stable/enterprise: Update Anchore Enterprise to v5.2.0 (#338)

* Ent 5.2.0 updates (#187) * add additional configs for 5.2.0 * updating helm unittests and readme to include changes * adding scratch for reports * update default of api delete keys to 365; add scratch volume to reports pod; add reports resources tests * adding additional reports resources test * Enterprise split reports api (#188) * move reports service to seperate deployment * use enterprise prefix for helper templates * add rbacAuth container back to api pod * make reports-worker fullname match values key for the service * update unit tests * bump chart version * fix reports worker descriptions & alphabetize the top level key * add rbacAuth container to reports pod (#189) * add rbacAuth container to reports pod * add rbacAuth unit test for reports template * updating error message for image_ttl_days (#192) * Make scratch volume configurable (#193) * use helper template for scratch volume details. Allow component specific configs * add unit tests * add necessary values and update readme * bump chart version * bump enterprise image to v5.2.0 * update test snapshots * bump feeds chart version * bump chart version * update readme and values table * remove reports service from the ingress configuration --------- Signed-off-by: Brady Todhunter <bradyt@anchore.com> Signed-off-by: Hung Nguyen <hung.tran.nguyen.585@gmail.com> Co-authored-by: Hung Nguyen <hung.tran.nguyen.585@gmail.com>
anchore · Feb 2, 2024 · 903a0af · 903a0af
1 parent 6ca8d1f
commit 903a0af
Show file tree

Hide file tree

Showing 29 changed files with 1,234 additions and 608 deletions.
diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock
@@ -7,6 +7,6 @@ dependencies:
   version: 17.11.8
 - name: feeds
   repository: https://charts.anchore.io/stable
-  version: 2.1.2
-digest: sha256:60e766cb4ec7976ab63530288e3c2c23a6fe2e2596bc92f550d6c453e2863336
-generated: "2024-01-03T16:51:40.920313-05:00"
+  version: 2.2.0
+digest: sha256:e2fc0ac4d344f4baf4e9b818d05b1bb88ee87f9f760e3fb8237260b67ffc4d15
+generated: "2024-02-01T21:44:45.424502-08:00"
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: enterprise
-version: "2.2.4"
-appVersion: "5.1.1"
+version: "2.3.0"
+appVersion: "5.2.0"
 kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.28.x-x
 description: |
   Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems,

diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md
diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml
@@ -34,15 +34,16 @@ keys:
   private_key_path: ${ANCHORE_AUTH_PUBKEY}
 
 user_authentication:
-  hashed_passwords: ${ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS}
-  sso_require_existing_users: ${ANCHORE_SSO_REQUIRES_EXISTING_USERS}
   oauth:
     enabled: ${ANCHORE_OAUTH_ENABLED}
     default_token_expiration_seconds: ${ANCHORE_OAUTH_TOKEN_EXPIRATION}
     refresh_token_expiration_seconds: ${ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION}
+  hashed_passwords: ${ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS}
+  sso_require_existing_users: ${ANCHORE_SSO_REQUIRES_EXISTING_USERS}
   allow_api_keys_for_saml_users: {{ .Values.anchoreConfig.user_authentication.allow_api_keys_for_saml_users }}
   max_api_key_age_days: {{ .Values.anchoreConfig.user_authentication.max_api_key_age_days }}
   max_api_keys_per_user: {{ .Values.anchoreConfig.user_authentication.max_api_keys_per_user }}
+  remove_deleted_user_api_keys_older_than_days: {{ .Values.anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days }}
 
 credentials:
   database:
@@ -235,11 +236,13 @@ services:
     authorization_handler: external
     authorization_handler_config:
       endpoint: http://localhost:8089
+    cycle_timers: {{- toYaml .Values.anchoreConfig.reports.cycle_timers | nindent 6 }}
     max_async_execution_threads: ${ANCHORE_ENTERPRISE_REPORTS_MAX_ASYNC_EXECUTION_THREADS}
     async_execution_timeout: ${ANCHORE_ENTERPRISE_REPORTS_ASYNC_EXECUTION_TIMEOUT}
     ssl_enable: ${ANCHORE_SSL_ENABLED}
     ssl_cert: ${ANCHORE_SSL_CERT}
     ssl_key: ${ANCHORE_SSL_KEY}
+    use_volume: {{ .Values.anchoreConfig.reports.use_volume }}
 
   reports_worker:
     enabled: true

diff --git a/stable/enterprise/templates/_common.tpl b/stable/enterprise/templates/_common.tpl
@@ -90,11 +90,7 @@ When calling this template, .component can be included in the context for compon
 {{ toYaml . }}
   {{- end }}
 - name: ANCHORE_ENDPOINT_HOSTNAME
-  {{- if and (eq $component "reports") (eq .api "true") }}
-  value: {{ template "enterprise.api.fullname" . }}
-  {{- else }}
   value: {{ include (printf "enterprise.%s.fullname" $component) . }}
-  {{- end }}
   {{- with (index .Values (print $component)).service }}
 - name: ANCHORE_PORT
   value: {{ .port | quote }}
@@ -274,6 +270,21 @@ successThreshold: {{ .Values.probes.readiness.successThreshold }}
 {{- end -}}
 
 
+{{/*
+Setup the common anchore scratch volume details config
+*/}}
+{{- define "enterprise.common.scratchVolume.details" -}}
+{{- $component := .component -}}
+{{- if (index .Values (print $component)).scratchVolume.details }}
+  {{- toYaml (index .Values (print $component)).scratchVolume.details }}
+{{- else if .Values.scratchVolume.details }}
+  {{- toYaml .Values.scratchVolume.details }}
+{{- else }}
+emptyDir: {}
+{{- end }}
+{{- end -}}
+
+
 {{/*
 Setup the common anchore volume mounts
 */}}

diff --git a/stable/enterprise/templates/_helpers.tpl b/stable/enterprise/templates/_helpers.tpl
@@ -148,7 +148,7 @@ Return the database user for the Anchore Enterprise UI config
 {{/*
 Set the nodePort for services if its defined
 */}}
-{{- define "service.nodePort" -}}
+{{- define "enterprise.service.nodePort" -}}
 {{- $component := .component -}}
 {{- if (index .Values (print $component)).service.nodePort -}}
 nodePort: {{ (index .Values (print $component)).service.nodePort }}

diff --git a/stable/enterprise/templates/_names.tpl b/stable/enterprise/templates/_names.tpl
@@ -52,6 +52,11 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- printf "%s-%s-%s" .Release.Name $name "reports"| trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{- define "enterprise.reportsWorker.fullname" -}}
+{{- $name := default .Chart.Name .Values.global.nameOverride -}}
+{{- printf "%s-%s-%s" .Release.Name $name "reportsworker"| trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{- define "enterprise.simpleQueue.fullname" -}}
 {{- $name := default .Chart.Name .Values.global.nameOverride -}}
 {{- printf "%s-%s-%s" .Release.Name $name "simplequeue"| trunc 63 | trimSuffix "-" -}}

diff --git a/stable/enterprise/templates/analyzer_deployment.yaml b/stable/enterprise/templates/analyzer_deployment.yaml
@@ -26,11 +26,7 @@ spec:
       {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }}
       volumes: {{- include "enterprise.common.volumes" . | nindent 8 }}
         - name: "anchore-scratch"
-        {{- if .Values.scratchVolume.details }}
-          {{- toYaml .Values.scratchVolume.details | nindent 10 }}
-        {{- else }}
-          emptyDir: {}
-        {{- end }}
+          {{- include "enterprise.common.scratchVolume.details" (merge (dict "component" $component) .) | nindent 10 }}
         - name: analyzer-config-volume
           configMap:
             name: {{ template "enterprise.analyzer.fullname" . }}

diff --git a/stable/enterprise/templates/api_deployment.yaml b/stable/enterprise/templates/api_deployment.yaml
@@ -71,28 +71,6 @@ spec:
         {{- with .Values.api.resources }}
           resources: {{- toYaml . | nindent 12 }}
         {{- end }}
-
-        - name: "{{ .Chart.Name }}-reports-api"
-          image: {{ .Values.image }}
-          imagePullPolicy: {{ .Values.imagePullPolicy }}
-        {{- with .Values.containerSecurityContext }}
-          securityContext:
-            {{ toYaml . | nindent 12 }}
-        {{- end }}
-          command: ["/bin/sh", "-c"]
-          args:
-            - {{ print (include "enterprise.common.dockerEntrypoint" .) }} reports
-          envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }}
-          env: {{- include "enterprise.common.environment" (merge (dict "component" "reports" "api" "true") .) | nindent 12 }}
-          ports:
-            - containerPort: {{ .Values.reports.service.port }}
-              name: reports
-          volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }}
-          livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" "reports") .) | nindent 12 }}
-          readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" "reports") .) | nindent 12 }}
-        {{- with .Values.reports.resources }}
-          resources: {{- toYaml . | nindent 12 }}
-        {{- end }}
         {{- include "enterprise.common.rbacAuthContainer" . | nindent 8 }}
 
 ---
@@ -110,12 +88,7 @@ spec:
       port: {{ .Values.api.service.port }}
       targetPort: {{ .Values.api.service.port }}
       protocol: TCP
-      {{ include "service.nodePort" (merge (dict "component" $component) .) }}
-    - name: reports
-      port: {{ .Values.reports.service.port }}
-      targetPort: {{ .Values.reports.service.port }}
-      protocol: TCP
-      {{ include "service.nodePort" (merge (dict "component" "reports") .) }}
+      {{ include "enterprise.service.nodePort" (merge (dict "component" $component) .) }}
   selector:
     app.kubernetes.io/name: {{ template "enterprise.fullname" . }}
     app.kubernetes.io/component: {{ $component | lower }}
diff --git a/stable/enterprise/templates/catalog_deployment.yaml b/stable/enterprise/templates/catalog_deployment.yaml
@@ -28,11 +28,7 @@ spec:
       {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }}
       volumes: {{- include "enterprise.common.volumes" . | nindent 8 }}
         - name: anchore-scratch
-        {{- if .Values.scratchVolume.details }}
-          {{- toYaml .Values.scratchVolume.details | nindent 10 }}
-        {{- else }}
-          emptyDir: {}
-        {{- end }}
+          {{- include "enterprise.common.scratchVolume.details" (merge (dict "component" $component) .) | nindent 10 }}
       {{- if .Values.anchoreConfig.policyBundles }}
         - name: policy-bundle-volume
           configMap:
@@ -92,7 +88,7 @@ spec:
       port: {{ .Values.catalog.service.port }}
       targetPort: {{ .Values.catalog.service.port }}
       protocol: TCP
-      {{ include "service.nodePort" (merge (dict "component" $component) .) }}
+      {{ include "enterprise.service.nodePort" (merge (dict "component" $component) .) }}
   selector:
     app.kubernetes.io/name: {{ template "enterprise.fullname" . }}
     app.kubernetes.io/component: {{ $component | lower }}
diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml
@@ -50,7 +50,7 @@ data:
   ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER: "true"
   ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE: "true"
 {{- if eq (toString .Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days) "-1" }}
-  {{- fail "The Value `-1` is no longer valid for `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days`. Please use `.Values.anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite=true` to force runtime inventory to be overwritten upon every update for that reported context. `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days` must be set to a value >1." -}}
+  {{- fail "The Value `-1` is no longer valid for `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days`. Please use `.Values.anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite=true` to force runtime inventory to be overwritten upon every update for that reported context. `.Values.anchoreConfig.catalog.runtime_inventory.inventory_ttl_days` must be set to a value >1." -}}
 {{- else }}
   ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS: "{{ .Values.anchoreConfig.catalog.runtime_inventory.inventory_ttl_days }}"
   ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE: "{{ .Values.anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite }}"

diff --git a/stable/enterprise/templates/ingress.yaml b/stable/enterprise/templates/ingress.yaml
@@ -29,7 +29,7 @@ spec:
   {{- end }}
 {{- end }}
   rules:
-  {{- if or .Values.ingress.apiHosts .Values.ingress.uiHosts .Values.ingress.feedsHosts .Values.ingress.reportsHosts }}
+  {{- if or .Values.ingress.apiHosts .Values.ingress.uiHosts .Values.ingress.feedsHosts }}
     {{- range $apiHostIndex, $apiHostName := .Values.ingress.apiHosts }}
     - host: {{ $apiHostName | quote }}
       http:
@@ -88,26 +88,6 @@ spec:
           {{- end }}
         {{- end }}
     {{- end }}
-    {{- range $reportsHostIndex, $reportsHostName := .Values.ingress.reportsHosts }}
-    - host: {{ $reportsHostName | quote }}
-      http:
-        paths:
-        {{- range $reportsPathIndex, $reportsPath := $.Values.ingress.reportsPaths }}
-          - path: {{ $reportsPath }}
-          {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
-            pathType: Prefix
-            backend:
-              service:
-                name: {{ template "enterprise.api.fullname" $ }}
-                port:
-                  number: {{ $.Values.api.service.reportsPort }}
-          {{- else }}
-            backend:
-              serviceName: {{ template "enterprise.api.fullname" $ }}
-              servicePort: {{ $.Values.api.service.reportsPort }}
-          {{- end }}
-        {{- end }}
-    {{- end }}
   {{- else }}
     - http:
         paths:
@@ -156,20 +136,5 @@ spec:
               servicePort: {{ $.Values.feeds.service.port }}
           {{- end }}
         {{- end }}
-        {{- range .Values.ingress.reportsPaths }}
-          - path: {{ . }}
-          {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
-            pathType: Prefix
-            backend:
-              service:
-                name: {{ template "enterprise.api.fullname" $ }}
-                port:
-                  number: {{ $.Values.api.service.reportsPort }}
-          {{- else }}
-            backend:
-              serviceName: {{ template "enterprise.api.fullname" $ }}
-              servicePort: {{ $.Values.api.service.reportsPort }}
-          {{- end }}
-        {{- end }}
   {{- end }}
 {{- end -}}
diff --git a/stable/enterprise/templates/notifications_deployment.yaml b/stable/enterprise/templates/notifications_deployment.yaml
@@ -66,7 +66,7 @@ spec:
       port: {{ .Values.notifications.service.port }}
       targetPort: {{ .Values.notifications.service.port }}
       protocol: TCP
-      {{ include "service.nodePort" (merge (dict "component" $component) .) }}
+      {{ include "enterprise.service.nodePort" (merge (dict "component" $component) .) }}
   selector:
     app.kubernetes.io/name: {{ template "enterprise.fullname" . }}
     app.kubernetes.io/component: {{ $component | lower }}
diff --git a/stable/enterprise/templates/policyengine_deployment.yaml b/stable/enterprise/templates/policyengine_deployment.yaml
@@ -25,11 +25,7 @@ spec:
       {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }}
       volumes: {{- include "enterprise.common.volumes" . | nindent 8 }}
         - name: anchore-scratch
-        {{- if .Values.scratchVolume.details }}
-          {{- toYaml .Values.scratchVolume.details | nindent 10 }}
-        {{- else }}
-          emptyDir: {}
-        {{- end }}
+          {{- include "enterprise.common.scratchVolume.details" (merge (dict "component" $component) .) | nindent 10 }}
     {{- if and .Values.scratchVolume.fixGroupPermissions .Values.securityContext.fsGroup }}
       initContainers:
         {{- include "enterprise.common.fixPermissionsInitContainer" . | nindent 8 }}
@@ -77,7 +73,7 @@ spec:
