+{{- end }}
diff --git a/stable/k8s-inventory/templates/service.yaml b/stable/k8s-inventory/templates/service.yaml
new file mode 100644
index 00000000..a2e4bc47
--- /dev/null
+++ b/stable/k8s-inventory/templates/service.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "k8sInventory.fullname" . }}
+ {{- if .Values.annotations }}
+ annotations:
+ {{- with .Values.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+ labels:
+ {{- include "k8sInventory.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "k8sInventory.selectorLabels" . | nindent 4 }}
diff --git a/stable/k8s-inventory/templates/serviceaccount.yaml b/stable/k8s-inventory/templates/serviceaccount.yaml
new file mode 100644
index 00000000..fc424607
--- /dev/null
+++ b/stable/k8s-inventory/templates/serviceaccount.yaml
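Review bot: `ANCHORE_K8S_INVENTORY_ANCHORE_PASSWORD: {{ .Values.k8sInventory.anchore.password }}` interpolates the password unquoted, so a value that starts with a YAML indicator, contains `: ` or ` #`, or looks like a number or boolean is mangled or fails to render; use `{{ .Values.k8sInventory.anchore.password | quote }}`. The Secret is also emitted regardless of `injectSecretsViaEnv`, so when credentials are injected from an external source the chart still writes the values.yaml password (default `foobar`) into a Secret that no pod references; gating on `{{- if and (not .Values.useExistingSecret) (not .Values.injectSecretsViaEnv) }}` avoids leaving an unused credential object in the namespace. The `useExistingSecrets` spelling on the first line is the same key mismatch raised on deployment.yaml.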
@@ -0,0 +1,17 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "k8sInventory.serviceAccountName" . }}
+ labels:
+ {{- include "k8sInventory.labels" . | nindent 4 }}
+ {{- if or (.Values.annotations) (.Values.serviceAccount.annotations)}}
+ annotations:
+ {{- with .Values.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.serviceAccount.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end -}}
+{{- end }}
diff --git a/stable/k8s-inventory/values.yaml b/stable/k8s-inventory/values.yaml
new file mode 100644
index 00000000..df2769f8
--- /dev/null
+++ b/stable/k8s-inventory/values.yaml
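Review bot: `{{- if or (.Values.annotations) (.Values.serviceAccount.annotations)}}` lacks the space before `}}` that every other action in this chart has, and the `{{- end -}}` closing it trims whitespace on both sides while the other templates use a plain `{{- end }}`; `{{- if or .Values.annotations .Values.serviceAccount.annotations }}` with a plain `{{- end }}` matches the rest of the chart. Note also that with `serviceAccount.create: false` the `k8sInventory.serviceAccountName` helper falls back to `serviceAccount.name`, which values.yaml sets to `"k8s-inventory"` rather than leaving empty, so an existing account of that name is assumed instead of `default`; a comment on `serviceAccount.name` in values.yaml spelling this out would help operators who bring their own account.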
@@ -0,0 +1,212 @@
+###################################################
+## @section Common Resource Parameters
+## Common params used by all K8s Inventory resources
+###################################################
+
+## @param replicaCount Number of replicas for the K8s Inventory deployment
+##
+replicaCount: 1
+
+## @param image.pullPolicy Image pull policy used by the K8s Inventory deployment
+## @param image.repository Image used for the K8s Inventory deployment
+## @param image.tag Image tag used for the K8s Inventory deployment
+##
+image:
+ pullPolicy: Always
+ repository: anchore/k8s-inventory
+ tag: "v1.0.0"
+
+## @param imagePullSecrets secrets where Kubernetes should get the credentials for pulling private images
+##
+imagePullSecrets: []
+
+## @param nameOverride overrides the name set on resources
+##
+nameOverride: ""
+
+## @param fullnameOverride overrides the fullname set on resources
+##
+fullnameOverride: ""
+
+## @param injectSecretsViaEnv Enable secret injection into pod via environment variables instead of via k8s secrets
+## Useful for injecting secrets directly into k8s pods from Hashicorp vault
+##
+injectSecretsViaEnv: false
+
+## @param serviceAccount.create Create a service account for k8s-inventory to use
+## @param serviceAccount.annotations Annotations to add to the service account
+## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated using the fullname template.
+##
+serviceAccount:
+ create: true
+ annotations: {}
+ name: "k8s-inventory"
+
+## @param podAnnotations Annotations set on all pods
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+##
+podAnnotations: {}
+
+## @param annotations Common annotations set on all Kubernetes resources
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+##
+annotations: {}
+
+## @param podSecurityContext Security context set on all pods
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+##
+podSecurityContext: {}
+ # fsGroup: 2000
+
+## @param securityContext Security context set on all containers
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+##
+securityContext: {}
+
+## @param service.type Service type for K8s Inventory
+## @param service.port Service port for K8s Inventory
+service:
+ type: ClusterIP
+ port: 80
+
+## @param resources Resource requests and limits for K8s Inventory pods
+##
+resources: {}
+
+## @param nodeSelector Node labels for K8s Inventory pods assignment
+##
+nodeSelector: {}
+
+## @param tolerations Tolerations for K8s Inventory pods assignment
+##
+tolerations: []
+
+## @param affinity Affinity for K8s Inventory pods assignment
+##
+affinity: {}
+
+## @param labels Adds additionnal labels to all kubernetes resources
+##
+labels: {}
+
+## @param probes.liveness.initialDelaySeconds Initial delay seconds for liveness probe
+## @param probes.liveness.timeoutSeconds Timeout seconds for liveness probe
+## @param probes.liveness.periodSeconds Period seconds for liveness probe
+## @param probes.liveness.failureThreshold Failure threshold for liveness probe
+## @param probes.liveness.successThreshold Success threshold for liveness probe
+## @param probes.readiness.timeoutSeconds Timeout seconds for the readiness probe
+## @param
probes.readiness.periodSeconds Period seconds for the readiness probe
+## @param probes.readiness.failureThreshold Failure threshold for the readiness probe
+## @param probes.readiness.successThreshold Success threshold for the readiness probe
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
+##
+probes:
+ liveness:
+ initialDelaySeconds: 1
+ timeoutSeconds: 10
+ periodSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ readiness:
+ timeoutSeconds: 10
+ periodSeconds: 15
+ failureThreshold: 3
+ successThreshold: 1
+
+## @param useExistingSecret Specify whether to use an existing secret
+##
+useExistingSecret: false
+
+## @param existingSecretName if using an existing secret, specify the existing secret name
+##
+existingSecretName: ""
+
+######################################
+## @section k8sInventory Parameters ##
+######################################
+
+k8sInventory:
+
+ ## @param k8sInventory.output The output format of the report (options: table, json)
+ ##
+ output: "json"
+
+ ## @param k8sInventory.quiet Determine whether or not to log the inventory report to stdout
+ ##
+ quiet: false
+
+ ## @param k8sInventory.verboseInventoryReports Determine whether or not to log the inventory report to stdout
+ ##
+ verboseInventoryReports: false
+
+ ## @param k8sInventory.log.structured Determine whether or not to use structured logs
+ ## @param k8sInventory.log.level the level of verbosity for logs
+ ## @param k8sInventory.log.file location to write the log file (default is not to have a log file)
+ ##
+ log:
+ structured: false
+ level: "debug"
+ file: ""
+
+ ## @param k8sInventory.kubeconfig.path Path should not be changed
+ ## @param k8sInventory.kubeconfig.cluster Tells Anchore which cluster this inventory is coming from
+ ##
+ kubeconfig:
+ path: use-in-cluster
+ cluster: docker-desktop
+
+ ## @param k8sInventory.namespaceSelectors.include Which namespaces to search as explicit strings,
not regex; Will search all namespaces if empty array
+ ## @param k8sInventory.namespaceSelectors.exclude Which namespaces to exclude can use explicit strings and/or regexes.
+ ##
+ namespaceSelectors:
+ include: []
+ exclude: []
+
+ ## @param k8sInventory.mode Can be one of adhoc, periodic (defaults to adhoc)
+ ##
+ mode: periodic
+
+ ## @param k8sInventory.pollingIntervalSeconds Only respected if mode is periodic
+ ##
+ pollingIntervalSeconds: 60
+
+ ### k8sInventory.kubernetes Kubernetes API configuration parameters (should not need tuning)
+ ## @param k8sInventory.kubernetes.requestTimeoutSeconds Sets the request timeout for kubernetes API requests
+ ## @param k8sInventory.kubernetes.requestBatchSize Sets the number of objects to iteratively return when listing resources
+ ## @param k8sInventory.kubernetes.workerPoolSize Worker pool size for collecting pods from namespaces. Adjust this if the api-server gets overwhelmed
+ #
+ kubernetes:
+ requestTimeoutSeconds: 60
+ requestBatchSize: 100
+ workerPoolSize: 100
+
+ ### k8sInventory.missingTagPolicy Handle cases where a tag is missing. For example - images designated by digest
+ ## @param k8sInventory.missingTagPolicy.policy One of the following options [digest, insert, drop]. Default is 'digest'
+ ### [digest] will use the image's digest as a dummy tag.
+ ### [insert] will insert a default tag in as a dummy tag. The dummy tag is
+ ### [drop] will drop images that do not have tags associated with them. Not recommended.
+ ## @param k8sInventory.missingTagPolicy.tag Dummy tag to use. Only applicable if policy is 'insert'. Defaults to UNKNOWN
+ ##
+ missingTagPolicy:
+ policy: digest
+ tag: UNKNOWN
+
+ ## @param k8sInventory.ignoreNotRunning Ignore images out of pods that are not in a Running state
+ ##
+ ignoreNotRunning: true
+
+ ## @param k8sInventory.anchore.url the url of the anchore platform
+ ## @param k8sInventory.anchore.user the username of the anchore platform.
The user specified must be an admin user or have full-control, or read-write RBAC permissions
+ ## @param k8sInventory.anchore.password the password of the anchore platform
+ ## @param k8sInventory.anchore.account the account to send data to
+ ## @param k8sInventory.anchore.http.insecure whether or not anchore is using ssl/tls
+ ## @param k8sInventory.anchore.http.timeoutSeconds the amount of time in seconds before timing out
+ ##
+ anchore:
+ url: "http://localhost:8228"
+ user: "admin"
+ password: "foobar"
+ account: "admin"
+ http:
+ insecure: true
+ timeoutSeconds: 10
From 753a98de5695ea90a46bfdd139d1dade9a2fea8e Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Thu, 11 May 2023 09:03:56 -0400 Subject: [PATCH 124/329] update README for k8s inv. Signed-off-by: Hung Nguyen --- stable/k8s-inventory/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/stable/k8s-inventory/README.md b/stable/k8s-inventory/README.md
index 90f541c1..06953983 100644
--- a/stable/k8s-inventory/README.md
+++ b/stable/k8s-inventory/README.md
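Review bot: `k8sInventory.anchore.http.insecure` defaults to `true` and `k8sInventory.anchore.password` ships as `"foobar"`, but neither `@param` line says so, and the description of `insecure` (`whether or not anchore is using ssl/tls`) does not state what `true` does; if it disables certificate verification, as the name suggests but the page does not confirm, the default deserves an explicit note such as `## @param k8sInventory.anchore.http.insecure Skip TLS certificate verification for the Anchore URL (default true; set to false outside local testing)`. The comment `### [insert] will insert a default tag in as a dummy tag. The dummy tag is` ends mid-sentence, and the `kubernetes` block closes its comment with a lone `#` where its neighbours use `##`. The `useExistingSecret` key defined here is spelled `useExistingSecrets` in deployment.yaml and secrets.yaml, so whichever spelling is kept needs to be used in all three files.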
@@ -49,9 +49,9 @@ See the [K8s Inventory repo](https://github.com/anchore/k8s-inventory) for more | Name | Description | Value | | ------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | ----------------------- | | `replicaCount` | Number of replicas for the K8s Inventory deployment | `1` | -| `image.repository` | Image used for the K8s Inventory deployment | `anchore/k8s-inventory` | | `image.pullPolicy` | Image pull policy used by the K8s Inventory deployment | `Always` | -| `image.tag` | Image tag used for the K8s Inventory deployment | `v1.0.0-alpha.2` | +| `image.repository` | Image used for the K8s Inventory deployment | `anchore/k8s-inventory` | +| `image.tag` | Image tag used for the K8s Inventory deployment | `v1.0.0` | | `imagePullSecrets` | secrets where Kubernetes should get the credentials for pulling private images | `[]` | | `nameOverride` | overrides the name set on resources | `""` | | `fullnameOverride` | overrides the fullname set on resources | `""` | From e0e6eb6715cee53951cd0a3f52c01fd0e6bab4d8 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Tue, 23 May 2023 22:57:46 -0700 Subject: [PATCH 125/329] update enterprise image to v4.7.1 Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 8472ec83..e4280eb4 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.25.0 +version: 1.25.1 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index b2cfc7ed..2f55c21b 100644 --- a/stable/anchore-engine/values.yaml 
+++ b/stable/anchore-engine/values.yaml @@ -746,7 +746,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.7.0 + image: docker.io/anchore/enterprise:v4.7.1 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. From 40d7e9dc740773cb0bfe615813a8c3775c8cdcc0 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 7 Jun 2023 15:08:17 -0700 Subject: [PATCH 126/329] add option to disable /query/images_by_vulnerability API Signed-off-by: Brady Todhunter --- stable/anchore-engine/templates/engine_configmap.yaml | 2 ++ stable/anchore-engine/values.yaml | 3 +++ 2 files changed, 5 insertions(+) diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index b746d8d9..7c3d95f0 100644 --- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml @@ -178,6 +178,7 @@ data: ssl_key: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretKeyName }}" {{- end }} enable_owned_package_filtering: {{ .Values.anchoreAnalyzer.enableOwnedPackageFiltering }} + keep_image_analysis_tmpfiles: {{ default false .Values.anchoreAnalyzer.keepImageAnalysisTmpfiles }} catalog: enabled: true require_auth: true @@ -255,6 +256,7 @@ data: cycle_timers: {{- toYaml .Values.anchorePolicyEngine.cycleTimers | nindent 10 }} enable_package_db_load: {{ .Values.anchorePolicyEngine.enablePackageDbLoad }} + enable_images_by_vulnerability_api: {{ .Values.anchorePolicyEngine.enableImagesByVulnerabilityAPI }} vulnerabilities: provider: grype sync: diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 2f55c21b..9a6fd7ef 100644 
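Review bot: `keep_image_analysis_tmpfiles: {{ default false .Values.anchoreAnalyzer.keepImageAnalysisTmpfiles }}` introduces a value that the accompanying values.yaml hunk does not add or document (it only adds `enableImagesByVulnerabilityAPI`) and that the commit message does not mention; add `keepImageAnalysisTmpfiles: false` with a comment under `anchoreAnalyzer` or drop the line. The second hunk's `enable_images_by_vulnerability_api: {{ .Values.anchorePolicyEngine.enableImagesByVulnerabilityAPI }}` has no `default` guard, so a user values file written before this key existed renders an empty value; `{{ default true .Values.anchorePolicyEngine.enableImagesByVulnerabilityAPI }}` preserves the previous behaviour for such users. The enclosing `data:` block extends beyond both hunks.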
--- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -657,6 +657,9 @@ anchorePolicyEngine: # Reduces significant DB load as a result. enablePackageDbLoad: true + # Reduces load by not requiring a re-scan of every sbom for vulnerabilities after each feed sync + enableImagesByVulnerabilityAPI: true + cacheTTL: 3600 # 1 hour # kubernetes service configuration for anchore policy engine api From 79cca24dab7d56e4d7831f4f193f0e227a63ec98 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 7 Jun 2023 15:08:32 -0700 Subject: [PATCH 127/329] bump image to 4.8.0 and bump chart version Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/README.md | 4 ++++ stable/anchore-engine/values.yaml | 4 ++-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index e4280eb4..2f37e3b9 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.25.1 +version: 1.26.0 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index df216b01..48f5e294 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md 
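Review bot: The comment above `enableImagesByVulnerabilityAPI: true` describes the effect of turning the API off (`Reduces load by not requiring a re-scan…`) while the default enables it, so a reader may infer that `true` is the load-reducing setting; rewording it as `# Set to false to disable the /query/images_by_vulnerability API, which avoids re-scanning every SBOM for vulnerabilities after each feed sync` matches the commit's stated intent. The surrounding `anchorePolicyEngine` mapping continues outside the hunk.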
@@ -181,6 +181,10 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. +# Chart version 1.26.0 + +* Anchore Enterprise image updated to v4.8.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/480/) + ## Chart version 1.25.0 * Anchore Enterprise image updated to v4.7.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/470/) diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 9a6fd7ef..ad43707f 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -749,7 +749,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.7.1 + image: docker.io/anchore/enterprise:v4.8.0 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. @@ -1107,7 +1107,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v4.7.0 + image: docker.io/anchore/enterprise-ui:v4.8.0 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers. From 9da411471389c56ec13d6d416518e8f7df4699c3 Mon Sep 17 00:00:00 2001 
From: Hung Nguyen Date: Thu, 15 Jun 2023 19:42:57 -0400 Subject: [PATCH 128/329] adding upgrade job via preupgrade hook in helm Signed-off-by: Hung Nguyen --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/README.md | 4 + .../templates/anchore_upgrade_role.yaml | 41 ++++++ .../anchore_upgrade_rolebinding.yaml | 30 ++++ .../anchore_upgrade_service_account.yaml | 22 +++ .../templates/engine_upgrade_job.yaml | 2 +- .../enterprise_feeds_upgrade_job.yaml | 2 +- .../templates/enterprise_upgrade_job.yaml | 2 +- .../hooks/pre-upgrade/0-db-upgrade.yaml | 130 ++++++++++++++++++ stable/anchore-engine/values.yaml | 4 + 10 files changed, 235 insertions(+), 4 deletions(-) create mode 100644 stable/anchore-engine/templates/anchore_upgrade_role.yaml create mode 100644 stable/anchore-engine/templates/anchore_upgrade_rolebinding.yaml create mode 100644 stable/anchore-engine/templates/anchore_upgrade_service_account.yaml create mode 100644 stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 2f37e3b9..c299ed4f 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.26.0 +version: 1.26.1 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 48f5e294..50b95905 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md 
@@ -181,6 +181,10 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. +# Chart version 1.26.1 + +* Added `.Values.anchoreGlobal.usePreupgradeHook` to enable doing the upgrades using helm's pre-upgrade hook. Doing so requires creating a service account and role with permissions to get/update/patch deployments. See templates/anchore_upgrade_role.yaml for a complete list of roles. This is disabled by default. + # Chart version 1.26.0 * Anchore Enterprise image updated to v4.8.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/480/) diff --git a/stable/anchore-engine/templates/anchore_upgrade_role.yaml b/stable/anchore-engine/templates/anchore_upgrade_role.yaml new file mode 100644 index 00000000..343f4182 --- /dev/null +++ b/stable/anchore-engine/templates/anchore_upgrade_role.yaml 
@@ -0,0 +1,41 @@ +{{- if .Values.anchoreGlobal.usePreupgradeHook -}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "anchore-engine.fullname" . }}-upgrade-role + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "anchore-engine.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- with .Values.anchoreGlobal.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- if .Values.anchoreGlobal.annotations }} + annotations: + {{- with .anchoreGlobal.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +rules: + - apiGroups: + - extensions + - apps + resources: + - deployments + verbs: + - get + - list + - watch + - update + - patch + - apiGroups: + - apps + resources: + - deployments/scale + verbs: + - patch + +{{- end }} \ No newline at end of file diff --git a/stable/anchore-engine/templates/anchore_upgrade_rolebinding.yaml b/stable/anchore-engine/templates/anchore_upgrade_rolebinding.yaml new file mode 100644 index 00000000..9e6e0c05 --- /dev/null +++ b/stable/anchore-engine/templates/anchore_upgrade_rolebinding.yaml 
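Review bot: The first rule in this new Role grants `update` and `patch` on `deployments` themselves, which lets the upgrade service account rewrite the pod template (image, command, mounted secrets) of every Deployment in the namespace, although the only action this account performs is `kubectl scale`, which as far as I can tell needs `get`/`list` on `deployments` plus `patch` on the `deployments/scale` subresource that the second rule already grants — please confirm against the kubectl version used and drop `update`/`patch` from the first rule. The `extensions` API group no longer serves Deployments on any supported Kubernetes release and can be removed from `apiGroups`. Because this role is bound to a token mounted into a hook pod that also runs arbitrary upgrade scripts, keeping it to the scale subresource bounds what a compromised pod could do.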
@@ -0,0 +1,30 @@ +{{- if .Values.anchoreGlobal.usePreupgradeHook -}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "anchore-engine.fullname" . }}-upgrade-role-binding + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "anchore-engine.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- with .Values.anchoreGlobal.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- if .Values.anchoreGlobal.annotations }} + annotations: + {{- with .anchoreGlobal.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "anchore-engine.fullname" . }}-upgrade-role +subjects: + - kind: ServiceAccount + name: {{ template "anchore-engine.fullname" . }}-upgrade-sa + namespace: {{ .Release.Namespace }} +{{- end }} \ No newline at end of file diff --git a/stable/anchore-engine/templates/anchore_upgrade_service_account.yaml b/stable/anchore-engine/templates/anchore_upgrade_service_account.yaml new file mode 100644 index 00000000..281e14b1 --- /dev/null +++ b/stable/anchore-engine/templates/anchore_upgrade_service_account.yaml @@ -0,0 +1,22 @@ +{{- if .Values.anchoreGlobal.usePreupgradeHook -}} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "anchore-engine.fullname" . }}-upgrade-sa + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "anchore-engine.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- with .Values.anchoreGlobal.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- if .Values.anchoreGlobal.annotations }} + annotations: + {{- with .anchoreGlobal.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} \ No newline at end of file 
diff --git a/stable/anchore-engine/templates/engine_upgrade_job.yaml b/stable/anchore-engine/templates/engine_upgrade_job.yaml index ee6cd8ec..e3fbfc8f 100644 --- a/stable/anchore-engine/templates/engine_upgrade_job.yaml +++ b/stable/anchore-engine/templates/engine_upgrade_job.yaml @@ -1,5 +1,5 @@ {{- template "checkUpgradeCompatibility" . }} -{{- if .Values.anchoreEngineUpgradeJob.enabled }} +{{- if and .Values.anchoreEngineUpgradeJob.enabled (not .Values.anchoreGlobal.usePreupgradeHook) }} apiVersion: batch/v1 kind: Job metadata: diff --git a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml index de931964..3d06f6e4 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml @@ -1,5 +1,5 @@ {{- template "checkUpgradeCompatibility" . }} -{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled .Values.anchoreEnterpriseFeedsUpgradeJob.enabled }} +{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled .Values.anchoreEnterpriseFeedsUpgradeJob.enabled (not .Values.anchoreGlobal.usePreupgradeHook) }} apiVersion: batch/v1 kind: Job metadata: diff --git a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml index 76049524..77e7888f 100644 --- a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml @@ -1,5 +1,5 @@ {{- template "checkUpgradeCompatibility" . }} -{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseEngineUpgradeJob.enabled }} +{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseEngineUpgradeJob.enabled (not .Values.anchoreGlobal.usePreupgradeHook) }} apiVersion: batch/v1 kind: Job metadata: 
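Review bot: The new guard in engine_upgrade_job.yaml turns the regular upgrade Job off whenever `usePreupgradeHook` is true, but the hook Job added by this commit only renders when `anchoreEnterpriseGlobal.enabled` is also true, so an engine-only installation that sets the flag ends up with no database upgrade at all and the new pods start against the old schema. Either mirror the hook's condition here, `{{- if and .Values.anchoreEngineUpgradeJob.enabled (not (and .Values.anchoreGlobal.usePreupgradeHook .Values.anchoreEnterpriseGlobal.enabled)) }}`, or make the hook template `fail` when the flag is set without enterprise enabled so the misconfiguration is reported instead of silently skipping the migration. The two enterprise job guards on this line already include the enterprise condition, so only the engine template is affected.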
diff --git a/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml b/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml new file mode 100644 index 00000000..4fa982eb --- /dev/null +++ b/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml 
@@ -0,0 +1,130 @@ +{{- if and .Values.anchoreGlobal.usePreupgradeHook .Values.anchoreEnterpriseGlobal.enabled -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: "{{ .Release.Name }}-pre-upgrade-job" + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + {{- with .Values.anchoreGlobal.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + template: + metadata: + name: "{{ .Release.Name }}-pre-upgrade" + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + app: {{ template "anchore-engine.fullname" . }} + component: anchore-upgrade + {{- with .Values.anchoreGlobal.labels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + {{- with .Values.anchoreGlobal.annotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.anchoreGlobal.securityContext }} + securityContext: + {{ toYaml . | nindent 8 }} + {{- end }} + + {{- if .Values.anchoreEnterpriseGlobal.enabled }} + imagePullSecrets: + - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }} + {{- else }} + {{- with .Values.anchoreGlobal.imagePullSecretName }} + imagePullSecrets: + - name: {{ . }} + {{- end }} + {{- end }} + restartPolicy: Never + serviceAccountName: {{ template "anchore-engine.fullname" . }}-upgrade-sa + initContainers: + - name: scale-down-anchore + image: bitnami/kubectl:1.27 + command: ["kubectl", "scale", "deployments", "--all", "--replicas=0", "-l", "app={{ template "anchore-engine.fullname" . 
}}"] + containers: + {{- if .Values.cloudsql.enabled }} + - name: cloudsql-proxy + image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} + imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + {{- with .Values.anchoreGlobal.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 10 }} + {{- end }} + command: ["/cloud_sql_proxy"] + args: + {{- if .Values.cloudsql.extraArgs }} + {{- range $arg := .Values.cloudsql.extraArgs }} + - {{ quote $arg }} + {{- end }} + {{- end }} + - "-instances={{ .Values.cloudsql.instance }}=tcp:5432" + {{- if .Values.cloudsql.useExistingServiceAcc }} + - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}" + volumeMounts: + - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }} + name: {{ .Values.cloudsql.serviceAccSecretName }} + readOnly: true + {{- end }} + {{- end }} + - name: upgrade-db + image: {{ .Values.anchoreEnterpriseGlobal.image }} + imagePullPolicy: Always + envFrom: + {{- if not .Values.inject_secrets_via_env }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} + - secretRef: + name: {{ .Values.anchoreGlobal.existingSecretName }} + {{- else }} + - secretRef: + name: {{ include "anchore-engine.fullname" . }} + - secretRef: + name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} + {{- end }} + + {{- if .Values.anchoreEnterpriseFeeds.enabled }} + - secretRef: + name: {{ include "anchore-engine.enterprise-feeds.fullname" . }} + {{- end }} + {{- end }} + + command: ["/bin/bash", "-c"] + args: + {{- if not .Values.anchoreGlobal.dbConfig.ssl }} + - | + {{ print (include "doSourceFile" .) }} anchore-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}" upgrade --dontask; + {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" pre-upgrade-check; + {{- else if eq .Values.anchoreGlobal.dbConfig.sslMode "require" }} + - | + {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; + {{- else }} + - | + {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; + {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; + {{- end }} + + {{- if not .Values.anchoreEnterpriseFeeds.dbConfig.ssl }} + - | + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" pre-upgrade-check; + {{- else if eq .Values.anchoreEnterpriseFeeds.dbConfig.sslMode "require" }} + - | + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; + {{- else }} + - | + {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; + {{- end }} + + {{- if .Values.cloudsql.enabled }} + - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; + {{- end }} + +{{- end }} \ No newline at end of file diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index ad43707f..e6d33537 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -308,6 +308,10 @@ anchoreGlobal: failureThreshold: 3 successThreshold: 1 + # using the preupgrade hook will create a service account that will use + # kubectl to scale down the deployment before running the upgrade job + usePreupgradeHook: false + # Configuration for the analyzer pods that perform image analysis # There may be many of these analyzers but best practice is to not have more than one per node since analysis # is very IO intensive. Use of affinity/anti-affinity rules for scheduling the analyzers is future work. From 552366cea24151b27184e3f789f27b95f7e5cdc7 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 16 Jun 2023 15:43:50 -0400 Subject: [PATCH 129/329] adding all labels, annotations, tolerations, etc to prehook upgrade job 
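Review bot: In the `upgrade-db` container, `command: ["/bin/bash", "-c"]` executes only the first element of `args` as the script; the second `- |` item carrying the feeds database `upgrade`/`pre-upgrade-check` commands and the `sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid;` item are passed as `$0` and `$1` and never run, so the feeds schema is not upgraded on this path and the Cloud SQL proxy is never signalled. Fold the conditional fragments into a single block scalar (one `- |` with the `{{- if }}` blocks inside it), or give the feeds commands their own container so each `args` entry is a complete script. Separately, the `scale-down-anchore` init container uses the mutable tag `bitnami/kubectl:1.27` and, unlike the cloudsql image, is not configurable through values; exposing `image` (and ideally a digest) under `anchoreEnterpriseEngineUpgradeJob` keeps air-gapped and supply-chain-controlled clusters able to run the hook.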
Signed-off-by: Hung Nguyen --- .../templates/anchore_upgrade_role.yaml | 22 ++- .../anchore_upgrade_rolebinding.yaml | 22 ++- .../anchore_upgrade_service_account.yaml | 26 +++- .../hooks/pre-upgrade/0-db-upgrade.yaml | 134 ++++++++++++++++-- 4 files changed, 187 insertions(+), 17 deletions(-) diff --git a/stable/anchore-engine/templates/anchore_upgrade_role.yaml b/stable/anchore-engine/templates/anchore_upgrade_role.yaml index 343f4182..224384e1 100644 --- a/stable/anchore-engine/templates/anchore_upgrade_role.yaml +++ b/stable/anchore-engine/templates/anchore_upgrade_role.yaml @@ -13,11 +13,29 @@ metadata: {{- with .Values.anchoreGlobal.labels }} {{ toYaml . | nindent 4 }} {{- end }} - {{- if .Values.anchoreGlobal.annotations }} + {{- with .Values.anchoreEngineUpgradeJob.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreEnterpriseEngineUpgradeJob.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- if or .Values.anchoreGlobal.annotations .Values.anchoreEngineUpgradeJob.annotations .Values.anchoreEnterpriseEngineUpgradeJob.annotations .Values.anchoreEnterpriseFeedsUpgradeJob.annotations }} annotations: - {{- with .anchoreGlobal.annotations }} + {{- with .Values.anchoreGlobal.annotations }} {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.anchoreEngineUpgradeJob.annotations }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreEnterpriseEngineUpgradeJob.annotations }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.annotations }} + {{ toYaml . | nindent 4 }} + {{- end }} {{- end }} rules: - apiGroups: diff --git a/stable/anchore-engine/templates/anchore_upgrade_rolebinding.yaml b/stable/anchore-engine/templates/anchore_upgrade_rolebinding.yaml index 9e6e0c05..7c1a6052 100644 --- a/stable/anchore-engine/templates/anchore_upgrade_rolebinding.yaml 
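Review bot: Rendering `anchoreGlobal.labels`, `anchoreEngineUpgradeJob.labels`, `anchoreEnterpriseEngineUpgradeJob.labels` and `anchoreEnterpriseFeedsUpgradeJob.labels` one after another under `labels:` (and the same four maps under `annotations:`) emits duplicate mapping keys whenever two of them share a key, e.g. a `team` label set both globally and on a job, and the rendered Role is then likely to be rejected by the YAML parser rather than merged. Merge the maps first and render once, e.g. `{{- with merge (dict) (default (dict) .Values.anchoreEnterpriseFeedsUpgradeJob.labels) (default (dict) .Values.anchoreEnterpriseEngineUpgradeJob.labels) (default (dict) .Values.anchoreEngineUpgradeJob.labels) (default (dict) .Values.anchoreGlobal.labels) }}` followed by a single `toYaml`, keeping in mind that with `merge` the earlier arguments win on conflicts. The same pattern is repeated on the RoleBinding, ServiceAccount and hook Job in this commit and deserves the same treatment.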
+++ b/stable/anchore-engine/templates/anchore_upgrade_rolebinding.yaml @@ -13,11 +13,29 @@ metadata: {{- with .Values.anchoreGlobal.labels }} {{ toYaml . | nindent 4 }} {{- end }} - {{- if .Values.anchoreGlobal.annotations }} + {{- with .Values.anchoreEngineUpgradeJob.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreEnterpriseEngineUpgradeJob.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- if or .Values.anchoreGlobal.annotations .Values.anchoreEngineUpgradeJob.annotations .Values.anchoreEnterpriseEngineUpgradeJob.annotations .Values.anchoreEnterpriseFeedsUpgradeJob.annotations }} annotations: - {{- with .anchoreGlobal.annotations }} + {{- with .Values.anchoreGlobal.annotations }} {{- toYaml . | nindent 4 }} {{- end }} + {{- with .Values.anchoreEngineUpgradeJob.annotations }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreEnterpriseEngineUpgradeJob.annotations }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.annotations }} + {{ toYaml . | nindent 4 }} + {{- end }} {{- end }} roleRef: apiGroup: rbac.authorization.k8s.io diff --git a/stable/anchore-engine/templates/anchore_upgrade_service_account.yaml b/stable/anchore-engine/templates/anchore_upgrade_service_account.yaml index 281e14b1..75e3b10e 100644 --- a/stable/anchore-engine/templates/anchore_upgrade_service_account.yaml +++ b/stable/anchore-engine/templates/anchore_upgrade_service_account.yaml 
@@ -13,10 +13,28 @@ metadata: {{- with .Values.anchoreGlobal.labels }} {{ toYaml . | nindent 4 }} {{- end }} - {{- if .Values.anchoreGlobal.annotations }} + {{- with .Values.anchoreEngineUpgradeJob.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreEnterpriseEngineUpgradeJob.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- if or .Values.anchoreGlobal.annotations .Values.anchoreEngineUpgradeJob.annotations .Values.anchoreEnterpriseEngineUpgradeJob.annotations .Values.anchoreEnterpriseFeedsUpgradeJob.annotations }} annotations: - {{- with .anchoreGlobal.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} + {{- with .Values.anchoreGlobal.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreEngineUpgradeJob.annotations }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreEnterpriseEngineUpgradeJob.annotations }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.annotations }} + {{ toYaml . | nindent 4 }} + {{- end }} {{- end }} {{- end -}} \ No newline at end of file diff --git a/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml b/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml index 4fa982eb..755ecd44 100644 --- a/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml +++ b/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml 
@@ -9,8 +9,20 @@ metadata: app.kubernetes.io/version: {{ .Chart.AppVersion }} helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" {{- with .Values.anchoreGlobal.labels }} - {{- toYaml . | nindent 4 }} + {{ toYaml . | nindent 4 }} {{- end }} + {{- with .Values.anchoreEngineUpgradeJob.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreEnterpriseEngineUpgradeJob.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "2" spec: template: metadata: @@ -23,18 +35,35 @@ spec: app: {{ template "anchore-engine.fullname" . }} component: anchore-upgrade {{- with .Values.anchoreGlobal.labels }} - {{- toYaml . | nindent 8 }} + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.anchoreEngineUpgradeJob.labels }} + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.anchoreEnterpriseEngineUpgradeJob.labels }} + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.labels }} + {{ toYaml . | nindent 8 }} {{- end }} annotations: {{- with .Values.anchoreGlobal.annotations }} {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.anchoreEngineUpgradeJob.annotations }} + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.anchoreEnterpriseEngineUpgradeJob.annotations }} + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.annotations }} + {{ toYaml . | nindent 8 }} + {{- end }} spec: {{- with .Values.anchoreGlobal.securityContext }} securityContext: {{ toYaml . | nindent 8 }} {{- end }} - {{- if .Values.anchoreEnterpriseGlobal.enabled }} imagePullSecrets: - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }} 
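Review bot: The `helm.sh/hook` annotation added to the Job sets no `helm.sh/hook-delete-policy`, so Helm applies its default `before-hook-creation`: a completed Job, together with a pod whose spec references the database and admin-password secrets through `envFrom`, remains in the namespace until the next upgrade, and a failed hook leaves the same pod behind for anyone with pod read access to inspect. Add `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded` next to the weight so successful runs are cleaned up while failures stay available for debugging. If the intent is to keep the Job for log inspection, say so in a comment above the annotations, since the retained pod is not obvious from the values documentation.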
@@ -46,10 +75,76 @@ spec: {{- end }} restartPolicy: Never serviceAccountName: {{ template "anchore-engine.fullname" . }}-upgrade-sa + {{- with .Values.anchoreEnterpriseEngineUpgradeJob.nodeSelector }} + nodeSelector: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.anchoreEnterpriseEngineUpgradeJob.affinity }} + affinity: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.anchoreEnterpriseEngineUpgradeJob.tolerations }} + tolerations: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc .Values.anchoreGlobal.extraVolumeMounts }} + volumes: + {{- with .Values.anchoreGlobal.certStoreSecretName }} + - name: certs + secret: + secretName: {{ . }} + {{- end }} + {{- if .Values.cloudsql.useExistingServiceAcc }} + - name: {{ .Values.cloudsql.serviceAccSecretName }} + secret: + secretName: {{ .Values.cloudsql.serviceAccSecretName }} + {{- end }} + {{- with .Values.anchoreGlobal.extraVolumes }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- end }} initContainers: - name: scale-down-anchore image: bitnami/kubectl:1.27 command: ["kubectl", "scale", "deployments", "--all", "--replicas=0", "-l", "app={{ template "anchore-engine.fullname" . }}"] + {{- if or .Values.anchoreGlobal.containerSecurityContext .Values.cloudsql.enabled }} + securityContext: + {{- with .Values.anchoreGlobal.containerSecurityContext }} + {{ toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.cloudsql.enabled }} + capabilities: + add: + - SYS_PTRACE + {{- end }} + {{- end }} + envFrom: + {{- if not .Values.inject_secrets_via_env }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} + - secretRef: + name: {{ .Values.anchoreGlobal.existingSecretName }} + {{- else }} + - secretRef: + name: {{ include "anchore-engine.fullname" . }} + - secretRef: + name: {{ print (include "anchore-engine.fullname" .) 
"-admin-pass" }} + {{- end }} + {{- end }} + env: + {{- with .Values.anchoreGlobal.extraEnv }} + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + {{- if (.Values.anchoreGlobal.certStoreSecretName) }} + - name: certs + mountPath: /home/anchore/certs/ + readOnly: true + {{- end }} + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + resources: + {{ toYaml .Values.anchoreEnterpriseEngineUpgradeJob.resources | nindent 12 }} containers: {{- if .Values.cloudsql.enabled }} - name: cloudsql-proxy @@ -57,7 +152,7 @@ spec: imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} {{- with .Values.anchoreGlobal.containerSecurityContext }} securityContext: - {{ toYaml . | nindent 10 }} + {{ toYaml . | nindent 12 }} {{- end }} command: ["/cloud_sql_proxy"] args: @@ -78,6 +173,17 @@ spec: - name: upgrade-db image: {{ .Values.anchoreEnterpriseGlobal.image }} imagePullPolicy: Always + {{- if or .Values.anchoreGlobal.containerSecurityContext .Values.cloudsql.enabled }} + securityContext: + {{- with .Values.anchoreGlobal.containerSecurityContext }} + {{ toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.cloudsql.enabled }} + capabilities: + add: + - SYS_PTRACE + {{- end }} + {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} {{- if .Values.anchoreGlobal.useExistingSecrets }} 
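Review bot: The `scale-down-anchore` init container is now given `envFrom` the Anchore secrets (database credentials and admin password), the certificate volume and, when Cloud SQL is enabled, the `SYS_PTRACE` capability, yet it only runs `kubectl scale` and needs nothing beyond the mounted service-account token; a compromise of the third-party kubectl image would expose credentials it never uses. Remove `envFrom`, `volumeMounts` and the `capabilities` block from this container and keep `containerSecurityContext` as its only security context. Note also that appending `capabilities: add: [SYS_PTRACE]` after `toYaml .Values.anchoreGlobal.containerSecurityContext` produces a duplicate `capabilities` key whenever the global context already sets one (for example `drop: [ALL]`), so a rendered manifest with that setting should be checked.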
@@ -89,13 +195,26 @@ spec: - secretRef: name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} {{- end }} - {{- if .Values.anchoreEnterpriseFeeds.enabled }} - secretRef: name: {{ include "anchore-engine.enterprise-feeds.fullname" . }} {{- end }} {{- end }} - + env: + {{- with .Values.anchoreGlobal.extraEnv }} + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + {{- if (.Values.anchoreGlobal.certStoreSecretName) }} + - name: certs + mountPath: /home/anchore/certs/ + readOnly: true + {{- end }} + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + resources: + {{ toYaml .Values.anchoreEnterpriseEngineUpgradeJob.resources | nindent 12 }} command: ["/bin/bash", "-c"] args: {{- if not .Values.anchoreGlobal.dbConfig.ssl }} 
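Review bot: Adding `SYS_PTRACE` to the `upgrade-db` container does not on its own let `pgrep cloud_sql_proxy` see the proxy: containers in a pod have separate PID namespaces unless the pod spec sets `shareProcessNamespace: true`, which is absent from the visible spec, so the cleanup step cannot find the proxy process and the Job will not finish on its own once the upgrade completes. Either add `shareProcessNamespace: true` at the pod `spec` level alongside the capability, or avoid the cross-container signal by giving the proxy container its own termination path. With a shared PID namespace the capability is still required to signal a process owned by another container's user, so keep it scoped to this container only.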
@@ -111,7 +230,6 @@ spec: {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; {{- end }} - {{- if not .Values.anchoreEnterpriseFeeds.dbConfig.ssl }} - | {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" pre-upgrade-check; 
@@ -122,9 +240,7 @@ spec: - | {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; {{- end }} - {{- if .Values.cloudsql.enabled }} - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; {{- end }} - {{- end }} \ No newline at end of file From 1fb783aecec85cfcc9df25c5cb07d494fd55b7f7 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 16 Jun 2023 23:31:46 -0400 Subject: [PATCH 130/329] adding compatability check Signed-off-by: Hung Nguyen --- stable/anchore-engine/templates/_helpers.tpl | 13 +++ .../hooks/pre-upgrade/0-db-upgrade.yaml | 105 ++++++++++++++++-- .../pre-upgrade}/anchore_upgrade_role.yaml | 14 ++- .../anchore_upgrade_rolebinding.yaml | 4 +- .../anchore_upgrade_service_account.yaml | 4 +- 5 files changed, 127 insertions(+), 13 deletions(-) rename stable/anchore-engine/templates/{ => hooks/pre-upgrade}/anchore_upgrade_role.yaml (87%) rename stable/anchore-engine/templates/{ => hooks/pre-upgrade}/anchore_upgrade_rolebinding.yaml (87%) rename stable/anchore-engine/templates/{ => hooks/pre-upgrade}/anchore_upgrade_service_account.yaml (85%) diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index a194475b..09b42b68 100755 --- a/stable/anchore-engine/templates/_helpers.tpl 
+++ b/stable/anchore-engine/templates/_helpers.tpl @@ -448,6 +448,19 @@ Upon upgrades, checks if .Values.existingSecret=true and fails the upgrade if .V {{- end }} {{- end }} + +{{- define "checkPreupgradeHookCompatibility" -}} +{{- $minVersion := "1.24.0" -}} +{{- $apiDeployment := (lookup "apps/v1" "Deployment" .Release.Namespace (include "anchore-engine.api.fullname" .)) }} +{{- $chartVersion := $apiDeployment.metadata.labels.chart}} +{{- $chartName := .Chart.Name}} +{{- $version := (regexFind "[0-9]+\\.[0-9]+\\.[0-9]+" $chartVersion | trimPrefix "$chartName-") -}} +{{- $compareResult := semver $minVersion | (semver $version).Compare -}} +{{- if lt $compareResult 0 -}} + {{- fail "using the preupgrade hook for upgrades requires the chart to be on at least version 1.24.0. Please upgrade to 1.24.0 or newer before using the preupgrade hook." }} +{{- end -}} +{{- end -}} + {{/* Upon upgrade, check if user is upgrading to chart v1.22.0+ (Enterprise v4.4.0). If they are, ensure that they are upgrading from Enterprise 4.2.0 or higher and error out if they're upgrading from an older version. diff --git a/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml b/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml index 755ecd44..6adf3bbb 100644 --- a/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml +++ b/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml @@ -1,3 +1,4 @@ +{{- template "checkPreupgradeHookCompatibility" . }} {{- if and .Values.anchoreGlobal.usePreupgradeHook .Values.anchoreEnterpriseGlobal.enabled -}} apiVersion: batch/v1 kind: Job 
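Review bot: `checkPreupgradeHookCompatibility` dereferences `$apiDeployment.metadata.labels.chart` without checking that `lookup` returned anything; `lookup` yields an empty map under `helm template`, `--dry-run` and whenever the API Deployment is absent or named differently, so rendering fails with a nil-pointer error, and because the `{{- template "checkPreupgradeHookCompatibility" . }}` call sits above the `{{- if and .Values.anchoreGlobal.usePreupgradeHook ... }}` line in 0-db-upgrade.yaml it runs for every user even with the feature disabled. Wrap the version comparison in `{{- if and .Values.anchoreGlobal.usePreupgradeHook $apiDeployment }}` (or return early when `$apiDeployment.metadata` is empty) and only then call `regexFind`/`semver`, which also error on an empty string. `trimPrefix "$chartName-"` is a literal string in Go templates, not an interpolation; since `regexFind` already isolates the `x.y.z` part it can simply be removed.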
@@ -145,6 +146,49 @@ spec: {{- end }} resources: {{ toYaml .Values.anchoreEnterpriseEngineUpgradeJob.resources | nindent 12 }} + - name: confirm-service-scaled-down + image: bitnami/kubectl:1.27 + command: ["/bin/bash", "-c"] + args: ["while [[ $(kubectl get pods -l app={{ template "anchore-engine.fullname" . }} --field-selector=status.phase=Running --no-headers | wc -l) -gt 0 ]]; do echo 'waiting for pods to go down' && sleep 5; done"] + {{- if or .Values.anchoreGlobal.containerSecurityContext .Values.cloudsql.enabled }} + securityContext: + {{- with .Values.anchoreGlobal.containerSecurityContext }} + {{ toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.cloudsql.enabled }} + capabilities: + add: + - SYS_PTRACE + {{- end }} + {{- end }} + envFrom: + {{- if not .Values.inject_secrets_via_env }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} + - secretRef: + name: {{ .Values.anchoreGlobal.existingSecretName }} + {{- else }} + - secretRef: + name: {{ include "anchore-engine.fullname" . }} + - secretRef: + name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} + {{- end }} + {{- end }} + env: + {{- with .Values.anchoreGlobal.extraEnv }} + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + {{- if (.Values.anchoreGlobal.certStoreSecretName) }} + - name: certs + mountPath: /home/anchore/certs/ + readOnly: true + {{- end }} + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + resources: + {{ toYaml .Values.anchoreEnterpriseEngineUpgradeJob.resources | nindent 12 }} + containers: {{- if .Values.cloudsql.enabled }} - name: cloudsql-proxy @@ -170,7 +214,7 @@ spec: readOnly: true {{- end }} {{- end }} - - name: upgrade-db + - name: upgrade-enterprise-db image: {{ .Values.anchoreEnterpriseGlobal.image }} imagePullPolicy: Always {{- if or .Values.anchoreGlobal.containerSecurityContext .Values.cloudsql.enabled }} 
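Review bot: The `confirm-service-scaled-down` wait loop has no upper bound, and because its condition is the `wc -l` of kubectl's stdout, a kubectl failure (RBAC denied, API unreachable) yields `0` and ends the wait immediately with pods still running; a bounded loop that checks the kubectl exit status separately, e.g. `kubectl get pods -l app={{ template "anchore-engine.fullname" . }} --field-selector=status.phase=Running --no-headers > /tmp/pods || exit 1` followed by `[[ $(wc -l < /tmp/pods) -gt 0 ]]` with a retry cap, fails closed instead of falsely reporting a scale-down. `image: bitnami/kubectl:1.27` is a hard-coded mutable tag from a public registry while every other container in this Job is taken from values (`.Values.anchoreEnterpriseGlobal.image`); exposing it as a value, optionally with a digest, keeps air-gapped and mirror-only clusters working and makes the image auditable. This container needs only the ServiceAccount token to call the API, yet it receives the same `envFrom` Secrets (DB credentials, `-admin-pass`) and, with cloudsql enabled, the `SYS_PTRACE` capability; dropping the `envFrom` and `capabilities` blocks from this one container is a straightforward least-privilege reduction.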
@@ -195,10 +239,6 @@ spec: - secretRef: name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} {{- end }} - {{- if .Values.anchoreEnterpriseFeeds.enabled }} - - secretRef: - name: {{ include "anchore-engine.enterprise-feeds.fullname" . }} - {{- end }} {{- end }} env: {{- with .Values.anchoreGlobal.extraEnv }} @@ -221,7 +261,7 @@ spec: - | {{ print (include "doSourceFile" .) }} anchore-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}" upgrade --dontask; {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" pre-upgrade-check; - {{- else if eq .Values.anchoreGlobal.dbConfig.sslMode "require" }} + {{- else if eq .Values.anchoreGlobal.dbConfig.sslMode "require"}} - | {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; 
@@ -230,6 +270,56 @@ spec: {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; {{- end }} + {{- if .Values.cloudsql.enabled }} + - | + sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; + {{- end }} + + - name: upgrade-feeds-db + image: {{ .Values.anchoreEnterpriseGlobal.image }} + imagePullPolicy: Always + {{- if or .Values.anchoreGlobal.containerSecurityContext .Values.cloudsql.enabled }} + securityContext: + {{- with .Values.anchoreGlobal.containerSecurityContext }} + {{ toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.cloudsql.enabled }} + capabilities: + add: + - SYS_PTRACE + {{- end }} + {{- end }} + envFrom: + {{- if not .Values.inject_secrets_via_env }} + {{- if .Values.anchoreGlobal.useExistingSecrets }} + - secretRef: + name: {{ .Values.anchoreGlobal.existingSecretName }} + {{- else }} + - secretRef: + name: {{ print (include "anchore-engine.fullname" .) 
"-admin-pass" }} + {{- end }} + {{- if .Values.anchoreEnterpriseFeeds.enabled }} + - secretRef: + name: {{ include "anchore-engine.enterprise-feeds.fullname" . }} + {{- end }} + {{- end }} + env: + {{- with .Values.anchoreGlobal.extraEnv }} + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + {{- if (.Values.anchoreGlobal.certStoreSecretName) }} + - name: certs + mountPath: /home/anchore/certs/ + readOnly: true + {{- end }} + {{- with .Values.anchoreGlobal.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + resources: + {{ toYaml .Values.anchoreEnterpriseEngineUpgradeJob.resources | nindent 12 }} + command: ["/bin/bash", "-c"] + args: {{- if not .Values.anchoreEnterpriseFeeds.dbConfig.ssl }} - | {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" pre-upgrade-check; 
@@ -241,6 +331,7 @@ spec: {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; {{- end }} {{- if .Values.cloudsql.enabled }} - - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; + - | + sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; {{- end }} {{- end }} \ No newline at end of file diff --git a/stable/anchore-engine/templates/anchore_upgrade_role.yaml b/stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_role.yaml similarity index 87% rename from stable/anchore-engine/templates/anchore_upgrade_role.yaml rename to stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_role.yaml index 224384e1..12a61043 100644 --- a/stable/anchore-engine/templates/anchore_upgrade_role.yaml +++ b/stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_role.yaml 
@@ -22,8 +22,10 @@ metadata: {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.labels }} {{ toYaml . | nindent 4 }} {{- end }} - {{- if or .Values.anchoreGlobal.annotations .Values.anchoreEngineUpgradeJob.annotations .Values.anchoreEnterpriseEngineUpgradeJob.annotations .Values.anchoreEnterpriseFeedsUpgradeJob.annotations }} + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "1" {{- with .Values.anchoreGlobal.annotations }} {{- toYaml . | nindent 4 }} {{- end }} @@ -36,7 +38,7 @@ metadata: {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.annotations }} {{ toYaml . | nindent 4 }} {{- end }} - {{- end }} + rules: - apiGroups: - extensions @@ -55,5 +57,13 @@ rules: - deployments/scale verbs: - patch + - apiGroups: + - "" + resources: + - pods + verbs: + - watch + - list + - get {{- end }} \ No newline at end of file diff --git a/stable/anchore-engine/templates/anchore_upgrade_rolebinding.yaml b/stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_rolebinding.yaml similarity index 87% rename from stable/anchore-engine/templates/anchore_upgrade_rolebinding.yaml rename to stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_rolebinding.yaml index 7c1a6052..dc3e2848 100644 --- a/stable/anchore-engine/templates/anchore_upgrade_rolebinding.yaml +++ b/stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_rolebinding.yaml @@ -22,8 +22,9 @@ metadata: {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.labels }} {{ toYaml . | nindent 4 }} {{- end }} - {{- if or .Values.anchoreGlobal.annotations .Values.anchoreEngineUpgradeJob.annotations .Values.anchoreEnterpriseEngineUpgradeJob.annotations .Values.anchoreEnterpriseFeedsUpgradeJob.annotations }} annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "1" {{- with .Values.anchoreGlobal.annotations }} {{- toYaml . | nindent 4 }} {{- end }} 
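Review bot: The Role, RoleBinding and ServiceAccount now carry `"helm.sh/hook": pre-upgrade` but no `helm.sh/hook-delete-policy`, and Helm does not manage hook resources as part of the release, so the RBAC grant (deployments patch plus the new `pods` list/watch/get) is left in the namespace after the hook finishes and is not removed by `helm uninstall`; adding `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded` beside the weight keeps the grant scoped to the upgrade window. Because Helm creates hooks in ascending weight order, `"helm.sh/hook-weight": "1"` must also be strictly lower than the weight on the Job in `0-db-upgrade.yaml` (not visible here), or the Job is created before its ServiceAccount and Role exist. The same annotation change is made in the RoleBinding hunk on this line and the ServiceAccount hunk in the next file section.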
@@ -36,7 +37,6 @@ metadata: {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.annotations }} {{ toYaml . | nindent 4 }} {{- end }} - {{- end }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role diff --git a/stable/anchore-engine/templates/anchore_upgrade_service_account.yaml b/stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_service_account.yaml similarity index 85% rename from stable/anchore-engine/templates/anchore_upgrade_service_account.yaml rename to stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_service_account.yaml index 75e3b10e..f30e037a 100644 --- a/stable/anchore-engine/templates/anchore_upgrade_service_account.yaml +++ b/stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_service_account.yaml @@ -22,8 +22,9 @@ metadata: {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.labels }} {{ toYaml . | nindent 4 }} {{- end }} - {{- if or .Values.anchoreGlobal.annotations .Values.anchoreEngineUpgradeJob.annotations .Values.anchoreEnterpriseEngineUpgradeJob.annotations .Values.anchoreEnterpriseFeedsUpgradeJob.annotations }} annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "1" {{- with .Values.anchoreGlobal.annotations }} {{- toYaml . | nindent 4 }} {{- end }} @@ -36,5 +37,4 @@ metadata: {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.annotations }} {{ toYaml . | nindent 4 }} {{- end }} - {{- end }} {{- end -}} \ No newline at end of file From 676830c2d42a3a2897f6f7c71408b6f907f4bc33 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 16 Jun 2023 23:41:50 -0400 Subject: [PATCH 131/329] update comments and readme for preUpgradeHook Signed-off-by: Hung Nguyen --- stable/anchore-engine/README.md | 2 +- stable/anchore-engine/templates/_helpers.tpl | 15 ++++++++------- stable/anchore-engine/values.yaml | 5 +++-- 3 files changed, 12 insertions(+), 10 deletions(-) diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 50b95905..b03c737a 100644 
--- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -183,7 +183,7 @@ The upgrade will only be considered successful when this job completes successfu # Chart version 1.26.1 -* Added `.Values.anchoreGlobal.usePreupgradeHook` to enable doing the upgrades using helm's pre-upgrade hook. Doing so requires creating a service account and role with permissions to get/update/patch deployments. See templates/anchore_upgrade_role.yaml for a complete list of roles. This is disabled by default. +* Added `.Values.anchoreGlobal.usePreupgradeHook` to enable doing the enterprise and feeds upgrade jobs using a helm pre-upgrade hook. This is useful when doing helm upgrade with the --wait flag, or for ArgoCD. Enabling this option will create a service account and role with permissions to get/update/patch deployments and list pods. See templates/hooks/pre-upgrade/anchore_upgrade_role.yaml for a complete list of roles. This is disabled by default. # Chart version 1.26.0 diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index 09b42b68..73213129 100755 --- a/stable/anchore-engine/templates/_helpers.tpl +++ b/stable/anchore-engine/templates/_helpers.tpl 
@@ -452,15 +452,16 @@ Upon upgrades, checks if .Values.existingSecret=true and fails the upgrade if .V {{- define "checkPreupgradeHookCompatibility" -}} {{- $minVersion := "1.24.0" -}} {{- $apiDeployment := (lookup "apps/v1" "Deployment" .Release.Namespace (include "anchore-engine.api.fullname" .)) }} -{{- $chartVersion := $apiDeployment.metadata.labels.chart}} -{{- $chartName := .Chart.Name}} -{{- $version := (regexFind "[0-9]+\\.[0-9]+\\.[0-9]+" $chartVersion | trimPrefix "$chartName-") -}} -{{- $compareResult := semver $minVersion | (semver $version).Compare -}} -{{- if lt $compareResult 0 -}} - {{- fail "using the preupgrade hook for upgrades requires the chart to be on at least version 1.24.0. Please upgrade to 1.24.0 or newer before using the preupgrade hook." }} +{{- if $apiDeployment }} + {{- $chartVersion := $apiDeployment.metadata.labels.chart}} + {{- $chartName := .Chart.Name}} + {{- $version := (regexFind "[0-9]+\\.[0-9]+\\.[0-9]+" $chartVersion | trimPrefix "$chartName-") -}} + {{- $compareResult := semver $minVersion | (semver $version).Compare -}} + {{- if lt $compareResult 0 -}} + {{- fail "using the preupgrade hook for upgrades requires the chart to be on at least version 1.24.0. Please upgrade to 1.24.0 or newer before using the preupgrade hook." }} + {{- end -}} {{- end -}} {{- end -}} - {{/* Upon upgrade, check if user is upgrading to chart v1.22.0+ (Enterprise v4.4.0). If they are, ensure that they are upgrading from Enterprise 4.2.0 or higher and error out if they're upgrading from an older version. diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index e6d33537..aa4e662b 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml 
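Review bot: The new `{{- if $apiDeployment }}` guard fixes first-install rendering, but `lookup` also returns nothing under `helm template` and `helm upgrade --dry-run`, so the compatibility check silently passes in exactly the modes operators use to preview an upgrade and only fires during the live `helm upgrade`; a comment on the `define`, e.g. `{{/* No-op on fresh installs and in template/dry-run mode, where lookup returns nothing */}}`, sets that expectation. Within the guard, `regexFind` yields `""` when the `chart` label is absent or formatted differently, and `semver ""` then aborts with a parser error rather than the intended message; `{{- $version := required "api Deployment has no parseable chart version label" (regexFind "[0-9]+\\.[0-9]+\\.[0-9]+" $chartVersion) -}}` makes that case readable. `trimPrefix "$chartName-"` is still a literal string and a no-op here, so `$chartName` can be dropped.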
@@ -308,8 +308,9 @@ anchoreGlobal: failureThreshold: 3 successThreshold: 1 - # using the preupgrade hook will create a service account that will use - # kubectl to scale down the deployment before running the upgrade job + # Using the preupgrade hook will use a job annotated with helm's pre-upgrade hook. This job utilizes a service account that will be created to call kubectl to scale down the deployment before running the upgrade job. + # The service account is granted deployment, deployment/scale, and pod permissions. See templates/hooks/pre-upgrade/anchore_upgrade_role.yaml for the full list. + # This can be useful for deployments using helm upgrade --wait or ArgoCD. usePreupgradeHook: false # Configuration for the analyzer pods that perform image analysis From 0851f4aef531fb8f85e6555c50b6db2806d89c39 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 20 Jun 2023 14:39:17 -0400 Subject: [PATCH 132/329] removing compatibility check and just doing the upgrade based on db values Signed-off-by: Hung Nguyen --- stable/anchore-engine/templates/_helpers.tpl | 36 +++++++++++-------- .../hooks/pre-upgrade/0-db-upgrade.yaml | 19 +++++----- 2 files changed, 31 insertions(+), 24 deletions(-) diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index 73213129..96804e2c 100755 --- a/stable/anchore-engine/templates/_helpers.tpl +++ b/stable/anchore-engine/templates/_helpers.tpl 
@@ -411,6 +411,17 @@ Create feeds database hostname string from supplied values file. Used for settin {{- end }} {{- end }} +{{/* +Sets the port of the feeds-db. Used for the upgrade jobs. +*/}} +{{- define "postgres.anchore-feeds-db.port" -}} + {{- if (index .Values "anchore-feeds-db" "postgresPort") }} + {{- print (index .Values "anchore-feeds-db" "postgresPort" | quote) }} + {{- else }} + {{- print "5432" }} + {{- end }} +{{- end -}} + {{/* Create database hostname string from supplied values file. Used for setting the ANCHORE_DB_HOST env var in the UI & Engine secret. */}} @@ -425,6 +436,17 @@ Create database hostname string from supplied values file. Used for setting the {{- end }} {{- end }} +{{/* +Sets the port of the anchore-db. Used for the upgrade jobs. +*/}} +{{- define "postgres.anchore-db.port" -}} + {{- if (index .Values "postgresql" "postgresPort") }} + {{- print (index .Values "postgresql" "postgresPort" | quote) }} + {{- else }} + {{- print "5432" }} + {{- end }} +{{- end -}} + {{/* Allows sourcing of a specified file in the entrypoint of all containers when .Values.anchoreGlobal.doSourceAtEntry.enabled=true */}} 
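Review bot: In both new port helpers the configured branch emits the port through `| quote`, so `include "postgres.anchore-db.port"` returns `"5432"` with surrounding double quotes while the fallback branch returns bare `5432`; the consumers in the `@@ -259,16 +258,16 @@` and `@@ -322,13 +321,13 @@` hunks splice this into an already double-quoted shell word (`"host:{{ … }}"`), which only works because bash concatenates the adjacent quoted and unquoted segments, and any non-bash consumer would see a broken URL. Dropping the filter, `{{- print (index .Values "postgresql" "postgresPort") }}` and likewise for `anchore-feeds-db`, makes both branches return the same shape. If either top-level key could ever be absent from values, `index` on the missing key raises a template error rather than returning empty, so a `with` around the lookup is safer in that case.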
@@ -448,20 +470,6 @@ Upon upgrades, checks if .Values.existingSecret=true and fails the upgrade if .V {{- end }} {{- end }} - -{{- define "checkPreupgradeHookCompatibility" -}} -{{- $minVersion := "1.24.0" -}} -{{- $apiDeployment := (lookup "apps/v1" "Deployment" .Release.Namespace (include "anchore-engine.api.fullname" .)) }} -{{- if $apiDeployment }} - {{- $chartVersion := $apiDeployment.metadata.labels.chart}} - {{- $chartName := .Chart.Name}} - {{- $version := (regexFind "[0-9]+\\.[0-9]+\\.[0-9]+" $chartVersion | trimPrefix "$chartName-") -}} - {{- $compareResult := semver $minVersion | (semver $version).Compare -}} - {{- if lt $compareResult 0 -}} - {{- fail "using the preupgrade hook for upgrades requires the chart to be on at least version 1.24.0. Please upgrade to 1.24.0 or newer before using the preupgrade hook." }} - {{- end -}} -{{- end -}} -{{- end -}} {{/* Upon upgrade, check if user is upgrading to chart v1.22.0+ (Enterprise v4.4.0). If they are, ensure that they are upgrading from Enterprise 4.2.0 or higher and error out if they're upgrading from an older version. diff --git a/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml b/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml index 6adf3bbb..921f7998 100644 --- a/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml +++ b/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml @@ -1,4 +1,3 @@ -{{- template "checkPreupgradeHookCompatibility" . }} {{- if and .Values.anchoreGlobal.usePreupgradeHook .Values.anchoreEnterpriseGlobal.enabled -}} apiVersion: batch/v1 kind: Job 
@@ -259,16 +258,16 @@ spec: args: {{- if not .Values.anchoreGlobal.dbConfig.ssl }} - | - {{ print (include "doSourceFile" .) }} anchore-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}" upgrade --dontask; - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}"/"${ANCHORE_DB_NAME}" upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}" pre-upgrade-check; {{- else if eq .Values.anchoreGlobal.dbConfig.sslMode "require"}} - | - {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; - {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; {{- else }} - | - {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; - {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; {{- end }} {{- if .Values.cloudsql.enabled }} - | 
@@ -322,13 +321,13 @@ spec: args: {{- if not .Values.anchoreEnterpriseFeeds.dbConfig.ssl }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) -}}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) -}}"/"${ANCHORE_FEEDS_DB_NAME}" pre-upgrade-check; {{- else if eq .Values.anchoreEnterpriseFeeds.dbConfig.sslMode "require" }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; + {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) -}}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) -}}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; {{- else }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) 
-}}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) -}}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; {{- end }} {{- if .Values.cloudsql.enabled }} - | From 68266477fb813126ce27fbdc387bd653a9933221 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 28 Jun 2023 15:28:55 -0400 Subject: [PATCH 133/329] updating secret value for engine preupgrade hook for feeds Signed-off-by: Hung Nguyen --- stable/anchore-engine/Chart.yaml | 2 +- .../templates/hooks/pre-upgrade/0-db-upgrade.yaml | 9 ++++----- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index c299ed4f..9fc0467c 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.26.1 +version: 1.26.2 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml b/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml index 921f7998..77737425 100644 --- a/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml +++ b/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml 
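Review bot: The rewritten feeds connection strings in the `sslmode "require"` and root-cert branches still read `.Values.anchoreGlobal.dbConfig.sslMode` and `.Values.anchoreGlobal.dbConfig.sslRootCertName`, while the branch is selected by `.Values.anchoreEnterpriseFeeds.dbConfig.sslMode` (and the first branch by `.Values.anchoreEnterpriseFeeds.dbConfig.ssl`); a feeds database configured with a different SSL mode or CA file than the engine database gets the engine's settings in its URL, which can weaken verification (`require` versus `verify-full`) or point at the wrong CA. Each `?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode …}}` and `sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }}` in this hunk should use the `.Values.anchoreEnterpriseFeeds.dbConfig` counterparts, as the later commit does for `enterprise_feeds_upgrade_job.yaml`. The feeds container definition starts outside this hunk.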
@@ -292,15 +292,14 @@ spec: {{- if not .Values.inject_secrets_via_env }} {{- if .Values.anchoreGlobal.useExistingSecrets }} - secretRef: - name: {{ .Values.anchoreGlobal.existingSecretName }} + name: {{ .Values.anchoreEnterpriseFeeds.existingSecretName }} {{- else }} - - secretRef: - name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} - {{- end }} - {{- if .Values.anchoreEnterpriseFeeds.enabled }} - secretRef: name: {{ include "anchore-engine.enterprise-feeds.fullname" . }} + - secretRef: + name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} {{- end }} + {{- end }} env: {{- with .Values.anchoreGlobal.extraEnv }} From 4a742ddcdc9fb1146ab8f0980d00d86f6491ecda Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 28 Jun 2023 16:43:03 -0400 Subject: [PATCH 134/329] change anchoreGlobal to anchoreEnterpriseFeeds, feeds upgrade command structure, slim down kubectl containers Signed-off-by: Hung Nguyen --- .../enterprise_feeds_upgrade_job.yaml | 4 +- .../hooks/pre-upgrade/0-db-upgrade.yaml | 64 +++---------------- 2 files changed, 12 insertions(+), 56 deletions(-) diff --git a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml index 3d06f6e4..7fd35652 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml 
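Review bot: After this change the `upgrade-feeds-db` container references the feeds Secret (`anchore-engine.enterprise-feeds.fullname`) without the former `{{- if .Values.anchoreEnterpriseFeeds.enabled }}` guard, so when feeds are disabled and that Secret is not rendered the pod fails with a missing-secret error (a `secretRef` is mandatory unless it carries `optional: true`) and blocks the upgrade; if the container itself is not wrapped in the feeds condition outside this hunk, the guard should be restored or the reference marked `optional: true`. In the existing-secrets branch the container now reads only `.Values.anchoreEnterpriseFeeds.existingSecretName` and no longer the `-admin-pass` Secret, so it is worth confirming that a user-supplied feeds Secret carries everything `anchore-enterprise-manager db` needs and documenting that expectation in the values comment for `existingSecretName`. The container definition begins before this hunk.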
@@ -87,10 +87,10 @@ spec: {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" pre-upgrade-check; {{- else if eq .Values.anchoreEnterpriseFeeds.dbConfig.sslMode "require" }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode }} pre-upgrade-check; {{- else }} - | - {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }} pre-upgrade-check; {{- end }} {{- if .Values.cloudsql.enabled }} - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; diff --git a/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml b/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml index 77737425..0e760a63 100644 --- a/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml +++ b/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml 
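Review bot: In the last branch the CA file name now comes from `anchoreEnterpriseFeeds.dbConfig.sslRootCertName`, but the file is still expected under `/home/anchore/certs/`, which elsewhere in these jobs is mounted from `anchoreGlobal.certStoreSecretName`; a feeds database signed by a different CA therefore only works if that CA is also placed in the global cert-store secret, and a comment next to the feeds `sslRootCertName` key in values.yaml should say so. Separately, the `require` branch intentionally passes no `sslrootcert`, which in libpq terms encrypts the connection without verifying the server certificate — the values documentation should state that `verify-ca`/`verify-full` is the setting that actually pins the CA. The surrounding container spec starts before this hunk.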
@@ -118,31 +118,6 @@ spec: - SYS_PTRACE {{- end }} {{- end }} - envFrom: - {{- if not .Values.inject_secrets_via_env }} - {{- if .Values.anchoreGlobal.useExistingSecrets }} - - secretRef: - name: {{ .Values.anchoreGlobal.existingSecretName }} - {{- else }} - - secretRef: - name: {{ include "anchore-engine.fullname" . }} - - secretRef: - name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} - {{- end }} - {{- end }} - env: - {{- with .Values.anchoreGlobal.extraEnv }} - {{- toYaml . | nindent 12 }} - {{- end }} - volumeMounts: - {{- if (.Values.anchoreGlobal.certStoreSecretName) }} - - name: certs - mountPath: /home/anchore/certs/ - readOnly: true - {{- end }} - {{- with .Values.anchoreGlobal.extraVolumeMounts }} - {{- toYaml . | nindent 12 }} - {{- end }} resources: {{ toYaml .Values.anchoreEnterpriseEngineUpgradeJob.resources | nindent 12 }} - name: confirm-service-scaled-down @@ -160,31 +135,6 @@ spec: - SYS_PTRACE {{- end }} {{- end }} - envFrom: - {{- if not .Values.inject_secrets_via_env }} - {{- if .Values.anchoreGlobal.useExistingSecrets }} - - secretRef: - name: {{ .Values.anchoreGlobal.existingSecretName }} - {{- else }} - - secretRef: - name: {{ include "anchore-engine.fullname" . }} - - secretRef: - name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} - {{- end }} - {{- end }} - env: - {{- with .Values.anchoreGlobal.extraEnv }} - {{- toYaml . | nindent 12 }} - {{- end }} - volumeMounts: - {{- if (.Values.anchoreGlobal.certStoreSecretName) }} - - name: certs - mountPath: /home/anchore/certs/ - readOnly: true - {{- end }} - {{- with .Values.anchoreGlobal.extraVolumeMounts }} - {{- toYaml . | nindent 12 }} - {{- end }} resources: {{ toYaml .Values.anchoreEnterpriseEngineUpgradeJob.resources | nindent 12 }} 
@@ -305,6 +255,9 @@ spec: {{- with .Values.anchoreGlobal.extraEnv }} {{- toYaml . | nindent 12 }} {{- end }} + {{- with .Values.anchoreEnterpriseFeeds.extraEnv }} + {{- toYaml . | nindent 12 }} + {{- end }} volumeMounts: {{- if (.Values.anchoreGlobal.certStoreSecretName) }} - name: certs 
@@ -315,18 +268,21 @@ spec: {{- toYaml . | nindent 12 }} {{- end }} resources: - {{ toYaml .Values.anchoreEnterpriseEngineUpgradeJob.resources | nindent 12 }} + {{ toYaml .Values.anchoreEnterpriseFeedsUpgradeJob.resources | nindent 12 }} command: ["/bin/bash", "-c"] args: {{- if not .Values.anchoreEnterpriseFeeds.dbConfig.ssl }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) -}}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) -}}"/"${ANCHORE_FEEDS_DB_NAME}" pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) -}}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) -}}"/"${ANCHORE_FEEDS_DB_NAME}" pre-upgrade-check; {{- else if eq .Values.anchoreEnterpriseFeeds.dbConfig.sslMode "require" }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) 
-}}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) -}}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) -}}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) -}}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode }} pre-upgrade-check; {{- else }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) -}}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) 
-}}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) -}}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) -}}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }} pre-upgrade-check; {{- end }} {{- if .Values.cloudsql.enabled }} - | From 413f1663f0dc61319c900c207bb502eb95d4edfa Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 28 Jun 2023 16:58:17 -0400 Subject: [PATCH 135/329] adding hostname and port to engine upgrade Signed-off-by: Hung Nguyen --- .../templates/engine_upgrade_job.yaml | 6 ++-- .../hooks/pre-upgrade/0-db-upgrade.yaml | 29 +++++++------------ 2 files changed, 14 insertions(+), 21 deletions(-) diff --git a/stable/anchore-engine/templates/engine_upgrade_job.yaml b/stable/anchore-engine/templates/engine_upgrade_job.yaml index e3fbfc8f..4ddd5898 100644 --- a/stable/anchore-engine/templates/engine_upgrade_job.yaml +++ b/stable/anchore-engine/templates/engine_upgrade_job.yaml 
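Review bot: Every command in these `- |` blocks ends with `;`, so under `bash -c` the container's exit status is that of the last command (`pre-upgrade-check`) and a failed `upgrade --dontask` on the preceding line is not surfaced to the Job, unless `doSourceFile` happens to enable errexit, which this hunk does not show. For a pre-upgrade hook that gates the Helm release, that can make a half-applied schema migration look successful; chain the lines with `&&` instead of `;`, or open the script with `set -eo pipefail` before the first `anchore-enterprise-manager` call. The container spec is cut at both edges of this hunk.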
@@ -96,13 +96,13 @@ spec: args: {{- if not .Values.anchoreGlobal.dbConfig.ssl }} - | - {{ print (include "doSourceFile" .) }} anchore-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}" upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}" upgrade --dontask; {{- else if eq .Values.anchoreGlobal.dbConfig.sslMode "require"}} - | - {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; {{- else }} - | - {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) 
-}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; {{- end }} {{- if .Values.cloudsql.enabled }} - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; diff --git a/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml b/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml index 0e760a63..e29fd886 100644 --- a/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml +++ b/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml @@ -107,16 +107,11 @@ spec: - name: scale-down-anchore image: bitnami/kubectl:1.27 command: ["kubectl", "scale", "deployments", "--all", "--replicas=0", "-l", "app={{ template "anchore-engine.fullname" . }}"] - {{- if or .Values.anchoreGlobal.containerSecurityContext .Values.cloudsql.enabled }} + {{- if .Values.anchoreGlobal.containerSecurityContext }} securityContext: {{- with .Values.anchoreGlobal.containerSecurityContext }} {{ toYaml . | nindent 12 }} {{- end }} - {{- if .Values.cloudsql.enabled }} - capabilities: - add: - - SYS_PTRACE - {{- end }} {{- end }} resources: {{ toYaml .Values.anchoreEnterpriseEngineUpgradeJob.resources | nindent 12 }} 
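Review bot: The rewritten commands take host and port from the `db-hostname` and `postgres.anchore-db.port` helpers at render time instead of `${ANCHORE_DB_HOST}` at run time, so an `ANCHORE_DB_HOST` supplied through an existing secret (`anchoreGlobal.useExistingSecrets`) no longer reaches this job unless those helpers read the same source, which is not visible here. If that override path is meant to keep working, keep `${ANCHORE_DB_HOST}` in the URL, or document in values.yaml that the upgrade job resolves the host from `anchoreGlobal.dbConfig` only. The `args` list continues outside the hunk.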
@@ -124,16 +119,11 @@ spec: image: bitnami/kubectl:1.27 command: ["/bin/bash", "-c"] args: ["while [[ $(kubectl get pods -l app={{ template "anchore-engine.fullname" . }} --field-selector=status.phase=Running --no-headers | wc -l) -gt 0 ]]; do echo 'waiting for pods to go down' && sleep 5; done"] - {{- if or .Values.anchoreGlobal.containerSecurityContext .Values.cloudsql.enabled }} + {{- if .Values.anchoreGlobal.containerSecurityContext }} securityContext: {{- with .Values.anchoreGlobal.containerSecurityContext }} {{ toYaml . | nindent 12 }} {{- end }} - {{- if .Values.cloudsql.enabled }} - capabilities: - add: - - SYS_PTRACE - {{- end }} {{- end }} resources: {{ toYaml .Values.anchoreEnterpriseEngineUpgradeJob.resources | nindent 12 }} 
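Review bot: Dropping `SYS_PTRACE` from the kubectl helper containers is the right direction, but the image remains the hard-coded, floating `bitnami/kubectl:1.27` with no values knob, so it cannot be pinned by digest or redirected to a private registry the way `anchoreEnterpriseGlobal.image` can, and a `securityContext` is rendered only when `anchoreGlobal.containerSecurityContext` is set. Since this container runs with the upgrade service account that the README says can update/patch every deployment matching the `app` label, expose the image as e.g. `anchoreEnterpriseEngineUpgradeJob.kubectlImage` in values.yaml and recommend a digest-pinned reference in its comment. The container spec begins before this hunk.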
@@ -208,16 +198,19 @@ spec: args: {{- if not .Values.anchoreGlobal.dbConfig.ssl }} - | - {{ print (include "doSourceFile" .) }} anchore-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}"/"${ANCHORE_DB_NAME}" upgrade --dontask; - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}" pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}" upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}" upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}" pre-upgrade-check; {{- else if eq .Values.anchoreGlobal.dbConfig.sslMode "require"}} - | - {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) 
-}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; {{- else }} - | - {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) 
-}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; + {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; {{- end }} {{- if .Values.cloudsql.enabled }} - | From c2b7f37f9bb2afceb153aa672cd18bb9b6fb567a Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 28 Jun 2023 17:14:59 -0400 Subject: [PATCH 136/329] changing component label of pre upgrade job Signed-off-by: Hung Nguyen --- .../templates/hooks/pre-upgrade/0-db-upgrade.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml b/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml index e29fd886..07d38220 100644 --- a/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml +++ b/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml @@ -33,7 +33,7 @@ spec: app.kubernetes.io/version: {{ .Chart.AppVersion }} helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" app: {{ template "anchore-engine.fullname" . }} - component: anchore-upgrade + component: anchore-enterprise-upgrade {{- with .Values.anchoreGlobal.labels }} {{ toYaml . | nindent 8 }} {{- end }} From 08374549ca5ad703f02763fb3392b45744457142 Mon Sep 17 00:00:00 2001 From: Shari Vietry Date: Thu, 6 Jul 2023 15:23:01 -0400 Subject: [PATCH 137/329] feat: added config values for runtime report generation Signed-off-by: Shari Vietry --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/templates/enterprise_configmap.yaml | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 9fc0467c..1be1f47e 100644 --- a/stable/anchore-engine/Chart.yaml 
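Review bot: `upgrade --dontask` runs before `pre-upgrade-check` on every branch of this block, which reads as the inverse of what a pre-upgrade check is for — if the check is meant to guard the migration, swap the two `anchore-enterprise-manager` lines; if it is really a post-check, a one-line comment above the block should say so. Independently, the database password is expanded into the `--db-connect` URL on the command line, so it is readable from `/proc/<pid>/cmdline` by any process in the pod and appears in process listings; if `anchore-manager` can take the DSN from its config file or an environment variable, prefer that over the argv form. The container spec is cut at both edges of this hunk.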
+++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.26.2 +version: 1.26.3 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/templates/enterprise_configmap.yaml b/stable/anchore-engine/templates/enterprise_configmap.yaml index 758e1b36..280f417f 100644 --- a/stable/anchore-engine/templates/enterprise_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_configmap.yaml @@ -152,6 +152,11 @@ data: data_load_max_workers: {{ .Values.anchoreEnterpriseReports.dataLoadMaxWorkers }} cycle_timers: {{- toYaml .Values.anchoreEnterpriseReports.cycleTimers | nindent 10 }} + runtime_report_generation: + inventory_images_by_vulnerability: true + vulnerabilities_by_k8s_namespace: {{ default true .Values.anchoreEnterpriseReports.vulnerabilitiesByK8sNamespace }} + vulnerabilities_by_k8s_container: {{ default true .Values.anchoreEnterpriseReports.vulnerabilitiesByK8sContainer }} + vulnerabilities_by_ecs_container: {{ default true .Values.anchoreEnterpriseReports.vulnerabilitiesByEcsContainer }} {{- if .Values.anchoreEnterpriseRbac.enabled }} authorization_handler: external authorization_handler_config: From 69b1da21c25b6595d677ea70fd764850906b28b2 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 6 Jul 2023 16:29:36 -0700 Subject: [PATCH 138/329] bump image to v4.8.1 Signed-off-by: Brady Todhunter --- stable/anchore-engine/README.md | 4 ++++ stable/anchore-engine/values.yaml | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index b03c737a..0c886aa7 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md 
@@ -181,6 +181,10 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. +# Chart Version 1.26.3 + +* Anchore Enterprise image updated to v4.8.1 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/481/) + # Chart version 1.26.1 * Added `.Values.anchoreGlobal.usePreupgradeHook` to enable doing the enterprise and feeds upgrade jobs using a helm pre-upgrade hook. This is useful when doing helm upgrade with the --wait flag, or for ArgoCD. Enabling this option will create a service account and role with permissions to get/update/patch deployments and list pods. See templates/hooks/pre-upgrade/anchore_upgrade_role.yaml for a complete list of roles. This is disabled by default. diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index aa4e662b..38f9c917 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -754,7 +754,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.8.0 + image: docker.io/anchore/enterprise:v4.8.1 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. From 0808bbf36970aa81fe70d35696e6719eb06110ae Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Thu, 18 May 2023 09:26:51 -0400 Subject: [PATCH 139/329] changing pullPolicy to not be always 
Signed-off-by: Hung Nguyen --- stable/k8s-inventory/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/k8s-inventory/values.yaml b/stable/k8s-inventory/values.yaml index df2769f8..6cae8857 100644 --- a/stable/k8s-inventory/values.yaml +++ b/stable/k8s-inventory/values.yaml @@ -12,8 +12,8 @@ replicaCount: 1 ## @param image.tag Image tag used for the K8s Inventory deployment ## image: - pullPolicy: Always - repository: anchore/k8s-inventory + pullPolicy: "IfNotPresent" + repository: "anchore/k8s-inventory" tag: "v1.0.0" ## @param imagePullSecrets secrets where Kubernetes should get the credentials for pulling private images From 2a790562e585caaedfb40010f6f7a839397f9a3a Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Thu, 18 May 2023 09:28:32 -0400 Subject: [PATCH 140/329] bump chart version for k8s-inventory Signed-off-by: Hung Nguyen --- stable/k8s-inventory/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/k8s-inventory/Chart.yaml b/stable/k8s-inventory/Chart.yaml index 79e4fffe..c9216728 100644 --- a/stable/k8s-inventory/Chart.yaml +++ b/stable/k8s-inventory/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: k8s-inventory -version: 0.0.1 +version: 0.0.2 appVersion: "1.0.0" description: A Helm chart for Kubernetes Automated Inventory, which describes which images are in use in a given Kubernetes Cluster keywords: From 6c009112129122f01b4b909f92c6c2974c3e78c6 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Thu, 18 May 2023 09:27:53 -0400 Subject: [PATCH 141/329] changing pullPolicy to not be always Signed-off-by: Hung Nguyen --- stable/ecs-inventory/Chart.yaml | 2 +- stable/ecs-inventory/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/ecs-inventory/Chart.yaml b/stable/ecs-inventory/Chart.yaml index a8b006bc..a4d302c4 100644 --- a/stable/ecs-inventory/Chart.yaml +++ b/stable/ecs-inventory/Chart.yaml 
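Review bot: `IfNotPresent` combined with the mutable tag `v1.0.0` means a node keeps running whatever it cached under that tag, so a re-pushed tag is not picked up until the image is evicted; that is acceptable only if the registry's tags are immutable, and the `## @param image.pullPolicy` comment should state that assumption. Where reproducibility matters, a digest reference (`repository@sha256:…`) is the reliable pin rather than the pull policy. The `image:` mapping is shown in full here.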
@@ -20,7 +20,7 @@ maintainers: email: hung.nguyen@anchore.com type: application -version: 0.0.1 +version: 0.0.2 appVersion: "1.0.0" icon: https://anchore.com/wp-content/uploads/2016/08/anchore.png diff --git a/stable/ecs-inventory/values.yaml b/stable/ecs-inventory/values.yaml index cb6797fa..f19cd0f9 100644 --- a/stable/ecs-inventory/values.yaml +++ b/stable/ecs-inventory/values.yaml @@ -14,7 +14,7 @@ image: "docker.io/anchore/ecs-inventory:v1.0.0" ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy ## -imagePullPolicy: "Always" +imagePullPolicy: "IfNotPresent" ## @param imagePullSecretName Name of Docker credentials secret for access to private repos ## Secrets must be manually created in the same namespace as release From 94989b815ca09b348638f8d30bed8fb0c91d5606 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Mon, 10 Jul 2023 11:33:58 -0400 Subject: [PATCH 142/329] using ne to set boolean values instead of default Signed-off-by: Hung Nguyen --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/templates/enterprise_configmap.yaml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 1be1f47e..b8bf4a2b 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.26.3 +version: 1.26.4 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/templates/enterprise_configmap.yaml b/stable/anchore-engine/templates/enterprise_configmap.yaml index 280f417f..22ce3f75 100644 --- a/stable/anchore-engine/templates/enterprise_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_configmap.yaml 
@@ -154,9 +154,9 @@ data: {{- toYaml .Values.anchoreEnterpriseReports.cycleTimers | nindent 10 }} runtime_report_generation: inventory_images_by_vulnerability: true - vulnerabilities_by_k8s_namespace: {{ default true .Values.anchoreEnterpriseReports.vulnerabilitiesByK8sNamespace }} - vulnerabilities_by_k8s_container: {{ default true .Values.anchoreEnterpriseReports.vulnerabilitiesByK8sContainer }} - vulnerabilities_by_ecs_container: {{ default true .Values.anchoreEnterpriseReports.vulnerabilitiesByEcsContainer }} + vulnerabilities_by_k8s_namespace: {{ ne .Values.anchoreEnterpriseReports.vulnerabilitiesByK8sNamespace false }} + vulnerabilities_by_k8s_container: {{ ne .Values.anchoreEnterpriseReports.vulnerabilitiesByK8sContainer false }} + vulnerabilities_by_ecs_container: {{ ne .Values.anchoreEnterpriseReports.vulnerabilitiesByEcsContainer false }} {{- if .Values.anchoreEnterpriseRbac.enabled }} authorization_handler: external authorization_handler_config: From 1d82b52474e755d7f3932940d93a4d6334484190 Mon Sep 17 00:00:00 2001 From: Zach Hill Date: Tue, 30 May 2023 10:34:37 -0700 Subject: [PATCH 143/329] feat: updates mountPath for RedHat sourced Postgres image when using OpenShift to ensure stable PVC Signed-off-by: Zach Hill --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/values.yaml | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index b8bf4a2b..074b099e 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.26.4 +version: 1.26.5 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 38f9c917..da468b13 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml 
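Review bot: `ne … false` correctly treats an unset value as enabled, but the three `vulnerabilitiesBy…` keys are not declared or documented in values.yaml anywhere in this patch, so operators cannot discover that the boolean `false` is the only recognized off switch (a quoted `"false"` would still render `true`). Add them under `anchoreEnterpriseReports` in values.yaml with a one-line comment each, and either make `inventory_images_by_vulnerability` a value too or add `# always on; no toggle exposed` above it. The `runtime_report_generation` mapping is fully visible here; the enclosing ConfigMap is not.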
@@ -19,9 +19,15 @@ postgresql: persistence: resourcePolicy: keep size: 20Gi + # If running on OpenShift using the RedHat images for PostgreSQL, uncomment this line to ensure the PVC is mounted properly + # mountPath: /var/lib/pgsql/data # If running on OpenShift - uncomment the image, imageTag & extraEnv values below. + # For upgrades from previous deployments on PG9.6, use this # image: registry.access.redhat.com/rhscl/postgresql-96-rhel7 + + # For new installs, please use PG v13 instead of 9.6 + # image: registry.redhat.io/rhel9/postgresql-13 # imageTag: latest # extraEnv: # - name: POSTGRESQL_USER From 43d087f5d87ae80acafb4aefb0f0e0a817c756e0 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Mon, 10 Jul 2023 17:55:25 -0400 Subject: [PATCH 144/329] updating README for anchore on openshift deployment Signed-off-by: Hung Nguyen --- stable/anchore-engine/README.md | 25 +++++++++++++++++++++---- stable/anchore-engine/values.yaml | 6 ++++++ 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 0c886aa7..1e96193e 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -127,7 +127,7 @@ postgresql: - name: POSTGRESQL_USER value: anchoreengine - name: POSTGRESQL_PASSWORD - value: anchore-postgres,123 + value: - name: POSTGRESQL_DATABASE value: anchore - name: PGUSER @@ -136,7 +136,7 @@ postgresql: value: /opt/rh/rh-postgresql96/root/usr/lib64 - name: PATH value: /opt/rh/rh-postgresql96/root/usr/bin:/opt/app-root/src/bin:/opt/app-root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - postgresPassword: + postgresPassword: persistence: size: 20Gi @@ -145,6 +145,10 @@ anchoreGlobal: defaultAdminEmail: enableMetrics: True openShiftDeployment: True + securityContext: + runAsUser: null + runAsGroup: null + fsGroup: null anchore-feeds-db: image: registry.access.redhat.com/rhscl/postgresql-96-rhel7 
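Review bot: The new guidance points fresh installs at `registry.redhat.io/rhel9/postgresql-13` but the example still pairs it with the pre-existing `# imageTag: latest` on the following line, so anyone following the comment deploys a floating tag whose content changes under a persistent database volume on every pull and cannot be rolled back reproducibly. I would change the example to a pinned value and say why: `# imageTag: "<pinned tag or @sha256:digest>"  # avoid 'latest' for a stateful DB image`. The `postgresql:` block this sits in continues outside the hunk.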
@@ -153,7 +157,7 @@ anchore-feeds-db: - name: POSTGRESQL_USER value: anchoreengine - name: POSTGRESQL_PASSWORD - value: anchore-postgres,123 + value: - name: POSTGRESQL_DATABASE value: anchore - name: PGUSER @@ -162,13 +166,26 @@ anchore-feeds-db: value: /opt/rh/rh-postgresql96/root/usr/lib64 - name: PATH value: /opt/rh/rh-postgresql96/root/usr/bin:/opt/app-root/src/bin:/opt/app-root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - postgresPassword: + postgresPassword: persistence: size: 50Gi ui-redis: auth: password: + master: + podSecurityContext: + enabled: true + fsGroup: 1000670000 + containerSecurityContext: + enabled: true + runAsUser: 1000670000 + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" ``` # Chart Updates diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index da468b13..84b351e6 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -786,9 +786,15 @@ anchore-feeds-db: persistence: resourcePolicy: keep size: 20Gi + # If running on OpenShift using the RedHat images for PostgreSQL, uncomment this line to ensure the PVC is mounted properly + # mountPath: /var/lib/pgsql/data # If running on OpenShift - uncomment the image, imageTag & extraEnv values below. + # For upgrades from previous deployments on PG9.6, use this # image: registry.access.redhat.com/rhscl/postgresql-96-rhel7 + + # For new installs, please use PG v13 instead of 9.6 + # image: registry.redhat.io/rhel9/postgresql-13 # imageTag: latest # extraEnv: # - name: POSTGRESQL_USER From 4cce3bb2a85babaebc3eaeaeac6774782f2d5e34 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Mon, 17 Jul 2023 21:43:24 -0400 Subject: [PATCH 145/329] update upgrade jobs to use variables instead of lookup 
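Review bot: Same concern as for the main database block: the added comment recommends `registry.redhat.io/rhel9/postgresql-13` while the example keeps the existing `# imageTag: latest` underneath it, which is a mutable tag for a stateful service. Suggest `# imageTag: "<pinned tag or @sha256:digest>"  # avoid 'latest'` so the feeds DB example matches whatever pinning convention the chart adopts. The enclosing `anchore-feeds-db:` block continues outside the hunk.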
Signed-off-by: Hung Nguyen --- .../templates/engine_upgrade_job.yaml | 6 ++-- .../enterprise_feeds_upgrade_job.yaml | 6 ++-- .../templates/enterprise_upgrade_job.yaml | 6 ++-- .../hooks/pre-upgrade/0-db-upgrade.yaml | 30 +++++++++---------- 4 files changed, 24 insertions(+), 24 deletions(-) diff --git a/stable/anchore-engine/templates/engine_upgrade_job.yaml b/stable/anchore-engine/templates/engine_upgrade_job.yaml index 4ddd5898..c0b7bd0d 100644 --- a/stable/anchore-engine/templates/engine_upgrade_job.yaml +++ b/stable/anchore-engine/templates/engine_upgrade_job.yaml 
@@ -96,13 +96,13 @@ spec: args: {{- if not .Values.anchoreGlobal.dbConfig.ssl }} - | - {{ print (include "doSourceFile" .) }} anchore-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}" upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST/:5432}:${ANCHORE_DB_PORT:-5432}"/"${ANCHORE_DB_NAME}" upgrade --dontask; {{- else if eq .Values.anchoreGlobal.dbConfig.sslMode "require"}} - | - {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST/:5432}:${ANCHORE_DB_PORT:-5432}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; {{- else }} - | - {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; + {{ print (include "doSourceFile" .) 
}} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST/:5432}:${ANCHORE_DB_PORT:-5432}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; {{- end }} {{- if .Values.cloudsql.enabled }} - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; diff --git a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml index 7fd35652..03473ec1 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_upgrade_job.yaml 
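Review bot: `${ANCHORE_DB_HOST/:5432}` is a bash pattern-substitution, not POSIX; if this `args:` script is run by `/bin/sh` (the `command:` that selects the shell is outside the hunk, so I cannot confirm) dash rejects it with "Bad substitution" and the upgrade job fails before connecting. It also strips only the literal default port, so a host value that already carries a non-default port ends up as `host:5433:5433`, while the removed `postgres.anchore-db.port` helper quoted whatever port was configured. A portable form that strips exactly the configured port is `"${ANCHORE_DB_HOST%:${ANCHORE_DB_PORT:-5432}}:${ANCHORE_DB_PORT:-5432}"` in all three branches; better still would be to stop embedding the port in `ANCHORE_DB_HOST` where the secret is templated, if that is where it comes from.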
@@ -84,13 +84,13 @@ spec: args: {{- if not .Values.anchoreEnterpriseFeeds.dbConfig.ssl }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST/:5432}:${ANCHORE_FEEDS_DB_PORT:-5432}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST/:5432}:${ANCHORE_FEEDS_DB_PORT:-5432}"/"${ANCHORE_FEEDS_DB_NAME}" pre-upgrade-check; {{- else if eq .Values.anchoreEnterpriseFeeds.dbConfig.sslMode "require" }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode }} pre-upgrade-check; + {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST/:5432}:${ANCHORE_FEEDS_DB_PORT:-5432}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST/:5432}:${ANCHORE_FEEDS_DB_PORT:-5432}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode }} pre-upgrade-check; {{- else }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }} pre-upgrade-check; + {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST/:5432}:${ANCHORE_FEEDS_DB_PORT:-5432}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST/:5432}:${ANCHORE_FEEDS_DB_PORT:-5432}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }} pre-upgrade-check; {{- end }} {{- if .Values.cloudsql.enabled }} - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; diff --git a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml index 77e7888f..b80ed0cb 100644 --- a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml 
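Review bot: The same `${ANCHORE_FEEDS_DB_HOST/:5432}` expansion is bash-only and strips only the literal `:5432`, so under a POSIX `sh` entrypoint (not visible in the hunk) it is a syntax error and with a non-default port it doubles the port; `"${ANCHORE_FEEDS_DB_HOST%:${ANCHORE_FEEDS_DB_PORT:-5432}}:${ANCHORE_FEEDS_DB_PORT:-5432}"` is portable and port-aware. Separately, each branch runs `upgrade --dontask` and then `pre-upgrade-check` joined by `;`, so the check executes after the schema has already been migrated and its failure does not stop anything; unless `doSourceFile` sets `-e` (not shown), I would run `pre-upgrade-check` first and join the two commands with `&&`. The container spec around `args:` continues outside the hunk.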
@@ -84,13 +84,13 @@ spec: args: {{- if not .Values.anchoreGlobal.dbConfig.ssl }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST/:5432}:${ANCHORE_DB_PORT:-5432}"/"${ANCHORE_DB_NAME}" upgrade --dontask; anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST/:5432}:${ANCHORE_DB_PORT:-5432}"/"${ANCHORE_DB_NAME}" pre-upgrade-check; {{- else if eq .Values.anchoreGlobal.dbConfig.sslMode "require" }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; + {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST/:5432}:${ANCHORE_DB_PORT:-5432}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST/:5432}:${ANCHORE_DB_PORT:-5432}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; {{- else }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; + {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST/:5432}:${ANCHORE_DB_PORT:-5432}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST/:5432}:${ANCHORE_DB_PORT:-5432}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; {{- end }} {{- if .Values.cloudsql.enabled }} - sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; diff --git a/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml b/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml index 07d38220..41785829 100644 --- a/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml +++ b/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml 
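Review bot: `${ANCHORE_DB_PASSWORD}` is interpolated raw into the `postgresql://` URL in every branch, so a password containing URL-reserved characters (`@`, `/`, `?`, `#`, `%`) breaks DSN parsing, and the expanded DSN including the password becomes the process argv, readable from `/proc/<pid>/cmdline` and `ps` by anything else running in the container. Since `--db-connect` is the only interface shown, the least invasive fix is to percent-encode before building the URL, assuming `python3` is on PATH in the anchore-enterprise image (not visible here): `ENC_PW="$(python3 -c 'import os,urllib.parse;print(urllib.parse.quote(os.environ["ANCHORE_DB_PASSWORD"],safe=""))')"` and then use `"${ENC_PW}"` in place of `"${ANCHORE_DB_PASSWORD}"`. The new `${ANCHORE_DB_HOST/:5432}` expansion also needs a bash entrypoint; `"${ANCHORE_DB_HOST%:${ANCHORE_DB_PORT:-5432}}"` is the POSIX equivalent. The `command:` and the rest of the container spec are outside the hunk.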
@@ -198,19 +198,19 @@ spec: args: {{- if not .Values.anchoreGlobal.dbConfig.ssl }} - | - {{ print (include "doSourceFile" .) }} anchore-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}" upgrade --dontask; - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}" upgrade --dontask; - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}" pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST/:5432}:${ANCHORE_DB_PORT:-5432}"/"${ANCHORE_DB_NAME}" upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST/:5432}:${ANCHORE_DB_PORT:-5432}"/"${ANCHORE_DB_NAME}" upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST/:5432}:${ANCHORE_DB_PORT:-5432}"/"${ANCHORE_DB_NAME}" pre-upgrade-check; {{- else if eq .Values.anchoreGlobal.dbConfig.sslMode "require"}} - | - {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) 
-}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST/:5432}:${ANCHORE_DB_PORT:-5432}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST/:5432}:${ANCHORE_DB_PORT:-5432}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST/:5432}:${ANCHORE_DB_PORT:-5432}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode }} pre-upgrade-check; {{- else }} - | - {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) 
-}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"{{- print (include "db-hostname" .) -}}:{{- print (include "postgres.anchore-db.port" .) -}}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST/:5432}:${ANCHORE_DB_PORT:-5432}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST/:5432}:${ANCHORE_DB_PORT:-5432}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; + {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST/:5432}:${ANCHORE_DB_PORT:-5432}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreGlobal.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreGlobal.dbConfig.sslRootCertName }} pre-upgrade-check; {{- end }} {{- if .Values.cloudsql.enabled }} - | 
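Review bot: In each branch the three commands — `anchore-manager db … upgrade --dontask`, `anchore-enterprise-manager db … upgrade --dontask`, then `… pre-upgrade-check` — are plain sequential lines in the literal block with no `set -e` or `&&` visible, so the enterprise upgrade runs even if the engine upgrade just failed, and the pre-upgrade check runs only after both migrations have been applied, which makes it unable to gate anything in a pre-upgrade hook. I would move `pre-upgrade-check` to the first line and chain the three with `&&` (or add `set -eu` at the top of the script, if `doSourceFile` does not already). The `${ANCHORE_DB_HOST/:5432}` expansion introduced here is bash-specific and strips only the literal default port; `"${ANCHORE_DB_HOST%:${ANCHORE_DB_PORT:-5432}}:${ANCHORE_DB_PORT:-5432}"` works under `sh` and honours a non-default port. The shell is chosen by a `command:` outside the hunk.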
@@ -266,16 +266,16 @@ spec: args: {{- if not .Values.anchoreEnterpriseFeeds.dbConfig.ssl }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) -}}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) -}}"/"${ANCHORE_FEEDS_DB_NAME}" pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST/:5432}:${ANCHORE_FEEDS_DB_PORT:-5432}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST/:5432}:${ANCHORE_FEEDS_DB_PORT:-5432}"/"${ANCHORE_FEEDS_DB_NAME}" pre-upgrade-check; {{- else if eq .Values.anchoreEnterpriseFeeds.dbConfig.sslMode "require" }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) -}}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode }} upgrade --dontask; - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) 
-}}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode }} pre-upgrade-check; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST/:5432}:${ANCHORE_FEEDS_DB_PORT:-5432}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST/:5432}:${ANCHORE_FEEDS_DB_PORT:-5432}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode }} pre-upgrade-check; {{- else }} - | - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) -}}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }} upgrade --dontask; - {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"{{- print (include "feeds-db-hostname" .) -}}:{{- print (include "postgres.anchore-feeds-db.port" .) -}}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }} pre-upgrade-check; + {{ print (include "doSourceFile" .) 
}} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST/:5432}:${ANCHORE_FEEDS_DB_PORT:-5432}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }} upgrade --dontask; + {{ print (include "doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST/:5432}:${ANCHORE_FEEDS_DB_PORT:-5432}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreEnterpriseFeeds.dbConfig.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreEnterpriseFeeds.dbConfig.sslRootCertName }} pre-upgrade-check; {{- end }} {{- if .Values.cloudsql.enabled }} - | From 7cd480c95b5c0b28f6a14b93d6166b0a9cfcf8d2 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 18 Jul 2023 10:15:10 -0400 Subject: [PATCH 146/329] bump chart version Signed-off-by: Hung Nguyen --- stable/anchore-engine/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 074b099e..54cdeb94 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.26.5 +version: 1.26.6 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: From 95077bfe87f76f2001bc3c96a4e338107cbc9c2f Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 18 Jul 2023 10:16:51 -0400 Subject: [PATCH 147/329] remove unused functions in helpers Signed-off-by: Hung Nguyen --- stable/anchore-engine/templates/_helpers.tpl | 22 -------------------- 1 file changed, 22 deletions(-) 
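Review bot: The feeds branch of the hook has the same two issues as the engine branch above: `${ANCHORE_FEEDS_DB_HOST/:5432}` requires bash and only removes the literal `:5432`, so `"${ANCHORE_FEEDS_DB_HOST%:${ANCHORE_FEEDS_DB_PORT:-5432}}:${ANCHORE_FEEDS_DB_PORT:-5432}"` is the safer spelling, and `pre-upgrade-check` is run after `upgrade --dontask` with a bare `;`/newline between them, so it neither gates the migration nor stops the job on failure. Reordering to run the check first and joining with `&&` fixes both for the feeds DB as well. The `cloudsql` cleanup and the surrounding container spec continue outside the hunk.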
diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index 96804e2c..a194475b 100755 --- a/stable/anchore-engine/templates/_helpers.tpl +++ b/stable/anchore-engine/templates/_helpers.tpl @@ -411,17 +411,6 @@ Create feeds database hostname string from supplied values file. Used for settin {{- end }} {{- end }} -{{/* -Sets the port of the feeds-db. Used for the upgrade jobs. -*/}} -{{- define "postgres.anchore-feeds-db.port" -}} - {{- if (index .Values "anchore-feeds-db" "postgresPort") }} - {{- print (index .Values "anchore-feeds-db" "postgresPort" | quote) }} - {{- else }} - {{- print "5432" }} - {{- end }} -{{- end -}} - {{/* Create database hostname string from supplied values file. Used for setting the ANCHORE_DB_HOST env var in the UI & Engine secret. */}} @@ -436,17 +425,6 @@ Create database hostname string from supplied values file. Used for setting the {{- end }} {{- end }} -{{/* -Sets the port of the anchore-db. Used for the upgrade jobs. -*/}} -{{- define "postgres.anchore-db.port" -}} - {{- if (index .Values "postgresql" "postgresPort") }} - {{- print (index .Values "postgresql" "postgresPort" | quote) }} - {{- else }} - {{- print "5432" }} - {{- end }} -{{- end -}} - {{/* Allows sourcing of a specified file in the entrypoint of all containers when .Values.anchoreGlobal.doSourceAtEntry.enabled=true */}} From 19dd4963174198c3777563833300822f70ad0e72 Mon Sep 17 00:00:00 2001 From: Weston Steimel Date: Mon, 3 Jul 2023 14:00:03 +0100 Subject: [PATCH 148/329] feat: enable mariner vulnerability provider by default Signed-off-by: Weston Steimel --- stable/anchore-engine/templates/enterprise_feeds_configmap.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index 941c4d13..bcddecca 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml 
+++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml @@ -172,6 +172,8 @@ data: {{- end }} sles: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.slesDriverEnabled | quote) }} + mariner: + enabled: {{ default true (.Values.anchoreEnterpriseFeeds.marinerDriverEnabled) }} msrc: enabled: {{ .Values.anchoreEnterpriseFeeds.msrcDriverEnabled | quote }} {{- with .Values.anchoreEnterpriseFeeds.msrcWhitelist }} From 084289a2ad8bfa6260920271963690c476fa5370 Mon Sep 17 00:00:00 2001 From: Weston Steimel Date: Mon, 3 Jul 2023 15:31:18 +0100 Subject: [PATCH 149/329] chore: bump dev chart version Signed-off-by: Weston Steimel --- stable/anchore-engine/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 54cdeb94..ebaa78f8 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.26.6 +version: 1.27.0 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: From c53fe9cb59dc5b2ddb4a640ef88fd950d46e4b14 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 12 Jul 2023 13:28:32 -0400 Subject: [PATCH 150/329] change mariner true value to string Signed-off-by: Hung Nguyen --- stable/anchore-engine/templates/enterprise_feeds_configmap.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index bcddecca..abe5e3ab 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml 
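Review bot: `default true (.Values.anchoreEnterpriseFeeds.marinerDriverEnabled)` cannot be turned off: sprig's `default` treats a boolean `false` as empty, so `marinerDriverEnabled: false` still renders `enabled: true`. The `sles:` line directly above avoids this by piping through `| quote` first, which turns `false` into the non-empty string `"false"`; matching it, `enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.marinerDriverEnabled | quote) }}`, or using the `ne … false` form adopted elsewhere in this series, restores the opt-out. A values.yaml entry documenting the new key is also missing from the diffstat.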
@@ -173,7 +173,7 @@ data: sles: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.slesDriverEnabled | quote) }} mariner: - enabled: {{ default true (.Values.anchoreEnterpriseFeeds.marinerDriverEnabled) }} + enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.marinerDriverEnabled) }} msrc: enabled: {{ .Values.anchoreEnterpriseFeeds.msrcDriverEnabled | quote }} {{- with .Values.anchoreEnterpriseFeeds.msrcWhitelist }} From ce3673925c264517ec9aaa3cd915cdb53d0065e1 Mon Sep 17 00:00:00 2001 From: Christopher Phillips Date: Thu, 13 Jul 2023 12:17:04 -0400 Subject: [PATCH 151/329] chore: add required versions to readme Signed-off-by: Christopher Phillips --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 532cc939..d3774568 100644 --- a/README.md +++ b/README.md @@ -4,8 +4,8 @@ This repository contains Helm charts for deploying [Anchore](https://www.anchore ## Prerequisites -- [Helm](https://helm.sh/) - Helm is a package manager for Kubernetes that makes it easy to install and manage applications on your cluster. -- [Kubernetes](https://kubernetes.io/) - Kubernetes is an open-source container orchestration platform that is required to use Helm charts. +- [Helm](https://helm.sh/) (>=3.8) - Helm is a package manager for Kubernetes that makes it easy to install and manage applications on your cluster. +- [Kubernetes](https://kubernetes.io/) (>=1.25) - Kubernetes is an open-source container orchestration platform that is required to use Helm charts. ## Installation From 7ebd07e285da10f563015878c2f33cfb5b4673cd Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 14 Jul 2023 09:58:06 -0400 Subject: [PATCH 152/329] updating ecs image Signed-off-by: Hung Nguyen --- stable/ecs-inventory/values.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/stable/ecs-inventory/values.yaml b/stable/ecs-inventory/values.yaml index f19cd0f9..09ef6f7f 100644 --- a/stable/ecs-inventory/values.yaml 
+++ b/stable/ecs-inventory/values.yaml @@ -7,9 +7,10 @@ ## replicaCount: 1 -## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI +## @param image Image used for all Ecs Inventory deployment deployments +## use docker.io/anchore/ecs-inventory:v1.1.0-fips if you want an image built for fips use ## -image: "docker.io/anchore/ecs-inventory:v1.0.0" +image: "docker.io/anchore/ecs-inventory:v1.1.0" ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy From f8cb505a978b6dc232a629d791ff47dd7d80f909 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 14 Jul 2023 09:59:43 -0400 Subject: [PATCH 153/329] updating k8s-inventory tag Signed-off-by: Hung Nguyen --- stable/k8s-inventory/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/stable/k8s-inventory/values.yaml b/stable/k8s-inventory/values.yaml index 6cae8857..c449527d 100644 --- a/stable/k8s-inventory/values.yaml +++ b/stable/k8s-inventory/values.yaml @@ -10,11 +10,12 @@ replicaCount: 1 ## @param image.pullPolicy Image pull policy used by the K8s Inventory deployment ## @param image.repository Image used for the K8s Inventory deployment ## @param image.tag Image tag used for the K8s Inventory deployment +## use tag v1.0.2-fips if you want an image built for fips use ## image: pullPolicy: "IfNotPresent" repository: "anchore/k8s-inventory" - tag: "v1.0.0" + tag: "v1.0.2" ## @param imagePullSecrets secrets where Kubernetes should get the credentials for pulling private images ## From 55380ccc4866ceb27dda3e9f68dfe8d43f5b85c8 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 14 Jul 2023 10:00:47 -0400 Subject: [PATCH 154/329] bumping chart version Signed-off-by: Hung Nguyen --- stable/ecs-inventory/Chart.yaml | 2 +- stable/k8s-inventory/Chart.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
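Review bot: The rewritten `@param image` description reads "Image used for all Ecs Inventory deployment deployments", a duplicated word in the text that readme-generator copies into the README parameter table. Suggest `## @param image Image used for the ECS Inventory deployment`. The later commit that edits the FIPS line directly beneath it leaves this wording unchanged.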
diff --git a/stable/ecs-inventory/Chart.yaml b/stable/ecs-inventory/Chart.yaml index a4d302c4..87596fe2 100644 --- a/stable/ecs-inventory/Chart.yaml +++ b/stable/ecs-inventory/Chart.yaml @@ -20,7 +20,7 @@ maintainers: email: hung.nguyen@anchore.com type: application -version: 0.0.2 +version: 0.0.3 appVersion: "1.0.0" icon: https://anchore.com/wp-content/uploads/2016/08/anchore.png diff --git a/stable/k8s-inventory/Chart.yaml b/stable/k8s-inventory/Chart.yaml index c9216728..daf843fb 100644 --- a/stable/k8s-inventory/Chart.yaml +++ b/stable/k8s-inventory/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: k8s-inventory -version: 0.0.2 +version: 0.0.3 appVersion: "1.0.0" description: A Helm chart for Kubernetes Automated Inventory, which describes which images are in use in a given Kubernetes Cluster keywords: From a7aa5a71b1dc607595bbb27a3c550fe099238f1d Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 14 Jul 2023 10:20:56 -0400 Subject: [PATCH 155/329] update image comment for ecs-inventory and k8s-inventory Signed-off-by: Hung Nguyen --- stable/ecs-inventory/values.yaml | 2 +- stable/k8s-inventory/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/ecs-inventory/values.yaml b/stable/ecs-inventory/values.yaml index 09ef6f7f..ce4624ef 100644 --- a/stable/ecs-inventory/values.yaml +++ b/stable/ecs-inventory/values.yaml @@ -8,7 +8,7 @@ replicaCount: 1 ## @param image Image used for all Ecs Inventory deployment deployments -## use docker.io/anchore/ecs-inventory:v1.1.0-fips if you want an image built for fips use +## use docker.io/anchore/ecs-inventory:v1.1.0-fips-amd64 if you want an image built for fips use ## image: "docker.io/anchore/ecs-inventory:v1.1.0" diff --git a/stable/k8s-inventory/values.yaml b/stable/k8s-inventory/values.yaml index c449527d..0e81749d 100644 --- a/stable/k8s-inventory/values.yaml +++ b/stable/k8s-inventory/values.yaml 
@@ -10,7 +10,7 @@ replicaCount: 1 ## @param image.pullPolicy Image pull policy used by the K8s Inventory deployment ## @param image.repository Image used for the K8s Inventory deployment ## @param image.tag Image tag used for the K8s Inventory deployment -## use tag v1.0.2-fips if you want an image built for fips use +## use tag v1.0.2-fips-amd64 if you want an image built for fips use ## image: pullPolicy: "IfNotPresent" From b793fef3ac239725db9324539c2fb73699e8bf2b Mon Sep 17 00:00:00 2001 From: Bradley Jones Date: Thu, 17 Aug 2023 09:43:40 +0100 Subject: [PATCH 156/329] feat: bump to latest k8s-inventory version Signed-off-by: Bradley Jones --- stable/k8s-inventory/Chart.yaml | 2 +- stable/k8s-inventory/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/k8s-inventory/Chart.yaml b/stable/k8s-inventory/Chart.yaml index daf843fb..85002f75 100644 --- a/stable/k8s-inventory/Chart.yaml +++ b/stable/k8s-inventory/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: k8s-inventory -version: 0.0.3 +version: 0.0.4 appVersion: "1.0.0" description: A Helm chart for Kubernetes Automated Inventory, which describes which images are in use in a given Kubernetes Cluster keywords: diff --git a/stable/k8s-inventory/values.yaml b/stable/k8s-inventory/values.yaml index 0e81749d..2438eb41 100644 --- a/stable/k8s-inventory/values.yaml +++ b/stable/k8s-inventory/values.yaml @@ -15,7 +15,7 @@ replicaCount: 1 image: pullPolicy: "IfNotPresent" repository: "anchore/k8s-inventory" - tag: "v1.0.2" + tag: "v1.1.1" ## @param imagePullSecrets secrets where Kubernetes should get the credentials for pulling private images ## From 01dab04807edc8fc7ab587302aabb8e3eb3b62a2 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Thu, 17 Aug 2023 10:20:23 -0400 Subject: [PATCH 157/329] updating for enterprise 4.9 
Signed-off-by: Hung Nguyen --- stable/anchore-engine/templates/engine_configmap.yaml | 2 ++ stable/anchore-engine/values.yaml | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index 7c3d95f0..fde3c424 100644 --- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml @@ -67,6 +67,8 @@ data: # Defines a maximum compressed image size (MB) to be added for analysis # Value < 0 disables feature. Disabled by default max_compressed_image_size_mb: {{ default -1 .Values.anchoreGlobal.maxCompressedImageSizeMB }} + max_source_import_size_mb: {{ default 100 .Values.anchoreGlobal.maxSourceImportSizeMB }} + max_import_content_size_mb: {{ default 100 .Values.anchoreGlobal.maxImportContentSizeMB }} # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs. diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 84b351e6..3ff6c7c8 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -760,7 +760,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.8.1 + image: docker.io/anchore/enterprise:v4.9.0 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. 
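Review bot: The two new `max_*_size_mb` keys read `anchoreGlobal.maxSourceImportSizeMB` and `anchoreGlobal.maxImportContentSizeMB`, but the values.yaml part of this commit only bumps image tags, so neither knob is declared or documented where users look for it; add both under `anchoreGlobal` in values.yaml with a short description. The surrounding block documents `max_compressed_image_size_mb` with a comment while these two lines have none; a matching `# Maximum size (MB) accepted for source imports and import content payloads; defaults to 100 when unset` would keep the section consistent. Note also that `default 100` treats `0` as unset, so if `0` is a meaningful value for these limits it cannot be expressed through values — worth confirming against the service's config schema.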
@@ -1124,7 +1124,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v4.8.0 + image: docker.io/anchore/enterprise-ui:v4.9.0 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers. From abb86ad43b1cf31b0df5f48a68d83a3e2de3861a Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 23 Aug 2023 08:57:47 -0700 Subject: [PATCH 158/329] update readme Signed-off-by: Brady Todhunter --- stable/anchore-engine/README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 1e96193e..1a60793b 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -198,6 +198,10 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. +# Chart Version 1.27.0 + +* Anchore Enterprise image updated to v4.9.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/490/) + # Chart Version 1.26.3 * Anchore Enterprise image updated to v4.8.1 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/481/) 
@@ -527,6 +531,7 @@ metadata: name: anchore-enterprise-ui-env type: Opaque stringData: + # if using TLS to connect to Postgresql you must add the ?ssl=[require|verify-ca|verify-full] parameter to the end of the URI ANCHORE_APPDB_URI: postgresql://anchoreengine:anchore-postgres,123@anchore-postgresql:5432/anchore ANCHORE_REDIS_URI: redis://nouser:anchore-redis,123@anchore-ui-redis-master:6379 ``` From 8b94131203d5d869fc22637d74d0b0197171f9e5 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 23 Aug 2023 09:06:07 -0700 Subject: [PATCH 159/329] bump kind node images to test k8s 1.25 -> 1.28 Signed-off-by: Brady Todhunter --- .github/workflows/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 4cbb87f8..dfd7cbae 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -8,7 +8,7 @@ jobs: strategy: fail-fast: false matrix: - kubernetesVersion: ["v1.19.16", "v1.22.0", "v1.25.0"] + kubernetesVersion: ["v1.25.11", "1.26.6", "1.27.3", "1.28.0"] runs-on: ubuntu-latest steps: - name: Checkout From df2b10dc6ae809549be9c3d8e6c7642111f4d7e7 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 23 Aug 2023 09:09:02 -0700 Subject: [PATCH 160/329] use kind node images that match what k8s versions are available on EKS Signed-off-by: Brady Todhunter --- .github/workflows/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index dfd7cbae..a6792ae3 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -8,7 +8,7 @@ jobs: strategy: fail-fast: false matrix: - kubernetesVersion: ["v1.25.11", "1.26.6", "1.27.3", "1.28.0"] + kubernetesVersion: ["v1.23.17", "v1.24.14", "v1.25.11", "1.26.6", "1.27.3"] runs-on: ubuntu-latest steps: - name: Checkout From 43b72c022cec0ec90691a0593761db1f89a32484 Mon Sep 17 00:00:00 2001 
From: Brady Todhunter Date: Wed, 23 Aug 2023 09:12:35 -0700 Subject: [PATCH 161/329] fix typos on kind node tags Signed-off-by: Brady Todhunter --- .github/workflows/test.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index a6792ae3..42586b41 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -2,13 +2,12 @@ name: "Test using kind and chart-testing tool" on: - pull_request - jobs: test: strategy: fail-fast: false matrix: - kubernetesVersion: ["v1.23.17", "v1.24.14", "v1.25.11", "1.26.6", "1.27.3"] + kubernetesVersion: ["v1.23.17", "v1.24.15", "v1.25.11", "v1.26.6", "v1.27.3"] runs-on: ubuntu-latest steps: - name: Checkout From 49b1907e8a649982f658cbf8bdc2e11600dd3154 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 1 Sep 2023 15:14:21 -0700 Subject: [PATCH 162/329] Update Github Actions for Enterprise/Feeds charts Signed-off-by: Brady Todhunter Co-authored-by: Hung Nguyen --- .../chart-readme-table-generator.yaml | 57 +++++++++++++++++++ .github/workflows/deploy.yaml | 2 +- .github/workflows/helm-unittests.yaml | 50 ++++++++++++++++ .github/workflows/lint.yaml | 10 ++-- .github/workflows/test.yaml | 41 +++++++++---- 5 files changed, 144 insertions(+), 16 deletions(-) create mode 100644 .github/workflows/chart-readme-table-generator.yaml create mode 100644 .github/workflows/helm-unittests.yaml diff --git a/.github/workflows/chart-readme-table-generator.yaml b/.github/workflows/chart-readme-table-generator.yaml new file mode 100644 index 00000000..c16027c7 --- /dev/null +++ b/.github/workflows/chart-readme-table-generator.yaml 
@@ -0,0 +1,57 @@ +# Copyright VMware, Inc. +# SPDX-License-Identifier: APACHE-2.0 + +name: 'CHART README TABLE GENERATOR' + +on: + pull_request_target: + branches: + - main + paths: + # specify this for now until we get the readme table for all charts + - 'stable/enterprise/values.yaml' + - 'stable/feeds/values.yaml' +# Remove all permissions by default +permissions: {} +jobs: + update-readme-metadata: + env: + REPO: "${{ github.repository }}" + REPO_NAME: "${{ github.event.repository.name }}" + TARGET_BRANCH: "${{ github.event.pull_request.base.ref }}" + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - name: Install readme-generator-for-helm + run: npm install -g @bitnami/readme-generator-for-helm + + - name: Checkout charts + uses: actions/checkout@v3 + with: + path: ${{ github.repository }} + ref: ${{github.event.pull_request.head.ref}} + repository: ${{github.event.pull_request.head.repo.full_name}} + token: ${{ secrets.CI_WRITE_GITHUB_TOKEN }} + + - run: cd "${REPO}" && git fetch origin ${TARGET_BRANCH} + + - name: Execute readme-generator-for-helm + run: | + cd "${REPO}" + files_changed="$(git diff --name-only origin/${TARGET_BRANCH} | sort | uniq)" + # Adding || true to avoid "Process exited with code 1" errors + charts_dirs_changed="$(echo "$files_changed" | xargs dirname | grep -o "stable/[^/]*" | sort | uniq || true)" + for chart in ${charts_dirs_changed}; do + echo "Updating README.md for ${chart}" + readme-generator --values "${chart}/values.yaml" --readme "${chart}/README.md" --schema "/tmp/schema.json" + done + - name: Push changes + run: | + # Push all the changes + cd "${REPO}" + if git status -s | grep stable; then + git config user.name "Anchore BitnamiReadmeGenerator" + git config user.email "anchoreops-ci@anchore.com" + git add stable && git commit -m "Update README.md with readme-generator-for-helm" --signoff && git push + fi 
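Review bot: This job combines `pull_request_target` with a checkout of `github.event.pull_request.head.repo.full_name` at the PR head, `contents: write`, and `secrets.CI_WRITE_GITHUB_TOKEN`, then runs a tool over the checked-out `values.yaml` files and pushes with that token. `pull_request_target` executes in the base repository's trust context with secrets available, so a PR from a fork would have its content processed by a job holding a write-capable token; the `paths` filter narrows when the job runs, not what it trusts. At minimum gate the job on same-repository PRs, `if: github.event.pull_request.head.repo.full_name == github.repository`, or regenerate the tables from a maintainer-run workflow instead. `actions/checkout@v3` and `npm install -g @bitnami/readme-generator-for-helm` are also unpinned, so the committed output depends on whichever versions are current at run time; pin both.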
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 3d7643ad..dae5d278 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -21,7 +21,7 @@ jobs: git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - name: Run chart-releaser - uses: helm/chart-releaser-action@v1.0.0 + uses: helm/chart-releaser-action@v1.5.0 with: charts_dir: stable charts_repo_url: https://charts.anchore.io diff --git a/.github/workflows/helm-unittests.yaml b/.github/workflows/helm-unittests.yaml new file mode 100644 index 00000000..ad3e39b2 --- /dev/null +++ b/.github/workflows/helm-unittests.yaml 
@@ -0,0 +1,50 @@ +# Copyright VMware, Inc. +# SPDX-License-Identifier: APACHE-2.0 + +name: 'Helm Unit Tests' + +on: + - pull_request + +# Remove all permissions by default +permissions: {} +jobs: + helm-unittests: + env: + REPO: "${{ github.repository }}" + REPO_NAME: "${{ github.event.repository.name }}" + TARGET_BRANCH: "${{ github.event.pull_request.base.ref }}" + runs-on: ubuntu-latest + steps: + - name: Checkout charts + uses: actions/checkout@v3 + with: + path: ${{ github.repository }} + ref: ${{github.event.pull_request.head.ref}} + repository: ${{github.event.pull_request.head.repo.full_name}} + token: ${{ secrets.CI_WRITE_GITHUB_TOKEN }} + + - name: Set up Helm + uses: azure/setup-helm@v3 + with: + version: v3.8.0 + + - name: Install helm-unittest + run: | + helm plugin install https://github.com/helm-unittest/helm-unittest.git + + - run: cd "${REPO}" && git fetch origin ${TARGET_BRANCH} + + - name: Execute helm-unittests + run: | + cd "${REPO}" + files_changed="$(git diff --name-only origin/${TARGET_BRANCH} | sort | uniq)" + # Adding || true to avoid "Process exited with code 1" errors + charts_dirs_changed="$(echo "$files_changed" | xargs dirname | grep -o "stable/[^/]*" | sort | uniq || true)" + for chart in ${charts_dirs_changed}; do + echo "running helm unittest . for ${chart}" + pushd "${chart}" + helm dep build + helm unittest . + popd + done diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index e70272ec..1311620e 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml 
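Review bot: The checkout step takes `secrets.CI_WRITE_GITHUB_TOKEN` although this job only fetches the base branch, installs a plugin and runs `helm unittest`; a write-capable token is more privilege than a test job needs, and with the file's `permissions: {}` the default token having no read access is presumably what made the PAT necessary. Grant the job `permissions:` / `contents: read` and drop the `token:` line so the default read-only token is used. On `pull_request` runs from a fork the secret would resolve to empty anyway, so the step's behaviour differs by PR origin. `helm plugin install https://github.com/helm-unittest/helm-unittest.git` installs whatever the plugin repository's default branch currently holds; pin it with `--version` so test results are reproducible.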
@@ -16,21 +16,21 @@ jobs: run: git fetch --prune --unshallow - name: Shellcheck - uses: ludeeus/action-shellcheck@1.0.0 + uses: ludeeus/action-shellcheck@2.0.0 - name: Set up chart-testing - uses: helm/chart-testing-action@v2.3.1 + uses: helm/chart-testing-action@v2.4.0 - name: Run chart-testing (list-changed) id: list-changed run: | - changed=$(ct list-changed --config 'ct-config.yaml' --target-branch ${{ github.event.repository.default_branch }}) + changed=$(ct list-changed --config 'ct-config.yaml' --target-branch ${{ github.event.pull_request.base.ref }}) if [[ -n "$changed" ]]; then - echo "::set-output name=changed::true" + echo "CHANGED=true" >> "$GITHUB_OUTPUT" fi - name: Run chart-testing (lint) id: lint run: ct lint --config 'ct-config.yaml' - if: steps.list-changed.outputs.changed == 'true' + if: steps.list-changed.outputs.CHANGED == 'true' diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 42586b41..3d59f965 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml 
@@ -17,31 +17,52 @@ jobs: run: git fetch --prune --unshallow - name: Shellcheck - uses: ludeeus/action-shellcheck@1.0.0 + uses: ludeeus/action-shellcheck@2.0.0 + + - uses: actions/setup-python@v2 + with: + python-version: 3.7 + + - name: Set up Helm + uses: azure/setup-helm@v3 + with: + version: v3.8.0 - name: Set up chart-testing - uses: helm/chart-testing-action@v2.3.1 + uses: helm/chart-testing-action@v2.4.0 - name: Run chart-testing (list-changed) id: list-changed run: | - changed=$(ct list-changed --config 'ct-config.yaml' --target-branch ${{ github.event.repository.default_branch }}) + changed=$(ct list-changed --config 'ct-config.yaml' --target-branch ${{ github.event.pull_request.base.ref }}) if [[ -n "$changed" ]]; then - echo "::set-output name=changed::true" + echo "CHANGED=true" >> "$GITHUB_OUTPUT" fi - name: Install kind - uses: helm/kind-action@v1.4.0 + if: steps.list-changed.outputs.CHANGED == 'true' + uses: helm/kind-action@v1.8.0 with: node_image: "kindest/node:${{ matrix.kubernetesVersion }}" config: kind-config.yaml wait: 600s - if: steps.list-changed.outputs.changed == 'true' - name: Check kind nodes + if: steps.list-changed.outputs.CHANGED == 'true' run: kubectl describe nodes - if: steps.list-changed.outputs.changed == 'true' - - name: Run chart-testing (install) - run: ct install --config 'ct-config.yaml' - if: steps.list-changed.outputs.changed == 'true' + - name: Create pullcreds and license secrets + if: steps.list-changed.outputs.CHANGED == 'true' + run: | + kubectl create namespace anchore + echo "${ANCHORE_LICENSE}" | base64 --decode > /tmp/anchore-license + kubectl --namespace anchore create secret generic anchore-enterprise-license --from-file=license.yaml=/tmp/anchore-license + kubectl --namespace anchore create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username="${DOCKER_USER}" --docker-password="${DOCKER_PASS}" + env: + ANCHORE_LICENSE: ${{ secrets.B64_ANCHORE_LICENSE }} + DOCKER_USER: 
${{ secrets.ANCHORECI_DOCKER_USER }} + DOCKER_PASS: ${{ secrets.ANCHORECI_DOCKER_PASS }} + + - name: Run chart-testing + if: steps.list-changed.outputs.CHANGED == 'true' + run: ct install --config ct-config.yaml From b8298eabc246aad2b5c6558256af9300cefa37c8 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 1 Sep 2023 15:15:18 -0700 Subject: [PATCH 163/329] Add Enterprise Feeds Chart 
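Review bot: `python-version: 3.7` in the new setup-python step is an unquoted float; it round-trips for 3.7 but `3.10` would be read as `3.1`, so quote it, `python-version: "3.7"`, and `actions/setup-python@v2` lags the v3 actions this same change uses elsewhere. In the new secrets step, if this workflow can run for PRs from forks, `secrets.*` resolve to empty, so `base64 --decode` writes an empty license file and `kubectl create secret` succeeds with empty credentials; the failure then surfaces later in `ct install` rather than at its cause. A one-line guard, `[ -n "${ANCHORE_LICENSE}" ] || { echo "B64_ANCHORE_LICENSE is not set" >&2; exit 1; }`, fails the step where the problem is visible. The `test` job this hunk modifies begins above the hunk.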
Signed-off-by: Brady Todhunter Co-authored-by: Hung Nguyen --- stable/feeds/.helmignore | 23 + stable/feeds/Chart.lock | 9 + stable/feeds/Chart.yaml | 29 + stable/feeds/README.md | 392 ++++++++++ stable/feeds/files/default_config.yaml | 127 +++ stable/feeds/templates/NOTES.txt | 10 + stable/feeds/templates/_common.tpl | 81 ++ stable/feeds/templates/_helpers.tpl | 35 + stable/feeds/templates/_names.tpl | 35 + .../templates/anchore_vars_configmap.yaml | 90 +++ stable/feeds/templates/feeds-configmap.yaml | 16 + stable/feeds/templates/feeds-deployment.yaml | 179 +++++ stable/feeds/templates/feeds-pvc.yaml | 26 + stable/feeds/templates/feeds-secret.yaml | 32 + .../hooks/post-upgrade/upgrade_job.yaml | 116 +++ .../hooks/pre-upgrade/upgrade_job.yaml | 126 +++ .../hooks/pre-upgrade/upgrade_rbac.yaml | 75 ++ stable/feeds/templates/ingress.yaml | 70 ++ .../__snapshot__/configmap_test.yaml.snap | 132 ++++ .../prehook_upgrade_resources_test.yaml.snap | 109 +++ stable/feeds/tests/common_helpers_test.yaml | 724 ++++++++++++++++++ stable/feeds/tests/configmap_test.yaml | 12 + stable/feeds/tests/feeds_resources_test.yaml | 312 ++++++++ .../posthook_upgrade_resources_test.yaml | 178 +++++ .../tests/prehook_upgrade_resources_test.yaml | 253 ++++++ stable/feeds/tests/values.yaml | 13 + stable/feeds/values.yaml | 580 ++++++++++++++ 27 files changed, 3784 insertions(+) create mode 100644 stable/feeds/.helmignore create mode 100644 stable/feeds/Chart.lock create mode 100644 stable/feeds/Chart.yaml create mode 100644 stable/feeds/README.md create mode 100644 stable/feeds/files/default_config.yaml create mode 100644 stable/feeds/templates/NOTES.txt create mode 100644 stable/feeds/templates/_common.tpl create mode 100644 stable/feeds/templates/_helpers.tpl create mode 100644 stable/feeds/templates/_names.tpl create mode 100644 stable/feeds/templates/anchore_vars_configmap.yaml create mode 100644 stable/feeds/templates/feeds-configmap.yaml create mode 100644 
stable/feeds/templates/feeds-deployment.yaml create mode 100644 stable/feeds/templates/feeds-pvc.yaml create mode 100644 stable/feeds/templates/feeds-secret.yaml create mode 100644 stable/feeds/templates/hooks/post-upgrade/upgrade_job.yaml create mode 100644 stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml create mode 100644 stable/feeds/templates/hooks/pre-upgrade/upgrade_rbac.yaml create mode 100644 stable/feeds/templates/ingress.yaml create mode 100644 stable/feeds/tests/__snapshot__/configmap_test.yaml.snap create mode 100644 stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap create mode 100644 stable/feeds/tests/common_helpers_test.yaml create mode 100644 stable/feeds/tests/configmap_test.yaml create mode 100644 stable/feeds/tests/feeds_resources_test.yaml create mode 100644 stable/feeds/tests/posthook_upgrade_resources_test.yaml create mode 100644 stable/feeds/tests/prehook_upgrade_resources_test.yaml create mode 100644 stable/feeds/tests/values.yaml create mode 100644 stable/feeds/values.yaml diff --git a/stable/feeds/.helmignore b/stable/feeds/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/stable/feeds/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/stable/feeds/Chart.lock b/stable/feeds/Chart.lock new file mode 100644 index 00000000..caa7f617 --- /dev/null +++ b/stable/feeds/Chart.lock 
@@ -0,0 +1,9 @@ +dependencies: +- name: postgresql + repository: oci://registry-1.docker.io/bitnamicharts + version: 12.5.9 +- name: postgresql + repository: oci://registry-1.docker.io/bitnamicharts + version: 12.5.9 +digest: sha256:6670b5909223600bcf27ee6d17622a027aabcff38256ac2352ca58ab0e059fc8 +generated: "2023-07-12T14:26:05.057884-07:00" diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml new file mode 100644 index 00000000..20bd7734 --- /dev/null +++ b/stable/feeds/Chart.yaml @@ -0,0 +1,29 @@ +apiVersion: v2 +name: feeds +type: application +version: "0.0.1" +appVersion: "4.9.0" +kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x +description: Anchore feeds service +keywords: + - "anchore" + - "anchore-feeds" +maintainers: + - name: zhill + email: zach@anchore.com + - name: btodhunter + email: bradyt@anchore.com + - name: hnguyen + email: hung.nguyen@anchore.com +icon: https://anchore.com/wp-content/uploads/2016/08/anchore.png +dependencies: + - name: postgresql + version: "12.5" + repository: "oci://registry-1.docker.io/bitnamicharts" + condition: feeds-db.chartEnabled + alias: feeds-db + - name: postgresql + version: "~12.5" + repository: "oci://registry-1.docker.io/bitnamicharts" + condition: gem-db.chartEnabled,anchoreConfig.feeds.drivers.gem.enabled + alias: gem-db diff --git a/stable/feeds/README.md b/stable/feeds/README.md new file mode 100644 index 00000000..4966bc27 --- /dev/null +++ b/stable/feeds/README.md 
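Review bot: The two `postgresql` dependencies in `Chart.yaml` express what appears to be the same constraint two ways, `version: "12.5"` for `feeds-db` and `version: "~12.5"` for `gem-db`; Chart.lock resolves both to 12.5.9, which suggests Helm treats them as the same range, but the mixed spelling reads as a deliberate difference. Use one form for both, e.g. `version: "~12.5"`. The duplicated chart entry itself is fine since the aliases and conditions differ, though a one-line comment above the second entry stating why a separate `gem-db` instance exists would help readers.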
@@ -0,0 +1,392 @@ +# Anchore Enterprise Feeds Helm Chart + +This Helm chart deploys the Anchore Enterprise Feeds service on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Anchore Enterprise Feeds is an On-Premises service that supplies operating system and non-operating system vulnerability data and package data for consumption by Anchore Policy Engine. Policy Engine uses this data for finding vulnerabilities and evaluating policies. + +See the [Anchore Feeds Documentation](https://docs.anchore.com/current/docs/overview/feeds/) for more details. + +## Table of Contents + +- [Prerequisites](#prerequisites) +- [Installing the Chart](#installing-the-chart) +- [Uninstalling the Chart](#uninstalling-the-chart) +- [Configuration](#configuration) + - [Feeds External Database Configuration](#feeds-external-database-configuration) + - [Feeds Driver Configuration](#feeds-driver-configuration) + - [Existing Secrets](#existing-secrets) + - [Ingress](#ingress) + - [Installing on Openshift](#installing-on-openshift) +- [Parameters](#parameters) +- [Release Notes](#release-notes) + +## Prerequisites + +* [Helm](https://helm.sh/) >=3.8 +* [Kubernetes](https://kubernetes.io/) >=1.23 + +## Installing the Chart + +**View the [Chart Release Notes](#release-notes) for the latest changes prior to installation or upgrading.** + +Create a kubernetes secret containing your license file + +```shell +export LICENSE_PATH="PATH TO LICENSE.YAML" + +kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=${LICENSE_PATH} +``` + +Create a kubernetes secret containing DockerHub credentials with access to the private Anchore Enterprise repositories. Contact [Anchore Support](https://get.anchore.com/contact/) for access. 
+ +```shell +export DOCKERHUB_PASSWORD="YOUR DOCKERHUB PASSWORD" +export DOCKERHUB_USER="YOUR DOCKERHUB USERNAME" +export DOCKERHUB_EMAIL="YOUR EMAIL ADDRESS" + +kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=${DOCKERHUB_USER} --docker-password=${DOCKERHUB_PASSWORD} --docker-email=${DOCKERHUB_EMAIL} +``` + +Add Helm Chart Repository And Install Chart + +```shell +helm repo add anchore https://charts.anchore.io +``` + +Create a new file named `anchore_values.yaml` and add all desired custom [values](#parameters); then run the following command: + +```shell +export RELEASE="YOUR RELEASE NAME" + +helm install ${RELEASE} -f anchore_values.yaml anchore/feeds +``` + +> **Note:** This installs Anchore Feeds with a chart-managed Postgresql database, which may not be a production ready configuration. + +> **Tip**: List all releases using `helm list` + +These commands deploy the Anchore Enterprise Feeds service on the Kubernetes cluster with default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +## Uninstalling the Chart + +To uninstall/delete the deployment: + +```bash +export RELEASE="YOUR RELEASE NAME" + +helm delete ${RELEASE} +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration + +The following sections describe the various configuration options available for Anchore Enterprise. The default configuration is set in the included [values file](https://github.com/anchore/anchore-charts-dev/blob/main/stable/enterprise/values.yaml). To override these values, create a custom `anchore_values.yaml` file and add the desired configuration options. You custom values file can be passed to `helm install` using the `-f` flag. + +Contact [Anchore Support](get.anchore.com/contact/) for more assistance with configuring your deployment. 
+ +### Feeds External Database Configuration + +Anchore Enterprise Feeds require access to a Postgres-compatible database, version 12 or higher to operate. Note that this is a separate database from the primary Anchore Enterprise database. For Enterprise Feeds, an external database such as AWS RDS or Google CloudSQL is recommended for production deployments. The Helm chart provides a chart-managed database by default unless otherwise configured. + +See previous examples of configuring RDS Postgres and Google CloudSQL. + +```yaml +anchoreConfig: + database: + ssl: true + sslMode: require + +feeds-db: + # enabled: false disables the chart-managed Postgres instance; this is a Helmism + enabled: false + + # auth.username, auth.password & auth.database are required values for external Postgres + auth.password: + auth.username: + auth.database: + + # Required for external Postgres. + # Specify an external (already existing) Postgres deployment for use. + # Set to the host eg. mypostgres.myserver.io + externalEndpoint: +``` + +### Feeds Driver Configuration + +This service is comprised of different drivers for different vulnerability feeds. The drivers can be configured separately, and some drivers require a token or other credential. + +See the [Anchore Enterprise Feeds](https://docs.anchore.com/current/docs/configuration/feeds/) documentation for details. + +```yaml +anchoreConfig: + feeds: + github: + enabled: true + # The GitHub feeds driver requires a GitHub developer personal access token with no permission scopes selected. + # See https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token + token: your-github-token + + # Enable microsoft feeds + msrc: + enabled: true +``` + +### Existing Secrets + +For deployment scenarios that require version-controlled configuration to be used, it is recommended that credentials not be stored in values files. 
To accomplish this, you can manually create Kubernetes secrets and specify them as existing secrets in your values files. + +Below we show example Kubernetes secret objects, and how they would be used in Anchore Enterprise configuration. + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: anchore-enterprise-feeds-env + app: anchore +type: Opaque +stringData: + ANCHORE_ADMIN_PASSWORD: "" + ANCHORE_FEEDS_DB_PASSWORD: "" +``` + +```yaml +useExistingSecrets: true +``` + +### Ingress + +[Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. Kubernetes supports a variety of ingress controllers, including AWS ALB controllers and GCE controllers. + +This Helm chart provides basic ingress configuration suitable for customization. You can expose routes for Anchore Feeds APIs by configuring the `ingress:` section in your values file. + +Ingress is disabled by default in the Helm chart. The NGINX ingress controller with the core API and UI routes can be enabled by changing the `ingress.enabled` value to `true`. + +Note that the [Kubernetes NGINX ingress controller](https://kubernetes.github.io/ingress-nginx/) must be installed into the cluster for this configuration to work. + +```yaml +ingress: + enabled: true +``` + +### Installing on Openshift + +By default, we assign the `securityContext.fsGroup`, `securityContext.runAsGroup`, and `securityContext.runAsUser` to `1000`. This will most likely fail on openshift for not being in the range determined by the `openshift.io/sa.scc.uid-range` annotation openshift attaches to the namespace when created. If using the chartEnabled postgresql, postgres will fail to come up as well due to this reason. + +1. Either disable the securityContext or set the appropriate values. +2. 
If using the chartEnabled postgres, you will also need to either disable the feeds-db.primary.podSecurityContext and feeds-db.primary.containerSecurityContext, or set the appropriate values for them + +Note: disabling the containerSecurityContext and podSecurityContext may not be suitable for production. See [Redhat's documentation](https://docs.openshift.com/container-platform/4.13/authentication/managing-security-context-constraints.html#managing-pod-security-policies) on what may be suitable for production. + +For more information on the openshift.io/sa.scc.uid-range annotation, see the [openshift docs](https://docs.openshift.com/dedicated/authentication/managing-security-context-constraints.html#security-context-constraints-pre-allocated-values_configuring-internal-oauth) + +```shell +helm install feedsy anchore/feeds \ + --set securityContext.fsGroup=null \ + --set securityContext.runAsGroup=null \ + --set securityContext.runAsUser=null \ + --set feeds-db.primary.containerSecurityContext.enabled=false \ + --set feeds-db.primary.podSecurityContext.enabled=false +``` + +#### Example OpenShift values file + +```yaml +# NOTE: This is not a production ready values file for an openshift deployment. +securityContext: + fsGroup: null + runAsGroup: null + runAsUser: null + +feeds-db: + primary: + containerSecurityContext: + enabled: false + podSecurityContext: + enabled: false +``` + +## Parameters + +### Common Resource Parameters + +| Name | Description | Value | +| ------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | +| `standalone` | Enable running the Anchore Feeds service in standalone mode | `true` | +| `enterpriseFullname` | set the fullname on enterprise resources. Only needed when standalone=false and fullnameOverride is set for the enterprise chart. 
| `""` | +| `fullnameOverride` | overrides the fullname set on resources | `""` | +| `nameOverride` | overrides the name set on resources | `""` | +| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v4.9.0` | +| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | +| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | +| `serviceAccountName` | Name of a service account used to run all Feeds pods | `""` | +| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | +| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | +| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | +| `extraEnv` | Common environment variables set on all containers | `[]` | +| `labels` | Common labels set on all Kubernetes resources | `{}` | +| `annotations` | Common annotations set on all Kubernetes resources | `{}` | +| `resources` | Resource requests and limits for Anchore Feeds pods | `{}` | +| `nodeSelector` | Node labels for Anchore Feeds pod assignment | `{}` | +| `tolerations` | Tolerations for Anchore Feeds pod assignment | `[]` | +| `affinity` | Affinity for Anchore Feeds pod assignment | `{}` | +| `service.type` | Service type for Anchore Feeds | `ClusterIP` | +| `service.port` | Service port for Anchore Feeds | `8448` | +| `service.annotations` | Annotations for Anchore Feeds service | `{}` | +| `service.labels` | Labels for Anchore Feeds service | `{}` | +| `scratchVolume.mountPath` | The mount path of an external volume for scratch space for image analysis | `/anchore_scratch` | +| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions | `false` | +| `scratchVolume.details` | Details for the k8s volume to be created | `{}` | +| 
`persistence.enabled` | Enable mounting an external volume for feeds driver workspace | `true` | +| `persistence.resourcePolicy` | Resource policy Helm annotation on PVC. Can be nil or "keep" | `keep` | +| `persistence.existingClaim` | Specify an existing volume claim | `""` | +| `persistence.storageClass` | Persistent volume storage class | `""` | +| `persistence.accessMode` | Access Mode for persistent volume | `ReadWriteOnce` | +| `persistence.size` | Size of persistent volume | `40Gi` | +| `persistence.mountPath` | Mount path on Anchore Feeds container for persistent volume | `/workspace` | +| `persistence.subPath` | Directory name used for persistent volume storage | `feeds-workspace` | +| `persistence.annotations` | Annotations for PVC | `{}` | +| `extraVolumes` | mounts additional volumes to each pod | `[]` | +| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | +| `securityContext.runAsUser` | The securityContext runAsUser for all Feeds pods | `1000` | +| `securityContext.runAsGroup` | The securityContext runAsGroup for all Feeds pods | `1000` | +| `securityContext.fsGroup` | The securityContext fsGroup for all Feeds pods | `1000` | +| `containerSecurityContext` | The securityContext for all Feeds containers | `{}` | +| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | +| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | +| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | +| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | +| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | +| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | +| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | +| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | +| `probes.readiness.successThreshold` | 
Success threshold for the readiness probe | `1` | +| `doSourceAtEntry.enabled` | Does a `source` of the file paths defined before starting Anchore services | `false` | +| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | +| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | +| `existingSecretName` | Name of the existing secret to be used for Anchore Feeds Service | `anchore-enterprise-feeds-env` | +| `configOverride` | Allows for overriding the default Anchore configuration file | `{}` | + + +### Anchore Feeds Configuration Parameters + +| Name | Description | Value | +| -------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | +| `anchoreConfig.service_dir` | Path to directory where default Anchore configs are placed at startup | `/anchore_service` | +| `anchoreConfig.log_level` | The log level for Anchore services | `INFO` | +| `anchoreConfig.keys.secret` | The shared secret used for signing & encryption, auto-generated by Helm if not set | `""` | +| `anchoreConfig.keys.privateKeyFileName` | The file name of the private key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` | +| `anchoreConfig.keys.publicKeyFileName` | The file name of the public key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` | +| `anchoreConfig.user_authentication.oauth.enabled` | Enable OAuth for Anchore user authentication | `false` | +| `anchoreConfig.user_authentication.oauth.default_token_expiration_seconds` | The expiration, in seconds, for OAuth tokens | `3600` | +| 
`anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds` | The expiration, in seconds, for OAuth refresh tokens | `86400` | +| `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `false` | +| `anchoreConfig.user_authentication.sso_require_existing_users` | set to true in order to disable the SSO JIT provisioning during authentication | `false` | +| `anchoreConfig.metrics.enabled` | Enable Prometheus metrics for all Anchore services | `false` | +| `anchoreConfig.metrics.auth_disabled` | Disable auth on Prometheus metrics for all Anchore services | `false` | +| `anchoreConfig.database.timeout` | | `120` | +| `anchoreConfig.database.ssl` | Enable SSL/TLS for the database connection | `false` | +| `anchoreConfig.database.sslMode` | The SSL mode to use for database connection | `require` | +| `anchoreConfig.database.sslRootCertFileName` | File name of the database root CA certificate stored in the k8s secret specified with .Values.certStoreSecretName | `""` | +| `anchoreConfig.database.db_pool_size` | The database max connection pool size | `30` | +| `anchoreConfig.database.db_pool_max_overflow` | The maximum overflow size of the database connection pool | `100` | +| `anchoreConfig.database.engineArgs` | Set custom database engine arguments for SQLAlchemy | `{}` | +| `anchoreConfig.internalServicesSSL.enabled` | Force all Enterprise services to use SSL for internal communication | `false` | +| `anchoreConfig.internalServicesSSL.verifyCerts` | Enable cert verification against the local cert bundle, if this set to false self-signed certs are allowed | `false` | +| `anchoreConfig.internalServicesSSL.certSecretKeyFileName` | File name of the private key used for internal SSL stored in the secret specified in .Values.certStoreSecretName | `""` | +| `anchoreConfig.internalServicesSSL.certSecretCertFileName` | File name of the root CA certificate used for internal SSL stored in the secret 
specified in .Values.certStoreSecretName | `""` | +| `anchoreConfig.feeds.cycle_timers.driver_sync` | Time delay in seconds between consecutive driver runs for processing data | `7200` | +| `anchoreConfig.feeds.drivers.debian.releases` | Additional Debian feeds groups | `{}` | +| `anchoreConfig.feeds.drivers.ubuntu.releases` | Additional Ubuntu feed groups | `{}` | +| `anchoreConfig.feeds.drivers.npm.enabled` | Enable vulnerability drivers for npm data | `false` | +| `anchoreConfig.feeds.drivers.gem.enabled` | Enable vulnerability drivers for gem data | `false` | +| `anchoreConfig.feeds.drivers.gem.db_connect` | Defines the database endpoint used for loading the rubygems package data as a PostgreSQL dump | `postgresql://${ANCHORE_GEM_DB_USER}:${ANCHORE_GEM_DB_PASSWORD}@${ANCHORE_GEM_DB_HOST}:${ANCHORE_GEM_DB_PORT}/${ANCHORE_GEM_DB_NAME}` | +| `anchoreConfig.feeds.drivers.nvdv2.api_key` | The NVD API key value | `nil` | +| `anchoreConfig.feeds.drivers.msrc.enabled` | Enable Microsoft feeds | `false` | +| `anchoreConfig.feeds.drivers.msrc.whitelist` | MSRC product IDs for generating feed data, this extends the pre-defined list of product IDs | `[]` | +| `anchoreConfig.feeds.drivers.github.enabled` | Enable GitHub advisory feeds (requires GitHub PAT) | `false` | +| `anchoreConfig.feeds.drivers.github.token` | GitHub developer personal access token with zero permission scopes | `nil` | + + +### Anchore Feeds Database Parameters + +| Name | Description | Value | +| ------------------------------------------- | ------------------------------------------------------------------------------------------------- | ----------------------- | +| `feeds-db.chartEnabled` | Use the dependent chart for Feeds Postgresql deployment | `true` | +| `feeds-db.externalEndpoint` | External Feeds Postgresql hostname when not using Helm managed chart (eg. 
mypostgres.myserver.io) | `""` | +| `feeds-db.auth.username` | Username used to connect to Postgresql | `anchore-feeds` | +| `feeds-db.auth.password` | Password used to connect to Postgresql | `anchore-postgres,123` | +| `feeds-db.auth.database` | Database name used when connecting to Postgresql | `anchore-feeds` | +| `feeds-db.primary.service.ports.postgresql` | Port used to connect to Postgresql | `5432` | +| `feeds-db.primary.persistence.size` | Configure size of the persistent volume used with helm managed chart | `20Gi` | +| `feeds-db.primary.extraEnvVars` | An array to add extra environment variables | `[]` | +| `feeds-db.image.tag` | Specifies the image to use for this chart. | `13.11.0-debian-11-r15` | + + +### Feeds Gem Database Parameters + +| Name | Description | Value | +| ----------------------------------------- | ------------------------------------------------------------------------------------------- | ----------------------- | +| `gem-db.chartEnabled` | Use the dependent chart for Postgresql deployment | `false` | +| `gem-db.externalEndpoint` | External Postgresql hostname when not using Helm managed chart (eg. mypostgres.myserver.io) | `""` | +| `gem-db.auth.username` | Username used to connect to Postgresql | `anchore-gem-feeds` | +| `gem-db.auth.password` | Password used to connect to Postgresql | `anchore-postgres,123` | +| `gem-db.auth.database` | Database name used when connecting to Postgresql | `anchore-gem-feeds` | +| `gem-db.primary.service.ports.postgresql` | Port used to connect to Postgresql | `5432` | +| `gem-db.primary.persistence.size` | Configure size of the persistent volume used with helm managed chart | `20Gi` | +| `gem-db.primary.extraEnvVars` | An array to add extra environment variables | `[]` | +| `gem-db.image.tag` | Specifies the image to use for this chart. 
| `13.11.0-debian-11-r15` | + + +### Anchore Feeds Upgrade Job Parameters + +| Name | Description | Value | +| ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `feedsUpgradeJob.enabled` | Enable the Anchore Feeds database upgrade job | `true` | +| `feedsUpgradeJob.force` | Force the Anchore Feeds database upgrade job to run as a regular job instead of as a Helm hook | `false` | +| `feedsUpgradeJob.rbacCreate` | Create RBAC resources for the upgrade job | `true` | +| `feedsUpgradeJob.serviceAccountName` | Use an existing service account for the upgrade job | `""` | +| `feedsUpgradeJob.usePostUpgradeHook` | Use a Helm post-upgrade hook to run the upgrade job instead of the default pre-upgrade hook. This job does not require creating RBAC resources. | `false` | +| `feedsUpgradeJob.nodeSelector` | Node labels for the Anchore Feeds upgrade job pod assignment | `{}` | +| `feedsUpgradeJob.tolerations` | Tolerations for the Anchore Feeds upgrade job pod assignment | `[]` | +| `feedsUpgradeJob.affinity` | Affinity for the Anchore Feeds upgrade job pod assignment | `{}` | +| `feedsUpgradeJob.annotations` | Annotations for the Anchore Feeds upgrade job | `{}` | +| `feedsUpgradeJob.labels` | Labels for the Anchore Feeds upgrade job | `{}` | +| `feedsUpgradeJob.resources` | Resources for the Anchore Feeds upgrade job | `{}` | + + +### Ingress Parameters + +| Name | Description | Value | +| -------------------------- | ------------------------------------------------------------------ | ----------- | +| `ingress.enabled` | Create an ingress resource for external Anchore service APIs | `false` | +| `ingress.labels` | Labels for the ingress resource | `{}` | +| `ingress.annotations` | Annotations for the ingress resource | `{}` | +| `ingress.hosts` | List of custom hostnames for the Anchore Feeds API | `[]` | +| `ingress.path` | The 
path used for accessing the Anchore Feeds API | `/v1/feeds` | +| `ingress.tls` | Configure tls for the ingress resource | `[]` | +| `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | + + +### Google CloudSQL DB Parameters + +| Name | Description | Value | +| -------------------------------- | ------------------------------------------------------------------------------ | ----------------------------------------- | +| `cloudsql.enabled` | Use CloudSQL proxy container for GCP database access | `false` | +| `cloudsql.image` | Image to use for GCE CloudSQL Proxy | `gcr.io/cloudsql-docker/gce-proxy:1.25.0` | +| `cloudsql.imagePullPolicy` | Image Pull Policy to use for CloudSQL image | `IfNotPresent` | +| `cloudsql.instance` | CloudSQL instance, eg: 'project:zone:instancename' | `""` | +| `cloudsql.useExistingServiceAcc` | Use existing service account | `false` | +| `cloudsql.serviceAccSecretName` | | `""` | +| `cloudsql.serviceAccJsonName` | | `""` | +| `cloudsql.extraArgs` | a list of extra arguments to be passed into the cloudsql container command. eg | `[]` | + +## Release Notes + +A major chart version change (v0.1.2 -> v1.0.0) indicates that there is an **incompatible breaking change needing manual actions.** + +A minor chart version change (v0.1.2 -> v0.2.0) indicates a change that **may require updates to your values file.** + +### v0.0.1 + +* This is a pre-release version of the Anchore Enterprise Helm chart. It is not intended for production use. diff --git a/stable/feeds/files/default_config.yaml b/stable/feeds/files/default_config.yaml new file mode 100644 index 00000000..ed3d1b8f --- /dev/null +++ b/stable/feeds/files/default_config.yaml 
@@ -0,0 +1,127 @@
+service_dir: ${ANCHORE_SERVICE_DIR}
+tmp_dir: ${ANCHORE_TMP_DIR}
+log_level: ${ANCHORE_LOG_LEVEL}
+
+host_id: "${ANCHORE_HOST_ID}"
+internal_ssl_verify: ${ANCHORE_INTERNAL_SSL_VERIFY}
+
+global_client_connect_timeout: ${ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT}
+global_client_read_timeout: ${ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT}
+server_request_timeout_seconds: ${ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC}
+
+license_file: ${ANCHORE_LICENSE_FILE}
+auto_restart_services: false
+
+metrics:
+  enabled: ${ANCHORE_ENABLE_METRICS}
+  auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH}
+
+keys:
+  secret: ${ANCHORE_SAML_SECRET}
+  public_key_path: ${ANCHORE_AUTH_PRIVKEY}
+  private_key_path: ${ANCHORE_AUTH_PUBKEY}
+
+user_authentication:
+  hashed_passwords: ${ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS}
+  sso_require_existing_users: ${ANCHORE_SSO_REQUIRES_EXISTING_USERS}
+  oauth:
+    enabled: ${ANCHORE_OAUTH_ENABLED}
+    default_token_expiration_seconds: ${ANCHORE_OAUTH_TOKEN_EXPIRATION}
+    refresh_token_expiration_seconds: ${ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION}
+
+credentials:
+  database:
+    user: "${ANCHORE_FEEDS_DB_USER}"
+    password: "${ANCHORE_FEEDS_DB_PASSWORD}"
+    host: "${ANCHORE_FEEDS_DB_HOST}"
+    port: "${ANCHORE_FEEDS_DB_PORT}"
+    name: "${ANCHORE_FEEDS_DB_NAME}"
+    db_connect_args:
+      timeout: ${ANCHORE_FEEDS_DB_TIMEOUT}
+      ssl: ${ANCHORE_FEEDS_DB_SSL}
+      {{- if .Values.anchoreConfig.database.ssl }}
+      sslmode: ${ANCHORE_FEEDS_DB_SSL_MODE}
+      sslrootcert: ${ANCHORE_FEEDS_DB_SSL_ROOT_CERT}
+      {{- end }}
+    db_pool_size: ${ANCHORE_FEEDS_DB_POOL_SIZE}
+    db_pool_max_overflow: ${ANCHORE_FEEDS_DB_POOL_MAX_OVERFLOW}
+    {{- with .Values.anchoreConfig.database.engineArgs }}
+    db_engine_args: {{- toYaml . | nindent 6 }}
+    {{- end }}
+
+services:
+  feeds:
+    enabled: true
+    require_auth: true
+    endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}
+    listen: '0.0.0.0'
+    port: ${ANCHORE_PORT}
+    max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}
+    cycle_timers: {{- toYaml .Values.anchoreConfig.feeds.cycle_timers | nindent 6 }}
+    local_workspace: ${ANCHORE_FEEDS_LOCAL_WORKSPACE}
+    workspace_preload:
+      enabled: ${ANCHORE_FEEDS_WORKSPACE_PRELOAD}
+      workspace_preload_file: "/workspace_preload/data.tar.gz"
+    api_only: ${ANCHORE_FEEDS_API_ONLY}
+    drivers:
+      amzn:
+        enabled: ${ANCHORE_FEEDS_DRIVER_AMAZON_ENABLED}
+      alpine:
+        enabled: ${ANCHORE_FEEDS_DRIVER_ALPINE_ENABLED}
+      centos:
+        enabled: false
+      debian:
+        enabled: ${ANCHORE_FEEDS_DRIVER_DEBIAN_ENABLED}
+        {{- with .Values.anchoreConfig.feeds.drivers.debian.releases }}
+        releases: {{- toYaml . | nindent 10 }}
+        {{- end }}
+      ol:
+        enabled: ${ANCHORE_FEEDS_DRIVER_OL_ENABLED}
+      ubuntu:
+        enabled: ${ANCHORE_FEEDS_DRIVER_UBUNTU_ENABLED}
+        git_url: ${ANCHORE_FEEDS_DRIVER_UBUNTU_URL}
+        git_branch: ${ANCHORE_FEEDS_DRIVER_UBUNTU_BRANCH}
+        {{- with .Values.anchoreConfig.feeds.drivers.ubuntu.releases }}
+        releases: {{- toYaml . | nindent 10 }}
+        {{- end }}
+      rhel:
+        enabled: ${ANCHORE_FEEDS_DRIVER_RHEL_ENBALED}
+        concurrency: ${ANCHORE_FEEDS_DRIVER_RHEL_CONCURRENCY}
+      npm:
+        enabled: ${ANCHORE_FEEDS_DRIVER_NPM_ENABLED}
+      gem:
+        enabled: ${ANCHORE_FEEDS_DRIVER_GEM_ENABLED}
+        {{- if .Values.anchoreConfig.feeds.drivers.gem.enabled }}
+        db_connect: {{ .Values.anchoreConfig.feeds.drivers.gem.db_connect }}
+        {{- end }}
+      nvdv2:
+        enabled: ${ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED}
+        api_key: ${ANCHORE_NVD_API_KEY}
+      msrc:
+        enabled: ${ANCHORE_FEEDS_DRIVER_MSRC_ENABLED}
+        {{- with .Values.anchoreConfig.feeds.drivers.msrc.whitelist }}
+        whitelist:
+          - {{ . }}
+        {{- end }}
+      github:
+        enabled: ${ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED}
+        token: ${ANCHORE_GITHUB_TOKEN}
+      grypedb:
+        enabled: ${ANCHORE_FEEDS_DRIVER_GRYPEDB_ENABLED}
+        external_feeds_url: "${ANCHORE_FEEDS_EXTERNAL_URL}"
+        preload:
+          enabled: ${ANCHORE_FEEDS_GRYPEDB_PRELOAD_ENABLED}
+          workspace_archive_path: ${ANCHORE_FEEDS_GRYPEDB_PRELOAD_PATH}
+        persist_provider_workspaces: ${ANCHORE_FEEDS_GRYPEDB_PERSIST_WORKSPACE}
+        restore_provider_workspaces: ${ANCHORE_FEEDS_GRYPEDB_RESTORE_WORKSPACE}
+      sles:
+        enabled: ${ANCHORE_FEEDS_DRIVER_SLES_ENABLED}
+      anchore_match_exclusions:
+        enabled: ${ANCHORE_FEEDS_DRIVER_MATCH_EXCLUSIONS}
+      wolfi:
+        enabled: ${ANCHORE_FEEDS_DRIVER_WOLFI_ENABLED}
+      chainguard:
+        enabled: ${ANCHORE_FEEDS_DRIVER_CHAINGUARD_ENABLED}
+    ssl_enable: ${ANCHORE_SSL_ENABLED}
+    ssl_cert: ${ANCHORE_SSL_CERT}
+    ssl_key: ${ANCHORE_SSL_KEY}
\ No newline at end of file
diff --git a/stable/feeds/templates/NOTES.txt b/stable/feeds/templates/NOTES.txt
new file mode 100644
index 00000000..ef6fda7e
--- /dev/null
+++ b/stable/feeds/templates/NOTES.txt
@@ -0,0 +1,10 @@
+You need the URL, username, and password to access the Feeds API
+
+The Feeds API can be accessed via port {{ .Values.service.port }} on the following DNS name from within the cluster:
+
+    {{ include "feeds.fullname" . -}}.{{- .Release.Namespace -}}.svc.cluster.local
+
+Initial setup time can be >120sec for postgresql setup and readiness checks to pass for the services as indicated by pod state.
+You can check with:
+
+    kubectl get pods -l app.kubernetes.io/name={{- template "feeds.fullname" . -}},app.kubernetes.io/component=feeds
\ No newline at end of file
diff --git a/stable/feeds/templates/_common.tpl b/stable/feeds/templates/_common.tpl
new file mode 100644
index 00000000..b8b473a5
--- /dev/null
+++ b/stable/feeds/templates/_common.tpl
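Review bot: The key paths under `keys:` look cross-wired: `public_key_path: ${ANCHORE_AUTH_PRIVKEY}` and `private_key_path: ${ANCHORE_AUTH_PUBKEY}`, so unless the deployment template (not visible here) deliberately exports those two variables the other way round, the service is pointed at the private key where it expects the public one and vice versa; they should read `public_key_path: ${ANCHORE_AUTH_PUBKEY}` and `private_key_path: ${ANCHORE_AUTH_PRIVKEY}`. In the msrc driver, `{{- with ...msrc.whitelist }}` binds `.` to the whole value, so `- {{ . }}` renders a list as one item; if whitelist is a list as the README's `[]` default suggests, `whitelist: {{- toYaml . | nindent 10 }}` is the correct form. `${ANCHORE_FEEDS_DRIVER_RHEL_ENBALED}` is spelled differently from every other `_ENABLED` variable; if the deployment exports `ANCHORE_FEEDS_DRIVER_RHEL_ENABLED`, this substitution never resolves and `rhel.enabled` is left empty. `secret`, `token` and `api_key` are substituted unquoted, so a value that looks numeric or contains `: ` is retyped or breaks the parse; quote them the way the `credentials.database` entries already are, e.g. `secret: "${ANCHORE_SAML_SECRET}"`.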
@@ -0,0 +1,81 @@ +{{/* +Common annotations +*/}} +{{- define "feeds.common.annotations" -}} +{{- if and (not .nil) (not .Values.annotations) }} + {{- print "{}" }} +{{- else }} + {{- with .Values.annotations }} + {{- toYaml . }} + {{- end }} +{{- end }} +{{- end -}} + +{{/* +Setup a container for the cloudsql proxy to run in all pods when .Values.cloudsql.enabled = true +*/}} +{{- define "feeds.common.cloudsqlContainer" -}} +- name: cloudsql-proxy + image: {{ .Values.cloudsql.image }} + imagePullPolicy: {{ .Values.cloudsql.imagePullPolicy }} +{{- with .Values.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 4 }} +{{- end }} + command: ["/cloud_sql_proxy"] + args: + - "-instances={{ .Values.cloudsql.instance }}=tcp:5432" + {{- if .Values.cloudsql.extraArgs }} + {{- range $arg := .Values.cloudsql.extraArgs }} + - {{ quote $arg }} + {{- end }} + {{- end }} + {{- if .Values.cloudsql.useExistingServiceAcc }} + - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}" + volumeMounts: + - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }} + name: {{ .Values.cloudsql.serviceAccSecretName }} + readOnly: true +{{- end }} +{{- end -}} + +{{/* +Common environment variables +*/}} +{{- define "feeds.common.environment" -}} +{{- with .Values.extraEnv }} + {{- toYaml . }} +{{- end }} +- name: ANCHORE_HOST_ID + valueFrom: + fieldRef: + fieldPath: metadata.name +- name: ANCHORE_ENDPOINT_HOSTNAME + value: {{ template "feeds.fullname" . }} +- name: ANCHORE_PORT + value: {{ .Values.service.port | quote }} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "feeds.common.labels" -}} +app.kubernetes.io/name: {{ template "feeds.fullname" . 
}} +app.kubernetes.io/component: feeds +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/version: {{ .Chart.AppVersion }} +app.kubernetes.io/part-of: anchore +app.kubernetes.io/managed-by: {{ .Release.Service }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- with .Values.labels }} +{{ toYaml . }} +{{- end }} +{{- end -}} + +{{/* +Return anchore default selector match labels +*/}} +{{- define "feeds.common.matchLabels" -}} +app.kubernetes.io/name: {{ template "feeds.fullname" . }} +app.kubernetes.io/component: feeds +{{- end -}} \ No newline at end of file diff --git a/stable/feeds/templates/_helpers.tpl b/stable/feeds/templates/_helpers.tpl new file mode 100644 index 00000000..1b35b3a0 --- /dev/null +++ b/stable/feeds/templates/_helpers.tpl 
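Review bot: `feeds.common.cloudsqlContainer` hard-codes the v1 Cloud SQL proxy binary and flag spelling (`/cloud_sql_proxy`, `-instances=...=tcp:5432`, `-credential_file=`) while the image itself is whatever `.Values.cloudsql.image` points at, so an operator who swaps in a v2 Cloud SQL Auth Proxy image presumably gets a sidecar that fails on its first flag and takes the feeds pod down with it. A template comment above the define, such as `{{/* Expects a v1 cloud_sql_proxy image: the command and flag names below are v1-specific */}}`, makes that contract explicit. The credential mount is correctly `readOnly: true`; the same comment could note that the proxy's TCP listener is shared by every container in the pod, so the database password is the only thing gating it from the main container.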
@@ -0,0 +1,35 @@
+{{/*
+Create feeds database hostname string from supplied values file. Used for setting the ANCHORE_FEEDS_DB_HOST env var in the Feeds secret.
+*/}}
+{{- define "feeds.dbHostname" -}}
+{{- if and (index .Values "feeds-db" "externalEndpoint") (not (index .Values "feeds-db" "enabled")) }}
+ {{- print ( index .Values "feeds-db" "externalEndpoint" ) }}
+{{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "feeds-db" "enabled")) }}
+ {{- print "localhost" }}
+{{- else }}
+ {{- $db_host := include "feeds-db.fullname" . }}
+ {{- printf "%s" $db_host }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Allows sourcing of a specified file in the entrypoint of all containers when .Values.doSourceAtEntry.enabled = true
+*/}}
+{{- define "feeds.doSourceFile" -}}
+{{- if .Values.doSourceAtEntry.enabled }}
+ {{- range $index, $file := .Values.doSourceAtEntry.filePaths }}
+ {{- printf "if [ -f %v ];then source %v;fi;" $file $file }}
+ {{- end }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Return the proper protocol when internal SSL is enabled
+*/}}
+{{- define "feeds.setProtocol" -}}
+{{- if .Values.anchoreConfig.internalServicesSSL.enabled }}
+ {{- print "https" }}
+{{- else }}
+ {{- print "http" }}
+{{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/stable/feeds/templates/_names.tpl b/stable/feeds/templates/_names.tpl
new file mode 100644
index 00000000..951a0665
--- /dev/null
+++ b/stable/feeds/templates/_names.tpl
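Review bot: `feeds.doSourceFile` interpolates each `doSourceAtEntry.filePaths` entry unquoted into `if [ -f %v ];then source %v;fi;`, so a path containing whitespace or shell metacharacters splits the `[ -f ]` test or is interpreted by the shell; the values are operator-supplied, so this is a robustness rather than an injection concern, but the fix is cheap: `{{- printf "if [ -f '%s' ]; then . '%s'; fi;" $file $file }}`. Using `.` instead of `source` also matters because the deployment runs this prefix under `/bin/sh -c`, where `source` only exists if `/bin/sh` happens to be bash in the image. `feeds.dbHostname` looks right, though a one-line comment that the `cloudsql` branch returns `localhost` because the proxy sidecar listens inside the pod would save the next reader a lookup.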
@@ -0,0 +1,35 @@
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+
+{{- define "feeds.enterprise.fullname" -}}
+{{- if .Values.enterpriseFullname }}
+ {{- .Values.enterpriseFullname | trunc 63 | trimSuffix "-" }}
+{{- else }}
+ {{- printf "%s-%s" .Release.Name "enterprise" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
+{{- define "feeds.fullname" -}}
+{{- if .Values.fullnameOverride }}
+ {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+ {{- $name := default .Chart.Name .Values.nameOverride }}
+ {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
+{{- define "feeds.upgradeJob.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- printf "%s-%s-%s-%s" .Release.Name $name (.Chart.AppVersion | replace "." "") "upgrade" | trunc 63 | trimSuffix "-" }}
+{{- end -}}
+
+{{- define "feeds-db.fullname" -}}
+{{- printf "%s-%s" .Release.Name "feeds-db" | trunc 63 | trimSuffix "-" }}
+{{- end -}}
+
+{{- define "gem-db.fullname" -}}
+{{- printf "%s-%s" .Release.Name "gem-db" | trunc 63 | trimSuffix "-" }}
+{{- end -}}
diff --git a/stable/feeds/templates/anchore_vars_configmap.yaml b/stable/feeds/templates/anchore_vars_configmap.yaml
new file mode 100644
index 00000000..11cf9cfd
--- /dev/null
+++ b/stable/feeds/templates/anchore_vars_configmap.yaml
@@ -0,0 +1,90 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "feeds.fullname" . }}-config-env-vars + namespace: {{ .Release.Namespace }} + labels: {{- include "feeds.common.labels" . | nindent 4 }} + annotations: {{- include "feeds.common.annotations" . | nindent 4 }} +data: + ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "{{ .Values.anchoreConfig.user_authentication.hashed_passwords }}" +{{- with .Values.anchoreConfig.keys.publicKeyFileName }} + ANCHORE_AUTH_PRIVKEY: "/home/anchore/certs/{{- . }}" +{{- else }} + ANCHORE_AUTH_PRIVKEY: "null" +{{- end }} +{{- with .Values.anchoreConfig.keys.privateKeyFileName }} + ANCHORE_AUTH_PUBKEY: "/home/anchore/certs/{{- . }}" +{{- else }} + ANCHORE_AUTH_PUBKEY: "null" +{{- end }} + ANCHORE_CLI_URL: "http://localhost:8228" + ANCHORE_CLI_USER: "admin" + ANCHORECTL_URL: "http://localhost:8228" + ANCHORECTL_USERNAME: "admin" + ANCHORE_DISABLE_METRICS_AUTH: "{{ .Values.anchoreConfig.metrics.auth_disabled }}" + ANCHORE_ENABLE_METRICS: "{{ .Values.anchoreConfig.metrics.enabled }}" + ANCHORE_FEEDS_API_ONLY: "false" + ANCHORE_FEEDS_DB_POOL_MAX_OVERFLOW: "{{ .Values.anchoreConfig.database.db_pool_max_overflow }}" + ANCHORE_FEEDS_DB_POOL_SIZE: "{{ .Values.anchoreConfig.database.db_pool_size }}" + ANCHORE_FEEDS_DB_SSL: "{{ .Values.anchoreConfig.database.ssl }}" + ANCHORE_FEEDS_DB_SSL_MODE: "{{ .Values.anchoreConfig.database.sslMode }}" +{{- with .Values.anchoreConfig.database.sslRootCertFileName }} + ANCHORE_FEEDS_DB_SSL_ROOT_CERT: "/home/anchore/certs/{{- . 
}}" +{{- else }} + ANCHORE_FEEDS_DB_SSL_ROOT_CERT: "null" +{{- end }} + ANCHORE_FEEDS_DB_TIMEOUT: "{{ .Values.anchoreConfig.database.timeout }}" + ANCHORE_FEEDS_DRIVER_ALPINE_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_AMAZON_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_CHAINGUARD_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_DEBIAN_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_GEM_ENABLED: "{{ .Values.anchoreConfig.feeds.drivers.gem.enabled }}" + ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED: "{{ .Values.anchoreConfig.feeds.drivers.github.enabled }}" + ANCHORE_FEEDS_DRIVER_GRYPEDB_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_MATCH_EXCLUSIONS: "true" + ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: "{{ .Values.anchoreConfig.feeds.drivers.msrc.enabled }}" + ANCHORE_FEEDS_DRIVER_NPM_ENABLED: "{{ .Values.anchoreConfig.feeds.drivers.npm.enabled }}" + ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_OL_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_RHEL_CONCURRENCY: "5" + ANCHORE_FEEDS_DRIVER_RHEL_ENBALED: "true" + ANCHORE_FEEDS_DRIVER_SLES_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_UBUNTU_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_UBUNTU_URL: "https://git.launchpad.net/ubuntu-cve-tracker" + ANCHORE_FEEDS_DRIVER_UBUNTU_BRANCH: "master" + ANCHORE_FEEDS_DRIVER_WOLFI_ENABLED: "true" + ANCHORE_FEEDS_EXTERNAL_URL: "null" + ANCHORE_FEEDS_LOCAL_WORKSPACE: "{{ .Values.persistence.mountPath }}" + ANCHORE_FEEDS_GRYPEDB_PRELOAD_ENABLED: "true" + ANCHORE_FEEDS_GRYPEDB_PRELOAD_PATH: "/preload/grype-db-workspace.tar.gz" + ANCHORE_FEEDS_GRYPEDB_PERSIST_WORKSPACE: "true" + ANCHORE_FEEDS_GRYPEDB_RESTORE_WORKSPACE: "true" + ANCHORE_FEEDS_PACKAGES_ENABLED: "false" + ANCHORE_FEEDS_WORKSPACE_PRELOAD: "true" + ANCHORE_GITHUB_TOKEN: "null" + ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT: "0" + ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT: "0" + ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC: "180" + ANCHORE_INTERNAL_SSL_VERIFY: "{{ .Values.anchoreConfig.internalServicesSSL.verifyCerts }}" + ANCHORE_LICENSE_FILE: "/home/anchore/license.yaml" + ANCHORE_LOG_LEVEL: "{{ 
.Values.anchoreConfig.log_level }}" + ANCHORE_MAX_REQUEST_THREADS: "50" + ANCHORE_NVD_API_KEY: "null" + ANCHORE_OAUTH_ENABLED: "{{ .Values.anchoreConfig.user_authentication.oauth.enabled }}" + ANCHORE_OAUTH_TOKEN_EXPIRATION: "{{ .Values.anchoreConfig.user_authentication.oauth.default_token_expiration_seconds }}" + ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION: "{{ .Values.anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds }}" + ANCHORE_SAML_SECRET: "null" + ANCHORE_SERVICE_DIR: "{{ .Values.anchoreConfig.service_dir }}" + ANCHORE_SSL_ENABLED: "{{ .Values.anchoreConfig.internalServicesSSL.enabled }}" +{{- with .Values.anchoreConfig.internalServicesSSL.certSecretCertFileName }} + ANCHORE_SSL_CERT: "/home/anchore/certs/{{- . }}" +{{- else }} + ANCHORE_SSL_CERT: "null" +{{- end }} +{{- with .Values.anchoreConfig.internalServicesSSL.certSecretKeyFileName }} + ANCHORE_SSL_KEY: "/home/anchore/certs/{{- . }}" +{{- else }} + ANCHORE_SSL_KEY: "null" +{{- end }} + ANCHORE_SSO_REQUIRES_EXISTING_USERS: "{{ .Values.anchoreConfig.user_authentication.sso_require_existing_users }}" + ANCHORE_TMP_DIR: "{{ .Values.scratchVolume.mountPath }}" \ No newline at end of file diff --git a/stable/feeds/templates/feeds-configmap.yaml b/stable/feeds/templates/feeds-configmap.yaml new file mode 100644 index 00000000..ae8f66c0 --- /dev/null +++ b/stable/feeds/templates/feeds-configmap.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "feeds.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "feeds.common.labels" . | nindent 4 }} + annotations: {{- include "feeds.common.annotations" . | nindent 4 }} +data: + config.yaml: | + # Anchore Feeds Service Configuration File, mounted from a configmap + # +{{- if .Values.configOverride }} +{{ toYaml .Values.configOverride | indent 4 }} +{{- else }} +{{ tpl (.Files.Get "files/default_config.yaml") . | indent 4 }} +{{- end }} 
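Review bot: The auth key file names are crossed in this ConfigMap: `ANCHORE_AUTH_PRIVKEY` is rendered inside `{{- with .Values.anchoreConfig.keys.publicKeyFileName }}` and `ANCHORE_AUTH_PUBKEY` inside `{{- with .Values.anchoreConfig.keys.privateKeyFileName }}`, so the service is handed the public key where it expects the private key and vice versa; swap the two `with` conditions so `privateKeyFileName` feeds `ANCHORE_AUTH_PRIVKEY` and `publicKeyFileName` feeds `ANCHORE_AUTH_PUBKEY`. `ANCHORE_FEEDS_DRIVER_RHEL_ENBALED` is misspelled, consistently with the `${ANCHORE_FEEDS_DRIVER_RHEL_ENBALED}` reference in default_config.yaml earlier in this patch, so it works today but both sites have to be renamed together. The `"null"` placeholders for `ANCHORE_GITHUB_TOKEN`, `ANCHORE_NVD_API_KEY` and `ANCHORE_SAML_SECRET` only get overridden because the Secret is listed after this ConfigMap in the pod's `envFrom` (last source wins); a comment here recording that ordering dependency would stop a future reorder from silently blanking those credentials.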
diff --git a/stable/feeds/templates/feeds-deployment.yaml b/stable/feeds/templates/feeds-deployment.yaml new file mode 100644 index 00000000..1f9a4af1 --- /dev/null +++ b/stable/feeds/templates/feeds-deployment.yaml 
@@ -0,0 +1,179 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "feeds.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "feeds.common.labels" . | nindent 4 }} + annotations: {{- include "feeds.common.annotations" . | nindent 4 }} +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: {{- include "feeds.common.matchLabels" . | nindent 6 }} + template: + metadata: + labels: {{- include "feeds.common.labels" . | nindent 8 }} + annotations: {{- include "feeds.common.annotations" (merge (dict "nil" true) .) | nindent 8 }} + {{- if not .Values.injectSecretsViaEnv }} + checksum/secrets: {{ include (print $.Template.BasePath "/feeds-secret.yaml") . | sha256sum }} + {{- end }} + checksum/feeds-config: {{ include (print $.Template.BasePath "/feeds-configmap.yaml") . | sha256sum }} + spec: + {{- with .Values.securityContext }} + securityContext: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.serviceAccountName }} + serviceAccountName: {{ . }} + {{- end }} + {{- with .Values.imagePullSecretName }} + imagePullSecrets: + - name: {{ . }} + {{- end }} + {{- if and .Values.scratchVolume.fixGroupPermissions .Values.securityContext.fsGroup }} + initContainers: + - name: mode-fixer + image: alpine + securityContext: + runAsUser: 0 + volumeMounts: + - name: "anchore-scratch" + mountPath: {{ .Values.scratchVolume.mountPath }} + command: + - sh + - -c + - (chmod 0775 {{ .Values.scratchVolume.mountPath }}; chgrp {{ .Values.securityContext.fsGroup }} {{ .Values.scratchVolume.mountPath }} ) + {{- end }} + containers: + {{- if .Values.cloudsql.enabled }} + {{- include "feeds.common.cloudsqlContainer" . | nindent 8 }} + {{- end }} + - name: "{{ .Chart.Name }}-feeds" + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{ toYaml . 
| nindent 12 }} + {{- end }} + command: ["/bin/sh", "-c"] + args: + - {{ print (include "feeds.doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade feeds + ports: + - containerPort: {{ .Values.service.port }} + name: feeds-api + envFrom: + - configMapRef: + name: {{ template "feeds.fullname" . }}-config-env-vars + {{- if not .Values.standalone }} + - configMapRef: + name: {{ template "feeds.enterprise.fullname" . }}-config-env-vars + {{- end }} + {{- if not .Values.injectSecretsViaEnv }} + {{- if .Values.useExistingSecrets }} + - secretRef: + name: {{ .Values.existingSecretName }} + {{- else }} + - secretRef: + name: {{ template "feeds.fullname" . }} + {{- end }} + {{- end }} + env: {{- include "feeds.common.environment" . | nindent 12 }} + volumeMounts: + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + - name: config-volume + mountPath: /config/config.yaml + subPath: config.yaml + - name: "anchore-scratch" + mountPath: {{ .Values.scratchVolume.mountPath }} + - name: anchore-license + mountPath: /home/anchore/license.yaml + subPath: license.yaml + {{- if (.Values.certStoreSecretName) }} + - name: certs + mountPath: /home/anchore/certs/ + readOnly: true + {{- end }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + livenessProbe: + httpGet: + path: /health + port: feeds-api + scheme: {{ include "feeds.setProtocol" . | upper }} + initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} + timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }} + periodSeconds: {{ .Values.probes.liveness.periodSeconds }} + failureThreshold: {{ .Values.probes.liveness.failureThreshold }} + successThreshold: {{ .Values.probes.liveness.successThreshold }} + readinessProbe: + httpGet: + path: /health + port: feeds-api + scheme: {{ include "feeds.setProtocol" . 
| upper }} + timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }} + periodSeconds: {{ .Values.probes.readiness.periodSeconds }} + failureThreshold: {{ .Values.probes.readiness.failureThreshold }} + successThreshold: {{ .Values.probes.readiness.successThreshold }} + resources: {{- toYaml .Values.resources | nindent 12 }} + volumes: + - name: data + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ default (include "feeds.fullname" .) .Values.persistence.existingClaim }} + {{- else }} + emptyDir: {} + {{- end }} + - name: config-volume + configMap: + name: {{ template "feeds.fullname" . }} + - name: "anchore-scratch" + {{- if .Values.scratchVolume.details }} + {{- toYaml .Values.scratchVolume.details | nindent 10 }} + {{- else }} + emptyDir: {} + {{- end }} + - name: anchore-license + secret: + secretName: {{ .Values.licenseSecretName }} + {{- if .Values.cloudsql.useExistingServiceAcc }} + - name: {{ .Values.cloudsql.serviceAccSecretName }} + secret: + secretName: {{ .Values.cloudsql.serviceAccSecretName }} + {{- end }} + {{- with .Values.certStoreSecretName }} + - name: certs + secret: + secretName: {{ . }} + {{- end }} + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "feeds.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "feeds.common.labels" . | nindent 4 }} + annotations: {{- include "feeds.common.annotations" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + selector: {{- include "feeds.common.matchLabels" . 
| nindent 4 }} + ports: + - name: feeds-api + port: {{ .Values.service.port }} + targetPort: {{ .Values.service.port }} + protocol: TCP \ No newline at end of file diff --git a/stable/feeds/templates/feeds-pvc.yaml b/stable/feeds/templates/feeds-pvc.yaml new file mode 100644 index 00000000..ae346bfe --- /dev/null +++ b/stable/feeds/templates/feeds-pvc.yaml @@ -0,0 +1,26 @@ +{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "feeds.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "feeds.common.labels" . | nindent 4 }} + annotations: {{- include "feeds.common.annotations" (merge (dict "nil" true) .) | nindent 4 }} + "helm.sh/resource-policy": {{ default "" .Values.persistence.resourcePolicy }} + {{- with .Values.persistence.annotations }} + {{ toYaml . | indent 4 }} + {{- end }} +spec: + accessModes: + - {{ .Values.persistence.accessMode | quote }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} +{{- if .Values.persistence.storageClass }} + {{- if (eq "-" .Values.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.persistence.storageClass }}" + {{- end }} +{{- end }} +{{- end -}} \ No newline at end of file diff --git a/stable/feeds/templates/feeds-secret.yaml b/stable/feeds/templates/feeds-secret.yaml new file mode 100644 index 00000000..4d46f975 --- /dev/null +++ b/stable/feeds/templates/feeds-secret.yaml 
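Review bot: The `mode-fixer` init container runs as root (`runAsUser: 0`) from the floating `alpine` tag with no digest, no resource limits and none of `.Values.containerSecurityContext`, so the most privileged container in the pod is also the least pinned one; pin it (`image: alpine:<tag>@sha256:<digest>`) or expose the image through values the way `.Values.cloudsql.image` already is. The `config-volume` and `anchore-license` mounts lack `readOnly: true` even though the `certs` mount has it; both are ConfigMap/Secret-backed and nothing in this template writes to them, so `readOnly: true` is free hardening. The Deployment and Service are complete within this hunk.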
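Review bot: The persistence annotations are emitted with `{{ toYaml . | indent 4 }}` on a line that itself appears to be indented, so the first annotation key lands deeper than the rest and the rendered `metadata.annotations` is not valid YAML whenever `persistence.annotations` is set; use `{{- toYaml . | nindent 4 }}` as the other templates in this patch do. Separately, `"helm.sh/resource-policy": {{ default "" .Values.persistence.resourcePolicy }}` renders an unquoted empty value (YAML null) when the value is unset; wrap it in `{{- with .Values.persistence.resourcePolicy }}` or pipe it through `quote` so the annotation is always a string.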
@@ -0,0 +1,32 @@
+{{- if not .Values.useExistingSecrets }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "feeds.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "feeds.common.labels" . | nindent 4 }}
+ annotations: {{- include "feeds.common.annotations" . | nindent 4 }}
+type: Opaque
+stringData:
+ ANCHORE_FEEDS_DB_NAME: {{ index .Values "feeds-db" "auth" "database" | quote }}
+ ANCHORE_FEEDS_DB_USER: {{ index .Values "feeds-db" "auth" "username" | quote }}
+ ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "feeds-db" "auth" "password" | quote }}
+ ANCHORE_FEEDS_DB_HOST: {{ include "feeds.dbHostname" . | quote }}
+ ANCHORE_FEEDS_DB_PORT: {{ index .Values "feeds-db" "primary" "service" "ports" "postgresql" | quote }}
+{{- with .Values.anchoreConfig.keys.secret }}
+ ANCHORE_SAML_SECRET: {{ . | quote }}
+{{- end }}
+{{- with .Values.anchoreConfig.feeds.drivers.github.token }}
+ ANCHORE_GITHUB_TOKEN: {{ . | quote }}
+{{- end }}
+{{- with .Values.anchoreConfig.feeds.drivers.nvdv2.api_key }}
+ ANCHORE_NVD_API_KEY: {{ . | quote }}
+{{- end }}
+{{- if .Values.anchoreConfig.feeds.drivers.gem.enabled }}
+ ANCHORE_GEM_DB_HOST: {{ default (include "gem-db.fullname" .) (index .Values "gem-db" "externalEndpoint") | quote }}
+ ANCHORE_GEM_DB_NAME: {{ index .Values "gem-db" "auth" "database" | quote }}
+ ANCHORE_GEM_DB_USER: {{ index .Values "gem-db" "auth" "username" | quote }}
+ ANCHORE_GEM_DB_PASSWORD: {{ index .Values "gem-db" "auth" "password" | quote }}
+ ANCHORE_GEM_DB_PORT: {{ index .Values "gem-db" "primary" "service" "ports" "postgresql" | quote }}
+{{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/stable/feeds/templates/hooks/post-upgrade/upgrade_job.yaml b/stable/feeds/templates/hooks/post-upgrade/upgrade_job.yaml
new file mode 100644
index 00000000..62cc7c9f
--- /dev/null
+++ b/stable/feeds/templates/hooks/post-upgrade/upgrade_job.yaml
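Review bot: When `useExistingSecrets` is true this Secret is not rendered and the Deployment points `envFrom` at `existingSecretName` instead, so the operator-provided secret must carry every key rendered here, including the non-sensitive `ANCHORE_FEEDS_DB_HOST`/`ANCHORE_FEEDS_DB_PORT` and, with the gem driver enabled, all five `ANCHORE_GEM_DB_*` keys, yet nothing in the template states that contract. A header comment such as `{{/* Skipped when useExistingSecrets=true; the referenced secret must then provide ANCHORE_FEEDS_DB_{NAME,USER,PASSWORD,HOST,PORT} and the ANCHORE_GEM_DB_* keys when the gem driver is enabled */}}` would document it. The database password also travels from values into `stringData` and therefore into the Helm release record; that is the usual trade-off, but the README should say so and point at `injectSecretsViaEnv`/`useExistingSecrets` as the way to keep it out.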
@@ -0,0 +1,116 @@ +{{- if and .Values.feedsUpgradeJob.enabled .Values.feedsUpgradeJob.usePostUpgradeHook -}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "feeds.upgradeJob.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "feeds.common.labels" . | nindent 4 }} + annotations: {{- include "feeds.common.annotations" (merge (dict "nil" true) .) | nindent 4 }} + {{- if not .Values.feedsUpgradeJob.force }} + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "0" + {{- end }} +spec: + template: + metadata: + name: {{ template "feeds.upgradeJob.fullname" . }} + labels: {{- include "feeds.common.labels" . | nindent 8 }} + annotations: {{- include "feeds.common.annotations" . | nindent 8 }} + spec: + {{- with .Values.securityContext }} + securityContext: {{- toYaml . | nindent 8 }} + {{- end }} + + {{- if .Values.feedsUpgradeJob.serviceAccountName }} + {{- with .Values.feedsUpgradeJob.serviceAccountName }} + serviceAccountName: {{ . }} + {{- end }} + {{- else if .Values.serviceAccountName }} + {{- with .Values.serviceAccountName }} + serviceAccountName: {{ . }} + {{- end }} + {{- end }} + + {{- with .Values.imagePullSecretName }} + imagePullSecrets: + - name: {{ . }} + {{- end }} + restartPolicy: Never + {{- with .Values.feedsUpgradeJob.nodeSelector }} + nodeSelector: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.feedsUpgradeJob.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.feedsUpgradeJob.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- if or .Values.certStoreSecretName .Values.cloudsql.useExistingServiceAcc .Values.extraVolumes }} + volumes: + {{- with .Values.certStoreSecretName }} + - name: certs + secret: + secretName: {{ . 
}} + {{- end }} + {{- if .Values.cloudsql.useExistingServiceAcc }} + - name: {{ .Values.cloudsql.serviceAccSecretName }} + secret: + secretName: {{ .Values.cloudsql.serviceAccSecretName }} + {{- end }} + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + containers: + {{- if .Values.cloudsql.enabled }} + {{- include "feeds.common.cloudsqlContainer" . | nindent 8 }} + {{- end }} + - name: feeds-upgrade + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- with .Values.containerSecurityContext }} + securityContext: {{- toYaml . | nindent 12 }} + {{- end }} + command: ["/bin/bash", "-c"] + args: + {{- if not .Values.anchoreConfig.database.ssl }} + - | + {{ print (include "feeds.doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}":"${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; + {{- else if eq .Values.anchoreConfig.database.sslMode "require" }} + - | + {{ print (include "feeds.doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}":"${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreConfig.database.sslMode }} upgrade --dontask; + {{- else }} + - | + {{ print (include "feeds.doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}":"${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreConfig.database.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreConfig.database.sslRootCertFileName }} upgrade --dontask; + {{- end }} + envFrom: + - configMapRef: + name: {{ template "feeds.fullname" . 
}}-config-env-vars + {{- if not .Values.standalone }} + - configMapRef: + name: {{ template "feeds.enterprise.fullname" . }}-config-env-vars + {{- end }} + {{- if not .Values.injectSecretsViaEnv }} + {{- if .Values.useExistingSecrets }} + - secretRef: + name: {{ .Values.existingSecretName }} + {{- else }} + - secretRef: + name: {{ template "feeds.fullname" . }} + {{- end }} + {{- end }} + env: {{- include "feeds.common.environment" . | nindent 12 }} + volumeMounts: + {{- if (.Values.certStoreSecretName) }} + - name: certs + mountPath: /home/anchore/certs/ + readOnly: true + {{- end }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.feedsUpgradeJob.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} +{{- end -}} diff --git a/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml new file mode 100644 index 00000000..02cefd07 --- /dev/null +++ b/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml 
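Review bot: All three `--db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@...` forms expand the database password into the argv of `anchore-enterprise-manager`, where it is readable from `/proc/<pid>/cmdline` by anything sharing the pod's PID namespace or with node access, and the password is not percent-encoded, so a value containing `@`, `/`, `:`, `#` or `%` yields a malformed URL. If the manager can read connection settings from the environment (the service container appears to rely on the same `ANCHORE_FEEDS_DB_*` variables, so it may), prefer that; otherwise at least quote the whole URL as one word, e.g. `--db-connect "postgresql://${ANCHORE_FEEDS_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_FEEDS_DB_HOST}:${ANCHORE_FEEDS_DB_PORT}/${ANCHORE_FEEDS_DB_NAME}?sslmode=...&sslrootcert=..."`, which also removes the unquoted `?` glob and the `\&` escape. The same three command lines are duplicated verbatim in the pre-upgrade hook; a shared named template would keep them in step.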
@@ -0,0 +1,126 @@ +{{- if and .Values.feedsUpgradeJob.enabled (not .Values.feedsUpgradeJob.usePostUpgradeHook) -}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "feeds.upgradeJob.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "feeds.common.labels" . | nindent 4 }} + annotations: {{- include "feeds.common.annotations" (merge (dict "nil" true) .) | nindent 4 }} + {{- if not .Values.feedsUpgradeJob.force }} + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "3" + {{- end }} +spec: + template: + metadata: + name: {{ template "feeds.upgradeJob.fullname" . }} + labels: {{- include "feeds.common.labels" . | nindent 8 }} + annotations: {{- include "feeds.common.annotations" . | nindent 8 }} + spec: + {{- with .Values.securityContext }} + securityContext: {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.feedsUpgradeJob.serviceAccountName }} + serviceAccountName: {{ .Values.feedsUpgradeJob.serviceAccountName }} + {{- else if .Values.feedsUpgradeJob.rbacCreate }} + serviceAccountName: {{ template "feeds.fullname" . }}-upgrade-sa + {{- else }} + serviceAccountName: {{ .Values.serviceAccountName }} + {{- end }} + {{- with .Values.imagePullSecretName }} + imagePullSecrets: + - name: {{ . }} + {{- end }} + restartPolicy: Never + {{- with .Values.feedsUpgradeJob.nodeSelector }} + nodeSelector: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.feedsUpgradeJob.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.feedsUpgradeJob.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- if or .Values.certStoreSecretName .Values.cloudsql.useExistingServiceAcc .Values.extraVolumes }} + volumes: + {{- with .Values.certStoreSecretName }} + - name: certs + secret: + secretName: {{ . 
}} + {{- end }} + {{- if .Values.cloudsql.useExistingServiceAcc }} + - name: {{ .Values.cloudsql.serviceAccSecretName }} + secret: + secretName: {{ .Values.cloudsql.serviceAccSecretName }} + {{- end }} + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + initContainers: + - name: scale-down-anchore + image: bitnami/kubectl:1.27 + command: ["/bin/bash", "-c"] + args: + - | + kubectl scale deployments --all --replicas=0 -l app.kubernetes.io/name={{ template "feeds.fullname" . }}; + while [[ $(kubectl get pods -l app.kubernetes.io/name={{ template "feeds.fullname" . }} --field-selector=status.phase=Running --no-headers | tee /dev/stderr | wc -l) -gt 0 ]]; do echo 'waiting for pods to go down...' && sleep 5; done + {{- with .Values.containerSecurityContext }} + securityContext: {{ toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.feedsUpgradeJob.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + containers: + {{- if .Values.cloudsql.enabled }} + {{- include "feeds.common.cloudsqlContainer" . | nindent 8 }} + {{- end }} + - name: upgrade-feeds-db + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- with .Values.containerSecurityContext }} + securityContext: {{ toYaml . | nindent 12 }} + {{- end }} + envFrom: + - configMapRef: + name: {{ template "feeds.fullname" . }}-config-env-vars + {{- if not .Values.standalone }} + - configMapRef: + name: {{ template "feeds.enterprise.fullname" . }}-config-env-vars + {{- end }} + {{- if not .Values.injectSecretsViaEnv }} + {{- if .Values.useExistingSecrets }} + - secretRef: + name: {{ .Values.existingSecretName }} + {{- else }} + - secretRef: + name: {{ template "feeds.fullname" . }} + {{- end }} + {{- end }} + env: {{- include "feeds.common.environment" . 
| nindent 12 }} + volumeMounts: + {{- if .Values.certStoreSecretName }} + - name: certs + mountPath: /home/anchore/certs/ + readOnly: true + {{- end }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.feedsUpgradeJob.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + command: ["/bin/bash", "-c"] + args: + {{- if not .Values.anchoreConfig.database.ssl }} + - | + {{ print (include "feeds.doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}":"${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" upgrade --dontask; + {{- else if eq .Values.anchoreConfig.database.sslMode "require" }} + - | + {{ print (include "feeds.doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}":"${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreConfig.database.sslMode }} upgrade --dontask; + {{- else }} + - | + {{ print (include "feeds.doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}":"${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreConfig.database.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreConfig.database.sslRootCertFileName }} upgrade --dontask; + {{- end }} +{{- end -}} \ No newline at end of file diff --git a/stable/feeds/templates/hooks/pre-upgrade/upgrade_rbac.yaml b/stable/feeds/templates/hooks/pre-upgrade/upgrade_rbac.yaml new file mode 100644 index 00000000..ca9c1a0d --- /dev/null +++ b/stable/feeds/templates/hooks/pre-upgrade/upgrade_rbac.yaml 
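Review bot: The `scale-down-anchore` init container waits with `while [[ $(kubectl get pods ...) -gt 0 ]]; do ... sleep 5; done` and no upper bound, so a feeds pod stuck in Terminating keeps the pre-upgrade hook running until Helm's own timeout fires, leaving the deployment at zero replicas with no useful error; bound the loop and fail loudly so the upgrade aborts with a clear message, as sketched below. `bitnami/kubectl:1.27` is pinned to a tag only; pinning a digest, or exposing the image through values like `.Values.cloudsql.image`, keeps a container that holds RBAC to scale deployments out of the floating-tag category. The `upgrade-feeds-db` container builds the same `--db-connect` URL with the password expanded into argv and not percent-encoded; quote it as one word and prefer environment-based configuration if the manager supports it.

```yaml
args:
  - |
    kubectl scale deployments --all --replicas=0 -l app.kubernetes.io/name={{ template "feeds.fullname" . }};
    attempts=0
    while [[ $(kubectl get pods -l app.kubernetes.io/name={{ template "feeds.fullname" . }} --field-selector=status.phase=Running --no-headers | tee /dev/stderr | wc -l) -gt 0 ]]; do
      if [[ $attempts -ge 60 ]]; then echo 'feeds pods still running after 5 minutes; aborting upgrade' >&2; exit 1; fi
      attempts=$((attempts + 1)); echo 'waiting for pods to go down...'; sleep 5
    done
# … unchanged: securityContext, resources, containers …
```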
@@ -0,0 +1,75 @@ +{{- if and .Values.feedsUpgradeJob.enabled .Values.feedsUpgradeJob.rbacCreate (not .Values.feedsUpgradeJob.usePostUpgradeHook) -}} + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "feeds.fullname" . }}-upgrade-sa + namespace: {{ .Release.Namespace }} + labels: {{- include "feeds.common.labels" . | nindent 4 }} + annotations: {{- include "feeds.common.annotations" (merge (dict "nil" true) .) | nindent 4 }} + {{- if not .Values.feedsUpgradeJob.force }} + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "1" + {{- end }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "feeds.fullname" . }}-upgrade-role-binding + namespace: {{ .Release.Namespace }} + labels: {{- include "feeds.common.labels" . | nindent 4 }} + annotations: {{- include "feeds.common.annotations" (merge (dict "nil" true) .) | nindent 4 }} + {{- if not .Values.feedsUpgradeJob.force }} + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "1" + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "feeds.fullname" . }}-upgrade-role +subjects: + - kind: ServiceAccount + name: {{ template "feeds.fullname" . }}-upgrade-sa + namespace: {{ .Release.Namespace }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "feeds.fullname" . }}-upgrade-role + namespace: {{ .Release.Namespace }} + labels: {{- include "feeds.common.labels" . | nindent 4 }} + annotations: {{- include "feeds.common.annotations" (merge (dict "nil" true) .) 
| nindent 4 }} + {{- if not .Values.feedsUpgradeJob.force }} + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "1" + {{- end }} +rules: + - apiGroups: + - extensions + - apps + resources: + - deployments + verbs: + - get + - list + - watch + - update + - patch + - apiGroups: + - apps + resources: + - deployments/scale + verbs: + - patch + - apiGroups: + - "" + resources: + - pods + verbs: + - watch + - list + - get +{{- end -}} \ No newline at end of file diff --git a/stable/feeds/templates/ingress.yaml b/stable/feeds/templates/ingress.yaml new file mode 100644 index 00000000..62d99bdd --- /dev/null +++ b/stable/feeds/templates/ingress.yaml 
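Review bot: The Role's first rule grants `update` and `patch` on `deployments` in both the `extensions` and `apps` groups, yet the only consumer of this ServiceAccount visible in the series is the `scale-down-anchore` init container, which scales through the `deployments/scale` subresource (already covered by the second rule) and lists pods; the `extensions` group has long been gone from the API server and the write verbs on the deployment object itself look wider than the job needs. I would trim the rules as below unless something outside this hunk relies on the extra verbs, and the same reasoning applies to `watch` on pods, which a plain `kubectl get` does not use. None of the three resources sets `"helm.sh/hook-delete-policy"`, so the SA and its binding persist in the namespace after every upgrade; a `hook-succeeded` policy is not a safe fix for non-Job hook resources (they count as succeeded immediately), so at least a comment such as `# these hook resources are not deleted after the upgrade; the SA keeps its deployment-scaling rights` above the first `---`, and optionally `"helm.sh/hook-delete-policy": before-hook-creation` beside the existing hook annotations so each upgrade recreates them cleanly, would make the lifetime explicit.
```yaml
# … unchanged: ServiceAccount, RoleBinding and Role metadata …
rules:
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
      - list
  - apiGroups:
      - apps
    resources:
      - deployments/scale
    verbs:
      - patch
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
```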
@@ -0,0 +1,70 @@ +{{- if .Values.ingress.enabled -}} +{{- $component := "ingress" -}} + +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} +apiVersion: networking.k8s.io/v1 +{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ template "feeds.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "feeds.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "feeds.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: +{{- if .Values.ingress.ingressClassName }} + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- end }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- if .Values.ingress.hosts }} + {{- range .Values.ingress.hosts }} + - host: {{ . | quote }} + http: + paths: + - path: {{ $.Values.ingress.path }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + pathType: Prefix + backend: + service: + name: {{ template "feeds.fullname" $ }} + port: + number: {{ $.Values.service.port }} + {{- else }} + backend: + serviceName: {{ template "feeds.fullname" $ }} + servicePort: {{ $.Values.service.port }} + {{- end }} + {{- end }} + {{- else }} + - http: + paths: + {{- with .Values.ingress.path }} + - path: {{ . }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + pathType: Prefix + backend: + service: + name: {{ template "feeds.fullname" $ }} + port: + number: {{ $.Values.service.port }} + {{- else }} + backend: + serviceName: {{ template "feeds.fullname" $ }} + servicePort: {{ $.Values.service.port }} + {{- end }} + {{- end }} + {{- end }} +{{- end -}} 
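Review bot: The fallback branch taken when `.Values.ingress.hosts` is empty emits a rule with no `host`, which matches every hostname the ingress controller serves, and nothing in the template says so; a comment directly above that `- http:` line, `# no ingress.hosts configured: this rule has no host and matches every hostname the controller serves`, would keep an operator from exposing the feeds API more broadly than intended by leaving the list empty. On style, `.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress"` is evaluated three times in the hunk; computing it once next to `$component` as `{{- $useV1 := .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}` and testing `{{- if $useV1 }}` in the apiVersion and both backend blocks removes the duplication. The `secretName: {{ .secretName }}` and `ingressClassName: {{ .Values.ingress.ingressClassName }}` scalars are rendered unquoted, so a value that happens to look like a number or boolean would be retyped by the YAML parser; `{{ .secretName | quote }}` matches how the hosts are already rendered.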
diff --git a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap new file mode 100644 index 00000000..f3de6146 --- /dev/null +++ b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap 
@@ -0,0 +1,132 @@ +should render the configmaps: + 1: | + apiVersion: v1 + data: + config.yaml: | + # Anchore Feeds Service Configuration File, mounted from a configmap + # + service_dir: ${ANCHORE_SERVICE_DIR} + tmp_dir: ${ANCHORE_TMP_DIR} + log_level: ${ANCHORE_LOG_LEVEL} + + host_id: "${ANCHORE_HOST_ID}" + internal_ssl_verify: ${ANCHORE_INTERNAL_SSL_VERIFY} + + global_client_connect_timeout: ${ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT} + global_client_read_timeout: ${ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT} + server_request_timeout_seconds: ${ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC} + + license_file: ${ANCHORE_LICENSE_FILE} + auto_restart_services: false + + metrics: + enabled: ${ANCHORE_ENABLE_METRICS} + auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH} + + keys: + secret: ${ANCHORE_SAML_SECRET} + public_key_path: ${ANCHORE_AUTH_PRIVKEY} + private_key_path: ${ANCHORE_AUTH_PUBKEY} + + user_authentication: + hashed_passwords: ${ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS} + sso_require_existing_users: ${ANCHORE_SSO_REQUIRES_EXISTING_USERS} + oauth: + enabled: ${ANCHORE_OAUTH_ENABLED} + default_token_expiration_seconds: ${ANCHORE_OAUTH_TOKEN_EXPIRATION} + refresh_token_expiration_seconds: ${ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION} + + credentials: + database: + user: "${ANCHORE_FEEDS_DB_USER}" + password: "${ANCHORE_FEEDS_DB_PASSWORD}" + host: "${ANCHORE_FEEDS_DB_HOST}" + port: "${ANCHORE_FEEDS_DB_PORT}" + name: "${ANCHORE_FEEDS_DB_NAME}" + db_connect_args: + timeout: ${ANCHORE_FEEDS_DB_TIMEOUT} + ssl: ${ANCHORE_FEEDS_DB_SSL} + db_pool_size: ${ANCHORE_FEEDS_DB_POOL_SIZE} + db_pool_max_overflow: ${ANCHORE_FEEDS_DB_POOL_MAX_OVERFLOW} + + services: + feeds: + enabled: true + require_auth: true + endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} + listen: '0.0.0.0' + port: ${ANCHORE_PORT} + max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} + cycle_timers: + driver_sync: 7200 + local_workspace: ${ANCHORE_FEEDS_LOCAL_WORKSPACE} + workspace_preload: + enabled: 
${ANCHORE_FEEDS_WORKSPACE_PRELOAD} + workspace_preload_file: "/workspace_preload/data.tar.gz" + api_only: ${ANCHORE_FEEDS_API_ONLY} + drivers: + amzn: + enabled: ${ANCHORE_FEEDS_DRIVER_AMAZON_ENABLED} + alpine: + enabled: ${ANCHORE_FEEDS_DRIVER_ALPINE_ENABLED} + centos: + enabled: false + debian: + enabled: ${ANCHORE_FEEDS_DRIVER_DEBIAN_ENABLED} + ol: + enabled: ${ANCHORE_FEEDS_DRIVER_OL_ENABLED} + ubuntu: + enabled: ${ANCHORE_FEEDS_DRIVER_UBUNTU_ENABLED} + git_url: ${ANCHORE_FEEDS_DRIVER_UBUNTU_URL} + git_branch: ${ANCHORE_FEEDS_DRIVER_UBUNTU_BRANCH} + rhel: + enabled: ${ANCHORE_FEEDS_DRIVER_RHEL_ENBALED} + concurrency: ${ANCHORE_FEEDS_DRIVER_RHEL_CONCURRENCY} + npm: + enabled: ${ANCHORE_FEEDS_DRIVER_NPM_ENABLED} + gem: + enabled: ${ANCHORE_FEEDS_DRIVER_GEM_ENABLED} + nvdv2: + enabled: ${ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED} + api_key: ${ANCHORE_NVD_API_KEY} + msrc: + enabled: ${ANCHORE_FEEDS_DRIVER_MSRC_ENABLED} + github: + enabled: ${ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED} + token: ${ANCHORE_GITHUB_TOKEN} + grypedb: + enabled: ${ANCHORE_FEEDS_DRIVER_GRYPEDB_ENABLED} + external_feeds_url: "${ANCHORE_FEEDS_EXTERNAL_URL}" + preload: + enabled: ${ANCHORE_FEEDS_GRYPEDB_PRELOAD_ENABLED} + workspace_archive_path: ${ANCHORE_FEEDS_GRYPEDB_PRELOAD_PATH} + persist_provider_workspaces: ${ANCHORE_FEEDS_GRYPEDB_PERSIST_WORKSPACE} + restore_provider_workspaces: ${ANCHORE_FEEDS_GRYPEDB_RESTORE_WORKSPACE} + sles: + enabled: ${ANCHORE_FEEDS_DRIVER_SLES_ENABLED} + anchore_match_exclusions: + enabled: ${ANCHORE_FEEDS_DRIVER_MATCH_EXCLUSIONS} + wolfi: + enabled: ${ANCHORE_FEEDS_DRIVER_WOLFI_ENABLED} + chainguard: + enabled: ${ANCHORE_FEEDS_DRIVER_CHAINGUARD_ENABLED} + ssl_enable: ${ANCHORE_SSL_ENABLED} + ssl_cert: ${ANCHORE_SSL_CERT} + ssl_key: ${ANCHORE_SSL_KEY} + kind: ConfigMap + metadata: + annotations: + bar: baz-annotation + foo: bar-annotation + labels: + app.kubernetes.io/component: feeds + app.kubernetes.io/instance: test-release + app.kubernetes.io/managed-by: Helm + 
app.kubernetes.io/name: test-release-feeds + app.kubernetes.io/part-of: anchore + app.kubernetes.io/version: 4.8.1 + bar: baz-label + foo: bar-label + helm.sh/chart: feeds-0.0.1 + name: test-release-feeds + namespace: test-namespace diff --git a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap new file mode 100644 index 00000000..397565e7 --- /dev/null +++ b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap 
@@ -0,0 +1,109 @@ +rbac should match snapshot: + 1: | + apiVersion: v1 + kind: ServiceAccount + metadata: + annotations: + bar: baz-annotation + foo: bar-annotation + helm.sh/hook: pre-upgrade + helm.sh/hook-weight: "1" + labels: + app.kubernetes.io/component: feeds + app.kubernetes.io/instance: test-release + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: test-release-feeds + app.kubernetes.io/part-of: anchore + app.kubernetes.io/version: 9.9.9 + bar: baz-label + foo: bar-label + helm.sh/chart: feeds-9.9.9 + name: test-release-feeds-upgrade-sa + namespace: test-namespace + 2: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + annotations: + bar: baz-annotation + foo: bar-annotation + helm.sh/hook: pre-upgrade + helm.sh/hook-weight: "1" + labels: + app.kubernetes.io/component: feeds + app.kubernetes.io/instance: test-release + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: test-release-feeds + app.kubernetes.io/part-of: anchore + app.kubernetes.io/version: 9.9.9 + bar: baz-label + foo: bar-label + helm.sh/chart: feeds-9.9.9 + name: test-release-feeds-upgrade-role-binding + namespace: test-namespace + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: test-release-feeds-upgrade-role + subjects: + - kind: ServiceAccount + name: test-release-feeds-upgrade-sa + namespace: test-namespace + 3: | + apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + annotations: + bar: baz-annotation + foo: bar-annotation + helm.sh/hook: pre-upgrade + helm.sh/hook-weight: "1" + labels: + app.kubernetes.io/component: feeds + app.kubernetes.io/instance: test-release + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: test-release-feeds + app.kubernetes.io/part-of: anchore + app.kubernetes.io/version: 9.9.9 + bar: baz-label + foo: bar-label + helm.sh/chart: feeds-9.9.9 + name: test-release-feeds-upgrade-role + namespace: test-namespace + rules: + - apiGroups: + - extensions + - apps + 
resources: + - deployments + verbs: + - get + - list + - watch + - update + - patch + - apiGroups: + - apps + resources: + - deployments/scale + verbs: + - patch + - apiGroups: + - "" + resources: + - pods + verbs: + - watch + - list + - get +should render proper initContainers: + 1: | + - args: + - | + kubectl scale deployments --all --replicas=0 -l app.kubernetes.io/name=test-release-feeds; + while [[ $(kubectl get pods -l app.kubernetes.io/name=test-release-feeds --field-selector=status.phase=Running --no-headers | tee /dev/stderr | wc -l) -gt 0 ]]; do echo 'waiting for pods to go down...' && sleep 5; done + command: + - /bin/bash + - -c + image: bitnami/kubectl:1.27 + name: scale-down-anchore diff --git a/stable/feeds/tests/common_helpers_test.yaml b/stable/feeds/tests/common_helpers_test.yaml new file mode 100644 index 00000000..69e75fbf --- /dev/null +++ b/stable/feeds/tests/common_helpers_test.yaml 
@@ -0,0 +1,724 @@ +suite: Common Helper Template Tests +templates: + - anchore_vars_configmap.yaml + - feeds-configmap.yaml + - feeds-deployment.yaml + - feeds-pvc.yaml + - feeds-secret.yaml + - ingress.yaml + - templates/hooks/pre-upgrade/upgrade_rbac.yaml + - templates/hooks/pre-upgrade/upgrade_job.yaml + - templates/hooks/post-upgrade/upgrade_job.yaml +release: + name: test-release + namespace: test-namespace +chart: + version: 9.9.9 + appVersion: 9.9.9 + +test_templates: &test_templates + - anchore_vars_configmap.yaml + - feeds-configmap.yaml + - feeds-deployment.yaml + - feeds-pvc.yaml + - feeds-secret.yaml + - templates/hooks/pre-upgrade/upgrade_rbac.yaml + - templates/hooks/pre-upgrade/upgrade_job.yaml + +flag_enabled_test_templates: &flag_enabled_test_templates + - templates/hooks/post-upgrade/upgrade_job.yaml + - ingress.yaml + +tests: + - it: should render global annotations + templates: *test_templates + documentIndex: 0 + set: + annotations: + foo: bar + bar: baz + asserts: + - isSubset: + path: metadata.annotations + content: + foo: bar + bar: baz + + - it: should render file checksum/secret annotation + template: feeds-deployment.yaml + documentIndex: 0 + asserts: + - exists: + path: spec.template.metadata.annotations['checksum/secrets'] + + - it: should render global labels + templates: *test_templates + documentIndex: 0 + set: + labels: + foo: bar + bar: baz + asserts: + - isSubset: + path: metadata.labels + content: + app.kubernetes.io/instance: test-release + helm.sh/chart: feeds-9.9.9 + app.kubernetes.io/version: 9.9.9 + app.kubernetes.io/part-of: anchore + app.kubernetes.io/managed-by: Helm + foo: bar + bar: baz + + - it: should render docker entrypoint with no doSourceAtEntry filePaths + templates: + - feeds-deployment.yaml + documentIndex: 0 + asserts: + - matchRegex: + path: spec.template.spec.containers[0].args[0] + pattern: /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade + + - it: should render docker 
entrypoint with doSourceAtEntry and no filePaths + templates: + - feeds-deployment.yaml + documentIndex: 0 + set: + doSourceAtEntry.enabled: true + asserts: + - matchRegex: + path: spec.template.spec.containers[0].args[0] + pattern: ^/docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade + + - it: should render docker entrypoint with doSourceAtEntry and some filePaths + templates: + - feeds-deployment.yaml + documentIndex: 0 + set: + doSourceAtEntry.enabled: true + doSourceAtEntry.filePaths: ["myscript.sh", "myotherscript.sh"] + asserts: + - matchRegex: + path: spec.template.spec.containers[0].args[0] + pattern: ^if \[ -f myscript\.sh \];then source myscript\.sh;fi;if \[ -f myotherscript\.sh \];then source myotherscript\.sh;fi; .*$ + + - it: should render envFrom without an existing secret + templates: + - feeds-deployment.yaml + - templates/hooks/pre-upgrade/upgrade_job.yaml + documentIndex: 0 + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + envFrom: + - configMapRef: + name: test-release-feeds-config-env-vars + - secretRef: + name: test-release-feeds + + - it: should render envFrom with an existing secret + set: + useExistingSecrets: true + existingSecretName: "myExistingSecretName" + templates: + - feeds-deployment.yaml + - templates/hooks/pre-upgrade/upgrade_job.yaml + documentIndex: 0 + asserts: + - isSubset: + path: spec.template.spec.containers[0] + content: + envFrom: + - configMapRef: + name: test-release-feeds-config-env-vars + - secretRef: + name: myExistingSecretName + + - it: should not render secretRef when injecting secrets via env + set: + injectSecretsViaEnv: true + useExistingSecrets: true + existingSecretName: "myExistingSecretName" + templates: + - feeds-deployment.yaml + - templates/hooks/pre-upgrade/upgrade_job.yaml + documentIndex: 0 + asserts: + - isNotSubset: + path: spec.template.spec.containers[0] + content: + envFrom: + - configMapRef: + name: test-release-feeds-config-env-vars + - 
secretRef: + name: myExistingSecretName + + - it: should render correct environment variables when extraEnv is set + templates: + - feeds-deployment.yaml + - templates/hooks/pre-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + extraEnv: + - name: foo + value: bar + - name: bar + value: baz + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: foo + value: bar + - contains: + path: spec.template.spec.containers[0].env + content: + name: bar + value: baz + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_HOST_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + + - it: should render clouddsql container for all deployments and default upgrade job + templates: + - feeds-deployment.yaml + - templates/hooks/pre-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + cloudsql.enabled: true + asserts: + - contains: + path: spec.template.spec.containers + content: + name: cloudsql-proxy + command: + - /cloud_sql_proxy + args: + - "-instances==tcp:5432" + count: 1 + any: true + + - it: should render clouddsql container and extraArgs for all deployments and default upgrade job + templates: + - feeds-deployment.yaml + - templates/hooks/pre-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + cloudsql.enabled: true + cloudsql.extraArgs: + - myExtraArg + - myOtherExtraArg + asserts: + - equal: + path: spec.template.spec.containers[0].name + value: cloudsql-proxy + count: 1 + - equal: + path: spec.template.spec.containers[0].command + value: [ /cloud_sql_proxy ] + count: 1 + - equal: + path: spec.template.spec.containers[0].args + value: + - "-instances==tcp:5432" + - "myExtraArg" + - "myOtherExtraArg" + count: 1 + + - it: should render clouddsql container, additional arg, and volumeMount when useExistingServiceAcc is true for all deployments and default upgrade job + templates: + - feeds-deployment.yaml + - templates/hooks/pre-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + cloudsql.enabled: true + 
cloudsql.extraArgs: + - myExtraArg + - myOtherExtraArg + cloudsql.useExistingServiceAcc: true + cloudsql.serviceAccSecretName: cloudsqlServiceAccSecretName + cloudsql.serviceAccJsonName: cloudsqlServiceAccJsonName + asserts: + - equal: + path: spec.template.spec.containers[0].name + value: cloudsql-proxy + count: 1 + - equal: + path: spec.template.spec.containers[0].args + value: + - "-instances==tcp:5432" + - "myExtraArg" + - "myOtherExtraArg" + - "-credential_file=/var/cloudsqlServiceAccSecretName/cloudsqlServiceAccJsonName" + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: "/var/cloudsqlServiceAccSecretName" + name: "cloudsqlServiceAccSecretName" + readOnly: true + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: "cloudsqlServiceAccSecretName" + secret: + secretName: "cloudsqlServiceAccSecretName" + count: 1 + + - it: should render fixPermissionsInitContainer + set: + scratchVolume.fixGroupPermissions: true + securityContext.fsGroup: 9999 + templates: + - feeds-deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.initContainers + content: + name: mode-fixer + volumeMounts: + - name: "anchore-scratch" + mountPath: /anchore_scratch + command: [ sh, -c, (chmod 0775 /anchore_scratch; chgrp 9999 /anchore_scratch ) ] + count: 1 + any: true + + - it: should not render fixPermissionsInitContainer + set: + scratchVolume.fixGroupPermissions: false + securityContext.fsGroup: 9999 + templates: + - feeds-deployment.yaml + documentIndex: 0 + asserts: + - notExists: + path: spec.template.spec.initContainers + + - it: should render liveness probe + templates: + - feeds-deployment.yaml + documentIndex: 0 + asserts: + - isSubset: + path: spec.template.spec.containers[0].livenessProbe + content: + initialDelaySeconds: 120 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + + - it: should render readiness probe + templates: + - 
feeds-deployment.yaml + documentIndex: 0 + asserts: + - isSubset: + path: spec.template.spec.containers[0].readinessProbe + content: + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + + - it: should render pod security contexts + set: + securityContext.runAsUser: 9999 + templates: + - feeds-deployment.yaml + documentIndex: 0 + asserts: + - isSubset: + path: spec.template.spec.securityContext + content: + runAsUser: 9999 + runAsGroup: 1000 + fsGroup: 1000 + + - it: should render pod serviceAccountName + set: + serviceAccountName: myServiceAccountName + templates: + - feeds-deployment.yaml + documentIndex: 0 + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: myServiceAccountName + + - it: should not render pod serviceAccountName if not defined + templates: + - feeds-deployment.yaml + documentIndex: 0 + asserts: + - notExists: + path: spec.template.spec.serviceAccountName + + - it: should render imagePullSecretName + templates: + - feeds-deployment.yaml + documentIndex: 0 + asserts: + - equal: + path: spec.template.spec.imagePullSecrets[0].name + value: anchore-enterprise-pullcreds + + - it: should render set imagePullSecretName + set: + imagePullSecretName: mysecret + templates: + - feeds-deployment.yaml + documentIndex: 0 + asserts: + - equal: + path: spec.template.spec.imagePullSecrets[0].name + value: mysecret + + - it: should render container security contexts + set: + containerSecurityContext.runAsUser: 9999 + containerSecurityContext.runAsGroup: 9998 + templates: + - feeds-deployment.yaml + documentIndex: 0 + asserts: + - isSubset: + path: spec.template.spec.containers[0].securityContext + content: + runAsUser: 9999 + runAsGroup: 9998 + + - it: should not render container security contexts if none set + templates: + - feeds-deployment.yaml + documentIndex: 0 + asserts: + - notExists: + path: spec.template.spec.containers[0].securityContext + + - it: should render the rbacAuthContainer + templates: + 
- feeds-deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.containers + content: + args: + - /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade feeds + name: feeds-feeds + ports: + - containerPort: 8448 + name: feeds-api + any: true + + - it: should render volumeMounts + templates: + - feeds-deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: anchore-license + mountPath: /home/anchore/license.yaml + subPath: license.yaml + count: 1 + any: true + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: config-volume + mountPath: /config/config.yaml + subPath: config.yaml + count: 1 + any: true + + - it: should render extraVolumeMounts + set: + extraVolumeMounts: + - name: my-volume + mountPath: /my/path + subPath: my-subpath + - name: my-volume-two + mountPath: /my/other/path + subPath: my-other-subpath + templates: + - feeds-deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: my-volume + mountPath: /my/path + subPath: my-subpath + count: 1 + any: true + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: my-volume-two + mountPath: /my/other/path + subPath: my-other-subpath + count: 1 + any: true + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: certs + count: 1 + any: true + + - it: should render certStore volumeMount and volume + set: + certStoreSecretName: mycerts + templates: + - feeds-deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: certs + mountPath: /home/anchore/certs/ + readOnly: true + count: 1 + any: true + - contains: + path: spec.template.spec.volumes + content: + name: certs + secret: + secretName: mycerts + count: 1 + any: true + + - it: should 
render global extraVolumes + set: + extraVolumes: + - name: my-volume + emptyDir: {} + - name: my-volume-two + emptyDir: {} + templates: + - feeds-deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: my-volume + emptyDir: {} + count: 1 + any: true + - contains: + path: spec.template.spec.volumes + content: + name: my-volume-two + emptyDir: {} + count: 1 + any: true + - notContains: + path: spec.template.spec.volumes + content: + name: certs + count: 1 + any: true + + - it: should render global volumes anchore-license, and config-volume + templates: + - feeds-deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: anchore-license + secret: + secretName: anchore-enterprise-license + count: 1 + any: true + - contains: + path: spec.template.spec.volumes + content: + name: config-volume + configMap: + name: test-release-feeds + count: 1 + any: true + + - it: should render feeds.fullname + templates: *test_templates + documentIndex: 0 + asserts: + - matchRegex: + path: metadata.name + pattern: ^test-release-feeds + + - it: should render feeds.fullname with fullnameOverride for services + set: + fullnameOverride: my-fullname-override + templates: + - feeds-deployment.yaml + documentIndex: 1 + asserts: + - matchRegex: + path: spec.selector["app.kubernetes.io/name"] + pattern: ^my-fullname-override + + - it: should render feeds.fullname with nameOverride for services + set: + nameOverride: my-name-override + templates: + - feeds-deployment.yaml + documentIndex: 1 + asserts: + - matchRegex: + path: spec.selector["app.kubernetes.io/name"] + pattern: ^test-release-my-name-override + + - it: should render dbHostname for feeds-secret.yaml + templates: + - feeds-secret.yaml + documentIndex: 0 + asserts: + - isSubset: + path: stringData + content: + ANCHORE_FEEDS_DB_HOST: test-release-feeds-db + count: 1 + any: true + + - isSubset: + path: stringData + content: + 
ANCHORE_FEEDS_DB_NAME: anchore-feeds + count: 1 + any: true + + - isSubset: + path: stringData + content: + ANCHORE_FEEDS_DB_PASSWORD: anchore-postgres,123 + count: 1 + any: true + + - isSubset: + path: stringData + content: + ANCHORE_FEEDS_DB_PORT: "5432" + count: 1 + any: true + + - isSubset: + path: stringData + content: + ANCHORE_FEEDS_DB_USER: anchore-feeds + count: 1 + any: true + + # since postgresql is enabled, should still use the chart postgresql service name + - it: should render dbHostname with externalEndpoint defined and postgresql enabled + set: + feeds-db: + externalEndpoint: my-endpoint + enabled: true + cloudsql: + enabled: true + templates: + - feeds-secret.yaml + documentIndex: 0 + asserts: + - isSubset: + path: stringData + content: + ANCHORE_FEEDS_DB_HOST: test-release-feeds-db + count: 1 + any: true + - isNotSubset: + path: stringData + content: + ANCHORE_FEEDS_DB_HOST: localhost + + - it: should render dbHostname with externalEndpoint defined and postgresql disabled + set: + feeds-db: + externalEndpoint: my-endpoint + enabled: false + templates: + - feeds-secret.yaml + documentIndex: 0 + asserts: + - isSubset: + path: stringData + content: + ANCHORE_FEEDS_DB_HOST: my-endpoint + count: 1 + any: true + + - it: should render dbHostname with cloudsql enabled and postgresql disabled + set: + feeds-db: + enabled: false + cloudsql: + enabled: true + templates: + - feeds-secret.yaml + documentIndex: 0 + asserts: + - isSubset: + path: stringData + content: + ANCHORE_FEEDS_DB_HOST: localhost + count: 1 + any: true + + - it: should render default dbHostname with postgresql disabled, postgresql externalEndpoint not defined, and cloudsql disabled + set: + feeds-db: + enabled: false + externalEndpoint: "" + cloudsql: + enabled: false + templates: + - feeds-secret.yaml + documentIndex: 0 + asserts: + - isSubset: + path: stringData + content: + ANCHORE_FEEDS_DB_HOST: test-release-feeds-db + count: 1 + any: true + + - it: should set the correct protocol with 
anchoreConfig.internalServicesSSL.enabled to true for deployments + set: + anchoreConfig.internalServicesSSL.enabled: true + templates: + - feeds-deployment.yaml + documentIndex: 0 + asserts: + - isSubset: + path: spec.template.spec.containers[0].livenessProbe.httpGet + content: + scheme: HTTPS + + - it: should set the correct protocol with anchoreConfig.internalServicesSSL.enabled to false for deployments + set: + anchoreConfig.internalServicesSSL.enabled: false + templates: + - feeds-deployment.yaml + documentIndex: 0 + asserts: + - isSubset: + path: spec.template.spec.containers[0].livenessProbe.httpGet + content: + scheme: HTTP diff --git a/stable/feeds/tests/configmap_test.yaml b/stable/feeds/tests/configmap_test.yaml new file mode 100644 index 00000000..3c66be99 --- /dev/null +++ b/stable/feeds/tests/configmap_test.yaml @@ -0,0 +1,12 @@ +suite: ConfigMap Tests +templates: + - templates/feeds-configmap.yaml +values: + - values.yaml +release: + name: test-release + namespace: test-namespace +tests: + - it: should render the configmaps + asserts: + - matchSnapshot: {} diff --git a/stable/feeds/tests/feeds_resources_test.yaml b/stable/feeds/tests/feeds_resources_test.yaml new file mode 100644 index 00000000..f1fd1f0b --- /dev/null +++ b/stable/feeds/tests/feeds_resources_test.yaml 
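Review bot: The `should not render secretRef when injecting secrets via env` case asserts `isNotSubset` against the whole `envFrom` list, which also passes when only the configMapRef name drifts, so it does not actually prove the secretRef is absent; `notContains` on the list is the precise check: `- notContains:` / `path: spec.template.spec.containers[0].envFrom` / `content: {secretRef: {name: myExistingSecretName}}`. The first dbHostname case pins the rendered `ANCHORE_FEEDS_DB_PASSWORD: anchore-postgres,123`, which is the chart's default database credential defined outside this hunk rather than a test fixture; a comment above that assertion, `# chart default from values.yaml, not a fixture; the feeds-secret tests break if the default is changed or removed`, would make that clear to the next person who sees a password in the suite. The enclosing test list continues into the next file section on this line, but its own definition is complete here.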
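Review bot: This suite relies on `matchSnapshot: {}` alone, and the snapshot it pins (`configmap_test.yaml.snap` in this series) renders `public_key_path: ${ANCHORE_AUTH_PRIVKEY}` and `private_key_path: ${ANCHORE_AUTH_PUBKEY}`, i.e. the private-key path is fed from the public-key variable and vice versa; a snapshot-only test will faithfully preserve that. Whether the configmap template or the environment variable names are the crossed side cannot be told from this hunk, but an explicit assertion catches it either way, e.g. `- matchRegex: {path: data["config.yaml"], pattern: 'private_key_path: \$\{ANCHORE_AUTH_PRIVKEY\}'}`. The same snapshot also freezes `ANCHORE_FEEDS_DRIVER_RHEL_ENBALED`, which a regex on the intended variable name would surface rather than lock in.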
@@ -0,0 +1,312 @@ +suite: Feeds Resources Tests +templates: + - feeds-deployment.yaml + - feeds-secret.yaml + - feeds-configmap.yaml +release: + name: test-release + namespace: test-namespace +chart: + version: 9.9.9 + appVersion: 9.9.9 +values: + - values.yaml + +tests: + - it: should render a valid feeds config file + template: feeds-configmap.yaml + asserts: + - matchRegex: + path: data["config.yaml"] + pattern: Anchore Feeds Service Configuration File + + - it: should set the correct resource names + asserts: + - equal: + path: metadata.name + value: test-release-feeds + + - it: should render component labels + template: feeds-deployment.yaml + documentIndex: 0 + asserts: + - isSubset: + path: metadata.labels + content: + bar: "baz-label" + foo: "bar-label" + - isSubset: + path: spec.template.metadata.labels + content: + bar: "baz-label" + foo: "bar-label" + + - it: should render component annotations + templates: + - feeds-deployment.yaml + documentIndex: 0 + asserts: + - isSubset: + path: metadata.annotations + content: + foo: "bar-annotation" + bar: "baz-annotation" + - isSubset: + path: spec.template.metadata.annotations + content: + foo: "bar-annotation" + bar: "baz-annotation" + + - it: should render component matchLabels + template: feeds-deployment.yaml + documentIndex: 0 + asserts: + - isSubset: + path: spec.selector.matchLabels + content: + app.kubernetes.io/name: test-release-feeds + app.kubernetes.io/component: feeds + + - it: should render component serviceAccountName + template: feeds-deployment.yaml + documentIndex: 0 + set: + serviceAccountName: feeds-test + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: feeds-test + + - it: should render component nodeSelector + template: feeds-deployment.yaml + documentIndex: 0 + set: + nodeSelector: + feeds: test + asserts: + - isSubset: + path: spec.template.spec.nodeSelector + content: + feeds: test + + - it: should render component affinity + template: feeds-deployment.yaml + 
documentIndex: 0 + set: + affinity: + feeds: test + asserts: + - isSubset: + path: spec.template.spec.affinity + content: + feeds: test + + - it: should render component tolerations + template: feeds-deployment.yaml + documentIndex: 0 + set: + tolerations: + - key: "feeds" + operator: "Equal" + value: "test" + effect: "NoSchedule" + asserts: + - contains: + path: spec.template.spec.tolerations + content: + key: "feeds" + operator: "Equal" + value: "test" + effect: "NoSchedule" + count: 1 + + - it: should render scratch volume as emptyDir by default + template: feeds-deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: anchore-scratch + emptyDir: {} + count: 1 + + - it: should render scratch volume using details from values + template: feeds-deployment.yaml + documentIndex: 0 + set: + scratchVolume.details: + hostPath: + path: /tmp + type: Directory + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: anchore-scratch + hostPath: + path: /tmp + type: Directory + count: 1 + + - it: should render feeds-configmap volume + template: feeds-deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: config-volume + configMap: + name: test-release-feeds + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: anchore-scratch + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: anchore-license + secret: + secretName: anchore-enterprise-license + count: 1 + + - it: should render component container name + template: feeds-deployment.yaml + documentIndex: 0 + asserts: + - equal: + path: spec.template.spec.containers[0].name + value: feeds-feeds + + - it: should render component entrypoint args + template: feeds-deployment.yaml + documentIndex: 0 + asserts: + - matchRegex: + path: spec.template.spec.containers[0].args[0] + pattern: ^/docker-entrypoint\.sh 
anchore-enterprise-manager service start --no-auto-upgrade feeds$ + count: 1 + + - it: should render component environment variables + template: feeds-deployment.yaml + documentIndex: 0 + set: + extraEnv: + - name: feeds + value: test + - name: test + value: foobar + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-feeds + count: 1 + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_PORT + value: "8448" + count: 1 + - contains: + path: spec.template.spec.containers[0].env + content: + name: feeds + value: test + count: 1 + - contains: + path: spec.template.spec.containers[0].env + content: + name: test + value: foobar + + - it: should render component ports + template: feeds-deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.containers[0].ports + content: + name: feeds-api + containerPort: 8448 + count: 1 + + - it: should render component volumeMounts + template: feeds-deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: config-volume + mountPath: /config/config.yaml + subPath: config.yaml + count: 1 + any: true + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: anchore-scratch + mountPath: /anchore_scratch + count: 1 + any: true + + - it: should render component probes + template: feeds-deployment.yaml + documentIndex: 0 + asserts: + - isSubset: + path: spec.template.spec.containers[0].livenessProbe + content: + httpGet: + path: /health + port: feeds-api + scheme: HTTP + initialDelaySeconds: 120 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + count: 1 + - isSubset: + path: spec.template.spec.containers[0].readinessProbe + content: + httpGet: + path: /health + port: feeds-api + scheme: HTTP + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 3 + 
successThreshold: 1 + count: 1 + + - it: should render component resource requests & limits + template: feeds-deployment.yaml + documentIndex: 0 + set: + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 200m + memory: 256Mi + asserts: + - isSubset: + path: spec.template.spec.containers[0].resources.requests + content: + cpu: 100m + memory: 128Mi + count: 1 + - isSubset: + path: spec.template.spec.containers[0].resources.limits + content: + cpu: 200m + memory: 256Mi + count: 1 diff --git a/stable/feeds/tests/posthook_upgrade_resources_test.yaml b/stable/feeds/tests/posthook_upgrade_resources_test.yaml new file mode 100644 index 00000000..c5f0a032 --- /dev/null +++ b/stable/feeds/tests/posthook_upgrade_resources_test.yaml 
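Review bot: None of the feeds-deployment.yaml tests pins the pod securityContext, although stable/feeds/values.yaml in this same commit sets `securityContext` to runAsUser/runAsGroup/fsGroup 1000 (and `containerSecurityContext: {}`), so a template change that silently drops the non-root user would still pass this suite. Assuming the deployment template renders `.Values.securityContext` at the usual pod path, the test below would catch that regression. As far as I can tell from the helm-unittest docs, `count` and `any` are parameters of `contains` rather than `isSubset`, so the `count: 1` under the probe and resources `isSubset` assertions likely has no effect; and the last `contains` in "should render component environment variables" is the only one without `count: 1`, presumably an oversight.
```yaml
  - it: should render pod securityContext from values
    template: feeds-deployment.yaml
    documentIndex: 0
    asserts:
      - isSubset:
          path: spec.template.spec.securityContext
          content:
            runAsUser: 1000
            runAsGroup: 1000
            fsGroup: 1000
```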
@@ -0,0 +1,178 @@ +suite: Posthook Upgrade Job Tests +templates: + - hooks/post-upgrade/upgrade_job.yaml + - secret.yaml +values: + - values.yaml +set: + feedsUpgradeJob.enabled: true + feedsUpgradeJob.usePostUpgradeHook: true +release: + name: test-release + namespace: test-namespace +chart: + version: 9.9.9 + appVersion: 9.9.9 + +tests: + - it: post-upgrade hook job gets created when feedsUpgradeJob.usePostUpgradeHook is true + template: hooks/post-upgrade/upgrade_job.yaml + asserts: + - containsDocument: + kind: Job + apiVersion: batch/v1 + name: test-release-feeds-999-upgrade + namespace: test-namespace + + - it: post-upgrade hook job does not get created when feedsUpgradeJob.usePostUpgradeHook is false + template: hooks/post-upgrade/upgrade_job.yaml + set: + feedsUpgradeJob: + usePostUpgradeHook: false + asserts: + - hasDocuments: + count: 0 + + - it: post-upgrade hook job does not get created when feedsUpgradeJob.enabled is false + template: hooks/post-upgrade/upgrade_job.yaml + set: + feedsUpgradeJob: + enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should render helm hook annotations + template: hooks/post-upgrade/upgrade_job.yaml + asserts: + - isSubset: + path: metadata.annotations + content: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "0" + + - it: should not render helm hook annotations when feedsUpgradeJob.force is true + template: hooks/post-upgrade/upgrade_job.yaml + set: + feedsUpgradeJob.force: true + asserts: + - isNotSubset: + path: metadata.annotations + content: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "0" + + - it: should render component serviceAccountName + template: hooks/post-upgrade/upgrade_job.yaml + set: + feedsUpgradeJob.serviceAccountName: feedsUpgradeJob-test + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: feedsUpgradeJob-test + + - it: should render component serviceAccountName even when global serviceAccountName is set + template: 
hooks/post-upgrade/upgrade_job.yaml + set: + serviceAccountName: global-test + feedsUpgradeJob.serviceAccountName: feedsUpgradeJob-test + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: feedsUpgradeJob-test + + - it: should render component nodeSelector + template: hooks/post-upgrade/upgrade_job.yaml + set: + feedsUpgradeJob.nodeSelector: + feedsUpgradeJob: test + asserts: + - isSubset: + path: spec.template.spec.nodeSelector + content: + feedsUpgradeJob: test + + - it: should render component affinity + template: hooks/post-upgrade/upgrade_job.yaml + set: + feedsUpgradeJob.affinity: + feedsUpgradeJob: test + asserts: + - isSubset: + path: spec.template.spec.affinity + content: + feedsUpgradeJob: test + + - it: should render component tolerations + template: hooks/post-upgrade/upgrade_job.yaml + set: + feedsUpgradeJob.tolerations: + - key: "feedsUpgradeJob" + operator: "Equal" + value: "test" + effect: "NoSchedule" + asserts: + - contains: + path: spec.template.spec.tolerations + content: + key: "feedsUpgradeJob" + operator: "Equal" + value: "test" + effect: "NoSchedule" + count: 1 + + - it: should render proper database endpoint on entrypoint + template: hooks/post-upgrade/upgrade_job.yaml + asserts: + - matchRegex: + path: spec.template.spec.containers[0].args[0] + pattern: anchore-enterprise-manager db --db-connect postgresql:\/\/\"\$\{ANCHORE_FEEDS_DB_USER\}\":\"\$\{ANCHORE_FEEDS_DB_PASSWORD\}\"@\"\$\{ANCHORE_FEEDS_DB_HOST\}\":\"\$\{ANCHORE_FEEDS_DB_PORT\}\"\/\"\$\{ANCHORE_FEEDS_DB_NAME\}\" upgrade --dontask; + count: 1 + + - it: should render proper database endpoint on entrypoint when ssl is enabled and mode is require + template: hooks/post-upgrade/upgrade_job.yaml + set: + anchoreConfig.database.ssl: true + anchoreConfig.database.sslMode: require + asserts: + - matchRegex: + path: spec.template.spec.containers[0].args[0] + pattern: anchore-enterprise-manager db --db-use-ssl --db-connect 
postgresql:\/\/\"\$\{ANCHORE_FEEDS_DB_USER\}\":\"\$\{ANCHORE_FEEDS_DB_PASSWORD\}\"@\"\$\{ANCHORE_FEEDS_DB_HOST\}\":\"\$\{ANCHORE_FEEDS_DB_PORT\}\"\/\"\$\{ANCHORE_FEEDS_DB_NAME\}\"\?sslmode\=require upgrade --dontask; + count: 1 + + - it: should render proper database endpoint on entrypoint when ssl is enabled and mode is verify-full + template: hooks/post-upgrade/upgrade_job.yaml + set: + anchoreConfig.database.ssl: true + anchoreConfig.database.sslMode: verify-full + anchoreConfig.database.sslRootCertFileName: test-root.crt + asserts: + - matchRegex: + path: spec.template.spec.containers[0].args[0] + pattern: anchore-enterprise-manager db --db-use-ssl --db-connect postgresql:\/\/\"\$\{ANCHORE_FEEDS_DB_USER\}\":\"\$\{ANCHORE_FEEDS_DB_PASSWORD\}\"@\"\$\{ANCHORE_FEEDS_DB_HOST\}\":\"\$\{ANCHORE_FEEDS_DB_PORT\}\"\/\"\$\{ANCHORE_FEEDS_DB_NAME\}\"\?sslmode\=verify-full\\&sslrootcert\=\/home\/anchore\/certs\/test-root\.crt upgrade --dontask; + count: 1 + + - it: should render component resource requests & limits + template: hooks/post-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + feedsUpgradeJob.resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 200m + memory: 256Mi + asserts: + - isSubset: + path: spec.template.spec.containers[0].resources.requests + content: + cpu: 100m + memory: 128Mi + count: 1 + - isSubset: + path: spec.template.spec.containers[0].resources.limits + content: + cpu: 200m + memory: 256Mi + count: 1 \ No newline at end of file diff --git a/stable/feeds/tests/prehook_upgrade_resources_test.yaml b/stable/feeds/tests/prehook_upgrade_resources_test.yaml new file mode 100644 index 00000000..1195e72d --- /dev/null +++ b/stable/feeds/tests/prehook_upgrade_resources_test.yaml 
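Review bot: The suite-level `templates:` names `secret.yaml`, while the feeds suite in this commit uses `feeds-secret.yaml` and the pre-upgrade suite (prehook_upgrade_resources_test.yaml) uses `anchore_secret.yaml`; at most one of these can exist under the chart's templates directory, and helm-unittest reports a listed template it cannot find as an error, so at least one of these suites presumably fails to load. Pick the name the chart actually ships and use it in all three suites. The three `matchRegex` assertions on `args[0]` also pin a contract in which the shell expands `${ANCHORE_FEEDS_DB_PASSWORD}` into the `anchore-enterprise-manager` argument list, where it is readable by anything that can see the container's process table; that is a property of the job template rather than of this test, but a comment above the first of them, `# NOTE: pins DB credentials being passed on the command line; revisit if the job moves to env-based auth`, would make the trade-off explicit for whoever next edits the template. The file also lacks a trailing newline, which yamllint flags.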
@@ -0,0 +1,253 @@ +suite: PreHook Upgrade Job Tests +templates: + - templates/hooks/pre-upgrade/upgrade_job.yaml + - templates/hooks/pre-upgrade/upgrade_rbac.yaml + - anchore_secret.yaml +values: + - values.yaml +release: + name: test-release + namespace: test-namespace +chart: + version: 9.9.9 + appVersion: 9.9.9 + +upgrade-resource: &upgrade-resources + - templates/hooks/pre-upgrade/upgrade_job.yaml + - templates/hooks/pre-upgrade/upgrade_rbac.yaml + +tests: + - it: rbac should match snapshot + template: templates/hooks/pre-upgrade/upgrade_rbac.yaml + asserts: + - matchSnapshot: {} + + - it: should render helm hook annotations on rbac + template: templates/hooks/pre-upgrade/upgrade_rbac.yaml + asserts: + - isSubset: + path: metadata.annotations + content: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "1" + + - it: should not render helm hook annotations on rbac when feedsUpgradeJob.force is true + template: templates/hooks/pre-upgrade/upgrade_rbac.yaml + set: + feedsUpgradeJob.force: true + asserts: + - isNotSubset: + path: metadata.annotations + content: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "1" + + - it: pre-hook rbac gets created by default + template: templates/hooks/pre-upgrade/upgrade_rbac.yaml + asserts: + - containsDocument: + kind: ServiceAccount + apiVersion: v1 + name: test-release-feeds-upgrade-sa + namespace: test-namespace + documentIndex: 0 + - containsDocument: + kind: RoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + name: test-release-feeds-upgrade-role-binding + namespace: test-namespace + documentIndex: 1 + - containsDocument: + kind: Role + apiVersion: rbac.authorization.k8s.io/v1 + name: test-release-feeds-upgrade-role + namespace: test-namespace + documentIndex: 2 + + - it: pre-hook job does not get created when post-upgrade hook is enabled + templates: *upgrade-resources + set: + feedsUpgradeJob: + usePostUpgradeHook: true + asserts: + - hasDocuments: + count: 0 + + - it: pre-hook job does not get created 
when feedsUpgradeJob.enabled is false + templates: *upgrade-resources + set: + feedsUpgradeJob: + enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: pre-hook job gets created by default + template: templates/hooks/pre-upgrade/upgrade_job.yaml + asserts: + - containsDocument: + kind: Job + apiVersion: batch/v1 + name: test-release-feeds-999-upgrade + namespace: test-namespace + + - it: should render helm hook annotations + template: templates/hooks/pre-upgrade/upgrade_job.yaml + asserts: + - isSubset: + path: metadata.annotations + content: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "3" + + - it: should not render helm hook annotations when feedsUpgradeJob.force is true + template: templates/hooks/pre-upgrade/upgrade_job.yaml + set: + feedsUpgradeJob.force: true + asserts: + - isNotSubset: + path: metadata.annotations + content: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "3" + + - it: should render component serviceAccountName + template: templates/hooks/pre-upgrade/upgrade_job.yaml + set: + feedsUpgradeJob.serviceAccountName: feedsUpgradeJob-test + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: feedsUpgradeJob-test + + - it: should render service account name when global serviceAccountName is set and feedsUpgradeJob.rbacCreate is true + template: templates/hooks/pre-upgrade/upgrade_job.yaml + set: + serviceAccountName: feedsUpgradeJob-global-test + feedsUpgradeJob.rbacCreate: true + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: test-release-feeds-upgrade-sa + + - it: should render global serviceAccountName when feedsUpgradeJob.rbacCreate is false + template: templates/hooks/pre-upgrade/upgrade_job.yaml + set: + serviceAccountName: feedsUpgradeJob-global-test + feedsUpgradeJob.rbacCreate: false + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: feedsUpgradeJob-global-test + + - it: should render component serviceAccountName even when global 
serviceAccountName is set + template: templates/hooks/pre-upgrade/upgrade_job.yaml + set: + serviceAccountName: global-test + feedsUpgradeJob.serviceAccountName: feedsUpgradeJob-test + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: feedsUpgradeJob-test + + - it: should render component nodeSelector + template: templates/hooks/pre-upgrade/upgrade_job.yaml + set: + feedsUpgradeJob.nodeSelector: + feedsUpgradeJob: test + asserts: + - isSubset: + path: spec.template.spec.nodeSelector + content: + feedsUpgradeJob: test + + - it: should render component affinity + template: templates/hooks/pre-upgrade/upgrade_job.yaml + set: + feedsUpgradeJob.affinity: + feedsUpgradeJob: test + asserts: + - isSubset: + path: spec.template.spec.affinity + content: + feedsUpgradeJob: test + + - it: should render component tolerations + template: templates/hooks/pre-upgrade/upgrade_job.yaml + set: + feedsUpgradeJob.tolerations: + - key: "feedsUpgradeJob" + operator: "Equal" + value: "test" + effect: "NoSchedule" + asserts: + - contains: + path: spec.template.spec.tolerations + content: + key: "feedsUpgradeJob" + operator: "Equal" + value: "test" + effect: "NoSchedule" + count: 1 + + - it: should render proper initContainers + template: templates/hooks/pre-upgrade/upgrade_job.yaml + asserts: + - matchSnapshot: + path: spec.template.spec.initContainers + + - it: should render proper database endpoint on entrypoint + template: templates/hooks/pre-upgrade/upgrade_job.yaml + asserts: + - matchRegex: + path: spec.template.spec.containers[0].args[0] + pattern: anchore-enterprise-manager db --db-connect postgresql:\/\/\"\$\{ANCHORE_FEEDS_DB_USER\}\":\"\$\{ANCHORE_FEEDS_DB_PASSWORD\}\"@\"\$\{ANCHORE_FEEDS_DB_HOST\}\":\"\$\{ANCHORE_FEEDS_DB_PORT\}\"\/\"\$\{ANCHORE_FEEDS_DB_NAME\}\" upgrade --dontask; + count: 1 + + - it: should render proper database endpoint on entrypoint when ssl is enabled and mode is require + template: templates/hooks/pre-upgrade/upgrade_job.yaml + 
set: + anchoreConfig.database.ssl: true + anchoreConfig.database.sslMode: require + asserts: + - matchRegex: + path: spec.template.spec.containers[0].args[0] + pattern: anchore-enterprise-manager db --db-use-ssl --db-connect postgresql:\/\/\"\$\{ANCHORE_FEEDS_DB_USER\}\":\"\$\{ANCHORE_FEEDS_DB_PASSWORD\}\"@\"\$\{ANCHORE_FEEDS_DB_HOST\}\":\"\$\{ANCHORE_FEEDS_DB_PORT\}\"\/\"\$\{ANCHORE_FEEDS_DB_NAME\}\"\?sslmode\=require upgrade --dontask; + count: 1 + + - it: should render proper database endpoint on entrypoint when ssl is enabled and mode is verify-full + template: templates/hooks/pre-upgrade/upgrade_job.yaml + set: + anchoreConfig.database.ssl: true + anchoreConfig.database.sslMode: verify-full + anchoreConfig.database.sslRootCertFileName: test-root.crt + asserts: + - matchRegex: + path: spec.template.spec.containers[0].args[0] + pattern: anchore-enterprise-manager db --db-use-ssl --db-connect postgresql:\/\/\"\$\{ANCHORE_FEEDS_DB_USER\}\":\"\$\{ANCHORE_FEEDS_DB_PASSWORD\}\"@\"\$\{ANCHORE_FEEDS_DB_HOST\}\":\"\$\{ANCHORE_FEEDS_DB_PORT\}\"\/\"\$\{ANCHORE_FEEDS_DB_NAME\}\"\?sslmode\=verify-full\\&sslrootcert\=\/home\/anchore\/certs\/test-root\.crt upgrade --dontask; + count: 1 + + - it: should render component resource requests & limits + template: templates/hooks/pre-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + feedsUpgradeJob.resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 200m + memory: 256Mi + asserts: + - isSubset: + path: spec.template.spec.containers[0].resources.requests + content: + cpu: 100m + memory: 128Mi + count: 1 + - isSubset: + path: spec.template.spec.containers[0].resources.limits + content: + cpu: 200m + memory: 256Mi + count: 1 \ No newline at end of file diff --git a/stable/feeds/tests/values.yaml b/stable/feeds/tests/values.yaml new file mode 100644 index 00000000..9d58f1ee --- /dev/null +++ b/stable/feeds/tests/values.yaml 
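Review bot: The Role rendered by upgrade_rbac.yaml is only checked with `matchSnapshot` in "rbac should match snapshot", so any widening of its `rules` surfaces as a snapshot diff that `helm unittest -u` silently re-records rather than as a failing assertion; add an `equal` assertion on `rules` for the Role document (documentIndex 2) listing the exact apiGroups, resources and verbs the upgrade job needs, so the least-privilege grant is a reviewed expectation. The top-level `upgrade-resource:` key exists only to carry the `&upgrade-resources` anchor (note the singular/plural mismatch) and duplicates the suite `templates:` list; anchoring that list directly, `templates: &upgrade-resources`, removes the extra key and the duplication. As in the post-upgrade suite, the file ends without a trailing newline.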
@@ -0,0 +1,13 @@
+annotations:
+ foo: "bar-annotation"
+ bar: "baz-annotation"
+
+labels:
+ foo: "bar-label"
+ bar: "baz-label"
+
+extraEnv:
+ - name: foo
+ value: bar
+ - name: bar
+ value: baz
diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml
new file mode 100644
index 00000000..113bfe53
--- /dev/null
+++ b/stable/feeds/values.yaml
@@ -0,0 +1,580 @@ +################################################### +## @section Common Resource Parameters +## Common params used by all Anchore Feeds k8s resources +################################################### + +## @param standalone Enable running the Anchore Feeds service in standalone mode +## +standalone: true + +## @param enterpriseFullname set the fullname on enterprise resources. Only needed when standalone=false and fullnameOverride is set for the enterprise chart. +## +enterpriseFullname: "" + +## @param fullnameOverride overrides the fullname set on resources +## +fullnameOverride: "" + +## @param nameOverride overrides the name set on resources +## +nameOverride: "" + +## @param image Image used for feeds deployment +## +image: docker.io/anchore/enterprise:v4.9.0 + +## @param imagePullPolicy Image pull policy used by all deployments +## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy +## +imagePullPolicy: IfNotPresent + +## @param imagePullSecretName Name of Docker credentials secret for access to private repos +## Pre-populated with the pull secret name specified in the Anchore docs & quickstart instructions +## Secrets must be manually created in the same namespace as release +## +imagePullSecretName: anchore-enterprise-pullcreds + +## @param serviceAccountName Name of a service account used to run all Feeds pods +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccountName: "" + +## @param injectSecretsViaEnv Enable secret injection into pod via environment variables instead of via k8s secrets +## Useful for injecting secrets directly into k8s pods from Hashicorp vault +## +injectSecretsViaEnv: false + +## @param licenseSecretName Name of the Kubernetes secret containing your license.yaml file +## This must be manually created. 
For example with the following command: +## `kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=` +## +licenseSecretName: anchore-enterprise-license + +## @param certStoreSecretName Name of secret containing the certificates & keys used for SSL, SAML & CAs +## This secret will be mounted in pods to /home/anchore/certs +## Secret must be manually created in the same namespace as release +## +certStoreSecretName: "" + +## @param extraEnv Common environment variables set on all containers +## ref: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/ +## +extraEnv: [] + +## @param labels Common labels set on all Kubernetes resources +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +labels: {} + +## @param annotations Common annotations set on all Kubernetes resources +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +annotations: {} + +## @param resources Resource requests and limits for Anchore Feeds pods +## +resources: {} + +## @param nodeSelector Node labels for Anchore Feeds pod assignment +## +nodeSelector: {} + +## @param tolerations Tolerations for Anchore Feeds pod assignment +## +tolerations: [] + +## @param affinity Affinity for Anchore Feeds pod assignment +## +affinity: {} + +## @param service.type Service type for Anchore Feeds +## @param service.port Service port for Anchore Feeds +## @param service.annotations Annotations for Anchore Feeds service +## @param service.labels Labels for Anchore Feeds service +## +service: + type: ClusterIP + port: 8448 + annotations: {} + labels: {} + +## @param scratchVolume.mountPath The mount path of an external volume for scratch space for image analysis +## @param scratchVolume.fixGroupPermissions Enable an initContainer that will fix the fsGroup permissions +## @param scratchVolume.details [object] Details for the k8s volume to be created +## Generally speaking you 
need to provision 3x the size of the largest image (uncompressed) that you want to analyze +## ref: https://kubernetes.io/docs/concepts/storage/volumes/ +## +scratchVolume: + mountPath: /anchore_scratch + fixGroupPermissions: false + details: {} + +## @param persistence.enabled Enable mounting an external volume for feeds driver workspace +## @param persistence.resourcePolicy Resource policy Helm annotation on PVC. Can be nil or "keep" +## @param persistence.existingClaim Specify an existing volume claim +## @param persistence.storageClass Persistent volume storage class +## If persistence.storageClass="" (the default), no storageClassName spec is set, choosing the default provisioner (gp2 on AWS, standard on GKE, AWS & OpenStack) +## @param persistence.accessMode Access Mode for persistent volume +## @param persistence.size Size of persistent volume +## @param persistence.mountPath Mount path on Anchore Feeds container for persistent volume +## @param persistence.subPath Directory name used for persistent volume storage +## @param persistence.annotations Annotations for PVC +## +persistence: + enabled: true + resourcePolicy: keep + existingClaim: "" + storageClass: "" + accessMode: ReadWriteOnce + size: 40Gi + mountPath: /workspace + subPath: "feeds-workspace" + annotations: {} + +## @param extraVolumes mounts additional volumes to each pod +## ref: https://kubernetes.io/docs/concepts/storage/volumes/ +## +extraVolumes: [] +# - name: config +# secret: +# secretName: config + +## @param extraVolumeMounts mounts additional volumes to each pod +## ref: https://kubernetes.io/docs/concepts/storage/volumes/ +## +extraVolumeMounts: [] +# - name: config +# mountPath: "/vault/secrets/config" +# subPath: config +# readOnly: true + +## @param securityContext.runAsUser The securityContext runAsUser for all Feeds pods +## @param securityContext.runAsGroup The securityContext runAsGroup for all Feeds pods +## @param securityContext.fsGroup The securityContext fsGroup for all 
Feeds pods +## By default the Feeds images utilize the user/group 'anchore' using uid/gid 1000 +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## +securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + +## @param containerSecurityContext The securityContext for all Feeds containers +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## +containerSecurityContext: {} + +## @param probes.liveness.initialDelaySeconds Initial delay seconds for liveness probe +## @param probes.liveness.timeoutSeconds Timeout seconds for liveness probe +## @param probes.liveness.periodSeconds Period seconds for liveness probe +## @param probes.liveness.failureThreshold Failure threshold for liveness probe +## @param probes.liveness.successThreshold Success threshold for liveness probe +## @param probes.readiness.timeoutSeconds Timeout seconds for the readiness probe +## @param probes.readiness.periodSeconds Period seconds for the readiness probe +## @param probes.readiness.failureThreshold Failure threshold for the readiness probe +## @param probes.readiness.successThreshold Success threshold for the readiness probe +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes +## +probes: + liveness: + initialDelaySeconds: 120 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + readiness: + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + +## @param doSourceAtEntry.enabled Does a `source` of the file paths defined before starting Anchore services +## @param doSourceAtEntry.filePaths List of file paths to `source` before starting Anchore services +## For example, if using hashicorp vault, set to /vault/secrets/config +## +doSourceAtEntry: + enabled: false + filePaths: [] + # - "/vault/secrets/config" + 
+## @param useExistingSecrets forgoes secret creation and uses the secret defined in existingSecretName +## When useExistingSecrets is set to `true` the chart will not create secrets specifying the environment variables used in deployments. +## Instead, the chart will use secrets that have already been applied to the namespace that this chart is being deployed to. +## +useExistingSecrets: false + +## @param existingSecretName Name of the existing secret to be used for Anchore Feeds Service +## +existingSecretName: anchore-enterprise-feeds-env + +## @param configOverride Allows for overriding the default Anchore configuration file +## This value can be used to pass in a custom configuration file for Anchore services +## This config file will be templated when it is added to the configmap, so Helm values and functions can be used +## +configOverride: {} + +##################################################################### +## @section Anchore Feeds Configuration Parameters +## Params used for all Anchore Feeds service configuration files +##################################################################### + +anchoreConfig: + ## @param anchoreConfig.service_dir Path to directory where default Anchore configs are placed at startup + ## This path must be a writable location for the pod + ## + service_dir: /anchore_service + + ## @param anchoreConfig.log_level The log level for Anchore services + ## options available: FATAL, ERROR, WARN, INFO, DEBUG, SPEW + ## + log_level: INFO + + ## @param anchoreConfig.keys.secret The shared secret used for signing & encryption, auto-generated by Helm if not set + ## @param anchoreConfig.keys.privateKeyFileName The file name of the private key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName + ## @param anchoreConfig.keys.publicKeyFileName The file name of the public key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName + ## Only one of 
anchoreConfig.keys.secret or anchoreConfig.keys.privateKeyFileName/anchoreConfig.keys.publicKeyFileName should be configured. + ## If all are set then the keys take precedence over the secret value. + ## + keys: + secret: "" + privateKeyFileName: "" + publicKeyFileName: "" + + ## @param anchoreConfig.user_authentication.oauth.enabled Enable OAuth for Anchore user authentication + ## @param anchoreConfig.user_authentication.oauth.default_token_expiration_seconds The expiration, in seconds, for OAuth tokens + ## @param anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds The expiration, in seconds, for OAuth refresh tokens + ## ref: https://docs.anchore.com/current/docs/installation/configuration/user_credential_storage/#bearer-tokensoauth2 + ## + ## @param anchoreConfig.user_authentication.hashed_passwords Enable storing passwords as secure hashes in the database + ## This can dramatically increase CPU usage if you don't also use OAuth and tokens for internal communications + ## WARNING: You should not change this after a system has been initialized as it may cause a mismatch in existing passwords + ## ref: https://docs.anchore.com/current/docs/installation/configuration/user_credential_storage/#configuring-hashed-passwords-and-oauth + ## + ## @param anchoreConfig.user_authentication.sso_require_existing_users set to true in order to disable the SSO JIT provisioning during authentication + ## This provides an additional layer of security and configuration for SSO users to gain access to Anchore. 
+ ## + user_authentication: + oauth: + enabled: false + default_token_expiration_seconds: 3600 + refresh_token_expiration_seconds: 86400 + hashed_passwords: false + sso_require_existing_users: false + + ## @param anchoreConfig.metrics.enabled Enable Prometheus metrics for all Anchore services + ## @param anchoreConfig.metrics.auth_disabled Disable auth on Prometheus metrics for all Anchore services + ## + metrics: + enabled: false + auth_disabled: false + + ## @param anchoreConfig.database.timeout + ## @param anchoreConfig.database.ssl Enable SSL/TLS for the database connection + ## @param anchoreConfig.database.sslMode The SSL mode to use for database connection + ## @param anchoreConfig.database.sslRootCertFileName File name of the database root CA certificate stored in the k8s secret specified with .Values.certStoreSecretName + ## @param anchoreConfig.database.db_pool_size The database max connection pool size + ## @param anchoreConfig.database.db_pool_max_overflow The maximum overflow size of the database connection pool + ## @param anchoreConfig.database.engineArgs Set custom database engine arguments for SQLAlchemy + ## ref: https://docs.sqlalchemy.org/en/14/core/engines.html#engine-creation-api + ## + database: + timeout: 120 + ssl: false + sslMode: require + sslRootCertFileName: "" + db_pool_size: 30 + db_pool_max_overflow: 100 + engineArgs: {} + + ## @param anchoreConfig.internalServicesSSL.enabled Force all Enterprise services to use SSL for internal communication + ## @param anchoreConfig.internalServicesSSL.verifyCerts Enable cert verification against the local cert bundle, if this set to false self-signed certs are allowed + ## @param anchoreConfig.internalServicesSSL.certSecretKeyFileName File name of the private key used for internal SSL stored in the secret specified in .Values.certStoreSecretName + ## @param anchoreConfig.internalServicesSSL.certSecretCertFileName File name of the root CA certificate used for internal SSL stored in the secret 
specified in .Values.certStoreSecretName + ## ref: https://docs.anchore.com/current/docs/installation/configuration/tls_ssl_config/ + ## + internalServicesSSL: + enabled: false + verifyCerts: false + certSecretKeyFileName: "" + certSecretCertFileName: "" + + feeds: + ## @param anchoreConfig.feeds.cycle_timers.driver_sync Time delay in seconds between consecutive driver runs for processing data + ## + cycle_timers: + driver_sync: 7200 + + drivers: + ## @param anchoreConfig.feeds.drivers.debian.releases Additional Debian feeds groups + ## + debian: + releases: {} + + ## @param anchoreConfig.feeds.drivers.ubuntu.releases Additional Ubuntu feed groups + ## + ubuntu: + releases: {} + + ## @param anchoreConfig.feeds.drivers.npm.enabled Enable vulnerability drivers for npm data + ## + npm: + enabled: false + + ## @param anchoreConfig.feeds.drivers.gem.enabled Enable vulnerability drivers for gem data + ## @param anchoreConfig.feeds.drivers.gem.db_connect Defines the database endpoint used for loading the rubygems package data as a PostgreSQL dump + ## + gem: + enabled: false + db_connect: "postgresql://${ANCHORE_GEM_DB_USER}:${ANCHORE_GEM_DB_PASSWORD}@${ANCHORE_GEM_DB_HOST}:${ANCHORE_GEM_DB_PORT}/${ANCHORE_GEM_DB_NAME}" + + ## @param anchoreConfig.feeds.drivers.nvdv2.api_key The NVD API key value + ## Request one from https://nvd.nist.gov/developers/request-an-api-key + ## + nvdv2: + api_key: null + + ## @param anchoreConfig.feeds.drivers.msrc.enabled Enable Microsoft feeds + ## @param anchoreConfig.feeds.drivers.msrc.whitelist MSRC product IDs for generating feed data, this extends the pre-defined list of product IDs + ## ref: https://docs.anchore.com/current/docs/installation/feeds/#driver-configuration + ## + msrc: + enabled: false + whitelist: [] + + ## @param anchoreConfig.feeds.drivers.github.enabled Enable GitHub advisory feeds (requires GitHub PAT) + ## ref: https://docs.anchore.com/current/docs/installation/feeds/#driver-configuration + ## @param 
anchoreConfig.feeds.drivers.github.token GitHub developer personal access token with zero permission scopes + ## ref: https://github.com/settings/tokens/new + ## + github: + enabled: false + token: null + +############################################# +## @section Anchore Feeds Database Parameters +############################################# + +feeds-db: + ## @param feeds-db.chartEnabled Use the dependent chart for Feeds Postgresql deployment + ## + chartEnabled: true + + ## @param feeds-db.externalEndpoint External Feeds Postgresql hostname when not using Helm managed chart (eg. mypostgres.myserver.io) + ## feeds-db.externalEndpoint, feeds-db.auth.username, feeds-db.auth.password, + ## feeds-db.auth.database, & feeds-db.postgresqlPort are required values for external Postgres + ## + externalEndpoint: "" + + ## @param feeds-db.auth.username Username used to connect to Postgresql + ## @param feeds-db.auth.password Password used to connect to Postgresql + ## @param feeds-db.auth.database Database name used when connecting to Postgresql + ## + auth: + username: anchore-feeds + password: anchore-postgres,123 + database: anchore-feeds + + primary: + ## @param feeds-db.primary.service.ports.postgresql Port used to connect to Postgresql + ## + service: + ports: + postgresql: 5432 + + ## @param feeds-db.primary.persistence.size Configure size of the persistent volume used with helm managed chart + ## + persistence: + size: 20Gi + + ## @param feeds-db.primary.extraEnvVars An array to add extra environment variables + ## + extraEnvVars: [] + + ## @param feeds-db.image.tag [obj] Specifies the image to use for this chart. 
+ ## + image: + tag: 13.11.0-debian-11-r15 + +####################################### +## @section Feeds Gem Database Parameters +####################################### + +gem-db: + ## @param gem-db.chartEnabled Use the dependent chart for Postgresql deployment + ## Configures a separate postgres database deployment for the feeds service Ruby Gems DB + ## requires feeds.gemDriverEnabled=true + ## + chartEnabled: false + + ## @param gem-db.externalEndpoint External Postgresql hostname when not using Helm managed chart (eg. mypostgres.myserver.io) + ## gem-db.externalEndpoint, gem-db.postgresqlUsername, gem-db.postgresqlPassword, + ## gem-db.postgresqlDatabase, & gem-db.postgresqlPort are required values for external Postgres + ## + externalEndpoint: "" + + ## @param gem-db.auth.username Username used to connect to Postgresql + ## @param gem-db.auth.password Password used to connect to Postgresql + ## @param gem-db.auth.database Database name used when connecting to Postgresql + ## + auth: + username: anchore-gem-feeds + password: anchore-postgres,123 + database: anchore-gem-feeds + + primary: + ## @param gem-db.primary.service.ports.postgresql Port used to connect to Postgresql + ## + service: + ports: + postgresql: 5432 + + ## @param gem-db.primary.persistence.size Configure size of the persistent volume used with helm managed chart + ## + persistence: + size: 20Gi + + ## @param gem-db.primary.extraEnvVars An array to add extra environment variables + ## + extraEnvVars: [] + + ## @param gem-db.image.tag [obj] Specifies the image to use for this chart. 
+ ## + image: + tag: 13.11.0-debian-11-r15 + +################################################ +## @section Anchore Feeds Upgrade Job Parameters +## Upgrade job uses a Helm post-install-hook +################################################ +feedsUpgradeJob: + ## @param feedsUpgradeJob.enabled Enable the Anchore Feeds database upgrade job + ## + enabled: true + + ## @param feedsUpgradeJob.force Force the Anchore Feeds database upgrade job to run as a regular job instead of as a Helm hook + ## + force: false + + ## @param feedsUpgradeJob.rbacCreate Create RBAC resources for the upgrade job + ## By default, the anchore upgrade job utilizes a service account that will be created to call kubectl to scale down the deployment before running the upgrade job. + ## The service account is granted deployment, deployment/scale, and pod permissions. See templates/hooks/pre-upgrade/db-upgrade-rbac.yaml for the full list of permissions + ## + rbacCreate: true + + ## @param feedsUpgradeJob.serviceAccountName Use an existing service account for the upgrade job + ## + serviceAccountName: "" + + ## @param feedsUpgradeJob.usePostUpgradeHook Use a Helm post-upgrade hook to run the upgrade job instead of the default pre-upgrade hook. This job does not require creating RBAC resources. + ## Uses the same mechanism for upgrades as the legacy anchore-engine chart. Not compatible with `helm upgrade --wait` or ArgoCD. 
+ ## + usePostUpgradeHook: false + + ## @param feedsUpgradeJob.nodeSelector Node labels for the Anchore Feeds upgrade job pod assignment + ## + nodeSelector: {} + + ## @param feedsUpgradeJob.tolerations Tolerations for the Anchore Feeds upgrade job pod assignment + ## + tolerations: [] + + ## @param feedsUpgradeJob.affinity Affinity for the Anchore Feeds upgrade job pod assignment + ## + affinity: {} + + ## @param feedsUpgradeJob.annotations Annotations for the Anchore Feeds upgrade job + ## + annotations: {} + + ## @param feedsUpgradeJob.labels Labels for the Anchore Feeds upgrade job + ## + labels: {} + + ## @param feedsUpgradeJob.resources Resources for the Anchore Feeds upgrade job + ## + resources: {} + +############################## +## @section Ingress Parameters +############################## +ingress: + ## @param ingress.enabled Create an ingress resource for external Anchore service APIs + ## ref: https://kubernetes.io/docs/user-guide/ingress/ + ## + enabled: false + + ## @param ingress.labels Labels for the ingress resource + ## + labels: {} + + ## @param ingress.annotations [object] Annotations for the ingress resource + ## By default this chart is setup to use an NGINX ingress controller, which needs to be installed & configured on your cluster + ## ref: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/ingress/annotations/ + ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md + ## ref: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features + ## + annotations: + kubernetes.io/ingress.class: nginx + + ## @param ingress.hosts List of custom hostnames for the Anchore Feeds API + ## + hosts: [] + + ## @param ingress.path The path used for accessing the Anchore Feeds API + ## + path: /v1/feeds + + ## @param ingress.tls Configure tls for the ingress resource + ## Secrets must be manually created in the release namespace + ## ref: 
https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + ## @param ingress.ingressClassName sets the ingress class name. As of k8s v1.18, this should be nginx + ## ref: # Reference: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: nginx + +######################################### +## @section Google CloudSQL DB Parameters +######################################### +cloudsql: + ## @param cloudsql.enabled Use CloudSQL proxy container for GCP database access + ## + enabled: false + + ## @param cloudsql.image Image to use for GCE CloudSQL Proxy + ## + image: gcr.io/cloudsql-docker/gce-proxy:1.25.0 + + ## @param cloudsql.imagePullPolicy Image Pull Policy to use for CloudSQL image + ## + imagePullPolicy: IfNotPresent + + ## @param cloudsql.instance CloudSQL instance, eg: 'project:zone:instancename' + ## + instance: "" + + ## @param cloudsql.useExistingServiceAcc Use existing service account + ## If using an existing Service Account, you must create a secret which includes the JSON token from Google's IAM + ## ref: https://cloud.google.com/sql/docs/postgres/authentication + ## + useExistingServiceAcc: false + + ## @param cloudsql.serviceAccSecretName + ## + serviceAccSecretName: "" + + ## @param cloudsql.serviceAccJsonName + ## + serviceAccJsonName: "" + + ## @param cloudsql.extraArgs a list of extra arguments to be passed into the cloudsql container command. eg + ## extraArgs: + ## - "-ip_address_types=PRIVATE" + ## - "-enable_iam_login" + ## + extraArgs: [] From 7e2d338a6ae8eb5fbd7cd04d4ee77962dd5278fb Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 1 Sep 2023 15:18:05 -0700 Subject: [PATCH 164/329] update unittest snapshots Signed-off-by: Brady Todhunter --- stable/feeds/tests/__snapshot__/configmap_test.yaml.snap | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap index f3de6146..77f9853c 100644 --- a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap @@ -124,7 +124,7 @@ should render the configmaps: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: test-release-feeds app.kubernetes.io/part-of: anchore - app.kubernetes.io/version: 4.8.1 + app.kubernetes.io/version: 4.9.0 bar: baz-label foo: bar-label helm.sh/chart: feeds-0.0.1 From 695debc9242552ec12a92f37d4498b72d258501e Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 1 Sep 2023 15:42:56 -0700 Subject: [PATCH 165/329] add updated ct-config.yaml file Signed-off-by: Brady Todhunter --- ct-config.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ct-config.yaml b/ct-config.yaml index bce61731..3a98b7d1 100644 --- a/ct-config.yaml +++ b/ct-config.yaml @@ -2,5 +2,6 @@ remote: origin target-branch: main chart-dirs: - stable -chart-repos: - - bitnami=https://charts.bitnami.com/bitnami \ No newline at end of file +namespace: anchore +release-label: anchore +helm-extra-args: --timeout 600s \ No newline at end of file From 1bece0e948fe11c6b5f8d06bf08ed1e67f4e01e8 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 1 Sep 2023 15:51:49 -0700 Subject: [PATCH 166/329] Add Anchore Enterprise Chart 
Signed-off-by: Brady Todhunter Co-authored-by: Hung Nguyen --- stable/enterprise/.helmignore | 2 + stable/enterprise/Chart.lock | 12 + stable/enterprise/Chart.yaml | 45 + stable/enterprise/README.md | 1066 +++++++++++++ stable/enterprise/files/default_config.yaml | 252 ++++ stable/enterprise/templates/NOTES.txt | 22 + stable/enterprise/templates/_common.tpl | 321 ++++ stable/enterprise/templates/_helpers.tpl | 122 ++ stable/enterprise/templates/_names.tpl | 76 + .../templates/analyzer_configmap.yaml | 15 + .../templates/analyzer_deployment.yaml | 70 + .../templates/anchore_configmap.yaml | 17 + .../enterprise/templates/anchore_secret.yaml | 34 + .../enterprise/templates/api_deployment.yaml | 116 ++ .../templates/catalog_deployment.yaml | 94 ++ .../templates/envvars_configmap.yaml | 99 ++ .../hooks/post-upgrade/upgrade_job.yaml | 56 + .../hooks/pre-upgrade/upgrade_job.yaml | 70 + .../hooks/pre-upgrade/upgrade_rbac.yaml | 76 + stable/enterprise/templates/ingress.yaml | 169 +++ .../templates/notifications_deployment.yaml | 71 + .../templates/policybundle_configmap.yaml | 14 + .../templates/policyengine_deployment.yaml | 82 + .../templates/rbacmanager_deployment.yaml | 71 + .../templates/reports_deployment.yaml | 70 + .../templates/simplequeue_deployment.yaml | 69 + stable/enterprise/templates/ui_configmap.yaml | 47 + .../enterprise/templates/ui_deployment.yaml | 137 ++ stable/enterprise/templates/ui_secret.yaml | 25 + stable/enterprise/test/env_vars.yaml | 20 + .../__snapshot__/configmap_test.yaml.snap | 491 ++++++ .../prehook_upgrade_resources_test.yaml.snap | 109 ++ .../tests/analyzer_resources_test.yaml | 307 ++++ .../enterprise/tests/api_resources_test.yaml | 451 ++++++ .../tests/catalog_resources_test.yaml | 365 +++++ .../enterprise/tests/common_helpers_test.yaml | 1005 +++++++++++++ stable/enterprise/tests/configmap_test.yaml | 31 + .../tests/notifications_resources_test.yaml | 296 ++++ .../tests/policyengine_resources_test.yaml | 334 ++++ 
.../posthook_upgrade_resources_test.yaml | 230 +++ .../tests/prehook_upgrade_resources_test.yaml | 306 ++++ .../tests/rbacmanager_resources_test.yaml | 293 ++++ .../tests/reports_resources_test.yaml | 293 ++++ .../tests/simplequeue_resources_test.yaml | 268 ++++ .../enterprise/tests/ui_resources_test.yaml | 304 ++++ stable/enterprise/tests/values.yaml | 40 + stable/enterprise/values.yaml | 1337 +++++++++++++++++ 47 files changed, 9800 insertions(+) create mode 100644 stable/enterprise/.helmignore create mode 100644 stable/enterprise/Chart.lock create mode 100644 stable/enterprise/Chart.yaml create mode 100644 stable/enterprise/README.md create mode 100644 stable/enterprise/files/default_config.yaml create mode 100644 stable/enterprise/templates/NOTES.txt create mode 100644 stable/enterprise/templates/_common.tpl create mode 100644 stable/enterprise/templates/_helpers.tpl create mode 100644 stable/enterprise/templates/_names.tpl create mode 100644 stable/enterprise/templates/analyzer_configmap.yaml create mode 100644 stable/enterprise/templates/analyzer_deployment.yaml create mode 100644 stable/enterprise/templates/anchore_configmap.yaml create mode 100644 stable/enterprise/templates/anchore_secret.yaml create mode 100644 stable/enterprise/templates/api_deployment.yaml create mode 100644 stable/enterprise/templates/catalog_deployment.yaml create mode 100644 stable/enterprise/templates/envvars_configmap.yaml create mode 100644 stable/enterprise/templates/hooks/post-upgrade/upgrade_job.yaml create mode 100644 stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml create mode 100644 stable/enterprise/templates/hooks/pre-upgrade/upgrade_rbac.yaml create mode 100644 stable/enterprise/templates/ingress.yaml create mode 100644 stable/enterprise/templates/notifications_deployment.yaml create mode 100644 stable/enterprise/templates/policybundle_configmap.yaml create mode 100644 stable/enterprise/templates/policyengine_deployment.yaml create mode 100644 
stable/enterprise/templates/rbacmanager_deployment.yaml create mode 100644 stable/enterprise/templates/reports_deployment.yaml create mode 100644 stable/enterprise/templates/simplequeue_deployment.yaml create mode 100644 stable/enterprise/templates/ui_configmap.yaml create mode 100644 stable/enterprise/templates/ui_deployment.yaml create mode 100644 stable/enterprise/templates/ui_secret.yaml create mode 100644 stable/enterprise/test/env_vars.yaml create mode 100644 stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap create mode 100644 stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap create mode 100644 stable/enterprise/tests/analyzer_resources_test.yaml create mode 100644 stable/enterprise/tests/api_resources_test.yaml create mode 100644 stable/enterprise/tests/catalog_resources_test.yaml create mode 100644 stable/enterprise/tests/common_helpers_test.yaml create mode 100644 stable/enterprise/tests/configmap_test.yaml create mode 100644 stable/enterprise/tests/notifications_resources_test.yaml create mode 100644 stable/enterprise/tests/policyengine_resources_test.yaml create mode 100644 stable/enterprise/tests/posthook_upgrade_resources_test.yaml create mode 100644 stable/enterprise/tests/prehook_upgrade_resources_test.yaml create mode 100644 stable/enterprise/tests/rbacmanager_resources_test.yaml create mode 100644 stable/enterprise/tests/reports_resources_test.yaml create mode 100644 stable/enterprise/tests/simplequeue_resources_test.yaml create mode 100644 stable/enterprise/tests/ui_resources_test.yaml create mode 100644 stable/enterprise/tests/values.yaml create mode 100644 stable/enterprise/values.yaml diff --git a/stable/enterprise/.helmignore b/stable/enterprise/.helmignore new file mode 100644 index 00000000..4f68e0e2 --- /dev/null +++ b/stable/enterprise/.helmignore @@ -0,0 +1,2 @@ +.git +tests/ \ No newline at end of file 
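Review bot: The new `.helmignore` excludes `tests/` but not `test/`, and this same commit also adds `stable/enterprise/test/env_vars.yaml` (listed in the diffstat above), so that file will be bundled into every packaged chart by `helm package`. Unless it is meant to ship to users, add a `test/` line next to `tests/` (or consolidate the two directories so one pattern covers both). The file also ends without a trailing newline, which most editors and linters will keep flagging on later edits.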
diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock
new file mode 100644
index 00000000..c5391123
--- /dev/null
+++ b/stable/enterprise/Chart.lock
@@ -0,0 +1,12 @@
+dependencies:
+- name: postgresql
+ repository: oci://registry-1.docker.io/bitnamicharts
+ version: 12.5.9
+- name: redis
+ repository: oci://registry-1.docker.io/bitnamicharts
+ version: 17.11.8
+- name: feeds
+ repository: https://charts.anchore.io/stable
+ version: 0.0.1
+digest: sha256:6d7eeac8b08d99ba32f67ea08376555faa642520eadcfb1b966d9b2c0cbf7778
+generated: "2023-09-01T15:50:02.118283-07:00"
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml
new file mode 100644
index 00000000..550fbc21
--- /dev/null
+++ b/stable/enterprise/Chart.yaml
@@ -0,0 +1,45 @@
+apiVersion: v2
+name: enterprise
+version: "0.0.1"
+appVersion: "4.9.0"
+kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x
+description: |
+ Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems,
+ it allows developers to bolster security without compromising velocity and enables security teams to audit and verify compliance in real-time.
+ It is based on Anchore Engine, an open-source image inspection and scanning tool.
+keywords:
+ - analysis
+ - docker
+ - anchore
+ - "anchore-engine"
+ - "anchore-enterprise"
+ - image
+ - security
+ - vulnerability
+ - scanner
+home: https://anchore.com
+sources:
+ - https://github.com/anchore/anchore-charts/tree/master/stable/enterprise
+maintainers:
+ - name: zhill
+ email: zach@anchore.com
+ - name: btodhunter
+ email: bradyt@anchore.com
+icon: https://anchore.com/wp-content/uploads/2016/08/anchore.png
+dependencies:
+ - name: postgresql
+ version: "~12.5"
+ repository: "oci://registry-1.docker.io/bitnamicharts"
+ condition: postgresql.chartEnabled
+ - name: redis
+ version: "~17.11"
+ repository: "oci://registry-1.docker.io/bitnamicharts"
+ condition: ui-redis.chartEnabled
+ alias: ui-redis
+ - name: feeds
+ version: "0.0.1"
+ repository: "https://charts.anchore.io/stable"
+ condition: feeds.chartEnabled
+ import-values:
+ - child: service
+ parent: feeds.service
diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md
new file mode 100644
index 00000000..1ef55d2c
--- /dev/null
+++ b/stable/enterprise/README.md
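Review bot: The `postgresql` and `redis` dependencies are declared with floating tilde ranges (`version: "~12.5"`, `version: "~17.11"`) against `oci://registry-1.docker.io/bitnamicharts`, so the exact pins (12.5.9 / 17.11.8) exist only in the accompanying Chart.lock and are silently re-resolved, along with its digest, by any `helm dependency update`. If the lock is meant to be the supply-chain anchor, the release and CI steps should use `helm dependency build` (which refuses a lock that no longer matches Chart.yaml) rather than `update`, and a short comment on the `dependencies:` block stating that intent would save the next maintainer from "fixing" the ranges. Separately, `sources` points at `anchore-charts/tree/master/...` while ct-config.yaml and the README in this same commit refer to `main`; this looks like a stale branch name, but I cannot confirm from the diff alone.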
@@ -0,0 +1,1066 @@ +# Anchore Enterprise Helm Chart + +This Helm chart deploys Anchore Enterprise on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Anchore Enterprise is an software bill of materials (SBOM) - powered software supply chain management solution designed for a cloud-native world. It provides continuous visibility into supply chain security risks. Anchore Enterprise takes a developer-friendly approach that minimizes friction by embedding automation into development toolchains to generate SBOMs and accurately identify vulnerabilities, malware, misconfigurations, and secrets for faster remediation. + +See the [Anchore Enterprise Documentation](https://docs.anchore.com) for more details. + +## Table of Contents + +- [Prerequisites](#prerequisites) +- [Installing the Chart](#installing-the-chart) +- [Uninstalling the Chart](#uninstalling-the-chart) +- [Configuration](#configuration) + - [External Database Setup](#external-database-setup) + - [Enterprise Feeds Configuration](#enterprise-feeds-configuration) + - [Analyzer Image Layer Cache Configuration](#analyzer-image-layer-cache-configuration) + - [Configuring Object Storage](#configuring-object-storage) + - [Configuring Analysis Archive Storage](#configuring-analysis-archive-storage) + - [Existing Secrets](#existing-secrets) + - [Ingress](#ingress) + - [Configuring The ALB Ingress Controller](#configuring-the-alb-ingress-controller) + - [SSO](#sso) + - [Prometheus Metrics](#prometheus-metrics) + - [Scaling Individual Services](#scaling-individual-services) + - [Using TLS Internally](#using-tls-internally) + - [Anchore Enterprise Notifications](#anchore-enterprise-notifications) + - [Anchore Enterprise Reports](#anchore-enterprise-reports) + - [Installing on Openshift](#installing-on-openshift) +- [Parameters](#parameters) +- [Release Notes](#release-notes) + +## Prerequisites + +* [Helm](https://helm.sh/) >=3.8- [Anchore Enterprise Helm 
Chart](#anchore-enterprise-helm-chart) +* [Kubernetes](https://kubernetes.io/) >=1.23 + +## Installing the Chart + +**View the [Chart Release Notes](#release-notes) for the latest changes prior to installation or upgrading.** + +Create a kubernetes secret containing your license file + +```shell +export LICENSE_PATH="PATH TO LICENSE.YAML" + +kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=${LICENSE_PATH} +``` + +Create a kubernetes secret containing DockerHub credentials with access to the private Anchore Enterprise repositories. Contact [Anchore Support](https://get.anchore.com/contact/) for access. + +```shell +export DOCKERHUB_PASSWORD="YOUR DOCKERHUB PASSWORD" +export DOCKERHUB_USER="YOUR DOCKERHUB USERNAME" +export DOCKERHUB_EMAIL="YOUR EMAIL ADDRESS" + +kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=${DOCKERHUB_USER} --docker-password=${DOCKERHUB_PASSWORD} --docker-email=${DOCKERHUB_EMAIL} +``` + +Add Helm Chart Repository And Install Chart + +```shell +helm repo add anchore https://charts.anchore.io +``` + +Create a new file named `anchore_values.yaml` and add all desired custom [values](#parameters); then run the following command: + +> **Note:** Passwords are set to defaults specified in the chart. It is strongly recommended to change passwords from the defaults when deploying. + +```shell +export RELEASE="YOUR RELEASE NAME" + +helm install ${RELEASE} -f anchore_values.yaml anchore/enterprise +``` + +> **Note:** This installs Anchore Enterprise with a chart-managed Postgresql database, which may not be a production ready configuration. + +Anchore Enterprise will take several minutes to bootstrap. After the initial bootstrap period, Anchore Enterprise will begin a vulnerability feed sync. Until the sync is completed, image analysis will show zero vulnerabilities. 
**This sync can take multiple hours depending on which feeds are enabled.** The following [anchorectl](https://docs.anchore.com/current/docs/deployment/anchorectl/) command is available to poll and report back when the system is bootstrapped and vulnerability feeds have finished syncing: + +```shell +export RELEASE="YOUR RELEASE NAME" + +export ANCHORECTL_PASSWORD=$(kubectl get secret "${RELEASE}-enterprise" -o ‘go-template={{index .data “ANCHORE_ADMIN_PASSWORD”}}’ | base64 -D -) + +# port forward or set up ingress for anchorectl; example, in another terminal: +# kubectl port-forward svc/${RELEASE}-enterprise-api 8228:8228 + +anchorectl system wait # anchorectl defaults to the user admin, and to the password ${ANCHORECTL_PASSWORD} automatically if set +``` + +> **Tip**: List all releases using `helm list` + +These commands deploy Anchore Enterprise on the Kubernetes cluster with default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +## Uninstalling the Chart + +To uninstall/delete the deployment: + +```bash +export RELEASE="YOUR RELEASE NAME" + +helm delete ${RELEASE} +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration + +The following sections describe the various configuration options available for Anchore Enterprise. The default configuration is set in the included [values file](https://github.com/anchore/anchore-charts-dev/blob/main/stable/enterprise/values.yaml). To override these values, create a custom `anchore_values.yaml` file and add the desired configuration options. Your custom values file can be passed to `helm install` using the `-f` flag. + +Contact [Anchore Support](get.anchore.com/contact/) for more assistance with configuring your deployment. + +### External Database Setup + +Anchore Enterprise requires access to a Postgres-compatible database, version 13 or higher to operate. 
An external database such as AWS RDS or Google CloudSQL is recommended for production deployments. The Helm chart provides a chart-managed database by default unless otherwise configured. + +A minimum of 100GB allocated storage is recommended for images, tags, subscriptions, policies, and other artifacts. The database should be configured for max client connections of at least 2000. This may need to be increased when running more than the default number of Anchore services. + +#### External Postgres Database Configuration + +```yaml +postgresql: + chartEnabled: false + + # auth.username, auth.password & auth.database are required values for external Postgres + auth.password: + auth.username: + auth.database: + + # Required for external Postgres. + # Specify an external (already existing) Postgres deployment for use. + # Set to the host eg. mypostgres.myserver.io + externalEndpoint: + +anchoreConfig: + database: + ssl: true + sslMode: require + +``` + +#### RDS Postgres Database Configuration With TLS + +Note that the `postgresql:` configuration section is the same as the previous example. + +```yaml +certStoreSecretName: some-cert-store-secret + +anchoreConfig: + database: + ssl: true + sslMode: verify-full + # sslRootCertName is the name of the Postgres root CA certificate stored in certStoreSecretName + sslRootCertFileName: postgres-root-ca-cert + +``` + +To get a AWS RDS Postgres certificate bundle that contains both the intermediate and root certificates for all AWS Regions, download [here](https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem). + +An example of creating the certificate secret can be found in [TLS Configuration](#using-tls-internally). 
+ +#### Google CloudSQL Database Configuration + +```yaml +## anchore_values.yaml +postgresql: + chartEnabled: false + auth.password: + auth.username: + auth.database: + +cloudsql: + # To use CloudSQL in GKE set 'enable: true' + enabled: true + # set CloudSQL instance: 'project:zone:instancename' + instance: "project:zone:instancename" + # Optional existing service account secret to use. See https://cloud.google.com/sql/docs/postgres/authentication + useExistingServiceAcc: true + # If using an existing Service Account, you must create a secret (named my_service_acc in the example below) + # which includes the JSON token from Google's IAM (corresponding to for_cloudsql.json in the example below) + serviceAccSecretName: my_service_acc + serviceAccJsonName: for_cloudsql.json +``` + +### Enterprise Feeds Configuration + +The Anchore Enterprise Feeds service is provided as a dependent [Helm chart](https://github.com/anchore/anchore-charts/tree/main/stable/feeds). This service is comprised of different drivers for different vulnerability feeds. The drivers can be configured separately, and some drivers require a token or other credential. + +See the [Anchore Enterprise Feeds](https://docs.anchore.com/current/docs/configuration/feeds/) documentation for details. + +```yaml +feeds: + anchoreConfig: + feeds: + github: + enabled: true + # The GitHub feeds driver requires a GitHub developer personal access token with no permission scopes selected. + # See https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token + token: your-github-token + + # Enable microsoft feeds + msrc: + enabled: true +``` + +#### Enterprise Feeds External Database Configuration + +Anchore Enterprise Feeds require access to a Postgres-compatible database, version 13 or higher to operate. Note that this is a separate database from the primary Anchore Enterprise database. 
For Enterprise Feeds, an external database such as AWS RDS or Google CloudSQL is recommended for production deployments. The Helm chart provides a chart-managed database by default unless otherwise configured. + +See previous examples of configuring RDS Postgres and Google CloudSQL. + +```yaml +feeds: + anchoreConfig: + database: + ssl: true + sslMode: require + + feeds-db: + # enabled: false disables the chart-managed Postgres instance; this is a Helmism + enabled: false + + # auth.username, auth.password & auth.database are required values for external Postgres + auth.password: + auth.username: + auth.database: + + # Required for external Postgres. + # Specify an external (already existing) Postgres deployment for use. + # Set to the host eg. mypostgres.myserver.io + externalEndpoint: + +``` + +### Analyzer Image Layer Cache Configuration + +To improve performance, the Anchore Enterprise Analyzer can be configured to cache image layers. This can be +particularly helpful if many images analyzed are built from the same set of base images. + +It is recommended that layer cache data is stored in an external volume to ensure that the cache does not use all +of the ephemeral storage allocated for an analyzer host. See [Anchore Enterprise Layer Caching](https://docs.anchore.com/current/docs/configuration/storage/layer_caching/) +documentation for details. + +```yaml +anchoreConfig: + analyzer: + # Enable image layer caching by setting a cache size > 0GB. + layer_cache_max_gigabytes: 6 +``` + +Refer to the default values file for configuring the analysis scratch volume. + +### Configuring Object Storage + +Anchore Enterprise stores metadata for images, tags, policies, and subscriptions. + +#### Configuring The Object Storage Backend + +In addition to a database (Postgres) storage backend, Anchore Enterprise object storage drivers +also support S3 and Swift storage. This enables scalable external object storage without burdening Postgres. 
+
+**Note: Using external object storage is recommended for production usage.**
+
+- [Database backend](https://docs.anchore.com/current/docs/configuration/storage/object_store/database_driver/): Postgres database backend; this is the default, so using Postgres as the analysis archive storage backend requires no additional configuration
+- [Local FS backend](https://docs.anchore.com/current/docs/configuration/storage/object_store/filesystem_driver/): A local filesystem on the core pod (Does not handle sharding or replication; generally recommended only for testing)
+- [OpenStack Swift backend](https://docs.anchore.com/current/docs/configuration/storage/object_store/swift_driver/)
+- [S3 backend](https://docs.anchore.com/current/docs/configuration/storage/object_store/s3_driver/): Any AWS S3 API compatible system (e.g. MinIO, Scality)
+
+### Configuring Analysis Archive Storage
+
+The analysis archive subsystem of Anchore Enterprise stores large JSON documents and can consume a large amount of storage
+depending on the volume of images analyzed. A general rule for storage provisioning is 10MB per image analyzed. Thus with thousands of
+analyzed images, you may need many gigabytes of storage. The analysis archive allows configuration of compression and storage backend.
+
+Configuration of external analysis archive storage is essentially identical to configuration of external object storage. See [Anchore Enterprise Analysis Archive](https://docs.anchore.com/current/docs/configuration/storage/analysis_archive/) documentation for details.
+
+**Note: Using external analysis archive storage is recommended for production usage.**
+
+### Existing Secrets
+
+For deployment scenarios that require version-controlled configuration to be used, it is recommended that credentials not be stored in values files.
+To accomplish this, you can manually create Kubernetes secrets and specify them as existing secrets in your values files. 
+
+Below we show example Kubernetes secret objects, and how they would be used in Anchore Enterprise configuration.
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: anchore-enterprise-env
+type: Opaque
+stringData:
+ ANCHORE_ADMIN_PASSWORD: ""
+ ANCHORE_DB_PASSWORD: ""
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: anchore-enterprise-ui-env
+type: Opaque
+stringData:
+ ANCHORE_ADMIN_PASSWORD: ""
+ ANCHORE_APPDB_URI: "postgresql://:@:5432/"
+ ANCHORE_REDIS_URI: "redis://nouser:@:6379"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: anchore-enterprise-feeds-env
+ app: anchore
+type: Opaque
+stringData:
+ ANCHORE_ADMIN_PASSWORD: ""
+ ANCHORE_FEEDS_DB_PASSWORD: ""
+```
+
+```yaml
+useExistingSecrets: true
+
+feeds:
+ useExistingSecrets: true
+```
+
+### Ingress
+
+[Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. Kubernetes supports a variety of ingress controllers, including AWS ALB controllers and GCE controllers.
+
+This Helm chart provides basic ingress configuration suitable for customization. You can expose routes for Anchore Enterprise external APIs including the core external API, UI, reporting, RBAC, and feeds by configuring the `ingress:` section in your values file.
+
+Ingress is disabled by default in the Helm chart. The NGINX ingress controller with the core API and UI routes can be enabled by changing the `ingress.enabled` value to `true`.
+
+Note that the [Kubernetes NGINX ingress controller](https://kubernetes.github.io/ingress-nginx/) must be installed into the cluster for this configuration to work. 
+
+```yaml
+ingress:
+ enabled: true
+```
+
+### Configuring The ALB Ingress Controller
+
+Note that the [Kubernetes ALB ingress controller](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) must be installed into the cluster for this configuration to work.
+
+```yaml
+ingress:
+ enabled: true
+ annotations:
+ kubernetes.io/ingress.class: alb
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ apiPath: /v1/*
+ uiPath: /*
+ apiHosts:
+ - anchore-api.example.com
+ uiHosts:
+ - anchore-ui.example.com
+
+api:
+ service:
+ type: NodePort
+
+ui:
+ service:
+ type: NodePort
+```
+
+#### GCE Ingress Controller
+
+Note that the [Kubernetes GCE ingress controller](https://cloud.google.com/kubernetes-engine/docs/concepts/ingress) must be installed into the cluster for this configuration to work.
+
+```yaml
+ingress:
+ enabled: true
+ annotations:
+ kubernetes.io/ingress.class: gce
+ apiPath: /v1/*
+ uiPath: /*
+ apiHosts:
+ - anchore-api.example.com
+ uiHosts:
+ - anchore-ui.example.com
+
+api:
+ service:
+ type: NodePort
+
+ui:
+ service:
+ type: NodePort
+```
+
+### SSO
+
+See [Anchore Enterprise SSO](https://docs.anchore.com/current/docs/configuration/sso/) documentation for information on configuring single sign-on.
+
+```yaml
+anchoreConfig:
+ user_authentication:
+ oauth:
+ enabled: true
+ # WARNING: You should not change hashed_paswords after a system has been initialized as it may cause a mismatch in existing passwords
+ hashed_passwords: true
+```
+
+### Prometheus Metrics
+
+Anchore Enterprise supports exporting Prometheus metrics from each container.
+
+```yaml
+anchoreConfig:
+ metrics:
+ enabled: true
+ auth_disabled: true
+```
+
+When enabled, each service provides metrics over its existing service port, so your Prometheus deployment will need to
+know about each pod and the ports it provides. You'll need to know this if adding Prometheus manually to your deployment. 
+
+If using the [Prometheus operator](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md), a ServiceMonitor can be deployed into your cluster (in same namespace as your Anchore Enterprise release) and the Prometheus operator will start scraping the configured endpoints for metrics.
+
+#### Example ServiceMonitor Configuration
+
+The `targetPort` values in this example use the default Anchore Enterprise service ports.
+
+Note that you will require a ServiceAccount for Prometheus (referenced in the Prometheus configuration below).
+
+```yaml
+---
+apiVersion: monitoring.coreos.com/v1
+kind: Prometheus
+metadata:
+ name: prometheus
+ namespace:
+ labels:
+ prometheus: prometheus
+spec:
+ replicas: 1
+ serviceAccountName: prometheus
+ serviceMonitorSelector:
+ matchLabels:
+ serviceMonitorName: anchore
+
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: anchore-prom-metrics
+ namespace:
+ labels:
+ serviceMonitorName: anchore # from Prometheus configuration above
+spec:
+ namespaceSelector:
+ matchNames:
+ -
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance:
+ endpoints:
+ # api
+ - targetPort: 8228
+ interval: 30s
+ path: /metrics
+ scheme: http
+ # catalog
+ - targetPort: 8082
+ interval: 30s
+ path: /metrics
+ scheme: http
+ # policy engine
+ - targetPort: 8087
+ interval: 30s
+ path: /metrics
+ scheme: http
+ # simple queue
+ - targetPort: 8083
+ interval: 30s
+ path: /metrics
+ scheme: http
+ # feeds
+ - targetPort: 8448
+ interval: 30s
+ path: /metrics
+ scheme: http
+ # reports
+ - targetPort: 8558
+ interval: 30s
+ path: /metrics
+ scheme: http
+ # notifications
+ - targetPort: 8668
+ interval: 30s
+ path: /metrics
+ scheme: http
+ # RBAC manager
+ - targetPort: 8229
+ interval: 30s
+ path: /metrics
+ scheme: http
+```
+
+### Scaling Individual Services
+
+Anchore Enterprise services can be scaled by adjusting replica counts. 
+
+To set a specific number of service containers:
+
+```yaml
+analyzer:
+ replicaCount: 5
+
+policyEngine:
+ replicaCount: 3
+```
+
+To update the number in a running configuration:
+
+```shell
+export RELEASE="YOUR-RELEASE-NAME"
+
+helm upgrade --set analyzer.replicaCount=2 ${RELEASE} anchore/enterprise -f anchore_values.yaml
+```
+
+Contact [Anchore Support](https://get.anchore.com/contact/) for assistance in scaling and tuning your Anchore Enterprise installation.
+
+### Using TLS Internally
+
+Communication between Anchore Enterprise services can be configured with TLS. See the [Anchore TLS](https://docs.anchore.com/current/docs/configuration/tls_ssl/) documentation for more information.
+
+A Kubernetes secret needs to be created in the same namespace as the chart installation. This secret should contain all custom certificates, including CA certificates and any certificates used for internal TLS communication.
+
+This secret will be mounted to all Anchore Enterprise containers at `/home/anchore/certs`. The Anchore Enterprise entrypoint script configures all certificates found in `/home/anchore/certs` along with the operating system's default CA bundle.
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: anchore-tls-certs
+ namespace: ...
+type: Opaque
+data:
+ internal-ca-cert-bundle.pam:
+[base64 encoded text]
+ rds-combined-ca-cert-bundle.pem:
+[base64 encoded text]
+ internal-cert.pem:
+[base64 encoded text]
+ internal-cert-key.pem:
+[base64 encoded text]
+ ldap-combined-ca-cert-bundle.pem:
+[base64 encoded text]
+```
+
+Values configuration corresponding to above example secret:
+
+```yaml
+certStoreSecretName: anchore-tls-certs
+
+anchoreConfig:
+ database:
+ timeout: 120
+ # Use SSL, but the default Postgres config in helm's stable repo does not support SSL on server side, so this should be set for external DBs only. 
+ # All SSL dbConfig values are only utilized when ssl=true
+ ssl: true
+ sslMode: verify-full
+ # sslRootCertName is the name of the Postgres root CA certificate stored in certStoreSecretName
+ sslRootCertFileName: rds-combined-ca-cert-bundle.pem
+
+ internalServicesSSL:
+ # Set internalServicesSSL.enabled to true to force all Enterprise services to use SSL for internal communication
+ enabled: true
+ # Specify whether cert is verfied against the local certifacte bundle (If set to false, self-signed certs are allowed)
+ verifyCerts: true
+ certSecretKeyFileName: internal-cert-key.pem
+ certSecretCertFileName: internal-cert.pem
+
+ui:
+ ldapsRootCaCertName: ldap-combined-ca-cert-bundle.pem
+```
+
+### Anchore Enterprise Notifications
+
+Anchore Enterprise includes Notifications service to alert external endpoints about the system’s activity. Notifications can be configured to send alerts to Slack, GitHub Issues, and Jira.
+
+See the [Anchore Notifications](https://docs.anchore.com/current/docs/configuration/notifications/) documentation for details.
+
+### Anchore Enterprise Reports
+
+Anchore Enterprise Reports aggregates data to provide insightful analytics and metrics for account-wide artifacts. The service employs GraphQL to expose a rich API for querying the aggregated data and metrics.
+
+See the [Anchore Reports](https://docs.anchore.com/current/docs/configuration/reports/) documentation for details.
+
+### Installing on Openshift
+
+As of August 2nd, 2023, helm does not support passing `null` values to child/dependency charts. See the [helm issue](https://github.com/helm/helm/issues/9027) for more details. With the feeds chart being a dependency, you will need to deploy the `feeds` chart as a standalone chart and point the `enterprise` deployment to the standalone feeds deployment. 
Also note that you need to disable or set the appropriate values for the containerSecurityContext, runAsUser, and fsGroup for ui-redis and any postgres db you're using the enteprise chart to deploy (eg. postgresql.chartEnabled or feeds-db.chartEnabled).
+
+For example:
+
+1. deploy feeds chart as a standalone deployment
+```shell
+helm install feedsy anchore/feeds \
+ --set securityContext.fsGroup=null \
+ --set securityContext.runAsGroup=null \
+ --set securityContext.runAsUser=null \
+ --set feeds-db.primary.containerSecurityContext.enabled=false \
+ --set feeds-db.primary.podSecurityContext.enabled=false
+```
+
+2. deploy the enterprise chart with appropriate values
+```shell
+helm install anchore . \
+ --set securityContext.fsGroup=null \
+ --set securityContext.runAsGroup=null \
+ --set securityContext.runAsUser=null \
+ --set feeds.chartEnabled=false \
+ --set feeds.url=feedsy-feeds \
+ --set postgresql.primary.containerSecurityContext.enabled=false \
+ --set postgresql.primary.podSecurityContext.enabled=false \
+ --set ui-redis.master.podSecurityContext.enabled=false \
+ --set ui-redis.master.containerSecurityContext.enabled=false
+```
+
+Note: disabling the containerSecurityContext and podSecurityContext may not be suitable for production. See [Redhat's documentation](https://docs.openshift.com/container-platform/4.13/authentication/managing-security-context-constraints.html#managing-pod-security-policies) on what may be suitable for production.
+
+For more information on the openshift.io/sa.scc.uid-range annotation, see the [openshift docs](https://docs.openshift.com/dedicated/authentication/managing-security-context-constraints.html#security-context-constraints-pre-allocated-values_configuring-internal-oauth)
+
+#### Example Openshift values file:
+```yaml
+# NOTE: This is not a production ready values file for an openshift deployment. 
+
+securityContext:
+ fsGroup: null
+ runAsGroup: null
+ runAsUser: null
+feeds:
+ chartEnabled: false
+ url: feedsy-feeds
+postgresql:
+ primary:
+ containerSecurityContext:
+ enabled: false
+ podSecurityContext:
+ enabled: false
+ui-redis:
+ master:
+ podSecurityContext:
+ enabled: false
+ containerSecurityContext:
+ enabled: false
+```
+
+## Parameters
+
+### Common Resource Parameters
+
+| Name | Description | Value |
+| ------------------------------------- | ------------------------------------------------------------------------------------- | ------------------------------------- |
+| `fullnameOverride` | overrides the fullname set on resources | `""` |
+| `nameOverride` | overrides the name set on resources | `""` |
+| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v4.9.0` |
+| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` |
+| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` |
+| `serviceAccountName` | Name of a service account used to run all Anchore pods | `""` |
+| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` |
+| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` |
+| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` |
+| `extraEnv` | Common environment variables set on all containers | `[]` |
+| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` |
+| `existingSecretName` | Name of an existing secret to be used for Anchore core services, excluding Anchore UI | `anchore-enterprise-env` |
+| `labels` | Common labels set on all Kubernetes resources | `{}` |
+| `annotations` | Common annotations set on all Kubernetes resources | `{}` |
+| 
`scratchVolume.mountPath` | The mount path of an external volume for scratch space for image analysis | `/analysis_scratch` |
+| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions | `false` |
+| `scratchVolume.details` | Details for the k8s volume to be created | `{}` |
+| `extraVolumes` | mounts additional volumes to each pod | `[]` |
+| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` |
+| `securityContext.runAsUser` | The securityContext runAsUser for all Anchore pods | `1000` |
+| `securityContext.runAsGroup` | The securityContext runAsGroup for all Anchore pods | `1000` |
+| `securityContext.fsGroup` | The securityContext fsGroup for all Anchore pods | `1000` |
+| `containerSecurityContext` | The securityContext for all containers | `{}` |
+| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` |
+| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` |
+| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` |
+| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` |
+| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` |
+| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` |
+| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` |
+| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` |
+| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` |
+| `doSourceAtEntry.enabled` | Does a `source` of the file path defined before starting Anchore services | `false` |
+| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` |
+| `configOverride` | Allows for overriding the default Anchore configuration file | `""` |
+
+
+### Anchore Configuration Parameters
+
+| Name | Description | Value |
+| 
-------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------ |
+| `anchoreConfig.service_dir` | Path to directory where default Anchore config files are placed at startup | `/anchore_service` |
+| `anchoreConfig.log_level` | The log level for Anchore services | `INFO` |
+| `anchoreConfig.allow_awsecr_iam_auto` | Enable AWS IAM instance role for ECR auth | `true` |
+| `anchoreConfig.keys.secret` | The shared secret used for signing & encryption, auto-generated by Helm if not set. | `""` |
+| `anchoreConfig.keys.privateKeyFileName` | The file name of the private key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` |
+| `anchoreConfig.keys.publicKeyFileName` | The file name of the public key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` |
+| `anchoreConfig.user_authentication.oauth.enabled` | Enable OAuth for Anchore user authentication | `false` |
+| `anchoreConfig.user_authentication.oauth.default_token_expiration_seconds` | The expiration, in seconds, for OAuth tokens | `3600` |
+| `anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds` | The expiration, in seconds, for OAuth refresh tokens | `86400` |
+| `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `false` |
+| `anchoreConfig.user_authentication.sso_require_existing_users` | set to true in order to disable the SSO JIT provisioning during authentication | `false` |
+| `anchoreConfig.metrics.enabled` | Enable Prometheus metrics for all Anchore services | `false` |
+| `anchoreConfig.metrics.auth_disabled` | Disable auth on Prometheus metrics for all Anchore services | `false` |
+| `anchoreConfig.webhooks` | Enable Anchore services to provide webhooks for 
external system updates | `{}` |
+| `anchoreConfig.default_admin_password` | The password for the Anchore Enterprise admin user | `""` |
+| `anchoreConfig.default_admin_email` | The email address used for the Anchore Enterprise admin user | `admin@myanchore` |
+| `anchoreConfig.database.timeout` | | `120` |
+| `anchoreConfig.database.ssl` | Enable SSL/TLS for the database connection | `false` |
+| `anchoreConfig.database.sslMode` | The SSL mode to use for database connection | `verify-full` |
+| `anchoreConfig.database.sslRootCertFileName` | File name of the database root CA certificate stored in the k8s secret specified with .Values.certStoreSecretName | `""` |
+| `anchoreConfig.database.db_pool_size` | The database max connection pool size | `30` |
+| `anchoreConfig.database.db_pool_max_overflow` | The maximum overflow size of the database connection pool | `100` |
+| `anchoreConfig.database.engineArgs` | Set custom database engine arguments for SQLAlchemy | `{}` |
+| `anchoreConfig.internalServicesSSL.enabled` | Force all Enterprise services to use SSL for internal communication | `false` |
+| `anchoreConfig.internalServicesSSL.verifyCerts` | Enable cert verification against the local cert bundle, if this set to false self-signed certs are allowed | `false` |
+| `anchoreConfig.internalServicesSSL.certSecretKeyFileName` | File name of the private key used for internal SSL stored in the secret specified in .Values.certStoreSecretName | `""` |
+| `anchoreConfig.internalServicesSSL.certSecretCertFileName` | File name of the root CA certificate used for internal SSL stored in the secret specified in .Values.certStoreSecretName | `""` |
+| `anchoreConfig.policyBundles` | Include custom Anchore policy bundles | `{}` |
+| `anchoreConfig.apiext.external.enabled` | Allow overrides for constructing Anchore API URLs | `false` |
+| `anchoreConfig.apiext.external.useTLS` | Enable TLS for external API access | `true` |
+| `anchoreConfig.apiext.external.hostname` | Hostname for 
the external Anchore API | `""` |
+| `anchoreConfig.apiext.external.port` | Port configured for external Anchore API | `8443` |
+| `anchoreConfig.analyzer.cycle_timers.image_analyzer` | The interval between checks of the work queue for new analysis jobs | `1` |
+| `anchoreConfig.analyzer.max_threads` | The concurrency of the Anchore Analyzer worker process | `1` |
+| `anchoreConfig.analyzer.layer_cache_max_gigabytes` | Specify a cache size > 0GB to enable image layer caching | `0` |
+| `anchoreConfig.analyzer.enable_hints` | Enable a user-supplied 'hints' file to override and/or augment the software artifacts found during analysis | `false` |
+| `anchoreConfig.analyzer.configFile` | Custom Anchore Analyzer configuration file contents in YAML | `{}` |
+| `anchoreConfig.catalog.cycle_timers.image_watcher` | Interval (seconds) to check for an update to a tag | `3600` |
+| `anchoreConfig.catalog.cycle_timers.policy_eval` | Interval (seconds) to run a policy evaluation on images with policy_eval subscription activated | `3600` |
+| `anchoreConfig.catalog.cycle_timers.vulnerability_scan` | Interval to run a vulnerability scan on images with vuln_update subscription activated | `14400` |
+| `anchoreConfig.catalog.cycle_timers.analyzer_queue` | Interval to add new work on the image analysis queue | `1` |
+| `anchoreConfig.catalog.cycle_timers.archive_tasks` | Interval to trigger Anchore Catalog archive Tasks | `43200` |
+| `anchoreConfig.catalog.cycle_timers.notifications` | Interval in which notifications will be processed for state changes | `30` |
+| `anchoreConfig.catalog.cycle_timers.service_watcher` | Interval of service state update poll, used for system status | `15` |
+| `anchoreConfig.catalog.cycle_timers.policy_bundle_sync` | Interval of policy bundle sync | `300` |
+| `anchoreConfig.catalog.cycle_timers.repo_watcher` | Interval between checks to repo for new tags | `60` |
+| `anchoreConfig.catalog.cycle_timers.image_gc` | Interval for garbage collection of 
images marked for deletion | `60` |
+| `anchoreConfig.catalog.cycle_timers.k8s_image_watcher` | Interval for the runtime inventory image analysis poll | `150` |
+| `anchoreConfig.catalog.cycle_timers.resource_metrics` | Interval (seconds) for computing metrics from the DB | `60` |
+| `anchoreConfig.catalog.cycle_timers.events_gc` | Interval (seconds) for cleaning up events in the system based on timestamp | `43200` |
+| `anchoreConfig.catalog.event_log` | Event log for webhooks, YAML configuration | `{}` |
+| `anchoreConfig.catalog.analysis_archive` | Custom analysis archive YAML configuration | `{}` |
+| `anchoreConfig.catalog.object_store` | Custom object storage YAML configuration | `{}` |
+| `anchoreConfig.catalog.runtime_inventory.image_ttl_days` | TTL for images in the inventory report working set | `1` |
+| `anchoreConfig.catalog.down_analyzer_task_requeue` | Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state | `true` |
+| `anchoreConfig.policy_engine.cycle_timers.feed_sync` | Interval to run a feed sync to get latest cve data | `14400` |
+| `anchoreConfig.policy_engine.cycle_timers.feed_sync_checker` | Interval between checks to see if there needs to be a task queued | `3600` |
+| `anchoreConfig.policy_engine.overrideFeedsToUpstream` | Override the Anchore Feeds URL to use the public upstream Anchore Feeds | `false` |
+| `anchoreConfig.notifications.cycle_timers.notifications` | Interval that notifications are sent | `30` |
+| `anchoreConfig.notifications.ui_url` | Set the UI URL that is included in the notification, defaults to the Enterprise UI service name | `""` |
+| `anchoreConfig.reports.enable_graphiql` | Enable GraphiQL, a GUI for editing and testing GraphQL queries and mutations | `true` |
+| `anchoreConfig.reports_worker.enable_data_ingress` | Enable periodically syncing data into the Anchore Reports Service | `true` |
+| `anchoreConfig.reports_worker.enable_data_egress` | Periodically 
remove reporting data that has been removed in other parts of system | `false` |
+| `anchoreConfig.reports_worker.data_egress_window` | defines a number of days to keep reporting data following its deletion in the rest of system. | `0` |
+| `anchoreConfig.reports_worker.data_refresh_max_workers` | The maximum number of concurrent threads to refresh existing results (etl vulnerabilities and evaluations) in reports service. | `10` |
+| `anchoreConfig.reports_worker.data_load_max_workers` | The maximum number of concurrent threads to load new results (etl vulnerabilities and evaluations) to reports service. | `10` |
+| `anchoreConfig.reports_worker.cycle_timers.reports_data_load` | Interval that images and tags are synced | `600` |
+| `anchoreConfig.reports_worker.cycle_timers.reports_data_refresh` | Interval that policy evaluations and vulnerabilities are synced | `7200` |
+| `anchoreConfig.reports_worker.cycle_timers.reports_metrics` | Interval for how often reporting metrics are generated | `3600` |
+| `anchoreConfig.reports_worker.cycle_timers.reports_data_egress` | Interval that stale reporting data removal is synced | `600` |
+| `anchoreConfig.ui.enable_proxy` | Trust a reverse proxy when setting secure cookies (via the `X-Forwarded-Proto` header) | `false` |
+| `anchoreConfig.ui.enable_ssl` | Enable SSL in the Anchore UI container | `false` |
+| `anchoreConfig.ui.enable_shared_login` | Allow single user to start multiple Anchore UI sessions | `true` |
+| `anchoreConfig.ui.redis_flushdb` | Flush user session keys and empty data on Anchore UI startup | `true` |
+| `anchoreConfig.ui.force_websocket` | Force WebSocket protocol for socket message communications | `false` |
+| `anchoreConfig.ui.authentication_lock.count` | Number of failed authentication attempts allowed before a temporary lock is applied | `5` |
+| `anchoreConfig.ui.authentication_lock.expires` | Authentication lock duration | `300` |
+| `anchoreConfig.ui.custom_links` | List of up to 10 external 
links provided | `{}` |
+| `anchoreConfig.ui.enable_add_repositories` | Specify what users can add image repositories to the Anchore UI | `{}` |
+| `anchoreConfig.ui.log_level` | Descriptive detail of the application log output | `http` |
+| `anchoreConfig.ui.enrich_inventory_view` | aggregate and include compliance and vulnerability data from the reports service. | `true` |
+| `anchoreConfig.ui.appdb_config.native` | toggle the postgreSQL drivers used to connect to the database between the native and the NodeJS drivers. | `true` |
+| `anchoreConfig.ui.appdb_config.pool.max` | maximum number of simultaneous connections allowed in the connection pool | `10` |
+| `anchoreConfig.ui.appdb_config.pool.min` | minimum number of connections | `0` |
+| `anchoreConfig.ui.appdb_config.pool.acquire` | the timeout in milliseconds used when acquiring a new connection | `30000` |
+| `anchoreConfig.ui.appdb_config.pool.idle` | the maximum time that a connection can be idle before being released | `10000` |
+| `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. 
| `""` |
+| `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` |
+
+
+### Anchore API k8s Deployment Parameters
+
+| Name | Description | Value |
+| ------------------------- | ---------------------------------------------------- | ----------- |
+| `api.replicaCount` | Number of replicas for Anchore API deployment | `1` |
+| `api.service.type` | Service type for Anchore API | `ClusterIP` |
+| `api.service.port` | Service port for Anchore API | `8228` |
+| `api.service.reportsPort` | Service port for Anchore Reports API | `8558` |
+| `api.service.annotations` | Annotations for Anchore API service | `{}` |
+| `api.service.labels` | Labels for Anchore API service | `{}` |
+| `api.extraEnv` | Set extra environment variables for Anchore API pods | `[]` |
+| `api.resources` | Resource requests and limits for Anchore API pods | `{}` |
+| `api.labels` | Labels for Anchore API pods | `{}` |
+| `api.annotations` | Annotation for Anchore API pods | `{}` |
+| `api.nodeSelector` | Node labels for Anchore API pod assignment | `{}` |
+| `api.tolerations` | Tolerations for Anchore API pod assignment | `[]` |
+| `api.affinity` | Affinity for Anchore API pod assignment | `{}` |
+| `api.serviceAccountName` | Service account name for Anchore API pods | `""` |
+
+
+### Anchore Analyzer k8s Deployment Parameters
+
+| Name | Description | Value |
+| ----------------------------- | --------------------------------------------------------------------- | ------ |
+| `analyzer.replicaCount` | Number of replicas for the Anchore Analyzer deployment | `1` |
+| `analyzer.service.port` | The port used for gatherings metrics when .Values.metricsEnabled=true | `8084` |
+| `analyzer.extraEnv` | Set extra environment variables for Anchore Analyzer pods | `[]` |
+| `analyzer.resources` | Resource requests and limits for Anchore Analyzer pods | `{}` |
+| `analyzer.labels` | Labels for Anchore Analyzer pods | `{}` |
+| `analyzer.annotations` | 
Annotation for Anchore Analyzer pods | `{}` |
+| `analyzer.nodeSelector` | Node labels for Anchore Analyzer pod assignment | `{}` |
+| `analyzer.tolerations` | Tolerations for Anchore Analyzer pod assignment | `[]` |
+| `analyzer.affinity` | Affinity for Anchore Analyzer pod assignment | `{}` |
+| `analyzer.serviceAccountName` | Service account name for Anchore API pods | `""` |
+
+
+### Anchore Catalog k8s Deployment Parameters
+
+| Name | Description | Value |
+| ----------------------------- | -------------------------------------------------------- | ----------- |
+| `catalog.replicaCount` | Number of replicas for the Anchore Catalog deployment | `1` |
+| `catalog.service.type` | Service type for Anchore Catalog | `ClusterIP` |
+| `catalog.service.port` | Service port for Anchore Catalog | `8082` |
+| `catalog.service.annotations` | Annotations for Anchore Catalog service | `{}` |
+| `catalog.service.labels` | Labels for Anchore Catalog service | `{}` |
+| `catalog.extraEnv` | Set extra environment variables for Anchore Catalog pods | `[]` |
+| `catalog.resources` | Resource requests and limits for Anchore Catalog pods | `{}` |
+| `catalog.labels` | Labels for Anchore Catalog pods | `{}` |
+| `catalog.annotations` | Annotation for Anchore Catalog pods | `{}` |
+| `catalog.nodeSelector` | Node labels for Anchore Catalog pod assignment | `{}` |
+| `catalog.tolerations` | Tolerations for Anchore Catalog pod assignment | `[]` |
+| `catalog.affinity` | Affinity for Anchore Catalog pod assignment | `{}` |
+| `catalog.serviceAccountName` | Service account name for Anchore Catalog pods | `""` |
+
+
+### Anchore Feeds Chart Parameters
+
+| Name | Description | Value |
+| -------------------- | ---------------------------------------------------------------------------------------------- | ------- |
+| `feeds.chartEnabled` | Enable the Anchore Feeds chart | `true` |
+| `feeds.standalone` | Sets the Anchore Feeds chart to run into non-standalone mode, for use with Anchore 
Enterprise. | `false` | +| `feeds.url` | Set the URL for a standalone Feeds service. Use when chartEnabled=false. | `""` | + + +### Anchore Policy Engine k8s Deployment Parameters + +| Name | Description | Value | +| ---------------------------------- | -------------------------------------------------------------- | ----------- | +| `policyEngine.replicaCount` | Number of replicas for the Anchore Policy Engine deployment | `1` | +| `policyEngine.service.type` | Service type for Anchore Policy Engine | `ClusterIP` | +| `policyEngine.service.port` | Service port for Anchore Policy Engine | `8087` | +| `policyEngine.service.annotations` | Annotations for Anchore Policy Engine service | `{}` | +| `policyEngine.service.labels` | Labels for Anchore Policy Engine service | `{}` | +| `policyEngine.extraEnv` | Set extra environment variables for Anchore Policy Engine pods | `[]` | +| `policyEngine.resources` | Resource requests and limits for Anchore Policy Engine pods | `{}` | +| `policyEngine.labels` | Labels for Anchore Policy Engine pods | `{}` | +| `policyEngine.annotations` | Annotation for Anchore Policy Engine pods | `{}` | +| `policyEngine.nodeSelector` | Node labels for Anchore Policy Engine pod assignment | `{}` | +| `policyEngine.tolerations` | Tolerations for Anchore Policy Engine pod assignment | `[]` | +| `policyEngine.affinity` | Affinity for Anchore Policy Engine pod assignment | `{}` | +| `policyEngine.serviceAccountName` | Service account name for Anchore Policy Engine pods | `""` | + + +### Anchore Simple Queue Parameters + +| Name | Description | Value | +| --------------------------------- | ------------------------------------------------------------- | ----------- | +| `simpleQueue.replicaCount` | Number of replicas for the Anchore Simple Queue deployment | `1` | +| `simpleQueue.service.type` | Service type for Anchore Simple Queue | `ClusterIP` | +| `simpleQueue.service.port` | Service port for Anchore Simple Queue | `8083` | +| 
`simpleQueue.service.annotations` | Annotations for Anchore Simple Queue service | `{}` | +| `simpleQueue.service.labels` | Labels for Anchore Simple Queue service | `{}` | +| `simpleQueue.extraEnv` | Set extra environment variables for Anchore Simple Queue pods | `[]` | +| `simpleQueue.resources` | Resource requests and limits for Anchore Simple Queue pods | `{}` | +| `simpleQueue.labels` | Labels for Anchore Simple Queue pods | `{}` | +| `simpleQueue.annotations` | Annotation for Anchore Simple Queue pods | `{}` | +| `simpleQueue.nodeSelector` | Node labels for Anchore Simple Queue pod assignment | `{}` | +| `simpleQueue.tolerations` | Tolerations for Anchore Simple Queue pod assignment | `[]` | +| `simpleQueue.affinity` | Affinity for Anchore Simple Queue pod assignment | `{}` | +| `simpleQueue.serviceAccountName` | Service account name for Anchore Simple Queue pods | `""` | + + +### Anchore Notifications Parameters + +| Name | Description | Value | +| ----------------------------------- | -------------------------------------------------------------- | ----------- | +| `notifications.replicaCount` | Number of replicas for the Anchore Notifications deployment | `1` | +| `notifications.service.type` | Service type for Anchore Notifications | `ClusterIP` | +| `notifications.service.port` | Service port for Anchore Notifications | `8668` | +| `notifications.service.annotations` | Annotations for Anchore Notifications service | `{}` | +| `notifications.service.labels` | Labels for Anchore Notifications service | `{}` | +| `notifications.extraEnv` | Set extra environment variables for Anchore Notifications pods | `[]` | +| `notifications.resources` | Resource requests and limits for Anchore Notifications pods | `{}` | +| `notifications.labels` | Labels for Anchore Notifications pods | `{}` | +| `notifications.annotations` | Annotation for Anchore Notifications pods | `{}` | +| `notifications.nodeSelector` | Node labels for Anchore Notifications pod assignment | `{}` 
| +| `notifications.tolerations` | Tolerations for Anchore Notifications pod assignment | `[]` | +| `notifications.affinity` | Affinity for Anchore Notifications pod assignment | `{}` | +| `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | + + +### Anchore Reports Parameters + +| Name | Description | Value | +| ----------------------------- | -------------------------------------------------------- | ----------- | +| `reports.replicaCount` | Number of replicas for the Anchore Reports deployment | `1` | +| `reports.service.type` | Service type for Anchore Reports | `ClusterIP` | +| `reports.service.port` | Service port for Anchore Reports Worker | `8558` | +| `reports.service.annotations` | Annotations for Anchore Reports service | `{}` | +| `reports.service.labels` | Labels for Anchore Reports service | `{}` | +| `reports.extraEnv` | Set extra environment variables for Anchore Reports pods | `[]` | +| `reports.resources` | Resource requests and limits for Anchore Reports pods | `{}` | +| `reports.labels` | Labels for Anchore Reports pods | `{}` | +| `reports.annotations` | Annotation for Anchore Reports pods | `{}` | +| `reports.nodeSelector` | Node labels for Anchore Reports pod assignment | `{}` | +| `reports.tolerations` | Tolerations for Anchore Reports pod assignment | `[]` | +| `reports.affinity` | Affinity for Anchore Reports pod assignment | `{}` | +| `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | + + +### Anchore RBAC Authentication Parameters + +| Name | Description | Value | +| -------------------- | -------------------------------------------------------------------------- | ----- | +| `rbacAuth.extraEnv` | Set extra environment variables for Anchore RBAC Authentication containers | `[]` | +| `rbacAuth.resources` | Resource requests and limits for Anchore RBAC Authentication containers | `{}` | + + +### Anchore RBAC Manager Parameters + +| Name | Description | Value | 
+| --------------------------------- | ------------------------------------------------------------- | ----------- | +| `rbacManager.replicaCount` | Number of replicas for the Anchore RBAC Manager deployment | `1` | +| `rbacManager.service.type` | Service type for Anchore RBAC Manager | `ClusterIP` | +| `rbacManager.service.port` | Service port for Anchore RBAC Manager | `8229` | +| `rbacManager.service.annotations` | Annotations for Anchore RBAC Manager service | `{}` | +| `rbacManager.service.labels` | Labels for Anchore RBAC Manager service | `{}` | +| `rbacManager.extraEnv` | Set extra environment variables for Anchore RBAC Manager pods | `[]` | +| `rbacManager.resources` | Resource requests and limits for Anchore RBAC Manager pods | `{}` | +| `rbacManager.labels` | Labels for Anchore RBAC Manager pods | `{}` | +| `rbacManager.annotations` | Annotation for Anchore RBAC Manager pods | `{}` | +| `rbacManager.nodeSelector` | Node labels for Anchore RBAC Manager pod assignment | `{}` | +| `rbacManager.tolerations` | Tolerations for Anchore RBAC Manager pod assignment | `[]` | +| `rbacManager.affinity` | Affinity for Anchore RBAC Manager pod assignment | `{}` | +| `rbacManager.serviceAccountName` | Service account name for Anchore RBAC Manager pods | `""` | + + +### Anchore UI Parameters + +| Name | Description | Value | +| ---------------------------- | ----------------------------------------------------------------------------- | ---------------------------------------- | +| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v4.8.0` | +| `ui.imagePullPolicy` | Image pull policy for Anchore UI image | `IfNotPresent` | +| `ui.existingSecretName` | Name of an existing secret to be used for Anchore UI DB and Redis endpoints | `anchore-enterprise-ui-env` | +| `ui.ldapsRootCaCertName` | Name of the custom CA certificate file store in `.Values.certStoreSecretName` | `""` | +| `ui.service.type` | Service type for Anchore UI | 
`ClusterIP` | +| `ui.service.port` | Service port for Anchore UI | `80` | +| `ui.service.annotations` | Annotations for Anchore UI service | `{}` | +| `ui.service.labels` | Labels for Anchore UI service | `{}` | +| `ui.service.sessionAffinity` | Session Affinity for Ui service | `ClientIP` | +| `ui.extraEnv` | Set extra environment variables for Anchore UI pods | `[]` | +| `ui.resources` | Resource requests and limits for Anchore UI pods | `{}` | +| `ui.labels` | Labels for Anchore UI pods | `{}` | +| `ui.annotations` | Annotation for Anchore UI pods | `{}` | +| `ui.nodeSelector` | Node labels for Anchore UI pod assignment | `{}` | +| `ui.tolerations` | Tolerations for Anchore UI pod assignment | `[]` | +| `ui.affinity` | Affinity for Anchore ui pod assignment | `{}` | +| `ui.serviceAccountName` | Service account name for Anchore UI pods | `""` | + + +### Anchore Upgrade Job Parameters + +| Name | Description | Value | +| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `upgradeJob.enabled` | Enable the Anchore Enterprise database upgrade job | `true` | +| `upgradeJob.force` | Force the Anchore Feeds database upgrade job to run as a regular job instead of as a Helm hook | `false` | +| `upgradeJob.rbacCreate` | Create RBAC resources for the Anchore upgrade job | `true` | +| `upgradeJob.serviceAccountName` | Use an existing service account for the Anchore upgrade job | `""` | +| `upgradeJob.usePostUpgradeHook` | Use a Helm post-upgrade hook to run the upgrade job instead of the default pre-upgrade hook. This job does not require creating RBAC resources. 
| `false` | +| `upgradeJob.nodeSelector` | Node labels for the Anchore upgrade job pod assignment | `{}` | +| `upgradeJob.tolerations` | Tolerations for the Anchore upgrade job pod assignment | `[]` | +| `upgradeJob.affinity` | Affinity for the Anchore upgrade job pod assignment | `{}` | +| `upgradeJob.annotations` | Annotations for the Anchore upgrade job | `{}` | +| `upgradeJob.resources` | Resource requests and limits for the Anchore upgrade job | `{}` | +| `upgradeJob.labels` | Labels for the Anchore upgrade job | `{}` | + + +### Ingress Parameters + +| Name | Description | Value | +| -------------------------- | ------------------------------------------------------------------ | ------- | +| `ingress.enabled` | Create an ingress resource for external Anchore service APIs | `false` | +| `ingress.labels` | Labels for the ingress resource | `{}` | +| `ingress.annotations` | Annotations for the ingress resource | `{}` | +| `ingress.apiHosts` | List of custom hostnames for the Anchore API | `[]` | +| `ingress.apiPath` | The path used for accessing the Anchore API | `/v1/` | +| `ingress.uiHosts` | List of custom hostnames for the Anchore UI | `[]` | +| `ingress.uiPath` | The path used for accessing the Anchore UI | `/` | +| `ingress.feedsHosts` | List of custom hostnames for the Anchore Feeds API | `[]` | +| `ingress.feedsPath` | The path used for accessing the Anchore Feeds API | `""` | +| `ingress.reportsHosts` | List of custom hostnames for the Anchore Reports API | `[]` | +| `ingress.reportsPath` | The path used for accessing the Anchore Reports API | `""` | +| `ingress.tls` | Configure tls for the ingress resource | `[]` | +| `ingress.ingressClassName` | sets the ingress class name. 
As of k8s v1.18, this should be nginx | `nginx` | + + +### Google CloudSQL DB Parameters + +| Name | Description | Value | +| -------------------------------- | ------------------------------------------------------------------------------ | ----------------------------------------- | +| `cloudsql.enabled` | Use CloudSQL proxy container for GCP database access | `false` | +| `cloudsql.image` | Image to use for GCE CloudSQL Proxy | `gcr.io/cloudsql-docker/gce-proxy:1.25.0` | +| `cloudsql.imagePullPolicy` | Image Pull Policy to use for CloudSQL image | `IfNotPresent` | +| `cloudsql.instance` | CloudSQL instance, eg: 'project:zone:instancename' | `""` | +| `cloudsql.useExistingServiceAcc` | Use existing service account | `false` | +| `cloudsql.serviceAccSecretName` | | `""` | +| `cloudsql.serviceAccJsonName` | | `""` | +| `cloudsql.extraArgs` | a list of extra arguments to be passed into the cloudsql container command. eg | `[]` | + + +### Anchore UI Redis Parameters + +| Name | Description | Value | +| ------------------------------------- | ------------------------------------------------------------------------------------------------------ | ------------------- | +| `ui-redis.chartEnabled` | Use the dependent chart for the UI Redis deployment | `true` | +| `ui-redis.externalEndpoint` | External Redis endpoint when not using Helm managed chart (eg redis://nouser:@hostname:6379) | `""` | +| `ui-redis.auth.password` | Password used for connecting to Redis | `anchore-redis,123` | +| `ui-redis.architecture` | Redis deployment architecture | `standalone` | +| `ui-redis.master.persistence.enabled` | enables persistence | `false` | + + +### Anchore Database Parameters + +| Name | Description | Value | +| --------------------------------------------- | ------------------------------------------------------------------------------------------- | ----------------------- | +| `postgresql.chartEnabled` | Use the dependent chart for Postgresql deployment | `true` | +| 
`postgresql.externalEndpoint` | External Postgresql hostname when not using Helm managed chart (eg. mypostgres.myserver.io) | `""` | +| `postgresql.auth.username` | Username used to connect to postgresql | `anchore` | +| `postgresql.auth.password` | Password used to connect to postgresql | `anchore-postgres,123` | +| `postgresql.auth.database` | Database name used when connecting to postgresql | `anchore` | +| `postgresql.primary.service.ports.postgresql` | Port used to connect to Postgresql | `5432` | +| `postgresql.primary.persistence.size` | Configure size of the persistent volume used with helm managed chart | `20Gi` | +| `postgresql.primary.extraEnvVars` | An array to add extra environment variables | `[]` | +| `postgresql.image.tag` | Specifies the image to use for this chart. | `13.11.0-debian-11-r15` | + + +## Release Notes + +See the Anchore [Release Notes](https://docs.anchore.com/current/docs/releasenotes/) for updates to Anchore Enterprise. + +A major chart version change (v0.1.2 -> v1.0.0) indicates that there is an **incompatible breaking change needing manual actions.** + +A minor chart version change (v0.1.2 -> v0.2.0) indicates a change that **may require updates to your values file.** + +### v0.0.1 + +* This is a pre-release version of the Anchore Enterprise Helm chart. It is not intended for production use. diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml new file mode 100644 index 00000000..85a633ea --- /dev/null +++ b/stable/enterprise/files/default_config.yaml 
@@ -0,0 +1,252 @@ +service_dir: ${ANCHORE_SERVICE_DIR} +tmp_dir: ${ANCHORE_TMP_DIR} +log_level: ${ANCHORE_LOG_LEVEL} + +allow_awsecr_iam_auto: ${ANCHORE_ALLOW_ECR_IAM_AUTO} +host_id: "${ANCHORE_HOST_ID}" +internal_ssl_verify: ${ANCHORE_INTERNAL_SSL_VERIFY} +image_analyze_timeout_seconds: ${ANCHORE_IMAGE_ANALYZE_TIMEOUT_SECONDS} + +global_client_connect_timeout: ${ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT} +global_client_read_timeout: ${ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT} +server_request_timeout_seconds: ${ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC} + +license_file: ${ANCHORE_LICENSE_FILE} +auto_restart_services: false + +max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB} + +metrics: + enabled: ${ANCHORE_ENABLE_METRICS} + auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH} + +webhooks: {{- toYaml .Values.anchoreConfig.webhooks | nindent 2 }} + +default_admin_password: ${ANCHORE_ADMIN_PASSWORD} +default_admin_email: ${ANCHORE_ADMIN_EMAIL} + +keys: + secret: ${ANCHORE_SAML_SECRET} + public_key_path: ${ANCHORE_AUTH_PRIVKEY} + private_key_path: ${ANCHORE_AUTH_PUBKEY} + +user_authentication: + hashed_passwords: ${ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS} + sso_require_existing_users: ${ANCHORE_SSO_REQUIRES_EXISTING_USERS} + oauth: + enabled: ${ANCHORE_OAUTH_ENABLED} + default_token_expiration_seconds: ${ANCHORE_OAUTH_TOKEN_EXPIRATION} + refresh_token_expiration_seconds: ${ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION} + +credentials: + database: + user: "${ANCHORE_DB_USER}" + password: "${ANCHORE_DB_PASSWORD}" + host: "${ANCHORE_DB_HOST}" + port: "${ANCHORE_DB_PORT}" + name: "${ANCHORE_DB_NAME}" + db_connect_args: + timeout: ${ANCHORE_DB_TIMEOUT} + ssl: ${ANCHORE_DB_SSL} + {{- if .Values.anchoreConfig.database.ssl }} + sslmode: ${ANCHORE_DB_SSL_MODE} + sslrootcert: ${ANCHORE_DB_SSL_ROOT_CERT} + {{- end }} + db_pool_size: ${ANCHORE_DB_POOL_SIZE} + db_pool_max_overflow: ${ANCHORE_DB_POOL_MAX_OVERFLOW} + {{- with .Values.anchoreConfig.database.engineArgs }} + db_engine_args: 
{{- toYaml . | nindent 6 }} + {{- end }} + +services: + apiext: + enabled: true + require_auth: true + endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} + max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} + listen: '0.0.0.0' + port: ${ANCHORE_PORT} + authorization_handler: ${ANCHORE_AUTHZ_HANDLER} + authorization_handler_config: + endpoint: ${ANCHORE_AUTHZ_HANDLER_ENDPOINT} + {{- if .Values.anchoreConfig.apiext.external.enabled }} + external_tls: {{ .Values.anchoreConfig.apiext.external.useTLS }} + external_hostname: {{ .Values.anchoreConfig.apiext.external.hostname }} + external_port: {{ .Values.anchoreConfig.apiext.external.port }} + {{- end }} + ssl_enable: ${ANCHORE_SSL_ENABLED} + ssl_cert: ${ANCHORE_SSL_CERT} + ssl_key: ${ANCHORE_SSL_KEY} + + analyzer: + enabled: true + require_auth: true + endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} + listen: '0.0.0.0' + port: ${ANCHORE_PORT} + max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} + cycle_timer_seconds: 1 + cycle_timers: {{- toYaml .Values.anchoreConfig.analyzer.cycle_timers | nindent 6 }} + max_threads: ${ANCHORE_ANALYZER_MAX_THREADS} + analyzer_driver: 'nodocker' + layer_cache_enable: ${ANCHORE_LAYER_CACHE_ENABLED} + layer_cache_max_gigabytes: ${ANCHORE_LAYER_CACHE_SIZE_GB} + enable_hints: ${ANCHORE_HINTS_ENABLED} + enable_owned_package_filtering: ${ANCHORE_OWNED_PACKAGE_FILTERING_ENABLED} + keep_image_analysis_tmpfiles: ${ANCHORE_KEEP_IMAGE_ANALYSIS_TMPFILES} + ssl_enable: ${ANCHORE_SSL_ENABLED} + ssl_cert: ${ANCHORE_SSL_CERT} + ssl_key: ${ANCHORE_SSL_KEY} + + catalog: + enabled: true + require_auth: true + endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} + listen: '0.0.0.0' + port: ${ANCHORE_PORT} + max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} + cycle_timer_seconds: 1 + cycle_timers: {{- toYaml .Values.anchoreConfig.catalog.cycle_timers | nindent 6 }} + event_log: {{- toYaml .Values.anchoreConfig.catalog.event_log | nindent 6 }} + runtime_inventory: + image_ttl_days: 
${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_TTL_DAYS} + image_gc: + max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS} + runtime_compliance: + object_store_bucket: "runtime_compliance_check" + down_analyzer_task_requeue: ${ANCHORE_ANALYZER_TASK_REQUEUE} + analysis_archive: {{- toYaml .Values.anchoreConfig.catalog.analysis_archive | nindent 6 }} + object_store: {{- toYaml .Values.anchoreConfig.catalog.object_store | nindent 6 }} + ssl_enable: ${ANCHORE_SSL_ENABLED} + ssl_cert: ${ANCHORE_SSL_CERT} + ssl_key: ${ANCHORE_SSL_KEY} + + simplequeue: + enabled: true + require_auth: true + endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} + listen: '0.0.0.0' + port: ${ANCHORE_PORT} + max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} + ssl_enable: ${ANCHORE_SSL_ENABLED} + ssl_cert: ${ANCHORE_SSL_CERT} + ssl_key: ${ANCHORE_SSL_KEY} + + policy_engine: + enabled: true + require_auth: true + max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} + endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} + listen: '0.0.0.0' + port: ${ANCHORE_PORT} + policy_evaluation_cache_ttl: ${ANCHORE_POLICY_EVAL_CACHE_TTL_SECONDS} + cycle_timer_seconds: 1 + cycle_timers: {{- toYaml .Values.anchoreConfig.policy_engine.cycle_timers | nindent 6 }} + enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD} + enable_images_by_vulnerability_api: ${ANCHORE_POLICY_ENGINE_ENABLE_IMAGES_BY_VULN_QUERY} + vulnerabilities: + sync: + enabled: true + ssl_verify: ${ANCHORE_FEEDS_SSL_VERIFY} + connection_timeout_seconds: 3 + read_timeout_seconds: 60 + data: + grypedb: + enabled: true + url: {{ template "enterprise.grypeProviderURL" . }} + vulnerabilities: + enabled: ${ANCHORE_FEEDS_VULNERABILITIES_ENABLED} + url: {{ template "enterprise.feedsURL" . }} + nvdv2: + enabled: ${ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED} + url: {{ template "enterprise.feedsURL" . }} + github: + enabled: ${ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED} + url: {{ template "enterprise.feedsURL" . 
}} + packages: + enabled: ${ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED} + url: {{ template "enterprise.feedsURL" . }} + microsoft: + enabled: ${ANCHORE_FEEDS_DRIVER_MSRC_ENABLED} + url: {{ template "enterprise.feedsURL" . }} + ssl_enable: ${ANCHORE_SSL_ENABLED} + ssl_cert: ${ANCHORE_SSL_CERT} + ssl_key: ${ANCHORE_SSL_KEY} + + rbac_authorizer: + enabled: true + require_auth: true + endpoint_hostname: localhost + listen: 127.0.0.1 + port: 8089 + max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} + + rbac_manager: + enabled: true + require_auth: true + endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} + listen: '0.0.0.0' + port: ${ANCHORE_PORT} + max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} + authorization_handler: ${ANCHORE_AUTHZ_HANDLER} + authorization_handler_config: + endpoint: ${ANCHORE_AUTHZ_HANDLER_ENDPOINT} + ssl_enable: ${ANCHORE_SSL_ENABLED} + ssl_cert: ${ANCHORE_SSL_CERT} + ssl_key: ${ANCHORE_SSL_KEY} + + reports: + enabled: true + require_auth: true + endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} + listen: '0.0.0.0' + port: ${ANCHORE_PORT} + max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} + enable_graphiql: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_GRAPHIQL} + authorization_handler: ${ANCHORE_AUTHZ_HANDLER} + authorization_handler_config: + endpoint: ${ANCHORE_AUTHZ_HANDLER_ENDPOINT} + ssl_enable: ${ANCHORE_SSL_ENABLED} + ssl_cert: ${ANCHORE_SSL_CERT} + ssl_key: ${ANCHORE_SSL_KEY} + + reports_worker: + enabled: true + require_auth: true + endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} + listen: '0.0.0.0' + port: ${ANCHORE_PORT} + max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} + enable_data_ingress: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_DATA_INGRESS} + enable_data_egress: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_DATA_EGRESS} + data_egress_window: ${ANCHORE_ENTERPRISE_REPORTS_DATA_EGRESS_WINDOW} + data_refresh_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_REFRESH_MAX_WORKERS} + data_load_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_LOAD_MAX_WORKERS} + 
cycle_timers: {{- toYaml .Values.anchoreConfig.reports_worker.cycle_timers | nindent 6 }} + runtime_report_generation: + inventory_images_by_vulnerability: true + vulnerabilities_by_k8s_namespace: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE} + vulnerabilities_by_k8s_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER} + vulnerabilities_by_ecs_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER} + authorization_handler: ${ANCHORE_AUTHZ_HANDLER} + authorization_handler_config: + endpoint: ${ANCHORE_AUTHZ_HANDLER_ENDPOINT} + ssl_enable: ${ANCHORE_SSL_ENABLED} + ssl_cert: ${ANCHORE_SSL_CERT} + ssl_key: ${ANCHORE_SSL_KEY} + + notifications: + enabled: true + require_auth: true + endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} + listen: '0.0.0.0' + port: ${ANCHORE_PORT} + max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} + authorization_handler: ${ANCHORE_AUTHZ_HANDLER} + authorization_handler_config: + endpoint: ${ANCHORE_AUTHZ_HANDLER_ENDPOINT} + cycle_timers: {{- toYaml .Values.anchoreConfig.notifications.cycle_timers | nindent 6 }} + ui_url: ${ANCHORE_ENTERPRISE_UI_URL} + ssl_enable: ${ANCHORE_SSL_ENABLED} + ssl_cert: ${ANCHORE_SSL_CERT} + ssl_key: ${ANCHORE_SSL_KEY} diff --git a/stable/enterprise/templates/NOTES.txt b/stable/enterprise/templates/NOTES.txt new file mode 100644 index 00000000..35363189 --- /dev/null +++ b/stable/enterprise/templates/NOTES.txt 
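Review bot: In the `keys:` block the environment variables look crossed — `public_key_path: ${ANCHORE_AUTH_PRIVKEY}` and `private_key_path: ${ANCHORE_AUTH_PUBKEY}` — so unless those variables are defined with the same swap elsewhere in the chart, each path ends up pointing at the other key file; I would change the two lines to `public_key_path: ${ANCHORE_AUTH_PUBKEY}` and `private_key_path: ${ANCHORE_AUTH_PRIVKEY}` and confirm the env-var definitions agree. Separately, `default_admin_password: ${ANCHORE_ADMIN_PASSWORD}` and `keys.secret: ${ANCHORE_SAML_SECRET}` are substituted unquoted while every `credentials.database` value is quoted, so a secret that happens to look like a number or boolean, or that contains `: ` or ` #`, is retyped or breaks the YAML parse after substitution. Quoting them the same way as the database credentials, e.g. `default_admin_password: "${ANCHORE_ADMIN_PASSWORD}"`, keeps every secret a plain string regardless of its content.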
@@ -0,0 +1,22 @@ +To use Anchore you need the URL, username, and password to access the API and/or the UI. + +The Anchore API can be accessed via port {{ .Values.api.service.port }} on the following DNS name from within the cluster: + + {{ include "enterprise.api.fullname" . -}}.{{- .Release.Namespace -}}.svc.cluster.local + +The Anchore UI can be accessed via localhost:8080 with kubernetes port-forwarding: + + kubectl port-forward svc/{{- template "enterprise.ui.fullname" . }} 8080:{{- .Values.ui.service.port }} + +Get the default admin password using the following command: + + kubectl get secret {{ template "enterprise.fullname" . }} -o jsonpath='{.data.ANCHORE_ADMIN_PASSWORD}' | base64 -D + +* NOTE: On first startup of Anchore Enterprise, the policy-engine performs a CVE data sync which may take several minutes to complete. +During this time the system status will report 'partially_down' and any images added for analysis will stay in the 'not_analyzed' state. +Once the sync is complete, any queued images will be analyzed and the system status will change to 'all_up'. + +Initial setup time can be >120sec for postgresql setup and readiness checks to pass for the services as indicated by pod state. +You can check with: + + kubectl get pods -l app.kubernetes.io/name={{- template "enterprise.fullname" . -}},app.kubernetes.io/component=api \ No newline at end of file diff --git a/stable/enterprise/templates/_common.tpl b/stable/enterprise/templates/_common.tpl new file mode 100644 index 00000000..b4a24bf5 --- /dev/null +++ b/stable/enterprise/templates/_common.tpl 
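Review bot: The admin-password command `kubectl get secret {{ template "enterprise.fullname" . }} -o jsonpath='{.data.ANCHORE_ADMIN_PASSWORD}' | base64 -D` uses the BSD/macOS spelling of the decode flag; GNU coreutils `base64` rejects `-D`, so the instruction as printed fails on most Linux hosts. The long option is accepted by both implementations, so I would change the tail of that line to `| base64 --decode`.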
@@ -0,0 +1,321 @@ +{{/* +Common annotations +When calling this template, .component can be included in the context for component specific annotations +{{- include "enterprise.common.annotations" (merge (dict "component" $component) .) }} +*/}} +{{- define "enterprise.common.annotations" -}} +{{- $component := .component -}} +{{- if and (not .nil) (not .Values.annotations) (not (index .Values (print $component)).annotations) }} + {{- print "{}" }} +{{- else }} + {{- with .Values.annotations }} +{{ toYaml . }} + {{- end }} + {{- if $component }} + {{- with (index .Values (print $component)).annotations }} +{{ toYaml . }} + {{- end }} + {{- end }} +{{- end }} +{{- end -}} + + +{{/* +Setup a container for the cloudsql proxy to run in all pods when .Values.cloudsql.enabled = true +*/}} +{{- define "enterprise.common.cloudsqlContainer" -}} +- name: cloudsql-proxy + image: {{ .Values.cloudsql.image }} + imagePullPolicy: {{ .Values.cloudsql.imagePullPolicy }} +{{- with .Values.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 4 }} +{{- end }} + command: ["/cloud_sql_proxy"] + args: + - "-instances={{ .Values.cloudsql.instance }}=tcp:5432" + {{- if .Values.cloudsql.extraArgs }} + {{- range $arg := .Values.cloudsql.extraArgs }} + - {{ quote $arg }} + {{- end }} + {{- end }} + {{- if .Values.cloudsql.useExistingServiceAcc }} + - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}" + volumeMounts: + - mountPath: "/var/{{ .Values.cloudsql.serviceAccSecretName }}" + name: {{ .Values.cloudsql.serviceAccSecretName }} + readOnly: true +{{- end }} +{{- end -}} + + +{{/* +Setup the common docker-entrypoint command for all Anchore Enterprise containers +*/}} +{{- define "enterprise.common.dockerEntrypoint" -}} +{{ print (include "enterprise.doSourceFile" .) 
}} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade +{{- end -}} + + +{{/* +Setup the common envFrom configs +*/}} +{{- define "enterprise.common.envFrom" -}} +- configMapRef: + name: {{ template "enterprise.fullname" . }}-config-env-vars +{{- if not .Values.injectSecretsViaEnv }} + {{- if .Values.useExistingSecrets }} +- secretRef: + name: {{ .Values.existingSecretName }} + {{- else }} +- secretRef: + name: {{ template "enterprise.fullname" . }} + {{- end }} +{{- end }} +{{- end -}} + + +{{/* +Common environment variables +When calling this template, .component can be included in the context for component specific env vars +{{- include "enterprise.common.environment" (merge (dict "component" $component) .) }} +*/}} +{{- define "enterprise.common.environment" -}} +{{- $component := .component -}} +{{- with .Values.extraEnv }} +{{ toYaml . }} +{{- end }} +{{- if $component }} + {{- with (index .Values (print $component)).extraEnv }} +{{ toYaml . }} + {{- end }} +- name: ANCHORE_ENDPOINT_HOSTNAME + {{- if and (eq $component "reports") (eq .api "true") }} + value: {{ template "enterprise.api.fullname" . }} + {{- else }} + value: {{ include (printf "enterprise.%s.fullname" $component) . 
}} + {{- end }} + {{- with (index .Values (print $component)).service }} +- name: ANCHORE_PORT + value: {{ .port | quote }} + {{- else }} +- name: ANCHORE_PORT + value: "null" + {{- end }} +{{- end }} +- name: ANCHORE_HOST_ID + valueFrom: + fieldRef: + fieldPath: metadata.name +{{- end -}} + + +{{/* +Setup the common fix permissions init container for all pods using a scratch volume +*/}} +{{- define "enterprise.common.fixPermissionsInitContainer" -}} +- name: mode-fixer + image: alpine + securityContext: + runAsUser: 0 + volumeMounts: + - name: "anchore-scratch" + mountPath: {{ .Values.scratchVolume.mountPath }} + command: + - sh + - -c + - (chmod 0775 {{ .Values.scratchVolume.mountPath }}; chgrp {{ .Values.securityContext.fsGroup }} {{ .Values.scratchVolume.mountPath }} ) +{{- end -}} + + +{{/* +Common labels +When calling this template, .component can be included in the context for component specific labels +{{- include "enterprise.common.labels" (merge (dict "component" $component) .) }} +*/}} +{{- define "enterprise.common.labels" -}} +{{- $component := .component -}} +{{- if $component }} + {{- with (index .Values (print $component)).labels }} +{{ toYaml . }} + {{- end }} +{{- end }} +{{- with .Values.labels }} +{{ toYaml . }} +{{- end }} +app.kubernetes.io/name: {{ template "enterprise.fullname" . }} + {{- with $component }} +app.kubernetes.io/component: {{ . 
| lower }} + {{- end }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/version: {{ .Chart.AppVersion }} +app.kubernetes.io/part-of: anchore +app.kubernetes.io/managed-by: {{ .Release.Service }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end -}} + + +{{/* +Setup the common liveness probes for all Anchore Enterprise containers +*/}} +{{- define "enterprise.common.livenessProbe" -}} +{{- $component := .component -}} +httpGet: + path: /health + port: {{ $component | lower }} + scheme: {{ include "enterprise.setProtocol" . | upper }} +initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} +timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }} +periodSeconds: {{ .Values.probes.liveness.periodSeconds }} +failureThreshold: {{ .Values.probes.liveness.failureThreshold }} +successThreshold: {{ .Values.probes.liveness.successThreshold }} +{{- end -}} + + +{{/* +Return anchore default selector match labels +When calling this template, .component can be included in the context for component specific env vars +{{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) }} +*/}} +{{- define "enterprise.common.matchLabels" -}} +{{- $component := .component -}} +app.kubernetes.io/name: {{ template "enterprise.fullname" . }} +app.kubernetes.io/component: {{ $component | lower }} +{{- end -}} + + +{{/* +Setup the common pod spec configs +*/}} +{{- define "enterprise.common.podSpec" -}} +{{- $component := .component -}} +{{- with .Values.securityContext }} +securityContext: {{- toYaml . | nindent 2 }} +{{- end }} +{{- if or .Values.serviceAccountName (index .Values (print $component)).serviceAccountName (eq $component "upgradeJob") }} +serviceAccountName: {{ include "enterprise.serviceAccountName" (merge (dict "component" $component) .) }} +{{- end }} +{{- with .Values.imagePullSecretName }} +imagePullSecrets: + - name: {{ . 
}} +{{- end }} +{{- with (index .Values (print $component)).nodeSelector }} +nodeSelector: {{- toYaml . | nindent 2 }} +{{- end }} +{{- with (index .Values (print $component)).affinity }} +affinity: {{- toYaml . | nindent 2 }} +{{- end }} +{{- with (index .Values (print $component)).tolerations }} +tolerations: {{- toYaml . | nindent 2 }} +{{- end }} +{{- end -}} + + +{{/* +Setup a container for the Anchore Enterprise RBAC Auth for pods that need to authenticate with the API +*/}} +{{- define "enterprise.common.rbacAuthContainer" -}} +- name: rbac-auth + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- with .Values.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 4 }} +{{- end }} + command: ["/bin/sh", "-c"] + args: + - {{ print (include "enterprise.common.dockerEntrypoint" .) }} rbac_authorizer + envFrom: {{- include "enterprise.common.envFrom" . | nindent 4 }} + env: {{- include "enterprise.common.environment" (merge (dict "component" "rbacAuth") .) | nindent 4 }} + ports: + - containerPort: 8089 + name: rbac-auth + volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 4 }} + livenessProbe: + exec: + command: + - curl + - -f + - 'localhost:8089/health' + initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} + timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }} + periodSeconds: {{ .Values.probes.liveness.periodSeconds }} + failureThreshold: {{ .Values.probes.liveness.failureThreshold }} + successThreshold: {{ .Values.probes.liveness.successThreshold }} + readinessProbe: + exec: + command: + - curl + - -f + - 'localhost:8089/health' + timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }} + periodSeconds: {{ .Values.probes.readiness.periodSeconds }} + failureThreshold: {{ .Values.probes.readiness.failureThreshold }} + successThreshold: {{ .Values.probes.readiness.successThreshold }} +{{- with .Values.rbacAuth.resources }} + resources: {{- toYaml . 
| nindent 4 }} +{{- end }} +{{- end -}} + + +{{/* +Setup the common readiness probes for all Anchore Enterprise containers +*/}} +{{- define "enterprise.common.readinessProbe" -}} +{{- $component := .component -}} +httpGet: + path: /health + port: {{ $component | lower }} + scheme: {{ include "enterprise.setProtocol" . | upper }} +timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }} +periodSeconds: {{ .Values.probes.readiness.periodSeconds }} +failureThreshold: {{ .Values.probes.readiness.failureThreshold }} +successThreshold: {{ .Values.probes.readiness.successThreshold }} +{{- end -}} + + +{{/* +Setup the common anchore volume mounts +*/}} +{{- define "enterprise.common.volumeMounts" -}} +{{- with .Values.extraVolumeMounts }} +{{ toYaml . }} +{{- end }} +- name: anchore-license + mountPath: /home/anchore/license.yaml + subPath: license.yaml +- name: config-volume + mountPath: /config/config.yaml + subPath: config.yaml +{{- if (.Values.certStoreSecretName) }} +- name: certs + mountPath: /home/anchore/certs/ + readOnly: true +{{- end }} +{{- end -}} + + +{{/* +Setup the common anchore volumes +*/}} +{{- define "enterprise.common.volumes" -}} +{{- with .Values.extraVolumes }} +{{ toYaml . }} +{{- end }} +- name: anchore-license + secret: + secretName: {{ .Values.licenseSecretName }} +- name: config-volume + configMap: + name: {{ template "enterprise.fullname" . }} +{{- with .Values.certStoreSecretName }} +- name: certs + secret: + secretName: {{ . }} +{{- end }} +{{- if .Values.cloudsql.useExistingServiceAcc }} +- name: {{ .Values.cloudsql.serviceAccSecretName }} + secret: + secretName: {{ .Values.cloudsql.serviceAccSecretName }} +{{- end }} +{{- end -}} diff --git a/stable/enterprise/templates/_helpers.tpl b/stable/enterprise/templates/_helpers.tpl new file mode 100644 index 00000000..7e9af92b --- /dev/null +++ b/stable/enterprise/templates/_helpers.tpl 
@@ -0,0 +1,122 @@ +{{/* +Create database hostname string from supplied values file. Used for setting the ANCHORE_DB_HOST env var in the UI & Engine secret. +*/}} +{{- define "enterprise.dbHostname" }} + {{- if and (index .Values "postgresql" "externalEndpoint") (not (index .Values "postgresql" "enabled")) }} + {{- print ( index .Values "postgresql" "externalEndpoint" ) }} + {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "postgresql" "enabled")) }} + {{- print "localhost" }} + {{- else }} + {{- $db_host := include "postgres.fullname" . }} + {{- printf "%s" $db_host -}} + {{- end }} +{{- end }} + + +{{/* +Return Anchore default admin password +*/}} +{{- define "enterprise.defaultAdminPassword" -}} + {{- if .Values.anchoreConfig.default_admin_password }} + {{- .Values.anchoreConfig.default_admin_password -}} + {{- else -}} + {{- randAlphaNum 32 -}} + {{- end -}} +{{- end -}} + + +{{/* +Allows sourcing of a specified file in the entrypoint of all containers when .Values.doSourceAtEntry.enabled == true +*/}} +{{- define "enterprise.doSourceFile" }} + {{- if .Values.doSourceAtEntry.enabled }} + {{- range $index, $file := .Values.doSourceAtEntry.filePaths }} + {{- printf "if [ -f %v ];then source %v;fi;" $file $file }} + {{- end }} + {{- end }} +{{- end }} + + +{{/* +Returns the proper URL for the feeds service +*/}} +{{- define "enterprise.feedsURL" }} +{{- $anchoreFeedsURL := "" }} + {{- if .Values.feeds.url }} + {{- /* remove everything from the URL after /v1 to get the hostname, then use that to construct the proper URL */}} + {{- $urlPathSuffix := (default "" ( regexFind "/v1.*$" .Values.feeds.url )) -}} + {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.feeds.url) -}} + {{- $anchoreFeedsURL = (printf "%s/v1/feeds" $anchoreFeedsHost) -}} + {{- else if .Values.feeds.chartEnabled }} + {{- $anchoreFeedsURL = (printf "%s://%s:%s/v1/feeds" (include "enterprise.setProtocol" .) (include "feeds.fullname" .) 
(.Values.feeds.service.port | toString)) -}} + {{- end }} + {{- print $anchoreFeedsURL -}} +{{- end -}} + + +{{/* +Returns the proper URL for the grype provider +*/}} +{{- define "enterprise.grypeProviderURL" }} +{{- $grypeProviderFeedsExternalURL := "" -}} + {{- if .Values.feeds.url }} + {{- /* remove everything from the URL after /v1 to get the hostname, then use that to construct the proper URL */}} + {{- $urlPathSuffix := (default "" ( regexFind "/v1.*$" .Values.feeds.url )) -}} + {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.feeds.url) -}} + {{- $grypeProviderFeedsExternalURL = (printf "%s/v1/databases/grypedb" $anchoreFeedsHost) -}} + {{- else if .Values.feeds.chartEnabled }} + {{- $grypeProviderFeedsExternalURL = (printf "%s://%s:%s/v1/databases/grypedb" (include "enterprise.setProtocol" .) (include "feeds.fullname" .) (.Values.feeds.service.port | toString) ) -}} + {{- end }} + + {{- /* Set the grypeProviderFeedsExternalURL to upstream feeds if still unset or if specifically overridden */}} + {{- if or (empty $grypeProviderFeedsExternalURL) .Values.anchoreConfig.policy_engine.overrideFeedsToUpstream -}} + {{- $grypeProviderFeedsExternalURL = "https://toolbox-data.anchore.io/grype/databases/listing.json" -}} + {{- end }} + {{- print $grypeProviderFeedsExternalURL -}} +{{- end -}} + + +{{/* +Set the appropriate kubernetes service account name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "enterprise.serviceAccountName" -}} +{{- $component := .component -}} +{{- with (index .Values (print $component)).serviceAccountName }} + {{- print . | trunc 63 | trimSuffix "-" -}} +{{- else }} + {{- if and .Values.upgradeJob.rbacCreate (eq $component "upgradeJob") }} + {{- printf "%s-%s" (include "enterprise.fullname" .) 
"upgrade-sa" -}} + {{- else if .Values.serviceAccountName }} + {{- print .Values.serviceAccountName | trunc 63 | trimSuffix "-" -}} + {{- end }} +{{- end }} +{{- end -}} + + +{{/* +Return the proper protocol when Anchore internal SSL is enabled +*/}} +{{- define "enterprise.setProtocol" -}} + {{- if .Values.anchoreConfig.internalServicesSSL.enabled }} +{{- print "https" -}} + {{- else -}} +{{- print "http" -}} + {{- end }} +{{- end -}} + + +{{/* +Return the database password for the Anchore Enterprise UI config +*/}} +{{- define "enterprise.ui.dbPassword" -}} +{{ ternary .Values.postgresql.auth.password .Values.anchoreConfig.ui.dbPassword (empty .Values.anchoreConfig.ui.dbPassword) }} +{{- end -}} + + +{{/* +Return the database user for the Anchore Enterprise UI config +*/}} +{{- define "enterprise.ui.dbUser" -}} +{{ ternary .Values.postgresql.auth.username .Values.anchoreConfig.ui.dbUser (empty .Values.anchoreConfig.ui.dbUser) }} +{{- end -}} diff --git a/stable/enterprise/templates/_names.tpl b/stable/enterprise/templates/_names.tpl new file mode 100644 index 00000000..e5cfda43 --- /dev/null +++ b/stable/enterprise/templates/_names.tpl 
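Review bot: `enterprise.doSourceFile` emits `source %v`, but the containers in this change launch their entrypoint under `command: ["/bin/sh", "-c"]`; `source` is a bash extension, so if `/bin/sh` in the image is dash rather than bash (not confirmable from here) the sourced file is skipped with `source: not found` and, with no `set -e`, execution continues without the environment the file was meant to provide. The POSIX form works under every sh: `{{- printf "if [ -f %v ]; then . %v; fi;" $file $file }}`. Whether this helper is actually spliced into `enterprise.common.dockerEntrypoint` is not visible in this hunk, so treat that as an assumption to verify.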
@@ -0,0 +1,76 @@ +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} + +{{- define "enterprise.fullname" -}} +{{- if .Values.fullnameOverride }} + {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} + {{- $name := default .Chart.Name .Values.nameOverride }} + {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} + +{{- define "enterprise.analyzer.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s-%s" .Release.Name $name "analyzer"| trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "enterprise.api.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s-%s" .Release.Name $name "api"| trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "enterprise.catalog.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s-%s" .Release.Name $name "catalog"| trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "enterprise.notifications.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s-%s" .Release.Name $name "notifications"| trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "enterprise.policyEngine.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s-%s" .Release.Name $name "policy"| trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "enterprise.rbacAuth.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s-%s" .Release.Name $name "rbac-auth"| trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "enterprise.rbacManager.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s-%s" .Release.Name $name "rbac-manager"| trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "enterprise.reports.fullname" -}} +{{- $name := 
default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s-%s" .Release.Name $name "reports"| trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "enterprise.simpleQueue.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s-%s" .Release.Name $name "simplequeue"| trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "enterprise.ui.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s-%s" .Release.Name $name "ui"| trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "enterprise.upgradeJob.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s-%s-%s" .Release.Name $name (.Chart.AppVersion | replace "." "") "upgrade" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "postgres.fullname" -}} +{{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "redis.fullname" -}} +{{- printf "%s-%s" .Release.Name "ui-redis" | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/stable/enterprise/templates/analyzer_configmap.yaml b/stable/enterprise/templates/analyzer_configmap.yaml new file mode 100644 index 00000000..faab4b66 --- /dev/null +++ b/stable/enterprise/templates/analyzer_configmap.yaml @@ -0,0 +1,15 @@ +{{- $component := "analyzer" -}} + +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "enterprise.analyzer.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +data: + analyzer_config.yaml: | + # Anchore analyzer configuration + {{- with .Values.anchoreConfig.analyzer.configFile }} + {{- toYaml . | nindent 4 }} + {{- end }} 
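Review bot: `postgres.fullname` and `redis.fullname` hard-code `<release>-postgresql` and `<release>-ui-redis`, while `enterprise.fullname` just above honours `fullnameOverride`/`nameOverride`; if the bitnami subcharts are given their own `fullnameOverride` (assuming their usual `common.names.fullname` convention), `enterprise.dbHostname` in `_helpers.tpl`, which builds on `postgres.fullname`, will point `ANCHORE_DB_HOST` at a Service that does not exist. Either derive the name from the subchart values, e.g. `{{- default (printf "%s-%s" .Release.Name "postgresql") .Values.postgresql.fullnameOverride | trunc 63 | trimSuffix "-" -}}`, or add a comment above these two helpers stating that subchart name overrides are not supported.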
diff --git a/stable/enterprise/templates/analyzer_deployment.yaml b/stable/enterprise/templates/analyzer_deployment.yaml
new file mode 100644
index 00000000..3b074617
--- /dev/null
+++ b/stable/enterprise/templates/analyzer_deployment.yaml
@@ -0,0 +1,70 @@ +{{- $component := "analyzer" -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "enterprise.analyzer.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: + selector: + matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} + replicas: {{ .Values.analyzer.replicaCount }} + strategy: + type: Recreate + template: + metadata: + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component "nil" true) .) | nindent 8 }} + {{- if and (not .Values.injectSecretsViaEnv) (not .Values.useExistingSecrets) }} + checksum/secrets: {{ include (print $.Template.BasePath "/anchore_secret.yaml") . | sha256sum }} + {{- end }} + checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} + checksum/analyzer-config: {{ include (print $.Template.BasePath "/analyzer_configmap.yaml") . | sha256sum }} + spec: + {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} + volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + - name: "anchore-scratch" + {{- if .Values.scratchVolume.details }} + {{- toYaml .Values.scratchVolume.details | nindent 10 }} + {{- else }} + emptyDir: {} + {{- end }} + - name: analyzer-config-volume + configMap: + name: {{ template "enterprise.analyzer.fullname" . }} + {{- if and .Values.scratchVolume.fixGroupPermissions .Values.securityContext.fsGroup }} + initContainers: + {{- include "enterprise.common.fixPermissionsInitContainer" . 
| nindent 8 }} + {{- end }} + containers: + {{- if .Values.cloudsql.enabled }} + {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} + {{- end }} + - name: "{{ .Chart.Name }}-{{ $component | lower }}" + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 12 }} + {{- end }} + command: ["/bin/sh", "-c"] + args: + - {{ print (include "enterprise.common.dockerEntrypoint" .) }} analyzer + envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} + env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} + ports: + - name: {{ $component | lower }} + containerPort: {{ .Values.analyzer.service.port }} + volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + - name: analyzer-config-volume + mountPath: "{{ .Values.anchoreConfig.service_dir }}/analyzer_config.yaml" + subPath: analyzer_config.yaml + - name: "anchore-scratch" + mountPath: {{ .Values.scratchVolume.mountPath }} + livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} + readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} + {{- with .Values.analyzer.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} diff --git a/stable/enterprise/templates/anchore_configmap.yaml b/stable/enterprise/templates/anchore_configmap.yaml new file mode 100644 index 00000000..c77c38e3 --- /dev/null +++ b/stable/enterprise/templates/anchore_configmap.yaml 
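Review bot: The default scratch volume is `emptyDir: {}` with no `sizeLimit`, so whatever the analyzer writes under `scratchVolume.mountPath` (presumably unpacked image content — confirm against the analyzer's use of the scratch dir) is bounded only by the node's ephemeral storage, and a single oversized image can get the pod evicted or starve neighbouring pods. Either document in values that `scratchVolume.details` must be set for production, or expose a cap, e.g. `emptyDir:` / `  sizeLimit: {{ .Values.scratchVolume.sizeLimit }}` behind a new `scratchVolume.sizeLimit` value. The catalog deployment in this same change uses the identical default and should be changed together.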
@@ -0,0 +1,17 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: {{ template "enterprise.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "enterprise.common.labels" . | nindent 4 }}
+ annotations: {{- include "enterprise.common.annotations" . | nindent 4 }}
+
+data:
+ config.yaml: |
+ # Anchore Service Configuration File, mounted from a configmap
+ #
+{{- if .Values.configOverride }}
+{{ tpl .Values.configOverride . | indent 4 }}
+{{- else }}
+{{ tpl (.Files.Get "files/default_config.yaml") . | indent 4 }}
+{{- end }}
\ No newline at end of file
diff --git a/stable/enterprise/templates/anchore_secret.yaml b/stable/enterprise/templates/anchore_secret.yaml
new file mode 100644
index 00000000..a74fe199
--- /dev/null
+++ b/stable/enterprise/templates/anchore_secret.yaml
@@ -0,0 +1,34 @@
+{{- if not .Values.useExistingSecrets -}}
+{{- /*
+ If release is being upgraded, don't recreate the defaultAdminPassword, instead get it from the corresponding existing
+ secret.
+*/ -}}
+{{- $anchoreAdminPass := (include "enterprise.defaultAdminPassword" . | quote) -}}
+{{- if and .Release.IsUpgrade (not .Values.anchoreConfig.default_admin_password) -}}
+ {{- $adminPassSecret := (lookup "v1" "Secret" .Release.Namespace (include "enterprise.fullname" .)) -}}
+ {{- if $adminPassSecret -}}
+ {{- $anchoreAdminPass = (index $adminPassSecret.data "ANCHORE_ADMIN_PASSWORD" | b64dec) -}}
+ {{- end -}}
+{{- end -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "enterprise.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "enterprise.common.labels" . | nindent 4 }}
+ annotations: {{- include "enterprise.common.annotations" . | nindent 4 }}
+type: Opaque
+stringData:
+ ANCHORE_ADMIN_PASSWORD: {{ $anchoreAdminPass | quote }}
+ ANCHORECTL_PASSWORD: {{ $anchoreAdminPass | quote }}
+ ANCHORECLI_PASS: {{ $anchoreAdminPass | quote }}
+ ANCHORE_DB_HOST: {{ include "enterprise.dbHostname" . | quote }}
+ ANCHORE_DB_NAME: {{ index .Values "postgresql" "auth" "database" | quote }}
+ ANCHORE_DB_USER: {{ index .Values "postgresql" "auth" "username" | quote }}
+ ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "auth" "password" | quote }}
+ ANCHORE_DB_PORT: {{ index .Values "postgresql" "primary" "service" "ports" "postgresql" | quote }}
+{{- with .Values.anchoreConfig.keys.secret }}
+ ANCHORE_SAML_SECRET: {{ . | quote }}
+{{- end }}
+
+{{- end -}}
diff --git a/stable/enterprise/templates/api_deployment.yaml b/stable/enterprise/templates/api_deployment.yaml
new file mode 100644
index 00000000..40975220
--- /dev/null
+++ b/stable/enterprise/templates/api_deployment.yaml
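Review bot: `$anchoreAdminPass` is already quoted when it is assigned (`include "enterprise.defaultAdminPassword" . | quote`) and then piped through `quote` again under `stringData`, so on a fresh install — or whenever `anchoreConfig.default_admin_password` is supplied — the rendered value is `"\"<password>\""` and the stored admin password carries literal double-quote characters, whereas the upgrade branch assigns the `b64dec` result unquoted and is rendered correctly. Drop the first quoting: `{{- $anchoreAdminPass := (include "enterprise.defaultAdminPassword" .) -}}`, and confirm with `helm template` that the three password keys render as plain quoted strings. A second caveat worth a comment next to the `lookup`: it returns nothing under `helm template` and `--dry-run`, so those paths regenerate a fresh random password on every render rather than preserving the existing one.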
@@ -0,0 +1,116 @@ +{{- $component := "api" -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "enterprise.api.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: + selector: + matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} + replicas: {{ .Values.api.replicaCount }} + strategy: + type: Recreate + template: + metadata: + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component "nil" true) .) | nindent 8 }} + {{- if not .Values.injectSecretsViaEnv }} + checksum/secrets: {{ include (print $.Template.BasePath "/anchore_secret.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.anchoreConfig.policyBundles }} + checksum/policy-config: {{ include (print $.Template.BasePath "/policybundle_configmap.yaml") . | sha256sum }} + {{- end }} + checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} + spec: + {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} + volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + {{- if .Values.anchoreConfig.policyBundles }} + - name: policy-bundle-volume + configMap: + name: {{ template "enterprise.fullname" . }}-policy-bundles + {{- end }} + containers: + {{- if .Values.cloudsql.enabled }} + {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} + {{- end }} + {{- include "enterprise.common.rbacAuthContainer" . 
| nindent 8 }} + - name: "{{ .Chart.Name }}-{{ $component | lower }}" + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 12 }} + {{- end }} + command: ["/bin/sh", "-c"] + args: + - {{ print (include "enterprise.common.dockerEntrypoint" .) }} apiext + envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} + env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} + {{- if not .Values.injectSecretsViaEnv }} + - name: ANCHORE_CLI_PASS + valueFrom: + secretKeyRef: + name: {{ ternary .Values.existingSecretName (include "enterprise.fullname" .) .Values.useExistingSecrets }} + key: ANCHORE_ADMIN_PASSWORD + {{- end }} + ports: + - name: {{ $component | lower }} + containerPort: {{ .Values.api.service.port }} + volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + {{- if .Values.anchoreConfig.policyBundles }} + - name: policy-bundle-volume + mountPath: "{{ $.Values.anchoreConfig.service_dir }}/bundles/" + {{- end }} + livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} + readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} + {{- with .Values.api.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + + - name: "{{ .Chart.Name }}-reports-api" + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 12 }} + {{- end }} + command: ["/bin/sh", "-c"] + args: + - {{ print (include "enterprise.common.dockerEntrypoint" .) }} reports + envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} + env: {{- include "enterprise.common.environment" (merge (dict "component" "reports" "api" "true") .) 
| nindent 12 }} + ports: + - containerPort: {{ .Values.reports.service.port }} + name: reports + volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" "reports") .) | nindent 12 }} + readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" "reports") .) | nindent 12 }} + {{- with .Values.reports.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "enterprise.api.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: + type: {{ .Values.api.service.type }} + ports: + - name: {{ $component | lower }} + port: {{ .Values.api.service.port }} + targetPort: {{ .Values.api.service.port }} + protocol: TCP + - name: reports + port: {{ .Values.reports.service.port }} + targetPort: {{ .Values.reports.service.port }} + protocol: TCP + selector: + app.kubernetes.io/name: {{ template "enterprise.fullname" . }} + app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/catalog_deployment.yaml b/stable/enterprise/templates/catalog_deployment.yaml new file mode 100644 index 00000000..aa0d9e09 --- /dev/null +++ b/stable/enterprise/templates/catalog_deployment.yaml 
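Review bot: The `checksum/secrets` annotation on this pod template is gated only on `not .Values.injectSecretsViaEnv`, whereas the analyzer and catalog deployments in this same change additionally require `not .Values.useExistingSecrets`; with `useExistingSecrets: true` the included `anchore_secret.yaml` renders empty (its body is wrapped in `if not .Values.useExistingSecrets`), so the annotation degrades to a constant hash that neither tracks the chart secret nor the external one. Use the same condition as the sibling deployments: `{{- if and (not .Values.injectSecretsViaEnv) (not .Values.useExistingSecrets) }}`. Consistent gating also keeps the three deployments' rendered annotations comparable when reviewing `helm template` output.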
@@ -0,0 +1,94 @@ +{{- $component := "catalog" -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "enterprise.catalog.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: + selector: + matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} + replicas: {{ .Values.catalog.replicaCount }} + strategy: + type: Recreate + template: + metadata: + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component "nil" true) .) | nindent 8 }} + checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} + {{- if and (not .Values.injectSecretsViaEnv) (not .Values.useExistingSecrets) }} + checksum/secrets: {{ include (print $.Template.BasePath "/anchore_secret.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.anchoreConfig.policyBundles }} + checksum/policy-config: {{ include (print $.Template.BasePath "/policybundle_configmap.yaml") . | sha256sum }} + {{- end }} + spec: + {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} + volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + - name: anchore-scratch + {{- if .Values.scratchVolume.details }} + {{- toYaml .Values.scratchVolume.details | nindent 10 }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.anchoreConfig.policyBundles }} + - name: policy-bundle-volume + configMap: + name: {{ template "enterprise.fullname" . 
}}-policy-bundles + {{- end }} + {{- if and .Values.scratchVolume.fixGroupPermissions .Values.securityContext.fsGroup }} + initContainers: + {{- include "enterprise.common.fixPermissionsInitContainer" . | nindent 8 }} + {{- end }} + containers: + {{- if .Values.cloudsql.enabled }} + {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} + {{- end }} + - name: "{{ .Chart.Name }}-{{ $component | lower }}" + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 12 }} + {{- end }} + command: ["/bin/sh", "-c"] + args: + - {{ print (include "enterprise.common.dockerEntrypoint" .) }} catalog + envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} + env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} + ports: + - name: {{ $component | lower }} + containerPort: {{ .Values.catalog.service.port }} + volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + - name: anchore-scratch + mountPath: {{ .Values.scratchVolume.mountPath }} + {{- if .Values.anchoreConfig.policyBundles }} + - name: policy-bundle-volume + mountPath: "{{ $.Values.anchoreConfig.service_dir }}/bundles/" + {{- end }} + livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} + readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} + {{- with .Values.catalog.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "enterprise.catalog.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) 
| nindent 4 }} +spec: + type: {{ .Values.catalog.service.type }} + ports: + - name: {{ $component | lower }} + port: {{ .Values.catalog.service.port }} + targetPort: {{ .Values.catalog.service.port }} + protocol: TCP + selector: + app.kubernetes.io/name: {{ template "enterprise.fullname" . }} + app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml new file mode 100644 index 00000000..13a23b42 --- /dev/null +++ b/stable/enterprise/templates/envvars_configmap.yaml 
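Review bot: The `initContainers` include here pulls in `enterprise.common.fixPermissionsInitContainer`, whose definition earlier in this patch is `image: alpine` with no tag or digest and `securityContext.runAsUser: 0`; an unpinned, mutable public image running as root in every catalog (and analyzer) pod is a supply-chain exposure and will also be rejected by admission policies that require pinned images or forbid root. Make the image a chart value with a tag- or digest-pinned default, e.g. `image: {{ .Values.scratchVolume.fixerImage }}` set from `values.yaml`, and give the init container a `resources:` stanza so it is admitted under a namespace LimitRange/ResourceQuota. The init container definition itself lies outside this hunk, so the change belongs in `_common.tpl`.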
@@ -0,0 +1,99 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: {{ template "enterprise.fullname" . }}-config-env-vars
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "enterprise.common.labels" . | nindent 4 }}
+ annotations: {{- include "enterprise.common.annotations" . | nindent 4 }}
+
+data:
+ ANCHORE_ADMIN_EMAIL: "{{ .Values.anchoreConfig.default_admin_email }}"
+ ANCHORE_ALLOW_ECR_IAM_AUTO: "{{ .Values.anchoreConfig.allow_awsecr_iam_auto }}"
+ ANCHORE_ANALYZER_TASK_REQUEUE: "true"
+ ANCHORE_ANALYZER_MAX_THREADS: "{{ .Values.anchoreConfig.analyzer.max_threads }}"
+ ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "{{ .Values.anchoreConfig.user_authentication.hashed_passwords }}"
+{{- with .Values.anchoreConfig.keys.publicKeyFileName }}
+ ANCHORE_AUTH_PRIVKEY: "/home/anchore/certs/{{- . }}"
+{{- else }}
+ ANCHORE_AUTH_PRIVKEY: "null"
+{{- end }}
+{{- with .Values.anchoreConfig.keys.privateKeyFileName }}
+ ANCHORE_AUTH_PUBKEY: "/home/anchore/certs/{{- . }}"
+{{- else }}
+ ANCHORE_AUTH_PUBKEY: "null"
+{{- end }}
+ ANCHORE_AUTHZ_HANDLER: "external"
+ ANCHORE_AUTHZ_HANDLER_ENDPOINT: "http://localhost:8089"
+ ANCHORE_CATALOG_IMAGE_GC_WORKERS: "4"
+ ANCHORE_CLI_URL: "http://localhost:8228"
+ ANCHORE_CLI_USER: "admin"
+ ANCHORECTL_URL: "http://localhost:8228"
+ ANCHORECTL_USERNAME: "admin"
+ ANCHORE_DISABLE_METRICS_AUTH: "{{ .Values.anchoreConfig.metrics.auth_disabled }}"
+ ANCHORE_DB_POOL_MAX_OVERFLOW: "{{ .Values.anchoreConfig.database.db_pool_max_overflow }}"
+ ANCHORE_DB_POOL_SIZE: "{{ .Values.anchoreConfig.database.db_pool_size }}"
+ ANCHORE_DB_SSL: "{{ .Values.anchoreConfig.database.ssl }}"
+ ANCHORE_DB_SSL_MODE: "{{ .Values.anchoreConfig.database.sslMode }}"
+{{- with .Values.anchoreConfig.database.sslRootCertFileName }}
+ ANCHORE_DB_SSL_ROOT_CERT: "/home/anchore/certs/{{- . }}"
+{{- else }}
+ ANCHORE_DB_SSL_ROOT_CERT: "null"
+{{- end }}
+ ANCHORE_DB_TIMEOUT: "{{ .Values.anchoreConfig.database.timeout }}"
+ ANCHORE_ENABLE_METRICS: "{{ .Values.anchoreConfig.metrics.enabled }}"
+ ANCHORE_ENTERPRISE_REPORTS_ENABLE_DATA_INGRESS: "{{ .Values.anchoreConfig.reports_worker.enable_data_ingress }}"
+ ANCHORE_ENTERPRISE_REPORTS_ENABLE_DATA_EGRESS: "{{ .Values.anchoreConfig.reports_worker.enable_data_egress }}"
+ ANCHORE_ENTERPRISE_REPORTS_DATA_EGRESS_WINDOW: "{{ .Values.anchoreConfig.reports_worker.data_egress_window }}"
+ ANCHORE_ENTERPRISE_REPORTS_DATA_REFRESH_MAX_WORKERS: "{{ .Values.anchoreConfig.reports_worker.data_refresh_max_workers }}"
+ ANCHORE_ENTERPRISE_REPORTS_DATA_LOAD_MAX_WORKERS: "{{ .Values.anchoreConfig.reports_worker.data_load_max_workers }}"
+ ANCHORE_ENTERPRISE_REPORTS_ENABLE_GRAPHIQL: "{{ .Values.anchoreConfig.reports.enable_graphiql }}"
+ ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER: "true"
+ ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER: "true"
+ ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE: "true"
+ ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_TTL_DAYS: "120"
+ {{- with .Values.anchoreConfig.notifications.ui_url }}
+ ANCHORE_ENTERPRISE_UI_URL: "{{ . }}"
+ {{- else }}
+ ANCHORE_ENTERPRISE_UI_URL: {{ include "enterprise.ui.fullname" . | quote }}
+ {{- end }}
+ ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED: "false"
+ ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: "false"
+ ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED: "true"
+ ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED: "false"
+ ANCHORE_FEEDS_SSL_VERIFY: "{{ .Values.anchoreConfig.internalServicesSSL.verifyCerts }}"
+ ANCHORE_FEEDS_VULNERABILITIES_ENABLED: "true"
+ ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT: "0"
+ ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT: "0"
+ ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC: "180"
+ ANCHORE_HINTS_ENABLED: "{{ .Values.anchoreConfig.analyzer.enable_hints }}"
+ ANCHORE_IMAGE_ANALYZE_TIMEOUT_SECONDS: "3600"
+ ANCHORE_INTERNAL_SSL_VERIFY: "{{ .Values.anchoreConfig.internalServicesSSL.verifyCerts }}"
+ ANCHORE_KEEP_IMAGE_ANALYSIS_TMPFILES: "false"
+ ANCHORE_LAYER_CACHE_ENABLED: {{ ternary "true" "false" (gt .Values.anchoreConfig.analyzer.layer_cache_max_gigabytes 0.0) | quote }}
+ ANCHORE_LAYER_CACHE_SIZE_GB: "{{ .Values.anchoreConfig.analyzer.layer_cache_max_gigabytes }}"
+ ANCHORE_LICENSE_FILE: "/home/anchore/license.yaml"
+ ANCHORE_LOG_LEVEL: "{{ .Values.anchoreConfig.log_level }}"
+ ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB: "-1"
+ ANCHORE_MAX_REQUEST_THREADS: "50"
+ ANCHORE_OAUTH_ENABLED: "{{ .Values.anchoreConfig.user_authentication.oauth.enabled }}"
+ ANCHORE_OAUTH_TOKEN_EXPIRATION: "{{ .Values.anchoreConfig.user_authentication.oauth.default_token_expiration_seconds }}"
+ ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION: "{{ .Values.anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds }}"
+ ANCHORE_OWNED_PACKAGE_FILTERING_ENABLED: "true"
+ ANCHORE_POLICY_ENGINE_ENABLE_IMAGES_BY_VULN_QUERY: "true"
+ ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD: "true"
+ ANCHORE_POLICY_EVAL_CACHE_TTL_SECONDS: "3600"
+ ANCHORE_SAML_SECRET: "null"
+ ANCHORE_SERVICE_DIR: "{{ .Values.anchoreConfig.service_dir }}"
+ ANCHORE_SSL_ENABLED: "{{ .Values.anchoreConfig.internalServicesSSL.enabled }}"
+{{- with .Values.anchoreConfig.internalServicesSSL.certSecretCertFileName }}
+ ANCHORE_SSL_CERT: "/home/anchore/certs/{{- . }}"
+{{- else }}
+ ANCHORE_SSL_CERT: "null"
+{{- end }}
+{{- with .Values.anchoreConfig.internalServicesSSL.certSecretKeyFileName }}
+ ANCHORE_SSL_KEY: "/home/anchore/certs/{{- . }}"
+{{- else }}
+ ANCHORE_SSL_KEY: "null"
+{{- end }}
+ ANCHORE_SSO_REQUIRES_EXISTING_USERS: "{{ .Values.anchoreConfig.user_authentication.sso_require_existing_users }}"
+ ANCHORE_TMP_DIR: "{{ .Values.scratchVolume.mountPath }}"
\ No newline at end of file
diff --git a/stable/enterprise/templates/hooks/post-upgrade/upgrade_job.yaml b/stable/enterprise/templates/hooks/post-upgrade/upgrade_job.yaml
new file mode 100644
index 00000000..0beaa27a
--- /dev/null
+++ b/stable/enterprise/templates/hooks/post-upgrade/upgrade_job.yaml
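Review bot: The two key-file `with` blocks are crossed: `ANCHORE_AUTH_PRIVKEY` is populated from `.Values.anchoreConfig.keys.publicKeyFileName` and `ANCHORE_AUTH_PUBKEY` from `.Values.anchoreConfig.keys.privateKeyFileName`, so whichever file name the operator sets lands on the opposite variable. Assuming the services read these paths as the names suggest, an install that sets only `privateKeyFileName` ends up with `ANCHORE_AUTH_PRIVKEY: "null"` and its private-key path advertised as the public key. Swap the two selectors: `{{- with .Values.anchoreConfig.keys.privateKeyFileName }}` above `ANCHORE_AUTH_PRIVKEY` and `{{- with .Values.anchoreConfig.keys.publicKeyFileName }}` above `ANCHORE_AUTH_PUBKEY`. A short comment at the top of `data:`, `# file names below are relative to the certs mount at /home/anchore/certs`, would also help, since the same prefix is repeated for the DB root cert and the internal SSL cert/key without explanation.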
@@ -0,0 +1,56 @@
+{{- if and .Values.upgradeJob.enabled .Values.upgradeJob.usePostUpgradeHook -}}
+{{- $component := "upgradeJob" -}}
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ template "enterprise.upgradeJob.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }}
+ annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component "nil" true) .) | nindent 4 }}
+ {{- if not .Values.upgradeJob.force }}
+ "helm.sh/hook": post-upgrade
+ "helm.sh/hook-weight": "0"
+ {{- end }}
+spec:
+ template:
+ metadata:
+ name: {{ template "enterprise.upgradeJob.fullname" . }}
+ labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }}
+ annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component "nil" true) .) | nindent 8 }}
+ {{- if and (not .Values.injectSecretsViaEnv) (not .Values.useExistingSecrets) }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/anchore_secret.yaml") . | sha256sum }}
+ {{- end }}
+ spec:
+ {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }}
+ restartPolicy: Never
+ volumes: {{- include "enterprise.common.volumes" . | nindent 8 }}
+ containers:
+ {{- if .Values.cloudsql.enabled }}
+ {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }}
+ {{- end }}
+ - name: anchore-upgrade
+ image: {{ .Values.image }}
+ imagePullPolicy: {{ .Values.imagePullPolicy }}
+ {{- with .Values.containerSecurityContext }}
+ securityContext: {{- toYaml . | nindent 12 }}
+ {{- end }}
+ command: ["/bin/bash", "-c"]
+ args:
+ {{- if not .Values.anchoreConfig.database.ssl }}
+ - |
+ {{ print (include "enterprise.doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}":"${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" upgrade --dontask;
+ {{- else if eq .Values.anchoreConfig.database.sslMode "require" }}
+ - |
+ {{ print (include "enterprise.doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}":"${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreConfig.database.sslMode }} upgrade --dontask;
+ {{- else }}
+ - |
+ {{ print (include "enterprise.doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}":"${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreConfig.database.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreConfig.database.sslRootCertFileName }} upgrade --dontask;
+ {{- end }}
+ envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }}
+ env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }}
+ volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }}
+ {{- with .Values.upgradeJob.resources }}
+ resources: {{- toYaml . | nindent 12 }}
+ {{- end }}
+{{- end -}}
diff --git a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml
new file mode 100644
index 00000000..8c2915fe
--- /dev/null
+++ b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml
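Review bot: In all three `args` branches the database password is spliced raw into the `postgresql://` URL as `"${ANCHORE_DB_PASSWORD}"`, with no percent-encoding, so a password containing `@`, `/`, `:`, `?`, `#` or `%` is mis-parsed as host or query text and the upgrade fails, and once bash has expanded it the complete URL with the secret sits in the `anchore-enterprise-manager` process's argv (`/proc/<pid>/cmdline`), readable by every process in that container and by the other containers if `shareProcessNamespace` is ever enabled. If `anchore-enterprise-manager` honors the libpq environment, the safer shape is to leave the credential out of the URL and `export PGPASSWORD="${ANCHORE_DB_PASSWORD}"` before the call; otherwise percent-encode the value before the URL is assembled. Separately, the last branch appends `sslrootcert=/home/anchore/certs/{{ .Values.anchoreConfig.database.sslRootCertFileName }}` unconditionally, so a `verify-ca`/`verify-full` install that forgot to set `sslRootCertFileName` gets a trailing directory path at runtime instead of a template-time error; wrapping that value in `required "sslRootCertFileName is needed for sslMode verify-*"` would surface the misconfiguration at `helm upgrade` time.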
@@ -0,0 +1,70 @@
+{{- if and .Values.upgradeJob.enabled (not .Values.upgradeJob.usePostUpgradeHook) -}}
+{{- $component := "upgradeJob" -}}
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ template "enterprise.upgradeJob.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }}
+ annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component "nil" true) .) | nindent 4 }}
+ {{- if not .Values.upgradeJob.force }}
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-weight": "3"
+ {{- end }}
+spec:
+ template:
+ metadata:
+ name: {{ template "enterprise.upgradeJob.fullname" . }}
+ labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }}
+ annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component "nil" true) .) | nindent 8 }}
+ {{- if and (not .Values.injectSecretsViaEnv) (not .Values.useExistingSecrets) }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/anchore_secret.yaml") . | sha256sum }}
+ {{- end }}
+ spec:
+ {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }}
+ restartPolicy: Never
+ volumes: {{- include "enterprise.common.volumes" . | nindent 8 }}
+ initContainers:
+ - name: scale-down-anchore
+ image: bitnami/kubectl:1.27
+ command: ["/bin/bash", "-c"]
+ args:
+ - |
+ kubectl scale deployments --all --replicas=0 -l app.kubernetes.io/name={{ template "enterprise.fullname" . }};
+ while [[ $(kubectl get pods -l app.kubernetes.io/name={{ template "enterprise.fullname" . }} --field-selector=status.phase=Running --no-headers | tee /dev/stderr | wc -l) -gt 0 ]]; do echo 'waiting for pods to go down...' && sleep 5; done
+ {{- with .Values.containerSecurityContext }}
+ securityContext: {{ toYaml . | nindent 10 }}
+ {{- end }}
+ {{- with .Values.upgradeJob.resources }}
+ resources: {{- toYaml . | nindent 10 }}
+ {{- end }}
+ containers:
+ {{- if .Values.cloudsql.enabled }}
+ {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }}
+ {{- end }}
+ - name: upgrade-enterprise-db
+ image: {{ .Values.image }}
+ imagePullPolicy: {{ .Values.imagePullPolicy }}
+ {{- with .Values.containerSecurityContext }}
+ securityContext: {{ toYaml . | nindent 12 }}
+ {{- end }}
+ envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }}
+ env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }}
+ volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }}
+ {{- with .Values.upgradeJob.resources }}
+ resources: {{- toYaml . | nindent 12 }}
+ {{- end }}
+ command: ["/bin/bash", "-c"]
+ args:
+ {{- if not .Values.anchoreConfig.database.ssl }}
+ - |
+ {{ print (include "enterprise.doSourceFile" .) }} anchore-enterprise-manager db --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}":"${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" upgrade --dontask;
+ {{- else if eq .Values.anchoreConfig.database.sslMode "require"}}
+ - |
+ {{ print (include "enterprise.doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}":"${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreConfig.database.sslMode }} upgrade --dontask;
+ {{- else }}
+ - |
+ {{ print (include "enterprise.doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}":"${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreConfig.database.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreConfig.database.sslRootCertFileName }} upgrade --dontask;
+ {{- end }}
+{{- end -}}
\ No newline at end of file
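Review bot: The `scale-down-anchore` init container hard-codes `image: bitnami/kubectl:1.27`, a mutable Docker Hub tag with no `imagePullPolicy` and no way to override it from values, so an upgrade on a registry-restricted or air-gapped cluster stalls at the pre-upgrade hook, and whatever is behind that tag on pull day runs with the upgrade service account's rights. Expose it like the other images, e.g. `image: {{ .Values.upgradeJob.kubectlImage }}` with a digest-pinned default in values.yaml, and add `imagePullPolicy: {{ .Values.imagePullPolicy }}` beside it. The `while` loop waiting for pods to leave `Running` has no upper bound, so a pod stuck terminating holds the hook until Helm's own timeout fires; a bounded retry count that exits non-zero would give a clearer failure than a silent hang. The `--db-connect` URL in `upgrade-enterprise-db` embeds `${ANCHORE_DB_PASSWORD}` un-encoded, with the same parsing and argv-exposure caveats as the post-upgrade job.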
diff --git a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_rbac.yaml b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_rbac.yaml
new file mode 100644
index 00000000..5b48f70c
--- /dev/null
+++ b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_rbac.yaml
@@ -0,0 +1,76 @@
+{{- if and .Values.upgradeJob.enabled .Values.upgradeJob.rbacCreate (not .Values.upgradeJob.usePostUpgradeHook) -}}
+{{- $component := "upgradeJob" -}}
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "enterprise.fullname" . }}-upgrade-sa
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }}
+ annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component "nil" true) .) | nindent 4 }}
+ {{- if not .Values.upgradeJob.force }}
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-weight": "0"
+ {{- end }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "enterprise.fullname" . }}-upgrade-role-binding
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }}
+ annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component "nil" true) .) | nindent 4 }}
+ {{- if not .Values.upgradeJob.force }}
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-weight": "0"
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "enterprise.fullname" . }}-upgrade-role
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "enterprise.fullname" . }}-upgrade-sa
+ namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "enterprise.fullname" . }}-upgrade-role
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }}
+ annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component "nil" true) .) | nindent 4 }}
+ {{- if not .Values.upgradeJob.force }}
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-weight": "0"
+ {{- end }}
+rules:
+ - apiGroups:
+ - extensions
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - apiGroups:
+ - apps
+ resources:
+ - deployments/scale
+ verbs:
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - watch
+ - list
+ - get
+{{- end -}}
\ No newline at end of file
diff --git a/stable/enterprise/templates/ingress.yaml b/stable/enterprise/templates/ingress.yaml
new file mode 100644
index 00000000..25bec7e6
--- /dev/null
+++ b/stable/enterprise/templates/ingress.yaml
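Review bot: The `rules` grant more than the pre-upgrade hook uses: `update`/`patch` on `deployments` (and on the long-removed `extensions` group) let the upgrade service account rewrite the pod template of any Deployment in the namespace, while the hook only runs `kubectl scale --all -l ...` and polls pods. With kubectl 1.27, `scale` lists the deployments and then merge-patches the `scale` subresource unless `--current-replicas`/`--resource-version` preconditions are given, so `get`/`list` on `deployments`, `patch` on `deployments/scale` and `get`/`list` on `pods` should be all it needs; `watch` is not used by either command. Nothing sets a `helm.sh/hook-delete-policy`, so this Role and its binding persist between upgrades, which is one more reason to keep them minimal. Rules trimmed accordingly:

```yaml
rules:
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
      - list
  - apiGroups:
      - apps
    resources:
      - deployments/scale
    verbs:
      - patch
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
```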
@@ -0,0 +1,169 @@ +{{- if .Values.ingress.enabled -}} +{{- $component := "ingress" -}} + +{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} +apiVersion: networking.k8s.io/v1 +{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" }} +apiVersion: networking.k8s.io/v1beta1 +{{- else }} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ template "enterprise.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: +{{- if .Values.ingress.ingressClassName }} + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- end }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- if or .Values.ingress.apiHosts .Values.ingress.uiHosts .Values.ingress.feedsHosts .Values.ingress.reportsHosts }} + {{- range .Values.ingress.apiHosts }} + - host: {{ . | quote }} + http: + paths: + - path: {{ $.Values.ingress.apiPath }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + pathType: Prefix + backend: + service: + name: {{ template "enterprise.api.fullname" $ }} + port: + number: {{ $.Values.api.service.port }} + {{- else }} + backend: + serviceName: {{ template "enterprise.api.fullname" $ }} + servicePort: {{ $.Values.api.service.port }} + {{- end }} + {{- end }} + {{- range .Values.ingress.uiHosts }} + - host: {{ . 
| quote }} + http: + paths: + - path: {{ $.Values.ingress.uiPath }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + pathType: Prefix + backend: + service: + name: {{ template "enterprise.ui.fullname" $ }} + port: + number: {{ $.Values.ui.service.port }} + {{- else }} + backend: + serviceName: {{ template "enterprise.ui.fullname" $ }} + servicePort: {{ $.Values.ui.service.port }} + {{- end }} + {{- end }} + {{- range .Values.ingress.feedsHosts }} + - host: {{ . | quote }} + http: + paths: + - path: {{ $.Values.ingress.feedsPath }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + pathType: Prefix + backend: + service: + name: {{ template "enterprise.feeds.fullname" $ }} + port: + number: {{ $.Values.feeds.service.port }} + {{- else }} + backend: + serviceName: {{ template "enterprise.feeds.fullname" $ }} + servicePort: {{ $.Values.feeds.service.port }} + {{- end }} + {{- end }} + {{- range .Values.ingress.reportsHosts }} + - host: {{ . | quote }} + http: + paths: + - path: {{ $.Values.ingress.reportsPath }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + pathType: Prefix + backend: + service: + name: {{ template "enterprise.api.fullname" $ }} + port: + number: {{ $.Values.reports.service.port }} + {{- else }} + backend: + serviceName: {{ template "enterprise.api.fullname" $ }} + servicePort: {{ $.Values.reports.service.port }} + {{- end }} + {{- end }} + {{- else }} + - http: + paths: + {{- with .Values.ingress.apiPath }} + - path: {{ . }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + pathType: Prefix + backend: + service: + name: {{ template "enterprise.api.fullname" $ }} + port: + number: {{ $.Values.api.service.port }} + {{- else }} + backend: + serviceName: {{ template "enterprise.api.fullname" $ }} + servicePort: {{ $.Values.api.service.port }} + {{- end }} + {{- end }} + {{- with .Values.ingress.uiPath }} + - path: {{ . 
}} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + pathType: Prefix + backend: + service: + name: {{ template "enterprise.ui.fullname" $ }} + port: + number: {{ $.Values.ui.service.port }} + {{- else }} + backend: + serviceName: {{ template "enterprise.ui.fullname" $ }} + servicePort: {{ $.Values.ui.service.port }} + {{- end }} + {{- end }} + {{- with .Values.ingress.feedsPath }} + - path: {{ . }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + pathType: Prefix + backend: + service: + name: {{ template "enterprise.feeds.fullname" $ }} + port: + number: {{ $.Values.feeds.service.port }} + {{- else }} + backend: + serviceName: {{ template "enterprise.feeds.fullname" $ }} + servicePort: {{ $.Values.feeds.feeds.service.port }} + {{- end }} + {{- end }} + {{- with .Values.ingress.reportsPath }} + - path: {{ . }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + pathType: Prefix + backend: + service: + name: {{ template "enterprise.api.fullname" $ }} + port: + number: {{ $.Values.reports.service.port }} + {{- else }} + backend: + serviceName: {{ template "enterprise.api.fullname" $ }} + servicePort: {{ $.Values.reports.service.port }} + {{- end }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/stable/enterprise/templates/notifications_deployment.yaml b/stable/enterprise/templates/notifications_deployment.yaml new file mode 100644 index 00000000..88ccb3b1 --- /dev/null +++ b/stable/enterprise/templates/notifications_deployment.yaml 
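Review bot: In the host-less `feedsPath` branch the pre-`networking.k8s.io/v1` fallback reads `servicePort: {{ $.Values.feeds.feeds.service.port }}`; `.Values.feeds.feeds` does not exist, so on a cluster that only serves `v1beta1`/`extensions` Ingress the template fails to render with a nil-pointer error instead of emitting the feeds rule (the `feedsHosts` branch above it correctly uses `$.Values.feeds.service.port`). Change it to `servicePort: {{ $.Values.feeds.service.port }}`. As a side note, both `reportsHosts` and `reportsPath` are routed to `enterprise.api.fullname` on `reports.service.port` rather than to a reports service; if that co-location is intended, a one-line comment on those rules would stop the next reader from "fixing" it.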
@@ -0,0 +1,71 @@ +{{- $component := "notifications" -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "enterprise.notifications.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: + selector: + matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} + replicas: {{ .Values.notifications.replicaCount }} + strategy: + type: Recreate + template: + metadata: + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component "nil" true) .) | nindent 8 }} + {{- if and (not .Values.injectSecretsViaEnv) (not .Values.useExistingSecrets) }} + checksum/secrets: {{ include (print $.Template.BasePath "/anchore_secret.yaml") . | sha256sum }} + {{- end }} + checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} + spec: + {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} + volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + containers: + {{- if .Values.cloudsql.enabled }} + {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} + {{- end }} + {{- include "enterprise.common.rbacAuthContainer" . | nindent 8 }} + - name: "{{ .Chart.Name }}-{{ $component | lower }}" + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 12 }} + {{- end }} + command: ["/bin/sh", "-c"] + args: + - {{ print (include "enterprise.common.dockerEntrypoint" .) 
}} notifications + ports: + - containerPort: {{ .Values.notifications.service.port }} + name: {{ $component | lower }} + envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} + env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} + volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} + readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} + {{- with .Values.notifications.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "enterprise.notifications.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: + type: {{ .Values.notifications.service.type }} + ports: + - name: {{ $component | lower }} + port: {{ .Values.notifications.service.port }} + targetPort: {{ .Values.notifications.service.port }} + protocol: TCP + selector: + app.kubernetes.io/name: {{ template "enterprise.fullname" . }} + app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/policybundle_configmap.yaml b/stable/enterprise/templates/policybundle_configmap.yaml new file mode 100644 index 00000000..a03a3417 --- /dev/null +++ b/stable/enterprise/templates/policybundle_configmap.yaml 
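Review bot: The `enterprise.common.rbacAuthContainer` sidecar is included before the notifications container here, whereas the rbac-manager deployment in this same commit appends it after its main container; since `kubectl logs`/`exec` and most dashboards default to the first container, notifications pods will surface the sidecar by default. Move the include below the `{{ .Chart.Name }}-notifications` container (or settle on one order chart-wide), and leave a comment such as `# rbac-auth sidecar, presumably the localhost authz endpoint the services are configured with` so the reason for the extra container is visible in the template rather than only in the env-vars ConfigMap.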
@@ -0,0 +1,14 @@
+{{- if .Values.anchoreConfig.policyBundles -}}
+{{- $component := "policyEngine" -}}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: {{ template "enterprise.fullname" . }}-policy-bundles
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }}
+ annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }}
+data:
+{{- with .Values.anchoreConfig.policyBundles }}
+ {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end -}}
diff --git a/stable/enterprise/templates/policyengine_deployment.yaml b/stable/enterprise/templates/policyengine_deployment.yaml
new file mode 100644
index 00000000..a1ab0024
--- /dev/null
+++ b/stable/enterprise/templates/policyengine_deployment.yaml
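Review bot: `data:` is filled by piping `.Values.anchoreConfig.policyBundles` through `toYaml`, which only yields a valid ConfigMap when every value is already a string; a bundle supplied as structured YAML/JSON would render as a nested mapping and be rejected by the API server, and nothing in the template says so. A comment above `data:` along the lines of `# each key is a file name under the bundles mount; each value must be the bundle JSON as a string (use a block scalar in values.yaml)` would make that contract explicit. Note also that the ConfigMap is labeled with component `policyEngine` while, in this commit, it is the catalog deployment that mounts it at `{{ .Values.anchoreConfig.service_dir }}/bundles/`; naming the consumer in the same comment would save the next reader a search.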
@@ -0,0 +1,82 @@ +{{- $component := "policyEngine" -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "enterprise.policyEngine.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: + selector: + matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} + replicas: {{ .Values.policyEngine.replicaCount }} + strategy: + type: Recreate + template: + metadata: + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component "nil" true) .) | nindent 8 }} + {{- if and (not .Values.injectSecretsViaEnv) (not .Values.useExistingSecrets) }} + checksum/secrets: {{ include (print $.Template.BasePath "/anchore_secret.yaml") . | sha256sum }} + {{- end }} + checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} + spec: + {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} + volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + - name: anchore-scratch + {{- if .Values.scratchVolume.details }} + {{- toYaml .Values.scratchVolume.details | nindent 10 }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if and .Values.scratchVolume.fixGroupPermissions .Values.securityContext.fsGroup }} + initContainers: + {{- include "enterprise.common.fixPermissionsInitContainer" . | nindent 8 }} + {{- end }} + containers: + {{- if .Values.cloudsql.enabled }} + {{- include "enterprise.common.cloudsqlContainer" . 
| nindent 8 }} + {{- end }} + - name: "{{ .Chart.Name }}-{{ $component | lower }}" + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 12 }} + {{- end }} + command: ["/bin/sh", "-c"] + args: + - {{ print (include "enterprise.common.dockerEntrypoint" .) }} policy_engine + envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} + env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} + ports: + - name: {{ $component | lower }} + containerPort: {{ .Values.policyEngine.service.port }} + volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + - name: "anchore-scratch" + mountPath: {{ .Values.scratchVolume.mountPath }} + livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} + readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} + {{- with .Values.policyEngine.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "enterprise.policyEngine.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: + type: {{ .Values.policyEngine.service.type }} + ports: + - name: {{ $component | lower }} + port: {{ .Values.policyEngine.service.port }} + targetPort: {{ .Values.policyEngine.service.port }} + protocol: TCP + selector: + app.kubernetes.io/name: {{ template "enterprise.fullname" . }} + app.kubernetes.io/component: {{ $component | lower }} 
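Review bot: `securityContext:` is followed on its own line by `{{ toYaml . | nindent 12 }}` without the left trim, so the rendered manifest carries a whitespace-only line between the key and its mapping; it is valid YAML but it diffs noisily and some linters flag the trailing spaces. The upgrade-job templates in this same commit use the compact `securityContext: {{- toYaml . | nindent 12 }}`, and the same long form is repeated in the catalog, notifications, rbac-manager and reports deployments, so it is worth normalizing all of them in one pass.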
diff --git a/stable/enterprise/templates/rbacmanager_deployment.yaml b/stable/enterprise/templates/rbacmanager_deployment.yaml
new file mode 100644
index 00000000..7e2349aa
--- /dev/null
+++ b/stable/enterprise/templates/rbacmanager_deployment.yaml
@@ -0,0 +1,71 @@ +{{- $component := "rbacManager" -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "enterprise.rbacManager.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: + selector: + matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} + replicas: {{ .Values.rbacManager.replicaCount }} + strategy: + type: Recreate + template: + metadata: + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component "nil" true) .) | nindent 8 }} + {{- if and (not .Values.injectSecretsViaEnv) (not .Values.useExistingSecrets) }} + checksum/secrets: {{ include (print $.Template.BasePath "/anchore_secret.yaml") . | sha256sum }} + {{- end }} + checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} + spec: + {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} + volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + containers: + {{- if .Values.cloudsql.enabled }} + {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} + {{- end }} + - name: "{{ .Chart.Name }}-{{ $component | lower }}" + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 12 }} + {{- end }} + command: ["/bin/sh", "-c"] + args: + - {{ print (include "enterprise.common.dockerEntrypoint" .) 
}} rbac_manager + ports: + - containerPort: {{ .Values.rbacManager.service.port }} + name: {{ $component | lower }} + envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} + env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} + volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} + readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} + {{- with .Values.rbacManager.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + {{- include "enterprise.common.rbacAuthContainer" . | nindent 8 }} + +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "enterprise.rbacManager.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: + type: {{ .Values.rbacManager.service.type }} + ports: + - name: {{ $component | lower }} + port: {{ .Values.rbacManager.service.port }} + targetPort: {{ .Values.rbacManager.service.port }} + protocol: TCP + selector: + app.kubernetes.io/name: {{ template "enterprise.fullname" . }} + app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/reports_deployment.yaml b/stable/enterprise/templates/reports_deployment.yaml new file mode 100644 index 00000000..1a833537 --- /dev/null +++ b/stable/enterprise/templates/reports_deployment.yaml 
@@ -0,0 +1,70 @@ +{{- $component := "reports" -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "enterprise.reports.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: + selector: + matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} + replicas: {{ .Values.reports.replicaCount }} + strategy: + type: Recreate + template: + metadata: + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component "nil" true) .) | nindent 8 }} + {{- if and (not .Values.injectSecretsViaEnv) (not .Values.useExistingSecrets) }} + checksum/secrets: {{ include (print $.Template.BasePath "/anchore_secret.yaml") . | sha256sum }} + {{- end }} + checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} + spec: + {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} + volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + containers: + {{- if .Values.cloudsql.enabled }} + {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} + {{- end }} + - name: "{{ .Chart.Name }}-{{ $component | lower }}" + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 12 }} + {{- end }} + command: ["/bin/sh", "-c"] + args: + - {{ print (include "enterprise.common.dockerEntrypoint" .) }} reports_worker + ports: + - containerPort: {{ .Values.reports.service.port }} + name: {{ $component | lower }} + envFrom: {{- include "enterprise.common.envFrom" . 
| nindent 12 }} + env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} + volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} + readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} + {{- with .Values.reports.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "enterprise.reports.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: + type: {{ .Values.reports.service.type }} + ports: + - name: {{ $component | lower }} + port: {{ .Values.reports.service.port }} + targetPort: {{ .Values.reports.service.port }} + protocol: TCP + selector: + app.kubernetes.io/name: {{ template "enterprise.fullname" . }} + app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/simplequeue_deployment.yaml b/stable/enterprise/templates/simplequeue_deployment.yaml new file mode 100644 index 00000000..5ba1dbc4 --- /dev/null +++ b/stable/enterprise/templates/simplequeue_deployment.yaml 
@@ -0,0 +1,69 @@ +{{- $component := "simpleQueue" -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "enterprise.simpleQueue.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: + selector: + matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} + replicas: {{ .Values.simpleQueue.replicaCount }} + strategy: + type: Recreate + template: + metadata: + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component "nil" true) .) | nindent 8 }} + {{- if and (not .Values.injectSecretsViaEnv) (not .Values.useExistingSecrets) }} + checksum/secrets: {{ include (print $.Template.BasePath "/anchore_secret.yaml") . | sha256sum }} + {{- end }} + checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} + spec: + {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} + volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + containers: + {{- if .Values.cloudsql.enabled }} + {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} + {{- end }} + - name: {{ .Chart.Name }}-{{ $component | lower }} + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 12 }} + {{- end }} + command: ["/bin/sh", "-c"] + args: + - {{ print (include "enterprise.common.dockerEntrypoint" .) }} simplequeue + envFrom: {{- include "enterprise.common.envFrom" . 
| nindent 12 }} + env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} + ports: + - name: {{ $component | lower }} + containerPort: {{ .Values.simpleQueue.service.port }} + volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} + readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} + {{- with .Values.simpleQueue.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "enterprise.simpleQueue.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: + type: {{ .Values.simpleQueue.service.type }} + ports: + - name: {{ $component | lower }} + port: {{ .Values.simpleQueue.service.port }} + targetPort: {{ .Values.simpleQueue.service.port }} + protocol: TCP + selector: + app.kubernetes.io/name: {{ template "enterprise.fullname" . }} + app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/ui_configmap.yaml b/stable/enterprise/templates/ui_configmap.yaml new file mode 100644 index 00000000..5f5eed0f --- /dev/null +++ b/stable/enterprise/templates/ui_configmap.yaml 
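Review bot: The container `name: {{ .Chart.Name }}-{{ $component | lower }}` is unquoted here while the rbacmanager, reports and ui deployment hunks quote it; writing `- name: "{{ .Chart.Name }}-{{ $component | lower }}"` keeps all four templates identical in form. The `ports:` entry here also lists `name` before `containerPort`, the reverse of the sibling hunks; one ordering across the set keeps the snapshot tests diffable. Minor: this is the only file of the set without a blank line after the `$component` assignment.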
@@ -0,0 +1,47 @@ +{{- $component := "ui" -}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "enterprise.ui.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +data: + config-ui.yaml: | + # Anchore UI configuration + {{- with .Values.anchoreConfig.ui.custom_links }} + custom_links: + title: {{ .title }} + links: + {{- range .links }} + {{- with . }} + - title: {{ .title }} + uri: {{ .uri }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.anchoreConfig.ui.enable_add_repositories }} + enable_add_repositories: + admin: {{ .admin }} + standard: {{ .standard }} + {{- end }} + engine_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/v1' + reports_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.reports.service.port -}}/v1' + notifications_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.notifications.fullname" . -}}:{{- .Values.notifications.service.port -}}/v1' + rbac_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.rbacManager.fullname" . 
-}}:{{- .Values.rbacManager.service.port -}}/v1' + # redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable + # appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable + license_path: '/home/anchore/' + enable_ssl: {{ .Values.anchoreConfig.ui.enable_ssl }} + enable_proxy: {{ .Values.anchoreConfig.ui.enable_proxy }} + allow_shared_login: {{ .Values.anchoreConfig.ui.enable_shared_login }} + redis_flushdb: {{ .Values.anchoreConfig.ui.redis_flushdb }} + force_websocket: {{ .Values.anchoreConfig.ui.force_websocket }} + authentication_lock: + count: {{ .Values.anchoreConfig.ui.authentication_lock.count }} + expires: {{ .Values.anchoreConfig.ui.authentication_lock.expires }} + appdb_config: {{ toYaml .Values.anchoreConfig.ui.appdb_config | nindent 6}} + log_level: {{ .Values.anchoreConfig.ui.log_level | squote }} + enrich_inventory_view: {{ .Values.anchoreConfig.ui.enrich_inventory_view }} + enable_prometheus_metrics: {{ .Values.anchoreConfig.metrics.enabled }} \ No newline at end of file diff --git a/stable/enterprise/templates/ui_deployment.yaml b/stable/enterprise/templates/ui_deployment.yaml new file mode 100644 index 00000000..bc8cec5c --- /dev/null +++ b/stable/enterprise/templates/ui_deployment.yaml 
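Review bot: The `custom_links` entries render `title: {{ .title }}` and `uri: {{ .uri }}` unquoted inside the `config-ui.yaml` block scalar, so an operator-supplied title containing `: ` or ` #`, or a uri beginning with `*` or `{`, produces an unparseable UI config; `title: {{ .title | quote }}` and `uri: {{ .uri | quote }}` avoid that, as the `log_level | squote` line further down already does. Separately, `reports_uri` combines the host from `enterprise.api.fullname` with `.Values.reports.service.port`, unlike `notifications_uri` and `rbac_uri`, which take host and port from the same component; if the reports API is deliberately served from the api pod rather than the reports worker, a comment such as `# reports API is served by the api deployment; the reports deployment only runs reports_worker` would prevent a well-meant "fix" later.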
@@ -0,0 +1,137 @@ +{{- $component := "ui" -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "enterprise.ui.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: + selector: + matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} + replicas: 1 + strategy: + type: Recreate + template: + metadata: + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component "nil" true) .) | nindent 8 }} + {{- if and (not .Values.injectSecretsViaEnv) (not .Values.useExistingSecrets) }} + checksum/secrets: {{ include (print $.Template.BasePath "/ui_secret.yaml") . | sha256sum }} + {{- end }} + checksum/ui-config: {{ include (print $.Template.BasePath "/ui_configmap.yaml") . | sha256sum }} + spec: + {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} + volumes: + - name: anchore-license + secret: + secretName: {{ .Values.licenseSecretName }} + - name: anchore-ui-config + configMap: + name: {{ template "enterprise.ui.fullname" . }} + {{- with .Values.certStoreSecretName }} + - name: certs + secret: + secretName: {{ . }} + {{- end }} + {{- if .Values.cloudsql.useExistingServiceAcc }} + - name: {{ .Values.cloudsql.serviceAccSecretName }} + secret: + secretName: {{ .Values.cloudsql.serviceAccSecretName }} + {{- end }} + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + {{- if .Values.cloudsql.enabled }} + {{- include "enterprise.common.cloudsqlContainer" . 
| nindent 8 }} + {{- end }} + - name: "{{ .Chart.Name }}-{{ $component | lower }}" + image: {{ .Values.ui.image }} + imagePullPolicy: {{ .Values.ui.imagePullPolicy }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 12 }} + {{- end }} + command: ["/bin/sh", "-c"] + args: + - {{ print (include "enterprise.doSourceFile" .) }} /docker-entrypoint.sh node /home/node/aui/build/server.js + env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} + {{- if .Values.anchoreConfig.database.ssl }} + - name: PGSSLROOTCERT + value: /home/anchore/certs/{{ .Values.anchoreConfig.database.sslRootCertFileName }} + {{- end }} + {{- with .Values.ui.ldapsRootCaCertName }} + - name: NODE_EXTRA_CA_CERTS + value: /home/anchore/certs/{{- . }} + {{- end }} + envFrom: + {{- if not .Values.injectSecretsViaEnv }} + {{- if .Values.useExistingSecrets }} + - secretRef: + name: {{ .Values.ui.existingSecretName }} + {{- else }} + - secretRef: + name: {{ template "enterprise.ui.fullname" . }} + {{- end }} + {{- end }} + ports: + - containerPort: 3000 + protocol: TCP + name: {{ $component | lower }} + volumeMounts: + - name: anchore-license + mountPath: /home/anchore/license.yaml + subPath: license.yaml + - name: anchore-ui-config + mountPath: /config/config-ui.yaml + subPath: config-ui.yaml + {{- if (.Values.certStoreSecretName) }} + - name: certs + mountPath: /home/anchore/certs/ + readOnly: true + {{- end }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . 
| nindent 12 }} + {{- end }} + livenessProbe: + tcpSocket: + port: {{ $component | lower }} + initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} + timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }} + periodSeconds: {{ .Values.probes.liveness.periodSeconds }} + failureThreshold: {{ .Values.probes.liveness.failureThreshold }} + successThreshold: {{ .Values.probes.liveness.successThreshold }} + readinessProbe: + httpGet: + path: /service/health + port: {{ $component | lower }} + scheme: HTTP + timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }} + periodSeconds: {{ .Values.probes.readiness.periodSeconds }} + failureThreshold: {{ .Values.probes.readiness.failureThreshold }} + successThreshold: {{ .Values.probes.readiness.successThreshold }} + {{- with .Values.ui.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "enterprise.ui.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: + sessionAffinity: {{ .Values.ui.service.sessionAffinity }} + type: {{ .Values.ui.service.type }} + ports: + - name: {{ $component | lower }} + port: {{ .Values.ui.service.port }} + protocol: TCP + targetPort: 3000 + selector: + app.kubernetes.io/name: {{ template "enterprise.fullname" . }} + app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/ui_secret.yaml b/stable/enterprise/templates/ui_secret.yaml new file mode 100644 index 00000000..606b8f51 --- /dev/null +++ b/stable/enterprise/templates/ui_secret.yaml 
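Review bot: The readiness probe hard-codes `scheme: HTTP` although `anchoreConfig.ui.enable_ssl` is rendered into config-ui.yaml in the ui_configmap.yaml hunk; if that flag makes the UI listen with TLS, the probe will fail and the pod never becomes ready. `scheme: {{ ternary "HTTPS" "HTTP" .Values.anchoreConfig.ui.enable_ssl }}` keeps the probe in step with the config — please confirm what `enable_ssl` does on the UI side. Two smaller points: `{{- if (.Values.certStoreSecretName) }}` on the volumeMounts side should match the `{{- with .Values.certStoreSecretName }}` used for the volume, and the license and config mounts could carry `readOnly: true` like the certs mount unless the UI writes to them. `replicas: 1` is also hard-coded here while every sibling deployment reads `.Values.<component>.replicaCount`; if a single replica is required (the Service sets `sessionAffinity`), a comment saying so belongs next to it.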
@@ -0,0 +1,25 @@
+{{- if (not .Values.useExistingSecrets) -}}
+{{- $component := "ui" -}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "enterprise.ui.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }}
+ annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }}
+type: Opaque
+stringData:
+
+{{- if .Values.anchoreConfig.database.ssl }}
+ ANCHORE_APPDB_URI: 'postgresql://{{- template "enterprise.ui.dbUser" . -}}:{{- template "enterprise.ui.dbPassword" . -}}@{{ template "enterprise.dbHostname" . }}/{{ index .Values "postgresql" "auth" "database" }}?ssl={{- .Values.anchoreConfig.database.sslMode -}}'
+{{- else }}
+ ANCHORE_APPDB_URI: 'postgresql://{{- template "enterprise.ui.dbUser" . -}}:{{- template "enterprise.ui.dbPassword" . -}}@{{ template "enterprise.dbHostname" . }}/{{ index .Values "postgresql" "auth" "database" }}'
+{{- end }}
+
+{{- if and (index .Values "ui-redis" "externalEndpoint") (not (index .Values "ui-redis" "chartEnabled")) }}
+ ANCHORE_REDIS_URI: '{{ index .Values "ui-redis" "externalEndpoint" }}'
+{{- else }}
+ ANCHORE_REDIS_URI: 'redis://nouser:{{ index .Values "ui-redis" "auth" "password" }}@{{ template "redis.fullname" . }}-master:6379'
+{{- end }}
+{{- end }}
diff --git a/stable/enterprise/test/env_vars.yaml b/stable/enterprise/test/env_vars.yaml
new file mode 100644
index 00000000..48a0bd06
--- /dev/null
+++ b/stable/enterprise/test/env_vars.yaml
@@ -0,0 +1,20 @@
+labels:
+ foo: bar
+
+annotations:
+ foo: bar
+
+extraEnv:
+- name: foo
+ value: bar
+
+analyzer:
+ labels:
+ test: analyzer
+
+ annotations:
+ test: analyzer
+
+ extraEnv:
+ - name: test
+ value: analyzer
diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
new file mode 100644
index 00000000..d22e1130
--- /dev/null
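Review bot: The credentials interpolated into `ANCHORE_APPDB_URI` and `ANCHORE_REDIS_URI` are not URL-encoded, so a database or redis password containing `@`, `/`, `:` or `#` yields a URI that resolves to the wrong host or truncates the password; piping the value through `urlquery` fixes that, e.g. `{{ index .Values "ui-redis" "auth" "password" | urlquery }}`, and switching the `template "enterprise.ui.dbPassword"` call to `include` so its output can be piped the same way. The `else` branch of the redis block silently builds an in-cluster URI when `chartEnabled` is false and `externalEndpoint` is empty, which is a misconfiguration rather than a usable default; a `{{ fail "ui-redis.externalEndpoint is required when ui-redis.chartEnabled is false" }}` for that combination would surface it at install time. The `-master:6379` suffix presumably relies on the `architecture: standalone` setting made earlier in this series; a comment saying so next to that line would help whoever next changes the redis dependency.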
+++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap 
@@ -0,0 +1,491 @@ +should render the configmaps: + 1: | + apiVersion: v1 + data: + analyzer_config.yaml: | + # Anchore analyzer configuration + retrieve_files: + file_list: + - /etc/passwd + secret_search: + malware: + clamav: + db_update_enabled: true + enabled: false + match_params: + - MAXFILESIZE=10000 + - STOREONMATCH=n + regexp_match: + - AWS_ACCESS_KEY=(?i).*aws_access_key_id( *=+ *).*(?` +## +licenseSecretName: anchore-enterprise-license + +## @param certStoreSecretName Name of secret containing the certificates & keys used for SSL, SAML & CAs +## The chart will mount the secret specified in certStoreSecretName to /home/anchore/certs +## Secret must be manually created in the same namespace as release +## ref: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod +## +certStoreSecretName: "" + +## @param extraEnv Common environment variables set on all containers +## ref: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/ +## +extraEnv: [] + +## @param useExistingSecrets forgoes secret creation and uses the secret defined in existingSecretName +## When useExistingSecrets is set to `true` the chart will not create secrets specifying the environment variables used in deployments. +## Instead, the chart will use secrets that have already been applied to the namespace that this chart is being deployed to. 
+## +useExistingSecrets: false + +## @param existingSecretName Name of an existing secret to be used for Anchore core services, excluding Anchore UI +## This secret must be created manually & should define the following environment variables: +## ANCHORE_ADMIN_PASSWORD +## ANCHORE_DB_PASSWORD +## ANCHORE_DB_USER +## ANCHORE_DB_NAME +## ANCHORE_DB_HOST +## ANCHORE_DB_PORT +## ANCHORE_SAML_SECRET (if applicable) +## ANCHORE_GITHUB_TOKEN (if applicable) +## +existingSecretName: anchore-enterprise-env + +## @param labels Common labels set on all Kubernetes resources +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +labels: {} + +## @param annotations Common annotations set on all Kubernetes resources +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +annotations: {} + +## @param scratchVolume.mountPath The mount path of an external volume for scratch space for image analysis +## @param scratchVolume.fixGroupPermissions Enable an initContainer that will fix the fsGroup permissions +## @param scratchVolume.details [object] Details for the k8s volume to be created +## Generally speaking you need to provision 3x the size of the largest image (uncompressed) that you want to analyze +## ref: https://kubernetes.io/docs/concepts/storage/volumes/ +## +scratchVolume: + mountPath: /analysis_scratch + fixGroupPermissions: false + details: {} + +## @param extraVolumes mounts additional volumes to each pod +## ref: https://kubernetes.io/docs/concepts/storage/volumes/ +## +extraVolumes: [] +# - name: config +# secret: +# secretName: config + +## @param extraVolumeMounts mounts additional volumes to each pod +## ref: https://kubernetes.io/docs/concepts/storage/volumes/ +## +extraVolumeMounts: [] +# - name: config +# mountPath: "/vault/secrets/config" +# subPath: config +# readOnly: true + +## @param securityContext.runAsUser The securityContext runAsUser for all Anchore pods +## @param 
securityContext.runAsGroup The securityContext runAsGroup for all Anchore pods +## @param securityContext.fsGroup The securityContext fsGroup for all Anchore pods +## By default the Anchore Enterprise images utilize the user/group 'anchore' using uid/gid 1000 +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## +securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + +## @param containerSecurityContext The securityContext for all containers +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## +containerSecurityContext: {} + +## @param probes.liveness.initialDelaySeconds Initial delay seconds for liveness probe +## @param probes.liveness.timeoutSeconds Timeout seconds for liveness probe +## @param probes.liveness.periodSeconds Period seconds for liveness probe +## @param probes.liveness.failureThreshold Failure threshold for liveness probe +## @param probes.liveness.successThreshold Success threshold for liveness probe +## @param probes.readiness.timeoutSeconds Timeout seconds for the readiness probe +## @param probes.readiness.periodSeconds Period seconds for the readiness probe +## @param probes.readiness.failureThreshold Failure threshold for the readiness probe +## @param probes.readiness.successThreshold Success threshold for the readiness probe +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes +## +probes: + liveness: + initialDelaySeconds: 120 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + readiness: + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + +## @param doSourceAtEntry.enabled Does a `source` of the file path defined before starting Anchore services +## @param doSourceAtEntry.filePaths List of file paths to `source` before starting Anchore services 
+## For example, if using hashicorp vault, set to /vault/secrets/config +## +doSourceAtEntry: + enabled: false + filePaths: [] + # - "/vault/secrets/config" + +## @param configOverride Allows for overriding the default Anchore configuration file +## This value can be used to pass in a custom configuration file for Anchore services using a block literal string +## This config file will be templated when it is added to the configmap, so Helm values and functions can be used +## +configOverride: "" + +##################################################################### +## @section Anchore Configuration Parameters +## Params used for all Anchore Enterprise service configuration files +##################################################################### + +anchoreConfig: + ## @param anchoreConfig.service_dir Path to directory where default Anchore config files are placed at startup + ## This path must be a writable location for the pod + ## + service_dir: /anchore_service + + ## @param anchoreConfig.log_level The log level for Anchore services + ## options available: FATAL, ERROR, WARN, INFO, DEBUG, SPEW + ## + log_level: INFO + + ## @param anchoreConfig.allow_awsecr_iam_auto Enable AWS IAM instance role for ECR auth + ## When set, if a registry credential username is set to 'iamauto' for an ecr registry, the engine will + ## use whatever aws creds are available in the standard boto search path (.aws, env, etc) + ## + allow_awsecr_iam_auto: true + + ## @param anchoreConfig.keys.secret The shared secret used for signing & encryption, auto-generated by Helm if not set. 
+ ## If using useExistingSecrets=true, this can be set with the env var ANCHORE_SAML_SECRET + ## @param anchoreConfig.keys.privateKeyFileName The file name of the private key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName + ## @param anchoreConfig.keys.publicKeyFileName The file name of the public key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName + ## Only one of anchoreConfig.keys.secret or anchoreConfig.keys.privateKeyFileName/anchoreConfig.keys.publicKeyFileName should be configured. + ## If all are set then the keys take precedence over the secret value. + ## + keys: + secret: "" + privateKeyFileName: "" + publicKeyFileName: "" + + ## @param anchoreConfig.user_authentication.oauth.enabled Enable OAuth for Anchore user authentication + ## @param anchoreConfig.user_authentication.oauth.default_token_expiration_seconds The expiration, in seconds, for OAuth tokens + ## @param anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds The expiration, in seconds, for OAuth refresh tokens + ## ref: https://docs.anchore.com/current/docs/installation/configuration/user_credential_storage/#bearer-tokensoauth2 + ## + ## @param anchoreConfig.user_authentication.hashed_passwords Enable storing passwords as secure hashes in the database + ## This can dramatically increase CPU usage if you don't also use OAuth and tokens for internal communications + ## WARNING: You should not change this after a system has been initialized as it may cause a mismatch in existing passwords + ## ref: https://docs.anchore.com/current/docs/installation/configuration/user_credential_storage/#configuring-hashed-passwords-and-oauth + ## + ## @param anchoreConfig.user_authentication.sso_require_existing_users set to true in order to disable the SSO JIT provisioning during authentication + ## This provides an additional layer of security and configuration for SSO users to gain access to 
Anchore. + ## + user_authentication: + oauth: + enabled: false + default_token_expiration_seconds: 3600 + refresh_token_expiration_seconds: 86400 + hashed_passwords: false + sso_require_existing_users: false + + ## @param anchoreConfig.metrics.enabled Enable Prometheus metrics for all Anchore services + ## @param anchoreConfig.metrics.auth_disabled Disable auth on Prometheus metrics for all Anchore services + ## + metrics: + enabled: false + auth_disabled: false + + ## @param anchoreConfig.webhooks Enable Anchore services to provide webhooks for external system updates + ## Used to configure an endpoint for general notification delivery. These events are image/tag updates etc + ## This is globally configured and updates for all users are sent to the same host but with a different path for each user + ## / are required as documented at end of URI - only hostname:port should be configured + ## ref: https://docs.anchore.com/current/docs/using/cli_usage/subscriptions/#webhook-configuration + ## + webhooks: {} + # webhook_user: 'user' + # webhook_pass: 'pass' + # ssl_verify: true + # general: {} + # url: "http://somehost:9090//" + # policy_eval: {} + # event_log: {} + + ## @param anchoreConfig.default_admin_password The password for the Anchore Enterprise admin user + ## This value is only used during creation of the admin user, cannot be used to change the password + ## + default_admin_password: "" + + ## @param anchoreConfig.default_admin_email The email address used for the Anchore Enterprise admin user + ## This value is only used during creation of the admin user, cannot be used to change the email address + ## + default_admin_email: "admin@myanchore" + + ## @param anchoreConfig.database.timeout + ## @param anchoreConfig.database.ssl Enable SSL/TLS for the database connection + ## @param anchoreConfig.database.sslMode The SSL mode to use for database connection + ## @param anchoreConfig.database.sslRootCertFileName File name of the database root CA certificate 
stored in the k8s secret specified with .Values.certStoreSecretName + ## @param anchoreConfig.database.db_pool_size The database max connection pool size + ## @param anchoreConfig.database.db_pool_max_overflow The maximum overflow size of the database connection pool + ## @param anchoreConfig.database.engineArgs Set custom database engine arguments for SQLAlchemy + ## ref: https://docs.sqlalchemy.org/en/14/core/engines.html#engine-creation-api + ## + database: + timeout: 120 + ssl: false + sslMode: verify-full + sslRootCertFileName: "" + db_pool_size: 30 + db_pool_max_overflow: 100 + engineArgs: {} + + ## @param anchoreConfig.internalServicesSSL.enabled Force all Enterprise services to use SSL for internal communication + ## @param anchoreConfig.internalServicesSSL.verifyCerts Enable cert verification against the local cert bundle, if this set to false self-signed certs are allowed + ## @param anchoreConfig.internalServicesSSL.certSecretKeyFileName File name of the private key used for internal SSL stored in the secret specified in .Values.certStoreSecretName + ## @param anchoreConfig.internalServicesSSL.certSecretCertFileName File name of the root CA certificate used for internal SSL stored in the secret specified in .Values.certStoreSecretName + ## ref: https://docs.anchore.com/current/docs/installation/configuration/tls_ssl_config/ + ## + internalServicesSSL: + enabled: false + verifyCerts: false + certSecretKeyFileName: "" + certSecretCertFileName: "" + + ## @param anchoreConfig.policyBundles Include custom Anchore policy bundles + ## This object represents the data of a configmap that is mounted to /bundles of all Anchore services + ## ref: https://docs.anchore.com/current/docs/overview/concepts/policy/bundles/ + ## + policyBundles: {} + # custom_policy_bundle1.json: | + # { + # "id": "custom1", + # "version": "1_0", + # "name": "My custom bundle", + # "comment": "My system's custom bundle", + # "whitelisted_images": [], + # "blacklisted_images": [], + # 
"mappings": [], + # "whitelists": [], + # "policies": [] + # } + # custom_policy_bundle2.json: | + # { + # .... + # } + + apiext: + ## TODO - get better documentation for the 'external' option + ## @param anchoreConfig.apiext.external.enabled Allow overrides for constructing Anchore API URLs + ## @param anchoreConfig.apiext.external.useTLS Enable TLS for external API access + ## @param anchoreConfig.apiext.external.hostname Hostname for the external Anchore API + ## @param anchoreConfig.apiext.external.port Port configured for external Anchore API + ## + external: + enabled: false + useTLS: true + hostname: "" + port: 8443 + + analyzer: + ## @param anchoreConfig.analyzer.cycle_timers.image_analyzer The interval between checks of the work queue for new analysis jobs + ## + cycle_timers: + image_analyzer: 1 + + ## @param anchoreConfig.analyzer.max_threads The concurrency of the Anchore Analyzer worker process + ## Can be configured to process more than one task at a time. This is IO bound so may not necessarily be faster depending on hardware. + ## Operators should test and balance this value vs. number of Anchore Analyzer replicas deployed. 
+ ## + max_threads: 1 + + ## @param anchoreConfig.analyzer.layer_cache_max_gigabytes Specify a cache size > 0GB to enable image layer caching + ## This chart sets up a scratch directory for all Anchore Analyzer pods using the values found at .Values.scratchVolume + ## When setting .Values.anchoreConfig.analyzer.layer_cache_max_gigabytes, ensure the scratch volume has sufficient storage space + ## ref: https://docs.anchore.com/current/docs/installation/storage/layer_caching/ + ## + layer_cache_max_gigabytes: 0 + + ## @param anchoreConfig.analyzer.enable_hints Enable a user-supplied 'hints' file to override and/or augment the software artifacts found during analysis + ## Once enabled, the Anchore Analyzer services will look for a file with a specific name, location and format located within the container image - /anchore_hints.json + ## ref: https://docs.anchore.com/current/docs/installation/configuration/content_hints/ + ## + enable_hints: false + + ## @param anchoreConfig.analyzer.configFile [object] Custom Anchore Analyzer configuration file contents in YAML + ## This configuration file is used to configure regex matching, file content searching and malware scanning + ## ref: https://docs.anchore.com/current/docs/overview/concepts/policy/policy_checks/#gate-files + ## ref: https://docs.anchore.com/current/docs/overview/concepts/images/analysis/malware_scanning/ + ## + configFile: + # Anchore Analyzer config file + ## WARNING - malforming this file can cause the Anchore Analyzer to fail on all image analysis + # + retrieve_files: + file_list: + - '/etc/passwd' + # - '/etc/services' + # - '/etc/sudoers' + secret_search: + match_params: + - MAXFILESIZE=10000 + - STOREONMATCH=n + regexp_match: + - "AWS_ACCESS_KEY=(?i).*aws_access_key_id( *=+ *).*(?:/v1/reports/graphql in a browser for the reports API + ## ref: https://docs.anchore.com/current/docs/using/api_usage/reports/ + ## + enable_graphiql: true + + reports_worker: + ## @param 
anchoreConfig.reports_worker.enable_data_ingress Enable periodically syncing data into the Anchore Reports Service + ## + enable_data_ingress: true + + ## @param anchoreConfig.reports_worker.enable_data_egress Periodically remove reporting data that has been removed in other parts of system + ## + enable_data_egress: false + + ## @param anchoreConfig.reports_worker.data_egress_window defines a number of days to keep reporting data following its deletion in the rest of system. + ## Default value of 0 will remove it on next task run + ## + data_egress_window: 0 + + ## @param anchoreConfig.reports_worker.data_refresh_max_workers The maximum number of concurrent threads to refresh existing results (etl vulnerabilities and evaluations) in reports service. + ## + data_refresh_max_workers: 10 + + ## @param anchoreConfig.reports_worker.data_load_max_workers The maximum number of concurrent threads to load new results (etl vulnerabilities and evaluations) to reports service. + ## + data_load_max_workers: 10 + + ## @param anchoreConfig.reports_worker.cycle_timers.reports_data_load Interval that images and tags are synced + ## @param anchoreConfig.reports_worker.cycle_timers.reports_data_refresh Interval that policy evaluations and vulnerabilities are synced + ## @param anchoreConfig.reports_worker.cycle_timers.reports_metrics Interval for how often reporting metrics are generated + ## @param anchoreConfig.reports_worker.cycle_timers.reports_data_egress Interval that stale reporting data removal is synced + ## + cycle_timers: + reports_data_load: 600 + reports_data_refresh: 7200 + reports_metrics: 3600 + reports_data_egress: 600 + + ui: + ## @param anchoreConfig.ui.enable_proxy Trust a reverse proxy when setting secure cookies (via the `X-Forwarded-Proto` header) + ## + enable_proxy: false + + ## @param anchoreConfig.ui.enable_ssl Enable SSL in the Anchore UI container + ## + enable_ssl: false + + ## @param anchoreConfig.ui.enable_shared_login Allow single user to start 
multiple Anchore UI sessions + ## When set to `false`, only one session per credential is permitted at a time, and logging in will invalidate any other + ## sessions that are using the same set of credentials. + ## + enable_shared_login: true + + ## @param anchoreConfig.ui.redis_flushdb Flush user session keys and empty data on Anchore UI startup + ## If the datastore is flushed, any users with active sessions will be required to re-authenticate + ## + redis_flushdb: true + + ## @param anchoreConfig.ui.force_websocket Force WebSocket protocol for socket message communications + ## + force_websocket: false + + ## @param anchoreConfig.ui.authentication_lock.count Number of failed authentication attempts allowed before a temporary lock is applied + ## @param anchoreConfig.ui.authentication_lock.expires Authentication lock duration + ## + authentication_lock: + count: 5 + expires: 300 + + ## @param anchoreConfig.ui.custom_links List of up to 10 external links provided + ## Each link entry must have a title of greater than 0-length and a valid URI. If either item is invalid, the entry will be excluded. + ## + custom_links: {} + # title: Custom External Links + # links: + # - title: Example Link 1 + # uri: https://example.com + + ## @param anchoreConfig.ui.enable_add_repositories Specify what users can add image repositories to the Anchore UI + ## + enable_add_repositories: {} + # admin: True + # standard: True + + ## @param anchoreConfig.ui.log_level Descriptive detail of the application log output + ## valid values are error, warn, info, http, debug + ## + log_level: http + + ## @param anchoreConfig.ui.enrich_inventory_view aggregate and include compliance and vulnerability data from the reports service. + ## + enrich_inventory_view: true + + ## @param anchoreConfig.ui.appdb_config.native toggle the postgreSQL drivers used to connect to the database between the native and the NodeJS drivers. 
+ ## @param anchoreConfig.ui.appdb_config.pool.max maximum number of simultaneous connections allowed in the connection pool + ## @param anchoreConfig.ui.appdb_config.pool.min minimum number of connections + ## @param anchoreConfig.ui.appdb_config.pool.acquire the timeout in milliseconds used when acquiring a new connection + ## @param anchoreConfig.ui.appdb_config.pool.idle the maximum time that a connection can be idle before being released + ## + appdb_config: + native: true + pool: + max: 10 + min: 0 + acquire: 30000 + idle: 10000 + + ## @param anchoreConfig.ui.dbUser allows overriding and separation of the ui database user. + ## The UI config defaults to postgresql.auth.username if not set + ## + dbUser: "" + + ## @param anchoreConfig.ui.dbPassword allows overriding and separation of the ui database user authentication + ## The UI config defaults to postgresql.auth.password if not set + ## + dbPassword: "" + + +################################################# +## @section Anchore API k8s Deployment Parameters +################################################# +api: + ## @param api.replicaCount Number of replicas for Anchore API deployment + ## + replicaCount: 1 + + ## @param api.service.type Service type for Anchore API + ## @param api.service.port Service port for Anchore API + ## @param api.service.reportsPort Service port for Anchore Reports API + ## @param api.service.annotations Annotations for Anchore API service + ## @param api.service.labels Labels for Anchore API service + ## + service: + type: ClusterIP + port: 8228 + reportsPort: 8558 + annotations: {} + labels: {} + + ## @param api.extraEnv Set extra environment variables for Anchore API pods + ## + extraEnv: [] + + ## @param api.resources Resource requests and limits for Anchore API pods + ## + resources: {} + + ## @param api.labels Labels for Anchore API pods + ## + labels: {} + + ## @param api.annotations Annotation for Anchore API pods + ## + annotations: {} + + ## @param api.nodeSelector Node 
labels for Anchore API pod assignment + ## + nodeSelector: {} + + ## @param api.tolerations Tolerations for Anchore API pod assignment + ## + tolerations: [] + + ## @param api.affinity Affinity for Anchore API pod assignment + ## + affinity: {} + + ## @param api.serviceAccountName Service account name for Anchore API pods + ## + serviceAccountName: "" + +###################################################### +## @section Anchore Analyzer k8s Deployment Parameters +###################################################### +analyzer: + ## @param analyzer.replicaCount Number of replicas for the Anchore Analyzer deployment + ## + replicaCount: 1 + + ## @param analyzer.service.port The port used for gatherings metrics when .Values.metricsEnabled=true + ## + service: + port: 8084 + + ## @param analyzer.extraEnv Set extra environment variables for Anchore Analyzer pods + ## + extraEnv: [] + + ## @param analyzer.resources Resource requests and limits for Anchore Analyzer pods + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + + ## @param analyzer.labels Labels for Anchore Analyzer pods + ## + labels: {} + + ## @param analyzer.annotations Annotation for Anchore Analyzer pods + ## + annotations: {} + + ## @param analyzer.nodeSelector Node labels for Anchore Analyzer pod assignment + ## + nodeSelector: {} + + ## @param analyzer.tolerations Tolerations for Anchore Analyzer pod assignment + ## + tolerations: [] + + ## @param analyzer.affinity Affinity for Anchore Analyzer pod assignment + ## + affinity: {} + + ## @param analyzer.serviceAccountName Service account name for Anchore API pods + ## + serviceAccountName: "" + +##################################################### +## @section Anchore Catalog k8s Deployment Parameters +##################################################### +catalog: + ## @param catalog.replicaCount Number of replicas for the Anchore Catalog deployment + ## + replicaCount: 1 + + ## @param catalog.service.type Service 
type for Anchore Catalog + ## @param catalog.service.port Service port for Anchore Catalog + ## @param catalog.service.annotations Annotations for Anchore Catalog service + ## @param catalog.service.labels Labels for Anchore Catalog service + ## + service: + type: ClusterIP + port: 8082 + annotations: {} + labels: {} + + ## @param catalog.extraEnv Set extra environment variables for Anchore Catalog pods + ## + extraEnv: [] + + ## @param catalog.resources Resource requests and limits for Anchore Catalog pods + ## + resources: {} + + ## @param catalog.labels Labels for Anchore Catalog pods + ## + labels: {} + + ## @param catalog.annotations Annotation for Anchore Catalog pods + ## + annotations: {} + + ## @param catalog.nodeSelector Node labels for Anchore Catalog pod assignment + ## + nodeSelector: {} + + ## @param catalog.tolerations Tolerations for Anchore Catalog pod assignment + ## + tolerations: [] + + ## @param catalog.affinity Affinity for Anchore Catalog pod assignment + ## + affinity: {} + + ## @param catalog.serviceAccountName Service account name for Anchore Catalog pods + ## + serviceAccountName: "" + +########################################## +## @section Anchore Feeds Chart Parameters +########################################## +feeds: + ## @param feeds.chartEnabled Enable the Anchore Feeds chart + ## + chartEnabled: true + + ## @param feeds.standalone Sets the Anchore Feeds chart to run into non-standalone mode, for use with Anchore Enterprise. + ## This should never be set to true when chartEnabled=true. + ## + standalone: false + + ## @param feeds.url Set the URL for a standalone Feeds service. Use when chartEnabled=false. 
+ ## + url: "" + +########################################################### +## @section Anchore Policy Engine k8s Deployment Parameters +########################################################### +policyEngine: + ## @param policyEngine.replicaCount Number of replicas for the Anchore Policy Engine deployment + ## + replicaCount: 1 + + ## @param policyEngine.service.type Service type for Anchore Policy Engine + ## @param policyEngine.service.port Service port for Anchore Policy Engine + ## @param policyEngine.service.annotations Annotations for Anchore Policy Engine service + ## @param policyEngine.service.labels Labels for Anchore Policy Engine service + ## + service: + type: ClusterIP + port: 8087 + annotations: {} + labels: {} + + ## @param policyEngine.extraEnv Set extra environment variables for Anchore Policy Engine pods + ## + extraEnv: [] + + ## @param policyEngine.resources Resource requests and limits for Anchore Policy Engine pods + ## + resources: {} + + ## @param policyEngine.labels Labels for Anchore Policy Engine pods + ## + labels: {} + + ## @param policyEngine.annotations Annotation for Anchore Policy Engine pods + ## + annotations: {} + + ## @param policyEngine.nodeSelector Node labels for Anchore Policy Engine pod assignment + ## + nodeSelector: {} + + ## @param policyEngine.tolerations Tolerations for Anchore Policy Engine pod assignment + ## + tolerations: [] + + ## @param policyEngine.affinity Affinity for Anchore Policy Engine pod assignment + ## + affinity: {} + + ## @param policyEngine.serviceAccountName Service account name for Anchore Policy Engine pods + ## + serviceAccountName: "" + +########################################### +## @section Anchore Simple Queue Parameters +########################################### +simpleQueue: + ## @param simpleQueue.replicaCount Number of replicas for the Anchore Simple Queue deployment + ## + replicaCount: 1 + + ## @param simpleQueue.service.type Service type for Anchore Simple Queue + ## @param 
simpleQueue.service.port Service port for Anchore Simple Queue + ## @param simpleQueue.service.annotations Annotations for Anchore Simple Queue service + ## @param simpleQueue.service.labels Labels for Anchore Simple Queue service + ## + service: + type: ClusterIP + port: 8083 + annotations: {} + labels: {} + + ## @param simpleQueue.extraEnv Set extra environment variables for Anchore Simple Queue pods + ## + extraEnv: [] + + ## @param simpleQueue.resources Resource requests and limits for Anchore Simple Queue pods + ## + resources: {} + + ## @param simpleQueue.labels Labels for Anchore Simple Queue pods + ## + labels: {} + + ## @param simpleQueue.annotations Annotation for Anchore Simple Queue pods + ## + annotations: {} + + ## @param simpleQueue.nodeSelector Node labels for Anchore Simple Queue pod assignment + ## + nodeSelector: {} + + ## @param simpleQueue.tolerations Tolerations for Anchore Simple Queue pod assignment + ## + tolerations: [] + + ## @param simpleQueue.affinity Affinity for Anchore Simple Queue pod assignment + ## + affinity: {} + + ## @param simpleQueue.serviceAccountName Service account name for Anchore Simple Queue pods + ## + serviceAccountName: "" + +############################################ +## @section Anchore Notifications Parameters +############################################ +notifications: + ## @param notifications.replicaCount Number of replicas for the Anchore Notifications deployment + ## + replicaCount: 1 + + ## @param notifications.service.type Service type for Anchore Notifications + ## @param notifications.service.port Service port for Anchore Notifications + ## @param notifications.service.annotations Annotations for Anchore Notifications service + ## @param notifications.service.labels Labels for Anchore Notifications service + ## + service: + type: ClusterIP + port: 8668 + annotations: {} + labels: {} + + ## @param notifications.extraEnv Set extra environment variables for Anchore Notifications pods + ## + extraEnv: [] + 
+ ## @param notifications.resources Resource requests and limits for Anchore Notifications pods + ## + resources: {} + + ## @param notifications.labels Labels for Anchore Notifications pods + ## + labels: {} + + ## @param notifications.annotations Annotation for Anchore Notifications pods + ## + annotations: {} + + ## @param notifications.nodeSelector Node labels for Anchore Notifications pod assignment + ## + nodeSelector: {} + + ## @param notifications.tolerations Tolerations for Anchore Notifications pod assignment + ## + tolerations: [] + + ## @param notifications.affinity Affinity for Anchore Notifications pod assignment + ## + affinity: {} + + ## @param notifications.serviceAccountName Service account name for Anchore Notifications pods + ## + serviceAccountName: "" + +######################################## +## @section Anchore Reports Parameters +######################################## +reports: + ## @param reports.replicaCount Number of replicas for the Anchore Reports deployment + ## + replicaCount: 1 + + ## @param reports.service.type Service type for Anchore Reports + ## @param reports.service.port Service port for Anchore Reports Worker + ## @param reports.service.annotations Annotations for Anchore Reports service + ## @param reports.service.labels Labels for Anchore Reports service + ## + service: + type: ClusterIP + port: 8558 + annotations: {} + labels: {} + + ## @param reports.extraEnv Set extra environment variables for Anchore Reports pods + ## + extraEnv: [] + + ## @param reports.resources Resource requests and limits for Anchore Reports pods + ## + resources: {} + + ## @param reports.labels Labels for Anchore Reports pods + ## + labels: {} + + ## @param reports.annotations Annotation for Anchore Reports pods + ## + annotations: {} + + ## @param reports.nodeSelector Node labels for Anchore Reports pod assignment + ## + nodeSelector: {} + + ## @param reports.tolerations Tolerations for Anchore Reports pod assignment + ## + tolerations: [] + + 
## @param reports.affinity Affinity for Anchore Reports pod assignment + ## + affinity: {} + + ## @param reports.serviceAccountName Service account name for Anchore Reports pods + ## + serviceAccountName: "" + +################################################## +## @section Anchore RBAC Authentication Parameters +################################################## +rbacAuth: + ## @param rbacAuth.extraEnv Set extra environment variables for Anchore RBAC Authentication containers + ## + extraEnv: [] + + ## @param rbacAuth.resources Resource requests and limits for Anchore RBAC Authentication containers + ## + resources: {} + +########################################### +## @section Anchore RBAC Manager Parameters +########################################### +rbacManager: + ## @param rbacManager.replicaCount Number of replicas for the Anchore RBAC Manager deployment + ## + replicaCount: 1 + + ## @param rbacManager.service.type Service type for Anchore RBAC Manager + ## @param rbacManager.service.port Service port for Anchore RBAC Manager + ## @param rbacManager.service.annotations Annotations for Anchore RBAC Manager service + ## @param rbacManager.service.labels Labels for Anchore RBAC Manager service + ## + service: + type: ClusterIP + port: 8229 + annotations: {} + labels: {} + + ## @param rbacManager.extraEnv Set extra environment variables for Anchore RBAC Manager pods + ## + extraEnv: [] + + ## @param rbacManager.resources Resource requests and limits for Anchore RBAC Manager pods + ## + resources: {} + + ## @param rbacManager.labels Labels for Anchore RBAC Manager pods + ## + labels: {} + + ## @param rbacManager.annotations Annotation for Anchore RBAC Manager pods + ## + annotations: {} + + ## @param rbacManager.nodeSelector Node labels for Anchore RBAC Manager pod assignment + ## + nodeSelector: {} + + ## @param rbacManager.tolerations Tolerations for Anchore RBAC Manager pod assignment + ## + tolerations: [] + + ## @param rbacManager.affinity Affinity for 
Anchore RBAC Manager pod assignment + ## + affinity: {} + + ## @param rbacManager.serviceAccountName Service account name for Anchore RBAC Manager pods + ## + serviceAccountName: "" + +################################# +## @section Anchore UI Parameters +################################# +ui: + ## @param ui.image Image used for the Anchore UI container + ## + image: docker.io/anchore/enterprise-ui:v4.9.0 + + ## @param ui.imagePullPolicy Image pull policy for Anchore UI image + ## + imagePullPolicy: IfNotPresent + + ## @param ui.existingSecretName Name of an existing secret to be used for Anchore UI DB and Redis endpoints + ## This secret should define the following ENV vars + ## ANCHORE_APPDB_URI + ## ANCHORE_REDIS_URI + ## + # Set the name of your existing secret for the Anchore Enterprise UI + existingSecretName: anchore-enterprise-ui-env + + ## @param ui.ldapsRootCaCertName Name of the custom CA certificate file store in `.Values.certStoreSecretName` + ## + ldapsRootCaCertName: "" + + ## @param ui.service.type Service type for Anchore UI + ## @param ui.service.port Service port for Anchore UI + ## @param ui.service.annotations Annotations for Anchore UI service + ## @param ui.service.labels Labels for Anchore UI service + ## @param ui.service.sessionAffinity Session Affinity for Ui service + ## + service: + type: ClusterIP + port: 80 + ## TODO - add service specific annotations & labels to ALL services + annotations: {} + labels: {} + sessionAffinity: ClientIP + + ## @param ui.extraEnv Set extra environment variables for Anchore UI pods + ## + extraEnv: [] + + ## @param ui.resources Resource requests and limits for Anchore UI pods + ## + resources: {} + + ## @param ui.labels Labels for Anchore UI pods + ## + labels: {} + + ## @param ui.annotations Annotation for Anchore UI pods + ## + annotations: {} + + ## @param ui.nodeSelector Node labels for Anchore UI pod assignment + ## + nodeSelector: {} + + ## @param ui.tolerations Tolerations for Anchore UI pod 
assignment + ## + tolerations: [] + + ## @param ui.affinity Affinity for Anchore ui pod assignment + ## + affinity: {} + + ## @param ui.serviceAccountName Service account name for Anchore UI pods + ## + serviceAccountName: "" + +############################################ +## @section Anchore Upgrade Job Parameters +## Upgrade job uses a Helm post-install-hook +############################################ +upgradeJob: + ## @param upgradeJob.enabled Enable the Anchore Enterprise database upgrade job + ## + enabled: true + + ## @param upgradeJob.force Force the Anchore Feeds database upgrade job to run as a regular job instead of as a Helm hook + ## + force: false + + ## @param upgradeJob.rbacCreate Create RBAC resources for the Anchore upgrade job + ## By default, the anchore upgrade job utilizes a service account that will be created to call kubectl to scale down the deployment before running the upgrade job. + ## The service account is granted deployment, deployment/scale, and pod permissions. See templates/hooks/pre-upgrade/db-upgrade-rbac.yaml for the full list of permissions + ## + rbacCreate: true + + ## @param upgradeJob.serviceAccountName Use an existing service account for the Anchore upgrade job + ## + serviceAccountName: "" + + ## @param upgradeJob.usePostUpgradeHook Use a Helm post-upgrade hook to run the upgrade job instead of the default pre-upgrade hook. This job does not require creating RBAC resources. + ## Uses the same mechanism for upgrades as the legacy anchore-engine chart. Not compatible with `helm upgrade --wait` or ArgoCD. 
+ ## + usePostUpgradeHook: false + + ## @param upgradeJob.nodeSelector Node labels for the Anchore upgrade job pod assignment + ## + nodeSelector: {} + + ## @param upgradeJob.tolerations Tolerations for the Anchore upgrade job pod assignment + ## + tolerations: [] + + ## @param upgradeJob.affinity Affinity for the Anchore upgrade job pod assignment + ## + affinity: {} + + ## @param upgradeJob.annotations Annotations for the Anchore upgrade job + ## + annotations: {} + + ## @param upgradeJob.resources Resource requests and limits for the Anchore upgrade job + ## + resources: {} + + ## @param upgradeJob.labels Labels for the Anchore upgrade job + ## + labels: {} + +############################## +## @section Ingress Parameters +############################## +ingress: + ## @param ingress.enabled Create an ingress resource for external Anchore service APIs + ## ref: https://kubernetes.io/docs/user-guide/ingress/ + ## + enabled: false + + ## @param ingress.labels Labels for the ingress resource + ## + labels: {} + + ## @param ingress.annotations [object] Annotations for the ingress resource + ## By default this chart is setup to use an NGINX ingress controller, which needs to be installed & configured on your cluster + ## ref: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/ingress/annotations/ + ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md + ## ref: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features + ## + annotations: + kubernetes.io/ingress.class: nginx + + ## @param ingress.apiHosts List of custom hostnames for the Anchore API + ## + apiHosts: [] + + ## @param ingress.apiPath The path used for accessing the Anchore API + ## + apiPath: /v1/ + + ## @param ingress.uiHosts List of custom hostnames for the Anchore UI + ## + uiHosts: [] + + ## @param ingress.uiPath The path used for accessing the Anchore UI + ## + uiPath: / + + ## @param ingress.feedsHosts 
List of custom hostnames for the Anchore Feeds API + ## + feedsHosts: [] + + ## @param ingress.feedsPath The path used for accessing the Anchore Feeds API + ## Exposing the feeds API is for special cases only, use /v1/feeds for ingress.feedsPath + ## + feedsPath: "" + + ## @param ingress.reportsHosts List of custom hostnames for the Anchore Reports API + ## + reportsHosts: [] + + ## @param ingress.reportsPath The path used for accessing the Anchore Reports API + ## Exposing the reports API enables the GraphQL interface, use /v1/reports/graphql for ingress.reportsPath + ## + reportsPath: "" + + ## @param ingress.tls Configure tls for the ingress resource + ## Secrets must be manually created in the release namespace + ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + ## @param ingress.ingressClassName sets the ingress class name. As of k8s v1.18, this should be nginx + ## ref: # Reference: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: nginx + +######################################### +## @section Google CloudSQL DB Parameters +######################################### +cloudsql: + ## @param cloudsql.enabled Use CloudSQL proxy container for GCP database access + ## + enabled: false + + ## @param cloudsql.image Image to use for GCE CloudSQL Proxy + ## + image: gcr.io/cloudsql-docker/gce-proxy:1.25.0 + + ## @param cloudsql.imagePullPolicy Image Pull Policy to use for CloudSQL image + ## + imagePullPolicy: IfNotPresent + + ## @param cloudsql.instance CloudSQL instance, eg: 'project:zone:instancename' + ## + instance: "" + + ## @param cloudsql.useExistingServiceAcc Use existing service account + ## If using an existing Service Account, you must create a secret which includes the JSON token from Google's IAM + ## ref: https://cloud.google.com/sql/docs/postgres/authentication + ## + 
useExistingServiceAcc: false + + ## @param cloudsql.serviceAccSecretName + ## + serviceAccSecretName: "" + + ## @param cloudsql.serviceAccJsonName + ## + serviceAccJsonName: "" + + ## @param cloudsql.extraArgs a list of extra arguments to be passed into the cloudsql container command. eg + ## extraArgs: + ## - "-ip_address_types=PRIVATE" + ## - "-enable_iam_login" + ## + extraArgs: [] + +####################################### +## @section Anchore UI Redis Parameters +####################################### + +ui-redis: + ## @param ui-redis.chartEnabled Use the dependent chart for the UI Redis deployment + ## + chartEnabled: true + + ## @param ui-redis.externalEndpoint External Redis endpoint when not using Helm managed chart (eg redis://nouser:@hostname:6379) + ## + externalEndpoint: "" + + ## @param ui-redis.auth.password Password used for connecting to Redis + ## + auth: + password: anchore-redis,123 + + ## @param ui-redis.architecture Redis deployment architecture + ## + architecture: standalone + + ## @param ui-redis.master.persistence.enabled enables persistence + master: + persistence: + enabled: false + +####################################### +## @section Anchore Database Parameters +####################################### +postgresql: + ## @param postgresql.chartEnabled Use the dependent chart for Postgresql deployment + ## + chartEnabled: true + + ## @param postgresql.externalEndpoint External Postgresql hostname when not using Helm managed chart (eg. 
mypostgres.myserver.io) + ## externalEndpoint, auth.username, auth.password, auth.database, & primary.service.ports.postgresql are required values for external Postgres + ## + externalEndpoint: "" + + ## @param postgresql.auth.username Username used to connect to postgresql + ## @param postgresql.auth.password Password used to connect to postgresql + ## @param postgresql.auth.database Database name used when connecting to postgresql + ## + auth: + username: anchore + password: anchore-postgres,123 + database: anchore + + primary: + ## @param postgresql.primary.service.ports.postgresql Port used to connect to Postgresql + ## + service: + ports: + postgresql: 5432 + + ## @param postgresql.primary.persistence.size Configure size of the persistent volume used with helm managed chart + ## + persistence: + size: 20Gi + + ## @param postgresql.primary.extraEnvVars An array to add extra environment variables + ## + extraEnvVars: [] + + ## @param postgresql.image.tag [obj] Specifies the image to use for this chart. + ## + image: + tag: 13.11.0-debian-11-r15 From 56f89175d81ec8125381e56db08e2426ab60a7d0 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 1 Sep 2023 16:00:09 -0700 Subject: [PATCH 167/329] fix readme generator errors Signed-off-by: Brady Todhunter --- stable/enterprise/README.md | 2 +- stable/enterprise/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 1ef55d2c..8979a829 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md 
@@ -958,7 +958,7 @@ ui-redis: | Name | Description | Value | | ---------------------------- | ----------------------------------------------------------------------------- | ---------------------------------------- | -| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v4.8.0` | +| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v4.9.0` | | `ui.imagePullPolicy` | Image pull policy for Anchore UI image | `IfNotPresent` | | `ui.existingSecretName` | Name of an existing secret to be used for Anchore UI DB and Redis endpoints | `anchore-enterprise-ui-env` | | `ui.ldapsRootCaCertName` | Name of the custom CA certificate file store in `.Values.certStoreSecretName` | `""` | diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 36bb37f1..b6842ce7 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -1331,7 +1331,7 @@ postgresql: ## extraEnvVars: [] - ## @param postgresql.image.tag [obj] Specifies the image to use for this chart. + ## @param postgresql.image.tag Specifies the image to use for this chart. ## image: tag: 13.11.0-debian-11-r15 From bb903a5dc0e037ae351465262f3b0b4ff146148d Mon Sep 17 00:00:00 2001 From: Anchore BitnamiReadmeGenerator Date: Fri, 1 Sep 2023 23:06:15 +0000 Subject: [PATCH 168/329] Update README.md with readme-generator-for-helm Signed-off-by: Anchore BitnamiReadmeGenerator --- stable/enterprise/README.md | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 8979a829..8df63574 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -692,7 +692,6 @@ ui-redis: | `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | | `configOverride` | Allows for overriding the default Anchore configuration file | `""` | - ### Anchore Configuration Parameters | Name | Description | Value | 
@@ -786,7 +785,6 @@ ui-redis: | `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. | `""` | | `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` | - ### Anchore API k8s Deployment Parameters | Name | Description | Value | @@ -806,7 +804,6 @@ ui-redis: | `api.affinity` | Affinity for Anchore API pod assignment | `{}` | | `api.serviceAccountName` | Service account name for Anchore API pods | `""` | - ### Anchore Analyzer k8s Deployment Parameters | Name | Description | Value | @@ -822,7 +819,6 @@ ui-redis: | `analyzer.affinity` | Affinity for Anchore Analyzer pod assignment | `{}` | | `analyzer.serviceAccountName` | Service account name for Anchore API pods | `""` | - ### Anchore Catalog k8s Deployment Parameters | Name | Description | Value | @@ -841,7 +837,6 @@ ui-redis: | `catalog.affinity` | Affinity for Anchore Catalog pod assignment | `{}` | | `catalog.serviceAccountName` | Service account name for Anchore Catalog pods | `""` | - ### Anchore Feeds Chart Parameters | Name | Description | Value | @@ -850,7 +845,6 @@ ui-redis: | `feeds.standalone` | Sets the Anchore Feeds chart to run into non-standalone mode, for use with Anchore Enterprise. | `false` | | `feeds.url` | Set the URL for a standalone Feeds service. Use when chartEnabled=false. | `""` | - ### Anchore Policy Engine k8s Deployment Parameters | Name | Description | Value | @@ -869,7 +863,6 @@ ui-redis: | `policyEngine.affinity` | Affinity for Anchore Policy Engine pod assignment | `{}` | | `policyEngine.serviceAccountName` | Service account name for Anchore Policy Engine pods | `""` | - ### Anchore Simple Queue Parameters | Name | Description | Value | 
@@ -888,7 +881,6 @@ ui-redis: | `simpleQueue.affinity` | Affinity for Anchore Simple Queue pod assignment | `{}` | | `simpleQueue.serviceAccountName` | Service account name for Anchore Simple Queue pods | `""` | - ### Anchore Notifications Parameters | Name | Description | Value | @@ -907,7 +899,6 @@ ui-redis: | `notifications.affinity` | Affinity for Anchore Notifications pod assignment | `{}` | | `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | - ### Anchore Reports Parameters | Name | Description | Value | @@ -926,7 +917,6 @@ ui-redis: | `reports.affinity` | Affinity for Anchore Reports pod assignment | `{}` | | `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | - ### Anchore RBAC Authentication Parameters | Name | Description | Value | @@ -934,7 +924,6 @@ ui-redis: | `rbacAuth.extraEnv` | Set extra environment variables for Anchore RBAC Authentication containers | `[]` | | `rbacAuth.resources` | Resource requests and limits for Anchore RBAC Authentication containers | `{}` | - ### Anchore RBAC Manager Parameters | Name | Description | Value | @@ -953,7 +942,6 @@ ui-redis: | `rbacManager.affinity` | Affinity for Anchore RBAC Manager pod assignment | `{}` | | `rbacManager.serviceAccountName` | Service account name for Anchore RBAC Manager pods | `""` | - ### Anchore UI Parameters | Name | Description | Value | @@ -976,7 +964,6 @@ ui-redis: | `ui.affinity` | Affinity for Anchore ui pod assignment | `{}` | | `ui.serviceAccountName` | Service account name for Anchore UI pods | `""` | - ### Anchore Upgrade Job Parameters | Name | Description | Value | @@ -993,7 +980,6 @@ ui-redis: | `upgradeJob.resources` | Resource requests and limits for the Anchore upgrade job | `{}` | | `upgradeJob.labels` | Labels for the Anchore upgrade job | `{}` | - ### Ingress Parameters | Name | Description | Value | 
@@ -1012,7 +998,6 @@ ui-redis: | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | - ### Google CloudSQL DB Parameters | Name | Description | Value | @@ -1026,7 +1011,6 @@ ui-redis: | `cloudsql.serviceAccJsonName` | | `""` | | `cloudsql.extraArgs` | a list of extra arguments to be passed into the cloudsql container command. eg | `[]` | - ### Anchore UI Redis Parameters | Name | Description | Value | @@ -1037,7 +1021,6 @@ ui-redis: | `ui-redis.architecture` | Redis deployment architecture | `standalone` | | `ui-redis.master.persistence.enabled` | enables persistence | `false` | - ### Anchore Database Parameters | Name | Description | Value | From 1291616cea66f16d24e8910ffd5cd2c2884dc686 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 1 Sep 2023 16:20:06 -0700 Subject: [PATCH 169/329] fix helm deps for lintings, unit tests & ct tests Signed-off-by: Brady Todhunter --- .github/workflows/helm-unittests.yaml | 2 +- ct-config.yaml | 2 ++ stable/enterprise/Chart.yaml | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/helm-unittests.yaml b/.github/workflows/helm-unittests.yaml index ad3e39b2..e2feba60 100644 --- a/.github/workflows/helm-unittests.yaml +++ b/.github/workflows/helm-unittests.yaml @@ -44,7 +44,7 @@ jobs: for chart in ${charts_dirs_changed}; do echo "running helm unittest . for ${chart}" pushd "${chart}" - helm dep build + helm dep up helm unittest . popd done diff --git a/ct-config.yaml b/ct-config.yaml index 3a98b7d1..ac747128 100644 --- a/ct-config.yaml +++ b/ct-config.yaml @@ -2,6 +2,8 @@ remote: origin target-branch: main chart-dirs: - stable +chart-repos: + - anchore=https://charts.anchore.io/stable namespace: anchore release-label: anchore helm-extra-args: --timeout 600s \ No newline at end of file 
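Review bot: `helm dep up` re-resolves each dependency from the version constraints in Chart.yaml and rewrites Chart.lock, whereas the replaced `helm dep build` installed exactly what the committed Chart.lock recorded, so the unit tests now run against whatever the repositories serve at that moment rather than the locked, digest-checked set. If the change is only to make the new `@anchore` alias resolvable (the ct-config.yaml hunk in this commit registers that repo for ct), `helm repo add anchore https://charts.anchore.io/stable` followed by the original `helm dep build` keeps the run reproducible. The enclosing `run:` script begins before the hunk.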
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml
index 550fbc21..12e5dfcd 100644
--- a/stable/enterprise/Chart.yaml
+++ b/stable/enterprise/Chart.yaml
@@ -38,7 +38,7 @@ dependencies:
 alias: ui-redis
 - name: feeds
 version: "0.0.1"
- repository: "https://charts.anchore.io/stable"
+ repository: "@anchore"
 condition: feeds.chartEnabled
 import-values:
 - child: service
From c15fa12ab4fa4369e2722d675fa7fab273f5798b Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Fri, 1 Sep 2023 16:21:33 -0700
Subject: [PATCH 170/329] add anchore repo to unit tests
Signed-off-by: Brady Todhunter
---
 .github/workflows/helm-unittests.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/helm-unittests.yaml b/.github/workflows/helm-unittests.yaml
index e2feba60..22fda974 100644
--- a/.github/workflows/helm-unittests.yaml
+++ b/.github/workflows/helm-unittests.yaml
@@ -44,6 +44,7 @@ jobs:
 for chart in ${charts_dirs_changed}; do
 echo "running helm unittest . for ${chart}"
 pushd "${chart}"
+ helm repo add anchore https://charts.anchore.io/stable
 helm dep up
 helm unittest .
 popd
From 0a10471e895fb90e2fa874268a4172399285811d Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Fri, 1 Sep 2023 16:23:22 -0700
Subject: [PATCH 171/329] update unittest snapshots
Signed-off-by: Brady Todhunter
---
 .../tests/__snapshot__/configmap_test.yaml.snap | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
index d22e1130..39367b60 100644
--- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
+++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
@@ -32,7 +32,7 @@ should render the configmaps: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/part-of: anchore - app.kubernetes.io/version: 4.8.1 + app.kubernetes.io/version: 4.9.0 bar: baz foo: bar helm.sh/chart: enterprise-0.0.1 @@ -333,7 +333,7 @@ should render the configmaps: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/part-of: anchore - app.kubernetes.io/version: 4.8.1 + app.kubernetes.io/version: 4.9.0 bar: baz foo: bar helm.sh/chart: enterprise-0.0.1 @@ -418,7 +418,7 @@ should render the configmaps: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/part-of: anchore - app.kubernetes.io/version: 4.8.1 + app.kubernetes.io/version: 4.9.0 bar: baz foo: bar helm.sh/chart: enterprise-0.0.1 @@ -462,7 +462,7 @@ should render the configmaps: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/part-of: anchore - app.kubernetes.io/version: 4.8.1 + app.kubernetes.io/version: 4.9.0 bar: baz foo: bar helm.sh/chart: enterprise-0.0.1 @@ -483,7 +483,7 @@ should render the configmaps: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/part-of: anchore - app.kubernetes.io/version: 4.8.1 + app.kubernetes.io/version: 4.9.0 bar: baz foo: bar helm.sh/chart: enterprise-0.0.1 From 60095fb9a55abc6dc8e1e915afe5aeb10864e54b Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 1 Sep 2023 16:42:34 -0700 Subject: [PATCH 172/329] run helm dep up on enterprise chart when it has changes for chart-releaser Signed-off-by: Brady Todhunter --- .github/workflows/deploy.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index dae5d278..e8ec4acc 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml 
@@ -7,6 +7,10 @@ on:
 jobs:
 release:
+ env:
+ REPO: "${{ github.repository }}"
+ REPO_NAME: "${{ github.event.repository.name }}"
+ TARGET_BRANCH: "${{ github.event.pull_request.base.ref }}"
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
@@ -20,6 +24,21 @@ jobs:
 git config user.name "$GITHUB_ACTOR"
 git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+ - name: Update chart deps
+ run: |
+ cd "${REPO}"
+ files_changed="$(git diff --name-only origin/${TARGET_BRANCH} | sort | uniq)"
+ # Adding || true to avoid "Process exited with code 1" errors
+ charts_dirs_changed="$(echo "$files_changed" | xargs dirname | grep -o "stable/[^/]*" | sort | uniq || true)"
+ for chart in ${charts_dirs_changed}; do
+ if [[ "${chart}" == "stable/enterprise" ]]; then
+ pushd "${chart}"
+ helm repo add anchore https://charts.anchore.io/stable
+ helm dep up
+ popd
+ fi
+ done
+
 - name: Run chart-releaser
 uses: helm/chart-releaser-action@v1.5.0
 with:
From 015339c173eb3b461cf8bd15440cc0044b4f3d04 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Fri, 1 Sep 2023 16:46:12 -0700
Subject: [PATCH 173/329] add anchore helm repo
Signed-off-by: Brady Todhunter
---
 .github/workflows/deploy.yaml | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index e8ec4acc..2f869d7a 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -24,20 +24,8 @@ jobs:
 git config user.name "$GITHUB_ACTOR"
 git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- - name: Update chart deps
- run: |
- cd "${REPO}"
- files_changed="$(git diff --name-only origin/${TARGET_BRANCH} | sort | uniq)"
- # Adding || true to avoid "Process exited with code 1" errors
- charts_dirs_changed="$(echo "$files_changed" | xargs dirname | grep -o "stable/[^/]*" | sort | uniq || true)"
- for chart in ${charts_dirs_changed}; do
- if [[ "${chart}" == "stable/enterprise" ]]; then
- pushd "${chart}"
- helm repo add anchore https://charts.anchore.io/stable
- helm dep up
- popd
- fi
- done
+ - name: Add Anchore Helm repo
+ run: helm repo add anchore https://charts.anchore.io/stable
 - name: Run chart-releaser
 uses: helm/chart-releaser-action@v1.5.0
From c522225ee93c84e5f9ed3bdc1b05b1ee6b8094ea Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Fri, 1 Sep 2023 16:49:07 -0700
Subject: [PATCH 174/329] add Hung Nguyen to maintainers
Signed-off-by: Brady Todhunter
---
 stable/enterprise/Chart.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml
index 12e5dfcd..01e22ff9 100644
--- a/stable/enterprise/Chart.yaml
+++ b/stable/enterprise/Chart.yaml
@@ -25,6 +25,8 @@ maintainers:
 email: zach@anchore.com
 - name: btodhunter
 email: bradyt@anchore.com
+ - name: hnguyen
+ email: hung.nguyen@anchore.com
 icon: https://anchore.com/wp-content/uploads/2016/08/anchore.png
 dependencies:
 - name: postgresql
From 744707a20f6d09062c266f7ec66bda4d225ab232 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Fri, 1 Sep 2023 16:53:49 -0700
Subject: [PATCH 175/329] lint charts prior to testing to fail fast if version isnt bumped
Signed-off-by: Brady Todhunter
---
 .github/workflows/test.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 3d59f965..e2abf54e 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -39,6 +39,11 @@ jobs:
 echo "CHANGED=true" >> "$GITHUB_OUTPUT"
 fi
+ - name: Run chart-testing (lint)
+ id: lint
+ run: ct lint --config 'ct-config.yaml'
+ if: steps.list-changed.outputs.CHANGED == 'true'
+
 - name: Install kind
 if: steps.list-changed.outputs.CHANGED == 'true'
 uses: helm/kind-action@v1.8.0
From e538277441b3e7b38020d36e6eda8d0d7bd44189 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Fri, 1 Sep 2023 17:12:23 -0700
Subject: [PATCH 176/329] add bitnami repo back
Signed-off-by: Brady Todhunter
---
 ct-config.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ct-config.yaml b/ct-config.yaml
index ac747128..bbd1fc0c 100644
--- a/ct-config.yaml
+++ b/ct-config.yaml
@@ -4,6 +4,7 @@ chart-dirs:
 - stable
 chart-repos:
 - anchore=https://charts.anchore.io/stable
+ - bitnami=https://charts.bitnami.com/bitnami
 namespace: anchore
 release-label: anchore
 helm-extra-args: --timeout 600s
\ No newline at end of file
From 36551859294f71d1af28a0669c9bd9c056e90071 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Fri, 1 Sep 2023 17:17:19 -0700
Subject: [PATCH 177/329] use alias for bitnami dep
Signed-off-by: Brady Todhunter
---
 .github/workflows/deploy.yaml | 4 +++-
 stable/anchore-engine/Chart.yaml | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 2f869d7a..38a6bc15 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -25,7 +25,9 @@ jobs:
 git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 - name: Add Anchore Helm repo
- run: helm repo add anchore https://charts.anchore.io/stable
+ run: |
+ helm repo add anchore https://charts.anchore.io/stable
+ helm repo add bitnami https://charts.bitnami.com/bitnami
 - name: Run chart-releaser
 uses: helm/chart-releaser-action@v1.5.0
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index ebaa78f8..de9072ce 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -39,6 +39,6 @@ dependencies:
 alias: anchore-feeds-gem-db
 - name: redis
 version: "16.11.3"
- repository: "https://charts.bitnami.com/bitnami"
+ repository: "@bitnami"
 condition: ui-redis.enabled,anchoreEnterpriseGlobal.enabled
 alias: ui-redis
From 5837afedd0b8b43943f66ab888f392151d18a106 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Fri, 1 Sep 2023 17:23:42 -0700
Subject: [PATCH 178/329] bump chart version
Signed-off-by: Brady Todhunter
---
 stable/anchore-engine/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index de9072ce..a25c9b1e 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.27.0
+version: 1.27.1
 appVersion: 1.1.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
From 984a96238a684905071a2266b781db8aee03fc27 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Fri, 1 Sep 2023 17:28:27 -0700
Subject: [PATCH 179/329] only run unit tests on enterprise & feeds charts
Signed-off-by: Brady Todhunter
---
 .github/workflows/helm-unittests.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/helm-unittests.yaml b/.github/workflows/helm-unittests.yaml
index 22fda974..86739418 100644
--- a/.github/workflows/helm-unittests.yaml
+++ b/.github/workflows/helm-unittests.yaml
@@ -4,7 +4,12 @@ name: 'Helm Unit Tests'
 on:
- - pull_request
+ pull_request_target:
+ branches:
+ - main
+ paths:
+ - 'stable/enterprise'
+ - 'stable/feeds'
 # Remove all permissions by default
 permissions: {}
From b98cad83c3809a9ec8c73dfd8a872b7afe1a0c88 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Fri, 1 Sep 2023 17:31:39 -0700
Subject: [PATCH 180/329] fix indentation
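Review bot: `pull_request_target` runs this workflow with the base repository's secrets and a write-capable `GITHUB_TOKEN` for pull requests from forks as well, and the job later runs `helm dep up` and `helm unittest .` inside the changed chart directory, so if the checkout step (outside this hunk) checks out the PR head, untrusted chart content executes under the privileged trigger. The `permissions: {}` line below the hunk scopes the token down but does not keep repository secrets out of the job. Nothing in the visible steps needs write access, so the original `pull_request` trigger is the safer choice; if the privileged trigger is required, check out the base ref only. Separately, GitHub `paths:` filters are globs matched against changed file paths, so `'stable/enterprise'` and `'stable/feeds'` as written match only files with exactly those names; use `- 'stable/enterprise/**'` and `- 'stable/feeds/**'`. The two following patches (fix indentation, run on all PR target branches) keep the same trigger and path entries.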
Signed-off-by: Brady Todhunter
---
 .github/workflows/helm-unittests.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/helm-unittests.yaml b/.github/workflows/helm-unittests.yaml
index 86739418..cc82bc90 100644
--- a/.github/workflows/helm-unittests.yaml
+++ b/.github/workflows/helm-unittests.yaml
@@ -4,7 +4,7 @@ name: 'Helm Unit Tests'
 on:
- pull_request_target:
+ pull_request_target:
 branches:
 - main
 paths:
From c12646472f4f37654076f823e4ae21a2145c2c56 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Fri, 1 Sep 2023 17:34:46 -0700
Subject: [PATCH 181/329] run unit tests on all pr target branches
Signed-off-by: Brady Todhunter
---
 .github/workflows/helm-unittests.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/helm-unittests.yaml b/.github/workflows/helm-unittests.yaml
index cc82bc90..eba43f56 100644
--- a/.github/workflows/helm-unittests.yaml
+++ b/.github/workflows/helm-unittests.yaml
@@ -5,8 +5,6 @@ name: 'Helm Unit Tests'
 on:
 pull_request_target:
- branches:
- - main
 paths:
 - 'stable/enterprise'
 - 'stable/feeds'
From 72f2ba8f2caf4b3cca177bc79506cf1fd8762f7c Mon Sep 17 00:00:00 2001
From: Hung Nguyen
Date: Tue, 5 Sep 2023 15:50:51 -0400
Subject: [PATCH 182/329] adding to README of anchore-engine about bitnami alias
Signed-off-by: Hung Nguyen
---
 stable/anchore-engine/README.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md
index 1a60793b..394b2b58 100644
--- a/stable/anchore-engine/README.md
+++ b/stable/anchore-engine/README.md
@@ -198,6 +198,10 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. +# Chart Version 1.27.1 + +* Updating chart-releaser-action to v1.5.0 required using an alias for the bitnami dependency because chart-releaser doesn't currently support using a url directly in the dependency declaration. You may be required to add bitnami as an alias to the bitnami repos. eg `helm repo add bitnami https://charts.bitnami.com/bitnami` + # Chart Version 1.27.0 * Anchore Enterprise image updated to v4.9.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/490/) From b45c4e51d817fb6309fdfbb6d9fc55b571ddb3b3 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 6 Sep 2023 12:44:17 -0400 Subject: [PATCH 183/329] bumping anchore enterprise image version to 4.9.1 (#116) * bumping anchore enterprise image version to 4.9.1 Signed-off-by: Hung Nguyen --------- Signed-off-by: Hung Nguyen --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/README.md | 4 ++++ stable/anchore-engine/values.yaml | 4 ++-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index a25c9b1e..3a56c32e 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.27.1 +version: 1.27.2 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: 
diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 394b2b58..9d957844 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -198,6 +198,10 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. +# Chart Version 1.27.2 + +* Anchore Enterprise image updated to v4.9.1 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/491/) + # Chart Version 1.27.1 * Updating chart-releaser-action to v1.5.0 required using an alias for the bitnami dependency because chart-releaser doesn't currently support using a url directly in the dependency declaration. You may be required to add bitnami as an alias to the bitnami repos. eg `helm repo add bitnami https://charts.bitnami.com/bitnami` diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 3ff6c7c8..32f15638 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -760,7 +760,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.9.0 + image: docker.io/anchore/enterprise:v4.9.1 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. 
@@ -1124,7 +1124,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v4.9.0 + image: docker.io/anchore/enterprise-ui:v4.9.1 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers. From f22c193b5fd805703e73d7600ea37fe840dbb5a0 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 6 Sep 2023 12:49:08 -0400 Subject: [PATCH 184/329] bump version of engine ui (#117) Signed-off-by: Hung Nguyen --- stable/anchore-engine/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 32f15638..8e4ab86c 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -1124,7 +1124,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v4.9.1 + image: docker.io/anchore/enterprise-ui:v4.9.0 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers. From 43413879d39eb47dc6a649b0922d8f3baa7f4045 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 6 Sep 2023 12:18:57 -0700 Subject: [PATCH 185/329] bump redis chart to latest version and use oci url instead of alias for dep Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.lock | 8 ++++---- stable/anchore-engine/Chart.yaml | 4 ++-- stable/anchore-engine/README.md | 2 ++ 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/stable/anchore-engine/Chart.lock b/stable/anchore-engine/Chart.lock index 8feca4ef..0e94a5ef 100644 --- a/stable/anchore-engine/Chart.lock +++ b/stable/anchore-engine/Chart.lock 
@@ -9,7 +9,7 @@ dependencies:
 repository: file://./deps/postgresql
 version: 1.0.1
 - name: redis
- repository: https://charts.bitnami.com/bitnami
- version: 16.11.3
-digest: sha256:5bdfacf8fe535b57e509811f1a4e4f5563905ca74e205c2547ef6eb7b71972a5
-generated: "2022-06-07T02:10:46.327103-07:00"
+ repository: oci://registry-1.docker.io/bitnamicharts
+ version: 18.0.2
+digest: sha256:cad30648f26d16150e511a104881369c3840e5fdbc1f38d0a2c05b81c46813a3
+generated: "2023-09-06T12:10:06.713465-07:00"
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index 3a56c32e..f6045452 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -38,7 +38,7 @@ dependencies:
 condition: anchore-feeds-gem-db.enabled,anchoreEnterpriseFeeds.gemDriverEnabled
 alias: anchore-feeds-gem-db
 - name: redis
- version: "16.11.3"
- repository: "@bitnami"
+ version: "~18"
+ repository: "oci://registry-1.docker.io/bitnamicharts"
 condition: ui-redis.enabled,anchoreEnterpriseGlobal.enabled
 alias: ui-redis
diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md
index 9d957844..b8b5c606 100644
--- a/stable/anchore-engine/README.md
+++ b/stable/anchore-engine/README.md
@@ -201,6 +201,8 @@ The upgrade will only be considered successful when this job completes successfu
 # Chart Version 1.27.2
 * Anchore Enterprise image updated to v4.9.1 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/491/)
+* Bumped Redis chart to the latest version.
+* Reverted the change in v1.27.1 to use an alias for the bitnami dependency. This dependency is now using an OCI url which is supported by the latest version of chart-releaser-action.
 # Chart Version 1.27.1
From 7be07d9c1998cdf1c7eee44dc49fa47a3448e3bc Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Wed, 6 Sep 2023 13:24:17 -0700
Subject: [PATCH 186/329] bump enterprise image to v4.9.1
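Review bot: `version: "~18"` is a floating range, so every `helm dep up` (the helm-unittests workflow runs one per changed chart, per an earlier patch in this series) resolves the newest 18.x redis chart from `oci://registry-1.docker.io/bitnamicharts`, not the 18.0.2 this commit records in Chart.lock, and the tested subchart can drift from the released one without any change in this repository. The previous entry pinned `"16.11.3"`; pinning `version: "18.0.2"` here keeps Chart.yaml and Chart.lock in agreement and makes the lock digest meaningful. A short comment above the entry, `# Keep pinned; bump deliberately and regenerate Chart.lock`, would record that intent for the next bump.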
Signed-off-by: Brady Todhunter --- stable/feeds/Chart.yaml | 4 ++-- stable/feeds/values.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index 20bd7734..f01d86df 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: feeds type: application -version: "0.0.1" -appVersion: "4.9.0" +version: "0.0.2" +appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: Anchore feeds service keywords: diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml index 113bfe53..173d9180 100644 --- a/stable/feeds/values.yaml +++ b/stable/feeds/values.yaml @@ -21,7 +21,7 @@ nameOverride: "" ## @param image Image used for feeds deployment ## -image: docker.io/anchore/enterprise:v4.9.0 +image: docker.io/anchore/enterprise:v4.9.1 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy From db6ccb9a6aea78e911a0f59c8524271ee779091e Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 6 Sep 2023 13:29:42 -0700 Subject: [PATCH 187/329] remove [obj] param def for db image.tag Signed-off-by: Brady Todhunter --- stable/feeds/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml index 173d9180..eb58ac9f 100644 --- a/stable/feeds/values.yaml +++ b/stable/feeds/values.yaml @@ -390,7 +390,7 @@ feeds-db: ## extraEnvVars: [] - ## @param feeds-db.image.tag [obj] Specifies the image to use for this chart. + ## @param feeds-db.image.tag Specifies the image to use for this chart. ## image: tag: 13.11.0-debian-11-r15 @@ -437,7 +437,7 @@ gem-db: ## extraEnvVars: [] - ## @param gem-db.image.tag [obj] Specifies the image to use for this chart. + ## @param gem-db.image.tag Specifies the image to use for this chart. ## image: tag: 13.11.0-debian-11-r15 
From a429d59d684105efd17b85c34ac5748d542d2cd0 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Wed, 6 Sep 2023 13:31:19 -0700
Subject: [PATCH 188/329] use empty quotes instead of null for values
Signed-off-by: Brady Todhunter
---
 stable/feeds/values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml
index eb58ac9f..619ce950 100644
--- a/stable/feeds/values.yaml
+++ b/stable/feeds/values.yaml
@@ -331,7 +331,7 @@ anchoreConfig:
 ## Request one from https://nvd.nist.gov/developers/request-an-api-key
 ##
 nvdv2:
- api_key: null
+ api_key: ""
 ## @param anchoreConfig.feeds.drivers.msrc.enabled Enable Microsoft feeds
 ## @param anchoreConfig.feeds.drivers.msrc.whitelist MSRC product IDs for generating feed data, this extends the pre-defined list of product IDs
@@ -348,7 +348,7 @@ anchoreConfig:
 ##
 github:
 enabled: false
- token: null
+ token: ""
 #############################################
 ## @section Anchore Feeds Database Parameters
From 6a82675b6a71139f0392dc20f49db7165e7b1b36 Mon Sep 17 00:00:00 2001
From: Anchore BitnamiReadmeGenerator
Date: Wed, 6 Sep 2023 20:31:38 +0000
Subject: [PATCH 189/329] Update README.md with readme-generator-for-helm
Signed-off-by: Anchore BitnamiReadmeGenerator
---
 stable/feeds/README.md | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/stable/feeds/README.md b/stable/feeds/README.md
index 4966bc27..5e3d2b9d 100644
--- a/stable/feeds/README.md
+++ b/stable/feeds/README.md
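Review bot: `api_key: ""` and `token: ""` are credential fields in the chart's published values file, and the surrounding comment block says where to obtain the NVD key but not how it is meant to be supplied, so a user's first instinct is to write the real key into a tracked values file. A line such as `## Supply at install time (--set or an untracked values file); do not commit a real key here.` above `nvdv2:` — and the same above the github `token:` in the second hunk — closes that gap. The switch from `null` to `""` is invisible to a Helm `if` (both are falsy) but would change any template that compares the value to `nil` or uses a `hasKey`/`kindIs` style check; those templates are outside this hunk, so worth confirming.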
@@ -216,7 +216,7 @@ feeds-db: | `enterpriseFullname` | set the fullname on enterprise resources. Only needed when standalone=false and fullnameOverride is set for the enterprise chart. | `""` | | `fullnameOverride` | overrides the fullname set on resources | `""` | | `nameOverride` | overrides the name set on resources | `""` | -| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v4.9.0` | +| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v4.9.1` | | `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | | `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | | `serviceAccountName` | Name of a service account used to run all Feeds pods | `""` | @@ -267,7 +267,6 @@ feeds-db: | `existingSecretName` | Name of the existing secret to be used for Anchore Feeds Service | `anchore-enterprise-feeds-env` | | `configOverride` | Allows for overriding the default Anchore configuration file | `{}` | - ### Anchore Feeds Configuration Parameters | Name | Description | Value | 
@@ -301,12 +300,11 @@ feeds-db: | `anchoreConfig.feeds.drivers.npm.enabled` | Enable vulnerability drivers for npm data | `false` | | `anchoreConfig.feeds.drivers.gem.enabled` | Enable vulnerability drivers for gem data | `false` | | `anchoreConfig.feeds.drivers.gem.db_connect` | Defines the database endpoint used for loading the rubygems package data as a PostgreSQL dump | `postgresql://${ANCHORE_GEM_DB_USER}:${ANCHORE_GEM_DB_PASSWORD}@${ANCHORE_GEM_DB_HOST}:${ANCHORE_GEM_DB_PORT}/${ANCHORE_GEM_DB_NAME}` | -| `anchoreConfig.feeds.drivers.nvdv2.api_key` | The NVD API key value | `nil` | +| `anchoreConfig.feeds.drivers.nvdv2.api_key` | The NVD API key value | `""` | | `anchoreConfig.feeds.drivers.msrc.enabled` | Enable Microsoft feeds | `false` | | `anchoreConfig.feeds.drivers.msrc.whitelist` | MSRC product IDs for generating feed data, this extends the pre-defined list of product IDs | `[]` | | `anchoreConfig.feeds.drivers.github.enabled` | Enable GitHub advisory feeds (requires GitHub PAT) | `false` | -| `anchoreConfig.feeds.drivers.github.token` | GitHub developer personal access token with zero permission scopes | `nil` | - +| `anchoreConfig.feeds.drivers.github.token` | GitHub developer personal access token with zero permission scopes | `""` | ### Anchore Feeds Database Parameters @@ -322,7 +320,6 @@ feeds-db: | `feeds-db.primary.extraEnvVars` | An array to add extra environment variables | `[]` | | `feeds-db.image.tag` | Specifies the image to use for this chart. | `13.11.0-debian-11-r15` | - ### Feeds Gem Database Parameters | Name | Description | Value | @@ -337,7 +334,6 @@ feeds-db: | `gem-db.primary.extraEnvVars` | An array to add extra environment variables | `[]` | | `gem-db.image.tag` | Specifies the image to use for this chart. | `13.11.0-debian-11-r15` | - ### Anchore Feeds Upgrade Job Parameters | Name | Description | Value | 
@@ -354,7 +350,6 @@ feeds-db: | `feedsUpgradeJob.labels` | Labels for the Anchore Feeds upgrade job | `{}` | | `feedsUpgradeJob.resources` | Resources for the Anchore Feeds upgrade job | `{}` | - ### Ingress Parameters | Name | Description | Value | @@ -367,7 +362,6 @@ feeds-db: | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | - ### Google CloudSQL DB Parameters | Name | Description | Value | From 2cd31e53d22df736f470efc57b5dd2140bf0963e Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 6 Sep 2023 14:06:43 -0700 Subject: [PATCH 190/329] bump enterprise image to v4.9.1 and feeds chart to 0.0.2 Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.lock | 6 +++--- stable/enterprise/Chart.yaml | 6 +++--- stable/enterprise/values.yaml | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock index c5391123..d0f73c8d 100644 --- a/stable/enterprise/Chart.lock +++ b/stable/enterprise/Chart.lock @@ -7,6 +7,6 @@ dependencies: version: 17.11.8 - name: feeds repository: https://charts.anchore.io/stable - version: 0.0.1 -digest: sha256:6d7eeac8b08d99ba32f67ea08376555faa642520eadcfb1b966d9b2c0cbf7778 -generated: "2023-09-01T15:50:02.118283-07:00" + version: 0.0.2 +digest: sha256:23485379ed6b385e257be94156cb0e5ed255e6fad733b8534ec605679549cbf2 +generated: "2023-09-06T14:04:35.141202-07:00" diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 01e22ff9..20e16725 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml 
@@ -1,7 +1,7 @@ apiVersion: v2 name: enterprise -version: "0.0.1" -appVersion: "4.9.0" +version: "0.0.2" +appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems, @@ -39,7 +39,7 @@ dependencies: condition: ui-redis.chartEnabled alias: ui-redis - name: feeds - version: "0.0.1" + version: "0.0.2" repository: "@anchore" condition: feeds.chartEnabled import-values: diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index b6842ce7..47c1d1df 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -13,7 +13,7 @@ nameOverride: "" ## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI ## -image: docker.io/anchore/enterprise:v4.9.0 +image: docker.io/anchore/enterprise:v4.9.1 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy From e2b3112882ecebee635f2aae90623048f734c357 Mon Sep 17 00:00:00 2001 From: Anchore BitnamiReadmeGenerator Date: Wed, 6 Sep 2023 21:07:47 +0000 Subject: [PATCH 191/329] Update README.md with readme-generator-for-helm Signed-off-by: Anchore BitnamiReadmeGenerator --- stable/enterprise/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 8df63574..8ca2942f 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md 
@@ -658,7 +658,7 @@ ui-redis: | ------------------------------------- | ------------------------------------------------------------------------------------- | ------------------------------------- | | `fullnameOverride` | overrides the fullname set on resources | `""` | | `nameOverride` | overrides the name set on resources | `""` | -| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v4.9.0` | +| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v4.9.1` | | `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | | `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | | `serviceAccountName` | Name of a service account used to run all Anchore pods | `""` | From b600179a90ed208bbcbed23f1fe669f17c186516 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Mon, 11 Sep 2023 13:39:15 -0400 Subject: [PATCH 192/329] adding script for values migration (#115) 
Signed-off-by: Hung Nguyen --- .gitignore | 3 +- scripts/Dockerfile | 13 + scripts/README.md | 43 + scripts/convert.py | 25 + scripts/helpers.py | 269 ++++++ scripts/mappings.py | 328 ++++++++ .../configs/test_convert_values_file.yaml | 15 + .../test_convert_values_file_result.yaml | 11 + .../test_anchoreAnalyzer_value_mapping.py | 345 ++++++++ .../tests/test_anchoreApi_value_mapping.py | 247 ++++++ .../test_anchoreCatalog_value_mapping.py | 401 +++++++++ ...t_anchoreEngineUpgradeJob_value_mapping.py | 86 ++ ...nterpriseEngineUpgradeJob_value_mapping.py | 183 +++++ ...EnterpriseFeedsUpgradeJob_value_mapping.py | 200 +++++ ...st_anchoreEnterpriseFeeds_value_mapping.py | 776 ++++++++++++++++++ ...reEnterpriseNotifications_value_mapping.py | 270 ++++++ ...est_anchoreEnterpriseRbac_value_mapping.py | 302 +++++++ ..._anchoreEnterpriseReports_value_mapping.py | 335 ++++++++ .../test_anchoreEnterpriseUi_value_mapping.py | 550 +++++++++++++ .../tests/test_anchoreGlobal_value_mapping.py | 757 +++++++++++++++++ .../test_anchorePolicyEngine_value_mapping.py | 299 +++++++ .../test_anchoreSimpleQueue_value_mapping.py | 236 ++++++ scripts/tests/test_helpers.py | 313 +++++++ 23 files changed, 6006 insertions(+), 1 deletion(-) create mode 100644 scripts/Dockerfile create mode 100644 scripts/README.md create mode 100644 scripts/convert.py create mode 100644 scripts/helpers.py create mode 100644 scripts/mappings.py create mode 100644 scripts/tests/configs/test_convert_values_file.yaml create mode 100644 scripts/tests/configs/test_convert_values_file_result.yaml create mode 100644 scripts/tests/test_anchoreAnalyzer_value_mapping.py create mode 100644 scripts/tests/test_anchoreApi_value_mapping.py create mode 100644 scripts/tests/test_anchoreCatalog_value_mapping.py create mode 100644 scripts/tests/test_anchoreEngineUpgradeJob_value_mapping.py create mode 100644 scripts/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py create mode 100644 
scripts/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py
 create mode 100644 scripts/tests/test_anchoreEnterpriseFeeds_value_mapping.py
 create mode 100644 scripts/tests/test_anchoreEnterpriseNotifications_value_mapping.py
 create mode 100644 scripts/tests/test_anchoreEnterpriseRbac_value_mapping.py
 create mode 100644 scripts/tests/test_anchoreEnterpriseReports_value_mapping.py
 create mode 100644 scripts/tests/test_anchoreEnterpriseUi_value_mapping.py
 create mode 100644 scripts/tests/test_anchoreGlobal_value_mapping.py
 create mode 100644 scripts/tests/test_anchorePolicyEngine_value_mapping.py
 create mode 100644 scripts/tests/test_anchoreSimpleQueue_value_mapping.py
 create mode 100644 scripts/tests/test_helpers.py
diff --git a/.gitignore b/.gitignore
index dcaaf205..24be4a11 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
+__pycache__
 examples/
 *.tgz
 charts/
 .idea/
-*.code-workspace
\ No newline at end of file
+*.code-workspace
diff --git a/scripts/Dockerfile b/scripts/Dockerfile
new file mode 100644
index 00000000..d29166ff
--- /dev/null
+++ b/scripts/Dockerfile
@@ -0,0 +1,13 @@
+FROM python:3
+
+WORKDIR /app
+
+COPY helpers.py /app/
+COPY convert.py /app/
+COPY mappings.py /app/
+
+RUN pip install argparse pyyaml
+
+ENTRYPOINT ["python3", "convert.py"]
+
+CMD ["-e", "values.yaml"]
\ No newline at end of file
diff --git a/scripts/README.md b/scripts/README.md
new file mode 100644
index 00000000..8fd1eaba
--- /dev/null
+++ b/scripts/README.md
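Review bot: `RUN pip install argparse pyyaml` installs `argparse` from PyPI even though it has shipped in the Python standard library since 3.2, so the image pulls an unmaintained third-party copy for nothing; the same line leaves `pyyaml` unpinned and `FROM python:3` floats, which makes the published migrator image non-reproducible and hard to audit. I would change it to `RUN pip install --no-cache-dir pyyaml==<pinned version>` and pin the base tag (`FROM python:<pinned tag>`). The container also runs as root by default; for a tool that only reads a mounted values file and writes an output directory, adding a `USER` directive before `ENTRYPOINT` is cheap hardening.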
@@ -0,0 +1,43 @@ +# Anchore Engine to Enterprise Helm Chart Value File Converter + +This script converts the values file of Anchore Engine to the values file format suitable for the Anchore Enterprise Helm chart. + +## Prerequisites + +- Docker: Make sure you have Docker installed on your machine. + +## Usage + +1. **The Docker Image**: + To build the docker image yourself, from the `scripts` directory, build the Docker image using the following command: + + ```bash + docker build -t script-container . + ``` + + Alternatively, a docker image is available at `docker.io/anchore/enterprise-helm-migrator:latest` + +2. **Run the Docker Container**: + + Run the Docker container with the following command. Change the name of the file as needed: + + ```bash + export VALUES_FILE_NAME=my-values-file.yaml + docker run -v ${PWD}:/tmp -v ${PWD}/${VALUES_FILE_NAME}:/app/${VALUES_FILE_NAME} docker.io/anchore/enterprise-helm-migrator:latest -e /app/${VALUES_FILE_NAME} -d /tmp/output + ``` + + This command mounts a local volume to store the output files and mounts the input file to be converted, and passes it using the `-e` flag. + +3. **Retrieve Output**: + + After running the Docker container, the converted Helm chart values file will be available in the `${PWD}/output` directory on your local machine. + +## Important Note + +Please ensure that you have reviewed and understood the content of the input file before running the conversion. The script provided is specifically tailored to convert Anchore Engine values files to the format expected by the Anchore Enterprise Helm chart. + +## Disclaimer + +This script is provided as-is and is intended to help reduce the friction of converting from anchore-engine to enterprise. It is your responsibility to ensure that any modifications or usage of the script align with your requirements and best practices. 
+ +For any issues or suggestions related to the script or Docker image, feel free to create an issue or pull request in this repository. diff --git a/scripts/convert.py b/scripts/convert.py new file mode 100644 index 00000000..f9f4a5a3 --- /dev/null +++ b/scripts/convert.py @@ -0,0 +1,25 @@ +import sys +sys.dont_write_bytecode = True + +import argparse +from helpers import convert_values_file + +if __name__ == "__main__": + parser = argparse.ArgumentParser(description="Ingests one values files, changes the keys based on a declared map, then spits out a different values file") + parser.add_argument( + "-e", "--engine-file", + type=str, + help="Path to the original values file being ingested", + default="" + ) + parser.add_argument( + "-d", "--results-dir", + type=str, + help="directory to put resulting files in", + default="enterprise-values" + ) + + args = parser.parse_args() + engine_file = args.engine_file + results_dir = args.results_dir + convert_values_file(file=engine_file, results_dir=results_dir) \ No newline at end of file diff --git a/scripts/helpers.py b/scripts/helpers.py new file mode 100644 index 00000000..6ec992dc --- /dev/null +++ b/scripts/helpers.py 
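Review bot: `--engine-file` defaults to `""` and nothing validates it, so running the container without `-e` reaches `convert_values_file`, which first wipes and recreates the results directory and then fails inside `open()` with a raw `FileNotFoundError` on an empty path instead of a usage message. Declaring the argument mandatory and dropping the empty default gives argparse's standard error up front: `parser.add_argument("-e", "--engine-file", type=str, required=True, help="Path to the original values file being ingested")`. The Dockerfile's `CMD ["-e", "values.yaml"]` still satisfies the required flag, so the image's default invocation is unaffected.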
@@ -0,0 +1,269 @@ +import copy +import os +import pathlib +import shutil +import yaml + +from mappings import ( + KEYS_WITHOUT_CHANGES, + KUBERNETES_KEYS, + TOP_LEVEL_MAPPING, + FULL_CHANGE_KEY_MAPPING, LEVEL_TWO_CHANGE_KEY_MAPPING, LEVEL_THREE_CHANGE_KEY_MAPPING, + DEPENDENCY_CHARTS, + ENTERPRISE_ENV_VAR_MAPPING, FEEDS_ENV_VAR_MAPPING, + DEPRECATED_KEYS, CHECK_LAST, + POST_PROCESSING +) + +def represent_block_scalar(dumper, data): + style = "|" if "\n" in data else '"' + return dumper.represent_scalar("tag:yaml.org,2002:str", data, style=style) + +def convert_values_file(file, results_dir): + file_name = os.path.basename(file) + prep_dir(path=results_dir, clean=True) + + with open(file, 'r') as content: + parsed_data = yaml.safe_load(content) + + dot_string_dict = dict_keys_to_dot_string(parsed_data) + write_to_file(data=str("\n".join(f"{key} = {val}" for key, val in dot_string_dict.items())), output_file=os.path.join(results_dir, "dotstring.txt"), write_mode="w") + + enterprise_chart_values_dict, enterprise_chart_env_var_dict = replace_keys_with_mappings(dot_string_dict, results_dir) + + for key, val in enterprise_chart_env_var_dict.items(): + if isinstance(val, list): + enterprise_chart_values_dict[key] = enterprise_chart_values_dict[key] + val + elif isinstance(val, dict): + enterprise_chart_values_dict[key] = enterprise_chart_values_dict.get(key, {}) + enterprise_chart_values_dict[key]["extraEnv"] = enterprise_chart_values_dict[key].get("extraEnv", []) + enterprise_chart_values_dict[key]["extraEnv"] = enterprise_chart_values_dict[key]["extraEnv"] + val.get("extraEnv", []) + + yaml.add_representer(str, represent_block_scalar) + yaml_data = yaml.dump(enterprise_chart_values_dict, default_flow_style=False) + file_name = f"enterprise.{file_name}" + write_to_file(data=yaml_data, output_file=os.path.join(results_dir, file_name), write_mode="w") + +def write_to_file(data, output_file, write_mode='w'): + file_parent_dir = pathlib.Path(output_file).parent + 
prep_dir(file_parent_dir) + with open(f"{output_file}", write_mode) as file: + file.write(data) + return f"{output_file}" + +def prep_dir(path, clean=False): + if clean: + if pathlib.Path(path).is_dir(): + shutil.rmtree(path) + if not pathlib.Path(path).is_dir(): + pathlib.Path(path).mkdir(parents=True, exist_ok=True) + return path + +# return as the first return value, a dictionary where the keys are dot string representation of the old keys and +# the value is the original values +def dict_keys_to_dot_string(dictionary, prefix=''): + result = {} + for key, value in dictionary.items(): + full_key = f'{prefix}.{key}' if prefix else key + if isinstance(value, dict) and bool(value): + sub_dict = dict_keys_to_dot_string(value, full_key) + result.update(sub_dict) + else: + result[full_key] = value + return result + +# returns the resulting dictionary that will be used to create the new values file +def replace_keys_with_mappings(dot_string_dict, results_dir): + result = {} + env_var_results = {} + keys_without_changes = KEYS_WITHOUT_CHANGES + top_level_mapping = TOP_LEVEL_MAPPING + kubernetes_keys = KUBERNETES_KEYS + full_change_key_mapping = FULL_CHANGE_KEY_MAPPING + + level_two_change_key_mapping = LEVEL_TWO_CHANGE_KEY_MAPPING + level_three_change_key_mapping = LEVEL_THREE_CHANGE_KEY_MAPPING + + enterprise_env_var_mapping = ENTERPRISE_ENV_VAR_MAPPING + feeds_env_var_mapping = FEEDS_ENV_VAR_MAPPING + deprecated_keys = DEPRECATED_KEYS + dependency_charts_keys = DEPENDENCY_CHARTS + check_last = CHECK_LAST + post_processing = POST_PROCESSING + + env_var_mapping = {**enterprise_env_var_mapping, **feeds_env_var_mapping} + logs_dir = f"{results_dir}/logs" + for dotstring_key, val in dot_string_dict.items(): + keys = dotstring_key.split('.') + + if deprecated_keys.get(dotstring_key): + log_file_name = "warning.log" + write_to_file(f"{dotstring_key}: no longer used\n", os.path.join(logs_dir, log_file_name), "a") + continue + + # serviceName.annotations + if len(keys) > 1 and 
keys[1] in ['annotations', 'labels', 'nodeSelector', 'affinity', 'deploymentAnnotations']: + if val != {}: + val = { + '.'.join(keys[2:]): val + } + keys = keys[:2] + # serviceName.service.annotations + elif len(keys) > 2 and keys[2] in ['annotations', 'labels']: + if val != {}: + val = { + '.'.join(keys[3:]): val + } + keys = keys[:3] + + update_result = False + errored = True + + if dotstring_key in post_processing: + pp_val = post_processing.get(dotstring_key) + action = pp_val.get("action") + if action == "split_value": + delimeter = pp_val.get("split_on") + new_vals = val.split(delimeter) + new_keys = pp_val.get("new_keys") + combined_dict = dict(zip(new_keys, new_vals)) + for new_key, new_val in combined_dict.items(): + dict_key = create_dict_entry(new_key, new_val) + result = merge_dicts(result, dict_key) + continue + elif action == "merge": + merge_keys = pp_val.get("merge_keys") + merged_val = [] + for merge_key in merge_keys: + merged_val.append(dot_string_dict.get(merge_key)) + merged_val = ":".join(merged_val) + + dotstring_key = pp_val.get("new_key") + dict_key = create_dict_entry(dotstring_key, merged_val) + result = merge_dicts(result, dict_key) + continue + elif action == "duplicate": + new_keys = pp_val.get("new_keys") + for dotstring_key in new_keys: + dict_key = create_dict_entry(dotstring_key, copy.deepcopy(val)) + result = merge_dicts(result, dict_key) + continue + elif action == "key_addition": + new_keys = pp_val.get("new_keys") + for new_key in new_keys: + key = new_key[0] + value = new_key[1] + if value == "default": + value = val + dict_key = create_dict_entry(key, value) + result = merge_dicts(result, dict_key) + continue + + if not update_result: + if full_change_key_mapping.get(dotstring_key): + dotstring_key = full_change_key_mapping.get(dotstring_key) + update_result = True + elif len(keys) > 1: + level_three_replacement = False + if len(keys) > 2: + level_three_replacement = 
level_three_change_key_mapping.get(f"{keys[0]}.{keys[1]}.{keys[2]}", False) + level_two_replacement = level_two_change_key_mapping.get(f"{keys[0]}.{keys[1]}", False) + top_level_key = top_level_mapping.get(f"{keys[0]}", False) + + if level_three_replacement: + # replace the first three keys of the original + dotstring_key = create_new_dotstring(keys=keys, dotstring=level_three_replacement, level=3) + update_result = True + # if its not a level 3 replacement, check if its a level 2 replacement + elif level_two_replacement: + dotstring_key = create_new_dotstring(keys=keys, dotstring=level_two_replacement, level=2) + update_result = True + elif top_level_key and (f"{keys[1]}" in kubernetes_keys): + keys[0] = top_level_key + dotstring_key = ".".join(keys) + update_result = True + + if not update_result: + if env_var_mapping.get(dotstring_key): + extra_environment_variable = env_var_mapping.get(dotstring_key) + + environment_variable_name = extra_environment_variable.split(".")[-1] + service_name = "" + if len(extra_environment_variable.split(".")) > 1: + service_name = extra_environment_variable.split(".")[0] + + message = f"{dotstring_key} is now an environment variable: {environment_variable_name}" + log_file_name = "alert.log" + write_to_file(f"{message}\n", os.path.join(logs_dir, log_file_name), "a") + + env_dict = {"name": environment_variable_name, "value": val} + + if service_name != "": + env_var_results[service_name] = env_var_results.get(service_name, {}) + if env_var_results[service_name].get("extraEnv"): + env_var_results[service_name]["extraEnv"].append(env_dict) + else: + env_var_results[service_name]["extraEnv"] = [env_dict] + else: + env_var_results["extraEnv"] = env_var_results.get("extraEnv", []) + env_var_results["extraEnv"].append(env_dict) + continue + + elif f"{keys[0]}" in keys_without_changes: + log_file_name = "info.log" + write_to_file(f"{dotstring_key}: being carried over directly because there should be no changes\n", os.path.join(logs_dir, 
log_file_name), "a") + update_result = True + elif dependency_charts_keys.get(f"{keys[0]}"): + new_dep_key = dependency_charts_keys.get(f"{keys[0]}") + log_file_name = "dependency-chart-alert.log" + write_to_file(f"{dotstring_key}: {keys[0]} changed to {new_dep_key} but inner keys should be checked.\n", os.path.join(logs_dir, log_file_name), "a") + keys[0] = new_dep_key + dotstring_key = ".".join(keys) + update_result = True + elif f"{keys[0]}" in check_last: + keys.pop(0) + dotstring_key = ".".join(keys) + update_result = True + + if update_result: + dict_key = create_dict_entry(dotstring_key, val) + result = merge_dicts(result, dict_key) + elif errored: + if dotstring_key.split('.')[0] in deprecated_keys: + message = f"{dotstring_key}: not found. likely deprecated.\n" + else: + message = f"{dotstring_key}: not found.\n" + log_file_name = "error.log" + write_to_file(message, os.path.join(logs_dir, log_file_name), "a") + return result, env_var_results + +def create_new_dotstring(keys: list, dotstring: str, level: int) -> str: + new_keys = dotstring.split(".") + new_keys.extend(keys[level:]) + dotstring_key = ".".join(new_keys) + return dotstring_key + +def create_dict_entry(dotstring, value): + result = {} + current_dict = result + keys = dotstring.split('.') + + for index, key in enumerate(keys): + if index == len(keys) - 1: + current_dict[key] = value + else: + # creates the key with an empty map as a value because theres more to come + current_dict[key] = {} + current_dict = current_dict[key] + return result + +def merge_dicts(dict1, dict2): + merged_dict = dict1.copy() + + for key, value in dict2.items(): + if key in merged_dict and isinstance(merged_dict[key], dict) and isinstance(value, dict): + merged_dict[key] = merge_dicts(merged_dict[key], value) + else: + merged_dict[key] = value + + return merged_dict \ No newline at end of file diff --git a/scripts/mappings.py b/scripts/mappings.py new file mode 100644 index 00000000..90d329d1 --- /dev/null 
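Review bot: `convert_values_file` calls `prep_dir(path=results_dir, clean=True)` before the input file is even opened, and `prep_dir` does `shutil.rmtree(path)` on whatever `-d` named, so a mistyped or pre-existing results directory (for example `.` or the mounted `/tmp`) is deleted without confirmation. At minimum the clean step should refuse a directory that exists and is non-empty unless it is the tool's own previous output, or only delete the specific files it writes. Two smaller defects in the same hunk: the list branch of the `extraEnv` merge loop does `enterprise_chart_values_dict[key] + val`, which raises `KeyError` whenever the global env-var mapping produced an `extraEnv` list but no mapped key created that top-level entry in `result` — use `enterprise_chart_values_dict.get(key, []) + val`; and the `merge` post-processing action joins `dot_string_dict.get(merge_key)` values with `":"`, which raises `TypeError` when only one of `cloudsql.image.repository`/`cloudsql.image.tag` is present, so the missing member should be skipped or defaulted to `""` before the join.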
+++ b/scripts/mappings.py 
@@ -0,0 +1,328 @@ +# If we see this as first level, just skip them +KEYS_WITHOUT_CHANGES = { + "cloudsql", + "ingress", + "fullnameOverride" +} + +# check this last. If this is the last thing, and it starts with this, drop the key. eg anchoreGlobal.something -> something +CHECK_LAST = { + "anchoreEnterpriseGlobal", + "anchoreGlobal" +} + +# if first level in dep charts, and no matches in any of mapping, log to file +DEPENDENCY_CHARTS = { + "anchore-feeds-db": "feeds-db", + "anchore-feeds-gem-db": "gem-db", + "anchore-ui-redis": "ui-redis", + "postgresql": "postgresql", + "ui-redis": "ui-redis" +} + +# if second key is in this list, replace first key with the value from TOP_LEVEL_MAPPING +KUBERNETES_KEYS = { + "affinity", + "annotations", + "deploymentAnnotations", + "extraEnv", + "labels", + "nodeSelector", + "replicaCount", + "resources", + "service", + "tolerations", + "serviceAccountName" +} +TOP_LEVEL_MAPPING = { + "anchore-feeds-db": "feeds.feeds-db", + "anchore-feeds-gem-db": "feeds.gem-db", + "anchore-ui-redis": "ui-redis", + "anchoreAnalyzer": "analyzer", + "anchoreApi": "api", + "anchoreCatalog": "catalog", + "anchoreEnterpriseEngineUpgradeJob": "upgradeJob", + "anchoreEnterpriseFeeds": "feeds", + "anchoreEnterpriseFeedsUpgradeJob": "feeds.feedsUpgradeJob", + "anchoreEnterpriseNotifications": "notifications", + "anchoreEnterpriseRbac": "rbacManager", + "anchoreEnterpriseReports": "reports", + "anchoreEnterpriseUi": "ui", + "anchorePolicyEngine": "policyEngine", + "anchoreSimpleQueue": "simpleQueue", + "ingress": "ingress" +} + +LEVEL_TWO_CHANGE_KEY_MAPPING = { + "anchore-feeds-db.externalEndpoint": "feeds.feeds-db.externalEndpoint", + "anchoreEnterpriseUi.customLinks": "anchoreConfig.ui.custom_links", + "anchoreEnterpriseUi.enableAddRepositories": "anchoreConfig.ui.enable_add_repositories", + "anchoreEnterpriseFeeds.url": "feeds.url", + ######################################################################## + ################ TEST configfile, set malware 
stuff #################### + ######################################################################## + "anchoreAnalyzer.configFile": "anchoreConfig.analyzer.configFile", + "anchoreApi.external": "anchoreConfig.apiext.external", + "anchoreCatalog.analysis_archive": "anchoreConfig.catalog.analysis_archive", + "anchoreCatalog.cycleTimers": "anchoreConfig.catalog.cycle_timers", + "anchoreCatalog.events": "anchoreConfig.catalog.event_log", + "anchoreCatalog.object_store": "anchoreConfig.catalog.object_store", + "anchoreEnterpriseEngineUpgradeJob.enabled": "upgradeJob.enabled", + "anchoreEnterpriseFeeds.cycleTimers": "feeds.anchoreConfig.feeds.cycle_timers", + "anchoreEnterpriseFeeds.dbConfig": "feeds.anchoreConfig.dbConfig", + "anchoreEnterpriseFeeds.debianExtraReleases": "feeds.anchoreConfig.feeds.drivers.debian.releases", + + "anchoreEnterpriseFeeds.gemDriverEnabled": "feeds.anchoreConfig.feeds.drivers.gem.enabled", + "anchoreEnterpriseFeeds.githubDriverEnabled": "feeds.anchoreConfig.feeds.drivers.github.enabled", + "anchoreEnterpriseFeeds.githubDriverToken": "feeds.anchoreConfig.feeds.drivers.github.token", + + "anchoreEnterpriseFeeds.msrcWhitelist": "feeds.anchoreConfig.feeds.drivers.msrc.whitelist", + "anchoreEnterpriseFeeds.msrcDriverEnabled": "feeds.anchoreConfig.feeds.drivers.msrc.enabled", + + "anchoreEnterpriseFeeds.npmDriverEnabled": "feeds.anchoreConfig.feeds.drivers.npm.enabled", + + + "anchoreEnterpriseFeeds.persistence": "feeds.persistence", + "anchoreEnterpriseFeeds.ubuntuExtraReleases": "feeds.anchoreConfig.feeds.drivers.ubuntu.releases", + + "anchoreEnterpriseFeedsUpgradeJob.enabled": "feeds.feedsUpgradeJob.enabled", + "anchoreEnterpriseNotifications.cycleTimers": "anchoreConfig.notifications.cycle_timers", + "anchoreEnterpriseReports.cycleTimers": "anchoreConfig.reports_worker.cycle_timers", + "anchoreEnterpriseUi.appDBConfig": "anchoreConfig.ui.appdb_config", + "anchoreEnterpriseUi.authenticationLock": "anchoreConfig.ui.authentication_lock", + 
"anchoreEnterpriseUi.existingSecretName": "ui.existingSecretName", + "anchoreEnterpriseUi.image": "ui.image", + "anchoreEnterpriseUi.imagePullPolicy": "ui.imagePullPolicy", + "anchoreEnterpriseUi.ldapsRootCaCertName": "ui.ldapsRootCaCertName", + "anchoreGlobal.dbConfig": "anchoreConfig.database", + "anchoreGlobal.internalServicesSsl": "anchoreConfig.internalServicesSSL", + "anchoreGlobal.policyBundles": "anchoreConfig.policyBundles", + "anchoreGlobal.webhooks": "anchoreConfig.webhooks", + "anchorePolicyEngine.cycleTimers": "anchoreConfig.policy_engine.cycle_timers", + "anchorePolicyEngine.overrideFeedsToUpstream": "anchoreConfig.policy_engine.overrideFeedsToUpstream", + + "postgresql.externalEndpoint": "postgresql.externalEndpoint", + "postgresql.persistence": "postgresql.primary.persistence", + "postgresql.extraEnv": "postgresql.primary.extraEnvVars", + "anchore-feeds-db.extraEnv": "feeds.feeds-db.primary.extraEnvVars", + "anchore-feeds-gem-db.extraEnv": "feeds.gem-db.primary.extraEnvVars", + + "anchore-feeds-gem-db.persistence": "feeds.gem-db.primary.persistence", + "anchore-feeds-db.persistence": "feeds.feeds-db.primary.persistence", + + "anchoreEnterpriseRbac.managerResources": "rbacManager.resources", + "anchoreEnterpriseRbac.authResources": "rbacAuth.resources", +} + +LEVEL_THREE_CHANGE_KEY_MAPPING = { + "anchore-feeds-db.persistence.resourcePolicy": "feeds.feeds-db.primary.persistence.resourcePolicy", + "anchore-feeds-db.persistence.size": "feeds.feeds-db.primary.persistence.size", + "anchoreAnalyzer.cycleTimers.image_analyzer": "anchoreConfig.analyzer.cycle_timers.image_analyzer", + "anchoreGlobal.saml.secret": "anchoreConfig.keys.secret", +} + +# We need to go all the way down to the value. 
Replace the whole original key +FULL_CHANGE_KEY_MAPPING = { + "postgresql.enabled": "postgresql.chartEnabled", + "postgresql.postgresDatabase": "postgresql.auth.database", + "postgresql.postgresPassword": "postgresql.auth.password", + "postgresql.postgresUser": "postgresql.auth.username", + "postgresql.postgresPort": "postgresql.primary.service.ports.postgresql", + "postgresql.imageTag": "postgresql.imageTag", + + "anchore-feeds-db.imageTag": "feeds.feeds-db.image.tag", + "anchore-feeds-gem-db.imageTag": "feeds.gem-db.image.tag", + "anchore-feeds-db.enabled": "feeds.feeds-db.chartEnabled", + + "anchore-feeds-db.postgresDatabase": "feeds.feeds-db.auth.database", + "anchore-feeds-db.postgresPassword": "feeds.feeds-db.auth.password", + "anchore-feeds-db.postgresPort": "feeds.feeds-db.primary.service.ports.postgresql", + "anchore-feeds-db.postgresUser": "feeds.feeds-db.auth.username", + + "anchore-feeds-gem-db.enabled": "feeds.gem-db.chartEnabled", + "anchore-feeds-gem-db.externalEndpoint": "feeds.gem-db.externalEndpoint", + + + "anchore-feeds-gem-db.postgresDatabase": "feeds.gem-db.auth.database", + "anchore-feeds-gem-db.postgresPassword": "feeds.gem-db.auth.password", + "anchore-feeds-gem-db.postgresPort": "feeds.gem-db.primary.service.ports.postgresql", + "anchore-feeds-gem-db.postgresUser": "feeds.gem-db.auth.username", + + + "anchoreAnalyzer.concurrentTasksPerWorker": "anchoreConfig.analyzer.max_threads", + "anchoreAnalyzer.containerPort": "analyzer.service.port", + "anchoreAnalyzer.enableHints": "anchoreConfig.analyzer.enable_hints", + + "anchoreAnalyzer.layerCacheMaxGigabytes": "anchoreConfig.analyzer.layer_cache_max_gigabytes", + "anchoreApi.external.use_tls": "anchoreConfig.apiext.external.useTLS", + "anchoreCatalog.downAnalyzerTaskRequeue": "anchoreConfig.catalog.down_analyzer_task_requeue", + "anchoreCatalog.runtimeInventory.imageTTLDays": "anchoreConfig.catalog.runtime_inventory.image_ttl_days", + "anchoreEnterpriseFeeds.enabled": "feeds.chartEnabled", + 
"anchoreEnterpriseFeeds.nvdDriverApiKey": "feeds.anchoreConfig.feeds.drivers.nvdv2.api_key", + "anchoreEnterpriseNotifications.uiUrl": "anchoreConfig.notifications.ui_url", + + "anchoreEnterpriseRbac.service.managerPort": "rbacManager.service.port", + "anchoreEnterpriseRbac.service.type": "rbacManager.service.type", + + + "anchoreEnterpriseReports.dataEgressWindow": "anchoreConfig.reports_worker.data_egress_window", + "anchoreEnterpriseReports.dataLoadMaxWorkers": "anchoreConfig.reports_worker.data_load_max_workers", + "anchoreEnterpriseReports.dataRefreshMaxWorkers": "anchoreConfig.reports_worker.data_refresh_max_workers", + "anchoreEnterpriseReports.enableDataEgress": "anchoreConfig.reports_worker.enable_data_egress", + "anchoreEnterpriseReports.enableDataIngress": "anchoreConfig.reports_worker.enable_data_ingress", + "anchoreEnterpriseReports.enableGraphiql": "anchoreConfig.reports.enable_graphiql", + "anchoreEnterpriseReports.service.apiPort": "reports.service.port", + "anchoreEnterpriseUi.enableProxy": "anchoreConfig.ui.enable_proxy", + "anchoreEnterpriseUi.enableSharedLogin": "anchoreConfig.ui.enable_shared_login", + "anchoreEnterpriseUi.enableSsl": "anchoreConfig.ui.enable_ssl", + "anchoreEnterpriseUi.enrichInventoryView": "anchoreConfig.ui.enrich_inventory_view", + "anchoreEnterpriseUi.forceWebsocket": "anchoreConfig.ui.force_websocket", + "anchoreEnterpriseUi.logLevel": "anchoreConfig.ui.log_level", + "anchoreEnterpriseUi.dbUser": "ui.dbUser", + "anchoreEnterpriseUi.dbPass": "ui.dbPass", + "anchoreEnterpriseUi.redisHost": "anchoreConfig.ui.redis_host", + "anchoreEnterpriseUi.redisFlushdb": "anchoreConfig.ui.redis_flushdb", + "anchoreGlobal.dbConfig.connectionPoolMaxOverflow": "anchoreConfig.database.db_pool_max_overflow", + "anchoreGlobal.dbConfig.connectionPoolSize": "anchoreConfig.database.db_pool_size", + "anchoreGlobal.dbConfig.sslRootCertName": "anchoreConfig.database.sslRootCertFileName", + "anchoreGlobal.defaultAdminEmail": 
"anchoreConfig.default_admin_email", + "anchoreGlobal.defaultAdminPassword": "anchoreConfig.default_admin_password", + "anchoreGlobal.enableMetrics": "anchoreConfig.metrics.enabled", + "anchoreGlobal.hashedPasswords": "anchoreConfig.user_authentication.hashed_passwords", + "anchoreGlobal.internalServicesSsl.certSecretCertName": "anchoreConfig.internalServicesSSL.certSecretCertFileName", + "anchoreGlobal.internalServicesSsl.certSecretKeyName": "anchoreConfig.internalServicesSSL.certSecretKeyFileName", + "anchoreGlobal.logLevel": "anchoreConfig.log_level", + "anchoreGlobal.metricsAuthDisabled": "anchoreConfig.metrics.auth_disabled", + "anchoreGlobal.oauthEnabled": "anchoreConfig.user_authentication.oauth.enabled", + "anchoreGlobal.oauthRefreshTokenExpirationSeconds": "anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds", + "anchoreGlobal.oauthTokenExpirationSeconds": "anchoreConfig.user_authentication.oauth.default_token_expiration_seconds", + "anchoreGlobal.saml.privateKeyName": "anchoreConfig.keys.privateKeyFileName", + "anchoreGlobal.saml.publicKeyName": "anchoreConfig.keys.publicKeyFileName", + "anchoreGlobal.serviceDir": "anchoreConfig.service_dir", + "anchoreGlobal.ssoRequireExistingUsers": "anchoreConfig.user_authentication.sso_require_existing_users", + "cloudsql.image.pullPolicy": "cloudsql.imagePullPolicy", + "inject_secrets_via_env": "injectSecretsViaEnv", + + + "ui-redis.enabled": "ui-redis.chartEnabled", + "anchoreGlobal.allowECRUseIAMRole": "anchoreConfig.allow_awsecr_iam_auto", +} + +#### ENGINE TO ENTERPRISE FOR KEYS THAT ARE NOW ENV VARS #### +ENTERPRISE_ENV_VAR_MAPPING = { + "anchoreAnalyzer.maxRequestThreads": "analyzer.ANCHORE_MAX_REQUEST_THREADS", + "anchoreAnalyzer.enableOwnedPackageFiltering": "analyzer.ANCHORE_OWNED_PACKAGE_FILTERING_ENABLED", + "anchoreApi.maxRequestThreads": "api.ANCHORE_MAX_REQUEST_THREADS", + "anchoreCatalog.maxRequestThreads": "catalog.ANCHORE_MAX_REQUEST_THREADS", + 
"anchoreCatalog.imageGCMaxWorkerThreads": "catalog.ANCHORE_CATALOG_IMAGE_GC_WORKERS", + + "anchoreEnterpriseNotifications.maxRequestThreads": "notifications.ANCHORE_MAX_REQUEST_THREADS", + "anchoreEnterpriseRbac.maxRequestThreads": "rbacAuth.ANCHORE_MAX_REQUEST_THREADS", + "anchoreEnterpriseReports.maxRequestThreads": "reports.ANCHORE_MAX_REQUEST_THREADS", + + "anchoreGlobal.clientConnectTimeout": "ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT", + "anchoreGlobal.clientReadTimeout": "ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT", + "anchoreGlobal.maxCompressedImageSizeMB": "ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB", + "anchoreGlobal.serverRequestTimeout": "ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC", + "anchoreGlobal.syncGithub": "ANCHORE_FEEDS_GITHUB_ENABLED", + "anchoreGlobal.syncPackages": "ANCHORE_FEEDS_PACKAGES_ENABLED", + "anchoreGlobal.syncVulnerabilites": "ANCHORE_FEEDS_VULNERABILITIES_ENABLED", + "anchoreGlobal.syncNvd": "ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED", + "anchoreGlobal.imageAnalyzeTimeoutSeconds": "ANCHORE_IMAGE_ANALYZE_TIMEOUT_SECONDS", + + "anchorePolicyEngine.cacheTTL": "policyEngine.ANCHORE_POLICY_EVAL_CACHE_TTL_SECONDS", + "anchorePolicyEngine.enablePackageDbLoad": "policyEngine.ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD", + "anchorePolicyEngine.maxRequestThreads": "policyEngine.ANCHORE_MAX_REQUEST_THREADS", + "anchoreSimpleQueue.maxRequestThreads": "simpleQueue.ANCHORE_MAX_REQUEST_THREADS", + +} + +#### ENGINE TO FEEDS KEYS THAT ARE NOW ENV VARS #### +FEEDS_ENV_VAR_MAPPING = { + + "anchoreEnterpriseFeeds.alpineDriverEnabled": "feeds.ANCHORE_FEEDS_DRIVER_ALPINE_ENABLED", + "anchoreEnterpriseFeeds.amazonDriverEnabled": "feeds.ANCHORE_FEEDS_DRIVER_AMAZON_ENABLED", + "anchoreEnterpriseFeeds.anchoreMatchExclusionsEnabled": "feeds.ANCHORE_FEEDS_DRIVER_MATCH_EXCLUSIONS", + "anchoreEnterpriseFeeds.apiOnly": "feeds.ANCHORE_FEEDS_API_ONLY", + "anchoreEnterpriseFeeds.chainguardDriverEnabled": "feeds.ANCHORE_FEEDS_DRIVER_CHAINGUARD_ENABLED", + 
"anchoreEnterpriseFeeds.debianDriverEnabled": "feeds.ANCHORE_FEEDS_DRIVER_DEBIAN_ENABLED", + "anchoreEnterpriseFeeds.grypeDriverEnabled": "feeds.ANCHORE_FEEDS_DRIVER_GRYPEDB_ENABLED", + "anchoreEnterpriseFeeds.grypedbPersistProviderWorkspaces": "feeds.ANCHORE_FEEDS_GRYPEDB_PERSIST_WORKSPACE", + "anchoreEnterpriseFeeds.grypedbPreloadEnabled": "feeds.ANCHORE_FEEDS_GRYPEDB_PRELOAD_ENABLED", + "anchoreEnterpriseFeeds.grypedbPreloadWorkspaceArchivePath": "feeds.ANCHORE_FEEDS_GRYPEDB_PRELOAD_PATH", + "anchoreEnterpriseFeeds.grypedbRestoreProviderWorkspaces": "feeds.ANCHORE_FEEDS_GRYPEDB_RESTORE_WORKSPACE", + "anchoreEnterpriseFeeds.maxRequestThreads": "feeds.ANCHORE_MAX_REQUEST_THREADS", + + "anchoreEnterpriseFeeds.olDriverEnabled": "feeds.ANCHORE_FEEDS_DRIVER_OL_ENABLED", + "anchoreEnterpriseFeeds.rhelDriverConcurrency": "feeds.ANCHORE_FEEDS_DRIVER_RHEL_CONCURRENCY", + "anchoreEnterpriseFeeds.rhelDriverEnabled": "feeds.ANCHORE_FEEDS_DRIVER_RHEL_ENBALED", + "anchoreEnterpriseFeeds.slesDriverEnabled": "feeds.ANCHORE_FEEDS_DRIVER_SLES_ENABLED", + "anchoreEnterpriseFeeds.ubuntuDriverEnabled": "feeds.ANCHORE_FEEDS_DRIVER_UBUNTU_ENABLED", + "anchoreEnterpriseFeeds.ubuntuDriverGitBranch": "feeds.ANCHORE_FEEDS_DRIVER_UBUNTU_BRANCH", + "anchoreEnterpriseFeeds.ubuntuDriverGitUrl": "feeds.ANCHORE_FEEDS_DRIVER_UBUNTU_URL", + "anchoreEnterpriseFeeds.wolfiDriverEnabled": "feeds.ANCHORE_FEEDS_DRIVER_WOLFI_ENABLED", + "anchoreEnterpriseFeeds.nvdv2DriverEnabled": "feeds.ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED", +} + +#### VALUES THAT ARE NO LONGER PART OF THE NEW CHART #### +DEPRECATED_KEYS = { + + "anchoreEngineUpgradeJob": "deprecated", + + "anchoreEnterpriseFeeds.nvdDriverEnabled": "deprecated", + "anchoreEnterpriseFeeds.useNvdDriverApiKey": "deprecated", + + "anchoreEnterpriseGlobal.enabled": "deprecated", + "anchoreEnterpriseNotifications.enabled": "deprecated", + "anchoreEnterpriseRbac.enabled": "deprecated", + "anchoreEnterpriseRbac.service.authPort": "8089", + 
"anchoreEnterpriseReports.enabled": "deprecated", + "anchoreEnterpriseUi.enabled": "deprecated", + "anchoreGlobal.feedsConnectionTimeout": "3", + "anchoreGlobal.feedsReadTimeout": "60", + "anchoreGlobal.image": "deprecated", + + "anchoreGlobal.imagePullPolicy": "deprecated", + "anchoreGlobal.imagePullSecretName": "deprecated", + "anchoreGlobal.syncGrypeDB": "true", + "anchoreGlobal.webhooksEnabled": "deprecated", + "postgresql.persistence.resourcePolicy": "deprecated", + "anchoreGlobal.saml.useExistingSecret": "deprecated", + "anchoreEnterpriseReports.service.workerPort": "deprecated", +} + +POST_PROCESSING = { + "postgresql.image": { + "action": "split_value", + "split_on": ":", + "new_keys": ("postgresql.image.repository", "postgresql.image.tag") + }, + "anchore-feeds-db.image": { + "action": "split_value", + "split_on": ":", + "new_keys": ("feeds.feeds-db.image.repository", "feeds.feeds-db.image.tag") + }, + "anchore-feeds-gem-db.image": { + "action": "split_value", + "split_on": ":", + "new_keys": ("feeds.gem-db.image.repository", "feeds.gem-db.image.tag") + }, + "cloudsql.image.repository": { + "action": "merge", + "merge_keys": ("cloudsql.image.repository", "cloudsql.image.tag"), + "new_key": "cloudsql.image" + }, + "cloudsql.image.tag": { + "action": "merge", + "merge_keys": ("cloudsql.image.repository", "cloudsql.image.tag"), + "new_key": "cloudsql.image" + }, + "anchoreEnterpriseRbac.extraEnv": { + "action": "duplicate", + "new_keys": ["rbacAuth.extraEnv", "rbacManager.extraEnv"] + }, + "anchoreEnterpriseFeeds.existingSecretName": { + "action": "key_addition", + "new_keys": [("feeds.existingSecretName", "default"), ("feeds.useExistingSecrets", True)] + } +} diff --git a/scripts/tests/configs/test_convert_values_file.yaml b/scripts/tests/configs/test_convert_values_file.yaml new file mode 100644 index 00000000..8d2d86e3 --- /dev/null +++ b/scripts/tests/configs/test_convert_values_file.yaml 
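Review bot: `"anchoreEnterpriseFeeds.rhelDriverEnabled": "feeds.ANCHORE_FEEDS_DRIVER_RHEL_ENBALED"` looks like a typo — every sibling entry in `FEEDS_ENV_VAR_MAPPING` ends in `_ENABLED`, and `replace_keys_with_mappings` copies this string verbatim into the generated `extraEnv`, so a migrated values file would silently set a variable the feeds service presumably never reads and the RHEL driver setting would be lost; the intended value is almost certainly `"feeds.ANCHORE_FEEDS_DRIVER_RHEL_ENABLED"`. The header comment on `KEYS_WITHOUT_CHANGES` says "just skip them", but the helper carries those keys over unchanged (logging to `info.log`), so the comment should read `# If we see this as first level, carry the key over unchanged`. `DEPRECATED_KEYS` mixes the marker `"deprecated"` with literal values such as `"8089"`, `"3"`, `"60"` and `"true"`; since the lookup only tests truthiness, a comment stating that the value is informational (the old default) or normalising all entries to `"deprecated"` would stop a reader from assuming those values are applied.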
@@ -0,0 +1,15 @@
+anchoreEnterpriseGlobal:
+ enabled: true
+
+anchoreGlobal:
+ useExistingSecrets: true
+ existingSecretName: global-existing-secrets
+
+anchoreEnterpriseUi:
+ existingSecretName: ui-existing-secrets
+
+anchoreEnterpriseFeeds:
+ existingSecretName: feeds-existing-secrets
+
+anchoreApi:
+ maxRequestThreads: 9876543210
\ No newline at end of file
diff --git a/scripts/tests/configs/test_convert_values_file_result.yaml b/scripts/tests/configs/test_convert_values_file_result.yaml
new file mode 100644
index 00000000..18fa8a86
--- /dev/null
+++ b/scripts/tests/configs/test_convert_values_file_result.yaml
@@ -0,0 +1,11 @@
+"existingSecretName": "global-existing-secrets"
+"feeds":
+ "existingSecretName": "feeds-existing-secrets"
+ "useExistingSecrets": true
+"ui":
+ "existingSecretName": "ui-existing-secrets"
+"useExistingSecrets": true
+"api":
+ "extraEnv":
+ - "name": "ANCHORE_MAX_REQUEST_THREADS"
+ "value": 9876543210
\ No newline at end of file
diff --git a/scripts/tests/test_anchoreAnalyzer_value_mapping.py b/scripts/tests/test_anchoreAnalyzer_value_mapping.py
new file mode 100644
index 00000000..5e112c70
--- /dev/null
+++ b/scripts/tests/test_anchoreAnalyzer_value_mapping.py
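Review bot: The expected output pins `"value": 9876543210` as a YAML integer inside `api.extraEnv`, but a Kubernetes `env[].value` is a string field, so if the chart renders `extraEnv` straight into the container spec (e.g. via `toYaml`) the API server will reject the manifest with a "cannot unmarshal number into ... EnvVar.value of type string" error. The converter should stringify every value it relocates into an `extraEnv` entry, and this fixture should then expect `"value": "9876543210"`. The Python expectations in the sibling test files that pin `'value': 999`, `3600` and `True` for environment variables have the same problem. Whether the template quotes these values itself is not visible here, so confirm against the enterprise chart's deployment templates before changing the fixture.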
@@ -0,0 +1,345 @@ +import os +import shutil +import unittest +from helpers import ( + replace_keys_with_mappings, +) + +class TestReplaceKeysWithMappingsAnalyzer(unittest.TestCase): + def setUp(self): + self.results_dir = "test_results_dir" + + def tearDown(self): + if os.path.exists(self.results_dir): + shutil.rmtree(self.results_dir) + + def test_anchoreAnalyzer_replicaCount_value(self): + dot_string_dict = { + "anchoreAnalyzer.replicaCount": 2, + } + expected_result = { + 'analyzer': { + 'replicaCount': 2 + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreAnalyzer_containerPort_value(self): + dot_string_dict = { + "anchoreAnalyzer.containerPort": 8084, + } + expected_result = { + 'analyzer': { + 'service': { + 'port': 8084 + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreAnalyzer_extraEnv_value(self): + dot_string_dict = { + "anchoreAnalyzer.extraEnv": [ + { + "name": "foo", + "value": "bar" + } + ] + } + expected_result = { + 'analyzer': { + 'extraEnv': [ + { + 'name': 'foo', + 'value': 'bar' + } + ] + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreAnalyzer_serviceAccountName_value(self): + dot_string_dict = { + "anchoreAnalyzer.serviceAccountName": "foo", + } + expected_result = { + 'analyzer': { + 'serviceAccountName': 'foo' + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreAnalyzer_resources_value(self): + dot_string_dict = { + "anchoreAnalyzer.resources.limits.cpu": 1, + "anchoreAnalyzer.resources.limits.memory": "4G", + "anchoreAnalyzer.resources.requests.cpu": 1, + "anchoreAnalyzer.resources.requests.memory": "1G", + } + expected_result = { + 'analyzer': { + 
'resources': { + 'limits': { + 'cpu': 1, + 'memory': '4G' + }, + 'requests': { + 'cpu': 1, + 'memory': '1G' + } + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreAnalyzer_labels_value(self): + dot_string_dict = { + "anchoreAnalyzer.labels.name": "foo", + "anchoreAnalyzer.labels.value": "bar", + "anchoreAnalyzer.labels.kubernetes.io/description": "baz", + } + expected_result = { + 'analyzer': { + 'labels': + { + 'name': 'foo', + 'value': 'bar', + 'kubernetes.io/description': 'baz' + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreAnalyzer_annotations_value(self): + dot_string_dict = { + "anchoreAnalyzer.annotations.name": "foo", + "anchoreAnalyzer.annotations.value": "bar", + "anchoreAnalyzer.annotations.kubernetes.io/description": "baz", + } + expected_result = { + 'analyzer': { + 'annotations': + { + 'name': 'foo', + 'value': 'bar', + 'kubernetes.io/description': 'baz' + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreanalyzer_deploymentAnnotations_value(self): + dot_string_dict = { + "anchoreAnalyzer.deploymentAnnotations.name": "foo", + "anchoreAnalyzer.deploymentAnnotations.value": "bar", + } + expected_result = { + 'analyzer': { + 'deploymentAnnotations': { + 'name': 'foo', + 'value': 'bar' + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreAnalyzer_nodeSelector_value(self): + dot_string_dict = { + "anchoreAnalyzer.nodeSelector.name": "foo", + "anchoreAnalyzer.nodeSelector.value": "bar", + + } + expected_result = { + 'analyzer': { + 'nodeSelector': + { + 'name': 'foo', + 'value': 'bar' + } + + } + } + result = replace_keys_with_mappings(dot_string_dict, 
self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreAnalyzer_tolerations_value(self): + dot_string_dict = { + "anchoreAnalyzer.tolerations": [ + { + "name": "foo", + "value": "bar" + } + ] + } + expected_result = { + 'analyzer': { + 'tolerations': [ + { + 'name': 'foo', + 'value': 'bar' + } + ] + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreAnalyzer_affinity_value(self): + dot_string_dict = { + "anchoreAnalyzer.affinity.name": "foo", + "anchoreAnalyzer.affinity.value": "bar", + } + expected_result = { + 'analyzer': { + 'affinity': { + 'name': 'foo', + 'value': 'bar' + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreAnalyzer_cycleTimers_image_analyzer_value(self): + dot_string_dict = { + "anchoreAnalyzer.cycleTimers.image_analyzer": 1, + } + expected_result = { + 'anchoreConfig': { + 'analyzer': { + 'cycle_timers': { + 'image_analyzer': 1 + } + } + } + + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreAnalyzer_concurrentTasksPerWorker_value(self): + dot_string_dict = { + "anchoreAnalyzer.concurrentTasksPerWorker": 1, + } + expected_result = { + 'anchoreConfig': { + 'analyzer': { + 'max_threads': 1 + } + } + + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreAnalyzer_layerCacheMaxGigabytes_value(self): + dot_string_dict = { + "anchoreAnalyzer.layerCacheMaxGigabytes": 1, + } + expected_result = { + 'anchoreConfig': { + 'analyzer': { + 'layer_cache_max_gigabytes': 1 + } + } + + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreAnalyzer_enableHints_value(self): + 
dot_string_dict = { + "anchoreAnalyzer.enableHints": False, + } + expected_result = { + 'anchoreConfig': { + 'analyzer': { + 'enable_hints': False + } + } + + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreAnalyzer_configFile_value(self): + dot_string_dict = { + "anchoreAnalyzer.configFile.retrieve_files.file_list": [ + "/etc/passwd" + ], + "anchoreAnalyzer.configFile.secret_search.match_params": [ + "MAXFILESIZE=10000", + "STOREONMATCH=n" + ], + "anchoreAnalyzer.configFile.secret_search.regexp_match": [ + "AWS_ACCESS_KEY=(?i).*aws_access_key_id( *=+ *).*(?/", + } + + expected_result = { + 'anchoreConfig': { + 'webhooks': { + 'ssl_verify': False, + 'url': 'http://somehost:9090//', + 'webhook_pass': 'my-webhook-pass', + 'webhook_user': 'my-webhook-user' + } + } + } + + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreGlobal_policyBundles_values(self): + dot_string_dict = { + 'anchoreGlobal.policyBundles.custom_policy_bundle1.json': '{\n "id": "custom1",\n "version": "1_0",\n "name": "My custom bundle",\n "comment": "My system\'s custom bundle",\n "whitelisted_images": [],\n "blacklisted_images": [],\n "mappings": [],\n "whitelists": [],\n "policies": []\n}\n' + } + + expected_result = { + 'anchoreConfig': { + 'policyBundles': { + 'custom_policy_bundle1': { + 'json': '{\n "id": "custom1",\n "version": "1_0",\n "name": "My custom bundle",\n "comment": "My system\'s custom bundle",\n "whitelisted_images": [],\n "blacklisted_images": [],\n "mappings": [],\n "whitelists": [],\n "policies": []\n}\n' + } + } + } + } + + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreGlobal_probes_values(self): + dot_string_dict = { + "anchoreGlobal.probes.liveness.initialDelaySeconds": 120, + 
"anchoreGlobal.probes.liveness.timeoutSeconds": 10, + "anchoreGlobal.probes.liveness.periodSeconds": 10, + "anchoreGlobal.probes.liveness.failureThreshold": 6, + "anchoreGlobal.probes.liveness.successThreshold": 1, + "anchoreGlobal.probes.readiness.timeoutSeconds": 10, + "anchoreGlobal.probes.readiness.periodSeconds": 10, + "anchoreGlobal.probes.readiness.failureThreshold": 3, + "anchoreGlobal.probes.readiness.successThreshold": 1, + } + + expected_result = { + 'probes': { + 'liveness': { + 'failureThreshold': 6, + 'initialDelaySeconds': 120, + 'periodSeconds': 10, + 'successThreshold': 1, + 'timeoutSeconds': 10 + }, + 'readiness': { + 'failureThreshold': 3, + 'periodSeconds': 10, + 'successThreshold': 1, + 'timeoutSeconds': 10 + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + # inject_secrets_via_env: false + def test_anchoreGlobal_inject_secrets_via_env_value(self): + dot_string_dict = { + "inject_secrets_via_env": True, + } + expected_result = { + 'injectSecretsViaEnv': True + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + # def test_replace_keys_with_mappings_env_var(self): + + # dot_string_dict = {"anchoreApi.maxRequestThreads": 999} + # expected_result = { + # 'api': + # {'extraEnv': [ + # {'name': 'ANCHORE_MAX_REQUEST_THREADS', 'value': 999} + # ]} + # } + # result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + # self.assertEqual(result[1], expected_result) + + # def test_replace_keys_with_mappings(self): + + # dot_string_dict = {"anchore-feeds-db.persistence.size": 100} + # expected_result = { + # "feeds": { + # "feeds-db": { + # "primary": { + # "persistence": { + # "size": 100 + # } + # } + # } + # } + # } + # result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + # self.assertEqual(result[0], expected_result) + + # now an environment variable + def 
test_anchoreGlobal_serverRequestTimeout_value(self): + dot_string_dict = { + "anchoreGlobal.serverRequestTimeout": 300, + } + expected_result = {} + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + expected_env_result = { + 'extraEnv': + [ + { + 'name': 'ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC', + 'value': 300 + } + ] + } + self.assertEqual(result[1], expected_env_result) + + +if __name__ == '__main__': + unittest.main() \ No newline at end of file diff --git a/scripts/tests/test_anchorePolicyEngine_value_mapping.py b/scripts/tests/test_anchorePolicyEngine_value_mapping.py new file mode 100644 index 00000000..904166f2 --- /dev/null +++ b/scripts/tests/test_anchorePolicyEngine_value_mapping.py 
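Review bot: Two complete test methods are left commented out between `test_anchoreGlobal_inject_secrets_via_env_value` and `test_anchoreGlobal_serverRequestTimeout_value`; they duplicate `TestReplaceKeysWithMappings` in `test_helpers.py` and should simply be deleted rather than carried as dead code. The `# inject_secrets_via_env: false` and `# now an environment variable` comments that remain next to them read as orphaned once the dead block is gone, so rewrite them as a one-line note above `test_anchoreGlobal_serverRequestTimeout_value`, e.g. `# Keys mapped to env vars land in result[1] and must not leak into result[0].` In this rendering `test_anchoreAnalyzer_configFile_value` appears truncated (the `secret_search.regexp_match` entry runs straight into the webhooks `expected_result`), so that test could not be checked here and is worth re-reading in the actual file.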
@@ -0,0 +1,299 @@ +import os +import shutil +import unittest +from helpers import ( + replace_keys_with_mappings, +) + +class TestReplaceKeysWithMappingsPolicyEngine(unittest.TestCase): + def setUp(self): + self.results_dir = "test_results_dir" + + def tearDown(self): + if os.path.exists(self.results_dir): + shutil.rmtree(self.results_dir) + + def test_anchorePolicyEngine_replicaCount_value(self): + dot_string_dict = { + "anchorePolicyEngine.replicaCount": 2, + } + expected_result = { + 'policyEngine': { + 'replicaCount': 2 + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + + def test_anchorePolicyEngine_resources_value(self): + dot_string_dict = { + "anchorePolicyEngine.resources.limits.cpu": 1, + "anchorePolicyEngine.resources.limits.memory": "4G", + "anchorePolicyEngine.resources.requests.cpu": 1, + "anchorePolicyEngine.resources.requests.memory": "1G" + } + expected_result = { + 'policyEngine': { + 'resources': { + 'limits': { + 'cpu': 1, + 'memory': '4G' + }, + 'requests': { + 'cpu': 1, + 'memory': '1G' + } + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchorePolicyEngine_labels_value(self): + dot_string_dict = { + "anchorePolicyEngine.labels.foobar": "baz", + "anchorePolicyEngine.labels.with.a.dot.foobar": "baz" + } + expected_result = { + 'policyEngine': { + 'labels': + { + 'foobar': 'baz', + 'with.a.dot.foobar': 'baz' + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchorePolicyEngine_annotations_value(self): + dot_string_dict = { + "anchorePolicyEngine.annotations.foobar": "baz", + "anchorePolicyEngine.annotations.with.a.dot.foobar": "baz" + } + expected_result = { + 'policyEngine': { + 'annotations': + { + 'foobar': 'baz', + 'with.a.dot.foobar': 'baz' + } + } + } + result = 
replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchorePolicyEngine_deploymentAnnotations_value(self): + dot_string_dict = { + "anchorePolicyEngine.deploymentAnnotations.foobar": "baz", + "anchorePolicyEngine.deploymentAnnotations.with.a.dot.foobar": "baz" + } + expected_result = { + 'policyEngine': { + 'deploymentAnnotations': { + 'foobar': 'baz', + 'with.a.dot.foobar': 'baz' + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchorePolicyEngine_nodeSelector_value(self): + dot_string_dict = { + "anchorePolicyEngine.nodeSelector.name": "foo", + "anchorePolicyEngine.nodeSelector.with.a.dot.name": "bar" + } + expected_result = { + 'policyEngine': { + 'nodeSelector': { + 'name': 'foo', + 'with.a.dot.name': 'bar' + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchorePolicyEngine_tolerations_value(self): + dot_string_dict = { + "anchorePolicyEngine.tolerations": [ + { + "key": "key", + "operator": "Equal", + "value": "value", + "effect": "NoSchedule" + } + ] + } + expected_result = { + 'policyEngine': { + 'tolerations': [ + { + 'key': 'key', + 'operator': 'Equal', + 'value': 'value', + 'effect': 'NoSchedule' + } + ] + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchorePolicyEngine_affinity_value(self): + dot_string_dict = { + "anchorePolicyEngine.affinity.name": "foo", + "anchorePolicyEngine.affinity.with.a.dot.name": "bar" + } + expected_result = { + 'policyEngine': { + 'affinity': + { + 'name': 'foo', + 'with.a.dot.name': 'bar' + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchorePolicyEngine_extraEnv_value(self): + 
dot_string_dict = { + "anchorePolicyEngine.extraEnv": [ + { + "name": "foo", + "value": "bar" + } + ] + } + expected_result = { + 'policyEngine': { + 'extraEnv': [ + { + "name": "foo", + "value": "bar" + } + ] + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchorePolicyEngine_serviceAccountName_value(self): + dot_string_dict = { + "anchorePolicyEngine.serviceAccountName": "Null" + } + expected_result = { + 'policyEngine': { + 'serviceAccountName': "Null" + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + + def test_anchorePolicyEngine_service_value(self): + dot_string_dict = { + "anchorePolicyEngine.service.name": "Null", + "anchorePolicyEngine.service.type": "ClusterIP", + "anchorePolicyEngine.service.port": 8087, + "anchorePolicyEngine.service.annotations.foo": "bar", + "anchorePolicyEngine.service.annotations.with.a.dot": "qux", + "anchorePolicyEngine.service.labels.foobar": "baz", + "anchorePolicyEngine.service.labels.with.a.dot": "qux", + } + + expected_result = { + 'policyEngine': { + 'service': { + "name": "Null", + "type": "ClusterIP", + "port": 8087, + "annotations": { + "foo": "bar", + "with.a.dot": "qux" + }, + "labels": { + "foobar": "baz", + "with.a.dot": "qux" + } + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchorePolicyEngine_cycleTimers_value(self): + dot_string_dict = { + "anchorePolicyEngine.cycleTimers.feed_sync": 14400, + "anchorePolicyEngine.cycleTimers.feed_sync_checker": 3600, + "anchorePolicyEngine.cycleTimers.grypedb_sync": 60, + } + + expected_result = { + 'anchoreConfig': { + 'policy_engine': { + 'cycle_timers': { + "feed_sync": 14400, + "feed_sync_checker": 3600, + "grypedb_sync": 60, + } + } + } + } + result = replace_keys_with_mappings(dot_string_dict, 
self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchorePolicyEngine_overrideFeedsToUpstream_value(self): + dot_string_dict = { + "anchorePolicyEngine.overrideFeedsToUpstream": True + } + + expected_result = { + 'anchoreConfig': { + 'policy_engine': { + 'overrideFeedsToUpstream': True + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + # Values that become environment variables for Anchore Policy Engine + def test_anchorePolicyEngine_cacheTTL_value(self): + dot_string_dict = { + "anchorePolicyEngine.cacheTTL": 3600, + } + + expected_result = { + 'policyEngine': { + 'extraEnv': [ + { + 'name': 'ANCHORE_POLICY_EVAL_CACHE_TTL_SECONDS', + 'value': 3600 + } + ] + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[1], expected_result) + + def test_anchorePolicyEngine_enablePackageDbLoad_value(self): + dot_string_dict = { + "anchorePolicyEngine.enablePackageDbLoad": True, + } + + expected_result = { + 'policyEngine': { + 'extraEnv': [ + { + 'name': 'ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD', + 'value': True + } + ] + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[1], expected_result) \ No newline at end of file diff --git a/scripts/tests/test_anchoreSimpleQueue_value_mapping.py b/scripts/tests/test_anchoreSimpleQueue_value_mapping.py new file mode 100644 index 00000000..1f9312bf --- /dev/null +++ b/scripts/tests/test_anchoreSimpleQueue_value_mapping.py 
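Review bot: `test_anchorePolicyEngine_cacheTTL_value` and `test_anchorePolicyEngine_enablePackageDbLoad_value` assert only `result[1]`, so a regression that also copies the key into the main values dict would still pass; add `self.assertEqual(result[0], {})` before the existing assertion, as `test_anchoreGlobal_serverRequestTimeout_value` in the analyzer test file already does. The expected `'value': True` for `ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD` also pins a Python bool where a Kubernetes env var needs a string; unless the chart template quotes it, the rendered `value: true` will be rejected by the API server, so the mapping should emit `"true"` and the test should expect that.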
@@ -0,0 +1,236 @@ +import os +import shutil +import unittest +from helpers import ( + replace_keys_with_mappings, +) + +class TestReplaceKeysWithMappingsSimpleQueue(unittest.TestCase): + def setUp(self): + self.results_dir = "test_results_dir" + + def tearDown(self): + if os.path.exists(self.results_dir): + shutil.rmtree(self.results_dir) + + def test_anchoreSimpleQueue_replicaCount_value(self): + dot_string_dict = { + "anchoreSimpleQueue.replicaCount": 2, + } + expected_result = { + 'simpleQueue': { + 'replicaCount': 2 + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + + def test_anchoreSimpleQueue_resources_value(self): + dot_string_dict = { + "anchoreSimpleQueue.resources.limits.cpu": 1, + "anchoreSimpleQueue.resources.limits.memory": "4G", + "anchoreSimpleQueue.resources.requests.cpu": 1, + "anchoreSimpleQueue.resources.requests.memory": "1G" + } + expected_result = { + 'simpleQueue': { + 'resources': { + 'limits': { + 'cpu': 1, + 'memory': '4G' + }, + 'requests': { + 'cpu': 1, + 'memory': '1G' + } + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + + def test_anchoreSimpleQueue_labels_value(self): + dot_string_dict = { + "anchoreSimpleQueue.labels.myLabel": "myValue", + "anchoreSimpleQueue.labels.myOtherLabel": "myOtherValue", + "anchoreSimpleQueue.labels.anotherLabel.with.a.dot": "qux" + } + expected_result = { + 'simpleQueue': { + 'labels': + { + 'myLabel': 'myValue', + 'myOtherLabel': 'myOtherValue', + 'anotherLabel.with.a.dot': 'qux' + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreSimpleQueue_annotations_value(self): + dot_string_dict = { + "anchoreSimpleQueue.annotations.foo": "bar", + "anchoreSimpleQueue.annotations.bar": "baz", + "anchoreSimpleQueue.annotations.anotherLabel.with.a.dot": 
"qux" + } + expected_result = { + 'simpleQueue': { + 'annotations': + { + 'foo': 'bar', + 'bar': 'baz', + 'anotherLabel.with.a.dot': 'qux' + } + + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreSimpleQueue_deploymentAnnotations_value(self): + dot_string_dict = { + "anchoreSimpleQueue.deploymentAnnotations.foo": "bar", + "anchoreSimpleQueue.deploymentAnnotations.bar": "baz", + "anchoreSimpleQueue.deploymentAnnotations.anotherLabel.with.a.dot": "qux" + } + expected_result = { + 'simpleQueue': { + 'deploymentAnnotations': + { + 'foo': 'bar', + 'bar': 'baz', + 'anotherLabel.with.a.dot': 'qux' + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreSimpleQueue_nodeSelector_value(self): + dot_string_dict = { + "anchoreSimpleQueue.nodeSelector.name": "foo", + "anchoreSimpleQueue.nodeSelector.value": "bar", + "anchoreSimpleQueue.nodeSelector.anotherLabel.with.a.dot": "baz" + } + expected_result = { + 'simpleQueue': { + 'nodeSelector': + { + 'name': 'foo', + 'value': 'bar', + 'anotherLabel.with.a.dot': 'baz' + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreSimpleQueue_tolerations_value(self): + dot_string_dict = { + "anchoreSimpleQueue.tolerations": [ + { + "name": "foo", + "value": "bar" + } + ] + } + expected_result = { + 'simpleQueue': { + 'tolerations': [ + { + 'name': 'foo', + 'value': 'bar' + } + ] + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreSimpleQueue_affinity_value(self): + dot_string_dict = { + "anchoreSimpleQueue.affinity.name": "foo", + "anchoreSimpleQueue.affinity.value": "bar", + "anchoreSimpleQueue.affinity.anotherLabel.with.a.dot": "baz" + } + expected_result = { 
+ 'simpleQueue': { + 'affinity':{ + 'name': 'foo', + 'value': 'bar', + 'anotherLabel.with.a.dot': 'baz' + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreSimpleQueue_extraEnv_value(self): + dot_string_dict = { + "anchoreSimpleQueue.extraEnv": [ + { + "name": "foo", + "value": "bar" + } + ] + } + expected_result = { + 'simpleQueue': { + 'extraEnv': [ + { + "name": "foo", + "value": "bar" + } + ] + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_anchoreSimpleQueue_serviceAccountName_value(self): + dot_string_dict = { + "anchoreSimpleQueue.serviceAccountName": "Null" + } + expected_result = { + 'simpleQueue': { + 'serviceAccountName': "Null" + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + + def test_anchoreSimpleQueue_service_value(self): + dot_string_dict = { + "anchoreSimpleQueue.service.name": "Null", + "anchoreSimpleQueue.service.type": "ClusterIP", + "anchoreSimpleQueue.service.port": 8082, + "anchoreSimpleQueue.service.annotations.foo": "bar", + "anchoreSimpleQueue.service.annotations.baz": "qux", + "anchoreSimpleQueue.service.annotations.with.a.dot": "quux", + "anchoreSimpleQueue.service.labels.foobar": "baz", + "anchoreSimpleQueue.service.labels.with.a.dot": "qux" + } + expected_result = { + 'simpleQueue': { + 'service': { + "name": "Null", + "type": "ClusterIP", + "port": 8082, + "annotations": { + "foo": "bar", + "baz": "qux", + "with.a.dot": "quux" + }, + "labels": { + "foobar": "baz", + "with.a.dot": "qux" + } + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) \ No newline at end of file 
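Review bot: `tearDown` runs `shutil.rmtree` on the fixed, CWD-relative path `test_results_dir`, so a directory of that name that already exists where the suite is launched is silently deleted, and parallel test runs share and clobber the same directory. Create a private directory per test instead: `self.results_dir = tempfile.mkdtemp(prefix="anchore-test-")` in `setUp` (with `import tempfile`) and `shutil.rmtree(self.results_dir, ignore_errors=True)` in `tearDown`. The same `setUp`/`tearDown` pair is copied into the analyzer, policy-engine and helpers test classes, so the fix should be applied to all of them, ideally via one shared base class.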
diff --git a/scripts/tests/test_helpers.py b/scripts/tests/test_helpers.py
new file mode 100644
index 00000000..1aded896
--- /dev/null
+++ b/scripts/tests/test_helpers.py
@@ -0,0 +1,313 @@ +# test_helpers.py +import os +import shutil +import unittest +import yaml +from helpers import ( + create_new_dotstring, + write_to_file, + prep_dir, + dict_keys_to_dot_string, + merge_dicts, + replace_keys_with_mappings, + create_dict_entry, + convert_values_file +) + +# write_to_file(data, file_name): writes data to file_name, returns file_name +class TestWriteToFile(unittest.TestCase): + def setUp(self): + self.test_filename = 'test_file.txt' + + def tearDown(self): + if os.path.exists(self.test_filename): + os.remove(self.test_filename) + + def test_write_to_file(self): + data = 'Hello, world!' + file_name = write_to_file(data, self.test_filename) + + self.assertTrue(os.path.exists(self.test_filename)) + self.assertEqual(file_name, self.test_filename) + + with open(self.test_filename, 'r') as file: + written_data = file.read() + + self.assertEqual(written_data, data) + +# prep_dir(directory_name, clean=False): creates directory_name if it doesn't exist, returns directory_name +class TestPrepDir(unittest.TestCase): + def empty_dir(self, directory_path): + # if listdir returns an empty list, the directory is empty, return true + return not os.listdir(directory_path) + + def setUp(self): + self.prep_dir_name = 'prep_dir_name' + if os.path.exists(self.prep_dir_name): + shutil.rmtree(self.prep_dir_name) + + def tearDown(self): + if os.path.exists(self.prep_dir_name): + shutil.rmtree(self.prep_dir_name) + + def test_prep_dir_with_clean(self): + # create the self.prep_dir_name directory with some stuff in it to confirm its cleared out + os.makedirs(self.prep_dir_name) + file_path = os.path.join(self.prep_dir_name, "test_file.txt") + + # Create and close an empty file + with open(file_path, 'w'): + pass + + self.assertFalse(self.empty_dir(self.prep_dir_name)) + + # clean=True deletes the whole directory, then recreates it + prep_dir_path = prep_dir(self.prep_dir_name, clean=True) + self.assertTrue(os.path.exists(self.prep_dir_name)) + 
self.assertTrue(self.empty_dir(self.prep_dir_name)) + self.assertEqual(prep_dir_path, self.prep_dir_name) + + def test_prep_dir_without_clean(self): + # create the self.prep_dir_name directory with some stuff in it to confirm its not cleared out + os.makedirs(self.prep_dir_name) + file_path = os.path.join(self.prep_dir_name, "test_file.txt") + + # Create and close an empty file + with open(file_path, 'w'): + pass + + self.assertFalse(self.empty_dir(self.prep_dir_name)) + + # clean=False just creates the directory if it doesn't exist + prep_dir_path = prep_dir(self.prep_dir_name, clean=False) + self.assertTrue(os.path.exists(self.prep_dir_name)) + self.assertEqual(prep_dir_path, self.prep_dir_name) + self.assertFalse(self.empty_dir(self.prep_dir_name)) + +# dict_keys_to_dot_string(dictionary, prefix=''): recursively converts dictionary keys to dot string representation +# # return a dictionary where the keys are dot string representation of the old keys and +# the value is the original values +class TestDictKeysToDotString(unittest.TestCase): + def test_dict_keys_to_dotstring(self): + my_dict = { + "key1": "value1", + "key2": "value2", + "key3": { + "key31": "value31", + "key32": "value32", + "key33": { + "key331": "value331", + "key332": "value332", + "key333": ["value3331", "value3332"] + } + }, + "key4": ["value41", "value42"], + "key5": 5, + "key6": False + } + + result = dict_keys_to_dot_string(my_dict) + + self.assertIn("key1", result) + self.assertEqual(result["key1"], "value1") + self.assertTrue(isinstance(result["key1"], str)) + + self.assertIn("key2", result) + self.assertEqual(result["key2"], "value2") + self.assertTrue(isinstance(result["key2"], str)) + + self.assertIn("key3.key31", result) + self.assertEqual(result["key3.key31"], "value31") + self.assertTrue(isinstance(result["key3.key31"], str)) + + self.assertIn("key3.key32", result) + self.assertEqual(result["key3.key32"], "value32") + self.assertTrue(isinstance(result["key3.key32"], str)) + + 
self.assertIn("key3.key33.key331", result) + self.assertEqual(result["key3.key33.key331"], "value331") + self.assertTrue(isinstance(result["key3.key33.key331"], str)) + + self.assertIn("key3.key33.key332", result) + self.assertEqual(result["key3.key33.key332"], "value332") + self.assertTrue(isinstance(result["key3.key33.key332"], str)) + + self.assertIn("key3.key33.key333", result) + self.assertEqual(result["key3.key33.key333"], ["value3331", "value3332"]) + self.assertTrue(isinstance(result["key3.key33.key333"], list)) + + self.assertIn("key4", result) + self.assertEqual(result["key4"], ["value41", "value42"]) + self.assertTrue(isinstance(result["key4"], list)) + + self.assertIn("key5", result) + self.assertEqual(result["key5"], 5) + self.assertTrue(isinstance(result["key5"], int)) + + self.assertIn("key6", result) + self.assertEqual(result["key6"], False) + self.assertTrue(isinstance(result["key6"], bool)) + + self.assertTrue(isinstance(result, dict)) + +# merge_dicts(dict1, dict2): merges dictionaries, returns merged dictionary +class TestMergeDicts(unittest.TestCase): + def test_merge_dicts(self): + dicts1 = { + "key1": "value1", + "nested_keys": { + "uncommon": "uncommon_value", + "common": "dict1_common_value" + }, + "common_key": "dict1_common_value" + } + + dict2 = { + "key2": "value2", + "nested_keys": { + "common": "dict2_common_value" + }, + "common_key": "dict2_common_value" + } + + expected_dict = { + "key1": "value1", + "key2": "value2", + "nested_keys": { + "uncommon": "uncommon_value", + "common": "dict2_common_value" + }, + "common_key": "dict2_common_value" + } + + merge_dicts_result = merge_dicts(dicts1, dict2) + + self.assertEqual(merge_dicts_result, expected_dict) + +# create_new_dotstring(keys: list, dotstring: str, level: int) -> str +# takes the original key as a list, a dotstring representation of the new key, and the level that the replacement should occur +# strips off the level number from the original key, and appends the dotstring 
representation of the new key as a list to the end of the original key +# returns a string +class TestCreateNewDotString(unittest.TestCase): + def test_create_new_dotstring_level_1(self): + keys = ["key1", "key2", "key3"] + dotstring = "key4" + level = 1 + + expected_result = "key4.key2.key3" + + result = create_new_dotstring(keys, dotstring, level) + + self.assertEqual(result, expected_result) + + def test_create_new_dotstring_level_2(self): + keys = ["key1", "key2", "key3"] + dotstring = "key4" + level = 2 + + expected_result = "key4.key3" + + result = create_new_dotstring(keys, dotstring, level) + + self.assertEqual(result, expected_result) + + def test_create_new_dotstring_level_3(self): + keys = ["key1", "key2", "key3"] + dotstring = "key4" + level = 3 + + expected_result = "key4" + + result = create_new_dotstring(keys, dotstring, level) + + self.assertEqual(result, expected_result) + +# create_dict_entry(dotstring, value) +# takes a dotstring and a value, returns a dictionary where the keys are created from the dot string representation +class TestCreateDictEntry(unittest.TestCase): + def test_create_dict_entry(self): + dotstring = "key1.key2.key3" + value = "value" + + expected_result = { + "key1": { + "key2": { + "key3": "value" + } + } + } + + result = create_dict_entry(dotstring, value) + + self.assertEqual(result, expected_result) + +# convert_values_file(file, results_dir) +class TestConvertValuesFile(unittest.TestCase): + def setUp(self): + original_test_config_file = 'tests/configs/test_convert_values_file.yaml' + self.expected_result_file = 'tests/configs/test_convert_values_file_result.yaml' + self.temp_test_config_file = 'test_values.yaml' + self.test_results_dir = 'test_results_dir' + shutil.copy(original_test_config_file, self.temp_test_config_file) + + def tearDown(self): + if os.path.exists(self.temp_test_config_file): + os.remove(self.temp_test_config_file) + if os.path.exists(self.test_results_dir): + shutil.rmtree(self.test_results_dir) + + 
def test_convert_values_file(self): + convert_values_file(self.temp_test_config_file, self.test_results_dir) + self.assertTrue(os.path.exists(self.test_results_dir)) + self.assertTrue(os.path.exists(os.path.join(self.test_results_dir, 'enterprise.test_values.yaml'))) + self.assertTrue(os.path.exists(os.path.join(self.test_results_dir, 'dotstring.txt'))) + converted = dict() + with open(os.path.join(self.test_results_dir, 'enterprise.test_values.yaml'), 'r') as content: + converted = yaml.safe_load(content) + + with open(self.expected_result_file, 'r') as expected_content: + expected_result = yaml.safe_load(expected_content) + + self.assertEqual(converted, expected_result) + +# replace_keys_with_mappings(dot_string_dict, results_dir): +# returns a dictionary where the keys are created from the dot string representation +class TestReplaceKeysWithMappings(unittest.TestCase): + def setUp(self): + self.results_dir = "test_results_dir" + + def tearDown(self): + if os.path.exists(self.results_dir): + shutil.rmtree(self.results_dir) + + def test_replace_keys_with_mappings(self): + + dot_string_dict = {"anchore-feeds-db.persistence.size": 100} + expected_result = { + "feeds": { + "feeds-db": { + "primary": { + "persistence": { + "size": 100 + } + } + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_replace_keys_with_mappings_env_var(self): + + dot_string_dict = {"anchoreApi.maxRequestThreads": 999} + expected_result = { + 'api': + {'extraEnv': [ + {'name': 'ANCHORE_MAX_REQUEST_THREADS', 'value': 999} + ]} + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[1], expected_result) + +if __name__ == '__main__': + unittest.main() \ No newline at end of file From f1abc9f71a99584b498ae84af15326d3a5b49205 Mon Sep 17 00:00:00 2001 
From: Hung Nguyen Date: Mon, 11 Sep 2023 16:54:45 -0400 Subject: [PATCH 193/329] update chart readme generator to check for enterprise or feeds only Signed-off-by: Hung Nguyen --- .github/workflows/chart-readme-table-generator.yaml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/chart-readme-table-generator.yaml b/.github/workflows/chart-readme-table-generator.yaml index c16027c7..10aef747 100644 --- a/.github/workflows/chart-readme-table-generator.yaml +++ b/.github/workflows/chart-readme-table-generator.yaml @@ -42,9 +42,14 @@ jobs: files_changed="$(git diff --name-only origin/${TARGET_BRANCH} | sort | uniq)" # Adding || true to avoid "Process exited with code 1" errors charts_dirs_changed="$(echo "$files_changed" | xargs dirname | grep -o "stable/[^/]*" | sort | uniq || true)" + for chart in ${charts_dirs_changed}; do - echo "Updating README.md for ${chart}" - readme-generator --values "${chart}/values.yaml" --readme "${chart}/README.md" --schema "/tmp/schema.json" + if [[ "$chart" == "stable/enterprise" || "$chart" == "stable/feeds" ]]; then + echo "Updating README.md for ${chart}" + readme-generator --values "${chart}/values.yaml" --readme "${chart}/README.md" --schema "/tmp/schema.json" + else + echo "'chart' is not equal to 'stable/enterprise' or 'stable/feeds'. Moving on." + fi done - name: Push changes run: | From 16f87ab089f41db878939eae0d7a039ffdc4dafb Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 12 Sep 2023 15:48:04 -0400 Subject: [PATCH 194/329] allow specification of nodeport in engine chart (#118) * allow specification of nodeport in engine chart * adding nodePort for feeds service * rename feeds files to be underscore * adding feeds nodePort unit tests * adding service.nodePort annotation for README.md for feeds and enterprise * adding nodePort helper and tests for enterprise * bumping enterprise chart.yaml * bumping feeds chart.yaml * adding default value for service nodePorts 
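Review bot: The new `else` branch logs a literal `'chart'` rather than the directory that was skipped, so the job output cannot show which changed chart dir was ignored; use `echo "${chart} is not 'stable/enterprise' or 'stable/feeds'. Moving on."`. The allow-list is also hard-coded inside the loop body; if more charts are added later, a variable or a `case` pattern defined next to `charts_dirs_changed` would keep the list in one place. The enclosing `run:` step starts before this hunk.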
Signed-off-by: Hung Nguyen --------- Signed-off-by: Hung Nguyen 
Signed-off-by: Anchore BitnamiReadmeGenerator Co-authored-by: Anchore BitnamiReadmeGenerator --- .github/workflows/helm-unittests.yaml | 6 +- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/README.md | 4 + .../templates/api_deployment.yaml | 6 ++ .../templates/catalog_deployment.yaml | 3 + .../enterprise_feeds_deployment.yaml | 3 + .../enterprise_notifications_deployment.yaml | 3 + .../enterprise_rbac_manager_deployment.yaml | 3 + .../enterprise_reports_deployment.yaml | 3 + .../templates/enterprise_ui_deployment.yaml | 3 + .../templates/policy_engine_deployment.yaml | 3 + .../templates/simplequeue_deployment.yaml | 3 + stable/anchore-engine/values.yaml | 10 ++ stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 8 ++ stable/enterprise/templates/_helpers.tpl | 10 ++ .../enterprise/templates/api_deployment.yaml | 2 + .../templates/catalog_deployment.yaml | 1 + .../templates/notifications_deployment.yaml | 1 + .../templates/policyengine_deployment.yaml | 1 + .../templates/rbacmanager_deployment.yaml | 1 + .../templates/reports_deployment.yaml | 1 + .../templates/simplequeue_deployment.yaml | 1 + .../enterprise/templates/ui_deployment.yaml | 1 + .../__snapshot__/configmap_test.yaml.snap | 20 ++-- .../enterprise/tests/common_helpers_test.yaml | 48 +++++++++- stable/enterprise/values.yaml | 16 ++++ stable/feeds/Chart.yaml | 2 +- stable/feeds/README.md | 1 + ...ds-configmap.yaml => feeds_configmap.yaml} | 0 ...-deployment.yaml => feeds_deployment.yaml} | 9 +- .../{feeds-pvc.yaml => feeds_pvc.yaml} | 0 .../{feeds-secret.yaml => feeds_secret.yaml} | 0 .../__snapshot__/configmap_test.yaml.snap | 4 +- stable/feeds/tests/common_helpers_test.yaml | 92 +++++++++---------- stable/feeds/tests/configmap_test.yaml | 2 +- stable/feeds/tests/feeds_resources_test.yaml | 70 +++++++++----- stable/feeds/values.yaml | 2 + 38 files changed, 256 insertions(+), 91 deletions(-) rename stable/feeds/templates/{feeds-configmap.yaml => feeds_configmap.yaml} (100%) 
rename stable/feeds/templates/{feeds-deployment.yaml => feeds_deployment.yaml} (97%) rename stable/feeds/templates/{feeds-pvc.yaml => feeds_pvc.yaml} (100%) rename stable/feeds/templates/{feeds-secret.yaml => feeds_secret.yaml} (100%) diff --git a/.github/workflows/helm-unittests.yaml b/.github/workflows/helm-unittests.yaml index eba43f56..c300f467 100644 --- a/.github/workflows/helm-unittests.yaml +++ b/.github/workflows/helm-unittests.yaml @@ -4,10 +4,10 @@ name: 'Helm Unit Tests' on: - pull_request_target: + pull_request: paths: - - 'stable/enterprise' - - 'stable/feeds' + - 'stable/enterprise/Chart.yaml' + - 'stable/feeds/Chart.yaml' # Remove all permissions by default permissions: {} diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index f6045452..e766bb04 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.27.2 +version: 1.27.3 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index b8b5c606..d3d9082d 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md 
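Review bot: Narrowing the `paths` filter to `stable/enterprise/Chart.yaml` and `stable/feeds/Chart.yaml` means a PR that touches only templates, tests or values under those charts will not run the unit tests unless it also bumps the chart version in the same PR. The previous entries `'stable/enterprise'` and `'stable/feeds'` matched only a file with exactly that path, which is presumably why the filter never fired; the directory globs `- 'stable/enterprise/**'` and `- 'stable/feeds/**'` capture every chart file. Switching the trigger from `pull_request_target` to `pull_request` is the right direction: the checked-out PR code then runs with a read-only token and without repository secrets, and the `permissions: {}` in the context keeps that minimal.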
@@ -198,6 +198,10 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. +# Chart Version 1.27.3 + +* Added option to allow nodePorts to each service created as part of an anchore deployment. For more information about nodePorts, see [The Kubernetes Docs](https://kubernetes.io/docs/concepts/services-networking/service/#nodeport-custom-port) + # Chart Version 1.27.2 * Anchore Enterprise image updated to v4.9.1 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/491/) diff --git a/stable/anchore-engine/templates/api_deployment.yaml b/stable/anchore-engine/templates/api_deployment.yaml index 0aaa28b8..9019b2b8 100644 --- a/stable/anchore-engine/templates/api_deployment.yaml +++ b/stable/anchore-engine/templates/api_deployment.yaml @@ -460,11 +460,17 @@ spec: port: {{ .Values.anchoreApi.service.port }} targetPort: {{ .Values.anchoreApi.service.port }} protocol: TCP + {{- with .Values.anchoreApi.service.nodePort }} + nodePort: {{ . }} + {{- end }} {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseReports.enabled }} - name: reports-api port: {{ .Values.anchoreEnterpriseReports.service.apiPort }} targetPort: {{ .Values.anchoreEnterpriseReports.service.apiPort }} protocol: TCP + {{- with .Values.anchoreEnterpriseReports.service.apiNodePort }} + nodePort: {{ . }} + {{- end }} {{- end }} selector: app: {{ template "anchore-engine.fullname" . }} 
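Review bot: The reports port guard reads `.Values.anchoreEnterpriseReports.service.apiNodePort`, but the default this patch adds to values.yaml (the `@@ -1061` hunk) is spelled `apinodePort: null`; `with` on a missing key renders nothing, so the documented default can never set the reports nodePort — rename the values key to `apiNodePort: null`. None of the `with` guards in this hunk or in the catalog, feeds, notifications, rbac manager, reports, ui, policy engine and simplequeue hunks check `service.type`: the API server rejects a ClusterIP Service whose port carries `nodePort`, so a user who sets the value without also changing the type gets an install failure rather than a node port. Guarding on the type as well, e.g. `{{- if and (ne .Values.anchoreApi.service.type "ClusterIP") .Values.anchoreApi.service.nodePort }}`, or stating the prerequisite in the values comment, would avoid that. The `type` key is visible only in the rbac values hunk; I am assuming every service block has it.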
diff --git a/stable/anchore-engine/templates/catalog_deployment.yaml b/stable/anchore-engine/templates/catalog_deployment.yaml index dd45cd57..34d769da 100644 --- a/stable/anchore-engine/templates/catalog_deployment.yaml +++ b/stable/anchore-engine/templates/catalog_deployment.yaml @@ -306,6 +306,9 @@ spec: port: {{ .Values.anchoreCatalog.service.port }} targetPort: {{ .Values.anchoreCatalog.service.port }} protocol: TCP + {{- with .Values.anchoreCatalog.service.nodePort }} + nodePort: {{ . }} + {{- end }} selector: app: {{ template "anchore-engine.fullname" . }} component: {{ $component }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml index 3029324b..7f5c3786 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml @@ -276,6 +276,9 @@ spec: port: {{ .Values.anchoreEnterpriseFeeds.service.port }} targetPort: {{ .Values.anchoreEnterpriseFeeds.service.port }} protocol: TCP + {{- with .Values.anchoreEnterpriseFeeds.service.nodePort }} + nodePort: {{ . }} + {{- end }} selector: app: {{ template "anchore-engine.fullname" . }} component: {{ $component }} diff --git a/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml b/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml index 975248a8..d14ea071 100644 --- a/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_notifications_deployment.yaml @@ -328,6 +328,9 @@ spec: port: {{ .Values.anchoreEnterpriseNotifications.service.port }} targetPort: {{ .Values.anchoreEnterpriseNotifications.service.port }} protocol: TCP + {{- with .Values.anchoreEnterpriseNotifications.service.nodePort }} + nodePort: {{ . }} + {{- end }} selector: app: {{ template "anchore-engine.fullname" . }} component: {{ $component }} 
diff --git a/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml b/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml index 6b7b072d..2002877a 100644 --- a/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_rbac_manager_deployment.yaml @@ -326,6 +326,9 @@ spec: port: {{ .Values.anchoreEnterpriseRbac.service.managerPort }} targetPort: {{ .Values.anchoreEnterpriseRbac.service.managerPort }} protocol: TCP + {{- with .Values.anchoreEnterpriseRbac.service.nodePort }} + nodePort: {{ . }} + {{- end }} selector: app: {{ template "anchore-engine.fullname" . }} component: {{ $component }} diff --git a/stable/anchore-engine/templates/enterprise_reports_deployment.yaml b/stable/anchore-engine/templates/enterprise_reports_deployment.yaml index 65ebc0c5..77292dc3 100644 --- a/stable/anchore-engine/templates/enterprise_reports_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_reports_deployment.yaml @@ -244,6 +244,9 @@ spec: port: {{ .Values.anchoreEnterpriseReports.service.workerPort }} targetPort: {{ .Values.anchoreEnterpriseReports.service.workerPort }} protocol: TCP + {{- with .Values.anchoreEnterpriseReports.service.nodePort }} + nodePort: {{ . }} + {{- end }} selector: app: {{ template "anchore-engine.fullname" . }} component: {{ $component }} diff --git a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml index d2f4d609..7c5d8b31 100644 --- a/stable/anchore-engine/templates/enterprise_ui_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_ui_deployment.yaml @@ -229,6 +229,9 @@ spec: port: {{ .Values.anchoreEnterpriseUi.service.port }} protocol: TCP targetPort: 3000 + {{- with .Values.anchoreEnterpriseUi.service.nodePort }} + nodePort: {{ . }} + {{- end }} selector: app: {{ template "anchore-engine.fullname" . }} component: {{ $component }} 
diff --git a/stable/anchore-engine/templates/policy_engine_deployment.yaml b/stable/anchore-engine/templates/policy_engine_deployment.yaml index 317b2f5b..8695d65d 100644 --- a/stable/anchore-engine/templates/policy_engine_deployment.yaml +++ b/stable/anchore-engine/templates/policy_engine_deployment.yaml @@ -286,6 +286,9 @@ spec: port: {{ .Values.anchorePolicyEngine.service.port }} targetPort: {{ .Values.anchorePolicyEngine.service.port }} protocol: TCP + {{- with .Values.anchorePolicyEngine.service.nodePort }} + nodePort: {{ . }} + {{- end }} selector: app: {{ template "anchore-engine.fullname" . }} component: {{ $component }} diff --git a/stable/anchore-engine/templates/simplequeue_deployment.yaml b/stable/anchore-engine/templates/simplequeue_deployment.yaml index 12b27ba3..719c614e 100644 --- a/stable/anchore-engine/templates/simplequeue_deployment.yaml +++ b/stable/anchore-engine/templates/simplequeue_deployment.yaml @@ -264,6 +264,9 @@ spec: port: {{ .Values.anchoreSimpleQueue.service.port }} targetPort: {{ .Values.anchoreSimpleQueue.service.port }} protocol: TCP + {{- with .Values.anchoreSimpleQueue.service.nodePort }} + nodePort: {{ . }} + {{- end }} selector: app: {{ template "anchore-engine.fullname" . }} component: {{ $component }} diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 8e4ab86c..5115f972 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -436,6 +436,7 @@ anchoreApi: port: 8228 annotations: {} label: {} + nodePort: null # Specify the service account name utilized to run the API pods # serviceAccountName: Null @@ -626,6 +627,7 @@ anchoreCatalog: port: 8082 annotations: {} labels: {} + nodePort: null # resources: # limits: @@ -681,6 +683,7 @@ anchorePolicyEngine: port: 8087 annotations: {} labels: {} + nodePort: null # resources: # limits: @@ -718,6 +721,7 @@ anchoreSimpleQueue: port: 8083 annotations: {} labels: {} + nodePort: null # resources: # limits: 
@@ -937,6 +941,7 @@ anchoreEnterpriseFeeds: port: 8448 annotations: {} labels: {} + nodePort: null # resources: # limits: @@ -992,6 +997,7 @@ anchoreEnterpriseRbac: type: ClusterIP annotations: {} labels: {} + nodePort: null # authResources: # limits: @@ -1061,6 +1067,8 @@ anchoreEnterpriseReports: workerPort: 8778 annotations: {} labels: {} + nodePort: null + apinodePort: null # resources: # limits: @@ -1103,6 +1111,7 @@ anchoreEnterpriseNotifications: port: 8668 annotations: {} labels: {} + nodePort: null # resources: # limits: @@ -1293,6 +1302,7 @@ anchoreEnterpriseUi: annotations: {} labels: {} sessionAffinity: ClientIP + nodePort: null # The (optional) `enrich_inventory_view` key allows you to set whether the # Kubernetes tab should aggregate and include compliance and vulnerability data diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 20e16725..bf8f7179 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.0.2" +version: "0.0.3" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 8ca2942f..33c301b1 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -795,6 +795,7 @@ ui-redis: | `api.service.reportsPort` | Service port for Anchore Reports API | `8558` | | `api.service.annotations` | Annotations for Anchore API service | `{}` | | `api.service.labels` | Labels for Anchore API service | `{}` | +| `api.service.nodePort` | nodePort for Anchore API service | `""` | | `api.extraEnv` | Set extra environment variables for Anchore API pods | `[]` | | `api.resources` | Resource requests and limits for Anchore API pods | `{}` | | `api.labels` | Labels for Anchore API pods | `{}` | 
@@ -828,6 +829,7 @@ ui-redis: | `catalog.service.port` | Service port for Anchore Catalog | `8082` | | `catalog.service.annotations` | Annotations for Anchore Catalog service | `{}` | | `catalog.service.labels` | Labels for Anchore Catalog service | `{}` | +| `catalog.service.nodePort` | nodePort for Anchore Catalog service | `""` | | `catalog.extraEnv` | Set extra environment variables for Anchore Catalog pods | `[]` | | `catalog.resources` | Resource requests and limits for Anchore Catalog pods | `{}` | | `catalog.labels` | Labels for Anchore Catalog pods | `{}` | @@ -854,6 +856,7 @@ ui-redis: | `policyEngine.service.port` | Service port for Anchore Policy Engine | `8087` | | `policyEngine.service.annotations` | Annotations for Anchore Policy Engine service | `{}` | | `policyEngine.service.labels` | Labels for Anchore Policy Engine service | `{}` | +| `policyEngine.service.nodePort` | nodePort for Anchore Policy Engine service | `""` | | `policyEngine.extraEnv` | Set extra environment variables for Anchore Policy Engine pods | `[]` | | `policyEngine.resources` | Resource requests and limits for Anchore Policy Engine pods | `{}` | | `policyEngine.labels` | Labels for Anchore Policy Engine pods | `{}` | @@ -872,6 +875,7 @@ ui-redis: | `simpleQueue.service.port` | Service port for Anchore Simple Queue | `8083` | | `simpleQueue.service.annotations` | Annotations for Anchore Simple Queue service | `{}` | | `simpleQueue.service.labels` | Labels for Anchore Simple Queue service | `{}` | +| `simpleQueue.service.nodePort` | nodePort for Anchore Simple Queue service | `""` | | `simpleQueue.extraEnv` | Set extra environment variables for Anchore Simple Queue pods | `[]` | | `simpleQueue.resources` | Resource requests and limits for Anchore Simple Queue pods | `{}` | | `simpleQueue.labels` | Labels for Anchore Simple Queue pods | `{}` | 
@@ -890,6 +894,7 @@ ui-redis: | `notifications.service.port` | Service port for Anchore Notifications | `8668` | | `notifications.service.annotations` | Annotations for Anchore Notifications service | `{}` | | `notifications.service.labels` | Labels for Anchore Notifications service | `{}` | +| `notifications.service.nodePort` | nodePort for Anchore Notifications service | `""` | | `notifications.extraEnv` | Set extra environment variables for Anchore Notifications pods | `[]` | | `notifications.resources` | Resource requests and limits for Anchore Notifications pods | `{}` | | `notifications.labels` | Labels for Anchore Notifications pods | `{}` | @@ -908,6 +913,7 @@ ui-redis: | `reports.service.port` | Service port for Anchore Reports Worker | `8558` | | `reports.service.annotations` | Annotations for Anchore Reports service | `{}` | | `reports.service.labels` | Labels for Anchore Reports service | `{}` | +| `reports.service.nodePort` | nodePort for Anchore Reports service | `""` | | `reports.extraEnv` | Set extra environment variables for Anchore Reports pods | `[]` | | `reports.resources` | Resource requests and limits for Anchore Reports pods | `{}` | | `reports.labels` | Labels for Anchore Reports pods | `{}` | @@ -933,6 +939,7 @@ ui-redis: | `rbacManager.service.port` | Service port for Anchore RBAC Manager | `8229` | | `rbacManager.service.annotations` | Annotations for Anchore RBAC Manager service | `{}` | | `rbacManager.service.labels` | Labels for Anchore RBAC Manager service | `{}` | +| `rbacManager.service.nodePort` | nodePort for Anchore RBAC Manager service | `""` | | `rbacManager.extraEnv` | Set extra environment variables for Anchore RBAC Manager pods | `[]` | | `rbacManager.resources` | Resource requests and limits for Anchore RBAC Manager pods | `{}` | | `rbacManager.labels` | Labels for Anchore RBAC Manager pods | `{}` | 
@@ -955,6 +962,7 @@ ui-redis: | `ui.service.annotations` | Annotations for Anchore UI service | `{}` | | `ui.service.labels` | Labels for Anchore UI service | `{}` | | `ui.service.sessionAffinity` | Session Affinity for Ui service | `ClientIP` | +| `ui.service.nodePort` | nodePort for Anchore UI service | `""` | | `ui.extraEnv` | Set extra environment variables for Anchore UI pods | `[]` | | `ui.resources` | Resource requests and limits for Anchore UI pods | `{}` | | `ui.labels` | Labels for Anchore UI pods | `{}` | diff --git a/stable/enterprise/templates/_helpers.tpl b/stable/enterprise/templates/_helpers.tpl index 7e9af92b..bbe85fcc 100644 --- a/stable/enterprise/templates/_helpers.tpl +++ b/stable/enterprise/templates/_helpers.tpl @@ -120,3 +120,13 @@ Return the database user for the Anchore Enterprise UI config {{- define "enterprise.ui.dbUser" -}} {{ ternary .Values.postgresql.auth.username .Values.anchoreConfig.ui.dbUser (empty .Values.anchoreConfig.ui.dbUser) }} {{- end -}} + +{{/* +Set the nodePort for services if its defined +*/}} +{{- define "service.nodePort" -}} +{{- $component := .component -}} +{{- if (index .Values (print $component)).service.nodePort -}} +nodePort: {{ (index .Values (print $component)).service.nodePort }} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/stable/enterprise/templates/api_deployment.yaml b/stable/enterprise/templates/api_deployment.yaml index 40975220..125086bb 100644 --- a/stable/enterprise/templates/api_deployment.yaml +++ b/stable/enterprise/templates/api_deployment.yaml 
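Review bot: The new helper is defined as `service.nodePort` while every other helper in this file carries the `enterprise.` prefix (see `enterprise.ui.dbUser` in the context); Helm named templates are global across the parent chart and all its subcharts, so an unprefixed name can collide with or be overridden by a dependency's template — `{{- define "enterprise.service.nodePort" -}}` (with the matching `include` names in the deployment hunks) keeps it namespaced. `print $component` is a no-op on a string, so `{{- $svc := (index .Values .component).service -}}` followed by `{{- if $svc.nodePort -}}` reads more directly. The helper also emits `nodePort:` for any truthy value regardless of `service.type`, which the API server rejects on a ClusterIP Service. The file still ends without a trailing newline.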
@@ -107,10 +107,12 @@ spec: port: {{ .Values.api.service.port }} targetPort: {{ .Values.api.service.port }} protocol: TCP + {{ include "service.nodePort" (merge (dict "component" $component) .) }} - name: reports port: {{ .Values.reports.service.port }} targetPort: {{ .Values.reports.service.port }} protocol: TCP + {{ include "service.nodePort" (merge (dict "component" "reports") .) }} selector: app.kubernetes.io/name: {{ template "enterprise.fullname" . }} app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/catalog_deployment.yaml b/stable/enterprise/templates/catalog_deployment.yaml index aa0d9e09..ecce0e79 100644 --- a/stable/enterprise/templates/catalog_deployment.yaml +++ b/stable/enterprise/templates/catalog_deployment.yaml @@ -89,6 +89,7 @@ spec: port: {{ .Values.catalog.service.port }} targetPort: {{ .Values.catalog.service.port }} protocol: TCP + {{ include "service.nodePort" (merge (dict "component" $component) .) }} selector: app.kubernetes.io/name: {{ template "enterprise.fullname" . }} app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/notifications_deployment.yaml b/stable/enterprise/templates/notifications_deployment.yaml index 88ccb3b1..25eb1749 100644 --- a/stable/enterprise/templates/notifications_deployment.yaml +++ b/stable/enterprise/templates/notifications_deployment.yaml @@ -66,6 +66,7 @@ spec: port: {{ .Values.notifications.service.port }} targetPort: {{ .Values.notifications.service.port }} protocol: TCP + {{ include "service.nodePort" (merge (dict "component" $component) .) }} selector: app.kubernetes.io/name: {{ template "enterprise.fullname" . }} app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/policyengine_deployment.yaml b/stable/enterprise/templates/policyengine_deployment.yaml index a1ab0024..b7ab8b2d 100644 --- a/stable/enterprise/templates/policyengine_deployment.yaml 
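Review bot: The second include on the API Service's `reports` port passes `(dict "component" "reports")`, so it renders `reports.service.nodePort` — the same value that the reports_deployment.yaml hunk later in this patch renders on the reports Service itself. A nodePort can be allocated to only one Service, so setting `reports.service.nodePort` makes whichever Service is applied second fail with an already-allocated error. The anchore-engine side of this patch introduced a separate `apiNodePort` value for exactly this port; the enterprise chart needs the equivalent, e.g. an `api.service.reportsNodePort` value rendered here with `{{- with .Values.api.service.reportsNodePort }}nodePort: {{ . }}{{- end }}` plus a matching `@param` line in values.yaml.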
+++ b/stable/enterprise/templates/policyengine_deployment.yaml @@ -77,6 +77,7 @@ spec: port: {{ .Values.policyEngine.service.port }} targetPort: {{ .Values.policyEngine.service.port }} protocol: TCP + {{ include "service.nodePort" (merge (dict "component" $component) .) }} selector: app.kubernetes.io/name: {{ template "enterprise.fullname" . }} app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/rbacmanager_deployment.yaml b/stable/enterprise/templates/rbacmanager_deployment.yaml index 7e2349aa..e4d30401 100644 --- a/stable/enterprise/templates/rbacmanager_deployment.yaml +++ b/stable/enterprise/templates/rbacmanager_deployment.yaml @@ -66,6 +66,7 @@ spec: port: {{ .Values.rbacManager.service.port }} targetPort: {{ .Values.rbacManager.service.port }} protocol: TCP + {{ include "service.nodePort" (merge (dict "component" $component) .) }} selector: app.kubernetes.io/name: {{ template "enterprise.fullname" . }} app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/reports_deployment.yaml b/stable/enterprise/templates/reports_deployment.yaml index 1a833537..c452ea8d 100644 --- a/stable/enterprise/templates/reports_deployment.yaml +++ b/stable/enterprise/templates/reports_deployment.yaml @@ -65,6 +65,7 @@ spec: port: {{ .Values.reports.service.port }} targetPort: {{ .Values.reports.service.port }} protocol: TCP + {{ include "service.nodePort" (merge (dict "component" $component) .) }} selector: app.kubernetes.io/name: {{ template "enterprise.fullname" . }} app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/simplequeue_deployment.yaml b/stable/enterprise/templates/simplequeue_deployment.yaml index 5ba1dbc4..6e7fa992 100644 --- a/stable/enterprise/templates/simplequeue_deployment.yaml +++ b/stable/enterprise/templates/simplequeue_deployment.yaml 
@@ -64,6 +64,7 @@ spec: port: {{ .Values.simpleQueue.service.port }} targetPort: {{ .Values.simpleQueue.service.port }} protocol: TCP + {{ include "service.nodePort" (merge (dict "component" $component) .) }} selector: app.kubernetes.io/name: {{ template "enterprise.fullname" . }} app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/ui_deployment.yaml b/stable/enterprise/templates/ui_deployment.yaml index bc8cec5c..027448e9 100644 --- a/stable/enterprise/templates/ui_deployment.yaml +++ b/stable/enterprise/templates/ui_deployment.yaml @@ -132,6 +132,7 @@ spec: port: {{ .Values.ui.service.port }} protocol: TCP targetPort: 3000 + {{ include "service.nodePort" (merge (dict "component" $component) .) }} selector: app.kubernetes.io/name: {{ template "enterprise.fullname" . }} app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 39367b60..37b3b177 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -32,10 +32,10 @@ should render the configmaps: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/part-of: anchore - app.kubernetes.io/version: 4.9.0 + app.kubernetes.io/version: 4.9.1 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.1 + helm.sh/chart: enterprise-0.0.3 name: test-release-enterprise-analyzer namespace: test-namespace 2: | @@ -333,10 +333,10 @@ should render the configmaps: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/part-of: anchore - app.kubernetes.io/version: 4.9.0 + app.kubernetes.io/version: 4.9.1 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.1 + helm.sh/chart: enterprise-0.0.3 name: test-release-enterprise namespace: test-namespace 3: | 
@@ -418,10 +418,10 @@ should render the configmaps: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/part-of: anchore - app.kubernetes.io/version: 4.9.0 + app.kubernetes.io/version: 4.9.1 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.1 + helm.sh/chart: enterprise-0.0.3 name: test-release-enterprise-config-env-vars namespace: test-namespace 4: | @@ -462,10 +462,10 @@ should render the configmaps: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/part-of: anchore - app.kubernetes.io/version: 4.9.0 + app.kubernetes.io/version: 4.9.1 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.1 + helm.sh/chart: enterprise-0.0.3 name: test-release-enterprise-policy-bundles namespace: test-namespace 5: | @@ -483,9 +483,9 @@ should render the configmaps: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/part-of: anchore - app.kubernetes.io/version: 4.9.0 + app.kubernetes.io/version: 4.9.1 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.1 + helm.sh/chart: enterprise-0.0.3 name: test-release-enterprise-ui namespace: test-namespace diff --git a/stable/enterprise/tests/common_helpers_test.yaml b/stable/enterprise/tests/common_helpers_test.yaml index f049453b..4202595d 100644 --- a/stable/enterprise/tests/common_helpers_test.yaml +++ b/stable/enterprise/tests/common_helpers_test.yaml 
@@ -1002,4 +1002,50 @@ tests: pattern: "notifications_uri: 'https://test-release-enterprise-notifications:8668/v1'" - matchRegex: path: data["config-ui.yaml"] - pattern: "reports_uri: 'https://test-release-enterprise-api:8558/v1'" \ No newline at end of file + pattern: "reports_uri: 'https://test-release-enterprise-api:8558/v1'" + + - it: should render nodePort when set + set: + api.service.nodePort: 9999 + catalog.service.nodePort: 9999 + notifications.service.nodePort: 9999 + policyEngine.service.nodePort: 9999 + rbacManager.service.nodePort: 9999 + reports.service.nodePort: 9999 + simpleQueue.service.nodePort: 9999 + ui.service.nodePort: 9999 + templates: + - api_deployment.yaml + - catalog_deployment.yaml + - notifications_deployment.yaml + - policyengine_deployment.yaml + - rbacmanager_deployment.yaml + - reports_deployment.yaml + - simplequeue_deployment.yaml + - ui_deployment.yaml + documentIndex: 1 + asserts: + - isSubset: + path: spec.ports[0] + content: + protocol: TCP + nodePort: 9999 + count: 1 + + - it: should not render nodePort by default + templates: + - api_deployment.yaml + - catalog_deployment.yaml + - notifications_deployment.yaml + - policyengine_deployment.yaml + - rbacmanager_deployment.yaml + - reports_deployment.yaml + - simplequeue_deployment.yaml + - ui_deployment.yaml + documentIndex: 1 + asserts: + - isNotSubset: + path: spec.ports[0] + content: + nodePort: 9999 + count: 1 \ No newline at end of file diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 47c1d1df..e8070119 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -612,6 +612,7 @@ api: ## @param api.service.reportsPort Service port for Anchore Reports API ## @param api.service.annotations Annotations for Anchore API service ## @param api.service.labels Labels for Anchore API service + ## @param api.service.nodePort nodePort for Anchore API service ## service: type: ClusterIP 
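Review bot: The `should not render nodePort by default` case asserts `isNotSubset` with `nodePort: 9999`, which passes as long as the rendered port differs from 9999 and so would not catch a stray default; assert absence instead with `- isNull: path: spec.ports[0].nodePort`. The `should render nodePort when set` case leaves every `service.type` at its ClusterIP default, so the manifests it validates are ones the API server would reject; setting `api.service.type: NodePort` (and the same for the other components) alongside the ports keeps the fixture deployable. The API Service has a second `reports` port that the new helper also touches, but only `spec.ports[0]` is checked; an assertion on `spec.ports[1]` would cover it. The file still ends without a trailing newline.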
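Review bot: The `@param` description for `api.service.nodePort` says only `nodePort for Anchore API service`, which leaves out that Kubernetes honours the field only when `service.type` is `NodePort` or `LoadBalancer` and rejects it on a ClusterIP Service; `## @param api.service.nodePort nodePort for Anchore API service (only used when service.type is NodePort or LoadBalancer)` states the prerequisite where readme-generator will pick it up. The same wording applies to the catalog, policyEngine, simpleQueue, notifications, reports, rbacManager and ui `@param` lines in the values hunks on the following lines.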
@@ -619,6 +620,7 @@ api: reportsPort: 8558 annotations: {} labels: {} + nodePort: "" ## @param api.extraEnv Set extra environment variables for Anchore API pods ## @@ -710,12 +712,14 @@ catalog: ## @param catalog.service.port Service port for Anchore Catalog ## @param catalog.service.annotations Annotations for Anchore Catalog service ## @param catalog.service.labels Labels for Anchore Catalog service + ## @param catalog.service.nodePort nodePort for Anchore Catalog service ## service: type: ClusterIP port: 8082 annotations: {} labels: {} + nodePort: "" ## @param catalog.extraEnv Set extra environment variables for Anchore Catalog pods ## @@ -778,12 +782,14 @@ policyEngine: ## @param policyEngine.service.port Service port for Anchore Policy Engine ## @param policyEngine.service.annotations Annotations for Anchore Policy Engine service ## @param policyEngine.service.labels Labels for Anchore Policy Engine service + ## @param policyEngine.service.nodePort nodePort for Anchore Policy Engine service ## service: type: ClusterIP port: 8087 annotations: {} labels: {} + nodePort: "" ## @param policyEngine.extraEnv Set extra environment variables for Anchore Policy Engine pods ## @@ -829,12 +835,14 @@ simpleQueue: ## @param simpleQueue.service.port Service port for Anchore Simple Queue ## @param simpleQueue.service.annotations Annotations for Anchore Simple Queue service ## @param simpleQueue.service.labels Labels for Anchore Simple Queue service + ## @param simpleQueue.service.nodePort nodePort for Anchore Simple Queue service ## service: type: ClusterIP port: 8083 annotations: {} labels: {} + nodePort: "" ## @param simpleQueue.extraEnv Set extra environment variables for Anchore Simple Queue pods ## 
@@ -880,12 +888,14 @@ notifications: ## @param notifications.service.port Service port for Anchore Notifications ## @param notifications.service.annotations Annotations for Anchore Notifications service ## @param notifications.service.labels Labels for Anchore Notifications service + ## @param notifications.service.nodePort nodePort for Anchore Notifications service ## service: type: ClusterIP port: 8668 annotations: {} labels: {} + nodePort: "" ## @param notifications.extraEnv Set extra environment variables for Anchore Notifications pods ## @@ -931,12 +941,14 @@ reports: ## @param reports.service.port Service port for Anchore Reports Worker ## @param reports.service.annotations Annotations for Anchore Reports service ## @param reports.service.labels Labels for Anchore Reports service + ## @param reports.service.nodePort nodePort for Anchore Reports service ## service: type: ClusterIP port: 8558 annotations: {} labels: {} + nodePort: "" ## @param reports.extraEnv Set extra environment variables for Anchore Reports pods ## @@ -994,12 +1006,14 @@ rbacManager: ## @param rbacManager.service.port Service port for Anchore RBAC Manager ## @param rbacManager.service.annotations Annotations for Anchore RBAC Manager service ## @param rbacManager.service.labels Labels for Anchore RBAC Manager service + ## @param rbacManager.service.nodePort nodePort for Anchore RBAC Manager service ## service: type: ClusterIP port: 8229 annotations: {} labels: {} + nodePort: "" ## @param rbacManager.extraEnv Set extra environment variables for Anchore RBAC Manager pods ## @@ -1062,6 +1076,7 @@ ui: ## @param ui.service.annotations Annotations for Anchore UI service ## @param ui.service.labels Labels for Anchore UI service ## @param ui.service.sessionAffinity Session Affinity for Ui service + ## @param ui.service.nodePort nodePort for Anchore UI service ## service: type: ClusterIP 
@@ -1070,6 +1085,7 @@ ui: annotations: {} labels: {} sessionAffinity: ClientIP + nodePort: "" ## @param ui.extraEnv Set extra environment variables for Anchore UI pods ## diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index f01d86df..2f5f2c4d 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: feeds type: application -version: "0.0.2" +version: "0.0.3" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: Anchore feeds service diff --git a/stable/feeds/README.md b/stable/feeds/README.md index 5e3d2b9d..854c537e 100644 --- a/stable/feeds/README.md +++ b/stable/feeds/README.md @@ -234,6 +234,7 @@ feeds-db: | `service.port` | Service port for Anchore Feeds | `8448` | | `service.annotations` | Annotations for Anchore Feeds service | `{}` | | `service.labels` | Labels for Anchore Feeds service | `{}` | +| `service.nodePort` | nodePort for Anchore Feeds service | `""` | | `scratchVolume.mountPath` | The mount path of an external volume for scratch space for image analysis | `/anchore_scratch` | | `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions | `false` | | `scratchVolume.details` | Details for the k8s volume to be created | `{}` | diff --git a/stable/feeds/templates/feeds-configmap.yaml b/stable/feeds/templates/feeds_configmap.yaml similarity index 100% rename from stable/feeds/templates/feeds-configmap.yaml rename to stable/feeds/templates/feeds_configmap.yaml diff --git a/stable/feeds/templates/feeds-deployment.yaml b/stable/feeds/templates/feeds_deployment.yaml similarity index 97% rename from stable/feeds/templates/feeds-deployment.yaml rename to stable/feeds/templates/feeds_deployment.yaml index 1f9a4af1..b0a30cf6 100644 --- a/stable/feeds/templates/feeds-deployment.yaml +++ b/stable/feeds/templates/feeds_deployment.yaml 
@@ -16,9 +16,9 @@ spec: labels: {{- include "feeds.common.labels" . | nindent 8 }} annotations: {{- include "feeds.common.annotations" (merge (dict "nil" true) .) | nindent 8 }} {{- if not .Values.injectSecretsViaEnv }} - checksum/secrets: {{ include (print $.Template.BasePath "/feeds-secret.yaml") . | sha256sum }} + checksum/secrets: {{ include (print $.Template.BasePath "/feeds_secret.yaml") . | sha256sum }} {{- end }} - checksum/feeds-config: {{ include (print $.Template.BasePath "/feeds-configmap.yaml") . | sha256sum }} + checksum/feeds-config: {{ include (print $.Template.BasePath "/feeds_configmap.yaml") . | sha256sum }} spec: {{- with .Values.securityContext }} securityContext: {{- toYaml . | nindent 8 }} @@ -176,4 +176,7 @@ spec: - name: feeds-api port: {{ .Values.service.port }} targetPort: {{ .Values.service.port }} - protocol: TCP \ No newline at end of file + protocol: TCP + {{- with .Values.service.nodePort }} + nodePort: {{ . }} + {{- end }} \ No newline at end of file diff --git a/stable/feeds/templates/feeds-pvc.yaml b/stable/feeds/templates/feeds_pvc.yaml similarity index 100% rename from stable/feeds/templates/feeds-pvc.yaml rename to stable/feeds/templates/feeds_pvc.yaml diff --git a/stable/feeds/templates/feeds-secret.yaml b/stable/feeds/templates/feeds_secret.yaml similarity index 100% rename from stable/feeds/templates/feeds-secret.yaml rename to stable/feeds/templates/feeds_secret.yaml diff --git a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap index 77f9853c..a251d90c 100644 --- a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap 
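Review bot: `{{- with .Values.service.nodePort }}` renders the port whenever the value is non-empty regardless of `service.type`, and the values.yaml hunk in this patch keeps the default type at ClusterIP, a combination the API server rejects at apply time; gating the line on the type, `{{- if and .Values.service.nodePort (ne .Values.service.type "ClusterIP") }}`, or failing the render with a clear message, turns a late apply error into an early template error. The Service definition this port belongs to starts outside the hunk, so I cannot see whether the type is validated elsewhere. The file is also still written without a trailing newline, which the `\ No newline at end of file` marker on both sides shows this rename did not fix.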
@@ -124,9 +124,9 @@ should render the configmaps: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: test-release-feeds app.kubernetes.io/part-of: anchore - app.kubernetes.io/version: 4.9.0 + app.kubernetes.io/version: 4.9.1 bar: baz-label foo: bar-label - helm.sh/chart: feeds-0.0.1 + helm.sh/chart: feeds-0.0.3 name: test-release-feeds namespace: test-namespace diff --git a/stable/feeds/tests/common_helpers_test.yaml b/stable/feeds/tests/common_helpers_test.yaml index 69e75fbf..94750df6 100644 --- a/stable/feeds/tests/common_helpers_test.yaml +++ b/stable/feeds/tests/common_helpers_test.yaml @@ -1,10 +1,10 @@ suite: Common Helper Template Tests templates: - anchore_vars_configmap.yaml - - feeds-configmap.yaml - - feeds-deployment.yaml - - feeds-pvc.yaml - - feeds-secret.yaml + - feeds_configmap.yaml + - feeds_deployment.yaml + - feeds_pvc.yaml + - feeds_secret.yaml - ingress.yaml - templates/hooks/pre-upgrade/upgrade_rbac.yaml - templates/hooks/pre-upgrade/upgrade_job.yaml @@ -18,10 +18,10 @@ chart: test_templates: &test_templates - anchore_vars_configmap.yaml - - feeds-configmap.yaml - - feeds-deployment.yaml - - feeds-pvc.yaml - - feeds-secret.yaml + - feeds_configmap.yaml + - feeds_deployment.yaml + - feeds_pvc.yaml + - feeds_secret.yaml - templates/hooks/pre-upgrade/upgrade_rbac.yaml - templates/hooks/pre-upgrade/upgrade_job.yaml @@ -45,7 +45,7 @@ tests: bar: baz - it: should render file checksum/secret annotation - template: feeds-deployment.yaml + template: feeds_deployment.yaml documentIndex: 0 asserts: - exists: @@ -72,7 +72,7 @@ tests: - it: should render docker entrypoint with no doSourceAtEntry filePaths templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - matchRegex: @@ -81,7 +81,7 @@ tests: - it: should render docker entrypoint with doSourceAtEntry and no filePaths templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 set: doSourceAtEntry.enabled: true 
@@ -92,7 +92,7 @@ tests: - it: should render docker entrypoint with doSourceAtEntry and some filePaths templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 set: doSourceAtEntry.enabled: true @@ -104,7 +104,7 @@ tests: - it: should render envFrom without an existing secret templates: - - feeds-deployment.yaml + - feeds_deployment.yaml - templates/hooks/pre-upgrade/upgrade_job.yaml documentIndex: 0 asserts: @@ -122,7 +122,7 @@ tests: useExistingSecrets: true existingSecretName: "myExistingSecretName" templates: - - feeds-deployment.yaml + - feeds_deployment.yaml - templates/hooks/pre-upgrade/upgrade_job.yaml documentIndex: 0 asserts: @@ -141,7 +141,7 @@ tests: useExistingSecrets: true existingSecretName: "myExistingSecretName" templates: - - feeds-deployment.yaml + - feeds_deployment.yaml - templates/hooks/pre-upgrade/upgrade_job.yaml documentIndex: 0 asserts: @@ -156,7 +156,7 @@ tests: - it: should render correct environment variables when extraEnv is set templates: - - feeds-deployment.yaml + - feeds_deployment.yaml - templates/hooks/pre-upgrade/upgrade_job.yaml documentIndex: 0 set: @@ -186,7 +186,7 @@ tests: - it: should render clouddsql container for all deployments and default upgrade job templates: - - feeds-deployment.yaml + - feeds_deployment.yaml - templates/hooks/pre-upgrade/upgrade_job.yaml documentIndex: 0 set: @@ -205,7 +205,7 @@ tests: - it: should render clouddsql container and extraArgs for all deployments and default upgrade job templates: - - feeds-deployment.yaml + - feeds_deployment.yaml - templates/hooks/pre-upgrade/upgrade_job.yaml documentIndex: 0 set: @@ -232,7 +232,7 @@ tests: - it: should render clouddsql container, additional arg, and volumeMount when useExistingServiceAcc is true for all deployments and default upgrade job templates: - - feeds-deployment.yaml + - feeds_deployment.yaml - templates/hooks/pre-upgrade/upgrade_job.yaml documentIndex: 0 set: 
@@ -276,7 +276,7 @@ tests: scratchVolume.fixGroupPermissions: true securityContext.fsGroup: 9999 templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - contains: @@ -295,7 +295,7 @@ tests: scratchVolume.fixGroupPermissions: false securityContext.fsGroup: 9999 templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - notExists: @@ -303,7 +303,7 @@ tests: - it: should render liveness probe templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - isSubset: @@ -317,7 +317,7 @@ tests: - it: should render readiness probe templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - isSubset: @@ -332,7 +332,7 @@ tests: set: securityContext.runAsUser: 9999 templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - isSubset: @@ -346,7 +346,7 @@ tests: set: serviceAccountName: myServiceAccountName templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - equal: @@ -355,7 +355,7 @@ tests: - it: should not render pod serviceAccountName if not defined templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - notExists: @@ -363,7 +363,7 @@ tests: - it: should render imagePullSecretName templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - equal: @@ -374,7 +374,7 @@ tests: set: imagePullSecretName: mysecret templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - equal: @@ -386,7 +386,7 @@ tests: containerSecurityContext.runAsUser: 9999 containerSecurityContext.runAsGroup: 9998 templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - isSubset: @@ -397,7 +397,7 @@ tests: - it: should not render container security contexts if none set templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - notExists: 
@@ -405,7 +405,7 @@ tests: - it: should render the rbacAuthContainer templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - contains: @@ -421,7 +421,7 @@ tests: - it: should render volumeMounts templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - contains: @@ -451,7 +451,7 @@ tests: mountPath: /my/other/path subPath: my-other-subpath templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - contains: @@ -481,7 +481,7 @@ tests: set: certStoreSecretName: mycerts templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - contains: @@ -509,7 +509,7 @@ tests: - name: my-volume-two emptyDir: {} templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - contains: @@ -535,7 +535,7 @@ tests: - it: should render global volumes anchore-license, and config-volume templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - contains: @@ -567,7 +567,7 @@ tests: set: fullnameOverride: my-fullname-override templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 1 asserts: - matchRegex: @@ -578,16 +578,16 @@ tests: set: nameOverride: my-name-override templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 1 asserts: - matchRegex: path: spec.selector["app.kubernetes.io/name"] pattern: ^test-release-my-name-override - - it: should render dbHostname for feeds-secret.yaml + - it: should render dbHostname for feeds_secret.yaml templates: - - feeds-secret.yaml + - feeds_secret.yaml documentIndex: 0 asserts: - isSubset: @@ -634,7 +634,7 @@ tests: cloudsql: enabled: true templates: - - feeds-secret.yaml + - feeds_secret.yaml documentIndex: 0 asserts: - isSubset: @@ -654,7 +654,7 @@ tests: externalEndpoint: my-endpoint enabled: false templates: - - feeds-secret.yaml + - feeds_secret.yaml documentIndex: 0 asserts: - isSubset: 
@@ -671,7 +671,7 @@ tests: cloudsql: enabled: true templates: - - feeds-secret.yaml + - feeds_secret.yaml documentIndex: 0 asserts: - isSubset: @@ -689,7 +689,7 @@ tests: cloudsql: enabled: false templates: - - feeds-secret.yaml + - feeds_secret.yaml documentIndex: 0 asserts: - isSubset: @@ -703,7 +703,7 @@ tests: set: anchoreConfig.internalServicesSSL.enabled: true templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - isSubset: @@ -715,7 +715,7 @@ tests: set: anchoreConfig.internalServicesSSL.enabled: false templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - isSubset: diff --git a/stable/feeds/tests/configmap_test.yaml b/stable/feeds/tests/configmap_test.yaml index 3c66be99..1ea291e7 100644 --- a/stable/feeds/tests/configmap_test.yaml +++ b/stable/feeds/tests/configmap_test.yaml @@ -1,6 +1,6 @@ suite: ConfigMap Tests templates: - - templates/feeds-configmap.yaml + - templates/feeds_configmap.yaml values: - values.yaml release: diff --git a/stable/feeds/tests/feeds_resources_test.yaml b/stable/feeds/tests/feeds_resources_test.yaml index f1fd1f0b..229841f9 100644 --- a/stable/feeds/tests/feeds_resources_test.yaml +++ b/stable/feeds/tests/feeds_resources_test.yaml @@ -1,8 +1,8 @@ suite: Feeds Resources Tests templates: - - feeds-deployment.yaml - - feeds-secret.yaml - - feeds-configmap.yaml + - feeds_deployment.yaml + - feeds_secret.yaml + - feeds_configmap.yaml release: name: test-release namespace: test-namespace @@ -14,7 +14,7 @@ values: tests: - it: should render a valid feeds config file - template: feeds-configmap.yaml + template: feeds_configmap.yaml asserts: - matchRegex: path: data["config.yaml"] @@ -27,7 +27,7 @@ tests: value: test-release-feeds - it: should render component labels - template: feeds-deployment.yaml + template: feeds_deployment.yaml documentIndex: 0 asserts: - isSubset: 
@@ -43,7 +43,7 @@ tests: - it: should render component annotations templates: - - feeds-deployment.yaml + - feeds_deployment.yaml documentIndex: 0 asserts: - isSubset: @@ -58,7 +58,7 @@ tests: bar: "baz-annotation" - it: should render component matchLabels - template: feeds-deployment.yaml + template: feeds_deployment.yaml documentIndex: 0 asserts: - isSubset: @@ -68,7 +68,7 @@ tests: app.kubernetes.io/component: feeds - it: should render component serviceAccountName - template: feeds-deployment.yaml + template: feeds_deployment.yaml documentIndex: 0 set: serviceAccountName: feeds-test @@ -78,7 +78,7 @@ tests: value: feeds-test - it: should render component nodeSelector - template: feeds-deployment.yaml + template: feeds_deployment.yaml documentIndex: 0 set: nodeSelector: @@ -90,7 +90,7 @@ tests: feeds: test - it: should render component affinity - template: feeds-deployment.yaml + template: feeds_deployment.yaml documentIndex: 0 set: affinity: @@ -102,7 +102,7 @@ tests: feeds: test - it: should render component tolerations - template: feeds-deployment.yaml + template: feeds_deployment.yaml documentIndex: 0 set: tolerations: @@ -121,7 +121,7 @@ tests: count: 1 - it: should render scratch volume as emptyDir by default - template: feeds-deployment.yaml + template: feeds_deployment.yaml documentIndex: 0 asserts: - contains: @@ -132,7 +132,7 @@ tests: count: 1 - it: should render scratch volume using details from values - template: feeds-deployment.yaml + template: feeds_deployment.yaml documentIndex: 0 set: scratchVolume.details: @@ -149,8 +149,8 @@ tests: type: Directory count: 1 - - it: should render feeds-configmap volume - template: feeds-deployment.yaml + - it: should render feeds_configmap volume + template: feeds_deployment.yaml documentIndex: 0 asserts: - contains: @@ -175,7 +175,7 @@ tests: count: 1 - it: should render component container name - template: feeds-deployment.yaml + template: feeds_deployment.yaml documentIndex: 0 asserts: - equal: 
@@ -183,7 +183,7 @@ tests: value: feeds-feeds - it: should render component entrypoint args - template: feeds-deployment.yaml + template: feeds_deployment.yaml documentIndex: 0 asserts: - matchRegex: @@ -192,7 +192,7 @@ tests: count: 1 - it: should render component environment variables - template: feeds-deployment.yaml + template: feeds_deployment.yaml documentIndex: 0 set: extraEnv: @@ -226,7 +226,7 @@ tests: value: foobar - it: should render component ports - template: feeds-deployment.yaml + template: feeds_deployment.yaml documentIndex: 0 asserts: - contains: @@ -237,7 +237,7 @@ tests: count: 1 - it: should render component volumeMounts - template: feeds-deployment.yaml + template: feeds_deployment.yaml documentIndex: 0 asserts: - contains: @@ -257,7 +257,7 @@ tests: any: true - it: should render component probes - template: feeds-deployment.yaml + template: feeds_deployment.yaml documentIndex: 0 asserts: - isSubset: @@ -287,7 +287,7 @@ tests: count: 1 - it: should render component resource requests & limits - template: feeds-deployment.yaml + template: feeds_deployment.yaml documentIndex: 0 set: resources: @@ -310,3 +310,29 @@ tests: cpu: 200m memory: 256Mi count: 1 + + + - it: should not render nodePorts + template: feeds_deployment.yaml + documentIndex: 1 + asserts: + - isNotSubset: + path: spec.ports[0] + content: + nodePort: 9999 + count: 1 + - it: should render nodePorts + template: feeds_deployment.yaml + documentIndex: 1 + set: + service.nodePort: 9999 + asserts: + - isSubset: + path: spec.ports[0] + content: + name: feeds-api + port: 8448 + protocol: TCP + targetPort: 8448 + nodePort: 9999 + count: 1 \ No newline at end of file diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml index 619ce950..e53db59e 100644 --- a/stable/feeds/values.yaml +++ b/stable/feeds/values.yaml 
@@ -91,12 +91,14 @@ affinity: {} ## @param service.port Service port for Anchore Feeds ## @param service.annotations Annotations for Anchore Feeds service ## @param service.labels Labels for Anchore Feeds service +## @param service.nodePort nodePort for Anchore Feeds service ## service: type: ClusterIP port: 8448 annotations: {} labels: {} + nodePort: "" ## @param scratchVolume.mountPath The mount path of an external volume for scratch space for image analysis ## @param scratchVolume.fixGroupPermissions Enable an initContainer that will fix the fsGroup permissions From b0325759045023646108e3e6e3faf23aa82637ee Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 12 Sep 2023 17:17:58 -0400 Subject: [PATCH 195/329] updating ui configmap to allow specification of api version (#121) * updating ui configmap to allow specification of api version * updating tests for ui component Signed-off-by: Hung Nguyen --------- Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/templates/ui_configmap.yaml | 9 +++++---- .../tests/__snapshot__/configmap_test.yaml.snap | 12 ++++++------ stable/enterprise/tests/common_helpers_test.yaml | 16 ++++++++-------- 4 files changed, 20 insertions(+), 19 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index bf8f7179..dc4d2a8b 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.0.3" +version: "0.0.4" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/templates/ui_configmap.yaml b/stable/enterprise/templates/ui_configmap.yaml index 5f5eed0f..be6b9818 100644 --- a/stable/enterprise/templates/ui_configmap.yaml +++ b/stable/enterprise/templates/ui_configmap.yaml 
@@ -26,10 +26,11 @@ data: admin: {{ .admin }} standard: {{ .standard }} {{- end }} - engine_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/v1' - reports_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.reports.service.port -}}/v1' - notifications_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.notifications.fullname" . -}}:{{- .Values.notifications.service.port -}}/v1' - rbac_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.rbacManager.fullname" . -}}:{{- .Values.rbacManager.service.port -}}/v1' + engine_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/{{- default "v2" .Values.api.service.apiVersion -}}' + reports_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.reports.service.port -}}/{{- default "v2" .Values.reports.service.apiVersion -}}' + notifications_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.notifications.fullname" . -}}:{{- .Values.notifications.service.port -}}/{{- default "v2" .Values.notifications.service.apiVersion -}}' + rbac_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.rbacManager.fullname" . -}}:{{- .Values.rbacManager.service.port -}}/{{- default "v2" .Values.rbacManager.service.apiVersion -}}' + enterprise_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/v2' # redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable # appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable license_path: '/home/anchore/' 
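Review bot: `enterprise_uri` is the only endpoint pinned to a literal `/v2`, while the four lines above honour `*.service.apiVersion` with a `default "v2"` fallback; if that is deliberate because the endpoint only exists in v2, a template comment such as `# enterprise_uri is v2-only and intentionally not driven by api.service.apiVersion` stops the next reader from "fixing" it, and if not it should use `{{- default "v2" .Values.api.service.apiVersion -}}` like `engine_uri`. Note also that `default` treats an empty override as unset, so `apiVersion: ""` silently selects v2 rather than producing a visibly broken URI; that is acceptable for a path segment but worth one line in the values documentation. The data block this hunk edits starts outside the hunk.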
diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 37b3b177..eace7bf5 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -35,7 +35,7 @@ should render the configmaps: app.kubernetes.io/version: 4.9.1 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.3 + helm.sh/chart: enterprise-0.0.4 name: test-release-enterprise-analyzer namespace: test-namespace 2: | @@ -336,7 +336,7 @@ should render the configmaps: app.kubernetes.io/version: 4.9.1 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.3 + helm.sh/chart: enterprise-0.0.4 name: test-release-enterprise namespace: test-namespace 3: | @@ -421,7 +421,7 @@ should render the configmaps: app.kubernetes.io/version: 4.9.1 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.3 + helm.sh/chart: enterprise-0.0.4 name: test-release-enterprise-config-env-vars namespace: test-namespace 4: | 
@@ -465,13 +465,13 @@ should render the configmaps: app.kubernetes.io/version: 4.9.1 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.3 + helm.sh/chart: enterprise-0.0.4 name: test-release-enterprise-policy-bundles namespace: test-namespace 5: | apiVersion: v1 data: - config-ui.yaml: "# Anchore UI configuration\nengine_uri: 'http://test-release-enterprise-api:8228/v1' \nreports_uri: 'http://test-release-enterprise-api:8558/v1'\nnotifications_uri: 'http://test-release-enterprise-notifications:8668/v1'\nrbac_uri: 'http://test-release-enterprise-rbac-manager:8229/v1'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: true\nforce_websocket: false\nauthentication_lock:\n count: 5\n expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: true\nenable_prometheus_metrics: false" + config-ui.yaml: "# Anchore UI configuration\nengine_uri: 'http://test-release-enterprise-api:8228/v2'\nreports_uri: 'http://test-release-enterprise-api:8558/v2'\nnotifications_uri: 'http://test-release-enterprise-notifications:8668/v2'\nrbac_uri: 'http://test-release-enterprise-rbac-manager:8229/v2'\nenterprise_uri: 'http://test-release-enterprise-api:8228/v2'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: true\nforce_websocket: false\nauthentication_lock:\n count: 5\n expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: 
true\nenable_prometheus_metrics: false" kind: ConfigMap metadata: annotations: @@ -486,6 +486,6 @@ should render the configmaps: app.kubernetes.io/version: 4.9.1 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.3 + helm.sh/chart: enterprise-0.0.4 name: test-release-enterprise-ui namespace: test-namespace diff --git a/stable/enterprise/tests/common_helpers_test.yaml b/stable/enterprise/tests/common_helpers_test.yaml index 4202595d..f9ea3d38 100644 --- a/stable/enterprise/tests/common_helpers_test.yaml +++ b/stable/enterprise/tests/common_helpers_test.yaml @@ -973,16 +973,16 @@ tests: asserts: - matchRegex: path: data["config-ui.yaml"] - pattern: "engine_uri: 'http://test-release-enterprise-api:8228/v1'" + pattern: "engine_uri: 'http://test-release-enterprise-api:8228/v2'" - matchRegex: path: data["config-ui.yaml"] - pattern: "rbac_uri: 'http://test-release-enterprise-rbac-manager:8229/v1'" + pattern: "rbac_uri: 'http://test-release-enterprise-rbac-manager:8229/v2'" - matchRegex: path: data["config-ui.yaml"] - pattern: "notifications_uri: 'http://test-release-enterprise-notifications:8668/v1'" + pattern: "notifications_uri: 'http://test-release-enterprise-notifications:8668/v2'" - matchRegex: path: data["config-ui.yaml"] - pattern: "reports_uri: 'http://test-release-enterprise-api:8558/v1'" + pattern: "reports_uri: 'http://test-release-enterprise-api:8558/v2'" - it: should set the correct protocol with anchoreConfig.internalServicesSSL.enabled to true for ui_configmap.yaml set: 
@@ -993,16 +993,16 @@ tests: asserts: - matchRegex: path: data["config-ui.yaml"] - pattern: "engine_uri: 'https://test-release-enterprise-api:8228/v1'" + pattern: "engine_uri: 'https://test-release-enterprise-api:8228/v2'" - matchRegex: path: data["config-ui.yaml"] - pattern: "rbac_uri: 'https://test-release-enterprise-rbac-manager:8229/v1'" + pattern: "rbac_uri: 'https://test-release-enterprise-rbac-manager:8229/v2'" - matchRegex: path: data["config-ui.yaml"] - pattern: "notifications_uri: 'https://test-release-enterprise-notifications:8668/v1'" + pattern: "notifications_uri: 'https://test-release-enterprise-notifications:8668/v2'" - matchRegex: path: data["config-ui.yaml"] - pattern: "reports_uri: 'https://test-release-enterprise-api:8558/v1'" + pattern: "reports_uri: 'https://test-release-enterprise-api:8558/v2'" - it: should render nodePort when set set: From ab4dbdca4436f8eab671616a9b4fb55b62ac519d Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 13 Sep 2023 10:24:50 -0400 Subject: [PATCH 196/329] bumping chart version of enterprise Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- .../tests/__snapshot__/configmap_test.yaml.snap | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index dc4d2a8b..bf8f7179 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.0.4" +version: "0.0.3" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index eace7bf5..5ccc7be5 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap 
@@ -35,7 +35,7 @@ should render the configmaps: app.kubernetes.io/version: 4.9.1 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.4 + helm.sh/chart: enterprise-0.0.3 name: test-release-enterprise-analyzer namespace: test-namespace 2: | @@ -336,7 +336,7 @@ should render the configmaps: app.kubernetes.io/version: 4.9.1 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.4 + helm.sh/chart: enterprise-0.0.3 name: test-release-enterprise namespace: test-namespace 3: | @@ -421,7 +421,7 @@ should render the configmaps: app.kubernetes.io/version: 4.9.1 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.4 + helm.sh/chart: enterprise-0.0.3 name: test-release-enterprise-config-env-vars namespace: test-namespace 4: | @@ -465,7 +465,7 @@ should render the configmaps: app.kubernetes.io/version: 4.9.1 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.4 + helm.sh/chart: enterprise-0.0.3 name: test-release-enterprise-policy-bundles namespace: test-namespace 5: | @@ -486,6 +486,6 @@ should render the configmaps: app.kubernetes.io/version: 4.9.1 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.4 + helm.sh/chart: enterprise-0.0.3 name: test-release-enterprise-ui namespace: test-namespace From fffc17be69f187f3e231a10812ff2f36814cf266 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 13 Sep 2023 10:37:12 -0400 Subject: [PATCH 197/329] adding default values for service apiVersion Signed-off-by: Hung Nguyen --- .../enterprise/tests/common_helpers_test.yaml | 23 +++++++++++++++++++ stable/enterprise/values.yaml | 9 ++++++++ 2 files changed, 32 insertions(+) diff --git a/stable/enterprise/tests/common_helpers_test.yaml b/stable/enterprise/tests/common_helpers_test.yaml index f9ea3d38..1f884553 100644 --- a/stable/enterprise/tests/common_helpers_test.yaml +++ b/stable/enterprise/tests/common_helpers_test.yaml 
@@ -1004,6 +1004,29 @@ tests: path: data["config-ui.yaml"] pattern: "reports_uri: 'https://test-release-enterprise-api:8558/v2'" + - it: should set the correct apiVersion for ui_configmap.yaml + set: + api.service.apiVersion: "v1" + reports.service.apiVersion: "v1" + notifications.service.apiVersion: "v1" + rbacManager.service.apiVersion: "v1" + templates: + - ui_configmap.yaml + documentIndex: 0 + asserts: + - matchRegex: + path: data["config-ui.yaml"] + pattern: "engine_uri: 'http://test-release-enterprise-api:8228/v1'" + - matchRegex: + path: data["config-ui.yaml"] + pattern: "rbac_uri: 'http://test-release-enterprise-rbac-manager:8229/v1'" + - matchRegex: + path: data["config-ui.yaml"] + pattern: "notifications_uri: 'http://test-release-enterprise-notifications:8668/v1'" + - matchRegex: + path: data["config-ui.yaml"] + pattern: "reports_uri: 'http://test-release-enterprise-api:8558/v1'" + - it: should render nodePort when set set: api.service.nodePort: 9999 diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index e8070119..590a4329 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -613,6 +613,7 @@ api: ## @param api.service.annotations Annotations for Anchore API service ## @param api.service.labels Labels for Anchore API service ## @param api.service.nodePort nodePort for Anchore API service + ## @param api.service.apiVersion apiVersion for Anchore UI service to use when reaching out to the enterprise api ## service: type: ClusterIP @@ -621,6 +622,7 @@ api: annotations: {} labels: {} nodePort: "" + apiVersion: v2 ## @param api.extraEnv Set extra environment variables for Anchore API pods ## 
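Review bot: The new `@param` text `apiVersion for Anchore UI service to use when reaching out to the enterprise api` is introduced under `api.service` here and then repeated verbatim for notifications, reports and rbacManager in the next hunks, where the UI is calling the notifications or RBAC manager service rather than the enterprise API; a per-section wording such as `## @param notifications.service.apiVersion API version path segment the UI uses when calling the Notifications service` keeps the generated README accurate. It would also help to say that the value only affects the UI configmap, since the surrounding keys all describe the backend Service object itself. The `should set the correct apiVersion` test overrides all four values to `v1` but does not assert on `enterprise_uri`, which this series pins to `/v2`; one more `matchRegex` on `enterprise_uri: 'http://test-release-enterprise-api:8228/v2'` would document that it is intentionally unaffected.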
@@ -889,6 +891,7 @@ notifications: ## @param notifications.service.annotations Annotations for Anchore Notifications service ## @param notifications.service.labels Labels for Anchore Notifications service ## @param notifications.service.nodePort nodePort for Anchore Notifications service + ## @param notifications.service.apiVersion apiVersion for Anchore UI service to use when reaching out to the enterprise api ## service: type: ClusterIP @@ -896,6 +899,7 @@ notifications: annotations: {} labels: {} nodePort: "" + apiVersion: v2 ## @param notifications.extraEnv Set extra environment variables for Anchore Notifications pods ## @@ -942,6 +946,7 @@ reports: ## @param reports.service.annotations Annotations for Anchore Reports service ## @param reports.service.labels Labels for Anchore Reports service ## @param reports.service.nodePort nodePort for Anchore Reports service + ## @param reports.service.apiVersion apiVersion for Anchore UI service to use when reaching out to the enterprise api ## service: type: ClusterIP @@ -949,6 +954,7 @@ reports: annotations: {} labels: {} nodePort: "" + apiVersion: v2 ## @param reports.extraEnv Set extra environment variables for Anchore Reports pods ## @@ -1007,6 +1013,7 @@ rbacManager: ## @param rbacManager.service.annotations Annotations for Anchore RBAC Manager service ## @param rbacManager.service.labels Labels for Anchore RBAC Manager service ## @param rbacManager.service.nodePort nodePort for Anchore RBAC Manager service + ## @param rbacManager.service.apiVersion apiVersion for Anchore UI service to use when reaching out to the enterprise api ## service: type: ClusterIP @@ -1014,6 +1021,7 @@ rbacManager: annotations: {} labels: {} nodePort: "" + apiVersion: v2 ## @param rbacManager.extraEnv Set extra environment variables for Anchore RBAC Manager pods ## @@ -1087,6 +1095,7 @@ ui: sessionAffinity: ClientIP nodePort: "" + ## @param ui.extraEnv Set extra environment variables for Anchore UI pods ## extraEnv: [] 
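Review bot: The `@param` descriptions added for `notifications.service.apiVersion`, `reports.service.apiVersion` and `rbacManager.service.apiVersion` in the `@@ -889`, `@@ -942` and `@@ -1007` hunks all say "when reaching out to the enterprise api", which is a copy of the `api.service.apiVersion` text; the unit test in the same commit shows each value feeding its own service's URI (`notifications_uri`, `reports_uri`, `rbac_uri`), so the wording misdescribes three of the four parameters and will be propagated into README.md by the readme generator. Suggested wording, repeated for the other two: `## @param notifications.service.apiVersion apiVersion for Anchore UI service to use when reaching out to the notifications service`. The `@@ -1087` hunk under `ui:` adds only a blank line and looks unrelated to the change; it can be dropped.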
From 255ead3a8c93eefaff0290df26927d3900c2868a Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 13 Sep 2023 10:51:43 -0400 Subject: [PATCH 198/329] adding check for readme generator Signed-off-by: Hung Nguyen --- .github/workflows/chart-readme-table-generator.yaml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/chart-readme-table-generator.yaml b/.github/workflows/chart-readme-table-generator.yaml index c16027c7..10aef747 100644 --- a/.github/workflows/chart-readme-table-generator.yaml +++ b/.github/workflows/chart-readme-table-generator.yaml @@ -42,9 +42,14 @@ jobs: files_changed="$(git diff --name-only origin/${TARGET_BRANCH} | sort | uniq)" # Adding || true to avoid "Process exited with code 1" errors charts_dirs_changed="$(echo "$files_changed" | xargs dirname | grep -o "stable/[^/]*" | sort | uniq || true)" + for chart in ${charts_dirs_changed}; do - echo "Updating README.md for ${chart}" - readme-generator --values "${chart}/values.yaml" --readme "${chart}/README.md" --schema "/tmp/schema.json" + if [[ "$chart" == "stable/enterprise" || "$chart" == "stable/feeds" ]]; then + echo "Updating README.md for ${chart}" + readme-generator --values "${chart}/values.yaml" --readme "${chart}/README.md" --schema "/tmp/schema.json" + else + echo "'chart' is not equal to 'stable/enterprise' or 'stable/feeds'. Moving on." + fi done - name: Push changes run: | From eff4760c27cac113f36784ae2e23439e95dcbe80 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 13 Sep 2023 10:53:31 -0400 Subject: [PATCH 199/329] remove readme generator into its own branch Signed-off-by: Hung Nguyen --- .github/workflows/chart-readme-table-generator.yaml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/.github/workflows/chart-readme-table-generator.yaml b/.github/workflows/chart-readme-table-generator.yaml index 10aef747..c16027c7 100644 --- a/.github/workflows/chart-readme-table-generator.yaml 
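Review bot: The new `else` branch echoes the literal word `'chart'` instead of the directory being skipped, so the log line carries no information about which chart was passed over; change it to `echo "'${chart}' is not 'stable/enterprise' or 'stable/feeds'. Moving on."`. The allow-list is hard-coded in the condition, so a one-line comment above the `if` naming why only those two charts run the generator would help the next maintainer. The following commit in this series reverts this hunk, so the fix applies wherever the gate is reintroduced.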
+++ b/.github/workflows/chart-readme-table-generator.yaml @@ -42,14 +42,9 @@ jobs: files_changed="$(git diff --name-only origin/${TARGET_BRANCH} | sort | uniq)" # Adding || true to avoid "Process exited with code 1" errors charts_dirs_changed="$(echo "$files_changed" | xargs dirname | grep -o "stable/[^/]*" | sort | uniq || true)" - for chart in ${charts_dirs_changed}; do - if [[ "$chart" == "stable/enterprise" || "$chart" == "stable/feeds" ]]; then - echo "Updating README.md for ${chart}" - readme-generator --values "${chart}/values.yaml" --readme "${chart}/README.md" --schema "/tmp/schema.json" - else - echo "'chart' is not equal to 'stable/enterprise' or 'stable/feeds'. Moving on." - fi + echo "Updating README.md for ${chart}" + readme-generator --values "${chart}/values.yaml" --readme "${chart}/README.md" --schema "/tmp/schema.json" done - name: Push changes run: | From a02075b888a5595bc399a5941b1ab1e69d2fec43 Mon Sep 17 00:00:00 2001 From: Anchore BitnamiReadmeGenerator Date: Wed, 13 Sep 2023 16:18:08 +0000 Subject: [PATCH 200/329] Update README.md with readme-generator-for-helm Signed-off-by: Anchore BitnamiReadmeGenerator --- stable/enterprise/README.md | 134 +++++++++++++++++++----------------- 1 file changed, 69 insertions(+), 65 deletions(-) diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 33c301b1..901bc905 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md 
@@ -787,23 +787,24 @@ ui-redis: ### Anchore API k8s Deployment Parameters -| Name | Description | Value | -| ------------------------- | ---------------------------------------------------- | ----------- | -| `api.replicaCount` | Number of replicas for Anchore API deployment | `1` | -| `api.service.type` | Service type for Anchore API | `ClusterIP` | -| `api.service.port` | Service port for Anchore API | `8228` | -| `api.service.reportsPort` | Service port for Anchore Reports API | `8558` | -| `api.service.annotations` | Annotations for Anchore API service | `{}` | -| `api.service.labels` | Labels for Anchore API service | `{}` | -| `api.service.nodePort` | nodePort for Anchore API service | `""` | -| `api.extraEnv` | Set extra environment variables for Anchore API pods | `[]` | -| `api.resources` | Resource requests and limits for Anchore API pods | `{}` | -| `api.labels` | Labels for Anchore API pods | `{}` | -| `api.annotations` | Annotation for Anchore API pods | `{}` | -| `api.nodeSelector` | Node labels for Anchore API pod assignment | `{}` | -| `api.tolerations` | Tolerations for Anchore API pod assignment | `[]` | -| `api.affinity` | Affinity for Anchore API pod assignment | `{}` | -| `api.serviceAccountName` | Service account name for Anchore API pods | `""` | +| Name | Description | Value | +| ------------------------- | -------------------------------------------------------------------------------- | ----------- | +| `api.replicaCount` | Number of replicas for Anchore API deployment | `1` | +| `api.service.type` | Service type for Anchore API | `ClusterIP` | +| `api.service.port` | Service port for Anchore API | `8228` | +| `api.service.reportsPort` | Service port for Anchore Reports API | `8558` | +| `api.service.annotations` | Annotations for Anchore API service | `{}` | +| `api.service.labels` | Labels for Anchore API service | `{}` | +| `api.service.nodePort` | nodePort for Anchore API service | `""` | +| `api.service.apiVersion` | apiVersion for 
Anchore UI service to use when reaching out to the enterprise api | `v2` | +| `api.extraEnv` | Set extra environment variables for Anchore API pods | `[]` | +| `api.resources` | Resource requests and limits for Anchore API pods | `{}` | +| `api.labels` | Labels for Anchore API pods | `{}` | +| `api.annotations` | Annotation for Anchore API pods | `{}` | +| `api.nodeSelector` | Node labels for Anchore API pod assignment | `{}` | +| `api.tolerations` | Tolerations for Anchore API pod assignment | `[]` | +| `api.affinity` | Affinity for Anchore API pod assignment | `{}` | +| `api.serviceAccountName` | Service account name for Anchore API pods | `""` | ### Anchore Analyzer k8s Deployment Parameters 
@@ -887,41 +888,43 @@ ui-redis: ### Anchore Notifications Parameters -| Name | Description | Value | -| ----------------------------------- | -------------------------------------------------------------- | ----------- | -| `notifications.replicaCount` | Number of replicas for the Anchore Notifications deployment | `1` | -| `notifications.service.type` | Service type for Anchore Notifications | `ClusterIP` | -| `notifications.service.port` | Service port for Anchore Notifications | `8668` | -| `notifications.service.annotations` | Annotations for Anchore Notifications service | `{}` | -| `notifications.service.labels` | Labels for Anchore Notifications service | `{}` | -| `notifications.service.nodePort` | nodePort for Anchore Notifications service | `""` | -| `notifications.extraEnv` | Set extra environment variables for Anchore Notifications pods | `[]` | -| `notifications.resources` | Resource requests and limits for Anchore Notifications pods | `{}` | -| `notifications.labels` | Labels for Anchore Notifications pods | `{}` | -| `notifications.annotations` | Annotation for Anchore Notifications pods | `{}` | -| `notifications.nodeSelector` | Node labels for Anchore Notifications pod assignment | `{}` | -| `notifications.tolerations` | Tolerations for Anchore Notifications pod assignment | `[]` | -| `notifications.affinity` | Affinity for Anchore Notifications pod assignment | `{}` | -| `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | +| Name | Description | Value | +| ----------------------------------- | -------------------------------------------------------------------------------- | ----------- | +| `notifications.replicaCount` | Number of replicas for the Anchore Notifications deployment | `1` | +| `notifications.service.type` | Service type for Anchore Notifications | `ClusterIP` | +| `notifications.service.port` | Service port for Anchore Notifications | `8668` | +| `notifications.service.annotations` | 
Annotations for Anchore Notifications service | `{}` | +| `notifications.service.labels` | Labels for Anchore Notifications service | `{}` | +| `notifications.service.nodePort` | nodePort for Anchore Notifications service | `""` | +| `notifications.service.apiVersion` | apiVersion for Anchore UI service to use when reaching out to the enterprise api | `v2` | +| `notifications.extraEnv` | Set extra environment variables for Anchore Notifications pods | `[]` | +| `notifications.resources` | Resource requests and limits for Anchore Notifications pods | `{}` | +| `notifications.labels` | Labels for Anchore Notifications pods | `{}` | +| `notifications.annotations` | Annotation for Anchore Notifications pods | `{}` | +| `notifications.nodeSelector` | Node labels for Anchore Notifications pod assignment | `{}` | +| `notifications.tolerations` | Tolerations for Anchore Notifications pod assignment | `[]` | +| `notifications.affinity` | Affinity for Anchore Notifications pod assignment | `{}` | +| `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | ### Anchore Reports Parameters -| Name | Description | Value | -| ----------------------------- | -------------------------------------------------------- | ----------- | -| `reports.replicaCount` | Number of replicas for the Anchore Reports deployment | `1` | -| `reports.service.type` | Service type for Anchore Reports | `ClusterIP` | -| `reports.service.port` | Service port for Anchore Reports Worker | `8558` | -| `reports.service.annotations` | Annotations for Anchore Reports service | `{}` | -| `reports.service.labels` | Labels for Anchore Reports service | `{}` | -| `reports.service.nodePort` | nodePort for Anchore Reports service | `""` | -| `reports.extraEnv` | Set extra environment variables for Anchore Reports pods | `[]` | -| `reports.resources` | Resource requests and limits for Anchore Reports pods | `{}` | -| `reports.labels` | Labels for Anchore Reports pods | `{}` | -| 
`reports.annotations` | Annotation for Anchore Reports pods | `{}` | -| `reports.nodeSelector` | Node labels for Anchore Reports pod assignment | `{}` | -| `reports.tolerations` | Tolerations for Anchore Reports pod assignment | `[]` | -| `reports.affinity` | Affinity for Anchore Reports pod assignment | `{}` | -| `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | +| Name | Description | Value | +| ----------------------------- | -------------------------------------------------------------------------------- | ----------- | +| `reports.replicaCount` | Number of replicas for the Anchore Reports deployment | `1` | +| `reports.service.type` | Service type for Anchore Reports | `ClusterIP` | +| `reports.service.port` | Service port for Anchore Reports Worker | `8558` | +| `reports.service.annotations` | Annotations for Anchore Reports service | `{}` | +| `reports.service.labels` | Labels for Anchore Reports service | `{}` | +| `reports.service.nodePort` | nodePort for Anchore Reports service | `""` | +| `reports.service.apiVersion` | apiVersion for Anchore UI service to use when reaching out to the enterprise api | `v2` | +| `reports.extraEnv` | Set extra environment variables for Anchore Reports pods | `[]` | +| `reports.resources` | Resource requests and limits for Anchore Reports pods | `{}` | +| `reports.labels` | Labels for Anchore Reports pods | `{}` | +| `reports.annotations` | Annotation for Anchore Reports pods | `{}` | +| `reports.nodeSelector` | Node labels for Anchore Reports pod assignment | `{}` | +| `reports.tolerations` | Tolerations for Anchore Reports pod assignment | `[]` | +| `reports.affinity` | Affinity for Anchore Reports pod assignment | `{}` | +| `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | ### Anchore RBAC Authentication Parameters 
@@ -932,22 +935,23 @@ ui-redis: ### Anchore RBAC Manager Parameters -| Name | Description | Value | -| --------------------------------- | ------------------------------------------------------------- | ----------- | -| `rbacManager.replicaCount` | Number of replicas for the Anchore RBAC Manager deployment | `1` | -| `rbacManager.service.type` | Service type for Anchore RBAC Manager | `ClusterIP` | -| `rbacManager.service.port` | Service port for Anchore RBAC Manager | `8229` | -| `rbacManager.service.annotations` | Annotations for Anchore RBAC Manager service | `{}` | -| `rbacManager.service.labels` | Labels for Anchore RBAC Manager service | `{}` | -| `rbacManager.service.nodePort` | nodePort for Anchore RBAC Manager service | `""` | -| `rbacManager.extraEnv` | Set extra environment variables for Anchore RBAC Manager pods | `[]` | -| `rbacManager.resources` | Resource requests and limits for Anchore RBAC Manager pods | `{}` | -| `rbacManager.labels` | Labels for Anchore RBAC Manager pods | `{}` | -| `rbacManager.annotations` | Annotation for Anchore RBAC Manager pods | `{}` | -| `rbacManager.nodeSelector` | Node labels for Anchore RBAC Manager pod assignment | `{}` | -| `rbacManager.tolerations` | Tolerations for Anchore RBAC Manager pod assignment | `[]` | -| `rbacManager.affinity` | Affinity for Anchore RBAC Manager pod assignment | `{}` | -| `rbacManager.serviceAccountName` | Service account name for Anchore RBAC Manager pods | `""` | +| Name | Description | Value | +| --------------------------------- | -------------------------------------------------------------------------------- | ----------- | +| `rbacManager.replicaCount` | Number of replicas for the Anchore RBAC Manager deployment | `1` | +| `rbacManager.service.type` | Service type for Anchore RBAC Manager | `ClusterIP` | +| `rbacManager.service.port` | Service port for Anchore RBAC Manager | `8229` | +| `rbacManager.service.annotations` | Annotations for Anchore RBAC Manager service | `{}` | +| 
`rbacManager.service.labels` | Labels for Anchore RBAC Manager service | `{}` | +| `rbacManager.service.nodePort` | nodePort for Anchore RBAC Manager service | `""` | +| `rbacManager.service.apiVersion` | apiVersion for Anchore UI service to use when reaching out to the enterprise api | `v2` | +| `rbacManager.extraEnv` | Set extra environment variables for Anchore RBAC Manager pods | `[]` | +| `rbacManager.resources` | Resource requests and limits for Anchore RBAC Manager pods | `{}` | +| `rbacManager.labels` | Labels for Anchore RBAC Manager pods | `{}` | +| `rbacManager.annotations` | Annotation for Anchore RBAC Manager pods | `{}` | +| `rbacManager.nodeSelector` | Node labels for Anchore RBAC Manager pod assignment | `{}` | +| `rbacManager.tolerations` | Tolerations for Anchore RBAC Manager pod assignment | `[]` | +| `rbacManager.affinity` | Affinity for Anchore RBAC Manager pod assignment | `{}` | +| `rbacManager.serviceAccountName` | Service account name for Anchore RBAC Manager pods | `""` | ### Anchore UI Parameters From 307f0ec690f1689626604a9932538a68589afc97 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 13 Sep 2023 09:15:00 -0700 Subject: [PATCH 201/329] add anchore-engine migration docs (#122) * add anchore-engine migration docs * clean up more sections * bump chart version * update unittest snapshots --------- Signed-off-by: Brady Todhunter --- README.md | 2 +- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 398 ++++++++++-------- .../__snapshot__/configmap_test.yaml.snap | 10 +- 4 files changed, 238 insertions(+), 174 deletions(-) diff --git a/README.md b/README.md index d3774568..8821742b 100644 --- a/README.md +++ b/README.md 
@@ -5,7 +5,7 @@ This repository contains Helm charts for deploying [Anchore](https://www.anchore ## Prerequisites - [Helm](https://helm.sh/) (>=3.8) - Helm is a package manager for Kubernetes that makes it easy to install and manage applications on your cluster. -- [Kubernetes](https://kubernetes.io/) (>=1.25) - Kubernetes is an open-source container orchestration platform that is required to use Helm charts. +- [Kubernetes](https://kubernetes.io/) (>=1.23) - Kubernetes is an open-source container orchestration platform that is required to use Helm charts. ## Installation diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index bf8f7179..1ca5b02d 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.0.3" +version: "0.0.5" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 901bc905..c462c18f 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -1,5 +1,7 @@ # Anchore Enterprise Helm Chart +> :exclamation: **Important:** View the **[Chart Release Notes](#release-notes)** for the latest changes prior to installation or upgrading. + This Helm chart deploys Anchore Enterprise on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. Anchore Enterprise is an software bill of materials (SBOM) - powered software supply chain management solution designed for a cloud-native world. It provides continuous visibility into supply chain security risks. Anchore Enterprise takes a developer-friendly approach that minimizes friction by embedding automation into development toolchains to generate SBOMs and accurately identify vulnerabilities, malware, misconfigurations, and secrets for faster remediation. 
@@ -10,16 +12,16 @@ See the [Anchore Enterprise Documentation](https://docs.anchore.com) for more de - [Prerequisites](#prerequisites) - [Installing the Chart](#installing-the-chart) +- [Upgrading](#upgrading-the-chart) - [Uninstalling the Chart](#uninstalling-the-chart) - [Configuration](#configuration) - - [External Database Setup](#external-database-setup) + - [External Database Requirements](#external-database-requirements) - [Enterprise Feeds Configuration](#enterprise-feeds-configuration) - [Analyzer Image Layer Cache Configuration](#analyzer-image-layer-cache-configuration) - [Configuring Object Storage](#configuring-object-storage) - [Configuring Analysis Archive Storage](#configuring-analysis-archive-storage) - [Existing Secrets](#existing-secrets) - [Ingress](#ingress) - - [Configuring The ALB Ingress Controller](#configuring-the-alb-ingress-controller) - [SSO](#sso) - [Prometheus Metrics](#prometheus-metrics) - [Scaling Individual Services](#scaling-individual-services) 
@@ -27,123 +29,124 @@ See the [Anchore Enterprise Documentation](https://docs.anchore.com) for more de - [Anchore Enterprise Notifications](#anchore-enterprise-notifications) - [Anchore Enterprise Reports](#anchore-enterprise-reports) - [Installing on Openshift](#installing-on-openshift) + - [Migrating to the Anchore Enterprise Helm Chart](#migrating-to-the-anchore-enterprise-helm-chart) - [Parameters](#parameters) - [Release Notes](#release-notes) ## Prerequisites -* [Helm](https://helm.sh/) >=3.8- [Anchore Enterprise Helm Chart](#anchore-enterprise-helm-chart) -* [Kubernetes](https://kubernetes.io/) >=1.23 +- [Helm](https://helm.sh/) >=3.8 +- [Kubernetes](https://kubernetes.io/) >=1.23 ## Installing the Chart -**View the [Chart Release Notes](#release-notes) for the latest changes prior to installation or upgrading.** - -Create a kubernetes secret containing your license file +> **Note**: For migration steps from an Anchore Engine Helm chart deployment, refer to the [Migrating to the Anchore Enterprise Helm Chart](#migrating-to-the-anchore-enterprise-helm-chart) section. -```shell -export LICENSE_PATH="PATH TO LICENSE.YAML" +This guide covers deploying Anchore Enterprise on a Kubernetes cluster with the default configuration. For further customization, refer to the [Parameters](#parameters) section. -kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=${LICENSE_PATH} -``` +1. **Create a Kubernetes Secret for License File**: Generate a Kubernetes secret to store your Anchore Enterprise license file. -Create a kubernetes secret containing DockerHub credentials with access to the private Anchore Enterprise repositories. Contact [Anchore Support](https://get.anchore.com/contact/) for access. 
+ ```shell + export LICENSE_PATH="${PWD}/license.yaml" + kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=${LICENSE_PATH} + ``` -```shell -export DOCKERHUB_PASSWORD="YOUR DOCKERHUB PASSWORD" -export DOCKERHUB_USER="YOUR DOCKERHUB USERNAME" -export DOCKERHUB_EMAIL="YOUR EMAIL ADDRESS" +1. **Create a Kubernetes Secret for DockerHub Credentials**: Generate another Kubernetes secret for DockerHub credentials. These credentials should have access to private Anchore Enterprise repositories. Contact [Anchore Support](https://get.anchore.com/contact/) to obtain access. -kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=${DOCKERHUB_USER} --docker-password=${DOCKERHUB_PASSWORD} --docker-email=${DOCKERHUB_EMAIL} -``` + ```shell + export DOCKERHUB_PASSWORD="password" + export DOCKERHUB_USER="username" + export DOCKERHUB_EMAIL="example@email.com" + kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=${DOCKERHUB_USER} --docker-password=${DOCKERHUB_PASSWORD} --docker-email=${DOCKERHUB_EMAIL} + ``` -Add Helm Chart Repository And Install Chart +1. **Add Chart Repository & Deploy Anchore Enterprise**: Create a custom values file, named `anchore_values.yaml`, to override any chart parameters. Refer to the [Parameters](#parameters) section for available options. -```shell -helm repo add anchore https://charts.anchore.io -``` + > :exclamation: **Important**: Default passwords are specified in the chart. It's highly recommended to modify these before deploying. -Create a new file named `anchore_values.yaml` and add all desired custom [values](#parameters); then run the following command: + ```shell + export RELEASE=my-release + helm repo add anchore https://charts.anchore.io + helm install ${RELEASE} -f anchore_values.yaml anchore/enterprise + ``` -> **Note:** Passwords are set to defaults specified in the chart. 
It is strongly recommended to change passwords from the defaults when deploying. + > **Note**: This command installs Anchore Enterprise with a chart-managed PostgreSQL database, which may not be suitable for production use. -```shell -export RELEASE="YOUR RELEASE NAME" +1. **Post-Installation Steps**: Anchore Enterprise will take some time to initialize. After the bootstrap phase, it will begin a vulnerability feed sync. Image analysis will show zero vulnerabilities until this sync is complete. This can take several hours based on the enabled feeds. Use the following [anchorectl](https://docs.anchore.com/current/docs/deployment/anchorectl/) commands to check the system status: -helm install ${RELEASE} -f anchore_values.yaml anchore/enterprise -``` + ```shell + export RELEASE=my-release + export ANCHORECTL_PASSWORD=$(kubectl get secret "${RELEASE}-enterprise" -o ‘go-template={{index .data “ANCHORE_ADMIN_PASSWORD”}}’ | base64 -D -) + kubectl port-forward svc/${RELEASE}-enterprise-api 8228:8228 # port forward for anchorectl in another terminal + anchorectl system wait # anchorectl defaults to the user admin, and to the password ${ANCHORECTL_PASSWORD} automatically if set + ``` -> **Note:** This installs Anchore Enterprise with a chart-managed Postgresql database, which may not be a production ready configuration. + > **Tip**: List all releases using `helm list` -Anchore Enterprise will take several minutes to bootstrap. After the initial bootstrap period, Anchore Enterprise will begin a vulnerability feed sync. Until the sync is completed, image analysis will show zero vulnerabilities. 
**This sync can take multiple hours depending on which feeds are enabled.** The following [anchorectl](https://docs.anchore.com/current/docs/deployment/anchorectl/) command is available to poll and report back when the system is bootstrapped and vulnerability feeds have finished syncing: +## Upgrading the Chart -```shell -export RELEASE="YOUR RELEASE NAME" +A Helm pre-upgrade hook initiates a Kubernetes job that scales down all active Anchore Enterprise pods and handles the Anchore database upgrade. -export ANCHORECTL_PASSWORD=$(kubectl get secret "${RELEASE}-enterprise" -o ‘go-template={{index .data “ANCHORE_ADMIN_PASSWORD”}}’ | base64 -D -) +The Helm upgrade is marked as successful only upon the job's completion. This process causes the Helm client to pause until the job finishes and new Anchore Enterprise pods are initiated. To monitor the upgrade, follow the logs of the upgrade jobs, which are automatically removed after a successful Helm upgrade. -# port forward or set up ingress for anchorectl; example, in another terminal: -# kubectl port-forward svc/${RELEASE}-enterprise-api 8228:8228 - -anchorectl system wait # anchorectl defaults to the user admin, and to the password ${ANCHORECTL_PASSWORD} automatically if set -``` - -> **Tip**: List all releases using `helm list` - -These commands deploy Anchore Enterprise on the Kubernetes cluster with default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + ```shell + export RELEASE=my-release + helm upgrade ${RELEASE} -f anchore_values.yaml anchore/enterprise + ``` ## Uninstalling the Chart -To uninstall/delete the deployment: - -```bash -export RELEASE="YOUR RELEASE NAME" - -helm delete ${RELEASE} -``` +To completely remove the Anchore Enterprise deployment and associated Kubernetes resources, follow the steps below: -The command removes all the Kubernetes components associated with the chart and deletes the release. 
+ ```shell + export RELEASE=my-release + helm delete ${RELEASE} + ``` ## Configuration -The following sections describe the various configuration options available for Anchore Enterprise. The default configuration is set in the included [values file](https://github.com/anchore/anchore-charts-dev/blob/main/stable/enterprise/values.yaml). To override these values, create a custom `anchore_values.yaml` file and add the desired configuration options. Your custom values file can be passed to `helm install` using the `-f` flag. +This section outlines the available configuration options for Anchore Enterprise. The default settings are specified in the bundled [values file](https://github.com/anchore/anchore-charts-dev/blob/main/stable/enterprise/values.yaml). To customize these settings, create your own `anchore_values.yaml` file and populate it with the configuration options you wish to override. To apply your custom configuration during installation, pass your custom values file to the `helm install` command: -Contact [Anchore Support](get.anchore.com/contact/) for more assistance with configuring your deployment. +```shell +helm install my-release anchore/enterprise -f custom_values.yaml +``` + +For additional guidance on customizing your Anchore Enterprise deployment, reach out to [Anchore Support](get.anchore.com/contact/). -### External Database Setup +### External Database Requirements -Anchore Enterprise requires access to a Postgres-compatible database, version 13 or higher to operate. An external database such as AWS RDS or Google CloudSQL is recommended for production deployments. The Helm chart provides a chart-managed database by default unless otherwise configured. +Anchore Enterprise requires the use of a PostgreSQL-compatible database version 13 or above. For production environments, leveraging managed database services like AWS RDS or Google Cloud SQL is advised. 
While the Helm chart includes a chart-managed database by default, you can override this setting to use an external database. -A minimum of 100GB allocated storage is recommended for images, tags, subscriptions, policies, and other artifacts. The database should be configured for max client connections of at least 2000. This may need to be increased when running more than the default number of Anchore services. +For optimal performance, allocate a minimum of 100GB storage to accommodate images, tags, subscriptions, policies, and other data entities. Furthermore, configure the database to support a minimum of 2,000 client connections. This limit may need to be adjusted upward if you're running more Anchore services than the default configuration. #### External Postgres Database Configuration ```yaml postgresql: chartEnabled: false - - # auth.username, auth.password & auth.database are required values for external Postgres auth.password: auth.username: auth.database: - - # Required for external Postgres. - # Specify an external (already existing) Postgres deployment for use. - # Set to the host eg. mypostgres.myserver.io externalEndpoint: anchoreConfig: database: ssl: true sslMode: require - ``` #### RDS Postgres Database Configuration With TLS -Note that the `postgresql:` configuration section is the same as the previous example. +To obtain a comprehensive AWS RDS PostgreSQL certificate bundle, which includes both intermediate and root certificates for all AWS regions, you can download it [here](https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem). An example of creating the certificate secret can be found in [TLS Configuration](#using-tls-internally). ```yaml +postgresql: + chartEnabled: false + auth.password: + auth.username: + auth.database: + externalEndpoint: + certStoreSecretName: some-cert-store-secret anchoreConfig: 
@@ -152,13 +155,8 @@ anchoreConfig: sslMode: verify-full # sslRootCertName is the name of the Postgres root CA certificate stored in certStoreSecretName sslRootCertFileName: postgres-root-ca-cert - ``` -To get a AWS RDS Postgres certificate bundle that contains both the intermediate and root certificates for all AWS Regions, download [here](https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem). - -An example of creating the certificate secret can be found in [TLS Configuration](#using-tls-internally). - #### Google CloudSQL Database Configuration ```yaml @@ -170,9 +168,7 @@ postgresql: auth.database: cloudsql: - # To use CloudSQL in GKE set 'enable: true' enabled: true - # set CloudSQL instance: 'project:zone:instancename' instance: "project:zone:instancename" # Optional existing service account secret to use. See https://cloud.google.com/sql/docs/postgres/authentication useExistingServiceAcc: true 
@@ -197,17 +193,15 @@ feeds: # The GitHub feeds driver requires a GitHub developer personal access token with no permission scopes selected. # See https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token token: your-github-token - - # Enable microsoft feeds msrc: enabled: true ``` #### Enterprise Feeds External Database Configuration -Anchore Enterprise Feeds require access to a Postgres-compatible database, version 13 or higher to operate. Note that this is a separate database from the primary Anchore Enterprise database. For Enterprise Feeds, an external database such as AWS RDS or Google CloudSQL is recommended for production deployments. The Helm chart provides a chart-managed database by default unless otherwise configured. +Anchore Enterprise Feeds requires the use of a PostgreSQL-compatible database version 13 or above. This database is distinct from the primary Anchore Enterprise database. For production environments, leveraging managed database services like AWS RDS or Google Cloud SQL is advised. While the Helm chart includes a chart-managed database by default, you can override this setting to use an external database. -See previous examples of configuring RDS Postgres and Google CloudSQL. +See previous [examples](#external-database-requirements) of configuring RDS Postgresql and Google CloudSQL. ```yaml feeds: 
@@ -217,49 +211,34 @@ feeds: sslMode: require feeds-db: - # enabled: false disables the chart-managed Postgres instance; this is a Helmism enabled: false - - # auth.username, auth.password & auth.database are required values for external Postgres auth.password: auth.username: auth.database: - - # Required for external Postgres. - # Specify an external (already existing) Postgres deployment for use. - # Set to the host eg. mypostgres.myserver.io externalEndpoint: - ``` ### Analyzer Image Layer Cache Configuration -To improve performance, the Anchore Enterprise Analyzer can be configured to cache image layers. This can be -particularly helpful if many images analyzed are built from the same set of base images. +To improve performance, the Anchore Enterprise Analyzer can be configured to cache image layers. This can be particularly helpful if many images analyzed are built from the same set of base images. -It is recommended that layer cache data is stored in an external volume to ensure that the cache does not use all -of the ephemeral storage allocated for an analyzer host. See [Anchore Enterprise Layer Caching](https://docs.anchore.com/current/docs/configuration/storage/layer_caching/) -documentation for details. +It is recommended that layer cache data is stored in an external volume to ensure that the cache does not use all of the ephemeral storage allocated for an analyzer host. See [Anchore Enterprise Layer Caching](https://docs.anchore.com/current/docs/configuration/storage/layer_caching/) documentation for details. Refer to the default values file for configuring the analysis scratch volume. ```yaml anchoreConfig: analyzer: - # Enable image layer caching by setting a cache size > 0GB. layer_cache_max_gigabytes: 6 ``` -Refer to the default values file for configuring the analysis scratch volume. - ### Configuring Object Storage -Anchore Enterprise stores metadata for images, tags, policies, and subscriptions. 
+Anchore Enterprise utilizes an object storage system to persistently store metadata related to images, tags, policies, and subscriptions. #### Configuring The Object Storage Backend -In addition to a database (Postgres) storage backend, Anchore Enterprise object storage drivers -also support S3 and Swift storage. This enables scalable external object storage without burdening Postgres. +In addition to a database (Postgres) storage backend, Anchore Enterprise object storage drivers also support S3 and Swift storage. This enables scalable external object storage without burdening Postgres. -**Note: Using external object storage is recommended for production usage.** +> **Note:** Using external object storage is recommended for production usage. - [Database backend](https://docs.anchore.com/current/docs/configuration/storage/object_store/database_driver/): Postgres database backend; this is the default, so using Postgres as the analysis archive storage backend requires no additional configuration - [Local FS backend](https://docs.anchore.com/current/docs/configuration/storage/object_store/filesystem_driver/): A local filesystem on the core pod (Does not handle sharding or replication; generally recommended only for testing) 
@@ -268,20 +247,17 @@ also support S3 and Swift storage. This enables scalable external object storage ### Configuring Analysis Archive Storage -The analysis archive subsystem of Anchore Enterprise stores large JSON documents and can consume a large amount of storage -depending on the volume of images analyzed. A general rule for storage provisioning is 10MB per image analyzed. Thus with thousands of -analyzed images, you may need many gigabytes of storage. The analysis archive allows configuration of compression and storage backend. +The Analysis Archive subsystem within Anchore Enterprise is designed to store extensive JSON documents, potentially requiring significant storage capacity based on the number of images analyzed. As a general guideline, allocate approximately 10MB of storage per analyzed image. Consequently, analyzing thousands of images could necessitate gigabytes of storage space. The Analysis Archive subsystem offers configurable options for both data compression and selection of the storage backend. Configuration of external analysis archive storage is essentially identical to configuration of external object storage. See [Anchore Enterprise Analysis Archive](https://docs.anchore.com/current/docs/configuration/storage/analysis_archive/) documentation for details. -**Note: Using external analysis archive storage is recommended for production usage.** +> **Note:** Using external analysis archive storage is recommended for production usage. ### Existing Secrets -For deployment scenarios that require version-controlled configuration to be used, it is recommended that credentials not be stored in values files. -To accomplish this, you can manually create Kubernetes secrets and specify them as existing secrets in your values files. +For deployments where version-controlled configurations are essential, it's advised to avoid storing credentials directly in values files. 
Instead, manually create Kubernetes secrets and reference them as existing secrets within your values files. -Below we show example Kubernetes secret objects, and how they would be used in Anchore Enterprise configuration. +Below are sample Kubernetes secret objects and corresponding guidelines on integrating them into your Anchore Enterprise configuration. ```yaml --- 
@@ -326,22 +302,20 @@ feeds: ### Ingress -[Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. Kubernetes supports a variety of ingress controllers, including AWS ALB controllers and GCE controllers. - -This Helm chart provides basic ingress configuration suitable for customization. You can expose routes for Anchore Enterprise external APIs including the core external API, UI, reporting, RBAC, and feeds by configuring the `ingress:` section in your values file. +[Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) serves as the gateway to expose HTTP and HTTPS routes from outside the Kubernetes cluster to services within it. Routing is governed by rules specified in the Ingress resource. Kubernetes supports a variety of ingress controllers, such as AWS ALB and GCE controllers. -Ingress is disabled by default in the Helm chart. The NGINX ingress controller with the core API and UI routes can be enabled by changing the `ingress.enabled` value to `true`. +This Helm chart includes a foundational ingress configuration that is customizable. You can expose various Anchore Enterprise external APIs, including the core API, UI, reporting, RBAC, and feeds, by editing the `ingress` section in your values file. -Note that the [Kubernetes NGINX ingress controller](https://kubernetes.github.io/ingress-nginx/) must be installed into the cluster for this configuration to work. +Ingress is disabled by default in this Helm chart. To enable it, along with the [NGINX ingress controller](https://kubernetes.github.io/ingress-nginx/) for core API and UI routes, set the `ingress.enabled` value to `true`. 
```yaml ingress: enabled: true ``` -### Configuring The ALB Ingress Controller +#### ALB Ingress Controller -Note that the [Kubernetes ALB ingress controller](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) must be installed into the cluster for this configuration to work. +The [Kubernetes ALB ingress controller](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) must be installed into the cluster for this configuration to work. ```yaml ingress: @@ -367,7 +341,7 @@ ui: #### GCE Ingress Controller -Note that the [Kubernetes GCE ingress controller](https://cloud.google.com/kubernetes-engine/docs/concepts/ingress) must be installed into the cluster for this configuration to work. +The [Kubernetes GCE ingress controller](https://cloud.google.com/kubernetes-engine/docs/concepts/ingress) must be installed into the cluster for this configuration to work. ```yaml ingress: @@ -405,7 +379,7 @@ anchoreConfig: ### Prometheus Metrics -Anchore Enterprise supports exporting Prometheus metrics from each container. +Anchore Enterprise offers native support for exporting Prometheus metrics from each of its containers. When this feature is enabled, each service exposes metrics via its existing service port. If you're adding Prometheus manually to your deployment, you'll need to configure it to recognize each pod and its corresponding ports. ```yaml anchoreConfig: 
@@ -414,16 +388,13 @@ anchoreConfig: auth_disabled: true ``` -When enabled, each service provides metrics over its existing service port, so your Prometheus deployment will need to -know about each pod and the ports it provides. You'll need to know this if adding Prometheus manually to your deployment. - -If using the [Prometheus operator](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md), a ServiceMonitor can be deployed into your cluster (in same namespace as your Anchore Enterprise release) and the Prometheus operator will start scraping the configured endpoints for metrics. +For those using the [Prometheus operator](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md), a ServiceMonitor can be deployed within the same namespace as your Anchore Enterprise release. Once deployed, the Prometheus operator will automatically begin scraping the pre-configured endpoints for metrics. #### Example ServiceMonitor Configuration The `targetPort` values in this example use the default Anchore Enterprise service ports. -Note that you will require a ServiceAccount for Prometheus (referenced in the Prometheus configuration below). +You will require a ServiceAccount for Prometheus (referenced in the Prometheus configuration below). ```yaml --- @@ -501,9 +472,7 @@ spec: ### Scaling Individual Services -Anchore Enterprise services can be scaled by adjusting replica counts. - -To set a specific number of service containers: +Anchore Enterprise services can be scaled by adjusting replica counts: ```yaml analyzer: 
@@ -513,23 +482,15 @@ policyEngine: replicaCount: 3 ``` -To update the number in a running configuration: - -```shell -export RELEASE="YOUR-RELEASE-NAME" - -helm upgrade --set analyzer.replicaCount=2 ${RELEASE} anchore/enterprise -f anchore_values.yaml -``` - -Contact [Anchore Support](https://get.anchore.com/contact/) for assistance in scaling and tuning your Anchore Enterprise installation. +> **Note:** Contact [Anchore Support](https://get.anchore.com/contact/) for assistance in scaling and tuning your Anchore Enterprise installation. ### Using TLS Internally -Communication between Anchore Enterprise services can be configured with TLS. See the [Anchore TLS](https://docs.anchore.com/current/docs/configuration/tls_ssl/) documentation for more information. +Anchore Enterprise supports TLS for secure communication between its services. For detailed configuration steps, refer to the [Anchore TLS documentation](https://docs.anchore.com/current/docs/configuration/tls_ssl/). -A Kubernetes secret needs to be created in the same namespace as the chart installation. This secret should contain all custom certificates, including CA certificates and any certificates used for internal TLS communication. +To implement this, create a Kubernetes secret in the same namespace where the Helm chart is installed. This secret should encapsulate all custom certificates, including CA certificates and those used for internal TLS communication. -This secret will be mounted to all Anchore Enterprise containers at `/home/anchore/certs`. The Anchore Enterprise entrypoint script configures all certificates found in `/home/anchore/certs` along with the operating system's default CA bundle. +The Kubernetes secret will be mounted into all Anchore Enterprise containers at the path `/home/anchore/certs`. Anchore Enterprise's entrypoint script will auto-configure all certificates located in this directory, supplementing them with the operating system's default CA bundle. ```yaml --- 
@@ -560,22 +521,20 @@ certStoreSecretName: anchore-tls-certs anchoreConfig: database: timeout: 120 - # Use SSL, but the default Postgres config in helm's stable repo does not support SSL on server side, so this should be set for external DBs only. - # All SSL dbConfig values are only utilized when ssl=true ssl: true sslMode: verify-full # sslRootCertName is the name of the Postgres root CA certificate stored in certStoreSecretName sslRootCertFileName: rds-combined-ca-cert-bundle.pem internalServicesSSL: - # Set internalServicesSSL.enabled to true to force all Enterprise services to use SSL for internal communication enabled: true - # Specify whether cert is verfied against the local certifacte bundle (If set to false, self-signed certs are allowed) + # Specify whether cert is verified against the local certificate bundle (If set to false, self-signed certs are allowed) verifyCerts: true certSecretKeyFileName: internal-cert-key.pem certSecretCertFileName: internal-cert.pem ui: + # Specify an LDAP CA cert if using LDAP authenication ldapsRootCaCertName: ldap-combined-ca-cert-bundle.pem ``` 
@@ -593,39 +552,42 @@ See the [Anchore Reports](https://docs.anchore.com/current/docs/configuration/re ### Installing on Openshift -As of August 2nd, 2023, helm does not support passing `null` values to child/dependency charts. See the [helm issue](https://github.com/helm/helm/issues/9027) for more details. With the feeds chart being a dependency, you will need to deploy the `feeds` chart as a standalone chart and point the `enterprise` deployment to the standalone feeds deployment. Also note that you need to disable or set the appropriate values for the containerSecurityContext, runAsUser, and fsGroup for ui-redis and any postgres db you're using the enteprise chart to deploy (eg. postgresql.chartEnabled or feeds-db.chartEnabled). +As of August 2, 2023, Helm does not offer native support for passing `null` values to child or dependency charts. For details, refer to this [Helm GitHub issue](https://github.com/helm/helm/issues/9027). Given that the `feeds` chart is a dependency, a workaround is to deploy it as a standalone chart and configure the `enterprise` deployment to point to this separate `feeds` deployment. + +Additionally, be aware that you'll need to either disable or properly set the parameters for `containerSecurityContext`, `runAsUser`, and `fsGroup` for the `ui-redis` and any PostgreSQL database that you deploy using the Enterprise chart (e.g., via `postgresql.chartEnabled` or `feeds-db.chartEnabled`). For example: -1. deploy feeds chart as a standalone deployment -```shell -helm install feedsy anchore/feeds \ - --set securityContext.fsGroup=null \ - --set securityContext.runAsGroup=null \ - --set securityContext.runAsUser=null \ - --set feeds-db.primary.containerSecurityContext.enabled=false \ - --set feeds-db.primary.podSecurityContext.enabled=false -``` +1. **deploy feeds chart as a standalone deployment:** -2. deploy the enterprise chart with appropriate values -```shell -helm install anchore . 
\ - --set securityContext.fsGroup=null \ - --set securityContext.runAsGroup=null \ - --set securityContext.runAsUser=null \ - --set feeds.chartEnabled=false \ - --set feeds.url=feedsy-feeds \ - --set postgresql.primary.containerSecurityContext.enabled=false \ - --set postgresql.primary.podSecurityContext.enabled=false \ - --set ui-redis.master.podSecurityContext.enabled=false \ - --set ui-redis.master.containerSecurityContext.enabled=false -``` + ```shell + helm install my-release anchore/feeds \ + --set securityContext.fsGroup=null \ + --set securityContext.runAsGroup=null \ + --set securityContext.runAsUser=null \ + --set feeds-db.primary.containerSecurityContext.enabled=false \ + --set feeds-db.primary.podSecurityContext.enabled=false + ``` + +1. **deploy the enterprise chart with appropriate values:** + + ```shell + helm install anchore . \ + --set securityContext.fsGroup=null \ + --set securityContext.runAsGroup=null \ + --set securityContext.runAsUser=null \ + --set feeds.chartEnabled=false \ + --set feeds.url=my-release-feeds \ + --set postgresql.primary.containerSecurityContext.enabled=false \ + --set postgresql.primary.podSecurityContext.enabled=false \ + --set ui-redis.master.podSecurityContext.enabled=false \ + --set ui-redis.master.containerSecurityContext.enabled=false + ``` -Note: disabling the containerSecurityContext and podSecurityContext may not be suitable for production. See [Redhat's documentation](https://docs.openshift.com/container-platform/4.13/authentication/managing-security-context-constraints.html#managing-pod-security-policies) on what may be suitable for production. + > **Note:** disabling the containerSecurityContext and podSecurityContext may not be suitable for production. See [Redhat's documentation](https://docs.openshift.com/container-platform/4.13/authentication/managing-security-context-constraints.html#managing-pod-security-policies) on what may be suitable for production. 
For more information on the openshift.io/sa.scc.uid-range annotation, see the [openshift docs](https://docs.openshift.com/dedicated/authentication/managing-security-context-constraints.html#security-context-constraints-pre-allocated-values_configuring-internal-oauth) -For more information on the openshift.io/sa.scc.uid-range annotation, see the [openshift docs](https://docs.openshift.com/dedicated/authentication/managing-security-context-constraints.html#security-context-constraints-pre-allocated-values_configuring-internal-oauth) +#### Example Openshift values file -#### Example Openshift values file: ```yaml # NOTE: This is not a production ready values file for an openshift deployment. @@ -635,7 +597,7 @@ securityContext: runAsUser: null feeds: chartEnabled: false - url: feedsy-feeds + url: my-release-feeds postgresql: primary: containerSecurityContext: 
@@ -650,6 +612,109 @@ ui-redis: enabled: false ``` +### Migrating to the Anchore Enterprise Helm Chart + +This guide provides steps for transitioning from an Anchore Engine Helm chart deployment to the updated Anchore Enterprise Helm chart, a necessary step for users planning to upgrade to Anchore Enterprise version 5.0.0 or later. + + > :warning: **Warning**: The values file used by the Anchore Enterprise Helm chart is different from the one used by the Anchore Engine Helm chart. Make sure to convert your existing values file accordingly. + +A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts) is available to automate the conversion of your Anchore Engine values file to the new Enterprise format. + +#### Migration Prerequisites + +- **Anchore Version**: Ensure that your current deployment is running Anchore Enterprise version 4.9.0 or higher. + +- **PostgreSQL Version**: You need PostgreSQL version 13 or higher. For upgrading your existing PostgreSQL installation, refer to the official [PostgreSQL documentation](https://www.postgresql.org/docs/13/upgrading.html). + > **Note:** This chart deploys PostgreSQL 13 by default. + +- **Runtime Environment**: Docker or Podman must be installed on the machine where the migration will run. + +#### Step-by-Step Migration Process + +1. **Generate a New Enterprise Values File**: Use the migration script to convert your existing Anchore Engine values file to the new Anchore Enterprise format. This command mounts a local volume to persistently store the output files, and it mounts the input values file within the container for conversion.It's imperative to review both the output and the new [values file](values.yaml) before moving forward. 
+ + ```shell + export VALUES_FILE_NAME=my-values-file.yaml + docker run -v ${PWD}:/tmp -v ${PWD}/${VALUES_FILE_NAME}:/app/${VALUES_FILE_NAME} docker.io/anchore/enterprise-helm-migrator:latest -e /app/${VALUES_FILE_NAME} -d /tmp/output + ``` + +#### If Using an External PostgreSQL Database + +1. **Scale Down Anchore Engine**: To avoid data inconsistency, scale down your existing Anchore Engine deployment to zero replicas. + + ```shell + export ENGINE_RELEASE=my-engine-release + export NAMESPACE=anchore + kubectl scale deployment --replicas=0 -l app=${ENGINE_RELEASE}-anchore-engine -n ${NAMESPACE} + ``` + +1. **Deploy Anchore Enterprise**: Use the converted values file to deploy the new Anchore Enterprise Helm chart. + + ```shell + export ENTERPRISE_RELEASE=my-enterprise-release + export VALUES_FILE_NAME=${PWD}/output/my-values-file.yaml + helm install ${ENTERPRISE_RELEASE} -n ${NAMESPACE} -f ${VALUES_FILE_NAME} --set upgradeJob.force=true anchore/enterprise + ``` + + > **Note:** The `upgradeJob.force` flag is required to force the upgrade job to run upon installation. This value is not needed for future upgrades. + +1. **Verification and Cleanup**: After confirming that the Anchore Enterprise deployment is functional, you can safely uninstall the old Anchore Engine deployment. + + ```shell + helm uninstall ${ENGINE_RELEASE} -n ${NAMESPACE} + ``` + +#### If Using the Dependent PostgreSQL Chart + +1. **Scale Down Anchore Engine**: To avoid data inconsistency, scale down your existing Anchore Engine deployment to zero replicas. + + ```shell + export ENGINE_RELEASE=my-engine-release + export NAMESPACE=anchore + kubectl scale deployment --replicas=0 -l app=${ENGINE_RELEASE}-anchore-engine -n ${NAMESPACE} + ``` + +1. **Deploy Anchore Enterprise**: Use the converted values file to deploy the new Anchore Enterprise Helm chart. 
+ + ```shell + export ENTERPRISE_RELEASE=my-enterprise-release + export VALUES_FILE_NAME=${PWD}/output/my-values-file.yaml + helm install ${ENTERPRISE_RELEASE} -n ${NAMESPACE} -f ${VALUES_FILE_NAME} --set upgradeJob.force=true anchore/enterprise + ``` + +1. **Scale Down Anchore Enterprise**: Before migrating the database, scale down the new Anchore Enterprise deployment to zero replicas. + + ```shell + kubectl scale deployment --replicas=0 -l app=${ENTERPRISE_RELEASE}-enterprise + ``` + +1. **Database Preparation**: Replace the existing Anchore database with a new database in PostgreSQL 13. + + ```shell + export NEW_DB_HOST=${ENTERPRISE_RELEASE}-postgresql + export ANCHORE_DATABASE_NAME=anchore + dropdb -h ${NEW_DB_HOST} -U ${PGUSER} ${ANCHORE_DATABASE_NAME}; psql -h ${NEW_DB_HOST} -c 'CREATE DATABASE ${ANCHORE_DATABASE_NAME}' + ``` + +1. **Data Migration**: Migrate data from the old Anchore Engine database to the new Anchore Enterprise database. + + ```shell + export OLD_PG_DB_HOST=${ENGINE_RELEASE}-postgresql + pg_dump -h ${OLD_PG_DB_HOST} -c ${ANCHORE_DATABASE_NAME} | psql -h ${NEW_DB_HOST} ${ANCHORE_DATABASE_NAME} + ``` + +1. **Upgrade Anchore Enterprise**: After migrating the data, upgrade the Anchore Enterprise Helm deployment. + + ```shell + helm upgrade ${ENTERPRISE_RELEASE} -n ${NAMESPACE} -f ${VALUES_FILE_NAME} anchore/enterprise + ``` + +1. **Final Verification and Cleanup**: After ensuring the new deployment is operational, uninstall the old Anchore Engine deployment. + + ```shell + helm uninstall ${ENGINE_RELEASE} -n ${NAMESPACE} + ``` + ## Parameters ### Common Resource Parameters 
@@ -1050,12 +1115,11 @@ ui-redis: ## Release Notes -See the Anchore [Release Notes](https://docs.anchore.com/current/docs/releasenotes/) for updates to Anchore Enterprise. - -A major chart version change (v0.1.2 -> v1.0.0) indicates that there is an **incompatible breaking change needing manual actions.** +For the latest updates and features in Anchore Enterprise, see the official [Release Notes](https://docs.anchore.com/current/docs/releasenotes/). -A minor chart version change (v0.1.2 -> v0.2.0) indicates a change that **may require updates to your values file.** +- **Major Chart Version Change (e.g., v0.1.2 -> v1.0.0)**: Signifies an incompatible breaking change that necessitates manual intervention. +- **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a modification that may require adjustments to your values file. -### v0.0.1 +### v0.0.x -* This is a pre-release version of the Anchore Enterprise Helm chart. It is not intended for production use. +- This is a pre-release version of the Anchore Enterprise Helm chart and is not recommended for production deployments. diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 5ccc7be5..13cd5514 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -35,7 +35,7 @@ should render the configmaps: app.kubernetes.io/version: 4.9.1 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.3 + helm.sh/chart: enterprise-0.0.5 name: test-release-enterprise-analyzer namespace: test-namespace 2: | @@ -336,7 +336,7 @@ should render the configmaps: app.kubernetes.io/version: 4.9.1 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.3 + helm.sh/chart: enterprise-0.0.5 name: test-release-enterprise namespace: test-namespace 3: | 
@@ -421,7 +421,7 @@ should render the configmaps: app.kubernetes.io/version: 4.9.1 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.3 + helm.sh/chart: enterprise-0.0.5 name: test-release-enterprise-config-env-vars namespace: test-namespace 4: | @@ -465,7 +465,7 @@ should render the configmaps: app.kubernetes.io/version: 4.9.1 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.3 + helm.sh/chart: enterprise-0.0.5 name: test-release-enterprise-policy-bundles namespace: test-namespace 5: | @@ -486,6 +486,6 @@ should render the configmaps: app.kubernetes.io/version: 4.9.1 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.3 + helm.sh/chart: enterprise-0.0.5 name: test-release-enterprise-ui namespace: test-namespace From 65a00fe489ed44e80f2694c2bf565a3f56f481f0 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Fri, 15 Sep 2023 21:57:00 +0000 Subject: [PATCH 202/329] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .../chart-readme-table-generator.yaml | 7 +- .github/workflows/deploy.yaml | 14 +++- .github/workflows/helm-unittests.yaml | 9 ++- .github/workflows/lint.yaml | 14 +++- .github/workflows/scorecards.yml | 76 +++++++++++++++++++ .github/workflows/test.yaml | 20 +++-- .pre-commit-config.yaml | 14 ++++ scripts/Dockerfile | 2 +- 8 files changed, 141 insertions(+), 15 deletions(-) create mode 100644 .github/workflows/scorecards.yml create mode 100644 .pre-commit-config.yaml diff --git a/.github/workflows/chart-readme-table-generator.yaml b/.github/workflows/chart-readme-table-generator.yaml index 10aef747..a7bdd087 100644 --- a/.github/workflows/chart-readme-table-generator.yaml +++ b/.github/workflows/chart-readme-table-generator.yaml 
@@ -23,11 +23,16 @@ jobs: permissions: contents: write steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + egress-policy: audit + - name: Install readme-generator-for-helm run: npm install -g @bitnami/readme-generator-for-helm - name: Checkout charts - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: path: ${{ github.repository }} ref: ${{github.event.pull_request.head.ref}} diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 38a6bc15..4d16306a 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -5,16 +5,26 @@ on: branches: - main +permissions: + contents: read + jobs: release: + permissions: + contents: write # for helm/chart-releaser-action to push chart release and create a release env: REPO: "${{ github.repository }}" REPO_NAME: "${{ github.event.repository.name }}" TARGET_BRANCH: "${{ github.event.pull_request.base.ref }}" runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Fetch history run: git fetch --prune --unshallow @@ -30,7 +40,7 @@ jobs: helm repo add bitnami https://charts.bitnami.com/bitnami - name: Run chart-releaser - uses: helm/chart-releaser-action@v1.5.0 + uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0 with: charts_dir: stable charts_repo_url: https://charts.anchore.io diff --git a/.github/workflows/helm-unittests.yaml b/.github/workflows/helm-unittests.yaml index c300f467..cd93e8ec 100644 --- a/.github/workflows/helm-unittests.yaml +++ b/.github/workflows/helm-unittests.yaml 
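Review bot: The `npm install -g @bitnami/readme-generator-for-helm` step immediately below the new Harden Runner step still resolves to whatever is latest on the registry at run time, so this commit pins every action to a commit SHA but leaves the one executable dependency of the job unpinned. Pin it to an exact version, `run: npm install -g @bitnami/readme-generator-for-helm@<pinned-version>`, and bump it deliberately the same way the action SHAs are bumped. This job carries `contents: write` and checks out `${{github.event.pull_request.head.ref}}`, so the generator runs over PR-controlled chart files with a write token; the trigger is outside the hunk, and if it is `pull_request_target` this is the pwn-request shape and the checkout and generator run should move to a job without write permissions. `egress-policy: audit` only records outbound connections; after a baseline run, switch to `egress-policy: block` with an `allowed-endpoints` list so an unexpected registry or host is refused rather than logged.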
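Review bot: `actions/checkout@ee0669bd… # v2.7.0` pins the old major line for the release job while chart-readme-table-generator and helm-unittests in the same commit pin `f43a0e5f… # v3.6.0`; two majors of one action means two SHAs to track and keeps the older action runtime on the job that publishes releases. Pin the same SHA here, `uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0`, and the separate `git fetch --prune --unshallow` step can become `with: fetch-depth: 0` if nothing else relies on a shallow clone. The job-level `contents: write` with its explanatory comment is the right shape now that the workflow default is `contents: read`. `egress-policy: audit` on this job only logs; since this is the job that pushes to the chart repository, it is the first candidate for `egress-policy: block` with `allowed-endpoints` once the audit output has been reviewed.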
@@ -19,8 +19,13 @@ jobs: TARGET_BRANCH: "${{ github.event.pull_request.base.ref }}" runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + egress-policy: audit + - name: Checkout charts - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: path: ${{ github.repository }} ref: ${{github.event.pull_request.head.ref}} @@ -28,7 +33,7 @@ jobs: token: ${{ secrets.CI_WRITE_GITHUB_TOKEN }} - name: Set up Helm - uses: azure/setup-helm@v3 + uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 with: version: v3.8.0 diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 1311620e..c2350bd6 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -3,23 +3,31 @@ name: "Lint changed charts using chart-testing tool" on: - pull_request +permissions: + contents: read + jobs: lint: strategy: fail-fast: false runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Fetch history run: git fetch --prune --unshallow - name: Shellcheck - uses: ludeeus/action-shellcheck@2.0.0 + uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0 - name: Set up chart-testing - uses: helm/chart-testing-action@v2.4.0 + uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76 # v2.4.0 - name: Run chart-testing (list-changed) id: list-changed diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml new file mode 100644 index 00000000..9b19fb65 --- /dev/null +++ b/.github/workflows/scorecards.yml 
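Review bot: The checkout step, now pinned to v3.6.0, still checks out `${{github.event.pull_request.head.ref}}` with `token: ${{ secrets.CI_WRITE_GITHUB_TOKEN }}`, and because `persist-credentials` defaults to true that PAT is written into `.git/config` and remains readable by every later step that renders and tests the PR's chart templates. Unless a later step (outside this hunk) pushes with that token, add `persist-credentials: false` under `with:`; if a push is required, check out the PR head without the write token and do the push in a separate job with its own minimal checkout. The workflow trigger is also outside the hunk: if it is `pull_request_target`, executing PR-controlled content with a write PAT on disk is the pattern that lets a fork take over the repository, and the PAT should not be present in this job at all. `egress-policy: audit` would log, not stop, exfiltration of that token.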
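Review bot: This job runs on `pull_request` (context at the top of the hunk), so the chart-testing steps further down — outside this hunk, but presumably `ct lint`, which builds chart dependencies from repository URLs declared in the PR's `Chart.yaml` — operate on fork-supplied input, and `egress-policy: audit` only records where that build reaches out. `egress-policy: block` with `allowed-endpoints` (github.com, api.github.com, charts.bitnami.com and whichever other chart repositories the charts legitimately declare) is what prevents a malicious dependency URL from being fetched; a couple of runs in audit mode yield the endpoint list. Separately, `actions/checkout@ee0669bd… # v2.7.0` pins the old major here while the other workflows in this commit pin `f43a0e5f… # v3.6.0`; use the same SHA so one version is tracked across the repository.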
@@ -0,0 +1,76 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '20 7 * * 2'
+ push:
+ branches: ["main"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ contents: read
+ actions: read
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ with:
+ egress-policy: audit
+
+ - name: "Checkout code"
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecards on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@04daf014b50eaf774287bf3f0f1869d4b4c4b913 # v2.21.7
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index e2abf54e..968fb460 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -2,6 +2,9 @@ name: "Test using kind and chart-testing tool"
 on:
 - pull_request
+permissions:
+ contents: read
+
 jobs:
 test:
 strategy:
@@ -10,26 +13,31 @@ jobs:
 kubernetesVersion: ["v1.23.17", "v1.24.15", "v1.25.11", "v1.26.6", "v1.27.3"]
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+ with:
+ egress-policy: audit
+
 - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Fetch history
 run: git fetch --prune --unshallow
 - name: Shellcheck
- uses: ludeeus/action-shellcheck@2.0.0
+ uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
- - uses: actions/setup-python@v2
+ - uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2.3.4
 with:
 python-version: 3.7
 - name: Set up Helm
- uses: azure/setup-helm@v3
+ uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
 with:
 version: v3.8.0
 - name: Set up chart-testing
- uses: helm/chart-testing-action@v2.4.0
+ uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76 # v2.4.0
 - name: Run chart-testing (list-changed)
 id: list-changed
@@ -46,7 +54,7 @@ jobs:
 - name: Install kind
 if: steps.list-changed.outputs.CHANGED == 'true'
- uses: helm/kind-action@v1.8.0
+ uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
 with:
 node_image: "kindest/node:${{ matrix.kubernetesVersion }}"
 config: kind-config.yaml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 00000000..d8562a43
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,14 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+ rev: v8.16.3
+ hooks:
+ - id: gitleaks
+- repo: https://github.com/jumanjihouse/pre-commit-hooks
+ rev: 3.0.0
+ hooks:
+ - id: shellcheck
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
diff --git a/scripts/Dockerfile b/scripts/Dockerfile
index d29166ff..02266e32 100644
--- a/scripts/Dockerfile
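Review bot: `python-version: 3.7` is left as an unquoted YAML float in the context of the setup-python step; it happens to round-trip for 3.7, but the same form turns 3.10 into 3.1, so quote it now as `python-version: "3.7"` so the next bump cannot silently select the wrong interpreter. Python 3.7 also reached end-of-life in June 2023 and no longer receives security fixes, which deserves a follow-up separate from this pinning commit. The job's `steps:` list continues outside the hunk.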
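Review bot: The new `.pre-commit-config.yaml` pins every hook repo by tag (`rev: v8.16.3`, `rev: 3.0.0`, `rev: v4.4.0`) while the same commit moves all GitHub Actions to commit SHAs; tags are mutable refs, so the hooks that run on every developer machine keep the weaker pin. pre-commit accepts a full commit SHA in `rev`, so pin each hook the same way and keep the tag as a trailing comment, e.g. `rev: <COMMIT_SHA_FOR_v8.16.3>  # v8.16.3` (placeholder). Quoting the revs would also remove the dependence on `3.0.0` having two dots to be read as a string rather than a number.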
+++ b/scripts/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3
+FROM python:3@sha256:cc7372fe4746ca323f18c6bd0d45dadf22d192756abc5f73e39f9c7f10cba5aa
 WORKDIR /app
From a5be71c072f930376e43e6bb388cdf214827a618 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Fri, 15 Sep 2023 12:06:36 -0700
Subject: [PATCH 203/329] use feeds service for grypedb external_url (#124) * use localhost for grypedb external_url instead of service * update unittest snapshots * Remove feeds_ prefix from all resource templates This prefix was causing unit tests to fail. I couldn't figure out how to get the tests passing while keeping the prefix. Since it was redundant in this chart I decided the easiest course of action was to rename all the template files. ---------
Signed-off-by: Brady Todhunter
---
 stable/feeds/Chart.yaml | 2 +- stable/feeds/README.md | 2 +- .../templates/anchore_vars_configmap.yaml | 2 +- .../{feeds_configmap.yaml => configmap.yaml} | 0 ...{feeds_deployment.yaml => deployment.yaml} | 4 +- .../templates/{feeds_pvc.yaml => pvc.yaml} | 0 .../{feeds_secret.yaml => secret.yaml} | 0 .../__snapshot__/configmap_test.yaml.snap | 2 +- stable/feeds/tests/common_helpers_test.yaml | 92 +++++++++---------- stable/feeds/tests/configmap_test.yaml | 2 +- stable/feeds/tests/feeds_resources_test.yaml | 48 +++++----- 11 files changed, 77 insertions(+), 77 deletions(-) rename stable/feeds/templates/{feeds_configmap.yaml => configmap.yaml} (100%) rename stable/feeds/templates/{feeds_deployment.yaml => deployment.yaml} (98%) rename stable/feeds/templates/{feeds_pvc.yaml => pvc.yaml} (100%) rename stable/feeds/templates/{feeds_secret.yaml => secret.yaml} (100%)
diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml
index 2f5f2c4d..136e86ca 100644
--- a/stable/feeds/Chart.yaml
+++ b/stable/feeds/Chart.yaml
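Review bot: Once a digest is present Docker ignores the `3` tag, so the new `FROM python:3@sha256:cc7372…` line no longer tells a reader which Python release the migration image is built on. Record the resolved tag as a trailing comment, `FROM python:3@sha256:cc7372fe4746ca323f18c6bd0d45dadf22d192756abc5f73e39f9c7f10cba5aa # <RESOLVED_TAG> (placeholder)`, which is also the form Dependabot and Renovate update alongside the digest.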
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: feeds
 type: application
-version: "0.0.3"
+version: "0.0.4"
 appVersion: "4.9.1"
 kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x
 description: Anchore feeds service
diff --git a/stable/feeds/README.md b/stable/feeds/README.md
index 854c537e..5ee239cb 100644
--- a/stable/feeds/README.md
+++ b/stable/feeds/README.md
@@ -382,6 +382,6 @@ A major chart version change (v0.1.2 -> v1.0.0) indicates that there is an **inc
 A minor chart version change (v0.1.2 -> v0.2.0) indicates a change that **may require updates to your values file.**
-### v0.0.1
+### v0.0.x
 * This is a pre-release version of the Anchore Enterprise Helm chart. It is not intended for production use.
diff --git a/stable/feeds/templates/anchore_vars_configmap.yaml b/stable/feeds/templates/anchore_vars_configmap.yaml
index 11cf9cfd..02ddc0cb 100644
--- a/stable/feeds/templates/anchore_vars_configmap.yaml
+++ b/stable/feeds/templates/anchore_vars_configmap.yaml
@@ -53,7 +53,7 @@ data:
 ANCHORE_FEEDS_DRIVER_UBUNTU_URL: "https://git.launchpad.net/ubuntu-cve-tracker"
 ANCHORE_FEEDS_DRIVER_UBUNTU_BRANCH: "master"
 ANCHORE_FEEDS_DRIVER_WOLFI_ENABLED: "true"
- ANCHORE_FEEDS_EXTERNAL_URL: "null"
+ ANCHORE_FEEDS_EXTERNAL_URL: "{{ printf "http://localhost:%s/v2/" (.Values.service.port | toString) }}"
 ANCHORE_FEEDS_LOCAL_WORKSPACE: "{{ .Values.persistence.mountPath }}"
 ANCHORE_FEEDS_GRYPEDB_PRELOAD_ENABLED: "true"
 ANCHORE_FEEDS_GRYPEDB_PRELOAD_PATH: "/preload/grype-db-workspace.tar.gz"
diff --git a/stable/feeds/templates/feeds_configmap.yaml b/stable/feeds/templates/configmap.yaml
similarity index 100%
rename from stable/feeds/templates/feeds_configmap.yaml
rename to stable/feeds/templates/configmap.yaml
diff --git a/stable/feeds/templates/feeds_deployment.yaml b/stable/feeds/templates/deployment.yaml
similarity index 98%
rename from stable/feeds/templates/feeds_deployment.yaml
rename to stable/feeds/templates/deployment.yaml
index b0a30cf6..9176f83d 100644
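Review bot: The new `ANCHORE_FEEDS_EXTERNAL_URL` value hard-codes the `http://` scheme, while the feeds chart carries an `anchoreConfig.internalServicesSSL.enabled` switch (it is exercised by the deployment tests further down this patch), so with internal TLS on the service would presumably advertise a plaintext URL for itself; confirm against what the listener actually serves. If the scheme should follow that switch: `ANCHORE_FEEDS_EXTERNAL_URL: {{ printf "%s://localhost:%s/v2/" (ternary "https" "http" .Values.anchoreConfig.internalServicesSSL.enabled) (.Values.service.port | toString) | quote }}`. Ending with `| quote` also removes the double quotes nested inside double quotes on the current line, which Helm renders correctly but which stops YAML-aware linters and editors from parsing the template. The `data:` mapping continues outside the hunk.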
--- a/stable/feeds/templates/feeds_deployment.yaml
+++ b/stable/feeds/templates/deployment.yaml
@@ -16,9 +16,9 @@ spec:
 labels: {{- include "feeds.common.labels" . | nindent 8 }}
 annotations: {{- include "feeds.common.annotations" (merge (dict "nil" true) .) | nindent 8 }}
 {{- if not .Values.injectSecretsViaEnv }}
- checksum/secrets: {{ include (print $.Template.BasePath "/feeds_secret.yaml") . | sha256sum }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
 {{- end }}
- checksum/feeds-config: {{ include (print $.Template.BasePath "/feeds_configmap.yaml") . | sha256sum }}
+ checksum/feeds-config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
 spec:
 {{- with .Values.securityContext }}
 securityContext: {{- toYaml . | nindent 8 }}
diff --git a/stable/feeds/templates/feeds_pvc.yaml b/stable/feeds/templates/pvc.yaml
similarity index 100%
rename from stable/feeds/templates/feeds_pvc.yaml
rename to stable/feeds/templates/pvc.yaml
diff --git a/stable/feeds/templates/feeds_secret.yaml b/stable/feeds/templates/secret.yaml
similarity index 100%
rename from stable/feeds/templates/feeds_secret.yaml
rename to stable/feeds/templates/secret.yaml
diff --git a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap
index a251d90c..5a26f34b 100644
--- a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap
+++ b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap
@@ -127,6 +127,6 @@ should render the configmaps:
 app.kubernetes.io/version: 4.9.1
 bar: baz-label
 foo: bar-label
- helm.sh/chart: feeds-0.0.3
+ helm.sh/chart: feeds-0.0.4
 name: test-release-feeds
 namespace: test-namespace
diff --git a/stable/feeds/tests/common_helpers_test.yaml b/stable/feeds/tests/common_helpers_test.yaml
index 94750df6..26291ef1 100644
--- a/stable/feeds/tests/common_helpers_test.yaml
+++ b/stable/feeds/tests/common_helpers_test.yaml
@@ -1,10 +1,10 @@
 suite: Common Helper Template Tests
 templates:
 - anchore_vars_configmap.yaml
- - feeds_configmap.yaml
- - feeds_deployment.yaml
- - feeds_pvc.yaml
- - feeds_secret.yaml
+ - configmap.yaml
+ - deployment.yaml
+ - pvc.yaml
+ - secret.yaml
 - ingress.yaml
 - templates/hooks/pre-upgrade/upgrade_rbac.yaml
 - templates/hooks/pre-upgrade/upgrade_job.yaml
@@ -18,10 +18,10 @@ chart:
 test_templates: &test_templates
 - anchore_vars_configmap.yaml
- - feeds_configmap.yaml
- - feeds_deployment.yaml
- - feeds_pvc.yaml
- - feeds_secret.yaml
+ - configmap.yaml
+ - deployment.yaml
+ - pvc.yaml
+ - secret.yaml
 - templates/hooks/pre-upgrade/upgrade_rbac.yaml
 - templates/hooks/pre-upgrade/upgrade_job.yaml
@@ -45,7 +45,7 @@ tests:
 bar: baz
 - it: should render file checksum/secret annotation
- template: feeds_deployment.yaml
+ template: deployment.yaml
 documentIndex: 0
 asserts:
 - exists:
@@ -72,7 +72,7 @@ tests:
 - it: should render docker entrypoint with no doSourceAtEntry filePaths
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - matchRegex:
@@ -81,7 +81,7 @@ tests:
 - it: should render docker entrypoint with doSourceAtEntry and no filePaths
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 set:
 doSourceAtEntry.enabled: true
@@ -92,7 +92,7 @@ tests:
 - it: should render docker entrypoint with doSourceAtEntry and some filePaths
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 set:
 doSourceAtEntry.enabled: true
@@ -104,7 +104,7 @@ tests:
 - it: should render envFrom without an existing secret
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 - templates/hooks/pre-upgrade/upgrade_job.yaml
 documentIndex: 0
 asserts:
@@ -122,7 +122,7 @@ tests:
 useExistingSecrets: true
 existingSecretName: "myExistingSecretName"
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 - templates/hooks/pre-upgrade/upgrade_job.yaml
 documentIndex: 0
 asserts:
@@ -141,7 +141,7 @@ tests:
 useExistingSecrets: true
 existingSecretName: "myExistingSecretName"
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 - templates/hooks/pre-upgrade/upgrade_job.yaml
 documentIndex: 0
 asserts:
@@ -156,7 +156,7 @@ tests:
 - it: should render correct environment variables when extraEnv is set
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 - templates/hooks/pre-upgrade/upgrade_job.yaml
 documentIndex: 0
 set:
@@ -186,7 +186,7 @@ tests:
 - it: should render clouddsql container for all deployments and default upgrade job
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 - templates/hooks/pre-upgrade/upgrade_job.yaml
 documentIndex: 0
 set:
@@ -205,7 +205,7 @@ tests:
 - it: should render clouddsql container and extraArgs for all deployments and default upgrade job
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 - templates/hooks/pre-upgrade/upgrade_job.yaml
 documentIndex: 0
 set:
@@ -232,7 +232,7 @@ tests:
 - it: should render clouddsql container, additional arg, and volumeMount when useExistingServiceAcc is true for all deployments and default upgrade job
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 - templates/hooks/pre-upgrade/upgrade_job.yaml
 documentIndex: 0
 set:
@@ -276,7 +276,7 @@ tests:
 scratchVolume.fixGroupPermissions: true
 securityContext.fsGroup: 9999
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - contains:
@@ -295,7 +295,7 @@ tests:
 scratchVolume.fixGroupPermissions: false
 securityContext.fsGroup: 9999
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - notExists:
@@ -303,7 +303,7 @@ tests:
 - it: should render liveness probe
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - isSubset:
@@ -317,7 +317,7 @@ tests:
 - it: should render readiness probe
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - isSubset:
@@ -332,7 +332,7 @@ tests:
 set:
 securityContext.runAsUser: 9999
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - isSubset:
@@ -346,7 +346,7 @@ tests:
 set:
 serviceAccountName: myServiceAccountName
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - equal:
@@ -355,7 +355,7 @@ tests:
 - it: should not render pod serviceAccountName if not defined
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - notExists:
@@ -363,7 +363,7 @@ tests:
 - it: should render imagePullSecretName
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - equal:
@@ -374,7 +374,7 @@ tests:
 set:
 imagePullSecretName: mysecret
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - equal:
@@ -386,7 +386,7 @@ tests:
 containerSecurityContext.runAsUser: 9999
 containerSecurityContext.runAsGroup: 9998
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - isSubset:
@@ -397,7 +397,7 @@ tests:
 - it: should not render container security contexts if none set
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - notExists:
@@ -405,7 +405,7 @@ tests:
 - it: should render the rbacAuthContainer
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - contains:
@@ -421,7 +421,7 @@ tests:
 - it: should render volumeMounts
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - contains:
@@ -451,7 +451,7 @@ tests:
 mountPath: /my/other/path
 subPath: my-other-subpath
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - contains:
@@ -481,7 +481,7 @@ tests:
 set:
 certStoreSecretName: mycerts
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - contains:
@@ -509,7 +509,7 @@ tests:
 - name: my-volume-two
 emptyDir: {}
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - contains:
@@ -535,7 +535,7 @@ tests:
 - it: should render global volumes anchore-license, and config-volume
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - contains:
@@ -567,7 +567,7 @@ tests:
 set:
 fullnameOverride: my-fullname-override
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 1
 asserts:
 - matchRegex:
@@ -578,16 +578,16 @@ tests:
 set:
 nameOverride: my-name-override
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 1
 asserts:
 - matchRegex:
 path: spec.selector["app.kubernetes.io/name"]
 pattern: ^test-release-my-name-override
- - it: should render dbHostname for feeds_secret.yaml
+ - it: should render dbHostname for secret.yaml
 templates:
- - feeds_secret.yaml
+ - secret.yaml
 documentIndex: 0
 asserts:
 - isSubset:
@@ -634,7 +634,7 @@ tests:
 cloudsql:
 enabled: true
 templates:
- - feeds_secret.yaml
+ - secret.yaml
 documentIndex: 0
 asserts:
 - isSubset:
@@ -654,7 +654,7 @@ tests:
 externalEndpoint: my-endpoint
 enabled: false
 templates:
- - feeds_secret.yaml
+ - secret.yaml
 documentIndex: 0
 asserts:
 - isSubset:
@@ -671,7 +671,7 @@ tests:
 cloudsql:
 enabled: true
 templates:
- - feeds_secret.yaml
+ - secret.yaml
 documentIndex: 0
 asserts:
 - isSubset:
@@ -689,7 +689,7 @@ tests:
 cloudsql:
 enabled: false
 templates:
- - feeds_secret.yaml
+ - secret.yaml
 documentIndex: 0
 asserts:
 - isSubset:
@@ -703,7 +703,7 @@ tests:
 set:
 anchoreConfig.internalServicesSSL.enabled: true
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - isSubset:
@@ -715,7 +715,7 @@ tests:
 set:
 anchoreConfig.internalServicesSSL.enabled: false
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - isSubset:
diff --git a/stable/feeds/tests/configmap_test.yaml b/stable/feeds/tests/configmap_test.yaml
index 1ea291e7..29e84833 100644
--- a/stable/feeds/tests/configmap_test.yaml
+++ b/stable/feeds/tests/configmap_test.yaml
@@ -1,6 +1,6 @@
 suite: ConfigMap Tests
 templates:
- - templates/feeds_configmap.yaml
+ - configmap.yaml
 values:
 - values.yaml
 release:
diff --git a/stable/feeds/tests/feeds_resources_test.yaml b/stable/feeds/tests/feeds_resources_test.yaml
index 229841f9..f71f03d5 100644
--- a/stable/feeds/tests/feeds_resources_test.yaml
+++ b/stable/feeds/tests/feeds_resources_test.yaml
@@ -1,8 +1,8 @@
 suite: Feeds Resources Tests
 templates:
- - feeds_deployment.yaml
- - feeds_secret.yaml
- - feeds_configmap.yaml
+ - deployment.yaml
+ - secret.yaml
+ - configmap.yaml
 release:
 name: test-release
 namespace: test-namespace
@@ -14,7 +14,7 @@ values:
 tests:
 - it: should render a valid feeds config file
- template: feeds_configmap.yaml
+ template: configmap.yaml
 asserts:
 - matchRegex:
 path: data["config.yaml"]
@@ -27,7 +27,7 @@ tests:
 value: test-release-feeds
 - it: should render component labels
- template: feeds_deployment.yaml
+ template: deployment.yaml
 documentIndex: 0
 asserts:
 - isSubset:
@@ -43,7 +43,7 @@ tests:
 - it: should render component annotations
 templates:
- - feeds_deployment.yaml
+ - deployment.yaml
 documentIndex: 0
 asserts:
 - isSubset:
@@ -58,7 +58,7 @@ tests:
 bar: "baz-annotation"
 - it: should render component matchLabels
- template: feeds_deployment.yaml
+ template: deployment.yaml
 documentIndex: 0
 asserts:
 - isSubset:
@@ -68,7 +68,7 @@ tests:
 app.kubernetes.io/component: feeds
 - it: should render component serviceAccountName
- template: feeds_deployment.yaml
+ template: deployment.yaml
 documentIndex: 0
 set:
 serviceAccountName: feeds-test
@@ -78,7 +78,7 @@ tests:
 value: feeds-test
 - it: should render component nodeSelector
- template: feeds_deployment.yaml
+ template: deployment.yaml
 documentIndex: 0
 set:
 nodeSelector:
@@ -90,7 +90,7 @@ tests:
 feeds: test
 - it: should render component affinity
- template: feeds_deployment.yaml
+ template: deployment.yaml
 documentIndex: 0
 set:
 affinity:
@@ -102,7 +102,7 @@ tests:
 feeds: test
 - it: should render component tolerations
- template: feeds_deployment.yaml
+ template: deployment.yaml
 documentIndex: 0
 set:
 tolerations:
@@ -121,7 +121,7 @@ tests:
 count: 1
 - it: should render scratch volume as emptyDir by default
- template: feeds_deployment.yaml
+ template: deployment.yaml
 documentIndex: 0
 asserts:
 - contains:
@@ -132,7 +132,7 @@ tests:
 count: 1
 - it: should render scratch volume using details from values
- template: feeds_deployment.yaml
+ template: deployment.yaml
 documentIndex: 0
 set:
 scratchVolume.details:
@@ -149,8 +149,8 @@ tests:
 type: Directory
 count: 1
- - it: should render feeds_configmap volume
- template: feeds_deployment.yaml
+ - it: should render configmap volume
+ template: deployment.yaml
 documentIndex: 0
 asserts:
 - contains:
@@ -175,7 +175,7 @@ tests:
 count: 1
 - it: should render component container name
- template: feeds_deployment.yaml
+ template: deployment.yaml
 documentIndex: 0
 asserts:
 - equal:
@@ -183,7 +183,7 @@ tests:
 value: feeds-feeds
 - it: should render component entrypoint args
- template: feeds_deployment.yaml
+ template: deployment.yaml
 documentIndex: 0
 asserts:
 - matchRegex:
@@ -192,7 +192,7 @@ tests:
 count: 1
 - it: should render component environment variables
- template: feeds_deployment.yaml
+ template: deployment.yaml
 documentIndex: 0
 set:
 extraEnv:
@@ -226,7 +226,7 @@ tests:
 value: foobar
 - it: should render component ports
- template: feeds_deployment.yaml
+ template: deployment.yaml
 documentIndex: 0
 asserts:
 - contains:
@@ -237,7 +237,7 @@ tests:
 count: 1
 - it: should render component volumeMounts
- template: feeds_deployment.yaml
+ template: deployment.yaml
 documentIndex: 0
 asserts:
 - contains:
@@ -257,7 +257,7 @@ tests:
 any: true
 - it: should render component probes
- template: feeds_deployment.yaml
+ template: deployment.yaml
 documentIndex: 0
 asserts:
 - isSubset:
@@ -287,7 +287,7 @@ tests:
 count: 1
 - it: should render component resource requests & limits
- template: feeds_deployment.yaml
+ template: deployment.yaml
 documentIndex: 0
 set:
 resources:
@@ -313,7 +313,7 @@ tests:
 - it: should not render nodePorts
- template: feeds_deployment.yaml
+ template: deployment.yaml
 documentIndex: 1
 asserts:
 - isNotSubset:
@@ -322,7 +322,7 @@ tests:
 nodePort: 9999
 count: 1
 - it: should render nodePorts
- template: feeds_deployment.yaml
+ template: deployment.yaml
 documentIndex: 1
 set:
 service.nodePort: 9999
From bddabb2b79e1d3328ca2fa8f11a3030dfe387372 Mon Sep 17 00:00:00 2001
From: Hung Nguyen
Date: Fri, 15 Sep 2023 15:37:47 -0400
Subject: [PATCH 204/329] handle hashed_passwords not being set (#123) * handle hashed_passwords not being set * migrator script update: instantiate key if doesnt exist * adding maxCompressedImageSizeMB test * fix envVar being anything other than a string * updating tests to make extraEnv a string. update mapping for postgresql.imageTag * updating script for case of postgres user being postgres admin user
Signed-off-by: Hung Nguyen
---------
Signed-off-by: Hung Nguyen
---
 scripts/helpers.py | 26 ++++++ scripts/mappings.py | 2 +- .../configs/test_convert_values_file.yaml | 5 +- .../test_convert_values_file_result.yaml | 8 +- .../test_anchoreAnalyzer_value_mapping.py | 29 ++++--- .../tests/test_anchoreApi_value_mapping.py | 23 ++--- .../test_anchoreCatalog_value_mapping.py | 28 ++++--- ...t_anchoreEngineUpgradeJob_value_mapping.py | 14 ++-- ...nterpriseEngineUpgradeJob_value_mapping.py | 18 ++-- ...EnterpriseFeedsUpgradeJob_value_mapping.py | 18 ++-- ...st_anchoreEnterpriseFeeds_value_mapping.py | 70 ++++++++-------- ...reEnterpriseNotifications_value_mapping.py | 26 +++--- ...est_anchoreEnterpriseRbac_value_mapping.py | 28 +++---- ..._anchoreEnterpriseReports_value_mapping.py | 31 ++++--- .../test_anchoreEnterpriseUi_value_mapping.py | 50 ++++++----- .../tests/test_anchoreGlobal_value_mapping.py | 83 +++++++++++++------ .../test_anchorePolicyEngine_value_mapping.py | 24 +++--- .../test_anchoreSimpleQueue_value_mapping.py | 22 ++--- scripts/tests/test_helpers.py | 6 ++ 19 files changed, 311 insertions(+), 200 deletions(-)
diff --git a/scripts/helpers.py b/scripts/helpers.py
index 6ec992dc..31de35cb 100644
--- a/scripts/helpers.py
+++ b/scripts/helpers.py
@@ -19,6 +19,13 @@ def represent_block_scalar(dumper, data):
 style = "|" if "\n" in data else '"'
 return dumper.represent_scalar("tag:yaml.org,2002:str", data, style=style)
+def convert_to_str(env_var):
+ if isinstance(env_var, dict):
+ if not isinstance(env_var.get('value'), str):
+ env_var['value'] = str(env_var.get('value'))
+ else:
+ return str(env_var)
+
+def convert_values_file(file, results_dir):
 file_name = os.path.basename(file)
 prep_dir(path=results_dir, clean=True)
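Review bot: `convert_to_str` turns a missing `value` key into the string `"None"`: for an env entry that uses `valueFrom` (a secretKeyRef, say) `env_var.get('value')` is `None`, so the dict branch writes `env_var['value'] = 'None'`, and Kubernetes rejects an env entry that carries both `value` and `valueFrom`. Guard on presence instead: `if 'value' in env_var and not isinstance(env_var['value'], str):` followed by `env_var['value'] = str(env_var['value'])`. The function also returns the converted string for scalars but `None` for dicts (mutating in place), which is why the caller below needs `convert_to_str(env_var) or env_var`; returning `env_var` from the dict branch would make the contract uniform and let the caller drop the `or`. A one-line docstring stating that dict entries are normalised in place and scalars are returned as strings would make the asymmetry explicit.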
@@ -32,6 +39,17 @@ def convert_values_file(file, results_dir):
 enterprise_chart_values_dict, enterprise_chart_env_var_dict = replace_keys_with_mappings(dot_string_dict, results_dir)
 for key, val in enterprise_chart_env_var_dict.items():
+ if isinstance(val, list):
+ for index, env_var in enumerate(val):
+ val[index] = convert_to_str(env_var) or env_var
+ elif isinstance(val, dict):
+ for index, env_var in enumerate(val.get("extraEnv", [])):
+ val["extraEnv"][index] = convert_to_str(env_var) or env_var
+
+ # taking the environment variables and adding it into the enterprise_chart_values_dict to make one dictionary
+ if key not in enterprise_chart_values_dict:
+ val_type = type(val)
+ enterprise_chart_values_dict[key] = val_type()
 if isinstance(val, list):
 enterprise_chart_values_dict[key] = enterprise_chart_values_dict[key] + val
 elif isinstance(val, dict):
@@ -39,6 +57,10 @@ def convert_values_file(file, results_dir):
 enterprise_chart_values_dict[key]["extraEnv"] = enterprise_chart_values_dict[key].get("extraEnv", [])
 enterprise_chart_values_dict[key]["extraEnv"] = enterprise_chart_values_dict[key]["extraEnv"] + val.get("extraEnv", [])
+ # for the current bitnami postgres chart, if your user is specifically the 'postgres' admin user, you need to override global.postgresql.auth.postgresPassword
+ if (enterprise_chart_values_dict.get('postgresql', {}).get('auth', {}).get('username') == 'postgres') and (enterprise_chart_values_dict.get('postgresql', {}).get('auth', {}).get('password')):
+ enterprise_chart_values_dict['postgresql']['auth']['postgresPassword'] = enterprise_chart_values_dict['postgresql']['auth']['password']
+
 yaml.add_representer(str, represent_block_scalar)
 yaml_data = yaml.dump(enterprise_chart_values_dict, default_flow_style=False)
 file_name = f"enterprise.{file_name}"
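Review bot: The new comment says the admin password must be set under `global.postgresql.auth.postgresPassword`, but the code writes `enterprise_chart_values_dict['postgresql']['auth']['postgresPassword']`, so one of the two is wrong; if the dependency chart only honours the `global.` key the migrated file would still fail to authenticate as `postgres`, otherwise the comment should name the key that is actually written. The three repeated `.get('postgresql', {}).get('auth', {})` lookups can be bound once, `auth = enterprise_chart_values_dict.get('postgresql', {}).get('auth', {})`, with the condition written against `auth`. Either way the migration now emits the same database credential under two keys of the output values file; the warning log or README should say so, so users know to move both into a secret rather than committing the generated file. `convert_values_file` continues outside the hunk.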
@@ -93,6 +115,10 @@ def replace_keys_with_mappings(dot_string_dict, results_dir):
 env_var_mapping = {**enterprise_env_var_mapping, **feeds_env_var_mapping}
 logs_dir = f"{results_dir}/logs"
+ if not dot_string_dict.get("anchoreGlobal.hashedPasswords"):
+ log_file_name = "warning.log"
+ write_to_file(f"hashedPasswords is not currently used. You should _really_ consider using it. Please see docs on how to migrate to hashed passwords.\n", os.path.join(logs_dir, log_file_name), "a")
+ dot_string_dict["anchoreGlobal.hashedPasswords"] = False
 for dotstring_key, val in dot_string_dict.items():
 keys = dotstring_key.split('.')
diff --git a/scripts/mappings.py b/scripts/mappings.py
index 90d329d1..e0cec839 100644
--- a/scripts/mappings.py
+++ b/scripts/mappings.py
@@ -128,7 +128,7 @@
 "postgresql.postgresPassword": "postgresql.auth.password",
 "postgresql.postgresUser": "postgresql.auth.username",
 "postgresql.postgresPort": "postgresql.primary.service.ports.postgresql",
- "postgresql.imageTag": "postgresql.imageTag",
+ "postgresql.imageTag": "postgresql.image.tag",
 "anchore-feeds-db.imageTag": "feeds.feeds-db.image.tag",
 "anchore-feeds-gem-db.imageTag": "feeds.gem-db.image.tag",
diff --git a/scripts/tests/configs/test_convert_values_file.yaml b/scripts/tests/configs/test_convert_values_file.yaml
index 8d2d86e3..38f527ed 100644
--- a/scripts/tests/configs/test_convert_values_file.yaml
+++ b/scripts/tests/configs/test_convert_values_file.yaml
@@ -4,6 +4,9 @@ anchoreEnterpriseGlobal:
 anchoreGlobal:
 useExistingSecrets: true
 existingSecretName: global-existing-secrets
+ extraEnv:
+ - name: ANCHORE_MAX_REQUEST_THREADS
+ value: "9876543210"
 anchoreEnterpriseUi:
 existingSecretName: ui-existing-secrets
@@ -12,4 +15,4 @@ anchoreEnterpriseFeeds:
 existingSecretName: feeds-existing-secrets
 anchoreApi:
- maxRequestThreads: 9876543210
\ No newline at end of file
+ maxRequestThreads: 9876543210
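Review bot: The warning in `replace_keys_with_mappings` is written with an f-string that has no placeholders, so the `f` prefix is noise and a plain string literal with the same content is clearer; `write_to_file` is not visible here, so whether it creates `logs_dir` when the directory is missing should be confirmed, since this branch is the first write in the function. The branch also mutates the caller's `dot_string_dict` by inserting `anchoreGlobal.hashedPasswords`, which is what makes every expected result in the test files below carry the `hashed_passwords: False` default; if that side effect is intended, state it in the function's docstring, e.g. `# NOTE: inserts anchoreGlobal.hashedPasswords=False into dot_string_dict when the key is unset`. Since by the warning's own wording the default keeps a setting users should migrate away from, consider also echoing the message to stderr rather than relying on a line in `warning.log` being read. The loop body continues outside the hunk.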
diff --git a/scripts/tests/configs/test_convert_values_file_result.yaml b/scripts/tests/configs/test_convert_values_file_result.yaml
index 18fa8a86..3729a2bd 100644
--- a/scripts/tests/configs/test_convert_values_file_result.yaml
+++ b/scripts/tests/configs/test_convert_values_file_result.yaml
@@ -8,4 +8,10 @@
 "api":
 "extraEnv":
 - "name": "ANCHORE_MAX_REQUEST_THREADS"
- "value": 9876543210
\ No newline at end of file
+ "value": "9876543210"
+"anchoreConfig":
+ "user_authentication":
+ "hashed_passwords": False
+"extraEnv":
+ - "name": "ANCHORE_MAX_REQUEST_THREADS"
+ "value": "9876543210"
\ No newline at end of file
diff --git a/scripts/tests/test_anchoreAnalyzer_value_mapping.py b/scripts/tests/test_anchoreAnalyzer_value_mapping.py
index 5e112c70..fef76645 100644
--- a/scripts/tests/test_anchoreAnalyzer_value_mapping.py
+++ b/scripts/tests/test_anchoreAnalyzer_value_mapping.py
@@ -17,7 +17,7 @@ def test_anchoreAnalyzer_replicaCount_value(self):
 dot_string_dict = {
 "anchoreAnalyzer.replicaCount": 2,
 }
- expected_result = {
+ expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'analyzer': {
 'replicaCount': 2
 }
@@ -29,7 +29,7 @@ def test_anchoreAnalyzer_containerPort_value(self):
 dot_string_dict = {
 "anchoreAnalyzer.containerPort": 8084,
 }
- expected_result = {
+ expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'analyzer': {
 'service': {
 'port': 8084
@@ -48,7 +48,7 @@ def test_anchoreAnalyzer_extraEnv_value(self):
 }
 ]
 }
- expected_result = {
+ expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'analyzer': {
 'extraEnv': [
 {
@@ -65,7 +65,7 @@ def test_anchoreAnalyzer_serviceAccountName_value(self):
 dot_string_dict = {
 "anchoreAnalyzer.serviceAccountName": "foo",
 }
- expected_result = {
+ expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'analyzer': {
 'serviceAccountName': 'foo'
 }
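Review bot: Every `expected_result` in test_anchoreAnalyzer_value_mapping.py, and likewise in test_anchoreApi_value_mapping.py and (per the diffstat) the other `test_*_value_mapping.py` files, now inlines the same `{'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}}` literal, tacked onto the `expected_result = {` line; define it once, e.g. `HASHED_PASSWORDS_DEFAULT = {'user_authentication': {'hashed_passwords': False}}` at module level or in a shared test helper, and merge it into the `anchoreConfig` of each expected dict. That keeps the next change to the injected default a one-line edit and lets each test read as only the mapping it is about. The enclosing test methods start outside the hunks.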
@@ -80,7 +80,7 @@ def test_anchoreAnalyzer_resources_value(self):
 "anchoreAnalyzer.resources.requests.cpu": 1,
 "anchoreAnalyzer.resources.requests.memory": "1G",
 }
- expected_result = {
+ expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'analyzer': {
 'resources': {
 'limits': {
@@ -103,7 +103,7 @@ def test_anchoreAnalyzer_labels_value(self):
 "anchoreAnalyzer.labels.value": "bar",
 "anchoreAnalyzer.labels.kubernetes.io/description": "baz",
 }
- expected_result = {
+ expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'analyzer': {
 'labels': {
@@ -122,7 +122,7 @@ def test_anchoreAnalyzer_annotations_value(self):
 "anchoreAnalyzer.annotations.value": "bar",
 "anchoreAnalyzer.annotations.kubernetes.io/description": "baz",
 }
- expected_result = {
+ expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'analyzer': {
 'annotations': {
@@ -140,7 +140,7 @@ def test_anchoreanalyzer_deploymentAnnotations_value(self):
 "anchoreAnalyzer.deploymentAnnotations.name": "foo",
 "anchoreAnalyzer.deploymentAnnotations.value": "bar",
 }
- expected_result = {
+ expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'analyzer': {
 'deploymentAnnotations': {
 'name': 'foo',
@@ -157,7 +157,7 @@ def test_anchoreAnalyzer_nodeSelector_value(self):
 "anchoreAnalyzer.nodeSelector.value": "bar",
 }
- expected_result = {
+ expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'analyzer': {
 'nodeSelector': {
@@ -179,7 +179,7 @@ def test_anchoreAnalyzer_tolerations_value(self):
 }
 ]
 }
- expected_result = {
+ expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'analyzer': {
 'tolerations': [
 {
@@ -197,7 +197,7 @@ def test_anchoreAnalyzer_affinity_value(self): "anchoreAnalyzer.affinity.name": "foo", "anchoreAnalyzer.affinity.value": "bar", } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'analyzer': { 'affinity': { 'name': 'foo', @@ -214,6 +214,7 @@ def test_anchoreAnalyzer_cycleTimers_image_analyzer_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'analyzer': { 'cycle_timers': { 'image_analyzer': 1 @@ -231,6 +232,7 @@ def test_anchoreAnalyzer_concurrentTasksPerWorker_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'analyzer': { 'max_threads': 1 } @@ -246,6 +248,7 @@ def test_anchoreAnalyzer_layerCacheMaxGigabytes_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'analyzer': { 'layer_cache_max_gigabytes': 1 } @@ -261,6 +264,7 @@ def test_anchoreAnalyzer_enableHints_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'analyzer': { 'enable_hints': False } @@ -294,6 +298,7 @@ def test_anchoreAnalyzer_configFile_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'analyzer': { 'configFile': { 'retrieve_files': { @@ -341,5 +346,5 @@ def test_enableOwnedPackageFiltering_value(self): } } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], {}) + self.assertEqual(result[0], {'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}}) self.assertEqual(result[1], expected_result) \ No newline at end of file diff --git a/scripts/tests/test_anchoreApi_value_mapping.py b/scripts/tests/test_anchoreApi_value_mapping.py index b750419e..3d7f687f 100644 --- a/scripts/tests/test_anchoreApi_value_mapping.py +++ b/scripts/tests/test_anchoreApi_value_mapping.py 
@@ -17,7 +17,7 @@ def test_anchoreApi_replicaCount_value(self): dot_string_dict = { "anchoreApi.replicaCount": 2, } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'api': { 'replicaCount': 2 } @@ -34,7 +34,7 @@ def test_anchoreApi_extraEnv_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'api': { 'extraEnv': [ { @@ -59,7 +59,7 @@ def test_anchoreApi_service_value(self): "anchoreApi.service.labels.with.a.dot.foobar": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'api': { 'service': { "name": "null", @@ -84,7 +84,7 @@ def test_anchoreApi_serviceAccountName_value(self): dot_string_dict = { "anchoreApi.serviceAccountName": "Null" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'api': { 'serviceAccountName': "Null" } @@ -100,7 +100,7 @@ def test_anchoreApi_resources_value(self): "anchoreApi.resources.requests.memory": "1G", } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'api': { 'resources': { 'limits': { @@ -123,7 +123,7 @@ def test_anchoreApi_labels_value(self): "anchoreApi.labels.value": "bar", "anchoreApi.labels.anotherLabel.with.a.dot": "baz", } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'api': { 'labels': { @@ -141,7 +141,7 @@ def test_anchoreApi_annotations_value(self): "anchoreApi.annotations.foo": "bar", "anchoreApi.annotations.baz": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'api': { 'annotations': { 
@@ -158,7 +158,7 @@ def test_anchoreApi_deploymentAnnotations_value(self): "anchoreApi.deploymentAnnotations.name": "foo", "anchoreApi.deploymentAnnotations.mydot.value": "bar" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'api': { 'deploymentAnnotations': { 'name': 'foo', @@ -174,7 +174,7 @@ def test_anchoreApi_nodeSelector_value(self): "anchoreApi.nodeSelector.name": "foo", "anchoreApi.nodeSelector.value": "bar" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'api': { 'nodeSelector': { @@ -195,7 +195,7 @@ def test_anchoreApi_tolerations_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'api': { 'tolerations': [ { @@ -213,7 +213,7 @@ def test_anchoreApi_affinity_value(self): "anchoreApi.affinity.name": "foo", "anchoreApi.affinity.value": "bar" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'api': { 'affinity': { 'name': 'foo', @@ -232,6 +232,7 @@ def test_anchoreApi_external_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'apiext': { 'external': { 'useTLS': True, diff --git a/scripts/tests/test_anchoreCatalog_value_mapping.py b/scripts/tests/test_anchoreCatalog_value_mapping.py index 1cc9432b..3bc1b482 100644 --- a/scripts/tests/test_anchoreCatalog_value_mapping.py +++ b/scripts/tests/test_anchoreCatalog_value_mapping.py @@ -17,7 +17,7 @@ def test_anchoreCatalog_replicaCount_value(self): dot_string_dict = { "anchoreCatalog.replicaCount": 2, } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'catalog': { 'replicaCount': 2 } 
@@ -34,7 +34,7 @@ def test_anchoreCatalog_extraEnv_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'catalog': { 'extraEnv': [ { @@ -51,7 +51,7 @@ def test_anchoreCatalog_serviceAccountName_value(self): dot_string_dict = { "anchoreCatalog.serviceAccountName": "Null" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'catalog': { 'serviceAccountName': "Null" } @@ -70,7 +70,7 @@ def test_anchoreCatalog_service_value(self): "anchoreCatalog.service.labels.foobar": "baz", "anchoreCatalog.service.labels.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'catalog': { 'service': { "name": "Null", @@ -98,7 +98,7 @@ def test_anchoreCatalog_resources_value(self): "anchoreCatalog.resources.requests.cpu": 1, "anchoreCatalog.resources.requests.memory": "1G" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'catalog': { 'resources': { 'limits': { @@ -121,7 +121,7 @@ def test_anchoreCatalog_labels_value(self): "anchoreCatalog.labels.myOtherLabel": "myOtherValue", "anchoreCatalog.labels.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'catalog': { 'labels': { @@ -140,7 +140,7 @@ def test_anchoreCatalog_annotations_value(self): "anchoreCatalog.annotations.bar": "baz", "anchoreCatalog.annotations.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'catalog': { 'annotations': { 
@@ -160,7 +160,7 @@ def test_anchoreCatalog_deploymentAnnotations_value(self): "anchoreCatalog.deploymentAnnotations.bar": "baz", "anchoreCatalog.deploymentAnnotations.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'catalog': { 'deploymentAnnotations': { @@ -179,7 +179,7 @@ def test_anchoreCatalog_nodeSelector_value(self): "anchoreCatalog.nodeSelector.value": "bar", "anchoreCatalog.nodeSelector.anotherLabel.with.a.dot": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'catalog': { 'nodeSelector': { @@ -201,7 +201,7 @@ def test_anchoreCatalog_tolerations_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'catalog': { 'tolerations': [ { @@ -220,7 +220,7 @@ def test_anchoreCatalog_affinity_value(self): "anchoreCatalog.affinity.value": "bar", "anchoreCatalog.affinity.anotherLabel.with.a.dot": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'catalog': { 'affinity':{ 'name': 'foo', @@ -250,6 +250,7 @@ def test_anchoreCatalog_cycleTimers_value(self): expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'catalog': { 'cycle_timers': { 'analyzer_queue': 1, @@ -282,6 +283,7 @@ def test_anchoreCatalog_events_value(self): expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'catalog': { 'event_log': { 'max_retention_age_days': 0, @@ -315,6 +317,7 @@ def test_anchoreCatalog_analysis_archive_value(self): expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'catalog': { 'analysis_archive': { 'compression': { 
@@ -351,6 +354,7 @@ def test_anchoreCatalog_object_store_value(self): expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'catalog': { 'object_store': { 'compression': { @@ -375,6 +379,7 @@ def test_anchoreCatalog_runtimeInventory_value(self): expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'catalog': { 'runtime_inventory': { 'image_ttl_days': 1 @@ -392,6 +397,7 @@ def test_anchoreCatalog_downAnalyzerTaskRequeue_value(self): expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'catalog': { 'down_analyzer_task_requeue': True } diff --git a/scripts/tests/test_anchoreEngineUpgradeJob_value_mapping.py b/scripts/tests/test_anchoreEngineUpgradeJob_value_mapping.py index 5c69d023..2231e233 100644 --- a/scripts/tests/test_anchoreEngineUpgradeJob_value_mapping.py +++ b/scripts/tests/test_anchoreEngineUpgradeJob_value_mapping.py @@ -17,7 +17,7 @@ def test_anchoreEngineUpgradeJob_enabled_value(self): dot_string_dict = { "anchoreEngineUpgradeJob.enabled": True } - expected_result = {} + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) @@ -28,7 +28,7 @@ def test_anchoreEngineUpgradeJob_resources_value(self): "anchoreEngineUpgradeJob.resources.requests.cpu": 1, "anchoreEngineUpgradeJob.resources.requests.memory": "1G" } - expected_result = {} + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) 
@@ -38,7 +38,7 @@ def test_anchoreEngineUpgradeJob_labels_value(self): "anchoreEngineUpgradeJob.labels.myOtherLabel": "myOtherValue", "anchoreEngineUpgradeJob.labels.anotherLabel.with.a.dot": "qux" } - expected_result = {} + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) @@ -48,7 +48,7 @@ def test_anchoreEngineUpgradeJob_annotations_value(self): "anchoreEngineUpgradeJob.annotations.bar": "baz", "anchoreEngineUpgradeJob.annotations.anotherLabel.with.a.dot": "qux" } - expected_result = {} + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) @@ -58,7 +58,7 @@ def test_anchoreEngineUpgradeJob_nodeSelector_value(self): "anchoreEngineUpgradeJob.nodeSelector.value": "bar", "anchoreEngineUpgradeJob.nodeSelector.anotherLabel.with.a.dot": "baz" } - expected_result = {} + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) @@ -71,7 +71,7 @@ def test_anchoreEngineUpgradeJob_tolerations_value(self): } ] } - expected_result = {} + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) 
@@ -81,6 +81,6 @@ def test_anchoreEngineUpgradeJob_affinity_value(self): "anchoreEngineUpgradeJob.affinity.value": "bar", "anchoreEngineUpgradeJob.affinity.anotherLabel.with.a.dot": "baz" } - expected_result = {} + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) diff --git a/scripts/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py b/scripts/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py index 9e807d16..b7e9de79 100644 --- a/scripts/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py +++ b/scripts/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py @@ -17,7 +17,7 @@ def test_anchoreEnterpriseEngineUpgradeJob_enabled_value(self): dot_string_dict = { "anchoreEnterpriseEngineUpgradeJob.enabled": True } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'upgradeJob': { 'enabled': True } @@ -32,7 +32,7 @@ def test_anchoreEnterpriseEngineUpgradeJob_resources_value(self): "anchoreEnterpriseEngineUpgradeJob.resources.requests.cpu": 1, "anchoreEnterpriseEngineUpgradeJob.resources.requests.memory": "1G" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'upgradeJob': { 'resources': { 'limits': { @@ -56,7 +56,7 @@ def test_anchoreEnterpriseEngineUpgradeJob_labels_value(self): "anchoreEnterpriseEngineUpgradeJob.labels.myOtherLabel": "myOtherValue", "anchoreEnterpriseEngineUpgradeJob.labels.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'upgradeJob': { 'labels': { 
@@ -75,7 +75,7 @@ def test_anchoreEnterpriseEngineUpgradeJob_annotations_value(self): "anchoreEnterpriseEngineUpgradeJob.annotations.bar": "baz", "anchoreEnterpriseEngineUpgradeJob.annotations.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'upgradeJob': { 'annotations': { @@ -95,7 +95,7 @@ def test_anchoreEnterpriseEngineUpgradeJob_nodeSelector_value(self): "anchoreEnterpriseEngineUpgradeJob.nodeSelector.value": "bar", "anchoreEnterpriseEngineUpgradeJob.nodeSelector.anotherLabel.with.a.dot": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'upgradeJob': { 'nodeSelector': { @@ -117,7 +117,7 @@ def test_anchoreEnterpriseEngineUpgradeJob_tolerations_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'upgradeJob': { 'tolerations': [ { @@ -136,7 +136,7 @@ def test_anchoreEnterpriseEngineUpgradeJob_affinity_value(self): "anchoreEnterpriseEngineUpgradeJob.affinity.value": "bar", "anchoreEnterpriseEngineUpgradeJob.affinity.anotherLabel.with.a.dot": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'upgradeJob': { 'affinity':{ 'name': 'foo', @@ -157,7 +157,7 @@ def test_anchoreEnterpriseEngineUpgradeJob_extraEnv_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'upgradeJob': { 'extraEnv': [ { @@ -174,7 +174,7 @@ def test_anchoreEnterpriseEngineUpgradeJob_serviceAccountName_value(self): dot_string_dict = { "anchoreEnterpriseEngineUpgradeJob.serviceAccountName": "Null" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'upgradeJob': { 'serviceAccountName': "Null" } 
diff --git a/scripts/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py b/scripts/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py index 1d6f781e..88fb2630 100644 --- a/scripts/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py +++ b/scripts/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py @@ -17,7 +17,7 @@ def test_anchoreEnterpriseFeedsUpgradeJob_enabled_value(self): dot_string_dict = { "anchoreEnterpriseFeedsUpgradeJob.enabled": True, } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'feedsUpgradeJob': { 'enabled': True @@ -34,7 +34,7 @@ def test_anchoreEnterpriseFeedsUpgradeJob_resources_value(self): "anchoreEnterpriseFeedsUpgradeJob.resources.requests.cpu": 1, "anchoreEnterpriseFeedsUpgradeJob.resources.requests.memory": "1G" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'feedsUpgradeJob': { 'resources': { @@ -60,7 +60,7 @@ def test_anchoreEnterpriseFeedsUpgradeJob_labels_value(self): "anchoreEnterpriseFeedsUpgradeJob.labels.myOtherLabel": "myOtherValue", "anchoreEnterpriseFeedsUpgradeJob.labels.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'feedsUpgradeJob': { 'labels': @@ -81,7 +81,7 @@ def test_anchoreEnterpriseFeedsUpgradeJob_annotations_value(self): "anchoreEnterpriseFeedsUpgradeJob.annotations.bar": "baz", "anchoreEnterpriseFeedsUpgradeJob.annotations.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'feedsUpgradeJob': { 'annotations': 
@@ -102,7 +102,7 @@ def test_anchoreEnterpriseFeedsUpgradeJob_nodeSelector_value(self): "anchoreEnterpriseFeedsUpgradeJob.nodeSelector.value": "bar", "anchoreEnterpriseFeedsUpgradeJob.nodeSelector.anotherLabel.with.a.dot": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'feedsUpgradeJob': { 'nodeSelector': @@ -126,7 +126,7 @@ def test_anchoreEnterpriseFeedsUpgradeJob_tolerations_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'feedsUpgradeJob': { 'tolerations': [ @@ -147,7 +147,7 @@ def test_anchoreEnterpriseFeedsUpgradeJob_affinity_value(self): "anchoreEnterpriseFeedsUpgradeJob.affinity.value": "bar", "anchoreEnterpriseFeedsUpgradeJob.affinity.anotherLabel.with.a.dot": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'feedsUpgradeJob': { 'affinity':{ @@ -170,7 +170,7 @@ def test_anchoreEnterpriseFeedsUpgradeJob_extraEnv_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'feedsUpgradeJob': { 'extraEnv': [ @@ -189,7 +189,7 @@ def test_anchoreEnterpriseFeedsUpgradeJob_serviceAccountName_value(self): dot_string_dict = { "anchoreEnterpriseFeedsUpgradeJob.serviceAccountName": "Null" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'feedsUpgradeJob': { 'serviceAccountName': "Null" diff --git a/scripts/tests/test_anchoreEnterpriseFeeds_value_mapping.py b/scripts/tests/test_anchoreEnterpriseFeeds_value_mapping.py index eb93addc..8c5f205c 100644 --- a/scripts/tests/test_anchoreEnterpriseFeeds_value_mapping.py +++ b/scripts/tests/test_anchoreEnterpriseFeeds_value_mapping.py 
@@ -17,7 +17,7 @@ def test_anchoreEnterpriseFeeds_enabled_value(self): dot_string_dict = { "anchoreEnterpriseFeeds.enabled": True, } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'chartEnabled': True } @@ -29,7 +29,7 @@ def test_anchoreEnterpriseFeeds_replicaCount_value(self): dot_string_dict = { "anchoreEnterpriseFeeds.replicaCount": 2, } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'replicaCount': 2 } @@ -45,7 +45,7 @@ def test_anchoreEnterpriseFeeds_resources_value(self): "anchoreEnterpriseFeeds.resources.requests.cpu": 1, "anchoreEnterpriseFeeds.resources.requests.memory": "1G" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'resources': { 'limits': { @@ -69,7 +69,7 @@ def test_anchoreEnterpriseFeeds_labels_value(self): "anchoreEnterpriseFeeds.labels.myOtherLabel": "myOtherValue", "anchoreEnterpriseFeeds.labels.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'labels': { @@ -88,7 +88,7 @@ def test_anchoreEnterpriseFeeds_annotations_value(self): "anchoreEnterpriseFeeds.annotations.bar": "baz", "anchoreEnterpriseFeeds.annotations.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'annotations': { @@ -108,7 +108,7 @@ def test_anchoreEnterpriseFeeds_deploymentAnnotations_value(self): "anchoreEnterpriseFeeds.deploymentAnnotations.bar": "baz", "anchoreEnterpriseFeeds.deploymentAnnotations.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'deploymentAnnotations': { 
@@ -127,7 +127,7 @@ def test_anchoreEnterpriseFeeds_nodeSelector_value(self): "anchoreEnterpriseFeeds.nodeSelector.value": "bar", "anchoreEnterpriseFeeds.nodeSelector.anotherLabel.with.a.dot": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'nodeSelector': { @@ -149,7 +149,7 @@ def test_anchoreEnterpriseFeeds_tolerations_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'tolerations': [ { @@ -168,7 +168,7 @@ def test_anchoreEnterpriseFeeds_affinity_value(self): "anchoreEnterpriseFeeds.affinity.value": "bar", "anchoreEnterpriseFeeds.affinity.anotherLabel.with.a.dot": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'affinity':{ 'name': 'foo', @@ -189,7 +189,7 @@ def test_anchoreEnterpriseFeeds_extraEnv_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'extraEnv': [ { @@ -206,7 +206,7 @@ def test_anchoreEnterpriseFeeds_serviceAccountName_value(self): dot_string_dict = { "anchoreEnterpriseFeeds.serviceAccountName": "Null" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'serviceAccountName': "Null" } @@ -226,7 +226,7 @@ def test_anchoreEnterpriseFeeds_service_value(self): "anchoreEnterpriseFeeds.service.labels.foobar": "baz", "anchoreEnterpriseFeeds.service.labels.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'service': { "name": "Null", 
@@ -251,7 +251,7 @@ def test_anchoreEnterpriseFeeds_url_value(self): dot_string_dict = { "anchoreEnterpriseFeeds.url": "https://myhostname:9999" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'url': "https://myhostname:9999" } @@ -273,7 +273,7 @@ def test_anchoreEnterpriseFeeds_driver_values(self): ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'anchoreConfig': { 'feeds': { @@ -297,7 +297,7 @@ def test_anchoreEnterpriseFeeds_ubuntuExtraReleases_values(self): "anchoreEnterpriseFeeds.ubuntuExtraReleases.kinetic": "22.10" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'anchoreConfig': { 'feeds': { @@ -321,7 +321,7 @@ def test_anchoreEnterpriseFeeds_ubuntuExtraReleases_empty_values(self): "anchoreEnterpriseFeeds.ubuntuExtraReleases": {} } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'anchoreConfig': { 'feeds': { @@ -343,7 +343,7 @@ def test_anchoreEnterpriseFeeds_debianExtraReleases_values(self): "anchoreEnterpriseFeeds.debianExtraReleases.trixie": "13" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'anchoreConfig': { 'feeds': { @@ -367,7 +367,7 @@ def test_anchoreEnterpriseFeeds_debianExtraReleases_empty_values(self): "anchoreEnterpriseFeeds.debianExtraReleases": {} } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'anchoreConfig': { 'feeds': { 
@@ -389,7 +389,7 @@ def test_anchoreEnterpriseFeeds_cycleTimers_values(self): "anchoreEnterpriseFeeds.cycleTimers.driver_sync": 7200 } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'anchoreConfig': { 'feeds': { @@ -416,7 +416,7 @@ def test_anchoreEnterpriseFeeds_dbConfig_with_engineArgs_values(self): "anchoreEnterpriseFeeds.dbConfig.engineArgs.pool_recycle": 600 } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'anchoreConfig': { 'dbConfig': { @@ -449,7 +449,7 @@ def test_anchoreEnterpriseFeeds_dbConfig_values(self): "anchoreEnterpriseFeeds.dbConfig.engineArgs": {} } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'anchoreConfig': { 'dbConfig': { @@ -475,7 +475,7 @@ def test_anchoreEnterpriseFeeds_persistence_false_values(self): "anchoreEnterpriseFeeds.persistence.resourcePolicy": None } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'persistence': { 'enabled': False, @@ -500,7 +500,7 @@ def test_anchoreEnterpriseFeeds_persistence_values(self): "anchoreEnterpriseFeeds.persistence.mountPath": "/workspace" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'persistence': { 'enabled': True, @@ -537,7 +537,9 @@ def test_anchoreEnterpriseFeeds_rhelDriverConcurrency_values(self): } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], {}) + self.assertEqual(result[0], { + 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}} + }) self.assertEqual(result[1], expected_result) def test_anchoreEnterpriseFeeds_ubuntuDriverGit_values(self): 
@@ -556,7 +558,9 @@ def test_anchoreEnterpriseFeeds_ubuntuDriverGit_values(self): } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], {}) + self.assertEqual(result[0], { + 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}} + }) self.assertEqual(result[1], expected_result) # Anchore Feeds DB values @@ -570,7 +574,7 @@ def test_anchoreFeedsDB_values(self): "anchore-feeds-db.postgresPort": 5432 } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, "feeds": { "feeds-db": { "chartEnabled": True, @@ -601,7 +605,7 @@ def test_anchoreFeedsDB_persistence_values(self): "anchore-feeds-db.persistence.size": "20Gi" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'feeds-db': { 'primary': { @@ -624,7 +628,7 @@ def test_anchoreFeedsDB_image_values(self): "anchore-feeds-db.imageTag": "latest" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'feeds-db': { 'image': { @@ -652,7 +656,7 @@ def test_anchoreFeedsDB_extraEnv_values(self): ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'feeds-db':{ 'primary': { @@ -678,7 +682,7 @@ def test_anchoreFeedsGemDB_values(self): "anchore-feeds-gem-db.postgresPort": 5432 } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, "feeds": { "gem-db": { "chartEnabled": True, @@ -709,7 +713,7 @@ def test_anchoreFeedsGemDB_persistence_values(self): "anchore-feeds-gem-db.persistence.size": "20Gi" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'gem-db': { 'primary': { 
@@ -732,7 +736,7 @@ def test_anchoreFeedsGemDB_image_values(self): "anchore-feeds-gem-db.imageTag": "latest" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'gem-db': { 'image': { @@ -760,7 +764,7 @@ def test_anchoreFeedsGemDB_extraEnv_values(self): ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'gem-db':{ 'primary': { diff --git a/scripts/tests/test_anchoreEnterpriseNotifications_value_mapping.py b/scripts/tests/test_anchoreEnterpriseNotifications_value_mapping.py index 54b32319..f1264207 100644 --- a/scripts/tests/test_anchoreEnterpriseNotifications_value_mapping.py +++ b/scripts/tests/test_anchoreEnterpriseNotifications_value_mapping.py @@ -17,7 +17,7 @@ def test_anchoreEnterpriseNotifications_enabled_value(self): dot_string_dict = { "anchoreEnterpriseNotifications.enabled": True, # deprecated } - expected_result = {} + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) @@ -25,7 +25,7 @@ def test_anchoreEnterpriseNotifications_replicaCount_value(self): dot_string_dict = { "anchoreEnterpriseNotifications.replicaCount": 2, } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'replicaCount': 2 } @@ -41,7 +41,7 @@ def test_anchoreEnterpriseNotifications_resources_value(self): "anchoreEnterpriseNotifications.resources.requests.cpu": 1, "anchoreEnterpriseNotifications.resources.requests.memory": "1G" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'resources': { 'limits': { 
@@ -65,7 +65,7 @@ def test_anchoreEnterpriseNotifications_labels_value(self): "anchoreEnterpriseNotifications.labels.myOtherLabel": "myOtherValue", "anchoreEnterpriseNotifications.labels.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'labels': { @@ -84,7 +84,7 @@ def test_anchoreEnterpriseNotifications_annotations_value(self): "anchoreEnterpriseNotifications.annotations.bar": "baz", "anchoreEnterpriseNotifications.annotations.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'annotations': { @@ -104,7 +104,7 @@ def test_anchoreEnterpriseNotifications_deploymentAnnotations_value(self): "anchoreEnterpriseNotifications.deploymentAnnotations.bar": "baz", "anchoreEnterpriseNotifications.deploymentAnnotations.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'deploymentAnnotations': { @@ -123,7 +123,7 @@ def test_anchoreEnterpriseNotifications_nodeSelector_value(self): "anchoreEnterpriseNotifications.nodeSelector.value": "bar", "anchoreEnterpriseNotifications.nodeSelector.anotherLabel.with.a.dot": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'nodeSelector': { @@ -145,7 +145,7 @@ def test_anchoreEnterpriseNotifications_tolerations_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'tolerations': [ { 
@@ -164,7 +164,7 @@ def test_anchoreEnterpriseNotifications_affinity_value(self): "anchoreEnterpriseNotifications.affinity.value": "bar", "anchoreEnterpriseNotifications.affinity.anotherLabel.with.a.dot": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'affinity':{ 'name': 'foo', @@ -185,7 +185,7 @@ def test_anchoreEnterpriseNotifications_extraEnv_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'extraEnv': [ { @@ -202,7 +202,7 @@ def test_anchoreEnterpriseNotifications_serviceAccountName_value(self): dot_string_dict = { "anchoreEnterpriseNotifications.serviceAccountName": "Null" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'serviceAccountName': "Null" } @@ -221,7 +221,7 @@ def test_anchoreEnterpriseNotifications_service_value(self): "anchoreEnterpriseNotifications.service.annotations.with.a.dot": "quux", "anchoreEnterpriseNotifications.service.labels": {} } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'service': { "name": "Null", @@ -245,6 +245,7 @@ def test_anchoreEnterpriseNotifications_cycleTimers_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'notifications': { 'cycle_timers': { "notifications": 30 @@ -261,6 +262,7 @@ def test_anchoreEnterpriseNotifications_uiUrl_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'notifications': { 'ui_url': "http://myurl.myurl" } diff --git a/scripts/tests/test_anchoreEnterpriseRbac_value_mapping.py b/scripts/tests/test_anchoreEnterpriseRbac_value_mapping.py index cc7d953d..6c810284 100644 
--- a/scripts/tests/test_anchoreEnterpriseRbac_value_mapping.py +++ b/scripts/tests/test_anchoreEnterpriseRbac_value_mapping.py @@ -17,7 +17,7 @@ def test_anchoreEnterpriseRbac_replicaCount_value(self): dot_string_dict = { "anchoreEnterpriseRbac.replicaCount": 2, } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'replicaCount': 2 } @@ -33,7 +33,7 @@ def test_anchoreEnterpriseRbac_resources_value(self): "anchoreEnterpriseRbac.resources.requests.cpu": 1, "anchoreEnterpriseRbac.resources.requests.memory": "1G" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'resources': { 'limits': { @@ -57,7 +57,7 @@ def test_anchoreEnterpriseRbac_labels_value(self): "anchoreEnterpriseRbac.labels.myOtherLabel": "myOtherValue", "anchoreEnterpriseRbac.labels.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'labels': { @@ -76,7 +76,7 @@ def test_anchoreEnterpriseRbac_annotations_value(self): "anchoreEnterpriseRbac.annotations.bar": "baz", "anchoreEnterpriseRbac.annotations.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'annotations': { @@ -96,7 +96,7 @@ def test_anchoreEnterpriseRbac_deploymentAnnotations_value(self): "anchoreEnterpriseRbac.deploymentAnnotations.bar": "baz", "anchoreEnterpriseRbac.deploymentAnnotations.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'deploymentAnnotations': { 
@@ -115,7 +115,7 @@ def test_anchoreEnterpriseRbac_nodeSelector_value(self): "anchoreEnterpriseRbac.nodeSelector.value": "bar", "anchoreEnterpriseRbac.nodeSelector.anotherLabel.with.a.dot": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'nodeSelector': { @@ -137,7 +137,7 @@ def test_anchoreEnterpriseRbac_tolerations_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'tolerations': [ { @@ -156,7 +156,7 @@ def test_anchoreEnterpriseRbac_affinity_value(self): "anchoreEnterpriseRbac.affinity.value": "bar", "anchoreEnterpriseRbac.affinity.anotherLabel.with.a.dot": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'affinity':{ 'name': 'foo', @@ -177,7 +177,7 @@ def test_anchoreEnterpriseRbac_extraEnv_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'extraEnv': [ { @@ -203,7 +203,7 @@ def test_anchoreEnterpriseRbac_serviceAccountName_value(self): dot_string_dict = { "anchoreEnterpriseRbac.serviceAccountName": "Null" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'serviceAccountName': "Null" } @@ -223,7 +223,7 @@ def test_anchoreEnterpriseRbac_service_value(self): "anchoreEnterpriseRbac.service.annotations.anotherLabel.with.a.dot": "qux", "anchoreEnterpriseRbac.service.labels": {}, } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'service': { 'name': 'Null', 
@@ -248,7 +248,7 @@ def test_anchoreEnterpriseRbac_enabled_value(self): dot_string_dict = { "anchoreEnterpriseRbac.enabled": True # deprecated } - expected_result = {} + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) @@ -260,7 +260,7 @@ def test_anchoreEnterpriseRbac_authResources_value(self): "anchoreEnterpriseRbac.authResources.requests.cpu": "100m", "anchoreEnterpriseRbac.authResources.requests.memory": "256M" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacAuth': { 'resources': { 'limits': { @@ -284,7 +284,7 @@ def test_anchoreEnterpriseRbac_managerResources_value(self): "anchoreEnterpriseRbac.managerResources.requests.cpu": "100m", "anchoreEnterpriseRbac.managerResources.requests.memory": "256M" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'resources': { 'limits': { diff --git a/scripts/tests/test_anchoreEnterpriseReports_value_mapping.py b/scripts/tests/test_anchoreEnterpriseReports_value_mapping.py index 207c40cb..d1fe1922 100644 --- a/scripts/tests/test_anchoreEnterpriseReports_value_mapping.py +++ b/scripts/tests/test_anchoreEnterpriseReports_value_mapping.py @@ -17,7 +17,7 @@ def test_anchoreEnterpriseReports_enabled_value(self): dot_string_dict = { "anchoreEnterpriseReports.enabled": True, # deprecated } - expected_result = {} + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) 
@@ -25,7 +25,7 @@ def test_anchoreEnterpriseReports_replicaCount_value(self): dot_string_dict = { "anchoreEnterpriseReports.replicaCount": 2, } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'replicaCount': 2 } @@ -41,7 +41,7 @@ def test_anchoreEnterpriseReports_resources_value(self): "anchoreEnterpriseReports.resources.requests.cpu": 1, "anchoreEnterpriseReports.resources.requests.memory": "1G" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'resources': { 'limits': { @@ -65,7 +65,7 @@ def test_anchoreEnterpriseReports_labels_value(self): "anchoreEnterpriseReports.labels.myOtherLabel": "myOtherValue", "anchoreEnterpriseReports.labels.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'labels': { @@ -84,7 +84,7 @@ def test_anchoreEnterpriseReports_annotations_value(self): "anchoreEnterpriseReports.annotations.bar": "baz", "anchoreEnterpriseReports.annotations.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'annotations': { @@ -104,7 +104,7 @@ def test_anchoreEnterpriseReports_deploymentAnnotations_value(self): "anchoreEnterpriseReports.deploymentAnnotations.bar": "baz", "anchoreEnterpriseReports.deploymentAnnotations.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'deploymentAnnotations': { 
@@ -123,7 +123,7 @@ def test_anchoreEnterpriseReports_nodeSelector_value(self): "anchoreEnterpriseReports.nodeSelector.value": "bar", "anchoreEnterpriseReports.nodeSelector.anotherLabel.with.a.dot": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'nodeSelector': { @@ -145,7 +145,7 @@ def test_anchoreEnterpriseReports_tolerations_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'tolerations': [ { @@ -164,7 +164,7 @@ def test_anchoreEnterpriseReports_affinity_value(self): "anchoreEnterpriseReports.affinity.value": "bar", "anchoreEnterpriseReports.affinity.anotherLabel.with.a.dot": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'affinity':{ 'name': 'foo', @@ -180,7 +180,7 @@ def test_anchoreEnterpriseReports_extraEnv_value(self): dot_string_dict = { "anchoreEnterpriseReports.extraEnv": [] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'extraEnv': [] } @@ -192,7 +192,7 @@ def test_anchoreEnterpriseReports_serviceAccountName_value(self): dot_string_dict = { "anchoreEnterpriseReports.serviceAccountName": "" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'serviceAccountName': "" } @@ -211,7 +211,7 @@ def test_anchoreEnterpriseReports_service_value(self): "anchoreEnterpriseReports.service.labels.foobar": "baz", "anchoreEnterpriseReports.service.labels.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'service': { "name": "Null", 
@@ -234,6 +234,7 @@ def test_anchoreEnterpriseReports_enableGraphiql_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'reports': { 'enable_graphiql': True } @@ -248,6 +249,7 @@ def test_anchoreEnterpriseReports_enableDataIngress_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'reports_worker': { 'enable_data_ingress': True } @@ -262,6 +264,7 @@ def test_anchoreEnterpriseReports_enableDataEgress_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'reports_worker': { 'enable_data_egress': False } @@ -276,6 +279,7 @@ def test_anchoreEnterpriseReports_dataEgressWindow_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'reports_worker': { 'data_egress_window': 1 } @@ -290,6 +294,7 @@ def test_anchoreEnterpriseReports_dataRefreshMaxWorkers_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'reports_worker': { 'data_refresh_max_workers': 1 } @@ -304,6 +309,7 @@ def test_anchoreEnterpriseReports_dataLoadMaxWorkers_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'reports_worker': { 'data_load_max_workers': 1 } @@ -321,6 +327,7 @@ def test_anchoreEnterpriseReports_cycleTimers_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'reports_worker': { 'cycle_timers': { 'reports_data_load': 600, diff --git a/scripts/tests/test_anchoreEnterpriseUi_value_mapping.py b/scripts/tests/test_anchoreEnterpriseUi_value_mapping.py index 42cdb6f4..814eb997 100644 --- a/scripts/tests/test_anchoreEnterpriseUi_value_mapping.py +++ b/scripts/tests/test_anchoreEnterpriseUi_value_mapping.py 
@@ -17,7 +17,7 @@ def test_anchoreEnterpriseUi_enabled_value(self): dot_string_dict = { "anchoreEnterpriseUi.enabled": True, # deprecated } - expected_result = {} + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) @@ -26,7 +26,7 @@ def test_anchoreEnterpriseUi_image_value(self): "anchoreEnterpriseUi.image": "docker.io/anchore/enterprise-ui:v5.0.0", "anchoreEnterpriseUi.imagePullPolicy": "IfNotPresent" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'image': "docker.io/anchore/enterprise-ui:v5.0.0", 'imagePullPolicy': "IfNotPresent" @@ -39,7 +39,7 @@ def test_anchoreEnterpriseUi_replicaCount_value(self): dot_string_dict = { "anchoreEnterpriseUi.replicaCount": 2, } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'replicaCount': 2 } @@ -55,7 +55,7 @@ def test_anchoreEnterpriseUi_resources_value(self): "anchoreEnterpriseUi.resources.requests.cpu": 1, "anchoreEnterpriseUi.resources.requests.memory": "1G" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'resources': { 'limits': { @@ -79,7 +79,7 @@ def test_anchoreEnterpriseUi_labels_value(self): "anchoreEnterpriseUi.labels.myOtherLabel": "myOtherValue", "anchoreEnterpriseUi.labels.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'labels': { 
@@ -98,7 +98,7 @@ def test_anchoreEnterpriseUi_annotations_value(self): "anchoreEnterpriseUi.annotations.bar": "baz", "anchoreEnterpriseUi.annotations.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'annotations': { @@ -118,7 +118,7 @@ def test_anchoreEnterpriseUi_deploymentAnnotations_value(self): "anchoreEnterpriseUi.deploymentAnnotations.bar": "baz", "anchoreEnterpriseUi.deploymentAnnotations.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'deploymentAnnotations': { @@ -137,7 +137,7 @@ def test_anchoreEnterpriseUi_nodeSelector_value(self): "anchoreEnterpriseUi.nodeSelector.value": "bar", "anchoreEnterpriseUi.nodeSelector.anotherLabel.with.a.dot": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'nodeSelector': { @@ -159,7 +159,7 @@ def test_anchoreEnterpriseUi_tolerations_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'tolerations': [ { @@ -178,7 +178,7 @@ def test_anchoreEnterpriseUi_affinity_value(self): "anchoreEnterpriseUi.affinity.value": "bar", "anchoreEnterpriseUi.affinity.anotherLabel.with.a.dot": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'affinity':{ 'name': 'foo', @@ -202,7 +202,7 @@ def test_anchoreEnterpriseUi_extraEnv_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'extraEnv': [ { 
@@ -222,7 +222,7 @@ def test_anchoreEnterpriseUi_serviceAccountName_value(self): dot_string_dict = { "anchoreEnterpriseUi.serviceAccountName": "Null" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'serviceAccountName': "Null" } @@ -242,7 +242,7 @@ def test_anchoreEnterpriseUi_service_value(self): "anchoreEnterpriseUi.service.labels": {}, "anchoreEnterpriseUi.service.sessionAffinity": "ClientIP" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'service': { "name": "Null", @@ -266,7 +266,7 @@ def test_anchoreEnterpriseUi_db_value(self): "anchoreEnterpriseUi.dbUser": "anchoreengineui", "anchoreEnterpriseUi.dbPass": "anchore-postgres,123ui" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'dbUser': "anchoreengineui", 'dbPass': "anchore-postgres,123ui" @@ -285,6 +285,7 @@ def test_anchoreEnterpriseUi_appDBConfig_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'ui': { 'appdb_config': { 'native': True, @@ -305,7 +306,7 @@ def test_anchoreEnterpriseUi_ldapsRootCaCertName_value(self): dot_string_dict = { "anchoreEnterpriseUi.ldapsRootCaCertName": "Null" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'ldapsRootCaCertName': "Null" } @@ -319,6 +320,7 @@ def test_anchoreEnterpriseUi_logLevel_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'ui': { 'log_level': "http" } @@ -333,6 +335,7 @@ def test_anchoreEnterpriseUi_enableProxy_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'ui': { 'enable_proxy': False } 
@@ -347,6 +350,7 @@ def test_anchoreEnterpriseUi_enableSsl_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'ui': { 'enable_ssl': False } @@ -361,6 +365,7 @@ def test_anchoreEnterpriseUi_enableSharedLogin_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'ui': { 'enable_shared_login': True } @@ -375,6 +380,7 @@ def test_anchoreEnterpriseUi_redisFlushdb_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'ui': { 'redis_flushdb': True } @@ -389,6 +395,7 @@ def test_anchoreEnterpriseUi_forceWebsocket_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'ui': { 'force_websocket': False } @@ -404,6 +411,7 @@ def test_anchoreEnterpriseUi_authenticationLock_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'ui': { 'authentication_lock': { 'count': 5, @@ -431,6 +439,7 @@ def test_anchoreEnterpriseUi_customLinks_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'ui': { 'custom_links': { 'title': "Custom External Links", @@ -458,6 +467,7 @@ def test_anchoreEnterpriseUi_enableAddRepositories_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'ui': { 'enable_add_repositories': { 'admin': True, @@ -475,6 +485,7 @@ def test_anchoreEnterpriseUi_enrichInventoryView_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'ui': { 'enrich_inventory_view': True } @@ -488,6 +499,7 @@ def test_uiRedis_auth_password_value(self): "ui-redis.auth.password": "anchore-redis,123" } expected_result = { + 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui-redis': { 'auth': { 'password': "anchore-redis,123" 
@@ -501,7 +513,7 @@ def test_uiRedis_architecture_value(self): dot_string_dict = { "ui-redis.architecture": "standalone" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui-redis': { 'architecture': "standalone" } @@ -513,7 +525,7 @@ def test_uiRedis_master_persistence_enabled_value(self): dot_string_dict = { "ui-redis.master.persistence.enabled": False } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui-redis': { 'master': { 'persistence': { @@ -529,7 +541,7 @@ def test_uiRedis_enabled_value(self): dot_string_dict = { "ui-redis.enabled": False } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui-redis': { 'chartEnabled': False } @@ -541,7 +553,7 @@ def test_uiRedis_externalEndpoint_value(self): dot_string_dict = { "ui-redis.externalEndpoint": "my-redis-place.someplace" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui-redis': { 'externalEndpoint': "my-redis-place.someplace" } diff --git a/scripts/tests/test_anchoreGlobal_value_mapping.py b/scripts/tests/test_anchoreGlobal_value_mapping.py index 37c63f20..7dc02732 100644 --- a/scripts/tests/test_anchoreGlobal_value_mapping.py +++ b/scripts/tests/test_anchoreGlobal_value_mapping.py @@ -17,7 +17,7 @@ def tearDown(self): def test_fullnameOverride(self): dot_string_dict = {"fullnameOverride": "overridden"} - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'fullnameOverride': 'overridden' } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) 
@@ -36,7 +36,7 @@ def test_postgresql_values(self): "postgresql.extraEnv": [{'name': 'POSTGRES_USER', 'value': 'myuser'}, {'name': 'POSTGRES_PASSWORD', 'value': 'mypass'}], } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'postgresql':{ 'chartEnabled': True, 'auth':{ @@ -79,7 +79,7 @@ def test_cloudsql_values(self): "cloudsql.image.tag": "1.11", "cloudsql.image.pullPolicy": "Always", } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'cloudsql': { 'enabled': True, 'extraArgs': ['--max_connections=1000'], @@ -118,7 +118,7 @@ def test_ingress_values(self): ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ingress': { 'enabled': False, 'apiPath': '/v1/', @@ -159,7 +159,7 @@ def test_anchoreGlobal_image_values(self): "anchoreEnterpriseGlobal.enabled": True, "anchoreEnterpriseGlobal.licenseSecretName": "my-anchore-enterprise-license" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'image': 'my.repo/anchore-enterprise:v4.9.0', 'imagePullPolicy': 'ifNotPresent', 'imagePullSecretName': 'enterprise-pull-secret', @@ -174,7 +174,7 @@ def test_anchoreGlobal_openShiftDeployment_value(self): dot_string_dict = { "openShiftDeployment": True, } - expected_result = {} + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) self.assertEqual(result[1], {}) 
@@ -183,7 +183,7 @@ def test_anchoreGlobal_serviceAccountName_value(self): dot_string_dict = { "anchoreGlobal.serviceAccountName": "my-sa-anchore-engine", } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'serviceAccountName': 'my-sa-anchore-engine' } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) @@ -195,7 +195,7 @@ def test_anchoreGlobal_labels_value(self): "anchoreGlobal.labels.mylabel": "myvalue", "anchoreGlobal.labels.myotherlabel": "myothervalue", } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'labels': { 'mylabel': 'myvalue', 'myotherlabel': 'myothervalue' @@ -210,7 +210,7 @@ def test_anchoreGlobal_annotations_value(self): "anchoreGlobal.annotations.myannotation": "myvalue", "anchoreGlobal.annotations.myotherannotation": "myothervalue", } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'annotations': { 'myannotation': 'myvalue', 'myotherannotation': 'myothervalue' @@ -227,7 +227,7 @@ def test_anchoreGlobal_extraEnv_value(self): {"name": "MY_OTHER_ENV_VAR", "value": "myothervalue"} ], } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'extraEnv': [ {'name': 'MY_ENV_VAR', 'value': 'myvalue'}, {'name': 'MY_OTHER_ENV_VAR', 'value': 'myothervalue'} @@ -243,7 +243,7 @@ def test_anchoreGlobal_deploymentAnnotations_value(self): "anchoreGlobal.deploymentAnnotations.myannotation": "myvalue", "anchoreGlobal.deploymentAnnotations.myotherannotation": "myothervalue", } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'deploymentAnnotations': { 'myannotation': 'myvalue', 'myotherannotation': 'myothervalue' 
@@ -261,7 +261,7 @@ def test_anchoreGlobal_useExistingSecret_value(self): "anchoreEnterpriseFeeds.existingSecretName": "my-existing-secret-feeds", } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'useExistingSecret': True, 'existingSecretName': 'my-existing-secret', 'ui': { @@ -283,7 +283,7 @@ def test_anchoreGlobal_doSourceAtEntry_value(self): "anchoreGlobal.doSourceAtEntry.enabled": True, "anchoreGlobal.doSourceAtEntry.filePaths": ["/vault/secrets/config"], } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'doSourceAtEntry': { 'enabled': True, 'filePaths': ['/vault/secrets/config'] @@ -304,7 +304,7 @@ def test_anchoreGlobal_extraVolumes_value(self): } ], } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'extraVolumes': [ { 'name': 'config', @@ -329,7 +329,7 @@ def test_anchoreGlobal_extraVolumeMounts_value(self): } ], } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'extraVolumeMounts': [ { 'name': 'config', @@ -349,7 +349,7 @@ def test_anchoreGlobal_scratchVolume_value(self): "anchoreGlobal.scratchVolume.mountPath": "/analysis_scratch", "anchoreGlobal.scratchVolume.details": {}, } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'scratchVolume': { 'fixGroupPermissions': False, 'mountPath': '/analysis_scratch', @@ -364,7 +364,7 @@ def test_anchoreGlobal_certStoreSecretName_value(self): dot_string_dict = { "anchoreGlobal.certStoreSecretName": "my-cert-store-secret", } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'certStoreSecretName': 'my-cert-store-secret' } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) 
@@ -377,7 +377,7 @@ def test_anchoreGlobal_securityContext_value(self): "anchoreGlobal.securityContext.runAsGroup": 1000, "anchoreGlobal.securityContext.fsGroup": 1000, } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'securityContext': { 'runAsUser': 1000, 'runAsGroup': 1000, @@ -393,7 +393,7 @@ def test_anchoreGlobal_containerSecurityContext_value(self): "anchoreGlobal.containerSecurityContext.securityContext.runAsGroup": 1000, "anchoreGlobal.containerSecurityContext.securityContext.fsGroup": 1000, } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'containerSecurityContext': { 'securityContext': { 'runAsUser': 1000, @@ -411,6 +411,7 @@ def test_anchoreGlobal_serviceDir_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'service_dir': '/anchore_service' } } @@ -423,6 +424,7 @@ def test_anchoreGlobal_logLevel_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'log_level': 'INFO' } } @@ -434,7 +436,7 @@ def test_anchoreGlobal_imageAnalyzeTimeoutSeconds_value(self): dot_string_dict = { "anchoreGlobal.imageAnalyzeTimeoutSeconds": 100, } - expected_result = {} + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) @@ -444,6 +446,7 @@ def test_anchoreGlobal_allowECRUseIAMRole_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'allow_awsecr_iam_auto': True } } @@ -456,6 +459,7 @@ def test_anchoreGlobal_enableMetrics_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'metrics': { 'enabled': False } 
@@ -470,6 +474,7 @@ def test_anchoreGlobal_metricsAuthDisabled_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'metrics': { 'auth_disabled': True } @@ -485,6 +490,7 @@ def test_anchoreGlobal_defaultAdmin_value(self): } expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'default_admin_password': 'myadminpassword', 'default_admin_email': 'myadminemail@email.com' } @@ -507,6 +513,7 @@ def test_anchoreGlobal_saml_values(self): expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'keys': { 'secret': 'my-saml-secret', 'privateKeyFileName': 'my-private-key-name', @@ -515,7 +522,6 @@ def test_anchoreGlobal_saml_values(self): } } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) @@ -528,6 +534,7 @@ def test_anchoreGlobal_oauth_values(self): expected_result = { 'anchoreConfig': { 'user_authentication': { + 'hashed_passwords': False, 'oauth': { 'enabled': True, 'default_token_expiration_seconds': 100, @@ -546,6 +553,7 @@ def test_anchoreGlobal_ssoRequireExistingUsers_value(self): expected_result = { 'anchoreConfig': { 'user_authentication': { + 'hashed_passwords': False, 'sso_require_existing_users': True } } @@ -580,6 +588,7 @@ def test_anchoreGlobal_dbConfig_values(self): expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'database': { 'timeout': 100, 'ssl': True, @@ -606,6 +615,7 @@ def test_anchoreGlobal_internalServicesSsl_values(self): expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'internalServicesSSL': { 'certSecretCertFileName': 'my-cert-secret-cert-name', 'certSecretKeyFileName': 'my-cert-secret-key-name', 
@@ -629,6 +639,7 @@ def test_anchoreGlobal_webhooks_values(self): expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'webhooks': { 'ssl_verify': False, 'url': 'http://somehost:9090//', @@ -648,6 +659,7 @@ def test_anchoreGlobal_policyBundles_values(self): expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'policyBundles': { 'custom_policy_bundle1': { 'json': '{\n "id": "custom1",\n "version": "1_0",\n "name": "My custom bundle",\n "comment": "My system\'s custom bundle",\n "whitelisted_images": [],\n "blacklisted_images": [],\n "mappings": [],\n "whitelists": [],\n "policies": []\n}\n' @@ -672,7 +684,7 @@ def test_anchoreGlobal_probes_values(self): "anchoreGlobal.probes.readiness.successThreshold": 1, } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'probes': { 'liveness': { 'failureThreshold': 6, @@ -697,7 +709,7 @@ def test_anchoreGlobal_inject_secrets_via_env_value(self): dot_string_dict = { "inject_secrets_via_env": True, } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'injectSecretsViaEnv': True } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) @@ -706,7 +718,7 @@ def test_anchoreGlobal_inject_secrets_via_env_value(self): # def test_replace_keys_with_mappings_env_var(self): # dot_string_dict = {"anchoreApi.maxRequestThreads": 999} - # expected_result = { + # expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, # 'api': # {'extraEnv': [ # {'name': 'ANCHORE_MAX_REQUEST_THREADS', 'value': 999} 
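Review bot: The `@@ -706,7 +718,7 @@` hunk, and the `@@ -718,7 +730,7 @@` hunk on the next line, rewrite `expected_result` inside commented-out test methods (`# def test_replace_keys_with_mappings_env_var`, `# def test_replace_keys_with_mappings`), so the new default is maintained in dead code that never runs. Either re-enable those tests against the new default or delete the commented blocks; keeping them in step by hand gives no coverage and will drift again at the next mapping change. Both commented methods begin above their hunks.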
@@ -718,7 +730,7 @@ def test_anchoreGlobal_inject_secrets_via_env_value(self): # def test_replace_keys_with_mappings(self): # dot_string_dict = {"anchore-feeds-db.persistence.size": 100} - # expected_result = { + # expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, # "feeds": { # "feeds-db": { # "primary": { @@ -737,7 +749,7 @@ def test_anchoreGlobal_serverRequestTimeout_value(self): dot_string_dict = { "anchoreGlobal.serverRequestTimeout": 300, } - expected_result = {} + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) @@ -752,6 +764,25 @@ def test_anchoreGlobal_serverRequestTimeout_value(self): } self.assertEqual(result[1], expected_env_result) + def test_anchoreGlobal_maxCompressedImageSizeMB_value(self): + dot_string_dict = { + "anchoreGlobal.maxCompressedImageSizeMB": 700 + } + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + } + + expected_env_result = { + 'extraEnv': + [ + { + 'name': 'ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB', + 'value': 700 + } + ] + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[1], expected_env_result) + if __name__ == '__main__': unittest.main() \ No newline at end of file diff --git a/scripts/tests/test_anchorePolicyEngine_value_mapping.py b/scripts/tests/test_anchorePolicyEngine_value_mapping.py index 904166f2..67f1a18c 100644 --- a/scripts/tests/test_anchorePolicyEngine_value_mapping.py +++ b/scripts/tests/test_anchorePolicyEngine_value_mapping.py @@ -17,7 +17,7 @@ def test_anchorePolicyEngine_replicaCount_value(self): dot_string_dict = { "anchorePolicyEngine.replicaCount": 2, } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'replicaCount': 2 } 
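Review bot: In the new test_anchoreGlobal_maxCompressedImageSizeMB_value (hunk `@@ -752,6 +764,25`) `expected_result` is built but never asserted; only `result[1]` is compared, so the anchoreConfig side of the conversion is unchecked. Adding `self.assertEqual(result[0], expected_result)` next to the existing assertion closes the gap, matching what test_anchoreGlobal_serverRequestTimeout_value does. In the `@@ -737` hunk the rewritten `expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},}` carries a stray trailing comma and single-line nesting that the other tests spell out over several lines; formatting it like its neighbours keeps the file consistent.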
@@ -33,7 +33,7 @@ def test_anchorePolicyEngine_resources_value(self): "anchorePolicyEngine.resources.requests.cpu": 1, "anchorePolicyEngine.resources.requests.memory": "1G" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'resources': { 'limits': { @@ -55,7 +55,7 @@ def test_anchorePolicyEngine_labels_value(self): "anchorePolicyEngine.labels.foobar": "baz", "anchorePolicyEngine.labels.with.a.dot.foobar": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'labels': { @@ -72,7 +72,7 @@ def test_anchorePolicyEngine_annotations_value(self): "anchorePolicyEngine.annotations.foobar": "baz", "anchorePolicyEngine.annotations.with.a.dot.foobar": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'annotations': { @@ -89,7 +89,7 @@ def test_anchorePolicyEngine_deploymentAnnotations_value(self): "anchorePolicyEngine.deploymentAnnotations.foobar": "baz", "anchorePolicyEngine.deploymentAnnotations.with.a.dot.foobar": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'deploymentAnnotations': { 'foobar': 'baz', @@ -105,7 +105,7 @@ def test_anchorePolicyEngine_nodeSelector_value(self): "anchorePolicyEngine.nodeSelector.name": "foo", "anchorePolicyEngine.nodeSelector.with.a.dot.name": "bar" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'nodeSelector': { 'name': 'foo', @@ -127,7 +127,7 @@ def test_anchorePolicyEngine_tolerations_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'tolerations': [ { 
@@ -147,7 +147,7 @@ def test_anchorePolicyEngine_affinity_value(self): "anchorePolicyEngine.affinity.name": "foo", "anchorePolicyEngine.affinity.with.a.dot.name": "bar" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'affinity': { @@ -168,7 +168,7 @@ def test_anchorePolicyEngine_extraEnv_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'extraEnv': [ { @@ -185,7 +185,7 @@ def test_anchorePolicyEngine_serviceAccountName_value(self): dot_string_dict = { "anchorePolicyEngine.serviceAccountName": "Null" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'serviceAccountName': "Null" } @@ -205,7 +205,7 @@ def test_anchorePolicyEngine_service_value(self): "anchorePolicyEngine.service.labels.with.a.dot": "qux", } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'service': { "name": "Null", @@ -234,6 +234,7 @@ def test_anchorePolicyEngine_cycleTimers_value(self): expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'policy_engine': { 'cycle_timers': { "feed_sync": 14400, @@ -253,6 +254,7 @@ def test_anchorePolicyEngine_overrideFeedsToUpstream_value(self): expected_result = { 'anchoreConfig': { + 'user_authentication': {'hashed_passwords': False}, 'policy_engine': { 'overrideFeedsToUpstream': True } diff --git a/scripts/tests/test_anchoreSimpleQueue_value_mapping.py b/scripts/tests/test_anchoreSimpleQueue_value_mapping.py index 1f9312bf..5fb35a48 100644 --- a/scripts/tests/test_anchoreSimpleQueue_value_mapping.py +++ b/scripts/tests/test_anchoreSimpleQueue_value_mapping.py 
@@ -17,7 +17,7 @@ def test_anchoreSimpleQueue_replicaCount_value(self): dot_string_dict = { "anchoreSimpleQueue.replicaCount": 2, } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'replicaCount': 2 } @@ -33,7 +33,7 @@ def test_anchoreSimpleQueue_resources_value(self): "anchoreSimpleQueue.resources.requests.cpu": 1, "anchoreSimpleQueue.resources.requests.memory": "1G" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'resources': { 'limits': { @@ -57,7 +57,7 @@ def test_anchoreSimpleQueue_labels_value(self): "anchoreSimpleQueue.labels.myOtherLabel": "myOtherValue", "anchoreSimpleQueue.labels.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'labels': { @@ -76,7 +76,7 @@ def test_anchoreSimpleQueue_annotations_value(self): "anchoreSimpleQueue.annotations.bar": "baz", "anchoreSimpleQueue.annotations.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'annotations': { @@ -96,7 +96,7 @@ def test_anchoreSimpleQueue_deploymentAnnotations_value(self): "anchoreSimpleQueue.deploymentAnnotations.bar": "baz", "anchoreSimpleQueue.deploymentAnnotations.anotherLabel.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'deploymentAnnotations': { @@ -115,7 +115,7 @@ def test_anchoreSimpleQueue_nodeSelector_value(self): "anchoreSimpleQueue.nodeSelector.value": "bar", "anchoreSimpleQueue.nodeSelector.anotherLabel.with.a.dot": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'nodeSelector': { 
@@ -137,7 +137,7 @@ def test_anchoreSimpleQueue_tolerations_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'tolerations': [ { @@ -156,7 +156,7 @@ def test_anchoreSimpleQueue_affinity_value(self): "anchoreSimpleQueue.affinity.value": "bar", "anchoreSimpleQueue.affinity.anotherLabel.with.a.dot": "baz" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'affinity':{ 'name': 'foo', @@ -177,7 +177,7 @@ def test_anchoreSimpleQueue_extraEnv_value(self): } ] } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'extraEnv': [ { @@ -194,7 +194,7 @@ def test_anchoreSimpleQueue_serviceAccountName_value(self): dot_string_dict = { "anchoreSimpleQueue.serviceAccountName": "Null" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'serviceAccountName': "Null" } @@ -214,7 +214,7 @@ def test_anchoreSimpleQueue_service_value(self): "anchoreSimpleQueue.service.labels.foobar": "baz", "anchoreSimpleQueue.service.labels.with.a.dot": "qux" } - expected_result = { + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'service': { "name": "Null", diff --git a/scripts/tests/test_helpers.py b/scripts/tests/test_helpers.py index 1aded896..f312a372 100644 --- a/scripts/tests/test_helpers.py +++ b/scripts/tests/test_helpers.py @@ -284,6 +284,7 @@ def test_replace_keys_with_mappings(self): dot_string_dict = {"anchore-feeds-db.persistence.size": 100} expected_result = { + 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, "feeds": { "feeds-db": { "primary": { 
@@ -309,5 +310,10 @@ def test_replace_keys_with_mappings_env_var(self): result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[1], expected_result) + anchore_config_expected_results = { + 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + } + self.assertEqual(result[0], anchore_config_expected_results) + if __name__ == '__main__': unittest.main() \ No newline at end of file From 8ecc1b88e4f4eefa5164643009d8804daf8316a9 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 15 Sep 2023 17:54:58 -0700 Subject: [PATCH 205/329] Add precommit hooks (#125) * add readme generator pre-commit hook * apply fixes from running pre-commit run --all-files * bump chart versions of all charts * use GITHUB_TOKEN instead of PAT for checkout charts step * update permissions for GITHUB_TOKEN in helm-unittests job * include the ecs-inventory chart in readme-generator * add helm unit tests to pre-commit hooks (disabled by default) * use static chart version for snapshot tests * move value converter into its own directory --------- 
Signed-off-by: Brady Todhunter --- .../chart-readme-table-generator.yaml | 67 ------------------- .github/workflows/helm-unittests.yaml | 4 +- .github/workflows/lint.yaml | 1 - .pre-commit-config.yaml | 14 ++++ CONTRIBUTING.rst | 12 ++-- README.md | 1 + build.sh | 1 - ct-config.yaml | 2 +- .../Dockerfile | 2 +- .../README.md | 2 +- .../convert.py | 2 +- .../helpers.py | 2 +- .../mappings.py | 0 .../configs/test_convert_values_file.yaml | 0 .../test_convert_values_file_result.yaml | 2 +- .../test_anchoreAnalyzer_value_mapping.py | 2 +- .../tests/test_anchoreApi_value_mapping.py | 2 +- .../test_anchoreCatalog_value_mapping.py | 2 +- ...t_anchoreEngineUpgradeJob_value_mapping.py | 0 ...nterpriseEngineUpgradeJob_value_mapping.py | 0 ...EnterpriseFeedsUpgradeJob_value_mapping.py | 0 ...st_anchoreEnterpriseFeeds_value_mapping.py | 2 +- ...reEnterpriseNotifications_value_mapping.py | 4 +- ...est_anchoreEnterpriseRbac_value_mapping.py | 2 +- ..._anchoreEnterpriseReports_value_mapping.py | 2 +- .../test_anchoreEnterpriseUi_value_mapping.py | 2 +- .../tests/test_anchoreGlobal_value_mapping.py | 4 +- .../test_anchorePolicyEngine_value_mapping.py | 2 +- .../test_anchoreSimpleQueue_value_mapping.py | 2 +- .../tests/test_helpers.py | 2 +- scripts/hooks/helm-unittest.sh | 39 +++++++++++ scripts/hooks/readme-generator.sh | 34 ++++++++++ .../anchore-admission-controller/Chart.yaml | 2 +- stable/anchore-admission-controller/README.md | 6 +- stable/anchore-engine/.gitignore | 2 +- stable/anchore-engine/.helmignore | 1 - stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/README.md | 6 +- stable/anchore-engine/templates/NOTES.txt | 4 +- .../templates/analyzer_configmap.yaml | 2 +- .../templates/api_deployment.yaml | 4 +- .../templates/enterprise_feeds_configmap.yaml | 2 +- .../templates/enterprise_upgrade_job.yaml | 2 +- .../hooks/pre-upgrade/0-db-upgrade.yaml | 2 +- .../pre-upgrade/anchore_upgrade_role.yaml | 4 +- .../anchore_upgrade_rolebinding.yaml | 2 +- 
.../anchore_upgrade_service_account.yaml | 2 +- .../templates/policy_bundle_configmap.yaml | 2 +- stable/ecs-inventory/Chart.yaml | 2 +- stable/ecs-inventory/README.md | 61 ++++++++--------- stable/ecs-inventory/templates/NOTES.txt | 2 +- stable/ecs-inventory/templates/_helpers.tpl | 2 +- stable/ecs-inventory/templates/_names.tpl | 2 +- stable/enterprise/.helmignore | 2 +- stable/enterprise/Chart.lock | 6 +- stable/enterprise/Chart.yaml | 4 +- stable/enterprise/README.md | 17 +++++ stable/enterprise/templates/NOTES.txt | 4 +- stable/enterprise/templates/_helpers.tpl | 2 +- .../templates/anchore_configmap.yaml | 2 +- .../templates/envvars_configmap.yaml | 2 +- .../hooks/pre-upgrade/upgrade_job.yaml | 2 +- .../hooks/pre-upgrade/upgrade_rbac.yaml | 4 +- stable/enterprise/templates/ui_configmap.yaml | 2 +- .../__snapshot__/configmap_test.yaml.snap | 22 +++--- .../enterprise/tests/api_resources_test.yaml | 6 +- .../tests/catalog_resources_test.yaml | 2 +- .../enterprise/tests/common_helpers_test.yaml | 6 +- stable/enterprise/tests/configmap_test.yaml | 5 +- .../tests/notifications_resources_test.yaml | 2 +- .../tests/policyengine_resources_test.yaml | 2 +- .../posthook_upgrade_resources_test.yaml | 2 +- .../tests/prehook_upgrade_resources_test.yaml | 2 +- .../tests/rbacmanager_resources_test.yaml | 2 +- .../tests/reports_resources_test.yaml | 2 +- .../tests/simplequeue_resources_test.yaml | 2 +- .../enterprise/tests/ui_resources_test.yaml | 2 +- stable/enterprise/tests/values.yaml | 2 +- stable/feeds/Chart.yaml | 2 +- stable/feeds/README.md | 7 ++ stable/feeds/files/default_config.yaml | 2 +- stable/feeds/templates/NOTES.txt | 4 +- stable/feeds/templates/_common.tpl | 2 +- stable/feeds/templates/_helpers.tpl | 2 +- .../templates/anchore_vars_configmap.yaml | 2 +- stable/feeds/templates/deployment.yaml | 2 +- .../hooks/pre-upgrade/upgrade_job.yaml | 2 +- .../hooks/pre-upgrade/upgrade_rbac.yaml | 4 +- stable/feeds/templates/pvc.yaml | 2 +- 
stable/feeds/templates/secret.yaml | 4 +- .../__snapshot__/configmap_test.yaml.snap | 4 +- stable/feeds/tests/configmap_test.yaml | 3 + stable/feeds/tests/feeds_resources_test.yaml | 2 +- .../posthook_upgrade_resources_test.yaml | 2 +- .../tests/prehook_upgrade_resources_test.yaml | 2 +- stable/k8s-inventory/Chart.yaml | 2 +- stable/k8s-inventory/README.md | 9 +-- stable/k8s-inventory/templates/NOTES.txt | 2 +- stable/k8s-inventory/templates/_helpers.tpl | 1 - .../templates/cluster-role-binding.yaml | 2 +- .../templates/cluster-role-readonly.yaml | 2 +- .../k8s-inventory/templates/deployment.yaml | 2 +- stable/kai/Chart.yaml | 2 +- stable/kai/README.md | 6 +- .../kai/templates/cluster-role-binding.yaml | 2 +- .../kai/templates/cluster-role-readonly.yaml | 2 +- 106 files changed, 282 insertions(+), 231 deletions(-) delete mode 100644 .github/workflows/chart-readme-table-generator.yaml rename scripts/{ => enterprise-value-converter}/Dockerfile (90%) rename scripts/{ => enterprise-value-converter}/README.md (92%) rename scripts/{ => enterprise-value-converter}/convert.py (99%) rename scripts/{ => enterprise-value-converter}/helpers.py (99%) rename scripts/{ => enterprise-value-converter}/mappings.py (100%) rename scripts/{ => enterprise-value-converter}/tests/configs/test_convert_values_file.yaml (100%) rename scripts/{ => enterprise-value-converter}/tests/configs/test_convert_values_file_result.yaml (94%) rename scripts/{ => enterprise-value-converter}/tests/test_anchoreAnalyzer_value_mapping.py (99%) rename scripts/{ => enterprise-value-converter}/tests/test_anchoreApi_value_mapping.py (99%) rename scripts/{ => enterprise-value-converter}/tests/test_anchoreCatalog_value_mapping.py (99%) rename scripts/{ => enterprise-value-converter}/tests/test_anchoreEngineUpgradeJob_value_mapping.py (100%) rename scripts/{ => enterprise-value-converter}/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py (100%) rename scripts/{ => 
enterprise-value-converter}/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py (100%) rename scripts/{ => enterprise-value-converter}/tests/test_anchoreEnterpriseFeeds_value_mapping.py (99%) rename scripts/{ => enterprise-value-converter}/tests/test_anchoreEnterpriseNotifications_value_mapping.py (99%) rename scripts/{ => enterprise-value-converter}/tests/test_anchoreEnterpriseRbac_value_mapping.py (99%) rename scripts/{ => enterprise-value-converter}/tests/test_anchoreEnterpriseReports_value_mapping.py (99%) rename scripts/{ => enterprise-value-converter}/tests/test_anchoreEnterpriseUi_value_mapping.py (99%) rename scripts/{ => enterprise-value-converter}/tests/test_anchoreGlobal_value_mapping.py (99%) rename scripts/{ => enterprise-value-converter}/tests/test_anchorePolicyEngine_value_mapping.py (99%) rename scripts/{ => enterprise-value-converter}/tests/test_anchoreSimpleQueue_value_mapping.py (99%) rename scripts/{ => enterprise-value-converter}/tests/test_helpers.py (99%) create mode 100755 scripts/hooks/helm-unittest.sh create mode 100755 scripts/hooks/readme-generator.sh diff --git a/.github/workflows/chart-readme-table-generator.yaml b/.github/workflows/chart-readme-table-generator.yaml deleted file mode 100644 index a7bdd087..00000000 --- a/.github/workflows/chart-readme-table-generator.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -# Copyright VMware, Inc. -# SPDX-License-Identifier: APACHE-2.0 - -name: 'CHART README TABLE GENERATOR' - -on: - pull_request_target: - branches: - - main - paths: - # specify this for now until we get the readme table for all charts - - 'stable/enterprise/values.yaml' - - 'stable/feeds/values.yaml' -# Remove all permissions by default -permissions: {} -jobs: - update-readme-metadata: - env: - REPO: "${{ github.repository }}" - REPO_NAME: "${{ github.event.repository.name }}" - TARGET_BRANCH: "${{ github.event.pull_request.base.ref }}" - runs-on: ubuntu-latest - permissions: - contents: write - steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 - with: - egress-policy: audit - - - name: Install readme-generator-for-helm - run: npm install -g @bitnami/readme-generator-for-helm - - - name: Checkout charts - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - with: - path: ${{ github.repository }} - ref: ${{github.event.pull_request.head.ref}} - repository: ${{github.event.pull_request.head.repo.full_name}} - token: ${{ secrets.CI_WRITE_GITHUB_TOKEN }} - - - run: cd "${REPO}" && git fetch origin ${TARGET_BRANCH} - - - name: Execute readme-generator-for-helm - run: | - cd "${REPO}" - files_changed="$(git diff --name-only origin/${TARGET_BRANCH} | sort | uniq)" - # Adding || true to avoid "Process exited with code 1" errors - charts_dirs_changed="$(echo "$files_changed" | xargs dirname | grep -o "stable/[^/]*" | sort | uniq || true)" - - for chart in ${charts_dirs_changed}; do - if [[ "$chart" == "stable/enterprise" || "$chart" == "stable/feeds" ]]; then - echo "Updating README.md for ${chart}" - readme-generator --values "${chart}/values.yaml" --readme "${chart}/README.md" --schema "/tmp/schema.json" - else - echo "'chart' is not equal to 'stable/enterprise' or 'stable/feeds'. Moving on." 
- fi - done - - name: Push changes - run: | - # Push all the changes - cd "${REPO}" - if git status -s | grep stable; then - git config user.name "Anchore BitnamiReadmeGenerator" - git config user.email "anchoreops-ci@anchore.com" - git add stable && git commit -m "Update README.md with readme-generator-for-helm" --signoff && git push - fi diff --git a/.github/workflows/helm-unittests.yaml b/.github/workflows/helm-unittests.yaml index cd93e8ec..b3c5fa01 100644 --- a/.github/workflows/helm-unittests.yaml +++ b/.github/workflows/helm-unittests.yaml @@ -13,6 +13,8 @@ on: permissions: {} jobs: helm-unittests: + permissions: + contents: read # for helm-unittest to read the chart env: REPO: "${{ github.repository }}" REPO_NAME: "${{ github.event.repository.name }}" @@ -30,7 +32,7 @@ jobs: path: ${{ github.repository }} ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}} - token: ${{ secrets.CI_WRITE_GITHUB_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} - name: Set up Helm uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index c2350bd6..f8736b42 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -41,4 +41,3 @@ jobs: id: lint run: ct lint --config 'ct-config.yaml' if: steps.list-changed.outputs.CHANGED == 'true' - diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d8562a43..2118a205 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
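Review bot: The new job-level grant `contents: read` in helm-unittests.yaml is the right least-privilege move under the top-level `permissions: {}`, but its comment `# for helm-unittest to read the chart` attributes the need to the wrong step: helm-unittest reads the checked-out filesystem, while it is actions/checkout that uses the token, so `# for actions/checkout to fetch the chart sources` would be accurate. With the switch away from CI_WRITE_GITHUB_TOKEN, the line `token: ${{ secrets.GITHUB_TOKEN }}` is now redundant, since actions/checkout defaults to `${{ github.token }}`, and dropping it removes one place a broader secret could be reintroduced. The `on:` trigger is outside the hunk; if it is pull_request_target, the checkout of `github.event.pull_request.head.repo.full_name` runs fork-controlled chart files with the repository token, and it is worth noting in the workflow that the read-only grant is what bounds that exposure.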
@@ -1,4 +1,18 @@ repos: +# - repo: local +# hooks: +# - id: helm-unittest +# name: helm-unittest +# entry: scripts/hooks/helm-unittest.sh +# language: script +# files: ^stable/(enterprise|feeds)/templates/.*$ +- repo: local + hooks: + - id: readme-generator + name: readme-generator + entry: scripts/hooks/readme-generator.sh + language: script + files: ^stable/(enterprise|feeds|ecs-inventory)/values\.yaml$ - repo: https://github.com/gitleaks/gitleaks rev: v8.16.3 hooks: diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst index 1aa66080..e3b516f1 100644 --- a/CONTRIBUTING.rst +++ b/CONTRIBUTING.rst @@ -10,15 +10,15 @@ way to contribute to the Anchore project. The process is to certify the below DCO 1.1 text :: - + Developer's Certificate of Origin 1.1 - + By making a contribution to this project, I certify that: - + (a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or - + (b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that @@ -26,11 +26,11 @@ The process is to certify the below DCO 1.1 text by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or - + (c) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it. - + (d) I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is diff --git a/README.md b/README.md index 8821742b..c7a0e5f8 100644 --- a/README.md +++ b/README.md 
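Review bot: The helm-unittest hook in .pre-commit-config.yaml is added as a commented-out block, which is not validated by pre-commit and tends to drift from the script it points to; pre-commit supports keeping it defined but off by default with `stages: [manual]` on the hook entry, after which it runs only via `pre-commit run --hook-stage manual helm-unittest`. That also gives the commit message's "disabled by default" a checkable form instead of a comment. The readme-generator hook's `files:` pattern is anchored to the three charts' `values.yaml`, which matches the deleted workflow's scope; a short comment above it naming why only those charts are covered would help whoever adds the next chart.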
@@ -6,6 +6,7 @@ This repository contains Helm charts for deploying [Anchore](https://www.anchore - [Helm](https://helm.sh/) (>=3.8) - Helm is a package manager for Kubernetes that makes it easy to install and manage applications on your cluster. - [Kubernetes](https://kubernetes.io/) (>=1.23) - Kubernetes is an open-source container orchestration platform that is required to use Helm charts. +- [pre-commit](https://pre-commit.com/) - pre-commit is a tool that is used to ensure that all commits to the repository are properly formatted. It is not required to use the charts in this repository, but it is recommended to install it to ensure that your commits are properly formatted. ## Installation diff --git a/build.sh b/build.sh index 398a6d46..31a082f2 100755 --- a/build.sh +++ b/build.sh @@ -32,4 +32,3 @@ if [ "${do_push}" == "true" ]; then else echo "Skipping push" fi - diff --git a/ct-config.yaml b/ct-config.yaml index bbd1fc0c..75ba48da 100644 --- a/ct-config.yaml +++ b/ct-config.yaml @@ -7,4 +7,4 @@ chart-repos: - bitnami=https://charts.bitnami.com/bitnami namespace: anchore release-label: anchore -helm-extra-args: --timeout 600s \ No newline at end of file +helm-extra-args: --timeout 600s diff --git a/scripts/Dockerfile b/scripts/enterprise-value-converter/Dockerfile similarity index 90% rename from scripts/Dockerfile rename to scripts/enterprise-value-converter/Dockerfile index 02266e32..c0a0d708 100644 --- a/scripts/Dockerfile +++ b/scripts/enterprise-value-converter/Dockerfile @@ -10,4 +10,4 @@ RUN pip install argparse pyyaml ENTRYPOINT ["python3", "convert.py"] -CMD ["-e", "values.yaml"] \ No newline at end of file +CMD ["-e", "values.yaml"] diff --git a/scripts/README.md b/scripts/enterprise-value-converter/README.md similarity index 92% rename from scripts/README.md rename to scripts/enterprise-value-converter/README.md index 8fd1eaba..13667f51 100644 --- a/scripts/README.md +++ b/scripts/enterprise-value-converter/README.md 
@@ -9,7 +9,7 @@ This script converts the values file of Anchore Engine to the values file format ## Usage 1. **The Docker Image**: - To build the docker image yourself, from the `scripts` directory, build the Docker image using the following command: + To build the docker image yourself, from the `scripts/enterprise-value-converter` directory, build the Docker image using the following command: ```bash docker build -t script-container . diff --git a/scripts/convert.py b/scripts/enterprise-value-converter/convert.py similarity index 99% rename from scripts/convert.py rename to scripts/enterprise-value-converter/convert.py index f9f4a5a3..5613719a 100644 --- a/scripts/convert.py +++ b/scripts/enterprise-value-converter/convert.py @@ -22,4 +22,4 @@ args = parser.parse_args() engine_file = args.engine_file results_dir = args.results_dir - convert_values_file(file=engine_file, results_dir=results_dir) \ No newline at end of file + convert_values_file(file=engine_file, results_dir=results_dir) diff --git a/scripts/helpers.py b/scripts/enterprise-value-converter/helpers.py similarity index 99% rename from scripts/helpers.py rename to scripts/enterprise-value-converter/helpers.py index 31de35cb..252c090a 100644 --- a/scripts/helpers.py +++ b/scripts/enterprise-value-converter/helpers.py @@ -292,4 +292,4 @@ def merge_dicts(dict1, dict2): else: merged_dict[key] = value - return merged_dict \ No newline at end of file + return merged_dict diff --git a/scripts/mappings.py b/scripts/enterprise-value-converter/mappings.py similarity index 100% rename from scripts/mappings.py rename to scripts/enterprise-value-converter/mappings.py diff --git a/scripts/tests/configs/test_convert_values_file.yaml b/scripts/enterprise-value-converter/tests/configs/test_convert_values_file.yaml similarity index 100% rename from scripts/tests/configs/test_convert_values_file.yaml rename to scripts/enterprise-value-converter/tests/configs/test_convert_values_file.yaml 
diff --git a/scripts/tests/configs/test_convert_values_file_result.yaml b/scripts/enterprise-value-converter/tests/configs/test_convert_values_file_result.yaml similarity index 94% rename from scripts/tests/configs/test_convert_values_file_result.yaml rename to scripts/enterprise-value-converter/tests/configs/test_convert_values_file_result.yaml index 3729a2bd..80be9ff8 100644 --- a/scripts/tests/configs/test_convert_values_file_result.yaml +++ b/scripts/enterprise-value-converter/tests/configs/test_convert_values_file_result.yaml @@ -14,4 +14,4 @@ "hashed_passwords": False "extraEnv": - "name": "ANCHORE_MAX_REQUEST_THREADS" - "value": "9876543210" \ No newline at end of file + "value": "9876543210" diff --git a/scripts/tests/test_anchoreAnalyzer_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreAnalyzer_value_mapping.py similarity index 99% rename from scripts/tests/test_anchoreAnalyzer_value_mapping.py rename to scripts/enterprise-value-converter/tests/test_anchoreAnalyzer_value_mapping.py index fef76645..0afacc04 100644 --- a/scripts/tests/test_anchoreAnalyzer_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreAnalyzer_value_mapping.py @@ -347,4 +347,4 @@ def test_enableOwnedPackageFiltering_value(self): } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], {'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}}) - self.assertEqual(result[1], expected_result) \ No newline at end of file + self.assertEqual(result[1], expected_result) diff --git a/scripts/tests/test_anchoreApi_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreApi_value_mapping.py similarity index 99% rename from scripts/tests/test_anchoreApi_value_mapping.py rename to scripts/enterprise-value-converter/tests/test_anchoreApi_value_mapping.py index 3d7f687f..8edde953 100644 --- a/scripts/tests/test_anchoreApi_value_mapping.py 
+++ b/scripts/enterprise-value-converter/tests/test_anchoreApi_value_mapping.py @@ -245,4 +245,4 @@ def test_anchoreApi_external_value(self): result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) \ No newline at end of file + self.assertEqual(result[0], expected_result) diff --git a/scripts/tests/test_anchoreCatalog_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreCatalog_value_mapping.py similarity index 99% rename from scripts/tests/test_anchoreCatalog_value_mapping.py rename to scripts/enterprise-value-converter/tests/test_anchoreCatalog_value_mapping.py index 3bc1b482..f045ca88 100644 --- a/scripts/tests/test_anchoreCatalog_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreCatalog_value_mapping.py @@ -404,4 +404,4 @@ def test_anchoreCatalog_downAnalyzerTaskRequeue_value(self): } } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) \ No newline at end of file + self.assertEqual(result[0], expected_result) diff --git a/scripts/tests/test_anchoreEngineUpgradeJob_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEngineUpgradeJob_value_mapping.py similarity index 100% rename from scripts/tests/test_anchoreEngineUpgradeJob_value_mapping.py rename to scripts/enterprise-value-converter/tests/test_anchoreEngineUpgradeJob_value_mapping.py diff --git a/scripts/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py similarity index 100% rename from scripts/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py rename to scripts/enterprise-value-converter/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py 
diff --git a/scripts/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py similarity index 100% rename from scripts/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py rename to scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py diff --git a/scripts/tests/test_anchoreEnterpriseFeeds_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeeds_value_mapping.py similarity index 99% rename from scripts/tests/test_anchoreEnterpriseFeeds_value_mapping.py rename to scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeeds_value_mapping.py index 8c5f205c..16e946ee 100644 --- a/scripts/tests/test_anchoreEnterpriseFeeds_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeeds_value_mapping.py @@ -777,4 +777,4 @@ def test_anchoreFeedsGemDB_extraEnv_values(self): } } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) \ No newline at end of file + self.assertEqual(result[0], expected_result) diff --git a/scripts/tests/test_anchoreEnterpriseNotifications_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseNotifications_value_mapping.py similarity index 99% rename from scripts/tests/test_anchoreEnterpriseNotifications_value_mapping.py rename to scripts/enterprise-value-converter/tests/test_anchoreEnterpriseNotifications_value_mapping.py index f1264207..e0201cba 100644 --- a/scripts/tests/test_anchoreEnterpriseNotifications_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseNotifications_value_mapping.py 
@@ -255,7 +255,7 @@ def test_anchoreEnterpriseNotifications_cycleTimers_value(self): } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) - + def test_anchoreEnterpriseNotifications_uiUrl_value(self): dot_string_dict = { "anchoreEnterpriseNotifications.uiUrl": "http://myurl.myurl" @@ -269,4 +269,4 @@ def test_anchoreEnterpriseNotifications_uiUrl_value(self): } } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) \ No newline at end of file + self.assertEqual(result[0], expected_result) diff --git a/scripts/tests/test_anchoreEnterpriseRbac_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py similarity index 99% rename from scripts/tests/test_anchoreEnterpriseRbac_value_mapping.py rename to scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py index 6c810284..dbfb95b0 100644 --- a/scripts/tests/test_anchoreEnterpriseRbac_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py @@ -299,4 +299,4 @@ def test_anchoreEnterpriseRbac_managerResources_value(self): } } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) \ No newline at end of file + self.assertEqual(result[0], expected_result) diff --git a/scripts/tests/test_anchoreEnterpriseReports_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py similarity index 99% rename from scripts/tests/test_anchoreEnterpriseReports_value_mapping.py rename to scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py index d1fe1922..35bfd427 100644 --- a/scripts/tests/test_anchoreEnterpriseReports_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py 
@@ -339,4 +339,4 @@ def test_anchoreEnterpriseReports_cycleTimers_value(self): } } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) \ No newline at end of file + self.assertEqual(result[0], expected_result) diff --git a/scripts/tests/test_anchoreEnterpriseUi_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseUi_value_mapping.py similarity index 99% rename from scripts/tests/test_anchoreEnterpriseUi_value_mapping.py rename to scripts/enterprise-value-converter/tests/test_anchoreEnterpriseUi_value_mapping.py index 814eb997..8b50d9bd 100644 --- a/scripts/tests/test_anchoreEnterpriseUi_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseUi_value_mapping.py @@ -559,4 +559,4 @@ def test_uiRedis_externalEndpoint_value(self): } } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) \ No newline at end of file + self.assertEqual(result[0], expected_result) diff --git a/scripts/tests/test_anchoreGlobal_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreGlobal_value_mapping.py similarity index 99% rename from scripts/tests/test_anchoreGlobal_value_mapping.py rename to scripts/enterprise-value-converter/tests/test_anchoreGlobal_value_mapping.py index 7dc02732..d2bc7d4f 100644 --- a/scripts/tests/test_anchoreGlobal_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreGlobal_value_mapping.py @@ -189,7 +189,7 @@ def test_anchoreGlobal_serviceAccountName_value(self): result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) self.assertEqual(result[1], {}) - + def test_anchoreGlobal_labels_value(self): dot_string_dict = { "anchoreGlobal.labels.mylabel": "myvalue", 
@@ -785,4 +785,4 @@ def test_anchoreGlobal_maxCompressedImageSizeMB_value(self): if __name__ == '__main__': - unittest.main() \ No newline at end of file + unittest.main() diff --git a/scripts/tests/test_anchorePolicyEngine_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchorePolicyEngine_value_mapping.py similarity index 99% rename from scripts/tests/test_anchorePolicyEngine_value_mapping.py rename to scripts/enterprise-value-converter/tests/test_anchorePolicyEngine_value_mapping.py index 67f1a18c..89e1a75b 100644 --- a/scripts/tests/test_anchorePolicyEngine_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchorePolicyEngine_value_mapping.py @@ -298,4 +298,4 @@ def test_anchorePolicyEngine_enablePackageDbLoad_value(self): } } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[1], expected_result) \ No newline at end of file + self.assertEqual(result[1], expected_result) diff --git a/scripts/tests/test_anchoreSimpleQueue_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreSimpleQueue_value_mapping.py similarity index 99% rename from scripts/tests/test_anchoreSimpleQueue_value_mapping.py rename to scripts/enterprise-value-converter/tests/test_anchoreSimpleQueue_value_mapping.py index 5fb35a48..7edb3b2d 100644 --- a/scripts/tests/test_anchoreSimpleQueue_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreSimpleQueue_value_mapping.py @@ -233,4 +233,4 @@ def test_anchoreSimpleQueue_service_value(self): } } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) \ No newline at end of file + self.assertEqual(result[0], expected_result) 
diff --git a/scripts/tests/test_helpers.py b/scripts/enterprise-value-converter/tests/test_helpers.py
similarity index 99%
rename from scripts/tests/test_helpers.py
rename to scripts/enterprise-value-converter/tests/test_helpers.py
index f312a372..b488c57c 100644
--- a/scripts/tests/test_helpers.py
+++ b/scripts/enterprise-value-converter/tests/test_helpers.py
@@ -316,4 +316,4 @@ def test_replace_keys_with_mappings_env_var(self):
 self.assertEqual(result[0], anchore_config_expected_results)
 
 if __name__ == '__main__':
- unittest.main()
\ No newline at end of file
+ unittest.main()
diff --git a/scripts/hooks/helm-unittest.sh b/scripts/hooks/helm-unittest.sh
new file mode 100755
index 00000000..b01e4a45
--- /dev/null
+++ b/scripts/hooks/helm-unittest.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+readonly DEBUG=${DEBUG:-unset}
+if [ "${DEBUG}" != unset ]; then
+ set -x
+fi
+
+if [[ ! $(which helm) ]]; then
+ echo "helm not found. Please install helm and try again"
+ exit 1
+fi
+
+if ! helm plugin list | grep -q unittest; then
+ echo "helm-unittest plugin not found. Press 'y' to install with helm or any other key to skip"
+ read -r install_helm_unittest
+ if [[ "$install_helm_unittest" != "y" ]]; then
+ exit 1
+ fi
+ helm plugin install https://github.com/helm-unittest/helm-unittest.git
+fi
+
+files_changed="$(git diff --name-only origin/main | sort | uniq)"
+# Adding || true to avoid "Process exited with code 1" errors
+charts_dirs_changed="$(echo "$files_changed" | xargs dirname | grep -o "stable/[^/]*" | sort | uniq || true)"
+
+charts_to_test=("stable/enterprise" "stable/feeds")
+
+for chart in ${charts_dirs_changed}; do
+ for charts_to_test in "${charts_to_test[@]}"; do
+ if [[ "$chart" == "$charts_to_test" ]]; then
+ echo "Running unit tests for ${chart}"
+ pushd "${chart}" || exit
+ helm repo add anchore https://charts.anchore.io/stable
+ helm dep up
+ helm unittest .
+ popd || exit
+ fi
+ done
+done
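Review bot: The inner loop `for charts_to_test in "${charts_to_test[@]}"` uses the array's own name as the loop variable, and a scalar assignment to an array name in bash overwrites element 0, so after the first pass of the outer loop the array has become ("stable/feeds" "stable/feeds"); if stable/anchore-engine and stable/enterprise both changed (sorted, anchore-engine comes first), enterprise is never tested, and when stable/enterprise and stable/feeds both changed the feeds tests run twice. Rename the loop variable: `for chart_to_test in "${charts_to_test[@]}"; do` and `if [[ "$chart" == "$chart_to_test" ]]; then`. readme-generator.sh in the next hunk has the same shadowing with `chart_with_metadata`. Separately, `helm plugin install https://github.com/helm-unittest/helm-unittest.git` fetches and executes whatever is at the repository head on each contributor's machine; pinning a release with the `--version` flag that helm plugin install accepts keeps the hook reproducible and lets the installed code be reviewed.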
diff --git a/scripts/hooks/readme-generator.sh b/scripts/hooks/readme-generator.sh
new file mode 100755
index 00000000..ce2f11b2
--- /dev/null
+++ b/scripts/hooks/readme-generator.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+readonly DEBUG=${DEBUG:-unset}
+if [ "${DEBUG}" != unset ]; then
+ set -x
+fi
+
+if [[ ! $(which readme-generator) ]]; then
+ echo "readme-generator not found. Press 'y' to install with npm or any other key to skip"
+ read -r install_readme_generator
+ if [[ "$install_readme_generator" != "y" ]]; then
+ exit 1
+ fi
+ if [[ ! $(which npm) ]]; then
+ echo "npm not found. Please install npm and try again"
+ exit 1
+ fi
+ npm install -g @bitnami/readme-generator-for-helm
+fi
+
+files_changed="$(git diff --name-only origin/main | sort | uniq)"
+# Adding || true to avoid "Process exited with code 1" errors
+charts_dirs_changed="$(echo "$files_changed" | xargs dirname | grep -o "stable/[^/]*" | sort | uniq || true)"
+
+chart_with_metadata=("stable/enterprise" "stable/feeds" "stable/ecs-inventory")
+
+for chart in ${charts_dirs_changed}; do
+ for chart_with_metadata in "${chart_with_metadata[@]}"; do
+ if [[ "$chart" == "$chart_with_metadata" ]]; then
+ echo "Updating README.md for ${chart}"
+ readme-generator --values "${chart}/values.yaml" --readme "${chart}/README.md"
+ fi
+ done
+done
diff --git a/stable/anchore-admission-controller/Chart.yaml b/stable/anchore-admission-controller/Chart.yaml
index e7adf65b..ddf85753 100644
--- a/stable/anchore-admission-controller/Chart.yaml
+++ b/stable/anchore-admission-controller/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: anchore-admission-controller
-version: 0.4.6
+version: 0.4.7
 appVersion: 0.4.0
 description: A kubernetes admission controller for validating and mutating webhooks that operates against Anchore Engine to make access decisions and annotations
 home: https://github.com/anchore/kubernetes-admission-controller
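Review bot: `npm install -g @bitnami/readme-generator-for-helm` installs an unpinned package globally on the contributor's machine from inside a git hook, so two contributors can end up with different generator versions and regenerate the same README differently, and the code that runs is whatever npm resolves at that moment. Pin the version, e.g. `npm install -g @bitnami/readme-generator-for-helm@<PINNED_VERSION>` (placeholder, pick the version the project standardises on), or document the expected version next to the prompt. The script also has no `set -e`, so a failing `readme-generator` call on one chart is not reported as a hook failure; `readme-generator ... || exit 1` would surface it.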
diff --git a/stable/anchore-admission-controller/README.md b/stable/anchore-admission-controller/README.md index 7c5579a9..9cd5d86e 100644 --- a/stable/anchore-admission-controller/README.md +++ b/stable/anchore-admission-controller/README.md @@ -16,7 +16,7 @@ to deploy one with: helm install --name anchore stable/anchore-engine ``` -Setup of policies and users is covered in the anchore documentation, for this readme we'll use admin user credentials, but it +Setup of policies and users is covered in the anchore documentation, for this readme we'll use admin user credentials, but it is *strongly* suggested that you use a non-admin user for the controller credential. 1. Create a secret for the anchore credentials that the controller will use to make api calls to Anchore. This must be done out-of-band of the chart creation and should be in the @@ -27,7 +27,7 @@ same namespace you will deploy the chart to. The file must be a json file with t "users": [ { "username": "user1", "password": "password"}, { "uesrname": "user2", "password": "password2"}, - ... + ... ] } ``` @@ -71,7 +71,7 @@ It will remove kubernetes objects which are not removed by a helm delete. Pass t | Key | Expected Type | Default Value | Description | |---|---|---|---| -|replicaCount | int | 1 | replicas, should generally only need one +|replicaCount | int | 1 | replicas, should generally only need one |---|---|---|---| |logVerbosity | int | 6 | log verbosity of controller, 1 = error, 2 warn, 3 debug.... |---|---|---|---| diff --git a/stable/anchore-engine/.gitignore b/stable/anchore-engine/.gitignore index 56bef8cb..d838da98 100644 --- a/stable/anchore-engine/.gitignore +++ b/stable/anchore-engine/.gitignore @@ -1 +1 @@ -examples/ \ No newline at end of file +examples/ diff --git a/stable/anchore-engine/.helmignore b/stable/anchore-engine/.helmignore index 84f81b9a..0f9b0a02 100644 --- a/stable/anchore-engine/.helmignore +++ b/stable/anchore-engine/.helmignore 
@@ -2,4 +2,3 @@ # OWNERS file for Kubernetes OWNERS - diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index e766bb04..200c25e4 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.27.3 +version: 1.27.4 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index d3d9082d..6b0952b0 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -247,7 +247,7 @@ The upgrade will only be considered successful when this job completes successfu - /path/to/file2 ``` -* Updated the configuration for Anchore Enterprise database connections. This will ensure that special characters are handled properly in database passwords. Also allows configuring the db hostname and port separately. +* Updated the configuration for Anchore Enterprise database connections. This will ensure that special characters are handled properly in database passwords. Also allows configuring the db hostname and port separately. * If your postgresql connection is using a non-standard port, you will need to update your values file to include the hostname and port. For example: @@ -680,7 +680,7 @@ anchoreCatalog: ```yaml anchoreCatalog: archive: - storage_driver: + storage_driver: name: swift config: auth_version: '2' 
@@ -731,7 +731,7 @@ know about each pod, and the ports it provides to scrape the metrics. ## Using custom certificates -A secret needs to be created in the same namespace as the anchore-engine chart installation. This secret should contain all custom certs, including CA certs & any certs used for internal TLS communication. +A secret needs to be created in the same namespace as the anchore-engine chart installation. This secret should contain all custom certs, including CA certs & any certs used for internal TLS communication. This secret will be mounted to all Anchore pods at /home/anchore/certs to be utilized by the system. ## Event Notifications diff --git a/stable/anchore-engine/templates/NOTES.txt b/stable/anchore-engine/templates/NOTES.txt index 8438e118..b324f121 100644 --- a/stable/anchore-engine/templates/NOTES.txt +++ b/stable/anchore-engine/templates/NOTES.txt @@ -8,7 +8,7 @@ Anchore can be accessed via port {{ .Values.anchoreApi.service.port }} on the fo During this time the system status will report 'partially_down' and any images added for analysis will stay in the 'not_analyzed' state. Once the sync is complete, any queued images will be analyzed and the system status will change to 'all_up'. -Initial setup time can be >120sec for postgresql setup and readiness checks to pass for the services as indicated by pod state. +Initial setup time can be >120sec for postgresql setup and readiness checks to pass for the services as indicated by pod state. You can check with: kubectl get pods -l app={{ template "anchore-engine.fullname" .}},component=api @@ -48,4 +48,4 @@ To verify that your Postgresql version is compatible with Anchore Enterprise v5. kubectl logs -l component=anchore-enterprise-upgrade | grep WARN kubectl logs -l component=anchore-enterprise-feeds-upgrade | grep WARN -{{- end }} \ No newline at end of file +{{- end }} 
diff --git a/stable/anchore-engine/templates/analyzer_configmap.yaml b/stable/anchore-engine/templates/analyzer_configmap.yaml index df8a3575..f75ba47c 100644 --- a/stable/anchore-engine/templates/analyzer_configmap.yaml +++ b/stable/anchore-engine/templates/analyzer_configmap.yaml @@ -16,4 +16,4 @@ data: analyzer_config.yaml: | {{- with .Values.anchoreAnalyzer.configFile }} {{- toYaml . | nindent 4 }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/stable/anchore-engine/templates/api_deployment.yaml b/stable/anchore-engine/templates/api_deployment.yaml index 9019b2b8..fa2d8e3e 100644 --- a/stable/anchore-engine/templates/api_deployment.yaml +++ b/stable/anchore-engine/templates/api_deployment.yaml @@ -216,7 +216,7 @@ spec: {{ toYaml . | nindent 10 }} {{- end }} command: ["/bin/sh", "-c"] - args: + args: - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_authorizer envFrom: {{- if not .Values.inject_secrets_via_env }} @@ -301,7 +301,7 @@ spec: {{ toYaml . | nindent 10 }} {{- end }} command: ["/bin/sh", "-c"] - args: + args: - {{ print (include "doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade reports ports: - containerPort: {{ .Values.anchoreEnterpriseReports.service.apiPort }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index abe5e3ab..9c9c9b8d 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml 
@@ -132,7 +132,7 @@ data: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.amazonDriverEnabled | quote) }} alpine: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.alpineDriverEnabled | quote) }} - centos: + centos: enabled: false debian: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.debianDriverEnabled | quote) }} diff --git a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml index b80ed0cb..b1c48dc1 100644 --- a/stable/anchore-engine/templates/enterprise_upgrade_job.yaml +++ b/stable/anchore-engine/templates/enterprise_upgrade_job.yaml @@ -165,4 +165,4 @@ spec: {{- with .Values.anchoreGlobal.serviceAccountName }} serviceAccountName: {{ . }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml b/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml index 41785829..ddfac108 100644 --- a/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml +++ b/stable/anchore-engine/templates/hooks/pre-upgrade/0-db-upgrade.yaml @@ -281,4 +281,4 @@ spec: - | sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_role.yaml b/stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_role.yaml index 12a61043..2277dea0 100644 --- a/stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_role.yaml +++ b/stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_role.yaml @@ -51,7 +51,7 @@ rules: - watch - update - patch - - apiGroups: + - apiGroups: - apps resources: - deployments/scale @@ -66,4 +66,4 @@ rules: - list - get -{{- end }} \ No newline at end of file +{{- end }} 
diff --git a/stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_rolebinding.yaml b/stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_rolebinding.yaml index dc3e2848..b75898b0 100644 --- a/stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_rolebinding.yaml +++ b/stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_rolebinding.yaml @@ -45,4 +45,4 @@ subjects: - kind: ServiceAccount name: {{ template "anchore-engine.fullname" . }}-upgrade-sa namespace: {{ .Release.Namespace }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_service_account.yaml b/stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_service_account.yaml index f30e037a..07716066 100644 --- a/stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_service_account.yaml +++ b/stable/anchore-engine/templates/hooks/pre-upgrade/anchore_upgrade_service_account.yaml @@ -37,4 +37,4 @@ metadata: {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.annotations }} {{ toYaml . | nindent 4 }} {{- end }} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/stable/anchore-engine/templates/policy_bundle_configmap.yaml b/stable/anchore-engine/templates/policy_bundle_configmap.yaml index 10b06c68..a05a0cb0 100644 --- a/stable/anchore-engine/templates/policy_bundle_configmap.yaml +++ b/stable/anchore-engine/templates/policy_bundle_configmap.yaml @@ -15,4 +15,4 @@ data: {{- with .Values.anchoreGlobal.policyBundles }} {{- toYaml . | nindent 2 }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/stable/ecs-inventory/Chart.yaml b/stable/ecs-inventory/Chart.yaml index 87596fe2..4e9a5234 100644 --- a/stable/ecs-inventory/Chart.yaml +++ b/stable/ecs-inventory/Chart.yaml 
@@ -20,7 +20,7 @@ maintainers: email: hung.nguyen@anchore.com type: application -version: 0.0.3 +version: 0.0.4 appVersion: "1.0.0" icon: https://anchore.com/wp-content/uploads/2016/08/anchore.png diff --git a/stable/ecs-inventory/README.md b/stable/ecs-inventory/README.md index 9e77a2eb..9bbe2402 100644 --- a/stable/ecs-inventory/README.md +++ b/stable/ecs-inventory/README.md 
@@ -55,36 +55,37 @@ See the [ecs-inventory repo](https://github.com/anchore/ecs-inventory) for more ### Common Resource Parameters -| Name | Description | Value | -| ------------------------------------- | ----------------------------------------------------------------------- | ---------------------------------------- | -| `replicaCount` | Number of replicas for the Ecs Inventory deployment | `1` | -| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/ecs-inventory:v1.0.0` | -| `imagePullPolicy` | Image pull policy used by all deployments | `Always` | -| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `""` | -| `serviceAccountName` | Name of a service account used to run all Anchore Ecs Inventory pods | `""` | -| `useExistingSecret` | set to true to use an existing/precreated secret | `false` | -| `existingSecretName` | the name of the precreated secret | `""` | -| `injectSecretsViaEnv` | Enable secret injection into pod environment variables | `false` | -| `extraEnv` | extra environment variables. These will be set on all containers. 
| `[]` | -| `annotations` | Common annotations set on all Kubernetes resources | `{}` | -| `deploymentAnnotations` | annotations to set on the ecs-inventory deployment | `{}` | -| `securityContext.runAsUser` | The securityContext runAsUser for all Anchore ECS Inventory pods | `1000` | -| `securityContext.runAsGroup` | The securityContext runAsGroup for all Anchore ECS Inventory pods | `1000` | -| `securityContext.fsGroup` | The securityContext fsGroup for all Anchore ECS Inventory pods | `1000` | -| `resources` | Resource requests and limits for Anchore ECS Inventory pods | `{}` | -| `nodeSelector` | Node labels for pod assignment | `{}` | -| `tolerations` | Tolerations for pod assignment | `[]` | -| `affinity` | Affinity for pod assignment | `{}` | -| `labels` | Adds additionnal labels to all kubernetes resources | `{}` | -| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `1` | -| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | -| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `5` | -| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | -| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | -| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | -| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `15` | -| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | -| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | +| Name | Description | Value | +| ------------------------------------- | -------------------------------------------------------------------- | ---------------------------------------- | +| `replicaCount` | Number of replicas for the Ecs Inventory deployment | `1` | +| `image` | Image used for all Ecs Inventory deployment deployments | `docker.io/anchore/ecs-inventory:v1.1.0` | +| 
`imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | +| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `""` | +| `serviceAccountName` | Name of a service account used to run all Anchore Ecs Inventory pods | `""` | +| `useExistingSecret` | set to true to use an existing/precreated secret | `false` | +| `existingSecretName` | the name of the precreated secret | `""` | +| `injectSecretsViaEnv` | Enable secret injection into pod environment variables | `false` | +| `extraEnv` | extra environment variables. These will be set on all containers. | `[]` | +| `annotations` | Common annotations set on all Kubernetes resources | `{}` | +| `deploymentAnnotations` | annotations to set on the ecs-inventory deployment | `{}` | +| `securityContext.runAsUser` | The securityContext runAsUser for all Anchore ECS Inventory pods | `1000` | +| `securityContext.runAsGroup` | The securityContext runAsGroup for all Anchore ECS Inventory pods | `1000` | +| `securityContext.fsGroup` | The securityContext fsGroup for all Anchore ECS Inventory pods | `1000` | +| `resources` | Resource requests and limits for Anchore ECS Inventory pods | `{}` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `tolerations` | Tolerations for pod assignment | `[]` | +| `affinity` | Affinity for pod assignment | `{}` | +| `labels` | Adds additionnal labels to all kubernetes resources | `{}` | +| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `1` | +| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | +| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `5` | +| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | +| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | +| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | +| `probes.readiness.periodSeconds` | 
Period seconds for the readiness probe | `15` | +| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | +| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | + ### ecsInventory Parameters ## diff --git a/stable/ecs-inventory/templates/NOTES.txt b/stable/ecs-inventory/templates/NOTES.txt index d9ae3157..5ef3999d 100644 --- a/stable/ecs-inventory/templates/NOTES.txt +++ b/stable/ecs-inventory/templates/NOTES.txt @@ -3,4 +3,4 @@ Anchore ECS Inventory must be able to resolve the Anchore URL and requires API c For more info see: https://github.com/anchore/ecs-inventory -ECS Inventory is now installed. \ No newline at end of file +ECS Inventory is now installed. diff --git a/stable/ecs-inventory/templates/_helpers.tpl b/stable/ecs-inventory/templates/_helpers.tpl index 5b0219fa..0313182b 100644 --- a/stable/ecs-inventory/templates/_helpers.tpl +++ b/stable/ecs-inventory/templates/_helpers.tpl @@ -23,4 +23,4 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} app: {{ include "ecsInventory.fullname" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/stable/ecs-inventory/templates/_names.tpl b/stable/ecs-inventory/templates/_names.tpl index 9348254f..f975897e 100644 --- a/stable/ecs-inventory/templates/_names.tpl +++ b/stable/ecs-inventory/templates/_names.tpl @@ -35,4 +35,4 @@ Create the name of the service account to use */}} {{- define "ecsInventory.serviceAccountName" -}} {{- default "default" .Values.serviceAccountName }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/stable/enterprise/.helmignore b/stable/enterprise/.helmignore index 4f68e0e2..f188d49f 100644 --- a/stable/enterprise/.helmignore +++ b/stable/enterprise/.helmignore @@ -1,2 +1,2 @@ .git -tests/ \ No newline at end of file +tests/ diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock index d0f73c8d..87484348 100644 
--- a/stable/enterprise/Chart.lock +++ b/stable/enterprise/Chart.lock @@ -7,6 +7,6 @@ dependencies: version: 17.11.8 - name: feeds repository: https://charts.anchore.io/stable - version: 0.0.2 -digest: sha256:23485379ed6b385e257be94156cb0e5ed255e6fad733b8534ec605679549cbf2 -generated: "2023-09-06T14:04:35.141202-07:00" + version: 0.0.3 +digest: sha256:35fd0bff9327cb7033bff96e8dcff85ba6b65ba5a8675270b45a40035718db57 +generated: "2023-09-15T16:31:47.040512-07:00" diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 1ca5b02d..746d3a38 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.0.5" +version: "0.0.6" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | @@ -39,7 +39,7 @@ dependencies: condition: ui-redis.chartEnabled alias: ui-redis - name: feeds - version: "0.0.2" + version: "0.0.3" repository: "@anchore" condition: feeds.chartEnabled import-values: diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index c462c18f..04aedc42 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -757,6 +757,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | | `configOverride` | Allows for overriding the default Anchore configuration file | `""` | + ### Anchore Configuration Parameters | Name | Description | Value | @@ -850,6 +851,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. | `""` | | `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` | + ### Anchore API k8s Deployment Parameters | Name | Description | Value | 
@@ -871,6 +873,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `api.affinity` | Affinity for Anchore API pod assignment | `{}` | | `api.serviceAccountName` | Service account name for Anchore API pods | `""` | + ### Anchore Analyzer k8s Deployment Parameters | Name | Description | Value | @@ -886,6 +889,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `analyzer.affinity` | Affinity for Anchore Analyzer pod assignment | `{}` | | `analyzer.serviceAccountName` | Service account name for Anchore API pods | `""` | + ### Anchore Catalog k8s Deployment Parameters | Name | Description | Value | @@ -905,6 +909,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `catalog.affinity` | Affinity for Anchore Catalog pod assignment | `{}` | | `catalog.serviceAccountName` | Service account name for Anchore Catalog pods | `""` | + ### Anchore Feeds Chart Parameters | Name | Description | Value | @@ -913,6 +918,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `feeds.standalone` | Sets the Anchore Feeds chart to run into non-standalone mode, for use with Anchore Enterprise. | `false` | | `feeds.url` | Set the URL for a standalone Feeds service. Use when chartEnabled=false. | `""` | + ### Anchore Policy Engine k8s Deployment Parameters | Name | Description | Value | @@ -932,6 +938,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `policyEngine.affinity` | Affinity for Anchore Policy Engine pod assignment | `{}` | | `policyEngine.serviceAccountName` | Service account name for Anchore Policy Engine pods | `""` | + ### Anchore Simple Queue Parameters | Name | Description | Value | 
@@ -951,6 +958,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `simpleQueue.affinity` | Affinity for Anchore Simple Queue pod assignment | `{}` | | `simpleQueue.serviceAccountName` | Service account name for Anchore Simple Queue pods | `""` | + ### Anchore Notifications Parameters | Name | Description | Value | @@ -971,6 +979,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `notifications.affinity` | Affinity for Anchore Notifications pod assignment | `{}` | | `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | + ### Anchore Reports Parameters | Name | Description | Value | @@ -991,6 +1000,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `reports.affinity` | Affinity for Anchore Reports pod assignment | `{}` | | `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | + ### Anchore RBAC Authentication Parameters | Name | Description | Value | @@ -998,6 +1008,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `rbacAuth.extraEnv` | Set extra environment variables for Anchore RBAC Authentication containers | `[]` | | `rbacAuth.resources` | Resource requests and limits for Anchore RBAC Authentication containers | `{}` | + ### Anchore RBAC Manager Parameters | Name | Description | Value | @@ -1018,6 +1029,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `rbacManager.affinity` | Affinity for Anchore RBAC Manager pod assignment | `{}` | | `rbacManager.serviceAccountName` | Service account name for Anchore RBAC Manager pods | `""` | + ### Anchore UI Parameters | Name | Description | Value | 
@@ -1041,6 +1053,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `ui.affinity` | Affinity for Anchore ui pod assignment | `{}` | | `ui.serviceAccountName` | Service account name for Anchore UI pods | `""` | + ### Anchore Upgrade Job Parameters | Name | Description | Value | @@ -1057,6 +1070,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `upgradeJob.resources` | Resource requests and limits for the Anchore upgrade job | `{}` | | `upgradeJob.labels` | Labels for the Anchore upgrade job | `{}` | + ### Ingress Parameters | Name | Description | Value | @@ -1075,6 +1089,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | + ### Google CloudSQL DB Parameters | Name | Description | Value | @@ -1088,6 +1103,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `cloudsql.serviceAccJsonName` | | `""` | | `cloudsql.extraArgs` | a list of extra arguments to be passed into the cloudsql container command. eg | `[]` | + ### Anchore UI Redis Parameters | Name | Description | Value | @@ -1098,6 +1114,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `ui-redis.architecture` | Redis deployment architecture | `standalone` | | `ui-redis.master.persistence.enabled` | enables persistence | `false` | + ### Anchore Database Parameters | Name | Description | Value | diff --git a/stable/enterprise/templates/NOTES.txt b/stable/enterprise/templates/NOTES.txt index 35363189..1cfa8a97 100644 --- a/stable/enterprise/templates/NOTES.txt +++ b/stable/enterprise/templates/NOTES.txt 
@@ -16,7 +16,7 @@ Get the default admin password using the following command: During this time the system status will report 'partially_down' and any images added for analysis will stay in the 'not_analyzed' state. Once the sync is complete, any queued images will be analyzed and the system status will change to 'all_up'. -Initial setup time can be >120sec for postgresql setup and readiness checks to pass for the services as indicated by pod state. +Initial setup time can be >120sec for postgresql setup and readiness checks to pass for the services as indicated by pod state. You can check with: - kubectl get pods -l app.kubernetes.io/name={{- template "enterprise.fullname" . -}},app.kubernetes.io/component=api \ No newline at end of file + kubectl get pods -l app.kubernetes.io/name={{- template "enterprise.fullname" . -}},app.kubernetes.io/component=api diff --git a/stable/enterprise/templates/_helpers.tpl b/stable/enterprise/templates/_helpers.tpl index bbe85fcc..fe0caa04 100644 --- a/stable/enterprise/templates/_helpers.tpl +++ b/stable/enterprise/templates/_helpers.tpl @@ -129,4 +129,4 @@ Set the nodePort for services if its defined {{- if (index .Values (print $component)).service.nodePort -}} nodePort: {{ (index .Values (print $component)).service.nodePort }} {{- end -}} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/stable/enterprise/templates/anchore_configmap.yaml b/stable/enterprise/templates/anchore_configmap.yaml index c77c38e3..f8683e25 100644 --- a/stable/enterprise/templates/anchore_configmap.yaml +++ b/stable/enterprise/templates/anchore_configmap.yaml @@ -14,4 +14,4 @@ data: {{ tpl .Values.configOverride . | indent 4 }} {{- else }} {{ tpl (.Files.Get "files/default_config.yaml") . | indent 4 }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index 13a23b42..4b33b193 100644 
--- a/stable/enterprise/templates/envvars_configmap.yaml +++ b/stable/enterprise/templates/envvars_configmap.yaml @@ -96,4 +96,4 @@ data: ANCHORE_SSL_KEY: "null" {{- end }} ANCHORE_SSO_REQUIRES_EXISTING_USERS: "{{ .Values.anchoreConfig.user_authentication.sso_require_existing_users }}" - ANCHORE_TMP_DIR: "{{ .Values.scratchVolume.mountPath }}" \ No newline at end of file + ANCHORE_TMP_DIR: "{{ .Values.scratchVolume.mountPath }}" diff --git a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml index 8c2915fe..67e2494d 100644 --- a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml +++ b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml @@ -67,4 +67,4 @@ spec: - | {{ print (include "enterprise.doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}":"${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}"?sslmode={{- .Values.anchoreConfig.database.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreConfig.database.sslRootCertFileName }} upgrade --dontask; {{- end }} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_rbac.yaml b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_rbac.yaml index 5b48f70c..515f4f9e 100644 --- a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_rbac.yaml +++ b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_rbac.yaml @@ -59,7 +59,7 @@ rules: - watch - update - patch - - apiGroups: + - apiGroups: - apps resources: - deployments/scale @@ -73,4 +73,4 @@ rules: - watch - list - get -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/stable/enterprise/templates/ui_configmap.yaml b/stable/enterprise/templates/ui_configmap.yaml index be6b9818..77e9f5d5 100644 --- a/stable/enterprise/templates/ui_configmap.yaml 
+++ b/stable/enterprise/templates/ui_configmap.yaml @@ -45,4 +45,4 @@ data: appdb_config: {{ toYaml .Values.anchoreConfig.ui.appdb_config | nindent 6}} log_level: {{ .Values.anchoreConfig.ui.log_level | squote }} enrich_inventory_view: {{ .Values.anchoreConfig.ui.enrich_inventory_view }} - enable_prometheus_metrics: {{ .Values.anchoreConfig.metrics.enabled }} \ No newline at end of file + enable_prometheus_metrics: {{ .Values.anchoreConfig.metrics.enabled }} diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 13cd5514..9fa7837e 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -32,10 +32,10 @@ should render the configmaps: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/part-of: anchore - app.kubernetes.io/version: 4.9.1 + app.kubernetes.io/version: 9.9.9 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.5 + helm.sh/chart: enterprise-9.9.9 name: test-release-enterprise-analyzer namespace: test-namespace 2: | @@ -333,10 +333,10 @@ should render the configmaps: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/part-of: anchore - app.kubernetes.io/version: 4.9.1 + app.kubernetes.io/version: 9.9.9 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.5 + helm.sh/chart: enterprise-9.9.9 name: test-release-enterprise namespace: test-namespace 3: | @@ -418,10 +418,10 @@ should render the configmaps: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/part-of: anchore - app.kubernetes.io/version: 4.9.1 + app.kubernetes.io/version: 9.9.9 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.5 + helm.sh/chart: enterprise-9.9.9 name: test-release-enterprise-config-env-vars namespace: test-namespace 4: | 
@@ -462,16 +462,16 @@ should render the configmaps: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/part-of: anchore - app.kubernetes.io/version: 4.9.1 + app.kubernetes.io/version: 9.9.9 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.5 + helm.sh/chart: enterprise-9.9.9 name: test-release-enterprise-policy-bundles namespace: test-namespace 5: | apiVersion: v1 data: - config-ui.yaml: "# Anchore UI configuration\nengine_uri: 'http://test-release-enterprise-api:8228/v2'\nreports_uri: 'http://test-release-enterprise-api:8558/v2'\nnotifications_uri: 'http://test-release-enterprise-notifications:8668/v2'\nrbac_uri: 'http://test-release-enterprise-rbac-manager:8229/v2'\nenterprise_uri: 'http://test-release-enterprise-api:8228/v2'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: true\nforce_websocket: false\nauthentication_lock:\n count: 5\n expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: true\nenable_prometheus_metrics: false" + config-ui.yaml: "# Anchore UI configuration\nengine_uri: 'http://test-release-enterprise-api:8228/v2'\nreports_uri: 'http://test-release-enterprise-api:8558/v2'\nnotifications_uri: 'http://test-release-enterprise-notifications:8668/v2'\nrbac_uri: 'http://test-release-enterprise-rbac-manager:8229/v2'\nenterprise_uri: 'http://test-release-enterprise-api:8228/v2'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: 
true\nforce_websocket: false\nauthentication_lock:\n count: 5\n expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: true\nenable_prometheus_metrics: false\n" kind: ConfigMap metadata: annotations: @@ -483,9 +483,9 @@ should render the configmaps: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/part-of: anchore - app.kubernetes.io/version: 4.9.1 + app.kubernetes.io/version: 9.9.9 bar: baz foo: bar - helm.sh/chart: enterprise-0.0.5 + helm.sh/chart: enterprise-9.9.9 name: test-release-enterprise-ui namespace: test-namespace diff --git a/stable/enterprise/tests/api_resources_test.yaml b/stable/enterprise/tests/api_resources_test.yaml index 2cf64059..bd693d86 100644 --- a/stable/enterprise/tests/api_resources_test.yaml +++ b/stable/enterprise/tests/api_resources_test.yaml @@ -199,7 +199,7 @@ tests: path: spec.template.spec.containers[1].env content: name: ANCHORE_CLI_PASS - valueFrom: + valueFrom: secretKeyRef: name: test-release-enterprise key: ANCHORE_ADMIN_PASSWORD @@ -239,7 +239,7 @@ tests: path: spec.template.spec.containers[1].env content: name: ANCHORE_CLI_PASS - valueFrom: + valueFrom: secretKeyRef: name: existing-secret key: ANCHORE_ADMIN_PASSWORD @@ -448,4 +448,4 @@ tests: content: app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/component: api - count: 1 \ No newline at end of file + count: 1 diff --git a/stable/enterprise/tests/catalog_resources_test.yaml b/stable/enterprise/tests/catalog_resources_test.yaml index 89332b7b..89da24d4 100644 --- a/stable/enterprise/tests/catalog_resources_test.yaml +++ b/stable/enterprise/tests/catalog_resources_test.yaml @@ -362,4 +362,4 @@ tests: content: app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/component: catalog - count: 1 \ No newline at end of file + count: 1 
diff --git a/stable/enterprise/tests/common_helpers_test.yaml b/stable/enterprise/tests/common_helpers_test.yaml index 1f884553..bb21d842 100644 --- a/stable/enterprise/tests/common_helpers_test.yaml +++ b/stable/enterprise/tests/common_helpers_test.yaml @@ -1,5 +1,5 @@ suite: Common Helper Template Tests -templates: +templates: - analyzer_deployment.yaml - api_deployment.yaml - catalog_deployment.yaml @@ -435,7 +435,7 @@ tests: path: spec.template.spec.containers[0].securityContext - it: should render the rbacAuthContainer - templates: + templates: - api_deployment.yaml - notifications_deployment.yaml - rbacmanager_deployment.yaml @@ -1071,4 +1071,4 @@ tests: path: spec.ports[0] content: nodePort: 9999 - count: 1 \ No newline at end of file + count: 1 diff --git a/stable/enterprise/tests/configmap_test.yaml b/stable/enterprise/tests/configmap_test.yaml index 38e979e1..d40e0d71 100644 --- a/stable/enterprise/tests/configmap_test.yaml +++ b/stable/enterprise/tests/configmap_test.yaml @@ -6,6 +6,9 @@ values: release: name: test-release namespace: test-namespace +chart: + version: 9.9.9 + appVersion: 9.9.9 tests: - it: should render the configmaps asserts: @@ -28,4 +31,4 @@ tests: service_dir: /foobar tmp_dir: /test - log_level: DEBUG \ No newline at end of file + log_level: DEBUG diff --git a/stable/enterprise/tests/notifications_resources_test.yaml b/stable/enterprise/tests/notifications_resources_test.yaml index 8b0fa16a..ec56ed44 100644 --- a/stable/enterprise/tests/notifications_resources_test.yaml +++ b/stable/enterprise/tests/notifications_resources_test.yaml @@ -293,4 +293,4 @@ tests: content: app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/component: notifications - count: 1 \ No newline at end of file + count: 1 diff --git a/stable/enterprise/tests/policyengine_resources_test.yaml b/stable/enterprise/tests/policyengine_resources_test.yaml index 69c81a2a..3d1175ce 100644 --- a/stable/enterprise/tests/policyengine_resources_test.yaml 
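Review bot: The new `chart:` override in `stable/enterprise/tests/configmap_test.yaml` leaves `version: 9.9.9` and `appVersion: 9.9.9` as plain scalars; a three-part value parses as a string, but a two-part pin such as `1.0` would be read as a float and render as `1`, so quoting them (`version: "9.9.9"`, `appVersion: "9.9.9"`) matches the quoted form used in `stable/feeds/Chart.yaml` and keeps the fixture safe if the pin is changed later. The identical override added to `stable/feeds/tests/configmap_test.yaml` further down has the same point. Since these overrides make the `helm.sh/chart` and `app.kubernetes.io/version` labels in the snapshots stop tracking the real chart version, which looks intended to avoid snapshot churn on version bumps, a one-line comment above `chart:` such as `# pinned so snapshots do not change on every chart/app version bump` would make that intent explicit.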
+++ b/stable/enterprise/tests/policyengine_resources_test.yaml @@ -331,4 +331,4 @@ tests: content: app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/component: policyengine - count: 1 \ No newline at end of file + count: 1 diff --git a/stable/enterprise/tests/posthook_upgrade_resources_test.yaml b/stable/enterprise/tests/posthook_upgrade_resources_test.yaml index 133ce4d9..8486088e 100644 --- a/stable/enterprise/tests/posthook_upgrade_resources_test.yaml +++ b/stable/enterprise/tests/posthook_upgrade_resources_test.yaml @@ -227,4 +227,4 @@ tests: content: cpu: 200m memory: 256Mi - count: 1 \ No newline at end of file + count: 1 diff --git a/stable/enterprise/tests/prehook_upgrade_resources_test.yaml b/stable/enterprise/tests/prehook_upgrade_resources_test.yaml index 6a794761..76a68385 100644 --- a/stable/enterprise/tests/prehook_upgrade_resources_test.yaml +++ b/stable/enterprise/tests/prehook_upgrade_resources_test.yaml @@ -303,4 +303,4 @@ tests: content: cpu: 200m memory: 256Mi - count: 1 \ No newline at end of file + count: 1 diff --git a/stable/enterprise/tests/rbacmanager_resources_test.yaml b/stable/enterprise/tests/rbacmanager_resources_test.yaml index 1a2ac964..01a1c81d 100644 --- a/stable/enterprise/tests/rbacmanager_resources_test.yaml +++ b/stable/enterprise/tests/rbacmanager_resources_test.yaml @@ -290,4 +290,4 @@ tests: content: app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/component: rbacmanager - count: 1 \ No newline at end of file + count: 1 diff --git a/stable/enterprise/tests/reports_resources_test.yaml b/stable/enterprise/tests/reports_resources_test.yaml index 3db9a360..e602cd96 100644 --- a/stable/enterprise/tests/reports_resources_test.yaml +++ b/stable/enterprise/tests/reports_resources_test.yaml @@ -290,4 +290,4 @@ tests: content: app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/component: reports - count: 1 \ No newline at end of file + count: 1 
diff --git a/stable/enterprise/tests/simplequeue_resources_test.yaml b/stable/enterprise/tests/simplequeue_resources_test.yaml index 4fa713ec..5d66c2e0 100644 --- a/stable/enterprise/tests/simplequeue_resources_test.yaml +++ b/stable/enterprise/tests/simplequeue_resources_test.yaml @@ -265,4 +265,4 @@ tests: content: app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/component: simplequeue - count: 1 \ No newline at end of file + count: 1 diff --git a/stable/enterprise/tests/ui_resources_test.yaml b/stable/enterprise/tests/ui_resources_test.yaml index 308873e7..ac56cc61 100644 --- a/stable/enterprise/tests/ui_resources_test.yaml +++ b/stable/enterprise/tests/ui_resources_test.yaml @@ -301,4 +301,4 @@ tests: content: app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/component: ui - count: 1 \ No newline at end of file + count: 1 diff --git a/stable/enterprise/tests/values.yaml b/stable/enterprise/tests/values.yaml index 5313c36b..9b015f99 100644 --- a/stable/enterprise/tests/values.yaml +++ b/stable/enterprise/tests/values.yaml @@ -37,4 +37,4 @@ anchoreConfig: "mappings": [], "whitelists": [], "policies": [] - } \ No newline at end of file + } diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index 136e86ca..45ab73cc 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: feeds type: application -version: "0.0.4" +version: "0.0.5" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: Anchore feeds service diff --git a/stable/feeds/README.md b/stable/feeds/README.md index 5ee239cb..2b3ccdbf 100644 --- a/stable/feeds/README.md +++ b/stable/feeds/README.md 
@@ -268,6 +268,7 @@ feeds-db: | `existingSecretName` | Name of the existing secret to be used for Anchore Feeds Service | `anchore-enterprise-feeds-env` | | `configOverride` | Allows for overriding the default Anchore configuration file | `{}` | + ### Anchore Feeds Configuration Parameters | Name | Description | Value | @@ -307,6 +308,7 @@ feeds-db: | `anchoreConfig.feeds.drivers.github.enabled` | Enable GitHub advisory feeds (requires GitHub PAT) | `false` | | `anchoreConfig.feeds.drivers.github.token` | GitHub developer personal access token with zero permission scopes | `""` | + ### Anchore Feeds Database Parameters | Name | Description | Value | @@ -321,6 +323,7 @@ feeds-db: | `feeds-db.primary.extraEnvVars` | An array to add extra environment variables | `[]` | | `feeds-db.image.tag` | Specifies the image to use for this chart. | `13.11.0-debian-11-r15` | + ### Feeds Gem Database Parameters | Name | Description | Value | @@ -335,6 +338,7 @@ feeds-db: | `gem-db.primary.extraEnvVars` | An array to add extra environment variables | `[]` | | `gem-db.image.tag` | Specifies the image to use for this chart. | `13.11.0-debian-11-r15` | + ### Anchore Feeds Upgrade Job Parameters | Name | Description | Value | @@ -351,6 +355,7 @@ feeds-db: | `feedsUpgradeJob.labels` | Labels for the Anchore Feeds upgrade job | `{}` | | `feedsUpgradeJob.resources` | Resources for the Anchore Feeds upgrade job | `{}` | + ### Ingress Parameters | Name | Description | Value | @@ -363,6 +368,7 @@ feeds-db: | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | + ### Google CloudSQL DB Parameters | Name | Description | Value | 
@@ -376,6 +382,7 @@ feeds-db: | `cloudsql.serviceAccJsonName` | | `""` | | `cloudsql.extraArgs` | a list of extra arguments to be passed into the cloudsql container command. eg | `[]` | + ## Release Notes A major chart version change (v0.1.2 -> v1.0.0) indicates that there is an **incompatible breaking change needing manual actions.** diff --git a/stable/feeds/files/default_config.yaml b/stable/feeds/files/default_config.yaml index ed3d1b8f..f23d98fb 100644 --- a/stable/feeds/files/default_config.yaml +++ b/stable/feeds/files/default_config.yaml @@ -124,4 +124,4 @@ services: enabled: ${ANCHORE_FEEDS_DRIVER_CHAINGUARD_ENABLED} ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} \ No newline at end of file + ssl_key: ${ANCHORE_SSL_KEY} diff --git a/stable/feeds/templates/NOTES.txt b/stable/feeds/templates/NOTES.txt index ef6fda7e..48b65441 100644 --- a/stable/feeds/templates/NOTES.txt +++ b/stable/feeds/templates/NOTES.txt @@ -4,7 +4,7 @@ The Feeds API can be accessed via port {{ .Values.service.port }} on the followi {{ include "feeds.fullname" . -}}.{{- .Release.Namespace -}}.svc.cluster.local -Initial setup time can be >120sec for postgresql setup and readiness checks to pass for the services as indicated by pod state. +Initial setup time can be >120sec for postgresql setup and readiness checks to pass for the services as indicated by pod state. You can check with: - kubectl get pods -l app.kubernetes.io/name={{- template "feeds.fullname" . -}},app.kubernetes.io/component=feeds \ No newline at end of file + kubectl get pods -l app.kubernetes.io/name={{- template "feeds.fullname" . -}},app.kubernetes.io/component=feeds diff --git a/stable/feeds/templates/_common.tpl b/stable/feeds/templates/_common.tpl index b8b473a5..f4f2bf3f 100644 --- a/stable/feeds/templates/_common.tpl +++ b/stable/feeds/templates/_common.tpl 
@@ -78,4 +78,4 @@ Return anchore default selector match labels {{- define "feeds.common.matchLabels" -}} app.kubernetes.io/name: {{ template "feeds.fullname" . }} app.kubernetes.io/component: feeds -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/stable/feeds/templates/_helpers.tpl b/stable/feeds/templates/_helpers.tpl index 1b35b3a0..1481d3e2 100644 --- a/stable/feeds/templates/_helpers.tpl +++ b/stable/feeds/templates/_helpers.tpl @@ -32,4 +32,4 @@ Return the proper protocol when internal SSL is enabled {{- else }} {{- print "http" }} {{- end }} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/stable/feeds/templates/anchore_vars_configmap.yaml b/stable/feeds/templates/anchore_vars_configmap.yaml index 02ddc0cb..d7ee24ae 100644 --- a/stable/feeds/templates/anchore_vars_configmap.yaml +++ b/stable/feeds/templates/anchore_vars_configmap.yaml @@ -87,4 +87,4 @@ data: ANCHORE_SSL_KEY: "null" {{- end }} ANCHORE_SSO_REQUIRES_EXISTING_USERS: "{{ .Values.anchoreConfig.user_authentication.sso_require_existing_users }}" - ANCHORE_TMP_DIR: "{{ .Values.scratchVolume.mountPath }}" \ No newline at end of file + ANCHORE_TMP_DIR: "{{ .Values.scratchVolume.mountPath }}" diff --git a/stable/feeds/templates/deployment.yaml b/stable/feeds/templates/deployment.yaml index 9176f83d..69ccdf22 100644 --- a/stable/feeds/templates/deployment.yaml +++ b/stable/feeds/templates/deployment.yaml @@ -179,4 +179,4 @@ spec: protocol: TCP {{- with .Values.service.nodePort }} nodePort: {{ . }} - {{- end }} \ No newline at end of file + {{- end }} diff --git a/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml index 02cefd07..2a85298a 100644 --- a/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml +++ b/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml 
@@ -123,4 +123,4 @@ spec: - | {{ print (include "feeds.doSourceFile" .) }} anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}":"${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}"?sslmode={{- .Values.anchoreConfig.database.sslMode -}}\&sslrootcert=/home/anchore/certs/{{- .Values.anchoreConfig.database.sslRootCertFileName }} upgrade --dontask; {{- end }} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/stable/feeds/templates/hooks/pre-upgrade/upgrade_rbac.yaml b/stable/feeds/templates/hooks/pre-upgrade/upgrade_rbac.yaml index ca9c1a0d..f7f55279 100644 --- a/stable/feeds/templates/hooks/pre-upgrade/upgrade_rbac.yaml +++ b/stable/feeds/templates/hooks/pre-upgrade/upgrade_rbac.yaml @@ -58,7 +58,7 @@ rules: - watch - update - patch - - apiGroups: + - apiGroups: - apps resources: - deployments/scale @@ -72,4 +72,4 @@ rules: - watch - list - get -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/stable/feeds/templates/pvc.yaml b/stable/feeds/templates/pvc.yaml index ae346bfe..5cc7978a 100644 --- a/stable/feeds/templates/pvc.yaml +++ b/stable/feeds/templates/pvc.yaml @@ -23,4 +23,4 @@ spec: storageClassName: "{{ .Values.persistence.storageClass }}" {{- end }} {{- end }} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/stable/feeds/templates/secret.yaml b/stable/feeds/templates/secret.yaml index 4d46f975..dc7ace82 100644 --- a/stable/feeds/templates/secret.yaml +++ b/stable/feeds/templates/secret.yaml 
@@ -12,7 +12,7 @@ stringData: ANCHORE_FEEDS_DB_USER: {{ index .Values "feeds-db" "auth" "username" | quote }} ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "feeds-db" "auth" "password" | quote }} ANCHORE_FEEDS_DB_HOST: {{ include "feeds.dbHostname" . | quote }} - ANCHORE_FEEDS_DB_PORT: {{ index .Values "feeds-db" "primary" "service" "ports" "postgresql" | quote }} + ANCHORE_FEEDS_DB_PORT: {{ index .Values "feeds-db" "primary" "service" "ports" "postgresql" | quote }} {{- with .Values.anchoreConfig.keys.secret }} ANCHORE_SAML_SECRET: {{ . | quote }} {{- end }} @@ -29,4 +29,4 @@ stringData: ANCHORE_GEM_DB_PASSWORD: {{ index .Values "gem-db" "auth" "password" | quote }} ANCHORE_GEM_DB_PORT: {{ index .Values "gem-db" "primary" "service" "ports" "postgresql" | quote }} {{- end }} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap index 5a26f34b..c701ed31 100644 --- a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap @@ -124,9 +124,9 @@ should render the configmaps: app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: test-release-feeds app.kubernetes.io/part-of: anchore - app.kubernetes.io/version: 4.9.1 + app.kubernetes.io/version: 9.9.9 bar: baz-label foo: bar-label - helm.sh/chart: feeds-0.0.4 + helm.sh/chart: feeds-9.9.9 name: test-release-feeds namespace: test-namespace diff --git a/stable/feeds/tests/configmap_test.yaml b/stable/feeds/tests/configmap_test.yaml index 29e84833..b65b0eb8 100644 --- a/stable/feeds/tests/configmap_test.yaml +++ b/stable/feeds/tests/configmap_test.yaml @@ -6,6 +6,9 @@ values: release: name: test-release namespace: test-namespace +chart: + version: 9.9.9 + appVersion: 9.9.9 tests: - it: should render the configmaps asserts: 
diff --git a/stable/feeds/tests/feeds_resources_test.yaml b/stable/feeds/tests/feeds_resources_test.yaml index f71f03d5..a83f895e 100644 --- a/stable/feeds/tests/feeds_resources_test.yaml +++ b/stable/feeds/tests/feeds_resources_test.yaml @@ -335,4 +335,4 @@ tests: protocol: TCP targetPort: 8448 nodePort: 9999 - count: 1 \ No newline at end of file + count: 1 diff --git a/stable/feeds/tests/posthook_upgrade_resources_test.yaml b/stable/feeds/tests/posthook_upgrade_resources_test.yaml index c5f0a032..fef7578d 100644 --- a/stable/feeds/tests/posthook_upgrade_resources_test.yaml +++ b/stable/feeds/tests/posthook_upgrade_resources_test.yaml @@ -175,4 +175,4 @@ tests: content: cpu: 200m memory: 256Mi - count: 1 \ No newline at end of file + count: 1 diff --git a/stable/feeds/tests/prehook_upgrade_resources_test.yaml b/stable/feeds/tests/prehook_upgrade_resources_test.yaml index 1195e72d..b325aab2 100644 --- a/stable/feeds/tests/prehook_upgrade_resources_test.yaml +++ b/stable/feeds/tests/prehook_upgrade_resources_test.yaml @@ -250,4 +250,4 @@ tests: content: cpu: 200m memory: 256Mi - count: 1 \ No newline at end of file + count: 1 diff --git a/stable/k8s-inventory/Chart.yaml b/stable/k8s-inventory/Chart.yaml index 85002f75..599590aa 100644 --- a/stable/k8s-inventory/Chart.yaml +++ b/stable/k8s-inventory/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: k8s-inventory -version: 0.0.4 +version: 0.0.5 appVersion: "1.0.0" description: A Helm chart for Kubernetes Automated Inventory, which describes which images are in use in a given Kubernetes Cluster keywords: diff --git a/stable/k8s-inventory/README.md b/stable/k8s-inventory/README.md index 06953983..6aa26164 100644 --- a/stable/k8s-inventory/README.md +++ b/stable/k8s-inventory/README.md 
@@ -1,7 +1,7 @@ # K8s Inventory Helm Chart K8s Inventory is the foundation of Anchore Enterprise's Runtime Inventory feature. Running K8s Inventory via Helm is a great way to retrieve your Kubernetes Image inventory without providing Cluster Credentials to Anchore. The minimum version of the Anchore Enterprise platform required for K8s Inventory is 4.7. -K8s Inventory runs as a read-only service account in the cluster it's deployed to. +K8s Inventory runs as a read-only service account in the cluster it's deployed to. In order to report the inventory to Anchore, K8s Inventory does require authentication material for your Anchore Enterprise deployment. K8s Inventory's helm chart automatically creates a kubernetes secret for the Anchore Password based on the values file you use, Ex.: @@ -31,7 +31,7 @@ You can install the chart via via: ``` helm repo add anchore https://charts.anchore.io helm install -f anchore/k8s-inventory -``` +``` A basic values file can always be found [here](https://github.com/anchore/anchore-charts/tree/master/stable/k8s-inventory/values.yaml) The key configurations are in the k8sInventory.anchore section. K8s Inventory must be able to resolve the Anchore URL and requires API credentials. 
@@ -49,9 +49,9 @@ See the [K8s Inventory repo](https://github.com/anchore/k8s-inventory) for more | Name | Description | Value | | ------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | ----------------------- | | `replicaCount` | Number of replicas for the K8s Inventory deployment | `1` | -| `image.pullPolicy` | Image pull policy used by the K8s Inventory deployment | `Always` | +| `image.pullPolicy` | Image pull policy used by the K8s Inventory deployment | `IfNotPresent` | | `image.repository` | Image used for the K8s Inventory deployment | `anchore/k8s-inventory` | -| `image.tag` | Image tag used for the K8s Inventory deployment | `v1.0.0` | +| `image.tag` | Image tag used for the K8s Inventory deployment | `v1.1.1` | | `imagePullSecrets` | secrets where Kubernetes should get the credentials for pulling private images | `[]` | | `nameOverride` | overrides the name set on resources | `""` | | `fullnameOverride` | overrides the fullname set on resources | `""` | @@ -82,6 +82,7 @@ See the [K8s Inventory repo](https://github.com/anchore/k8s-inventory) for more | `useExistingSecret` | Specify whether to use an existing secret | `false` | | `existingSecretName` | if using an existing secret, specify the existing secret name | `""` | + ### k8sInventory Parameters ## | Name | Description | Value | diff --git a/stable/k8s-inventory/templates/NOTES.txt b/stable/k8s-inventory/templates/NOTES.txt index 58271b4d..df5bd75b 100644 --- a/stable/k8s-inventory/templates/NOTES.txt +++ b/stable/k8s-inventory/templates/NOTES.txt @@ -3,4 +3,4 @@ K8s Inventory must be able to resolve the Anchore URL and requires API credentia For more info see: https://github.com/anchore/k8s-inventory -K8s Inventory is now installed. \ No newline at end of file +K8s Inventory is now installed. 
diff --git a/stable/k8s-inventory/templates/_helpers.tpl b/stable/k8s-inventory/templates/_helpers.tpl index b048ac64..c034fc91 100644 --- a/stable/k8s-inventory/templates/_helpers.tpl +++ b/stable/k8s-inventory/templates/_helpers.tpl @@ -67,4 +67,3 @@ Create the name of the service account to use {{- default "default" .Values.serviceAccount.name }} {{- end }} {{- end }} - diff --git a/stable/k8s-inventory/templates/cluster-role-binding.yaml b/stable/k8s-inventory/templates/cluster-role-binding.yaml index 533bbc59..b9bb06ff 100644 --- a/stable/k8s-inventory/templates/cluster-role-binding.yaml +++ b/stable/k8s-inventory/templates/cluster-role-binding.yaml @@ -17,4 +17,4 @@ subjects: roleRef: kind: ClusterRole name: {{ include "k8sInventory.fullname" . }}-read-only - apiGroup: rbac.authorization.k8s.io \ No newline at end of file + apiGroup: rbac.authorization.k8s.io diff --git a/stable/k8s-inventory/templates/cluster-role-readonly.yaml b/stable/k8s-inventory/templates/cluster-role-readonly.yaml index 2559a844..45a8ab3f 100644 --- a/stable/k8s-inventory/templates/cluster-role-readonly.yaml +++ b/stable/k8s-inventory/templates/cluster-role-readonly.yaml @@ -13,4 +13,4 @@ metadata: rules: - apiGroups: [""] resources: ["pods","namespaces", "nodes"] - verbs: ["get", "watch", "list"] \ No newline at end of file + verbs: ["get", "watch", "list"] diff --git a/stable/k8s-inventory/templates/deployment.yaml b/stable/k8s-inventory/templates/deployment.yaml index bed2a5e4..9978e1f5 100644 --- a/stable/k8s-inventory/templates/deployment.yaml +++ b/stable/k8s-inventory/templates/deployment.yaml @@ -20,7 +20,7 @@ spec: annotations: {{- with .Values.annotations }} {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} diff --git a/stable/kai/Chart.yaml b/stable/kai/Chart.yaml index 20dd6dc1..1151bbc8 100644 --- a/stable/kai/Chart.yaml +++ b/stable/kai/Chart.yaml 
@@ -1,6 +1,6 @@ apiVersion: v2 name: kai -version: 0.5.0 +version: 0.5.1 appVersion: 0.5.0 description: A Helm chart for Kubernetes Automated Inventory, which describes which images are in use in a given Kubernetes Cluster keywords: diff --git a/stable/kai/README.md b/stable/kai/README.md index ee61cf1f..c7d3633e 100644 --- a/stable/kai/README.md +++ b/stable/kai/README.md @@ -1,7 +1,7 @@ # KAI Helm Chart KAI is the foundation of Anchore Enterprise's Runtime Inventory feature. Running KAI via Helm is a great way to retrieve your Kubernetes Image inventory without providing Cluster Credentials to Anchore. -KAI runs as a read-only service account in the cluster it's deployed to. +KAI runs as a read-only service account in the cluster it's deployed to. In order to report the inventory to Anchore, KAI does require authentication material for your Anchore Enterprise deployment. KAI's helm chart automatically creates a kubernetes secret for the Anchore Password based on the values file you use, Ex.: @@ -31,7 +31,7 @@ You can install the chart via via: ``` helm repo add anchore https://charts.anchore.io helm install -f anchore/kai -``` +``` A basic values file can always be found [here](https://github.com/anchore/anchore-charts/tree/master/stable/kai/values.yaml) The key configurations are in the kai.anchore section. Kai must be able to resolve the Anchore URL and requires API credentials. 
@@ -40,4 +40,4 @@ Note: the Anchore API Password can be provided via a kubernetes secret, or injec * For injecting the environment variable, see: inject_secrets_via_env * For providing your own secret for the Anchore API Password, see: kai.existing_secret. kai creates it's own secret based on your values.yaml file for key kai.anchore.password, but the kai.existingSecret key allows you to create your own secret and provide it in the values file. -See the [kai repo](https://github.com/anchore/kai) for more information about the KAI-specific configuration \ No newline at end of file +See the [kai repo](https://github.com/anchore/kai) for more information about the KAI-specific configuration diff --git a/stable/kai/templates/cluster-role-binding.yaml b/stable/kai/templates/cluster-role-binding.yaml index 0ae275bf..971da80b 100644 --- a/stable/kai/templates/cluster-role-binding.yaml +++ b/stable/kai/templates/cluster-role-binding.yaml @@ -9,4 +9,4 @@ subjects: roleRef: kind: ClusterRole name: {{ include "kai.fullname" . }}-read-only - apiGroup: rbac.authorization.k8s.io \ No newline at end of file + apiGroup: rbac.authorization.k8s.io diff --git a/stable/kai/templates/cluster-role-readonly.yaml b/stable/kai/templates/cluster-role-readonly.yaml index f26d9a51..abb821a4 100644 --- a/stable/kai/templates/cluster-role-readonly.yaml +++ b/stable/kai/templates/cluster-role-readonly.yaml @@ -5,4 +5,4 @@ metadata: rules: - apiGroups: [""] resources: ["pods","namespaces"] - verbs: ["get", "watch", "list"] \ No newline at end of file + verbs: ["get", "watch", "list"] From 0f05d987e72d43305dc12d472a84d1b221aa3eb2 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 15 Sep 2023 17:56:23 -0700 Subject: [PATCH 206/329] add version to pre-commit pre-req Signed-off-by: Brady Todhunter --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c7a0e5f8..f63eebeb 100644 --- a/README.md +++ b/README.md 
@@ -6,7 +6,7 @@ This repository contains Helm charts for deploying [Anchore](https://www.anchore - [Helm](https://helm.sh/) (>=3.8) - Helm is a package manager for Kubernetes that makes it easy to install and manage applications on your cluster. - [Kubernetes](https://kubernetes.io/) (>=1.23) - Kubernetes is an open-source container orchestration platform that is required to use Helm charts. -- [pre-commit](https://pre-commit.com/) - pre-commit is a tool that is used to ensure that all commits to the repository are properly formatted. It is not required to use the charts in this repository, but it is recommended to install it to ensure that your commits are properly formatted. +- [pre-commit](https://pre-commit.com/) (>=3.4) - pre-commit is a tool that is used to ensure that all commits to the repository are properly formatted. It is not required to use the charts in this repository, but it is recommended to install it to ensure that your commits are properly formatted. ## Installation From eb6e1d6d2d7ad05f1f0457c685a1d58eb2b783db Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 15 Sep 2023 18:01:40 -0700 Subject: [PATCH 207/329] remove step-security harden-runner action Signed-off-by: Brady Todhunter --- .github/workflows/deploy.yaml | 5 ----- .github/workflows/helm-unittests.yaml | 5 ----- .github/workflows/lint.yaml | 5 ----- .github/workflows/scorecards.yml | 5 ----- .github/workflows/test.yaml | 5 ----- 5 files changed, 25 deletions(-) diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 4d16306a..0f34bc12 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -18,11 +18,6 @@ jobs: TARGET_BRANCH: "${{ github.event.pull_request.base.ref }}" runs-on: ubuntu-latest steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 - with: - egress-policy: audit - - name: Checkout uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 
diff --git a/.github/workflows/helm-unittests.yaml b/.github/workflows/helm-unittests.yaml index b3c5fa01..bf30d3b1 100644 --- a/.github/workflows/helm-unittests.yaml +++ b/.github/workflows/helm-unittests.yaml @@ -21,11 +21,6 @@ jobs: TARGET_BRANCH: "${{ github.event.pull_request.base.ref }}" runs-on: ubuntu-latest steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 - with: - egress-policy: audit - - name: Checkout charts uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index f8736b42..4d240ecf 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -12,11 +12,6 @@ jobs: fail-fast: false runs-on: ubuntu-latest steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 - with: - egress-policy: audit - - name: Checkout uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 9b19fb65..64fcde50 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -30,11 +30,6 @@ jobs: actions: read steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 - with: - egress-policy: audit - - name: "Checkout code" uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 968fb460..4145807a 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml 
@@ -13,11 +13,6 @@ jobs: kubernetesVersion: ["v1.23.17", "v1.24.15", "v1.25.11", "v1.26.6", "v1.27.3"] runs-on: ubuntu-latest steps: - - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 - with: - egress-policy: audit - - name: Checkout uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 From 7af137248936ca2448cc986492983b8174e40c74 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Mon, 18 Sep 2023 19:14:19 -0700 Subject: [PATCH 208/329] Fix feeds external url (#126) * fix feeds external url generation * add mariner feed * use parent enterprise.fullname helper template in feeds chart * fix typo in env var mapping * use enterprise specific templates for feeds protocol & fullname * use global for fullnameOverride and nameOverride so that they are accessible by the feeds chart * update tests * bump chart versions --------- 
Signed-off-by: Brady Todhunter --- .../enterprise-value-converter/mappings.py | 7 ++-- stable/enterprise/Chart.lock | 4 +- stable/enterprise/Chart.yaml | 6 ++- stable/enterprise/README.md | 10 ++++- stable/enterprise/templates/_helpers.tpl | 16 +++++++- stable/enterprise/templates/_names.tpl | 37 +++++++++++------- .../__snapshot__/configmap_test.yaml.snap | 12 +++--- .../enterprise/tests/common_helpers_test.yaml | 38 +++++++++---------- stable/enterprise/values.yaml | 21 ++++++---- stable/feeds/Chart.yaml | 2 +- stable/feeds/README.md | 1 + stable/feeds/files/default_config.yaml | 14 ++++--- stable/feeds/templates/NOTES.txt | 2 - stable/feeds/templates/_helpers.tpl | 15 ++++++++ stable/feeds/templates/_names.tpl | 8 ---- .../templates/anchore_vars_configmap.yaml | 5 ++- stable/feeds/templates/deployment.yaml | 2 +- .../hooks/post-upgrade/upgrade_job.yaml | 2 +- .../hooks/pre-upgrade/upgrade_job.yaml | 2 +- .../__snapshot__/configmap_test.yaml.snap | 14 ++++--- stable/feeds/tests/feeds_resources_test.yaml | 6 --- stable/feeds/values.yaml | 4 ++ 22 files changed, 136 insertions(+), 92 deletions(-) diff --git a/scripts/enterprise-value-converter/mappings.py b/scripts/enterprise-value-converter/mappings.py index e0cec839..6a5b4e84 100644 --- a/scripts/enterprise-value-converter/mappings.py +++ b/scripts/enterprise-value-converter/mappings.py @@ -1,8 +1,7 @@ # If we see this as first level, just skip them KEYS_WITHOUT_CHANGES = { "cloudsql", - "ingress", - "fullnameOverride" + "ingress" } # check this last. If this is the last thing, and it starts with this, drop the key. eg anchoreGlobal.something -> something @@ -50,6 +49,8 @@ "anchoreEnterpriseUi": "ui", "anchorePolicyEngine": "policyEngine", "anchoreSimpleQueue": "simpleQueue", + "fullnameOverride": "global.fullnameOverride", + "nameOverride": "global.nameOverride", "ingress": "ingress" } 
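Review bot: `KEYS_WITHOUT_CHANGES` in the first hunk now closes on `"ingress"` with no trailing comma, so the next key added to the set will touch two lines; `"ingress",` avoids that churn. The two `global.*` entries in the second hunk sit in a dict whose opening line is outside the hunk, so I could only confirm they follow the `"oldKey": "newKey"` shape of their neighbours. A one-line comment above them, `# top-level name overrides moved under global.* in enterprise chart 0.0.7`, would record why the converter rewrites these two keys.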
@@ -255,7 +256,7 @@ "anchoreEnterpriseFeeds.olDriverEnabled": "feeds.ANCHORE_FEEDS_DRIVER_OL_ENABLED", "anchoreEnterpriseFeeds.rhelDriverConcurrency": "feeds.ANCHORE_FEEDS_DRIVER_RHEL_CONCURRENCY", - "anchoreEnterpriseFeeds.rhelDriverEnabled": "feeds.ANCHORE_FEEDS_DRIVER_RHEL_ENBALED", + "anchoreEnterpriseFeeds.rhelDriverEnabled": "feeds.ANCHORE_FEEDS_DRIVER_RHEL_ENABLED", "anchoreEnterpriseFeeds.slesDriverEnabled": "feeds.ANCHORE_FEEDS_DRIVER_SLES_ENABLED", "anchoreEnterpriseFeeds.ubuntuDriverEnabled": "feeds.ANCHORE_FEEDS_DRIVER_UBUNTU_ENABLED", "anchoreEnterpriseFeeds.ubuntuDriverGitBranch": "feeds.ANCHORE_FEEDS_DRIVER_UBUNTU_BRANCH", diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock index 87484348..e5b97ae6 100644 --- a/stable/enterprise/Chart.lock +++ b/stable/enterprise/Chart.lock @@ -8,5 +8,5 @@ dependencies: - name: feeds repository: https://charts.anchore.io/stable version: 0.0.3 -digest: sha256:35fd0bff9327cb7033bff96e8dcff85ba6b65ba5a8675270b45a40035718db57 -generated: "2023-09-15T16:31:47.040512-07:00" +digest: sha256:e09008523a98c8507c12682c3f26166df583cb1a6ec68b23d5b6803a6b44a63d +generated: "2023-09-18T18:53:59.218441-07:00" diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 746d3a38..a630c3a3 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.0.6" +version: "0.0.7" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | @@ -39,9 +39,11 @@ dependencies: condition: ui-redis.chartEnabled alias: ui-redis - name: feeds - version: "0.0.3" + version: "~0.0" repository: "@anchore" condition: feeds.chartEnabled import-values: - child: service parent: feeds.service + - child: anchoreConfig.internalServicesSSL + parent: feeds.anchoreConfig.internalServicesSSL diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 04aedc42..44808f33 100644 --- a/stable/enterprise/README.md 
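Review bot: `version: "~0.0"` for the feeds dependency floats across every 0.0.x release, while the `Chart.lock` hunk just above still resolves it to `0.0.3` even though this same commit bumps the feeds chart to `0.0.6`. A `helm dependency update` will therefore fetch whichever 0.0.x is published at that moment rather than the version this commit was tested with, and the lock digest will change again. If the intent is to ship the feeds changes made here, pin `version: "0.0.6"` and regenerate the lock; if the range is deliberate, a comment beside it saying so would stop the next reviewer from re-pinning it. The new `import-values` entry exists for the `enterprise.feeds.setProtocol` helper added in `_helpers.tpl`, which is worth stating in a comment on the entry so the two are not decoupled later.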
+++ b/stable/enterprise/README.md @@ -717,12 +717,18 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts ## Parameters +### Global Resource Parameters + +| Name | Description | Value | +| ------------------------- | --------------------------------------- | ----- | +| `global.fullnameOverride` | overrides the fullname set on resources | `""` | +| `global.nameOverride` | overrides the name set on resources | `""` | + + ### Common Resource Parameters | Name | Description | Value | | ------------------------------------- | ------------------------------------------------------------------------------------- | ------------------------------------- | -| `fullnameOverride` | overrides the fullname set on resources | `""` | -| `nameOverride` | overrides the name set on resources | `""` | | `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v4.9.1` | | `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | | `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | diff --git a/stable/enterprise/templates/_helpers.tpl b/stable/enterprise/templates/_helpers.tpl index fe0caa04..baa23784 100644 --- a/stable/enterprise/templates/_helpers.tpl +++ b/stable/enterprise/templates/_helpers.tpl 
@@ -48,7 +48,7 @@ Returns the proper URL for the feeds service {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.feeds.url) -}} {{- $anchoreFeedsURL = (printf "%s/v1/feeds" $anchoreFeedsHost) -}} {{- else if .Values.feeds.chartEnabled }} - {{- $anchoreFeedsURL = (printf "%s://%s:%s/v1/feeds" (include "enterprise.setProtocol" .) (include "feeds.fullname" .) (.Values.feeds.service.port | toString)) -}} + {{- $anchoreFeedsURL = (printf "%s://%s:%s/v1/feeds" (include "enterprise.feeds.setProtocol" .) (include "enterprise.feeds.fullname" .) (.Values.feeds.service.port | toString)) -}} {{- end }} {{- print $anchoreFeedsURL -}} {{- end -}} @@ -65,7 +65,7 @@ Returns the proper URL for the grype provider {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.feeds.url) -}} {{- $grypeProviderFeedsExternalURL = (printf "%s/v1/databases/grypedb" $anchoreFeedsHost) -}} {{- else if .Values.feeds.chartEnabled }} - {{- $grypeProviderFeedsExternalURL = (printf "%s://%s:%s/v1/databases/grypedb" (include "enterprise.setProtocol" .) (include "feeds.fullname" .) (.Values.feeds.service.port | toString) ) -}} + {{- $grypeProviderFeedsExternalURL = (printf "%s://%s:%s/v1/databases/grypedb" (include "enterprise.feeds.setProtocol" .) (include "enterprise.feeds.fullname" .) (.Values.feeds.service.port | toString) ) -}} {{- end }} {{- /* Set the grypeProviderFeedsExternalURL to upstream feeds if still unset or if specifically overridden */}} @@ -106,6 +106,18 @@ Return the proper protocol when Anchore internal SSL is enabled {{- end -}} +{{/* +Return the proper protocol when Anchore internal SSL is enabled +*/}} +{{- define "enterprise.feeds.setProtocol" -}} + {{- if .Values.feeds.anchoreConfig.internalServicesSSL.enabled }} +{{- print "https" -}} + {{- else -}} +{{- print "http" -}} + {{- end }} +{{- end -}} + + {{/* Return the database password for the Anchore Enterprise UI config */}} 
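Review bot: The header comment on the new `enterprise.feeds.setProtocol` define is a verbatim copy of the one on `enterprise.setProtocol` above it, so the two read as interchangeable although they key on different values. Replace it with `Return the protocol for the feeds service: reads feeds.anchoreConfig.internalServicesSSL.enabled, which Chart.yaml imports from the feeds subchart`. The define dereferences `.Values.feeds.anchoreConfig.internalServicesSSL.enabled` unguarded; both call sites changed in the hunks above sit inside the `.Values.feeds.chartEnabled` branch, but if it is ever called with the subchart disabled that map is presumably absent and rendering fails with a nil-pointer error, so a `dig "anchoreConfig" "internalServicesSSL" "enabled" false .Values.feeds` lookup would make it safe to reuse. The `enterprise.setProtocol` define whose comment is duplicated starts outside the hunk.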
diff --git a/stable/enterprise/templates/_names.tpl b/stable/enterprise/templates/_names.tpl index e5cfda43..a710e68e 100644 --- a/stable/enterprise/templates/_names.tpl +++ b/stable/enterprise/templates/_names.tpl 
@@ -4,69 +4,78 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this */}} {{- define "enterprise.fullname" -}} -{{- if .Values.fullnameOverride }} - {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- if .Values.global.fullnameOverride }} + {{- .Values.global.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- else }} - {{- $name := default .Chart.Name .Values.nameOverride }} + {{- $name := default .Chart.Name .Values.global.nameOverride }} {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} {{- end }} {{- end -}} {{- define "enterprise.analyzer.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- $name := default .Chart.Name .Values.global.nameOverride -}} {{- printf "%s-%s-%s" .Release.Name $name "analyzer"| trunc 63 | trimSuffix "-" -}} {{- end -}} {{- define "enterprise.api.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- $name := default .Chart.Name .Values.global.nameOverride -}} {{- printf "%s-%s-%s" .Release.Name $name "api"| trunc 63 | trimSuffix "-" -}} {{- end -}} {{- define "enterprise.catalog.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- $name := default .Chart.Name .Values.global.nameOverride -}} {{- printf "%s-%s-%s" .Release.Name $name "catalog"| trunc 63 | trimSuffix "-" -}} {{- end -}} {{- define "enterprise.notifications.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- $name := default .Chart.Name .Values.global.nameOverride -}} {{- printf "%s-%s-%s" .Release.Name $name "notifications"| trunc 63 | trimSuffix "-" -}} {{- end -}} {{- define "enterprise.policyEngine.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- $name := default .Chart.Name .Values.global.nameOverride -}} {{- printf "%s-%s-%s" .Release.Name $name "policy"| trunc 63 | trimSuffix "-" -}} {{- end -}} {{- define "enterprise.rbacAuth.fullname" -}} -{{- $name := default .Chart.Name 
.Values.nameOverride -}} +{{- $name := default .Chart.Name .Values.global.nameOverride -}} {{- printf "%s-%s-%s" .Release.Name $name "rbac-auth"| trunc 63 | trimSuffix "-" -}} {{- end -}} {{- define "enterprise.rbacManager.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- $name := default .Chart.Name .Values.global.nameOverride -}} {{- printf "%s-%s-%s" .Release.Name $name "rbac-manager"| trunc 63 | trimSuffix "-" -}} {{- end -}} {{- define "enterprise.reports.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- $name := default .Chart.Name .Values.global.nameOverride -}} {{- printf "%s-%s-%s" .Release.Name $name "reports"| trunc 63 | trimSuffix "-" -}} {{- end -}} {{- define "enterprise.simpleQueue.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- $name := default .Chart.Name .Values.global.nameOverride -}} {{- printf "%s-%s-%s" .Release.Name $name "simplequeue"| trunc 63 | trimSuffix "-" -}} {{- end -}} {{- define "enterprise.ui.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- $name := default .Chart.Name .Values.global.nameOverride -}} {{- printf "%s-%s-%s" .Release.Name $name "ui"| trunc 63 | trimSuffix "-" -}} {{- end -}} {{- define "enterprise.upgradeJob.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- $name := default .Chart.Name .Values.global.nameOverride -}} {{- printf "%s-%s-%s-%s" .Release.Name $name (.Chart.AppVersion | replace "." 
"") "upgrade" | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- define "enterprise.feeds.fullname" -}} +{{- if .Values.feeds.fullnameOverride }} + {{- .Values.feeds.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} + {{- $name := default "feeds" .Values.feeds.nameOverride -}} + {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} + {{- define "postgres.fullname" -}} {{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}} {{- end -}} diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 9fa7837e..a24bb091 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -221,22 +221,22 @@ should render the configmaps: data: grypedb: enabled: true - url: http://test-release-enterprise:8448/v1/databases/grypedb + url: http://test-release-feeds:8448/v1/databases/grypedb vulnerabilities: enabled: ${ANCHORE_FEEDS_VULNERABILITIES_ENABLED} - url: http://test-release-enterprise:8448/v1/feeds + url: http://test-release-feeds:8448/v1/feeds nvdv2: enabled: ${ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED} - url: http://test-release-enterprise:8448/v1/feeds + url: http://test-release-feeds:8448/v1/feeds github: enabled: ${ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED} - url: http://test-release-enterprise:8448/v1/feeds + url: http://test-release-feeds:8448/v1/feeds packages: enabled: ${ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED} - url: http://test-release-enterprise:8448/v1/feeds + url: http://test-release-feeds:8448/v1/feeds microsoft: enabled: ${ANCHORE_FEEDS_DRIVER_MSRC_ENABLED} - url: http://test-release-enterprise:8448/v1/feeds + url: http://test-release-feeds:8448/v1/feeds ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} 
diff --git a/stable/enterprise/tests/common_helpers_test.yaml b/stable/enterprise/tests/common_helpers_test.yaml index bb21d842..71ab9383 100644 --- a/stable/enterprise/tests/common_helpers_test.yaml +++ b/stable/enterprise/tests/common_helpers_test.yaml @@ -591,9 +591,9 @@ tests: path: metadata.name pattern: ^test-release-enterprise - - it: should render enterprise.fullname with fullnameOverride for services + - it: should render enterprise.fullname with global.fullnameOverride for services set: - fullnameOverride: my-fullname-override + global.fullnameOverride: my-fullname-override templates: - api_deployment.yaml - catalog_deployment.yaml @@ -609,9 +609,9 @@ tests: path: spec.selector["app.kubernetes.io/name"] pattern: ^my-fullname-override - - it: should render enterprise.fullname with nameOverride for services + - it: should render enterprise.fullname with global.nameOverride for services set: - nameOverride: my-name-override + global.nameOverride: my-name-override templates: - api_deployment.yaml - catalog_deployment.yaml @@ -849,11 +849,11 @@ tests: asserts: - matchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-enterprise:8448/v1/databases/grypedb" + pattern: "url: http://test-release-feeds:8448/v1/databases/grypedb" - matchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-enterprise:8448/v1/feeds" + pattern: "url: http://test-release-feeds:8448/v1/feeds" - it: should render grypeProviderURL with anchoreConfig.policy_engine.overrideFeedsToUpstream set: @@ -865,7 +865,7 @@ tests: asserts: - notMatchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-enterprise:8448/v1/databases/grypedb" + pattern: "url: http://test-release-feeds:8448/v1/databases/grypedb" - matchRegex: path: data["config.yaml"] 
@@ -882,34 +882,34 @@ tests: asserts: - notMatchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-enterprise:8448/v1/databases/grypedb" + pattern: "url: http://test-release-feeds:8448/v1/databases/grypedb" - matchRegex: path: data["config.yaml"] pattern: "url: https://toolbox-data.anchore.io/grype/databases/listing.json" - - it: should set the correct protocol with anchoreConfig.internalServicesSSL.enabled to true for anchore_configmap.yaml + - it: should set the correct protocol with feeds.anchoreConfig.internalServicesSSL.enabled to true for anchore_configmap.yaml set: - anchoreConfig.internalServicesSSL.enabled: true + feeds.anchoreConfig.internalServicesSSL.enabled: true templates: - anchore_configmap.yaml documentIndex: 0 asserts: - matchRegex: path: data["config.yaml"] - pattern: "url: https://test-release-enterprise:8448/v1/databases/grypedb" + pattern: "url: https://test-release-feeds:8448/v1/databases/grypedb" - matchRegex: path: data["config.yaml"] - pattern: "url: https://test-release-enterprise:8448/v1/feeds" + pattern: "url: https://test-release-feeds:8448/v1/feeds" - notMatchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-enterprise:8448/v1/databases/grypedb" + pattern: "url: http://test-release-feeds:8448/v1/databases/grypedb" - notMatchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-enterprise:8448/v1/feeds" + pattern: "url: http://test-release-feeds:8448/v1/feeds" - it: should set the correct protocol with anchoreConfig.internalServicesSSL.enabled to true for deployments set: @@ -926,7 +926,7 @@ tests: content: scheme: HTTPS - - it: should set the correct protocol with anchoreConfig.internalServicesSSL.enabled to false for anchore_configmap.yaml + - it: should set the correct protocol with feeds.anchoreConfig.internalServicesSSL.enabled to false for anchore_configmap.yaml set: anchoreConfig.internalServicesSSL.enabled: false templates: 
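Review bot: The renamed test at `@@ -926` now says `feeds.anchoreConfig.internalServicesSSL.enabled to false` but its `set:` still uses `anchoreConfig.internalServicesSSL.enabled: false`, the parent-chart key, so it exercises the default rather than the feeds value that `enterprise.feeds.setProtocol` reads. The `@@ -882` hunk changed both the title and the `set:` key; this one should do the same, `feeds.anchoreConfig.internalServicesSSL.enabled: false`. As written the assertions still pass, which is exactly why the mismatch is easy to miss.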
@@ -935,19 +935,19 @@ tests: asserts: - matchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-enterprise:8448/v1/databases/grypedb" + pattern: "url: http://test-release-feeds:8448/v1/databases/grypedb" - matchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-enterprise:8448/v1/feeds" + pattern: "url: http://test-release-feeds:8448/v1/feeds" - notMatchRegex: path: data["config.yaml"] - pattern: "url: https://test-release-enterprise:8448/v1/databases/grypedb" + pattern: "url: https://test-release-feeds:8448/v1/databases/grypedb" - notMatchRegex: path: data["config.yaml"] - pattern: "url: https://test-release-enterprise:8448/v1/feeds" + pattern: "url: https://test-release-feeds:8448/v1/feeds" - it: should set the correct protocol with anchoreConfig.internalServicesSSL.enabled to false for deployments set: diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 590a4329..02277c96 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml 
@@ -1,15 +1,20 @@ ################################################### -## @section Common Resource Parameters -## Common params used by all Anchore k8s resources +## @section Global Resource Parameters +## Global params used by all child charts ################################################### +global: + ## @param global.fullnameOverride overrides the fullname set on resources + ## + fullnameOverride: "" -## @param fullnameOverride overrides the fullname set on resources -## -fullnameOverride: "" + ## @param global.nameOverride overrides the name set on resources + ## + nameOverride: "" -## @param nameOverride overrides the name set on resources -## -nameOverride: "" +################################################### +## @section Common Resource Parameters +## Common params used by all Anchore k8s resources +################################################### ## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI ## diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index 45ab73cc..232015e5 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: feeds type: application -version: "0.0.5" +version: "0.0.6" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: Anchore feeds service diff --git a/stable/feeds/README.md b/stable/feeds/README.md index 2b3ccdbf..681cfb64 100644 --- a/stable/feeds/README.md +++ b/stable/feeds/README.md 
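Review bot: Moving `fullnameOverride` and `nameOverride` under `global:` silently breaks existing values files: Helm does not reject unknown top-level keys, so a user who still sets `fullnameOverride` gets no error and `enterprise.fullname` falls back to `<release>-enterprise`, renaming every resource on upgrade. The converter script is updated in this commit, but values maintained by hand are not covered, and neither the README hunk nor this one mentions the move. Add `## NOTE: fullnameOverride and nameOverride moved to global.* in 0.0.7; the top-level keys are no longer read` where the old keys were, and consider a template-side `fail` when either top-level key is still set so the rename surfaces at `helm upgrade` time rather than as renamed resources.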
@@ -213,6 +213,7 @@ feeds-db: | Name | Description | Value | | ------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | | `standalone` | Enable running the Anchore Feeds service in standalone mode | `true` | +| `url` | Set a custom feeds URL. Useful when using a feeds service endpoint that is external from the cluster. | `""` | | `enterpriseFullname` | set the fullname on enterprise resources. Only needed when standalone=false and fullnameOverride is set for the enterprise chart. | `""` | | `fullnameOverride` | overrides the fullname set on resources | `""` | | `nameOverride` | overrides the name set on resources | `""` | diff --git a/stable/feeds/files/default_config.yaml b/stable/feeds/files/default_config.yaml index f23d98fb..83b55cc0 100644 --- a/stable/feeds/files/default_config.yaml +++ b/stable/feeds/files/default_config.yaml @@ -57,11 +57,14 @@ services: listen: '0.0.0.0' port: ${ANCHORE_PORT} max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} + ssl_enable: ${ANCHORE_SSL_ENABLED} + ssl_cert: ${ANCHORE_SSL_CERT} + ssl_key: ${ANCHORE_SSL_KEY} cycle_timers: {{- toYaml .Values.anchoreConfig.feeds.cycle_timers | nindent 6 }} local_workspace: ${ANCHORE_FEEDS_LOCAL_WORKSPACE} workspace_preload: enabled: ${ANCHORE_FEEDS_WORKSPACE_PRELOAD} - workspace_preload_file: "/workspace_preload/data.tar.gz" + workspace_preload_file: ${ANCHORE_FEEDS_LOCAL_WORKSPACE}/data.tar.gz api_only: ${ANCHORE_FEEDS_API_ONLY} drivers: amzn: @@ -85,7 +88,7 @@ services: releases: {{- toYaml . | nindent 10 }} {{- end }} rhel: - enabled: ${ANCHORE_FEEDS_DRIVER_RHEL_ENBALED} + enabled: ${ANCHORE_FEEDS_DRIVER_RHEL_ENABLED} concurrency: ${ANCHORE_FEEDS_DRIVER_RHEL_CONCURRENCY} npm: enabled: ${ANCHORE_FEEDS_DRIVER_NPM_ENABLED} 
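Review bot: `workspace_preload_file: ${ANCHORE_FEEDS_LOCAL_WORKSPACE}/data.tar.gz` drops the quotes the old literal had, and the same happens to `external_feeds_url` in the `@@ -108` hunk below; these values are presumably substituted before the YAML is parsed, so an empty expansion now yields `null` instead of `""` and a `: ` or ` #` in a user-supplied `url` would change the parse. Keeping them quoted, `workspace_preload_file: "${ANCHORE_FEEDS_LOCAL_WORKSPACE}/data.tar.gz"` and `external_feeds_url: "${ANCHORE_FEEDS_EXTERNAL_URL}"`, costs nothing. The path change also moves the preload tarball from the fixed `/workspace_preload/` location into the persistence mount; if the deployment still mounts a volume at `/workspace_preload`, that mount is now dead, which I cannot confirm from this hunk.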
@@ -97,6 +100,8 @@ services: nvdv2: enabled: ${ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED} api_key: ${ANCHORE_NVD_API_KEY} + mariner: + enabled: ${ANCHORE_FEEDS_DRIVER_MARINER_ENABLED} msrc: enabled: ${ANCHORE_FEEDS_DRIVER_MSRC_ENABLED} {{- with .Values.anchoreConfig.feeds.drivers.msrc.whitelist }} @@ -108,7 +113,7 @@ services: token: ${ANCHORE_GITHUB_TOKEN} grypedb: enabled: ${ANCHORE_FEEDS_DRIVER_GRYPEDB_ENABLED} - external_feeds_url: "${ANCHORE_FEEDS_EXTERNAL_URL}" + external_feeds_url: ${ANCHORE_FEEDS_EXTERNAL_URL} preload: enabled: ${ANCHORE_FEEDS_GRYPEDB_PRELOAD_ENABLED} workspace_archive_path: ${ANCHORE_FEEDS_GRYPEDB_PRELOAD_PATH} @@ -122,6 +127,3 @@ services: enabled: ${ANCHORE_FEEDS_DRIVER_WOLFI_ENABLED} chainguard: enabled: ${ANCHORE_FEEDS_DRIVER_CHAINGUARD_ENABLED} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} diff --git a/stable/feeds/templates/NOTES.txt b/stable/feeds/templates/NOTES.txt index 48b65441..36ca2090 100644 --- a/stable/feeds/templates/NOTES.txt +++ b/stable/feeds/templates/NOTES.txt @@ -1,5 +1,3 @@ -You need the URL, username, and password to access the Feeds API - The Feeds API can be accessed via port {{ .Values.service.port }} on the following DNS name from within the cluster: {{ include "feeds.fullname" . -}}.{{- .Release.Namespace -}}.svc.cluster.local diff --git a/stable/feeds/templates/_helpers.tpl b/stable/feeds/templates/_helpers.tpl index 1481d3e2..d4dc1f13 100644 --- a/stable/feeds/templates/_helpers.tpl +++ b/stable/feeds/templates/_helpers.tpl 
@@ -33,3 +33,18 @@ Return the proper protocol when internal SSL is enabled {{- print "http" }} {{- end }} {{- end -}} + +{{/* +Return a URL for the external feeds service +*/}} +{{- define "feeds.setGrypeProviderURL" -}} +{{- $grypeProviderFeedsExternalURL := "" }} +{{- if .Values.url }} + {{- $urlPathSuffix := (default "" (regexFind "/v1.*$" .Values.url) ) }} + {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.url) }} + {{- $grypeProviderFeedsExternalURL = (printf "%s/v1/" $anchoreFeedsHost) }} +{{- else }} + {{- $grypeProviderFeedsExternalURL = (printf "%s://%s:%s/v1/" (include "feeds.setProtocol" .) (include "feeds.fullname" .) (.Values.service.port | toString) ) -}} +{{- end }} +{{- print $grypeProviderFeedsExternalURL }} +{{- end -}} diff --git a/stable/feeds/templates/_names.tpl b/stable/feeds/templates/_names.tpl index 951a0665..e06257e7 100644 --- a/stable/feeds/templates/_names.tpl +++ b/stable/feeds/templates/_names.tpl @@ -4,14 +4,6 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this If release name contains chart name it will be used as a full name. */}} -{{- define "feeds.enterprise.fullname" -}} -{{- if .Values.enterpriseFullname }} - {{- .Values.enterpriseFullname | trunc 63 | trimSuffix "-" }} -{{- else }} - {{- printf "%s-%s" .Release.Name "enterprise" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} - {{- define "feeds.fullname" -}} {{- if .Values.fullnameOverride }} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} diff --git a/stable/feeds/templates/anchore_vars_configmap.yaml b/stable/feeds/templates/anchore_vars_configmap.yaml index d7ee24ae..76426105 100644 --- a/stable/feeds/templates/anchore_vars_configmap.yaml +++ b/stable/feeds/templates/anchore_vars_configmap.yaml 
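Review bot: `feeds.setGrypeProviderURL` strips a `/v1...` suffix from `.Values.url` but not a bare trailing slash, so `url: https://feeds.example.com/` renders as `https://feeds.example.com//v1/`; `{{- $anchoreFeedsHost := (trimSuffix "/" (trimSuffix $urlPathSuffix .Values.url)) }}` fixes it, and the same pattern around `$anchoreFeedsHost` in the enterprise chart's `_helpers.tpl` (context lines there) has the same gap. The header comment, `Return a URL for the external feeds service`, is inaccurate for the `else` branch, which builds the in-cluster URL; `Base /v1/ URL the grype provider uses to reach the feeds API: .Values.url when set, otherwise the in-cluster service URL from feeds.setProtocol, feeds.fullname and service.port` describes both branches. `regexFind "/v1.*$"` also matches a `/v1` that appears later in the path, which is acceptable only if `.Values.url` is always the feeds root, so that expectation belongs in the README row added for `url`.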
@@ -41,19 +41,20 @@ data: ANCHORE_FEEDS_DRIVER_GEM_ENABLED: "{{ .Values.anchoreConfig.feeds.drivers.gem.enabled }}" ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED: "{{ .Values.anchoreConfig.feeds.drivers.github.enabled }}" ANCHORE_FEEDS_DRIVER_GRYPEDB_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_MARINER_ENABLED: "true" ANCHORE_FEEDS_DRIVER_MATCH_EXCLUSIONS: "true" ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: "{{ .Values.anchoreConfig.feeds.drivers.msrc.enabled }}" ANCHORE_FEEDS_DRIVER_NPM_ENABLED: "{{ .Values.anchoreConfig.feeds.drivers.npm.enabled }}" ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED: "true" ANCHORE_FEEDS_DRIVER_OL_ENABLED: "true" ANCHORE_FEEDS_DRIVER_RHEL_CONCURRENCY: "5" - ANCHORE_FEEDS_DRIVER_RHEL_ENBALED: "true" + ANCHORE_FEEDS_DRIVER_RHEL_ENABLED: "true" ANCHORE_FEEDS_DRIVER_SLES_ENABLED: "true" ANCHORE_FEEDS_DRIVER_UBUNTU_ENABLED: "true" ANCHORE_FEEDS_DRIVER_UBUNTU_URL: "https://git.launchpad.net/ubuntu-cve-tracker" ANCHORE_FEEDS_DRIVER_UBUNTU_BRANCH: "master" ANCHORE_FEEDS_DRIVER_WOLFI_ENABLED: "true" - ANCHORE_FEEDS_EXTERNAL_URL: "{{ printf "http://localhost:%s/v2/" (.Values.service.port | toString) }}" + ANCHORE_FEEDS_EXTERNAL_URL: "{{ template "feeds.setGrypeProviderURL" . }}" ANCHORE_FEEDS_LOCAL_WORKSPACE: "{{ .Values.persistence.mountPath }}" ANCHORE_FEEDS_GRYPEDB_PRELOAD_ENABLED: "true" ANCHORE_FEEDS_GRYPEDB_PRELOAD_PATH: "/preload/grype-db-workspace.tar.gz" diff --git a/stable/feeds/templates/deployment.yaml b/stable/feeds/templates/deployment.yaml index 69ccdf22..030e8006 100644 --- a/stable/feeds/templates/deployment.yaml +++ b/stable/feeds/templates/deployment.yaml @@ -66,7 +66,7 @@ spec: name: {{ template "feeds.fullname" . }}-config-env-vars {{- if not .Values.standalone }} - configMapRef: - name: {{ template "feeds.enterprise.fullname" . }}-config-env-vars + name: {{ template "enterprise.fullname" . }}-config-env-vars {{- end }} {{- if not .Values.injectSecretsViaEnv }} {{- if .Values.useExistingSecrets }} 
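Review bot: `ANCHORE_FEEDS_EXTERNAL_URL` now points the grypedb driver at the chart's Service name instead of `localhost`, and its path changes from `/v2/` to `/v1/`; neither change is mentioned in the commit message, so a comment above the key such as `# URL the grypedb driver uses to reach this feeds service; taken from .Values.url when set, else built from the Service name, protocol and port` would help the next reader. With internal SSL enabled the helper emits an `https://` URL for the bare Service name, so the serving certificate presumably has to cover that short name — worth confirming and noting next to the key. The `/v2/` to `/v1/` change should be checked against the API version the feeds service actually serves.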
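Review bot: `{{ template "enterprise.fullname" . }}` is no longer defined anywhere in the feeds chart once `feeds.enterprise.fullname` is deleted from `_names.tpl`, so it resolves only when the feeds chart is rendered as a dependency of the enterprise chart, whose helpers share the template namespace. Installing the feeds chart on its own with `standalone: false` will now fail at render time with an undefined-template error rather than producing a configMapRef with a wrong name; if that is the intended contract, a comment on the `{{- if not .Values.standalone }}` line, `# non-standalone mode requires the parent enterprise chart, whose helpers define enterprise.fullname`, makes the coupling explicit. The same include appears in the post-upgrade and pre-upgrade hook jobs. The surrounding container spec starts before this hunk.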
diff --git a/stable/feeds/templates/hooks/post-upgrade/upgrade_job.yaml b/stable/feeds/templates/hooks/post-upgrade/upgrade_job.yaml index 62cc7c9f..abeda2a3 100644 --- a/stable/feeds/templates/hooks/post-upgrade/upgrade_job.yaml +++ b/stable/feeds/templates/hooks/post-upgrade/upgrade_job.yaml @@ -89,7 +89,7 @@ spec: name: {{ template "feeds.fullname" . }}-config-env-vars {{- if not .Values.standalone }} - configMapRef: - name: {{ template "feeds.enterprise.fullname" . }}-config-env-vars + name: {{ template "enterprise.fullname" . }}-config-env-vars {{- end }} {{- if not .Values.injectSecretsViaEnv }} {{- if .Values.useExistingSecrets }} diff --git a/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml index 2a85298a..0268a1aa 100644 --- a/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml +++ b/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml @@ -87,7 +87,7 @@ spec: name: {{ template "feeds.fullname" . }}-config-env-vars {{- if not .Values.standalone }} - configMapRef: - name: {{ template "feeds.enterprise.fullname" . }}-config-env-vars + name: {{ template "enterprise.fullname" . }}-config-env-vars {{- end }} {{- if not .Values.injectSecretsViaEnv }} {{- if .Values.useExistingSecrets }} diff --git a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap index c701ed31..995d8add 100644 --- a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap 
@@ -57,12 +57,15 @@ should render the configmaps: listen: '0.0.0.0' port: ${ANCHORE_PORT} max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} + ssl_enable: ${ANCHORE_SSL_ENABLED} + ssl_cert: ${ANCHORE_SSL_CERT} + ssl_key: ${ANCHORE_SSL_KEY} cycle_timers: driver_sync: 7200 local_workspace: ${ANCHORE_FEEDS_LOCAL_WORKSPACE} workspace_preload: enabled: ${ANCHORE_FEEDS_WORKSPACE_PRELOAD} - workspace_preload_file: "/workspace_preload/data.tar.gz" + workspace_preload_file: ${ANCHORE_FEEDS_LOCAL_WORKSPACE}/data.tar.gz api_only: ${ANCHORE_FEEDS_API_ONLY} drivers: amzn: @@ -80,7 +83,7 @@ should render the configmaps: git_url: ${ANCHORE_FEEDS_DRIVER_UBUNTU_URL} git_branch: ${ANCHORE_FEEDS_DRIVER_UBUNTU_BRANCH} rhel: - enabled: ${ANCHORE_FEEDS_DRIVER_RHEL_ENBALED} + enabled: ${ANCHORE_FEEDS_DRIVER_RHEL_ENABLED} concurrency: ${ANCHORE_FEEDS_DRIVER_RHEL_CONCURRENCY} npm: enabled: ${ANCHORE_FEEDS_DRIVER_NPM_ENABLED} @@ -89,6 +92,8 @@ should render the configmaps: nvdv2: enabled: ${ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED} api_key: ${ANCHORE_NVD_API_KEY} + mariner: + enabled: ${ANCHORE_FEEDS_DRIVER_MARINER_ENABLED} msrc: enabled: ${ANCHORE_FEEDS_DRIVER_MSRC_ENABLED} github: @@ -96,7 +101,7 @@ should render the configmaps: token: ${ANCHORE_GITHUB_TOKEN} grypedb: enabled: ${ANCHORE_FEEDS_DRIVER_GRYPEDB_ENABLED} - external_feeds_url: "${ANCHORE_FEEDS_EXTERNAL_URL}" + external_feeds_url: ${ANCHORE_FEEDS_EXTERNAL_URL} preload: enabled: ${ANCHORE_FEEDS_GRYPEDB_PRELOAD_ENABLED} workspace_archive_path: ${ANCHORE_FEEDS_GRYPEDB_PRELOAD_PATH} @@ -110,9 +115,6 @@ should render the configmaps: enabled: ${ANCHORE_FEEDS_DRIVER_WOLFI_ENABLED} chainguard: enabled: ${ANCHORE_FEEDS_DRIVER_CHAINGUARD_ENABLED} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} kind: ConfigMap metadata: annotations: diff --git a/stable/feeds/tests/feeds_resources_test.yaml b/stable/feeds/tests/feeds_resources_test.yaml index a83f895e..bc5e43a9 100644 
--- a/stable/feeds/tests/feeds_resources_test.yaml +++ b/stable/feeds/tests/feeds_resources_test.yaml @@ -201,12 +201,6 @@ tests: - name: test value: foobar asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: ANCHORE_ENDPOINT_HOSTNAME - value: test-release-feeds - count: 1 - contains: path: spec.template.spec.containers[0].env content: diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml index e53db59e..1c2552ae 100644 --- a/stable/feeds/values.yaml +++ b/stable/feeds/values.yaml @@ -7,6 +7,10 @@ ## standalone: true +## @param url Set a custom feeds URL. Useful when using a feeds service endpoint that is external from the cluster. +## i.e. https://: +url: "" + ## @param enterpriseFullname set the fullname on enterprise resources. Only needed when standalone=false and fullnameOverride is set for the enterprise chart. ## enterpriseFullname: "" From 406a8e43d2e7db5f2a95f7e823d1c44fa9214ee2 Mon Sep 17 00:00:00 2001 From: Anchore BitnamiReadmeGenerator Date: Tue, 19 Sep 2023 02:15:32 +0000 Subject: [PATCH 209/329] Update README.md with readme-generator-for-helm Signed-off-by: Anchore BitnamiReadmeGenerator --- stable/enterprise/README.md | 18 ------------------ stable/feeds/README.md | 6 ------ 2 files changed, 24 deletions(-) diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 44808f33..70be02a8 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -724,7 +724,6 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `global.fullnameOverride` | overrides the fullname set on resources | `""` | | `global.nameOverride` | overrides the name set on resources | `""` | - ### Common Resource Parameters | Name | Description | Value | 
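Review bot: The `## @param url` comment's example reads `i.e. https://:` as shown here, which looks as if placeholder text for the host and port was lost, leaving an example that does not help; `## e.g. https://feeds.example.com:8448` (a constructed example) would read clearly, and `e.g.` rather than `i.e.` is the right abbreviation for an example. It is also worth saying in the comment that a `/v1` path suffix is tolerated but not required, since the helper that consumes `url` strips it and re-appends it.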
@@ -763,7 +762,6 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | | `configOverride` | Allows for overriding the default Anchore configuration file | `""` | - ### Anchore Configuration Parameters | Name | Description | Value | @@ -857,7 +855,6 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. | `""` | | `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` | - ### Anchore API k8s Deployment Parameters | Name | Description | Value | @@ -879,7 +876,6 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `api.affinity` | Affinity for Anchore API pod assignment | `{}` | | `api.serviceAccountName` | Service account name for Anchore API pods | `""` | - ### Anchore Analyzer k8s Deployment Parameters | Name | Description | Value | @@ -895,7 +891,6 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `analyzer.affinity` | Affinity for Anchore Analyzer pod assignment | `{}` | | `analyzer.serviceAccountName` | Service account name for Anchore API pods | `""` | - ### Anchore Catalog k8s Deployment Parameters | Name | Description | Value | @@ -915,7 +910,6 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `catalog.affinity` | Affinity for Anchore Catalog pod assignment | `{}` | | `catalog.serviceAccountName` | Service account name for Anchore Catalog pods | `""` | - ### Anchore Feeds Chart Parameters | Name | Description | Value | 
@@ -924,7 +918,6 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `feeds.standalone` | Sets the Anchore Feeds chart to run into non-standalone mode, for use with Anchore Enterprise. | `false` | | `feeds.url` | Set the URL for a standalone Feeds service. Use when chartEnabled=false. | `""` | - ### Anchore Policy Engine k8s Deployment Parameters | Name | Description | Value | @@ -944,7 +937,6 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `policyEngine.affinity` | Affinity for Anchore Policy Engine pod assignment | `{}` | | `policyEngine.serviceAccountName` | Service account name for Anchore Policy Engine pods | `""` | - ### Anchore Simple Queue Parameters | Name | Description | Value | @@ -964,7 +956,6 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `simpleQueue.affinity` | Affinity for Anchore Simple Queue pod assignment | `{}` | | `simpleQueue.serviceAccountName` | Service account name for Anchore Simple Queue pods | `""` | - ### Anchore Notifications Parameters | Name | Description | Value | @@ -985,7 +976,6 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `notifications.affinity` | Affinity for Anchore Notifications pod assignment | `{}` | | `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | - ### Anchore Reports Parameters | Name | Description | Value | @@ -1006,7 +996,6 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `reports.affinity` | Affinity for Anchore Reports pod assignment | `{}` | | `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | - ### Anchore RBAC Authentication Parameters | Name | Description | Value | 
@@ -1014,7 +1003,6 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `rbacAuth.extraEnv` | Set extra environment variables for Anchore RBAC Authentication containers | `[]` | | `rbacAuth.resources` | Resource requests and limits for Anchore RBAC Authentication containers | `{}` | - ### Anchore RBAC Manager Parameters | Name | Description | Value | @@ -1035,7 +1023,6 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `rbacManager.affinity` | Affinity for Anchore RBAC Manager pod assignment | `{}` | | `rbacManager.serviceAccountName` | Service account name for Anchore RBAC Manager pods | `""` | - ### Anchore UI Parameters | Name | Description | Value | @@ -1059,7 +1046,6 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `ui.affinity` | Affinity for Anchore ui pod assignment | `{}` | | `ui.serviceAccountName` | Service account name for Anchore UI pods | `""` | - ### Anchore Upgrade Job Parameters | Name | Description | Value | @@ -1076,7 +1062,6 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `upgradeJob.resources` | Resource requests and limits for the Anchore upgrade job | `{}` | | `upgradeJob.labels` | Labels for the Anchore upgrade job | `{}` | - ### Ingress Parameters | Name | Description | Value | @@ -1095,7 +1080,6 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | - ### Google CloudSQL DB Parameters | Name | Description | Value | 
@@ -1109,7 +1093,6 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `cloudsql.serviceAccJsonName` | | `""` | | `cloudsql.extraArgs` | a list of extra arguments to be passed into the cloudsql container command. eg | `[]` | - ### Anchore UI Redis Parameters | Name | Description | Value | @@ -1120,7 +1103,6 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `ui-redis.architecture` | Redis deployment architecture | `standalone` | | `ui-redis.master.persistence.enabled` | enables persistence | `false` | - ### Anchore Database Parameters | Name | Description | Value | diff --git a/stable/feeds/README.md b/stable/feeds/README.md index 681cfb64..87179120 100644 --- a/stable/feeds/README.md +++ b/stable/feeds/README.md @@ -269,7 +269,6 @@ feeds-db: | `existingSecretName` | Name of the existing secret to be used for Anchore Feeds Service | `anchore-enterprise-feeds-env` | | `configOverride` | Allows for overriding the default Anchore configuration file | `{}` | - ### Anchore Feeds Configuration Parameters | Name | Description | Value | @@ -309,7 +308,6 @@ feeds-db: | `anchoreConfig.feeds.drivers.github.enabled` | Enable GitHub advisory feeds (requires GitHub PAT) | `false` | | `anchoreConfig.feeds.drivers.github.token` | GitHub developer personal access token with zero permission scopes | `""` | - ### Anchore Feeds Database Parameters | Name | Description | Value | @@ -324,7 +322,6 @@ feeds-db: | `feeds-db.primary.extraEnvVars` | An array to add extra environment variables | `[]` | | `feeds-db.image.tag` | Specifies the image to use for this chart. | `13.11.0-debian-11-r15` | - ### Feeds Gem Database Parameters | Name | Description | Value | 
@@ -339,7 +336,6 @@ feeds-db: | `gem-db.primary.extraEnvVars` | An array to add extra environment variables | `[]` | | `gem-db.image.tag` | Specifies the image to use for this chart. | `13.11.0-debian-11-r15` | - ### Anchore Feeds Upgrade Job Parameters | Name | Description | Value | @@ -356,7 +352,6 @@ feeds-db: | `feedsUpgradeJob.labels` | Labels for the Anchore Feeds upgrade job | `{}` | | `feedsUpgradeJob.resources` | Resources for the Anchore Feeds upgrade job | `{}` | - ### Ingress Parameters | Name | Description | Value | @@ -369,7 +364,6 @@ feeds-db: | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | - ### Google CloudSQL DB Parameters | Name | Description | Value | From 7d042e7fe7e78c90a85e837135c192539ea04af5 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 19 Sep 2023 13:36:28 -0400 Subject: [PATCH 210/329] updating fullNameOverride and nameOverride tests and mappings.py Signed-off-by: Hung Nguyen --- scripts/enterprise-value-converter/mappings.py | 4 ++-- .../tests/test_anchoreGlobal_value_mapping.py | 10 +++++++++- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/scripts/enterprise-value-converter/mappings.py b/scripts/enterprise-value-converter/mappings.py index 6a5b4e84..2626e925 100644 --- a/scripts/enterprise-value-converter/mappings.py +++ b/scripts/enterprise-value-converter/mappings.py @@ -49,8 +49,6 @@ "anchoreEnterpriseUi": "ui", "anchorePolicyEngine": "policyEngine", "anchoreSimpleQueue": "simpleQueue", - "fullnameOverride": "global.fullnameOverride", - "nameOverride": "global.nameOverride", "ingress": "ingress" } 
@@ -124,6 +122,8 @@ # We need to go all the way down to the value. Replace the whole original key FULL_CHANGE_KEY_MAPPING = { + "fullnameOverride": "global.fullnameOverride", + "nameOverride": "global.nameOverride", "postgresql.enabled": "postgresql.chartEnabled", "postgresql.postgresDatabase": "postgresql.auth.database", "postgresql.postgresPassword": "postgresql.auth.password", diff --git a/scripts/enterprise-value-converter/tests/test_anchoreGlobal_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreGlobal_value_mapping.py index d2bc7d4f..8dbbd80e 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreGlobal_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreGlobal_value_mapping.py @@ -18,7 +18,15 @@ def tearDown(self): def test_fullnameOverride(self): dot_string_dict = {"fullnameOverride": "overridden"} expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'fullnameOverride': 'overridden' + 'global': {'fullnameOverride': 'overridden'} + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) + + def test_nameOverride(self): + dot_string_dict = {"nameOverride": "overridden"} + expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + 'global': {'nameOverride': 'overridden'} } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) From 09737b2ebca77c2e6126380e5316a00121dbcb62 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 20 Sep 2023 13:08:42 -0700 Subject: [PATCH 211/329] Minor chart fixes (#130) * remove unused value `enterpriseFullname` from feeds chart * move api & notifications container to be first available container in pod * Update feeds chart dep version * update tests to reflect new container order --------- 
Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.lock | 6 +- stable/enterprise/Chart.yaml | 2 +- .../enterprise/templates/api_deployment.yaml | 2 +- .../templates/notifications_deployment.yaml | 2 +- .../enterprise/tests/api_resources_test.yaml | 54 ++++---- .../tests/notifications_resources_test.yaml | 24 ++-- stable/feeds/Chart.yaml | 2 +- stable/feeds/README.md | 121 +++++++++--------- stable/feeds/values.yaml | 4 - 9 files changed, 109 insertions(+), 108 deletions(-) diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock index e5b97ae6..516ebfcd 100644 --- a/stable/enterprise/Chart.lock +++ b/stable/enterprise/Chart.lock @@ -7,6 +7,6 @@ dependencies: version: 17.11.8 - name: feeds repository: https://charts.anchore.io/stable - version: 0.0.3 -digest: sha256:e09008523a98c8507c12682c3f26166df583cb1a6ec68b23d5b6803a6b44a63d -generated: "2023-09-18T18:53:59.218441-07:00" + version: 0.0.6 +digest: sha256:40d8a0173d8ea36005f8cec6677b6d436edde04ba1a2ee4f013f3016be8eb742 +generated: "2023-09-20T11:33:21.217465-07:00" diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index a630c3a3..e2cc5c20 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.0.7" +version: "0.0.8" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/templates/api_deployment.yaml b/stable/enterprise/templates/api_deployment.yaml index 125086bb..5fc5d7fc 100644 --- a/stable/enterprise/templates/api_deployment.yaml +++ b/stable/enterprise/templates/api_deployment.yaml @@ -36,7 +36,6 @@ spec: {{- if .Values.cloudsql.enabled }} {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} {{- end }} - {{- include "enterprise.common.rbacAuthContainer" . | nindent 8 }} - name: "{{ .Chart.Name }}-{{ $component | lower }}" image: {{ .Values.image }} imagePullPolicy: {{ .Values.imagePullPolicy }} 
@@ -91,6 +90,7 @@ spec: {{- with .Values.reports.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} + {{- include "enterprise.common.rbacAuthContainer" . | nindent 8 }} --- apiVersion: v1 diff --git a/stable/enterprise/templates/notifications_deployment.yaml b/stable/enterprise/templates/notifications_deployment.yaml index 25eb1749..090b9c25 100644 --- a/stable/enterprise/templates/notifications_deployment.yaml +++ b/stable/enterprise/templates/notifications_deployment.yaml @@ -28,7 +28,6 @@ spec: {{- if .Values.cloudsql.enabled }} {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} {{- end }} - {{- include "enterprise.common.rbacAuthContainer" . | nindent 8 }} - name: "{{ .Chart.Name }}-{{ $component | lower }}" image: {{ .Values.image }} imagePullPolicy: {{ .Values.imagePullPolicy }} @@ -50,6 +49,7 @@ spec: {{- with .Values.notifications.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} + {{- include "enterprise.common.rbacAuthContainer" . | nindent 8 }} --- apiVersion: v1 diff --git a/stable/enterprise/tests/api_resources_test.yaml b/stable/enterprise/tests/api_resources_test.yaml index bd693d86..1daf5be2 100644 --- a/stable/enterprise/tests/api_resources_test.yaml +++ b/stable/enterprise/tests/api_resources_test.yaml @@ -164,13 +164,13 @@ tests: asserts: - equal: path: spec.template.spec.containers[0].name - value: rbac-auth + value: enterprise-api - equal: path: spec.template.spec.containers[1].name - value: enterprise-api + value: enterprise-reports-api - equal: path: spec.template.spec.containers[2].name - value: enterprise-reports-api + value: rbac-auth - it: should render component entrypoint args template: api_deployment.yaml 
@@ -178,11 +178,11 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[1].args[0] - pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade apiext$ + pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade reports$ count: 1 - matchRegex: - path: spec.template.spec.containers[2].args[0] - pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade reports$ + path: spec.template.spec.containers[0].args[0] + pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade apiext$ count: 1 - it: should render api component environment variables @@ -196,7 +196,7 @@ tests: value: foobar asserts: - contains: - path: spec.template.spec.containers[1].env + path: spec.template.spec.containers[0].env content: name: ANCHORE_CLI_PASS valueFrom: @@ -205,25 +205,25 @@ tests: key: ANCHORE_ADMIN_PASSWORD count: 1 - contains: - path: spec.template.spec.containers[1].env + path: spec.template.spec.containers[0].env content: name: ANCHORE_ENDPOINT_HOSTNAME value: test-release-enterprise-api count: 1 - contains: - path: spec.template.spec.containers[1].env + path: spec.template.spec.containers[0].env content: name: ANCHORE_PORT value: "8228" count: 1 - contains: - path: spec.template.spec.containers[1].env + path: spec.template.spec.containers[0].env content: name: api value: test count: 1 - contains: - path: spec.template.spec.containers[1].env + path: spec.template.spec.containers[0].env content: name: test value: foobar @@ -236,7 +236,7 @@ tests: existingSecretName: existing-secret asserts: - contains: - path: spec.template.spec.containers[1].env + path: spec.template.spec.containers[0].env content: name: ANCHORE_CLI_PASS valueFrom: 
@@ -255,25 +255,25 @@ tests: value: foobar asserts: - contains: - path: spec.template.spec.containers[2].env + path: spec.template.spec.containers[1].env content: name: ANCHORE_ENDPOINT_HOSTNAME value: test-release-enterprise-api count: 1 - contains: - path: spec.template.spec.containers[2].env + path: spec.template.spec.containers[1].env content: name: ANCHORE_PORT value: "8558" count: 1 - contains: - path: spec.template.spec.containers[2].env + path: spec.template.spec.containers[1].env content: name: reports value: test count: 1 - contains: - path: spec.template.spec.containers[2].env + path: spec.template.spec.containers[1].env content: name: test value: foobar @@ -283,13 +283,13 @@ tests: documentIndex: 0 asserts: - contains: - path: spec.template.spec.containers[1].ports + path: spec.template.spec.containers[0].ports content: name: api containerPort: 8228 count: 1 - contains: - path: spec.template.spec.containers[2].ports + path: spec.template.spec.containers[1].ports content: name: reports containerPort: 8558 @@ -303,7 +303,7 @@ tests: custom_policy_bundle1.json: {} asserts: - contains: - path: spec.template.spec.containers[1].volumeMounts + path: spec.template.spec.containers[0].volumeMounts content: name: policy-bundle-volume mountPath: /anchore_service/bundles/ @@ -315,7 +315,7 @@ tests: documentIndex: 0 asserts: - isSubset: - path: spec.template.spec.containers[1].livenessProbe + path: spec.template.spec.containers[0].livenessProbe content: httpGet: path: /health @@ -328,7 +328,7 @@ tests: successThreshold: 1 count: 1 - isSubset: - path: spec.template.spec.containers[1].readinessProbe + path: spec.template.spec.containers[0].readinessProbe content: httpGet: path: /health @@ -340,7 +340,7 @@ tests: successThreshold: 1 count: 1 - isSubset: - path: spec.template.spec.containers[2].livenessProbe + path: spec.template.spec.containers[1].livenessProbe content: httpGet: path: /health 
@@ -353,7 +353,7 @@ tests: successThreshold: 1 count: 1 - isSubset: - path: spec.template.spec.containers[2].readinessProbe + path: spec.template.spec.containers[1].readinessProbe content: httpGet: path: /health @@ -385,25 +385,25 @@ tests: memory: 456Mi asserts: - isSubset: - path: spec.template.spec.containers[1].resources.requests + path: spec.template.spec.containers[0].resources.requests content: cpu: 100m memory: 128Mi count: 1 - isSubset: - path: spec.template.spec.containers[1].resources.limits + path: spec.template.spec.containers[0].resources.limits content: cpu: 200m memory: 256Mi count: 1 - isSubset: - path: spec.template.spec.containers[2].resources.requests + path: spec.template.spec.containers[1].resources.requests content: cpu: 200m memory: 228Mi count: 1 - isSubset: - path: spec.template.spec.containers[2].resources.limits + path: spec.template.spec.containers[1].resources.limits content: cpu: 400m memory: 456Mi diff --git a/stable/enterprise/tests/notifications_resources_test.yaml b/stable/enterprise/tests/notifications_resources_test.yaml index ec56ed44..0a3ec922 100644 --- a/stable/enterprise/tests/notifications_resources_test.yaml +++ b/stable/enterprise/tests/notifications_resources_test.yaml @@ -148,17 +148,17 @@ tests: asserts: - equal: path: spec.template.spec.containers[0].name - value: rbac-auth + value: enterprise-notifications - equal: path: spec.template.spec.containers[1].name - value: enterprise-notifications + value: rbac-auth - it: should render component entrypoint args template: notifications_deployment.yaml documentIndex: 0 asserts: - matchRegex: - path: spec.template.spec.containers[1].args[0] + path: spec.template.spec.containers[0].args[0] pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade notifications$ count: 1 
@@ -173,25 +173,25 @@ tests: value: foobar asserts: - contains: - path: spec.template.spec.containers[1].env + path: spec.template.spec.containers[0].env content: name: ANCHORE_ENDPOINT_HOSTNAME value: test-release-enterprise-notifications count: 1 - contains: - path: spec.template.spec.containers[1].env + path: spec.template.spec.containers[0].env content: name: ANCHORE_PORT value: "8668" count: 1 - contains: - path: spec.template.spec.containers[1].env + path: spec.template.spec.containers[0].env content: name: notifications value: test count: 1 - contains: - path: spec.template.spec.containers[1].env + path: spec.template.spec.containers[0].env content: name: test value: foobar @@ -201,7 +201,7 @@ tests: documentIndex: 0 asserts: - contains: - path: spec.template.spec.containers[1].ports + path: spec.template.spec.containers[0].ports content: name: notifications containerPort: 8668 @@ -212,7 +212,7 @@ tests: documentIndex: 0 asserts: - isSubset: - path: spec.template.spec.containers[1].livenessProbe + path: spec.template.spec.containers[0].livenessProbe content: httpGet: path: /health @@ -225,7 +225,7 @@ tests: successThreshold: 1 count: 1 - isSubset: - path: spec.template.spec.containers[1].readinessProbe + path: spec.template.spec.containers[0].readinessProbe content: httpGet: path: /health @@ -250,13 +250,13 @@ tests: memory: 256Mi asserts: - isSubset: - path: spec.template.spec.containers[1].resources.requests + path: spec.template.spec.containers[0].resources.requests content: cpu: 100m memory: 128Mi count: 1 - isSubset: - path: spec.template.spec.containers[1].resources.limits + path: spec.template.spec.containers[0].resources.limits content: cpu: 200m memory: 256Mi diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index 232015e5..ade50332 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml 
@@ -1,7 +1,7 @@ apiVersion: v2 name: feeds type: application -version: "0.0.6" +version: "0.0.7" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: Anchore feeds service diff --git a/stable/feeds/README.md b/stable/feeds/README.md index 87179120..210443bb 100644 --- a/stable/feeds/README.md +++ b/stable/feeds/README.md 
@@ -210,64 +210,64 @@ feeds-db: ### Common Resource Parameters -| Name | Description | Value | -| ------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | -| `standalone` | Enable running the Anchore Feeds service in standalone mode | `true` | -| `url` | Set a custom feeds URL. Useful when using a feeds service endpoint that is external from the cluster. | `""` | -| `enterpriseFullname` | set the fullname on enterprise resources. Only needed when standalone=false and fullnameOverride is set for the enterprise chart. | `""` | -| `fullnameOverride` | overrides the fullname set on resources | `""` | -| `nameOverride` | overrides the name set on resources | `""` | -| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v4.9.1` | -| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | -| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | -| `serviceAccountName` | Name of a service account used to run all Feeds pods | `""` | -| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | -| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | -| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | -| `extraEnv` | Common environment variables set on all containers | `[]` | -| `labels` | Common labels set on all Kubernetes resources | `{}` | -| `annotations` | Common annotations set on all Kubernetes resources | `{}` | -| `resources` | Resource requests and limits for Anchore Feeds pods | `{}` | -| `nodeSelector` | Node labels for Anchore Feeds pod assignment | `{}` | -| `tolerations` | Tolerations for Anchore Feeds pod 
assignment | `[]` | -| `affinity` | Affinity for Anchore Feeds pod assignment | `{}` | -| `service.type` | Service type for Anchore Feeds | `ClusterIP` | -| `service.port` | Service port for Anchore Feeds | `8448` | -| `service.annotations` | Annotations for Anchore Feeds service | `{}` | -| `service.labels` | Labels for Anchore Feeds service | `{}` | -| `service.nodePort` | nodePort for Anchore Feeds service | `""` | -| `scratchVolume.mountPath` | The mount path of an external volume for scratch space for image analysis | `/anchore_scratch` | -| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions | `false` | -| `scratchVolume.details` | Details for the k8s volume to be created | `{}` | -| `persistence.enabled` | Enable mounting an external volume for feeds driver workspace | `true` | -| `persistence.resourcePolicy` | Resource policy Helm annotation on PVC. Can be nil or "keep" | `keep` | -| `persistence.existingClaim` | Specify an existing volume claim | `""` | -| `persistence.storageClass` | Persistent volume storage class | `""` | -| `persistence.accessMode` | Access Mode for persistent volume | `ReadWriteOnce` | -| `persistence.size` | Size of persistent volume | `40Gi` | -| `persistence.mountPath` | Mount path on Anchore Feeds container for persistent volume | `/workspace` | -| `persistence.subPath` | Directory name used for persistent volume storage | `feeds-workspace` | -| `persistence.annotations` | Annotations for PVC | `{}` | -| `extraVolumes` | mounts additional volumes to each pod | `[]` | -| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | -| `securityContext.runAsUser` | The securityContext runAsUser for all Feeds pods | `1000` | -| `securityContext.runAsGroup` | The securityContext runAsGroup for all Feeds pods | `1000` | -| `securityContext.fsGroup` | The securityContext fsGroup for all Feeds pods | `1000` | -| `containerSecurityContext` | The securityContext for all Feeds 
containers | `{}` | -| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | -| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | -| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | -| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | -| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | -| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | -| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | -| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | -| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | -| `doSourceAtEntry.enabled` | Does a `source` of the file paths defined before starting Anchore services | `false` | -| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | -| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | -| `existingSecretName` | Name of the existing secret to be used for Anchore Feeds Service | `anchore-enterprise-feeds-env` | -| `configOverride` | Allows for overriding the default Anchore configuration file | `{}` | +| Name | Description | Value | +| ------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------- | +| `standalone` | Enable running the Anchore Feeds service in standalone mode | `true` | +| `url` | Set a custom feeds URL. Useful when using a feeds service endpoint that is external from the cluster. 
| `""` | +| `fullnameOverride` | overrides the fullname set on resources | `""` | +| `nameOverride` | overrides the name set on resources | `""` | +| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v4.9.1` | +| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | +| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | +| `serviceAccountName` | Name of a service account used to run all Feeds pods | `""` | +| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | +| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | +| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | +| `extraEnv` | Common environment variables set on all containers | `[]` | +| `labels` | Common labels set on all Kubernetes resources | `{}` | +| `annotations` | Common annotations set on all Kubernetes resources | `{}` | +| `resources` | Resource requests and limits for Anchore Feeds pods | `{}` | +| `nodeSelector` | Node labels for Anchore Feeds pod assignment | `{}` | +| `tolerations` | Tolerations for Anchore Feeds pod assignment | `[]` | +| `affinity` | Affinity for Anchore Feeds pod assignment | `{}` | +| `service.type` | Service type for Anchore Feeds | `ClusterIP` | +| `service.port` | Service port for Anchore Feeds | `8448` | +| `service.annotations` | Annotations for Anchore Feeds service | `{}` | +| `service.labels` | Labels for Anchore Feeds service | `{}` | +| `service.nodePort` | nodePort for Anchore Feeds service | `""` | +| `scratchVolume.mountPath` | The mount path of an external volume for scratch space for image analysis | `/anchore_scratch` | +| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions | `false` | +| 
`scratchVolume.details` | Details for the k8s volume to be created | `{}` | +| `persistence.enabled` | Enable mounting an external volume for feeds driver workspace | `true` | +| `persistence.resourcePolicy` | Resource policy Helm annotation on PVC. Can be nil or "keep" | `keep` | +| `persistence.existingClaim` | Specify an existing volume claim | `""` | +| `persistence.storageClass` | Persistent volume storage class | `""` | +| `persistence.accessMode` | Access Mode for persistent volume | `ReadWriteOnce` | +| `persistence.size` | Size of persistent volume | `40Gi` | +| `persistence.mountPath` | Mount path on Anchore Feeds container for persistent volume | `/workspace` | +| `persistence.subPath` | Directory name used for persistent volume storage | `feeds-workspace` | +| `persistence.annotations` | Annotations for PVC | `{}` | +| `extraVolumes` | mounts additional volumes to each pod | `[]` | +| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | +| `securityContext.runAsUser` | The securityContext runAsUser for all Feeds pods | `1000` | +| `securityContext.runAsGroup` | The securityContext runAsGroup for all Feeds pods | `1000` | +| `securityContext.fsGroup` | The securityContext fsGroup for all Feeds pods | `1000` | +| `containerSecurityContext` | The securityContext for all Feeds containers | `{}` | +| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | +| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | +| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | +| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | +| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | +| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | +| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | +| `probes.readiness.failureThreshold` | Failure 
threshold for the readiness probe | `3` | +| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | +| `doSourceAtEntry.enabled` | Does a `source` of the file paths defined before starting Anchore services | `false` | +| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | +| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | +| `existingSecretName` | Name of the existing secret to be used for Anchore Feeds Service | `anchore-enterprise-feeds-env` | +| `configOverride` | Allows for overriding the default Anchore configuration file | `{}` | + ### Anchore Feeds Configuration Parameters @@ -308,6 +308,7 @@ feeds-db: | `anchoreConfig.feeds.drivers.github.enabled` | Enable GitHub advisory feeds (requires GitHub PAT) | `false` | | `anchoreConfig.feeds.drivers.github.token` | GitHub developer personal access token with zero permission scopes | `""` | + ### Anchore Feeds Database Parameters | Name | Description | Value | @@ -322,6 +323,7 @@ feeds-db: | `feeds-db.primary.extraEnvVars` | An array to add extra environment variables | `[]` | | `feeds-db.image.tag` | Specifies the image to use for this chart. | `13.11.0-debian-11-r15` | + ### Feeds Gem Database Parameters | Name | Description | Value | @@ -336,6 +338,7 @@ feeds-db: | `gem-db.primary.extraEnvVars` | An array to add extra environment variables | `[]` | | `gem-db.image.tag` | Specifies the image to use for this chart. | `13.11.0-debian-11-r15` | + ### Anchore Feeds Upgrade Job Parameters | Name | Description | Value | @@ -352,6 +355,7 @@ feeds-db: | `feedsUpgradeJob.labels` | Labels for the Anchore Feeds upgrade job | `{}` | | `feedsUpgradeJob.resources` | Resources for the Anchore Feeds upgrade job | `{}` | + ### Ingress Parameters | Name | Description | Value | 
@@ -364,6 +368,7 @@ feeds-db: | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | + ### Google CloudSQL DB Parameters | Name | Description | Value | diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml index 1c2552ae..9c90b553 100644 --- a/stable/feeds/values.yaml +++ b/stable/feeds/values.yaml @@ -11,10 +11,6 @@ standalone: true ## i.e. https://: url: "" -## @param enterpriseFullname set the fullname on enterprise resources. Only needed when standalone=false and fullnameOverride is set for the enterprise chart. -## -enterpriseFullname: "" - ## @param fullnameOverride overrides the fullname set on resources ## fullnameOverride: "" From d3775d6a3c88e1901aeb387915811a89159f8a5f Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 20 Sep 2023 14:49:23 -0700 Subject: [PATCH 212/329] add workflows for value converter script (#131) * add workflows for running tests & pushing docker image on value converter * run tests on all python files in converter directory * only run docker job on main branch * only run helm workflows when files in the stable/ directory are changed --------- Signed-off-by: Brady Todhunter --- .github/workflows/deploy.yaml | 2 ++ .github/workflows/lint.yaml | 4 ++- .github/workflows/test.yaml | 5 ++- .../workflows/values-converter-docker.yaml | 33 +++++++++++++++++++ .github/workflows/values-converter-tests.yaml | 31 +++++++++++++++++ scripts/enterprise-value-converter/README.md | 9 +++++ scripts/enterprise-value-converter/convert.py | 3 ++ 7 files changed, 85 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/values-converter-docker.yaml create mode 100644 .github/workflows/values-converter-tests.yaml diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 0f34bc12..9bc08579 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml 
@@ -4,6 +4,8 @@ on: push: branches: - main + paths: + - 'stable/**' permissions: contents: read diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 4d240ecf..01692cba 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -1,7 +1,9 @@ name: "Lint changed charts using chart-testing tool" on: - - pull_request + pull_request: + paths: + - 'stable/**' permissions: contents: read diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 4145807a..a2d79607 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -1,7 +1,10 @@ name: "Test using kind and chart-testing tool" on: - - pull_request + pull_request: + paths: + - 'stable/**' + permissions: contents: read diff --git a/.github/workflows/values-converter-docker.yaml b/.github/workflows/values-converter-docker.yaml new file mode 100644 index 00000000..194740cd --- /dev/null +++ b/.github/workflows/values-converter-docker.yaml @@ -0,0 +1,33 @@ +name: Build & push values converter docker image + +on: + push: + branches: + - main + paths: + - 'scripts/enterprise-value-converter/**' + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + - name: Login to DockerHub + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + username: ${{ secrets.ANCHORECI_DOCKER_USER }} + password: ${{ secrets.ANCHORECI_DOCKER_PASS }} + + - name: Build and push + id: docker_build + uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 + with: + push: true + tags: | + anchore/enterprise-helm-migrator:${{ github.sha }} + anchore/enterprise-helm-migrator:latest diff --git a/.github/workflows/values-converter-tests.yaml b/.github/workflows/values-converter-tests.yaml new file mode 100644 index 00000000..8fd03d6a --- /dev/null 
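Review bot: The `build` job in values-converter-docker.yaml pushes `anchore/enterprise-helm-migrator:latest` on every push to main with no gate on the converter's unit tests, which the sibling values-converter-tests.yaml only runs on `pull_request`, so an untested or broken commit to main is published under the mutable `latest` tag immediately. Consider running the unit tests in this workflow ahead of the `Build and push` step, or making them a job this one `needs:`. The job also has no `actions/checkout` step, so build-push-action builds from the remote Git context rather than the checked-out tree; that is legitimate, but since the Dockerfile lives under `scripts/enterprise-value-converter/` it deserves a comment on the step, e.g. `# Builds from the Git context; the Dockerfile is in scripts/enterprise-value-converter/`.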
+++ b/.github/workflows/values-converter-tests.yaml @@ -0,0 +1,31 @@ +name: Run values converter unit tests + +on: + pull_request: + paths: + - 'scripts/enterprise-value-converter/**.py' + +permissions: + contents: read + +jobs: + tests: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + + - name: Set up Python + uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0 + with: + python-version: 3.9 + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install argparse pyyaml + + - name: Run tests + run: | + cd scripts/enterprise-value-converter + python -m unittest tests/*.py diff --git a/scripts/enterprise-value-converter/README.md b/scripts/enterprise-value-converter/README.md index 13667f51..bfe9ba91 100644 --- a/scripts/enterprise-value-converter/README.md +++ b/scripts/enterprise-value-converter/README.md @@ -32,6 +32,15 @@ This script converts the values file of Anchore Engine to the values file format After running the Docker container, the converted Helm chart values file will be available in the `${PWD}/output` directory on your local machine. +## Running tests + +To run the unit tests, run the following command from the `scripts/enterprise-value-converter` directory: + +```bash +pip install argparse pyyaml +python -m unittest tests/*.py +``` + ## Important Note Please ensure that you have reviewed and understood the content of the input file before running the conversion. The script provided is specifically tailored to convert Anchore Engine values files to the format expected by the Anchore Enterprise Helm chart. diff --git a/scripts/enterprise-value-converter/convert.py b/scripts/enterprise-value-converter/convert.py index 5613719a..579c96a8 100644 --- a/scripts/enterprise-value-converter/convert.py +++ b/scripts/enterprise-value-converter/convert.py 
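Review bot: The `Install dependencies` step runs `pip install argparse pyyaml`; `argparse` is part of the Python standard library, so this pulls an unrelated, unpinned third-party distribution named `argparse` from PyPI into CI for no benefit, and `pyyaml` is likewise unpinned. Drop `argparse` and pin the one real dependency, e.g. `pip install "pyyaml==<PINNED_VERSION>"` (placeholder version), or install from a requirements file kept in the converter directory. `python-version: 3.9` is an unquoted float that happens to round-trip, but `3.10` would not, so write `python-version: "3.9"`. The README hunk that follows repeats the same `pip install argparse pyyaml` line.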
@@ -1,3 +1,6 @@ +# Entry point for the enterprise value converter script +# This script is used to convert the values files from the anchore-engine chart to the enterprise values files + import sys sys.dont_write_bytecode = True From 7b0602880917a72a53cf5ccfd2e271ed056644a1 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 20 Sep 2023 19:35:45 -0400 Subject: [PATCH 213/329] adding a rand to upgrade job name if being forced (#132) * adding a rand to upgrade job name * bumping chart versions --------- Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/templates/_names.tpl | 6 +++++- stable/feeds/Chart.yaml | 2 +- stable/feeds/templates/_names.tpl | 6 +++++- 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index e2cc5c20..7526998e 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.0.8" +version: "0.0.9" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/templates/_names.tpl b/stable/enterprise/templates/_names.tpl index a710e68e..07f837aa 100644 --- a/stable/enterprise/templates/_names.tpl +++ b/stable/enterprise/templates/_names.tpl @@ -64,7 +64,11 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- define "enterprise.upgradeJob.fullname" -}} {{- $name := default .Chart.Name .Values.global.nameOverride -}} -{{- printf "%s-%s-%s-%s" .Release.Name $name (.Chart.AppVersion | replace "." "") "upgrade" | trunc 63 | trimSuffix "-" -}} +{{- $forcedRevision := "" -}} +{{- if .Values.upgradeJob.force }} +{{- $forcedRevision = printf "-forced-%s" (randAlphaNum 5 | lower) -}} +{{- end }} +{{- printf "%s-%s-%s-%s%s" .Release.Name $name (.Chart.AppVersion | replace "." "") "upgrade" $forcedRevision| trunc 63 | trimSuffix "-" -}} {{- end -}} {{- define "enterprise.feeds.fullname" -}} 
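Review bot: `randAlphaNum 5` makes `enterprise.upgradeJob.fullname` non-deterministic whenever `upgradeJob.force` is set: every evaluation of the helper produces a different name, so the two `template "enterprise.upgradeJob.fullname"` calls in upgrade_job.yaml (Job `metadata.name` and the pod-template name) disagree within one render, `helm template`/`helm diff` never match the live object, and because `force` also drops the hook annotations and delete policy each forced upgrade leaves the previous Job behind. If the intent is a unique name per upgrade, `.Release.Revision` is deterministic within a render and already distinct per upgrade: `{{- $forcedRevision = printf "-forced-%d" .Release.Revision -}}`. Two smaller points on the same line: `$forcedRevision| trunc 63` is missing the space before the pipe, and `trunc 63` may cut the suffix itself when the release name is long. The feeds `_names.tpl` hunk in this same commit has the identical construct.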
diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index ade50332..aa2d8fb2 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: feeds type: application -version: "0.0.7" +version: "0.0.8" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: Anchore feeds service diff --git a/stable/feeds/templates/_names.tpl b/stable/feeds/templates/_names.tpl index e06257e7..b104ae40 100644 --- a/stable/feeds/templates/_names.tpl +++ b/stable/feeds/templates/_names.tpl @@ -15,7 +15,11 @@ If release name contains chart name it will be used as a full name. {{- define "feeds.upgradeJob.fullname" -}} {{- $name := default .Chart.Name .Values.nameOverride }} -{{- printf "%s-%s-%s-%s" .Release.Name $name (.Chart.AppVersion | replace "." "") "upgrade" | trunc 63 | trimSuffix "-" }} +{{- $forcedRevision := "" -}} +{{- if .Values.feedsUpgradeJob.force }} +{{- $forcedRevision = printf "-forced-%s" (randAlphaNum 5 | lower) -}} +{{- end }} +{{- printf "%s-%s-%s-%s%s" .Release.Name $name (.Chart.AppVersion | replace "." "") "upgrade" $forcedRevision | trunc 63 | trimSuffix "-" }} {{- end -}} {{- define "feeds-db.fullname" -}} From 1d75af73ae1f14c19d76c22a8f8a0584f4f3933f Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 20 Sep 2023 17:23:20 -0700 Subject: [PATCH 214/329] bump feeds dep version Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.lock | 6 +++--- stable/enterprise/Chart.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock index 516ebfcd..a54f7bc0 100644 --- a/stable/enterprise/Chart.lock +++ b/stable/enterprise/Chart.lock 
@@ -7,6 +7,6 @@ dependencies: version: 17.11.8 - name: feeds repository: https://charts.anchore.io/stable - version: 0.0.6 -digest: sha256:40d8a0173d8ea36005f8cec6677b6d436edde04ba1a2ee4f013f3016be8eb742 -generated: "2023-09-20T11:33:21.217465-07:00" + version: 0.0.8 +digest: sha256:7d3bf18cb22105e08420375b32ce9179f4cca2db82e2b54e25ce42c0aadcccfb +generated: "2023-09-20T17:21:27.814898-07:00" diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 7526998e..2c6e0f39 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.0.9" +version: "0.0.10" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | From 856d50326beeefab7fafc0b878eef8007405e53b Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 20 Sep 2023 17:25:39 -0700 Subject: [PATCH 215/329] build docker image in proper context Signed-off-by: Brady Todhunter --- .github/workflows/values-converter-docker.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/values-converter-docker.yaml b/.github/workflows/values-converter-docker.yaml index 194740cd..9f0ce809 100644 --- a/.github/workflows/values-converter-docker.yaml +++ b/.github/workflows/values-converter-docker.yaml @@ -27,6 +27,7 @@ jobs: id: docker_build uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 with: + context: scripts/enterprise-value-converter push: true tags: | anchore/enterprise-helm-migrator:${{ github.sha }} From ef7bab4893d7ef10621e4347a973e8d03fcfcfc3 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 20 Sep 2023 17:43:40 -0700 Subject: [PATCH 216/329] add comment to dockerfile to force build in ci Signed-off-by: Brady Todhunter --- scripts/enterprise-value-converter/Dockerfile | 1 + 1 file changed, 1 insertion(+) 
diff --git a/scripts/enterprise-value-converter/Dockerfile b/scripts/enterprise-value-converter/Dockerfile index c0a0d708..f5357ba5 100644 --- a/scripts/enterprise-value-converter/Dockerfile +++ b/scripts/enterprise-value-converter/Dockerfile @@ -1,3 +1,4 @@ +# python v3.11.5 FROM python:3@sha256:cc7372fe4746ca323f18c6bd0d45dadf22d192756abc5f73e39f9c7f10cba5aa WORKDIR /app From 7a3eb2177ae372e5d766a8c6394fbd954a9e8c7c Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 20 Sep 2023 17:48:22 -0700 Subject: [PATCH 217/329] fix docker context Signed-off-by: Brady Todhunter --- .github/workflows/values-converter-docker.yaml | 2 +- scripts/enterprise-value-converter/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/values-converter-docker.yaml b/.github/workflows/values-converter-docker.yaml index 9f0ce809..16787a6b 100644 --- a/.github/workflows/values-converter-docker.yaml +++ b/.github/workflows/values-converter-docker.yaml @@ -27,7 +27,7 @@ jobs: id: docker_build uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 with: - context: scripts/enterprise-value-converter + context: /scripts/enterprise-value-converter push: true tags: | anchore/enterprise-helm-migrator:${{ github.sha }} diff --git a/scripts/enterprise-value-converter/Dockerfile b/scripts/enterprise-value-converter/Dockerfile index f5357ba5..2d98f8f0 100644 --- a/scripts/enterprise-value-converter/Dockerfile +++ b/scripts/enterprise-value-converter/Dockerfile @@ -1,4 +1,4 @@ -# python v3.11.5 +## python v3.11.5 FROM python:3@sha256:cc7372fe4746ca323f18c6bd0d45dadf22d192756abc5f73e39f9c7f10cba5aa WORKDIR /app From 87d5b7b494410ed234ac858dbf7d37e87b3d36c3 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 20 Sep 2023 17:53:12 -0700 Subject: [PATCH 218/329] fix docker context, again 
Signed-off-by: Brady Todhunter --- .github/workflows/values-converter-docker.yaml | 2 +- scripts/enterprise-value-converter/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/values-converter-docker.yaml b/.github/workflows/values-converter-docker.yaml index 16787a6b..838a2bae 100644 --- a/.github/workflows/values-converter-docker.yaml +++ b/.github/workflows/values-converter-docker.yaml @@ -27,7 +27,7 @@ jobs: id: docker_build uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 with: - context: /scripts/enterprise-value-converter + context: "{{defaultContext}}:scripts/enterprise-value-converter" push: true tags: | anchore/enterprise-helm-migrator:${{ github.sha }} diff --git a/scripts/enterprise-value-converter/Dockerfile b/scripts/enterprise-value-converter/Dockerfile index 2d98f8f0..f5357ba5 100644 --- a/scripts/enterprise-value-converter/Dockerfile +++ b/scripts/enterprise-value-converter/Dockerfile @@ -1,4 +1,4 @@ -## python v3.11.5 +# python v3.11.5 FROM python:3@sha256:cc7372fe4746ca323f18c6bd0d45dadf22d192756abc5f73e39f9c7f10cba5aa WORKDIR /app From 3df532629387a2d1a56da4858a8fa703cb5477d5 Mon Sep 17 00:00:00 2001 From: Arvind Somya Date: Thu, 21 Sep 2023 10:12:43 -0400 Subject: [PATCH 219/329] fix: fixing some issues with the enterprise chart fixed the following issues: - fixed helm upgrades that failed for the upgrade job - added a helper container that can be used to perform db migrations - added a script to wait for the database for the upgrade job DEVOPS-404 
Signed-off-by: Arvind Somya --- stable/enterprise/Chart.lock | 1 + stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 38 +++++++++----- stable/enterprise/templates/_common.tpl | 6 +++ .../hooks/pre-upgrade/upgrade_job.yaml | 16 ++++++ stable/enterprise/templates/migrate_pod.yaml | 46 +++++++++++++++++ .../templates/scripts_configmap.yaml | 11 +++++ .../__snapshot__/configmap_test.yaml.snap | 41 ++++++++++++++++ .../prehook_upgrade_resources_test.yaml.snap | 27 ++++++++++ stable/enterprise/values.yaml | 49 +++++++++++++++++++ 10 files changed, 223 insertions(+), 14 deletions(-) create mode 100644 stable/enterprise/templates/migrate_pod.yaml create mode 100644 stable/enterprise/templates/scripts_configmap.yaml diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock index a54f7bc0..2a2e0791 100644 --- a/stable/enterprise/Chart.lock +++ b/stable/enterprise/Chart.lock @@ -10,3 +10,4 @@ dependencies: version: 0.0.8 digest: sha256:7d3bf18cb22105e08420375b32ce9179f4cca2db82e2b54e25ce42c0aadcccfb generated: "2023-09-20T17:21:27.814898-07:00" + diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 2c6e0f39..49f9494e 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.0.10" +version: "0.0.11" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 70be02a8..29266ae5 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md 
@@ -676,17 +676,21 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts 1. **Deploy Anchore Enterprise**: Use the converted values file to deploy the new Anchore Enterprise Helm chart. - ```shell - export ENTERPRISE_RELEASE=my-enterprise-release - export VALUES_FILE_NAME=${PWD}/output/my-values-file.yaml - helm install ${ENTERPRISE_RELEASE} -n ${NAMESPACE} -f ${VALUES_FILE_NAME} --set upgradeJob.force=true anchore/enterprise - ``` + **NOTE**: You will have to migrate data from the old database to the new one after the chart is installed. The enterprise chart contains a helper pod to aid with this, to enable this pod, use the following in your helm install command line + ```shell + --set startMigrationPod=true + ``` + ```shell + export ENTERPRISE_RELEASE=my-enterprise-release + export VALUES_FILE_NAME=${PWD}/output/my-values-file.yaml + helm install ${ENTERPRISE_RELEASE} -n ${NAMESPACE} -f ${VALUES_FILE_NAME} --set upgradeJob.force=true --set startMigrationPod=true anchore/enterprise + ``` 1. **Scale Down Anchore Enterprise**: Before migrating the database, scale down the new Anchore Enterprise deployment to zero replicas. - ```shell - kubectl scale deployment --replicas=0 -l app=${ENTERPRISE_RELEASE}-enterprise - ``` + ```shell + kubectl scale deployment --replicas=0 -l app=${ENTERPRISE_RELEASE}-enterprise + ``` 1. **Database Preparation**: Replace the existing Anchore database with a new database in PostgreSQL 13. 
@@ -696,11 +700,19 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts dropdb -h ${NEW_DB_HOST} -U ${PGUSER} ${ANCHORE_DATABASE_NAME}; psql -h ${NEW_DB_HOST} -c 'CREATE DATABASE ${ANCHORE_DATABASE_NAME}' ``` -1. **Data Migration**: Migrate data from the old Anchore Engine database to the new Anchore Enterprise database. - - ```shell - export OLD_PG_DB_HOST=${ENGINE_RELEASE}-postgresql - pg_dump -h ${OLD_PG_DB_HOST} -c ${ANCHORE_DATABASE_NAME} | psql -h ${NEW_DB_HOST} ${ANCHORE_DATABASE_NAME} +2. **Data Migration**: Migrate data from the old Anchore Engine database to the new Anchore Enterprise database. + 1. If you are using the included migration helper pod, the exec to that pod and run the following command: + ```shell + kubectl -n exec -it enterprise-migrate-db + PGPASSWORD=${OLD_DB_PASSWORD} pg_dump -h ${OLD_DB_HOST} -U ${OLD_DB_USERNAME} -c ${OLD_DB_NAME} | PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} -c ${NEW_DB_NAME} + ``` + 2. If you are using your own pod then follow these steps + 1. Gather old DB parameters from the secret -anchore-engine + 2. Gather new DB parameters from the new secret -enterprise + 3. Start a migration pod that has all the psql binaries required e.g. docker.io/postgresql:13 + 4. Export all the required environment variables + ```shell + PGPASSWORD=${OLD_DB_PASSWORD} pg_dump -h ${OLD_DB_HOST} -U ${OLD_DB_USERNAME} -c ${OLD_DB_NAME} | PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} -c ${NEW_DB_NAME} ``` 1. **Upgrade Anchore Enterprise**: After migrating the data, upgrade the Anchore Enterprise Helm deployment. diff --git a/stable/enterprise/templates/_common.tpl b/stable/enterprise/templates/_common.tpl index b4a24bf5..fc134a4f 100644 --- a/stable/enterprise/templates/_common.tpl +++ b/stable/enterprise/templates/_common.tpl 
@@ -287,6 +287,8 @@ Setup the common anchore volume mounts - name: config-volume mountPath: /config/config.yaml subPath: config.yaml +- name: anchore-scripts + mountPath: /scripts {{- if (.Values.certStoreSecretName) }} - name: certs mountPath: /home/anchore/certs/ @@ -305,6 +307,10 @@ Setup the common anchore volumes - name: anchore-license secret: secretName: {{ .Values.licenseSecretName }} +- name: {{ .Values.scripts.configMapName }} + configMap: + name: {{ .Values.scripts.configMapName }} + defaultMode: 0755 - name: config-volume configMap: name: {{ template "enterprise.fullname" . }} diff --git a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml index 67e2494d..89ffb0f8 100644 --- a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml +++ b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml @@ -11,8 +11,12 @@ metadata: {{- if not .Values.upgradeJob.force }} "helm.sh/hook": pre-upgrade "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation {{- end }} spec: + {{- if ne (.Values.upgradeJob.ttlAfterCompletion | quote) (-1 | quote) }} + ttlSecondsAfterFinished: {{ .Values.upgradeJob.ttlAfterCompletion }} + {{- end }} template: metadata: name: {{ template "enterprise.upgradeJob.fullname" . }} 
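Review bot: The volumeMount added to `enterprise.common.volumeMounts` is named `anchore-scripts`, but the volume added to `enterprise.common.volumes` is named `{{ .Values.scripts.configMapName }}`; unless that value happens to be exactly `anchore-scripts`, the mount references a volume that does not exist and every pod built from these helpers fails to start. Keep the volume name fixed and template only the ConfigMap reference: `- name: anchore-scripts` / `  configMap:` / `    name: {{ .Values.scripts.configMapName }}`. Because these helpers are shared, the scripts ConfigMap is now a hard dependency of every component, not just the upgrade job; a comment above the new volume saying so would save the next reader a hunt.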
@@ -39,6 +43,18 @@ spec: {{- with .Values.upgradeJob.resources }} resources: {{- toYaml . | nindent 10 }} {{- end }} + - name: wait-for-db + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} + command: [ "/scripts/wait-for-db.sh" ] + volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + {{- with .Values.containerSecurityContext }} + securityContext: {{ toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.upgradeJob.resources }} + resources: {{- toYaml . | nindent 10 }} + {{- end }} containers: {{- if .Values.cloudsql.enabled }} {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} diff --git a/stable/enterprise/templates/migrate_pod.yaml b/stable/enterprise/templates/migrate_pod.yaml new file mode 100644 index 00000000..e1e9b094 --- /dev/null +++ b/stable/enterprise/templates/migrate_pod.yaml 
@@ -0,0 +1,46 @@ +{{- $component := "migrate" -}} +{{- if .Values.startMigrationPod -}} +apiVersion: v1 +kind: Pod +metadata: + name: enterprise-migrate-db + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/component: upgradejob +spec: + containers: + - command: [ "/bin/bash", "-c", "--" ] + args: [ "sleep infinity" ] + image: {{ .Values.migrationPodImage }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + name: enterprise-db-migrate + env: + - name: NEW_DB_HOST + value: {{ .Release.Name }}-postgresql + - name: OLD_DB_HOST + valueFrom: + secretKeyRef: + key: ANCHORE_DB_HOST + name: {{ .Values.migrationAnchoreEngineSecretName }} + - name: NEW_DB_PASSWORD + value: {{ .Values.postgresql.auth.password }} + - name: OLD_DB_PASSWORD + valueFrom: + secretKeyRef: + key: ANCHORE_DB_PASSWORD + name: {{ .Values.migrationAnchoreEngineSecretName }} + - name: NEW_DB_USERNAME + value: {{ .Values.postgresql.auth.username }} + - name: OLD_DB_USERNAME + valueFrom: + secretKeyRef: + key: ANCHORE_DB_USER + name: {{ .Values.migrationAnchoreEngineSecretName }} + - name: OLD_DB_NAME + valueFrom: + secretKeyRef: + key: ANCHORE_DB_NAME + name: {{ .Values.migrationAnchoreEngineSecretName }} + - name: NEW_DB_NAME + value: {{ .Values.postgresql.auth.database }} +{{- end -}} diff --git a/stable/enterprise/templates/scripts_configmap.yaml b/stable/enterprise/templates/scripts_configmap.yaml new file mode 100644 index 00000000..0a441439 --- /dev/null +++ b/stable/enterprise/templates/scripts_configmap.yaml @@ -0,0 +1,11 @@ +{{- $component := "scripts" -}} + +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ .Values.scripts.configMapName }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +data: + {{ .Values.scripts.scripts | toYaml | nindent 2 }} 
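Review bot: `NEW_DB_PASSWORD` is injected as a literal `value:` rendered from `.Values.postgresql.auth.password`, which places the database password in the Pod spec (readable by anyone who can `get pods`, and retained in `helm get manifest` and any cluster backup or audit tooling), whereas the `OLD_*` variables are correctly sourced with `secretKeyRef`. Source it from the postgresql chart's secret the same way, or at minimum render it with `| quote` so a numeric- or boolean-looking password is not retyped by YAML and rejected as a non-string env value; `NEW_DB_USERNAME` and `NEW_DB_NAME` should be quoted for the same reason. The pod runs `sleep infinity` with no `resources` or `securityContext`; if that is acceptable for a short-lived helper, the `startMigrationPod` description in values.yaml should say the pod is meant to be deleted once the migration is done.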
diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index a24bb091..87edba6e 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap 
@@ -469,6 +469,47 @@ should render the configmaps: name: test-release-enterprise-policy-bundles namespace: test-namespace 5: | + apiVersion: v1 + data: + wait-for-db.sh: | + #!/bin/bash + while true + do + CONNSTR=postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}":"${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" + if [[ ${ANCHORE_DB_SSL_MODE} != null ]]; then + CONNSTR=${CONNSTR}?sslmode=${ANCHORE_DB_SSL_MODE} + fi + + if [[ ${ANCHORE_DB_SSL_ROOT_CERT} != null ]]; then + CONNSTR=${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_DB_SSL_ROOT_CERT} + fi + + err=$(anchore-enterprise-manager db --db-connect ${CONNSTR} pre-upgrade-check 2>&1 > /dev/null) + if [[ !$err ]]; then + echo "Database is ready" + exit 0 + fi + echo "Database is not ready yet, sleeping 10 seconds..." + sleep 10 + done + kind: ConfigMap + metadata: + annotations: + bar: baz + foo: bar + labels: + app.kubernetes.io/component: scripts + app.kubernetes.io/instance: test-release + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: test-release-enterprise + app.kubernetes.io/part-of: anchore + app.kubernetes.io/version: 9.9.9 + bar: baz + foo: bar + helm.sh/chart: enterprise-9.9.9 + name: anchore-scripts + namespace: test-namespace + 6: | apiVersion: v1 data: config-ui.yaml: "# Anchore UI configuration\nengine_uri: 'http://test-release-enterprise-api:8228/v2'\nreports_uri: 'http://test-release-enterprise-api:8558/v2'\nnotifications_uri: 'http://test-release-enterprise-notifications:8668/v2'\nrbac_uri: 'http://test-release-enterprise-rbac-manager:8229/v2'\nenterprise_uri: 'http://test-release-enterprise-api:8228/v2'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: true\nforce_websocket: false\nauthentication_lock:\n count: 5\n 
expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: true\nenable_prometheus_metrics: false\n" diff --git a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index 170c728f..fe6d395f 100644 --- a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -107,3 +107,30 @@ should render proper initContainers: - -c image: bitnami/kubectl:1.27 name: scale-down-anchore + - command: + - /scripts/wait-for-db.sh + env: + - name: foo + value: bar + - name: bar + value: baz + - name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-999-upgrade + - name: ANCHORE_PORT + value: "null" + - name: ANCHORE_HOST_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + image: docker.io/anchore/enterprise:v4.9.1 + imagePullPolicy: IfNotPresent + name: wait-for-db + volumeMounts: + - mountPath: /home/anchore/license.yaml + name: anchore-license + subPath: license.yaml + - mountPath: /config/config.yaml + name: config-volume + subPath: config.yaml + - mountPath: /scripts + name: anchore-scripts diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 02277c96..5d85b0b8 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml 
@@ -31,6 +31,18 @@ imagePullPolicy: IfNotPresent ## imagePullSecretName: anchore-enterprise-pullcreds +## @param startMigrationPod Spin up a Database migration pod to help migrate the database to the new schema +## +startMigrationPod: false + +## @param migrationPodImage The image reference to the migration pod +## +migrationPodImage: docker.io/postgres:13-bookworm + +## @param migrationAnchoreEngineSecretName The name of the secret that has anchore-engine values +## +migrationAnchoreEngineSecretName: my-engine-anchore-engine + ## @param serviceAccountName Name of a service account used to run all Anchore pods ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ ## @@ -1185,6 +1197,12 @@ upgradeJob: ## labels: {} + ## @param upgradeJob.ttlAfterCompletion The time period in seconds the upgrade job, and it's related pods should be retained for + ## Defaults to 0 == immediate deletion after completion + ## Set this to -1 to disable deleting the job automatically (NOTE: This can cause issues with upgrades) + ## + ttlAfterCompletion: -1 + ############################## ## @section Ingress Parameters ############################## 
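Review bot: The comment on `ttlAfterCompletion` in the second hunk says `Defaults to 0 == immediate deletion after completion`, but the value set is `-1`, which the template treats as "do not set ttlSecondsAfterFinished", so the README generated from this comment will contradict the shipped default. Change the comment to `## Defaults to -1 == the job is not deleted automatically; set to 0 for immediate deletion` or change the default, whichever is intended. In the first hunk, `migrationAnchoreEngineSecretName: my-engine-anchore-engine` is a release-specific sample name; stating in its `@param` line that it must be set to `<engine-release-name>-anchore-engine` would avoid a silently wrong default.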
@@ -1365,3 +1383,34 @@ postgresql: ## image: tag: 13.11.0-debian-11-r15 + +## @param scripts Collection of helper scripts used in anchore enterprise charts +## +scripts: + ## @param configMapName Name of the configmap to store scripts + ## + configMapName: anchore-scripts + ## @param scripts Name and value of each helper script + ## + scripts: + wait-for-db.sh: | + #!/bin/bash + while true + do + CONNSTR=postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}":"${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" + if [[ ${ANCHORE_DB_SSL_MODE} != null ]]; then + CONNSTR=${CONNSTR}?sslmode=${ANCHORE_DB_SSL_MODE} + fi + + if [[ ${ANCHORE_DB_SSL_ROOT_CERT} != null ]]; then + CONNSTR=${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_DB_SSL_ROOT_CERT} + fi + + err=$(anchore-enterprise-manager db --db-connect ${CONNSTR} pre-upgrade-check 2>&1 > /dev/null) + if [[ !$err ]]; then + echo "Database is ready" + exit 0 + fi + echo "Database is not ready yet, sleeping 10 seconds..." + sleep 10 + done From b9d88de6bfbd3ed513a509818c4783a2a9c8539d Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 22 Sep 2023 17:42:33 -0700 Subject: [PATCH 220/329] Fix preupgrade hooks (#136) * check that configmap exists before mounting it (fix for pre-upgrade hooks) * hardcode script configmap name * move wait-for-db script into container args * move scripts value object into general section of readme * add anchore-config helper script for expanding env vars in /config/config.yaml * update readme param table * bump chart version * update test snapshots --------- 
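Review bot: `if [[ !$err ]]; then` in `wait-for-db.sh` never negates anything: inside `[[ ]]` the word `!$err` is a single non-empty string ("!" followed by the captured output), so the test is always true and the script prints "Database is ready" and exits 0 on the first iteration regardless of what `pre-upgrade-check` reported. The check should be `if [[ -z "$err" ]]; then`. `CONNSTR=${CONNSTR}&sslrootcert=...` has a related problem: an unquoted `&` terminates the command, so the assignment runs in the background and `sslrootcert` is never appended; write `CONNSTR="${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_DB_SSL_ROOT_CERT}"`. Passing `${CONNSTR}`, which embeds `ANCHORE_DB_PASSWORD`, as a command-line argument also exposes the credential in the container's process list; if `anchore-enterprise-manager` can read the connection string from an environment variable or file, prefer that. The same script is inlined verbatim into `upgrade_job.yaml` (`@@ -47,8 +49,25`) and the test snapshots in the following commit, so the fixes apply there too.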
Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 23 ++++++++++ stable/enterprise/templates/_common.tpl | 12 +++-- .../hooks/pre-upgrade/upgrade_job.yaml | 25 +++++++++-- .../templates/scripts_configmap.yaml | 4 +- .../__snapshot__/configmap_test.yaml.snap | 28 ++++-------- .../prehook_upgrade_resources_test.yaml.snap | 36 ++++++++++----- stable/enterprise/values.yaml | 44 ++++++------------- 8 files changed, 102 insertions(+), 72 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 49f9494e..918773a4 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.0.11" +version: "0.0.12" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 29266ae5..8e520a87 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -736,6 +736,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `global.fullnameOverride` | overrides the fullname set on resources | `""` | | `global.nameOverride` | overrides the name set on resources | `""` | + ### Common Resource Parameters | Name | Description | Value | 
@@ -743,6 +744,9 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v4.9.1` | | `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | | `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | +| `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` | +| `migrationPodImage` | The image reference to the migration pod | `docker.io/postgres:13-bookworm` | +| `migrationAnchoreEngineSecretName` | The name of the secret that has anchore-engine values | `my-engine-anchore-engine` | | `serviceAccountName` | Name of a service account used to run all Anchore pods | `""` | | `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | | `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | @@ -773,6 +777,8 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `doSourceAtEntry.enabled` | Does a `source` of the file path defined before starting Anchore services | `false` | | `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | | `configOverride` | Allows for overriding the default Anchore configuration file | `""` | +| `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | + ### Anchore Configuration Parameters 
@@ -867,6 +873,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. | `""` | | `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` | + ### Anchore API k8s Deployment Parameters | Name | Description | Value | @@ -888,6 +895,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `api.affinity` | Affinity for Anchore API pod assignment | `{}` | | `api.serviceAccountName` | Service account name for Anchore API pods | `""` | + ### Anchore Analyzer k8s Deployment Parameters | Name | Description | Value | @@ -903,6 +911,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `analyzer.affinity` | Affinity for Anchore Analyzer pod assignment | `{}` | | `analyzer.serviceAccountName` | Service account name for Anchore API pods | `""` | + ### Anchore Catalog k8s Deployment Parameters | Name | Description | Value | @@ -922,6 +931,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `catalog.affinity` | Affinity for Anchore Catalog pod assignment | `{}` | | `catalog.serviceAccountName` | Service account name for Anchore Catalog pods | `""` | + ### Anchore Feeds Chart Parameters | Name | Description | Value | @@ -930,6 +940,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `feeds.standalone` | Sets the Anchore Feeds chart to run into non-standalone mode, for use with Anchore Enterprise. | `false` | | `feeds.url` | Set the URL for a standalone Feeds service. Use when chartEnabled=false. | `""` | + ### Anchore Policy Engine k8s Deployment Parameters | Name | Description | Value | 
@@ -949,6 +960,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `policyEngine.affinity` | Affinity for Anchore Policy Engine pod assignment | `{}` | | `policyEngine.serviceAccountName` | Service account name for Anchore Policy Engine pods | `""` | + ### Anchore Simple Queue Parameters | Name | Description | Value | @@ -968,6 +980,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `simpleQueue.affinity` | Affinity for Anchore Simple Queue pod assignment | `{}` | | `simpleQueue.serviceAccountName` | Service account name for Anchore Simple Queue pods | `""` | + ### Anchore Notifications Parameters | Name | Description | Value | @@ -988,6 +1001,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `notifications.affinity` | Affinity for Anchore Notifications pod assignment | `{}` | | `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | + ### Anchore Reports Parameters | Name | Description | Value | @@ -1008,6 +1022,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `reports.affinity` | Affinity for Anchore Reports pod assignment | `{}` | | `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | + ### Anchore RBAC Authentication Parameters | Name | Description | Value | @@ -1015,6 +1030,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `rbacAuth.extraEnv` | Set extra environment variables for Anchore RBAC Authentication containers | `[]` | | `rbacAuth.resources` | Resource requests and limits for Anchore RBAC Authentication containers | `{}` | + ### Anchore RBAC Manager Parameters | Name | Description | Value | 
@@ -1035,6 +1051,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `rbacManager.affinity` | Affinity for Anchore RBAC Manager pod assignment | `{}` | | `rbacManager.serviceAccountName` | Service account name for Anchore RBAC Manager pods | `""` | + ### Anchore UI Parameters | Name | Description | Value | @@ -1058,6 +1075,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `ui.affinity` | Affinity for Anchore ui pod assignment | `{}` | | `ui.serviceAccountName` | Service account name for Anchore UI pods | `""` | + ### Anchore Upgrade Job Parameters | Name | Description | Value | @@ -1073,6 +1091,8 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `upgradeJob.annotations` | Annotations for the Anchore upgrade job | `{}` | | `upgradeJob.resources` | Resource requests and limits for the Anchore upgrade job | `{}` | | `upgradeJob.labels` | Labels for the Anchore upgrade job | `{}` | +| `upgradeJob.ttlAfterCompletion` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | + ### Ingress Parameters @@ -1092,6 +1112,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | + ### Google CloudSQL DB Parameters | Name | Description | Value | @@ -1105,6 +1126,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `cloudsql.serviceAccJsonName` | | `""` | | `cloudsql.extraArgs` | a list of extra arguments to be passed into the cloudsql container command. eg | `[]` | + ### Anchore UI Redis Parameters | Name | Description | Value | 
@@ -1115,6 +1137,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts | `ui-redis.architecture` | Redis deployment architecture | `standalone` | | `ui-redis.master.persistence.enabled` | enables persistence | `false` | + ### Anchore Database Parameters | Name | Description | Value | diff --git a/stable/enterprise/templates/_common.tpl b/stable/enterprise/templates/_common.tpl index fc134a4f..c2a71daf 100644 --- a/stable/enterprise/templates/_common.tpl +++ b/stable/enterprise/templates/_common.tpl @@ -287,9 +287,12 @@ Setup the common anchore volume mounts - name: config-volume mountPath: /config/config.yaml subPath: config.yaml +{{- $configmap := lookup "v1" "ConfigMap" .Release.Namespace "anchore-scripts" }} +{{- if $configmap }} - name: anchore-scripts mountPath: /scripts -{{- if (.Values.certStoreSecretName) }} +{{- end }} +{{- if .Values.certStoreSecretName }} - name: certs mountPath: /home/anchore/certs/ readOnly: true @@ -307,10 +310,13 @@ Setup the common anchore volumes - name: anchore-license secret: secretName: {{ .Values.licenseSecretName }} -- name: {{ .Values.scripts.configMapName }} +{{- $configmap := lookup "v1" "ConfigMap" .Release.Namespace "anchore-scripts" }} +{{- if $configmap }} +- name: anchore-scripts configMap: - name: {{ .Values.scripts.configMapName }} + name: anchore-scripts defaultMode: 0755 +{{- end }} - name: config-volume configMap: name: {{ template "enterprise.fullname" . }} diff --git a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml index 89ffb0f8..bcee1873 100644 --- a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml +++ b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml 
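Review bot: Gating the `/scripts` mount on `lookup "v1" "ConfigMap" .Release.Namespace "anchore-scripts"` makes the rendered pods depend on how the chart is rendered: `lookup` returns nothing under `helm template` and `--dry-run`, and on a first `helm install` the ConfigMap does not yet exist when the release is rendered, so as far as I can tell a fresh install gets no scripts mount until the next upgrade, which is hard to diagnose. It also mounts, with `defaultMode: 0755`, whichever ConfigMap of that fixed name exists in the namespace, so two releases in one namespace or an unrelated object with that name share the scripts Anchore pods execute; a release-scoped name, or an explicit value toggling the mount, would be more predictable. The lookup is duplicated in both helpers; computing it once in a named template would keep them in sync. Both helpers start outside the hunks.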
@@ -36,7 +36,9 @@ spec: args: - | kubectl scale deployments --all --replicas=0 -l app.kubernetes.io/name={{ template "enterprise.fullname" . }}; - while [[ $(kubectl get pods -l app.kubernetes.io/name={{ template "enterprise.fullname" . }} --field-selector=status.phase=Running --no-headers | tee /dev/stderr | wc -l) -gt 0 ]]; do echo 'waiting for pods to go down...' && sleep 5; done + while [[ $(kubectl get pods -l app.kubernetes.io/name={{ template "enterprise.fullname" . }} --field-selector=status.phase=Running --no-headers | tee /dev/stderr | wc -l) -gt 0 ]]; do + echo 'waiting for pods to go down...' && sleep 5; + done {{- with .Values.containerSecurityContext }} securityContext: {{ toYaml . | nindent 10 }} {{- end }} @@ -47,8 +49,25 @@ spec: image: {{ .Values.image }} imagePullPolicy: {{ .Values.imagePullPolicy }} env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} - command: [ "/scripts/wait-for-db.sh" ] - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + command: ["/bin/bash", "-c"] + args: + - | + while true; do + CONNSTR=postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}":"${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" + if [[ ${ANCHORE_DB_SSL_MODE} != null ]]; then + CONNSTR=${CONNSTR}?sslmode=${ANCHORE_DB_SSL_MODE} + fi + if [[ ${ANCHORE_DB_SSL_ROOT_CERT} != null ]]; then + CONNSTR=${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_DB_SSL_ROOT_CERT} + fi + err=$(anchore-enterprise-manager db --db-connect ${CONNSTR} pre-upgrade-check 2>&1 > /dev/null) + if [[ !$err ]]; then + echo "Database is ready" + exit 0 + fi + echo "Database is not ready yet, sleeping 10 seconds..." + sleep 10 + done {{- with .Values.containerSecurityContext }} securityContext: {{ toYaml . | nindent 10 }} {{- end }} diff --git a/stable/enterprise/templates/scripts_configmap.yaml b/stable/enterprise/templates/scripts_configmap.yaml index 0a441439..e36e4643 100644 
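Review bot: Dropping `volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }}` from the `wait-for-db` init container in the second hunk also drops the `certs` mount that the inlined script still relies on through `sslrootcert=/home/anchore/certs/${ANCHORE_DB_SSL_ROOT_CERT}` (the common helper adds that mount when `certStoreSecretName` is set, and the updated snapshot in this commit shows no mounts left on the container), so a database that requires a verified root certificate can no longer be reached from the readiness loop. Keep the include, or add just the certs entry under the same `certStoreSecretName` condition the helper uses. The init container's env block is included from `enterprise.common.environment`, which is defined outside the hunk, so I cannot confirm from here that it supplies the `ANCHORE_DB_*` variables the script reads.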
--- a/stable/enterprise/templates/scripts_configmap.yaml +++ b/stable/enterprise/templates/scripts_configmap.yaml @@ -3,9 +3,9 @@ kind: ConfigMap apiVersion: v1 metadata: - name: {{ .Values.scripts.configMapName }} + name: anchore-scripts namespace: {{ .Release.Namespace }} labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} data: - {{ .Values.scripts.scripts | toYaml | nindent 2 }} + {{ .Values.scripts | toYaml | nindent 2 }} diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 87edba6e..5be8b0b5 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -471,27 +471,15 @@ should render the configmaps: 5: | apiVersion: v1 data: - wait-for-db.sh: | + anchore-config: | #!/bin/bash - while true - do - CONNSTR=postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}":"${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" - if [[ ${ANCHORE_DB_SSL_MODE} != null ]]; then - CONNSTR=${CONNSTR}?sslmode=${ANCHORE_DB_SSL_MODE} - fi - - if [[ ${ANCHORE_DB_SSL_ROOT_CERT} != null ]]; then - CONNSTR=${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_DB_SSL_ROOT_CERT} - fi - - err=$(anchore-enterprise-manager db --db-connect ${CONNSTR} pre-upgrade-check 2>&1 > /dev/null) - if [[ !$err ]]; then - echo "Database is ready" - exit 0 - fi - echo "Database is not ready yet, sleeping 10 seconds..." - sleep 10 - done + while IFS= read -r line; do + while [[ "$line" =~ (\$\{[a-zA-Z_][a-zA-Z_0-9]*\}) ]]; do + VAR_NAME=${BASH_REMATCH[1]#*\{}; VAR_NAME=${VAR_NAME%\}}; + line=${line//${BASH_REMATCH[1]}/${!VAR_NAME}}; + done; + printf '%s\n' "$line"; + done < /config/config.yaml kind: ConfigMap metadata: annotations: 
diff --git a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index fe6d395f..25250331 100644 --- a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -101,14 +101,35 @@ should render proper initContainers: - args: - | kubectl scale deployments --all --replicas=0 -l app.kubernetes.io/name=test-release-enterprise; - while [[ $(kubectl get pods -l app.kubernetes.io/name=test-release-enterprise --field-selector=status.phase=Running --no-headers | tee /dev/stderr | wc -l) -gt 0 ]]; do echo 'waiting for pods to go down...' && sleep 5; done + while [[ $(kubectl get pods -l app.kubernetes.io/name=test-release-enterprise --field-selector=status.phase=Running --no-headers | tee /dev/stderr | wc -l) -gt 0 ]]; do + echo 'waiting for pods to go down...' && sleep 5; + done command: - /bin/bash - -c image: bitnami/kubectl:1.27 name: scale-down-anchore - - command: - - /scripts/wait-for-db.sh + - args: + - | + while true; do + CONNSTR=postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}":"${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" + if [[ ${ANCHORE_DB_SSL_MODE} != null ]]; then + CONNSTR=${CONNSTR}?sslmode=${ANCHORE_DB_SSL_MODE} + fi + if [[ ${ANCHORE_DB_SSL_ROOT_CERT} != null ]]; then + CONNSTR=${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_DB_SSL_ROOT_CERT} + fi + err=$(anchore-enterprise-manager db --db-connect ${CONNSTR} pre-upgrade-check 2>&1 > /dev/null) + if [[ !$err ]]; then + echo "Database is ready" + exit 0 + fi + echo "Database is not ready yet, sleeping 10 seconds..." + sleep 10 + done + command: + - /bin/bash + - -c env: - name: foo value: bar 
@@ -125,12 +146,3 @@ should render proper initContainers: image: docker.io/anchore/enterprise:v4.9.1 imagePullPolicy: IfNotPresent name: wait-for-db - volumeMounts: - - mountPath: /home/anchore/license.yaml - name: anchore-license - subPath: license.yaml - - mountPath: /config/config.yaml - name: config-volume - subPath: config.yaml - - mountPath: /scripts - name: anchore-scripts diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 5d85b0b8..9aed9676 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -183,6 +183,19 @@ doSourceAtEntry: ## configOverride: "" +## @param scripts [object] Collection of helper scripts usable in all anchore enterprise pods +## +scripts: + anchore-config: | + #!/bin/bash + while IFS= read -r line; do + while [[ "$line" =~ (\$\{[a-zA-Z_][a-zA-Z_0-9]*\}) ]]; do + VAR_NAME=${BASH_REMATCH[1]#*\{}; VAR_NAME=${VAR_NAME%\}}; + line=${line//${BASH_REMATCH[1]}/${!VAR_NAME}}; + done; + printf '%s\n' "$line"; + done < /config/config.yaml + ##################################################################### ## @section Anchore Configuration Parameters ## Params used for all Anchore Enterprise service configuration files 
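Review bot: The `anchore-config` helper in the values.yaml hunk replaces an unset variable with an empty string, because `${!VAR_NAME}` expands to nothing when the named variable does not exist, so a missing `ANCHORE_DB_PASSWORD` or similar silently yields a config with a blank field instead of an error. Checking the indirect reference first, e.g. `: "${!VAR_NAME:?$VAR_NAME is not set}"`, would fail loudly. The inner loop also does not terminate when a variable's value itself contains the `${NAME}` form of a variable it expands (nothing visible in the script guards against this). Since the expanded output presumably carries database credentials in clear, the `@param scripts` comment should state that the script writes the expanded config to stdout so callers do not redirect it into logs.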
@@ -1383,34 +1396,3 @@ postgresql: ## image: tag: 13.11.0-debian-11-r15 - -## @param scripts Collection of helper scripts used in anchore enterprise charts -## -scripts: - ## @param configMapName Name of the configmap to store scripts - ## - configMapName: anchore-scripts - ## @param scripts Name and value of each helper script - ## - scripts: - wait-for-db.sh: | - #!/bin/bash - while true - do - CONNSTR=postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}":"${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" - if [[ ${ANCHORE_DB_SSL_MODE} != null ]]; then - CONNSTR=${CONNSTR}?sslmode=${ANCHORE_DB_SSL_MODE} - fi - - if [[ ${ANCHORE_DB_SSL_ROOT_CERT} != null ]]; then - CONNSTR=${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_DB_SSL_ROOT_CERT} - fi - - err=$(anchore-enterprise-manager db --db-connect ${CONNSTR} pre-upgrade-check 2>&1 > /dev/null) - if [[ !$err ]]; then - echo "Database is ready" - exit 0 - fi - echo "Database is not ready yet, sleeping 10 seconds..." - sleep 10 - done From a76f76c949d943f9919b8f5bcff26b2ce40af420 Mon Sep 17 00:00:00 2001 From: Zach Hill Date: Mon, 25 Sep 2023 22:58:04 -0700 Subject: [PATCH 221/329] fix: comment out analysis archive section so that it defaults to the same as the object store rather than being explicitly db (#129) Signed-off-by: Zach Hill --- stable/enterprise/Chart.yaml | 2 +- .../tests/__snapshot__/configmap_test.yaml.snap | 7 +------ stable/enterprise/values.yaml | 16 ++++++++-------- 3 files changed, 10 insertions(+), 15 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 918773a4..40874478 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.0.12" +version: "0.0.13" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | 
diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 5be8b0b5..97c5841c 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -170,12 +170,7 @@ should render the configmaps: object_store_bucket: "runtime_compliance_check" down_analyzer_task_requeue: ${ANCHORE_ANALYZER_TASK_REQUEUE} analysis_archive: - compression: - enabled: true - min_size_kbytes: 100 - storage_driver: - config: {} - name: db + {} object_store: compression: enabled: true diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 9aed9676..057080f9 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -456,14 +456,14 @@ anchoreConfig: ## @param anchoreConfig.catalog.analysis_archive [object] Custom analysis archive YAML configuration ## ref: https://docs.anchore.com/current/docs/configuration/storage/analysis_archive/ ## - analysis_archive: - compression: - enabled: true - min_size_kbytes: 100 - storage_driver: - # Valid storage driver names: 'db', 's3', 'swift' - name: db - config: {} + analysis_archive: {} + ## compression: + ## enabled: true + ## min_size_kbytes: 100 + ## storage_driver: + ## # Valid storage driver names: 'db', 's3', 'swift' + ## name: db + ## config: {} ## @param anchoreConfig.catalog.object_store [object] Custom object storage YAML configuration ## ref: https://docs.anchore.com/current/docs/configuration/storage/object_store/ From ebb1112df417a04be9accb3840810882e167c9f4 Mon Sep 17 00:00:00 2001 From: Zach Hill Date: Mon, 25 Sep 2023 23:00:42 -0700 Subject: [PATCH 222/329] feat: sets default max retention age for events to 180 days instead of disabled (#127) 
Signed-off-by: Zach Hill --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap | 2 +- stable/enterprise/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 40874478..10ccc60e 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.0.13" +version: "0.0.14" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 97c5841c..2cb3a861 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -157,7 +157,7 @@ should render the configmaps: service_watcher: 15 vulnerability_scan: 14400 event_log: - max_retention_age_days: 0 + max_retention_age_days: 180 notification: enabled: false level: diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 057080f9..63d99384 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -446,7 +446,7 @@ anchoreConfig: ## ref: https://docs.anchore.com/current/docs/using/cli_usage/event/#sending-events-as-webhook-notifications ## event_log: - max_retention_age_days: 0 + max_retention_age_days: 180 notification: enabled: false level: From 5311ddfc9e09d70584929c9df427228fed688b4a Mon Sep 17 00:00:00 2001 
From: Brady Todhunter Date: Mon, 25 Sep 2023 23:27:22 -0700 Subject: [PATCH 223/329] Sync feeds chart with enterprise (#137) * add custom script configmap to feeds chart * use ttlSecondsAfterFinished for value name to match resource key * add ttl to feeds upgrade jobs * use predictable name for env var configmap for feeds chart consumption * use predictable name for scripts configmap for feeds chart consumption * use predictable name for migrate-db pod for README * ensure feeds pod uses proper scratch space for tmp dir * bump chart version * update test snapshots --------- Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.lock | 3 +- stable/enterprise/Chart.yaml | 3 +- stable/enterprise/README.md | 30 +++++++------- stable/enterprise/templates/_common.tpl | 14 ++----- .../templates/envvars_configmap.yaml | 2 +- .../hooks/pre-upgrade/upgrade_job.yaml | 4 +- stable/enterprise/templates/migrate_pod.yaml | 4 +- .../templates/scripts_configmap.yaml | 8 ++-- .../__snapshot__/configmap_test.yaml.snap | 3 +- stable/enterprise/values.yaml | 4 +- stable/feeds/Chart.yaml | 2 +- stable/feeds/README.md | 28 +++++++------ stable/feeds/files/default_config.yaml | 2 +- stable/feeds/templates/deployment.yaml | 12 ++++-- ..._configmap.yaml => envvars_configmap.yaml} | 4 +- .../hooks/post-upgrade/upgrade_job.yaml | 4 +- .../hooks/pre-upgrade/upgrade_job.yaml | 41 +++++++++++++++++-- stable/feeds/templates/scripts_configmap.yaml | 11 +++++ .../__snapshot__/configmap_test.yaml.snap | 2 +- .../prehook_upgrade_resources_test.yaml.snap | 41 ++++++++++++++++++- stable/feeds/tests/common_helpers_test.yaml | 4 +- stable/feeds/values.yaml | 19 +++++++++ 22 files changed, 174 insertions(+), 71 deletions(-) rename stable/feeds/templates/{anchore_vars_configmap.yaml => envvars_configmap.yaml} (97%) create mode 100644 stable/feeds/templates/scripts_configmap.yaml diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock index 2a2e0791..f4119f90 100644 
--- a/stable/enterprise/Chart.lock +++ b/stable/enterprise/Chart.lock @@ -9,5 +9,4 @@ dependencies: repository: https://charts.anchore.io/stable version: 0.0.8 digest: sha256:7d3bf18cb22105e08420375b32ce9179f4cca2db82e2b54e25ce42c0aadcccfb -generated: "2023-09-20T17:21:27.814898-07:00" - +generated: "2023-09-25T22:28:23.16166-07:00" diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 10ccc60e..37e02069 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.0.14" +version: "0.0.15" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | @@ -41,6 +41,7 @@ dependencies: - name: feeds version: "~0.0" repository: "@anchore" + # repository: file://../feeds condition: feeds.chartEnabled import-values: - child: service diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 8e520a87..5d892672 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -703,7 +703,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts 2. **Data Migration**: Migrate data from the old Anchore Engine database to the new Anchore Enterprise database. 1. If you are using the included migration helper pod, the exec to that pod and run the following command: ```shell - kubectl -n exec -it enterprise-migrate-db + kubectl -n exec -it -enterprise-migrate-db PGPASSWORD=${OLD_DB_PASSWORD} pg_dump -h ${OLD_DB_HOST} -U ${OLD_DB_USERNAME} -c ${OLD_DB_NAME} | PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} -c ${NEW_DB_NAME} ``` 2. If you are using your own pod then follow these steps 
@@ -1078,20 +1078,20 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts ### Anchore Upgrade Job Parameters -| Name | Description | Value | -| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `upgradeJob.enabled` | Enable the Anchore Enterprise database upgrade job | `true` | -| `upgradeJob.force` | Force the Anchore Feeds database upgrade job to run as a regular job instead of as a Helm hook | `false` | -| `upgradeJob.rbacCreate` | Create RBAC resources for the Anchore upgrade job | `true` | -| `upgradeJob.serviceAccountName` | Use an existing service account for the Anchore upgrade job | `""` | -| `upgradeJob.usePostUpgradeHook` | Use a Helm post-upgrade hook to run the upgrade job instead of the default pre-upgrade hook. This job does not require creating RBAC resources. | `false` | -| `upgradeJob.nodeSelector` | Node labels for the Anchore upgrade job pod assignment | `{}` | -| `upgradeJob.tolerations` | Tolerations for the Anchore upgrade job pod assignment | `[]` | -| `upgradeJob.affinity` | Affinity for the Anchore upgrade job pod assignment | `{}` | -| `upgradeJob.annotations` | Annotations for the Anchore upgrade job | `{}` | -| `upgradeJob.resources` | Resource requests and limits for the Anchore upgrade job | `{}` | -| `upgradeJob.labels` | Labels for the Anchore upgrade job | `{}` | -| `upgradeJob.ttlAfterCompletion` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | +| Name | Description | Value | +| ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `upgradeJob.enabled` | Enable the Anchore Enterprise database upgrade job | `true` | +| `upgradeJob.force` | Force the Anchore Feeds 
database upgrade job to run as a regular job instead of as a Helm hook | `false` | +| `upgradeJob.rbacCreate` | Create RBAC resources for the Anchore upgrade job | `true` | +| `upgradeJob.serviceAccountName` | Use an existing service account for the Anchore upgrade job | `""` | +| `upgradeJob.usePostUpgradeHook` | Use a Helm post-upgrade hook to run the upgrade job instead of the default pre-upgrade hook. This job does not require creating RBAC resources. | `false` | +| `upgradeJob.nodeSelector` | Node labels for the Anchore upgrade job pod assignment | `{}` | +| `upgradeJob.tolerations` | Tolerations for the Anchore upgrade job pod assignment | `[]` | +| `upgradeJob.affinity` | Affinity for the Anchore upgrade job pod assignment | `{}` | +| `upgradeJob.annotations` | Annotations for the Anchore upgrade job | `{}` | +| `upgradeJob.resources` | Resource requests and limits for the Anchore upgrade job | `{}` | +| `upgradeJob.labels` | Labels for the Anchore upgrade job | `{}` | +| `upgradeJob.ttlSecondsAfterFinished` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | ### Ingress Parameters diff --git a/stable/enterprise/templates/_common.tpl b/stable/enterprise/templates/_common.tpl index c2a71daf..393dc574 100644 --- a/stable/enterprise/templates/_common.tpl +++ b/stable/enterprise/templates/_common.tpl @@ -62,7 +62,7 @@ Setup the common envFrom configs */}} {{- define "enterprise.common.envFrom" -}} - configMapRef: - name: {{ template "enterprise.fullname" . }}-config-env-vars + name: {{ .Release.Name }}-enterprise-config-env-vars {{- if not .Values.injectSecretsViaEnv }} {{- if .Values.useExistingSecrets }} - secretRef: 
@@ -287,11 +287,8 @@ Setup the common anchore volume mounts - name: config-volume mountPath: /config/config.yaml subPath: config.yaml -{{- $configmap := lookup "v1" "ConfigMap" .Release.Namespace "anchore-scripts" }} -{{- if $configmap }} -- name: anchore-scripts +- name: {{ .Release.Name -}}-enterprise-scripts mountPath: /scripts -{{- end }} {{- if .Values.certStoreSecretName }} - name: certs mountPath: /home/anchore/certs/ @@ -310,13 +307,10 @@ Setup the common anchore volumes - name: anchore-license secret: secretName: {{ .Values.licenseSecretName }} -{{- $configmap := lookup "v1" "ConfigMap" .Release.Namespace "anchore-scripts" }} -{{- if $configmap }} -- name: anchore-scripts +- name: {{ .Release.Name }}-enterprise-scripts configMap: - name: anchore-scripts + name: {{ .Release.Name }}-enterprise-scripts defaultMode: 0755 -{{- end }} - name: config-volume configMap: name: {{ template "enterprise.fullname" . }} diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index 4b33b193..1a90532a 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml +++ b/stable/enterprise/templates/envvars_configmap.yaml @@ -1,7 +1,7 @@ kind: ConfigMap apiVersion: v1 metadata: - name: {{ template "enterprise.fullname" . }}-config-env-vars + name: {{ .Release.Name }}-enterprise-config-env-vars namespace: {{ .Release.Namespace }} labels: {{- include "enterprise.common.labels" . | nindent 4 }} annotations: {{- include "enterprise.common.annotations" . | nindent 4 }} diff --git a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml index bcee1873..32d1d489 100644 --- a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml +++ b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml 
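Review bot: The volumeMounts entry in the first _common.tpl hunk writes the name as `{{ .Release.Name -}}-enterprise-scripts` while the matching volume in the second hunk uses `{{ .Release.Name }}-enterprise-scripts`; the trailing `-` only trims whitespace that follows the action, so with `-enterprise-scripts` adjacent there is nothing to trim and both render identically, but the asymmetry invites a later edit that makes the mount name and the volume name diverge. Use `- name: {{ .Release.Name }}-enterprise-scripts` in both places. Removing the `lookup`-guarded conditional also makes the /scripts mount unconditional, so a short comment at the volume such as `# always mounted; the scripts ConfigMap is rendered by this chart's scripts_configmap.yaml` would document why the guard went away. The enclosing `define` blocks for both hunks start outside the hunks.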
@@ -14,8 +14,8 @@ metadata: "helm.sh/hook-delete-policy": before-hook-creation {{- end }} spec: - {{- if ne (.Values.upgradeJob.ttlAfterCompletion | quote) (-1 | quote) }} - ttlSecondsAfterFinished: {{ .Values.upgradeJob.ttlAfterCompletion }} + {{- if ne (.Values.upgradeJob.ttlSecondsAfterFinished | quote) (-1 | quote) }} + ttlSecondsAfterFinished: {{ .Values.upgradeJob.ttlSecondsAfterFinished }} {{- end }} template: metadata: diff --git a/stable/enterprise/templates/migrate_pod.yaml b/stable/enterprise/templates/migrate_pod.yaml index e1e9b094..ff180b0f 100644 --- a/stable/enterprise/templates/migrate_pod.yaml +++ b/stable/enterprise/templates/migrate_pod.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: Pod metadata: - name: enterprise-migrate-db + name: {{ .Release.Name }}-enterprise-migrate-db namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/component: upgradejob @@ -13,7 +13,7 @@ spec: args: [ "sleep infinity" ] image: {{ .Values.migrationPodImage }} imagePullPolicy: {{ .Values.imagePullPolicy }} - name: enterprise-db-migrate + name: enterprise-migrate-db env: - name: NEW_DB_HOST value: {{ .Release.Name }}-postgresql diff --git a/stable/enterprise/templates/scripts_configmap.yaml b/stable/enterprise/templates/scripts_configmap.yaml index e36e4643..73c913aa 100644 --- a/stable/enterprise/templates/scripts_configmap.yaml +++ b/stable/enterprise/templates/scripts_configmap.yaml 
@@ -1,11 +1,9 @@ -{{- $component := "scripts" -}} - kind: ConfigMap apiVersion: v1 metadata: - name: anchore-scripts + name: {{ .Release.Name }}-enterprise-scripts namespace: {{ .Release.Namespace }} - labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} - annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} + labels: {{- include "enterprise.common.labels" . | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" . | nindent 4 }} data: {{ .Values.scripts | toYaml | nindent 2 }} diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 2cb3a861..743b3caa 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -481,7 +481,6 @@ should render the configmaps: bar: baz foo: bar labels: - app.kubernetes.io/component: scripts app.kubernetes.io/instance: test-release app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: test-release-enterprise @@ -490,7 +489,7 @@ should render the configmaps: bar: baz foo: bar helm.sh/chart: enterprise-9.9.9 - name: anchore-scripts + name: test-release-enterprise-scripts namespace: test-namespace 6: | apiVersion: v1 diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 63d99384..31e5261e 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml 
@@ -1210,11 +1210,11 @@ upgradeJob: ## labels: {} - ## @param upgradeJob.ttlAfterCompletion The time period in seconds the upgrade job, and it's related pods should be retained for + ## @param upgradeJob.ttlSecondsAfterFinished The time period in seconds the upgrade job, and it's related pods should be retained for ## Defaults to 0 == immediate deletion after completion ## Set this to -1 to disable deleting the job automatically (NOTE: This can cause issues with upgrades) ## - ttlAfterCompletion: -1 + ttlSecondsAfterFinished: -1 ############################## ## @section Ingress Parameters diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index aa2d8fb2..3f1be6c1 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: feeds type: application -version: "0.0.8" +version: "0.0.9" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: Anchore feeds service diff --git a/stable/feeds/README.md b/stable/feeds/README.md index 210443bb..f81c28e0 100644 --- a/stable/feeds/README.md +++ b/stable/feeds/README.md @@ -267,6 +267,7 @@ feeds-db: | `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | | `existingSecretName` | Name of the existing secret to be used for Anchore Feeds Service | `anchore-enterprise-feeds-env` | | `configOverride` | Allows for overriding the default Anchore configuration file | `{}` | +| `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | ### Anchore Feeds Configuration Parameters 
@@ -341,19 +342,20 @@ feeds-db: ### Anchore Feeds Upgrade Job Parameters -| Name | Description | Value | -| ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `feedsUpgradeJob.enabled` | Enable the Anchore Feeds database upgrade job | `true` | -| `feedsUpgradeJob.force` | Force the Anchore Feeds database upgrade job to run as a regular job instead of as a Helm hook | `false` | -| `feedsUpgradeJob.rbacCreate` | Create RBAC resources for the upgrade job | `true` | -| `feedsUpgradeJob.serviceAccountName` | Use an existing service account for the upgrade job | `""` | -| `feedsUpgradeJob.usePostUpgradeHook` | Use a Helm post-upgrade hook to run the upgrade job instead of the default pre-upgrade hook. This job does not require creating RBAC resources. | `false` | -| `feedsUpgradeJob.nodeSelector` | Node labels for the Anchore Feeds upgrade job pod assignment | `{}` | -| `feedsUpgradeJob.tolerations` | Tolerations for the Anchore Feeds upgrade job pod assignment | `[]` | -| `feedsUpgradeJob.affinity` | Affinity for the Anchore Feeds upgrade job pod assignment | `{}` | -| `feedsUpgradeJob.annotations` | Annotations for the Anchore Feeds upgrade job | `{}` | -| `feedsUpgradeJob.labels` | Labels for the Anchore Feeds upgrade job | `{}` | -| `feedsUpgradeJob.resources` | Resources for the Anchore Feeds upgrade job | `{}` | +| Name | Description | Value | +| ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `feedsUpgradeJob.enabled` | Enable the Anchore Feeds database upgrade job | `true` | +| `feedsUpgradeJob.force` | Force the Anchore Feeds database upgrade job to run as a regular job instead of as a Helm hook | `false` | +| `feedsUpgradeJob.rbacCreate` | Create RBAC resources for 
the upgrade job | `true` | +| `feedsUpgradeJob.serviceAccountName` | Use an existing service account for the upgrade job | `""` | +| `feedsUpgradeJob.usePostUpgradeHook` | Use a Helm post-upgrade hook to run the upgrade job instead of the default pre-upgrade hook. This job does not require creating RBAC resources. | `false` | +| `feedsUpgradeJob.nodeSelector` | Node labels for the Anchore Feeds upgrade job pod assignment | `{}` | +| `feedsUpgradeJob.tolerations` | Tolerations for the Anchore Feeds upgrade job pod assignment | `[]` | +| `feedsUpgradeJob.affinity` | Affinity for the Anchore Feeds upgrade job pod assignment | `{}` | +| `feedsUpgradeJob.annotations` | Annotations for the Anchore Feeds upgrade job | `{}` | +| `feedsUpgradeJob.labels` | Labels for the Anchore Feeds upgrade job | `{}` | +| `feedsUpgradeJob.resources` | Resources for the Anchore Feeds upgrade job | `{}` | +| `feedsUpgradeJob.ttlSecondsAfterFinished` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | ### Ingress Parameters diff --git a/stable/feeds/files/default_config.yaml b/stable/feeds/files/default_config.yaml index 83b55cc0..266fe303 100644 --- a/stable/feeds/files/default_config.yaml +++ b/stable/feeds/files/default_config.yaml @@ -1,5 +1,5 @@ service_dir: ${ANCHORE_SERVICE_DIR} -tmp_dir: ${ANCHORE_TMP_DIR} +tmp_dir: ${ANCHORE_FEEDS_TMP_DIR} log_level: ${ANCHORE_LOG_LEVEL} host_id: "${ANCHORE_HOST_ID}" diff --git a/stable/feeds/templates/deployment.yaml b/stable/feeds/templates/deployment.yaml index 030e8006..691a73e8 100644 --- a/stable/feeds/templates/deployment.yaml +++ b/stable/feeds/templates/deployment.yaml 
@@ -63,10 +63,10 @@ spec: name: feeds-api envFrom: - configMapRef: - name: {{ template "feeds.fullname" . }}-config-env-vars + name: {{ .Release.Name }}-feeds-config-env-vars {{- if not .Values.standalone }} - configMapRef: - name: {{ template "enterprise.fullname" . }}-config-env-vars + name: {{ .Release.Name }}-enterprise-config-env-vars {{- end }} {{- if not .Values.injectSecretsViaEnv }} {{- if .Values.useExistingSecrets }} @@ -90,7 +90,9 @@ spec: - name: anchore-license mountPath: /home/anchore/license.yaml subPath: license.yaml - {{- if (.Values.certStoreSecretName) }} + - name: anchore-scripts + mountPath: /scripts + {{- if .Values.certStoreSecretName }} - name: certs mountPath: /home/anchore/certs/ readOnly: true @@ -129,6 +131,10 @@ spec: - name: config-volume configMap: name: {{ template "feeds.fullname" . }} + - name: anchore-scripts + configMap: + name: {{ printf "%s-%s-scripts" .Release.Name (ternary "feeds" "enterprise" .Values.standalone) }} + defaultMode: 0755 - name: "anchore-scratch" {{- if .Values.scratchVolume.details }} {{- toYaml .Values.scratchVolume.details | nindent 10 }} diff --git a/stable/feeds/templates/anchore_vars_configmap.yaml b/stable/feeds/templates/envvars_configmap.yaml similarity index 97% rename from stable/feeds/templates/anchore_vars_configmap.yaml rename to stable/feeds/templates/envvars_configmap.yaml index 76426105..93e4eb3a 100644 --- a/stable/feeds/templates/anchore_vars_configmap.yaml +++ b/stable/feeds/templates/envvars_configmap.yaml @@ -1,7 +1,7 @@ kind: ConfigMap apiVersion: v1 metadata: - name: {{ template "feeds.fullname" . }}-config-env-vars + name: {{ .Release.Name }}-feeds-config-env-vars namespace: {{ .Release.Namespace }} labels: {{- include "feeds.common.labels" . | nindent 4 }} annotations: {{- include "feeds.common.annotations" . | nindent 4 }} 
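Review bot: The scripts volume added in the last deployment.yaml hunk resolves to `<release>-enterprise-scripts` whenever `standalone` is false, which silently assumes the parent enterprise chart renders a ConfigMap of exactly that name in the same release; nothing in this chart creates it, and a missing ConfigMap volume leaves the feeds pod unable to start with little hint as to why. A comment next to the `printf` such as `# non-standalone installs mount the parent enterprise chart's scripts ConfigMap (<release>-enterprise-scripts); it must exist in the same release` records that contract. The same cross-chart naming assumption applies to the `-enterprise-config-env-vars` configMapRef in the first hunk and to the equivalent envFrom hunks in both feeds upgrade_job.yaml templates.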
@@ -61,6 +61,7 @@ data: ANCHORE_FEEDS_GRYPEDB_PERSIST_WORKSPACE: "true" ANCHORE_FEEDS_GRYPEDB_RESTORE_WORKSPACE: "true" ANCHORE_FEEDS_PACKAGES_ENABLED: "false" + ANCHORE_FEEDS_TMP_DIR: "{{ .Values.scratchVolume.mountPath }}" ANCHORE_FEEDS_WORKSPACE_PRELOAD: "true" ANCHORE_GITHUB_TOKEN: "null" ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT: "0" @@ -88,4 +89,3 @@ data: ANCHORE_SSL_KEY: "null" {{- end }} ANCHORE_SSO_REQUIRES_EXISTING_USERS: "{{ .Values.anchoreConfig.user_authentication.sso_require_existing_users }}" - ANCHORE_TMP_DIR: "{{ .Values.scratchVolume.mountPath }}" diff --git a/stable/feeds/templates/hooks/post-upgrade/upgrade_job.yaml b/stable/feeds/templates/hooks/post-upgrade/upgrade_job.yaml index abeda2a3..44bdfaa4 100644 --- a/stable/feeds/templates/hooks/post-upgrade/upgrade_job.yaml +++ b/stable/feeds/templates/hooks/post-upgrade/upgrade_job.yaml @@ -86,10 +86,10 @@ spec: {{- end }} envFrom: - configMapRef: - name: {{ template "feeds.fullname" . }}-config-env-vars + name: {{ .Release.Name }}-feeds-config-env-vars {{- if not .Values.standalone }} - configMapRef: - name: {{ template "enterprise.fullname" . }}-config-env-vars + name: {{ .Release.Name }}-enterprise-config-env-vars {{- end }} {{- if not .Values.injectSecretsViaEnv }} {{- if .Values.useExistingSecrets }} diff --git a/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml index 0268a1aa..45f6c6fa 100644 --- a/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml +++ b/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml 
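Review bot: The first envvars_configmap.yaml hunk introduces `ANCHORE_FEEDS_TMP_DIR` and the second drops `ANCHORE_TMP_DIR`, but the reason is only in the commit message; a reader of the template cannot tell why the feeds chart stopped using the generic name. Since the deployment loads the parent chart's `-enterprise-config-env-vars` ConfigMap alongside this one in non-standalone installs, the rename presumably keeps the parent's `ANCHORE_TMP_DIR` from overriding the feeds scratch path. A comment above the new key such as `# feeds-specific name so the parent enterprise chart's ANCHORE_TMP_DIR cannot override the feeds scratch volume when both env configmaps are loaded` would make that explicit, and default_config.yaml now depends on this key being present.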
@@ -10,8 +10,12 @@ metadata: {{- if not .Values.feedsUpgradeJob.force }} "helm.sh/hook": pre-upgrade "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation {{- end }} spec: +{{- if ne (.Values.feedsUpgradeJob.ttlSecondsAfterFinished | quote) (-1 | quote) }} + ttlSecondsAfterFinished: {{ .Values.feedsUpgradeJob.ttlSecondsAfterFinished }} +{{- end }} template: metadata: name: {{ template "feeds.upgradeJob.fullname" . }} 
@@ -65,13 +69,44 @@ spec: args: - | kubectl scale deployments --all --replicas=0 -l app.kubernetes.io/name={{ template "feeds.fullname" . }}; - while [[ $(kubectl get pods -l app.kubernetes.io/name={{ template "feeds.fullname" . }} --field-selector=status.phase=Running --no-headers | tee /dev/stderr | wc -l) -gt 0 ]]; do echo 'waiting for pods to go down...' && sleep 5; done + while [[ $(kubectl get pods -l app.kubernetes.io/name={{ template "feeds.fullname" . }} --field-selector=status.phase=Running --no-headers | tee /dev/stderr | wc -l) -gt 0 ]]; do + echo 'waiting for pods to go down...' && sleep 5; + done {{- with .Values.containerSecurityContext }} securityContext: {{ toYaml . | nindent 12 }} {{- end }} {{- with .Values.feedsUpgradeJob.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} + - name: wait-for-db + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + env: {{- include "feeds.common.environment" . | nindent 12 }} + command: ["/bin/bash", "-c"] + args: + - | + while true; do + CONNSTR=postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}":"${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" + if [[ ${ANCHORE_FEEDS_DB_SSL_MODE} != null ]]; then + CONNSTR=${CONNSTR}?sslmode=${ANCHORE_FEEDS_DB_SSL_MODE} + fi + if [[ ${ANCHORE_FEEDS_DB_SSL_ROOT_CERT} != null ]]; then + CONNSTR=${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_FEEDS_DB_SSL_ROOT_CERT} + fi + err=$(anchore-enterprise-manager db --db-connect ${CONNSTR} pre-upgrade-check 2>&1 > /dev/null) + if [[ !$err ]]; then + echo "Database is ready" + exit 0 + fi + echo "Database is not ready yet, sleeping 10 seconds..." + sleep 10 + done + {{- with .Values.containerSecurityContext }} + securityContext: {{ toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.feedsUpgradeJob.resources }} + resources: {{- toYaml . 
| nindent 10 }} + {{- end }} containers: {{- if .Values.cloudsql.enabled }} {{- include "feeds.common.cloudsqlContainer" . | nindent 8 }} @@ -84,10 +119,10 @@ spec: {{- end }} envFrom: - configMapRef: - name: {{ template "feeds.fullname" . }}-config-env-vars + name: {{ .Release.Name }}-feeds-config-env-vars {{- if not .Values.standalone }} - configMapRef: - name: {{ template "enterprise.fullname" . }}-config-env-vars + name: {{ .Release.Name }}-enterprise-config-env-vars {{- end }} {{- if not .Values.injectSecretsViaEnv }} {{- if .Values.useExistingSecrets }} diff --git a/stable/feeds/templates/scripts_configmap.yaml b/stable/feeds/templates/scripts_configmap.yaml new file mode 100644 index 00000000..f65aac75 --- /dev/null +++ b/stable/feeds/templates/scripts_configmap.yaml @@ -0,0 +1,11 @@ +{{- if .Values.standalone }} +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ .Release.Name }}-feeds-scripts + namespace: {{ .Release.Namespace }} + labels: {{- include "feeds.common.labels" . | nindent 4 }} + annotations: {{- include "feeds.common.annotations" . | nindent 4 }} +data: + {{ .Values.scripts | toYaml | nindent 2 }} +{{- end }} diff --git a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap index 995d8add..4a2d8b89 100644 --- a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap @@ -6,7 +6,7 @@ should render the configmaps: # Anchore Feeds Service Configuration File, mounted from a configmap # service_dir: ${ANCHORE_SERVICE_DIR} - tmp_dir: ${ANCHORE_TMP_DIR} + tmp_dir: ${ANCHORE_FEEDS_TMP_DIR} log_level: ${ANCHORE_LOG_LEVEL} host_id: "${ANCHORE_HOST_ID}" diff --git a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index 397565e7..c0f3f490 100644 --- a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap 
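Review bot: The readiness test `if [[ !$err ]]; then` in the new wait-for-db init container never fails: `!$err` is a single word, so the test is a non-empty-string check on a word that always begins with `!`, and the loop prints "Database is ready" and exits 0 on the first pass regardless of what `anchore-enterprise-manager ... pre-upgrade-check` reported. Test the command's exit status instead, e.g. `if anchore-enterprise-manager db --db-connect "${CONNSTR}" pre-upgrade-check >/dev/null 2>&1; then`, which drops the stderr capture and also quotes the connection string that carries the database password. Two smaller points in the same block: `CONNSTR=${CONNSTR}&sslrootcert=...` is appended with `&` even when no `?sslmode=` was added, producing a malformed URL if only the root cert is set, and because the password travels in the container's argv the script should never echo `${CONNSTR}` in its diagnostics. The snapshot in prehook_upgrade_resources_test.yaml.snap reproduces the same lines and will need regenerating after the fix.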
+++ b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -101,9 +101,48 @@ should render proper initContainers: - args: - | kubectl scale deployments --all --replicas=0 -l app.kubernetes.io/name=test-release-feeds; - while [[ $(kubectl get pods -l app.kubernetes.io/name=test-release-feeds --field-selector=status.phase=Running --no-headers | tee /dev/stderr | wc -l) -gt 0 ]]; do echo 'waiting for pods to go down...' && sleep 5; done + while [[ $(kubectl get pods -l app.kubernetes.io/name=test-release-feeds --field-selector=status.phase=Running --no-headers | tee /dev/stderr | wc -l) -gt 0 ]]; do + echo 'waiting for pods to go down...' && sleep 5; + done command: - /bin/bash - -c image: bitnami/kubectl:1.27 name: scale-down-anchore + - args: + - | + while true; do + CONNSTR=postgresql://"${ANCHORE_FEEDS_DB_USER}":"${ANCHORE_FEEDS_DB_PASSWORD}"@"${ANCHORE_FEEDS_DB_HOST}":"${ANCHORE_FEEDS_DB_PORT}"/"${ANCHORE_FEEDS_DB_NAME}" + if [[ ${ANCHORE_FEEDS_DB_SSL_MODE} != null ]]; then + CONNSTR=${CONNSTR}?sslmode=${ANCHORE_FEEDS_DB_SSL_MODE} + fi + if [[ ${ANCHORE_FEEDS_DB_SSL_ROOT_CERT} != null ]]; then + CONNSTR=${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_FEEDS_DB_SSL_ROOT_CERT} + fi + err=$(anchore-enterprise-manager db --db-connect ${CONNSTR} pre-upgrade-check 2>&1 > /dev/null) + if [[ !$err ]]; then + echo "Database is ready" + exit 0 + fi + echo "Database is not ready yet, sleeping 10 seconds..." + sleep 10 + done + command: + - /bin/bash + - -c + env: + - name: foo + value: bar + - name: bar + value: baz + - name: ANCHORE_HOST_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-feeds + - name: ANCHORE_PORT + value: "8448" + image: docker.io/anchore/enterprise:v4.9.1 + imagePullPolicy: IfNotPresent + name: wait-for-db diff --git a/stable/feeds/tests/common_helpers_test.yaml b/stable/feeds/tests/common_helpers_test.yaml index 26291ef1..a34c3c84 100644 
--- a/stable/feeds/tests/common_helpers_test.yaml +++ b/stable/feeds/tests/common_helpers_test.yaml @@ -1,6 +1,6 @@ suite: Common Helper Template Tests templates: - - anchore_vars_configmap.yaml + - envvars_configmap.yaml - configmap.yaml - deployment.yaml - pvc.yaml @@ -17,7 +17,7 @@ chart: appVersion: 9.9.9 test_templates: &test_templates - - anchore_vars_configmap.yaml + - envvars_configmap.yaml - configmap.yaml - deployment.yaml - pvc.yaml diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml index 9c90b553..d2e18fa8 100644 --- a/stable/feeds/values.yaml +++ b/stable/feeds/values.yaml @@ -215,6 +215,19 @@ existingSecretName: anchore-enterprise-feeds-env ## configOverride: {} +## @param scripts [object] Collection of helper scripts usable in all anchore enterprise pods +## +scripts: + anchore-config: | + #!/bin/bash + while IFS= read -r line; do + while [[ "$line" =~ (\$\{[a-zA-Z_][a-zA-Z_0-9]*\}) ]]; do + VAR_NAME=${BASH_REMATCH[1]#*\{}; VAR_NAME=${VAR_NAME%\}}; + line=${line//${BASH_REMATCH[1]}/${!VAR_NAME}}; + done; + printf '%s\n' "$line"; + done < /config/config.yaml + ##################################################################### ## @section Anchore Feeds Configuration Parameters ## Params used for all Anchore Feeds service configuration files @@ -496,6 +509,12 @@ feedsUpgradeJob: ## resources: {} + ## @param feedsUpgradeJob.ttlSecondsAfterFinished The time period in seconds the upgrade job, and it's related pods should be retained for + ## Defaults to 0 == immediate deletion after completion + ## Set this to -1 to disable deleting the job automatically (NOTE: This can cause issues with upgrades) + ## + ttlSecondsAfterFinished: -1 + ############################## ## @section Ingress Parameters ############################## From ef26ff2fc1fc610c4a044c7e2afa0116ef27d623 Mon Sep 17 00:00:00 2001 
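Review bot: `while IFS= read -r line; do ... done < /config/config.yaml` in the new `anchore-config` script skips the final line of the file when it lacks a trailing newline, because `read` returns non-zero on that partial line and the loop body never runs for it. The usual guard is `while IFS= read -r line || [[ -n "$line" ]]; do`. A comment above the script is also worth adding: it prints the rendered config to stdout with every `${VAR}` placeholder replaced by the value of that environment variable via `${!VAR_NAME}`, which presumably includes credentials injected from secrets, so its output should not be redirected into logs or shared volumes.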
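Review bot: The new `feedsUpgradeJob.ttlSecondsAfterFinished` comment says `Defaults to 0 == immediate deletion after completion`, but the default written two lines below is `-1`, which the pre-upgrade upgrade_job.yaml template treats as "do not set ttlSecondsAfterFinished", so the job is retained until the next hook run rather than deleted. Reword to `## Set to 0 for immediate deletion after completion; defaults to -1, which leaves the job in place (NOTE: a retained job can cause issues with upgrades)`. The enterprise values.yaml hunk earlier in this patch carries the same wording for `upgradeJob.ttlSecondsAfterFinished` and should be corrected alongside.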
From: Hung Nguyen Date: Tue, 26 Sep 2023 15:22:58 -0400 Subject: [PATCH 224/329] Readme updates enterprise (#135) * updating migration script to add postgres user if not specified * fixing tests for script change * minor additions to README of enterprise * adding bit about migration anchore engine secret name in readme * adding section about existing secrets to migration prerequisites * update exec pod name in README * bumping chart version --------- Signed-off-by: Hung Nguyen --- scripts/enterprise-value-converter/helpers.py | 4 + .../test_convert_values_file_result.yaml | 3 + .../test_anchoreAnalyzer_value_mapping.py | 29 +++-- .../tests/test_anchoreApi_value_mapping.py | 23 ++-- .../test_anchoreCatalog_value_mapping.py | 28 +++-- ...t_anchoreEngineUpgradeJob_value_mapping.py | 14 +-- ...nterpriseEngineUpgradeJob_value_mapping.py | 18 +-- ...EnterpriseFeedsUpgradeJob_value_mapping.py | 18 +-- ...st_anchoreEnterpriseFeeds_value_mapping.py | 64 +++++----- ...reEnterpriseNotifications_value_mapping.py | 26 ++-- ...est_anchoreEnterpriseRbac_value_mapping.py | 28 ++--- ..._anchoreEnterpriseReports_value_mapping.py | 31 +++-- .../test_anchoreEnterpriseUi_value_mapping.py | 50 +++++--- .../tests/test_anchoreGlobal_value_mapping.py | 114 ++++++++++-------- .../test_anchorePolicyEngine_value_mapping.py | 24 ++-- .../test_anchoreSimpleQueue_value_mapping.py | 22 ++-- .../tests/test_helpers.py | 2 + stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 36 ++++-- 19 files changed, 308 insertions(+), 228 deletions(-) diff --git a/scripts/enterprise-value-converter/helpers.py b/scripts/enterprise-value-converter/helpers.py index 252c090a..5acd1e9b 100644 --- a/scripts/enterprise-value-converter/helpers.py +++ b/scripts/enterprise-value-converter/helpers.py 
@@ -115,6 +115,10 @@ def replace_keys_with_mappings(dot_string_dict, results_dir): env_var_mapping = {**enterprise_env_var_mapping, **feeds_env_var_mapping} logs_dir = f"{results_dir}/logs" + if not dot_string_dict.get("postgresql.postgresUser"): + log_file_name = "info.log" + write_to_file(f"setting postgres user as anchoreengine as one was not set and this value was changed in enterprise.\n", os.path.join(logs_dir, log_file_name), "a") + dot_string_dict["postgresql.postgresUser"] = "anchoreengine" if not dot_string_dict.get("anchoreGlobal.hashedPasswords"): log_file_name = "warning.log" write_to_file(f"hashedPasswords is not currently used. You should _really_ consider using it. Please see docs on how to migrate to hashed passwords.\n", os.path.join(logs_dir, log_file_name), "a") diff --git a/scripts/enterprise-value-converter/tests/configs/test_convert_values_file_result.yaml b/scripts/enterprise-value-converter/tests/configs/test_convert_values_file_result.yaml index 80be9ff8..312a5a3e 100644 --- a/scripts/enterprise-value-converter/tests/configs/test_convert_values_file_result.yaml +++ b/scripts/enterprise-value-converter/tests/configs/test_convert_values_file_result.yaml @@ -15,3 +15,6 @@ "extraEnv": - "name": "ANCHORE_MAX_REQUEST_THREADS" "value": "9876543210" +"postgresql": + "auth": + "username": "anchoreengine" \ No newline at end of file diff --git a/scripts/enterprise-value-converter/tests/test_anchoreAnalyzer_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreAnalyzer_value_mapping.py index 0afacc04..2f00ae51 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreAnalyzer_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreAnalyzer_value_mapping.py 
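Review bot: The new info message `f"setting postgres user as anchoreengine as one was not set and this value was changed in enterprise.\n"` is an f-string with no placeholders; drop the `f` prefix so linters stop flagging it (the existing warning line below has the same issue but is not new here). The branch also writes `dot_string_dict["postgresql.postgresUser"]` into the caller's dict, so the defaulting is visible to the caller as a side effect; if that is intended, a one-line comment such as `# default the legacy engine DB user; the enterprise chart no longer assumes it` would make the intent explicit. replace_keys_with_mappings begins outside the hunk.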
@@ -17,7 +17,7 @@ def test_anchoreAnalyzer_replicaCount_value(self): dot_string_dict = { "anchoreAnalyzer.replicaCount": 2, } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'analyzer': { 'replicaCount': 2 } @@ -29,7 +29,7 @@ def test_anchoreAnalyzer_containerPort_value(self): dot_string_dict = { "anchoreAnalyzer.containerPort": 8084, } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'analyzer': { 'service': { 'port': 8084 @@ -48,7 +48,7 @@ def test_anchoreAnalyzer_extraEnv_value(self): } ] } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'analyzer': { 'extraEnv': [ { @@ -65,7 +65,7 @@ def test_anchoreAnalyzer_serviceAccountName_value(self): dot_string_dict = { "anchoreAnalyzer.serviceAccountName": "foo", } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'analyzer': { 'serviceAccountName': 'foo' } 
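Review bot: Every `expected_result` in this file now repeats `'postgresql': {'auth': {'username': 'anchoreengine'}}` next to the existing `hashed_passwords` stanza, so the next converter-wide default will touch every test method again, as this change did across all hunks of this file and, per the diffstat, the other value-mapping test files. A module-level constant such as `BASE_EXPECTED = {'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}}` merged into each expected dict would keep each assertion focused on the value under test. Each test method shown begins outside its hunk.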
@@ -80,7 +80,7 @@ def test_anchoreAnalyzer_resources_value(self): "anchoreAnalyzer.resources.requests.cpu": 1, "anchoreAnalyzer.resources.requests.memory": "1G", } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'analyzer': { 'resources': { 'limits': { @@ -103,7 +103,7 @@ def test_anchoreAnalyzer_labels_value(self): "anchoreAnalyzer.labels.value": "bar", "anchoreAnalyzer.labels.kubernetes.io/description": "baz", } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'analyzer': { 'labels': { @@ -122,7 +122,7 @@ def test_anchoreAnalyzer_annotations_value(self): "anchoreAnalyzer.annotations.value": "bar", "anchoreAnalyzer.annotations.kubernetes.io/description": "baz", } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'analyzer': { 'annotations': { @@ -140,7 +140,7 @@ def test_anchoreanalyzer_deploymentAnnotations_value(self): "anchoreAnalyzer.deploymentAnnotations.name": "foo", "anchoreAnalyzer.deploymentAnnotations.value": "bar", } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'analyzer': { 'deploymentAnnotations': { 'name': 'foo', 
@@ -157,7 +157,7 @@ def test_anchoreAnalyzer_nodeSelector_value(self):
 "anchoreAnalyzer.nodeSelector.value": "bar",
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'analyzer': {
 'nodeSelector': {
@@ -179,7 +179,7 @@ def test_anchoreAnalyzer_tolerations_value(self):
 }
 ]
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'analyzer': {
 'tolerations': [
 {
@@ -197,7 +197,7 @@ def test_anchoreAnalyzer_affinity_value(self):
 "anchoreAnalyzer.affinity.name": "foo",
 "anchoreAnalyzer.affinity.value": "bar",
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'analyzer': {
 'affinity': {
 'name': 'foo',
@@ -213,6 +213,7 @@ def test_anchoreAnalyzer_cycleTimers_image_analyzer_value(self):
 "anchoreAnalyzer.cycleTimers.image_analyzer": 1,
 }
 expected_result = {
+ 'postgresql': {'auth': {'username': 'anchoreengine'}},
 'anchoreConfig': {
 'user_authentication': {'hashed_passwords': False},
 'analyzer': {
@@ -231,6 +232,7 @@ def test_anchoreAnalyzer_concurrentTasksPerWorker_value(self):
 "anchoreAnalyzer.concurrentTasksPerWorker": 1,
 }
 expected_result = {
+ 'postgresql': {'auth': {'username': 'anchoreengine'}},
 'anchoreConfig': {
 'user_authentication': {'hashed_passwords': False},
 'analyzer': {
@@ -247,6 +249,7 @@ def test_anchoreAnalyzer_layerCacheMaxGigabytes_value(self):
 "anchoreAnalyzer.layerCacheMaxGigabytes": 1,
 }
 expected_result = {
+ 'postgresql': {'auth': {'username': 'anchoreengine'}},
 'anchoreConfig': {
 'user_authentication': {'hashed_passwords': False},
 'analyzer': {
@@ -263,6 +266,7 @@ def test_anchoreAnalyzer_enableHints_value(self):
 "anchoreAnalyzer.enableHints": False,
 }
 expected_result = {
+ 'postgresql': {'auth': {'username': 'anchoreengine'}},
 'anchoreConfig': {
 'user_authentication': {'hashed_passwords': False},
 'analyzer': {
@@ -297,6 +301,7 @@ def test_anchoreAnalyzer_configFile_value(self):
 "anchoreAnalyzer.configFile.malware.clamav.db_update_enabled": True,
 }
 expected_result = {
+ 'postgresql': {'auth': {'username': 'anchoreengine'}},
 'anchoreConfig': {
 'user_authentication': {'hashed_passwords': False},
 'analyzer': {
@@ -346,5 +351,5 @@ def test_enableOwnedPackageFiltering_value(self):
 }
 }
 result = replace_keys_with_mappings(dot_string_dict, self.results_dir)
- self.assertEqual(result[0], {'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}})
+ self.assertEqual(result[0], {'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}})
 self.assertEqual(result[1], expected_result)
diff --git a/scripts/enterprise-value-converter/tests/test_anchoreApi_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreApi_value_mapping.py
index 8edde953..d6c2f215 100644
--- a/scripts/enterprise-value-converter/tests/test_anchoreApi_value_mapping.py
+++ b/scripts/enterprise-value-converter/tests/test_anchoreApi_value_mapping.py
@@ -17,7 +17,7 @@ def test_anchoreApi_replicaCount_value(self):
 dot_string_dict = {
 "anchoreApi.replicaCount": 2,
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'api': {
 'replicaCount': 2
 }
@@ -34,7 +34,7 @@ def test_anchoreApi_extraEnv_value(self):
 }
 ]
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'api': {
 'extraEnv': [
 {
@@ -59,7 +59,7 @@ def test_anchoreApi_service_value(self):
 "anchoreApi.service.labels.with.a.dot.foobar": "baz"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'api': {
 'service': {
 "name": "null",
@@ -84,7 +84,7 @@ def test_anchoreApi_serviceAccountName_value(self):
 dot_string_dict = {
 "anchoreApi.serviceAccountName": "Null"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'api': {
 'serviceAccountName': "Null"
 }
@@ -100,7 +100,7 @@ def test_anchoreApi_resources_value(self):
 "anchoreApi.resources.requests.memory": "1G",
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'api': {
 'resources': {
 'limits': {
@@ -123,7 +123,7 @@ def test_anchoreApi_labels_value(self):
 "anchoreApi.labels.value": "bar",
 "anchoreApi.labels.anotherLabel.with.a.dot": "baz",
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'api': {
 'labels': {
@@ -141,7 +141,7 @@ def test_anchoreApi_annotations_value(self):
 "anchoreApi.annotations.foo": "bar",
 "anchoreApi.annotations.baz": "qux"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'api': {
 'annotations': {
@@ -158,7 +158,7 @@ def test_anchoreApi_deploymentAnnotations_value(self):
 "anchoreApi.deploymentAnnotations.name": "foo",
 "anchoreApi.deploymentAnnotations.mydot.value": "bar"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'api': {
 'deploymentAnnotations': {
 'name': 'foo',
@@ -174,7 +174,7 @@ def test_anchoreApi_nodeSelector_value(self):
 "anchoreApi.nodeSelector.name": "foo",
 "anchoreApi.nodeSelector.value": "bar"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'api': {
 'nodeSelector': {
@@ -195,7 +195,7 @@ def test_anchoreApi_tolerations_value(self):
 }
 ]
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'api': {
 'tolerations': [
 {
@@ -213,7 +213,7 @@ def test_anchoreApi_affinity_value(self):
 "anchoreApi.affinity.name": "foo",
 "anchoreApi.affinity.value": "bar"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'api': {
 'affinity': {
 'name': 'foo',
@@ -231,6 +231,7 @@ def test_anchoreApi_external_value(self):
 "anchoreApi.external.port": 8443
 }
 expected_result = {
+ 'postgresql': {'auth': {'username': 'anchoreengine'}},
 'anchoreConfig': {
 'user_authentication': {'hashed_passwords': False},
 'apiext': {
diff --git a/scripts/enterprise-value-converter/tests/test_anchoreCatalog_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreCatalog_value_mapping.py
index f045ca88..a04a571b 100644
--- a/scripts/enterprise-value-converter/tests/test_anchoreCatalog_value_mapping.py
+++ b/scripts/enterprise-value-converter/tests/test_anchoreCatalog_value_mapping.py
@@ -17,7 +17,7 @@ def test_anchoreCatalog_replicaCount_value(self):
 dot_string_dict = {
 "anchoreCatalog.replicaCount": 2,
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'catalog': {
 'replicaCount': 2
 }
@@ -34,7 +34,7 @@ def test_anchoreCatalog_extraEnv_value(self):
 }
 ]
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'catalog': {
 'extraEnv': [
 {
@@ -51,7 +51,7 @@ def test_anchoreCatalog_serviceAccountName_value(self):
 dot_string_dict = {
 "anchoreCatalog.serviceAccountName": "Null"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'catalog': {
 'serviceAccountName': "Null"
 }
@@ -70,7 +70,7 @@ def test_anchoreCatalog_service_value(self):
 "anchoreCatalog.service.labels.foobar": "baz",
 "anchoreCatalog.service.labels.with.a.dot": "qux"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'catalog': {
 'service': {
 "name": "Null",
@@ -98,7 +98,7 @@ def test_anchoreCatalog_resources_value(self):
 "anchoreCatalog.resources.requests.cpu": 1,
 "anchoreCatalog.resources.requests.memory": "1G"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'catalog': {
 'resources': {
 'limits': {
@@ -121,7 +121,7 @@ def test_anchoreCatalog_labels_value(self):
 "anchoreCatalog.labels.myOtherLabel": "myOtherValue",
 "anchoreCatalog.labels.anotherLabel.with.a.dot": "qux"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'catalog': {
 'labels': {
@@ -140,7 +140,7 @@ def test_anchoreCatalog_annotations_value(self):
 "anchoreCatalog.annotations.bar": "baz",
 "anchoreCatalog.annotations.anotherLabel.with.a.dot": "qux"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'catalog': {
 'annotations': {
@@ -160,7 +160,7 @@ def test_anchoreCatalog_deploymentAnnotations_value(self):
 "anchoreCatalog.deploymentAnnotations.bar": "baz",
 "anchoreCatalog.deploymentAnnotations.anotherLabel.with.a.dot": "qux"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'catalog': {
 'deploymentAnnotations': {
@@ -179,7 +179,7 @@ def test_anchoreCatalog_nodeSelector_value(self):
 "anchoreCatalog.nodeSelector.value": "bar",
 "anchoreCatalog.nodeSelector.anotherLabel.with.a.dot": "baz"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'catalog': {
 'nodeSelector': {
@@ -201,7 +201,7 @@ def test_anchoreCatalog_tolerations_value(self):
 }
 ]
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'catalog': {
 'tolerations': [
 {
@@ -220,7 +220,7 @@ def test_anchoreCatalog_affinity_value(self):
 "anchoreCatalog.affinity.value": "bar",
 "anchoreCatalog.affinity.anotherLabel.with.a.dot": "baz"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'catalog': {
 'affinity':{
 'name': 'foo',
@@ -249,6 +249,7 @@ def test_anchoreCatalog_cycleTimers_value(self):
 }
 expected_result = {
+ 'postgresql': {'auth': {'username': 'anchoreengine'}},
 'anchoreConfig': {
 'user_authentication': {'hashed_passwords': False},
 'catalog': {
@@ -282,6 +283,7 @@ def test_anchoreCatalog_events_value(self):
 }
 expected_result = {
+ 'postgresql': {'auth': {'username': 'anchoreengine'}},
 'anchoreConfig': {
 'user_authentication': {'hashed_passwords': False},
 'catalog': {
@@ -316,6 +318,7 @@ def test_anchoreCatalog_analysis_archive_value(self):
 }
 expected_result = {
+ 'postgresql': {'auth': {'username': 'anchoreengine'}},
 'anchoreConfig': {
 'user_authentication': {'hashed_passwords': False},
 'catalog': {
@@ -353,6 +356,7 @@ def test_anchoreCatalog_object_store_value(self):
 }
 expected_result = {
+ 'postgresql': {'auth': {'username': 'anchoreengine'}},
 'anchoreConfig': {
 'user_authentication': {'hashed_passwords': False},
 'catalog': {
@@ -378,6 +382,7 @@ def test_anchoreCatalog_runtimeInventory_value(self):
 }
 expected_result = {
+ 'postgresql': {'auth': {'username': 'anchoreengine'}},
 'anchoreConfig': {
 'user_authentication': {'hashed_passwords': False},
 'catalog': {
@@ -396,6 +401,7 @@ def test_anchoreCatalog_downAnalyzerTaskRequeue_value(self):
 }
 expected_result = {
+ 'postgresql': {'auth': {'username': 'anchoreengine'}},
 'anchoreConfig': {
 'user_authentication': {'hashed_passwords': False},
 'catalog': {
diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEngineUpgradeJob_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEngineUpgradeJob_value_mapping.py
index 2231e233..6e8c5977 100644
--- a/scripts/enterprise-value-converter/tests/test_anchoreEngineUpgradeJob_value_mapping.py
+++ b/scripts/enterprise-value-converter/tests/test_anchoreEngineUpgradeJob_value_mapping.py
@@ -17,7 +17,7 @@ def test_anchoreEngineUpgradeJob_enabled_value(self):
 dot_string_dict = {
 "anchoreEngineUpgradeJob.enabled": True
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},}
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},}
 result = replace_keys_with_mappings(dot_string_dict, self.results_dir)
 self.assertEqual(result[0], expected_result)
@@ -28,7 +28,7 @@ def test_anchoreEngineUpgradeJob_resources_value(self):
 "anchoreEngineUpgradeJob.resources.requests.cpu": 1,
 "anchoreEngineUpgradeJob.resources.requests.memory": "1G"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},}
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},}
 result = replace_keys_with_mappings(dot_string_dict, self.results_dir)
 self.assertEqual(result[0], expected_result)
@@ -38,7 +38,7 @@ def test_anchoreEngineUpgradeJob_labels_value(self):
 "anchoreEngineUpgradeJob.labels.myOtherLabel": "myOtherValue",
 "anchoreEngineUpgradeJob.labels.anotherLabel.with.a.dot": "qux"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},}
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},}
 result = replace_keys_with_mappings(dot_string_dict, self.results_dir)
 self.assertEqual(result[0], expected_result)
@@ -48,7 +48,7 @@ def test_anchoreEngineUpgradeJob_annotations_value(self):
 "anchoreEngineUpgradeJob.annotations.bar": "baz",
 "anchoreEngineUpgradeJob.annotations.anotherLabel.with.a.dot": "qux"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},}
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},}
 result = replace_keys_with_mappings(dot_string_dict, self.results_dir)
 self.assertEqual(result[0], expected_result)
@@ -58,7 +58,7 @@ def test_anchoreEngineUpgradeJob_nodeSelector_value(self):
 "anchoreEngineUpgradeJob.nodeSelector.value": "bar",
 "anchoreEngineUpgradeJob.nodeSelector.anotherLabel.with.a.dot": "baz"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},}
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},}
 result = replace_keys_with_mappings(dot_string_dict, self.results_dir)
 self.assertEqual(result[0], expected_result)
@@ -71,7 +71,7 @@ def test_anchoreEngineUpgradeJob_tolerations_value(self):
 }
 ]
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},}
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},}
 result = replace_keys_with_mappings(dot_string_dict, self.results_dir)
 self.assertEqual(result[0], expected_result)
@@ -81,6 +81,6 @@ def test_anchoreEngineUpgradeJob_affinity_value(self):
 "anchoreEngineUpgradeJob.affinity.value": "bar",
 "anchoreEngineUpgradeJob.affinity.anotherLabel.with.a.dot": "baz"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},}
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},}
 result = replace_keys_with_mappings(dot_string_dict, self.results_dir)
 self.assertEqual(result[0], expected_result)
diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py
index b7e9de79..cd71e864 100644
--- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py
+++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py
@@ -17,7 +17,7 @@ def test_anchoreEnterpriseEngineUpgradeJob_enabled_value(self):
 dot_string_dict = {
 "anchoreEnterpriseEngineUpgradeJob.enabled": True
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'upgradeJob': {
 'enabled': True
 }
@@ -32,7 +32,7 @@ def test_anchoreEnterpriseEngineUpgradeJob_resources_value(self):
 "anchoreEnterpriseEngineUpgradeJob.resources.requests.cpu": 1,
 "anchoreEnterpriseEngineUpgradeJob.resources.requests.memory": "1G"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'upgradeJob': {
 'resources': {
 'limits': {
@@ -56,7 +56,7 @@ def test_anchoreEnterpriseEngineUpgradeJob_labels_value(self):
 "anchoreEnterpriseEngineUpgradeJob.labels.myOtherLabel": "myOtherValue",
 "anchoreEnterpriseEngineUpgradeJob.labels.anotherLabel.with.a.dot": "qux"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'upgradeJob': {
 'labels': {
@@ -75,7 +75,7 @@ def test_anchoreEnterpriseEngineUpgradeJob_annotations_value(self):
 "anchoreEnterpriseEngineUpgradeJob.annotations.bar": "baz",
 "anchoreEnterpriseEngineUpgradeJob.annotations.anotherLabel.with.a.dot": "qux"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'upgradeJob': {
 'annotations': {
@@ -95,7 +95,7 @@ def test_anchoreEnterpriseEngineUpgradeJob_nodeSelector_value(self):
 "anchoreEnterpriseEngineUpgradeJob.nodeSelector.value": "bar",
 "anchoreEnterpriseEngineUpgradeJob.nodeSelector.anotherLabel.with.a.dot": "baz"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'upgradeJob': {
 'nodeSelector': {
@@ -117,7 +117,7 @@ def test_anchoreEnterpriseEngineUpgradeJob_tolerations_value(self):
 }
 ]
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'upgradeJob': {
 'tolerations': [
 {
@@ -136,7 +136,7 @@ def test_anchoreEnterpriseEngineUpgradeJob_affinity_value(self):
 "anchoreEnterpriseEngineUpgradeJob.affinity.value": "bar",
 "anchoreEnterpriseEngineUpgradeJob.affinity.anotherLabel.with.a.dot": "baz"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'upgradeJob': {
 'affinity':{
 'name': 'foo',
@@ -157,7 +157,7 @@ def test_anchoreEnterpriseEngineUpgradeJob_extraEnv_value(self):
 }
 ]
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'upgradeJob': {
 'extraEnv': [
 {
@@ -174,7 +174,7 @@ def test_anchoreEnterpriseEngineUpgradeJob_serviceAccountName_value(self):
 dot_string_dict = {
 "anchoreEnterpriseEngineUpgradeJob.serviceAccountName": "Null"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'upgradeJob': {
 'serviceAccountName': "Null"
 }
diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py
index 88fb2630..988f1fef 100644
--- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py
+++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py
@@ -17,7 +17,7 @@ def test_anchoreEnterpriseFeedsUpgradeJob_enabled_value(self):
 dot_string_dict = {
 "anchoreEnterpriseFeedsUpgradeJob.enabled": True,
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'feedsUpgradeJob': {
 'enabled': True
@@ -34,7 +34,7 @@ def test_anchoreEnterpriseFeedsUpgradeJob_resources_value(self):
 "anchoreEnterpriseFeedsUpgradeJob.resources.requests.cpu": 1,
 "anchoreEnterpriseFeedsUpgradeJob.resources.requests.memory": "1G"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'feedsUpgradeJob': {
 'resources': {
@@ -60,7 +60,7 @@ def test_anchoreEnterpriseFeedsUpgradeJob_labels_value(self):
 "anchoreEnterpriseFeedsUpgradeJob.labels.myOtherLabel": "myOtherValue",
 "anchoreEnterpriseFeedsUpgradeJob.labels.anotherLabel.with.a.dot": "qux"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'feedsUpgradeJob': {
 'labels':
@@ -81,7 +81,7 @@ def test_anchoreEnterpriseFeedsUpgradeJob_annotations_value(self):
 "anchoreEnterpriseFeedsUpgradeJob.annotations.bar": "baz",
 "anchoreEnterpriseFeedsUpgradeJob.annotations.anotherLabel.with.a.dot": "qux"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'feedsUpgradeJob': {
 'annotations':
@@ -102,7 +102,7 @@ def test_anchoreEnterpriseFeedsUpgradeJob_nodeSelector_value(self):
 "anchoreEnterpriseFeedsUpgradeJob.nodeSelector.value": "bar",
 "anchoreEnterpriseFeedsUpgradeJob.nodeSelector.anotherLabel.with.a.dot": "baz"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'feedsUpgradeJob': {
 'nodeSelector':
@@ -126,7 +126,7 @@ def test_anchoreEnterpriseFeedsUpgradeJob_tolerations_value(self):
 }
 ]
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'feedsUpgradeJob': {
 'tolerations': [
@@ -147,7 +147,7 @@ def test_anchoreEnterpriseFeedsUpgradeJob_affinity_value(self):
 "anchoreEnterpriseFeedsUpgradeJob.affinity.value": "bar",
 "anchoreEnterpriseFeedsUpgradeJob.affinity.anotherLabel.with.a.dot": "baz"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'feedsUpgradeJob': {
 'affinity':{
@@ -170,7 +170,7 @@ def test_anchoreEnterpriseFeedsUpgradeJob_extraEnv_value(self):
 }
 ]
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'feedsUpgradeJob': {
 'extraEnv': [
@@ -189,7 +189,7 @@ def test_anchoreEnterpriseFeedsUpgradeJob_serviceAccountName_value(self):
 dot_string_dict = {
 "anchoreEnterpriseFeedsUpgradeJob.serviceAccountName": "Null"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'feedsUpgradeJob': {
 'serviceAccountName': "Null"
diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeeds_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeeds_value_mapping.py
index 16e946ee..d622f560 100644
--- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeeds_value_mapping.py
+++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeeds_value_mapping.py
@@ -17,7 +17,7 @@ def test_anchoreEnterpriseFeeds_enabled_value(self):
 dot_string_dict = {
 "anchoreEnterpriseFeeds.enabled": True,
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'chartEnabled': True
 }
@@ -29,7 +29,7 @@ def test_anchoreEnterpriseFeeds_replicaCount_value(self):
 dot_string_dict = {
 "anchoreEnterpriseFeeds.replicaCount": 2,
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'replicaCount': 2
 }
@@ -45,7 +45,7 @@ def test_anchoreEnterpriseFeeds_resources_value(self):
 "anchoreEnterpriseFeeds.resources.requests.cpu": 1,
 "anchoreEnterpriseFeeds.resources.requests.memory": "1G"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'resources': {
 'limits': {
@@ -69,7 +69,7 @@ def test_anchoreEnterpriseFeeds_labels_value(self):
 "anchoreEnterpriseFeeds.labels.myOtherLabel": "myOtherValue",
 "anchoreEnterpriseFeeds.labels.anotherLabel.with.a.dot": "qux"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'labels': {
@@ -88,7 +88,7 @@ def test_anchoreEnterpriseFeeds_annotations_value(self):
 "anchoreEnterpriseFeeds.annotations.bar": "baz",
 "anchoreEnterpriseFeeds.annotations.anotherLabel.with.a.dot": "qux"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'annotations': {
@@ -108,7 +108,7 @@ def test_anchoreEnterpriseFeeds_deploymentAnnotations_value(self):
 "anchoreEnterpriseFeeds.deploymentAnnotations.bar": "baz",
 "anchoreEnterpriseFeeds.deploymentAnnotations.anotherLabel.with.a.dot": "qux"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'deploymentAnnotations': {
@@ -127,7 +127,7 @@ def test_anchoreEnterpriseFeeds_nodeSelector_value(self):
 "anchoreEnterpriseFeeds.nodeSelector.value": "bar",
 "anchoreEnterpriseFeeds.nodeSelector.anotherLabel.with.a.dot": "baz"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'nodeSelector': {
@@ -149,7 +149,7 @@ def test_anchoreEnterpriseFeeds_tolerations_value(self):
 }
 ]
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'tolerations': [
 {
@@ -168,7 +168,7 @@ def test_anchoreEnterpriseFeeds_affinity_value(self):
 "anchoreEnterpriseFeeds.affinity.value": "bar",
 "anchoreEnterpriseFeeds.affinity.anotherLabel.with.a.dot": "baz"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'affinity':{
 'name': 'foo',
@@ -189,7 +189,7 @@ def test_anchoreEnterpriseFeeds_extraEnv_value(self):
 }
 ]
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'extraEnv': [
 {
@@ -206,7 +206,7 @@ def test_anchoreEnterpriseFeeds_serviceAccountName_value(self):
 dot_string_dict = {
 "anchoreEnterpriseFeeds.serviceAccountName": "Null"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'serviceAccountName': "Null"
 }
@@ -226,7 +226,7 @@ def test_anchoreEnterpriseFeeds_service_value(self):
 "anchoreEnterpriseFeeds.service.labels.foobar": "baz",
 "anchoreEnterpriseFeeds.service.labels.with.a.dot": "qux"
 }
- expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
+ expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
 'feeds': {
 'service': {
 "name": "Null",
@@ -251,7 +251,7 @@ def test_anchoreEnterpriseFeeds_url_value(self): dot_string_dict = { "anchoreEnterpriseFeeds.url": "https://myhostname:9999" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'url': "https://myhostname:9999" } @@ -273,7 +273,7 @@ def test_anchoreEnterpriseFeeds_driver_values(self): ] } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'anchoreConfig': { 'feeds': { @@ -297,7 +297,7 @@ def test_anchoreEnterpriseFeeds_ubuntuExtraReleases_values(self): "anchoreEnterpriseFeeds.ubuntuExtraReleases.kinetic": "22.10" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'anchoreConfig': { 'feeds': { @@ -321,7 +321,7 @@ def test_anchoreEnterpriseFeeds_ubuntuExtraReleases_empty_values(self): "anchoreEnterpriseFeeds.ubuntuExtraReleases": {} } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'anchoreConfig': { 'feeds': { 
@@ -343,7 +343,7 @@ def test_anchoreEnterpriseFeeds_debianExtraReleases_values(self): "anchoreEnterpriseFeeds.debianExtraReleases.trixie": "13" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'anchoreConfig': { 'feeds': { @@ -367,7 +367,7 @@ def test_anchoreEnterpriseFeeds_debianExtraReleases_empty_values(self): "anchoreEnterpriseFeeds.debianExtraReleases": {} } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'anchoreConfig': { 'feeds': { @@ -389,7 +389,7 @@ def test_anchoreEnterpriseFeeds_cycleTimers_values(self): "anchoreEnterpriseFeeds.cycleTimers.driver_sync": 7200 } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'anchoreConfig': { 'feeds': { @@ -416,7 +416,7 @@ def test_anchoreEnterpriseFeeds_dbConfig_with_engineArgs_values(self): "anchoreEnterpriseFeeds.dbConfig.engineArgs.pool_recycle": 600 } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'anchoreConfig': { 'dbConfig': { 
@@ -449,7 +449,7 @@ def test_anchoreEnterpriseFeeds_dbConfig_values(self): "anchoreEnterpriseFeeds.dbConfig.engineArgs": {} } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'anchoreConfig': { 'dbConfig': { @@ -475,7 +475,7 @@ def test_anchoreEnterpriseFeeds_persistence_false_values(self): "anchoreEnterpriseFeeds.persistence.resourcePolicy": None } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'persistence': { 'enabled': False, @@ -500,7 +500,7 @@ def test_anchoreEnterpriseFeeds_persistence_values(self): "anchoreEnterpriseFeeds.persistence.mountPath": "/workspace" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'persistence': { 'enabled': True, @@ -538,6 +538,7 @@ def test_anchoreEnterpriseFeeds_rhelDriverConcurrency_values(self): result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}} }) self.assertEqual(result[1], expected_result) @@ -559,6 +560,7 @@ def test_anchoreEnterpriseFeeds_ubuntuDriverGit_values(self): result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}} }) self.assertEqual(result[1], expected_result) 
@@ -574,7 +576,7 @@ def test_anchoreFeedsDB_values(self): "anchore-feeds-db.postgresPort": 5432 } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, "feeds": { "feeds-db": { "chartEnabled": True, @@ -605,7 +607,7 @@ def test_anchoreFeedsDB_persistence_values(self): "anchore-feeds-db.persistence.size": "20Gi" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'feeds-db': { 'primary': { @@ -628,7 +630,7 @@ def test_anchoreFeedsDB_image_values(self): "anchore-feeds-db.imageTag": "latest" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'feeds-db': { 'image': { @@ -656,7 +658,7 @@ def test_anchoreFeedsDB_extraEnv_values(self): ] } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'feeds-db':{ 'primary': { @@ -682,7 +684,7 @@ def test_anchoreFeedsGemDB_values(self): "anchore-feeds-gem-db.postgresPort": 5432 } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, "feeds": { "gem-db": { "chartEnabled": True, 
@@ -713,7 +715,7 @@ def test_anchoreFeedsGemDB_persistence_values(self): "anchore-feeds-gem-db.persistence.size": "20Gi" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'gem-db': { 'primary': { @@ -736,7 +738,7 @@ def test_anchoreFeedsGemDB_image_values(self): "anchore-feeds-gem-db.imageTag": "latest" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'gem-db': { 'image': { @@ -764,7 +766,7 @@ def test_anchoreFeedsGemDB_extraEnv_values(self): ] } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'gem-db':{ 'primary': { diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseNotifications_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseNotifications_value_mapping.py index e0201cba..29a7bfcb 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseNotifications_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseNotifications_value_mapping.py 
@@ -17,7 +17,7 @@ def test_anchoreEnterpriseNotifications_enabled_value(self): dot_string_dict = { "anchoreEnterpriseNotifications.enabled": True, # deprecated } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) @@ -25,7 +25,7 @@ def test_anchoreEnterpriseNotifications_replicaCount_value(self): dot_string_dict = { "anchoreEnterpriseNotifications.replicaCount": 2, } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'replicaCount': 2 } @@ -41,7 +41,7 @@ def test_anchoreEnterpriseNotifications_resources_value(self): "anchoreEnterpriseNotifications.resources.requests.cpu": 1, "anchoreEnterpriseNotifications.resources.requests.memory": "1G" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'resources': { 'limits': { @@ -65,7 +65,7 @@ def test_anchoreEnterpriseNotifications_labels_value(self): "anchoreEnterpriseNotifications.labels.myOtherLabel": "myOtherValue", "anchoreEnterpriseNotifications.labels.anotherLabel.with.a.dot": "qux" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'labels': { 
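Review bot: The `enabled` test in the first hunk now pins `{'postgresql': {'auth': {'username': 'anchoreengine'}}}` as output for an input that carries no database settings at all, which presumably means the converter writes a fixed PostgreSQL username into every generated values file; no hunk in this commit exercises an input that already supplies a database username, so the precedence between a user-supplied value and this default is untested. One case per file whose input sets the legacy database-user key (whichever key the mapping file uses — not visible here) and asserts that the supplied name, not `anchoreengine`, ends up under `postgresql.auth.username` would catch a silent override that would break authentication against an existing database. The same gap applies to the `enabled` hunks of `test_anchoreEnterpriseRbac_enabled_value`, `test_anchoreEnterpriseReports_enabled_value` and `test_anchoreEnterpriseUi_enabled_value`. The enclosing test methods begin outside each hunk.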
@@ -84,7 +84,7 @@ def test_anchoreEnterpriseNotifications_annotations_value(self): "anchoreEnterpriseNotifications.annotations.bar": "baz", "anchoreEnterpriseNotifications.annotations.anotherLabel.with.a.dot": "qux" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'annotations': { @@ -104,7 +104,7 @@ def test_anchoreEnterpriseNotifications_deploymentAnnotations_value(self): "anchoreEnterpriseNotifications.deploymentAnnotations.bar": "baz", "anchoreEnterpriseNotifications.deploymentAnnotations.anotherLabel.with.a.dot": "qux" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'deploymentAnnotations': { @@ -123,7 +123,7 @@ def test_anchoreEnterpriseNotifications_nodeSelector_value(self): "anchoreEnterpriseNotifications.nodeSelector.value": "bar", "anchoreEnterpriseNotifications.nodeSelector.anotherLabel.with.a.dot": "baz" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'nodeSelector': { @@ -145,7 +145,7 @@ def test_anchoreEnterpriseNotifications_tolerations_value(self): } ] } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'tolerations': [ { 
@@ -164,7 +164,7 @@ def test_anchoreEnterpriseNotifications_affinity_value(self): "anchoreEnterpriseNotifications.affinity.value": "bar", "anchoreEnterpriseNotifications.affinity.anotherLabel.with.a.dot": "baz" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'affinity':{ 'name': 'foo', @@ -185,7 +185,7 @@ def test_anchoreEnterpriseNotifications_extraEnv_value(self): } ] } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'extraEnv': [ { @@ -202,7 +202,7 @@ def test_anchoreEnterpriseNotifications_serviceAccountName_value(self): dot_string_dict = { "anchoreEnterpriseNotifications.serviceAccountName": "Null" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'serviceAccountName': "Null" } @@ -221,7 +221,7 @@ def test_anchoreEnterpriseNotifications_service_value(self): "anchoreEnterpriseNotifications.service.annotations.with.a.dot": "quux", "anchoreEnterpriseNotifications.service.labels": {} } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'service': { "name": "Null", 
@@ -244,6 +244,7 @@ def test_anchoreEnterpriseNotifications_cycleTimers_value(self): "anchoreEnterpriseNotifications.cycleTimers.notifications": 30 } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'notifications': { @@ -261,6 +262,7 @@ def test_anchoreEnterpriseNotifications_uiUrl_value(self): "anchoreEnterpriseNotifications.uiUrl": "http://myurl.myurl" } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'notifications': { diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py index dbfb95b0..1b8c6ec4 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py @@ -17,7 +17,7 @@ def test_anchoreEnterpriseRbac_replicaCount_value(self): dot_string_dict = { "anchoreEnterpriseRbac.replicaCount": 2, } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'replicaCount': 2 } @@ -33,7 +33,7 @@ def test_anchoreEnterpriseRbac_resources_value(self): "anchoreEnterpriseRbac.resources.requests.cpu": 1, "anchoreEnterpriseRbac.resources.requests.memory": "1G" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'resources': { 'limits': { 
@@ -57,7 +57,7 @@ def test_anchoreEnterpriseRbac_labels_value(self): "anchoreEnterpriseRbac.labels.myOtherLabel": "myOtherValue", "anchoreEnterpriseRbac.labels.anotherLabel.with.a.dot": "qux" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'labels': { @@ -76,7 +76,7 @@ def test_anchoreEnterpriseRbac_annotations_value(self): "anchoreEnterpriseRbac.annotations.bar": "baz", "anchoreEnterpriseRbac.annotations.anotherLabel.with.a.dot": "qux" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'annotations': { @@ -96,7 +96,7 @@ def test_anchoreEnterpriseRbac_deploymentAnnotations_value(self): "anchoreEnterpriseRbac.deploymentAnnotations.bar": "baz", "anchoreEnterpriseRbac.deploymentAnnotations.anotherLabel.with.a.dot": "qux" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'deploymentAnnotations': { @@ -115,7 +115,7 @@ def test_anchoreEnterpriseRbac_nodeSelector_value(self): "anchoreEnterpriseRbac.nodeSelector.value": "bar", "anchoreEnterpriseRbac.nodeSelector.anotherLabel.with.a.dot": "baz" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'nodeSelector': { 
@@ -137,7 +137,7 @@ def test_anchoreEnterpriseRbac_tolerations_value(self): } ] } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'tolerations': [ { @@ -156,7 +156,7 @@ def test_anchoreEnterpriseRbac_affinity_value(self): "anchoreEnterpriseRbac.affinity.value": "bar", "anchoreEnterpriseRbac.affinity.anotherLabel.with.a.dot": "baz" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'affinity':{ 'name': 'foo', @@ -177,7 +177,7 @@ def test_anchoreEnterpriseRbac_extraEnv_value(self): } ] } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'extraEnv': [ { @@ -203,7 +203,7 @@ def test_anchoreEnterpriseRbac_serviceAccountName_value(self): dot_string_dict = { "anchoreEnterpriseRbac.serviceAccountName": "Null" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'serviceAccountName': "Null" } 
@@ -223,7 +223,7 @@ def test_anchoreEnterpriseRbac_service_value(self): "anchoreEnterpriseRbac.service.annotations.anotherLabel.with.a.dot": "qux", "anchoreEnterpriseRbac.service.labels": {}, } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'service': { 'name': 'Null', @@ -248,7 +248,7 @@ def test_anchoreEnterpriseRbac_enabled_value(self): dot_string_dict = { "anchoreEnterpriseRbac.enabled": True # deprecated } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) @@ -260,7 +260,7 @@ def test_anchoreEnterpriseRbac_authResources_value(self): "anchoreEnterpriseRbac.authResources.requests.cpu": "100m", "anchoreEnterpriseRbac.authResources.requests.memory": "256M" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacAuth': { 'resources': { 'limits': { @@ -284,7 +284,7 @@ def test_anchoreEnterpriseRbac_managerResources_value(self): "anchoreEnterpriseRbac.managerResources.requests.cpu": "100m", "anchoreEnterpriseRbac.managerResources.requests.memory": "256M" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'resources': { 'limits': { 
diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py index 35bfd427..20fad903 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py @@ -17,7 +17,7 @@ def test_anchoreEnterpriseReports_enabled_value(self): dot_string_dict = { "anchoreEnterpriseReports.enabled": True, # deprecated } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) @@ -25,7 +25,7 @@ def test_anchoreEnterpriseReports_replicaCount_value(self): dot_string_dict = { "anchoreEnterpriseReports.replicaCount": 2, } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'replicaCount': 2 } @@ -41,7 +41,7 @@ def test_anchoreEnterpriseReports_resources_value(self): "anchoreEnterpriseReports.resources.requests.cpu": 1, "anchoreEnterpriseReports.resources.requests.memory": "1G" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'resources': { 'limits': { 
@@ -65,7 +65,7 @@ def test_anchoreEnterpriseReports_labels_value(self): "anchoreEnterpriseReports.labels.myOtherLabel": "myOtherValue", "anchoreEnterpriseReports.labels.anotherLabel.with.a.dot": "qux" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'labels': { @@ -84,7 +84,7 @@ def test_anchoreEnterpriseReports_annotations_value(self): "anchoreEnterpriseReports.annotations.bar": "baz", "anchoreEnterpriseReports.annotations.anotherLabel.with.a.dot": "qux" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'annotations': { @@ -104,7 +104,7 @@ def test_anchoreEnterpriseReports_deploymentAnnotations_value(self): "anchoreEnterpriseReports.deploymentAnnotations.bar": "baz", "anchoreEnterpriseReports.deploymentAnnotations.anotherLabel.with.a.dot": "qux" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'deploymentAnnotations': { @@ -123,7 +123,7 @@ def test_anchoreEnterpriseReports_nodeSelector_value(self): "anchoreEnterpriseReports.nodeSelector.value": "bar", "anchoreEnterpriseReports.nodeSelector.anotherLabel.with.a.dot": "baz" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'nodeSelector': { 
@@ -145,7 +145,7 @@ def test_anchoreEnterpriseReports_tolerations_value(self): } ] } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'tolerations': [ { @@ -164,7 +164,7 @@ def test_anchoreEnterpriseReports_affinity_value(self): "anchoreEnterpriseReports.affinity.value": "bar", "anchoreEnterpriseReports.affinity.anotherLabel.with.a.dot": "baz" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'affinity':{ 'name': 'foo', @@ -180,7 +180,7 @@ def test_anchoreEnterpriseReports_extraEnv_value(self): dot_string_dict = { "anchoreEnterpriseReports.extraEnv": [] } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'extraEnv': [] } @@ -192,7 +192,7 @@ def test_anchoreEnterpriseReports_serviceAccountName_value(self): dot_string_dict = { "anchoreEnterpriseReports.serviceAccountName": "" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'serviceAccountName': "" } 
@@ -211,7 +211,7 @@ def test_anchoreEnterpriseReports_service_value(self): "anchoreEnterpriseReports.service.labels.foobar": "baz", "anchoreEnterpriseReports.service.labels.with.a.dot": "qux" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'service': { "name": "Null", @@ -233,6 +233,7 @@ def test_anchoreEnterpriseReports_enableGraphiql_value(self): "anchoreEnterpriseReports.enableGraphiql": True } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'reports': { @@ -248,6 +249,7 @@ def test_anchoreEnterpriseReports_enableDataIngress_value(self): "anchoreEnterpriseReports.enableDataIngress": True } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'reports_worker': { @@ -263,6 +265,7 @@ def test_anchoreEnterpriseReports_enableDataEgress_value(self): "anchoreEnterpriseReports.enableDataEgress": False } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'reports_worker': { @@ -278,6 +281,7 @@ def test_anchoreEnterpriseReports_dataEgressWindow_value(self): "anchoreEnterpriseReports.dataEgressWindow": 1 } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'reports_worker': { @@ -293,6 +297,7 @@ def test_anchoreEnterpriseReports_dataRefreshMaxWorkers_value(self): "anchoreEnterpriseReports.dataRefreshMaxWorkers": 1 } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'reports_worker': { 
@@ -308,6 +313,7 @@ def test_anchoreEnterpriseReports_dataLoadMaxWorkers_value(self): "anchoreEnterpriseReports.dataLoadMaxWorkers": 1 } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'reports_worker': { @@ -326,6 +332,7 @@ def test_anchoreEnterpriseReports_cycleTimers_value(self): "anchoreEnterpriseReports.cycleTimers.reports_data_egress": 600 } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'reports_worker': { diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseUi_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseUi_value_mapping.py index 8b50d9bd..2ef88db1 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseUi_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseUi_value_mapping.py @@ -17,7 +17,7 @@ def test_anchoreEnterpriseUi_enabled_value(self): dot_string_dict = { "anchoreEnterpriseUi.enabled": True, # deprecated } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) 
@@ -26,7 +26,7 @@ def test_anchoreEnterpriseUi_image_value(self): "anchoreEnterpriseUi.image": "docker.io/anchore/enterprise-ui:v5.0.0", "anchoreEnterpriseUi.imagePullPolicy": "IfNotPresent" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'image': "docker.io/anchore/enterprise-ui:v5.0.0", 'imagePullPolicy': "IfNotPresent" @@ -39,7 +39,7 @@ def test_anchoreEnterpriseUi_replicaCount_value(self): dot_string_dict = { "anchoreEnterpriseUi.replicaCount": 2, } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'replicaCount': 2 } @@ -55,7 +55,7 @@ def test_anchoreEnterpriseUi_resources_value(self): "anchoreEnterpriseUi.resources.requests.cpu": 1, "anchoreEnterpriseUi.resources.requests.memory": "1G" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'resources': { 'limits': { @@ -79,7 +79,7 @@ def test_anchoreEnterpriseUi_labels_value(self): "anchoreEnterpriseUi.labels.myOtherLabel": "myOtherValue", "anchoreEnterpriseUi.labels.anotherLabel.with.a.dot": "qux" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'labels': { 
@@ -98,7 +98,7 @@ def test_anchoreEnterpriseUi_annotations_value(self): "anchoreEnterpriseUi.annotations.bar": "baz", "anchoreEnterpriseUi.annotations.anotherLabel.with.a.dot": "qux" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'annotations': { @@ -118,7 +118,7 @@ def test_anchoreEnterpriseUi_deploymentAnnotations_value(self): "anchoreEnterpriseUi.deploymentAnnotations.bar": "baz", "anchoreEnterpriseUi.deploymentAnnotations.anotherLabel.with.a.dot": "qux" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'deploymentAnnotations': { @@ -137,7 +137,7 @@ def test_anchoreEnterpriseUi_nodeSelector_value(self): "anchoreEnterpriseUi.nodeSelector.value": "bar", "anchoreEnterpriseUi.nodeSelector.anotherLabel.with.a.dot": "baz" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'nodeSelector': { @@ -159,7 +159,7 @@ def test_anchoreEnterpriseUi_tolerations_value(self): } ] } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'tolerations': [ { 
@@ -178,7 +178,7 @@ def test_anchoreEnterpriseUi_affinity_value(self): "anchoreEnterpriseUi.affinity.value": "bar", "anchoreEnterpriseUi.affinity.anotherLabel.with.a.dot": "baz" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'affinity':{ 'name': 'foo', @@ -202,7 +202,7 @@ def test_anchoreEnterpriseUi_extraEnv_value(self): } ] } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'extraEnv': [ { @@ -222,7 +222,7 @@ def test_anchoreEnterpriseUi_serviceAccountName_value(self): dot_string_dict = { "anchoreEnterpriseUi.serviceAccountName": "Null" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'serviceAccountName': "Null" } @@ -242,7 +242,7 @@ def test_anchoreEnterpriseUi_service_value(self): "anchoreEnterpriseUi.service.labels": {}, "anchoreEnterpriseUi.service.sessionAffinity": "ClientIP" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'service': { "name": "Null", 
@@ -266,7 +266,7 @@ def test_anchoreEnterpriseUi_db_value(self): "anchoreEnterpriseUi.dbUser": "anchoreengineui", "anchoreEnterpriseUi.dbPass": "anchore-postgres,123ui" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'dbUser': "anchoreengineui", 'dbPass': "anchore-postgres,123ui" @@ -284,6 +284,7 @@ def test_anchoreEnterpriseUi_appDBConfig_value(self): "anchoreEnterpriseUi.appDBConfig.pool.idle": 10000 } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'ui': { @@ -306,7 +307,7 @@ def test_anchoreEnterpriseUi_ldapsRootCaCertName_value(self): dot_string_dict = { "anchoreEnterpriseUi.ldapsRootCaCertName": "Null" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'ldapsRootCaCertName': "Null" } @@ -319,6 +320,7 @@ def test_anchoreEnterpriseUi_logLevel_value(self): "anchoreEnterpriseUi.logLevel": "http" } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'ui': { @@ -334,6 +336,7 @@ def test_anchoreEnterpriseUi_enableProxy_value(self): "anchoreEnterpriseUi.enableProxy": False } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'ui': { 
@@ -349,6 +352,7 @@ def test_anchoreEnterpriseUi_enableSsl_value(self): "anchoreEnterpriseUi.enableSsl": False } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'ui': { @@ -364,6 +368,7 @@ def test_anchoreEnterpriseUi_enableSharedLogin_value(self): "anchoreEnterpriseUi.enableSharedLogin": True } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'ui': { @@ -379,6 +384,7 @@ def test_anchoreEnterpriseUi_redisFlushdb_value(self): "anchoreEnterpriseUi.redisFlushdb": True } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'ui': { @@ -394,6 +400,7 @@ def test_anchoreEnterpriseUi_forceWebsocket_value(self): "anchoreEnterpriseUi.forceWebsocket": False } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'ui': { @@ -410,6 +417,7 @@ def test_anchoreEnterpriseUi_authenticationLock_value(self): "anchoreEnterpriseUi.authenticationLock.expires": 300 } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'ui': { @@ -438,6 +446,7 @@ def test_anchoreEnterpriseUi_customLinks_value(self): ] } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'ui': { @@ -466,6 +475,7 @@ def test_anchoreEnterpriseUi_enableAddRepositories_value(self): "anchoreEnterpriseUi.enableAddRepositories.standard": True } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'ui': { 
@@ -484,6 +494,7 @@ def test_anchoreEnterpriseUi_enrichInventoryView_value(self): "anchoreEnterpriseUi.enrichInventoryView": True } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'ui': { @@ -499,6 +510,7 @@ def test_uiRedis_auth_password_value(self): "ui-redis.auth.password": "anchore-redis,123" } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui-redis': { 'auth': { @@ -513,7 +525,7 @@ def test_uiRedis_architecture_value(self): dot_string_dict = { "ui-redis.architecture": "standalone" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui-redis': { 'architecture': "standalone" } @@ -525,7 +537,7 @@ def test_uiRedis_master_persistence_enabled_value(self): dot_string_dict = { "ui-redis.master.persistence.enabled": False } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui-redis': { 'master': { 'persistence': { @@ -541,7 +553,7 @@ def test_uiRedis_enabled_value(self): dot_string_dict = { "ui-redis.enabled": False } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui-redis': { 'chartEnabled': False } 
@@ -553,7 +565,7 @@ def test_uiRedis_externalEndpoint_value(self): dot_string_dict = { "ui-redis.externalEndpoint": "my-redis-place.someplace" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui-redis': { 'externalEndpoint': "my-redis-place.someplace" } diff --git a/scripts/enterprise-value-converter/tests/test_anchoreGlobal_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreGlobal_value_mapping.py index 8dbbd80e..3dd1ce9c 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreGlobal_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreGlobal_value_mapping.py @@ -17,7 +17,7 @@ def tearDown(self): def test_fullnameOverride(self): dot_string_dict = {"fullnameOverride": "overridden"} - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'global': {'fullnameOverride': 'overridden'} } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) @@ -25,7 +25,7 @@ def test_fullnameOverride(self): def test_nameOverride(self): dot_string_dict = {"nameOverride": "overridden"} - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'global': {'nameOverride': 'overridden'} } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) 
@@ -44,7 +44,7 @@ def test_postgresql_values(self): "postgresql.extraEnv": [{'name': 'POSTGRES_USER', 'value': 'myuser'}, {'name': 'POSTGRES_PASSWORD', 'value': 'mypass'}], } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'postgresql':{ 'chartEnabled': True, 'auth':{ @@ -87,7 +87,7 @@ def test_cloudsql_values(self): "cloudsql.image.tag": "1.11", "cloudsql.image.pullPolicy": "Always", } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'cloudsql': { 'enabled': True, 'extraArgs': ['--max_connections=1000'], @@ -126,7 +126,7 @@ def test_ingress_values(self): ] } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ingress': { 'enabled': False, 'apiPath': '/v1/', @@ -167,7 +167,7 @@ def test_anchoreGlobal_image_values(self): "anchoreEnterpriseGlobal.enabled": True, "anchoreEnterpriseGlobal.licenseSecretName": "my-anchore-enterprise-license" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'image': 'my.repo/anchore-enterprise:v4.9.0', 'imagePullPolicy': 'ifNotPresent', 'imagePullSecretName': 'enterprise-pull-secret', 
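Review bot: The new `expected_result` literal in test_postgresql_values now contains the key `'postgresql'` twice: the added `'postgresql': {'auth': {'username': 'anchoreengine'}}` at the front and the pre-existing `'postgresql': { 'chartEnabled': True, 'auth': { ...` further down. A Python dict literal silently keeps the last occurrence, so the added entry is dead text and the assertion no longer says anything about whether the default username is injected, kept, or overridden when the caller supplies its own `postgresql.*` values. Drop the leading entry from this line, `expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},`, and put whichever username the converter is expected to emit into the existing `'postgresql'` mapping; a duplicate-key lint (e.g. pylint `duplicate-key`) across the suite would catch any other instance of the pattern. The remainder of the literal continues outside the hunk.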
@@ -182,7 +182,7 @@ def test_anchoreGlobal_openShiftDeployment_value(self): dot_string_dict = { "openShiftDeployment": True, } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) self.assertEqual(result[1], {}) @@ -191,7 +191,7 @@ def test_anchoreGlobal_serviceAccountName_value(self): dot_string_dict = { "anchoreGlobal.serviceAccountName": "my-sa-anchore-engine", } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'serviceAccountName': 'my-sa-anchore-engine' } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) @@ -203,7 +203,7 @@ def test_anchoreGlobal_labels_value(self): "anchoreGlobal.labels.mylabel": "myvalue", "anchoreGlobal.labels.myotherlabel": "myothervalue", } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'labels': { 'mylabel': 'myvalue', 'myotherlabel': 'myothervalue' 
@@ -218,7 +218,7 @@ def test_anchoreGlobal_annotations_value(self): "anchoreGlobal.annotations.myannotation": "myvalue", "anchoreGlobal.annotations.myotherannotation": "myothervalue", } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'annotations': { 'myannotation': 'myvalue', 'myotherannotation': 'myothervalue' @@ -235,7 +235,7 @@ def test_anchoreGlobal_extraEnv_value(self): {"name": "MY_OTHER_ENV_VAR", "value": "myothervalue"} ], } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'extraEnv': [ {'name': 'MY_ENV_VAR', 'value': 'myvalue'}, {'name': 'MY_OTHER_ENV_VAR', 'value': 'myothervalue'} @@ -251,7 +251,7 @@ def test_anchoreGlobal_deploymentAnnotations_value(self): "anchoreGlobal.deploymentAnnotations.myannotation": "myvalue", "anchoreGlobal.deploymentAnnotations.myotherannotation": "myothervalue", } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'deploymentAnnotations': { 'myannotation': 'myvalue', 'myotherannotation': 'myothervalue' @@ -269,7 +269,7 @@ def test_anchoreGlobal_useExistingSecret_value(self): "anchoreEnterpriseFeeds.existingSecretName": "my-existing-secret-feeds", } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'useExistingSecret': True, 'existingSecretName': 'my-existing-secret', 'ui': { 
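Review bot: The rewritten assertion in test_anchoreGlobal_useExistingSecret_value now expects `postgresql.auth.username: 'anchoreengine'` in the output even though the input sets `useExistingSecret: True` together with `existingSecretName` values. If the existing secret is what carries the database credentials, a hard-coded default username in the same generated values file is at best redundant and at worst disagrees with what the secret holds; the tests alone cannot show which behaviour the converter intends. If emitting the default here is the contract, a one-line comment in the test such as `# default DB username is still emitted with useExistingSecret; confirm it matches the secret` would record that; otherwise the expectation should be that the default is suppressed in this case. The `'ui'` mapping of the expected result continues outside the hunk.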
@@ -291,7 +291,7 @@ def test_anchoreGlobal_doSourceAtEntry_value(self): "anchoreGlobal.doSourceAtEntry.enabled": True, "anchoreGlobal.doSourceAtEntry.filePaths": ["/vault/secrets/config"], } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'doSourceAtEntry': { 'enabled': True, 'filePaths': ['/vault/secrets/config'] @@ -312,7 +312,7 @@ def test_anchoreGlobal_extraVolumes_value(self): } ], } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'extraVolumes': [ { 'name': 'config', @@ -337,7 +337,7 @@ def test_anchoreGlobal_extraVolumeMounts_value(self): } ], } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'extraVolumeMounts': [ { 'name': 'config', @@ -357,7 +357,7 @@ def test_anchoreGlobal_scratchVolume_value(self): "anchoreGlobal.scratchVolume.mountPath": "/analysis_scratch", "anchoreGlobal.scratchVolume.details": {}, } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'scratchVolume': { 'fixGroupPermissions': False, 'mountPath': '/analysis_scratch', 
@@ -372,7 +372,7 @@ def test_anchoreGlobal_certStoreSecretName_value(self): dot_string_dict = { "anchoreGlobal.certStoreSecretName": "my-cert-store-secret", } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'certStoreSecretName': 'my-cert-store-secret' } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) @@ -385,7 +385,7 @@ def test_anchoreGlobal_securityContext_value(self): "anchoreGlobal.securityContext.runAsGroup": 1000, "anchoreGlobal.securityContext.fsGroup": 1000, } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'securityContext': { 'runAsUser': 1000, 'runAsGroup': 1000, @@ -401,7 +401,7 @@ def test_anchoreGlobal_containerSecurityContext_value(self): "anchoreGlobal.containerSecurityContext.securityContext.runAsGroup": 1000, "anchoreGlobal.containerSecurityContext.securityContext.fsGroup": 1000, } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'containerSecurityContext': { 'securityContext': { 'runAsUser': 1000, @@ -418,6 +418,7 @@ def test_anchoreGlobal_serviceDir_value(self): "anchoreGlobal.serviceDir": "/anchore_service", } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'service_dir': '/anchore_service' 
@@ -431,6 +432,7 @@ def test_anchoreGlobal_logLevel_value(self): "anchoreGlobal.logLevel": "INFO", } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'log_level': 'INFO' @@ -444,7 +446,7 @@ def test_anchoreGlobal_imageAnalyzeTimeoutSeconds_value(self): dot_string_dict = { "anchoreGlobal.imageAnalyzeTimeoutSeconds": 100, } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) @@ -453,6 +455,7 @@ def test_anchoreGlobal_allowECRUseIAMRole_value(self): "anchoreGlobal.allowECRUseIAMRole": True, } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'allow_awsecr_iam_auto': True @@ -466,6 +469,7 @@ def test_anchoreGlobal_enableMetrics_value(self): "anchoreGlobal.enableMetrics": False, } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'metrics': { @@ -481,6 +485,7 @@ def test_anchoreGlobal_metricsAuthDisabled_value(self): "anchoreGlobal.metricsAuthDisabled": True, } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'metrics': { @@ -497,6 +502,7 @@ def test_anchoreGlobal_defaultAdmin_value(self): "anchoreGlobal.defaultAdminEmail": "myadminemail@email.com", } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'default_admin_password': 'myadminpassword', 
@@ -520,6 +526,7 @@ def test_anchoreGlobal_saml_values(self): } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'keys': { @@ -540,6 +547,7 @@ def test_anchoreGlobal_oauth_values(self): "anchoreGlobal.oauthRefreshTokenExpirationSeconds": 200, } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': { 'hashed_passwords': False, @@ -559,6 +567,7 @@ def test_anchoreGlobal_ssoRequireExistingUsers_value(self): "anchoreGlobal.ssoRequireExistingUsers": True, } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': { 'hashed_passwords': False, @@ -574,6 +583,7 @@ def test_anchoreGlobal_hashedPasswords_value(self): "anchoreGlobal.hashedPasswords": True, } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': { 'hashed_passwords': True @@ -595,6 +605,7 @@ def test_anchoreGlobal_dbConfig_values(self): } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'database': { @@ -622,6 +633,7 @@ def test_anchoreGlobal_internalServicesSsl_values(self): } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'internalServicesSSL': { @@ -646,6 +658,7 @@ def test_anchoreGlobal_webhooks_values(self): } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'webhooks': { @@ -666,6 +679,7 @@ def test_anchoreGlobal_policyBundles_values(self): } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'policyBundles': { 
@@ -692,7 +706,7 @@ def test_anchoreGlobal_probes_values(self): "anchoreGlobal.probes.readiness.successThreshold": 1, } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'probes': { 'liveness': { 'failureThreshold': 6, 
@@ -717,47 +731,47 @@ def test_anchoreGlobal_inject_secrets_via_env_value(self): dot_string_dict = { "inject_secrets_via_env": True, } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'injectSecretsViaEnv': True } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) - # def test_replace_keys_with_mappings_env_var(self): + def test_replace_keys_with_mappings_env_var(self): - # dot_string_dict = {"anchoreApi.maxRequestThreads": 999} - # expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - # 'api': - # {'extraEnv': [ - # {'name': 'ANCHORE_MAX_REQUEST_THREADS', 'value': 999} - # ]} - # } - # result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - # self.assertEqual(result[1], expected_result) + dot_string_dict = {"anchoreApi.maxRequestThreads": 999} + expected_result = { + 'api': + {'extraEnv': [ + {'name': 'ANCHORE_MAX_REQUEST_THREADS', 'value': 999} + ]} + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[1], expected_result) - # def test_replace_keys_with_mappings(self): + def test_replace_keys_with_mappings(self): - # dot_string_dict = {"anchore-feeds-db.persistence.size": 100} - # expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - # "feeds": { - # "feeds-db": { - # "primary": { - # "persistence": { - # "size": 100 - # } - # } - # } - # } - # } - # result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - # self.assertEqual(result[0], expected_result) + dot_string_dict = {"anchore-feeds-db.persistence.size": 100} + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': 
False}}, + "feeds": { + "feeds-db": { + "primary": { + "persistence": { + "size": 100 + } + } + } + } + } + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[0], expected_result) # now an environment variable def test_anchoreGlobal_serverRequestTimeout_value(self): dot_string_dict = { "anchoreGlobal.serverRequestTimeout": 300, } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) @@ -776,7 +790,7 @@ def test_anchoreGlobal_maxCompressedImageSizeMB_value(self): dot_string_dict = { "anchoreGlobal.maxCompressedImageSizeMB": 700 } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, } expected_env_result = { diff --git a/scripts/enterprise-value-converter/tests/test_anchorePolicyEngine_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchorePolicyEngine_value_mapping.py index 89e1a75b..17e3332f 100644 --- a/scripts/enterprise-value-converter/tests/test_anchorePolicyEngine_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchorePolicyEngine_value_mapping.py @@ -17,7 +17,7 @@ def test_anchorePolicyEngine_replicaCount_value(self): dot_string_dict = { "anchorePolicyEngine.replicaCount": 2, } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'replicaCount': 2 } 
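Review bot: test_replace_keys_with_mappings_env_var, re-enabled in this hunk, pins `{'name': 'ANCHORE_MAX_REQUEST_THREADS', 'value': 999}` with an integer `value`. Kubernetes requires `env[].value` to be a string, so if the chart renders `api.extraEnv` into the pod spec verbatim (for example through `toYaml`), the generated values file yields `value: 999` and the API server rejects the Deployment; either the converter should stringify scalar env values and the test should expect `'value': '999'`, or a comment should state that the template is known to quote it. Note also that this test checks only `result[1]` while its re-enabled sibling test_replace_keys_with_mappings checks only `result[0]`, so neither confirms that the env-var path leaves the values side at the bare defaults; an additional `self.assertEqual(result[0], {...})` with the default mapping would close that gap. The stale `# now an environment variable` comment sitting above test_anchoreGlobal_serverRequestTimeout_value appears to describe the tests just uncommented rather than the one that follows it.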
@@ -33,7 +33,7 @@ def test_anchorePolicyEngine_resources_value(self): "anchorePolicyEngine.resources.requests.cpu": 1, "anchorePolicyEngine.resources.requests.memory": "1G" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'resources': { 'limits': { @@ -55,7 +55,7 @@ def test_anchorePolicyEngine_labels_value(self): "anchorePolicyEngine.labels.foobar": "baz", "anchorePolicyEngine.labels.with.a.dot.foobar": "baz" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'labels': { @@ -72,7 +72,7 @@ def test_anchorePolicyEngine_annotations_value(self): "anchorePolicyEngine.annotations.foobar": "baz", "anchorePolicyEngine.annotations.with.a.dot.foobar": "baz" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'annotations': { @@ -89,7 +89,7 @@ def test_anchorePolicyEngine_deploymentAnnotations_value(self): "anchorePolicyEngine.deploymentAnnotations.foobar": "baz", "anchorePolicyEngine.deploymentAnnotations.with.a.dot.foobar": "baz" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'deploymentAnnotations': { 'foobar': 'baz', 
@@ -105,7 +105,7 @@ def test_anchorePolicyEngine_nodeSelector_value(self): "anchorePolicyEngine.nodeSelector.name": "foo", "anchorePolicyEngine.nodeSelector.with.a.dot.name": "bar" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'nodeSelector': { 'name': 'foo', @@ -127,7 +127,7 @@ def test_anchorePolicyEngine_tolerations_value(self): } ] } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'tolerations': [ { @@ -147,7 +147,7 @@ def test_anchorePolicyEngine_affinity_value(self): "anchorePolicyEngine.affinity.name": "foo", "anchorePolicyEngine.affinity.with.a.dot.name": "bar" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'affinity': { @@ -168,7 +168,7 @@ def test_anchorePolicyEngine_extraEnv_value(self): } ] } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'extraEnv': [ { 
@@ -185,7 +185,7 @@ def test_anchorePolicyEngine_serviceAccountName_value(self): dot_string_dict = { "anchorePolicyEngine.serviceAccountName": "Null" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'serviceAccountName': "Null" } @@ -205,7 +205,7 @@ def test_anchorePolicyEngine_service_value(self): "anchorePolicyEngine.service.labels.with.a.dot": "qux", } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'service': { "name": "Null", @@ -233,6 +233,7 @@ def test_anchorePolicyEngine_cycleTimers_value(self): } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'policy_engine': { @@ -253,6 +254,7 @@ def test_anchorePolicyEngine_overrideFeedsToUpstream_value(self): } expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': { 'user_authentication': {'hashed_passwords': False}, 'policy_engine': { diff --git a/scripts/enterprise-value-converter/tests/test_anchoreSimpleQueue_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreSimpleQueue_value_mapping.py index 7edb3b2d..74e6bc95 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreSimpleQueue_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreSimpleQueue_value_mapping.py 
@@ -17,7 +17,7 @@ def test_anchoreSimpleQueue_replicaCount_value(self): dot_string_dict = { "anchoreSimpleQueue.replicaCount": 2, } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'replicaCount': 2 } @@ -33,7 +33,7 @@ def test_anchoreSimpleQueue_resources_value(self): "anchoreSimpleQueue.resources.requests.cpu": 1, "anchoreSimpleQueue.resources.requests.memory": "1G" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'resources': { 'limits': { @@ -57,7 +57,7 @@ def test_anchoreSimpleQueue_labels_value(self): "anchoreSimpleQueue.labels.myOtherLabel": "myOtherValue", "anchoreSimpleQueue.labels.anotherLabel.with.a.dot": "qux" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'labels': { @@ -76,7 +76,7 @@ def test_anchoreSimpleQueue_annotations_value(self): "anchoreSimpleQueue.annotations.bar": "baz", "anchoreSimpleQueue.annotations.anotherLabel.with.a.dot": "qux" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'annotations': { 
@@ -96,7 +96,7 @@ def test_anchoreSimpleQueue_deploymentAnnotations_value(self): "anchoreSimpleQueue.deploymentAnnotations.bar": "baz", "anchoreSimpleQueue.deploymentAnnotations.anotherLabel.with.a.dot": "qux" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'deploymentAnnotations': { @@ -115,7 +115,7 @@ def test_anchoreSimpleQueue_nodeSelector_value(self): "anchoreSimpleQueue.nodeSelector.value": "bar", "anchoreSimpleQueue.nodeSelector.anotherLabel.with.a.dot": "baz" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'nodeSelector': { @@ -137,7 +137,7 @@ def test_anchoreSimpleQueue_tolerations_value(self): } ] } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'tolerations': [ { @@ -156,7 +156,7 @@ def test_anchoreSimpleQueue_affinity_value(self): "anchoreSimpleQueue.affinity.value": "bar", "anchoreSimpleQueue.affinity.anotherLabel.with.a.dot": "baz" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'affinity':{ 'name': 'foo', 
@@ -177,7 +177,7 @@ def test_anchoreSimpleQueue_extraEnv_value(self): } ] } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'extraEnv': [ { @@ -194,7 +194,7 @@ def test_anchoreSimpleQueue_serviceAccountName_value(self): dot_string_dict = { "anchoreSimpleQueue.serviceAccountName": "Null" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'serviceAccountName': "Null" } @@ -214,7 +214,7 @@ def test_anchoreSimpleQueue_service_value(self): "anchoreSimpleQueue.service.labels.foobar": "baz", "anchoreSimpleQueue.service.labels.with.a.dot": "qux" } - expected_result = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'service': { "name": "Null", diff --git a/scripts/enterprise-value-converter/tests/test_helpers.py b/scripts/enterprise-value-converter/tests/test_helpers.py index b488c57c..b99d5833 100644 --- a/scripts/enterprise-value-converter/tests/test_helpers.py +++ b/scripts/enterprise-value-converter/tests/test_helpers.py @@ -284,6 +284,7 @@ def test_replace_keys_with_mappings(self): dot_string_dict = {"anchore-feeds-db.persistence.size": 100} expected_result = { + 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, "feeds": { "feeds-db": { 
@@ -312,6 +313,7 @@ def test_replace_keys_with_mappings_env_var(self): anchore_config_expected_results = { 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, + 'postgresql': {'auth': {'username': 'anchoreengine'}} } self.assertEqual(result[0], anchore_config_expected_results) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 37e02069..1f5299ce 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.0.15" +version: "0.0.16" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 5d892672..65a41f85 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -629,6 +629,8 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts - **Runtime Environment**: Docker or Podman must be installed on the machine where the migration will run. +- **Existing Secrets**: If you are not currently using existing secrets, you will have to create them to be used for the new enterprise deployment, or you will have to update the secrets created manually. See the section on [Existing Secrets](#existing-secrets) for more information on what is required. + #### Step-by-Step Migration Process 1. **Generate a New Enterprise Values File**: Use the migration script to convert your existing Anchore Engine values file to the new Anchore Enterprise format. This command mounts a local volume to persistently store the output files, and it mounts the input values file within the container for conversion.It's imperative to review both the output and the new [values file](values.yaml) before moving forward. 
@@ -638,6 +640,22 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts docker run -v ${PWD}:/tmp -v ${PWD}/${VALUES_FILE_NAME}:/app/${VALUES_FILE_NAME} docker.io/anchore/enterprise-helm-migrator:latest -e /app/${VALUES_FILE_NAME} -d /tmp/output ``` +For anchore enterprise 4.9.x, you will need to additionally set the following values in your values file to use the v1 api of Anchore. +``` +api: + service: + apiVersion: v1 +notifications: + service: + apiVersion: v1 +reports: + service: + apiVersion: v1 +rbacManager: + service: + apiVersion: v1 +``` + #### If Using an External PostgreSQL Database 1. **Scale Down Anchore Engine**: To avoid data inconsistency, scale down your existing Anchore Engine deployment to zero replicas. @@ -656,7 +674,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts helm install ${ENTERPRISE_RELEASE} -n ${NAMESPACE} -f ${VALUES_FILE_NAME} --set upgradeJob.force=true anchore/enterprise ``` - > **Note:** The `upgradeJob.force` flag is required to force the upgrade job to run upon installation. This value is not needed for future upgrades. + > **Note:** The `upgradeJob.force` flag is required to force the upgrade job to run upon installation. This value is not needed for future upgrades. Remember to unset it if passing it in via the command line or helm may persist the value. 1. **Verification and Cleanup**: After confirming that the Anchore Enterprise deployment is functional, you can safely uninstall the old Anchore Engine deployment. 
@@ -679,32 +697,34 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts **NOTE**: You will have to migrate data from the old database to the new one after the chart is installed. The enterprise chart contains a helper pod to aid with this, to enable this pod, use the following in your helm install command line ```shell --set startMigrationPod=true + --set migrationAnchoreEngineSecretName=${ENGINE_RELEASE}-anchore-engine ``` ```shell + export ENGINE_RELEASE=my-engine-release export ENTERPRISE_RELEASE=my-enterprise-release export VALUES_FILE_NAME=${PWD}/output/my-values-file.yaml - helm install ${ENTERPRISE_RELEASE} -n ${NAMESPACE} -f ${VALUES_FILE_NAME} --set upgradeJob.force=true --set startMigrationPod=true anchore/enterprise + helm install ${ENTERPRISE_RELEASE} -n ${NAMESPACE} -f ${VALUES_FILE_NAME} --set upgradeJob.force=true --set startMigrationPod=true anchore/enterprise --set migrationAnchoreEngineSecretName=${ENGINE_RELEASE}-anchore-engine ``` 1. **Scale Down Anchore Enterprise**: Before migrating the database, scale down the new Anchore Enterprise deployment to zero replicas. ```shell - kubectl scale deployment --replicas=0 -l app=${ENTERPRISE_RELEASE}-enterprise + kubectl scale deployment --replicas=0 -l app.kubernetes.io/name=${ENTERPRISE_RELEASE}-enterprise ``` 1. **Database Preparation**: Replace the existing Anchore database with a new database in PostgreSQL 13. + 1. If you set startMigrationPod=true as per the step above, you can exec into the migrator pod to run the commands. 
```shell - export NEW_DB_HOST=${ENTERPRISE_RELEASE}-postgresql - export ANCHORE_DATABASE_NAME=anchore - dropdb -h ${NEW_DB_HOST} -U ${PGUSER} ${ANCHORE_DATABASE_NAME}; psql -h ${NEW_DB_HOST} -c 'CREATE DATABASE ${ANCHORE_DATABASE_NAME}' + kubectl -n exec -it -enterprise-migrate-db + PGPASSWORD=$NEW_DB_PASSWORD dropdb -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} ${NEW_DB_NAME}; PGPASSWORD=$NEW_DB_PASSWORD psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} -c "CREATE DATABASE ${NEW_DB_NAME}" postgres ``` 2. **Data Migration**: Migrate data from the old Anchore Engine database to the new Anchore Enterprise database. 1. If you are using the included migration helper pod, the exec to that pod and run the following command: ```shell kubectl -n exec -it -enterprise-migrate-db - PGPASSWORD=${OLD_DB_PASSWORD} pg_dump -h ${OLD_DB_HOST} -U ${OLD_DB_USERNAME} -c ${OLD_DB_NAME} | PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} -c ${NEW_DB_NAME} + PGPASSWORD=${OLD_DB_PASSWORD} pg_dump -h ${OLD_DB_HOST} -U ${OLD_DB_USERNAME} -c ${OLD_DB_NAME} | PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} ${NEW_DB_NAME} ``` 2. If you are using your own pod then follow these steps 1. Gather old DB parameters from the secret -anchore-engine 
@@ -712,7 +732,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts 3. Start a migration pod that has all the psql binaries required e.g. docker.io/postgresql:13 4. Export all the required environment variables ```shell - PGPASSWORD=${OLD_DB_PASSWORD} pg_dump -h ${OLD_DB_HOST} -U ${OLD_DB_USERNAME} -c ${OLD_DB_NAME} | PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} -c ${NEW_DB_NAME} + PGPASSWORD=${OLD_DB_PASSWORD} pg_dump -h ${OLD_DB_HOST} -U ${OLD_DB_USERNAME} -c ${OLD_DB_NAME} | PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} ${NEW_DB_NAME} ``` 1. **Upgrade Anchore Enterprise**: After migrating the data, upgrade the Anchore Enterprise Helm deployment. From 6cd89e39380d555c062061a60e203b76453899b6 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Tue, 26 Sep 2023 13:03:23 -0700 Subject: [PATCH 225/329] dont use a dynamic name for script volume name Signed-off-by: Brady Todhunter --- stable/enterprise/templates/_common.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/enterprise/templates/_common.tpl b/stable/enterprise/templates/_common.tpl index 393dc574..370d5b16 100644 --- a/stable/enterprise/templates/_common.tpl +++ b/stable/enterprise/templates/_common.tpl @@ -287,7 +287,7 @@ Setup the common anchore volume mounts - name: config-volume mountPath: /config/config.yaml subPath: config.yaml -- name: {{ .Release.Name -}}-enterprise-scripts +- name: anchore-scripts mountPath: /scripts {{- if .Values.certStoreSecretName }} - name: certs @@ -307,7 +307,7 @@ Setup the common anchore volumes - name: anchore-license secret: secretName: {{ .Values.licenseSecretName }} -- name: {{ .Release.Name }}-enterprise-scripts +- name: anchore-scripts configMap: name: {{ .Release.Name }}-enterprise-scripts defaultMode: 0755 From dc92654b0496c014e39b82ef412c85ac956510f2 Mon Sep 17 00:00:00 2001 
From: Brady Todhunter Date: Tue, 26 Sep 2023 16:37:45 -0700 Subject: [PATCH 226/329] update feeds chart dep Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.lock | 6 +++--- stable/enterprise/Chart.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock index f4119f90..dd754da9 100644 --- a/stable/enterprise/Chart.lock +++ b/stable/enterprise/Chart.lock @@ -7,6 +7,6 @@ dependencies: version: 17.11.8 - name: feeds repository: https://charts.anchore.io/stable - version: 0.0.8 -digest: sha256:7d3bf18cb22105e08420375b32ce9179f4cca2db82e2b54e25ce42c0aadcccfb -generated: "2023-09-25T22:28:23.16166-07:00" + version: 0.0.9 +digest: sha256:3bcc143fdabcb9ecd754d37c55e3c7eadad57e73367fef9476ec2463e93fdfb8 +generated: "2023-09-26T16:36:55.550736-07:00" diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 1f5299ce..b30b89af 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.0.16" +version: "0.0.17" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | From b9273a3aab35c3a550773b55ef7047c8c403f272 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 28 Sep 2023 16:50:07 -0700 Subject: [PATCH 227/329] allow passing multiple paths to ingress configuration Signed-off-by: Brady Todhunter --- stable/anchore-engine/templates/ingress.yaml | 20 ++++++++----- stable/anchore-engine/values.yaml | 31 ++++++++++---------- 2 files changed, 29 insertions(+), 22 deletions(-) diff --git a/stable/anchore-engine/templates/ingress.yaml b/stable/anchore-engine/templates/ingress.yaml index 08834ddc..f40fb280 100644 --- a/stable/anchore-engine/templates/ingress.yaml +++ b/stable/anchore-engine/templates/ingress.yaml 
@@ -44,7 +44,8 @@ spec: - host: {{ . | quote }} http: paths: - - path: {{ $.Values.ingress.apiPath }} + {{- range .Values.ingress.apiPaths }} + - path: {{ . | quote }} {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} pathType: Prefix backend: @@ -52,11 +53,12 @@ spec: name: {{ template "anchore-engine.api.serviceName" $ }} port: number: {{ $.Values.anchoreApi.service.port }} - {{else}} + {{- else }} backend: serviceName: {{ template "anchore-engine.api.serviceName" $ }} servicePort: {{ $.Values.anchoreApi.service.port }} {{- end }} + {{- end }} {{- end }} {{- range .Values.ingress.uiHosts }} - host: {{ . | quote }} @@ -80,7 +82,8 @@ spec: - host: {{ . | quote }} http: paths: - - path: {{ $.Values.ingress.feedsPath }} + {{ range .Values.ingress.feedsPaths }} + - path: {{ . }} {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} pathType: Prefix backend: @@ -93,12 +96,14 @@ spec: serviceName: {{ template "anchore-engine.enterprise-feeds.serviceName" $ }} servicePort: {{ $.Values.anchoreEnterpriseFeeds.service.port }} {{- end }} + {{- end }} {{- end }} {{- range .Values.ingress.reportsHosts }} - host: {{ . | quote }} http: paths: - - path: {{ $.Values.ingress.reportsPath }} + {{- range .Values.ingress.reportsPaths }} + - path: {{ . }} {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} pathType: Prefix backend: @@ -111,11 +116,12 @@ spec: serviceName: {{ template "anchore-engine.api.serviceName" $ }} servicePort: {{ $.Values.anchoreEnterpriseReports.service.apiPort }} {{- end }} + {{- end }} {{- end }} {{- else }} - http: paths: - {{- with .Values.ingress.apiPath }} + {{- range .Values.ingress.apiPaths }} - path: {{ . }} {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} pathType: Prefix 
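Review bot: Inside the `range .Values.ingress.apiHosts` loop the dot is the host string (the context line `- host: {{ . | quote }}` shows this), so the new `{{- range .Values.ingress.apiPaths }}` in the first hunk will fail to render with a "can't evaluate field Values" error as soon as `apiHosts` is non-empty, whereas the replaced line correctly used `$.Values.ingress.apiPath`. The same applies to `{{ range .Values.ingress.feedsPaths }}` in the @@ -80 hunk and `{{- range .Values.ingress.reportsPaths }}` in the @@ -93 hunk; the `{{- else }}` branch in the @@ -111 hunk is fine because there the dot is still the root context. The three lines should read `{{- range $.Values.ingress.apiPaths }}`, `{{- range $.Values.ingress.feedsPaths }}` and `{{- range $.Values.ingress.reportsPaths }}`. While there, the feeds hunk uses `{{ range` without the whitespace trim and emits `- path: {{ . }}` unquoted, unlike the api hunk's `{{ . | quote }}`; making all three consistent avoids a stray whitespace line and protects against path values YAML would reinterpret. Because the host lists default to `[]`, a render with default values never enters these branches and would not catch the error.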
@@ -145,7 +151,7 @@ spec: servicePort: {{ $.Values.anchoreEnterpriseUi.service.port }} {{- end }} {{- end }} - {{- with .Values.ingress.feedsPath }} + {{- range .Values.ingress.feedsPaths }} - path: {{ . }} {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} pathType: Prefix @@ -160,7 +166,7 @@ spec: servicePort: {{ $.Values.anchoreEnterpriseFeeds.service.port }} {{- end }} {{- end }} - {{- with .Values.ingress.reportsPath }} + {{- range .Values.ingress.reportsPaths }} - path: {{ . }} {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} pathType: Prefix diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 5115f972..3b315357 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml 
@@ -70,33 +70,34 @@ cloudsql: ingress: enabled: false labels: {} - # Use the following paths for GCE/ALB ingress controller - # feedsPath: /v1/feeds/* - # apiPath: /v1/* - # uiPath: /* # Exposing the feeds API w/ ingress is for special cases only, uncomment feedsPath if external access to the feeds API is needed - # feedsPath: /v1/feeds/ + feedsPaths: + - /v1/feeds/ + - /v2/feeds/ # Exposing the report API w/ ingress enables the GraphQL interface at /v1/reports/graphql - # reportsPath: /v1/reports/ - apiPath: /v1/ + reportsPaths: + - /v1/reports/ + - /v2/reports/ + apiPaths: + - /v1/ + - /v2/ + - /version/ uiPath: / - # uncomment `feedsPath` to add an ingress endpoint for the feeds api - # uncomment 'reportsPath' to add an ingress endpoint for the reports api # Set ingressClassName if kubernetes version is >= 1.18 # Reference: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ - # ingressClassName: nginx + # ingressClassName: alb # Uncomment the following lines to bind on specific hostnames - # apiHosts: + apiHosts: [] # - anchore-api.example.com - # uiHosts: + uiHosts: [] # - anchore-ui.example.com - # feedsHosts: + feedsHosts: [] # - anchore-feeds.example.com - # reportsHosts: + reportsHosts: [] # - anchore-api.example.com - annotations: + annotations: {} # kubernetes.io/ingress.class: gce # kubernetes.io/ingress.class: nginx # nginx.ingress.kubernetes.io/ssl-redirect: "false" From 73a026e5f4d5d647d982d8650eee855dadf9323e Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 28 Sep 2023 16:50:28 -0700 Subject: [PATCH 228/329] bump chart version & update readme Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/README.md | 73 ++++++++++++++++++++++++++++++-- 2 files changed, 70 insertions(+), 5 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 200c25e4..c5625929 100644 --- a/stable/anchore-engine/Chart.yaml 
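Review bot: `feedsPaths` and `reportsPaths` are now populated by default, whereas the replaced `feedsPath`/`reportsPath` were commented out, yet the comment kept above them still says to uncomment `feedsPath` only if external access to the feeds API is needed, so the default now does what the comment calls a special case. The hostless branch of ingress.yaml in this commit (the @@ -145 and @@ -160 hunks above) ranges over these lists with no further condition visible there, so an ingress rendered with default values appears to route the feeds and reports API paths externally; if the template guards on the corresponding service being enabled elsewhere, that is outside these hunks. If the previous opt-in behaviour is intended, ship `feedsPaths: []` and `reportsPaths: []` with the entries as commented examples; otherwise rewrite the comment to state that these APIs are exposed whenever the ingress is enabled. `uiPath` stays a single string while its siblings became lists, which is worth a comment on the key so readers do not assume it accepts a list too.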
+++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.27.4 +version: 1.28.0 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 6b0952b0..7496908b 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -198,6 +198,29 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. +# Chart Version 1.28.0 + +* Updated ingress configuration to allow exposing both v1 and v2 api endpoints. +* **WARNING** this version of the chart makes breaking changes to the following Ingress values. These values have all been updated from a string to a list. + * `.Values.ingress.apiPath` -> `.Values.ingress.apiPaths` + * `.Values.ingress.feedsPath` -> `.Values.ingress.feedsPaths` + * `.Values.ingress.reportsPath` -> `.Values.ingress.reportsPaths` +* Update your values file accordingly: + + ```yaml + ingress: + apiPaths: + - /v1/ + - /v2/ + - /version/ + feedsPaths: + - /v1/feeds/ + - /v2/feeds/ + reportsPaths: + - /v1/reports/ + - /v2/reports/ + ``` + # Chart Version 1.27.3 * Added option to allow nodePorts to each service created as part of an anchore deployment. For more information about nodePorts, see [The Kubernetes Docs](https://kubernetes.io/docs/concepts/services-networking/service/#nodeport-custom-port) 
@@ -436,10 +459,23 @@ ingress: annotations: kubernetes.io/ingress.class: alb alb.ingress.kubernetes.io/scheme: internet-facing - apiPath: /v1/* + apiPaths: + - /v1/* + - /v2/* + - /version/* + feedsPaths: + - /v1/feeds/* + - /v2/feeds/* + reportsPaths: + - /v1/reports/* + - /v2/reports/* uiPath: /* apiHosts: - anchore-api.example.com + feedsHosts: + - anchore-feeds.example.com + reportsHosts: + - anchore-reports.example.com uiHosts: - anchore-ui.example.com @@ -447,8 +483,16 @@ anchoreApi: service: type: NodePort +anchoreEnterpriseFeeds: + service: + type: NodePort + +anchoreEnterpriseReports: + service: + type: NodePort + anchoreEnterpriseUi: - service + service: type: NodePort ``` @@ -459,10 +503,23 @@ ingress: enabled: true annotations: kubernetes.io/ingress.class: gce - apiPath: /v1/* + apiPaths: + - /v1/* + - /v2/* + - /version/* + feedsPaths: + - /v1/feeds/* + - /v2/feeds/* + reportsPaths: + - /v1/reports/* + - /v2/reports/* uiPath: /* apiHosts: - anchore-api.example.com + feedsHosts: + - anchore-feeds.example.com + reportsHosts: + - anchore-reports.example.com uiHosts: - anchore-ui.example.com @@ -470,8 +527,16 @@ anchoreApi: service: type: NodePort +anchoreEnterpriseFeeds: + service: + type: NodePort + +anchoreEnterpriseReports: + service: + type: NodePort + anchoreEnterpriseUi: - service + service: type: NodePort ``` From 6c31f9b8658d7cc685a06928276026e3ed96479c Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 28 Sep 2023 16:50:36 -0700 Subject: [PATCH 229/329] add check for old values Signed-off-by: Brady Todhunter --- stable/anchore-engine/templates/_helpers.tpl | 9 +++++++++ stable/anchore-engine/templates/ingress.yaml | 3 +++ 2 files changed, 12 insertions(+) diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index a194475b..eb4624e4 100755 --- a/stable/anchore-engine/templates/_helpers.tpl +++ b/stable/anchore-engine/templates/_helpers.tpl 
@@ -471,3 +471,12 @@ upgrading from Enterprise 4.2.0 or higher and error out if they're upgrading fro {{- end }} {{- end }} {{- end }} + +{{/* +Upon upgrade, check if the user uses non-default values for ingress path configurations +*/}} +{{- define "checkIngressValues" -}} +{{- if and .Release.IsUpgrade (or .Values.ingress.feedsPath .Values.ingress.reportsPath .Values.ingress.apiPath) }} +{{- fail "As of chart v1.28.0, the `ingress.feedsPath`, `ingress.reportsPath`, and `ingress.apiPath` values are no longer valid. See README for more information - https://github.com/anchore/anchore-charts/blob/main/stable/anchore-engine/README.md#chart-version-1280" }} +{{- end }} +{{- end -}} \ No newline at end of file diff --git a/stable/anchore-engine/templates/ingress.yaml b/stable/anchore-engine/templates/ingress.yaml index f40fb280..a2872a34 100644 --- a/stable/anchore-engine/templates/ingress.yaml +++ b/stable/anchore-engine/templates/ingress.yaml @@ -1,4 +1,7 @@ {{- if .Values.ingress.enabled -}} + +{{- template "checkIngressValues" . -}} + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} apiVersion: networking.k8s.io/v1 {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" }} From 21b42d732d091a247012dd06bed40e9e22c9ecb2 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 27 Sep 2023 17:36:04 -0400 Subject: [PATCH 230/329] updating feeds url to allow for v1 and v2 (#138) * updating feeds url to allow for v1 and v2 * bumping feeds and enterprise chart.yaml version * fix feeds tests * adding more feeds url tests --------- 
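Review bot: `checkIngressValues` only fires when `.Release.IsUpgrade` is true, so a fresh install whose values file still carries `ingress.apiPath`, `ingress.feedsPath` or `ingress.reportsPath` passes silently and renders with the new list defaults instead of the paths the operator configured. The obsolete keys are just as invalid on install, so the condition can drop the upgrade guard: `{{- if or .Values.ingress.feedsPath .Values.ingress.reportsPath .Values.ingress.apiPath }}`. The new define also ends without a trailing newline (`\ No newline at end of file`), which the next addition to this file will show as a churned line.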
Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 31 ++----- stable/enterprise/templates/_helpers.tpl | 18 ++-- .../__snapshot__/configmap_test.yaml.snap | 12 +-- .../enterprise/tests/common_helpers_test.yaml | 42 +++++++--- stable/enterprise/values.yaml | 14 +++- stable/feeds/Chart.yaml | 2 +- stable/feeds/README.md | 7 +- stable/feeds/templates/_helpers.tpl | 7 +- .../__snapshot__/configmap_test.yaml.snap | 83 +++++++++++++++++++ stable/feeds/tests/configmap_test.yaml | 36 ++++++++ stable/feeds/values.yaml | 2 + 12 files changed, 191 insertions(+), 65 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index b30b89af..63a56479 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.0.17" +version: "0.0.18" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 65a41f85..39c2042f 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -756,7 +756,6 @@ rbacManager: | `global.fullnameOverride` | overrides the fullname set on resources | `""` | | `global.nameOverride` | overrides the name set on resources | `""` | - ### Common Resource Parameters | Name | Description | Value | @@ -799,7 +798,6 @@ rbacManager: | `configOverride` | Allows for overriding the default Anchore configuration file | `""` | | `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | - ### Anchore Configuration Parameters | Name | Description | Value | @@ -893,7 +891,6 @@ rbacManager: | `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. | `""` | | `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` | - ### Anchore API k8s Deployment Parameters | Name | Description | Value | 
@@ -915,7 +912,6 @@ rbacManager: | `api.affinity` | Affinity for Anchore API pod assignment | `{}` | | `api.serviceAccountName` | Service account name for Anchore API pods | `""` | - ### Anchore Analyzer k8s Deployment Parameters | Name | Description | Value | @@ -931,7 +927,6 @@ rbacManager: | `analyzer.affinity` | Affinity for Anchore Analyzer pod assignment | `{}` | | `analyzer.serviceAccountName` | Service account name for Anchore API pods | `""` | - ### Anchore Catalog k8s Deployment Parameters | Name | Description | Value | @@ -951,15 +946,14 @@ rbacManager: | `catalog.affinity` | Affinity for Anchore Catalog pod assignment | `{}` | | `catalog.serviceAccountName` | Service account name for Anchore Catalog pods | `""` | - ### Anchore Feeds Chart Parameters -| Name | Description | Value | -| -------------------- | ---------------------------------------------------------------------------------------------- | ------- | -| `feeds.chartEnabled` | Enable the Anchore Feeds chart | `true` | -| `feeds.standalone` | Sets the Anchore Feeds chart to run into non-standalone mode, for use with Anchore Enterprise. | `false` | -| `feeds.url` | Set the URL for a standalone Feeds service. Use when chartEnabled=false. | `""` | - +| Name | Description | Value | +| -------------------------- | ---------------------------------------------------------------------------------------------- | ------- | +| `feeds.chartEnabled` | Enable the Anchore Feeds chart | `true` | +| `feeds.standalone` | Sets the Anchore Feeds chart to run into non-standalone mode, for use with Anchore Enterprise. | `false` | +| `feeds.url` | Set the URL for a standalone Feeds service. Use when chartEnabled=false. | `""` | +| `feeds.service.apiVersion` | the apiVersion for the service when communicating with Anchore Feeds | `v2` | ### Anchore Policy Engine k8s Deployment Parameters 
@@ -980,7 +974,6 @@ rbacManager: | `policyEngine.affinity` | Affinity for Anchore Policy Engine pod assignment | `{}` | | `policyEngine.serviceAccountName` | Service account name for Anchore Policy Engine pods | `""` | - ### Anchore Simple Queue Parameters | Name | Description | Value | @@ -1000,7 +993,6 @@ rbacManager: | `simpleQueue.affinity` | Affinity for Anchore Simple Queue pod assignment | `{}` | | `simpleQueue.serviceAccountName` | Service account name for Anchore Simple Queue pods | `""` | - ### Anchore Notifications Parameters | Name | Description | Value | @@ -1021,7 +1013,6 @@ rbacManager: | `notifications.affinity` | Affinity for Anchore Notifications pod assignment | `{}` | | `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | - ### Anchore Reports Parameters | Name | Description | Value | @@ -1042,7 +1033,6 @@ rbacManager: | `reports.affinity` | Affinity for Anchore Reports pod assignment | `{}` | | `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | - ### Anchore RBAC Authentication Parameters | Name | Description | Value | @@ -1050,7 +1040,6 @@ rbacManager: | `rbacAuth.extraEnv` | Set extra environment variables for Anchore RBAC Authentication containers | `[]` | | `rbacAuth.resources` | Resource requests and limits for Anchore RBAC Authentication containers | `{}` | - ### Anchore RBAC Manager Parameters | Name | Description | Value | @@ -1071,7 +1060,6 @@ rbacManager: | `rbacManager.affinity` | Affinity for Anchore RBAC Manager pod assignment | `{}` | | `rbacManager.serviceAccountName` | Service account name for Anchore RBAC Manager pods | `""` | - ### Anchore UI Parameters | Name | Description | Value | @@ -1095,7 +1083,6 @@ rbacManager: | `ui.affinity` | Affinity for Anchore ui pod assignment | `{}` | | `ui.serviceAccountName` | Service account name for Anchore UI pods | `""` | - ### Anchore Upgrade Job Parameters | Name | Description | Value | 
@@ -1113,7 +1100,6 @@ rbacManager: | `upgradeJob.labels` | Labels for the Anchore upgrade job | `{}` | | `upgradeJob.ttlSecondsAfterFinished` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | - ### Ingress Parameters | Name | Description | Value | @@ -1122,7 +1108,7 @@ rbacManager: | `ingress.labels` | Labels for the ingress resource | `{}` | | `ingress.annotations` | Annotations for the ingress resource | `{}` | | `ingress.apiHosts` | List of custom hostnames for the Anchore API | `[]` | -| `ingress.apiPath` | The path used for accessing the Anchore API | `/v1/` | +| `ingress.apiPath` | The path used for accessing the Anchore API | `/v2/` | | `ingress.uiHosts` | List of custom hostnames for the Anchore UI | `[]` | | `ingress.uiPath` | The path used for accessing the Anchore UI | `/` | | `ingress.feedsHosts` | List of custom hostnames for the Anchore Feeds API | `[]` | @@ -1132,7 +1118,6 @@ rbacManager: | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | - ### Google CloudSQL DB Parameters | Name | Description | Value | @@ -1146,7 +1131,6 @@ rbacManager: | `cloudsql.serviceAccJsonName` | | `""` | | `cloudsql.extraArgs` | a list of extra arguments to be passed into the cloudsql container command. eg | `[]` | - ### Anchore UI Redis Parameters | Name | Description | Value | @@ -1157,7 +1141,6 @@ rbacManager: | `ui-redis.architecture` | Redis deployment architecture | `standalone` | | `ui-redis.master.persistence.enabled` | enables persistence | `false` | - ### Anchore Database Parameters | Name | Description | Value | diff --git a/stable/enterprise/templates/_helpers.tpl b/stable/enterprise/templates/_helpers.tpl index baa23784..02058f8b 100644 --- a/stable/enterprise/templates/_helpers.tpl +++ b/stable/enterprise/templates/_helpers.tpl 
@@ -43,12 +43,13 @@ Returns the proper URL for the feeds service
 {{- define "enterprise.feedsURL" }}
 {{- $anchoreFeedsURL := "" }}
 {{- if .Values.feeds.url }}
- {{- /* remove everything from the URL after /v1 to get the hostname, then use that to construct the proper URL */}}
- {{- $urlPathSuffix := (default "" ( regexFind "/v1.*$" .Values.feeds.url )) -}}
+ {{- /* remove everything from the URL after /v2 to get the hostname, then use that to construct the proper URL */}}
+ {{- $regexSearchPattern := (printf "/%s.*$" .Values.feeds.service.apiVersion | toString) }}
+ {{- $urlPathSuffix := (default "" (regexFind $regexSearchPattern .Values.feeds.url) ) }}
 {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.feeds.url) -}}
- {{- $anchoreFeedsURL = (printf "%s/v1/feeds" $anchoreFeedsHost) -}}
+ {{- $anchoreFeedsURL = (printf "%s/%s/feeds" $anchoreFeedsHost .Values.feeds.service.apiVersion) -}}
 {{- else if .Values.feeds.chartEnabled }}
- {{- $anchoreFeedsURL = (printf "%s://%s:%s/v1/feeds" (include "enterprise.feeds.setProtocol" .) (include "enterprise.feeds.fullname" .) (.Values.feeds.service.port | toString)) -}}
+ {{- $anchoreFeedsURL = (printf "%s://%s:%s/%s/feeds" (include "enterprise.feeds.setProtocol" .) (include "enterprise.feeds.fullname" .) (.Values.feeds.service.port | toString) .Values.feeds.service.apiVersion) -}}
 {{- end }}
 {{- print $anchoreFeedsURL -}}
 {{- end -}}
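Review bot: An unset or empty `feeds.service.apiVersion` collapses the new `$regexSearchPattern` to `/.*$`, so `regexFind` matches from the first slash of `feeds.url` (the `//` after the scheme), `trimSuffix` leaves only `https:`, and the `printf "%s/%s/feeds"` line emits a broken URL instead of failing the render. Reading the value once through a guard, e.g. `{{- $apiVersion := required "feeds.service.apiVersion must be set" .Values.feeds.service.apiVersion }}`, and using `$apiVersion` in both `printf` calls surfaces the misconfiguration at template time; the same unchecked read appears in `enterprise.grypeProviderURL` in the next hunk and in `feeds.setGrypeProviderURL` in `stable/feeds/templates/_helpers.tpl`. The `| toString` on the `printf` result is a no-op, since `printf` already yields a string. The rewritten comment still hard-codes `/v2` although the suffix is now whatever `apiVersion` holds; `remove everything from the URL after /<apiVersion> to get the hostname` would stay accurate.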
@@ -59,13 +60,14 @@ Returns the proper URL for the grype provider */}} {{- define "enterprise.grypeProviderURL" }} {{- $grypeProviderFeedsExternalURL := "" -}} +{{- $regexSearchPattern := (printf "/%s.*$" .Values.feeds.service.apiVersion | toString) }} {{- if .Values.feeds.url }} - {{- /* remove everything from the URL after /v1 to get the hostname, then use that to construct the proper URL */}} - {{- $urlPathSuffix := (default "" ( regexFind "/v1.*$" .Values.feeds.url )) -}} + {{- /* remove everything from the URL after /v2 to get the hostname, then use that to construct the proper URL */}} + {{- $urlPathSuffix := (default "" ( regexFind $regexSearchPattern .Values.feeds.url )) -}} {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.feeds.url) -}} - {{- $grypeProviderFeedsExternalURL = (printf "%s/v1/databases/grypedb" $anchoreFeedsHost) -}} + {{- $grypeProviderFeedsExternalURL = (printf "%s/%s/databases/grypedb" $anchoreFeedsHost .Values.feeds.service.apiVersion) -}} {{- else if .Values.feeds.chartEnabled }} - {{- $grypeProviderFeedsExternalURL = (printf "%s://%s:%s/v1/databases/grypedb" (include "enterprise.feeds.setProtocol" .) (include "enterprise.feeds.fullname" .) (.Values.feeds.service.port | toString) ) -}} + {{- $grypeProviderFeedsExternalURL = (printf "%s://%s:%s/%s/databases/grypedb" (include "enterprise.feeds.setProtocol" .) (include "enterprise.feeds.fullname" .) (.Values.feeds.service.port | toString) .Values.feeds.service.apiVersion ) -}} {{- end }} {{- /* Set the grypeProviderFeedsExternalURL to upstream feeds if still unset or if specifically overridden */}} diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 743b3caa..60d6e9a2 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap 
@@ -216,22 +216,22 @@ should render the configmaps: data: grypedb: enabled: true - url: http://test-release-feeds:8448/v1/databases/grypedb + url: http://test-release-feeds:8448/v2/databases/grypedb vulnerabilities: enabled: ${ANCHORE_FEEDS_VULNERABILITIES_ENABLED} - url: http://test-release-feeds:8448/v1/feeds + url: http://test-release-feeds:8448/v2/feeds nvdv2: enabled: ${ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED} - url: http://test-release-feeds:8448/v1/feeds + url: http://test-release-feeds:8448/v2/feeds github: enabled: ${ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED} - url: http://test-release-feeds:8448/v1/feeds + url: http://test-release-feeds:8448/v2/feeds packages: enabled: ${ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED} - url: http://test-release-feeds:8448/v1/feeds + url: http://test-release-feeds:8448/v2/feeds microsoft: enabled: ${ANCHORE_FEEDS_DRIVER_MSRC_ENABLED} - url: http://test-release-feeds:8448/v1/feeds + url: http://test-release-feeds:8448/v2/feeds ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} diff --git a/stable/enterprise/tests/common_helpers_test.yaml b/stable/enterprise/tests/common_helpers_test.yaml index 71ab9383..10e1dc31 100644 --- a/stable/enterprise/tests/common_helpers_test.yaml +++ b/stable/enterprise/tests/common_helpers_test.yaml @@ -830,6 +830,24 @@ tests: templates: - anchore_configmap.yaml documentIndex: 0 + asserts: + - matchRegex: + path: data["config.yaml"] + pattern: "url: my-feeds-url/v2/databases/grypedb" + + - matchRegex: + path: data["config.yaml"] + pattern: "url: my-feeds-url/v2/feeds" + + - it: should render v1 anchoreFeedsURL with feeds.url set + set: + feeds: + url: my-feeds-url + service: + apiVersion: v1 + templates: + - anchore_configmap.yaml + documentIndex: 0 asserts: - matchRegex: path: data["config.yaml"] 
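Review bot: The new `should render v1 anchoreFeedsURL with feeds.url set` case sets `url: my-feeds-url` with no path, so the `regexFind`/`trimSuffix` branch that strips an existing version suffix from `feeds.url` is never exercised for v1; a value such as `url: my-feeds-url/v1/feeds` (constructed) would cover it while the expected output stays `my-feeds-url/v1/...`. The assertions for this case continue outside the hunk, and the `it:` and `set:` lines of the preceding case, whose expectations were changed to `/v2/`, are also outside it, so I can't confirm that case does not pin `apiVersion` explicitly; if it relies on the default, a one-line comment such as `# relies on the default feeds.service.apiVersion` would make that dependency visible.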
@@ -849,11 +867,11 @@ tests: asserts: - matchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v1/databases/grypedb" + pattern: "url: http://test-release-feeds:8448/v2/databases/grypedb" - matchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v1/feeds" + pattern: "url: http://test-release-feeds:8448/v2/feeds" - it: should render grypeProviderURL with anchoreConfig.policy_engine.overrideFeedsToUpstream set: @@ -865,7 +883,7 @@ tests: asserts: - notMatchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v1/databases/grypedb" + pattern: "url: http://test-release-feeds:8448/v2/databases/grypedb" - matchRegex: path: data["config.yaml"] @@ -882,7 +900,7 @@ tests: asserts: - notMatchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v1/databases/grypedb" + pattern: "url: http://test-release-feeds:8448/v2/databases/grypedb" - matchRegex: path: data["config.yaml"] @@ -897,19 +915,19 @@ tests: asserts: - matchRegex: path: data["config.yaml"] - pattern: "url: https://test-release-feeds:8448/v1/databases/grypedb" + pattern: "url: https://test-release-feeds:8448/v2/databases/grypedb" - matchRegex: path: data["config.yaml"] - pattern: "url: https://test-release-feeds:8448/v1/feeds" + pattern: "url: https://test-release-feeds:8448/v2/feeds" - notMatchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v1/databases/grypedb" + pattern: "url: http://test-release-feeds:8448/v2/databases/grypedb" - notMatchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v1/feeds" + pattern: "url: http://test-release-feeds:8448/v2/feeds" - it: should set the correct protocol with anchoreConfig.internalServicesSSL.enabled to true for deployments set: 
@@ -935,19 +953,19 @@ tests: asserts: - matchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v1/databases/grypedb" + pattern: "url: http://test-release-feeds:8448/v2/databases/grypedb" - matchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v1/feeds" + pattern: "url: http://test-release-feeds:8448/v2/feeds" - notMatchRegex: path: data["config.yaml"] - pattern: "url: https://test-release-feeds:8448/v1/databases/grypedb" + pattern: "url: https://test-release-feeds:8448/v2/databases/grypedb" - notMatchRegex: path: data["config.yaml"] - pattern: "url: https://test-release-feeds:8448/v1/feeds" + pattern: "url: https://test-release-feeds:8448/v2/feeds" - it: should set the correct protocol with anchoreConfig.internalServicesSSL.enabled to false for deployments set: diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 31e5261e..c6c28eaf 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -511,7 +511,7 @@ anchoreConfig: reports: ## @param anchoreConfig.reports.enable_graphiql Enable GraphiQL, a GUI for editing and testing GraphQL queries and mutations - ## Go to http://:/v1/reports/graphql in a browser for the reports API + ## Go to http://:/v2/reports/graphql in a browser for the reports API ## ref: https://docs.anchore.com/current/docs/using/api_usage/reports/ ## enable_graphiql: true @@ -802,6 +802,12 @@ feeds: ## url: "" + ## @param feeds.service.apiVersion the apiVersion for the service when communicating with Anchore Feeds + ## + service: + apiVersion: v2 + + ########################################################### ## @section Anchore Policy Engine k8s Deployment Parameters ########################################################### @@ -1244,7 +1250,7 @@ ingress: ## @param ingress.apiPath The path used for accessing the Anchore API ## - apiPath: /v1/ + apiPath: /v2/ ## @param ingress.uiHosts List of custom hostnames for the Anchore UI ## 
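Review bot: The `## @param feeds.service.apiVersion the apiVersion for the service when communicating with Anchore Feeds` comment in the `@@ -802` hunk doesn't say what form the value takes or where it ends up — the helpers splice it into every feeds URL as a path segment — so a reader can't tell whether `2`, `v2` or `/v2` is expected. Something like `## @param feeds.service.apiVersion Anchore Feeds API version used as the URL path prefix when building feeds URLs (e.g. v2)` would make it usable; whether it must match the version served by the deployed feeds image is my inference and worth confirming before adding to the comment. Moving the `ingress.apiPath` default from `/v1/` to `/v2/` in the `@@ -1244` hunk changes the externally exposed path for anyone upgrading on defaults; a sentence beside `## @param ingress.apiPath` telling users who still need the old prefix to set `ingress.apiPath: /v1/` seems worth adding.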
@@ -1259,7 +1265,7 @@ ingress: feedsHosts: [] ## @param ingress.feedsPath The path used for accessing the Anchore Feeds API - ## Exposing the feeds API is for special cases only, use /v1/feeds for ingress.feedsPath + ## Exposing the feeds API is for special cases only, use /v2/feeds for ingress.feedsPath ## feedsPath: "" @@ -1268,7 +1274,7 @@ ingress: reportsHosts: [] ## @param ingress.reportsPath The path used for accessing the Anchore Reports API - ## Exposing the reports API enables the GraphQL interface, use /v1/reports/graphql for ingress.reportsPath + ## Exposing the reports API enables the GraphQL interface, use /v2/reports/graphql for ingress.reportsPath ## reportsPath: "" diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index 3f1be6c1..7c08c0bf 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: feeds type: application -version: "0.0.9" +version: "0.0.10" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: Anchore feeds service diff --git a/stable/feeds/README.md b/stable/feeds/README.md index f81c28e0..a6c4a207 100644 --- a/stable/feeds/README.md +++ b/stable/feeds/README.md @@ -235,6 +235,7 @@ feeds-db: | `service.annotations` | Annotations for Anchore Feeds service | `{}` | | `service.labels` | Labels for Anchore Feeds service | `{}` | | `service.nodePort` | nodePort for Anchore Feeds service | `""` | +| `service.apiVersion` | the apiVersion for the service when communicating with Anchore Feeds | `v2` | | `scratchVolume.mountPath` | The mount path of an external volume for scratch space for image analysis | `/anchore_scratch` | | `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions | `false` | | `scratchVolume.details` | Details for the k8s volume to be created | `{}` | 
@@ -269,7 +270,6 @@ feeds-db: | `configOverride` | Allows for overriding the default Anchore configuration file | `{}` | | `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | - ### Anchore Feeds Configuration Parameters | Name | Description | Value | @@ -309,7 +309,6 @@ feeds-db: | `anchoreConfig.feeds.drivers.github.enabled` | Enable GitHub advisory feeds (requires GitHub PAT) | `false` | | `anchoreConfig.feeds.drivers.github.token` | GitHub developer personal access token with zero permission scopes | `""` | - ### Anchore Feeds Database Parameters | Name | Description | Value | @@ -324,7 +323,6 @@ feeds-db: | `feeds-db.primary.extraEnvVars` | An array to add extra environment variables | `[]` | | `feeds-db.image.tag` | Specifies the image to use for this chart. | `13.11.0-debian-11-r15` | - ### Feeds Gem Database Parameters | Name | Description | Value | @@ -339,7 +337,6 @@ feeds-db: | `gem-db.primary.extraEnvVars` | An array to add extra environment variables | `[]` | | `gem-db.image.tag` | Specifies the image to use for this chart. | `13.11.0-debian-11-r15` | - ### Anchore Feeds Upgrade Job Parameters | Name | Description | Value | @@ -357,7 +354,6 @@ feeds-db: | `feedsUpgradeJob.resources` | Resources for the Anchore Feeds upgrade job | `{}` | | `feedsUpgradeJob.ttlSecondsAfterFinished` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | - ### Ingress Parameters | Name | Description | Value | @@ -370,7 +366,6 @@ feeds-db: | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | - ### Google CloudSQL DB Parameters | Name | Description | Value | diff --git a/stable/feeds/templates/_helpers.tpl b/stable/feeds/templates/_helpers.tpl index d4dc1f13..45010ecc 100644 --- a/stable/feeds/templates/_helpers.tpl +++ b/stable/feeds/templates/_helpers.tpl 
@@ -39,12 +39,13 @@ Return a URL for the external feeds service
 */}}
 {{- define "feeds.setGrypeProviderURL" -}}
 {{- $grypeProviderFeedsExternalURL := "" }}
+{{- $regexSearchPattern := (printf "/%s.*$" .Values.service.apiVersion | toString) }}
 {{- if .Values.url }}
- {{- $urlPathSuffix := (default "" (regexFind "/v1.*$" .Values.url) ) }}
+ {{- $urlPathSuffix := (default "" (regexFind $regexSearchPattern .Values.url) ) }}
 {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.url) }}
- {{- $grypeProviderFeedsExternalURL = (printf "%s/v1/" $anchoreFeedsHost) }}
+ {{- $grypeProviderFeedsExternalURL = (printf "%s/%s/" $anchoreFeedsHost .Values.service.apiVersion) }}
 {{- else }}
- {{- $grypeProviderFeedsExternalURL = (printf "%s://%s:%s/v1/" (include "feeds.setProtocol" .) (include "feeds.fullname" .) (.Values.service.port | toString) ) -}}
+ {{- $grypeProviderFeedsExternalURL = (printf "%s://%s:%s/%s/" (include "feeds.setProtocol" .) (include "feeds.fullname" .) (.Values.service.port | toString) .Values.service.apiVersion ) -}}
 {{- end }}
 {{- print $grypeProviderFeedsExternalURL }}
 {{- end -}}
diff --git a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap
index 4a2d8b89..414b8ec1 100644
--- a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap
+++ b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap
@@ -132,3 +132,86 @@ should render the configmaps: helm.sh/chart: feeds-9.9.9 name: test-release-feeds namespace: test-namespace + 2: | + apiVersion: v1 + data: + ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "false" + ANCHORE_AUTH_PRIVKEY: "null" + ANCHORE_AUTH_PUBKEY: "null" + ANCHORE_CLI_URL: http://localhost:8228 + ANCHORE_CLI_USER: admin + ANCHORE_DISABLE_METRICS_AUTH: "false" + ANCHORE_ENABLE_METRICS: "false" + ANCHORE_FEEDS_API_ONLY: "false" + ANCHORE_FEEDS_DB_POOL_MAX_OVERFLOW: "100" + ANCHORE_FEEDS_DB_POOL_SIZE: "30" + ANCHORE_FEEDS_DB_SSL: "false" + ANCHORE_FEEDS_DB_SSL_MODE: require + ANCHORE_FEEDS_DB_SSL_ROOT_CERT: "null" + ANCHORE_FEEDS_DB_TIMEOUT: "120" + ANCHORE_FEEDS_DRIVER_ALPINE_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_AMAZON_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_CHAINGUARD_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_DEBIAN_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_GEM_ENABLED: "false" + ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED: "false" + ANCHORE_FEEDS_DRIVER_GRYPEDB_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_MARINER_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_MATCH_EXCLUSIONS: "true" + ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: "false" + ANCHORE_FEEDS_DRIVER_NPM_ENABLED: "false" + ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_OL_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_RHEL_CONCURRENCY: "5" + ANCHORE_FEEDS_DRIVER_RHEL_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_SLES_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_UBUNTU_BRANCH: master + ANCHORE_FEEDS_DRIVER_UBUNTU_ENABLED: "true" + ANCHORE_FEEDS_DRIVER_UBUNTU_URL: https://git.launchpad.net/ubuntu-cve-tracker + ANCHORE_FEEDS_DRIVER_WOLFI_ENABLED: "true" + ANCHORE_FEEDS_EXTERNAL_URL: http://test-release-feeds:8448/v2/ + ANCHORE_FEEDS_GRYPEDB_PERSIST_WORKSPACE: "true" + ANCHORE_FEEDS_GRYPEDB_PRELOAD_ENABLED: "true" + ANCHORE_FEEDS_GRYPEDB_PRELOAD_PATH: /preload/grype-db-workspace.tar.gz + ANCHORE_FEEDS_GRYPEDB_RESTORE_WORKSPACE: "true" + ANCHORE_FEEDS_LOCAL_WORKSPACE: /workspace + ANCHORE_FEEDS_PACKAGES_ENABLED: "false" + 
ANCHORE_FEEDS_TMP_DIR: /anchore_scratch + ANCHORE_FEEDS_WORKSPACE_PRELOAD: "true" + ANCHORE_GITHUB_TOKEN: "null" + ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT: "0" + ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT: "0" + ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC: "180" + ANCHORE_INTERNAL_SSL_VERIFY: "false" + ANCHORE_LICENSE_FILE: /home/anchore/license.yaml + ANCHORE_LOG_LEVEL: INFO + ANCHORE_MAX_REQUEST_THREADS: "50" + ANCHORE_NVD_API_KEY: "null" + ANCHORE_OAUTH_ENABLED: "false" + ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION: "86400" + ANCHORE_OAUTH_TOKEN_EXPIRATION: "3600" + ANCHORE_SAML_SECRET: "null" + ANCHORE_SERVICE_DIR: /anchore_service + ANCHORE_SSL_CERT: "null" + ANCHORE_SSL_ENABLED: "false" + ANCHORE_SSL_KEY: "null" + ANCHORE_SSO_REQUIRES_EXISTING_USERS: "false" + ANCHORECTL_URL: http://localhost:8228 + ANCHORECTL_USERNAME: admin + kind: ConfigMap + metadata: + annotations: + bar: baz-annotation + foo: bar-annotation + labels: + app.kubernetes.io/component: feeds + app.kubernetes.io/instance: test-release + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: test-release-feeds + app.kubernetes.io/part-of: anchore + app.kubernetes.io/version: 9.9.9 + bar: baz-label + foo: bar-label + helm.sh/chart: feeds-9.9.9 + name: test-release-feeds-config-env-vars + namespace: test-namespace diff --git a/stable/feeds/tests/configmap_test.yaml b/stable/feeds/tests/configmap_test.yaml index b65b0eb8..8d05d0ea 100644 --- a/stable/feeds/tests/configmap_test.yaml +++ b/stable/feeds/tests/configmap_test.yaml @@ -1,6 +1,7 @@ suite: ConfigMap Tests templates: - configmap.yaml + - envvars_configmap.yaml values: - values.yaml release: 
@@ -13,3 +14,38 @@ tests: - it: should render the configmaps asserts: - matchSnapshot: {} + + - it: should render v1 correctly if service.apiVersion is set as v1 + template: envvars_configmap.yaml + set: + service.apiVersion: v1 + asserts: + - matchRegex: + path: data["ANCHORE_FEEDS_EXTERNAL_URL"] + pattern: http://test-release-feeds:8448/v1/$ + + - it: should render v1 correctly if service.apiVersion is default + template: envvars_configmap.yaml + asserts: + - matchRegex: + path: data["ANCHORE_FEEDS_EXTERNAL_URL"] + pattern: http://test-release-feeds:8448/v2/$ + + - it: should render grype url correctly if .Values.url is set + template: envvars_configmap.yaml + set: + service.apiVersion: v1 + url: https://something/v1/my-grype/something + asserts: + - matchRegex: + path: data["ANCHORE_FEEDS_EXTERNAL_URL"] + pattern: https://something/v1/$ + + - it: should render grype url correctly if .Values.url is set to a v2 url + template: envvars_configmap.yaml + set: + url: https://something/v2/my-grype/something + asserts: + - matchRegex: + path: data["ANCHORE_FEEDS_EXTERNAL_URL"] + pattern: https://something/v2/$ \ No newline at end of file diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml index d2e18fa8..575d3e43 100644 --- a/stable/feeds/values.yaml +++ b/stable/feeds/values.yaml @@ -92,6 +92,7 @@ affinity: {} ## @param service.annotations Annotations for Anchore Feeds service ## @param service.labels Labels for Anchore Feeds service ## @param service.nodePort nodePort for Anchore Feeds service +## @param service.apiVersion the apiVersion for the service when communicating with Anchore Feeds ## service: type: ClusterIP @@ -99,6 +100,7 @@ service: annotations: {} labels: {} nodePort: "" + apiVersion: v2 ## @param scratchVolume.mountPath The mount path of an external volume for scratch space for image analysis ## @param scratchVolume.fixGroupPermissions Enable an initContainer that will fix the fsGroup permissions 
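Review bot: The case named `should render v1 correctly if service.apiVersion is default` asserts `http://test-release-feeds:8448/v2/$`, so the name contradicts what it checks; `- it: should render v2 correctly if service.apiVersion is default` matches the assertion. The last added line has no newline at end of file (`\ No newline at end of file`), which yamllint flags and which makes the next appended case show up as a change to this line. The `url: https://something/v1/my-grype/something` cases pass because the host carries no version string; a case whose host does (e.g. `url: https://v2.example.com/v2/x`, constructed) would expose that `regexFind` takes the earliest `/v2` — there, the one inside `//v2.example.com` — and is worth adding if such hostnames are plausible for users.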
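Review bot: `apiVersion` is placed under `service:`, a block whose other keys (`type`, `port`, `annotations`, `labels`, `nodePort`) describe the Kubernetes Service, and the `## @param service.apiVersion the apiVersion for the service when communicating with Anchore Feeds` text does nothing to prevent confusion with a Kubernetes `apiVersion` field. Suggest `## @param service.apiVersion Anchore Feeds REST API version used as the URL path prefix (e.g. v2); not the Kubernetes Service apiVersion`, with the same wording for the matching row added to `stable/feeds/README.md`. `apiVersion: v2` parses as a string as written, but quoting it (`apiVersion: "v2"`) guards against someone later setting a bare number that a YAML loader would turn into an int before it reaches `printf`.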
From d9eddc004e99d703eff19bbfe49db67fc84f4244 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 29 Sep 2023 10:35:19 -0400 Subject: [PATCH 231/329] adding pre-upgrade hook to configmap on everything other than a fresh install (#139) * adding pre-upgrade hook to configmap on everything other than a fresh install * updating feeds script configmap, bumping chart versions * update scripts configmap annotations, update tests --------- Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/templates/scripts_configmap.yaml | 11 ++++++++++- stable/enterprise/tests/configmap_test.yaml | 7 ++++++- stable/feeds/Chart.yaml | 2 +- stable/feeds/templates/scripts_configmap.yaml | 11 ++++++++++- 5 files changed, 28 insertions(+), 5 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 63a56479..b329e185 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.0.18" +version: "0.0.19" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/templates/scripts_configmap.yaml b/stable/enterprise/templates/scripts_configmap.yaml index 73c913aa..ee85866f 100644 --- a/stable/enterprise/templates/scripts_configmap.yaml +++ b/stable/enterprise/templates/scripts_configmap.yaml 
@@ -4,6 +4,15 @@ metadata: name: {{ .Release.Name }}-enterprise-scripts namespace: {{ .Release.Namespace }} labels: {{- include "enterprise.common.labels" . | nindent 4 }} - annotations: {{- include "enterprise.common.annotations" . | nindent 4 }} + annotations: + {{- if not .Release.IsInstall }} + {{- include "enterprise.common.annotations" (merge (dict "nil" true) .) | nindent 4}} + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": before-hook-creation + {{- else }} + {{- include "enterprise.common.annotations" . | nindent 4}} + {{- end }} + data: {{ .Values.scripts | toYaml | nindent 2 }} diff --git a/stable/enterprise/tests/configmap_test.yaml b/stable/enterprise/tests/configmap_test.yaml index d40e0d71..662459ec 100644 --- a/stable/enterprise/tests/configmap_test.yaml +++ b/stable/enterprise/tests/configmap_test.yaml @@ -1,6 +1,11 @@ suite: ConfigMap Tests templates: - - templates/*_configmap.yaml + - templates/analyzer_configmap.yaml + - templates/anchore_configmap.yaml + - templates/envvars_configmap.yaml + - templates/policybundle_configmap.yaml + - templates/scripts_configmap.yaml + - templates/ui_configmap.yaml values: - values.yaml release: diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index 7c08c0bf..b75aa59f 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: feeds type: application -version: "0.0.10" +version: "0.0.11" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: Anchore feeds service diff --git a/stable/feeds/templates/scripts_configmap.yaml b/stable/feeds/templates/scripts_configmap.yaml index f65aac75..2234e0b8 100644 --- a/stable/feeds/templates/scripts_configmap.yaml +++ b/stable/feeds/templates/scripts_configmap.yaml 
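Review bot: Both added `include "enterprise.common.annotations" ... | nindent 4}}` lines close the action with no space before `}}`, unlike every other action in this file and the matching feeds template in the next hunk (`nindent 4 }}`); worth normalising while the lines are being touched. The `(merge (dict "nil" true) .)` argument is opaque at the call site — a short comment stating what the `nil` key switches off inside `enterprise.common.annotations` would help, since the helper body is outside this diff. Annotating the ConfigMap as a `pre-upgrade` hook on non-install renders also changes its lifecycle: Helm does not manage hook resources as part of the release, so with `before-hook-creation` the previous copy is only replaced at the next upgrade and `helm uninstall` leaves it behind; if that is intended it belongs in the commit message.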
@@ -5,7 +5,16 @@ metadata: name: {{ .Release.Name }}-feeds-scripts namespace: {{ .Release.Namespace }} labels: {{- include "feeds.common.labels" . | nindent 4 }} - annotations: {{- include "feeds.common.annotations" . | nindent 4 }} + annotations: + {{- if not .Release.IsInstall }} + {{- include "feeds.common.annotations" (merge (dict "nil" true) .) | nindent 4 }} + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "0" + "helm.sh/hook-delete-policy": before-hook-creation + {{- else }} + {{- include "feeds.common.annotations" . | nindent 4 }} + {{- end }} + data: {{ .Values.scripts | toYaml | nindent 2 }} {{- end }} From a5a11afce5b3c972650f30a3aeb9f10e2d9f6c3d Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 29 Sep 2023 17:06:12 -0700 Subject: [PATCH 232/329] Fix upgradejob volumes (#142) * remove hook annotations and unneeded common volumes from enterprise * remove hook annotations and unneeded common volumes from feeds * bump chart version --------- Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.yaml | 2 +- .../hooks/post-upgrade/upgrade_job.yaml | 25 +++++++++++++++++-- .../hooks/pre-upgrade/upgrade_job.yaml | 25 +++++++++++++++++-- .../templates/scripts_configmap.yaml | 11 +------- stable/feeds/Chart.yaml | 2 +- stable/feeds/templates/scripts_configmap.yaml | 11 +------- 6 files changed, 50 insertions(+), 26 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index b329e185..a81278c0 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.0.19" +version: "0.0.20" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/templates/hooks/post-upgrade/upgrade_job.yaml b/stable/enterprise/templates/hooks/post-upgrade/upgrade_job.yaml index 0beaa27a..d545cb49 100644 --- a/stable/enterprise/templates/hooks/post-upgrade/upgrade_job.yaml 
+++ b/stable/enterprise/templates/hooks/post-upgrade/upgrade_job.yaml @@ -24,7 +24,20 @@ spec: spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} restartPolicy: Never - volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + volumes: + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.certStoreSecretName }} + - name: certs + secret: + secretName: {{ . }} + {{- end }} + {{- if .Values.cloudsql.useExistingServiceAcc }} + - name: {{ .Values.cloudsql.serviceAccSecretName }} + secret: + secretName: {{ .Values.cloudsql.serviceAccSecretName }} + {{- end }} containers: {{- if .Values.cloudsql.enabled }} {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} @@ -49,7 +62,15 @@ spec: {{- end }} envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + volumeMounts: + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.certStoreSecretName }} + - name: certs + mountPath: /home/anchore/certs/ + readOnly: true + {{- end }} {{- with .Values.upgradeJob.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} diff --git a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml index 32d1d489..91f9f2ee 100644 --- a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml +++ b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml 
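Review bot: The inlined `volumes` and `volumeMounts` lists are duplicated verbatim between this post-upgrade job and the pre-upgrade job in the following hunks, which is exactly the drift the replaced `enterprise.common.volumes` include avoided; factoring them into `enterprise.upgradeJob.volumes` / `enterprise.upgradeJob.volumeMounts` (suggested names) and replacing each list with `{{- include "enterprise.upgradeJob.volumes" . | nindent 8 }}` keeps a single definition. The cloudsql volume is named after `.Values.cloudsql.serviceAccSecretName`; volume names must be valid DNS labels while secret names may contain dots, so a fixed name such as `cloudsql-service-account` would be safer — I can't see from this hunk whether the sidecar rendered by `enterprise.common.cloudsqlContainer` mounts the volume by the secret name, so that needs checking there first. The `certs` volume is gated with `with` and its mount with `if` on the same value; equivalent, but one form would read better.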
@@ -28,7 +28,20 @@ spec: spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} restartPolicy: Never - volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + volumes: + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.certStoreSecretName }} + - name: certs + secret: + secretName: {{ . }} + {{- end }} + {{- if .Values.cloudsql.useExistingServiceAcc }} + - name: {{ .Values.cloudsql.serviceAccSecretName }} + secret: + secretName: {{ .Values.cloudsql.serviceAccSecretName }} + {{- end }} initContainers: - name: scale-down-anchore image: bitnami/kubectl:1.27 @@ -86,7 +99,15 @@ spec: {{- end }} envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + volumeMounts: + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.certStoreSecretName }} + - name: certs + mountPath: /home/anchore/certs/ + readOnly: true + {{- end }} {{- with .Values.upgradeJob.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} diff --git a/stable/enterprise/templates/scripts_configmap.yaml b/stable/enterprise/templates/scripts_configmap.yaml index ee85866f..47416bca 100644 --- a/stable/enterprise/templates/scripts_configmap.yaml +++ b/stable/enterprise/templates/scripts_configmap.yaml 
@@ -4,15 +4,6 @@ metadata: name: {{ .Release.Name }}-enterprise-scripts namespace: {{ .Release.Namespace }} labels: {{- include "enterprise.common.labels" . | nindent 4 }} - annotations: - {{- if not .Release.IsInstall }} - {{- include "enterprise.common.annotations" (merge (dict "nil" true) .) | nindent 4}} - "helm.sh/hook": pre-upgrade - "helm.sh/hook-weight": "0" - "helm.sh/hook-delete-policy": before-hook-creation - {{- else }} - {{- include "enterprise.common.annotations" . | nindent 4}} - {{- end }} - + annotations: {{- include "enterprise.common.annotations" . | nindent 4}} data: {{ .Values.scripts | toYaml | nindent 2 }} diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index b75aa59f..7712635e 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: feeds type: application -version: "0.0.11" +version: "0.0.12" appVersion: "4.9.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: Anchore feeds service diff --git a/stable/feeds/templates/scripts_configmap.yaml b/stable/feeds/templates/scripts_configmap.yaml index 2234e0b8..f65aac75 100644 --- a/stable/feeds/templates/scripts_configmap.yaml +++ b/stable/feeds/templates/scripts_configmap.yaml @@ -5,16 +5,7 @@ metadata: name: {{ .Release.Name }}-feeds-scripts namespace: {{ .Release.Namespace }} labels: {{- include "feeds.common.labels" . | nindent 4 }} - annotations: - {{- if not .Release.IsInstall }} - {{- include "feeds.common.annotations" (merge (dict "nil" true) .) | nindent 4 }} - "helm.sh/hook": pre-upgrade - "helm.sh/hook-weight": "0" - "helm.sh/hook-delete-policy": before-hook-creation - {{- else }} - {{- include "feeds.common.annotations" . | nindent 4 }} - {{- end }} - + annotations: {{- include "feeds.common.annotations" . | nindent 4 }} data: {{ .Values.scripts | toYaml | nindent 2 }} {{- end }} From 44ca82231e6c5bd15e258e0119120f0abc3a6257 Mon Sep 17 00:00:00 2001 
From: Hung Nguyen Date: Fri, 29 Sep 2023 20:20:34 -0400 Subject: [PATCH 233/329] bumping image version to 4.9.2 for enterprise (#141) * updating feeds script configmap, bumping chart versions * update scripts configmap annotations, update tests * bumping image version to 4.9.2 for enterprise * update tests --------- Signed-off-by: Hung Nguyen Signed-off-by: Brady Todhunter Co-authored-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/templates/engine_configmap.yaml | 1 + stable/anchore-engine/values.yaml | 2 +- stable/enterprise/Chart.yaml | 4 ++-- stable/enterprise/files/default_config.yaml | 4 ++++ stable/enterprise/templates/envvars_configmap.yaml | 3 +++ .../tests/__snapshot__/configmap_test.yaml.snap | 7 +++++++ .../__snapshot__/prehook_upgrade_resources_test.yaml.snap | 2 +- stable/enterprise/values.yaml | 2 +- stable/feeds/Chart.yaml | 4 ++-- stable/feeds/files/default_config.yaml | 5 +++++ stable/feeds/templates/envvars_configmap.yaml | 3 +++ stable/feeds/tests/__snapshot__/configmap_test.yaml.snap | 8 ++++++++ .../__snapshot__/prehook_upgrade_resources_test.yaml.snap | 2 +- stable/feeds/values.yaml | 2 +- 15 files changed, 41 insertions(+), 10 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index c5625929..0e4e556e 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.28.0 +version: 1.28.1 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index fde3c424..48340a1c 100644 --- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml 
@@ -233,6 +233,7 @@ data: {{- end }} runtime_inventory: image_ttl_days: {{ .Values.anchoreCatalog.runtimeInventory.imageTTLDays }} + image_ingest_overwrite: {{ default false .Values.anchoreCatalog.runtimeInventory.imageIngestOverwrite }} down_analyzer_task_requeue: {{ .Values.anchoreCatalog.downAnalyzerTaskRequeue }} simplequeue: enabled: true diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 3b315357..b2a6c565 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -765,7 +765,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.9.1 + image: docker.io/anchore/enterprise:v4.9.2 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index a81278c0..f7bccba6 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: enterprise -version: "0.0.20" -appVersion: "4.9.1" +version: "0.0.21" +appVersion: "4.9.2" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems, diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml index 85a633ea..9802d981 100644 --- a/stable/enterprise/files/default_config.yaml +++ b/stable/enterprise/files/default_config.yaml 
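Review bot: `image_ingest_overwrite` reads `.Values.anchoreCatalog.runtimeInventory.imageIngestOverwrite`, but this patch's diffstat touches `stable/anchore-engine/values.yaml` only for the image tag, so the new key is neither declared nor documented there and users can only discover it by reading the template. Add `imageIngestOverwrite: false` under `anchoreCatalog.runtimeInventory` in `values.yaml` with a comment on what overwriting an already-ingested runtime inventory image record means; once it is declared, the `default false` wrapper on this line becomes redundant and can go.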
@@ -14,6 +14,9 @@ server_request_timeout_seconds: ${ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC} license_file: ${ANCHORE_LICENSE_FILE} auto_restart_services: false +max_source_import_size_mb: ${ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB} +max_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB} + max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB} metrics: @@ -110,6 +113,7 @@ services: event_log: {{- toYaml .Values.anchoreConfig.catalog.event_log | nindent 6 }} runtime_inventory: image_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_TTL_DAYS} + image_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_INGEST_OVERWRITE} image_gc: max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS} runtime_compliance: diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index 1a90532a..482d2bc4 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml +++ b/stable/enterprise/templates/envvars_configmap.yaml @@ -51,6 +51,7 @@ data: ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER: "true" ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE: "true" ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_TTL_DAYS: "120" + ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_INGEST_OVERWRITE: "false" {{- with .Values.anchoreConfig.notifications.ui_url }} ANCHORE_ENTERPRISE_UI_URL: "{{ . }}" {{- else }} @@ -74,6 +75,8 @@ data: ANCHORE_LICENSE_FILE: "/home/anchore/license.yaml" ANCHORE_LOG_LEVEL: "{{ .Values.anchoreConfig.log_level }}" ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB: "-1" + ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB: "100" + ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB: "100" ANCHORE_MAX_REQUEST_THREADS: "50" ANCHORE_OAUTH_ENABLED: "{{ .Values.anchoreConfig.user_authentication.oauth.enabled }}" ANCHORE_OAUTH_TOKEN_EXPIRATION: "{{ .Values.anchoreConfig.user_authentication.oauth.default_token_expiration_seconds }}" 
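Review bot: The two new import caps are hard-coded as `"100"` in envvars_configmap.yaml rather than sourced from values, so unlike values-driven neighbours such as `ANCHORE_LOG_LEVEL: "{{ .Values.anchoreConfig.log_level }}"` an operator cannot tune `max_source_import_size_mb` / `max_import_content_size_mb` without replacing the whole configmap. If these bound the size of user-supplied import payloads, as the names suggest (an inference; the consuming code is not in this diff), the limit is something deployments will want to raise or lower deliberately, so wiring them as `ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB: "{{ .Values.anchoreConfig.max_import_content_size_mb }}"` (and the source variant) with documented defaults of 100 in values.yaml would keep the cap visible and reviewable. The same applies to the feeds chart hunks further down, which add the identical three variables including `ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB: "-1"`, where a comment stating what `-1` means (presumably unlimited) would help. The `data:` map of each configmap starts and ends outside these hunks.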
diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 60d6e9a2..8506eb9c 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -60,6 +60,9 @@ should render the configmaps: license_file: ${ANCHORE_LICENSE_FILE} auto_restart_services: false + max_source_import_size_mb: ${ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB} + max_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB} + max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB} metrics: @@ -164,6 +167,7 @@ should render the configmaps: - error runtime_inventory: image_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_TTL_DAYS} + image_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_INGEST_OVERWRITE} image_gc: max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS} runtime_compliance: @@ -366,6 +370,7 @@ should render the configmaps: ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER: "true" ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER: "true" ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE: "true" + ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_INGEST_OVERWRITE: "false" ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_TTL_DAYS: "120" ANCHORE_ENTERPRISE_UI_URL: test-release-enterprise-ui ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED: "false" @@ -386,6 +391,8 @@ should render the configmaps: ANCHORE_LICENSE_FILE: /home/anchore/license.yaml ANCHORE_LOG_LEVEL: INFO ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB: "-1" + ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB: "100" + ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB: "100" ANCHORE_MAX_REQUEST_THREADS: "50" ANCHORE_OAUTH_ENABLED: "false" ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION: "86400" 
diff --git a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index 25250331..7b9a57ba 100644 --- a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -143,6 +143,6 @@ should render proper initContainers: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v4.9.1 + image: docker.io/anchore/enterprise:v4.9.2 imagePullPolicy: IfNotPresent name: wait-for-db diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index c6c28eaf..3ca2b64c 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -18,7 +18,7 @@ global: ## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI ## -image: docker.io/anchore/enterprise:v4.9.1 +image: docker.io/anchore/enterprise:v4.9.2 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index 7712635e..f11e9293 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: feeds type: application -version: "0.0.12" -appVersion: "4.9.1" +version: "0.0.13" +appVersion: "4.9.2" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: Anchore feeds service keywords: diff --git a/stable/feeds/files/default_config.yaml b/stable/feeds/files/default_config.yaml index 266fe303..3fe9668f 100644 --- a/stable/feeds/files/default_config.yaml +++ b/stable/feeds/files/default_config.yaml 
@@ -12,6 +12,11 @@ server_request_timeout_seconds: ${ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC} license_file: ${ANCHORE_LICENSE_FILE} auto_restart_services: false +max_source_import_size_mb: ${ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB} +max_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB} + +max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB} + metrics: enabled: ${ANCHORE_ENABLE_METRICS} auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH} diff --git a/stable/feeds/templates/envvars_configmap.yaml b/stable/feeds/templates/envvars_configmap.yaml index 93e4eb3a..60a6e3a5 100644 --- a/stable/feeds/templates/envvars_configmap.yaml +++ b/stable/feeds/templates/envvars_configmap.yaml @@ -70,6 +70,9 @@ data: ANCHORE_INTERNAL_SSL_VERIFY: "{{ .Values.anchoreConfig.internalServicesSSL.verifyCerts }}" ANCHORE_LICENSE_FILE: "/home/anchore/license.yaml" ANCHORE_LOG_LEVEL: "{{ .Values.anchoreConfig.log_level }}" + ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB: "-1" + ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB: "100" + ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB: "100" ANCHORE_MAX_REQUEST_THREADS: "50" ANCHORE_NVD_API_KEY: "null" ANCHORE_OAUTH_ENABLED: "{{ .Values.anchoreConfig.user_authentication.oauth.enabled }}" diff --git a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap index 414b8ec1..2ea50bf6 100644 --- a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap @@ -19,6 +19,11 @@ should render the configmaps: license_file: ${ANCHORE_LICENSE_FILE} auto_restart_services: false + max_source_import_size_mb: ${ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB} + max_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB} + + max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB} + metrics: enabled: ${ANCHORE_ENABLE_METRICS} auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH} 
@@ -185,6 +190,9 @@ should render the configmaps: ANCHORE_INTERNAL_SSL_VERIFY: "false" ANCHORE_LICENSE_FILE: /home/anchore/license.yaml ANCHORE_LOG_LEVEL: INFO + ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB: "-1" + ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB: "100" + ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB: "100" ANCHORE_MAX_REQUEST_THREADS: "50" ANCHORE_NVD_API_KEY: "null" ANCHORE_OAUTH_ENABLED: "false" diff --git a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index c0f3f490..35c8009d 100644 --- a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -143,6 +143,6 @@ should render proper initContainers: value: test-release-feeds - name: ANCHORE_PORT value: "8448" - image: docker.io/anchore/enterprise:v4.9.1 + image: docker.io/anchore/enterprise:v4.9.2 imagePullPolicy: IfNotPresent name: wait-for-db diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml index 575d3e43..985130cb 100644 --- a/stable/feeds/values.yaml +++ b/stable/feeds/values.yaml @@ -21,7 +21,7 @@ nameOverride: "" ## @param image Image used for feeds deployment ## -image: docker.io/anchore/enterprise:v4.9.1 +image: docker.io/anchore/enterprise:v4.9.2 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy From 7885eaff6c39a529e916ea71f6292c10ccebe596 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Tue, 3 Oct 2023 07:47:24 -0700 Subject: [PATCH 234/329] allow specifying multiple paths on feeds chart Signed-off-by: Brady Todhunter --- stable/feeds/Chart.yaml | 2 +- stable/feeds/templates/ingress.yaml | 20 ++++++++++++++------ stable/feeds/values.yaml | 7 ++++--- 3 files changed, 19 insertions(+), 10 deletions(-) diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index f11e9293..148158cd 100644 
--- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: feeds type: application -version: "0.0.13" +version: "0.1.0" appVersion: "4.9.2" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: Anchore feeds service diff --git a/stable/feeds/templates/ingress.yaml b/stable/feeds/templates/ingress.yaml index 62d99bdd..4e98d14f 100644 --- a/stable/feeds/templates/ingress.yaml +++ b/stable/feeds/templates/ingress.yaml @@ -12,8 +12,14 @@ kind: Ingress metadata: name: {{ template "feeds.fullname" . }} namespace: {{ .Release.Namespace }} - labels: {{- include "feeds.common.labels" (merge (dict "component" $component) .) | nindent 4 }} - annotations: {{- include "feeds.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} + labels: {{- include "feeds.common.labels" . | nindent 4 }} + {{- with .Values.ingress.labels }} + {{- . | toYaml | nindent 4 }} + {{- end }} + annotations: {{- include "feeds.common.annotations" (merge (dict "nil" true) .) | nindent 4 }} + {{- with .Values.ingress.annotations }} + {{- . | toYaml | nindent 4 }} + {{- end }} spec: {{- if .Values.ingress.ingressClassName }} ingressClassName: {{ .Values.ingress.ingressClassName }} @@ -30,11 +36,12 @@ spec: {{- end }} rules: {{- if .Values.ingress.hosts }} - {{- range .Values.ingress.hosts }} - - host: {{ . | quote }} + {{- range $hostIndex, $host := .Values.ingress.hosts }} + - host: {{ $host | quote }} http: paths: - - path: {{ $.Values.ingress.path }} + {{- range $pathIndex, $path := $.Values.ingress.paths }} + - path: {{ $path }} {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} pathType: Prefix backend: 
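Review bot: The labels block now merges `.Values.ingress.labels`, but this commit's values.yaml hunk adds only `annotations: {}` and `paths`, so `ingress.labels` has no documented entry; the `with` guard keeps rendering correct when it is absent, but the knob is invisible to users. Add `labels: {}` with a `## @param ingress.labels` comment next to `annotations`. In the second hunk `- path: {{ $path }}` is emitted unquoted, while the anchore-engine chart quotes its API paths; `- path: {{ $path | quote }}` keeps the charts consistent and stops a user-supplied value from being reinterpreted by YAML. The `(dict "nil" true)` passed to `feeds.common.annotations` is presumably a sentinel the helper understands; a short comment on that line would help since the helper is outside this diff, and the `metadata:` block it belongs to continues past the hunk.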
@@ -47,11 +54,12 @@ spec: serviceName: {{ template "feeds.fullname" $ }} servicePort: {{ $.Values.service.port }} {{- end }} + {{- end }} {{- end }} {{- else }} - http: paths: - {{- with .Values.ingress.path }} + {{- range .Values.ingress.paths }} - path: {{ . }} {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} pathType: Prefix diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml index 985130cb..d2bad856 100644 --- a/stable/feeds/values.yaml +++ b/stable/feeds/values.yaml @@ -536,8 +536,7 @@ ingress: ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md ## ref: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features ## - annotations: - kubernetes.io/ingress.class: nginx + annotations: {} ## @param ingress.hosts List of custom hostnames for the Anchore Feeds API ## @@ -545,7 +544,9 @@ ingress: ## @param ingress.path The path used for accessing the Anchore Feeds API ## - path: /v1/feeds + paths: + - /v1/feeds/ + - /v2/feeds/ ## @param ingress.tls Configure tls for the ingress resource ## Secrets must be manually created in the release namespace From fca9cd55c809704ac24b534d554ef5ab6d41789b Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Tue, 3 Oct 2023 07:47:39 -0700 Subject: [PATCH 235/329] allow specifying multiple paths on enterprise chart Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 44 ++++++++++++++++++++---- stable/enterprise/templates/ingress.yaml | 44 ++++++++++++++---------- stable/enterprise/values.yaml | 16 ++++++--- 4 files changed, 75 insertions(+), 31 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index f7bccba6..c31d216e 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml 
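Review bot: Renaming `path` to `paths` in values.yaml without a compatibility check means an existing override of `ingress.path` is silently ignored and the chart's new defaults `/v1/feeds/` and `/v2/feeds/` are rendered instead, changing what the ingress routes with no error. A guard near the top of ingress.yaml, `{{- if .Values.ingress.path }}{{ fail "ingress.path has been replaced by ingress.paths (a list)" }}{{- end }}`, surfaces the rename at install time, and the retained `## @param ingress.path` comment above the new key should become `## @param ingress.paths` so the README generator documents the right key. Dropping the default `kubernetes.io/ingress.class: nginx` annotation is likewise a behaviour change for existing installs: which controller, if any, claims the Ingress now depends on `ingressClassName` or the cluster's default IngressClass, which deserves a README or changelog mention. The `rules:` list in the template starts before these hunks.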
@@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.0.21" +version: "0.1.0" appVersion: "4.9.2" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 39c2042f..d5f4d443 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -321,19 +321,30 @@ The [Kubernetes ALB ingress controller](https://docs.aws.amazon.com/eks/latest/u ingress: enabled: true annotations: - kubernetes.io/ingress.class: alb alb.ingress.kubernetes.io/scheme: internet-facing - apiPath: /v1/* - uiPath: /* + ingressClassName: alb + apiHosts: - anchore-api.example.com uiHosts: - anchore-ui.example.com + feedsHosts: + - anchore-feeds.example.com + reportsHosts: + - anchore-reports.example.com api: service: type: NodePort +feeds: + service: + type: NodePort + +reports: + service: + type: NodePort + ui: service: type: NodePort @@ -346,19 +357,40 @@ The [Kubernetes GCE ingress controller](https://cloud.google.com/kubernetes-engi ```yaml ingress: enabled: true - annotations: - kubernetes.io/ingress.class: gce - apiPath: /v1/* + ingressClassName: gce + apiPaths: + - /v1/* + - /v2/* + - /version/* + feedsPaths: + - /v1/feeds/* + - /v2/feeds/* + reportsPaths: + - /v1/reports/* + - /v2/reports/* uiPath: /* + apiHosts: - anchore-api.example.com uiHosts: - anchore-ui.example.com + feedsHosts: + - anchore-feeds.example.com + reportsHosts: + - anchore-reports.example.com api: service: type: NodePort +feeds: + service: + type: NodePort + +reports: + service: + type: NodePort + ui: service: type: NodePort diff --git a/stable/enterprise/templates/ingress.yaml b/stable/enterprise/templates/ingress.yaml index 25bec7e6..ed71ad72 100644 --- a/stable/enterprise/templates/ingress.yaml +++ b/stable/enterprise/templates/ingress.yaml 
@@ -30,11 +30,12 @@ spec: {{- end }} rules: {{- if or .Values.ingress.apiHosts .Values.ingress.uiHosts .Values.ingress.feedsHosts .Values.ingress.reportsHosts }} - {{- range .Values.ingress.apiHosts }} - - host: {{ . | quote }} + {{- range $apiHostIndex, $apiHostName := .Values.ingress.apiHosts }} + - host: {{ $apiHostName | quote }} http: paths: - - path: {{ $.Values.ingress.apiPath }} + {{- range $apiPathIndex, $apiPath := $.Values.ingress.apiPaths }} + - path: {{ $apiPath }} {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} pathType: Prefix backend: @@ -47,9 +48,10 @@ spec: serviceName: {{ template "enterprise.api.fullname" $ }} servicePort: {{ $.Values.api.service.port }} {{- end }} + {{- end }} {{- end }} - {{- range .Values.ingress.uiHosts }} - - host: {{ . | quote }} + {{- range $uiHostIndex, $uiHostName := .Values.ingress.uiHosts }} + - host: {{ $uiHostName | quote }} http: paths: - path: {{ $.Values.ingress.uiPath }} @@ -66,11 +68,12 @@ spec: servicePort: {{ $.Values.ui.service.port }} {{- end }} {{- end }} - {{- range .Values.ingress.feedsHosts }} - - host: {{ . | quote }} + {{- range $feedsHostIndex, $feedsHostName := .Values.ingress.feedsHosts }} + - host: {{ $feedsHostName | quote }} http: paths: - - path: {{ $.Values.ingress.feedsPath }} + {{- range $feedsPathIndex, $feedsPath := $.Values.ingress.feedsPaths }} + - path: {{ $feedsPath }} {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} pathType: Prefix backend: 
@@ -83,29 +86,32 @@ spec: serviceName: {{ template "enterprise.feeds.fullname" $ }} servicePort: {{ $.Values.feeds.service.port }} {{- end }} + {{- end }} {{- end }} - {{- range .Values.ingress.reportsHosts }} - - host: {{ . | quote }} + {{- range $reportsHostIndex, $reportsHostName := .Values.ingress.reportsHosts }} + - host: {{ $reportsHostName | quote }} http: paths: - - path: {{ $.Values.ingress.reportsPath }} + {{- range $reportsPathIndex, $reportsPath := $.Values.ingress.reportsPaths }} + - path: {{ $reportsPath }} {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} pathType: Prefix backend: service: name: {{ template "enterprise.api.fullname" $ }} port: - number: {{ $.Values.reports.service.port }} + number: {{ $.Values.api.service.reportsPort }} {{- else }} backend: serviceName: {{ template "enterprise.api.fullname" $ }} - servicePort: {{ $.Values.reports.service.port }} + servicePort: {{ $.Values.api.service.reportsPort }} {{- end }} + {{- end }} {{- end }} {{- else }} - http: paths: - {{- with .Values.ingress.apiPath }} + {{- range .Values.ingress.apiPaths }} - path: {{ . }} {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} pathType: Prefix @@ -135,7 +141,7 @@ spec: servicePort: {{ $.Values.ui.service.port }} {{- end }} {{- end }} - {{- with .Values.ingress.feedsPath }} + {{- range .Values.ingress.feedsPaths }} - path: {{ . }} {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} pathType: Prefix @@ -147,10 +153,10 @@ spec: {{- else }} backend: serviceName: {{ template "enterprise.feeds.fullname" $ }} - servicePort: {{ $.Values.feeds.feeds.service.port }} + servicePort: {{ $.Values.feeds.service.port }} {{- end }} {{- end }} - {{- with .Values.ingress.reportsPath }} + {{- range .Values.ingress.reportsPaths }} - path: {{ . }} {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} pathType: Prefix 
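Review bot: The reports backend now uses `$.Values.api.service.reportsPort` instead of `$.Values.reports.service.port`, yet this commit's values.yaml hunk touches only the `ingress` section; unless `api.service.reportsPort` already exists outside this diff, `number:` renders empty and the Ingress is rejected by the API server, so please confirm the value exists or add it with a documented default. The same substitution appears again in the host-less branch at the next hunk (`@@ -158,11`). Separately, `uiPath` stays a single scalar while `apiPaths`, `feedsPaths` and `reportsPaths` became lists, giving the template two shapes for the same concept; either make `uiPaths` a list too or note in values.yaml why the UI is the exception. The `spec:` block of the Ingress starts before and ends after these hunks.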
@@ -158,11 +164,11 @@ spec: service: name: {{ template "enterprise.api.fullname" $ }} port: - number: {{ $.Values.reports.service.port }} + number: {{ $.Values.api.service.reportsPort }} {{- else }} backend: serviceName: {{ template "enterprise.api.fullname" $ }} - servicePort: {{ $.Values.reports.service.port }} + servicePort: {{ $.Values.api.service.reportsPort }} {{- end }} {{- end }} {{- end }} diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 3ca2b64c..092673bb 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -1241,8 +1241,7 @@ ingress: ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md ## ref: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features ## - annotations: - kubernetes.io/ingress.class: nginx + annotations: {} ## @param ingress.apiHosts List of custom hostnames for the Anchore API ## @@ -1250,7 +1249,10 @@ ingress: ## @param ingress.apiPath The path used for accessing the Anchore API ## - apiPath: /v2/ + apiPaths: + - /v1/ + - /v2/ + - /version/ ## @param ingress.uiHosts List of custom hostnames for the Anchore UI ## @@ -1267,7 +1269,9 @@ ingress: ## @param ingress.feedsPath The path used for accessing the Anchore Feeds API ## Exposing the feeds API is for special cases only, use /v2/feeds for ingress.feedsPath ## - feedsPath: "" + feedsPaths: + - /v1/feeds/ + - /v2/feeds/ ## @param ingress.reportsHosts List of custom hostnames for the Anchore Reports API ## @@ -1276,7 +1280,9 @@ ingress: ## @param ingress.reportsPath The path used for accessing the Anchore Reports API ## Exposing the reports API enables the GraphQL interface, use /v2/reports/graphql for ingress.reportsPath ## - reportsPath: "" + reportsPaths: + - /v1/reports/ + - /v2/reports/ ## @param ingress.tls Configure tls for the ingress resource ## Secrets must be manually created in the release namespace 
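Review bot: The new defaults `feedsPaths` (`/v1/feeds/`, `/v2/feeds/`) and `reportsPaths` (`/v1/reports/`, `/v2/reports/`) replace `feedsPath: ""` and `reportsPath: ""`, so an installation that enables the ingress now publishes the feeds and reports APIs, including the GraphQL interface the comment mentions, where previously an operator had to opt in. The retained comments directly above still say exposing feeds is "for special cases only", which now contradicts the default; either restore the opt-in behaviour with `feedsPaths: []` / `reportsPaths: []` or rewrite the comments and call out the larger default exposure in the README. The `## @param ingress.feedsPath` / `## @param ingress.reportsPath` comment keys should also be renamed to `feedsPaths` / `reportsPaths` so the README generator picks them up. The `ingress:` section continues beyond these hunks.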
From 12cce9a12e96066be146a5e79cb4dd00e178824b Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Tue, 3 Oct 2023 07:48:01 -0700 Subject: [PATCH 236/329] fix anchore-engine ingress to use proper nested range loops Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/templates/ingress.yaml | 28 ++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 0e4e556e..e48d2ddc 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.28.1 +version: 1.28.2 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/templates/ingress.yaml b/stable/anchore-engine/templates/ingress.yaml index a2872a34..d4d7a3b0 100644 --- a/stable/anchore-engine/templates/ingress.yaml +++ b/stable/anchore-engine/templates/ingress.yaml @@ -43,12 +43,12 @@ spec: {{- end }} rules: {{- if or .Values.ingress.apiHosts .Values.ingress.uiHosts .Values.ingress.feedsHosts .Values.ingress.reportsHosts }} - {{- range .Values.ingress.apiHosts }} - - host: {{ . | quote }} + {{- range $apiHostIndex, $apiHostName := .Values.ingress.apiHosts }} + - host: {{ $apiHostName | quote }} http: paths: - {{- range .Values.ingress.apiPaths }} - - path: {{ . | quote }} + {{- range $apiPathIndex, $apiPath := $.Values.ingress.apiPaths }} + - path: {{ $apiPath | quote }} {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} pathType: Prefix backend: @@ -63,8 +63,8 @@ spec: {{- end }} {{- end }} {{- end }} - {{- range .Values.ingress.uiHosts }} - - host: {{ . | quote }} + {{- range $uiHostIndex, $uiHostName := .Values.ingress.uiHosts }} + - host: {{ $uiHostName | quote }} http: paths: - path: {{ $.Values.ingress.uiPath }} 
@@ -81,12 +81,12 @@ spec: servicePort: {{ $.Values.anchoreEnterpriseUi.service.port }} {{- end }} {{- end }} - {{- range .Values.ingress.feedsHosts }} - - host: {{ . | quote }} + {{- range $feedsHostIndex, $feedsHostName := .Values.ingress.feedsHosts }} + - host: {{ $feedsHostName | quote }} http: paths: - {{ range .Values.ingress.feedsPaths }} - - path: {{ . }} + {{ range $feedsPathIndex, $feedsPath := $.Values.ingress.feedsPaths }} + - path: {{ $feedsPath }} {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} pathType: Prefix backend: @@ -101,12 +101,12 @@ spec: {{- end }} {{- end }} {{- end }} - {{- range .Values.ingress.reportsHosts }} - - host: {{ . | quote }} + {{- range $reportsHostIndex, $reportsHostName := .Values.ingress.reportsHosts }} + - host: {{ $reportsHostName | quote }} http: paths: - {{- range .Values.ingress.reportsPaths }} - - path: {{ . }} + {{- range $reportsPathIndex, $reportsPath := $.Values.ingress.reportsPaths }} + - path: {{ $reportsPath }} {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} pathType: Prefix backend: From 2e1c4b61defc1c0e35bef1d22d1a9faa63a49f1a Mon Sep 17 00:00:00 2001 From: Juan Date: Mon, 9 Oct 2023 20:39:06 +0100 Subject: [PATCH 237/329] chore: update docs with improved migration guidelines (#140) * chore: update docs with improve migration guidelines --------- Signed-off-by: juanjsebgarcia --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 62 +++++++++++++++++++++--------------- 2 files changed, 37 insertions(+), 27 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index c31d216e..cc48f80c 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.1.0" +version: "0.1.1" appVersion: "4.9.2" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | 
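Review bot: The feeds loop is written `{{ range $feedsPathIndex, $feedsPath := ... }}` without the left-trim dash, unlike the api and reports loops (`{{- range ...`), so every feeds host gets an extra whitespace-only line inside `paths:`; change it to `{{- range $feedsPathIndex, $feedsPath := $.Values.ingress.feedsPaths }}`. The same hunk and the reports hunk emit `- path: {{ $feedsPath }}` and `- path: {{ $reportsPath }}` unquoted, whereas the api loop in the previous hunk uses `{{ $apiPath | quote }}`; quoting all three keeps user-supplied paths from being reinterpreted by YAML and makes the three loops read identically. The `rules:` list these loops populate continues outside the hunks.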
diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md
index d5f4d443..0e278380 100644
--- a/stable/enterprise/README.md
+++ b/stable/enterprise/README.md
@@ -76,7 +76,7 @@ This guide covers deploying Anchore Enterprise on a Kubernetes cluster with the ```shell export RELEASE=my-release
- export ANCHORECTL_PASSWORD=$(kubectl get secret "${RELEASE}-enterprise" -o ‘go-template={{index .data “ANCHORE_ADMIN_PASSWORD”}}’ | base64 -D -)
+ export ANCHORECTL_PASSWORD=$(kubectl get secret "${RELEASE}-enterprise" -o ‘go-template={{index .data “ANCHORE_ADMIN_PASSWORD”}}’ | base64 -d -)
 kubectl port-forward svc/${RELEASE}-enterprise-api 8228:8228 # port forward for anchorectl in another terminal anchorectl system wait # anchorectl defaults to the user admin, and to the password ${ANCHORECTL_PASSWORD} automatically if set ``` 
@@ -646,17 +646,18 @@ ui-redis: ### Migrating to the Anchore Enterprise Helm Chart -This guide provides steps for transitioning from an Anchore Engine Helm chart deployment to the updated Anchore Enterprise Helm chart, a necessary step for users planning to upgrade to Anchore Enterprise version 5.0.0 or later. +This guide provides steps for transitioning from an Anchore Engine Helm chart deployment to the updated Anchore Enterprise Helm chart, a necessary step for users planning to upgrade to Anchore Enterprise version v5.0.0 or later. > :warning: **Warning**: The values file used by the Anchore Enterprise Helm chart is different from the one used by the Anchore Engine Helm chart. Make sure to convert your existing values file accordingly. -A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts) is available to automate the conversion of your Anchore Engine values file to the new Enterprise format. +A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts) is available to automate the conversion of your Anchore Engine values file to the new Enterprise format. A usage +example is provided below. #### Migration Prerequisites -- **Anchore Version**: Ensure that your current deployment is running Anchore Enterprise version 4.9.0 or higher. +- **Anchore Version**: Ensure that your current deployment is running Anchore Enterprise version 4.9.0 or higher (but not v5.0.0+). -- **PostgreSQL Version**: You need PostgreSQL version 13 or higher. For upgrading your existing PostgreSQL installation, refer to the official [PostgreSQL documentation](https://www.postgresql.org/docs/13/upgrading.html). +- **PostgreSQL Version**: You need PostgreSQL version 13 or higher. For upgrading your existing PostgreSQL installation, refer to the official [PostgreSQL documentation](https://www.postgresql.org/docs/13/upgrading.html). Database migration help is provided below. > **Note:** This chart deploys PostgreSQL 13 by default. 
- **Runtime Environment**: Docker or Podman must be installed on the machine where the migration will run. @@ -665,14 +666,14 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts #### Step-by-Step Migration Process -1. **Generate a New Enterprise Values File**: Use the migration script to convert your existing Anchore Engine values file to the new Anchore Enterprise format. This command mounts a local volume to persistently store the output files, and it mounts the input values file within the container for conversion.It's imperative to review both the output and the new [values file](values.yaml) before moving forward. +1. **Generate a New Enterprise Values File**: Use the migration script to convert your existing Anchore Engine values file to the new Anchore Enterprise format. This command mounts a local volume to persistently store the output files, and it mounts the input values file within the container for conversion. It's imperative to review both the output and the new [values file](values.yaml) before moving forward. ```shell - export VALUES_FILE_NAME=my-values-file.yaml + export VALUES_FILE_NAME=my-values-file.yaml # Existing Engine chart values file docker run -v ${PWD}:/tmp -v ${PWD}/${VALUES_FILE_NAME}:/app/${VALUES_FILE_NAME} docker.io/anchore/enterprise-helm-migrator:latest -e /app/${VALUES_FILE_NAME} -d /tmp/output ``` -For anchore enterprise 4.9.x, you will need to additionally set the following values in your values file to use the v1 api of Anchore. +:rotating_light: For Anchore enterprise ">= 4.9.0, < 5.0.0", you will need to additionally set the following values in your values file to use the v1 api of Anchore. These will need to be removed once you upgrade to v5.0.0+ ``` api: service: 
@@ -697,6 +698,7 @@ rbacManager: export NAMESPACE=anchore kubectl scale deployment --replicas=0 -l app=${ENGINE_RELEASE}-anchore-engine -n ${NAMESPACE} ``` +1. **Perform database upgrade**: Upgrade your external database, we suggest you make a backup first. If using a managed cloud database service refer to their documentation. 1. **Deploy Anchore Enterprise**: Use the converted values file to deploy the new Anchore Enterprise Helm chart. @@ -731,10 +733,11 @@ rbacManager: --set startMigrationPod=true --set migrationAnchoreEngineSecretName=${ENGINE_RELEASE}-anchore-engine ``` + As an example with the above commands: ```shell export ENGINE_RELEASE=my-engine-release export ENTERPRISE_RELEASE=my-enterprise-release - export VALUES_FILE_NAME=${PWD}/output/my-values-file.yaml + export VALUES_FILE_NAME=${PWD}/output/my-values-file.yaml # The converted file helm install ${ENTERPRISE_RELEASE} -n ${NAMESPACE} -f ${VALUES_FILE_NAME} --set upgradeJob.force=true --set startMigrationPod=true anchore/enterprise --set migrationAnchoreEngineSecretName=${ENGINE_RELEASE}-anchore-engine ``` 
@@ -746,26 +749,26 @@ rbacManager: 1. **Database Preparation**: Replace the existing Anchore database with a new database in PostgreSQL 13. - 1. If you set startMigrationPod=true as per the step above, you can exec into the migrator pod to run the commands. + 1. If you set startMigrationPod=true as per the step above, you can exec into the migrator pod to run the commands. ```shell - kubectl -n exec -it -enterprise-migrate-db - PGPASSWORD=$NEW_DB_PASSWORD dropdb -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} ${NEW_DB_NAME}; PGPASSWORD=$NEW_DB_PASSWORD psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} -c "CREATE DATABASE ${NEW_DB_NAME}" postgres + kubectl -n ${NAMESPACE} exec -it ${ENTERPRISE_RELEASE}-enterprise-migrate-db + PGPASSWORD=${NEW_DB_PASSWORD} dropdb -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} ${NEW_DB_NAME}; PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} -c "CREATE DATABASE ${NEW_DB_NAME}" postgres ``` -2. **Data Migration**: Migrate data from the old Anchore Engine database to the new Anchore Enterprise database. - 1. If you are using the included migration helper pod, the exec to that pod and run the following command: - ```shell - kubectl -n exec -it -enterprise-migrate-db - PGPASSWORD=${OLD_DB_PASSWORD} pg_dump -h ${OLD_DB_HOST} -U ${OLD_DB_USERNAME} -c ${OLD_DB_NAME} | PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} ${NEW_DB_NAME} - ``` - 2. If you are using your own pod then follow these steps - 1. Gather old DB parameters from the secret -anchore-engine - 2. Gather new DB parameters from the new secret -enterprise - 3. Start a migration pod that has all the psql binaries required e.g. docker.io/postgresql:13 - 4. Export all the required environment variables - ```shell - PGPASSWORD=${OLD_DB_PASSWORD} pg_dump -h ${OLD_DB_HOST} -U ${OLD_DB_USERNAME} -c ${OLD_DB_NAME} | PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} ${NEW_DB_NAME} - ``` + 1. 
**Data Migration**: Migrate data from the old Anchore Engine database to the new Anchore Enterprise database. + 1. If you are using the included migration helper pod, the exec to that pod and run the following command: + ```shell + kubectl -n ${NAMESPACE} exec -it ${ENTEPRRISE_RELEASE}-enterprise-migrate-db + PGPASSWORD=${OLD_DB_PASSWORD} pg_dump -h ${OLD_DB_HOST} -U ${OLD_DB_USERNAME} -c ${OLD_DB_NAME} | PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} ${NEW_DB_NAME} + ``` + 2. If you are using your own pod then follow these steps + 1. Gather old DB parameters from the secret ${OLD_ENGINE_RELEASE}-anchore-engine + 2. Gather new DB parameters from the new secret ${NEW_ENTERPRISE_RELEASE}-enterprise + 3. Start a migration pod that has all the psql binaries required e.g. docker.io/postgresql:13 + 4. Export all the required environment variables + ```shell + PGPASSWORD=${OLD_DB_PASSWORD} pg_dump -h ${OLD_DB_HOST} -U ${OLD_DB_USERNAME} -c ${OLD_DB_NAME} | PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} ${NEW_DB_NAME} + ``` 1. **Upgrade Anchore Enterprise**: After migrating the data, upgrade the Anchore Enterprise Helm deployment. @@ -778,6 +781,13 @@ rbacManager: ```shell helm uninstall ${ENGINE_RELEASE} -n ${NAMESPACE} ``` + You may now have old engine persistent volume claims to delete. Delete these only when you are confident with the new Enterprise Chart deployment. + ```shell + kubectl get pvc + kubectl delete pvc ${ENGINE_RELEASE}-anchore-engine-enterprise-feeds + kubectl delete pvc ${ENGINE_RELEASE}-anchore-feeds-db + kubectl delete pvc ${ENGINE_RELEASE}-postgresql + ``` ## Parameters From 886fe94a8997ee18fd5a180cfa03ae48f458318e Mon Sep 17 00:00:00 2001 From: Zach Hill Date: Mon, 9 Oct 2023 12:50:48 -0700 Subject: [PATCH 238/329] fix: udpate readme and set chart to 0.1.x instead of 0.0.x (#128) 
Signed-off-by: Zach Hill --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 18 ++---------------- 2 files changed, 3 insertions(+), 17 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index cc48f80c..15cec6ff 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.1.1" +version: "0.1.2" appVersion: "4.9.2" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 0e278380..42802d74 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -16,6 +16,7 @@ See the [Anchore Enterprise Documentation](https://docs.anchore.com) for more de - [Uninstalling the Chart](#uninstalling-the-chart) - [Configuration](#configuration) - [External Database Requirements](#external-database-requirements) + - [Installing on Openshift](#installing-on-openshift) - [Enterprise Feeds Configuration](#enterprise-feeds-configuration) - [Analyzer Image Layer Cache Configuration](#analyzer-image-layer-cache-configuration) - [Configuring Object Storage](#configuring-object-storage) @@ -26,9 +27,6 @@ See the [Anchore Enterprise Documentation](https://docs.anchore.com) for more de - [Prometheus Metrics](#prometheus-metrics) - [Scaling Individual Services](#scaling-individual-services) - [Using TLS Internally](#using-tls-internally) - - [Anchore Enterprise Notifications](#anchore-enterprise-notifications) - - [Anchore Enterprise Reports](#anchore-enterprise-reports) - - [Installing on Openshift](#installing-on-openshift) - [Migrating to the Anchore Enterprise Helm Chart](#migrating-to-the-anchore-enterprise-helm-chart) - [Parameters](#parameters) - [Release Notes](#release-notes) 
@@ -570,18 +568,6 @@ ui: ldapsRootCaCertName: ldap-combined-ca-cert-bundle.pem ``` -### Anchore Enterprise Notifications - -Anchore Enterprise includes Notifications service to alert external endpoints about the system’s activity. Notifications can be configured to send alerts to Slack, GitHub Issues, and Jira. - -See the [Anchore Notifications](https://docs.anchore.com/current/docs/configuration/notifications/) documentation for details. - -### Anchore Enterprise Reports - -Anchore Enterprise Reports aggregates data to provide insightful analytics and metrics for account-wide artifacts. The service employs GraphQL to expose a rich API for querying the aggregated data and metrics. - -See the [Anchore Reports](https://docs.anchore.com/current/docs/configuration/reports/) documentation for details. - ### Installing on Openshift As of August 2, 2023, Helm does not offer native support for passing `null` values to child or dependency charts. For details, refer to this [Helm GitHub issue](https://github.com/helm/helm/issues/9027). Given that the `feeds` chart is a dependency, a workaround is to deploy it as a standalone chart and configure the `enterprise` deployment to point to this separate `feeds` deployment. @@ -1205,6 +1191,6 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel - **Major Chart Version Change (e.g., v0.1.2 -> v1.0.0)**: Signifies an incompatible breaking change that necessitates manual intervention. - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a modification that may require adjustments to your values file. -### v0.0.x +### v0.1.x - This is a pre-release version of the Anchore Enterprise Helm chart and is not recommended for production deployments. From e427286d94facbfaa6b6cde36c2f75b5af8a73a4 Mon Sep 17 00:00:00 2001 
From: Hung Nguyen Date: Fri, 13 Oct 2023 10:19:26 -0400 Subject: [PATCH 239/329] Enterprise 2471 hashed passwords (#143) * default oauth and hashed passwords to enabled in enterprise * readme generator update * bumping chart.yaml * updating tests * dont allow updating default admin secret on upgrade enterprise chart Signed-off-by: Hung Nguyen --------- Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 36 +++++++++---------- stable/enterprise/templates/_helpers.tpl | 10 ++++++ .../enterprise/templates/anchore_secret.yaml | 17 ++++----- .../__snapshot__/configmap_test.yaml.snap | 4 +-- stable/enterprise/values.yaml | 10 +++--- 6 files changed, 45 insertions(+), 34 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 15cec6ff..aabafea4 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.1.2" +version: "0.2.0" appVersion: "4.9.2" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 42802d74..de7a79bb 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md 
@@ -788,7 +788,7 @@ rbacManager: | Name | Description | Value | | ------------------------------------- | ------------------------------------------------------------------------------------- | ------------------------------------- | -| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v4.9.1` | +| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v4.9.2` | | `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | | `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | | `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` | 
@@ -836,10 +836,10 @@ rbacManager: | `anchoreConfig.keys.secret` | The shared secret used for signing & encryption, auto-generated by Helm if not set. | `""` | | `anchoreConfig.keys.privateKeyFileName` | The file name of the private key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` | | `anchoreConfig.keys.publicKeyFileName` | The file name of the public key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` | -| `anchoreConfig.user_authentication.oauth.enabled` | Enable OAuth for Anchore user authentication | `false` | +| `anchoreConfig.user_authentication.oauth.enabled` | Enable OAuth for Anchore user authentication | `true` | | `anchoreConfig.user_authentication.oauth.default_token_expiration_seconds` | The expiration, in seconds, for OAuth tokens | `3600` | | `anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds` | The expiration, in seconds, for OAuth refresh tokens | `86400` | -| `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `false` | +| `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `true` | | `anchoreConfig.user_authentication.sso_require_existing_users` | set to true in order to disable the SSO JIT provisioning during authentication | `false` | | `anchoreConfig.metrics.enabled` | Enable Prometheus metrics for all Anchore services | `false` | | `anchoreConfig.metrics.auth_disabled` | Disable auth on Prometheus metrics for all Anchore services | `false` | 
@@ -1130,21 +1130,21 @@ rbacManager: ### Ingress Parameters -| Name | Description | Value | -| -------------------------- | ------------------------------------------------------------------ | ------- | -| `ingress.enabled` | Create an ingress resource for external Anchore service APIs | `false` | -| `ingress.labels` | Labels for the ingress resource | `{}` | -| `ingress.annotations` | Annotations for the ingress resource | `{}` | -| `ingress.apiHosts` | List of custom hostnames for the Anchore API | `[]` | -| `ingress.apiPath` | The path used for accessing the Anchore API | `/v2/` | -| `ingress.uiHosts` | List of custom hostnames for the Anchore UI | `[]` | -| `ingress.uiPath` | The path used for accessing the Anchore UI | `/` | -| `ingress.feedsHosts` | List of custom hostnames for the Anchore Feeds API | `[]` | -| `ingress.feedsPath` | The path used for accessing the Anchore Feeds API | `""` | -| `ingress.reportsHosts` | List of custom hostnames for the Anchore Reports API | `[]` | -| `ingress.reportsPath` | The path used for accessing the Anchore Reports API | `""` | -| `ingress.tls` | Configure tls for the ingress resource | `[]` | -| `ingress.ingressClassName` | sets the ingress class name. 
As of k8s v1.18, this should be nginx | `nginx` | +| Name | Description | Value | +| -------------------------- | ------------------------------------------------------------------ | --------------------------------- | +| `ingress.enabled` | Create an ingress resource for external Anchore service APIs | `false` | +| `ingress.labels` | Labels for the ingress resource | `{}` | +| `ingress.annotations` | Annotations for the ingress resource | `{}` | +| `ingress.apiHosts` | List of custom hostnames for the Anchore API | `[]` | +| `ingress.apiPaths` | The path used for accessing the Anchore API | `["/v1/","/v2/","/version/"]` | +| `ingress.uiHosts` | List of custom hostnames for the Anchore UI | `[]` | +| `ingress.uiPath` | The path used for accessing the Anchore UI | `/` | +| `ingress.feedsHosts` | List of custom hostnames for the Anchore Feeds API | `[]` | +| `ingress.feedsPaths` | The path used for accessing the Anchore Feeds API | `["/v1/feeds/","/v2/feeds/"]` | +| `ingress.reportsHosts` | List of custom hostnames for the Anchore Reports API | `[]` | +| `ingress.reportsPaths` | The path used for accessing the Anchore Reports API | `["/v1/reports/","/v2/reports/"]` | +| `ingress.tls` | Configure tls for the ingress resource | `[]` | +| `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | ### Google CloudSQL DB Parameters diff --git a/stable/enterprise/templates/_helpers.tpl b/stable/enterprise/templates/_helpers.tpl index 02058f8b..fe72f726 100644 --- a/stable/enterprise/templates/_helpers.tpl +++ b/stable/enterprise/templates/_helpers.tpl 
@@ -24,6 +24,16 @@ Return Anchore default admin password {{- end -}} {{- end -}} +{{/* +Return Anchore SAML SECRET +*/}} +{{- define "enterprise.samlSecret" -}} + {{- if .Values.anchoreConfig.keys.secret }} + {{- .Values.anchoreConfig.keys.secret -}} + {{- else -}} + {{- randAlphaNum 32 -}} + {{- end -}} +{{- end -}} {{/* Allows sourcing of a specified file in the entrypoint of all containers when .Values.doSourceAtEntry.enabled == true diff --git a/stable/enterprise/templates/anchore_secret.yaml b/stable/enterprise/templates/anchore_secret.yaml index a74fe199..e86c5ecf 100644 --- a/stable/enterprise/templates/anchore_secret.yaml +++ b/stable/enterprise/templates/anchore_secret.yaml @@ -1,15 +1,18 @@ {{- if not .Values.useExistingSecrets -}} {{- /* - If release is being upgraded, don't recreate the defaultAdminPassword, instead get it from the corresponding existing + If release is being upgraded, don't recreate the defaultAdminPassword or samlSecret, instead get it from the corresponding existing secret. */ -}} {{- $anchoreAdminPass := (include "enterprise.defaultAdminPassword" . | quote) -}} -{{- if and .Release.IsUpgrade (not .Values.anchoreConfig.default_admin_password) -}} - {{- $adminPassSecret := (lookup "v1" "Secret" .Release.Namespace (include "enterprise.fullname" .)) -}} - {{- if $adminPassSecret -}} - {{- $anchoreAdminPass = (index $adminPassSecret.data "ANCHORE_ADMIN_PASSWORD" | b64dec) -}} +{{- $anchoreSamlSecret := (include "enterprise.samlSecret" . | quote) -}} +{{- if .Release.IsUpgrade -}} + {{- $anchoreSecret := (lookup "v1" "Secret" .Release.Namespace (include "enterprise.fullname" .)) -}} + {{- if $anchoreSecret -}} + {{- $anchoreAdminPass = (index $anchoreSecret.data "ANCHORE_ADMIN_PASSWORD" | b64dec) -}} + {{- $anchoreSamlSecret = (index $anchoreSecret.data "ANCHORE_SAML_SECRET" | b64dec) -}} {{- end -}} {{- end -}} + apiVersion: v1 kind: Secret metadata: 
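Review bot: The upgrade branch of anchore_secret.yaml now reads `ANCHORE_SAML_SECRET` from the looked-up Secret unconditionally, but releases installed with the previous template only carried that key when `anchoreConfig.keys.secret` was set (the `with` block removed in the next hunk), so upgrading such a release hands a missing key to `b64dec`, which in a Go template most likely aborts the render instead of falling back to the freshly generated value. Guard the key the same way the admin password lookup used to be guarded: `{{- if hasKey $anchoreSecret.data "ANCHORE_SAML_SECRET" -}}` / `{{- $anchoreSamlSecret = (index $anchoreSecret.data "ANCHORE_SAML_SECRET" | b64dec) -}}` / `{{- end -}}`. Dropping the `(not .Values.anchoreConfig.default_admin_password)` condition also means a value explicitly supplied for `default_admin_password` or `keys.secret` is silently ignored on every upgrade; if that is the intent of "dont allow updating default admin secret on upgrade", a template comment saying that rotation must be done by editing the Secret directly would spare the next operator a confusing no-op.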
@@ -27,8 +30,6 @@ stringData: ANCHORE_DB_USER: {{ index .Values "postgresql" "auth" "username" | quote }} ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "auth" "password" | quote }} ANCHORE_DB_PORT: {{ index .Values "postgresql" "primary" "service" "ports" "postgresql" | quote }} -{{- with .Values.anchoreConfig.keys.secret }} - ANCHORE_SAML_SECRET: {{ . | quote }} -{{- end }} + ANCHORE_SAML_SECRET: {{ $anchoreSamlSecret | quote }} {{- end -}} diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 8506eb9c..a3e55ee1 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -345,7 +345,7 @@ should render the configmaps: ANCHORE_ALLOW_ECR_IAM_AUTO: "true" ANCHORE_ANALYZER_MAX_THREADS: "1" ANCHORE_ANALYZER_TASK_REQUEUE: "true" - ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "false" + ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "true" ANCHORE_AUTH_PRIVKEY: "null" ANCHORE_AUTH_PUBKEY: "null" ANCHORE_AUTHZ_HANDLER: external @@ -394,7 +394,7 @@ should render the configmaps: ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB: "100" ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB: "100" ANCHORE_MAX_REQUEST_THREADS: "50" - ANCHORE_OAUTH_ENABLED: "false" + ANCHORE_OAUTH_ENABLED: "true" ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION: "86400" ANCHORE_OAUTH_TOKEN_EXPIRATION: "3600" ANCHORE_OWNED_PACKAGE_FILTERING_ENABLED: "true" diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 092673bb..8eb7ce75 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml 
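Review bot: `ANCHORE_SAML_SECRET: {{ $anchoreSamlSecret | quote }}` quotes a value that, on a fresh install, was already quoted at its declaration in the previous hunk (`include "enterprise.samlSecret" . | quote`); if sprig's `quote` escapes embedded quotes the way Go's `%q` does, the stored secret then carries literal `"` characters around the generated string, and the upgrade lookup faithfully preserves them. That is more than cosmetic when an operator supplies `anchoreConfig.keys.secret` to share with another chart, since the two sides would no longer match byte-for-byte. Unless the admin-password line (not visible here) deliberately relies on the same double quoting, drop the `| quote` from the declaration, `{{- $anchoreSamlSecret := (include "enterprise.samlSecret" .) -}}`, and keep the single `quote` on this output line.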
@@ -245,10 +245,10 @@ anchoreConfig: ## user_authentication: oauth: - enabled: false + enabled: true default_token_expiration_seconds: 3600 refresh_token_expiration_seconds: 86400 - hashed_passwords: false + hashed_passwords: true sso_require_existing_users: false ## @param anchoreConfig.metrics.enabled Enable Prometheus metrics for all Anchore services @@ -1247,7 +1247,7 @@ ingress: ## apiHosts: [] - ## @param ingress.apiPath The path used for accessing the Anchore API + ## @param ingress.apiPaths The path used for accessing the Anchore API ## apiPaths: - /v1/ @@ -1266,7 +1266,7 @@ ingress: ## feedsHosts: [] - ## @param ingress.feedsPath The path used for accessing the Anchore Feeds API + ## @param ingress.feedsPaths The path used for accessing the Anchore Feeds API ## Exposing the feeds API is for special cases only, use /v2/feeds for ingress.feedsPath ## feedsPaths: @@ -1277,7 +1277,7 @@ ingress: ## reportsHosts: [] - ## @param ingress.reportsPath The path used for accessing the Anchore Reports API + ## @param ingress.reportsPaths The path used for accessing the Anchore Reports API ## Exposing the reports API enables the GraphQL interface, use /v2/reports/graphql for ingress.reportsPath ## reportsPaths: From 0c4042ecd38114af9457aebe1faf873d5670bbba Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 13 Oct 2023 11:01:26 -0400 Subject: [PATCH 240/329] update engine chart to only allow upgrading anchore to versions less than 5 (#144) * update engine chart to only allow upgrading anchore to versions less than 5 * move check to enterprise configmap * bumping enterprise image version to 4.9.3 * bumping feeds image, update tests * bumping enterprise chart version * readme generator Signed-off-by: Hung Nguyen --------- 
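Review bot: Flipping `oauth.enabled` and `hashed_passwords` to `true` as chart defaults changes the credential-storage mode of every existing deployment that did not pin these values, and the `##` header above the block gives no hint of that. As I recall the Anchore documentation, `hashed_passwords` requires OAuth (internal service calls then use bearer tokens rather than the stored password) and is a one-way change that cannot be switched back off without resetting credentials; please confirm against the current docs and record it here, e.g. `## NOTE: hashed_passwords requires oauth.enabled=true; once enabled on a deployment it should not be set back to false`. A matching line under the v0.2.x release notes in the README would let upgraders make that decision before the chart bump rather than after it.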
Signed-off-by: Hung Nguyen --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/templates/_helpers.tpl | 11 +++++++++++ .../templates/enterprise_configmap.yaml | 1 + stable/anchore-engine/values.yaml | 2 +- stable/enterprise/Chart.yaml | 4 ++-- stable/enterprise/README.md | 2 +- .../prehook_upgrade_resources_test.yaml.snap | 2 +- stable/enterprise/values.yaml | 2 +- stable/feeds/Chart.yaml | 4 ++-- .../prehook_upgrade_resources_test.yaml.snap | 2 +- stable/feeds/values.yaml | 2 +- 11 files changed, 23 insertions(+), 11 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index e48d2ddc..9bc9c7c9 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.28.2 +version: 1.28.3 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl index eb4624e4..62d1396d 100755 --- a/stable/anchore-engine/templates/_helpers.tpl +++ b/stable/anchore-engine/templates/_helpers.tpl 
@@ -479,4 +479,15 @@ Upon upgrade, check if the user uses non-default values for ingress path configu {{- if and .Release.IsUpgrade (or .Values.ingress.feedsPath .Values.ingress.reportsPath .Values.ingress.apiPath) }} {{- fail "As of chart v1.28.0, the `ingress.feedsPath`, `ingress.reportsPath`, and `ingress.apiPath` values are no longer valid. See README for more information - https://github.com/anchore/anchore-charts/blob/main/stable/anchore-engine/README.md#chart-version-1280" }} {{- end }} +{{- end -}} + +{{/* +Fail if the enterprise image is v5.0.0 or greater +*/}} +{{- define "checkAnchoreEnterpriseCompatibility" -}} +{{- $imageVersion := (index (splitList ":" .Values.anchoreEnterpriseGlobal.image) 1) -}} +{{- $majorVersion := int (index (splitList "." (trimPrefix "v" $imageVersion)) 0) -}} +{{- if ge $majorVersion 5 -}} + {{- fail "Upgrading to Anchore 5.0.0+ is not supported with the engine chart. For information on migrating to the enterprise chart, please refer to https://github.com/anchore/anchore-charts/tree/main/stable/enterprise#migrating-to-the-anchore-enterprise-helm-chart" }} +{{- end -}} {{- end -}} \ No newline at end of file diff --git a/stable/anchore-engine/templates/enterprise_configmap.yaml b/stable/anchore-engine/templates/enterprise_configmap.yaml index 22ce3f75..9f3da5f7 100644 --- a/stable/anchore-engine/templates/enterprise_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_configmap.yaml @@ -1,3 +1,4 @@ +{{- template "checkAnchoreEnterpriseCompatibility" . }} {{- if and .Values.anchoreEnterpriseGlobal.enabled (or .Values.anchoreEnterpriseRbac.enabled .Values.anchoreEnterpriseReports.enabled) -}} {{- $component := "enterprise" -}} apiVersion: v1 diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index b2a6c565..a869ecfc 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml 
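Review bot: `index (splitList ":" .Values.anchoreEnterpriseGlobal.image) 1` assumes the image reference contains exactly one colon: a tag-less image makes `index` fail with an out-of-range error and breaks every render, while a registry with a port (`registry:5000/anchore/enterprise:v5.0.0`) puts the host port at index 1, where, as far as I know, sprig's `int` casts it to 0 and the guard is silently bypassed. Taking the last segment is tighter for both cases: `{{- $imageVersion := (last (splitList ":" .Values.anchoreEnterpriseGlobal.image)) -}}`. The remaining gap (digest-pinned `@sha256:` references and non-numeric tags such as `latest` evaluate to major 0 and pass) should at least be stated in the helper's comment, since this check is the only thing standing between an operator and the unsupported 5.x upgrade the message warns about.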
@@ -765,7 +765,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.9.2 + image: docker.io/anchore/enterprise:v4.9.3 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index aabafea4..4cb93c9a 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: enterprise -version: "0.2.0" -appVersion: "4.9.2" +version: "0.2.1" +appVersion: "4.9.3" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems, diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index de7a79bb..e9fffea7 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -788,7 +788,7 @@ rbacManager: | Name | Description | Value | | ------------------------------------- | ------------------------------------------------------------------------------------- | ------------------------------------- | -| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v4.9.2` | +| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v4.9.3` | | `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | | `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | | `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` | 
diff --git a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index 7b9a57ba..cf477381 100644 --- a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -143,6 +143,6 @@ should render proper initContainers: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v4.9.2 + image: docker.io/anchore/enterprise:v4.9.3 imagePullPolicy: IfNotPresent name: wait-for-db diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 8eb7ce75..e07c9e14 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -18,7 +18,7 @@ global: ## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI ## -image: docker.io/anchore/enterprise:v4.9.2 +image: docker.io/anchore/enterprise:v4.9.3 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index 148158cd..f394d196 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: feeds type: application -version: "0.1.0" -appVersion: "4.9.2" +version: "0.1.1" +appVersion: "4.9.3" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: Anchore feeds service keywords: diff --git a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index 35c8009d..6e7c0b88 100644 --- a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap 
@@ -143,6 +143,6 @@ should render proper initContainers: value: test-release-feeds - name: ANCHORE_PORT value: "8448" - image: docker.io/anchore/enterprise:v4.9.2 + image: docker.io/anchore/enterprise:v4.9.3 imagePullPolicy: IfNotPresent name: wait-for-db diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml index d2bad856..a79e42a5 100644 --- a/stable/feeds/values.yaml +++ b/stable/feeds/values.yaml @@ -21,7 +21,7 @@ nameOverride: "" ## @param image Image used for feeds deployment ## -image: docker.io/anchore/enterprise:v4.9.2 +image: docker.io/anchore/enterprise:v4.9.3 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy From db86ab88f7954929b85c62f0ba621efaa84633b5 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 13 Oct 2023 17:05:17 -0400 Subject: [PATCH 241/329] check for runtime_inventory.image_ttl_days = -1 (#146) * fail when user sets runtime_inventory.image_ttl_days=-1 and prompt them to use runtime_inventory.image_ingest_overwrite * update test snapshots --------- Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/files/default_config.yaml | 1 - stable/enterprise/templates/envvars_configmap.yaml | 14 +++++++++----- .../tests/__snapshot__/configmap_test.yaml.snap | 1 - stable/enterprise/values.yaml | 8 ++++++-- 5 files changed, 16 insertions(+), 10 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 4cb93c9a..1b65d43a 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.2.1" +version: "0.2.2" appVersion: "4.9.3" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml index 9802d981..1d12c9c5 100644 --- a/stable/enterprise/files/default_config.yaml 
+++ b/stable/enterprise/files/default_config.yaml @@ -16,7 +16,6 @@ auto_restart_services: false max_source_import_size_mb: ${ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB} max_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB} - max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB} metrics: diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index 482d2bc4..552bd050 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml +++ b/stable/enterprise/templates/envvars_configmap.yaml 
@@ -50,13 +50,17 @@ data: ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER: "true" ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER: "true" ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE: "true" - ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_TTL_DAYS: "120" - ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_INGEST_OVERWRITE: "false" - {{- with .Values.anchoreConfig.notifications.ui_url }} +{{- if eq (toString .Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days) "-1" }} + {{- fail "The Value `-1` is no longer valid for `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days`. Please use `.Values.anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite=true` to force runtime inventory to be overwritten upon every update. `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days` must be set to a value >1." -}} +{{- else }} + ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_TTL_DAYS: "{{ .Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days }}" + ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_INGEST_OVERWRITE: "{{ .Values.anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite }}" +{{- end }} +{{- with .Values.anchoreConfig.notifications.ui_url }} ANCHORE_ENTERPRISE_UI_URL: "{{ . }}" - {{- else }} +{{- else }} ANCHORE_ENTERPRISE_UI_URL: {{ include "enterprise.ui.fullname" . | quote }} - {{- end }} +{{- end }} ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED: "false" ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: "false" ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED: "true" diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index a3e55ee1..5959ea0f 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap 
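Review bot: The new guard rejects only the literal `-1`, yet its message tells the operator the value `must be set to a value >1`; `0`, `-2` or a non-numeric string pass straight through into `ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_TTL_DAYS`. If the service needs a positive TTL, check the range rather than one sentinel, `{{- if le (int .Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days) 0 }}`, and keep the `image_ingest_overwrite` hint in the message; otherwise the message should describe what is actually enforced. `>1` also reads like a typo for `>=1`, given that this chart previously shipped `1` as the value—worth confirming the accepted minimum from the Anchore docs before settling the wording.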
@@ -62,7 +62,6 @@ should render the configmaps: max_source_import_size_mb: ${ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB} max_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB} - max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB} metrics: diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index e07c9e14..ad8f4116 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -477,11 +477,15 @@ anchoreConfig: name: db config: {} - ## @param anchoreConfig.catalog.runtime_inventory.image_ttl_days TTL for images in the inventory report working set + ## anchoreConfig.catalog.runtime_inventory.image_ttl_days TTL for images in the inventory report working set + ## @param anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite disables the image_ttl cycle timer. + ## When `image_ingest_overwrite=true` upon ingestion of inventory, removes anything previously reported by the namespace and only keep the latest inventory posted. + ## This new config value is used instead of setting `image_ttl_days=-1` ## ref: https://docs.anchore.com/current/docs/configuration/runtime_inventory/ ## runtime_inventory: - image_ttl_days: 1 + image_ttl_days: 120 + image_ingest_overwrite: false ## @param anchoreConfig.catalog.down_analyzer_task_requeue Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state ## From de67afbb74178d7546320e2e43f8f0549eee1948 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Mon, 16 Oct 2023 17:17:18 -0400 Subject: [PATCH 242/329] removing analyzer concurrentTasksPerWorker (#147) Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 4 ++-- stable/enterprise/files/default_config.yaml | 1 - stable/enterprise/templates/envvars_configmap.yaml | 1 - .../tests/__snapshot__/configmap_test.yaml.snap | 2 -- stable/enterprise/values.yaml | 8 +------- 6 files changed, 4 insertions(+), 14 deletions(-) 
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 1b65d43a..cde093c7 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.2.2" +version: "0.2.3" appVersion: "4.9.3" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index e9fffea7..3ed70b32 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -863,7 +863,6 @@ rbacManager: | `anchoreConfig.apiext.external.hostname` | Hostname for the external Anchore API | `""` | | `anchoreConfig.apiext.external.port` | Port configured for external Anchore API | `8443` | | `anchoreConfig.analyzer.cycle_timers.image_analyzer` | The interval between checks of the work queue for new analysis jobs | `1` | -| `anchoreConfig.analyzer.max_threads` | The concurrency of the Anchore Analyzer worker process | `1` | | `anchoreConfig.analyzer.layer_cache_max_gigabytes` | Specify a cache size > 0GB to enable image layer caching | `0` | | `anchoreConfig.analyzer.enable_hints` | Enable a user-supplied 'hints' file to override and/or augment the software artifacts found during analysis | `false` | | `anchoreConfig.analyzer.configFile` | Custom Anchore Analyzer configuration file contents in YAML | `{}` | 
@@ -883,7 +882,8 @@ rbacManager: | `anchoreConfig.catalog.event_log` | Event log for webhooks, YAML configuration | `{}` | | `anchoreConfig.catalog.analysis_archive` | Custom analysis archive YAML configuration | `{}` | | `anchoreConfig.catalog.object_store` | Custom object storage YAML configuration | `{}` | -| `anchoreConfig.catalog.runtime_inventory.image_ttl_days` | TTL for images in the inventory report working set | `1` | +| `anchoreConfig.catalog.runtime_inventory.image_ttl_days` | TTL for images in the inventory report working set | `120` | +| `anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite` | disables the image_ttl cycle timer. | `false` | | `anchoreConfig.catalog.down_analyzer_task_requeue` | Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state | `true` | | `anchoreConfig.policy_engine.cycle_timers.feed_sync` | Interval to run a feed sync to get latest cve data | `14400` | | `anchoreConfig.policy_engine.cycle_timers.feed_sync_checker` | Interval between checks to see if there needs to be a task queued | `3600` | diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml index 1d12c9c5..c5256723 100644 --- a/stable/enterprise/files/default_config.yaml +++ b/stable/enterprise/files/default_config.yaml @@ -89,7 +89,6 @@ services: max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} cycle_timer_seconds: 1 cycle_timers: {{- toYaml .Values.anchoreConfig.analyzer.cycle_timers | nindent 6 }} - max_threads: ${ANCHORE_ANALYZER_MAX_THREADS} analyzer_driver: 'nodocker' layer_cache_enable: ${ANCHORE_LAYER_CACHE_ENABLED} layer_cache_max_gigabytes: ${ANCHORE_LAYER_CACHE_SIZE_GB} diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index 552bd050..b415de66 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml +++ b/stable/enterprise/templates/envvars_configmap.yaml 
@@ -10,7 +10,6 @@ data: ANCHORE_ADMIN_EMAIL: "{{ .Values.anchoreConfig.default_admin_email }}" ANCHORE_ALLOW_ECR_IAM_AUTO: "{{ .Values.anchoreConfig.allow_awsecr_iam_auto }}" ANCHORE_ANALYZER_TASK_REQUEUE: "true" - ANCHORE_ANALYZER_MAX_THREADS: "{{ .Values.anchoreConfig.analyzer.max_threads }}" ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "{{ .Values.anchoreConfig.user_authentication.hashed_passwords }}" {{- with .Values.anchoreConfig.keys.publicKeyFileName }} ANCHORE_AUTH_PRIVKEY: "/home/anchore/certs/{{- . }}" diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 5959ea0f..a55064d9 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -125,7 +125,6 @@ should render the configmaps: cycle_timer_seconds: 1 cycle_timers: image_analyzer: 1 - max_threads: ${ANCHORE_ANALYZER_MAX_THREADS} analyzer_driver: 'nodocker' layer_cache_enable: ${ANCHORE_LAYER_CACHE_ENABLED} layer_cache_max_gigabytes: ${ANCHORE_LAYER_CACHE_SIZE_GB} @@ -342,7 +341,6 @@ should render the configmaps: data: ANCHORE_ADMIN_EMAIL: admin@myanchore ANCHORE_ALLOW_ECR_IAM_AUTO: "true" - ANCHORE_ANALYZER_MAX_THREADS: "1" ANCHORE_ANALYZER_TASK_REQUEUE: "true" ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "true" ANCHORE_AUTH_PRIVKEY: "null" diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index ad8f4116..ae188f2b 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml 
@@ -354,12 +354,6 @@ anchoreConfig: cycle_timers: image_analyzer: 1 - ## @param anchoreConfig.analyzer.max_threads The concurrency of the Anchore Analyzer worker process - ## Can be configured to process more than one task at a time. This is IO bound so may not necessarily be faster depending on hardware. - ## Operators should test and balance this value vs. number of Anchore Analyzer replicas deployed. - ## - max_threads: 1 - ## @param anchoreConfig.analyzer.layer_cache_max_gigabytes Specify a cache size > 0GB to enable image layer caching ## This chart sets up a scratch directory for all Anchore Analyzer pods using the values found at .Values.scratchVolume ## When setting .Values.anchoreConfig.analyzer.layer_cache_max_gigabytes, ensure the scratch volume has sufficient storage space @@ -477,7 +471,7 @@ anchoreConfig: name: db config: {} - ## anchoreConfig.catalog.runtime_inventory.image_ttl_days TTL for images in the inventory report working set + ## @param anchoreConfig.catalog.runtime_inventory.image_ttl_days TTL for images in the inventory report working set ## @param anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite disables the image_ttl cycle timer. ## When `image_ingest_overwrite=true` upon ingestion of inventory, removes anything previously reported by the namespace and only keep the latest inventory posted. ## This new config value is used instead of setting `image_ttl_days=-1` From 128f114927b8d155bd55384197033a7dffe8ac1e Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 20 Oct 2023 14:24:32 -0400 Subject: [PATCH 243/329] only add ingress classname if annotation is not set (#150) * only add ingress classname if annotation is not set * bump chart version Signed-off-by: Hung Nguyen --------- 
Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/templates/ingress.yaml | 2 +- .../tests/ingress_resources_test.yaml | 30 +++++++++++++++++++ 3 files changed, 32 insertions(+), 2 deletions(-) create mode 100644 stable/enterprise/tests/ingress_resources_test.yaml diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index cde093c7..ea89119b 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.2.3" +version: "0.2.4" appVersion: "4.9.3" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/templates/ingress.yaml b/stable/enterprise/templates/ingress.yaml index ed71ad72..ab157683 100644 --- a/stable/enterprise/templates/ingress.yaml +++ b/stable/enterprise/templates/ingress.yaml @@ -15,7 +15,7 @@ metadata: labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} spec: -{{- if .Values.ingress.ingressClassName }} +{{- if and .Values.ingress.ingressClassName (not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class")) }} ingressClassName: {{ .Values.ingress.ingressClassName }} {{- end }} {{- if .Values.ingress.tls }} diff --git a/stable/enterprise/tests/ingress_resources_test.yaml b/stable/enterprise/tests/ingress_resources_test.yaml new file mode 100644 index 00000000..11e157f2 --- /dev/null +++ b/stable/enterprise/tests/ingress_resources_test.yaml 
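Review bot: The new `and ... (not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class"))` condition silently omits `ingressClassName` whenever the legacy annotation is present, and there is no comment saying that the annotation deliberately wins when an operator sets both. A reader will otherwise read the dropped field as a rendering bug. Suggest a template comment above the `if`, e.g. `{{- /* kubernetes.io/ingress.class and spec.ingressClassName are mutually exclusive; the legacy annotation takes precedence when both are set */ }}`. The `spec:` block continues past the hunk.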
@@ -0,0 +1,30 @@ +suite: Ingress Resources Tests +templates: + - ingress.yaml +release: + name: test-release + namespace: test-namespace +chart: + version: 9.9.9 + appVersion: 9.9.9 + +tests: + - it: should render classname if annotation is not set + set: + ingress.enabled: true + template: ingress.yaml + asserts: + - equal: + path: spec.ingressClassName + value: nginx + + - it: should not render classname if annotation is set + set: + ingress.enabled: true + ingress: + annotations: + "kubernetes.io/ingress.class": "nginx" + template: ingress.yaml + asserts: + - notExists: + path: spec.ingressClassName From 7301e8b9cde2092bf36a0870b4369da9f882e5c4 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 20 Oct 2023 17:55:44 -0400 Subject: [PATCH 244/329] remove affinity from key with a dot check (#149) Signed-off-by: Hung Nguyen --- scripts/enterprise-value-converter/helpers.py | 17 +++++++++-------- .../tests/test_anchoreCatalog_value_mapping.py | 6 ++---- ...eEnterpriseEngineUpgradeJob_value_mapping.py | 6 ++---- ...reEnterpriseFeedsUpgradeJob_value_mapping.py | 6 ++---- ...test_anchoreEnterpriseFeeds_value_mapping.py | 6 ++---- ...horeEnterpriseNotifications_value_mapping.py | 6 ++---- .../test_anchoreEnterpriseRbac_value_mapping.py | 6 ++---- ...st_anchoreEnterpriseReports_value_mapping.py | 6 ++---- .../test_anchoreEnterpriseUi_value_mapping.py | 2 -- .../test_anchorePolicyEngine_value_mapping.py | 6 ++---- .../test_anchoreSimpleQueue_value_mapping.py | 2 -- 11 files changed, 25 insertions(+), 44 deletions(-) diff --git a/scripts/enterprise-value-converter/helpers.py b/scripts/enterprise-value-converter/helpers.py index 5acd1e9b..3175cb72 100644 --- a/scripts/enterprise-value-converter/helpers.py +++ b/scripts/enterprise-value-converter/helpers.py 
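Review bot: The first test asserts `spec.ingressClassName` equals `nginx` without setting `ingress.ingressClassName` in its `set:` block, so it presumably depends on the chart's default value and will start failing for an unrelated reason if that default changes. Adding `ingress.ingressClassName: nginx` under `set:` pins the input the assertion depends on and makes the two cases symmetric.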
@@ -131,21 +131,22 @@ def replace_keys_with_mappings(dot_string_dict, results_dir): write_to_file(f"{dotstring_key}: no longer used\n", os.path.join(logs_dir, log_file_name), "a") continue - # serviceName.annotations - if len(keys) > 1 and keys[1] in ['annotations', 'labels', 'nodeSelector', 'affinity', 'deploymentAnnotations']: - if val != {}: - val = { - '.'.join(keys[2:]): val - } - keys = keys[:2] # serviceName.service.annotations - elif len(keys) > 2 and keys[2] in ['annotations', 'labels']: + if len(keys) > 2 and keys[2] in ['annotations', 'labels']: if val != {}: val = { '.'.join(keys[3:]): val } keys = keys[:3] + # serviceName.annotations + elif len(keys) > 1 and keys[1] in ['annotations', 'labels', 'nodeSelector', 'deploymentAnnotations']: + if val != {}: + val = { + '.'.join(keys[2:]): val + } + keys = keys[:2] + update_result = False errored = True diff --git a/scripts/enterprise-value-converter/tests/test_anchoreCatalog_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreCatalog_value_mapping.py index a04a571b..a295b8b5 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreCatalog_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreCatalog_value_mapping.py @@ -217,15 +217,13 @@ def test_anchoreCatalog_tolerations_value(self): def test_anchoreCatalog_affinity_value(self): dot_string_dict = { "anchoreCatalog.affinity.name": "foo", - "anchoreCatalog.affinity.value": "bar", - "anchoreCatalog.affinity.anotherLabel.with.a.dot": "baz" + "anchoreCatalog.affinity.value": "bar" } expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'catalog': { 'affinity':{ 'name': 'foo', - 'value': 'bar', - 'anotherLabel.with.a.dot': 'baz' + 'value': 'bar' } } } 
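Review bot: Swapping the order of the two branches changes which one wins for a key that matches both, e.g. `svc.labels.annotations.x`: before this hunk the `keys[1]` check collapsed it to `{'annotations.x': val}` under `svc.labels`, now the `keys[2]` check fires first and yields `{'x': val}` under `svc.labels.annotations`. The commit title only promises removing `affinity` from the dotted-key list, so if the reorder is incidental, keep the original order and only delete `'affinity'` from the list; if it is intended, a one-line comment above the first branch stating the precedence would help. `replace_keys_with_mappings` starts before and continues after the hunk.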
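Review bot: The `test_anchoreCatalog_value_mapping.py` hunk only deletes the dotted-key assertions for `affinity`, so after this change no test pins what a key like `anchoreCatalog.affinity.anotherLabel.with.a.dot` now converts to (presumably nested dicts rather than a single dotted key). The same gap applies to the test hunks for the EngineUpgradeJob, FeedsUpgradeJob, Feeds, Notifications, Rbac, Reports, Ui, PolicyEngine and SimpleQueue mappings that follow. One positive case in one of these files, asserting the nested output for a dotted `affinity` key, would document the new behaviour and catch a regression of the `helpers.py` change.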
diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py index cd71e864..80a0fb01 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py @@ -133,15 +133,13 @@ def test_anchoreEnterpriseEngineUpgradeJob_tolerations_value(self): def test_anchoreEnterpriseEngineUpgradeJob_affinity_value(self): dot_string_dict = { "anchoreEnterpriseEngineUpgradeJob.affinity.name": "foo", - "anchoreEnterpriseEngineUpgradeJob.affinity.value": "bar", - "anchoreEnterpriseEngineUpgradeJob.affinity.anotherLabel.with.a.dot": "baz" + "anchoreEnterpriseEngineUpgradeJob.affinity.value": "bar" } expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'upgradeJob': { 'affinity':{ 'name': 'foo', - 'value': 'bar', - 'anotherLabel.with.a.dot': 'baz' + 'value': 'bar' } } } diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py index 988f1fef..14c830f8 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py 
@@ -144,16 +144,14 @@ def test_anchoreEnterpriseFeedsUpgradeJob_tolerations_value(self): def test_anchoreEnterpriseFeedsUpgradeJob_affinity_value(self): dot_string_dict = { "anchoreEnterpriseFeedsUpgradeJob.affinity.name": "foo", - "anchoreEnterpriseFeedsUpgradeJob.affinity.value": "bar", - "anchoreEnterpriseFeedsUpgradeJob.affinity.anotherLabel.with.a.dot": "baz" + "anchoreEnterpriseFeedsUpgradeJob.affinity.value": "bar" } expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'feedsUpgradeJob': { 'affinity':{ 'name': 'foo', - 'value': 'bar', - 'anotherLabel.with.a.dot': 'baz' + 'value': 'bar' } } } diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeeds_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeeds_value_mapping.py index d622f560..32268e45 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeeds_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeeds_value_mapping.py @@ -165,15 +165,13 @@ def test_anchoreEnterpriseFeeds_tolerations_value(self): def test_anchoreEnterpriseFeeds_affinity_value(self): dot_string_dict = { "anchoreEnterpriseFeeds.affinity.name": "foo", - "anchoreEnterpriseFeeds.affinity.value": "bar", - "anchoreEnterpriseFeeds.affinity.anotherLabel.with.a.dot": "baz" + "anchoreEnterpriseFeeds.affinity.value": "bar" } expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'affinity':{ 'name': 'foo', - 'value': 'bar', - 'anotherLabel.with.a.dot': 'baz' + 'value': 'bar' } } } diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseNotifications_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseNotifications_value_mapping.py index 29a7bfcb..a4abbbe8 100644 
--- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseNotifications_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseNotifications_value_mapping.py @@ -161,15 +161,13 @@ def test_anchoreEnterpriseNotifications_tolerations_value(self): def test_anchoreEnterpriseNotifications_affinity_value(self): dot_string_dict = { "anchoreEnterpriseNotifications.affinity.name": "foo", - "anchoreEnterpriseNotifications.affinity.value": "bar", - "anchoreEnterpriseNotifications.affinity.anotherLabel.with.a.dot": "baz" + "anchoreEnterpriseNotifications.affinity.value": "bar" } expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'affinity':{ 'name': 'foo', - 'value': 'bar', - 'anotherLabel.with.a.dot': 'baz' + 'value': 'bar' } } } diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py index 1b8c6ec4..308d545c 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py @@ -153,15 +153,13 @@ def test_anchoreEnterpriseRbac_tolerations_value(self): def test_anchoreEnterpriseRbac_affinity_value(self): dot_string_dict = { "anchoreEnterpriseRbac.affinity.name": "foo", - "anchoreEnterpriseRbac.affinity.value": "bar", - "anchoreEnterpriseRbac.affinity.anotherLabel.with.a.dot": "baz" + "anchoreEnterpriseRbac.affinity.value": "bar" } expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'affinity':{ 'name': 'foo', - 'value': 'bar', - 'anotherLabel.with.a.dot': 'baz' + 'value': 'bar' } } } 
diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py index 20fad903..789ccd31 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py @@ -161,15 +161,13 @@ def test_anchoreEnterpriseReports_tolerations_value(self): def test_anchoreEnterpriseReports_affinity_value(self): dot_string_dict = { "anchoreEnterpriseReports.affinity.name": "foo", - "anchoreEnterpriseReports.affinity.value": "bar", - "anchoreEnterpriseReports.affinity.anotherLabel.with.a.dot": "baz" + "anchoreEnterpriseReports.affinity.value": "bar" } expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'affinity':{ 'name': 'foo', - 'value': 'bar', - 'anotherLabel.with.a.dot': 'baz' + 'value': 'bar' } } } diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseUi_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseUi_value_mapping.py index 2ef88db1..57e67e72 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseUi_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseUi_value_mapping.py @@ -176,14 +176,12 @@ def test_anchoreEnterpriseUi_affinity_value(self): dot_string_dict = { "anchoreEnterpriseUi.affinity.name": "foo", "anchoreEnterpriseUi.affinity.value": "bar", - "anchoreEnterpriseUi.affinity.anotherLabel.with.a.dot": "baz" } expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'affinity':{ 'name': 'foo', 'value': 'bar', - 'anotherLabel.with.a.dot': 'baz' } } } 
diff --git a/scripts/enterprise-value-converter/tests/test_anchorePolicyEngine_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchorePolicyEngine_value_mapping.py index 17e3332f..00e1a821 100644 --- a/scripts/enterprise-value-converter/tests/test_anchorePolicyEngine_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchorePolicyEngine_value_mapping.py @@ -144,15 +144,13 @@ def test_anchorePolicyEngine_tolerations_value(self): def test_anchorePolicyEngine_affinity_value(self): dot_string_dict = { - "anchorePolicyEngine.affinity.name": "foo", - "anchorePolicyEngine.affinity.with.a.dot.name": "bar" + "anchorePolicyEngine.affinity.name": "foo" } expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'affinity': { - 'name': 'foo', - 'with.a.dot.name': 'bar' + 'name': 'foo' } } } diff --git a/scripts/enterprise-value-converter/tests/test_anchoreSimpleQueue_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreSimpleQueue_value_mapping.py index 74e6bc95..69551464 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreSimpleQueue_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreSimpleQueue_value_mapping.py @@ -154,14 +154,12 @@ def test_anchoreSimpleQueue_affinity_value(self): dot_string_dict = { "anchoreSimpleQueue.affinity.name": "foo", "anchoreSimpleQueue.affinity.value": "bar", - "anchoreSimpleQueue.affinity.anotherLabel.with.a.dot": "baz" } expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'affinity':{ 'name': 'foo', 'value': 'bar', - 'anotherLabel.with.a.dot': 'baz' } } } From 9a97fcf15b11f4973457cf3f82aa45c1a29ff40a Mon Sep 17 00:00:00 2001 
From: Hung Nguyen Date: Tue, 24 Oct 2023 01:48:20 -0400 Subject: [PATCH 245/329] allow setting feeds drivers github and msrc from enterprise chart (#148) * allow setting feeds drivers github and msrc from enterprise chart --------- Signed-off-by: Hung Nguyen --- stable/enterprise/templates/envvars_configmap.yaml | 4 ++-- stable/enterprise/tests/configmap_test.yaml | 13 +++++++++++++ 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index b415de66..69a5ad72 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml +++ b/stable/enterprise/templates/envvars_configmap.yaml @@ -60,8 +60,8 @@ data: {{- else }} ANCHORE_ENTERPRISE_UI_URL: {{ include "enterprise.ui.fullname" . | quote }} {{- end }} - ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED: "false" - ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: "false" + ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED: {{ default "false" .Values.feeds.anchoreConfig.feeds.drivers.github.enabled | quote }} + ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: {{ default "false" .Values.feeds.anchoreConfig.feeds.drivers.msrc.enabled | quote }} ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED: "true" ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED: "false" ANCHORE_FEEDS_SSL_VERIFY: "{{ .Values.anchoreConfig.internalServicesSSL.verifyCerts }}" diff --git a/stable/enterprise/tests/configmap_test.yaml b/stable/enterprise/tests/configmap_test.yaml index 662459ec..95f3f94a 100644 --- a/stable/enterprise/tests/configmap_test.yaml +++ b/stable/enterprise/tests/configmap_test.yaml 
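Review bot: `default "false" .Values.feeds.anchoreConfig.feeds.drivers.github.enabled` (and the `msrc` line below it) walks the full value path before `default` can act, so a render where `feeds.anchoreConfig`, `.feeds` or `.drivers` is absent fails with a nil-pointer template error instead of falling back to `"false"`; `default` only handles an empty leaf. A lookup that tolerates missing intermediate maps, e.g. `{{ dig "anchoreConfig" "feeds" "drivers" "github" "enabled" "false" .Values.feeds | quote }}`, avoids this. The test added in the `configmap_test.yaml` hunk that follows only sets both keys, so it would not catch the missing-path case; a test with `feeds.anchoreConfig` unset should accompany it.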
@@ -37,3 +37,16 @@ tests: tmp_dir: /test log_level: DEBUG + + - it: should set the msrc and github drivers if set + template: templates/envvars_configmap.yaml + set: + feeds.anchoreConfig.feeds.drivers.github.enabled: true + feeds.anchoreConfig.feeds.drivers.msrc.enabled: true + asserts: + - equal: + path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] + value: "true" + - equal: + path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] + value: "true" From 38141889303525d13f45d8b68eff5160f4942111 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 24 Oct 2023 13:57:42 -0400 Subject: [PATCH 246/329] trying install of engine for adm. cont. (#153) * admission controller ci installs anchore engine to have endpoint * update test and ci/fake-values for adm. cont * update anchoreEndpoint with protocol Signed-off-by: Hung Nguyen --------- Signed-off-by: Hung Nguyen --- .github/workflows/test.yaml | 18 ++++++++++++++++++ stable/anchore-admission-controller/Chart.yaml | 4 ++-- .../ci/fake-values.yaml | 1 + .../anchore-admission-controller/values.yaml | 2 +- 4 files changed, 22 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index a2d79607..d19ac6d0 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml 
@@ -74,6 +74,24 @@ jobs: DOCKER_USER: ${{ secrets.ANCHORECI_DOCKER_USER }} DOCKER_PASS: ${{ secrets.ANCHORECI_DOCKER_PASS }} + - name: Check if anchore-engine endpoint is required for admission controller chart + id: engine_required + run: | + if [[ -n $(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep 'anchore-admission-controller') ]]; then + echo "File in the 'stable/anchore-admission-controller' directory was changed. We need an engine deployment" + echo "::set-output name=changed::true" + else + echo "No files in 'stable/anchore-admission-controller' directory were changed. Skipping engine deployment" + echo "::set-output name=changed::false" + fi + shell: bash + + - name: Deploy Engine + if: steps.engine_required.outputs.changed == 'true' + run: | + helm install engine anchore/anchore-engine --namespace anchore --wait + kubectl --namespace anchore get pods + - name: Run chart-testing if: steps.list-changed.outputs.CHANGED == 'true' run: ct install --config ct-config.yaml diff --git a/stable/anchore-admission-controller/Chart.yaml b/stable/anchore-admission-controller/Chart.yaml index ddf85753..9b820450 100644 --- a/stable/anchore-admission-controller/Chart.yaml +++ b/stable/anchore-admission-controller/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: anchore-admission-controller -version: 0.4.7 -appVersion: 0.4.0 +version: 0.5.0 +appVersion: 0.5.0 description: A kubernetes admission controller for validating and mutating webhooks that operates against Anchore Engine to make access decisions and annotations home: https://github.com/anchore/kubernetes-admission-controller maintainers: diff --git a/stable/anchore-admission-controller/ci/fake-values.yaml b/stable/anchore-admission-controller/ci/fake-values.yaml index 3d1c6db8..2983ae32 100644 --- a/stable/anchore-admission-controller/ci/fake-values.yaml +++ b/stable/anchore-admission-controller/ci/fake-values.yaml 
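Review bot: The new `Check if anchore-engine endpoint is required` step writes its result with `echo "::set-output name=changed::..."`, a workflow command GitHub has deprecated in favour of the `GITHUB_OUTPUT` file; use `echo "changed=true" >> "$GITHUB_OUTPUT"` and `echo "changed=false" >> "$GITHUB_OUTPUT"` so the `Deploy Engine` step's `if:` keeps working once the old command stops being honoured. The step also runs on every event, and `${{ github.event.pull_request.base.sha }}` expands to an empty string outside pull requests, so the `git diff` would then compare the checkout against its own commit (presumably producing no output and always skipping the deployment); gating the step with `if: github.event_name == 'pull_request'` or reusing the existing `list-changed` output would make that explicit. The job's earlier steps are outside the hunk.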
@@ -4,3 +4,4 @@ credentials: password: password1 - username: user2 password: password2 +anchoreEndpoint: http://engine-anchore-engine-api:8228 diff --git a/stable/anchore-admission-controller/values.yaml b/stable/anchore-admission-controller/values.yaml index 3d1ca196..738365c5 100644 --- a/stable/anchore-admission-controller/values.yaml +++ b/stable/anchore-admission-controller/values.yaml @@ -5,7 +5,7 @@ fullnameOverride: Null replicaCount: 1 logVerbosity: 3 -image: "anchore/kubernetes-admission-controller:v0.4.0" +image: "anchore/kubernetes-admission-controller:v0.5.0" imagePullPolicy: IfNotPresent # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ imagePullSecrets: [] From 23a0429d2b736bacf64b9f229dbf08eb792a32f8 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 24 Oct 2023 17:20:25 -0400 Subject: [PATCH 247/329] updating envvars to use dig for getting feeds msrc and github values (#154) * updating envvars to use dig for getting feeds msrc and github values, add test that would have caught initial error * adding addition configmap tests for feeds dig function * bumping chart version Signed-off-by: Hung Nguyen --------- Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- .../templates/envvars_configmap.yaml | 4 +- stable/enterprise/tests/configmap_test.yaml | 85 +++++++++++++++++++ 3 files changed, 88 insertions(+), 3 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index ea89119b..43d0c7d8 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.2.4" +version: "0.2.5" appVersion: "4.9.3" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index 69a5ad72..e4da45bf 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml 
+++ b/stable/enterprise/templates/envvars_configmap.yaml @@ -60,8 +60,8 @@ data: {{- else }} ANCHORE_ENTERPRISE_UI_URL: {{ include "enterprise.ui.fullname" . | quote }} {{- end }} - ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED: {{ default "false" .Values.feeds.anchoreConfig.feeds.drivers.github.enabled | quote }} - ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: {{ default "false" .Values.feeds.anchoreConfig.feeds.drivers.msrc.enabled | quote }} + ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED: {{ dig "anchoreConfig" "feeds" "drivers" "github" "enabled" "false" .Values.feeds | quote }} + ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: {{ dig "anchoreConfig" "feeds" "drivers" "msrc" "enabled" "false" .Values.feeds | quote }} ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED: "true" ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED: "false" ANCHORE_FEEDS_SSL_VERIFY: "{{ .Values.anchoreConfig.internalServicesSSL.verifyCerts }}" diff --git a/stable/enterprise/tests/configmap_test.yaml b/stable/enterprise/tests/configmap_test.yaml index 95f3f94a..3433c48e 100644 --- a/stable/enterprise/tests/configmap_test.yaml +++ b/stable/enterprise/tests/configmap_test.yaml 
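Review bot: The switch to `dig` fixes the missing-path render error but leaves no trace of why the plain `.Values.feeds...` path was abandoned, so a later cleanup may well reintroduce it. A template comment above the two lines, e.g. `{{- /* dig tolerates an absent feeds.anchoreConfig.feeds.drivers subtree; a direct .Values path fails the render with a nil-pointer error */ }}`, records the reason. `dig` appears to require its last argument to be a map, which holds here only as long as `feeds` remains a dependency whose values Helm coalesces into `.Values.feeds`; that is worth a word in the same comment.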
@@ -50,3 +50,88 @@ tests: - equal: path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] value: "true" + + - it: should not throw a templating error if feeds.something is set but drivers are not + template: templates/envvars_configmap.yaml + set: + feeds.chartEnabled: false + asserts: + - equal: + path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] + value: "false" + - equal: + path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] + value: "false" + + - it: should set the msrc and github drivers if set differently + template: templates/envvars_configmap.yaml + set: + feeds.anchoreConfig.feeds.drivers.github.enabled: false + feeds.anchoreConfig.feeds.drivers.msrc.enabled: true + asserts: + - equal: + path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] + value: "true" + - equal: + path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] + value: "false" + + - it: should not throw a templating error if feeds.anchoreConfig.something is set but drivers are not + template: templates/envvars_configmap.yaml + set: + feeds.anchoreConfig.log_level: ERROR + asserts: + - equal: + path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] + value: "false" + - equal: + path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] + value: "false" + + - it: should not throw a templating error if feeds.anchoreConfig.feeds.something is set but drivers are not + template: templates/envvars_configmap.yaml + set: + feeds.anchoreConfig.feeds.cycle_timers.driver_sync: 9001 + asserts: + - equal: + path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] + value: "false" + - equal: + path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] + value: "false" + + - it: should not throw a templating error if feeds.anchoreConfig.feeds.drivers.something is set but github and msrc drivers are not + template: templates/envvars_configmap.yaml + set: + feeds.anchoreConfig.feeds.drivers.npm.enabled: true + asserts: + - equal: + path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] + value: "false" + - equal: + path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] + 
value: "false" + + - it: should set the msrc and github drivers correctly if only one is set + template: templates/envvars_configmap.yaml + set: + feeds.anchoreConfig.feeds.drivers.github.enabled: true + asserts: + - equal: + path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] + value: "false" + - equal: + path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] + value: "true" + + - it: should set the msrc and github drivers correctly if only the other is set + template: templates/envvars_configmap.yaml + set: + feeds.anchoreConfig.feeds.drivers.msrc.enabled: true + asserts: + - equal: + path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] + value: "true" + - equal: + path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] + value: "false" \ No newline at end of file From f5ce9c57970d911b3917dad4c9bc2359a15584d0 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 24 Oct 2023 18:49:01 -0400 Subject: [PATCH 248/329] add max threads back Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 1 + stable/enterprise/files/default_config.yaml | 2 ++ stable/enterprise/templates/envvars_configmap.yaml | 1 + .../enterprise/tests/__snapshot__/configmap_test.yaml.snap | 3 +++ stable/enterprise/values.yaml | 6 ++++++ 6 files changed, 14 insertions(+), 1 deletion(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 43d0c7d8..1b65d43a 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.2.5" +version: "0.2.2" appVersion: "4.9.3" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 3ed70b32..b78fbdea 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md 
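Review bot: The test file now ends without a trailing newline (`\ No newline at end of file` after the last `value: "false"`), which yamllint's `new-line-at-end-of-file` rule flags and which makes the next appended test show the current last line as modified. Add a final newline after the last assertion.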
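Review bot: The chart version moves backwards in the `Chart.yaml` hunk, from `"0.2.5"` to `"0.2.2"`, although the preceding commit (#154) had already set `0.2.5`; this looks like a rebase artefact rather than an intended bump, and a chart index or a version-increment lint check would presumably reject it or leave the new contents shadowed by the already-published version. The line should read `version: "0.2.6"` (or whatever the next unreleased version is).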
@@ -863,6 +863,7 @@ rbacManager: | `anchoreConfig.apiext.external.hostname` | Hostname for the external Anchore API | `""` | | `anchoreConfig.apiext.external.port` | Port configured for external Anchore API | `8443` | | `anchoreConfig.analyzer.cycle_timers.image_analyzer` | The interval between checks of the work queue for new analysis jobs | `1` | +| `anchoreConfig.analyzer.max_threads` | The concurrency of the Anchore Analyzer worker process | `1` | | `anchoreConfig.analyzer.layer_cache_max_gigabytes` | Specify a cache size > 0GB to enable image layer caching | `0` | | `anchoreConfig.analyzer.enable_hints` | Enable a user-supplied 'hints' file to override and/or augment the software artifacts found during analysis | `false` | | `anchoreConfig.analyzer.configFile` | Custom Anchore Analyzer configuration file contents in YAML | `{}` | diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml index c5256723..9802d981 100644 --- a/stable/enterprise/files/default_config.yaml +++ b/stable/enterprise/files/default_config.yaml @@ -16,6 +16,7 @@ auto_restart_services: false max_source_import_size_mb: ${ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB} max_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB} + max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB} metrics: @@ -89,6 +90,7 @@ services: max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} cycle_timer_seconds: 1 cycle_timers: {{- toYaml .Values.anchoreConfig.analyzer.cycle_timers | nindent 6 }} + max_threads: ${ANCHORE_ANALYZER_MAX_THREADS} analyzer_driver: 'nodocker' layer_cache_enable: ${ANCHORE_LAYER_CACHE_ENABLED} layer_cache_max_gigabytes: ${ANCHORE_LAYER_CACHE_SIZE_GB} diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index e4da45bf..17aab83b 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml +++ b/stable/enterprise/templates/envvars_configmap.yaml 
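Review bot: `max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB}` is added to the rendered config in the `@@ -16,6 +16,7 @@` hunk, but the `envvars_configmap.yaml` hunk in this commit only adds `ANCHORE_ANALYZER_MAX_THREADS` (the diffstat shows a single added line there) and the envvars snapshot likewise gains only that key, so unless the variable is provided elsewhere the placeholder is never substituted at runtime. The commit message ("add max threads back") does not mention this setting, and no `values.yaml` or README entry is added for it. Either add the matching envvars line, e.g. `ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB: "{{ .Values.anchoreConfig.PLACEHOLDER_PARAM }}"` (placeholder, the parameter does not exist yet) with a documented value, or split this change into its own commit. The top-level config block continues before and after the hunk.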
@@ -10,6 +10,7 @@ data: ANCHORE_ADMIN_EMAIL: "{{ .Values.anchoreConfig.default_admin_email }}" ANCHORE_ALLOW_ECR_IAM_AUTO: "{{ .Values.anchoreConfig.allow_awsecr_iam_auto }}" ANCHORE_ANALYZER_TASK_REQUEUE: "true" + ANCHORE_ANALYZER_MAX_THREADS: "{{ .Values.anchoreConfig.analyzer.max_threads }}" ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "{{ .Values.anchoreConfig.user_authentication.hashed_passwords }}" {{- with .Values.anchoreConfig.keys.publicKeyFileName }} ANCHORE_AUTH_PRIVKEY: "/home/anchore/certs/{{- . }}" diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index a55064d9..a3e55ee1 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -62,6 +62,7 @@ should render the configmaps: max_source_import_size_mb: ${ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB} max_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB} + max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB} metrics: @@ -125,6 +126,7 @@ should render the configmaps: cycle_timer_seconds: 1 cycle_timers: image_analyzer: 1 + max_threads: ${ANCHORE_ANALYZER_MAX_THREADS} analyzer_driver: 'nodocker' layer_cache_enable: ${ANCHORE_LAYER_CACHE_ENABLED} layer_cache_max_gigabytes: ${ANCHORE_LAYER_CACHE_SIZE_GB} @@ -341,6 +343,7 @@ should render the configmaps: data: ANCHORE_ADMIN_EMAIL: admin@myanchore ANCHORE_ALLOW_ECR_IAM_AUTO: "true" + ANCHORE_ANALYZER_MAX_THREADS: "1" ANCHORE_ANALYZER_TASK_REQUEUE: "true" ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "true" ANCHORE_AUTH_PRIVKEY: "null" diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index ae188f2b..f71ef032 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml 
@@ -354,6 +354,12 @@ anchoreConfig: cycle_timers: image_analyzer: 1 + ## @param anchoreConfig.analyzer.max_threads The concurrency of the Anchore Analyzer worker process + ## Can be configured to process more than one task at a time. This is IO bound so may not necessarily be faster depending on hardware. + ## Operators should test and balance this value vs. number of Anchore Analyzer replicas deployed. + ## + max_threads: 1 + ## @param anchoreConfig.analyzer.layer_cache_max_gigabytes Specify a cache size > 0GB to enable image layer caching ## This chart sets up a scratch directory for all Anchore Analyzer pods using the values found at .Values.scratchVolume ## When setting .Values.anchoreConfig.analyzer.layer_cache_max_gigabytes, ensure the scratch volume has sufficient storage space From d5c9de48b19d25fd86dc9a7f03cca2fd7a7ed970 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 25 Oct 2023 13:18:17 -0400 Subject: [PATCH 249/329] update script mapping to duplicate anchoreEnterpriseGlobal.imagePullSecretName (#156) Signed-off-by: Hung Nguyen --- scripts/enterprise-value-converter/mappings.py | 4 ++++ .../tests/test_anchoreGlobal_value_mapping.py | 1 + 2 files changed, 5 insertions(+) diff --git a/scripts/enterprise-value-converter/mappings.py b/scripts/enterprise-value-converter/mappings.py index 2626e925..3020ea99 100644 --- a/scripts/enterprise-value-converter/mappings.py +++ b/scripts/enterprise-value-converter/mappings.py @@ -322,6 +322,10 @@ "action": "duplicate", "new_keys": ["rbacAuth.extraEnv", "rbacManager.extraEnv"] }, + "anchoreEnterpriseGlobal.imagePullSecretName": { + "action": "duplicate", + "new_keys": ["imagePullSecretName", "feeds.imagePullSecretName"] + }, "anchoreEnterpriseFeeds.existingSecretName": { "action": "key_addition", "new_keys": [("feeds.existingSecretName", "default"), ("feeds.useExistingSecrets", True)] 
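Review bot: The new `duplicate` mapping copies only the secret *name* into `feeds.imagePullSecretName`, and nothing in the converter can confirm that a secret by that name exists where the feeds chart will be installed; since feeds is a separate release (its README has operators create the pull secret with `-n ${NAMESPACE}`), a migrated values file will presumably fail image pulls if feeds is deployed into a different namespace than the original anchore-engine release. A comment above the entry would save the next operator a confusing ImagePullBackOff: `# only the secret name is migrated; the Secret object must exist in the namespace the feeds chart is installed into`. The test added alongside asserts only the positive duplication, so the migration guide is the other place this caveat belongs. The mappings dict starts and ends outside this hunk.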
diff --git a/scripts/enterprise-value-converter/tests/test_anchoreGlobal_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreGlobal_value_mapping.py index 3dd1ce9c..edec34c3 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreGlobal_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreGlobal_value_mapping.py @@ -171,6 +171,7 @@ def test_anchoreGlobal_image_values(self): 'image': 'my.repo/anchore-enterprise:v4.9.0', 'imagePullPolicy': 'ifNotPresent', 'imagePullSecretName': 'enterprise-pull-secret', + 'feeds': { 'imagePullSecretName': 'enterprise-pull-secret' }, 'licenseSecretName': 'my-anchore-enterprise-license', } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) From 40ce42201245c47ccb5f7f9ecb3ba48e6d4de2aa Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 27 Oct 2023 12:13:11 -0400 Subject: [PATCH 250/329] update readme and chart version for v1.0.0 (#161) Signed-off-by: Brady Todhunter --- stable/feeds/Chart.yaml | 2 +- stable/feeds/README.md | 280 ++++++++++++++++++++++++++------------- stable/feeds/values.yaml | 6 +- 3 files changed, 195 insertions(+), 93 deletions(-) diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index f394d196..fc13af5d 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: feeds type: application -version: "0.1.1" +version: "1.0.0" appVersion: "4.9.3" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: Anchore feeds service diff --git a/stable/feeds/README.md b/stable/feeds/README.md index a6c4a207..d459a107 100644 --- a/stable/feeds/README.md +++ b/stable/feeds/README.md 
@@ -1,5 +1,7 @@ # Anchore Enterprise Feeds Helm Chart +> :exclamation: **Important:** View the **[Chart Release Notes](#release-notes)** for the latest changes prior to installation or upgrading. + This Helm chart deploys the Anchore Enterprise Feeds service on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. Anchore Enterprise Feeds is an On-Premises service that supplies operating system and non-operating system vulnerability data and package data for consumption by Anchore Policy Engine. Policy Engine uses this data for finding vulnerabilities and evaluating policies. 
@@ -10,80 +12,152 @@ See the [Anchore Feeds Documentation](https://docs.anchore.com/current/docs/over - [Prerequisites](#prerequisites) - [Installing the Chart](#installing-the-chart) +- [Installing on Openshift](#installing-on-openshift) - [Uninstalling the Chart](#uninstalling-the-chart) - [Configuration](#configuration) - [Feeds External Database Configuration](#feeds-external-database-configuration) - [Feeds Driver Configuration](#feeds-driver-configuration) - [Existing Secrets](#existing-secrets) - [Ingress](#ingress) - - [Installing on Openshift](#installing-on-openshift) + - [Prometheus Metrics](#prometheus-metrics) - [Parameters](#parameters) - [Release Notes](#release-notes) ## Prerequisites -* [Helm](https://helm.sh/) >=3.8 -* [Kubernetes](https://kubernetes.io/) >=1.23 +- [Helm](https://helm.sh/) >=3.8 +- [Kubernetes](https://kubernetes.io/) >=1.23 ## Installing the Chart -**View the [Chart Release Notes](#release-notes) for the latest changes prior to installation or upgrading.** +This guide covers deploying Anchore Enterprise on a Kubernetes cluster with the default configuration. -Create a kubernetes secret containing your license file +This guide covers deploying Anchore Enterprise on a Kubernetes cluster with the default configuration. For production deployments, refer to the [Configuration](#configuration) section for additional guidance. -```shell -export LICENSE_PATH="PATH TO LICENSE.YAML" +1. **Create a Kubernetes Secret for License File**: Generate a Kubernetes secret to store your Anchore Enterprise license file. -kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=${LICENSE_PATH} -``` + ```shell + export NAMESPACE=anchore + export LICENSE_PATH="license.yaml" -Create a kubernetes secret containing DockerHub credentials with access to the private Anchore Enterprise repositories. Contact [Anchore Support](https://get.anchore.com/contact/) for access. 
+ kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=${LICENSE_PATH} -n ${NAMESPACE} + ``` -```shell -export DOCKERHUB_PASSWORD="YOUR DOCKERHUB PASSWORD" -export DOCKERHUB_USER="YOUR DOCKERHUB USERNAME" -export DOCKERHUB_EMAIL="YOUR EMAIL ADDRESS" +1. **Create a Kubernetes Secret for DockerHub Credentials**: Generate another Kubernetes secret for DockerHub credentials. These credentials should have access to private Anchore Enterprise repositories. We recommend that you create a brand new DockerHub user for these pull credentials. Contact [Anchore Support](https://get.anchore.com/contact/) to obtain access. -kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=${DOCKERHUB_USER} --docker-password=${DOCKERHUB_PASSWORD} --docker-email=${DOCKERHUB_EMAIL} -``` + ```shell + export NAMESPACE=anchore + export DOCKERHUB_PASSWORD="password" + export DOCKERHUB_USER="username" + export DOCKERHUB_EMAIL="example@email.com" + + kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=${DOCKERHUB_USER} --docker-password=${DOCKERHUB_PASSWORD} --docker-email=${DOCKERHUB_EMAIL} -n ${NAMESPACE} + ``` + +1. **Add Chart Repository & Deploy Anchore Enterprise**: Create a custom values file, named `anchore_values.yaml`, to override any chart parameters. Refer to the [Parameters](#parameters) section for available options. -Add Helm Chart Repository And Install Chart + > :exclamation: **Important**: Default passwords are specified in the chart. It's highly recommended to modify these before deploying. + + ```shell + export NAMESPACE=anchore + export RELEASE=my-release + + helm repo add anchore https://charts.anchore.io + helm install ${RELEASE} -n ${NAMESPACE} anchore/feeds -f anchore_values.yaml + ``` + + > **Note**: This command installs Anchore Enterprise with a chart-managed PostgreSQL database, which may not be suitable for production use. 
See the [External Database](#external-database-requirements) section for details on using an external database. + +1. **Post-Installation Steps**: Anchore Enterprise will take some time to initialize. After the bootstrap phase, it will begin a vulnerability feed sync. Image analysis will show zero vulnerabilities until this sync is complete. This can take several hours based on the enabled feeds. + + > **Tip**: List all releases using `helm list` + +### Installing on Openshift + +By default, we assign the `securityContext.fsGroup`, `securityContext.runAsGroup`, and `securityContext.runAsUser` to `1000`. This will most likely fail on openshift for not being in the range determined by the `openshift.io/sa.scc.uid-range` annotation openshift attaches to the namespace when created. If using the chartEnabled postgresql, postgres will fail to come up as well due to this reason. + +1. Either disable the securityContext or set the appropriate values. +1. If using the chartEnabled postgres, you will also need to either disable the feeds-db.primary.podSecurityContext and feeds-db.primary.containerSecurityContext, or set the appropriate values for them + +Note: disabling the containerSecurityContext and podSecurityContext may not be suitable for production. See [Redhat's documentation](https://docs.openshift.com/container-platform/4.13/authentication/managing-security-context-constraints.html#managing-pod-security-policies) on what may be suitable for production. 
+ +For more information on the openshift.io/sa.scc.uid-range annotation, see the [openshift docs](https://docs.openshift.com/dedicated/authentication/managing-security-context-constraints.html#security-context-constraints-pre-allocated-values_configuring-internal-oauth) ```shell -helm repo add anchore https://charts.anchore.io +helm install feedsy anchore/feeds \ + --set securityContext.fsGroup=null \ + --set securityContext.runAsGroup=null \ + --set securityContext.runAsUser=null \ + --set feeds-db.primary.containerSecurityContext.enabled=false \ + --set feeds-db.primary.podSecurityContext.enabled=false ``` -Create a new file named `anchore_values.yaml` and add all desired custom [values](#parameters); then run the following command: +#### Example OpenShift values file -```shell -export RELEASE="YOUR RELEASE NAME" +```yaml +# NOTE: This is not a production ready values file for an openshift deployment. +securityContext: + fsGroup: null + runAsGroup: null + runAsUser: null -helm install ${RELEASE} -f anchore_values.yaml anchore/feeds +feeds-db: + primary: + containerSecurityContext: + enabled: false + podSecurityContext: + enabled: false ``` -> **Note:** This installs Anchore Feeds with a chart-managed Postgresql database, which may not be a production ready configuration. +## Upgrading the Chart + +A Helm pre-upgrade hook initiates a Kubernetes job that scales down all active Anchore Feeds pods and handles the Anchore database upgrade. + +The Helm upgrade is marked as successful only upon the job's completion. This process causes the Helm client to pause until the job finishes and new Anchore Enterprise pods are initiated. To monitor the upgrade, follow the logs of the upgrade job, which is automatically removed after a successful Helm upgrade. 
+ + ```shell + export NAMESPACE=anchore + export RELEASE=my-release -> **Tip**: List all releases using `helm list` + helm upgrade ${RELEASE} -n ${NAMESPACE} anchore/feeds -f anchore_values.yaml + ``` -These commands deploy the Anchore Enterprise Feeds service on the Kubernetes cluster with default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. +An optional post-upgrade hook is available to perform Anchore Feeds upgrades without forcing all pods to terminate prior to running the upgrade. This is the same upgrade behavior that was enabled by default in the legacy anchore-engine chart. To enable the post-upgrade hook, set `feedsUpgradeJob.usePostUpgradeHook=true` in your values file. ## Uninstalling the Chart -To uninstall/delete the deployment: +To completely remove the Anchore Feeds deployment and associated Kubernetes resources, follow the steps below: -```bash -export RELEASE="YOUR RELEASE NAME" + ```shell + export NAMESPACE=anchore + export RELEASE=my-release -helm delete ${RELEASE} -``` + helm delete ${RELEASE} -n ${NAMESPACE} + ``` + +After deleting the helm release, there are still a few persistent volume claims to delete. Delete these only if you're certain you no longer need them. + + ```shell + export NAMESPACE=anchore + export RELEASE=my-release -The command removes all the Kubernetes components associated with the chart and deletes the release. + kubectl get pvc -n ${NAMESPACE} + kubectl delete pvc ${RELEASE}-feeds -n ${NAMESPACE} + kubectl delete pvc ${RELEASE}-feeds-db -n ${NAMESPACE} + ``` ## Configuration -The following sections describe the various configuration options available for Anchore Enterprise. The default configuration is set in the included [values file](https://github.com/anchore/anchore-charts-dev/blob/main/stable/enterprise/values.yaml). To override these values, create a custom `anchore_values.yaml` file and add the desired configuration options. 
You custom values file can be passed to `helm install` using the `-f` flag. +This section outlines the available configuration options for Anchore Enterprise. The default settings are specified in the bundled [values file](https://github.com/anchore/anchore-charts-dev/blob/main/stable/feeds/values.yaml). To customize these settings, create your own `anchore_values.yaml` file and populate it with the configuration options you wish to override. To apply your custom configuration during installation, pass your custom values file to the `helm install` command: -Contact [Anchore Support](get.anchore.com/contact/) for more assistance with configuring your deployment. +```shell +export NAMESPACE=anchore +export RELEASE="my-release" + +helm install ${RELEASE} -n ${NAMESPACE} anchore/feeds -f custom_values.yaml +``` + +For additional guidance on customizing your Anchore Enterprise deployment, reach out to [Anchore Support](get.anchore.com/contact/). ### Feeds External Database Configuration 
@@ -134,9 +208,15 @@ anchoreConfig: ### Existing Secrets -For deployment scenarios that require version-controlled configuration to be used, it is recommended that credentials not be stored in values files. To accomplish this, you can manually create Kubernetes secrets and specify them as existing secrets in your values files. +For deployments where version-controlled configurations are essential, it's advised to avoid storing credentials directly in values files. Instead, manually create Kubernetes secrets and reference them as existing secrets within your values files. When using existing secrets, the chart will load environment variables into deployments from the secret names specified by the following values: + +- `.Values.existingSecretName` [default: anchore-enterprise-feeds-env] -Below we show example Kubernetes secret objects, and how they would be used in Anchore Enterprise configuration. +To enable this feature, set the following values to `true` in your values file: + +```yaml +useExistingSecrets: true +``` ```yaml apiVersion: v1 
@@ -146,64 +226,80 @@ metadata: app: anchore type: Opaque stringData: - ANCHORE_ADMIN_PASSWORD: "" - ANCHORE_FEEDS_DB_PASSWORD: "" -``` - -```yaml -useExistingSecrets: true + ANCHORE_ADMIN_PASSWORD: foobar1234 + ANCHORE_FEEDS_DB_NAME: anchore-feeds + ANCHORE_FEEDS_DB_USER: anchoreengine + ANCHORE_FEEDS_DB_PASSWORD: anchore-postgres,123 + ANCHORE_FEEDS_DB_HOST: anchore-enterprise-feeds-db + ANCHORE_FEEDS_DB_PORT: 5432 + # (if applicable) ANCHORE_SAML_SECRET: foobar,saml1234 + # (if applicable) ANCHORE_GITHUB_TOKEN: foobar,github1234 + # (if applicable) ANCHORE_NVD_API_KEY: foobar,nvd1234 + # (if applicable) ANCHORE_GEM_DB_NAME: anchore-gems + # (if applicable) ANCHORE_GEM_DB_USER: anchoregemsuser + # (if applicable) ANCHORE_GEM_DB_PASSWORD: foobar1234 + # (if applicable) ANCHORE_GEM_DB_HOST: anchorefeeds-gem-db.example.com:5432 ``` ### Ingress -[Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. Kubernetes supports a variety of ingress controllers, including AWS ALB controllers and GCE controllers. +[Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) serves as the gateway to expose HTTP and HTTPS routes from outside the Kubernetes cluster to services within it. Routing is governed by rules specified in the Ingress resource. Kubernetes supports a variety of ingress controllers, such as AWS ALB and GCE controllers. -This Helm chart provides basic ingress configuration suitable for customization. You can expose routes for Anchore Feeds APIs by configuring the `ingress:` section in your values file. +This Helm chart includes a foundational ingress configuration that is customizable. You can expose various Anchore Enterprise external APIs, including the core API, UI, reporting, RBAC, and feeds, by editing the `ingress` section in your values file. 
-Ingress is disabled by default in the Helm chart. The NGINX ingress controller with the core API and UI routes can be enabled by changing the `ingress.enabled` value to `true`. - -Note that the [Kubernetes NGINX ingress controller](https://kubernetes.github.io/ingress-nginx/) must be installed into the cluster for this configuration to work. +Ingress is disabled by default in this Helm chart. To enable it, along with the [NGINX ingress controller](https://kubernetes.github.io/ingress-nginx/) for core API and UI routes, set the `ingress.enabled` value to `true`. ```yaml ingress: enabled: true ``` -### Installing on Openshift +#### ALB Ingress Controller -By default, we assign the `securityContext.fsGroup`, `securityContext.runAsGroup`, and `securityContext.runAsUser` to `1000`. This will most likely fail on openshift for not being in the range determined by the `openshift.io/sa.scc.uid-range` annotation openshift attaches to the namespace when created. If using the chartEnabled postgresql, postgres will fail to come up as well due to this reason. +The [Kubernetes ALB ingress controller](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) must be installed into the cluster for this configuration to work. -1. Either disable the securityContext or set the appropriate values. -2. If using the chartEnabled postgres, you will also need to either disable the feeds-db.primary.podSecurityContext and feeds-db.primary.containerSecurityContext, or set the appropriate values for them - -Note: disabling the containerSecurityContext and podSecurityContext may not be suitable for production. See [Redhat's documentation](https://docs.openshift.com/container-platform/4.13/authentication/managing-security-context-constraints.html#managing-pod-security-policies) on what may be suitable for production. 
+```yaml +ingress: + enabled: true + annotations: + alb.ingress.kubernetes.io/scheme: internet-facing + ingressClassName: alb -For more information on the openshift.io/sa.scc.uid-range annotation, see the [openshift docs](https://docs.openshift.com/dedicated/authentication/managing-security-context-constraints.html#security-context-constraints-pre-allocated-values_configuring-internal-oauth) + hosts: + - anchore-feeds.example.com -```shell -helm install feedsy anchore/feeds \ - --set securityContext.fsGroup=null \ - --set securityContext.runAsGroup=null \ - --set securityContext.runAsUser=null \ - --set feeds-db.primary.containerSecurityContext.enabled=false \ - --set feeds-db.primary.podSecurityContext.enabled=false +service: + type: NodePort ``` -#### Example OpenShift values file +#### GCE Ingress Controller + +The [Kubernetes GCE ingress controller](https://cloud.google.com/kubernetes-engine/docs/concepts/ingress) must be installed into the cluster for this configuration to work. ```yaml -# NOTE: This is not a production ready values file for an openshift deployment. -securityContext: - fsGroup: null - runAsGroup: null - runAsUser: null +ingress: + enabled: true + ingressClassName: gce + paths: + - /v1/feeds/* + - /v2/feeds/* -feeds-db: - primary: - containerSecurityContext: - enabled: false - podSecurityContext: - enabled: false + hosts: + - anchore-feeds.example.com + +service: + type: NodePort +``` + +### Prometheus Metrics + +Anchore Enterprise offers native support for exporting Prometheus metrics from each of its containers. When this feature is enabled, each service exposes metrics via its existing service port. If you're adding Prometheus manually to your deployment, you'll need to configure it to recognize each pod and its corresponding ports. + +```yaml +anchoreConfig: + metrics: + enabled: true + auth_disabled: true ``` ## Parameters 
@@ -216,7 +312,7 @@ feeds-db: | `url` | Set a custom feeds URL. Useful when using a feeds service endpoint that is external from the cluster. | `""` | | `fullnameOverride` | overrides the fullname set on resources | `""` | | `nameOverride` | overrides the name set on resources | `""` | -| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v4.9.1` | +| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v4.9.3` | | `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | | `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | | `serviceAccountName` | Name of a service account used to run all Feeds pods | `""` | @@ -270,6 +366,7 @@ feeds-db: | `configOverride` | Allows for overriding the default Anchore configuration file | `{}` | | `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | + ### Anchore Feeds Configuration Parameters | Name | Description | Value | @@ -309,6 +406,7 @@ feeds-db: | `anchoreConfig.feeds.drivers.github.enabled` | Enable GitHub advisory feeds (requires GitHub PAT) | `false` | | `anchoreConfig.feeds.drivers.github.token` | GitHub developer personal access token with zero permission scopes | `""` | + ### Anchore Feeds Database Parameters | Name | Description | Value | 
@@ -323,11 +421,12 @@ feeds-db: | `feeds-db.primary.extraEnvVars` | An array to add extra environment variables | `[]` | | `feeds-db.image.tag` | Specifies the image to use for this chart. | `13.11.0-debian-11-r15` | + ### Feeds Gem Database Parameters | Name | Description | Value | | ----------------------------------------- | ------------------------------------------------------------------------------------------- | ----------------------- | -| `gem-db.chartEnabled` | Use the dependent chart for Postgresql deployment | `false` | +| `gem-db.chartEnabled` | Use the dependent chart for Postgresql deployment | | | `gem-db.externalEndpoint` | External Postgresql hostname when not using Helm managed chart (eg. mypostgres.myserver.io) | `""` | | `gem-db.auth.username` | Username used to connect to Postgresql | `anchore-gem-feeds` | | `gem-db.auth.password` | Password used to connect to Postgresql | `anchore-postgres,123` | @@ -337,6 +436,7 @@ feeds-db: | `gem-db.primary.extraEnvVars` | An array to add extra environment variables | `[]` | | `gem-db.image.tag` | Specifies the image to use for this chart. | `13.11.0-debian-11-r15` | + ### Anchore Feeds Upgrade Job Parameters | Name | Description | Value | 
@@ -354,17 +454,19 @@ feeds-db: | `feedsUpgradeJob.resources` | Resources for the Anchore Feeds upgrade job | `{}` | | `feedsUpgradeJob.ttlSecondsAfterFinished` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | + ### Ingress Parameters -| Name | Description | Value | -| -------------------------- | ------------------------------------------------------------------ | ----------- | -| `ingress.enabled` | Create an ingress resource for external Anchore service APIs | `false` | -| `ingress.labels` | Labels for the ingress resource | `{}` | -| `ingress.annotations` | Annotations for the ingress resource | `{}` | -| `ingress.hosts` | List of custom hostnames for the Anchore Feeds API | `[]` | -| `ingress.path` | The path used for accessing the Anchore Feeds API | `/v1/feeds` | -| `ingress.tls` | Configure tls for the ingress resource | `[]` | -| `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | +| Name | Description | Value | +| -------------------------- | ------------------------------------------------------------------ | ----------------------------- | +| `ingress.enabled` | Create an ingress resource for external Anchore service APIs | `false` | +| `ingress.labels` | Labels for the ingress resource | `{}` | +| `ingress.annotations` | Annotations for the ingress resource | `{}` | +| `ingress.hosts` | List of custom hostnames for the Anchore Feeds API | `[]` | +| `ingress.paths` | The path used for accessing the Anchore Feeds API | `["/v1/feeds/","/v2/feeds/"]` | +| `ingress.tls` | Configure tls for the ingress resource | `[]` | +| `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | + ### Google CloudSQL DB Parameters 
@@ -380,12 +482,12 @@ feeds-db: | `cloudsql.extraArgs` | a list of extra arguments to be passed into the cloudsql container command. eg | `[]` | -## Release Notes - -A major chart version change (v0.1.2 -> v1.0.0) indicates that there is an **incompatible breaking change needing manual actions.** +For the latest updates and features in Anchore Enterprise, see the official [Release Notes](https://docs.anchore.com/current/docs/releasenotes/). -A minor chart version change (v0.1.2 -> v0.2.0) indicates a change that **may require updates to your values file.** +- **Major Chart Version Change (e.g., v0.1.2 -> v1.0.0)**: Signifies an incompatible breaking change that necessitates manual intervention, such as updates to your values file or data migrations. +- **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention. +- **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update. -### v0.0.x +### v0.x.x -* This is a pre-release version of the Anchore Enterprise Helm chart. It is not intended for production use. +- This is a pre-release version of the Anchore Enterprise Helm chart and is not recommended for production deployments. diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml index a79e42a5..95ace0bc 100644 --- a/stable/feeds/values.yaml +++ b/stable/feeds/values.yaml 
@@ -417,11 +417,11 @@ feeds-db: ####################################### gem-db: - ## @param gem-db.chartEnabled Use the dependent chart for Postgresql deployment + ## @extra gem-db.chartEnabled Use the dependent chart for Postgresql deployment ## Configures a separate postgres database deployment for the feeds service Ruby Gems DB ## requires feeds.gemDriverEnabled=true ## - chartEnabled: false + ## chartEnabled: false ## @param gem-db.externalEndpoint External Postgresql hostname when not using Helm managed chart (eg. mypostgres.myserver.io) ## gem-db.externalEndpoint, gem-db.postgresqlUsername, gem-db.postgresqlPassword, @@ -542,7 +542,7 @@ ingress: ## hosts: [] - ## @param ingress.path The path used for accessing the Anchore Feeds API + ## @param ingress.paths The path used for accessing the Anchore Feeds API ## paths: - /v1/feeds/ From dad6e69393782911af34c89e233e28a943219a5e Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 27 Oct 2023 16:03:37 -0400 Subject: [PATCH 251/329] V1.0.0 feeds (#162) * hardcode metrics auth disabled * update test snapshots --------- Signed-off-by: Brady Todhunter --- stable/feeds/files/default_config.yaml | 3 +-- stable/feeds/tests/__snapshot__/configmap_test.yaml.snap | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/stable/feeds/files/default_config.yaml b/stable/feeds/files/default_config.yaml index 3fe9668f..956135e0 100644 --- a/stable/feeds/files/default_config.yaml +++ b/stable/feeds/files/default_config.yaml @@ -14,12 +14,11 @@ auto_restart_services: false max_source_import_size_mb: ${ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB} max_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB} - max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB} metrics: enabled: ${ANCHORE_ENABLE_METRICS} - auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH} + auth_disabled: true keys: secret: ${ANCHORE_SAML_SECRET} 
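Review bot: Commenting out `chartEnabled: false` under `gem-db` removes the default that previously drove the dependency condition, and Helm treats a dependency as enabled whenever none of its condition paths resolves to a boolean; if the feeds Chart.yaml uses `condition: gem-db.chartEnabled` alone (not visible here), a values file that never sets the key would now deploy the gem-db PostgreSQL subchart instead of skipping it as before. The README row in this same commit now shows an empty default for `gem-db.chartEnabled`, which points the same way and gives operators no hint of the behaviour change. If the goal is only to keep the key out of the generated parameter table, keep `chartEnabled: false` in values.yaml and mark it `## @skip gem-db.chartEnabled`, or confirm the condition also lists a path that is always present.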
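Review bot: Hard-coding `auth_disabled: true` means the feeds `/metrics` endpoint is served without authentication whenever `metrics.enabled` is true, and any `anchoreConfig.metrics.auth_disabled` / `ANCHORE_DISABLE_METRICS_AUTH` value an operator sets is now silently ignored, while the feeds README in this same series still shows `auth_disabled: true` as a user-settable option. If the decision is intentional it deserves an inline comment so the next reader does not reintroduce the variable: `# metrics auth is intentionally fixed to disabled for the feeds service; /metrics is unauthenticated whenever metrics.enabled is true, so restrict it at the network layer (NetworkPolicy / ingress rules)`. The chart's default ingress paths are `/v1/feeds/` and `/v2/feeds/`, so the endpoint is not exposed through the default ingress, but it remains reachable from anything in the cluster that can reach the service. The values.yaml and README entries for `anchoreConfig.metrics.auth_disabled` should be removed or marked as ignored so the drift does not persist.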
diff --git a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap index 2ea50bf6..a7552431 100644 --- a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap @@ -21,12 +21,11 @@ should render the configmaps: max_source_import_size_mb: ${ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB} max_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB} - max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB} metrics: enabled: ${ANCHORE_ENABLE_METRICS} - auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH} + auth_disabled: true keys: secret: ${ANCHORE_SAML_SECRET} From e260f66089bf2537f633021ca955e84c976e9e73 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 27 Oct 2023 22:48:38 -0400 Subject: [PATCH 252/329] Prepare chart for v1.0.0 release (#155) * make migration guide cleaner & remove redundant documentation * use v1 api by default for v4.9.3 deployment * adding pre-install hook for enterprise with backofflimit * update runtime_inventory comments * update test snapshots * bump chart version * add database backup step for external db * make data migration scripts a 1liner --------- Signed-off-by: Brady Todhunter Signed-off-by: Hung Nguyen Co-authored-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 488 +++++++++++------- .../templates/envvars_configmap.yaml | 2 +- .../pre-install/preinstall_db_check.yaml | 121 +++++ .../__snapshot__/configmap_test.yaml.snap | 14 +- .../enterprise/tests/common_helpers_test.yaml | 44 +- stable/enterprise/values.yaml | 14 +- 7 files changed, 468 insertions(+), 217 deletions(-) create mode 100644 stable/enterprise/templates/hooks/pre-install/preinstall_db_check.yaml diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 1b65d43a..cde093c7 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml 
@@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.2.2" +version: "0.2.3" appVersion: "4.9.3" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index b78fbdea..e6f2e4b7 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -12,6 +12,7 @@ See the [Anchore Enterprise Documentation](https://docs.anchore.com) for more de - [Prerequisites](#prerequisites) - [Installing the Chart](#installing-the-chart) +- [Installing on Openshift](#installing-on-openshift) - [Upgrading](#upgrading-the-chart) - [Uninstalling the Chart](#uninstalling-the-chart) - [Configuration](#configuration) @@ -23,7 +24,6 @@ See the [Anchore Enterprise Documentation](https://docs.anchore.com) for more de - [Configuring Analysis Archive Storage](#configuring-analysis-archive-storage) - [Existing Secrets](#existing-secrets) - [Ingress](#ingress) - - [SSO](#sso) - [Prometheus Metrics](#prometheus-metrics) - [Scaling Individual Services](#scaling-individual-services) - [Using TLS Internally](#using-tls-internally) 
@@ -40,22 +40,26 @@ See the [Anchore Enterprise Documentation](https://docs.anchore.com) for more de > **Note**: For migration steps from an Anchore Engine Helm chart deployment, refer to the [Migrating to the Anchore Enterprise Helm Chart](#migrating-to-the-anchore-enterprise-helm-chart) section. -This guide covers deploying Anchore Enterprise on a Kubernetes cluster with the default configuration. For further customization, refer to the [Parameters](#parameters) section. +This guide covers deploying Anchore Enterprise on a Kubernetes cluster with the default configuration. For production deployments, refer to the [Configuration](#configuration) section for additional guidance. 1. **Create a Kubernetes Secret for License File**: Generate a Kubernetes secret to store your Anchore Enterprise license file. ```shell - export LICENSE_PATH="${PWD}/license.yaml" - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=${LICENSE_PATH} + export NAMESPACE=anchore + export LICENSE_PATH="license.yaml" + + kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=${LICENSE_PATH} -n ${NAMESPACE} ``` -1. **Create a Kubernetes Secret for DockerHub Credentials**: Generate another Kubernetes secret for DockerHub credentials. These credentials should have access to private Anchore Enterprise repositories. Contact [Anchore Support](https://get.anchore.com/contact/) to obtain access. +1. **Create a Kubernetes Secret for DockerHub Credentials**: Generate another Kubernetes secret for DockerHub credentials. These credentials should have access to private Anchore Enterprise repositories. We recommend that you create a brand new DockerHub user for these pull credentials. Contact [Anchore Support](https://get.anchore.com/contact/) to obtain access. 
```shell + export NAMESPACE=anchore export DOCKERHUB_PASSWORD="password" export DOCKERHUB_USER="username" export DOCKERHUB_EMAIL="example@email.com" - kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=${DOCKERHUB_USER} --docker-password=${DOCKERHUB_PASSWORD} --docker-email=${DOCKERHUB_EMAIL} + + kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=${DOCKERHUB_USER} --docker-password=${DOCKERHUB_PASSWORD} --docker-email=${DOCKERHUB_EMAIL} -n ${NAMESPACE} ``` 1. **Add Chart Repository & Deploy Anchore Enterprise**: Create a custom values file, named `anchore_values.yaml`, to override any chart parameters. Refer to the [Parameters](#parameters) section for available options. 
@@ -63,24 +67,91 @@ This guide covers deploying Anchore Enterprise on a Kubernetes cluster with the > :exclamation: **Important**: Default passwords are specified in the chart. It's highly recommended to modify these before deploying. ```shell + export NAMESPACE=anchore export RELEASE=my-release + helm repo add anchore https://charts.anchore.io - helm install ${RELEASE} -f anchore_values.yaml anchore/enterprise + helm install ${RELEASE} -n ${NAMESPACE} anchore/enterprise -f anchore_values.yaml ``` - > **Note**: This command installs Anchore Enterprise with a chart-managed PostgreSQL database, which may not be suitable for production use. + > **Note**: This command installs Anchore Enterprise with a chart-managed PostgreSQL database, which may not be suitable for production use. See the [External Database](#external-database-requirements) section for details on using an external database. 1. **Post-Installation Steps**: Anchore Enterprise will take some time to initialize. After the bootstrap phase, it will begin a vulnerability feed sync. Image analysis will show zero vulnerabilities until this sync is complete. This can take several hours based on the enabled feeds. 
Use the following [anchorectl](https://docs.anchore.com/current/docs/deployment/anchorectl/) commands to check the system status: ```shell + export NAMESPACE=anchore export RELEASE=my-release - export ANCHORECTL_PASSWORD=$(kubectl get secret "${RELEASE}-enterprise" -o ‘go-template={{index .data “ANCHORE_ADMIN_PASSWORD”}}’ | base64 -d -) - kubectl port-forward svc/${RELEASE}-enterprise-api 8228:8228 # port forward for anchorectl in another terminal - anchorectl system wait # anchorectl defaults to the user admin, and to the password ${ANCHORECTL_PASSWORD} automatically if set + export ANCHORECTL_URL=http://localhost:8228/v1/ + export ANCHORECTL_PASSWORD=$(kubectl get secret "${RELEASE}-enterprise" -o jsonpath='{.data.ANCHORE_ADMIN_PASSWORD}' | base64 -d -) + + kubectl port-forward -n ${NAMESPACE} svc/${RELEASE}-enterprise-api 8228:8228 # port forward for anchorectl in another terminal + anchorectl system status # anchorectl defaults to the user admin, and to the password ${ANCHORECTL_PASSWORD} automatically if set ``` > **Tip**: List all releases using `helm list` +### Installing on Openshift + +As of August 2, 2023, Helm does not offer native support for passing `null` values to child or dependency charts. For details, refer to this [Helm GitHub issue](https://github.com/helm/helm/issues/9027). Given that the `feeds` chart is a dependency, a workaround is to deploy it as a standalone chart and configure the `enterprise` deployment to point to this separate `feeds` deployment. + +Additionally, be aware that you'll need to either disable or properly set the parameters for `containerSecurityContext`, `runAsUser`, and `fsGroup` for the `ui-redis` and any PostgreSQL database that you deploy using the Enterprise chart (e.g., via `postgresql.chartEnabled` or `feeds-db.chartEnabled`). + +For example: + +1. 
**Deploy feeds chart as a standalone deployment:** + + ```shell + helm install my-release anchore/feeds \ + --set securityContext.fsGroup=null \ + --set securityContext.runAsGroup=null \ + --set securityContext.runAsUser=null \ + --set feeds-db.primary.containerSecurityContext.enabled=false \ + --set feeds-db.primary.podSecurityContext.enabled=false + ``` + +1. **Deploy the enterprise chart with appropriate values:** + + ```shell + helm install anchore anchore/enterprise \ + --set securityContext.fsGroup=null \ + --set securityContext.runAsGroup=null \ + --set securityContext.runAsUser=null \ + --set feeds.chartEnabled=false \ + --set feeds.url=my-release-feeds \ + --set postgresql.primary.containerSecurityContext.enabled=false \ + --set postgresql.primary.podSecurityContext.enabled=false \ + --set ui-redis.master.podSecurityContext.enabled=false \ + --set ui-redis.master.containerSecurityContext.enabled=false + ``` + + > **Note:** disabling the containerSecurityContext and podSecurityContext may not be suitable for production. See [Redhat's documentation](https://docs.openshift.com/container-platform/4.13/authentication/managing-security-context-constraints.html#managing-pod-security-policies) on what may be suitable for production. For more information on the openshift.io/sa.scc.uid-range annotation, see the [openshift docs](https://docs.openshift.com/dedicated/authentication/managing-security-context-constraints.html#security-context-constraints-pre-allocated-values_configuring-internal-oauth) + +#### Example Openshift values file + +```yaml +# NOTE: This is not a production ready values file for an openshift deployment. 
+ +securityContext: + fsGroup: null + runAsGroup: null + runAsUser: null +feeds: + chartEnabled: false + url: my-release-feeds +postgresql: + primary: + containerSecurityContext: + enabled: false + podSecurityContext: + enabled: false +ui-redis: + master: + podSecurityContext: + enabled: false + containerSecurityContext: + enabled: false +``` + ## Upgrading the Chart A Helm pre-upgrade hook initiates a Kubernetes job that scales down all active Anchore Enterprise pods and handles the Anchore database upgrade. 
@@ -88,17 +159,35 @@ A Helm pre-upgrade hook initiates a Kubernetes job that scales down all active A The Helm upgrade is marked as successful only upon the job's completion. This process causes the Helm client to pause until the job finishes and new Anchore Enterprise pods are initiated. To monitor the upgrade, follow the logs of the upgrade jobs, which are automatically removed after a successful Helm upgrade. ```shell + export NAMESPACE=anchore export RELEASE=my-release - helm upgrade ${RELEASE} -f anchore_values.yaml anchore/enterprise + + helm upgrade ${RELEASE} -n ${NAMESPACE} anchore/enterprise -f anchore_values.yaml ``` +An optional post-upgrade hook is available to perform Anchore Enterprise upgrades without forcing all pods to terminate prior to running the upgrade. This is the same upgrade behavior that was enabled by default in the legacy anchore-engine chart. To enable the post-upgrade hook, set `upgradeJob.usePostUpgradeHook=true` in your values file. + ## Uninstalling the Chart To completely remove the Anchore Enterprise deployment and associated Kubernetes resources, follow the steps below: ```shell + export NAMESPACE=anchore export RELEASE=my-release - helm delete ${RELEASE} + + helm delete ${RELEASE} -n ${NAMESPACE} + ``` + +After deleting the helm release, there are still a few persistent volume claims to delete. Delete these only if you're certain you no longer need them. + + ```shell + export NAMESPACE=anchore + export RELEASE=my-release + + kubectl get pvc -n ${NAMESPACE} + kubectl delete pvc ${RELEASE}-feeds -n ${NAMESPACE} + kubectl delete pvc ${RELEASE}-feeds-db -n ${NAMESPACE} + kubectl delete pvc ${RELEASE}-postgresql -n ${NAMESPACE} ``` ## Configuration 
@@ -106,7 +195,10 @@ To completely remove the Anchore Enterprise deployment and associated Kubernetes This section outlines the available configuration options for Anchore Enterprise. The default settings are specified in the bundled [values file](https://github.com/anchore/anchore-charts-dev/blob/main/stable/enterprise/values.yaml). To customize these settings, create your own `anchore_values.yaml` file and populate it with the configuration options you wish to override. To apply your custom configuration during installation, pass your custom values file to the `helm install` command: ```shell -helm install my-release anchore/enterprise -f custom_values.yaml +export NAMESPACE=anchore +export RELEASE="my-release" + +helm install ${RELEASE} -n ${NAMESPACE} anchore/enterprise -f custom_values.yaml ``` For additional guidance on customizing your Anchore Enterprise deployment, reach out to [Anchore Support](get.anchore.com/contact/). 
@@ -253,7 +345,20 @@ Configuration of external analysis archive storage is essentially identical to c ### Existing Secrets -For deployments where version-controlled configurations are essential, it's advised to avoid storing credentials directly in values files. Instead, manually create Kubernetes secrets and reference them as existing secrets within your values files. +For deployments where version-controlled configurations are essential, it's advised to avoid storing credentials directly in values files. Instead, manually create Kubernetes secrets and reference them as existing secrets within your values files. When using existing secrets, the chart will load environment variables into deployments from the secret names specified by the following values: + +- `.Values.existingSecretName` [default: anchore-enterprise-env] +- `.Values.feeds.existingSecretName` [default: anchore-enterprise-feeds-env] +- `.Values.ui.existingSecretName` [default: anchore-enterprise-ui-env] + +To enable this feature, set the following values to `true` in your values file: + +```yaml +useExistingSecrets: true + +feeds: + useExistingSecrets: true +``` Below are sample Kubernetes secret objects and corresponding guidelines on integrating them into your Anchore Enterprise configuration. @@ -265,8 +370,13 @@ metadata: name: anchore-enterprise-env type: Opaque stringData: - ANCHORE_ADMIN_PASSWORD: "" - ANCHORE_DB_PASSWORD: "" + ANCHORE_ADMIN_PASSWORD: foobar1234 + ANCHORE_DB_NAME: anchore + ANCHORE_DB_USER: anchore + ANCHORE_DB_HOST: anchore-postgresql + ANCHORE_DB_PORT: 5432 + ANCHORE_DB_PASSWORD: anchore-postgres,123 + # (if applicable) ANCHORE_SAML_SECRET: foobar,saml1234 --- apiVersion: v1 
@@ -275,9 +385,9 @@ metadata: name: anchore-enterprise-ui-env type: Opaque stringData: - ANCHORE_ADMIN_PASSWORD: "" - ANCHORE_APPDB_URI: "postgresql://:@:5432/" - ANCHORE_REDIS_URI: "redis://nouser:@:6379" + # if using TLS to connect to Postgresql you must add the ?ssl=[require|verify-ca|verify-full] parameter to the end of the URI + ANCHORE_APPDB_URI: postgresql://anchoreengine:anchore-postgres,123@anchore-postgresql:5432/anchore + ANCHORE_REDIS_URI: redis://nouser:anchore-redis,123@anchore-ui-redis-master:6379 --- apiVersion: v1 @@ -287,15 +397,19 @@ metadata: app: anchore type: Opaque stringData: - ANCHORE_ADMIN_PASSWORD: "" - ANCHORE_FEEDS_DB_PASSWORD: "" -``` - -```yaml -useExistingSecrets: true - -feeds: - useExistingSecrets: true + ANCHORE_ADMIN_PASSWORD: foobar1234 + ANCHORE_FEEDS_DB_NAME: anchore-feeds + ANCHORE_FEEDS_DB_USER: anchoreengine + ANCHORE_FEEDS_DB_PASSWORD: anchore-postgres,123 + ANCHORE_FEEDS_DB_HOST: anchore-enterprise-feeds-db + ANCHORE_FEEDS_DB_PORT: 5432 + # (if applicable) ANCHORE_SAML_SECRET: foobar,saml1234 + # (if applicable) ANCHORE_GITHUB_TOKEN: foobar,github1234 + # (if applicable) ANCHORE_NVD_API_KEY: foobar,nvd1234 + # (if applicable) ANCHORE_GEM_DB_NAME: anchore-gems + # (if applicable) ANCHORE_GEM_DB_USER: anchoregemsuser + # (if applicable) ANCHORE_GEM_DB_PASSWORD: foobar1234 + # (if applicable) ANCHORE_GEM_DB_HOST: anchorefeeds-gem-db.example.com:5432 ``` ### Ingress 
@@ -394,19 +508,6 @@ ui: type: NodePort ``` -### SSO - -See [Anchore Enterprise SSO](https://docs.anchore.com/current/docs/configuration/sso/) documentation for information on configuring single sign-on. - -```yaml -anchoreConfig: - user_authentication: - oauth: - enabled: true - # WARNING: You should not change hashed_paswords after a system has been initialized as it may cause a mismatch in existing passwords - hashed_passwords: true -``` - ### Prometheus Metrics Anchore Enterprise offers native support for exporting Prometheus metrics from each of its containers. When this feature is enabled, each service exposes metrics via its existing service port. If you're adding Prometheus manually to your deployment, you'll need to configure it to recognize each pod and its corresponding ports. 
@@ -568,213 +669,223 @@ ui: ldapsRootCaCertName: ldap-combined-ca-cert-bundle.pem ``` -### Installing on Openshift - -As of August 2, 2023, Helm does not offer native support for passing `null` values to child or dependency charts. For details, refer to this [Helm GitHub issue](https://github.com/helm/helm/issues/9027). Given that the `feeds` chart is a dependency, a workaround is to deploy it as a standalone chart and configure the `enterprise` deployment to point to this separate `feeds` deployment. - -Additionally, be aware that you'll need to either disable or properly set the parameters for `containerSecurityContext`, `runAsUser`, and `fsGroup` for the `ui-redis` and any PostgreSQL database that you deploy using the Enterprise chart (e.g., via `postgresql.chartEnabled` or `feeds-db.chartEnabled`). - -For example: +### Migrating to the Anchore Enterprise Helm Chart -1. **deploy feeds chart as a standalone deployment:** +This guide provides steps for transitioning from an Anchore Engine Helm chart deployment to the updated Anchore Enterprise Helm chart, a necessary step for users planning to upgrade to Anchore Enterprise version v5.0.0 or later. - ```shell - helm install my-release anchore/feeds \ - --set securityContext.fsGroup=null \ - --set securityContext.runAsGroup=null \ - --set securityContext.runAsUser=null \ - --set feeds-db.primary.containerSecurityContext.enabled=false \ - --set feeds-db.primary.podSecurityContext.enabled=false - ``` + > :warning: **Warning**: The values file used by the Anchore Enterprise Helm chart is different from the one used by the Anchore Engine Helm chart. Make sure to convert your existing values file accordingly. -1. **deploy the enterprise chart with appropriate values:** +A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts) is available to automate the conversion of your Anchore Engine values file to the new Enterprise format. A usage example is provided below. 
- ```shell - helm install anchore . \ - --set securityContext.fsGroup=null \ - --set securityContext.runAsGroup=null \ - --set securityContext.runAsUser=null \ - --set feeds.chartEnabled=false \ - --set feeds.url=my-release-feeds \ - --set postgresql.primary.containerSecurityContext.enabled=false \ - --set postgresql.primary.podSecurityContext.enabled=false \ - --set ui-redis.master.podSecurityContext.enabled=false \ - --set ui-redis.master.containerSecurityContext.enabled=false - ``` +#### Migration Prerequisites - > **Note:** disabling the containerSecurityContext and podSecurityContext may not be suitable for production. See [Redhat's documentation](https://docs.openshift.com/container-platform/4.13/authentication/managing-security-context-constraints.html#managing-pod-security-policies) on what may be suitable for production. For more information on the openshift.io/sa.scc.uid-range annotation, see the [openshift docs](https://docs.openshift.com/dedicated/authentication/managing-security-context-constraints.html#security-context-constraints-pre-allocated-values_configuring-internal-oauth) +- **Anchore Version**: Ensure that your current deployment is running Anchore Enterprise version 4.9.x (but not v5.0.0+). This is required to ensure that the migration script can properly convert your values file. -#### Example Openshift values file + > **Note:** Upgrade your [anchore-engine](https://github.com/anchore/anchore-charts/tree/main/stable/anchore-engine) chart deployment to `v1.28.0` or higher to ensure that you're running Anchore Enterprise v4.9.x. -```yaml -# NOTE: This is not a production ready values file for an openshift deployment. +- **PostgreSQL Version**: You need PostgreSQL version 13 or higher. For upgrading your existing PostgreSQL installation, refer to the official [PostgreSQL documentation](https://www.postgresql.org/docs/13/upgrading.html). Database migration help for helm managed PostgreSQL deployments is provided below. 
-securityContext: - fsGroup: null - runAsGroup: null - runAsUser: null -feeds: - chartEnabled: false - url: my-release-feeds -postgresql: - primary: - containerSecurityContext: - enabled: false - podSecurityContext: - enabled: false -ui-redis: - master: - podSecurityContext: - enabled: false - containerSecurityContext: - enabled: false -``` - -### Migrating to the Anchore Enterprise Helm Chart + > **Note:** This chart deploys PostgreSQL 13 by default. -This guide provides steps for transitioning from an Anchore Engine Helm chart deployment to the updated Anchore Enterprise Helm chart, a necessary step for users planning to upgrade to Anchore Enterprise version v5.0.0 or later. +- **Runtime Environment**: Docker or Podman must be installed on the machine where the migration will run. - > :warning: **Warning**: The values file used by the Anchore Enterprise Helm chart is different from the one used by the Anchore Engine Helm chart. Make sure to convert your existing values file accordingly. +#### Migration Rollback Strategy -A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts) is available to automate the conversion of your Anchore Engine values file to the new Enterprise format. A usage -example is provided below. +The migration process is designed to be non-destructive by utilizing a blue/green deployment strategy. If you encounter any issues during the migration process, you can roll back to your previous deployment by simply scaling your Anchore-Engine deployment back up. -#### Migration Prerequisites +If you are using an external PostgreSQL database and were unable to use a blue/green deployment strategy for the migration, you will have to manually restore your database to the previous version using a backup that was taken prior to the migration. Then scale your Anchore-Engine deployment back up. -- **Anchore Version**: Ensure that your current deployment is running Anchore Enterprise version 4.9.0 or higher (but not v5.0.0+). 
+See the [Migration Rollback Steps](#migration-rollback-steps) section for more details. -- **PostgreSQL Version**: You need PostgreSQL version 13 or higher. For upgrading your existing PostgreSQL installation, refer to the official [PostgreSQL documentation](https://www.postgresql.org/docs/13/upgrading.html). Database migration help is provided below. - > **Note:** This chart deploys PostgreSQL 13 by default. +#### Step-by-Step Migration Process -- **Runtime Environment**: Docker or Podman must be installed on the machine where the migration will run. +1. **Upgrade Existing Anchore Engine Deployment**: Upgrade your existing Anchore Engine deployment to chart version 1.28.0 or higher. This will ensure that your deployment is running Anchore Enterprise v4.9.x. -- **Existing Secrets**: If you are not currently using existing secrets, you will have to create them to be used for the new enterprise deployment, or you will have to update the secrets created manually. See the section on [Existing Secrets](#existing-secrets) for more information on what is required. + ```shell + export NAMESPACE=anchore + export ENGINE_RELEASE= # Existing Engine release name + export VALUES_FILE_NAME=my-values-file.yaml # Existing Engine chart values file -#### Step-by-Step Migration Process + helm repo update + helm upgrade ${ENGINE_RELEASE} -n ${NAMESPACE} anchore/anchore-engine -f ${VALUES_FILE_NAME} --version=^1.28.0 + ``` 1. **Generate a New Enterprise Values File**: Use the migration script to convert your existing Anchore Engine values file to the new Anchore Enterprise format. This command mounts a local volume to persistently store the output files, and it mounts the input values file within the container for conversion. It's imperative to review both the output and the new [values file](values.yaml) before moving forward. 
```shell export VALUES_FILE_NAME=my-values-file.yaml # Existing Engine chart values file + docker run -v ${PWD}:/tmp -v ${PWD}/${VALUES_FILE_NAME}:/app/${VALUES_FILE_NAME} docker.io/anchore/enterprise-helm-migrator:latest -e /app/${VALUES_FILE_NAME} -d /tmp/output ``` -:rotating_light: For Anchore enterprise ">= 4.9.0, < 5.0.0", you will need to additionally set the following values in your values file to use the v1 api of Anchore. These will need to be removed once you upgrade to v5.0.0+ -``` -api: - service: - apiVersion: v1 -notifications: - service: - apiVersion: v1 -reports: - service: - apiVersion: v1 -rbacManager: - service: - apiVersion: v1 -``` - #### If Using an External PostgreSQL Database 1. **Scale Down Anchore Engine**: To avoid data inconsistency, scale down your existing Anchore Engine deployment to zero replicas. ```shell - export ENGINE_RELEASE=my-engine-release export NAMESPACE=anchore + export ENGINE_RELEASE= + kubectl scale deployment --replicas=0 -l app=${ENGINE_RELEASE}-anchore-engine -n ${NAMESPACE} ``` -1. **Perform database upgrade**: Upgrade your external database, we suggest you make a backup first. If using a managed cloud database service refer to their documentation. + +1. **Perform database backup**: Backup your external database. See the official [PostgreSQL documentation](https://www.postgresql.org/docs/13/backup.html) for guidance. If using a managed cloud database service refer to their documentation. + +1. **Perform database upgrade**: Upgrade your external database. See the official [PostgreSQL documentation](https://www.postgresql.org/docs/13/upgrading.html) for guidance. If using a managed cloud database service refer to their documentation. + + > Tip: If you're able to start a new database instance using a backup, you can use that instance for your upgrade & Enterprise deployment. This allows you to perform the migration without modifying your original database. 
Using a blue/green deployment strategy for the migration makes for very simple rollbacks if any errors are encountered during the migration. + +1. **(Optional) Update Database Hostname**: Manually update the database hostname in your values file and/or your existing secrets to the hostname of your newly created database for the Enterprise chart. This is only necessary if you're using the blue/green deployment strategy for the database upgrade. 1. **Deploy Anchore Enterprise**: Use the converted values file to deploy the new Anchore Enterprise Helm chart. + >**Note:** If you are **not using existing secrets**, you will need to uncomment the `ADMIN_PASS` and `SET_ADMIN_PASS` export commands below. This is needed to ensure that your Enterprise deployment stores the correct Anchore admin password in the secret. + ```shell - export ENTERPRISE_RELEASE=my-enterprise-release - export VALUES_FILE_NAME=${PWD}/output/my-values-file.yaml - helm install ${ENTERPRISE_RELEASE} -n ${NAMESPACE} -f ${VALUES_FILE_NAME} --set upgradeJob.force=true anchore/enterprise - ``` + export NAMESPACE=anchore + export ENTERPRISE_RELEASE= + export ENTERPRISE_VALUES_FILE=${PWD}/output/enterprise.my-values-file.yaml + + # If you are not using existing secrets, uncomment the following export commands + # + # export ADMIN_PASS=$(kubectl get secret -n ${NAMESPACE} ${ENGINE_RELEASE}-anchore-engine-admin-pass -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 -d -) + # export SET_ADMIN_PASS=("--set" "anchoreConfig.default_admin_password=${ADMIN_PASS}") - > **Note:** The `upgradeJob.force` flag is required to force the upgrade job to run upon installation. This value is not needed for future upgrades. Remember to unset it if passing it in via the command line or helm may persist the value. + helm install ${ENTERPRISE_RELEASE} -n ${NAMESPACE} ${SET_ADMIN_PASS[@]} -f ${ENTERPRISE_VALUES_FILE} anchore/enterprise --version=1.0.0 + ``` 1. 
**Verification and Cleanup**: After confirming that the Anchore Enterprise deployment is functional, you can safely uninstall the old Anchore Engine deployment. ```shell + export NAMESPACE=anchore + export ENGINE_RELEASE= + helm uninstall ${ENGINE_RELEASE} -n ${NAMESPACE} ``` + You may now have old engine persistent volume claims to delete. Delete these only when you are confident with the state of your new Enterprise Chart deployment. + + ```shell + export NAMESPACE=anchore + export ENGINE_RELEASE= + + kubectl get pvc -n ${NAMESPACE} + kubectl delete pvc ${ENGINE_RELEASE}-anchore-engine-enterprise-feeds -n ${NAMESPACE} + #### If Using the Dependent PostgreSQL Chart 1. **Scale Down Anchore Engine**: To avoid data inconsistency, scale down your existing Anchore Engine deployment to zero replicas. ```shell - export ENGINE_RELEASE=my-engine-release export NAMESPACE=anchore + export ENGINE_RELEASE= + kubectl scale deployment --replicas=0 -l app=${ENGINE_RELEASE}-anchore-engine -n ${NAMESPACE} ``` 1. **Deploy Anchore Enterprise**: Use the converted values file to deploy the new Anchore Enterprise Helm chart. - **NOTE**: You will have to migrate data from the old database to the new one after the chart is installed. 
The enterprise chart contains a helper pod to aid with this, to enable this pod, use the following in your helm install command line - ```shell - --set startMigrationPod=true - --set migrationAnchoreEngineSecretName=${ENGINE_RELEASE}-anchore-engine - ``` - As an example with the above commands: - ```shell - export ENGINE_RELEASE=my-engine-release - export ENTERPRISE_RELEASE=my-enterprise-release - export VALUES_FILE_NAME=${PWD}/output/my-values-file.yaml # The converted file - helm install ${ENTERPRISE_RELEASE} -n ${NAMESPACE} -f ${VALUES_FILE_NAME} --set upgradeJob.force=true --set startMigrationPod=true anchore/enterprise --set migrationAnchoreEngineSecretName=${ENGINE_RELEASE}-anchore-engine - ``` + >**Note:** You will have to migrate data from the old database to the new one after the chart is installed. The enterprise chart contains a helper pod to aid with this. This helper pod is enabled using the `startMigrationPod=true` & `migrationAnchoreEngineSecretName=${ENGINE_RELEASE}-anchore-engine` flags in the following command. + > + > If you **are using existing secrets**, you should ignore setting the `ADMIN_PASS` and `SET_ADMIN_PASS` environment variables. + + ```shell + export NAMESPACE=anchore + export ENGINE_RELEASE= + export ENTERPRISE_RELEASE= + export ENTERPRISE_VALUES_FILE=${PWD}/output/enterprise.my-values-file.yaml # The converted file + + # If you are using existing secrets, ignore the following export commands + # + export ADMIN_PASS=$(kubectl get secret -n ${NAMESPACE} ${ENGINE_RELEASE}-anchore-engine-admin-pass -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 -d -) + export SET_ADMIN_PASS=("--set" "anchoreConfig.default_admin_password=${ADMIN_PASS}") + + helm install ${ENTERPRISE_RELEASE} -n ${NAMESPACE} --set startMigrationPod=true --set migrationAnchoreEngineSecretName=${ENGINE_RELEASE}-anchore-engine ${SET_ADMIN_PASS[@]} anchore/enterprise -f ${ENTERPRISE_VALUES_FILE} --version=1.0.0 + ``` 1. 
**Scale Down Anchore Enterprise**: Before migrating the database, scale down the new Anchore Enterprise deployment to zero replicas. - ```shell - kubectl scale deployment --replicas=0 -l app.kubernetes.io/name=${ENTERPRISE_RELEASE}-enterprise - ``` + ```shell + export NAMESPACE=anchore + export ENTERPRISE_RELEASE= + + kubectl scale deployment -n ${NAMESPACE} --replicas=0 -l app.kubernetes.io/instance=${ENTERPRISE_RELEASE} + ``` -1. **Database Preparation**: Replace the existing Anchore database with a new database in PostgreSQL 13. +1. **Database Preparation**: Replace the existing Anchore database schema with a new database schema in the PostgreSQL 13 deployment. If you set `startMigrationPod=true` as per the step above, you can exec into the migrator pod using the following commands: - 1. If you set startMigrationPod=true as per the step above, you can exec into the migrator pod to run the commands. ```shell - kubectl -n ${NAMESPACE} exec -it ${ENTERPRISE_RELEASE}-enterprise-migrate-db - PGPASSWORD=${NEW_DB_PASSWORD} dropdb -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} ${NEW_DB_NAME}; PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} -c "CREATE DATABASE ${NEW_DB_NAME}" postgres + export NAMESPACE=anchore + export ENTERPRISE_RELEASE= + + kubectl -n ${NAMESPACE} exec -it ${ENTERPRISE_RELEASE}-enterprise-migrate-db -- /bin/bash -c 'PGPASSWORD=${NEW_DB_PASSWORD} dropdb -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} ${NEW_DB_NAME}; PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} -c "CREATE DATABASE ${NEW_DB_NAME}" postgres' ``` - 1. **Data Migration**: Migrate data from the old Anchore Engine database to the new Anchore Enterprise database. - 1. 
If you are using the included migration helper pod, the exec to that pod and run the following command: - ```shell - kubectl -n ${NAMESPACE} exec -it ${ENTEPRRISE_RELEASE}-enterprise-migrate-db - PGPASSWORD=${OLD_DB_PASSWORD} pg_dump -h ${OLD_DB_HOST} -U ${OLD_DB_USERNAME} -c ${OLD_DB_NAME} | PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} ${NEW_DB_NAME} - ``` - 2. If you are using your own pod then follow these steps - 1. Gather old DB parameters from the secret ${OLD_ENGINE_RELEASE}-anchore-engine - 2. Gather new DB parameters from the new secret ${NEW_ENTERPRISE_RELEASE}-enterprise - 3. Start a migration pod that has all the psql binaries required e.g. docker.io/postgresql:13 - 4. Export all the required environment variables - ```shell - PGPASSWORD=${OLD_DB_PASSWORD} pg_dump -h ${OLD_DB_HOST} -U ${OLD_DB_USERNAME} -c ${OLD_DB_NAME} | PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} ${NEW_DB_NAME} - ``` +1. **Data Migration**: Migrate data from the old Anchore Engine database to the new Anchore Enterprise database. + + - If you are using the migration helper pod, exec into that pod and perform the database migration using following commands: + + ```shell + export NAMESPACE=anchore + export ENTERPRISE_RELEASE= + + kubectl -n ${NAMESPACE} exec -it ${ENTERPRISE_RELEASE}-enterprise-migrate-db -- /bin/bash -c 'PGPASSWORD=${OLD_DB_PASSWORD} pg_dump -h ${OLD_DB_HOST} -U ${OLD_DB_USERNAME} -c ${OLD_DB_NAME} | PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} ${NEW_DB_NAME}' + ``` + + - If you are using your own pod then follow these steps + + 1. Gather old DB parameters from the secret ${OLD_ENGINE_RELEASE}-anchore-engine + 1. Gather new DB parameters from the new secret ${NEW_ENTERPRISE_RELEASE}-enterprise + 1. Start a migration pod that has all the psql binaries required e.g. docker.io/postgresql:13 + 1. 
Export all the required environment variables + + ```shell + PGPASSWORD=${OLD_DB_PASSWORD} pg_dump -h ${OLD_DB_HOST} -U ${OLD_DB_USERNAME} -c ${OLD_DB_NAME} | PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} ${NEW_DB_NAME} + ``` 1. **Upgrade Anchore Enterprise**: After migrating the data, upgrade the Anchore Enterprise Helm deployment. ```shell - helm upgrade ${ENTERPRISE_RELEASE} -n ${NAMESPACE} -f ${VALUES_FILE_NAME} anchore/enterprise + export NAMESPACE=anchore + export ENTERPRISE_RELEASE= + export ENTERPRISE_VALUES_FILE=${PWD}/output/enterprise.my-values-file.yaml # The converted file + + helm upgrade ${ENTERPRISE_RELEASE} -n ${NAMESPACE} --set startMigrationPod=false anchore/enterprise -f ${ENTERPRISE_VALUES_FILE} --version=1.0.0 ``` 1. **Final Verification and Cleanup**: After ensuring the new deployment is operational, uninstall the old Anchore Engine deployment. ```shell + export NAMESPACE=anchore + export ENGINE_RELEASE= + helm uninstall ${ENGINE_RELEASE} -n ${NAMESPACE} ``` - You may now have old engine persistent volume claims to delete. Delete these only when you are confident with the new Enterprise Chart deployment. + + You may now have old engine persistent volume claims to delete. Delete these only when you are confident with the state of your new Enterprise Chart deployment. 
+ ```shell - kubectl get pvc - kubectl delete pvc ${ENGINE_RELEASE}-anchore-engine-enterprise-feeds - kubectl delete pvc ${ENGINE_RELEASE}-anchore-feeds-db - kubectl delete pvc ${ENGINE_RELEASE}-postgresql + export NAMESPACE=anchore + export ENGINE_RELEASE= + + kubectl get pvc -n ${NAMESPACE} + kubectl delete pvc ${ENGINE_RELEASE}-anchore-engine-enterprise-feeds -n ${NAMESPACE} + kubectl delete pvc ${ENGINE_RELEASE}-anchore-feeds-db -n ${NAMESPACE} + kubectl delete pvc ${ENGINE_RELEASE}-postgresql -n ${NAMESPACE} ``` +#### Migration Rollback Steps + +If you encounter any issues during the migration process, a rollback can be performed by following these steps: + +1. **Uninstall Anchore Enterprise chart deployment** +1. **Delete values file created by the migration script** +1. **Delete existing secrets created for the Enterprise chart** +1. **Delete the Anchore Enterprise deployment database** +1. **(Optional)Restore the Anchore-Engine deployment database** +1. **Scale Anchore Engine chart deployment back up** +1. **Attempt migration process again** + ## Parameters ### Global Resource Parameters @@ -784,6 +895,7 @@ rbacManager: | `global.fullnameOverride` | overrides the fullname set on resources | `""` | | `global.nameOverride` | overrides the name set on resources | `""` | + ### Common Resource Parameters | Name | Description | Value | @@ -826,6 +938,7 @@ rbacManager: | `configOverride` | Allows for overriding the default Anchore configuration file | `""` | | `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | + ### Anchore Configuration Parameters | Name | Description | Value | @@ -920,6 +1033,7 @@ rbacManager: | `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. | `""` | | `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` | + ### Anchore API k8s Deployment Parameters | Name | Description | Value | 
@@ -931,7 +1045,7 @@ rbacManager: | `api.service.annotations` | Annotations for Anchore API service | `{}` | | `api.service.labels` | Labels for Anchore API service | `{}` | | `api.service.nodePort` | nodePort for Anchore API service | `""` | -| `api.service.apiVersion` | apiVersion for Anchore UI service to use when reaching out to the enterprise api | `v2` | +| `api.service.apiVersion` | apiVersion for Anchore UI service to use when reaching out to the enterprise api | `v1` | | `api.extraEnv` | Set extra environment variables for Anchore API pods | `[]` | | `api.resources` | Resource requests and limits for Anchore API pods | `{}` | | `api.labels` | Labels for Anchore API pods | `{}` | @@ -941,6 +1055,7 @@ rbacManager: | `api.affinity` | Affinity for Anchore API pod assignment | `{}` | | `api.serviceAccountName` | Service account name for Anchore API pods | `""` | + ### Anchore Analyzer k8s Deployment Parameters | Name | Description | Value | @@ -956,6 +1071,7 @@ rbacManager: | `analyzer.affinity` | Affinity for Anchore Analyzer pod assignment | `{}` | | `analyzer.serviceAccountName` | Service account name for Anchore API pods | `""` | + ### Anchore Catalog k8s Deployment Parameters | Name | Description | Value | @@ -975,6 +1091,7 @@ rbacManager: | `catalog.affinity` | Affinity for Anchore Catalog pod assignment | `{}` | | `catalog.serviceAccountName` | Service account name for Anchore Catalog pods | `""` | + ### Anchore Feeds Chart Parameters | Name | Description | Value | 
@@ -982,7 +1099,8 @@ rbacManager: | `feeds.chartEnabled` | Enable the Anchore Feeds chart | `true` | | `feeds.standalone` | Sets the Anchore Feeds chart to run into non-standalone mode, for use with Anchore Enterprise. | `false` | | `feeds.url` | Set the URL for a standalone Feeds service. Use when chartEnabled=false. | `""` | -| `feeds.service.apiVersion` | the apiVersion for the service when communicating with Anchore Feeds | `v2` | +| `feeds.service.apiVersion` | the apiVersion for the service when communicating with Anchore Feeds | `v1` | + ### Anchore Policy Engine k8s Deployment Parameters @@ -1003,6 +1121,7 @@ rbacManager: | `policyEngine.affinity` | Affinity for Anchore Policy Engine pod assignment | `{}` | | `policyEngine.serviceAccountName` | Service account name for Anchore Policy Engine pods | `""` | + ### Anchore Simple Queue Parameters | Name | Description | Value | @@ -1022,6 +1141,7 @@ rbacManager: | `simpleQueue.affinity` | Affinity for Anchore Simple Queue pod assignment | `{}` | | `simpleQueue.serviceAccountName` | Service account name for Anchore Simple Queue pods | `""` | + ### Anchore Notifications Parameters | Name | Description | Value | 
@@ -1032,7 +1152,7 @@ rbacManager: | `notifications.service.annotations` | Annotations for Anchore Notifications service | `{}` | | `notifications.service.labels` | Labels for Anchore Notifications service | `{}` | | `notifications.service.nodePort` | nodePort for Anchore Notifications service | `""` | -| `notifications.service.apiVersion` | apiVersion for Anchore UI service to use when reaching out to the enterprise api | `v2` | +| `notifications.service.apiVersion` | apiVersion for Anchore UI service to use when reaching out to the enterprise api | `v1` | | `notifications.extraEnv` | Set extra environment variables for Anchore Notifications pods | `[]` | | `notifications.resources` | Resource requests and limits for Anchore Notifications pods | `{}` | | `notifications.labels` | Labels for Anchore Notifications pods | `{}` | @@ -1042,6 +1162,7 @@ rbacManager: | `notifications.affinity` | Affinity for Anchore Notifications pod assignment | `{}` | | `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | + ### Anchore Reports Parameters | Name | Description | Value | @@ -1052,7 +1173,7 @@ rbacManager: | `reports.service.annotations` | Annotations for Anchore Reports service | `{}` | | `reports.service.labels` | Labels for Anchore Reports service | `{}` | | `reports.service.nodePort` | nodePort for Anchore Reports service | `""` | -| `reports.service.apiVersion` | apiVersion for Anchore UI service to use when reaching out to the enterprise api | `v2` | +| `reports.service.apiVersion` | apiVersion for Anchore UI service to use when reaching out to the enterprise api | `v1` | | `reports.extraEnv` | Set extra environment variables for Anchore Reports pods | `[]` | | `reports.resources` | Resource requests and limits for Anchore Reports pods | `{}` | | `reports.labels` | Labels for Anchore Reports pods | `{}` | 
@@ -1062,6 +1183,7 @@ rbacManager: | `reports.affinity` | Affinity for Anchore Reports pod assignment | `{}` | | `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | + ### Anchore RBAC Authentication Parameters | Name | Description | Value | @@ -1069,6 +1191,7 @@ rbacManager: | `rbacAuth.extraEnv` | Set extra environment variables for Anchore RBAC Authentication containers | `[]` | | `rbacAuth.resources` | Resource requests and limits for Anchore RBAC Authentication containers | `{}` | + ### Anchore RBAC Manager Parameters | Name | Description | Value | @@ -1079,7 +1202,7 @@ rbacManager: | `rbacManager.service.annotations` | Annotations for Anchore RBAC Manager service | `{}` | | `rbacManager.service.labels` | Labels for Anchore RBAC Manager service | `{}` | | `rbacManager.service.nodePort` | nodePort for Anchore RBAC Manager service | `""` | -| `rbacManager.service.apiVersion` | apiVersion for Anchore UI service to use when reaching out to the enterprise api | `v2` | +| `rbacManager.service.apiVersion` | apiVersion for Anchore UI service to use when reaching out to the enterprise api | `v1` | | `rbacManager.extraEnv` | Set extra environment variables for Anchore RBAC Manager pods | `[]` | | `rbacManager.resources` | Resource requests and limits for Anchore RBAC Manager pods | `{}` | | `rbacManager.labels` | Labels for Anchore RBAC Manager pods | `{}` | @@ -1089,6 +1212,7 @@ rbacManager: | `rbacManager.affinity` | Affinity for Anchore RBAC Manager pod assignment | `{}` | | `rbacManager.serviceAccountName` | Service account name for Anchore RBAC Manager pods | `""` | + ### Anchore UI Parameters | Name | Description | Value | @@ -1112,6 +1236,7 @@ rbacManager: | `ui.affinity` | Affinity for Anchore ui pod assignment | `{}` | | `ui.serviceAccountName` | Service account name for Anchore UI pods | `""` | + ### Anchore Upgrade Job Parameters | Name | Description | Value | 
@@ -1129,6 +1254,7 @@ rbacManager: | `upgradeJob.labels` | Labels for the Anchore upgrade job | `{}` | | `upgradeJob.ttlSecondsAfterFinished` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | + ### Ingress Parameters | Name | Description | Value | @@ -1147,6 +1273,7 @@ rbacManager: | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | + ### Google CloudSQL DB Parameters | Name | Description | Value | @@ -1160,6 +1287,7 @@ rbacManager: | `cloudsql.serviceAccJsonName` | | `""` | | `cloudsql.extraArgs` | a list of extra arguments to be passed into the cloudsql container command. eg | `[]` | + ### Anchore UI Redis Parameters | Name | Description | Value | @@ -1170,6 +1298,7 @@ rbacManager: | `ui-redis.architecture` | Redis deployment architecture | `standalone` | | `ui-redis.master.persistence.enabled` | enables persistence | `false` | + ### Anchore Database Parameters | Name | Description | Value | 
@@ -1189,9 +1318,10 @@ rbacManager: For the latest updates and features in Anchore Enterprise, see the official [Release Notes](https://docs.anchore.com/current/docs/releasenotes/). -- **Major Chart Version Change (e.g., v0.1.2 -> v1.0.0)**: Signifies an incompatible breaking change that necessitates manual intervention. -- **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a modification that may require adjustments to your values file. +- **Major Chart Version Change (e.g., v0.1.2 -> v1.0.0)**: Signifies an incompatible breaking change that necessitates manual intervention, such as updates to your values file or data migrations. +- **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention. +- **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update. -### v0.1.x +### v0.x.x - This is a pre-release version of the Anchore Enterprise Helm chart and is not recommended for production deployments. diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index 17aab83b..500f88b9 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml +++ b/stable/enterprise/templates/envvars_configmap.yaml 
@@ -51,7 +51,7 @@ data: ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER: "true" ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE: "true" {{- if eq (toString .Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days) "-1" }} - {{- fail "The Value `-1` is no longer valid for `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days`. Please use `.Values.anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite=true` to force runtime inventory to be overwritten upon every update. `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days` must be set to a value >1." -}} + {{- fail "The Value `-1` is no longer valid for `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days`. Please use `.Values.anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite=true` to force runtime inventory to be overwritten upon every update for that reported context. `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days` must be set to a value >1." -}} {{- else }} ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_TTL_DAYS: "{{ .Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days }}" ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_INGEST_OVERWRITE: "{{ .Values.anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite }}" diff --git a/stable/enterprise/templates/hooks/pre-install/preinstall_db_check.yaml b/stable/enterprise/templates/hooks/pre-install/preinstall_db_check.yaml new file mode 100644 index 00000000..fa39127f --- /dev/null +++ b/stable/enterprise/templates/hooks/pre-install/preinstall_db_check.yaml 
@@ -0,0 +1,121 @@ +{{- if not .Values.postgresql.chartEnabled -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-db-check" (include "enterprise.fullname" .) }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" . | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "nil" true) .) | nindent 4 }} + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": hook-succeeded +spec: + backoffLimit: 1 + template: + metadata: + name: + labels: {{- include "enterprise.common.labels" . | nindent 8 }} + annotations: {{- include "enterprise.common.annotations" . | nindent 8 }} + spec: + {{- include "enterprise.common.podSpec" . | indent 6 }} + restartPolicy: Never + volumes: + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.certStoreSecretName }} + - name: certs + secret: + secretName: {{ . }} + {{- end }} + {{- if .Values.cloudsql.useExistingServiceAcc }} + - name: {{ .Values.cloudsql.serviceAccSecretName }} + secret: + secretName: {{ .Values.cloudsql.serviceAccSecretName }} + {{- end }} + containers: + {{- if .Values.cloudsql.enabled }} + {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} + {{- end }} + - name: check-enterprise-db + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- with .Values.containerSecurityContext }} + securityContext: {{ toYaml . 
| nindent 12 }} + {{- end }} + {{- if .Values.useExistingSecrets }} + envFrom: + - secretRef: + name: {{ .Values.existingSecretName }} + {{- end }} + {{- if or .Values.anchoreConfig.database.ssl (not .Values.useExistingSecrets) }} + env: + {{- if not .Values.useExistingSecrets }} + - name: ANCHORE_DB_USER + value: {{ .Values.postgresql.auth.username | quote }} + - name: ANCHORE_DB_PASSWORD + value: {{ .Values.postgresql.auth.password | quote }} + - name: ANCHORE_DB_HOST + value: {{ .Values.postgresql.externalEndpoint | quote }} + - name: ANCHORE_DB_PORT + value: {{ .Values.postgresql.primary.service.ports.postgresql | quote }} + - name: ANCHORE_DB_NAME + value: {{ .Values.postgresql.auth.database | quote }} + {{- end }} + {{- if .Values.anchoreConfig.database.ssl }} + - name: ANCHORE_DB_SSL_MODE + value: {{ .Values.anchoreConfig.database.sslMode | quote }} + - name: ANCHORE_DB_SSL_ROOT_CERT + value: {{ .Values.anchoreConfig.database.sslRootCertFileName | quote }} + {{- end }} + {{- end }} + volumeMounts: + {{- with .Values.extraVolumeMounts }} + {{- toYaml . 
| nindent 12 }} + {{- end }} + {{- if .Values.certStoreSecretName }} + - name: certs + mountPath: /home/anchore/certs/ + readOnly: true + {{- end }} + command: ["/bin/bash", "-c"] + args: + - | + timeout=600 # 10 minutes in seconds + start_time=$(date +%s) + + CONNSTR=postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}":"${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" + + if [[ ${ANCHORE_DB_SSL_MODE} != null ]]; then + CONNSTR=${CONNSTR}?sslmode=${ANCHORE_DB_SSL_MODE} + fi + + if [[ ${ANCHORE_DB_SSL_ROOT_CERT} != null ]]; then + CONNSTR=${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_DB_SSL_ROOT_CERT} + fi + + while true; do + current_time=$(date +%s) + elapsed_time=$((current_time - start_time)) + + if [[ $elapsed_time -ge $timeout ]]; then + echo "Database connection timeout" + exit 1 + fi + + output=$(anchore-enterprise-manager db --db-connect ${CONNSTR} pre-upgrade-check 2>&1) + + if [ $? -eq 0 ]; then + echo "Database is ready" + exit 0 + elif [[ "$output" == *"Enterprise requires Postgres version 13.0 or higher"* ]]; then + echo "Error: Enterprise requires Postgres version 13.0 or higher" + exit 1 + else + echo "Database is not ready yet, sleeping 10 seconds..." + sleep 10 + fi + + done + +{{- end -}} \ No newline at end of file diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index a3e55ee1..09cbf006 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap 
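Review bot: The SSL guards in the check script compare against the literal string `null` (`if [[ ${ANCHORE_DB_SSL_MODE} != null ]]`), but the template only renders `ANCHORE_DB_SSL_MODE`/`ANCHORE_DB_SSL_ROOT_CERT` under `anchoreConfig.database.ssl`, so on a non-SSL deployment both variables are empty, both tests are true, and the connection string gets `?sslmode=` and `&sslrootcert=/home/anchore/certs/` appended with empty values. Test for a non-empty value instead: `if [[ -n "${ANCHORE_DB_SSL_MODE:-}" ]]; then` and `if [[ -n "${ANCHORE_DB_SSL_ROOT_CERT:-}" ]]; then`. Separately, the password is spliced unescaped into the URI and passed to `anchore-enterprise-manager db --db-connect ${CONNSTR}` as an argument, so it is readable from `/proc/<pid>/cmdline` by any process in the pod and a password containing `@`, `/`, `#` or `%` breaks the URI; if the manager's DB layer honours libpq's `PGPASSWORD`, leaving the password out of the URI would address both (to be confirmed against the tool). When `useExistingSecrets` is false the same password is also rendered as a plain `value:` in the Job manifest, where it lands in the Helm release record and `kubectl get job -o yaml`; routing it through a `secretRef` as the existing-secrets branch already does would keep it out of the manifest. Finally, the retry branch discards `$output`, so an authentication or DNS failure loops silently for the full 10 minutes — `echo "$output"` before the `sleep 10` would make the cause visible.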
@@ -220,22 +220,22 @@ should render the configmaps: data: grypedb: enabled: true - url: http://test-release-feeds:8448/v2/databases/grypedb + url: http://test-release-feeds:8448/v1/databases/grypedb vulnerabilities: enabled: ${ANCHORE_FEEDS_VULNERABILITIES_ENABLED} - url: http://test-release-feeds:8448/v2/feeds + url: http://test-release-feeds:8448/v1/feeds nvdv2: enabled: ${ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED} - url: http://test-release-feeds:8448/v2/feeds + url: http://test-release-feeds:8448/v1/feeds github: enabled: ${ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED} - url: http://test-release-feeds:8448/v2/feeds + url: http://test-release-feeds:8448/v1/feeds packages: enabled: ${ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED} - url: http://test-release-feeds:8448/v2/feeds + url: http://test-release-feeds:8448/v1/feeds microsoft: enabled: ${ANCHORE_FEEDS_DRIVER_MSRC_ENABLED} - url: http://test-release-feeds:8448/v2/feeds + url: http://test-release-feeds:8448/v1/feeds ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} 
@@ -501,7 +501,7 @@ should render the configmaps: 6: | apiVersion: v1 data: - config-ui.yaml: "# Anchore UI configuration\nengine_uri: 'http://test-release-enterprise-api:8228/v2'\nreports_uri: 'http://test-release-enterprise-api:8558/v2'\nnotifications_uri: 'http://test-release-enterprise-notifications:8668/v2'\nrbac_uri: 'http://test-release-enterprise-rbac-manager:8229/v2'\nenterprise_uri: 'http://test-release-enterprise-api:8228/v2'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: true\nforce_websocket: false\nauthentication_lock:\n count: 5\n expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: true\nenable_prometheus_metrics: false\n" + config-ui.yaml: "# Anchore UI configuration\nengine_uri: 'http://test-release-enterprise-api:8228/v1'\nreports_uri: 'http://test-release-enterprise-api:8558/v1'\nnotifications_uri: 'http://test-release-enterprise-notifications:8668/v1'\nrbac_uri: 'http://test-release-enterprise-rbac-manager:8229/v1'\nenterprise_uri: 'http://test-release-enterprise-api:8228/v2'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: true\nforce_websocket: false\nauthentication_lock:\n count: 5\n expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: true\nenable_prometheus_metrics: false\n" kind: ConfigMap metadata: annotations: 
diff --git a/stable/enterprise/tests/common_helpers_test.yaml b/stable/enterprise/tests/common_helpers_test.yaml index 10e1dc31..1fb42067 100644 --- a/stable/enterprise/tests/common_helpers_test.yaml +++ b/stable/enterprise/tests/common_helpers_test.yaml @@ -833,11 +833,11 @@ tests: asserts: - matchRegex: path: data["config.yaml"] - pattern: "url: my-feeds-url/v2/databases/grypedb" + pattern: "url: my-feeds-url/v1/databases/grypedb" - matchRegex: path: data["config.yaml"] - pattern: "url: my-feeds-url/v2/feeds" + pattern: "url: my-feeds-url/v1/feeds" - it: should render v1 anchoreFeedsURL with feeds.url set set: @@ -867,11 +867,11 @@ tests: asserts: - matchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v2/databases/grypedb" + pattern: "url: http://test-release-feeds:8448/v1/databases/grypedb" - matchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v2/feeds" + pattern: "url: http://test-release-feeds:8448/v1/feeds" - it: should render grypeProviderURL with anchoreConfig.policy_engine.overrideFeedsToUpstream set: @@ -883,7 +883,7 @@ tests: asserts: - notMatchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v2/databases/grypedb" + pattern: "url: http://test-release-feeds:8448/v1/databases/grypedb" - matchRegex: path: data["config.yaml"] @@ -900,7 +900,7 @@ tests: asserts: - notMatchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v2/databases/grypedb" + pattern: "url: http://test-release-feeds:8448/v1/databases/grypedb" - matchRegex: path: data["config.yaml"] 
@@ -915,19 +915,19 @@ tests: asserts: - matchRegex: path: data["config.yaml"] - pattern: "url: https://test-release-feeds:8448/v2/databases/grypedb" + pattern: "url: https://test-release-feeds:8448/v1/databases/grypedb" - matchRegex: path: data["config.yaml"] - pattern: "url: https://test-release-feeds:8448/v2/feeds" + pattern: "url: https://test-release-feeds:8448/v1/feeds" - notMatchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v2/databases/grypedb" + pattern: "url: http://test-release-feeds:8448/v1/databases/grypedb" - notMatchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v2/feeds" + pattern: "url: http://test-release-feeds:8448/v1/feeds" - it: should set the correct protocol with anchoreConfig.internalServicesSSL.enabled to true for deployments set: @@ -953,19 +953,19 @@ tests: asserts: - matchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v2/databases/grypedb" + pattern: "url: http://test-release-feeds:8448/v1/databases/grypedb" - matchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v2/feeds" + pattern: "url: http://test-release-feeds:8448/v1/feeds" - notMatchRegex: path: data["config.yaml"] - pattern: "url: https://test-release-feeds:8448/v2/databases/grypedb" + pattern: "url: https://test-release-feeds:8448/v1/databases/grypedb" - notMatchRegex: path: data["config.yaml"] - pattern: "url: https://test-release-feeds:8448/v2/feeds" + pattern: "url: https://test-release-feeds:8448/v1/feeds" - it: should set the correct protocol with anchoreConfig.internalServicesSSL.enabled to false for deployments set: 
@@ -991,16 +991,16 @@ tests: asserts: - matchRegex: path: data["config-ui.yaml"] - pattern: "engine_uri: 'http://test-release-enterprise-api:8228/v2'" + pattern: "engine_uri: 'http://test-release-enterprise-api:8228/v1'" - matchRegex: path: data["config-ui.yaml"] - pattern: "rbac_uri: 'http://test-release-enterprise-rbac-manager:8229/v2'" + pattern: "rbac_uri: 'http://test-release-enterprise-rbac-manager:8229/v1'" - matchRegex: path: data["config-ui.yaml"] - pattern: "notifications_uri: 'http://test-release-enterprise-notifications:8668/v2'" + pattern: "notifications_uri: 'http://test-release-enterprise-notifications:8668/v1'" - matchRegex: path: data["config-ui.yaml"] - pattern: "reports_uri: 'http://test-release-enterprise-api:8558/v2'" + pattern: "reports_uri: 'http://test-release-enterprise-api:8558/v1'" - it: should set the correct protocol with anchoreConfig.internalServicesSSL.enabled to true for ui_configmap.yaml set: @@ -1011,16 +1011,16 @@ tests: asserts: - matchRegex: path: data["config-ui.yaml"] - pattern: "engine_uri: 'https://test-release-enterprise-api:8228/v2'" + pattern: "engine_uri: 'https://test-release-enterprise-api:8228/v1'" - matchRegex: path: data["config-ui.yaml"] - pattern: "rbac_uri: 'https://test-release-enterprise-rbac-manager:8229/v2'" + pattern: "rbac_uri: 'https://test-release-enterprise-rbac-manager:8229/v1'" - matchRegex: path: data["config-ui.yaml"] - pattern: "notifications_uri: 'https://test-release-enterprise-notifications:8668/v2'" + pattern: "notifications_uri: 'https://test-release-enterprise-notifications:8668/v1'" - matchRegex: path: data["config-ui.yaml"] - pattern: "reports_uri: 'https://test-release-enterprise-api:8558/v2'" + pattern: "reports_uri: 'https://test-release-enterprise-api:8558/v1'" - it: should set the correct apiVersion for ui_configmap.yaml set: diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index f71ef032..aebbc729 100644 --- a/stable/enterprise/values.yaml 
+++ b/stable/enterprise/values.yaml @@ -477,8 +477,8 @@ anchoreConfig: name: db config: {} - ## @param anchoreConfig.catalog.runtime_inventory.image_ttl_days TTL for images in the inventory report working set - ## @param anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite disables the image_ttl cycle timer. + ## @param anchoreConfig.catalog.runtime_inventory.image_ttl_days TTL for runtime inventory. + ## @param anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite force runtime inventory to be overwritten upon every update for that reported context. ## When `image_ingest_overwrite=true` upon ingestion of inventory, removes anything previously reported by the namespace and only keep the latest inventory posted. ## This new config value is used instead of setting `image_ttl_days=-1` ## ref: https://docs.anchore.com/current/docs/configuration/runtime_inventory/ @@ -656,7 +656,7 @@ api: annotations: {} labels: {} nodePort: "" - apiVersion: v2 + apiVersion: v1 ## @param api.extraEnv Set extra environment variables for Anchore API pods ## @@ -809,7 +809,7 @@ feeds: ## @param feeds.service.apiVersion the apiVersion for the service when communicating with Anchore Feeds ## service: - apiVersion: v2 + apiVersion: v1 ########################################################### @@ -939,7 +939,7 @@ notifications: annotations: {} labels: {} nodePort: "" - apiVersion: v2 + apiVersion: v1 ## @param notifications.extraEnv Set extra environment variables for Anchore Notifications pods ## @@ -994,7 +994,7 @@ reports: annotations: {} labels: {} nodePort: "" - apiVersion: v2 + apiVersion: v1 ## @param reports.extraEnv Set extra environment variables for Anchore Reports pods ## @@ -1061,7 +1061,7 @@ rbacManager: annotations: {} labels: {} nodePort: "" - apiVersion: v2 + apiVersion: v1 ## @param rbacManager.extraEnv Set extra environment variables for Anchore RBAC Manager pods ## From c3c79b092705d231711463317fc7b1142c076552 Mon Sep 17 00:00:00 2001 
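Review bot: The `apiVersion: v1` defaults in the `api.service` hunk (and the matching `notifications`, `reports` and `rbacManager` hunks) carry no comment tying them to the deployed Anchore release, so the next `appVersion` bump can silently leave them stale. A one-line note above each would prevent that, e.g. `## Must match the API version served by the deployed Anchore Enterprise release (see appVersion in Chart.yaml); v1 for the 4.9.x line.` — the "v1 for 4.9.x" part is inferred from the accompanying release notes and should be confirmed. The enclosing `api:` / `rbacManager:` mappings start and end outside the hunk.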
From: Brady Todhunter Date: Fri, 27 Oct 2023 20:07:35 -0700 Subject: [PATCH 253/329] update feeds readme Signed-off-by: Brady Todhunter --- stable/feeds/Chart.yaml | 2 +- stable/feeds/README.md | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index fc13af5d..1d9c133a 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: feeds type: application -version: "1.0.0" +version: "1.0.1" appVersion: "4.9.3" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: Anchore feeds service diff --git a/stable/feeds/README.md b/stable/feeds/README.md index d459a107..178f275a 100644 --- a/stable/feeds/README.md +++ b/stable/feeds/README.md @@ -488,6 +488,11 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention. - **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update. +### v1.0.0 + +- This is a stable release of the Anchore Feeds Helm chart and is recommended for production deployments. +- Deploys Anchore Feeds v4.9.3. + ### v0.x.x - This is a pre-release version of the Anchore Enterprise Helm chart and is not recommended for production deployments. From 65206cab7ccef27c8cb1c6886f791b095f3c0240 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 27 Oct 2023 20:08:59 -0700 Subject: [PATCH 254/329] version bump to v1.0.0 Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.lock | 6 +++--- stable/enterprise/Chart.yaml | 4 ++-- stable/enterprise/README.md | 10 ++++++++-- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock index dd754da9..d3439c53 100644 --- a/stable/enterprise/Chart.lock +++ b/stable/enterprise/Chart.lock 
@@ -7,6 +7,6 @@ dependencies: version: 17.11.8 - name: feeds repository: https://charts.anchore.io/stable - version: 0.0.9 -digest: sha256:3bcc143fdabcb9ecd754d37c55e3c7eadad57e73367fef9476ec2463e93fdfb8 -generated: "2023-09-26T16:36:55.550736-07:00" + version: 1.0.0 +digest: sha256:7e86d57803a23d1bb4bb1689b3e837856ab941fb8604a1580935c777db151ac5 +generated: "2023-10-27T20:08:10.897279-07:00" diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index cde093c7..103f8e31 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.2.3" +version: "1.0.0" appVersion: "4.9.3" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | @@ -39,7 +39,7 @@ dependencies: condition: ui-redis.chartEnabled alias: ui-redis - name: feeds - version: "~0.0" + version: "~1.0" repository: "@anchore" # repository: file://../feeds condition: feeds.chartEnabled diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index e6f2e4b7..55eb7e1f 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md 
@@ -996,8 +996,8 @@ If you encounter any issues during the migration process, a rollback can be perf | `anchoreConfig.catalog.event_log` | Event log for webhooks, YAML configuration | `{}` | | `anchoreConfig.catalog.analysis_archive` | Custom analysis archive YAML configuration | `{}` | | `anchoreConfig.catalog.object_store` | Custom object storage YAML configuration | `{}` | -| `anchoreConfig.catalog.runtime_inventory.image_ttl_days` | TTL for images in the inventory report working set | `120` | -| `anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite` | disables the image_ttl cycle timer. | `false` | +| `anchoreConfig.catalog.runtime_inventory.image_ttl_days` | TTL for runtime inventory. | `120` | +| `anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite` | force runtime inventory to be overwritten upon every update for that reported context. | `false` | | `anchoreConfig.catalog.down_analyzer_task_requeue` | Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state | `true` | | `anchoreConfig.policy_engine.cycle_timers.feed_sync` | Interval to run a feed sync to get latest cve data | `14400` | | `anchoreConfig.policy_engine.cycle_timers.feed_sync_checker` | Interval between checks to see if there needs to be a task queued | `3600` | 
@@ -1322,6 +1322,12 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention. - **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update. +### v1.0.0 + +- This is a stable release of the Anchore Enterprise Helm chart and is recommended for production deployments. +- Deploys Anchore Enterprise v4.9.3. +- This version of the chart is required for the migration from the anchore-engine chart, and is a pre-requisite for Anchore Enterprise 5.0. + ### v0.x.x - This is a pre-release version of the Anchore Enterprise Helm chart and is not recommended for production deployments. From b297afe2143964144f7720f7e2a29e6ceae79db2 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 27 Oct 2023 20:25:39 -0700 Subject: [PATCH 255/329] fix migration guide formatting Signed-off-by: Brady Todhunter --- stable/enterprise/README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 55eb7e1f..53e194b1 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -27,7 +27,7 @@ See the [Anchore Enterprise Documentation](https://docs.anchore.com) for more de - [Prometheus Metrics](#prometheus-metrics) - [Scaling Individual Services](#scaling-individual-services) - [Using TLS Internally](#using-tls-internally) - - [Migrating to the Anchore Enterprise Helm Chart](#migrating-to-the-anchore-enterprise-helm-chart) +- [Migrating to the Anchore Enterprise Helm Chart](#migrating-to-the-anchore-enterprise-helm-chart) - [Parameters](#parameters) - [Release Notes](#release-notes) 
@@ -669,7 +669,7 @@ ui: ldapsRootCaCertName: ldap-combined-ca-cert-bundle.pem ``` -### Migrating to the Anchore Enterprise Helm Chart +## Migrating to the Anchore Enterprise Helm Chart This guide provides steps for transitioning from an Anchore Engine Helm chart deployment to the updated Anchore Enterprise Helm chart, a necessary step for users planning to upgrade to Anchore Enterprise version v5.0.0 or later. @@ -677,7 +677,7 @@ This guide provides steps for transitioning from an Anchore Engine Helm chart de A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts) is available to automate the conversion of your Anchore Engine values file to the new Enterprise format. A usage example is provided below. -#### Migration Prerequisites +### Migration Prerequisites - **Anchore Version**: Ensure that your current deployment is running Anchore Enterprise version 4.9.x (but not v5.0.0+). This is required to ensure that the migration script can properly convert your values file. @@ -689,7 +689,7 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts - **Runtime Environment**: Docker or Podman must be installed on the machine where the migration will run. -#### Migration Rollback Strategy +### Migration Rollback Strategy The migration process is designed to be non-destructive by utilizing a blue/green deployment strategy. If you encounter any issues during the migration process, you can roll back to your previous deployment by simply scaling your Anchore-Engine deployment back up. 
@@ -697,7 +697,7 @@ If you are using an external PostgreSQL database and were unable to use a blue/g See the [Migration Rollback Steps](#migration-rollback-steps) section for more details. -#### Step-by-Step Migration Process +### Step-by-Step Migration Process 1. **Upgrade Existing Anchore Engine Deployment**: Upgrade your existing Anchore Engine deployment to chart version 1.28.0 or higher. This will ensure that your deployment is running Anchore Enterprise v4.9.x. @@ -874,7 +874,7 @@ See the [Migration Rollback Steps](#migration-rollback-steps) section for more d kubectl delete pvc ${ENGINE_RELEASE}-postgresql -n ${NAMESPACE} ``` -#### Migration Rollback Steps +### Migration Rollback Steps If you encounter any issues during the migration process, a rollback can be performed by following these steps: From b482e38a96357528a2b3e371025a561ed84bacae Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 27 Oct 2023 20:49:24 -0700 Subject: [PATCH 256/329] remove extra quotes from secrets Signed-off-by: Brady Todhunter --- stable/enterprise/templates/anchore_secret.yaml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/stable/enterprise/templates/anchore_secret.yaml b/stable/enterprise/templates/anchore_secret.yaml index e86c5ecf..5556b3a5 100644 --- a/stable/enterprise/templates/anchore_secret.yaml +++ b/stable/enterprise/templates/anchore_secret.yaml @@ -8,8 +8,8 @@ {{- if .Release.IsUpgrade -}} {{- $anchoreSecret := (lookup "v1" "Secret" .Release.Namespace (include "enterprise.fullname" .)) -}} {{- if $anchoreSecret -}} - {{- $anchoreAdminPass = (index $anchoreSecret.data "ANCHORE_ADMIN_PASSWORD" | b64dec) -}} - {{- $anchoreSamlSecret = (index $anchoreSecret.data "ANCHORE_SAML_SECRET" | b64dec) -}} + {{- $anchoreAdminPass = (index $anchoreSecret.data "ANCHORE_ADMIN_PASSWORD" | b64dec) | quote -}} + {{- $anchoreSamlSecret = (index $anchoreSecret.data "ANCHORE_SAML_SECRET" | b64dec) | quote -}} {{- end -}} {{- end -}} 
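Review bot: The two `index $anchoreSecret.data ...` lookups on the new `+` lines assume both keys exist in the Secret found on upgrade; if a pre-existing Secret lacks `ANCHORE_SAML_SECRET` (or `ANCHORE_ADMIN_PASSWORD`), `index` yields nil and the `b64dec | quote` pipeline will, depending on how the template engine coerces it, either fail the upgrade render or silently replace the value with an empty quoted string. Guard each assignment, e.g. wrap the SAML line in `{{- if hasKey $anchoreSecret.data "ANCHORE_SAML_SECRET" -}} ... {{- end -}}` (and the same for the admin password), so the generated fallback above the hunk is kept instead. A related caveat: `lookup` returns an empty object under `helm template`/`--dry-run` and in GitOps tools that render client-side, so on those paths the `.Release.IsUpgrade` branch never fires and the default assigned outside this hunk is used, which can rotate the admin password and SAML secret; a comment above the `if .Release.IsUpgrade` line stating this would save operators a surprise. The variable declarations these assignments update are above the hunk.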
@@ -22,14 +22,13 @@ metadata: annotations: {{- include "enterprise.common.annotations" . | nindent 4 }} type: Opaque stringData: - ANCHORE_ADMIN_PASSWORD: {{ $anchoreAdminPass | quote }} - ANCHORECTL_PASSWORD: {{ $anchoreAdminPass | quote }} - ANCHORECLI_PASS: {{ $anchoreAdminPass | quote }} + ANCHORE_ADMIN_PASSWORD: {{ $anchoreAdminPass }} + ANCHORECTL_PASSWORD: {{ $anchoreAdminPass }} ANCHORE_DB_HOST: {{ include "enterprise.dbHostname" . | quote }} ANCHORE_DB_NAME: {{ index .Values "postgresql" "auth" "database" | quote }} ANCHORE_DB_USER: {{ index .Values "postgresql" "auth" "username" | quote }} ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "auth" "password" | quote }} ANCHORE_DB_PORT: {{ index .Values "postgresql" "primary" "service" "ports" "postgresql" | quote }} - ANCHORE_SAML_SECRET: {{ $anchoreSamlSecret | quote }} + ANCHORE_SAML_SECRET: {{ $anchoreSamlSecret }} {{- end -}} From 212055a53545c2b00530dab55ac4cb91fdc09ef2 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 27 Oct 2023 21:05:06 -0700 Subject: [PATCH 257/329] update unit tests Signed-off-by: Brady Todhunter --- stable/enterprise/tests/common_helpers_test.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/stable/enterprise/tests/common_helpers_test.yaml b/stable/enterprise/tests/common_helpers_test.yaml index 1fb42067..fc030021 100644 --- a/stable/enterprise/tests/common_helpers_test.yaml +++ b/stable/enterprise/tests/common_helpers_test.yaml @@ -808,9 +808,8 @@ tests: - isSubset: path: stringData content: - ANCHORE_ADMIN_PASSWORD: '"my-password"' - ANCHORECLI_PASS: '"my-password"' - ANCHORECTL_PASSWORD: '"my-password"' + ANCHORE_ADMIN_PASSWORD: my-password + ANCHORECTL_PASSWORD: my-password count: 1 any: true @@ -821,7 +820,7 @@ tests: asserts: - matchRegex: path: stringData["ANCHORE_ADMIN_PASSWORD"] - pattern: ^\"[a-zA-Z0-9]{32}\"$ + pattern: ^[a-zA-Z0-9]{32}$ - it: should render anchoreFeedsURL with feeds.url set set: 
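Review bot: The removal of `ANCHORECLI_PASS` from `stringData` is an interface change that the commit message ("remove extra quotes from secrets") does not mention; any Pod spec or script that reads this Secret via `secretKeyRef` with key `ANCHORECLI_PASS` will fail to start after the upgrade. Either keep the key for one release, `ANCHORECLI_PASS: {{ $anchoreAdminPass }}` with a `# deprecated: use ANCHORECTL_PASSWORD` comment, or call the removal out in the v1.0.x release notes. A smaller point of style: the three values are now emitted unquoted and rely on every assignment to `$anchoreAdminPass`/`$anchoreSamlSecret` having applied `| quote`; a future assignment that forgets it would let a password such as `0123` or `true` be retyped by YAML and rejected as non-string `stringData`, so a short comment on the `ANCHORE_ADMIN_PASSWORD:` line noting that the variables arrive pre-quoted would help. The variable definitions are above the hunk.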
From ac29bdedc504db8a67f7504a14c0d4226e8c710e Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 27 Oct 2023 21:34:04 -0700 Subject: [PATCH 258/329] just a couple more wording updates Signed-off-by: Brady Todhunter --- stable/enterprise/README.md | 35 +++++++++++++++++++---------------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 53e194b1..20b17763 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -40,7 +40,7 @@ See the [Anchore Enterprise Documentation](https://docs.anchore.com) for more de > **Note**: For migration steps from an Anchore Engine Helm chart deployment, refer to the [Migrating to the Anchore Enterprise Helm Chart](#migrating-to-the-anchore-enterprise-helm-chart) section. -This guide covers deploying Anchore Enterprise on a Kubernetes cluster with the default configuration. For production deployments, refer to the [Configuration](#configuration) section for additional guidance. +This guide covers deploying Anchore Enterprise on a Kubernetes cluster with the default configuration. Refer to the [Configuration](#configuration) section for additional guidance on production deployments. 1. **Create a Kubernetes Secret for License File**: Generate a Kubernetes secret to store your Anchore Enterprise license file. 
@@ -156,7 +156,7 @@ ui-redis: A Helm pre-upgrade hook initiates a Kubernetes job that scales down all active Anchore Enterprise pods and handles the Anchore database upgrade. -The Helm upgrade is marked as successful only upon the job's completion. This process causes the Helm client to pause until the job finishes and new Anchore Enterprise pods are initiated. To monitor the upgrade, follow the logs of the upgrade jobs, which are automatically removed after a successful Helm upgrade. +The Helm upgrade is marked as successful only upon the job's completion. This process causes the Helm client to pause until the job finishes and new Anchore Enterprise pods are initiated. To monitor the upgrade, follow the logs of the upgrade jobs. These jobs are automatically removed after a subsequent successful Helm upgrade. ```shell export NAMESPACE=anchore @@ -192,7 +192,7 @@ After deleting the helm release, there are still a few persistent volume claims ## Configuration -This section outlines the available configuration options for Anchore Enterprise. The default settings are specified in the bundled [values file](https://github.com/anchore/anchore-charts-dev/blob/main/stable/enterprise/values.yaml). To customize these settings, create your own `anchore_values.yaml` file and populate it with the configuration options you wish to override. To apply your custom configuration during installation, pass your custom values file to the `helm install` command: +This section outlines some of the available configuration options for Anchore Enterprise. The default settings are specified in the bundled [values file](https://github.com/anchore/anchore-charts-dev/blob/main/stable/enterprise/values.yaml). To customize these settings, create your own `anchore_values.yaml` file and populate it with the configuration options you wish to override. To apply your custom configuration during installation, pass your custom values file to the `helm install` command: ```shell export NAMESPACE=anchore 
@@ -691,9 +691,9 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts ### Migration Rollback Strategy -The migration process is designed to be non-destructive by utilizing a blue/green deployment strategy. If you encounter any issues during the migration process, you can roll back to your previous deployment by simply scaling your Anchore-Engine deployment back up. +The migration employs a blue/green deployment strategy to minimize risk and facilitate easy rollback. Should you encounter issues during the migration, reverting to the prior state is straightforward: simply scale your Anchore-Engine deployment back up. -If you are using an external PostgreSQL database and were unable to use a blue/green deployment strategy for the migration, you will have to manually restore your database to the previous version using a backup that was taken prior to the migration. Then scale your Anchore-Engine deployment back up. +For those using an external PostgreSQL database without the benefit of a blue/green deployment strategy, a manual database restoration is necessary. Utilize a pre-migration backup to restore the database to its previous version, and then proceed to scale your Anchore-Engine deployment back up. See the [Migration Rollback Steps](#migration-rollback-steps) section for more details. 
@@ -710,7 +710,9 @@ See the [Migration Rollback Steps](#migration-rollback-steps) section for more d helm upgrade ${ENGINE_RELEASE} -n ${NAMESPACE} anchore/anchore-engine -f ${VALUES_FILE_NAME} --version=^1.28.0 ``` -1. **Generate a New Enterprise Values File**: Use the migration script to convert your existing Anchore Engine values file to the new Anchore Enterprise format. This command mounts a local volume to persistently store the output files, and it mounts the input values file within the container for conversion. It's imperative to review both the output and the new [values file](values.yaml) before moving forward. +1. **Generate a New Enterprise Values File**: Use the migration script to convert your existing Anchore Engine values file to the new Anchore Enterprise format. + + >**Note**: This command mounts a local volume to persistently store the output files, it also mounts the input values file within the container for conversion. It's critical to review both the output logs and the new `output/enterprise.values.yaml` file before moving forward. ```shell export VALUES_FILE_NAME=my-values-file.yaml # Existing Engine chart values file 
@@ -733,9 +735,9 @@ See the [Migration Rollback Steps](#migration-rollback-steps) section for more d 1. **Perform database upgrade**: Upgrade your external database. See the official [PostgreSQL documentation](https://www.postgresql.org/docs/13/upgrading.html) for guidance. If using a managed cloud database service refer to their documentation. - > Tip: If you're able to start a new database instance using a backup, you can use that instance for your upgrade & Enterprise deployment. This allows you to perform the migration without modifying your original database. Using a blue/green deployment strategy for the migration makes for very simple rollbacks if any errors are encountered during the migration. + > Tip: Leveraging a backup to instantiate a new database instance enables a non-intrusive database upgrade and Enterprise chart migration. This approach preserves the integrity of your original database. By adopting a blue/green deployment strategy for the migration, you gain the advantage of effortless rollbacks in case of migration-related issues. -1. **(Optional) Update Database Hostname**: Manually update the database hostname in your values file and/or your existing secrets to the hostname of your newly created database for the Enterprise chart. This is only necessary if you're using the blue/green deployment strategy for the database upgrade. +1. **(Optional) Update Database Hostname**: If you're employing a blue/green deployment strategy for the database upgrade, update the database hostname in your values file and/or existing Kubernetes secrets to point to your newly created database instance. This step is essential for properly configuring the Enterprise chart to use the new database. 1. **Deploy Anchore Enterprise**: Use the converted values file to deploy the new Anchore Enterprise Helm chart. 
@@ -876,15 +878,16 @@ See the [Migration Rollback Steps](#migration-rollback-steps) section for more d ### Migration Rollback Steps -If you encounter any issues during the migration process, a rollback can be performed by following these steps: +In case of issues during the migration, execute the following rollback steps: + +1. **Uninstall the Anchore Enterprise Chart**: Remove the Anchore Enterprise deployment from your cluster. +1. **Remove Migrated Values File**: Delete the `output` directory generated by the migration script. +1. **Erase Enterprise Database**: Delete the database associated with the Anchore Enterprise deployment. +1. **(Optional) Restore Anchore-Engine Database**: If necessary, restore the Anchore-Engine database from a backup. +1. **Reactivate Anchore Engine**: Scale the Anchore Engine deployment back to its original state. +1. **Retry Migration**: Re-attempt the migration process following the initial steps. -1. **Uninstall Anchore Enterprise chart deployment** -1. **Delete values file created by the migration script** -1. **Delete existing secrets created for the Enterprise chart** -1. **Delete the Anchore Enterprise deployment database** -1. **(Optional)Restore the Anchore-Engine deployment database** -1. **Scale Anchore Engine chart deployment back up** -1. **Attempt migration process again** +This rollback procedure is designed to revert your environment to its pre-migration state, allowing for a fresh migration attempt. ## Parameters From cdc77e7fefdb5c0b27ab39ba2562e0a38fa284ca Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Mon, 30 Oct 2023 09:27:14 -0700 Subject: [PATCH 259/329] change feeds chart to v1 api Signed-off-by: Brady Todhunter --- stable/feeds/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml index 95ace0bc..486a65ac 100644 --- a/stable/feeds/values.yaml +++ b/stable/feeds/values.yaml 
@@ -100,7 +100,7 @@ service: annotations: {} labels: {} nodePort: "" - apiVersion: v2 + apiVersion: v1 ## @param scratchVolume.mountPath The mount path of an external volume for scratch space for image analysis ## @param scratchVolume.fixGroupPermissions Enable an initContainer that will fix the fsGroup permissions From 78e614576127bcdf89cb9b386d76dfc4956d3a08 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Mon, 30 Oct 2023 09:39:27 -0700 Subject: [PATCH 260/329] update feeds tests Signed-off-by: Brady Todhunter --- stable/feeds/tests/__snapshot__/configmap_test.yaml.snap | 2 +- stable/feeds/tests/configmap_test.yaml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap index a7552431..2605fe8f 100644 --- a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap @@ -173,7 +173,7 @@ should render the configmaps: ANCHORE_FEEDS_DRIVER_UBUNTU_ENABLED: "true" ANCHORE_FEEDS_DRIVER_UBUNTU_URL: https://git.launchpad.net/ubuntu-cve-tracker ANCHORE_FEEDS_DRIVER_WOLFI_ENABLED: "true" - ANCHORE_FEEDS_EXTERNAL_URL: http://test-release-feeds:8448/v2/ + ANCHORE_FEEDS_EXTERNAL_URL: http://test-release-feeds:8448/v1/ ANCHORE_FEEDS_GRYPEDB_PERSIST_WORKSPACE: "true" ANCHORE_FEEDS_GRYPEDB_PRELOAD_ENABLED: "true" ANCHORE_FEEDS_GRYPEDB_PRELOAD_PATH: /preload/grype-db-workspace.tar.gz diff --git a/stable/feeds/tests/configmap_test.yaml b/stable/feeds/tests/configmap_test.yaml index 8d05d0ea..fec6610d 100644 --- a/stable/feeds/tests/configmap_test.yaml +++ b/stable/feeds/tests/configmap_test.yaml @@ -29,7 +29,7 @@ tests: asserts: - matchRegex: path: data["ANCHORE_FEEDS_EXTERNAL_URL"] - pattern: http://test-release-feeds:8448/v2/$ + pattern: http://test-release-feeds:8448/v1/$ - it: should render grype url correctly if .Values.url is set template: envvars_configmap.yaml 
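Review bot: The default change to `apiVersion: v1` alters the path baked into `ANCHORE_FEEDS_EXTERNAL_URL` (the snapshot updated in the next commit renders `.../8448/v1/`), yet the diffstat shows only `values.yaml` touched, so if the feeds README parameter table is generated from the `## @param` annotations it now lists a stale default, and the feeds chart version is not bumped in this change. Regenerate the README and bump `stable/feeds/Chart.yaml` alongside this edit. If `service.apiVersion` has no `## @param` annotation above it (the hunk's context starts at `annotations:`, so this is not visible), add `## @param service.apiVersion API version path segment appended to the feeds service URL (for example v1)`.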
@@ -41,11 +41,11 @@ tests: path: data["ANCHORE_FEEDS_EXTERNAL_URL"] pattern: https://something/v1/$ - - it: should render grype url correctly if .Values.url is set to a v2 url + - it: should render grype url correctly if .Values.url is set to a v1 url template: envvars_configmap.yaml set: - url: https://something/v2/my-grype/something + url: https://something/v1/my-grype/something asserts: - matchRegex: path: data["ANCHORE_FEEDS_EXTERNAL_URL"] - pattern: https://something/v2/$ \ No newline at end of file + pattern: https://something/v1/$ \ No newline at end of file From c125cf364f0504f38200d2a007341db763609826 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 1 Nov 2023 10:49:56 -0400 Subject: [PATCH 261/329] adding mapping for vulns by k8s namespace/container, ecs container Signed-off-by: Hung Nguyen --- .../enterprise-value-converter/mappings.py | 4 ++- ..._anchoreEnterpriseReports_value_mapping.py | 29 +++++++++++++++++++ 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/scripts/enterprise-value-converter/mappings.py b/scripts/enterprise-value-converter/mappings.py index 3020ea99..8355811e 100644 --- a/scripts/enterprise-value-converter/mappings.py +++ b/scripts/enterprise-value-converter/mappings.py @@ -235,7 +235,9 @@ "anchorePolicyEngine.enablePackageDbLoad": "policyEngine.ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD", "anchorePolicyEngine.maxRequestThreads": "policyEngine.ANCHORE_MAX_REQUEST_THREADS", "anchoreSimpleQueue.maxRequestThreads": "simpleQueue.ANCHORE_MAX_REQUEST_THREADS", - + "anchoreEnterpriseReports.vulnerabilitiesByK8sNamespace": "ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE", + "anchoreEnterpriseReports.vulnerabilitiesByK8sContainer": "ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER", + "anchoreEnterpriseReports.vulnerabilitiesByEcsContainer": "ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER" } #### ENGINE TO FEEDS KEYS THAT ARE NOW ENV VARS #### 
diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py index 789ccd31..9cf2194f 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py @@ -345,3 +345,32 @@ def test_anchoreEnterpriseReports_cycleTimers_value(self): } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) + + + def test_anchoreEnterpriseReports_vulnerabilitiesByK8sNamespace_value(self): + + dot_string_dict = {"anchoreEnterpriseReports.vulnerabilitiesByK8sNamespace": True} + expected_result = { + 'extraEnv': [ + {'name': 'ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE', 'value': True} + ]} + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[1], expected_result) + + def test_anchoreEnterpriseReports_vulnerabilitiesByK8sContainer_value(self): + dot_string_dict = {"anchoreEnterpriseReports.vulnerabilitiesByK8sContainer": True} + expected_result = { + 'extraEnv': [ + {'name': 'ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER', 'value': True} + ]} + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[1], expected_result) + + def test_anchoreEnterpriseReports_vulnerabilitiesByEcsContainer_value(self): + dot_string_dict = {"anchoreEnterpriseReports.vulnerabilitiesByEcsContainer": True} + expected_result = { + 'extraEnv': [ + {'name': 'ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER', 'value': True} + ]} + result = replace_keys_with_mappings(dot_string_dict, self.results_dir) + self.assertEqual(result[1], expected_result) \ No newline at end of file From f0572a95a2ac82edb6fa196e714765d407e2af83 Mon Sep 17 00:00:00 2001 
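Review bot: The three new tests pin `'value': True` (a Python bool) for the generated `extraEnv` entries, but a Kubernetes `EnvVar.value` must be a string, so a values file dumped from this structure renders `value: true` and the API server rejects the manifest unless the converter or the chart template stringifies it later. Pin the intended rendered form instead, `{'name': 'ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE', 'value': 'true'}` (and the same for the other two), or add an assertion that the YAML written to `self.results_dir` quotes the value. The file also now ends without a trailing newline (`\ No newline at end of file`). The converter `replace_keys_with_mappings` under test is outside this hunk.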
From: Brady Todhunter Date: Wed, 1 Nov 2023 09:29:33 -0700 Subject: [PATCH 262/329] add migration deployment changes Signed-off-by: Brady Todhunter --- stable/enterprise/README.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 20b17763..2b217776 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -689,6 +689,16 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts - **Runtime Environment**: Docker or Podman must be installed on the machine where the migration will run. +### Expected Changes to Your Deployment + +The Anchore Enterprise Helm chart introduces several changes to the deployment of Anchore Enterprise. These changes are outlined below. + +- Service names all change +- Default labels, annotations and selectors changed +- The Feeds service is deployed as a dependency chart +- The upgrade jobs use pre-upgrade Helm hooks & a bitnami/kubectl init container to terminate all pods prior to running the Anchore upgrade. Legacy style post-upgrade hooks are available with `upgradeJob.usePostUpgradeHook` +- The Anchore configuration file utilizes environment variables for setting all of the configurations. These environment variables are configured in the `-enterprise-config-env-vars` configmap, the env vars are set via the values file. + ### Migration Rollback Strategy The migration employs a blue/green deployment strategy to minimize risk and facilitate easy rollback. Should you encounter issues during the migration, reverting to the prior state is straightforward: simply scale your Anchore-Engine deployment back up. 
@@ -720,7 +730,7 @@ See the [Migration Rollback Steps](#migration-rollback-steps) section for more d docker run -v ${PWD}:/tmp -v ${PWD}/${VALUES_FILE_NAME}:/app/${VALUES_FILE_NAME} docker.io/anchore/enterprise-helm-migrator:latest -e /app/${VALUES_FILE_NAME} -d /tmp/output ``` -#### If Using an External PostgreSQL Database +### If Using an External PostgreSQL Database 1. **Scale Down Anchore Engine**: To avoid data inconsistency, scale down your existing Anchore Engine deployment to zero replicas. @@ -774,7 +784,7 @@ See the [Migration Rollback Steps](#migration-rollback-steps) section for more d kubectl get pvc -n ${NAMESPACE} kubectl delete pvc ${ENGINE_RELEASE}-anchore-engine-enterprise-feeds -n ${NAMESPACE} -#### If Using the Dependent PostgreSQL Chart +### If Using the Dependent PostgreSQL Chart 1. **Scale Down Anchore Engine**: To avoid data inconsistency, scale down your existing Anchore Engine deployment to zero replicas. @@ -878,8 +888,6 @@ See the [Migration Rollback Steps](#migration-rollback-steps) section for more d ### Migration Rollback Steps -In case of issues during the migration, execute the following rollback steps: - 1. **Uninstall the Anchore Enterprise Chart**: Remove the Anchore Enterprise deployment from your cluster. 1. **Remove Migrated Values File**: Delete the `output` directory generated by the migration script. 1. **Erase Enterprise Database**: Delete the database associated with the Anchore Enterprise deployment. From c7aeb0ea69ea3477882c1f34fc7c74eb548488cd Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 1 Nov 2023 09:36:24 -0700 Subject: [PATCH 263/329] do not use v2 as a default for the UI api configurations Signed-off-by: Brady Todhunter --- stable/enterprise/templates/ui_configmap.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/stable/enterprise/templates/ui_configmap.yaml b/stable/enterprise/templates/ui_configmap.yaml index 77e9f5d5..889e5dba 100644 
--- a/stable/enterprise/templates/ui_configmap.yaml +++ b/stable/enterprise/templates/ui_configmap.yaml 
@@ -26,11 +26,11 @@ data: admin: {{ .admin }} standard: {{ .standard }} {{- end }} - engine_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/{{- default "v2" .Values.api.service.apiVersion -}}' - reports_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.reports.service.port -}}/{{- default "v2" .Values.reports.service.apiVersion -}}' - notifications_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.notifications.fullname" . -}}:{{- .Values.notifications.service.port -}}/{{- default "v2" .Values.notifications.service.apiVersion -}}' - rbac_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.rbacManager.fullname" . -}}:{{- .Values.rbacManager.service.port -}}/{{- default "v2" .Values.rbacManager.service.apiVersion -}}' - enterprise_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/v2' + engine_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/{{- .Values.api.service.apiVersion -}}' + reports_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.reports.service.port -}}/{{- .Values.reports.service.apiVersion -}}' + notifications_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.notifications.fullname" . -}}:{{- .Values.notifications.service.port -}}/{{- .Values.notifications.service.apiVersion -}}' + rbac_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.rbacManager.fullname" . -}}:{{- .Values.rbacManager.service.port -}}/{{- .Values.rbacManager.service.apiVersion -}}' + enterprise_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . 
-}}:{{- .Values.api.service.port -}}/{{- .Values.api.service.apiVersion -}}' # redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable # appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable license_path: '/home/anchore/' From 99094f248ee193538d09126aa9da8a71dfc83550 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 1 Nov 2023 09:38:26 -0700 Subject: [PATCH 264/329] bump chart version Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 103f8e31..1a3860bf 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "1.0.0" +version: "1.0.1" appVersion: "4.9.3" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | From 80e55b9b3d07214d0fa78435a9549070146be49d Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 1 Nov 2023 09:42:38 -0700 Subject: [PATCH 265/329] update test snapshots Signed-off-by: Brady Todhunter --- stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 09cbf006..6d5094ac 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap 
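Review bot: Dropping `default "v2"` leaves the five `*_uri` values with no fallback at all, so an unset or empty `api.service.apiVersion` (or the `reports`/`notifications`/`rbacManager` equivalents) silently renders a URI such as `http://…:8228/` and the UI fails at runtime rather than at render time; fail fast instead, e.g. end each of the five lines with `/{{- required "api.service.apiVersion must be set" .Values.api.service.apiVersion -}}'`, or default to `"v1"`, which is what the test snapshot renders. `enterprise_uri` is now byte-identical to `engine_uri` (same host, port and version), so a comment on that line explaining why both keys are kept would help the next reader. The values that supply `apiVersion` are outside this hunk.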
@@ -501,7 +501,7 @@ should render the configmaps:
 6: |
 apiVersion: v1
 data:
- config-ui.yaml: "# Anchore UI configuration\nengine_uri: 'http://test-release-enterprise-api:8228/v1'\nreports_uri: 'http://test-release-enterprise-api:8558/v1'\nnotifications_uri: 'http://test-release-enterprise-notifications:8668/v1'\nrbac_uri: 'http://test-release-enterprise-rbac-manager:8229/v1'\nenterprise_uri: 'http://test-release-enterprise-api:8228/v2'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: true\nforce_websocket: false\nauthentication_lock:\n count: 5\n expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: true\nenable_prometheus_metrics: false\n"
+ config-ui.yaml: "# Anchore UI configuration\nengine_uri: 'http://test-release-enterprise-api:8228/v1'\nreports_uri: 'http://test-release-enterprise-api:8558/v1'\nnotifications_uri: 'http://test-release-enterprise-notifications:8668/v1'\nrbac_uri: 'http://test-release-enterprise-rbac-manager:8229/v1'\nenterprise_uri: 'http://test-release-enterprise-api:8228/v1'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: true\nforce_websocket: false\nauthentication_lock:\n count: 5\n expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: true\nenable_prometheus_metrics: false\n"
 kind: ConfigMap
 metadata:
 annotations:
From 4076e607ca9d0b273c2184f6084c118626cdd655 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Wed, 1 Nov 2023 09:47:55 -0700
Subject: [PATCH 266/329] small update
Signed-off-by: Brady Todhunter
---
 stable/enterprise/README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md
index 2b217776..8ea075a1 100644
--- a/stable/enterprise/README.md
+++ b/stable/enterprise/README.md
@@ -888,6 +888,8 @@ See the [Migration Rollback Steps](#migration-rollback-steps) section for more d
 
 ### Migration Rollback Steps
 
+In case of issues during the migration, execute the following rollback steps:
+
 1. **Uninstall the Anchore Enterprise Chart**: Remove the Anchore Enterprise deployment from your cluster.
 1. **Remove Migrated Values File**: Delete the `output` directory generated by the migration script.
 1. **Erase Enterprise Database**: Delete the database associated with the Anchore Enterprise deployment.
From 1529eac369ee006872f330934c5eb15ad3259dd7 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Wed, 1 Nov 2023 10:29:45 -0700
Subject: [PATCH 267/329] bump k8s version constraint to allow v1.28
Signed-off-by: Brady Todhunter
---
 stable/enterprise/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml
index 1a3860bf..1d5b39e0 100644
--- a/stable/enterprise/Chart.yaml
+++ b/stable/enterprise/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: enterprise
 version: "1.0.1"
 appVersion: "4.9.3"
-kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x
+kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x
 description: |
 Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems,
 it allows developers to bolster security without compromising velocity and enables security teams to audit and verify compliance in real-time.
From 0625dd04a88ed87022c88539afcde31441ec1f47 Mon Sep 17 00:00:00 2001
From: Hung Nguyen
Date: Wed, 1 Nov 2023 15:02:10 -0400
Subject: [PATCH 268/329] update chart-testing-action
Signed-off-by: Hung Nguyen
---
 .github/workflows/test.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index d19ac6d0..155936f5 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -35,7 +35,7 @@ jobs:
 version: v3.8.0
 
 - name: Set up chart-testing
- uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76 # v2.4.0
+ uses: helm/chart-testing-action@b43128a8b25298e1e7b043b78ea6613844e079b1 # v2.7.0
 
 - name: Run chart-testing (list-changed)
 id: list-changed
From fec7f65e6777844c70bdfeae3ca52f02915a9588 Mon Sep 17 00:00:00 2001
From: Hung Nguyen
Date: Wed, 1 Nov 2023 15:06:38 -0400
Subject: [PATCH 269/329] adding missing values mapping vulnsbyk8scontainer/namespace, ecs container
Signed-off-by: Hung Nguyen
---
 .../enterprise-value-converter/mappings.py | 4 ++-
 ..._anchoreEnterpriseReports_value_mapping.py | 28 +++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/scripts/enterprise-value-converter/mappings.py b/scripts/enterprise-value-converter/mappings.py
index 3020ea99..8355811e 100644
--- a/scripts/enterprise-value-converter/mappings.py
+++ b/scripts/enterprise-value-converter/mappings.py
@@ -235,7 +235,9 @@
 "anchorePolicyEngine.enablePackageDbLoad": "policyEngine.ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD",
 "anchorePolicyEngine.maxRequestThreads": "policyEngine.ANCHORE_MAX_REQUEST_THREADS",
 "anchoreSimpleQueue.maxRequestThreads": "simpleQueue.ANCHORE_MAX_REQUEST_THREADS",
-
+ "anchoreEnterpriseReports.vulnerabilitiesByK8sNamespace": "ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE",
+ "anchoreEnterpriseReports.vulnerabilitiesByK8sContainer": "ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER",
+ "anchoreEnterpriseReports.vulnerabilitiesByEcsContainer": "ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER"
 }
 
 #### ENGINE TO FEEDS KEYS THAT ARE NOW ENV VARS ####
diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py
index 789ccd31..74d6e0ef 100644
--- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py
+++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py
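Review bot: The last added entry, `"anchoreEnterpriseReports.vulnerabilitiesByEcsContainer": "ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER",` should keep the trailing comma like every other entry in this dict, so the next addition does not have to touch two lines. Separately, the neighbouring entries carry a component prefix (`policyEngine.`, `simpleQueue.`) while the three new values do not; the tests added in the same commit assert on `result[1]` rather than `result[0]`, so this looks deliberate, but a one-line comment noting that un-prefixed values are routed to the global env rather than a single service would spare the next reader the same check. The dict this hunk edits starts outside the hunk.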
@@ -345,3 +345,31 @@ def test_anchoreEnterpriseReports_cycleTimers_value(self):
 }
 result = replace_keys_with_mappings(dot_string_dict, self.results_dir)
 self.assertEqual(result[0], expected_result)
+
+ def test_anchoreEnterpriseReports_vulnerabilitiesByK8sNamespace_value(self):
+
+ dot_string_dict = {"anchoreEnterpriseReports.vulnerabilitiesByK8sNamespace": True}
+ expected_result = {
+ 'extraEnv': [
+ {'name': 'ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE', 'value': True}
+ ]}
+ result = replace_keys_with_mappings(dot_string_dict, self.results_dir)
+ self.assertEqual(result[1], expected_result)
+
+ def test_anchoreEnterpriseReports_vulnerabilitiesByK8sContainer_value(self):
+ dot_string_dict = {"anchoreEnterpriseReports.vulnerabilitiesByK8sContainer": True}
+ expected_result = {
+ 'extraEnv': [
+ {'name': 'ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER', 'value': True}
+ ]}
+ result = replace_keys_with_mappings(dot_string_dict, self.results_dir)
+ self.assertEqual(result[1], expected_result)
+
+ def test_anchoreEnterpriseReports_vulnerabilitiesByEcsContainer_value(self):
+ dot_string_dict = {"anchoreEnterpriseReports.vulnerabilitiesByEcsContainer": True}
+ expected_result = {
+ 'extraEnv': [
+ {'name': 'ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER', 'value': True}
+ ]}
+ result = replace_keys_with_mappings(dot_string_dict, self.results_dir)
+ self.assertEqual(result[1], expected_result)
\ No newline at end of file
From c4e22483739143bb34e9b02d9c036f49b7604e3c Mon Sep 17 00:00:00 2001
From: Hung Nguyen
Date: Wed, 1 Nov 2023 15:08:24 -0400
Subject: [PATCH 270/329] update chart-testing-action for lint gha
Signed-off-by: Hung Nguyen
---
 .github/workflows/lint.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 01692cba..7c744c68 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
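Review bot: The three new test methods are identical apart from the values key and env-var name, and the first one has a stray blank line after its `def` line that the other two lack; a single method iterating a list of `(key, env_var)` pairs under `with self.subTest(key=key):` would keep them consistent and make the next mapping a one-line addition. The file also now ends with `\ No newline at end of file`, which most linters flag; add the final newline. The enclosing test class starts outside the hunk.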
@@ -24,7 +24,7 @@ jobs:
 uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
 
 - name: Set up chart-testing
- uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76 # v2.4.0
+ uses: helm/chart-testing-action@b43128a8b25298e1e7b043b78ea6613844e079b1 # v2.7.0
 
 - name: Run chart-testing (list-changed)
 id: list-changed
From e125e958fe583ad6b9967ce2d4048fd2c349fe96 Mon Sep 17 00:00:00 2001
From: Hung Nguyen
Date: Wed, 1 Nov 2023 15:35:42 -0400
Subject: [PATCH 271/329] remove helm-extra-args timeout from ct-config due to helm lint not having a timeout option
Signed-off-by: Hung Nguyen
---
 .github/workflows/test.yaml | 2 +-
 ct-config.yaml | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 155936f5..50b9af50 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -94,4 +94,4 @@ jobs:
 
 - name: Run chart-testing
 if: steps.list-changed.outputs.CHANGED == 'true'
- run: ct install --config ct-config.yaml
+ run: ct install --config ct-config.yaml --helm-extra-args "--timeout 600s"
diff --git a/ct-config.yaml b/ct-config.yaml
index 75ba48da..bb18e351 100644
--- a/ct-config.yaml
+++ b/ct-config.yaml
@@ -7,4 +7,3 @@ chart-repos:
 - bitnami=https://charts.bitnami.com/bitnami
 namespace: anchore
 release-label: anchore
-helm-extra-args: --timeout 600s
From e1fa90e5e4b3edc60a7b005fd057d2ee3b83b846 Mon Sep 17 00:00:00 2001
From: Hung Nguyen
Date: Wed, 1 Nov 2023 15:51:55 -0400
Subject: [PATCH 272/329] adding k8s version 1.28.0 to chart testing
Signed-off-by: Hung Nguyen
---
 .github/workflows/test.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 50b9af50..bc1a4f03 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -13,7 +13,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- kubernetesVersion: ["v1.23.17", "v1.24.15", "v1.25.11", "v1.26.6", "v1.27.3"]
+ kubernetesVersion: ["v1.23.17", "v1.24.15", "v1.25.11", "v1.26.6", "v1.27.3", "v1.28.0"]
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
From 9ab2f5eafafa16ba3305e84e2d44d8c28606d346 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Wed, 1 Nov 2023 13:21:56 -0700
Subject: [PATCH 273/329] add more details to deployment differences
Signed-off-by: Brady Todhunter
---
 stable/enterprise/README.md | 41 +++++++++++++++++++++++++++++++------
 1 file changed, 35 insertions(+), 6 deletions(-)
diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md
index 8ea075a1..067db9e8 100644
--- a/stable/enterprise/README.md
+++ b/stable/enterprise/README.md
@@ -691,13 +691,42 @@ A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts
 
 ### Expected Changes to Your Deployment
 
-The Anchore Enterprise Helm chart introduces several changes to the deployment of Anchore Enterprise. These changes are outlined below.
+The Anchore Enterprise Helm chart introduces several changes to the deployment compared to the Anchore Engine chart deployment. These changes are outlined below.
 
-- Service names all change
-- Default labels, annotations and selectors changed
-- The Feeds service is deployed as a dependency chart
-- The upgrade jobs use pre-upgrade Helm hooks & a bitnami/kubectl init container to terminate all pods prior to running the Anchore upgrade. Legacy style post-upgrade hooks are available with `upgradeJob.usePostUpgradeHook`
-- The Anchore configuration file utilizes environment variables for setting all of the configurations. These environment variables are configured in the `-enterprise-config-env-vars` configmap, the env vars are set via the values file.
+#### Service Names
+
+- All service names have been updated to follow the Enterprise naming convention:
+ - `-anchore-engine-api` -> `-enterprise-api`
+ - `-anchore-engine-catalog` -> `-enterprise-catalog`
+ - `-anchore-engine-enterprise-feeds` -> `-feeds`
+ - `-anchore-engine-enterprise-notifications` -> `-enterprise-notifications`
+ - `-anchore-engine-enterprise-rbac` -> `-enterprise-rbac-manager`
+ - `-anchore-engine-enterprise-reports` -> `-enterprise-reports`
+ - `-anchore-engine-enterprise-ui` -> `-enterprise-ui`
+ - `-anchore-engine-policy` -> `-enterprise-policy`
+ - `-anchore-engine-simplequeue` -> `-enterprise-simplequeue`
+
+#### Labels, Annotations & Selectors
+
+- Standard Kubernetes labels and annotations replace the custom ones used in Anchore Engine:
+ - `component` -> `app.kubernetes.io/component`
+ - `release` -> `app.kubernetes.io/instance`
+ - `app` -> `app.kubernetes.io/name`
+ - `chart` -> `helm.sh/chart`
+
+#### Dependent Services
+
+- The Feeds service is now deployed as a dependent chart, it can be configured using the [Feeds Values](https://github.com/anchore/anchore-charts/blob/main/stable/feeds/values.yaml)
+- The bundled PostgreSQL chart has been replaced with the Bitnami PostgreSQL Chart as a dependency. Configuration options can be found in the [Postgresql Values](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml).
+
+#### Upgrade Behavior
+
+- Pre-upgrade Helm hooks, along with a Bitnami/kubectl init container, are used to terminate all pods before running the Anchore upgrade. You can revert to legacy post-upgrade hooks by setting `upgradeJob.usePostUpgradeHook=true`.
+
+#### Application Configuration
+
+- Configuration is now primarily managed through environment variables, specified in the `-enterprise-config-env-vars` ConfigMap and set via the values file.
+- Previously, unexposed values for advanced Anchore configurations have been removed. Instead, you can use the `extraEnv` value to set the required environment variables.
 
 ### Migration Rollback Strategy
 
From 44a77146cf97f7f13833c6217ab6d624bd19eddf Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Wed, 1 Nov 2023 13:42:28 -0700
Subject: [PATCH 274/329] bump feeds chart to 1.0.1
Signed-off-by: Brady Todhunter
---
 stable/enterprise/Chart.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock
index d3439c53..e077259a 100644
--- a/stable/enterprise/Chart.lock
+++ b/stable/enterprise/Chart.lock
@@ -7,6 +7,6 @@ dependencies:
 version: 17.11.8
 - name: feeds
 repository: https://charts.anchore.io/stable
- version: 1.0.0
-digest: sha256:7e86d57803a23d1bb4bb1689b3e837856ab941fb8604a1580935c777db151ac5
-generated: "2023-10-27T20:08:10.897279-07:00"
+ version: 1.0.1
+digest: sha256:cab987a8327b8b87b2fa02892570623b4b4e2a1c1bbb2a5cef8fbc8c1aa1d695
+generated: "2023-11-01T13:42:09.392411-07:00"
From d5d8fa1ae9eeaa74991199246158cd453ec9f479 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Wed, 1 Nov 2023 18:48:31 -0400
Subject: [PATCH 275/329] Update 5.0 feeds (#166)
* update readme for 5.0
* remove configurable apiVersion and hardcode v2 into all api connection strings
* bump chart version
* update tests
---------
Signed-off-by: Brady Todhunter
---
 stable/feeds/Chart.yaml | 6 ++--
 stable/feeds/README.md | 30 ++++++++++++-------
 stable/feeds/templates/_helpers.tpl | 6 ++--
 .../__snapshot__/configmap_test.yaml.snap | 2 +-
 .../prehook_upgrade_resources_test.yaml.snap | 2 +-
 stable/feeds/tests/configmap_test.yaml | 25 +++------------
 stable/feeds/values.yaml | 5 +---
 7 files changed, 32 insertions(+), 44 deletions(-)
diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml
index 1d9c133a..a639886e 100644
--- a/stable/feeds/Chart.yaml
+++ b/stable/feeds/Chart.yaml
@@ -1,9 +1,9 @@
 apiVersion: v2
 name: feeds
 type: application
-version: "1.0.1"
-appVersion: "4.9.3"
-kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x
+version: "2.0.0"
+appVersion: "5.0.0"
+kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.28.x-x
 description: Anchore feeds service
 keywords:
 - "anchore"
diff --git a/stable/feeds/README.md b/stable/feeds/README.md
index 178f275a..1beb0b75 100644
--- a/stable/feeds/README.md
+++ b/stable/feeds/README.md
@@ -312,7 +312,7 @@ anchoreConfig:
 | `url` | Set a custom feeds URL. Useful when using a feeds service endpoint that is external from the cluster. | `""` |
 | `fullnameOverride` | overrides the fullname set on resources | `""` |
 | `nameOverride` | overrides the name set on resources | `""` |
-| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v4.9.3` |
+| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v5.0.0` |
 | `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` |
 | `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` |
 | `serviceAccountName` | Name of a service account used to run all Feeds pods | `""` |
@@ -331,7 +331,6 @@ anchoreConfig:
 | `service.annotations` | Annotations for Anchore Feeds service | `{}` |
 | `service.labels` | Labels for Anchore Feeds service | `{}` |
 | `service.nodePort` | nodePort for Anchore Feeds service | `""` |
-| `service.apiVersion` | the apiVersion for the service when communicating with Anchore Feeds | `v2` |
 | `scratchVolume.mountPath` | The mount path of an external volume for scratch space for image analysis | `/anchore_scratch` |
 | `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions | `false` |
 | `scratchVolume.details` | Details for the k8s volume to be created | `{}` |
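Review bot: The new `kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.28.x-x` raises only the pre-release range to 1.28 and still caps release clusters at 1.27.x, so Helm would presumably reject a plain v1.28 cluster while accepting a 1.28 pre-release, and it disagrees with the enterprise chart's `1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x` set in the k8s-constraint commit above. Change it to `kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x`.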
@@ -457,15 +456,15 @@ anchoreConfig:
 
 ### Ingress Parameters
 
-| Name | Description | Value |
-| -------------------------- | ------------------------------------------------------------------ | ----------------------------- |
-| `ingress.enabled` | Create an ingress resource for external Anchore service APIs | `false` |
-| `ingress.labels` | Labels for the ingress resource | `{}` |
-| `ingress.annotations` | Annotations for the ingress resource | `{}` |
-| `ingress.hosts` | List of custom hostnames for the Anchore Feeds API | `[]` |
-| `ingress.paths` | The path used for accessing the Anchore Feeds API | `["/v1/feeds/","/v2/feeds/"]` |
-| `ingress.tls` | Configure tls for the ingress resource | `[]` |
-| `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` |
+| Name | Description | Value |
+| -------------------------- | ------------------------------------------------------------------ | ---------------- |
+| `ingress.enabled` | Create an ingress resource for external Anchore service APIs | `false` |
+| `ingress.labels` | Labels for the ingress resource | `{}` |
+| `ingress.annotations` | Annotations for the ingress resource | `{}` |
+| `ingress.hosts` | List of custom hostnames for the Anchore Feeds API | `[]` |
+| `ingress.paths` | The path used for accessing the Anchore Feeds API | `["/v2/feeds/"]` |
+| `ingress.tls` | Configure tls for the ingress resource | `[]` |
+| `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` |
 
 ### Google CloudSQL DB Parameters
 
@@ -482,12 +481,21 @@ anchoreConfig:
 
 | `cloudsql.extraArgs` | a list of extra arguments to be passed into the cloudsql container command. eg | `[]` |
 
+## Release Notes
+
 For the latest updates and features in Anchore Enterprise, see the official [Release Notes](https://docs.anchore.com/current/docs/releasenotes/).
 
 - **Major Chart Version Change (e.g., v0.1.2 -> v1.0.0)**: Signifies an incompatible breaking change that necessitates manual intervention, such as updates to your values file or data migrations.
 - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention.
 - **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update.
 
+### v2.0.0
+
+- Updated Anchore Feeds image to v5.0.0
+- Anchore Feeds v5.0.0 introduces a breaking change to the API endpoints, and requires updating any external integrations to use the new endpoints. See the [Migration Guide](https://docs.anchore.com/current/docs/migration_guide/) for more information.
+- The following values were removed as only the `v2` API is supported in Anchore Feeds 5.0.0:
+ - `feeds.service.apiVersion`
+
 ### v1.0.0
 
 - This is a stable release of the Anchore Feeds Helm chart and is recommended for production deployments.
diff --git a/stable/feeds/templates/_helpers.tpl b/stable/feeds/templates/_helpers.tpl
index 45010ecc..05da1977 100644
--- a/stable/feeds/templates/_helpers.tpl
+++ b/stable/feeds/templates/_helpers.tpl
@@ -39,13 +39,13 @@ Return a URL for the external feeds service
 */}}
 {{- define "feeds.setGrypeProviderURL" -}}
 {{- $grypeProviderFeedsExternalURL := "" }}
-{{- $regexSearchPattern := (printf "/%s.*$" .Values.service.apiVersion | toString) }}
+{{- $regexSearchPattern := (printf "/v2.*$" | toString) }}
 {{- if .Values.url }}
 {{- $urlPathSuffix := (default "" (regexFind $regexSearchPattern .Values.url) ) }}
 {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.url) }}
- {{- $grypeProviderFeedsExternalURL = (printf "%s/%s/" $anchoreFeedsHost .Values.service.apiVersion) }}
+ {{- $grypeProviderFeedsExternalURL = (printf "%s/v2/" $anchoreFeedsHost) }}
 {{- else }}
- {{- $grypeProviderFeedsExternalURL = (printf "%s://%s:%s/%s/" (include "feeds.setProtocol" .) (include "feeds.fullname" .) (.Values.service.port | toString) .Values.service.apiVersion ) -}}
+ {{- $grypeProviderFeedsExternalURL = (printf "%s://%s:%s/v2/" (include "feeds.setProtocol" .) (include "feeds.fullname" .) (.Values.service.port | toString)) -}}
 {{- end }}
 {{- print $grypeProviderFeedsExternalURL }}
 {{- end -}}
diff --git a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap
index 2605fe8f..a7552431 100644
--- a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap
+++ b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap
@@ -173,7 +173,7 @@ should render the configmaps:
 ANCHORE_FEEDS_DRIVER_UBUNTU_ENABLED: "true"
 ANCHORE_FEEDS_DRIVER_UBUNTU_URL: https://git.launchpad.net/ubuntu-cve-tracker
 ANCHORE_FEEDS_DRIVER_WOLFI_ENABLED: "true"
- ANCHORE_FEEDS_EXTERNAL_URL: http://test-release-feeds:8448/v1/
+ ANCHORE_FEEDS_EXTERNAL_URL: http://test-release-feeds:8448/v2/
 ANCHORE_FEEDS_GRYPEDB_PERSIST_WORKSPACE: "true"
 ANCHORE_FEEDS_GRYPEDB_PRELOAD_ENABLED: "true"
 ANCHORE_FEEDS_GRYPEDB_PRELOAD_PATH: /preload/grype-db-workspace.tar.gz
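Review bot: `printf "/v2.*$" | toString` has no format arguments, so `{{- $regexSearchPattern := "/v2.*$" }}` says the same thing with less indirection. More importantly, hard-coding `/v2` in the search pattern means a `url` value still carrying a legacy `/v1/...` path no longer matches `regexFind`, so `trimSuffix` strips nothing and the helper appends `/v2/` after the whole old path (constructed example: `https://feeds.example/v1/feeds/` becomes `https://feeds.example/v1/feeds/v2/`), if I read the `regexFind`/`trimSuffix` pair correctly. A version-agnostic pattern such as `{{- $regexSearchPattern := "/v[0-9]+.*$" }}` would keep normalising such values while the emitted URL stays pinned to `/v2/`.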
diff --git a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap
index 6e7c0b88..098ce43a 100644
--- a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap
+++ b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap
@@ -143,6 +143,6 @@ should render proper initContainers:
 value: test-release-feeds
 - name: ANCHORE_PORT
 value: "8448"
- image: docker.io/anchore/enterprise:v4.9.3
+ image: docker.io/anchore/enterprise:v5.0.0
 imagePullPolicy: IfNotPresent
 name: wait-for-db
diff --git a/stable/feeds/tests/configmap_test.yaml b/stable/feeds/tests/configmap_test.yaml
index fec6610d..6a15362c 100644
--- a/stable/feeds/tests/configmap_test.yaml
+++ b/stable/feeds/tests/configmap_test.yaml
@@ -15,37 +15,20 @@ tests:
 asserts:
 - matchSnapshot: {}
 
- - it: should render v1 correctly if service.apiVersion is set as v1
- template: envvars_configmap.yaml
- set:
- service.apiVersion: v1
- asserts:
- - matchRegex:
- path: data["ANCHORE_FEEDS_EXTERNAL_URL"]
- pattern: http://test-release-feeds:8448/v1/$
-
- - it: should render v1 correctly if service.apiVersion is default
- template: envvars_configmap.yaml
- asserts:
- - matchRegex:
- path: data["ANCHORE_FEEDS_EXTERNAL_URL"]
- pattern: http://test-release-feeds:8448/v1/$
-
 - it: should render grype url correctly if .Values.url is set
 template: envvars_configmap.yaml
 set:
- service.apiVersion: v1
- url: https://something/v1/my-grype/something
+ url: https://something/v2/my-grype/something
 asserts:
 - matchRegex:
 path: data["ANCHORE_FEEDS_EXTERNAL_URL"]
- pattern: https://something/v1/$
+ pattern: https://something/v2/$
 
 - it: should render grype url correctly if .Values.url is set to a v1 url
 template: envvars_configmap.yaml
 set:
- url: https://something/v1/my-grype/something
+ url: https://something/v2/my-grype/something
 asserts:
 - matchRegex:
 path: data["ANCHORE_FEEDS_EXTERNAL_URL"]
- pattern: https://something/v1/$
\ No newline at end of file
+ pattern: https://something/v2/$
diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml
index 486a65ac..845e778f 100644
--- a/stable/feeds/values.yaml
+++ b/stable/feeds/values.yaml
@@ -21,7 +21,7 @@ nameOverride: ""
 ## @param image Image used for feeds deployment
 ##
-image: docker.io/anchore/enterprise:v4.9.3
+image: docker.io/anchore/enterprise:v5.0.0
 ## @param imagePullPolicy Image pull policy used by all deployments
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
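Review bot: The second remaining case, `- it: should render grype url correctly if .Values.url is set to a v1 url`, now sets `url: https://something/v2/my-grype/something` and asserts `pattern: https://something/v2/$`, which makes it byte-for-byte the same as the case above it under a name that no longer describes its input. Either restore a genuine `/v1/` URL here so the suite pins how `feeds.setGrypeProviderURL` treats a legacy value (or documents that it is left untouched), or drop the duplicate. The `tests:` list this hunk edits starts outside the hunk.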
@@ -92,7 +92,6 @@ affinity: {}
 ## @param service.annotations Annotations for Anchore Feeds service
 ## @param service.labels Labels for Anchore Feeds service
 ## @param service.nodePort nodePort for Anchore Feeds service
-## @param service.apiVersion the apiVersion for the service when communicating with Anchore Feeds
 ##
 service:
 type: ClusterIP
@@ -100,7 +99,6 @@ service:
 annotations: {}
 labels: {}
 nodePort: ""
- apiVersion: v1
 
 ## @param scratchVolume.mountPath The mount path of an external volume for scratch space for image analysis
 ## @param scratchVolume.fixGroupPermissions Enable an initContainer that will fix the fsGroup permissions
@@ -545,7 +543,6 @@ ingress:
 ## @param ingress.paths The path used for accessing the Anchore Feeds API
 ##
 paths:
- - /v1/feeds/
 - /v2/feeds/
 
 ## @param ingress.tls Configure tls for the ingress resource
From 489475581f5aea7b3fd51eee7d61f3ac3f778c76 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Wed, 1 Nov 2023 19:14:55 -0400
Subject: [PATCH 276/329] Update 5.0 configs (#152)
* remove legacy vulnerability sync options and expose new matching config
* add env vars to config & bump chart version
* remove configurable apiVersion and hardcode v2 into all api connection strings
* update readme for 5.0
* bump image to v5.0.0
* update tests
* update feeds dep to v2.0.0
---------
Signed-off-by: Weston Steimel
Signed-off-by: Brady Todhunter
Co-authored-by: Weston Steimel
---
 stable/enterprise/Chart.lock | 6 +-
 stable/enterprise/Chart.yaml | 6 +-
 stable/enterprise/README.md | 195 +++++++++---------
 stable/enterprise/files/default_config.yaml | 58 ++++--
 stable/enterprise/templates/_helpers.tpl | 12 +-
 .../templates/envvars_configmap.yaml | 15 +-
 stable/enterprise/templates/ui_configmap.yaml | 9 +-
 .../__snapshot__/configmap_test.yaml.snap | 80 ++++---
 .../prehook_upgrade_resources_test.yaml.snap | 2 +-
 .../enterprise/tests/common_helpers_test.yaml | 75 +++----
 stable/enterprise/values.yaml | 38 ++--
 11 files changed, 266 insertions(+), 230 deletions(-)
diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock
index e077259a..25788a70 100644
--- a/stable/enterprise/Chart.lock
+++ b/stable/enterprise/Chart.lock
@@ -7,6 +7,6 @@ dependencies:
 version: 17.11.8
 - name: feeds
 repository: https://charts.anchore.io/stable
- version: 1.0.1
-digest: sha256:cab987a8327b8b87b2fa02892570623b4b4e2a1c1bbb2a5cef8fbc8c1aa1d695
-generated: "2023-11-01T13:42:09.392411-07:00"
+ version: 2.0.0
+digest: sha256:710754bebf235a60f134179a3d3b92b0738d15eee6bb6ae687e3ea5b9afb8dad
+generated: "2023-11-01T16:06:45.488156-07:00"
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml
index 1d5b39e0..a03772ee 100644
--- a/stable/enterprise/Chart.yaml
+++ b/stable/enterprise/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: enterprise
-version: "1.0.1"
-appVersion: "4.9.3"
+version: "2.0.0"
+appVersion: "5.0.0"
 kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x
 description: |
 Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems,
@@ -39,7 +39,7 @@ dependencies:
 condition: ui-redis.chartEnabled
 alias: ui-redis
 - name: feeds
- version: "~1.0"
+ version: "~2.0"
 repository: "@anchore"
 # repository: file://../feeds
 condition: feeds.chartEnabled
diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md
index 067db9e8..69bba9ab 100644
--- a/stable/enterprise/README.md
+++ b/stable/enterprise/README.md
@@ -942,7 +942,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat
 
 | Name | Description | Value |
 | ------------------------------------- | ------------------------------------------------------------------------------------- | ------------------------------------- |
-| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v4.9.3` |
+| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.0.0` |
 | `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` |
 | `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` |
 | `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` |
@@ -1038,8 +1038,8 @@ This rollback procedure is designed to revert your environment to its pre-migrat
 | `anchoreConfig.catalog.event_log` | Event log for webhooks, YAML configuration | `{}` |
 | `anchoreConfig.catalog.analysis_archive` | Custom analysis archive YAML configuration | `{}` |
 | `anchoreConfig.catalog.object_store` | Custom object storage YAML configuration | `{}` |
-| `anchoreConfig.catalog.runtime_inventory.image_ttl_days` | TTL for runtime inventory. | `120` |
-| `anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite` | force runtime inventory to be overwritten upon every update for that reported context. | `false` |
+| `anchoreConfig.catalog.runtime_inventory.inventory_ttl_days` | TTL for images in the inventory report working set | `120` |
+| `anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite` | disables the inventory_ttl cycle timer. | `false` |
 | `anchoreConfig.catalog.down_analyzer_task_requeue` | Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state | `true` |
 | `anchoreConfig.policy_engine.cycle_timers.feed_sync` | Interval to run a feed sync to get latest cve data | `14400` |
 | `anchoreConfig.policy_engine.cycle_timers.feed_sync_checker` | Interval between checks to see if there needs to be a task queued | `3600` |
@@ -1047,6 +1047,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat
 | `anchoreConfig.notifications.cycle_timers.notifications` | Interval that notifications are sent | `30` |
 | `anchoreConfig.notifications.ui_url` | Set the UI URL that is included in the notification, defaults to the Enterprise UI service name | `""` |
 | `anchoreConfig.reports.enable_graphiql` | Enable GraphiQL, a GUI for editing and testing GraphQL queries and mutations | `true` |
+| `anchoreConfig.reports.async_execution_timeout`  | Configure how long a scheduled query must be running for before it is considered timed out | `48h` |
 | `anchoreConfig.reports_worker.enable_data_ingress` | Enable periodically syncing data into the Anchore Reports Service | `true` |
 | `anchoreConfig.reports_worker.enable_data_egress` | Periodically remove reporting data that has been removed in other parts of system | `false` |
 | `anchoreConfig.reports_worker.data_egress_window` | defines a number of days to keep reporting data following its deletion in the rest of system. | `0` |
@@ -1078,24 +1079,23 @@ This rollback procedure is designed to revert your environment to its pre-migrat ### Anchore API k8s Deployment Parameters -| Name | Description | Value | -| ------------------------- | -------------------------------------------------------------------------------- | ----------- | -| `api.replicaCount` | Number of replicas for Anchore API deployment | `1` | -| `api.service.type` | Service type for Anchore API | `ClusterIP` | -| `api.service.port` | Service port for Anchore API | `8228` | -| `api.service.reportsPort` | Service port for Anchore Reports API | `8558` | -| `api.service.annotations` | Annotations for Anchore API service | `{}` | -| `api.service.labels` | Labels for Anchore API service | `{}` | -| `api.service.nodePort` | nodePort for Anchore API service | `""` | -| `api.service.apiVersion` | apiVersion for Anchore UI service to use when reaching out to the enterprise api | `v1` | -| `api.extraEnv` | Set extra environment variables for Anchore API pods | `[]` | -| `api.resources` | Resource requests and limits for Anchore API pods | `{}` | -| `api.labels` | Labels for Anchore API pods | `{}` | -| `api.annotations` | Annotation for Anchore API pods | `{}` | -| `api.nodeSelector` | Node labels for Anchore API pod assignment | `{}` | -| `api.tolerations` | Tolerations for Anchore API pod assignment | `[]` | -| `api.affinity` | Affinity for Anchore API pod assignment | `{}` | -| `api.serviceAccountName` | Service account name for Anchore API pods | `""` | +| Name | Description | Value | +| ------------------------- | ---------------------------------------------------- | ----------- | +| `api.replicaCount` | Number of replicas for Anchore API deployment | `1` | +| `api.service.type` | Service type for Anchore API | `ClusterIP` | +| `api.service.port` | Service port for Anchore API | `8228` | +| `api.service.reportsPort` | Service port for Anchore Reports API | `8558` | +| `api.service.annotations` | Annotations for Anchore API service 
| `{}` | +| `api.service.labels` | Labels for Anchore API service | `{}` | +| `api.service.nodePort` | nodePort for Anchore API service | `""` | +| `api.extraEnv` | Set extra environment variables for Anchore API pods | `[]` | +| `api.resources` | Resource requests and limits for Anchore API pods | `{}` | +| `api.labels` | Labels for Anchore API pods | `{}` | +| `api.annotations` | Annotation for Anchore API pods | `{}` | +| `api.nodeSelector` | Node labels for Anchore API pod assignment | `{}` | +| `api.tolerations` | Tolerations for Anchore API pod assignment | `[]` | +| `api.affinity` | Affinity for Anchore API pod assignment | `{}` | +| `api.serviceAccountName` | Service account name for Anchore API pods | `""` | ### Anchore Analyzer k8s Deployment Parameters 
@@ -1136,12 +1136,11 @@ This rollback procedure is designed to revert your environment to its pre-migrat ### Anchore Feeds Chart Parameters -| Name | Description | Value | -| -------------------------- | ---------------------------------------------------------------------------------------------- | ------- | -| `feeds.chartEnabled` | Enable the Anchore Feeds chart | `true` | -| `feeds.standalone` | Sets the Anchore Feeds chart to run into non-standalone mode, for use with Anchore Enterprise. | `false` | -| `feeds.url` | Set the URL for a standalone Feeds service. Use when chartEnabled=false. | `""` | -| `feeds.service.apiVersion` | the apiVersion for the service when communicating with Anchore Feeds | `v1` | +| Name | Description | Value | +| -------------------- | ---------------------------------------------------------------------------------------------- | ------- | +| `feeds.chartEnabled` | Enable the Anchore Feeds chart | `true` | +| `feeds.standalone` | Sets the Anchore Feeds chart to run into non-standalone mode, for use with Anchore Enterprise. | `false` | +| `feeds.url` | Set the URL for a standalone Feeds service. Use when chartEnabled=false. | `""` | ### Anchore Policy Engine k8s Deployment Parameters 
@@ -1186,44 +1185,42 @@ This rollback procedure is designed to revert your environment to its pre-migrat ### Anchore Notifications Parameters -| Name | Description | Value | -| ----------------------------------- | -------------------------------------------------------------------------------- | ----------- | -| `notifications.replicaCount` | Number of replicas for the Anchore Notifications deployment | `1` | -| `notifications.service.type` | Service type for Anchore Notifications | `ClusterIP` | -| `notifications.service.port` | Service port for Anchore Notifications | `8668` | -| `notifications.service.annotations` | Annotations for Anchore Notifications service | `{}` | -| `notifications.service.labels` | Labels for Anchore Notifications service | `{}` | -| `notifications.service.nodePort` | nodePort for Anchore Notifications service | `""` | -| `notifications.service.apiVersion` | apiVersion for Anchore UI service to use when reaching out to the enterprise api | `v1` | -| `notifications.extraEnv` | Set extra environment variables for Anchore Notifications pods | `[]` | -| `notifications.resources` | Resource requests and limits for Anchore Notifications pods | `{}` | -| `notifications.labels` | Labels for Anchore Notifications pods | `{}` | -| `notifications.annotations` | Annotation for Anchore Notifications pods | `{}` | -| `notifications.nodeSelector` | Node labels for Anchore Notifications pod assignment | `{}` | -| `notifications.tolerations` | Tolerations for Anchore Notifications pod assignment | `[]` | -| `notifications.affinity` | Affinity for Anchore Notifications pod assignment | `{}` | -| `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | +| Name | Description | Value | +| ----------------------------------- | -------------------------------------------------------------- | ----------- | +| `notifications.replicaCount` | Number of replicas for the Anchore Notifications deployment | `1` | +| 
`notifications.service.type` | Service type for Anchore Notifications | `ClusterIP` | +| `notifications.service.port` | Service port for Anchore Notifications | `8668` | +| `notifications.service.annotations` | Annotations for Anchore Notifications service | `{}` | +| `notifications.service.labels` | Labels for Anchore Notifications service | `{}` | +| `notifications.service.nodePort` | nodePort for Anchore Notifications service | `""` | +| `notifications.extraEnv` | Set extra environment variables for Anchore Notifications pods | `[]` | +| `notifications.resources` | Resource requests and limits for Anchore Notifications pods | `{}` | +| `notifications.labels` | Labels for Anchore Notifications pods | `{}` | +| `notifications.annotations` | Annotation for Anchore Notifications pods | `{}` | +| `notifications.nodeSelector` | Node labels for Anchore Notifications pod assignment | `{}` | +| `notifications.tolerations` | Tolerations for Anchore Notifications pod assignment | `[]` | +| `notifications.affinity` | Affinity for Anchore Notifications pod assignment | `{}` | +| `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | ### Anchore Reports Parameters -| Name | Description | Value | -| ----------------------------- | -------------------------------------------------------------------------------- | ----------- | -| `reports.replicaCount` | Number of replicas for the Anchore Reports deployment | `1` | -| `reports.service.type` | Service type for Anchore Reports | `ClusterIP` | -| `reports.service.port` | Service port for Anchore Reports Worker | `8558` | -| `reports.service.annotations` | Annotations for Anchore Reports service | `{}` | -| `reports.service.labels` | Labels for Anchore Reports service | `{}` | -| `reports.service.nodePort` | nodePort for Anchore Reports service | `""` | -| `reports.service.apiVersion` | apiVersion for Anchore UI service to use when reaching out to the enterprise api | `v1` | -| 
`reports.extraEnv` | Set extra environment variables for Anchore Reports pods | `[]` | -| `reports.resources` | Resource requests and limits for Anchore Reports pods | `{}` | -| `reports.labels` | Labels for Anchore Reports pods | `{}` | -| `reports.annotations` | Annotation for Anchore Reports pods | `{}` | -| `reports.nodeSelector` | Node labels for Anchore Reports pod assignment | `{}` | -| `reports.tolerations` | Tolerations for Anchore Reports pod assignment | `[]` | -| `reports.affinity` | Affinity for Anchore Reports pod assignment | `{}` | -| `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | +| Name | Description | Value | +| ----------------------------- | -------------------------------------------------------- | ----------- | +| `reports.replicaCount` | Number of replicas for the Anchore Reports deployment | `1` | +| `reports.service.type` | Service type for Anchore Reports | `ClusterIP` | +| `reports.service.port` | Service port for Anchore Reports Worker | `8558` | +| `reports.service.annotations` | Annotations for Anchore Reports service | `{}` | +| `reports.service.labels` | Labels for Anchore Reports service | `{}` | +| `reports.service.nodePort` | nodePort for Anchore Reports service | `""` | +| `reports.extraEnv` | Set extra environment variables for Anchore Reports pods | `[]` | +| `reports.resources` | Resource requests and limits for Anchore Reports pods | `{}` | +| `reports.labels` | Labels for Anchore Reports pods | `{}` | +| `reports.annotations` | Annotation for Anchore Reports pods | `{}` | +| `reports.nodeSelector` | Node labels for Anchore Reports pod assignment | `{}` | +| `reports.tolerations` | Tolerations for Anchore Reports pod assignment | `[]` | +| `reports.affinity` | Affinity for Anchore Reports pod assignment | `{}` | +| `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | ### Anchore RBAC Authentication Parameters 
@@ -1236,30 +1233,29 @@ This rollback procedure is designed to revert your environment to its pre-migrat ### Anchore RBAC Manager Parameters -| Name | Description | Value | -| --------------------------------- | -------------------------------------------------------------------------------- | ----------- | -| `rbacManager.replicaCount` | Number of replicas for the Anchore RBAC Manager deployment | `1` | -| `rbacManager.service.type` | Service type for Anchore RBAC Manager | `ClusterIP` | -| `rbacManager.service.port` | Service port for Anchore RBAC Manager | `8229` | -| `rbacManager.service.annotations` | Annotations for Anchore RBAC Manager service | `{}` | -| `rbacManager.service.labels` | Labels for Anchore RBAC Manager service | `{}` | -| `rbacManager.service.nodePort` | nodePort for Anchore RBAC Manager service | `""` | -| `rbacManager.service.apiVersion` | apiVersion for Anchore UI service to use when reaching out to the enterprise api | `v1` | -| `rbacManager.extraEnv` | Set extra environment variables for Anchore RBAC Manager pods | `[]` | -| `rbacManager.resources` | Resource requests and limits for Anchore RBAC Manager pods | `{}` | -| `rbacManager.labels` | Labels for Anchore RBAC Manager pods | `{}` | -| `rbacManager.annotations` | Annotation for Anchore RBAC Manager pods | `{}` | -| `rbacManager.nodeSelector` | Node labels for Anchore RBAC Manager pod assignment | `{}` | -| `rbacManager.tolerations` | Tolerations for Anchore RBAC Manager pod assignment | `[]` | -| `rbacManager.affinity` | Affinity for Anchore RBAC Manager pod assignment | `{}` | -| `rbacManager.serviceAccountName` | Service account name for Anchore RBAC Manager pods | `""` | +| Name | Description | Value | +| --------------------------------- | ------------------------------------------------------------- | ----------- | +| `rbacManager.replicaCount` | Number of replicas for the Anchore RBAC Manager deployment | `1` | +| `rbacManager.service.type` | Service type for Anchore RBAC 
Manager | `ClusterIP` | +| `rbacManager.service.port` | Service port for Anchore RBAC Manager | `8229` | +| `rbacManager.service.annotations` | Annotations for Anchore RBAC Manager service | `{}` | +| `rbacManager.service.labels` | Labels for Anchore RBAC Manager service | `{}` | +| `rbacManager.service.nodePort` | nodePort for Anchore RBAC Manager service | `""` | +| `rbacManager.extraEnv` | Set extra environment variables for Anchore RBAC Manager pods | `[]` | +| `rbacManager.resources` | Resource requests and limits for Anchore RBAC Manager pods | `{}` | +| `rbacManager.labels` | Labels for Anchore RBAC Manager pods | `{}` | +| `rbacManager.annotations` | Annotation for Anchore RBAC Manager pods | `{}` | +| `rbacManager.nodeSelector` | Node labels for Anchore RBAC Manager pod assignment | `{}` | +| `rbacManager.tolerations` | Tolerations for Anchore RBAC Manager pod assignment | `[]` | +| `rbacManager.affinity` | Affinity for Anchore RBAC Manager pod assignment | `{}` | +| `rbacManager.serviceAccountName` | Service account name for Anchore RBAC Manager pods | `""` | ### Anchore UI Parameters | Name | Description | Value | | ---------------------------- | ----------------------------------------------------------------------------- | ---------------------------------------- | -| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v4.9.0` | +| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.0.0` | | `ui.imagePullPolicy` | Image pull policy for Anchore UI image | `IfNotPresent` | | `ui.existingSecretName` | Name of an existing secret to be used for Anchore UI DB and Redis endpoints | `anchore-enterprise-ui-env` | | `ui.ldapsRootCaCertName` | Name of the custom CA certificate file store in `.Values.certStoreSecretName` | `""` | 
@@ -1299,21 +1295,21 @@ This rollback procedure is designed to revert your environment to its pre-migrat ### Ingress Parameters -| Name | Description | Value | -| -------------------------- | ------------------------------------------------------------------ | --------------------------------- | -| `ingress.enabled` | Create an ingress resource for external Anchore service APIs | `false` | -| `ingress.labels` | Labels for the ingress resource | `{}` | -| `ingress.annotations` | Annotations for the ingress resource | `{}` | -| `ingress.apiHosts` | List of custom hostnames for the Anchore API | `[]` | -| `ingress.apiPaths` | The path used for accessing the Anchore API | `["/v1/","/v2/","/version/"]` | -| `ingress.uiHosts` | List of custom hostnames for the Anchore UI | `[]` | -| `ingress.uiPath` | The path used for accessing the Anchore UI | `/` | -| `ingress.feedsHosts` | List of custom hostnames for the Anchore Feeds API | `[]` | -| `ingress.feedsPaths` | The path used for accessing the Anchore Feeds API | `["/v1/feeds/","/v2/feeds/"]` | -| `ingress.reportsHosts` | List of custom hostnames for the Anchore Reports API | `[]` | -| `ingress.reportsPaths` | The path used for accessing the Anchore Reports API | `["/v1/reports/","/v2/reports/"]` | -| `ingress.tls` | Configure tls for the ingress resource | `[]` | -| `ingress.ingressClassName` | sets the ingress class name. 
As of k8s v1.18, this should be nginx | `nginx` | +| Name | Description | Value | +| -------------------------- | ------------------------------------------------------------------ | ---------------------- | +| `ingress.enabled` | Create an ingress resource for external Anchore service APIs | `false` | +| `ingress.labels` | Labels for the ingress resource | `{}` | +| `ingress.annotations` | Annotations for the ingress resource | `{}` | +| `ingress.apiHosts` | List of custom hostnames for the Anchore API | `[]` | +| `ingress.apiPaths` | The path used for accessing the Anchore API | `["/v2/","/version/"]` | +| `ingress.uiHosts` | List of custom hostnames for the Anchore UI | `[]` | +| `ingress.uiPath` | The path used for accessing the Anchore UI | `/` | +| `ingress.feedsHosts` | List of custom hostnames for the Anchore Feeds API | `[]` | +| `ingress.feedsPaths` | The path used for accessing the Anchore Feeds API | `["/v2/feeds/"]` | +| `ingress.reportsHosts` | List of custom hostnames for the Anchore Reports API | `[]` | +| `ingress.reportsPaths` | The path used for accessing the Anchore Reports API | `["/v2/reports/"]` | +| `ingress.tls` | Configure tls for the ingress resource | `[]` | +| `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | ### Google CloudSQL DB Parameters 
@@ -1364,6 +1360,17 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention. - **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update. +### v2.0.0 + +- Deploys Anchore Enterprise v5.0.0 +- Anchore Enterprise v5.0.0 introduces a breaking change to the API endpoints, and requires updating any external integrations to use the new endpoints. See the [Migration Guide](https://docs.anchore.com/current/docs/deployment/upgrade/5.0/) for more information. +- The following values were removed as only the `v2` API is supported in Anchore Enterprise 5.0.0: + - `api.service.apiVersion` + - `notifications.service.apiVersion` + - `reports.service.apiVersion` + - `rbacManager.service.apiVersion` + - `feeds.service.apiVersion` + ### v1.0.0 - This is a stable release of the Anchore Enterprise Helm chart and is recommended for production deployments. diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml index 9802d981..25ae4a48 100644 --- a/stable/enterprise/files/default_config.yaml +++ b/stable/enterprise/files/default_config.yaml 
@@ -112,13 +112,14 @@ services: cycle_timers: {{- toYaml .Values.anchoreConfig.catalog.cycle_timers | nindent 6 }} event_log: {{- toYaml .Values.anchoreConfig.catalog.event_log | nindent 6 }} runtime_inventory: - image_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_TTL_DAYS} - image_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_INGEST_OVERWRITE} + inventory_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS} + inventory_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE} image_gc: max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS} runtime_compliance: object_store_bucket: "runtime_compliance_check" down_analyzer_task_requeue: ${ANCHORE_ANALYZER_TASK_REQUEUE} + import_operation_expiration_days: ${ANCHORE_IMPORT_OPERATION_EXPIRATION_DAYS} analysis_archive: {{- toYaml .Values.anchoreConfig.catalog.analysis_archive | nindent 6 }} object_store: {{- toYaml .Values.anchoreConfig.catalog.object_store | nindent 6 }} ssl_enable: ${ANCHORE_SSL_ENABLED} @@ -147,7 +148,6 @@ services: cycle_timer_seconds: 1 cycle_timers: {{- toYaml .Values.anchoreConfig.policy_engine.cycle_timers | nindent 6 }} enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD} - enable_images_by_vulnerability_api: ${ANCHORE_POLICY_ENGINE_ENABLE_IMAGES_BY_VULN_QUERY} vulnerabilities: sync: enabled: true 
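Review bot: `import_operation_expiration_days` is wired to `${ANCHORE_IMPORT_OPERATION_EXPIRATION_DAYS}`, but in this commit that variable is pinned to the literal `"7"` in envvars_configmap.yaml with no `anchoreConfig.catalog.*` value and no README row, unlike the sibling `async_execution_timeout` which gets both. An operator who needs import operations retained for more or less than a week has no supported way to change it short of overriding the whole configmap. Suggest keeping the template line as is and having the configmap read `"{{ .Values.anchoreConfig.catalog.import_operation_expiration_days }}"` with a default of `7` in values.yaml, documented next to the other catalog parameters. The services block continues outside this hunk.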
@@ -158,21 +158,44 @@ services: grypedb: enabled: true url: {{ template "enterprise.grypeProviderURL" . }} - vulnerabilities: - enabled: ${ANCHORE_FEEDS_VULNERABILITIES_ENABLED} - url: {{ template "enterprise.feedsURL" . }} - nvdv2: - enabled: ${ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED} - url: {{ template "enterprise.feedsURL" . }} - github: - enabled: ${ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED} - url: {{ template "enterprise.feedsURL" . }} packages: enabled: ${ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED} url: {{ template "enterprise.feedsURL" . }} - microsoft: - enabled: ${ANCHORE_FEEDS_DRIVER_MSRC_ENABLED} - url: {{ template "enterprise.feedsURL" . }} + matching: + default: + search: + by_cpe: + enabled: ${ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED} + ecosystem_specific: + dotnet: + search: + by_cpe: + enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_DOTNET_SEARCH_BY_CPE_ENABLED} + golang: + search: + by_cpe: + enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_GOLANG_SEARCH_BY_CPE_ENABLED} + java: + search: + by_cpe: + enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVA_SEARCH_BY_CPE_ENABLED} + javascript: + search: + by_cpe: + enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVASCRIPT_SEARCH_BY_CPE_ENABLED} + python: + search: + by_cpe: + enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_PYTHON_SEARCH_BY_CPE_ENABLED} + ruby: + search: + by_cpe: + enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_RUBY_SEARCH_BY_CPE_ENABLED} + stock: + search: + by_cpe: + # Disabling search by CPE for the stock matcher will entirely disable binary-only matches and is not advised + enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_STOCK_SEARCH_BY_CPE_ENABLED} ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} 
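Review bot: The new `matching.default.search.by_cpe.enabled` line reads `${ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED}`, but the envvars_configmap.yaml hunk in this commit only defines the seven `ECOSYSTEM_SPECIFIC_*` variables, not this one. Unless the image supplies a default for it, the rendered config keeps the literal placeholder, and whether that is read as false or rejected at startup decides whether CPE matching for the default matcher is silently off. Either define `ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED: "true"` alongside the others or, if the image default is relied on, say so in a comment above the line. The policy_engine service block continues outside this hunk.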
@@ -210,6 +233,8 @@ services: authorization_handler: ${ANCHORE_AUTHZ_HANDLER} authorization_handler_config: endpoint: ${ANCHORE_AUTHZ_HANDLER_ENDPOINT} + max_async_execution_threads: ${ANCHORE_ENTERPRISE_REPORTS_MAX_ASYNC_EXECUTION_THREADS} + async_execution_timeout: ${ANCHORE_ENTERPRISE_REPORTS_ASYNC_EXECUTION_TIMEOUT} ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} @@ -232,9 +257,6 @@ services: vulnerabilities_by_k8s_namespace: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE} vulnerabilities_by_k8s_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER} vulnerabilities_by_ecs_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER} - authorization_handler: ${ANCHORE_AUTHZ_HANDLER} - authorization_handler_config: - endpoint: ${ANCHORE_AUTHZ_HANDLER_ENDPOINT} ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} diff --git a/stable/enterprise/templates/_helpers.tpl b/stable/enterprise/templates/_helpers.tpl index fe72f726..c17a18d8 100644 --- a/stable/enterprise/templates/_helpers.tpl +++ b/stable/enterprise/templates/_helpers.tpl 
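Review bot: `max_async_execution_threads` is fed from `${ANCHORE_ENTERPRISE_REPORTS_MAX_ASYNC_EXECUTION_THREADS}`, which the configmap pins to `"1"` with no values key, while the adjacent `async_execution_timeout` is exposed as `anchoreConfig.reports.async_execution_timeout`; exposing both, or a comment stating that a single thread is deliberate, would keep the two knobs consistent. Separately, the second hunk removes `authorization_handler` and its endpoint from the reports_worker service; if that service serves no authenticated API this is cleanup, but the v2.0.0 changelog entry in the README does not mention it and a reader can take it for a loss of RBAC enforcement. A one-line comment above the reports_worker block such as `# reports_worker exposes no API; authorization is enforced by the reports service` (if that is the case) would remove the ambiguity. Both services blocks start and end outside these hunks.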
@@ -54,12 +54,12 @@ Returns the proper URL for the feeds service {{- $anchoreFeedsURL := "" }} {{- if .Values.feeds.url }} {{- /* remove everything from the URL after /v2 to get the hostname, then use that to construct the proper URL */}} - {{- $regexSearchPattern := (printf "/%s.*$" .Values.feeds.service.apiVersion | toString) }} + {{- $regexSearchPattern := (printf "/v2.*$" | toString) }} {{- $urlPathSuffix := (default "" (regexFind $regexSearchPattern .Values.feeds.url) ) }} {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.feeds.url) -}} - {{- $anchoreFeedsURL = (printf "%s/%s/feeds" $anchoreFeedsHost .Values.feeds.service.apiVersion) -}} + {{- $anchoreFeedsURL = (printf "%s/v2/feeds" $anchoreFeedsHost) -}} {{- else if .Values.feeds.chartEnabled }} - {{- $anchoreFeedsURL = (printf "%s://%s:%s/%s/feeds" (include "enterprise.feeds.setProtocol" .) (include "enterprise.feeds.fullname" .) (.Values.feeds.service.port | toString) .Values.feeds.service.apiVersion) -}} + {{- $anchoreFeedsURL = (printf "%s://%s:%s/v2/feeds" (include "enterprise.feeds.setProtocol" .) (include "enterprise.feeds.fullname" .) (.Values.feeds.service.port | toString)) -}} {{- end }} {{- print $anchoreFeedsURL -}} {{- end -}} 
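Review bot: `regexFind "/v2.*$"` matches the leftmost `/v2` in `feeds.url`, so a host whose name begins with `v2` (for example `https://v2.feeds.example.com/v2/feeds`) is trimmed to `https:/` and the feeds URL becomes `https://v2/feeds`; the old `.apiVersion`-based pattern had the same weakness, but this rewrite is the moment to fix it. Anchoring the pattern to a path boundary avoids it: `{{- $regexSearchPattern := "/v2(/.*)?$" }}` — `printf` with no arguments adds nothing over a plain literal. The `grypeProviderURL` helper in the next hunk builds the same pattern and needs the same change.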
@@ -70,14 +70,14 @@ Returns the proper URL for the grype provider */}} {{- define "enterprise.grypeProviderURL" }} {{- $grypeProviderFeedsExternalURL := "" -}} -{{- $regexSearchPattern := (printf "/%s.*$" .Values.feeds.service.apiVersion | toString) }} +{{- $regexSearchPattern := (printf "/v2.*$" | toString) }} {{- if .Values.feeds.url }} {{- /* remove everything from the URL after /v2 to get the hostname, then use that to construct the proper URL */}} {{- $urlPathSuffix := (default "" ( regexFind $regexSearchPattern .Values.feeds.url )) -}} {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.feeds.url) -}} - {{- $grypeProviderFeedsExternalURL = (printf "%s/%s/databases/grypedb" $anchoreFeedsHost .Values.feeds.service.apiVersion) -}} + {{- $grypeProviderFeedsExternalURL = (printf "%s/v2/databases/grypedb" $anchoreFeedsHost) -}} {{- else if .Values.feeds.chartEnabled }} - {{- $grypeProviderFeedsExternalURL = (printf "%s://%s:%s/%s/databases/grypedb" (include "enterprise.feeds.setProtocol" .) (include "enterprise.feeds.fullname" .) (.Values.feeds.service.port | toString) .Values.feeds.service.apiVersion ) -}} + {{- $grypeProviderFeedsExternalURL = (printf "%s://%s:%s/v2/databases/grypedb" (include "enterprise.feeds.setProtocol" .) (include "enterprise.feeds.fullname" .) (.Values.feeds.service.port | toString)) -}} {{- end }} {{- /* Set the grypeProviderFeedsExternalURL to upstream feeds if still unset or if specifically overridden */}} diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index 500f88b9..d0adb685 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml +++ b/stable/enterprise/templates/envvars_configmap.yaml 
@@ -41,20 +41,22 @@ data: {{- end }} ANCHORE_DB_TIMEOUT: "{{ .Values.anchoreConfig.database.timeout }}" ANCHORE_ENABLE_METRICS: "{{ .Values.anchoreConfig.metrics.enabled }}" + ANCHORE_ENTERPRISE_REPORTS_ASYNC_EXECUTION_TIMEOUT: "{{ .Values.anchoreConfig.reports.async_execution_timeout }}" ANCHORE_ENTERPRISE_REPORTS_ENABLE_DATA_INGRESS: "{{ .Values.anchoreConfig.reports_worker.enable_data_ingress }}" ANCHORE_ENTERPRISE_REPORTS_ENABLE_DATA_EGRESS: "{{ .Values.anchoreConfig.reports_worker.enable_data_egress }}" ANCHORE_ENTERPRISE_REPORTS_DATA_EGRESS_WINDOW: "{{ .Values.anchoreConfig.reports_worker.data_egress_window }}" ANCHORE_ENTERPRISE_REPORTS_DATA_REFRESH_MAX_WORKERS: "{{ .Values.anchoreConfig.reports_worker.data_refresh_max_workers }}" ANCHORE_ENTERPRISE_REPORTS_DATA_LOAD_MAX_WORKERS: "{{ .Values.anchoreConfig.reports_worker.data_load_max_workers }}" ANCHORE_ENTERPRISE_REPORTS_ENABLE_GRAPHIQL: "{{ .Values.anchoreConfig.reports.enable_graphiql }}" + ANCHORE_ENTERPRISE_REPORTS_MAX_ASYNC_EXECUTION_THREADS: "1" ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER: "true" ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER: "true" ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE: "true" {{- if eq (toString .Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days) "-1" }} {{- fail "The Value `-1` is no longer valid for `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days`. Please use `.Values.anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite=true` to force runtime inventory to be overwritten upon every update for that reported context. `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days` must be set to a value >1." 
-}} {{- else }} - ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_TTL_DAYS: "{{ .Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days }}" - ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_INGEST_OVERWRITE: "{{ .Values.anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite }}" + ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS: "{{ .Values.anchoreConfig.catalog.runtime_inventory.inventory_ttl_days }}" + ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE: "{{ .Values.anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite }}" {{- end }} {{- with .Values.anchoreConfig.notifications.ui_url }} ANCHORE_ENTERPRISE_UI_URL: "{{ . }}" @@ -72,6 +74,7 @@ data: ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC: "180" ANCHORE_HINTS_ENABLED: "{{ .Values.anchoreConfig.analyzer.enable_hints }}" ANCHORE_IMAGE_ANALYZE_TIMEOUT_SECONDS: "3600" + ANCHORE_IMPORT_OPERATION_EXPIRATION_DAYS: "7" ANCHORE_INTERNAL_SSL_VERIFY: "{{ .Values.anchoreConfig.internalServicesSSL.verifyCerts }}" ANCHORE_KEEP_IMAGE_ANALYSIS_TMPFILES: "false" ANCHORE_LAYER_CACHE_ENABLED: {{ ternary "true" "false" (gt .Values.anchoreConfig.analyzer.layer_cache_max_gigabytes 0.0) | quote }} @@ -86,7 +89,6 @@ data: ANCHORE_OAUTH_TOKEN_EXPIRATION: "{{ .Values.anchoreConfig.user_authentication.oauth.default_token_expiration_seconds }}" ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION: "{{ .Values.anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds }}" ANCHORE_OWNED_PACKAGE_FILTERING_ENABLED: "true" - ANCHORE_POLICY_ENGINE_ENABLE_IMAGES_BY_VULN_QUERY: "true" ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD: "true" ANCHORE_POLICY_EVAL_CACHE_TTL_SECONDS: "3600" ANCHORE_SAML_SECRET: "null" 
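Review bot: The `{{- if eq (toString .Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days) "-1" }}` guard still reads the old `image_ttl_days` key while the rendered variables were switched to `inventory_ttl_days` and `inventory_ingest_overwrite`; if values.yaml was renamed to match (the README hunk in this commit documents only the new names), the guard compares a missing key and can never fire, and its `fail` message directs users to keys that no longer exist. Change the condition to `{{- if eq (toString .Values.anchoreConfig.catalog.runtime_inventory.inventory_ttl_days) "-1" }}` and reword the message to name `inventory_ttl_days` and `inventory_ingest_overwrite`. The configmap `data:` block starts before and ends after this hunk.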
@@ -104,3 +106,10 @@ data: {{- end }} ANCHORE_SSO_REQUIRES_EXISTING_USERS: "{{ .Values.anchoreConfig.user_authentication.sso_require_existing_users }}" ANCHORE_TMP_DIR: "{{ .Values.scratchVolume.mountPath }}" + ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_DOTNET_SEARCH_BY_CPE_ENABLED: "true" + ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_GOLANG_SEARCH_BY_CPE_ENABLED: "true" + ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVA_SEARCH_BY_CPE_ENABLED: "true" + ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVASCRIPT_SEARCH_BY_CPE_ENABLED: "false" + ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_PYTHON_SEARCH_BY_CPE_ENABLED: "true" + ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_RUBY_SEARCH_BY_CPE_ENABLED: "true" + ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_STOCK_SEARCH_BY_CPE_ENABLED: "true" diff --git a/stable/enterprise/templates/ui_configmap.yaml b/stable/enterprise/templates/ui_configmap.yaml index 889e5dba..2957a1d1 100644 --- a/stable/enterprise/templates/ui_configmap.yaml +++ b/stable/enterprise/templates/ui_configmap.yaml 
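Review bot: `ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVASCRIPT_SEARCH_BY_CPE_ENABLED` is the only one of the seven set to `"false"` and nothing says why; since turning CPE search off narrows vulnerability matching for that ecosystem, the reason belongs in a comment above the line, e.g. `# javascript CPE matching is off by default: <reason>`. All seven are hard-coded with no `anchoreConfig.policy_engine.*` value, so an operator cannot toggle them without overriding the whole configmap; consider exposing them the way `enable_package_db_load` is. The `DEFAULT` matcher variable that default_config.yaml references is not defined in this block either.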
@@ -26,11 +26,10 @@ data: admin: {{ .admin }} standard: {{ .standard }} {{- end }} - engine_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/{{- .Values.api.service.apiVersion -}}' - reports_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.reports.service.port -}}/{{- .Values.reports.service.apiVersion -}}' - notifications_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.notifications.fullname" . -}}:{{- .Values.notifications.service.port -}}/{{- .Values.notifications.service.apiVersion -}}' - rbac_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.rbacManager.fullname" . -}}:{{- .Values.rbacManager.service.port -}}/{{- .Values.rbacManager.service.apiVersion -}}' - enterprise_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/{{- .Values.api.service.apiVersion -}}' + reports_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/v2' + notifications_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/v2' + rbac_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/v2' + enterprise_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/v2' # redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable # appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable license_path: '/home/anchore/' 
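Review bot: `reports_uri`, `notifications_uri` and `rbac_uri` now all resolve to the API service on `api.service.port` with `/v2`, where `notifications_uri` and `rbac_uri` previously targeted their own services; if this is the intended v5 consolidation it deserves a comment, because the four lines now read like copies of `enterprise_uri`. Something like `# v5: the api service fronts reports, notifications and rbac under /v2; the per-service ports are not used by the UI` above `reports_uri` would make the intent explicit. It also means `notifications.service.port` and `rbacManager.service.port` no longer influence the UI configuration, which the README parameter tables in this commit do not mention. The configmap `data:` block starts and ends outside this hunk.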
diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 6d5094ac..3f69792a 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -166,13 +166,14 @@ should render the configmaps: level: - error runtime_inventory: - image_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_TTL_DAYS} - image_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_INGEST_OVERWRITE} + inventory_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS} + inventory_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE} image_gc: max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS} runtime_compliance: object_store_bucket: "runtime_compliance_check" down_analyzer_task_requeue: ${ANCHORE_ANALYZER_TASK_REQUEUE} + import_operation_expiration_days: ${ANCHORE_IMPORT_OPERATION_EXPIRATION_DAYS} analysis_archive: {} object_store: @@ -182,6 +183,7 @@ should render the configmaps: storage_driver: config: {} name: db + verify_content_digests: true ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} @@ -210,7 +212,6 @@ should render the configmaps: feed_sync: 14400 feed_sync_checker: 3600 enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD} - enable_images_by_vulnerability_api: ${ANCHORE_POLICY_ENGINE_ENABLE_IMAGES_BY_VULN_QUERY} vulnerabilities: sync: enabled: true 
@@ -220,22 +221,45 @@ should render the configmaps: data: grypedb: enabled: true - url: http://test-release-feeds:8448/v1/databases/grypedb - vulnerabilities: - enabled: ${ANCHORE_FEEDS_VULNERABILITIES_ENABLED} - url: http://test-release-feeds:8448/v1/feeds - nvdv2: - enabled: ${ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED} - url: http://test-release-feeds:8448/v1/feeds - github: - enabled: ${ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED} - url: http://test-release-feeds:8448/v1/feeds + url: http://test-release-feeds:8448/v2/databases/grypedb packages: enabled: ${ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED} - url: http://test-release-feeds:8448/v1/feeds - microsoft: - enabled: ${ANCHORE_FEEDS_DRIVER_MSRC_ENABLED} - url: http://test-release-feeds:8448/v1/feeds + url: http://test-release-feeds:8448/v2/feeds + matching: + default: + search: + by_cpe: + enabled: ${ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED} + ecosystem_specific: + dotnet: + search: + by_cpe: + enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_DOTNET_SEARCH_BY_CPE_ENABLED} + golang: + search: + by_cpe: + enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_GOLANG_SEARCH_BY_CPE_ENABLED} + java: + search: + by_cpe: + enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVA_SEARCH_BY_CPE_ENABLED} + javascript: + search: + by_cpe: + enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVASCRIPT_SEARCH_BY_CPE_ENABLED} + python: + search: + by_cpe: + enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_PYTHON_SEARCH_BY_CPE_ENABLED} + ruby: + search: + by_cpe: + enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_RUBY_SEARCH_BY_CPE_ENABLED} + stock: + search: + by_cpe: + # Disabling search by CPE for the stock matcher will entirely disable binary-only matches and is not advised + enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_STOCK_SEARCH_BY_CPE_ENABLED} ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} 
@@ -273,6 +297,8 @@ should render the configmaps: authorization_handler: ${ANCHORE_AUTHZ_HANDLER} authorization_handler_config: endpoint: ${ANCHORE_AUTHZ_HANDLER_ENDPOINT} + max_async_execution_threads: ${ANCHORE_ENTERPRISE_REPORTS_MAX_ASYNC_EXECUTION_THREADS} + async_execution_timeout: ${ANCHORE_ENTERPRISE_REPORTS_ASYNC_EXECUTION_TIMEOUT} ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} @@ -299,9 +325,6 @@ should render the configmaps: vulnerabilities_by_k8s_namespace: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE} vulnerabilities_by_k8s_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER} vulnerabilities_by_ecs_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER} - authorization_handler: ${ANCHORE_AUTHZ_HANDLER} - authorization_handler_config: - endpoint: ${ANCHORE_AUTHZ_HANDLER_ENDPOINT} ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} 
@@ -361,17 +384,19 @@ should render the configmaps: ANCHORE_DB_TIMEOUT: "120" ANCHORE_DISABLE_METRICS_AUTH: "false" ANCHORE_ENABLE_METRICS: "false" + ANCHORE_ENTERPRISE_REPORTS_ASYNC_EXECUTION_TIMEOUT: 48h ANCHORE_ENTERPRISE_REPORTS_DATA_EGRESS_WINDOW: "0" ANCHORE_ENTERPRISE_REPORTS_DATA_LOAD_MAX_WORKERS: "10" ANCHORE_ENTERPRISE_REPORTS_DATA_REFRESH_MAX_WORKERS: "10" ANCHORE_ENTERPRISE_REPORTS_ENABLE_DATA_EGRESS: "false" ANCHORE_ENTERPRISE_REPORTS_ENABLE_DATA_INGRESS: "true" ANCHORE_ENTERPRISE_REPORTS_ENABLE_GRAPHIQL: "true" + ANCHORE_ENTERPRISE_REPORTS_MAX_ASYNC_EXECUTION_THREADS: "1" ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER: "true" ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER: "true" ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE: "true" - ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_INGEST_OVERWRITE: "false" - ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_TTL_DAYS: "120" + ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE: "false" + ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS: "120" ANCHORE_ENTERPRISE_UI_URL: test-release-enterprise-ui ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED: "false" ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: "false" @@ -384,6 +409,7 @@ should render the configmaps: ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC: "180" ANCHORE_HINTS_ENABLED: "false" ANCHORE_IMAGE_ANALYZE_TIMEOUT_SECONDS: "3600" + ANCHORE_IMPORT_OPERATION_EXPIRATION_DAYS: "7" ANCHORE_INTERNAL_SSL_VERIFY: "false" ANCHORE_KEEP_IMAGE_ANALYSIS_TMPFILES: "false" ANCHORE_LAYER_CACHE_ENABLED: "false" @@ -398,7 +424,6 @@ should render the configmaps: ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION: "86400" ANCHORE_OAUTH_TOKEN_EXPIRATION: "3600" ANCHORE_OWNED_PACKAGE_FILTERING_ENABLED: "true" - ANCHORE_POLICY_ENGINE_ENABLE_IMAGES_BY_VULN_QUERY: "true" ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD: "true" ANCHORE_POLICY_EVAL_CACHE_TTL_SECONDS: "3600" ANCHORE_SAML_SECRET: "null" 
@@ -408,6 +433,13 @@ should render the configmaps: ANCHORE_SSL_KEY: "null" ANCHORE_SSO_REQUIRES_EXISTING_USERS: "false" ANCHORE_TMP_DIR: /analysis_scratch + ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_DOTNET_SEARCH_BY_CPE_ENABLED: "true" + ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_GOLANG_SEARCH_BY_CPE_ENABLED: "true" + ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVA_SEARCH_BY_CPE_ENABLED: "true" + ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVASCRIPT_SEARCH_BY_CPE_ENABLED: "false" + ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_PYTHON_SEARCH_BY_CPE_ENABLED: "true" + ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_RUBY_SEARCH_BY_CPE_ENABLED: "true" + ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_STOCK_SEARCH_BY_CPE_ENABLED: "true" ANCHORECTL_URL: http://localhost:8228 ANCHORECTL_USERNAME: admin kind: ConfigMap 
@@ -501,7 +533,7 @@ should render the configmaps: 6: | apiVersion: v1 data: - config-ui.yaml: "# Anchore UI configuration\nengine_uri: 'http://test-release-enterprise-api:8228/v1'\nreports_uri: 'http://test-release-enterprise-api:8558/v1'\nnotifications_uri: 'http://test-release-enterprise-notifications:8668/v1'\nrbac_uri: 'http://test-release-enterprise-rbac-manager:8229/v1'\nenterprise_uri: 'http://test-release-enterprise-api:8228/v1'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: true\nforce_websocket: false\nauthentication_lock:\n count: 5\n expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: true\nenable_prometheus_metrics: false\n" + config-ui.yaml: "# Anchore UI configuration\nreports_uri: 'http://test-release-enterprise-api:8228/v2'\nnotifications_uri: 'http://test-release-enterprise-api:8228/v2'\nrbac_uri: 'http://test-release-enterprise-api:8228/v2'\nenterprise_uri: 'http://test-release-enterprise-api:8228/v2'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: true\nforce_websocket: false\nauthentication_lock:\n count: 5\n expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: true\nenable_prometheus_metrics: false\n" kind: ConfigMap metadata: annotations: 
diff --git a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index cf477381..e3b8ac52 100644 --- a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -143,6 +143,6 @@ should render proper initContainers: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v4.9.3 + image: docker.io/anchore/enterprise:v5.0.0 imagePullPolicy: IfNotPresent name: wait-for-db diff --git a/stable/enterprise/tests/common_helpers_test.yaml b/stable/enterprise/tests/common_helpers_test.yaml index fc030021..0fcb2be2 100644 --- a/stable/enterprise/tests/common_helpers_test.yaml +++ b/stable/enterprise/tests/common_helpers_test.yaml @@ -832,29 +832,29 @@ tests: asserts: - matchRegex: path: data["config.yaml"] - pattern: "url: my-feeds-url/v1/databases/grypedb" + pattern: "url: my-feeds-url/v2/databases/grypedb" - matchRegex: path: data["config.yaml"] - pattern: "url: my-feeds-url/v1/feeds" + pattern: "url: my-feeds-url/v2/feeds" - - it: should render v1 anchoreFeedsURL with feeds.url set + - it: should render v2 anchoreFeedsURL with feeds.url set set: feeds: url: my-feeds-url service: - apiVersion: v1 + apiVersion: v2 templates: - anchore_configmap.yaml documentIndex: 0 asserts: - matchRegex: path: data["config.yaml"] - pattern: "url: my-feeds-url/v1/databases/grypedb" + pattern: "url: my-feeds-url/v2/databases/grypedb" - matchRegex: path: data["config.yaml"] - pattern: "url: my-feeds-url/v1/feeds" + pattern: "url: my-feeds-url/v2/feeds" - it: should render anchoreFeedsURL with feeds.chartEnabled set: 
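Review bot: The renamed case `should render v2 anchoreFeedsURL with feeds.url set` still sets `feeds.service.apiVersion: v2`, but this same series removes `feeds.service.apiVersion` from values.yaml (the `@@ -806,12 +811,6 @@` hunk at L1263), and the snapshots suggest the `/v2` segment is now fixed in the template. The `set:` entry therefore exercises nothing: the assertion would pass with any value there, which hides the fact that the override no longer exists. Drop the `service:` / `apiVersion: v2` lines from the `set:` block; if an override is still meant to be supported, keep the value in values.yaml and add a case that sets it to something other than `v2` and asserts the rendered URL changes.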
@@ -866,11 +866,11 @@ tests: asserts: - matchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v1/databases/grypedb" + pattern: "url: http://test-release-feeds:8448/v2/databases/grypedb" - matchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v1/feeds" + pattern: "url: http://test-release-feeds:8448/v2/feeds" - it: should render grypeProviderURL with anchoreConfig.policy_engine.overrideFeedsToUpstream set: @@ -882,7 +882,7 @@ tests: asserts: - notMatchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v1/databases/grypedb" + pattern: "url: http://test-release-feeds:8448/v2/databases/grypedb" - matchRegex: path: data["config.yaml"] @@ -899,7 +899,7 @@ tests: asserts: - notMatchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v1/databases/grypedb" + pattern: "url: http://test-release-feeds:8448/v2/databases/grypedb" - matchRegex: path: data["config.yaml"] @@ -914,19 +914,19 @@ tests: asserts: - matchRegex: path: data["config.yaml"] - pattern: "url: https://test-release-feeds:8448/v1/databases/grypedb" + pattern: "url: https://test-release-feeds:8448/v2/databases/grypedb" - matchRegex: path: data["config.yaml"] - pattern: "url: https://test-release-feeds:8448/v1/feeds" + pattern: "url: https://test-release-feeds:8448/v2/feeds" - notMatchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v1/databases/grypedb" + pattern: "url: http://test-release-feeds:8448/v2/databases/grypedb" - notMatchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v1/feeds" + pattern: "url: http://test-release-feeds:8448/v2/feeds" - it: should set the correct protocol with anchoreConfig.internalServicesSSL.enabled to true for deployments set: 
@@ -952,19 +952,19 @@ tests: asserts: - matchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v1/databases/grypedb" + pattern: "url: http://test-release-feeds:8448/v2/databases/grypedb" - matchRegex: path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v1/feeds" + pattern: "url: http://test-release-feeds:8448/v2/feeds" - notMatchRegex: path: data["config.yaml"] - pattern: "url: https://test-release-feeds:8448/v1/databases/grypedb" + pattern: "url: https://test-release-feeds:8448/v2/databases/grypedb" - notMatchRegex: path: data["config.yaml"] - pattern: "url: https://test-release-feeds:8448/v1/feeds" + pattern: "url: https://test-release-feeds:8448/v2/feeds" - it: should set the correct protocol with anchoreConfig.internalServicesSSL.enabled to false for deployments set: @@ -990,16 +990,16 @@ tests: asserts: - matchRegex: path: data["config-ui.yaml"] - pattern: "engine_uri: 'http://test-release-enterprise-api:8228/v1'" + pattern: "enterprise_uri: 'http://test-release-enterprise-api:8228/v2'" - matchRegex: path: data["config-ui.yaml"] - pattern: "rbac_uri: 'http://test-release-enterprise-rbac-manager:8229/v1'" + pattern: "rbac_uri: 'http://test-release-enterprise-api:8228/v2'" - matchRegex: path: data["config-ui.yaml"] - pattern: "notifications_uri: 'http://test-release-enterprise-notifications:8668/v1'" + pattern: "notifications_uri: 'http://test-release-enterprise-api:8228/v2'" - matchRegex: path: data["config-ui.yaml"] - pattern: "reports_uri: 'http://test-release-enterprise-api:8558/v1'" + pattern: "reports_uri: 'http://test-release-enterprise-api:8228/v2'" - it: should set the correct protocol with anchoreConfig.internalServicesSSL.enabled to true for ui_configmap.yaml set: 
@@ -1010,39 +1010,16 @@ tests: asserts: - matchRegex: path: data["config-ui.yaml"] - pattern: "engine_uri: 'https://test-release-enterprise-api:8228/v1'" + pattern: "enterprise_uri: 'https://test-release-enterprise-api:8228/v2'" - matchRegex: path: data["config-ui.yaml"] - pattern: "rbac_uri: 'https://test-release-enterprise-rbac-manager:8229/v1'" + pattern: "rbac_uri: 'https://test-release-enterprise-api:8228/v2'" - matchRegex: path: data["config-ui.yaml"] - pattern: "notifications_uri: 'https://test-release-enterprise-notifications:8668/v1'" + pattern: "notifications_uri: 'https://test-release-enterprise-api:8228/v2'" - matchRegex: path: data["config-ui.yaml"] - pattern: "reports_uri: 'https://test-release-enterprise-api:8558/v1'" - - - it: should set the correct apiVersion for ui_configmap.yaml - set: - api.service.apiVersion: "v1" - reports.service.apiVersion: "v1" - notifications.service.apiVersion: "v1" - rbacManager.service.apiVersion: "v1" - templates: - - ui_configmap.yaml - documentIndex: 0 - asserts: - - matchRegex: - path: data["config-ui.yaml"] - pattern: "engine_uri: 'http://test-release-enterprise-api:8228/v1'" - - matchRegex: - path: data["config-ui.yaml"] - pattern: "rbac_uri: 'http://test-release-enterprise-rbac-manager:8229/v1'" - - matchRegex: - path: data["config-ui.yaml"] - pattern: "notifications_uri: 'http://test-release-enterprise-notifications:8668/v1'" - - matchRegex: - path: data["config-ui.yaml"] - pattern: "reports_uri: 'http://test-release-enterprise-api:8558/v1'" + pattern: "reports_uri: 'https://test-release-enterprise-api:8228/v2'" - it: should render nodePort when set set: diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index aebbc729..f6d9503e 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml 
@@ -18,7 +18,7 @@ global: ## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI ## -image: docker.io/anchore/enterprise:v4.9.3 +image: docker.io/anchore/enterprise:v5.0.0 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy @@ -469,6 +469,8 @@ anchoreConfig: ## ref: https://docs.anchore.com/current/docs/configuration/storage/object_store/ ## object_store: + # Ensures the data read for the object store has the same digest as what was written. Set to false ONLY for debugging and other special cases. + verify_content_digests: true compression: enabled: true min_size_kbytes: 100 
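Review bot: `verify_content_digests` is added with a plain `# ` comment rather than the `## @param anchoreConfig.catalog.object_store.verify_content_digests …` line the values around it carry, so it will be missing from the generated parameter table (the README hunk at L1267 shows rows that mirror those `@param` descriptions). Since this is the integrity check on data read back from the object store, it should be discoverable by operators deciding whether to turn it off. Suggested: `## @param anchoreConfig.catalog.object_store.verify_content_digests Verify that data read from the object store matches the digest recorded when it was written. Set to false ONLY for debugging and other special cases.` followed by the usual bare `##` line before the key.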
@@ -477,15 +479,15 @@ anchoreConfig: name: db config: {} - ## @param anchoreConfig.catalog.runtime_inventory.image_ttl_days TTL for runtime inventory. - ## @param anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite force runtime inventory to be overwritten upon every update for that reported context. - ## When `image_ingest_overwrite=true` upon ingestion of inventory, removes anything previously reported by the namespace and only keep the latest inventory posted. + ## @param anchoreConfig.catalog.runtime_inventory.inventory_ttl_days TTL for images in the inventory report working set + ## @param anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite disables the inventory_ttl cycle timer. + ## When `inventory_ingest_overwrite=true` upon ingestion of inventory, removes anything previously reported by the namespace and only keep the latest inventory posted. ## This new config value is used instead of setting `image_ttl_days=-1` ## ref: https://docs.anchore.com/current/docs/configuration/runtime_inventory/ ## runtime_inventory: - image_ttl_days: 120 - image_ingest_overwrite: false + inventory_ttl_days: 120 + inventory_ingest_overwrite: false ## @param anchoreConfig.catalog.down_analyzer_task_requeue Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state ## @@ -520,6 +522,11 @@ anchoreConfig: ## enable_graphiql: true + ## @param anchoreConfig.reports.async_execution_timeout Configure how long a scheduled query must be running for before it is considered timed out + ## This may need to be adjusted if the system has large amounts of data and reports are being prematurely timed out. + ## The value should be a number followed by "w", "d", or "h" to represent weeks, days or hours + async_execution_timeout: 48h + reports_worker: ## @param anchoreConfig.reports_worker.enable_data_ingress Enable periodically syncing data into the Anchore Reports Service ## 
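Review bot: The kept line `## This new config value is used instead of setting `image_ttl_days=-1`` now refers to a key that the two lines above it rename to `inventory_ttl_days`, so the comment points at a setting this file no longer defines; the same stale line survives the later comment rewrite of this block (the `@@ -479,8 +479,8 @@` hunk at L1268). If the `-1` sentinel still applies to the renamed key, change it to `## This config value is used instead of setting `inventory_ttl_days=-1``; if it does not, drop the sentence rather than leave the old name behind.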
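Review bot: The new `async_execution_timeout` documentation block omits the bare `##` line that closes the other `@param` blocks in this file (see `enable_graphiql` directly above it, which has `##` between its description and the key). Add `##` after the third comment line so the block matches its neighbours and the README generator sees the same shape.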
@@ -647,7 +654,6 @@ api: ## @param api.service.annotations Annotations for Anchore API service ## @param api.service.labels Labels for Anchore API service ## @param api.service.nodePort nodePort for Anchore API service - ## @param api.service.apiVersion apiVersion for Anchore UI service to use when reaching out to the enterprise api ## service: type: ClusterIP @@ -656,7 +662,6 @@ api: annotations: {} labels: {} nodePort: "" - apiVersion: v1 ## @param api.extraEnv Set extra environment variables for Anchore API pods ## @@ -806,12 +811,6 @@ feeds: ## url: "" - ## @param feeds.service.apiVersion the apiVersion for the service when communicating with Anchore Feeds - ## - service: - apiVersion: v1 - - ########################################################### ## @section Anchore Policy Engine k8s Deployment Parameters ########################################################### @@ -931,7 +930,6 @@ notifications: ## @param notifications.service.annotations Annotations for Anchore Notifications service ## @param notifications.service.labels Labels for Anchore Notifications service ## @param notifications.service.nodePort nodePort for Anchore Notifications service - ## @param notifications.service.apiVersion apiVersion for Anchore UI service to use when reaching out to the enterprise api ## service: type: ClusterIP @@ -939,7 +937,6 @@ notifications: annotations: {} labels: {} nodePort: "" - apiVersion: v1 ## @param notifications.extraEnv Set extra environment variables for Anchore Notifications pods ## @@ -986,7 +983,6 @@ reports: ## @param reports.service.annotations Annotations for Anchore Reports service ## @param reports.service.labels Labels for Anchore Reports service ## @param reports.service.nodePort nodePort for Anchore Reports service - ## @param reports.service.apiVersion apiVersion for Anchore UI service to use when reaching out to the enterprise api ## service: type: ClusterIP 
@@ -994,7 +990,6 @@ reports: annotations: {} labels: {} nodePort: "" - apiVersion: v1 ## @param reports.extraEnv Set extra environment variables for Anchore Reports pods ## @@ -1053,7 +1048,6 @@ rbacManager: ## @param rbacManager.service.annotations Annotations for Anchore RBAC Manager service ## @param rbacManager.service.labels Labels for Anchore RBAC Manager service ## @param rbacManager.service.nodePort nodePort for Anchore RBAC Manager service - ## @param rbacManager.service.apiVersion apiVersion for Anchore UI service to use when reaching out to the enterprise api ## service: type: ClusterIP @@ -1061,7 +1055,6 @@ rbacManager: annotations: {} labels: {} nodePort: "" - apiVersion: v1 ## @param rbacManager.extraEnv Set extra environment variables for Anchore RBAC Manager pods ## @@ -1101,7 +1094,7 @@ rbacManager: ui: ## @param ui.image Image used for the Anchore UI container ## - image: docker.io/anchore/enterprise-ui:v4.9.0 + image: docker.io/anchore/enterprise-ui:v5.0.0 ## @param ui.imagePullPolicy Image pull policy for Anchore UI image ## @@ -1254,7 +1247,6 @@ ingress: ## @param ingress.apiPaths The path used for accessing the Anchore API ## apiPaths: - - /v1/ - /v2/ - /version/ @@ -1274,7 +1266,6 @@ ingress: ## Exposing the feeds API is for special cases only, use /v2/feeds for ingress.feedsPath ## feedsPaths: - - /v1/feeds/ - /v2/feeds/ ## @param ingress.reportsHosts List of custom hostnames for the Anchore Reports API @@ -1285,7 +1276,6 @@ ingress: ## Exposing the reports API enables the GraphQL interface, use /v2/reports/graphql for ingress.reportsPath ## reportsPaths: - - /v1/reports/ - /v2/reports/ ## @param ingress.tls Configure tls for the ingress resource From f63a2dfa149ed9d8e535ea522179de814b7c1eb0 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 1 Nov 2023 16:33:43 -0700 Subject: [PATCH 277/329] update feeds dep to v2.0.0 
Signed-off-by: Brady Todhunter --- stable/enterprise/templates/api_deployment.yaml | 2 +- stable/enterprise/templates/catalog_deployment.yaml | 2 +- stable/enterprise/tests/api_resources_test.yaml | 2 +- stable/enterprise/tests/catalog_resources_test.yaml | 2 +- stable/enterprise/values.yaml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/stable/enterprise/templates/api_deployment.yaml b/stable/enterprise/templates/api_deployment.yaml index 5fc5d7fc..0598882e 100644 --- a/stable/enterprise/templates/api_deployment.yaml +++ b/stable/enterprise/templates/api_deployment.yaml @@ -61,7 +61,7 @@ spec: volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} {{- if .Values.anchoreConfig.policyBundles }} - name: policy-bundle-volume - mountPath: "{{ $.Values.anchoreConfig.service_dir }}/bundles/" + mountPath: "{{ $.Values.anchoreConfig.service_dir }}/policies/" {{- end }} livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} diff --git a/stable/enterprise/templates/catalog_deployment.yaml b/stable/enterprise/templates/catalog_deployment.yaml index ecce0e79..06ba4737 100644 --- a/stable/enterprise/templates/catalog_deployment.yaml +++ b/stable/enterprise/templates/catalog_deployment.yaml @@ -66,7 +66,7 @@ spec: mountPath: {{ .Values.scratchVolume.mountPath }} {{- if .Values.anchoreConfig.policyBundles }} - name: policy-bundle-volume - mountPath: "{{ $.Values.anchoreConfig.service_dir }}/bundles/" + mountPath: "{{ $.Values.anchoreConfig.service_dir }}/policies/" {{- end }} livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} 
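Review bot: Mounting the whole `policy-bundle-volume` at `{{ service_dir }}/policies/` replaces that directory with a read-only view of the configMap keys, so anything the image already ships there, or anything the service tries to write there, is hidden or fails with a read-only error; the catalog hunk below makes the same mount. If the services only need the bundle files dropped into `policies`, mount each key with `subPath` into that directory instead of covering it, which is what the follow-up patch in this series (282) ends up doing together with a copy step at container start. Whether the service writes into `policies` at runtime is not visible here and is worth confirming before keeping a whole-directory mount.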
diff --git a/stable/enterprise/tests/api_resources_test.yaml b/stable/enterprise/tests/api_resources_test.yaml index 1daf5be2..5c840f96 100644 --- a/stable/enterprise/tests/api_resources_test.yaml +++ b/stable/enterprise/tests/api_resources_test.yaml @@ -306,7 +306,7 @@ tests: path: spec.template.spec.containers[0].volumeMounts content: name: policy-bundle-volume - mountPath: /anchore_service/bundles/ + mountPath: /anchore_service/policies/ count: 1 any: true diff --git a/stable/enterprise/tests/catalog_resources_test.yaml b/stable/enterprise/tests/catalog_resources_test.yaml index 89da24d4..10a74bcd 100644 --- a/stable/enterprise/tests/catalog_resources_test.yaml +++ b/stable/enterprise/tests/catalog_resources_test.yaml @@ -272,7 +272,7 @@ tests: path: spec.template.spec.containers[0].volumeMounts content: name: policy-bundle-volume - mountPath: /anchore_service/bundles/ + mountPath: /anchore_service/policies/ count: 1 any: true diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index f6d9503e..6f6e6726 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -314,7 +314,7 @@ anchoreConfig: certSecretCertFileName: "" ## @param anchoreConfig.policyBundles Include custom Anchore policy bundles - ## This object represents the data of a configmap that is mounted to /bundles of all Anchore services + ## This object represents the data of a configmap that is mounted to /policies of all Anchore services ## ref: https://docs.anchore.com/current/docs/overview/concepts/policy/bundles/ ## policyBundles: {} From cea4474dd717bebba2fa5868c520eff75e544ec2 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 1 Nov 2023 16:39:12 -0700 Subject: [PATCH 278/329] update comments for runtime inventory Signed-off-by: Brady Todhunter --- stable/enterprise/README.md | 4 ++-- stable/enterprise/values.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 69bba9ab..ba3c370f 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -1038,8 +1038,8 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `anchoreConfig.catalog.event_log` | Event log for webhooks, YAML configuration | `{}` | | `anchoreConfig.catalog.analysis_archive` | Custom analysis archive YAML configuration | `{}` | | `anchoreConfig.catalog.object_store` | Custom object storage YAML configuration | `{}` | -| `anchoreConfig.catalog.runtime_inventory.inventory_ttl_days` | TTL for images in the inventory report working set | `120` | -| `anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite` | disables the inventory_ttl cycle timer. | `false` | +| `anchoreConfig.catalog.runtime_inventory.inventory_ttl_days` | TTL for runtime inventory. | `120` | +| `anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite` | force runtime inventory to be overwritten upon every update for that reported context. | `false` | | `anchoreConfig.catalog.down_analyzer_task_requeue` | Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state | `true` | | `anchoreConfig.policy_engine.cycle_timers.feed_sync` | Interval to run a feed sync to get latest cve data | `14400` | | `anchoreConfig.policy_engine.cycle_timers.feed_sync_checker` | Interval between checks to see if there needs to be a task queued | `3600` | diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 6f6e6726..30e3e801 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml 
@@ -479,8 +479,8 @@ anchoreConfig: name: db config: {} - ## @param anchoreConfig.catalog.runtime_inventory.inventory_ttl_days TTL for images in the inventory report working set - ## @param anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite disables the inventory_ttl cycle timer. + ## @param anchoreConfig.catalog.runtime_inventory.inventory_ttl_days TTL for runtime inventory. + ## @param anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite force runtime inventory to be overwritten upon every update for that reported context. ## When `inventory_ingest_overwrite=true` upon ingestion of inventory, removes anything previously reported by the namespace and only keep the latest inventory posted. ## This new config value is used instead of setting `image_ttl_days=-1` ## ref: https://docs.anchore.com/current/docs/configuration/runtime_inventory/ From 93d3224e882870b2ef90d2e9596779ca85b6e8d6 Mon Sep 17 00:00:00 2001 From: "Paul V. Novarese" Date: Fri, 3 Nov 2023 15:47:40 -0500 Subject: [PATCH 279/329] Update README.md Signed-off-by: Paul Novarese --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f63eebeb..4357e965 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,7 @@ It can be useful when developing to install a chart directly from the source cod ```bash RELEASE_NAME="my-release" -CHART_PATH="anchore-charts/stable/anchore-engine" +CHART_PATH="anchore-charts/stable/enterprise" git clone https://github.com/anchore/anchore-charts-dev.git cd "$CHART_PATH" From 71a70ef742009f223d90d249c9722662bdbda3ca Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 7 Nov 2023 17:14:42 -0500 Subject: [PATCH 280/329] removing enterprise pre-install db check Signed-off-by: Hung Nguyen --- .../pre-install/preinstall_db_check.yaml | 121 ------------------ 1 file changed, 121 deletions(-) delete mode 100644 stable/enterprise/templates/hooks/pre-install/preinstall_db_check.yaml 
diff --git a/stable/enterprise/templates/hooks/pre-install/preinstall_db_check.yaml b/stable/enterprise/templates/hooks/pre-install/preinstall_db_check.yaml deleted file mode 100644 index fa39127f..00000000 --- a/stable/enterprise/templates/hooks/pre-install/preinstall_db_check.yaml +++ /dev/null 
@@ -1,121 +0,0 @@ -{{- if not .Values.postgresql.chartEnabled -}} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ printf "%s-db-check" (include "enterprise.fullname" .) }} - namespace: {{ .Release.Namespace }} - labels: {{- include "enterprise.common.labels" . | nindent 4 }} - annotations: {{- include "enterprise.common.annotations" (merge (dict "nil" true) .) | nindent 4 }} - "helm.sh/hook": pre-install - "helm.sh/hook-weight": "1" - "helm.sh/hook-delete-policy": hook-succeeded -spec: - backoffLimit: 1 - template: - metadata: - name: - labels: {{- include "enterprise.common.labels" . | nindent 8 }} - annotations: {{- include "enterprise.common.annotations" . | nindent 8 }} - spec: - {{- include "enterprise.common.podSpec" . | indent 6 }} - restartPolicy: Never - volumes: - {{- with .Values.extraVolumes }} - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.certStoreSecretName }} - - name: certs - secret: - secretName: {{ . }} - {{- end }} - {{- if .Values.cloudsql.useExistingServiceAcc }} - - name: {{ .Values.cloudsql.serviceAccSecretName }} - secret: - secretName: {{ .Values.cloudsql.serviceAccSecretName }} - {{- end }} - containers: - {{- if .Values.cloudsql.enabled }} - {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} - {{- end }} - - name: check-enterprise-db - image: {{ .Values.image }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - {{- with .Values.containerSecurityContext }} - securityContext: {{ toYaml . 
| nindent 12 }} - {{- end }} - {{- if .Values.useExistingSecrets }} - envFrom: - - secretRef: - name: {{ .Values.existingSecretName }} - {{- end }} - {{- if or .Values.anchoreConfig.database.ssl (not .Values.useExistingSecrets) }} - env: - {{- if not .Values.useExistingSecrets }} - - name: ANCHORE_DB_USER - value: {{ .Values.postgresql.auth.username | quote }} - - name: ANCHORE_DB_PASSWORD - value: {{ .Values.postgresql.auth.password | quote }} - - name: ANCHORE_DB_HOST - value: {{ .Values.postgresql.externalEndpoint | quote }} - - name: ANCHORE_DB_PORT - value: {{ .Values.postgresql.primary.service.ports.postgresql | quote }} - - name: ANCHORE_DB_NAME - value: {{ .Values.postgresql.auth.database | quote }} - {{- end }} - {{- if .Values.anchoreConfig.database.ssl }} - - name: ANCHORE_DB_SSL_MODE - value: {{ .Values.anchoreConfig.database.sslMode | quote }} - - name: ANCHORE_DB_SSL_ROOT_CERT - value: {{ .Values.anchoreConfig.database.sslRootCertFileName | quote }} - {{- end }} - {{- end }} - volumeMounts: - {{- with .Values.extraVolumeMounts }} - {{- toYaml . 
| nindent 12 }} - {{- end }} - {{- if .Values.certStoreSecretName }} - - name: certs - mountPath: /home/anchore/certs/ - readOnly: true - {{- end }} - command: ["/bin/bash", "-c"] - args: - - | - timeout=600 # 10 minutes in seconds - start_time=$(date +%s) - - CONNSTR=postgresql://"${ANCHORE_DB_USER}":"${ANCHORE_DB_PASSWORD}"@"${ANCHORE_DB_HOST}":"${ANCHORE_DB_PORT}"/"${ANCHORE_DB_NAME}" - - if [[ ${ANCHORE_DB_SSL_MODE} != null ]]; then - CONNSTR=${CONNSTR}?sslmode=${ANCHORE_DB_SSL_MODE} - fi - - if [[ ${ANCHORE_DB_SSL_ROOT_CERT} != null ]]; then - CONNSTR=${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_DB_SSL_ROOT_CERT} - fi - - while true; do - current_time=$(date +%s) - elapsed_time=$((current_time - start_time)) - - if [[ $elapsed_time -ge $timeout ]]; then - echo "Database connection timeout" - exit 1 - fi - - output=$(anchore-enterprise-manager db --db-connect ${CONNSTR} pre-upgrade-check 2>&1) - - if [ $? -eq 0 ]; then - echo "Database is ready" - exit 0 - elif [[ "$output" == *"Enterprise requires Postgres version 13.0 or higher"* ]]; then - echo "Error: Enterprise requires Postgres version 13.0 or higher" - exit 1 - else - echo "Database is not ready yet, sleeping 10 seconds..." - sleep 10 - fi - - done - -{{- end -}} \ No newline at end of file From bdc17d8021ef47d666c073e40a276458ed1091e6 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 7 Nov 2023 17:16:12 -0500 Subject: [PATCH 281/329] bump chart version Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index a03772ee..bbf0252e 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "2.0.0" +version: "2.0.1" appVersion: "5.0.0" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x description: | From 5b0f7b90b380afef51a3230bc26597fe0bd5004d Mon Sep 17 00:00:00 2001 
From: Brady Todhunter Date: Mon, 4 Dec 2023 16:48:11 -0500 Subject: [PATCH 282/329] Enterprise chart bug fixes (#317) * use subpath for mounting custom PolicyBundles * bump chart version * add range for policy keys * TEMP FIX - copy custom policies into accessible temp directory (using entrypoint) * fix tests to account for new entrypoint * update test snapshots * de-indenting for malware in values file --------- Signed-off-by: Keohn Akins Signed-off-by: Hung Nguyen Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/templates/_common.tpl | 2 +- .../enterprise/templates/api_deployment.yaml | 5 ++- .../templates/catalog_deployment.yaml | 5 ++- .../__snapshot__/configmap_test.yaml.snap | 8 ++--- .../tests/analyzer_resources_test.yaml | 2 +- .../enterprise/tests/api_resources_test.yaml | 34 ++++++++++++++++--- .../tests/catalog_resources_test.yaml | 16 +++++++-- .../enterprise/tests/common_helpers_test.yaml | 8 ++--- .../tests/notifications_resources_test.yaml | 2 +- .../tests/policyengine_resources_test.yaml | 2 +- .../tests/rbacmanager_resources_test.yaml | 2 +- .../tests/reports_resources_test.yaml | 2 +- .../tests/simplequeue_resources_test.yaml | 2 +- .../enterprise/tests/ui_resources_test.yaml | 2 +- stable/enterprise/values.yaml | 8 ++--- 16 files changed, 72 insertions(+), 30 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index bbf0252e..0d9ddb10 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "2.0.1" +version: "2.0.2" appVersion: "5.0.0" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x description: | diff --git a/stable/enterprise/templates/_common.tpl b/stable/enterprise/templates/_common.tpl index 370d5b16..30bea08c 100644 --- a/stable/enterprise/templates/_common.tpl +++ b/stable/enterprise/templates/_common.tpl 
@@ -53,7 +53,7 @@ Setup a container for the cloudsql proxy to run in all pods when .Values.cloudsq Setup the common docker-entrypoint command for all Anchore Enterprise containers */}} {{- define "enterprise.common.dockerEntrypoint" -}} -{{ print (include "enterprise.doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade +mkdir -p {{ $.Values.anchoreConfig.service_dir }}/policies {{ $.Values.anchoreConfig.service_dir }}/tempPolicies && cp -rp {{ $.Values.anchoreConfig.service_dir }}/tempPolicies/* {{ $.Values.anchoreConfig.service_dir }}/policies || echo && {{ print (include "enterprise.doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade {{- end -}} diff --git a/stable/enterprise/templates/api_deployment.yaml b/stable/enterprise/templates/api_deployment.yaml index 0598882e..e5e592cf 100644 --- a/stable/enterprise/templates/api_deployment.yaml +++ b/stable/enterprise/templates/api_deployment.yaml @@ -60,8 +60,11 @@ spec: containerPort: {{ .Values.api.service.port }} volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} {{- if .Values.anchoreConfig.policyBundles }} + {{- range $key, $value := .Values.anchoreConfig.policyBundles }} - name: policy-bundle-volume - mountPath: "{{ $.Values.anchoreConfig.service_dir }}/policies/" + mountPath: {{ $.Values.anchoreConfig.service_dir }}/tempPolicies/{{ $key }} + subPath: {{ $key }} + {{- end }} {{- end }} livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} diff --git a/stable/enterprise/templates/catalog_deployment.yaml b/stable/enterprise/templates/catalog_deployment.yaml index 06ba4737..8591e28e 100644 --- a/stable/enterprise/templates/catalog_deployment.yaml +++ b/stable/enterprise/templates/catalog_deployment.yaml 
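Review bot: The `|| echo` in the new dockerEntrypoint hides every failure of the staging step, so a pod where `service_dir` is not writable (a read-only root filesystem, for instance) or where no bundles were mounted starts without its custom policy bundles and the log says nothing; since `||` and `&&` bind equally and left-to-right the service start still runs, which is presumably intended. Make the fallback visible and quote the interpolated path so a `service_dir` containing spaces or shell metacharacters cannot split the command, e.g. `mkdir -p "{{ $.Values.anchoreConfig.service_dir }}/policies" "{{ $.Values.anchoreConfig.service_dir }}/tempPolicies" && cp -rp "{{ $.Values.anchoreConfig.service_dir }}"/tempPolicies/* "{{ $.Values.anchoreConfig.service_dir }}/policies" || echo "WARN: no custom policy bundles staged" && ...` with the rest of the line unchanged. Because the helper is shared by every container, the copy also runs in the UI pod (see the ui_resources_test hunk) where policy bundles play no role; wrapping the prefix in `{{- if .Values.anchoreConfig.policyBundles }}` would leave those entrypoints as they were. The description calls this a TEMP FIX, so a one-line comment inside the define saying why the bundles are copied rather than mounted in place would help whoever removes it later.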
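Review bot: The new `mountPath` and `subPath` lines drop the quoting the removed `mountPath` line had, so a `policyBundles` key containing `: `, ` #` or a leading YAML indicator renders invalid YAML or a mis-parsed value; the catalog_deployment hunk below has the same two lines and needs the same fix. Quote both: `mountPath: "{{ $.Values.anchoreConfig.service_dir }}/tempPolicies/{{ $key }}"` and `subPath: "{{ $key }}"`. Kubernetes documents that a `subPath` mount does not receive later ConfigMap updates, which the entrypoint copy makes moot for the running container but is worth a comment on the range so nobody expects hot reload here. The container spec these mounts belong to starts and ends outside the hunk.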
@@ -65,8 +65,11 @@ spec: - name: anchore-scratch mountPath: {{ .Values.scratchVolume.mountPath }} {{- if .Values.anchoreConfig.policyBundles }} + {{- range $key, $value := .Values.anchoreConfig.policyBundles }} - name: policy-bundle-volume - mountPath: "{{ $.Values.anchoreConfig.service_dir }}/policies/" + mountPath: {{ $.Values.anchoreConfig.service_dir }}/tempPolicies/{{ $key }} + subPath: {{ $key }} + {{- end }} {{- end }} livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 3f69792a..44329103 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -4,14 +4,14 @@ should render the configmaps: data: analyzer_config.yaml: | # Anchore analyzer configuration + malware: + clamav: + db_update_enabled: true + enabled: false retrieve_files: file_list: - /etc/passwd secret_search: - malware: - clamav: - db_update_enabled: true - enabled: false match_params: - MAXFILESIZE=10000 - STOREONMATCH=n diff --git a/stable/enterprise/tests/analyzer_resources_test.yaml b/stable/enterprise/tests/analyzer_resources_test.yaml index 17279128..f5a8c767 100644 --- a/stable/enterprise/tests/analyzer_resources_test.yaml +++ b/stable/enterprise/tests/analyzer_resources_test.yaml 
@@ -188,7 +188,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade analyzer$ + pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade analyzer$ count: 1 - it: should render component environment variables diff --git a/stable/enterprise/tests/api_resources_test.yaml b/stable/enterprise/tests/api_resources_test.yaml index 5c840f96..158d7e65 100644 --- a/stable/enterprise/tests/api_resources_test.yaml +++ b/stable/enterprise/tests/api_resources_test.yaml @@ -178,11 +178,11 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[1].args[0] - pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade reports$ + pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade reports$ count: 1 - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade apiext$ + pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade apiext$ count: 1 - it: should render api component environment variables @@ -295,7 +295,7 @@ tests: containerPort: 8558 count: 1 - - it: should render policy bundle volumeMounts when policy bundles are provided + - it: should render policy bundle volumeMounts when a policy bundle is provided template: api_deployment.yaml documentIndex: 0 set: 
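Review bot: The new `pattern` no longer asserts anything: in Go RE2, `||` is an alternation with an empty branch, which matches every string, and `tempPolicies/*` means "zero or more slashes", so this matchRegex passes whatever args[0] renders. Escape the metacharacters, `pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/\* /anchore_service/policies \|\| echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade analyzer$`. The same unescaped pattern is pasted into api_resources_test, catalog_resources_test, the three matchRegex hunks of common_helpers_test (its `contains` assertion at -445 is a literal compare and is fine), notifications, policyengine, rbacmanager, reports, simplequeue and ui_resources_test, and each should be corrected the same way. Run the corrected tests before merging, since a real regex may surface drift between template output and expectation that the vacuous one hid.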
@@ -306,9 +306,35 @@ tests: path: spec.template.spec.containers[0].volumeMounts content: name: policy-bundle-volume - mountPath: /anchore_service/policies/ + mountPath: /anchore_service/tempPolicies/custom_policy_bundle1.json + subPath: custom_policy_bundle1.json count: 1 any: true + + - it: should render policy bundle volumeMounts when multiple policy bundles are provided + template: api_deployment.yaml + documentIndex: 0 + set: + anchoreConfig.policyBundles: + custom_policy_bundle1.json: {} + custom_policy_bundle2.json: {} + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: policy-bundle-volume + mountPath: /anchore_service/tempPolicies/custom_policy_bundle1.json + subPath: custom_policy_bundle1.json + count: 1 + any: true + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: policy-bundle-volume + mountPath: /anchore_service/tempPolicies/custom_policy_bundle2.json + subPath: custom_policy_bundle2.json + count: 1 + any: true - it: should render component probes template: api_deployment.yaml diff --git a/stable/enterprise/tests/catalog_resources_test.yaml b/stable/enterprise/tests/catalog_resources_test.yaml index 10a74bcd..64af4573 100644 --- a/stable/enterprise/tests/catalog_resources_test.yaml +++ b/stable/enterprise/tests/catalog_resources_test.yaml @@ -201,7 +201,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade catalog$ + pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade catalog$ count: 1 - it: should render catalog component environment variables 
@@ -261,20 +261,30 @@ tests: count: 1 any: true - - it: should render policy bundle volumeMounts when policy bundles are provided + - it: should render policy bundle volumeMounts when multiple policy bundles are provided template: catalog_deployment.yaml documentIndex: 0 set: anchoreConfig.policyBundles: custom_policy_bundle1.json: {} + custom_policy_bundle2.json: {} asserts: - contains: path: spec.template.spec.containers[0].volumeMounts content: name: policy-bundle-volume - mountPath: /anchore_service/policies/ + mountPath: /anchore_service/tempPolicies/custom_policy_bundle1.json + subPath: custom_policy_bundle1.json count: 1 any: true + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: policy-bundle-volume + mountPath: /anchore_service/tempPolicies/custom_policy_bundle2.json + subPath: custom_policy_bundle2.json + count: 1 + any: true - it: should render component probes template: catalog_deployment.yaml diff --git a/stable/enterprise/tests/common_helpers_test.yaml b/stable/enterprise/tests/common_helpers_test.yaml index 0fcb2be2..104fe10f 100644 --- a/stable/enterprise/tests/common_helpers_test.yaml +++ b/stable/enterprise/tests/common_helpers_test.yaml @@ -102,7 +102,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^\/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade + pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && \/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade - it: should render docker entrypoint with doSourceAtEntry and no filePaths templates: *backend_test_templates 
@@ -112,7 +112,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^\/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade + pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade - it: should render docker entrypoint with doSourceAtEntry and some filePaths templates: *test_templates @@ -123,7 +123,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^if \[ -f myscript\.sh \];then source myscript\.sh;fi;if \[ -f myotherscript\.sh \];then source myotherscript\.sh;fi; .*$ + pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && if \[ -f myscript\.sh \];then source myscript\.sh;fi;if \[ -f myotherscript\.sh \];then source myotherscript\.sh;fi; .*$ - it: should render envFrom without an existing secret templates: @@ -445,7 +445,7 @@ tests: path: spec.template.spec.containers content: args: - - /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_authorizer + - mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_authorizer name: rbac-auth ports: - containerPort: 8089 diff --git a/stable/enterprise/tests/notifications_resources_test.yaml b/stable/enterprise/tests/notifications_resources_test.yaml index 0a3ec922..f784b4fd 100644 --- a/stable/enterprise/tests/notifications_resources_test.yaml +++ b/stable/enterprise/tests/notifications_resources_test.yaml 
@@ -159,7 +159,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade notifications$ + pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade notifications$ count: 1 - it: should render notifications component environment variables diff --git a/stable/enterprise/tests/policyengine_resources_test.yaml b/stable/enterprise/tests/policyengine_resources_test.yaml index 3d1175ce..968bc934 100644 --- a/stable/enterprise/tests/policyengine_resources_test.yaml +++ b/stable/enterprise/tests/policyengine_resources_test.yaml @@ -185,7 +185,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade policy_engine$ + pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade policy_engine$ count: 1 - it: should render policyEngine component environment variables diff --git a/stable/enterprise/tests/rbacmanager_resources_test.yaml b/stable/enterprise/tests/rbacmanager_resources_test.yaml index 01a1c81d..3ceb86a0 100644 --- a/stable/enterprise/tests/rbacmanager_resources_test.yaml +++ b/stable/enterprise/tests/rbacmanager_resources_test.yaml 
@@ -156,7 +156,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_manager$ + pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_manager$ count: 1 - it: should render rbacManager component environment variables diff --git a/stable/enterprise/tests/reports_resources_test.yaml b/stable/enterprise/tests/reports_resources_test.yaml index e602cd96..ce8ff977 100644 --- a/stable/enterprise/tests/reports_resources_test.yaml +++ b/stable/enterprise/tests/reports_resources_test.yaml @@ -156,7 +156,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade reports_worker$ + pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade reports_worker$ count: 1 - it: should render reports component environment variables diff --git a/stable/enterprise/tests/simplequeue_resources_test.yaml b/stable/enterprise/tests/simplequeue_resources_test.yaml index 5d66c2e0..054f9a89 100644 --- a/stable/enterprise/tests/simplequeue_resources_test.yaml +++ b/stable/enterprise/tests/simplequeue_resources_test.yaml 
@@ -156,7 +156,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade simplequeue$ + pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade simplequeue$ count: 1 - it: should render simplequeue component environment variables diff --git a/stable/enterprise/tests/ui_resources_test.yaml b/stable/enterprise/tests/ui_resources_test.yaml index ac56cc61..fdbce391 100644 --- a/stable/enterprise/tests/ui_resources_test.yaml +++ b/stable/enterprise/tests/ui_resources_test.yaml @@ -146,7 +146,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^/docker-entrypoint\.sh node \/home\/node\/aui\/build\/server.js$ + pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh node \/home\/node\/aui\/build\/server.js$ count: 1 - it: should render ui component environment variables diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 30e3e801..6cdd4230 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -407,10 +407,10 @@ anchoreConfig: # - "EXAMPLE_MATCH=" # ## Malware scanning occurs only at analysis time when the image content itself is available - malware: - clamav: - enabled: false - db_update_enabled: true + malware: + clamav: + enabled: false + db_update_enabled: true catalog: ## @param anchoreConfig.catalog.cycle_timers.image_watcher Interval (seconds) to check for an update to a tag From 502dfa9c31201741783727c1cac982af05aef50f Mon Sep 17 00:00:00 2001 
From: Brady Todhunter Date: Tue, 12 Dec 2023 22:33:54 -0500 Subject: [PATCH 283/329] update Feeds to Enterprise v5.1.0 image (#179) (#318) * update image to Enterprise v5.1.0 * update test snapshots --------- Signed-off-by: Brady Todhunter --- stable/feeds/Chart.yaml | 4 ++-- stable/feeds/README.md | 12 +++++------- .../prehook_upgrade_resources_test.yaml.snap | 2 +- stable/feeds/values.yaml | 2 +- 4 files changed, 9 insertions(+), 11 deletions(-) diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index a639886e..5be6b259 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: feeds type: application -version: "2.0.0" -appVersion: "5.0.0" +version: "2.1.0" +appVersion: "5.1.0" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.28.x-x description: Anchore feeds service keywords: diff --git a/stable/feeds/README.md b/stable/feeds/README.md index 1beb0b75..7b3b1c05 100644 --- a/stable/feeds/README.md +++ b/stable/feeds/README.md @@ -312,7 +312,7 @@ anchoreConfig: | `url` | Set a custom feeds URL. Useful when using a feeds service endpoint that is external from the cluster. | `""` | | `fullnameOverride` | overrides the fullname set on resources | `""` | | `nameOverride` | overrides the name set on resources | `""` | -| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v5.0.0` | +| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v5.1.0` | | `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | | `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | | `serviceAccountName` | Name of a service account used to run all Feeds pods | `""` | 
@@ -365,7 +365,6 @@ anchoreConfig: | `configOverride` | Allows for overriding the default Anchore configuration file | `{}` | | `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | - ### Anchore Feeds Configuration Parameters | Name | Description | Value | @@ -405,7 +404,6 @@ anchoreConfig: | `anchoreConfig.feeds.drivers.github.enabled` | Enable GitHub advisory feeds (requires GitHub PAT) | `false` | | `anchoreConfig.feeds.drivers.github.token` | GitHub developer personal access token with zero permission scopes | `""` | - ### Anchore Feeds Database Parameters | Name | Description | Value | @@ -420,7 +418,6 @@ anchoreConfig: | `feeds-db.primary.extraEnvVars` | An array to add extra environment variables | `[]` | | `feeds-db.image.tag` | Specifies the image to use for this chart. | `13.11.0-debian-11-r15` | - ### Feeds Gem Database Parameters | Name | Description | Value | @@ -435,7 +432,6 @@ anchoreConfig: | `gem-db.primary.extraEnvVars` | An array to add extra environment variables | `[]` | | `gem-db.image.tag` | Specifies the image to use for this chart. | `13.11.0-debian-11-r15` | - ### Anchore Feeds Upgrade Job Parameters | Name | Description | Value | @@ -453,7 +449,6 @@ anchoreConfig: | `feedsUpgradeJob.resources` | Resources for the Anchore Feeds upgrade job | `{}` | | `feedsUpgradeJob.ttlSecondsAfterFinished` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | - ### Ingress Parameters | Name | Description | Value | @@ -466,7 +461,6 @@ anchoreConfig: | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | - ### Google CloudSQL DB Parameters | Name | Description | Value | 
@@ -489,6 +483,10 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention. - **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update. +### v2.1.0 + +- Update Anchore Feeds image to v5.1.0. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/510/) for more information. + ### v2.0.0 - Updated Anchore Feeds image to v5.0.0 diff --git a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index 098ce43a..4a3e7821 100644 --- a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -143,6 +143,6 @@ should render proper initContainers: value: test-release-feeds - name: ANCHORE_PORT value: "8448" - image: docker.io/anchore/enterprise:v5.0.0 + image: docker.io/anchore/enterprise:v5.1.0 imagePullPolicy: IfNotPresent name: wait-for-db diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml index 845e778f..a1ce5a0b 100644 --- a/stable/feeds/values.yaml +++ b/stable/feeds/values.yaml @@ -21,7 +21,7 @@ nameOverride: "" ## @param image Image used for feeds deployment ## -image: docker.io/anchore/enterprise:v5.0.0 +image: docker.io/anchore/enterprise:v5.1.0 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy From 849540cc870bf01ad6e5d2d1023d018e2e268725 Mon Sep 17 00:00:00 2001 
From: Brady Todhunter Date: Sat, 9 Dec 2023 00:44:56 -0500 Subject: [PATCH 284/329] =?UTF-8?q?remove=20nouser=20from=20redis=20connec?= =?UTF-8?q?tion=20string=20to=20comply=20with=20latest=20iore=E2=80=A6=20(?= =?UTF-8?q?#174)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * remove nouser from redis connection string to comply with latest ioredis client --------- Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 14 +++++++------- stable/enterprise/templates/ui_secret.yaml | 2 +- stable/enterprise/values.yaml | 2 +- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 0d9ddb10..73823c1f 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "2.0.2" +version: "2.0.3" appVersion: "5.0.0" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index ba3c370f..023228a4 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md 
@@ -1328,13 +1328,13 @@ This rollback procedure is designed to revert your environment to its pre-migrat ### Anchore UI Redis Parameters -| Name | Description | Value | -| ------------------------------------- | ------------------------------------------------------------------------------------------------------ | ------------------- | -| `ui-redis.chartEnabled` | Use the dependent chart for the UI Redis deployment | `true` | -| `ui-redis.externalEndpoint` | External Redis endpoint when not using Helm managed chart (eg redis://nouser:@hostname:6379) | `""` | -| `ui-redis.auth.password` | Password used for connecting to Redis | `anchore-redis,123` | -| `ui-redis.architecture` | Redis deployment architecture | `standalone` | -| `ui-redis.master.persistence.enabled` | enables persistence | `false` | +| Name | Description | Value | +| ------------------------------------- | ------------------------------------------------------------------------------------------------ | ------------------- | +| `ui-redis.chartEnabled` | Use the dependent chart for the UI Redis deployment | `true` | +| `ui-redis.externalEndpoint` | External Redis endpoint when not using Helm managed chart (eg redis://:@hostname:6379) | `""` | +| `ui-redis.auth.password` | Password used for connecting to Redis | `anchore-redis,123` | +| `ui-redis.architecture` | Redis deployment architecture | `standalone` | +| `ui-redis.master.persistence.enabled` | enables persistence | `false` | ### Anchore Database Parameters diff --git a/stable/enterprise/templates/ui_secret.yaml b/stable/enterprise/templates/ui_secret.yaml index 606b8f51..15e28a30 100644 --- a/stable/enterprise/templates/ui_secret.yaml +++ b/stable/enterprise/templates/ui_secret.yaml 
@@ -20,6 +20,6 @@ stringData: {{- if and (index .Values "ui-redis" "externalEndpoint") (not (index .Values "ui-redis" "chartEnabled")) }} ANCHORE_REDIS_URI: '{{ index .Values "ui-redis" "externalEndpoint" }}' {{- else }} - ANCHORE_REDIS_URI: 'redis://nouser:{{ index .Values "ui-redis" "auth" "password" }}@{{ template "redis.fullname" . }}-master:6379' + ANCHORE_REDIS_URI: 'redis://:{{ index .Values "ui-redis" "auth" "password" }}@{{ template "redis.fullname" . }}-master:6379' {{- end }} {{- end }} diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 6cdd4230..127704e4 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -1342,7 +1342,7 @@ ui-redis: ## chartEnabled: true - ## @param ui-redis.externalEndpoint External Redis endpoint when not using Helm managed chart (eg redis://nouser:@hostname:6379) + ## @param ui-redis.externalEndpoint External Redis endpoint when not using Helm managed chart (eg redis://:@hostname:6379) ## externalEndpoint: "" From 0bb25aa25548bdda1fb7fda9f645072ae3d460be Mon Sep 17 00:00:00 2001 From: keohn-aanchore <99217298+keohn-aanchore@users.noreply.github.com> Date: Sat, 9 Dec 2023 01:33:12 -0500 Subject: [PATCH 285/329] update cycle timers (#172) * update reports_worker cycle timers * update test snapshots --------- Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 207 ++++++++---------- .../__snapshot__/configmap_test.yaml.snap | 11 +- stable/enterprise/values.yaml | 22 +- 4 files changed, 122 insertions(+), 120 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 73823c1f..3650a60a 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "2.0.3" +version: "2.0.4" appVersion: "5.0.0" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x description: | 
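Review bot: The Redis password is interpolated into the URI verbatim, so a value containing `@`, `/`, `:`, `#`, `?` or `'` (the default `anchore-redis,123` happens to be safe) yields a URI the client mis-parses or a broken single-quoted YAML scalar, and dropping `nouser` does not change that. Percent-encode it with the Go template builtin: `ANCHORE_REDIS_URI: 'redis://:{{ index .Values "ui-redis" "auth" "password" | urlquery }}@{{ template "redis.fullname" . }}-master:6379'`; an empty password still renders as `redis://:@host:6379`, matching the README example in this commit. The outer `{{- if }}` that this block sits in begins outside the hunk.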
diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 023228a4..fd6dd761 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -937,7 +937,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `global.fullnameOverride` | overrides the fullname set on resources | `""` | | `global.nameOverride` | overrides the name set on resources | `""` | - ### Common Resource Parameters | Name | Description | Value | 
@@ -980,102 +979,105 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `configOverride` | Allows for overriding the default Anchore configuration file | `""` | | `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | - ### Anchore Configuration Parameters -| Name | Description | Value | -| -------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------ | -| `anchoreConfig.service_dir` | Path to directory where default Anchore config files are placed at startup | `/anchore_service` | -| `anchoreConfig.log_level` | The log level for Anchore services | `INFO` | -| `anchoreConfig.allow_awsecr_iam_auto` | Enable AWS IAM instance role for ECR auth | `true` | -| `anchoreConfig.keys.secret` | The shared secret used for signing & encryption, auto-generated by Helm if not set. 
| `""` | -| `anchoreConfig.keys.privateKeyFileName` | The file name of the private key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` | -| `anchoreConfig.keys.publicKeyFileName` | The file name of the public key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` | -| `anchoreConfig.user_authentication.oauth.enabled` | Enable OAuth for Anchore user authentication | `true` | -| `anchoreConfig.user_authentication.oauth.default_token_expiration_seconds` | The expiration, in seconds, for OAuth tokens | `3600` | -| `anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds` | The expiration, in seconds, for OAuth refresh tokens | `86400` | -| `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `true` | -| `anchoreConfig.user_authentication.sso_require_existing_users` | set to true in order to disable the SSO JIT provisioning during authentication | `false` | -| `anchoreConfig.metrics.enabled` | Enable Prometheus metrics for all Anchore services | `false` | -| `anchoreConfig.metrics.auth_disabled` | Disable auth on Prometheus metrics for all Anchore services | `false` | -| `anchoreConfig.webhooks` | Enable Anchore services to provide webhooks for external system updates | `{}` | -| `anchoreConfig.default_admin_password` | The password for the Anchore Enterprise admin user | `""` | -| `anchoreConfig.default_admin_email` | The email address used for the Anchore Enterprise admin user | `admin@myanchore` | -| `anchoreConfig.database.timeout` | | `120` | -| `anchoreConfig.database.ssl` | Enable SSL/TLS for the database connection | `false` | -| `anchoreConfig.database.sslMode` | The SSL mode to use for database connection | `verify-full` | -| `anchoreConfig.database.sslRootCertFileName` | File name of the database root CA certificate stored in the k8s secret specified with 
.Values.certStoreSecretName | `""` | -| `anchoreConfig.database.db_pool_size` | The database max connection pool size | `30` | -| `anchoreConfig.database.db_pool_max_overflow` | The maximum overflow size of the database connection pool | `100` | -| `anchoreConfig.database.engineArgs` | Set custom database engine arguments for SQLAlchemy | `{}` | -| `anchoreConfig.internalServicesSSL.enabled` | Force all Enterprise services to use SSL for internal communication | `false` | -| `anchoreConfig.internalServicesSSL.verifyCerts` | Enable cert verification against the local cert bundle, if this set to false self-signed certs are allowed | `false` | -| `anchoreConfig.internalServicesSSL.certSecretKeyFileName` | File name of the private key used for internal SSL stored in the secret specified in .Values.certStoreSecretName | `""` | -| `anchoreConfig.internalServicesSSL.certSecretCertFileName` | File name of the root CA certificate used for internal SSL stored in the secret specified in .Values.certStoreSecretName | `""` | -| `anchoreConfig.policyBundles` | Include custom Anchore policy bundles | `{}` | -| `anchoreConfig.apiext.external.enabled` | Allow overrides for constructing Anchore API URLs | `false` | -| `anchoreConfig.apiext.external.useTLS` | Enable TLS for external API access | `true` | -| `anchoreConfig.apiext.external.hostname` | Hostname for the external Anchore API | `""` | -| `anchoreConfig.apiext.external.port` | Port configured for external Anchore API | `8443` | -| `anchoreConfig.analyzer.cycle_timers.image_analyzer` | The interval between checks of the work queue for new analysis jobs | `1` | -| `anchoreConfig.analyzer.max_threads` | The concurrency of the Anchore Analyzer worker process | `1` | -| `anchoreConfig.analyzer.layer_cache_max_gigabytes` | Specify a cache size > 0GB to enable image layer caching | `0` | -| `anchoreConfig.analyzer.enable_hints` | Enable a user-supplied 'hints' file to override and/or augment the software artifacts found during 
analysis | `false` | -| `anchoreConfig.analyzer.configFile` | Custom Anchore Analyzer configuration file contents in YAML | `{}` | -| `anchoreConfig.catalog.cycle_timers.image_watcher` | Interval (seconds) to check for an update to a tag | `3600` | -| `anchoreConfig.catalog.cycle_timers.policy_eval` | Interval (seconds) to run a policy evaluation on images with policy_eval subscription activated | `3600` | -| `anchoreConfig.catalog.cycle_timers.vulnerability_scan` | Interval to run a vulnerability scan on images with vuln_update subscription activated | `14400` | -| `anchoreConfig.catalog.cycle_timers.analyzer_queue` | Interval to add new work on the image analysis queue | `1` | -| `anchoreConfig.catalog.cycle_timers.archive_tasks` | Interval to trigger Anchore Catalog archive Tasks | `43200` | -| `anchoreConfig.catalog.cycle_timers.notifications` | Interval in which notifications will be processed for state changes | `30` | -| `anchoreConfig.catalog.cycle_timers.service_watcher` | Interval of service state update poll, used for system status | `15` | -| `anchoreConfig.catalog.cycle_timers.policy_bundle_sync` | Interval of policy bundle sync | `300` | -| `anchoreConfig.catalog.cycle_timers.repo_watcher` | Interval between checks to repo for new tags | `60` | -| `anchoreConfig.catalog.cycle_timers.image_gc` | Interval for garbage collection of images marked for deletion | `60` | -| `anchoreConfig.catalog.cycle_timers.k8s_image_watcher` | Interval for the runtime inventory image analysis poll | `150` | -| `anchoreConfig.catalog.cycle_timers.resource_metrics` | Interval (seconds) for computing metrics from the DB | `60` | -| `anchoreConfig.catalog.cycle_timers.events_gc` | Interval (seconds) for cleaning up events in the system based on timestamp | `43200` | -| `anchoreConfig.catalog.event_log` | Event log for webhooks, YAML configuration | `{}` | -| `anchoreConfig.catalog.analysis_archive` | Custom analysis archive YAML configuration | `{}` | -| 
`anchoreConfig.catalog.object_store` | Custom object storage YAML configuration | `{}` | -| `anchoreConfig.catalog.runtime_inventory.inventory_ttl_days` | TTL for runtime inventory. | `120` | -| `anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite` | force runtime inventory to be overwritten upon every update for that reported context. | `false` | -| `anchoreConfig.catalog.down_analyzer_task_requeue` | Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state | `true` | -| `anchoreConfig.policy_engine.cycle_timers.feed_sync` | Interval to run a feed sync to get latest cve data | `14400` | -| `anchoreConfig.policy_engine.cycle_timers.feed_sync_checker` | Interval between checks to see if there needs to be a task queued | `3600` | -| `anchoreConfig.policy_engine.overrideFeedsToUpstream` | Override the Anchore Feeds URL to use the public upstream Anchore Feeds | `false` | -| `anchoreConfig.notifications.cycle_timers.notifications` | Interval that notifications are sent | `30` | -| `anchoreConfig.notifications.ui_url` | Set the UI URL that is included in the notification, defaults to the Enterprise UI service name | `""` | -| `anchoreConfig.reports.enable_graphiql` | Enable GraphiQL, a GUI for editing and testing GraphQL queries and mutations | `true` | -| `anchoreConfig.reports.async_execution_timeout` | Configure how long a scheduled query must be running for before it is considered timed out | `48h` | -| `anchoreConfig.reports_worker.enable_data_ingress` | Enable periodically syncing data into the Anchore Reports Service | `true` | -| `anchoreConfig.reports_worker.enable_data_egress` | Periodically remove reporting data that has been removed in other parts of system | `false` | -| `anchoreConfig.reports_worker.data_egress_window` | defines a number of days to keep reporting data following its deletion in the rest of system. 
| `0` | -| `anchoreConfig.reports_worker.data_refresh_max_workers` | The maximum number of concurrent threads to refresh existing results (etl vulnerabilities and evaluations) in reports service. | `10` | -| `anchoreConfig.reports_worker.data_load_max_workers` | The maximum number of concurrent threads to load new results (etl vulnerabilities and evaluations) to reports service. | `10` | -| `anchoreConfig.reports_worker.cycle_timers.reports_data_load` | Interval that images and tags are synced | `600` | -| `anchoreConfig.reports_worker.cycle_timers.reports_data_refresh` | Interval that policy evaluations and vulnerabilities are synced | `7200` | -| `anchoreConfig.reports_worker.cycle_timers.reports_metrics` | Interval for how often reporting metrics are generated | `3600` | -| `anchoreConfig.reports_worker.cycle_timers.reports_data_egress` | Interval that stale reporting data removal is synced | `600` | -| `anchoreConfig.ui.enable_proxy` | Trust a reverse proxy when setting secure cookies (via the `X-Forwarded-Proto` header) | `false` | -| `anchoreConfig.ui.enable_ssl` | Enable SSL in the Anchore UI container | `false` | -| `anchoreConfig.ui.enable_shared_login` | Allow single user to start multiple Anchore UI sessions | `true` | -| `anchoreConfig.ui.redis_flushdb` | Flush user session keys and empty data on Anchore UI startup | `true` | -| `anchoreConfig.ui.force_websocket` | Force WebSocket protocol for socket message communications | `false` | -| `anchoreConfig.ui.authentication_lock.count` | Number of failed authentication attempts allowed before a temporary lock is applied | `5` | -| `anchoreConfig.ui.authentication_lock.expires` | Authentication lock duration | `300` | -| `anchoreConfig.ui.custom_links` | List of up to 10 external links provided | `{}` | -| `anchoreConfig.ui.enable_add_repositories` | Specify what users can add image repositories to the Anchore UI | `{}` | -| `anchoreConfig.ui.log_level` | Descriptive detail of the application log output | 
`http` | -| `anchoreConfig.ui.enrich_inventory_view` | aggregate and include compliance and vulnerability data from the reports service. | `true` | -| `anchoreConfig.ui.appdb_config.native` | toggle the postgreSQL drivers used to connect to the database between the native and the NodeJS drivers. | `true` | -| `anchoreConfig.ui.appdb_config.pool.max` | maximum number of simultaneous connections allowed in the connection pool | `10` | -| `anchoreConfig.ui.appdb_config.pool.min` | minimum number of connections | `0` | -| `anchoreConfig.ui.appdb_config.pool.acquire` | the timeout in milliseconds used when acquiring a new connection | `30000` | -| `anchoreConfig.ui.appdb_config.pool.idle` | the maximum time that a connection can be idle before being released | `10000` | -| `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. | `""` | -| `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` | - +| Name | Description | Value | +| ------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------- | ------------------ | +| `anchoreConfig.service_dir` | Path to directory where default Anchore config files are placed at startup | `/anchore_service` | +| `anchoreConfig.log_level` | The log level for Anchore services | `INFO` | +| `anchoreConfig.allow_awsecr_iam_auto` | Enable AWS IAM instance role for ECR auth | `true` | +| `anchoreConfig.keys.secret` | The shared secret used for signing & encryption, auto-generated by Helm if not set. 
| `""` | +| `anchoreConfig.keys.privateKeyFileName` | The file name of the private key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` | +| `anchoreConfig.keys.publicKeyFileName` | The file name of the public key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` | +| `anchoreConfig.user_authentication.oauth.enabled` | Enable OAuth for Anchore user authentication | `true` | +| `anchoreConfig.user_authentication.oauth.default_token_expiration_seconds` | The expiration, in seconds, for OAuth tokens | `3600` | +| `anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds` | The expiration, in seconds, for OAuth refresh tokens | `86400` | +| `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `true` | +| `anchoreConfig.user_authentication.sso_require_existing_users` | set to true in order to disable the SSO JIT provisioning during authentication | `false` | +| `anchoreConfig.metrics.enabled` | Enable Prometheus metrics for all Anchore services | `false` | +| `anchoreConfig.metrics.auth_disabled` | Disable auth on Prometheus metrics for all Anchore services | `false` | +| `anchoreConfig.webhooks` | Enable Anchore services to provide webhooks for external system updates | `{}` | +| `anchoreConfig.default_admin_password` | The password for the Anchore Enterprise admin user | `""` | +| `anchoreConfig.default_admin_email` | The email address used for the Anchore Enterprise admin user | `admin@myanchore` | +| `anchoreConfig.database.timeout` | | `120` | +| `anchoreConfig.database.ssl` | Enable SSL/TLS for the database connection | `false` | +| `anchoreConfig.database.sslMode` | The SSL mode to use for database connection | `verify-full` | +| `anchoreConfig.database.sslRootCertFileName` | File name of the database root CA certificate stored in the k8s secret specified with 
.Values.certStoreSecretName | `""` | +| `anchoreConfig.database.db_pool_size` | The database max connection pool size | `30` | +| `anchoreConfig.database.db_pool_max_overflow` | The maximum overflow size of the database connection pool | `100` | +| `anchoreConfig.database.engineArgs` | Set custom database engine arguments for SQLAlchemy | `{}` | +| `anchoreConfig.internalServicesSSL.enabled` | Force all Enterprise services to use SSL for internal communication | `false` | +| `anchoreConfig.internalServicesSSL.verifyCerts` | Enable cert verification against the local cert bundle, if this set to false self-signed certs are allowed | `false` | +| `anchoreConfig.internalServicesSSL.certSecretKeyFileName` | File name of the private key used for internal SSL stored in the secret specified in .Values.certStoreSecretName | `""` | +| `anchoreConfig.internalServicesSSL.certSecretCertFileName` | File name of the root CA certificate used for internal SSL stored in the secret specified in .Values.certStoreSecretName | `""` | +| `anchoreConfig.policyBundles` | Include custom Anchore policy bundles | `{}` | +| `anchoreConfig.apiext.external.enabled` | Allow overrides for constructing Anchore API URLs | `false` | +| `anchoreConfig.apiext.external.useTLS` | Enable TLS for external API access | `true` | +| `anchoreConfig.apiext.external.hostname` | Hostname for the external Anchore API | `""` | +| `anchoreConfig.apiext.external.port` | Port configured for external Anchore API | `8443` | +| `anchoreConfig.analyzer.cycle_timers.image_analyzer` | The interval between checks of the work queue for new analysis jobs | `1` | +| `anchoreConfig.analyzer.max_threads` | The concurrency of the Anchore Analyzer worker process | `1` | +| `anchoreConfig.analyzer.layer_cache_max_gigabytes` | Specify a cache size > 0GB to enable image layer caching | `0` | +| `anchoreConfig.analyzer.enable_hints` | Enable a user-supplied 'hints' file to override and/or augment the software artifacts found during 
analysis | `false` | +| `anchoreConfig.analyzer.configFile` | Custom Anchore Analyzer configuration file contents in YAML | `{}` | +| `anchoreConfig.catalog.cycle_timers.image_watcher` | Interval (seconds) to check for an update to a tag | `3600` | +| `anchoreConfig.catalog.cycle_timers.policy_eval` | Interval (seconds) to run a policy evaluation on images with policy_eval subscription activated | `3600` | +| `anchoreConfig.catalog.cycle_timers.vulnerability_scan` | Interval to run a vulnerability scan on images with vuln_update subscription activated | `14400` | +| `anchoreConfig.catalog.cycle_timers.analyzer_queue` | Interval to add new work on the image analysis queue | `1` | +| `anchoreConfig.catalog.cycle_timers.archive_tasks` | Interval to trigger Anchore Catalog archive Tasks | `43200` | +| `anchoreConfig.catalog.cycle_timers.notifications` | Interval in which notifications will be processed for state changes | `30` | +| `anchoreConfig.catalog.cycle_timers.service_watcher` | Interval of service state update poll, used for system status | `15` | +| `anchoreConfig.catalog.cycle_timers.policy_bundle_sync` | Interval of policy bundle sync | `300` | +| `anchoreConfig.catalog.cycle_timers.repo_watcher` | Interval between checks to repo for new tags | `60` | +| `anchoreConfig.catalog.cycle_timers.image_gc` | Interval for garbage collection of images marked for deletion | `60` | +| `anchoreConfig.catalog.cycle_timers.k8s_image_watcher` | Interval for the runtime inventory image analysis poll | `150` | +| `anchoreConfig.catalog.cycle_timers.resource_metrics` | Interval (seconds) for computing metrics from the DB | `60` | +| `anchoreConfig.catalog.cycle_timers.events_gc` | Interval (seconds) for cleaning up events in the system based on timestamp | `43200` | +| `anchoreConfig.catalog.event_log` | Event log for webhooks, YAML configuration | `{}` | +| `anchoreConfig.catalog.analysis_archive` | Custom analysis archive YAML configuration | `{}` | +| 
`anchoreConfig.catalog.object_store` | Custom object storage YAML configuration | `{}` | +| `anchoreConfig.catalog.runtime_inventory.inventory_ttl_days` | TTL for runtime inventory. | `120` | +| `anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite` | force runtime inventory to be overwritten upon every update for that reported context. | `false` | +| `anchoreConfig.catalog.down_analyzer_task_requeue` | Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state | `true` | +| `anchoreConfig.policy_engine.cycle_timers.feed_sync` | Interval to run a feed sync to get latest cve data | `14400` | +| `anchoreConfig.policy_engine.cycle_timers.feed_sync_checker` | Interval between checks to see if there needs to be a task queued | `3600` | +| `anchoreConfig.policy_engine.overrideFeedsToUpstream` | Override the Anchore Feeds URL to use the public upstream Anchore Feeds | `false` | +| `anchoreConfig.notifications.cycle_timers.notifications` | Interval that notifications are sent | `30` | +| `anchoreConfig.notifications.ui_url` | Set the UI URL that is included in the notification, defaults to the Enterprise UI service name | `""` | +| `anchoreConfig.reports.enable_graphiql` | Enable GraphiQL, a GUI for editing and testing GraphQL queries and mutations | `true` | +| `anchoreConfig.reports.async_execution_timeout` | Configure how long a scheduled query must be running for before it is considered timed out | `48h` | +| `anchoreConfig.reports_worker.enable_data_ingress` | Enable periodically syncing data into the Anchore Reports Service | `true` | +| `anchoreConfig.reports_worker.enable_data_egress` | Periodically remove reporting data that has been removed in other parts of system | `false` | +| `anchoreConfig.reports_worker.data_egress_window` | defines a number of days to keep reporting data following its deletion in the rest of system. 
| `0` | +| `anchoreConfig.reports_worker.data_refresh_max_workers` | The maximum number of concurrent threads to refresh existing results (etl vulnerabilities and evaluations) in reports service. | `10` | +| `anchoreConfig.reports_worker.data_load_max_workers` | The maximum number of concurrent threads to load new results (etl vulnerabilities and evaluations) to reports service. | `10` | +| `anchoreConfig.reports_worker.cycle_timers.reports_image_load` | Interval that vulnerabilities for images are synced | `600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_tag_load` | Interval that vulnerabilties by tags are synced | `600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_runtime_inventory_load` | Interval that the runtime inventory is synced | `600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_extended_runtime_vuln_load` | Interval extended runtime reports are synched (ecs, k8s containers and namespaces) | `1800` | +| `anchoreConfig.reports_worker.cycle_timers.reports_image_refresh` | Interval that images are refreshed | `7200` | +| `anchoreConfig.reports_worker.cycle_timers.reports_tag_refresh` | Interval that tags are refreshed | `7200` | +| `anchoreConfig.reports_worker.cycle_timers.reports_metrics` | Interval for how often reporting metrics are generated | `3600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_image_egress` | Interval stale states are removed by image | `600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_tag_egress` | Interval stale states are removed by tag | `600` | +| `anchoreConfig.ui.enable_proxy` | Trust a reverse proxy when setting secure cookies (via the `X-Forwarded-Proto` header) | `false` | +| `anchoreConfig.ui.enable_ssl` | Enable SSL in the Anchore UI container | `false` | +| `anchoreConfig.ui.enable_shared_login` | Allow single user to start multiple Anchore UI sessions | `true` | +| `anchoreConfig.ui.redis_flushdb` | Flush user session keys and empty data on Anchore UI startup | 
`true` | +| `anchoreConfig.ui.force_websocket` | Force WebSocket protocol for socket message communications | `false` | +| `anchoreConfig.ui.authentication_lock.count` | Number of failed authentication attempts allowed before a temporary lock is applied | `5` | +| `anchoreConfig.ui.authentication_lock.expires` | Authentication lock duration | `300` | +| `anchoreConfig.ui.custom_links` | List of up to 10 external links provided | `{}` | +| `anchoreConfig.ui.enable_add_repositories` | Specify what users can add image repositories to the Anchore UI | `{}` | +| `anchoreConfig.ui.log_level` | Descriptive detail of the application log output | `http` | +| `anchoreConfig.ui.enrich_inventory_view` | aggregate and include compliance and vulnerability data from the reports service. | `true` | +| `anchoreConfig.ui.appdb_config.native` | toggle the postgreSQL drivers used to connect to the database between the native and the NodeJS drivers. | `true` | +| `anchoreConfig.ui.appdb_config.pool.max` | maximum number of simultaneous connections allowed in the connection pool | `10` | +| `anchoreConfig.ui.appdb_config.pool.min` | minimum number of connections | `0` | +| `anchoreConfig.ui.appdb_config.pool.acquire` | the timeout in milliseconds used when acquiring a new connection | `30000` | +| `anchoreConfig.ui.appdb_config.pool.idle` | the maximum time that a connection can be idle before being released | `10000` | +| `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. | `""` | +| `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` | ### Anchore API k8s Deployment Parameters 
@@ -1097,7 +1099,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `api.affinity` | Affinity for Anchore API pod assignment | `{}` | | `api.serviceAccountName` | Service account name for Anchore API pods | `""` | - ### Anchore Analyzer k8s Deployment Parameters | Name | Description | Value | @@ -1113,7 +1114,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `analyzer.affinity` | Affinity for Anchore Analyzer pod assignment | `{}` | | `analyzer.serviceAccountName` | Service account name for Anchore API pods | `""` | - ### Anchore Catalog k8s Deployment Parameters | Name | Description | Value | @@ -1133,7 +1133,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `catalog.affinity` | Affinity for Anchore Catalog pod assignment | `{}` | | `catalog.serviceAccountName` | Service account name for Anchore Catalog pods | `""` | - ### Anchore Feeds Chart Parameters | Name | Description | Value | @@ -1142,7 +1141,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `feeds.standalone` | Sets the Anchore Feeds chart to run into non-standalone mode, for use with Anchore Enterprise. | `false` | | `feeds.url` | Set the URL for a standalone Feeds service. Use when chartEnabled=false. | `""` | - ### Anchore Policy Engine k8s Deployment Parameters | Name | Description | Value | @@ -1162,7 +1160,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `policyEngine.affinity` | Affinity for Anchore Policy Engine pod assignment | `{}` | | `policyEngine.serviceAccountName` | Service account name for Anchore Policy Engine pods | `""` | - ### Anchore Simple Queue Parameters | Name | Description | Value | 
@@ -1182,7 +1179,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `simpleQueue.affinity` | Affinity for Anchore Simple Queue pod assignment | `{}` | | `simpleQueue.serviceAccountName` | Service account name for Anchore Simple Queue pods | `""` | - ### Anchore Notifications Parameters | Name | Description | Value | @@ -1202,7 +1198,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `notifications.affinity` | Affinity for Anchore Notifications pod assignment | `{}` | | `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | - ### Anchore Reports Parameters | Name | Description | Value | @@ -1222,7 +1217,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `reports.affinity` | Affinity for Anchore Reports pod assignment | `{}` | | `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | - ### Anchore RBAC Authentication Parameters | Name | Description | Value | @@ -1230,7 +1224,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `rbacAuth.extraEnv` | Set extra environment variables for Anchore RBAC Authentication containers | `[]` | | `rbacAuth.resources` | Resource requests and limits for Anchore RBAC Authentication containers | `{}` | - ### Anchore RBAC Manager Parameters | Name | Description | Value | @@ -1250,7 +1243,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `rbacManager.affinity` | Affinity for Anchore RBAC Manager pod assignment | `{}` | | `rbacManager.serviceAccountName` | Service account name for Anchore RBAC Manager pods | `""` | - ### Anchore UI Parameters | Name | Description | Value | 
@@ -1274,7 +1266,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ui.affinity` | Affinity for Anchore ui pod assignment | `{}` | | `ui.serviceAccountName` | Service account name for Anchore UI pods | `""` | - ### Anchore Upgrade Job Parameters | Name | Description | Value | @@ -1292,7 +1283,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `upgradeJob.labels` | Labels for the Anchore upgrade job | `{}` | | `upgradeJob.ttlSecondsAfterFinished` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | - ### Ingress Parameters | Name | Description | Value | @@ -1311,7 +1301,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | - ### Google CloudSQL DB Parameters | Name | Description | Value | @@ -1325,7 +1314,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `cloudsql.serviceAccJsonName` | | `""` | | `cloudsql.extraArgs` | a list of extra arguments to be passed into the cloudsql container command. eg | `[]` | - ### Anchore UI Redis Parameters | Name | Description | Value | @@ -1336,7 +1324,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ui-redis.architecture` | Redis deployment architecture | `standalone` | | `ui-redis.master.persistence.enabled` | enables persistence | `false` | - ### Anchore Database Parameters | Name | Description | Value | diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 44329103..f952fbfd 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap 
@@ -316,10 +316,15 @@ should render the configmaps:
 data_refresh_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_REFRESH_MAX_WORKERS}
 data_load_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_LOAD_MAX_WORKERS}
 cycle_timers:
- reports_data_egress: 600
- reports_data_load: 600
- reports_data_refresh: 7200
+ reports_extended_runtime_vuln_load: 1800
+ reports_image_egress: 600
+ reports_image_load: 600
+ reports_image_refresh: 7200
 reports_metrics: 3600
+ reports_runtime_inventory_load: 600
+ reports_tag_egress: 600
+ reports_tag_load: 600
+ reports_tag_refresh: 7200
 runtime_report_generation:
 inventory_images_by_vulnerability: true
 vulnerabilities_by_k8s_namespace: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE}
diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml
index 127704e4..09bfbe47 100644
--- a/stable/enterprise/values.yaml
+++ b/stable/enterprise/values.yaml
@@ -549,16 +549,26 @@ anchoreConfig: ## data_load_max_workers: 10 - ## @param anchoreConfig.reports_worker.cycle_timers.reports_data_load Interval that images and tags are synced - ## @param anchoreConfig.reports_worker.cycle_timers.reports_data_refresh Interval that policy evaluations and vulnerabilities are synced + ## @param anchoreConfig.reports_worker.cycle_timers.reports_image_load Interval that vulnerabilities for images are synced + ## @param anchoreConfig.reports_worker.cycle_timers.reports_tag_load Interval that vulnerabilties by tags are synced + ## @param anchoreConfig.reports_worker.cycle_timers.reports_runtime_inventory_load Interval that the runtime inventory is synced + ## @param anchoreConfig.reports_worker.cycle_timers.reports_extended_runtime_vuln_load Interval extended runtime reports are synched (ecs, k8s containers and namespaces) + ## @param anchoreConfig.reports_worker.cycle_timers.reports_image_refresh Interval that images are refreshed + ## @param anchoreConfig.reports_worker.cycle_timers.reports_tag_refresh Interval that tags are refreshed ## @param anchoreConfig.reports_worker.cycle_timers.reports_metrics Interval for how often reporting metrics are generated - ## @param anchoreConfig.reports_worker.cycle_timers.reports_data_egress Interval that stale reporting data removal is synced + ## @param anchoreConfig.reports_worker.cycle_timers.reports_image_egress Interval stale states are removed by image + ## @param anchoreConfig.reports_worker.cycle_timers.reports_tag_egress Interval stale states are removed by tag ## cycle_timers: - reports_data_load: 600 - reports_data_refresh: 7200 + reports_image_load: 600 + reports_tag_load: 600 + reports_runtime_inventory_load: 600 + reports_extended_runtime_vuln_load: 1800 + reports_image_refresh: 7200 + reports_tag_refresh: 7200 reports_metrics: 3600 - reports_data_egress: 600 + reports_image_egress: 600 + reports_tag_egress: 600 ui: ## @param anchoreConfig.ui.enable_proxy Trust a reverse proxy when 
setting secure cookies (via the `X-Forwarded-Proto` header)
From f8eb4d02df57a9abb06cb3ee8fdc6d63eae7ef1a Mon Sep 17 00:00:00 2001
From: Hung Nguyen
Date: Mon, 11 Dec 2023 13:14:25 -0500
Subject: [PATCH 286/329] Add check for requiring anchore information in k8s-inventory chart (#177)
* Add check for requiring anchore information
* adding fake values for ci
* fix linting
---------
Signed-off-by: Hung Nguyen
---
stable/k8s-inventory/Chart.yaml | 4 ++--
stable/k8s-inventory/ci/fake-values.yaml | 5 +++++
stable/k8s-inventory/templates/_helpers.tpl | 9 +++++++++
stable/k8s-inventory/templates/deployment.yaml | 1 +
stable/k8s-inventory/values.yaml | 6 +++---
5 files changed, 20 insertions(+), 5 deletions(-)
create mode 100644 stable/k8s-inventory/ci/fake-values.yaml
diff --git a/stable/k8s-inventory/Chart.yaml b/stable/k8s-inventory/Chart.yaml
index 599590aa..1981ad34 100644
--- a/stable/k8s-inventory/Chart.yaml
+++ b/stable/k8s-inventory/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: k8s-inventory
-version: 0.0.5
-appVersion: "1.0.0"
+version: 0.1.0
+appVersion: "1.1.1"
 description: A Helm chart for Kubernetes Automated Inventory, which describes which images are in use in a given Kubernetes Cluster
 keywords:
 - analysis
diff --git a/stable/k8s-inventory/ci/fake-values.yaml b/stable/k8s-inventory/ci/fake-values.yaml
new file mode 100644
index 00000000..607ad9cc
--- /dev/null
+++ b/stable/k8s-inventory/ci/fake-values.yaml
@@ -0,0 +1,5 @@
+k8sInventory:
+ anchore:
+ url: http://engine-anchore-engine-api:8228
+ user: user1
+ password: password1
diff --git a/stable/k8s-inventory/templates/_helpers.tpl b/stable/k8s-inventory/templates/_helpers.tpl
index c034fc91..0b50a7e3 100644
--- a/stable/k8s-inventory/templates/_helpers.tpl
+++ b/stable/k8s-inventory/templates/_helpers.tpl
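Review bot: The new `## @param` comment lines for `reports_tag_load` and `reports_extended_runtime_vuln_load` carry typos — `vulnerabilties` should read `vulnerabilities` and `synched` should read `synced` — and because the README table is generated from these strings the misspellings already appear in the README hunk earlier in this series. The hunk also drops the `reports_data_load`, `reports_data_refresh` and `reports_data_egress` keys without any migration comment; a user override that still sets them will presumably be rendered into the config unchanged and ignored by the service, so a short note above `cycle_timers:` would help operators, e.g. `## NOTE: reports_data_load/refresh/egress were replaced by the per-image and per-tag timers below`. The enclosing `anchoreConfig` block starts and ends outside this hunk.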
@@ -67,3 +67,12 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Require Anchore endpoint and Anchore credentials
+*/}}
+{{- define "checkAnchoreRequisites" }}
+{{- if or (not .Values.k8sInventory.anchore.url) (not .Values.k8sInventory.anchore.user) (not .Values.k8sInventory.anchore.password) }}
+ {{- fail "Anchore endpoint and credentials are required. See the chart README for more instructions on configuring Anchore Requisites." }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/stable/k8s-inventory/templates/deployment.yaml b/stable/k8s-inventory/templates/deployment.yaml
index 9978e1f5..811bc297 100644
--- a/stable/k8s-inventory/templates/deployment.yaml
+++ b/stable/k8s-inventory/templates/deployment.yaml
@@ -1,3 +1,4 @@
+{{- template "checkAnchoreRequisites" . }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/stable/k8s-inventory/values.yaml b/stable/k8s-inventory/values.yaml
index 2438eb41..35a2a2f5 100644
--- a/stable/k8s-inventory/values.yaml
+++ b/stable/k8s-inventory/values.yaml
@@ -204,9 +204,9 @@ k8sInventory:
 ## @param k8sInventory.anchore.http.timeoutSeconds the amount of time in seconds before timing out
 ##
 anchore:
- url: "http://localhost:8228"
- user: "admin"
- password: "foobar"
+ url: ""
+ user: ""
+ password: ""
 account: "admin"
 http:
 insecure: true
From 79660ceab216a243c4781d82261ca03ec3d8108c Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Tue, 12 Dec 2023 22:49:59 -0500
Subject: [PATCH 287/329] Update to Enterprise v5.1.0 (#180)
* version lock helm unittests
* add api_key config values
* hardcode auth handler config
* update config for 5.1
* remove custom policy bundle hack
* update chart version and bump deps
---------
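Review bot: `checkAnchoreRequisites` folds three independent checks into one generic `fail` message, so an operator who set `url` and `user` but not `password` gets the same text and has to guess which value is missing; Helm's `required` function gives a per-field message at the same cost, e.g. `{{- $_ := required "k8sInventory.anchore.url is required" .Values.k8sInventory.anchore.url }}` repeated for `user` and `password`. It is also worth confirming whether the chart lets the password come from an existing Kubernetes Secret rather than a values file — if it does, requiring `.Values.k8sInventory.anchore.password` to be non-empty blocks that path and pushes the credential into plaintext values, so the check should accept the secret reference as an alternative. The file also ends without a trailing newline (the `\ No newline at end of file` marker), which the linting step mentioned in the commit message did not catch.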
Signed-off-by: Brady Todhunter --- .github/workflows/helm-unittests.yaml | 3 ++- stable/enterprise/Chart.lock | 6 ++--- stable/enterprise/Chart.yaml | 6 ++--- stable/enterprise/README.md | 12 ++++++++-- stable/enterprise/files/default_config.yaml | 19 +++++++++------- stable/enterprise/templates/_common.tpl | 2 +- .../enterprise/templates/api_deployment.yaml | 2 +- .../templates/catalog_deployment.yaml | 2 +- .../templates/envvars_configmap.yaml | 2 -- .../__snapshot__/configmap_test.yaml.snap | 22 ++++++++++--------- .../prehook_upgrade_resources_test.yaml.snap | 2 +- .../tests/analyzer_resources_test.yaml | 2 +- .../enterprise/tests/api_resources_test.yaml | 16 +++++++------- .../tests/catalog_resources_test.yaml | 10 ++++----- .../enterprise/tests/common_helpers_test.yaml | 8 +++---- .../tests/notifications_resources_test.yaml | 2 +- .../tests/policyengine_resources_test.yaml | 2 +- .../tests/rbacmanager_resources_test.yaml | 2 +- .../tests/reports_resources_test.yaml | 2 +- .../tests/simplequeue_resources_test.yaml | 2 +- .../enterprise/tests/ui_resources_test.yaml | 2 +- stable/enterprise/values.yaml | 13 +++++++++-- 22 files changed, 80 insertions(+), 59 deletions(-) diff --git a/.github/workflows/helm-unittests.yaml b/.github/workflows/helm-unittests.yaml index bf30d3b1..6e7ced18 100644 --- a/.github/workflows/helm-unittests.yaml +++ b/.github/workflows/helm-unittests.yaml @@ -19,6 +19,7 @@ jobs: REPO: "${{ github.repository }}" REPO_NAME: "${{ github.event.repository.name }}" TARGET_BRANCH: "${{ github.event.pull_request.base.ref }}" + HELM_UNITTEST_VERSION: 0.3.5 runs-on: ubuntu-latest steps: - name: Checkout charts @@ -36,7 +37,7 @@ jobs: - name: Install helm-unittest run: | - helm plugin install https://github.com/helm-unittest/helm-unittest.git + helm plugin install https://github.com/helm-unittest/helm-unittest.git --version ${HELM_UNITTEST_VERSION} - run: cd "${REPO}" && git fetch origin ${TARGET_BRANCH} 
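Review bot: The new `--version ${HELM_UNITTEST_VERSION}` pin is more reproducible than installing the latest plugin, but it still resolves a git tag on a third-party repository at every run and tags are mutable, so it fixes the API surface rather than the supply chain; if the latter is the goal, installing from a locally checked-out commit (`helm plugin install` accepts a local path) or verifying a checksum of the fetched plugin would close that gap, and a comment beside `HELM_UNITTEST_VERSION` recording why `0.3.5` was chosen would help the next bump. The value is also the only unquoted entry in this `env` block; `0.3.5` happens to parse as a string, but `HELM_UNITTEST_VERSION: "0.3.5"` matches the neighbouring quoted entries and avoids a float surprise if it is ever changed to a two-component version. The enclosing `jobs:` block starts and ends outside both hunks.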
diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock
index 25788a70..e17799df 100644
--- a/stable/enterprise/Chart.lock
+++ b/stable/enterprise/Chart.lock
@@ -7,6 +7,6 @@ dependencies:
 version: 17.11.8
 - name: feeds
 repository: https://charts.anchore.io/stable
- version: 2.0.0
-digest: sha256:710754bebf235a60f134179a3d3b92b0738d15eee6bb6ae687e3ea5b9afb8dad
-generated: "2023-11-01T16:06:45.488156-07:00"
+ version: 2.1.0
+digest: sha256:385067b7a0ee56787d1a987313cdafd1345eb935eb73af5480453f03de36277a
+generated: "2023-12-12T19:37:54.203291-08:00"
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml
index 3650a60a..00e52ea2 100644
--- a/stable/enterprise/Chart.yaml
+++ b/stable/enterprise/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: enterprise
-version: "2.0.4"
-appVersion: "5.0.0"
+version: "2.1.0"
+appVersion: "5.1.0"
 kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x
 description: |
 Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems,
@@ -39,7 +39,7 @@ dependencies:
 condition: ui-redis.chartEnabled
 alias: ui-redis
 - name: feeds
- version: "~2.0"
+ version: "~2"
 repository: "@anchore"
 # repository: file://../feeds
 condition: feeds.chartEnabled
diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md
index fd6dd761..c60ab1ff 100644
--- a/stable/enterprise/README.md
+++ b/stable/enterprise/README.md
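Review bot: Widening the `feeds` constraint from `"~2.0"` to `"~2"` changes its meaning under Helm's tilde rule from 2.0.x to any 2.x release; `Chart.lock` in this same commit pins 2.1.0, so `helm dependency build` stays deterministic, but `helm dependency update` will now float to the newest 2.x published in the `@anchore` repository, a wider trust window than before. If the intent was only to pick up 2.1.0, `version: "~2.1"` keeps the narrower range; if a floating minor is intended, a one-line comment beside `version:` saying so would stop the next reader from tightening it back.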
@@ -941,7 +941,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | Name | Description | Value | | ------------------------------------- | ------------------------------------------------------------------------------------- | ------------------------------------- | -| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.0.0` | +| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.1.0` | | `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | | `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | | `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` | 
@@ -992,6 +992,9 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `anchoreConfig.user_authentication.oauth.enabled` | Enable OAuth for Anchore user authentication | `true` | | `anchoreConfig.user_authentication.oauth.default_token_expiration_seconds` | The expiration, in seconds, for OAuth tokens | `3600` | | `anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds` | The expiration, in seconds, for OAuth refresh tokens | `86400` | +| `anchoreConfig.user_authentication.oauth.allow_api_keys_for_saml_users` | Enable API key generation and authentication for SAML users | `false` | +| `anchoreConfig.user_authentication.oauth.max_api_key_age_days` | The maximum age, in days, for API keys | `365` | +| `anchoreConfig.user_authentication.oauth.max_api_keys_per_user` | The maximum number of API keys per user | `100` | | `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `true` | | `anchoreConfig.user_authentication.sso_require_existing_users` | set to true in order to disable the SSO JIT provisioning during authentication | `false` | | `anchoreConfig.metrics.enabled` | Enable Prometheus metrics for all Anchore services | `false` | 
@@ -1033,6 +1036,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `anchoreConfig.catalog.cycle_timers.k8s_image_watcher` | Interval for the runtime inventory image analysis poll | `150` | | `anchoreConfig.catalog.cycle_timers.resource_metrics` | Interval (seconds) for computing metrics from the DB | `60` | | `anchoreConfig.catalog.cycle_timers.events_gc` | Interval (seconds) for cleaning up events in the system based on timestamp | `43200` | +| `anchoreConfig.catalog.cycle_timers.artifact_lifecycle_policy_tasks` | Interval (seconds) for running artifact lifecycle policy tasks | `43200` | | `anchoreConfig.catalog.event_log` | Event log for webhooks, YAML configuration | `{}` | | `anchoreConfig.catalog.analysis_archive` | Custom analysis archive YAML configuration | `{}` | | `anchoreConfig.catalog.object_store` | Custom object storage YAML configuration | `{}` | @@ -1247,7 +1251,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | Name | Description | Value | | ---------------------------- | ----------------------------------------------------------------------------- | ---------------------------------------- | -| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.0.0` | +| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.1.0` | | `ui.imagePullPolicy` | Image pull policy for Anchore UI image | `IfNotPresent` | | `ui.existingSecretName` | Name of an existing secret to be used for Anchore UI DB and Redis endpoints | `anchore-enterprise-ui-env` | | `ui.ldapsRootCaCertName` | Name of the custom CA certificate file store in `.Values.certStoreSecretName` | `""` | 
@@ -1347,6 +1351,10 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention. - **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update. +### V2.1.0 + +- Deploys Anchore Enterprise v5.1.0. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/510/) for more information. + ### v2.0.0 - Deploys Anchore Enterprise v5.0.0 diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml index 25ae4a48..25dab56c 100644 --- a/stable/enterprise/files/default_config.yaml +++ b/stable/enterprise/files/default_config.yaml @@ -40,6 +40,9 @@ user_authentication: enabled: ${ANCHORE_OAUTH_ENABLED} default_token_expiration_seconds: ${ANCHORE_OAUTH_TOKEN_EXPIRATION} refresh_token_expiration_seconds: ${ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION} + allow_api_keys_for_saml_users: {{ .Values.anchoreConfig.user_authentication.oauth.allow_api_keys_for_saml_users }} + max_api_key_age_days: {{ .Values.anchoreConfig.user_authentication.oauth.max_api_key_age_days }} + max_api_keys_per_user: {{ .Values.anchoreConfig.user_authentication.oauth.max_api_keys_per_user }} credentials: database: @@ -69,9 +72,9 @@ services: max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} listen: '0.0.0.0' port: ${ANCHORE_PORT} - authorization_handler: ${ANCHORE_AUTHZ_HANDLER} + authorization_handler: external authorization_handler_config: - endpoint: ${ANCHORE_AUTHZ_HANDLER_ENDPOINT} + endpoint: http://localhost:8089 {{- if .Values.anchoreConfig.apiext.external.enabled }} external_tls: {{ .Values.anchoreConfig.apiext.external.useTLS }} external_hostname: {{ .Values.anchoreConfig.apiext.external.hostname }} 
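Review bot: In the `services:` hunk the authorization handler and its endpoint are now hard-coded to `external` and `http://localhost:8089`, replacing the `${ANCHORE_AUTHZ_HANDLER}` / `${ANCHORE_AUTHZ_HANDLER_ENDPOINT}` indirection, so any deployment that overrode those environment variables (for example to point at a non-sidecar authorizer) will silently revert to the loopback sidecar after upgrading. That is only safe because the authorizer is reached over plain HTTP on loopback inside the same pod (the test fixtures later in this patch show an `rbac-auth` container on port 8089 in the same pod), which is worth stating next to the value: `# authz is always delegated to the rbac-auth sidecar on loopback; plain HTTP is acceptable only because it never leaves the pod. The ANCHORE_AUTHZ_HANDLER* env override was removed in chart 2.1.0.` The v2.1.0 changelog entry added in the README hunk above only says "Deploys Anchore Enterprise v5.1.0"; a line noting the removed override would help operators who depended on it.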
@@ -215,9 +218,9 @@ services: listen: '0.0.0.0' port: ${ANCHORE_PORT} max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - authorization_handler: ${ANCHORE_AUTHZ_HANDLER} + authorization_handler: external authorization_handler_config: - endpoint: ${ANCHORE_AUTHZ_HANDLER_ENDPOINT} + endpoint: http://localhost:8089 ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} @@ -230,9 +233,9 @@ services: port: ${ANCHORE_PORT} max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} enable_graphiql: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_GRAPHIQL} - authorization_handler: ${ANCHORE_AUTHZ_HANDLER} + authorization_handler: external authorization_handler_config: - endpoint: ${ANCHORE_AUTHZ_HANDLER_ENDPOINT} + endpoint: http://localhost:8089 max_async_execution_threads: ${ANCHORE_ENTERPRISE_REPORTS_MAX_ASYNC_EXECUTION_THREADS} async_execution_timeout: ${ANCHORE_ENTERPRISE_REPORTS_ASYNC_EXECUTION_TIMEOUT} ssl_enable: ${ANCHORE_SSL_ENABLED} @@ -268,9 +271,9 @@ services: listen: '0.0.0.0' port: ${ANCHORE_PORT} max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - authorization_handler: ${ANCHORE_AUTHZ_HANDLER} + authorization_handler: external authorization_handler_config: - endpoint: ${ANCHORE_AUTHZ_HANDLER_ENDPOINT} + endpoint: http://localhost:8089 cycle_timers: {{- toYaml .Values.anchoreConfig.notifications.cycle_timers | nindent 6 }} ui_url: ${ANCHORE_ENTERPRISE_UI_URL} ssl_enable: ${ANCHORE_SSL_ENABLED} diff --git a/stable/enterprise/templates/_common.tpl b/stable/enterprise/templates/_common.tpl index 30bea08c..370d5b16 100644 --- a/stable/enterprise/templates/_common.tpl +++ b/stable/enterprise/templates/_common.tpl 
@@ -53,7 +53,7 @@ Setup a container for the cloudsql proxy to run in all pods when .Values.cloudsq Setup the common docker-entrypoint command for all Anchore Enterprise containers */}} {{- define "enterprise.common.dockerEntrypoint" -}} -mkdir -p {{ $.Values.anchoreConfig.service_dir }}/policies {{ $.Values.anchoreConfig.service_dir }}/tempPolicies && cp -rp {{ $.Values.anchoreConfig.service_dir }}/tempPolicies/* {{ $.Values.anchoreConfig.service_dir }}/policies || echo && {{ print (include "enterprise.doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade +{{ print (include "enterprise.doSourceFile" .) }} /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade {{- end -}} diff --git a/stable/enterprise/templates/api_deployment.yaml b/stable/enterprise/templates/api_deployment.yaml index e5e592cf..57e17fe0 100644 --- a/stable/enterprise/templates/api_deployment.yaml +++ b/stable/enterprise/templates/api_deployment.yaml @@ -62,7 +62,7 @@ spec: {{- if .Values.anchoreConfig.policyBundles }} {{- range $key, $value := .Values.anchoreConfig.policyBundles }} - name: policy-bundle-volume - mountPath: {{ $.Values.anchoreConfig.service_dir }}/tempPolicies/{{ $key }} + mountPath: {{ $.Values.anchoreConfig.service_dir }}/policies/{{ $key }} subPath: {{ $key }} {{- end }} {{- end }} diff --git a/stable/enterprise/templates/catalog_deployment.yaml b/stable/enterprise/templates/catalog_deployment.yaml index 8591e28e..b8aa9f77 100644 --- a/stable/enterprise/templates/catalog_deployment.yaml +++ b/stable/enterprise/templates/catalog_deployment.yaml @@ -67,7 +67,7 @@ spec: {{- if .Values.anchoreConfig.policyBundles }} {{- range $key, $value := .Values.anchoreConfig.policyBundles }} - name: policy-bundle-volume - mountPath: {{ $.Values.anchoreConfig.service_dir }}/tempPolicies/{{ $key }} + mountPath: {{ $.Values.anchoreConfig.service_dir }}/policies/{{ $key }} subPath: {{ $key }} {{- end }} {{- end }} 
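Review bot: `{{ print (include "enterprise.doSourceFile" .) }}` in the rewritten `enterprise.common.dockerEntrypoint` wraps `include` in a no-op `print`; `{{ include "enterprise.doSourceFile" . }}` renders the same text and reads more plainly. Dropping the `mkdir -p …/policies` shim also means the chart now relies on the kubelet creating the `policies/<key>` mount points (the api and catalog deployments in this patch mount bundles there with `subPath`) or on the image shipping that directory, which is presumably true for v5.1.0 but is not visible here; a one-line comment in the helper, e.g. `{{/* policies/ is created by the subPath mounts in *_deployment.yaml; no startup copy needed since 2.1.0 */}}`, would stop the next reader from re-adding the shim. The old `|| echo` also masked copy failures, so removing it is an improvement rather than a regression.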
diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index d0adb685..e7bca972 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml +++ b/stable/enterprise/templates/envvars_configmap.yaml @@ -22,8 +22,6 @@ data: {{- else }} ANCHORE_AUTH_PUBKEY: "null" {{- end }} - ANCHORE_AUTHZ_HANDLER: "external" - ANCHORE_AUTHZ_HANDLER_ENDPOINT: "http://localhost:8089" ANCHORE_CATALOG_IMAGE_GC_WORKERS: "4" ANCHORE_CLI_URL: "http://localhost:8228" ANCHORE_CLI_USER: "admin" diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index f952fbfd..21d95bfb 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -87,6 +87,9 @@ should render the configmaps: enabled: ${ANCHORE_OAUTH_ENABLED} default_token_expiration_seconds: ${ANCHORE_OAUTH_TOKEN_EXPIRATION} refresh_token_expiration_seconds: ${ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION} + allow_api_keys_for_saml_users: false + max_api_key_age_days: 365 + max_api_keys_per_user: 100 credentials: database: @@ -109,9 +112,9 @@ should render the configmaps: max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} listen: '0.0.0.0' port: ${ANCHORE_PORT} - authorization_handler: ${ANCHORE_AUTHZ_HANDLER} + authorization_handler: external authorization_handler_config: - endpoint: ${ANCHORE_AUTHZ_HANDLER_ENDPOINT} + endpoint: http://localhost:8089 ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} @@ -148,6 +151,7 @@ should render the configmaps: cycle_timers: analyzer_queue: 1 archive_tasks: 43200 + artifact_lifecycle_policy_tasks: 43200 events_gc: 43200 image_gc: 60 image_watcher: 3600 
@@ -279,9 +283,9 @@ should render the configmaps: listen: '0.0.0.0' port: ${ANCHORE_PORT} max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - authorization_handler: ${ANCHORE_AUTHZ_HANDLER} + authorization_handler: external authorization_handler_config: - endpoint: ${ANCHORE_AUTHZ_HANDLER_ENDPOINT} + endpoint: http://localhost:8089 ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} @@ -294,9 +298,9 @@ should render the configmaps: port: ${ANCHORE_PORT} max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} enable_graphiql: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_GRAPHIQL} - authorization_handler: ${ANCHORE_AUTHZ_HANDLER} + authorization_handler: external authorization_handler_config: - endpoint: ${ANCHORE_AUTHZ_HANDLER_ENDPOINT} + endpoint: http://localhost:8089 max_async_execution_threads: ${ANCHORE_ENTERPRISE_REPORTS_MAX_ASYNC_EXECUTION_THREADS} async_execution_timeout: ${ANCHORE_ENTERPRISE_REPORTS_ASYNC_EXECUTION_TIMEOUT} ssl_enable: ${ANCHORE_SSL_ENABLED} @@ -341,9 +345,9 @@ should render the configmaps: listen: '0.0.0.0' port: ${ANCHORE_PORT} max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - authorization_handler: ${ANCHORE_AUTHZ_HANDLER} + authorization_handler: external authorization_handler_config: - endpoint: ${ANCHORE_AUTHZ_HANDLER_ENDPOINT} + endpoint: http://localhost:8089 cycle_timers: notifications: 30 ui_url: ${ANCHORE_ENTERPRISE_UI_URL} @@ -376,8 +380,6 @@ should render the configmaps: ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "true" ANCHORE_AUTH_PRIVKEY: "null" ANCHORE_AUTH_PUBKEY: "null" - ANCHORE_AUTHZ_HANDLER: external - ANCHORE_AUTHZ_HANDLER_ENDPOINT: http://localhost:8089 ANCHORE_CATALOG_IMAGE_GC_WORKERS: "4" ANCHORE_CLI_URL: http://localhost:8228 ANCHORE_CLI_USER: admin diff --git a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index e3b8ac52..26315c7a 100644 
--- a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -143,6 +143,6 @@ should render proper initContainers: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.0.0 + image: docker.io/anchore/enterprise:v5.1.0 imagePullPolicy: IfNotPresent name: wait-for-db diff --git a/stable/enterprise/tests/analyzer_resources_test.yaml b/stable/enterprise/tests/analyzer_resources_test.yaml index f5a8c767..17279128 100644 --- a/stable/enterprise/tests/analyzer_resources_test.yaml +++ b/stable/enterprise/tests/analyzer_resources_test.yaml @@ -188,7 +188,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade analyzer$ + pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade analyzer$ count: 1 - it: should render component environment variables diff --git a/stable/enterprise/tests/api_resources_test.yaml b/stable/enterprise/tests/api_resources_test.yaml index 158d7e65..f8c2e06c 100644 --- a/stable/enterprise/tests/api_resources_test.yaml +++ b/stable/enterprise/tests/api_resources_test.yaml 
@@ -178,11 +178,11 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[1].args[0] - pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade reports$ + pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade reports$ count: 1 - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade apiext$ + pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade apiext$ count: 1 - it: should render api component environment variables @@ -306,24 +306,24 @@ tests: path: spec.template.spec.containers[0].volumeMounts content: name: policy-bundle-volume - mountPath: /anchore_service/tempPolicies/custom_policy_bundle1.json + mountPath: /anchore_service/policies/custom_policy_bundle1.json subPath: custom_policy_bundle1.json count: 1 any: true - + - it: should render policy bundle volumeMounts when multiple policy bundles are provided template: api_deployment.yaml documentIndex: 0 set: anchoreConfig.policyBundles: custom_policy_bundle1.json: {} - custom_policy_bundle2.json: {} + custom_policy_bundle2.json: {} asserts: - contains: path: spec.template.spec.containers[0].volumeMounts content: name: policy-bundle-volume - mountPath: /anchore_service/tempPolicies/custom_policy_bundle1.json + mountPath: /anchore_service/policies/custom_policy_bundle1.json subPath: custom_policy_bundle1.json count: 1 any: true 
@@ -331,10 +331,10 @@ tests: path: spec.template.spec.containers[0].volumeMounts content: name: policy-bundle-volume - mountPath: /anchore_service/tempPolicies/custom_policy_bundle2.json + mountPath: /anchore_service/policies/custom_policy_bundle2.json subPath: custom_policy_bundle2.json count: 1 - any: true + any: true - it: should render component probes template: api_deployment.yaml diff --git a/stable/enterprise/tests/catalog_resources_test.yaml b/stable/enterprise/tests/catalog_resources_test.yaml index 64af4573..d63817fd 100644 --- a/stable/enterprise/tests/catalog_resources_test.yaml +++ b/stable/enterprise/tests/catalog_resources_test.yaml @@ -201,7 +201,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade catalog$ + pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade catalog$ count: 1 - it: should render catalog component environment variables @@ -267,13 +267,13 @@ tests: set: anchoreConfig.policyBundles: custom_policy_bundle1.json: {} - custom_policy_bundle2.json: {} + custom_policy_bundle2.json: {} asserts: - contains: path: spec.template.spec.containers[0].volumeMounts content: name: policy-bundle-volume - mountPath: /anchore_service/tempPolicies/custom_policy_bundle1.json + mountPath: /anchore_service/policies/custom_policy_bundle1.json subPath: custom_policy_bundle1.json count: 1 any: true 
@@ -281,10 +281,10 @@ tests: path: spec.template.spec.containers[0].volumeMounts content: name: policy-bundle-volume - mountPath: /anchore_service/tempPolicies/custom_policy_bundle2.json + mountPath: /anchore_service/policies/custom_policy_bundle2.json subPath: custom_policy_bundle2.json count: 1 - any: true + any: true - it: should render component probes template: catalog_deployment.yaml diff --git a/stable/enterprise/tests/common_helpers_test.yaml b/stable/enterprise/tests/common_helpers_test.yaml index 104fe10f..3465ef85 100644 --- a/stable/enterprise/tests/common_helpers_test.yaml +++ b/stable/enterprise/tests/common_helpers_test.yaml @@ -102,7 +102,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && \/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade + pattern: ^\/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade - it: should render docker entrypoint with doSourceAtEntry and no filePaths templates: *backend_test_templates @@ -112,7 +112,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade + pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade - it: should render docker entrypoint with doSourceAtEntry and some filePaths templates: *test_templates 
@@ -123,7 +123,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && if \[ -f myscript\.sh \];then source myscript\.sh;fi;if \[ -f myotherscript\.sh \];then source myotherscript\.sh;fi; .*$ + pattern: ^if \[ -f myscript\.sh \];then source myscript\.sh;fi;if \[ -f myotherscript\.sh \];then source myotherscript\.sh;fi; .*$ - it: should render envFrom without an existing secret templates: @@ -445,7 +445,7 @@ tests: path: spec.template.spec.containers content: args: - - mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_authorizer + - /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_authorizer name: rbac-auth ports: - containerPort: 8089 diff --git a/stable/enterprise/tests/notifications_resources_test.yaml b/stable/enterprise/tests/notifications_resources_test.yaml index f784b4fd..0a3ec922 100644 --- a/stable/enterprise/tests/notifications_resources_test.yaml +++ b/stable/enterprise/tests/notifications_resources_test.yaml @@ -159,7 +159,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade notifications$ + pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade notifications$ count: 1 - it: should render notifications component environment variables 
diff --git a/stable/enterprise/tests/policyengine_resources_test.yaml b/stable/enterprise/tests/policyengine_resources_test.yaml index 968bc934..3d1175ce 100644 --- a/stable/enterprise/tests/policyengine_resources_test.yaml +++ b/stable/enterprise/tests/policyengine_resources_test.yaml @@ -185,7 +185,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade policy_engine$ + pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade policy_engine$ count: 1 - it: should render policyEngine component environment variables diff --git a/stable/enterprise/tests/rbacmanager_resources_test.yaml b/stable/enterprise/tests/rbacmanager_resources_test.yaml index 3ceb86a0..01a1c81d 100644 --- a/stable/enterprise/tests/rbacmanager_resources_test.yaml +++ b/stable/enterprise/tests/rbacmanager_resources_test.yaml @@ -156,7 +156,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_manager$ + pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_manager$ count: 1 - it: should render rbacManager component environment variables diff --git a/stable/enterprise/tests/reports_resources_test.yaml b/stable/enterprise/tests/reports_resources_test.yaml index ce8ff977..e602cd96 100644 --- a/stable/enterprise/tests/reports_resources_test.yaml +++ b/stable/enterprise/tests/reports_resources_test.yaml 
@@ -156,7 +156,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade reports_worker$ + pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade reports_worker$ count: 1 - it: should render reports component environment variables diff --git a/stable/enterprise/tests/simplequeue_resources_test.yaml b/stable/enterprise/tests/simplequeue_resources_test.yaml index 054f9a89..5d66c2e0 100644 --- a/stable/enterprise/tests/simplequeue_resources_test.yaml +++ b/stable/enterprise/tests/simplequeue_resources_test.yaml @@ -156,7 +156,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade simplequeue$ + pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade simplequeue$ count: 1 - it: should render simplequeue component environment variables diff --git a/stable/enterprise/tests/ui_resources_test.yaml b/stable/enterprise/tests/ui_resources_test.yaml index fdbce391..ac56cc61 100644 --- a/stable/enterprise/tests/ui_resources_test.yaml +++ b/stable/enterprise/tests/ui_resources_test.yaml 
@@ -146,7 +146,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^mkdir -p /anchore_service/policies /anchore_service/tempPolicies && cp -rp /anchore_service/tempPolicies/* /anchore_service/policies || echo && /docker-entrypoint\.sh node \/home\/node\/aui\/build\/server.js$ + pattern: ^/docker-entrypoint\.sh node \/home\/node\/aui\/build\/server.js$ count: 1 - it: should render ui component environment variables diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 09bfbe47..e99cc0f8 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -18,7 +18,7 @@ global: ## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI ## -image: docker.io/anchore/enterprise:v5.0.0 +image: docker.io/anchore/enterprise:v5.1.0 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy 
@@ -233,6 +233,10 @@ anchoreConfig: ## @param anchoreConfig.user_authentication.oauth.enabled Enable OAuth for Anchore user authentication ## @param anchoreConfig.user_authentication.oauth.default_token_expiration_seconds The expiration, in seconds, for OAuth tokens ## @param anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds The expiration, in seconds, for OAuth refresh tokens + ## @param anchoreConfig.user_authentication.oauth.allow_api_keys_for_saml_users Enable API key generation and authentication for SAML users + ## NOTE: Enterprise cannot automatically revoke or delete keys for disabled SAML users, the admin must revoke all keys assigned to a SAML user after disabling that user. + ## @param anchoreConfig.user_authentication.oauth.max_api_key_age_days The maximum age, in days, for API keys + ## @param anchoreConfig.user_authentication.oauth.max_api_keys_per_user The maximum number of API keys per user ## ref: https://docs.anchore.com/current/docs/installation/configuration/user_credential_storage/#bearer-tokensoauth2 ## ## @param anchoreConfig.user_authentication.hashed_passwords Enable storing passwords as secure hashes in the database @@ -248,6 +252,9 @@ anchoreConfig: enabled: true default_token_expiration_seconds: 3600 refresh_token_expiration_seconds: 86400 + allow_api_keys_for_saml_users: false + max_api_key_age_days: 365 + max_api_keys_per_user: 100 hashed_passwords: true sso_require_existing_users: false 
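Review bot: The revocation caveat added as a `## NOTE:` line under `allow_api_keys_for_saml_users` is not part of the `@param` description, so it does not reach the generated README; the parameter table added earlier in this same patch describes the key only as "Enable API key generation and authentication for SAML users". Since an admin who enables this must revoke keys by hand when a SAML user is disabled, fold the warning into the description itself, e.g. `## @param anchoreConfig.user_authentication.oauth.allow_api_keys_for_saml_users Enable API key generation and authentication for SAML users. Keys are NOT revoked automatically when a SAML user is disabled; the admin must revoke them manually`. The new defaults also deserve a word of context: `max_api_key_age_days: 365` makes API keys long-lived bearer credentials out of the box, so operators with a shorter rotation policy need to know to lower it.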
@@ -426,6 +433,7 @@ anchoreConfig: ## @param anchoreConfig.catalog.cycle_timers.k8s_image_watcher Interval for the runtime inventory image analysis poll ## @param anchoreConfig.catalog.cycle_timers.resource_metrics Interval (seconds) for computing metrics from the DB ## @param anchoreConfig.catalog.cycle_timers.events_gc Interval (seconds) for cleaning up events in the system based on timestamp + ## @param anchoreConfig.catalog.cycle_timers.artifact_lifecycle_policy_tasks Interval (seconds) for running artifact lifecycle policy tasks ## cycle_timers: image_watcher: 3600 @@ -441,6 +449,7 @@ anchoreConfig: k8s_image_watcher: 150 resource_metrics: 60 events_gc: 43200 + artifact_lifecycle_policy_tasks: 43200 ## @param anchoreConfig.catalog.event_log [object] Event log for webhooks, YAML configuration ## ref: https://docs.anchore.com/current/docs/using/cli_usage/event/#sending-events-as-webhook-notifications @@ -1104,7 +1113,7 @@ rbacManager: ui: ## @param ui.image Image used for the Anchore UI container ## - image: docker.io/anchore/enterprise-ui:v5.0.0 + image: docker.io/anchore/enterprise-ui:v5.1.0 ## @param ui.imagePullPolicy Image pull policy for Anchore UI image ## From a6ccd52ad7ef21333a239849fa695416de77cccc Mon Sep 17 00:00:00 2001 From: Dan Perry <905750+dperry@users.noreply.github.com> Date: Thu, 14 Dec 2023 18:55:37 +0000 Subject: [PATCH 288/329] Update support link in readme and helm delete command (#316) * Update anchore support link * Update command as it was renamed by helm --------- Signed-off-by: Daniel Perry --- README.md | 4 ++-- stable/enterprise/README.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 4357e965..872de6e9 100644 --- a/README.md +++ b/README.md 
@@ -51,7 +51,7 @@ The charts in this repository include a number of configuration options that can ## Contributing -We welcome contributions to the anchore Helm charts repository. If you have a chart change that you would like to share, please submit a pull request with your change and any relevant documentation. +We welcome contributions to the Anchore Helm charts repository. If you have a chart change that you would like to share, please submit a pull request with your change and any relevant documentation. All commits must be signed with the DCO as defined in [CONTRIBUTING](./CONTRIBUTING.rst). In git this can be done using the '-s' flag on commit. @@ -65,4 +65,4 @@ We aim to have at least the .0 patches for the releases for predictability and s ## Support -If you have any questions or need assistance with the charts in this repository, please visit the [Anchore documentation](https://docs.anchore.com/) or contact the anchore support team through the channels listed on the [Anchore support site](https://www.anchore.com/support/). +If you have any questions or need assistance with the charts in this repository, please visit the [Anchore documentation](https://docs.anchore.com/) or contact the Anchore support team through the [Anchore support site](https://support.anchore.com/hc/en-us). diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index c60ab1ff..69b72112 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -175,7 +175,7 @@ To completely remove the Anchore Enterprise deployment and associated Kubernetes export NAMESPACE=anchore export RELEASE=my-release - helm delete ${RELEASE} -n ${NAMESPACE} + helm uninstall ${RELEASE} -n ${NAMESPACE} ``` After deleting the helm release, there are still a few persistent volume claims to delete. Delete these only if you're certain you no longer need them. From d7e306330a66fa54a773ae6581128bbe5642744f Mon Sep 17 00:00:00 2001 
From: Brady Todhunter Date: Thu, 14 Dec 2023 18:25:55 -0500 Subject: [PATCH 289/329] Release enterprise 1.0.x CI workflow (#181) (#320) * update github workflow to allow releasing older versions * add release doc --------- Signed-off-by: Brady Todhunter --- .github/workflows/deploy.yaml | 15 +++++- .github/workflows/lint.yaml | 7 ++- .github/workflows/test.yaml | 7 ++- RELEASE.md | 88 +++++++++++++++++++++++++++++++++++ 4 files changed, 114 insertions(+), 3 deletions(-) create mode 100644 RELEASE.md diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml index 9bc08579..ac8000e1 100644 --- a/.github/workflows/deploy.yaml +++ b/.github/workflows/deploy.yaml @@ -4,6 +4,7 @@ on: push: branches: - main + - 'release-*' paths: - 'stable/**' @@ -36,8 +37,20 @@ jobs: helm repo add anchore https://charts.anchore.io/stable helm repo add bitnami https://charts.bitnami.com/bitnami + - name: Run chart-releaser not latest + if: github.event.pull_request.base.ref != 'main' + uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0 + with: + charts_dir: stable + charts_repo_url: https://charts.anchore.io + mark_as_latest: false + env: + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + CR_MAKE_RELEASE_LATEST: "false" + - name: Run chart-releaser - uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0 + if: github.event.pull_request.base.ref == 'main' + uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0 with: charts_dir: stable charts_repo_url: https://charts.anchore.io diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 7c744c68..81b8fcef 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml 
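Review bot: Both new `if:` conditions in deploy.yaml test `github.event.pull_request.base.ref`, but this workflow runs on `push` (the `on: push: branches:` block in the first hunk), where the `pull_request` payload is absent and that expression evaluates to null; `null != 'main'` is true and `null == 'main'` is false, so every push, including pushes to `main`, would run the "not latest" step with `mark_as_latest: false` and the regular chart-releaser step would never run. Take the branch from the push context instead: `if: github.ref_name != 'main'` on the first step and `if: github.ref_name == 'main'` on the second (or compare `github.ref` with `refs/heads/main`). The action is SHA-pinned with a version comment, which is the right supply-chain practice; `CR_MAKE_RELEASE_LATEST: "false"` alongside `mark_as_latest: false` appears redundant, so a short comment on which one the pinned action honours would help whoever maintains this next.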
@@ -37,4 +37,9 @@ jobs: - name: Run chart-testing (lint) id: lint run: ct lint --config 'ct-config.yaml' - if: steps.list-changed.outputs.CHANGED == 'true' + if: steps.list-changed.outputs.CHANGED == 'true' && github.event.pull_request.base.ref == 'main' + + - name: Run chart-testing but skip version check (lint) + id: lintskipversion + run: ct lint --config 'ct-config.yaml' --check-version-increment=false + if: steps.list-changed.outputs.CHANGED == 'true' && github.event.pull_request.base.ref != 'main' diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index bc1a4f03..111fb3ce 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -48,7 +48,12 @@ jobs: - name: Run chart-testing (lint) id: lint run: ct lint --config 'ct-config.yaml' - if: steps.list-changed.outputs.CHANGED == 'true' + if: steps.list-changed.outputs.CHANGED == 'true' && github.event.pull_request.base.ref == 'main' + + - name: Run chart-testing but skip version check (lint) + id: lintskipversion + run: ct lint --config 'ct-config.yaml' --check-version-increment=false + if: steps.list-changed.outputs.CHANGED == 'true' && github.event.pull_request.base.ref != 'main' - name: Install kind if: steps.list-changed.outputs.CHANGED == 'true' diff --git a/RELEASE.md b/RELEASE.md new file mode 100644 index 00000000..ff778203 --- /dev/null +++ b/RELEASE.md 
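Review bot: The new `lintskipversion` step disables `--check-version-increment` for PRs not targeting main without recording why; the likely reason (ct compares against its configured target branch, presumably `main` in ct-config.yaml, so charts on `release-*` branches with lower versions cannot pass the increment check) should be stated in a comment above the step, e.g. `# release-* PRs: ct's version-increment check compares against the configured target branch, so it is skipped here (see ct-config.yaml)`. With the check off, a release-branch PR can merge a chart change without bumping the chart version, in which case chart-releaser presumably finds nothing new to publish; RELEASE.md in this patch should tell contributors the bump is still required. The same two-step duplication appears in test.yaml; a single step with `run: ct lint --config 'ct-config.yaml' --check-version-increment=${{ github.event.pull_request.base.ref == 'main' }}` would keep one copy to maintain.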
@@ -0,0 +1,88 @@ +# Releasing Anchore Helm Charts + +In our Helm chart release strategy we have developed a pipeline to accommodate current and non-current versions of our enterprise software. To accomplish this, we are utilizing multiple release branches with distinct release pipelines. The `release--` branching strategy involves a release process that is dedicated to the ongoing support of non-current, but still supported, Enterprise platform versions. The `main` branch is dedicated to the ongoing support of current & future Enterprise platform versions. + +All release processes are controlled via CI using GitHub actions. Charts are linted and released using the official Helm [chart-testing](https://github.com/helm/chart-testing) and [chart-releaser](https://github.com/helm/chart-releaser) tools. + +## Release Documentation + +*Note: Ensure that Helm and GitHub credentials are configured appropriately for successful execution of the release process.* + +### Release Process for Current Charts + +1. **Create a Branch:** + - Start by creating a new branch for your changes off of the `main` branch. + + ```bash + git checkout main + git pull origin main + git checkout -b feature-update + ``` + +2. **Make and Commit Changes:** + - Implement your changes in the branch. + - Ensure Helm unit tests are updated and passing. + - Commit your changes. + - Push your branch to GitHub + + ```bash + git commit -sm "feat: implement updates" + helm unittest . + git push origin feature-update + ``` + +3. **Create Pull Request:** + - Open a pull request against the `main` branch on GitHub. + - Provide a descriptive title and description for the changes. + +4. **GitHub Actions and Chart Releasing:** + - Once the pull request is merged, GitHub Actions will automatically trigger the `chart-releaser-action`. + - This action will create the Helm release for the updated chart. + +### Release Process for Non-Current Charts + +1. 
**Branching:** + - Create a new release branch off the latest v1.x.x tag named `release-enterprise-1.x.x`. + - Push the release branch to GitHub. + - Create a new branch off of the `release-enterprise-1.x.x` branch using a meaningful name for your changes. + - Example: + + ```bash + git checkout v1.0.0 + git checkout -b release-enterprise-1.x.x + git push origin release-enterprise-1.x.x + git checkout -b enterprise-1.x.x-feature-xyz + ``` + +2. **Make and Commit Changes:** + - Make necessary changes in your branch. + - Ensure that any affected Helm unit tests are updated and passing. + - Commit your changes. + - Example: + + ```bash + git commit -sm "feat: update something" + helm unittest . + git push origin enterprise-1.x.x-feature-xyz + ``` + +3. **Create Pull Request:** + - Open a pull request against the `release-enterprise-1.x.x` branch on GitHub. + - Provide a concise and informative title and description for your changes. + +4. **GitHub Actions and Chart Releasing:** + - Upon merging the pull request, a GitHub Action (`chart-releaser-action`) will be triggered automatically. + - The action will create the Helm release for the updated chart. + +5. **Managing GitHub Releases Page:** + - Navigate to the GitHub Releases page. + - Locate the latest release associated with the `enterprise-1.x.x` branch and make sure its not marked as latest. If it is, manually mark the actual latest release as 'latest.' + - Note: This step is crucial to distinguish the actual latest release from patch updates. + +## Chart Distribution + +Our Helm charts are distributed via GitHub Pages and managed using the `gh-pages` branch in this repository. The chart repository is available at . The `chart-releaser-action` will automatically perform the following actions when a PR is merged to the `main` OR `release-*` branches: + +- Create a GitHub tag & release for all changed charts, using `-` as the tag name. 
+- Package the chart and upload the created tarball to the corresponding GitHub release page. +- Updates the `chart.yaml` file in the `gh-pages` branch with the latest chart version & package location. From a4449f0f9b400a15d15eed0a8855e69d40606010 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 14 Dec 2023 19:06:11 -0500 Subject: [PATCH 290/329] bump enterprise image to v4.9.4 (#321) Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/README.md | 4 ++++ stable/anchore-engine/values.yaml | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 9bc9c7c9..0177e49b 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.28.3 +version: 1.28.4 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 7496908b..b0acc53e 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -198,6 +198,10 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. +# Chart Version 1.28.4 + +* Anchore Enterprise image bumped to v4.9.4 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/494/) + # Chart Version 1.28.0 * Updated ingress configuration to allow exposing both v1 and v2 api endpoints. 
diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index a869ecfc..ff33b138 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -765,7 +765,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.9.3 + image: docker.io/anchore/enterprise:v4.9.4 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. From fa576c45005b62d1786041f150fe3b6298a0a4d9 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 14 Dec 2023 20:43:14 -0500 Subject: [PATCH 291/329] Update enterprise readme (#323) * fix chart name in global readme * add warning to README and NOTES.txt about redis URI change * bump chart version --------- Signed-off-by: Brady Todhunter --- README.md | 4 ++-- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 9 ++++++++- stable/enterprise/templates/NOTES.txt | 11 +++++++++++ 4 files changed, 22 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 872de6e9..5e291ccf 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ To install a chart, use the `helm install` command and specify the chart name an ```bash RELEASE_NAME="my-release" -CHART_NAME="anchore/anchore-engine" +CHART_NAME="anchore/enterprise" helm install "$RELEASE_NAME" "$CHART_NAME" --values values.yaml ``` @@ -39,7 +39,7 @@ It can be useful when developing to install a chart directly from the source cod RELEASE_NAME="my-release" CHART_PATH="anchore-charts/stable/enterprise" -git clone https://github.com/anchore/anchore-charts-dev.git +git clone https://github.com/anchore/anchore-charts.git cd "$CHART_PATH" helm dependency up helm install "$RELEASE_NAME" . --values values.yaml 
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 00e52ea2..6e4aa212 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "2.1.0" +version: "2.1.1" appVersion: "5.1.0" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 69b72112..a6bd80e7 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -387,7 +387,7 @@ type: Opaque stringData: # if using TLS to connect to Postgresql you must add the ?ssl=[require|verify-ca|verify-full] parameter to the end of the URI ANCHORE_APPDB_URI: postgresql://anchoreengine:anchore-postgres,123@anchore-postgresql:5432/anchore - ANCHORE_REDIS_URI: redis://nouser:anchore-redis,123@anchore-ui-redis-master:6379 + ANCHORE_REDIS_URI: redis://:anchore-redis,123@anchore-ui-redis-master:6379 --- apiVersion: v1 @@ -1354,6 +1354,13 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel ### V2.1.0 - Deploys Anchore Enterprise v5.1.0. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/510/) for more information. +- The Redis client utilized by the UI has been updated and no longer requires a username to be specified in the URI. The chart configuration has been updated to reflect this change. If you are using secrets generated by the chart, no action is required. + + - :warning: **WARNING:** If you are using existing secrets, you will need to update your ANCHORE_REDIS_URI environment variable to remove the `nouser` username. The UI will not function without this change. For example: + + ```yaml + ANCHORE_REDIS_URI: redis://:anchore-redis,123@anchore-ui-redis:6379 + ``` ### v2.0.0 diff --git a/stable/enterprise/templates/NOTES.txt b/stable/enterprise/templates/NOTES.txt index 1cfa8a97..15503e39 100644 --- a/stable/enterprise/templates/NOTES.txt 
+++ b/stable/enterprise/templates/NOTES.txt @@ -20,3 +20,14 @@ Initial setup time can be >120sec for postgresql setup and readiness checks to p You can check with: kubectl get pods -l app.kubernetes.io/name={{- template "enterprise.fullname" . -}},app.kubernetes.io/component=api + +{{ if and .Values.useExistingSecrets .Release.IsUpgrade (semverCompare "~2.1.0" .Chart.Version) }} +****************** + +WARNING: This deployment is utilizing Existing Secrets. Your ANCHORE_REDIS_URI environment variable needs to be updated. +A username is no longer required, please remove `nouser` from the URI. The UI will not function unless this update is performed. + +For more details see the v2.1.0 release notes - https://github.com/anchore/anchore-charts/blob/main/stable/enterprise/README.md#v210 + +****************** +{{ end }} From ad1cb29db47e70321774d536bed905c96e1fafc5 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Tue, 19 Dec 2023 16:01:10 -0500 Subject: [PATCH 292/329] Remove analyzer maxthreads (#326) * Remove anchoreConfig.analyzer.max_threads from 5.x charts * update test snapshots --------- Signed-off-by: Nicolas Simonds Signed-off-by: Brady Todhunter Co-authored-by: Nicolas Simonds --- scripts/enterprise-value-converter/mappings.py | 2 +- .../tests/test_anchoreAnalyzer_value_mapping.py | 17 ----------------- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 1 - stable/enterprise/files/default_config.yaml | 1 - .../enterprise/templates/envvars_configmap.yaml | 1 - .../tests/__snapshot__/configmap_test.yaml.snap | 2 -- stable/enterprise/values.yaml | 6 ------ 8 files changed, 2 insertions(+), 30 deletions(-) diff --git a/scripts/enterprise-value-converter/mappings.py b/scripts/enterprise-value-converter/mappings.py index 8355811e..2939b5af 100644 --- a/scripts/enterprise-value-converter/mappings.py +++ b/scripts/enterprise-value-converter/mappings.py 
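Review bot: `semverCompare "~2.1.0" .Chart.Version` only matches 2.1.x, so the warning disappears as soon as the chart is bumped to 2.2.0 (which the later patch in this series does), even though a user upgrading from 2.0.x straight to 2.2.x still has the `nouser` URI problem; `.Chart.Version` is the target version, not the version being upgraded from, and Helm templates cannot see the previous release's chart version. Use `(semverCompare ">=2.1.0" .Chart.Version)` so the notice stays in place for every upgrade with `useExistingSecrets` enabled, and say in the text that it can be ignored once the URI has been updated. The README link hard-codes `blob/main`, which will be wrong when this is rendered from a `release-*` branch chart; consider a version-pinned link.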
@@ -150,7 +150,6 @@ "anchore-feeds-gem-db.postgresUser": "feeds.gem-db.auth.username", - "anchoreAnalyzer.concurrentTasksPerWorker": "anchoreConfig.analyzer.max_threads", "anchoreAnalyzer.containerPort": "analyzer.service.port", "anchoreAnalyzer.enableHints": "anchoreConfig.analyzer.enable_hints", @@ -292,6 +291,7 @@ "postgresql.persistence.resourcePolicy": "deprecated", "anchoreGlobal.saml.useExistingSecret": "deprecated", "anchoreEnterpriseReports.service.workerPort": "deprecated", + "anchoreAnalyzer.concurrentTasksPerWorker": "deprecated", } POST_PROCESSING = { diff --git a/scripts/enterprise-value-converter/tests/test_anchoreAnalyzer_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreAnalyzer_value_mapping.py index 2f00ae51..52337394 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreAnalyzer_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreAnalyzer_value_mapping.py @@ -227,23 +227,6 @@ def test_anchoreAnalyzer_cycleTimers_image_analyzer_value(self): result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) - def test_anchoreAnalyzer_concurrentTasksPerWorker_value(self): - dot_string_dict = { - "anchoreAnalyzer.concurrentTasksPerWorker": 1, - } - expected_result = { - 'postgresql': {'auth': {'username': 'anchoreengine'}}, - 'anchoreConfig': { - 'user_authentication': {'hashed_passwords': False}, - 'analyzer': { - 'max_threads': 1 - } - } - - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - def test_anchoreAnalyzer_layerCacheMaxGigabytes_value(self): dot_string_dict = { "anchoreAnalyzer.layerCacheMaxGigabytes": 1, diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 6e4aa212..543b6c4a 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml 
@@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "2.1.1" +version: "2.1.2" appVersion: "5.1.0" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index a6bd80e7..57270882 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -1019,7 +1019,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `anchoreConfig.apiext.external.hostname` | Hostname for the external Anchore API | `""` | | `anchoreConfig.apiext.external.port` | Port configured for external Anchore API | `8443` | | `anchoreConfig.analyzer.cycle_timers.image_analyzer` | The interval between checks of the work queue for new analysis jobs | `1` | -| `anchoreConfig.analyzer.max_threads` | The concurrency of the Anchore Analyzer worker process | `1` | | `anchoreConfig.analyzer.layer_cache_max_gigabytes` | Specify a cache size > 0GB to enable image layer caching | `0` | | `anchoreConfig.analyzer.enable_hints` | Enable a user-supplied 'hints' file to override and/or augment the software artifacts found during analysis | `false` | | `anchoreConfig.analyzer.configFile` | Custom Anchore Analyzer configuration file contents in YAML | `{}` | diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml index 25dab56c..3058bab5 100644 --- a/stable/enterprise/files/default_config.yaml +++ b/stable/enterprise/files/default_config.yaml @@ -93,7 +93,6 @@ services: max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} cycle_timer_seconds: 1 cycle_timers: {{- toYaml .Values.anchoreConfig.analyzer.cycle_timers | nindent 6 }} - max_threads: ${ANCHORE_ANALYZER_MAX_THREADS} analyzer_driver: 'nodocker' layer_cache_enable: ${ANCHORE_LAYER_CACHE_ENABLED} layer_cache_max_gigabytes: ${ANCHORE_LAYER_CACHE_SIZE_GB} 
diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index e7bca972..05867815 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml +++ b/stable/enterprise/templates/envvars_configmap.yaml @@ -10,7 +10,6 @@ data: ANCHORE_ADMIN_EMAIL: "{{ .Values.anchoreConfig.default_admin_email }}" ANCHORE_ALLOW_ECR_IAM_AUTO: "{{ .Values.anchoreConfig.allow_awsecr_iam_auto }}" ANCHORE_ANALYZER_TASK_REQUEUE: "true" - ANCHORE_ANALYZER_MAX_THREADS: "{{ .Values.anchoreConfig.analyzer.max_threads }}" ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "{{ .Values.anchoreConfig.user_authentication.hashed_passwords }}" {{- with .Values.anchoreConfig.keys.publicKeyFileName }} ANCHORE_AUTH_PRIVKEY: "/home/anchore/certs/{{- . }}" diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 21d95bfb..9128d237 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -129,7 +129,6 @@ should render the configmaps: cycle_timer_seconds: 1 cycle_timers: image_analyzer: 1 - max_threads: ${ANCHORE_ANALYZER_MAX_THREADS} analyzer_driver: 'nodocker' layer_cache_enable: ${ANCHORE_LAYER_CACHE_ENABLED} layer_cache_max_gigabytes: ${ANCHORE_LAYER_CACHE_SIZE_GB} @@ -375,7 +374,6 @@ should render the configmaps: data: ANCHORE_ADMIN_EMAIL: admin@myanchore ANCHORE_ALLOW_ECR_IAM_AUTO: "true" - ANCHORE_ANALYZER_MAX_THREADS: "1" ANCHORE_ANALYZER_TASK_REQUEUE: "true" ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "true" ANCHORE_AUTH_PRIVKEY: "null" diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index e99cc0f8..8a75ce32 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml 
@@ -361,12 +361,6 @@ anchoreConfig: cycle_timers: image_analyzer: 1 - ## @param anchoreConfig.analyzer.max_threads The concurrency of the Anchore Analyzer worker process - ## Can be configured to process more than one task at a time. This is IO bound so may not necessarily be faster depending on hardware. - ## Operators should test and balance this value vs. number of Anchore Analyzer replicas deployed. - ## - max_threads: 1 - ## @param anchoreConfig.analyzer.layer_cache_max_gigabytes Specify a cache size > 0GB to enable image layer caching ## This chart sets up a scratch directory for all Anchore Analyzer pods using the values found at .Values.scratchVolume ## When setting .Values.anchoreConfig.analyzer.layer_cache_max_gigabytes, ensure the scratch volume has sufficient storage space From e55e67dcfc512be8cd7ec4a697a52740fbb52d2c Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 20 Dec 2023 11:37:17 -0500 Subject: [PATCH 293/329] updating enterprise oauth keys and config Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 13 ++++++++++--- stable/enterprise/files/default_config.yaml | 6 +++--- .../tests/__snapshot__/configmap_test.yaml.snap | 6 +++--- stable/enterprise/values.yaml | 12 ++++++------ 5 files changed, 23 insertions(+), 16 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 543b6c4a..6dc9c1bc 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "2.1.2" +version: "2.2.0" appVersion: "5.1.0" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 57270882..be0caaf4 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md 
@@ -992,9 +992,9 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `anchoreConfig.user_authentication.oauth.enabled` | Enable OAuth for Anchore user authentication | `true` | | `anchoreConfig.user_authentication.oauth.default_token_expiration_seconds` | The expiration, in seconds, for OAuth tokens | `3600` | | `anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds` | The expiration, in seconds, for OAuth refresh tokens | `86400` | -| `anchoreConfig.user_authentication.oauth.allow_api_keys_for_saml_users` | Enable API key generation and authentication for SAML users | `false` | -| `anchoreConfig.user_authentication.oauth.max_api_key_age_days` | The maximum age, in days, for API keys | `365` | -| `anchoreConfig.user_authentication.oauth.max_api_keys_per_user` | The maximum number of API keys per user | `100` | +| `anchoreConfig.user_authentication.allow_api_keys_for_saml_users` | Enable API key generation and authentication for SAML users | `false` | +| `anchoreConfig.user_authentication.max_api_key_age_days` | The maximum age, in days, for API keys | `365` | +| `anchoreConfig.user_authentication.max_api_keys_per_user` | The maximum number of API keys per user | `100` | | `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `true` | | `anchoreConfig.user_authentication.sso_require_existing_users` | set to true in order to disable the SSO JIT provisioning during authentication | `false` | | `anchoreConfig.metrics.enabled` | Enable Prometheus metrics for all Anchore services | `false` | 
@@ -1350,6 +1350,13 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention. - **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update. +### V2.2.0 + +- The following keys were changed: + 1. anchoreConfig.user_authentication.oauth.allow_api_keys_for_saml_users -> anchoreConfig.user_authentication.allow_api_keys_for_saml_users + 2. anchoreConfig.user_authentication.oauth.max_api_key_age_days -> anchoreConfig.user_authentication.max_api_key_age_days + 3. anchoreConfig.user_authentication.oauth.max_api_keys_per_user -> anchoreConfig.user_authentication.max_api_keys_per_user + ### V2.1.0 - Deploys Anchore Enterprise v5.1.0. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/510/) for more information. diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml index 3058bab5..55268bf8 100644 --- a/stable/enterprise/files/default_config.yaml +++ b/stable/enterprise/files/default_config.yaml 
@@ -40,9 +40,9 @@ user_authentication: enabled: ${ANCHORE_OAUTH_ENABLED} default_token_expiration_seconds: ${ANCHORE_OAUTH_TOKEN_EXPIRATION} refresh_token_expiration_seconds: ${ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION} - allow_api_keys_for_saml_users: {{ .Values.anchoreConfig.user_authentication.oauth.allow_api_keys_for_saml_users }} - max_api_key_age_days: {{ .Values.anchoreConfig.user_authentication.oauth.max_api_key_age_days }} - max_api_keys_per_user: {{ .Values.anchoreConfig.user_authentication.oauth.max_api_keys_per_user }} + allow_api_keys_for_saml_users: {{ .Values.anchoreConfig.user_authentication.allow_api_keys_for_saml_users }} + max_api_key_age_days: {{ .Values.anchoreConfig.user_authentication.max_api_key_age_days }} + max_api_keys_per_user: {{ .Values.anchoreConfig.user_authentication.max_api_keys_per_user }} credentials: database: diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 9128d237..1364e8c8 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -87,9 +87,9 @@ should render the configmaps: enabled: ${ANCHORE_OAUTH_ENABLED} default_token_expiration_seconds: ${ANCHORE_OAUTH_TOKEN_EXPIRATION} refresh_token_expiration_seconds: ${ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION} - allow_api_keys_for_saml_users: false - max_api_key_age_days: 365 - max_api_keys_per_user: 100 + allow_api_keys_for_saml_users: false + max_api_key_age_days: 365 + max_api_keys_per_user: 100 credentials: database: diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 8a75ce32..2c7a94b0 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml 
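Review bot: The three moved keys are now read only from `.Values.anchoreConfig.user_authentication`, but nothing rejects values still supplied under the old `anchoreConfig.user_authentication.oauth.*` path; Helm ignores unknown keys, so a user upgrading with an existing values file silently falls back to the chart defaults shown in the snapshot hunk (`allow_api_keys_for_saml_users: false`, `max_api_key_age_days: 365`, `max_api_keys_per_user: 100`) with no error. Because these settings govern API-key issuance and lifetime, a guard that fails rendering when an old key is present surfaces the misconfiguration at upgrade time rather than in production; a sketch follows, assuming this file is rendered through `tpl` so `fail` and `hasKey` are available. The corresponding values.yaml hunk would benefit from a comment pointing at the V2.2.0 README entry for the rename.
```yaml
{{- range list "allow_api_keys_for_saml_users" "max_api_key_age_days" "max_api_keys_per_user" }}
{{- if hasKey (default dict $.Values.anchoreConfig.user_authentication.oauth) . }}
{{- fail (printf "anchoreConfig.user_authentication.oauth.%s has moved to anchoreConfig.user_authentication.%s" . .) }}
{{- end }}
{{- end }}
# … unchanged: user_authentication / oauth block with the three moved keys …
```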
@@ -233,10 +233,10 @@ anchoreConfig: ## @param anchoreConfig.user_authentication.oauth.enabled Enable OAuth for Anchore user authentication ## @param anchoreConfig.user_authentication.oauth.default_token_expiration_seconds The expiration, in seconds, for OAuth tokens ## @param anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds The expiration, in seconds, for OAuth refresh tokens - ## @param anchoreConfig.user_authentication.oauth.allow_api_keys_for_saml_users Enable API key generation and authentication for SAML users + ## @param anchoreConfig.user_authentication.allow_api_keys_for_saml_users Enable API key generation and authentication for SAML users ## NOTE: Enterprise cannot automatically revoke or delete keys for disabled SAML users, the admin must revoke all keys assigned to a SAML user after disabling that user. - ## @param anchoreConfig.user_authentication.oauth.max_api_key_age_days The maximum age, in days, for API keys - ## @param anchoreConfig.user_authentication.oauth.max_api_keys_per_user The maximum number of API keys per user + ## @param anchoreConfig.user_authentication.max_api_key_age_days The maximum age, in days, for API keys + ## @param anchoreConfig.user_authentication.max_api_keys_per_user The maximum number of API keys per user ## ref: https://docs.anchore.com/current/docs/installation/configuration/user_credential_storage/#bearer-tokensoauth2 ## ## @param anchoreConfig.user_authentication.hashed_passwords Enable storing passwords as secure hashes in the database @@ -252,9 +252,9 @@ anchoreConfig: enabled: true default_token_expiration_seconds: 3600 refresh_token_expiration_seconds: 86400 - allow_api_keys_for_saml_users: false - max_api_key_age_days: 365 - max_api_keys_per_user: 100 + allow_api_keys_for_saml_users: false + max_api_key_age_days: 365 + max_api_keys_per_user: 100 hashed_passwords: true sso_require_existing_users: false From df35fedd2d7aba11699e33d7bfb0ab6558f093f0 Mon Sep 17 00:00:00 2001 
From: Hung Nguyen Date: Fri, 22 Dec 2023 09:58:15 -0500 Subject: [PATCH 294/329] making kubectl scale down preupgrade container configurable Signed-off-by: Hung Nguyen --- stable/feeds/Chart.yaml | 2 +- stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml | 2 +- stable/feeds/values.yaml | 6 ++++++ 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index 5be6b259..82918dfd 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: feeds type: application -version: "2.1.0" +version: "2.1.1" appVersion: "5.1.0" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.28.x-x description: Anchore feeds service diff --git a/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml index 45f6c6fa..df6f0d7b 100644 --- a/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml +++ b/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml @@ -64,7 +64,7 @@ spec: {{- end }} initContainers: - name: scale-down-anchore - image: bitnami/kubectl:1.27 + image: {{ .Values.feedsUpgradeJob.kubectlImage }} command: ["/bin/bash", "-c"] args: - | diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml index a1ce5a0b..81ec7264 100644 --- a/stable/feeds/values.yaml +++ b/stable/feeds/values.yaml @@ -485,6 +485,12 @@ feedsUpgradeJob: ## usePostUpgradeHook: false + + ## @param feedsUpgradeJob.kubectlImage the image to use for the upgrade job's init container that uses kubectl to scale down deployments before an upgrade + ## This is only used in the preupgrade job. + ## + kubectlImage: bitnami/kubectl:1.27 + ## @param feedsUpgradeJob.nodeSelector Node labels for the Anchore Feeds upgrade job pod assignment ## nodeSelector: {} From 51bf07c2e05bc50a5093114c7198e8263bb3b5d3 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 22 Dec 2023 10:05:33 -0500 Subject: [PATCH 295/329] update README.md with new param 
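Review bot: The new `image: {{ .Values.feedsUpgradeJob.kubectlImage }}` is an unquoted templated scalar, so an empty or YAML-typed value renders an invalid pod spec instead of a clear error; write `image: "{{ .Values.feedsUpgradeJob.kubectlImage | required "feedsUpgradeJob.kubectlImage is required" }}"`. The `scale-down-anchore` init container runs kubectl against the release's deployments (with the RBAC the chart creates, per the README's `rbacCreate` parameter), and the default `bitnami/kubectl:1.27` added in the values.yaml hunk is a floating Docker Hub tag with no registry or digest; the values.yaml comment should tell operators that the value can carry a digest (`bitnami/kubectl:1.27@sha256:<digest-placeholder>`) and should track their cluster's minor version. The enclosing `initContainers` block continues outside the hunk, so whether an `imagePullPolicy` is set cannot be seen here.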
Signed-off-by: Hung Nguyen --- stable/feeds/README.md | 29 +++++++++++++++-------------- stable/feeds/values.yaml | 2 +- 2 files changed, 16 insertions(+), 15 deletions(-) diff --git a/stable/feeds/README.md b/stable/feeds/README.md index 7b3b1c05..aa42cb00 100644 --- a/stable/feeds/README.md +++ b/stable/feeds/README.md 
@@ -434,20 +434,21 @@ anchoreConfig: ### Anchore Feeds Upgrade Job Parameters -| Name | Description | Value | -| ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `feedsUpgradeJob.enabled` | Enable the Anchore Feeds database upgrade job | `true` | -| `feedsUpgradeJob.force` | Force the Anchore Feeds database upgrade job to run as a regular job instead of as a Helm hook | `false` | -| `feedsUpgradeJob.rbacCreate` | Create RBAC resources for the upgrade job | `true` | -| `feedsUpgradeJob.serviceAccountName` | Use an existing service account for the upgrade job | `""` | -| `feedsUpgradeJob.usePostUpgradeHook` | Use a Helm post-upgrade hook to run the upgrade job instead of the default pre-upgrade hook. This job does not require creating RBAC resources. | `false` | -| `feedsUpgradeJob.nodeSelector` | Node labels for the Anchore Feeds upgrade job pod assignment | `{}` | -| `feedsUpgradeJob.tolerations` | Tolerations for the Anchore Feeds upgrade job pod assignment | `[]` | -| `feedsUpgradeJob.affinity` | Affinity for the Anchore Feeds upgrade job pod assignment | `{}` | -| `feedsUpgradeJob.annotations` | Annotations for the Anchore Feeds upgrade job | `{}` | -| `feedsUpgradeJob.labels` | Labels for the Anchore Feeds upgrade job | `{}` | -| `feedsUpgradeJob.resources` | Resources for the Anchore Feeds upgrade job | `{}` | -| `feedsUpgradeJob.ttlSecondsAfterFinished` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | +| Name | Description | Value | +| ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | +| `feedsUpgradeJob.enabled` | Enable the Anchore Feeds database upgrade job | `true` | +| 
`feedsUpgradeJob.force` | Force the Anchore Feeds database upgrade job to run as a regular job instead of as a Helm hook | `false` | +| `feedsUpgradeJob.rbacCreate` | Create RBAC resources for the upgrade job | `true` | +| `feedsUpgradeJob.serviceAccountName` | Use an existing service account for the upgrade job | `""` | +| `feedsUpgradeJob.usePostUpgradeHook` | Use a Helm post-upgrade hook to run the upgrade job instead of the default pre-upgrade hook. This job does not require creating RBAC resources. | `false` | +| `feedsUpgradeJob.kubectlImage` | The image to use for the upgrade job's init container that uses kubectl to scale down deployments before an upgrade | `bitnami/kubectl:1.27` | +| `feedsUpgradeJob.nodeSelector` | Node labels for the Anchore Feeds upgrade job pod assignment | `{}` | +| `feedsUpgradeJob.tolerations` | Tolerations for the Anchore Feeds upgrade job pod assignment | `[]` | +| `feedsUpgradeJob.affinity` | Affinity for the Anchore Feeds upgrade job pod assignment | `{}` | +| `feedsUpgradeJob.annotations` | Annotations for the Anchore Feeds upgrade job | `{}` | +| `feedsUpgradeJob.labels` | Labels for the Anchore Feeds upgrade job | `{}` | +| `feedsUpgradeJob.resources` | Resources for the Anchore Feeds upgrade job | `{}` | +| `feedsUpgradeJob.ttlSecondsAfterFinished` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | ### Ingress Parameters diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml index 81ec7264..4f221ec2 100644 --- a/stable/feeds/values.yaml +++ b/stable/feeds/values.yaml 
@@ -486,7 +486,7 @@ feedsUpgradeJob: usePostUpgradeHook: false - ## @param feedsUpgradeJob.kubectlImage the image to use for the upgrade job's init container that uses kubectl to scale down deployments before an upgrade + ## @param feedsUpgradeJob.kubectlImage The image to use for the upgrade job's init container that uses kubectl to scale down deployments before an upgrade ## This is only used in the preupgrade job. ## kubectlImage: bitnami/kubectl:1.27 From 467950d458a40cb6a7a5d7839431d236133fcf98 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 22 Dec 2023 10:04:22 -0500 Subject: [PATCH 296/329] making kubectl scale down preupgrade container configurable Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 35 ++++++++++--------- .../hooks/pre-upgrade/upgrade_job.yaml | 2 +- stable/enterprise/values.yaml | 5 +++ 4 files changed, 25 insertions(+), 19 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 6dc9c1bc..48bfe3e5 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "2.2.0" +version: "2.2.1" appVersion: "5.1.0" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index be0caaf4..da2666c6 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md 
@@ -992,9 +992,9 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `anchoreConfig.user_authentication.oauth.enabled` | Enable OAuth for Anchore user authentication | `true` | | `anchoreConfig.user_authentication.oauth.default_token_expiration_seconds` | The expiration, in seconds, for OAuth tokens | `3600` | | `anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds` | The expiration, in seconds, for OAuth refresh tokens | `86400` | -| `anchoreConfig.user_authentication.allow_api_keys_for_saml_users` | Enable API key generation and authentication for SAML users | `false` | -| `anchoreConfig.user_authentication.max_api_key_age_days` | The maximum age, in days, for API keys | `365` | -| `anchoreConfig.user_authentication.max_api_keys_per_user` | The maximum number of API keys per user | `100` | +| `anchoreConfig.user_authentication.allow_api_keys_for_saml_users` | Enable API key generation and authentication for SAML users | `false` | +| `anchoreConfig.user_authentication.max_api_key_age_days` | The maximum age, in days, for API keys | `365` | +| `anchoreConfig.user_authentication.max_api_keys_per_user` | The maximum number of API keys per user | `100` | | `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `true` | | `anchoreConfig.user_authentication.sso_require_existing_users` | set to true in order to disable the SSO JIT provisioning during authentication | `false` | | `anchoreConfig.metrics.enabled` | Enable Prometheus metrics for all Anchore services | `false` | 
@@ -1271,20 +1271,21 @@ This rollback procedure is designed to revert your environment to its pre-migrat ### Anchore Upgrade Job Parameters -| Name | Description | Value | -| ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `upgradeJob.enabled` | Enable the Anchore Enterprise database upgrade job | `true` | -| `upgradeJob.force` | Force the Anchore Feeds database upgrade job to run as a regular job instead of as a Helm hook | `false` | -| `upgradeJob.rbacCreate` | Create RBAC resources for the Anchore upgrade job | `true` | -| `upgradeJob.serviceAccountName` | Use an existing service account for the Anchore upgrade job | `""` | -| `upgradeJob.usePostUpgradeHook` | Use a Helm post-upgrade hook to run the upgrade job instead of the default pre-upgrade hook. This job does not require creating RBAC resources. | `false` | -| `upgradeJob.nodeSelector` | Node labels for the Anchore upgrade job pod assignment | `{}` | -| `upgradeJob.tolerations` | Tolerations for the Anchore upgrade job pod assignment | `[]` | -| `upgradeJob.affinity` | Affinity for the Anchore upgrade job pod assignment | `{}` | -| `upgradeJob.annotations` | Annotations for the Anchore upgrade job | `{}` | -| `upgradeJob.resources` | Resource requests and limits for the Anchore upgrade job | `{}` | -| `upgradeJob.labels` | Labels for the Anchore upgrade job | `{}` | -| `upgradeJob.ttlSecondsAfterFinished` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | +| Name | Description | Value | +| ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | +| `upgradeJob.enabled` | Enable the Anchore Enterprise database upgrade job | `true` | +| `upgradeJob.force` | Force 
the Anchore Feeds database upgrade job to run as a regular job instead of as a Helm hook | `false` | +| `upgradeJob.rbacCreate` | Create RBAC resources for the Anchore upgrade job | `true` | +| `upgradeJob.serviceAccountName` | Use an existing service account for the Anchore upgrade job | `""` | +| `upgradeJob.usePostUpgradeHook` | Use a Helm post-upgrade hook to run the upgrade job instead of the default pre-upgrade hook. This job does not require creating RBAC resources. | `false` | +| `upgradeJob.kubectlImage` | The image to use for the upgrade job's init container that uses kubectl to scale down deployments before an upgrade | `bitnami/kubectl:1.27` | +| `upgradeJob.nodeSelector` | Node labels for the Anchore upgrade job pod assignment | `{}` | +| `upgradeJob.tolerations` | Tolerations for the Anchore upgrade job pod assignment | `[]` | +| `upgradeJob.affinity` | Affinity for the Anchore upgrade job pod assignment | `{}` | +| `upgradeJob.annotations` | Annotations for the Anchore upgrade job | `{}` | +| `upgradeJob.resources` | Resource requests and limits for the Anchore upgrade job | `{}` | +| `upgradeJob.labels` | Labels for the Anchore upgrade job | `{}` | +| `upgradeJob.ttlSecondsAfterFinished` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | ### Ingress Parameters diff --git a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml index 91f9f2ee..cf7891cc 100644 --- a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml +++ b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml @@ -44,7 +44,7 @@ spec: {{- end }} initContainers: - name: scale-down-anchore - image: bitnami/kubectl:1.27 + image: {{ .Values.upgradeJob.kubectlImage }} command: ["/bin/bash", "-c"] args: - | diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 2c7a94b0..e547480d 100644 --- a/stable/enterprise/values.yaml 
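Review bot: The new `image: {{ .Values.upgradeJob.kubectlImage }}` line interpolates the value as a plain YAML scalar, so an unset value renders as a bare `image:` (null) and a value with YAML-special characters is mis-parsed instead of failing loudly at template time; `image: {{ required "upgradeJob.kubectlImage must be set" .Values.upgradeJob.kubectlImage | quote }}` keeps the rendered field a non-empty string. The same applies to the four mode-fixer `image: {{ .Values.anchoreGlobal.scratchVolume.initContainerImage }}` lines in the later analyzer, catalog, feeds and policy-engine deployment hunks. The rest of this init container's spec (any `imagePullPolicy` or `securityContext`) is outside the hunk, so whether a pull policy is set for the now-configurable image cannot be checked here.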
+++ b/stable/enterprise/values.yaml @@ -1202,6 +1202,11 @@ upgradeJob: ## usePostUpgradeHook: false + ## @param upgradeJob.kubectlImage The image to use for the upgrade job's init container that uses kubectl to scale down deployments before an upgrade + ## This is only used in the preupgrade job. + ## + kubectlImage: bitnami/kubectl:1.27 + ## @param upgradeJob.nodeSelector Node labels for the Anchore upgrade job pod assignment ## nodeSelector: {} From afcb2813e1ca7644d28c3b7366d92f79366fa3b5 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 2 Jan 2024 16:51:48 -0500 Subject: [PATCH 297/329] bumping feeds dependency for enterprise Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock index e17799df..7bd5be6e 100644 --- a/stable/enterprise/Chart.lock +++ b/stable/enterprise/Chart.lock @@ -7,6 +7,6 @@ dependencies: version: 17.11.8 - name: feeds repository: https://charts.anchore.io/stable - version: 2.1.0 -digest: sha256:385067b7a0ee56787d1a987313cdafd1345eb935eb73af5480453f03de36277a -generated: "2023-12-12T19:37:54.203291-08:00" + version: 2.1.1 +digest: sha256:c181a54c79ab2db0a379bc22afd53ccd24d9ef2a1f5f7f036dac0f2465f83feb +generated: "2024-01-02T16:50:54.383299-05:00" From 506f693015bdfff156cab66dc3573fd041f3d694 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 3 Jan 2024 16:49:52 -0500 Subject: [PATCH 298/329] Bump feeds 5.1.1 (#331) * bumping feeds to 5.1.1 * update feeds tests --------- Signed-off-by: Hung Nguyen --- stable/feeds/Chart.yaml | 4 ++-- .../__snapshot__/prehook_upgrade_resources_test.yaml.snap | 2 +- stable/feeds/values.yaml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index 82918dfd..15c9137a 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml 
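Review bot: The default `kubectlImage: bitnami/kubectl:1.27` is a floating minor tag on an unqualified registry, so the pre-upgrade scale-down container — which per the README table runs with RBAC created for the upgrade job — changes content whenever that tag moves and is pulled from whatever registry the node defaults to. The other images in this chart are written fully qualified (`image: docker.io/anchore/enterprise:v5.1.1`); `kubectlImage: docker.io/bitnami/kubectl:1.27` would match that convention. The `## @param` comment could also add `## Pin to a digest (e.g. <image>@sha256:<digest>) for production; this container runs with RBAC able to scale deployments.`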
@@ -1,8 +1,8 @@ apiVersion: v2 name: feeds type: application -version: "2.1.1" -appVersion: "5.1.0" +version: "2.1.2" +appVersion: "5.1.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.28.x-x description: Anchore feeds service keywords: diff --git a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index 4a3e7821..b3a8c1d2 100644 --- a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -143,6 +143,6 @@ should render proper initContainers: value: test-release-feeds - name: ANCHORE_PORT value: "8448" - image: docker.io/anchore/enterprise:v5.1.0 + image: docker.io/anchore/enterprise:v5.1.1 imagePullPolicy: IfNotPresent name: wait-for-db diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml index 4f221ec2..c24f7795 100644 --- a/stable/feeds/values.yaml +++ b/stable/feeds/values.yaml @@ -21,7 +21,7 @@ nameOverride: "" ## @param image Image used for feeds deployment ## -image: docker.io/anchore/enterprise:v5.1.0 +image: docker.io/anchore/enterprise:v5.1.1 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy From 5b94f960f9ed43627f4d9dafd336628e68be6443 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 3 Jan 2024 16:20:13 -0500 Subject: [PATCH 299/329] bumping enterprise Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 4 ++-- stable/enterprise/values.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 48bfe3e5..cca8b7b3 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml 
@@ -1,7 +1,7 @@ apiVersion: v2 name: enterprise -version: "2.2.1" -appVersion: "5.1.0" +version: "2.2.2" +appVersion: "5.1.1" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x description: | Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems, diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index e547480d..3a286d50 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -18,7 +18,7 @@ global: ## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI ## -image: docker.io/anchore/enterprise:v5.1.0 +image: docker.io/anchore/enterprise:v5.1.1 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy From 06204ad8ee5dcd38d61668860f15298835d85861 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 3 Jan 2024 16:25:36 -0500 Subject: [PATCH 300/329] update enterprise tests Signed-off-by: Hung Nguyen --- .../tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index 26315c7a..35049c84 100644 --- a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -143,6 +143,6 @@ should render proper initContainers: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.1.0 + image: docker.io/anchore/enterprise:v5.1.1 imagePullPolicy: IfNotPresent name: wait-for-db From 8e6e851f118e89c51d1fbf7f4b57555e45a5818e Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 3 Jan 2024 16:52:11 -0500 Subject: [PATCH 301/329] updating enterprise deps 
Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock index 7bd5be6e..e742212a 100644 --- a/stable/enterprise/Chart.lock +++ b/stable/enterprise/Chart.lock @@ -7,6 +7,6 @@ dependencies: version: 17.11.8 - name: feeds repository: https://charts.anchore.io/stable - version: 2.1.1 -digest: sha256:c181a54c79ab2db0a379bc22afd53ccd24d9ef2a1f5f7f036dac0f2465f83feb -generated: "2024-01-02T16:50:54.383299-05:00" + version: 2.1.2 +digest: sha256:60e766cb4ec7976ab63530288e3c2c23a6fe2e2596bc92f550d6c453e2863336 +generated: "2024-01-03T16:51:40.920313-05:00" From 64dd611da0e95e7d495bc5fcb3dfab674f5b8593 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 10 Jan 2024 12:50:45 -0500 Subject: [PATCH 302/329] add feeds workspace dir to fixPermissions init container (#183) (#332) * add feeds workspace dir to fixPermissions init container * bump chart version * use sh not bash --------- Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- .../enterprise_feeds_deployment.yaml | 19 +++++++++++++++---- stable/anchore-engine/values.yaml | 1 + 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 0177e49b..9a76a4e9 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.28.4 +version: 1.28.5 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml index 7f5c3786..2299b5f3 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml 
@@ -63,19 +63,30 @@ spec: {{- end }} imagePullSecrets: - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }} - {{- if and .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreGlobal.securityContext.fsGroup }} + {{- if and (or .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreEnterpriseFeeds.persistence.fixGroupPermissions) .Values.anchoreGlobal.securityContext.fsGroup }} initContainers: - name: mode-fixer image: alpine securityContext: runAsUser: 0 volumeMounts: + {{- if .Values.anchoreGlobal.scratchVolume.fixGroupPermissions }} - name: {{ $component }}-scratch mountPath: {{ .Values.anchoreGlobal.scratchVolume.mountPath }} - command: - - sh - - -c + {{- end }} + {{- if .Values.anchoreEnterpriseFeeds.persistence.fixGroupPermissions }} + - name: data + mountPath: {{ .Values.anchoreEnterpriseFeeds.persistence.mountPath }} + subPath: {{ .Values.anchoreEnterpriseFeeds.persistence.subPath }} + {{- end }} + command: ["/bin/sh", "-c"] + args: + {{- if .Values.anchoreGlobal.scratchVolume.fixGroupPermissions }} - (chmod 0775 {{ .Values.anchoreGlobal.scratchVolume.mountPath }}; chgrp {{ .Values.anchoreGlobal.securityContext.fsGroup }} {{ .Values.anchoreGlobal.scratchVolume.mountPath }} ) + {{- end }} + {{- if .Values.anchoreEnterpriseFeeds.persistence.fixGroupPermissions }} + - (chmod 0775 {{ .Values.anchoreEnterpriseFeeds.persistence.mountPath }}; chgrp {{ .Values.anchoreGlobal.securityContext.fsGroup }} {{ .Values.anchoreEnterpriseFeeds.persistence.mountPath }} ) + {{- end }} {{- end }} containers: {{- if .Values.cloudsql.enabled }} diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index ff33b138..69c974bf 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml 
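Review bot: The added `subPath: {{ .Values.anchoreEnterpriseFeeds.persistence.subPath }}` renders as an empty `subPath:` when the value is unset, emitting a null field into the pod spec; guarding it with `{{- with .Values.anchoreEnterpriseFeeds.persistence.subPath }}` / `subPath: {{ . }}` / `{{- end }}` omits the key entirely instead. The new `args` entries splice both mount paths unquoted into a `/bin/sh -c` string, so a path containing whitespace breaks the command; these values are operator-supplied rather than untrusted, so this is a robustness rather than an injection concern, but quoting the interpolations (`chmod 0775 "{{ .Values.anchoreEnterpriseFeeds.persistence.mountPath }}"`) is cheap. Note that this init container runs as `runAsUser: 0` from the unpinned `alpine` tag; the following commit makes the image configurable but keeps that default.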
@@ -915,6 +915,7 @@ anchoreEnterpriseFeeds: # persistence controls the mounting of an external volume for feed driver download workspace. persistence: enabled: true + fixGroupPermissions: false resourcePolicy: keep # set resource-policy Helm annotation on PVC. Can be nil or "keep" ## A manually managed Persistent Volume and Claim From 7e6fb87b6ee972e773c6a22184cac4771f3aab67 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 12 Jan 2024 15:20:32 -0800 Subject: [PATCH 303/329] Fix Permissions init container fixes (#333) * configurable initContainer image for mode-fixer * update readme to remove unused secret in custom certs section * escape `&` in pre-upgrade hook job when using DB root cert * remove path to certs dir in pre-upgrade job as its included in env var * allow fixGroupPermissions on feeds workspace directory * update tests * update README table --------- Signed-off-by: Hung Nguyen Signed-off-by: Brady Todhunter Co-authored-by: Hung Nguyen Co-authored-by: osiagwe <95670662+osiagwe@users.noreply.github.com> --- stable/anchore-engine/Chart.yaml | 2 +- .../templates/analyzer_deployment.yaml | 2 +- .../templates/catalog_deployment.yaml | 2 +- .../enterprise_feeds_deployment.yaml | 2 +- .../templates/policy_engine_deployment.yaml | 2 +- stable/anchore-engine/values.yaml | 1 + stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 102 ++++++++------ stable/enterprise/templates/_common.tpl | 2 +- .../hooks/pre-upgrade/upgrade_job.yaml | 2 +- .../prehook_upgrade_resources_test.yaml.snap | 2 +- stable/enterprise/values.yaml | 2 + stable/feeds/Chart.yaml | 2 +- stable/feeds/README.md | 124 ++++++++++-------- stable/feeds/templates/deployment.yaml | 21 ++- .../hooks/pre-upgrade/upgrade_job.yaml | 2 +- .../prehook_upgrade_resources_test.yaml.snap | 2 +- stable/feeds/tests/common_helpers_test.yaml | 6 +- stable/feeds/values.yaml | 4 + 19 files changed, 166 insertions(+), 118 deletions(-) 
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 9a76a4e9..7da83262 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.28.5 +version: 1.28.6 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/templates/analyzer_deployment.yaml b/stable/anchore-engine/templates/analyzer_deployment.yaml index e2a2b00e..2173fecb 100644 --- a/stable/anchore-engine/templates/analyzer_deployment.yaml +++ b/stable/anchore-engine/templates/analyzer_deployment.yaml @@ -73,7 +73,7 @@ spec: {{- if and .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreGlobal.securityContext.fsGroup }} initContainers: - name: mode-fixer - image: alpine + image: {{ .Values.anchoreGlobal.scratchVolume.initContainerImage }} securityContext: runAsUser: 0 volumeMounts: diff --git a/stable/anchore-engine/templates/catalog_deployment.yaml b/stable/anchore-engine/templates/catalog_deployment.yaml index 34d769da..b12ffc17 100644 --- a/stable/anchore-engine/templates/catalog_deployment.yaml +++ b/stable/anchore-engine/templates/catalog_deployment.yaml @@ -75,7 +75,7 @@ spec: {{- if and .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreGlobal.securityContext.fsGroup }} initContainers: - name: mode-fixer - image: alpine + image: {{ .Values.anchoreGlobal.scratchVolume.initContainerImage }} securityContext: runAsUser: 0 volumeMounts: diff --git a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml index 2299b5f3..b8e4d615 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml 
@@ -66,7 +66,7 @@ spec: {{- if and (or .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreEnterpriseFeeds.persistence.fixGroupPermissions) .Values.anchoreGlobal.securityContext.fsGroup }} initContainers: - name: mode-fixer - image: alpine + image: {{ .Values.anchoreGlobal.scratchVolume.initContainerImage }} securityContext: runAsUser: 0 volumeMounts: diff --git a/stable/anchore-engine/templates/policy_engine_deployment.yaml b/stable/anchore-engine/templates/policy_engine_deployment.yaml index 8695d65d..2d4204ad 100644 --- a/stable/anchore-engine/templates/policy_engine_deployment.yaml +++ b/stable/anchore-engine/templates/policy_engine_deployment.yaml @@ -72,7 +72,7 @@ spec: {{- if and .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreGlobal.securityContext.fsGroup }} initContainers: - name: mode-fixer - image: alpine + image: {{ .Values.anchoreGlobal.scratchVolume.initContainerImage }} securityContext: runAsUser: 0 volumeMounts: diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 69c974bf..50b72926 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -173,6 +173,7 @@ anchoreGlobal: # Some k8s Volumes do not properly respect the fsGroup permissions. These volumes will get mounted as root:root # regardless of the security permissions requested. The fixGroupPermissions will create an initContainer that will # fixup the permissions. + initContainerImage: alpine fixGroupPermissions: false mountPath: /analysis_scratch details: {} diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index cca8b7b3..0f260edd 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "2.2.2" +version: "2.2.3" appVersion: "5.1.1" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x description: | 
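Review bot: The new `initContainerImage: alpine` default carries no tag, so the mode-fixer container — which the deployment hunks above run with `runAsUser: 0` — resolves to `alpine:latest` and changes content on every pull. A pinned tag or digest is the safer default, and the comment block above it should say so, e.g. `# initContainerImage runs as root to fix volume ownership; pin it to a specific tag or digest rather than a floating one.` The enterprise README hunk in this same commit documents the equivalent setting as `scratchVolume.fixerInitContainerImage`, while this chart names it `scratchVolume.initContainerImage`; if the two charts are meant to mirror each other, aligning the key name would avoid confusion, though the enterprise values change itself is not visible here.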
diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index da2666c6..72d025d4 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -632,8 +632,6 @@ metadata: namespace: ... type: Opaque data: - internal-ca-cert-bundle.pam: -[base64 encoded text] rds-combined-ca-cert-bundle.pem: [base64 encoded text] internal-cert.pem: @@ -665,7 +663,8 @@ anchoreConfig: certSecretCertFileName: internal-cert.pem ui: - # Specify an LDAP CA cert if using LDAP authenication + # Specify an LDAP CA cert if using LDAP authenication. + # Note if using an internal ca cert for internalServicesSSL, combine that into the ldap-combined-ca-cert-bundle.pem ldapsRootCaCertName: ldap-combined-ca-cert-bundle.pem ``` 
@@ -937,47 +936,50 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `global.fullnameOverride` | overrides the fullname set on resources | `""` | | `global.nameOverride` | overrides the name set on resources | `""` | + ### Common Resource Parameters -| Name | Description | Value | -| ------------------------------------- | ------------------------------------------------------------------------------------- | ------------------------------------- | -| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.1.0` | -| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | -| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | -| `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` | -| `migrationPodImage` | The image reference to the migration pod | `docker.io/postgres:13-bookworm` | -| `migrationAnchoreEngineSecretName` | The name of the secret that has anchore-engine values | `my-engine-anchore-engine` | -| `serviceAccountName` | Name of a service account used to run all Anchore pods | `""` | -| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | -| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | -| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | -| `extraEnv` | Common environment variables set on all containers | `[]` | -| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | -| `existingSecretName` | Name of an existing secret to be used for Anchore core services, excluding Anchore UI | `anchore-enterprise-env` | -| `labels` | Common labels set on all Kubernetes 
resources | `{}` | -| `annotations` | Common annotations set on all Kubernetes resources | `{}` | -| `scratchVolume.mountPath` | The mount path of an external volume for scratch space for image analysis | `/analysis_scratch` | -| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions | `false` | -| `scratchVolume.details` | Details for the k8s volume to be created | `{}` | -| `extraVolumes` | mounts additional volumes to each pod | `[]` | -| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | -| `securityContext.runAsUser` | The securityContext runAsUser for all Anchore pods | `1000` | -| `securityContext.runAsGroup` | The securityContext runAsGroup for all Anchore pods | `1000` | -| `securityContext.fsGroup` | The securityContext fsGroup for all Anchore pods | `1000` | -| `containerSecurityContext` | The securityContext for all containers | `{}` | -| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | -| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | -| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | -| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | -| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | -| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | -| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | -| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | -| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | -| `doSourceAtEntry.enabled` | Does a `source` of the file path defined before starting Anchore services | `false` | -| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | -| `configOverride` | Allows for overriding the default Anchore 
configuration file | `""` | -| `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | +| Name | Description | Value | +| --------------------------------------- | ------------------------------------------------------------------------------------- | ------------------------------------- | +| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.1.1` | +| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | +| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | +| `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` | +| `migrationPodImage` | The image reference to the migration pod | `docker.io/postgres:13-bookworm` | +| `migrationAnchoreEngineSecretName` | The name of the secret that has anchore-engine values | `my-engine-anchore-engine` | +| `serviceAccountName` | Name of a service account used to run all Anchore pods | `""` | +| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | +| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | +| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | +| `extraEnv` | Common environment variables set on all containers | `[]` | +| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | +| `existingSecretName` | Name of an existing secret to be used for Anchore core services, excluding Anchore UI | `anchore-enterprise-env` | +| `labels` | Common labels set on all Kubernetes resources | `{}` | +| `annotations` | Common annotations set on all Kubernetes resources | `{}` | +| `scratchVolume.mountPath` | The mount path of an external volume 
for scratch space for image analysis | `/analysis_scratch` | +| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions | `false` | +| `scratchVolume.fixerInitContainerImage` | The image to use for the mode-fixer initContainer | `alpine` | +| `scratchVolume.details` | Details for the k8s volume to be created | `{}` | +| `extraVolumes` | mounts additional volumes to each pod | `[]` | +| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | +| `securityContext.runAsUser` | The securityContext runAsUser for all Anchore pods | `1000` | +| `securityContext.runAsGroup` | The securityContext runAsGroup for all Anchore pods | `1000` | +| `securityContext.fsGroup` | The securityContext fsGroup for all Anchore pods | `1000` | +| `containerSecurityContext` | The securityContext for all containers | `{}` | +| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | +| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | +| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | +| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | +| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | +| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | +| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | +| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | +| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | +| `doSourceAtEntry.enabled` | Does a `source` of the file path defined before starting Anchore services | `false` | +| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | +| `configOverride` | Allows for overriding the default Anchore configuration file | `""` | +| `scripts` | Collection of helper 
scripts usable in all anchore enterprise pods | `{}` | + ### Anchore Configuration Parameters @@ -1082,6 +1084,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. | `""` | | `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` | + ### Anchore API k8s Deployment Parameters | Name | Description | Value | @@ -1102,6 +1105,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `api.affinity` | Affinity for Anchore API pod assignment | `{}` | | `api.serviceAccountName` | Service account name for Anchore API pods | `""` | + ### Anchore Analyzer k8s Deployment Parameters | Name | Description | Value | @@ -1117,6 +1121,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `analyzer.affinity` | Affinity for Anchore Analyzer pod assignment | `{}` | | `analyzer.serviceAccountName` | Service account name for Anchore API pods | `""` | + ### Anchore Catalog k8s Deployment Parameters | Name | Description | Value | @@ -1136,6 +1141,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `catalog.affinity` | Affinity for Anchore Catalog pod assignment | `{}` | | `catalog.serviceAccountName` | Service account name for Anchore Catalog pods | `""` | + ### Anchore Feeds Chart Parameters | Name | Description | Value | @@ -1144,6 +1150,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `feeds.standalone` | Sets the Anchore Feeds chart to run into non-standalone mode, for use with Anchore Enterprise. | `false` | | `feeds.url` | Set the URL for a standalone Feeds service. Use when chartEnabled=false. | `""` | + ### Anchore Policy Engine k8s Deployment Parameters | Name | Description | Value | 
@@ -1163,6 +1170,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `policyEngine.affinity` | Affinity for Anchore Policy Engine pod assignment | `{}` | | `policyEngine.serviceAccountName` | Service account name for Anchore Policy Engine pods | `""` | + ### Anchore Simple Queue Parameters | Name | Description | Value | @@ -1182,6 +1190,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `simpleQueue.affinity` | Affinity for Anchore Simple Queue pod assignment | `{}` | | `simpleQueue.serviceAccountName` | Service account name for Anchore Simple Queue pods | `""` | + ### Anchore Notifications Parameters | Name | Description | Value | @@ -1201,6 +1210,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `notifications.affinity` | Affinity for Anchore Notifications pod assignment | `{}` | | `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | + ### Anchore Reports Parameters | Name | Description | Value | @@ -1220,6 +1230,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `reports.affinity` | Affinity for Anchore Reports pod assignment | `{}` | | `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | + ### Anchore RBAC Authentication Parameters | Name | Description | Value | @@ -1227,6 +1238,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `rbacAuth.extraEnv` | Set extra environment variables for Anchore RBAC Authentication containers | `[]` | | `rbacAuth.resources` | Resource requests and limits for Anchore RBAC Authentication containers | `{}` | + ### Anchore RBAC Manager Parameters | Name | Description | Value | 
@@ -1246,6 +1258,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `rbacManager.affinity` | Affinity for Anchore RBAC Manager pod assignment | `{}` | | `rbacManager.serviceAccountName` | Service account name for Anchore RBAC Manager pods | `""` | + ### Anchore UI Parameters | Name | Description | Value | @@ -1269,6 +1282,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ui.affinity` | Affinity for Anchore ui pod assignment | `{}` | | `ui.serviceAccountName` | Service account name for Anchore UI pods | `""` | + ### Anchore Upgrade Job Parameters | Name | Description | Value | @@ -1287,6 +1301,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `upgradeJob.labels` | Labels for the Anchore upgrade job | `{}` | | `upgradeJob.ttlSecondsAfterFinished` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | + ### Ingress Parameters | Name | Description | Value | @@ -1305,6 +1320,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | + ### Google CloudSQL DB Parameters | Name | Description | Value | @@ -1318,6 +1334,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `cloudsql.serviceAccJsonName` | | `""` | | `cloudsql.extraArgs` | a list of extra arguments to be passed into the cloudsql container command. eg | `[]` | + ### Anchore UI Redis Parameters | Name | Description | Value | 
@@ -1328,6 +1345,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ui-redis.architecture` | Redis deployment architecture | `standalone` | | `ui-redis.master.persistence.enabled` | enables persistence | `false` | + ### Anchore Database Parameters | Name | Description | Value | diff --git a/stable/enterprise/templates/_common.tpl b/stable/enterprise/templates/_common.tpl index 370d5b16..c25491ec 100644 --- a/stable/enterprise/templates/_common.tpl +++ b/stable/enterprise/templates/_common.tpl @@ -115,7 +115,7 @@ Setup the common fix permissions init container for all pods using a scratch vol */}} {{- define "enterprise.common.fixPermissionsInitContainer" -}} - name: mode-fixer - image: alpine + image: {{ .Values.scratchVolume.fixerInitContainerImage }} securityContext: runAsUser: 0 volumeMounts: diff --git a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml index cf7891cc..5c0dd160 100644 --- a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml +++ b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml @@ -71,7 +71,7 @@ spec: CONNSTR=${CONNSTR}?sslmode=${ANCHORE_DB_SSL_MODE} fi if [[ ${ANCHORE_DB_SSL_ROOT_CERT} != null ]]; then - CONNSTR=${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_DB_SSL_ROOT_CERT} + CONNSTR=${CONNSTR}\&sslrootcert=${ANCHORE_DB_SSL_ROOT_CERT} fi err=$(anchore-enterprise-manager db --db-connect ${CONNSTR} pre-upgrade-check 2>&1 > /dev/null) if [[ !$err ]]; then diff --git a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index 35049c84..696a938c 100644 --- a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap 
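Review bot: The templated value on the new `image:` line is rendered as a plain scalar, so an empty or unset `scratchVolume.fixerInitContainerImage` renders `image:` (YAML null) and the manifest is rejected at apply time rather than at template time; `image: {{ .Values.scratchVolume.fixerInitContainerImage | quote }}` keeps it a string whatever the operator supplies. Since this init container runs with `runAsUser: 0` (visible context line), the template is a reasonable place to say so, e.g. `{{/* mode-fixer runs as root; its image comes from scratchVolume.fixerInitContainerImage */}}` above the define. The same unquoted interpolation appears in the stable/feeds/templates/deployment.yaml hunk. The define's body continues outside the hunk.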
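Review bot: The `if [[ !$err ]]; then` on the context line after the changed assignment appears never to evaluate false: with no space after `!`, `!$err` is a single word and `[[ word ]]` is true for any non-empty string (and the word is the bare `!` when `$err` is empty), so a failing `pre-upgrade-check` is not detected. It should read `if [[ -n "${err}" ]]; then`, and `${CONNSTR}` should be quoted on the `anchore-enterprise-manager` line so a space or `&` in the root-cert path survives word splitting. Dropping the `/home/anchore/certs/` prefix looks like it changes `ANCHORE_DB_SSL_ROOT_CERT` from a file name to a full path; if that is intended, a comment where the variable is set would stop operators from keeping the old bare-filename form. The same `[[ !$err ]]` test appears in the stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml hunk. The script and the job spec extend outside the hunk.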
@@ -117,7 +117,7 @@ should render proper initContainers: CONNSTR=${CONNSTR}?sslmode=${ANCHORE_DB_SSL_MODE} fi if [[ ${ANCHORE_DB_SSL_ROOT_CERT} != null ]]; then - CONNSTR=${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_DB_SSL_ROOT_CERT} + CONNSTR=${CONNSTR}\&sslrootcert=${ANCHORE_DB_SSL_ROOT_CERT} fi err=$(anchore-enterprise-manager db --db-connect ${CONNSTR} pre-upgrade-check 2>&1 > /dev/null) if [[ !$err ]]; then diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 3a286d50..4914ed05 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -102,6 +102,7 @@ annotations: {} ## @param scratchVolume.mountPath The mount path of an external volume for scratch space for image analysis ## @param scratchVolume.fixGroupPermissions Enable an initContainer that will fix the fsGroup permissions +## @param scratchVolume.fixerInitContainerImage The image to use for the mode-fixer initContainer ## @param scratchVolume.details [object] Details for the k8s volume to be created ## Generally speaking you need to provision 3x the size of the largest image (uncompressed) that you want to analyze ## ref: https://kubernetes.io/docs/concepts/storage/volumes/ @@ -109,6 +110,7 @@ annotations: {} scratchVolume: mountPath: /analysis_scratch fixGroupPermissions: false + fixerInitContainerImage: alpine details: {} ## @param extraVolumes mounts additional volumes to each pod diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index 15c9137a..aa555723 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: feeds type: application -version: "2.1.2" +version: "2.1.3" appVersion: "5.1.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.28.x-x description: Anchore feeds service diff --git a/stable/feeds/README.md b/stable/feeds/README.md index aa42cb00..7a8b4145 100644 --- a/stable/feeds/README.md +++ b/stable/feeds/README.md 
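Review bot: The new default `fixerInitContainerImage: alpine` on the `+` line is an untagged, non-digest-pinned reference to a public image that the chart runs as root in the mode-fixer init container, so each pod start may pull a different image than the one that was reviewed. Pinning the default to a specific tag (ideally a digest) and saying so in the parameter comment, e.g. `## @param scratchVolume.fixerInitContainerImage Image for the mode-fixer initContainer (runs as root; pin to a tag or digest)`, makes the exposure visible to operators. The same default appears in the stable/feeds/values.yaml hunk.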
@@ -306,64 +306,67 @@ anchoreConfig: ### Common Resource Parameters -| Name | Description | Value | -| ------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------- | -| `standalone` | Enable running the Anchore Feeds service in standalone mode | `true` | -| `url` | Set a custom feeds URL. Useful when using a feeds service endpoint that is external from the cluster. | `""` | -| `fullnameOverride` | overrides the fullname set on resources | `""` | -| `nameOverride` | overrides the name set on resources | `""` | -| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v5.1.0` | -| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | -| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | -| `serviceAccountName` | Name of a service account used to run all Feeds pods | `""` | -| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | -| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | -| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | -| `extraEnv` | Common environment variables set on all containers | `[]` | -| `labels` | Common labels set on all Kubernetes resources | `{}` | -| `annotations` | Common annotations set on all Kubernetes resources | `{}` | -| `resources` | Resource requests and limits for Anchore Feeds pods | `{}` | -| `nodeSelector` | Node labels for Anchore Feeds pod assignment | `{}` | -| `tolerations` | Tolerations for Anchore Feeds pod assignment | `[]` | -| `affinity` | Affinity for Anchore Feeds pod assignment | `{}` | -| `service.type` | Service type for Anchore Feeds | `ClusterIP` | -| `service.port` | Service port for 
Anchore Feeds | `8448` | -| `service.annotations` | Annotations for Anchore Feeds service | `{}` | -| `service.labels` | Labels for Anchore Feeds service | `{}` | -| `service.nodePort` | nodePort for Anchore Feeds service | `""` | -| `scratchVolume.mountPath` | The mount path of an external volume for scratch space for image analysis | `/anchore_scratch` | -| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions | `false` | -| `scratchVolume.details` | Details for the k8s volume to be created | `{}` | -| `persistence.enabled` | Enable mounting an external volume for feeds driver workspace | `true` | -| `persistence.resourcePolicy` | Resource policy Helm annotation on PVC. Can be nil or "keep" | `keep` | -| `persistence.existingClaim` | Specify an existing volume claim | `""` | -| `persistence.storageClass` | Persistent volume storage class | `""` | -| `persistence.accessMode` | Access Mode for persistent volume | `ReadWriteOnce` | -| `persistence.size` | Size of persistent volume | `40Gi` | -| `persistence.mountPath` | Mount path on Anchore Feeds container for persistent volume | `/workspace` | -| `persistence.subPath` | Directory name used for persistent volume storage | `feeds-workspace` | -| `persistence.annotations` | Annotations for PVC | `{}` | -| `extraVolumes` | mounts additional volumes to each pod | `[]` | -| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | -| `securityContext.runAsUser` | The securityContext runAsUser for all Feeds pods | `1000` | -| `securityContext.runAsGroup` | The securityContext runAsGroup for all Feeds pods | `1000` | -| `securityContext.fsGroup` | The securityContext fsGroup for all Feeds pods | `1000` | -| `containerSecurityContext` | The securityContext for all Feeds containers | `{}` | -| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | -| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | -| 
`probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | -| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | -| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | -| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | -| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | -| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | -| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | -| `doSourceAtEntry.enabled` | Does a `source` of the file paths defined before starting Anchore services | `false` | -| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | -| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | -| `existingSecretName` | Name of the existing secret to be used for Anchore Feeds Service | `anchore-enterprise-feeds-env` | -| `configOverride` | Allows for overriding the default Anchore configuration file | `{}` | -| `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | +| Name | Description | Value | +| --------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------- | +| `standalone` | Enable running the Anchore Feeds service in standalone mode | `true` | +| `url` | Set a custom feeds URL. Useful when using a feeds service endpoint that is external from the cluster. 
| `""` | +| `fullnameOverride` | overrides the fullname set on resources | `""` | +| `nameOverride` | overrides the name set on resources | `""` | +| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v5.1.1` | +| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | +| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | +| `serviceAccountName` | Name of a service account used to run all Feeds pods | `""` | +| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | +| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | +| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | +| `extraEnv` | Common environment variables set on all containers | `[]` | +| `labels` | Common labels set on all Kubernetes resources | `{}` | +| `annotations` | Common annotations set on all Kubernetes resources | `{}` | +| `resources` | Resource requests and limits for Anchore Feeds pods | `{}` | +| `nodeSelector` | Node labels for Anchore Feeds pod assignment | `{}` | +| `tolerations` | Tolerations for Anchore Feeds pod assignment | `[]` | +| `affinity` | Affinity for Anchore Feeds pod assignment | `{}` | +| `service.type` | Service type for Anchore Feeds | `ClusterIP` | +| `service.port` | Service port for Anchore Feeds | `8448` | +| `service.annotations` | Annotations for Anchore Feeds service | `{}` | +| `service.labels` | Labels for Anchore Feeds service | `{}` | +| `service.nodePort` | nodePort for Anchore Feeds service | `""` | +| `scratchVolume.mountPath` | The mount path of an external volume for scratch space for image analysis | `/anchore_scratch` | +| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions | `false` | +| 
`scratchVolume.fixerInitContainerImage` | Set the container image for the permissions fixer init container | `alpine` | +| `scratchVolume.details` | Details for the k8s volume to be created | `{}` | +| `persistence.enabled` | Enable mounting an external volume for feeds driver workspace | `true` | +| `persistence.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions | `false` | +| `persistence.resourcePolicy` | Resource policy Helm annotation on PVC. Can be nil or "keep" | `keep` | +| `persistence.existingClaim` | Specify an existing volume claim | `""` | +| `persistence.storageClass` | Persistent volume storage class | `""` | +| `persistence.accessMode` | Access Mode for persistent volume | `ReadWriteOnce` | +| `persistence.size` | Size of persistent volume | `40Gi` | +| `persistence.mountPath` | Mount path on Anchore Feeds container for persistent volume | `/workspace` | +| `persistence.subPath` | Directory name used for persistent volume storage | `feeds-workspace` | +| `persistence.annotations` | Annotations for PVC | `{}` | +| `extraVolumes` | mounts additional volumes to each pod | `[]` | +| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | +| `securityContext.runAsUser` | The securityContext runAsUser for all Feeds pods | `1000` | +| `securityContext.runAsGroup` | The securityContext runAsGroup for all Feeds pods | `1000` | +| `securityContext.fsGroup` | The securityContext fsGroup for all Feeds pods | `1000` | +| `containerSecurityContext` | The securityContext for all Feeds containers | `{}` | +| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | +| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | +| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | +| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | +| `probes.liveness.successThreshold` | Success threshold for liveness probe | 
`1` | +| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | +| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | +| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | +| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | +| `doSourceAtEntry.enabled` | Does a `source` of the file paths defined before starting Anchore services | `false` | +| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | +| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | +| `existingSecretName` | Name of the existing secret to be used for Anchore Feeds Service | `anchore-enterprise-feeds-env` | +| `configOverride` | Allows for overriding the default Anchore configuration file | `{}` | +| `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | + ### Anchore Feeds Configuration Parameters @@ -404,6 +407,7 @@ anchoreConfig: | `anchoreConfig.feeds.drivers.github.enabled` | Enable GitHub advisory feeds (requires GitHub PAT) | `false` | | `anchoreConfig.feeds.drivers.github.token` | GitHub developer personal access token with zero permission scopes | `""` | + ### Anchore Feeds Database Parameters | Name | Description | Value | @@ -418,6 +422,7 @@ anchoreConfig: | `feeds-db.primary.extraEnvVars` | An array to add extra environment variables | `[]` | | `feeds-db.image.tag` | Specifies the image to use for this chart. | `13.11.0-debian-11-r15` | + ### Feeds Gem Database Parameters | Name | Description | Value | @@ -432,6 +437,7 @@ anchoreConfig: | `gem-db.primary.extraEnvVars` | An array to add extra environment variables | `[]` | | `gem-db.image.tag` | Specifies the image to use for this chart. | `13.11.0-debian-11-r15` | + ### Anchore Feeds Upgrade Job Parameters | Name | Description | Value | 
@@ -450,6 +456,7 @@ anchoreConfig: | `feedsUpgradeJob.resources` | Resources for the Anchore Feeds upgrade job | `{}` | | `feedsUpgradeJob.ttlSecondsAfterFinished` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | + ### Ingress Parameters | Name | Description | Value | @@ -462,6 +469,7 @@ anchoreConfig: | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | + ### Google CloudSQL DB Parameters | Name | Description | Value | diff --git a/stable/feeds/templates/deployment.yaml b/stable/feeds/templates/deployment.yaml index 691a73e8..82a7bf43 100644 --- a/stable/feeds/templates/deployment.yaml +++ b/stable/feeds/templates/deployment.yaml 
@@ -30,19 +30,30 @@ spec: imagePullSecrets: - name: {{ . }} {{- end }} - {{- if and .Values.scratchVolume.fixGroupPermissions .Values.securityContext.fsGroup }} + {{- if and (or .Values.scratchVolume.fixGroupPermissions .Values.persistence.fixGroupPermissions) .Values.securityContext.fsGroup }} initContainers: - name: mode-fixer - image: alpine + image: {{ .Values.scratchVolume.fixerInitContainerImage }} securityContext: runAsUser: 0 volumeMounts: + {{- if .Values.scratchVolume.fixGroupPermissions }} - name: "anchore-scratch" mountPath: {{ .Values.scratchVolume.mountPath }} - command: - - sh - - -c + {{- end }} + {{- if .Values.persistence.fixGroupPermissions }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + command: ["/bin/sh", "-c"] + args: + {{- if .Values.scratchVolume.fixGroupPermissions }} - (chmod 0775 {{ .Values.scratchVolume.mountPath }}; chgrp {{ .Values.securityContext.fsGroup }} {{ .Values.scratchVolume.mountPath }} ) + {{- end }} + {{- if .Values.persistence.fixGroupPermissions }} + - (chmod 0775 {{ .Values.persistence.mountPath }}; chgrp {{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }} ) + {{- end }} {{- end }} containers: {{- if .Values.cloudsql.enabled }} diff --git a/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml index df6f0d7b..b588dd49 100644 --- a/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml +++ b/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml @@ -91,7 +91,7 @@ spec: CONNSTR=${CONNSTR}?sslmode=${ANCHORE_FEEDS_DB_SSL_MODE} fi if [[ ${ANCHORE_FEEDS_DB_SSL_ROOT_CERT} != null ]]; then - CONNSTR=${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_FEEDS_DB_SSL_ROOT_CERT} + CONNSTR=${CONNSTR}\&sslrootcert=${ANCHORE_FEEDS_DB_SSL_ROOT_CERT} fi err=$(anchore-enterprise-manager db --db-connect ${CONNSTR} pre-upgrade-check 2>&1 > /dev/null) if [[ !$err ]]; then 
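Review bot: When both `scratchVolume.fixGroupPermissions` and `persistence.fixGroupPermissions` are true, the new `args:` list renders two elements under `command: ["/bin/sh", "-c"]`, and `sh -c` executes only the first one — the second string becomes `$0` and the persistence directory is silently left unfixed. The two commands need to be joined into a single argument; a folded scalar keeps the template readable, as below, and the expected `args` in tests/common_helpers_test.yaml would then be one string. The `data` volume referenced by the new mount is not declared within the hunk, so I am assuming its name matches the volume defined later in the template. The guarding `if` on the first `+` line and the surrounding pod spec extend outside the hunk.
```yaml
      # … unchanged: volumeMounts for anchore-scratch and data …
      command: ["/bin/sh", "-c"]
      args:
        - >-
          {{- if .Values.scratchVolume.fixGroupPermissions }}
          chmod 0775 {{ .Values.scratchVolume.mountPath }}; chgrp {{ .Values.securityContext.fsGroup }} {{ .Values.scratchVolume.mountPath }};
          {{- end }}
          {{- if .Values.persistence.fixGroupPermissions }}
          chmod 0775 {{ .Values.persistence.mountPath }}; chgrp {{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }};
          {{- end }}
      # … unchanged: closing end of the initContainers block, containers …
```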
diff --git a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index b3a8c1d2..a1c187bc 100644 --- a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -117,7 +117,7 @@ should render proper initContainers: CONNSTR=${CONNSTR}?sslmode=${ANCHORE_FEEDS_DB_SSL_MODE} fi if [[ ${ANCHORE_FEEDS_DB_SSL_ROOT_CERT} != null ]]; then - CONNSTR=${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_FEEDS_DB_SSL_ROOT_CERT} + CONNSTR=${CONNSTR}\&sslrootcert=${ANCHORE_FEEDS_DB_SSL_ROOT_CERT} fi err=$(anchore-enterprise-manager db --db-connect ${CONNSTR} pre-upgrade-check 2>&1 > /dev/null) if [[ !$err ]]; then diff --git a/stable/feeds/tests/common_helpers_test.yaml b/stable/feeds/tests/common_helpers_test.yaml index a34c3c84..7893d7ab 100644 --- a/stable/feeds/tests/common_helpers_test.yaml +++ b/stable/feeds/tests/common_helpers_test.yaml @@ -286,7 +286,11 @@ tests: volumeMounts: - name: "anchore-scratch" mountPath: /anchore_scratch - command: [ sh, -c, (chmod 0775 /anchore_scratch; chgrp 9999 /anchore_scratch ) ] + args: + - (chmod 0775 /anchore_scratch; chgrp 9999 /anchore_scratch ) + command: + - /bin/sh + - -c count: 1 any: true diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml index c24f7795..c21d5d0d 100644 --- a/stable/feeds/values.yaml +++ b/stable/feeds/values.yaml 
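Review bot: The updated expectation still asserts only the scratch-volume case; there is no test for `persistence.fixGroupPermissions: true`, which is the new path introduced in templates/deployment.yaml in this same change, nor for both flags together, where the rendered `args` currently contains two entries. A second case that sets both flags and asserts on the `data` volumeMount and on `args` running both fix commands would pin the intended behaviour. The test's `set:` block and the rest of the suite are outside the hunk.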
@@ -102,6 +102,7 @@ service: ## @param scratchVolume.mountPath The mount path of an external volume for scratch space for image analysis ## @param scratchVolume.fixGroupPermissions Enable an initContainer that will fix the fsGroup permissions +## @param scratchVolume.fixerInitContainerImage Set the container image for the permissions fixer init container ## @param scratchVolume.details [object] Details for the k8s volume to be created ## Generally speaking you need to provision 3x the size of the largest image (uncompressed) that you want to analyze ## ref: https://kubernetes.io/docs/concepts/storage/volumes/ @@ -109,9 +110,11 @@ service: scratchVolume: mountPath: /anchore_scratch fixGroupPermissions: false + fixerInitContainerImage: alpine details: {} ## @param persistence.enabled Enable mounting an external volume for feeds driver workspace +## @param persistence.fixGroupPermissions Enable an initContainer that will fix the fsGroup permissions ## @param persistence.resourcePolicy Resource policy Helm annotation on PVC. Can be nil or "keep" ## @param persistence.existingClaim Specify an existing volume claim ## @param persistence.storageClass Persistent volume storage class @@ -124,6 +127,7 @@ scratchVolume: ## persistence: enabled: true + fixGroupPermissions: false resourcePolicy: keep existingClaim: "" storageClass: "" From 63c05b94a85f6433081cc8bf64f538d6f6d5d1ad Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 18 Jan 2024 16:06:36 -0800 Subject: [PATCH 304/329] Enterprise quote defaultpass (#334) * quote passwords in config file * bump chart version * update migration instructions to install latest 1.0.x patch release * update test snapshots --------- Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 6 +++--- stable/enterprise/files/default_config.yaml | 4 ++-- .../enterprise/tests/__snapshot__/configmap_test.yaml.snap | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) 
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 0f260edd..ec65ee01 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "2.2.3" +version: "2.2.4" appVersion: "5.1.1" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 72d025d4..eef7be81 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -791,7 +791,7 @@ See the [Migration Rollback Steps](#migration-rollback-steps) section for more d # export ADMIN_PASS=$(kubectl get secret -n ${NAMESPACE} ${ENGINE_RELEASE}-anchore-engine-admin-pass -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 -d -) # export SET_ADMIN_PASS=("--set" "anchoreConfig.default_admin_password=${ADMIN_PASS}") - helm install ${ENTERPRISE_RELEASE} -n ${NAMESPACE} ${SET_ADMIN_PASS[@]} -f ${ENTERPRISE_VALUES_FILE} anchore/enterprise --version=1.0.0 + helm install ${ENTERPRISE_RELEASE} -n ${NAMESPACE} ${SET_ADMIN_PASS[@]} -f ${ENTERPRISE_VALUES_FILE} anchore/enterprise --version=^1.0.0 ``` 1. **Verification and Cleanup**: After confirming that the Anchore Enterprise deployment is functional, you can safely uninstall the old Anchore Engine deployment. 
@@ -840,7 +840,7 @@ See the [Migration Rollback Steps](#migration-rollback-steps) section for more d export ADMIN_PASS=$(kubectl get secret -n ${NAMESPACE} ${ENGINE_RELEASE}-anchore-engine-admin-pass -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 -d -) export SET_ADMIN_PASS=("--set" "anchoreConfig.default_admin_password=${ADMIN_PASS}") - helm install ${ENTERPRISE_RELEASE} -n ${NAMESPACE} --set startMigrationPod=true --set migrationAnchoreEngineSecretName=${ENGINE_RELEASE}-anchore-engine ${SET_ADMIN_PASS[@]} anchore/enterprise -f ${ENTERPRISE_VALUES_FILE} --version=1.0.0 + helm install ${ENTERPRISE_RELEASE} -n ${NAMESPACE} --set startMigrationPod=true --set migrationAnchoreEngineSecretName=${ENGINE_RELEASE}-anchore-engine ${SET_ADMIN_PASS[@]} anchore/enterprise -f ${ENTERPRISE_VALUES_FILE} --version=^1.0.0 ``` 1. **Scale Down Anchore Enterprise**: Before migrating the database, scale down the new Anchore Enterprise deployment to zero replicas. @@ -890,7 +890,7 @@ See the [Migration Rollback Steps](#migration-rollback-steps) section for more d export ENTERPRISE_RELEASE= export ENTERPRISE_VALUES_FILE=${PWD}/output/enterprise.my-values-file.yaml # The converted file - helm upgrade ${ENTERPRISE_RELEASE} -n ${NAMESPACE} --set startMigrationPod=false anchore/enterprise -f ${ENTERPRISE_VALUES_FILE} --version=1.0.0 + helm upgrade ${ENTERPRISE_RELEASE} -n ${NAMESPACE} --set startMigrationPod=false anchore/enterprise -f ${ENTERPRISE_VALUES_FILE} --version=^1.0.0 ``` 1. **Final Verification and Cleanup**: After ensuring the new deployment is operational, uninstall the old Anchore Engine deployment. diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml index 55268bf8..8ef2da94 100644 --- a/stable/enterprise/files/default_config.yaml +++ b/stable/enterprise/files/default_config.yaml 
@@ -25,11 +25,11 @@ metrics: webhooks: {{- toYaml .Values.anchoreConfig.webhooks | nindent 2 }} -default_admin_password: ${ANCHORE_ADMIN_PASSWORD} +default_admin_password: "${ANCHORE_ADMIN_PASSWORD}" default_admin_email: ${ANCHORE_ADMIN_EMAIL} keys: - secret: ${ANCHORE_SAML_SECRET} + secret: "${ANCHORE_SAML_SECRET}" public_key_path: ${ANCHORE_AUTH_PRIVKEY} private_key_path: ${ANCHORE_AUTH_PUBKEY} diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 1364e8c8..1fb1cac9 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -72,11 +72,11 @@ should render the configmaps: webhooks: {} - default_admin_password: ${ANCHORE_ADMIN_PASSWORD} + default_admin_password: "${ANCHORE_ADMIN_PASSWORD}" default_admin_email: ${ANCHORE_ADMIN_EMAIL} keys: - secret: ${ANCHORE_SAML_SECRET} + secret: "${ANCHORE_SAML_SECRET}" public_key_path: ${ANCHORE_AUTH_PRIVKEY} private_key_path: ${ANCHORE_AUTH_PUBKEY} From 11bfda6365cb4444a0328e15d9a8341c9adf1560 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 1 Feb 2024 16:48:57 -0800 Subject: [PATCH 305/329] bump enterprise image to v4.9.5 (#335) Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/README.md | 4 ++++ stable/anchore-engine/values.yaml | 4 ++-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 7da83262..422a5630 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.28.6 +version: 1.28.7 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index b0acc53e..9d012980 100644 
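Review bot: Double-quoting `"${ANCHORE_ADMIN_PASSWORD}"` and `"${ANCHORE_SAML_SECRET}"` stops a digit-only or boolean-looking secret from being retyped, but a double-quoted YAML scalar still processes backslash escapes and ends at an embedded `"`, so a secret containing `\` or `"` now fails to parse or is silently altered where it previously loaded. If the `${...}` substitution happens before YAML parsing, single quotes (`'${ANCHORE_ADMIN_PASSWORD}'`) narrow the problem to `'` alone; otherwise the disallowed characters should be stated next to the value, e.g. `# substituted into a double-quoted YAML scalar: the secret must not contain '\' or '"'`. `default_admin_email` on the context line stays a plain scalar and gets none of this protection. The config document extends outside the hunk.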
--- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -198,6 +198,10 @@ A Helm post-upgrade hook job will shut down all previously running Anchore servi The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. +# Chart Version 1.28.7 + +* Anchore Enterprise image bumped to v4.9.5 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/495/) + # Chart Version 1.28.4 * Anchore Enterprise image bumped to v4.9.4 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/494/) diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 50b72926..c0b35245 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -766,7 +766,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v4.9.4 + image: docker.io/anchore/enterprise:v4.9.5 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. @@ -1136,7 +1136,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v4.9.0 + image: docker.io/anchore/enterprise-ui:v4.9.1 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers. 
From 6ca8d1fae1bb51ee9d444193e274e0143d55f967 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 1 Feb 2024 20:08:47 -0800 Subject: [PATCH 306/329] stable/feeds: update anchore enterprise image to v5.2.0 (#337) * update anchore enterprise image to v5.2.0 * update test snapshots --------- Signed-off-by: Brady Todhunter --- stable/feeds/Chart.yaml | 4 ++-- stable/feeds/README.md | 21 ++++++++++--------- .../prehook_upgrade_resources_test.yaml.snap | 2 +- stable/feeds/values.yaml | 2 +- 4 files changed, 15 insertions(+), 14 deletions(-) diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index aa555723..f94900d8 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: feeds type: application -version: "2.1.3" -appVersion: "5.1.1" +version: "2.2.0" +appVersion: "5.2.0" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.28.x-x description: Anchore feeds service keywords: diff --git a/stable/feeds/README.md b/stable/feeds/README.md index 7a8b4145..4be79077 100644 --- a/stable/feeds/README.md +++ b/stable/feeds/README.md @@ -195,15 +195,16 @@ See the [Anchore Enterprise Feeds](https://docs.anchore.com/current/docs/configu ```yaml anchoreConfig: feeds: - github: - enabled: true - # The GitHub feeds driver requires a GitHub developer personal access token with no permission scopes selected. - # See https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token - token: your-github-token - - # Enable microsoft feeds - msrc: - enabled: true + drivers: + github: + enabled: true + # The GitHub feeds driver requires a GitHub developer personal access token with no permission scopes selected. + # See https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token + token: your-github-token + + # Enable microsoft feeds + msrc: + enabled: true ``` ### Existing Secrets 
@@ -312,7 +313,7 @@ anchoreConfig:
 | `url` | Set a custom feeds URL. Useful when using a feeds service endpoint that is external from the cluster. | `""` |
 | `fullnameOverride` | overrides the fullname set on resources | `""` |
 | `nameOverride` | overrides the name set on resources | `""` |
-| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v5.1.1` |
+| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v5.2.0` |
 | `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` |
 | `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` |
 | `serviceAccountName` | Name of a service account used to run all Feeds pods | `""` |
diff --git a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap
index a1c187bc..3a403e51 100644
--- a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap
+++ b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap
@@ -143,6 +143,6 @@ should render proper initContainers:
 value: test-release-feeds
 - name: ANCHORE_PORT
 value: "8448"
- image: docker.io/anchore/enterprise:v5.1.1
+ image: docker.io/anchore/enterprise:v5.2.0
 imagePullPolicy: IfNotPresent
 name: wait-for-db
diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml
index c21d5d0d..2cbf710d 100644
--- a/stable/feeds/values.yaml
+++ b/stable/feeds/values.yaml
@@ -21,7 +21,7 @@ nameOverride: ""
 ## @param image Image used for feeds deployment
 ##
-image: docker.io/anchore/enterprise:v5.1.1
+image: docker.io/anchore/enterprise:v5.2.0
 ## @param imagePullPolicy Image pull policy used by all deployments
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
From 903a0afb7d622476e1e97136f960aa6a57377ef8 Mon Sep 17 00:00:00 2001
From: Brady Todhunter Date: Fri, 2 Feb 2024 14:14:05 -0800 Subject: [PATCH 307/329] stable/enterprise: Update Anchore Enterprise to v5.2.0 (#338) * Ent 5.2.0 updates (#187) * add additional configs for 5.2.0 * updating helm unittests and readme to include changes * adding scratch for reports * update default of api delete keys to 365; add scratch volume to reports pod; add reports resources tests * adding additional reports resources test * Enterprise split reports api (#188) * move reports service to seperate deployment * use enterprise prefix for helper templates * add rbacAuth container back to api pod * make reports-worker fullname match values key for the service * update unit tests * bump chart version * fix reports worker descriptions & alphabetize the top level key * add rbacAuth container to reports pod (#189) * add rbacAuth container to reports pod * add rbacAuth unit test for reports template * updating error message for image_ttl_days (#192) * Make scratch volume configurable (#193) * use helper template for scratch volume details. Allow component specific configs * add unit tests * add necessary values and update readme * bump chart version * bump enterprise image to v5.2.0 * update test snapshots * bump feeds chart version * bump chart version * update readme and values table * remove reports service from the ingress configuration --------- Signed-off-by: Brady Todhunter 
Signed-off-by: Hung Nguyen Co-authored-by: Hung Nguyen --- stable/enterprise/Chart.lock | 6 +- stable/enterprise/Chart.yaml | 4 +- stable/enterprise/README.md | 532 +++++++++--------- stable/enterprise/files/default_config.yaml | 7 +- stable/enterprise/templates/_common.tpl | 19 +- stable/enterprise/templates/_helpers.tpl | 2 +- stable/enterprise/templates/_names.tpl | 5 + .../templates/analyzer_deployment.yaml | 6 +- .../enterprise/templates/api_deployment.yaml | 29 +- .../templates/catalog_deployment.yaml | 8 +- .../templates/envvars_configmap.yaml | 2 +- stable/enterprise/templates/ingress.yaml | 37 +- .../templates/notifications_deployment.yaml | 2 +- .../templates/policyengine_deployment.yaml | 8 +- .../templates/rbacmanager_deployment.yaml | 2 +- .../templates/reports_deployment.yaml | 17 +- .../templates/reportsworker_deployment.yaml | 71 +++ .../templates/simplequeue_deployment.yaml | 2 +- .../enterprise/templates/ui_deployment.yaml | 2 +- .../__snapshot__/configmap_test.yaml.snap | 8 +- .../prehook_upgrade_resources_test.yaml.snap | 2 +- .../tests/analyzer_resources_test.yaml | 21 +- .../enterprise/tests/api_resources_test.yaml | 99 ---- .../tests/catalog_resources_test.yaml | 21 +- .../enterprise/tests/common_helpers_test.yaml | 49 ++ .../tests/policyengine_resources_test.yaml | 21 +- .../tests/reports_resources_test.yaml | 117 +++- .../tests/reportsworker_resources_test.yaml | 293 ++++++++++ stable/enterprise/values.yaml | 450 ++++++++++----- 29 files changed, 1234 insertions(+), 608 deletions(-) create mode 100644 stable/enterprise/templates/reportsworker_deployment.yaml create mode 100644 stable/enterprise/tests/reportsworker_resources_test.yaml diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock index e742212a..1ab27050 100644 --- a/stable/enterprise/Chart.lock +++ b/stable/enterprise/Chart.lock 
@@ -7,6 +7,6 @@ dependencies:
 version: 17.11.8
 - name: feeds
 repository: https://charts.anchore.io/stable
- version: 2.1.2
-digest: sha256:60e766cb4ec7976ab63530288e3c2c23a6fe2e2596bc92f550d6c453e2863336
-generated: "2024-01-03T16:51:40.920313-05:00"
+ version: 2.2.0
+digest: sha256:e2fc0ac4d344f4baf4e9b818d05b1bb88ee87f9f760e3fb8237260b67ffc4d15
+generated: "2024-02-01T21:44:45.424502-08:00"
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml
index ec65ee01..f51696be 100644
--- a/stable/enterprise/Chart.yaml
+++ b/stable/enterprise/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: enterprise
-version: "2.2.4"
-appVersion: "5.1.1"
+version: "2.3.0"
+appVersion: "5.2.0"
 kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x
 description: |
 Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems,
diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md
index eef7be81..2ecbcf03 100644
--- a/stable/enterprise/README.md
+++ b/stable/enterprise/README.md
@@ -154,6 +154,8 @@ ui-redis:
 ## Upgrading the Chart
+> :exclamation: **Important:** View the **[Chart Release Notes](#release-notes)** for the latest changes prior to upgrading.
+
 A Helm pre-upgrade hook initiates a Kubernetes job that scales down all active Anchore Enterprise pods and handles the Anchore database upgrade. The Helm upgrade is marked as successful only upon the job's completion. This process causes the Helm client to pause until the job finishes and new Anchore Enterprise pods are initiated. To monitor the upgrade, follow the logs of the upgrade jobs. These jobs are automatically removed after a subsequent successful Helm upgrade.
@@ -278,13 +280,14 @@ See the [Anchore Enterprise Feeds](https://docs.anchore.com/current/docs/configu
 feeds:
 anchoreConfig:
 feeds:
- github:
- enabled: true
- # The GitHub feeds driver requires a GitHub developer personal access token with no permission scopes selected.
- # See https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token
- token: your-github-token
- msrc:
- enabled: true
+ drivers:
+ github:
+ enabled: true
+ # The GitHub feeds driver requires a GitHub developer personal access token with no permission scopes selected.
+ # See https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token
+ token: your-github-token
+ msrc:
+ enabled: true
 ```
 #### Enterprise Feeds External Database Configuration
@@ -442,8 +445,6 @@ ingress:
 - anchore-ui.example.com
 feedsHosts:
 - anchore-feeds.example.com
- reportsHosts:
- - anchore-reports.example.com
 api:
 service:
@@ -453,10 +454,6 @@ feeds:
 service:
 type: NodePort
-reports:
- service:
- type: NodePort
-
 ui:
 service:
 type: NodePort
@@ -477,9 +474,6 @@ ingress:
 feedsPaths:
 - /v1/feeds/*
 - /v2/feeds/*
- reportsPaths:
- - /v1/reports/*
- - /v2/reports/*
 uiPath: /*
 apiHosts:
@@ -488,8 +482,6 @@ ingress:
 - anchore-ui.example.com
 feedsHosts:
 - anchore-feeds.example.com
- reportsHosts:
- - anchore-reports.example.com
 api:
 service:
@@ -499,10 +491,6 @@ feeds:
 service:
 type: NodePort
-reports:
- service:
- type: NodePort
-
 ui:
 service:
 type: NodePort
@@ -939,150 +927,170 @@ This rollback procedure is designed to revert your environment to its pre-migrat ### Common Resource Parameters -| Name | Description | Value | -| --------------------------------------- | ------------------------------------------------------------------------------------- | ------------------------------------- | -| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.1.1` | -| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | -| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | -| `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` | -| `migrationPodImage` | The image reference to the migration pod | `docker.io/postgres:13-bookworm` | -| `migrationAnchoreEngineSecretName` | The name of the secret that has anchore-engine values | `my-engine-anchore-engine` | -| `serviceAccountName` | Name of a service account used to run all Anchore pods | `""` | -| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | -| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | -| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | -| `extraEnv` | Common environment variables set on all containers | `[]` | -| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | -| `existingSecretName` | Name of an existing secret to be used for Anchore core services, excluding Anchore UI | `anchore-enterprise-env` | -| `labels` | Common labels set on all Kubernetes resources | `{}` | -| `annotations` | Common annotations set on all Kubernetes resources | `{}` | -| `scratchVolume.mountPath` | The mount path of an 
external volume for scratch space for image analysis | `/analysis_scratch` | -| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions | `false` | -| `scratchVolume.fixerInitContainerImage` | The image to use for the mode-fixer initContainer | `alpine` | -| `scratchVolume.details` | Details for the k8s volume to be created | `{}` | -| `extraVolumes` | mounts additional volumes to each pod | `[]` | -| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | -| `securityContext.runAsUser` | The securityContext runAsUser for all Anchore pods | `1000` | -| `securityContext.runAsGroup` | The securityContext runAsGroup for all Anchore pods | `1000` | -| `securityContext.fsGroup` | The securityContext fsGroup for all Anchore pods | `1000` | -| `containerSecurityContext` | The securityContext for all containers | `{}` | -| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | -| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | -| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | -| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | -| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | -| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | -| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | -| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | -| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | -| `doSourceAtEntry.enabled` | Does a `source` of the file path defined before starting Anchore services | `false` | -| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | -| `configOverride` | Allows for overriding the default Anchore configuration file | `""` | -| `scripts` | 
Collection of helper scripts usable in all anchore enterprise pods | `{}` | +| Name | Description | Value | +| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | +| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.2.0` | +| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | +| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | +| `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` | +| `migrationPodImage` | The image reference to the migration pod | `docker.io/postgres:13-bookworm` | +| `migrationAnchoreEngineSecretName` | The name of the secret that has anchore-engine values | `my-engine-anchore-engine` | +| `serviceAccountName` | Name of a service account used to run all Anchore pods | `""` | +| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | +| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | +| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | +| `extraEnv` | Common environment variables set on all containers | `[]` | +| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | +| `existingSecretName` | Name of an existing secret to be used for Anchore core services, excluding Anchore UI | `anchore-enterprise-env` | +| `labels` | Common labels set on all Kubernetes resources | `{}` | +| `annotations` | Common annotations set on all Kubernetes resources | `{}` | +| `scratchVolume.mountPath` | The mount path of an external volume 
for scratch space. Used for the following pods: analyzer, policy-engine, catalog, and reports | `/analysis_scratch` | +| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions on all scratch volumes | `false` | +| `scratchVolume.fixerInitContainerImage` | The image to use for the mode-fixer initContainer | `alpine` | +| `scratchVolume.details` | Details for the k8s volume to be created (defaults to default emptyDir) | `{}` | +| `extraVolumes` | mounts additional volumes to each pod | `[]` | +| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | +| `securityContext.runAsUser` | The securityContext runAsUser for all Anchore pods | `1000` | +| `securityContext.runAsGroup` | The securityContext runAsGroup for all Anchore pods | `1000` | +| `securityContext.fsGroup` | The securityContext fsGroup for all Anchore pods | `1000` | +| `containerSecurityContext` | The securityContext for all containers | `{}` | +| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | +| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | +| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | +| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | +| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | +| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | +| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | +| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | +| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | +| `doSourceAtEntry.enabled` | Does a `source` of the file path defined before starting Anchore services | `false` | +| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | +| 
`configOverride` | Allows for overriding the default Anchore configuration file | `""` | +| `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | ### Anchore Configuration Parameters -| Name | Description | Value | -| ------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------- | ------------------ | -| `anchoreConfig.service_dir` | Path to directory where default Anchore config files are placed at startup | `/anchore_service` | -| `anchoreConfig.log_level` | The log level for Anchore services | `INFO` | -| `anchoreConfig.allow_awsecr_iam_auto` | Enable AWS IAM instance role for ECR auth | `true` | -| `anchoreConfig.keys.secret` | The shared secret used for signing & encryption, auto-generated by Helm if not set. | `""` | -| `anchoreConfig.keys.privateKeyFileName` | The file name of the private key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` | -| `anchoreConfig.keys.publicKeyFileName` | The file name of the public key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` | -| `anchoreConfig.user_authentication.oauth.enabled` | Enable OAuth for Anchore user authentication | `true` | -| `anchoreConfig.user_authentication.oauth.default_token_expiration_seconds` | The expiration, in seconds, for OAuth tokens | `3600` | -| `anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds` | The expiration, in seconds, for OAuth refresh tokens | `86400` | -| `anchoreConfig.user_authentication.allow_api_keys_for_saml_users` | Enable API key generation and authentication for SAML users | `false` | -| `anchoreConfig.user_authentication.max_api_key_age_days` | The maximum age, in days, for API keys | `365` | -| `anchoreConfig.user_authentication.max_api_keys_per_user` | The maximum 
number of API keys per user | `100` | -| `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `true` | -| `anchoreConfig.user_authentication.sso_require_existing_users` | set to true in order to disable the SSO JIT provisioning during authentication | `false` | -| `anchoreConfig.metrics.enabled` | Enable Prometheus metrics for all Anchore services | `false` | -| `anchoreConfig.metrics.auth_disabled` | Disable auth on Prometheus metrics for all Anchore services | `false` | -| `anchoreConfig.webhooks` | Enable Anchore services to provide webhooks for external system updates | `{}` | -| `anchoreConfig.default_admin_password` | The password for the Anchore Enterprise admin user | `""` | -| `anchoreConfig.default_admin_email` | The email address used for the Anchore Enterprise admin user | `admin@myanchore` | -| `anchoreConfig.database.timeout` | | `120` | -| `anchoreConfig.database.ssl` | Enable SSL/TLS for the database connection | `false` | -| `anchoreConfig.database.sslMode` | The SSL mode to use for database connection | `verify-full` | -| `anchoreConfig.database.sslRootCertFileName` | File name of the database root CA certificate stored in the k8s secret specified with .Values.certStoreSecretName | `""` | -| `anchoreConfig.database.db_pool_size` | The database max connection pool size | `30` | -| `anchoreConfig.database.db_pool_max_overflow` | The maximum overflow size of the database connection pool | `100` | -| `anchoreConfig.database.engineArgs` | Set custom database engine arguments for SQLAlchemy | `{}` | -| `anchoreConfig.internalServicesSSL.enabled` | Force all Enterprise services to use SSL for internal communication | `false` | -| `anchoreConfig.internalServicesSSL.verifyCerts` | Enable cert verification against the local cert bundle, if this set to false self-signed certs are allowed | `false` | -| `anchoreConfig.internalServicesSSL.certSecretKeyFileName` | File name of the private key used 
for internal SSL stored in the secret specified in .Values.certStoreSecretName | `""` | -| `anchoreConfig.internalServicesSSL.certSecretCertFileName` | File name of the root CA certificate used for internal SSL stored in the secret specified in .Values.certStoreSecretName | `""` | -| `anchoreConfig.policyBundles` | Include custom Anchore policy bundles | `{}` | -| `anchoreConfig.apiext.external.enabled` | Allow overrides for constructing Anchore API URLs | `false` | -| `anchoreConfig.apiext.external.useTLS` | Enable TLS for external API access | `true` | -| `anchoreConfig.apiext.external.hostname` | Hostname for the external Anchore API | `""` | -| `anchoreConfig.apiext.external.port` | Port configured for external Anchore API | `8443` | -| `anchoreConfig.analyzer.cycle_timers.image_analyzer` | The interval between checks of the work queue for new analysis jobs | `1` | -| `anchoreConfig.analyzer.layer_cache_max_gigabytes` | Specify a cache size > 0GB to enable image layer caching | `0` | -| `anchoreConfig.analyzer.enable_hints` | Enable a user-supplied 'hints' file to override and/or augment the software artifacts found during analysis | `false` | -| `anchoreConfig.analyzer.configFile` | Custom Anchore Analyzer configuration file contents in YAML | `{}` | -| `anchoreConfig.catalog.cycle_timers.image_watcher` | Interval (seconds) to check for an update to a tag | `3600` | -| `anchoreConfig.catalog.cycle_timers.policy_eval` | Interval (seconds) to run a policy evaluation on images with policy_eval subscription activated | `3600` | -| `anchoreConfig.catalog.cycle_timers.vulnerability_scan` | Interval to run a vulnerability scan on images with vuln_update subscription activated | `14400` | -| `anchoreConfig.catalog.cycle_timers.analyzer_queue` | Interval to add new work on the image analysis queue | `1` | -| `anchoreConfig.catalog.cycle_timers.archive_tasks` | Interval to trigger Anchore Catalog archive Tasks | `43200` | -| 
`anchoreConfig.catalog.cycle_timers.notifications` | Interval in which notifications will be processed for state changes | `30` | -| `anchoreConfig.catalog.cycle_timers.service_watcher` | Interval of service state update poll, used for system status | `15` | -| `anchoreConfig.catalog.cycle_timers.policy_bundle_sync` | Interval of policy bundle sync | `300` | -| `anchoreConfig.catalog.cycle_timers.repo_watcher` | Interval between checks to repo for new tags | `60` | -| `anchoreConfig.catalog.cycle_timers.image_gc` | Interval for garbage collection of images marked for deletion | `60` | -| `anchoreConfig.catalog.cycle_timers.k8s_image_watcher` | Interval for the runtime inventory image analysis poll | `150` | -| `anchoreConfig.catalog.cycle_timers.resource_metrics` | Interval (seconds) for computing metrics from the DB | `60` | -| `anchoreConfig.catalog.cycle_timers.events_gc` | Interval (seconds) for cleaning up events in the system based on timestamp | `43200` | -| `anchoreConfig.catalog.cycle_timers.artifact_lifecycle_policy_tasks` | Interval (seconds) for running artifact lifecycle policy tasks | `43200` | -| `anchoreConfig.catalog.event_log` | Event log for webhooks, YAML configuration | `{}` | -| `anchoreConfig.catalog.analysis_archive` | Custom analysis archive YAML configuration | `{}` | -| `anchoreConfig.catalog.object_store` | Custom object storage YAML configuration | `{}` | -| `anchoreConfig.catalog.runtime_inventory.inventory_ttl_days` | TTL for runtime inventory. | `120` | -| `anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite` | force runtime inventory to be overwritten upon every update for that reported context. 
| `false` | -| `anchoreConfig.catalog.down_analyzer_task_requeue` | Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state | `true` | -| `anchoreConfig.policy_engine.cycle_timers.feed_sync` | Interval to run a feed sync to get latest cve data | `14400` | -| `anchoreConfig.policy_engine.cycle_timers.feed_sync_checker` | Interval between checks to see if there needs to be a task queued | `3600` | -| `anchoreConfig.policy_engine.overrideFeedsToUpstream` | Override the Anchore Feeds URL to use the public upstream Anchore Feeds | `false` | -| `anchoreConfig.notifications.cycle_timers.notifications` | Interval that notifications are sent | `30` | -| `anchoreConfig.notifications.ui_url` | Set the UI URL that is included in the notification, defaults to the Enterprise UI service name | `""` | -| `anchoreConfig.reports.enable_graphiql` | Enable GraphiQL, a GUI for editing and testing GraphQL queries and mutations | `true` | -| `anchoreConfig.reports.async_execution_timeout` | Configure how long a scheduled query must be running for before it is considered timed out | `48h` | -| `anchoreConfig.reports_worker.enable_data_ingress` | Enable periodically syncing data into the Anchore Reports Service | `true` | -| `anchoreConfig.reports_worker.enable_data_egress` | Periodically remove reporting data that has been removed in other parts of system | `false` | -| `anchoreConfig.reports_worker.data_egress_window` | defines a number of days to keep reporting data following its deletion in the rest of system. | `0` | -| `anchoreConfig.reports_worker.data_refresh_max_workers` | The maximum number of concurrent threads to refresh existing results (etl vulnerabilities and evaluations) in reports service. | `10` | -| `anchoreConfig.reports_worker.data_load_max_workers` | The maximum number of concurrent threads to load new results (etl vulnerabilities and evaluations) to reports service. 
| `10` | -| `anchoreConfig.reports_worker.cycle_timers.reports_image_load` | Interval that vulnerabilities for images are synced | `600` | -| `anchoreConfig.reports_worker.cycle_timers.reports_tag_load` | Interval that vulnerabilties by tags are synced | `600` | -| `anchoreConfig.reports_worker.cycle_timers.reports_runtime_inventory_load` | Interval that the runtime inventory is synced | `600` | -| `anchoreConfig.reports_worker.cycle_timers.reports_extended_runtime_vuln_load` | Interval extended runtime reports are synched (ecs, k8s containers and namespaces) | `1800` | -| `anchoreConfig.reports_worker.cycle_timers.reports_image_refresh` | Interval that images are refreshed | `7200` | -| `anchoreConfig.reports_worker.cycle_timers.reports_tag_refresh` | Interval that tags are refreshed | `7200` | -| `anchoreConfig.reports_worker.cycle_timers.reports_metrics` | Interval for how often reporting metrics are generated | `3600` | -| `anchoreConfig.reports_worker.cycle_timers.reports_image_egress` | Interval stale states are removed by image | `600` | -| `anchoreConfig.reports_worker.cycle_timers.reports_tag_egress` | Interval stale states are removed by tag | `600` | -| `anchoreConfig.ui.enable_proxy` | Trust a reverse proxy when setting secure cookies (via the `X-Forwarded-Proto` header) | `false` | -| `anchoreConfig.ui.enable_ssl` | Enable SSL in the Anchore UI container | `false` | -| `anchoreConfig.ui.enable_shared_login` | Allow single user to start multiple Anchore UI sessions | `true` | -| `anchoreConfig.ui.redis_flushdb` | Flush user session keys and empty data on Anchore UI startup | `true` | -| `anchoreConfig.ui.force_websocket` | Force WebSocket protocol for socket message communications | `false` | -| `anchoreConfig.ui.authentication_lock.count` | Number of failed authentication attempts allowed before a temporary lock is applied | `5` | -| `anchoreConfig.ui.authentication_lock.expires` | Authentication lock duration | `300` | -| 
`anchoreConfig.ui.custom_links` | List of up to 10 external links provided | `{}` | -| `anchoreConfig.ui.enable_add_repositories` | Specify what users can add image repositories to the Anchore UI | `{}` | -| `anchoreConfig.ui.log_level` | Descriptive detail of the application log output | `http` | -| `anchoreConfig.ui.enrich_inventory_view` | aggregate and include compliance and vulnerability data from the reports service. | `true` | -| `anchoreConfig.ui.appdb_config.native` | toggle the postgreSQL drivers used to connect to the database between the native and the NodeJS drivers. | `true` | -| `anchoreConfig.ui.appdb_config.pool.max` | maximum number of simultaneous connections allowed in the connection pool | `10` | -| `anchoreConfig.ui.appdb_config.pool.min` | minimum number of connections | `0` | -| `anchoreConfig.ui.appdb_config.pool.acquire` | the timeout in milliseconds used when acquiring a new connection | `30000` | -| `anchoreConfig.ui.appdb_config.pool.idle` | the maximum time that a connection can be idle before being released | `10000` | -| `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. | `""` | -| `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` | +| Name | Description | Value | +| -------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------ | +| `anchoreConfig.service_dir` | Path to directory where default Anchore config files are placed at startup | `/anchore_service` | +| `anchoreConfig.log_level` | The log level for Anchore services | `INFO` | +| `anchoreConfig.allow_awsecr_iam_auto` | Enable AWS IAM instance role for ECR auth | `true` | +| `anchoreConfig.keys.secret` | The shared secret used for signing & encryption, auto-generated by Helm if not set. 
| `""` | +| `anchoreConfig.keys.privateKeyFileName` | The file name of the private key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` | +| `anchoreConfig.keys.publicKeyFileName` | The file name of the public key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` | +| `anchoreConfig.user_authentication.oauth.enabled` | Enable OAuth for Anchore user authentication | `true` | +| `anchoreConfig.user_authentication.oauth.default_token_expiration_seconds` | The expiration, in seconds, for OAuth tokens | `3600` | +| `anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds` | The expiration, in seconds, for OAuth refresh tokens | `86400` | +| `anchoreConfig.user_authentication.allow_api_keys_for_saml_users` | Enable API key generation and authentication for SAML users | `false` | +| `anchoreConfig.user_authentication.max_api_key_age_days` | The maximum age, in days, for API keys | `365` | +| `anchoreConfig.user_authentication.max_api_keys_per_user` | The maximum number of API keys per user | `100` | +| `anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days` | The number of days elapsed after a user API key is deleted before it is garbage collected (-1 to disable) | `365` | +| `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `true` | +| `anchoreConfig.user_authentication.sso_require_existing_users` | set to true in order to disable the SSO JIT provisioning during authentication | `false` | +| `anchoreConfig.metrics.enabled` | Enable Prometheus metrics for all Anchore services | `false` | +| `anchoreConfig.metrics.auth_disabled` | Disable auth on Prometheus metrics for all Anchore services | `false` | +| `anchoreConfig.webhooks` | Enable Anchore services to provide webhooks for external system updates | `{}` | +| `anchoreConfig.default_admin_password` | The 
password for the Anchore Enterprise admin user | `""` | +| `anchoreConfig.default_admin_email` | The email address used for the Anchore Enterprise admin user | `admin@myanchore` | +| `anchoreConfig.database.timeout` | | `120` | +| `anchoreConfig.database.ssl` | Enable SSL/TLS for the database connection | `false` | +| `anchoreConfig.database.sslMode` | The SSL mode to use for database connection | `verify-full` | +| `anchoreConfig.database.sslRootCertFileName` | File name of the database root CA certificate stored in the k8s secret specified with .Values.certStoreSecretName | `""` | +| `anchoreConfig.database.db_pool_size` | The database max connection pool size | `30` | +| `anchoreConfig.database.db_pool_max_overflow` | The maximum overflow size of the database connection pool | `100` | +| `anchoreConfig.database.engineArgs` | Set custom database engine arguments for SQLAlchemy | `{}` | +| `anchoreConfig.internalServicesSSL.enabled` | Force all Enterprise services to use SSL for internal communication | `false` | +| `anchoreConfig.internalServicesSSL.verifyCerts` | Enable cert verification against the local cert bundle, if this set to false self-signed certs are allowed | `false` | +| `anchoreConfig.internalServicesSSL.certSecretKeyFileName` | File name of the private key used for internal SSL stored in the secret specified in .Values.certStoreSecretName | `""` | +| `anchoreConfig.internalServicesSSL.certSecretCertFileName` | File name of the root CA certificate used for internal SSL stored in the secret specified in .Values.certStoreSecretName | `""` | +| `anchoreConfig.policyBundles` | Include custom Anchore policy bundles | `{}` | +| `anchoreConfig.apiext.external.enabled` | Allow overrides for constructing Anchore API URLs | `false` | +| `anchoreConfig.apiext.external.useTLS` | Enable TLS for external API access | `true` | +| `anchoreConfig.apiext.external.hostname` | Hostname for the external Anchore API | `""` | +| `anchoreConfig.apiext.external.port` | Port 
configured for external Anchore API | `8443` | +| `anchoreConfig.analyzer.cycle_timers.image_analyzer` | The interval between checks of the work queue for new analysis jobs | `1` | +| `anchoreConfig.analyzer.layer_cache_max_gigabytes` | Specify a cache size > 0GB to enable image layer caching | `0` | +| `anchoreConfig.analyzer.enable_hints` | Enable a user-supplied 'hints' file to override and/or augment the software artifacts found during analysis | `false` | +| `anchoreConfig.analyzer.configFile` | Custom Anchore Analyzer configuration file contents in YAML | `{}` | +| `anchoreConfig.catalog.cycle_timers.image_watcher` | Interval (seconds) to check for an update to a tag | `3600` | +| `anchoreConfig.catalog.cycle_timers.policy_eval` | Interval (seconds) to run a policy evaluation on images with policy_eval subscription activated | `3600` | +| `anchoreConfig.catalog.cycle_timers.vulnerability_scan` | Interval to run a vulnerability scan on images with vuln_update subscription activated | `14400` | +| `anchoreConfig.catalog.cycle_timers.analyzer_queue` | Interval to add new work on the image analysis queue | `1` | +| `anchoreConfig.catalog.cycle_timers.archive_tasks` | Interval to trigger Anchore Catalog archive Tasks | `43200` | +| `anchoreConfig.catalog.cycle_timers.notifications` | Interval in which notifications will be processed for state changes | `30` | +| `anchoreConfig.catalog.cycle_timers.service_watcher` | Interval of service state update poll, used for system status | `15` | +| `anchoreConfig.catalog.cycle_timers.policy_bundle_sync` | Interval of policy bundle sync | `300` | +| `anchoreConfig.catalog.cycle_timers.repo_watcher` | Interval between checks to repo for new tags | `60` | +| `anchoreConfig.catalog.cycle_timers.image_gc` | Interval for garbage collection of images marked for deletion | `60` | +| `anchoreConfig.catalog.cycle_timers.k8s_image_watcher` | Interval for the runtime inventory image analysis poll | `150` | +| 
`anchoreConfig.catalog.cycle_timers.resource_metrics` | Interval (seconds) for computing metrics from the DB | `60` | +| `anchoreConfig.catalog.cycle_timers.events_gc` | Interval (seconds) for cleaning up events in the system based on timestamp | `43200` | +| `anchoreConfig.catalog.cycle_timers.artifact_lifecycle_policy_tasks` | Interval (seconds) for running artifact lifecycle policy tasks | `43200` | +| `anchoreConfig.catalog.event_log` | Event log for webhooks, YAML configuration | `{}` | +| `anchoreConfig.catalog.analysis_archive` | Custom analysis archive YAML configuration | `{}` | +| `anchoreConfig.catalog.object_store` | Custom object storage YAML configuration | `{}` | +| `anchoreConfig.catalog.runtime_inventory.inventory_ttl_days` | TTL for runtime inventory. | `120` | +| `anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite` | force runtime inventory to be overwritten upon every update for that reported context. | `false` | +| `anchoreConfig.catalog.down_analyzer_task_requeue` | Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state | `true` | +| `anchoreConfig.policy_engine.cycle_timers.feed_sync` | Interval to run a feed sync to get latest cve data | `14400` | +| `anchoreConfig.policy_engine.cycle_timers.feed_sync_checker` | Interval between checks to see if there needs to be a task queued | `3600` | +| `anchoreConfig.policy_engine.overrideFeedsToUpstream` | Override the Anchore Feeds URL to use the public upstream Anchore Feeds | `false` | +| `anchoreConfig.notifications.cycle_timers.notifications` | Interval that notifications are sent | `30` | +| `anchoreConfig.notifications.ui_url` | Set the UI URL that is included in the notification, defaults to the Enterprise UI service name | `""` | +| `anchoreConfig.reports.enable_graphiql` | Enable GraphiQL, a GUI for editing and testing GraphQL queries and mutations | `true` | +| `anchoreConfig.reports.async_execution_timeout` | Configure how 
long a scheduled query must be running for before it is considered timed out | `48h` | +| `anchoreConfig.reports.cycle_timers.reports_scheduled_queries` | Interval in seconds to check for scheduled queries that need to be run | `600` | +| `anchoreConfig.reports.use_volume` | Configure the reports worker to buffer report generation to disk instead of in memory | `false` | +| `anchoreConfig.reports_worker.enable_data_ingress` | Enable periodically syncing data into the Anchore Reports Service | `true` | +| `anchoreConfig.reports_worker.enable_data_egress` | Periodically remove reporting data that has been removed in other parts of system | `false` | +| `anchoreConfig.reports_worker.data_egress_window` | defines a number of days to keep reporting data following its deletion in the rest of system. | `0` | +| `anchoreConfig.reports_worker.data_refresh_max_workers` | The maximum number of concurrent threads to refresh existing results (etl vulnerabilities and evaluations) in reports service. | `10` | +| `anchoreConfig.reports_worker.data_load_max_workers` | The maximum number of concurrent threads to load new results (etl vulnerabilities and evaluations) to reports service. 
| `10` | +| `anchoreConfig.reports_worker.cycle_timers.reports_image_load` | Interval that vulnerabilities for images are synced | `600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_tag_load` | Interval that vulnerabilties by tags are synced | `600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_runtime_inventory_load` | Interval that the runtime inventory is synced | `600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_extended_runtime_vuln_load` | Interval extended runtime reports are synched (ecs, k8s containers and namespaces) | `1800` | +| `anchoreConfig.reports_worker.cycle_timers.reports_image_refresh` | Interval that images are refreshed | `7200` | +| `anchoreConfig.reports_worker.cycle_timers.reports_tag_refresh` | Interval that tags are refreshed | `7200` | +| `anchoreConfig.reports_worker.cycle_timers.reports_metrics` | Interval for how often reporting metrics are generated | `3600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_image_egress` | Interval stale states are removed by image | `600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_tag_egress` | Interval stale states are removed by tag | `600` | +| `anchoreConfig.ui.enable_proxy` | Trust a reverse proxy when setting secure cookies (via the `X-Forwarded-Proto` header) | `false` | +| `anchoreConfig.ui.enable_ssl` | Enable SSL in the Anchore UI container | `false` | +| `anchoreConfig.ui.enable_shared_login` | Allow single user to start multiple Anchore UI sessions | `true` | +| `anchoreConfig.ui.redis_flushdb` | Flush user session keys and empty data on Anchore UI startup | `true` | +| `anchoreConfig.ui.force_websocket` | Force WebSocket protocol for socket message communications | `false` | +| `anchoreConfig.ui.authentication_lock.count` | Number of failed authentication attempts allowed before a temporary lock is applied | `5` | +| `anchoreConfig.ui.authentication_lock.expires` | Authentication lock duration | `300` | +| 
`anchoreConfig.ui.custom_links` | List of up to 10 external links provided | `{}` | +| `anchoreConfig.ui.enable_add_repositories` | Specify what users can add image repositories to the Anchore UI | `{}` | +| `anchoreConfig.ui.log_level` | Descriptive detail of the application log output | `http` | +| `anchoreConfig.ui.enrich_inventory_view` | aggregate and include compliance and vulnerability data from the reports service. | `true` | +| `anchoreConfig.ui.appdb_config.native` | toggle the postgreSQL drivers used to connect to the database between the native and the NodeJS drivers. | `true` | +| `anchoreConfig.ui.appdb_config.pool.max` | maximum number of simultaneous connections allowed in the connection pool | `10` | +| `anchoreConfig.ui.appdb_config.pool.min` | minimum number of connections | `0` | +| `anchoreConfig.ui.appdb_config.pool.acquire` | the timeout in milliseconds used when acquiring a new connection | `30000` | +| `anchoreConfig.ui.appdb_config.pool.idle` | the maximum time that a connection can be idle before being released | `10000` | +| `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. 
| `""` | +| `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` | + + +### Anchore Analyzer k8s Deployment Parameters + +| Name | Description | Value | +| -------------------------------- | --------------------------------------------------------------------------- | ------ | +| `analyzer.replicaCount` | Number of replicas for the Anchore Analyzer deployment | `1` | +| `analyzer.service.port` | The port used for gatherings metrics when .Values.metricsEnabled=true | `8084` | +| `analyzer.extraEnv` | Set extra environment variables for Anchore Analyzer pods | `[]` | +| `analyzer.resources` | Resource requests and limits for Anchore Analyzer pods | `{}` | +| `analyzer.labels` | Labels for Anchore Analyzer pods | `{}` | +| `analyzer.annotations` | Annotation for Anchore Analyzer pods | `{}` | +| `analyzer.nodeSelector` | Node labels for Anchore Analyzer pod assignment | `{}` | +| `analyzer.tolerations` | Tolerations for Anchore Analyzer pod assignment | `[]` | +| `analyzer.affinity` | Affinity for Anchore Analyzer pod assignment | `{}` | +| `analyzer.serviceAccountName` | Service account name for Anchore API pods | `""` | +| `analyzer.scratchVolume.details` | Details for the k8s volume to be created for Anchore Analyzer scratch space | `{}` | ### Anchore API k8s Deployment Parameters @@ -1092,7 +1100,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `api.replicaCount` | Number of replicas for Anchore API deployment | `1` | | `api.service.type` | Service type for Anchore API | `ClusterIP` | | `api.service.port` | Service port for Anchore API | `8228` | -| `api.service.reportsPort` | Service port for Anchore Reports API | `8558` | | `api.service.annotations` | Annotations for Anchore API service | `{}` | | `api.service.labels` | Labels for Anchore API service | `{}` | | `api.service.nodePort` | nodePort for Anchore API service | `""` | 
@@ -1106,40 +1113,25 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `api.serviceAccountName` | Service account name for Anchore API pods | `""` | -### Anchore Analyzer k8s Deployment Parameters - -| Name | Description | Value | -| ----------------------------- | --------------------------------------------------------------------- | ------ | -| `analyzer.replicaCount` | Number of replicas for the Anchore Analyzer deployment | `1` | -| `analyzer.service.port` | The port used for gatherings metrics when .Values.metricsEnabled=true | `8084` | -| `analyzer.extraEnv` | Set extra environment variables for Anchore Analyzer pods | `[]` | -| `analyzer.resources` | Resource requests and limits for Anchore Analyzer pods | `{}` | -| `analyzer.labels` | Labels for Anchore Analyzer pods | `{}` | -| `analyzer.annotations` | Annotation for Anchore Analyzer pods | `{}` | -| `analyzer.nodeSelector` | Node labels for Anchore Analyzer pod assignment | `{}` | -| `analyzer.tolerations` | Tolerations for Anchore Analyzer pod assignment | `[]` | -| `analyzer.affinity` | Affinity for Anchore Analyzer pod assignment | `{}` | -| `analyzer.serviceAccountName` | Service account name for Anchore API pods | `""` | - - ### Anchore Catalog k8s Deployment Parameters -| Name | Description | Value | -| ----------------------------- | -------------------------------------------------------- | ----------- | -| `catalog.replicaCount` | Number of replicas for the Anchore Catalog deployment | `1` | -| `catalog.service.type` | Service type for Anchore Catalog | `ClusterIP` | -| `catalog.service.port` | Service port for Anchore Catalog | `8082` | -| `catalog.service.annotations` | Annotations for Anchore Catalog service | `{}` | -| `catalog.service.labels` | Labels for Anchore Catalog service | `{}` | -| `catalog.service.nodePort` | nodePort for Anchore Catalog service | `""` | -| `catalog.extraEnv` | Set extra environment variables for Anchore Catalog pods | `[]` | -| 
`catalog.resources` | Resource requests and limits for Anchore Catalog pods | `{}` | -| `catalog.labels` | Labels for Anchore Catalog pods | `{}` | -| `catalog.annotations` | Annotation for Anchore Catalog pods | `{}` | -| `catalog.nodeSelector` | Node labels for Anchore Catalog pod assignment | `{}` | -| `catalog.tolerations` | Tolerations for Anchore Catalog pod assignment | `[]` | -| `catalog.affinity` | Affinity for Anchore Catalog pod assignment | `{}` | -| `catalog.serviceAccountName` | Service account name for Anchore Catalog pods | `""` | +| Name | Description | Value | +| ------------------------------- | -------------------------------------------------------------------------- | ----------- | +| `catalog.replicaCount` | Number of replicas for the Anchore Catalog deployment | `1` | +| `catalog.service.type` | Service type for Anchore Catalog | `ClusterIP` | +| `catalog.service.port` | Service port for Anchore Catalog | `8082` | +| `catalog.service.annotations` | Annotations for Anchore Catalog service | `{}` | +| `catalog.service.labels` | Labels for Anchore Catalog service | `{}` | +| `catalog.service.nodePort` | nodePort for Anchore Catalog service | `""` | +| `catalog.extraEnv` | Set extra environment variables for Anchore Catalog pods | `[]` | +| `catalog.resources` | Resource requests and limits for Anchore Catalog pods | `{}` | +| `catalog.labels` | Labels for Anchore Catalog pods | `{}` | +| `catalog.annotations` | Annotation for Anchore Catalog pods | `{}` | +| `catalog.nodeSelector` | Node labels for Anchore Catalog pod assignment | `{}` | +| `catalog.tolerations` | Tolerations for Anchore Catalog pod assignment | `[]` | +| `catalog.affinity` | Affinity for Anchore Catalog pod assignment | `{}` | +| `catalog.serviceAccountName` | Service account name for Anchore Catalog pods | `""` | +| `catalog.scratchVolume.details` | Details for the k8s volume to be created for Anchore Catalog scratch space | `{}` | ### Anchore Feeds Chart Parameters 
@@ -1149,46 +1141,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `feeds.chartEnabled` | Enable the Anchore Feeds chart | `true` | | `feeds.standalone` | Sets the Anchore Feeds chart to run into non-standalone mode, for use with Anchore Enterprise. | `false` | | `feeds.url` | Set the URL for a standalone Feeds service. Use when chartEnabled=false. | `""` | - - -### Anchore Policy Engine k8s Deployment Parameters - -| Name | Description | Value | -| ---------------------------------- | -------------------------------------------------------------- | ----------- | -| `policyEngine.replicaCount` | Number of replicas for the Anchore Policy Engine deployment | `1` | -| `policyEngine.service.type` | Service type for Anchore Policy Engine | `ClusterIP` | -| `policyEngine.service.port` | Service port for Anchore Policy Engine | `8087` | -| `policyEngine.service.annotations` | Annotations for Anchore Policy Engine service | `{}` | -| `policyEngine.service.labels` | Labels for Anchore Policy Engine service | `{}` | -| `policyEngine.service.nodePort` | nodePort for Anchore Policy Engine service | `""` | -| `policyEngine.extraEnv` | Set extra environment variables for Anchore Policy Engine pods | `[]` | -| `policyEngine.resources` | Resource requests and limits for Anchore Policy Engine pods | `{}` | -| `policyEngine.labels` | Labels for Anchore Policy Engine pods | `{}` | -| `policyEngine.annotations` | Annotation for Anchore Policy Engine pods | `{}` | -| `policyEngine.nodeSelector` | Node labels for Anchore Policy Engine pod assignment | `{}` | -| `policyEngine.tolerations` | Tolerations for Anchore Policy Engine pod assignment | `[]` | -| `policyEngine.affinity` | Affinity for Anchore Policy Engine pod assignment | `{}` | -| `policyEngine.serviceAccountName` | Service account name for Anchore Policy Engine pods | `""` | - - -### Anchore Simple Queue Parameters - -| Name | Description | Value | -| --------------------------------- | 
------------------------------------------------------------- | ----------- | -| `simpleQueue.replicaCount` | Number of replicas for the Anchore Simple Queue deployment | `1` | -| `simpleQueue.service.type` | Service type for Anchore Simple Queue | `ClusterIP` | -| `simpleQueue.service.port` | Service port for Anchore Simple Queue | `8083` | -| `simpleQueue.service.annotations` | Annotations for Anchore Simple Queue service | `{}` | -| `simpleQueue.service.labels` | Labels for Anchore Simple Queue service | `{}` | -| `simpleQueue.service.nodePort` | nodePort for Anchore Simple Queue service | `""` | -| `simpleQueue.extraEnv` | Set extra environment variables for Anchore Simple Queue pods | `[]` | -| `simpleQueue.resources` | Resource requests and limits for Anchore Simple Queue pods | `{}` | -| `simpleQueue.labels` | Labels for Anchore Simple Queue pods | `{}` | -| `simpleQueue.annotations` | Annotation for Anchore Simple Queue pods | `{}` | -| `simpleQueue.nodeSelector` | Node labels for Anchore Simple Queue pod assignment | `{}` | -| `simpleQueue.tolerations` | Tolerations for Anchore Simple Queue pod assignment | `[]` | -| `simpleQueue.affinity` | Affinity for Anchore Simple Queue pod assignment | `{}` | -| `simpleQueue.serviceAccountName` | Service account name for Anchore Simple Queue pods | `""` | +| `feeds.resources` | Resource requests and limits for Anchore Feeds pods | `{}` | ### Anchore Notifications Parameters 
@@ -1211,24 +1164,25 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | -### Anchore Reports Parameters +### Anchore Policy Engine k8s Deployment Parameters -| Name | Description | Value | -| ----------------------------- | -------------------------------------------------------- | ----------- | -| `reports.replicaCount` | Number of replicas for the Anchore Reports deployment | `1` | -| `reports.service.type` | Service type for Anchore Reports | `ClusterIP` | -| `reports.service.port` | Service port for Anchore Reports Worker | `8558` | -| `reports.service.annotations` | Annotations for Anchore Reports service | `{}` | -| `reports.service.labels` | Labels for Anchore Reports service | `{}` | -| `reports.service.nodePort` | nodePort for Anchore Reports service | `""` | -| `reports.extraEnv` | Set extra environment variables for Anchore Reports pods | `[]` | -| `reports.resources` | Resource requests and limits for Anchore Reports pods | `{}` | -| `reports.labels` | Labels for Anchore Reports pods | `{}` | -| `reports.annotations` | Annotation for Anchore Reports pods | `{}` | -| `reports.nodeSelector` | Node labels for Anchore Reports pod assignment | `{}` | -| `reports.tolerations` | Tolerations for Anchore Reports pod assignment | `[]` | -| `reports.affinity` | Affinity for Anchore Reports pod assignment | `{}` | -| `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | +| Name | Description | Value | +| ------------------------------------ | -------------------------------------------------------------------------------- | ----------- | +| `policyEngine.replicaCount` | Number of replicas for the Anchore Policy Engine deployment | `1` | +| `policyEngine.service.type` | Service type for Anchore Policy Engine | `ClusterIP` | +| `policyEngine.service.port` | Service port for Anchore Policy Engine | `8087` 
| +| `policyEngine.service.annotations` | Annotations for Anchore Policy Engine service | `{}` | +| `policyEngine.service.labels` | Labels for Anchore Policy Engine service | `{}` | +| `policyEngine.service.nodePort` | nodePort for Anchore Policy Engine service | `""` | +| `policyEngine.extraEnv` | Set extra environment variables for Anchore Policy Engine pods | `[]` | +| `policyEngine.resources` | Resource requests and limits for Anchore Policy Engine pods | `{}` | +| `policyEngine.labels` | Labels for Anchore Policy Engine pods | `{}` | +| `policyEngine.annotations` | Annotation for Anchore Policy Engine pods | `{}` | +| `policyEngine.nodeSelector` | Node labels for Anchore Policy Engine pod assignment | `{}` | +| `policyEngine.tolerations` | Tolerations for Anchore Policy Engine pod assignment | `[]` | +| `policyEngine.affinity` | Affinity for Anchore Policy Engine pod assignment | `{}` | +| `policyEngine.serviceAccountName` | Service account name for Anchore Policy Engine pods | `""` | +| `policyEngine.scratchVolume.details` | Details for the k8s volume to be created for Anchore Policy Engine scratch space | `{}` | ### Anchore RBAC Authentication Parameters 
@@ -1259,11 +1213,72 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `rbacManager.serviceAccountName` | Service account name for Anchore RBAC Manager pods | `""` | +### Anchore Reports Parameters + +| Name | Description | Value | +| ------------------------------- | -------------------------------------------------------------------------- | ----------- | +| `reports.replicaCount` | Number of replicas for the Anchore Reports deployment | `1` | +| `reports.service.type` | Service type for Anchore Reports | `ClusterIP` | +| `reports.service.port` | Service port for Anchore Reports | `8558` | +| `reports.service.annotations` | Annotations for Anchore Reports service | `{}` | +| `reports.service.labels` | Labels for Anchore Reports service | `{}` | +| `reports.service.nodePort` | nodePort for Anchore Reports service | `""` | +| `reports.extraEnv` | Set extra environment variables for Anchore Reports pods | `[]` | +| `reports.resources` | Resource requests and limits for Anchore Reports pods | `{}` | +| `reports.labels` | Labels for Anchore Reports pods | `{}` | +| `reports.annotations` | Annotation for Anchore Reports pods | `{}` | +| `reports.nodeSelector` | Node labels for Anchore Reports pod assignment | `{}` | +| `reports.tolerations` | Tolerations for Anchore Reports pod assignment | `[]` | +| `reports.affinity` | Affinity for Anchore Reports pod assignment | `{}` | +| `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | +| `reports.scratchVolume.details` | Details for the k8s volume to be created for Anchore Reports scratch space | `{}` | + + +### Anchore Reports Worker Parameters + +| Name | Description | Value | +| ----------------------------------- | --------------------------------------------------------------- | ----------- | +| `reportsWorker.replicaCount` | Number of replicas for the Anchore Reports deployment | `1` | +| `reportsWorker.service.type` | Service type for Anchore Reports 
Worker | `ClusterIP` | +| `reportsWorker.service.port` | Service port for Anchore Reports Worker | `8559` | +| `reportsWorker.service.annotations` | Annotations for Anchore Reports Worker service | `{}` | +| `reportsWorker.service.labels` | Labels for Anchore Reports Worker service | `{}` | +| `reportsWorker.service.nodePort` | nodePort for Anchore Reports Worker service | `""` | +| `reportsWorker.extraEnv` | Set extra environment variables for Anchore Reports Worker pods | `[]` | +| `reportsWorker.resources` | Resource requests and limits for Anchore Reports Worker pods | `{}` | +| `reportsWorker.labels` | Labels for Anchore Reports Worker pods | `{}` | +| `reportsWorker.annotations` | Annotation for Anchore Reports Worker pods | `{}` | +| `reportsWorker.nodeSelector` | Node labels for Anchore Reports Worker pod assignment | `{}` | +| `reportsWorker.tolerations` | Tolerations for Anchore Reports Worker pod assignment | `[]` | +| `reportsWorker.affinity` | Affinity for Anchore Reports Worker pod assignment | `{}` | +| `reportsWorker.serviceAccountName` | Service account name for Anchore Reports Worker pods | `""` | + + +### Anchore Simple Queue Parameters + +| Name | Description | Value | +| --------------------------------- | ------------------------------------------------------------- | ----------- | +| `simpleQueue.replicaCount` | Number of replicas for the Anchore Simple Queue deployment | `1` | +| `simpleQueue.service.type` | Service type for Anchore Simple Queue | `ClusterIP` | +| `simpleQueue.service.port` | Service port for Anchore Simple Queue | `8083` | +| `simpleQueue.service.annotations` | Annotations for Anchore Simple Queue service | `{}` | +| `simpleQueue.service.labels` | Labels for Anchore Simple Queue service | `{}` | +| `simpleQueue.service.nodePort` | nodePort for Anchore Simple Queue service | `""` | +| `simpleQueue.extraEnv` | Set extra environment variables for Anchore Simple Queue pods | `[]` | +| `simpleQueue.resources` | Resource requests 
and limits for Anchore Simple Queue pods | `{}` | +| `simpleQueue.labels` | Labels for Anchore Simple Queue pods | `{}` | +| `simpleQueue.annotations` | Annotation for Anchore Simple Queue pods | `{}` | +| `simpleQueue.nodeSelector` | Node labels for Anchore Simple Queue pod assignment | `{}` | +| `simpleQueue.tolerations` | Tolerations for Anchore Simple Queue pod assignment | `[]` | +| `simpleQueue.affinity` | Affinity for Anchore Simple Queue pod assignment | `{}` | +| `simpleQueue.serviceAccountName` | Service account name for Anchore Simple Queue pods | `""` | + + ### Anchore UI Parameters | Name | Description | Value | | ---------------------------- | ----------------------------------------------------------------------------- | ---------------------------------------- | -| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.1.0` | +| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.2.0` | | `ui.imagePullPolicy` | Image pull policy for Anchore UI image | `IfNotPresent` | | `ui.existingSecretName` | Name of an existing secret to be used for Anchore UI DB and Redis endpoints | `anchore-enterprise-ui-env` | | `ui.ldapsRootCaCertName` | Name of the custom CA certificate file store in `.Values.certStoreSecretName` | `""` | 
@@ -1315,8 +1330,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ingress.uiPath` | The path used for accessing the Anchore UI | `/` | | `ingress.feedsHosts` | List of custom hostnames for the Anchore Feeds API | `[]` | | `ingress.feedsPaths` | The path used for accessing the Anchore Feeds API | `["/v2/feeds/"]` | -| `ingress.reportsHosts` | List of custom hostnames for the Anchore Reports API | `[]` | -| `ingress.reportsPaths` | The path used for accessing the Anchore Reports API | `["/v2/reports/"]` | | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | 
@@ -1369,6 +1382,15 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention. - **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update. +### V2.3.0 + +- Deploys Anchore Enterprise v5.2.0. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/520/) for more information. +- The reports pod has been split out of the API deployment and is now a separate deployment. A new deployment called `reports_worker` has been added. This allows for more granular control over the resources allocated to the reports and reports_worker services. + - :warning: **WARNING:** Values file changes necessary: + - If you are using a custom port for the reports service, previously set with `api.service.reportsPort`, you will need to update your values file to use `reports.service.port` instead. + - Resource requests & limits were previously set for both reports pods found in the `reports_deployment` and `api_deployment` using the `reports.resources` section of the values file. These have been split into separate deployments and the resources are now set in the `reports.resources` and `reports_worker.resources` sections of the values file. If you are using custom resources, you will need to update your values file to reflect this change. +- The reports service no longer has an accessible API endpoint, all API requests should be made to the API service. This version of the chart removed deprecated ingress configurations to accommodate this change. Update your values file to remove all references to the `reports` service in the `ingress` section. + ### V2.2.0 - The following keys were changed: diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml index 8ef2da94..98b125c4 100644 
--- a/stable/enterprise/files/default_config.yaml +++ b/stable/enterprise/files/default_config.yaml @@ -34,15 +34,16 @@ keys: private_key_path: ${ANCHORE_AUTH_PUBKEY} user_authentication: - hashed_passwords: ${ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS} - sso_require_existing_users: ${ANCHORE_SSO_REQUIRES_EXISTING_USERS} oauth: enabled: ${ANCHORE_OAUTH_ENABLED} default_token_expiration_seconds: ${ANCHORE_OAUTH_TOKEN_EXPIRATION} refresh_token_expiration_seconds: ${ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION} + hashed_passwords: ${ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS} + sso_require_existing_users: ${ANCHORE_SSO_REQUIRES_EXISTING_USERS} allow_api_keys_for_saml_users: {{ .Values.anchoreConfig.user_authentication.allow_api_keys_for_saml_users }} max_api_key_age_days: {{ .Values.anchoreConfig.user_authentication.max_api_key_age_days }} max_api_keys_per_user: {{ .Values.anchoreConfig.user_authentication.max_api_keys_per_user }} + remove_deleted_user_api_keys_older_than_days: {{ .Values.anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days }} credentials: database: @@ -235,11 +236,13 @@ services: authorization_handler: external authorization_handler_config: endpoint: http://localhost:8089 + cycle_timers: {{- toYaml .Values.anchoreConfig.reports.cycle_timers | nindent 6 }} max_async_execution_threads: ${ANCHORE_ENTERPRISE_REPORTS_MAX_ASYNC_EXECUTION_THREADS} async_execution_timeout: ${ANCHORE_ENTERPRISE_REPORTS_ASYNC_EXECUTION_TIMEOUT} ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} + use_volume: {{ .Values.anchoreConfig.reports.use_volume }} reports_worker: enabled: true diff --git a/stable/enterprise/templates/_common.tpl b/stable/enterprise/templates/_common.tpl index c25491ec..3cd1bb1a 100644 --- a/stable/enterprise/templates/_common.tpl +++ b/stable/enterprise/templates/_common.tpl 
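Review bot: The re-added `hashed_passwords` and `sso_require_existing_users` lines in the `user_authentication` hunk now follow the `oauth:` sub-mapping, and the collapsed hunk does not show their indentation; if they render one level deeper they become keys of `oauth` rather than `user_authentication`, which would silently disable password hashing and the SSO existing-user gate with no template error, since Helm only renders text. Both are security controls, so confirm with `helm template` (or a chart unit test asserting on `user_authentication.hashed_passwords`) that they land at the same depth as `allow_api_keys_for_saml_users`. The new `remove_deleted_user_api_keys_older_than_days: {{ .Values.anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days }}` follows its neighbours' pattern, but like them it typically renders `<no value>` when the values key is absent; pairing it with a `values.yaml` default (or `| default 0`) in the same change keeps the rendered config parseable on upgrades from older values files.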
@@ -90,11 +90,7 @@ When calling this template, .component can be included in the context for compon {{ toYaml . }} {{- end }} - name: ANCHORE_ENDPOINT_HOSTNAME - {{- if and (eq $component "reports") (eq .api "true") }} - value: {{ template "enterprise.api.fullname" . }} - {{- else }} value: {{ include (printf "enterprise.%s.fullname" $component) . }} - {{- end }} {{- with (index .Values (print $component)).service }} - name: ANCHORE_PORT value: {{ .port | quote }} @@ -274,6 +270,21 @@ successThreshold: {{ .Values.probes.readiness.successThreshold }} {{- end -}} +{{/* +Setup the common anchore scratch volume details config +*/}} +{{- define "enterprise.common.scratchVolume.details" -}} +{{- $component := .component -}} +{{- if (index .Values (print $component)).scratchVolume.details }} + {{- toYaml (index .Values (print $component)).scratchVolume.details }} +{{- else if .Values.scratchVolume.details }} + {{- toYaml .Values.scratchVolume.details }} +{{- else }} +emptyDir: {} +{{- end }} +{{- end -}} + + {{/* Setup the common anchore volume mounts */}} diff --git a/stable/enterprise/templates/_helpers.tpl b/stable/enterprise/templates/_helpers.tpl index c17a18d8..b57dde0a 100644 --- a/stable/enterprise/templates/_helpers.tpl +++ b/stable/enterprise/templates/_helpers.tpl @@ -148,7 +148,7 @@ Return the database user for the Anchore Enterprise UI config {{/* Set the nodePort for services if its defined */}} -{{- define "service.nodePort" -}} +{{- define "enterprise.service.nodePort" -}} {{- $component := .component -}} {{- if (index .Values (print $component)).service.nodePort -}} nodePort: {{ (index .Values (print $component)).service.nodePort }} diff --git a/stable/enterprise/templates/_names.tpl b/stable/enterprise/templates/_names.tpl index 07f837aa..8d1dc0d3 100644 --- a/stable/enterprise/templates/_names.tpl +++ b/stable/enterprise/templates/_names.tpl 
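Review bot: The new `enterprise.common.scratchVolume.details` helper evaluates `(index .Values (print $component)).scratchVolume.details` unguarded; for any component whose values block has no `scratchVolume` key, Go templates fail at render time with a nil-pointer error on `.details` rather than falling through to the global default. The visible caller (analyzer) appears to be a component that defines the key, but the helper is generic and will be reused, so a `with` guard is cheap insurance. Separately, the fallback `emptyDir: {}` has no `sizeLimit`; the analyzer's scratch space holds layers of untrusted images during analysis, so an oversized image can exhaust the node's ephemeral storage and evict neighbouring pods — consider documenting `sizeLimit` as the recommended value for `scratchVolume.details` in the README, or defaulting it. The guarded version below keeps the same precedence (component, then global, then emptyDir).

```gotemplate
{{- define "enterprise.common.scratchVolume.details" -}}
{{- $component := .component -}}
{{- $componentDetails := dict -}}
{{- with (index .Values (print $component)).scratchVolume }}
  {{- with .details }}{{- $componentDetails = . -}}{{- end }}
{{- end }}
{{- if $componentDetails }}
  {{- toYaml $componentDetails }}
{{- else if .Values.scratchVolume.details }}
  {{- toYaml .Values.scratchVolume.details }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end -}}
```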
@@ -52,6 +52,11 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s-%s" .Release.Name $name "reports"| trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- define "enterprise.reportsWorker.fullname" -}} +{{- $name := default .Chart.Name .Values.global.nameOverride -}} +{{- printf "%s-%s-%s" .Release.Name $name "reportsworker"| trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{- define "enterprise.simpleQueue.fullname" -}} {{- $name := default .Chart.Name .Values.global.nameOverride -}} {{- printf "%s-%s-%s" .Release.Name $name "simplequeue"| trunc 63 | trimSuffix "-" -}} diff --git a/stable/enterprise/templates/analyzer_deployment.yaml b/stable/enterprise/templates/analyzer_deployment.yaml index 3b074617..fe2b6fbf 100644 --- a/stable/enterprise/templates/analyzer_deployment.yaml +++ b/stable/enterprise/templates/analyzer_deployment.yaml @@ -26,11 +26,7 @@ spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} - name: "anchore-scratch" - {{- if .Values.scratchVolume.details }} - {{- toYaml .Values.scratchVolume.details | nindent 10 }} - {{- else }} - emptyDir: {} - {{- end }} + {{- include "enterprise.common.scratchVolume.details" (merge (dict "component" $component) .) | nindent 10 }} - name: analyzer-config-volume configMap: name: {{ template "enterprise.analyzer.fullname" . }} diff --git a/stable/enterprise/templates/api_deployment.yaml b/stable/enterprise/templates/api_deployment.yaml index 57e17fe0..1bafc9fa 100644 --- a/stable/enterprise/templates/api_deployment.yaml +++ b/stable/enterprise/templates/api_deployment.yaml 
@@ -71,28 +71,6 @@ spec: {{- with .Values.api.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} - - - name: "{{ .Chart.Name }}-reports-api" - image: {{ .Values.image }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - {{- with .Values.containerSecurityContext }} - securityContext: - {{ toYaml . | nindent 12 }} - {{- end }} - command: ["/bin/sh", "-c"] - args: - - {{ print (include "enterprise.common.dockerEntrypoint" .) }} reports - envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} - env: {{- include "enterprise.common.environment" (merge (dict "component" "reports" "api" "true") .) | nindent 12 }} - ports: - - containerPort: {{ .Values.reports.service.port }} - name: reports - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} - livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" "reports") .) | nindent 12 }} - readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" "reports") .) | nindent 12 }} - {{- with .Values.reports.resources }} - resources: {{- toYaml . | nindent 12 }} - {{- end }} {{- include "enterprise.common.rbacAuthContainer" . | nindent 8 }} --- @@ -110,12 +88,7 @@ spec: port: {{ .Values.api.service.port }} targetPort: {{ .Values.api.service.port }} protocol: TCP - {{ include "service.nodePort" (merge (dict "component" $component) .) }} - - name: reports - port: {{ .Values.reports.service.port }} - targetPort: {{ .Values.reports.service.port }} - protocol: TCP - {{ include "service.nodePort" (merge (dict "component" "reports") .) }} + {{ include "enterprise.service.nodePort" (merge (dict "component" $component) .) }} selector: app.kubernetes.io/name: {{ template "enterprise.fullname" . }} app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/catalog_deployment.yaml b/stable/enterprise/templates/catalog_deployment.yaml index b8aa9f77..435578b6 100644 
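Review bot: Removing the `reports` port from the API Service (second hunk here) together with the `reportsHosts`/`reportsPaths` ingress rules dropped in the two ingress.yaml hunks below means the values that used to drive them — `api.service.reportsPort`, `ingress.reportsHosts` and `ingress.reportsPaths` — are now silently ignored, so an existing install that exposed reports through the API ingress loses that route on upgrade with no error. The chart already uses `fail` for a retired value in envvars_configmap.yaml; the same pattern here, e.g. `{{- if or .Values.ingress.reportsHosts .Values.ingress.reportsPaths }}{{- fail "ingress.reportsHosts/reportsPaths are no longer used; reports is served by its own service" }}{{- end }}`, would surface the change at upgrade time instead. Whether values.yaml still declares these keys is not visible in this diff; even if they were removed there, the guard still catches user-supplied values files. The moved container and port also warrant an upgrade note in the README or changelog.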
--- a/stable/enterprise/templates/catalog_deployment.yaml +++ b/stable/enterprise/templates/catalog_deployment.yaml @@ -28,11 +28,7 @@ spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} - name: anchore-scratch - {{- if .Values.scratchVolume.details }} - {{- toYaml .Values.scratchVolume.details | nindent 10 }} - {{- else }} - emptyDir: {} - {{- end }} + {{- include "enterprise.common.scratchVolume.details" (merge (dict "component" $component) .) | nindent 10 }} {{- if .Values.anchoreConfig.policyBundles }} - name: policy-bundle-volume configMap: @@ -92,7 +88,7 @@ spec: port: {{ .Values.catalog.service.port }} targetPort: {{ .Values.catalog.service.port }} protocol: TCP - {{ include "service.nodePort" (merge (dict "component" $component) .) }} + {{ include "enterprise.service.nodePort" (merge (dict "component" $component) .) }} selector: app.kubernetes.io/name: {{ template "enterprise.fullname" . }} app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index 05867815..0d080227 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml +++ b/stable/enterprise/templates/envvars_configmap.yaml 
@@ -50,7 +50,7 @@ data: ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER: "true" ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE: "true" {{- if eq (toString .Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days) "-1" }} - {{- fail "The Value `-1` is no longer valid for `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days`. Please use `.Values.anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite=true` to force runtime inventory to be overwritten upon every update for that reported context. `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days` must be set to a value >1." -}} + {{- fail "The Value `-1` is no longer valid for `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days`. Please use `.Values.anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite=true` to force runtime inventory to be overwritten upon every update for that reported context. `.Values.anchoreConfig.catalog.runtime_inventory.inventory_ttl_days` must be set to a value >1." -}} {{- else }} ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS: "{{ .Values.anchoreConfig.catalog.runtime_inventory.inventory_ttl_days }}" ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE: "{{ .Values.anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite }}" diff --git a/stable/enterprise/templates/ingress.yaml b/stable/enterprise/templates/ingress.yaml index ab157683..6caacdda 100644 --- a/stable/enterprise/templates/ingress.yaml +++ b/stable/enterprise/templates/ingress.yaml @@ -29,7 +29,7 @@ spec: {{- end }} {{- end }} rules: - {{- if or .Values.ingress.apiHosts .Values.ingress.uiHosts .Values.ingress.feedsHosts .Values.ingress.reportsHosts }} + {{- if or .Values.ingress.apiHosts .Values.ingress.uiHosts .Values.ingress.feedsHosts }} {{- range $apiHostIndex, $apiHostName := .Values.ingress.apiHosts }} - host: {{ $apiHostName | quote }} http: 
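Review bot: The `fail` message is only half-updated: its last sentence now names `inventory_ttl_days`, but it still tells users to set `.Values.anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite=true`, while the `else` branch two lines below reads `inventory_ingest_overwrite`, so a user following the message sets a key the template never consumes. Replace `image_ingest_overwrite=true` with `inventory_ingest_overwrite=true` in the message. The condition itself still inspects `image_ttl_days`, which looks intentional as a check for the retired key name; if so, a short template comment above the `if` saying that `image_ttl_days` is the deprecated spelling of `inventory_ttl_days` would save the next reader the same confusion.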
@@ -88,26 +88,6 @@ spec: {{- end }} {{- end }} {{- end }} - {{- range $reportsHostIndex, $reportsHostName := .Values.ingress.reportsHosts }} - - host: {{ $reportsHostName | quote }} - http: - paths: - {{- range $reportsPathIndex, $reportsPath := $.Values.ingress.reportsPaths }} - - path: {{ $reportsPath }} - {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} - pathType: Prefix - backend: - service: - name: {{ template "enterprise.api.fullname" $ }} - port: - number: {{ $.Values.api.service.reportsPort }} - {{- else }} - backend: - serviceName: {{ template "enterprise.api.fullname" $ }} - servicePort: {{ $.Values.api.service.reportsPort }} - {{- end }} - {{- end }} - {{- end }} {{- else }} - http: paths: @@ -156,20 +136,5 @@ spec: servicePort: {{ $.Values.feeds.service.port }} {{- end }} {{- end }} - {{- range .Values.ingress.reportsPaths }} - - path: {{ . }} - {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} - pathType: Prefix - backend: - service: - name: {{ template "enterprise.api.fullname" $ }} - port: - number: {{ $.Values.api.service.reportsPort }} - {{- else }} - backend: - serviceName: {{ template "enterprise.api.fullname" $ }} - servicePort: {{ $.Values.api.service.reportsPort }} - {{- end }} - {{- end }} {{- end }} {{- end -}} diff --git a/stable/enterprise/templates/notifications_deployment.yaml b/stable/enterprise/templates/notifications_deployment.yaml index 090b9c25..3d003ce3 100644 --- a/stable/enterprise/templates/notifications_deployment.yaml +++ b/stable/enterprise/templates/notifications_deployment.yaml 
@@ -66,7 +66,7 @@ spec: port: {{ .Values.notifications.service.port }} targetPort: {{ .Values.notifications.service.port }} protocol: TCP - {{ include "service.nodePort" (merge (dict "component" $component) .) }} + {{ include "enterprise.service.nodePort" (merge (dict "component" $component) .) }} selector: app.kubernetes.io/name: {{ template "enterprise.fullname" . }} app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/policyengine_deployment.yaml b/stable/enterprise/templates/policyengine_deployment.yaml index b7ab8b2d..a791f929 100644 --- a/stable/enterprise/templates/policyengine_deployment.yaml +++ b/stable/enterprise/templates/policyengine_deployment.yaml @@ -25,11 +25,7 @@ spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} - name: anchore-scratch - {{- if .Values.scratchVolume.details }} - {{- toYaml .Values.scratchVolume.details | nindent 10 }} - {{- else }} - emptyDir: {} - {{- end }} + {{- include "enterprise.common.scratchVolume.details" (merge (dict "component" $component) .) | nindent 10 }} {{- if and .Values.scratchVolume.fixGroupPermissions .Values.securityContext.fsGroup }} initContainers: {{- include "enterprise.common.fixPermissionsInitContainer" . | nindent 8 }} @@ -77,7 +73,7 @@ spec: port: {{ .Values.policyEngine.service.port }} targetPort: {{ .Values.policyEngine.service.port }} protocol: TCP - {{ include "service.nodePort" (merge (dict "component" $component) .) }} + {{ include "enterprise.service.nodePort" (merge (dict "component" $component) .) }} selector: app.kubernetes.io/name: {{ template "enterprise.fullname" . }} app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/rbacmanager_deployment.yaml b/stable/enterprise/templates/rbacmanager_deployment.yaml index e4d30401..82398175 100644 
--- a/stable/enterprise/templates/rbacmanager_deployment.yaml +++ b/stable/enterprise/templates/rbacmanager_deployment.yaml @@ -66,7 +66,7 @@ spec: port: {{ .Values.rbacManager.service.port }} targetPort: {{ .Values.rbacManager.service.port }} protocol: TCP - {{ include "service.nodePort" (merge (dict "component" $component) .) }} + {{ include "enterprise.service.nodePort" (merge (dict "component" $component) .) }} selector: app.kubernetes.io/name: {{ template "enterprise.fullname" . }} app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/reports_deployment.yaml b/stable/enterprise/templates/reports_deployment.yaml index c452ea8d..ab947a75 100644 --- a/stable/enterprise/templates/reports_deployment.yaml +++ b/stable/enterprise/templates/reports_deployment.yaml @@ -24,6 +24,14 @@ spec: spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + {{- if .Values.anchoreConfig.reports.use_volume }} + - name: "anchore-scratch" + {{- include "enterprise.common.scratchVolume.details" (merge (dict "component" $component) .) | nindent 10 }} + {{- end }} + {{- if and .Values.anchoreConfig.reports.use_volume .Values.scratchVolume.fixGroupPermissions .Values.securityContext.fsGroup }} + initContainers: + {{- include "enterprise.common.fixPermissionsInitContainer" . | nindent 8 }} + {{- end }} containers: {{- if .Values.cloudsql.enabled }} {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} 
@@ -37,18 +45,23 @@ spec: {{- end }} command: ["/bin/sh", "-c"] args: - - {{ print (include "enterprise.common.dockerEntrypoint" .) }} reports_worker + - {{ print (include "enterprise.common.dockerEntrypoint" .) }} reports ports: - containerPort: {{ .Values.reports.service.port }} name: {{ $component | lower }} envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + {{- if .Values.anchoreConfig.reports.use_volume }} + - name: "anchore-scratch" + mountPath: {{ .Values.scratchVolume.mountPath }} + {{- end }} livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} {{- with .Values.reports.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} + {{- include "enterprise.common.rbacAuthContainer" . | nindent 8 }} --- apiVersion: v1 @@ -65,7 +78,7 @@ spec: port: {{ .Values.reports.service.port }} targetPort: {{ .Values.reports.service.port }} protocol: TCP - {{ include "service.nodePort" (merge (dict "component" $component) .) }} + {{ include "enterprise.service.nodePort" (merge (dict "component" $component) .) }} selector: app.kubernetes.io/name: {{ template "enterprise.fullname" . }} app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/reportsworker_deployment.yaml b/stable/enterprise/templates/reportsworker_deployment.yaml new file mode 100644 index 00000000..3d56f984 --- /dev/null +++ b/stable/enterprise/templates/reportsworker_deployment.yaml 
@@ -0,0 +1,71 @@ +{{- $component := "reportsWorker" -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "enterprise.reportsWorker.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: + selector: + matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} + replicas: {{ .Values.reportsWorker.replicaCount }} + strategy: + type: Recreate + template: + metadata: + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component "nil" true) .) | nindent 8 }} + {{- if and (not .Values.injectSecretsViaEnv) (not .Values.useExistingSecrets) }} + checksum/secrets: {{ include (print $.Template.BasePath "/anchore_secret.yaml") . | sha256sum }} + {{- end }} + checksum/enterprise-config: {{ tpl (print $.Files.BasePath "/default_config.yaml") . | sha256sum }} + spec: + {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} + volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + containers: + {{- if .Values.cloudsql.enabled }} + {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} + {{- end }} + - name: "{{ .Chart.Name }}-{{ $component | lower }}" + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 12 }} + {{- end }} + command: ["/bin/sh", "-c"] + args: + - {{ print (include "enterprise.common.dockerEntrypoint" .) 
}} reports_worker + ports: + - containerPort: {{ .Values.reportsWorker.service.port }} + name: {{ $component | lower }} + envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} + env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} + volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} + readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} + {{- with .Values.reportsWorker.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "enterprise.reportsWorker.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: + type: {{ .Values.reportsWorker.service.type }} + ports: + - name: {{ $component | lower }} + port: {{ .Values.reportsWorker.service.port }} + targetPort: {{ .Values.reportsWorker.service.port }} + protocol: TCP + {{ include "enterprise.service.nodePort" (merge (dict "component" $component) .) }} + selector: + app.kubernetes.io/name: {{ template "enterprise.fullname" . }} + app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/simplequeue_deployment.yaml b/stable/enterprise/templates/simplequeue_deployment.yaml index 6e7fa992..c0003eab 100644 --- a/stable/enterprise/templates/simplequeue_deployment.yaml +++ b/stable/enterprise/templates/simplequeue_deployment.yaml 
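Review bot: The `checksum/enterprise-config` annotation in the new reportsworker deployment hashes `tpl (print $.Files.BasePath "/default_config.yaml") .`, which is a rendered path string rather than the rendered config file, so the digest does not change when default_config.yaml or the values feeding it change and the worker pods are not rolled on config updates; I am not aware of a `BasePath` field on Helm's `.Files` object (it exists on `.Template`), which would make the hashed string effectively constant. `checksum/enterprise-config: {{ tpl (.Files.Get "files/default_config.yaml") . | sha256sum }}` hashes the rendered content instead. This line is probably copied from the sibling deployment templates, which are outside this diff; if they carry the same expression they should be corrected together so all components restart consistently on a config change.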
@@ -64,7 +64,7 @@ spec: port: {{ .Values.simpleQueue.service.port }} targetPort: {{ .Values.simpleQueue.service.port }} protocol: TCP - {{ include "service.nodePort" (merge (dict "component" $component) .) }} + {{ include "enterprise.service.nodePort" (merge (dict "component" $component) .) }} selector: app.kubernetes.io/name: {{ template "enterprise.fullname" . }} app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/ui_deployment.yaml b/stable/enterprise/templates/ui_deployment.yaml index 027448e9..5fa67923 100644 --- a/stable/enterprise/templates/ui_deployment.yaml +++ b/stable/enterprise/templates/ui_deployment.yaml @@ -132,7 +132,7 @@ spec: port: {{ .Values.ui.service.port }} protocol: TCP targetPort: 3000 - {{ include "service.nodePort" (merge (dict "component" $component) .) }} + {{ include "enterprise.service.nodePort" (merge (dict "component" $component) .) }} selector: app.kubernetes.io/name: {{ template "enterprise.fullname" . }} app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 1fb1cac9..17ac6302 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap 
@@ -81,15 +81,16 @@ should render the configmaps: private_key_path: ${ANCHORE_AUTH_PUBKEY} user_authentication: - hashed_passwords: ${ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS} - sso_require_existing_users: ${ANCHORE_SSO_REQUIRES_EXISTING_USERS} oauth: enabled: ${ANCHORE_OAUTH_ENABLED} default_token_expiration_seconds: ${ANCHORE_OAUTH_TOKEN_EXPIRATION} refresh_token_expiration_seconds: ${ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION} + hashed_passwords: ${ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS} + sso_require_existing_users: ${ANCHORE_SSO_REQUIRES_EXISTING_USERS} allow_api_keys_for_saml_users: false max_api_key_age_days: 365 max_api_keys_per_user: 100 + remove_deleted_user_api_keys_older_than_days: 365 credentials: database: @@ -300,11 +301,14 @@ should render the configmaps: authorization_handler: external authorization_handler_config: endpoint: http://localhost:8089 + cycle_timers: + reports_scheduled_queries: 600 max_async_execution_threads: ${ANCHORE_ENTERPRISE_REPORTS_MAX_ASYNC_EXECUTION_THREADS} async_execution_timeout: ${ANCHORE_ENTERPRISE_REPORTS_ASYNC_EXECUTION_TIMEOUT} ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} + use_volume: false reports_worker: enabled: true diff --git a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index 696a938c..dd0833e7 100644 --- a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -143,6 +143,6 @@ should render proper initContainers: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.1.1 + image: docker.io/anchore/enterprise:v5.2.0 imagePullPolicy: IfNotPresent name: wait-for-db diff --git a/stable/enterprise/tests/analyzer_resources_test.yaml b/stable/enterprise/tests/analyzer_resources_test.yaml index 17279128..6b7b7b41 100644 
--- a/stable/enterprise/tests/analyzer_resources_test.yaml +++ b/stable/enterprise/tests/analyzer_resources_test.yaml @@ -138,23 +138,36 @@ tests: effect: "NoSchedule" count: 1 - - it: should render scratch volume as emptyDir by default + - it: should render scratch volume details from Analyzer values template: analyzer_deployment.yaml + set: + analyzer.scratchVolume.details: + csi: + driver: inline.storage.kubernetes.io + volumeAttributes: + foo: bar asserts: - contains: path: spec.template.spec.volumes content: name: anchore-scratch - emptyDir: {} + csi: + driver: inline.storage.kubernetes.io + volumeAttributes: + foo: bar count: 1 - - it: should render scratch volume using details from values + - it: should render scratch volume using details from analyzer values, even when global scratchVolume is explicitly set template: analyzer_deployment.yaml set: - scratchVolume.details: + analyzer.scratchVolume.details: hostPath: path: /tmp type: Directory + scratchVolume.details: + emptyDir: + medium: Memory + memoryLimit: 128Mi asserts: - contains: path: spec.template.spec.volumes diff --git a/stable/enterprise/tests/api_resources_test.yaml b/stable/enterprise/tests/api_resources_test.yaml index f8c2e06c..ac2b85f9 100644 --- a/stable/enterprise/tests/api_resources_test.yaml +++ b/stable/enterprise/tests/api_resources_test.yaml @@ -167,19 +167,12 @@ tests: value: enterprise-api - equal: path: spec.template.spec.containers[1].name - value: enterprise-reports-api - - equal: - path: spec.template.spec.containers[2].name value: rbac-auth - it: should render component entrypoint args template: api_deployment.yaml documentIndex: 0 asserts: - - matchRegex: - path: spec.template.spec.containers[1].args[0] - pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade reports$ - count: 1 - matchRegex: path: spec.template.spec.containers[0].args[0] pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade apiext$ 
@@ -244,40 +237,6 @@ tests: name: existing-secret key: ANCHORE_ADMIN_PASSWORD - - it: should render reports component environment variables - template: api_deployment.yaml - documentIndex: 0 - set: - reports.extraEnv: - - name: reports - value: test - - name: test - value: foobar - asserts: - - contains: - path: spec.template.spec.containers[1].env - content: - name: ANCHORE_ENDPOINT_HOSTNAME - value: test-release-enterprise-api - count: 1 - - contains: - path: spec.template.spec.containers[1].env - content: - name: ANCHORE_PORT - value: "8558" - count: 1 - - contains: - path: spec.template.spec.containers[1].env - content: - name: reports - value: test - count: 1 - - contains: - path: spec.template.spec.containers[1].env - content: - name: test - value: foobar - - it: should render component ports template: api_deployment.yaml documentIndex: 0 @@ -288,12 +247,6 @@ tests: name: api containerPort: 8228 count: 1 - - contains: - path: spec.template.spec.containers[1].ports - content: - name: reports - containerPort: 8558 - count: 1 - it: should render policy bundle volumeMounts when a policy bundle is provided template: api_deployment.yaml @@ -365,31 +318,6 @@ tests: failureThreshold: 3 successThreshold: 1 count: 1 - - isSubset: - path: spec.template.spec.containers[1].livenessProbe - content: - httpGet: - path: /health - port: reports - scheme: HTTP - initialDelaySeconds: 120 - timeoutSeconds: 10 - periodSeconds: 10 - failureThreshold: 6 - successThreshold: 1 - count: 1 - - isSubset: - path: spec.template.spec.containers[1].readinessProbe - content: - httpGet: - path: /health - port: reports - scheme: HTTP - timeoutSeconds: 10 - periodSeconds: 10 - failureThreshold: 3 - successThreshold: 1 - count: 1 - it: should render component resource requests & limits template: api_deployment.yaml 
@@ -402,13 +330,6 @@ tests: limits: cpu: 200m memory: 256Mi - reports.resources: - requests: - cpu: 200m - memory: 228Mi - limits: - cpu: 400m - memory: 456Mi asserts: - isSubset: path: spec.template.spec.containers[0].resources.requests @@ -422,18 +343,6 @@ tests: cpu: 200m memory: 256Mi count: 1 - - isSubset: - path: spec.template.spec.containers[1].resources.requests - content: - cpu: 200m - memory: 228Mi - count: 1 - - isSubset: - path: spec.template.spec.containers[1].resources.limits - content: - cpu: 400m - memory: 456Mi - count: 1 - it: should render component service type template: api_deployment.yaml @@ -456,14 +365,6 @@ tests: targetPort: 8228 protocol: TCP count: 1 - - contains: - path: spec.ports - content: - name: reports - port: 8558 - targetPort: 8558 - protocol: TCP - count: 1 - it: should render component service selectors template: api_deployment.yaml diff --git a/stable/enterprise/tests/catalog_resources_test.yaml b/stable/enterprise/tests/catalog_resources_test.yaml index d63817fd..f9971c42 100644 --- a/stable/enterprise/tests/catalog_resources_test.yaml +++ b/stable/enterprise/tests/catalog_resources_test.yaml 
@@ -143,25 +143,38 @@ tests: effect: "NoSchedule" count: 1 - - it: should render scratch volume as emptyDir by default + - it: should render scratch volume details from catalog values template: catalog_deployment.yaml documentIndex: 0 + set: + catalog.scratchVolume.details: + csi: + driver: inline.storage.kubernetes.io + volumeAttributes: + foo: bar asserts: - contains: path: spec.template.spec.volumes content: name: anchore-scratch - emptyDir: {} + csi: + driver: inline.storage.kubernetes.io + volumeAttributes: + foo: bar count: 1 - - it: should render scratch volume using details from values + - it: should render scratch volume using details from catalog values, even when global scratchVolume is explicitly set template: catalog_deployment.yaml documentIndex: 0 set: - scratchVolume.details: + catalog.scratchVolume.details: hostPath: path: /tmp type: Directory + scratchVolume.details: + emptyDir: + medium: Memory + memoryLimit: 128Mi asserts: - contains: path: spec.template.spec.volumes diff --git a/stable/enterprise/tests/common_helpers_test.yaml b/stable/enterprise/tests/common_helpers_test.yaml index 3465ef85..1769ac7d 100644 --- a/stable/enterprise/tests/common_helpers_test.yaml +++ b/stable/enterprise/tests/common_helpers_test.yaml @@ -7,6 +7,7 @@ templates: - policyengine_deployment.yaml - rbacmanager_deployment.yaml - reports_deployment.yaml + - reportsworker_deployment.yaml - simplequeue_deployment.yaml - ui_deployment.yaml - hooks/pre-upgrade/upgrade_job.yaml @@ -30,6 +31,7 @@ backend_test_templates: &backend_test_templates - policyengine_deployment.yaml - rbacmanager_deployment.yaml - reports_deployment.yaml + - reportsworker_deployment.yaml - simplequeue_deployment.yaml test_templates: &test_templates 
@@ -40,6 +42,7 @@ test_templates: &test_templates - policyengine_deployment.yaml - rbacmanager_deployment.yaml - reports_deployment.yaml + - reportsworker_deployment.yaml - simplequeue_deployment.yaml - ui_deployment.yaml - hooks/pre-upgrade/upgrade_job.yaml @@ -52,6 +55,7 @@ deployment_templates: &deployment_templates - policyengine_deployment.yaml - rbacmanager_deployment.yaml - reports_deployment.yaml + - reportsworker_deployment.yaml - simplequeue_deployment.yaml - ui_deployment.yaml @@ -438,6 +442,7 @@ tests: templates: - api_deployment.yaml - notifications_deployment.yaml + - reports_deployment.yaml - rbacmanager_deployment.yaml documentIndex: 0 asserts: @@ -508,6 +513,43 @@ tests: count: 1 any: true + - it: should render emptyDir scratchVolume if no global or component specific values are set + templates: + - analyzer_deployment.yaml + - catalog_deployment.yaml + - policyengine_deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: anchore-scratch + emptyDir: {} + count: 1 + any: true + + - it: should render global scratchVolume if no component specific values are set + templates: + - analyzer_deployment.yaml + - catalog_deployment.yaml + - policyengine_deployment.yaml + set: + scratchVolume.details: + hostPath: + path: /tmp + type: Directory + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: anchore-scratch + hostPath: + path: /tmp + type: Directory + count: 1 + any: true + - it: should render certStore volumeMount and volume set: certStoreSecretName: mycerts @@ -601,6 +643,7 @@ tests: - policyengine_deployment.yaml - rbacmanager_deployment.yaml - reports_deployment.yaml + - reportsworker_deployment.yaml - simplequeue_deployment.yaml - ui_deployment.yaml documentIndex: 1 
@@ -619,6 +662,7 @@ tests: - policyengine_deployment.yaml - rbacmanager_deployment.yaml - reports_deployment.yaml + - reportsworker_deployment.yaml - simplequeue_deployment.yaml - ui_deployment.yaml documentIndex: 1 @@ -935,6 +979,7 @@ tests: - catalog_deployment.yaml - policyengine_deployment.yaml - reports_deployment.yaml + - reportsworker_deployment.yaml - simplequeue_deployment.yaml documentIndex: 0 asserts: @@ -973,6 +1018,7 @@ tests: - catalog_deployment.yaml - policyengine_deployment.yaml - reports_deployment.yaml + - reportsworker_deployment.yaml - simplequeue_deployment.yaml documentIndex: 0 asserts: @@ -1029,6 +1075,7 @@ tests: policyEngine.service.nodePort: 9999 rbacManager.service.nodePort: 9999 reports.service.nodePort: 9999 + reportsWorker.service.nodePort: 9999 simpleQueue.service.nodePort: 9999 ui.service.nodePort: 9999 templates: @@ -1038,6 +1085,7 @@ tests: - policyengine_deployment.yaml - rbacmanager_deployment.yaml - reports_deployment.yaml + - reportsworker_deployment.yaml - simplequeue_deployment.yaml - ui_deployment.yaml documentIndex: 1 @@ -1057,6 +1105,7 @@ tests: - policyengine_deployment.yaml - rbacmanager_deployment.yaml - reports_deployment.yaml + - reportsworker_deployment.yaml - simplequeue_deployment.yaml - ui_deployment.yaml documentIndex: 1 diff --git a/stable/enterprise/tests/policyengine_resources_test.yaml b/stable/enterprise/tests/policyengine_resources_test.yaml index 3d1175ce..9ad77347 100644 --- a/stable/enterprise/tests/policyengine_resources_test.yaml +++ b/stable/enterprise/tests/policyengine_resources_test.yaml 
@@ -142,25 +142,38 @@ tests: effect: "NoSchedule" count: 1 - - it: should render scratch volume as emptyDir by default + - it: should render scratch volume details from policyEngine values template: policyengine_deployment.yaml documentIndex: 0 + set: + policyEngine.scratchVolume.details: + csi: + driver: inline.storage.kubernetes.io + volumeAttributes: + foo: bar asserts: - contains: path: spec.template.spec.volumes content: name: anchore-scratch - emptyDir: {} + csi: + driver: inline.storage.kubernetes.io + volumeAttributes: + foo: bar count: 1 - - it: should render scratch volume using details from values + - it: should render scratch volume using details from policyEngine values, even when global scratchVolume is explicitly set template: policyengine_deployment.yaml documentIndex: 0 set: - scratchVolume.details: + policyEngine.scratchVolume.details: hostPath: path: /tmp type: Directory + scratchVolume.details: + emptyDir: + medium: Memory + memoryLimit: 128Mi asserts: - contains: path: spec.template.spec.volumes diff --git a/stable/enterprise/tests/reports_resources_test.yaml b/stable/enterprise/tests/reports_resources_test.yaml index e602cd96..0917a9b6 100644 --- a/stable/enterprise/tests/reports_resources_test.yaml +++ b/stable/enterprise/tests/reports_resources_test.yaml @@ -156,7 +156,7 @@ tests: asserts: - matchRegex: path: spec.template.spec.containers[0].args[0] - pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade reports_worker$ + pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade reports$ count: 1 - it: should render reports component environment variables 
@@ -291,3 +291,118 @@ tests: app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/component: reports count: 1 + + - it: should render emptyDir scratch volume when use_volume is enabled + template: reports_deployment.yaml + documentIndex: 0 + set: + anchoreConfig.reports.use_volume: true + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: anchore-scratch + emptyDir: {} + count: 1 + + - it: should render scratch volume details from global values when use_volume is enabled + template: reports_deployment.yaml + documentIndex: 0 + set: + anchoreConfig.reports.use_volume: true + scratchVolume.details: + emptyDir: + medium: Memory + memoryLimit: 128Mi + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: anchore-scratch + emptyDir: + medium: Memory + memoryLimit: 128Mi + count: 1 + + - it: should render scratch volume using details from reports values, even when global scratchVolume is explicitly set + template: reports_deployment.yaml + documentIndex: 0 + set: + anchoreConfig.reports.use_volume: true + reports.scratchVolume.details: + hostPath: + path: /tmp + type: Directory + scratchVolume.details: + emptyDir: + medium: Memory + memoryLimit: 128Mi + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: anchore-scratch + hostPath: + path: /tmp + type: Directory + count: 1 + + - it: should render scratch volume using details from global values, when reports values are not set + template: reports_deployment.yaml + documentIndex: 0 + set: + anchoreConfig.reports.use_volume: true + scratchVolume.details: + emptyDir: + medium: Memory + memoryLimit: 128Mi + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: anchore-scratch + emptyDir: + medium: Memory + memoryLimit: 128Mi + count: 1 + + - it: should not render scratch volume when use_volume is not enabled (default) + template: reports_deployment.yaml + documentIndex: 0 + asserts: + - notContains: + path: 
spec.template.spec.volumes + content: + name: anchore-scratch + emptyDir: {} + count: 1 + + - it: should render fixPermissionsInitContainer when use_volume is enabled and fixGroupPermissions is set + templates: + - reports_deployment.yaml + documentIndex: 0 + set: + scratchVolume.fixGroupPermissions: true + securityContext.fsGroup: 9999 + anchoreConfig.reports.use_volume: true + asserts: + - contains: + path: spec.template.spec.initContainers + content: + name: mode-fixer + volumeMounts: + - name: "anchore-scratch" + mountPath: /analysis_scratch + command: [ sh, -c, (chmod 0775 /analysis_scratch; chgrp 9999 /analysis_scratch ) ] + count: 1 + any: true + + - it: should not render fixPermissionsInitContainer if use_volume isn't enabled + set: + scratchVolume.fixGroupPermissions: true + securityContext.fsGroup: 9999 + templates: + - reports_deployment.yaml + asserts: + - notExists: + path: spec.template.spec.initContainers diff --git a/stable/enterprise/tests/reportsworker_resources_test.yaml b/stable/enterprise/tests/reportsworker_resources_test.yaml new file mode 100644 index 00000000..86050391 --- /dev/null +++ b/stable/enterprise/tests/reportsworker_resources_test.yaml 
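Review bot: `should render scratch volume details from global values when use_volume is enabled` and `should render scratch volume using details from global values, when reports values are not set` are identical — same `set` block, same `contains` assertion — so one should be dropped or changed to cover a distinct case. The negative case `should not render scratch volume when use_volume is not enabled (default)` only checks that the exact element `name: anchore-scratch` + `emptyDir: {}` is absent, so a scratch volume rendered with different details while the flag is off would still pass; if the deployment renders no other volumes when the flag is off, a `notExists` on `spec.template.spec.volumes` would be the stricter check, otherwise add a second `notContains` for the hostPath variant used in the override test. The `fixPermissionsInitContainer` cases are a good addition since they pin the `chmod`/`chgrp` command against the configured `fsGroup`.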
@@ -0,0 +1,293 @@ +suite: Reports Resources Tests +templates: + - reportsworker_deployment.yaml + - anchore_secret.yaml + - anchore_configmap.yaml +release: + name: test-release + namespace: test-namespace +chart: + version: 9.9.9 + appVersion: 9.9.9 + +tests: + - it: should set the correct resource names + template: reportsworker_deployment.yaml + asserts: + - equal: + path: metadata.name + value: test-release-enterprise-reportsworker + + - it: should render component labels + template: reportsworker_deployment.yaml + set: + reportsWorker.labels: + reports: test + test: foobar + asserts: + - isSubset: + path: metadata.labels + content: + reports: test + test: foobar + - isSubset: + path: spec.template.metadata.labels + content: + reports: test + test: foobar + template: reportsworker_deployment.yaml + documentIndex: 0 + + - it: should render component annotations + template: reportsworker_deployment.yaml + set: + reportsWorker.annotations: + reports: test + test: foobar + asserts: + - isSubset: + path: metadata.annotations + content: + reports: test + test: foobar + - isSubset: + path: spec.template.metadata.annotations + content: + reports: test + test: foobar + template: reportsworker_deployment.yaml + documentIndex: 0 + + - it: should render component matchLabels + template: reportsworker_deployment.yaml + documentIndex: 0 + asserts: + - isSubset: + path: spec.selector.matchLabels + content: + app.kubernetes.io/name: test-release-enterprise + app.kubernetes.io/component: reportsworker + + - it: should render component replica count + template: reportsworker_deployment.yaml + documentIndex: 0 + set: + reportsWorker.replicaCount: 2 + asserts: + - equal: + path: spec.replicas + value: 2 + + - it: should render component serviceAccountName + template: reportsworker_deployment.yaml + documentIndex: 0 + set: + reportsWorker.serviceAccountName: reports-test + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: reports-test + + - it: should 
render component serviceAccountName even when global serviceAccountName is set + template: reportsworker_deployment.yaml + documentIndex: 0 + set: + serviceAccountName: global-test + reportsWorker.serviceAccountName: reports-test + asserts: + - equal: + path: spec.template.spec.serviceAccountName + value: reports-test + + - it: should render component nodeSelector + template: reportsworker_deployment.yaml + documentIndex: 0 + set: + reportsWorker.nodeSelector: + reports: test + asserts: + - isSubset: + path: spec.template.spec.nodeSelector + content: + reports: test + + - it: should render component affinity + template: reportsworker_deployment.yaml + documentIndex: 0 + set: + reportsWorker.affinity: + reports: test + asserts: + - isSubset: + path: spec.template.spec.affinity + content: + reports: test + + - it: should render component tolerations + template: reportsworker_deployment.yaml + documentIndex: 0 + set: + reportsWorker.tolerations: + - key: "reports" + operator: "Equal" + value: "test" + effect: "NoSchedule" + asserts: + - contains: + path: spec.template.spec.tolerations + content: + key: "reports" + operator: "Equal" + value: "test" + effect: "NoSchedule" + count: 1 + + - it: should render component container name + template: reportsworker_deployment.yaml + documentIndex: 0 + asserts: + - equal: + path: spec.template.spec.containers[0].name + value: enterprise-reportsworker + + - it: should render component entrypoint args + template: reportsworker_deployment.yaml + documentIndex: 0 + asserts: + - matchRegex: + path: spec.template.spec.containers[0].args[0] + pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade reports_worker$ + count: 1 + + - it: should render reports component environment variables + template: reportsworker_deployment.yaml + documentIndex: 0 + set: + reportsWorker.extraEnv: + - name: reports + value: test + - name: test + value: foobar + asserts: + - contains: + path: 
spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-reportsworker + count: 1 + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_PORT + value: "8559" + count: 1 + - contains: + path: spec.template.spec.containers[0].env + content: + name: reports + value: test + count: 1 + - contains: + path: spec.template.spec.containers[0].env + content: + name: test + value: foobar + + - it: should render component ports + template: reportsworker_deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.containers[0].ports + content: + name: reportsworker + containerPort: 8559 + count: 1 + + - it: should render component probes + template: reportsworker_deployment.yaml + documentIndex: 0 + asserts: + - isSubset: + path: spec.template.spec.containers[0].livenessProbe + content: + httpGet: + path: /health + port: reportsworker + scheme: HTTP + initialDelaySeconds: 120 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + count: 1 + - isSubset: + path: spec.template.spec.containers[0].readinessProbe + content: + httpGet: + path: /health + port: reportsworker + scheme: HTTP + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + count: 1 + + - it: should render component resource requests & limits + template: reportsworker_deployment.yaml + documentIndex: 0 + set: + reportsWorker.resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 200m + memory: 256Mi + asserts: + - isSubset: + path: spec.template.spec.containers[0].resources.requests + content: + cpu: 100m + memory: 128Mi + count: 1 + - isSubset: + path: spec.template.spec.containers[0].resources.limits + content: + cpu: 200m + memory: 256Mi + count: 1 + + - it: should render component service type + template: reportsworker_deployment.yaml + documentIndex: 1 + asserts: + - equal: + path: spec.type + value: ClusterIP + count: 1 + 
+ - it: should render component service ports + template: reportsworker_deployment.yaml + documentIndex: 1 + asserts: + - contains: + path: spec.ports + content: + name: reportsworker + port: 8559 + targetPort: 8559 + protocol: TCP + count: 1 + + - it: should render component service selectors + template: reportsworker_deployment.yaml + documentIndex: 1 + asserts: + - isSubset: + path: spec.selector + content: + app.kubernetes.io/name: test-release-enterprise + app.kubernetes.io/component: reportsworker + count: 1 diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 4914ed05..bb727784 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -18,7 +18,7 @@ global: ## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI ## -image: docker.io/anchore/enterprise:v5.1.1 +image: docker.io/anchore/enterprise:v5.2.0 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy 
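Review bot: `suite: Reports Resources Tests` at the top of the new `reportsworker_resources_test.yaml` is the same suite name as `reports_resources_test.yaml`, so both suites report under one name in the runner output; change it to `suite: Reports Worker Resources Tests`. `should render reports component environment variables` likewise reads as carried over from the reports suite and would match the other cases in this file as `should render component environment variables`. In that same case the last `contains` (`name: test` / `value: foobar`) lacks the `count: 1` the three preceding asserts carry; add it for consistency.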
@@ -100,10 +100,11 @@ labels: {} ## annotations: {} -## @param scratchVolume.mountPath The mount path of an external volume for scratch space for image analysis -## @param scratchVolume.fixGroupPermissions Enable an initContainer that will fix the fsGroup permissions +## @param scratchVolume.mountPath The mount path of an external volume for scratch space. Used for the following pods: analyzer, policy-engine, catalog, and reports +## @param scratchVolume.fixGroupPermissions Enable an initContainer that will fix the fsGroup permissions on all scratch volumes ## @param scratchVolume.fixerInitContainerImage The image to use for the mode-fixer initContainer -## @param scratchVolume.details [object] Details for the k8s volume to be created +## @param scratchVolume.details [object] Details for the k8s volume to be created (defaults to default emptyDir) +## Scratch volume details can be specified per component using the component's scratchVolume object (e.g. .Values.analyzer.scratchVolume) ## Generally speaking you need to provision 3x the size of the largest image (uncompressed) that you want to analyze ## ref: https://kubernetes.io/docs/concepts/storage/volumes/ ## 
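Review bot: The new sentence `Scratch volume details can be specified per component using the component's scratchVolume object` does not say which value wins when both are set, although the tests in this commit pin the per-component value as overriding the global one. Suggest stating it next to that line: `## When a component's scratchVolume.details is set it takes precedence over this global value`. The updated `@param scratchVolume.mountPath` line lists `reports` among the pods using the mount, while the new `use_volume` comment later in this file speaks of the reports worker; the two should name the same pod once that is settled.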
@@ -239,6 +240,7 @@ anchoreConfig: ## NOTE: Enterprise cannot automatically revoke or delete keys for disabled SAML users, the admin must revoke all keys assigned to a SAML user after disabling that user. ## @param anchoreConfig.user_authentication.max_api_key_age_days The maximum age, in days, for API keys ## @param anchoreConfig.user_authentication.max_api_keys_per_user The maximum number of API keys per user + ## @param anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days The number of days elapsed after a user API key is deleted before it is garbage collected (-1 to disable) ## ref: https://docs.anchore.com/current/docs/installation/configuration/user_credential_storage/#bearer-tokensoauth2 ## ## @param anchoreConfig.user_authentication.hashed_passwords Enable storing passwords as secure hashes in the database @@ -259,6 +261,7 @@ anchoreConfig: max_api_keys_per_user: 100 hashed_passwords: true sso_require_existing_users: false + remove_deleted_user_api_keys_older_than_days: 365 ## @param anchoreConfig.metrics.enabled Enable Prometheus metrics for all Anchore services ## @param anchoreConfig.metrics.auth_disabled Disable auth on Prometheus metrics for all Anchore services 
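Review bot: `remove_deleted_user_api_keys_older_than_days: 365` is appended after `sso_require_existing_users`, whereas its `@param` line was inserted directly after `max_api_keys_per_user`; placing the value right after `max_api_keys_per_user: 100` keeps the value block in the same order as its documentation and groups the API-key settings together. Since this is a credential-retention default, a one-line why-comment on what deleted keys are kept for before garbage collection would help operators decide whether 365 days is appropriate for them, e.g. `## Deleted keys are retained for this many days before being purged; -1 disables the purge`.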
@@ -532,6 +535,19 @@ anchoreConfig: ## The value should be a number followed by "w", "d", or "h" to represent weeks, days or hours async_execution_timeout: 48h + ## @param anchoreConfig.reports.cycle_timers.reports_scheduled_queries Interval in seconds to check for scheduled queries that need to be run + ## + cycle_timers: + reports_scheduled_queries: 600 + + ## @param anchoreConfig.reports.use_volume Configure the reports worker to buffer report generation to disk instead of in memory + ## This should be configured in production systems with large amounts of data (10s of thousands of images or more) + ## Generally speaking you need to provision 2x the size of the largest report that you expect to generate + ## We recommend utilizing an ephemeral PVC for your scratch volume, this makes it easy to provision enough storage for large reports + ## Scratch volume can be configured using .Values.reports.scratchVolume.details object + ## + use_volume: false + reports_worker: ## @param anchoreConfig.reports_worker.enable_data_ingress Enable periodically syncing data into the Anchore Reports Service ## 
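Review bot: The `use_volume` comment says it configures the *reports worker* and points at `.Values.reports.scratchVolume.details`, but the tests added in this commit attach that volume to `reports_deployment.yaml` (the reports service), and the new `reportsworker_resources_test.yaml` has no scratch-volume case. One of the two is likely inconsistent: either the comment should read `Configure the reports service to buffer report generation to disk`, or the volume belongs under `reportsWorker.scratchVolume` and on the worker deployment; please confirm against whichever service actually writes the buffer. The `cycle_timers` comment states its unit (seconds), which is good; the `use_volume` block could likewise name the mount path it uses so operators can size the volume correctly.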
@@ -654,105 +670,120 @@ anchoreConfig: ## dbPassword: "" - -################################################# -## @section Anchore API k8s Deployment Parameters -################################################# -api: - ## @param api.replicaCount Number of replicas for Anchore API deployment +###################################################### +## @section Anchore Analyzer k8s Deployment Parameters +###################################################### +analyzer: + ## @param analyzer.replicaCount Number of replicas for the Anchore Analyzer deployment ## replicaCount: 1 - ## @param api.service.type Service type for Anchore API - ## @param api.service.port Service port for Anchore API - ## @param api.service.reportsPort Service port for Anchore Reports API - ## @param api.service.annotations Annotations for Anchore API service - ## @param api.service.labels Labels for Anchore API service - ## @param api.service.nodePort nodePort for Anchore API service + ## @param analyzer.service.port The port used for gatherings metrics when .Values.metricsEnabled=true ## service: - type: ClusterIP - port: 8228 - reportsPort: 8558 - annotations: {} - labels: {} - nodePort: "" + port: 8084 - ## @param api.extraEnv Set extra environment variables for Anchore API pods + ## @param analyzer.extraEnv Set extra environment variables for Anchore Analyzer pods ## extraEnv: [] - ## @param api.resources Resource requests and limits for Anchore API pods + ## @param analyzer.resources Resource requests and limits for Anchore Analyzer pods + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. 
## resources: {} + # requests: + # cpu: 1000m + # memory: 8000Mi + # limits: + # memory: 8000Mi - ## @param api.labels Labels for Anchore API pods + ## @param analyzer.labels Labels for Anchore Analyzer pods ## labels: {} - ## @param api.annotations Annotation for Anchore API pods + ## @param analyzer.annotations Annotation for Anchore Analyzer pods ## annotations: {} - ## @param api.nodeSelector Node labels for Anchore API pod assignment + ## @param analyzer.nodeSelector Node labels for Anchore Analyzer pod assignment ## nodeSelector: {} - ## @param api.tolerations Tolerations for Anchore API pod assignment + ## @param analyzer.tolerations Tolerations for Anchore Analyzer pod assignment ## tolerations: [] - ## @param api.affinity Affinity for Anchore API pod assignment + ## @param analyzer.affinity Affinity for Anchore Analyzer pod assignment ## affinity: {} - ## @param api.serviceAccountName Service account name for Anchore API pods + ## @param analyzer.serviceAccountName Service account name for Anchore API pods ## serviceAccountName: "" -###################################################### -## @section Anchore Analyzer k8s Deployment Parameters -###################################################### -analyzer: - ## @param analyzer.replicaCount Number of replicas for the Anchore Analyzer deployment + ## @param analyzer.scratchVolume.details [object] Details for the k8s volume to be created for Anchore Analyzer scratch space + ## + scratchVolume: + details: {} + +################################################# +## @section Anchore API k8s Deployment Parameters +################################################# +api: + ## @param api.replicaCount Number of replicas for Anchore API deployment ## replicaCount: 1 - ## @param analyzer.service.port The port used for gatherings metrics when .Values.metricsEnabled=true + ## @param api.service.type Service type for Anchore API + ## @param api.service.port Service port for Anchore API + ## @param api.service.annotations 
Annotations for Anchore API service + ## @param api.service.labels Labels for Anchore API service + ## @param api.service.nodePort nodePort for Anchore API service ## service: - port: 8084 + type: ClusterIP + port: 8228 + annotations: {} + labels: {} + nodePort: "" - ## @param analyzer.extraEnv Set extra environment variables for Anchore Analyzer pods + ## @param api.extraEnv Set extra environment variables for Anchore API pods ## extraEnv: [] - ## @param analyzer.resources Resource requests and limits for Anchore Analyzer pods - ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param api.resources Resource requests and limits for Anchore API pods + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. ## resources: {} + # requests: + # cpu: 500m + # memory: 1000Mi + # limits: + # memory: 1000Mi - ## @param analyzer.labels Labels for Anchore Analyzer pods + ## @param api.labels Labels for Anchore API pods ## labels: {} - ## @param analyzer.annotations Annotation for Anchore Analyzer pods + ## @param api.annotations Annotation for Anchore API pods ## annotations: {} - ## @param analyzer.nodeSelector Node labels for Anchore Analyzer pod assignment + ## @param api.nodeSelector Node labels for Anchore API pod assignment ## nodeSelector: {} - ## @param analyzer.tolerations Tolerations for Anchore Analyzer pod assignment + ## @param api.tolerations Tolerations for Anchore API pod assignment ## tolerations: [] - ## @param analyzer.affinity Affinity for Anchore Analyzer pod assignment + ## @param api.affinity Affinity for Anchore API pod assignment ## affinity: {} - ## @param analyzer.serviceAccountName Service account name for Anchore API pods + ## @param api.serviceAccountName Service account name for Anchore API pods ## serviceAccountName: "" 
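Review bot: `## @param analyzer.serviceAccountName Service account name for Anchore API pods` is re-added with the wrong component name; it should read `## @param analyzer.serviceAccountName Service account name for Anchore Analyzer pods`. The line was already wrong before, but since the whole section is rewritten here this is the moment to correct it. Swapping the `api` and `analyzer` sections wholesale turns a small addition (`analyzer.scratchVolume.details` and the commented baseline resources) into a hundred-line rewrite that hides the real change; the same applies to the `-826` hunk, which reorders policyEngine, simpleQueue, notifications, rbacAuth and rbacManager — a separate reorder-only commit would keep both reviewable.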
@@ -782,8 +813,15 @@ catalog: extraEnv: [] ## @param catalog.resources Resource requests and limits for Anchore Catalog pods + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. ## resources: {} + # requests: + # cpu: 1000m + # memory: 8000Mi + # limits: + # memory: 8000Mi ## @param catalog.labels Labels for Anchore Catalog pods ## @@ -809,6 +847,11 @@ catalog: ## serviceAccountName: "" + ## @param catalog.scratchVolume.details [object] Details for the k8s volume to be created for Anchore Catalog scratch space + ## + scratchVolume: + details: {} + ########################################## ## @section Anchore Feeds Chart Parameters ########################################## 
@@ -826,162 +869,219 @@ feeds: ## url: "" -########################################################### -## @section Anchore Policy Engine k8s Deployment Parameters -########################################################### -policyEngine: - ## @param policyEngine.replicaCount Number of replicas for the Anchore Policy Engine deployment + ## @param feeds.resources Resource requests and limits for Anchore Feeds pods + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. + ## + resources: {} + # requests: + # cpu: 2500m + # memory: 10Gi + # limits: + # memory: 10Gi + + +############################################ +## @section Anchore Notifications Parameters +############################################ +notifications: + ## @param notifications.replicaCount Number of replicas for the Anchore Notifications deployment ## replicaCount: 1 - ## @param policyEngine.service.type Service type for Anchore Policy Engine - ## @param policyEngine.service.port Service port for Anchore Policy Engine - ## @param policyEngine.service.annotations Annotations for Anchore Policy Engine service - ## @param policyEngine.service.labels Labels for Anchore Policy Engine service - ## @param policyEngine.service.nodePort nodePort for Anchore Policy Engine service + ## @param notifications.service.type Service type for Anchore Notifications + ## @param notifications.service.port Service port for Anchore Notifications + ## @param notifications.service.annotations Annotations for Anchore Notifications service + ## @param notifications.service.labels Labels for Anchore Notifications service + ## @param notifications.service.nodePort nodePort for Anchore Notifications service ## service: type: ClusterIP - port: 8087 + port: 8668 annotations: {} labels: {} nodePort: "" - ## @param policyEngine.extraEnv Set extra environment variables for 
Anchore Policy Engine pods + ## @param notifications.extraEnv Set extra environment variables for Anchore Notifications pods ## extraEnv: [] - ## @param policyEngine.resources Resource requests and limits for Anchore Policy Engine pods + ## @param notifications.resources Resource requests and limits for Anchore Notifications pods + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. ## resources: {} + # requests: + # cpu: 100m + # memory: 500Mi + # limits: + # memory: 500Mi - ## @param policyEngine.labels Labels for Anchore Policy Engine pods + ## @param notifications.labels Labels for Anchore Notifications pods ## labels: {} - ## @param policyEngine.annotations Annotation for Anchore Policy Engine pods + ## @param notifications.annotations Annotation for Anchore Notifications pods ## annotations: {} - ## @param policyEngine.nodeSelector Node labels for Anchore Policy Engine pod assignment + ## @param notifications.nodeSelector Node labels for Anchore Notifications pod assignment ## nodeSelector: {} - ## @param policyEngine.tolerations Tolerations for Anchore Policy Engine pod assignment + ## @param notifications.tolerations Tolerations for Anchore Notifications pod assignment ## tolerations: [] - ## @param policyEngine.affinity Affinity for Anchore Policy Engine pod assignment + ## @param notifications.affinity Affinity for Anchore Notifications pod assignment ## affinity: {} - ## @param policyEngine.serviceAccountName Service account name for Anchore Policy Engine pods + ## @param notifications.serviceAccountName Service account name for Anchore Notifications pods ## serviceAccountName: "" -########################################### -## @section Anchore Simple Queue Parameters -########################################### -simpleQueue: - ## @param simpleQueue.replicaCount Number of replicas for the Anchore 
Simple Queue deployment +########################################################### +## @section Anchore Policy Engine k8s Deployment Parameters +########################################################### +policyEngine: + ## @param policyEngine.replicaCount Number of replicas for the Anchore Policy Engine deployment ## replicaCount: 1 - ## @param simpleQueue.service.type Service type for Anchore Simple Queue - ## @param simpleQueue.service.port Service port for Anchore Simple Queue - ## @param simpleQueue.service.annotations Annotations for Anchore Simple Queue service - ## @param simpleQueue.service.labels Labels for Anchore Simple Queue service - ## @param simpleQueue.service.nodePort nodePort for Anchore Simple Queue service + ## @param policyEngine.service.type Service type for Anchore Policy Engine + ## @param policyEngine.service.port Service port for Anchore Policy Engine + ## @param policyEngine.service.annotations Annotations for Anchore Policy Engine service + ## @param policyEngine.service.labels Labels for Anchore Policy Engine service + ## @param policyEngine.service.nodePort nodePort for Anchore Policy Engine service ## service: type: ClusterIP - port: 8083 + port: 8087 annotations: {} labels: {} nodePort: "" - ## @param simpleQueue.extraEnv Set extra environment variables for Anchore Simple Queue pods + ## @param policyEngine.extraEnv Set extra environment variables for Anchore Policy Engine pods ## extraEnv: [] - ## @param simpleQueue.resources Resource requests and limits for Anchore Simple Queue pods + ## @param policyEngine.resources Resource requests and limits for Anchore Policy Engine pods + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. 
## resources: {} + # requests: + # cpu: 2000m + # memory: 8000Mi + # limits: + # memory: 8000Mi - ## @param simpleQueue.labels Labels for Anchore Simple Queue pods + ## @param policyEngine.labels Labels for Anchore Policy Engine pods ## labels: {} - ## @param simpleQueue.annotations Annotation for Anchore Simple Queue pods + ## @param policyEngine.annotations Annotation for Anchore Policy Engine pods ## annotations: {} - ## @param simpleQueue.nodeSelector Node labels for Anchore Simple Queue pod assignment + ## @param policyEngine.nodeSelector Node labels for Anchore Policy Engine pod assignment ## nodeSelector: {} - ## @param simpleQueue.tolerations Tolerations for Anchore Simple Queue pod assignment + ## @param policyEngine.tolerations Tolerations for Anchore Policy Engine pod assignment ## tolerations: [] - ## @param simpleQueue.affinity Affinity for Anchore Simple Queue pod assignment + ## @param policyEngine.affinity Affinity for Anchore Policy Engine pod assignment ## affinity: {} - ## @param simpleQueue.serviceAccountName Service account name for Anchore Simple Queue pods + ## @param policyEngine.serviceAccountName Service account name for Anchore Policy Engine pods ## serviceAccountName: "" -############################################ -## @section Anchore Notifications Parameters -############################################ -notifications: - ## @param notifications.replicaCount Number of replicas for the Anchore Notifications deployment + ## @param policyEngine.scratchVolume.details [object] Details for the k8s volume to be created for Anchore Policy Engine scratch space + ## + scratchVolume: + details: {} + +################################################## +## @section Anchore RBAC Authentication Parameters +################################################## +rbacAuth: + ## @param rbacAuth.extraEnv Set extra environment variables for Anchore RBAC Authentication containers + ## + extraEnv: [] + + ## @param rbacAuth.resources Resource requests and limits 
for Anchore RBAC Authentication containers + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. + ## + resources: {} + # requests: + # cpu: 100m + # memory: 500Mi + # limits: + # memory: 500Mi + +########################################### +## @section Anchore RBAC Manager Parameters +########################################### +rbacManager: + ## @param rbacManager.replicaCount Number of replicas for the Anchore RBAC Manager deployment ## replicaCount: 1 - ## @param notifications.service.type Service type for Anchore Notifications - ## @param notifications.service.port Service port for Anchore Notifications - ## @param notifications.service.annotations Annotations for Anchore Notifications service - ## @param notifications.service.labels Labels for Anchore Notifications service - ## @param notifications.service.nodePort nodePort for Anchore Notifications service + ## @param rbacManager.service.type Service type for Anchore RBAC Manager + ## @param rbacManager.service.port Service port for Anchore RBAC Manager + ## @param rbacManager.service.annotations Annotations for Anchore RBAC Manager service + ## @param rbacManager.service.labels Labels for Anchore RBAC Manager service + ## @param rbacManager.service.nodePort nodePort for Anchore RBAC Manager service ## service: type: ClusterIP - port: 8668 + port: 8229 annotations: {} labels: {} nodePort: "" - ## @param notifications.extraEnv Set extra environment variables for Anchore Notifications pods + ## @param rbacManager.extraEnv Set extra environment variables for Anchore RBAC Manager pods ## extraEnv: [] - ## @param notifications.resources Resource requests and limits for Anchore Notifications pods + ## @param rbacManager.resources Resource requests and limits for Anchore RBAC Manager pods + ## ref: 
https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. ## resources: {} + # requests: + # cpu: 100m + # memory: 500Mi + # limits: + # memory: 500Mi - ## @param notifications.labels Labels for Anchore Notifications pods + ## @param rbacManager.labels Labels for Anchore RBAC Manager pods ## labels: {} - ## @param notifications.annotations Annotation for Anchore Notifications pods + ## @param rbacManager.annotations Annotation for Anchore RBAC Manager pods ## annotations: {} - ## @param notifications.nodeSelector Node labels for Anchore Notifications pod assignment + ## @param rbacManager.nodeSelector Node labels for Anchore RBAC Manager pod assignment ## nodeSelector: {} - ## @param notifications.tolerations Tolerations for Anchore Notifications pod assignment + ## @param rbacManager.tolerations Tolerations for Anchore RBAC Manager pod assignment ## tolerations: [] - ## @param notifications.affinity Affinity for Anchore Notifications pod assignment + ## @param rbacManager.affinity Affinity for Anchore RBAC Manager pod assignment ## affinity: {} - ## @param notifications.serviceAccountName Service account name for Anchore Notifications pods + ## @param rbacManager.serviceAccountName Service account name for Anchore RBAC Manager pods ## serviceAccountName: "" @@ -994,7 +1094,7 @@ reports: replicaCount: 1 ## @param reports.service.type Service type for Anchore Reports - ## @param reports.service.port Service port for Anchore Reports Worker + ## @param reports.service.port Service port for Anchore Reports ## @param reports.service.annotations Annotations for Anchore Reports service ## @param reports.service.labels Labels for Anchore Reports service ## @param reports.service.nodePort nodePort for Anchore Reports service 
@@ -1011,8 +1111,15 @@ reports: extraEnv: [] ## @param reports.resources Resource requests and limits for Anchore Reports pods + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. ## resources: {} + # requests: + # memory: 2000Mi + # cpu: 2000m + # limits: + # memory: 2000Mi ## @param reports.labels Labels for Anchore Reports pods ## 
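Review bot: The commented baseline under `reports.resources` lists `memory` before `cpu` (`# requests:` / `# memory: 2000Mi` / `# cpu: 2000m`), while every other component's baseline in this commit lists `cpu` then `memory`; reorder it to match. The `reportsWorker.resources` baseline in the following hunk has the same inverted order.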
@@ -1038,68 +1145,138 @@ reports: ## serviceAccountName: "" -################################################## -## @section Anchore RBAC Authentication Parameters -################################################## -rbacAuth: - ## @param rbacAuth.extraEnv Set extra environment variables for Anchore RBAC Authentication containers + ## @param reports.scratchVolume.details [object] Details for the k8s volume to be created for Anchore Reports scratch space + ## ref: https://kubernetes.io/docs/concepts/storage/volumes/ + ## + scratchVolume: + details: {} + # ephemeral: + # volumeClaimTemplate: + # spec: + # accessModes: + # - ReadWriteOnce + # resources: + # requests: + # storage: 100Gi + # storageClassName: "" + +############################################# +## @section Anchore Reports Worker Parameters +############################################# +reportsWorker: + ## @param reportsWorker.replicaCount Number of replicas for the Anchore Reports deployment + ## + replicaCount: 1 + + ## @param reportsWorker.service.type Service type for Anchore Reports Worker + ## @param reportsWorker.service.port Service port for Anchore Reports Worker + ## @param reportsWorker.service.annotations Annotations for Anchore Reports Worker service + ## @param reportsWorker.service.labels Labels for Anchore Reports Worker service + ## @param reportsWorker.service.nodePort nodePort for Anchore Reports Worker service + ## + service: + type: ClusterIP + port: 8559 + annotations: {} + labels: {} + nodePort: "" + + ## @param reportsWorker.extraEnv Set extra environment variables for Anchore Reports Worker pods ## extraEnv: [] - ## @param rbacAuth.resources Resource requests and limits for Anchore RBAC Authentication containers + ## @param reportsWorker.resources Resource requests and limits for Anchore Reports Worker pods + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + ## Commented values below are just a suggested baseline. 
Contact Anchore support for deployment specific recommendations. ## resources: {} + # requests: + # memory: 1000Mi + # cpu: 2000m + # limits: + # memory: 1000Mi + + ## @param reportsWorker.labels Labels for Anchore Reports Worker pods + ## + labels: {} + + ## @param reportsWorker.annotations Annotation for Anchore Reports Worker pods + ## + annotations: {} + + ## @param reportsWorker.nodeSelector Node labels for Anchore Reports Worker pod assignment + ## + nodeSelector: {} + + ## @param reportsWorker.tolerations Tolerations for Anchore Reports Worker pod assignment + ## + tolerations: [] + + ## @param reportsWorker.affinity Affinity for Anchore Reports Worker pod assignment + ## + affinity: {} + + ## @param reportsWorker.serviceAccountName Service account name for Anchore Reports Worker pods + ## + serviceAccountName: "" ########################################### -## @section Anchore RBAC Manager Parameters +## @section Anchore Simple Queue Parameters ########################################### -rbacManager: - ## @param rbacManager.replicaCount Number of replicas for the Anchore RBAC Manager deployment +simpleQueue: + ## @param simpleQueue.replicaCount Number of replicas for the Anchore Simple Queue deployment ## replicaCount: 1 - ## @param rbacManager.service.type Service type for Anchore RBAC Manager - ## @param rbacManager.service.port Service port for Anchore RBAC Manager - ## @param rbacManager.service.annotations Annotations for Anchore RBAC Manager service - ## @param rbacManager.service.labels Labels for Anchore RBAC Manager service - ## @param rbacManager.service.nodePort nodePort for Anchore RBAC Manager service + ## @param simpleQueue.service.type Service type for Anchore Simple Queue + ## @param simpleQueue.service.port Service port for Anchore Simple Queue + ## @param simpleQueue.service.annotations Annotations for Anchore Simple Queue service + ## @param simpleQueue.service.labels Labels for Anchore Simple Queue service + ## @param 
simpleQueue.service.nodePort nodePort for Anchore Simple Queue service ## service: type: ClusterIP - port: 8229 + port: 8083 annotations: {} labels: {} nodePort: "" - ## @param rbacManager.extraEnv Set extra environment variables for Anchore RBAC Manager pods + ## @param simpleQueue.extraEnv Set extra environment variables for Anchore Simple Queue pods ## extraEnv: [] - ## @param rbacManager.resources Resource requests and limits for Anchore RBAC Manager pods + ## @param simpleQueue.resources Resource requests and limits for Anchore Simple Queue pods + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. ## resources: {} + # requests: + # cpu: 250m + # memory: 1000Mi + # limits: + # memory: 1000Mi - ## @param rbacManager.labels Labels for Anchore RBAC Manager pods + ## @param simpleQueue.labels Labels for Anchore Simple Queue pods ## labels: {} - ## @param rbacManager.annotations Annotation for Anchore RBAC Manager pods + ## @param simpleQueue.annotations Annotation for Anchore Simple Queue pods ## annotations: {} - ## @param rbacManager.nodeSelector Node labels for Anchore RBAC Manager pod assignment + ## @param simpleQueue.nodeSelector Node labels for Anchore Simple Queue pod assignment ## nodeSelector: {} - ## @param rbacManager.tolerations Tolerations for Anchore RBAC Manager pod assignment + ## @param simpleQueue.tolerations Tolerations for Anchore Simple Queue pod assignment ## tolerations: [] - ## @param rbacManager.affinity Affinity for Anchore RBAC Manager pod assignment + ## @param simpleQueue.affinity Affinity for Anchore Simple Queue pod assignment ## affinity: {} - ## @param rbacManager.serviceAccountName Service account name for Anchore RBAC Manager pods + ## @param simpleQueue.serviceAccountName Service account name for Anchore Simple Queue pods ## serviceAccountName: "" 
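Review bot: The new `reportsWorker.replicaCount` parameter is documented as "Number of replicas for the Anchore Reports deployment", which is the description copied from the `reports` section; every other `reportsWorker.*` line in this hunk says "Reports Worker", so this one reads as a copy/paste slip and will be carried into the generated README. Change it to `## @param reportsWorker.replicaCount Number of replicas for the Anchore Reports Worker deployment`. A similar slip is on `reports.scratchVolume.details`, whose ref comment points at the volumes docs but does not say that the volume is only used when `anchoreConfig.reports.use_volume` is enabled; a one-line comment naming that condition would save readers a trip to the config section.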
@@ -1109,7 +1286,7 @@ rbacManager: ui: ## @param ui.image Image used for the Anchore UI container ## - image: docker.io/anchore/enterprise-ui:v5.1.0 + image: docker.io/anchore/enterprise-ui:v5.2.0 ## @param ui.imagePullPolicy Image pull policy for Anchore UI image ## @@ -1149,8 +1326,15 @@ ui: extraEnv: [] ## @param ui.resources Resource requests and limits for Anchore UI pods + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. ## resources: {} + # requests: + # cpu: 100m + # memory: 5000Mi + # limits: + # memory: 5000Mi ## @param ui.labels Labels for Anchore UI pods ## @@ -1288,16 +1472,6 @@ ingress: feedsPaths: - /v2/feeds/ - ## @param ingress.reportsHosts List of custom hostnames for the Anchore Reports API - ## - reportsHosts: [] - - ## @param ingress.reportsPaths The path used for accessing the Anchore Reports API - ## Exposing the reports API enables the GraphQL interface, use /v2/reports/graphql for ingress.reportsPath - ## - reportsPaths: - - /v2/reports/ - ## @param ingress.tls Configure tls for the ingress resource ## Secrets must be manually created in the release namespace ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls From bc2f1940bd3a8dbf706ceb1ed72a9bed2a6d6ca7 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 2 Feb 2024 16:49:07 -0800 Subject: [PATCH 308/329] stable/enterprise: Update documentation (#340) * update comments around reports resource config * fix error message when using image_ttl_days=-1 * add more details to the release notes around reports deployment values changes * bump chart version --------- 
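Review bot: The suggested baseline for the UI pod in the `ui.resources` hunk is `cpu: 100m` with `memory: 5000Mi`, which is larger than the memory baseline given to `reports` (2000Mi), `reportsWorker` and `simpleQueue` (1000Mi) in the same change; if 500Mi was intended this is a typo worth fixing before it is copied into real values files, and if 5000Mi is deliberate a short comment explaining why the UI needs that much would prevent the same question from recurring. Because these lines are commented out they are never validated by a render, so this is documentation only.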
Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 8 ++++---- stable/enterprise/templates/envvars_configmap.yaml | 2 +- stable/enterprise/values.yaml | 8 +++++--- 4 files changed, 11 insertions(+), 9 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index f51696be..5412f8dc 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "2.3.0" +version: "2.3.1" appVersion: "5.2.0" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 2ecbcf03..88c10b7b 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md 
@@ -1041,14 +1041,14 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `anchoreConfig.reports.enable_graphiql` | Enable GraphiQL, a GUI for editing and testing GraphQL queries and mutations | `true` | | `anchoreConfig.reports.async_execution_timeout` | Configure how long a scheduled query must be running for before it is considered timed out | `48h` | | `anchoreConfig.reports.cycle_timers.reports_scheduled_queries` | Interval in seconds to check for scheduled queries that need to be run | `600` | -| `anchoreConfig.reports.use_volume` | Configure the reports worker to buffer report generation to disk instead of in memory | `false` | +| `anchoreConfig.reports.use_volume` | Configure the reports service to buffer report generation to disk instead of in memory | `false` | | `anchoreConfig.reports_worker.enable_data_ingress` | Enable periodically syncing data into the Anchore Reports Service | `true` | | `anchoreConfig.reports_worker.enable_data_egress` | Periodically remove reporting data that has been removed in other parts of system | `false` | | `anchoreConfig.reports_worker.data_egress_window` | defines a number of days to keep reporting data following its deletion in the rest of system. | `0` | | `anchoreConfig.reports_worker.data_refresh_max_workers` | The maximum number of concurrent threads to refresh existing results (etl vulnerabilities and evaluations) in reports service. | `10` | | `anchoreConfig.reports_worker.data_load_max_workers` | The maximum number of concurrent threads to load new results (etl vulnerabilities and evaluations) to reports service. 
| `10` | | `anchoreConfig.reports_worker.cycle_timers.reports_image_load` | Interval that vulnerabilities for images are synced | `600` | -| `anchoreConfig.reports_worker.cycle_timers.reports_tag_load` | Interval that vulnerabilties by tags are synced | `600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_tag_load` | Interval that vulnerabilities by tags are synced | `600` | | `anchoreConfig.reports_worker.cycle_timers.reports_runtime_inventory_load` | Interval that the runtime inventory is synced | `600` | | `anchoreConfig.reports_worker.cycle_timers.reports_extended_runtime_vuln_load` | Interval extended runtime reports are synched (ecs, k8s containers and namespaces) | `1800` | | `anchoreConfig.reports_worker.cycle_timers.reports_image_refresh` | Interval that images are refreshed | `7200` | 
@@ -1388,8 +1388,8 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel - The reports pod has been split out of the API deployment and is now a separate deployment. A new deployment called `reports_worker` has been added. This allows for more granular control over the resources allocated to the reports and reports_worker services. - :warning: **WARNING:** Values file changes necessary: - If you are using a custom port for the reports service, previously set with `api.service.reportsPort`, you will need to update your values file to use `reports.service.port` instead. - - Resource requests & limits were previously set for both reports pods found in the `reports_deployment` and `api_deployment` using the `reports.resources` section of the values file. These have been split into separate deployments and the resources are now set in the `reports.resources` and `reports_worker.resources` sections of the values file. If you are using custom resources, you will need to update your values file to reflect this change. -- The reports service no longer has an accessible API endpoint, all API requests should be made to the API service. This version of the chart removed deprecated ingress configurations to accommodate this change. Update your values file to remove all references to the `reports` service in the `ingress` section. + - Component specific configurations such as resources (as well as annotations, labels, extraEnv, etc) were previously set for both reports pods found in the `reports_deployment` and `api_deployment` using the `reports.resources` section of the values file. These have been split into separate deployments and the resources are now set in the `reports.resources` and `reports_worker.resources` sections of the values file. If you are using custom resources, you will need to update your values file to reflect this change. 
+- The reports service is now an internal service and the GraphQLAPI/ReportsAPI is served to users by the API service and routed internally in the deployment as needed. This version of the chart removed deprecated ingress configurations to accommodate this change. Update your values file to remove all references to the `reports` service in the `ingress` section. ### V2.2.0 diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index 0d080227..43be8740 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml +++ b/stable/enterprise/templates/envvars_configmap.yaml @@ -50,7 +50,7 @@ data: ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER: "true" ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE: "true" {{- if eq (toString .Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days) "-1" }} - {{- fail "The Value `-1` is no longer valid for `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days`. Please use `.Values.anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite=true` to force runtime inventory to be overwritten upon every update for that reported context. `.Values.anchoreConfig.catalog.runtime_inventory.inventory_ttl_days` must be set to a value >1." -}} + {{- fail "The Value `-1` is no longer valid for `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days`. Please use `.Values.anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite=true` to force runtime inventory to be overwritten upon every update for that reported context. `.Values.anchoreConfig.catalog.runtime_inventory.inventory_ttl_days` must be set to a value >1." -}} {{- else }} ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS: "{{ .Values.anchoreConfig.catalog.runtime_inventory.inventory_ttl_days }}" ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE: "{{ .Values.anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite }}" 
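Review bot: The corrected `fail` message in the envvars_configmap.yaml hunk tells the user that `inventory_ttl_days` "must be set to a value >1", but the only check the template performs is the visible `eq (toString ...image_ttl_days) "-1"`; nothing rejects an `inventory_ttl_days` of 0 or 1, so the message promises a constraint the chart does not enforce. If that bound is real, add a matching guard before the `else` branch, e.g. `{{- if le (int .Values.anchoreConfig.catalog.runtime_inventory.inventory_ttl_days) 1 }}` with its own `fail`; if it is not, reword the message to state the actual requirement. The single-line message is also very long; splitting it with a `printf` or `cat` would make future edits like this one easier to review.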
diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index bb727784..3b2abf66 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -540,7 +540,7 @@ anchoreConfig: cycle_timers: reports_scheduled_queries: 600 - ## @param anchoreConfig.reports.use_volume Configure the reports worker to buffer report generation to disk instead of in memory + ## @param anchoreConfig.reports.use_volume Configure the reports service to buffer report generation to disk instead of in memory ## This should be configured in production systems with large amounts of data (10s of thousands of images or more) ## Generally speaking you need to provision 2x the size of the largest report that you expect to generate ## We recommend utilizing an ephemeral PVC for your scratch volume, this makes it easy to provision enough storage for large reports @@ -571,7 +571,7 @@ anchoreConfig: data_load_max_workers: 10 ## @param anchoreConfig.reports_worker.cycle_timers.reports_image_load Interval that vulnerabilities for images are synced - ## @param anchoreConfig.reports_worker.cycle_timers.reports_tag_load Interval that vulnerabilties by tags are synced + ## @param anchoreConfig.reports_worker.cycle_timers.reports_tag_load Interval that vulnerabilities by tags are synced ## @param anchoreConfig.reports_worker.cycle_timers.reports_runtime_inventory_load Interval that the runtime inventory is synced ## @param anchoreConfig.reports_worker.cycle_timers.reports_extended_runtime_vuln_load Interval extended runtime reports are synched (ecs, k8s containers and namespaces) ## @param anchoreConfig.reports_worker.cycle_timers.reports_image_refresh Interval that images are refreshed 
@@ -1112,7 +1112,9 @@ reports: ## @param reports.resources Resource requests and limits for Anchore Reports pods ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. + ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations + ## NOTE: the commented resources below are assuming the use of a scratch volume with `anchoreConfig.reports.use_volume=true` + ## If not using a scratch volume, the memory resources may need to be increased. ## resources: {} # requests: From 0ff752172c4cc132afcdf8f8e7332165ae4b0786 Mon Sep 17 00:00:00 2001 From: Zach Hill Date: Wed, 7 Feb 2024 15:24:41 -0800 Subject: [PATCH 309/329] fix: updates handling of github token to use a default string instead of null (#339) * fix: set the ANCHORE_GITHUB_TOKEN to "default-unset" instead of null, and add tests Having a non-null string value ensures proper rendering of the value into the secret and is a no-op when the anchoreConfig.feeds.drivers.github.enabled property is false. When a user enables that flag, it is expected that the token value is set to a non-default value in order for the driver to work. Signed-off-by: Zach Hill * Update secret_test.yaml --------- Signed-off-by: Zach Hill Co-authored-by: Brady Todhunter --- stable/feeds/Chart.yaml | 2 +- stable/feeds/templates/envvars_configmap.yaml | 2 +- stable/feeds/templates/secret.yaml | 2 ++ .../__snapshot__/configmap_test.yaml.snap | 2 +- stable/feeds/tests/configmap_test.yaml | 17 ++++++++++++ stable/feeds/tests/secret_test.yaml | 26 +++++++++++++++++++ 6 files changed, 48 insertions(+), 3 deletions(-) create mode 100644 stable/feeds/tests/secret_test.yaml diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index f94900d8..4d90eed5 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml 
@@ -1,7 +1,7 @@ apiVersion: v2 name: feeds type: application -version: "2.2.0" +version: "2.2.1" appVersion: "5.2.0" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.28.x-x description: Anchore feeds service diff --git a/stable/feeds/templates/envvars_configmap.yaml b/stable/feeds/templates/envvars_configmap.yaml index 60a6e3a5..568a328c 100644 --- a/stable/feeds/templates/envvars_configmap.yaml +++ b/stable/feeds/templates/envvars_configmap.yaml @@ -63,7 +63,7 @@ data: ANCHORE_FEEDS_PACKAGES_ENABLED: "false" ANCHORE_FEEDS_TMP_DIR: "{{ .Values.scratchVolume.mountPath }}" ANCHORE_FEEDS_WORKSPACE_PRELOAD: "true" - ANCHORE_GITHUB_TOKEN: "null" + ANCHORE_GITHUB_TOKEN: "default-unset" ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT: "0" ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT: "0" ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC: "180" diff --git a/stable/feeds/templates/secret.yaml b/stable/feeds/templates/secret.yaml index dc7ace82..158c3ccd 100644 --- a/stable/feeds/templates/secret.yaml +++ b/stable/feeds/templates/secret.yaml @@ -16,9 +16,11 @@ stringData: {{- with .Values.anchoreConfig.keys.secret }} ANCHORE_SAML_SECRET: {{ . | quote }} {{- end }} +{{- if .Values.anchoreConfig.feeds.drivers.github.enabled }} {{- with .Values.anchoreConfig.feeds.drivers.github.token }} ANCHORE_GITHUB_TOKEN: {{ . | quote }} {{- end }} +{{- end }} {{- with .Values.anchoreConfig.feeds.drivers.nvdv2.api_key }} ANCHORE_NVD_API_KEY: {{ . | quote }} {{- end }} diff --git a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap index a7552431..3a3ff1ce 100644 --- a/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/feeds/tests/__snapshot__/configmap_test.yaml.snap 
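Review bot: The ConfigMap hunk in envvars_configmap.yaml now hard-codes `ANCHORE_GITHUB_TOKEN: "default-unset"` while the Secret renders the same key with the real value, so two objects define one environment variable and whichever the Deployment loads last wins; the Deployment is outside this diff, so the precedence should be confirmed and recorded next to the sentinel, e.g. `# placeholder only; the real token is rendered into the Secret, which must be loaded after this ConfigMap`. A sentinel that the feeds driver presumably treats as "unset" is also a magic string, so naming where that contract lives would help the next maintainer.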
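Review bot: In the secret.yaml hunk, enabling the github driver with an empty `token` now renders no `ANCHORE_GITHUB_TOKEN` at all, because the inner `with` block silently skips an empty value; the pod then inherits the ConfigMap's `default-unset` placeholder and, per the commit message, the driver fails only at runtime. Failing at template time is cheaper and clearer: `{{- if and .Values.anchoreConfig.feeds.drivers.github.enabled (not .Values.anchoreConfig.feeds.drivers.github.token) }}`, `{{- fail "anchoreConfig.feeds.drivers.github.token is required when the github driver is enabled" }}`, `{{- end }}` placed before the new `if`. This keeps the token out of the ConfigMap as the change intends while refusing a half-configured driver.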
@@ -182,7 +182,7 @@ should render the configmaps: ANCHORE_FEEDS_PACKAGES_ENABLED: "false" ANCHORE_FEEDS_TMP_DIR: /anchore_scratch ANCHORE_FEEDS_WORKSPACE_PRELOAD: "true" - ANCHORE_GITHUB_TOKEN: "null" + ANCHORE_GITHUB_TOKEN: default-unset ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT: "0" ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT: "0" ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC: "180" diff --git a/stable/feeds/tests/configmap_test.yaml b/stable/feeds/tests/configmap_test.yaml index 6a15362c..2b904064 100644 --- a/stable/feeds/tests/configmap_test.yaml +++ b/stable/feeds/tests/configmap_test.yaml @@ -32,3 +32,20 @@ tests: - matchRegex: path: data["ANCHORE_FEEDS_EXTERNAL_URL"] pattern: https://something/v2/$ + + - it: should render the default-unset string for the ANCHORE_GITHUB_TOKEN rather than "null" + template: envvars_configmap.yaml + asserts: + - equal: + path: data.ANCHORE_GITHUB_TOKEN + value: "default-unset" + + - it: should render the default-unset string in envvar even if GH token is set, since that is covered by the secrets + template: envvars_configmap.yaml + set: + feeds.drivers.github.enabled: true + feeds.drivers.github.token: foobar + asserts: + - equal: + path: data.ANCHORE_GITHUB_TOKEN + value: "default-unset" \ No newline at end of file diff --git a/stable/feeds/tests/secret_test.yaml b/stable/feeds/tests/secret_test.yaml new file mode 100644 index 00000000..d0684bf8 --- /dev/null +++ b/stable/feeds/tests/secret_test.yaml 
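Review bot: The second test added to configmap_test.yaml sets `feeds.drivers.github.enabled` and `feeds.drivers.github.token`, but the templates in this commit read `.Values.anchoreConfig.feeds.drivers.github.*` (see the secret.yaml hunk), so the `set:` block assigns keys nothing reads and the test would still pass if the ConfigMap started leaking the real token. Use `anchoreConfig.feeds.drivers.github.enabled: true` and `anchoreConfig.feeds.drivers.github.token: foobar`, matching secret_test.yaml, so the assertion actually covers the enabled path. The file is also left without a trailing newline on the last added line.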
@@ -0,0 +1,26 @@ +suite: Secret Tests +templates: + - secret.yaml +release: + name: test-release + namespace: test-namespace +chart: + version: 9.9.9 + appVersion: 9.9.9 +tests: + - it: should not render github driver token in the secret when github driver is not enabled + template: secret.yaml + values: + - values.yaml + asserts: + - notExists: + path: stringData.ANCHORE_GITHUB_TOKEN + - it: should render github driver token in the secret correctly when driver is enabled & token is set + template: secret.yaml + set: + anchoreConfig.feeds.drivers.github.token: foobar + anchoreConfig.feeds.drivers.github.enabled: true + asserts: + - equal: + path: stringData.ANCHORE_GITHUB_TOKEN + value: "foobar" From 807927fda52666d693cbe709c5a07f6c600e3ac5 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 8 Feb 2024 09:40:13 -0800 Subject: [PATCH 310/329] update feeds chart dependency (#341) Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.lock | 6 +++--- stable/enterprise/Chart.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock index 1ab27050..2f177ce0 100644 --- a/stable/enterprise/Chart.lock +++ b/stable/enterprise/Chart.lock @@ -7,6 +7,6 @@ dependencies: version: 17.11.8 - name: feeds repository: https://charts.anchore.io/stable - version: 2.2.0 -digest: sha256:e2fc0ac4d344f4baf4e9b818d05b1bb88ee87f9f760e3fb8237260b67ffc4d15 -generated: "2024-02-01T21:44:45.424502-08:00" + version: 2.2.1 +digest: sha256:6956e62b7b6a9645dea5a0d91cf40a4a3f8ea05dfbe9624988821c11b7b2ae11 +generated: "2024-02-08T09:21:52.523495-08:00" diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 5412f8dc..b0844765 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "2.3.1" +version: "2.3.2" appVersion: "5.2.0" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x description: | 
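Review bot: The new secret_test.yaml covers "driver disabled" and "driver enabled with a token", but not "driver enabled with no token", which is the case the nested `if`/`with` in secret.yaml handles least obviously (it renders nothing). A third case setting only `anchoreConfig.feeds.drivers.github.enabled: true` and asserting whichever behaviour the chart intends, `notExists` today or a render failure if a guard is added, would pin that decision.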
From 794e1df14f68d88e5c0b29254cdcf0bb5b431ba6 Mon Sep 17 00:00:00 2001 From: Bradley Jones Date: Fri, 9 Feb 2024 17:03:20 +0000 Subject: [PATCH 311/329] feat: bump k8s-inventory version Changes the entrypoint of the container to /anchore-k8s-inventory as it is now based on a scratch container and should not assume the binary is present in the PATH. Signed-off-by: Bradley Jones --- stable/k8s-inventory/Chart.yaml | 4 ++-- stable/k8s-inventory/templates/deployment.yaml | 6 +++--- stable/k8s-inventory/values.yaml | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/stable/k8s-inventory/Chart.yaml b/stable/k8s-inventory/Chart.yaml index 1981ad34..d0c1b7a0 100644 --- a/stable/k8s-inventory/Chart.yaml +++ b/stable/k8s-inventory/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: k8s-inventory -version: 0.1.0 -appVersion: "1.1.1" +version: 0.2.0 +appVersion: "1.2.0" description: A Helm chart for Kubernetes Automated Inventory, which describes which images are in use in a given Kubernetes Cluster keywords: - analysis diff --git a/stable/k8s-inventory/templates/deployment.yaml b/stable/k8s-inventory/templates/deployment.yaml index 811bc297..f4ae1823 100644 --- a/stable/k8s-inventory/templates/deployment.yaml +++ b/stable/k8s-inventory/templates/deployment.yaml @@ -45,7 +45,7 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - command: ["anchore-k8s-inventory"] + command: ["/anchore-k8s-inventory"] ports: - name: http containerPort: 80 @@ -53,7 +53,7 @@ spec: livenessProbe: exec: command: - - anchore-k8s-inventory + - /anchore-k8s-inventory - version initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }} 
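Review bot: The liveness probe in the `@@ -53,7 +53,7 @@` hunk of deployment.yaml (and the readiness probe in the following hunk on the next line) still executes `/anchore-k8s-inventory version`, which only proves the binary starts; with a scratch-based image that is now the same check the container's `command` already performs, so the probe cannot distinguish a healthy agent from one that is stuck. The container declares `ports: - name: http containerPort: 80`; if the binary serves a health endpoint there, an `httpGet` probe against `http` would be a more meaningful signal, otherwise a comment such as `# exec probe only verifies the binary executes; no health endpoint available` would document the limitation.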
@@ -63,7 +63,7 @@ spec: readinessProbe: exec: command: - - anchore-k8s-inventory + - /anchore-k8s-inventory - version timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }} periodSeconds: {{ .Values.probes.readiness.periodSeconds }} diff --git a/stable/k8s-inventory/values.yaml b/stable/k8s-inventory/values.yaml index 35a2a2f5..18361f7f 100644 --- a/stable/k8s-inventory/values.yaml +++ b/stable/k8s-inventory/values.yaml @@ -15,7 +15,7 @@ replicaCount: 1 image: pullPolicy: "IfNotPresent" repository: "anchore/k8s-inventory" - tag: "v1.1.1" + tag: "v1.2.0" ## @param imagePullSecrets secrets where Kubernetes should get the credentials for pulling private images ## From 03a60ae54bfd1efa9818b191cbc086c3de9d2b38 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Sat, 10 Feb 2024 05:21:42 +0700 Subject: [PATCH 312/329] updating indentation for feeds upgrade job resources (#343) Signed-off-by: Hung Nguyen --- stable/feeds/Chart.yaml | 2 +- stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index 4d90eed5..6afdd892 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: feeds type: application -version: "2.2.1" +version: "2.2.2" appVersion: "5.2.0" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.28.x-x description: Anchore feeds service diff --git a/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml index b588dd49..682bdf2b 100644 --- a/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml +++ b/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml 
@@ -102,10 +102,10 @@ spec: sleep 10 done {{- with .Values.containerSecurityContext }} - securityContext: {{ toYaml . | nindent 10 }} + securityContext: {{ toYaml . | nindent 12 }} {{- end }} {{- with .Values.feedsUpgradeJob.resources }} - resources: {{- toYaml . | nindent 10 }} + resources: {{- toYaml . | nindent 12 }} {{- end }} containers: {{- if .Values.cloudsql.enabled }} From 302d4d30e0a4def0e80ba5a9f1c6344da9b5f0da Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Sat, 10 Feb 2024 05:33:44 +0700 Subject: [PATCH 313/329] updating indentation for pre upgrade job resources (#344) * updating indentation for pre upgrade job resources * update feeds chart dependency --------- Signed-off-by: Hung Nguyen Signed-off-by: Brady Todhunter Co-authored-by: Brady Todhunter --- stable/enterprise/Chart.lock | 6 +++--- stable/enterprise/Chart.yaml | 2 +- .../templates/hooks/pre-upgrade/upgrade_job.yaml | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock index 2f177ce0..d799d39c 100644 --- a/stable/enterprise/Chart.lock +++ b/stable/enterprise/Chart.lock @@ -7,6 +7,6 @@ dependencies: version: 17.11.8 - name: feeds repository: https://charts.anchore.io/stable - version: 2.2.1 -digest: sha256:6956e62b7b6a9645dea5a0d91cf40a4a3f8ea05dfbe9624988821c11b7b2ae11 -generated: "2024-02-08T09:21:52.523495-08:00" + version: 2.2.2 +digest: sha256:896842986ad8aab0e43a41ecb7fb7d61e08cc2c7e71c948563503091c6d9f409 +generated: "2024-02-09T14:24:08.790481-08:00" diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index b0844765..54004609 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "2.3.2" +version: "2.3.3" appVersion: "5.2.0" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x description: | 
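Review bot: The corrected `securityContext: {{ toYaml . | nindent 12 }}` line uses `{{` without the whitespace-trimming `{{-` that the neighbouring `resources: {{- toYaml . | nindent 12 }}` line uses, so the rendered `securityContext:` line carries a trailing space before the newline that `nindent` inserts; both forms parse, but the inconsistency invites exactly the indentation slip this commit fixes. Use `securityContext: {{- toYaml . | nindent 12 }}` here; the same pair appears twice in the enterprise upgrade_job.yaml hunks on the following line. A unit test that renders `upgradeJob.resources` and asserts the nesting under the init container would keep this from regressing.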
diff --git a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml index 5c0dd160..21466c60 100644 --- a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml +++ b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml @@ -53,10 +53,10 @@ spec: echo 'waiting for pods to go down...' && sleep 5; done {{- with .Values.containerSecurityContext }} - securityContext: {{ toYaml . | nindent 10 }} + securityContext: {{ toYaml . | nindent 12 }} {{- end }} {{- with .Values.upgradeJob.resources }} - resources: {{- toYaml . | nindent 10 }} + resources: {{- toYaml . | nindent 12 }} {{- end }} - name: wait-for-db image: {{ .Values.image }} @@ -82,10 +82,10 @@ spec: sleep 10 done {{- with .Values.containerSecurityContext }} - securityContext: {{ toYaml . | nindent 10 }} + securityContext: {{ toYaml . | nindent 12 }} {{- end }} {{- with .Values.upgradeJob.resources }} - resources: {{- toYaml . | nindent 10 }} + resources: {{- toYaml . | nindent 12 }} {{- end }} containers: {{- if .Values.cloudsql.enabled }} From 2dd3d96700ca8010be55585cb68ba5f4a0974bc2 Mon Sep 17 00:00:00 2001 From: Bradley Jones Date: Wed, 14 Feb 2024 23:55:35 +0000 Subject: [PATCH 314/329] docs: missing namespace in get secret command (#347) Signed-off-by: Bradley Jones --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 54004609..d0f000fd 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "2.3.3" +version: "2.3.4" appVersion: "5.2.0" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 88c10b7b..1d38feaf 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md 
@@ -82,7 +82,7 @@ This guide covers deploying Anchore Enterprise on a Kubernetes cluster with the export NAMESPACE=anchore export RELEASE=my-release export ANCHORECTL_URL=http://localhost:8228/v1/ - export ANCHORECTL_PASSWORD=$(kubectl get secret "${RELEASE}-enterprise" -o jsonpath='{.data.ANCHORE_ADMIN_PASSWORD}' | base64 -d -) + export ANCHORECTL_PASSWORD=$(kubectl get secret -n ${NAMESPACE} "${RELEASE}-enterprise" -o jsonpath='{.data.ANCHORE_ADMIN_PASSWORD}' | base64 -d -) kubectl port-forward -n ${NAMESPACE} svc/${RELEASE}-enterprise-api 8228:8228 # port forward for anchorectl in another terminal anchorectl system status # anchorectl defaults to the user admin, and to the password ${ANCHORECTL_PASSWORD} automatically if set From a54f23c462f939fe5b1a958048bdafee3fce31b9 Mon Sep 17 00:00:00 2001 From: Bradley Jones Date: Thu, 15 Feb 2024 23:00:06 +0000 Subject: [PATCH 315/329] feat: bump ecs-inventory version Signed-off-by: Bradley Jones --- stable/ecs-inventory/Chart.yaml | 4 ++-- stable/ecs-inventory/values.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/stable/ecs-inventory/Chart.yaml b/stable/ecs-inventory/Chart.yaml index 4e9a5234..df292f99 100644 --- a/stable/ecs-inventory/Chart.yaml +++ b/stable/ecs-inventory/Chart.yaml @@ -20,7 +20,7 @@ maintainers: email: hung.nguyen@anchore.com type: application -version: 0.0.4 -appVersion: "1.0.0" +version: 0.0.5 +appVersion: "1.3.0" icon: https://anchore.com/wp-content/uploads/2016/08/anchore.png diff --git a/stable/ecs-inventory/values.yaml b/stable/ecs-inventory/values.yaml index ce4624ef..b7b4fb54 100644 --- a/stable/ecs-inventory/values.yaml +++ b/stable/ecs-inventory/values.yaml 
@@ -8,9 +8,9 @@ replicaCount: 1 ## @param image Image used for all Ecs Inventory deployment deployments -## use docker.io/anchore/ecs-inventory:v1.1.0-fips-amd64 if you want an image built for fips use +## use docker.io/anchore/ecs-inventory:v1.3.0-fips-amd64 if you want an image built for fips use ## -image: "docker.io/anchore/ecs-inventory:v1.1.0" +image: "docker.io/anchore/ecs-inventory:v1.3.0" ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy From be69782978f5d2f226a6bec5d2de9a768a258527 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 16 Feb 2024 13:29:22 -0800 Subject: [PATCH 316/329] Fix ecs-inventory & k8s-inventory existing secrets (#349) * dont fail deployment if using existing secrets (#195) * dont fail deployment if using existing secrets * bump chart version --------- * K8s inventory fix existing secrets (#196) * change useExistingSecrets to match values useExistingSecret in values file * bump chart version * fix existing secret reference in ecs-inventory chart --------- Signed-off-by: Brady Todhunter --- stable/ecs-inventory/Chart.yaml | 2 +- stable/ecs-inventory/templates/deployment.yaml | 2 +- stable/k8s-inventory/Chart.yaml | 2 +- stable/k8s-inventory/templates/_helpers.tpl | 4 ++-- stable/k8s-inventory/templates/deployment.yaml | 2 +- stable/k8s-inventory/templates/secrets.yaml | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/stable/ecs-inventory/Chart.yaml b/stable/ecs-inventory/Chart.yaml index df292f99..04f0197b 100644 --- a/stable/ecs-inventory/Chart.yaml +++ b/stable/ecs-inventory/Chart.yaml @@ -20,7 +20,7 @@ maintainers: email: hung.nguyen@anchore.com type: application -version: 0.0.5 +version: 0.0.6 appVersion: "1.3.0" icon: https://anchore.com/wp-content/uploads/2016/08/anchore.png 
diff --git a/stable/ecs-inventory/templates/deployment.yaml b/stable/ecs-inventory/templates/deployment.yaml index fc440b04..9365255c 100644 --- a/stable/ecs-inventory/templates/deployment.yaml +++ b/stable/ecs-inventory/templates/deployment.yaml @@ -19,7 +19,7 @@ spec: {{- with .Values.annotations }} {{- toYaml . | nindent 8 }} {{- end }} - {{- if not .Values.useExistingSecrets }} + {{- if not .Values.useExistingSecret }} checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} {{- end }} checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} diff --git a/stable/k8s-inventory/Chart.yaml b/stable/k8s-inventory/Chart.yaml index d0c1b7a0..ea2a0696 100644 --- a/stable/k8s-inventory/Chart.yaml +++ b/stable/k8s-inventory/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: k8s-inventory -version: 0.2.0 +version: 0.2.2 appVersion: "1.2.0" description: A Helm chart for Kubernetes Automated Inventory, which describes which images are in use in a given Kubernetes Cluster keywords: diff --git a/stable/k8s-inventory/templates/_helpers.tpl b/stable/k8s-inventory/templates/_helpers.tpl index 0b50a7e3..c675921f 100644 --- a/stable/k8s-inventory/templates/_helpers.tpl +++ b/stable/k8s-inventory/templates/_helpers.tpl @@ -72,7 +72,7 @@ Create the name of the service account to use Require Anchore endpoint and Anchore credentials */}} {{- define "checkAnchoreRequisites" }} -{{- if or (not .Values.k8sInventory.anchore.url) (not .Values.k8sInventory.anchore.user) (not .Values.k8sInventory.anchore.password) }} +{{- if or (not .Values.k8sInventory.anchore.url) (not .Values.k8sInventory.anchore.user) (and (not .Values.useExistingSecret) (not .Values.k8sInventory.anchore.password)) }} {{- fail "Anchore endpoint and credentials are required. See the chart README for more instructions on configuring Anchore Requisites." }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} 
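Review bot: In the `checkAnchoreRequisites` hunk the password is now optional whenever `useExistingSecret` is true, but the guard does not confirm that an existing secret is actually named, so a chart with `useExistingSecret: true` and no secret reference renders a Deployment whose pods fail at runtime instead of at template time; if the chart exposes a value for the secret name (not visible here), add it to the same `or`, e.g. `(and .Values.useExistingSecret (not .Values.<secret-name-value>))` with the real value name. A one-line comment above the `define` would make the two modes explicit: `{{/* password is only required when the chart renders its own Secret (useExistingSecret=false) */}}`. The singular-key rename is applied to the deployment annotations of both charts (this line and the next) and to k8s-inventory's secrets.yaml, but the diffstat lists no stable/ecs-inventory/templates/secrets.yaml, so confirm that file already gates on `useExistingSecret` rather than the old plural key, otherwise the chart-managed Secret is still created next to the user-supplied one. Note also that with an existing secret the `checksum/secrets` annotation is omitted, so pods will not roll when that secret is rotated; a comment on the `{{- if not .Values.useExistingSecret }}` line stating this would save operators a surprise.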
diff --git a/stable/k8s-inventory/templates/deployment.yaml b/stable/k8s-inventory/templates/deployment.yaml index f4ae1823..aaaa895a 100644 --- a/stable/k8s-inventory/templates/deployment.yaml +++ b/stable/k8s-inventory/templates/deployment.yaml @@ -25,7 +25,7 @@ spec: {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} - {{- if not .Values.useExistingSecrets }} + {{- if not .Values.useExistingSecret }} checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} {{- end }} checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} diff --git a/stable/k8s-inventory/templates/secrets.yaml b/stable/k8s-inventory/templates/secrets.yaml index c4c90896..37d81d92 100644 --- a/stable/k8s-inventory/templates/secrets.yaml +++ b/stable/k8s-inventory/templates/secrets.yaml @@ -1,4 +1,4 @@ -{{- if not .Values.useExistingSecrets }} +{{- if not .Values.useExistingSecret }} apiVersion: v1 kind: Secret metadata: From 72cb50f9b8d95c18789d5f715c524b71cf511680 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 29 Feb 2024 09:42:08 -0800 Subject: [PATCH 317/329] add k8s 1.29 and update kindest nodes to latest patch versions (#350) * add k8s 1.29 and update kindest nodes to latest patch versions * bump chart version & update kubeVersion --------- Signed-off-by: Brady Todhunter --- .github/workflows/test.yaml | 2 +- stable/enterprise/Chart.yaml | 4 ++-- stable/feeds/Chart.yaml | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 111fb3ce..db305a20 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -13,7 +13,7 @@ jobs: strategy: fail-fast: false matrix: - kubernetesVersion: ["v1.23.17", "v1.24.15", "v1.25.11", "v1.26.6", "v1.27.3", "v1.28.0"] + kubernetesVersion: ["v1.24.17", "v1.25.16", "v1.26.14", "v1.27.11", "v1.28.7", "v1.29.2"] runs-on: ubuntu-latest steps: - name: Checkout 
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index d0f000fd..4e8256d8 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: enterprise -version: "2.3.4" +version: "2.3.5" appVersion: "5.2.0" -kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x +kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.29.x-x description: | Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems, it allows developers to bolster security without compromising velocity and enables security teams to audit and verify compliance in real-time. diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index 6afdd892..8ee4676d 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 name: feeds type: application -version: "2.2.2" +version: "2.2.3" appVersion: "5.2.0" -kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.28.x-x +kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.29.x-x description: Anchore feeds service keywords: - "anchore" From a1e3847dcb822d1ddb46b14f0810e7f63a26d1d7 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 29 Feb 2024 11:33:04 -0800 Subject: [PATCH 318/329] stable/feeds: upgrade enterprise image to v5.3.0 (#352) * bump enterprise image to v5.3.0 * bump chart version * update test snapshots --------- Signed-off-by: Brady Todhunter --- stable/feeds/Chart.yaml | 4 ++-- stable/feeds/README.md | 12 +++++++++++- .../prehook_upgrade_resources_test.yaml.snap | 2 +- stable/feeds/values.yaml | 2 +- 4 files changed, 15 insertions(+), 5 deletions(-) diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index 8ee4676d..05bf9c8a 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml 
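Review bot: Only the `-x`-suffixed alternative of `kubeVersion` is raised to `1.29.x-x` in both Chart.yaml hunks, while the plain range still caps at `1.28.x` (enterprise) and `1.27.x` (feeds); whether a release version such as 1.29.2 satisfies the second alternative depends on how Helm's semver library treats that prerelease-style range, so raising the first range as well, `kubeVersion: 1.23.x - 1.29.x || 1.23.x-x - 1.29.x-x`, removes the ambiguity the commit title says it is fixing. The test matrix in .github/workflows/test.yaml on the previous line also drops v1.23.17, so the declared 1.23.x minimum is no longer exercised by CI; either raise the lower bound or keep a 1.23 node in the matrix so the constraint and the tested set agree. The feeds hunk has the same mismatch with its first range still at 1.27.x.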
@@ -1,8 +1,8 @@ apiVersion: v2 name: feeds type: application -version: "2.2.3" -appVersion: "5.2.0" +version: "2.3.0" +appVersion: "5.3.0" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.29.x-x description: Anchore feeds service keywords: diff --git a/stable/feeds/README.md b/stable/feeds/README.md index 4be79077..670168de 100644 --- a/stable/feeds/README.md +++ b/stable/feeds/README.md @@ -313,7 +313,7 @@ anchoreConfig: | `url` | Set a custom feeds URL. Useful when using a feeds service endpoint that is external from the cluster. | `""` | | `fullnameOverride` | overrides the fullname set on resources | `""` | | `nameOverride` | overrides the name set on resources | `""` | -| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v5.2.0` | +| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v5.3.0` | | `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | | `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | | `serviceAccountName` | Name of a service account used to run all Feeds pods | `""` | 
@@ -493,6 +493,16 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention. - **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update. +### v2.3.0 + +- Update Anchore Feeds image to v5.3.0. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/530/) for more information. +- Bump kubeVersion requirement to allow deployment on Kubernetes v1.29.x clusters. + +### v2.2.0 + +- Update Anchore Feeds image to v5.2.0. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/520/) for more information. +- Removes the `null` value from the default `ANCHORE_GITHUB_TOKEN` environment variable in the `anchore-enterprise-feeds-env` secret. This was causing issues with all feeds drivers if a token was not provided. + ### v2.1.0 - Update Anchore Feeds image to v5.1.0. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/510/) for more information. diff --git a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index 3a403e51..9027db61 100644 --- a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -143,6 +143,6 @@ should render proper initContainers: value: test-release-feeds - name: ANCHORE_PORT value: "8448" - image: docker.io/anchore/enterprise:v5.2.0 + image: docker.io/anchore/enterprise:v5.3.0 imagePullPolicy: IfNotPresent name: wait-for-db diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml index 2cbf710d..32026309 100644 --- a/stable/feeds/values.yaml +++ b/stable/feeds/values.yaml 
@@ -21,7 +21,7 @@ nameOverride: "" ## @param image Image used for feeds deployment ## -image: docker.io/anchore/enterprise:v5.2.0 +image: docker.io/anchore/enterprise:v5.3.0 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy From 14e2492e6c356ab6bc1256ab1c31257239ffea3f Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 29 Feb 2024 12:04:56 -0800 Subject: [PATCH 319/329] stable/enterprise: update Enterprise image to v5.3.0 (#353) * bump enterprise image to v5.3.0 * bump chart version * update test snapshots * bump feeds chart version --------- Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.lock | 6 +++--- stable/enterprise/Chart.yaml | 4 ++-- stable/enterprise/README.md | 9 +++++++-- .../prehook_upgrade_resources_test.yaml.snap | 2 +- stable/enterprise/values.yaml | 4 ++-- 5 files changed, 15 insertions(+), 10 deletions(-) diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock index d799d39c..73b8a52f 100644 --- a/stable/enterprise/Chart.lock +++ b/stable/enterprise/Chart.lock @@ -7,6 +7,6 @@ dependencies: version: 17.11.8 - name: feeds repository: https://charts.anchore.io/stable - version: 2.2.2 -digest: sha256:896842986ad8aab0e43a41ecb7fb7d61e08cc2c7e71c948563503091c6d9f409 -generated: "2024-02-09T14:24:08.790481-08:00" + version: 2.3.0 +digest: sha256:ea9b8927f17a3ee6cae7972dd7ff5a7a51ccafbf7f90443d978a096398c0834b +generated: "2024-02-29T11:39:05.180607-08:00" diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 4e8256d8..9cfe143e 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml 
@@ -1,7 +1,7 @@ apiVersion: v2 name: enterprise -version: "2.3.5" -appVersion: "5.2.0" +version: "2.4.0" +appVersion: "5.3.0" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.29.x-x description: | Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems, diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 1d38feaf..96946c6f 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -929,7 +929,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | Name | Description | Value | | --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | -| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.2.0` | +| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.3.0` | | `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | | `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | | `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` | 
@@ -1278,7 +1278,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | Name | Description | Value | | ---------------------------- | ----------------------------------------------------------------------------- | ---------------------------------------- | -| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.2.0` | +| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.3.0` | | `ui.imagePullPolicy` | Image pull policy for Anchore UI image | `IfNotPresent` | | `ui.existingSecretName` | Name of an existing secret to be used for Anchore UI DB and Redis endpoints | `anchore-enterprise-ui-env` | | `ui.ldapsRootCaCertName` | Name of the custom CA certificate file store in `.Values.certStoreSecretName` | `""` | @@ -1382,6 +1382,11 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention. - **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update. +### V2.4.0 + +- Deploys Anchore Enterprise v5.3.0. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/530/) for more information. +- Bump kubeVersion requirement to allow deployment on Kubernetes v1.29.x clusters. + ### V2.3.0 - Deploys Anchore Enterprise v5.2.0. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/520/) for more information. diff --git a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index dd0833e7..b903839a 100644 --- a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap 
@@ -143,6 +143,6 @@ should render proper initContainers: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.2.0 + image: docker.io/anchore/enterprise:v5.3.0 imagePullPolicy: IfNotPresent name: wait-for-db diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 3b2abf66..32b40248 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -18,7 +18,7 @@ global: ## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI ## -image: docker.io/anchore/enterprise:v5.2.0 +image: docker.io/anchore/enterprise:v5.3.0 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy @@ -1288,7 +1288,7 @@ simpleQueue: ui: ## @param ui.image Image used for the Anchore UI container ## - image: docker.io/anchore/enterprise-ui:v5.2.0 + image: docker.io/anchore/enterprise-ui:v5.3.0 ## @param ui.imagePullPolicy Image pull policy for Anchore UI image ## From fa446e105cf1d33b424b758452c2952a79756fb8 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 7 Mar 2024 14:49:14 -0800 Subject: [PATCH 320/329] stable/enterprise: update UI to 531 (#354) * bump enterprise ui image to 5.3.1 * bump chart version --------- Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 6 +++--- stable/enterprise/values.yaml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 9cfe143e..397bbfc2 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "2.4.0" +version: "2.4.1" appVersion: "5.3.0" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.29.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 96946c6f..855df32f 100644 --- a/stable/enterprise/README.md 
+++ b/stable/enterprise/README.md @@ -1278,7 +1278,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | Name | Description | Value | | ---------------------------- | ----------------------------------------------------------------------------- | ---------------------------------------- | -| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.3.0` | +| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.3.1` | | `ui.imagePullPolicy` | Image pull policy for Anchore UI image | `IfNotPresent` | | `ui.existingSecretName` | Name of an existing secret to be used for Anchore UI DB and Redis endpoints | `anchore-enterprise-ui-env` | | `ui.ldapsRootCaCertName` | Name of the custom CA certificate file store in `.Values.certStoreSecretName` | `""` | @@ -1382,9 +1382,9 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention. - **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update. -### V2.4.0 +### V2.4.x -- Deploys Anchore Enterprise v5.3.0. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/530/) for more information. +- Deploys Anchore Enterprise v5.3.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/530/) for more information. - Bump kubeVersion requirement to allow deployment on Kubernetes v1.29.x clusters. ### V2.3.0 diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 32b40248..b86c35e3 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml 
@@ -1288,7 +1288,7 @@ simpleQueue: ui: ## @param ui.image Image used for the Anchore UI container ## - image: docker.io/anchore/enterprise-ui:v5.3.0 + image: docker.io/anchore/enterprise-ui:v5.3.1 ## @param ui.imagePullPolicy Image pull policy for Anchore UI image ## From 32b840776d3b80668dd06b08130a962fc7a203a3 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Mon, 18 Mar 2024 14:45:24 -0400 Subject: [PATCH 321/329] bump enterprise-ui image to 5.3.2 Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 21 +-------------------- stable/enterprise/values.yaml | 2 +- 3 files changed, 3 insertions(+), 22 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 397bbfc2..e504af5b 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "2.4.1" +version: "2.4.2" appVersion: "5.3.0" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.29.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 855df32f..e4b8ff47 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -924,7 +924,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `global.fullnameOverride` | overrides the fullname set on resources | `""` | | `global.nameOverride` | overrides the name set on resources | `""` | - ### Common Resource Parameters | Name | Description | Value | @@ -968,7 +967,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `configOverride` | Allows for overriding the default Anchore configuration file | `""` | | `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | - ### Anchore Configuration Parameters | Name | Description | Value | 
@@ -1075,7 +1073,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. | `""` | | `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` | - ### Anchore Analyzer k8s Deployment Parameters | Name | Description | Value | @@ -1092,7 +1089,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `analyzer.serviceAccountName` | Service account name for Anchore API pods | `""` | | `analyzer.scratchVolume.details` | Details for the k8s volume to be created for Anchore Analyzer scratch space | `{}` | - ### Anchore API k8s Deployment Parameters | Name | Description | Value | @@ -1112,7 +1108,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `api.affinity` | Affinity for Anchore API pod assignment | `{}` | | `api.serviceAccountName` | Service account name for Anchore API pods | `""` | - ### Anchore Catalog k8s Deployment Parameters | Name | Description | Value | @@ -1133,7 +1128,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `catalog.serviceAccountName` | Service account name for Anchore Catalog pods | `""` | | `catalog.scratchVolume.details` | Details for the k8s volume to be created for Anchore Catalog scratch space | `{}` | - ### Anchore Feeds Chart Parameters | Name | Description | Value | @@ -1143,7 +1137,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `feeds.url` | Set the URL for a standalone Feeds service. Use when chartEnabled=false. | `""` | | `feeds.resources` | Resource requests and limits for Anchore Feeds pods | `{}` | - ### Anchore Notifications Parameters | Name | Description | Value | 
@@ -1163,7 +1156,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `notifications.affinity` | Affinity for Anchore Notifications pod assignment | `{}` | | `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | - ### Anchore Policy Engine k8s Deployment Parameters | Name | Description | Value | @@ -1184,7 +1176,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `policyEngine.serviceAccountName` | Service account name for Anchore Policy Engine pods | `""` | | `policyEngine.scratchVolume.details` | Details for the k8s volume to be created for Anchore Policy Engine scratch space | `{}` | - ### Anchore RBAC Authentication Parameters | Name | Description | Value | @@ -1192,7 +1183,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `rbacAuth.extraEnv` | Set extra environment variables for Anchore RBAC Authentication containers | `[]` | | `rbacAuth.resources` | Resource requests and limits for Anchore RBAC Authentication containers | `{}` | - ### Anchore RBAC Manager Parameters | Name | Description | Value | @@ -1212,7 +1202,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `rbacManager.affinity` | Affinity for Anchore RBAC Manager pod assignment | `{}` | | `rbacManager.serviceAccountName` | Service account name for Anchore RBAC Manager pods | `""` | - ### Anchore Reports Parameters | Name | Description | Value | @@ -1233,7 +1222,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | | `reports.scratchVolume.details` | Details for the k8s volume to be created for Anchore Reports scratch space | `{}` | - ### Anchore Reports Worker Parameters | Name | Description | Value | 
@@ -1253,7 +1241,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `reportsWorker.affinity` | Affinity for Anchore Reports Worker pod assignment | `{}` | | `reportsWorker.serviceAccountName` | Service account name for Anchore Reports Worker pods | `""` | - ### Anchore Simple Queue Parameters | Name | Description | Value | @@ -1273,12 +1260,11 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `simpleQueue.affinity` | Affinity for Anchore Simple Queue pod assignment | `{}` | | `simpleQueue.serviceAccountName` | Service account name for Anchore Simple Queue pods | `""` | - ### Anchore UI Parameters | Name | Description | Value | | ---------------------------- | ----------------------------------------------------------------------------- | ---------------------------------------- | -| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.3.1` | +| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.3.2` | | `ui.imagePullPolicy` | Image pull policy for Anchore UI image | `IfNotPresent` | | `ui.existingSecretName` | Name of an existing secret to be used for Anchore UI DB and Redis endpoints | `anchore-enterprise-ui-env` | | `ui.ldapsRootCaCertName` | Name of the custom CA certificate file store in `.Values.certStoreSecretName` | `""` | @@ -1297,7 +1283,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ui.affinity` | Affinity for Anchore ui pod assignment | `{}` | | `ui.serviceAccountName` | Service account name for Anchore UI pods | `""` | - ### Anchore Upgrade Job Parameters | Name | Description | Value | 
@@ -1316,7 +1301,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `upgradeJob.labels` | Labels for the Anchore upgrade job | `{}` | | `upgradeJob.ttlSecondsAfterFinished` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | - ### Ingress Parameters | Name | Description | Value | @@ -1333,7 +1317,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | - ### Google CloudSQL DB Parameters | Name | Description | Value | @@ -1347,7 +1330,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `cloudsql.serviceAccJsonName` | | `""` | | `cloudsql.extraArgs` | a list of extra arguments to be passed into the cloudsql container command. eg | `[]` | - ### Anchore UI Redis Parameters | Name | Description | Value | @@ -1358,7 +1340,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ui-redis.architecture` | Redis deployment architecture | `standalone` | | `ui-redis.master.persistence.enabled` | enables persistence | `false` | - ### Anchore Database Parameters | Name | Description | Value | diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index b86c35e3..638a3b92 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -1288,7 +1288,7 @@ simpleQueue: ui: ## @param ui.image Image used for the Anchore UI container ## - image: docker.io/anchore/enterprise-ui:v5.3.1 + image: docker.io/anchore/enterprise-ui:v5.3.2 ## @param ui.imagePullPolicy Image pull policy for Anchore UI image ## From 0f7283a8c9b074ce29821ec5bd6ea3a9241f71f5 Mon Sep 17 00:00:00 2001 
From: Brady Todhunter Date: Wed, 3 Apr 2024 17:08:04 -0700 Subject: [PATCH 322/329] stable/feeds: Update to v5.4.0 (#356) * bump image to v5.4.0 * update test snapshots * bump chart version --------- Signed-off-by: Brady Todhunter --- stable/feeds/Chart.yaml | 4 ++-- stable/feeds/README.md | 6 +++++- .../__snapshot__/prehook_upgrade_resources_test.yaml.snap | 2 +- stable/feeds/values.yaml | 2 +- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index 05bf9c8a..92ea01b3 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: feeds type: application -version: "2.3.0" -appVersion: "5.3.0" +version: "2.4.0" +appVersion: "5.4.0" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.29.x-x description: Anchore feeds service keywords: diff --git a/stable/feeds/README.md b/stable/feeds/README.md index 670168de..613bfccc 100644 --- a/stable/feeds/README.md +++ b/stable/feeds/README.md @@ -313,7 +313,7 @@ anchoreConfig: | `url` | Set a custom feeds URL. Useful when using a feeds service endpoint that is external from the cluster. | `""` | | `fullnameOverride` | overrides the fullname set on resources | `""` | | `nameOverride` | overrides the name set on resources | `""` | -| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v5.3.0` | +| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v5.4.0` | | `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | | `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | | `serviceAccountName` | Name of a service account used to run all Feeds pods | `""` | 
@@ -493,6 +493,10 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention. - **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update. +### v2.4.0 + +- Update Anchore Feeds image to v5.4.0. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/540/) for more information. + ### v2.3.0 - Update Anchore Feeds image to v5.3.0. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/530/) for more information. diff --git a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index 9027db61..b68b53ca 100644 --- a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -143,6 +143,6 @@ should render proper initContainers: value: test-release-feeds - name: ANCHORE_PORT value: "8448" - image: docker.io/anchore/enterprise:v5.3.0 + image: docker.io/anchore/enterprise:v5.4.0 imagePullPolicy: IfNotPresent name: wait-for-db diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml index 32026309..d8e126a4 100644 --- a/stable/feeds/values.yaml +++ b/stable/feeds/values.yaml @@ -21,7 +21,7 @@ nameOverride: "" ## @param image Image used for feeds deployment ## -image: docker.io/anchore/enterprise:v5.3.0 +image: docker.io/anchore/enterprise:v5.4.0 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy From 3b12801bbeed9afd055b75278bcfaed7f3463d85 Mon Sep 17 00:00:00 2001 
From: Arvind Somya Date: Fri, 8 Mar 2024 17:31:50 -0500 Subject: [PATCH 323/329] feat: remove rbac authorizer (#197) remove all references to rbac-authorizer Signed-off-by: Arvind Somya --- .../enterprise-value-converter/mappings.py | 4 +- ...est_anchoreEnterpriseRbac_value_mapping.py | 34 -------------- stable/enterprise/README.md | 6 --- stable/enterprise/files/default_config.yaml | 20 -------- stable/enterprise/templates/_common.tpl | 47 ------------------- stable/enterprise/templates/_names.tpl | 5 -- .../enterprise/templates/api_deployment.yaml | 1 - .../templates/notifications_deployment.yaml | 1 - .../templates/rbacmanager_deployment.yaml | 1 - .../templates/reports_deployment.yaml | 1 - .../__snapshot__/configmap_test.yaml.snap | 20 -------- .../prehook_upgrade_resources_test.yaml.snap | 2 +- .../enterprise/tests/api_resources_test.yaml | 3 -- .../enterprise/tests/common_helpers_test.yaml | 19 -------- .../tests/notifications_resources_test.yaml | 3 -- stable/enterprise/values.yaml | 21 +-------- 16 files changed, 3 insertions(+), 185 deletions(-) diff --git a/scripts/enterprise-value-converter/mappings.py b/scripts/enterprise-value-converter/mappings.py index 2939b5af..c004a310 100644 --- a/scripts/enterprise-value-converter/mappings.py +++ b/scripts/enterprise-value-converter/mappings.py @@ -110,7 +110,6 @@ "anchore-feeds-db.persistence": "feeds.feeds-db.primary.persistence", "anchoreEnterpriseRbac.managerResources": "rbacManager.resources", - "anchoreEnterpriseRbac.authResources": "rbacAuth.resources", } LEVEL_THREE_CHANGE_KEY_MAPPING = { 
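Review bot: Dropping the `"anchoreEnterpriseRbac.authResources": "rbacAuth.resources"` entry (and `anchoreEnterpriseRbac.maxRequestThreads` in the next hunk) means the converter no longer carries these legacy keys anywhere, and whether they are now dropped silently or reported to the user is not visible in this hunk. The `test_anchoreEnterpriseRbac_enabled_value` test elsewhere on this page shows deprecated keys simply being omitted from the output, so if the converter keeps a deprecated-key list these two belong on it, so that someone migrating old values gets an explicit notice instead of losing resource limits without a trace. A comment at the removal point such as `# rbacAuth.* keys removed with the rbac-authorizer sidecar; intentionally unmapped` would record the intent for the next reader. The enclosing mapping dict starts outside the hunk.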
@@ -217,7 +216,6 @@ "anchoreCatalog.imageGCMaxWorkerThreads": "catalog.ANCHORE_CATALOG_IMAGE_GC_WORKERS", "anchoreEnterpriseNotifications.maxRequestThreads": "notifications.ANCHORE_MAX_REQUEST_THREADS", - "anchoreEnterpriseRbac.maxRequestThreads": "rbacAuth.ANCHORE_MAX_REQUEST_THREADS", "anchoreEnterpriseReports.maxRequestThreads": "reports.ANCHORE_MAX_REQUEST_THREADS", "anchoreGlobal.clientConnectTimeout": "ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT", @@ -322,7 +320,7 @@ }, "anchoreEnterpriseRbac.extraEnv": { "action": "duplicate", - "new_keys": ["rbacAuth.extraEnv", "rbacManager.extraEnv"] + "new_keys": ["rbacManager.extraEnv"] }, "anchoreEnterpriseGlobal.imagePullSecretName": { "action": "duplicate", diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py index 308d545c..92565dc4 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py @@ -184,14 +184,6 @@ def test_anchoreEnterpriseRbac_extraEnv_value(self): } ] }, - 'rbacAuth': { - 'extraEnv': [ - { - "name": "foo", - "value": "bar" - } - ] - } } result = replace_keys_with_mappings(dot_string_dict, self.results_dir) @@ -215,7 +207,6 @@ def test_anchoreEnterpriseRbac_service_value(self): "anchoreEnterpriseRbac.service.name": "Null", "anchoreEnterpriseRbac.service.type": "ClusterIP", "anchoreEnterpriseRbac.service.managerPort": 8082, - "anchoreEnterpriseRbac.service.authPort": "8089", "anchoreEnterpriseRbac.service.annotations.foo": "bar", "anchoreEnterpriseRbac.service.annotations.bar": "baz", "anchoreEnterpriseRbac.service.annotations.anotherLabel.with.a.dot": "qux", 
@@ -227,7 +218,6 @@ def test_anchoreEnterpriseRbac_service_value(self): 'name': 'Null', 'type': 'ClusterIP', 'port': 8082, - # 'authPort': '8089', Deprecated 'annotations': { 'foo': 'bar', 'bar': 'baz', @@ -251,30 +241,6 @@ def test_anchoreEnterpriseRbac_enabled_value(self): result = replace_keys_with_mappings(dot_string_dict, self.results_dir) self.assertEqual(result[0], expected_result) - def test_anchoreEnterpriseRbac_authResources_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.authResources.limits.cpu": 1, - "anchoreEnterpriseRbac.authResources.limits.memory": "1G", - "anchoreEnterpriseRbac.authResources.requests.cpu": "100m", - "anchoreEnterpriseRbac.authResources.requests.memory": "256M" - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacAuth': { - 'resources': { - 'limits': { - 'cpu': 1, - 'memory': '1G' - }, - 'requests': { - 'cpu': '100m', - 'memory': '256M' - } - } - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - def test_anchoreEnterpriseRbac_managerResources_value(self): dot_string_dict = { "anchoreEnterpriseRbac.managerResources.limits.cpu": 1, diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index e4b8ff47..52089840 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md 
@@ -1176,12 +1176,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `policyEngine.serviceAccountName` | Service account name for Anchore Policy Engine pods | `""` | | `policyEngine.scratchVolume.details` | Details for the k8s volume to be created for Anchore Policy Engine scratch space | `{}` | -### Anchore RBAC Authentication Parameters - -| Name | Description | Value | -| -------------------- | -------------------------------------------------------------------------- | ----- | -| `rbacAuth.extraEnv` | Set extra environment variables for Anchore RBAC Authentication containers | `[]` | -| `rbacAuth.resources` | Resource requests and limits for Anchore RBAC Authentication containers | `{}` | ### Anchore RBAC Manager Parameters diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml index 98b125c4..2c8b6b8a 100644 --- a/stable/enterprise/files/default_config.yaml +++ b/stable/enterprise/files/default_config.yaml @@ -73,9 +73,6 @@ services: max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} listen: '0.0.0.0' port: ${ANCHORE_PORT} - authorization_handler: external - authorization_handler_config: - endpoint: http://localhost:8089 {{- if .Values.anchoreConfig.apiext.external.enabled }} external_tls: {{ .Values.anchoreConfig.apiext.external.useTLS }} external_hostname: {{ .Values.anchoreConfig.apiext.external.hostname }} @@ -203,14 +200,6 @@ services: ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} - rbac_authorizer: - enabled: true - require_auth: true - endpoint_hostname: localhost - listen: 127.0.0.1 - port: 8089 - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - rbac_manager: enabled: true require_auth: true 
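Review bot: Removing `authorization_handler: external` from the apiext service leaves no authorization handler configured at all in this hunk, and the same three lines are dropped from rbac_manager, reports and notifications in the following hunks, so every API-facing service now relies on whatever authorization the enterprise image applies by default. Chart.yaml still declares appVersion 5.3.0 (unchanged in the later commit on this page) while this commit moves the default image to `enterprise-dev:latest`, so it is worth confirming that the version the chart claims to support enforces RBAC in-process once the external authorizer is gone; a configmap rendered for 5.3.0 with no handler may otherwise leave these endpoints without the authorization check they had before. A short comment above the first affected service, e.g. `# No authorization_handler: authorization is enforced in-process by the enterprise services (external rbac_authorizer sidecar removed)`, would record why the key is absent. The enclosing `services:` mapping starts and ends outside the hunk.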
@@ -218,9 +207,6 @@ services:
 listen: '0.0.0.0'
 port: ${ANCHORE_PORT}
 max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}
- authorization_handler: external
- authorization_handler_config:
- endpoint: http://localhost:8089
 ssl_enable: ${ANCHORE_SSL_ENABLED}
 ssl_cert: ${ANCHORE_SSL_CERT}
 ssl_key: ${ANCHORE_SSL_KEY}
@@ -233,9 +219,6 @@ services:
 port: ${ANCHORE_PORT}
 max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}
 enable_graphiql: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_GRAPHIQL}
- authorization_handler: external
- authorization_handler_config:
- endpoint: http://localhost:8089
 cycle_timers: {{- toYaml .Values.anchoreConfig.reports.cycle_timers | nindent 6 }}
 max_async_execution_threads: ${ANCHORE_ENTERPRISE_REPORTS_MAX_ASYNC_EXECUTION_THREADS}
 async_execution_timeout: ${ANCHORE_ENTERPRISE_REPORTS_ASYNC_EXECUTION_TIMEOUT}
@@ -273,9 +256,6 @@ services:
 listen: '0.0.0.0'
 port: ${ANCHORE_PORT}
 max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}
- authorization_handler: external
- authorization_handler_config:
- endpoint: http://localhost:8089
 cycle_timers: {{- toYaml .Values.anchoreConfig.notifications.cycle_timers | nindent 6 }}
 ui_url: ${ANCHORE_ENTERPRISE_UI_URL}
 ssl_enable: ${ANCHORE_SSL_ENABLED}
diff --git a/stable/enterprise/templates/_common.tpl b/stable/enterprise/templates/_common.tpl
index 3cd1bb1a..819c13cf 100644
--- a/stable/enterprise/templates/_common.tpl
+++ b/stable/enterprise/templates/_common.tpl
@@ -207,53 +207,6 @@ tolerations:
 {{- toYaml . | nindent 2 }}
 {{- end -}}
-{{/*
-Setup a container for the Anchore Enterprise RBAC Auth for pods that need to authenticate with the API
-*/}}
-{{- define "enterprise.common.rbacAuthContainer" -}}
-- name: rbac-auth
- image: {{ .Values.image }}
- imagePullPolicy: {{ .Values.imagePullPolicy }}
-{{- with .Values.containerSecurityContext }}
- securityContext:
- {{ toYaml . | nindent 4 }}
-{{- end }}
- command: ["/bin/sh", "-c"]
- args:
- - {{ print (include "enterprise.common.dockerEntrypoint" .) }} rbac_authorizer
- envFrom: {{- include "enterprise.common.envFrom" . | nindent 4 }}
- env: {{- include "enterprise.common.environment" (merge (dict "component" "rbacAuth") .) | nindent 4 }}
- ports:
- - containerPort: 8089
- name: rbac-auth
- volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 4 }}
- livenessProbe:
- exec:
- command:
- - curl
- - -f
- - 'localhost:8089/health'
- initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
- timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }}
- periodSeconds: {{ .Values.probes.liveness.periodSeconds }}
- failureThreshold: {{ .Values.probes.liveness.failureThreshold }}
- successThreshold: {{ .Values.probes.liveness.successThreshold }}
- readinessProbe:
- exec:
- command:
- - curl
- - -f
- - 'localhost:8089/health'
- timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }}
- periodSeconds: {{ .Values.probes.readiness.periodSeconds }}
- failureThreshold: {{ .Values.probes.readiness.failureThreshold }}
- successThreshold: {{ .Values.probes.readiness.successThreshold }}
-{{- with .Values.rbacAuth.resources }}
- resources: {{- toYaml . | nindent 4 }}
-{{- end }}
-{{- end -}}
-
-
 {{/*
 Setup the common readiness probes for all Anchore Enterprise containers
 */}}
diff --git a/stable/enterprise/templates/_names.tpl b/stable/enterprise/templates/_names.tpl
index 8d1dc0d3..ef8fd399 100644
--- a/stable/enterprise/templates/_names.tpl
+++ b/stable/enterprise/templates/_names.tpl
@@ -37,11 +37,6 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- printf "%s-%s-%s" .Release.Name $name "policy"| trunc 63 | trimSuffix "-" -}}
 {{- end -}}
-{{- define "enterprise.rbacAuth.fullname" -}}
-{{- $name := default .Chart.Name .Values.global.nameOverride -}}
-{{- printf "%s-%s-%s" .Release.Name $name "rbac-auth"| trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
 {{- define "enterprise.rbacManager.fullname" -}}
 {{- $name := default .Chart.Name .Values.global.nameOverride -}}
 {{- printf "%s-%s-%s" .Release.Name $name "rbac-manager"| trunc 63 | trimSuffix "-" -}}
diff --git a/stable/enterprise/templates/api_deployment.yaml b/stable/enterprise/templates/api_deployment.yaml
index 1bafc9fa..705424d1 100644
--- a/stable/enterprise/templates/api_deployment.yaml
+++ b/stable/enterprise/templates/api_deployment.yaml
@@ -71,7 +71,6 @@ spec:
 {{- with .Values.api.resources }}
 resources: {{- toYaml . | nindent 12 }}
 {{- end }}
- {{- include "enterprise.common.rbacAuthContainer" . | nindent 8 }}
 ---
 apiVersion: v1
diff --git a/stable/enterprise/templates/notifications_deployment.yaml b/stable/enterprise/templates/notifications_deployment.yaml
index 3d003ce3..fdafd772 100644
--- a/stable/enterprise/templates/notifications_deployment.yaml
+++ b/stable/enterprise/templates/notifications_deployment.yaml
@@ -49,7 +49,6 @@ spec:
 {{- with .Values.notifications.resources }}
 resources: {{- toYaml . | nindent 12 }}
 {{- end }}
- {{- include "enterprise.common.rbacAuthContainer" . | nindent 8 }}
 ---
 apiVersion: v1
diff --git a/stable/enterprise/templates/rbacmanager_deployment.yaml b/stable/enterprise/templates/rbacmanager_deployment.yaml
index 82398175..53af96c2 100644
--- a/stable/enterprise/templates/rbacmanager_deployment.yaml
+++ b/stable/enterprise/templates/rbacmanager_deployment.yaml
@@ -49,7 +49,6 @@ spec:
 {{- with .Values.rbacManager.resources }}
 resources: {{- toYaml . | nindent 12 }}
 {{- end }}
- {{- include "enterprise.common.rbacAuthContainer" . | nindent 8 }}
 ---
 apiVersion: v1
diff --git a/stable/enterprise/templates/reports_deployment.yaml b/stable/enterprise/templates/reports_deployment.yaml
index ab947a75..6b350e1d 100644
--- a/stable/enterprise/templates/reports_deployment.yaml
+++ b/stable/enterprise/templates/reports_deployment.yaml
@@ -61,7 +61,6 @@ spec:
 {{- with .Values.reports.resources }}
 resources: {{- toYaml . | nindent 12 }}
 {{- end }}
- {{- include "enterprise.common.rbacAuthContainer" . | nindent 8 }}
 ---
 apiVersion: v1
diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
index 17ac6302..764816b8 100644
--- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
+++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
@@ -113,9 +113,6 @@ should render the configmaps:
 max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}
 listen: '0.0.0.0'
 port: ${ANCHORE_PORT}
- authorization_handler: external
- authorization_handler_config:
- endpoint: http://localhost:8089
 ssl_enable: ${ANCHORE_SSL_ENABLED}
 ssl_cert: ${ANCHORE_SSL_CERT}
 ssl_key: ${ANCHORE_SSL_KEY}
@@ -268,14 +265,6 @@ should render the configmaps:
 ssl_cert: ${ANCHORE_SSL_CERT}
 ssl_key: ${ANCHORE_SSL_KEY}
- rbac_authorizer:
- enabled: true
- require_auth: true
- endpoint_hostname: localhost
- listen: 127.0.0.1
- port: 8089
- max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}
-
 rbac_manager:
 enabled: true
 require_auth: true
@@ -283,9 +272,6 @@ should render the configmaps:
 listen: '0.0.0.0'
 port: ${ANCHORE_PORT}
 max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}
- authorization_handler: external
- authorization_handler_config:
- endpoint: http://localhost:8089
 ssl_enable: ${ANCHORE_SSL_ENABLED}
 ssl_cert: ${ANCHORE_SSL_CERT}
 ssl_key: ${ANCHORE_SSL_KEY}
@@ -298,9 +284,6 @@ should render the configmaps:
 port: ${ANCHORE_PORT}
 max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}
 enable_graphiql: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_GRAPHIQL}
- authorization_handler: external
- authorization_handler_config:
- endpoint: http://localhost:8089
 cycle_timers:
 reports_scheduled_queries: 600
 max_async_execution_threads: ${ANCHORE_ENTERPRISE_REPORTS_MAX_ASYNC_EXECUTION_THREADS}
@@ -348,9 +331,6 @@ should render the configmaps:
 listen: '0.0.0.0'
 port: ${ANCHORE_PORT}
 max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}
- authorization_handler: external
- authorization_handler_config:
- endpoint: http://localhost:8089
 cycle_timers:
 notifications: 30
 ui_url: ${ANCHORE_ENTERPRISE_UI_URL}
diff --git a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap
index b903839a..9decce0d 100644
--- a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap
+++ b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap
@@ -143,6 +143,6 @@ should render proper initContainers:
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
- image: docker.io/anchore/enterprise:v5.3.0
+ image: docker.io/anchore/enterprise-dev:latest
 imagePullPolicy: IfNotPresent
 name: wait-for-db
diff --git a/stable/enterprise/tests/api_resources_test.yaml b/stable/enterprise/tests/api_resources_test.yaml
index ac2b85f9..3f1f98f9 100644
--- a/stable/enterprise/tests/api_resources_test.yaml
+++ b/stable/enterprise/tests/api_resources_test.yaml
@@ -165,9 +165,6 @@ tests:
 - equal:
 path: spec.template.spec.containers[0].name
 value: enterprise-api
- - equal:
- path: spec.template.spec.containers[1].name
- value: rbac-auth
 - it: should render component entrypoint args
 template: api_deployment.yaml
diff --git a/stable/enterprise/tests/common_helpers_test.yaml b/stable/enterprise/tests/common_helpers_test.yaml
index 1769ac7d..f6b5c630 100644
--- a/stable/enterprise/tests/common_helpers_test.yaml
+++ b/stable/enterprise/tests/common_helpers_test.yaml
@@ -438,25 +438,6 @@ tests:
 - notExists:
 path: spec.template.spec.containers[0].securityContext
- - it: should render the rbacAuthContainer
- templates:
- - api_deployment.yaml
- - notifications_deployment.yaml
- - reports_deployment.yaml
- - rbacmanager_deployment.yaml
- documentIndex: 0
- asserts:
- - contains:
- path: spec.template.spec.containers
- content:
- args:
- - /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_authorizer
- name: rbac-auth
- ports:
- - containerPort: 8089
- name: rbac-auth
- any: true
-
 - it: should render volumeMounts
 templates: *backend_test_templates
 documentIndex: 0
diff --git a/stable/enterprise/tests/notifications_resources_test.yaml b/stable/enterprise/tests/notifications_resources_test.yaml
index 0a3ec922..9352dbaf 100644
--- a/stable/enterprise/tests/notifications_resources_test.yaml
+++ b/stable/enterprise/tests/notifications_resources_test.yaml
@@ -149,9 +149,6 @@ tests:
 - equal:
 path: spec.template.spec.containers[0].name
 value: enterprise-notifications
- - equal:
- path: spec.template.spec.containers[1].name
- value: rbac-auth
 - it: should render component entrypoint args
 template: notifications_deployment.yaml
diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml
index 638a3b92..183b1c90 100644
--- a/stable/enterprise/values.yaml
+++ b/stable/enterprise/values.yaml
@@ -18,7 +18,7 @@ global:
 ## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI
 ##
-image: docker.io/anchore/enterprise:v5.3.0
+image: docker.io/anchore/enterprise-dev:latest
 ## @param imagePullPolicy Image pull policy used by all deployments
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
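Review bot: The chart's shipped default `image` now points at `docker.io/anchore/enterprise-dev:latest`, a mutable tag of a development image, so every install that does not override it gets an unpinned build that can change under the same tag, and with the `imagePullPolicy: IfNotPresent` recorded in this commit's prehook snapshot different nodes may run different builds of "the same" image. Chart.yaml's appVersion stays at 5.3.0 (visible unchanged in the next commit on this page) and this commit's diffstat lists no Chart.yaml change, so the chart metadata no longer describes what it deploys. If the dev image is only needed for test runs, keep an immutable release tag as the default, `image: docker.io/anchore/enterprise:<release-tag>` (placeholder), and supply the dev image through the test harness's values override instead. The `## @param image` doc line above it should then also say that a release tag is expected.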
@@ -1006,25 +1006,6 @@ policyEngine: scratchVolume: details: {} -################################################## -## @section Anchore RBAC Authentication Parameters -################################################## -rbacAuth: - ## @param rbacAuth.extraEnv Set extra environment variables for Anchore RBAC Authentication containers - ## - extraEnv: [] - - ## @param rbacAuth.resources Resource requests and limits for Anchore RBAC Authentication containers - ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. - ## - resources: {} - # requests: - # cpu: 100m - # memory: 500Mi - # limits: - # memory: 500Mi - ########################################### ## @section Anchore RBAC Manager Parameters ########################################### From fac223a9c10a301b74d6da916091f69738eeb302 Mon Sep 17 00:00:00 2001 From: Arvind Somya Date: Mon, 11 Mar 2024 17:34:03 -0400 Subject: [PATCH 324/329] feat: remove all references to rbac-manager (#198) removing all templates, config and references to the rbac-manager service 
Signed-off-by: Arvind Somya --- ...est_anchoreEnterpriseRbac_value_mapping.py | 266 ---------------- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 27 +- stable/enterprise/files/default_config.yaml | 11 - stable/enterprise/templates/_names.tpl | 5 - .../templates/rbacmanager_deployment.yaml | 71 ----- stable/enterprise/templates/ui_configmap.yaml | 1 - .../__snapshot__/configmap_test.yaml.snap | 13 +- .../enterprise/tests/common_helpers_test.yaml | 18 -- .../tests/rbacmanager_resources_test.yaml | 293 ------------------ stable/enterprise/values.yaml | 60 ---- 11 files changed, 3 insertions(+), 764 deletions(-) delete mode 100644 scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py delete mode 100644 stable/enterprise/templates/rbacmanager_deployment.yaml delete mode 100644 stable/enterprise/tests/rbacmanager_resources_test.yaml diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py deleted file mode 100644 index 92565dc4..00000000 --- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py +++ /dev/null 
@@ -1,266 +0,0 @@ -import os -import shutil -import unittest -from helpers import ( - replace_keys_with_mappings, -) - -class TestReplaceKeysWithMappingsCatalog(unittest.TestCase): - def setUp(self): - self.results_dir = "test_results_dir" - - def tearDown(self): - if os.path.exists(self.results_dir): - shutil.rmtree(self.results_dir) - - def test_anchoreEnterpriseRbac_replicaCount_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.replicaCount": 2, - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'replicaCount': 2 - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - - def test_anchoreEnterpriseRbac_resources_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.resources.limits.cpu": 1, - "anchoreEnterpriseRbac.resources.limits.memory": "4G", - "anchoreEnterpriseRbac.resources.requests.cpu": 1, - "anchoreEnterpriseRbac.resources.requests.memory": "1G" - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'resources': { - 'limits': { - 'cpu': 1, - 'memory': '4G' - }, - 'requests': { - 'cpu': 1, - 'memory': '1G' - } - } - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - - def test_anchoreEnterpriseRbac_labels_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.labels.myLabel": "myValue", - "anchoreEnterpriseRbac.labels.myOtherLabel": "myOtherValue", - "anchoreEnterpriseRbac.labels.anotherLabel.with.a.dot": "qux" - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'labels': - { - 'myLabel': 'myValue', - 'myOtherLabel': 
'myOtherValue', - 'anotherLabel.with.a.dot': 'qux' - } - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - def test_anchoreEnterpriseRbac_annotations_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.annotations.foo": "bar", - "anchoreEnterpriseRbac.annotations.bar": "baz", - "anchoreEnterpriseRbac.annotations.anotherLabel.with.a.dot": "qux" - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'annotations': - { - 'foo': 'bar', - 'bar': 'baz', - 'anotherLabel.with.a.dot': 'qux' - } - - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - def test_anchoreEnterpriseRbac_deploymentAnnotations_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.deploymentAnnotations.foo": "bar", - "anchoreEnterpriseRbac.deploymentAnnotations.bar": "baz", - "anchoreEnterpriseRbac.deploymentAnnotations.anotherLabel.with.a.dot": "qux" - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'deploymentAnnotations': - { - 'foo': 'bar', - 'bar': 'baz', - 'anotherLabel.with.a.dot': 'qux' - } - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - def test_anchoreEnterpriseRbac_nodeSelector_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.nodeSelector.name": "foo", - "anchoreEnterpriseRbac.nodeSelector.value": "bar", - "anchoreEnterpriseRbac.nodeSelector.anotherLabel.with.a.dot": "baz" - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'nodeSelector': - { - 'name': 'foo', - 'value': 
'bar', - 'anotherLabel.with.a.dot': 'baz' - } - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - def test_anchoreEnterpriseRbac_tolerations_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.tolerations": [ - { - "name": "foo", - "value": "bar" - } - ] - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'tolerations': [ - { - 'name': 'foo', - 'value': 'bar' - } - ] - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - def test_anchoreEnterpriseRbac_affinity_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.affinity.name": "foo", - "anchoreEnterpriseRbac.affinity.value": "bar" - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'affinity':{ - 'name': 'foo', - 'value': 'bar' - } - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - def test_anchoreEnterpriseRbac_extraEnv_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.extraEnv": [ - { - "name": "foo", - "value": "bar" - } - ] - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'extraEnv': [ - { - "name": "foo", - "value": "bar" - } - ] - }, - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - - self.assertEqual(result[0], expected_result) - - def test_anchoreEnterpriseRbac_serviceAccountName_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.serviceAccountName": "Null" - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 
'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'serviceAccountName': "Null" - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - - def test_anchoreEnterpriseRbac_service_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.service.name": "Null", - "anchoreEnterpriseRbac.service.type": "ClusterIP", - "anchoreEnterpriseRbac.service.managerPort": 8082, - "anchoreEnterpriseRbac.service.annotations.foo": "bar", - "anchoreEnterpriseRbac.service.annotations.bar": "baz", - "anchoreEnterpriseRbac.service.annotations.anotherLabel.with.a.dot": "qux", - "anchoreEnterpriseRbac.service.labels": {}, - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'service': { - 'name': 'Null', - 'type': 'ClusterIP', - 'port': 8082, - 'annotations': { - 'foo': 'bar', - 'bar': 'baz', - 'anotherLabel.with.a.dot': 'qux' - }, - 'labels': {} - } - } - } - - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - -# enabled: true - def test_anchoreEnterpriseRbac_enabled_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.enabled": True # deprecated - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} - - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - def test_anchoreEnterpriseRbac_managerResources_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.managerResources.limits.cpu": 1, - "anchoreEnterpriseRbac.managerResources.limits.memory": "1G", - "anchoreEnterpriseRbac.managerResources.requests.cpu": "100m", - "anchoreEnterpriseRbac.managerResources.requests.memory": "256M" - } - expected_result = { 
'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'resources': { - 'limits': { - 'cpu': 1, - 'memory': '1G' - }, - 'requests': { - 'cpu': '100m', - 'memory': '256M' - } - } - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index e504af5b..6f2e0b9f 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "2.4.2" +version: "2.4.3" appVersion: "5.3.0" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.29.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 52089840..17c3a23e 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md 
@@ -419,7 +419,7 @@ stringData: [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) serves as the gateway to expose HTTP and HTTPS routes from outside the Kubernetes cluster to services within it. Routing is governed by rules specified in the Ingress resource. Kubernetes supports a variety of ingress controllers, such as AWS ALB and GCE controllers. -This Helm chart includes a foundational ingress configuration that is customizable. You can expose various Anchore Enterprise external APIs, including the core API, UI, reporting, RBAC, and feeds, by editing the `ingress` section in your values file. +This Helm chart includes a foundational ingress configuration that is customizable. You can expose various Anchore Enterprise external APIs, including the core API, UI, reporting, and feeds, by editing the `ingress` section in your values file. Ingress is disabled by default in this Helm chart. To enable it, along with the [NGINX ingress controller](https://kubernetes.github.io/ingress-nginx/) for core API and UI routes, set the `ingress.enabled` value to `true`. @@ -582,11 +582,6 @@ spec: interval: 30s path: /metrics scheme: http - # RBAC manager - - targetPort: 8229 - interval: 30s - path: /metrics - scheme: http ``` ### Scaling Individual Services @@ -687,7 +682,6 @@ The Anchore Enterprise Helm chart introduces several changes to the deployment c - `-anchore-engine-catalog` -> `-enterprise-catalog` - `-anchore-engine-enterprise-feeds` -> `-feeds` - `-anchore-engine-enterprise-notifications` -> `-enterprise-notifications` - - `-anchore-engine-enterprise-rbac` -> `-enterprise-rbac-manager` - `-anchore-engine-enterprise-reports` -> `-enterprise-reports` - `-anchore-engine-enterprise-ui` -> `-enterprise-ui` - `-anchore-engine-policy` -> `-enterprise-policy` 
@@ -1177,25 +1171,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `policyEngine.scratchVolume.details` | Details for the k8s volume to be created for Anchore Policy Engine scratch space | `{}` | -### Anchore RBAC Manager Parameters - -| Name | Description | Value | -| --------------------------------- | ------------------------------------------------------------- | ----------- | -| `rbacManager.replicaCount` | Number of replicas for the Anchore RBAC Manager deployment | `1` | -| `rbacManager.service.type` | Service type for Anchore RBAC Manager | `ClusterIP` | -| `rbacManager.service.port` | Service port for Anchore RBAC Manager | `8229` | -| `rbacManager.service.annotations` | Annotations for Anchore RBAC Manager service | `{}` | -| `rbacManager.service.labels` | Labels for Anchore RBAC Manager service | `{}` | -| `rbacManager.service.nodePort` | nodePort for Anchore RBAC Manager service | `""` | -| `rbacManager.extraEnv` | Set extra environment variables for Anchore RBAC Manager pods | `[]` | -| `rbacManager.resources` | Resource requests and limits for Anchore RBAC Manager pods | `{}` | -| `rbacManager.labels` | Labels for Anchore RBAC Manager pods | `{}` | -| `rbacManager.annotations` | Annotation for Anchore RBAC Manager pods | `{}` | -| `rbacManager.nodeSelector` | Node labels for Anchore RBAC Manager pod assignment | `{}` | -| `rbacManager.tolerations` | Tolerations for Anchore RBAC Manager pod assignment | `[]` | -| `rbacManager.affinity` | Affinity for Anchore RBAC Manager pod assignment | `{}` | -| `rbacManager.serviceAccountName` | Service account name for Anchore RBAC Manager pods | `""` | - ### Anchore Reports Parameters | Name | Description | Value | diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml index 2c8b6b8a..b6744018 100644 --- a/stable/enterprise/files/default_config.yaml +++ b/stable/enterprise/files/default_config.yaml 
@@ -200,17 +200,6 @@ services: ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} - rbac_manager: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - reports: enabled: true require_auth: true diff --git a/stable/enterprise/templates/_names.tpl b/stable/enterprise/templates/_names.tpl index ef8fd399..ec057737 100644 --- a/stable/enterprise/templates/_names.tpl +++ b/stable/enterprise/templates/_names.tpl @@ -37,11 +37,6 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s-%s" .Release.Name $name "policy"| trunc 63 | trimSuffix "-" -}} {{- end -}} -{{- define "enterprise.rbacManager.fullname" -}} -{{- $name := default .Chart.Name .Values.global.nameOverride -}} -{{- printf "%s-%s-%s" .Release.Name $name "rbac-manager"| trunc 63 | trimSuffix "-" -}} -{{- end -}} - {{- define "enterprise.reports.fullname" -}} {{- $name := default .Chart.Name .Values.global.nameOverride -}} {{- printf "%s-%s-%s" .Release.Name $name "reports"| trunc 63 | trimSuffix "-" -}} diff --git a/stable/enterprise/templates/rbacmanager_deployment.yaml b/stable/enterprise/templates/rbacmanager_deployment.yaml deleted file mode 100644 index 53af96c2..00000000 --- a/stable/enterprise/templates/rbacmanager_deployment.yaml +++ /dev/null 
@@ -1,71 +0,0 @@ -{{- $component := "rbacManager" -}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "enterprise.rbacManager.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} - annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} -spec: - selector: - matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} - replicas: {{ .Values.rbacManager.replicaCount }} - strategy: - type: Recreate - template: - metadata: - labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} - annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component "nil" true) .) | nindent 8 }} - {{- if and (not .Values.injectSecretsViaEnv) (not .Values.useExistingSecrets) }} - checksum/secrets: {{ include (print $.Template.BasePath "/anchore_secret.yaml") . | sha256sum }} - {{- end }} - checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} - spec: - {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} - volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} - containers: - {{- if .Values.cloudsql.enabled }} - {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} - {{- end }} - - name: "{{ .Chart.Name }}-{{ $component | lower }}" - image: {{ .Values.image }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - {{- with .Values.containerSecurityContext }} - securityContext: - {{ toYaml . | nindent 12 }} - {{- end }} - command: ["/bin/sh", "-c"] - args: - - {{ print (include "enterprise.common.dockerEntrypoint" .) 
}} rbac_manager - ports: - - containerPort: {{ .Values.rbacManager.service.port }} - name: {{ $component | lower }} - envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} - env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} - livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} - readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} - {{- with .Values.rbacManager.resources }} - resources: {{- toYaml . | nindent 12 }} - {{- end }} - ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ template "enterprise.rbacManager.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} - annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} -spec: - type: {{ .Values.rbacManager.service.type }} - ports: - - name: {{ $component | lower }} - port: {{ .Values.rbacManager.service.port }} - targetPort: {{ .Values.rbacManager.service.port }} - protocol: TCP - {{ include "enterprise.service.nodePort" (merge (dict "component" $component) .) }} - selector: - app.kubernetes.io/name: {{ template "enterprise.fullname" . }} - app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/ui_configmap.yaml b/stable/enterprise/templates/ui_configmap.yaml index 2957a1d1..6bd7d196 100644 --- a/stable/enterprise/templates/ui_configmap.yaml +++ b/stable/enterprise/templates/ui_configmap.yaml 
@@ -28,7 +28,6 @@ data: {{- end }} reports_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/v2' notifications_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/v2' - rbac_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/v2' enterprise_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/v2' # redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable # appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 764816b8..2e1ee3a3 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -265,17 +265,6 @@ should render the configmaps: ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} - rbac_manager: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - reports: enabled: true require_auth: true 
@@ -522,7 +511,7 @@ should render the configmaps: 6: | apiVersion: v1 data: - config-ui.yaml: "# Anchore UI configuration\nreports_uri: 'http://test-release-enterprise-api:8228/v2'\nnotifications_uri: 'http://test-release-enterprise-api:8228/v2'\nrbac_uri: 'http://test-release-enterprise-api:8228/v2'\nenterprise_uri: 'http://test-release-enterprise-api:8228/v2'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: true\nforce_websocket: false\nauthentication_lock:\n count: 5\n expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: true\nenable_prometheus_metrics: false\n" + config-ui.yaml: "# Anchore UI configuration\nreports_uri: 'http://test-release-enterprise-api:8228/v2'\nnotifications_uri: 'http://test-release-enterprise-api:8228/v2'\nenterprise_uri: 'http://test-release-enterprise-api:8228/v2'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: true\nforce_websocket: false\nauthentication_lock:\n count: 5\n expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: true\nenable_prometheus_metrics: false\n" kind: ConfigMap metadata: annotations: diff --git a/stable/enterprise/tests/common_helpers_test.yaml b/stable/enterprise/tests/common_helpers_test.yaml index f6b5c630..5bf220bb 100644 --- a/stable/enterprise/tests/common_helpers_test.yaml +++ b/stable/enterprise/tests/common_helpers_test.yaml 
@@ -5,7 +5,6 @@ templates: - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - reportsworker_deployment.yaml - simplequeue_deployment.yaml @@ -29,7 +28,6 @@ backend_test_templates: &backend_test_templates - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - reportsworker_deployment.yaml - simplequeue_deployment.yaml @@ -40,7 +38,6 @@ test_templates: &test_templates - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - reportsworker_deployment.yaml - simplequeue_deployment.yaml @@ -53,7 +50,6 @@ deployment_templates: &deployment_templates - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - reportsworker_deployment.yaml - simplequeue_deployment.yaml @@ -136,7 +132,6 @@ tests: - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - simplequeue_deployment.yaml - hooks/pre-upgrade/upgrade_job.yaml @@ -161,7 +156,6 @@ tests: - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - simplequeue_deployment.yaml - hooks/pre-upgrade/upgrade_job.yaml @@ -187,7 +181,6 @@ tests: - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - simplequeue_deployment.yaml - hooks/pre-upgrade/upgrade_job.yaml @@ -622,7 +615,6 @@ tests: - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - reportsworker_deployment.yaml - simplequeue_deployment.yaml 
@@ -641,7 +633,6 @@ tests: - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - reportsworker_deployment.yaml - simplequeue_deployment.yaml @@ -1018,9 +1009,6 @@ tests: - matchRegex: path: data["config-ui.yaml"] pattern: "enterprise_uri: 'http://test-release-enterprise-api:8228/v2'" - - matchRegex: - path: data["config-ui.yaml"] - pattern: "rbac_uri: 'http://test-release-enterprise-api:8228/v2'" - matchRegex: path: data["config-ui.yaml"] pattern: "notifications_uri: 'http://test-release-enterprise-api:8228/v2'" @@ -1038,9 +1026,6 @@ tests: - matchRegex: path: data["config-ui.yaml"] pattern: "enterprise_uri: 'https://test-release-enterprise-api:8228/v2'" - - matchRegex: - path: data["config-ui.yaml"] - pattern: "rbac_uri: 'https://test-release-enterprise-api:8228/v2'" - matchRegex: path: data["config-ui.yaml"] pattern: "notifications_uri: 'https://test-release-enterprise-api:8228/v2'" @@ -1054,7 +1039,6 @@ tests: catalog.service.nodePort: 9999 notifications.service.nodePort: 9999 policyEngine.service.nodePort: 9999 - rbacManager.service.nodePort: 9999 reports.service.nodePort: 9999 reportsWorker.service.nodePort: 9999 simpleQueue.service.nodePort: 9999 @@ -1064,7 +1048,6 @@ tests: - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - reportsworker_deployment.yaml - simplequeue_deployment.yaml @@ -1084,7 +1067,6 @@ tests: - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - reportsworker_deployment.yaml - simplequeue_deployment.yaml diff --git a/stable/enterprise/tests/rbacmanager_resources_test.yaml b/stable/enterprise/tests/rbacmanager_resources_test.yaml deleted file mode 100644 index 01a1c81d..00000000 --- a/stable/enterprise/tests/rbacmanager_resources_test.yaml +++ /dev/null 
@@ -1,293 +0,0 @@ -suite: RBACManager Resources Tests -templates: - - rbacmanager_deployment.yaml - - anchore_secret.yaml - - anchore_configmap.yaml -release: - name: test-release - namespace: test-namespace -chart: - version: 9.9.9 - appVersion: 9.9.9 - -tests: - - it: should set the correct resource names - template: rbacmanager_deployment.yaml - asserts: - - equal: - path: metadata.name - value: test-release-enterprise-rbac-manager - - - it: should render component labels - template: rbacmanager_deployment.yaml - set: - rbacManager.labels: - rbacManager: test - test: foobar - asserts: - - isSubset: - path: metadata.labels - content: - rbacManager: test - test: foobar - - isSubset: - path: spec.template.metadata.labels - content: - rbacManager: test - test: foobar - template: rbacmanager_deployment.yaml - documentIndex: 0 - - - it: should render component annotations - template: rbacmanager_deployment.yaml - set: - rbacManager.annotations: - rbacManager: test - test: foobar - asserts: - - isSubset: - path: metadata.annotations - content: - rbacManager: test - test: foobar - - isSubset: - path: spec.template.metadata.annotations - content: - rbacManager: test - test: foobar - template: rbacmanager_deployment.yaml - documentIndex: 0 - - - it: should render component matchLabels - template: rbacmanager_deployment.yaml - documentIndex: 0 - asserts: - - isSubset: - path: spec.selector.matchLabels - content: - app.kubernetes.io/name: test-release-enterprise - app.kubernetes.io/component: rbacmanager - - - it: should render component replica count - template: rbacmanager_deployment.yaml - documentIndex: 0 - set: - rbacManager.replicaCount: 2 - asserts: - - equal: - path: spec.replicas - value: 2 - - - it: should render component serviceAccountName - template: rbacmanager_deployment.yaml - documentIndex: 0 - set: - rbacManager.serviceAccountName: rbacManager-test - asserts: - - equal: - path: spec.template.spec.serviceAccountName - value: rbacManager-test - - - it: 
should render component serviceAccountName even when global serviceAccountName is set - template: rbacmanager_deployment.yaml - documentIndex: 0 - set: - serviceAccountName: global-test - rbacManager.serviceAccountName: rbacManager-test - asserts: - - equal: - path: spec.template.spec.serviceAccountName - value: rbacManager-test - - - it: should render component nodeSelector - template: rbacmanager_deployment.yaml - documentIndex: 0 - set: - rbacManager.nodeSelector: - rbacManager: test - asserts: - - isSubset: - path: spec.template.spec.nodeSelector - content: - rbacManager: test - - - it: should render component affinity - template: rbacmanager_deployment.yaml - documentIndex: 0 - set: - rbacManager.affinity: - rbacManager: test - asserts: - - isSubset: - path: spec.template.spec.affinity - content: - rbacManager: test - - - it: should render component tolerations - template: rbacmanager_deployment.yaml - documentIndex: 0 - set: - rbacManager.tolerations: - - key: "rbacManager" - operator: "Equal" - value: "test" - effect: "NoSchedule" - asserts: - - contains: - path: spec.template.spec.tolerations - content: - key: "rbacManager" - operator: "Equal" - value: "test" - effect: "NoSchedule" - count: 1 - - - it: should render component container name - template: rbacmanager_deployment.yaml - documentIndex: 0 - asserts: - - equal: - path: spec.template.spec.containers[0].name - value: enterprise-rbacmanager - - - it: should render component entrypoint args - template: rbacmanager_deployment.yaml - documentIndex: 0 - asserts: - - matchRegex: - path: spec.template.spec.containers[0].args[0] - pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_manager$ - count: 1 - - - it: should render rbacManager component environment variables - template: rbacmanager_deployment.yaml - documentIndex: 0 - set: - rbacManager.extraEnv: - - name: rbacManager - value: test - - name: test - value: foobar - asserts: - - contains: - path: 
spec.template.spec.containers[0].env - content: - name: ANCHORE_ENDPOINT_HOSTNAME - value: test-release-enterprise-rbac-manager - count: 1 - - contains: - path: spec.template.spec.containers[0].env - content: - name: ANCHORE_PORT - value: "8229" - count: 1 - - contains: - path: spec.template.spec.containers[0].env - content: - name: rbacManager - value: test - count: 1 - - contains: - path: spec.template.spec.containers[0].env - content: - name: test - value: foobar - - - it: should render component ports - template: rbacmanager_deployment.yaml - documentIndex: 0 - asserts: - - contains: - path: spec.template.spec.containers[0].ports - content: - name: rbacmanager - containerPort: 8229 - count: 1 - - - it: should render component probes - template: rbacmanager_deployment.yaml - documentIndex: 0 - asserts: - - isSubset: - path: spec.template.spec.containers[0].livenessProbe - content: - httpGet: - path: /health - port: rbacmanager - scheme: HTTP - initialDelaySeconds: 120 - timeoutSeconds: 10 - periodSeconds: 10 - failureThreshold: 6 - successThreshold: 1 - count: 1 - - isSubset: - path: spec.template.spec.containers[0].readinessProbe - content: - httpGet: - path: /health - port: rbacmanager - scheme: HTTP - timeoutSeconds: 10 - periodSeconds: 10 - failureThreshold: 3 - successThreshold: 1 - count: 1 - - - it: should render component resource requests & limits - template: rbacmanager_deployment.yaml - documentIndex: 0 - set: - rbacManager.resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 200m - memory: 256Mi - asserts: - - isSubset: - path: spec.template.spec.containers[0].resources.requests - content: - cpu: 100m - memory: 128Mi - count: 1 - - isSubset: - path: spec.template.spec.containers[0].resources.limits - content: - cpu: 200m - memory: 256Mi - count: 1 - - - it: should render component service type - template: rbacmanager_deployment.yaml - documentIndex: 1 - asserts: - - equal: - path: spec.type - value: ClusterIP - count: 1 - - - it: 
should render component service ports - template: rbacmanager_deployment.yaml - documentIndex: 1 - asserts: - - contains: - path: spec.ports - content: - name: rbacmanager - port: 8229 - targetPort: 8229 - protocol: TCP - count: 1 - - - it: should render component service selectors - template: rbacmanager_deployment.yaml - documentIndex: 1 - asserts: - - isSubset: - path: spec.selector - content: - app.kubernetes.io/name: test-release-enterprise - app.kubernetes.io/component: rbacmanager - count: 1 diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 183b1c90..395fc497 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml 
@@ -1006,66 +1006,6 @@ policyEngine: scratchVolume: details: {} -########################################### -## @section Anchore RBAC Manager Parameters -########################################### -rbacManager: - ## @param rbacManager.replicaCount Number of replicas for the Anchore RBAC Manager deployment - ## - replicaCount: 1 - - ## @param rbacManager.service.type Service type for Anchore RBAC Manager - ## @param rbacManager.service.port Service port for Anchore RBAC Manager - ## @param rbacManager.service.annotations Annotations for Anchore RBAC Manager service - ## @param rbacManager.service.labels Labels for Anchore RBAC Manager service - ## @param rbacManager.service.nodePort nodePort for Anchore RBAC Manager service - ## - service: - type: ClusterIP - port: 8229 - annotations: {} - labels: {} - nodePort: "" - - ## @param rbacManager.extraEnv Set extra environment variables for Anchore RBAC Manager pods - ## - extraEnv: [] - - ## @param rbacManager.resources Resource requests and limits for Anchore RBAC Manager pods - ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. 
- ## - resources: {} - # requests: - # cpu: 100m - # memory: 500Mi - # limits: - # memory: 500Mi - - ## @param rbacManager.labels Labels for Anchore RBAC Manager pods - ## - labels: {} - - ## @param rbacManager.annotations Annotation for Anchore RBAC Manager pods - ## - annotations: {} - - ## @param rbacManager.nodeSelector Node labels for Anchore RBAC Manager pod assignment - ## - nodeSelector: {} - - ## @param rbacManager.tolerations Tolerations for Anchore RBAC Manager pod assignment - ## - tolerations: [] - - ## @param rbacManager.affinity Affinity for Anchore RBAC Manager pod assignment - ## - affinity: {} - - ## @param rbacManager.serviceAccountName Service account name for Anchore RBAC Manager pods - ## - serviceAccountName: "" - ######################################## ## @section Anchore Reports Parameters ######################################## From ca3b8f76c1d14355bcf85a47991b5b1bea2dd12c Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 20 Mar 2024 18:57:15 -0400 Subject: [PATCH 325/329] update workflow credentials (#199) Signed-off-by: Hung Nguyen --- .github/workflows/test.yaml | 4 ++-- .github/workflows/values-converter-docker.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index db305a20..bc7e2fa6 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -76,8 +76,8 @@ jobs: kubectl --namespace anchore create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username="${DOCKER_USER}" --docker-password="${DOCKER_PASS}" env: ANCHORE_LICENSE: ${{ secrets.B64_ANCHORE_LICENSE }} - DOCKER_USER: ${{ secrets.ANCHORECI_DOCKER_USER }} - DOCKER_PASS: ${{ secrets.ANCHORECI_DOCKER_PASS }} + DOCKER_USER: ${{ secrets.ANCHOREREADONLY_DH_USERNAME }} + DOCKER_PASS: ${{ secrets.ANCHOREREADONLY_DH_PAT }} - name: Check if anchore-engine endpoint is required for admission controller chart id: engine_required 
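Review bot: The two new `DOCKER_USER`/`DOCKER_PASS` lines now map to the `ANCHOREREADONLY_DH_*` pair, but nothing in the step records why this job gets the read-only token while values-converter-docker.yaml in the same commit gets `ANCHOREDEVWRITE_DH_*`; a one-line comment above `DOCKER_USER` would keep that scope split from being undone in a later edit, e.g. `# read-only DockerHub PAT: this job only creates the image pull secret, never pushes`. The kubectl line in the context still passes the token as `--docker-password="${DOCKER_PASS}"`, so although GitHub masks the secret in step output, the PAT is present in that process's argument list for the life of the command; that is pre-existing, and moving to a pull-only token does shrink what such an exposure is worth. The enclosing `run:` block and the job's trigger configuration start outside the hunk.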
diff --git a/.github/workflows/values-converter-docker.yaml b/.github/workflows/values-converter-docker.yaml index 838a2bae..c7290a72 100644 --- a/.github/workflows/values-converter-docker.yaml +++ b/.github/workflows/values-converter-docker.yaml @@ -20,8 +20,8 @@ jobs: - name: Login to DockerHub uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: - username: ${{ secrets.ANCHORECI_DOCKER_USER }} - password: ${{ secrets.ANCHORECI_DOCKER_PASS }} + username: ${{ secrets.ANCHOREDEVWRITE_DH_USERNAME }} + password: ${{ secrets.ANCHOREDEVWRITE_DH_PAT }} - name: Build and push id: docker_build From d9d6f3a4e1548d41d7b74aa73368f95505abb9c9 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 29 Mar 2024 15:05:35 -0700 Subject: [PATCH 326/329] Make extra vols component specific (#203) * use common templates for volume/mounts * add tests for volume/mounts common templates * bump chart version --------- 
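Review bot: The new `username`/`password` lines hand a write-scoped PAT (`ANCHOREDEVWRITE_DH_PAT`) to the pinned `docker/login-action`, but the workflow's `on:` trigger block is outside this hunk, so I cannot confirm from here that the job runs only on trusted refs (pushes or tags in the main repository rather than a `pull_request_target` path); that is worth checking, since a push-capable registry token has far more blast radius than the read-only pair test.yaml now uses. A comment on the `with:` block documenting the intent would help reviewers keep the two credential tiers apart, e.g. `# write-scoped PAT: this job pushes the values-converter image; test.yaml uses the read-only pair`.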
Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 112 +++++++++++------- stable/enterprise/templates/_common.tpl | 46 ++++++- .../templates/analyzer_deployment.yaml | 4 +- .../enterprise/templates/api_deployment.yaml | 4 +- .../templates/catalog_deployment.yaml | 4 +- .../hooks/post-upgrade/upgrade_job.yaml | 10 +- .../hooks/pre-upgrade/upgrade_job.yaml | 10 +- .../templates/notifications_deployment.yaml | 4 +- .../templates/policyengine_deployment.yaml | 4 +- .../templates/reports_deployment.yaml | 4 +- .../templates/reportsworker_deployment.yaml | 4 +- .../templates/simplequeue_deployment.yaml | 4 +- .../enterprise/templates/ui_deployment.yaml | 4 +- .../tests/analyzer_resources_test.yaml | 80 +++++++++++++ .../enterprise/tests/api_resources_test.yaml | 84 +++++++++++++ .../tests/catalog_resources_test.yaml | 84 +++++++++++++ .../tests/notifications_resources_test.yaml | 84 +++++++++++++ .../tests/policyengine_resources_test.yaml | 84 +++++++++++++ .../posthook_upgrade_resources_test.yaml | 84 +++++++++++++ .../tests/prehook_upgrade_resources_test.yaml | 86 +++++++++++++- .../tests/reports_resources_test.yaml | 84 +++++++++++++ .../tests/reportsworker_resources_test.yaml | 84 +++++++++++++ .../tests/simplequeue_resources_test.yaml | 84 +++++++++++++ .../enterprise/tests/ui_resources_test.yaml | 84 +++++++++++++ stable/enterprise/values.yaml | 64 ++++++++++ 26 files changed, 1120 insertions(+), 82 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 6f2e0b9f..73ad5f0e 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "2.4.3" +version: "2.4.5" appVersion: "5.3.0" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.29.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 17c3a23e..f02c807b 100644 --- a/stable/enterprise/README.md 
+++ b/stable/enterprise/README.md 
@@ -918,48 +918,50 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `global.fullnameOverride` | overrides the fullname set on resources | `""` | | `global.nameOverride` | overrides the name set on resources | `""` | + ### Common Resource Parameters -| Name | Description | Value | -| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | -| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.3.0` | -| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | -| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | -| `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` | -| `migrationPodImage` | The image reference to the migration pod | `docker.io/postgres:13-bookworm` | -| `migrationAnchoreEngineSecretName` | The name of the secret that has anchore-engine values | `my-engine-anchore-engine` | -| `serviceAccountName` | Name of a service account used to run all Anchore pods | `""` | -| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | -| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | -| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | -| `extraEnv` | Common environment variables set on all containers | `[]` | -| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | -| `existingSecretName` | Name of an existing secret to be used for Anchore core services, excluding Anchore UI | `anchore-enterprise-env` | -| 
`labels` | Common labels set on all Kubernetes resources | `{}` | -| `annotations` | Common annotations set on all Kubernetes resources | `{}` | -| `scratchVolume.mountPath` | The mount path of an external volume for scratch space. Used for the following pods: analyzer, policy-engine, catalog, and reports | `/analysis_scratch` | -| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions on all scratch volumes | `false` | -| `scratchVolume.fixerInitContainerImage` | The image to use for the mode-fixer initContainer | `alpine` | -| `scratchVolume.details` | Details for the k8s volume to be created (defaults to default emptyDir) | `{}` | -| `extraVolumes` | mounts additional volumes to each pod | `[]` | -| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | -| `securityContext.runAsUser` | The securityContext runAsUser for all Anchore pods | `1000` | -| `securityContext.runAsGroup` | The securityContext runAsGroup for all Anchore pods | `1000` | -| `securityContext.fsGroup` | The securityContext fsGroup for all Anchore pods | `1000` | -| `containerSecurityContext` | The securityContext for all containers | `{}` | -| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | -| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | -| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | -| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | -| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | -| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | -| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | -| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | -| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | -| `doSourceAtEntry.enabled` 
| Does a `source` of the file path defined before starting Anchore services | `false` | -| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | -| `configOverride` | Allows for overriding the default Anchore configuration file | `""` | -| `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | +| Name | Description | Value | +| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | +| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise-dev:latest` | +| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | +| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | +| `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` | +| `migrationPodImage` | The image reference to the migration pod | `docker.io/postgres:13-bookworm` | +| `migrationAnchoreEngineSecretName` | The name of the secret that has anchore-engine values | `my-engine-anchore-engine` | +| `serviceAccountName` | Name of a service account used to run all Anchore pods | `""` | +| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | +| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | +| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | +| `extraEnv` | Common environment variables set on all containers | `[]` | +| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | +| `existingSecretName` | Name of an existing 
secret to be used for Anchore core services, excluding Anchore UI | `anchore-enterprise-env` | +| `labels` | Common labels set on all Kubernetes resources | `{}` | +| `annotations` | Common annotations set on all Kubernetes resources | `{}` | +| `scratchVolume.mountPath` | The mount path of an external volume for scratch space. Used for the following pods: analyzer, policy-engine, catalog, and reports | `/analysis_scratch` | +| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions on all scratch volumes | `false` | +| `scratchVolume.fixerInitContainerImage` | The image to use for the mode-fixer initContainer | `alpine` | +| `scratchVolume.details` | Details for the k8s volume to be created (defaults to default emptyDir) | `{}` | +| `extraVolumes` | mounts additional volumes to each pod | `[]` | +| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | +| `securityContext.runAsUser` | The securityContext runAsUser for all Anchore pods | `1000` | +| `securityContext.runAsGroup` | The securityContext runAsGroup for all Anchore pods | `1000` | +| `securityContext.fsGroup` | The securityContext fsGroup for all Anchore pods | `1000` | +| `containerSecurityContext` | The securityContext for all containers | `{}` | +| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | +| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | +| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | +| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | +| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | +| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | +| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | +| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | +| 
`probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | +| `doSourceAtEntry.enabled` | Does a `source` of the file path defined before starting Anchore services | `false` | +| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | +| `configOverride` | Allows for overriding the default Anchore configuration file | `""` | +| `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | + ### Anchore Configuration Parameters @@ -1067,6 +1069,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. | `""` | | `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` | + ### Anchore Analyzer k8s Deployment Parameters | Name | Description | Value | @@ -1083,6 +1086,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `analyzer.serviceAccountName` | Service account name for Anchore API pods | `""` | | `analyzer.scratchVolume.details` | Details for the k8s volume to be created for Anchore Analyzer scratch space | `{}` | + ### Anchore API k8s Deployment Parameters | Name | Description | Value | @@ -1094,6 +1098,8 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `api.service.labels` | Labels for Anchore API service | `{}` | | `api.service.nodePort` | nodePort for Anchore API service | `""` | | `api.extraEnv` | Set extra environment variables for Anchore API pods | `[]` | +| `api.extraVolumes` | Define additional volumes for Anchore API pods | `[]` | +| `api.extraVolumeMounts` | Define additional volume mounts for Anchore API pods | `[]` | | `api.resources` | Resource requests and limits for Anchore API pods | `{}` | | `api.labels` | Labels for Anchore API pods | `{}` | | `api.annotations` | Annotation for Anchore API pods | `{}` | 
@@ -1102,6 +1108,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `api.affinity` | Affinity for Anchore API pod assignment | `{}` | | `api.serviceAccountName` | Service account name for Anchore API pods | `""` | + ### Anchore Catalog k8s Deployment Parameters | Name | Description | Value | @@ -1113,6 +1120,8 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `catalog.service.labels` | Labels for Anchore Catalog service | `{}` | | `catalog.service.nodePort` | nodePort for Anchore Catalog service | `""` | | `catalog.extraEnv` | Set extra environment variables for Anchore Catalog pods | `[]` | +| `catalog.extraVolumes` | Define additional volumes for Anchore Catalog pods | `[]` | +| `catalog.extraVolumeMounts` | Define additional volume mounts for Anchore Catalog pods | `[]` | | `catalog.resources` | Resource requests and limits for Anchore Catalog pods | `{}` | | `catalog.labels` | Labels for Anchore Catalog pods | `{}` | | `catalog.annotations` | Annotation for Anchore Catalog pods | `{}` | @@ -1122,6 +1131,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `catalog.serviceAccountName` | Service account name for Anchore Catalog pods | `""` | | `catalog.scratchVolume.details` | Details for the k8s volume to be created for Anchore Catalog scratch space | `{}` | + ### Anchore Feeds Chart Parameters | Name | Description | Value | @@ -1131,6 +1141,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `feeds.url` | Set the URL for a standalone Feeds service. Use when chartEnabled=false. | `""` | | `feeds.resources` | Resource requests and limits for Anchore Feeds pods | `{}` | + ### Anchore Notifications Parameters | Name | Description | Value | 
@@ -1142,6 +1153,8 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `notifications.service.labels` | Labels for Anchore Notifications service | `{}` | | `notifications.service.nodePort` | nodePort for Anchore Notifications service | `""` | | `notifications.extraEnv` | Set extra environment variables for Anchore Notifications pods | `[]` | +| `notifications.extraVolumes` | Define additional volumes for Anchore Notifications pods | `[]` | +| `notifications.extraVolumeMounts` | Define additional volume mounts for Anchore Notifications pods | `[]` | | `notifications.resources` | Resource requests and limits for Anchore Notifications pods | `{}` | | `notifications.labels` | Labels for Anchore Notifications pods | `{}` | | `notifications.annotations` | Annotation for Anchore Notifications pods | `{}` | @@ -1150,6 +1163,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `notifications.affinity` | Affinity for Anchore Notifications pod assignment | `{}` | | `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | + ### Anchore Policy Engine k8s Deployment Parameters | Name | Description | Value | 
@@ -1161,6 +1175,8 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `policyEngine.service.labels` | Labels for Anchore Policy Engine service | `{}` | | `policyEngine.service.nodePort` | nodePort for Anchore Policy Engine service | `""` | | `policyEngine.extraEnv` | Set extra environment variables for Anchore Policy Engine pods | `[]` | +| `policyEngine.extraVolumes` | Define additional volumes for Anchore Policy Engine pods | `[]` | +| `policyEngine.extraVolumeMounts` | Define additional volume mounts for Anchore Policy Engine pods | `[]` | | `policyEngine.resources` | Resource requests and limits for Anchore Policy Engine pods | `{}` | | `policyEngine.labels` | Labels for Anchore Policy Engine pods | `{}` | | `policyEngine.annotations` | Annotation for Anchore Policy Engine pods | `{}` | @@ -1182,6 +1198,8 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `reports.service.labels` | Labels for Anchore Reports service | `{}` | | `reports.service.nodePort` | nodePort for Anchore Reports service | `""` | | `reports.extraEnv` | Set extra environment variables for Anchore Reports pods | `[]` | +| `reports.extraVolumes` | Define additional volumes for Anchore Reports pods | `[]` | +| `reports.extraVolumeMounts` | Define additional volume mounts for Anchore Reports pods | `[]` | | `reports.resources` | Resource requests and limits for Anchore Reports pods | `{}` | | `reports.labels` | Labels for Anchore Reports pods | `{}` | | `reports.annotations` | Annotation for Anchore Reports pods | `{}` | @@ -1191,6 +1209,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | | `reports.scratchVolume.details` | Details for the k8s volume to be created for Anchore Reports scratch space | `{}` | + ### Anchore Reports Worker Parameters | Name | Description | Value | 
@@ -1202,6 +1221,8 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `reportsWorker.service.labels` | Labels for Anchore Reports Worker service | `{}` | | `reportsWorker.service.nodePort` | nodePort for Anchore Reports Worker service | `""` | | `reportsWorker.extraEnv` | Set extra environment variables for Anchore Reports Worker pods | `[]` | +| `reportsWorker.extraVolumes` | Define additional volumes for Anchore Reports Worker pods | `[]` | +| `reportsWorker.extraVolumeMounts` | Define additional volume mounts for Anchore Reports Worker pods | `[]` | | `reportsWorker.resources` | Resource requests and limits for Anchore Reports Worker pods | `{}` | | `reportsWorker.labels` | Labels for Anchore Reports Worker pods | `{}` | | `reportsWorker.annotations` | Annotation for Anchore Reports Worker pods | `{}` | @@ -1210,6 +1231,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `reportsWorker.affinity` | Affinity for Anchore Reports Worker pod assignment | `{}` | | `reportsWorker.serviceAccountName` | Service account name for Anchore Reports Worker pods | `""` | + ### Anchore Simple Queue Parameters | Name | Description | Value | 
@@ -1221,6 +1243,8 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `simpleQueue.service.labels` | Labels for Anchore Simple Queue service | `{}` | | `simpleQueue.service.nodePort` | nodePort for Anchore Simple Queue service | `""` | | `simpleQueue.extraEnv` | Set extra environment variables for Anchore Simple Queue pods | `[]` | +| `simpleQueue.extraVolumes` | Define additional volumes for Anchore Simple Queue pods | `[]` | +| `simpleQueue.extraVolumeMounts` | Define additional volume mounts for Anchore Simple Queue pods | `[]` | | `simpleQueue.resources` | Resource requests and limits for Anchore Simple Queue pods | `{}` | | `simpleQueue.labels` | Labels for Anchore Simple Queue pods | `{}` | | `simpleQueue.annotations` | Annotation for Anchore Simple Queue pods | `{}` | @@ -1229,6 +1253,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `simpleQueue.affinity` | Affinity for Anchore Simple Queue pod assignment | `{}` | | `simpleQueue.serviceAccountName` | Service account name for Anchore Simple Queue pods | `""` | + ### Anchore UI Parameters | Name | Description | Value | @@ -1244,6 +1269,8 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ui.service.sessionAffinity` | Session Affinity for Ui service | `ClientIP` | | `ui.service.nodePort` | nodePort for Anchore UI service | `""` | | `ui.extraEnv` | Set extra environment variables for Anchore UI pods | `[]` | +| `ui.extraVolumes` | Define additional volumes for Anchore UI pods | `[]` | +| `ui.extraVolumeMounts` | Define additional volume mounts for Anchore UI pods | `[]` | | `ui.resources` | Resource requests and limits for Anchore UI pods | `{}` | | `ui.labels` | Labels for Anchore UI pods | `{}` | | `ui.annotations` | Annotation for Anchore UI pods | `{}` | 
@@ -1252,6 +1279,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ui.affinity` | Affinity for Anchore ui pod assignment | `{}` | | `ui.serviceAccountName` | Service account name for Anchore UI pods | `""` | + ### Anchore Upgrade Job Parameters | Name | Description | Value | @@ -1270,6 +1298,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `upgradeJob.labels` | Labels for the Anchore upgrade job | `{}` | | `upgradeJob.ttlSecondsAfterFinished` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | + ### Ingress Parameters | Name | Description | Value | @@ -1286,6 +1315,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | + ### Google CloudSQL DB Parameters | Name | Description | Value | @@ -1299,6 +1329,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `cloudsql.serviceAccJsonName` | | `""` | | `cloudsql.extraArgs` | a list of extra arguments to be passed into the cloudsql container command. eg | `[]` | + ### Anchore UI Redis Parameters | Name | Description | Value | @@ -1309,6 +1340,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ui-redis.architecture` | Redis deployment architecture | `standalone` | | `ui-redis.master.persistence.enabled` | enables persistence | `false` | + ### Anchore Database Parameters | Name | Description | Value | diff --git a/stable/enterprise/templates/_common.tpl b/stable/enterprise/templates/_common.tpl index 819c13cf..78bbe530 100644 --- a/stable/enterprise/templates/_common.tpl +++ b/stable/enterprise/templates/_common.tpl 
@@ -106,6 +106,42 @@ When calling this template, .component can be included in the context for compon {{- end -}} +{{/* +Common extraVolumes +When calling this template, .component can be included in the context for component specific annotations +{{- include "enterprise.common.extraVolumes" (merge (dict "component" $component) .) }} +*/}} +{{- define "enterprise.common.extraVolumes" -}} +{{- $component := .component -}} +{{- with .Values.extraVolumes }} +{{ toYaml . }} +{{- end }} +{{- if $component }} + {{- with (index .Values (print $component)).extraVolumes }} +{{ toYaml . }} + {{- end }} +{{- end }} +{{- end -}} + + +{{/* +Common extraVolumeMounts +When calling this template, .component can be included in the context for component specific annotations +{{- include "enterprise.common.extraVolumes" (merge (dict "component" $component) .) }} +*/}} +{{- define "enterprise.common.extraVolumeMounts" -}} +{{- $component := .component -}} +{{- with .Values.extraVolumeMounts }} +{{ toYaml . }} +{{- end }} +{{- if $component }} + {{- with (index .Values (print $component)).extraVolumeMounts }} +{{ toYaml . }} + {{- end }} +{{- end }} +{{- end -}} + + {{/* Setup the common fix permissions init container for all pods using a scratch volume */}} @@ -242,9 +278,8 @@ emptyDir: {} Setup the common anchore volume mounts */}} {{- define "enterprise.common.volumeMounts" -}} -{{- with .Values.extraVolumeMounts }} -{{ toYaml . }} -{{- end }} +{{- $component := .component -}} +{{- include "enterprise.common.extraVolumeMounts" (merge (dict "component" $component) .) }} - name: anchore-license mountPath: /home/anchore/license.yaml subPath: license.yaml 
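Review bot: The usage comment above `enterprise.common.extraVolumeMounts` is a copy of the one above `enterprise.common.extraVolumes`: its example still reads `{{- include "enterprise.common.extraVolumes" (merge (dict "component" $component) .) }}` and both comments describe "component specific annotations", so the second should read `{{- include "enterprise.common.extraVolumeMounts" (merge (dict "component" $component) .) }}` and the wording should say volumes / volume mounts. Separately, `(index .Values (print $component)).extraVolumes` chains a field lookup onto whatever `index` returns, so a caller that passes a `component` which is not also a top-level values key would most likely fail the render with a nil-pointer evaluation instead of rendering nothing; wrapping the lookup as `{{- with (index .Values $component) }}` and moving `{{- with .extraVolumes }}` inside it (same for the mounts template) avoids that, and `print $component` is redundant once `$component` is already a string. Note too that the global and component lists are simply concatenated with no check for a repeated `name`, so a volume declared in both lists renders twice in the pod spec, which Kubernetes validation rejects; that precedence rule deserves a sentence in the values documentation for `extraVolumes` / `<component>.extraVolumes`.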
@@ -265,9 +300,8 @@ Setup the common anchore volume mounts Setup the common anchore volumes */}} {{- define "enterprise.common.volumes" -}} -{{- with .Values.extraVolumes }} -{{ toYaml . }} -{{- end }} +{{- $component := .component -}} +{{- include "enterprise.common.extraVolumes" (merge (dict "component" $component) .) }} - name: anchore-license secret: secretName: {{ .Values.licenseSecretName }} diff --git a/stable/enterprise/templates/analyzer_deployment.yaml b/stable/enterprise/templates/analyzer_deployment.yaml index fe2b6fbf..88779220 100644 --- a/stable/enterprise/templates/analyzer_deployment.yaml +++ b/stable/enterprise/templates/analyzer_deployment.yaml @@ -24,7 +24,7 @@ spec: checksum/analyzer-config: {{ include (print $.Template.BasePath "/analyzer_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} - volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} - name: "anchore-scratch" {{- include "enterprise.common.scratchVolume.details" (merge (dict "component" $component) .) | nindent 10 }} - name: analyzer-config-volume @@ -53,7 +53,7 @@ spec: ports: - name: {{ $component | lower }} containerPort: {{ .Values.analyzer.service.port }} - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + volumeMounts: {{- include "enterprise.common.volumeMounts" (merge (dict "component" $component) .) | nindent 12 }} - name: analyzer-config-volume mountPath: "{{ .Values.anchoreConfig.service_dir }}/analyzer_config.yaml" subPath: analyzer_config.yaml diff --git a/stable/enterprise/templates/api_deployment.yaml b/stable/enterprise/templates/api_deployment.yaml index 705424d1..ae7490de 100644 --- a/stable/enterprise/templates/api_deployment.yaml +++ b/stable/enterprise/templates/api_deployment.yaml 
@@ -26,7 +26,7 @@ spec: checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} - volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} {{- if .Values.anchoreConfig.policyBundles }} - name: policy-bundle-volume configMap: @@ -58,7 +58,7 @@ spec: ports: - name: {{ $component | lower }} containerPort: {{ .Values.api.service.port }} - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + volumeMounts: {{- include "enterprise.common.volumeMounts" (merge (dict "component" $component) .) | nindent 12 }} {{- if .Values.anchoreConfig.policyBundles }} {{- range $key, $value := .Values.anchoreConfig.policyBundles }} - name: policy-bundle-volume diff --git a/stable/enterprise/templates/catalog_deployment.yaml b/stable/enterprise/templates/catalog_deployment.yaml index 435578b6..f054e7dc 100644 --- a/stable/enterprise/templates/catalog_deployment.yaml +++ b/stable/enterprise/templates/catalog_deployment.yaml @@ -26,7 +26,7 @@ spec: {{- end }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} - volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} - name: anchore-scratch {{- include "enterprise.common.scratchVolume.details" (merge (dict "component" $component) .) | nindent 10 }} {{- if .Values.anchoreConfig.policyBundles }} 
@@ -57,7 +57,7 @@ spec: ports: - name: {{ $component | lower }} containerPort: {{ .Values.catalog.service.port }} - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + volumeMounts: {{- include "enterprise.common.volumeMounts" (merge (dict "component" $component) .) | nindent 12 }} - name: anchore-scratch mountPath: {{ .Values.scratchVolume.mountPath }} {{- if .Values.anchoreConfig.policyBundles }} diff --git a/stable/enterprise/templates/hooks/post-upgrade/upgrade_job.yaml b/stable/enterprise/templates/hooks/post-upgrade/upgrade_job.yaml index d545cb49..219c990d 100644 --- a/stable/enterprise/templates/hooks/post-upgrade/upgrade_job.yaml +++ b/stable/enterprise/templates/hooks/post-upgrade/upgrade_job.yaml @@ -24,10 +24,7 @@ spec: spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} restartPolicy: Never - volumes: - {{- with .Values.extraVolumes }} - {{- toYaml . | nindent 8 }} - {{- end }} + volumes: {{- include "enterprise.common.extraVolumes" (merge (dict "component" $component) .) | nindent 8 }} {{- with .Values.certStoreSecretName }} - name: certs secret: @@ -62,10 +59,7 @@ spec: {{- end }} envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} - volumeMounts: - {{- with .Values.extraVolumeMounts }} - {{- toYaml . | nindent 12 }} - {{- end }} + volumeMounts: {{- include "enterprise.common.extraVolumeMounts" (merge (dict "component" $component) .) | nindent 12 }} {{- if .Values.certStoreSecretName }} - name: certs mountPath: /home/anchore/certs/ diff --git a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml index 21466c60..0497c5d8 100644 --- a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml +++ b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml 
@@ -28,10 +28,7 @@ spec: spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} restartPolicy: Never - volumes: - {{- with .Values.extraVolumes }} - {{- toYaml . | nindent 8 }} - {{- end }} + volumes: {{- include "enterprise.common.extraVolumes" (merge (dict "component" $component) .) | nindent 8 }} {{- with .Values.certStoreSecretName }} - name: certs secret: @@ -99,10 +96,7 @@ spec: {{- end }} envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} - volumeMounts: - {{- with .Values.extraVolumeMounts }} - {{- toYaml . | nindent 12 }} - {{- end }} + volumeMounts: {{- include "enterprise.common.extraVolumeMounts" (merge (dict "component" $component) .) | nindent 12 }} {{- if .Values.certStoreSecretName }} - name: certs mountPath: /home/anchore/certs/ diff --git a/stable/enterprise/templates/notifications_deployment.yaml b/stable/enterprise/templates/notifications_deployment.yaml index fdafd772..aa9e3fe5 100644 --- a/stable/enterprise/templates/notifications_deployment.yaml +++ b/stable/enterprise/templates/notifications_deployment.yaml @@ -23,7 +23,7 @@ spec: checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} - volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} containers: {{- if .Values.cloudsql.enabled }} {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} 
@@ -43,7 +43,7 @@ spec: name: {{ $component | lower }} envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + volumeMounts: {{- include "enterprise.common.volumeMounts" (merge (dict "component" $component) .) | nindent 12 }} livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} {{- with .Values.notifications.resources }} diff --git a/stable/enterprise/templates/policyengine_deployment.yaml b/stable/enterprise/templates/policyengine_deployment.yaml index a791f929..4bed6fbe 100644 --- a/stable/enterprise/templates/policyengine_deployment.yaml +++ b/stable/enterprise/templates/policyengine_deployment.yaml @@ -23,7 +23,7 @@ spec: checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} - volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} - name: anchore-scratch {{- include "enterprise.common.scratchVolume.details" (merge (dict "component" $component) .) | nindent 10 }} {{- if and .Values.scratchVolume.fixGroupPermissions .Values.securityContext.fsGroup }} 
@@ -49,7 +49,7 @@ spec: ports: - name: {{ $component | lower }} containerPort: {{ .Values.policyEngine.service.port }} - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + volumeMounts: {{- include "enterprise.common.volumeMounts" (merge (dict "component" $component) .) | nindent 12 }} - name: "anchore-scratch" mountPath: {{ .Values.scratchVolume.mountPath }} livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} diff --git a/stable/enterprise/templates/reports_deployment.yaml b/stable/enterprise/templates/reports_deployment.yaml index 6b350e1d..5d41532f 100644 --- a/stable/enterprise/templates/reports_deployment.yaml +++ b/stable/enterprise/templates/reports_deployment.yaml @@ -23,7 +23,7 @@ spec: checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} - volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} {{- if .Values.anchoreConfig.reports.use_volume }} - name: "anchore-scratch" {{- include "enterprise.common.scratchVolume.details" (merge (dict "component" $component) .) | nindent 10 }} @@ -51,7 +51,7 @@ spec: name: {{ $component | lower }} envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + volumeMounts: {{- include "enterprise.common.volumeMounts" (merge (dict "component" $component) .) | nindent 12 }} {{- if .Values.anchoreConfig.reports.use_volume }} - name: "anchore-scratch" mountPath: {{ .Values.scratchVolume.mountPath }} 
diff --git a/stable/enterprise/templates/reportsworker_deployment.yaml b/stable/enterprise/templates/reportsworker_deployment.yaml index 3d56f984..9ffde13e 100644 --- a/stable/enterprise/templates/reportsworker_deployment.yaml +++ b/stable/enterprise/templates/reportsworker_deployment.yaml @@ -23,7 +23,7 @@ spec: checksum/enterprise-config: {{ tpl (print $.Files.BasePath "/default_config.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} - volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} containers: {{- if .Values.cloudsql.enabled }} {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} @@ -43,7 +43,7 @@ spec: name: {{ $component | lower }} envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + volumeMounts: {{- include "enterprise.common.volumeMounts" (merge (dict "component" $component) .) | nindent 12 }} livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} {{- with .Values.reportsWorker.resources }} diff --git a/stable/enterprise/templates/simplequeue_deployment.yaml b/stable/enterprise/templates/simplequeue_deployment.yaml index c0003eab..21ab1342 100644 --- a/stable/enterprise/templates/simplequeue_deployment.yaml +++ b/stable/enterprise/templates/simplequeue_deployment.yaml 
@@ -22,7 +22,7 @@ spec: checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} - volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} containers: {{- if .Values.cloudsql.enabled }} {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} @@ -42,7 +42,7 @@ spec: ports: - name: {{ $component | lower }} containerPort: {{ .Values.simpleQueue.service.port }} - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + volumeMounts: {{- include "enterprise.common.volumeMounts" (merge (dict "component" $component) .) | nindent 12 }} livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} {{- with .Values.simpleQueue.resources }} diff --git a/stable/enterprise/templates/ui_deployment.yaml b/stable/enterprise/templates/ui_deployment.yaml index 5fa67923..dd36c1e2 100644 --- a/stable/enterprise/templates/ui_deployment.yaml +++ b/stable/enterprise/templates/ui_deployment.yaml @@ -23,7 +23,7 @@ spec: checksum/ui-config: {{ include (print $.Template.BasePath "/ui_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} - volumes: + volumes: {{- include "enterprise.common.extraVolumes" (merge (dict "component" $component) .) | nindent 8 }} - name: anchore-license secret: secretName: {{ .Values.licenseSecretName }} 
@@ -80,7 +80,7 @@ spec: - containerPort: 3000 protocol: TCP name: {{ $component | lower }} - volumeMounts: + volumeMounts: {{- include "enterprise.common.extraVolumeMounts" (merge (dict "component" $component) .) | nindent 12 }} - name: anchore-license mountPath: /home/anchore/license.yaml subPath: license.yaml diff --git a/stable/enterprise/tests/analyzer_resources_test.yaml b/stable/enterprise/tests/analyzer_resources_test.yaml index 6b7b7b41..d5ce47a4 100644 --- a/stable/enterprise/tests/analyzer_resources_test.yaml +++ b/stable/enterprise/tests/analyzer_resources_test.yaml 
@@ -266,6 +266,86 @@ tests: count: 1 any: true + - it: should render component extraVolumes + template: analyzer_deployment.yaml + set: + analyzer.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: analyzer_deployment.yaml + set: + analyzer.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: analyzer_deployment.yaml + set: + analyzer.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: analyzer_deployment.yaml + set: + analyzer.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 + - it: should render component probes template: analyzer_deployment.yaml asserts: diff --git a/stable/enterprise/tests/api_resources_test.yaml b/stable/enterprise/tests/api_resources_test.yaml index 3f1f98f9..d67029a1 100644 
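Review bot: The "should render component and global extraVolumes" and "...extraVolumeMounts" cases only assert that each entry is present, and never exercise a name collision between a component-level entry and a global one (or between an extra volume and a volume the chart itself defines), so the behaviour that matters most to an operator — whether the two lists are deduplicated or whether the render yields a pod spec with duplicate `name` values — is left unpinned. Adding one case that sets `name: extra-vol` in both `analyzer.extraVolumes` and the top-level `extraVolumes` and asserts the intended outcome (`count: 1` if the helper deduplicates, or a documented rejection otherwise) would settle it; the rendering helper is not in this diff, so which outcome is intended is inferred. The identical test blocks added for api_resources_test.yaml, catalog_resources_test.yaml, notifications_resources_test.yaml, policyengine_resources_test.yaml, posthook_upgrade_resources_test.yaml, prehook_upgrade_resources_test.yaml, reports_resources_test.yaml, reportsworker_resources_test.yaml, simplequeue_resources_test.yaml and ui_resources_test.yaml have the same gap and need not be repeated once a shared pattern is agreed.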
--- a/stable/enterprise/tests/api_resources_test.yaml +++ b/stable/enterprise/tests/api_resources_test.yaml @@ -286,6 +286,90 @@ tests: count: 1 any: true + - it: should render component extraVolumes + template: api_deployment.yaml + documentIndex: 0 + set: + api.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: api_deployment.yaml + documentIndex: 0 + set: + api.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: api_deployment.yaml + documentIndex: 0 + set: + api.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: api_deployment.yaml + documentIndex: 0 + set: + api.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 + - it: should render component probes template: api_deployment.yaml documentIndex: 0 
diff --git a/stable/enterprise/tests/catalog_resources_test.yaml b/stable/enterprise/tests/catalog_resources_test.yaml index f9971c42..34e2f7c6 100644 --- a/stable/enterprise/tests/catalog_resources_test.yaml +++ b/stable/enterprise/tests/catalog_resources_test.yaml 
@@ -299,6 +299,90 @@ tests: count: 1 any: true + - it: should render component extraVolumes + template: catalog_deployment.yaml + documentIndex: 0 + set: + catalog.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: catalog_deployment.yaml + documentIndex: 0 + set: + catalog.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: catalog_deployment.yaml + documentIndex: 0 + set: + catalog.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: catalog_deployment.yaml + documentIndex: 0 + set: + catalog.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 + - it: should render component probes template: catalog_deployment.yaml documentIndex: 0 
diff --git a/stable/enterprise/tests/notifications_resources_test.yaml b/stable/enterprise/tests/notifications_resources_test.yaml index 9352dbaf..9dcc13c5 100644 --- a/stable/enterprise/tests/notifications_resources_test.yaml +++ b/stable/enterprise/tests/notifications_resources_test.yaml 
@@ -193,6 +193,90 @@ tests: name: test value: foobar + - it: should render component extraVolumes + template: notifications_deployment.yaml + documentIndex: 0 + set: + notifications.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: notifications_deployment.yaml + documentIndex: 0 + set: + notifications.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: notifications_deployment.yaml + documentIndex: 0 + set: + notifications.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: notifications_deployment.yaml + documentIndex: 0 + set: + notifications.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 + - it: should render component ports template: notifications_deployment.yaml documentIndex: 0 
diff --git a/stable/enterprise/tests/policyengine_resources_test.yaml b/stable/enterprise/tests/policyengine_resources_test.yaml index 9ad77347..6a2f256f 100644 --- a/stable/enterprise/tests/policyengine_resources_test.yaml +++ b/stable/enterprise/tests/policyengine_resources_test.yaml 
@@ -258,6 +258,90 @@ tests: count: 1 any: true + - it: should render component extraVolumes + template: policyengine_deployment.yaml + documentIndex: 0 + set: + policyEngine.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: policyengine_deployment.yaml + documentIndex: 0 + set: + policyEngine.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: policyengine_deployment.yaml + documentIndex: 0 + set: + policyEngine.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: policyengine_deployment.yaml + documentIndex: 0 + set: + policyEngine.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 + - it: should render component probes template: policyengine_deployment.yaml documentIndex: 0 
diff --git a/stable/enterprise/tests/posthook_upgrade_resources_test.yaml b/stable/enterprise/tests/posthook_upgrade_resources_test.yaml index 8486088e..36997aa8 100644 --- a/stable/enterprise/tests/posthook_upgrade_resources_test.yaml +++ b/stable/enterprise/tests/posthook_upgrade_resources_test.yaml 
@@ -228,3 +228,87 @@ tests: cpu: 200m memory: 256Mi count: 1 + + - it: should render component extraVolumes + template: hooks/post-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + upgradeJob.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: hooks/post-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + upgradeJob.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: hooks/post-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + upgradeJob.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: hooks/post-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + upgradeJob.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 
diff --git a/stable/enterprise/tests/prehook_upgrade_resources_test.yaml b/stable/enterprise/tests/prehook_upgrade_resources_test.yaml index 76a68385..35585f40 100644 --- a/stable/enterprise/tests/prehook_upgrade_resources_test.yaml +++ b/stable/enterprise/tests/prehook_upgrade_resources_test.yaml @@ -64,7 +64,7 @@ tests: namespace: test-namespace documentIndex: 2 - - it: pre-hook job does not get created when post-upgrade hook is enabled + - it: pre-hook job does not get created when pre-upgrade hook is enabled templates: *upgrade-resources set: upgradeJob: 
@@ -304,3 +304,87 @@ tests: cpu: 200m memory: 256Mi count: 1 + + - it: should render component extraVolumes + template: hooks/pre-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + upgradeJob.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: hooks/pre-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + upgradeJob.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: hooks/pre-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + upgradeJob.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: hooks/pre-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + upgradeJob.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 
diff --git a/stable/enterprise/tests/reports_resources_test.yaml b/stable/enterprise/tests/reports_resources_test.yaml index 0917a9b6..e869282e 100644 --- a/stable/enterprise/tests/reports_resources_test.yaml +++ b/stable/enterprise/tests/reports_resources_test.yaml 
@@ -406,3 +406,87 @@ tests: asserts: - notExists: path: spec.template.spec.initContainers + + - it: should render component extraVolumes + template: reports_deployment.yaml + documentIndex: 0 + set: + reports.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: reports_deployment.yaml + documentIndex: 0 + set: + reports.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: reports_deployment.yaml + documentIndex: 0 + set: + reports.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: reports_deployment.yaml + documentIndex: 0 + set: + reports.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 
diff --git a/stable/enterprise/tests/reportsworker_resources_test.yaml b/stable/enterprise/tests/reportsworker_resources_test.yaml index 86050391..90a21234 100644 --- a/stable/enterprise/tests/reportsworker_resources_test.yaml +++ b/stable/enterprise/tests/reportsworker_resources_test.yaml 
@@ -291,3 +291,87 @@ tests: app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/component: reportsworker count: 1 + + - it: should render component extraVolumes + template: reportsworker_deployment.yaml + documentIndex: 0 + set: + reportsWorker.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: reportsworker_deployment.yaml + documentIndex: 0 + set: + reportsWorker.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: reportsworker_deployment.yaml + documentIndex: 0 + set: + reportsWorker.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: reportsworker_deployment.yaml + documentIndex: 0 + set: + reportsWorker.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 
diff --git a/stable/enterprise/tests/simplequeue_resources_test.yaml b/stable/enterprise/tests/simplequeue_resources_test.yaml index 5d66c2e0..e16fa53c 100644 --- a/stable/enterprise/tests/simplequeue_resources_test.yaml +++ b/stable/enterprise/tests/simplequeue_resources_test.yaml 
@@ -266,3 +266,87 @@ tests: app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/component: simplequeue count: 1 + + - it: should render component extraVolumes + template: simplequeue_deployment.yaml + documentIndex: 0 + set: + simpleQueue.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: simplequeue_deployment.yaml + documentIndex: 0 + set: + simpleQueue.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: simplequeue_deployment.yaml + documentIndex: 0 + set: + simpleQueue.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: simplequeue_deployment.yaml + documentIndex: 0 + set: + simpleQueue.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 
diff --git a/stable/enterprise/tests/ui_resources_test.yaml b/stable/enterprise/tests/ui_resources_test.yaml index ac56cc61..9755d237 100644 --- a/stable/enterprise/tests/ui_resources_test.yaml +++ b/stable/enterprise/tests/ui_resources_test.yaml 
@@ -302,3 +302,87 @@ tests: app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/component: ui count: 1 + + - it: should render component extraVolumes + template: ui_deployment.yaml + documentIndex: 0 + set: + ui.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: ui_deployment.yaml + documentIndex: 0 + set: + ui.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: ui_deployment.yaml + documentIndex: 0 + set: + ui.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: ui_deployment.yaml + documentIndex: 0 + set: + ui.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 395fc497..793b33ba 100644 --- a/stable/enterprise/values.yaml 
+++ b/stable/enterprise/values.yaml @@ -752,6 +752,14 @@ api: ## extraEnv: [] + ## @param api.extraVolumes Define additional volumes for Anchore API pods + ## + extraVolumes: [] + + ## @param api.extraVolumeMounts Define additional volume mounts for Anchore API pods + ## + extraVolumeMounts: [] + ## @param api.resources Resource requests and limits for Anchore API pods ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. @@ -812,6 +820,14 @@ catalog: ## extraEnv: [] + ## @param catalog.extraVolumes Define additional volumes for Anchore Catalog pods + ## + extraVolumes: [] + + ## @param catalog.extraVolumeMounts Define additional volume mounts for Anchore Catalog pods + ## + extraVolumeMounts: [] + ## @param catalog.resources Resource requests and limits for Anchore Catalog pods ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. @@ -906,6 +922,14 @@ notifications: ## extraEnv: [] + ## @param notifications.extraVolumes Define additional volumes for Anchore Notifications pods + ## + extraVolumes: [] + + ## @param notifications.extraVolumeMounts Define additional volume mounts for Anchore Notifications pods + ## + extraVolumeMounts: [] + ## @param notifications.resources Resource requests and limits for Anchore Notifications pods ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. 
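Review bot: The new `@param api.extraVolumes` / `api.extraVolumeMounts` descriptions do not say how the component list relates to the existing top-level `extraVolumes` / `extraVolumeMounts` (the tests in this commit show both are rendered into the same pod), nor that the entries are emitted verbatim into the pod spec, which is what an operator needs to know when deciding what may be mounted. A fuller description would read `## @param api.extraVolumes Additional volumes for Anchore API pods, rendered verbatim into the pod spec alongside the top-level extraVolumes` and likewise for the mounts. Since these values are passed straight through, any restriction the cluster's admission policy places on volume types still applies to them, and that is worth stating once near the top-level keys rather than in every component section. The catalog and notifications hunks on this line and the policyEngine, reports, reportsWorker, simpleQueue and ui hunks on the following lines carry the same one-line descriptions and would take the same wording.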
@@ -966,6 +990,14 @@ policyEngine: ## extraEnv: [] + ## @param policyEngine.extraVolumes Define additional volumes for Anchore Policy Engine pods + ## + extraVolumes: [] + + ## @param policyEngine.extraVolumeMounts Define additional volume mounts for Anchore Policy Engine pods + ## + extraVolumeMounts: [] + ## @param policyEngine.resources Resource requests and limits for Anchore Policy Engine pods ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. @@ -1031,6 +1063,14 @@ reports: ## extraEnv: [] + ## @param reports.extraVolumes Define additional volumes for Anchore Reports pods + ## + extraVolumes: [] + + ## @param reports.extraVolumeMounts Define additional volume mounts for Anchore Reports pods + ## + extraVolumeMounts: [] + ## @param reports.resources Resource requests and limits for Anchore Reports pods ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations @@ -1108,6 +1148,14 @@ reportsWorker: ## extraEnv: [] + ## @param reportsWorker.extraVolumes Define additional volumes for Anchore Reports Worker pods + ## + extraVolumes: [] + + ## @param reportsWorker.extraVolumeMounts Define additional volume mounts for Anchore Reports Worker pods + ## + extraVolumeMounts: [] + ## @param reportsWorker.resources Resource requests and limits for Anchore Reports Worker pods ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. 
@@ -1168,6 +1216,14 @@ simpleQueue: ## extraEnv: [] + ## @param simpleQueue.extraVolumes Define additional volumes for Anchore Simple Queue pods + ## + extraVolumes: [] + + ## @param simpleQueue.extraVolumeMounts Define additional volume mounts for Anchore Simple Queue pods + ## + extraVolumeMounts: [] + ## @param simpleQueue.resources Resource requests and limits for Anchore Simple Queue pods ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. @@ -1248,6 +1304,14 @@ ui: ## extraEnv: [] + ## @param ui.extraVolumes Define additional volumes for Anchore UI pods + ## + extraVolumes: [] + + ## @param ui.extraVolumeMounts Define additional volume mounts for Anchore UI pods + ## + extraVolumeMounts: [] + ## @param ui.resources Resource requests and limits for Anchore UI pods ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. From ed09d3d7a6ebbe3d9d5783a47647794aa8c8b60c Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Wed, 3 Apr 2024 20:35:02 -0400 Subject: [PATCH 327/329] bumping enterprise chart image to 5.4 (#205) * bumping enterprise chart image to 5.4 * bump feeds chart version --------- Signed-off-by: Hung Nguyen Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.lock | 6 +++--- stable/enterprise/Chart.yaml | 4 ++-- stable/enterprise/README.md | 7 +++++++ .../__snapshot__/prehook_upgrade_resources_test.yaml.snap | 2 +- stable/enterprise/values.yaml | 4 ++-- 5 files changed, 15 insertions(+), 8 deletions(-) diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock index 73b8a52f..bf84f177 100644 --- a/stable/enterprise/Chart.lock +++ b/stable/enterprise/Chart.lock 
@@ -7,6 +7,6 @@ dependencies: version: 17.11.8 - name: feeds repository: https://charts.anchore.io/stable - version: 2.3.0 -digest: sha256:ea9b8927f17a3ee6cae7972dd7ff5a7a51ccafbf7f90443d978a096398c0834b -generated: "2024-02-29T11:39:05.180607-08:00" + version: 2.4.0 +digest: sha256:9179b9a84b9f974b98c1182a25f7d5976a256371cee3733b9ffb9d09d7339c0f +generated: "2024-04-03T17:23:43.082782-07:00" diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 73ad5f0e..cf08e4e8 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: enterprise -version: "2.4.5" -appVersion: "5.3.0" +version: "2.5.0" +appVersion: "5.4.0" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.29.x-x description: | Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems, diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index f02c807b..1da76296 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md 
@@ -1364,6 +1364,13 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention. - **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update. +### V2.5.x + +- Deploys Anchore Enterprise v5.4.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/540/) for more information. +- Anchore Enterprise v5.4.0 introduces changes to how RBAC is managed. The chart has been updated to reflect these changes, no action is required. + - The rbac-manager and rbac-authorizer components are no longer necessary and have been removed from the chart. + - The `rbacManager` and `rbacAuthorizer` sections of the values file have been removed. + ### V2.4.x - Deploys Anchore Enterprise v5.3.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/530/) for more information. diff --git a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index 9decce0d..7006cf4b 100644 --- a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -143,6 +143,6 @@ should render proper initContainers: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise-dev:latest + image: docker.io/anchore/enterprise:v5.4.0 imagePullPolicy: IfNotPresent name: wait-for-db diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 793b33ba..12ae4094 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml 
@@ -18,7 +18,7 @@ global:
 ## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI
 ##
-image: docker.io/anchore/enterprise-dev:latest
+image: docker.io/anchore/enterprise:v5.4.0
 ## @param imagePullPolicy Image pull policy used by all deployments
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
@@ -1265,7 +1265,7 @@ simpleQueue:
 ui:
 ## @param ui.image Image used for the Anchore UI container
 ##
- image: docker.io/anchore/enterprise-ui:v5.3.2
+ image: docker.io/anchore/enterprise-ui:v5.4.0
 ## @param ui.imagePullPolicy Image pull policy for Anchore UI image
 ##
From 0681f5aada5f061ec690649a5ba545a0d8c946fa Mon Sep 17 00:00:00 2001
From: "Christopher Adams (chrisad2)"
Date: Tue, 9 Apr 2024 16:30:49 -0500
Subject: [PATCH 328/329] Common nodeSelector, affinity, tolerations
Signed-off-by: Christopher Adams (chrisad2)
---
 stable/enterprise/Chart.yaml | 2 +-
 stable/enterprise/templates/_common.tpl | 6 +++---
 stable/enterprise/values.yaml | 12 ++++++++++++
 stable/feeds/Chart.yaml | 2 +-
 .../templates/hooks/pre-upgrade/upgrade_job.yaml | 6 +++---
 5 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml
index cf08e4e8..689c899b 100644
--- a/stable/enterprise/Chart.yaml
+++ b/stable/enterprise/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: enterprise
-version: "2.5.0"
+version: "2.5.1"
 appVersion: "5.4.0"
 kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.29.x-x
 description: |
diff --git a/stable/enterprise/templates/_common.tpl b/stable/enterprise/templates/_common.tpl
index 78bbe530..224ee43e 100644
--- a/stable/enterprise/templates/_common.tpl
+++ b/stable/enterprise/templates/_common.tpl
@@ -231,13 +231,13 @@ serviceAccountName: {{ include "enterprise.serviceAccountName" (merge (dict "com
 imagePullSecrets:
 - name: {{ . }}
 {{- end }}
-{{- with (index .Values (print $component)).nodeSelector }}
+{{- with (default .Values.nodeSelector (index .Values (print $component)).nodeSelector) }}
 nodeSelector: {{- toYaml . | nindent 2 }}
 {{- end }}
-{{- with (index .Values (print $component)).affinity }}
+{{- with (default .Values.affinity (index .Values (print $component)).affinity) }}
 affinity: {{- toYaml . | nindent 2 }}
 {{- end }}
-{{- with (index .Values (print $component)).tolerations }}
+{{- with (default .Values.tolerations (index .Values (print $component)).tolerations) }}
 tolerations: {{- toYaml . | nindent 2 }}
 {{- end }}
 {{- end -}}
diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml
index 12ae4094..0997dd57 100644
--- a/stable/enterprise/values.yaml
+++ b/stable/enterprise/values.yaml
@@ -100,6 +100,18 @@ labels: {}
 ##
 annotations: {}
+## @param nodeSelector Common nodeSelector set on all Kubernetes pods
+##
+nodeSelector: {}
+
+## @param tolerations Common tolerations set on all Kubernetes pods
+##
+tolerations: []
+
+## @param affinity Common affinity set on all Kubernetes pods
+##
+affinity: {}
+
 ## @param scratchVolume.mountPath The mount path of an external volume for scratch space. Used for the following pods: analyzer, policy-engine, catalog, and reports
 ## @param scratchVolume.fixGroupPermissions Enable an initContainer that will fix the fsGroup permissions on all scratch volumes
 ## @param scratchVolume.fixerInitContainerImage The image to use for the mode-fixer initContainer
diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml
index 92ea01b3..2d50e449 100644
--- a/stable/feeds/Chart.yaml
+++ b/stable/feeds/Chart.yaml
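Review bot: Sprig's `default` treats an empty map or list as unset, so with the three new `with (default .Values.X (index .Values (print $component)).X)` lines a component can no longer opt out of a non-empty common value — `<component>.tolerations: []` silently falls back to the common list, and a non-empty component value replaces the common one outright rather than merging with it. Tolerations decide which tainted node pools (dedicated or control-plane nodes, for instance) every pod rendered through this helper may be scheduled onto, so that precedence is worth stating in the template, e.g. `{{/* common nodeSelector/affinity/tolerations apply only when the component sets none; a non-empty component value replaces them (no merge) */}}` above the first `with`. If a per-component opt-out is wanted, test presence with `hasKey` instead of emptiness with `default`. The enclosing `define` starts before this hunk.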
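Review bot: The three new `@param` comments say "set on all Kubernetes pods" but not how they relate to the existing per-component `<component>.nodeSelector`, `.tolerations` and `.affinity` keys that the README still documents. Since the template takes the component value when it is non-empty and otherwise the common one, say so here, e.g. `## @param tolerations Common tolerations set on all Kubernetes pods; a non-empty <component>.tolerations replaces (does not merge with) this list`, and likewise for `nodeSelector` and `affinity`. A note that a common toleration lets every Anchore pod schedule onto any node carrying the matching taint would also help operators who reserve tainted pools deliberately.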
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: feeds
 type: application
-version: "2.4.0"
+version: "2.4.1"
 appVersion: "5.4.0"
 kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.29.x-x
 description: Anchore feeds service
diff --git a/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml
index 682bdf2b..c7181f6b 100644
--- a/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml
+++ b/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml
@@ -37,13 +37,13 @@ spec:
 - name: {{ . }}
 {{- end }}
 restartPolicy: Never
- {{- with .Values.feedsUpgradeJob.nodeSelector }}
+ {{- with (default .Values.nodeSelector .Values.feedsUpgradeJob.nodeSelector) }}
 nodeSelector: {{- toYaml . | nindent 8 }}
 {{- end }}
- {{- with .Values.feedsUpgradeJob.affinity }}
+ {{- with (default .Values.affinity .Values.feedsUpgradeJob.affinity) }}
 affinity: {{- toYaml . | nindent 8 }}
 {{- end }}
- {{- with .Values.feedsUpgradeJob.tolerations }}
+ {{- with (default .Values.tolerations .Values.feedsUpgradeJob.tolerations) }}
 tolerations: {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- if or .Values.certStoreSecretName .Values.cloudsql.useExistingServiceAcc .Values.extraVolumes }}
From 2baea4ff465da10f9cdc33430e15b25ccefebc87 Mon Sep 17 00:00:00 2001
From: Hung Nguyen
Date: Wed, 10 Apr 2024 19:03:50 -0400
Subject: [PATCH 329/329] fix: updating enterprise readme to have the correct ui 5.4.0 image reference (#360)
Signed-off-by: Hung Nguyen
---
 stable/enterprise/Chart.lock | 6 +--
 stable/enterprise/Chart.yaml | 2 +-
 stable/enterprise/README.md | 102 +++++++++++++++-------------
 3 files changed, 48 insertions(+), 62 deletions(-)
diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock
index bf84f177..605b4775 100644
--- a/stable/enterprise/Chart.lock
+++ b/stable/enterprise/Chart.lock
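Review bot: The new `default .Values.nodeSelector`, `.Values.affinity` and `.Values.tolerations` fallbacks read top-level keys of the feeds chart, yet this patch declares those keys only in `stable/enterprise/values.yaml` — the diffstat lists no `stable/feeds/values.yaml` change. If the feeds chart does not already declare them, rendering still succeeds because an absent `.Values` key is nil, but the fallback is invisible to users, to README generation and to any values schema; add `nodeSelector: {}`, `tolerations: []`, `affinity: {}` with `@param` comments to `stable/feeds/values.yaml` as the enterprise chart does. As in the enterprise helper, `default` treats an empty `feedsUpgradeJob.tolerations: []` as unset, so the upgrade job cannot opt out of a common toleration once one is configured. The Job `spec` that encloses these lines starts before the hunk.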
@@ -7,6 +7,6 @@ dependencies:
 version: 17.11.8
 - name: feeds
 repository: https://charts.anchore.io/stable
- version: 2.4.0
-digest: sha256:9179b9a84b9f974b98c1182a25f7d5976a256371cee3733b9ffb9d09d7339c0f
-generated: "2024-04-03T17:23:43.082782-07:00"
+ version: 2.4.1
+digest: sha256:fc8274f1cbd805dc79cecefdcb4bb9cddbb7e4863ed738aee9ccdb60611d939b
+generated: "2024-04-10T17:13:17.54518-04:00"
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml
index 689c899b..8c18ec0c 100644
--- a/stable/enterprise/Chart.yaml
+++ b/stable/enterprise/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: enterprise
-version: "2.5.1"
+version: "2.5.2"
 appVersion: "5.4.0"
 kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.29.x-x
 description: |
diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md
index 1da76296..2215a3a3 100644
--- a/stable/enterprise/README.md
+++ b/stable/enterprise/README.md
@@ -918,50 +918,51 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `global.fullnameOverride` | overrides the fullname set on resources | `""` | | `global.nameOverride` | overrides the name set on resources | `""` | - ### Common Resource Parameters -| Name | Description | Value | -| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | -| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise-dev:latest` | -| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | -| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | -| `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` | -| `migrationPodImage` | The image reference to the migration pod | `docker.io/postgres:13-bookworm` | -| `migrationAnchoreEngineSecretName` | The name of the secret that has anchore-engine values | `my-engine-anchore-engine` | -| `serviceAccountName` | Name of a service account used to run all Anchore pods | `""` | -| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | -| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | -| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | -| `extraEnv` | Common environment variables set on all containers | `[]` | -| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | -| `existingSecretName` | Name of an existing secret to be used for Anchore core services, excluding Anchore UI | `anchore-enterprise-env` 
| -| `labels` | Common labels set on all Kubernetes resources | `{}` | -| `annotations` | Common annotations set on all Kubernetes resources | `{}` | -| `scratchVolume.mountPath` | The mount path of an external volume for scratch space. Used for the following pods: analyzer, policy-engine, catalog, and reports | `/analysis_scratch` | -| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions on all scratch volumes | `false` | -| `scratchVolume.fixerInitContainerImage` | The image to use for the mode-fixer initContainer | `alpine` | -| `scratchVolume.details` | Details for the k8s volume to be created (defaults to default emptyDir) | `{}` | -| `extraVolumes` | mounts additional volumes to each pod | `[]` | -| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | -| `securityContext.runAsUser` | The securityContext runAsUser for all Anchore pods | `1000` | -| `securityContext.runAsGroup` | The securityContext runAsGroup for all Anchore pods | `1000` | -| `securityContext.fsGroup` | The securityContext fsGroup for all Anchore pods | `1000` | -| `containerSecurityContext` | The securityContext for all containers | `{}` | -| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | -| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | -| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | -| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | -| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | -| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | -| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | -| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | -| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | -| 
`doSourceAtEntry.enabled` | Does a `source` of the file path defined before starting Anchore services | `false` | -| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | -| `configOverride` | Allows for overriding the default Anchore configuration file | `""` | -| `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | - +| Name | Description | Value | +| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | +| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.4.0` | +| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | +| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | +| `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` | +| `migrationPodImage` | The image reference to the migration pod | `docker.io/postgres:13-bookworm` | +| `migrationAnchoreEngineSecretName` | The name of the secret that has anchore-engine values | `my-engine-anchore-engine` | +| `serviceAccountName` | Name of a service account used to run all Anchore pods | `""` | +| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | +| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | +| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | +| `extraEnv` | Common environment variables set on all containers | `[]` | +| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | +| `existingSecretName` | 
Name of an existing secret to be used for Anchore core services, excluding Anchore UI | `anchore-enterprise-env` | +| `labels` | Common labels set on all Kubernetes resources | `{}` | +| `annotations` | Common annotations set on all Kubernetes resources | `{}` | +| `nodeSelector` | Common nodeSelector set on all Kubernetes pods | `{}` | +| `tolerations` | Common tolerations set on all Kubernetes pods | `[]` | +| `affinity` | Common affinity set on all Kubernetes pods | `{}` | +| `scratchVolume.mountPath` | The mount path of an external volume for scratch space. Used for the following pods: analyzer, policy-engine, catalog, and reports | `/analysis_scratch` | +| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions on all scratch volumes | `false` | +| `scratchVolume.fixerInitContainerImage` | The image to use for the mode-fixer initContainer | `alpine` | +| `scratchVolume.details` | Details for the k8s volume to be created (defaults to default emptyDir) | `{}` | +| `extraVolumes` | mounts additional volumes to each pod | `[]` | +| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | +| `securityContext.runAsUser` | The securityContext runAsUser for all Anchore pods | `1000` | +| `securityContext.runAsGroup` | The securityContext runAsGroup for all Anchore pods | `1000` | +| `securityContext.fsGroup` | The securityContext fsGroup for all Anchore pods | `1000` | +| `containerSecurityContext` | The securityContext for all containers | `{}` | +| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | +| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | +| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | +| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | +| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | +| `probes.readiness.timeoutSeconds` | Timeout 
seconds for the readiness probe | `10` | +| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | +| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | +| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | +| `doSourceAtEntry.enabled` | Does a `source` of the file path defined before starting Anchore services | `false` | +| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | +| `configOverride` | Allows for overriding the default Anchore configuration file | `""` | +| `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | ### Anchore Configuration Parameters @@ -1069,7 +1070,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. | `""` | | `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` | - ### Anchore Analyzer k8s Deployment Parameters | Name | Description | Value | @@ -1086,7 +1086,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `analyzer.serviceAccountName` | Service account name for Anchore API pods | `""` | | `analyzer.scratchVolume.details` | Details for the k8s volume to be created for Anchore Analyzer scratch space | `{}` | - ### Anchore API k8s Deployment Parameters | Name | Description | Value | @@ -1108,7 +1107,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `api.affinity` | Affinity for Anchore API pod assignment | `{}` | | `api.serviceAccountName` | Service account name for Anchore API pods | `""` | - ### Anchore Catalog k8s Deployment Parameters | Name | Description | Value | 
@@ -1131,7 +1129,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `catalog.serviceAccountName` | Service account name for Anchore Catalog pods | `""` | | `catalog.scratchVolume.details` | Details for the k8s volume to be created for Anchore Catalog scratch space | `{}` | - ### Anchore Feeds Chart Parameters | Name | Description | Value | @@ -1141,7 +1138,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `feeds.url` | Set the URL for a standalone Feeds service. Use when chartEnabled=false. | `""` | | `feeds.resources` | Resource requests and limits for Anchore Feeds pods | `{}` | - ### Anchore Notifications Parameters | Name | Description | Value | @@ -1163,7 +1159,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `notifications.affinity` | Affinity for Anchore Notifications pod assignment | `{}` | | `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | - ### Anchore Policy Engine k8s Deployment Parameters | Name | Description | Value | @@ -1186,7 +1181,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `policyEngine.serviceAccountName` | Service account name for Anchore Policy Engine pods | `""` | | `policyEngine.scratchVolume.details` | Details for the k8s volume to be created for Anchore Policy Engine scratch space | `{}` | - ### Anchore Reports Parameters | Name | Description | Value | @@ -1209,7 +1203,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | | `reports.scratchVolume.details` | Details for the k8s volume to be created for Anchore Reports scratch space | `{}` | - ### Anchore Reports Worker Parameters | Name | Description | Value | 
@@ -1231,7 +1224,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `reportsWorker.affinity` | Affinity for Anchore Reports Worker pod assignment | `{}` | | `reportsWorker.serviceAccountName` | Service account name for Anchore Reports Worker pods | `""` | - ### Anchore Simple Queue Parameters | Name | Description | Value | @@ -1253,12 +1245,11 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `simpleQueue.affinity` | Affinity for Anchore Simple Queue pod assignment | `{}` | | `simpleQueue.serviceAccountName` | Service account name for Anchore Simple Queue pods | `""` | - ### Anchore UI Parameters | Name | Description | Value | | ---------------------------- | ----------------------------------------------------------------------------- | ---------------------------------------- | -| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.3.2` | +| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.4.0` | | `ui.imagePullPolicy` | Image pull policy for Anchore UI image | `IfNotPresent` | | `ui.existingSecretName` | Name of an existing secret to be used for Anchore UI DB and Redis endpoints | `anchore-enterprise-ui-env` | | `ui.ldapsRootCaCertName` | Name of the custom CA certificate file store in `.Values.certStoreSecretName` | `""` | @@ -1279,7 +1270,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ui.affinity` | Affinity for Anchore ui pod assignment | `{}` | | `ui.serviceAccountName` | Service account name for Anchore UI pods | `""` | - ### Anchore Upgrade Job Parameters | Name | Description | Value | 
@@ -1298,7 +1288,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `upgradeJob.labels` | Labels for the Anchore upgrade job | `{}` | | `upgradeJob.ttlSecondsAfterFinished` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | - ### Ingress Parameters | Name | Description | Value | @@ -1315,7 +1304,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | - ### Google CloudSQL DB Parameters | Name | Description | Value | @@ -1329,7 +1317,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `cloudsql.serviceAccJsonName` | | `""` | | `cloudsql.extraArgs` | a list of extra arguments to be passed into the cloudsql container command. eg | `[]` | - ### Anchore UI Redis Parameters | Name | Description | Value | @@ -1340,7 +1327,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ui-redis.architecture` | Redis deployment architecture | `standalone` | | `ui-redis.master.persistence.enabled` | enables persistence | `false` | - ### Anchore Database Parameters | Name | Description | Value |