bump version

CHANGELOG.md

@@ -4,6 +4,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ---
 
+## [1.13.0-bb.0]
+### Changed
+- Bumped appVersion and Anchore Engine image tag to 0.10.0
+- Bumped Anchore Enterprise & Anchore Enterprise UI image tags to 3.1.0
+### Fixed
+- conditional in network policy for enterprise-ui component
+- intermittent issue with upgrade jobs for in-cluster anchore dbs
+
 ## [1.12.16-bb.2]
 ### Changed
 - Separated network policies for required egress

chart/Chart.yaml

 apiVersion: v2
 name: anchore-engine
-version: 1.12.16-bb.2
-appVersion: 0.9.4
+version: 1.13.0-bb.0
+appVersion: 0.10.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
  - analysis

chart/Kptfile

@@ -5,7 +5,7 @@ metadata:
 upstream:
   type: git
   git:
-    commit: e2f7ea00c4fa078b93608c95b31ce71a4038aa96
+    commit: 1ab19c4642747cab4a6d300021325674ac0cb3d5
     repo: https://github.com/anchore/anchore-charts
     directory: /stable/anchore-engine
-    ref: anchore-engine-1.12.16
+    ref: anchore-engine-1.13.0

chart/README.md

@@ -73,6 +73,7 @@ anchoreGlobal:
     * Anchore reporting API
     * Notifications - Slack, GitHub, Jira, etc
     * Microsoft image vulnerability scanning
+    * Kubernetes runtime image inventory/scanning
 ```
 
 ### Enabling Enterprise Services
@@ -242,6 +243,14 @@ See the anchore-engine [CHANGELOG](https://github.com/anchore/anchore-engine/blo
 
 A Helm post-upgrade hook job will shut down all previously running Anchore services and perform the Anchore DB upgrade process using a kubernetes job. The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful helm upgrade.
 
+## Chart version 1.13.0
+
+---
+
+* Anchore Engine image updated to v0.10.0 - [Release Notes](https://engine.anchore.io/docs/releasenotes/0100/)
+* Anchore Enterprise image updated to v3.1.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/310/)
+* If utilizing the Enterprise Runtime Inventory feature, the catalog service can now be configured to automatically setup RBAC for image discovery within the cluster. This is configured under `.Values.anchoreCatalog.runtimeInventory`
+
 ## Chart version 1.12.0
 
 ---

chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml

@@ -132,10 +132,10 @@ spec:
         except:
         - 169.254.169.254/32
 {{- end }}
-{{- if and (hasKey (index .Values "anchore-ui-redis") "enabled") }}
-{{- if and (not (index .Values "anchore-ui-redis" "enabled")) .Values.anchoreEnterpriseGlobal.enabled }}
+{{- if or (hasKey (index .Values "anchore-ui-redis") "enabled") (hasKey .Values.postgresql "enabled") }}
+{{- if and (or (not (index .Values "anchore-ui-redis" "enabled")) (not .Values.postgresql.enabled)) .Values.anchoreEnterpriseGlobal.enabled }}
 ---
-# if external redis is enabled, the ui pod will require egress as it depends on redis
+# if external redis is enabled OR external postgres is enabled, the ui pod will require egress as it depends on redis and interacts with the db to perform specific functions such as SAML
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:

chart/templates/catalog_deployment.yaml

@@ -219,8 +219,10 @@ spec:
       tolerations:
         {{ toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.anchoreGlobal.serviceAccountName }}
-      serviceAccountName: {{ . }}
+      {{- if .Values.anchoreGlobal.serviceAccountName }}
+      serviceAccountName: {{ .Values.anchoreGlobal.serviceAccountName }}
+      {{- else if .Values.anchoreCatalog.createServiceAccount }}
+      serviceAccountName: {{ template "anchore-engine.catalog.fullname" . }}
       {{- end }}
 
 ---
@@ -254,3 +256,68 @@ spec:
   selector:
     app: {{ template "anchore-engine.fullname" . }}
     component: {{ $component }}
+
+{{- if and .Values.anchoreCatalog.createServiceAccount .Values.anchoreCatalog.runtimeInventory.reportAnchoreCluster.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "anchore-engine.catalog.fullname" . }}
+  labels:
+    {{- with .Values.anchoreCatalog.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.anchoreGlobal.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.anchoreCatalog.annotations }}
+  annotations:
+    {{ toYaml . | nindent 4 }}
+  {{- end }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "anchore-engine.catalog.fullname" . }}
+  labels:
+    {{- with .Values.anchoreCatalog.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.anchoreGlobal.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.anchoreCatalog.annotations }}
+  annotations:
+    {{ toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+- apiGroups: [""]
+  resources: ["pods","namespaces"]
