Merge pull request #307 from anchore/dev-sync
Updating Enterprise Image to 4.9.3, enable hashed_passwords by default in enterprise chart.
HN23 authored Oct 13, 2023
2 parents c70d2a0 + 0c4042e commit 965e599
Showing 14 changed files with 66 additions and 43 deletions.
2 changes: 1 addition & 1 deletion stable/anchore-engine/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v2
name: anchore-engine
version: 1.28.2
version: 1.28.3
appVersion: 1.1.0
description: Anchore container analysis and policy evaluation engine service
keywords:
11 changes: 11 additions & 0 deletions stable/anchore-engine/templates/_helpers.tpl
@@ -479,4 +479,15 @@ Upon upgrade, check if the user uses non-default values for ingress path configu
{{- if and .Release.IsUpgrade (or .Values.ingress.feedsPath .Values.ingress.reportsPath .Values.ingress.apiPath) }}
{{- fail "As of chart v1.28.0, the `ingress.feedsPath`, `ingress.reportsPath`, and `ingress.apiPath` values are no longer valid. See README for more information - https://github.com/anchore/anchore-charts/blob/main/stable/anchore-engine/README.md#chart-version-1280" }}
{{- end }}
{{- end -}}
{{/*
Fail if the enterprise image is v5.0.0 or greater
*/}}
{{- define "checkAnchoreEnterpriseCompatibility" -}}
{{- $imageVersion := (index (splitList ":" .Values.anchoreEnterpriseGlobal.image) 1) -}}
{{- $majorVersion := int (index (splitList "." (trimPrefix "v" $imageVersion)) 0) -}}
{{- if ge $majorVersion 5 -}}
{{- fail "Upgrading to Anchore 5.0.0+ is not supported with the engine chart. For information on migrating to the enterprise chart, please refer to https://github.com/anchore/anchore-charts/tree/main/stable/enterprise#migrating-to-the-anchore-enterprise-helm-chart" }}
{{- end -}}
{{- end -}}
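Review bot: the tag extraction on `{{- $imageVersion := (index (splitList ":" .Values.anchoreEnterpriseGlobal.image) 1) -}}` takes element 1 of a split on ":", so an image reference that carries a registry port (for example `registry:5000/anchore/enterprise:v5.0.0`) yields `5000/anchore/enterprise` there, `int` of that is 0 and the `ge $majorVersion 5` guard passes silently; a reference with no tag at all makes `index ... 1` an out-of-range template error rather than the intended message, and a digest reference (`@sha256:...`) carries no version to parse. Suggest taking the last element (`last (splitList ":" .Values.anchoreEnterpriseGlobal.image)`) or a `regexFind` for a `v?[0-9]+\.` tag, and emitting a clear warning instead of a false pass when no semver tag can be recovered.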
1 change: 1 addition & 0 deletions stable/anchore-engine/templates/enterprise_configmap.yaml
@@ -1,3 +1,4 @@
{{- template "checkAnchoreEnterpriseCompatibility" . }}
{{- if and .Values.anchoreEnterpriseGlobal.enabled (or .Values.anchoreEnterpriseRbac.enabled .Values.anchoreEnterpriseReports.enabled) -}}
{{- $component := "enterprise" -}}
apiVersion: v1
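Review bot: `{{- template "checkAnchoreEnterpriseCompatibility" . }}` is invoked before the `.Values.anchoreEnterpriseGlobal.enabled` test on the following line, so a render fails whenever the configured enterprise image tag parses as 5.x even when no enterprise component is enabled; move the call inside the `if`, or have the helper itself return early when `anchoreEnterpriseGlobal.enabled` is false, so engine-only installs are not blocked by a value they do not use.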
2 changes: 1 addition & 1 deletion stable/anchore-engine/values.yaml
@@ -765,7 +765,7 @@ anchoreEnterpriseGlobal:
# Create this secret with the following command - kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=<PATH TO LICENSE.YAML>
licenseSecretName: anchore-enterprise-license

image: docker.io/anchore/enterprise:v4.9.2
image: docker.io/anchore/enterprise:v4.9.3

imagePullPolicy: IfNotPresent
# Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images.
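Review bot: `image: docker.io/anchore/enterprise:v4.9.3` pins by tag only, and with `imagePullPolicy: IfNotPresent` a node keeps whatever content it first pulled under that tag; for a scanner image it is worth documenting how to override with an immutable `@sha256:` digest. Note that the new `checkAnchoreEnterpriseCompatibility` helper in this same PR splits the reference on ":" to read a version, so a digest-pinned override would need that parse to cope with the `@sha256:` form as well.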
4 changes: 2 additions & 2 deletions stable/enterprise/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: enterprise
version: "0.1.2"
appVersion: "4.9.2"
version: "0.2.1"
appVersion: "4.9.3"
kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x
description: |
Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems,
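Review bot: the chart version jumps from `"0.1.2"` to `"0.2.1"` (0.2.0 is skipped) while this PR changes two authentication defaults (`oauth.enabled`, `hashed_passwords`) for anyone who leaves them unset; a minor bump is the right signal for a behaviour change on upgrade, but the README changes in this diff carry no upgrade note for it. Suggest a changelog or README entry for 0.2.x stating that existing releases upgrading with default values will switch to OAuth and hashed password storage.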
36 changes: 18 additions & 18 deletions stable/enterprise/README.md
@@ -788,7 +788,7 @@ rbacManager:
| Name | Description | Value |
| ------------------------------------- | ------------------------------------------------------------------------------------- | ------------------------------------- |
| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v4.9.1` |
| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v4.9.3` |
| `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` |
| `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` |
| `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` |
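Review bot: the removed row lists the README default as `docker.io/anchore/enterprise:v4.9.1` while `stable/enterprise/values.yaml` in this same diff moves from `v4.9.2`, so the README was already one release behind values.yaml before this change; if the parameter table is generated from the `## @param` comments, a CI step that regenerates the README and fails on a diff would catch this drift.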
@@ -836,10 +836,10 @@ rbacManager:
| `anchoreConfig.keys.secret` | The shared secret used for signing & encryption, auto-generated by Helm if not set. | `""` |
| `anchoreConfig.keys.privateKeyFileName` | The file name of the private key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` |
| `anchoreConfig.keys.publicKeyFileName` | The file name of the public key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` |
| `anchoreConfig.user_authentication.oauth.enabled` | Enable OAuth for Anchore user authentication | `false` |
| `anchoreConfig.user_authentication.oauth.enabled` | Enable OAuth for Anchore user authentication | `true` |
| `anchoreConfig.user_authentication.oauth.default_token_expiration_seconds` | The expiration, in seconds, for OAuth tokens | `3600` |
| `anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds` | The expiration, in seconds, for OAuth refresh tokens | `86400` |
| `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `false` |
| `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `true` |
| `anchoreConfig.user_authentication.sso_require_existing_users` | set to true in order to disable the SSO JIT provisioning during authentication | `false` |
| `anchoreConfig.metrics.enabled` | Enable Prometheus metrics for all Anchore services | `false` |
| `anchoreConfig.metrics.auth_disabled` | Disable auth on Prometheus metrics for all Anchore services | `false` |
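Review bot: `anchoreConfig.user_authentication.oauth.enabled` changes its default from `false` to `true` in this hunk, but the commit message only mentions enabling `hashed_passwords`; either document the OAuth default change alongside it or split it out. The `hashed_passwords` row's description, `Enable storing passwords as secure hashes in the database`, also does not tell an upgrading operator whether accounts created under the previous `false` default are affected; a sentence on that next to the new default would save support questions.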
@@ -1130,21 +1130,21 @@ rbacManager:
### Ingress Parameters
| Name | Description | Value |
| -------------------------- | ------------------------------------------------------------------ | ------- |
| `ingress.enabled` | Create an ingress resource for external Anchore service APIs | `false` |
| `ingress.labels` | Labels for the ingress resource | `{}` |
| `ingress.annotations` | Annotations for the ingress resource | `{}` |
| `ingress.apiHosts` | List of custom hostnames for the Anchore API | `[]` |
| `ingress.apiPath` | The path used for accessing the Anchore API | `/v2/` |
| `ingress.uiHosts` | List of custom hostnames for the Anchore UI | `[]` |
| `ingress.uiPath` | The path used for accessing the Anchore UI | `/` |
| `ingress.feedsHosts` | List of custom hostnames for the Anchore Feeds API | `[]` |
| `ingress.feedsPath` | The path used for accessing the Anchore Feeds API | `""` |
| `ingress.reportsHosts` | List of custom hostnames for the Anchore Reports API | `[]` |
| `ingress.reportsPath` | The path used for accessing the Anchore Reports API | `""` |
| `ingress.tls` | Configure tls for the ingress resource | `[]` |
| `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` |
| Name | Description | Value |
| -------------------------- | ------------------------------------------------------------------ | --------------------------------- |
| `ingress.enabled` | Create an ingress resource for external Anchore service APIs | `false` |
| `ingress.labels` | Labels for the ingress resource | `{}` |
| `ingress.annotations` | Annotations for the ingress resource | `{}` |
| `ingress.apiHosts` | List of custom hostnames for the Anchore API | `[]` |
| `ingress.apiPaths` | The path used for accessing the Anchore API | `["/v1/","/v2/","/version/"]` |
| `ingress.uiHosts` | List of custom hostnames for the Anchore UI | `[]` |
| `ingress.uiPath` | The path used for accessing the Anchore UI | `/` |
| `ingress.feedsHosts` | List of custom hostnames for the Anchore Feeds API | `[]` |
| `ingress.feedsPaths` | The path used for accessing the Anchore Feeds API | `["/v1/feeds/","/v2/feeds/"]` |
| `ingress.reportsHosts` | List of custom hostnames for the Anchore Reports API | `[]` |
| `ingress.reportsPaths` | The path used for accessing the Anchore Reports API | `["/v1/reports/","/v2/reports/"]` |
| `ingress.tls` | Configure tls for the ingress resource | `[]` |
| `ingress.ingressClassName` | sets the ingress class name. As of k8s v1.18, this should be nginx | `nginx` |
### Google CloudSQL DB Parameters
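Review bot: the new rows `ingress.apiPaths`, `ingress.feedsPaths` and `ingress.reportsPaths` keep the singular description `The path used for accessing ...` although the values are now lists (`["/v1/","/v2/","/version/"]` and so on); reword to "paths", and since the default now exposes both the `/v1/` and `/v2/` API prefixes plus `/version/` on the ingress, say so explicitly so operators who want only v2 know to override the list. The unchanged `ingress.ingressClassName` text `As of k8s v1.18, this should be nginx` reads as a requirement rather than a default and could be reworded while this table is being touched.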
10 changes: 10 additions & 0 deletions stable/enterprise/templates/_helpers.tpl
@@ -24,6 +24,16 @@ Return Anchore default admin password
{{- end -}}
{{- end -}}

{{/*
Return Anchore SAML SECRET
*/}}
{{- define "enterprise.samlSecret" -}}
{{- if .Values.anchoreConfig.keys.secret }}
{{- .Values.anchoreConfig.keys.secret -}}
{{- else -}}
{{- randAlphaNum 32 -}}
{{- end -}}
{{- end -}}

{{/*
Allows sourcing of a specified file in the entrypoint of all containers when .Values.doSourceAtEntry.enabled == true
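Review bot: `enterprise.samlSecret` falls back to `randAlphaNum 32` on every render when `anchoreConfig.keys.secret` is unset, so `helm template` and `helm upgrade --dry-run` (where the `lookup` used in anchore_secret.yaml returns nothing) yield a different value each run; harmless on a real install, but diff-based review tooling will report a changed secret every time. The helper name and its `Return Anchore SAML SECRET` comment also narrow the purpose, while the README row for `anchoreConfig.keys.secret` in this same PR calls it `The shared secret used for signing & encryption`; align the comment with the README wording.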
17 changes: 9 additions & 8 deletions stable/enterprise/templates/anchore_secret.yaml
@@ -1,15 +1,18 @@
{{- if not .Values.useExistingSecrets -}}
{{- /*
If release is being upgraded, don't recreate the defaultAdminPassword, instead get it from the corresponding existing
If release is being upgraded, don't recreate the defaultAdminPassword or samlSecret, instead get it from the corresponding existing
secret.
*/ -}}
{{- $anchoreAdminPass := (include "enterprise.defaultAdminPassword" . | quote) -}}
{{- if and .Release.IsUpgrade (not .Values.anchoreConfig.default_admin_password) -}}
{{- $adminPassSecret := (lookup "v1" "Secret" .Release.Namespace (include "enterprise.fullname" .)) -}}
{{- if $adminPassSecret -}}
{{- $anchoreAdminPass = (index $adminPassSecret.data "ANCHORE_ADMIN_PASSWORD" | b64dec) -}}
{{- $anchoreSamlSecret := (include "enterprise.samlSecret" . | quote) -}}
{{- if .Release.IsUpgrade -}}
{{- $anchoreSecret := (lookup "v1" "Secret" .Release.Namespace (include "enterprise.fullname" .)) -}}
{{- if $anchoreSecret -}}
{{- $anchoreAdminPass = (index $anchoreSecret.data "ANCHORE_ADMIN_PASSWORD" | b64dec) -}}
{{- $anchoreSamlSecret = (index $anchoreSecret.data "ANCHORE_SAML_SECRET" | b64dec) -}}
{{- end -}}
{{- end -}}

apiVersion: v1
kind: Secret
metadata:
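Review bot: dropping the `(not .Values.anchoreConfig.default_admin_password)` condition means that on upgrade the values read back from the existing secret now always win over `default_admin_password` and `keys.secret`, even when an operator sets them explicitly to rotate a credential; the only rotation path left is `useExistingSecrets`, which should be stated in the values comments. Separately, `{{- $anchoreSamlSecret = (index $anchoreSecret.data "ANCHORE_SAML_SECRET" | b64dec) -}}` assumes the existing secret carries that key, yet the `{{- with .Values.anchoreConfig.keys.secret }}` block removed in the next hunk only wrote `ANCHORE_SAML_SECRET` when `keys.secret` was set, so secrets created by earlier chart versions can lack it; guard both `index` reads with `hasKey` and keep the values/generated fallback when the key is absent.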
@@ -27,8 +30,6 @@ stringData:
ANCHORE_DB_USER: {{ index .Values "postgresql" "auth" "username" | quote }}
ANCHORE_DB_PASSWORD: {{ index .Values "postgresql" "auth" "password" | quote }}
ANCHORE_DB_PORT: {{ index .Values "postgresql" "primary" "service" "ports" "postgresql" | quote }}
{{- with .Values.anchoreConfig.keys.secret }}
ANCHORE_SAML_SECRET: {{ . | quote }}
{{- end }}
ANCHORE_SAML_SECRET: {{ $anchoreSamlSecret | quote }}

{{- end -}}
4 changes: 2 additions & 2 deletions stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
@@ -345,7 +345,7 @@ should render the configmaps:
ANCHORE_ALLOW_ECR_IAM_AUTO: "true"
ANCHORE_ANALYZER_MAX_THREADS: "1"
ANCHORE_ANALYZER_TASK_REQUEUE: "true"
ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "false"
ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "true"
ANCHORE_AUTH_PRIVKEY: "null"
ANCHORE_AUTH_PUBKEY: "null"
ANCHORE_AUTHZ_HANDLER: external
@@ -394,7 +394,7 @@ should render the configmaps:
ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB: "100"
ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB: "100"
ANCHORE_MAX_REQUEST_THREADS: "50"
ANCHORE_OAUTH_ENABLED: "false"
ANCHORE_OAUTH_ENABLED: "true"
ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION: "86400"
ANCHORE_OAUTH_TOKEN_EXPIRATION: "3600"
ANCHORE_OWNED_PACKAGE_FILTERING_ENABLED: "true"
@@ -143,6 +143,6 @@ should render proper initContainers:
valueFrom:
fieldRef:
fieldPath: metadata.name
image: docker.io/anchore/enterprise:v4.9.2
image: docker.io/anchore/enterprise:v4.9.3
imagePullPolicy: IfNotPresent
name: wait-for-db
12 changes: 6 additions & 6 deletions stable/enterprise/values.yaml
@@ -18,7 +18,7 @@ global:

## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI
##
image: docker.io/anchore/enterprise:v4.9.2
image: docker.io/anchore/enterprise:v4.9.3

## @param imagePullPolicy Image pull policy used by all deployments
## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
@@ -245,10 +245,10 @@ anchoreConfig:
##
user_authentication:
oauth:
enabled: false
enabled: true
default_token_expiration_seconds: 3600
refresh_token_expiration_seconds: 86400
hashed_passwords: false
hashed_passwords: true
sso_require_existing_users: false

## @param anchoreConfig.metrics.enabled Enable Prometheus metrics for all Anchore services
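Review bot: the flipped defaults `enabled: true` (under `oauth`) and `hashed_passwords: true` land in a block with no `## @param` comment explaining their effect on an existing release, and the OAuth change is absent from the commit message; add a comment above `user_authentication:` stating that these defaults take effect on upgrade when the values are unset, so the generated README and the values file both carry the warning.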
@@ -1247,7 +1247,7 @@ ingress:
##
apiHosts: []

## @param ingress.apiPath The path used for accessing the Anchore API
## @param ingress.apiPaths The path used for accessing the Anchore API
##
apiPaths:
- /v1/
@@ -1266,7 +1266,7 @@ ingress:
##
feedsHosts: []

## @param ingress.feedsPath The path used for accessing the Anchore Feeds API
## @param ingress.feedsPaths The path used for accessing the Anchore Feeds API
## Exposing the feeds API is for special cases only, use /v2/feeds for ingress.feedsPath
##
feedsPaths:
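Review bot: the `@param` name is corrected to `ingress.feedsPaths`, but the next line still reads `use /v2/feeds for ingress.feedsPath`, so the generated README will advise setting a parameter that no longer exists; update it to the list form, for example `use ["/v2/feeds/"] for ingress.feedsPaths`.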
@@ -1277,7 +1277,7 @@ ingress:
##
reportsHosts: []

## @param ingress.reportsPath The path used for accessing the Anchore Reports API
## @param ingress.reportsPaths The path used for accessing the Anchore Reports API
## Exposing the reports API enables the GraphQL interface, use /v2/reports/graphql for ingress.reportsPath
##
reportsPaths:
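Review bot: same stale reference as in the feeds block: `use /v2/reports/graphql for ingress.reportsPath` still names the removed singular parameter; reword it to the `ingress.reportsPaths` list form so the README advice matches the value that is actually read.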
4 changes: 2 additions & 2 deletions stable/feeds/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v2
name: feeds
type: application
version: "0.1.0"
appVersion: "4.9.2"
version: "0.1.1"
appVersion: "4.9.3"
kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x
description: Anchore feeds service
keywords:
@@ -143,6 +143,6 @@ should render proper initContainers:
value: test-release-feeds
- name: ANCHORE_PORT
value: "8448"
image: docker.io/anchore/enterprise:v4.9.2
image: docker.io/anchore/enterprise:v4.9.3
imagePullPolicy: IfNotPresent
name: wait-for-db
2 changes: 1 addition & 1 deletion stable/feeds/values.yaml
@@ -21,7 +21,7 @@ nameOverride: ""

## @param image Image used for feeds deployment
##
image: docker.io/anchore/enterprise:v4.9.2
image: docker.io/anchore/enterprise:v4.9.3

## @param imagePullPolicy Image pull policy used by all deployments
## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy