From f859e650a4f67c4976032829c17dbe85a65fef3e Mon Sep 17 00:00:00 2001 From: bhearn Date: Thu, 25 Mar 2021 18:00:44 +0000 Subject: [PATCH] update "chart" (https://github.com/anchore/anchore-charts) from "anchore-engine-1.12.4" (4a9ddbbf97d01a156062945922323478e1668bda) to "anchore-engine-1.12.6" (ed4d1bdcff2e91a860245f106e666c23a43f5d57) --- CHANGELOG.md | 6 ++++ README.md | 2 +- chart/Chart.yaml | 4 +-- chart/Kptfile | 4 +-- chart/README.md | 6 ++++ chart/templates/NOTES.txt | 2 +- chart/templates/analyzer_deployment.yaml | 2 ++ chart/templates/anchore_admin_secret.yaml | 34 +++++++++++++++++++ chart/templates/api_deployment.yaml | 12 ++++++- .../templates/bigbang/sso/configure-sso.yaml | 2 +- chart/templates/catalog_deployment.yaml | 2 ++ chart/templates/engine_secret.yaml | 1 - chart/templates/engine_upgrade_job.yaml | 2 ++ .../enterprise_feeds_deployment.yaml | 2 ++ chart/templates/enterprise_feeds_secret.yaml | 1 - .../enterprise_feeds_upgrade_job.yaml | 2 ++ chart/templates/enterprise_ui_deployment.yaml | 2 ++ chart/templates/enterprise_ui_secret.yaml | 2 -- chart/templates/enterprise_upgrade_job.yaml | 2 ++ chart/templates/policy_engine_deployment.yaml | 2 ++ chart/templates/simplequeue_deployment.yaml | 2 ++ chart/values.yaml | 6 ++-- tests/images.txt | 2 +- 23 files changed, 86 insertions(+), 16 deletions(-) create mode 100644 chart/templates/anchore_admin_secret.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index 3203684..6526ce6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [1.12.7-bb.0] +### Changed +- Bumped upstream chart version to 1.12.7 +- Bumped Anchore Engine image version to 0.9.3 from Registry1 +- Bumped Anchore Enterprise image version to 3.0.2 from Registry1 (Anchore Enterprise UI is remaining at 3.0.1) + ## [1.12.4-bb.1] ### Changed - Replaced Bitnami redis chart with Big Bang redis chart 
diff --git a/README.md b/README.md index b962bf6..0c37478 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ helm upgrade -i anchore chart -n anchore --create-namespace -f chart/values.yaml To get the admin password (generated if you did not specify one): ``` -kubectl get secrets -n anchore anchore-anchore-engine -o go-template='{{.data.ANCHORE_ADMIN_PASSWORD | base64decode}}' | xargs +kubectl get secrets -n anchore anchore-anchore-engine-admin-pass -o go-template='{{.data.ANCHORE_ADMIN_PASSWORD | base64decode}}' | xargs ``` To delete Anchore when deployed this way: diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 7a2677f..e7d7043 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: anchore-engine -version: 1.12.4-bb.1 -appVersion: 0.9.2 +version: 1.12.7-bb.0 +appVersion: 0.9.3 description: Anchore container analysis and policy evaluation engine service keywords: - analysis diff --git a/chart/Kptfile b/chart/Kptfile index b18e1b7..6173568 100644 --- a/chart/Kptfile +++ b/chart/Kptfile @@ -5,7 +5,7 @@ metadata: upstream: type: git git: - commit: 4a9ddbbf97d01a156062945922323478e1668bda + commit: e41ae9622408427aed876dcf91cea86d1cddf57a repo: https://github.com/anchore/anchore-charts directory: /stable/anchore-engine - ref: anchore-engine-1.12.4 + ref: anchore-engine-1.12.7 diff --git a/chart/README.md b/chart/README.md index 98ce3dd..3c0e414 100644 --- a/chart/README.md +++ b/chart/README.md 
@@ -242,6 +242,12 @@ See the anchore-engine [CHANGELOG](https://github.com/anchore/anchore-engine/blo A Helm post-upgrade hook job will shut down all previously running Anchore services and perform the Anchore DB upgrade process using a kubernetes job. The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful helm upgrade. +## Chart version 1.12.7 + +* Anchore Engine image updated to v0.9.3 +* Anchore Enterprise image updated to v3.0.2 (Anchore Enterprise UI image remains at v3.0.1) +* An [issue](https://github.com/anchore/anchore-engine/issues/950) was found that effects users of Anchore Engine 0.9.0 - 0.9.2 scanning certain Java images. A new version of anchore-engine 0.9.3 fixes the issue. Anchore Enterprise customers using Anchore Enterprise 3.0.0 or 3.0.1 should upgrade to 3.0.2. + ## Chart version 1.12.4 --- diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt index 38d0b05..9720486 100644 --- a/chart/templates/NOTES.txt +++ b/chart/templates/NOTES.txt 
@@ -8,7 +8,7 @@ Here are the steps to configure the anchore-cli (`pip install anchorecli`). Use To configure your anchore-cli run: ANCHORE_CLI_USER=admin - ANCHORE_CLI_PASS=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "anchore-engine.fullname" . }} -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --decode; echo) + ANCHORE_CLI_PASS=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "anchore-engine.fullname" . }}-admin-pass -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --decode; echo) {{ if .Values.ingress.enabled }} ANCHORE_CLI_URL={{- if .Values.anchoreGlobal.internalServicesSsl.enabled -}}https{{- else }}http{{- end -}}://$(kubectl get ingress --namespace {{ .Release.Namespace }} {{ template "anchore-engine.fullname" . }} -o jsonpath="{.status.loadBalancer.ingress[0].ip}")/v1/ {{ else }} diff --git a/chart/templates/analyzer_deployment.yaml b/chart/templates/analyzer_deployment.yaml index 0aca7ed..1b0ba7b 100644 --- a/chart/templates/analyzer_deployment.yaml +++ b/chart/templates/analyzer_deployment.yaml @@ -109,6 +109,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env diff --git a/chart/templates/anchore_admin_secret.yaml b/chart/templates/anchore_admin_secret.yaml new file mode 100644 index 0000000..1a8724b --- /dev/null +++ b/chart/templates/anchore_admin_secret.yaml 
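Review bot: In analyzer_deployment.yaml the added `secretRef` resolves to the same name as the entry above it whenever `.Values.anchoreGlobal.existingSecret` is set, because both use `default … .Values.anchoreGlobal.existingSecret`, so the container gets the same secret twice in `envFrom`. This is harmless at runtime, but it hides the fact that an existing secret must now carry `ANCHORE_ADMIN_PASSWORD` itself. Consider guarding the new entry with `{{- if not .Values.anchoreGlobal.existingSecret }}` and naming it `{{ template "anchore-engine.fullname" . }}-admin-pass`, or add a comment stating that requirement. The same pair is added in the api, catalog, policy-engine, simplequeue, engine-upgrade and enterprise-upgrade hunks; the enclosing container spec starts outside each hunk.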
@@ -0,0 +1,34 @@ +{{- if not .Values.anchoreGlobal.existingSecret }} + +{{- $anchoreAdminPass := (include "anchore-engine.defaultAdminPassword" . | quote) }} + +{{- /* + If release is being upgraded, don't recreate the defaultAdminPassword, instead get it from the corresponding existing + secret. For users upgrading to chart v1.12.5 or higher, use the new admin-password secret, otherwise use the old + engine secret. +*/ -}} +{{- if and .Release.IsUpgrade (not .Values.anchoreGlobal.defaultAdminPassword) }} +{{- $adminPassSecret := (lookup "v1" "Secret" .Release.Namespace (print (include "anchore-engine.fullname" .) "-admin-pass")) }} +{{- $engineSecret := (lookup "v1" "Secret" .Release.Namespace (include "anchore-engine.fullname" . )) -}} +{{- if or $engineSecret $adminPassSecret }} +{{- $secret := (default $engineSecret $adminPassSecret) }} +{{- $anchoreAdminPass = (index $secret.data "ANCHORE_ADMIN_PASSWORD" | b64dec) }} +{{- end }} +{{- end }} + +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "anchore-engine.fullname" . }}-admin-pass + labels: + app: {{ template "anchore-engine.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- with .Values.anchoreGlobal.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} +type: Opaque +stringData: + ANCHORE_ADMIN_PASSWORD: {{ $anchoreAdminPass }} +{{- end }} diff --git a/chart/templates/api_deployment.yaml b/chart/templates/api_deployment.yaml index 422ea35..dd52822 100644 --- a/chart/templates/api_deployment.yaml +++ b/chart/templates/api_deployment.yaml 
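Review bot: On the upgrade path in anchore_admin_secret.yaml the looked-up password is rendered unquoted: `$anchoreAdminPass` starts as `include … | quote`, but the reassignment `(index $secret.data "ANCHORE_ADMIN_PASSWORD" | b64dec)` drops the quoting before `ANCHORE_ADMIN_PASSWORD: {{ $anchoreAdminPass }}` is emitted. A stored password that looks like a number or boolean, or that contains `: `, ` #` or a leading YAML indicator, would then be retyped or fail to parse under `stringData`. The reassignment should read `{{- $anchoreAdminPass = (index $secret.data "ANCHORE_ADMIN_PASSWORD" | b64dec | quote) }}`. The branch also assumes the chosen secret has that key, so a `hasKey` check before `index` would cover an engine secret that no longer carries it. Separately, `lookup` returns an empty result under `helm template` and client-side dry runs, so pipelines that render that way will likely get a freshly generated password on each render.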
@@ -97,6 +97,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env @@ -115,7 +117,7 @@ spec: - name: ANCHORE_CLI_PASS valueFrom: secretKeyRef: - name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} key: ANCHORE_ADMIN_PASSWORD {{- end }} ports: @@ -184,6 +186,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env @@ -254,6 +258,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env @@ -327,6 +333,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env 
@@ -399,6 +407,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env diff --git a/chart/templates/bigbang/sso/configure-sso.yaml b/chart/templates/bigbang/sso/configure-sso.yaml index 61a3217..206ca9a 100644 --- a/chart/templates/bigbang/sso/configure-sso.yaml +++ b/chart/templates/bigbang/sso/configure-sso.yaml @@ -56,7 +56,7 @@ spec: fi envFrom: - secretRef: - name: {{ template "anchore-engine.fullname" . }} + name: {{ template "anchore-engine.fullname" . }}-admin-pass volumeMounts: - name: anchore-sso mountPath: "/tmp" diff --git a/chart/templates/catalog_deployment.yaml b/chart/templates/catalog_deployment.yaml index e078a6f..e4effb1 100644 --- a/chart/templates/catalog_deployment.yaml +++ b/chart/templates/catalog_deployment.yaml @@ -97,6 +97,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env diff --git a/chart/templates/engine_secret.yaml b/chart/templates/engine_secret.yaml index ec4baef..e23cc63 100644 --- a/chart/templates/engine_secret.yaml +++ b/chart/templates/engine_secret.yaml @@ -13,7 +13,6 @@ metadata: {{- end }} type: Opaque stringData: - ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }} ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }} {{- with .Values.anchoreGlobal.saml.secret }} ANCHORE_SAML_SECRET: {{ . }} 
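Review bot: In configure-sso.yaml the `secretRef` name is hard-coded to `{{ template "anchore-engine.fullname" . }}-admin-pass`, but anchore_admin_secret.yaml creates that secret only when `.Values.anchoreGlobal.existingSecret` is unset. With an existing secret configured, this container would reference a secret that does not exist and fail to start. Use the expression the deployments use: `name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }}`. The job previously received every key of the engine secret through this `envFrom`, and its script is outside the hunk, so confirm it reads only `ANCHORE_ADMIN_PASSWORD`. NOTES.txt prints the same hard-coded name in its `kubectl get secret` hint.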
diff --git a/chart/templates/engine_upgrade_job.yaml b/chart/templates/engine_upgrade_job.yaml index caf3beb..681d094 100644 --- a/chart/templates/engine_upgrade_job.yaml +++ b/chart/templates/engine_upgrade_job.yaml @@ -59,6 +59,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env diff --git a/chart/templates/enterprise_feeds_deployment.yaml b/chart/templates/enterprise_feeds_deployment.yaml index 4389f99..767e808 100644 --- a/chart/templates/enterprise_feeds_deployment.yaml +++ b/chart/templates/enterprise_feeds_deployment.yaml @@ -96,6 +96,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.enterprise-feeds.fullname" .) .Values.anchoreEnterpriseFeeds.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}-env diff --git a/chart/templates/enterprise_feeds_secret.yaml b/chart/templates/enterprise_feeds_secret.yaml index f6074f7..3060831 100644 --- a/chart/templates/enterprise_feeds_secret.yaml +++ b/chart/templates/enterprise_feeds_secret.yaml @@ -14,7 +14,6 @@ metadata: {{- end }} type: Opaque stringData: - ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }} ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }} {{- with .Values.anchoreGlobal.saml.secret }} ANCHORE_SAML_SECRET: {{ . }} diff --git a/chart/templates/enterprise_feeds_upgrade_job.yaml b/chart/templates/enterprise_feeds_upgrade_job.yaml index 5167f42..2584938 100644 
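Review bot: In enterprise_feeds_deployment.yaml the added `secretRef` is keyed on `.Values.anchoreGlobal.existingSecret`, while the entry above it is keyed on `.Values.anchoreEnterpriseFeeds.existingSecret`. An operator who supplies only a feeds secret therefore also gets the chart-generated `-admin-pass` secret in `envFrom`. Later `envFrom` sources win on duplicate keys, so an `ANCHORE_ADMIN_PASSWORD` carried in the operator's own feeds secret would be silently replaced by the generated one. If that is intended, say so next to the entry, for example `# admin password always comes from anchoreGlobal.existingSecret or the generated -admin-pass secret`; otherwise list the admin-pass entry first so the component secret keeps precedence. The same mix appears in the enterprise_feeds_upgrade_job.yaml hunk and in enterprise_ui_deployment.yaml (with `.Values.anchoreEnterpriseUi.existingSecret`); the container spec starts outside each hunk.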
--- a/chart/templates/enterprise_feeds_upgrade_job.yaml +++ b/chart/templates/enterprise_feeds_upgrade_job.yaml @@ -47,6 +47,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.enterprise-feeds.fullname" .) .Values.anchoreEnterpriseFeeds.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}-env diff --git a/chart/templates/enterprise_ui_deployment.yaml b/chart/templates/enterprise_ui_deployment.yaml index d795ae8..a0aba73 100644 --- a/chart/templates/enterprise_ui_deployment.yaml +++ b/chart/templates/enterprise_ui_deployment.yaml @@ -100,6 +100,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.enterprise-ui.fullname" .) .Values.anchoreEnterpriseUi.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} ports: - containerPort: 3000 diff --git a/chart/templates/enterprise_ui_secret.yaml b/chart/templates/enterprise_ui_secret.yaml index 1284852..60075dc 100644 --- a/chart/templates/enterprise_ui_secret.yaml +++ b/chart/templates/enterprise_ui_secret.yaml @@ -14,8 +14,6 @@ metadata: {{- end }} type: Opaque stringData: - ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }} - {{- if .Values.anchoreGlobal.dbConfig.ssl }} ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}?ssl=verify-full' {{- else }} diff --git a/chart/templates/enterprise_upgrade_job.yaml b/chart/templates/enterprise_upgrade_job.yaml index 17df8d2..c47296e 100644 
--- a/chart/templates/enterprise_upgrade_job.yaml +++ b/chart/templates/enterprise_upgrade_job.yaml @@ -47,6 +47,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env diff --git a/chart/templates/policy_engine_deployment.yaml b/chart/templates/policy_engine_deployment.yaml index 5cadc5a..347c221 100644 --- a/chart/templates/policy_engine_deployment.yaml +++ b/chart/templates/policy_engine_deployment.yaml @@ -108,6 +108,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env diff --git a/chart/templates/simplequeue_deployment.yaml b/chart/templates/simplequeue_deployment.yaml index 59af620..03c7efa 100644 --- a/chart/templates/simplequeue_deployment.yaml +++ b/chart/templates/simplequeue_deployment.yaml @@ -94,6 +94,8 @@ spec: {{- if not .Values.inject_secrets_via_env }} - secretRef: name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env diff --git a/chart/values.yaml b/chart/values.yaml index 4d6b4b0..c247431 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
@@ -141,7 +141,7 @@ ingress: # Global configuration shared by all anchore-engine services. anchoreGlobal: # Image used for all anchore engine deployments (excluding enterprise components). - image: registry1.dso.mil/ironbank/anchore/engine/engine:0.9.2 + image: registry1.dso.mil/ironbank/anchore/engine/engine:0.9.3 imagePullPolicy: IfNotPresent # Set image pull secret name if using an anchore-engine image from a private registry @@ -220,7 +220,7 @@ anchoreGlobal: metricsAuthDisabled: false # Sets the password & email address for the default anchore-engine admin user. - defaultAdminPassword: foobar + defaultAdminPassword: defaultAdminEmail: example@email.com saml: @@ -685,7 +685,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.1 + image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.2 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. # Create this secret with the following command - kubectl create secret docker-registry anchore-dockerhub-creds --docker-server=docker.io --docker-username= --docker-password= --docker-email= diff --git a/tests/images.txt b/tests/images.txt index 0299b03..ac96fca 100644 --- a/tests/images.txt +++ b/tests/images.txt @@ -1,2 +1,2 @@ -registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.1 +registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.2 registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.1 -- GitLab
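Review bot: In the values.yaml hunk at `@@ -220`, `defaultAdminPassword:` is now a bare empty key (YAML null), and the comment above it still says only that it sets the password, so nothing tells an operator what happens when it is left unset. Going by the README and the new secret template, the comment could read `# Leave empty to have the chart generate the admin password; it is stored in the <fullname>-admin-pass secret and reused on upgrade.` Writing the value as `defaultAdminPassword: ""` would make the emptiness explicit, assuming the `anchore-engine.defaultAdminPassword` helper (not shown here) treats an empty string like null. The `anchoreGlobal` mapping starts outside the hunk.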