+  verbs: ["get", "watch", "list"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "anchore-engine.catalog.fullname" . }}
+  labels:
+    {{- with .Values.anchoreCatalog.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.anchoreGlobal.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.anchoreCatalog.annotations }}
+  annotations:
+    {{ toYaml . | nindent 4 }}
+  {{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "anchore-engine.catalog.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ template "anchore-engine.catalog.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
\ No newline at end of file

chart/templates/engine_configmap.yaml

+{{ $anchoreFeedsURL := "https://ancho.re/v1/service/feeds" }}
+{{- if .Values.anchoreEnterpriseFeeds.url }}
+{{- $anchoreFeedsURL = .Values.anchoreEnterpriseFeeds.url }}
+{{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }}
+{{- if .Values.anchoreGlobal.internalServicesSsl.enabled }}
+{{- $anchoreFeedsURL = (printf "https://%s:%s/v1/feeds"  (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) }}
+{{- else }}
+{{- $anchoreFeedsURL = (printf "http://%s:%s/v1/feeds" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) }}
+{{- end }}
+{{- end }}
+
 kind: ConfigMap
 apiVersion: v1
 metadata:
@@ -28,7 +39,7 @@ data:
 
     global_client_connect_timeout: {{ default 0 .Values.anchoreGlobal.clientConnectTimeout }}
     global_client_read_timeout: {{ default 0 .Values.anchoreGlobal.clientReadTimeout }}
-    max_compressed_image_size_mb: {{ default -1 .Values.anchoreGlobal.maxCompressedImageSizeMB }}
+    server_request_timeout_seconds: {{ .Values.anchoreGlobal.serverRequestTimeout }}
 
     metrics:
       enabled: {{ .Values.monitoring.enabled }}
@@ -37,66 +48,14 @@ data:
     webhooks:
       {{- toYaml .Values.anchoreGlobal.webhooks | nindent 6 }}
     {{ end }}
-    # Configure what feeds to sync.
-    # The sync will hit http://ancho.re/feeds, if any outbound firewall config needs to be set in your environment.
-    feeds:
-      sync_enabled: true
-      selective_sync:
-        # If enabled only sync specific feeds instead of all that are found.
-        enabled: true
-        feeds:
-          {{- if .Values.anchoreEnterpriseGlobal.enabled }}
-          github: {{ .Values.anchoreEnterpriseFeeds.githubDriverEnabled }}
-          {{- else }}
-          github: {{ default "true" .Values.anchoreGlobal.syncGithub }}
-          {{- end }}
-          # Vulnerabilities feed is the feed for distro cve sources (redhat, debian, ubuntu, oracle, alpine....)
-          vulnerabilities: {{ default "true" .Values.anchoreGlobal.syncVulnerabilites }}
-          # NVD Data is used for non-distro CVEs (jars, npm, etc) that are not packaged and released by distros as rpms, debs, etc
-          nvdv2: {{ default "true" .Values.anchoreGlobal.syncNvd }}
-          # Warning: enabling the package sync causes the service to require much
-          #   more memory to do process the significant data volume. We recommend at least 4GB available for the container
-          {{- if and (and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled) (or .Values.anchoreEnterpriseFeeds.gemDriverEnabled .Values.anchoreEnterpriseFeeds.npmDriverEnabled) }}
-          packages: true
-          {{- else }}
-          packages: {{ default "false" .Values.anchoreGlobal.syncPackages }}
-          {{- end }}
-          # Enabling vulndb syncs vulndb vulnerability data from an on-premise anchore enterprise feeds service. Please contact
-          # anchore support for finding out more about this service
-          {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }}
-          vulndb: {{ default "true" .Values.anchoreEnterpriseFeeds.vulndbDriverEnabled }}
-          # Enabling microsoft syncs MSRC data from an on-premise anchore enterprise feeds service. Please contact
-          # anchore support for finding out more about this service
-          microsoft: {{ .Values.anchoreEnterpriseFeeds.msrcDriverEnabled }}
-          {{- else }}
-          vulndb: false
-          microsoft: false
-          {{- end }}
-    {{- if .Values.anchoreEnterpriseFeeds.url }}
-      url: "{{- .Values.anchoreEnterpriseFeeds.url }}"
-      ssl_verify: {{ .Values.anchoreGlobal.internalServicesSsl.verifyCerts }}
-      client_url:
-      token_url:
-    {{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }}
-      {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }}
-      url: "https://{{- template "anchore-engine.enterprise-feeds.fullname" . }}:{{- .Values.anchoreEnterpriseFeeds.service.port }}/v1/feeds"
-      {{- else }}
-      url: "http://{{- template "anchore-engine.enterprise-feeds.fullname" . }}:{{- .Values.anchoreEnterpriseFeeds.service.port }}/v1/feeds"
