Merge pull request #160 from anchore/update-engine-0101

Update engine 0101

.github/workflows/test.yaml

@@ -8,9 +8,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        kubernetesVersion: ["v1.13.12", "v1.18.0"]
-    runs-on: ubuntu-18.04
-    if: github.ref != 'refs/heads/master'
+        kubernetesVersion: ["v1.14.10", "v1.22.0"]
+    runs-on: ubuntu-latest
     steps:
     - name: Checkout
       uses: actions/checkout@v2
@@ -29,11 +28,11 @@ jobs:
         config: ct-config.yaml
 
     - name: Install kind
-      uses: helm/kind-action@v1.0.0
+      uses: helm/kind-action@v1.2.0
       with:
         node_image: "kindest/node:${{ matrix.kubernetesVersion }}"
         config: kind-config.yaml
-        wait: 300s
+        wait: 600s
       if: steps.lint.outputs.changed == 'true'
 
     - name: Check kind nodes

kind-config.yaml

@@ -1,5 +1,5 @@
 kind: Cluster
-apiVersion: kind.sigs.k8s.io/v1alpha3
+apiVersion: kind.x-k8s.io/v1alpha4
 nodes:
   - role: control-plane
   - role: worker

stable/anchore-engine/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.13.0
-appVersion: 0.10.0
+version: 1.14.0
+appVersion: 0.10.1
 description: Anchore container analysis and policy evaluation engine service
 keywords:
  - analysis

stable/anchore-engine/README.md

@@ -243,6 +243,14 @@ See the anchore-engine [CHANGELOG](https://github.com/anchore/anchore-engine/blo
 
 A Helm post-upgrade hook job will shut down all previously running Anchore services and perform the Anchore DB upgrade process using a kubernetes job. The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful helm upgrade.
 
+## Chart version 1.14.0
+
+---
+
+* Anchore Engine image updated to v0.10.1 - [Release Notes](https://engine.anchore.io/docs/releasenotes/0101/)
+* Anchore Enterprise image updated to v3.1.1 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/311/)
+* Enterprise Feeds - MSRC feeds no longer require an access token. No changes are needed, however MSRC access tokens can now be removed from values and/or existing secrets.
+
 ## Chart version 1.13.0
 
 ---

stable/anchore-engine/templates/engine_configmap.yaml

@@ -240,17 +240,17 @@ data:
               # The following feeds are synced if provider is set to legacy
               # Vulnerabilities feed is the feed for distro cve sources (redhat, debian, ubuntu, oracle, alpine....)
               vulnerabilities:
-                enabled: {{ default "true" .Values.anchoreGlobal.syncVulnerabilites }}
+                enabled: {{ default "true" (.Values.anchoreGlobal.syncVulnerabilites | quote) }}
                 url: {{ $anchoreFeedsURL }}
               # NVD Data is used for non-distro CVEs (jars, npm, etc) that are not packaged and released by distros as rpms, debs, etc
               nvdv2:
-                enabled: {{ default "true" .Values.anchoreGlobal.syncNvd }}
+                enabled: {{ default "true" (.Values.anchoreGlobal.syncNvd | quote) }}
                 url: {{ $anchoreFeedsURL }}
               github:
                 {{- if .Values.anchoreEnterpriseGlobal.enabled }}
                 enabled: {{ .Values.anchoreEnterpriseFeeds.githubDriverEnabled }}
                 {{- else }}
-                enabled: {{ default "true" .Values.anchoreGlobal.syncGithub }}
+                enabled: {{ default "true" (.Values.anchoreGlobal.syncGithub | quote) }}
                 {{- end }}
                 url: {{ $anchoreFeedsURL }}
               # Warning: enabling the packages and nvd sync causes the service to require much more memory to do process the significant data volume. We recommend at least 4GB available for the container
@@ -259,12 +259,12 @@ data:
                 {{- if and (and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled) (or .Values.anchoreEnterpriseFeeds.gemDriverEnabled .Values.anchoreEnterpriseFeeds.npmDriverEnabled) }}
                 enabled: true
                 {{- else }}
-                enabled: {{ default "false" .Values.anchoreGlobal.syncPackages }}
+                enabled: {{ default "false" (.Values.anchoreGlobal.syncPackages | quote) }}
                 {{- end }}
                 url: {{ $anchoreFeedsURL }}
               {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }}
               vulndb:
-                enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.vulndbDriverEnabled }}
+                enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.vulndbDriverEnabled | quote) }}
                 url: {{ $anchoreFeedsURL }}
               {{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreGlobal.syncVulnDB }}
               vulndb:

