feat: cleaner monitoring

CHANGELOG.md

@@ -4,6 +4,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ---
 
+## [1.11.0-bb.2]
+## Changed
+- Modified chart to handle monitoring more cleanly
+
 ## [1.11.0-bb.1]
 ### Added
 - Prometheus monitoring capability (ServiceMonitor, RoleBinding, Role)

chart/Chart.yaml

 apiVersion: v2
 name: anchore-engine
-version: 1.11.0-bb.1
+version: 1.11.0-bb.2
 appVersion: 0.9.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:

chart/templates/bigbang/anchore-vs.yaml

@@ -33,6 +33,19 @@ spec:
   hosts:
     - "anchore-api.{{ .Values.hostname }}"
   http:
+    - match:
+        - uri:
+            prefix: /metrics
+      route:
+        - destination:
+            port:
+              number: 8228
+            host: {{ .Release.Name }}-anchore-engine-api
+      fault:
+        abort:
+          percentage:
+            value: 100
+          httpStatus: 403
     - match:
         - uri:
             prefix: /

chart/templates/engine_configmap.yaml

@@ -30,8 +30,8 @@ data:
     global_client_read_timeout: {{ default 0 .Values.anchoreGlobal.clientReadTimeout }}
 
     metrics:
-      enabled: {{ .Values.anchoreGlobal.enableMetrics }}
-      auth_disabled: {{ .Values.anchoreGlobal.metricsAuthDisabled }}
+      enabled: {{ .Values.monitoring.enabled }}
+      auth_disabled: {{ .Values.monitoring.enabled }}
     {{ if .Values.anchoreGlobal.webhooksEnabled }}
     webhooks:
       {{- toYaml .Values.anchoreGlobal.webhooks | nindent 6 }}

chart/templates/enterprise_configmap.yaml

@@ -35,8 +35,8 @@ data:
     global_client_read_timeout: {{ default 0 .Values.anchoreGlobal.clientReadTimeout }}
 
     metrics:
-      enabled: {{ .Values.anchoreGlobal.enableMetrics }}
-      auth_disabled: {{ .Values.anchoreGlobal.metricsAuthDisabled }}
+      enabled: {{ .Values.monitoring.enabled }}
+      auth_disabled: {{ .Values.monitoring.enabled }}
 
     # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value
     # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs.

chart/templates/enterprise_feeds_configmap.yaml

@@ -28,7 +28,7 @@ data:
     auto_restart_services: false
     license_file: /home/anchore/license.yaml
     metrics:
-      enabled: {{ .Values.anchoreGlobal.enableMetrics }}
+      enabled: {{ .Values.monitoring.enabled }}
 
     # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value
     # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs.

chart/values.yaml

@@ -5,9 +5,9 @@
 hostname: bigbang.dev
 
 istio:
-  enabled: false 
+  enabled: false
 
-# Enable Prometheus Monitoring - requires anchoreGlobal.enableMetrics & anchoreGlobal.metricsAuthDisabled
+# Enable Prometheus Monitoring
 monitoring:
   enabled: false
   namespace: monitoring

docs/BBCHANGES.md

@@ -8,7 +8,7 @@ This provides a log of these changes to make updates from upstream faster.
 
 ## Big Bang Modifications
 
-Added at the top of the values file are changes to support Istio, automated license creation, and SSO.
+Added at the top of the values file are changes to support Istio, automated license creation, monitoring, and SSO.
 
 ```yaml
 # Big Bang Values
@@ -18,9 +18,18 @@ hostname: bigbang.dev
 istio:
   enabled: false
 
-enterpriseLicenseYaml: |
-  FULL LICENSE YAML (must be indented)
+# Enable Prometheus Monitoring
+monitoring:
+  enabled: false
+  namespace: monitoring
+
+# Enterprise license: Specify your multiline license
+# enterpriseLicenseYaml: |
+#   License YAML
+enterpriseLicenseYaml: "" # Full multiline license yaml
 
+# Enable/disable Keycloak SSO integration
+# If enabled, also enable OAuth - anchoreGlobal.oauthEnabled
 sso:
   enabled: false
   name: "keycloak"
@@ -28,7 +37,8 @@ sso:
   spEntityId: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-anchore"
   acsUrl: "https://anchore.bigbang.dev/service/sso/auth/keycloak"
   defaultAccount: "user"
-  defaultRole: "read-write"
+  defaultRole: "read-write" # If roleAttribute is passed, defaultRole will be ignored
+  roleAttribute: "" # Optional, defines the Keycloak attribute to use to map roles/permissions
   requireSignedAssertions: false
   requireSignedResponse: true
   idpMetadataUrl: "https://login.dso.mil/auth/realms/baby-yoda/protocol/saml/descriptor"
@@ -124,6 +134,7 @@ anchoreEnterpriseRbac:
     value: "true"
 ```
 
+## Other Modifications
 
 To support the BigBang wrapper to simplify SSO setup the following global saml option needs to bet set:
 ```yaml
@@ -132,7 +143,6 @@ anchoreGlobal:
     secret: anchore-certs
 ```
 
-
 The following block needs to be added to the end of the _helpers.tpl file:
 ```yaml
 {{/*
@@ -160,3 +170,23 @@ tls.crt: {{ $cert.Cert | b64enc }}
 tls.key: {{ $cert.Key | b64enc }}
 {{- end -}}
 ```
+
+In `chart/templates/engine_configmap.yaml`, modify the metrics lines as such:
+```yaml
+    metrics:
+      enabled: {{ .Values.monitoring.enabled }}
+      auth_disabled: {{ .Values.monitoring.enabled }}
+```
+
+Do the same in `chart/templates/enterprise_configmap.yaml`:
+```yaml
+    metrics:
+      enabled: {{ .Values.monitoring.enabled }}
+      auth_disabled: {{ .Values.monitoring.enabled }}
+```
+
+In `chart/templates/enterprise_feeds_configmap.yaml` also modify the metrics lines:
+```yaml
+    metrics:
+      enabled: {{ .Values.monitoring.enabled }}
+```

tests/test-values.yml

@@ -7,7 +7,7 @@ hostname: bigbang.dev
 istio:
   enabled: true
 
-# Enable Prometheus Monitoring - requires anchoreGlobal.enableMetrics & anchoreGlobal.metricsAuthDisabled
+# Enable Prometheus Monitoring
 monitoring:
   enabled: false
   namespace: monitoring