From 78397fa28573c45724fc424641807c15d63eddca Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Thu, 1 Jul 2021 12:33:14 -0400 Subject: [PATCH 01/14] bump version --- CHANGELOG.md | 5 + chart/Chart.yaml | 4 +- chart/Kptfile | 4 +- chart/README.md | 9 ++ chart/templates/catalog_deployment.yaml | 71 ++++++++- chart/templates/engine_configmap.yaml | 136 ++++++++++-------- .../templates/enterprise_feeds_configmap.yaml | 31 ++-- chart/values.yaml | 43 +++++- 8 files changed, 218 insertions(+), 85 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e2ce8ad..1a097db 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), --- +## [1.13.0-bb.0] +### Changed +- Bumped appVersion and Anchore Engine image tag to 0.10.0 +- Bumped Anchore Enterprise & Anchore Enterprise UI image tags to 3.1.0 + ## [1.12.16-bb.2] ### Changed - Separated network policies for required egress diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 09f3a49..48d8285 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: anchore-engine -version: 1.12.16-bb.2 -appVersion: 0.9.4 +version: 1.13.0-bb.0 +appVersion: 0.10.0 description: Anchore container analysis and policy evaluation engine service keywords: - analysis diff --git a/chart/Kptfile b/chart/Kptfile index 81dc50d..6415078 100644 --- a/chart/Kptfile +++ b/chart/Kptfile @@ -5,7 +5,7 @@ metadata: upstream: type: git git: - commit: e2f7ea00c4fa078b93608c95b31ce71a4038aa96 + commit: 1ab19c4642747cab4a6d300021325674ac0cb3d5 repo: https://github.com/anchore/anchore-charts directory: /stable/anchore-engine - ref: anchore-engine-1.12.16 + ref: anchore-engine-1.13.0 diff --git a/chart/README.md b/chart/README.md index 7c54421..c204723 100644 --- a/chart/README.md +++ b/chart/README.md 
@@ -73,6 +73,7 @@ anchoreGlobal: * Anchore reporting API * Notifications - Slack, GitHub, Jira, etc * Microsoft image vulnerability scanning + * Kubernetes runtime image inventory/scanning ``` ### Enabling Enterprise Services @@ -242,6 +243,14 @@ See the anchore-engine [CHANGELOG](https://github.com/anchore/anchore-engine/blo A Helm post-upgrade hook job will shut down all previously running Anchore services and perform the Anchore DB upgrade process using a kubernetes job. The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful helm upgrade. +## Chart version 1.13.0 + +--- + +* Anchore Engine image updated to v0.10.0 - [Release Notes](https://engine.anchore.io/docs/releasenotes/0100/) +* Anchore Enterprise image updated to v3.1.0 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/310/) +* If utilizing the Enterprise Runtime Inventory feature, the catalog service can now be configured to automatically setup RBAC for image discovery within the cluster. This is configured under `.Values.anchoreCatalog.runtimeInventory` + ## Chart version 1.12.0 --- diff --git a/chart/templates/catalog_deployment.yaml b/chart/templates/catalog_deployment.yaml index 77efe1b..383dcfd 100644 --- a/chart/templates/catalog_deployment.yaml +++ b/chart/templates/catalog_deployment.yaml 
@@ -219,8 +219,10 @@ spec: tolerations: {{ toYaml . | nindent 8 }} {{- end }} - {{- with .Values.anchoreGlobal.serviceAccountName }} - serviceAccountName: {{ . }} + {{- if .Values.anchoreGlobal.serviceAccountName }} + serviceAccountName: {{ .Values.anchoreGlobal.serviceAccountName }} + {{- else if .Values.anchoreCatalog.createServiceAccount }} + serviceAccountName: {{ template "anchore-engine.catalog.fullname" . }} {{- end }} --- 
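Review bot: The new `{{- else if .Values.anchoreCatalog.createServiceAccount }}` branch points the Deployment at the catalog ServiceAccount whenever `createServiceAccount` is true, but the ServiceAccount itself (next hunk, `@@ -254`) is only rendered when `createServiceAccount` and `runtimeInventory.reportAnchoreCluster.enabled` are both true. With `createServiceAccount: true` and `reportAnchoreCluster.enabled: false` the pod spec references a ServiceAccount that does not exist and the ReplicaSet cannot create pods. Gate both places on the same condition, e.g. `{{- else if and .Values.anchoreCatalog.createServiceAccount .Values.anchoreCatalog.runtimeInventory.reportAnchoreCluster.enabled }}`, or drop the `reportAnchoreCluster` term from the resource block so the account always exists when it is named. The enclosing Deployment spec starts before this hunk.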
@@ -254,3 +256,68 @@ spec: selector: app: {{ template "anchore-engine.fullname" . }} component: {{ $component }} + +{{- if and .Values.anchoreCatalog.createServiceAccount .Values.anchoreCatalog.runtimeInventory.reportAnchoreCluster.enabled }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "anchore-engine.catalog.fullname" . }} + labels: + {{- with .Values.anchoreCatalog.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreGlobal.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreCatalog.annotations }} + annotations: + {{ toYaml . | nindent 4 }} + {{- end }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "anchore-engine.catalog.fullname" . }} + labels: + {{- with .Values.anchoreCatalog.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreGlobal.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreCatalog.annotations }} + annotations: + {{ toYaml . | nindent 4 }} + {{- end }} +rules: +- apiGroups: [""] + resources: ["pods","namespaces"] + verbs: ["get", "watch", "list"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "anchore-engine.catalog.fullname" . }} + labels: + {{- with .Values.anchoreCatalog.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreGlobal.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.anchoreCatalog.annotations }} + annotations: + {{ toYaml . | nindent 4 }} + {{- end }} +subjects: + - kind: ServiceAccount + name: {{ template "anchore-engine.catalog.fullname" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ template "anchore-engine.catalog.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} \ No newline at end of file 
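Review bot: The ClusterRole and ClusterRoleBinding take their name from `anchore-engine.catalog.fullname`, which embeds the release name but not the namespace, so two installs with the same release name in different namespaces conflict on the same cluster-scoped objects and the second install fails on the existing ClusterRole. Suffixing the two cluster-scoped names with `-{{ .Release.Namespace }}` avoids that; the ServiceAccount is namespaced and can keep its name. Separately, the role grants `get/watch/list` on pods and namespaces across the whole cluster while `runtimeInventory.reportAnchoreCluster` already carries a `namespaces` list in values.yaml; if inventory can be limited to named namespaces, per-namespace Role/RoleBindings would keep the catalog account at least privilege. A one-line comment above `rules:` saying the read-only cluster access exists solely for the runtime inventory feature would help the next reviewer of this RBAC.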
diff --git a/chart/templates/engine_configmap.yaml b/chart/templates/engine_configmap.yaml index 8046f5d..6ed4e6b 100644 --- a/chart/templates/engine_configmap.yaml +++ b/chart/templates/engine_configmap.yaml @@ -1,3 +1,14 @@ +{{ $anchoreFeedsURL := "https://ancho.re/v1/service/feeds" }} +{{- if .Values.anchoreEnterpriseFeeds.url }} +{{- $anchoreFeedsURL = .Values.anchoreEnterpriseFeeds.url }} +{{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} +{{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} +{{- $anchoreFeedsURL = (printf "https://%s:%s/v1/feeds" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) }} +{{- else }} +{{- $anchoreFeedsURL = (printf "http://%s:%s/v1/feeds" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) }} +{{- end }} +{{- end }} + kind: ConfigMap apiVersion: v1 metadata: @@ -28,7 +39,7 @@ data: global_client_connect_timeout: {{ default 0 .Values.anchoreGlobal.clientConnectTimeout }} global_client_read_timeout: {{ default 0 .Values.anchoreGlobal.clientReadTimeout }} - max_compressed_image_size_mb: {{ default -1 .Values.anchoreGlobal.maxCompressedImageSizeMB }} + server_request_timeout_seconds: {{ .Values.anchoreGlobal.serverRequestTimeout }} metrics: enabled: {{ .Values.monitoring.enabled }} 
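Review bot: The opening `{{ $anchoreFeedsURL := "https://ancho.re/v1/service/feeds" }}` has no whitespace trim, so the rendered ConfigMap starts with an empty line before `kind: ConfigMap`; the rest of the block uses `{{-`, and the first line should too: `{{- $anchoreFeedsURL := "https://ancho.re/v1/service/feeds" }}`. It would also help to add a comment above the variable noting that the public `ancho.re` endpoint is the fallback whenever neither `anchoreEnterpriseFeeds.url` nor the in-cluster enterprise feeds service is configured, since that is the URL an egress policy has to allow.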
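Review bot: `server_request_timeout_seconds: {{ .Values.anchoreGlobal.serverRequestTimeout }}` is the only setting in this group rendered without a `default`, so an override that blanks or omits `serverRequestTimeout` produces `server_request_timeout_seconds:` with a null value, unlike its neighbours which fall back to `0`. values.yaml in this series seeds it with 60; mirror that here: `server_request_timeout_seconds: {{ default 60 .Values.anchoreGlobal.serverRequestTimeout }}`.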
@@ -37,66 +48,14 @@ data: webhooks: {{- toYaml .Values.anchoreGlobal.webhooks | nindent 6 }} {{ end }} - # Configure what feeds to sync. - # The sync will hit http://ancho.re/feeds, if any outbound firewall config needs to be set in your environment. - feeds: - sync_enabled: true - selective_sync: - # If enabled only sync specific feeds instead of all that are found. - enabled: true - feeds: - {{- if .Values.anchoreEnterpriseGlobal.enabled }} - github: {{ .Values.anchoreEnterpriseFeeds.githubDriverEnabled }} - {{- else }} - github: {{ default "true" .Values.anchoreGlobal.syncGithub }} - {{- end }} - # Vulnerabilities feed is the feed for distro cve sources (redhat, debian, ubuntu, oracle, alpine....) - vulnerabilities: {{ default "true" .Values.anchoreGlobal.syncVulnerabilites }} - # NVD Data is used for non-distro CVEs (jars, npm, etc) that are not packaged and released by distros as rpms, debs, etc - nvdv2: {{ default "true" .Values.anchoreGlobal.syncNvd }} - # Warning: enabling the package sync causes the service to require much - # more memory to do process the significant data volume. We recommend at least 4GB available for the container - {{- if and (and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled) (or .Values.anchoreEnterpriseFeeds.gemDriverEnabled .Values.anchoreEnterpriseFeeds.npmDriverEnabled) }} - packages: true - {{- else }} - packages: {{ default "false" .Values.anchoreGlobal.syncPackages }} - {{- end }} - # Enabling vulndb syncs vulndb vulnerability data from an on-premise anchore enterprise feeds service. Please contact - # anchore support for finding out more about this service - {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} - vulndb: {{ default "true" .Values.anchoreEnterpriseFeeds.vulndbDriverEnabled }} - # Enabling microsoft syncs MSRC data from an on-premise anchore enterprise feeds service. 
Please contact - # anchore support for finding out more about this service - microsoft: {{ .Values.anchoreEnterpriseFeeds.msrcDriverEnabled }} - {{- else }} - vulndb: false - microsoft: false - {{- end }} - {{- if .Values.anchoreEnterpriseFeeds.url }} - url: "{{- .Values.anchoreEnterpriseFeeds.url }}" - ssl_verify: {{ .Values.anchoreGlobal.internalServicesSsl.verifyCerts }} - client_url: - token_url: - {{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} - {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} - url: "https://{{- template "anchore-engine.enterprise-feeds.fullname" . }}:{{- .Values.anchoreEnterpriseFeeds.service.port }}/v1/feeds" - {{- else }} - url: "http://{{- template "anchore-engine.enterprise-feeds.fullname" . }}:{{- .Values.anchoreEnterpriseFeeds.service.port }}/v1/feeds" - {{- end }} - ssl_verify: {{ .Values.anchoreGlobal.internalServicesSsl.verifyCerts }} - client_url: - token_url: - {{- else }} - client_url: "https://ancho.re/v1/account/users" - token_url: "https://ancho.re/oauth/token" - anonymous_user_username: anon@ancho.re - anonymous_user_password: pbiU2RYZ2XrmYQ - {{- end }} - connection_timeout_seconds: {{ default 3 .Values.anchoreGlobal.feedsConnectionTimeout }} - read_timeout_seconds: {{ default 180 .Values.anchoreGlobal.feedsReadTimeout }} + default_admin_password: ${ANCHORE_ADMIN_PASSWORD} default_admin_email: {{ .Values.anchoreGlobal.defaultAdminEmail }} + # Defines a maximum compressed image size (MB) to be added for analysis + # Value < 0 disables feature. Disabled by default + max_compressed_image_size_mb: {{ default -1 .Values.anchoreGlobal.maxCompressedImageSizeMB }} + # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. 
If all are set then the keys take precedence over the secret value # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs. keys: @@ -188,6 +147,7 @@ data: ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}" ssl_key: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretKeyName }}" {{- end }} + enable_owned_package_filtering: {{ .Values.anchoreAnalyzer.enableOwnedPackageFiltering }} catalog: enabled: true require_auth: true @@ -219,6 +179,7 @@ data: # Interval between checks to repo for new tags repo_watcher: {{ .Values.anchoreCatalog.cycleTimers.repo_watcher }} k8s_watcher: {{ .Values.anchoreCatalog.cycleTimers.k8s_watcher }} + k8s_image_watcher: {{ .Values.anchoreCatalog.cycleTimers.k8s_image_watcher }} event_log: {{- toYaml .Values.anchoreCatalog.events | nindent 10 }} analysis_archive: @@ -230,6 +191,10 @@ data: ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}" ssl_key: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretKeyName }}" {{- end }} + {{- if .Values.anchoreEnterpriseGlobal.enabled }} + runtime_compliance: + object_store_bucket: "runtime_compliance_check" + {{- end }} runtime_inventory: image_ttl_days: {{ .Values.anchoreCatalog.runtimeInventory.imageTTLDays }} kubernetes: 
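Review bot: Removing the `feeds:` block also removes the comment that warned the sync reaches `http://ancho.re/feeds` and may need outbound firewall configuration, and nothing equivalent accompanies the replacement `vulnerabilities.sync` block under policy_engine (`@@ -260`), which now also fetches from `https://toolbox-data.anchore.io`. In a chart that ships egress NetworkPolicies (`chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml`, touched later in this series) that note is what an operator needs to open the right egress, so I would restore it above the new sync block, e.g. `# The sync below reaches the feed URLs listed under data (ancho.re and toolbox-data.anchore.io by default); allow egress to them if outbound traffic is restricted.` The `max_compressed_image_size_mb` line re-added here is the one dropped in `@@ -28`, so that part is a pure move.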
@@ -260,6 +225,61 @@ data: cycle_timer_seconds: 1 cycle_timers: {{- toYaml .Values.anchorePolicyEngine.cycleTimers | nindent 10 }} + vulnerabilities: + provider: {{ .Values.anchorePolicyEngine.vulnerabilityProvider }} + sync: + enabled: true + ssl_verify: {{ .Values.anchoreGlobal.internalServicesSsl.verifyCerts }} + connection_timeout_seconds: {{ default 3 .Values.anchoreGlobal.feedsConnectionTimeout }} + read_timeout_seconds: {{ default 180 .Values.anchoreGlobal.feedsReadTimeout }} + data: + # grypedb feed is synced if the provider is set to grype. All the remaining feeds except for packages are ignored even if they are enabled + grypedb: + enabled: true + url: "https://toolbox-data.anchore.io/grype/databases/listing.json" + # The following feeds are synced if provider is set to legacy + # Vulnerabilities feed is the feed for distro cve sources (redhat, debian, ubuntu, oracle, alpine....) + vulnerabilities: + enabled: {{ default "true" .Values.anchoreGlobal.syncVulnerabilites }} + url: {{ $anchoreFeedsURL }} + # NVD Data is used for non-distro CVEs (jars, npm, etc) that are not packaged and released by distros as rpms, debs, etc + nvdv2: + enabled: {{ default "true" .Values.anchoreGlobal.syncNvd }} + url: {{ $anchoreFeedsURL }} + github: + {{- if .Values.anchoreEnterpriseGlobal.enabled }} + enabled: {{ .Values.anchoreEnterpriseFeeds.githubDriverEnabled }} + {{- else }} + enabled: {{ default "true" .Values.anchoreGlobal.syncGithub }} + {{- end }} + url: {{ $anchoreFeedsURL }} + # Warning: enabling the packages and nvd sync causes the service to require much more memory to do process the significant data volume. 
We recommend at least 4GB available for the container + # packages feed is synced if it is enabled regardless of the provider + packages: + {{- if and (and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled) (or .Values.anchoreEnterpriseFeeds.gemDriverEnabled .Values.anchoreEnterpriseFeeds.npmDriverEnabled) }} + enabled: true + {{- else }} + enabled: {{ default "false" .Values.anchoreGlobal.syncPackages }} + {{- end }} + url: {{ $anchoreFeedsURL }} + {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} + vulndb: + enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.vulndbDriverEnabled }} + url: {{ $anchoreFeedsURL }} + {{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreGlobal.syncVulnDB }} + vulndb: + enabled: true + url: {{ $anchoreFeedsURL }} + {{- end }} + {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} + microsoft: + enabled: {{ .Values.anchoreEnterpriseFeeds.msrcDriverEnabled }} + url: {{ $anchoreFeedsURL }} + {{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreGlobal.syncMSRC }} + microsoft: + enabled: true + url: {{ $anchoreFeedsURL }} + {{- end }} {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}" diff --git a/chart/templates/enterprise_feeds_configmap.yaml b/chart/templates/enterprise_feeds_configmap.yaml index 6a78e53..47a5f6a 100644 --- a/chart/templates/enterprise_feeds_configmap.yaml +++ b/chart/templates/enterprise_feeds_configmap.yaml 
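Review bot: `ssl_verify: {{ .Values.anchoreGlobal.internalServicesSsl.verifyCerts }}` now sits at the `sync` level, above every feed URL including the public defaults (`https://ancho.re/...` and the hard-coded `https://toolbox-data.anchore.io/grype/databases/listing.json`); the removed config in `@@ -37` only applied that flag in the two branches that point at an internal feeds service. `internalServicesSsl.verifyCerts` is a knob for self-signed in-cluster certificates, and if `sync.ssl_verify` governs every URL below it (which the layout suggests), setting it to false would also disable certificate verification for vulnerability data downloaded from the public internet. I would only apply the internal setting when the feed URL is internal and otherwise verify. The grype database URL is also duplicated verbatim in enterprise_feeds_configmap.yaml (`@@ -140`); a single value (proposed name, e.g. `anchoreEnterpriseFeeds.grypeDbUrl`) would let air-gapped installs point both at a mirror.
```yaml
        sync:
          enabled: true
          {{- if or .Values.anchoreEnterpriseFeeds.url (and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled) }}
          ssl_verify: {{ .Values.anchoreGlobal.internalServicesSsl.verifyCerts }}
          {{- else }}
          # public feed endpoints: always verify certificates
          ssl_verify: true
          {{- end }}
          # … unchanged: timeouts and data section …
```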
@@ -18,6 +18,7 @@ data: # Anchore Enterprise Service Configuration File # General system-wide configuration options, these should not need to # be altered for basic operation + service_dir: {{ .Values.anchoreGlobal.serviceDir }} tmp_dir: {{ .Values.anchoreGlobal.scratchVolume.mountPath }} log_level: {{ .Values.anchoreGlobal.logLevel }} 
@@ -96,32 +97,31 @@ data: api_only: {{ default "false" .Values.anchoreEnterpriseFeeds.apiOnly }} drivers: # Configuration section for drivers collecting and processing feed data. - # All drivers are enabled by default unless explicitly disabled. npm and gem drivers are explicitly disabled out of the box - npm: - enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.npmDriverEnabled }} - gem: - # rubygem data comes packaged as a PostgreSQL dump file. gem driver loads the pg dump and normalizes the data. - # To enable gem driver comment the enabled property and uncomment the db_connect property. - enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.gemDriverEnabled }} - db_connect: {{ default "'postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/gems'" .Values.anchoreEnterpriseFeeds.gemDbEndpoint }} + # All drivers are enabled by default unless explicitly disabled. amzn: enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.amazonDriverEnabled }} + alpine: + enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.alpineDriverEnabled }} centos: enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.centosDriverEnabled }} debian: enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.debianDriverEnabled }} + ol: + enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.olDriverEnabled }} ubuntu: enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.ubuntuDriverEnabled }} rhel: enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.rhelDriverEnabled }} - ol: - enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.olDriverEnabled }} - alpine: - enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.alpineDriverEnabled }} - snyk: - enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.snykDriverEnabled }} nvddb: enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.nvdDriverEnabled }} + # npm and gem drivers are explicitly disabled out of the box + npm: + enabled: {{ default "false" 
.Values.anchoreEnterpriseFeeds.npmDriverEnabled }} + gem: + # rubygem data comes packaged as a PostgreSQL dump file. gem driver loads the pg dump and normalizes the data. + # To enable gem driver comment the enabled property and uncomment the db_connect property. + enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.gemDriverEnabled }} + db_connect: {{ default "'postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/gems'" .Values.anchoreEnterpriseFeeds.gemDbEndpoint }} nvdv2: enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled }} vulndb: @@ -140,6 +140,9 @@ data: enabled: true token: ${ANCHORE_GITHUB_TOKEN} {{- end }} + grypedb: + enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.grypeDriverEnabled }} + external_feeds_url: "https://toolbox-data.anchore.io/grype/databases/listing.json" {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}" diff --git a/chart/values.yaml b/chart/values.yaml index 3a07a25..ccbf60e 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -166,14 +166,14 @@ ingress: # Global configuration shared by all anchore-engine services. anchoreGlobal: # Image used for all anchore engine deployments (excluding enterprise components). - image: registry1.dso.mil/ironbank/anchore/engine/engine:0.9.4 + image: registry1.dso.mil/ironbank/anchore/engine/engine:0.10.0 imagePullPolicy: IfNotPresent # Set image pull secret name if using an anchore-engine image from a private registry imagePullSecretName: private-registry # Specify a service account name utilized to run all Anchore pods - serviceAccountName: + serviceAccountName: Null # Set this value to true to setup the chart for OpenShift deployment compatibility. openShiftDeployment: false 
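Review bot: The `snyk:` driver entry is dropped from the rendered feeds configuration, but neither the commit message ("bump version") nor the CHANGELOG hunk records it, and the removed line shows it was driven by `anchoreEnterpriseFeeds.snykDriverEnabled`, which presumably still exists in values.yaml and is now silently ignored. Add a CHANGELOG line such as `- Removed snyk feeds driver from the enterprise feeds configuration` and either delete the orphaned value or comment it as unused. The rest of the hunk is a reorder of the existing driver entries.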
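Review bot: `external_feeds_url: "https://toolbox-data.anchore.io/grype/databases/listing.json"` is a new outbound destination hard-coded into the feeds service and repeated verbatim in engine_configmap.yaml (`@@ -260`), with no way to point it at a mirror or to document it for egress rules. I would render it from a single value (proposed name, e.g. `anchoreEnterpriseFeeds.grypeDbUrl`, defaulting to this URL) and mention the endpoint in the README's upgrade notes for 1.13.0 so operators with restricted egress know to allow it.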
@@ -238,6 +238,10 @@ anchoreGlobal: # If true, when a user adds an ECR registry with username = awsauto then the system will look for an instance profile to use for auth against the registry allowECRUseIAMRole: false + # Twisted has a global server side timeout on all established connections which defaults to 60, anything lasting longer + # than this (+ a 15 min abort final timeout) will have the connection killed by twisted + serverRequestTimeout: 60 + # Enable prometheus metrics enableMetrics: false @@ -370,6 +374,11 @@ anchoreAnalyzer: # For more info see - https://docs.anchore.com/current/docs/engine/engine_installation/configuration/content_hints enableHints: false + # If enabled, the Anchore Analyzer will filter packages out that are contained by others. (e.g. a python package installed by an RPM using yum or dnf). + # When disabled, the Anchore Analyzer will report all packages as content regardless of "containership". In the above example, this would cause the + # python package to be returned as it's own entry in the image's content. + enableOwnedPackageFiltering: true + configFile: # Anchore analyzer config file # @@ -494,6 +503,7 @@ anchoreCatalog: image_gc: 60 # Interval for the runtime inventory image execution poll k8s_watcher: 300 + k8s_image_watcher: 150 # Event log configuration for webhooks events: 
@@ -621,6 +631,13 @@ anchoreCatalog: tolerations: [] affinity: {} + # If enabled, the Anchore Helm Chart will create a Service Account with read-only permission to the cluster (pods & namespaces) + # This is largely to support the Out-Of-The-Box Runtime Inventory feature currently. See catalog_deployment.yaml for + # detailed information on the Service Account, Cluster Role & Binding. + # If using an existing service account, leave this value set to `false` & use anchoreGlobal.serviceAccountName to specify + # what service account to use. Existing service account must have adequate permissions to use this feature. + createServiceAccount: false + runtimeInventory: # This setting tells Anchore how long an image can be missing from an inventory report before it is removed from # The working set. Note: The image will still have a historical record in the reports service, subject to data history @@ -630,8 +647,14 @@ anchoreCatalog: # Since Anchore is running in Kubernetes, we can collect runtime inventory data out of the box reportAnchoreCluster: - # If set to true, Anchore will use its own service-account to try and collect runtime inventory data for all namespaces - # Note: requires a value for clusterName to populate inventory image context + # If set to true, Anchore will use its own service account's permissions + # (if anchoreCatalog.createServiceAccount is true, see `catalog_deployment.yaml`) to try and collect runtime + # inventory data for all namespaces. + # + # Note: this feature requires a value for clusterName to populate inventory image context + # Note: If anchoreCatalog.createServiceAccount is set to false, and anchoreGlobal.serviceAccountName is unspecified, + # then the Anchore Catalog service won't have enough permission to be able to read cluster information + # (pods & namespaces) for the embedded runtime inventory. enabled: true clusterName: anchore-k8s namespaces: 
@@ -652,6 +675,12 @@ anchorePolicyEngine: feed_sync: 14400 # Interval between checks to see if there needs to be a task queued feed_sync_checker: 3600 + # 1 minute between checks to verify local grype-db is up to date + grypedb_sync: 60 + + # Available providers are legacy and grype. Legacy provider offers the same matching logic as previous versions of anchore-engine (<= 0.9.4) + # grype is a new provider that was introduced in 1.0.0, it uses the grype tool for all things vulnerabilities + vulnerabilityProvider: legacy # kubernetes service configuration for anchore policy engine api service: @@ -719,7 +748,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.3 + image: registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.1.0 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. # Create this secret with the following command - kubectl create secret docker-registry anchore-dockerhub-creds --docker-server=docker.io --docker-username= --docker-password= --docker-email= @@ -778,7 +807,7 @@ anchoreEnterpriseFeeds: # If enabled is set to false, set anchore-feeds-db.enabled to false to ensure that helm doesn't stand up a unneccessary postgres instance. enabled: true - # Set custom feeds URL if multiple Anchore deployments are using the same feeds service + # Set custom feeds URL if multiple Anchore deployments are using the same internal feeds service. url: "" # Enable github advisory feeds 
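Review bot: The new comment on `vulnerabilityProvider` says the grype provider "was introduced in 1.0.0", but this chart pins the engine image at 0.10.0 (`anchoreGlobal.image` in `@@ -166`), so a reader cannot tell whether `grype` is a valid choice for the shipped image. This looks like upstream text copied as-is; either correct the version to the engine release that actually added the provider, or state plainly which values are valid for 0.10.0, e.g. `# Available providers are legacy and grype; legacy keeps the matching logic of previous anchore-engine releases (<= 0.9.4).`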
@@ -968,7 +997,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set anchore-ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.3 + image: registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.1.0 imagePullPolicy: IfNotPresent imagePullSecretName: private-registry -- GitLab From 5c3180fd64084502c431ed73ec589972e33408e3 Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Thu, 1 Jul 2021 15:26:17 -0400 Subject: [PATCH 02/14] fixed ui NP --- CHANGELOG.md | 2 ++ .../bigbang/networkpolicies/allow-egress-from-pods.yaml | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1a097db..c6a9db2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), ### Changed - Bumped appVersion and Anchore Engine image tag to 0.10.0 - Bumped Anchore Enterprise & Anchore Enterprise UI image tags to 3.1.0 +### Fixed +- conditional in network policy for enterprise-ui component ## [1.12.16-bb.2] ### Changed diff --git a/chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml b/chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml index 34ed248..c978eb0 100644 --- a/chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml 
@@ -132,10 +132,10 @@ spec: except: - 169.254.169.254/32 {{- end }} -{{- if and (hasKey (index .Values "anchore-ui-redis") "enabled") }} -{{- if and (not (index .Values "anchore-ui-redis" "enabled")) .Values.anchoreEnterpriseGlobal.enabled }} +{{- if or (hasKey (index .Values "anchore-ui-redis") "enabled") (hasKey .Values.postgresql "enabled") }} +{{- if and (or (not (index .Values "anchore-ui-redis" "enabled")) (if (not .Values.postgresql.enabled))) .Values.anchoreEnterpriseGlobal.enabled }} --- -# if external redis is enabled, the ui pod will require egress as it depends on redis +# if external redis is enabled OR external postgres is enabled, the ui pod will require egress as it depends on redis and interacts with the db to perform specific functions such as SAML apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: -- GitLab From f7fe16589c7e2369c45d12d1f25c7ae4ff41db2e Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Thu, 1 Jul 2021 15:37:34 -0400 Subject: [PATCH 03/14] fix syntax --- .../bigbang/networkpolicies/allow-egress-from-pods.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml b/chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml index c978eb0..9509900 100644 --- a/chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml +++ b/chart/templates/bigbang/networkpolicies/allow-egress-from-pods.yaml 
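Review bot: The outer guard on the first added line now only requires one of the two keys to exist (`or`), yet the line after it dereferences both `index .Values "anchore-ui-redis" "enabled"` and `.Values.postgresql.enabled`; if `anchore-ui-redis` is ever absent from the merged values, `index` on a nil map fails at render time instead of evaluating to false (Go's `index` rejects untyped nil, as far as I know). Since the policy is only meaningful when both sections are present, keep the guard conjunctive: `{{- if and (hasKey (index .Values "anchore-ui-redis") "enabled") (hasKey .Values.postgresql "enabled") }}`. The NetworkPolicy that follows continues past this hunk.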
@@ -133,7 +133,7 @@ spec: - 169.254.169.254/32 {{- end }} {{- if or (hasKey (index .Values "anchore-ui-redis") "enabled") (hasKey .Values.postgresql "enabled") }} -{{- if and (or (not (index .Values "anchore-ui-redis" "enabled")) (if (not .Values.postgresql.enabled))) .Values.anchoreEnterpriseGlobal.enabled }} +{{- if and (or (not (index .Values "anchore-ui-redis" "enabled")) (not .Values.postgresql.enabled)) .Values.anchoreEnterpriseGlobal.enabled }} --- # if external redis is enabled OR external postgres is enabled, the ui pod will require egress as it depends on redis and interacts with the db to perform specific functions such as SAML apiVersion: networking.k8s.io/v1 -- GitLab From 1c74fb91521c0735a5f5d6b638881b463cc0a5db Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Thu, 1 Jul 2021 16:38:48 -0400 Subject: [PATCH 04/14] remove annotation --- chart/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index ccbf60e..77ccead 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -185,8 +185,8 @@ anchoreGlobal: # Add common annotations to set on all pods. Useful expecially when inject secrets directly into pods as ENV from vault via mutation-webhook-injection method. # Ref: https://banzaicloud.com/docs/bank-vaults/mutating-webhook/ - annotations: - traffic.sidecar.istio.io/excludeOutboundPorts: "5432" + annotations: {} + # traffic.sidecar.istio.io/excludeOutboundPorts: "5432" # vault.security.banzaicloud.io/vault-addr: "https://vault:8200" # vault.security.banzaicloud.io/vault-tls-secret: "vault-tls" -- GitLab From 9a814083fb4076977fbce6dae39bd62cdabda70e Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Fri, 2 Jul 2021 11:24:38 -0400 Subject: [PATCH 05/14] testing default values --- chart/values.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index 77ccead..819bf6b 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
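Review bot: Commenting out `traffic.sidecar.istio.io/excludeOutboundPorts: "5432"` changes the default data path for database traffic when an Istio sidecar is injected (port 5432 is no longer bypassed and presumably now traverses the sidecar), and neither the commit message nor the CHANGELOG says why. The "testing" commits that follow in this series appear to chase database connectivity, so the rationale matters for anyone hitting the same problem; record it next to the setting, e.g. `# 5432 is left in the mesh by default; add excludeOutboundPorts: "5432" only if the sidecar breaks the DB connection.`, and add a CHANGELOG line for the changed default.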
@@ -63,7 +63,7 @@ sso: # Anchore engine has a dependency on Postgresql, configure here postgresql: # Use Ironbank image + pull secrets - image: registry1.dso.mil/ironbank/opensource/postgres/postgresql96:9.6.18 + image: registry1.dso.mil/ironbank/opensource/postgres/postgresql12:12.7 imagePullSecrets: private-registry # To use an external DB or Google CloudSQL in GKE, uncomment & set 'enabled: false' # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres @@ -81,14 +81,14 @@ postgresql: persistence: resourcePolicy: nil size: 20Gi - subPath: "pgdata" - mountPath: /var/lib/postgresql + # subPath: "pgdata" + # mountPath: /var/lib/postgresql # Set the configs to allow listening and connecting from other pods - postgresConfig: {"listen_addresses": "*"} - pgHbaConf: |- - local all all md5 - host all all all md5 + # postgresConfig: {"listen_addresses": "*"} + # pgHbaConf: |- + # local all all md5 + # host all all all md5 # If running on OpenShift - uncomment the image, imageTag & extraEnv values below. # image: registry.access.redhat.com/rhscl/postgresql-96-rhel7 -- GitLab From df4480f64dfae08edbc9d711a5dc05c7d757d422 Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Fri, 2 Jul 2021 11:45:06 -0400 Subject: [PATCH 06/14] test postgres mount --- chart/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index 819bf6b..99fcd8b 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -81,8 +81,8 @@ postgresql: persistence: resourcePolicy: nil size: 20Gi - # subPath: "pgdata" - # mountPath: /var/lib/postgresql + subPath: "pgdata" + mountPath: /var/lib/postgresql # Set the configs to allow listening and connecting from other pods # postgresConfig: {"listen_addresses": "*"} -- GitLab From b9a7d98feb6828c00fc4d46f3e14dd639b4e0730 Mon Sep 17 00:00:00 2001 
From: bhearn7 Date: Fri, 2 Jul 2021 12:16:16 -0400 Subject: [PATCH 07/14] test pgConf --- chart/values.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/chart/values.yaml b/chart/values.yaml index 99fcd8b..92045bc 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -86,7 +86,9 @@ postgresql: # Set the configs to allow listening and connecting from other pods # postgresConfig: {"listen_addresses": "*"} - # pgHbaConf: |- + pgHbaConf: |- + local all all trust + host all all localhost trust # local all all md5 # host all all all md5 -- GitLab From bdfe634493282421941048acf4ec4ca8154e3855 Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Fri, 2 Jul 2021 12:36:20 -0400 Subject: [PATCH 08/14] test pgConf --- chart/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index 92045bc..c408150 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -85,10 +85,10 @@ postgresql: mountPath: /var/lib/postgresql # Set the configs to allow listening and connecting from other pods - # postgresConfig: {"listen_addresses": "*"} - pgHbaConf: |- - local all all trust - host all all localhost trust + postgresConfig: {"listen_addresses": "*"} + # pgHbaConf: |- + # local all all trust + # host all all localhost trust # local all all md5 # host all all all md5 -- GitLab From 5a19252865ea3fa8bb374087cd73c05e6256fdd0 Mon Sep 17 00:00:00 2001 From: bhearn7 Date: Fri, 2 Jul 2021 13:08:20 -0400 Subject: [PATCH 09/14] revert changes --- chart/values.yaml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index c408150..77ccead 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
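Review bot: `local all all trust` and `host all all localhost trust` turn off password authentication for every role on the local socket and loopback, so this `pgHbaConf` must not ship even as a throwaway default. PATCH 09 in this series restores the `md5` lines, but as submitted the `trust` configuration still lands in history; squash PATCH 05 through 09 into one commit so the series carries only the final values, or drop them altogether since their net change is zero.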
@@ -63,7 +63,7 @@ sso:
 # Anchore engine has a dependency on Postgresql, configure here
 postgresql:
 # Use Ironbank image + pull secrets
- image: registry1.dso.mil/ironbank/opensource/postgres/postgresql12:12.7
+ image: registry1.dso.mil/ironbank/opensource/postgres/postgresql96:9.6.18
 imagePullSecrets: private-registry
 # To use an external DB or Google CloudSQL in GKE, uncomment & set 'enabled: false'
 # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres
@@ -86,11 +86,9 @@ postgresql:
 # Set the configs to allow listening and connecting from other pods
 postgresConfig: {"listen_addresses": "*"}
- # pgHbaConf: |-
- # local all all trust
- # host all all localhost trust
- # local all all md5
- # host all all all md5
+ pgHbaConf: |-
+ local all all md5
+ host all all all md5
 # If running on OpenShift - uncomment the image, imageTag & extraEnv values below.
 # image: registry.access.redhat.com/rhscl/postgresql-96-rhel7
-- 
GitLab

From fb5a886b62a419297a34868cffd91e70603772af Mon Sep 17 00:00:00 2001
From: bhearn7
Date: Fri, 2 Jul 2021 13:39:37 -0400
Subject: [PATCH 10/14] testing

---
 chart/templates/engine_configmap_env.yaml | 3 ++-
 chart/templates/engine_upgrade_job.yaml | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/chart/templates/engine_configmap_env.yaml b/chart/templates/engine_configmap_env.yaml
index eff162d..5df021f 100644
--- a/chart/templates/engine_configmap_env.yaml
+++ b/chart/templates/engine_configmap_env.yaml
@@ -18,5 +18,6 @@ data:
 {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "postgresql" "enabled")) }}
 ANCHORE_DB_HOST: "localhost:5432"
 {{- else }}
- ANCHORE_DB_HOST: "{{ template "postgres.fullname" . }}:5432"
+ ANCHORE_DB_HOST: "{{ template "postgres.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:5432"
+ # ANCHORE_DB_HOST: "{{ template "postgres.fullname" . }}:5432"
 {{- end }}
diff --git a/chart/templates/engine_upgrade_job.yaml b/chart/templates/engine_upgrade_job.yaml
index dfe591d..a077813 100644
--- a/chart/templates/engine_upgrade_job.yaml
+++ b/chart/templates/engine_upgrade_job.yaml
@@ -75,6 +75,7 @@ spec:
 anchore-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask;
 {{- else }}
 - |
+ sleep 60
 anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
 {{- end }}
 {{- if .Values.cloudsql.enabled }}
-- 
GitLab

From fb63a8a2288342d528da3c5382dcc85c7eadf47b Mon Sep 17 00:00:00 2001
From: bhearn7
Date: Fri, 2 Jul 2021 14:03:34 -0400
Subject: [PATCH 11/14] revert upgrade job modification

---
 chart/templates/engine_upgrade_job.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/chart/templates/engine_upgrade_job.yaml b/chart/templates/engine_upgrade_job.yaml
index a077813..dfe591d 100644
--- a/chart/templates/engine_upgrade_job.yaml
+++ b/chart/templates/engine_upgrade_job.yaml
@@ -75,7 +75,6 @@ spec:
 anchore-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask;
 {{- else }}
 - |
- sleep 60
 anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
 {{- end }}
 {{- if .Values.cloudsql.enabled }}
-- 
GitLab

From ee02d5ddf7b29c5d23c202b59e06a77aa7e62451 Mon Sep 17 00:00:00 2001
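Review bot: The added `sleep 60` in the `@@ -75,6 +75,7 @@` hunk only covers the non-SSL branch; the `--db-use-ssl` command two lines above targets the same database and has the same startup race, so an SSL-enabled in-cluster deployment keeps the intermittent failure this commit is meant to fix. A fixed delay is also the fragile form of the fix: it adds a minute to every upgrade and still fails whenever the database takes longer, so readiness should be waited for rather than assumed, e.g. with the bounded retry below, which assumes the block runs under a POSIX shell and that `anchore-manager db ... upgrade` is safe to re-run after a connection failure (confirm both before adopting it, and wrap the SSL branch's command in the same loop). The same `sleep 60` is re-added by `[PATCH 12/14]` and copied to `enterprise_upgrade_job.yaml` and `enterprise_feeds_upgrade_job.yaml` in `[PATCH 14/14]`, where both points apply unchanged. Separately, the `docs/BBCHANGES.md` text in `[PATCH 14/14]` refers to `enterprise_feeds_upgrade_jobs.yaml`, while the diffstat names the file `enterprise_feeds_upgrade_job.yaml`.
```yaml
# … unchanged: --db-use-ssl branch (give its command the same bounded retry) …
{{- else }}
- |
  # wait for the in-cluster DB to accept the upgrade instead of sleeping a fixed 60s
  attempt=0
  until anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask; do
    attempt=$((attempt + 1))
    [ "$attempt" -ge 12 ] && exit 1
    sleep 5
  done
```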
From: bhearn7
Date: Fri, 2 Jul 2021 14:19:46 -0400
Subject: [PATCH 12/14] testing

---
 chart/templates/engine_configmap_env.yaml | 4 ++--
 chart/templates/engine_upgrade_job.yaml | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/chart/templates/engine_configmap_env.yaml b/chart/templates/engine_configmap_env.yaml
index 5df021f..33e13a8 100644
--- a/chart/templates/engine_configmap_env.yaml
+++ b/chart/templates/engine_configmap_env.yaml
@@ -18,6 +18,6 @@ data:
 {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "postgresql" "enabled")) }}
 ANCHORE_DB_HOST: "localhost:5432"
 {{- else }}
- ANCHORE_DB_HOST: "{{ template "postgres.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:5432"
- # ANCHORE_DB_HOST: "{{ template "postgres.fullname" . }}:5432"
+ # ANCHORE_DB_HOST: "{{ template "postgres.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:5432"
+ ANCHORE_DB_HOST: "{{ template "postgres.fullname" . }}:5432"
 {{- end }}
diff --git a/chart/templates/engine_upgrade_job.yaml b/chart/templates/engine_upgrade_job.yaml
index dfe591d..a077813 100644
--- a/chart/templates/engine_upgrade_job.yaml
+++ b/chart/templates/engine_upgrade_job.yaml
@@ -75,6 +75,7 @@ spec:
 anchore-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask;
 {{- else }}
 - |
+ sleep 60
 anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
 {{- end }}
 {{- if .Values.cloudsql.enabled }}
-- 
GitLab

From c8785a57320364760fa13e608e89c5f00bffde8a Mon Sep 17 00:00:00 2001
From: bhearn7
Date: Fri, 2 Jul 2021 14:43:29 -0400
Subject: [PATCH 13/14] hopefully last commit

---
 CHANGELOG.md | 1 +
 chart/templates/engine_configmap_env.yaml | 1 -
 docs/BBCHANGES.md | 8 ++++++++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c6a9db2..7899336 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Bumped Anchore Enterprise & Anchore Enterprise UI image tags to 3.1.0
 ### Fixed
 - conditional in network policy for enterprise-ui component
+- intermittent issue with engine upgrade job for in-cluster anchore db
 ## [1.12.16-bb.2]
 ### Changed
diff --git a/chart/templates/engine_configmap_env.yaml b/chart/templates/engine_configmap_env.yaml
index 33e13a8..eff162d 100644
--- a/chart/templates/engine_configmap_env.yaml
+++ b/chart/templates/engine_configmap_env.yaml
@@ -18,6 +18,5 @@ data:
 {{- else if and (index .Values "cloudsql" "enabled") (not (index .Values "postgresql" "enabled")) }}
 ANCHORE_DB_HOST: "localhost:5432"
 {{- else }}
- # ANCHORE_DB_HOST: "{{ template "postgres.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:5432"
 ANCHORE_DB_HOST: "{{ template "postgres.fullname" . }}:5432"
 {{- end }}
diff --git a/docs/BBCHANGES.md b/docs/BBCHANGES.md
index 32ec614..934b2df 100644
--- a/docs/BBCHANGES.md
+++ b/docs/BBCHANGES.md
@@ -186,3 +186,11 @@ In `chart/templates/enterprise_feeds_configmap.yaml` also modify the metrics lin
 metrics:
 enabled: {{ .Values.monitoring.enabled }}
 ```
+
+To resolve a race condition in Big Bang CI pipelines, an additional sleep argument was added in `chart/templates/engine_upgrade_job.yaml`:
+
+```yaml
+- |
+ sleep 60
+ anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
+```
\ No newline at end of file
-- 
GitLab

From e96409c3c77df6f5ea57d6383541efa4a4d7c2ee Mon Sep 17 00:00:00 2001
From: bhearn7
Date: Tue, 6 Jul 2021 09:52:22 -0400
Subject: [PATCH 14/14] get more sleep

---
 CHANGELOG.md | 2 +-
 chart/templates/enterprise_feeds_upgrade_job.yaml | 1 +
 chart/templates/enterprise_upgrade_job.yaml | 1 +
 docs/BBCHANGES.md | 2 +-
 tests/images.txt | 4 ++--
 5 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7899336..0930a99 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,7 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Bumped Anchore Enterprise & Anchore Enterprise UI image tags to 3.1.0
 ### Fixed
 - conditional in network policy for enterprise-ui component
-- intermittent issue with engine upgrade job for in-cluster anchore db
+- intermittent issue with upgrade jobs for in-cluster anchore dbs
 ## [1.12.16-bb.2]
 ### Changed
diff --git a/chart/templates/enterprise_feeds_upgrade_job.yaml b/chart/templates/enterprise_feeds_upgrade_job.yaml
index a5cb0eb..903f36a 100644
--- a/chart/templates/enterprise_feeds_upgrade_job.yaml
+++ b/chart/templates/enterprise_feeds_upgrade_job.yaml
@@ -63,6 +63,7 @@ spec:
 anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask;
 {{- else }}
 - |
+ sleep 60
 anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
 {{- end }}
 {{- if .Values.cloudsql.enabled }}
diff --git a/chart/templates/enterprise_upgrade_job.yaml b/chart/templates/enterprise_upgrade_job.yaml
index 446e9e7..c021c40 100644
--- a/chart/templates/enterprise_upgrade_job.yaml
+++ b/chart/templates/enterprise_upgrade_job.yaml
@@ -63,6 +63,7 @@ spec:
 anchore-enterprise-manager db --db-use-ssl --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME}?sslmode={{ .Values.anchoreGlobal.dbConfig.sslMode }}\\&sslrootcert=/home/anchore/certs/{{ .Values.anchoreGlobal.dbConfig.sslRootCertName }} upgrade --dontask;
 {{- else }}
 - |
+ sleep 60
 anchore-enterprise-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
 {{- end }}
 {{- if .Values.cloudsql.enabled }}
diff --git a/docs/BBCHANGES.md b/docs/BBCHANGES.md
index 934b2df..82d2748 100644
--- a/docs/BBCHANGES.md
+++ b/docs/BBCHANGES.md
@@ -187,7 +187,7 @@ In `chart/templates/enterprise_feeds_configmap.yaml` also modify the metrics lin
 enabled: {{ .Values.monitoring.enabled }}
 ```
-To resolve a race condition in Big Bang CI pipelines, an additional sleep argument was added in `chart/templates/engine_upgrade_job.yaml`:
+To resolve a race condition in Big Bang CI pipelines, an additional sleep argument was added in `chart/templates/engine_upgrade_job.yaml`, `enterprise_upgrade_job.yaml`, and `enterprise_feeds_upgrade_jobs.yaml`:
 ```yaml
 - |
diff --git a/tests/images.txt b/tests/images.txt
index 686a9f3..7705a2c 100644
--- a/tests/images.txt
+++ b/tests/images.txt
@@ -1,2 +1,2 @@
-registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.0.3
-registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.0.3
+registry1.dso.mil/ironbank/anchore/enterprise/enterprise:3.1.0
+registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui:3.1.0
-- 
GitLab