-      {{- end }}
-      ssl_verify: {{ .Values.anchoreGlobal.internalServicesSsl.verifyCerts }}
-      client_url:
-      token_url:
-    {{- else }}
-      client_url: "https://ancho.re/v1/account/users"
-      token_url: "https://ancho.re/oauth/token"
-      anonymous_user_username: anon@ancho.re
-      anonymous_user_password: pbiU2RYZ2XrmYQ
-    {{- end }}
-      connection_timeout_seconds: {{ default 3 .Values.anchoreGlobal.feedsConnectionTimeout }}
-      read_timeout_seconds: {{ default 180 .Values.anchoreGlobal.feedsReadTimeout }}
+
     default_admin_password: ${ANCHORE_ADMIN_PASSWORD}
     default_admin_email: {{ .Values.anchoreGlobal.defaultAdminEmail }}
 
+    # Defines a maximum compressed image size (MB) to be added for analysis
+    # Value < 0 disables feature. Disabled by default
+    max_compressed_image_size_mb: {{ default -1 .Values.anchoreGlobal.maxCompressedImageSizeMB }}
+
     # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value
     # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs.
     keys:
@@ -188,6 +147,7 @@ data:
         ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}"
         ssl_key: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretKeyName }}"
         {{- end }}
+        enable_owned_package_filtering: {{ .Values.anchoreAnalyzer.enableOwnedPackageFiltering }}
       catalog:
         enabled: true
         require_auth: true
@@ -219,6 +179,7 @@ data:
           # Interval between checks to repo for new tags
           repo_watcher: {{ .Values.anchoreCatalog.cycleTimers.repo_watcher }}
           k8s_watcher: {{ .Values.anchoreCatalog.cycleTimers.k8s_watcher }}
+          k8s_image_watcher: {{ .Values.anchoreCatalog.cycleTimers.k8s_image_watcher }}
         event_log:
           {{- toYaml .Values.anchoreCatalog.events | nindent 10 }}
         analysis_archive:
@@ -230,6 +191,10 @@ data:
         ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}"
         ssl_key: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretKeyName }}"
         {{- end }}
+        {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+        runtime_compliance:
+          object_store_bucket: "runtime_compliance_check"
+        {{- end }}
         runtime_inventory:
           image_ttl_days: {{ .Values.anchoreCatalog.runtimeInventory.imageTTLDays }}
           kubernetes:
@@ -260,6 +225,61 @@ data:
         cycle_timer_seconds: 1
         cycle_timers:
           {{- toYaml .Values.anchorePolicyEngine.cycleTimers | nindent 10 }}
+        vulnerabilities:
+          provider: {{ .Values.anchorePolicyEngine.vulnerabilityProvider }}
+          sync:
+            enabled: true
+            ssl_verify: {{ .Values.anchoreGlobal.internalServicesSsl.verifyCerts }}
+            connection_timeout_seconds: {{ default 3 .Values.anchoreGlobal.feedsConnectionTimeout }}
+            read_timeout_seconds: {{ default 180 .Values.anchoreGlobal.feedsReadTimeout }}
+            data:
+              # grypedb feed is synced if the provider is set to grype. All the remaining feeds except for packages are ignored even if they are enabled
+              grypedb:
+                enabled: true
+                url: "https://toolbox-data.anchore.io/grype/databases/listing.json"
+              # The following feeds are synced if provider is set to legacy
+              # Vulnerabilities feed is the feed for distro cve sources (redhat, debian, ubuntu, oracle, alpine....)
+              vulnerabilities:
+                enabled: {{ default "true" .Values.anchoreGlobal.syncVulnerabilites }}
+                url: {{ $anchoreFeedsURL }}
+              # NVD Data is used for non-distro CVEs (jars, npm, etc) that are not packaged and released by distros as rpms, debs, etc
+              nvdv2:
+                enabled: {{ default "true" .Values.anchoreGlobal.syncNvd }}
+                url: {{ $anchoreFeedsURL }}
+              github:
+                {{- if .Values.anchoreEnterpriseGlobal.enabled }}
+                enabled: {{ .Values.anchoreEnterpriseFeeds.githubDriverEnabled }}
+                {{- else }}
+                enabled: {{ default "true" .Values.anchoreGlobal.syncGithub }}
+                {{- end }}
+                url: {{ $anchoreFeedsURL }}
+              # Warning: enabling the packages and nvd sync causes the service to require much more memory to do process the significant data volume. We recommend at least 4GB available for the container
+              # packages feed is synced if it is enabled regardless of the provider
+              packages:
