diff --git a/CHANGELOG.md b/CHANGELOG.md
index 431523c473c78df0a7bc020993e53ae83391a0f7..b3ea8408b125b33b662eca989e9478cf64ffbd33 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ---
+## [1.13.0-bb.6]
+## Changed
+- updated bb-test-lib dependency to gluon `0.2.3` to resolve OPA Gatekeeper violations
+- updated Redis dependency to `14.1.0-bb.3` to resolve OPA Gatekeeper violations
+- set resource requests and limits for all containers to resolve OPA Gatekeeper violations
+- set resource requests and limits equal to eachother to resolve OPA Gatekeeper violations
+
 ## [1.13.0-bb.5]
 ## Added
 - `.Values.postgresqlSuperUser.postgresUsername` and `.Values.postgresqlSuperUser.postgresPassword` for conditionally changing the commands in the ensure db jobs to allow for finer-grain postgres user permissions
diff --git a/chart/Chart.lock b/chart/Chart.lock
index e23305a914e6af957d1089c18ce58321515a5d79..c594674b99628a7be61c2c7cbd6cad2a6fa464f3 100644
--- a/chart/Chart.lock
+++ b/chart/Chart.lock
@@ -7,9 +7,9 @@ dependencies:
 version: 1.0.1
 - name: redis
 repository: file://./deps/redis
- version: 14.1.0-bb.2
-- name: bb-test-lib
- repository: oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates
- version: 0.5.2
-digest: sha256:b6031a1579e20adfbd8f708ede7fc9665a21a5c030ca7304af18acdff3b56150
-generated: "2021-07-13T16:37:10.13824-04:00"
+ version: 14.1.0-bb.3
+- name: gluon
+ repository: oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon
+ version: 0.2.3
+digest: sha256:18e2ebc2abf59245eb530874f5c9aab50f3041a4959aa6534b6411810191d078
+generated: "2021-08-18T14:00:09.786881-04:00"
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index b4bd06c2e64827b702f6488c6f0802bb9351802b..405d6bbe4edf0b46fa93534f47d5a93933584632 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.13.0-bb.5
+version: 1.13.0-bb.6
 appVersion: 0.10.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
@@ -33,10 +33,10 @@ dependencies:
 condition: anchore-feeds-db.enabled,anchoreEnterpriseGlobal.enabled
 alias: anchore-feeds-db
 - name: redis
- version: "14.1.0-bb.2"
+ version: "14.1.0-bb.3"
 repository: "file://./deps/redis"
 condition: anchore-ui-redis.enabled,anchoreEnterpriseGlobal.enabled
 alias: anchore-ui-redis
- - name: bb-test-lib
- version: "0.5.2"
- repository: "oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates"
+ - name: gluon
+ version: "0.2.3"
+ repository: oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon
\ No newline at end of file
diff --git a/chart/charts/bb-test-lib-0.5.2.tgz b/chart/charts/bb-test-lib-0.5.2.tgz
deleted file mode 100644
index 8dfbf00fe39fb381984557d13c29343c509f86b5..0000000000000000000000000000000000000000
Binary files a/chart/charts/bb-test-lib-0.5.2.tgz and /dev/null differ
diff --git a/chart/charts/gluon-0.2.3.tgz b/chart/charts/gluon-0.2.3.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..03fa0d4f6be0bd975ba08b14c5831025ec52c02f
Binary files /dev/null and b/chart/charts/gluon-0.2.3.tgz differ
diff --git a/chart/charts/postgresql-1.0.1.tgz b/chart/charts/postgresql-1.0.1.tgz
index 22760154daf2285ec69eb2790b4853eb21232065..234563866a76adc02b21c5fb0a74fa31e0c26d15 100644
Binary files a/chart/charts/postgresql-1.0.1.tgz and b/chart/charts/postgresql-1.0.1.tgz differ
diff --git a/chart/charts/redis-14.1.0-bb.2.tgz b/chart/charts/redis-14.1.0-bb.2.tgz
deleted file mode 100644
index bd3c27fbca1b2ae6a7a9e41d8f186c108578bc6f..0000000000000000000000000000000000000000
Binary files a/chart/charts/redis-14.1.0-bb.2.tgz and /dev/null differ
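Review bot: The new gluon entry in the Chart.yaml dependency hunk leaves `repository:` unquoted while the redis entry above it and the bb-test-lib entry it replaces quote theirs; `repository: "oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon"` keeps the list uniform, and since this is the last line of the file it is also the moment to add the missing trailing newline (`\ No newline at end of file`). Separately, `chart/charts/postgresql-1.0.1.tgz` changes content in this commit while its version stays 1.0.1 and no `chart/deps/postgresql` source change appears in the diff; if the archive was re-packaged so the subchart honours the new `postgresql.resources` values, a version bump is the only way a consumer can tell the two archives apart, since Chart.lock's digest is otherwise the sole record of the change. The enclosing `dependencies:` list starts above the hunk.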
diff --git a/chart/charts/redis-14.1.0-bb.3.tgz b/chart/charts/redis-14.1.0-bb.3.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..efc841510f1ea41b362888ae6d25b37e38c7413b
Binary files /dev/null and b/chart/charts/redis-14.1.0-bb.3.tgz differ
diff --git a/chart/deps/redis/Chart.yaml b/chart/deps/redis/Chart.yaml
index 0387e10590915b83b4e60b431922fd876f352b69..65bc406f8bf706d6715aa1befaad340bea478cbf 100644
--- a/chart/deps/redis/Chart.yaml
+++ b/chart/deps/redis/Chart.yaml
@@ -25,4 +25,4 @@ name: redis
 sources:
 - https://github.com/bitnami/bitnami-docker-redis
 - http://redis.io/
-version: 14.1.0-bb.2
+version: 14.1.0-bb.3
diff --git a/chart/deps/redis/Kptfile b/chart/deps/redis/Kptfile
index d3ed0eda9c1ab28a27d7cee59fcc675880ccebd2..7c9f2ed899a262a8f6c73cbe3b6f5a922b1d7e03 100644
--- a/chart/deps/redis/Kptfile
+++ b/chart/deps/redis/Kptfile
@@ -5,7 +5,7 @@ metadata:
 upstream:
 type: git
 git:
- commit: ca398b827ba384da78213d9b2f21abf83a9eea8a
+ commit: f24af16a6d583e9e125f519127ffab11f48f42f8
 repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/redis
 directory: /chart
- ref: 14.1.0-bb.2
+ ref: 14.1.0-bb.3
diff --git a/chart/deps/redis/templates/bigbang/redis-upgrade.yaml b/chart/deps/redis/templates/bigbang/redis-upgrade.yaml
index a9960197584721b664234fe8a374b420d413206c..23fde003c938b1dc40206a33636fa2b9cb399b8e 100644
--- a/chart/deps/redis/templates/bigbang/redis-upgrade.yaml
+++ b/chart/deps/redis/templates/bigbang/redis-upgrade.yaml
@@ -124,4 +124,7 @@ spec:
 echo "No PVCs to clean up."
 fi
 echo "Done with upgrade steps."
+ {{- if .Values.cleanUpgrade.resources }}
+ resources: {{- toYaml .Values.cleanUpgrade.resources | nindent 12 }}
+ {{- end }}
 {{- end }}
diff --git a/chart/deps/redis/values.yaml b/chart/deps/redis/values.yaml
index 495b1c258c5501a557fe55a12684f1148bad33a6..cbff12c60ef45e016da7d986bcd401cc47e850c4 100644
--- a/chart/deps/redis/values.yaml
+++ b/chart/deps/redis/values.yaml
@@ -23,6 +23,13 @@ monitoring:
 cleanUpgrade:
 enabled: true
 image: "registry1.dso.mil/ironbank/big-bang/base:8.4"
+ resources:
+ requests:
+ memory: 256Mi
+ cpu: 100m
+ limits:
+ memory: 256Mi
+ cpu: 100m
 # NOTE: We default this to true in case packages consuming Redis forget to turn it on and have API traffic blocked
 networkPolicies:
@@ -879,8 +886,12 @@ sentinel:
 ## @param sentinel.resources.requests The requested resources for the Redis(TM) Sentinel containers
 ##
 resources:
- limits: {}
- requests: {}
+ requests:
+ memory: 256Mi
+ cpu: 100m
+ limits:
+ memory: 256Mi
+ cpu: 100m
 ## Configure Container Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 ## @param sentinel.containerSecurityContext.enabled Enabled Redis(TM) Sentinel containers' Security Context
@@ -1123,8 +1134,12 @@ metrics:
 ## @param metrics.resources.requests The requested resources for the Redis(TM) exporter container
 ##
 resources:
- limits: {}
- requests: {}
+ requests:
+ memory: 256Mi
+ cpu: 100m
+ limits:
+ memory: 256Mi
+ cpu: 100m
 ## @param metrics.podLabels Extra labels for Redis(TM) exporter pods
 ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
 ##
@@ -1209,8 +1224,12 @@ metrics:
 ## @param metrics.sentinel.resources.requests The requested resources for the Redis(TM) Sentinel exporter container
 ##
 resources:
- limits: {}
- requests: {}
+ requests:
+ memory: 256Mi
+ cpu: 100m
+ limits:
+ memory: 256Mi
+ cpu: 100m
 ## Redis(TM) Sentinel exporter service parameters
 ##
 service:
@@ -1364,8 +1383,12 @@ volumePermissions:
 ## @param volumePermissions.resources.requests The requested resources for the init container
 ##
 resources:
- limits: {}
- requests: {}
+ requests:
+ memory: 256Mi
+ cpu: 100m
+ limits:
+ memory: 256Mi
+ cpu: 100m
 ## Init container Container Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser
@@ -1416,5 +1439,9 @@ sysctl:
 ## @param sysctl.resources.requests The requested resources for the init container
 ##
 resources:
- limits: {}
- requests: {}
+ requests:
+ memory: 256Mi
+ cpu: 100m
+ limits:
+ memory: 256Mi
+ cpu: 100m
diff --git a/chart/templates/bigbang/db/ensure-anchore-db.yaml b/chart/templates/bigbang/db/ensure-anchore-db.yaml
index b6c024271dc00e44f702952a603c7196d5802419..03290c8fa09961ad4370a106b20de78618f2bcd8 100644
--- a/chart/templates/bigbang/db/ensure-anchore-db.yaml
+++ b/chart/templates/bigbang/db/ensure-anchore-db.yaml
@@ -61,6 +61,8 @@ spec:
 - secretRef:
 name: anchore-db-credentials
 {{- end }}
+ resources:
+ {{ toYaml .Values.ensureDbJobs.resources | nindent 12 }}
 restartPolicy: OnFailure
 {{- end }}
 {{- end }}
diff --git a/chart/templates/bigbang/db/ensure-feeds-db.yaml b/chart/templates/bigbang/db/ensure-feeds-db.yaml
index 0d736c42daf7d6b0f017041cc3460fc913cf8e07..66e2aa2944bcbcd634e32149f80c064a8e9586cb 100644
--- a/chart/templates/bigbang/db/ensure-feeds-db.yaml
+++ b/chart/templates/bigbang/db/ensure-feeds-db.yaml
@@ -61,6 +61,8 @@ spec:
 - secretRef:
 name: feeds-db-credentials
 {{- end }}
+ resources:
+ {{ toYaml .Values.ensureDbJobs.resources | nindent 12 }}
 restartPolicy: OnFailure
 {{- end }}
 {{- end }}
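Review bot: The `resources:` block added to ensure-anchore-db.yaml renders unconditionally, so a consumer that sets `ensureDbJobs.resources` to nothing gets `toYaml` emitting `null` under the key, and the `{{ toYaml ... }}` tag without a left-trim appears to keep the template line's own indentation in front of the newline that `nindent 12` inserts, leaving a whitespace-only line in the manifest. The redis-upgrade.yaml hunk in this same commit already uses the guarded, trimmed form; matching it here keeps the output clean: `{{- with .Values.ensureDbJobs.resources }}` / `resources: {{- toYaml . | nindent 12 }}` / `{{- end }}`. The same unguarded pattern is added in ensure-feeds-db.yaml, configure-sso.yaml, engine_upgrade_job.yaml, enterprise_feeds_upgrade_job.yaml and enterprise_upgrade_job.yaml (the last three at `nindent 10`), and the fix is the same in each. The enclosing Job spec starts and ends outside the hunk.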
diff --git a/chart/templates/bigbang/sso/configure-sso.yaml b/chart/templates/bigbang/sso/configure-sso.yaml
index 206ca9afa486518cc4ba2840a0a9bb532d61a6c6..1541f85411d52fcd30214ca9a6f5807d35ff0db2 100644
--- a/chart/templates/bigbang/sso/configure-sso.yaml
+++ b/chart/templates/bigbang/sso/configure-sso.yaml
@@ -61,6 +61,8 @@ spec:
 - name: anchore-sso
 mountPath: "/tmp"
 readOnly: true
+ resources:
+ {{ toYaml .Values.sso.resources | nindent 12 }}
 volumes:
 - name: anchore-sso
 secret:
diff --git a/chart/templates/engine_upgrade_job.yaml b/chart/templates/engine_upgrade_job.yaml
index a077813fa67c694abe222588ebf13de63cedcc8c..babf88219d5b2643e5307abdd33a72a2658bb106 100644
--- a/chart/templates/engine_upgrade_job.yaml
+++ b/chart/templates/engine_upgrade_job.yaml
@@ -109,6 +109,8 @@ spec:
 mountPath: /home/anchore/certs/
 readOnly: true
 {{- end }}
+ resources:
+ {{ toYaml .Values.anchoreEngineUpgradeJob.resources | nindent 10 }}
 {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }}
 volumes:
 {{- with .Values.anchoreGlobal.certStoreSecretName }}
diff --git a/chart/templates/enterprise_feeds_upgrade_job.yaml b/chart/templates/enterprise_feeds_upgrade_job.yaml
index 903f36aa2f92bb376f39590e9b5fb98699332c5d..b1e7083e9029b2e2938ab795c28edd9343b8baef 100644
--- a/chart/templates/enterprise_feeds_upgrade_job.yaml
+++ b/chart/templates/enterprise_feeds_upgrade_job.yaml
@@ -100,6 +100,8 @@ spec:
 mountPath: /home/anchore/certs/
 readOnly: true
 {{- end }}
+ resources:
+ {{ toYaml .Values.anchoreEnterpriseFeedsUpgradeJob.resources | nindent 10 }}
 {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }}
 volumes:
 {{- with .Values.anchoreGlobal.certStoreSecretName }}
diff --git a/chart/templates/enterprise_upgrade_job.yaml b/chart/templates/enterprise_upgrade_job.yaml
index c021c404da0f8bed2112bce5d81de88b3b788c5a..fec38a1f310ee304037ed78aec2b0ae124dcce17 100644
--- a/chart/templates/enterprise_upgrade_job.yaml
+++ b/chart/templates/enterprise_upgrade_job.yaml
@@ -97,6 +97,8 @@ spec:
 mountPath: /home/anchore/certs/
 readOnly: true
 {{- end }}
+ resources:
+ {{ toYaml .Values.anchoreEnterpriseEngineUpgradeJob.resources | nindent 10 }}
 {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }}
 volumes:
 {{- with .Values.anchoreGlobal.certStoreSecretName }}
diff --git a/chart/templates/tests/test-scripts.yaml b/chart/templates/tests/test-scripts.yaml
index 3a723dba083cdab642e8ba5ff1e4fecaec9e1e7e..9757c43f9dbd90fbb3c6cae18b4c29fd331e2782 100644
--- a/chart/templates/tests/test-scripts.yaml
+++ b/chart/templates/tests/test-scripts.yaml
@@ -1,3 +1,3 @@
-{{- include "bb-test-lib.script-configmap.base" . }}
+{{- include "gluon.tests.script-configmap.base" .}}
 ---
-{{- include "bb-test-lib.script-runner.base" . }}
\ No newline at end of file
+{{- include "gluon.tests.script-runner.base" .}}
\ No newline at end of file
diff --git a/chart/values.yaml b/chart/values.yaml
index 433cfea37a299eed357de35b71c596ab6704fbd4..215dcb5902fa9334c6722c783489e3253802d886 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -37,6 +37,16 @@ postgresqlSuperUser:
 postgresUsername: ""
 postgresPassword: ""
+# Configure resource requests and limits in ./chart/templates/bigbang/db/ensure-anchore-db.yaml and ./chart/templates/bigbang/db/ensure-feeds-db.yaml
+ensureDbJobs:
+ resources:
+ limits:
+ cpu: 100m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+
 # Enable Prometheus Monitoring
 monitoring:
 enabled: false
@@ -61,7 +71,14 @@ sso:
 requireSignedAssertions: false
 requireSignedResponse: true
 idpMetadataUrl: "https://login.dso.mil/auth/realms/baby-yoda/protocol/saml/descriptor"
-
+ # Configure resource requests and limits in the ./chart/templates/bigbang/sso/configure-sso.yaml job
+ resources:
+ limits:
+ cpu: 100m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
 # Upstream Anchore Values
 # -----------------------
@@ -88,6 +105,25 @@ postgresql:
 size: 20Gi
 subPath: "pgdata"
 mountPath: /var/lib/postgresql
+
+ # Configure resource limits and requests for the postgresql deployment
+ resources:
+ limits:
+ cpu: 100m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+
+ # Configure resource limits and requests for postgresql metrics (disabled by default)
+ metrics:
+ resources:
+ limits:
+ cpu: 100m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
 # Set the configs to allow listening and connecting from other pods
 postgresConfig: {"listen_addresses": "*"}
@@ -427,13 +463,13 @@ anchoreAnalyzer:
 # db_update_enabled: true
- # resources:
- # limits:
- # cpu: 1
- # memory: 4G
- # requests:
- # cpu: 1
- # memory: 1G
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1000Mi
+ requests:
+ cpu: 500m
+ memory: 1000Mi
 labels: {}
 annotations: {}
@@ -464,13 +500,13 @@ anchoreApi:
 # hostname: anchore-api.example.com
 # port: 8443
- # resources:
- # limits:
- # cpu: 1
- # memory: 4G
- # requests:
- # cpu: 100m
- # memory: 1G
+ resources:
+ limits:
+ cpu: 500m
+ memory: 4G
+ requests:
+ cpu: 500m
+ memory: 4G
 labels: {}
 annotations: {}
@@ -622,13 +658,13 @@ anchoreCatalog:
 annotations: {}
 labels: {}
- # resources:
- # limits:
- # cpu: 1
- # memory: 2G
- # requests:
- # cpu: 100m
- # memory: 500M
+ resources:
+ limits:
+ cpu: 500m
+ memory: 2Gi
+ requests:
+ cpu: 500m
+ memory: 2Gi
 labels: {}
 annotations: {}
@@ -694,13 +730,13 @@ anchorePolicyEngine:
 annotations: {}
 labels: {}
- # resources:
- # limits:
- # cpu: 1
- # memory: 4G
- # requests:
- # cpu: 100m
- # memory: 1G
+ resources:
+ limits:
+ cpu: 500m
+ memory: 3Gi
+ requests:
+ cpu: 500m
+ memory: 3Gi
 labels: {}
 annotations: {}
@@ -724,13 +760,13 @@ anchoreSimpleQueue:
 annotations: {}
 labels: {}
- # resources:
- # limits:
- # cpu: 1
- # memory: 1G
- # requests:
- # cpu: 100m
- # memory: 256M
+ resources:
+ limits:
+ cpu: 500m
+ memory: 4G
+ requests:
+ cpu: 500m
+ memory: 4G
 labels: {}
 annotations: {}
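Review bot: `anchoreSimpleQueue.resources` in this hunk requests and limits `4G` of memory, the same figure as the anchoreApi hunk above, while the commented-out guidance it replaces sized the queue at a 1G limit and 256M request; if the block was copied from the api entry rather than measured, the request == limit pairing now reserves that full 4G on whichever node schedules the queue. Memory units are also mixed across the new blocks — `1000Mi` for anchoreAnalyzer, `4G` for anchoreApi and anchoreSimpleQueue, `2Gi`/`3Gi` for anchoreCatalog and anchorePolicyEngine — and `4G` is a decimal quantity (4,000,000,000 bytes), roughly 7% less than `4Gi`, so a reader comparing the blocks is likely to misjudge them; picking one binary suffix file-wide avoids that. A short comment above each new `resources:` giving the sizing basis, e.g. `# request == limit (Guaranteed QoS) to satisfy the Gatekeeper resource-ratio constraint`, would make later tuning safer. The same observations apply to the anchoreEnterpriseFeeds and anchoreEnterpriseRbac blocks further down.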
@@ -741,6 +777,15 @@ anchoreSimpleQueue:
 # Pod configuration for the helm post-install-hook engine upgrade Job
 anchoreEngineUpgradeJob:
 enabled: true
+
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1.5Gi
+ requests:
+ cpu: 500m
+ memory: 1.5Gi
+
 nodeSelector: {}
 tolerations: []
 affinity: {}
@@ -784,6 +829,25 @@ anchore-feeds-db:
 subPath: "pgdata"
 mountPath: /var/lib/postgresql
+ # Configure resource limits and requests for the postgresql deployment
+ resources:
+ limits:
+ cpu: 100m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+
+ # Configure resource limits and requests for postgresql metrics (disabled by default)
+ metrics:
+ resources:
+ limits:
+ cpu: 100m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+
 # Set the configs to allow listening and connecting from other pods
 postgresConfig: {"listen_addresses": "*"}
 pgHbaConf: |-
@@ -866,13 +930,13 @@ anchoreEnterpriseFeeds:
 annotations: {}
 labels: {}
- # resources:
- # limits:
- # cpu: 1
- # memory: 4G
- # requests:
- # cpu: 1
- # memory: 2G
+ resources:
+ limits:
+ cpu: 1
+ memory: 4G
+ requests:
+ cpu: 1
+ memory: 4G
 labels: {}
 annotations: {}
@@ -883,6 +947,15 @@ anchoreEnterpriseFeeds:
 # Pod configuration for the helm post-install-hook feeds upgrade Job
 anchoreEnterpriseFeedsUpgradeJob:
 enabled: true
+
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1.5Gi
+ requests:
+ cpu: 500m
+ memory: 1.5Gi
+
 nodeSelector: {}
 tolerations: []
 affinity: {}
@@ -907,20 +980,20 @@ anchoreEnterpriseRbac:
 authPort: 8089
 authResources:
- limits:
- cpu: 500m
- memory: 1G
- requests:
- cpu: 500m
- memory: 1G
+ limits:
+ cpu: 500m
+ memory: 1G
+ requests:
+ cpu: 500m
+ memory: 1G
 managerResources:
- limits:
- cpu: 500m
- memory: 1G
- requests:
- cpu: 500m
- memory: 1G
+ limits:
+ cpu: 1
+ memory: 4G
+ requests:
+ cpu: 1
+ memory: 4G
 # Configure the Anchore Enterprise reporting component.
 anchoreEnterpriseReports:
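Review bot: `anchoreEnterpriseRbac.managerResources` goes from `500m`/`1G` to `1`/`4G` in this hunk, yet the 1.13.0-bb.6 CHANGELOG entry only describes setting requests equal to limits, which this block already did, so a fourfold memory reservation arrives with no stated reason; a changelog line or a comment above `managerResources:` such as `# raised to 1 CPU / 4G: <reason or measurement>` (placeholder — fill in the actual basis) would close that gap. The `authResources` half of the hunk is a pure re-indentation, which is fine but hides the one real change in a block of identical-looking lines. The `anchoreEnterpriseFeeds` hunk just above has the same shape: `cpu: 1`/`memory: 4G` is now requested where the old hint suggested a 2G request, again without a note.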
@@ -950,13 +1023,13 @@ anchoreEnterpriseReports:
 service:
 port: 8558
- # resources:
- # limits:
- # cpu: 1
- # memory: 1G
- # requests:
- # cpu: 100m
- # memory: 256M
+ resources:
+ limits:
+ cpu: 500m
+ memory: 3Gi
+ requests:
+ cpu: 500m
+ memory: 3Gi
 labels: {}
 annotations: {}
@@ -984,13 +1057,13 @@ anchoreEnterpriseNotifications:
 service:
 port: 8668
- # resources:
- # limits:
- # cpu: 1
- # memory: 1G
- # requests:
- # cpu: 100m
- # memory: 256M
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1.5Gi
+ requests:
+ cpu: 500m
+ memory: 1.5Gi
 labels: {}
 annotations: {}
@@ -1093,13 +1166,13 @@ anchoreEnterpriseUi:
 labels: {}
 sessionAffinity: ClientIP
- # resources:
- # limits:
- # cpu: 1
- # memory: 1G
- # requests:
- # cpu: 100m
- # memory: 256M
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1.5Gi
+ requests:
+ cpu: 500m
+ memory: 1.5Gi
 labels: {}
 annotations: {}
@@ -1123,6 +1196,15 @@ anchore-ui-redis:
 # Pod configuration for the helm post-install-hook enterprise engine upgrade Job
 anchoreEnterpriseEngineUpgradeJob:
 enabled: true
+
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1.5Gi
+ requests:
+ cpu: 500m
+ memory: 1.5Gi
+
 nodeSelector: {}
 tolerations: []
 affinity: {}
diff --git a/docs/BBCHANGES.md b/docs/BBCHANGES.md
index 6a949b97633ee05391cf9a105bdbbe6715b55371..267ef24756fec1cea334f7e8772ded50c4161339 100644
--- a/docs/BBCHANGES.md
+++ b/docs/BBCHANGES.md
@@ -203,4 +203,11 @@ To resolve a race condition in Big Bang CI pipelines, an additional sleep argume
 - |
 sleep 60
 anchore-manager db --db-connect postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}/${ANCHORE_DB_NAME} upgrade --dontask;
+```
+
+Additionally, a field was added to `chart/templates/engine_upgrade_job.yaml`, `enterprise_upgrade_job.yaml`, and `enterprise_feeds_upgrade_jobs.yaml` to allow users to specify container resource requests and limits for the jobs. This was done to resolve OPA Gatekeeper violations around container resources and ratios:
+
+```yaml
+resources:
+ {{ toYaml .Values.anchoreEngineUpgradeJob.resources | nindent 10 }}
 ```
\ No newline at end of file
diff --git a/tests/test-values.yml b/tests/test-values.yml
index 62dbc77190ba7a2839fd16b44d4ff1e2d9b04f8b..9daa5b8d82774e84f1bef3ca61a46477e2b61335 100644
--- a/tests/test-values.yml
+++ b/tests/test-values.yml
@@ -17,6 +17,13 @@ bbtests:
 secretKeyRef:
 name: "{{ template \"anchore-engine.fullname\" . }}-admin-pass"
 key: ANCHORE_ADMIN_PASSWORD
+ resources:
+ requests:
+ cpu: "1"
+ memory: "1Gi"
+ limits:
+ cpu: "1"
+ memory: "1Gi"
 anchoreGlobal:
 saml: