diff --git a/CHANGELOG.md b/CHANGELOG.md index e2ce8ad0f499a2779e603c48f5b114206b5941e0..0930a995637326f8cb6b5248534b090b0e198d71 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [1.13.0-bb.0] +### Changed +- Bumped appVersion and Anchore Engine image tag to 0.10.0 +- Bumped Anchore Enterprise & Anchore Enterprise UI image tags to 3.1.0 +### Fixed +- conditional in network policy for enterprise-ui component +- intermittent issue with upgrade jobs for in-cluster anchore dbs + ## [1.12.16-bb.2] ### Changed - Separated network policies for required egress diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 09f3a4930b74a109013e95739fd8e74f37749362..48d8285f52fc0d27d2dab0c64774a76ce761ddb1 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: anchore-engine -version: 1.12.16-bb.2 -appVersion: 0.9.4 +version: 1.13.0-bb.0 +appVersion: 0.10.0 description: Anchore container analysis and policy evaluation engine service keywords: - analysis diff --git a/chart/Kptfile b/chart/Kptfile index 81dc50d32e4e90f86bcab8f2776ce4df682356ff..641507840ffedd667a8282274af8b9a676dcd80a 100644 --- a/chart/Kptfile +++ b/chart/Kptfile @@ -5,7 +5,7 @@ metadata: upstream: type: git git: - commit: e2f7ea00c4fa078b93608c95b31ce71a4038aa96 + commit: 1ab19c4642747cab4a6d300021325674ac0cb3d5 repo: https://github.com/anchore/anchore-charts directory: /stable/anchore-engine - ref: anchore-engine-1.12.16 + ref: anchore-engine-1.13.0 diff --git a/chart/README.md b/chart/README.md index 7c54421968d2acc249503db202a7708ad1f3d1e5..c204723dc1d4ae0419031629890c7f7953097599 100644 --- a/chart/README.md +++ b/chart/README.md @@ -73,6 +73,7 @@ anchoreGlobal: * Anchore reporting API * Notifications - Slack, GitHub, Jira, etc * Microsoft image vulnerability scanning + * Kubernetes runtime image inventory/scanning ``` ### Enabling Enterprise Services 
@@ -242,6 +243,14 @@ See the anchore-engine [CHANGELOG](https://github.com/anchore/anchore-engine/blo A Helm post-upgrade hook job will shut down all previously running Anchore services and perform the Anchore DB upgrade process using a kubernetes job. The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful helm upgrade. +## Chart version 1.13.0 + +--- + +* Anchore Engine image updated to v0.10.0 - [Release Notes](https://engine.anchore.io/docs/releasenotes/0100/) +* Anchore Enterprise image updated to v3.1.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/310/) +* If utilizing the Enterprise Runtime Inventory feature, the catalog service can now be configured to automatically setup RBAC for image discovery within the cluster. This is configured under `.Values.anchoreCatalog.runtimeInventory` + ## Chart version 1.12.0 --- diff --git a/chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml b/chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml index 34ed248de4bf86ba5efc1c606fec9a118d60cb44..950990064ed1469a6cb10b89ebc9fd2aff5a28bc 100644 --- a/chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml 
@@ -132,10 +132,10 @@ spec: except: - 169.254.169.254/32 {{- end }} -{{- if and (hasKey (index .Values "anchore-ui-redis") "enabled") }} -{{- if and (not (index .Values "anchore-ui-redis" "enabled")) .Values.anchoreEnterpriseGlobal.enabled }} +{{- if or (hasKey (index .Values "anchore-ui-redis") "enabled") (hasKey .Values.postgresql "enabled") }} +{{- if and (or (not (index .Values "anchore-ui-redis" "enabled")) (not .Values.postgresql.enabled)) .Values.anchoreEnterpriseGlobal.enabled }} --- -# if external redis is enabled, the ui pod will require egress as it depends on redis +# if external redis is enabled OR external postgres is enabled, the ui pod will require egress as it depends on redis and interacts with the db to perform specific functions such as SAML apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: diff --git a/chart/templates/catalog_deployment.yaml b/chart/templates/catalog_deployment.yaml index 77efe1b6650a8d9fd8bd266c8da60b5c47d7f1a4..383dcfd783b23c6e87eb0812e21b89a3f81e0131 100644 --- a/chart/templates/catalog_deployment.yaml +++ b/chart/templates/catalog_deployment.yaml @@ -219,8 +219,10 @@ spec: tolerations: {{ toYaml . | nindent 8 }} {{- end }} - {{- with .Values.anchoreGlobal.serviceAccountName }} - serviceAccountName: {{ . }} + {{- if .Values.anchoreGlobal.serviceAccountName }} + serviceAccountName: {{ .Values.anchoreGlobal.serviceAccountName }} + {{- else if .Values.anchoreCatalog.createServiceAccount }} + serviceAccountName: {{ template "anchore-engine.catalog.fullname" . }} {{- end }} --- 
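Review bot: The new outer guard `{{- if or (hasKey (index .Values "anchore-ui-redis") "enabled") (hasKey .Values.postgresql "enabled") }}` only establishes that one of the two keys exists, yet the line after it dereferences both `index .Values "anchore-ui-redis" "enabled"` and `.Values.postgresql.enabled`, and `hasKey .Values.postgresql "enabled"` itself requires `.Values.postgresql` to be a map; a values file that omits or nulls `postgresql` will fail rendering with a nil-pointer error rather than skip the policy (Go templates' `and`/`or` have historically evaluated every argument, so the outer `or` does not shield the inner expression). If tolerating a missing subchart block is the intent, resolve the postgres side once, e.g. `{{- $pg := default dict .Values.postgresql }}`, and test `(hasKey $pg "enabled")` and `(not $pg.enabled)` instead. The policy's rule body continues outside the hunk, so whether the new postgres case also opens egress to the database port cannot be checked here; the rewritten comment line would be more useful if it named the ports this policy opens rather than the UI features that need them.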
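Review bot: The new `{{- else if .Values.anchoreCatalog.createServiceAccount }}` branch sets `serviceAccountName` whenever `createServiceAccount` is true, but the ServiceAccount it names is only rendered (second hunk of this file, `@@ -254,3 +256,68 @@`) when `anchoreCatalog.runtimeInventory.reportAnchoreCluster.enabled` is also true; with `createServiceAccount: true` and `reportAnchoreCluster.enabled: false` the catalog pods reference a ServiceAccount that does not exist and will be rejected at admission. Either use the same compound condition here, `{{- else if and .Values.anchoreCatalog.createServiceAccount .Values.anchoreCatalog.runtimeInventory.reportAnchoreCluster.enabled }}`, or drop the `reportAnchoreCluster.enabled` term from the resource guard in the second hunk. The `createServiceAccount` comment added to `values.yaml` (`@@ -621,6 +631,13 @@`) should then state which condition governs creation of the account.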
@@ -254,3 +256,68 @@ spec: selector: app: {{ template "anchore-engine.fullname" . }} component: {{ $component }} + +{{- if and .Values.anchoreCatalog.createServiceAccount .Values.anchoreCatalog.runtimeInventory.reportAnchoreCluster.enabled }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "anchore-engine.catalog.fullname" . }} + labels: + {{- with .Values.anchoreCatalog.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreGlobal.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreCatalog.annotations }} + annotations: + {{ toYaml . | nindent 4 }} + {{- end }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "anchore-engine.catalog.fullname" . }} + labels: + {{- with .Values.anchoreCatalog.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreGlobal.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreCatalog.annotations }} + annotations: + {{ toYaml . | nindent 4 }} + {{- end }} +rules: +- apiGroups: [""] + resources: ["pods","namespaces"] + verbs: ["get", "watch", "list"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "anchore-engine.catalog.fullname" . }} + labels: + {{- with .Values.anchoreCatalog.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreGlobal.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreCatalog.annotations }} + annotations: + {{ toYaml . | nindent 4 }} + {{- end }} +subjects: + - kind: ServiceAccount + name: {{ template "anchore-engine.catalog.fullname" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ template "anchore-engine.catalog.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} \ No newline at end of file 
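Review bot: The `ClusterRole` and `ClusterRoleBinding` are cluster-scoped but are named with the same `anchore-engine.catalog.fullname` template as the namespaced ServiceAccount, so two releases of this chart with the same release name in different namespaces would contend for a single ClusterRole/Binding, and the binding's `subjects` would point at whichever namespace was applied last; including `.Release.Namespace` in the cluster-scoped names (or documenting the one-install-per-cluster assumption) avoids that, assuming the fullname helper does not already embed the namespace. The rule grants `get`, `watch`, `list` on `pods` and `namespaces` across every namespace, which lets the catalog service read every pod spec in the cluster, including any environment variable values and volume references set inline; that is inherent to the feature, but it belongs in the ServiceAccount comment, and if `runtimeInventory.namespaces` restricts collection to a fixed list a per-namespace `Role`/`RoleBinding` would be the tighter shape. The file also now ends without a trailing newline (`\ No newline at end of file`).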
diff --git a/chart/templates/engine_configmap.yaml b/chart/templates/engine_configmap.yaml index 8046f5d743fffde9cd05fcb6e6217a9f9cd46e27..6ed4e6b273ab1902e44a2a70d0e2f22a74ef3f41 100644 --- a/chart/templates/engine_configmap.yaml +++ b/chart/templates/engine_configmap.yaml @@ -1,3 +1,14 @@ +{{ $anchoreFeedsURL := "https://ancho.re/v1/service/feeds" }} +{{- if .Values.anchoreEnterpriseFeeds.url }} +{{- $anchoreFeedsURL = .Values.anchoreEnterpriseFeeds.url }} +{{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} +{{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} +{{- $anchoreFeedsURL = (printf "https://%s:%s/v1/feeds" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) }} +{{- else }} +{{- $anchoreFeedsURL = (printf "http://%s:%s/v1/feeds" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) }} +{{- end }} +{{- end }} + kind: ConfigMap apiVersion: v1 metadata: @@ -28,7 +39,7 @@ data: global_client_connect_timeout: {{ default 0 .Values.anchoreGlobal.clientConnectTimeout }} global_client_read_timeout: {{ default 0 .Values.anchoreGlobal.clientReadTimeout }} - max_compressed_image_size_mb: {{ default -1 .Values.anchoreGlobal.maxCompressedImageSizeMB }} + server_request_timeout_seconds: {{ .Values.anchoreGlobal.serverRequestTimeout }} metrics: enabled: {{ .Values.monitoring.enabled }} 
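Review bot: `server_request_timeout_seconds: {{ .Values.anchoreGlobal.serverRequestTimeout }}` is the only key in this block without a `default`, unlike `global_client_connect_timeout` and `global_client_read_timeout` beside it; an override values file that omits `anchoreGlobal.serverRequestTimeout` renders an empty value (YAML null) instead of the 60 documented in `values.yaml`. Suggest `server_request_timeout_seconds: {{ default 60 .Values.anchoreGlobal.serverRequestTimeout }}` so the rendered default matches the documented one.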
@@ -37,66 +48,14 @@ data: webhooks: {{- toYaml .Values.anchoreGlobal.webhooks | nindent 6 }} {{ end }} - # Configure what feeds to sync. - # The sync will hit http://ancho.re/feeds, if any outbound firewall config needs to be set in your environment. - feeds: - sync_enabled: true - selective_sync: - # If enabled only sync specific feeds instead of all that are found. - enabled: true - feeds: - {{- if .Values.anchoreEnterpriseGlobal.enabled }} - github: {{ .Values.anchoreEnterpriseFeeds.githubDriverEnabled }} - {{- else }} - github: {{ default "true" .Values.anchoreGlobal.syncGithub }} - {{- end }} - # Vulnerabilities feed is the feed for distro cve sources (redhat, debian, ubuntu, oracle, alpine....) - vulnerabilities: {{ default "true" .Values.anchoreGlobal.syncVulnerabilites }} - # NVD Data is used for non-distro CVEs (jars, npm, etc) that are not packaged and released by distros as rpms, debs, etc - nvdv2: {{ default "true" .Values.anchoreGlobal.syncNvd }} - # Warning: enabling the package sync causes the service to require much - # more memory to do process the significant data volume. We recommend at least 4GB available for the container - {{- if and (and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled) (or .Values.anchoreEnterpriseFeeds.gemDriverEnabled .Values.anchoreEnterpriseFeeds.npmDriverEnabled) }} - packages: true - {{- else }} - packages: {{ default "false" .Values.anchoreGlobal.syncPackages }} - {{- end }} - # Enabling vulndb syncs vulndb vulnerability data from an on-premise anchore enterprise feeds service. Please contact - # anchore support for finding out more about this service - {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} - vulndb: {{ default "true" .Values.anchoreEnterpriseFeeds.vulndbDriverEnabled }} - # Enabling microsoft syncs MSRC data from an on-premise anchore enterprise feeds service. 
Please contact - # anchore support for finding out more about this service - microsoft: {{ .Values.anchoreEnterpriseFeeds.msrcDriverEnabled }} - {{- else }} - vulndb: false - microsoft: false - {{- end }} - {{- if .Values.anchoreEnterpriseFeeds.url }} - url: "{{- .Values.anchoreEnterpriseFeeds.url }}" - ssl_verify: {{ .Values.anchoreGlobal.internalServicesSsl.verifyCerts }} - client_url: - token_url: - {{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} - {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} - url: "https://{{- template "anchore-engine.enterprise-feeds.fullname" . }}:{{- .Values.anchoreEnterpriseFeeds.service.port }}/v1/feeds" - {{- else }} - url: "http://{{- template "anchore-engine.enterprise-feeds.fullname" . }}:{{- .Values.anchoreEnterpriseFeeds.service.port }}/v1/feeds" - {{- end }} - ssl_verify: {{ .Values.anchoreGlobal.internalServicesSsl.verifyCerts }} - client_url: - token_url: - {{- else }} - client_url: "https://ancho.re/v1/account/users" - token_url: "https://ancho.re/oauth/token" - anonymous_user_username: anon@ancho.re - anonymous_user_password: pbiU2RYZ2XrmYQ - {{- end }} - connection_timeout_seconds: {{ default 3 .Values.anchoreGlobal.feedsConnectionTimeout }} - read_timeout_seconds: {{ default 180 .Values.anchoreGlobal.feedsReadTimeout }} + default_admin_password: ${ANCHORE_ADMIN_PASSWORD} default_admin_email: {{ .Values.anchoreGlobal.defaultAdminEmail }} + # Defines a maximum compressed image size (MB) to be added for analysis + # Value < 0 disables feature. Disabled by default + max_compressed_image_size_mb: {{ default -1 .Values.anchoreGlobal.maxCompressedImageSizeMB }} + # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. 
If all are set then the keys take precedence over the secret value # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs. keys: @@ -188,6 +147,7 @@ data: ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}" ssl_key: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretKeyName }}" {{- end }} + enable_owned_package_filtering: {{ .Values.anchoreAnalyzer.enableOwnedPackageFiltering }} catalog: enabled: true require_auth: true @@ -219,6 +179,7 @@ data: # Interval between checks to repo for new tags repo_watcher: {{ .Values.anchoreCatalog.cycleTimers.repo_watcher }} k8s_watcher: {{ .Values.anchoreCatalog.cycleTimers.k8s_watcher }} + k8s_image_watcher: {{ .Values.anchoreCatalog.cycleTimers.k8s_image_watcher }} event_log: {{- toYaml .Values.anchoreCatalog.events | nindent 10 }} analysis_archive: @@ -230,6 +191,10 @@ data: ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}" ssl_key: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretKeyName }}" {{- end }} + {{- if .Values.anchoreEnterpriseGlobal.enabled }} + runtime_compliance: + object_store_bucket: "runtime_compliance_check" + {{- end }} runtime_inventory: image_ttl_days: {{ .Values.anchoreCatalog.runtimeInventory.imageTTLDays }} kubernetes: 
@@ -260,6 +225,61 @@ data: cycle_timer_seconds: 1 cycle_timers: {{- toYaml .Values.anchorePolicyEngine.cycleTimers | nindent 10 }} + vulnerabilities: + provider: {{ .Values.anchorePolicyEngine.vulnerabilityProvider }} + sync: + enabled: true + ssl_verify: {{ .Values.anchoreGlobal.internalServicesSsl.verifyCerts }} + connection_timeout_seconds: {{ default 3 .Values.anchoreGlobal.feedsConnectionTimeout }} + read_timeout_seconds: {{ default 180 .Values.anchoreGlobal.feedsReadTimeout }} + data: + # grypedb feed is synced if the provider is set to grype. All the remaining feeds except for packages are ignored even if they are enabled + grypedb: + enabled: true + url: "https://toolbox-data.anchore.io/grype/databases/listing.json" + # The following feeds are synced if provider is set to legacy + # Vulnerabilities feed is the feed for distro cve sources (redhat, debian, ubuntu, oracle, alpine....) + vulnerabilities: + enabled: {{ default "true" .Values.anchoreGlobal.syncVulnerabilites }} + url: {{ $anchoreFeedsURL }} + # NVD Data is used for non-distro CVEs (jars, npm, etc) that are not packaged and released by distros as rpms, debs, etc + nvdv2: + enabled: {{ default "true" .Values.anchoreGlobal.syncNvd }} + url: {{ $anchoreFeedsURL }} + github: + {{- if .Values.anchoreEnterpriseGlobal.enabled }} + enabled: {{ .Values.anchoreEnterpriseFeeds.githubDriverEnabled }} + {{- else }} + enabled: {{ default "true" .Values.anchoreGlobal.syncGithub }} + {{- end }} + url: {{ $anchoreFeedsURL }} + # Warning: enabling the packages and nvd sync causes the service to require much more memory to do process the significant data volume. 
We recommend at least 4GB available for the container + # packages feed is synced if it is enabled regardless of the provider + packages: + {{- if and (and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled) (or .Values.anchoreEnterpriseFeeds.gemDriverEnabled .Values.anchoreEnterpriseFeeds.npmDriverEnabled) }} + enabled: true + {{- else }} + enabled: {{ default "false" .Values.anchoreGlobal.syncPackages }} + {{- end }} + url: {{ $anchoreFeedsURL }} + {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} + vulndb: + enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.vulndbDriverEnabled }} + url: {{ $anchoreFeedsURL }} + {{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreGlobal.syncVulnDB }} + vulndb: + enabled: true + url: {{ $anchoreFeedsURL }} + {{- end }} + {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} + microsoft: + enabled: {{ .Values.anchoreEnterpriseFeeds.msrcDriverEnabled }} + url: {{ $anchoreFeedsURL }} + {{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreGlobal.syncMSRC }} + microsoft: + enabled: true + url: {{ $anchoreFeedsURL }} + {{- end }} {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}" diff --git a/chart/templates/engine_upgrade_job.yaml b/chart/templates/engine_upgrade_job.yaml index dfe591d183f3c87860dc74e0729dd2371c726f6a..a077813fa67c694abe222588ebf13de63cedcc8c 100644 --- a/chart/templates/engine_upgrade_job.yaml +++ b/chart/templates/engine_upgrade_job.yaml 
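Review bot: `ssl_verify: {{ .Values.anchoreGlobal.internalServicesSsl.verifyCerts }}` now sits at the `sync:` level above every data source, including the public `grypedb` listing at `toolbox-data.anchore.io` and the `ancho.re` default in `$anchoreFeedsURL`, whereas the removed block only set `ssl_verify` in the branches that pointed at the in-cluster enterprise feeds service; if the policy engine applies the setting to all sources (inferred from its position, not confirmed here), an operator who sets `internalServicesSsl.verifyCerts: false` for self-signed internal certificates also disables certificate verification for downloads from the public internet. Consider a separate value for external feed verification, or emitting `ssl_verify` only when the URL is the internal feeds service. Two smaller items: `url: {{ $anchoreFeedsURL }}` is unquoted on every feed while the old template wrote `url: "{{- .Values.anchoreEnterpriseFeeds.url }}"`, so `url: {{ $anchoreFeedsURL | quote }}` would keep a user-supplied URL safe from YAML interpretation; and the grypedb `url` is a hard-coded literal (repeated as `external_feeds_url` in `enterprise_feeds_configmap.yaml @@ -140,6 +140,9 @@`), which should be a values key so air-gapped deployments can point it at a mirror and egress policies can reference one source of truth.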
@@ -75,6 +75,7 @@ spec: anchore-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; {{- else }} - | + sleep 60 anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask; {{- end }} {{- if .Values.cloudsql.enabled }} diff --git a/chart/templates/enterprise_feeds_configmap.yaml b/chart/templates/enterprise_feeds_configmap.yaml index 6a78e533b877855db06024b72e1a4b6e6e40b4a9..47a5f6a1390fcc5df481991d98700b6efef37a2f 100644 --- a/chart/templates/enterprise_feeds_configmap.yaml +++ b/chart/templates/enterprise_feeds_configmap.yaml @@ -18,6 +18,7 @@ data: # Anchore Enterprise Service Configuration File # General system-wide configuration options, these should not need to # be altered for basic operation + service_dir: {{ .Values.anchoreGlobal.serviceDir }} tmp_dir: {{ .Values.anchoreGlobal.scratchVolume.mountPath }} log_level: {{ .Values.anchoreGlobal.logLevel }} 
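Review bot: `sleep 60` is a fixed delay standing in for a readiness check, and it is only added to the non-SSL branch, so the `--db-use-ssl` command two lines above still races the database while the plain branch now always waits a full minute even when the database is ready; the same pattern is repeated in `enterprise_feeds_upgrade_job.yaml @@ -63,6 +63,7 @@` and `enterprise_upgrade_job.yaml @@ -63,6 +63,7 @@`. A bounded wait that actually probes the database (for example an initContainer that retries a connection to `${ANCHORE_DB_HOST}` until it succeeds or a timeout expires, placed before both branches) fixes the race deterministically and fails loudly when the DB never comes up, instead of letting `anchore-manager db ... upgrade` fail after an arbitrary delay. The enclosing Job spec starts and ends outside the hunk.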
@@ -96,32 +97,31 @@ data: api_only: {{ default "false" .Values.anchoreEnterpriseFeeds.apiOnly }} drivers: # Configuration section for drivers collecting and processing feed data. - # All drivers are enabled by default unless explicitly disabled. npm and gem drivers are explicitly disabled out of the box - npm: - enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.npmDriverEnabled }} - gem: - # rubygem data comes packaged as a PostgreSQL dump file. gem driver loads the pg dump and normalizes the data. - # To enable gem driver comment the enabled property and uncomment the db_connect property. - enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.gemDriverEnabled }} - db_connect: {{ default "'postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/gems'" .Values.anchoreEnterpriseFeeds.gemDbEndpoint }} + # All drivers are enabled by default unless explicitly disabled. amzn: enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.amazonDriverEnabled }} + alpine: + enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.alpineDriverEnabled }} centos: enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.centosDriverEnabled }} debian: enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.debianDriverEnabled }} + ol: + enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.olDriverEnabled }} ubuntu: enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.ubuntuDriverEnabled }} rhel: enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.rhelDriverEnabled }} - ol: - enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.olDriverEnabled }} - alpine: - enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.alpineDriverEnabled }} - snyk: - enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.snykDriverEnabled }} nvddb: enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.nvdDriverEnabled }} + # npm and gem drivers are explicitly disabled out of the box + npm: + enabled: {{ default "false" 
.Values.anchoreEnterpriseFeeds.npmDriverEnabled }} + gem: + # rubygem data comes packaged as a PostgreSQL dump file. gem driver loads the pg dump and normalizes the data. + # To enable gem driver comment the enabled property and uncomment the db_connect property. + enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.gemDriverEnabled }} + db_connect: {{ default "'postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/gems'" .Values.anchoreEnterpriseFeeds.gemDbEndpoint }} nvdv2: enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled }} vulndb: @@ -140,6 +140,9 @@ data: enabled: true token: ${ANCHORE_GITHUB_TOKEN} {{- end }} + grypedb: + enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.grypeDriverEnabled }} + external_feeds_url: "https://toolbox-data.anchore.io/grype/databases/listing.json" {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}" diff --git a/chart/templates/enterprise_feeds_upgrade_job.yaml b/chart/templates/enterprise_feeds_upgrade_job.yaml index a5cb0eb8354cf888058d66a350b45bb771e36d38..903f36aa2f92bb376f39590e9b5fb98699332c5d 100644 --- a/chart/templates/enterprise_feeds_upgrade_job.yaml +++ b/chart/templates/enterprise_feeds_upgrade_job.yaml @@ -63,6 +63,7 @@ spec: anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; {{- else }} - | + sleep 60 anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask; {{- end }} {{- if .Values.cloudsql.enabled }} 
diff --git a/chart/templates/enterprise_upgrade_job.yaml b/chart/templates/enterprise_upgrade_job.yaml index 446e9e78289deb7fae00814a2dd1aa4d5de321dd..c021c404da0f8bed2112bce5d81de88b3b788c5a 100644 --- a/chart/templates/enterprise_upgrade_job.yaml +++ b/chart/templates/enterprise_upgrade_job.yaml @@ -63,6 +63,7 @@ spec: anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; {{- else }} - | + sleep 60 anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask; {{- end }} {{- if .Values.cloudsql.enabled }} diff --git a/chart/values.yaml b/chart/values.yaml index 3a07a25f672666008a13f0894ec6403b32f2fbb9..77ccead858deaaa71b51bd367fc6dc61b87720b8 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -166,14 +166,14 @@ ingress: # Global configuration shared by all anchore-engine services. anchoreGlobal: # Image used for all anchore engine deployments (excluding enterprise components). - image: registry1.dso.mil/ironbank/anchore/engine/engine:0.9.4 + image: registry1.dso.mil/ironbank/anchore/engine/engine:0.10.0 imagePullPolicy: IfNotPresent # Set image pull secret name if using an anchore-engine image from a private registry imagePullSecretName: private-registry # Specify a service account name utilized to run all Anchore pods - serviceAccountName: + serviceAccountName: Null # Set this value to true to setup the chart for OpenShift deployment compatibility. openShiftDeployment: false 
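Review bot: `serviceAccountName: Null` relies on the capitalised null spelling of YAML 1.1; the previous empty value (`serviceAccountName:`) was already null, so the change is cosmetic and the unusual capitalisation reads like a string to anyone skimming the file. The lowercase `null` (or `""`, which the `{{- if }}` test in `catalog_deployment.yaml` also treats as unset) is the conventional spelling. Note also that Helm documents a null supplied from a parent chart or `--set` as a request to delete the key, which is harmless here only because the template tests truthiness rather than key presence.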
@@ -185,8 +185,8 @@ anchoreGlobal: # Add common annotations to set on all pods. Useful expecially when inject secrets directly into pods as ENV from vault via mutation-webhook-injection method. # Ref: https://banzaicloud.com/docs/bank-vaults/mutating-webhook/ - annotations: - traffic.sidecar.istio.io/excludeOutboundPorts: "5432" + annotations: {} + # traffic.sidecar.istio.io/excludeOutboundPorts: "5432" # vault.security.banzaicloud.io/vault-addr: "https://vault:8200" # vault.security.banzaicloud.io/vault-tls-secret: "vault-tls" @@ -238,6 +238,10 @@ anchoreGlobal: # If true, when a user adds an ECR registry with username = awsauto then the system will look for an instance profile to use for auth against the registry allowECRUseIAMRole: false + # Twisted has a global server side timeout on all established connections which defaults to 60, anything lasting longer + # than this (+ a 15 min abort final timeout) will have the connection killed by twisted + serverRequestTimeout: 60 + # Enable prometheus metrics enableMetrics: false @@ -370,6 +374,11 @@ anchoreAnalyzer: # For more info see - https://docs.anchore.com/current/docs/engine/engine_installation/configuration/content_hints enableHints: false + # If enabled, the Anchore Analyzer will filter packages out that are contained by others. (e.g. a python package installed by an RPM using yum or dnf). + # When disabled, the Anchore Analyzer will report all packages as content regardless of "containership". In the above example, this would cause the + # python package to be returned as it's own entry in the image's content. + enableOwnedPackageFiltering: true + configFile: # Anchore analyzer config file # @@ -494,6 +503,7 @@ anchoreCatalog: image_gc: 60 # Interval for the runtime inventory image execution poll k8s_watcher: 300 + k8s_image_watcher: 150 # Event log configuration for webhooks events: 
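Review bot: Commenting out `traffic.sidecar.istio.io/excludeOutboundPorts: "5432"` changes the default network path of every Anchore pod's database traffic: where a sidecar is injected, PostgreSQL connections now pass through the Istio proxy (and are subject to mesh policy and mTLS) instead of bypassing it, which is a different posture than before and can break deployments whose database sits outside the mesh. The commit's CHANGELOG entry (`CHANGELOG.md @@ -4,6 +4,14 @@`) lists only the image bumps and two fixes, so this default change and the reason for it should be recorded there and in `docs/BBCHANGES.md`. If the exclusion is intentionally retired, a comment above `annotations: {}` such as `# 5432 is no longer excluded from the sidecar; DB traffic is now covered by mesh policy` would keep it from being reinstated on the next upstream sync.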
@@ -621,6 +631,13 @@ anchoreCatalog: tolerations: [] affinity: {} + # If enabled, the Anchore Helm Chart will create a Service Account with read-only permission to the cluster (pods & namespaces) + # This is largely to support the Out-Of-The-Box Runtime Inventory feature currently. See catalog_deployment.yaml for + # detailed information on the Service Account, Cluster Role & Binding. + # If using an existing service account, leave this value set to `false` & use anchoreGlobal.serviceAccountName to specify + # what service account to use. Existing service account must have adequate permissions to use this feature. + createServiceAccount: false + runtimeInventory: # This setting tells Anchore how long an image can be missing from an inventory report before it is removed from # The working set. Note: The image will still have a historical record in the reports service, subject to data history @@ -630,8 +647,14 @@ anchoreCatalog: # Since Anchore is running in Kubernetes, we can collect runtime inventory data out of the box reportAnchoreCluster: - # If set to true, Anchore will use its own service-account to try and collect runtime inventory data for all namespaces - # Note: requires a value for clusterName to populate inventory image context + # If set to true, Anchore will use its own service account's permissions + # (if anchoreCatalog.createServiceAccount is true, see `catalog_deployment.yaml`) to try and collect runtime + # inventory data for all namespaces. + # + # Note: this feature requires a value for clusterName to populate inventory image context + # Note: If anchoreCatalog.createServiceAccount is set to false, and anchoreGlobal.serviceAccountName is unspecified, + # then the Anchore Catalog service won't have enough permission to be able to read cluster information + # (pods & namespaces) for the embedded runtime inventory. enabled: true clusterName: anchore-k8s namespaces: 
@@ -652,6 +675,12 @@ anchorePolicyEngine: feed_sync: 14400 # Interval between checks to see if there needs to be a task queued feed_sync_checker: 3600 + # 1 minute between checks to verify local grype-db is up to date + grypedb_sync: 60 + + # Available providers are legacy and grype. Legacy provider offers the same matching logic as previous versions of anchore-engine (<= 0.9.4) + # grype is a new provider that was introduced in 1.0.0, it uses the grype tool for all things vulnerabilities + vulnerabilityProvider: legacy # kubernetes service configuration for anchore policy engine api service: @@ -719,7 +748,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.3 + image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.1.0 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. # Create this secret with the following command - kubectl create secret docker-registry anchore-dockerhub-creds --docker-server=docker.io --docker-username= --docker-password= --docker-email= @@ -778,7 +807,7 @@ anchoreEnterpriseFeeds: # If enabled is set to false, set anchore-feeds-db.enabled to false to ensure that helm doesn't stand up a unneccessary postgres instance. enabled: true - # Set custom feeds URL if multiple Anchore deployments are using the same feeds service + # Set custom feeds URL if multiple Anchore deployments are using the same internal feeds service. url: "" # Enable github advisory feeds 
@@ -968,7 +997,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set anchore-ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.3 + image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.1.0 imagePullPolicy: IfNotPresent imagePullSecretName: private-registry diff --git a/docs/BBCHANGES.md b/docs/BBCHANGES.md index 32ec614b12373701bcb1a36355f1911265c6e1f4..82d274892415b25db9013c3411fea45246205a1a 100644 --- a/docs/BBCHANGES.md +++ b/docs/BBCHANGES.md @@ -186,3 +186,11 @@ In `chart/templates/enterprise_feeds_configmap.yaml` also modify the metrics lin metrics: enabled: {{ .Values.monitoring.enabled }} ``` + +To resolve a race condition in Big Bang CI pipelines, an additional sleep argument was added in `chart/templates/engine_upgrade_job.yaml`, `enterprise_upgrade_job.yaml`, and `enterprise_feeds_upgrade_jobs.yaml`: + +```yaml +- | + sleep 60 + anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask; +``` \ No newline at end of file diff --git a/tests/images.txt b/tests/images.txt index 686a9f387f3b0cb3bc15e773a756071a22334070..7705a2c63785fc172e68ab8da871b504697867d7 100644 --- a/tests/images.txt +++ b/tests/images.txt @@ -1,2 +1,2 @@ -registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.3 -registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.3 +registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.1.0 +registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.1.0