diff --git a/CHANGELOG.md b/CHANGELOG.md index 3203684a5496c170224a76d5e241fe5e809022be..6526ce62d78d7f61904020fdf796b1a7a62b5c33 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [1.12.7-bb.0] +### Changed +- Bumped upstream chart version to 1.12.7 +- Bumped Anchore Engine image version to 0.9.3 from Registry1 +- Bumped Anchore Enterprise image version to 3.0.2 from Registry1 (Anchore Enterprise UI is remaining at 3.0.1) + ## [1.12.4-bb.1] ### Changed - Replaced Bitnami redis chart with Big Bang redis chart diff --git a/README.md b/README.md index b962bf6a4d80632d124d761fa40b7c6040ff2353..0c3747843c85fc9dc8d345696917938c971006e2 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ helm upgrade -i anchore chart -n anchore --create-namespace -f chart/values.yaml To get the admin password (generated if you did not specify one): ``` -kubectl get secrets -n anchore anchore-anchore-engine -o go-template='{{.data.ANCHORE_ADMIN_PASSWORD | base64decode}}' | xargs +kubectl get secrets -n anchore anchore-anchore-engine-admin-pass -o go-template='{{.data.ANCHORE_ADMIN_PASSWORD | base64decode}}' | xargs ``` To delete Anchore when deployed this way: diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 7a2677f770fbd4df850193681087ae1f13417f3a..e7d7043b1257f4df81f4360c27ca04f097842427 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: anchore-engine -version: 1.12.4-bb.1 -appVersion: 0.9.2 +version: 1.12.7-bb.0 +appVersion: 0.9.3 description: Anchore container analysis and policy evaluation engine service keywords: - analysis diff --git a/chart/Kptfile b/chart/Kptfile index b18e1b7799ede591a4d20a4b77b36b6b74e29f78..6173568e05cce6702770b2e4daf2ac347afea3cf 100644 --- a/chart/Kptfile +++ b/chart/Kptfile 
@@ -5,7 +5,7 @@ metadata: upstream: type: git git: - commit: 4a9ddbbf97d01a156062945922323478e1668bda + commit: e41ae9622408427aed876dcf91cea86d1cddf57a repo: https://github.com/anchore/anchore-charts directory: /stable/anchore-engine - ref: anchore-engine-1.12.4 + ref: anchore-engine-1.12.7 diff --git a/chart/README.md b/chart/README.md index 98ce3ddc1ae2bd82d156f1d7f0de7762769031f2..3c0e4143e7aa529138983f857c3e01dcecafb5b6 100644 --- a/chart/README.md +++ b/chart/README.md @@ -242,6 +242,12 @@ See the anchore-engine [CHANGELOG](https://github.com/anchore/anchore-engine/blo A Helm post-upgrade hook job will shut down all previously running Anchore services and perform the Anchore DB upgrade process using a kubernetes job. The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful helm upgrade. +## Chart version 1.12.7 + +* Anchore Engine image updated to v0.9.3 +* Anchore Enterprise image updated to v3.0.2 (Anchore Enterprise UI image remains at v3.0.1) +* An [issue](https://github.com/anchore/anchore-engine/issues/950) was found that effects users of Anchore Engine 0.9.0 - 0.9.2 scanning certain Java images. A new version of anchore-engine 0.9.3 fixes the issue. Anchore Enterprise customers using Anchore Enterprise 3.0.0 or 3.0.1 should upgrade to 3.0.2. + ## Chart version 1.12.4 --- diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt index 38d0b0558df08e2037d8eeaad4ab7360dd2999de..97204862cd13283178bda3a8c2d0f86fedff7d55 100644 --- a/chart/templates/NOTES.txt +++ b/chart/templates/NOTES.txt 
@@ -8,7 +8,7 @@ Here are the steps to configure the anchore-cli (`pip install anchorecli`). Use To configure your anchore-cli run: ANCHORE_CLI_USER=admin - ANCHORE_CLI_PASS=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "anchore-engine.fullname" . }} -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --decode; echo) + ANCHORE_CLI_PASS=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "anchore-engine.fullname" . }}-admin-pass -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --decode; echo) {{ if .Values.ingress.enabled }} ANCHORE_CLI_URL={{- if .Values.anchoreGlobal.internalServicesSsl.enabled -}}https{{- else }}http{{- end -}}://$(kubectl get ingress --namespace {{ .Release.Namespace }} {{ template "anchore-engine.fullname" . }} -o jsonpath="{.status.loadBalancer.ingress[0].ip}")/v1/ {{ else }} diff --git a/chart/templates/analyzer_deployment.yaml b/chart/templates/analyzer_deployment.yaml index 0aca7ed88c9af1d639836e013903e8f43cdee8dc..1b0ba7b1271361efb94dc610a4a46d4a1699d9ab 100644 --- a/chart/templates/analyzer_deployment.yaml +++ b/chart/templates/analyzer_deployment.yaml @@ -109,6 +109,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env diff --git a/chart/templates/anchore_admin_secret.yaml b/chart/templates/anchore_admin_secret.yaml new file mode 100644 index 0000000000000000000000000000000000000000..1a8724b69f3b64aa2466054dad04aef069f95638 --- /dev/null +++ b/chart/templates/anchore_admin_secret.yaml 
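Review bot: When `anchoreGlobal.existingSecret` is set, the added `secretRef` in the analyzer deployment resolves to the same name as the entry above it, because both `default` calls fall back to that one value, so `envFrom` lists one secret twice. That is harmless at runtime, but it hides the fact that the `-admin-pass` secret only exists when the chart creates it. Consider wrapping the new entry in `{{- if not .Values.anchoreGlobal.existingSecret }}` … `{{- end }}` and naming it `{{ template "anchore-engine.fullname" . }}-admin-pass` directly. The same pair appears in the api, catalog, policy-engine, simplequeue, engine-upgrade-job and enterprise-upgrade-job hunks; the container spec itself starts outside the hunk.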
@@ -0,0 +1,34 @@ +{{- if not .Values.anchoreGlobal.existingSecret }} + +{{- $anchoreAdminPass := (include "anchore-engine.defaultAdminPassword" . | quote) }} + +{{- /* + If release is being upgraded, don't recreate the defaultAdminPassword, instead get it from the corresponding existing + secret. For users upgrading to chart v1.12.5 or higher, use the new admin-password secret, otherwise use the old + engine secret. +*/ -}} +{{- if and .Release.IsUpgrade (not .Values.anchoreGlobal.defaultAdminPassword) }} +{{- $adminPassSecret := (lookup "v1" "Secret" .Release.Namespace (print (include "anchore-engine.fullname" .) "-admin-pass")) }} +{{- $engineSecret := (lookup "v1" "Secret" .Release.Namespace (include "anchore-engine.fullname" . )) -}} +{{- if or $engineSecret $adminPassSecret }} +{{- $secret := (default $engineSecret $adminPassSecret) }} +{{- $anchoreAdminPass = (index $secret.data "ANCHORE_ADMIN_PASSWORD" | b64dec) }} +{{- end }} +{{- end }} + +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "anchore-engine.fullname" . }}-admin-pass + labels: + app: {{ template "anchore-engine.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- with .Values.anchoreGlobal.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} +type: Opaque +stringData: + ANCHORE_ADMIN_PASSWORD: {{ $anchoreAdminPass }} +{{- end }} diff --git a/chart/templates/api_deployment.yaml b/chart/templates/api_deployment.yaml index 422ea3553836d6c0e56b83f4594cce65767a3a9c..dd52822acb9984d8e87653bb6a1545076655630d 100644 --- a/chart/templates/api_deployment.yaml +++ b/chart/templates/api_deployment.yaml 
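Review bot: The upgrade branch assigns `$anchoreAdminPass` from `b64dec` without `quote`, while the first assignment pipes through `quote`, so on upgrade `ANCHORE_ADMIN_PASSWORD: {{ $anchoreAdminPass }}` is rendered as a plain scalar. An existing password that is all digits, looks like a boolean, or contains `: ` or ` #` would then be retyped or break the rendered manifest. Use `{{- $anchoreAdminPass = (index $secret.data "ANCHORE_ADMIN_PASSWORD" | b64dec | quote) }}`. It is also worth guarding the case where the selected secret has no `ANCHORE_ADMIN_PASSWORD` key, which this commit makes possible for the engine secret by removing the key from it.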
@@ -97,6 +97,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env @@ -115,7 +117,7 @@ spec: - name: ANCHORE_CLI_PASS valueFrom: secretKeyRef: - name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} key: ANCHORE_ADMIN_PASSWORD {{- end }} ports: @@ -184,6 +186,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env @@ -254,6 +258,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env @@ -327,6 +333,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env 
@@ -399,6 +407,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env diff --git a/chart/templates/bigbang/sso/configure-sso.yaml b/chart/templates/bigbang/sso/configure-sso.yaml index 61a321764677a759c2e908b8bfdab44bad901feb..206ca9afa486518cc4ba2840a0a9bb532d61a6c6 100644 --- a/chart/templates/bigbang/sso/configure-sso.yaml +++ b/chart/templates/bigbang/sso/configure-sso.yaml @@ -56,7 +56,7 @@ spec: fi envFrom: - secretRef: - name: {{ template "anchore-engine.fullname" . }} + name: {{ template "anchore-engine.fullname" . }}-admin-pass volumeMounts: - name: anchore-sso mountPath: "/tmp" diff --git a/chart/templates/catalog_deployment.yaml b/chart/templates/catalog_deployment.yaml index e078a6f7e7c4985e255b881d9026b8626913753f..e4effb10e9ab02db5bc91cae49ed75ee0ab126d6 100644 --- a/chart/templates/catalog_deployment.yaml +++ b/chart/templates/catalog_deployment.yaml @@ -97,6 +97,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env diff --git a/chart/templates/engine_secret.yaml b/chart/templates/engine_secret.yaml index ec4baef2f6c281c184a12c511ff5b0c113a1ca61..e23cc6384b937ef658de6b9d24083800c0753caa 100644 --- a/chart/templates/engine_secret.yaml +++ b/chart/templates/engine_secret.yaml 
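Review bot: The `secretRef` in `configure-sso.yaml` hard-codes `{{ template "anchore-engine.fullname" . }}-admin-pass`, but `anchore_admin_secret.yaml` in this commit only creates that secret when `anchoreGlobal.existingSecret` is unset. With an existing secret configured, this job's pod would reference a secret that was never created and fail to start, unless the job is gated elsewhere outside the hunk. Use the same expression as the deployments: `name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}`. The `kubectl get secret` line in `NOTES.txt` hard-codes the same name and would print a command that finds nothing in that configuration.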
@@ -13,7 +13,6 @@ metadata: {{- end }} type: Opaque stringData: - ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }} ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }} {{- with .Values.anchoreGlobal.saml.secret }} ANCHORE_SAML_SECRET: {{ . }} diff --git a/chart/templates/engine_upgrade_job.yaml b/chart/templates/engine_upgrade_job.yaml index caf3bebb2fcdcb9bcf8bf2edb5d5d5758ed3f4b1..681d094fa5d15d033b8b8c2204f6df0714d26cb4 100644 --- a/chart/templates/engine_upgrade_job.yaml +++ b/chart/templates/engine_upgrade_job.yaml @@ -59,6 +59,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env diff --git a/chart/templates/enterprise_feeds_deployment.yaml b/chart/templates/enterprise_feeds_deployment.yaml index 4389f99db821f7bb8eb8c06c1bc20f344e48fa8b..767e8088cf73a4ccd21673b3d1f9c2662948d0b8 100644 --- a/chart/templates/enterprise_feeds_deployment.yaml +++ b/chart/templates/enterprise_feeds_deployment.yaml @@ -96,6 +96,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.enterprise-feeds.fullname" .) .Values.anchoreEnterpriseFeeds.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}-env diff --git a/chart/templates/enterprise_feeds_secret.yaml b/chart/templates/enterprise_feeds_secret.yaml index f6074f7669415fe4f90d6a8617db6eb955810d6b..30608313b18d1b4f644d184657336e9854042b3f 100644 --- a/chart/templates/enterprise_feeds_secret.yaml 
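Review bot: The `secretRef` added to `enterprise_feeds_deployment.yaml` falls back to `anchoreGlobal.existingSecret`, so when that value is set the feeds container imports every key of the global secret through `envFrom`, not only the admin password. Before this change the feeds pod read only the secret selected by `anchoreEnterpriseFeeds.existingSecret`. A global secret presumably carries the same keys as the chart's engine secret, such as `ANCHORE_DB_PASSWORD`, and those would now be exposed to a component that may not need them. Injecting just the one key keeps the scope narrow: an `env` entry with `valueFrom.secretKeyRef` on `key: ANCHORE_ADMIN_PASSWORD`, as the api deployment already does for `ANCHORE_CLI_PASS`. The same applies to the `enterprise_feeds_upgrade_job.yaml` and `enterprise_ui_deployment.yaml` hunks.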
+++ b/chart/templates/enterprise_feeds_secret.yaml @@ -14,7 +14,6 @@ metadata: {{- end }} type: Opaque stringData: - ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }} ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }} {{- with .Values.anchoreGlobal.saml.secret }} ANCHORE_SAML_SECRET: {{ . }} diff --git a/chart/templates/enterprise_feeds_upgrade_job.yaml b/chart/templates/enterprise_feeds_upgrade_job.yaml index 5167f421b03b1d42dca2cf2d00e1a611624c54c7..25849385c2aa01ccbe78aae7a1a086c8760fc56d 100644 --- a/chart/templates/enterprise_feeds_upgrade_job.yaml +++ b/chart/templates/enterprise_feeds_upgrade_job.yaml @@ -47,6 +47,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.enterprise-feeds.fullname" .) .Values.anchoreEnterpriseFeeds.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}-env diff --git a/chart/templates/enterprise_ui_deployment.yaml b/chart/templates/enterprise_ui_deployment.yaml index d795ae82aa6de09f9f8884b6421c8032cd4815e4..a0aba73ed5b26a885d002724953837ab8bd162f9 100644 --- a/chart/templates/enterprise_ui_deployment.yaml +++ b/chart/templates/enterprise_ui_deployment.yaml @@ -100,6 +100,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.enterprise-ui.fullname" .) .Values.anchoreEnterpriseUi.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} ports: - containerPort: 3000 
diff --git a/chart/templates/enterprise_ui_secret.yaml b/chart/templates/enterprise_ui_secret.yaml index 12848521dd4d8c9dbd8a47c91b755df0be816f92..60075dc1f81de87654f8c164247b4e4bb06c0fa4 100644 --- a/chart/templates/enterprise_ui_secret.yaml +++ b/chart/templates/enterprise_ui_secret.yaml @@ -14,8 +14,6 @@ metadata: {{- end }} type: Opaque stringData: - ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }} - {{- if .Values.anchoreGlobal.dbConfig.ssl }} ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}?ssl=verify-full' {{- else }} diff --git a/chart/templates/enterprise_upgrade_job.yaml b/chart/templates/enterprise_upgrade_job.yaml index 17df8d211e172faf467ca9113a6bbdd04607929d..c47296e1bde11e4d37c404e9f60f734babf6ee3d 100644 --- a/chart/templates/enterprise_upgrade_job.yaml +++ b/chart/templates/enterprise_upgrade_job.yaml @@ -47,6 +47,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env diff --git a/chart/templates/policy_engine_deployment.yaml b/chart/templates/policy_engine_deployment.yaml index 5cadc5a74f315eed52be6c7b0e29584efcbf5df4..347c221a0439418dce620ff281f366c36a34c94d 100644 --- a/chart/templates/policy_engine_deployment.yaml +++ b/chart/templates/policy_engine_deployment.yaml 
@@ -108,6 +108,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env diff --git a/chart/templates/simplequeue_deployment.yaml b/chart/templates/simplequeue_deployment.yaml index 59af620600b8140bae17cd6e00d9feeef09e1cdc..03c7efa597ca300495c7198c1d0e60c61b43fd72 100644 --- a/chart/templates/simplequeue_deployment.yaml +++ b/chart/templates/simplequeue_deployment.yaml @@ -94,6 +94,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env diff --git a/chart/values.yaml b/chart/values.yaml index 4d6b4b0148bd244e74ebf4616204bd7ab0d19efe..c24743193633077cf49d172f098d6f374f0c3de0 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -141,7 +141,7 @@ ingress: # Global configuration shared by all anchore-engine services. anchoreGlobal: # Image used for all anchore engine deployments (excluding enterprise components). - image: registry1.dso.mil/ironbank/anchore/engine/engine:0.9.2 + image: registry1.dso.mil/ironbank/anchore/engine/engine:0.9.3 imagePullPolicy: IfNotPresent # Set image pull secret name if using an anchore-engine image from a private registry @@ -220,7 +220,7 @@ anchoreGlobal: metricsAuthDisabled: false # Sets the password & email address for the default anchore-engine admin user. - defaultAdminPassword: foobar + defaultAdminPassword: defaultAdminEmail: example@email.com saml: 
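Review bot: In `chart/values.yaml`, `defaultAdminPassword:` is left as a bare key, which parses as null, and the comment above it does not say what an empty value means. Make the empty value explicit and document the behaviour, e.g. `# Leave empty to have the chart generate a password; on upgrade the value in the existing secret is reused.` followed by `defaultAdminPassword: ""`. That matches what the README hunk ("generated if you did not specify one") and `anchore_admin_secret.yaml` in this commit describe. The `anchoreGlobal` mapping starts outside the hunk.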
@@ -685,7 +685,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.1 + image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.2 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. # Create this secret with the following command - kubectl create secret docker-registry anchore-dockerhub-creds --docker-server=docker.io --docker-username= --docker-password= --docker-email= diff --git a/tests/images.txt b/tests/images.txt index 0299b03c3606ef4c21a266b9b3c3a737c2ceb5de..ac96fca1f37e543f3d49591623142ff006a3f4e3 100644 --- a/tests/images.txt +++ b/tests/images.txt @@ -1,2 +1,2 @@ -registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.1 +registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.2 registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.1