       port: {{ .Values.policyEngine.service.port }}
       targetPort: {{ .Values.policyEngine.service.port }}
       protocol: TCP
-      {{ include "service.nodePort" (merge (dict "component" $component) .) }}
+      {{ include "enterprise.service.nodePort" (merge (dict "component" $component) .) }}
   selector:
     app.kubernetes.io/name: {{ template "enterprise.fullname" . }}
     app.kubernetes.io/component: {{ $component | lower }}
diff --git a/stable/enterprise/templates/rbacmanager_deployment.yaml b/stable/enterprise/templates/rbacmanager_deployment.yaml
@@ -66,7 +66,7 @@ spec:
       port: {{ .Values.rbacManager.service.port }}
       targetPort: {{ .Values.rbacManager.service.port }}
       protocol: TCP
-      {{ include "service.nodePort" (merge (dict "component" $component) .) }}
+      {{ include "enterprise.service.nodePort" (merge (dict "component" $component) .) }}
   selector:
     app.kubernetes.io/name: {{ template "enterprise.fullname" . }}
     app.kubernetes.io/component: {{ $component | lower }}
diff --git a/stable/enterprise/templates/reports_deployment.yaml b/stable/enterprise/templates/reports_deployment.yaml
@@ -24,6 +24,14 @@ spec:
     spec:
       {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }}
       volumes: {{- include "enterprise.common.volumes" . | nindent 8 }}
+      {{- if .Values.anchoreConfig.reports.use_volume }}
+        - name: "anchore-scratch"
+          {{- include "enterprise.common.scratchVolume.details" (merge (dict "component" $component) .) | nindent 10 }}
+      {{- end }}
+    {{- if and .Values.anchoreConfig.reports.use_volume .Values.scratchVolume.fixGroupPermissions .Values.securityContext.fsGroup }}
+      initContainers:
+        {{- include "enterprise.common.fixPermissionsInitContainer" . | nindent 8 }}
+    {{- end }}
       containers:
       {{- if .Values.cloudsql.enabled  }}
         {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }}
@@ -37,18 +45,23 @@ spec:
         {{- end }}
           command: ["/bin/sh", "-c"]
           args:
-            -  {{ print (include "enterprise.common.dockerEntrypoint" .) }} reports_worker
+            -  {{ print (include "enterprise.common.dockerEntrypoint" .) }} reports
           ports:
             - containerPort: {{ .Values.reports.service.port }}
               name: {{ $component | lower }}
           envFrom: {{- include "enterprise.common.envFrom" . | nindent 12 }}
           env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 12 }}
           volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 12 }}
+          {{- if .Values.anchoreConfig.reports.use_volume }}
+            - name: "anchore-scratch"
+              mountPath: {{ .Values.scratchVolume.mountPath }}
+          {{- end }}
           livenessProbe: {{- include "enterprise.common.livenessProbe" (merge (dict "component" $component) .) | nindent 12 }}
           readinessProbe: {{- include "enterprise.common.readinessProbe" (merge (dict "component" $component) .) | nindent 12 }}
         {{- with .Values.reports.resources }}
           resources: {{- toYaml . | nindent 12 }}
         {{- end }}
+        {{- include "enterprise.common.rbacAuthContainer" . | nindent 8 }}
 
 ---
 apiVersion: v1
@@ -65,7 +78,7 @@ spec:
       port: {{ .Values.reports.service.port }}
       targetPort: {{ .Values.reports.service.port }}
       protocol: TCP
-      {{ include "service.nodePort" (merge (dict "component" $component) .) }}
+      {{ include "enterprise.service.nodePort" (merge (dict "component" $component) .) }}
   selector:
     app.kubernetes.io/name: {{ template "enterprise.fullname" . }}
     app.kubernetes.io/component: {{ $component | lower }}