+                {{- if and (and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled) (or .Values.anchoreEnterpriseFeeds.gemDriverEnabled .Values.anchoreEnterpriseFeeds.npmDriverEnabled) }}
+                enabled: true
+                {{- else }}
+                enabled: {{ default "false" .Values.anchoreGlobal.syncPackages }}
+                {{- end }}
+                url: {{ $anchoreFeedsURL }}
+              {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }}
+              vulndb:
+                enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.vulndbDriverEnabled }}
+                url: {{ $anchoreFeedsURL }}
+              {{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreGlobal.syncVulnDB }}
+              vulndb:
+                enabled: true
+                url: {{ $anchoreFeedsURL }}
+              {{- end }}
+              {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }}
+              microsoft:
+                enabled: {{ .Values.anchoreEnterpriseFeeds.msrcDriverEnabled }}
+                url: {{ $anchoreFeedsURL }}
+              {{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreGlobal.syncMSRC }}
+              microsoft:
+                enabled: true
+                url: {{ $anchoreFeedsURL }}
+              {{- end }}
         {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }}
         ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }}
         ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}"

chart/templates/engine_upgrade_job.yaml

@@ -75,6 +75,7 @@ spec:
             anchore-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask;
         {{- else }}
           - |
+            sleep 60
             anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
         {{- end }}
         {{- if .Values.cloudsql.enabled }}

chart/templates/enterprise_feeds_configmap.yaml

@@ -18,6 +18,7 @@ data:
     # Anchore Enterprise Service Configuration File
     # General system-wide configuration options, these should not need to
     # be altered for basic operation
+
     service_dir: {{ .Values.anchoreGlobal.serviceDir }}
     tmp_dir: {{ .Values.anchoreGlobal.scratchVolume.mountPath }}
     log_level: {{ .Values.anchoreGlobal.logLevel }}
@@ -96,32 +97,31 @@ data:
         api_only: {{ default "false" .Values.anchoreEnterpriseFeeds.apiOnly }}
         drivers:
           # Configuration section for drivers collecting and processing feed data.
-          # All drivers are enabled by default unless explicitly disabled. npm and gem drivers are explicitly disabled out of the box
-          npm:
-            enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.npmDriverEnabled }}
-          gem:
-            # rubygem data comes packaged as a PostgreSQL dump file. gem driver loads the pg dump and normalizes the data.
-            # To enable gem driver comment the enabled property and uncomment the db_connect property.
-            enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.gemDriverEnabled }}
-            db_connect: {{ default "'postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/gems'" .Values.anchoreEnterpriseFeeds.gemDbEndpoint }}
+          # All drivers are enabled by default unless explicitly disabled.
           amzn:
             enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.amazonDriverEnabled }}
+          alpine:
+            enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.alpineDriverEnabled }}
           centos:
             enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.centosDriverEnabled }}
           debian:
             enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.debianDriverEnabled }}
+          ol:
+            enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.olDriverEnabled }}
           ubuntu:
             enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.ubuntuDriverEnabled }}
           rhel:
             enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.rhelDriverEnabled }}
-          ol:
-            enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.olDriverEnabled }}
-          alpine:
-            enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.alpineDriverEnabled }}
-          snyk:
-            enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.snykDriverEnabled }}
           nvddb:
             enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.nvdDriverEnabled }}
+          # npm and gem drivers are explicitly disabled out of the box
+          npm:
+            enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.npmDriverEnabled }}
+          gem:
+            # rubygem data comes packaged as a PostgreSQL dump file. gem driver loads the pg dump and normalizes the data.
