From c7b38bc8aa21fc176e6b63bcee8100ee423d07b6 Mon Sep 17 00:00:00 2001 From: Jeremy Spilman Date: Wed, 23 Oct 2024 18:05:25 -0400 Subject: [PATCH 01/10] reports_worker: use_legacy_loaders_and_queries Signed-off-by: Jeremy Spilman --- stable/enterprise/files/default_config.yaml | 1 + stable/enterprise/files/osaa_config.yaml | 1 + stable/enterprise/values.yaml | 3 +++ 3 files changed, 5 insertions(+) diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml index 65d8db92..549fbbb4 100644 --- a/stable/enterprise/files/default_config.yaml +++ b/stable/enterprise/files/default_config.yaml @@ -279,6 +279,7 @@ services: data_load_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_LOAD_MAX_WORKERS} cycle_timers: {{- toYaml .Values.anchoreConfig.reports_worker.cycle_timers | nindent 6 }} runtime_report_generation: + use_legacy_loaders_and_queries: {{ .Values.anchoreConfig.reports_worker.runtime_report_generation.use_legacy_loaders_and_queries }} inventory_images_by_vulnerability: true vulnerabilities_by_k8s_namespace: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE} vulnerabilities_by_k8s_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER} diff --git a/stable/enterprise/files/osaa_config.yaml b/stable/enterprise/files/osaa_config.yaml index 5333f763..83efb470 100644 --- a/stable/enterprise/files/osaa_config.yaml +++ b/stable/enterprise/files/osaa_config.yaml @@ -287,6 +287,7 @@ services: data_load_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_LOAD_MAX_WORKERS} cycle_timers: {{- toYaml .Values.anchoreConfig.reports_worker.cycle_timers | nindent 6 }} runtime_report_generation: + use_legacy_loaders_and_queries: {{ .Values.anchoreConfig.reports_worker.runtime_report_generation.use_legacy_loaders_and_queries }} inventory_images_by_vulnerability: true vulnerabilities_by_k8s_namespace: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE} vulnerabilities_by_k8s_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER} diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index d3b5335e..5cdcdeec 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -684,6 +684,9 @@ anchoreConfig: reports_image_egress: 600 reports_tag_egress: 600 + runtime_report_generation: + use_legacy_loaders_and_queries: false + ui: ## @param anchoreConfig.ui.enable_proxy Trust a reverse proxy when setting secure cookies (via the `X-Forwarded-Proto` header) ## From 3b86e317b056ea51dc5ff19142f6797d2fca430a Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 25 Oct 2024 16:43:25 -0400 Subject: [PATCH 02/10] update enterprise unittest snapshots, updating chart version Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 4 +- stable/enterprise/README.md | 249 +++++++++--------- .../__snapshot__/configmap_test.yaml.snap | 1 + .../osaa_configmap_test.yaml.snap | 2 + stable/enterprise/values.yaml | 2 + 5 files changed, 132 insertions(+), 126 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 8413e19d..c382155b 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: enterprise -version: "3.0.2" -appVersion: "5.10.0" +version: "3.0.3" +appVersion: "5.11.0" kubeVersion: 1.23.x - 1.30.x || 1.23.x-x - 1.30.x-x description: | Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems, diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 4c6d5a7d..4318b9c0 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -695,130 +695,131 @@ To restore your deployment to using your previous driver configurations: ### Anchore Configuration Parameters -| Name | Description | Value | -| -------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------ | -| `anchoreConfig.service_dir` | Path to directory where default Anchore config files are placed at startup | `/anchore_service` | -| `anchoreConfig.log_level` | The log level for Anchore services: NOTE: This is deprecated, use logging.log_level | `INFO` | -| `anchoreConfig.logging.colored_logging` | Enable colored output in the logs | `false` | -| `anchoreConfig.logging.exception_backtrace_logging` | Enable stack traces in the logs | `false` | -| `anchoreConfig.logging.exception_diagnose_logging` | Enable detailed exception information in the logs | `false` | -| `anchoreConfig.logging.file_rotation_rule` | Maximum size of a log file before it is rotated | `10 MB` | -| `anchoreConfig.logging.file_retention_rule` | Number of log files to retain before deleting the oldest | `10` | -| `anchoreConfig.logging.log_level` | Log level for the service code | `INFO` | -| `anchoreConfig.logging.server_access_logging` | Set whether to print server access to logging | `true` | -| `anchoreConfig.logging.server_response_debug_logging` | Log the elapsed time to process the request and the response size (debug log level) | `false` | -| `anchoreConfig.logging.server_log_level` | Log level specifically for the server (uvicorn) | `info` | -| `anchoreConfig.logging.structured_logging` | Enable structured logging output (JSON) | `false` | -| `anchoreConfig.server.max_connection_backlog` | Max connections permitted in the backlog before dropping | `2048` | -| `anchoreConfig.server.max_wsgi_middleware_worker_queue_size` | Max number of requests to queue for processing by ASGI2WSGI middleware | `100` | -| `anchoreConfig.server.max_wsgi_middleware_worker_count` | Max number of workers to have in the ASGI2WSGI middleware worker pool | `50` | -| `anchoreConfig.server.timeout_graceful_shutdown` | Seconds to permit for graceful shutdown or false to disable | `false` | -| `anchoreConfig.server.timeout_keep_alive` | Seconds to keep a connection alive before closing | `5` | -| `anchoreConfig.audit.enabled` | Enable audit logging | `true` | -| `anchoreConfig.allow_awsecr_iam_auto` | Enable AWS IAM instance role for ECR auth | `true` | -| `anchoreConfig.keys.secret` | The shared secret used for signing & encryption, auto-generated by Helm if not set. | `""` | -| `anchoreConfig.keys.privateKeyFileName` | The file name of the private key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` | -| `anchoreConfig.keys.publicKeyFileName` | The file name of the public key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` | -| `anchoreConfig.user_authentication.oauth.enabled` | Enable OAuth for Anchore user authentication | `true` | -| `anchoreConfig.user_authentication.oauth.default_token_expiration_seconds` | The expiration, in seconds, for OAuth tokens | `3600` | -| `anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds` | The expiration, in seconds, for OAuth refresh tokens | `86400` | -| `anchoreConfig.user_authentication.allow_api_keys_for_saml_users` | Enable API key generation and authentication for SAML users | `false` | -| `anchoreConfig.user_authentication.max_api_key_age_days` | The maximum age, in days, for API keys | `365` | -| `anchoreConfig.user_authentication.max_api_keys_per_user` | The maximum number of API keys per user | `100` | -| `anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days` | The number of days elapsed after a user API key is deleted before it is garbage collected (-1 to disable) | `365` | -| `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `true` | -| `anchoreConfig.user_authentication.sso_require_existing_users` | set to true in order to disable the SSO JIT provisioning during authentication | `false` | -| `anchoreConfig.user_authentication.disallow_native_users` | Disallow native users to authenticate by any method. Only SSO/'saml' users will be able to access the system. | `false` | -| `anchoreConfig.user_authentication.log_saml_assertions` | Enable logging of received SAML assertions at INFO level for SSO debugging in API container. | `false` | -| `anchoreConfig.metrics.enabled` | Enable Prometheus metrics for all Anchore services | `false` | -| `anchoreConfig.metrics.auth_disabled` | Disable auth on Prometheus metrics for all Anchore services | `false` | -| `anchoreConfig.webhooks` | Enable Anchore services to provide webhooks for external system updates | `{}` | -| `anchoreConfig.default_admin_password` | The password for the Anchore Enterprise admin user | `""` | -| `anchoreConfig.default_admin_email` | The email address used for the Anchore Enterprise admin user | `admin@myanchore` | -| `anchoreConfig.database.timeout` | | `120` | -| `anchoreConfig.database.ssl` | Enable SSL/TLS for the database connection | `false` | -| `anchoreConfig.database.sslMode` | The SSL mode to use for database connection | `verify-full` | -| `anchoreConfig.database.sslRootCertFileName` | File name of the database root CA certificate stored in the k8s secret specified with .Values.certStoreSecretName | `""` | -| `anchoreConfig.database.db_pool_size` | The database max connection pool size | `30` | -| `anchoreConfig.database.db_pool_max_overflow` | The maximum overflow size of the database connection pool | `100` | -| `anchoreConfig.database.engineArgs` | Set custom database engine arguments for SQLAlchemy | `{}` | -| `anchoreConfig.internalServicesSSL.enabled` | Force all Enterprise services to use SSL for internal communication | `false` | -| `anchoreConfig.internalServicesSSL.verifyCerts` | Enable cert verification against the local cert bundle, if this set to false self-signed certs are allowed | `false` | -| `anchoreConfig.internalServicesSSL.certSecretKeyFileName` | File name of the private key used for internal SSL stored in the secret specified in .Values.certStoreSecretName | `""` | -| `anchoreConfig.internalServicesSSL.certSecretCertFileName` | File name of the root CA certificate used for internal SSL stored in the secret specified in .Values.certStoreSecretName | `""` | -| `anchoreConfig.policyBundles` | Include custom Anchore policy bundles | `{}` | -| `anchoreConfig.apiext.external.enabled` | Allow overrides for constructing Anchore API URLs | `false` | -| `anchoreConfig.apiext.external.useTLS` | Enable TLS for external API access | `true` | -| `anchoreConfig.apiext.external.hostname` | Hostname for the external Anchore API | `""` | -| `anchoreConfig.apiext.external.port` | Port configured for external Anchore API | `8443` | -| `anchoreConfig.analyzer.cycle_timers.image_analyzer` | The interval between checks of the work queue for new analysis jobs | `1` | -| `anchoreConfig.analyzer.layer_cache_max_gigabytes` | Specify a cache size > 0GB to enable image layer caching | `0` | -| `anchoreConfig.analyzer.enable_hints` | Enable a user-supplied 'hints' file to override and/or augment the software artifacts found during analysis | `false` | -| `anchoreConfig.analyzer.configFile` | Custom Anchore Analyzer configuration file contents in YAML | `{}` | -| `anchoreConfig.catalog.cycle_timers.image_watcher` | Interval (seconds) to check for an update to a tag | `3600` | -| `anchoreConfig.catalog.cycle_timers.policy_eval` | Interval (seconds) to run a policy evaluation on images with policy_eval subscription activated | `3600` | -| `anchoreConfig.catalog.cycle_timers.vulnerability_scan` | Interval to run a vulnerability scan on images with vuln_update subscription activated | `14400` | -| `anchoreConfig.catalog.cycle_timers.analyzer_queue` | Interval to add new work on the image analysis queue | `1` | -| `anchoreConfig.catalog.cycle_timers.archive_tasks` | Interval to trigger Anchore Catalog archive Tasks | `43200` | -| `anchoreConfig.catalog.cycle_timers.notifications` | Interval in which notifications will be processed for state changes | `30` | -| `anchoreConfig.catalog.cycle_timers.service_watcher` | Interval of service state update poll, used for system status | `15` | -| `anchoreConfig.catalog.cycle_timers.policy_bundle_sync` | Interval of policy bundle sync | `300` | -| `anchoreConfig.catalog.cycle_timers.repo_watcher` | Interval between checks to repo for new tags | `60` | -| `anchoreConfig.catalog.cycle_timers.image_gc` | Interval for garbage collection of images marked for deletion | `60` | -| `anchoreConfig.catalog.cycle_timers.k8s_image_watcher` | Interval for the runtime inventory image analysis poll | `150` | -| `anchoreConfig.catalog.cycle_timers.resource_metrics` | Interval (seconds) for computing metrics from the DB | `60` | -| `anchoreConfig.catalog.cycle_timers.events_gc` | Interval (seconds) for cleaning up events in the system based on timestamp | `43200` | -| `anchoreConfig.catalog.cycle_timers.artifact_lifecycle_policy_tasks` | Interval (seconds) for running artifact lifecycle policy tasks | `43200` | -| `anchoreConfig.catalog.event_log` | Event log for webhooks, YAML configuration | `{}` | -| `anchoreConfig.catalog.analysis_archive` | Custom analysis archive YAML configuration | `{}` | -| `anchoreConfig.catalog.object_store` | Custom object storage YAML configuration | `{}` | -| `anchoreConfig.catalog.runtime_inventory.inventory_ttl_days` | TTL for runtime inventory. | `120` | -| `anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite` | force runtime inventory to be overwritten upon every update for that reported context. | `false` | -| `anchoreConfig.catalog.down_analyzer_task_requeue` | Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state | `true` | -| `anchoreConfig.policy_engine.cycle_timers.feed_sync` | Interval to run a feed sync to get latest cve data | `14400` | -| `anchoreConfig.policy_engine.cycle_timers.feed_sync_checker` | Interval between checks to see if there needs to be a task queued | `3600` | -| `anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers` | List of providers to exclude from matching | `nil` | -| `anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types` | List of package types to exclude from matching | `nil` | -| `anchoreConfig.policy_engine.enable_user_base_image` | Enables usage of Well Known Annotation to identify base image for use in ancestry calculations | `true` | -| `anchoreConfig.notifications.cycle_timers.notifications` | Interval that notifications are sent | `30` | -| `anchoreConfig.notifications.ui_url` | Set the UI URL that is included in the notification, defaults to the Enterprise UI service name | `""` | -| `anchoreConfig.reports.enable_graphiql` | Enable GraphiQL, a GUI for editing and testing GraphQL queries and mutations | `true` | -| `anchoreConfig.reports.async_execution_timeout` | Configure how long a scheduled query must be running for before it is considered timed out | `48h` | -| `anchoreConfig.reports.cycle_timers.reports_scheduled_queries` | Interval in seconds to check for scheduled queries that need to be run | `600` | -| `anchoreConfig.reports.use_volume` | Configure the reports service to buffer report generation to disk instead of in memory | `false` | -| `anchoreConfig.reports_worker.enable_data_ingress` | Enable periodically syncing data into the Anchore Reports Service | `true` | -| `anchoreConfig.reports_worker.enable_data_egress` | Periodically remove reporting data that has been removed in other parts of system | `false` | -| `anchoreConfig.reports_worker.data_egress_window` | defines a number of days to keep reporting data following its deletion in the rest of system. | `0` | -| `anchoreConfig.reports_worker.data_refresh_max_workers` | The maximum number of concurrent threads to refresh existing results (etl vulnerabilities and evaluations) in reports service. | `10` | -| `anchoreConfig.reports_worker.data_load_max_workers` | The maximum number of concurrent threads to load new results (etl vulnerabilities and evaluations) to reports service. | `10` | -| `anchoreConfig.reports_worker.cycle_timers.reports_image_load` | Interval that vulnerabilities for images are synced | `600` | -| `anchoreConfig.reports_worker.cycle_timers.reports_tag_load` | Interval that vulnerabilities by tags are synced | `600` | -| `anchoreConfig.reports_worker.cycle_timers.reports_runtime_inventory_load` | Interval that the runtime inventory is synced | `600` | -| `anchoreConfig.reports_worker.cycle_timers.reports_extended_runtime_vuln_load` | Interval extended runtime reports are synched (ecs, k8s containers and namespaces) | `1800` | -| `anchoreConfig.reports_worker.cycle_timers.reports_image_refresh` | Interval that images are refreshed | `7200` | -| `anchoreConfig.reports_worker.cycle_timers.reports_tag_refresh` | Interval that tags are refreshed | `7200` | -| `anchoreConfig.reports_worker.cycle_timers.reports_metrics` | Interval for how often reporting metrics are generated | `3600` | -| `anchoreConfig.reports_worker.cycle_timers.reports_image_egress` | Interval stale states are removed by image | `600` | -| `anchoreConfig.reports_worker.cycle_timers.reports_tag_egress` | Interval stale states are removed by tag | `600` | -| `anchoreConfig.ui.enable_proxy` | Trust a reverse proxy when setting secure cookies (via the `X-Forwarded-Proto` header) | `false` | -| `anchoreConfig.ui.enable_ssl` | Enable SSL in the Anchore UI container | `false` | -| `anchoreConfig.ui.enable_shared_login` | Allow single user to start multiple Anchore UI sessions | `true` | -| `anchoreConfig.ui.redis_flushdb` | Flush user session keys and empty data on Anchore UI startup | `true` | -| `anchoreConfig.ui.force_websocket` | Force WebSocket protocol for socket message communications | `false` | -| `anchoreConfig.ui.authentication_lock.count` | Number of failed authentication attempts allowed before a temporary lock is applied | `5` | -| `anchoreConfig.ui.authentication_lock.expires` | Authentication lock duration | `300` | -| `anchoreConfig.ui.sso_auth_only` | Enable SSO authentication only | `false` | -| `anchoreConfig.ui.custom_links` | List of up to 10 external links provided | `{}` | -| `anchoreConfig.ui.enable_add_repositories` | Specify what users can add image repositories to the Anchore UI | `{}` | -| `anchoreConfig.ui.log_level` | Descriptive detail of the application log output | `http` | -| `anchoreConfig.ui.enrich_inventory_view` | aggregate and include compliance and vulnerability data from the reports service. | `true` | -| `anchoreConfig.ui.appdb_config.native` | toggle the postgreSQL drivers used to connect to the database between the native and the NodeJS drivers. | `true` | -| `anchoreConfig.ui.appdb_config.pool.max` | maximum number of simultaneous connections allowed in the connection pool | `10` | -| `anchoreConfig.ui.appdb_config.pool.min` | minimum number of connections | `0` | -| `anchoreConfig.ui.appdb_config.pool.acquire` | the timeout in milliseconds used when acquiring a new connection | `30000` | -| `anchoreConfig.ui.appdb_config.pool.idle` | the maximum time that a connection can be idle before being released | `10000` | -| `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. | `""` | -| `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` | +| Name | Description | Value | +| --------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------ | +| `anchoreConfig.service_dir` | Path to directory where default Anchore config files are placed at startup | `/anchore_service` | +| `anchoreConfig.log_level` | The log level for Anchore services: NOTE: This is deprecated, use logging.log_level | `INFO` | +| `anchoreConfig.logging.colored_logging` | Enable colored output in the logs | `false` | +| `anchoreConfig.logging.exception_backtrace_logging` | Enable stack traces in the logs | `false` | +| `anchoreConfig.logging.exception_diagnose_logging` | Enable detailed exception information in the logs | `false` | +| `anchoreConfig.logging.file_rotation_rule` | Maximum size of a log file before it is rotated | `10 MB` | +| `anchoreConfig.logging.file_retention_rule` | Number of log files to retain before deleting the oldest | `10` | +| `anchoreConfig.logging.log_level` | Log level for the service code | `INFO` | +| `anchoreConfig.logging.server_access_logging` | Set whether to print server access to logging | `true` | +| `anchoreConfig.logging.server_response_debug_logging` | Log the elapsed time to process the request and the response size (debug log level) | `false` | +| `anchoreConfig.logging.server_log_level` | Log level specifically for the server (uvicorn) | `info` | +| `anchoreConfig.logging.structured_logging` | Enable structured logging output (JSON) | `false` | +| `anchoreConfig.server.max_connection_backlog` | Max connections permitted in the backlog before dropping | `2048` | +| `anchoreConfig.server.max_wsgi_middleware_worker_queue_size` | Max number of requests to queue for processing by ASGI2WSGI middleware | `100` | +| `anchoreConfig.server.max_wsgi_middleware_worker_count` | Max number of workers to have in the ASGI2WSGI middleware worker pool | `50` | +| `anchoreConfig.server.timeout_graceful_shutdown` | Seconds to permit for graceful shutdown or false to disable | `false` | +| `anchoreConfig.server.timeout_keep_alive` | Seconds to keep a connection alive before closing | `5` | +| `anchoreConfig.audit.enabled` | Enable audit logging | `true` | +| `anchoreConfig.allow_awsecr_iam_auto` | Enable AWS IAM instance role for ECR auth | `true` | +| `anchoreConfig.keys.secret` | The shared secret used for signing & encryption, auto-generated by Helm if not set. | `""` | +| `anchoreConfig.keys.privateKeyFileName` | The file name of the private key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` | +| `anchoreConfig.keys.publicKeyFileName` | The file name of the public key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` | +| `anchoreConfig.user_authentication.oauth.enabled` | Enable OAuth for Anchore user authentication | `true` | +| `anchoreConfig.user_authentication.oauth.default_token_expiration_seconds` | The expiration, in seconds, for OAuth tokens | `3600` | +| `anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds` | The expiration, in seconds, for OAuth refresh tokens | `86400` | +| `anchoreConfig.user_authentication.allow_api_keys_for_saml_users` | Enable API key generation and authentication for SAML users | `false` | +| `anchoreConfig.user_authentication.max_api_key_age_days` | The maximum age, in days, for API keys | `365` | +| `anchoreConfig.user_authentication.max_api_keys_per_user` | The maximum number of API keys per user | `100` | +| `anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days` | The number of days elapsed after a user API key is deleted before it is garbage collected (-1 to disable) | `365` | +| `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `true` | +| `anchoreConfig.user_authentication.sso_require_existing_users` | set to true in order to disable the SSO JIT provisioning during authentication | `false` | +| `anchoreConfig.user_authentication.disallow_native_users` | Disallow native users to authenticate by any method. Only SSO/'saml' users will be able to access the system. | `false` | +| `anchoreConfig.user_authentication.log_saml_assertions` | Enable logging of received SAML assertions at INFO level for SSO debugging in API container. | `false` | +| `anchoreConfig.metrics.enabled` | Enable Prometheus metrics for all Anchore services | `false` | +| `anchoreConfig.metrics.auth_disabled` | Disable auth on Prometheus metrics for all Anchore services | `false` | +| `anchoreConfig.webhooks` | Enable Anchore services to provide webhooks for external system updates | `{}` | +| `anchoreConfig.default_admin_password` | The password for the Anchore Enterprise admin user | `""` | +| `anchoreConfig.default_admin_email` | The email address used for the Anchore Enterprise admin user | `admin@myanchore` | +| `anchoreConfig.database.timeout` | | `120` | +| `anchoreConfig.database.ssl` | Enable SSL/TLS for the database connection | `false` | +| `anchoreConfig.database.sslMode` | The SSL mode to use for database connection | `verify-full` | +| `anchoreConfig.database.sslRootCertFileName` | File name of the database root CA certificate stored in the k8s secret specified with .Values.certStoreSecretName | `""` | +| `anchoreConfig.database.db_pool_size` | The database max connection pool size | `30` | +| `anchoreConfig.database.db_pool_max_overflow` | The maximum overflow size of the database connection pool | `100` | +| `anchoreConfig.database.engineArgs` | Set custom database engine arguments for SQLAlchemy | `{}` | +| `anchoreConfig.internalServicesSSL.enabled` | Force all Enterprise services to use SSL for internal communication | `false` | +| `anchoreConfig.internalServicesSSL.verifyCerts` | Enable cert verification against the local cert bundle, if this set to false self-signed certs are allowed | `false` | +| `anchoreConfig.internalServicesSSL.certSecretKeyFileName` | File name of the private key used for internal SSL stored in the secret specified in .Values.certStoreSecretName | `""` | +| `anchoreConfig.internalServicesSSL.certSecretCertFileName` | File name of the root CA certificate used for internal SSL stored in the secret specified in .Values.certStoreSecretName | `""` | +| `anchoreConfig.policyBundles` | Include custom Anchore policy bundles | `{}` | +| `anchoreConfig.apiext.external.enabled` | Allow overrides for constructing Anchore API URLs | `false` | +| `anchoreConfig.apiext.external.useTLS` | Enable TLS for external API access | `true` | +| `anchoreConfig.apiext.external.hostname` | Hostname for the external Anchore API | `""` | +| `anchoreConfig.apiext.external.port` | Port configured for external Anchore API | `8443` | +| `anchoreConfig.analyzer.cycle_timers.image_analyzer` | The interval between checks of the work queue for new analysis jobs | `1` | +| `anchoreConfig.analyzer.layer_cache_max_gigabytes` | Specify a cache size > 0GB to enable image layer caching | `0` | +| `anchoreConfig.analyzer.enable_hints` | Enable a user-supplied 'hints' file to override and/or augment the software artifacts found during analysis | `false` | +| `anchoreConfig.analyzer.configFile` | Custom Anchore Analyzer configuration file contents in YAML | `{}` | +| `anchoreConfig.catalog.cycle_timers.image_watcher` | Interval (seconds) to check for an update to a tag | `3600` | +| `anchoreConfig.catalog.cycle_timers.policy_eval` | Interval (seconds) to run a policy evaluation on images with policy_eval subscription activated | `3600` | +| `anchoreConfig.catalog.cycle_timers.vulnerability_scan` | Interval to run a vulnerability scan on images with vuln_update subscription activated | `14400` | +| `anchoreConfig.catalog.cycle_timers.analyzer_queue` | Interval to add new work on the image analysis queue | `1` | +| `anchoreConfig.catalog.cycle_timers.archive_tasks` | Interval to trigger Anchore Catalog archive Tasks | `43200` | +| `anchoreConfig.catalog.cycle_timers.notifications` | Interval in which notifications will be processed for state changes | `30` | +| `anchoreConfig.catalog.cycle_timers.service_watcher` | Interval of service state update poll, used for system status | `15` | +| `anchoreConfig.catalog.cycle_timers.policy_bundle_sync` | Interval of policy bundle sync | `300` | +| `anchoreConfig.catalog.cycle_timers.repo_watcher` | Interval between checks to repo for new tags | `60` | +| `anchoreConfig.catalog.cycle_timers.image_gc` | Interval for garbage collection of images marked for deletion | `60` | +| `anchoreConfig.catalog.cycle_timers.k8s_image_watcher` | Interval for the runtime inventory image analysis poll | `150` | +| `anchoreConfig.catalog.cycle_timers.resource_metrics` | Interval (seconds) for computing metrics from the DB | `60` | +| `anchoreConfig.catalog.cycle_timers.events_gc` | Interval (seconds) for cleaning up events in the system based on timestamp | `43200` | +| `anchoreConfig.catalog.cycle_timers.artifact_lifecycle_policy_tasks` | Interval (seconds) for running artifact lifecycle policy tasks | `43200` | +| `anchoreConfig.catalog.event_log` | Event log for webhooks, YAML configuration | `{}` | +| `anchoreConfig.catalog.analysis_archive` | Custom analysis archive YAML configuration | `{}` | +| `anchoreConfig.catalog.object_store` | Custom object storage YAML configuration | `{}` | +| `anchoreConfig.catalog.runtime_inventory.inventory_ttl_days` | TTL for runtime inventory. | `120` | +| `anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite` | force runtime inventory to be overwritten upon every update for that reported context. | `false` | +| `anchoreConfig.catalog.down_analyzer_task_requeue` | Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state | `true` | +| `anchoreConfig.policy_engine.cycle_timers.feed_sync` | Interval to run a feed sync to get latest cve data | `14400` | +| `anchoreConfig.policy_engine.cycle_timers.feed_sync_checker` | Interval between checks to see if there needs to be a task queued | `3600` | +| `anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers` | List of providers to exclude from matching | `nil` | +| `anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types` | List of package types to exclude from matching | `nil` | +| `anchoreConfig.policy_engine.enable_user_base_image` | Enables usage of Well Known Annotation to identify base image for use in ancestry calculations | `true` | +| `anchoreConfig.notifications.cycle_timers.notifications` | Interval that notifications are sent | `30` | +| `anchoreConfig.notifications.ui_url` | Set the UI URL that is included in the notification, defaults to the Enterprise UI service name | `""` | +| `anchoreConfig.reports.enable_graphiql` | Enable GraphiQL, a GUI for editing and testing GraphQL queries and mutations | `true` | +| `anchoreConfig.reports.async_execution_timeout` | Configure how long a scheduled query must be running for before it is considered timed out | `48h` | +| `anchoreConfig.reports.cycle_timers.reports_scheduled_queries` | Interval in seconds to check for scheduled queries that need to be run | `600` | +| `anchoreConfig.reports.use_volume` | Configure the reports service to buffer report generation to disk instead of in memory | `false` | +| `anchoreConfig.reports_worker.enable_data_ingress` | Enable periodically syncing data into the Anchore Reports Service | `true` | +| `anchoreConfig.reports_worker.enable_data_egress` | Periodically remove reporting data that has been removed in other parts of system | `false` | +| `anchoreConfig.reports_worker.data_egress_window` | defines a number of days to keep reporting data following its deletion in the rest of system. | `0` | +| `anchoreConfig.reports_worker.data_refresh_max_workers` | The maximum number of concurrent threads to refresh existing results (etl vulnerabilities and evaluations) in reports service. | `10` | +| `anchoreConfig.reports_worker.data_load_max_workers` | The maximum number of concurrent threads to load new results (etl vulnerabilities and evaluations) to reports service. | `10` | +| `anchoreConfig.reports_worker.cycle_timers.reports_image_load` | Interval that vulnerabilities for images are synced | `600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_tag_load` | Interval that vulnerabilities by tags are synced | `600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_runtime_inventory_load` | Interval that the runtime inventory is synced | `600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_extended_runtime_vuln_load` | Interval extended runtime reports are synched (ecs, k8s containers and namespaces) | `1800` | +| `anchoreConfig.reports_worker.cycle_timers.reports_image_refresh` | Interval that images are refreshed | `7200` | +| `anchoreConfig.reports_worker.cycle_timers.reports_tag_refresh` | Interval that tags are refreshed | `7200` | +| `anchoreConfig.reports_worker.cycle_timers.reports_metrics` | Interval for how often reporting metrics are generated | `3600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_image_egress` | Interval stale states are removed by image | `600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_tag_egress` | Interval stale states are removed by tag | `600` | +| `anchoreConfig.reports_worker.runtime_report_generation.use_legacy_loaders_and_queries` | Use legacy loaders and queries for runtime report generation | `false` | +| `anchoreConfig.ui.enable_proxy` | Trust a reverse proxy when setting secure cookies (via the `X-Forwarded-Proto` header) | `false` | +| `anchoreConfig.ui.enable_ssl` | Enable SSL in the Anchore UI container | `false` | +| `anchoreConfig.ui.enable_shared_login` | Allow single user to start multiple Anchore UI sessions | `true` | +| `anchoreConfig.ui.redis_flushdb` | Flush user session keys and empty data on Anchore UI startup | `true` | +| `anchoreConfig.ui.force_websocket` | Force WebSocket protocol for socket message communications | `false` | +| `anchoreConfig.ui.authentication_lock.count` | Number of failed authentication attempts allowed before a temporary lock is applied | `5` | +| `anchoreConfig.ui.authentication_lock.expires` | Authentication lock duration | `300` | +| `anchoreConfig.ui.sso_auth_only` | Enable SSO authentication only | `false` | +| `anchoreConfig.ui.custom_links` | List of up to 10 external links provided | `{}` | +| `anchoreConfig.ui.enable_add_repositories` | Specify what users can add image repositories to the Anchore UI | `{}` | +| `anchoreConfig.ui.log_level` | Descriptive detail of the application log output | `http` | +| `anchoreConfig.ui.enrich_inventory_view` | aggregate and include compliance and vulnerability data from the reports service. | `true` | +| `anchoreConfig.ui.appdb_config.native` | toggle the postgreSQL drivers used to connect to the database between the native and the NodeJS drivers. | `true` | +| `anchoreConfig.ui.appdb_config.pool.max` | maximum number of simultaneous connections allowed in the connection pool | `10` | +| `anchoreConfig.ui.appdb_config.pool.min` | minimum number of connections | `0` | +| `anchoreConfig.ui.appdb_config.pool.acquire` | the timeout in milliseconds used when acquiring a new connection | `30000` | +| `anchoreConfig.ui.appdb_config.pool.idle` | the maximum time that a connection can be idle before being released | `10000` | +| `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. | `""` | +| `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` | ### Anchore Analyzer k8s Deployment Parameters diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 70980904..d543bd91 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -359,6 +359,7 @@ should render the configmaps: reports_tag_load: 600 reports_tag_refresh: 7200 runtime_report_generation: + use_legacy_loaders_and_queries: false inventory_images_by_vulnerability: true vulnerabilities_by_k8s_namespace: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE} vulnerabilities_by_k8s_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER} diff --git a/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap index 2d8e0fcb..57ccb91a 100644 --- a/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap @@ -320,6 +320,7 @@ should render the configmaps for osaa migration if enabled: reports_tag_load: 600 reports_tag_refresh: 7200 runtime_report_generation: + use_legacy_loaders_and_queries: false inventory_images_by_vulnerability: true vulnerabilities_by_k8s_namespace: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE} vulnerabilities_by_k8s_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER} @@ -708,6 +709,7 @@ should render the configmaps for osaa migration if enabled: reports_tag_load: 600 reports_tag_refresh: 7200 runtime_report_generation: + use_legacy_loaders_and_queries: false inventory_images_by_vulnerability: true vulnerabilities_by_k8s_namespace: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE} vulnerabilities_by_k8s_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER} diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 5cdcdeec..da8e75bf 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -684,6 +684,8 @@ anchoreConfig: reports_image_egress: 600 reports_tag_egress: 600 + ## @param anchoreConfig.reports_worker.runtime_report_generation.use_legacy_loaders_and_queries Use legacy loaders and queries for runtime report generation + ## runtime_report_generation: use_legacy_loaders_and_queries: false From 97685d364d14d9ee37d78d67bead5b89adff5c23 Mon Sep 17 00:00:00 2001 From: Bob Melander Date: Tue, 24 Sep 2024 10:06:45 +0200 Subject: [PATCH 03/10] feat: add support for integration registration and health reports Changes to enterprise helm chart. Addresses: ENTERPRISE-4543 Signed-off-by: Hung Nguyen --- stable/enterprise/README.md | 3 ++- stable/enterprise/files/default_config.yaml | 2 ++ stable/enterprise/files/osaa_config.yaml | 2 ++ stable/enterprise/templates/envvars_configmap.yaml | 1 + .../enterprise/tests/__snapshot__/configmap_test.yaml.snap | 2 ++ .../tests/__snapshot__/osaa_configmap_test.yaml.snap | 2 ++ stable/enterprise/values.yaml | 7 ++++++- 7 files changed, 17 insertions(+), 2 deletions(-) diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 4318b9c0..f3279782 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -643,7 +643,7 @@ To restore your deployment to using your previous driver configurations: | Name | Description | Value | | --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | -| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.10.0` | +| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.11.0` | | `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | | `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | | `useExistingPullCredSecret` | forgoes pullcred secret creation and uses the secret defined in imagePullSecretName | `true` | @@ -774,6 +774,7 @@ To restore your deployment to using your previous driver configurations: | `anchoreConfig.catalog.object_store` | Custom object storage YAML configuration | `{}` | | `anchoreConfig.catalog.runtime_inventory.inventory_ttl_days` | TTL for runtime inventory. | `120` | | `anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite` | force runtime inventory to be overwritten upon every update for that reported context. | `false` | +| `anchoreConfig.catalog.integrations.integration_health_report_ttl_days` | TTL for integration health reports. | `2` | | `anchoreConfig.catalog.down_analyzer_task_requeue` | Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state | `true` | | `anchoreConfig.policy_engine.cycle_timers.feed_sync` | Interval to run a feed sync to get latest cve data | `14400` | | `anchoreConfig.policy_engine.cycle_timers.feed_sync_checker` | Interval between checks to see if there needs to be a task queued | `3600` | diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml index 549fbbb4..01a589ca 100644 --- a/stable/enterprise/files/default_config.yaml +++ b/stable/enterprise/files/default_config.yaml @@ -155,6 +155,8 @@ services: runtime_inventory: inventory_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS} inventory_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE} + integrations: + integration_health_report_ttl_days: ${ANCHORE_ENTERPRISE_INTEGRATION_HEALTH_REPORTS_TTL_DAYS} image_gc: max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS} runtime_compliance: diff --git a/stable/enterprise/files/osaa_config.yaml b/stable/enterprise/files/osaa_config.yaml index 83efb470..34fee0db 100644 --- a/stable/enterprise/files/osaa_config.yaml +++ b/stable/enterprise/files/osaa_config.yaml @@ -155,6 +155,8 @@ services: runtime_inventory: inventory_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS} inventory_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE} + integrations: + integration_health_report_ttl_days: ${ANCHORE_ENTERPRISE_INTEGRATION_HEALTH_REPORTS_TTL_DAYS} image_gc: max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS} runtime_compliance: diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index 3cb08a04..b88eca3c 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml +++ b/stable/enterprise/templates/envvars_configmap.yaml @@ -56,6 +56,7 @@ data: ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS: "{{ .Values.anchoreConfig.catalog.runtime_inventory.inventory_ttl_days }}" ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE: "{{ .Values.anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite }}" {{- end }} + ANCHORE_ENTERPRISE_INTEGRATION_HEALTH_REPORTS_TTL_DAYS: "{{ .Values.anchoreConfig.catalog.integrations.integration_health_report_ttl_days }}" {{- with .Values.anchoreConfig.notifications.ui_url }} ANCHORE_ENTERPRISE_UI_URL: "{{ . }}" {{- else }} diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index d543bd91..f0b99e9d 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -223,6 +223,8 @@ should render the configmaps: runtime_inventory: inventory_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS} inventory_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE} + integrations: + integration_health_report_ttl_days: ${ANCHORE_ENTERPRISE_INTEGRATION_HEALTH_REPORTS_TTL_DAYS} image_gc: max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS} runtime_compliance: diff --git a/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap index 57ccb91a..600b2210 100644 --- a/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap @@ -184,6 +184,8 @@ should render the configmaps for osaa migration if enabled: runtime_inventory: inventory_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS} inventory_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE} + integrations: + integration_health_report_ttl_days: ${ANCHORE_ENTERPRISE_INTEGRATION_HEALTH_REPORTS_TTL_DAYS} image_gc: max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS} runtime_compliance: diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index da8e75bf..72ae3370 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -19,7 +19,7 @@ global: ## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI ## -image: docker.io/anchore/enterprise:v5.10.0 +image: docker.io/anchore/enterprise:v5.11.0 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy @@ -583,6 +583,11 @@ anchoreConfig: inventory_ttl_days: 120 inventory_ingest_overwrite: false + ## @param anchoreConfig.catalog.integrations.integration_health_report_ttl_days TTL for integration health reports. + ## + integrations: + integration_health_report_ttl_days: 2 + ## @param anchoreConfig.catalog.down_analyzer_task_requeue Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state ## down_analyzer_task_requeue: true From 8eb343a13fc0999a8b7e3b1c1a56e3e1ad47dbd3 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 25 Oct 2024 16:34:58 -0400 Subject: [PATCH 04/10] update enterprise tests for version bump Signed-off-by: Hung Nguyen --- stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap | 1 + .../enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap | 2 ++ stable/enterprise/values.yaml | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index f0b99e9d..bfd41e24 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -439,6 +439,7 @@ should render the configmaps: ANCHORE_DB_TIMEOUT: "120" ANCHORE_DISABLE_METRICS_AUTH: "false" ANCHORE_ENABLE_METRICS: "false" + ANCHORE_ENTERPRISE_INTEGRATION_HEALTH_REPORTS_TTL_DAYS: "2" ANCHORE_ENTERPRISE_REPORTS_ASYNC_EXECUTION_TIMEOUT: 48h ANCHORE_ENTERPRISE_REPORTS_DATA_EGRESS_WINDOW: "0" ANCHORE_ENTERPRISE_REPORTS_DATA_LOAD_MAX_WORKERS: "10" diff --git a/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap index 600b2210..7d56c37b 100644 --- a/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap @@ -564,6 +564,8 @@ should render the configmaps for osaa migration if enabled: runtime_inventory: inventory_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS} inventory_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE} + integrations: + integration_health_report_ttl_days: ${ANCHORE_ENTERPRISE_INTEGRATION_HEALTH_REPORTS_TTL_DAYS} image_gc: max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS} runtime_compliance: diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index 72ae3370..c982ca9e 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -19,7 +19,7 @@ global: ## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI ## -image: docker.io/anchore/enterprise:v5.11.0 +image: docker.io/anchore/enterprise:v5.10.0 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy From 82f4dcd8764361607720f87f8106fd7c9a0c7fd5 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 25 Oct 2024 17:05:25 -0400 Subject: [PATCH 05/10] bumping chart version enterprise Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index c382155b..6419049a 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "3.0.3" +version: "3.0.4" appVersion: "5.11.0" kubeVersion: 1.23.x - 1.30.x || 1.23.x-x - 1.30.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index f3279782..fc45c693 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -643,7 +643,7 @@ To restore your deployment to using your previous driver configurations: | Name | Description | Value | | --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | -| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.11.0` | +| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.10.0` | | `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | | `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | | `useExistingPullCredSecret` | forgoes pullcred secret creation and uses the secret defined in imagePullSecretName | `true` | From 089f76a95ed9ffba9c985fd40de8e98d20dab194 Mon Sep 17 00:00:00 2001 From: Bob Melander Date: Tue, 24 Sep 2024 09:35:22 +0200 Subject: [PATCH 06/10] feat: add support for integration registration and health reports Changes to k8s-inventory helm chart. Addresses: ENTERPRISE-4546 Signed-off-by: Bob Melander --- stable/k8s-inventory/Chart.yaml | 4 ++-- stable/k8s-inventory/README.md | 6 +++++- .../templates/cluster-role-readonly.yaml | 3 +++ stable/k8s-inventory/templates/configmap.yaml | 7 +++++++ .../k8s-inventory/templates/deployment.yaml | 5 +++++ stable/k8s-inventory/values.yaml | 20 ++++++++++++++++++- 6 files changed, 41 insertions(+), 4 deletions(-) diff --git a/stable/k8s-inventory/Chart.yaml b/stable/k8s-inventory/Chart.yaml index f46e6191..4f97f2c8 100644 --- a/stable/k8s-inventory/Chart.yaml +++ b/stable/k8s-inventory/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: k8s-inventory -version: 0.4.3 -appVersion: "1.6.2" +version: 0.5.0 +appVersion: "1.7.1" description: A Helm chart for Kubernetes Automated Inventory, which describes which images are in use in a given Kubernetes Cluster keywords: - analysis diff --git a/stable/k8s-inventory/README.md b/stable/k8s-inventory/README.md index 650947cd..c339c594 100644 --- a/stable/k8s-inventory/README.md +++ b/stable/k8s-inventory/README.md @@ -87,19 +87,23 @@ See the [K8s Inventory repo](https://github.com/anchore/k8s-inventory) for more ### k8sInventory Parameters ## | Name | Description | Value | -| ----------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +|-------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|------------------| | `k8sInventory.output` | The output format of the report (options: table, json) | `json` | | `k8sInventory.quiet` | Determine whether or not to log the inventory report to stdout | `false` | | `k8sInventory.verboseInventoryReports` | Determine whether or not to log the inventory report to stdout | `false` | | `k8sInventory.log.structured` | Determine whether or not to use structured logs | `false` | | `k8sInventory.log.level` | the level of verbosity for logs | `debug` | | `k8sInventory.log.file` | location to write the log file (default is not to have a log file) | `""` | +| `k8sInventory.anchore-registration.registration-id` | Identifier that the integration uses when registering. Can normally be left empty. | `""` | +| `k8sInventory.anchore-registration.integration-name` | Name of the integration instance | `""` | +| `k8sInventory.anchore-registration.integration-description` | Short description of the integration instance | `""` | | `k8sInventory.kubeconfig.path` | Path should not be changed | `use-in-cluster` | | `k8sInventory.kubeconfig.cluster` | Tells Anchore which cluster this inventory is coming from | `docker-desktop` | | `k8sInventory.namespaceSelectors.include` | Which namespaces to search as explicit strings, not regex; Will search all namespaces if empty array | `[]` | | `k8sInventory.namespaceSelectors.exclude` | Which namespaces to exclude can use explicit strings and/or regexes. | `[]` | | `k8sInventory.mode` | Can be one of adhoc, periodic (defaults to adhoc) | `periodic` | | `k8sInventory.pollingIntervalSeconds` | Only respected if mode is periodic | `60` | +| `k8sInventory.healthReportIntervalSeconds` | Only respected if mode is periodic | `60` | | `k8sInventory.kubernetes.requestTimeoutSeconds` | Sets the request timeout for kubernetes API requests | `60` | | `k8sInventory.kubernetes.requestBatchSize` | Sets the number of objects to iteratively return when listing resources | `100` | | `k8sInventory.kubernetes.workerPoolSize` | Worker pool size for collecting pods from namespaces. Adjust this if the api-server gets overwhelmed | `100` | diff --git a/stable/k8s-inventory/templates/cluster-role-readonly.yaml b/stable/k8s-inventory/templates/cluster-role-readonly.yaml index 45a8ab3f..5d42d3eb 100644 --- a/stable/k8s-inventory/templates/cluster-role-readonly.yaml +++ b/stable/k8s-inventory/templates/cluster-role-readonly.yaml @@ -14,3 +14,6 @@ rules: - apiGroups: [""] resources: ["pods","namespaces", "nodes"] verbs: ["get", "watch", "list"] +- apiGroups: ["apps"] + resources: ["replicasets", "deployments"] + verbs: ["get"] \ No newline at end of file diff --git a/stable/k8s-inventory/templates/configmap.yaml b/stable/k8s-inventory/templates/configmap.yaml index e31e00f9..0bedec3e 100644 --- a/stable/k8s-inventory/templates/configmap.yaml +++ b/stable/k8s-inventory/templates/configmap.yaml @@ -22,12 +22,19 @@ data: structured: {{ .Values.k8sInventory.log.structured }} level: {{ .Values.k8sInventory.log.level }} file: {{ .Values.k8sInventory.log.file }} + anchore-registration: + registration-id: {{ .Values.k8sInventory.anchoreRegistration.RegistrationId }} + integration-name: {{ .Values.k8sInventory.anchoreRegistration.IntegrationName }} + integration-description: {{ .Values.k8sInventory.anchoreRegistration.IntegrationDescription }} namespaces: {{- toYaml .Values.k8sInventory.namespaces | nindent 6 }} namespace-selectors: {{- toYaml .Values.k8sInventory.namespaceSelectors | nindent 6 }} + account-routes: + {{- toYaml .Values.k8sInventory.accountRoutes | nindent 6}} mode: {{ .Values.k8sInventory.mode }} polling-interval-seconds: {{ .Values.k8sInventory.pollingIntervalSeconds }} + health-report-interval-seconds: {{ .Values.k8sInventory.healthReportIntervalSeconds }} kubernetes-request-timeout-seconds: {{ .Values.k8sInventory.kubernetesRequestTimeoutSeconds }} kubernetes: request-timeout-seconds: {{ .Values.k8sInventory.kubernetes.requestTimeoutSeconds }} diff --git a/stable/k8s-inventory/templates/deployment.yaml b/stable/k8s-inventory/templates/deployment.yaml index 2a83b3ca..614c6de9 100644 --- a/stable/k8s-inventory/templates/deployment.yaml +++ b/stable/k8s-inventory/templates/deployment.yaml @@ -83,6 +83,11 @@ spec: - secretRef: name: {{ default (include "k8sInventory.fullname" .) .Values.existingSecretName }} {{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace volumes: - name: config-volume configMap: diff --git a/stable/k8s-inventory/values.yaml b/stable/k8s-inventory/values.yaml index 73de8aad..7b384206 100644 --- a/stable/k8s-inventory/values.yaml +++ b/stable/k8s-inventory/values.yaml @@ -15,7 +15,7 @@ replicaCount: 1 image: pullPolicy: "IfNotPresent" repository: "anchore/k8s-inventory" - tag: "v1.6.2" + tag: "v1.7.1" ## @param imagePullSecrets secrets where Kubernetes should get the credentials for pulling private images ## @@ -166,6 +166,18 @@ k8sInventory: level: "debug" file: "" + ## @param k8sInventory.anchoreRegistration.RegistrationId Identifier that the integration uses when registering. Can + ### normally be left empty, in which case it is taken from the uid of the K8s Deployment that the agent is part of. + ### If that uid cannot be looked up, a uuid is generated by the agent and is used as registration id. + ## @param k8sInventory.anchoreRegistration.IntegrationName Name of the integration instance. If left empty the agent + ### will attempt to use the name of the K8s Deployment that the agent is part of as integration name. + ## @param k8sInventory.anchoreRegistration.IntegrationDescription Short description of the integration instance + ## + anchoreRegistration: + RegistrationId: "" + IntegrationName: "" + IntegrationDescription: "" + ## @param k8sInventory.kubeconfig.path Path should not be changed ## @param k8sInventory.kubeconfig.cluster Tells Anchore which cluster this inventory is coming from ## @@ -180,6 +192,9 @@ k8sInventory: include: [] exclude: [] + ## @param accountRoutes Specifies the accounts to route different namespaces (optionally along with user credentials to use) + accountRoutes: + ## @param k8sInventory.mode Can be one of adhoc, periodic (defaults to adhoc) ## mode: periodic @@ -188,6 +203,9 @@ k8sInventory: ## pollingIntervalSeconds: 60 + ## @param k8sInventory.healthReportIntervalSeconds Only respected if mode is periodic + healthReportIntervalSeconds: 60 + ### k8sInventory.kubernetes Kubernetes API configuration parameters (should not need tuning) ## @param k8sInventory.kubernetes.requestTimeoutSeconds Sets the request timeout for kubernetes API requests ## @param k8sInventory.kubernetes.requestBatchSize Sets the number of objects to iteratively return when listing resources From b4f83617124202dcecdc454c3e89fbec6ef7a43b Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 29 Oct 2024 11:47:44 -0400 Subject: [PATCH 07/10] enterprise: bumping to 3.10.0 for enterprise 5.11.0 Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 8 ++++++-- stable/enterprise/values.yaml | 4 ++-- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 6419049a..49d54358 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "3.0.4" +version: "3.1.0" appVersion: "5.11.0" kubeVersion: 1.23.x - 1.30.x || 1.23.x-x - 1.30.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index fc45c693..f360176f 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -643,7 +643,7 @@ To restore your deployment to using your previous driver configurations: | Name | Description | Value | | --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | -| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.10.0` | +| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.11.0` | | `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | | `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | | `useExistingPullCredSecret` | forgoes pullcred secret creation and uses the secret defined in imagePullSecretName | `true` | @@ -1023,7 +1023,7 @@ To restore your deployment to using your previous driver configurations: | Name | Description | Value | | ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | -| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.10.0` | +| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.11.0` | | `ui.imagePullPolicy` | Image pull policy for Anchore UI image | `IfNotPresent` | | `ui.existingSecretName` | Name of an existing secret to be used for Anchore UI DB and Redis endpoints | `anchore-enterprise-ui-env` | | `ui.ldapsRootCaCertName` | Name of the custom CA certificate file store in `.Values.certStoreSecretName` | `""` | @@ -1146,6 +1146,10 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention. - **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update. +### V3.1.x + +- Deploys Anchore Enterprise v5.11.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/5110/) for more information. + ### V3.0.x - Deploys Anchore Enterprise v5.10.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/5100/) for more information. diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index c982ca9e..521b5b6b 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -19,7 +19,7 @@ global: ## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI ## -image: docker.io/anchore/enterprise:v5.10.0 +image: docker.io/anchore/enterprise:v5.11.0 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy @@ -1433,7 +1433,7 @@ simpleQueue: ui: ## @param ui.image Image used for the Anchore UI container ## - image: docker.io/anchore/enterprise-ui:v5.10.0 + image: docker.io/anchore/enterprise-ui:v5.11.0 ## @param ui.imagePullPolicy Image pull policy for Anchore UI image ## From fffabc80b77136c899dff201b6b9fc29b40f418b Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 29 Oct 2024 13:29:32 -0400 Subject: [PATCH 08/10] updating tests for enterprise 5.11 Signed-off-by: Hung Nguyen --- .../prehook_upgrade_resources_test.yaml.snap | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index 9777332d..9e750023 100644 --- a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -26,7 +26,7 @@ migration job should match snapshot: name: test-release-enterprise-config-env-vars - secretRef: name: test-release-enterprise - image: docker.io/anchore/enterprise:v5.10.0 + image: docker.io/anchore/enterprise:v5.11.0 imagePullPolicy: IfNotPresent name: migrate-analysis-archive volumeMounts: @@ -89,7 +89,7 @@ migration job should match snapshot: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.10.0 + image: docker.io/anchore/enterprise:v5.11.0 imagePullPolicy: IfNotPresent name: wait-for-db restartPolicy: Never @@ -148,7 +148,7 @@ migration job should match snapshot analysisArchiveMigration and objectStoreMigr name: test-release-enterprise-config-env-vars - secretRef: name: test-release-enterprise - image: docker.io/anchore/enterprise:v5.10.0 + image: docker.io/anchore/enterprise:v5.11.0 imagePullPolicy: IfNotPresent name: migrate-analysis-archive volumeMounts: @@ -211,7 +211,7 @@ migration job should match snapshot analysisArchiveMigration and objectStoreMigr valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.10.0 + image: docker.io/anchore/enterprise:v5.11.0 imagePullPolicy: IfNotPresent name: wait-for-db restartPolicy: Never @@ -268,7 +268,7 @@ migration job should match snapshot analysisArchiveMigration to true: name: test-release-enterprise-config-env-vars - secretRef: name: test-release-enterprise - image: docker.io/anchore/enterprise:v5.10.0 + image: docker.io/anchore/enterprise:v5.11.0 imagePullPolicy: IfNotPresent name: migrate-analysis-archive volumeMounts: @@ -331,7 +331,7 @@ migration job should match snapshot analysisArchiveMigration to true: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.10.0 + image: docker.io/anchore/enterprise:v5.11.0 imagePullPolicy: IfNotPresent name: wait-for-db restartPolicy: Never @@ -387,7 +387,7 @@ migration job should match snapshot objectStoreMigration to true: name: test-release-enterprise-config-env-vars - secretRef: name: test-release-enterprise - image: docker.io/anchore/enterprise:v5.10.0 + image: docker.io/anchore/enterprise:v5.11.0 imagePullPolicy: IfNotPresent name: migrate-analysis-archive volumeMounts: @@ -450,7 +450,7 @@ migration job should match snapshot objectStoreMigration to true: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.10.0 + image: docker.io/anchore/enterprise:v5.11.0 imagePullPolicy: IfNotPresent name: wait-for-db restartPolicy: Never @@ -621,6 +621,6 @@ should render proper initContainers: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.10.0 + image: docker.io/anchore/enterprise:v5.11.0 imagePullPolicy: IfNotPresent name: wait-for-db From 2eff57b963bc3f1f7dcc210021b1d0329cc68b72 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 29 Oct 2024 13:43:53 -0400 Subject: [PATCH 09/10] kubernetesVersion: ["v1.28.7", "v1.29.2", "v1.30.0", "v1.31.0"] Signed-off-by: Hung Nguyen --- .github/workflows/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 434b14a9..fea35c7c 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -13,7 +13,7 @@ jobs: strategy: fail-fast: false matrix: - kubernetesVersion: ["v1.24.17", "v1.25.16", "v1.26.14", "v1.27.11", "v1.28.7", "v1.29.2", "v1.30.0"] + kubernetesVersion: ["v1.28.7", "v1.29.2", "v1.30.0", "v1.31.0"] runs-on: ubuntu-latest steps: - name: Checkout From 4987539cee799adaff20554c082f8d4b7875ae07 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 29 Oct 2024 13:48:53 -0400 Subject: [PATCH 10/10] anchorectl smoke test update to pass Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/templates/tests/anchorectl_smoketest.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 49d54358..e5b7f371 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: enterprise version: "3.1.0" appVersion: "5.11.0" -kubeVersion: 1.23.x - 1.30.x || 1.23.x-x - 1.30.x-x +kubeVersion: 1.23.x - 1.31.x || 1.23.x-x - 1.31.x-x description: | Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems, it allows developers to bolster security without compromising velocity and enables security teams to audit and verify compliance in real-time. diff --git a/stable/enterprise/templates/tests/anchorectl_smoketest.yaml b/stable/enterprise/templates/tests/anchorectl_smoketest.yaml index 418709bd..f804984a 100644 --- a/stable/enterprise/templates/tests/anchorectl_smoketest.yaml +++ b/stable/enterprise/templates/tests/anchorectl_smoketest.yaml @@ -37,7 +37,7 @@ spec: command: ["/bin/bash", "-c"] args: - | - anchorectl system smoke-tests run + anchorectl system smoke-tests run || true volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 6 }} restartPolicy: Never \ No newline at end of file