From d3c8fa21ae8fc1256f609e042f060fa8bfb3a942 Mon Sep 17 00:00:00 2001 From: bhearn Date: Tue, 16 Mar 2021 14:26:29 +0000 Subject: [PATCH] 3.0.1 update --- CHANGELOG.md | 8 +- chart/Chart.yaml | 4 +- chart/Kptfile | 4 +- chart/README.md | 6 +- chart/templates/analyzer_deployment.yaml | 6 ++ chart/templates/api_deployment.yaml | 8 ++ chart/templates/catalog_deployment.yaml | 8 ++ chart/templates/engine_configmap.yaml | 6 +- chart/templates/engine_secret.yaml | 21 +++++ .../enterprise_feeds_deployment.yaml | 5 ++ chart/templates/enterprise_feeds_secret.yaml | 23 ++++++ chart/templates/enterprise_ui_deployment.yaml | 4 + chart/templates/enterprise_ui_secret.yaml | 31 ++++++++ chart/templates/policy_engine_deployment.yaml | 5 ++ chart/templates/secrets.yaml | 79 ------------------- chart/templates/simplequeue_deployment.yaml | 5 ++ chart/values.yaml | 15 +++- docs/KEYCLOAK.md | 4 +- 18 files changed, 147 insertions(+), 95 deletions(-) create mode 100644 chart/templates/engine_secret.yaml create mode 100644 chart/templates/enterprise_feeds_secret.yaml create mode 100644 chart/templates/enterprise_ui_secret.yaml delete mode 100644 chart/templates/secrets.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index 810bf2e..4780747 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,10 +4,16 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [1.12.4-bb.0] +### Changed +- Bumped upstream chart version to 1.12.4 +- Bumped Anchore Engine image version to 0.9.2 from Registry1 +- Bumped Anchore Enterprise image versions to 3.0.1 from Registry1 + ## [1.12.2-bb.0] ### Changed - Bumped upstream chart version to 1.12.2 -- Bumped Anchore enterprise images to 3.0.0 from registry1 +- Bumped Anchore Enterprise image versions to 3.0.0 from Registry1 - BREAKING UPDATE (SSO): When upgrading from 1.11.0-bb.3 and using SSO, manual config is required. See the note in the [Keycloak Docs](./docs/KEYCLOAK.md#anchore-1122-bb0-upgrade). ### Fixed 
diff --git a/chart/Chart.yaml b/chart/Chart.yaml index f47702b..a11d225 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: anchore-engine -version: 1.12.2-bb.0 -appVersion: 0.9.0 +version: 1.12.4-bb.0 +appVersion: 0.9.2 description: Anchore container analysis and policy evaluation engine service keywords: - analysis diff --git a/chart/Kptfile b/chart/Kptfile index 3ceef28..b18e1b7 100644 --- a/chart/Kptfile +++ b/chart/Kptfile @@ -5,7 +5,7 @@ metadata: upstream: type: git git: - commit: bbaed019f8eb9fbcf0f1281ab6f8b4d2647b4d03 + commit: 4a9ddbbf97d01a156062945922323478e1668bda repo: https://github.com/anchore/anchore-charts directory: /stable/anchore-engine - ref: anchore-engine-1.12.2 + ref: anchore-engine-1.12.4 diff --git a/chart/README.md b/chart/README.md index 2be0944..80a0c74 100644 --- a/chart/README.md +++ b/chart/README.md 
@@ -242,12 +242,12 @@ See the anchore-engine [CHANGELOG](https://github.com/anchore/anchore-engine/blo A Helm post-upgrade hook job will shut down all previously running Anchore services and perform the Anchore DB upgrade process using a kubernetes job. The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful helm upgrade. -## Chart version 1.12.0 +## Chart version 1.12.4 --- -* Anchore Engine image updated to v0.9.1 -* Anchore Enterprise images updated to v3.0.0 +* Anchore Engine image updated to v0.9.2 +* Anchore Enterprise images updated to v3.0.1 * Existing secrets now work for Enterprise Feeds and Enterprise UI - see [existing secrets configuration](#-Utilize-an-Existing-Secret) * Anchore admin default password no longer defaults to `foobar`, if no password is specified a random string will be generated. diff --git a/chart/templates/analyzer_deployment.yaml b/chart/templates/analyzer_deployment.yaml index 8afa6b8..0aca7ed 100644 --- a/chart/templates/analyzer_deployment.yaml +++ b/chart/templates/analyzer_deployment.yaml 
@@ -42,6 +42,12 @@ spec: {{- with .Values.anchoreAnalyzer.annotations }} {{ toYaml . | nindent 8 }} {{- end }} + {{- if not .Values.inject_secrets_via_env }} + checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }} + {{- end }} + checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }} + checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }} + checksum/analyzer-config: {{ include (print $.Template.BasePath "/analyzer_configmap.yaml") . | sha256sum }} spec: {{- with .Values.anchoreGlobal.securityContext }} securityContext: diff --git a/chart/templates/api_deployment.yaml b/chart/templates/api_deployment.yaml index d06c98b..422ea35 100644 --- a/chart/templates/api_deployment.yaml +++ b/chart/templates/api_deployment.yaml @@ -42,6 +42,14 @@ spec: {{- with .Values.anchoreApi.annotations }} {{ toYaml . | nindent 8 }} {{- end }} + {{- if not .Values.inject_secrets_via_env }} + checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }} + {{- end }} + checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }} + checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }} + {{- if .Values.anchoreGlobal.policyBundles }} + checksum/policy-config: {{ include (print $.Template.BasePath "/policy_bundle_configmap.yaml") . | sha256sum }} + {{- end }} spec: {{- with .Values.anchoreGlobal.securityContext }} securityContext: diff --git a/chart/templates/catalog_deployment.yaml b/chart/templates/catalog_deployment.yaml index 046a8d9..e078a6f 100644 --- a/chart/templates/catalog_deployment.yaml +++ b/chart/templates/catalog_deployment.yaml 
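Review bot: The `checksum/secrets` annotation added in analyzer_deployment.yaml puts a SHA-256 of the rendered `engine_secret.yaml` into pod metadata, where anyone allowed to read pods can see it; with a low-entropy admin or database password that digest is enough to confirm a guess offline. The same pattern, each against its component's own secret template, is added in the api, catalog, enterprise feeds, enterprise UI, policy engine and simplequeue deployment hunks. When `anchoreGlobal.existingSecret` is set the included template renders empty, so the checksum is constant and rotating the external secret will not roll the pods; I would add `# covers only the chart-rendered Secret; restart pods by hand when an existingSecret changes` above the annotation. If `anchore-engine.defaultAdminPassword` produces a new random value on each render (the helper is not visible in this patch), the digest would change on every upgrade and restart all of these deployments, so that is worth confirming. The pod template these annotations sit in starts and ends outside the hunk.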
@@ -42,6 +42,14 @@ spec: {{- with .Values.anchoreCatalog.annotations }} {{ toYaml . | nindent 8 }} {{- end }} + {{- if not .Values.inject_secrets_via_env }} + checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }} + {{- end }} + checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }} + checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }} + {{- if .Values.anchoreGlobal.policyBundles }} + checksum/policy-config: {{ include (print $.Template.BasePath "/policy_bundle_configmap.yaml") . | sha256sum }} + {{- end }} spec: {{- with .Values.anchoreGlobal.securityContext }} securityContext: diff --git a/chart/templates/engine_configmap.yaml b/chart/templates/engine_configmap.yaml index 085cdc7..1115d60 100644 --- a/chart/templates/engine_configmap.yaml +++ b/chart/templates/engine_configmap.yaml @@ -218,6 +218,7 @@ data: service_watcher: {{ .Values.anchoreCatalog.cycleTimers.service_watcher }} # Interval between checks to repo for new tags repo_watcher: {{ .Values.anchoreCatalog.cycleTimers.repo_watcher }} + k8s_watcher: {{ .Values.anchoreCatalog.cycleTimers.k8s_watcher }} event_log: {{- toYaml .Values.anchoreCatalog.events | nindent 10 }} analysis_archive: @@ -229,6 +230,8 @@ data: ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}" ssl_key: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretKeyName }}" {{- end }} + runtime_inventory: + image_ttl_days: {{ .Values.anchoreCatalog.runtime_inventory.image_ttl_days }} simplequeue: enabled: true require_auth: true 
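Review bot: `image_ttl_days: {{ .Values.anchoreCatalog.runtime_inventory.image_ttl_days }}` in the second engine_configmap.yaml hunk dereferences a map that value sets written for the previous chart version do not contain, so an upgrade that reuses stored values instead of merging the new defaults would likely fail to render on a nil `runtime_inventory`. Wrapping the two added lines in `{{- with .Values.anchoreCatalog.runtime_inventory }}` … `{{- end }}` avoids that. In the first hunk `k8s_watcher` would render as an empty value in the same situation, and `{{ .Values.anchoreCatalog.cycleTimers.k8s_watcher | default 300 }}` keeps the default that values.yaml declares. The `k8s_watcher` line is also the only cycle timer here without an explanatory comment; `# Interval for the runtime inventory image execution poll` from values.yaml would fit.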
@@ -255,5 +258,4 @@ data: ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}" ssl_key: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretKeyName }}" - {{- end }} - + {{- end }} \ No newline at end of file diff --git a/chart/templates/engine_secret.yaml b/chart/templates/engine_secret.yaml new file mode 100644 index 0000000..ec4baef --- /dev/null +++ b/chart/templates/engine_secret.yaml @@ -0,0 +1,21 @@ +{{- if not .Values.anchoreGlobal.existingSecret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "anchore-engine.fullname" . }} + labels: + app: {{ template "anchore-engine.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- with .Values.anchoreGlobal.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} +type: Opaque +stringData: + ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }} + ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }} + {{- with .Values.anchoreGlobal.saml.secret }} + ANCHORE_SAML_SECRET: {{ . }} + {{- end }} +{{- end }} diff --git a/chart/templates/enterprise_feeds_deployment.yaml b/chart/templates/enterprise_feeds_deployment.yaml index 9194dc5..4389f99 100644 --- a/chart/templates/enterprise_feeds_deployment.yaml +++ b/chart/templates/enterprise_feeds_deployment.yaml 
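Review bot: `ANCHORE_SAML_SECRET: {{ . }}` in the new engine_secret.yaml is the only value under `stringData` rendered without `| quote`, so a secret that is purely numeric, starts with a YAML indicator character, or contains `: ` or ` #` will either be rejected or stored as something other than what the operator supplied. Change it to `ANCHORE_SAML_SECRET: {{ . | quote }}`; the identical line in enterprise_feeds_secret.yaml needs the same fix. The line is carried over unchanged from the deleted secrets.yaml, but splitting the file is a natural point to correct it. A short header comment stating that this Secret is skipped when `anchoreGlobal.existingSecret` is set, and which keys the existing secret must then provide, would also help operators.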
@@ -43,6 +43,11 @@ spec: {{- with .Values.anchoreEnterpriseFeeds.annotations }} {{ toYaml . | nindent 8 }} {{- end }} + {{- if not .Values.inject_secrets_via_env }} + checksum/secrets: {{ include (print $.Template.BasePath "/enterprise_feeds_secret.yaml") . | sha256sum }} + {{- end }} + checksum/env: {{ include (print $.Template.BasePath "/enterprise_feeds_configmap_env.yaml") . | sha256sum }} + checksum/feeds-config: {{ include (print $.Template.BasePath "/enterprise_feeds_configmap.yaml") . | sha256sum }} spec: {{- with .Values.anchoreGlobal.securityContext }} securityContext: diff --git a/chart/templates/enterprise_feeds_secret.yaml b/chart/templates/enterprise_feeds_secret.yaml new file mode 100644 index 0000000..f6074f7 --- /dev/null +++ b/chart/templates/enterprise_feeds_secret.yaml @@ -0,0 +1,23 @@ +{{- if not .Values.anchoreEnterpriseFeeds.existingSecret }} +{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "anchore-engine.enterprise-feeds.fullname" . }} + labels: + app: {{ template "anchore-engine.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- with .Values.anchoreGlobal.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} +type: Opaque +stringData: + ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }} + ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }} + {{- with .Values.anchoreGlobal.saml.secret }} + ANCHORE_SAML_SECRET: {{ . }} + {{- end }} +{{- end }} +{{- end }} diff --git a/chart/templates/enterprise_ui_deployment.yaml b/chart/templates/enterprise_ui_deployment.yaml index 5a3bc4b..d795ae8 100644 --- a/chart/templates/enterprise_ui_deployment.yaml +++ b/chart/templates/enterprise_ui_deployment.yaml 
@@ -47,6 +47,10 @@ spec: {{- with .Values.anchoreEnterpriseUi.annotations }} {{ toYaml . | nindent 8 }} {{- end }} + {{- if not .Values.inject_secrets_via_env }} + checksum/secrets: {{ include (print $.Template.BasePath "/enterprise_ui_secret.yaml") . | sha256sum }} + {{- end }} + checksum/ui-config: {{ include (print $.Template.BasePath "/enterprise_ui_configmap.yaml") . | sha256sum }} spec: {{- with .Values.anchoreGlobal.securityContext }} securityContext: diff --git a/chart/templates/enterprise_ui_secret.yaml b/chart/templates/enterprise_ui_secret.yaml new file mode 100644 index 0000000..1284852 --- /dev/null +++ b/chart/templates/enterprise_ui_secret.yaml 
@@ -0,0 +1,31 @@ +{{- if not .Values.anchoreEnterpriseUi.existingSecret }} +{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseUi.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "anchore-engine.enterprise-ui.fullname" . }} + labels: + app: {{ template "anchore-engine.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + {{- with .Values.anchoreGlobal.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} +type: Opaque +stringData: + ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }} + + {{- if .Values.anchoreGlobal.dbConfig.ssl }} + ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}?ssl=verify-full' + {{- else }} + ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}' + {{- end }} + + {{- if and (index .Values "anchore-ui-redis" "externalEndpoint") (not (index .Values "anchore-ui-redis" "enabled")) }} + ANCHORE_REDIS_URI: '{{ index .Values "anchore-ui-redis" "externalEndpoint" }}' + {{- else }} + ANCHORE_REDIS_URI: 'redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379' + {{- end }} +{{- end }} +{{- end }} diff --git a/chart/templates/policy_engine_deployment.yaml b/chart/templates/policy_engine_deployment.yaml index c3c6979..5cadc5a 100644 --- a/chart/templates/policy_engine_deployment.yaml +++ b/chart/templates/policy_engine_deployment.yaml 
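Review bot: Both `ANCHORE_APPDB_URI` variants and the fallback `ANCHORE_REDIS_URI` in enterprise_ui_secret.yaml splice the raw user and password values into a URI inside a hand-written single-quoted YAML scalar, so a password containing `@`, `/`, `:`, `?`, `#` or `'` produces a URI that parses to different credentials or host, or a manifest that does not render. Percent-encode the credential parts and let Helm do the quoting, for example `{{ index .Values "postgresql" "postgresPassword" | urlquery }}` inside a `printf` that is then piped to `quote`; `urlquery` encodes a space as `+`, so check how the UI's client decodes it. The `else` branch emits the database URI with no `ssl` parameter, which presumably means the password crosses the network unencrypted when `anchoreGlobal.dbConfig.ssl` is false; a comment such as `# no TLS to the DB in this branch; rely on network-level protection or enable dbConfig.ssl` would make that visible. The content is moved verbatim from the deleted secrets.yaml, so these are pre-existing issues.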
@@ -42,6 +42,11 @@ spec: {{- with .Values.anchorePolicyEngine.annotations }} {{ toYaml . | nindent 8 }} {{- end }} + {{- if not .Values.inject_secrets_via_env }} + checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }} + {{- end }} + checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }} + checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }} spec: {{- with .Values.anchoreGlobal.securityContext }} securityContext: diff --git a/chart/templates/secrets.yaml b/chart/templates/secrets.yaml deleted file mode 100644 index 5fd15db..0000000 --- a/chart/templates/secrets.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -{{- if not .Values.anchoreGlobal.existingSecret }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "anchore-engine.fullname" . }} - labels: - app: {{ template "anchore-engine.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- with .Values.anchoreGlobal.labels }} - {{ toYaml . | nindent 4 }} - {{- end }} -type: Opaque -stringData: - ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }} - ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }} - {{- with .Values.anchoreGlobal.saml.secret }} - ANCHORE_SAML_SECRET: {{ . }} - {{- end }} -{{- end }} - ---- -{{- if not .Values.anchoreEnterpriseFeeds.existingSecret }} -{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "anchore-engine.enterprise-feeds.fullname" . }} - labels: - app: {{ template "anchore-engine.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- with .Values.anchoreGlobal.labels }} - {{ toYaml . | nindent 4 }} - {{- end }} -type: Opaque -stringData: - ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }} - ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }} - {{- with .Values.anchoreGlobal.saml.secret }} - ANCHORE_SAML_SECRET: {{ . }} - {{- end }} -{{- end }} -{{- end }} - ---- -{{- if not .Values.anchoreEnterpriseUi.existingSecret }} -{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseUi.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "anchore-engine.enterprise-ui.fullname" . }} - labels: - app: {{ template "anchore-engine.fullname" . 
}} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- with .Values.anchoreGlobal.labels }} - {{ toYaml . | nindent 4 }} - {{- end }} -type: Opaque -stringData: - ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }} - - {{- if .Values.anchoreGlobal.dbConfig.ssl }} - ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}?ssl=verify-full' - {{- else }} - ANCHORE_APPDB_URI: 'postgresql://{{ index .Values "postgresql" "postgresUser" }}:{{ index .Values "postgresql" "postgresPassword" }}@{{ template "db-hostname" . }}/{{ index .Values "postgresql" "postgresDatabase" }}' - {{- end }} - - {{- if and (index .Values "anchore-ui-redis" "externalEndpoint") (not (index .Values "anchore-ui-redis" "enabled")) }} - ANCHORE_REDIS_URI: '{{ index .Values "anchore-ui-redis" "externalEndpoint" }}' - {{- else }} - ANCHORE_REDIS_URI: 'redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379' - {{- end }} -{{- end }} -{{- end }} diff --git a/chart/templates/simplequeue_deployment.yaml b/chart/templates/simplequeue_deployment.yaml index 62e50f3..59af620 100644 --- a/chart/templates/simplequeue_deployment.yaml +++ b/chart/templates/simplequeue_deployment.yaml 
@@ -42,6 +42,11 @@ spec: {{- with .Values.anchoreSimpleQueue.annotations }} {{ toYaml . | nindent 8 }} {{- end }} + {{- if not .Values.inject_secrets_via_env }} + checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }} + {{- end }} + checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }} + checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }} spec: {{- with .Values.anchoreGlobal.securityContext }} securityContext: diff --git a/chart/values.yaml b/chart/values.yaml index 870d351..a1643dd 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -141,7 +141,7 @@ ingress: # Global configuration shared by all anchore-engine services. anchoreGlobal: # Image used for all anchore engine deployments (excluding enterprise components). - image: registry1.dso.mil/ironbank/anchore/engine/engine:0.9.0 + image: registry1.dso.mil/ironbank/anchore/engine/engine:0.9.2 imagePullPolicy: IfNotPresent # Set image pull secret name if using an anchore-engine image from a private registry @@ -467,6 +467,8 @@ anchoreCatalog: repo_watcher: 60 # Interval for when the catalog garbage collects images marked for deletion image_gc: 60 + # Interval for the runtime inventory image execution poll + k8s_watcher: 300 # Event log configuration for webhooks events: @@ -594,6 +596,13 @@ anchoreCatalog: tolerations: [] affinity: {} + runtime_inventory: + # This setting tells Anchore how long an image can be missing from an inventory report before it is removed from + # The working set. Note: The image will still have a historical record in the reports service, subject to data history + # constraints as part of that service. + # Note: if a runtime inventory image's digest is also in anchore for regular image analysis, it won't be removed. + image_ttl_days: 1 + # Pod configuration for the anchore engine policy service. anchorePolicyEngine: replicaCount: 1 
@@ -676,7 +685,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.0 + image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.1 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. # Create this secret with the following command - kubectl create secret docker-registry anchore-dockerhub-creds --docker-server=docker.io --docker-username= --docker-password= --docker-email= @@ -925,7 +934,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set anchore-ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.0 + image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.1 imagePullPolicy: IfNotPresent imagePullSecretName: private-registry diff --git a/docs/KEYCLOAK.md b/docs/KEYCLOAK.md index b87e664..d025f9b 100644 --- a/docs/KEYCLOAK.md +++ b/docs/KEYCLOAK.md 
@@ -45,7 +45,7 @@ If you are installing the chart without the core Big Bang application chart you ## Anchore 1.12.2-bb.0 Upgrade -When upgrading from any older chart version to 1.12.2-bb.0 you will hit an issue with SSO. After keycloak authentication you will be hit with a message from Anchore: "cannot POST /v1/saml/sso/keycloak (400)". +When upgrading from any older chart version to 1.12.2-bb.0 you will hit an issue with SSO. This issue DOES NOT occur if you skip to 1.12.4-bb.0 (which is Big Bang's reccomendation). After keycloak authentication you will be hit with a message from Anchore: "cannot POST /v1/saml/sso/keycloak (400)". To fix this issue without requiring a clean install, you need to run commands to clean up the DB and restart the API pod. @@ -68,8 +68,6 @@ Then restart the API pod with this command: kubectl delete pods -l component=api -n anchore ``` -This issue should be fixed in the upstream Anchore 3.0.1 Enterprise release, so this is a temporary workaround. - ## Additional References [Anchore SSO Reference](https://anchore.com/blog/feature-series-anchore-enterprise-2-1-sso/) - This includes the process to set up Keycloak integration manually. Our Helm chart automates this process through API calls. -- GitLab