Merge branch 'master' into feature/anchore-engine-hpa

stable/anchore-engine/Chart.lock

@@ -5,8 +5,11 @@ dependencies:
 - name: postgresql
   repository: file://./deps/postgresql
   version: 1.0.1
+- name: postgresql
+  repository: file://./deps/postgresql
+  version: 1.0.1
 - name: redis
   repository: https://charts.bitnami.com/bitnami
   version: 10.9.0
-digest: sha256:f764fed6fb7081e73c57591d26e99b82b66e643809a2ba02c1e66bb42782f2b1
-generated: "2020-12-16T13:32:27.349956-08:00"
+digest: sha256:44c16b3d5756edfaa4d86b8e57e6047de3ac0672d932f5cdf9fe1f28220b4fb0
+generated: "2021-09-29T23:16:53.207614-07:00"

stable/anchore-engine/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.14.6
-appVersion: 0.10.2
+version: 1.16.2
+appVersion: 1.1.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
  - analysis
@@ -32,6 +32,11 @@ dependencies:
    repository: "file://./deps/postgresql"
    condition: anchore-feeds-db.enabled,anchoreEnterpriseGlobal.enabled
    alias: anchore-feeds-db
+ - name: postgresql
+   version: "1.0.1"
+   repository: "file://./deps/postgresql"
+   condition: anchore-feeds-gem-db.enabled,anchoreEnterpriseFeeds.gemDriverEnabled
+   alias: anchore-feeds-gem-db
  - name: redis
    version: "10"
    repository: "https://charts.bitnami.com/bitnami"

stable/anchore-engine/templates/_helpers.tpl

@@ -121,6 +121,14 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- printf "%s-%s" .Release.Name "anchore-feeds-db" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Create a default fully qualified dependency name for the feeds gem db.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "postgres.anchore-feeds-gem-db.fullname" -}}
+{{- printf "%s-%s" .Release.Name "anchore-feeds-gem-db" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Create a default fully qualified dependency name for the db.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).

stable/anchore-engine/templates/engine_configmap.yaml

@@ -1,13 +1,29 @@
-{{ $anchoreFeedsURL := "https://ancho.re/v1/service/feeds" }}
-{{- if .Values.anchoreEnterpriseFeeds.url }}
-{{- $anchoreFeedsURL = .Values.anchoreEnterpriseFeeds.url }}
-{{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }}
-{{- if .Values.anchoreGlobal.internalServicesSsl.enabled }}
-{{- $anchoreFeedsURL = (printf "https://%s:%s/v1/feeds"  (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) }}
-{{- else }}
-{{- $anchoreFeedsURL = (printf "http://%s:%s/v1/feeds" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) }}
-{{- end }}
-{{- end }}
+{{- $anchoreFeedsURL := "https://ancho.re/v1/service/feeds" -}}
+{{- $grypeProviderFeedsExternalURL := "https://toolbox-data.anchore.io/grype/databases/listing.json" -}}
+
+{{- if .Values.anchoreEnterpriseFeeds.url -}}
+  {{- $urlPathSuffix := (default "" (regexFind "/v1.*$" .Values.anchoreEnterpriseFeeds.url)) -}}
+  {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.anchoreEnterpriseFeeds.url) -}}
+  {{- $anchoreFeedsURL = (printf "%s/v1/feeds" $anchoreFeedsHost) -}}
+  {{- $grypeProviderFeedsExternalURL = (printf "%s/v1/databases/grypedb" $anchoreFeedsHost) -}}
+{{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled -}}
+  {{- if .Values.anchoreGlobal.internalServicesSsl.enabled -}}
+    {{- $anchoreFeedsURL = (printf "https://%s:%s/v1/feeds"  (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}}
+    {{- $grypeProviderFeedsExternalURL = (printf "https://%s:%s/v1/databases/grypedb"  (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}}
+  {{- else -}}
+    {{- $anchoreFeedsURL = (printf "http://%s:%s/v1/feeds" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}}
+    {{- $grypeProviderFeedsExternalURL = (printf "http://%s:%s/v1/databases/grypedb"  (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}}
+  {{- end -}}
+{{- end -}}
+
+{{- $vulnerabilityProvider := .Values.anchorePolicyEngine.vulnerabilityProvider -}}
+{{- if not $vulnerabilityProvider -}}
+  {{- if .Release.IsUpgrade -}}
+    {{ required "A vulnerability provider must be explicitly set with .Values.anchorePolicyEngine.vulnerabilityProvider when upgrading to chart version v1.15.0 or higher." .Values.anchorePolicyEngine.vulnerabilityProvider }}
+  {{- else -}}
+    {{- $vulnerabilityProvider = "grype" -}}
+  {{- end -}}
+{{- end -}}
 
