diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml index c4d5c6b3..08e2ff18 100644 --- a/stable/anchore-engine/Chart.yaml +++ b/stable/anchore-engine/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: anchore-engine -version: 1.11.7 -appVersion: 0.9.0 +version: 1.12.0 +appVersion: 0.9.1 description: Anchore container analysis and policy evaluation engine service keywords: - analysis diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md index 1cf05e68..2be0944a 100644 --- a/stable/anchore-engine/README.md +++ b/stable/anchore-engine/README.md @@ -14,15 +14,17 @@ See [Anchore Engine](https://github.com/anchore/anchore-engine) for more project The chart is split into global and service specific configurations for the OSS Anchore Engine, as well as global and services specific configurations for the Enterprise components. - * The `anchoreGlobal` section is for configuration values required by all Anchore Engine components. - * The `anchoreEnterpriseGlobal` section is for configuration values required by all Anchore Engine Enterprise components. - * Service specific configuration values allow customization for each individual service. +* The `anchoreGlobal` section is for configuration values required by all Anchore Engine components. +* The `anchoreEnterpriseGlobal` section is for configuration values required by all Anchore Engine Enterprise components. +* Service specific configuration values allow customization for each individual service. For a description of each component, view the official documentation at: [Anchore Enterprise Service Overview](https://docs.anchore.com/current/docs/overview/architecture/) ## Installing the Anchore Engine Helm Chart + ### TL;DR -``` + +```bash helm repo add anchore https://charts.anchore.io helm install my-release anchore/anchore-engine ``` 
@@ -33,14 +35,18 @@ The recommended way to install the Anchore Engine Helm Chart is with a customize Create a new file named `anchore_values.yaml` and add all desired custom values (examples below); then run the following command: - #### Helm v3 installation - `helm repo add anchore https://charts.anchore.io` +#### Helm v3 installation - `helm install -f anchore_values.yaml anchore/anchore-engine` +```bash +helm repo add anchore https://charts.anchore.io +helm install -f anchore_values.yaml anchore/anchore-engine +``` ##### Example anchore_values.yaml - using chart managed PostgreSQL service with custom passwords. + *Note: Installs with chart managed PostgreSQL database. This is not a guaranteed production ready config.* -``` + +```yaml ## anchore_values.yaml postgresql: @@ -57,6 +63,7 @@ anchoreGlobal: The following features are available to Anchore Enterprise customers. Please contact the Anchore team for more information about getting a license for the enterprise features. [Anchore Enterprise Demo](https://anchore.com/demo/) +```txt * Role based access control * LDAP integration * Graphical user interface @@ -66,8 +73,10 @@ anchoreGlobal: * Anchore reporting API * Notifications - Slack, GitHub, Jira, etc * Microsoft image vulnerability scanning +``` ### Enabling Enterprise Services + Enterprise services require an Anchore Enterprise license, as well as credentials with permission to the private docker repositories that contain the enterprise images. 
@@ -75,28 +84,35 @@ To use this Helm chart with the enterprise services enabled, perform these steps 1. Create a kubernetes secret containing your license file. - `kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=` + ```bash + kubectl create secret generic anchore-enterprise-license --from-file=license.yaml= + ``` 1. Create a kubernetes secret containing DockerHub credentials with access to the private anchore enterprise repositories. - `kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username= --docker-password= --docker-email=` + ```bash + kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username= --docker-password= --docker-email= + ``` 1. (demo) Install the Helm chart using default values - #### Helm v3 installation - `helm repo add anchore https://charts.anchore.io` - `helm install --set anchoreEnterpriseGlobal.enabled=true anchore/anchore-engine` + ```bash + helm repo add anchore https://charts.anchore.io + helm install --set anchoreEnterpriseGlobal.enabled=true anchore/anchore-engine + ``` -2. (production) Install the Helm chart using a custom anchore_values.yaml file - *see examples below* - #### Helm v3 installation - `helm repo add anchore https://charts.anchore.io` +1. (production) Install the Helm chart using a custom anchore_values.yaml file - *see examples below* - `helm install -f anchore_values.yaml anchore/anchore-engine` + ```bash + helm repo add anchore https://charts.anchore.io + helm install -f anchore_values.yaml anchore/anchore-engine + ``` -#### Example anchore_values.yaml - installing Anchore Enterprise +### Example anchore_values.yaml - installing Anchore Enterprise *Note: Installs with chart managed PostgreSQL & Redis databases. This is not a guaranteed production ready config.* -``` + +```yaml ## anchore_values.yaml postgresql: 
@@ -122,11 +138,14 @@ anchore-ui-redis: ``` ## Installing on OpenShift + As of chart version 1.3.1 deployments to OpenShift are fully supported. Due to permission constraints when utilizing OpenShift, the official RHEL postgresql image must be utilized, which requires custom environment variables to be configured for compatibility with this chart. -#### Example anchore_values.yaml - deploying on OpenShift +### Example anchore_values.yaml - deploying on OpenShift + *Note: Installs with chart managed PostgreSQL database. This is not a guaranteed production ready config.* -``` + +```yaml ## anchore_values.yaml postgresql: @@ -158,7 +177,8 @@ anchoreGlobal: To perform an Enterprise deployment on OpenShift use the following anchore_values.yaml configuration *Note: Installs with chart managed PostgreSQL database. This is not a guaranteed production ready config.* -``` + +```yaml ## anchore_values.yaml postgresql: 
@@ -215,26 +235,42 @@ anchore-ui-redis: ``` # Chart Updates + See the anchore-engine [CHANGELOG](https://github.com/anchore/anchore-engine/blob/master/CHANGELOG.md) for updates to anchore engine. ## Upgrading from previous chart versions + A Helm post-upgrade hook job will shut down all previously running Anchore services and perform the Anchore DB upgrade process using a kubernetes job. The upgrade will only be considered successful when this job completes successfully. Performing an upgrade will cause the Helm client to block until the upgrade job completes and the new Anchore service pods are started. To view progress of the upgrade process, tail the logs of the upgrade jobs `anchore-engine-upgrade` and `anchore-enterprise-upgrade`. These job resources will be removed upon a successful helm upgrade. -# Chart version 1.10.0 +## Chart version 1.12.0 + +--- + +* Anchore Engine image updated to v0.9.1 +* Anchore Enterprise images updated to v3.0.0 +* Existing secrets now work for Enterprise Feeds and Enterprise UI - see [existing secrets configuration](#-Utilize-an-Existing-Secret) +* Anchore admin default password no longer defaults to `foobar`, if no password is specified a random string will be generated. 
+ +## Chart version 1.10.0 + +--- Chart dependency declarations have been updated to be compatible with Helm v3.4.0 -# Chart version 1.8.0 +## Chart version 1.8.0 +--- The following Anchore-Engine features were added with this version: - * Malware scanning - see .Values.anchoreAnalyzer.configFile.malware - * Binary content scanning - * Content hints file analysis - see .Values.anchoreAnalyzer.enableHints - * Updated image deletion behavior + +* Malware scanning - see .Values.anchoreAnalyzer.configFile.malware +* Binary content scanning +* Content hints file analysis - see .Values.anchoreAnalyzer.enableHints +* Updated image deletion behavior For more details see - https://docs.anchore.com/current/docs/engine/releasenotes/080 -# Chart version 1.7.0 +## Chart version 1.7.0 +--- Starting with version 1.7.0 the anchore-engine chart will be hosted on charts.anchore.io - if you're upgrading from a previous version of the chart, you will need to delete your previous deployment and redeploy Anchore Engine using the chart from the Anchore Charts repository. This version of the chart includes the dependent Postgresql chart in the charts/ directory rather then pulling it from upstream. All apiVersions were updated for compatibility with kubernetes v1.16+ and the postgresql image has been updated to version 9.6.18. The chart version also updates to the latest version of the Redis chart from Bitnami. These dependency updates require deleting and re-installing your chart. If the following process is performed, no data should be lost. 
@@ -245,7 +281,7 @@ For these examples, we assume that your namespace is called `my-namespace` and y These examples use Helm version 3 and kubectl client version 1.18, server version 1.18. -#### ENSURE MIGRATION IS PERFORMED SEPARATELY FROM ANCHORE ENGINE UPGRADES +### **ENSURE MIGRATION IS PERFORMED SEPARATELY FROM ANCHORE ENGINE UPGRADES** All helm installation steps will include a flag to override the Anchore Engine/Enterprise images with your current running version. Upgrading your version of Anchore can be performed after moving to the new chart from charts.anchore.io. Record the version of your Anchore deployment and use it anytime the instructions refer to the Engine Code Version. @@ -253,7 +289,7 @@ All helm installation steps will include a flag to override the Anchore Engine/E Connect to the anchore-api pod, issue the following command and record the Engine Code Version: -``` +```bash [anchore@anchore-api anchore-engine]$ anchore-cli system status Service analyzer (anchore-anchore-engine-analyzer-7cd9c5cb78-j8n8p, http://anchore-anchore-engine-analyzer:8084): up Service apiext (anchore-anchore-engine-api-54cff87fcd-s4htm, http://anchore-anchore-engine-api:8228): up 
@@ -266,23 +302,24 @@ Engine Code Version: 0.7.2 ``` ## If Using An External Postgresql Database (not included as chart dependency) -``` -$ helm uninstall --namespace=my-namespace my-anchore -$ helm repo add anchore https://charts.anchore.io -$ helm repo update -$ export ANCHORE_VERSION=0.7.2 # USE YOUR ENGINE CODE VERSION HERE -$ helm install --namespace=my-namespace --set anchoreGlobal.image=docker.io/anchore/anchore-engine:v${ANCHORE_VERSION} --set anchoreEnterpriseGlobal.image=docker.io/anchore/enterprise:v${ANCHORE_VERSION} -f anchore_values.yaml my-anchore anchore/anchore-engine + +```bash +helm uninstall --namespace=my-namespace my-anchore +helm repo add anchore https://charts.anchore.io +helm repo update +export ANCHORE_VERSION=0.7.2 # USE YOUR ENGINE CODE VERSION HERE +helm install --namespace=my-namespace --set anchoreGlobal.image=docker.io/anchore/anchore-engine:v${ANCHORE_VERSION} --set anchoreEnterpriseGlobal.image=docker.io/anchore/enterprise:v${ANCHORE_VERSION} -f anchore_values.yaml my-anchore anchore/anchore-engine ``` ## If Using The Included Postgresql Chart When utilizing the included Postgresql chart you will need to reuse the persistent volume claims that are attached to your current deployment. These existing claims will be utilized when re-installing anchore-engine using the new chart from charts.anchore.io. -#### Determine Your Database PersistentVolumeClaim +### Determine Your Database PersistentVolumeClaim Find the name of the database PersistentVolumeClaim using `kubectl`: -``` +```bash $ kubectl get persistentvolumeclaim --namespace my-namespace NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE my-anchore-postgresql Bound pvc-739f6f21-b73b-11ea-a2b9-42010a800176 20Gi RWO standard 2d 
@@ -292,7 +329,7 @@ The name of your PersistentVolumeClaim in the example shown is `my-anchore-postg Anchore Enterprise users with a standalone Feeds Service will see a different set of PersistentVolumeClaims: -``` +```bash $ kubectl get persistentvolumeclaim --namespace my-namespace NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE my-anchore-anchore-feeds-db Bound pvc-cd7ebb6f-bbe0-11ea-b9bf-42010a800020 20Gi RWO standard 3d @@ -303,20 +340,20 @@ The names of the PersistentVolumeClaims in the example shown are `my-anchore-anc #### Uninstall Your Anchore Installation With Helm -``` +```bash $ helm uninstall --namespace=my-namespace my-anchore release "my-anchore" uninstalled ``` Anchore Enterprise users will want to remove the Redis DB PersistentVolumeClaim; this will delete all current session data but will not affect stability of the deployment: -``` -$ kubectl delete pvc redis-data-my-anchore-anchore-ui-redis-master-0 +```bash +kubectl delete pvc redis-data-my-anchore-anchore-ui-redis-master-0 ``` Your other PersistentVolumeClaims will still be resident in your cluster (we're showing results from an Anchore Enterprise installation that has a standalone Feeds Service below; Anchore Enterprise users without a standalone Feeds Service and Anchore Engine users will not see `my-anchore-anchore-feeds-db`): -``` +```bash $ kubectl get persistentvolumeclaim --namespace my-namespace NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE my-anchore-anchore-feeds-db Bound pvc-a22abf70-bbb9-11ea-840b-42010a8001d8 20Gi RWO standard 3d @@ -325,7 +362,7 @@ my-anchore-postgresql Bound pvc-e6daf90a-bbb8-11ea-840b-42010a8001d8 #### Add The New Anchore Helm Chart Repository -``` +```bash $ helm repo add anchore https://charts.anchore.io "anchore" has been added to your repositories 
@@ -339,7 +376,8 @@ Hang tight while we grab the latest from your chart repositories... Update your anchore_values.yaml file as shown, using the PersistentVolumeClaim values from above: Engine only deployment values file example: -``` + +```yaml # anchore_values.yaml postgresql: @@ -348,7 +386,8 @@ Engine only deployment values file example: ``` Enterprise deployment values file example: -``` + +```yaml # anchore_values.yaml postgresql: @@ -361,7 +400,8 @@ anchore-feeds-db: ``` Install a new Anchore Engine deployment using the chart from charts.anchore.io -``` + +```bash $ export ANCHORE_VERSION=0.7.2 # USE YOUR ENGINE CODE VERSION HERE $ helm install --namespace=my-namespace --set anchoreGlobal.image=docker.io/anchore/anchore-engine:v${ANCHORE_VERSION} --set anchoreEnterpriseGlobal.image=docker.io/anchore/enterprise:v${ANCHORE_VERSION} -f anchore_values.yaml my-anchore anchore/anchore-engine @@ -378,7 +418,7 @@ To use Anchore Engine you need the URL, username, and password to access the API Verify that your PersistentVolumeClaims are bound (output may vary): -``` +```bash $ kubectl get persistentvolumeclaim --namespace my-namespace NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE my-anchore-anchore-feeds-db Bound pvc-a22abf70-bbb9-11ea-840b-42010a8001d8 20Gi RWO standard 3d @@ -387,7 +427,7 @@ my-anchore-postgresql Bound pvc-e6daf90a-bbb8-11ea-840b-42010a8001d8 Connect to the anchore-api pod and validate that your installation still contains all of your previously scanned images. -``` +```bash [anchore@anchore-api anchore-engine]$ anchore-cli image list Full Tag Image Digest Analysis Status docker.io/alpine:latest sha256:a15790640a6690aa1730c38cf0a440e2aa44aaca9b0e8931a9f2b0d7cc90fd65 analyzed 
@@ -398,126 +438,152 @@ docker.io/ubuntu:latest sha256:60f560e52264ed1cb7829a0d59b1ee You are now running Anchore from the new chart repository, with your data in place. ## Upgrade To Latest Version of Anchore + Now that you're migrated to charts.anchore.io you can upgrade Anchore Engine to the latest version if desired. -``` -$ helm upgrade --namespace my-namespace -f anchore_values.yaml my-anchore anchore/anchore-engine +```bash +helm upgrade --namespace my-namespace -f anchore_values.yaml my-anchore anchore/anchore-engine ``` # Configuration All configurations should be appended to your custom `anchore_values.yaml` file and utilized when installing the chart. While the configuration options of Anchore Engine are extensive, the options provided by the chart are: -## Exposing the service outside the cluster: - -#### Using Ingress +## Exposing the service outside the cluster using Ingress This configuration allows SSL termination using your chosen ingress controller. -##### NGINX Ingress Controller +#### NGINX Ingress Controller + +```yaml +ingress: + enabled: true ``` + +#### ALB Ingress Controller + +```yaml ingress: enabled: true + annotations: + kubernetes.io/ingress.class: alb + alb.ingress.kubernetes.io/scheme: internet-facing + apiPath: /v1/* + uiPath: /* + apiHosts: + - anchore-api.example.com + uiHosts: + - anchore-ui.example.com + +anchoreApi: + service: + type: NodePort + +anchoreEnterpriseUi: + service + type: NodePort +``` + +#### GCE Ingress Controller + +```yaml +ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: gce + apiPath: /v1/* + uiPath: /* + apiHosts: + - anchore-api.example.com + uiHosts: + - anchore-ui.example.com + +anchoreApi: + service: + type: NodePort + +anchoreEnterpriseUi: + service + type: NodePort ``` -##### ALB Ingress Controller -``` - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: alb - alb.ingress.kubernetes.io/scheme: internet-facing - apiPath: /v1/* - uiPath: /* - apiHosts: - - 
anchore-api.example.com - uiHosts: - - anchore-ui.example.com - - anchoreApi: - service: - type: NodePort - - anchoreEnterpriseUi: - service - type: NodePort -``` - -##### GCE Ingress Controller - ``` - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: gce - apiPath: /v1/* - uiPath: /* - apiHosts: - - anchore-api.example.com - uiHosts: - - anchore-ui.example.com - - anchoreApi: - service: - type: NodePort - - anchoreEnterpriseUi: - service - type: NodePort - ``` - -#### Using Service Type - ``` - anchoreApi: - service: - type: LoadBalancer - ``` - -### Utilize an Existing Secret -Can be used to override the default secrets.yaml provided +## Exposing the service outside the cluster Using Service Type + +```yaml +anchoreApi: + service: + type: LoadBalancer ``` + +## Utilize an Existing Secret + +Secrets should be created prior to running `helm install`. These can be used to override the secret provisioned by the helm chart, preventing plaintext passwords in your values.yaml file. 
+ +```yaml anchoreGlobal: - existingSecret: "foo-bar" + # The secret should define the following environment vars: + # ANCHORE_ADMIN_PASSWORD + # ANCHORE_DB_PASSWORD + # ANCHORE_SAML_SECRET (if applicable) + existingSecret: "anchore-engine-secrets" + + +anchoreEnterpriseFeeds: + # The secret should define the following environment vars: + # ANCHORE_ADMIN_PASSWORD + # ANCHORE_FEEDS_DB_PASSWORD + # ANCHORE_SAML_SECRET (if applicable) + existingSecret: "anchore-feeds-secrets" + +anchoreEnterpriseUI: + # This secret should define the following ENV vars + # ANCHORE_APPDB_URI + # ANCHORE_REDIS_URI + existingSeccret: "anchore-ui-secrets" ``` -### Install using an existing/external PostgreSQL instance +## Install using an existing/external PostgreSQL instance + *Note: it is recommended to use an external Postgresql instance for production installs* - ``` - postgresql: - postgresPassword: - postgresUser: - postgresDatabase: - enabled: false - externalEndpoint: - - anchoreGlobal: - dbConfig: - ssl: true - ``` - -### Install using Google CloudSQL - ``` - ## anchore_values.yaml - postgresql: - enabled: false - postgresPassword: - postgresUser: - postgresDatabase: - - cloudsql: - enabled: true - instance: "project:zone:cloudsqlinstancename" - # Optional existing service account secret to use. - useExistingServiceAcc: true - serviceAccSecretName: my_service_acc - serviceAccJsonName: for_cloudsql.json - image: - repository: gcr.io/cloudsql-docker/gce-proxy - tag: 1.12 - pullPolicy: IfNotPresent - ``` - -### Archive Driver +```yaml +postgresql: + postgresPassword: + postgresUser: + postgresDatabase: + enabled: false + externalEndpoint: + +anchoreGlobal: + dbConfig: + ssl: true +``` + +## Install using Google CloudSQL + +```yaml +## anchore_values.yaml +postgresql: + enabled: false + postgresPassword: + postgresUser: + postgresDatabase: + +cloudsql: + enabled: true + instance: "project:zone:cloudsqlinstancename" + # Optional existing service account secret to use. 
+ useExistingServiceAcc: true + serviceAccSecretName: my_service_acc + serviceAccJsonName: for_cloudsql.json + image: + repository: gcr.io/cloudsql-docker/gce-proxy + tag: 1.12 + pullPolicy: IfNotPresent +``` + +## Archive Driver + *Note: it is recommended to use an external archive driver for production installs.* The archive subsystem of Anchore Engine is what stores large json documents and can consume quite a lot of storage if 
@@ -525,47 +591,48 @@ you analyze a lot of images. A general rule for storage provisioning is 10MB per analyzed images, you may need many gigabytes of storage. The Archive drivers now support other backends than just postgresql, so you can leverage external and scalable storage systems and keep the postgresql storage usage to a much lower level. -##### Configuring Compression: +### Configuring Compression The archive system has compression available to help reduce size of objects and storage consumed in exchange for slightly slower performance and more cpu usage. There are two config values: To toggle on/off (default is True), and set a minimum size for compression to be used (to avoid compressing things too small to be of much benefit, the default is 100): - ``` - anchoreCatalog: - archive: - compression: - enabled=True - min_size_kbytes=100 - ``` +```yaml +anchoreCatalog: + archive: + compression: + enabled=True + min_size_kbytes=100 +``` -##### The supported archive drivers are: +### The supported archive drivers are * S3 - Any AWS s3-api compatible system (e.g. minio, scality, etc) * OpenStack Swift * Local FS - A local filesystem on the core pod. Does not handle sharding or replication, so generally only for testing. * DB - the default postgresql backend -#### S3: - ``` - anchoreCatalog: - archive: - storage_driver: - name: 's3' - config: - access_key: 'MY_ACCESS_KEY' - secret_key: 'MY_SECRET_KEY' - #iamauto: True - url: 'https://S3-end-point.example.com' - region: null - bucket: 'anchorearchive' - create_bucket: True - compression: - ... # Compression config here - ``` - -#### Using Swift: +### S3 + +```yaml +anchoreCatalog: + archive: + storage_driver: + name: 's3' + config: + access_key: 'MY_ACCESS_KEY' + secret_key: 'MY_SECRET_KEY' + #iamauto: True + url: 'https://S3-end-point.example.com' + region: null + bucket: 'anchorearchive' + create_bucket: True + compression: + ... 
# Compression config here +``` + +### Using Swift The swift configuration is basically a pass-thru to the underlying pythonswiftclient so it can take quite a few different options depending on your swift deployment and config. The best way to configure the swift driver is by using a custom values.yaml 
@@ -576,82 +643,87 @@ The Swift driver supports three authentication methods: * Keystone V2 * Legacy (username / password) -##### Keystone V3: - ``` - anchoreCatalog: - archive: - storage_driver: - name: swift - config: - auth_version: '3' - os_username: 'myusername' - os_password: 'mypassword' - os_project_name: myproject - os_project_domain_name: example.com - os_auth_url: 'foo.example.com:8000/auth/etc' - container: 'anchorearchive' - # Optionally - create_container: True - compression: - ... # Compression config here - ``` - -##### Keystone V2: - ``` - anchoreCatalog: - archive: - storage_driver: - name: swift - config: - auth_version: '2' - os_username: 'myusername' - os_password: 'mypassword' - os_tenant_name: 'mytenant' - os_auth_url: 'foo.example.com:8000/auth/etc' - container: 'anchorearchive' - # Optionally - create_container: True - compression: - ... # Compression config here - ``` - -##### Legacy username/password: - ``` - anchoreCatalog: - archive: - storage_driver: - name: swift - config: - user: 'user:password' - auth: 'http://swift.example.com:8080/auth/v1.0' - key: 'anchore' - container: 'anchorearchive' - # Optionally - create_container: True - compression: - ... # Compression config here - ``` - -#### Postgresql: +#### Keystone V3 + +```yaml +anchoreCatalog: + archive: + storage_driver: + name: swift + config: + auth_version: '3' + os_username: 'myusername' + os_password: 'mypassword' + os_project_name: myproject + os_project_domain_name: example.com + os_auth_url: 'foo.example.com:8000/auth/etc' + container: 'anchorearchive' + # Optionally + create_container: True + compression: + ... 
# Compression config here +``` + +#### Keystone V2 + +```yaml +anchoreCatalog: + archive: + storage_driver: + name: swift + config: + auth_version: '2' + os_username: 'myusername' + os_password: 'mypassword' + os_tenant_name: 'mytenant' + os_auth_url: 'foo.example.com:8000/auth/etc' + container: 'anchorearchive' + # Optionally + create_container: True + compression: + ... # Compression config here +``` + +#### Legacy username/password + +```yaml +anchoreCatalog: + archive: + storage_driver: + name: swift + config: + user: 'user:password' + auth: 'http://swift.example.com:8080/auth/v1.0' + key: 'anchore' + container: 'anchorearchive' + # Optionally + create_container: True + compression: + ... # Compression config here +``` + +### Using Postgresql This is the default archive driver and requires no additional configuration. -### Prometheus Metrics +## Prometheus Metrics Anchore Engine supports exporting prometheus metrics form each container. To enable metrics: - ``` - anchoreGlobal: - enableMetrics: True - ``` + +```yaml +anchoreGlobal: + enableMetrics: True +``` When enabled, each service provides the metrics over the existing service port so your prometheus deployment will need to know about each pod and the ports it provides to scrape the metrics. -### Using custom certificates +## Using custom certificates + A secret needs to be created in the same namespace as the anchore-engine chart installation. This secret should contain all custom certs, including CA certs & any certs used for internal TLS communication. This secret will be mounted to all anchore-engine pods at /home/anchore/certs to be utilized by the system. -### Event Notifications +## Event Notifications Anchore Engine in v0.2.3 introduces a new events subsystem that exposes system-wide events via both a REST api as well as via webhooks. The webhooks support filtering to ensure only certain event classes result in webhook calls to help limit 
@@ -659,28 +731,32 @@ the volume of calls if you desire. Events, and all webhooks, are emitted from th done in the coreConfig. To configure the events: - ``` - anchoreCatalog: - events: - notification: - enabled:true - level=error - ``` -### Scaling Individual Components +```yaml +anchoreCatalog: + events: + notification: + enabled:true + level=error +``` + +## Scaling Individual Components As of Chart version 0.9.0, all services can now be scaled-out by increasing the replica counts. The chart now supports this configuration. To set a specific number of service containers: - ``` - anchoreAnalyzer: - replicaCount: 5 - anchorePolicyEngine: - replicaCount: 3 - ``` +```yaml +anchoreAnalyzer: + replicaCount: 5 + +anchorePolicyEngine: + replicaCount: 3 +``` To update the number in a running configuration: -`helm upgrade --set anchoreAnalyzer.replicaCount=2 anchore/anchore-engine -f anchore_values.yaml` +```bash +helm upgrade --set anchoreAnalyzer.replicaCount=2 anchore/anchore-engine -f anchore_values.yaml +``` diff --git a/stable/anchore-engine/templates/analyzer_deployment.yaml b/stable/anchore-engine/templates/analyzer_deployment.yaml index ec52269d..8afa6b80 100644 --- a/stable/anchore-engine/templates/analyzer_deployment.yaml +++ b/stable/anchore-engine/templates/analyzer_deployment.yaml @@ -132,8 +132,6 @@ spec: - name: config-volume mountPath: /config/config.yaml subPath: config.yaml - - name: policy-bundle-volume - mountPath: {{ .Values.anchoreGlobal.serviceDir }}/bundles {{- if (.Values.anchoreGlobal.certStoreSecretName) }} - name: certs mountPath: /home/anchore/certs/ @@ -188,9 +186,6 @@ spec: - name: analyzer-config-volume configMap: name: {{ template "anchore-engine.analyzer.fullname" . }} - - name: policy-bundle-volume - configMap: - name: {{ template "anchore-engine.fullname" . }}-policy-bundles {{- if .Values.anchoreGlobal.openShiftDeployment }} - name: service-config-volume emptyDir: {} 
diff --git a/stable/anchore-engine/templates/api_deployment.yaml b/stable/anchore-engine/templates/api_deployment.yaml index 32e7ea4f..d06c98b4 100644 --- a/stable/anchore-engine/templates/api_deployment.yaml +++ b/stable/anchore-engine/templates/api_deployment.yaml @@ -122,8 +122,13 @@ spec: - name: config-volume mountPath: /config/config.yaml subPath: config.yaml + {{- if .Values.anchoreGlobal.policyBundles }} + {{- range $key, $value := .Values.anchoreGlobal.policyBundles }} - name: policy-bundle-volume - mountPath: {{ .Values.anchoreGlobal.serviceDir }}/bundles + mountPath: {{ $.Values.anchoreGlobal.serviceDir }}/bundles/{{ $key }} + subPath: {{ $key }} + {{- end }} + {{- end }} {{- if .Values.anchoreGlobal.openShiftDeployment }} - name: service-config-volume mountPath: /anchore_service_config @@ -195,8 +200,6 @@ spec: - name: enterprise-config-volume mountPath: /config/config.yaml subPath: config.yaml - - name: policy-bundle-volume - mountPath: {{ .Values.anchoreGlobal.serviceDir }}/bundles {{- if (.Values.anchoreGlobal.certStoreSecretName) }} - name: certs mountPath: /home/anchore/certs/ @@ -267,8 +270,6 @@ spec: - name: enterprise-config-volume mountPath: /config/config.yaml subPath: config.yaml - - name: policy-bundle-volume - mountPath: {{ .Values.anchoreGlobal.serviceDir }}/bundles {{- if (.Values.anchoreGlobal.certStoreSecretName) }} - name: certs mountPath: /home/anchore/certs/ @@ -339,8 +340,6 @@ spec: - name: anchore-license mountPath: /home/anchore/license.yaml subPath: license.yaml - - name: policy-bundle-volume - mountPath: {{ .Values.anchoreGlobal.serviceDir }}/bundles {{- if (.Values.anchoreGlobal.certStoreSecretName) }} - name: certs mountPath: /home/anchore/certs/ 
@@ -413,8 +412,6 @@ spec: - name: anchore-license mountPath: /home/anchore/license.yaml subPath: license.yaml - - name: policy-bundle-volume - mountPath: {{ .Values.anchoreGlobal.serviceDir }}/bundles {{- if (.Values.anchoreGlobal.certStoreSecretName) }} - name: certs mountPath: /home/anchore/certs/ @@ -458,9 +455,11 @@ spec: - name: config-volume configMap: name: {{ template "anchore-engine.fullname" . }} + {{- if .Values.anchoreGlobal.policyBundles }} - name: policy-bundle-volume configMap: name: {{ template "anchore-engine.fullname" . }}-policy-bundles + {{- end }} {{- if .Values.anchoreGlobal.openShiftDeployment }} - name: service-config-volume emptyDir: {} diff --git a/stable/anchore-engine/templates/catalog_deployment.yaml b/stable/anchore-engine/templates/catalog_deployment.yaml index b81d9e23..046a8d90 100644 --- a/stable/anchore-engine/templates/catalog_deployment.yaml +++ b/stable/anchore-engine/templates/catalog_deployment.yaml @@ -115,8 +115,13 @@ spec: - name: config-volume mountPath: /config/config.yaml subPath: config.yaml + {{- if .Values.anchoreGlobal.policyBundles }} + {{- range $key, $value := .Values.anchoreGlobal.policyBundles }} - name: policy-bundle-volume - mountPath: {{ .Values.anchoreGlobal.serviceDir }}/bundles + mountPath: {{ $.Values.anchoreGlobal.serviceDir }}/bundles/{{ $key }} + subPath: {{ $key }} + {{- end }} + {{- end }} {{- if .Values.anchoreGlobal.openShiftDeployment }} - name: service-config-volume mountPath: /anchore_service_config @@ -164,9 +169,11 @@ spec: - name: config-volume configMap: name: {{ template "anchore-engine.fullname" . }} + {{- if .Values.anchoreGlobal.policyBundles }} - name: policy-bundle-volume configMap: name: {{ template "anchore-engine.fullname" . }}-policy-bundles + {{- end }} {{- if .Values.anchoreGlobal.openShiftDeployment }} - name: service-config-volume emptyDir: {} 
diff --git a/stable/anchore-engine/templates/engine_configmap.yaml b/stable/anchore-engine/templates/engine_configmap.yaml index 1324e4d1..e63b898e 100644 --- a/stable/anchore-engine/templates/engine_configmap.yaml +++ b/stable/anchore-engine/templates/engine_configmap.yaml @@ -28,6 +28,7 @@ data: global_client_connect_timeout: {{ default 0 .Values.anchoreGlobal.clientConnectTimeout }} global_client_read_timeout: {{ default 0 .Values.anchoreGlobal.clientReadTimeout }} + max_compressed_image_size_mb: {{ default -1 .Values.anchoreGlobal.maxCompressedImageSizeMB }} metrics: enabled: {{ .Values.anchoreGlobal.enableMetrics }} diff --git a/stable/anchore-engine/templates/enterprise_ui_configmap.yaml b/stable/anchore-engine/templates/enterprise_ui_configmap.yaml index de609e19..252adab2 100644 --- a/stable/anchore-engine/templates/enterprise_ui_configmap.yaml +++ b/stable/anchore-engine/templates/enterprise_ui_configmap.yaml @@ -51,7 +51,6 @@ data: enable_proxy: {{ .Values.anchoreEnterpriseUi.enableProxy }} allow_shared_login: {{ .Values.anchoreEnterpriseUi.enableSharedLogin }} redis_flushdb: {{ .Values.anchoreEnterpriseUi.redisFlushdb }} - policy_hub_uri: {{ .Values.anchoreEnterpriseUi.policyHubUri }} {{- with .Values.anchoreEnterpriseUi.customLinks }} custom_links: title: {{ .title }} diff --git a/stable/anchore-engine/templates/policy_bundle_configmap.yaml b/stable/anchore-engine/templates/policy_bundle_configmap.yaml index f3dce9de..10b06c68 100644 --- a/stable/anchore-engine/templates/policy_bundle_configmap.yaml +++ b/stable/anchore-engine/templates/policy_bundle_configmap.yaml @@ -1,3 +1,4 @@ +{{- if .Values.anchoreGlobal.policyBundles }} kind: ConfigMap apiVersion: v1 metadata: 
@@ -11,142 +12,7 @@ metadata: {{ toYaml . | nindent 4 }} {{- end }} data: - anchore_default_bundle.json: | - { - "id": "2c53a13c-1765-11e8-82ef-23527761d060", - "version": "1_0", - "name": "Default bundle", - "comment": "Default bundle", - "whitelisted_images": [], - "blacklisted_images": [], - "mappings": [ - { - "name": "default", - "repository": "*", - "image": { - "type": "tag", - "value": "*" - }, - "whitelist_ids": [ - "37fd763e-1765-11e8-add4-3b16c029ac5c" - ], - "registry": "*", - "id": "c4f9bf74-dc38-4ddf-b5cf-00e9c0074611", - "policy_id": "48e6f7d6-1765-11e8-b5f9-8b6f228548b6" - } - ], - "whitelists": [ - { - "comment": "Default global whitelist", - "items": [], - "version": "1_0", - "id": "37fd763e-1765-11e8-add4-3b16c029ac5c", - "name": "Global Whitelist" - } - ], - "policies": [ - { - "comment": "System default policy", - "rules": [ - { - "action": "STOP", - "gate": "dockerfile", - "trigger": "exposed_ports", - "params": [ - { - "name": "ports", - "value": "22" - }, - { - "name": "type", - "value": "blacklist" - } - ], - "id": "ce7b8000-829b-4c27-8122-69cd59018400" - }, - { - "action": "WARN", - "gate": "dockerfile", - "trigger": "instruction", - "params": [ - { - "name": "instruction", - "value": "HEALTHCHECK" - }, - { - "name": "check", - "value": "not_exists" - } - ], - "id": "312d9e41-1c05-4e2f-ad89-b7d34b0855bb" - }, - { - "action": "WARN", - "gate": "vulnerabilities", - "trigger": "stale_feed_data", - "params": [ - { - "name": "max_days_since_sync", - "value": "2" - } - ], - "id": "6b5c14e7-a6f7-48cc-99d2-959273a2c6fa" - }, - { - "action": "WARN", - "gate": "vulnerabilities", - "trigger": "vulnerability_data_unavailable", - "params": [], - "id": "3e79ea94-18c4-4d26-9e29-3b9172a62c2e" - }, - { - "action": "WARN", - "gate": "vulnerabilities", - "trigger": "package", - "params": [ - { - "name": "package_type", - "value": "all" - }, - { - "name": "severity_comparison", - "value": "=" - }, - { - "name": "severity", - "value": "medium" - } - ], - "id": 
"6063fdde-b1c5-46af-973a-915739451ac4" - }, - { - "action": "STOP", - "gate": "vulnerabilities", - "trigger": "package", - "params": [ - { - "name": "package_type", - "value": "all" - }, - { - "name": "severity_comparison", - "value": ">" - }, - { - "name": "severity", - "value": "medium" - } - ], - "id": "b30e8abc-444f-45b1-8a37-55be1b8c8bb5" - } - ], - "version": "1_0", - "id": "48e6f7d6-1765-11e8-b5f9-8b6f228548b6", - "name": "DefaultPolicy" - } - ] - } - {{- with .Values.anchoreGlobal.policyBundles }} {{- toYaml . | nindent 2 }} -{{- end }} \ No newline at end of file +{{- end }} +{{- end }} \ No newline at end of file diff --git a/stable/anchore-engine/templates/policy_engine_deployment.yaml b/stable/anchore-engine/templates/policy_engine_deployment.yaml index 3624eb2f..c3c6979b 100644 --- a/stable/anchore-engine/templates/policy_engine_deployment.yaml +++ b/stable/anchore-engine/templates/policy_engine_deployment.yaml @@ -129,8 +129,6 @@ spec: - name: config-volume mountPath: /config/config.yaml subPath: config.yaml - - name: policy-bundle-volume - mountPath: {{ .Values.anchoreGlobal.serviceDir }}/bundles - name: {{ $component }}-scratch mountPath: {{ .Values.anchoreGlobal.scratchVolume.mountPath }} {{- if .Values.anchoreGlobal.openShiftDeployment }} @@ -180,9 +178,6 @@ spec: - name: config-volume configMap: name: {{ template "anchore-engine.fullname" . }} - - name: policy-bundle-volume - configMap: - name: {{ template "anchore-engine.fullname" . }}-policy-bundles - name: {{ $component }}-scratch {{ toYaml .Values.anchoreGlobal.scratchVolume.details | nindent 10 }} {{- if .Values.anchoreGlobal.openShiftDeployment }} diff --git a/stable/anchore-engine/templates/simplequeue_deployment.yaml b/stable/anchore-engine/templates/simplequeue_deployment.yaml index 521de9f7..62e50f3c 100644 --- a/stable/anchore-engine/templates/simplequeue_deployment.yaml +++ b/stable/anchore-engine/templates/simplequeue_deployment.yaml 
@@ -115,8 +115,6 @@ spec: - name: config-volume mountPath: /config/config.yaml subPath: config.yaml - - name: policy-bundle-volume - mountPath: {{ .Values.anchoreGlobal.serviceDir }}/bundles {{- if .Values.anchoreGlobal.openShiftDeployment }} - name: service-config-volume mountPath: /anchore_service_config @@ -164,9 +162,6 @@ spec: - name: config-volume configMap: name: {{ template "anchore-engine.fullname" .}} - - name: policy-bundle-volume - configMap: - name: {{ template "anchore-engine.fullname" . }}-policy-bundles {{- if .Values.anchoreGlobal.openShiftDeployment }} - name: service-config-volume emptyDir: {} diff --git a/stable/anchore-engine/values.yaml b/stable/anchore-engine/values.yaml index 6ba969cb..7d127d1d 100644 --- a/stable/anchore-engine/values.yaml +++ b/stable/anchore-engine/values.yaml @@ -95,7 +95,7 @@ ingress: # Global configuration shared by all anchore-engine services. anchoreGlobal: # Image used for all anchore engine deployments (excluding enterprise components). - image: docker.io/anchore/anchore-engine:v0.9.0 + image: docker.io/anchore/anchore-engine:v0.9.1 imagePullPolicy: IfNotPresent # Set image pull secret name if using an anchore-engine image from a private registry @@ -173,7 +173,7 @@ anchoreGlobal: metricsAuthDisabled: false # Sets the password & email address for the default anchore-engine admin user. - defaultAdminPassword: foobar + defaultAdminPassword: defaultAdminEmail: example@email.com saml: 
@@ -235,22 +235,22 @@ anchoreGlobal: # to /bundles and made available to all anchore services. See the docs for details on how to create policy bundles # https://docs.anchore.com/current/docs/engine/general/concepts/policy/bundles/ policyBundles: - # custom_policy_bundle1.json: | - # { - # "id": "custom1", - # "version": "1_0", - # "name": "My custom bundle", - # "comment": "My system's custom bundle", - # "whitelisted_images": [], - # "blacklisted_images": [], - # "mappings": [], - # "whitelists": [], - # "policies": [] - # } - # custom_policy_bundle2.json: | - # { - # .... - # } +# custom_policy_bundle1.json: | +# { +# "id": "custom1", +# "version": "1_0", +# "name": "My custom bundle", +# "comment": "My system's custom bundle", +# "whitelisted_images": [], +# "blacklisted_images": [], +# "mappings": [], +# "whitelists": [], +# "policies": [] +# } +# custom_policy_bundle2.json: | +# { +# .... +# } # Allow configuration of Kubernetes probes probes: @@ -629,7 +629,7 @@ anchoreEnterpriseGlobal: # Create this secret with the following command - kubectl create secret generic anchore-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license - image: docker.io/anchore/enterprise:v2.4.1 + image: docker.io/anchore/enterprise:v3.0.0 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. # Create this secret with the following command - kubectl create secret docker-registry anchore-dockerhub-creds --docker-server=docker.io --docker-username= --docker-password= --docker-email= 
@@ -865,7 +865,7 @@ anchoreEnterpriseNotifications: anchoreEnterpriseUi: # If enabled is set to false, set anchore-ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true - image: docker.io/anchore/enterprise-ui:v2.4.1 + image: docker.io/anchore/enterprise-ui:v3.0.0 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers. @@ -901,17 +901,6 @@ anchoreEnterpriseUi: # is flushed, any users with active sessions will be required to re-authenticate. redisFlushdb: true - # The (optional) `policy_hub_uri` key specifies the address of a Policy Hub - # service. The value must be a string containing a properly-formed 'http' or - # 'https' URI, and can be overridden by using the `ANCHORE_POLICY_HUB_URI` - # environment variable. - # - # When this value is set, the Policy Hub component is enabled within the - # Policy Manager view (`/policy`). Note that the availability and integrity of - # Policy Hub data is determined by this component at run-time when this - # component is accessed. - policyHubUri: 'http://hub.anchore.io' - # The (optional) `custom_links` key allows a list of up to 10 external links to # be provided (additional items will be excluded). The top-level `title` key # provided the label for the menu (if present, otherwise the string "Custom
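Review bot: in the `@@ -122,8 +122,13 @@` hunk of api_deployment.yaml, `$value` is bound by `range $key, $value := .Values.anchoreGlobal.policyBundles` but never used; bind it as `$_` so a reader does not hunt for where it is consumed. The bigger operational point is the switch to `subPath: {{ $key }}`: kubelet does not propagate later ConfigMap edits into a subPath mount (the file is copied once at pod start), so after this change an edit to `anchoreGlobal.policyBundles` reaches a running api pod only on rollout. Either confirm the pod template carries a checksum annotation of the `-policy-bundles` ConfigMap so `helm upgrade` restarts the pods, or document that a restart is required. The `$key` used in `mountPath` and `subPath` cannot be abused for traversal, since the API server only accepts ConfigMap keys matching `[-._a-zA-Z0-9]+`, so no `/` or `..` can reach the path. The identical `@@ -115,8 +115,13 @@` hunk in catalog_deployment.yaml has the same two points.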
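Review bot: the four hunks in api_deployment.yaml that drop `policy-bundle-volume` from the enterprise containers (the ones mounting `enterprise-config-volume` and `anchore-license`) are necessary once the volume itself is wrapped in `{{- if .Values.anchoreGlobal.policyBundles }}`, because an unconditional volumeMount that references a volume absent from the pod spec fails validation; but they are also a behaviour change for anyone whose enterprise containers read `{{ .Values.anchoreGlobal.serviceDir }}/bundles`. The same removal happens in policy_engine_deployment.yaml and simplequeue_deployment.yaml, where both the mount and the volume go. State in the README or CHANGELOG that bundles are now mounted only into the engine api and catalog containers, one file per key under `bundles/`.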
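Review bot: in the engine_configmap.yaml hunk, `{{ default -1 .Values.anchoreGlobal.maxCompressedImageSizeMB }}` silently rewrites an explicit `0` to `-1`, because Sprig's `default` treats a zero number as empty; if `0` is a meaningful value to the engine, render `{{ .Values.anchoreGlobal.maxCompressedImageSizeMB }}` directly and put the `-1` default in values.yaml instead. None of the values.yaml hunks in this patch add a `maxCompressedImageSizeMB` key, so the new setting currently exists only in the template. Since a compressed-size cap is the knob that bounds how much layer data the analyzer will pull from a registry it does not control, add the key to values.yaml with a comment saying what `-1` means.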
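Review bot: removing `policy_hub_uri` from enterprise_ui_configmap.yaml together with `policyHubUri` (and its doc comment, which also described the `ANCHORE_POLICY_HUB_URI` override) from values.yaml means an existing `anchoreEnterpriseUi.policyHubUri` in a user's values file is now ignored with no warning, and the Policy Hub section of the Policy Manager view simply stops appearing. Add an upgrade note, and consider a short-lived guard in the template such as `{{- if .Values.anchoreEnterpriseUi.policyHubUri }}{{ fail "anchoreEnterpriseUi.policyHubUri is no longer supported" }}{{- end }}` so the operator is told rather than left to discover the missing feature.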
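Review bot: the policy_bundle_configmap.yaml hunk deletes the chart-shipped `anchore_default_bundle.json` (STOP on `exposed_ports` 22 and on vulnerabilities with severity `>` medium, WARN on a missing `HEALTHCHECK`, on `stale_feed_data` older than 2 days, on `vulnerability_data_unavailable` and on medium vulnerabilities) and makes the whole ConfigMap conditional on `anchoreGlobal.policyBundles`, so a fresh install with that value unset ships no bundle file at all. Confirm that the engine image's own default bundle provides an equivalent gate set and say so in the CHANGELOG; anyone who relied on this file for gating now has to carry those rules under `anchoreGlobal.policyBundles`. Minor: the inner `{{- with .Values.anchoreGlobal.policyBundles }}` is redundant under the new outer `{{- if }}` on the same value; `{{ toYaml .Values.anchoreGlobal.policyBundles | nindent 2 }}` with a single `{{- end }}` reads cleaner, and the file is still missing its trailing newline.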
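Review bot: blanking `defaultAdminPassword: foobar` in values.yaml is the right move (a well-known default admin credential on the service that decides whether images pass policy is the classic finding), but nothing in this patch shows what the template does with the empty value. Check the rendered config: if it emits `default_admin_password: ""` or `null` and the engine accepts that as the admin credential, wrap the value in `required "anchoreGlobal.defaultAdminPassword must be set" .Values.anchoreGlobal.defaultAdminPassword` so the install fails loudly, or point operators at supplying it from an existing Secret. The comment above the key still reads as if a default is provided; update it to say the value must be set.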
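Review bot: the `@@ -235,22 +235,22 @@` hunk in values.yaml only re-indents the commented `policyBundles` example, but the context line above it still says bundles are "mounted to /bundles and made available to all anchore services", which this patch makes false in two ways: each bundle is now mounted individually at `<serviceDir>/bundles/<key>` via subPath, and only the api and catalog deployments mount it (policy_engine, simplequeue and the enterprise containers no longer do). Update that comment in the same hunk so the example and the description agree.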
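Review bot: `docker.io/anchore/enterprise:v2.4.1` to `v3.0.0` and `enterprise-ui:v2.4.1` to `v3.0.0` are a major-version jump of the enterprise images buried in two one-line values.yaml hunks, alongside the engine bump to `anchore-engine:v0.9.1`. A `helm upgrade` with default values will pull and run the new major silently; call it out in the README/CHANGELOG with whatever migration steps the enterprise release needs, and since tags are mutable, note the digest you tested against so operators can pin it.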