From c00f21867c7d1cb3fe698cb42e1c64b44efb7a2a Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 18 Oct 2024 13:20:22 -0400 Subject: [PATCH] Update exclusions check for better new user experience (#412) Signed-off-by: Hung Nguyen * Update exclusions check to only fail under certain conditions. external feeds, disabled drivers * removing redundant github workflow helm-extra-set-args * toJson the list * test updates * allow changing data_syncer auto_sync_enabled * adding notes to helper function Signed-off-by: Hung Nguyen --------- Signed-off-by: Hung Nguyen --- .github/workflows/openshift-test.yaml | 2 +- .github/workflows/test.yaml | 2 +- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/files/default_config.yaml | 14 ++- stable/enterprise/files/osaa_config.yaml | 14 ++- stable/enterprise/templates/_helpers.tpl | 90 ++++++++++++++++++- .../templates/anchore_configmap.yaml | 3 +- .../templates/envvars_configmap.yaml | 1 + .../__snapshot__/configmap_test.yaml.snap | 3 +- .../osaa_configmap_test.yaml.snap | 4 +- 10 files changed, 120 insertions(+), 15 deletions(-) diff --git a/.github/workflows/openshift-test.yaml b/.github/workflows/openshift-test.yaml index 164339cb..4f8b8156 100644 --- a/.github/workflows/openshift-test.yaml +++ b/.github/workflows/openshift-test.yaml @@ -128,7 +128,7 @@ jobs: mv ci/openshift-test.yaml ci/openshift-test-values.yaml popd done - ct install --config ct-config.yaml --helm-extra-args "--timeout 600s" --helm-extra-set-args "--set=useExistingPullCredSecret=true--set=useExistingLicenseSecret=true --set=anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers=[] --set=anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types=[]" + ct install --config ct-config.yaml --helm-extra-args "--timeout 600s" env: KUBECONFIG: ./tmp/kubeconfig TARGET_BRANCH: "${{ github.event.pull_request.base.ref }}" diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index d467e489..434b14a9 100644 
--- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -99,4 +99,4 @@ jobs: - name: Run chart-testing if: steps.list-changed.outputs.CHANGED == 'true' - run: ct install --config ct-config.yaml --helm-extra-args "--timeout 600s" --helm-extra-set-args "--set=useExistingPullCredSecret=true --set=useExistingLicenseSecret=true --set=anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers=[] --set=anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types=[]" + run: ct install --config ct-config.yaml --helm-extra-args "--timeout 600s" diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index d6c51fa2..f8927516 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "3.0.0" +version: "3.0.1" appVersion: "5.10.0" kubeVersion: 1.23.x - 1.30.x || 1.23.x-x - 1.30.x-x description: | diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml index a0dc8d1c..ef1478c9 100644 --- a/stable/enterprise/files/default_config.yaml +++ b/stable/enterprise/files/default_config.yaml @@ -201,8 +201,16 @@ services: enabled: true matching: exclude: - providers: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers }} - package_types: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types }} + {{- if .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers }} + providers: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers | toJson }} + {{- else }} + providers: [] + {{- end }} + {{- if .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types }} + package_types: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types | toJson }} + {{- else }} + package_types: [] + {{- end }} default: search: by_cpe: 
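Review bot: The reason for the if/else around `providers` and `package_types` is not documented in the template, and the identical block is repeated in the osaa_config.yaml hunk at 209, so a reader will ask why `toJson` alone is not enough. A one-line template comment above the first `{{- if` would carry the intent: `{{/* an unset list renders as null via toJson; it must render as [] so that nothing is excluded from matching */}}`. A list that is set but empty also takes the else branch and renders the same `[]`, so the two branches only diverge for a nil value. Since a scalar set here by mistake (a string rather than a list) is rendered by `toJson` as a JSON string and is no longer caught at render time, the comment should also say that the value is expected to be a list.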
@@ -298,7 +306,7 @@ services: endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} listen: 0.0.0.0 port: ${ANCHORE_PORT} - auto_sync_enabled: true + auto_sync_enabled: ${ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED} upload_dir: {{ .Values.scratchVolume.mountPath }} datasets: vulnerability_db: diff --git a/stable/enterprise/files/osaa_config.yaml b/stable/enterprise/files/osaa_config.yaml index 17bbd789..64f0f88e 100644 --- a/stable/enterprise/files/osaa_config.yaml +++ b/stable/enterprise/files/osaa_config.yaml @@ -209,8 +209,16 @@ services: enabled: true matching: exclude: - providers: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers }} - package_types: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types }} + {{- if .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers }} + providers: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers | toJson }} + {{- else }} + providers: [] + {{- end }} + {{- if .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types }} + package_types: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types | toJson }} + {{- else }} + package_types: [] + {{- end }} default: search: by_cpe: @@ -306,7 +314,7 @@ services: endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} listen: 0.0.0.0 port: ${ANCHORE_PORT} - auto_sync_enabled: true + auto_sync_enabled: ${ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED} upload_dir: {{ .Values.scratchVolume.mountPath }} datasets: vulnerability_db: diff --git a/stable/enterprise/templates/_helpers.tpl b/stable/enterprise/templates/_helpers.tpl index b1eab41b..c9af8a8b 100644 --- a/stable/enterprise/templates/_helpers.tpl +++ b/stable/enterprise/templates/_helpers.tpl 
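Review bot: The variable behind `${ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED}` is pinned to the literal `"true"` in the envvars_configmap.yaml hunk rather than templated from a value the way its neighbours are (`ANCHORE_DISABLE_METRICS_AUTH: "{{ .Values.anchoreConfig.metrics.auth_disabled }}"`), so the only way to change it appears to be overriding the env var through extraEnv. If that is the intended mechanism, a comment above the configmap entry saying so would stop the next reader from adding a second knob; otherwise template it from a values key, e.g. `ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED: "{{ .Values.<VALUES_KEY_FOR_AUTO_SYNC> }}"` with the placeholder replaced by whatever key the chart adopts. The same substitution is made in the osaa_config.yaml hunk at 306 and echoed in both snapshot files. Because the variable is interpolated unquoted into the service config, an override that is not a plain `true`/`false` (or an empty value, should the variable ever be absent) changes the type of `auto_sync_enabled`, which is another reason to keep the configmap entry as the single, documented source.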
@@ -154,4 +154,92 @@ secretName: {{ . }} {{- else }} secretName: {{ template "enterprise.fullname" . }}-license {{- end }} -{{- end -}} \ No newline at end of file +{{- end -}} + + +{{/* +Takes in a map of drivers and checks if the driver is enabled. If not, update the map to sets the notify flag to true +*/}} +{{- define "checkDriverEnabled" -}} + {{- $drivers := .drivers -}} + {{- $driverName := .driverName -}} + {{- $driver := index $drivers $driverName -}} + {{- if $driver }} + {{- $driverEnabled := index $driver "enabled" -}} + {{- if not $driverEnabled }} + {{- $notify := .notify -}} + {{- $_ := set . "notify" true -}} + {{- end }} + {{- end }} +{{- end }} + +{{/* +Checks if the feeds chart was previously disabled or if any of the drivers were disabled. If so and required values aren't set, fail the upgrade. +*/}} +{{- define "enterprise.exclusionCheck" -}} + +{{ $notify := false }} + +{{/* checks if theres a feeds key, and if so, require values if feeds.chartEnabled is false or feeds.extraEnvs contain ANCHORE_FEEDS_DRIVER or drivers are disabled via values */}} +{{ $feeds := index .Values "feeds" }} +{{- if $feeds -}} + {{ $feedsChartEnabled := index .Values "feeds" "chartEnabled" }} + {{- if (not $feedsChartEnabled) -}} + {{ $notify = true }} + {{- end -}} + + {{- if not $notify -}} + {{ $feedsExtraEnvs := index .Values "feeds" "extraEnv" }} + {{- if $feedsExtraEnvs -}} + {{- range $index, $val := $feedsExtraEnvs -}} + {{- if contains "ANCHORE_FEEDS_DRIVER" .name -}} + {{ $notify = true }} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- if not $notify -}} + {{- $anchoreConfig := index $feeds "anchoreConfig" }} + {{- if $anchoreConfig }} + {{- $anchoreFeeds := index $anchoreConfig "feeds" }} + {{- if $anchoreFeeds }} + {{- $drivers := index $anchoreFeeds "drivers" }} + {{/* calling function to check if driver is enabled, if driver is disabled, set notify to true if its not already true */}} + {{- if $drivers }} + {{- $context := dict 
"drivers" $drivers "notify" $notify "driverName" "gem" }} + {{- include "checkDriverEnabled" $context }} + {{- $notify = $context.notify }} + + {{- $context := dict "drivers" $drivers "notify" $notify "driverName" "github" }} + {{- include "checkDriverEnabled" $context }} + {{- $notify = $context.notify }} + + {{- $context := dict "drivers" $drivers "notify" $notify "driverName" "msrc" }} + {{- include "checkDriverEnabled" $context }} + {{- $notify = $context.notify }} + + {{- $context := dict "drivers" $drivers "notify" $notify "driverName" "npm" }} + {{- include "checkDriverEnabled" $context }} + {{- $notify = $context.notify }} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* if we haven't needed a notification yet, check if top level extraEnvs have ANCHORE_FEEDS_DRIVER */}} +{{- if not $notify -}} + {{- range $index, $val := .Values.extraEnv -}} + {{- if contains "ANCHORE_FEEDS_DRIVER" .name -}} + {{ $notify = true }} + {{- end -}} + {{- end -}} +{{- end -}} + +{{ if $notify }} + {{- $exclude_providers := required "anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers is required" .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers -}} + {{- $exclude_package := required "anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types is required" .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types -}} +{{- end -}} + +{{- end -}} diff --git a/stable/enterprise/templates/anchore_configmap.yaml b/stable/enterprise/templates/anchore_configmap.yaml index 47896f9b..710530ec 100644 --- a/stable/enterprise/templates/anchore_configmap.yaml +++ b/stable/enterprise/templates/anchore_configmap.yaml 
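Review bot: The new `checkDriverEnabled` template is defined without the `enterprise.` prefix that every other helper in this file carries (`enterprise.fullname`, `enterprise.exclusionCheck`); Helm template names are global across a chart and its subcharts, so an unprefixed name can be silently shadowed by a same-named define in a dependency such as the feeds chart this check refers to — rename it `{{- define "enterprise.checkDriverEnabled" -}}` and update the four `include` sites. Nearly every action in enterprise.exclusionCheck is untrimmed (`{{ $notify := false }}`, `{{ $feeds := … }}`, `{{ $notify = true }}`, `{{ if $notify }}`), so the include emits a run of blank lines ahead of `kind: ConfigMap` in anchore_configmap.yaml; since the helper is meant to produce no output, trim each action with `{{- … -}}`. `$notify := .notify` in checkDriverEnabled and `$index`/`$val` in the two range loops are assigned but never read, and the later `$context := dict …` lines redeclare rather than reassign (`$context = dict …`). The detection covers only the four driver names hard-coded here and env var names under extraEnv, so a driver disabled through envFrom, a mounted config file, or a feeds value outside `anchoreConfig.feeds.drivers` would presumably not trigger the required-values check, and a driver map that lacks an `enabled` key is treated as disabled; a comment above the define stating that scope would make the limits explicit for the next maintainer.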
@@ -1,5 +1,4 @@ -{{- $exclude_providers := required "anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers is required" .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers -}} -{{- $exclude_package := required "anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types is required" .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types -}} +{{- include "enterprise.exclusionCheck" . -}} kind: ConfigMap apiVersion: v1 metadata: diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index c07fcdd8..3cb08a04 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml +++ b/stable/enterprise/templates/envvars_configmap.yaml @@ -26,6 +26,7 @@ data: ANCHORE_CLI_USER: "admin" ANCHORECTL_URL: "http://localhost:8228" ANCHORECTL_USERNAME: "admin" + ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED: "true" ANCHORE_DISABLE_METRICS_AUTH: "{{ .Values.anchoreConfig.metrics.auth_disabled }}" ANCHORE_DB_POOL_MAX_OVERFLOW: "{{ .Values.anchoreConfig.database.db_pool_max_overflow }}" ANCHORE_DB_POOL_SIZE: "{{ .Values.anchoreConfig.database.db_pool_size }}" diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 63dbadb1..1e0d8bc3 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -387,7 +387,7 @@ should render the configmaps: endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} listen: 0.0.0.0 port: ${ANCHORE_PORT} - auto_sync_enabled: true + auto_sync_enabled: ${ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED} upload_dir: /analysis_scratch datasets: vulnerability_db: 
@@ -424,6 +424,7 @@ should render the configmaps: ANCHORE_CATALOG_IMAGE_GC_WORKERS: "4" ANCHORE_CLI_URL: http://localhost:8228 ANCHORE_CLI_USER: admin + ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED: "true" ANCHORE_DB_POOL_MAX_OVERFLOW: "100" ANCHORE_DB_POOL_SIZE: "30" ANCHORE_DB_SSL: "false" diff --git a/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap index 3dfe9d12..b0dd9743 100644 --- a/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap @@ -348,7 +348,7 @@ should render the configmaps for osaa migration if enabled: endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} listen: 0.0.0.0 port: ${ANCHORE_PORT} - auto_sync_enabled: true + auto_sync_enabled: ${ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED} upload_dir: /analysis_scratch datasets: vulnerability_db: @@ -733,7 +733,7 @@ should render the configmaps for osaa migration if enabled: endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} listen: 0.0.0.0 port: ${ANCHORE_PORT} - auto_sync_enabled: true + auto_sync_enabled: ${ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED} upload_dir: /analysis_scratch datasets: vulnerability_db: