diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 53f894e8..de7cfbcf 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -8,9 +8,8 @@ jobs: strategy: fail-fast: false matrix: - kubernetesVersion: ["v1.13.12", "v1.18.0"] - runs-on: ubuntu-18.04 - if: github.ref != 'refs/heads/master' + kubernetesVersion: ["v1.14.10", "v1.22.0"] + runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v2 @@ -29,11 +28,11 @@ jobs: config: ct-config.yaml - name: Install kind - uses: helm/kind-action@v1.0.0 + uses: helm/kind-action@v1.2.0 with: node_image: "kindest/node:${{ matrix.kubernetesVersion }}" config: kind-config.yaml - wait: 300s + wait: 600s if: steps.lint.outputs.changed == 'true' - name: Check kind nodes diff --git a/kind-config.yaml b/kind-config.yaml index 3c696b75..ae8cd304 100644 --- a/kind-config.yaml +++ b/kind-config.yaml @@ -1,5 +1,5 @@ kind: Cluster -apiVersion: kind.sigs.k8s.io/v1alpha3 +apiVersion: kind.x-k8s.io/v1alpha4 nodes: - role: control-plane - role: worker diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index fe8e3bc9..475f8ee4 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: anchore-engine -version: 1.13.0 -appVersion: 0.10.0 +version: 1.14.0 +appVersion: 0.10.1 description: Anchore container analysis and policy evaluation engine service keywords: - analysis diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index f2b8c1d2..4544f92e 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md 
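Review bot: Removing `if: github.ref != 'refs/heads/master'` changes when the job runs, not just where: the chart-testing and kind steps now also execute on pushes to master, which is more than the runner and matrix refresh around it implies. If that is intended it deserves a word in the commit message; if not, keep the condition directly under the new `runs-on: ubuntu-latest` line. Separately, `ubuntu-latest` tracks whatever image GitHub currently designates, so the test environment can change without any commit in this repository; a fixed label such as `ubuntu-20.04` keeps the run reproducible at the cost of periodic bumps like this one. The job this hunk edits begins above the hunk (`jobs:` is only header context).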
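Review bot: `uses: helm/kind-action@v1.2.0` is a mutable tag, so the code that provisions the test cluster can change under the workflow without any change in this repository. For supply-chain hygiene, pin third-party actions to the full commit SHA of the release and keep the tag as a comment, `uses: helm/kind-action@<FULL_COMMIT_SHA_FOR_v1.2.0>  # v1.2.0`; the `actions/checkout@v2` reference visible as context earlier in the file has the same exposure, though this commit does not touch it. The increase to `wait: 600s` is a reasonable accommodation for the newer node images in the matrix, but since that input appears to be the cluster readiness timeout it also doubles how long a broken cluster takes to fail.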
@@ -243,6 +243,14 @@ See the anchore-engine [CHANGELOG](https://github.com/anchore/anchore-engine/blo A Helm post-upgrade hook job will shut down all previously running Anchore services and perform the Anchore DB upgrade process using a kubernetes job. The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful helm upgrade. +## Chart version 1.14.0 + +--- + +* Anchore Engine image updated to v0.10.1 - [Release Notes](https://engine.anchore.io/docs/releasenotes/0101/) +* Anchore Enterprise image updated to v3.1.1 - [Release Notes](https://docs.anchore.com/current/docs/releasenotes/311/) +* Enterprise Feeds - MSRC feeds no longer require an access token. No changes are needed, however MSRC access tokens can now be removed from values and/or existing secrets. + ## Chart version 1.13.0 --- diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index b5374991..1bf9921e 100644 --- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml 
@@ -240,17 +240,17 @@ data: # The following feeds are synced if provider is set to legacy # Vulnerabilities feed is the feed for distro cve sources (redhat, debian, ubuntu, oracle, alpine....) vulnerabilities: - enabled: {{ default "true" .Values.anchoreGlobal.syncVulnerabilites }} + enabled: {{ default "true" (.Values.anchoreGlobal.syncVulnerabilites | quote) }} url: {{ $anchoreFeedsURL }} # NVD Data is used for non-distro CVEs (jars, npm, etc) that are not packaged and released by distros as rpms, debs, etc nvdv2: - enabled: {{ default "true" .Values.anchoreGlobal.syncNvd }} + enabled: {{ default "true" (.Values.anchoreGlobal.syncNvd | quote) }} url: {{ $anchoreFeedsURL }} github: {{- if .Values.anchoreEnterpriseGlobal.enabled }} enabled: {{ .Values.anchoreEnterpriseFeeds.githubDriverEnabled }} {{- else }} - enabled: {{ default "true" .Values.anchoreGlobal.syncGithub }} + enabled: {{ default "true" (.Values.anchoreGlobal.syncGithub | quote) }} {{- end }} url: {{ $anchoreFeedsURL }} # Warning: enabling the packages and nvd sync causes the service to require much more memory to do process the significant data volume. We recommend at least 4GB available for the container 
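Review bot: The rendered type of `enabled:` now depends on which branch of `default` wins: an explicitly set value comes out as a YAML string (`enabled: "false"`) because of `| quote`, while an unset value falls back to the bare boolean `true`, so the same key is sometimes a string and sometimes a bool. The quoting is what makes `default` honour an explicit `false` (Go templates treat `false` as empty and would otherwise substitute the default), so it should stay; the open question is whether anchore-engine's config loader coerces the string `"false"` to a boolean, because a loader that only tests truthiness would keep syncing a feed the user disabled. To render the same type on both paths, either quote the default too, `enabled: {{ default (quote "true") (.Values.anchoreGlobal.syncVulnerabilites | quote) }}`, or strip the quotes after the default, `enabled: {{ default "true" (.Values.anchoreGlobal.syncVulnerabilites | quote) | trimAll "\"" }}`, whichever matches the loader's schema. The same pattern is on every `enabled:` line of this hunk, the -259 hunk of this file, and the -94 hunk of templates/enterprise_feeds_configmap.yaml (including its `api_only:` line).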
@@ -259,12 +259,12 @@ data: {{- if and (and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled) (or .Values.anchoreEnterpriseFeeds.gemDriverEnabled .Values.anchoreEnterpriseFeeds.npmDriverEnabled) }} enabled: true {{- else }} - enabled: {{ default "false" .Values.anchoreGlobal.syncPackages }} + enabled: {{ default "false" (.Values.anchoreGlobal.syncPackages | quote) }} {{- end }} url: {{ $anchoreFeedsURL }} {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }} vulndb: - enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.vulndbDriverEnabled }} + enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.vulndbDriverEnabled | quote) }} url: {{ $anchoreFeedsURL }} {{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreGlobal.syncVulnDB }} vulndb: diff --git a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml index d1b21197..d0373b94 100644 --- a/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_feeds_configmap.yaml 
@@ -94,54 +94,51 @@ data: workspace_preload_file: "/workspace_preload/data.tar.gz" # If api_only is set to true, the service will not update feed data in the system. # API end points will be functional and serve feed data if any is available. - api_only: {{ default "false" .Values.anchoreEnterpriseFeeds.apiOnly }} + api_only: {{ default "false" (.Values.anchoreEnterpriseFeeds.apiOnly | quote) }} drivers: # Configuration section for drivers collecting and processing feed data. # All drivers are enabled by default unless explicitly disabled. amzn: - enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.amazonDriverEnabled }} + enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.amazonDriverEnabled | quote) }} alpine: - enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.alpineDriverEnabled }} + enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.alpineDriverEnabled | quote) }} centos: - enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.centosDriverEnabled }} + enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.centosDriverEnabled | quote) }} debian: - enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.debianDriverEnabled }} + enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.debianDriverEnabled | quote) }} ol: - enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.olDriverEnabled }} + enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.olDriverEnabled | quote) }} ubuntu: - enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.ubuntuDriverEnabled }} + enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.ubuntuDriverEnabled | quote) }} rhel: - enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.rhelDriverEnabled }} + enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.rhelDriverEnabled | quote) }} nvddb: - enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.nvdDriverEnabled }} + enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.nvdDriverEnabled | quote) }} # npm 
and gem drivers are explicitly disabled out of the box npm: - enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.npmDriverEnabled }} + enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.npmDriverEnabled | quote) }} gem: # rubygem data comes packaged as a PostgreSQL dump file. gem driver loads the pg dump and normalizes the data. # To enable gem driver comment the enabled property and uncomment the db_connect property. - enabled: {{ default "false" .Values.anchoreEnterpriseFeeds.gemDriverEnabled }} + enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.gemDriverEnabled | quote) }} db_connect: {{ default "'postgresql://${ANCHORE_DB_USER}:${ANCHORE_FEEDS_DB_PASSWORD}@${ANCHORE_DB_HOST}/gems'" .Values.anchoreEnterpriseFeeds.gemDbEndpoint }} nvdv2: - enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled }} + enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.nvdv2DriverEnabled | quote) }} vulndb: - enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.vulndbDriverEnabled }} - {{- if .Values.anchoreEnterpriseFeeds.msrcDriverEnabled }} + enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.vulndbDriverEnabled | quote) }} msrc: - enabled: true - api_key: ${ANCHORE_MSRC_KEY} + enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.msrcDriverEnabled | quote) }} {{- with .Values.anchoreEnterpriseFeeds.msrcWhitelist }} whitelist: - {{ . 
}} {{- end }} - {{- end }} - {{- if .Values.anchoreEnterpriseFeeds.githubDriverEnabled }} github: - enabled: true + enabled: {{ default "false" (.Values.anchoreEnterpriseFeeds.githubDriverEnabled | quote) }} + {{- if eq (.Values.anchoreEnterpriseFeeds.githubDriverEnabled | toString) "true" }} token: ${ANCHORE_GITHUB_TOKEN} - {{- end }} + {{- end }} grypedb: - enabled: {{ default "true" .Values.anchoreEnterpriseFeeds.grypeDriverEnabled }} + enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.grypeDriverEnabled | quote) }} external_feeds_url: "https://toolbox-data.anchore.io/grype/databases/listing.json" {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }} ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }} diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 30d20952..a497c3cc 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -95,7 +95,7 @@ ingress: # Global configuration shared by all anchore-engine services. anchoreGlobal: # Image used for all anchore engine deployments (excluding enterprise components). - image: docker.io/anchore/anchore-engine:v0.10.0 + image: docker.io/anchore/anchore-engine:v0.10.1 imagePullPolicy: IfNotPresent # Set image pull secret name if using an anchore-engine image from a private registry @@ -676,7 +676,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v3.1.0 + image: docker.io/anchore/enterprise:v3.1.1 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. # Create this secret with the following command - kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username= --docker-password= --docker-email= 
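Review bot: The new guard on the github token, `{{- if eq (.Values.anchoreEnterpriseFeeds.githubDriverEnabled | toString) "true" }}`, is stricter than the `enabled:` line two lines above it, which renders the raw value: a value that is truthy but not literally `true` (for example the string `"True"`) would enable the driver in the rendered config while omitting its token. Computing the decision once and reusing it keeps the two in step, e.g. `{{- $githubEnabled := eq (.Values.anchoreEnterpriseFeeds.githubDriverEnabled | toString) "true" }}` before the block, then `enabled: {{ $githubEnabled }}` and `{{- if $githubEnabled }}`. In the msrc block, `whitelist:` is now emitted whenever `msrcWhitelist` is set, even with `msrcDriverEnabled: false`; presumably the driver ignores it while disabled, but that is worth confirming against the feeds service's config handling. The `data:` block this hunk edits starts before the hunk.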
@@ -734,8 +734,6 @@ anchoreEnterpriseFeeds: # Enable microsoft feeds msrcDriverEnabled: false - # For instructions on getting API key, see the msrc section of the Feeds docs - https://docs.anchore.com/current/docs/installation/feeds/ - msrcApiKey: null # Uncomment to add MSRC product IDs for generating their feed data, this extends the pre-defined list of product IDs # msrcWhitelist: # - 12345 @@ -912,7 +910,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set anchore-ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v3.1.0 + image: docker.io/anchore/enterprise-ui:v3.1.1 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers.
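Review bot: Removing `msrcApiKey: null` from values.yaml does not by itself retire the key: Helm renders a missing value as empty rather than failing, so any template outside this diff that still reads `.Values.anchoreEnterpriseFeeds.msrcApiKey` (the feeds Secret or the env wiring for `ANCHORE_MSRC_KEY`, which the enterprise_feeds_configmap hunk stops consuming) would silently produce an empty secret entry. Confirm those templates were updated in the same release, and consider leaving a one-line marker where the key was, `# msrcApiKey was removed in chart 1.14.0; MSRC feeds no longer need an access token`, so users carrying the key in an older values file understand why it is now ignored.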