diff --git a/.github/workflows/openshift-test.yaml b/.github/workflows/openshift-test.yaml
index 44d1f008..164339cb 100644
--- a/.github/workflows/openshift-test.yaml
+++ b/.github/workflows/openshift-test.yaml
@@ -4,7 +4,6 @@ on:
 pull_request:
 paths:
 - 'stable/enterprise/Chart.yaml'
- - 'stable/feeds/Chart.yaml'
 - 'stable/ecs-inventory/Chart.yaml'
 - 'stable/k8s-inventory/Chart.yaml'
@@ -129,7 +128,7 @@ jobs:
 mv ci/openshift-test.yaml ci/openshift-test-values.yaml
 popd
 done
- ct install --config ct-config.yaml --helm-extra-args "--timeout 600s"
+ ct install --config ct-config.yaml --helm-extra-args "--timeout 600s" --helm-extra-set-args "--set=useExistingPullCredSecret=true--set=useExistingLicenseSecret=true --set=anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers=[] --set=anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types=[]"
 env:
 KUBECONFIG: ./tmp/kubeconfig
 TARGET_BRANCH: "${{ github.event.pull_request.base.ref }}"
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 434b14a9..d467e489 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -99,4 +99,4 @@ jobs:
 - name: Run chart-testing
 if: steps.list-changed.outputs.CHANGED == 'true'
- run: ct install --config ct-config.yaml --helm-extra-args "--timeout 600s"
+ run: ct install --config ct-config.yaml --helm-extra-args "--timeout 600s" --helm-extra-set-args "--set=useExistingPullCredSecret=true --set=useExistingLicenseSecret=true --set=anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers=[] --set=anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types=[]"
diff --git a/.gitignore b/.gitignore
index 24be4a11..8a17658a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,5 @@ examples/
 charts/
 .idea/
 *.code-workspace
+.DS_Store
+.vscode/
diff --git a/ct-config.yaml b/ct-config.yaml
index bb18e351..2a524751 100644
--- a/ct-config.yaml
+++ b/ct-config.yaml
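Review bot: The new `--helm-extra-set-args` string in the openshift-test.yaml `ct install` hunk is missing the space between `--set=useExistingPullCredSecret=true` and `--set=useExistingLicenseSecret=true`, so the shell passes Helm one argument, `--set=useExistingPullCredSecret=true--set=useExistingLicenseSecret=true`; Helm would then store the string `true--set=useExistingLicenseSecret=true` under `useExistingPullCredSecret` and never set `useExistingLicenseSecret`, so the OpenShift job would not exercise the existing-license-secret path that the test.yaml hunk in this same commit sets correctly. Change it to `--helm-extra-set-args "--set=useExistingPullCredSecret=true --set=useExistingLicenseSecret=true --set=anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers=[] --set=anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types=[]"`. The `run: |` step this line belongs to begins before the hunk. Since the identical ~300-character argument string is now duplicated across two workflows, consider breaking it onto one `--set` per line with `\` continuations so a drift like this is visible in review.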
@@ -7,3 +7,4 @@ chart-repos:
 - bitnami=https://charts.bitnami.com/bitnami
 namespace: anchore
 release-label: anchore
+exclude-deprecated: true
diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock
index 316c5295..4ee8465e 100644
--- a/stable/enterprise/Chart.lock
+++ b/stable/enterprise/Chart.lock
@@ -5,8 +5,5 @@ dependencies:
 - name: redis
 repository: oci://registry-1.docker.io/bitnamicharts
 version: 17.11.8
-- name: feeds
- repository: https://charts.anchore.io/stable
- version: 2.9.0
-digest: sha256:794234e4be51cccf563f5efc4b205fef8042f1ddd3113c2578f839eb4b6e10dd
-generated: "2024-09-04T11:58:57.913094-04:00"
+digest: sha256:0ecd9810e416973f8bc4caa4641764b10ff5224edaecb1a5b66d3b1f82948537
+generated: "2024-08-15T22:30:42.63806-07:00"
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml
index 2fb1e225..d6c51fa2 100644
--- a/stable/enterprise/Chart.yaml
+++ b/stable/enterprise/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: enterprise
-version: "2.10.0"
-appVersion: "5.9.0"
+version: "3.0.0"
+appVersion: "5.10.0"
 kubeVersion: 1.23.x - 1.30.x || 1.23.x-x - 1.30.x-x
 description: |
 Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems,
@@ -38,13 +38,3 @@ dependencies:
 repository: "oci://registry-1.docker.io/bitnamicharts"
 condition: ui-redis.chartEnabled
 alias: ui-redis
- - name: feeds
- version: "~2"
- repository: "@anchore"
- # repository: file://../feeds
- condition: feeds.chartEnabled
- import-values:
- - child: service
- parent: feeds.service
- - child: anchoreConfig.internalServicesSSL
- parent: feeds.anchoreConfig.internalServicesSSL
diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md
index f38b6b7a..4c6d5a7d 100644
--- a/stable/enterprise/README.md
+++ b/stable/enterprise/README.md
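Review bot: Dropping the `feeds` dependency in the Chart.yaml `-38,13` hunk also drops `condition: feeds.chartEnabled` and both `import-values` mappings, so any `feeds.*` keys that remain in the chart's values.yaml, values schema or templates will now be silently ignored by Helm instead of being routed to a subchart; those files are not in this diff, so I cannot confirm they were cleaned up in the same change. The bump to `version: "3.0.0"` is the right signal for a breaking removal, and the README's Release Notes section should state that `feeds.*` values are no longer honoured. In the accompanying Chart.lock hunk the new `generated` timestamp (`2024-08-15T22:30:42`) predates the one it replaces (`2024-09-04T11:58:57`), which suggests the lock was taken from an older branch rather than regenerated from this Chart.yaml with `helm dependency update`; if its digest does not match the current dependency list, `helm dependency build` will reject it, so please regenerate the lock as part of this commit.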
@@ -18,7 +18,6 @@ See the [Anchore Enterprise Documentation](https://docs.anchore.com) for more de - [Configuration](#configuration) - [External Database Requirements](#external-database-requirements) - [Installing on Openshift](#installing-on-openshift) - - [Enterprise Feeds Configuration](#enterprise-feeds-configuration) - [Analyzer Image Layer Cache Configuration](#analyzer-image-layer-cache-configuration) - [Configuring Object Storage](#configuring-object-storage) - [Configuring Analysis Archive Storage](#configuring-analysis-archive-storage) @@ -27,7 +26,6 @@ See the [Anchore Enterprise Documentation](https://docs.anchore.com) for more de - [Prometheus Metrics](#prometheus-metrics) - [Scaling Individual Services](#scaling-individual-services) - [Using TLS Internally](#using-tls-internally) -- [Migrating to the Anchore Enterprise Helm Chart](#migrating-to-the-anchore-enterprise-helm-chart) - [Object storage migration](#object-storage-migration) - [Parameters](#parameters) - [Release Notes](#release-notes) @@ -39,8 +37,6 @@ See the [Anchore Enterprise Documentation](https://docs.anchore.com) for more de ## Installing the Chart -> **Note**: For migration steps from an Anchore Engine Helm chart deployment, refer to the [Migrating to the Anchore Enterprise Helm Chart](#migrating-to-the-anchore-enterprise-helm-chart) section. - This guide covers deploying Anchore Enterprise on a Kubernetes cluster with the default configuration. Refer to the [Configuration](#configuration) section for additional guidance on production deployments. 1. **Create a Kubernetes Secret for License File**: Generate a Kubernetes secret to store your Anchore Enterprise license file. 
@@ -52,7 +48,7 @@ This guide covers deploying Anchore Enterprise on a Kubernetes cluster with the kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=${LICENSE_PATH} -n ${NAMESPACE} ``` -1. **Create a Kubernetes Secret for DockerHub Credentials**: Generate another Kubernetes secret for DockerHub credentials. These credentials should have access to private Anchore Enterprise repositories. We recommend that you create a brand new DockerHub user for these pull credentials. Contact [Anchore Support](https://get.anchore.com/contact/) to obtain access. +2. **Create a Kubernetes Secret for DockerHub Credentials**: Generate another Kubernetes secret for DockerHub credentials. These credentials should have access to private Anchore Enterprise repositories. We recommend that you create a brand new DockerHub user for these pull credentials. Contact [Anchore Support](https://get.anchore.com/contact/) to obtain access. ```shell export NAMESPACE=anchore @@ -63,7 +59,7 @@ This guide covers deploying Anchore Enterprise on a Kubernetes cluster with the kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=${DOCKERHUB_USER} --docker-password=${DOCKERHUB_PASSWORD} --docker-email=${DOCKERHUB_EMAIL} -n ${NAMESPACE} ``` -1. **Add Chart Repository & Deploy Anchore Enterprise**: Create a custom values file, named `anchore_values.yaml`, to override any chart parameters. Refer to the [Parameters](#parameters) section for available options. +3. **Add Chart Repository & Deploy Anchore Enterprise**: Create a custom values file, named `anchore_values.yaml`, to override any chart parameters. Refer to the [Parameters](#parameters) section for available options. > :exclamation: **Important**: Default passwords are specified in the chart. It's highly recommended to modify these before deploying. 
@@ -77,7 +73,7 @@ This guide covers deploying Anchore Enterprise on a Kubernetes cluster with the > **Note**: This command installs Anchore Enterprise with a chart-managed PostgreSQL database, which may not be suitable for production use. See the [External Database](#external-database-requirements) section for details on using an external database. -1. **Post-Installation Steps**: Anchore Enterprise will take some time to initialize. After the bootstrap phase, it will begin a vulnerability feed sync. Image analysis will show zero vulnerabilities until this sync is complete. This can take several hours based on the enabled feeds. Use the following [anchorectl](https://docs.anchore.com/current/docs/deployment/anchorectl/) commands to check the system status: +4. **Post-Installation Steps**: Anchore Enterprise will take some time to initialize. Use the following [anchorectl](https://docs.anchore.com/current/docs/deployment/anchorectl/) commands to check the system status: ```shell export NAMESPACE=anchore 
@@ -93,23 +89,10 @@ This guide covers deploying Anchore Enterprise on a Kubernetes cluster with the ### Installing on Openshift -As of August 2, 2023, Helm does not offer native support for passing `null` values to child or dependency charts. For details, refer to this [Helm GitHub issue](https://github.com/helm/helm/issues/9027). Given that the `feeds` chart is a dependency, a workaround is to deploy it as a standalone chart and configure the `enterprise` deployment to point to this separate `feeds` deployment. - -Additionally, be aware that you'll need to either disable or properly set the parameters for `containerSecurityContext`, `runAsUser`, and `fsGroup` for the `ui-redis` and any PostgreSQL database that you deploy using the Enterprise chart (e.g., via `postgresql.chartEnabled` or `feeds-db.chartEnabled`). +You will need to either disable or properly set the parameters for `containerSecurityContext`, `runAsUser`, and `fsGroup` for the `ui-redis` and any PostgreSQL database that you deploy using the Enterprise chart (e.g., via `postgresql.chartEnabled`). For example: -1. **Deploy feeds chart as a standalone deployment:** - - ```shell - helm install my-release anchore/feeds \ - --set securityContext.fsGroup=null \ - --set securityContext.runAsGroup=null \ - --set securityContext.runAsUser=null \ - --set feeds-db.primary.containerSecurityContext.enabled=false \ - --set feeds-db.primary.podSecurityContext.enabled=false - ``` - 1. **Deploy the enterprise chart with appropriate values:** ```shell @@ -117,8 +100,6 @@ For example: --set securityContext.fsGroup=null \ --set securityContext.runAsGroup=null \ --set securityContext.runAsUser=null \ - --set feeds.chartEnabled=false \ - --set feeds.url=my-release-feeds \ --set postgresql.primary.containerSecurityContext.enabled=false \ --set postgresql.primary.podSecurityContext.enabled=false \ --set ui-redis.master.podSecurityContext.enabled=false \ 
@@ -136,9 +117,6 @@ securityContext: fsGroup: null runAsGroup: null runAsUser: null -feeds: - chartEnabled: false - url: my-release-feeds postgresql: primary: containerSecurityContext: @@ -188,8 +166,6 @@ After deleting the helm release, there are still a few persistent volume claims export RELEASE=my-release kubectl get pvc -n ${NAMESPACE} - kubectl delete pvc ${RELEASE}-feeds -n ${NAMESPACE} - kubectl delete pvc ${RELEASE}-feeds-db -n ${NAMESPACE} kubectl delete pvc ${RELEASE}-postgresql -n ${NAMESPACE} ``` 
@@ -275,47 +251,6 @@ cloudsql: serviceAccJsonName: for_cloudsql.json ``` -### Enterprise Feeds Configuration - -The Anchore Enterprise Feeds service is provided as a dependent [Helm chart](https://github.com/anchore/anchore-charts/tree/main/stable/feeds). This service is comprised of different drivers for different vulnerability feeds. The drivers can be configured separately, and some drivers require a token or other credential. - -See the [Anchore Enterprise Feeds](https://docs.anchore.com/current/docs/configuration/feeds/) documentation for details. - -```yaml -feeds: - anchoreConfig: - feeds: - drivers: - github: - enabled: true - # The GitHub feeds driver requires a GitHub developer personal access token with no permission scopes selected. - # See https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token - token: your-github-token - msrc: - enabled: true -``` - -#### Enterprise Feeds External Database Configuration - -Anchore Enterprise Feeds requires the use of a PostgreSQL-compatible database version 13 or above. This database is distinct from the primary Anchore Enterprise database. For production environments, leveraging managed database services like AWS RDS or Google Cloud SQL is advised. While the Helm chart includes a chart-managed database by default, you can override this setting to use an external database. - -See previous [examples](#external-database-requirements) of configuring RDS Postgresql and Google CloudSQL. - -```yaml -feeds: - anchoreConfig: - database: - ssl: true - sslMode: require - - feeds-db: - enabled: false - auth.password: - auth.username: - auth.database: - externalEndpoint: -``` - ### Analyzer Image Layer Cache Configuration To improve performance, the Anchore Enterprise Analyzer can be configured to cache image layers. This can be particularly helpful if many images analyzed are built from the same set of base images. 
@@ -356,7 +291,6 @@ Configuration of external analysis archive storage is essentially identical to c For deployments where version-controlled configurations are essential, it's advised to avoid storing credentials directly in values files. Instead, manually create Kubernetes secrets and reference them as existing secrets within your values files. When using existing secrets, the chart will load environment variables into deployments from the secret names specified by the following values: - `.Values.existingSecretName` [default: anchore-enterprise-env] -- `.Values.feeds.existingSecretName` [default: anchore-enterprise-feeds-env] - `.Values.ui.existingSecretName` [default: anchore-enterprise-ui-env] To enable this feature, set the following values to `true` in your values file: @@ -364,8 +298,6 @@ To enable this feature, set the following values to `true` in your values file: ```yaml useExistingSecrets: true -feeds: - useExistingSecrets: true ``` Below are sample Kubernetes secret objects and corresponding guidelines on integrating them into your Anchore Enterprise configuration. 
@@ -397,34 +329,13 @@ stringData: ANCHORE_APPDB_URI: postgresql://anchoreengine:anchore-postgres,123@anchore-postgresql:5432/anchore ANCHORE_REDIS_URI: redis://:anchore-redis,123@anchore-ui-redis-master:6379 ---- -apiVersion: v1 -kind: Secret -metadata: - name: anchore-enterprise-feeds-env - app: anchore -type: Opaque -stringData: - ANCHORE_ADMIN_PASSWORD: foobar1234 - ANCHORE_FEEDS_DB_NAME: anchore-feeds - ANCHORE_FEEDS_DB_USER: anchoreengine - ANCHORE_FEEDS_DB_PASSWORD: anchore-postgres,123 - ANCHORE_FEEDS_DB_HOST: anchore-enterprise-feeds-db - ANCHORE_FEEDS_DB_PORT: 5432 - # (if applicable) ANCHORE_SAML_SECRET: foobar,saml1234 - # (if applicable) ANCHORE_GITHUB_TOKEN: foobar,github1234 - # (if applicable) ANCHORE_NVD_API_KEY: foobar,nvd1234 - # (if applicable) ANCHORE_GEM_DB_NAME: anchore-gems - # (if applicable) ANCHORE_GEM_DB_USER: anchoregemsuser - # (if applicable) ANCHORE_GEM_DB_PASSWORD: foobar1234 - # (if applicable) ANCHORE_GEM_DB_HOST: anchorefeeds-gem-db.example.com:5432 ``` ### Ingress [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) serves as the gateway to expose HTTP and HTTPS routes from outside the Kubernetes cluster to services within it. Routing is governed by rules specified in the Ingress resource. Kubernetes supports a variety of ingress controllers, such as AWS ALB and GCE controllers. -This Helm chart includes a foundational ingress configuration that is customizable. You can expose various Anchore Enterprise external APIs, including the core API, UI, reporting, and feeds, by editing the `ingress` section in your values file. +This Helm chart includes a foundational ingress configuration that is customizable. You can expose various Anchore Enterprise external APIs, including the core API, UI, and Reporting by editing the `ingress` section in your values file. Ingress is disabled by default in this Helm chart. 
To enable it, along with the [NGINX ingress controller](https://kubernetes.github.io/ingress-nginx/) for core API and UI routes, set the `ingress.enabled` value to `true`. @@ -448,17 +359,11 @@ ingress: - anchore-api.example.com uiHosts: - anchore-ui.example.com - feedsHosts: - - anchore-feeds.example.com api: service: type: NodePort -feeds: - service: - type: NodePort - ui: service: type: NodePort @@ -476,26 +381,17 @@ ingress: - /v1/* - /v2/* - /version/* - feedsPaths: - - /v1/feeds/* - - /v2/feeds/* uiPath: /* apiHosts: - anchore-api.example.com uiHosts: - anchore-ui.example.com - feedsHosts: - - anchore-feeds.example.com api: service: type: NodePort -feeds: - service: - type: NodePort - ui: service: type: NodePort @@ -572,11 +468,6 @@ spec: interval: 30s path: /metrics scheme: http - # feeds - - targetPort: 8448 - interval: 30s - path: /metrics - scheme: http # reports - targetPort: 8558 interval: 30s 
@@ -656,264 +547,6 @@ ui: ldapsRootCaCertName: ldap-combined-ca-cert-bundle.pem ``` -## Migrating to the Anchore Enterprise Helm Chart - -This guide provides steps for transitioning from an Anchore Engine Helm chart deployment to the updated Anchore Enterprise Helm chart, a necessary step for users planning to upgrade to Anchore Enterprise version v5.0.0 or later. - - > :warning: **Warning**: The values file used by the Anchore Enterprise Helm chart is different from the one used by the Anchore Engine Helm chart. Make sure to convert your existing values file accordingly. - -A [migration script](https://github.com/anchore/anchore-charts/tree/main/scripts) is available to automate the conversion of your Anchore Engine values file to the new Enterprise format. A usage example is provided below. - -### Migration Prerequisites - -- **Anchore Version**: Ensure that your current deployment is running Anchore Enterprise version 4.9.x (but not v5.0.0+). This is required to ensure that the migration script can properly convert your values file. - - > **Note:** Upgrade your [anchore-engine](https://github.com/anchore/anchore-charts/tree/main/stable/anchore-engine) chart deployment to `v1.28.0` or higher to ensure that you're running Anchore Enterprise v4.9.x. - -- **PostgreSQL Version**: You need PostgreSQL version 13 or higher. For upgrading your existing PostgreSQL installation, refer to the official [PostgreSQL documentation](https://www.postgresql.org/docs/13/upgrading.html). Database migration help for helm managed PostgreSQL deployments is provided below. - - > **Note:** This chart deploys PostgreSQL 13 by default. - -- **Runtime Environment**: Docker or Podman must be installed on the machine where the migration will run. - -### Expected Changes to Your Deployment - -The Anchore Enterprise Helm chart introduces several changes to the deployment compared to the Anchore Engine chart deployment. These changes are outlined below. 
- -#### Service Names - -- All service names have been updated to follow the Enterprise naming convention: - - `-anchore-engine-api` -> `-enterprise-api` - - `-anchore-engine-catalog` -> `-enterprise-catalog` - - `-anchore-engine-enterprise-feeds` -> `-feeds` - - `-anchore-engine-enterprise-notifications` -> `-enterprise-notifications` - - `-anchore-engine-enterprise-reports` -> `-enterprise-reports` - - `-anchore-engine-enterprise-ui` -> `-enterprise-ui` - - `-anchore-engine-policy` -> `-enterprise-policy` - - `-anchore-engine-simplequeue` -> `-enterprise-simplequeue` - -#### Labels, Annotations & Selectors - -- Standard Kubernetes labels and annotations replace the custom ones used in Anchore Engine: - - `component` -> `app.kubernetes.io/component` - - `release` -> `app.kubernetes.io/instance` - - `app` -> `app.kubernetes.io/name` - - `chart` -> `helm.sh/chart` - -#### Dependent Services - -- The Feeds service is now deployed as a dependent chart, it can be configured using the [Feeds Values](https://github.com/anchore/anchore-charts/blob/main/stable/feeds/values.yaml) -- The bundled PostgreSQL chart has been replaced with the Bitnami PostgreSQL Chart as a dependency. Configuration options can be found in the [Postgresql Values](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml). - -#### Upgrade Behavior - -- Pre-upgrade Helm hooks, along with a Bitnami/kubectl init container, are used to terminate all pods before running the Anchore upgrade. You can revert to legacy post-upgrade hooks by setting `upgradeJob.usePostUpgradeHook=true`. - -#### Application Configuration - -- Configuration is now primarily managed through environment variables, specified in the `-enterprise-config-env-vars` ConfigMap and set via the values file. -- Previously, unexposed values for advanced Anchore configurations have been removed. Instead, you can use the `extraEnv` value to set the required environment variables. 
- -### Migration Rollback Strategy - -The migration employs a blue/green deployment strategy to minimize risk and facilitate easy rollback. Should you encounter issues during the migration, reverting to the prior state is straightforward: simply scale your Anchore-Engine deployment back up. - -For those using an external PostgreSQL database without the benefit of a blue/green deployment strategy, a manual database restoration is necessary. Utilize a pre-migration backup to restore the database to its previous version, and then proceed to scale your Anchore-Engine deployment back up. - -See the [Migration Rollback Steps](#migration-rollback-steps) section for more details. - -### Step-by-Step Migration Process - -1. **Upgrade Existing Anchore Engine Deployment**: Upgrade your existing Anchore Engine deployment to chart version 1.28.0 or higher. This will ensure that your deployment is running Anchore Enterprise v4.9.x. - - ```shell - export NAMESPACE=anchore - export ENGINE_RELEASE= # Existing Engine release name - export VALUES_FILE_NAME=my-values-file.yaml # Existing Engine chart values file - - helm repo update - helm upgrade ${ENGINE_RELEASE} -n ${NAMESPACE} anchore/anchore-engine -f ${VALUES_FILE_NAME} --version=^1.28.0 - ``` - -1. **Generate a New Enterprise Values File**: Use the migration script to convert your existing Anchore Engine values file to the new Anchore Enterprise format. - - >**Note**: This command mounts a local volume to persistently store the output files, it also mounts the input values file within the container for conversion. It's critical to review both the output logs and the new `output/enterprise.values.yaml` file before moving forward. 
- - ```shell - export VALUES_FILE_NAME=my-values-file.yaml # Existing Engine chart values file - - docker run -v ${PWD}:/tmp -v ${PWD}/${VALUES_FILE_NAME}:/app/${VALUES_FILE_NAME} docker.io/anchore/enterprise-helm-migrator:latest -e /app/${VALUES_FILE_NAME} -d /tmp/output - ``` - -### If Using an External PostgreSQL Database - -1. **Scale Down Anchore Engine**: To avoid data inconsistency, scale down your existing Anchore Engine deployment to zero replicas. - - ```shell - export NAMESPACE=anchore - export ENGINE_RELEASE= - - kubectl scale deployment --replicas=0 -l app=${ENGINE_RELEASE}-anchore-engine -n ${NAMESPACE} - ``` - -1. **Perform database backup**: Backup your external database. See the official [PostgreSQL documentation](https://www.postgresql.org/docs/13/backup.html) for guidance. If using a managed cloud database service refer to their documentation. - -1. **Perform database upgrade**: Upgrade your external database. See the official [PostgreSQL documentation](https://www.postgresql.org/docs/13/upgrading.html) for guidance. If using a managed cloud database service refer to their documentation. - - > Tip: Leveraging a backup to instantiate a new database instance enables a non-intrusive database upgrade and Enterprise chart migration. This approach preserves the integrity of your original database. By adopting a blue/green deployment strategy for the migration, you gain the advantage of effortless rollbacks in case of migration-related issues. - -1. **(Optional) Update Database Hostname**: If you're employing a blue/green deployment strategy for the database upgrade, update the database hostname in your values file and/or existing Kubernetes secrets to point to your newly created database instance. This step is essential for properly configuring the Enterprise chart to use the new database. - -1. **Deploy Anchore Enterprise**: Use the converted values file to deploy the new Anchore Enterprise Helm chart. 
- - >**Note:** If you are **not using existing secrets**, you will need to uncomment the `ADMIN_PASS` and `SET_ADMIN_PASS` export commands below. This is needed to ensure that your Enterprise deployment stores the correct Anchore admin password in the secret. - - ```shell - export NAMESPACE=anchore - export ENTERPRISE_RELEASE= - export ENTERPRISE_VALUES_FILE=${PWD}/output/enterprise.my-values-file.yaml - - # If you are not using existing secrets, uncomment the following export commands - # - # export ADMIN_PASS=$(kubectl get secret -n ${NAMESPACE} ${ENGINE_RELEASE}-anchore-engine-admin-pass -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 -d -) - # export SET_ADMIN_PASS=("--set" "anchoreConfig.default_admin_password=${ADMIN_PASS}") - - helm install ${ENTERPRISE_RELEASE} -n ${NAMESPACE} ${SET_ADMIN_PASS[@]} -f ${ENTERPRISE_VALUES_FILE} anchore/enterprise --version=^1.0.0 - ``` - -1. **Verification and Cleanup**: After confirming that the Anchore Enterprise deployment is functional, you can safely uninstall the old Anchore Engine deployment. - - ```shell - export NAMESPACE=anchore - export ENGINE_RELEASE= - - helm uninstall ${ENGINE_RELEASE} -n ${NAMESPACE} - ``` - - You may now have old engine persistent volume claims to delete. Delete these only when you are confident with the state of your new Enterprise Chart deployment. - - ```shell - export NAMESPACE=anchore - export ENGINE_RELEASE= - - kubectl get pvc -n ${NAMESPACE} - kubectl delete pvc ${ENGINE_RELEASE}-anchore-engine-enterprise-feeds -n ${NAMESPACE} - -### If Using the Dependent PostgreSQL Chart - -1. **Scale Down Anchore Engine**: To avoid data inconsistency, scale down your existing Anchore Engine deployment to zero replicas. - - ```shell - export NAMESPACE=anchore - export ENGINE_RELEASE= - - kubectl scale deployment --replicas=0 -l app=${ENGINE_RELEASE}-anchore-engine -n ${NAMESPACE} - ``` - -1. 
**Deploy Anchore Enterprise**: Use the converted values file to deploy the new Anchore Enterprise Helm chart. - - >**Note:** You will have to migrate data from the old database to the new one after the chart is installed. The enterprise chart contains a helper pod to aid with this. This helper pod is enabled using the `startMigrationPod=true` & `migrationAnchoreEngineSecretName=${ENGINE_RELEASE}-anchore-engine` flags in the following command. - > - > If you **are using existing secrets**, you should ignore setting the `ADMIN_PASS` and `SET_ADMIN_PASS` environment variables. - - ```shell - export NAMESPACE=anchore - export ENGINE_RELEASE= - export ENTERPRISE_RELEASE= - export ENTERPRISE_VALUES_FILE=${PWD}/output/enterprise.my-values-file.yaml # The converted file - - # If you are using existing secrets, ignore the following export commands - # - export ADMIN_PASS=$(kubectl get secret -n ${NAMESPACE} ${ENGINE_RELEASE}-anchore-engine-admin-pass -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 -d -) - export SET_ADMIN_PASS=("--set" "anchoreConfig.default_admin_password=${ADMIN_PASS}") - - helm install ${ENTERPRISE_RELEASE} -n ${NAMESPACE} --set startMigrationPod=true --set migrationAnchoreEngineSecretName=${ENGINE_RELEASE}-anchore-engine ${SET_ADMIN_PASS[@]} anchore/enterprise -f ${ENTERPRISE_VALUES_FILE} --version=^1.0.0 - ``` - -1. **Scale Down Anchore Enterprise**: Before migrating the database, scale down the new Anchore Enterprise deployment to zero replicas. - - ```shell - export NAMESPACE=anchore - export ENTERPRISE_RELEASE= - - kubectl scale deployment -n ${NAMESPACE} --replicas=0 -l app.kubernetes.io/instance=${ENTERPRISE_RELEASE} - ``` - -1. **Database Preparation**: Replace the existing Anchore database schema with a new database schema in the PostgreSQL 13 deployment. 
If you set `startMigrationPod=true` as per the step above, you can exec into the migrator pod using the following commands: - - ```shell - export NAMESPACE=anchore - export ENTERPRISE_RELEASE= - - kubectl -n ${NAMESPACE} exec -it ${ENTERPRISE_RELEASE}-enterprise-migrate-db -- /bin/bash -c 'PGPASSWORD=${NEW_DB_PASSWORD} dropdb -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} ${NEW_DB_NAME}; PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} -c "CREATE DATABASE ${NEW_DB_NAME}" postgres' - ``` - -1. **Data Migration**: Migrate data from the old Anchore Engine database to the new Anchore Enterprise database. - - - If you are using the migration helper pod, exec into that pod and perform the database migration using following commands: - - ```shell - export NAMESPACE=anchore - export ENTERPRISE_RELEASE= - - kubectl -n ${NAMESPACE} exec -it ${ENTERPRISE_RELEASE}-enterprise-migrate-db -- /bin/bash -c 'PGPASSWORD=${OLD_DB_PASSWORD} pg_dump -h ${OLD_DB_HOST} -U ${OLD_DB_USERNAME} -c ${OLD_DB_NAME} | PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} ${NEW_DB_NAME}' - ``` - - - If you are using your own pod then follow these steps - - 1. Gather old DB parameters from the secret ${OLD_ENGINE_RELEASE}-anchore-engine - 1. Gather new DB parameters from the new secret ${NEW_ENTERPRISE_RELEASE}-enterprise - 1. Start a migration pod that has all the psql binaries required e.g. docker.io/postgresql:13 - 1. Export all the required environment variables - - ```shell - PGPASSWORD=${OLD_DB_PASSWORD} pg_dump -h ${OLD_DB_HOST} -U ${OLD_DB_USERNAME} -c ${OLD_DB_NAME} | PGPASSWORD=${NEW_DB_PASSWORD} psql -h ${NEW_DB_HOST} -U ${NEW_DB_USERNAME} ${NEW_DB_NAME} - ``` - -1. **Upgrade Anchore Enterprise**: After migrating the data, upgrade the Anchore Enterprise Helm deployment. 
- - ```shell - export NAMESPACE=anchore - export ENTERPRISE_RELEASE= - export ENTERPRISE_VALUES_FILE=${PWD}/output/enterprise.my-values-file.yaml # The converted file - - helm upgrade ${ENTERPRISE_RELEASE} -n ${NAMESPACE} --set startMigrationPod=false anchore/enterprise -f ${ENTERPRISE_VALUES_FILE} --version=^1.0.0 - ``` - -1. **Final Verification and Cleanup**: After ensuring the new deployment is operational, uninstall the old Anchore Engine deployment. - - ```shell - export NAMESPACE=anchore - export ENGINE_RELEASE= - - helm uninstall ${ENGINE_RELEASE} -n ${NAMESPACE} - ``` - - You may now have old engine persistent volume claims to delete. Delete these only when you are confident with the state of your new Enterprise Chart deployment. - - ```shell - export NAMESPACE=anchore - export ENGINE_RELEASE= - - kubectl get pvc -n ${NAMESPACE} - kubectl delete pvc ${ENGINE_RELEASE}-anchore-engine-enterprise-feeds -n ${NAMESPACE} - kubectl delete pvc ${ENGINE_RELEASE}-anchore-feeds-db -n ${NAMESPACE} - kubectl delete pvc ${ENGINE_RELEASE}-postgresql -n ${NAMESPACE} - ``` - -### Migration Rollback Steps - -In case of issues during the migration, execute the following rollback steps: - -1. **Uninstall the Anchore Enterprise Chart**: Remove the Anchore Enterprise deployment from your cluster. -1. **Remove Migrated Values File**: Delete the `output` directory generated by the migration script. -1. **Erase Enterprise Database**: Delete the database associated with the Anchore Enterprise deployment. -1. **(Optional) Restore Anchore-Engine Database**: If necessary, restore the Anchore-Engine database from a backup. -1. **Reactivate Anchore Engine**: Scale the Anchore Engine deployment back to its original state. -1. **Retry Migration**: Re-attempt the migration process following the initial steps. - -This rollback procedure is designed to revert your environment to its pre-migration state, allowing for a fresh migration attempt. 
- ## Object Storage Migration To cleanly migrate data from one archive driver to another, Anchore Enterprise includes some tooling that automates the process in the ‘anchore-enterprise-manager’ tool packaged with the system. 
@@ -1008,50 +641,57 @@ To restore your deployment to using your previous driver configurations: ### Common Resource Parameters -| Name | Description | Value | -| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | -| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.9.0` | -| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | -| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | -| `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` | -| `migrationPodImage` | The image reference to the migration pod | `docker.io/postgres:13-bookworm` | -| `migrationAnchoreEngineSecretName` | The name of the secret that has anchore-engine values | `my-engine-anchore-engine` | -| `serviceAccountName` | Name of a service account used to run all Anchore pods | `""` | -| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | -| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | -| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | -| `extraEnv` | Common environment variables set on all containers | `[]` | -| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | -| `existingSecretName` | Name of an existing secret to be used for Anchore core services, excluding Anchore UI | `anchore-enterprise-env` | -| `labels` | Common labels set on all Kubernetes resources | `{}` | -| `annotations` | Common annotations set on all Kubernetes resources | `{}` | -| `nodeSelector` 
| Common nodeSelector set on all Kubernetes pods | `{}` | -| `tolerations` | Common tolerations set on all Kubernetes pods | `[]` | -| `affinity` | Common affinity set on all Kubernetes pods | `{}` | -| `scratchVolume.mountPath` | The mount path of an external volume for scratch space. Used for the following pods: analyzer, policy-engine, catalog, and reports | `/analysis_scratch` | -| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions on all scratch volumes | `false` | -| `scratchVolume.fixerInitContainerImage` | The image to use for the mode-fixer initContainer | `alpine` | -| `scratchVolume.details` | Details for the k8s volume to be created (defaults to default emptyDir) | `{}` | -| `extraVolumes` | mounts additional volumes to each pod | `[]` | -| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | -| `securityContext.runAsUser` | The securityContext runAsUser for all Anchore pods | `1000` | -| `securityContext.runAsGroup` | The securityContext runAsGroup for all Anchore pods | `1000` | -| `securityContext.fsGroup` | The securityContext fsGroup for all Anchore pods | `1000` | -| `containerSecurityContext` | The securityContext for all containers | `{}` | -| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | -| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | -| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | -| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | -| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | -| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | -| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | -| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | -| `probes.readiness.successThreshold` | Success threshold for 
the readiness probe | `1` | -| `doSourceAtEntry.enabled` | Does a `source` of the file path defined before starting Anchore services | `false` | -| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | -| `configOverride` | Allows for overriding the default Anchore configuration file | `""` | -| `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | -| `domainSuffix` | domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". | `""` | +| Name | Description | Value | +| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | +| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.10.0` | +| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | +| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | +| `useExistingPullCredSecret` | forgoes pullcred secret creation and uses the secret defined in imagePullSecretName | `true` | +| `imageCredentials.registry` | The registry URL for the image pull secret | `""` | +| `imageCredentials.username` | The username for the image pull secret | `""` | +| `imageCredentials.password` | The password for the image pull secret | `""` | +| `imageCredentials.email` | The email for the image pull secret | `""` | +| `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` | +| `migrationPodImage` | The image reference to the migration pod | `docker.io/postgres:13-bookworm` | +| `migrationAnchoreEngineSecretName` | The name of the secret that has anchore-engine values | `my-engine-anchore-engine` | +| `serviceAccountName` | Name 
of a service account used to run all Anchore pods | `""` | +| `injectSecretsViaEnv` | Enable secret injection into pod via environment variables instead of via k8s secrets | `false` | +| `license` | License for Anchore Enterprise | `{}` | +| `licenseSecretName` | Name of the Kubernetes secret containing your license.yaml file | `anchore-enterprise-license` | +| `useExistingLicenseSecret` | forgoes license secret creation and uses the secret defined in licenseSecretName | `true` | +| `certStoreSecretName` | Name of secret containing the certificates & keys used for SSL, SAML & CAs | `""` | +| `extraEnv` | Common environment variables set on all containers | `[]` | +| `useExistingSecrets` | forgoes secret creation and uses the secret defined in existingSecretName | `false` | +| `existingSecretName` | Name of an existing secret to be used for Anchore core services, excluding Anchore UI | `anchore-enterprise-env` | +| `labels` | Common labels set on all Kubernetes resources | `{}` | +| `annotations` | Common annotations set on all Kubernetes resources | `{}` | +| `nodeSelector` | Common nodeSelector set on all Kubernetes pods | `{}` | +| `tolerations` | Common tolerations set on all Kubernetes pods | `[]` | +| `affinity` | Common affinity set on all Kubernetes pods | `{}` | +| `scratchVolume.mountPath` | The mount path of an external volume for scratch space. 
Used for the following pods: analyzer, policy-engine, catalog, and reports | `/analysis_scratch` | +| `scratchVolume.fixGroupPermissions` | Enable an initContainer that will fix the fsGroup permissions on all scratch volumes | `false` | +| `scratchVolume.fixerInitContainerImage` | The image to use for the mode-fixer initContainer | `alpine` | +| `scratchVolume.details` | Details for the k8s volume to be created (defaults to default emptyDir) | `{}` | +| `extraVolumes` | mounts additional volumes to each pod | `[]` | +| `extraVolumeMounts` | mounts additional volumes to each pod | `[]` | +| `securityContext.runAsUser` | The securityContext runAsUser for all Anchore pods | `1000` | +| `securityContext.runAsGroup` | The securityContext runAsGroup for all Anchore pods | `1000` | +| `securityContext.fsGroup` | The securityContext fsGroup for all Anchore pods | `1000` | +| `containerSecurityContext` | The securityContext for all containers | `{}` | +| `probes.liveness.initialDelaySeconds` | Initial delay seconds for liveness probe | `120` | +| `probes.liveness.timeoutSeconds` | Timeout seconds for liveness probe | `10` | +| `probes.liveness.periodSeconds` | Period seconds for liveness probe | `10` | +| `probes.liveness.failureThreshold` | Failure threshold for liveness probe | `6` | +| `probes.liveness.successThreshold` | Success threshold for liveness probe | `1` | +| `probes.readiness.timeoutSeconds` | Timeout seconds for the readiness probe | `10` | +| `probes.readiness.periodSeconds` | Period seconds for the readiness probe | `10` | +| `probes.readiness.failureThreshold` | Failure threshold for the readiness probe | `3` | +| `probes.readiness.successThreshold` | Success threshold for the readiness probe | `1` | +| `doSourceAtEntry.enabled` | Does a `source` of the file path defined before starting Anchore services | `false` | +| `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | +| `configOverride` | Allows for 
overriding the default Anchore configuration file | `""` | +| `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | +| `domainSuffix` | domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". | `""` | ### Anchore Configuration Parameters @@ -1089,6 +729,7 @@ To restore your deployment to using your previous driver configurations: | `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `true` | | `anchoreConfig.user_authentication.sso_require_existing_users` | set to true in order to disable the SSO JIT provisioning during authentication | `false` | | `anchoreConfig.user_authentication.disallow_native_users` | Disallow native users to authenticate by any method. Only SSO/'saml' users will be able to access the system. | `false` | +| `anchoreConfig.user_authentication.log_saml_assertions` | Enable logging of received SAML assertions at INFO level for SSO debugging in API container. | `false` | | `anchoreConfig.metrics.enabled` | Enable Prometheus metrics for all Anchore services | `false` | | `anchoreConfig.metrics.auth_disabled` | Disable auth on Prometheus metrics for all Anchore services | `false` | | `anchoreConfig.webhooks` | Enable Anchore services to provide webhooks for external system updates | `{}` | 
@@ -1136,7 +777,8 @@ To restore your deployment to using your previous driver configurations: | `anchoreConfig.catalog.down_analyzer_task_requeue` | Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state | `true` | | `anchoreConfig.policy_engine.cycle_timers.feed_sync` | Interval to run a feed sync to get latest cve data | `14400` | | `anchoreConfig.policy_engine.cycle_timers.feed_sync_checker` | Interval between checks to see if there needs to be a task queued | `3600` | -| `anchoreConfig.policy_engine.overrideFeedsToUpstream` | Override the Anchore Feeds URL to use the public upstream Anchore Feeds | `false` | +| `anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers` | List of providers to exclude from matching | `nil` | +| `anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types` | List of package types to exclude from matching | `nil` | | `anchoreConfig.policy_engine.enable_user_base_image` | Enables usage of Well Known Annotation to identify base image for use in ancestry calculations | `true` | | `anchoreConfig.notifications.cycle_timers.notifications` | Interval that notifications are sent | `30` | | `anchoreConfig.notifications.ui_url` | Set the UI URL that is included in the notification, defaults to the Enterprise UI service name | `""` | 
@@ -1240,14 +882,28 @@ To restore your deployment to using your previous driver configurations: | `catalog.serviceAccountName` | Service account name for Anchore Catalog pods | `""` | | `catalog.scratchVolume.details` | Details for the k8s volume to be created for Anchore Catalog scratch space | `{}` | -### Anchore Feeds Chart Parameters +### Anchore DataSyncer k8s Deployment Parameters -| Name | Description | Value | -| -------------------- | ---------------------------------------------------------------------------------------------- | ------- | -| `feeds.chartEnabled` | Enable the Anchore Feeds chart | `true` | -| `feeds.standalone` | Sets the Anchore Feeds chart to run into non-standalone mode, for use with Anchore Enterprise. | `false` | -| `feeds.url` | Set the URL for a standalone Feeds service. Use when chartEnabled=false. | `""` | -| `feeds.resources` | Resource requests and limits for Anchore Feeds pods | `{}` | +| Name | Description | Value | +| ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| `dataSyncer.replicaCount` | Number of replicas for the Anchore DataSyncer deployment | `1` | +| `dataSyncer.service.type` | Service type for Anchore DataSyncer | `ClusterIP` | +| `dataSyncer.service.port` | Service port for Anchore DataSyncer | `8778` | +| `dataSyncer.service.annotations` | Annotations for Anchore DataSyncer service | `{}` | +| `dataSyncer.service.labels` | Labels for Anchore DataSyncer service | `{}` | +| `dataSyncer.service.nodePort` | nodePort for Anchore DataSyncer service | `""` | +| `dataSyncer.service.domainSuffix` | domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". 
Takes precedence over the top level domainSuffix | `""` | +| `dataSyncer.extraEnv` | Set extra environment variables for Anchore DataSyncer pods | `[]` | +| `dataSyncer.extraVolumes` | Define additional volumes for Anchore DataSyncer pods | `[]` | +| `dataSyncer.extraVolumeMounts` | Define additional volume mounts for Anchore DataSyncer pods | `[]` | +| `dataSyncer.resources` | Resource requests and limits for Anchore DataSyncer pods | `{}` | +| `dataSyncer.labels` | Labels for Anchore DataSyncer pods | `{}` | +| `dataSyncer.annotations` | Annotation for Anchore DataSyncer pods | `{}` | +| `dataSyncer.nodeSelector` | Node labels for Anchore DataSyncer pod assignment | `{}` | +| `dataSyncer.tolerations` | Tolerations for Anchore DataSyncer pod assignment | `[]` | +| `dataSyncer.affinity` | Affinity for Anchore DataSyncer pod assignment | `{}` | +| `dataSyncer.serviceAccountName` | Service account name for Anchore DataSyncer pods | `""` | +| `dataSyncer.scratchVolume.details` | Details for the k8s volume to be created for Anchore DataSyncer scratch space | `{}` | ### Anchore Notifications Parameters 
@@ -1363,29 +1019,29 @@ To restore your deployment to using your previous driver configurations: ### Anchore UI Parameters -| Name | Description | Value | -| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | -| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.9.0` | -| `ui.imagePullPolicy` | Image pull policy for Anchore UI image | `IfNotPresent` | -| `ui.existingSecretName` | Name of an existing secret to be used for Anchore UI DB and Redis endpoints | `anchore-enterprise-ui-env` | -| `ui.ldapsRootCaCertName` | Name of the custom CA certificate file store in `.Values.certStoreSecretName` | `""` | -| `ui.service.type` | Service type for Anchore UI | `ClusterIP` | -| `ui.service.port` | Service port for Anchore UI | `80` | -| `ui.service.annotations` | Annotations for Anchore UI service | `{}` | -| `ui.service.labels` | Labels for Anchore UI service | `{}` | -| `ui.service.sessionAffinity` | Session Affinity for Ui service | `ClientIP` | -| `ui.service.nodePort` | nodePort for Anchore UI service | `""` | -| `ui.service.domainSuffix` | domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". 
Takes precedence over the top level domainSuffix | `""` | -| `ui.extraEnv` | Set extra environment variables for Anchore UI pods | `[]` | -| `ui.extraVolumes` | Define additional volumes for Anchore UI pods | `[]` | -| `ui.extraVolumeMounts` | Define additional volume mounts for Anchore UI pods | `[]` | -| `ui.resources` | Resource requests and limits for Anchore UI pods | `{}` | -| `ui.labels` | Labels for Anchore UI pods | `{}` | -| `ui.annotations` | Annotation for Anchore UI pods | `{}` | -| `ui.nodeSelector` | Node labels for Anchore UI pod assignment | `{}` | -| `ui.tolerations` | Tolerations for Anchore UI pod assignment | `[]` | -| `ui.affinity` | Affinity for Anchore ui pod assignment | `{}` | -| `ui.serviceAccountName` | Service account name for Anchore UI pods | `""` | +| Name | Description | Value | +| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | +| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.10.0` | +| `ui.imagePullPolicy` | Image pull policy for Anchore UI image | `IfNotPresent` | +| `ui.existingSecretName` | Name of an existing secret to be used for Anchore UI DB and Redis endpoints | `anchore-enterprise-ui-env` | +| `ui.ldapsRootCaCertName` | Name of the custom CA certificate file store in `.Values.certStoreSecretName` | `""` | +| `ui.service.type` | Service type for Anchore UI | `ClusterIP` | +| `ui.service.port` | Service port for Anchore UI | `80` | +| `ui.service.annotations` | Annotations for Anchore UI service | `{}` | +| `ui.service.labels` | Labels for Anchore UI service | `{}` | +| `ui.service.sessionAffinity` | Session Affinity for Ui service | `ClientIP` | +| `ui.service.nodePort` | nodePort for Anchore UI service | `""` | +| `ui.service.domainSuffix` | domain suffix for appending to the 
ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". Takes precedence over the top level domainSuffix | `""` | +| `ui.extraEnv` | Set extra environment variables for Anchore UI pods | `[]` | +| `ui.extraVolumes` | Define additional volumes for Anchore UI pods | `[]` | +| `ui.extraVolumeMounts` | Define additional volume mounts for Anchore UI pods | `[]` | +| `ui.resources` | Resource requests and limits for Anchore UI pods | `{}` | +| `ui.labels` | Labels for Anchore UI pods | `{}` | +| `ui.annotations` | Annotation for Anchore UI pods | `{}` | +| `ui.nodeSelector` | Node labels for Anchore UI pod assignment | `{}` | +| `ui.tolerations` | Tolerations for Anchore UI pod assignment | `[]` | +| `ui.affinity` | Affinity for Anchore ui pod assignment | `{}` | +| `ui.serviceAccountName` | Service account name for Anchore UI pods | `""` | ### Anchore Upgrade Job Parameters @@ -1416,8 +1072,6 @@ To restore your deployment to using your previous driver configurations: | `ingress.apiPaths` | The path used for accessing the Anchore API | `["/v2/","/version/"]` | | `ingress.uiHosts` | List of custom hostnames for the Anchore UI | `[]` | | `ingress.uiPath` | The path used for accessing the Anchore UI | `/` | -| `ingress.feedsHosts` | List of custom hostnames for the Anchore Feeds API | `[]` | -| `ingress.feedsPaths` | The path used for accessing the Anchore Feeds API | `["/v2/feeds/"]` | | `ingress.tls` | Configure tls for the ingress resource | `[]` | | `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` | 
@@ -1490,10 +1144,47 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention. - **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update. +### V3.0.x + +- Deploys Anchore Enterprise v5.10.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/5100/) for more information. +- Feeds service has been removed as a dependency to the enterprise chart. Instead, Anchore will use Anchore's hosted Data Service. + - If you had any ingress pointing to the feeds service api, that is no longer necessary as it doesn't exist anymore. + - A new anchore component (deployment/service) called `datasyncer` has been added to sync with the Anchore hosted Data Service. +- :warning: **WARNING:** Values file changes necessary: + - **The following values will have to be set manually in your values file**: + - `anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers` + - `anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types` + - If you don't want to exclude any providers or package types, you can set them to an empty list. eg: + ``` + anchoreConfig: + policy_engine: + vulnerabilities: + matching: + exclude: + providers: [] + package_types: [] + ``` + - If you had any drivers disabled in your feeds deployment, you will have to exclude them. eg: + ``` + anchoreConfig: + policy_engine: + vulnerabilities: + matching: + exclude: + providers: ['nvd', 'github'] + package_types: ['rpm'] + ``` + Refer to the [Anchore docs](https://docs.anchore.com/current/docs/configuration/feeds/feed_configuration/) for the available providers and package_types. 
+- The following values were added to the values file to handle the creation or reuse of pull creds and Anchore license secrets: + - `useExistingLicenseSecret`: defaults to `true` to be backwards compatible with existing deployments. If you are doing a new deployment, you can either set the `license` field for the secret to be created for you or you can create the secret out of band from helm. + - `useExistingPullCredSecret`: defaults to `true` to be backwards compatible with existing deployments. If you are doing a new deployment, you can either set the `imageCredentials` fields for a secret to be created for you or create the secret out of band from helm. + ### V2.10.x + - Deploys Anchore Enterprise v5.9.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/590/) for more information. ### V2.9.x + - Deploys Anchore Enterprise v5.8.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/580/) for more information. - **Helm upgrade SLO improvements:** - Deployments will only be scaled down when database upgrades are required, as determined by a major/minor version change of the appVersion in Chart.yaml. diff --git a/stable/enterprise/ci/openshift-test.yaml b/stable/enterprise/ci/openshift-test.yaml index 17b2fedd..1b770578 100644 --- a/stable/enterprise/ci/openshift-test.yaml +++ b/stable/enterprise/ci/openshift-test.yaml @@ -2,9 +2,6 @@ securityContext: fsGroup: null runAsGroup: null runAsUser: null -feeds: - chartEnabled: false - url: "my-release-feeds" postgresql: primary: containerSecurityContext: @@ -16,4 +13,4 @@ ui-redis: podSecurityContext: enabled: false containerSecurityContext: - enabled: false \ No newline at end of file + enabled: false diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml index dad307c2..a0dc8d1c 100644 --- a/stable/enterprise/files/default_config.yaml +++ b/stable/enterprise/files/default_config.yaml 
@@ -55,7 +55,6 @@ audit: - "/user/api-keys/{key_name}" - "/user/credentials" - metrics: enabled: ${ANCHORE_ENABLE_METRICS} auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH} @@ -82,6 +81,7 @@ user_authentication: max_api_keys_per_user: {{ .Values.anchoreConfig.user_authentication.max_api_keys_per_user }} remove_deleted_user_api_keys_older_than_days: {{ .Values.anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days }} disallow_native_users: {{ .Values.anchoreConfig.user_authentication.disallow_native_users }} + log_saml_assertions: {{ .Values.anchoreConfig.user_authentication.log_saml_assertions }} credentials: database: user: "${ANCHORE_DB_USER}" @@ -199,14 +199,10 @@ services: data: grypedb: enabled: true - url: {{ template "enterprise.grypeProviderURL" . }} - packages: - enabled: ${ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED} - url: {{ template "enterprise.feedsURL" . }} - vulnerability_annotations: - enabled: ${ANCHORE_FEEDS_DRIVER_VULN_ANNOTATIONS_ENABLED} - url: {{ template "enterprise.feedsURL" . }} matching: + exclude: + providers: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers }} + package_types: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types }} default: search: by_cpe: @@ -295,3 +291,19 @@ services: ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} + + data_syncer: + enabled: true + require_auth: true + endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} + listen: 0.0.0.0 + port: ${ANCHORE_PORT} + auto_sync_enabled: true + upload_dir: {{ .Values.scratchVolume.mountPath }} + datasets: + vulnerability_db: + versions: ["5"] + clamav_db: + versions: ["1"] + kev_db: + versions: ["1"] diff --git a/stable/enterprise/files/osaa_config.yaml b/stable/enterprise/files/osaa_config.yaml index 2e812ce7..17bbd789 100644 --- a/stable/enterprise/files/osaa_config.yaml +++ b/stable/enterprise/files/osaa_config.yaml 
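Review bot: `providers: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers }}` and the `package_types` line beside it in the `@@ -199,14 +199,10 @@` hunk interpolate a values list with Go's default formatting, so a user who follows the README and sets `providers: ['nvd', 'github']` gets `providers: [nvd github]` in the rendered config, which YAML reads as a one-element sequence containing `nvd github` and the exclusion silently never matches; an unset value renders as an empty scalar (null) rather than a list. Serialize the values instead: `providers: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers | toJson }}` and `package_types: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types | toJson }}` (adding `| default (list)` before `toJson` if an unset value should mean "exclude nothing" rather than the README's "must be set"). The identical two lines appear in osaa_config.yaml's `@@ -171,14 +207,10 @@` hunk, and the CI `--set=...providers=[]` overrides in the workflow hunks only exercise the empty-list case, so this does not show up in chart-testing. In the `@@ -82,6 +81,7 @@` hunk, `log_saml_assertions` writes received assertions, and therefore the identity attributes they carry, to the API container log at INFO; an adjacent comment such as `# logs full SAML assertions (identity attributes) at INFO; leave false outside SSO troubleshooting` would make the exposure visible to operators reading the rendered config.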
@@ -1,6 +1,12 @@ service_dir: ${ANCHORE_SERVICE_DIR} tmp_dir: ${ANCHORE_TMP_DIR} -log_level: ${ANCHORE_LOG_LEVEL} +log_level: ${ANCHORE_LOG_LEVEL} # Deprecated - prefer use of logging.log_level + +logging: + {{- toYaml .Values.anchoreConfig.logging | nindent 2 }} + +server: + {{- toYaml .Values.anchoreConfig.server | nindent 2 }} allow_awsecr_iam_auto: ${ANCHORE_ALLOW_ECR_IAM_AUTO} host_id: "${ANCHORE_HOST_ID}" @@ -19,6 +25,36 @@ max_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB} max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB} +audit: + enabled: {{ .Values.anchoreConfig.audit.enabled }} + mode: log + verbs: + - post + - put + - delete + - patch + resource_uris: + - "/accounts" + - "/accounts/{account_name}" + - "/accounts/{account_name}/state" + - "/accounts/{account_name}/users" + - "/accounts/{account_name}/users/{username}" + - "/accounts/{account_name}/users/{username}/api-keys" + - "/accounts/{account_name}/users/{username}/api-keys/{key_name}" + - "/accounts/{account_name}/users/{username}/credentials" + - "/rbac-manager/roles" + - "/rbac-manager/roles/{role_name}/members" + - "/rbac-manager/saml/idps" + - "/rbac-manager/saml/idps/{name}" + - "/rbac-manager/saml/idps/{name}/user-group-mappings" + - "/system/user-groups" + - "/system/user-groups/{group_uuid}" + - "/system/user-groups/{group_uuid}/roles" + - "/system/user-groups/{group_uuid}/users" + - "/user/api-keys" + - "/user/api-keys/{key_name}" + - "/user/credentials" + metrics: enabled: ${ANCHORE_ENABLE_METRICS} auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH} 
@@ -45,7 +81,7 @@ user_authentication: max_api_keys_per_user: {{ .Values.anchoreConfig.user_authentication.max_api_keys_per_user }} remove_deleted_user_api_keys_older_than_days: {{ .Values.anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days }} disallow_native_users: {{ .Values.anchoreConfig.user_authentication.disallow_native_users }} - + log_saml_assertions: {{ .Values.anchoreConfig.user_authentication.log_saml_assertions }} credentials: database: user: "${ANCHORE_DB_USER}" @@ -171,14 +207,10 @@ services: data: grypedb: enabled: true - url: {{ template "enterprise.grypeProviderURL" . }} - packages: - enabled: ${ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED} - url: {{ template "enterprise.feedsURL" . }} - vulnerability_annotations: - enabled: ${ANCHORE_FEEDS_DRIVER_VULN_ANNOTATIONS_ENABLED} - url: {{ template "enterprise.feedsURL" . }} matching: + exclude: + providers: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers }} + package_types: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types }} default: search: by_cpe: @@ -267,3 +299,19 @@ services: ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} + + data_syncer: + enabled: true + require_auth: true + endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} + listen: 0.0.0.0 + port: ${ANCHORE_PORT} + auto_sync_enabled: true + upload_dir: {{ .Values.scratchVolume.mountPath }} + datasets: + vulnerability_db: + versions: ["5"] + clamav_db: + versions: ["1"] + kev_db: + versions: ["1"] diff --git a/stable/enterprise/templates/_common.tpl b/stable/enterprise/templates/_common.tpl index 535ee71b..55b1f90a 100644 --- a/stable/enterprise/templates/_common.tpl +++ b/stable/enterprise/templates/_common.tpl 
@@ -258,10 +258,15 @@ securityContext: {{- toYaml . | nindent 2 }} {{- if or .Values.serviceAccountName (index .Values (print $component)).serviceAccountName (eq $component "upgradeJob") (eq $component "osaaMigrationJob") }} serviceAccountName: {{ include "enterprise.serviceAccountName" (merge (dict "component" $component) .) }} {{- end }} +{{- if .Values.useExistingPullCredSecret }} {{- with .Values.imagePullSecretName }} imagePullSecrets: - name: {{ . }} {{- end }} +{{- else }} +imagePullSecrets: + - name: {{ template "enterprise.fullname" . }}-pullcreds +{{- end }} {{- with (default .Values.nodeSelector (index .Values (print $component)).nodeSelector) }} nodeSelector: {{- toYaml . | nindent 2 }} {{- end }} @@ -335,7 +340,7 @@ Setup the common anchore volumes {{- include "enterprise.common.extraVolumes" (merge (dict "component" $component) .) }} - name: anchore-license secret: - secretName: {{ .Values.licenseSecretName }} + {{- include "enterprise.licenseSecret" . | nindent 4 }} - name: anchore-scripts configMap: name: {{ .Release.Name }}-enterprise-scripts diff --git a/stable/enterprise/templates/_helpers.tpl b/stable/enterprise/templates/_helpers.tpl index 8908363e..b1eab41b 100644 --- a/stable/enterprise/templates/_helpers.tpl +++ b/stable/enterprise/templates/_helpers.tpl 
@@ -57,46 +57,6 @@ Allows passing in a feature flag to the ui application on startup {{- end }} {{- end }} -{{/* -Returns the proper URL for the feeds service -*/}} -{{- define "enterprise.feedsURL" }} -{{- $anchoreFeedsURL := "" }} - {{- if .Values.feeds.url }} - {{- /* remove everything from the URL after /v2 to get the hostname, then use that to construct the proper URL */}} - {{- $regexSearchPattern := (printf "/v2.*$" | toString) }} - {{- $urlPathSuffix := (default "" (regexFind $regexSearchPattern .Values.feeds.url) ) }} - {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.feeds.url) -}} - {{- $anchoreFeedsURL = (printf "%s/v2/feeds" $anchoreFeedsHost) -}} - {{- else if .Values.feeds.chartEnabled }} - {{- $anchoreFeedsURL = (printf "%s://%s:%s/v2/feeds" (include "enterprise.feeds.setProtocol" .) (include "enterprise.feeds.fullname" .) (.Values.feeds.service.port | toString)) -}} - {{- end }} - {{- print $anchoreFeedsURL -}} -{{- end -}} - - -{{/* -Returns the proper URL for the grype provider -*/}} -{{- define "enterprise.grypeProviderURL" }} -{{- $grypeProviderFeedsExternalURL := "" -}} -{{- $regexSearchPattern := (printf "/v2.*$" | toString) }} - {{- if .Values.feeds.url }} - {{- /* remove everything from the URL after /v2 to get the hostname, then use that to construct the proper URL */}} - {{- $urlPathSuffix := (default "" ( regexFind $regexSearchPattern .Values.feeds.url )) -}} - {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.feeds.url) -}} - {{- $grypeProviderFeedsExternalURL = (printf "%s/v2/databases/grypedb" $anchoreFeedsHost) -}} - {{- else if .Values.feeds.chartEnabled }} - {{- $grypeProviderFeedsExternalURL = (printf "%s://%s:%s/v2/databases/grypedb" (include "enterprise.feeds.setProtocol" .) (include "enterprise.feeds.fullname" .) 
(.Values.feeds.service.port | toString)) -}} - {{- end }} - - {{- /* Set the grypeProviderFeedsExternalURL to upstream feeds if still unset or if specifically overridden */}} - {{- if or (empty $grypeProviderFeedsExternalURL) .Values.anchoreConfig.policy_engine.overrideFeedsToUpstream -}} - {{- $grypeProviderFeedsExternalURL = "https://toolbox-data.anchore.io/grype/databases/listing.json" -}} - {{- end }} - {{- print $grypeProviderFeedsExternalURL -}} -{{- end -}} - {{/* Set the appropriate kubernetes service account name. @@ -128,18 +88,6 @@ Return the proper protocol when Anchore internal SSL is enabled {{- end -}} -{{/* -Return the proper protocol when Anchore internal SSL is enabled -*/}} -{{- define "enterprise.feeds.setProtocol" -}} - {{- if .Values.feeds.anchoreConfig.internalServicesSSL.enabled }} -{{- print "https" -}} - {{- else -}} -{{- print "http" -}} - {{- end }} -{{- end -}} - - {{/* Return the database password for the Anchore Enterprise UI config */}} @@ -190,3 +138,20 @@ Checks if the appVersion.minor has increased, which is indicitive of requiring a {{- end -}} {{- end -}} + +{{/* +Constructs a proper dockerconfig json string for use in the image pull secret that is managed by the chart +*/}} +{{- define "enterprise.imagePullSecret" }} +{{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" .Values.imageCredentials.registry .Values.imageCredentials.username .Values.imageCredentials.password .Values.imageCredentials.email (printf "%s:%s" .Values.imageCredentials.username .Values.imageCredentials.password | b64enc) | b64enc }} +{{- end }} + +{{- define "enterprise.licenseSecret" -}} +{{- if .Values.useExistingLicenseSecret }} +{{- with .Values.licenseSecretName }} +secretName: {{ . }} +{{- end }} +{{- else }} +secretName: {{ template "enterprise.fullname" . }}-license +{{- end }} +{{- end -}} \ No newline at end of file 
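Review bot: `enterprise.imagePullSecret` assembles the `.dockerconfigjson` document with `printf` and unescaped values, so a registry password (or username/email) containing `"` or `\` — both common in generated tokens — yields invalid JSON that the kubelet rejects at pull time, and because the result is base64-encoded the breakage is invisible at render time; let `toJson` do the escaping instead (rewrite below, equivalent document for well-behaved input). In `enterprise.licenseSecret`, `with .Values.licenseSecretName` emits nothing when `useExistingLicenseSecret` is true but the name is empty, leaving `secret:` with no `secretName` in every pod spec that includes it — a `required` surfaces that at render time: `secretName: {{ required "licenseSecretName is required when useExistingLicenseSecret is true" .Values.licenseSecretName }}`. The file also loses its trailing newline in this change.
```gotemplate
{{- define "enterprise.imagePullSecret" }}
{{- $creds := .Values.imageCredentials -}}
{{- $auth := printf "%s:%s" $creds.username $creds.password | b64enc -}}
{{- $entry := dict "username" $creds.username "password" $creds.password "email" $creds.email "auth" $auth -}}
{{- dict "auths" (dict $creds.registry $entry) | toJson | b64enc -}}
{{- end }}
```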
diff --git a/stable/enterprise/templates/_names.tpl b/stable/enterprise/templates/_names.tpl index 4287401e..bc49a983 100644 --- a/stable/enterprise/templates/_names.tpl +++ b/stable/enterprise/templates/_names.tpl @@ -27,6 +27,11 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s-%s" .Release.Name $name "catalog"| trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- define "enterprise.dataSyncer.fullname" -}} +{{- $name := default .Chart.Name .Values.global.nameOverride -}} +{{- printf "%s-%s-%s" .Release.Name $name "datasyncer"| trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{- define "enterprise.notifications.fullname" -}} {{- $name := default .Chart.Name .Values.global.nameOverride -}} {{- printf "%s-%s-%s" .Release.Name $name "notifications"| trunc 63 | trimSuffix "-" -}} @@ -76,15 +81,6 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s-%s-%s" .Release.Name $name (.Chart.AppVersion | replace "." "") "smoke-test" | trunc 63 | trimSuffix "-" -}} {{- end -}} -{{- define "enterprise.feeds.fullname" -}} -{{- if .Values.feeds.fullnameOverride }} - {{- .Values.feeds.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} - {{- $name := default "feeds" .Values.feeds.nameOverride -}} - {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} - {{- define "postgres.fullname" -}} {{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}} {{- end -}} diff --git a/stable/enterprise/templates/anchore_configmap.yaml b/stable/enterprise/templates/anchore_configmap.yaml index f8683e25..47896f9b 100644 --- a/stable/enterprise/templates/anchore_configmap.yaml +++ b/stable/enterprise/templates/anchore_configmap.yaml 
@@ -1,3 +1,5 @@
+{{- $exclude_providers := required "anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers is required" .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers -}}
+{{- $exclude_package := required "anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types is required" .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types -}}
 kind: ConfigMap
 apiVersion: v1
 metadata:
diff --git a/stable/enterprise/templates/datasyncer_deployment.yaml b/stable/enterprise/templates/datasyncer_deployment.yaml
new file mode 100644
index 00000000..3728d05f
--- /dev/null
+++ b/stable/enterprise/templates/datasyncer_deployment.yaml
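Review bot: `required` only rejects nil and the empty string, so the two guards here also accept any scalar — `--set anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers=rhel` passes and is rendered into the config as a bare string rather than a list — and `$exclude_providers`/`$exclude_package` are otherwise unused, so the intent (force an explicit, well-typed choice for a setting that drops vulnerability matches) is only half enforced. Add a type check after each guard: `{{- if not (kindIs "slice" $exclude_providers) }}{{- fail "anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers must be a list (use [] for none)" }}{{- end }}` and the same for `$exclude_package`. A one-line comment above the guards saying why the chart refuses to default these values would also help upgraders who hit the new failure.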
@@ -0,0 +1,79 @@ +{{- $component := "dataSyncer" -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "enterprise.dataSyncer.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: + selector: + matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} + replicas: {{ .Values.dataSyncer.replicaCount }} + strategy: {{- include "enterprise.common.deploymentStrategy" . | nindent 4 }} + template: + metadata: + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} + annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component "nil" true) .) | nindent 8 }} + checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} + {{- if and (not .Values.injectSecretsViaEnv) (not .Values.useExistingSecrets) }} + checksum/secrets: {{ include (print $.Template.BasePath "/anchore_secret.yaml") . | sha256sum }} + {{- end }} + checksum/enterprise-envvar: {{ include (print $.Template.BasePath "/envvars_configmap.yaml") . | sha256sum }} + spec: + {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} + volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} + - name: anchore-scratch + {{- include "enterprise.common.scratchVolume.details" (merge (dict "component" $component) .) | nindent 10 }} + {{- if and .Values.scratchVolume.fixGroupPermissions .Values.securityContext.fsGroup }} + initContainers: + {{- include "enterprise.common.fixPermissionsInitContainer" . 
| nindent 8 }} + {{- end }} + containers: + {{- if .Values.cloudsql.enabled }} + {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} + {{- end }} + - name: "{{ .Chart.Name }}-{{ $component | lower }}" + image: {{ .Values.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{ toYaml . | nindent 12 }} + {{- end }} + command: ["/bin/sh", "-c"] + args: + - {{ print (include "enterprise.common.dockerEntrypoint" .) }} data_syncer + envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }} + env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }} + ports: + - name: {{ $component | lower }} + containerPort: {{ .Values.dataSyncer.service.port }} + volumeMounts: {{- include "enterprise.common.volumeMounts" (merge (dict "component" $component) .) | nindent 12 }} + - name: anchore-scratch + mountPath: {{ .Values.scratchVolume.mountPath }} + livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }} + readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }} + {{- with .Values.dataSyncer.resources }} + resources: {{- toYaml . | nindent 12 }} + {{- end }} + +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "enterprise.dataSyncer.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }} + annotations: {{- include "enterprise.service.annotations" (merge (dict "component" $component) .) | nindent 4 }} +spec: + type: {{ .Values.dataSyncer.service.type }} + ports: + - name: {{ $component | lower }} + port: {{ .Values.dataSyncer.service.port }} + targetPort: {{ .Values.dataSyncer.service.port }} + protocol: TCP + {{ include "enterprise.service.nodePort" (merge (dict "component" $component) .) 
}} + selector: + app.kubernetes.io/name: {{ template "enterprise.fullname" . }} + app.kubernetes.io/component: {{ $component | lower }} diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index 2e7084d1..c07fcdd8 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml +++ b/stable/enterprise/templates/envvars_configmap.yaml @@ -60,13 +60,6 @@ data: {{- else }} ANCHORE_ENTERPRISE_UI_URL: {{ include "enterprise.ui.fullname" . | quote }} {{- end }} - ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED: {{ dig "anchoreConfig" "feeds" "drivers" "github" "enabled" "false" .Values.feeds | quote }} - ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: {{ dig "anchoreConfig" "feeds" "drivers" "msrc" "enabled" "false" .Values.feeds | quote }} - ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED: "true" - ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED: "false" - ANCHORE_FEEDS_DRIVER_VULN_ANNOTATIONS_ENABLED: "true" - ANCHORE_FEEDS_SSL_VERIFY: "{{ .Values.anchoreConfig.internalServicesSSL.verifyCerts }}" - ANCHORE_FEEDS_VULNERABILITIES_ENABLED: "true" ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT: "0" ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT: "0" ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC: "180" diff --git a/stable/enterprise/templates/hooks/pre-upgrade/object_store_analysis_archive_migration_job.yaml b/stable/enterprise/templates/hooks/pre-upgrade/object_store_analysis_archive_migration_job.yaml index d0ee3d19..e048062a 100644 --- a/stable/enterprise/templates/hooks/pre-upgrade/object_store_analysis_archive_migration_job.yaml +++ b/stable/enterprise/templates/hooks/pre-upgrade/object_store_analysis_archive_migration_job.yaml @@ -27,7 +27,7 @@ spec: {{- include "enterprise.common.extraVolumes" (merge (dict "component" $component) .) | nindent 8 }} - name: anchore-license secret: - secretName: {{ .Values.licenseSecretName }} + {{- include "enterprise.licenseSecret" . | nindent 12 }} - name: anchore-scripts configMap: name: {{ .Release.Name }}-enterprise-scripts 
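Review bot: The new data-syncer Deployment carries no comment explaining that this is the component that pulls external datasets (the `data_syncer.datasets` block added to the config template lists `vulnerability_db`, `clamav_db` and `kev_db` with `auto_sync_enabled: true`), so anyone writing egress NetworkPolicies or proxy allow-lists for the namespace has to discover it by trial. A short header under the `$component` line would do: `# Data syncer: periodically fetches the vulnerability/ClamAV/KEV datasets for the other services; it is the only pod that needs outbound access to the dataset source (presumably Anchore's hosted data service — confirm and document the hostnames)`. The Service below honours `dataSyncer.service.type`; since the rendered config sets `require_auth: true` for this service, it is worth stating in the same comment that the type should stay `ClusterIP` unless external exposure is deliberate.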
diff --git a/stable/enterprise/templates/ingress.yaml b/stable/enterprise/templates/ingress.yaml index 6caacdda..4f42efc7 100644 --- a/stable/enterprise/templates/ingress.yaml +++ b/stable/enterprise/templates/ingress.yaml @@ -29,7 +29,7 @@ spec: {{- end }} {{- end }} rules: - {{- if or .Values.ingress.apiHosts .Values.ingress.uiHosts .Values.ingress.feedsHosts }} + {{- if or .Values.ingress.apiHosts .Values.ingress.uiHosts }} {{- range $apiHostIndex, $apiHostName := .Values.ingress.apiHosts }} - host: {{ $apiHostName | quote }} http: @@ -68,26 +68,6 @@ spec: servicePort: {{ $.Values.ui.service.port }} {{- end }} {{- end }} - {{- range $feedsHostIndex, $feedsHostName := .Values.ingress.feedsHosts }} - - host: {{ $feedsHostName | quote }} - http: - paths: - {{- range $feedsPathIndex, $feedsPath := $.Values.ingress.feedsPaths }} - - path: {{ $feedsPath }} - {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} - pathType: Prefix - backend: - service: - name: {{ template "enterprise.feeds.fullname" $ }} - port: - number: {{ $.Values.feeds.service.port }} - {{- else }} - backend: - serviceName: {{ template "enterprise.feeds.fullname" $ }} - servicePort: {{ $.Values.feeds.service.port }} - {{- end }} - {{- end }} - {{- end }} {{- else }} - http: paths: @@ -121,20 +101,5 @@ spec: servicePort: {{ $.Values.ui.service.port }} {{- end }} {{- end }} - {{- range .Values.ingress.feedsPaths }} - - path: {{ . }} - {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} - pathType: Prefix - backend: - service: - name: {{ template "enterprise.feeds.fullname" $ }} - port: - number: {{ $.Values.feeds.service.port }} - {{- else }} - backend: - serviceName: {{ template "enterprise.feeds.fullname" $ }} - servicePort: {{ $.Values.feeds.service.port }} - {{- end }} - {{- end }} {{- end }} {{- end -}} diff --git a/stable/enterprise/templates/license_secret.yaml b/stable/enterprise/templates/license_secret.yaml new file mode 100644 index 00000000..a6cfe7a4 
--- /dev/null
+++ b/stable/enterprise/templates/license_secret.yaml
@@ -0,0 +1,18 @@
+{{- if (not .Values.useExistingLicenseSecret) -}}
+{{- $license := required "A valid .Values.license is required!" .Values.license -}}
+
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: {{ template "enterprise.fullname" . }}-license
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "enterprise.common.labels" . | nindent 4 }}
+ annotations: {{- include "enterprise.common.annotations" . | nindent 4 }}
+stringData:
+ license.yaml: |
+ # Anchore Enterprise License - installed via Helm
+ #
+{{ toYaml .Values.license | indent 4 }}
+
+{{- end -}}
diff --git a/stable/enterprise/templates/policyengine_deployment.yaml b/stable/enterprise/templates/policyengine_deployment.yaml
index e7f0e152..304e215c 100644
--- a/stable/enterprise/templates/policyengine_deployment.yaml
+++ b/stable/enterprise/templates/policyengine_deployment.yaml
@@ -1,5 +1,4 @@
 {{- $component := "policyEngine" -}}
-
 apiVersion: apps/v1
 kind: Deployment
 metadata:
diff --git a/stable/enterprise/templates/pullcreds_secret.yaml b/stable/enterprise/templates/pullcreds_secret.yaml
new file mode 100644
index 00000000..ffc4ec81
--- /dev/null
+++ b/stable/enterprise/templates/pullcreds_secret.yaml
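Review bot: The `license.yaml` body is produced by `toYaml .Values.license | indent 4` inside a `|` block scalar, which only yields a usable file if `.Values.license` is a mapping; if an operator passes the license file contents as a string (`--set-file license=license.yaml` is the natural thing to try), `toYaml` emits it as a quoted or `|-` block scalar and the mounted file begins with that wrapper rather than the license itself, and the template does not say which shape it expects. Add a comment above the `required` line stating the expected type, e.g. `# .Values.license must be the parsed license document (a mapping), not the file contents as a string`, or fail when `kindIs "string" .Values.license`. It is also worth noting in the same comment that a license supplied this way is stored in the Helm release secret and readable via `helm get values`, so `useExistingLicenseSecret: true` remains the preferred path outside test installs.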
@@ -0,0 +1,18 @@
+{{- if (not .Values.useExistingPullCredSecret) -}}
+{{- $imageUsername := required "A valid .Values.imageCredentials.username is required!" .Values.imageCredentials.username -}}
+{{- $imagePassword := required "A valid .Values.imageCredentials.password is required!" .Values.imageCredentials.password -}}
+{{- $imageEmail := required "A valid .Values.imageCredentials.email is required!" .Values.imageCredentials.email -}}
+{{- $imageRegistry := required "A valid .Values.imageCredentials.registry is required!" .Values.imageCredentials.registry -}}
+
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+ name: {{ template "enterprise.fullname" . }}-pullcreds
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "enterprise.common.labels" . | nindent 4 }}
+ annotations: {{- include "enterprise.common.annotations" . | nindent 4 }}
+data:
+ .dockerconfigjson: {{ template "enterprise.imagePullSecret" . }}
+
+{{- end -}}
diff --git a/stable/enterprise/templates/ui_deployment.yaml b/stable/enterprise/templates/ui_deployment.yaml
index 0c157023..f905247e 100644
--- a/stable/enterprise/templates/ui_deployment.yaml
+++ b/stable/enterprise/templates/ui_deployment.yaml
@@ -25,7 +25,7 @@ spec:
 volumes: {{- include "enterprise.common.extraVolumes" (merge (dict "component" $component) .) | nindent 8 }}
 - name: anchore-license
 secret:
- secretName: {{ .Values.licenseSecretName }}
+ {{- include "enterprise.licenseSecret" . | nindent 12 }}
 - name: anchore-ui-config
 configMap:
 name: {{ template "enterprise.ui.fullname" . }}
diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
index 785dc2f5..63dbadb1 100644
--- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
+++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
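Review bot: The registry password rendered into this Secret comes from chart values, which Helm also persists in the release Secret and returns from `helm get values --all`, so enabling the chart-managed pull secret widens who can read the registry credential to anyone who can read release history in the namespace, and the template does not say so. A header comment would make the trade-off explicit: `# Chart-managed pull secret. imageCredentials.* are stored in the Helm release values as well as here; prefer useExistingPullCredSecret: true with a pre-created secret in production`. Separately, `email` is made `required` although registry authentication does not use it, which pushes operators to invent a placeholder; treating it as optional (`default "" .Values.imageCredentials.email` in the helper that builds the JSON) would avoid that.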
@@ -114,7 +114,6 @@ should render the configmaps: - "/user/api-keys/{key_name}" - "/user/credentials" - metrics: enabled: ${ANCHORE_ENABLE_METRICS} auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH} @@ -142,6 +141,7 @@ should render the configmaps: max_api_keys_per_user: 100 remove_deleted_user_api_keys_older_than_days: 365 disallow_native_users: false + log_saml_assertions: false credentials: database: user: "${ANCHORE_DB_USER}" @@ -277,14 +277,10 @@ should render the configmaps: data: grypedb: enabled: true - url: http://test-release-feeds:8448/v2/databases/grypedb - packages: - enabled: ${ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED} - url: http://test-release-feeds:8448/v2/feeds - vulnerability_annotations: - enabled: ${ANCHORE_FEEDS_DRIVER_VULN_ANNOTATIONS_ENABLED} - url: http://test-release-feeds:8448/v2/feeds matching: + exclude: + providers: [] + package_types: [] default: search: by_cpe: @@ -384,6 +380,22 @@ should render the configmaps: ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} + + data_syncer: + enabled: true + require_auth: true + endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} + listen: 0.0.0.0 + port: ${ANCHORE_PORT} + auto_sync_enabled: true + upload_dir: /analysis_scratch + datasets: + vulnerability_db: + versions: ["5"] + clamav_db: + versions: ["1"] + kev_db: + versions: ["1"] kind: ConfigMap metadata: annotations: 
@@ -434,13 +446,6 @@ should render the configmaps: ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE: "false" ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS: "120" ANCHORE_ENTERPRISE_UI_URL: test-release-enterprise-ui - ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED: "false" - ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: "false" - ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED: "true" - ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED: "false" - ANCHORE_FEEDS_DRIVER_VULN_ANNOTATIONS_ENABLED: "true" - ANCHORE_FEEDS_SSL_VERIFY: "false" - ANCHORE_FEEDS_VULNERABILITIES_ENABLED: "true" ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT: "0" ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT: "0" ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC: "180" diff --git a/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap index 5791f1f6..3dfe9d12 100644 --- a/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap @@ -75,7 +75,6 @@ should render the configmaps for osaa migration if enabled: - "/user/api-keys/{key_name}" - "/user/credentials" - metrics: enabled: ${ANCHORE_ENABLE_METRICS} auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH} @@ -103,6 +102,7 @@ should render the configmaps for osaa migration if enabled: max_api_keys_per_user: 100 remove_deleted_user_api_keys_older_than_days: 365 disallow_native_users: false + log_saml_assertions: false credentials: database: user: "${ANCHORE_DB_USER}" @@ -238,14 +238,10 @@ should render the configmaps for osaa migration if enabled: data: grypedb: enabled: true - url: http://test-release-feeds:8448/v2/databases/grypedb - packages: - enabled: ${ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED} - url: http://test-release-feeds:8448/v2/feeds - vulnerability_annotations: - enabled: ${ANCHORE_FEEDS_DRIVER_VULN_ANNOTATIONS_ENABLED} - url: http://test-release-feeds:8448/v2/feeds matching: + exclude: + providers: [] + package_types: [] default: search: by_cpe: 
@@ -345,6 +341,22 @@ should render the configmaps for osaa migration if enabled: ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} + + data_syncer: + enabled: true + require_auth: true + endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} + listen: 0.0.0.0 + port: ${ANCHORE_PORT} + auto_sync_enabled: true + upload_dir: /analysis_scratch + datasets: + vulnerability_db: + versions: ["5"] + clamav_db: + versions: ["1"] + kev_db: + versions: ["1"] kind: ConfigMap metadata: annotations: @@ -369,7 +381,26 @@ should render the configmaps for osaa migration if enabled: # service_dir: ${ANCHORE_SERVICE_DIR} tmp_dir: ${ANCHORE_TMP_DIR} - log_level: ${ANCHORE_LOG_LEVEL} + log_level: ${ANCHORE_LOG_LEVEL} # Deprecated - prefer use of logging.log_level + + logging: + colored_logging: false + exception_backtrace_logging: false + exception_diagnose_logging: false + file_retention_rule: 10 + file_rotation_rule: 10 MB + log_level: INFO + server_access_logging: true + server_log_level: info + server_response_debug_logging: false + structured_logging: false + + server: + max_connection_backlog: 2048 + max_wsgi_middleware_worker_count: 50 + max_wsgi_middleware_worker_queue_size: 100 + timeout_graceful_shutdown: false + timeout_keep_alive: 5 allow_awsecr_iam_auto: ${ANCHORE_ALLOW_ECR_IAM_AUTO} host_id: "${ANCHORE_HOST_ID}" 
@@ -388,6 +419,36 @@ should render the configmaps for osaa migration if enabled: max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB} + audit: + enabled: true + mode: log + verbs: + - post + - put + - delete + - patch + resource_uris: + - "/accounts" + - "/accounts/{account_name}" + - "/accounts/{account_name}/state" + - "/accounts/{account_name}/users" + - "/accounts/{account_name}/users/{username}" + - "/accounts/{account_name}/users/{username}/api-keys" + - "/accounts/{account_name}/users/{username}/api-keys/{key_name}" + - "/accounts/{account_name}/users/{username}/credentials" + - "/rbac-manager/roles" + - "/rbac-manager/roles/{role_name}/members" + - "/rbac-manager/saml/idps" + - "/rbac-manager/saml/idps/{name}" + - "/rbac-manager/saml/idps/{name}/user-group-mappings" + - "/system/user-groups" + - "/system/user-groups/{group_uuid}" + - "/system/user-groups/{group_uuid}/roles" + - "/system/user-groups/{group_uuid}/users" + - "/user/api-keys" + - "/user/api-keys/{key_name}" + - "/user/credentials" + metrics: enabled: ${ANCHORE_ENABLE_METRICS} auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH} @@ -415,7 +476,7 @@ should render the configmaps for osaa migration if enabled: max_api_keys_per_user: 100 remove_deleted_user_api_keys_older_than_days: 365 disallow_native_users: false - + log_saml_assertions: false credentials: database: user: "${ANCHORE_DB_USER}" @@ -562,14 +623,10 @@ should render the configmaps for osaa migration if enabled: data: grypedb: enabled: true - url: http://test-release-feeds:8448/v2/databases/grypedb - packages: - enabled: ${ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED} - url: http://test-release-feeds:8448/v2/feeds - vulnerability_annotations: - enabled: ${ANCHORE_FEEDS_DRIVER_VULN_ANNOTATIONS_ENABLED} - url: http://test-release-feeds:8448/v2/feeds matching: + exclude: + providers: [] + package_types: [] default: search: by_cpe: 
@@ -669,6 +726,22 @@ should render the configmaps for osaa migration if enabled: ssl_enable: ${ANCHORE_SSL_ENABLED} ssl_cert: ${ANCHORE_SSL_CERT} ssl_key: ${ANCHORE_SSL_KEY} + + data_syncer: + enabled: true + require_auth: true + endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} + listen: 0.0.0.0 + port: ${ANCHORE_PORT} + auto_sync_enabled: true + upload_dir: /analysis_scratch + datasets: + vulnerability_db: + versions: ["5"] + clamav_db: + versions: ["1"] + kev_db: + versions: ["1"] kind: ConfigMap metadata: annotations: diff --git a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index 28593e8c..9777332d 100644 --- a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -26,7 +26,7 @@ migration job should match snapshot: name: test-release-enterprise-config-env-vars - secretRef: name: test-release-enterprise - image: docker.io/anchore/enterprise:v5.9.0 + image: docker.io/anchore/enterprise:v5.10.0 imagePullPolicy: IfNotPresent name: migrate-analysis-archive volumeMounts: @@ -89,7 +89,7 @@ migration job should match snapshot: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.9.0 + image: docker.io/anchore/enterprise:v5.10.0 imagePullPolicy: IfNotPresent name: wait-for-db restartPolicy: Never @@ -148,7 +148,7 @@ migration job should match snapshot analysisArchiveMigration and objectStoreMigr name: test-release-enterprise-config-env-vars - secretRef: name: test-release-enterprise - image: docker.io/anchore/enterprise:v5.9.0 + image: docker.io/anchore/enterprise:v5.10.0 imagePullPolicy: IfNotPresent name: migrate-analysis-archive volumeMounts: 
@@ -211,7 +211,7 @@ migration job should match snapshot analysisArchiveMigration and objectStoreMigr valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.9.0 + image: docker.io/anchore/enterprise:v5.10.0 imagePullPolicy: IfNotPresent name: wait-for-db restartPolicy: Never @@ -268,7 +268,7 @@ migration job should match snapshot analysisArchiveMigration to true: name: test-release-enterprise-config-env-vars - secretRef: name: test-release-enterprise - image: docker.io/anchore/enterprise:v5.9.0 + image: docker.io/anchore/enterprise:v5.10.0 imagePullPolicy: IfNotPresent name: migrate-analysis-archive volumeMounts: @@ -331,7 +331,7 @@ migration job should match snapshot analysisArchiveMigration to true: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.9.0 + image: docker.io/anchore/enterprise:v5.10.0 imagePullPolicy: IfNotPresent name: wait-for-db restartPolicy: Never @@ -387,7 +387,7 @@ migration job should match snapshot objectStoreMigration to true: name: test-release-enterprise-config-env-vars - secretRef: name: test-release-enterprise - image: docker.io/anchore/enterprise:v5.9.0 + image: docker.io/anchore/enterprise:v5.10.0 imagePullPolicy: IfNotPresent name: migrate-analysis-archive volumeMounts: @@ -450,7 +450,7 @@ migration job should match snapshot objectStoreMigration to true: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.9.0 + image: docker.io/anchore/enterprise:v5.10.0 imagePullPolicy: IfNotPresent name: wait-for-db restartPolicy: Never @@ -621,6 +621,6 @@ should render proper initContainers: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.9.0 + image: docker.io/anchore/enterprise:v5.10.0 imagePullPolicy: IfNotPresent name: wait-for-db diff --git a/stable/enterprise/tests/analyzer_resources_test.yaml b/stable/enterprise/tests/analyzer_resources_test.yaml index 532f3a78..a93ce60b 100644 
--- a/stable/enterprise/tests/analyzer_resources_test.yaml +++ b/stable/enterprise/tests/analyzer_resources_test.yaml @@ -11,6 +11,9 @@ release: chart: version: 9.9.9 appVersion: 9.9.9 +set: + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers: [] + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types: [] tests: - it: should render a valid analyzer config file diff --git a/stable/enterprise/tests/api_resources_test.yaml b/stable/enterprise/tests/api_resources_test.yaml index b7f97813..350e379f 100644 --- a/stable/enterprise/tests/api_resources_test.yaml +++ b/stable/enterprise/tests/api_resources_test.yaml @@ -11,6 +11,9 @@ release: chart: version: 9.9.9 appVersion: 9.9.9 +set: + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers: [] + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types: [] tests: - it: should set the correct resource names diff --git a/stable/enterprise/tests/catalog_resources_test.yaml b/stable/enterprise/tests/catalog_resources_test.yaml index 4a3169a3..1450790b 100644 --- a/stable/enterprise/tests/catalog_resources_test.yaml +++ b/stable/enterprise/tests/catalog_resources_test.yaml @@ -11,6 +11,9 @@ release: chart: version: 9.9.9 appVersion: 9.9.9 +set: + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers: [] + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types: [] tests: - it: should set the correct resource names diff --git a/stable/enterprise/tests/common_helpers_test.yaml b/stable/enterprise/tests/common_helpers_test.yaml index a2e52eab..5eeb453e 100644 --- a/stable/enterprise/tests/common_helpers_test.yaml +++ b/stable/enterprise/tests/common_helpers_test.yaml 
@@ -16,12 +16,16 @@ templates: - anchore_secret.yaml - ui_secret.yaml - envvars_configmap.yaml + - datasyncer_deployment.yaml release: name: test-release namespace: test-namespace chart: version: 9.9.9 appVersion: 9.9.9 +set: + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers: [] + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types: [] backend_test_templates: &backend_test_templates - analyzer_deployment.yaml @@ -32,6 +36,7 @@ backend_test_templates: &backend_test_templates - reports_deployment.yaml - reportsworker_deployment.yaml - simplequeue_deployment.yaml + - datasyncer_deployment.yaml test_templates: &test_templates - analyzer_deployment.yaml @@ -44,6 +49,7 @@ test_templates: &test_templates - simplequeue_deployment.yaml - ui_deployment.yaml - hooks/pre-upgrade/upgrade_job.yaml + - datasyncer_deployment.yaml deployment_templates: &deployment_templates - analyzer_deployment.yaml @@ -55,6 +61,7 @@ deployment_templates: &deployment_templates - reportsworker_deployment.yaml - simplequeue_deployment.yaml - ui_deployment.yaml + - datasyncer_deployment.yaml tests: - it: should render global annotations @@ -394,7 +401,7 @@ tests: - notExists: path: spec.template.spec.serviceAccountName - - it: should render imagePullSecretName + - it: should render imagePullSecretName with useExistingPullCredSecret templates: *test_templates documentIndex: 0 asserts: 
@@ -402,9 +409,32 @@ tests: path: spec.template.spec.imagePullSecrets[0].name value: anchore-enterprise-pullcreds + - it: should render imagePullSecretName with useExistingPullCredSecret set + set: + useExistingPullCredSecret: true + imagePullSecretName: blah-release-enterprise-pullcreds + templates: *test_templates + documentIndex: 0 + asserts: + - equal: + path: spec.template.spec.imagePullSecrets[0].name + value: blah-release-enterprise-pullcreds + + - it: should render imagePullSecretName without useExistingPullCredSecret + set: + useExistingPullCredSecret: false + imagePullSecretName: blah-release-enterprise-pullcreds + templates: *test_templates + documentIndex: 0 + asserts: + - equal: + path: spec.template.spec.imagePullSecrets[0].name + value: test-release-enterprise-pullcreds + - it: should render set imagePullSecretName set: imagePullSecretName: mysecret + useExistingPullCredSecret: true templates: *test_templates documentIndex: 0 asserts: @@ -600,6 +630,34 @@ tests: count: 1 any: true + - it: should render global volumes anchore-license with useExistingLicenseSecret set to false + set: + useExistingLicenseSecret: false + licenseSecretName: my-license-secret + templates: *backend_test_templates + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: anchore-license + secret: + secretName: test-release-enterprise-license + + - it: should render global volumes anchore-license with useExistingLicenseSecret set to true and different secret name + set: + useExistingLicenseSecret: true + licenseSecretName: my-license-secret + templates: *backend_test_templates + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: anchore-license + secret: + secretName: my-license-secret + - it: should render enterprise.fullname templates: *test_templates documentIndex: 0 
@@ -839,112 +897,6 @@ tests: path: stringData["ANCHORE_ADMIN_PASSWORD"] pattern: ^[a-zA-Z0-9]{32}$ - - it: should render anchoreFeedsURL with feeds.url set - set: - feeds: - url: my-feeds-url - templates: - - anchore_configmap.yaml - documentIndex: 0 - asserts: - - matchRegex: - path: data["config.yaml"] - pattern: "url: my-feeds-url/v2/databases/grypedb" - - - matchRegex: - path: data["config.yaml"] - pattern: "url: my-feeds-url/v2/feeds" - - - it: should render v2 anchoreFeedsURL with feeds.url set - set: - feeds: - url: my-feeds-url - service: - apiVersion: v2 - templates: - - anchore_configmap.yaml - documentIndex: 0 - asserts: - - matchRegex: - path: data["config.yaml"] - pattern: "url: my-feeds-url/v2/databases/grypedb" - - - matchRegex: - path: data["config.yaml"] - pattern: "url: my-feeds-url/v2/feeds" - - - it: should render anchoreFeedsURL with feeds.chartEnabled - set: - feeds: - chartEnabled: true - templates: - - anchore_configmap.yaml - documentIndex: 0 - asserts: - - matchRegex: - path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v2/databases/grypedb" - - - matchRegex: - path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v2/feeds" - - - it: should render grypeProviderURL with anchoreConfig.policy_engine.overrideFeedsToUpstream - set: - anchoreConfig.policy_engine: - overrideFeedsToUpstream: true - templates: - - anchore_configmap.yaml - documentIndex: 0 - asserts: - - notMatchRegex: - path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v2/databases/grypedb" - - - matchRegex: - path: data["config.yaml"] - pattern: "url: https://toolbox-data.anchore.io/grype/databases/listing.json" - - - it: should render grypeProviderURL without feeds.url defined and feeds.chartEnabled as false - set: - feeds: - url: "" - chartEnabled: false - templates: - - anchore_configmap.yaml - documentIndex: 0 - asserts: - - notMatchRegex: - path: data["config.yaml"] - pattern: "url: 
http://test-release-feeds:8448/v2/databases/grypedb" - - - matchRegex: - path: data["config.yaml"] - pattern: "url: https://toolbox-data.anchore.io/grype/databases/listing.json" - - - it: should set the correct protocol with feeds.anchoreConfig.internalServicesSSL.enabled to true for anchore_configmap.yaml - set: - feeds.anchoreConfig.internalServicesSSL.enabled: true - templates: - - anchore_configmap.yaml - documentIndex: 0 - asserts: - - matchRegex: - path: data["config.yaml"] - pattern: "url: https://test-release-feeds:8448/v2/databases/grypedb" - - - matchRegex: - path: data["config.yaml"] - pattern: "url: https://test-release-feeds:8448/v2/feeds" - - - notMatchRegex: - path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v2/databases/grypedb" - - - notMatchRegex: - path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v2/feeds" - - it: should set the correct protocol with anchoreConfig.internalServicesSSL.enabled to true for deployments set: anchoreConfig.internalServicesSSL.enabled: true @@ -961,29 +913,6 @@ tests: content: scheme: HTTPS - - it: should set the correct protocol with feeds.anchoreConfig.internalServicesSSL.enabled to false for anchore_configmap.yaml - set: - anchoreConfig.internalServicesSSL.enabled: false - templates: - - anchore_configmap.yaml - documentIndex: 0 - asserts: - - matchRegex: - path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v2/databases/grypedb" - - - matchRegex: - path: data["config.yaml"] - pattern: "url: http://test-release-feeds:8448/v2/feeds" - - - notMatchRegex: - path: data["config.yaml"] - pattern: "url: https://test-release-feeds:8448/v2/databases/grypedb" - - - notMatchRegex: - path: data["config.yaml"] - pattern: "url: https://test-release-feeds:8448/v2/feeds" - - it: should set the correct protocol with anchoreConfig.internalServicesSSL.enabled to false for deployments set: anchoreConfig.internalServicesSSL.enabled: false 
diff --git a/stable/enterprise/tests/configmap_test.yaml b/stable/enterprise/tests/configmap_test.yaml index 3433c48e..662459ec 100644 --- a/stable/enterprise/tests/configmap_test.yaml +++ b/stable/enterprise/tests/configmap_test.yaml 
@@ -37,101 +37,3 @@ tests: tmp_dir: /test log_level: DEBUG - - - it: should set the msrc and github drivers if set - template: templates/envvars_configmap.yaml - set: - feeds.anchoreConfig.feeds.drivers.github.enabled: true - feeds.anchoreConfig.feeds.drivers.msrc.enabled: true - asserts: - - equal: - path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] - value: "true" - - equal: - path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] - value: "true" - - - it: should not throw a templating error if feeds.something is set but drivers are not - template: templates/envvars_configmap.yaml - set: - feeds.chartEnabled: false - asserts: - - equal: - path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] - value: "false" - - equal: - path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] - value: "false" - - - it: should set the msrc and github drivers if set differently - template: templates/envvars_configmap.yaml - set: - feeds.anchoreConfig.feeds.drivers.github.enabled: false - feeds.anchoreConfig.feeds.drivers.msrc.enabled: true - asserts: - - equal: - path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] - value: "true" - - equal: - path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] - value: "false" - - - it: should not throw a templating error if feeds.anchoreConfig.something is set but drivers are not - template: templates/envvars_configmap.yaml - set: - feeds.anchoreConfig.log_level: ERROR - asserts: - - equal: - path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] - value: "false" - - equal: - path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] - value: "false" - - - it: should not throw a templating error if feeds.anchoreConfig.feeds.something is set but drivers are not - template: templates/envvars_configmap.yaml - set: - feeds.anchoreConfig.feeds.cycle_timers.driver_sync: 9001 - asserts: - - equal: - path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] - value: "false" - - equal: - path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] - value: "false" - - - it: should not throw a templating error if 
feeds.anchoreConfig.feeds.drivers.something is set but github and msrc drivers are not - template: templates/envvars_configmap.yaml - set: - feeds.anchoreConfig.feeds.drivers.npm.enabled: true - asserts: - - equal: - path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] - value: "false" - - equal: - path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] - value: "false" - - - it: should set the msrc and github drivers correctly if only one is set - template: templates/envvars_configmap.yaml - set: - feeds.anchoreConfig.feeds.drivers.github.enabled: true - asserts: - - equal: - path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] - value: "false" - - equal: - path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] - value: "true" - - - it: should set the msrc and github drivers correctly if only the other is set - template: templates/envvars_configmap.yaml - set: - feeds.anchoreConfig.feeds.drivers.msrc.enabled: true - asserts: - - equal: - path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] - value: "true" - - equal: - path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] - value: "false" \ No newline at end of file diff --git a/stable/enterprise/tests/datasyncer_resources_test.yaml b/stable/enterprise/tests/datasyncer_resources_test.yaml new file mode 100644 index 00000000..8f030346 --- /dev/null +++ b/stable/enterprise/tests/datasyncer_resources_test.yaml 
@@ -0,0 +1,390 @@ +suite: Datasyncer Resources Tests +templates: + - datasyncer_deployment.yaml + - anchore_secret.yaml + - anchore_configmap.yaml + - envvars_configmap.yaml +release: + name: test-release + namespace: test-namespace +chart: + version: 9.9.9 + appVersion: 9.9.9 +set: + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers: [] + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types: [] + +tests: + # Document 0 - Deployment + + - it: should render correct apiVersion and kind for document[0] Service + templates: + - datasyncer_deployment.yaml + documentIndex: 0 + asserts: + - equal: + path: apiVersion + value: apps/v1 + - equal: + path: kind + value: Deployment + + - it: should render components for metadata + template: datasyncer_deployment.yaml + documentIndex: 0 + set: + dataSyncer.labels: + dataSyncer: test + test: foobar + dataSyncer.annotations: + dataSyncer: test + test: foobar + asserts: + - equal: + path: metadata.name + value: test-release-enterprise-datasyncer + - equal: + path: metadata.namespace + value: test-namespace + - isSubset: + path: metadata.labels + content: + dataSyncer: test + test: foobar + template: datasyncer_deployment.yaml + documentIndex: 0 + - isSubset: + path: metadata.annotations + content: + dataSyncer: test + test: foobar + + - it: should render component spec.selector.matchLabels + template: datasyncer_deployment.yaml + documentIndex: 0 + asserts: + - isSubset: + path: spec.selector.matchLabels + content: + app.kubernetes.io/name: test-release-enterprise + app.kubernetes.io/component: datasyncer + + - it: should render component spec.replicas count + template: datasyncer_deployment.yaml + documentIndex: 0 + set: + dataSyncer.replicaCount: 99 + asserts: + - equal: + path: spec.replicas + value: 99 + + - it: should render the correct deployment spec.strategy + template: datasyncer_deployment.yaml + documentIndex: 0 + asserts: + - isSubset: + path: spec.strategy + content: + type: 
Recreate + + - it: should render component spec.template.metadata.labels + template: datasyncer_deployment.yaml + documentIndex: 0 + set: + dataSyncer.spec.templates.metadata.labels: + dataSyncer: test + test: foobar + asserts: + - isSubset: + path: spec.template.metadata.labels + content: + app.kubernetes.io/component: datasyncer + app.kubernetes.io/instance: test-release + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: test-release-enterprise + app.kubernetes.io/part-of: anchore + app.kubernetes.io/version: 9.9.9 + helm.sh/chart: enterprise-9.9.9 + + - it: should render component spec.template.metadata.annotations + template: datasyncer_deployment.yaml + documentIndex: 0 + set: + dataSyncer.labels: + dataSyncer: test + test: foobar + injectSecretsViaEnv: false + useExistingSecrets: false + asserts: + - matchRegex: + path: spec.template.metadata.annotations.checksum/enterprise-config + pattern: '^[a-zA-Z0-9]+$' + - matchRegex: + path: spec.template.metadata.annotations.checksum/enterprise-envvar + pattern: '^[a-zA-Z0-9]+$' + - matchRegex: + path: spec.template.metadata.annotations.checksum/secrets + pattern: '^[a-zA-Z0-9]+$' + + - it: should not render component spec.template.metadata.annotations when injectSecretsViaEnv and useExistingSecrets are true + template: datasyncer_deployment.yaml + documentIndex: 0 + set: + injectSecretsViaEnv: true + useExistingSecrets: true + asserts: + - notExists: + path: spec.template.metadata.annotations.checksum/secrets + + - it: should render component spec.template.spec volume + template: datasyncer_deployment.yaml + documentIndex: 0 + set: + dataSyncer.serviceAccountName: dataSyncer-test + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: anchore-scratch + emptyDir: {} + count: 1 + + - it: should render fixPermissionsInitContainer + templates: + - datasyncer_deployment.yaml + set: + scratchVolume.fixGroupPermissions: true + securityContext.fsGroup: 1001 + documentIndex: 0 + asserts: + - 
contains: + path: spec.template.spec.initContainers + content: + volumeMounts: + - name: "anchore-scratch" + mountPath: /analysis_scratch + command: [ sh, -c, (chmod 0775 /analysis_scratch; chgrp 1001 /analysis_scratch ) ] + image: alpine + name: mode-fixer + securityContext: + runAsUser: 0 + count: 1 + any: true + + - it: should include cloudsqlContainer when cloudsql.enabled is true + template: datasyncer_deployment.yaml + documentIndex: 0 + set: + cloudsql.enabled: true + asserts: + - equal: + path: spec.template.spec.containers[0].name + value: cloudsql-proxy + + - it: should exclude cloudsqlContainer when cloudsql.enabled is false + template: datasyncer_deployment.yaml + documentIndex: 0 + set: + cloudsql.enabled: false + asserts: + - notContains: + path: spec.template.spec.containers + content: + name: cloudsql + + - it: should render dataSyncer spec.template.spec.containers + template: datasyncer_deployment.yaml + documentIndex: 0 + set: + image: "test-image:latest" + imagePullPolicy: "Always" + containerSecurityContext: + runAsUser: 9997 + runAsGroup: 9998 + fsGroup: 9999 + dataSyncer.volumeMounts: + - name: test-volume + mountPath: /mnt/test + readOnly: true + + + asserts: + - equal: + path: spec.template.spec.containers[0].name + value: "enterprise-datasyncer" + - equal: + path: spec.template.spec.containers[0].image + value: "test-image:latest" + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: "Always" + - isSubset: + path : spec.template.spec.containers[0].securityContext + content: + runAsUser: 9997 + runAsGroup: 9998 + fsGroup: 9999 + - equal: + path: spec.template.spec.containers[0].command + value: + - "/bin/sh" + - "-c" + - matchRegex: + path: spec.template.spec.containers[0].args[0] + pattern: ^/docker-entrypoint\.sh anchore-enterprise-manager service start --no-auto-upgrade data_syncer + - contains: + path: spec.template.spec.containers[0].envFrom + content: + configMapRef: + name: 
test-release-enterprise-config-env-vars + - isSubset: + path: spec.template.spec.containers[0].env[0] + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-datasyncer.test-namespace.svc.cluster.local + count: 1 + - isSubset: + path: spec.template.spec.containers[0].env[1] + content: + name: ANCHORE_PORT + value: "8778" + count: 1 + - contains: + path: spec.template.spec.containers[0].ports + content: + name: datasyncer + containerPort: 8778 + count: 1 + - contains: + path: spec.template.spec.volumes + content: + name: anchore-scratch + emptyDir: {} + count: 1 + + - it: should render component spec.template.spec.containers.livenessProbe + template: datasyncer_deployment.yaml + documentIndex: 0 + set: + dataSyncer.resources: + requests: + cpu: 99m + memory: 99Mi + limits: + cpu: 999m + memory: 999Mi + asserts: + - isSubset: + path: spec.template.spec.containers[0].livenessProbe + content: + httpGet: + path: /health + port: datasyncer + scheme: HTTP + initialDelaySeconds: 120 + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + count: 1 + - isSubset: + path: spec.template.spec.containers[0].readinessProbe + content: + httpGet: + path: /health + port: datasyncer + scheme: HTTP + timeoutSeconds: 10 + periodSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + count: 1 + - isSubset: + path: spec.template.spec.containers[0].resources + content: + requests: + cpu: 99m + memory: 99Mi + limits: + cpu: 999m + memory: 999Mi + + # Document 1 - Service + + - it: should render document[1] apiVersion and kind + templates: + - datasyncer_deployment.yaml + documentIndex: 1 + asserts: + - equal: + path: apiVersion + value: v1 + - equal: + path: kind + value: Service + + - it: should render document[1] metadata + template: datasyncer_deployment.yaml + documentIndex: 1 # Reference to Service + set: + dataSyncer: + service: + annotations: + bar: baz + foo: bar + asserts: + - equal: + path: metadata.name + value: 
test-release-enterprise-datasyncer + - equal: + path: metadata.namespace + value: test-namespace + - isSubset: + path: metadata.labels + content: + app.kubernetes.io/component: datasyncer + app.kubernetes.io/instance: test-release + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: test-release-enterprise + app.kubernetes.io/part-of: anchore + app.kubernetes.io/version: 9.9.9 + helm.sh/chart: enterprise-9.9.9 + - isSubset: + path: metadata.annotations + content: + bar: baz + foo: bar + + - it: should render document[1] component spec.type + template: datasyncer_deployment.yaml + documentIndex: 1 # Reference to Service + asserts: + - equal: + path: spec.type + value: ClusterIP + count: 1 + + - it: should render document[1] component spec.ports + template: datasyncer_deployment.yaml + documentIndex: 1 # Reference to Service + asserts: + - contains: + path: spec.ports + content: + name: datasyncer + port: 8778 + targetPort: 8778 + protocol: TCP + count: 1 + + - it: should render document[1] component spec.selectors + template: datasyncer_deployment.yaml + documentIndex: 1 # Reference to Service + asserts: + - isSubset: + path: spec.selector + content: + app.kubernetes.io/name: test-release-enterprise + app.kubernetes.io/component: datasyncer + count: 1 diff --git a/stable/enterprise/tests/notifications_resources_test.yaml b/stable/enterprise/tests/notifications_resources_test.yaml index 88c21c7d..1f87831d 100644 --- a/stable/enterprise/tests/notifications_resources_test.yaml +++ b/stable/enterprise/tests/notifications_resources_test.yaml @@ -10,6 +10,9 @@ release: chart: version: 9.9.9 appVersion: 9.9.9 +set: + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers: [] + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types: [] tests: - it: should set the correct resource names diff --git a/stable/enterprise/tests/osaa_configmap_test.yaml b/stable/enterprise/tests/osaa_configmap_test.yaml index b99c8388..5bdbc7ca 100644 
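Review bot: The negative case `should exclude cloudsqlContainer when cloudsql.enabled is false` asserts `notContains` on `name: cloudsql`, but the positive case directly above expects the container to be named `cloudsql-proxy`, so the negative test passes even if the proxy container is rendered; the content should be `name: cloudsql-proxy`. The first case is titled `should render correct apiVersion and kind for document[0] Service` while asserting `kind: Deployment`, and the `isSubset` on `metadata.labels` in the metadata test carries stray `template:`/`documentIndex:` keys inside the assert entry that belong at the test level. Separately, the `fixPermissionsInitContainer` case pins `image: alpine` with no tag or digest running as `runAsUser: 0`; if that is the chart's real default rather than test fixture data, an unpinned mutable tag on a root-running init container is worth pinning by digest, though the rendering template is outside this diff.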
--- a/stable/enterprise/tests/osaa_configmap_test.yaml +++ b/stable/enterprise/tests/osaa_configmap_test.yaml @@ -3,6 +3,8 @@ templates: - templates/osaa_configmap.yaml - templates/anchore_configmap.yaml set: + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers: [] + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types: [] osaaMigrationJob: enabled: true analysisArchiveMigration: diff --git a/stable/enterprise/tests/policyengine_resources_test.yaml b/stable/enterprise/tests/policyengine_resources_test.yaml index bf2abb48..fa1511f4 100644 --- a/stable/enterprise/tests/policyengine_resources_test.yaml +++ b/stable/enterprise/tests/policyengine_resources_test.yaml @@ -10,6 +10,9 @@ release: chart: version: 9.9.9 appVersion: 9.9.9 +set: + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers: [] + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types: [] tests: - it: should set the correct resource names diff --git a/stable/enterprise/tests/posthook_upgrade_resources_test.yaml b/stable/enterprise/tests/posthook_upgrade_resources_test.yaml index 83cbcc33..227d96e8 100644 --- a/stable/enterprise/tests/posthook_upgrade_resources_test.yaml +++ b/stable/enterprise/tests/posthook_upgrade_resources_test.yaml @@ -33,6 +33,8 @@ values: set: upgradeJob.enabled: true upgradeJob.usePostUpgradeHook: true + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers: [] + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types: [] release: name: test-release namespace: test-namespace diff --git a/stable/enterprise/tests/prehook_upgrade_resources_test.yaml b/stable/enterprise/tests/prehook_upgrade_resources_test.yaml index fa55b5fc..9ce39ff9 100644 --- a/stable/enterprise/tests/prehook_upgrade_resources_test.yaml +++ b/stable/enterprise/tests/prehook_upgrade_resources_test.yaml 
@@ -38,7 +38,9 @@ release: chart: version: 9.9.9 appVersion: 9.9.9 - +set: + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers: [] + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types: [] upgrade-resource: &upgrade-resources - templates/hooks/pre-upgrade/upgrade_job.yaml - templates/hooks/pre-upgrade/upgrade_rbac.yaml diff --git a/stable/enterprise/tests/reports_resources_test.yaml b/stable/enterprise/tests/reports_resources_test.yaml index f0eb47a7..02fdac39 100644 --- a/stable/enterprise/tests/reports_resources_test.yaml +++ b/stable/enterprise/tests/reports_resources_test.yaml @@ -10,7 +10,9 @@ release: chart: version: 9.9.9 appVersion: 9.9.9 - +set: + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers: [] + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types: [] tests: - it: should set the correct resource names template: reports_deployment.yaml diff --git a/stable/enterprise/tests/reportsworker_resources_test.yaml b/stable/enterprise/tests/reportsworker_resources_test.yaml index c8955ccc..21304e3f 100644 --- a/stable/enterprise/tests/reportsworker_resources_test.yaml +++ b/stable/enterprise/tests/reportsworker_resources_test.yaml @@ -10,7 +10,9 @@ release: chart: version: 9.9.9 appVersion: 9.9.9 - +set: + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers: [] + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types: [] tests: - it: should set the correct resource names template: reportsworker_deployment.yaml diff --git a/stable/enterprise/tests/simplequeue_resources_test.yaml b/stable/enterprise/tests/simplequeue_resources_test.yaml index 7a62b468..d5ad2252 100644 --- a/stable/enterprise/tests/simplequeue_resources_test.yaml +++ b/stable/enterprise/tests/simplequeue_resources_test.yaml 
@@ -10,7 +10,9 @@ release: chart: version: 9.9.9 appVersion: 9.9.9 - +set: + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers: [] + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types: [] tests: - it: should set the correct resource names template: simplequeue_deployment.yaml diff --git a/stable/enterprise/tests/ui_resources_test.yaml b/stable/enterprise/tests/ui_resources_test.yaml index e289ff1d..eb55547a 100644 --- a/stable/enterprise/tests/ui_resources_test.yaml +++ b/stable/enterprise/tests/ui_resources_test.yaml @@ -9,7 +9,9 @@ release: chart: version: 9.9.9 appVersion: 9.9.9 - +set: + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers: [] + anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types: [] tests: - it: should set the correct resource names template: ui_deployment.yaml diff --git a/stable/enterprise/tests/values.yaml b/stable/enterprise/tests/values.yaml index 9b015f99..10c8e00c 100644 --- a/stable/enterprise/tests/values.yaml +++ b/stable/enterprise/tests/values.yaml @@ -13,6 +13,12 @@ extraEnv: value: baz anchoreConfig: + policy_engine: + vulnerabilities: + matching: + exclude: + package_types: [] + providers: [] policyBundles: custom_policy_bundle1.json: | { diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 1a537f77..d3b5335e 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -19,7 +19,7 @@ global: ## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI ## -image: docker.io/anchore/enterprise:v5.9.0 +image: docker.io/anchore/enterprise:v5.10.0 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy 
@@ -32,6 +32,21 @@ imagePullPolicy: IfNotPresent
 ##
 imagePullSecretName: anchore-enterprise-pullcreds
 
+## @param useExistingPullCredSecret forgoes pullcred secret creation and uses the secret defined in imagePullSecretName
+##
+useExistingPullCredSecret: true
+
+## @param imageCredentials.registry The registry URL for the image pull secret
+## @param imageCredentials.username The username for the image pull secret
+## @param imageCredentials.password The password for the image pull secret
+## @param imageCredentials.email The email for the image pull secret
+##
+imageCredentials:
+  registry: ""
+  username: ""
+  password: ""
+  email: ""
+
 ## @param startMigrationPod Spin up a Database migration pod to help migrate the database to the new schema
 ##
 startMigrationPod: false
@@ -54,12 +69,20 @@ serviceAccountName: ""
 ##
 injectSecretsViaEnv: false
 
+## @param license License for Anchore Enterprise
+##
+license: {}
+
 ## @param licenseSecretName Name of the Kubernetes secret containing your license.yaml file
 ## This must be manually created. For example with the following command:
 ## `kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=`
 ##
 licenseSecretName: anchore-enterprise-license
 
+## @param useExistingLicenseSecret forgoes license secret creation and uses the secret defined in licenseSecretName
+##
+useExistingLicenseSecret: true
+
 ## @param certStoreSecretName Name of secret containing the certificates & keys used for SSL, SAML & CAs
 ## The chart will mount the secret specified in certStoreSecretName to /home/anchore/certs
 ## Secret must be manually created in the same namespace as release
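Review bot: `imageCredentials.password` introduces a plain-text registry password into values.yaml, which then lives in any committed values file and in the Helm release secret in the namespace; the `@param` lines should say so and steer users toward the default `useExistingPullCredSecret: true` with an out-of-band secret. Suggested comment under the `imageCredentials` stanza: `## Only used when useExistingPullCredSecret=false. The password is stored in the chart-managed pull secret and in Helm release history; prefer a pre-created secret referenced via imagePullSecretName.` It is also worth documenting what happens when `useExistingPullCredSecret: false` is set with all four fields left at `""` — the secret template is not in this diff, so I cannot tell whether that fails fast or silently renders an empty dockerconfigjson.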
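Review bot: The retained comment on `licenseSecretName` (`This must be manually created`) is now only true when `useExistingLicenseSecret: true`; with the new `license` value and `useExistingLicenseSecret: false` the chart presumably creates the secret itself, so the comment should be conditioned, e.g. `## When useExistingLicenseSecret=true this secret must be pre-created, for example:`. The `@param license License for Anchore Enterprise` line should also state the expected shape — `license: {}` defaults to a map while the mounted artifact is a `license.yaml` file — and carry the same caveat as the pull credentials: a license placed here is stored in plain text in values files and in the release secret, so the pre-created-secret path should remain the recommended one.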
@@ -310,6 +333,7 @@ anchoreConfig:
   ## @param anchoreConfig.user_authentication.sso_require_existing_users set to true in order to disable the SSO JIT provisioning during authentication
   ## This provides an additional layer of security and configuration for SSO users to gain access to Anchore.
   ## @param anchoreConfig.user_authentication.disallow_native_users Disallow native users to authenticate by any method. Only SSO/'saml' users will be able to access the system.
+  ## @param anchoreConfig.user_authentication.log_saml_assertions Enable logging of received SAML assertions at INFO level for SSO debugging in API container.
   ##
   user_authentication:
     oauth:
@@ -323,6 +347,7 @@ anchoreConfig:
     sso_require_existing_users: false
     remove_deleted_user_api_keys_older_than_days: 365
     disallow_native_users: false
+    log_saml_assertions: false
 
   ## @param anchoreConfig.metrics.enabled Enable Prometheus metrics for all Anchore services
   ## @param anchoreConfig.metrics.auth_disabled Disable auth on Prometheus metrics for all Anchore services
@@ -570,9 +595,13 @@ anchoreConfig:
       feed_sync: 14400
       feed_sync_checker: 3600
 
-    ## @param anchoreConfig.policy_engine.overrideFeedsToUpstream Override the Anchore Feeds URL to use the public upstream Anchore Feeds
-    ##
-    overrideFeedsToUpstream: false
+    ## @param anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers List of providers to exclude from matching
+    ## @param anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types List of package types to exclude from matching
+    vulnerabilities:
+      matching:
+        exclude:
+          providers: null
+          package_types: null
 
     ## @param anchoreConfig.policy_engine.enable_user_base_image Enables usage of Well Known Annotation to identify base image for use in ancestry calculations
     enable_user_base_image: true
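Review bot: The new `log_saml_assertions` parameter makes the API container write received SAML assertions to its logs at INFO, and an assertion carries the subject's identity attributes plus, when the IdP signs it, a reusable signed authentication artifact; log pipelines are rarely access-controlled like authentication secrets, so the `@param` text should warn that this is a short-lived debugging aid. Suggested line after the existing one: `## WARNING: assertions contain user PII and signed auth material; enable only temporarily for SSO troubleshooting, never in production.` The default of `false` in the following hunk is correct and should be called out as the required production value.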
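Review bot: `providers: null` and `package_types: null` are documented as lists, yet every test suite and both CI workflows in this change override them to `[]`, which strongly suggests the `null` default does not render into a config the templates or the application accept. Defaulting to `providers: []` and `package_types: []` would make the chart work out of the box and let the per-suite overrides be dropped; if `null` is intentionally distinct from an empty list, the `@param` lines should say how the two differ. The new comment stanza is also missing the closing `##` line used by every other parameter block in this file.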
@@ -941,34 +970,80 @@ catalog: scratchVolume: details: {} -########################################## -## @section Anchore Feeds Chart Parameters -########################################## -feeds: - ## @param feeds.chartEnabled Enable the Anchore Feeds chart +######################################################### +## @section Anchore DataSyncer k8s Deployment Parameters +######################################################### +dataSyncer: + ## @param dataSyncer.replicaCount Number of replicas for the Anchore DataSyncer deployment ## - chartEnabled: true + replicaCount: 1 + + ## @param dataSyncer.service.type Service type for Anchore DataSyncer + ## @param dataSyncer.service.port Service port for Anchore DataSyncer + ## @param dataSyncer.service.annotations Annotations for Anchore DataSyncer service + ## @param dataSyncer.service.labels Labels for Anchore DataSyncer service + ## @param dataSyncer.service.nodePort nodePort for Anchore DataSyncer service + ## @param dataSyncer.service.domainSuffix domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". Takes precedence over the top level domainSuffix + ## + service: + type: ClusterIP + port: 8778 + annotations: {} + labels: {} + nodePort: "" + domainSuffix: "" - ## @param feeds.standalone Sets the Anchore Feeds chart to run into non-standalone mode, for use with Anchore Enterprise. - ## This should never be set to true when chartEnabled=true. + ## @param dataSyncer.extraEnv Set extra environment variables for Anchore DataSyncer pods ## - standalone: false + extraEnv: [] - ## @param feeds.url Set the URL for a standalone Feeds service. Use when chartEnabled=false. 
+ ## @param dataSyncer.extraVolumes Define additional volumes for Anchore DataSyncer pods ## - url: "" + extraVolumes: [] + + ## @param dataSyncer.extraVolumeMounts Define additional volume mounts for Anchore DataSyncer pods + ## + extraVolumeMounts: [] - ## @param feeds.resources Resource requests and limits for Anchore Feeds pods + ## @param dataSyncer.resources Resource requests and limits for Anchore DataSyncer pods ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ ## Commented values below are just a suggested baseline. Contact Anchore support for deployment specific recommendations. ## resources: {} # requests: - # cpu: 2500m - # memory: 10Gi + # cpu: 1000m + # memory: 8000Mi # limits: - # memory: 10Gi + # memory: 8000Mi + + ## @param dataSyncer.labels Labels for Anchore DataSyncer pods + ## + labels: {} + + ## @param dataSyncer.annotations Annotation for Anchore DataSyncer pods + ## + annotations: {} + + ## @param dataSyncer.nodeSelector Node labels for Anchore DataSyncer pod assignment + ## + nodeSelector: {} + + ## @param dataSyncer.tolerations Tolerations for Anchore DataSyncer pod assignment + ## + tolerations: [] + ## @param dataSyncer.affinity Affinity for Anchore DataSyncer pod assignment + ## + affinity: {} + + ## @param dataSyncer.serviceAccountName Service account name for Anchore DataSyncer pods + ## + serviceAccountName: "" + + ## @param dataSyncer.scratchVolume.details [object] Details for the k8s volume to be created for Anchore DataSyncer scratch space + ## + scratchVolume: + details: {} ############################################ ## @section Anchore Notifications Parameters @@ -1348,7 +1423,7 @@ simpleQueue: ui: ## @param ui.image Image used for the Anchore UI container ## - image: docker.io/anchore/enterprise-ui:v5.9.0 + image: docker.io/anchore/enterprise-ui:v5.10.0 ## @param ui.imagePullPolicy Image pull policy for Anchore UI image ## 
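Review bot: The new `dataSyncer` section does not say where the DataSyncer obtains its data or which outbound endpoints an egress policy must allow; the feeds README in this same change says the self-hosted feeds chart is replaced by an Anchore-hosted service, so operators in restricted clusters will need that information when the local `feeds` component disappears. A sentence at the top of the section such as `## The DataSyncer fetches vulnerability data from the Anchore-hosted feeds service; allow outbound HTTPS to it in NetworkPolicy/egress rules` would cover this, with the exact hostnames taken from the product documentation since they are not visible in this chart. If the component needs proxy or custom-CA settings to reach that service, noting which existing values (e.g. `extraEnv`, `certStoreSecretName`) apply would also help, though I cannot confirm that from the diff.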
@@ -1534,16 +1609,6 @@ ingress:
   ##
   uiPath: /
 
-  ## @param ingress.feedsHosts List of custom hostnames for the Anchore Feeds API
-  ##
-  feedsHosts: []
-
-  ## @param ingress.feedsPaths The path used for accessing the Anchore Feeds API
-  ## Exposing the feeds API is for special cases only, use /v2/feeds for ingress.feedsPath
-  ##
-  feedsPaths:
-    - /v2/feeds/
-
   ## @param ingress.tls Configure tls for the ingress resource
   ## Secrets must be manually created in the release namespace
   ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
diff --git a/stable/feeds/Chart.yaml b/stable/feeds/Chart.yaml
index e151f18f..3eb76770 100644
--- a/stable/feeds/Chart.yaml
+++ b/stable/feeds/Chart.yaml
@@ -1,20 +1,13 @@
 apiVersion: v2
 name: feeds
 type: application
-version: "2.9.0"
+version: "3.0.0"
 appVersion: "5.9.0"
 kubeVersion: 1.23.x - 1.30.x || 1.23.x-x - 1.30.x-x
 description: Anchore feeds service
 keywords:
   - "anchore"
   - "anchore-feeds"
-maintainers:
-  - name: zhill
-    email: zach@anchore.com
-  - name: btodhunter
-    email: bradyt@anchore.com
-  - name: hnguyen
-    email: hung.nguyen@anchore.com
 icon: https://anchore.com/wp-content/uploads/2016/08/anchore.png
 dependencies:
   - name: postgresql
@@ -27,3 +20,4 @@ dependencies:
     repository: "oci://registry-1.docker.io/bitnamicharts"
     condition: gem-db.chartEnabled,anchoreConfig.feeds.drivers.gem.enabled
     alias: gem-db
+deprecated: true
diff --git a/stable/feeds/README.md b/stable/feeds/README.md
index ff79d4a6..252742ea 100644
--- a/stable/feeds/README.md
+++ b/stable/feeds/README.md
@@ -1,5 +1,7 @@ # Anchore Enterprise Feeds Helm Chart +> :exclamation: **WARNING:** This chart has been deprecated and replaced with an Anchore hosted feeds service. + > :exclamation: **Important:** View the **[Chart Release Notes](#release-notes)** for the latest changes prior to installation or upgrading. This Helm chart deploys the Anchore Enterprise Feeds service on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. @@ -227,15 +229,16 @@ apiVersion: v1 kind: Secret metadata: name: anchore-enterprise-feeds-env + labels: app: anchore type: Opaque stringData: - ANCHORE_ADMIN_PASSWORD: foobar1234 - ANCHORE_FEEDS_DB_NAME: anchore-feeds - ANCHORE_FEEDS_DB_USER: anchoreengine - ANCHORE_FEEDS_DB_PASSWORD: anchore-postgres,123 - ANCHORE_FEEDS_DB_HOST: anchore-enterprise-feeds-db - ANCHORE_FEEDS_DB_PORT: 5432 + ANCHORE_ADMIN_PASSWORD: "foobar1234" + ANCHORE_FEEDS_DB_NAME: "anchore-feeds" + ANCHORE_FEEDS_DB_USER: "anchoreengine" + ANCHORE_FEEDS_DB_PASSWORD: "anchore-postgres,123" + ANCHORE_FEEDS_DB_HOST: "anchore-enterprise-feeds-db" + ANCHORE_FEEDS_DB_PORT: "5432" # (if applicable) ANCHORE_SAML_SECRET: foobar,saml1234 # (if applicable) ANCHORE_GITHUB_TOKEN: foobar,github1234 # (if applicable) ANCHORE_NVD_API_KEY: foobar,nvd1234