 kind: ConfigMap
 apiVersion: v1
@@ -182,6 +198,8 @@ data:
           repo_watcher: {{ .Values.anchoreCatalog.cycleTimers.repo_watcher }}
           k8s_watcher: {{ .Values.anchoreCatalog.cycleTimers.k8s_watcher }}
           k8s_image_watcher: {{ .Values.anchoreCatalog.cycleTimers.k8s_image_watcher }}
+        image_gc:
+          max_worker_threads: {{ default 1 .Values.anchoreCatalog.imageGCMaxWorkerThreads }}
         event_log:
           {{- toYaml .Values.anchoreCatalog.events | nindent 10 }}
         analysis_archive:
@@ -228,7 +246,7 @@ data:
         cycle_timers:
           {{- toYaml .Values.anchorePolicyEngine.cycleTimers | nindent 10 }}
         vulnerabilities:
-          provider: {{ .Values.anchorePolicyEngine.vulnerabilityProvider }}
+          provider: {{ $vulnerabilityProvider }}
           sync:
             enabled: true
             ssl_verify: {{ .Values.anchoreGlobal.internalServicesSsl.verifyCerts }}
@@ -237,8 +255,8 @@ data:
             data:
               # grypedb feed is synced if the provider is set to grype. All the remaining feeds except for packages are ignored even if they are enabled
               grypedb:
-                enabled: true
-                url: "https://toolbox-data.anchore.io/grype/databases/listing.json"
+                enabled: {{ default "true" (.Values.anchoreGlobal.syncGrypeDB | quote) }}
+                url: {{ $grypeProviderFeedsExternalURL }}
               # The following feeds are synced if provider is set to legacy
               # Vulnerabilities feed is the feed for distro cve sources (redhat, debian, ubuntu, oracle, alpine....)
               vulnerabilities:

stable/anchore-engine/templates/enterprise_feeds_configmap.yaml

@@ -1,5 +1,20 @@
 {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled -}}
 {{- $component := "enterprise-feeds" -}}
+
+{{- $grypeProviderFeedsExternalURL := "" -}}
+
+{{- if .Values.anchoreEnterpriseFeeds.url -}}
+  {{- $urlPathSuffix := (default "" (regexFind "/v1.*$" .Values.anchoreEnterpriseFeeds.url)) }}
+  {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.anchoreEnterpriseFeeds.url) -}}
+  {{- $grypeProviderFeedsExternalURL = (printf "%s/v1/" $anchoreFeedsHost) -}}
+{{- else -}}
+  {{- if .Values.anchoreGlobal.internalServicesSsl.enabled -}}
+    {{- $grypeProviderFeedsExternalURL = (printf "https://%s:%s/v1/"  (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}}
+  {{- else -}}
+    {{- $grypeProviderFeedsExternalURL = (printf "http://%s:%s/v1/"  (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}}
+  {{- end -}}
+{{- end -}}
+
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -86,12 +101,12 @@ data:
         cycle_timers:
           {{- toYaml .Values.anchoreEnterpriseFeeds.cycleTimers | nindent 10 }}
         # Staging space for holding normalized output from drivers.
-        local_workspace: {{ .Values.anchoreGlobal.scratchVolume.mountPath }}
+        local_workspace: {{ .Values.anchoreEnterpriseFeeds.persistence.mountPath }}
         # Drivers process data from external sources and store normalized data in local_workspace. Processing large data sets
         # is a time consuming process for some drivers. To speed it up the container is shipped with pre-loaded data which is used
         # by default if local_workspace is empty.
         workspace_preload:
-          # Do not use pre-loaded data if local_workspace is empty. Drivers will generate normalized data from scratch
+          # Do not use pre-loaded data if local_workspace is empty. Drivers will generate normalized data from local_workspace
           # disabled: true
           # To load the workspace from a different location, uncomment and configure workspace_preload_file property to point to the tar.gz file
           workspace_preload_file: "/workspace_preload/data.tar.gz"
@@ -119,30 +134,38 @@ data:
             enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.nvdDriverEnabled | quote) }}
           # npm and gem drivers are explicitly disabled out of the box
           npm:
-            enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.npmDriverEnabled | quote) }}
+            enabled: {{ .Values.anchoreEnterpriseFeeds.npmDriverEnabled | quote }}
           gem:
             # rubygem data comes packaged as a PostgreSQL dump file. gem driver loads the pg dump and normalizes the data.
             # To enable gem driver comment the enabled property and uncomment the db_connect property.
-            enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.gemDriverEnabled | quote) }}
-            db_connect: {{ default "'postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/gems'" .Values.anchoreEnterpriseFeeds.gemDbEndpoint }}
+            enabled: {{ .Values.anchoreEnterpriseFeeds.gemDriverEnabled | quote }}
+          {{- if .Values.anchoreEnterpriseFeeds.gemDriverEnabled }}
+            db_connect: "postgresql://${ANCHORE_GEM_DB_USER}:${ANCHORE_GEM_DB_PASSWORD}@${ANCHORE_GEM_DB_HOST}/${ANCHORE_GEM_DB_NAME}"
+          {{- end }}
           nvdv2:
             enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled | quote) }}
           vulndb:
             enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.vulndbDriverEnabled | quote) }}
+          sles:
+            enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.slesDriverEnabled | quote) }}
           msrc:
-            enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.msrcDriverEnabled | quote) }}
+            enabled: {{ .Values.anchoreEnterpriseFeeds.msrcDriverEnabled | quote }}
             {{- with .Values.anchoreEnterpriseFeeds.msrcWhitelist }}
             whitelist:
               - {{ . }}
             {{- end }}
           github:
-            enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.githubDriverEnabled | quote) }}
+            enabled: {{ .Values.anchoreEnterpriseFeeds.githubDriverEnabled | quote }}
           {{- if eq (.Values.anchoreEnterpriseFeeds.githubDriverEnabled | toString) "true" }}
             token: ${ANCHORE_GITHUB_TOKEN}
           {{- end }}
           grypedb:
+          {{- if eq (.Values.anchorePolicyEngine.vulnerabilityProvider | toString ) "legacy" }}
+            enabled: false
+          {{- else }}
             enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.grypeDriverEnabled | quote) }}
-            external_feeds_url: "https://toolbox-data.anchore.io/grype/databases/listing.json"
+          {{- end }}
+            external_feeds_url: {{ $grypeProviderFeedsExternalURL }}
         {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }}
         ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }}
         ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}"

