enterprise: v5.7.0 updates #390

Merged
merged 3 commits into from
Jun 28, 2024
6 changes: 3 additions & 3 deletions stable/enterprise/Chart.lock
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,6 @@ dependencies:
version: 17.11.8
- name: feeds
repository: https://charts.anchore.io/stable
version: 2.6.0
digest: sha256:c20d790efc92e6f4f186abe76ec02b731c0211aa36cabec589ce9fdb2e9a7189
generated: "2024-05-31T16:00:42.069239-04:00"
version: 2.7.0
digest: sha256:824b735ba784dca70b5e01b55b4955519381a930e16010ade22727eab5f9da88
generated: "2024-06-28T16:21:14.882771-04:00"
6 changes: 3 additions & 3 deletions stable/enterprise/Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
apiVersion: v2
name: enterprise
version: "2.7.0"
appVersion: "5.6.0"
kubeVersion: 1.23.x - 1.28.x || 1.23.x-x - 1.29.x-x
version: "2.8.0"
appVersion: "5.7.0"
kubeVersion: 1.23.x - 1.30.x || 1.23.x-x - 1.30.x-x
description: |
Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems,
it allows developers to bolster security without compromising velocity and enables security teams to audit and verify compliance in real-time.
Expand Down
7 changes: 7 additions & 0 deletions stable/enterprise/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -1083,6 +1083,7 @@ To restore your deployment to using your previous driver configurations:
| `anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days` | The number of days elapsed after a user API key is deleted before it is garbage collected (-1 to disable) | `365` |
| `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `true` |
| `anchoreConfig.user_authentication.sso_require_existing_users` | set to true in order to disable the SSO JIT provisioning during authentication | `false` |
| `anchoreConfig.user_authentication.disallow_native_users` | Disallow native users to authenticate by any method. Only SSO/'saml' users will be able to access the system. | `false` |
| `anchoreConfig.metrics.enabled` | Enable Prometheus metrics for all Anchore services | `false` |
| `anchoreConfig.metrics.auth_disabled` | Disable auth on Prometheus metrics for all Anchore services | `false` |
| `anchoreConfig.webhooks` | Enable Anchore services to provide webhooks for external system updates | `{}` |
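Review bot: The new `anchoreConfig.user_authentication.disallow_native_users` row does not say what happens to the built-in admin account once the flag is `true`. The description states that only SSO/'saml' users can access the system, while NOTES.txt in this same PR still tells operators to fetch `ANCHORE_ADMIN_PASSWORD` and use it. Suggest stating in the description that SSO must be configured and verified before enabling this, and whether any native account remains usable for recovery.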
Expand Down Expand Up @@ -1131,6 +1132,7 @@ To restore your deployment to using your previous driver configurations:
| `anchoreConfig.policy_engine.cycle_timers.feed_sync` | Interval to run a feed sync to get latest cve data | `14400` |
| `anchoreConfig.policy_engine.cycle_timers.feed_sync_checker` | Interval between checks to see if there needs to be a task queued | `3600` |
| `anchoreConfig.policy_engine.overrideFeedsToUpstream` | Override the Anchore Feeds URL to use the public upstream Anchore Feeds | `false` |
| `anchoreConfig.policy_engine.enable_user_base_image` | Enables usage of Well Known Annotation to identify base image for use in ancestry calculations | `true` |
| `anchoreConfig.notifications.cycle_timers.notifications` | Interval that notifications are sent | `30` |
| `anchoreConfig.notifications.ui_url` | Set the UI URL that is included in the notification, defaults to the Enterprise UI service name | `""` |
| `anchoreConfig.reports.enable_graphiql` | Enable GraphiQL, a GUI for editing and testing GraphQL queries and mutations | `true` |
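Review bot: The `anchoreConfig.policy_engine.enable_user_base_image` row refers to a "Well Known Annotation" without naming it, and the default is `true`, so the behaviour is on after the upgrade unless an operator overrides it. Suggest naming the annotation key (or linking to the documentation that does) and mentioning the new default in the V2.8.x release notes section.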
Expand Down Expand Up @@ -1158,6 +1160,7 @@ To restore your deployment to using your previous driver configurations:
| `anchoreConfig.ui.force_websocket` | Force WebSocket protocol for socket message communications | `false` |
| `anchoreConfig.ui.authentication_lock.count` | Number of failed authentication attempts allowed before a temporary lock is applied | `5` |
| `anchoreConfig.ui.authentication_lock.expires` | Authentication lock duration | `300` |
| `anchoreConfig.ui.sso_auth_only` | Enable SSO authentication only | `false` |
| `anchoreConfig.ui.custom_links` | List of up to 10 external links provided | `{}` |
| `anchoreConfig.ui.enable_add_repositories` | Specify what users can add image repositories to the Anchore UI | `{}` |
| `anchoreConfig.ui.log_level` | Descriptive detail of the application log output | `http` |
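Review bot: The `anchoreConfig.ui.sso_auth_only` row ("Enable SSO authentication only") does not explain how it relates to `anchoreConfig.user_authentication.disallow_native_users`, which is added in the same PR. Suggest saying which component each setting restricts (the UI configmap versus the service config) and whether enforcing SSO-only access requires setting both, since an operator who sets only one may assume native logins are blocked everywhere.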
Expand Down Expand Up @@ -1473,6 +1476,10 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel
- **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention.
- **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update.

### V2.8.x

- Deploys Anchore Enterprise v5.7.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/570/) for more information.

### V2.7.x

- Deploys Anchore Enterprise v5.6.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/560/) for more information.
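Review bot: The `### V2.8.x` entry only mentions the Anchore Enterprise v5.7.x deployment and omits the values this PR introduces. Suggest listing `anchoreConfig.user_authentication.disallow_native_users`, `anchoreConfig.ui.sso_auth_only` and `anchoreConfig.policy_engine.enable_user_base_image` with their defaults, plus the new `account_gc` block in the service config, so operators reviewing the upgrade see the authentication-related options without reading the full values table.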
Expand Down
7 changes: 6 additions & 1 deletion stable/enterprise/files/default_config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ user_authentication:
max_api_key_age_days: {{ .Values.anchoreConfig.user_authentication.max_api_key_age_days }}
max_api_keys_per_user: {{ .Values.anchoreConfig.user_authentication.max_api_keys_per_user }}
remove_deleted_user_api_keys_older_than_days: {{ .Values.anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days }}

disallow_native_users: {{ .Values.anchoreConfig.user_authentication.disallow_native_users }}
credentials:
database:
user: "${ANCHORE_DB_USER}"
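Review bot: The `disallow_native_users:` line replaces the blank line that separated the `user_authentication:` block from `credentials:`, whereas the same addition in osaa_config.yaml keeps that separator. Suggest adding the new key above the blank line here as well so the two config templates stay aligned.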
Expand All @@ -102,6 +102,10 @@ credentials:
db_engine_args: {{- toYaml . | nindent 6 }}
{{- end }}

account_gc:
max_resource_gc_chunk: 4096
max_deletion_threads: 4

services:
apiext:
enabled: true
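Review bot: The new `account_gc:` block hardcodes `max_resource_gc_chunk: 4096` and `max_deletion_threads: 4`, unlike the surrounding settings that are rendered from `.Values` or environment variables, and nothing in the README change documents it. Suggest exposing both under `anchoreConfig` with these values as defaults, or adding a comment in the template explaining why they are fixed.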
Expand Down Expand Up @@ -185,6 +189,7 @@ services:
cycle_timer_seconds: 1
cycle_timers: {{- toYaml .Values.anchoreConfig.policy_engine.cycle_timers | nindent 6 }}
enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD}
enable_user_base_image: {{ .Values.anchoreConfig.policy_engine.enable_user_base_image }}
vulnerabilities:
sync:
enabled: true
Expand Down
6 changes: 6 additions & 0 deletions stable/enterprise/files/osaa_config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ user_authentication:
max_api_key_age_days: {{ .Values.anchoreConfig.user_authentication.max_api_key_age_days }}
max_api_keys_per_user: {{ .Values.anchoreConfig.user_authentication.max_api_keys_per_user }}
remove_deleted_user_api_keys_older_than_days: {{ .Values.anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days }}
disallow_native_users: {{ .Values.anchoreConfig.user_authentication.disallow_native_users }}

credentials:
database:
Expand All @@ -65,6 +66,10 @@ credentials:
db_engine_args: {{- toYaml . | nindent 6 }}
{{- end }}

account_gc:
max_resource_gc_chunk: 4096
max_deletion_threads: 4

services:
apiext:
enabled: true
Expand Down Expand Up @@ -156,6 +161,7 @@ services:
cycle_timer_seconds: 1
cycle_timers: {{- toYaml .Values.anchoreConfig.policy_engine.cycle_timers | nindent 6 }}
enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD}
enable_user_base_image: {{ .Values.anchoreConfig.policy_engine.enable_user_base_image }}
vulnerabilities:
sync:
enabled: true
Expand Down
10 changes: 7 additions & 3 deletions stable/enterprise/templates/NOTES.txt
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,15 @@ The Anchore API can be accessed via port {{ .Values.api.service.port }} on the f

The Anchore UI can be accessed via localhost:8080 with kubernetes port-forwarding:

kubectl port-forward svc/{{- template "enterprise.ui.fullname" . }} 8080:{{- .Values.ui.service.port }}
kubectl port-forward -n {{ .Release.Namespace }} svc/{{- template "enterprise.ui.fullname" . }} 8080:{{- .Values.ui.service.port }}

Get the default admin password using the following command:

kubectl get secret {{ template "enterprise.fullname" . }} -o jsonpath='{.data.ANCHORE_ADMIN_PASSWORD}' | base64 -D
# for MacOS
kubectl get secret {{ template "enterprise.fullname" . }} -n {{ .Release.Namespace }} -o jsonpath='{.data.ANCHORE_ADMIN_PASSWORD}' | base64 -D

# for Linux
kubectl get secret {{ template "enterprise.fullname" . }} -n {{ .Release.Namespace }} -o jsonpath='{.data.ANCHORE_ADMIN_PASSWORD}' | base64 -d

* NOTE: On first startup of Anchore Enterprise, the policy-engine performs a CVE data sync which may take several minutes to complete.
During this time the system status will report 'partially_down' and any images added for analysis will stay in the 'not_analyzed' state.
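Review bot: The password retrieval step now carries two near-identical commands that differ only in `base64 -D` versus `base64 -d`. `base64 --decode` is accepted by both the macOS and GNU implementations, so a single command would do and avoids the two copies drifting apart. Also, `-n {{ .Release.Namespace }}` is placed before the resource in the port-forward command and after it in the `kubectl get secret` commands; pick one position.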
Expand All @@ -19,7 +23,7 @@ Once the sync is complete, any queued images will be analyzed and the system sta
Initial setup time can be >120sec for postgresql setup and readiness checks to pass for the services as indicated by pod state.
You can check with:

kubectl get pods -l app.kubernetes.io/name={{- template "enterprise.fullname" . -}},app.kubernetes.io/component=api
kubectl get pods -n {{ .Release.Namespace }} -l app.kubernetes.io/name={{- template "enterprise.fullname" . -}},app.kubernetes.io/component=api

{{ if and .Values.useExistingSecrets .Release.IsUpgrade (semverCompare "~2.1.0" .Chart.Version) }}
******************
Expand Down
1 change: 1 addition & 0 deletions stable/enterprise/templates/ui_configmap.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -44,3 +44,4 @@ data:
log_level: {{ .Values.anchoreConfig.ui.log_level | squote }}
enrich_inventory_view: {{ .Values.anchoreConfig.ui.enrich_inventory_view }}
enable_prometheus_metrics: {{ .Values.anchoreConfig.metrics.enabled }}
sso_auth_only: {{ .Values.anchoreConfig.ui.sso_auth_only }}
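Review bot: `sso_auth_only: {{ .Values.anchoreConfig.ui.sso_auth_only }}` is rendered without a fallback, so if the key is absent from the supplied values (for example on an upgrade run with `--reuse-values`, which does not pick up new chart defaults) the line renders with an empty value. For a setting that restricts authentication, suggest `{{ .Values.anchoreConfig.ui.sso_auth_only | default false }}` so the rendered config always carries an explicit boolean; the same applies to `disallow_native_users` in default_config.yaml and osaa_config.yaml.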
Original file line number Diff line number Diff line change
Expand Up @@ -141,7 +141,7 @@ should render the configmaps:
max_api_key_age_days: 365
max_api_keys_per_user: 100
remove_deleted_user_api_keys_older_than_days: 365

disallow_native_users: false
credentials:
database:
user: "${ANCHORE_DB_USER}"
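Review bot: The snapshot here only covers the default `disallow_native_users: false`, and the UI configmap snapshot further down likewise only covers `sso_auth_only: false`. Suggest adding a test case that sets both to `true` and asserts the rendered configmaps, since those are the authentication-restricting paths operators will rely on.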
Expand All @@ -155,6 +155,10 @@ should render the configmaps:
db_pool_size: ${ANCHORE_DB_POOL_SIZE}
db_pool_max_overflow: ${ANCHORE_DB_POOL_MAX_OVERFLOW}

account_gc:
max_resource_gc_chunk: 4096
max_deletion_threads: 4

services:
apiext:
enabled: true
Expand Down Expand Up @@ -263,6 +267,7 @@ should render the configmaps:
feed_sync: 14400
feed_sync_checker: 3600
enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD}
enable_user_base_image: true
vulnerabilities:
sync:
enabled: true
Expand Down Expand Up @@ -561,7 +566,7 @@ should render the configmaps:
6: |
apiVersion: v1
data:
config-ui.yaml: "# Anchore UI configuration\nreports_uri: 'http://test-release-enterprise-api:8228/v2'\nnotifications_uri: 'http://test-release-enterprise-api:8228/v2'\nenterprise_uri: 'http://test-release-enterprise-api:8228/v2'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: true\nforce_websocket: false\nauthentication_lock:\n count: 5\n expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: true\nenable_prometheus_metrics: false\n"
config-ui.yaml: "# Anchore UI configuration\nreports_uri: 'http://test-release-enterprise-api:8228/v2'\nnotifications_uri: 'http://test-release-enterprise-api:8228/v2'\nenterprise_uri: 'http://test-release-enterprise-api:8228/v2'\n# redis_uri: overridden in deployment using the `ANCHORE_REDIS_URI` environment variable\n# appdb_uri: overridden in deployment using the `ANCHORE_APPDB_URI` environment variable\nlicense_path: '/home/anchore/'\nenable_ssl: false\nenable_proxy: false\nallow_shared_login: true\nredis_flushdb: true\nforce_websocket: false\nauthentication_lock:\n count: 5\n expires: 300\nappdb_config: \n native: true\n pool:\n acquire: 30000\n idle: 10000\n max: 10\n min: 0\nlog_level: 'http'\nenrich_inventory_view: true\nenable_prometheus_metrics: false\nsso_auth_only: false\n"
kind: ConfigMap
metadata:
annotations:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,7 @@ should render the configmaps for osaa migration if enabled:
max_api_key_age_days: 365
max_api_keys_per_user: 100
remove_deleted_user_api_keys_older_than_days: 365

disallow_native_users: false
credentials:
database:
user: "${ANCHORE_DB_USER}"
Expand All @@ -116,6 +116,10 @@ should render the configmaps for osaa migration if enabled:
db_pool_size: ${ANCHORE_DB_POOL_SIZE}
db_pool_max_overflow: ${ANCHORE_DB_POOL_MAX_OVERFLOW}

account_gc:
max_resource_gc_chunk: 4096
max_deletion_threads: 4

services:
apiext:
enabled: true
Expand Down Expand Up @@ -224,6 +228,7 @@ should render the configmaps for osaa migration if enabled:
feed_sync: 14400
feed_sync_checker: 3600
enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD}
enable_user_base_image: true
vulnerabilities:
sync:
enabled: true
Expand Down Expand Up @@ -406,6 +411,7 @@ should render the configmaps for osaa migration if enabled:
max_api_key_age_days: 365
max_api_keys_per_user: 100
remove_deleted_user_api_keys_older_than_days: 365
disallow_native_users: false

credentials:
database:
Expand All @@ -420,6 +426,10 @@ should render the configmaps for osaa migration if enabled:
db_pool_size: ${ANCHORE_DB_POOL_SIZE}
db_pool_max_overflow: ${ANCHORE_DB_POOL_MAX_OVERFLOW}

account_gc:
max_resource_gc_chunk: 4096
max_deletion_threads: 4

services:
apiext:
enabled: true
Expand Down Expand Up @@ -539,6 +549,7 @@ should render the configmaps for osaa migration if enabled:
feed_sync: 14400
feed_sync_checker: 3600
enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD}
enable_user_base_image: true
vulnerabilities:
sync:
enabled: true
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ migration job should match snapshot:
name: test-release-enterprise-config-env-vars
- secretRef:
name: test-release-enterprise
image: docker.io/anchore/enterprise:v5.6.0
image: docker.io/anchore/enterprise:v5.7.0
imagePullPolicy: IfNotPresent
name: migrate-analysis-archive
volumeMounts:
Expand Down Expand Up @@ -89,7 +89,7 @@ migration job should match snapshot:
valueFrom:
fieldRef:
fieldPath: metadata.name
image: docker.io/anchore/enterprise:v5.6.0
image: docker.io/anchore/enterprise:v5.7.0
imagePullPolicy: IfNotPresent
name: wait-for-db
restartPolicy: Never
Expand Down Expand Up @@ -148,7 +148,7 @@ migration job should match snapshot analysisArchiveMigration and objectStoreMigr
name: test-release-enterprise-config-env-vars
- secretRef:
name: test-release-enterprise
image: docker.io/anchore/enterprise:v5.6.0
image: docker.io/anchore/enterprise:v5.7.0
imagePullPolicy: IfNotPresent
name: migrate-analysis-archive
volumeMounts:
Expand Down Expand Up @@ -211,7 +211,7 @@ migration job should match snapshot analysisArchiveMigration and objectStoreMigr
valueFrom:
fieldRef:
fieldPath: metadata.name
image: docker.io/anchore/enterprise:v5.6.0
image: docker.io/anchore/enterprise:v5.7.0
imagePullPolicy: IfNotPresent
name: wait-for-db
restartPolicy: Never
Expand Down Expand Up @@ -268,7 +268,7 @@ migration job should match snapshot analysisArchiveMigration to true:
name: test-release-enterprise-config-env-vars
- secretRef:
name: test-release-enterprise
image: docker.io/anchore/enterprise:v5.6.0
image: docker.io/anchore/enterprise:v5.7.0
imagePullPolicy: IfNotPresent
name: migrate-analysis-archive
volumeMounts:
Expand Down Expand Up @@ -331,7 +331,7 @@ migration job should match snapshot analysisArchiveMigration to true:
valueFrom:
fieldRef:
fieldPath: metadata.name
image: docker.io/anchore/enterprise:v5.6.0
image: docker.io/anchore/enterprise:v5.7.0
imagePullPolicy: IfNotPresent
name: wait-for-db
restartPolicy: Never
Expand Down Expand Up @@ -387,7 +387,7 @@ migration job should match snapshot objectStoreMigration to true:
name: test-release-enterprise-config-env-vars
- secretRef:
name: test-release-enterprise
image: docker.io/anchore/enterprise:v5.6.0
image: docker.io/anchore/enterprise:v5.7.0
imagePullPolicy: IfNotPresent
name: migrate-analysis-archive
volumeMounts:
Expand Down Expand Up @@ -450,7 +450,7 @@ migration job should match snapshot objectStoreMigration to true:
valueFrom:
fieldRef:
fieldPath: metadata.name
image: docker.io/anchore/enterprise:v5.6.0
image: docker.io/anchore/enterprise:v5.7.0
imagePullPolicy: IfNotPresent
name: wait-for-db
restartPolicy: Never
Expand Down Expand Up @@ -621,6 +621,6 @@ should render proper initContainers:
valueFrom:
fieldRef:
fieldPath: metadata.name
image: docker.io/anchore/enterprise:v5.6.0
image: docker.io/anchore/enterprise:v5.7.0
imagePullPolicy: IfNotPresent
name: wait-for-db