UNCLASSIFIED

Skip to content

GitLab

Commit eaa8e77d authored by bhearn's avatar bhearn
Browse files

saml-update

parent b91507ac
Hide whitespace changes
Inline Side-by-side
Showing with 41 additions and 68 deletions
CHANGELOG.md
View file @ eaa8e77d
...@@ -3,6 +3,11 @@ ...@@ -3,6 +3,11 @@
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
--- ---
## [1.12.16-bb.0]
### Changed
- Bumped upstream chart version to 1.12.16
- Fixed insecure SAML configuration issue
## [1.12.15-bb.1] ## [1.12.15-bb.1]
### Changed ### Changed
- Updated Redis dependency to 14.1.0-bb.0 - Updated Redis dependency to 14.1.0-bb.0
......
chart/Chart.lock
View file @ eaa8e77d
...@@ -10,6 +10,6 @@ dependencies: ...@@ -10,6 +10,6 @@ dependencies:
version: 14.1.0-bb.0 version: 14.1.0-bb.0
- name: bb-test-lib - name: bb-test-lib
repository: oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates repository: oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates
version: 0.4.0 version: 0.5.2
digest: sha256:95fc02eb4c73428f58530043f2ccea983eb2de36c3e2bed6566deaff6552285c digest: sha256:4b0f80a6ef5cabb741367909dc3f5c970844b55aeead2f7ce5fee46d515416b4
generated: "2021-06-11T14:51:29.578969-04:00" generated: "2021-06-12T15:47:28.997659-04:00"
chart/Chart.yaml
View file @ eaa8e77d
apiVersion: v2 apiVersion: v2
name: anchore-engine name: anchore-engine
version: 1.12.15-bb.1 version: 1.12.16-bb.0
appVersion: 0.9.4 appVersion: 0.9.4
description: Anchore container analysis and policy evaluation engine service description: Anchore container analysis and policy evaluation engine service
keywords: keywords:
...@@ -38,5 +38,5 @@ dependencies: ...@@ -38,5 +38,5 @@ dependencies:
condition: anchore-ui-redis.enabled,anchoreEnterpriseGlobal.enabled condition: anchore-ui-redis.enabled,anchoreEnterpriseGlobal.enabled
alias: anchore-ui-redis alias: anchore-ui-redis
- name: bb-test-lib - name: bb-test-lib
version: "0.4.0" version: "0.5.2"
repository: "oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates" repository: "oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates"
chart/Kptfile
View file @ eaa8e77d
...@@ -5,7 +5,7 @@ metadata: ...@@ -5,7 +5,7 @@ metadata:
upstream: upstream:
type: git type: git
git: git:
commit: f50573427adb8d582eaea20c968bb0391cb79c48 commit: e2f7ea00c4fa078b93608c95b31ce71a4038aa96
repo: https://github.com/anchore/anchore-charts repo: https://github.com/anchore/anchore-charts
directory: /stable/anchore-engine directory: /stable/anchore-engine
ref: anchore-engine-1.12.15 ref: anchore-engine-1.12.16
chart/templates/_helpers.tpl
View file @ eaa8e77d
...@@ -166,15 +166,4 @@ Create chart name and version as used by the chart label. ...@@ -166,15 +166,4 @@ Create chart name and version as used by the chart label.
*/}} */}}
{{- define "anchore.chart" -}} {{- define "anchore.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
\ No newline at end of file
{{/*
Generate certificates for Anchore
*/}}
{{- define "anchore.gen-certs" -}}
{{- $altNames := list ( printf "%s.%s" (include "anchore.name" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "anchore.name" .) .Release.Namespace ) -}}
{{- $ca := genCA "anchore-ca" 365 -}}
{{- $cert := genSignedCert ( include "anchore.name" . ) nil $altNames 365 $ca -}}
tls.crt: {{ $cert.Cert | b64enc }}
tls.key: {{ $cert.Key | b64enc }}
{{- end -}}
chart/templates/bigbang/anchore-cert.yaml deleted 100644 → 0
View file @ b91507ac
{{- if .Values.anchoreGlobal.oauthEnabled }}
{{- $component := "certs" -}}