stable/anchore-engine/templates/enterprise_feeds_configmap.yaml

@@ -94,54 +94,51 @@ data:
           workspace_preload_file: "/workspace_preload/data.tar.gz"
         # If api_only is set to true, the service will not update feed data in the system.
         # API end points will be functional and serve feed data if any is available.
-        api_only: {{ default "false" .Values.anchoreEnterpriseFeeds.apiOnly }}
+        api_only: {{ default "false" (.Values.anchoreEnterpriseFeeds.apiOnly | quote) }}
         drivers:
           # Configuration section for drivers collecting and processing feed data.
           # All drivers are enabled by default unless explicitly disabled.
           amzn:
-            enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.amazonDriverEnabled }}
+            enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.amazonDriverEnabled | quote) }}
           alpine:
-            enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.alpineDriverEnabled }}
+            enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.alpineDriverEnabled | quote) }}
           centos:
-            enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.centosDriverEnabled }}
+            enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.centosDriverEnabled | quote) }}
           debian:
-            enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.debianDriverEnabled }}
+            enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.debianDriverEnabled | quote) }}
           ol:
-            enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.olDriverEnabled }}
+            enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.olDriverEnabled | quote) }}
           ubuntu:
-            enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.ubuntuDriverEnabled }}
+            enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.ubuntuDriverEnabled | quote) }}
           rhel:
-            enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.rhelDriverEnabled }}
+            enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.rhelDriverEnabled | quote) }}
           nvddb:
-            enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.nvdDriverEnabled }}
+            enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.nvdDriverEnabled | quote) }}
           # npm and gem drivers are explicitly disabled out of the box
           npm:
-            enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.npmDriverEnabled }}
+            enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.npmDriverEnabled | quote) }}
           gem:
             # rubygem data comes packaged as a PostgreSQL dump file. gem driver loads the pg dump and normalizes the data.
             # To enable gem driver comment the enabled property and uncomment the db_connect property.
-            enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.gemDriverEnabled }}
+            enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.gemDriverEnabled | quote) }}
             db_connect: {{ default "'postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/gems'" .Values.anchoreEnterpriseFeeds.gemDbEndpoint }}
           nvdv2:
-            enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled }}
+            enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled | quote) }}
           vulndb:
-            enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.vulndbDriverEnabled }}
-        {{- if .Values.anchoreEnterpriseFeeds.msrcDriverEnabled }}
+            enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.vulndbDriverEnabled | quote) }}
           msrc:
-            enabled: true
-            api_key: ${ANCHORE_MSRC_KEY}
+            enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.msrcDriverEnabled | quote) }}
             {{- with .Values.anchoreEnterpriseFeeds.msrcWhitelist }}
             whitelist:
               - {{ . }}
             {{- end }}
-        {{- end }}
-        {{- if .Values.anchoreEnterpriseFeeds.githubDriverEnabled }}
           github:
-            enabled: true
+            enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.githubDriverEnabled | quote) }}
+          {{- if eq (.Values.anchoreEnterpriseFeeds.githubDriverEnabled | toString) "true" }}
             token: ${ANCHORE_GITHUB_TOKEN}
-        {{- end }}
+          {{- end }}
           grypedb:
-            enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.grypeDriverEnabled }}
+            enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.grypeDriverEnabled | quote) }}
             external_feeds_url: "https://toolbox-data.anchore.io/grype/databases/listing.json"
         {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }}
         ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }}

stable/anchore-engine/values.yaml

@@ -95,7 +95,7 @@ ingress:
 # Global configuration shared by all anchore-engine services.
 anchoreGlobal:
   # Image used for all anchore engine deployments (excluding enterprise components).
-  image: docker.io/anchore/anchore-engine:v0.10.0
+  image: docker.io/anchore/anchore-engine:v0.10.1
   imagePullPolicy: IfNotPresent
 
   # Set image pull secret name if using an anchore-engine image from a private registry
@@ -676,7 +676,7 @@ anchoreEnterpriseGlobal:
   # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=<PATH TO LICENSE.YAML>
   licenseSecretName: anchore-enterprise-license
 
-  image: docker.io/anchore/enterprise:v3.1.0
+  image: docker.io/anchore/enterprise:v3.1.1
   imagePullPolicy: IfNotPresent
   # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images.
   # Create this secret with the following command - kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=<USERNAME> --docker-password=<PASSWORD> --docker-email=<EMAIL_ADDRESS>
@@ -734,8 +734,6 @@ anchoreEnterpriseFeeds:
 
   # Enable microsoft feeds
   msrcDriverEnabled: false
-  # For instructions on getting API key, see the msrc section of the Feeds docs - https://docs.anchore.com/current/docs/installation/feeds/
-  msrcApiKey: null
   # Uncomment to add MSRC product IDs for generating their feed data, this extends the pre-defined list of product IDs
   # msrcWhitelist:
   # - 12345
@@ -912,7 +910,7 @@ anchoreEnterpriseNotifications:
 anchoreEnterpriseUi:
   # If enabled is set to false, set anchore-ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance.
   enabled: true
-  image: docker.io/anchore/enterprise-ui:v3.1.0
+  image: docker.io/anchore/enterprise-ui:v3.1.1
   imagePullPolicy: IfNotPresent
 
   # Set extra environment variables. These will be set on all UI containers.