Commit

Update engine v0.8.0 (#53)
* add configuration for analyzer hints & malware scanning

* update README with new feature listing

* bump chart version

Signed-off-by: Brady Todhunter <[email protected]>
Btodhunter authored Aug 10, 2020
1 parent b916a7d commit 5176701
Showing 4 changed files with 34 additions and 4 deletions.
4 changes: 2 additions & 2 deletions stable/anchore-engine/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
name: anchore-engine
version: 1.7.0
appVersion: 0.7.3
version: 1.8.0
appVersion: 0.8.0
description: Anchore container analysis and policy evaluation engine service
keywords:
- analysis
14 changes: 13 additions & 1 deletion stable/anchore-engine/README.md
@@ -1,5 +1,7 @@
# Anchore Engine Helm Chart

[Instructions for migrating deployments from helm/stable to charts.anchore.io](#migrating-to-the-new-anchore-charts-repository)

This chart deploys the Anchore Engine docker container image analysis system. Anchore Engine requires a PostgreSQL database (>=9.6) which may be handled by the chart or supplied externally, and executes in a service based architecture utilizing the following Anchore Engine services: External API, SimpleQueue, Catalog, Policy Engine, and Analyzer.

This chart can also be used to install the following Anchore Enterprise services: GUI, RBAC, Reporting, Notifications & On-premises Feeds. Enterprise services require a valid Anchore Enterprise License as well as credentials with access to the private DockerHub repository hosting the images. These are not enabled by default.
Expand Down Expand Up @@ -218,6 +220,16 @@ See the anchore-engine [CHANGELOG](https://github.com/anchore/anchore-engine/blo
## Upgrading from previous chart versions
A Helm post-upgrade hook job will shut down all previously running Anchore services and perform the Anchore DB upgrade process using a kubernetes job. The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful helm upgrade.

# Chart version 1.8.0

The following Anchore-Engine features were added with this version:
* Malware scanning - see .Values.anchoreAnalyzer.configFile.malware
* Binary content scanning
* Content hints file analysis - see .Values.anchoreAnalyzer.enableHints
* Updated image deletion behavior

For more details see - https://docs.anchore.com/current/docs/engine/releasenotes/080

# Chart version 1.7.0

Starting with version 1.7.0 the anchore-engine chart will be hosted on charts.anchore.io - if you're upgrading from a previous version of the chart, you will need to delete your previous deployment and redeploy Anchore Engine using the chart from the Anchore Charts repository.
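
Review bot: The `Malware scanning` bullet in the new `# Chart version 1.8.0` section points at `.Values.anchoreAnalyzer.configFile.malware`, but in this commit's values.yaml that key exists only as a commented-out example, so a reader following the pointer finds nothing set. Say in the bullet that malware scanning stays off until the `malware:` block is uncommented, and that hints are off by default (`enableHints: false`). `Updated image deletion behavior` reads as a behavior change but is the one item with no description or values pointer; a one-line summary of what changes would save operators a trip to the release notes.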
Expand All @@ -228,7 +240,7 @@ This version of the chart includes the dependent Postgresql chart in the charts/

For these examples, we assume that your namespace is called `my-namespace` and your Anchore installation is called `my-anchore`.

These examples use Helm version 3 and kubectl client version 1.18, server version 1.14.
These examples use Helm version 3 and kubectl client version 1.18, server version 1.18.

#### ENSURE MIGRATION IS PERFORMED SEPARATELY FROM ANCHORE ENGINE UPGRADES
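
Review bot: The server version in `kubectl client version 1.18, server version 1.18` changed from 1.14, which none of the three commit message bullets covers. If the migration examples were re-run only against a 1.18 server, state separately whether older server versions are still expected to work, since this line is the only visible statement of what the examples were run against.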

1 change: 1 addition & 0 deletions stable/anchore-engine/templates/engine_configmap.yaml
Expand Up @@ -169,6 +169,7 @@ data:
layer_cache_enable: false
{{- end }}
layer_cache_max_gigabytes: {{ .Values.anchoreAnalyzer.layerCacheMaxGigabytes }}
enable_hints: {{ .Values.anchoreAnalyzer.enableHints }}
{{- if .Values.anchoreGlobal.internalServicesSsl.enabled }}
ssl_enable: {{ .Values.anchoreGlobal.internalServicesSsl.enabled }}
ssl_cert: "/home/anchore/certs/{{- .Values.anchoreGlobal.internalServicesSsl.certSecretCertName }}"
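
Review bot: `enable_hints: {{ .Values.anchoreAnalyzer.enableHints }}` is rendered without a fallback, so an override that sets `enableHints` to null or an empty string produces `enable_hints:` with no value in the generated config. Consider `{{ .Values.anchoreAnalyzer.enableHints | default false }}` so the rendered setting is always an explicit boolean and the feature stays off unless someone turns it on.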
19 changes: 18 additions & 1 deletion stable/anchore-engine/values.yaml
Expand Up @@ -90,7 +90,7 @@ ingress:
# Global configuration shared by all anchore-engine services.
anchoreGlobal:
# Image used for all anchore engine deployments (excluding enterprise components).
image: docker.io/anchore/anchore-engine:v0.7.3
image: docker.io/anchore/anchore-engine:v0.8.0
imagePullPolicy: IfNotPresent
# Set image pull secret name if using an anchore-engine image from a private registry
imagePullSecretName:
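
Review bot: `image: docker.io/anchore/anchore-engine:v0.8.0` is referenced by tag with `imagePullPolicy: IfNotPresent`, so each node runs whatever content it pulled for that tag and nothing here ties the deployment to one specific image. Since this line is touched on every engine bump, consider noting in the comment above it that a digest reference (`anchore-engine@sha256:<digest>`) can be supplied for deployments that need a verifiable pin, provided the templates pass the value through unchanged.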
Expand Down Expand Up @@ -223,6 +223,12 @@ anchoreAnalyzer:
# For more info see - https://docs.anchore.com/current/docs/engine/engine_installation/storage/layer_caching/
# Enable image layer caching by setting a cache size > 0GB.
layerCacheMaxGigabytes: 0

# Enable the ability to read a user-supplied 'hints' file to allow users to override and/or augment the software artifacts that are discovered by anchore during its image analysis process.
# Once enabled, the analyzer services will look for a file with a specific name, location and format located within the container image - /anchore_hints.json
# For more info see - https://docs.anchore.com/current/docs/engine/engine_installation/configuration/content_hints
enableHints: false

configFile:
# Anchore analyzer config file
#
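
Review bot: The comment on `enableHints` calls the file 'user-supplied', but `/anchore_hints.json` is read from inside the image being analyzed, so the party supplying it is whoever built the image. Because the file can 'override and/or augment' the artifacts the analyzer reports, the comment should say that enabling this lets image content influence analysis results and is meant for environments where image builders are trusted. Keeping the default at `false` is the right call.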
Expand Down Expand Up @@ -255,6 +261,17 @@ anchoreAnalyzer:
# regexp_match:
# - "EXAMPLE_MATCH="

# Uncomment the 'malware' section to enable use of the open-source ClamAV malware scanner to detect malicious code embedded in container images.
# This scan occurs only at analysis time when the image content itself is available, and the scan results are available via the Engine API as well as
# for consumption in new policy gates to allow gating of image with malware findings.
# For more detailed configuration info see - https://docs.anchore.com/current/docs/engine/general/concepts/images/analysis/malware_scanning
#
# malware:
# clamav:
# enabled: true
# db_update_enabled: true


# resources:
# limits:
# cpu: 1
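
Review bot: The example sets `db_update_enabled: true` without saying where the ClamAV database update comes from or what the analyzer does when the update cannot be fetched; clusters with restricted egress need that to choose between `true` and `false`. Add a comment line for each of `enabled` and `db_update_enabled`, and note next to the commented `resources:` block whether enabling the scanner changes the analyzer's CPU or memory needs. Minor: 'gating of image with malware findings' should read 'images', and the block ends with two blank lines.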