Update exclusions check for better new user experience (#412)

Signed-off-by: Hung Nguyen <[email protected]> * Update exclusions check to only fail under certain conditions. external feeds, disabled drivers * removing redundant github workflow helm-extra-set-args * toJson the list * test updates * allow changing data_syncer auto_sync_enabled * adding notes to helper function Signed-off-by: Hung Nguyen <[email protected]> --------- Signed-off-by: Hung Nguyen <[email protected]>
anchore · Oct 18, 2024 · c00f218 · c00f218
1 parent 62d0980
commit c00f218
Show file tree

Hide file tree

Showing 10 changed files with 120 additions and 15 deletions.
diff --git a/.github/workflows/openshift-test.yaml b/.github/workflows/openshift-test.yaml
@@ -128,7 +128,7 @@ jobs:
           mv ci/openshift-test.yaml ci/openshift-test-values.yaml
           popd
         done
-        ct install --config ct-config.yaml --helm-extra-args "--timeout 600s" --helm-extra-set-args "--set=useExistingPullCredSecret=true--set=useExistingLicenseSecret=true --set=anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers=[] --set=anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types=[]"
+        ct install --config ct-config.yaml --helm-extra-args "--timeout 600s"
       env:
         KUBECONFIG: ./tmp/kubeconfig
         TARGET_BRANCH: "${{ github.event.pull_request.base.ref }}"
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -99,4 +99,4 @@ jobs:
 
     - name: Run chart-testing
       if: steps.list-changed.outputs.CHANGED == 'true'
-      run: ct install --config ct-config.yaml --helm-extra-args "--timeout 600s" --helm-extra-set-args "--set=useExistingPullCredSecret=true --set=useExistingLicenseSecret=true --set=anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers=[] --set=anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types=[]"
+      run: ct install --config ct-config.yaml --helm-extra-args "--timeout 600s"
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: enterprise
-version: "3.0.0"
+version: "3.0.1"
 appVersion: "5.10.0"
 kubeVersion: 1.23.x - 1.30.x || 1.23.x-x - 1.30.x-x
 description: |

diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml
@@ -201,8 +201,16 @@ services:
             enabled: true
       matching:
         exclude:
-          providers: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers }}
-          package_types: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types }}
+          {{- if .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers }}
+          providers: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers | toJson }}
+          {{- else }}
+          providers: []
+          {{- end }}
+          {{- if .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types }}
+          package_types: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types | toJson }}
+          {{- else }}
+          package_types: []
+          {{- end }}
         default:
           search:
             by_cpe:
@@ -298,7 +306,7 @@ services:
     endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}
     listen: 0.0.0.0
     port: ${ANCHORE_PORT}
-    auto_sync_enabled: true
+    auto_sync_enabled: ${ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED}
     upload_dir: {{ .Values.scratchVolume.mountPath }}
     datasets:
       vulnerability_db:

diff --git a/stable/enterprise/files/osaa_config.yaml b/stable/enterprise/files/osaa_config.yaml
@@ -209,8 +209,16 @@ services:
             enabled: true
       matching:
         exclude:
-          providers: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers }}
-          package_types: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types }}
+          {{- if .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers }}
+          providers: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers | toJson }}
+          {{- else }}
+          providers: []
+          {{- end }}
+          {{- if .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types }}
+          package_types: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types | toJson }}
+          {{- else }}
+          package_types: []
+          {{- end }}
         default:
           search:
             by_cpe:
@@ -306,7 +314,7 @@ services:
     endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}
     listen: 0.0.0.0
     port: ${ANCHORE_PORT}
-    auto_sync_enabled: true
+    auto_sync_enabled: ${ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED}
     upload_dir: {{ .Values.scratchVolume.mountPath }}
     datasets:
       vulnerability_db:

diff --git a/stable/enterprise/templates/_helpers.tpl b/stable/enterprise/templates/_helpers.tpl
@@ -154,4 +154,92 @@ secretName: {{ . }}
 {{- else }}
 secretName: {{ template "enterprise.fullname" . }}-license
 {{- end }}
-{{- end -}}
+{{- end -}}
+
+
+{{/*
+Takes in a map of drivers and checks if the driver is enabled. If not, update the map to sets the notify flag to true
+*/}}
+{{- define "checkDriverEnabled" -}}
+  {{- $drivers := .drivers -}}
+  {{- $driverName := .driverName -}}
+  {{- $driver := index $drivers $driverName -}}
+  {{- if $driver }}
+    {{- $driverEnabled := index $driver "enabled" -}}
+    {{- if not $driverEnabled }}
+      {{- $notify := .notify -}}
+      {{- $_ := set . "notify" true -}}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Checks if the feeds chart was previously disabled or if any of the drivers were disabled. If so and required values aren't set, fail the upgrade.
+*/}}
+{{- define "enterprise.exclusionCheck" -}}
+
+{{ $notify := false }}
+
+{{/* checks if theres a feeds key, and if so, require values if feeds.chartEnabled is false or feeds.extraEnvs contain ANCHORE_FEEDS_DRIVER or drivers are disabled via values */}}
+{{ $feeds := index .Values "feeds" }}
+{{- if $feeds -}}
+  {{ $feedsChartEnabled := index .Values "feeds" "chartEnabled" }}
+  {{- if (not $feedsChartEnabled) -}}
+    {{ $notify = true }}
+  {{- end -}}
+
+  {{- if not $notify -}}
+    {{ $feedsExtraEnvs := index .Values "feeds" "extraEnv" }}
+    {{- if $feedsExtraEnvs -}}
+      {{- range $index, $val := $feedsExtraEnvs -}}
+        {{- if contains "ANCHORE_FEEDS_DRIVER" .name -}}
+          {{ $notify = true }}
+        {{- end -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- if not $notify -}}
+    {{- $anchoreConfig := index $feeds "anchoreConfig" }}
+    {{- if $anchoreConfig }}
+      {{- $anchoreFeeds := index $anchoreConfig "feeds" }}
+      {{- if $anchoreFeeds }}
+        {{- $drivers := index $anchoreFeeds "drivers" }}
+        {{/* calling function to check if driver is enabled, if driver is disabled, set notify to true if its not already true */}}
+        {{- if $drivers }}
+          {{- $context := dict "drivers" $drivers "notify" $notify "driverName" "gem" }}
+          {{- include "checkDriverEnabled" $context }}
+          {{- $notify = $context.notify }}
+
+          {{- $context := dict "drivers" $drivers "notify" $notify "driverName" "github" }}
+          {{- include "checkDriverEnabled" $context }}
+          {{- $notify = $context.notify }}
+
+          {{- $context := dict "drivers" $drivers "notify" $notify "driverName" "msrc" }}
+          {{- include "checkDriverEnabled" $context }}
+          {{- $notify = $context.notify }}
+
+          {{- $context := dict "drivers" $drivers "notify" $notify "driverName" "npm" }}
+          {{- include "checkDriverEnabled" $context }}
+          {{- $notify = $context.notify }}
+        {{- end -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{/* if we haven't needed a notification yet, check if top level extraEnvs have ANCHORE_FEEDS_DRIVER */}}
+{{- if not $notify -}}
+  {{- range $index, $val := .Values.extraEnv -}}
+    {{- if contains "ANCHORE_FEEDS_DRIVER" .name -}}
+      {{ $notify = true }}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{ if $notify }}
+    {{- $exclude_providers := required "anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers is required" .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers -}}
+    {{- $exclude_package := required "anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types is required" .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types -}}
+{{- end -}}
+
+{{- end -}}
diff --git a/stable/enterprise/templates/anchore_configmap.yaml b/stable/enterprise/templates/anchore_configmap.yaml
@@ -1,5 +1,4 @@
-{{- $exclude_providers := required "anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers is required" .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers -}}
-{{- $exclude_package := required "anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types is required" .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types -}}
+{{- include "enterprise.exclusionCheck" . -}}
 kind: ConfigMap
 apiVersion: v1
 metadata:

diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml
@@ -26,6 +26,7 @@ data:
   ANCHORE_CLI_USER: "admin"
   ANCHORECTL_URL: "http://localhost:8228"
   ANCHORECTL_USERNAME: "admin"
+  ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED: "true"
   ANCHORE_DISABLE_METRICS_AUTH: "{{ .Values.anchoreConfig.metrics.auth_disabled }}"
   ANCHORE_DB_POOL_MAX_OVERFLOW: "{{ .Values.anchoreConfig.database.db_pool_max_overflow }}"
   ANCHORE_DB_POOL_SIZE: "{{ .Values.anchoreConfig.database.db_pool_size }}"

diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
@@ -387,7 +387,7 @@ should render the configmaps:
             endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}
             listen: 0.0.0.0
             port: ${ANCHORE_PORT}
-            auto_sync_enabled: true
+            auto_sync_enabled: ${ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED}
             upload_dir: /analysis_scratch
             datasets:
               vulnerability_db:
@@ -424,6 +424,7 @@ should render the configmaps:
       ANCHORE_CATALOG_IMAGE_GC_WORKERS: "4"
       ANCHORE_CLI_URL: http://localhost:8228
       ANCHORE_CLI_USER: admin
+      ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED: "true"
       ANCHORE_DB_POOL_MAX_OVERFLOW: "100"
       ANCHORE_DB_POOL_SIZE: "30"
       ANCHORE_DB_SSL: "false"

diff --git a/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap
@@ -348,7 +348,7 @@ should render the configmaps for osaa migration if enabled:
             endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}
             listen: 0.0.0.0
             port: ${ANCHORE_PORT}
-            auto_sync_enabled: true
+            auto_sync_enabled: ${ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED}
             upload_dir: /analysis_scratch
             datasets:
               vulnerability_db:
@@ -733,7 +733,7 @@ should render the configmaps for osaa migration if enabled:
             endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}
             listen: 0.0.0.0
             port: ${ANCHORE_PORT}
-            auto_sync_enabled: true
+            auto_sync_enabled: ${ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED}
             upload_dir: /analysis_scratch
             datasets:
               vulnerability_db: