From 7e6fb87b6ee972e773c6a22184cac4771f3aab67 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 12 Jan 2024 15:20:32 -0800 Subject: [PATCH] Fix Permissions init container fixes (#333) * configurable initContainer image for mode-fixer * update readme to remove unused secret in custom certs section * escape `&` in pre-upgrade hook job when using DB root cert * remove path to certs dir in pre-upgrade job as its included in env var * allow fixGroupPermissions on feeds workspace directory * update tests * update README table --------- Signed-off-by: Hung Nguyen Signed-off-by: Brady Todhunter Co-authored-by: Hung Nguyen Co-authored-by: osiagwe <95670662+osiagwe@users.noreply.github.com> --- stable/anchore-engine/Chart.yaml | 2 +- .../templates/analyzer_deployment.yaml | 2 +- .../templates/catalog_deployment.yaml | 2 +- .../enterprise_feeds_deployment.yaml | 2 +- .../templates/policy_engine_deployment.yaml | 2 +- stable/anchore-engine/values.yaml | 1 + stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 102 ++++++++------ stable/enterprise/templates/_common.tpl | 2 +- .../hooks/pre-upgrade/upgrade_job.yaml | 2 +- .../prehook_upgrade_resources_test.yaml.snap | 2 +- stable/enterprise/values.yaml | 2 + stable/feeds/Chart.yaml | 2 +- stable/feeds/README.md | 124 ++++++++++-------- stable/feeds/templates/deployment.yaml | 21 ++- .../hooks/pre-upgrade/upgrade_job.yaml | 2 +- .../prehook_upgrade_resources_test.yaml.snap | 2 +- stable/feeds/tests/common_helpers_test.yaml | 6 +- stable/feeds/values.yaml | 4 + 19 files changed, 166 insertions(+), 118 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 9a76a4e9..7da83262 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.28.5 +version: 1.28.6 appVersion: 1.1.0 description: Anchore container analysis and policy evaluation engine service keywords: 
diff --git a/stable/anchore-engine/templates/analyzer_deployment.yaml b/stable/anchore-engine/templates/analyzer_deployment.yaml
index e2a2b00e..2173fecb 100644
--- a/stable/anchore-engine/templates/analyzer_deployment.yaml
+++ b/stable/anchore-engine/templates/analyzer_deployment.yaml
@@ -73,7 +73,7 @@ spec:
 {{- if and .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreGlobal.securityContext.fsGroup }}
 initContainers:
 - name: mode-fixer
- image: alpine
+ image: {{ .Values.anchoreGlobal.scratchVolume.initContainerImage }}
 securityContext:
 runAsUser: 0
 volumeMounts:
diff --git a/stable/anchore-engine/templates/catalog_deployment.yaml b/stable/anchore-engine/templates/catalog_deployment.yaml
index 34d769da..b12ffc17 100644
--- a/stable/anchore-engine/templates/catalog_deployment.yaml
+++ b/stable/anchore-engine/templates/catalog_deployment.yaml
@@ -75,7 +75,7 @@ spec:
 {{- if and .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreGlobal.securityContext.fsGroup }}
 initContainers:
 - name: mode-fixer
- image: alpine
+ image: {{ .Values.anchoreGlobal.scratchVolume.initContainerImage }}
 securityContext:
 runAsUser: 0
 volumeMounts:
diff --git a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml
index 2299b5f3..b8e4d615 100644
--- a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml
+++ b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml
@@ -66,7 +66,7 @@ spec:
 {{- if and (or .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreEnterpriseFeeds.persistence.fixGroupPermissions) .Values.anchoreGlobal.securityContext.fsGroup }}
 initContainers:
 - name: mode-fixer
- image: alpine
+ image: {{ .Values.anchoreGlobal.scratchVolume.initContainerImage }}
 securityContext:
 runAsUser: 0
 volumeMounts:
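Review bot: The `+ image:` line renders the value bare, so an empty or unset `anchoreGlobal.scratchVolume.initContainerImage` produces `image:` (null) and the Deployment is only rejected when applied, not when templated; `image: {{ required "anchoreGlobal.scratchVolume.initContainerImage must be set" .Values.anchoreGlobal.scratchVolume.initContainerImage | quote }}` fails fast at render time and keeps a registry/tag reference from being retyped by YAML. The same line appears in the catalog and enterprise-feeds hunks below, in policy_engine_deployment.yaml, in enterprise's `_common.tpl` and in the feeds deployment.yaml. Because this container runs with `runAsUser: 0`, the value is a root-capable image chosen by whoever controls the values file, so the parameter docs should steer operators to a digest-pinned image rather than the floating `alpine` default. The key is `initContainerImage` in this chart but `fixerInitContainerImage` in the enterprise and feeds charts; aligning the name while the value is new avoids a permanent inconsistency across the charts.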
diff --git a/stable/anchore-engine/templates/policy_engine_deployment.yaml b/stable/anchore-engine/templates/policy_engine_deployment.yaml
index 8695d65d..2d4204ad 100644
--- a/stable/anchore-engine/templates/policy_engine_deployment.yaml
+++ b/stable/anchore-engine/templates/policy_engine_deployment.yaml
@@ -72,7 +72,7 @@ spec:
 {{- if and .Values.anchoreGlobal.scratchVolume.fixGroupPermissions .Values.anchoreGlobal.securityContext.fsGroup }}
 initContainers:
 - name: mode-fixer
- image: alpine
+ image: {{ .Values.anchoreGlobal.scratchVolume.initContainerImage }}
 securityContext:
 runAsUser: 0
 volumeMounts:
diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml
index 69c974bf..50b72926 100644
--- a/stable/anchore-engine/values.yaml
+++ b/stable/anchore-engine/values.yaml
@@ -173,6 +173,7 @@ anchoreGlobal:
 # Some k8s Volumes do not properly respect the fsGroup permissions. These volumes will get mounted as root:root
 # regardless of the security permissions requested. The fixGroupPermissions will create an initContainer that will
 # fixup the permissions.
+ initContainerImage: alpine
 fixGroupPermissions: false
 mountPath: /analysis_scratch
 details: {}
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml
index cca8b7b3..0f260edd 100644
--- a/stable/enterprise/Chart.yaml
+++ b/stable/enterprise/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: enterprise
-version: "2.2.2"
+version: "2.2.3"
 appVersion: "5.1.1"
 kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x
 description: |
diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md
index da2666c6..72d025d4 100644
--- a/stable/enterprise/README.md
+++ b/stable/enterprise/README.md
@@ -632,8 +632,6 @@ metadata:
 namespace: ...
 type: Opaque
 data:
- internal-ca-cert-bundle.pam:
-[base64 encoded text]
 rds-combined-ca-cert-bundle.pem:
 [base64 encoded text]
 internal-cert.pem:
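Review bot: In the values.yaml hunk, `initContainerImage: alpine` is inserted under the comment block that explains fixGroupPermissions but gets no line of its own, so a reader cannot tell what consumes it or that it is pulled as root; add `# Image for the mode-fixer initContainer (runs with runAsUser 0 to fix volume permissions); pin to a digest for reproducible, verifiable pulls` directly above it. The default is the floating `alpine` tag from Docker Hub, which this change makes overridable for the first time, so the comment is the natural place to steer operators to a pinned image from a registry they control. The enterprise values.yaml `## @param scratchVolume.fixerInitContainerImage` line later in this diff would benefit from the same wording.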
@@ -665,7 +663,8 @@ anchoreConfig: certSecretCertFileName: internal-cert.pem ui: - # Specify an LDAP CA cert if using LDAP authenication + # Specify an LDAP CA cert if using LDAP authenication. + # Note if using an internal ca cert for internalServicesSSL, combine that into the ldap-combined-ca-cert-bundle.pem ldapsRootCaCertName: ldap-combined-ca-cert-bundle.pem ``` 
@@ -937,47 +936,50 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `global.fullnameOverride` | overrides the fullname set on resources | `""` | | `global.nameOverride` | overrides the name set on resources | `""` | + ### Common Resource Parameters -| Name | Description | Value | -| ------------------------------------- | ------------------------------------------------------------------------------------- | ------------------------------------- | -| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.1.0` | -| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | -| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | -| `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` | -| `migrationPodImage` | The image reference to the migration pod | `docker.io/postgres:13-bookworm` | -| `migrationAnchoreEngineSecretName` | The name of the secret that has anchore-engine values | `my-engine-anchore-engine` | -| `serviceAccountName` | Name of a service account used to run all Anchore pods | `""` | -| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | -| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | -| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | -| `extraEnv` | Common environment variables set on all containers | `[]` | -| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | -| `existingSecretName` | Name of an existing secret to be used for Anchore core services, excluding Anchore UI | `anchore-enterprise-env` | -| `labels` | Common labels set on all Kubernetes 
resources | `{}` | -| `annotations` | Common annotations set on all Kubernetes resources | `{}` | -| `scratchVolume.mountPath` | The mount path of an external volume for scratch space for image analysis | `/analysis_scratch` | -| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions | `false` | -| `scratchVolume.details` | Details for the k8s volume to be created | `{}` | -| `extraVolumes` | mounts additional volumes to each pod | `[]` | -| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | -| `securityContext.runAsUser` | The securityContext runAsUser for all Anchore pods | `1000` | -| `securityContext.runAsGroup` | The securityContext runAsGroup for all Anchore pods | `1000` | -| `securityContext.fsGroup` | The securityContext fsGroup for all Anchore pods | `1000` | -| `containerSecurityContext` | The securityContext for all containers | `{}` | -| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | -| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | -| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | -| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | -| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | -| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | -| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | -| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | -| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | -| `doSourceAtEntry.enabled` | Does a `source` of the file path defined before starting Anchore services | `false` | -| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | -| `configOverride` | Allows for overriding the default Anchore 
configuration file | `""` | -| `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | +| Name | Description | Value | +| --------------------------------------- | ------------------------------------------------------------------------------------- | ------------------------------------- | +| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.1.1` | +| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | +| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | +| `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` | +| `migrationPodImage` | The image reference to the migration pod | `docker.io/postgres:13-bookworm` | +| `migrationAnchoreEngineSecretName` | The name of the secret that has anchore-engine values | `my-engine-anchore-engine` | +| `serviceAccountName` | Name of a service account used to run all Anchore pods | `""` | +| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | +| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | +| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | +| `extraEnv` | Common environment variables set on all containers | `[]` | +| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | +| `existingSecretName` | Name of an existing secret to be used for Anchore core services, excluding Anchore UI | `anchore-enterprise-env` | +| `labels` | Common labels set on all Kubernetes resources | `{}` | +| `annotations` | Common annotations set on all Kubernetes resources | `{}` | +| `scratchVolume.mountPath` | The mount path of an external volume 
for scratch space for image analysis | `/analysis_scratch` | +| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions | `false` | +| `scratchVolume.fixerInitContainerImage` | The image to use for the mode-fixer initContainer | `alpine` | +| `scratchVolume.details` | Details for the k8s volume to be created | `{}` | +| `extraVolumes` | mounts additional volumes to each pod | `[]` | +| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | +| `securityContext.runAsUser` | The securityContext runAsUser for all Anchore pods | `1000` | +| `securityContext.runAsGroup` | The securityContext runAsGroup for all Anchore pods | `1000` | +| `securityContext.fsGroup` | The securityContext fsGroup for all Anchore pods | `1000` | +| `containerSecurityContext` | The securityContext for all containers | `{}` | +| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | +| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | +| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | +| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | +| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | +| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | +| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | +| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | +| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | +| `doSourceAtEntry.enabled` | Does a `source` of the file path defined before starting Anchore services | `false` | +| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | +| `configOverride` | Allows for overriding the default Anchore configuration file | `""` | +| `scripts` | Collection of helper 
scripts usable in all anchore enterprise pods | `{}` | + ### Anchore Configuration Parameters @@ -1082,6 +1084,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. | `""` | | `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` | + ### Anchore API k8s Deployment Parameters | Name | Description | Value | @@ -1102,6 +1105,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `api.affinity` | Affinity for Anchore API pod assignment | `{}` | | `api.serviceAccountName` | Service account name for Anchore API pods | `""` | + ### Anchore Analyzer k8s Deployment Parameters | Name | Description | Value | @@ -1117,6 +1121,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `analyzer.affinity` | Affinity for Anchore Analyzer pod assignment | `{}` | | `analyzer.serviceAccountName` | Service account name for Anchore API pods | `""` | + ### Anchore Catalog k8s Deployment Parameters | Name | Description | Value | @@ -1136,6 +1141,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `catalog.affinity` | Affinity for Anchore Catalog pod assignment | `{}` | | `catalog.serviceAccountName` | Service account name for Anchore Catalog pods | `""` | + ### Anchore Feeds Chart Parameters | Name | Description | Value | @@ -1144,6 +1150,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `feeds.standalone` | Sets the Anchore Feeds chart to run into non-standalone mode, for use with Anchore Enterprise. | `false` | | `feeds.url` | Set the URL for a standalone Feeds service. Use when chartEnabled=false. | `""` | + ### Anchore Policy Engine k8s Deployment Parameters | Name | Description | Value | 
@@ -1163,6 +1170,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `policyEngine.affinity` | Affinity for Anchore Policy Engine pod assignment | `{}` | | `policyEngine.serviceAccountName` | Service account name for Anchore Policy Engine pods | `""` | + ### Anchore Simple Queue Parameters | Name | Description | Value | @@ -1182,6 +1190,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `simpleQueue.affinity` | Affinity for Anchore Simple Queue pod assignment | `{}` | | `simpleQueue.serviceAccountName` | Service account name for Anchore Simple Queue pods | `""` | + ### Anchore Notifications Parameters | Name | Description | Value | @@ -1201,6 +1210,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `notifications.affinity` | Affinity for Anchore Notifications pod assignment | `{}` | | `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | + ### Anchore Reports Parameters | Name | Description | Value | @@ -1220,6 +1230,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `reports.affinity` | Affinity for Anchore Reports pod assignment | `{}` | | `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | + ### Anchore RBAC Authentication Parameters | Name | Description | Value | @@ -1227,6 +1238,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `rbacAuth.extraEnv` | Set extra environment variables for Anchore RBAC Authentication containers | `[]` | | `rbacAuth.resources` | Resource requests and limits for Anchore RBAC Authentication containers | `{}` | + ### Anchore RBAC Manager Parameters | Name | Description | Value | 
@@ -1246,6 +1258,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `rbacManager.affinity` | Affinity for Anchore RBAC Manager pod assignment | `{}` | | `rbacManager.serviceAccountName` | Service account name for Anchore RBAC Manager pods | `""` | + ### Anchore UI Parameters | Name | Description | Value | @@ -1269,6 +1282,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ui.affinity` | Affinity for Anchore ui pod assignment | `{}` | | `ui.serviceAccountName` | Service account name for Anchore UI pods | `""` | + ### Anchore Upgrade Job Parameters | Name | Description | Value | @@ -1287,6 +1301,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `upgradeJob.labels` | Labels for the Anchore upgrade job | `{}` | | `upgradeJob.ttlSecondsAfterFinished` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | + ### Ingress Parameters | Name | Description | Value | @@ -1305,6 +1320,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | + ### Google CloudSQL DB Parameters | Name | Description | Value | @@ -1318,6 +1334,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `cloudsql.serviceAccJsonName` | | `""` | | `cloudsql.extraArgs` | a list of extra arguments to be passed into the cloudsql container command. eg | `[]` | + ### Anchore UI Redis Parameters | Name | Description | Value | 
@@ -1328,6 +1345,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ui-redis.architecture` | Redis deployment architecture | `standalone` | | `ui-redis.master.persistence.enabled` | enables persistence | `false` | + ### Anchore Database Parameters | Name | Description | Value | diff --git a/stable/enterprise/templates/_common.tpl b/stable/enterprise/templates/_common.tpl index 370d5b16..c25491ec 100644 --- a/stable/enterprise/templates/_common.tpl +++ b/stable/enterprise/templates/_common.tpl @@ -115,7 +115,7 @@ Setup the common fix permissions init container for all pods using a scratch vol */}} {{- define "enterprise.common.fixPermissionsInitContainer" -}} - name: mode-fixer - image: alpine + image: {{ .Values.scratchVolume.fixerInitContainerImage }} securityContext: runAsUser: 0 volumeMounts: diff --git a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml index cf7891cc..5c0dd160 100644 --- a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml +++ b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml @@ -71,7 +71,7 @@ spec: CONNSTR=${CONNSTR}?sslmode=${ANCHORE_DB_SSL_MODE} fi if [[ ${ANCHORE_DB_SSL_ROOT_CERT} != null ]]; then - CONNSTR=${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_DB_SSL_ROOT_CERT} + CONNSTR=${CONNSTR}\&sslrootcert=${ANCHORE_DB_SSL_ROOT_CERT} fi err=$(anchore-enterprise-manager db --db-connect ${CONNSTR} pre-upgrade-check 2>&1 > /dev/null) if [[ !$err ]]; then diff --git a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index 35049c84..696a938c 100644 --- a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap 
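Review bot: In the upgrade_job.yaml hunk, escaping the ampersand stops the backgrounding, but the `+ CONNSTR=` assignment is still unquoted, so a space or other shell-significant character in `ANCHORE_DB_SSL_ROOT_CERT` still escapes the assignment; quoting the right-hand side, `CONNSTR="${CONNSTR}&sslrootcert=${ANCHORE_DB_SSL_ROOT_CERT}"`, removes the need for the backslash and covers those cases as well. The value is then passed as `--db-connect ${CONNSTR}` on the next context line, where the unquoted expansion is subject to word splitting and pathname expansion (the `?sslmode=` part is a glob metacharacter), so `"${CONNSTR}"` belongs there too. The feeds chart's upgrade_job.yaml carries the identical line and should get the same treatment. The pre-existing `if [[ !$err ]]` on the last context line appears to test the single non-empty word `!…` rather than negate `$err`, so the pre-upgrade result may not actually gate anything; the script continues outside this hunk and is worth a follow-up.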
@@ -117,7 +117,7 @@ should render proper initContainers: CONNSTR=${CONNSTR}?sslmode=${ANCHORE_DB_SSL_MODE} fi if [[ ${ANCHORE_DB_SSL_ROOT_CERT} != null ]]; then - CONNSTR=${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_DB_SSL_ROOT_CERT} + CONNSTR=${CONNSTR}\&sslrootcert=${ANCHORE_DB_SSL_ROOT_CERT} fi err=$(anchore-enterprise-manager db --db-connect ${CONNSTR} pre-upgrade-check 2>&1 > /dev/null) if [[ !$err ]]; then diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 3a286d50..4914ed05 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -102,6 +102,7 @@ annotations: {} ## @param scratchVolume.mountPath The mount path of an external volume for scratch space for image analysis ## @param scratchVolume.fixGroupPermissions Enable an initContainer that will fix the fsGroup permissions +## @param scratchVolume.fixerInitContainerImage The image to use for the mode-fixer initContainer ## @param scratchVolume.details [object] Details for the k8s volume to be created ## Generally speaking you need to provision 3x the size of the largest image (uncompressed) that you want to analyze ## ref: https://kubernetes.io/docs/concepts/storage/volumes/ @@ -109,6 +110,7 @@ annotations: {} scratchVolume: mountPath: /analysis_scratch fixGroupPermissions: false + fixerInitContainerImage: alpine details: {} ## @param extraVolumes mounts additional volumes to each pod diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml index 15c9137a..aa555723 100644 --- a/stable/feeds/Chart.yaml +++ b/stable/feeds/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: feeds type: application -version: "2.1.2" +version: "2.1.3" appVersion: "5.1.1" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.28.x-x description: Anchore feeds service diff --git a/stable/feeds/README.md b/stable/feeds/README.md index aa42cb00..7a8b4145 100644 --- a/stable/feeds/README.md +++ b/stable/feeds/README.md 
@@ -306,64 +306,67 @@ anchoreConfig: ### Common Resource Parameters -| Name | Description | Value | -| ------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------- | -| `standalone` | Enable running the Anchore Feeds service in standalone mode | `true` | -| `url` | Set a custom feeds URL. Useful when using a feeds service endpoint that is external from the cluster. | `""` | -| `fullnameOverride` | overrides the fullname set on resources | `""` | -| `nameOverride` | overrides the name set on resources | `""` | -| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v5.1.0` | -| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | -| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | -| `serviceAccountName` | Name of a service account used to run all Feeds pods | `""` | -| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | -| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | -| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | -| `extraEnv` | Common environment variables set on all containers | `[]` | -| `labels` | Common labels set on all Kubernetes resources | `{}` | -| `annotations` | Common annotations set on all Kubernetes resources | `{}` | -| `resources` | Resource requests and limits for Anchore Feeds pods | `{}` | -| `nodeSelector` | Node labels for Anchore Feeds pod assignment | `{}` | -| `tolerations` | Tolerations for Anchore Feeds pod assignment | `[]` | -| `affinity` | Affinity for Anchore Feeds pod assignment | `{}` | -| `service.type` | Service type for Anchore Feeds | `ClusterIP` | -| `service.port` | Service port for 
Anchore Feeds | `8448` | -| `service.annotations` | Annotations for Anchore Feeds service | `{}` | -| `service.labels` | Labels for Anchore Feeds service | `{}` | -| `service.nodePort` | nodePort for Anchore Feeds service | `""` | -| `scratchVolume.mountPath` | The mount path of an external volume for scratch space for image analysis | `/anchore_scratch` | -| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions | `false` | -| `scratchVolume.details` | Details for the k8s volume to be created | `{}` | -| `persistence.enabled` | Enable mounting an external volume for feeds driver workspace | `true` | -| `persistence.resourcePolicy` | Resource policy Helm annotation on PVC. Can be nil or "keep" | `keep` | -| `persistence.existingClaim` | Specify an existing volume claim | `""` | -| `persistence.storageClass` | Persistent volume storage class | `""` | -| `persistence.accessMode` | Access Mode for persistent volume | `ReadWriteOnce` | -| `persistence.size` | Size of persistent volume | `40Gi` | -| `persistence.mountPath` | Mount path on Anchore Feeds container for persistent volume | `/workspace` | -| `persistence.subPath` | Directory name used for persistent volume storage | `feeds-workspace` | -| `persistence.annotations` | Annotations for PVC | `{}` | -| `extraVolumes` | mounts additional volumes to each pod | `[]` | -| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | -| `securityContext.runAsUser` | The securityContext runAsUser for all Feeds pods | `1000` | -| `securityContext.runAsGroup` | The securityContext runAsGroup for all Feeds pods | `1000` | -| `securityContext.fsGroup` | The securityContext fsGroup for all Feeds pods | `1000` | -| `containerSecurityContext` | The securityContext for all Feeds containers | `{}` | -| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | -| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | -| 
`probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | -| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | -| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | -| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | -| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | -| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | -| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | -| `doSourceAtEntry.enabled` | Does a `source` of the file paths defined before starting Anchore services | `false` | -| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | -| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | -| `existingSecretName` | Name of the existing secret to be used for Anchore Feeds Service | `anchore-enterprise-feeds-env` | -| `configOverride` | Allows for overriding the default Anchore configuration file | `{}` | -| `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | +| Name | Description | Value | +| --------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------------- | +| `standalone` | Enable running the Anchore Feeds service in standalone mode | `true` | +| `url` | Set a custom feeds URL. Useful when using a feeds service endpoint that is external from the cluster. 
| `""` | +| `fullnameOverride` | overrides the fullname set on resources | `""` | +| `nameOverride` | overrides the name set on resources | `""` | +| `image` | Image used for feeds deployment | `docker.io/anchore/enterprise:v5.1.1` | +| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | +| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | +| `serviceAccountName` | Name of a service account used to run all Feeds pods | `""` | +| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | +| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | +| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | +| `extraEnv` | Common environment variables set on all containers | `[]` | +| `labels` | Common labels set on all Kubernetes resources | `{}` | +| `annotations` | Common annotations set on all Kubernetes resources | `{}` | +| `resources` | Resource requests and limits for Anchore Feeds pods | `{}` | +| `nodeSelector` | Node labels for Anchore Feeds pod assignment | `{}` | +| `tolerations` | Tolerations for Anchore Feeds pod assignment | `[]` | +| `affinity` | Affinity for Anchore Feeds pod assignment | `{}` | +| `service.type` | Service type for Anchore Feeds | `ClusterIP` | +| `service.port` | Service port for Anchore Feeds | `8448` | +| `service.annotations` | Annotations for Anchore Feeds service | `{}` | +| `service.labels` | Labels for Anchore Feeds service | `{}` | +| `service.nodePort` | nodePort for Anchore Feeds service | `""` | +| `scratchVolume.mountPath` | The mount path of an external volume for scratch space for image analysis | `/anchore_scratch` | +| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions | `false` | +| 
`scratchVolume.fixerInitContainerImage` | Set the container image for the permissions fixer init container | `alpine` | +| `scratchVolume.details` | Details for the k8s volume to be created | `{}` | +| `persistence.enabled` | Enable mounting an external volume for feeds driver workspace | `true` | +| `persistence.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions | `false` | +| `persistence.resourcePolicy` | Resource policy Helm annotation on PVC. Can be nil or "keep" | `keep` | +| `persistence.existingClaim` | Specify an existing volume claim | `""` | +| `persistence.storageClass` | Persistent volume storage class | `""` | +| `persistence.accessMode` | Access Mode for persistent volume | `ReadWriteOnce` | +| `persistence.size` | Size of persistent volume | `40Gi` | +| `persistence.mountPath` | Mount path on Anchore Feeds container for persistent volume | `/workspace` | +| `persistence.subPath` | Directory name used for persistent volume storage | `feeds-workspace` | +| `persistence.annotations` | Annotations for PVC | `{}` | +| `extraVolumes` | mounts additional volumes to each pod | `[]` | +| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | +| `securityContext.runAsUser` | The securityContext runAsUser for all Feeds pods | `1000` | +| `securityContext.runAsGroup` | The securityContext runAsGroup for all Feeds pods | `1000` | +| `securityContext.fsGroup` | The securityContext fsGroup for all Feeds pods | `1000` | +| `containerSecurityContext` | The securityContext for all Feeds containers | `{}` | +| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | +| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | +| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | +| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | +| `probes.liveness.successThreshold` | Success threshold for liveness probe | 
`1` | +| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | +| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | +| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | +| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | +| `doSourceAtEntry.enabled` | Does a `source` of the file paths defined before starting Anchore services | `false` | +| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | +| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | +| `existingSecretName` | Name of the existing secret to be used for Anchore Feeds Service | `anchore-enterprise-feeds-env` | +| `configOverride` | Allows for overriding the default Anchore configuration file | `{}` | +| `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | + ### Anchore Feeds Configuration Parameters @@ -404,6 +407,7 @@ anchoreConfig: | `anchoreConfig.feeds.drivers.github.enabled` | Enable GitHub advisory feeds (requires GitHub PAT) | `false` | | `anchoreConfig.feeds.drivers.github.token` | GitHub developer personal access token with zero permission scopes | `""` | + ### Anchore Feeds Database Parameters | Name | Description | Value | @@ -418,6 +422,7 @@ anchoreConfig: | `feeds-db.primary.extraEnvVars` | An array to add extra environment variables | `[]` | | `feeds-db.image.tag` | Specifies the image to use for this chart. | `13.11.0-debian-11-r15` | + ### Feeds Gem Database Parameters | Name | Description | Value | @@ -432,6 +437,7 @@ anchoreConfig: | `gem-db.primary.extraEnvVars` | An array to add extra environment variables | `[]` | | `gem-db.image.tag` | Specifies the image to use for this chart. | `13.11.0-debian-11-r15` | + ### Anchore Feeds Upgrade Job Parameters | Name | Description | Value | 
@@ -450,6 +456,7 @@ anchoreConfig: | `feedsUpgradeJob.resources` | Resources for the Anchore Feeds upgrade job | `{}` | | `feedsUpgradeJob.ttlSecondsAfterFinished` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | + ### Ingress Parameters | Name | Description | Value | @@ -462,6 +469,7 @@ anchoreConfig: | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | + ### Google CloudSQL DB Parameters | Name | Description | Value | diff --git a/stable/feeds/templates/deployment.yaml b/stable/feeds/templates/deployment.yaml index 691a73e8..82a7bf43 100644 --- a/stable/feeds/templates/deployment.yaml +++ b/stable/feeds/templates/deployment.yaml 
@@ -30,19 +30,30 @@ spec: imagePullSecrets: - name: {{ . }} {{- end }} - {{- if and .Values.scratchVolume.fixGroupPermissions .Values.securityContext.fsGroup }} + {{- if and (or .Values.scratchVolume.fixGroupPermissions .Values.persistence.fixGroupPermissions) .Values.securityContext.fsGroup }} initContainers: - name: mode-fixer - image: alpine + image: {{ .Values.scratchVolume.fixerInitContainerImage }} securityContext: runAsUser: 0 volumeMounts: + {{- if .Values.scratchVolume.fixGroupPermissions }} - name: "anchore-scratch" mountPath: {{ .Values.scratchVolume.mountPath }} - command: - - sh - - -c + {{- end }} + {{- if .Values.persistence.fixGroupPermissions }} + - name: data + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + {{- end }} + command: ["/bin/sh", "-c"] + args: + {{- if .Values.scratchVolume.fixGroupPermissions }} - (chmod 0775 {{ .Values.scratchVolume.mountPath }}; chgrp {{ .Values.securityContext.fsGroup }} {{ .Values.scratchVolume.mountPath }} ) + {{- end }} + {{- if .Values.persistence.fixGroupPermissions }} + - (chmod 0775 {{ .Values.persistence.mountPath }}; chgrp {{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }} ) + {{- end }} {{- end }} containers: {{- if .Values.cloudsql.enabled }} diff --git a/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml index df6f0d7b..b588dd49 100644 --- a/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml +++ b/stable/feeds/templates/hooks/pre-upgrade/upgrade_job.yaml @@ -91,7 +91,7 @@ spec: CONNSTR=${CONNSTR}?sslmode=${ANCHORE_FEEDS_DB_SSL_MODE} fi if [[ ${ANCHORE_FEEDS_DB_SSL_ROOT_CERT} != null ]]; then - CONNSTR=${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_FEEDS_DB_SSL_ROOT_CERT} + CONNSTR=${CONNSTR}\&sslrootcert=${ANCHORE_FEEDS_DB_SSL_ROOT_CERT} fi err=$(anchore-enterprise-manager db --db-connect ${CONNSTR} pre-upgrade-check 2>&1 > /dev/null) if [[ !$err ]]; then 
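Review bot: When both `scratchVolume.fixGroupPermissions` and `persistence.fixGroupPermissions` are true, the new `args:` list renders two entries under `command: ["/bin/sh", "-c"]`, and `sh -c` executes only its first argument — the second string is bound to `$0`, so the persistence workspace is silently never chmod/chgrp'd in exactly the configuration this change is meant to enable. Rendering a single script string that concatenates whichever fixes are enabled removes the silent skip; a sketch follows. Because this init container runs as `runAsUser: 0`, it is also worth having that script stop on the first failure (`set -e`) so a mount that cannot be fixed surfaces as an init error rather than as a pod that later fails writing to its workspace. The `{{- if ... }}` that guards the whole initContainers stanza opens and closes inside this hunk; the enclosing pod spec continues on both sides of it.
```yaml
          # … unchanged: image, securityContext, volumeMounts …
          command: ["/bin/sh", "-c"]
          args:
            - >-
              set -e;
              {{- if .Values.scratchVolume.fixGroupPermissions }}
              chmod 0775 {{ .Values.scratchVolume.mountPath }}; chgrp {{ .Values.securityContext.fsGroup }} {{ .Values.scratchVolume.mountPath }};
              {{- end }}
              {{- if .Values.persistence.fixGroupPermissions }}
              chmod 0775 {{ .Values.persistence.mountPath }}; chgrp {{ .Values.securityContext.fsGroup }} {{ .Values.persistence.mountPath }};
              {{- end }}
```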
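Review bot: The `\&` on the new `CONNSTR=` line does stop the shell from treating `&` as a background operator, but the same intent reads more plainly, and survives later edits better, as a double-quoted assignment: `CONNSTR="${CONNSTR}&sslrootcert=${ANCHORE_FEEDS_DB_SSL_ROOT_CERT}"`. Separately, the `?sslmode=` prefix two lines above is appended inside its own `if`/`fi`, so if the root cert is set while that branch is not taken the result appears to be `...&sslrootcert=...` with no `?`, which the manager would presumably reject — if that combination is meant to be supported, the first appended parameter has to choose between `?` and `&`. The identical line is mirrored in the test snapshot in the next file section, so that snapshot needs regenerating with whichever form is chosen. The shell script this line belongs to starts before the hunk and continues after it.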
diff --git a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index b3a8c1d2..a1c187bc 100644 --- a/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/feeds/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -117,7 +117,7 @@ should render proper initContainers: CONNSTR=${CONNSTR}?sslmode=${ANCHORE_FEEDS_DB_SSL_MODE} fi if [[ ${ANCHORE_FEEDS_DB_SSL_ROOT_CERT} != null ]]; then - CONNSTR=${CONNSTR}&sslrootcert=/home/anchore/certs/${ANCHORE_FEEDS_DB_SSL_ROOT_CERT} + CONNSTR=${CONNSTR}\&sslrootcert=${ANCHORE_FEEDS_DB_SSL_ROOT_CERT} fi err=$(anchore-enterprise-manager db --db-connect ${CONNSTR} pre-upgrade-check 2>&1 > /dev/null) if [[ !$err ]]; then diff --git a/stable/feeds/tests/common_helpers_test.yaml b/stable/feeds/tests/common_helpers_test.yaml index a34c3c84..7893d7ab 100644 --- a/stable/feeds/tests/common_helpers_test.yaml +++ b/stable/feeds/tests/common_helpers_test.yaml @@ -286,7 +286,11 @@ tests: volumeMounts: - name: "anchore-scratch" mountPath: /anchore_scratch - command: [ sh, -c, (chmod 0775 /anchore_scratch; chgrp 9999 /anchore_scratch ) ] + args: + - (chmod 0775 /anchore_scratch; chgrp 9999 /anchore_scratch ) + command: + - /bin/sh + - -c count: 1 any: true diff --git a/stable/feeds/values.yaml b/stable/feeds/values.yaml index c24f7795..c21d5d0d 100644 --- a/stable/feeds/values.yaml +++ b/stable/feeds/values.yaml 
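Review bot: The updated `common_helpers_test.yaml` assertion still covers only the scratch-volume case: `args` is checked with a single element, and nothing in this hunk exercises `persistence.fixGroupPermissions`, alone or together with `scratchVolume.fixGroupPermissions`. Under `command: [/bin/sh, -c]` a second `args` element is bound to `$0` rather than executed, so a case with both flags set that asserts on the rendered `args` would expose that behaviour instead of leaving it to production. A companion case with `persistence.fixGroupPermissions: true` should assert the `data` volumeMount with its `subPath` and the chmod/chgrp on the persistence mount path. The inputs this test renders with are outside the hunk.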
@@ -102,6 +102,7 @@ service: ## @param scratchVolume.mountPath The mount path of an external volume for scratch space for image analysis ## @param scratchVolume.fixGroupPermissions Enable an initContainer that will fix the fsGroup permissions +## @param scratchVolume.fixerInitContainerImage Set the container image for the permissions fixer init container ## @param scratchVolume.details [object] Details for the k8s volume to be created ## Generally speaking you need to provision 3x the size of the largest image (uncompressed) that you want to analyze ## ref: https://kubernetes.io/docs/concepts/storage/volumes/ @@ -109,9 +110,11 @@ service: scratchVolume: mountPath: /anchore_scratch fixGroupPermissions: false + fixerInitContainerImage: alpine details: {} ## @param persistence.enabled Enable mounting an external volume for feeds driver workspace +## @param persistence.fixGroupPermissions Enable an initContainer that will fix the fsGroup permissions ## @param persistence.resourcePolicy Resource policy Helm annotation on PVC. Can be nil or "keep" ## @param persistence.existingClaim Specify an existing volume claim ## @param persistence.storageClass Persistent volume storage class @@ -124,6 +127,7 @@ scratchVolume: ## persistence: enabled: true + fixGroupPermissions: false resourcePolicy: keep existingClaim: "" storageClass: ""
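Review bot: The new default `fixerInitContainerImage: alpine` in the second hunk on this line resolves to the floating `latest` tag, and the template that consumes it runs that container with `runAsUser: 0`, so an unpinned image is pulled into the most privileged step of the pod and can change between restarts without any chart change. Pin it to a specific tag, or better a digest, e.g. `fixerInitContainerImage: "alpine:<pinned-tag>@sha256:<digest>"` (placeholder values to be chosen by the maintainers), and quote it so tooling does not retype it. The `@param` line in the first hunk should also state that any substituted image must provide `/bin/sh`, `chmod` and `chgrp`, since the deployment template now invokes `/bin/sh -c` explicitly.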