Merge pull request #169 from anchore/grype-db-feed-config

Add configuration support for grype db feeds in policy engine and advertised feeds address in feeds service.

stable/anchore-engine/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: anchore-engine
-version: 1.14.6
+version: 1.14.7
 appVersion: 0.10.2
 description: Anchore container analysis and policy evaluation engine service
 keywords:

stable/anchore-engine/templates/engine_configmap.yaml

@@ -1,13 +1,20 @@
-{{ $anchoreFeedsURL := "https://ancho.re/v1/service/feeds" }}
-{{- if .Values.anchoreEnterpriseFeeds.url }}
-{{- $anchoreFeedsURL = .Values.anchoreEnterpriseFeeds.url }}
-{{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled }}
-{{- if .Values.anchoreGlobal.internalServicesSsl.enabled }}
-{{- $anchoreFeedsURL = (printf "https://%s:%s/v1/feeds"  (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) }}
-{{- else }}
-{{- $anchoreFeedsURL = (printf "http://%s:%s/v1/feeds" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) }}
-{{- end }}
-{{- end }}
+{{- $anchoreFeedsURL := "https://ancho.re/v1/service/feeds" -}}
+{{- $grypeProviderFeedsExternalURL := "https://toolbox-data.anchore.io/grype/databases/listing.json" -}}
+
+{{- if .Values.anchoreEnterpriseFeeds.url -}}
+  {{- $urlPathSuffix := (default "" (regexFind "/v1.*$" .Values.anchoreEnterpriseFeeds.url)) -}}
+  {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.anchoreEnterpriseFeeds.url) -}}
+  {{- $anchoreFeedsURL = (printf "%s/v1/feeds" $anchoreFeedsHost) -}}
+  {{- $grypeProviderFeedsExternalURL = (printf "%s/v1/databases/grype" $anchoreFeedsHost) -}}
+{{- else if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled -}}
+  {{- if .Values.anchoreGlobal.internalServicesSsl.enabled -}}
+    {{- $anchoreFeedsURL = (printf "https://%s:%s/v1/feeds"  (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}}
+    {{- $grypeProviderFeedsExternalURL = (printf "https://%s:%s/v1/databases/grype"  (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}}
+  {{- else -}}
+    {{- $anchoreFeedsURL = (printf "http://%s:%s/v1/feeds" (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}}
+    {{- $grypeProviderFeedsExternalURL = (printf "http://%s:%s/v1/databases/grype"  (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}}
+  {{- end -}}
+{{- end -}}
 
 kind: ConfigMap
 apiVersion: v1
@@ -237,8 +244,8 @@ data:
             data:
               # grypedb feed is synced if the provider is set to grype. All the remaining feeds except for packages are ignored even if they are enabled
               grypedb:
-                enabled: true
-                url: "https://toolbox-data.anchore.io/grype/databases/listing.json"
+                enabled: {{ default "true" (.Values.anchoreGlobal.syncGrypeDB | quote) }}
+                url: {{ $grypeProviderFeedsExternalURL }}
               # The following feeds are synced if provider is set to legacy
               # Vulnerabilities feed is the feed for distro cve sources (redhat, debian, ubuntu, oracle, alpine....)
               vulnerabilities:

stable/anchore-engine/templates/enterprise_feeds_configmap.yaml

@@ -1,5 +1,20 @@
 {{- if and .Values.anchoreEnterpriseGlobal.enabled .Values.anchoreEnterpriseFeeds.enabled -}}
 {{- $component := "enterprise-feeds" -}}
+
+{{- $grypeProviderFeedsExternalURL := "" -}}
+
+{{- if .Values.anchoreEnterpriseFeeds.url -}}
+  {{- $urlPathSuffix := (default "" (regexFind "/v1.*$" .Values.anchoreEnterpriseFeeds.url)) }}
+  {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.anchoreEnterpriseFeeds.url) -}}
+  {{- $grypeProviderFeedsExternalURL = (printf "%s/v1/" $anchoreFeedsHost) -}}
+{{- else -}}
+  {{- if .Values.anchoreGlobal.internalServicesSsl.enabled -}}
+    {{- $grypeProviderFeedsExternalURL = (printf "https://%s:%s/v1/"  (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}}
+  {{- else -}}
+    {{- $grypeProviderFeedsExternalURL = (printf "http://%s:%s/v1/"  (include "anchore-engine.enterprise-feeds.fullname" .) (.Values.anchoreEnterpriseFeeds.service.port | toString) ) -}}
+  {{- end -}}
+{{- end -}}
+
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -142,7 +157,7 @@ data:
           {{- end }}
           grypedb:
             enabled: {{ default "true" (.Values.anchoreEnterpriseFeeds.grypeDriverEnabled | quote) }}
-            external_feeds_url: "https://toolbox-data.anchore.io/grype/databases/listing.json"
+            external_feeds_url: {{ $grypeProviderFeedsExternalURL }}
         {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }}
         ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }}
         ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}"

stable/anchore-engine/values.yaml

@@ -738,7 +738,8 @@ anchoreEnterpriseFeeds:
   # If enabled is set to false, set anchore-feeds-db.enabled to false to ensure that helm doesn't stand up a unneccessary postgres instance.
   enabled: true
 
-  # Set custom feeds URL if multiple Anchore deployments are using the same internal feeds service.
+  # Set custom feeds URL. Useful when using a feeds service endpoint that is external from the cluster.
+  # i.e. https://<feeds-hostname>:<feeds-port>
   url: ""
 
   # Enable github advisory feeds