diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index db305a20..bc7e2fa6 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -76,8 +76,8 @@ jobs:
 kubectl --namespace anchore create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username="${DOCKER_USER}" --docker-password="${DOCKER_PASS}"
 env:
 ANCHORE_LICENSE: ${{ secrets.B64_ANCHORE_LICENSE }}
- DOCKER_USER: ${{ secrets.ANCHORECI_DOCKER_USER }}
- DOCKER_PASS: ${{ secrets.ANCHORECI_DOCKER_PASS }}
+ DOCKER_USER: ${{ secrets.ANCHOREREADONLY_DH_USERNAME }}
+ DOCKER_PASS: ${{ secrets.ANCHOREREADONLY_DH_PAT }}
 - name: Check if anchore-engine endpoint is required for admission controller chart
 id: engine_required
diff --git a/.github/workflows/values-converter-docker.yaml b/.github/workflows/values-converter-docker.yaml
index 838a2bae..c7290a72 100644
--- a/.github/workflows/values-converter-docker.yaml
+++ b/.github/workflows/values-converter-docker.yaml
@@ -20,8 +20,8 @@ jobs:
 - name: Login to DockerHub
 uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
 with:
- username: ${{ secrets.ANCHORECI_DOCKER_USER }}
- password: ${{ secrets.ANCHORECI_DOCKER_PASS }}
+ username: ${{ secrets.ANCHOREDEVWRITE_DH_USERNAME }}
+ password: ${{ secrets.ANCHOREDEVWRITE_DH_PAT }}
 - name: Build and push
 id: docker_build
diff --git a/scripts/enterprise-value-converter/mappings.py b/scripts/enterprise-value-converter/mappings.py
index 2939b5af..c004a310 100644
--- a/scripts/enterprise-value-converter/mappings.py
+++ b/scripts/enterprise-value-converter/mappings.py
@@ -110,7 +110,6 @@
 "anchore-feeds-db.persistence": "feeds.feeds-db.primary.persistence",
 "anchoreEnterpriseRbac.managerResources": "rbacManager.resources",
- "anchoreEnterpriseRbac.authResources": "rbacAuth.resources",
 }
 LEVEL_THREE_CHANGE_KEY_MAPPING = {
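Review bot: The read-only PAT is the right scope for a job that only needs to pull images, but the context line above the change still hands it to kubectl as `--docker-password="${DOCKER_PASS}"`, i.e. in the process argv, which any other process on the runner can read for the lifetime of the command; GitHub masks the value in the step log, not in the process table, so this matters mainly on self-hosted or shared runners. If that is a concern, build the pull secret from a file instead: `echo "${DOCKER_PASS}" | docker login docker.io -u "${DOCKER_USER}" --password-stdin` followed by `kubectl --namespace anchore create secret generic anchore-enterprise-pullcreds --type=kubernetes.io/dockerconfigjson --from-file=.dockerconfigjson="$HOME/.docker/config.json"`. The `run:` block this command belongs to starts before the hunk, so I can't see whether the job uses the credentials anywhere else.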
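Review bot: This login step now uses a push-scoped PAT (`ANCHOREDEVWRITE_DH_PAT`) while the test workflow in the same commit moves to a read-only one, which is the right split, but a write-capable token in a workflow is only as safe as the events that can run it; the `on:` block is outside the hunk, so confirm it is not reachable from fork pull requests (in particular not via `pull_request_target`) and that the `docker_build` step that follows, whose body is also outside the hunk, is the only consumer. I'd also record the scope next to the secret so the two credentials aren't swapped in a later edit: `# ANCHOREDEVWRITE_DH_PAT: Docker Hub PAT with push scope; the read-only PAT used in test.yaml must not be substituted here`. Pinning the action to a full commit SHA is good and should stay that way.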
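Review bot: Dropping the `anchoreEnterpriseRbac.authResources` mapping means a legacy values file that still sets it now yields nothing on the new side, and judging by the deleted `test_anchoreEnterpriseRbac_enabled_value`, which expects a deprecated key to simply vanish from the result, unmapped keys appear to be discarded without any message — I can't see `replace_keys_with_mappings` in helpers to confirm. An operator running the converter will not learn that the RBAC auth settings have no equivalent in the new chart, so if the converter has a deprecated-key list or a warning path, `anchoreEnterpriseRbac.authResources` (and the `anchoreEnterpriseRbac.maxRequestThreads` entry removed in the next hunk) belong on it; failing that, a short comment here such as `# rbacAuth container removed in chart 2.5.0; authResources has no new-chart equivalent` would at least explain the gap. The dict literal this entry lives in starts before the hunk.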
@@ -217,7 +216,6 @@
 "anchoreCatalog.imageGCMaxWorkerThreads": "catalog.ANCHORE_CATALOG_IMAGE_GC_WORKERS",
 "anchoreEnterpriseNotifications.maxRequestThreads": "notifications.ANCHORE_MAX_REQUEST_THREADS",
- "anchoreEnterpriseRbac.maxRequestThreads": "rbacAuth.ANCHORE_MAX_REQUEST_THREADS",
 "anchoreEnterpriseReports.maxRequestThreads": "reports.ANCHORE_MAX_REQUEST_THREADS",
 "anchoreGlobal.clientConnectTimeout": "ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT",
@@ -322,7 +320,7 @@
 },
 "anchoreEnterpriseRbac.extraEnv": {
 "action": "duplicate",
- "new_keys": ["rbacAuth.extraEnv", "rbacManager.extraEnv"]
+ "new_keys": ["rbacManager.extraEnv"]
 },
 "anchoreEnterpriseGlobal.imagePullSecretName": {
 "action": "duplicate",
diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py
deleted file mode 100644
index 308d545c..00000000
--- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py
+++ /dev/null
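Review bot: With `rbacAuth.extraEnv` gone, the `anchoreEnterpriseRbac.extraEnv` entry keeps `"action": "duplicate"` with a single-element `new_keys` list, which reads as a leftover rather than a deliberate fan-out. If the duplicate action with one target produces the same output as a direct mapping (the dispatch code is in helpers, outside this diff), a plain `"anchoreEnterpriseRbac.extraEnv": "rbacManager.extraEnv"` entry in the simple mapping dict would match how `anchoreEnterpriseRbac.managerResources` is handled in this same commit; otherwise a one-line comment on why it stays a duplicate would save the next reader the same question. The enclosing dict starts before this hunk and continues after it.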
@@ -1,300 +0,0 @@ -import os -import shutil -import unittest -from helpers import ( - replace_keys_with_mappings, -) - -class TestReplaceKeysWithMappingsCatalog(unittest.TestCase): - def setUp(self): - self.results_dir = "test_results_dir" - - def tearDown(self): - if os.path.exists(self.results_dir): - shutil.rmtree(self.results_dir) - - def test_anchoreEnterpriseRbac_replicaCount_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.replicaCount": 2, - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'replicaCount': 2 - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - - def test_anchoreEnterpriseRbac_resources_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.resources.limits.cpu": 1, - "anchoreEnterpriseRbac.resources.limits.memory": "4G", - "anchoreEnterpriseRbac.resources.requests.cpu": 1, - "anchoreEnterpriseRbac.resources.requests.memory": "1G" - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'resources': { - 'limits': { - 'cpu': 1, - 'memory': '4G' - }, - 'requests': { - 'cpu': 1, - 'memory': '1G' - } - } - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - - def test_anchoreEnterpriseRbac_labels_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.labels.myLabel": "myValue", - "anchoreEnterpriseRbac.labels.myOtherLabel": "myOtherValue", - "anchoreEnterpriseRbac.labels.anotherLabel.with.a.dot": "qux" - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'labels': - { - 'myLabel': 'myValue', - 'myOtherLabel': 
'myOtherValue', - 'anotherLabel.with.a.dot': 'qux' - } - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - def test_anchoreEnterpriseRbac_annotations_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.annotations.foo": "bar", - "anchoreEnterpriseRbac.annotations.bar": "baz", - "anchoreEnterpriseRbac.annotations.anotherLabel.with.a.dot": "qux" - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'annotations': - { - 'foo': 'bar', - 'bar': 'baz', - 'anotherLabel.with.a.dot': 'qux' - } - - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - def test_anchoreEnterpriseRbac_deploymentAnnotations_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.deploymentAnnotations.foo": "bar", - "anchoreEnterpriseRbac.deploymentAnnotations.bar": "baz", - "anchoreEnterpriseRbac.deploymentAnnotations.anotherLabel.with.a.dot": "qux" - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'deploymentAnnotations': - { - 'foo': 'bar', - 'bar': 'baz', - 'anotherLabel.with.a.dot': 'qux' - } - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - def test_anchoreEnterpriseRbac_nodeSelector_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.nodeSelector.name": "foo", - "anchoreEnterpriseRbac.nodeSelector.value": "bar", - "anchoreEnterpriseRbac.nodeSelector.anotherLabel.with.a.dot": "baz" - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'nodeSelector': - { - 'name': 'foo', - 'value': 
'bar', - 'anotherLabel.with.a.dot': 'baz' - } - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - def test_anchoreEnterpriseRbac_tolerations_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.tolerations": [ - { - "name": "foo", - "value": "bar" - } - ] - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'tolerations': [ - { - 'name': 'foo', - 'value': 'bar' - } - ] - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - def test_anchoreEnterpriseRbac_affinity_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.affinity.name": "foo", - "anchoreEnterpriseRbac.affinity.value": "bar" - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'affinity':{ - 'name': 'foo', - 'value': 'bar' - } - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - def test_anchoreEnterpriseRbac_extraEnv_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.extraEnv": [ - { - "name": "foo", - "value": "bar" - } - ] - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'extraEnv': [ - { - "name": "foo", - "value": "bar" - } - ] - }, - 'rbacAuth': { - 'extraEnv': [ - { - "name": "foo", - "value": "bar" - } - ] - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - - self.assertEqual(result[0], expected_result) - - def test_anchoreEnterpriseRbac_serviceAccountName_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.serviceAccountName": "Null" - } - 
expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'serviceAccountName': "Null" - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - - def test_anchoreEnterpriseRbac_service_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.service.name": "Null", - "anchoreEnterpriseRbac.service.type": "ClusterIP", - "anchoreEnterpriseRbac.service.managerPort": 8082, - "anchoreEnterpriseRbac.service.authPort": "8089", - "anchoreEnterpriseRbac.service.annotations.foo": "bar", - "anchoreEnterpriseRbac.service.annotations.bar": "baz", - "anchoreEnterpriseRbac.service.annotations.anotherLabel.with.a.dot": "qux", - "anchoreEnterpriseRbac.service.labels": {}, - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'service': { - 'name': 'Null', - 'type': 'ClusterIP', - 'port': 8082, - # 'authPort': '8089', Deprecated - 'annotations': { - 'foo': 'bar', - 'bar': 'baz', - 'anotherLabel.with.a.dot': 'qux' - }, - 'labels': {} - } - } - } - - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - -# enabled: true - def test_anchoreEnterpriseRbac_enabled_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.enabled": True # deprecated - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},} - - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - def test_anchoreEnterpriseRbac_authResources_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.authResources.limits.cpu": 1, - "anchoreEnterpriseRbac.authResources.limits.memory": "1G", - 
"anchoreEnterpriseRbac.authResources.requests.cpu": "100m", - "anchoreEnterpriseRbac.authResources.requests.memory": "256M" - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacAuth': { - 'resources': { - 'limits': { - 'cpu': 1, - 'memory': '1G' - }, - 'requests': { - 'cpu': '100m', - 'memory': '256M' - } - } - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) - - def test_anchoreEnterpriseRbac_managerResources_value(self): - dot_string_dict = { - "anchoreEnterpriseRbac.managerResources.limits.cpu": 1, - "anchoreEnterpriseRbac.managerResources.limits.memory": "1G", - "anchoreEnterpriseRbac.managerResources.requests.cpu": "100m", - "anchoreEnterpriseRbac.managerResources.requests.memory": "256M" - } - expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, - 'rbacManager': { - 'resources': { - 'limits': { - 'cpu': 1, - 'memory': '1G' - }, - 'requests': { - 'cpu': '100m', - 'memory': '256M' - } - } - } - } - result = replace_keys_with_mappings(dot_string_dict, self.results_dir) - self.assertEqual(result[0], expected_result) diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock index 73b8a52f..bf84f177 100644 --- a/stable/enterprise/Chart.lock +++ b/stable/enterprise/Chart.lock @@ -7,6 +7,6 @@ dependencies: version: 17.11.8 - name: feeds repository: https://charts.anchore.io/stable - version: 2.3.0 -digest: sha256:ea9b8927f17a3ee6cae7972dd7ff5a7a51ccafbf7f90443d978a096398c0834b -generated: "2024-02-29T11:39:05.180607-08:00" + version: 2.4.0 +digest: sha256:9179b9a84b9f974b98c1182a25f7d5976a256371cee3733b9ffb9d09d7339c0f +generated: "2024-04-03T17:23:43.082782-07:00" diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index e504af5b..cf08e4e8 100644 
--- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: enterprise -version: "2.4.2" -appVersion: "5.3.0" +version: "2.5.0" +appVersion: "5.4.0" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.29.x-x description: | Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems, diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index e4b8ff47..1da76296 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -419,7 +419,7 @@ stringData: [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) serves as the gateway to expose HTTP and HTTPS routes from outside the Kubernetes cluster to services within it. Routing is governed by rules specified in the Ingress resource. Kubernetes supports a variety of ingress controllers, such as AWS ALB and GCE controllers. -This Helm chart includes a foundational ingress configuration that is customizable. You can expose various Anchore Enterprise external APIs, including the core API, UI, reporting, RBAC, and feeds, by editing the `ingress` section in your values file. +This Helm chart includes a foundational ingress configuration that is customizable. You can expose various Anchore Enterprise external APIs, including the core API, UI, reporting, and feeds, by editing the `ingress` section in your values file. Ingress is disabled by default in this Helm chart. To enable it, along with the [NGINX ingress controller](https://kubernetes.github.io/ingress-nginx/) for core API and UI routes, set the `ingress.enabled` value to `true`. @@ -582,11 +582,6 @@ spec: interval: 30s path: /metrics scheme: http - # RBAC manager - - targetPort: 8229 - interval: 30s - path: /metrics - scheme: http ``` ### Scaling Individual Services 
@@ -687,7 +682,6 @@ The Anchore Enterprise Helm chart introduces several changes to the deployment c - `-anchore-engine-catalog` -> `-enterprise-catalog` - `-anchore-engine-enterprise-feeds` -> `-feeds` - `-anchore-engine-enterprise-notifications` -> `-enterprise-notifications` - - `-anchore-engine-enterprise-rbac` -> `-enterprise-rbac-manager` - `-anchore-engine-enterprise-reports` -> `-enterprise-reports` - `-anchore-engine-enterprise-ui` -> `-enterprise-ui` - `-anchore-engine-policy` -> `-enterprise-policy` 
@@ -924,48 +918,50 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `global.fullnameOverride` | overrides the fullname set on resources | `""` | | `global.nameOverride` | overrides the name set on resources | `""` | + ### Common Resource Parameters -| Name | Description | Value | -| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | -| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.3.0` | -| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | -| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | -| `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` | -| `migrationPodImage` | The image reference to the migration pod | `docker.io/postgres:13-bookworm` | -| `migrationAnchoreEngineSecretName` | The name of the secret that has anchore-engine values | `my-engine-anchore-engine` | -| `serviceAccountName` | Name of a service account used to run all Anchore pods | `""` | -| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | -| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | -| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | -| `extraEnv` | Common environment variables set on all containers | `[]` | -| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | -| `existingSecretName` | Name of an existing secret to be used for Anchore core services, excluding Anchore UI | `anchore-enterprise-env` | -| 
`labels` | Common labels set on all Kubernetes resources | `{}` | -| `annotations` | Common annotations set on all Kubernetes resources | `{}` | -| `scratchVolume.mountPath` | The mount path of an external volume for scratch space. Used for the following pods: analyzer, policy-engine, catalog, and reports | `/analysis_scratch` | -| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions on all scratch volumes | `false` | -| `scratchVolume.fixerInitContainerImage` | The image to use for the mode-fixer initContainer | `alpine` | -| `scratchVolume.details` | Details for the k8s volume to be created (defaults to default emptyDir) | `{}` | -| `extraVolumes` | mounts additional volumes to each pod | `[]` | -| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | -| `securityContext.runAsUser` | The securityContext runAsUser for all Anchore pods | `1000` | -| `securityContext.runAsGroup` | The securityContext runAsGroup for all Anchore pods | `1000` | -| `securityContext.fsGroup` | The securityContext fsGroup for all Anchore pods | `1000` | -| `containerSecurityContext` | The securityContext for all containers | `{}` | -| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | -| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | -| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | -| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | -| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | -| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | -| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | -| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | -| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | -| `doSourceAtEntry.enabled` 
| Does a `source` of the file path defined before starting Anchore services | `false` | -| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | -| `configOverride` | Allows for overriding the default Anchore configuration file | `""` | -| `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | +| Name | Description | Value | +| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | +| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise-dev:latest` | +| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | +| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | +| `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` | +| `migrationPodImage` | The image reference to the migration pod | `docker.io/postgres:13-bookworm` | +| `migrationAnchoreEngineSecretName` | The name of the secret that has anchore-engine values | `my-engine-anchore-engine` | +| `serviceAccountName` | Name of a service account used to run all Anchore pods | `""` | +| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | +| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | +| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | +| `extraEnv` | Common environment variables set on all containers | `[]` | +| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | +| `existingSecretName` | Name of an existing 
secret to be used for Anchore core services, excluding Anchore UI | `anchore-enterprise-env` | +| `labels` | Common labels set on all Kubernetes resources | `{}` | +| `annotations` | Common annotations set on all Kubernetes resources | `{}` | +| `scratchVolume.mountPath` | The mount path of an external volume for scratch space. Used for the following pods: analyzer, policy-engine, catalog, and reports | `/analysis_scratch` | +| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions on all scratch volumes | `false` | +| `scratchVolume.fixerInitContainerImage` | The image to use for the mode-fixer initContainer | `alpine` | +| `scratchVolume.details` | Details for the k8s volume to be created (defaults to default emptyDir) | `{}` | +| `extraVolumes` | mounts additional volumes to each pod | `[]` | +| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | +| `securityContext.runAsUser` | The securityContext runAsUser for all Anchore pods | `1000` | +| `securityContext.runAsGroup` | The securityContext runAsGroup for all Anchore pods | `1000` | +| `securityContext.fsGroup` | The securityContext fsGroup for all Anchore pods | `1000` | +| `containerSecurityContext` | The securityContext for all containers | `{}` | +| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | +| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | +| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | +| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | +| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | +| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | +| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | +| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | +| 
`probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | +| `doSourceAtEntry.enabled` | Does a `source` of the file path defined before starting Anchore services | `false` | +| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | +| `configOverride` | Allows for overriding the default Anchore configuration file | `""` | +| `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | + ### Anchore Configuration Parameters @@ -1073,6 +1069,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. | `""` | | `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` | + ### Anchore Analyzer k8s Deployment Parameters | Name | Description | Value | @@ -1089,6 +1086,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `analyzer.serviceAccountName` | Service account name for Anchore API pods | `""` | | `analyzer.scratchVolume.details` | Details for the k8s volume to be created for Anchore Analyzer scratch space | `{}` | + ### Anchore API k8s Deployment Parameters | Name | Description | Value | @@ -1100,6 +1098,8 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `api.service.labels` | Labels for Anchore API service | `{}` | | `api.service.nodePort` | nodePort for Anchore API service | `""` | | `api.extraEnv` | Set extra environment variables for Anchore API pods | `[]` | +| `api.extraVolumes` | Define additional volumes for Anchore API pods | `[]` | +| `api.extraVolumeMounts` | Define additional volume mounts for Anchore API pods | `[]` | | `api.resources` | Resource requests and limits for Anchore API pods | `{}` | | `api.labels` | Labels for Anchore API pods | `{}` | | `api.annotations` | Annotation for Anchore API pods | `{}` | 
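Review bot: In the rebuilt Common Resource Parameters table the documented default for `image` changes from the pinned `docker.io/anchore/enterprise:v5.3.0` to `docker.io/anchore/enterprise-dev:latest`, in the same commit that bumps the chart to appVersion 5.4.0. If this README is generated from values.yaml (not in the diff), the chart's default image itself now points at a mutable dev tag, which a release chart should not ship: `latest` is not reproducible, cannot be reviewed or pinned by digest, and `enterprise-dev` is presumably not the supported release stream. I'd expect the row to read `docker.io/anchore/enterprise:v5.4.0` and the matching value in values.yaml to be corrected before 2.5.0 is published.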
@@ -1108,6 +1108,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `api.affinity` | Affinity for Anchore API pod assignment | `{}` | | `api.serviceAccountName` | Service account name for Anchore API pods | `""` | + ### Anchore Catalog k8s Deployment Parameters | Name | Description | Value | @@ -1119,6 +1120,8 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `catalog.service.labels` | Labels for Anchore Catalog service | `{}` | | `catalog.service.nodePort` | nodePort for Anchore Catalog service | `""` | | `catalog.extraEnv` | Set extra environment variables for Anchore Catalog pods | `[]` | +| `catalog.extraVolumes` | Define additional volumes for Anchore Catalog pods | `[]` | +| `catalog.extraVolumeMounts` | Define additional volume mounts for Anchore Catalog pods | `[]` | | `catalog.resources` | Resource requests and limits for Anchore Catalog pods | `{}` | | `catalog.labels` | Labels for Anchore Catalog pods | `{}` | | `catalog.annotations` | Annotation for Anchore Catalog pods | `{}` | @@ -1128,6 +1131,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `catalog.serviceAccountName` | Service account name for Anchore Catalog pods | `""` | | `catalog.scratchVolume.details` | Details for the k8s volume to be created for Anchore Catalog scratch space | `{}` | + ### Anchore Feeds Chart Parameters | Name | Description | Value | @@ -1137,6 +1141,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `feeds.url` | Set the URL for a standalone Feeds service. Use when chartEnabled=false. | `""` | | `feeds.resources` | Resource requests and limits for Anchore Feeds pods | `{}` | + ### Anchore Notifications Parameters | Name | Description | Value | 
@@ -1148,6 +1153,8 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `notifications.service.labels` | Labels for Anchore Notifications service | `{}` | | `notifications.service.nodePort` | nodePort for Anchore Notifications service | `""` | | `notifications.extraEnv` | Set extra environment variables for Anchore Notifications pods | `[]` | +| `notifications.extraVolumes` | Define additional volumes for Anchore Notifications pods | `[]` | +| `notifications.extraVolumeMounts` | Define additional volume mounts for Anchore Notifications pods | `[]` | | `notifications.resources` | Resource requests and limits for Anchore Notifications pods | `{}` | | `notifications.labels` | Labels for Anchore Notifications pods | `{}` | | `notifications.annotations` | Annotation for Anchore Notifications pods | `{}` | @@ -1156,6 +1163,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `notifications.affinity` | Affinity for Anchore Notifications pod assignment | `{}` | | `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | + ### Anchore Policy Engine k8s Deployment Parameters | Name | Description | Value | 
@@ -1167,6 +1175,8 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `policyEngine.service.labels` | Labels for Anchore Policy Engine service | `{}` | | `policyEngine.service.nodePort` | nodePort for Anchore Policy Engine service | `""` | | `policyEngine.extraEnv` | Set extra environment variables for Anchore Policy Engine pods | `[]` | +| `policyEngine.extraVolumes` | Define additional volumes for Anchore Policy Engine pods | `[]` | +| `policyEngine.extraVolumeMounts` | Define additional volume mounts for Anchore Policy Engine pods | `[]` | | `policyEngine.resources` | Resource requests and limits for Anchore Policy Engine pods | `{}` | | `policyEngine.labels` | Labels for Anchore Policy Engine pods | `{}` | | `policyEngine.annotations` | Annotation for Anchore Policy Engine pods | `{}` | 
@@ -1176,31 +1186,6 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `policyEngine.serviceAccountName` | Service account name for Anchore Policy Engine pods | `""` | | `policyEngine.scratchVolume.details` | Details for the k8s volume to be created for Anchore Policy Engine scratch space | `{}` | -### Anchore RBAC Authentication Parameters - -| Name | Description | Value | -| -------------------- | -------------------------------------------------------------------------- | ----- | -| `rbacAuth.extraEnv` | Set extra environment variables for Anchore RBAC Authentication containers | `[]` | -| `rbacAuth.resources` | Resource requests and limits for Anchore RBAC Authentication containers | `{}` | - -### Anchore RBAC Manager Parameters - -| Name | Description | Value | -| --------------------------------- | ------------------------------------------------------------- | ----------- | -| `rbacManager.replicaCount` | Number of replicas for the Anchore RBAC Manager deployment | `1` | -| `rbacManager.service.type` | Service type for Anchore RBAC Manager | `ClusterIP` | -| `rbacManager.service.port` | Service port for Anchore RBAC Manager | `8229` | -| `rbacManager.service.annotations` | Annotations for Anchore RBAC Manager service | `{}` | -| `rbacManager.service.labels` | Labels for Anchore RBAC Manager service | `{}` | -| `rbacManager.service.nodePort` | nodePort for Anchore RBAC Manager service | `""` | -| `rbacManager.extraEnv` | Set extra environment variables for Anchore RBAC Manager pods | `[]` | -| `rbacManager.resources` | Resource requests and limits for Anchore RBAC Manager pods | `{}` | -| `rbacManager.labels` | Labels for Anchore RBAC Manager pods | `{}` | -| `rbacManager.annotations` | Annotation for Anchore RBAC Manager pods | `{}` | -| `rbacManager.nodeSelector` | Node labels for Anchore RBAC Manager pod assignment | `{}` | -| `rbacManager.tolerations` | Tolerations for Anchore RBAC Manager pod assignment | `[]` | -| 
`rbacManager.affinity` | Affinity for Anchore RBAC Manager pod assignment | `{}` | -| `rbacManager.serviceAccountName` | Service account name for Anchore RBAC Manager pods | `""` | ### Anchore Reports Parameters @@ -1213,6 +1198,8 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `reports.service.labels` | Labels for Anchore Reports service | `{}` | | `reports.service.nodePort` | nodePort for Anchore Reports service | `""` | | `reports.extraEnv` | Set extra environment variables for Anchore Reports pods | `[]` | +| `reports.extraVolumes` | Define additional volumes for Anchore Reports pods | `[]` | +| `reports.extraVolumeMounts` | Define additional volume mounts for Anchore Reports pods | `[]` | | `reports.resources` | Resource requests and limits for Anchore Reports pods | `{}` | | `reports.labels` | Labels for Anchore Reports pods | `{}` | | `reports.annotations` | Annotation for Anchore Reports pods | `{}` | @@ -1222,6 +1209,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | | `reports.scratchVolume.details` | Details for the k8s volume to be created for Anchore Reports scratch space | `{}` | + ### Anchore Reports Worker Parameters | Name | Description | Value | 
@@ -1233,6 +1221,8 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `reportsWorker.service.labels` | Labels for Anchore Reports Worker service | `{}` | | `reportsWorker.service.nodePort` | nodePort for Anchore Reports Worker service | `""` | | `reportsWorker.extraEnv` | Set extra environment variables for Anchore Reports Worker pods | `[]` | +| `reportsWorker.extraVolumes` | Define additional volumes for Anchore Reports Worker pods | `[]` | +| `reportsWorker.extraVolumeMounts` | Define additional volume mounts for Anchore Reports Worker pods | `[]` | | `reportsWorker.resources` | Resource requests and limits for Anchore Reports Worker pods | `{}` | | `reportsWorker.labels` | Labels for Anchore Reports Worker pods | `{}` | | `reportsWorker.annotations` | Annotation for Anchore Reports Worker pods | `{}` | @@ -1241,6 +1231,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `reportsWorker.affinity` | Affinity for Anchore Reports Worker pod assignment | `{}` | | `reportsWorker.serviceAccountName` | Service account name for Anchore Reports Worker pods | `""` | + ### Anchore Simple Queue Parameters | Name | Description | Value | 
@@ -1252,6 +1243,8 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `simpleQueue.service.labels` | Labels for Anchore Simple Queue service | `{}` | | `simpleQueue.service.nodePort` | nodePort for Anchore Simple Queue service | `""` | | `simpleQueue.extraEnv` | Set extra environment variables for Anchore Simple Queue pods | `[]` | +| `simpleQueue.extraVolumes` | Define additional volumes for Anchore Simple Queue pods | `[]` | +| `simpleQueue.extraVolumeMounts` | Define additional volume mounts for Anchore Simple Queue pods | `[]` | | `simpleQueue.resources` | Resource requests and limits for Anchore Simple Queue pods | `{}` | | `simpleQueue.labels` | Labels for Anchore Simple Queue pods | `{}` | | `simpleQueue.annotations` | Annotation for Anchore Simple Queue pods | `{}` | @@ -1260,6 +1253,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `simpleQueue.affinity` | Affinity for Anchore Simple Queue pod assignment | `{}` | | `simpleQueue.serviceAccountName` | Service account name for Anchore Simple Queue pods | `""` | + ### Anchore UI Parameters | Name | Description | Value | @@ -1275,6 +1269,8 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ui.service.sessionAffinity` | Session Affinity for Ui service | `ClientIP` | | `ui.service.nodePort` | nodePort for Anchore UI service | `""` | | `ui.extraEnv` | Set extra environment variables for Anchore UI pods | `[]` | +| `ui.extraVolumes` | Define additional volumes for Anchore UI pods | `[]` | +| `ui.extraVolumeMounts` | Define additional volume mounts for Anchore UI pods | `[]` | | `ui.resources` | Resource requests and limits for Anchore UI pods | `{}` | | `ui.labels` | Labels for Anchore UI pods | `{}` | | `ui.annotations` | Annotation for Anchore UI pods | `{}` | 
@@ -1283,6 +1279,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ui.affinity` | Affinity for Anchore ui pod assignment | `{}` | | `ui.serviceAccountName` | Service account name for Anchore UI pods | `""` | + ### Anchore Upgrade Job Parameters | Name | Description | Value | @@ -1301,6 +1298,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `upgradeJob.labels` | Labels for the Anchore upgrade job | `{}` | | `upgradeJob.ttlSecondsAfterFinished` | The time period in seconds the upgrade job, and it's related pods should be retained for | `-1` | + ### Ingress Parameters | Name | Description | Value | @@ -1317,6 +1315,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | + ### Google CloudSQL DB Parameters | Name | Description | Value | @@ -1330,6 +1329,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `cloudsql.serviceAccJsonName` | | `""` | | `cloudsql.extraArgs` | a list of extra arguments to be passed into the cloudsql container command. eg | `[]` | + ### Anchore UI Redis Parameters | Name | Description | Value | @@ -1340,6 +1340,7 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `ui-redis.architecture` | Redis deployment architecture | `standalone` | | `ui-redis.master.persistence.enabled` | enables persistence | `false` | + ### Anchore Database Parameters | Name | Description | Value | 
@@ -1363,6 +1364,13 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention. - **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update. +### V2.5.x + +- Deploys Anchore Enterprise v5.4.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/540/) for more information. +- Anchore Enterprise v5.4.0 introduces changes to how RBAC is managed. The chart has been updated to reflect these changes, no action is required. + - The rbac-manager and rbac-authorizer components are no longer necessary and have been removed from the chart. + - The `rbacManager` and `rbacAuthorizer` sections of the values file have been removed. + ### V2.4.x - Deploys Anchore Enterprise v5.3.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/530/) for more information. diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml index 98b125c4..b6744018 100644 --- a/stable/enterprise/files/default_config.yaml +++ b/stable/enterprise/files/default_config.yaml @@ -73,9 +73,6 @@ services: max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} listen: '0.0.0.0' port: ${ANCHORE_PORT} - authorization_handler: external - authorization_handler_config: - endpoint: http://localhost:8089 {{- if .Values.anchoreConfig.apiext.external.enabled }} external_tls: {{ .Values.anchoreConfig.apiext.external.useTLS }} external_hostname: {{ .Values.anchoreConfig.apiext.external.hostname }} 
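Review bot: Dropping `authorization_handler: external` from the apiext service leaves authorization to whatever default the Enterprise image ships, and nothing in the chart ties this rendered config to a 5.4+ image; if `.Values.image` is overridden to a pre-5.4 tag (where the now-removed external rbac_authorizer was the RBAC enforcement point), the API would presumably come up on the built-in handler with role-based authorization silently skipped rather than failing closed. A render-time guard turns that into a hard error, e.g. `{{- if not (semverCompare ">=5.4.0-0" (.Values.image | splitList ":" | last)) }}{{ fail "chart 2.5.x requires Anchore Enterprise >= 5.4.0" }}{{- end }}` — this assumes the image reference ends in a semver tag rather than a digest, so confirm against the values.yaml default before adopting it. If 5.4 exposes a named built-in handler, setting it explicitly here would also record the intent instead of relying on an implicit default. The `services:` block these lines belong to starts and ends outside the hunk.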
@@ -203,28 +200,6 @@ services: ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} - rbac_authorizer: - enabled: true - require_auth: true - endpoint_hostname: localhost - listen: 127.0.0.1 - port: 8089 - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - - rbac_manager: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - authorization_handler: external - authorization_handler_config: - endpoint: http://localhost:8089 - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - reports: enabled: true require_auth: true @@ -233,9 +208,6 @@ services: port: ${ANCHORE_PORT} max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} enable_graphiql: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_GRAPHIQL} - authorization_handler: external - authorization_handler_config: - endpoint: http://localhost:8089 cycle_timers: {{- toYaml .Values.anchoreConfig.reports.cycle_timers | nindent 6 }} max_async_execution_threads: ${ANCHORE_ENTERPRISE_REPORTS_MAX_ASYNC_EXECUTION_THREADS} async_execution_timeout: ${ANCHORE_ENTERPRISE_REPORTS_ASYNC_EXECUTION_TIMEOUT} @@ -273,9 +245,6 @@ services: listen: '0.0.0.0' port: ${ANCHORE_PORT} max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - authorization_handler: external - authorization_handler_config: - endpoint: http://localhost:8089 cycle_timers: {{- toYaml .Values.anchoreConfig.notifications.cycle_timers | nindent 6 }} ui_url: ${ANCHORE_ENTERPRISE_UI_URL} ssl_enable: ${ANCHORE_SSL_ENABLED} diff --git a/stable/enterprise/templates/_common.tpl b/stable/enterprise/templates/_common.tpl index 3cd1bb1a..78bbe530 100644 --- a/stable/enterprise/templates/_common.tpl +++ b/stable/enterprise/templates/_common.tpl 
@@ -106,6 +106,42 @@ When calling this template, .component can be included in the context for compon {{- end -}} +{{/* +Common extraVolumes +When calling this template, .component can be included in the context for component specific annotations +{{- include "enterprise.common.extraVolumes" (merge (dict "component" $component) .) }} +*/}} +{{- define "enterprise.common.extraVolumes" -}} +{{- $component := .component -}} +{{- with .Values.extraVolumes }} +{{ toYaml . }} +{{- end }} +{{- if $component }} + {{- with (index .Values (print $component)).extraVolumes }} +{{ toYaml . }} + {{- end }} +{{- end }} +{{- end -}} + + +{{/* +Common extraVolumeMounts +When calling this template, .component can be included in the context for component specific annotations +{{- include "enterprise.common.extraVolumes" (merge (dict "component" $component) .) }} +*/}} +{{- define "enterprise.common.extraVolumeMounts" -}} +{{- $component := .component -}} +{{- with .Values.extraVolumeMounts }} +{{ toYaml . }} +{{- end }} +{{- if $component }} + {{- with (index .Values (print $component)).extraVolumeMounts }} +{{ toYaml . }} + {{- end }} +{{- end }} +{{- end -}} + + {{/* Setup the common fix permissions init container for all pods using a scratch volume */}} 
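Review bot: `(index .Values (print $component)).extraVolumes` in the new `enterprise.common.extraVolumes` template fails rendering with a nil-pointer evaluation error whenever a caller passes a component name that has no section in values.yaml, because `index` yields nil and the field lookup is applied to it; every visible caller appears to have a section, so this is latent, but a misspelled or newly added component would break the whole release rather than render nothing. Nesting two `with` blocks makes the per-component lookup nil-safe, and the same change applies to `enterprise.common.extraVolumeMounts`. Separately, the header comment on the second template is a copy of the first: it cites `enterprise.common.extraVolumes` and both describe "component specific annotations", so they should read `{{- include "enterprise.common.extraVolumeMounts" (merge (dict "component" $component) .) }}` and "component specific volumes" / "volume mounts" respectively.
```gotemplate
{{- define "enterprise.common.extraVolumes" -}}
{{/* … unchanged: $component binding and global .Values.extraVolumes block … */}}
{{- if $component }}
  {{- with (index .Values (print $component)) }}
    {{- with .extraVolumes }}
{{ toYaml . }}
    {{- end }}
  {{- end }}
{{- end }}
{{- end -}}
```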
@@ -207,53 +243,6 @@ tolerations: {{- toYaml . | nindent 2 }} {{- end -}} -{{/* -Setup a container for the Anchore Enterprise RBAC Auth for pods that need to authenticate with the API -*/}} -{{- define "enterprise.common.rbacAuthContainer" -}} -- name: rbac-auth - image: {{ .Values.image }} - imagePullPolicy: {{ .Values.imagePullPolicy }} -{{- with .Values.containerSecurityContext }} - securityContext: - {{ toYaml . | nindent 4 }} -{{- end }} - command: ["/bin/sh", "-c"] - args: - - {{ print (include "enterprise.common.dockerEntrypoint" .) }} rbac_authorizer - envFrom: {{- include "enterprise.common.envFrom" . | nindent 4 }} - env: {{- include "enterprise.common.environment" (merge (dict "component" "rbacAuth") .) | nindent 4 }} - ports: - - containerPort: 8089 - name: rbac-auth - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 4 }} - livenessProbe: - exec: - command: - - curl - - -f - - 'localhost:8089/health' - initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} - timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }} - periodSeconds: {{ .Values.probes.liveness.periodSeconds }} - failureThreshold: {{ .Values.probes.liveness.failureThreshold }} - successThreshold: {{ .Values.probes.liveness.successThreshold }} - readinessProbe: - exec: - command: - - curl - - -f - - 'localhost:8089/health' - timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }} - periodSeconds: {{ .Values.probes.readiness.periodSeconds }} - failureThreshold: {{ .Values.probes.readiness.failureThreshold }} - successThreshold: {{ .Values.probes.readiness.successThreshold }} -{{- with .Values.rbacAuth.resources }} - resources: {{- toYaml . | nindent 4 }} -{{- end }} -{{- end -}} - - {{/* Setup the common readiness probes for all Anchore Enterprise containers */}} 
@@ -289,9 +278,8 @@ emptyDir: {} Setup the common anchore volume mounts */}} {{- define "enterprise.common.volumeMounts" -}} -{{- with .Values.extraVolumeMounts }} -{{ toYaml . }} -{{- end }} +{{- $component := .component -}} +{{- include "enterprise.common.extraVolumeMounts" (merge (dict "component" $component) .) }} - name: anchore-license mountPath: /home/anchore/license.yaml subPath: license.yaml @@ -312,9 +300,8 @@ Setup the common anchore volume mounts Setup the common anchore volumes */}} {{- define "enterprise.common.volumes" -}} -{{- with .Values.extraVolumes }} -{{ toYaml . }} -{{- end }} +{{- $component := .component -}} +{{- include "enterprise.common.extraVolumes" (merge (dict "component" $component) .) }} - name: anchore-license secret: secretName: {{ .Values.licenseSecretName }} diff --git a/stable/enterprise/templates/_names.tpl b/stable/enterprise/templates/_names.tpl index 8d1dc0d3..ec057737 100644 --- a/stable/enterprise/templates/_names.tpl +++ b/stable/enterprise/templates/_names.tpl @@ -37,16 +37,6 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s-%s" .Release.Name $name "policy"| trunc 63 | trimSuffix "-" -}} {{- end -}} -{{- define "enterprise.rbacAuth.fullname" -}} -{{- $name := default .Chart.Name .Values.global.nameOverride -}} -{{- printf "%s-%s-%s" .Release.Name $name "rbac-auth"| trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{- define "enterprise.rbacManager.fullname" -}} -{{- $name := default .Chart.Name .Values.global.nameOverride -}} -{{- printf "%s-%s-%s" .Release.Name $name "rbac-manager"| trunc 63 | trimSuffix "-" -}} -{{- end -}} - {{- define "enterprise.reports.fullname" -}} {{- $name := default .Chart.Name .Values.global.nameOverride -}} {{- printf "%s-%s-%s" .Release.Name $name "reports"| trunc 63 | trimSuffix "-" -}} diff --git a/stable/enterprise/templates/analyzer_deployment.yaml b/stable/enterprise/templates/analyzer_deployment.yaml index fe2b6fbf..88779220 100644 
--- a/stable/enterprise/templates/analyzer_deployment.yaml +++ b/stable/enterprise/templates/analyzer_deployment.yaml @@ -24,7 +24,7 @@ spec: checksum/analyzer-config: {{ include (print $.Template.BasePath "/analyzer_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} - volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} - name: "anchore-scratch" {{- include "enterprise.common.scratchVolume.details" (merge (dict "component" $component) .) | nindent 10 }} - name: analyzer-config-volume @@ -53,7 +53,7 @@ spec: ports: - name: {{ $component | lower }} containerPort: {{ .Values.analyzer.service.port }} - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + volumeMounts: {{- include "enterprise.common.volumeMounts" (merge (dict "component" $component) .) | nindent 12 }} - name: analyzer-config-volume mountPath: "{{ .Values.anchoreConfig.service_dir }}/analyzer_config.yaml" subPath: analyzer_config.yaml diff --git a/stable/enterprise/templates/api_deployment.yaml b/stable/enterprise/templates/api_deployment.yaml index 1bafc9fa..ae7490de 100644 --- a/stable/enterprise/templates/api_deployment.yaml +++ b/stable/enterprise/templates/api_deployment.yaml @@ -26,7 +26,7 @@ spec: checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} - volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} {{- if .Values.anchoreConfig.policyBundles }} - name: policy-bundle-volume configMap: 
@@ -58,7 +58,7 @@ spec: ports: - name: {{ $component | lower }} containerPort: {{ .Values.api.service.port }} - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + volumeMounts: {{- include "enterprise.common.volumeMounts" (merge (dict "component" $component) .) | nindent 12 }} {{- if .Values.anchoreConfig.policyBundles }} {{- range $key, $value := .Values.anchoreConfig.policyBundles }} - name: policy-bundle-volume @@ -71,7 +71,6 @@ spec: {{- with .Values.api.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} - {{- include "enterprise.common.rbacAuthContainer" . | nindent 8 }} --- apiVersion: v1 diff --git a/stable/enterprise/templates/catalog_deployment.yaml b/stable/enterprise/templates/catalog_deployment.yaml index 435578b6..f054e7dc 100644 --- a/stable/enterprise/templates/catalog_deployment.yaml +++ b/stable/enterprise/templates/catalog_deployment.yaml @@ -26,7 +26,7 @@ spec: {{- end }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} - volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} - name: anchore-scratch {{- include "enterprise.common.scratchVolume.details" (merge (dict "component" $component) .) | nindent 10 }} {{- if .Values.anchoreConfig.policyBundles }} @@ -57,7 +57,7 @@ spec: ports: - name: {{ $component | lower }} containerPort: {{ .Values.catalog.service.port }} - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + volumeMounts: {{- include "enterprise.common.volumeMounts" (merge (dict "component" $component) .) | nindent 12 }} - name: anchore-scratch mountPath: {{ .Values.scratchVolume.mountPath }} {{- if .Values.anchoreConfig.policyBundles }} 
diff --git a/stable/enterprise/templates/hooks/post-upgrade/upgrade_job.yaml b/stable/enterprise/templates/hooks/post-upgrade/upgrade_job.yaml index d545cb49..219c990d 100644 --- a/stable/enterprise/templates/hooks/post-upgrade/upgrade_job.yaml +++ b/stable/enterprise/templates/hooks/post-upgrade/upgrade_job.yaml @@ -24,10 +24,7 @@ spec: spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} restartPolicy: Never - volumes: - {{- with .Values.extraVolumes }} - {{- toYaml . | nindent 8 }} - {{- end }} + volumes: {{- include "enterprise.common.extraVolumes" (merge (dict "component" $component) .) | nindent 8 }} {{- with .Values.certStoreSecretName }} - name: certs secret: @@ -62,10 +59,7 @@ spec: {{- end }} envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} - volumeMounts: - {{- with .Values.extraVolumeMounts }} - {{- toYaml . | nindent 12 }} - {{- end }} + volumeMounts: {{- include "enterprise.common.extraVolumeMounts" (merge (dict "component" $component) .) | nindent 12 }} {{- if .Values.certStoreSecretName }} - name: certs mountPath: /home/anchore/certs/ diff --git a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml index 21466c60..0497c5d8 100644 --- a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml +++ b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml @@ -28,10 +28,7 @@ spec: spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} restartPolicy: Never - volumes: - {{- with .Values.extraVolumes }} - {{- toYaml . | nindent 8 }} - {{- end }} + volumes: {{- include "enterprise.common.extraVolumes" (merge (dict "component" $component) .) | nindent 8 }} {{- with .Values.certStoreSecretName }} - name: certs secret: 
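Review bot: The upgrade job's `volumes:` and `volumeMounts:` now also pick up a per-component `extraVolumes`/`extraVolumeMounts` list via `$component`, yet none of the README hunks in this change document such keys for the upgrade job (the `upgradeJob.*` table only gains a blank line), and whether values.yaml declares them cannot be seen from here. If `$component` for these hooks is `upgradeJob`, add `upgradeJob.extraVolumes` and `upgradeJob.extraVolumeMounts` rows alongside `upgradeJob.ttlSecondsAfterFinished`, matching the rows added for reports and ui; if the hooks use some other component name, a short comment above the include saying which values key feeds them would spare the next reader a lookup. `$component` is assigned above this hunk, outside the visible lines.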
@@ -99,10 +96,7 @@ spec: {{- end }} envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} - volumeMounts: - {{- with .Values.extraVolumeMounts }} - {{- toYaml . | nindent 12 }} - {{- end }} + volumeMounts: {{- include "enterprise.common.extraVolumeMounts" (merge (dict "component" $component) .) | nindent 12 }} {{- if .Values.certStoreSecretName }} - name: certs mountPath: /home/anchore/certs/ diff --git a/stable/enterprise/templates/notifications_deployment.yaml b/stable/enterprise/templates/notifications_deployment.yaml index 3d003ce3..aa9e3fe5 100644 --- a/stable/enterprise/templates/notifications_deployment.yaml +++ b/stable/enterprise/templates/notifications_deployment.yaml @@ -23,7 +23,7 @@ spec: checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} - volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} containers: {{- if .Values.cloudsql.enabled }} {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} 
@@ -43,13 +43,12 @@ spec: name: {{ $component | lower }} envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + volumeMounts: {{- include "enterprise.common.volumeMounts" (merge (dict "component" $component) .) | nindent 12 }} livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} {{- with .Values.notifications.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} - {{- include "enterprise.common.rbacAuthContainer" . | nindent 8 }} --- apiVersion: v1 diff --git a/stable/enterprise/templates/policyengine_deployment.yaml b/stable/enterprise/templates/policyengine_deployment.yaml index a791f929..4bed6fbe 100644 --- a/stable/enterprise/templates/policyengine_deployment.yaml +++ b/stable/enterprise/templates/policyengine_deployment.yaml @@ -23,7 +23,7 @@ spec: checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} - volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} - name: anchore-scratch {{- include "enterprise.common.scratchVolume.details" (merge (dict "component" $component) .) | nindent 10 }} {{- if and .Values.scratchVolume.fixGroupPermissions .Values.securityContext.fsGroup }} 
@@ -49,7 +49,7 @@ spec: ports: - name: {{ $component | lower }} containerPort: {{ .Values.policyEngine.service.port }} - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + volumeMounts: {{- include "enterprise.common.volumeMounts" (merge (dict "component" $component) .) | nindent 12 }} - name: "anchore-scratch" mountPath: {{ .Values.scratchVolume.mountPath }} livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} diff --git a/stable/enterprise/templates/rbacmanager_deployment.yaml b/stable/enterprise/templates/rbacmanager_deployment.yaml deleted file mode 100644 index 82398175..00000000 --- a/stable/enterprise/templates/rbacmanager_deployment.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ -{{- $component := "rbacManager" -}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "enterprise.rbacManager.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} - annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} -spec: - selector: - matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} - replicas: {{ .Values.rbacManager.replicaCount }} - strategy: - type: Recreate - template: - metadata: - labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} - annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component "nil" true) .) | nindent 8 }} - {{- if and (not .Values.injectSecretsViaEnv) (not .Values.useExistingSecrets) }} - checksum/secrets: {{ include (print $.Template.BasePath "/anchore_secret.yaml") . | sha256sum }} - {{- end }} - checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} - spec: - {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} - volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} - containers: - {{- if .Values.cloudsql.enabled }} - {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} - {{- end }} - - name: "{{ .Chart.Name }}-{{ $component | lower }}" - image: {{ .Values.image }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - {{- with .Values.containerSecurityContext }} - securityContext: - {{ toYaml . | nindent 12 }} - {{- end }} - command: ["/bin/sh", "-c"] - args: - - {{ print (include "enterprise.common.dockerEntrypoint" .) 
}} rbac_manager - ports: - - containerPort: {{ .Values.rbacManager.service.port }} - name: {{ $component | lower }} - envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} - env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} - livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} - readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} - {{- with .Values.rbacManager.resources }} - resources: {{- toYaml . | nindent 12 }} - {{- end }} - {{- include "enterprise.common.rbacAuthContainer" . | nindent 8 }} - ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ template "enterprise.rbacManager.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} - annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} -spec: - type: {{ .Values.rbacManager.service.type }} - ports: - - name: {{ $component | lower }} - port: {{ .Values.rbacManager.service.port }} - targetPort: {{ .Values.rbacManager.service.port }} - protocol: TCP - {{ include "enterprise.service.nodePort" (merge (dict "component" $component) .) }} - selector: - app.kubernetes.io/name: {{ template "enterprise.fullname" . }} - app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/reports_deployment.yaml b/stable/enterprise/templates/reports_deployment.yaml index ab947a75..5d41532f 100644 --- a/stable/enterprise/templates/reports_deployment.yaml +++ b/stable/enterprise/templates/reports_deployment.yaml 
@@ -23,7 +23,7 @@ spec: checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} - volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} {{- if .Values.anchoreConfig.reports.use_volume }} - name: "anchore-scratch" {{- include "enterprise.common.scratchVolume.details" (merge (dict "component" $component) .) | nindent 10 }} @@ -51,7 +51,7 @@ spec: name: {{ $component | lower }} envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + volumeMounts: {{- include "enterprise.common.volumeMounts" (merge (dict "component" $component) .) | nindent 12 }} {{- if .Values.anchoreConfig.reports.use_volume }} - name: "anchore-scratch" mountPath: {{ .Values.scratchVolume.mountPath }} @@ -61,7 +61,6 @@ spec: {{- with .Values.reports.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} - {{- include "enterprise.common.rbacAuthContainer" . | nindent 8 }} --- apiVersion: v1 diff --git a/stable/enterprise/templates/reportsworker_deployment.yaml b/stable/enterprise/templates/reportsworker_deployment.yaml index 3d56f984..9ffde13e 100644 --- a/stable/enterprise/templates/reportsworker_deployment.yaml +++ b/stable/enterprise/templates/reportsworker_deployment.yaml 
@@ -23,7 +23,7 @@ spec: checksum/enterprise-config: {{ tpl (print $.Files.BasePath "/default_config.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} - volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} containers: {{- if .Values.cloudsql.enabled }} {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} @@ -43,7 +43,7 @@ spec: name: {{ $component | lower }} envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + volumeMounts: {{- include "enterprise.common.volumeMounts" (merge (dict "component" $component) .) | nindent 12 }} livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} {{- with .Values.reportsWorker.resources }} diff --git a/stable/enterprise/templates/simplequeue_deployment.yaml b/stable/enterprise/templates/simplequeue_deployment.yaml index c0003eab..21ab1342 100644 --- a/stable/enterprise/templates/simplequeue_deployment.yaml +++ b/stable/enterprise/templates/simplequeue_deployment.yaml 
@@ -22,7 +22,7 @@ spec: checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} - volumes: {{- include "enterprise.common.volumes" . | nindent 8 }} + volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} containers: {{- if .Values.cloudsql.enabled }} {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} @@ -42,7 +42,7 @@ spec: ports: - name: {{ $component | lower }} containerPort: {{ .Values.simpleQueue.service.port }} - volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }} + volumeMounts: {{- include "enterprise.common.volumeMounts" (merge (dict "component" $component) .) | nindent 12 }} livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} {{- with .Values.simpleQueue.resources }} diff --git a/stable/enterprise/templates/ui_configmap.yaml b/stable/enterprise/templates/ui_configmap.yaml index 2957a1d1..6bd7d196 100644 --- a/stable/enterprise/templates/ui_configmap.yaml +++ b/stable/enterprise/templates/ui_configmap.yaml 
@@ -28,7 +28,6 @@ data:
 {{- end }}
 reports_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/v2'
 notifications_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/v2'
- rbac_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/v2'
 enterprise_uri: '{{- include "enterprise.setProtocol" . -}}://{{- template "enterprise.api.fullname" . -}}:{{- .Values.api.service.port -}}/v2'
 # redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable
 # appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable
diff --git a/stable/enterprise/templates/ui_deployment.yaml b/stable/enterprise/templates/ui_deployment.yaml
index 5fa67923..dd36c1e2 100644
--- a/stable/enterprise/templates/ui_deployment.yaml
+++ b/stable/enterprise/templates/ui_deployment.yaml
@@ -23,7 +23,7 @@ spec:
 checksum/ui-config: {{ include (print $.Template.BasePath "/ui_configmap.yaml") . | sha256sum }}
 spec:
 {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }}
- volumes:
+ volumes: {{- include "enterprise.common.extraVolumes" (merge (dict "component" $component) .) | nindent 8 }}
 - name: anchore-license
 secret:
 secretName: {{ .Values.licenseSecretName }}
@@ -80,7 +80,7 @@ spec:
 - containerPort: 3000
 protocol: TCP
 name: {{ $component | lower }}
- volumeMounts:
+ volumeMounts: {{- include "enterprise.common.extraVolumeMounts" (merge (dict "component" $component) .) | nindent 12 }}
 - name: anchore-license
 mountPath: /home/anchore/license.yaml
 subPath: license.yaml
diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
index 17ac6302..2e1ee3a3 100644
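Review bot: In the ui_deployment hunks the new `volumes:` and `volumeMounts:` lines render user-supplied extra entries ahead of the chart-managed `anchore-license` volume and its `/home/anchore/license.yaml` mount, and nothing in the template guards against a user entry reusing that name or mountPath, so the collision would surface as an API-server validation rejection of the Deployment rather than a chart-side error, and no test covers it. A comment on the changed `volumes:` line would make the contract explicit, e.g. `# user extraVolumes render first; their names must not collide with the chart-managed volumes below`, and a helm-unittest case that sets the ui component's extraVolumes with `name: anchore-license` would pin whichever behaviour the chart intends. The `enterprise.common.extraVolumes` and `extraVolumeMounts` helpers are defined outside this hunk, so whether they already de-duplicate against chart-managed entries cannot be confirmed here.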
--- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -113,9 +113,6 @@ should render the configmaps: max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} listen: '0.0.0.0' port: ${ANCHORE_PORT} - authorization_handler: external - authorization_handler_config: - endpoint: http://localhost:8089 ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} @@ -268,28 +265,6 @@ should render the configmaps: ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} - rbac_authorizer: - enabled: true - require_auth: true - endpoint_hostname: localhost - listen: 127.0.0.1 - port: 8089 - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - - rbac_manager: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - authorization_handler: external - authorization_handler_config: - endpoint: http://localhost:8089 - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - reports: enabled: true require_auth: true @@ -298,9 +273,6 @@ should render the configmaps: port: ${ANCHORE_PORT} max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} enable_graphiql: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_GRAPHIQL} - authorization_handler: external - authorization_handler_config: - endpoint: http://localhost:8089 cycle_timers: reports_scheduled_queries: 600 max_async_execution_threads: ${ANCHORE_ENTERPRISE_REPORTS_MAX_ASYNC_EXECUTION_THREADS} @@ -348,9 +320,6 @@ should render the configmaps: listen: '0.0.0.0' port: ${ANCHORE_PORT} max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - authorization_handler: external - authorization_handler_config: - endpoint: http://localhost:8089 cycle_timers: notifications: 30 ui_url: ${ANCHORE_ENTERPRISE_UI_URL} 
@@ -542,7 +511,7 @@ should render the configmaps: 6: | apiVersion: v1 data: - config-ui.yaml: "# Anchore UI configuration\nreports_uri: 'http://test-release-enterprise-api:8228/v2'\nnotifications_uri: 'http://test-release-enterprise-api:8228/v2'\nrbac_uri: 'http://test-release-enterprise-api:8228/v2'\nenterprise_uri: 'http://test-release-enterprise-api:8228/v2'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: true\nforce_websocket: false\nauthentication_lock:\n count: 5\n expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: true\nenable_prometheus_metrics: false\n" + config-ui.yaml: "# Anchore UI configuration\nreports_uri: 'http://test-release-enterprise-api:8228/v2'\nnotifications_uri: 'http://test-release-enterprise-api:8228/v2'\nenterprise_uri: 'http://test-release-enterprise-api:8228/v2'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: true\nforce_websocket: false\nauthentication_lock:\n count: 5\n expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: true\nenable_prometheus_metrics: false\n" kind: ConfigMap metadata: annotations: diff --git a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index b903839a..7006cf4b 100644 
--- a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -143,6 +143,6 @@ should render proper initContainers: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.3.0 + image: docker.io/anchore/enterprise:v5.4.0 imagePullPolicy: IfNotPresent name: wait-for-db diff --git a/stable/enterprise/tests/analyzer_resources_test.yaml b/stable/enterprise/tests/analyzer_resources_test.yaml index 6b7b7b41..d5ce47a4 100644 --- a/stable/enterprise/tests/analyzer_resources_test.yaml +++ b/stable/enterprise/tests/analyzer_resources_test.yaml 
@@ -266,6 +266,86 @@ tests: count: 1 any: true + - it: should render component extraVolumes + template: analyzer_deployment.yaml + set: + analyzer.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: analyzer_deployment.yaml + set: + analyzer.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: analyzer_deployment.yaml + set: + analyzer.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: analyzer_deployment.yaml + set: + analyzer.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 + - it: should render component probes template: analyzer_deployment.yaml asserts: diff --git a/stable/enterprise/tests/api_resources_test.yaml b/stable/enterprise/tests/api_resources_test.yaml index ac2b85f9..d67029a1 100644 
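Review bot: The new extraVolumeMounts cases only exercise `readOnly: false`, so a helper that dropped or defaulted the flag would still pass; add a case with `readOnly: true` asserting it is rendered unchanged, because a mount the operator intended to be read-only quietly becoming writable is a hardening regression this suite would not catch. The same gap is in the matching hunks for api_resources_test, catalog_resources_test, notifications_resources_test, policyengine_resources_test, posthook_upgrade_resources_test, prehook_upgrade_resources_test and reports_resources_test. The four cases are also duplicated verbatim per component; common_helpers_test.yaml already drives shared assertions through the `*backend_test_templates` anchor, so the global `extraVolumes`/`extraVolumeMounts` assertions could live there once and only the component-keyed `set:` cases need to stay in each file.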
--- a/stable/enterprise/tests/api_resources_test.yaml +++ b/stable/enterprise/tests/api_resources_test.yaml @@ -165,9 +165,6 @@ tests: - equal: path: spec.template.spec.containers[0].name value: enterprise-api - - equal: - path: spec.template.spec.containers[1].name - value: rbac-auth - it: should render component entrypoint args template: api_deployment.yaml 
@@ -289,6 +286,90 @@ tests: count: 1 any: true + - it: should render component extraVolumes + template: api_deployment.yaml + documentIndex: 0 + set: + api.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: api_deployment.yaml + documentIndex: 0 + set: + api.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: api_deployment.yaml + documentIndex: 0 + set: + api.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: api_deployment.yaml + documentIndex: 0 + set: + api.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 + - it: should render component probes template: api_deployment.yaml documentIndex: 0 
diff --git a/stable/enterprise/tests/catalog_resources_test.yaml b/stable/enterprise/tests/catalog_resources_test.yaml
index f9971c42..34e2f7c6 100644
--- a/stable/enterprise/tests/catalog_resources_test.yaml
+++ b/stable/enterprise/tests/catalog_resources_test.yaml
@@ -299,6 +299,90 @@ tests: count: 1 any: true + - it: should render component extraVolumes + template: catalog_deployment.yaml + documentIndex: 0 + set: + catalog.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: catalog_deployment.yaml + documentIndex: 0 + set: + catalog.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: catalog_deployment.yaml + documentIndex: 0 + set: + catalog.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: catalog_deployment.yaml + documentIndex: 0 + set: + catalog.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 + - it: should render component probes template: catalog_deployment.yaml documentIndex: 0 
diff --git a/stable/enterprise/tests/common_helpers_test.yaml b/stable/enterprise/tests/common_helpers_test.yaml index 1769ac7d..5bf220bb 100644 --- a/stable/enterprise/tests/common_helpers_test.yaml +++ b/stable/enterprise/tests/common_helpers_test.yaml @@ -5,7 +5,6 @@ templates: - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - reportsworker_deployment.yaml - simplequeue_deployment.yaml @@ -29,7 +28,6 @@ backend_test_templates: &backend_test_templates - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - reportsworker_deployment.yaml - simplequeue_deployment.yaml @@ -40,7 +38,6 @@ test_templates: &test_templates - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - reportsworker_deployment.yaml - simplequeue_deployment.yaml @@ -53,7 +50,6 @@ deployment_templates: &deployment_templates - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - reportsworker_deployment.yaml - simplequeue_deployment.yaml @@ -136,7 +132,6 @@ tests: - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - simplequeue_deployment.yaml - hooks/pre-upgrade/upgrade_job.yaml @@ -161,7 +156,6 @@ tests: - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - simplequeue_deployment.yaml - hooks/pre-upgrade/upgrade_job.yaml 
@@ -187,7 +181,6 @@ tests: - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - simplequeue_deployment.yaml - hooks/pre-upgrade/upgrade_job.yaml @@ -438,25 +431,6 @@ tests: - notExists: path: spec.template.spec.containers[0].securityContext - - it: should render the rbacAuthContainer - templates: - - api_deployment.yaml - - notifications_deployment.yaml - - reports_deployment.yaml - - rbacmanager_deployment.yaml - documentIndex: 0 - asserts: - - contains: - path: spec.template.spec.containers - content: - args: - - /docker-entrypoint.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_authorizer - name: rbac-auth - ports: - - containerPort: 8089 - name: rbac-auth - any: true - - it: should render volumeMounts templates: *backend_test_templates documentIndex: 0 @@ -641,7 +615,6 @@ tests: - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - reportsworker_deployment.yaml - simplequeue_deployment.yaml @@ -660,7 +633,6 @@ tests: - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - reportsworker_deployment.yaml - simplequeue_deployment.yaml @@ -1037,9 +1009,6 @@ tests: - matchRegex: path: data["config-ui.yaml"] pattern: "enterprise_uri: 'http://test-release-enterprise-api:8228/v2'" - - matchRegex: - path: data["config-ui.yaml"] - pattern: "rbac_uri: 'http://test-release-enterprise-api:8228/v2'" - matchRegex: path: data["config-ui.yaml"] pattern: "notifications_uri: 'http://test-release-enterprise-api:8228/v2'" 
@@ -1057,9 +1026,6 @@ tests: - matchRegex: path: data["config-ui.yaml"] pattern: "enterprise_uri: 'https://test-release-enterprise-api:8228/v2'" - - matchRegex: - path: data["config-ui.yaml"] - pattern: "rbac_uri: 'https://test-release-enterprise-api:8228/v2'" - matchRegex: path: data["config-ui.yaml"] pattern: "notifications_uri: 'https://test-release-enterprise-api:8228/v2'" @@ -1073,7 +1039,6 @@ tests: catalog.service.nodePort: 9999 notifications.service.nodePort: 9999 policyEngine.service.nodePort: 9999 - rbacManager.service.nodePort: 9999 reports.service.nodePort: 9999 reportsWorker.service.nodePort: 9999 simpleQueue.service.nodePort: 9999 @@ -1083,7 +1048,6 @@ tests: - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - reportsworker_deployment.yaml - simplequeue_deployment.yaml @@ -1103,7 +1067,6 @@ tests: - catalog_deployment.yaml - notifications_deployment.yaml - policyengine_deployment.yaml - - rbacmanager_deployment.yaml - reports_deployment.yaml - reportsworker_deployment.yaml - simplequeue_deployment.yaml diff --git a/stable/enterprise/tests/notifications_resources_test.yaml b/stable/enterprise/tests/notifications_resources_test.yaml index 0a3ec922..9dcc13c5 100644 --- a/stable/enterprise/tests/notifications_resources_test.yaml +++ b/stable/enterprise/tests/notifications_resources_test.yaml @@ -149,9 +149,6 @@ tests: - equal: path: spec.template.spec.containers[0].name value: enterprise-notifications - - equal: - path: spec.template.spec.containers[1].name - value: rbac-auth - it: should render component entrypoint args template: notifications_deployment.yaml 
@@ -196,6 +193,90 @@ tests: name: test value: foobar + - it: should render component extraVolumes + template: notifications_deployment.yaml + documentIndex: 0 + set: + notifications.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: notifications_deployment.yaml + documentIndex: 0 + set: + notifications.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: notifications_deployment.yaml + documentIndex: 0 + set: + notifications.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: notifications_deployment.yaml + documentIndex: 0 + set: + notifications.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 + - it: should render component ports template: notifications_deployment.yaml documentIndex: 0 
diff --git a/stable/enterprise/tests/policyengine_resources_test.yaml b/stable/enterprise/tests/policyengine_resources_test.yaml
index 9ad77347..6a2f256f 100644
--- a/stable/enterprise/tests/policyengine_resources_test.yaml
+++ b/stable/enterprise/tests/policyengine_resources_test.yaml
@@ -258,6 +258,90 @@ tests: count: 1 any: true + - it: should render component extraVolumes + template: policyengine_deployment.yaml + documentIndex: 0 + set: + policyEngine.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: policyengine_deployment.yaml + documentIndex: 0 + set: + policyEngine.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: policyengine_deployment.yaml + documentIndex: 0 + set: + policyEngine.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: policyengine_deployment.yaml + documentIndex: 0 + set: + policyEngine.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 + - it: should render component probes template: policyengine_deployment.yaml documentIndex: 0 
diff --git a/stable/enterprise/tests/posthook_upgrade_resources_test.yaml b/stable/enterprise/tests/posthook_upgrade_resources_test.yaml
index 8486088e..36997aa8 100644
--- a/stable/enterprise/tests/posthook_upgrade_resources_test.yaml
+++ b/stable/enterprise/tests/posthook_upgrade_resources_test.yaml
@@ -228,3 +228,87 @@ tests: cpu: 200m memory: 256Mi count: 1 + + - it: should render component extraVolumes + template: hooks/post-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + upgradeJob.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: hooks/post-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + upgradeJob.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: hooks/post-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + upgradeJob.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: hooks/post-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + upgradeJob.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 
diff --git a/stable/enterprise/tests/prehook_upgrade_resources_test.yaml b/stable/enterprise/tests/prehook_upgrade_resources_test.yaml index 76a68385..35585f40 100644 --- a/stable/enterprise/tests/prehook_upgrade_resources_test.yaml +++ b/stable/enterprise/tests/prehook_upgrade_resources_test.yaml @@ -64,7 +64,7 @@ tests: namespace: test-namespace documentIndex: 2 - - it: pre-hook job does not get created when post-upgrade hook is enabled + - it: pre-hook job does not get created when pre-upgrade hook is enabled templates: *upgrade-resources set: upgradeJob: 
@@ -304,3 +304,87 @@ tests: cpu: 200m memory: 256Mi count: 1 + + - it: should render component extraVolumes + template: hooks/pre-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + upgradeJob.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: hooks/pre-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + upgradeJob.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: hooks/pre-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + upgradeJob.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: hooks/pre-upgrade/upgrade_job.yaml + documentIndex: 0 + set: + upgradeJob.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 
diff --git a/stable/enterprise/tests/rbacmanager_resources_test.yaml b/stable/enterprise/tests/rbacmanager_resources_test.yaml
deleted file mode 100644
index 01a1c81d..00000000
--- a/stable/enterprise/tests/rbacmanager_resources_test.yaml
+++ /dev/null
@@ -1,293 +0,0 @@ -suite: RBACManager Resources Tests -templates: - - rbacmanager_deployment.yaml - - anchore_secret.yaml - - anchore_configmap.yaml -release: - name: test-release - namespace: test-namespace -chart: - version: 9.9.9 - appVersion: 9.9.9 - -tests: - - it: should set the correct resource names - template: rbacmanager_deployment.yaml - asserts: - - equal: - path: metadata.name - value: test-release-enterprise-rbac-manager - - - it: should render component labels - template: rbacmanager_deployment.yaml - set: - rbacManager.labels: - rbacManager: test - test: foobar - asserts: - - isSubset: - path: metadata.labels - content: - rbacManager: test - test: foobar - - isSubset: - path: spec.template.metadata.labels - content: - rbacManager: test - test: foobar - template: rbacmanager_deployment.yaml - documentIndex: 0 - - - it: should render component annotations - template: rbacmanager_deployment.yaml - set: - rbacManager.annotations: - rbacManager: test - test: foobar - asserts: - - isSubset: - path: metadata.annotations - content: - rbacManager: test - test: foobar - - isSubset: - path: spec.template.metadata.annotations - content: - rbacManager: test - test: foobar - template: rbacmanager_deployment.yaml - documentIndex: 0 - - - it: should render component matchLabels - template: rbacmanager_deployment.yaml - documentIndex: 0 - asserts: - - isSubset: - path: spec.selector.matchLabels - content: - app.kubernetes.io/name: test-release-enterprise - app.kubernetes.io/component: rbacmanager - - - it: should render component replica count - template: rbacmanager_deployment.yaml - documentIndex: 0 - set: - rbacManager.replicaCount: 2 - asserts: - - equal: - path: spec.replicas - value: 2 - - - it: should render component serviceAccountName - template: rbacmanager_deployment.yaml - documentIndex: 0 - set: - rbacManager.serviceAccountName: rbacManager-test - asserts: - - equal: - path: spec.template.spec.serviceAccountName - value: rbacManager-test - - - it: 
should render component serviceAccountName even when global serviceAccountName is set - template: rbacmanager_deployment.yaml - documentIndex: 0 - set: - serviceAccountName: global-test - rbacManager.serviceAccountName: rbacManager-test - asserts: - - equal: - path: spec.template.spec.serviceAccountName - value: rbacManager-test - - - it: should render component nodeSelector - template: rbacmanager_deployment.yaml - documentIndex: 0 - set: - rbacManager.nodeSelector: - rbacManager: test - asserts: - - isSubset: - path: spec.template.spec.nodeSelector - content: - rbacManager: test - - - it: should render component affinity - template: rbacmanager_deployment.yaml - documentIndex: 0 - set: - rbacManager.affinity: - rbacManager: test - asserts: - - isSubset: - path: spec.template.spec.affinity - content: - rbacManager: test - - - it: should render component tolerations - template: rbacmanager_deployment.yaml - documentIndex: 0 - set: - rbacManager.tolerations: - - key: "rbacManager" - operator: "Equal" - value: "test" - effect: "NoSchedule" - asserts: - - contains: - path: spec.template.spec.tolerations - content: - key: "rbacManager" - operator: "Equal" - value: "test" - effect: "NoSchedule" - count: 1 - - - it: should render component container name - template: rbacmanager_deployment.yaml - documentIndex: 0 - asserts: - - equal: - path: spec.template.spec.containers[0].name - value: enterprise-rbacmanager - - - it: should render component entrypoint args - template: rbacmanager_deployment.yaml - documentIndex: 0 - asserts: - - matchRegex: - path: spec.template.spec.containers[0].args[0] - pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade rbac_manager$ - count: 1 - - - it: should render rbacManager component environment variables - template: rbacmanager_deployment.yaml - documentIndex: 0 - set: - rbacManager.extraEnv: - - name: rbacManager - value: test - - name: test - value: foobar - asserts: - - contains: - path: 
spec.template.spec.containers[0].env - content: - name: ANCHORE_ENDPOINT_HOSTNAME - value: test-release-enterprise-rbac-manager - count: 1 - - contains: - path: spec.template.spec.containers[0].env - content: - name: ANCHORE_PORT - value: "8229" - count: 1 - - contains: - path: spec.template.spec.containers[0].env - content: - name: rbacManager - value: test - count: 1 - - contains: - path: spec.template.spec.containers[0].env - content: - name: test - value: foobar - - - it: should render component ports - template: rbacmanager_deployment.yaml - documentIndex: 0 - asserts: - - contains: - path: spec.template.spec.containers[0].ports - content: - name: rbacmanager - containerPort: 8229 - count: 1 - - - it: should render component probes - template: rbacmanager_deployment.yaml - documentIndex: 0 - asserts: - - isSubset: - path: spec.template.spec.containers[0].livenessProbe - content: - httpGet: - path: /health - port: rbacmanager - scheme: HTTP - initialDelaySeconds: 120 - timeoutSeconds: 10 - periodSeconds: 10 - failureThreshold: 6 - successThreshold: 1 - count: 1 - - isSubset: - path: spec.template.spec.containers[0].readinessProbe - content: - httpGet: - path: /health - port: rbacmanager - scheme: HTTP - timeoutSeconds: 10 - periodSeconds: 10 - failureThreshold: 3 - successThreshold: 1 - count: 1 - - - it: should render component resource requests & limits - template: rbacmanager_deployment.yaml - documentIndex: 0 - set: - rbacManager.resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 200m - memory: 256Mi - asserts: - - isSubset: - path: spec.template.spec.containers[0].resources.requests - content: - cpu: 100m - memory: 128Mi - count: 1 - - isSubset: - path: spec.template.spec.containers[0].resources.limits - content: - cpu: 200m - memory: 256Mi - count: 1 - - - it: should render component service type - template: rbacmanager_deployment.yaml - documentIndex: 1 - asserts: - - equal: - path: spec.type - value: ClusterIP - count: 1 - - - it: 
should render component service ports - template: rbacmanager_deployment.yaml - documentIndex: 1 - asserts: - - contains: - path: spec.ports - content: - name: rbacmanager - port: 8229 - targetPort: 8229 - protocol: TCP - count: 1 - - - it: should render component service selectors - template: rbacmanager_deployment.yaml - documentIndex: 1 - asserts: - - isSubset: - path: spec.selector - content: - app.kubernetes.io/name: test-release-enterprise - app.kubernetes.io/component: rbacmanager - count: 1 diff --git a/stable/enterprise/tests/reports_resources_test.yaml b/stable/enterprise/tests/reports_resources_test.yaml index 0917a9b6..e869282e 100644 --- a/stable/enterprise/tests/reports_resources_test.yaml +++ b/stable/enterprise/tests/reports_resources_test.yaml 
@@ -406,3 +406,87 @@ tests: asserts: - notExists: path: spec.template.spec.initContainers + + - it: should render component extraVolumes + template: reports_deployment.yaml + documentIndex: 0 + set: + reports.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: reports_deployment.yaml + documentIndex: 0 + set: + reports.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: reports_deployment.yaml + documentIndex: 0 + set: + reports.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: reports_deployment.yaml + documentIndex: 0 + set: + reports.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 
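Review bot: Every extraVolumeMounts case in this hunk sets `readOnly: false`, so a template that dropped or hard-coded the `readOnly` field would still pass; the same gap is in the reportsworker, simplequeue and ui test hunks below. Since extra mounts are the usual way to bring secrets and CA bundles into these pods, add one case that sets the flag to true and asserts it is rendered, e.g. (constructed example) `- name: ca-bundle`, `mountPath: /mnt/ca-bundle`, `readOnly: true` under `reports.extraVolumeMounts` with a matching `contains` assertion on `spec.template.spec.containers[0].volumeMounts`. The cases also use distinct names for the component and global lists, so nothing covers both lists declaring the same volume name; if the template does not dedupe, that renders duplicate volume names the API server rejects, and a test pinning the intended behaviour there would be worth adding.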
diff --git a/stable/enterprise/tests/reportsworker_resources_test.yaml b/stable/enterprise/tests/reportsworker_resources_test.yaml index 86050391..90a21234 100644 --- a/stable/enterprise/tests/reportsworker_resources_test.yaml +++ b/stable/enterprise/tests/reportsworker_resources_test.yaml 
@@ -291,3 +291,87 @@ tests: app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/component: reportsworker count: 1 + + - it: should render component extraVolumes + template: reportsworker_deployment.yaml + documentIndex: 0 + set: + reportsWorker.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: reportsworker_deployment.yaml + documentIndex: 0 + set: + reportsWorker.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: reportsworker_deployment.yaml + documentIndex: 0 + set: + reportsWorker.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: reportsworker_deployment.yaml + documentIndex: 0 + set: + reportsWorker.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 
diff --git a/stable/enterprise/tests/simplequeue_resources_test.yaml b/stable/enterprise/tests/simplequeue_resources_test.yaml index 5d66c2e0..e16fa53c 100644 --- a/stable/enterprise/tests/simplequeue_resources_test.yaml +++ b/stable/enterprise/tests/simplequeue_resources_test.yaml 
@@ -266,3 +266,87 @@ tests: app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/component: simplequeue count: 1 + + - it: should render component extraVolumes + template: simplequeue_deployment.yaml + documentIndex: 0 + set: + simpleQueue.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: simplequeue_deployment.yaml + documentIndex: 0 + set: + simpleQueue.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: simplequeue_deployment.yaml + documentIndex: 0 + set: + simpleQueue.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: simplequeue_deployment.yaml + documentIndex: 0 + set: + simpleQueue.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 
diff --git a/stable/enterprise/tests/ui_resources_test.yaml b/stable/enterprise/tests/ui_resources_test.yaml index ac56cc61..9755d237 100644 --- a/stable/enterprise/tests/ui_resources_test.yaml +++ b/stable/enterprise/tests/ui_resources_test.yaml 
@@ -302,3 +302,87 @@ tests: app.kubernetes.io/name: test-release-enterprise app.kubernetes.io/component: ui count: 1 + + - it: should render component extraVolumes + template: ui_deployment.yaml + documentIndex: 0 + set: + ui.extraVolumes: + - name: extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + + - it: should render component extraVolumeMounts + template: ui_deployment.yaml + documentIndex: 0 + set: + ui.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + + - it: should render component and global extraVolumes + template: ui_deployment.yaml + documentIndex: 0 + set: + ui.extraVolumes: + - name: extra-vol + emptyDir: {} + extraVolumes: + - name: global-extra-vol + emptyDir: {} + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: extra-vol + emptyDir: {} + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: global-extra-vol + emptyDir: {} + count: 1 + + - it: should render component and global extraVolumeMounts + template: ui_deployment.yaml + documentIndex: 0 + set: + ui.extraVolumeMounts: + - name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + extraVolumeMounts: + - name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: extra-vol + mountPath: /mnt/extra-vol + readOnly: false + count: 1 + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: global-extra-vol + mountPath: /mnt/global-extra-vol + readOnly: false + count: 1 diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 638a3b92..12ae4094 100644 --- a/stable/enterprise/values.yaml 
+++ b/stable/enterprise/values.yaml @@ -18,7 +18,7 @@ global: ## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI ## -image: docker.io/anchore/enterprise:v5.3.0 +image: docker.io/anchore/enterprise:v5.4.0 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy @@ -752,6 +752,14 @@ api: ## extraEnv: [] + ## @param api.extraVolumes Define additional volumes for Anchore API pods + ## + extraVolumes: [] + + ## @param api.extraVolumeMounts Define additional volume mounts for Anchore API pods + ## + extraVolumeMounts: [] + ## @param api.resources Resource requests and limits for Anchore API pods ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. @@ -812,6 +820,14 @@ catalog: ## extraEnv: [] + ## @param catalog.extraVolumes Define additional volumes for Anchore Catalog pods + ## + extraVolumes: [] + + ## @param catalog.extraVolumeMounts Define additional volume mounts for Anchore Catalog pods + ## + extraVolumeMounts: [] + ## @param catalog.resources Resource requests and limits for Anchore Catalog pods ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. 
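Review bot: The `@param api.extraVolumes` and `api.extraVolumeMounts` descriptions added here say nothing about how the component list relates to the global `extraVolumes`/`extraVolumeMounts`, which the test hunks in this commit show are rendered together; the same wording is repeated in the catalog hunk on this line and in the notifications, policyEngine, reports, reportsWorker, simpleQueue and ui hunks below. A reader setting both will not know whether the lists are merged or whether a shared name collides, so I would extend the comment, e.g. `## @param api.extraVolumes Define additional volumes for Anchore API pods (rendered in addition to the global extraVolumes; names must be unique across both lists)`. Whether the template dedupes by name is not visible in this diff, so confirm before wording it that way. It would also help operators to note on the `extraVolumeMounts` param that mounts carrying secrets or CA bundles should set `readOnly: true`, since the entries appear to be passed through as given.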
@@ -906,6 +922,14 @@ notifications: ## extraEnv: [] + ## @param notifications.extraVolumes Define additional volumes for Anchore Notifications pods + ## + extraVolumes: [] + + ## @param notifications.extraVolumeMounts Define additional volume mounts for Anchore Notifications pods + ## + extraVolumeMounts: [] + ## @param notifications.resources Resource requests and limits for Anchore Notifications pods ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. @@ -966,6 +990,14 @@ policyEngine: ## extraEnv: [] + ## @param policyEngine.extraVolumes Define additional volumes for Anchore Policy Engine pods + ## + extraVolumes: [] + + ## @param policyEngine.extraVolumeMounts Define additional volume mounts for Anchore Policy Engine pods + ## + extraVolumeMounts: [] + ## @param policyEngine.resources Resource requests and limits for Anchore Policy Engine pods ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. 
@@ -1006,85 +1038,6 @@ policyEngine: scratchVolume: details: {} -################################################## -## @section Anchore RBAC Authentication Parameters -################################################## -rbacAuth: - ## @param rbacAuth.extraEnv Set extra environment variables for Anchore RBAC Authentication containers - ## - extraEnv: [] - - ## @param rbacAuth.resources Resource requests and limits for Anchore RBAC Authentication containers - ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. - ## - resources: {} - # requests: - # cpu: 100m - # memory: 500Mi - # limits: - # memory: 500Mi - -########################################### -## @section Anchore RBAC Manager Parameters -########################################### -rbacManager: - ## @param rbacManager.replicaCount Number of replicas for the Anchore RBAC Manager deployment - ## - replicaCount: 1 - - ## @param rbacManager.service.type Service type for Anchore RBAC Manager - ## @param rbacManager.service.port Service port for Anchore RBAC Manager - ## @param rbacManager.service.annotations Annotations for Anchore RBAC Manager service - ## @param rbacManager.service.labels Labels for Anchore RBAC Manager service - ## @param rbacManager.service.nodePort nodePort for Anchore RBAC Manager service - ## - service: - type: ClusterIP - port: 8229 - annotations: {} - labels: {} - nodePort: "" - - ## @param rbacManager.extraEnv Set extra environment variables for Anchore RBAC Manager pods - ## - extraEnv: [] - - ## @param rbacManager.resources Resource requests and limits for Anchore RBAC Manager pods - ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. 
- ## - resources: {} - # requests: - # cpu: 100m - # memory: 500Mi - # limits: - # memory: 500Mi - - ## @param rbacManager.labels Labels for Anchore RBAC Manager pods - ## - labels: {} - - ## @param rbacManager.annotations Annotation for Anchore RBAC Manager pods - ## - annotations: {} - - ## @param rbacManager.nodeSelector Node labels for Anchore RBAC Manager pod assignment - ## - nodeSelector: {} - - ## @param rbacManager.tolerations Tolerations for Anchore RBAC Manager pod assignment - ## - tolerations: [] - - ## @param rbacManager.affinity Affinity for Anchore RBAC Manager pod assignment - ## - affinity: {} - - ## @param rbacManager.serviceAccountName Service account name for Anchore RBAC Manager pods - ## - serviceAccountName: "" - ######################################## ## @section Anchore Reports Parameters ######################################## @@ -1110,6 +1063,14 @@ reports: ## extraEnv: [] + ## @param reports.extraVolumes Define additional volumes for Anchore Reports pods + ## + extraVolumes: [] + + ## @param reports.extraVolumeMounts Define additional volume mounts for Anchore Reports pods + ## + extraVolumeMounts: [] + ## @param reports.resources Resource requests and limits for Anchore Reports pods ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations 
@@ -1187,6 +1148,14 @@ reportsWorker: ## extraEnv: [] + ## @param reportsWorker.extraVolumes Define additional volumes for Anchore Reports Worker pods + ## + extraVolumes: [] + + ## @param reportsWorker.extraVolumeMounts Define additional volume mounts for Anchore Reports Worker pods + ## + extraVolumeMounts: [] + ## @param reportsWorker.resources Resource requests and limits for Anchore Reports Worker pods ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. @@ -1247,6 +1216,14 @@ simpleQueue: ## extraEnv: [] + ## @param simpleQueue.extraVolumes Define additional volumes for Anchore Simple Queue pods + ## + extraVolumes: [] + + ## @param simpleQueue.extraVolumeMounts Define additional volume mounts for Anchore Simple Queue pods + ## + extraVolumeMounts: [] + ## @param simpleQueue.resources Resource requests and limits for Anchore Simple Queue pods ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. @@ -1288,7 +1265,7 @@ simpleQueue: ui: ## @param ui.image Image used for the Anchore UI container ## - image: docker.io/anchore/enterprise-ui:v5.3.2 + image: docker.io/anchore/enterprise-ui:v5.4.0 ## @param ui.imagePullPolicy Image pull policy for Anchore UI image ## 
@@ -1327,6 +1304,14 @@ ui: ## extraEnv: [] + ## @param ui.extraVolumes Define additional volumes for Anchore UI pods + ## + extraVolumes: [] + + ## @param ui.extraVolumeMounts Define additional volume mounts for Anchore UI pods + ## + extraVolumeMounts: [] + ## @param ui.resources Resource requests and limits for Anchore UI pods ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations.