Merge pull request #415 from anchore/dev-sync
enterprise 5.11 release
HN23 authored Oct 29, 2024
2 parents 70d8725 + 4987539 commit 35dfa91
Showing 17 changed files with 216 additions and 146 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/test.yaml
Expand Up @@ -13,7 +13,7 @@ jobs:
strategy:
fail-fast: false
matrix:
kubernetesVersion: ["v1.24.17", "v1.25.16", "v1.26.14", "v1.27.11", "v1.28.7", "v1.29.2", "v1.30.0"]
kubernetesVersion: ["v1.28.7", "v1.29.2", "v1.30.0", "v1.31.0"]
runs-on: ubuntu-latest
steps:
- name: Checkout
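Review bot: The `kubernetesVersion` matrix now stops at v1.28.7 as its oldest entry, while `kubeVersion` in stable/enterprise/Chart.yaml in this same commit still declares `1.23.x - 1.31.x`. Assuming this workflow is what installs the charts, releases 1.23 through 1.27 remain advertised as supported but are exercised by no CI job, so a template that breaks on an older API server would go unnoticed. Either keep one older version in the matrix as a floor check, or raise the lower bound to what is tested, e.g. `kubeVersion: 1.28.x - 1.31.x || 1.28.x-x - 1.31.x-x`. The job definition continues outside the hunk.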
6 changes: 3 additions & 3 deletions stable/enterprise/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v2
name: enterprise
version: "3.0.2"
appVersion: "5.10.0"
kubeVersion: 1.23.x - 1.30.x || 1.23.x-x - 1.30.x-x
version: "3.1.0"
appVersion: "5.11.0"
kubeVersion: 1.23.x - 1.31.x || 1.23.x-x - 1.31.x-x
description: |
Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems,
it allows developers to bolster security without compromising velocity and enables security teams to audit and verify compliance in real-time.
258 changes: 132 additions & 126 deletions stable/enterprise/README.md

Large diffs are not rendered by default.

3 changes: 3 additions & 0 deletions stable/enterprise/files/default_config.yaml
Expand Up @@ -155,6 +155,8 @@ services:
runtime_inventory:
inventory_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS}
inventory_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE}
integrations:
integration_health_report_ttl_days: ${ANCHORE_ENTERPRISE_INTEGRATION_HEALTH_REPORTS_TTL_DAYS}
image_gc:
max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS}
runtime_compliance:
Expand Down Expand Up @@ -279,6 +281,7 @@ services:
data_load_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_LOAD_MAX_WORKERS}
cycle_timers: {{- toYaml .Values.anchoreConfig.reports_worker.cycle_timers | nindent 6 }}
runtime_report_generation:
use_legacy_loaders_and_queries: {{ .Values.anchoreConfig.reports_worker.runtime_report_generation.use_legacy_loaders_and_queries }}
inventory_images_by_vulnerability: true
vulnerabilities_by_k8s_namespace: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE}
vulnerabilities_by_k8s_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER}
3 changes: 3 additions & 0 deletions stable/enterprise/files/osaa_config.yaml
Expand Up @@ -155,6 +155,8 @@ services:
runtime_inventory:
inventory_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS}
inventory_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE}
integrations:
integration_health_report_ttl_days: ${ANCHORE_ENTERPRISE_INTEGRATION_HEALTH_REPORTS_TTL_DAYS}
image_gc:
max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS}
runtime_compliance:
Expand Down Expand Up @@ -287,6 +289,7 @@ services:
data_load_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_LOAD_MAX_WORKERS}
cycle_timers: {{- toYaml .Values.anchoreConfig.reports_worker.cycle_timers | nindent 6 }}
runtime_report_generation:
use_legacy_loaders_and_queries: {{ .Values.anchoreConfig.reports_worker.runtime_report_generation.use_legacy_loaders_and_queries }}
inventory_images_by_vulnerability: true
vulnerabilities_by_k8s_namespace: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE}
vulnerabilities_by_k8s_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER}
1 change: 1 addition & 0 deletions stable/enterprise/templates/envvars_configmap.yaml
Expand Up @@ -56,6 +56,7 @@ data:
ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS: "{{ .Values.anchoreConfig.catalog.runtime_inventory.inventory_ttl_days }}"
ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE: "{{ .Values.anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite }}"
{{- end }}
ANCHORE_ENTERPRISE_INTEGRATION_HEALTH_REPORTS_TTL_DAYS: "{{ .Values.anchoreConfig.catalog.integrations.integration_health_report_ttl_days }}"
{{- with .Values.anchoreConfig.notifications.ui_url }}
ANCHORE_ENTERPRISE_UI_URL: "{{ . }}"
{{- else }}
Expand Up @@ -37,7 +37,7 @@ spec:
command: ["/bin/bash", "-c"]
args:
- |
anchorectl system smoke-tests run
anchorectl system smoke-tests run || true
volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 6 }}
restartPolicy: Never
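Review bot: Appending `|| true` to `anchorectl system smoke-tests run` in the `args` block discards the command's exit status, so the container always exits 0 and a failed smoke test can no longer fail whatever consumes this pod's result (it looks like a chart test pod, but the kind and annotations are outside the hunk). If failures must be tolerated in some environments, gate the `|| true` behind a chart value that defaults to off instead of applying it unconditionally. At minimum, add a comment above the command stating why the status is ignored, e.g. `# exit status ignored: <reason>`, so a green result is not read as a passing smoke test.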
4 changes: 4 additions & 0 deletions stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
Expand Up @@ -223,6 +223,8 @@ should render the configmaps:
runtime_inventory:
inventory_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS}
inventory_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE}
integrations:
integration_health_report_ttl_days: ${ANCHORE_ENTERPRISE_INTEGRATION_HEALTH_REPORTS_TTL_DAYS}
image_gc:
max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS}
runtime_compliance:
Expand Down Expand Up @@ -359,6 +361,7 @@ should render the configmaps:
reports_tag_load: 600
reports_tag_refresh: 7200
runtime_report_generation:
use_legacy_loaders_and_queries: false
inventory_images_by_vulnerability: true
vulnerabilities_by_k8s_namespace: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE}
vulnerabilities_by_k8s_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER}
Expand Down Expand Up @@ -436,6 +439,7 @@ should render the configmaps:
ANCHORE_DB_TIMEOUT: "120"
ANCHORE_DISABLE_METRICS_AUTH: "false"
ANCHORE_ENABLE_METRICS: "false"
ANCHORE_ENTERPRISE_INTEGRATION_HEALTH_REPORTS_TTL_DAYS: "2"
ANCHORE_ENTERPRISE_REPORTS_ASYNC_EXECUTION_TIMEOUT: 48h
ANCHORE_ENTERPRISE_REPORTS_DATA_EGRESS_WINDOW: "0"
ANCHORE_ENTERPRISE_REPORTS_DATA_LOAD_MAX_WORKERS: "10"
Expand Up @@ -184,6 +184,8 @@ should render the configmaps for osaa migration if enabled:
runtime_inventory:
inventory_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS}
inventory_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE}
integrations:
integration_health_report_ttl_days: ${ANCHORE_ENTERPRISE_INTEGRATION_HEALTH_REPORTS_TTL_DAYS}
image_gc:
max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS}
runtime_compliance:
Expand Down Expand Up @@ -320,6 +322,7 @@ should render the configmaps for osaa migration if enabled:
reports_tag_load: 600
reports_tag_refresh: 7200
runtime_report_generation:
use_legacy_loaders_and_queries: false
inventory_images_by_vulnerability: true
vulnerabilities_by_k8s_namespace: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE}
vulnerabilities_by_k8s_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER}
Expand Down Expand Up @@ -561,6 +564,8 @@ should render the configmaps for osaa migration if enabled:
runtime_inventory:
inventory_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS}
inventory_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE}
integrations:
integration_health_report_ttl_days: ${ANCHORE_ENTERPRISE_INTEGRATION_HEALTH_REPORTS_TTL_DAYS}
image_gc:
max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS}
runtime_compliance:
Expand Down Expand Up @@ -708,6 +713,7 @@ should render the configmaps for osaa migration if enabled:
reports_tag_load: 600
reports_tag_refresh: 7200
runtime_report_generation:
use_legacy_loaders_and_queries: false
inventory_images_by_vulnerability: true
vulnerabilities_by_k8s_namespace: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE}
vulnerabilities_by_k8s_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER}
Expand Up @@ -26,7 +26,7 @@ migration job should match snapshot:
name: test-release-enterprise-config-env-vars
- secretRef:
name: test-release-enterprise
image: docker.io/anchore/enterprise:v5.10.0
image: docker.io/anchore/enterprise:v5.11.0
imagePullPolicy: IfNotPresent
name: migrate-analysis-archive
volumeMounts:
Expand Down Expand Up @@ -89,7 +89,7 @@ migration job should match snapshot:
valueFrom:
fieldRef:
fieldPath: metadata.name
image: docker.io/anchore/enterprise:v5.10.0
image: docker.io/anchore/enterprise:v5.11.0
imagePullPolicy: IfNotPresent
name: wait-for-db
restartPolicy: Never
Expand Down Expand Up @@ -148,7 +148,7 @@ migration job should match snapshot analysisArchiveMigration and objectStoreMigr
name: test-release-enterprise-config-env-vars
- secretRef:
name: test-release-enterprise
image: docker.io/anchore/enterprise:v5.10.0
image: docker.io/anchore/enterprise:v5.11.0
imagePullPolicy: IfNotPresent
name: migrate-analysis-archive
volumeMounts:
Expand Down Expand Up @@ -211,7 +211,7 @@ migration job should match snapshot analysisArchiveMigration and objectStoreMigr
valueFrom:
fieldRef:
fieldPath: metadata.name
image: docker.io/anchore/enterprise:v5.10.0
image: docker.io/anchore/enterprise:v5.11.0
imagePullPolicy: IfNotPresent
name: wait-for-db
restartPolicy: Never
Expand Down Expand Up @@ -268,7 +268,7 @@ migration job should match snapshot analysisArchiveMigration to true:
name: test-release-enterprise-config-env-vars
- secretRef:
name: test-release-enterprise
image: docker.io/anchore/enterprise:v5.10.0
image: docker.io/anchore/enterprise:v5.11.0
imagePullPolicy: IfNotPresent
name: migrate-analysis-archive
volumeMounts:
Expand Down Expand Up @@ -331,7 +331,7 @@ migration job should match snapshot analysisArchiveMigration to true:
valueFrom:
fieldRef:
fieldPath: metadata.name
image: docker.io/anchore/enterprise:v5.10.0
image: docker.io/anchore/enterprise:v5.11.0
imagePullPolicy: IfNotPresent
name: wait-for-db
restartPolicy: Never
Expand Down Expand Up @@ -387,7 +387,7 @@ migration job should match snapshot objectStoreMigration to true:
name: test-release-enterprise-config-env-vars
- secretRef:
name: test-release-enterprise
image: docker.io/anchore/enterprise:v5.10.0
image: docker.io/anchore/enterprise:v5.11.0
imagePullPolicy: IfNotPresent
name: migrate-analysis-archive
volumeMounts:
Expand Down Expand Up @@ -450,7 +450,7 @@ migration job should match snapshot objectStoreMigration to true:
valueFrom:
fieldRef:
fieldPath: metadata.name
image: docker.io/anchore/enterprise:v5.10.0
image: docker.io/anchore/enterprise:v5.11.0
imagePullPolicy: IfNotPresent
name: wait-for-db
restartPolicy: Never
Expand Down Expand Up @@ -621,6 +621,6 @@ should render proper initContainers:
valueFrom:
fieldRef:
fieldPath: metadata.name
image: docker.io/anchore/enterprise:v5.10.0
image: docker.io/anchore/enterprise:v5.11.0
imagePullPolicy: IfNotPresent
name: wait-for-db
14 changes: 12 additions & 2 deletions stable/enterprise/values.yaml
Expand Up @@ -19,7 +19,7 @@ global:

## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI
##
image: docker.io/anchore/enterprise:v5.10.0
image: docker.io/anchore/enterprise:v5.11.0

## @param imagePullPolicy Image pull policy used by all deployments
## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
Expand Down Expand Up @@ -583,6 +583,11 @@ anchoreConfig:
inventory_ttl_days: 120
inventory_ingest_overwrite: false

## @param anchoreConfig.catalog.integrations.integration_health_report_ttl_days TTL for integration health reports.
##
integrations:
integration_health_report_ttl_days: 2

## @param anchoreConfig.catalog.down_analyzer_task_requeue Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state
##
down_analyzer_task_requeue: true
Expand Down Expand Up @@ -684,6 +689,11 @@ anchoreConfig:
reports_image_egress: 600
reports_tag_egress: 600

## @param anchoreConfig.reports_worker.runtime_report_generation.use_legacy_loaders_and_queries Use legacy loaders and queries for runtime report generation
##
runtime_report_generation:
use_legacy_loaders_and_queries: false

ui:
## @param anchoreConfig.ui.enable_proxy Trust a reverse proxy when setting secure cookies (via the `X-Forwarded-Proto` header)
##
Expand Down Expand Up @@ -1423,7 +1433,7 @@ simpleQueue:
ui:
## @param ui.image Image used for the Anchore UI container
##
image: docker.io/anchore/enterprise-ui:v5.10.0
image: docker.io/anchore/enterprise-ui:v5.11.0

## @param ui.imagePullPolicy Image pull policy for Anchore UI image
##
4 changes: 2 additions & 2 deletions stable/k8s-inventory/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: k8s-inventory
version: 0.4.3
appVersion: "1.6.2"
version: 0.5.0
appVersion: "1.7.1"
description: A Helm chart for Kubernetes Automated Inventory, which describes which images are in use in a given Kubernetes Cluster
keywords:
- analysis
6 changes: 5 additions & 1 deletion stable/k8s-inventory/README.md
Expand Up @@ -87,19 +87,23 @@ See the [K8s Inventory repo](https://github.com/anchore/k8s-inventory) for more
### k8sInventory Parameters ##

| Name | Description | Value |
| ----------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
|-------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|------------------|
| `k8sInventory.output` | The output format of the report (options: table, json) | `json` |
| `k8sInventory.quiet` | Determine whether or not to log the inventory report to stdout | `false` |
| `k8sInventory.verboseInventoryReports` | Determine whether or not to log the inventory report to stdout | `false` |
| `k8sInventory.log.structured` | Determine whether or not to use structured logs | `false` |
| `k8sInventory.log.level` | the level of verbosity for logs | `debug` |
| `k8sInventory.log.file` | location to write the log file (default is not to have a log file) | `""` |
| `k8sInventory.anchore-registration.registration-id` | Identifier that the integration uses when registering. Can normally be left empty. | `""` |
| `k8sInventory.anchore-registration.integration-name` | Name of the integration instance | `""` |
| `k8sInventory.anchore-registration.integration-description` | Short description of the integration instance | `""` |
| `k8sInventory.kubeconfig.path` | Path should not be changed | `use-in-cluster` |
| `k8sInventory.kubeconfig.cluster` | Tells Anchore which cluster this inventory is coming from | `docker-desktop` |
| `k8sInventory.namespaceSelectors.include` | Which namespaces to search as explicit strings, not regex; Will search all namespaces if empty array | `[]` |
| `k8sInventory.namespaceSelectors.exclude` | Which namespaces to exclude can use explicit strings and/or regexes. | `[]` |
| `k8sInventory.mode` | Can be one of adhoc, periodic (defaults to adhoc) | `periodic` |
| `k8sInventory.pollingIntervalSeconds` | Only respected if mode is periodic | `60` |
| `k8sInventory.healthReportIntervalSeconds` | Only respected if mode is periodic | `60` |
| `k8sInventory.kubernetes.requestTimeoutSeconds` | Sets the request timeout for kubernetes API requests | `60` |
| `k8sInventory.kubernetes.requestBatchSize` | Sets the number of objects to iteratively return when listing resources | `100` |
| `k8sInventory.kubernetes.workerPoolSize` | Worker pool size for collecting pods from namespaces. Adjust this if the api-server gets overwhelmed | `100` |
3 changes: 3 additions & 0 deletions stable/k8s-inventory/templates/cluster-role-readonly.yaml
Expand Up @@ -14,3 +14,6 @@ rules:
- apiGroups: [""]
resources: ["pods","namespaces", "nodes"]
verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
resources: ["replicasets", "deployments"]
verbs: ["get"]
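Review bot: The new rule grants `get` on `replicasets` and `deployments` in the `apps` group through a ClusterRole, so the read applies to every namespace, and nothing in the hunk records why the agent needs it. Judging by the `POD_NAMESPACE` variable added to the deployment template in this commit, the lookup may only concern the agent's own owning Deployment; if that is the case, a namespaced Role and RoleBinding in the release namespace would cover it with less reach. Whichever form is kept, add a comment above the rule, e.g. `# get only: resolve this pod's owning ReplicaSet/Deployment` (wording to be confirmed by the author). Limiting the verb to `get` is the right choice and should stay. The start of the role lies outside the hunk.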
7 changes: 7 additions & 0 deletions stable/k8s-inventory/templates/configmap.yaml
Expand Up @@ -22,12 +22,19 @@ data:
structured: {{ .Values.k8sInventory.log.structured }}
level: {{ .Values.k8sInventory.log.level }}
file: {{ .Values.k8sInventory.log.file }}
anchore-registration:
registration-id: {{ .Values.k8sInventory.anchoreRegistration.RegistrationId }}
integration-name: {{ .Values.k8sInventory.anchoreRegistration.IntegrationName }}
integration-description: {{ .Values.k8sInventory.anchoreRegistration.IntegrationDescription }}
namespaces:
{{- toYaml .Values.k8sInventory.namespaces | nindent 6 }}
namespace-selectors:
{{- toYaml .Values.k8sInventory.namespaceSelectors | nindent 6 }}
account-routes:
{{- toYaml .Values.k8sInventory.accountRoutes | nindent 6}}
mode: {{ .Values.k8sInventory.mode }}
polling-interval-seconds: {{ .Values.k8sInventory.pollingIntervalSeconds }}
health-report-interval-seconds: {{ .Values.k8sInventory.healthReportIntervalSeconds }}
kubernetes-request-timeout-seconds: {{ .Values.k8sInventory.kubernetesRequestTimeoutSeconds }}
kubernetes:
request-timeout-seconds: {{ .Values.k8sInventory.kubernetes.requestTimeoutSeconds }}
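Review bot: The three `anchore-registration` values are rendered unquoted, so the documented default of `""` yields a bare `registration-id:` (null rather than an empty string), and a free-text `integration-description` containing `: ` or ` #` will either break the rendered config or be silently truncated. Pipe them through `quote`, e.g. `integration-description: {{ .Values.k8sInventory.anchoreRegistration.IntegrationDescription | quote }}`, and do the same for `registration-id` and `integration-name`. The README rows added in this commit name these values `k8sInventory.anchore-registration.registration-id` and so on, whereas the template reads `.Values.k8sInventory.anchoreRegistration.RegistrationId`; the chart's values.yaml is not visible here, so confirm which spelling it uses and align the other. The `data` block continues outside the hunk.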
5 changes: 5 additions & 0 deletions stable/k8s-inventory/templates/deployment.yaml
Expand Up @@ -83,6 +83,11 @@ spec:
- secretRef:
name: {{ default (include "k8sInventory.fullname" .) .Values.existingSecretName }}
{{- end }}
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumes:
- name: config-volume
configMap: