enterprise: v5.7.0 updates
Signed-off-by: Hung Nguyen <[email protected]>
HN23 committed Jun 28, 2024
1 parent 59818a8 commit 2b6a9ee
Showing 10 changed files with 61 additions and 14 deletions.
6 changes: 3 additions & 3 deletions stable/enterprise/Chart.lock
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@ dependencies:
version: 17.11.8
- name: feeds
repository: https://charts.anchore.io/stable
version: 2.6.0
digest: sha256:c20d790efc92e6f4f186abe76ec02b731c0211aa36cabec589ce9fdb2e9a7189
generated: "2024-05-31T16:00:42.069239-04:00"
version: 2.7.0
digest: sha256:824b735ba784dca70b5e01b55b4955519381a930e16010ade22727eab5f9da88
generated: "2024-06-28T16:21:14.882771-04:00"
4 changes: 2 additions & 2 deletions stable/enterprise/Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
apiVersion: v2
name: enterprise
version: "2.7.0"
appVersion: "5.6.0"
version: "2.8.0"
appVersion: "5.7.0"
kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.29.x-x
description: |
Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems,
Expand Down
7 changes: 7 additions & 0 deletions stable/enterprise/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -1083,6 +1083,7 @@ To restore your deployment to using your previous driver configurations:
| `anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days` | The number of days elapsed after a user API key is deleted before it is garbage collected (-1 to disable) | `365` |
| `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `true` |
| `anchoreConfig.user_authentication.sso_require_existing_users` | set to true in order to disable the SSO JIT provisioning during authentication | `false` |
| `anchoreConfig.user_authentication.disallow_native_users` | Disallow native users to authenticate by any method. Only SSO/'saml' users will be able to access the system. | `false` |
| `anchoreConfig.metrics.enabled` | Enable Prometheus metrics for all Anchore services | `false` |
| `anchoreConfig.metrics.auth_disabled` | Disable auth on Prometheus metrics for all Anchore services | `false` |
| `anchoreConfig.webhooks` | Enable Anchore services to provide webhooks for external system updates | `{}` |
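Review bot: the new `anchoreConfig.user_authentication.disallow_native_users` row does not say what must be in place before it is set to `true`. The description states that only SSO/'saml' users can then access the system, so the row (or a short section in the README) should tell operators to confirm a working SSO login first, and say whether existing native-user API keys stop working as well, since "by any method" leaves that open.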
Expand Down Expand Up @@ -1131,6 +1132,7 @@ To restore your deployment to using your previous driver configurations:
| `anchoreConfig.policy_engine.cycle_timers.feed_sync` | Interval to run a feed sync to get latest cve data | `14400` |
| `anchoreConfig.policy_engine.cycle_timers.feed_sync_checker` | Interval between checks to see if there needs to be a task queued | `3600` |
| `anchoreConfig.policy_engine.overrideFeedsToUpstream` | Override the Anchore Feeds URL to use the public upstream Anchore Feeds | `false` |
| `anchoreConfig.policy_engine.enable_user_base_image` | Enables usage of Well Known Annotation to identify base image for use in ancestry calculations | `true` |
| `anchoreConfig.notifications.cycle_timers.notifications` | Interval that notifications are sent | `30` |
| `anchoreConfig.notifications.ui_url` | Set the UI URL that is included in the notification, defaults to the Enterprise UI service name | `""` |
| `anchoreConfig.reports.enable_graphiql` | Enable GraphiQL, a GUI for editing and testing GraphQL queries and mutations | `true` |
Expand Down Expand Up @@ -1158,6 +1160,7 @@ To restore your deployment to using your previous driver configurations:
| `anchoreConfig.ui.force_websocket` | Force WebSocket protocol for socket message communications | `false` |
| `anchoreConfig.ui.authentication_lock.count` | Number of failed authentication attempts allowed before a temporary lock is applied | `5` |
| `anchoreConfig.ui.authentication_lock.expires` | Authentication lock duration | `300` |
| `anchoreConfig.ui.sso_auth_only` | Enable SSO authentication only | `false` |
| `anchoreConfig.ui.custom_links` | List of up to 10 external links provided | `{}` |
| `anchoreConfig.ui.enable_add_repositories` | Specify what users can add image repositories to the Anchore UI | `{}` |
| `anchoreConfig.ui.log_level` | Descriptive detail of the application log output | `http` |
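Review bot: the description for `anchoreConfig.ui.sso_auth_only`, "Enable SSO authentication only", restates the key name and does not say what changes in the UI when it is `true`. Please spell out the effect on the login page and point to `anchoreConfig.user_authentication.disallow_native_users`, so a reader can tell that this row covers the UI and the other covers the services.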
Expand Down Expand Up @@ -1473,6 +1476,10 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel
- **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention.
- **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update.
### V2.8.x
- Deploys Anchore Enterprise v5.7.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/570/) for more information.
### V2.7.x
- Deploys Anchore Enterprise v5.6.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/560/) for more information.
Expand Down
7 changes: 6 additions & 1 deletion stable/enterprise/files/default_config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ user_authentication:
max_api_key_age_days: {{ .Values.anchoreConfig.user_authentication.max_api_key_age_days }}
max_api_keys_per_user: {{ .Values.anchoreConfig.user_authentication.max_api_keys_per_user }}
remove_deleted_user_api_keys_older_than_days: {{ .Values.anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days }}

disallow_native_users: {{ .Values.anchoreConfig.user_authentication.disallow_native_users }}
credentials:
database:
user: "${ANCHORE_DB_USER}"
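Review bot: in this hunk `disallow_native_users` takes the place of the blank line that separated the `user_authentication` block from `credentials:`, whereas the matching hunk in `osaa_config.yaml` keeps the blank line after the new key. Keeping the separator here too would leave the two templates and their snapshots aligned. The value is also rendered without a fallback; `| default false` would keep the output valid if the key is nulled in a user's values file.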
Expand All @@ -102,6 +102,10 @@ credentials:
db_engine_args: {{- toYaml . | nindent 6 }}
{{- end }}

account_gc:
max_resource_gc_chunk: 4096
max_deletion_threads: 4

services:
apiext:
enabled: true
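Review bot: the new `account_gc` block hard-codes `max_resource_gc_chunk: 4096` and `max_deletion_threads: 4`, with no corresponding entry in `values.yaml` or the README parameter table in this commit. Every other setting added here is read from `.Values.anchoreConfig`, so either expose these two the same way or add a comment saying why they are fixed; the same literals are repeated in `osaa_config.yaml`.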
Expand Down Expand Up @@ -185,6 +189,7 @@ services:
cycle_timer_seconds: 1
cycle_timers: {{- toYaml .Values.anchoreConfig.policy_engine.cycle_timers | nindent 6 }}
enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD}
enable_user_base_image: {{ .Values.anchoreConfig.policy_engine.enable_user_base_image }}
vulnerabilities:
sync:
enabled: true
Expand Down
6 changes: 6 additions & 0 deletions stable/enterprise/files/osaa_config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ user_authentication:
max_api_key_age_days: {{ .Values.anchoreConfig.user_authentication.max_api_key_age_days }}
max_api_keys_per_user: {{ .Values.anchoreConfig.user_authentication.max_api_keys_per_user }}
remove_deleted_user_api_keys_older_than_days: {{ .Values.anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days }}
disallow_native_users: {{ .Values.anchoreConfig.user_authentication.disallow_native_users }}

credentials:
database:
Expand All @@ -65,6 +66,10 @@ credentials:
db_engine_args: {{- toYaml . | nindent 6 }}
{{- end }}

account_gc:
max_resource_gc_chunk: 4096
max_deletion_threads: 4

services:
apiext:
enabled: true
Expand Down Expand Up @@ -156,6 +161,7 @@ services:
cycle_timer_seconds: 1
cycle_timers: {{- toYaml .Values.anchoreConfig.policy_engine.cycle_timers | nindent 6 }}
enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD}
enable_user_base_image: {{ .Values.anchoreConfig.policy_engine.enable_user_base_image }}
vulnerabilities:
sync:
enabled: true
Expand Down
10 changes: 7 additions & 3 deletions stable/enterprise/templates/NOTES.txt
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,15 @@ The Anchore API can be accessed via port {{ .Values.api.service.port }} on the f

The Anchore UI can be accessed via localhost:8080 with kubernetes port-forwarding:

kubectl port-forward svc/{{- template "enterprise.ui.fullname" . }} 8080:{{- .Values.ui.service.port }}
kubectl port-forward -n {{ .Release.Namespace }} svc/{{- template "enterprise.ui.fullname" . }} 8080:{{- .Values.ui.service.port }}

Get the default admin password using the following command:

kubectl get secret {{ template "enterprise.fullname" . }} -o jsonpath='{.data.ANCHORE_ADMIN_PASSWORD}' | base64 -D
# for MacOS
kubectl get secret {{ template "enterprise.fullname" . }} -n {{ .Release.Namespace }} -o jsonpath='{.data.ANCHORE_ADMIN_PASSWORD}' | base64 -D

# for Linux
kubectl get secret {{ template "enterprise.fullname" . }} -n {{ .Release.Namespace }} -o jsonpath='{.data.ANCHORE_ADMIN_PASSWORD}' | base64 -d

* NOTE: On first startup of Anchore Enterprise, the policy-engine performs a CVE data sync which may take several minutes to complete.
During this time the system status will report 'partially_down' and any images added for analysis will stay in the 'not_analyzed' state.
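Review bot: the separate "# for MacOS" and "# for Linux" commands differ only in `base64 -D` versus `base64 -d`; both the macOS and GNU tools accept `--decode`, so one command with `| base64 --decode` would avoid the duplication. The password instructions are also printed unconditionally: if the default admin is a native user, they will not apply when `.Values.anchoreConfig.user_authentication.disallow_native_users` is `true`, and the block could be wrapped in a check on that value.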
Expand All @@ -19,7 +23,7 @@ Once the sync is complete, any queued images will be analyzed and the system sta
Initial setup time can be >120sec for postgresql setup and readiness checks to pass for the services as indicated by pod state.
You can check with:

kubectl get pods -l app.kubernetes.io/name={{- template "enterprise.fullname" . -}},app.kubernetes.io/component=api
kubectl get pods -n {{ .Release.Namespace }} -l app.kubernetes.io/name={{- template "enterprise.fullname" . -}},app.kubernetes.io/component=api

{{ if and .Values.useExistingSecrets .Release.IsUpgrade (semverCompare "~2.1.0" .Chart.Version) }}
******************
Expand Down
1 change: 1 addition & 0 deletions stable/enterprise/templates/ui_configmap.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -44,3 +44,4 @@ data:
log_level: {{ .Values.anchoreConfig.ui.log_level | squote }}
enrich_inventory_view: {{ .Values.anchoreConfig.ui.enrich_inventory_view }}
enable_prometheus_metrics: {{ .Values.anchoreConfig.metrics.enabled }}
sso_auth_only: {{ .Values.anchoreConfig.ui.sso_auth_only }}
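Review bot: `sso_auth_only` in the UI config is driven by `anchoreConfig.ui.sso_auth_only` alone, independent of `anchoreConfig.user_authentication.disallow_native_users` in the service config, so the two can be set inconsistently (for example native logins disallowed by the services while the UI still offers them). If that combination is not meant to be supported, derive one from the other or add a template check that fails rendering when they disagree; if it is supported, say so in the README.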
9 changes: 7 additions & 2 deletions stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
Original file line number Diff line number Diff line change
Expand Up @@ -141,7 +141,7 @@ should render the configmaps:
max_api_key_age_days: 365
max_api_keys_per_user: 100
remove_deleted_user_api_keys_older_than_days: 365

disallow_native_users: false
credentials:
database:
user: "${ANCHORE_DB_USER}"
Expand All @@ -155,6 +155,10 @@ should render the configmaps:
db_pool_size: ${ANCHORE_DB_POOL_SIZE}
db_pool_max_overflow: ${ANCHORE_DB_POOL_MAX_OVERFLOW}

account_gc:
max_resource_gc_chunk: 4096
max_deletion_threads: 4

services:
apiext:
enabled: true
Expand Down Expand Up @@ -263,6 +267,7 @@ should render the configmaps:
feed_sync: 14400
feed_sync_checker: 3600
enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD}
enable_user_base_image: true
vulnerabilities:
sync:
enabled: true
Expand Down Expand Up @@ -561,7 +566,7 @@ should render the configmaps:
6: |
apiVersion: v1
data:
config-ui.yaml: "# Anchore UI configuration\nreports_uri: 'http://test-release-enterprise-api:8228/v2'\nnotifications_uri: 'http://test-release-enterprise-api:8228/v2'\nenterprise_uri: 'http://test-release-enterprise-api:8228/v2'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: true\nforce_websocket: false\nauthentication_lock:\n count: 5\n expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: true\nenable_prometheus_metrics: false\n"
config-ui.yaml: "# Anchore UI configuration\nreports_uri: 'http://test-release-enterprise-api:8228/v2'\nnotifications_uri: 'http://test-release-enterprise-api:8228/v2'\nenterprise_uri: 'http://test-release-enterprise-api:8228/v2'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: true\nforce_websocket: false\nauthentication_lock:\n count: 5\n expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: true\nenable_prometheus_metrics: false\nsso_auth_only: false\n"
kind: ConfigMap
metadata:
annotations:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,7 @@ should render the configmaps for osaa migration if enabled:
max_api_key_age_days: 365
max_api_keys_per_user: 100
remove_deleted_user_api_keys_older_than_days: 365

disallow_native_users: false
credentials:
database:
user: "${ANCHORE_DB_USER}"
Expand All @@ -116,6 +116,10 @@ should render the configmaps for osaa migration if enabled:
db_pool_size: ${ANCHORE_DB_POOL_SIZE}
db_pool_max_overflow: ${ANCHORE_DB_POOL_MAX_OVERFLOW}

account_gc:
max_resource_gc_chunk: 4096
max_deletion_threads: 4

services:
apiext:
enabled: true
Expand Down Expand Up @@ -224,6 +228,7 @@ should render the configmaps for osaa migration if enabled:
feed_sync: 14400
feed_sync_checker: 3600
enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD}
enable_user_base_image: true
vulnerabilities:
sync:
enabled: true
Expand Down Expand Up @@ -406,6 +411,7 @@ should render the configmaps for osaa migration if enabled:
max_api_key_age_days: 365
max_api_keys_per_user: 100
remove_deleted_user_api_keys_older_than_days: 365
disallow_native_users: false

credentials:
database:
Expand All @@ -420,6 +426,10 @@ should render the configmaps for osaa migration if enabled:
db_pool_size: ${ANCHORE_DB_POOL_SIZE}
db_pool_max_overflow: ${ANCHORE_DB_POOL_MAX_OVERFLOW}

account_gc:
max_resource_gc_chunk: 4096
max_deletion_threads: 4

services:
apiext:
enabled: true
Expand Down Expand Up @@ -539,6 +549,7 @@ should render the configmaps for osaa migration if enabled:
feed_sync: 14400
feed_sync_checker: 3600
enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD}
enable_user_base_image: true
vulnerabilities:
sync:
enabled: true
Expand Down
12 changes: 10 additions & 2 deletions stable/enterprise/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ global:

## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI
##
image: docker.io/anchore/enterprise:v5.6.0
image: docker.io/anchore/enterprise:v5.7.0

## @param imagePullPolicy Image pull policy used by all deployments
## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
Expand Down Expand Up @@ -304,6 +304,7 @@ anchoreConfig:
##
## @param anchoreConfig.user_authentication.sso_require_existing_users set to true in order to disable the SSO JIT provisioning during authentication
## This provides an additional layer of security and configuration for SSO users to gain access to Anchore.
## @param anchoreConfig.user_authentication.disallow_native_users Disallow native users to authenticate by any method. Only SSO/'saml' users will be able to access the system.
##
user_authentication:
oauth:
Expand All @@ -316,6 +317,7 @@ anchoreConfig:
hashed_passwords: true
sso_require_existing_users: false
remove_deleted_user_api_keys_older_than_days: 365
disallow_native_users: false

## @param anchoreConfig.metrics.enabled Enable Prometheus metrics for all Anchore services
## @param anchoreConfig.metrics.auth_disabled Disable auth on Prometheus metrics for all Anchore services
Expand Down Expand Up @@ -567,6 +569,9 @@ anchoreConfig:
##
overrideFeedsToUpstream: false

## @param anchoreConfig.policy_engine.enable_user_base_image Enables usage of Well Known Annotation to identify base image for use in ancestry calculations
enable_user_base_image: true

notifications:
## @param anchoreConfig.notifications.cycle_timers.notifications Interval that notifications are sent
##
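Review bot: `enable_user_base_image` defaults to `true`, so an upgrade to this chart version changes how ancestry is calculated without the operator setting anything, and the V2.8.x upgrade note in the README only says that v5.7.x is deployed. Please mention the new default there, name the annotation that "Well Known Annotation" refers to in the `@param` text, and add the closing `##` line that the neighbouring parameter comments use.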
Expand Down Expand Up @@ -676,6 +681,9 @@ anchoreConfig:
count: 5
expires: 300

## @param anchoreConfig.ui.sso_auth_only Enable SSO authentication only
sso_auth_only: false

## @param anchoreConfig.ui.custom_links List of up to 10 external links provided
## Each link entry must have a title of greater than 0-length and a valid URI. If either item is invalid, the entry will be excluded.
##
Expand Down Expand Up @@ -1319,7 +1327,7 @@ simpleQueue:
ui:
## @param ui.image Image used for the Anchore UI container
##
image: docker.io/anchore/enterprise-ui:v5.6.0
image: docker.io/anchore/enterprise-ui:v5.7.0

## @param ui.imagePullPolicy Image pull policy for Anchore UI image
##
Expand Down