stable/anchore-engine/templates/enterprise_feeds_configmap_env.yaml

@@ -23,4 +23,9 @@ data:
   {{- else }}
   ANCHORE_DB_HOST: "{{ template "postgres.anchore-feeds-db.fullname" . }}:5432"
   {{- end }}
+  {{- if .Values.anchoreEnterpriseFeeds.gemDriverEnabled }}
+  ANCHORE_GEM_DB_NAME: {{ index .Values "anchore-feeds-gem-db" "postgresDatabase" | quote }}
+  ANCHORE_GEM_DB_USER: {{ index .Values "anchore-feeds-gem-db" "postgresUser" | quote }}
+  ANCHORE_GEM_DB_HOST: "{{ default (include "postgres.anchore-feeds-gem-db.fullname" .) (index .Values "anchore-feeds-gem-db" "externalEndpoint") }}:5432"
+  {{- end }}
 {{- end }}

stable/anchore-engine/templates/enterprise_feeds_deployment.yaml

@@ -118,6 +118,9 @@ spec:
             fieldRef:
               fieldPath: metadata.name
         volumeMounts:
+        - name: data
+          mountPath: {{ .Values.anchoreEnterpriseFeeds.persistence.mountPath }}
+          subPath: {{ .Values.anchoreEnterpriseFeeds.persistence.subPath }}
         - name: config-volume
           mountPath: /config/config.yaml
           subPath: config.yaml
@@ -165,6 +168,13 @@ spec:
         resources:
           {{ toYaml .Values.anchoreEnterpriseFeeds.resources | nindent 10 }}
       volumes:
+        - name: data
+        {{- if .Values.anchoreEnterpriseFeeds.persistence.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ .Values.anchoreEnterpriseFeeds.persistence.existingClaim | default (include "anchore-engine.enterprise-feeds.fullname" .) }}
+        {{- else }}
+          emptyDir: {}
+        {{- end }}
         - name: config-volume
           configMap:
             name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}

stable/anchore-engine/templates/enterprise_feeds_pvc.yaml

@@ -0,0 +1,34 @@
+{{- if and (and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled) (and .Values.anchoreEnterpriseFeeds.persistence.enabled (not .Values.anchoreEnterpriseFeeds.persistence.existingClaim)) -}}
+{{- $component := "enterprise-feeds" -}}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}
+  labels:
+    app: {{ template "anchore-engine.fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    component: {{ $component }}
+    {{- with .Values.anchoreGlobal.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    "helm.sh/resource-policy": {{ default "" .Values.anchoreEnterpriseFeeds.persistence.resourcePolicy }}
+{{- if .Values.anchoreEnterpriseFeeds.persistence.annotations }}
+{{ toYaml .Values.anchoreEnterpriseFeeds.persistence.annotations | indent 4 }}
+{{- end }}
+spec:
+  accessModes:
+    - {{ .Values.anchoreEnterpriseFeeds.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.anchoreEnterpriseFeeds.persistence.size | quote }}
+{{- if .Values.anchoreEnterpriseFeeds.persistence.storageClass }}
+{{- if (eq "-" .Values.anchoreEnterpriseFeeds.persistence.storageClass) }}
+  storageClassName: ""
+{{- else }}
+  storageClassName: "{{ .Values.anchoreEnterpriseFeeds.persistence.storageClass }}"
+{{- end }}
+{{- end }}
+{{- end -}}

stable/anchore-engine/templates/enterprise_feeds_secret.yaml

@@ -24,5 +24,8 @@ stringData:
   {{- with .Values.anchoreEnterpriseFeeds.githubDriverToken }}
   ANCHORE_GITHUB_TOKEN: {{ . | quote }}
   {{- end }}
+  {{- if .Values.anchoreEnterpriseFeeds.gemDriverEnabled }}
+  ANCHORE_GEM_DB_PASSWORD: {{ index .Values "anchore-feeds-gem-db" "postgresPassword" | quote }}
+  {{- end }}
 {{- end }}
 {{- end }}