Merge branch 'saml-update' into 'main'

saml-update See merge request !36

Merge branch 'saml-update' into 'main'
saml-update See merge request !36
e7840595 · bhearn · b91507ac · eaa8e77d · e7840595 · e7840595
Commit e7840595 authored Jun 14, 2021 by bhearn
16 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,11 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ---
+## [1.12.16-bb.0]
+### Changed
+- Bumped upstream chart version to 1.12.16
+- Fixed insecure SAML configuration issue
 ## [1.12.15-bb.1]
 ### Changed
 - Updated Redis dependency to 14.1.0-bb.0

--- a/chart/Chart.lock
+++ b/chart/Chart.lock
@@ -10,6 +10,6 @@ dependencies:
  version: 14.1.0-bb.0
 - name: bb-test-lib
  repository: oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates
-  version: 0.4.0
+  version: 0.5.2
-digest: sha256:95fc02eb4c73428f58530043f2ccea983eb2de36c3e2bed6566deaff6552285c
+digest: sha256:4b0f80a6ef5cabb741367909dc3f5c970844b55aeead2f7ce5fee46d515416b4
-generated: "2021-06-11T14:51:29.578969-04:00"
+generated: "2021-06-12T15:47:28.997659-04:00"
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: anchore-engine
-version: 1.12.15-bb.1
+version: 1.12.16-bb.0
 appVersion: 0.9.4
 description: Anchore container analysis and policy evaluation engine service
 keywords:
@@ -38,5 +38,5 @@ dependencies:
   condition: anchore-ui-redis.enabled,anchoreEnterpriseGlobal.enabled
   alias: anchore-ui-redis
 - name: bb-test-lib
-   version: "0.4.0"
+   version: "0.5.2"
   repository: "oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates"
--- a/chart/Kptfile
+++ b/chart/Kptfile
@@ -5,7 +5,7 @@ metadata:
 upstream:
  type: git
  git:
-    commit: f50573427adb8d582eaea20c968bb0391cb79c48
+    commit: e2f7ea00c4fa078b93608c95b31ce71a4038aa96
    repo: https://github.com/anchore/anchore-charts
    directory: /stable/anchore-engine
-    ref: anchore-engine-1.12.15
+    ref: anchore-engine-1.12.16
--- a/chart/charts/bb-test-lib-0.4.0.tgz
+++ b/chart/charts/bb-test-lib-0.4.0.tgz
--- a/chart/charts/bb-test-lib-0.5.2.tgz
+++ b/chart/charts/bb-test-lib-0.5.2.tgz
--- a/chart/charts/postgresql-1.0.1.tgz
+++ b/chart/charts/postgresql-1.0.1.tgz
--- a/chart/charts/redis-14.1.0-bb.0.tgz
+++ b/chart/charts/redis-14.1.0-bb.0.tgz
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -167,14 +167,3 @@ Create chart name and version as used by the chart label.
 {{- define "anchore.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
-{{/*
-Generate certificates for Anchore
-*/}}
-{{- define "anchore.gen-certs" -}}
-{{- $altNames := list ( printf "%s.%s" (include "anchore.name" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "anchore.name" .) .Release.Namespace ) -}}
-{{- $ca := genCA "anchore-ca" 365 -}}
-{{- $cert := genSignedCert ( include "anchore.name" . ) nil $altNames 365 $ca -}}
-tls.crt: {{ $cert.Cert | b64enc }}
-tls.key: {{ $cert.Key | b64enc }}
-{{- end -}}
--- a/chart/templates/bigbang/anchore-cert.yaml
+++ b/chart/templates/bigbang/anchore-cert.yaml
-{{- if .Values.anchoreGlobal.oauthEnabled }}
-{{- $component := "certs" -}}
-apiVersion: v1
-kind: Secret
-type: kubernetes.io/tls
-metadata:
-  name: anchore-certs
-  labels:
-    app: {{ template "anchore.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-    component: {{ $component }}
-    {{- with .Values.anchoreGlobal.labels }}
-    {{ toYaml . | nindent 4 }}
-    {{- end }}
-  annotations:
-    "helm.sh/hook": "pre-install,pre-upgrade"
-    "helm.sh/hook-delete-policy": "before-hook-creation"
-data:
-{{ ( include "anchore.gen-certs" . ) | indent 2 }}
-{{- end }}
\ No newline at end of file
--- a/chart/templates/bigbang/anchore-vs.yaml
+++ b/chart/templates/bigbang/anchore-vs.yaml
@@ -29,7 +29,7 @@ spec:
      route:
        - destination:
            port:
-              number: 80
+              number: {{ .Values.anchoreEnterpriseUi.service.port }}
            host: {{ .Release.Name }}-anchore-engine-enterprise-ui
 {{- end }}
 ---
@@ -63,7 +63,7 @@ spec:
      route:
        - destination:
            port:
-              number: 8228
+              number: {{ .Values.anchoreApi.service.port }} 
            host: {{ .Release.Name }}-anchore-engine-api
      fault:
        abort:
@@ -76,6 +76,6 @@ spec:
      route:
        - destination:
            port:
-              number: 8228
+              number: {{ .Values.anchoreApi.service.port }} 
            host: {{ .Release.Name }}-anchore-engine-api
 {{- end }}
--- a/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml
+++ b/chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml
@@ -16,4 +16,7 @@ spec:
    - namespaceSelector: {} # all namespaces
    ports:
    - port: 53 # dns port
+      protocol: UDP
+    - port: 443
+      protocol: TCP
 {{- end }}
\ No newline at end of file
--- a/chart/templates/engine_configmap.yaml
+++ b/chart/templates/engine_configmap.yaml
@@ -231,7 +231,13 @@ data:
        ssl_key: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretKeyName }}"
        {{- end }}
        runtime_inventory:
-          image_ttl_days: {{ .Values.anchoreCatalog.runtime_inventory.image_ttl_days }}
+          image_ttl_days: {{ .Values.anchoreCatalog.runtimeInventory.imageTTLDays }}
+          kubernetes:
+            report_anchore_cluster:
+              enabled: {{ .Values.anchoreCatalog.runtimeInventory.reportAnchoreCluster.enabled }}
+              anchore_cluster_name: {{ .Values.anchoreCatalog.runtimeInventory.reportAnchoreCluster.clusterName }}
+              namespaces:
+                {{- toYaml .Values.anchoreCatalog.runtimeInventory.reportAnchoreCluster.namespaces | nindent 16 }}
      simplequeue:
        enabled: true
        require_auth: true

