From bc2f1940bd3a8dbf706ceb1ed72a9bed2a6d6ca7 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 2 Feb 2024 16:49:07 -0800 Subject: [PATCH] stable/enterprise: Update documentation (#340) * update comments around reports resource config * fix error message when using image_ttl_days=-1 * add more details to the release notes around reports deployment values changes * bump chart version --------- Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 8 ++++---- stable/enterprise/templates/envvars_configmap.yaml | 2 +- stable/enterprise/values.yaml | 8 +++++--- 4 files changed, 11 insertions(+), 9 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index f51696be..5412f8dc 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "2.3.0" +version: "2.3.1" appVersion: "5.2.0" kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 2ecbcf03..88c10b7b 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md 
@@ -1041,14 +1041,14 @@ This rollback procedure is designed to revert your environment to its pre-migrat | `anchoreConfig.reports.enable_graphiql` | Enable GraphiQL, a GUI for editing and testing GraphQL queries and mutations | `true` | | `anchoreConfig.reports.async_execution_timeout` | Configure how long a scheduled query must be running for before it is considered timed out | `48h` | | `anchoreConfig.reports.cycle_timers.reports_scheduled_queries` | Interval in seconds to check for scheduled queries that need to be run | `600` | -| `anchoreConfig.reports.use_volume` | Configure the reports worker to buffer report generation to disk instead of in memory | `false` | +| `anchoreConfig.reports.use_volume` | Configure the reports service to buffer report generation to disk instead of in memory | `false` | | `anchoreConfig.reports_worker.enable_data_ingress` | Enable periodically syncing data into the Anchore Reports Service | `true` | | `anchoreConfig.reports_worker.enable_data_egress` | Periodically remove reporting data that has been removed in other parts of system | `false` | | `anchoreConfig.reports_worker.data_egress_window` | defines a number of days to keep reporting data following its deletion in the rest of system. | `0` | | `anchoreConfig.reports_worker.data_refresh_max_workers` | The maximum number of concurrent threads to refresh existing results (etl vulnerabilities and evaluations) in reports service. | `10` | | `anchoreConfig.reports_worker.data_load_max_workers` | The maximum number of concurrent threads to load new results (etl vulnerabilities and evaluations) to reports service. 
| `10` | | `anchoreConfig.reports_worker.cycle_timers.reports_image_load` | Interval that vulnerabilities for images are synced | `600` | -| `anchoreConfig.reports_worker.cycle_timers.reports_tag_load` | Interval that vulnerabilties by tags are synced | `600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_tag_load` | Interval that vulnerabilities by tags are synced | `600` | | `anchoreConfig.reports_worker.cycle_timers.reports_runtime_inventory_load` | Interval that the runtime inventory is synced | `600` | | `anchoreConfig.reports_worker.cycle_timers.reports_extended_runtime_vuln_load` | Interval extended runtime reports are synched (ecs, k8s containers and namespaces) | `1800` | | `anchoreConfig.reports_worker.cycle_timers.reports_image_refresh` | Interval that images are refreshed | `7200` | 
@@ -1388,8 +1388,8 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel - The reports pod has been split out of the API deployment and is now a separate deployment. A new deployment called `reports_worker` has been added. This allows for more granular control over the resources allocated to the reports and reports_worker services. - :warning: **WARNING:** Values file changes necessary: - If you are using a custom port for the reports service, previously set with `api.service.reportsPort`, you will need to update your values file to use `reports.service.port` instead. - - Resource requests & limits were previously set for both reports pods found in the `reports_deployment` and `api_deployment` using the `reports.resources` section of the values file. These have been split into separate deployments and the resources are now set in the `reports.resources` and `reports_worker.resources` sections of the values file. If you are using custom resources, you will need to update your values file to reflect this change. -- The reports service no longer has an accessible API endpoint, all API requests should be made to the API service. This version of the chart removed deprecated ingress configurations to accommodate this change. Update your values file to remove all references to the `reports` service in the `ingress` section. + - Component specific configurations such as resources (as well as annotations, labels, extraEnv, etc) were previously set for both reports pods found in the `reports_deployment` and `api_deployment` using the `reports.resources` section of the values file. These have been split into separate deployments and the resources are now set in the `reports.resources` and `reports_worker.resources` sections of the values file. If you are using custom resources, you will need to update your values file to reflect this change. 
+- The reports service is now an internal service and the GraphQLAPI/ReportsAPI is served to users by the API service and routed internally in the deployment as needed. This version of the chart removed deprecated ingress configurations to accommodate this change. Update your values file to remove all references to the `reports` service in the `ingress` section. ### V2.2.0 diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index 0d080227..43be8740 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml +++ b/stable/enterprise/templates/envvars_configmap.yaml @@ -50,7 +50,7 @@ data: ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER: "true" ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE: "true" {{- if eq (toString .Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days) "-1" }} - {{- fail "The Value `-1` is no longer valid for `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days`. Please use `.Values.anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite=true` to force runtime inventory to be overwritten upon every update for that reported context. `.Values.anchoreConfig.catalog.runtime_inventory.inventory_ttl_days` must be set to a value >1." -}} + {{- fail "The Value `-1` is no longer valid for `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days`. Please use `.Values.anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite=true` to force runtime inventory to be overwritten upon every update for that reported context. `.Values.anchoreConfig.catalog.runtime_inventory.inventory_ttl_days` must be set to a value >1." -}} {{- else }} ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS: "{{ .Values.anchoreConfig.catalog.runtime_inventory.inventory_ttl_days }}" ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE: "{{ .Values.anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite }}" 
diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index bb727784..3b2abf66 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -540,7 +540,7 @@ anchoreConfig: cycle_timers: reports_scheduled_queries: 600 - ## @param anchoreConfig.reports.use_volume Configure the reports worker to buffer report generation to disk instead of in memory + ## @param anchoreConfig.reports.use_volume Configure the reports service to buffer report generation to disk instead of in memory ## This should be configured in production systems with large amounts of data (10s of thousands of images or more) ## Generally speaking you need to provision 2x the size of the largest report that you expect to generate ## We recommend utilizing an ephemeral PVC for your scratch volume, this makes it easy to provision enough storage for large reports @@ -571,7 +571,7 @@ anchoreConfig: data_load_max_workers: 10 ## @param anchoreConfig.reports_worker.cycle_timers.reports_image_load Interval that vulnerabilities for images are synced - ## @param anchoreConfig.reports_worker.cycle_timers.reports_tag_load Interval that vulnerabilties by tags are synced + ## @param anchoreConfig.reports_worker.cycle_timers.reports_tag_load Interval that vulnerabilities by tags are synced ## @param anchoreConfig.reports_worker.cycle_timers.reports_runtime_inventory_load Interval that the runtime inventory is synced ## @param anchoreConfig.reports_worker.cycle_timers.reports_extended_runtime_vuln_load Interval extended runtime reports are synched (ecs, k8s containers and namespaces) ## @param anchoreConfig.reports_worker.cycle_timers.reports_image_refresh Interval that images are refreshed 
@@ -1112,7 +1112,9 @@ reports: ## @param reports.resources Resource requests and limits for Anchore Reports pods ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. + ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations + ## NOTE: the commented resources below are assuming the use of a scratch volume with `anchoreConfig.reports.use_volume=true` + ## If not using a scratch volume, the memory resources may need to be increased. ## resources: {} # requests:
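Review bot: in the README hunk `@@ -1041,14 +1041,14 @@`, the typo fix for `reports_tag_load` leaves the same kind of typo two rows down, where `reports_extended_runtime_vuln_load` reads "synched" rather than "synced"; the identical `## @param` comment in the values.yaml hunk `@@ -571,7 +571,7 @@` has the same spelling. Since this patch is already touching both tables, fix both occurrences here so the README and values.yaml stay in step.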
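Review bot: in the README hunk `@@ -1388,8 +1388,8 @@`, the rewritten sub-bullet is now internally inconsistent: it says "annotations, labels, extraEnv, etc" were previously set "using the `reports.resources` section" and are now set in "the `reports.resources` and `reports_worker.resources` sections", but those keys only hold resource requests and limits; the other component settings live directly under `reports` and `reports_worker`. Suggest "...were previously set for both reports pods ... using the `reports` section of the values file. These have been split into separate deployments and are now set in the `reports` and `reports_worker` sections", and change "If you are using custom resources" to "If you have customized any of these settings", since the sentence no longer applies only to resources.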
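Review bot: in the `envvars_configmap.yaml` hunk `@@ -50,7 +50,7 @@`, the corrected `fail` message now names the key that the `else` branch actually reads (`inventory_ingest_overwrite`, matching `ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE`), but it still tells the user that `inventory_ttl_days` "must be set to a value >1" while the template only guards `image_ttl_days` against `-1`; nothing validates `inventory_ttl_days`, so a user who follows the message and sets it to `-1` or `0` will get the value emitted unchecked into `ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS`. Either add a matching `fail` for an out-of-range `inventory_ttl_days` or drop the ">1" claim from the message. Minor: "The Value `-1`" should read "The value `-1`".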
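Review bot: in the values.yaml hunk `@@ -1112,7 +1112,9 @@`, the new NOTE says the commented baseline assumes `anchoreConfig.reports.use_volume=true`, but this same patch's README table documents the default for `anchoreConfig.reports.use_volume` as `false`, so a user who uncomments the suggested requests and limits on a default install is running below the assumed memory. State that explicitly, e.g. "NOTE: the commented resources below assume a scratch volume (`anchoreConfig.reports.use_volume=true`); the default is `false`, in which case increase the memory request/limit." Also, the rewritten "Contact Anchore support for deployment specific recommendations" line dropped its trailing period while the other comment lines in this block keep theirs; restore it for consistency.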