Merge branch '3.0.1-update' into 'main'

3.0.1 update

See merge request !21

CHANGELOG.md

@@ -4,10 +4,16 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ---
 
+## [1.12.4-bb.0]
+### Changed
+- Bumped upstream chart version to 1.12.4
+- Bumped Anchore Engine image version to 0.9.2 from Registry1
+- Bumped Anchore Enterprise image versions to 3.0.1 from Registry1
+
 ## [1.12.2-bb.0]
 ### Changed
 - Bumped upstream chart version to 1.12.2
-- Bumped Anchore enterprise images to 3.0.0 from registry1
+- Bumped Anchore Enterprise image versions to 3.0.0 from Registry1
 - BREAKING UPDATE (SSO): When upgrading from 1.11.0-bb.3 and using SSO, manual config is required. See the note in the [Keycloak Docs](./docs/KEYCLOAK.md#anchore-1122-bb0-upgrade).
 
 ### Fixed

chart/Chart.yaml

 apiVersion: v2
 name: anchore-engine
-version: 1.12.2-bb.0
-appVersion: 0.9.0
+version: 1.12.4-bb.0
+appVersion: 0.9.2
 description: Anchore container analysis and policy evaluation engine service
 keywords:
  - analysis

chart/Kptfile

@@ -5,7 +5,7 @@ metadata:
 upstream:
   type: git
   git:
-    commit: bbaed019f8eb9fbcf0f1281ab6f8b4d2647b4d03
+    commit: 4a9ddbbf97d01a156062945922323478e1668bda
     repo: https://github.com/anchore/anchore-charts
     directory: /stable/anchore-engine
-    ref: anchore-engine-1.12.2
+    ref: anchore-engine-1.12.4

chart/README.md

@@ -242,12 +242,12 @@ See the anchore-engine [CHANGELOG](https://github.com/anchore/anchore-engine/blo
 
 A Helm post-upgrade hook job will shut down all previously running Anchore services and perform the Anchore DB upgrade process using a kubernetes job. The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful helm upgrade.
 
-## Chart version 1.12.0
+## Chart version 1.12.4
 
 ---
 
-* Anchore Engine image updated to v0.9.1
-* Anchore Enterprise images updated to v3.0.0
+* Anchore Engine image updated to v0.9.2
+* Anchore Enterprise images updated to v3.0.1
 * Existing secrets now work for Enterprise Feeds and Enterprise UI - see [existing secrets configuration](#-Utilize-an-Existing-Secret)
 * Anchore admin default password no longer defaults to `foobar`, if no password is specified a random string will be generated.
 

chart/templates/analyzer_deployment.yaml

@@ -42,6 +42,12 @@ spec:
       {{- with .Values.anchoreAnalyzer.annotations }}
         {{ toYaml . | nindent 8 }}
       {{- end }}
+      {{- if not .Values.inject_secrets_via_env }}
+        checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+      {{- end }}
+        checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+        checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+        checksum/analyzer-config: {{ include (print $.Template.BasePath "/analyzer_configmap.yaml") . | sha256sum }}
     spec:
       {{- with .Values.anchoreGlobal.securityContext }}
       securityContext:

chart/templates/api_deployment.yaml

@@ -42,6 +42,14 @@ spec:
       {{- with .Values.anchoreApi.annotations }}
         {{ toYaml . | nindent 8 }}
       {{- end }}
+      {{- if not .Values.inject_secrets_via_env }}
+        checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+      {{- end }}
+        checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+        checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+      {{- if .Values.anchoreGlobal.policyBundles }}
+        checksum/policy-config: {{ include (print $.Template.BasePath "/policy_bundle_configmap.yaml") . | sha256sum }}
+      {{- end }}
     spec:
       {{- with .Values.anchoreGlobal.securityContext }}
       securityContext:

chart/templates/catalog_deployment.yaml

@@ -42,6 +42,14 @@ spec:
       {{- with .Values.anchoreCatalog.annotations }}
         {{ toYaml . | nindent 8 }}
       {{- end }}
+      {{- if not .Values.inject_secrets_via_env }}
+        checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+      {{- end }}
+        checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+        checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
+      {{- if .Values.anchoreGlobal.policyBundles }}
+        checksum/policy-config: {{ include (print $.Template.BasePath "/policy_bundle_configmap.yaml") . | sha256sum }}
+      {{- end }}
     spec:
       {{- with .Values.anchoreGlobal.securityContext }}
       securityContext:

