From 61e71de74eb66deebfd6bf863da7ae605ff2423c Mon Sep 17 00:00:00 2001 From: bhearn Date: Mon, 29 Mar 2021 13:52:50 -0600 Subject: [PATCH 1/3] update docs --- docs/Architecture.md | 46 ++++++++++++++++++++++++++++++++++++++++++++ docs/KEYCLOAK.md | 2 ++ docs/README.md | 1 + 3 files changed, 49 insertions(+) create mode 100644 docs/Architecture.md diff --git a/docs/Architecture.md b/docs/Architecture.md new file mode 100644 index 0000000..5743ae5 --- /dev/null +++ b/docs/Architecture.md 
@@ -0,0 +1,46 @@ +# Anchore Architecture + +This document provides [architecture](https://docs.anchore.com/current/docs/overview/architecture/) touchpoints for the Big Bang Anchore package. + +### Licensing + +The Big Bang Anchore Enterprise services require a valid Anchore Enterprise license as well as credentials with access to Registry1 rehosting the hardened images. + +To be onboarded and provided with a trial or production license, please send an email to publicsector@anchore.com including program name and contact details. + +### Single Sign On + +Anchore Enterprise 2.1+ can be configured to support user login to the UI using identities from external identity providers that support SAML 2.0. In such a configuration, Anchore never stores any credentials for the users, only their usernames and Anchore permissions, and all UI access is gated through a user’s valid login into the identity provider. Anchore uses the external provider to verify username identity and initialize a username, account, and roles on first login for a new user. Once a user’s identity is initialized in Anchore, the Anchore administrator may manage user permissions by managing the roles associated with the user’s identity in Anchore itself. For more information, see [Anchore Enterprise SSO Support](https://docs.anchore.com/current/docs/overview/sso/). + +### UI + +Anchore Enterprise includes a UI (requires Enterprise license). The Anchore Enterprise UI client can be used to scan repositories and images, edit policy bundles, manage users accounts and roles via RBAC, and view and generate security vulnerability and policy evaluation reports. For more information, see [Using the Anchore Enterprirse UI](https://docs.anchore.com/current/docs/using/ui_usage/). + +### Logging + +Anchore services produce detailed logs that contain information about user interactions, internal processes, warnings and errors. 
The verbosity of the logs is controlled using the log_level setting in config.yaml (for manual installations) or the corresponding ANCHORE_LOG_LEVEL environment variable (for Helm installations) for each service. The log levels are DEBUG, INFO, WARN, ERROR, and FATAL, where the default is INFO. Most of the time, the default level is sufficient as the logs will container warn, error and fatal messages as well, but for deep troubleshooting, it is always recommended to increase the log level to DEBUG in order to ensure the availability of the maximum amount of information. For more information, see [Anchore Enterprise Logs](https://docs.anchore.com/current/docs/troubleshooting/#logs). + +### Monitoring + +Anchore Enterprise exposes prometheus metrics in the API of each service if the config.yaml used by that service has the metrics.enabled key set to true. Each service exports its own metrics and is typically scraped by a Prometheus installation to gather the metrics. Anchore does not aggregate or distribute metrics between services. You should configure your Prometheus deployment or integration to check each Anchore service’s api (using the same port it exports), for the /metrics route. For more information, see [Anchore Enterprise Monitoring](https://docs.anchore.com/current/docs/monitoring/#monitoring-in-kubernetes-andor-helm-chart) and [metrics.md](./metrics.md). + +### Healthchecks + +Liveness and readiness probes are included in the Anchore Helm chart for all deployments. System health can also be retrieved via the CLI, API, or UI. For example, to see the health of the Anchore services after a Helm install via the CLI: +``` +kubectl -n anchore exec -it -- anchore-cli --u --p system status +``` +For more information, see [Anchore Enterprise System Health](https://docs.anchore.com/current/docs/using/ui_usage/system_health/). + +### High Availability + +Anchore currently does not require any specific processes for HA. 
Since Anchore relies on a PostgreSQL database, it is recommended that production users utilize their external database service's HA capabilities. + +### Storage + +Anchore relies on a PostgreSQL database as its primary data store. By default, Anchore will deploy an in-cluster PostgreSQL database, but it is recommended that an external PostgreSQL 9.6+ database be used (e.g. Amazon Aurora, Google Cloud SQL, etc.), which can be configured in the Big Bang values.yaml. For more information, see [Anchore Enterprise Storage Overview](https://docs.anchore.com/current/docs/installation/storage/). + +### Dependant Packages + +- PostgreSQL 9.6+ (in-cluster by default; can be configured to use an external postgres) +- Redis (in-cluster by default; can be configured to use an external redis) \ No newline at end of file diff --git a/docs/KEYCLOAK.md b/docs/KEYCLOAK.md index d025f9b..5b1b386 100644 --- a/docs/KEYCLOAK.md +++ b/docs/KEYCLOAK.md @@ -2,6 +2,8 @@ This document summarizes helm values and manual steps that are required to integrate with Keycloak. +**NOTE:** SSO requires an Anchore Enterprise license. To be onboarded and provided with a trial or production license, please send an email to publicsector@anchore.com including program name and contact details. + ## Configuration Steps These are the items you need to do to configure Keycloak and Anchore for SSO in your Big Bang installation. diff --git a/docs/README.md b/docs/README.md index d1d2b21..c1d33a7 100644 --- a/docs/README.md +++ b/docs/README.md @@ -8,6 +8,7 @@ This repo contains Big Bang's implementation of Anchore. This includes the upstr - [Big Bang Modifications](./BBCHANGES.md) - [Keycloak](./KEYCLOAK.md) - [Chart](./CHART.md) +- [Architecture](./Architecture.md) # Structure -- GitLab From 809b90e17249aed16454c8bf6802cdb8b3ec78bd Mon Sep 17 00:00:00 2001 
From: bhearn7 Date: Thu, 1 Apr 2021 15:05:37 -0600 Subject: [PATCH 2/3] fix docs typo --- docs/Architecture.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Architecture.md b/docs/Architecture.md index 5743ae5..60c7015 100644 --- a/docs/Architecture.md +++ b/docs/Architecture.md @@ -4,7 +4,7 @@ This document provides [architecture](https://docs.anchore.com/current/docs/over ### Licensing -The Big Bang Anchore Enterprise services require a valid Anchore Enterprise license as well as credentials with access to Registry1 rehosting the hardened images. +The Big Bang Anchore Enterprise services require a valid Anchore Enterprise license as well as credentials with access to Registry1 hosting the hardened images. To be onboarded and provided with a trial or production license, please send an email to publicsector@anchore.com including program name and contact details. -- GitLab From aa416c7d1034789861efde7a5ec2b45ff19fbcb2 Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Thu, 1 Apr 2021 15:20:17 -0600 Subject: [PATCH 3/3] fix docs typo --- docs/Architecture.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/Architecture.md b/docs/Architecture.md index 60c7015..3cca4bd 100644 --- a/docs/Architecture.md +++ b/docs/Architecture.md 
@@ -18,7 +18,7 @@ Anchore Enterprise includes a UI (requires Enterprise license). The Anchore Ente ### Logging -Anchore services produce detailed logs that contain information about user interactions, internal processes, warnings and errors. The verbosity of the logs is controlled using the log_level setting in config.yaml (for manual installations) or the corresponding ANCHORE_LOG_LEVEL environment variable (for Helm installations) for each service. The log levels are DEBUG, INFO, WARN, ERROR, and FATAL, where the default is INFO. Most of the time, the default level is sufficient as the logs will container warn, error and fatal messages as well, but for deep troubleshooting, it is always recommended to increase the log level to DEBUG in order to ensure the availability of the maximum amount of information. For more information, see [Anchore Enterprise Logs](https://docs.anchore.com/current/docs/troubleshooting/#logs). +Anchore services produce detailed logs that contain information about user interactions, internal processes, warnings and errors. The verbosity of the logs is controlled using the log_level setting in config.yaml (for manual installations) or the corresponding ANCHORE_LOG_LEVEL environment variable (for Helm installations) for each service. The log levels are DEBUG, INFO, WARN, ERROR, and FATAL, where the default is INFO. Most of the time, the default level is sufficient as the logs will contain warn, error and fatal messages as well, but for deep troubleshooting, it is always recommended to increase the log level to DEBUG in order to ensure the availability of the maximum amount of information. For more information, see [Anchore Enterprise Logs](https://docs.anchore.com/current/docs/troubleshooting/#logs). ### Monitoring -- GitLab
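Review bot: in the new docs/Architecture.md (hunk @@ -0,0 +1,46 @@), the Healthchecks command is not runnable as written: `kubectl -n anchore exec -it -- anchore-cli --u --p system status` has no pod name after `exec -it` and no values after `--u` and `--p`. Use explicit placeholders such as `<anchore-api-pod>`, `<username>` and `<password>` so readers know what to fill in, and add a sentence noting that a password given on the command line ends up in shell history and process listings, so the CLI's credential environment variables (ANCHORE_CLI_USER / ANCHORE_CLI_PASS, outside the hunk's scope but a known anchore-cli feature) are the better way to pass it. Smaller points in the same hunk: "Enterprirse" in the UI section should be "Enterprise", "Dependant Packages" should be "Dependent Packages", and the file lacks a trailing newline ("\ No newline at end of file").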
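Review bot: the docs/KEYCLOAK.md hunk (@@ -2,6 +2,8 @@) adds a **NOTE:** whose licensing and contact text is a verbatim copy of the Licensing section in docs/Architecture.md; keep the sentence that SSO requires an Enterprise license and link to the Licensing section for the onboarding details, so the contact address and wording only have to be maintained in one place.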
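Review bot: the docs/README.md hunk (@@ -8,6 +8,7 @@) links the new file as `./Architecture.md`, while every other document in the list uses an upper-case name (`BBCHANGES.md`, `KEYCLOAK.md`, `CHART.md`); consider naming the new file `ARCHITECTURE.md` (and updating the link and the `create mode` path in patch 1/3) so the docs directory stays consistent, especially on case-sensitive filesystems where a mismatched link is a broken link.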
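Review bot: patch 2/3 (docs/Architecture.md @@ -4,7 +4,7 @@, "rehosting" to "hosting") and patch 3/3 ("container" to "contain") each correct a single word introduced by patch 1/3 in this same series; squash both into the first commit so the history records one "update docs" change rather than two follow-up typo fixes, and the ordering of the intermediate blob indexes (5743ae5, 60c7015, 3cca4bd) no longer matters.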
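Review bot: in the docs/Architecture.md Logging hunk of patch 3/3 (@@ -18,7 +18,7 @@), the corrected sentence still says it "is always recommended to increase the log level to DEBUG", which reads as a standing recommendation rather than a troubleshooting step; suggest "temporarily increase the log level to DEBUG for the affected service and return it to INFO afterwards", since the preceding sentence already establishes that INFO captures warn, error and fatal messages, and DEBUG output is much more voluminous.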