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -251,7 +251,7 @@ anchoreGlobal:
  saml:
    # Locations for keys used for signing and encryption. Only one of 'secret' or 'privateKeyName'/'publicKeyName' needs to be set. If all are set then the keys take precedence over the secret value
    # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs.
-    secret: anchore-certs
+    secret: Null
    # If set to true, use the secret specified in anchoreGlobal.existingSecret to set the ANCHORE_SAML_SECRET env variable
    useExistingSecret: false
    privateKeyName: Null
@@ -621,12 +621,21 @@ anchoreCatalog:
  tolerations: []
  affinity: {}
-  runtime_inventory:
+  runtimeInventory:
    # This setting tells Anchore how long an image can be missing from an inventory report before it is removed from
    # The working set. Note: The image will still have a historical record in the reports service, subject to data history
    # constraints as part of that service.
    # Note: if a runtime inventory image's digest is also in anchore for regular image analysis, it won't be removed.
-    image_ttl_days: 1
+    imageTTLDays: 1
+    # Since Anchore is running in Kubernetes, we can collect runtime inventory data out of the box
+    reportAnchoreCluster:
+      # If set to true, Anchore will use its own service-account to try and collect runtime inventory data for all namespaces
+      # Note: requires a value for clusterName to populate inventory image context
+      enabled: true
+      clusterName: anchore-k8s
+      namespaces:
+        - all
 # Pod configuration for the anchore engine policy service.
 anchorePolicyEngine:

--- a/docs/BBCHANGES.md
+++ b/docs/BBCHANGES.md
@@ -146,14 +146,6 @@ anchoreEnterpriseRbac:
 ## Other Modifications
-To support the BigBang wrapper to simplify SSO setup the following global saml option needs to bet set:
-```yaml
-anchoreGlobal:
-  saml:
-    secret: anchore-certs
-```
 The following block needs to be added to the end of the _helpers.tpl file:
 ```yaml
@@ -170,17 +162,6 @@ Create chart name and version as used by the chart label.
 {{- define "anchore.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
-{{/*
-Generate certificates for Anchore
-*/}}
-{{- define "anchore.gen-certs" -}}
-{{- $altNames := list ( printf "%s.%s" (include "anchore.name" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "anchore.name" .) .Release.Namespace ) -}}
-{{- $ca := genCA "anchore-ca" 365 -}}
-{{- $cert := genSignedCert ( include "anchore.name" . ) nil $altNames 365 $ca -}}
-tls.crt: {{ $cert.Cert | b64enc }}
-tls.key: {{ $cert.Key | b64enc }}
-{{- end -}}
 ```
 In `chart/templates/engine_configmap.yaml`, modify the metrics lines as such:

--- a/tests/test-values.yml
+++ b/tests/test-values.yml
@@ -23,7 +23,9 @@ bbtests:
 postgresql:
  enabled: true
-# anchoreGlobal:
+anchoreGlobal:
+  saml:
+    secret: ci-testing-only
 anchoreAnalyzer:
  replicaCount: 1