+            # To enable gem driver comment the enabled property and uncomment the db_connect property.
+            enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.gemDriverEnabled }}
+            db_connect: {{ default "'postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/gems'" .Values.anchoreEnterpriseFeeds.gemDbEndpoint }}
           nvdv2:
             enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled }}
           vulndb:
@@ -140,6 +140,9 @@ data:
             enabled: true
             token: ${ANCHORE_GITHUB_TOKEN}
         {{- end }}
+          grypedb:
+            enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.grypeDriverEnabled }}
+            external_feeds_url: "https://toolbox-data.anchore.io/grype/databases/listing.json"
         {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }}
         ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }}
         ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}"

chart/templates/enterprise_feeds_upgrade_job.yaml

@@ -63,6 +63,7 @@ spec:
             anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask;
         {{- else }}
           - |
+            sleep 60
             anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
         {{- end }}
         {{- if .Values.cloudsql.enabled }}

chart/templates/enterprise_upgrade_job.yaml

@@ -63,6 +63,7 @@ spec:
             anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask;
         {{- else }}
           - |
+            sleep 60
             anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
         {{- end }}
         {{- if .Values.cloudsql.enabled }}

chart/values.yaml

@@ -166,14 +166,14 @@ ingress:
 # Global configuration shared by all anchore-engine services.
 anchoreGlobal:
   # Image used for all anchore engine deployments (excluding enterprise components).
-  image: registry1.dso.mil/ironbank/anchore/engine/engine:0.9.4
+  image: registry1.dso.mil/ironbank/anchore/engine/engine:0.10.0
   imagePullPolicy: IfNotPresent
 
   # Set image pull secret name if using an anchore-engine image from a private registry
   imagePullSecretName: private-registry
 
   # Specify a service account name utilized to run all Anchore pods
-  serviceAccountName:
+  serviceAccountName: Null
 
   # Set this value to true to setup the chart for OpenShift deployment compatibility.
   openShiftDeployment: false
@@ -185,8 +185,8 @@ anchoreGlobal:
 
   # Add common annotations to set on all pods. Useful expecially when inject secrets directly into pods as ENV from vault via mutation-webhook-injection method.
   # Ref: https://banzaicloud.com/docs/bank-vaults/mutating-webhook/
-  annotations:
-    traffic.sidecar.istio.io/excludeOutboundPorts: "5432"
+  annotations: {}
+    # traffic.sidecar.istio.io/excludeOutboundPorts: "5432"
     # vault.security.banzaicloud.io/vault-addr: "https://vault:8200"
     # vault.security.banzaicloud.io/vault-tls-secret: "vault-tls"
 
@@ -238,6 +238,10 @@ anchoreGlobal:
   # If true, when a user adds an ECR registry with username = awsauto then the system will look for an instance profile to use for auth against the registry
   allowECRUseIAMRole: false
 
+  # Twisted has a global server side timeout on all established connections which defaults to 60, anything lasting longer
+  # than this (+ a 15 min abort final timeout) will have the connection killed by twisted
+  serverRequestTimeout: 60
+
   # Enable prometheus metrics
   enableMetrics: false
 
@@ -370,6 +374,11 @@ anchoreAnalyzer:
   # For more info see - https://docs.anchore.com/current/docs/engine/engine_installation/configuration/content_hints
   enableHints: false
 
+  # If enabled, the Anchore Analyzer will filter packages out that are contained by others. (e.g. a python package installed by an RPM using yum or dnf).
+  # When disabled, the Anchore Analyzer will report all packages as content regardless of "containership". In the above example, this would cause the
+  # python package to be returned as it's own entry in the image's content.
+  enableOwnedPackageFiltering: true
+
   configFile:
     # Anchore analyzer config file
     #
@@ -494,6 +503,7 @@ anchoreCatalog:
     image_gc: 60
     # Interval for the runtime inventory image execution poll
     k8s_watcher: 300
+    k8s_image_watcher: 150
 
   # Event log configuration for webhooks
   events:
@@ -621,6 +631,13 @@ anchoreCatalog:
   tolerations: []
   affinity: {}
 
+  # If enabled, the Anchore Helm Chart will create a Service Account with read-only permission to the cluster (pods & namespaces)
+  # This is largely to support the Out-Of-The-Box Runtime Inventory feature currently. See catalog_deployment.yaml for