chart/templates/engine_configmap.yaml

@@ -218,6 +218,7 @@ data:
           service_watcher: {{ .Values.anchoreCatalog.cycleTimers.service_watcher }}
           # Interval between checks to repo for new tags
           repo_watcher: {{ .Values.anchoreCatalog.cycleTimers.repo_watcher }}
+          k8s_watcher: {{ .Values.anchoreCatalog.cycleTimers.k8s_watcher }}
         event_log:
           {{- toYaml .Values.anchoreCatalog.events | nindent 10 }}
         analysis_archive:
@@ -229,6 +230,8 @@ data:
         ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}"
         ssl_key: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretKeyName }}"
         {{- end }}
+        runtime_inventory:
+          image_ttl_days: {{ .Values.anchoreCatalog.runtime_inventory.image_ttl_days }}
       simplequeue:
         enabled: true
         require_auth: true
@@ -255,5 +258,4 @@ data:
         ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }}
         ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}"
         ssl_key: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretKeyName }}"
-        {{- end }}
-
+        {{- end }}
\ No newline at end of file

chart/templates/engine_secret.yaml

+{{- if not .Values.anchoreGlobal.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "anchore-engine.fullname" . }}
+  labels:
+    app: {{ template "anchore-engine.fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    {{- with .Values.anchoreGlobal.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+type: Opaque
+stringData:
+  ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
+  ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }}
+  {{- with .Values.anchoreGlobal.saml.secret }}
+  ANCHORE_SAML_SECRET: {{ . }}
+  {{- end }}
+{{- end }}

chart/templates/enterprise_feeds_deployment.yaml

@@ -43,6 +43,11 @@ spec:
       {{- with .Values.anchoreEnterpriseFeeds.annotations }}
         {{ toYaml . | nindent 8 }}
       {{- end }}
+      {{- if not .Values.inject_secrets_via_env }}
+        checksum/secrets: {{ include (print $.Template.BasePath "/enterprise_feeds_secret.yaml") . | sha256sum }}
+      {{- end }}
+        checksum/env: {{ include (print $.Template.BasePath "/enterprise_feeds_configmap_env.yaml") . | sha256sum }}
+        checksum/feeds-config: {{ include (print $.Template.BasePath "/enterprise_feeds_configmap.yaml") . | sha256sum }}
     spec:
       {{- with .Values.anchoreGlobal.securityContext }}
       securityContext:

chart/templates/enterprise_feeds_secret.yaml

+{{- if not .Values.anchoreEnterpriseFeeds.existingSecret }}
+{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}
+  labels:
+    app: {{ template "anchore-engine.fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    {{- with .Values.anchoreGlobal.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+type: Opaque
+stringData:
+  ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
+  ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }}
+  {{- with .Values.anchoreGlobal.saml.secret }}
+  ANCHORE_SAML_SECRET: {{ . }}
+  {{- end }}
+{{- end }}
+{{- end }}

chart/templates/enterprise_ui_deployment.yaml

@@ -47,6 +47,10 @@ spec:
       {{- with .Values.anchoreEnterpriseUi.annotations }}
         {{ toYaml . | nindent 8 }}
       {{- end }}
+      {{- if not .Values.inject_secrets_via_env }}
+        checksum/secrets: {{ include (print $.Template.BasePath "/enterprise_ui_secret.yaml") . | sha256sum }}
+      {{- end }}
+        checksum/ui-config: {{ include (print $.Template.BasePath "/enterprise_ui_configmap.yaml") . | sha256sum }}
     spec:
       {{- with .Values.anchoreGlobal.securityContext }}
       securityContext:

chart/templates/secrets.yaml → chart/templates/enterprise_ui_secret.yaml

-{{- if not .Values.anchoreGlobal.existingSecret }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ template "anchore-engine.fullname" . }}
-  labels:
-    app: {{ template "anchore-engine.fullname" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-    {{- with .Values.anchoreGlobal.labels }}
-    {{ toYaml . | nindent 4 }}
-    {{- end }}
-type: Opaque
-stringData:
-  ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
-  ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "postgresPassword" | quote }}
-  {{- with .Values.anchoreGlobal.saml.secret }}
-  ANCHORE_SAML_SECRET: {{ . }}
-  {{- end }}
-{{- end }}
-
----
-{{- if not .Values.anchoreEnterpriseFeeds.existingSecret }}
-{{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}
-  labels:
-    app: {{ template "anchore-engine.fullname" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-    {{- with .Values.anchoreGlobal.labels }}
-    {{ toYaml . | nindent 4 }}
-    {{- end }}
-type: Opaque
-stringData:
-  ANCHORE_ADMIN_PASSWORD: {{ include "anchore-engine.defaultAdminPassword" . | quote }}
-  ANCHORE_FEEDS_DB_PASSWORD: {{ index .Values "anchore-feeds-db" "postgresPassword" | quote }}
-  {{- with .Values.anchoreGlobal.saml.secret }}
-  ANCHORE_SAML_SECRET: {{ . }}
-  {{- end }}
-{{- end }}
-{{- end }}
-
----
 {{- if not .Values.anchoreEnterpriseUi.existingSecret }}
 {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseUi.enabled }}
 apiVersion: v1

