update "chart" (https://github.com/anchore/anchore-charts) from...

update "chart" (https://github.com/anchore/anchore-charts) from "anchore-engine-1.12.13" (f9a34a42d694e657b5f3d493f590fc3f7a8b933e) to "anchore-engine-1.12.15" (f50573427adb8d582eaea20c968bb0391cb79c48)

CHANGELOG.md

@@ -3,7 +3,16 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
-## [1.12.7-bb.4]
+## [1.12.15-bb.0]
+### Changed
+- Updated docs for BB documentation standards
+- Added optional network policies
+- Bumped upstream chart version to 1.12.15
+- Bumped Anchore Engine image version to 0.9.4 from Registry1
+- Bumped Anchore Enterprise image version to 3.0.3 from Registry1
+- Bumped Anchore Enterprise UI image version to 3.0.3 from Registry1
+
+## [1.12.13-bb.0]
 ### Changed
 - Added Helm bash testing for API using approved Iron Bank image
 - Bumped upstream chart version to 1.12.13

chart/Chart.yaml

 apiVersion: v2
 name: anchore-engine
-version: 1.12.13-bb.0
-appVersion: 0.9.3
+version: 1.12.15-bb.0
+appVersion: 0.9.4
 description: Anchore container analysis and policy evaluation engine service
 keywords:
  - analysis

chart/Kptfile

@@ -5,7 +5,7 @@ metadata:
 upstream:
   type: git
   git:
-    commit: f9a34a42d694e657b5f3d493f590fc3f7a8b933e
+    commit: f50573427adb8d582eaea20c968bb0391cb79c48
     repo: https://github.com/anchore/anchore-charts
     directory: /stable/anchore-engine
-    ref: anchore-engine-1.12.13
+    ref: anchore-engine-1.12.15

chart/templates/bigbang/networkpolicies/allow-egress-except-aws.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-except-aws
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
\ No newline at end of file

chart/templates/bigbang/networkpolicies/allow-in-ns.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-in-ns
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - podSelector: {}
+  egress:
+    - to:
+        - podSelector: {}
+{{- end }}
\ No newline at end of file

chart/templates/bigbang/networkpolicies/allow-istio.yaml

+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-istio
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: istio-controlplane
+      podSelector:
+        matchLabels:
+          {{- toYaml .Values.networkPolicies.ingressLabels | nindent 10}}
+    ports:
+    - port: {{ .Values.anchoreApi.service.port }} # anchore engine api (default: 8228)
+      protocol: TCP
+    - port: {{ .Values.anchoreCatalog.service.port }} # anchore catalog api (default: 8082)
+      protocol: TCP
+    - port: {{ .Values.anchorePolicyEngine.service.port }} # anchore policy engine api (default: 8087)
+      protocol: TCP
+    - port: {{ .Values.anchoreSimpleQueue.service.port }} # anchore simplequeue api (default: 8083)
+      protocol: TCP
+    {{- if not (hasKey .Values.postgresql "enabled") }}
+    - port: 5432 # in-cluster postgresql anchore db
+      protocol: TCP
+    {{- end }}
+    {{- if hasKey .Values.postgresql "enabled" }}
+    {{- if (not .Values.postgresql.enabled) }}
+    - port: "{{$v := .Values.postgresql.externalEndpoint | split ":"}}{{$v._1}}" # in-cluster postgresql anchore db (default: 5432)
+      protocol: TCP
+    {{- end }}
+    {{- end }}
+    {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+    - port: {{ .Values.anchoreEnterpriseFeeds.service.port }} # anchore enterprise feeds api (default: 8448)
+      protocol: TCP
+    - port: {{ .Values.anchoreEnterpriseRbac.service.apiPort }} # anchore enterprise rbac manager api (default: 8229)
+      protocol: TCP
+    - port: {{ .Values.anchoreEnterpriseReports.service.port }} # anchore enterprise reports api (default: 8558)
+      protocol: TCP
+    - port: {{ .Values.anchoreEnterpriseNotifications.service.port }} # anchore enterprise notifications api (default: 8668)
+      protocol: TCP
+    - port: 3000 # anchore enterprise UI (default: 3000; note: Big Bang has configured Istio to use port 80)
+      protocol: TCP
+    {{- if not (hasKey (index .Values "anchore-ui-redis") "enabled") }}
+    - port: 6379 # in-cluster redis anchore enterprise UI dependency
+      protocol: TCP
+    {{- end }}
+    {{- if hasKey (index .Values "anchore-ui-redis") "enabled" }}
+    {{- if (not (index .Values "anchore-ui-redis" "enabled")) }}
+    - port: "{{$v := (index .Values "anchore-ui-redis" "externalEndpoint") | split ":"}}{{$v._3}}" # in-cluster redis anchore enterprise UI dependency (default: 6379)
+      protocol: TCP
+    {{- end }}
+    {{- end }}
+    {{- if not (and (hasKey (index .Values "anchore-feeds-db") "enabled")) }}
+    - port: 5432 # in-cluster postgresql anchore enterprise feeds db
+    {{- end }}
+    {{- if and (hasKey (index .Values "anchore-feeds-db") "enabled") }}
+    {{- if (not (index .Values "anchore-feeds-db" "enabled")) }}
+    - port: "{{$v := (index .Values "anchore-feeds-db" "externalEndpoint") | split ":"}}{{$v._1}}" # in-cluster postgresql anchore enterprise feeds db (default: 5432)
+      protocol: TCP
+    {{- end }}
+    {{- end }}
+    {{- end }}
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: istio-controlplane
+      podSelector:
+        matchLabels:
+          istio: pilot
+{{- end }}
\ No newline at end of file

chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml

+# Allow DNS.  Due to inconsistencies in how distros label dns pods,
+# we just allow all port 53.  We could provide better if we enforce/
+# standardize the kube-system labels or the coredns/kubedns labels
+{{- if .Values.networkPolicies.enabled }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-kube-dns
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {} # all pods
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector: {} # all namespaces
+    ports:
+    - port: 53 # dns port
+{{- end }}
\ No newline at end of file

chart/templates/bigbang/networkpolicies/allow-monitoring.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-monitoring
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          app.kubernetes.io/name: monitoring
+      podSelector:
+        matchLabels:
+          app: prometheus
+    ports:
+    - port: {{ .Values.anchoreApi.service.port }} # anchore engine api (default: 8228)
+      protocol: TCP
+    - port: {{ .Values.anchoreCatalog.service.port }} # anchore catalog api (default: 8082)
+      protocol: TCP
+    - port: {{ .Values.anchorePolicyEngine.service.port }} # anchore policy engine api (default: 8087)
+      protocol: TCP
+    - port: {{ .Values.anchoreSimpleQueue.service.port }} # anchore simplequeue api (default: 8083)
+      protocol: TCP
+    {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+    - port: {{ .Values.anchoreEnterpriseFeeds.service.port }} # anchore enterprise feeds api (default: 8448)
+      protocol: TCP
+    - port: {{ .Values.anchoreEnterpriseRbac.service.apiPort }} # anchore enterprise rbac manager api (default: 8229)
+      protocol: TCP
+  {{- end }}
+{{- end }}
\ No newline at end of file

chart/templates/bigbang/networkpolicies/default-deny.yaml

+{{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+{{- end }}
\ No newline at end of file

chart/templates/enterprise_ui_deployment.yaml

@@ -80,7 +80,7 @@ spec:
         env:
         {{- if and (index .Values "anchoreEnterpriseUi" "existingSecret") (not (index .Values "anchore-ui-redis" "externalEndpoint")) }}
         - name: ANCHORE_REDIS_URI
-          value: redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379
+          value: redis://nouser:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379
         {{- end }}
         {{ if .Values.anchoreGlobal.dbConfig.ssl }}
         - name: PGSSLROOTCERT

chart/values.yaml

@@ -26,6 +26,12 @@ istio:
     hosts:
       - "anchore-api.{{ .Values.hostname }}"
 
+networkPolicies:
+  enabled: false
+  ingressLabels:
+    app: istio-ingressgateway
+    istio: ingressgateway
+
 # Enable Prometheus Monitoring
 monitoring:
   enabled: false
@@ -160,7 +166,7 @@ ingress:
 # Global configuration shared by all anchore-engine services.
 anchoreGlobal:
   # Image used for all anchore engine deployments (excluding enterprise components).
-  image: registry1.dso.mil/ironbank/anchore/engine/engine:0.9.3
+  image: registry1.dso.mil/ironbank/anchore/engine/engine:0.9.4
   imagePullPolicy: IfNotPresent
 
   # Set image pull secret name if using an anchore-engine image from a private registry
@@ -704,7 +710,7 @@ anchoreEnterpriseGlobal:
   # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=<PATH TO LICENSE.YAML>
   licenseSecretName: anchore-enterprise-license
 
-  image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.2
+  image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.3
   imagePullPolicy: IfNotPresent
   # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images.
   # Create this secret with the following command - kubectl create secret docker-registry anchore-dockerhub-creds --docker-server=docker.io --docker-username=<USERNAME> --docker-password=<PASSWORD> --docker-email=<EMAIL_ADDRESS>
@@ -953,7 +959,7 @@ anchoreEnterpriseNotifications:
 anchoreEnterpriseUi:
   # If enabled is set to false, set anchore-ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance.
   enabled: true
-  image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.2
+  image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.3
   imagePullPolicy: IfNotPresent
   imagePullSecretName: private-registry
 

docs/BBCHANGES.md

@@ -8,7 +8,7 @@ This provides a log of these changes to make updates from upstream faster.
 
 ## Big Bang Modifications
 
-Added at the top of the values file are changes to support Istio, automated license creation, monitoring, and SSO.
+Added at the top of the values file are changes to support Istio, optional network policies, automated license creation, monitoring, and SSO.
 
 ```yaml
 # Big Bang Values
@@ -37,6 +37,12 @@ istio:
     hosts:
       - "anchore-api.{{ .Values.hostname }}"
 
+networkPolicies:
+  enabled: false
+  ingressLabels:
+    app: istio-ingressgateway
+    istio: ingressgateway
+    
 # Enable Prometheus Monitoring
 monitoring:
   enabled: false

tests/images.txt

-registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.2
-registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.1
+registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.3
+registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.3

tests/test-values.yml

 istio:
   enabled: true
 
+networkPolicies:
+  enabled: true
+#   ingressLabels:
+#     app: istio-ingressgateway
+#     istio: ingressgateway
+
 bbtests:
   scripts:
     image: registry1.dso.mil/ironbank/anchore/cli/cli:0.9.1