From f77802bf143cf3d4e21e2fa3b69652e380382091 Mon Sep 17 00:00:00 2001 From: sfroment Date: Mon, 13 Sep 2021 18:54:41 +0200 Subject: [PATCH 01/35] feat: add ingress className Signed-off-by: sfroment --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/templates/ingress.yaml | 3 +++ stable/anchore-engine/values.yaml | 4 ++++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 539cfc59..4b8a503c 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.14.5 +version: 1.14.6 appVersion: 0.10.2 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/templates/ingress.yaml b/stable/anchore-engine/templates/ingress.yaml index 6cc50cea..748989c9 100644 --- a/stable/anchore-engine/templates/ingress.yaml +++ b/stable/anchore-engine/templates/ingress.yaml @@ -19,6 +19,9 @@ metadata: {{ toYaml . | nindent 4 }} {{- end }} spec: + {{- if .Values.ingress.ingressClassName }} + ingressClassName: {{ .Values.ingress.ingressClassName }} + {{- end }} {{- if .Values.ingress.tls }} tls: {{- range .Values.ingress.tls }} diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index f36a2797..40285498 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -71,6 +71,10 @@ ingress: # uncomment `feedsPath` to add an ingress endpoint for the feeds api # uncomment 'reportsPath' to add an ingress endpoint for the reports api + # Set ingressClassName if kubernetes version is >= 1.18 + # Reference: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + # ingressClassName: nginx + # Uncomment the following lines to bind on specific hostnames # apiHosts: # - anchore-api.example.com From d95182559f2f6b4940d8978ed4f971b0bb2b6fe2 Mon Sep 17 00:00:00 2001 
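Review bot: The new `ingressClassName: {{ .Values.ingress.ingressClassName }}` line emits the operator-supplied value as a plain scalar, so a value that YAML re-types (one that looks boolean or numeric, or starts with an indicator character) renders as the wrong type or breaks the manifest. Emit it as a string: `ingressClassName: {{ .Values.ingress.ingressClassName | quote }}`. The `{{- if }}` guard already keeps the field out of `spec` when the value is unset, which is the right behaviour for clusters whose Ingress API predates the field. The enclosing `spec:` mapping continues beyond the hunk.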
From: Vijay Pillai Date: Wed, 15 Sep 2021 20:13:50 -0400 Subject: [PATCH 02/35] [WIP] adds configuration support for grype db feeds in policy engine and feeds service Signed-off-by: Vijay Pillai --- .../templates/engine_configmap.yaml | 17 +++++++++++++++-- .../templates/enterprise_feeds_configmap.yaml | 12 +++++++++++- stable/anchore-engine/values.yaml | 6 +++++- 3 files changed, 31 insertions(+), 4 deletions(-) diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index 996d0858..62f138c3 100644 --- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml @@ -9,6 +9,19 @@ {{- end }} {{- end }} +{{ $grypeProviderFeedsExternalURL := "" }} +{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled -}} +{{- if .Values.anchoreEnterpriseFeeds.grypeProviderFeedsExternalURL }} +{{- $grypeProviderFeedsExternalURL = (printf "%s/databases/grype" .Values.anchoreEnterpriseFeeds.grypeProviderFeedsExternalURL) }} +{{- else if .Values.anchoreGlobal.internalServicesSsl.enabled }} +{{- $grypeProviderFeedsExternalURL = (printf "https://%s:%s/v1/databases/grype" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) }} +{{- else }} +{{- $grypeProviderFeedsExternalURL = (printf "http://%s:%s/v1/databases/grype" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) }} +{{- end }} +{{ - else }} +{{- $grypeProviderFeedsExternalURL = "https://toolbox-data.anchore.io/grype/databases/listing.json" }} +{{- end}} + kind: ConfigMap apiVersion: v1 metadata: 
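Review bot: `{{ - else }}` in the new block is not a valid action: Go's template lexer only recognises the trim marker when `-` immediately follows `{{`, so with the space first the `-` is lexed as the start of a number and the engine configmap fails to parse, which fails the render of the whole chart. It should read `{{- else }}`. The opening `{{ $grypeProviderFeedsExternalURL := "" }}` also lacks trim markers and leaves a blank line in the output, harmless but inconsistent with the surrounding `{{-` style. Patch 03/35 later in this series replaces this block wholesale, but the commit as written does not render.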
@@ -237,8 +250,8 @@ data: data: # grypedb feed is synced if the provider is set to grype. All the remaining feeds except for packages are ignored even if they are enabled grypedb: - enabled: true - url: "https://toolbox-data.anchore.io/grype/databases/listing.json" + enabled: {{ default "true" (.Values.anchoreGlobal.syncGrypeDB | quote) }} + url: {{default "https://toolbox-data.anchore.io/grype/databases/listing.json" $grypeProviderFeedsExternalURL}} # The following feeds are synced if provider is set to legacy # Vulnerabilities feed is the feed for distro cve sources (redhat, debian, ubuntu, oracle, alpine....) vulnerabilities: diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index 9116c8dc..627411c2 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml @@ -1,5 +1,15 @@ {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled -}} {{- $component := "enterprise-feeds" -}} + +{{ $grypeProviderFeedsExternalURL := "" }} +{{- if .Values.anchoreEnterpriseFeeds.grypeProviderFeedsExternalURL }} +{{- $grypeProviderFeedsExternalURL = .Values.anchoreEnterpriseFeeds.grypeProviderFeedsExternalURL }} +{{- else if .Values.anchoreGlobal.internalServicesSsl.enabled }} +{{- $grypeProviderFeedsExternalURL = (printf "https://%s:%s/v1" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) }} +{{- else }} +{{- $grypeProviderFeedsExternalURL = (printf "http://%s:%s/v1" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) }} +{{- end }} + apiVersion: v1 kind: ConfigMap metadata: 
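Review bot: The `default` on `url: {{default "https://toolbox-data.anchore.io/grype/databases/listing.json" $grypeProviderFeedsExternalURL}}` is redundant, because every branch of the block added at the top of this file assigns `$grypeProviderFeedsExternalURL`, and it duplicates the fallback literal that block already carries; `url: {{ $grypeProviderFeedsExternalURL | quote }}` keeps one source of truth and emits the URL as a string rather than a plain scalar. The `enabled:` line changes the rendered value from the bare boolean `true` to the quoted string `"true"`, matching the `grypeDriverEnabled` pattern in enterprise_feeds_configmap.yaml, but confirm the engine's config loader accepts a string there, and note that `anchoreGlobal.syncGrypeDB` is not declared in this commit's values.yaml hunk. The same unquoted `url:` survives patch 03/35's rewrite of this line (hunk `@@ -251,7 +245,7 @@`).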
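Review bot: The URL computed here for `external_feeds_url` points at the feeds service itself (`http(s)://ENTERPRISE_FEEDS_FULLNAME:PORT/v1`), whereas the value it replaces further down in this file (`https://toolbox-data.anchore.io/grype/databases/listing.json`) was the upstream Grype DB listing. If the feeds service's grypedb driver still downloads from `external_feeds_url`, a self-referential URL cannot work; if the field means something else for the enterprise driver, a one-line comment above the variable saying so would stop the next reader asking the same question. Both `/v1` (here) and `/v1/databases/grype` (engine_configmap.yaml) are derived from the same value, so whichever is right, document which endpoint each consumer expects. Patch 03/35's rewrite of this block keeps the same shape.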
@@ -142,7 +152,7 @@ data: {{- end }} grypedb: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.grypeDriverEnabled | quote) }} - external_feeds_url: "https://toolbox-data.anchore.io/grype/databases/listing.json" + external_feeds_url: {{ $feedsExternalURL }} {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}" diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 40285498..456725a7 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -738,9 +738,13 @@ anchoreEnterpriseFeeds: # If enabled is set to false, set anchore-feeds-db.enabled to false to ensure that helm doesn't stand up a unneccessary postgres instance. enabled: true - # Set custom feeds URL if multiple Anchore deployments are using the same internal feeds service. + # Set custom feeds URL if multiple Anchore deployments are using the same internal feeds service. i.e.: https://:/v1/feeds url: "" + # ONLY USED IF RUNNING THE GRYPE PROVIDER: + # The URL of the feeds service to download Grype DB with enterprise feeds, i.e.: https://:/v1/ + grypeProviderFeedsExternalURL: "" + # Enable github advisory feeds githubDriverEnabled: false # GitHub advisory feeds require a github developer personal access token with no permission scopes selected. From 1b2bb0993213240b0be4ad8f16281d0e269a8018 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 16 Sep 2021 03:25:36 -0700 Subject: [PATCH 03/35] consolidate logic and external feeds url values config Signed-off-by: Brady Todhunter --- .../templates/engine_configmap.yaml | 40 ++++++++----------- .../templates/enterprise_feeds_configmap.yaml | 23 ++++++----- stable/anchore-engine/values.yaml | 7 +--- 3 files changed, 33 insertions(+), 37 deletions(-) 
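Review bot: `external_feeds_url: {{ $feedsExternalURL }}` references a variable that is never declared; the one defined at the top of this file in this same commit is `$grypeProviderFeedsExternalURL`. Go templates reject an undefined variable at parse time, so the chart fails to render whenever enterprise feeds are enabled. Change the line to `external_feeds_url: {{ $grypeProviderFeedsExternalURL }}`, which is what patch 03/35 does later in the series; the fix belongs in the commit that introduced the reference.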
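Review bot: The example URLs in the new comments, `https://:/v1/feeds` and `https://:/v1/`, have lost their host and port placeholders (likely angle-bracket tokens dropped somewhere along the way), so the comment no longer tells the reader what to supply. Spell the placeholders out in words, e.g. `# e.g. https://FEEDS_HOST:FEEDS_PORT/v1/feeds`, and use `e.g.` rather than `i.e.` since these are examples. The replacement comment in patch 03/35's values.yaml hunk (`# i.e. https://:`) has the same gap.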
diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index 62f138c3..d4118b64 100644 --- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml 
@@ -1,26 +1,20 @@ -{{ $anchoreFeedsURL := "https://ancho.re/v1/service/feeds" }} -{{- if .Values.anchoreEnterpriseFeeds.url }} -{{- $anchoreFeedsURL = .Values.anchoreEnterpriseFeeds.url }} -{{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} -{{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} -{{- $anchoreFeedsURL = (printf "https://%s:%s/v1/feeds" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) }} -{{- else }} -{{- $anchoreFeedsURL = (printf "http://%s:%s/v1/feeds" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) }} -{{- end }} -{{- end }} +{{- $anchoreFeedsURL := "https://ancho.re/v1/service/feeds" -}} +{{- $grypeProviderFeedsExternalURL := "https://toolbox-data.anchore.io/grype/databases/listing.json" -}} -{{ $grypeProviderFeedsExternalURL := "" }} -{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled -}} -{{- if .Values.anchoreEnterpriseFeeds.grypeProviderFeedsExternalURL }} -{{- $grypeProviderFeedsExternalURL = (printf "%s/databases/grype" .Values.anchoreEnterpriseFeeds.grypeProviderFeedsExternalURL) }} -{{- else if .Values.anchoreGlobal.internalServicesSsl.enabled }} -{{- $grypeProviderFeedsExternalURL = (printf "https://%s:%s/v1/databases/grype" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) }} -{{- else }} -{{- $grypeProviderFeedsExternalURL = (printf "http://%s:%s/v1/databases/grype" (include "anchore-engine.enterprise-feeds.fullname" .) 
(.Values.anchoreEnterpriseFeeds.service.port | toString) ) }} -{{- end }} -{{ - else }} -{{- $grypeProviderFeedsExternalURL = "https://toolbox-data.anchore.io/grype/databases/listing.json" }} -{{- end}} +{{- if .Values.anchoreEnterpriseFeeds.url -}} + {{- $urlPathSuffix := (default "" (regexFind "/v1.*$" .Values.anchoreEnterpriseFeeds.url)) -}} + {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.anchoreEnterpriseFeeds.url) -}} + {{- $anchoreFeedsURL = (printf "%s/v1/feeds" $anchoreFeedsHost) -}} + {{- $grypeProviderFeedsExternalURL = (printf "%s/v1/databases/grype" $anchoreFeedsHost) -}} +{{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled -}} + {{- if .Values.anchoreGlobal.internalServicesSsl.enabled -}} + {{- $anchoreFeedsURL = (printf "https://%s:%s/v1/feeds" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} + {{- $grypeProviderFeedsExternalURL = (printf "https://%s:%s/v1/databases/grype" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} + {{- else -}} + {{- $anchoreFeedsURL = (printf "http://%s:%s/v1/feeds" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} + {{- $grypeProviderFeedsExternalURL = (printf "http://%s:%s/v1/databases/grype" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} + {{- end -}} +{{- end -}} kind: ConfigMap apiVersion: v1 
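Review bot: When `.Values.anchoreEnterpriseFeeds.url` is given as a bare origin with a trailing slash (`https://feeds.example.com/`), `regexFind "/v1.*$"` matches nothing, `$anchoreFeedsHost` keeps the slash, and the two `printf` lines yield `https://feeds.example.com//v1/feeds` and `//v1/databases/grype`. Strip it as well: `{{- $anchoreFeedsHost := (trimSuffix "/" (trimSuffix $urlPathSuffix .Values.anchoreEnterpriseFeeds.url)) -}}`. The old side also used `url` verbatim while the new side rebuilds it from the host, so a value that carried a custom path now gets `/v1/feeds` appended instead; the values.yaml comment in this commit documents the new expectation, but it is a behaviour change worth a line in the chart changelog. The parallel block in enterprise_feeds_configmap.yaml (hunk `@@ -1,14 +1,19 @@`) has the same trailing-slash behaviour.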
@@ -251,7 +245,7 @@ data: # grypedb feed is synced if the provider is set to grype. All the remaining feeds except for packages are ignored even if they are enabled grypedb: enabled: {{ default "true" (.Values.anchoreGlobal.syncGrypeDB | quote) }} - url: {{default "https://toolbox-data.anchore.io/grype/databases/listing.json" $grypeProviderFeedsExternalURL}} + url: {{ $grypeProviderFeedsExternalURL }} # The following feeds are synced if provider is set to legacy # Vulnerabilities feed is the feed for distro cve sources (redhat, debian, ubuntu, oracle, alpine....) vulnerabilities: diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index 627411c2..7c107c8b 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml 
@@ -1,14 +1,19 @@ {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled -}} {{- $component := "enterprise-feeds" -}} -{{ $grypeProviderFeedsExternalURL := "" }} -{{- if .Values.anchoreEnterpriseFeeds.grypeProviderFeedsExternalURL }} -{{- $grypeProviderFeedsExternalURL = .Values.anchoreEnterpriseFeeds.grypeProviderFeedsExternalURL }} -{{- else if .Values.anchoreGlobal.internalServicesSsl.enabled }} -{{- $grypeProviderFeedsExternalURL = (printf "https://%s:%s/v1" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) }} -{{- else }} -{{- $grypeProviderFeedsExternalURL = (printf "http://%s:%s/v1" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) }} -{{- end }} +{{- $grypeProviderFeedsExternalURL := "" -}} + +{{- if .Values.anchoreEnterpriseFeeds.url -}} + {{- $urlPathSuffix := (default "" (regexFind "/v1.*$" .Values.anchoreEnterpriseFeeds.url)) }} + {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.anchoreEnterpriseFeeds.url) -}} + {{- $grypeProviderFeedsExternalURL = (printf "%s/v1/" $anchoreFeedsHost) -}} +{{- else -}} + {{- if .Values.anchoreGlobal.internalServicesSsl.enabled -}} + {{- $grypeProviderFeedsExternalURL = (printf "https://%s:%s/v1/" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} + {{- else -}} + {{- $grypeProviderFeedsExternalURL = (printf "http://%s:%s/v1/" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} + {{- end -}} +{{- end -}} apiVersion: v1 kind: ConfigMap 
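Review bot: The `$urlPathSuffix` line closes with `}}` while every other action in the rewritten block closes with `-}}`; the following `{{-` trims the stray newline so the output is unaffected, but the inconsistency invites a copy that is not so lucky — use `-}}` there too. The computed URL ends with a trailing slash (`/v1/`) here, whereas the engine configmap builds `/v1/feeds` and `/v1/databases/grype` without one; if the feeds service expects a base URL with the slash, a one-line comment above the variable saying so would stop a future cleanup from removing it.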
@@ -152,7 +157,7 @@ data: {{- end }} grypedb: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.grypeDriverEnabled | quote) }} - external_feeds_url: {{ $feedsExternalURL }} + external_feeds_url: {{ $grypeProviderFeedsExternalURL }} {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}" diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 456725a7..b1724876 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -738,13 +738,10 @@ anchoreEnterpriseFeeds: # If enabled is set to false, set anchore-feeds-db.enabled to false to ensure that helm doesn't stand up a unneccessary postgres instance. enabled: true - # Set custom feeds URL if multiple Anchore deployments are using the same internal feeds service. i.e.: https://:/v1/feeds + # Set custom feeds URL. Useful when using a feeds service endpoint that is external from the cluster. + # i.e. https://: url: "" - # ONLY USED IF RUNNING THE GRYPE PROVIDER: - # The URL of the feeds service to download Grype DB with enterprise feeds, i.e.: https://:/v1/ - grypeProviderFeedsExternalURL: "" - # Enable github advisory feeds githubDriverEnabled: false # GitHub advisory feeds require a github developer personal access token with no permission scopes selected. From 99ee1bc7fb9967874f323233d9b240221badf6ac Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Thu, 16 Sep 2021 11:08:26 -0700 Subject: [PATCH 04/35] bump chart version Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 4b8a503c..d0adf0dc 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml 
@@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.14.6 +version: 1.14.7 appVersion: 0.10.2 description: Anchore container analysis and policy evaluation engine service keywords: From ff4118ef601efb774067121cb4ecca7a773e73c6 Mon Sep 17 00:00:00 2001 From: James Petersen Date: Mon, 20 Sep 2021 12:30:18 -0600 Subject: [PATCH 05/35] Expose the kubernetes request timeout parameter Expose one of the configuration parameters for kai so the k8s api requests are configurable Signed-off-by: James Petersen --- stable/kai/templates/configmap.yaml | 1 + stable/kai/values.yaml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/stable/kai/templates/configmap.yaml b/stable/kai/templates/configmap.yaml index 1b477e30..d1390632 100644 --- a/stable/kai/templates/configmap.yaml +++ b/stable/kai/templates/configmap.yaml @@ -22,6 +22,7 @@ data: {{- toYaml .Values.kai.namespaces | nindent 6 }} mode: {{ .Values.kai.mode }} polling-interval-seconds: {{ .Values.kai.pollingIntervalSeconds }} + kubernetes-request-timeout-seconds: {{ .Values.kai.kubernetesRequestTimeoutSeconds }} anchore: url: {{ .Values.kai.anchore.url }} user: {{ .Values.kai.anchore.user }} diff --git a/stable/kai/values.yaml b/stable/kai/values.yaml index 9706851e..f5be2f06 100644 --- a/stable/kai/values.yaml +++ b/stable/kai/values.yaml @@ -109,6 +109,9 @@ kai: # Only respected if mode is periodic pollingIntervalSeconds: 60 + # Configure the request timeout for the k8s api interaction + kubernetesRequestTimeoutSeconds: 60 + anchore: url: From 5dee194e3ec43c5cd3697950a5653cbd67ab7754 Mon Sep 17 00:00:00 2001 From: James Petersen Date: Mon, 20 Sep 2021 12:32:29 -0600 Subject: [PATCH 06/35] upgrade kai chart version Signed-off-by: James Petersen --- stable/kai/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stable/kai/Chart.yaml b/stable/kai/Chart.yaml index 61746357..cb9f1abd 100644 --- a/stable/kai/Chart.yaml +++ b/stable/kai/Chart.yaml 
@@ -28,7 +28,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.2 +version: 0.2.3 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to From 9350e08f82fc3bd053bffc8ab590b1ff90ddb6c9 Mon Sep 17 00:00:00 2001 From: Zane Burstein Date: Mon, 30 Aug 2021 12:06:15 -0700 Subject: [PATCH 07/35] Set grype to be the default vuln provider Signed-off-by: Zane Burstein --- stable/anchore-engine/Chart.yaml | 4 ++-- stable/anchore-engine/values.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index d0adf0dc..38a286f9 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: anchore-engine -version: 1.14.7 -appVersion: 0.10.2 +version: 1.15.0 +appVersion: 0.10.1 description: Anchore container analysis and policy evaluation engine service keywords: - analysis diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index b1724876..757ece79 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -613,7 +613,7 @@ anchorePolicyEngine: # Available providers are legacy and grype. Legacy provider offers the same matching logic as previous versions of anchore-engine (<= 0.9.4) # grype is a new provider that was introduced in 1.0.0, it uses the grype tool for all things vulnerabilities - vulnerabilityProvider: legacy + vulnerabilityProvider: grype # kubernetes service configuration for anchore policy engine api service: From 5957b31079b97e300ec4eed6fa487e238adc93d6 Mon Sep 17 00:00:00 2001 
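Review bot: `appVersion` moves backwards from `0.10.2` to `0.10.1` in the same hunk that bumps the chart to 1.15.0, and nothing in the commit message explains a downgrade of the application version, so this looks unintended (patch 10/35 later in the series sets it to `1.0.0`). If this chart derives its default image tag from `appVersion`, as many charts do, the change would also silently select an older engine image — confirm the intended application version and set it here rather than two commits later.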
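Review bot: Switching the default `vulnerabilityProvider` from `legacy` to `grype` takes effect for every existing release on its next `helm upgrade` unless the operator has pinned the value, which changes the matching engine and the feed set that is synced (per the `grypedb` comment in engine_configmap.yaml) without an explicit decision. Say so where the operator will see it, e.g. `# NOTE: the default changed from legacy to grype in chart 1.15.0; set this explicitly before upgrading an existing release.`, and in the chart changelog. The comment above also states grype was introduced in 1.0.0 while this commit's `appVersion` is still 0.10.x, so clarify which version that refers to. Patches 10/35 and 11/35 later in the series add upgrade handling for this case.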
From: Brady Todhunter Date: Fri, 24 Sep 2021 12:58:39 -0700 Subject: [PATCH 08/35] add feeds config for sles drivers Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/templates/enterprise_feeds_configmap.yaml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 38a286f9..52bdb396 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.15.0 +version: 1.15.1 appVersion: 0.10.1 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index 7c107c8b..1cbeac04 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml @@ -144,6 +144,8 @@ data: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled | quote) }} vulndb: enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.vulndbDriverEnabled | quote) }} + sles: + enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.slesDriverEnabled | quote) }} msrc: enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.msrcDriverEnabled | quote) }} {{- with .Values.anchoreEnterpriseFeeds.msrcWhitelist }} From db4acb13d7e417185190fba9f9797932e1435977 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 24 Sep 2021 13:28:52 -0700 Subject: [PATCH 09/35] fix grypedb feeds url Signed-off-by: Brady Todhunter --- stable/anchore-engine/templates/engine_configmap.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index d4118b64..1ae4b419 100644 
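Review bot: The new `sles` stanza reads `.Values.anchoreEnterpriseFeeds.slesDriverEnabled`, but the commit touches only Chart.yaml and this template, so the toggle is undeclared in values.yaml and its effective default of `"true"` is visible only inside the template. Add it beside the other driver toggles, e.g. `# Enable SLES advisory feeds` followed by `slesDriverEnabled: true`, so `helm show values` documents it. The surrounding driver mapping starts and ends outside the hunk.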
--- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml @@ -5,14 +5,14 @@ {{- $urlPathSuffix := (default "" (regexFind "/v1.*$" .Values.anchoreEnterpriseFeeds.url)) -}} {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.anchoreEnterpriseFeeds.url) -}} {{- $anchoreFeedsURL = (printf "%s/v1/feeds" $anchoreFeedsHost) -}} - {{- $grypeProviderFeedsExternalURL = (printf "%s/v1/databases/grype" $anchoreFeedsHost) -}} + {{- $grypeProviderFeedsExternalURL = (printf "%s/v1/databases/grypedb" $anchoreFeedsHost) -}} {{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled -}} {{- if .Values.anchoreGlobal.internalServicesSsl.enabled -}} {{- $anchoreFeedsURL = (printf "https://%s:%s/v1/feeds" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} - {{- $grypeProviderFeedsExternalURL = (printf "https://%s:%s/v1/databases/grype" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} + {{- $grypeProviderFeedsExternalURL = (printf "https://%s:%s/v1/databases/grypedb" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} {{- else -}} {{- $anchoreFeedsURL = (printf "http://%s:%s/v1/feeds" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} - {{- $grypeProviderFeedsExternalURL = (printf "http://%s:%s/v1/databases/grype" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} + {{- $grypeProviderFeedsExternalURL = (printf "http://%s:%s/v1/databases/grypedb" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}} {{- end -}} {{- end -}} From 26e543b07827efa93adbe68b1ae73820e9ad002a Mon Sep 17 00:00:00 2001 
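Review bot: Each of the three branches in this block repeats the `include "anchore-engine.enterprise-feeds.fullname"` / `service.port | toString` pair and the `/v1/databases/grypedb` path literal the commit just corrected, so the same typo had to be fixed in three places and could as easily have been missed in one. Compute the service address once above the conditionals, e.g. `{{- $feedsSvc := printf "%s:%s" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) -}}`, pick the scheme with `{{- $scheme := ternary "https" "http" .Values.anchoreGlobal.internalServicesSsl.enabled -}}` (assuming that value is a real boolean), and build each URL from those two so each path appears once. The variable declarations this block assigns to begin before the hunk.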
From: Brady Todhunter Date: Fri, 24 Sep 2021 17:05:31 -0700 Subject: [PATCH 10/35] use grype by default on new installs, but dont change vuln provider upon upgrade unless explicitly set in values Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 4 ++-- stable/anchore-engine/templates/engine_configmap.yaml | 11 ++++++++++- stable/anchore-engine/values.yaml | 8 +++++--- 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 52bdb396..240ed2c5 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: anchore-engine -version: 1.15.1 -appVersion: 0.10.1 +version: 1.15.2 +appVersion: 1.0.0 description: Anchore container analysis and policy evaluation engine service keywords: - analysis diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index 1ae4b419..e2a9d0d4 100644 --- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml @@ -16,6 +16,15 @@ {{- end -}} {{- end -}} +{{- $vulnerabilityProvider := .Values.anchorePolicyEngine.vulnerabilityProvider -}} +{{- if not $vulnerabilityProvider -}} + {{- if .Release.IsUpgrade -}} + {{- $vulnerabilityProvider = "legacy" -}} + {{- else -}} + {{- $vulnerabilityProvider = "grype" -}} + {{- end -}} +{{- end -}} + kind: ConfigMap apiVersion: v1 metadata: @@ -235,7 +244,7 @@ data: cycle_timers: {{- toYaml .Values.anchorePolicyEngine.cycleTimers | nindent 10 }} vulnerabilities: - provider: {{ .Values.anchorePolicyEngine.vulnerabilityProvider }} + provider: {{ $vulnerabilityProvider }} sync: enabled: true ssl_verify: {{ .Values.anchoreGlobal.internalServicesSsl.verifyCerts }} diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 757ece79..c944ff9c 100644 --- a/stable/anchore-engine/values.yaml 
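Review bot: `.Release.IsUpgrade` is true for every upgrade, not only for upgrades from a chart older than 1.15.0, so a release first installed from this chart with `vulnerabilityProvider` unset runs `grype` and then silently switches to `legacy` on its first `helm upgrade`. Helm gives the template no record of what the previous render chose, so the safe option on upgrade is to refuse to guess: replace `{{- $vulnerabilityProvider = "legacy" -}}` with `{{- fail "anchorePolicyEngine.vulnerabilityProvider must be set explicitly when upgrading" -}}` (patch 11/35 later does this with `required`). The new values.yaml comment in this commit, "When upgrading from a chart version <1.15.0, vulnerabilityProvider will default to `legacy`", overstates what the template can check and should be reworded to match.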
+++ b/stable/anchore-engine/values.yaml @@ -611,9 +611,11 @@ anchorePolicyEngine: # 1 minute between checks to verify local grype-db is up to date grypedb_sync: 60 - # Available providers are legacy and grype. Legacy provider offers the same matching logic as previous versions of anchore-engine (<= 0.9.4) - # grype is a new provider that was introduced in 1.0.0, it uses the grype tool for all things vulnerabilities - vulnerabilityProvider: grype + # Available providers are `legacy` and `grype`. + # legacy provider offers the same matching logic as previous versions of anchore-engine <= 0.9.4 + # grype is a new provider that was introduced in 0.10.0, it uses the grype tool for all things vulnerabilities + # When vulnerabilityProvider is left unset the provider defaults to `grype` on new deployments. When upgrading from a chart version <1.15.0, vulnerabilityProvider will default to `legacy`. + vulnerabilityProvider: null # kubernetes service configuration for anchore policy engine api service: From e8f6f28834534772146c6eab246575a50b87bb1f Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 29 Sep 2021 13:19:11 -0700 Subject: [PATCH 11/35] require vulnerabilityProvider to be set when performing an upgrade Signed-off-by: Brady Todhunter --- stable/anchore-engine/Chart.yaml | 2 +- stable/anchore-engine/templates/engine_configmap.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index 240ed2c5..beb1571f 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.15.2 +version: 1.15.3 appVersion: 1.0.0 description: Anchore container analysis and policy evaluation engine service keywords: diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index e2a9d0d4..ecd2d26a 100644 
--- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml @@ -19,7 +19,7 @@ {{- $vulnerabilityProvider := .Values.anchorePolicyEngine.vulnerabilityProvider -}} {{- if not $vulnerabilityProvider -}} {{- if .Release.IsUpgrade -}} - {{- $vulnerabilityProvider = "legacy" -}} + {{ required "A vulnerability provider must be explicitly set with .Values.anchorePolicyEngine.vulnerabilityProvider when upgrading to chart version v1.15.0 or higher." .Values.anchorePolicyEngine.vulnerabilityProvider }} {{- else -}} {{- $vulnerabilityProvider = "grype" -}} {{- end -}} From 992af9e16bcdf6be20b43f018b7b98335513ecf8 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Wed, 29 Sep 2021 16:33:50 -0700 Subject: [PATCH 12/35] disable grypedb driver when using legacy vulnerabilityProvider Signed-off-by: Brady Todhunter --- .../anchore-engine/templates/enterprise_feeds_configmap.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index 1cbeac04..ea7169e4 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml @@ -158,7 +158,11 @@ data: token: ${ANCHORE_GITHUB_TOKEN} {{- end }} grypedb: + {{- if eq .Values.anchorePolicyEngine.vulnerabilityProvider "legacy" }} + enabled: false + {{- else }} enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.grypeDriverEnabled | quote) }} + {{- end }} external_feeds_url: {{ $grypeProviderFeedsExternalURL }} {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }} From 5bb57a9dcb5d3089cf96110da7e22d183b4ace83 Mon Sep 17 00:00:00 2001 
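Review bot: The `required` call is reached only on the branch where `.Values.anchorePolicyEngine.vulnerabilityProvider` is already known to be empty, so it can never succeed; `{{- fail "A vulnerability provider must be explicitly set ..." -}}` says that directly and keeps the block's `{{-`/`-}}` trim style, which the new line drops. Because the check sits behind `.Release.IsUpgrade`, `helm template` and `helm lint` never exercise it, so a CI pipeline that validates rendered manifests will not catch a missing value before a real upgrade fails — worth a sentence in the values.yaml comment. If `required` were ever to pass, `$vulnerabilityProvider` would still be empty and `provider:` would render blank, another reason to prefer an unconditional `fail`.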
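Review bot: `eq .Values.anchorePolicyEngine.vulnerabilityProvider "legacy"` compares the raw value, and with this chart's default of `null` the key is absent from `.Values`; depending on the Go version Helm was built with, `eq` on a missing value and a string either returns false or fails the render with an incompatible-types error. Normalising first avoids both outcomes: `{{- if eq (default "" .Values.anchorePolicyEngine.vulnerabilityProvider) "legacy" }}`. The decision also duplicates the provider resolution in engine_configmap.yaml; if the two ever diverge, the feeds service would build a Grype DB nobody consumes or withhold one the policy engine needs, so a shared named template in _helpers.tpl would keep them in step.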
From: Brady Todhunter Date: Wed, 29 Sep 2021 17:02:36 -0700 Subject: [PATCH 13/35] use a pvc for feeds service workspace by default, but allow customer to disable persistence and use emptydir Signed-off-by: Brady Todhunter --- .../templates/enterprise_feeds_configmap.yaml | 4 +-- .../enterprise_feeds_deployment.yaml | 10 ++++++ .../templates/enterprise_feeds_pvc.yaml | 34 +++++++++++++++++++ stable/anchore-engine/values.yaml | 22 ++++++++++++ 4 files changed, 68 insertions(+), 2 deletions(-) create mode 100644 stable/anchore-engine/templates/enterprise_feeds_pvc.yaml diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index ea7169e4..3720d405 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml @@ -101,12 +101,12 @@ data: cycle_timers: {{- toYaml .Values.anchoreEnterpriseFeeds.cycleTimers | nindent 10 }} # Staging space for holding normalized output from drivers. - local_workspace: {{ .Values.anchoreGlobal.scratchVolume.mountPath }} + local_workspace: {{ .Values.anchoreEnterpriseFeeds.persistence.mountPath }} # Drivers process data from external sources and store normalized data in local_workspace. Processing large data sets # is a time consuming process for some drivers. To speed it up the container is shipped with pre-loaded data which is used # by default if local_workspace is empty. workspace_preload: - # Do not use pre-loaded data if local_workspace is empty. Drivers will generate normalized data from scratch + # Do not use pre-loaded data if local_workspace is empty. Drivers will generate normalized data from local_workspace # disabled: true # To load the workspace from a different location, uncomment and configure workspace_preload_file property to point to the tar.gz file workspace_preload_file: "/workspace_preload/data.tar.gz" 
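Review bot: The reworded comment `# Do not use pre-loaded data if local_workspace is empty. Drivers will generate normalized data from local_workspace` contradicts the condition it explains — when the workspace is empty there is nothing in it to generate from — and the text it replaces ("from scratch") was accurate. Restore that wording, or write `# ... Drivers will regenerate normalized data rather than using the preload.`. The `workspace_preload` mapping continues past the hunk.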
diff --git a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml index 034430d4..2fece19a 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_deployment.yaml @@ -118,6 +118,9 @@ spec: fieldRef: fieldPath: metadata.name volumeMounts: + - name: data + mountPath: {{ .Values.anchoreEnterpriseFeeds.persistence.mountPath }} + subPath: {{ .Values.anchoreEnterpriseFeeds.persistence.subPath }} - name: config-volume mountPath: /config/config.yaml subPath: config.yaml @@ -165,6 +168,13 @@ spec: resources: {{ toYaml .Values.anchoreEnterpriseFeeds.resources | nindent 10 }} volumes: + - name: data + {{- if .Values.anchoreEnterpriseFeeds.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ .Values.anchoreEnterpriseFeeds.persistence.existingClaim | default (include "anchore-engine.enterprise-feeds.fullname" .) }} + {{- else }} + emptyDir: {} + {{- end }} - name: config-volume configMap: name: {{ template "anchore-engine.enterprise-feeds.fullname" . }} diff --git a/stable/anchore-engine/templates/enterprise_feeds_pvc.yaml b/stable/anchore-engine/templates/enterprise_feeds_pvc.yaml new file mode 100644 index 00000000..84c4a880 --- /dev/null +++ b/stable/anchore-engine/templates/enterprise_feeds_pvc.yaml 
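Review bot: In the first hunk `subPath: {{ .Values.anchoreEnterpriseFeeds.persistence.subPath }}` is emitted unconditionally, so clearing the value renders a bare `subPath:` (null) rather than omitting the field; guard it with `{{- with .Values.anchoreEnterpriseFeeds.persistence.subPath }}subPath: {{ . }}{{- end }}`. In the second hunk the `emptyDir: {}` fallback has no `sizeLimit`, so with persistence disabled the driver workspace — sized at 40Gi by this commit's values.yaml default — grows on node ephemeral storage without bound, a noisy-neighbour and eviction risk; exposing a `persistence.emptyDirSizeLimit` value and emitting `sizeLimit` when it is set would make the trade-off explicit. Both the `volumeMounts` and `volumes` lists continue past their hunks.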
@@ -0,0 +1,34 @@
+{{- if and (and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled) (and .Values.anchoreEnterpriseFeeds.persistence.enabled (not .Values.anchoreEnterpriseFeeds.persistence.existingClaim)) -}}
+{{- $component := "enterprise-feeds" -}}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}
+ labels:
+ app: {{ template "anchore-engine.fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ component: {{ $component }}
+ {{- with .Values.anchoreGlobal.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/resource-policy": {{ default "" .Values.anchoreEnterpriseFeeds.persistence.resourcePolicy }}
+{{- if .Values.anchoreEnterpriseFeeds.persistence.annotations }}
+{{ toYaml .Values.anchoreEnterpriseFeeds.persistence.annotations | indent 4 }}
+{{- end }}
+spec:
+ accessModes:
+ - {{ .Values.anchoreEnterpriseFeeds.persistence.accessMode | quote }}
+ resources:
+ requests:
+ storage: {{ .Values.anchoreEnterpriseFeeds.persistence.size | quote }}
+{{- if .Values.anchoreEnterpriseFeeds.persistence.storageClass }}
+{{- if (eq "-" .Values.anchoreEnterpriseFeeds.persistence.storageClass) }}
+ storageClassName: ""
+{{- else }}
+ storageClassName: "{{ .Values.anchoreEnterpriseFeeds.persistence.storageClass }}"
+{{- end }}
+{{- end }}
+{{- end -}}
diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml
index c944ff9c..ff0d0f75 100644
--- a/stable/anchore-engine/values.yaml
+++ b/stable/anchore-engine/values.yaml
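Review bot: The `"helm.sh/resource-policy"` annotation is emitted unconditionally through `default ""`, so with the empty `resourcePolicy` this commit ships as the default the PVC carries an annotation with no value (YAML null), and a user who follows the values comment and writes the literal `nil` gets the string `nil`, which Helm presumably does not treat as a policy. Emit it only when set: `{{- with .Values.anchoreEnterpriseFeeds.persistence.resourcePolicy }}` / `"helm.sh/resource-policy": {{ . | quote }}` / `{{- end }}`. Separately, the `persistence.annotations` block is rendered with `indent 4` on its own line while the labels block above uses `nindent`; `{{- toYaml .Values.anchoreEnterpriseFeeds.persistence.annotations | nindent 4 }}` keeps the two metadata blocks in the same style.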
@@ -788,6 +788,28 @@ anchoreEnterpriseFeeds:
 engineArgs: {}
 # pool_recycle: 600
 
+ # persistence controls the mounting of an external volume for feed driver download workspace.
+ persistence:
+ enabled: true
+ resourcePolicy: # set resource-policy Helm annotation on PVC. Can be nil or "keep"
+
+ ## A manually managed Persistent Volume and Claim
+ ## Requires anchoreEnterpriseFeeds.persistence.enabled: true
+ ## If defined, PVC must be created manually before volume will be bound
+ # existingClaim:
+
+ ## Persistent Volume Storage Class
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ # storageClass: "-"
+ accessMode: ReadWriteOnce
+ size: 40Gi
+ subPath: "postgresql-db"
+ mountPath: /workspace
+
 # kubernetes service configuration for anchore feeds service api
 service:
 type: ClusterIP
From ce89c1fb99b28cf1a21977c352de89805bb70f99 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Wed, 29 Sep 2021 19:17:15 -0700
Subject: [PATCH 14/35] use a postgresql deployment for ruby gems database when the gem driver is enabled
Signed-off-by: Brady Todhunter
---
 stable/anchore-engine/Chart.lock | 7 ++-
 stable/anchore-engine/Chart.yaml | 7 ++-
 stable/anchore-engine/templates/_helpers.tpl | 8 ++++
 .../templates/enterprise_feeds_configmap.yaml | 12 ++---
 .../enterprise_feeds_configmap_env.yaml | 3 ++
 .../templates/enterprise_feeds_secret.yaml | 1 +
 stable/anchore-engine/values.yaml | 46 +++++++++++++------
 7 files changed, 62 insertions(+), 22 deletions(-)
diff --git a/stable/anchore-engine/Chart.lock b/stable/anchore-engine/Chart.lock
index 65184644..bbfc3805 100644
--- a/stable/anchore-engine/Chart.lock
+++ b/stable/anchore-engine/Chart.lock
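Review bot: `subPath: "postgresql-db"` reads as a name carried over from a database volume definition, yet this block mounts the feeds driver download workspace; the key is new in this commit, so there is no compatibility cost to naming it for what it holds, e.g. `subPath: "feeds-workspace"`. `resourcePolicy:` with no value parses as YAML null (yamllint `empty-values`), and the inline comment's "Can be nil" invites a literal `nil`, which is a string to the template; a clearer default is `resourcePolicy: null  # set to "keep" to retain the PVC (and its data) after helm uninstall`. The `## If defined, storageClassName:` comment has lost its value placeholder, presumably an angle-bracket token stripped in transit, and is worth restoring as `## If defined, storageClassName: "<storageClass>"`.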
@@ -5,8 +5,11 @@ dependencies:
 - name: postgresql
 repository: file://./deps/postgresql
 version: 1.0.1
+- name: postgresql
+ repository: file://./deps/postgresql
+ version: 1.0.1
 - name: redis
 repository: https://charts.bitnami.com/bitnami
 version: 10.9.0
-digest: sha256:f764fed6fb7081e73c57591d26e99b82b66e643809a2ba02c1e66bb42782f2b1
-generated: "2020-12-16T13:32:27.349956-08:00"
+digest: sha256:270d68e80fbf5b26bdd92b7a34d4c14be335d088b5f367f57a05ae22a1b8a0ab
+generated: "2021-09-29T19:05:07.656619-07:00"
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index beb1571f..2e55c9c3 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.15.3
+version: 1.15.4
 appVersion: 1.0.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
@@ -32,6 +32,11 @@ dependencies:
 repository: "file://./deps/postgresql"
 condition: anchore-feeds-db.enabled,anchoreEnterpriseGlobal.enabled
 alias: anchore-feeds-db
+ - name: postgresql
+ version: "1.0.1"
+ repository: "file://./deps/postgresql"
+ condition: anchore-feeds-gem-db.enabled,anchoreEnterpriseFeeds.gemDriverEnabled
+ alias: anchore-feeds-gem-db
 - name: redis
 version: "10"
 repository: "https://charts.bitnami.com/bitnami"
diff --git a/stable/anchore-engine/templates/_helpers.tpl b/stable/anchore-engine/templates/_helpers.tpl
index 643d2ff4..69f955dc 100755
--- a/stable/anchore-engine/templates/_helpers.tpl
+++ b/stable/anchore-engine/templates/_helpers.tpl
@@ -121,6 +121,14 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- printf "%s-%s" .Release.Name "anchore-feeds-db" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Create a default fully qualified dependency name for the feeds gem db.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "postgres.anchore-feeds-gem-db.fullname" -}}
+{{- printf "%s-%s" .Release.Name "anchore-feeds-gem-db" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 Create a default fully qualified dependency name for the db.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml
index 3720d405..2c0d0a7e 100644
--- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml
+++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml
@@ -134,12 +134,12 @@ data:
 enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.nvdDriverEnabled | quote) }}
 # npm and gem drivers are explicitly disabled out of the box
 npm:
- enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.npmDriverEnabled | quote) }}
+ enabled: {{ .Values.anchoreEnterpriseFeeds.npmDriverEnabled | quote }}
 gem:
 # rubygem data comes packaged as a PostgreSQL dump file. gem driver loads the pg dump and normalizes the data.
 # To enable gem driver comment the enabled property and uncomment the db_connect property.
- enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.gemDriverEnabled | quote) }}
- db_connect: {{ default "'postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/gems'" .Values.anchoreEnterpriseFeeds.gemDbEndpoint }}
+ enabled: {{ .Values.anchoreEnterpriseFeeds.gemDriverEnabled | quote }}
+ db_connect: "postgresql://${ANCHORE_GEM_DB_USER}:${ANCHORE_GEM_DB_PASSWORD}@${ANCHORE_GEM_DB_HOST}/${ANCHORE_GEM_DB_NAME}"
 nvdv2:
 enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled | quote) }}
 vulndb:
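Review bot: After this hunk the driver `enabled` lines in one file use two forms — `npm`/`gem` (and `msrc`/`github` in the next hunk) now render `.Values.... | quote` directly while `nvd`, `nvdv2` and `grypedb` keep `default "…" (... | quote)` — which makes the file harder to scan and leaves the dropped guard's purpose unexplained. The values.yaml hunk of this commit adds `npmDriverEnabled: false` and `gemDriverEnabled: false`, so the defaults are covered there, but a user values file that sets either key to `null` now renders `enabled:` with no value, since Sprig's `quote` skips nil, and what the feeds service does with an empty field is not visible here. Either keep the `default "false"` form for consistency, or add a one-line comment above `npm:` such as `# npmDriverEnabled / gemDriverEnabled are required keys; defaults live in values.yaml`. The stale comment `# To enable gem driver comment the enabled property and uncomment the db_connect property.` no longer describes the template, which now manages both from `gemDriverEnabled`.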
@@ -147,18 +147,18 @@ data:
 sles:
 enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.slesDriverEnabled | quote) }}
 msrc:
- enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.msrcDriverEnabled | quote) }}
+ enabled: {{ .Values.anchoreEnterpriseFeeds.msrcDriverEnabled | quote }}
 {{- with .Values.anchoreEnterpriseFeeds.msrcWhitelist }}
 whitelist:
 - {{ . }}
 {{- end }}
 github:
- enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.githubDriverEnabled | quote) }}
+ enabled: {{ .Values.anchoreEnterpriseFeeds.githubDriverEnabled | quote }}
 {{- if eq (.Values.anchoreEnterpriseFeeds.githubDriverEnabled | toString) "true" }}
 token: ${ANCHORE_GITHUB_TOKEN}
 {{- end }}
 grypedb:
- {{- if eq .Values.anchorePolicyEngine.vulnerabilityProvider "legacy" }}
+ {{- if eq (.Values.anchorePolicyEngine.vulnerabilityProvider | toString ) "legacy" }}
 enabled: false
 {{- else }}
 enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.grypeDriverEnabled | quote) }}
diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap_env.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap_env.yaml
index 4604dfd9..e058534a 100644
--- a/stable/anchore-engine/templates/enterprise_feeds_configmap_env.yaml
+++ b/stable/anchore-engine/templates/enterprise_feeds_configmap_env.yaml
@@ -23,4 +23,7 @@ data:
 {{- else }}
 ANCHORE_DB_HOST: "{{ template "postgres.anchore-feeds-db.fullname" . }}:5432"
 {{- end }}
+ ANCHORE_GEM_DB_NAME: {{ index .Values "anchore-feeds-gem-db" "postgresDatabase" | quote }}
+ ANCHORE_GEM_DB_USER: {{ index .Values "anchore-feeds-gem-db" "postgresUser" | quote }}
+ ANCHORE_GEM_DB_HOST: "{{ default (include "postgres.anchore-feeds-gem-db.fullname" .) (index .Values "anchore-feeds-gem-db" "externalEndpoint") }}:5432"
 {{- end }}
diff --git a/stable/anchore-engine/templates/enterprise_feeds_secret.yaml b/stable/anchore-engine/templates/enterprise_feeds_secret.yaml
index 6addc0cf..0898a702 100644
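Review bot: `ANCHORE_GEM_DB_HOST` appends `:5432` to `externalEndpoint`, but the values.yaml comment this commit adds for `anchore-feeds-gem-db.externalEndpoint` says to set it to host and port (`mypostgres.myserver.io:5432`), so an external gem database renders as `host:5432:5432` and the connection fails; the `ANCHORE_DB_HOST` lines above appear to use an if/else precisely so that only the chart-managed name gets the port suffix. Apply the suffix only to the generated name: `ANCHORE_GEM_DB_HOST: {{ default (printf "%s:5432" (include "postgres.anchore-feeds-gem-db.fullname" .)) (index .Values "anchore-feeds-gem-db" "externalEndpoint") | quote }}`. The enclosing `{{- if }}` block of this configmap starts outside the hunk.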
--- a/stable/anchore-engine/templates/enterprise_feeds_secret.yaml
+++ b/stable/anchore-engine/templates/enterprise_feeds_secret.yaml
@@ -14,6 +14,7 @@ metadata:
 {{- end }}
 type: Opaque
 stringData:
+ ANCHORE_GEM_DB_PASSWORD: {{ index .Values "anchore-feeds-gem-db" "postgresPassword" | quote }}
 ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }}
 {{- with .Values.anchoreGlobal.saml.secret }}
 ANCHORE_SAML_SECRET: {{ . }}
diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml
index ff0d0f75..8dd144e6 100644
--- a/stable/anchore-engine/values.yaml
+++ b/stable/anchore-engine/values.yaml
@@ -5,18 +5,17 @@ postgresql:
 # To use an external DB or Google CloudSQL in GKE, uncomment & set 'enabled: false'
 # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres
 # enabled: false
+ # If enabled=false specify an external (already existing) postgres deployment for use.
+ # Set to the host and port. eg. mypostgres.myserver.io:5432
+ externalEndpoint: Null
 postgresUser: anchoreengine
 postgresPassword: anchore-postgres,123
 postgresDatabase: anchore
 
- # Specify an external (already existing) postgres deployment for use.
- # Set to the host and port. eg. mypostgres.myserver.io:5432
- externalEndpoint: Null
-
 # Configure size of the persistent volume used with helm managed chart.
 # This should be commented out if using an external endpoint.
 persistence:
- resourcePolicy: nil
+ resourcePolicy: keep
 size: 20Gi
 
 # If running on OpenShift - uncomment the image, imageTag & extraEnv values below.
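Review bot: Changing `resourcePolicy` from `nil` to `keep` for the chart-managed `postgresql` persistence (and, in the next hunk, for `anchore-feeds-db`) changes what `helm uninstall` does with the database PVC — presumably it is now retained together with the Anchore data it holds — yet neither the commit subject nor the 1.15.0 release notes added later on this page mention it. A retained volume full of analysis data is a lifecycle and clean-up concern operators need to know about, so document it beside the value, e.g. `# resourcePolicy: keep retains the PVC (and the data in it) after helm uninstall; remove it to have the volume deleted with the release`, and add a line to the upgrade notes. The `externalEndpoint: Null` relocation is fine as a plain YAML null.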
@@ -704,18 +703,17 @@ anchore-feeds-db:
 # To use an external DB or Google CloudSQL, uncomment & set 'enabled: false'
 # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres
 # enabled: false
+ # if enabled=false specify an external (already existing) postgres deployment for use.
+ # Set to the host and port. eg. mypostgres.myserver.io:5432
+ externalEndpoint: Null
 postgresUser: anchoreengine
 postgresPassword: anchore-postgres,123
 postgresDatabase: anchore-feeds
 
- # Specify an external (already existing) postgres deployment for use.
- # Set to the host and port. eg. mypostgres.myserver.io:5432
- externalEndpoint: Null
-
- # Configure size of the persitant volume used with helm managed chart.
+ # Configure size of the persistent volume used with helm managed chart.
 # This should be commented out if using an external endpoint.
 persistence:
- resourcePolicy: nil
+ resourcePolicy: keep
 size: 20Gi
 
 # If running on OpenShift - uncomment the image, imageTag & extraEnv values below.
@@ -735,15 +733,37 @@ anchore-feeds-db:
 # - name: PATH
 # value: /opt/rh/rh-postgresql96/root/usr/bin:/opt/app-root/src/bin:/opt/app-root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
+# Configure a third postgres database deployment for the enterprise feeds service Ruby Gems DB
+# This is only utilized if anchoreEnterpriseFeeds.gemDriverEnabled=true
+# Database is used for temporarily loading the Ruby gem vulnerability data.
+anchore-feeds-gem-db:
+ # To use an external DB uncomment & set 'enabled: false'
+ # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres
+ # enabled: false
+ # If enabled=false specify an external (already existing) postgres deployment for use.
+ # Set to the host and port. eg. mypostgres.myserver.io:5432
+ externalEndpoint: Null
+ postgresUser: postgres
+ postgresPassword: anchore-postgres,123
+ postgresDatabase: gems
+ persistence:
+ enabled: false
+
 # Configure & enable the Anchore Enterprise on-prem feeds service.
 anchoreEnterpriseFeeds:
- # If enabled is set to false, set anchore-feeds-db.enabled to false to ensure that helm doesn't stand up a unneccessary postgres instance.
+ # If enabled is set to false, set anchore-feeds-db.enabled to false to ensure that helm doesn't stand up a unnecessary postgres instance.
 enabled: true
 
 # Set custom feeds URL. Useful when using a feeds service endpoint that is external from the cluster.
 # i.e. https://:
 url: ""
 
+ # Enable vulnerability drivers for npm data
+ npmDriverEnabled: false
+
+ # Enable vulnerability drivers for gem data
+ gemDriverEnabled: false
+
 # Enable github advisory feeds
 githubDriverEnabled: false
 # GitHub advisory feeds require a github developer personal access token with no permission scopes selected.
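Review bot: The new `anchore-feeds-gem-db` block defaults to `postgresUser: postgres`, the PostgreSQL superuser, with the same `anchore-postgres,123` password the other two database blocks ship, so a deployment that enables the gem driver without overriding values runs a third database, presumably reachable in-cluster, under a published superuser credential. The other two blocks use `postgresUser: anchoreengine`; unless restoring the gems pg dump genuinely requires superuser rights (worth confirming against the feeds service documentation), align it with `postgresUser: anchoreengine` and add `# Override postgresPassword in production; this default is shared by every chart-managed database` above the password line. `persistence:` / `enabled: false` is consistent with the release note elsewhere on this page that calls this deployment ephemeral, so the data-at-rest exposure is limited to the pod lifetime.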
@@ -791,7 +811,7 @@ anchoreEnterpriseFeeds:
 # persistence controls the mounting of an external volume for feed driver download workspace.
 persistence:
 enabled: true
- resourcePolicy: # set resource-policy Helm annotation on PVC. Can be nil or "keep"
+ resourcePolicy: keep # set resource-policy Helm annotation on PVC. Can be nil or "keep"
 
 ## A manually managed Persistent Volume and Claim
 ## Requires anchoreEnterpriseFeeds.persistence.enabled: true
From 9785329b4a8ca6ce542c26397c095e90e361549f Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Wed, 29 Sep 2021 19:21:00 -0700
Subject: [PATCH 15/35] only create gem db env vars if gem driver is enabled
Signed-off-by: Brady Todhunter
---
 .../templates/enterprise_feeds_configmap_env.yaml | 2 ++
 stable/anchore-engine/templates/enterprise_feeds_secret.yaml | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap_env.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap_env.yaml
index e058534a..7aaabbc5 100644
--- a/stable/anchore-engine/templates/enterprise_feeds_configmap_env.yaml
+++ b/stable/anchore-engine/templates/enterprise_feeds_configmap_env.yaml
@@ -23,7 +23,9 @@ data:
 {{- else }}
 ANCHORE_DB_HOST: "{{ template "postgres.anchore-feeds-db.fullname" . }}:5432"
 {{- end }}
+ {{- if .Values.anchoreEnterpriseFeeds.gemDriverEnabled }}
 ANCHORE_GEM_DB_NAME: {{ index .Values "anchore-feeds-gem-db" "postgresDatabase" | quote }}
 ANCHORE_GEM_DB_USER: {{ index .Values "anchore-feeds-gem-db" "postgresUser" | quote }}
 ANCHORE_GEM_DB_HOST: "{{ default (include "postgres.anchore-feeds-gem-db.fullname" .) (index .Values "anchore-feeds-gem-db" "externalEndpoint") }}:5432"
+ {{- end }}
 {{- end }}
diff --git a/stable/anchore-engine/templates/enterprise_feeds_secret.yaml b/stable/anchore-engine/templates/enterprise_feeds_secret.yaml
index 0898a702..86da6f50 100644
--- a/stable/anchore-engine/templates/enterprise_feeds_secret.yaml
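Review bot: The gate added here, `{{- if .Values.anchoreEnterpriseFeeds.gemDriverEnabled }}`, tests Go-template truthiness, while the feeds configmap earlier in this series gates the GitHub token with `eq (... | toString) "true"`; a value supplied as the string `"false"` (for example via `--set-string`) passes the new check and still emits the gem DB variables, and the same form is used in the secret hunk of this commit. Match the existing pattern: `{{- if eq (.Values.anchoreEnterpriseFeeds.gemDriverEnabled | toString) "true" }}`. The enclosing `{{- if }}` block of this configmap starts outside the hunk.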
+++ b/stable/anchore-engine/templates/enterprise_feeds_secret.yaml
@@ -14,7 +14,6 @@ metadata:
 {{- end }}
 type: Opaque
 stringData:
- ANCHORE_GEM_DB_PASSWORD: {{ index .Values "anchore-feeds-gem-db" "postgresPassword" | quote }}
 ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }}
 {{- with .Values.anchoreGlobal.saml.secret }}
 ANCHORE_SAML_SECRET: {{ . }}
@@ -25,5 +24,8 @@ stringData:
 {{- with .Values.anchoreEnterpriseFeeds.githubDriverToken }}
 ANCHORE_GITHUB_TOKEN: {{ . | quote }}
 {{- end }}
+ {{- if .Values.anchoreEnterpriseFeeds.gemDriverEnabled }}
+ ANCHORE_GEM_DB_PASSWORD: {{ index .Values "anchore-feeds-gem-db" "postgresPassword" | quote }}
+ {{- end }}
 {{- end }}
 {{- end }}
From 99a6dcb1e42849e4dc410f96d162bd531a988cd9 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Wed, 29 Sep 2021 23:17:09 -0700
Subject: [PATCH 16/35] update lock file
Signed-off-by: Brady Todhunter
---
 stable/anchore-engine/Chart.lock | 4 ++--
 stable/anchore-engine/values.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/stable/anchore-engine/Chart.lock b/stable/anchore-engine/Chart.lock
index bbfc3805..2071d680 100644
--- a/stable/anchore-engine/Chart.lock
+++ b/stable/anchore-engine/Chart.lock
@@ -11,5 +11,5 @@ dependencies:
 - name: redis
 repository: https://charts.bitnami.com/bitnami
 version: 10.9.0
-digest: sha256:270d68e80fbf5b26bdd92b7a34d4c14be335d088b5f367f57a05ae22a1b8a0ab
-generated: "2021-09-29T19:05:07.656619-07:00"
+digest: sha256:44c16b3d5756edfaa4d86b8e57e6047de3ac0672d932f5cdf9fe1f28220b4fb0
+generated: "2021-09-29T23:16:53.207614-07:00"
diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml
index 8dd144e6..b8dbcbdd 100644
--- a/stable/anchore-engine/values.yaml
+++ b/stable/anchore-engine/values.yaml
@@ -735,7 +735,7 @@ anchore-feeds-db:
 
 # Configure a third postgres database deployment for the enterprise feeds service Ruby Gems DB
 # This is only utilized if anchoreEnterpriseFeeds.gemDriverEnabled=true
-# Database is used for temporarily loading the Ruby gem vulnerability data.
+# Database is used for temporarily loading the Ruby gem vulnerability data by the Enterprise Feeds service.
 anchore-feeds-gem-db:
 # To use an external DB uncomment & set 'enabled: false'
 # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres
@@ -811,7 +811,7 @@ anchoreEnterpriseFeeds:
 # persistence controls the mounting of an external volume for feed driver download workspace.
 persistence:
 enabled: true
- resourcePolicy: keep # set resource-policy Helm annotation on PVC. Can be nil or "keep"
+ resourcePolicy: keep # set resource-policy Helm annotation on PVC. Can be nil or "keep"
 
 ## A manually managed Persistent Volume and Claim
 ## Requires anchoreEnterpriseFeeds.persistence.enabled: true
From f26a5f1629ac7bf13f59b855a1d5b3395b3a0e7a Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Thu, 30 Sep 2021 13:12:27 -0700
Subject: [PATCH 17/35] add upgrade disclaimer and release notes for chart v1.15.0
Signed-off-by: Brady Todhunter
---
 stable/anchore-engine/Chart.yaml | 2 +-
 stable/anchore-engine/README.md | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index 2e55c9c3..1c4cb1ea 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.15.4
+version: 1.15.5
 appVersion: 1.0.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md
index 99367f3a..894f65c4 100644
--- a/stable/anchore-engine/README.md
+++ b/stable/anchore-engine/README.md
@@ -243,6 +243,17 @@ See the anchore-engine [CHANGELOG](https://github.com/anchore/anchore-engine/blo
 A Helm post-upgrade hook job will shut down all previously running Anchore services and perform the Anchore DB upgrade process using a kubernetes job. The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful helm upgrade.
 
+## Chart version 1.15.0
+
+---
+
+Chart version v1.15.0 sets the V2 vulnerability scanner, based on [Grype](https://github.com/anchore/grype), as the default for new deployments. **Users upgrading from chart versions prior to v1.15.0 will need to explicitly set their preferred vulnerability provider using `.Values.anchorePolicyEngine.vulnerabilityProvider`.** If the vulnerabilityProvider is not explicitly set, Helm will prevent an upgrade from being initiated.
+
+* Anchore Engine image updated to v1.0.0 - [Release Notes](https://engine.anchore.io/docs/releasenotes/100/)
+* Anchore Enterprise image updated to v3.2.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/320/)
+* Enterprise Feeds - Now uses a PVC for the persistent workspace directory. This directory is used by the vulnerability drivers for downloading vulnerability data and should be persistent for optimal performance.
+* Enterprise Feeds - When enabling the Ruby Gems vulnerability driver, the helm chart will now spin up an ephemeral Postgresql deployment for the Feeds service to load Ruby vulnerability data.
+
 ## Chart version 1.14.0
 
 ---
 
From 7af5388ab460c6e6e464129eb49749045115771d Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Thu, 30 Sep 2021 16:16:15 -0700
Subject: [PATCH 18/35] dont include gem_db variables if gem driver is disabled
Signed-off-by: Brady Todhunter
---
 stable/anchore-engine/Chart.yaml | 2 +-
 stable/anchore-engine/README.md | 83 ++++++++++---------
 .../templates/enterprise_feeds_configmap.yaml | 2 +
 3 files changed, 45 insertions(+), 42 deletions(-)
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index 1c4cb1ea..749b4395 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.15.5
+version: 1.15.8
 appVersion: 1.0.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md
index 894f65c4..7208bb36 100644
--- a/stable/anchore-engine/README.md
+++ b/stable/anchore-engine/README.md
@@ -2,9 +2,9 @@ [Instructions for migrating deployments from helm/stable to charts.anchore.io](#migrating-to-the-new-anchore-charts-repository) -This chart deploys the Anchore Engine docker container image analysis system. Anchore Engine requires a PostgreSQL database (>=9.6) which may be handled by the chart or supplied externally, and executes in a service based architecture utilizing the following Anchore Engine services: External API, SimpleQueue, Catalog, Policy Engine, and Analyzer. +This chart deploys the Anchore Engine docker container image analysis system. Anchore Engine requires a PostgreSQL database (>=9.6) which may be handled by the chart or supplied externally, and executes in a service-based architecture utilizing the following Anchore Engine services: External API, SimpleQueue, Catalog, Policy Engine, and Analyzer. -This chart can also be used to install the following Anchore Enterprise services: GUI, RBAC, Reporting, Notifications & On-premises Feeds. Enterprise services require a valid Anchore Enterprise License as well as credentials with access to the private DockerHub repository hosting the images. These are not enabled by default. +This chart can also be used to install the following Anchore Enterprise services: GUI, RBAC, Reporting, Notifications & On-premises Feeds. Enterprise services require a valid Anchore Enterprise license, as well as credentials with access to the private DockerHub repository hosting the images. These are not enabled by default. Each of these services can be scaled and configured independently. 
@@ -29,11 +29,11 @@ helm repo add anchore https://charts.anchore.io helm install my-release anchore/anchore-engine ``` -Anchore Engine will take approximately 3 minutes to bootstrap. After the initial bootstrap period, Anchore Engine will begin a vulnerability feed sync. During this time, image analysis will show zero vulnerabilities until the sync is completed. This sync can take multiple hours depending on which feeds are enabled. The following anchore-cli command is available to poll the system and report back when the engine is bootstrapped and the vulnerability feeds are all synced up. `anchore-cli system wait` +Anchore Engine will take approximately three minutes to bootstrap. After the initial bootstrap period, Anchore Engine will begin a vulnerability feed sync. During this time, image analysis will show zero vulnerabilities until the sync is completed. This sync can take multiple hours depending on which feeds are enabled. The following anchore-cli command is available to poll the system and report back when the engine is bootstrapped and the vulnerability feeds are all synced up. `anchore-cli system wait` -The recommended way to install the Anchore Engine Helm Chart is with a customized values file and a custom release name. It is highly recommended to set non-default passwords when deploying, all passwords are set to defaults specified in the chart. It is also recommended to utilize an external database, rather then using the included postgresql chart. +The recommended way to install the Anchore Engine Helm Chart is with a customized values file and a custom release name. It is highly recommended to set non-default passwords when deploying. All passwords are set to defaults specified in the chart. It is also recommended to utilize an external database, rather then using the included postgresql chart. 
-Create a new file named `anchore_values.yaml` and add all desired custom values (examples below); then run the following command: +Create a new file named `anchore_values.yaml` and add all desired custom values (see the following examples); then run the following command: #### Helm v3 installation @@ -61,17 +61,17 @@ anchoreGlobal: ## Adding Enterprise Components - The following features are available to Anchore Enterprise customers. Please contact the Anchore team for more information about getting a license for the enterprise features. [Anchore Enterprise Demo](https://anchore.com/demo/) + The following features are available to Anchore Enterprise customers. Please contact the Anchore team for more information about getting a license for the Enterprise features. [Anchore Enterprise Demo](https://anchore.com/demo/) ```txt - * Role based access control + * Role-based access control * LDAP integration * Graphical user interface * Customizable UI dashboards * On-premises feeds service * Proprietary vulnerability data feed (vulnDB, MSRC) * Anchore reporting API - * Notifications - Slack, GitHub, Jira, etc + * Notifications - Slack, GitHub, Jira, etc. * Microsoft image vulnerability scanning * Kubernetes runtime image inventory/scanning ``` 
@@ -81,28 +81,28 @@ anchoreGlobal: Enterprise services require an Anchore Enterprise license, as well as credentials with permission to the private docker repositories that contain the enterprise images. -To use this Helm chart with the enterprise services enabled, perform these steps. +To use this Helm chart with the Enterprise services enabled, perform the following steps. -1. Create a kubernetes secret containing your license file. +1. Create a Kubernetes secret containing your license file. ```bash kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= ``` -1. Create a kubernetes secret containing DockerHub credentials with access to the private anchore enterprise repositories. +1. Create a Kubernetes secret containing DockerHub credentials with access to the private Anchore Enterprise repositories. ```bash kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username= --docker-password= --docker-email= ``` -1. (demo) Install the Helm chart using default values +1. (demo) Install the Helm chart using default values. ```bash helm repo add anchore https://charts.anchore.io helm install --set anchoreEnterpriseGlobal.enabled=true anchore/anchore-engine ``` -1. (production) Install the Helm chart using a custom anchore_values.yaml file - *see examples below* +1. (production) Install the Helm chart using a custom anchore_values.yaml file - *see the following examples*. ```bash helm repo add anchore https://charts.anchore.io 
@@ -140,7 +140,7 @@ anchore-ui-redis: ## Installing on OpenShift -As of chart version 1.3.1 deployments to OpenShift are fully supported. Due to permission constraints when utilizing OpenShift, the official RHEL postgresql image must be utilized, which requires custom environment variables to be configured for compatibility with this chart. +As of chart version 1.3.1, deployments to OpenShift are fully supported. Due to permission constraints when utilizing OpenShift, the official RHEL postgresql image must be utilized, which requires custom environment variables to be configured for compatibility with this chart. ### Example anchore_values.yaml - deploying on OpenShift @@ -175,7 +175,7 @@ anchoreGlobal: openShiftDeployment: True ``` -To perform an Enterprise deployment on OpenShift use the following anchore_values.yaml configuration +To perform an Enterprise deployment on OpenShift, use the following anchore_values.yaml configuration *Note: Installs with chart managed PostgreSQL database. This is not a guaranteed production ready config.* 
@@ -237,22 +237,23 @@ anchore-ui-redis: # Chart Updates -See the anchore-engine [CHANGELOG](https://github.com/anchore/anchore-engine/blob/master/CHANGELOG.md) for updates to anchore engine. +See the anchore-engine [CHANGELOG](https://github.com/anchore/anchore-engine/blob/master/CHANGELOG.md) for updates to Anchore Engine. ## Upgrading from previous chart versions -A Helm post-upgrade hook job will shut down all previously running Anchore services and perform the Anchore DB upgrade process using a kubernetes job. The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful helm upgrade. +A Helm post-upgrade hook job will shut down all previously running Anchore services and perform the Anchore database upgrade process using a Kubernetes job. +The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. ## Chart version 1.15.0 --- -Chart version v1.15.0 sets the V2 vulnerability scanner, based on [Grype](https://github.com/anchore/grype), as the default for new deployments. **Users upgrading from chart versions prior to v1.15.0 will need to explicitly set their preferred vulnerability provider using `.Values.anchorePolicyEngine.vulnerabilityProvider`.** If the vulnerabilityProvider is not explicitly set, Helm will prevent an upgrade from being initiated. 
+Chart version v1.15.0 sets the V2 vulnerability scanner, based on [Grype](https://github.com/anchore/grype), as the default for new deployments. **Users upgrading from chart versions prior to v1.15.0 will need to explicitly set their preferred vulnerability provider using `.Values.anchorePolicyEngine.vulnerabilityProvider`.** If the vulnerability provider is not explicitly set, Helm will prevent an upgrade from being initiated. * Anchore Engine image updated to v1.0.0 - [Release Notes](https://engine.anchore.io/docs/releasenotes/100/) * Anchore Enterprise image updated to v3.2.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/320/) -* Enterprise Feeds - Now uses a PVC for the persistent workspace directory. This directory is used by the vulnerability drivers for downloading vulnerability data and should be persistent for optimal performance. -* Enterprise Feeds - When enabling the Ruby Gems vulnerability driver, the helm chart will now spin up an ephemeral Postgresql deployment for the Feeds service to load Ruby vulnerability data. +* Enterprise Feeds - Now uses a PVC for the persistent workspace directory. This directory is used by the vulnerability drivers for downloading vulnerability data, and should be persistent for optimal performance. +* Enterprise Feeds - When enabling the Ruby Gems vulnerability driver, the Helm chart will now spin up an ephemeral Postgresql deployment for the Feeds service to load Ruby vulnerability data. ## Chart version 1.14.0 
@@ -276,8 +277,8 @@ Chart version v1.15.0 sets the V2 vulnerability scanner, based on [Grype](https:
 * Anchore Engine image updated to v0.9.1
 * Anchore Enterprise images updated to v3.0.0
-* Existing secrets now work for Enterprise Feeds and Enterprise UI - see [existing secrets configuration](#-Utilize-an-Existing-Secret)
-* Anchore admin default password no longer defaults to `foobar`, if no password is specified a random string will be generated.
+* Existing secrets now work for Enterprise feeds and Enterprise UI - see [existing secrets configuration](#-Utilize-an-Existing-Secret)
+* Anchore admin default password no longer defaults to `foobar`. If no password is specified, a random string will be generated.
 ## Chart version 1.10.0
@@ -299,9 +300,9 @@ For more details see - https://docs.anchore.com/current/docs/engine/releasenotes
 ## Chart version 1.7.0
 ---
-Starting with version 1.7.0 the anchore-engine chart will be hosted on charts.anchore.io - if you're upgrading from a previous version of the chart, you will need to delete your previous deployment and redeploy Anchore Engine using the chart from the Anchore Charts repository.
+Starting with version 1.7.0, the anchore-engine chart will be hosted on charts.anchore.io. If you're upgrading from a previous version of the chart, you will need to delete your previous deployment and redeploy Anchore Engine using the chart from the Anchore Charts repository.
-This version of the chart includes the dependent Postgresql chart in the charts/ directory rather then pulling it from upstream. All apiVersions were updated for compatibility with kubernetes v1.16+ and the postgresql image has been updated to version 9.6.18. The chart version also updates to the latest version of the Redis chart from Bitnami. These dependency updates require deleting and re-installing your chart. If the following process is performed, no data should be lost.
+This version of the chart includes the dependent Postgresql chart in the charts/ directory rather then pulling it from upstream. All apiVersions were updated for compatibility with Kubernetes v1.16+ and the postgresql image has been updated to version 9.6.18. The chart version also updates to the latest version of the Redis chart from Bitnami. These dependency updates require deleting and re-installing your chart. If the following process is performed, no data should be lost.
 ## Migrating To The New Anchore Charts Repository
@@ -311,11 +312,11 @@ These examples use Helm version 3 and kubectl client version 1.18, server versio
 ### **ENSURE MIGRATION IS PERFORMED SEPARATELY FROM ANCHORE ENGINE UPGRADES**
-All helm installation steps will include a flag to override the Anchore Engine/Enterprise images with your current running version. Upgrading your version of Anchore can be performed after moving to the new chart from charts.anchore.io. Record the version of your Anchore deployment and use it anytime the instructions refer to the Engine Code Version.
+All helm installation steps will include a flag to override the Anchore Engine/Enterprise images with your current running version. You can upgrade your version of Anchore after moving to the new chart from charts.anchore.io. Record the version of your Anchore deployment and use it anytime the instructions refer to the Engine Code Version.
 ### Determine Currently Running Anchore Version
-Connect to the anchore-api pod, issue the following command and record the Engine Code Version:
+To determine the currently running Anchore version, connect to the anchore-api pod, issue the following command, and record the Engine Code Version:
 ```bash
 [anchore@anchore-api anchore-engine]$ anchore-cli system status
@@ -341,7 +342,7 @@ helm install --namespace=my-namespace --set anchoreGlobal.image=docker.io/anchor
 ## If Using The Included Postgresql Chart
-When utilizing the included Postgresql chart you will need to reuse the persistent volume claims that are attached to your current deployment. These existing claims will be utilized when re-installing anchore-engine using the new chart from charts.anchore.io.
+When utilizing the included Postgresql chart, you will need to reuse the persistent volume claims that are attached to your current deployment. These existing claims will be utilized when re-installing anchore-engine using the new chart from charts.anchore.io.
 ### Determine Your Database PersistentVolumeClaim
@@ -364,7 +365,7 @@ my-anchore-anchore-feeds-db Bound pvc-cd7ebb6f-bbe0-11ea-b
 my-anchore-postgresql Bound pvc-cd7dc7d2-bbe0-11ea-b9bf-42010a800020 20Gi RWO standard 3d
 ```
-The names of the PersistentVolumeClaims in the example shown are `my-anchore-anchore-feeds-db` and `my-anchore-postgresql`. You may see other persistent volume claims, but only `my-anchore-anchore-feeds-db` and `my-anchore-postgresql` are relevant for this migration; note the names, as you will need them later.
+The names of the PersistentVolumeClaims in the example shown are `my-anchore-anchore-feeds-db` and `my-anchore-postgresql`. You may see other persistent volume claims, but only `my-anchore-anchore-feeds-db` and `my-anchore-postgresql` are relevant for this migration. Remember the names, as you will need them later.
 #### Uninstall Your Anchore Installation With Helm
@@ -373,13 +374,13 @@ $ helm uninstall --namespace=my-namespace my-anchore
 release "my-anchore" uninstalled
 ```
-Anchore Enterprise users will want to remove the Redis DB PersistentVolumeClaim; this will delete all current session data but will not affect stability of the deployment:
+Anchore Enterprise users will want to remove the Redis DB PersistentVolumeClaim. This will delete all current session data but will not affect stability of the deployment:
 ```bash
 kubectl delete pvc redis-data-my-anchore-anchore-ui-redis-master-0
 ```
-Your other PersistentVolumeClaims will still be resident in your cluster (we're showing results from an Anchore Enterprise installation that has a standalone Feeds Service below; Anchore Enterprise users without a standalone Feeds Service and Anchore Engine users will not see `my-anchore-anchore-feeds-db`):
+Your other PersistentVolumeClaims will still be resident in your cluster (we're showing results from an Anchore Enterprise installation that has a standalone Feeds Service below. Anchore Enterprise users without a standalone Feeds Service, and Anchore Engine users will not see `my-anchore-anchore-feeds-db`):
 ```bash
 $ kubectl get persistentvolumeclaim --namespace my-namespace
@@ -467,7 +468,7 @@ You are now running Anchore from the new chart repository, with your data in pla
 ## Upgrade To Latest Version of Anchore
-Now that you're migrated to charts.anchore.io you can upgrade Anchore Engine to the latest version if desired.
+Now that you're migrated to charts.anchore.io, you can upgrade Anchore Engine to the latest version if desired.
 ```bash
 helm upgrade --namespace my-namespace -f anchore_values.yaml my-anchore anchore/anchore-engine
@@ -475,7 +476,7 @@ helm upgrade --namespace my-namespace -f anchore_values.yaml my-anchore anchore/
 # Configuration
-All configurations should be appended to your custom `anchore_values.yaml` file and utilized when installing the chart. While the configuration options of Anchore Engine are extensive, the options provided by the chart are:
+All configurations should be appended to your custom `anchore_values.yaml` file and utilized when installing the chart. While the configuration options of Anchore Engine are extensive, the options provided by the chart are as follows:
 ## Exposing the service outside the cluster using Ingress
@@ -545,7 +546,7 @@ anchoreApi:
 ## Utilize an Existing Secret
-Secrets should be created prior to running `helm install`. These can be used to override the secret provisioned by the helm chart, preventing plaintext passwords in your values.yaml file.
+Secrets should be created prior to running `helm install`. These can be used to override the secret provisioned by the Helm chart, preventing plain text passwords in your values.yaml file.
 ```yaml
 anchoreGlobal:
@@ -617,7 +618,7 @@ cloudsql:
 *Note: it is recommended to use an external archive driver for production installs.*
-The archive subsystem of Anchore Engine is what stores large json documents and can consume quite a lot of storage if
+The archive subsystem of Anchore Engine is what stores large JSON documents, and can consume substantial storage if
 you analyze a lot of images. A general rule for storage provisioning is 10MB per image analyzed, so with thousands of analyzed images, you may need many gigabytes of storage. The Archive drivers now support other backends than just postgresql, so you can leverage external and scalable storage systems and keep the postgresql storage usage to a much lower level.
@@ -641,7 +642,7 @@ anchoreCatalog:
 * S3 - Any AWS s3-api compatible system (e.g. minio, scality, etc)
 * OpenStack Swift
-* Local FS - A local filesystem on the core pod. Does not handle sharding or replication, so generally only for testing.
+* Local FS - A local file system on the core pod. It does not handle sharing or replication, so it is generally only for testing.
 * DB - the default postgresql backend
 ### S3
@@ -665,10 +666,10 @@ anchoreCatalog:
 ### Using Swift
-The swift configuration is basically a pass-thru to the underlying pythonswiftclient so it can take quite a few different
-options depending on your swift deployment and config. The best way to configure the swift driver is by using a custom values.yaml
+The Swift configuration is basically a pass-thru to the underlying pythonswiftclient so it can take quite a few different
+options depending on your Swift deployment and config. The best way to configure the Swift driver is by using a custom values.yaml.
-The Swift driver supports three authentication methods:
+The Swift driver supports the following authentication methods:
 * Keystone V3
 * Keystone V2
@@ -715,7 +716,7 @@ anchoreCatalog:
 ... # Compression config here
 ```
-#### Legacy username/password
+#### Legacy Username/Password
 ```yaml
 anchoreCatalog:
@@ -739,7 +740,7 @@ This is the default archive driver and requires no additional configuration.
 ## Prometheus Metrics
-Anchore Engine supports exporting prometheus metrics form each container. To enable metrics:
+Anchore Engine supports exporting prometheus metrics form each container. Do the following to enable metrics:
 ```yaml
 anchoreGlobal:
@@ -747,7 +748,7 @@ anchoreGlobal:
 ```
 When enabled, each service provides the metrics over the existing service port so your prometheus deployment will need to
-know about each pod and the ports it provides to scrape the metrics.
+know about each pod, and the ports it provides to scrape the metrics.
 ## Using custom certificates
diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml
index 2c0d0a7e..40a3de8b 100644
--- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml
+++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml
@@ -139,7 +139,9 @@ data:
 # rubygem data comes packaged as a PostgreSQL dump file. gem driver loads the pg dump and normalizes the data.
 # To enable gem driver comment the enabled property and uncomment the db_connect property.
 enabled: {{ .Values.anchoreEnterpriseFeeds.gemDriverEnabled | quote }}
+ {{- if .Values.anchoreEnterpriseFeeds.gemDriverEnabled }}
 db_connect: "postgresql://${ANCHORE_GEM_DB_USER}:${ANCHORE_GEM_DB_PASSWORD}@${ANCHORE_GEM_DB_HOST}/${ANCHORE_GEM_DB_NAME}"
+ {{- end }}
 nvdv2:
 enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled | quote) }}
 vulndb:
From d367623c084003b5e776a551ffb1a61c017fecd7 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Fri, 1 Oct 2021 11:54:12 -0700
Subject: [PATCH 19/35] bump engine/enterprise images to release version
Signed-off-by: Brady Todhunter
---
stable/anchore-engine/values.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml
index b8dbcbdd..a84dc38e 100644
--- a/stable/anchore-engine/values.yaml
+++ b/stable/anchore-engine/values.yaml
@@ -98,7 +98,7 @@ ingress:
 # Global configuration shared by all anchore-engine services.
 anchoreGlobal:
 # Image used for all anchore engine deployments (excluding enterprise components).
- image: docker.io/anchore/anchore-engine:v0.10.2
+ image: docker.io/anchore/anchore-engine:v1.0.0
 imagePullPolicy: IfNotPresent
 # Set image pull secret name if using an anchore-engine image from a private registry
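Review bot: The context comment just above the new `{{- if }}` still instructs the reader to "comment the enabled property and uncomment the db_connect property", but after this change `db_connect` is emitted by the template only when `.Values.anchoreEnterpriseFeeds.gemDriverEnabled` is set, so hand-editing the rendered ConfigMap no longer enables the driver; replace it with `# db_connect is rendered only when .Values.anchoreEnterpriseFeeds.gemDriverEnabled is true; the credentials are resolved from the ANCHORE_GEM_DB_* environment variables at runtime.` The `enabled:` line pipes the value through `quote` while the new `if` tests it raw, so a user who writes `gemDriverEnabled: "false"` (a string) gets `enabled: "false"` yet still has the `db_connect` block rendered, because any non-empty string is truthy in Go templates. If that mismatch matters, compare explicitly: `{{- if eq (toString .Values.anchoreEnterpriseFeeds.gemDriverEnabled) "true" }}`.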
@@ -691,7 +691,7 @@ anchoreEnterpriseGlobal:
 # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=
 licenseSecretName: anchore-enterprise-license
- image: docker.io/anchore/enterprise:v3.1.2
+ image: docker.io/anchore/enterprise:v3.2.0
 imagePullPolicy: IfNotPresent
 # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images.
 # Create this secret with the following command - kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username= --docker-password= --docker-email=
@@ -980,7 +980,7 @@ anchoreEnterpriseNotifications:
 anchoreEnterpriseUi:
 # If enabled is set to false, set anchore-ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance.
 enabled: true
- image: docker.io/anchore/enterprise-ui:v3.1.1
+ image: docker.io/anchore/enterprise-ui:v3.2.0
 imagePullPolicy: IfNotPresent
 # Set extra environment variables. These will be set on all UI containers.
From 8d6b4714b9ce4d3578c9bf8a302b11eec25b5589 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Mon, 4 Oct 2021 12:04:12 -0700
Subject: [PATCH 20/35] bump chart version
Signed-off-by: Brady Todhunter
---
stable/anchore-engine/Chart.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index 749b4395..f914b061 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.15.8
+version: 1.15.0
 appVersion: 1.0.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
From 02ec5a402dc46ca02abf102d07b8510771f36c36 Mon Sep 17 00:00:00 2001
From: James Petersen
Date: Fri, 17 Sep 2021 14:43:29 -0600
Subject: [PATCH 21/35] use kai in path
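Review bot: In the Chart.yaml hunk, `version` moves from `1.15.8` to `1.15.0`, which is a decrease rather than the bump the subject describes; if `1.15.8` was ever published to the chart index, Helm's semver ordering keeps treating it as newer than `1.15.0` and the subsequent `1.15.1`, so `helm upgrade` users would not pick up these releases. If `1.15.8` was a typo that never shipped (the later move to `1.15.1` suggests the intended line is 1.15.x), saying so in the commit message would make the downgrade intentional; otherwise the next release needs a version above `1.15.8`.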
Signed-off-by: James Petersen
---
stable/kai/templates/deployment.yaml | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/stable/kai/templates/deployment.yaml b/stable/kai/templates/deployment.yaml
index 4bb4f03e..99e9a657 100644
--- a/stable/kai/templates/deployment.yaml
+++ b/stable/kai/templates/deployment.yaml
@@ -31,8 +31,7 @@ spec:
 {{- toYaml .Values.securityContext | nindent 12 }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
- command: ["/kai"]
- args: ["--config", "/.kai.yaml"]
+ command: ["kai"]
 ports:
 - name: http
 containerPort: 80
@@ -40,7 +39,7 @@ spec:
 livenessProbe:
 exec:
 command:
- - /kai
+ - kai
 - version
 initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
 timeoutSeconds: {{ .Values.probes.liveness.timeoutSeconds }}
@@ -50,7 +49,7 @@ spec:
 readinessProbe:
 exec:
 command:
- - /kai
+ - kai
 - version
 timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }}
 periodSeconds: {{ .Values.probes.readiness.periodSeconds }}
@@ -60,7 +59,7 @@ spec:
 {{- toYaml .Values.resources | nindent 12 }}
 volumeMounts:
 - name: config-volume
- mountPath: /.kai.yaml
+ mountPath: /home/nonroot/.kai.yaml
 subPath: .kai.yaml
 envFrom:
 {{- if not .Values.inject_secrets_via_env }}
From 433f80d7d171b77d892190d9a615c81bc36418f3 Mon Sep 17 00:00:00 2001
From: James Petersen
Date: Fri, 17 Sep 2021 14:47:22 -0600
Subject: [PATCH 22/35] upgrade the chart version
Signed-off-by: James Petersen
---
stable/kai/Chart.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stable/kai/Chart.yaml b/stable/kai/Chart.yaml
index 61746357..cb9f1abd 100644
--- a/stable/kai/Chart.yaml
+++ b/stable/kai/Chart.yaml
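Review bot: Dropping `args: ["--config", "/.kai.yaml"]` in the first hunk makes the config-file lookup implicit: the file is now mounted at `/home/nonroot/.kai.yaml` (last hunk), so the binary has to find it through the home directory of whatever user it runs as, which depends on `.Values.securityContext` and the image's passwd entry rather than on anything the chart pins down. If an operator overrides `runAsUser`, HOME may no longer be `/home/nonroot` and the pod would start on kai's built-in defaults, silently ignoring the mounted config, including the `anchore` credentials and namespace selection rendered by the configmap. Keeping the path explicit avoids that: `args: ["--config", "/home/nonroot/.kai.yaml"]`. The same applies to `command: ["kai"]` and the probe commands, which now rely on PATH lookup inside the image; presumably fine for the published image, but an absolute path is easier to verify. The container spec continues outside the hunk.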
@@ -28,7 +28,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.2
+version: 0.2.3
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
From 8ec33b7c7229ac089598a67757611831121b3515 Mon Sep 17 00:00:00 2001
From: James Petersen
Date: Fri, 17 Sep 2021 14:48:20 -0600
Subject: [PATCH 23/35] upgrade the kai version
Signed-off-by: James Petersen
---
stable/kai/Chart.yaml | 2 +-
stable/kai/values.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/stable/kai/Chart.yaml b/stable/kai/Chart.yaml
index cb9f1abd..5d20027e 100644
--- a/stable/kai/Chart.yaml
+++ b/stable/kai/Chart.yaml
@@ -33,6 +33,6 @@ version: 0.2.3
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 0.2.1
+appVersion: 0.2.2
 icon: https://anchore.com/wp-content/uploads/2016/08/anchore.png
diff --git a/stable/kai/values.yaml b/stable/kai/values.yaml
index 9706851e..a893b725 100644
--- a/stable/kai/values.yaml
+++ b/stable/kai/values.yaml
@@ -8,7 +8,7 @@ image:
 repository: anchore/kai
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
- tag: "v0.2.1"
+ tag: "v0.2.2"
 imagePullSecrets: []
 nameOverride: ""
From aa429a67bc3bc7807b55e698f8d1ee9be37162a8 Mon Sep 17 00:00:00 2001
From: James Petersen
Date: Fri, 8 Oct 2021 16:00:03 -0600
Subject: [PATCH 24/35] upgrade kai chart version
Signed-off-by: James Petersen
---
stable/kai/Chart.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stable/kai/Chart.yaml b/stable/kai/Chart.yaml
index 5d20027e..ea00a9ef 100644
--- a/stable/kai/Chart.yaml
+++ b/stable/kai/Chart.yaml
@@ -28,7 +28,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.3
+version: 0.2.4
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
From efe3b96711f4cd93c776dad6d1acb1870e3ef594 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Fri, 29 Oct 2021 14:51:29 -0700
Subject: [PATCH 25/35] bump anchore images to latest version
Signed-off-by: Brady Todhunter
---
stable/anchore-engine/Chart.yaml | 4 ++--
stable/anchore-engine/values.yaml | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index f914b061..0cdb3301 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.15.0
-appVersion: 1.0.0
+version: 1.15.1
+appVersion: 1.0.1
 description: Anchore container analysis and policy evaluation engine service
 keywords:
 - analysis
diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml
index a84dc38e..46e40193 100644
--- a/stable/anchore-engine/values.yaml
+++ b/stable/anchore-engine/values.yaml
@@ -98,7 +98,7 @@ ingress:
 # Global configuration shared by all anchore-engine services.
 anchoreGlobal:
 # Image used for all anchore engine deployments (excluding enterprise components).
- image: docker.io/anchore/anchore-engine:v1.0.0
+ image: docker.io/anchore/anchore-engine:v1.0.1
 imagePullPolicy: IfNotPresent
 # Set image pull secret name if using an anchore-engine image from a private registry
@@ -691,7 +691,7 @@ anchoreEnterpriseGlobal:
 # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=
 licenseSecretName: anchore-enterprise-license
- image: docker.io/anchore/enterprise:v3.2.0
+ image: docker.io/anchore/enterprise:v3.2.1
 imagePullPolicy: IfNotPresent
 # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images.
 # Create this secret with the following command - kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username= --docker-password= --docker-email=
@@ -980,7 +980,7 @@ anchoreEnterpriseNotifications:
 anchoreEnterpriseUi:
 # If enabled is set to false, set anchore-ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance.
 enabled: true
- image: docker.io/anchore/enterprise-ui:v3.2.0
+ image: docker.io/anchore/enterprise-ui:v3.2.1
 imagePullPolicy: IfNotPresent
 # Set extra environment variables. These will be set on all UI containers.
From c09310aa7c4dbe15a66aef47acb2eef3aba81ab7 Mon Sep 17 00:00:00 2001
From: James Petersen
Date: Tue, 9 Nov 2021 12:44:13 -0700
Subject: [PATCH 26/35] honor the timeout seconds config in kai
Signed-off-by: James Petersen
---
stable/kai/Chart.yaml | 2 +-
stable/kai/templates/configmap.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/stable/kai/Chart.yaml b/stable/kai/Chart.yaml
index ea00a9ef..8e7cefdd 100644
--- a/stable/kai/Chart.yaml
+++ b/stable/kai/Chart.yaml
@@ -28,7 +28,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.4
+version: 0.2.5
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/stable/kai/templates/configmap.yaml b/stable/kai/templates/configmap.yaml
index d1390632..911ee60d 100644
--- a/stable/kai/templates/configmap.yaml
+++ b/stable/kai/templates/configmap.yaml
@@ -30,4 +30,4 @@ data:
 account: {{ .Values.kai.anchore.account }}
 http:
 insecure: {{ .Values.kai.anchore.http.insecure }}
- timeoutSeconds: {{ .Values.kai.anchore.http.timeoutSeconds }}
+ timeout-seconds: {{ .Values.kai.anchore.http.timeoutSeconds }}
From 5ecdfdcdf92eae4c2f0ec370c6483d3b6b64e18c Mon Sep 17 00:00:00 2001
From: James Petersen
Date: Tue, 16 Nov 2021 19:12:33 -0700
Subject: [PATCH 27/35] update the chart and app version
Signed-off-by: James Petersen
---
stable/kai/Chart.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/stable/kai/Chart.yaml b/stable/kai/Chart.yaml
index 8e7cefdd..1c0edebc 100644
--- a/stable/kai/Chart.yaml
+++ b/stable/kai/Chart.yaml
@@ -28,11 +28,11 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.5
+version: 0.2.6
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 0.2.2
+appVersion: 0.2.3
 icon: https://anchore.com/wp-content/uploads/2016/08/anchore.png
From 6f741e0883252e6af261ee6ffa3310bcd5550f64 Mon Sep 17 00:00:00 2001
From: James Petersen
Date: Tue, 16 Nov 2021 19:12:47 -0700
Subject: [PATCH 28/35] update the configuration
Signed-off-by: James Petersen
---
stable/kai/templates/configmap.yaml | 8 ++++-
stable/kai/values.yaml | 52 +++++++++++++++++++++++++----
2 files changed, 53 insertions(+), 7 deletions(-)
diff --git a/stable/kai/templates/configmap.yaml b/stable/kai/templates/configmap.yaml
index 911ee60d..3edab6c2 100644
--- a/stable/kai/templates/configmap.yaml
+++ b/stable/kai/templates/configmap.yaml
@@ -22,7 +22,13 @@ data:
 {{- toYaml .Values.kai.namespaces | nindent 6 }}
 mode: {{ .Values.kai.mode }}
 polling-interval-seconds: {{ .Values.kai.pollingIntervalSeconds }}
- kubernetes-request-timeout-seconds: {{ .Values.kai.kubernetesRequestTimeoutSeconds }}
+ kubernetes:
+ request-timeout-seconds: {{ .Values.kai.kubernetes.requestTimeoutSeconds }}
+ request-batch-size: {{ .Values.kai.kubernetes.requestBatchSize }}
+ worker-pool-size: {{ .Values.kai.kubernetes.workerPoolSize }}
+ ignore-not-running: {{ .Values.kai.ignoreNotRunning }}
+ missing-tag-policy:
+ {{- toYaml .Values.kai.missingTagPolicy | nindent 6 }}
 anchore:
 url: {{ .Values.kai.anchore.url }}
 user: {{ .Values.kai.anchore.user }}
diff --git a/stable/kai/values.yaml b/stable/kai/values.yaml
index 094591fe..bad7a570 100644
--- a/stable/kai/values.yaml
+++ b/stable/kai/values.yaml
@@ -99,18 +99,58 @@ kai:
 path: use-in-cluster
 cluster: docker-desktop
- # Which namespaces to search (can just be a single element "all" or it can be multiple)
+ # Which namespaces to search or exclude.
 namespaces:
- - all
+ # Namespaces to include as explicit strings, not regex
+ # NOTE: Will search ALL namespaces if left as an empty array
+ include: []
+
+ # List of namespaces to exclude, can use explicit strings and/or regexes.
+ # For example
+ #
+ # list:
+ # - default
+ # - ^kube-*
+ #
+ # Will exclude the default, kube-system, and kube-public namespaces
+ exclude: []
 # Can be one of adhoc, periodic (defaults to adhoc)
 mode: periodic
 # Only respected if mode is periodic
- pollingIntervalSeconds: 60
-
- # Configure the request timeout for the k8s api interaction
- kubernetesRequestTimeoutSeconds: 60
+ pollingIntervalSeconds: 600
+
+ # Kubernetes API configuration parameters (should not need tuning)
+ kubernetes:
+ # Sets the request timeout for kubernetes API requests
+ requestTimeoutSeconds: 60
+
+ # Sets the number of objects to iteratively return when listing resources
+ requestBatchSize: 100
+
+ # Worker pool size for collecting pods from namespaces. Adjust this if the api-server gets overwhelmed
+ workerPoolSize: 100
+
+ # Handle cases where a tag is missing. For example - images designated by digest
+ missingTagPolicy:
+ # One of the following options [digest, insert, drop]. Default is 'digest'
+ #
+ # [digest] will use the image's digest as a dummy tag.
+ #
+ # [insert] will insert a default tag in as a dummy tag. The dummy tag is
+ # customizable under missing-tag-policy.tag
+ #
+ # [drop] will drop images that do not have tags associated with them. Not
+ # recommended.
+ policy: digest
+
+ # Dummy tag to use. Only applicable if policy is 'insert'. Defaults to UNKNOWN
+ tag: UNKNOWN
+
+
+ # Ignore images out of pods that are not in a Running state
+ ignoreNotRunning: true
 anchore:
 url:
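Review bot: The `exclude` example `- ^kube-*` does not match what the comment two lines below claims: as a regex, `^kube-*` is "kube" followed by zero or more hyphens, so it anchors only on the prefix `kube` and would also drop a namespace named `kube` or `kubecost` from the inventory, while the pattern for `kube-system` and `kube-public` is `^kube-` (or `^kube-.*`). Since an over-broad exclude silently removes workloads from scanning, the example should be `# - ^kube-`, and the comment could add `# patterns are regexes; anchor them to avoid matching substrings`, assuming kai applies them with unanchored matching (not visible here). Separately, `pollingIntervalSeconds` moves from 60 to 600 with no comment explaining the ten-fold change (the next commit in the series reverts it), and there are two blank lines after `tag: UNKNOWN` where the rest of the file uses one.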
From 62c2f465b47849c7025b095def25f3c606d6b22e Mon Sep 17 00:00:00 2001
From: James Petersen
Date: Tue, 16 Nov 2021 19:31:04 -0700
Subject: [PATCH 29/35] auto-roll the deployment on config update
Signed-off-by: James Petersen
---
stable/kai/templates/deployment.yaml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/stable/kai/templates/deployment.yaml b/stable/kai/templates/deployment.yaml
index 99e9a657..04aee624 100644
--- a/stable/kai/templates/deployment.yaml
+++ b/stable/kai/templates/deployment.yaml
@@ -11,10 +11,11 @@ spec:
 {{- include "kai.selectorLabels" . | nindent 6 }}
 template:
 metadata:
- {{- with .Values.podAnnotations }}
 annotations:
+ {{- with .Values.podAnnotations }}
 {{- toYaml . | nindent 8 }}
- {{- end }}
+ {{- end }}
+ checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
 labels:
 {{- include "kai.selectorLabels" . | nindent 8 }}
 spec:
From 710c7984acec1b3b9bff046a4d4daebb6ac33b39 Mon Sep 17 00:00:00 2001
From: James Petersen
Date: Wed, 17 Nov 2021 20:22:04 -0700
Subject: [PATCH 30/35] match the configuration to a backwards compatible config
Signed-off-by: James Petersen
---
stable/kai/templates/configmap.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/stable/kai/templates/configmap.yaml b/stable/kai/templates/configmap.yaml
index 3edab6c2..5bd774ff 100644
--- a/stable/kai/templates/configmap.yaml
+++ b/stable/kai/templates/configmap.yaml
@@ -20,8 +20,11 @@ data:
 file: {{ .Values.kai.log.file }}
 namespaces:
 {{- toYaml .Values.kai.namespaces | nindent 6 }}
+ namespace-selectors:
+ {{- toYaml .Values.kai.namespaceSelectors | nindent 6 }}
 mode: {{ .Values.kai.mode }}
 polling-interval-seconds: {{ .Values.kai.pollingIntervalSeconds }}
+ kubernetes-request-timeout-seconds: {{ .Values.kai.kubernetesRequestTimeoutSeconds }}
 kubernetes:
 request-timeout-seconds: {{ .Values.kai.kubernetes.requestTimeoutSeconds }}
 request-batch-size: {{ .Values.kai.kubernetes.requestBatchSize }}
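Review bot: The new `checksum/config` annotation only hashes `configmap.yaml`, so a change to the Secret the container consumes via `envFrom` (visible further down this template in the earlier deployment hunk, gated by `.Values.inject_secrets_via_env`) will not roll the pods; rotated Anchore credentials stay in use by the running process until something else restarts it. If that Secret is rendered by this chart, add a sibling line such as `checksum/secret: {{ include (print $.Template.BasePath "/<secret-template>.yaml") . | sha256sum }}` with the real template file name in place of the placeholder; if it is supplied externally, a comment noting that credential rotation needs a manual rollout would avoid surprise. The `annotations:` key is now emitted unconditionally, which is fine since the checksum line always follows it.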
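Review bot: `kubernetes-request-timeout-seconds: {{ .Values.kai.kubernetesRequestTimeoutSeconds }}` references a value that the previous commit's values.yaml hunk removed (the setting now lives at `kai.kubernetes.requestTimeoutSeconds`) and that no later patch visible here restores, so with default values the key renders as a bare `kubernetes-request-timeout-seconds:` (YAML null) instead of the former default of 60. If the key exists to keep older kai binaries working, derive it from the new setting: `kubernetes-request-timeout-seconds: {{ .Values.kai.kubernetesRequestTimeoutSeconds | default .Values.kai.kubernetes.requestTimeoutSeconds }}`. The same applies to `namespace-selectors`, whose `kai.namespaceSelectors` value does not exist until the next commit renames `namespaces`; at this commit one of the two blocks renders populated and the other null, and a comment stating which key a given kai version reads would help whoever maintains the compatibility shim.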
From b063a7f04741c2ea7ff7d186fcc7b52954b4f9e4 Mon Sep 17 00:00:00 2001
From: James Petersen
Date: Wed, 17 Nov 2021 20:26:58 -0700
Subject: [PATCH 31/35] update values file with app version
Signed-off-by: James Petersen
---
stable/kai/values.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/stable/kai/values.yaml b/stable/kai/values.yaml
index bad7a570..de53de73 100644
--- a/stable/kai/values.yaml
+++ b/stable/kai/values.yaml
@@ -8,7 +8,7 @@ image:
 repository: anchore/kai
 pullPolicy: IfNotPresent
 # Overrides the image tag whose default is the chart appVersion.
- tag: "v0.2.2"
+ tag: "v0.3.0"
 imagePullSecrets: []
 nameOverride: ""
@@ -100,7 +100,7 @@ kai:
 cluster: docker-desktop
 # Which namespaces to search or exclude.
- namespaces:
+ namespaceSelectors:
 # Namespaces to include as explicit strings, not regex
 # NOTE: Will search ALL namespaces if left as an empty array
 include: []
@@ -119,7 +119,7 @@ kai:
 mode: periodic
 # Only respected if mode is periodic
- pollingIntervalSeconds: 600
+ pollingIntervalSeconds: 60
 # Kubernetes API configuration parameters (should not need tuning)
 kubernetes:
From c27cc79574671d799c949ef31c1abf454174e022 Mon Sep 17 00:00:00 2001
From: James Petersen
Date: Wed, 17 Nov 2021 20:27:52 -0700
Subject: [PATCH 32/35] bump the minor version for app and chart
Signed-off-by: James Petersen
---
stable/kai/Chart.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/stable/kai/Chart.yaml b/stable/kai/Chart.yaml
index 1c0edebc..1af3746f 100644
--- a/stable/kai/Chart.yaml
+++ b/stable/kai/Chart.yaml
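Review bot: Renaming `namespaces` to `namespaceSelectors` in the second hunk leaves the configmap template's `namespaces: {{- toYaml .Values.kai.namespaces | nindent 6 }}` (context in the previous commit's configmap hunk) pointing at a value that no longer exists, so the rendered config now carries `namespaces: null` beside the populated `namespace-selectors` block. Unless a later patch removes that template line, either drop the `namespaces:` pair from configmap.yaml or keep a commented `# namespaces:` entry here with a note that it is the legacy key read by older kai releases, so operators pinning an older `image.tag` know which block applies. The `kai:` mapping continues outside the hunk.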
@@ -28,11 +28,11 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.6
+version: 0.3.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 0.2.3
+appVersion: 0.3.0
icon: https://anchore.com/wp-content/uploads/2016/08/anchore.png
From 3d6aaf6bfa50c44bc41ad8c7d372b8a9d4212605 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Thu, 2 Dec 2021 14:49:14 -0800
Subject: [PATCH 33/35] add image_gc configuration
Signed-off-by: Brady Todhunter
---
stable/anchore-engine/templates/engine_configmap.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml
index ecd2d26a..2e7cb843 100644
--- a/stable/anchore-engine/templates/engine_configmap.yaml
+++ b/stable/anchore-engine/templates/engine_configmap.yaml
@@ -198,6 +198,8 @@ data:
repo_watcher: {{ .Values.anchoreCatalog.cycleTimers.repo_watcher }}
k8s_watcher: {{ .Values.anchoreCatalog.cycleTimers.k8s_watcher }}
k8s_image_watcher: {{ .Values.anchoreCatalog.cycleTimers.k8s_image_watcher }}
+ image_gc:
+ max_worker_threads: {{ default 1 .Values.anchoreCatalog.imageGCMaxWorkerThreads }}
event_log:
{{- toYaml .Values.anchoreCatalog.events | nindent 10 }}
analysis_archive:
From 57932cef07dbfbfeac87365110b44c50d2c1deb8 Mon Sep 17 00:00:00 2001
From: Brady Todhunter
Date: Thu, 2 Dec 2021 14:49:31 -0800
Subject: [PATCH 34/35] bump anchore images to latest version & bump chart version 
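Review bot: `{{ default 1 .Values.anchoreCatalog.imageGCMaxWorkerThreads }}` in the engine_configmap hunk also turns an explicit `imageGCMaxWorkerThreads: 0` into 1, because Helm's `default` treats 0 as empty; if the catalog accepts 0 (or should reject it loudly), unset and zero need to be told apart. Testing presence keeps an explicit value honest: `max_worker_threads: {{ if hasKey .Values.anchoreCatalog "imageGCMaxWorkerThreads" }}{{ .Values.anchoreCatalog.imageGCMaxWorkerThreads }}{{ else }}1{{ end }}`. This patch adds only the template side, so a documented entry in values.yaml (`# Worker threads for the catalog image garbage collector; defaults to 1`) would let users discover the knob, and nesting it as `imageGC.maxWorkerThreads` would match the structured siblings (`cycleTimers`, `events`) already used under `anchoreCatalog`.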
Signed-off-by: Brady Todhunter
---
stable/anchore-engine/Chart.yaml | 4 ++--
stable/anchore-engine/README.md | 16 +++++-----------
stable/anchore-engine/values.yaml | 6 +++---
3 files changed, 10 insertions(+), 16 deletions(-)
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index 0cdb3301..1f6ff75a 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: anchore-engine
-version: 1.15.1
-appVersion: 1.0.1
+version: 1.16.0
+appVersion: 1.1.0
description: Anchore container analysis and policy evaluation engine service
keywords:
- analysis
diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md
index 7208bb36..3690e854 100644
--- a/stable/anchore-engine/README.md
+++ b/stable/anchore-engine/README.md
@@ -244,9 +244,12 @@ See the anchore-engine [CHANGELOG](https://github.com/anchore/anchore-engine/blo A Helm post-upgrade hook job will shut down all previously running Anchore services and perform the Anchore database upgrade process using a Kubernetes job. The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful Helm upgrade. -## Chart version 1.15.0 +## Chart version 1.16.0 + +* Anchore Engine image updated to v1.1.0 - [Release Notes](https://engine.anchore.io/docs/releasenotes/110/) +* Anchore Enterprise image updated to v3.3.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/330/) ---- +## Chart version 1.15.0 Chart version v1.15.0 sets the V2 vulnerability scanner, based on [Grype](https://github.com/anchore/grype), as the default for new deployments. **Users upgrading from chart versions prior to v1.15.0 will need to explicitly set their preferred vulnerability provider using `.Values.anchorePolicyEngine.vulnerabilityProvider`.** If the vulnerability provider is not explicitly set, Helm will prevent an upgrade from being initiated. 
@@ -257,24 +260,18 @@ Chart version v1.15.0 sets the V2 vulnerability scanner, based on [Grype](https: ## Chart version 1.14.0 ---- - * Anchore Engine image updated to v0.10.1 - [Release Notes](https://engine.anchore.io/docs/releasenotes/0101/) * Anchore Enterprise image updated to v3.1.1 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/311/) * Enterprise Feeds - MSRC feeds no longer require an access token. No changes are needed, however MSRC access tokens can now be removed from values and/or existing secrets. ## Chart version 1.13.0 ---- - * Anchore Engine image updated to v0.10.0 - [Release Notes](https://engine.anchore.io/docs/releasenotes/0100/) * Anchore Enterprise image updated to v3.1.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/310/) * If utilizing the Enterprise Runtime Inventory feature, the catalog service can now be configured to automatically setup RBAC for image discovery within the cluster. This is configured under `.Values.anchoreCatalog.runtimeInventory` ## Chart version 1.12.0 ---- - * Anchore Engine image updated to v0.9.1 * Anchore Enterprise images updated to v3.0.0 * Existing secrets now work for Enterprise feeds and Enterprise UI - see [existing secrets configuration](#-Utilize-an-Existing-Secret) @@ -282,12 +279,10 @@ Chart version v1.15.0 sets the V2 vulnerability scanner, based on [Grype](https: ## Chart version 1.10.0 ---- Chart dependency declarations have been updated to be compatible with Helm v3.4.0 ## Chart version 1.8.0 ---- The following Anchore-Engine features were added with this version: * Malware scanning - see .Values.anchoreAnalyzer.configFile.malware 
@@ -299,7 +294,6 @@ For more details see - https://docs.anchore.com/current/docs/engine/releasenotes ## Chart version 1.7.0 ---- Starting with version 1.7.0, the anchore-engine chart will be hosted on charts.anchore.io. If you're upgrading from a previous version of the chart, you will need to delete your previous deployment and redeploy Anchore Engine using the chart from the Anchore Charts repository. This version of the chart includes the dependent Postgresql chart in the charts/ directory rather then pulling it from upstream. All apiVersions were updated for compatibility with Kubernetes v1.16+ and the postgresql image has been updated to version 9.6.18. The chart version also updates to the latest version of the Redis chart from Bitnami. These dependency updates require deleting and re-installing your chart. If the following process is performed, no data should be lost. diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 46e40193..a09a5879 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -98,7 +98,7 @@ ingress: # Global configuration shared by all anchore-engine services. anchoreGlobal: # Image used for all anchore engine deployments (excluding enterprise components). - image: docker.io/anchore/anchore-engine:v1.0.1 + image: docker.io/anchore/anchore-engine:v1.1.0 imagePullPolicy: IfNotPresent # Set image pull secret name if using an anchore-engine image from a private registry 
@@ -691,7 +691,7 @@ anchoreEnterpriseGlobal:
# Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=
licenseSecretName: anchore-enterprise-license
- image: docker.io/anchore/enterprise:v3.2.1
+ image: docker.io/anchore/enterprise:v3.3.0
imagePullPolicy: IfNotPresent
# Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images.
# Create this secret with the following command - kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username= --docker-password= --docker-email=
@@ -980,7 +980,7 @@ anchoreEnterpriseNotifications:
anchoreEnterpriseUi:
# If enabled is set to false, set anchore-ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance.
enabled: true
- image: docker.io/anchore/enterprise-ui:v3.2.1
+ image: docker.io/anchore/enterprise-ui:v3.3.0
imagePullPolicy: IfNotPresent
# Set extra environment variables. These will be set on all UI containers.
From e4b011f7afcacf13c81a779c50cc8f2faea8aa7b Mon Sep 17 00:00:00 2001
From: Jan Esser
Date: Tue, 18 Jan 2022 12:45:14 +0100
Subject: [PATCH 35/35] k8s 1.22 compat, fix to #185
Signed-off-by: Jan Esser
---
stable/anchore-engine/Chart.yaml | 2 +-
stable/anchore-engine/templates/ingress.yaml | 80 +++++++++++++++++++-
2 files changed, 80 insertions(+), 2 deletions(-)
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
index 1f6ff75a..d5df9923 100644
--- a/stable/anchore-engine/Chart.yaml
+++ b/stable/anchore-engine/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v2
name: anchore-engine
-version: 1.16.0
+version: 1.16.1
appVersion: 1.1.0
description: Anchore container analysis and policy evaluation engine service
keywords:
diff --git a/stable/anchore-engine/templates/ingress.yaml b/stable/anchore-engine/templates/ingress.yaml
index 748989c9..dfa59ce5 100644
--- a/stable/anchore-engine/templates/ingress.yaml
+++ b/stable/anchore-engine/templates/ingress.yaml
@@ -1,5 +1,11 @@
{{- if .Values.ingress.enabled -}}
-apiVersion: {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} networking.k8s.io/v1beta1 {{- else }} extensions/v1beta1 {{- end }}
+{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }}
+apiVersion: networking.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
+apiVersion: networking.k8s.io/v1beta1
+{{- else }}
+apiVersion: extensions/v1beta1
+{{- end }}
kind: Ingress
metadata:
name: {{ template "anchore-engine.fullname" . }}
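Review bot: `.Capabilities.APIVersions.Has "networking.k8s.io/v1"` tests only for the API group version, which clusters have exposed since NetworkPolicy graduated to it, long before Ingress joined that group version in Kubernetes 1.19, so on a cluster between those releases the first branch selects `networking.k8s.io/v1` and the rendered Ingress is rejected at apply time. Helm's `Has` also accepts a kind-qualified string, so the check should read `{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}`, with `"networking.k8s.io/v1beta1/Ingress"` on the `else if` for the same reason. The identical group-only test is repeated in every path block of the second ingress.yaml hunk below and needs the same change there. Rendering with `helm template` and no `--api-versions` sees only Helm's built-in default set, so offline rendering may still pick a branch that does not match the target cluster; that is worth a comment above the conditional.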
@@ -39,63 +45,135 @@ spec: http: paths: - path: {{ $.Values.ingress.apiPath }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + pathType: Prefix + backend: + service: + name: {{ template "anchore-engine.api.fullname" $ }} + port: + number: {{ $.Values.anchoreApi.service.port }} + {{else}} backend: serviceName: {{ template "anchore-engine.api.fullname" $ }} servicePort: {{ $.Values.anchoreApi.service.port }} + {{- end }} {{- end }} {{- range .Values.ingress.uiHosts }} - host: {{ . | quote }} http: paths: - path: {{ $.Values.ingress.uiPath }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + pathType: Prefix + backend: + service: + name: {{ template "anchore-engine.enterprise-ui.fullname" $ }} + port: + number: {{ $.Values.anchoreEnterpriseUi.service.port }} + {{- else}} backend: serviceName: {{ template "anchore-engine.enterprise-ui.fullname" $ }} servicePort: {{ $.Values.anchoreEnterpriseUi.service.port }} + {{- end }} {{- end }} {{- range .Values.ingress.feedsHosts }} - host: {{ . | quote }} http: paths: - path: {{ $.Values.ingress.feedsPath }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + pathType: Prefix + backend: + service: + name: {{ template "anchore-engine.enterprise-feeds.fullname" $ }} + port: + number: {{ $.Values.anchoreEnterpriseFeeds.service.port }} + {{- else}} backend: serviceName: {{ template "anchore-engine.enterprise-feeds.fullname" $ }} servicePort: {{ $.Values.anchoreEnterpriseFeeds.service.port }} + {{- end }} {{- end }} {{- range .Values.ingress.reportsHosts }} - host: {{ . 
| quote }} http: paths: - path: {{ $.Values.ingress.reportsPath }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + pathType: Prefix + backend: + service: + name: {{ template "anchore-engine.api.fullname" $ }} + port: + number: {{ $.Values.anchoreEnterpriseReports.service.port }} + {{- else}} backend: serviceName: {{ template "anchore-engine.api.fullname" $ }} servicePort: {{ $.Values.anchoreEnterpriseReports.service.port }} + {{- end }} {{- end }} {{- else }} - http: paths: {{- with .Values.ingress.apiPath }} - path: {{ . }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + pathType: Prefix + backend: + service: + name: {{ template "anchore-engine.api.fullname" $ }} + port: + number: {{ $.Values.anchoreApi.service.port }} + {{else}} backend: serviceName: {{ template "anchore-engine.api.fullname" $ }} servicePort: {{ $.Values.anchoreApi.service.port }} + {{- end }} {{- end }} {{- with .Values.ingress.uiPath }} - path: {{ . }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + pathType: Prefix + backend: + service: + name: {{ template "anchore-engine.enterprise-ui.fullname" $ }} + port: + number: {{ $.Values.anchoreEnterpriseUi.service.port }} + {{- else}} backend: serviceName: {{ template "anchore-engine.enterprise-ui.fullname" $ }} servicePort: {{ $.Values.anchoreEnterpriseUi.service.port }} + {{- end }} {{- end }} {{- with .Values.ingress.feedsPath }} - path: {{ . }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + pathType: Prefix + backend: + service: + name: {{ template "anchore-engine.enterprise-feeds.fullname" $ }} + port: + number: {{ $.Values.anchoreEnterpriseFeeds.service.port }} + {{- else}} backend: serviceName: {{ template "anchore-engine.enterprise-feeds.fullname" $ }} servicePort: {{ $.Values.anchoreEnterpriseFeeds.service.port }} + {{- end }} {{- end }} {{- with .Values.ingress.reportsPath }} - path: {{ . 
}} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1" }} + pathType: Prefix + backend: + service: + name: {{ template "anchore-engine.api.fullname" $ }} + port: + number: {{ $.Values.anchoreEnterpriseReports.service.port }} + {{- else}} backend: serviceName: {{ template "anchore-engine.api.fullname" $ }} servicePort: {{ $.Values.anchoreEnterpriseReports.service.port }} + {{- end }} {{- end }} {{- end }} {{- end -}}
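Review bot: The same twelve-line version-conditional backend block is pasted eight times across this hunk with only the service name and port differing, and two of the copies (`apiPath` in both the host and host-less branches) use `{{else}}` while the other six use `{{- else}}`, so those two emit stray whitespace lines and any later correction to the condition has to be made in eight places. A small named template taking the root context, service name and port removes the duplication; the sketch below shows the helper (using the kind-qualified capability check) and one call site, with the `include` indented to match the sibling keys of `- path:`. The hunk begins inside the `rules:` list, whose start lies before it.
```yaml
{{- define "anchore-engine.ingress.backend" }}
{{- if .root.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
pathType: Prefix
backend:
  service:
    name: {{ .name }}
    port:
      number: {{ .port }}
{{- else }}
backend:
  serviceName: {{ .name }}
  servicePort: {{ .port }}
{{- end }}
{{- end }}
# … unchanged: apiVersion selection, metadata, tls, host loop …
          - path: {{ $.Values.ingress.apiPath }}
            {{- include "anchore-engine.ingress.backend" (dict "root" $ "name" (include "anchore-engine.api.fullname" $) "port" $.Values.anchoreApi.service.port) | nindent 12 }}
# … unchanged: the remaining seven path entries, each with its own service name and port …
```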