chart/templates/policy_engine_deployment.yaml

@@ -42,6 +42,11 @@ spec:
       {{- with .Values.anchorePolicyEngine.annotations }}
         {{ toYaml . | nindent 8 }}
       {{- end }}
+      {{- if not .Values.inject_secrets_via_env }}
+        checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+      {{- end }}
+        checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+        checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
     spec:
       {{- with .Values.anchoreGlobal.securityContext }}
       securityContext:

chart/templates/simplequeue_deployment.yaml

@@ -42,6 +42,11 @@ spec:
       {{- with .Values.anchoreSimpleQueue.annotations }}
         {{ toYaml . | nindent 8 }}
       {{- end }}
+      {{- if not .Values.inject_secrets_via_env }}
+        checksum/secrets: {{ include (print $.Template.BasePath "/engine_secret.yaml") . | sha256sum }}
+      {{- end }}
+        checksum/env: {{ include (print $.Template.BasePath "/engine_configmap_env.yaml") . | sha256sum }}
+        checksum/engine-config: {{ include (print $.Template.BasePath "/engine_configmap.yaml") . | sha256sum }}
     spec:
       {{- with .Values.anchoreGlobal.securityContext }}
       securityContext:

chart/values.yaml

@@ -141,7 +141,7 @@ ingress:
 # Global configuration shared by all anchore-engine services.
 anchoreGlobal:
   # Image used for all anchore engine deployments (excluding enterprise components).
-  image: registry1.dso.mil/ironbank/anchore/engine/engine:0.9.0
+  image: registry1.dso.mil/ironbank/anchore/engine/engine:0.9.2
   imagePullPolicy: IfNotPresent
 
   # Set image pull secret name if using an anchore-engine image from a private registry
@@ -467,6 +467,8 @@ anchoreCatalog:
     repo_watcher: 60
     # Interval for when the catalog garbage collects images marked for deletion
     image_gc: 60
+    # Interval for the runtime inventory image execution poll
+    k8s_watcher: 300
 
   # Event log configuration for webhooks
   events:
@@ -594,6 +596,13 @@ anchoreCatalog:
   tolerations: []
   affinity: {}
 
+  runtime_inventory:
+    # This setting tells Anchore how long an image can be missing from an inventory report before it is removed from
+    # The working set. Note: The image will still have a historical record in the reports service, subject to data history
+    # constraints as part of that service.
+    # Note: if a runtime inventory image's digest is also in anchore for regular image analysis, it won't be removed.
+    image_ttl_days: 1
+
 # Pod configuration for the anchore engine policy service.
 anchorePolicyEngine:
   replicaCount: 1
@@ -676,7 +685,7 @@ anchoreEnterpriseGlobal:
   # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=<PATH TO LICENSE.YAML>
   licenseSecretName: anchore-enterprise-license
 
-  image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.0
+  image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.1
   imagePullPolicy: IfNotPresent
   # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images.
   # Create this secret with the following command - kubectl create secret docker-registry anchore-dockerhub-creds --docker-server=docker.io --docker-username=<USERNAME> --docker-password=<PASSWORD> --docker-email=<EMAIL_ADDRESS>
@@ -925,7 +934,7 @@ anchoreEnterpriseNotifications:
 anchoreEnterpriseUi:
   # If enabled is set to false, set anchore-ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance.
   enabled: true
-  image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.0
+  image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.1
   imagePullPolicy: IfNotPresent
   imagePullSecretName: private-registry
 

docs/KEYCLOAK.md

@@ -45,7 +45,7 @@ If you are installing the chart without the core Big Bang application chart you
 
 ## Anchore 1.12.2-bb.0 Upgrade
 
-When upgrading from any older chart version to 1.12.2-bb.0 you will hit an issue with SSO. After keycloak authentication you will be hit with a message from Anchore: "cannot POST /v1/saml/sso/keycloak (400)".
+When upgrading from any older chart version to 1.12.2-bb.0 you will hit an issue with SSO. This issue DOES NOT occur if you skip to 1.12.4-bb.0 (which is Big Bang's reccomendation). After keycloak authentication you will be hit with a message from Anchore: "cannot POST /v1/saml/sso/keycloak (400)".
 
 To fix this issue without requiring a clean install, you need to run commands to clean up the DB and restart the API pod.
 
@@ -68,8 +68,6 @@ Then restart the API pod with this command:
 kubectl delete pods -l component=api -n anchore
 ```
 
-This issue should be fixed in the upstream Anchore 3.0.1 Enterprise release, so this is a temporary workaround.
-
 ## Additional References
 
 [Anchore SSO Reference](https://anchore.com/blog/feature-series-anchore-enterprise-2-1-sso/) - This includes the process to set up Keycloak integration manually. Our Helm chart automates this process through API calls.