diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 72f92051af60c2142bff536e42879f49ac016f33..6e9f482a7f7c3e86dc8e81d263dacbbd608c2f81 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,4 +1,4 @@ include: - project: 'platform-one/big-bang/pipeline-templates/pipeline-templates' - ref: '1.0.1' + ref: master file: '/templates/package-tests.yml' diff --git a/CHANGELOG.md b/CHANGELOG.md index a8307337acc19b9c8691b9f7fcc4e0051d37efc8..9b80ccc6c6ce905bfaa5055049955148b66a1264 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). --- +## [1.12.7-bb.4] +### Changed +- Added Helm bash testing for API using approved Iron Bank image +- Bumped upstream chart version to 1.12.13 +- Bumped Anchore Enterprise UI image version to 3.0.2 from Registry1 ## [1.12.7-bb.3] ### Fixed diff --git a/chart/Chart.lock b/chart/Chart.lock index 0f8afea7d60d8821c5e8964bbf543db709c6ea7b..f6be3256bf48ea0d10e0afe42568f60579b5b295 100644 --- a/chart/Chart.lock +++ b/chart/Chart.lock @@ -8,5 +8,8 @@ dependencies: - name: redis repository: file://./deps/redis version: 12.8.3-bb.0 -digest: sha256:ee26f2840524c22deb3b82377f8af573be307de5752873c9cfbfd43a592b7073 -generated: "2021-03-18T13:10:12.040027-04:00" +- name: bb-test-lib + repository: oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates + version: 0.4.0 +digest: sha256:cdf6e2694ba10c26845caffc96343262185f697595fdcb658c1c6e9796ddb029 +generated: "2021-05-11T11:23:19.071211-04:00" diff --git a/chart/Chart.yaml b/chart/Chart.yaml index b111f2f39673d7c36712926fbce92ed4e5ef0806..f33ad5574c15a52a3a006bddcf1b3f774d2a2715 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml 
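Review bot: `ref: master` replaces the pinned `'1.0.1'` with a moving branch of the pipeline-templates project, so the pipeline that builds and tests this chart (including the new package-tests stage) can change without any commit here and cannot be reproduced later from this file alone. Pin the include to an immutable ref of platform-one/big-bang/pipeline-templates/pipeline-templates — a released tag or a commit SHA, e.g. `ref: '<released-tag>'` (placeholder) — and bump it deliberately when the templates change. Quoting the value would also match the `project:` and `file:` keys in the same stanza.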
@@ -1,6 +1,6 @@ apiVersion: v2 name: anchore-engine -version: 1.12.7-bb.3 +version: 1.12.13-bb.0 appVersion: 0.9.3 description: Anchore container analysis and policy evaluation engine service keywords: @@ -37,3 +37,6 @@ dependencies: repository: "file://./deps/redis" condition: anchore-ui-redis.enabled,anchoreEnterpriseGlobal.enabled alias: anchore-ui-redis + - name: bb-test-lib + version: "0.4.0" + repository: "oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates" diff --git a/chart/Kptfile b/chart/Kptfile index 6173568e05cce6702770b2e4daf2ac347afea3cf..f248c9fc2a8236954fd19478ca9a16e90cec403c 100644 --- a/chart/Kptfile +++ b/chart/Kptfile @@ -5,7 +5,7 @@ metadata: upstream: type: git git: - commit: e41ae9622408427aed876dcf91cea86d1cddf57a + commit: f9a34a42d694e657b5f3d493f590fc3f7a8b933e repo: https://github.com/anchore/anchore-charts directory: /stable/anchore-engine - ref: anchore-engine-1.12.7 + ref: anchore-engine-1.12.13 diff --git a/chart/charts/bb-test-lib-0.4.0.tgz b/chart/charts/bb-test-lib-0.4.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..47269ecab02fec984f282a766ce13a2f7df2b98e Binary files /dev/null and b/chart/charts/bb-test-lib-0.4.0.tgz differ diff --git a/chart/charts/postgresql-1.0.1.tgz b/chart/charts/postgresql-1.0.1.tgz index c6e662bbdd8a3ed79615e0e3a051862f16440fa0..1877132187aa7f054422eca0a279d6ed9bde09bc 100644 Binary files a/chart/charts/postgresql-1.0.1.tgz and b/chart/charts/postgresql-1.0.1.tgz differ diff --git a/chart/charts/redis-12.8.3-bb.0.tgz b/chart/charts/redis-12.8.3-bb.0.tgz index 39b098b7a3037acfc4a28d73cbb2930c6b616a31..2993243961019ae4eeca7f5267ea5ad69eb19dc1 100644 Binary files a/chart/charts/redis-12.8.3-bb.0.tgz and b/chart/charts/redis-12.8.3-bb.0.tgz differ diff --git a/chart/templates/analyzer_deployment.yaml b/chart/templates/analyzer_deployment.yaml index 1b0ba7b1271361efb94dc610a4a46d4a1699d9ab..a66281899de9d487c95f7afee5b069502ef7cfd6 100644 
--- a/chart/templates/analyzer_deployment.yaml +++ b/chart/templates/analyzer_deployment.yaml @@ -107,10 +107,15 @@ spec: {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} + {{- if .Values.anchoreGlobal.existingSecret }} - secretRef: - name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecret }} + {{- else }} + - secretRef: + name: {{ include "anchore-engine.fullname" . }} - secretRef: - name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} + name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} + {{- end }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env diff --git a/chart/templates/api_deployment.yaml b/chart/templates/api_deployment.yaml index dd52822acb9984d8e87653bb6a1545076655630d..8174324b27e2e189ec45174e4e1ac4dabbb40426 100644 --- a/chart/templates/api_deployment.yaml +++ b/chart/templates/api_deployment.yaml @@ -95,10 +95,15 @@ spec: {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} + {{- if .Values.anchoreGlobal.existingSecret }} - secretRef: - name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecret }} + {{- else }} + - secretRef: + name: {{ include "anchore-engine.fullname" . }} - secretRef: - name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} + name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} + {{- end }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env 
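Review bot: The `existingSecret` branch references that one Secret in place of both `<fullname>` and `<fullname>-admin-pass`, so a user-supplied secret has to carry every key those two would otherwise provide (tests/test-values.yml in this commit reads `ANCHORE_ADMIN_PASSWORD` from the `-admin-pass` one); nothing in this diff states that, and it belongs as a comment on `anchoreGlobal.existingSecret` in values.yaml, e.g. `# When set, this Secret replaces BOTH <fullname> and <fullname>-admin-pass, so it must contain every key of both (e.g. ANCHORE_ADMIN_PASSWORD).` The removed lines already resolved both refs to existingSecret, so for the anchoreGlobal-based templates this is a clarification, not a behaviour change. The same if/else block is now repeated in api_deployment.yaml (five hunks), catalog_deployment.yaml, engine_upgrade_job.yaml, enterprise_upgrade_job.yaml, policy_engine_deployment.yaml and simplequeue_deployment.yaml; a named template in the chart's helpers taking the override and the fallback names would keep the copies from drifting. The enclosing container spec continues outside the hunk.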
@@ -184,10 +189,15 @@ spec: args: ["anchore-enterprise-manager", "service", "start", "--no-auto-upgrade", "rbac_manager"] envFrom: {{- if not .Values.inject_secrets_via_env }} + {{- if .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ .Values.anchoreGlobal.existingSecret }} + {{- else }} - secretRef: - name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + name: {{ include "anchore-engine.fullname" . }} - secretRef: - name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} + name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} + {{- end }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env @@ -256,10 +266,15 @@ spec: args: ["anchore-enterprise-manager", "service", "start", "--no-auto-upgrade", "rbac_authorizer"] envFrom: {{- if not .Values.inject_secrets_via_env }} + {{- if .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ .Values.anchoreGlobal.existingSecret }} + {{- else }} - secretRef: - name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + name: {{ include "anchore-engine.fullname" . }} - secretRef: - name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} + name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} + {{- end }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env 
@@ -331,10 +346,15 @@ spec: name: reports-api envFrom: {{- if not .Values.inject_secrets_via_env }} + {{- if .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ .Values.anchoreGlobal.existingSecret }} + {{- else }} - secretRef: - name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + name: {{ include "anchore-engine.fullname" . }} - secretRef: - name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} + name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} + {{- end }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env @@ -405,10 +425,15 @@ spec: name: notifi-api envFrom: {{- if not .Values.inject_secrets_via_env }} + {{- if .Values.anchoreGlobal.existingSecret }} - secretRef: - name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecret }} + {{- else }} + - secretRef: + name: {{ include "anchore-engine.fullname" . }} - secretRef: - name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} + name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} + {{- end }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env diff --git a/chart/templates/catalog_deployment.yaml b/chart/templates/catalog_deployment.yaml index e4effb10e9ab02db5bc91cae49ed75ee0ab126d6..77efe1b6650a8d9fd8bd266c8da60b5c47d7f1a4 100644 --- a/chart/templates/catalog_deployment.yaml +++ b/chart/templates/catalog_deployment.yaml 
@@ -95,10 +95,15 @@ spec: {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} + {{- if .Values.anchoreGlobal.existingSecret }} - secretRef: - name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecret }} + {{- else }} + - secretRef: + name: {{ include "anchore-engine.fullname" . }} - secretRef: - name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} + name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} + {{- end }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env diff --git a/chart/templates/engine_configmap.yaml b/chart/templates/engine_configmap.yaml index 1115d60b27a6d02de8b2bf0fcc813f8014fc61d0..f2a3c85b4a86fd4e1c37b370851bf5ae0436b34a 100644 --- a/chart/templates/engine_configmap.yaml +++ b/chart/templates/engine_configmap.yaml @@ -45,7 +45,9 @@ data: # If enabled only sync specific feeds instead of all that are found. enabled: true feeds: - {{- if not .Values.anchoreEnterpriseGlobal.enabled }} + {{- if .Values.anchoreEnterpriseGlobal.enabled }} + github: {{ .Values.anchoreEnterpriseFeeds.githubDriverEnabled }} + {{- else }} github: {{ default "true" .Values.anchoreGlobal.syncGithub }} {{- end }} # Vulnerabilities feed is the feed for distro cve sources (redhat, debian, ubuntu, oracle, alpine....) @@ -70,8 +72,6 @@ data: vulndb: false microsoft: false {{- end }} - # Sync github data if available for GHSA matches - github: {{ default "true" .Values.anchoreGlobal.syncGithub }} {{- if .Values.anchoreEnterpriseFeeds.url }} url: "{{- .Values.anchoreEnterpriseFeeds.url }}" ssl_verify: {{ .Values.anchoreGlobal.internalServicesSsl.verifyCerts }} diff --git a/chart/templates/engine_upgrade_job.yaml b/chart/templates/engine_upgrade_job.yaml index 681d094fa5d15d033b8b8c2204f6df0714d26cb4..dfe591d183f3c87860dc74e0729dd2371c726f6a 100644 
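Review bot: The new enterprise branch reads `githubDriverEnabled` directly, which is right for a boolean, but the else line kept in the same block, `github: {{ default "true" .Values.anchoreGlobal.syncGithub }}`, turns an explicit `syncGithub: false` into `true` because `default` treats false as an empty value. Since the block is being restructured anyway, that line could become `github: {{ if hasKey .Values.anchoreGlobal "syncGithub" }}{{ .Values.anchoreGlobal.syncGithub }}{{ else }}true{{ end }}`. In the added line an unset `anchoreEnterpriseFeeds.githubDriverEnabled` renders as an empty value rather than a boolean; `github: {{ default false .Values.anchoreEnterpriseFeeds.githubDriverEnabled }}` gives `false` for both unset and explicit false and `true` otherwise. Dropping the second unconditional `github:` key in the next hunk removes a duplicate key under `feeds:`, which is the right fix there.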
--- a/chart/templates/engine_upgrade_job.yaml +++ b/chart/templates/engine_upgrade_job.yaml @@ -41,8 +41,26 @@ spec: {{- end }} {{- end }} restartPolicy: Never + {{- if .Values.cloudsql.enabled }} + shareProcessNamespace: true + {{- end }} containers: - - name: "{{ .Release.Name }}-enterprise-upgrade" + {{- if .Values.cloudsql.enabled }} + - name: cloudsql-proxy + image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} + imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + command: ["/cloud_sql_proxy"] + args: + - "-instances={{ .Values.cloudsql.instance }}=tcp:5432" + {{- if .Values.cloudsql.useExistingServiceAcc }} + - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}" + volumeMounts: + - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }} + name: {{ .Values.cloudsql.serviceAccSecretName }} + readOnly: true + {{- end }} + {{- end }} + - name: "{{ .Release.Name }}-engine-upgrade" {{- if .Values.anchoreEnterpriseGlobal.enabled }} image: {{ .Values.anchoreEnterpriseGlobal.image }} imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }} 
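Review bot: The cloudsql-proxy sidecar block (`shareProcessNamespace`, the container, its args and volumeMounts) is added verbatim here and again in enterprise_feeds_upgrade_job.yaml and enterprise_upgrade_job.yaml; a named template such as `{{- include "anchore-engine.cloudsqlProxy" . | nindent 6 }}` would keep the three copies identical when the proxy image or flags change. The mount uses `name: {{ .Values.cloudsql.serviceAccSecretName }}` as the volume name, but a Secret name may contain dots and be up to 253 characters while a volume name must be a DNS label, so a fixed name such as `cloudsql-sa` with the value only in `secretName:` is safer (the matching `volumes:` entry is in the last hunk of this file). The container rename to `-engine-upgrade` looks correct for this job; the enclosing pod spec continues outside the hunk.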
@@ -50,17 +68,33 @@ spec: image: {{ .Values.anchoreGlobal.image }} imagePullPolicy: {{ .Values.anchoreGlobal.imagePullPolicy }} {{- end }} + command: ["/bin/bash", "-c"] + args: {{- if .Values.anchoreGlobal.dbConfig.ssl }} - args: ["/bin/bash", "-c", "anchore-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask"] + - | + anchore-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; {{- else }} - args: ["/bin/bash", "-c", "anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask"] + - | + anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask; + {{- end }} + {{- if .Values.cloudsql.enabled }} + sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; + securityContext: + capabilities: + add: + - SYS_PTRACE {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} + {{- if .Values.anchoreGlobal.existingSecret }} + - secretRef: + name: {{ .Values.anchoreGlobal.existingSecret }} + {{- else }} - secretRef: - name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + name: {{ include "anchore-engine.fullname" . }} - secretRef: - name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} + name: {{ print (include "anchore-engine.fullname" .) 
"-admin-pass" }} + {{- end }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env @@ -74,12 +108,19 @@ spec: mountPath: /home/anchore/certs/ readOnly: true {{- end }} - {{- with .Values.anchoreGlobal.certStoreSecretName }} + {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }} volumes: + {{- with .Values.anchoreGlobal.certStoreSecretName }} - name: certs secret: secretName: {{ . }} {{- end }} + {{- if .Values.cloudsql.useExistingServiceAcc }} + - name: {{ .Values.cloudsql.serviceAccSecretName }} + secret: + secretName: {{ .Values.cloudsql.serviceAccSecretName }} + {{- end }} + {{- end }} {{- with .Values.anchoreEngineUpgradeJob.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} diff --git a/chart/templates/enterprise_feeds_configmap.yaml b/chart/templates/enterprise_feeds_configmap.yaml index 705e162a1585649f11d2e4414ad8afe7089043a5..6a78e533b877855db06024b72e1a4b6e6e40b4a9 100644 --- a/chart/templates/enterprise_feeds_configmap.yaml +++ b/chart/templates/enterprise_feeds_configmap.yaml 
@@ -126,16 +126,20 @@ data: enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled }} vulndb: enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.vulndbDriverEnabled }} + {{- if .Values.anchoreEnterpriseFeeds.msrcDriverEnabled }} msrc: - enabled: {{ .Values.anchoreEnterpriseFeeds.msrcDriverEnabled }} - api_key: {{ .Values.anchoreEnterpriseFeeds.msrcApiKey }} + enabled: true + api_key: ${ANCHORE_MSRC_KEY} {{- with .Values.anchoreEnterpriseFeeds.msrcWhitelist }} whitelist: - {{ . }} {{- end }} + {{- end }} + {{- if .Values.anchoreEnterpriseFeeds.githubDriverEnabled }} github: - enabled: {{ .Values.anchoreEnterpriseFeeds.githubDriverEnabled }} - token: {{ .Values.anchoreEnterpriseFeeds.githubDriverToken }} + enabled: true + token: ${ANCHORE_GITHUB_TOKEN} + {{- end }} {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}" diff --git a/chart/templates/enterprise_feeds_deployment.yaml b/chart/templates/enterprise_feeds_deployment.yaml index 767e8088cf73a4ccd21673b3d1f9c2662948d0b8..034430d407b6b46c16074a5688b1dc413236b0d0 100644 --- a/chart/templates/enterprise_feeds_deployment.yaml +++ b/chart/templates/enterprise_feeds_deployment.yaml 
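Review bot: `api_key: ${ANCHORE_MSRC_KEY}` is emitted whenever `msrcDriverEnabled` is truthy, but enterprise_feeds_secret.yaml in this commit only defines `ANCHORE_MSRC_KEY` under `with .Values.anchoreEnterpriseFeeds.msrcApiKey`, so enabling the driver without a key leaves a placeholder with nothing to expand at runtime (presumably the feeds service substitutes `${VAR}` from its environment — confirm); the same holds for `github`/`ANCHORE_GITHUB_TOKEN`. Failing the render is clearer than a silently broken driver: `{{- $_ := required "anchoreEnterpriseFeeds.msrcApiKey is required when msrcDriverEnabled is true" .Values.anchoreEnterpriseFeeds.msrcApiKey }}` inside the `if`, and likewise for the GitHub token. A comment above each block, e.g. `# value is injected via ANCHORE_MSRC_KEY from the feeds Secret`, would tell the next reader where the credential now lives.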
@@ -94,10 +94,15 @@ spec: name: feeds-api envFrom: {{- if not .Values.inject_secrets_via_env }} + {{- if .Values.anchoreEnterpriseFeeds.existingSecret }} - secretRef: - name: {{ default (include "anchore-engine.enterprise-feeds.fullname" .) .Values.anchoreEnterpriseFeeds.existingSecret }} + name: {{ .Values.anchoreEnterpriseFeeds.existingSecret }} + {{- else }} - secretRef: - name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} + name: {{ include "anchore-engine.enterprise-feeds.fullname" . }} + - secretRef: + name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} + {{- end }} {{- end }} - configMapRef: name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}-env diff --git a/chart/templates/enterprise_feeds_secret.yaml b/chart/templates/enterprise_feeds_secret.yaml index 30608313b18d1b4f644d184657336e9854042b3f..6addc0cf06ea76cd74394c2f2e604d66c7f74b41 100644 --- a/chart/templates/enterprise_feeds_secret.yaml +++ b/chart/templates/enterprise_feeds_secret.yaml @@ -18,5 +18,11 @@ stringData: {{- with .Values.anchoreGlobal.saml.secret }} ANCHORE_SAML_SECRET: {{ . }} {{- end }} + {{- with .Values.anchoreEnterpriseFeeds.msrcApiKey }} + ANCHORE_MSRC_KEY: {{ . | quote }} + {{- end }} + {{- with .Values.anchoreEnterpriseFeeds.githubDriverToken }} + ANCHORE_GITHUB_TOKEN: {{ . | quote }} + {{- end }} {{- end }} {{- end }} diff --git a/chart/templates/enterprise_feeds_upgrade_job.yaml b/chart/templates/enterprise_feeds_upgrade_job.yaml index 25849385c2aa01ccbe78aae7a1a086c8760fc56d..a5cb0eb8354cf888058d66a350b45bb771e36d38 100644 --- a/chart/templates/enterprise_feeds_upgrade_job.yaml +++ b/chart/templates/enterprise_feeds_upgrade_job.yaml 
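Review bot: Unlike the engine templates, this hunk changes which Secrets are attached: before, `anchoreEnterpriseFeeds.existingSecret` replaced only the feeds Secret while the second ref still resolved to `<fullname>-admin-pass` (or `anchoreGlobal.existingSecret`); now setting the feeds-level existingSecret drops the `-admin-pass` ref entirely. An install that sets `anchoreEnterpriseFeeds.existingSecret` without copying the admin-password keys into it will lose those environment variables, if the feeds service reads them — that should be confirmed and, if intended, called out in CHANGELOG.md and on the values key. If it is not intended, close the if/else after the first `secretRef` and leave the `-admin-pass` secretRef unconditional. The same restructuring is in enterprise_feeds_upgrade_job.yaml and in enterprise_ui_deployment.yaml (with `anchoreEnterpriseUi.existingSecret`).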
@@ -34,21 +34,55 @@ spec: imagePullSecrets: - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }} restartPolicy: Never + {{- if .Values.cloudsql.enabled }} + shareProcessNamespace: true + {{- end }} containers: + {{- if .Values.cloudsql.enabled }} + - name: cloudsql-proxy + image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} + imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + command: ["/cloud_sql_proxy"] + args: + - "-instances={{ .Values.cloudsql.instance }}=tcp:5432" + {{- if .Values.cloudsql.useExistingServiceAcc }} + - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}" + volumeMounts: + - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }} + name: {{ .Values.cloudsql.serviceAccSecretName }} + readOnly: true + {{- end }} + {{- end }} - name: "{{ .Release.Name }}-enterprise-feeds-upgrade" imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }} image: {{ .Values.anchoreEnterpriseGlobal.image }} + command: ["/bin/bash", "-c"] + args: {{- if .Values.anchoreGlobal.dbConfig.ssl }} - args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask"] + - | + anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; {{- else }} - args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask"] + - | 
+ anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask; + {{- end }} + {{- if .Values.cloudsql.enabled }} + sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; + securityContext: + capabilities: + add: + - SYS_PTRACE {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} + {{- if .Values.anchoreEnterpriseFeeds.existingSecret }} - secretRef: - name: {{ default (include "anchore-engine.enterprise-feeds.fullname" .) .Values.anchoreEnterpriseFeeds.existingSecret }} + name: {{ .Values.anchoreEnterpriseFeeds.existingSecret }} + {{- else }} + - secretRef: + name: {{ include "anchore-engine.enterprise-feeds.fullname" . }} - secretRef: - name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} + name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} + {{- end }} {{- end }} - configMapRef: name: {{ template "anchore-engine.enterprise-feeds.fullname" . }}-env @@ -65,12 +99,19 @@ spec: mountPath: /home/anchore/certs/ readOnly: true {{- end }} - {{- with .Values.anchoreGlobal.certStoreSecretName }} + {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }} volumes: + {{- with .Values.anchoreGlobal.certStoreSecretName }} - name: certs secret: secretName: {{ . }} {{- end }} + {{- if .Values.cloudsql.useExistingServiceAcc }} + - name: {{ .Values.cloudsql.serviceAccSecretName }} + secret: + secretName: {{ .Values.cloudsql.serviceAccSecretName }} + {{- end }} + {{- end }} {{- with .Values.anchoreEnterpriseFeedsUpgradeJob.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} diff --git a/chart/templates/enterprise_ui_deployment.yaml b/chart/templates/enterprise_ui_deployment.yaml index a0aba73ed5b26a885d002724953837ab8bd162f9..d46ab6dd3355cfac65beb652a4750653ce24d902 100644 --- a/chart/templates/enterprise_ui_deployment.yaml 
+++ b/chart/templates/enterprise_ui_deployment.yaml @@ -98,10 +98,15 @@ spec: {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} + {{- if .Values.anchoreEnterpriseUi.existingSecret }} - secretRef: - name: {{ default (include "anchore-engine.enterprise-ui.fullname" .) .Values.anchoreEnterpriseUi.existingSecret }} + name: {{ .Values.anchoreEnterpriseUi.existingSecret }} + {{- else }} - secretRef: - name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} + name: {{ include "anchore-engine.enterprise-ui.fullname" . }} + - secretRef: + name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} + {{- end }} {{- end }} ports: - containerPort: 3000 diff --git a/chart/templates/enterprise_ui_secret.yaml b/chart/templates/enterprise_ui_secret.yaml index 60075dc1f81de87654f8c164247b4e4bb06c0fa4..90df31cff378b8192b8bedb6d3e6e6890abf1201 100644 --- a/chart/templates/enterprise_ui_secret.yaml +++ b/chart/templates/enterprise_ui_secret.yaml @@ -23,7 +23,7 @@ stringData: {{- if and (index .Values "anchore-ui-redis" "externalEndpoint") (not (index .Values "anchore-ui-redis" "enabled")) }} ANCHORE_REDIS_URI: '{{ index .Values "anchore-ui-redis" "externalEndpoint" }}' {{- else }} - ANCHORE_REDIS_URI: 'redis://:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379' + ANCHORE_REDIS_URI: 'redis://nouser:{{ index .Values "anchore-ui-redis" "password" }}@{{ template "redis.fullname" . }}-master:6379' {{- end }} {{- end }} {{- end }} diff --git a/chart/templates/enterprise_upgrade_job.yaml b/chart/templates/enterprise_upgrade_job.yaml index c47296e1bde11e4d37c404e9f60f734babf6ee3d..446e9e78289deb7fae00814a2dd1aa4d5de321dd 100644 --- a/chart/templates/enterprise_upgrade_job.yaml +++ b/chart/templates/enterprise_upgrade_job.yaml 
@@ -34,21 +34,55 @@ spec: imagePullSecrets: - name: {{ .Values.anchoreEnterpriseGlobal.imagePullSecretName }} restartPolicy: Never + {{- if .Values.cloudsql.enabled }} + shareProcessNamespace: true + {{- end }} containers: + {{- if .Values.cloudsql.enabled }} + - name: cloudsql-proxy + image: {{ .Values.cloudsql.image.repository }}:{{ .Values.cloudsql.image.tag }} + imagePullPolicy: {{ .Values.cloudsql.image.pullPolicy }} + command: ["/cloud_sql_proxy"] + args: + - "-instances={{ .Values.cloudsql.instance }}=tcp:5432" + {{- if .Values.cloudsql.useExistingServiceAcc }} + - "-credential_file=/var/{{ .Values.cloudsql.serviceAccSecretName }}/{{ .Values.cloudsql.serviceAccJsonName }}" + volumeMounts: + - mountPath: /var/{{ .Values.cloudsql.serviceAccSecretName }} + name: {{ .Values.cloudsql.serviceAccSecretName }} + readOnly: true + {{- end }} + {{- end }} - name: "{{ .Release.Name }}-enterprise-upgrade" imagePullPolicy: {{ .Values.anchoreEnterpriseGlobal.imagePullPolicy }} image: {{ .Values.anchoreEnterpriseGlobal.image }} + command: ["/bin/bash", "-c"] + args: {{- if .Values.anchoreGlobal.dbConfig.ssl }} - args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask"] + - | + anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask; {{- else }} - args: ["/bin/bash", "-c", "anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask"] + - | + 
anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask; + {{- end }} + {{- if .Values.cloudsql.enabled }} + sql_proxy_pid=$(pgrep cloud_sql_proxy) && kill -INT $sql_proxy_pid; + securityContext: + capabilities: + add: + - SYS_PTRACE {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} + {{- if .Values.anchoreGlobal.existingSecret }} - secretRef: - name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecret }} + {{- else }} + - secretRef: + name: {{ include "anchore-engine.fullname" . }} - secretRef: - name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} + name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} + {{- end }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env @@ -62,12 +96,19 @@ spec: mountPath: /home/anchore/certs/ readOnly: true {{- end }} - {{- with .Values.anchoreGlobal.certStoreSecretName }} + {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }} volumes: + {{- with .Values.anchoreGlobal.certStoreSecretName }} - name: certs secret: secretName: {{ . }} {{- end }} + {{- if .Values.cloudsql.useExistingServiceAcc }} + - name: {{ .Values.cloudsql.serviceAccSecretName }} + secret: + secretName: {{ .Values.cloudsql.serviceAccSecretName }} + {{- end }} + {{- end }} {{- with .Values.anchoreEnterpriseEngineUpgradeJob.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} diff --git a/chart/templates/policy_engine_deployment.yaml b/chart/templates/policy_engine_deployment.yaml index 347c221a0439418dce620ff281f366c36a34c94d..9816fc05fa1b0c28d34f683e28e162a623613d37 100644 --- a/chart/templates/policy_engine_deployment.yaml +++ b/chart/templates/policy_engine_deployment.yaml 
@@ -106,10 +106,15 @@ spec: {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} + {{- if .Values.anchoreGlobal.existingSecret }} - secretRef: - name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecret }} + {{- else }} + - secretRef: + name: {{ include "anchore-engine.fullname" . }} - secretRef: - name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} + name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} + {{- end }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env diff --git a/chart/templates/simplequeue_deployment.yaml b/chart/templates/simplequeue_deployment.yaml index 03c7efa597ca300495c7198c1d0e60c61b43fd72..42b4bbac1a4c0dc45b164f70baa9382dfbb01cfa 100644 --- a/chart/templates/simplequeue_deployment.yaml +++ b/chart/templates/simplequeue_deployment.yaml @@ -92,10 +92,15 @@ spec: {{- end }} envFrom: {{- if not .Values.inject_secrets_via_env }} + {{- if .Values.anchoreGlobal.existingSecret }} - secretRef: - name: {{ default (include "anchore-engine.fullname" .) .Values.anchoreGlobal.existingSecret }} + name: {{ .Values.anchoreGlobal.existingSecret }} + {{- else }} + - secretRef: + name: {{ include "anchore-engine.fullname" . }} - secretRef: - name: {{ default (print (include "anchore-engine.fullname" .) "-admin-pass") .Values.anchoreGlobal.existingSecret }} + name: {{ print (include "anchore-engine.fullname" .) "-admin-pass" }} + {{- end }} {{- end }} - configMapRef: name: {{ template "anchore-engine.fullname" . }}-env diff --git a/chart/templates/tests/test-scripts.yaml b/chart/templates/tests/test-scripts.yaml new file mode 100644 index 0000000000000000000000000000000000000000..3a723dba083cdab642e8ba5ff1e4fecaec9e1e7e --- /dev/null +++ b/chart/templates/tests/test-scripts.yaml 
@@ -0,0 +1,3 @@
+{{- include "bb-test-lib.script-configmap.base" . }}
+---
+{{- include "bb-test-lib.script-runner.base" . }}
\ No newline at end of file
diff --git a/chart/tests/scripts/test.sh b/chart/tests/scripts/test.sh
new file mode 100644
index 0000000000000000000000000000000000000000..1f867f5a6c10f0fc4f70efd71eae4e7c038165d5
--- /dev/null
+++ b/chart/tests/scripts/test.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+# Wait for Anchore Engine API to go live
+while [ $(curl -sw '%{http_code}' -u "admin:${ANCHORE_CLI_PASS}" "${ANCHORE_CLI_URL}/swagger.json" -o /dev/null) -ne 200 ]; do
+ echo "Waiting for Anchore API..."
+ sleep 10;
+done
+
+echo "Retrieving system health..."
+status=$(anchore-cli --debug system status 2>&1)
+
+# IF status code is 200 AND all services are up
+if [[ ${status} =~ "httpcode from response: 200" && ${status} =~ "analyzer:8084): up" && ${status} =~ "simplequeue:8083): up" && ${status} =~ "policy:8087): up" && ${status} =~ "api:8228): up" && ${status} =~ "catalog:8082): up" ]]; then
+ echo "200 OK - all services up!"
+else
+ echo ${status}
+ sleep 10
+ exit 1
+fi
+
+echo "Initiating image analysis..."
+add=$(anchore-cli --debug image add docker.io/library/centos:latest 2>&1)
+
+# IF status code is 200
+if [[ ${add} =~ "httpcode from response: 200" ]]; then
+ echo "200 OK - image analysis initiated!"
+else
+ echo ${add}
+ sleep 10
+ exit 1
+fi
+
+echo "Waiting for image analysis to complete..."
+wait=$(anchore-cli --debug image wait docker.io/library/centos:latest 2>&1)
+
+# IF status code is 200
+if [[ ${wait} =~ "httpcode from response: 200" ]]; then
+ echo "200 OK - image analysis completed!"
+else
+ echo ${wait}
+ sleep 10
+ exit 1
+fi
+
+# List analyzed images
+echo "Listing analyzed images..."
+list=$(anchore-cli --debug image list 2>&1)
+
+# IF status code is 200
+if [[ ${list} =~ "httpcode from response: 200" ]]; then
+ echo "200 OK - image analysis stored!"
+else
+ echo ${list}
+ sleep 10
+ exit 1
+fi
\ No newline at end of file
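Review bot: The readiness loop passes the admin password on the curl command line, `-u "admin:${ANCHORE_CLI_PASS}"`, which is visible in `/proc/<pid>/cmdline` to anything that can list processes in the pod or on the node; read it from stdin instead, e.g. `curl -sw '%{http_code}' -K - -o /dev/null "${ANCHORE_CLI_URL}/swagger.json" <<< "user = \"admin:${ANCHORE_CLI_PASS}\""`. The loop also has no upper bound, so an API that never answers 200 hangs the helm test until something external kills the pod; a retry counter that exits non-zero after N attempts would surface that as a test failure. `image add docker.io/library/centos:latest` depends on reaching Docker Hub and analyses a mutable tag; pinning a digest, or using an Iron Bank image the environment already trusts, makes the test reproducible and lets it run in registry-restricted clusters. The `echo ${status}` / `${add}` / `${wait}` / `${list}` lines on the failure paths should quote the variable (`echo "${status}"`) so the multi-line debug output keeps its layout.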
diff --git a/chart/values.yaml b/chart/values.yaml index 398851e66a6feafebde4a391acda9ae474b93db9..bd8eda6b76e078e34460011c77e5293254965f8d 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -114,7 +114,7 @@ cloudsql: image: # set repo and image tag of gce-proxy repository: gcr.io/cloudsql-docker/gce-proxy - tag: 1.12 + tag: 1.22.0 pullPolicy: IfNotPresent # Create an ingress resource for all external anchore engine services (API & Enterprise UI). @@ -953,7 +953,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set anchore-ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.1 + image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.2 imagePullPolicy: IfNotPresent imagePullSecretName: private-registry @@ -1067,7 +1067,7 @@ anchore-ui-redis: # enabled: false # If 'enabled: false', specify an external redis endpoint - - # eg redis://:@hostname:6379 + # eg redis://nouser:@hostname:6379 externalEndpoint: Null # Pod configuration for the helm post-install-hook enterprise engine upgrade Job diff --git a/tests/cypress.json b/tests/cypress.json deleted file mode 100644 index d6a9f111d11ae8bc3d80a3a6c398fe1de8274ddb..0000000000000000000000000000000000000000 --- a/tests/cypress.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "pluginsFile": false, - "supportFile": false, - "fixturesFolder": false, - "env": { - "anchore_url": "anchore-api.bigbang.dev/v1/swagger.json" - } -} diff --git a/tests/cypress/integration/anchore-api-health.spec.js b/tests/cypress/integration/anchore-api-health.spec.js deleted file mode 100644 index 870ef729f19c9f2764e0a4d423c5a13ee831579a..0000000000000000000000000000000000000000 --- a/tests/cypress/integration/anchore-api-health.spec.js +++ /dev/null 
@@ -1,21 +0,0 @@ -describe('Basic Anchore API', function() { - beforeEach(() => { - cy.request(Cypress.env('anchore_url')).as('anchore-api'); - }); - it('Validate the header', () => { - cy.get('@anchore-api') - .its('headers') - .its('content-type') - .should('include', 'application/json'); - }); - it('Validate the status code', () => { - cy.get('@anchore-api') - .its('status') - .should('equal', 200); - }); - it('Validate API object', () => { - cy.get('@anchore-api') - .its('body') - .should('include', { basePath: '/v1' }); - }); -}) diff --git a/tests/test-values.yml b/tests/test-values.yml index c6c38ee883c5691b3c457d641af9757041cf9e8a..33f2d27510780912866bb18da4be04097d9d2a65 100644 --- a/tests/test-values.yml +++ b/tests/test-values.yml @@ -1,22 +1,30 @@ istio: enabled: true +bbtests: + scripts: + image: registry1.dso.mil/ironbank/anchore/cli/cli:0.9.1 + envs: + ANCHORE_CLI_URL: "http://{{ template \"anchore-engine.api.fullname\" . }}:{{ .Values.anchoreApi.service.port }}/v1" + ANCHORE_CLI_USER: admin + secretEnvs: + - name: ANCHORE_CLI_PASS + valueFrom: + secretKeyRef: + name: "{{ template \"anchore-engine.fullname\" . }}-admin-pass" + key: ANCHORE_ADMIN_PASSWORD + postgresql: - imagePullSecrets: private-registry-mil enabled: true -anchoreGlobal: - imagePullSecretName: private-registry-mil +# anchoreGlobal: anchoreAnalyzer: replicaCount: 1 -anchoreEnterpriseGlobal: - imagePullSecretName: private-registry-mil +# anchoreEnterpriseGlobal: + +# anchore-feeds-db: -anchore-feeds-db: - imagePullSecrets: private-registry-mil -anchore-ui-redis: - global: - imagePullSecrets: - - private-registry-mil +# anchore-ui-redis: +# global: \ No newline at end of file
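Review bot: The commented-out stanzas (`# anchoreGlobal:`, `# anchoreEnterpriseGlobal:`, `# anchore-feeds-db:`, `# anchore-ui-redis:` / `# global:`) are dead configuration that gives no hint why the `imagePullSecrets` / `imagePullSecretName` values they replaced were dropped; either delete them or keep a single comment stating the reason (presumably the pipeline now supplies registry1 pull credentials — confirm). The file also ends without a trailing newline. Quoting `ANCHORE_CLI_URL` is right, since the value begins with a `{{ template ... }}` expression that a YAML loader would otherwise read as a flow mapping.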