+  # detailed information on the Service Account, Cluster Role & Binding.
+  # If using an existing service account, leave this value set to `false` & use anchoreGlobal.serviceAccountName to specify
+  # what service account to use. Existing service account must have adequate permissions to use this feature.
+  createServiceAccount: false
+
   runtimeInventory:
     # This setting tells Anchore how long an image can be missing from an inventory report before it is removed from
     # The working set. Note: The image will still have a historical record in the reports service, subject to data history
@@ -630,8 +647,14 @@ anchoreCatalog:
 
     # Since Anchore is running in Kubernetes, we can collect runtime inventory data out of the box
     reportAnchoreCluster:
-      # If set to true, Anchore will use its own service-account to try and collect runtime inventory data for all namespaces
-      # Note: requires a value for clusterName to populate inventory image context
+      # If set to true, Anchore will use its own service account's permissions
+      # (if anchoreCatalog.createServiceAccount is true, see `catalog_deployment.yaml`) to try and collect runtime
+      # inventory data for all namespaces.
+      #
+      # Note: this feature requires a value for clusterName to populate inventory image context
+      # Note: If anchoreCatalog.createServiceAccount is set to false, and anchoreGlobal.serviceAccountName is unspecified,
+      # then the Anchore Catalog service won't have enough permission to be able to read cluster information
+      # (pods & namespaces) for the embedded runtime inventory.
       enabled: true
       clusterName: anchore-k8s
       namespaces:
@@ -652,6 +675,12 @@ anchorePolicyEngine:
     feed_sync: 14400
     # Interval between checks to see if there needs to be a task queued
     feed_sync_checker: 3600
+    # 1 minute between checks to verify local grype-db is up to date
+    grypedb_sync: 60
+
+  # Available providers are legacy and grype. Legacy provider offers the same matching logic as previous versions of anchore-engine (<= 0.9.4)
+  # grype is a new provider that was introduced in 1.0.0, it uses the grype tool for all things vulnerabilities
+  vulnerabilityProvider: legacy
 
   # kubernetes service configuration for anchore policy engine api
   service:
@@ -719,7 +748,7 @@ anchoreEnterpriseGlobal:
   # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=<PATH TO LICENSE.YAML>
   licenseSecretName: anchore-enterprise-license
 
-  image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.3
+  image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.1.0
   imagePullPolicy: IfNotPresent
   # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images.
   # Create this secret with the following command - kubectl create secret docker-registry anchore-dockerhub-creds --docker-server=docker.io --docker-username=<USERNAME> --docker-password=<PASSWORD> --docker-email=<EMAIL_ADDRESS>
@@ -778,7 +807,7 @@ anchoreEnterpriseFeeds:
   # If enabled is set to false, set anchore-feeds-db.enabled to false to ensure that helm doesn't stand up a unneccessary postgres instance.
   enabled: true
 
-  # Set custom feeds URL if multiple Anchore deployments are using the same feeds service
+  # Set custom feeds URL if multiple Anchore deployments are using the same internal feeds service.
   url: ""
 
   # Enable github advisory feeds
@@ -968,7 +997,7 @@ anchoreEnterpriseNotifications:
 anchoreEnterpriseUi:
   # If enabled is set to false, set anchore-ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance.
   enabled: true
-  image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.3
+  image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.1.0
   imagePullPolicy: IfNotPresent
   imagePullSecretName: private-registry
 

docs/BBCHANGES.md

@@ -186,3 +186,11 @@ In `chart/templates/enterprise_feeds_configmap.yaml` also modify the metrics lin
     metrics:
       enabled: {{ .Values.monitoring.enabled }}
 ```
+
+To resolve a race condition in Big Bang CI pipelines, an additional sleep argument was added in `chart/templates/engine_upgrade_job.yaml`, `enterprise_upgrade_job.yaml`, and `enterprise_feeds_upgrade_jobs.yaml`:
+
+```yaml
+- |
+  sleep 60
+  anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
+```
\ No newline at end of file

tests/images.txt

-registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.3
-registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.3
+registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.1.0
+registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.1.0