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
name: anchore-certs
labels:
app: {{ template "anchore.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
component: {{ $component }}
{{- with .Values.anchoreGlobal.labels }}
{{ toYaml . | nindent 4 }}
{{- end }}
annotations:
"helm.sh/hook": "pre-install,pre-upgrade"
"helm.sh/hook-delete-policy": "before-hook-creation"
data:
{{ ( include "anchore.gen-certs" . ) | indent 2 }}
{{- end }}
\ No newline at end of file
chart/templates/bigbang/anchore-vs.yaml
View file @ eaa8e77d
...@@ -29,7 +29,7 @@ spec: ...@@ -29,7 +29,7 @@ spec:
route: route:
- destination: - destination:
port: port:
number: 80 number: {{ .Values.anchoreEnterpriseUi.service.port }}
host: {{ .Release.Name }}-anchore-engine-enterprise-ui host: {{ .Release.Name }}-anchore-engine-enterprise-ui
{{- end }} {{- end }}
--- ---
...@@ -63,7 +63,7 @@ spec: ...@@ -63,7 +63,7 @@ spec:
route: route:
- destination: - destination:
port: port:
number: 8228 number: {{ .Values.anchoreApi.service.port }}
host: {{ .Release.Name }}-anchore-engine-api host: {{ .Release.Name }}-anchore-engine-api
fault: fault:
abort: abort:
...@@ -76,6 +76,6 @@ spec: ...@@ -76,6 +76,6 @@ spec:
route: route:
- destination: - destination:
port: port:
number: 8228 number: {{ .Values.anchoreApi.service.port }}
host: {{ .Release.Name }}-anchore-engine-api host: {{ .Release.Name }}-anchore-engine-api
{{- end }} {{- end }}
chart/templates/bigbang/networkpolicies/allow-kube-dns.yaml
View file @ eaa8e77d
...@@ -16,4 +16,7 @@ spec: ...@@ -16,4 +16,7 @@ spec:
- namespaceSelector: {} # all namespaces - namespaceSelector: {} # all namespaces
ports: ports:
- port: 53 # dns port - port: 53 # dns port
protocol: UDP
- port: 443
protocol: TCP
{{- end }} {{- end }}
\ No newline at end of file
chart/templates/engine_configmap.yaml
View file @ eaa8e77d
...@@ -231,7 +231,13 @@ data: ...@@ -231,7 +231,13 @@ data:
ssl_key: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretKeyName }}" ssl_key: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretKeyName }}"
{{- end }} {{- end }}
runtime_inventory: runtime_inventory:
image_ttl_days: {{ .Values.anchoreCatalog.runtime_inventory.image_ttl_days }} image_ttl_days: {{ .Values.anchoreCatalog.runtimeInventory.imageTTLDays }}
kubernetes:
report_anchore_cluster:
enabled: {{ .Values.anchoreCatalog.runtimeInventory.reportAnchoreCluster.enabled }}
anchore_cluster_name: {{ .Values.anchoreCatalog.runtimeInventory.reportAnchoreCluster.clusterName }}
namespaces:
{{- toYaml .Values.anchoreCatalog.runtimeInventory.reportAnchoreCluster.namespaces | nindent 16 }}
simplequeue: simplequeue:
enabled: true enabled: true
require_auth: true require_auth: true
......
chart/values.yaml
View file @ eaa8e77d
...@@ -251,7 +251,7 @@ anchoreGlobal: ...@@ -251,7 +251,7 @@ anchoreGlobal:
saml: saml:
# Locations for keys used for signing and encryption. Only one of 'secret' or 'privateKeyName'/'publicKeyName' needs to be set. If all are set then the keys take precedence over the secret value # Locations for keys used for signing and encryption. Only one of 'secret' or 'privateKeyName'/'publicKeyName' needs to be set. If all are set then the keys take precedence over the secret value
# Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs. # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs.
secret: anchore-certs secret: Null
# If set to true, use the secret specified in anchoreGlobal.existingSecret to set the ANCHORE_SAML_SECRET env variable # If set to true, use the secret specified in anchoreGlobal.existingSecret to set the ANCHORE_SAML_SECRET env variable
useExistingSecret: false useExistingSecret: false
privateKeyName: Null privateKeyName: Null
...@@ -621,12 +621,21 @@ anchoreCatalog: ...@@ -621,12 +621,21 @@ anchoreCatalog:
tolerations: [] tolerations: []
affinity: {} affinity: {}
runtime_inventory: runtimeInventory:
# This setting tells Anchore how long an image can be missing from an inventory report before it is removed from # This setting tells Anchore how long an image can be missing from an inventory report before it is removed from
# The working set. Note: The image will still have a historical record in the reports service, subject to data history # The working set. Note: The image will still have a historical record in the reports service, subject to data history
# constraints as part of that service. # constraints as part of that service.
# Note: if a runtime inventory image's digest is also in anchore for regular image analysis, it won't be removed. # Note: if a runtime inventory image's digest is also in anchore for regular image analysis, it won't be removed.
image_ttl_days: 1 imageTTLDays: 1
# Since Anchore is running in Kubernetes, we can collect runtime inventory data out of the box
reportAnchoreCluster:
# If set to true, Anchore will use its own service-account to try and collect runtime inventory data for all namespaces
# Note: requires a value for clusterName to populate inventory image context
enabled: true
clusterName: anchore-k8s
namespaces:
- all
# Pod configuration for the anchore engine policy service. # Pod configuration for the anchore engine policy service.
anchorePolicyEngine: anchorePolicyEngine:
......
docs/BBCHANGES.md
View file @ eaa8e77d
...@@ -146,14 +146,6 @@ anchoreEnterpriseRbac: ...@@ -146,14 +146,6 @@ anchoreEnterpriseRbac:
## Other Modifications ## Other Modifications
To support the BigBang wrapper to simplify SSO setup the following global saml option needs to bet set:
```yaml
anchoreGlobal:
saml:
secret: anchore-certs
```
The following block needs to be added to the end of the _helpers.tpl file: The following block needs to be added to the end of the _helpers.tpl file:
```yaml ```yaml
...@@ -170,17 +162,6 @@ Create chart name and version as used by the chart label. ...@@ -170,17 +162,6 @@ Create chart name and version as used by the chart label.
{{- define "anchore.chart" -}} {{- define "anchore.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}} {{- end -}}
{{/*
Generate certificates for Anchore
*/}}
{{- define "anchore.gen-certs" -}}
{{- $altNames := list ( printf "%s.%s" (include "anchore.name" .) .Release.Namespace ) ( printf "%s.%s.svc" (include "anchore.name" .) .Release.Namespace ) -}}
{{- $ca := genCA "anchore-ca" 365 -}}
{{- $cert := genSignedCert ( include "anchore.name" . ) nil $altNames 365 $ca -}}
tls.crt: {{ $cert.Cert | b64enc }}
tls.key: {{ $cert.Key | b64enc }}
{{- end -}}
``` ```
In `chart/templates/engine_configmap.yaml`, modify the metrics lines as such: In `chart/templates/engine_configmap.yaml`, modify the metrics lines as such:
......
tests/test-values.yml
View file @ eaa8e77d
...@@ -23,7 +23,9 @@ bbtests: ...@@ -23,7 +23,9 @@ bbtests:
postgresql: postgresql:
enabled: true enabled: true
# anchoreGlobal: anchoreGlobal:
saml:
secret: ci-testing-only
anchoreAnalyzer: anchoreAnalyzer:
replicaCount: 1 replicaCount: 1
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

UNCLASSIFIED