From 37f0f0a52d948b015e140c05d9ee008ce2471905 Mon Sep 17 00:00:00 2001 From: bhearn Date: Fri, 2 Apr 2021 20:40:10 +0000 Subject: [PATCH] add configurable gws --- CHANGELOG.md | 2 ++ chart/README.md | 15 +++-------- chart/templates/bigbang/anchore-vs.yaml | 36 ++++++++++++++++++++----- chart/values.yaml | 19 +++++++++++++ docs/BBCHANGES.md | 19 +++++++++++++ docs/CHART.md | 31 +++++++++++++++++++++ docs/KEYCLOAK.md | 2 ++ 7 files changed, 107 insertions(+), 17 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2ed0a0a..c5b044b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), ## [1.12.7-bb.2] ### Changed - Added secrets and jobs for automated external Postgres database creation and user/password synchronization +- Updated virtual services and values.yaml to allow for customizable gateways and hosts +- Updated docs around dependencies ## [1.12.7-bb.1] ### Fixed diff --git a/chart/README.md b/chart/README.md index 3c0e414..7c54421 100644 --- a/chart/README.md +++ b/chart/README.md 
@@ -242,21 +242,14 @@ See the anchore-engine [CHANGELOG](https://github.com/anchore/anchore-engine/blo A Helm post-upgrade hook job will shut down all previously running Anchore services and perform the Anchore DB upgrade process using a kubernetes job. The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful helm upgrade. -## Chart version 1.12.7 - -* Anchore Engine image updated to v0.9.3 -* Anchore Enterprise image updated to v3.0.2 (Anchore Enterprise UI image remains at v3.0.1) -* An [issue](https://github.com/anchore/anchore-engine/issues/950) was found that effects users of Anchore Engine 0.9.0 - 0.9.2 scanning certain Java images. A new version of anchore-engine 0.9.3 fixes the issue. Anchore Enterprise customers using Anchore Enterprise 3.0.0 or 3.0.1 should upgrade to 3.0.2. - -## Chart version 1.12.4 +## Chart version 1.12.0 --- -* Anchore Engine image updated to v0.9.2 -* Anchore Enterprise images updated to v3.0.1 +* Anchore Engine image updated to v0.9.1 +* Anchore Enterprise images updated to v3.0.0 * Existing secrets now work for Enterprise Feeds and Enterprise UI - see [existing secrets configuration](#-Utilize-an-Existing-Secret) * Anchore admin default password no longer defaults to `foobar`, if no password is specified a random string will be generated. -* Bitnami redis helm chart replaced by Big Bang redis ## Chart version 1.10.0 @@ -766,4 +759,4 @@ To update the number in a running configuration: ```bash helm upgrade --set anchoreAnalyzer.replicaCount=2 anchore/anchore-engine -f anchore_values.yaml -``` +``` \ No newline at end of file 
diff --git a/chart/templates/bigbang/anchore-vs.yaml b/chart/templates/bigbang/anchore-vs.yaml index 3a13e46..bd03271 100644 --- a/chart/templates/bigbang/anchore-vs.yaml +++ b/chart/templates/bigbang/anchore-vs.yaml @@ -1,15 +1,27 @@ --- -{{- if and .Values.istio.enabled .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseUi.enabled }} +{{- if and .Values.istio.enabled .Values.istio.ui.enabled .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseUi.enabled }} apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: anchore-enterprise-ui-service namespace: {{ .Release.Namespace }} + {{- if .Values.istio.ui.labels }} + labels: +{{ toYaml .Values.istio.ui.labels | indent 4 }} + {{- end }} + {{- if .Values.istio.ui.annotations }} + annotations: +{{ toYaml .Values.istio.ui.annotations | indent 4 }} + {{- end }} spec: gateways: - - istio-system/main + {{- range .Values.istio.ui.gateways }} + - {{ . }} + {{- end }} hosts: - - "anchore.{{ .Values.hostname }}" + {{- range .Values.istio.ui.hosts }} + - {{ tpl . $ }} + {{- end }} http: - match: - uri: @@ -21,17 +33,29 @@ spec: host: {{ .Release.Name }}-anchore-engine-enterprise-ui {{- end }} --- -{{- if .Values.istio.enabled }} +{{- if and .Values.istio.enabled .Values.istio.api.enabled }} apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: anchore-engine-api-service namespace: {{ .Release.Namespace }} + {{- if .Values.istio.api.labels }} + labels: +{{ toYaml .Values.istio.api.labels | indent 4 }} + {{- end }} + {{- if .Values.istio.api.annotations }} + annotations: +{{ toYaml .Values.istio.api.annotations | indent 4 }} + {{- end }} spec: gateways: - - istio-system/main + {{- range .Values.istio.api.gateways }} + - {{ . }} + {{- end }} hosts: - - "anchore-api.{{ .Values.hostname }}" + {{- range .Values.istio.api.hosts }} + - {{ tpl . $ }} + {{- end }} http: - match: - uri: diff --git a/chart/values.yaml b/chart/values.yaml index c247431..398851e 100644 
--- a/chart/values.yaml +++ b/chart/values.yaml @@ -5,7 +5,26 @@ hostname: bigbang.dev istio: + # Toggle istio integration enabled: false + ui: + # Toggle vs creation + enabled: true + annotations: {} + labels: {} + gateways: + - istio-system/main + hosts: + - "anchore.{{ .Values.hostname }}" + api: + # Toggle vs creation + enabled: true + annotations: {} + labels: {} + gateways: + - istio-system/main + hosts: + - "anchore-api.{{ .Values.hostname }}" # Enable Prometheus Monitoring monitoring: diff --git a/docs/BBCHANGES.md b/docs/BBCHANGES.md index 2dca5c8..71e342b 100644 --- a/docs/BBCHANGES.md +++ b/docs/BBCHANGES.md @@ -16,7 +16,26 @@ Added at the top of the values file are changes to support Istio, automated lice hostname: bigbang.dev istio: + # Toggle istio integration enabled: false + ui: + # Toggle vs creation + enabled: true + annotations: {} + labels: {} + gateways: + - istio-system/main + hosts: + - "anchore.{{ .Values.hostname }}" + api: + # Toggle vs creation + enabled: true + annotations: {} + labels: {} + gateways: + - istio-system/main + hosts: + - "anchore-api.{{ .Values.hostname }}" # Enable Prometheus Monitoring monitoring: diff --git a/docs/CHART.md b/docs/CHART.md index 418cd1e..798e2dc 100644 --- a/docs/CHART.md +++ b/docs/CHART.md 
@@ -176,6 +176,37 @@ stringData: password: "password" ``` +### Configuring Istio + +Istio can be configured to utilize your desired gateway(s) and host(s). To configure istio, pass the following options to the Anchore values: +```yaml +stringData: + values.yaml: |- + addons: + anchore: + values: + istio: + enabled: true + ui: + # Toggle vs creation + enabled: true + annotations: {} + labels: {} + gateways: + - istio-system/ + hosts: + - ".{{ .Values.hostname }}" + api: + # Toggle vs creation + enabled: true + annotations: {} + labels: {} + gateways: + - istio-system/ + hosts: + - ".{{ .Values.hostname }}" +``` + ### Enable SSO Big Bang has provided an automated way to configure SSO with Keycloak via the Helm chart. To enable and configure SSO follow the instructions in the main KEYCLOAK document. diff --git a/docs/KEYCLOAK.md b/docs/KEYCLOAK.md index d025f9b..5b1b386 100644 --- a/docs/KEYCLOAK.md +++ b/docs/KEYCLOAK.md @@ -2,6 +2,8 @@ This document summarizes helm values and manual steps that are required to integrate with Keycloak. +**NOTE:** SSO requires an Anchore Enterprise license. To be onboarded and provided with a trial or production license, please send an email to publicsector@anchore.com including program name and contact details. + ## Configuration Steps These are the items you need to do to configure Keycloak and Anchore for SSO in your Big Bang installation. -- GitLab
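Review bot: In chart/README.md (hunk at -242,21) the release notes move backwards: the "Chart version 1.12.7" section is deleted and "Chart version 1.12.4" becomes "1.12.0" with Engine v0.9.1 and Enterprise v3.0.0, while CHANGELOG.md in this same patch sits at 1.12.7-bb.2. The hunk also drops the note telling users of Anchore Engine 0.9.0 - 0.9.2 to move to 0.9.3 and the line "Bitnami redis helm chart replaced by Big Bang redis". None of this relates to configurable gateways, so it reads like an accidental revert; please drop the hunk or justify it in the commit message.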
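Review bot: In chart/templates/bigbang/anchore-vs.yaml (anchore-enterprise-ui-service hunk) the hosts loop renders `- {{ tpl . $ }}` unquoted, where the line it replaces was the quoted string "anchore.{{ .Values.hostname }}". A wildcard host such as `*.bigbang.dev` would start with `*`, which YAML reads as an alias, and the rendered manifest would fail to parse. Suggest `- {{ tpl . $ | quote }}` for hosts and `- {{ . | quote }}` for gateways, in both VirtualServices.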
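Review bot: In the anchore-engine-api-service hunk of anchore-vs.yaml (and likewise the UI one) nothing guards against `istio.api.gateways` or `istio.api.hosts` being overridden with an empty list: the `range` emits no items and leaves `gateways:` and `hosts:` as null keys. These lists now decide which gateway and hostname expose the Anchore API and UI, so the render should fail fast, for example `{{- if not .Values.istio.api.hosts }}{{ fail "istio.api.hosts must not be empty" }}{{- end }}`, rather than hand the cluster a VirtualService with no hosts.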
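Review bot: In chart/values.yaml the new `ui` and `api` blocks document only `enabled` ("Toggle vs creation") and leave `gateways` and `hosts` unexplained. Please add a comment that `gateways` entries use the `namespace/name` form, as in `istio-system/main`, and that `hosts` entries are passed through `tpl` by the template, so users know `{{ .Values.hostname }}` is expanded there. Spelling out "VirtualService" instead of "vs" would also help.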
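Review bot: In the new "Configuring Istio" example in docs/CHART.md the gateway and host entries are incomplete: `- istio-system/` has no gateway name and `- ".{{ .Values.hostname }}"` has no host prefix, under both `ui` and `api`. Copied as written, this gives a gateway reference with an empty name and a host with a leading dot. Use the chart defaults (`istio-system/main`, `anchore.{{ .Values.hostname }}`, `anchore-api.{{ .Values.hostname }}`) or clearly marked placeholders.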