diff --git a/CHANGELOG.md b/CHANGELOG.md index 810bf2e9cef234ee523657fc8dbb12ae598797eb..4780747a55db319f0a6626255d7ad1c85b635933 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,10 +4,16 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [1.12.4-bb.0] +### Changed +- Bumped upstream chart version to 1.12.4 +- Bumped Anchore Engine image version to 0.9.2 from Registry1 +- Bumped Anchore Enterprise image versions to 3.0.1 from Registry1 + ## [1.12.2-bb.0] ### Changed - Bumped upstream chart version to 1.12.2 -- Bumped Anchore enterprise images to 3.0.0 from registry1 +- Bumped Anchore Enterprise image versions to 3.0.0 from Registry1 - BREAKING UPDATE (SSO): When upgrading from 1.11.0-bb.3 and using SSO, manual config is required. See the note in the [Keycloak Docs](./docs/KEYCLOAK.md#anchore-1122-bb0-upgrade). ### Fixed diff --git a/chart/Chart.yaml b/chart/Chart.yaml index f47702b4328c7dbcc30f69f31f3abefe32b0676f..a11d2257bd393df0963d154f72ac46c82a7c385d 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: anchore-engine -version: 1.12.2-bb.0 -appVersion: 0.9.0 +version: 1.12.4-bb.0 +appVersion: 0.9.2 description: Anchore container analysis and policy evaluation engine service keywords: - analysis diff --git a/chart/Kptfile b/chart/Kptfile index 3ceef28d887744a5d4bd9d77a38466d742f7c07e..b18e1b7799ede591a4d20a4b77b36b6b74e29f78 100644 --- a/chart/Kptfile +++ b/chart/Kptfile @@ -5,7 +5,7 @@ metadata: upstream: type: git git: - commit: bbaed019f8eb9fbcf0f1281ab6f8b4d2647b4d03 + commit: 4a9ddbbf97d01a156062945922323478e1668bda repo: https://github.com/anchore/anchore-charts directory: /stable/anchore-engine - ref: anchore-engine-1.12.2 + ref: anchore-engine-1.12.4 diff --git a/chart/README.md b/chart/README.md index 2be0944a6c865da3a1be484a9fb77404d530aba9..80a0c74bce592ee1bf4011fec4fe6c870937630b 100644 --- a/chart/README.md +++ b/chart/README.md 
@@ -242,12 +242,12 @@ See the anchore-engine [CHANGELOG](https://github.com/anchore/anchore-engine/blo A Helm post-upgrade hook job will shut down all previously running Anchore services and perform the Anchore DB upgrade process using a kubernetes job. The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful helm upgrade. -## Chart version 1.12.0 +## Chart version 1.12.4 --- -* Anchore Engine image updated to v0.9.1 -* Anchore Enterprise images updated to v3.0.0 +* Anchore Engine image updated to v0.9.2 +* Anchore Enterprise images updated to v3.0.1 * Existing secrets now work for Enterprise Feeds and Enterprise UI - see [existing secrets configuration](#-Utilize-an-Existing-Secret) * Anchore admin default password no longer defaults to `foobar`, if no password is specified a random string will be generated. diff --git a/chart/templates/analyzer_deployment.yaml b/chart/templates/analyzer_deployment.yaml index 8afa6b80d9d670d15099e880cf9c59ad16e34c8d..0aca7ed88c9af1d639836e013903e8f43cdee8dc 100644 --- a/chart/templates/analyzer_deployment.yaml +++ b/chart/templates/analyzer_deployment.yaml 
@@ -42,6 +42,12 @@ spec:
 {{- with .Values.anchoreAnalyzer.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.inject_secrets_via_env }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+ checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+ checksum/analyzer-config: {{ include (print $.Template.BasePath "/analyzer_configmap.yaml") . | sha256sum }}
 spec:
 {{- with .Values.anchoreGlobal.securityContext }}
 securityContext:
diff --git a/chart/templates/api_deployment.yaml b/chart/templates/api_deployment.yaml
index d06c98b427dc0a876c4ffd56795095e1b729bcd9..422ea3553836d6c0e56b83f4594cce65767a3a9c 100644
--- a/chart/templates/api_deployment.yaml
+++ b/chart/templates/api_deployment.yaml
@@ -42,6 +42,14 @@ spec:
 {{- with .Values.anchoreApi.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.inject_secrets_via_env }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+ checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+ {{- if .Values.anchoreGlobal.policyBundles }}
+ checksum/policy-config: {{ include (print $.Template.BasePath "/policy_bundle_configmap.yaml") . | sha256sum }}
+ {{- end }}
 spec:
 {{- with .Values.anchoreGlobal.securityContext }}
 securityContext:
diff --git a/chart/templates/catalog_deployment.yaml b/chart/templates/catalog_deployment.yaml
index 046a8d90bdbeaa11deae996184e7e9053ad98f9d..e078a6f7e7c4985e255b881d9026b8626913753f 100644
--- a/chart/templates/catalog_deployment.yaml
+++ b/chart/templates/catalog_deployment.yaml
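Review bot: The `checksum/secrets` annotation added in chart/templates/analyzer_deployment.yaml hashes a fresh render of engine_secret.yaml, and that template takes ANCHORE_ADMIN_PASSWORD from the `anchore-engine.defaultAdminPassword` helper, which the chart README says falls back to a random string when no password is set. If the helper generates that value at render time (it is not visible in this diff), the checksum differs on every `helm upgrade` and every deployment rolls even when nothing changed; the same annotation is added to the api, catalog, policy engine, simplequeue, enterprise feeds and enterprise UI deployments. The secret template also renders empty when `anchoreGlobal.existingSecret` is set, so an externally managed secret can change without triggering a restart. I would document this above the annotation, e.g. `{{- /* tracks chart-rendered secrets only; an existingSecret change needs a manual rollout restart */}}`. The pod template block starts and ends outside the hunk.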
@@ -42,6 +42,14 @@ spec:
 {{- with .Values.anchoreCatalog.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.inject_secrets_via_env }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+ checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+ {{- if .Values.anchoreGlobal.policyBundles }}
+ checksum/policy-config: {{ include (print $.Template.BasePath "/policy_bundle_configmap.yaml") . | sha256sum }}
+ {{- end }}
 spec:
 {{- with .Values.anchoreGlobal.securityContext }}
 securityContext:
diff --git a/chart/templates/engine_configmap.yaml b/chart/templates/engine_configmap.yaml
index 085cdc7b60be8ffe42b2f0156d73eea5d681aa67..1115d60b27a6d02de8b2bf0fcc813f8014fc61d0 100644
--- a/chart/templates/engine_configmap.yaml
+++ b/chart/templates/engine_configmap.yaml
@@ -218,6 +218,7 @@ data:
 service_watcher: {{ .Values.anchoreCatalog.cycleTimers.service_watcher }}
 # Interval between checks to repo for new tags
 repo_watcher: {{ .Values.anchoreCatalog.cycleTimers.repo_watcher }}
+ k8s_watcher: {{ .Values.anchoreCatalog.cycleTimers.k8s_watcher }}
 event_log:
 {{- toYaml .Values.anchoreCatalog.events | nindent 10 }}
 analysis_archive:
@@ -229,6 +230,8 @@ data:
 ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}"
 ssl_key: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretKeyName }}"
 {{- end }}
+ runtime_inventory:
+ image_ttl_days: {{ .Values.anchoreCatalog.runtime_inventory.image_ttl_days }}
 simplequeue:
 enabled: true
 require_auth: true
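Review bot: `k8s_watcher` is added to chart/templates/engine_configmap.yaml (first hunk) without a describing comment, whereas the neighbouring `repo_watcher` carries one. I would put the wording values.yaml already uses above it: `# Interval for the runtime inventory image execution poll`. The enclosing timer block starts outside the hunk.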
@@ -255,5 +258,4 @@ data:
 ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }}
 ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}"
 ssl_key: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretKeyName }}"
- {{- end }}
-
+ {{- end }}
\ No newline at end of file
diff --git a/chart/templates/engine_secret.yaml b/chart/templates/engine_secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ec4baef2f6c281c184a12c511ff5b0c113a1ca61
--- /dev/null
+++ b/chart/templates/engine_secret.yaml
@@ -0,0 +1,21 @@
+{{- if not .Values.anchoreGlobal.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "anchore-engine.fullname" . }}
+ labels:
+ app: {{ template "anchore-engine.fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.anchoreGlobal.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+type: Opaque
+stringData:
+ ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
+ ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }}
+ {{- with .Values.anchoreGlobal.saml.secret }}
+ ANCHORE_SAML_SECRET: {{ . }}
+ {{- end }}
+{{- end }}
diff --git a/chart/templates/enterprise_feeds_deployment.yaml b/chart/templates/enterprise_feeds_deployment.yaml
index 9194dc5e6af1708701de8b24b36e097d50b822de..4389f99db821f7bb8eb8c06c1bc20f344e48fa8b 100644
--- a/chart/templates/enterprise_feeds_deployment.yaml
+++ b/chart/templates/enterprise_feeds_deployment.yaml
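Review bot: `ANCHORE_SAML_SECRET: {{ . }}` in the new chart/templates/engine_secret.yaml is rendered without `quote`, unlike the two password entries directly above it. A secret value containing YAML-significant characters (a leading `*`, `&` or `{`, a `: ` or ` #` sequence), or one that looks like a number or boolean, would either fail to render or be parsed as a non-string under `stringData`. Use `ANCHORE_SAML_SECRET: {{ . | quote }}`; chart/templates/enterprise_feeds_secret.yaml carries the same unquoted line.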
@@ -43,6 +43,11 @@ spec:
 {{- with .Values.anchoreEnterpriseFeeds.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.inject_secrets_via_env }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/enterprise_feeds_secret.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/env: {{ include (print $.Template.BasePath "/enterprise_feeds_configmap_env.yaml") . | sha256sum }}
+ checksum/feeds-config: {{ include (print $.Template.BasePath "/enterprise_feeds_configmap.yaml") . | sha256sum }}
 spec:
 {{- with .Values.anchoreGlobal.securityContext }}
 securityContext:
diff --git a/chart/templates/enterprise_feeds_secret.yaml b/chart/templates/enterprise_feeds_secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..f6074f7669415fe4f90d6a8617db6eb955810d6b
--- /dev/null
+++ b/chart/templates/enterprise_feeds_secret.yaml
@@ -0,0 +1,23 @@
+{{- if not .Values.anchoreEnterpriseFeeds.existingSecret }}
+{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}
+ labels:
+ app: {{ template "anchore-engine.fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.anchoreGlobal.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+type: Opaque
+stringData:
+ ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
+ ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }}
+ {{- with .Values.anchoreGlobal.saml.secret }}
+ ANCHORE_SAML_SECRET: {{ . }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/chart/templates/enterprise_ui_deployment.yaml b/chart/templates/enterprise_ui_deployment.yaml
index 5a3bc4b09ec0de4cfa113f25baddb7c946cf882c..d795ae82aa6de09f9f8884b6421c8032cd4815e4 100644
--- a/chart/templates/enterprise_ui_deployment.yaml
+++ b/chart/templates/enterprise_ui_deployment.yaml
@@ -47,6 +47,10 @@ spec:
 {{- with .Values.anchoreEnterpriseUi.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.inject_secrets_via_env }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/enterprise_ui_secret.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/ui-config: {{ include (print $.Template.BasePath "/enterprise_ui_configmap.yaml") . | sha256sum }}
 spec:
 {{- with .Values.anchoreGlobal.securityContext }}
 securityContext:
diff --git a/chart/templates/enterprise_ui_secret.yaml b/chart/templates/enterprise_ui_secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..12848521dd4d8c9dbd8a47c91b755df0be816f92
--- /dev/null
+++ b/chart/templates/enterprise_ui_secret.yaml
@@ -0,0 +1,31 @@
+{{- if not .Values.anchoreEnterpriseUi.existingSecret }}
+{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseUi.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "anchore-engine.enterprise-ui.fullname" . }}
+ labels:
+ app: {{ template "anchore-engine.fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ {{- with .Values.anchoreGlobal.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+type: Opaque
+stringData:
+ ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
+
+ {{- if .Values.anchoreGlobal.dbConfig.ssl }}
+ ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}?ssl=verify-full'
+ {{- else }}
+ ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}'
+ {{- end }}
+
+ {{- if and (index .Values "anchore-ui-redis" "externalEndpoint") (not (index .Values "anchore-ui-redis" "enabled")) }}
+ ANCHORE_REDIS_URI: '{{ index .Values "anchore-ui-redis" "externalEndpoint" }}'
+ {{- else }}
+ ANCHORE_REDIS_URI: 'redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379'
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/chart/templates/policy_engine_deployment.yaml b/chart/templates/policy_engine_deployment.yaml
index c3c6979b6a1e4d38177e3e0a821760fa3e3e70cb..5cadc5a74f315eed52be6c7b0e29584efcbf5df4 100644
--- a/chart/templates/policy_engine_deployment.yaml
+++ b/chart/templates/policy_engine_deployment.yaml
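Review bot: Both `ANCHORE_APPDB_URI` variants and the `ANCHORE_REDIS_URI` fallback in chart/templates/enterprise_ui_secret.yaml splice the raw user name and password into a hand-quoted URI. A password containing `@`, `/`, `:` or `?` changes how the URI is parsed, and a `'` ends the YAML scalar early, so the rendered Secret is either invalid or resolves to a different host or credential than the operator configured. Percent-encode the credential parts, e.g. `{{ index .Values "postgresql" "postgresPassword" | urlquery }}`, and pass the assembled string through `quote` instead of literal single quotes; `urlquery` encodes a space as `+`, so passwords with spaces should be checked against how the UI decodes the URI. The `else` branch also appears to produce a connection string with no TLS requirement, which deserves a comment so operators know the database password is sent unprotected in that mode.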
@@ -42,6 +42,11 @@ spec:
 {{- with .Values.anchorePolicyEngine.annotations }}
 {{ toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.inject_secrets_via_env }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+ {{- end }}
+ checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+ checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
 spec:
 {{- with .Values.anchoreGlobal.securityContext }}
 securityContext:
diff --git a/chart/templates/secrets.yaml b/chart/templates/secrets.yaml
deleted file mode 100644
index 5fd15db42265a3b128e9e69c5db60cb1cfc8cf29..0000000000000000000000000000000000000000
--- a/chart/templates/secrets.yaml
+++ /dev/null
@@ -1,79 +0,0 @@ -{{- if not .Values.anchoreGlobal.existingSecret }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "anchore-engine.fullname" . }} - labels: - app: {{ template "anchore-engine.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- with .Values.anchoreGlobal.labels }} - {{ toYaml . | nindent 4 }} - {{- end }} -type: Opaque -stringData: - ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }} - ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }} - {{- with .Values.anchoreGlobal.saml.secret }} - ANCHORE_SAML_SECRET: {{ . }} - {{- end }} -{{- end }} - ---- -{{- if not .Values.anchoreEnterpriseFeeds.existingSecret }} -{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "anchore-engine.enterprise-feeds.fullname" . }} - labels: - app: {{ template "anchore-engine.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- with .Values.anchoreGlobal.labels }} - {{ toYaml . | nindent 4 }} - {{- end }} -type: Opaque -stringData: - ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }} - ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }} - {{- with .Values.anchoreGlobal.saml.secret }} - ANCHORE_SAML_SECRET: {{ . }} - {{- end }} -{{- end }} -{{- end }} - ---- -{{- if not .Values.anchoreEnterpriseUi.existingSecret }} -{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseUi.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "anchore-engine.enterprise-ui.fullname" . }} - labels: - app: {{ template "anchore-engine.fullname" . 
}} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- with .Values.anchoreGlobal.labels }} - {{ toYaml . | nindent 4 }} - {{- end }} -type: Opaque -stringData: - ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }} - - {{- if .Values.anchoreGlobal.dbConfig.ssl }} - ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}?ssl=verify-full' - {{- else }} - ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}' - {{- end }} - - {{- if and (index .Values "anchore-ui-redis" "externalEndpoint") (not (index .Values "anchore-ui-redis" "enabled")) }} - ANCHORE_REDIS_URI: '{{ index .Values "anchore-ui-redis" "externalEndpoint" }}' - {{- else }} - ANCHORE_REDIS_URI: 'redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379' - {{- end }} -{{- end }} -{{- end }} diff --git a/chart/templates/simplequeue_deployment.yaml b/chart/templates/simplequeue_deployment.yaml index 62e50f3c5312db35a2e7dddf56160eabc7475974..59af620600b8140bae17cd6e00d9feeef09e1cdc 100644 --- a/chart/templates/simplequeue_deployment.yaml +++ b/chart/templates/simplequeue_deployment.yaml 
@@ -42,6 +42,11 @@ spec: {{- with .Values.anchoreSimpleQueue.annotations }} {{ toYaml . | nindent 8 }} {{- end }} + {{- if not .Values.inject_secrets_via_env }} + checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }} + {{- end }} + checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }} + checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }} spec: {{- with .Values.anchoreGlobal.securityContext }} securityContext: diff --git a/chart/values.yaml b/chart/values.yaml index 870d3519a92b5dc1be393e01ad3c1846042aa717..a1643dd537640fda5b8323da37e1a0a444fa77d5 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -141,7 +141,7 @@ ingress: # Global configuration shared by all anchore-engine services. anchoreGlobal: # Image used for all anchore engine deployments (excluding enterprise components). - image: registry1.dso.mil/ironbank/anchore/engine/engine:0.9.0 + image: registry1.dso.mil/ironbank/anchore/engine/engine:0.9.2 imagePullPolicy: IfNotPresent # Set image pull secret name if using an anchore-engine image from a private registry @@ -467,6 +467,8 @@ anchoreCatalog: repo_watcher: 60 # Interval for when the catalog garbage collects images marked for deletion image_gc: 60 + # Interval for the runtime inventory image execution poll + k8s_watcher: 300 # Event log configuration for webhooks events: 
@@ -594,6 +596,13 @@ anchoreCatalog: tolerations: [] affinity: {} + runtime_inventory: + # This setting tells Anchore how long an image can be missing from an inventory report before it is removed from + # The working set. Note: The image will still have a historical record in the reports service, subject to data history + # constraints as part of that service. + # Note: if a runtime inventory image's digest is also in anchore for regular image analysis, it won't be removed. + image_ttl_days: 1 + # Pod configuration for the anchore engine policy service. anchorePolicyEngine: replicaCount: 1 @@ -676,7 +685,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.0 + image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.1 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. # Create this secret with the following command - kubectl create secret docker-registry anchore-dockerhub-creds --docker-server=docker.io --docker-username= --docker-password= --docker-email= @@ -925,7 +934,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set anchore-ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.0 + image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.1 imagePullPolicy: IfNotPresent imagePullSecretName: private-registry diff --git a/docs/KEYCLOAK.md b/docs/KEYCLOAK.md index b87e664100afe8439e627c702d8a67c8ba13f328..d025f9bf60deeda71b5bace0e6e9bf15625fd151 100644 --- a/docs/KEYCLOAK.md +++ b/docs/KEYCLOAK.md 
@@ -45,7 +45,7 @@ If you are installing the chart without the core Big Bang application chart you ## Anchore 1.12.2-bb.0 Upgrade -When upgrading from any older chart version to 1.12.2-bb.0 you will hit an issue with SSO. After keycloak authentication you will be hit with a message from Anchore: "cannot POST /v1/saml/sso/keycloak (400)". +When upgrading from any older chart version to 1.12.2-bb.0 you will hit an issue with SSO. This issue DOES NOT occur if you skip to 1.12.4-bb.0 (which is Big Bang's reccomendation). After keycloak authentication you will be hit with a message from Anchore: "cannot POST /v1/saml/sso/keycloak (400)". To fix this issue without requiring a clean install, you need to run commands to clean up the DB and restart the API pod. @@ -68,8 +68,6 @@ Then restart the API pod with this command: kubectl delete pods -l component=api -n anchore ``` -This issue should be fixed in the upstream Anchore 3.0.1 Enterprise release, so this is a temporary workaround. - ## Additional References [Anchore SSO Reference](https://anchore.com/blog/feature-series-anchore-enterprise-2-1-sso/) - This includes the process to set up Keycloak integration manually. Our Helm chart automates this process through API calls.