From ac8448e3b9322ba8020552b23b00cad18536d179 Mon Sep 17 00:00:00 2001
From: Hung Nguyen
Date: Fri, 28 Jun 2024 16:50:24 -0400
Subject: [PATCH] enterprise: v5.7.0 updates (#390)
* enterprise: v5.7.0 updates
* enterprise update snapshot test
* bump k8s version constraint to allow v1.30
---------
Signed-off-by: Hung Nguyen
Signed-off-by: Brady Todhunter
---
stable/enterprise/Chart.lock | 6 +++---
stable/enterprise/Chart.yaml | 6 +++---
stable/enterprise/README.md | 7 +++++++
stable/enterprise/files/default_config.yaml | 7 ++++++-
stable/enterprise/files/osaa_config.yaml | 6 ++++++
stable/enterprise/templates/NOTES.txt | 10 +++++++---
stable/enterprise/templates/ui_configmap.yaml | 1 +
.../__snapshot__/configmap_test.yaml.snap | 9 +++++++--
.../__snapshot__/osaa_configmap_test.yaml.snap | 13 ++++++++++++-
.../prehook_upgrade_resources_test.yaml.snap | 18 +++++++++---------
stable/enterprise/values.yaml | 12 ++++++++++--
11 files changed, 71 insertions(+), 24 deletions(-)
diff --git a/stable/enterprise/Chart.lock b/stable/enterprise/Chart.lock
index 54fffb09..5e81850a 100644
--- a/stable/enterprise/Chart.lock
+++ b/stable/enterprise/Chart.lock
@@ -7,6 +7,6 @@ dependencies:
 version: 17.11.8
 - name: feeds
 repository: https://charts.anchore.io/stable
- version: 2.6.0
-digest: sha256:c20d790efc92e6f4f186abe76ec02b731c0211aa36cabec589ce9fdb2e9a7189
-generated: "2024-05-31T16:00:42.069239-04:00"
+ version: 2.7.0
+digest: sha256:824b735ba784dca70b5e01b55b4955519381a930e16010ade22727eab5f9da88
+generated: "2024-06-28T16:21:14.882771-04:00"
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml
index 9c697256..7197a5bd 100644
--- a/stable/enterprise/Chart.yaml
+++ b/stable/enterprise/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
 name: enterprise
-version: "2.7.0"
-appVersion: "5.6.0"
-kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.29.x-x
+version: "2.8.0"
+appVersion: "5.7.0"
+kubeVersion: 1.23.x - 1.30.x || 1.23.x-x - 1.30.x-x
 description: |
 Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems, it allows developers to bolster security without compromising velocity and enables security teams to audit and verify compliance in real-time.
diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md
index b58f7993..feb2587b 100644
--- a/stable/enterprise/README.md
+++ b/stable/enterprise/README.md
@@ -1083,6 +1083,7 @@ To restore your deployment to using your previous driver configurations:
 | `anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days` | The number of days elapsed after a user API key is deleted before it is garbage collected (-1 to disable) | `365` |
 | `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `true` |
 | `anchoreConfig.user_authentication.sso_require_existing_users` | set to true in order to disable the SSO JIT provisioning during authentication | `false` |
+| `anchoreConfig.user_authentication.disallow_native_users` | Disallow native users to authenticate by any method. Only SSO/'saml' users will be able to access the system. | `false` |
 | `anchoreConfig.metrics.enabled` | Enable Prometheus metrics for all Anchore services | `false` |
 | `anchoreConfig.metrics.auth_disabled` | Disable auth on Prometheus metrics for all Anchore services | `false` |
 | `anchoreConfig.webhooks` | Enable Anchore services to provide webhooks for external system updates | `{}` |
@@ -1131,6 +1132,7 @@ To restore your deployment to using your previous driver configurations:
 | `anchoreConfig.policy_engine.cycle_timers.feed_sync` | Interval to run a feed sync to get latest cve data | `14400` |
 | `anchoreConfig.policy_engine.cycle_timers.feed_sync_checker` | Interval between checks to see if there needs to be a task queued | `3600` |
 | `anchoreConfig.policy_engine.overrideFeedsToUpstream` | Override the Anchore Feeds URL to use the public upstream Anchore Feeds | `false` |
+| `anchoreConfig.policy_engine.enable_user_base_image` | Enables usage of Well Known Annotation to identify base image for use in ancestry calculations | `true` |
 | `anchoreConfig.notifications.cycle_timers.notifications` | Interval that notifications are sent | `30` |
 | `anchoreConfig.notifications.ui_url` | Set the UI URL that is included in the notification, defaults to the Enterprise UI service name | `""` |
 | `anchoreConfig.reports.enable_graphiql` | Enable GraphiQL, a GUI for editing and testing GraphQL queries and mutations | `true` |
@@ -1158,6 +1160,7 @@ To restore your deployment to using your previous driver configurations:
 | `anchoreConfig.ui.force_websocket` | Force WebSocket protocol for socket message communications | `false` |
 | `anchoreConfig.ui.authentication_lock.count` | Number of failed authentication attempts allowed before a temporary lock is applied | `5` |
 | `anchoreConfig.ui.authentication_lock.expires` | Authentication lock duration | `300` |
+| `anchoreConfig.ui.sso_auth_only` | Enable SSO authentication only | `false` |
 | `anchoreConfig.ui.custom_links` | List of up to 10 external links provided | `{}` |
 | `anchoreConfig.ui.enable_add_repositories` | Specify what users can add image repositories to the Anchore UI | `{}` |
 | `anchoreConfig.ui.log_level` | Descriptive detail of the application log output | `http` |
@@ -1473,6 +1476,10 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel
 - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention.
 - **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update.
+### V2.8.x
+
+- Deploys Anchore Enterprise v5.7.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/570/) for more information.
+
 ### V2.7.x
 - Deploys Anchore Enterprise v5.6.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/560/) for more information.
diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml
index 350d7ce3..d65bba02 100644
--- a/stable/enterprise/files/default_config.yaml
+++ b/stable/enterprise/files/default_config.yaml
@@ -81,7 +81,7 @@ user_authentication:
 max_api_key_age_days: {{ .Values.anchoreConfig.user_authentication.max_api_key_age_days }}
 max_api_keys_per_user: {{ .Values.anchoreConfig.user_authentication.max_api_keys_per_user }}
 remove_deleted_user_api_keys_older_than_days: {{ .Values.anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days }}
-
+ disallow_native_users: {{ .Values.anchoreConfig.user_authentication.disallow_native_users }}
 credentials:
 database:
 user: "${ANCHORE_DB_USER}"
@@ -102,6 +102,10 @@ credentials:
 db_engine_args: {{- toYaml . | nindent 6 }}
 {{- end }}
+account_gc:
+ max_resource_gc_chunk: 4096
+ max_deletion_threads: 4
+
 services:
 apiext:
 enabled: true
@@ -185,6 +189,7 @@ services:
 cycle_timer_seconds: 1
 cycle_timers: {{- toYaml .Values.anchoreConfig.policy_engine.cycle_timers | nindent 6 }}
 enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD}
+ enable_user_base_image: {{ .Values.anchoreConfig.policy_engine.enable_user_base_image }}
 vulnerabilities:
 sync:
 enabled: true
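Review bot: The new `account_gc` block in the `@@ -102,6 +102,10 @@` hunk hard-codes `max_resource_gc_chunk: 4096` and `max_deletion_threads: 4` instead of reading them from `.Values`, which departs from the convention every other key in this template follows (compare `disallow_native_users` and `enable_user_base_image` in the neighbouring hunks) and leaves operators unable to tune them without forking the chart; the identical block is added to `osaa_config.yaml` in its `@@ -65,6 +66,10 @@` hunk. Neither values.yaml nor README.md in this commit documents the two keys, so what they control has to be inferred from their names. I would render them as `max_resource_gc_chunk: {{ .Values.anchoreConfig.account_gc.max_resource_gc_chunk }}` and `max_deletion_threads: {{ .Values.anchoreConfig.account_gc.max_deletion_threads }}`, add matching `## @param` entries with defaults 4096 and 4 to values.yaml and the README table, and regenerate the two configmap snapshots.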
diff --git a/stable/enterprise/files/osaa_config.yaml b/stable/enterprise/files/osaa_config.yaml
index 219e3595..5d2ff105 100644
--- a/stable/enterprise/files/osaa_config.yaml
+++ b/stable/enterprise/files/osaa_config.yaml
@@ -44,6 +44,7 @@ user_authentication:
 max_api_key_age_days: {{ .Values.anchoreConfig.user_authentication.max_api_key_age_days }}
 max_api_keys_per_user: {{ .Values.anchoreConfig.user_authentication.max_api_keys_per_user }}
 remove_deleted_user_api_keys_older_than_days: {{ .Values.anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days }}
+ disallow_native_users: {{ .Values.anchoreConfig.user_authentication.disallow_native_users }}
 credentials:
 database:
@@ -65,6 +66,10 @@ credentials:
 db_engine_args: {{- toYaml . | nindent 6 }}
 {{- end }}
+account_gc:
+ max_resource_gc_chunk: 4096
+ max_deletion_threads: 4
+
 services:
 apiext:
 enabled: true
@@ -156,6 +161,7 @@ services:
 cycle_timer_seconds: 1
 cycle_timers: {{- toYaml .Values.anchoreConfig.policy_engine.cycle_timers | nindent 6 }}
 enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD}
+ enable_user_base_image: {{ .Values.anchoreConfig.policy_engine.enable_user_base_image }}
 vulnerabilities:
 sync:
 enabled: true
diff --git a/stable/enterprise/templates/NOTES.txt b/stable/enterprise/templates/NOTES.txt
index 15503e39..1899d33d 100644
--- a/stable/enterprise/templates/NOTES.txt
+++ b/stable/enterprise/templates/NOTES.txt
@@ -6,11 +6,15 @@ The Anchore API can be accessed via port {{ .Values.api.service.port }} on the f
 The Anchore UI can be accessed via localhost:8080 with kubernetes port-forwarding:
- kubectl port-forward svc/{{- template "enterprise.ui.fullname" . }} 8080:{{- .Values.ui.service.port }}
+ kubectl port-forward -n {{ .Release.Namespace }} svc/{{- template "enterprise.ui.fullname" . }} 8080:{{- .Values.ui.service.port }}
 Get the default admin password using the following command:
- kubectl get secret {{ template "enterprise.fullname" . }} -o jsonpath='{.data.ANCHORE_ADMIN_PASSWORD}' | base64 -D
+ # for MacOS
+ kubectl get secret {{ template "enterprise.fullname" . }} -n {{ .Release.Namespace }} -o jsonpath='{.data.ANCHORE_ADMIN_PASSWORD}' | base64 -D
+
+ # for Linux
+ kubectl get secret {{ template "enterprise.fullname" . }} -n {{ .Release.Namespace }} -o jsonpath='{.data.ANCHORE_ADMIN_PASSWORD}' | base64 -d
 * NOTE: On first startup of Anchore Enterprise, the policy-engine performs a CVE data sync which may take several minutes to complete. During this time the system status will report 'partially_down' and any images added for analysis will stay in the 'not_analyzed' state.
@@ -19,7 +23,7 @@ Once the sync is complete, any queued images will be analyzed and the system sta
 Initial setup time can be >120sec for postgresql setup and readiness checks to pass for the services as indicated by pod state. You can check with:
- kubectl get pods -l app.kubernetes.io/name={{- template "enterprise.fullname" . -}},app.kubernetes.io/component=api
+ kubectl get pods -n {{ .Release.Namespace }} -l app.kubernetes.io/name={{- template "enterprise.fullname" . -}},app.kubernetes.io/component=api
 {{ if and .Values.useExistingSecrets .Release.IsUpgrade (semverCompare "~2.1.0" .Chart.Version) }}
 ******************
diff --git a/stable/enterprise/templates/ui_configmap.yaml b/stable/enterprise/templates/ui_configmap.yaml
index 6bd7d196..955a3971 100644
--- a/stable/enterprise/templates/ui_configmap.yaml
+++ b/stable/enterprise/templates/ui_configmap.yaml
@@ -44,3 +44,4 @@ data:
 log_level: {{ .Values.anchoreConfig.ui.log_level | squote }}
 enrich_inventory_view: {{ .Values.anchoreConfig.ui.enrich_inventory_view }}
 enable_prometheus_metrics: {{ .Values.anchoreConfig.metrics.enabled }}
+ sso_auth_only: {{ .Values.anchoreConfig.ui.sso_auth_only }}
diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
index a447b069..2015facb 100644
--- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
+++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
@@ -141,7 +141,7 @@ should render the configmaps:
 max_api_key_age_days: 365
 max_api_keys_per_user: 100
 remove_deleted_user_api_keys_older_than_days: 365
-
+ disallow_native_users: false
 credentials:
 database:
 user: "${ANCHORE_DB_USER}"
@@ -155,6 +155,10 @@ should render the configmaps:
 db_pool_size: ${ANCHORE_DB_POOL_SIZE}
 db_pool_max_overflow: ${ANCHORE_DB_POOL_MAX_OVERFLOW}
+ account_gc:
+ max_resource_gc_chunk: 4096
+ max_deletion_threads: 4
+
 services:
 apiext:
 enabled: true
@@ -263,6 +267,7 @@ should render the configmaps:
 feed_sync: 14400
 feed_sync_checker: 3600
 enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD}
+ enable_user_base_image: true
 vulnerabilities:
 sync:
 enabled: true
@@ -561,7 +566,7 @@ should render the configmaps:
 6: |
 apiVersion: v1
 data:
- config-ui.yaml: "# Anchore UI configuration\nreports_uri: 'http://test-release-enterprise-api:8228/v2'\nnotifications_uri: 'http://test-release-enterprise-api:8228/v2'\nenterprise_uri: 'http://test-release-enterprise-api:8228/v2'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: true\nforce_websocket: false\nauthentication_lock:\n count: 5\n expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: true\nenable_prometheus_metrics: false\n"
+ config-ui.yaml: "# Anchore UI configuration\nreports_uri: 'http://test-release-enterprise-api:8228/v2'\nnotifications_uri: 'http://test-release-enterprise-api:8228/v2'\nenterprise_uri: 'http://test-release-enterprise-api:8228/v2'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: true\nforce_websocket: false\nauthentication_lock:\n count: 5\n expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: true\nenable_prometheus_metrics: false\nsso_auth_only: false\n"
 kind: ConfigMap
 metadata:
 annotations:
diff --git a/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap
index 3acbdf44..6a3b054b 100644
--- a/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap
+++ b/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap
@@ -102,7 +102,7 @@ should render the configmaps for osaa migration if enabled:
 max_api_key_age_days: 365
 max_api_keys_per_user: 100
 remove_deleted_user_api_keys_older_than_days: 365
-
+ disallow_native_users: false
 credentials:
 database:
 user: "${ANCHORE_DB_USER}"
@@ -116,6 +116,10 @@ should render the configmaps for osaa migration if enabled:
 db_pool_size: ${ANCHORE_DB_POOL_SIZE}
 db_pool_max_overflow: ${ANCHORE_DB_POOL_MAX_OVERFLOW}
+ account_gc:
+ max_resource_gc_chunk: 4096
+ max_deletion_threads: 4
+
 services:
 apiext:
 enabled: true
@@ -224,6 +228,7 @@ should render the configmaps for osaa migration if enabled:
 feed_sync: 14400
 feed_sync_checker: 3600
 enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD}
+ enable_user_base_image: true
 vulnerabilities:
 sync:
 enabled: true
@@ -406,6 +411,7 @@ should render the configmaps for osaa migration if enabled:
 max_api_key_age_days: 365
 max_api_keys_per_user: 100
 remove_deleted_user_api_keys_older_than_days: 365
+ disallow_native_users: false
 credentials:
 database:
@@ -420,6 +426,10 @@ should render the configmaps for osaa migration if enabled:
 db_pool_size: ${ANCHORE_DB_POOL_SIZE}
 db_pool_max_overflow: ${ANCHORE_DB_POOL_MAX_OVERFLOW}
+ account_gc:
+ max_resource_gc_chunk: 4096
+ max_deletion_threads: 4
+
 services:
 apiext:
 enabled: true
@@ -539,6 +549,7 @@ should render the configmaps for osaa migration if enabled:
 feed_sync: 14400
 feed_sync_checker: 3600
 enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD}
+ enable_user_base_image: true
 vulnerabilities:
 sync:
 enabled: true
diff --git a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap
index d0e4dacc..1cd7b8c0 100644
--- a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap
+++ b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap
@@ -26,7 +26,7 @@ migration job should match snapshot:
 name: test-release-enterprise-config-env-vars
 - secretRef:
 name: test-release-enterprise
- image: docker.io/anchore/enterprise:v5.6.0
+ image: docker.io/anchore/enterprise:v5.7.0
 imagePullPolicy: IfNotPresent
 name: migrate-analysis-archive
 volumeMounts:
@@ -89,7 +89,7 @@ migration job should match snapshot:
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
- image: docker.io/anchore/enterprise:v5.6.0
+ image: docker.io/anchore/enterprise:v5.7.0
 imagePullPolicy: IfNotPresent
 name: wait-for-db
 restartPolicy: Never
@@ -148,7 +148,7 @@ migration job should match snapshot analysisArchiveMigration and objectStoreMigr
 name: test-release-enterprise-config-env-vars
 - secretRef:
 name: test-release-enterprise
- image: docker.io/anchore/enterprise:v5.6.0
+ image: docker.io/anchore/enterprise:v5.7.0
 imagePullPolicy: IfNotPresent
 name: migrate-analysis-archive
 volumeMounts:
@@ -211,7 +211,7 @@ migration job should match snapshot analysisArchiveMigration and objectStoreMigr
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
- image: docker.io/anchore/enterprise:v5.6.0
+ image: docker.io/anchore/enterprise:v5.7.0
 imagePullPolicy: IfNotPresent
 name: wait-for-db
 restartPolicy: Never
@@ -268,7 +268,7 @@ migration job should match snapshot analysisArchiveMigration to true:
 name: test-release-enterprise-config-env-vars
 - secretRef:
 name: test-release-enterprise
- image: docker.io/anchore/enterprise:v5.6.0
+ image: docker.io/anchore/enterprise:v5.7.0
 imagePullPolicy: IfNotPresent
 name: migrate-analysis-archive
 volumeMounts:
@@ -331,7 +331,7 @@ migration job should match snapshot analysisArchiveMigration to true:
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
- image: docker.io/anchore/enterprise:v5.6.0
+ image: docker.io/anchore/enterprise:v5.7.0
 imagePullPolicy: IfNotPresent
 name: wait-for-db
 restartPolicy: Never
@@ -387,7 +387,7 @@ migration job should match snapshot objectStoreMigration to true:
 name: test-release-enterprise-config-env-vars
 - secretRef:
 name: test-release-enterprise
- image: docker.io/anchore/enterprise:v5.6.0
+ image: docker.io/anchore/enterprise:v5.7.0
 imagePullPolicy: IfNotPresent
 name: migrate-analysis-archive
 volumeMounts:
@@ -450,7 +450,7 @@ migration job should match snapshot objectStoreMigration to true:
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
- image: docker.io/anchore/enterprise:v5.6.0
+ image: docker.io/anchore/enterprise:v5.7.0
 imagePullPolicy: IfNotPresent
 name: wait-for-db
 restartPolicy: Never
@@ -621,6 +621,6 @@ should render proper initContainers:
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
- image: docker.io/anchore/enterprise:v5.6.0
+ image: docker.io/anchore/enterprise:v5.7.0
 imagePullPolicy: IfNotPresent
 name: wait-for-db
diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml
index c694dd89..dd44fbdc 100644
--- a/stable/enterprise/values.yaml
+++ b/stable/enterprise/values.yaml
@@ -19,7 +19,7 @@ global:
 ## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI
 ##
-image: docker.io/anchore/enterprise:v5.6.0
+image: docker.io/anchore/enterprise:v5.7.0
 ## @param imagePullPolicy Image pull policy used by all deployments
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
@@ -304,6 +304,7 @@ anchoreConfig:
 ##
 ## @param anchoreConfig.user_authentication.sso_require_existing_users set to true in order to disable the SSO JIT provisioning during authentication
 ## This provides an additional layer of security and configuration for SSO users to gain access to Anchore.
+ ## @param anchoreConfig.user_authentication.disallow_native_users Disallow native users to authenticate by any method. Only SSO/'saml' users will be able to access the system.
 ##
 user_authentication:
 oauth:
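Review bot: The `## @param` line added for `disallow_native_users` in the `@@ -304,6 +304,7 @@` hunk says only SSO/'saml' users will be able to access the system, but it does not warn that the built-in admin account, whose password NOTES.txt in this same commit tells the operator to read from the chart secret, is presumably a native user and would therefore also be locked out unless an SSO user with admin rights already exists. Because this key is rendered into the API services' config (`default_config.yaml` and `osaa_config.yaml`), it is an enforcement switch rather than a UI preference, so a lockout is not recoverable from the UI. I would extend the comment with `## Enabling this also blocks password/API-key login for the default admin user; confirm an SSO-provisioned admin exists before setting it to true.` (exact behaviour to be confirmed against the v5.7.0 release notes).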
@@ -316,6 +317,7 @@ anchoreConfig:
 hashed_passwords: true
 sso_require_existing_users: false
 remove_deleted_user_api_keys_older_than_days: 365
+ disallow_native_users: false
 ## @param anchoreConfig.metrics.enabled Enable Prometheus metrics for all Anchore services
 ## @param anchoreConfig.metrics.auth_disabled Disable auth on Prometheus metrics for all Anchore services
@@ -567,6 +569,9 @@ anchoreConfig:
 ##
 overrideFeedsToUpstream: false
+ ## @param anchoreConfig.policy_engine.enable_user_base_image Enables usage of Well Known Annotation to identify base image for use in ancestry calculations
+ enable_user_base_image: true
+
 notifications:
 ## @param anchoreConfig.notifications.cycle_timers.notifications Interval that notifications are sent
 ##
@@ -676,6 +681,9 @@ anchoreConfig:
 count: 5
 expires: 300
+ ## @param anchoreConfig.ui.sso_auth_only Enable SSO authentication only
+ sso_auth_only: false
+
 ## @param anchoreConfig.ui.custom_links List of up to 10 external links provided
 ## Each link entry must have a title of greater than 0-length and a valid URI. If either item is invalid, the entry will be excluded.
 ##
@@ -1319,7 +1327,7 @@ simpleQueue:
 ui:
 ## @param ui.image Image used for the Anchore UI container
 ##
- image: docker.io/anchore/enterprise-ui:v5.6.0
+ image: docker.io/anchore/enterprise-ui:v5.7.0
 ## @param ui.imagePullPolicy Image pull policy for Anchore UI image
 ##
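Review bot: `enable_user_base_image` in the `@@ -567,6 +569,9 @@` hunk defaults to `true`, and its `## @param` text does not say where the "Well Known Annotation" comes from; if, as the name suggests, it is read from the analysed image's own metadata, then base-image ancestry is now driven by a value the image author controls, which anyone reading policy results built on ancestry should know. I would add `## The annotation is supplied by the image being analysed, so ancestry can be influenced by whoever built the image; set to false to ignore it.` under the existing `@param` line, after confirming the annotation's source against the v5.7.0 release notes.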
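Review bot: `sso_auth_only` in the `@@ -676,6 +681,9 @@` hunk is documented only as "Enable SSO authentication only", which reads as the same control as the new `anchoreConfig.user_authentication.disallow_native_users`, yet it is rendered solely into the UI configmap (`ui_configmap.yaml` hunk) while the other is rendered into the API services' config, and both default to false independently of each other. If the UI flag only removes the native login path from the UI, as its placement suggests, it is not an enforcement boundary on its own: native credentials would still be accepted by the API unless `disallow_native_users` is also set. I would make the relationship explicit in the comment, e.g. `## @param anchoreConfig.ui.sso_auth_only Only offer SSO login in the UI; set anchoreConfig.user_authentication.disallow_native_users as well to enforce this server-side`.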