Enterprise V5.10.0 Release (#407)

* fix: adds log_saml_assertions to the default config with value=false to facilitate better SSO debugging (#243)

Signed-off-by: Zach Hill <[email protected]>

* fix: adds log_saml_assertions to the default config with value=false to facilitate better SSO debugging (#243)

Signed-off-by: Zach Hill <[email protected]>
Signed-off-by: Hung Nguyen <[email protected]>

* feat: chart for enterprise v5.10.0

helm chart for enterprise v5.10.0 with hosted feeds

Signed-off-by: Arvind Somya <[email protected]>
Signed-off-by: Hung Nguyen <[email protected]>

* Adding test for dataSyncer resource (#245)

* Added test for dataSyncer resource; updated common_helpers_test.yaml with the new dataSyncer test; updated .gitignore for vscode use

Signed-off-by: Jesse Tamburino <[email protected]>

* Updated tests and added missing tests

Signed-off-by: Jesse Tamburino <[email protected]>

* Bumped the version of the chart

Signed-off-by: Jesse Tamburino <[email protected]>

---------

Signed-off-by: Jesse Tamburino <[email protected]>
Co-authored-by: Jesse Tamburino <[email protected]>
Signed-off-by: Hung Nguyen <[email protected]>

* fix readme
removing unused code
make osaa_config in line with default config
license secret creation not dependent on useExistingSecrets
bumping chart version for dev-sync to prod
bump feeds app version to correct version

Signed-off-by: Hung Nguyen <[email protected]>

* fix: adds log_saml_assertions to the default config with value=false to facilitate better SSO debugging (#243)
update readme
adding tests
update tests to add required values
move required check into configmap

Signed-off-by: Hung Nguyen <[email protected]>
Signed-off-by: Zach Hill <[email protected]>

---------

Signed-off-by: Zach Hill <[email protected]>
Signed-off-by: Hung Nguyen <[email protected]>
Signed-off-by: Arvind Somya <[email protected]>
Signed-off-by: Jesse Tamburino <[email protected]>
Co-authored-by: Zach Hill <[email protected]>
Co-authored-by: Arvind Somya <[email protected]>
Co-authored-by: Jesse <[email protected]>
Co-authored-by: Jesse Tamburino <[email protected]>

Author: 4 people

.github/workflows/openshift-test.yaml

@@ -4,7 +4,6 @@ on:
   pull_request:
     paths:
       - 'stable/enterprise/Chart.yaml'
-      - 'stable/feeds/Chart.yaml'
       - 'stable/ecs-inventory/Chart.yaml'
       - 'stable/k8s-inventory/Chart.yaml'
 
@@ -129,7 +128,7 @@ jobs:
           mv ci/openshift-test.yaml ci/openshift-test-values.yaml
           popd
         done
-        ct install --config ct-config.yaml --helm-extra-args "--timeout 600s"
+        ct install --config ct-config.yaml --helm-extra-args "--timeout 600s" --helm-extra-set-args "--set=useExistingPullCredSecret=true--set=useExistingLicenseSecret=true --set=anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers=[] --set=anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types=[]"
       env:
         KUBECONFIG: ./tmp/kubeconfig
         TARGET_BRANCH: "${{ github.event.pull_request.base.ref }}"

.github/workflows/test.yaml

@@ -99,4 +99,4 @@ jobs:
 
     - name: Run chart-testing
       if: steps.list-changed.outputs.CHANGED == 'true'
-      run: ct install --config ct-config.yaml --helm-extra-args "--timeout 600s"
+      run: ct install --config ct-config.yaml --helm-extra-args "--timeout 600s" --helm-extra-set-args "--set=useExistingPullCredSecret=true --set=useExistingLicenseSecret=true --set=anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers=[] --set=anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types=[]"

.gitignore

@@ -4,3 +4,5 @@ examples/
 charts/
 .idea/
 *.code-workspace
+.DS_Store
+.vscode/

ct-config.yaml

@@ -7,3 +7,4 @@ chart-repos:
   - bitnami=https://charts.bitnami.com/bitnami
 namespace: anchore
 release-label: anchore
+exclude-deprecated: true

stable/enterprise/Chart.lock

@@ -5,8 +5,5 @@ dependencies:
 - name: redis
   repository: oci://registry-1.docker.io/bitnamicharts
   version: 17.11.8
-- name: feeds
-  repository: https://charts.anchore.io/stable
-  version: 2.9.0
-digest: sha256:794234e4be51cccf563f5efc4b205fef8042f1ddd3113c2578f839eb4b6e10dd
-generated: "2024-09-04T11:58:57.913094-04:00"
+digest: sha256:0ecd9810e416973f8bc4caa4641764b10ff5224edaecb1a5b66d3b1f82948537
+generated: "2024-08-15T22:30:42.63806-07:00"

stable/enterprise/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: enterprise
-version: "2.10.0"
-appVersion: "5.9.0"
+version: "3.0.0"
+appVersion: "5.10.0"
 kubeVersion: 1.23.x - 1.30.x || 1.23.x-x - 1.30.x-x
 description: |
   Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems,
@@ -38,13 +38,3 @@ dependencies:
     repository: "oci://registry-1.docker.io/bitnamicharts"
     condition: ui-redis.chartEnabled
     alias: ui-redis
-  - name: feeds
-    version: "~2"
-    repository: "@anchore"
-    # repository: file://../feeds
-    condition: feeds.chartEnabled
-    import-values:
-      - child: service
-        parent: feeds.service
-      - child: anchoreConfig.internalServicesSSL
-        parent: feeds.anchoreConfig.internalServicesSSL

stable/enterprise/README.md

@@ -2,9 +2,6 @@ securityContext:
   fsGroup: null
   runAsGroup: null
   runAsUser: null
-feeds:
-  chartEnabled: false
-  url: "my-release-feeds"
 postgresql:
   primary:
     containerSecurityContext:
@@ -16,4 +13,4 @@ ui-redis:
     podSecurityContext:
       enabled: false
     containerSecurityContext:
-      enabled: false
+      enabled: false

stable/enterprise/ci/openshift-test.yaml

@@ -55,7 +55,6 @@ audit:
     - "/user/api-keys/{key_name}"
     - "/user/credentials"
 
-
 metrics:
   enabled: ${ANCHORE_ENABLE_METRICS}
   auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH}
@@ -82,6 +81,7 @@ user_authentication:
   max_api_keys_per_user: {{ .Values.anchoreConfig.user_authentication.max_api_keys_per_user }}
   remove_deleted_user_api_keys_older_than_days: {{ .Values.anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days }}
   disallow_native_users: {{ .Values.anchoreConfig.user_authentication.disallow_native_users }}
+  log_saml_assertions: {{ .Values.anchoreConfig.user_authentication.log_saml_assertions }}
 credentials:
   database:
     user: "${ANCHORE_DB_USER}"
@@ -199,14 +199,10 @@ services:
         data:
           grypedb:
             enabled: true
-            url: {{ template "enterprise.grypeProviderURL" . }}
-          packages:
-            enabled: ${ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED}
-            url: {{ template "enterprise.feedsURL" . }}
-          vulnerability_annotations:
-            enabled: ${ANCHORE_FEEDS_DRIVER_VULN_ANNOTATIONS_ENABLED}
-            url: {{ template "enterprise.feedsURL" . }}
       matching:
+        exclude:
+          providers: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers }}
+          package_types: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types }}
         default:
           search:
             by_cpe:
@@ -295,3 +291,19 @@ services:
     ssl_enable: ${ANCHORE_SSL_ENABLED}
     ssl_cert: ${ANCHORE_SSL_CERT}
     ssl_key: ${ANCHORE_SSL_KEY}
+
+  data_syncer:
+    enabled: true
+    require_auth: true
+    endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}
+    listen: 0.0.0.0
+    port: ${ANCHORE_PORT}
+    auto_sync_enabled: true
+    upload_dir: {{ .Values.scratchVolume.mountPath }}
+    datasets:
+      vulnerability_db:
+        versions: ["5"]
+      clamav_db:
+        versions: ["1"]
+      kev_db:
+        versions: ["1"]

stable/enterprise/files/default_config.yaml

@@ -1,6 +1,12 @@
 service_dir: ${ANCHORE_SERVICE_DIR}
 tmp_dir: ${ANCHORE_TMP_DIR}
-log_level: ${ANCHORE_LOG_LEVEL}
+log_level: ${ANCHORE_LOG_LEVEL} # Deprecated - prefer use of logging.log_level
+
+logging:
+  {{- toYaml .Values.anchoreConfig.logging | nindent 2 }}
+
+server:
+  {{- toYaml .Values.anchoreConfig.server | nindent 2 }}
 
 allow_awsecr_iam_auto: ${ANCHORE_ALLOW_ECR_IAM_AUTO}
 host_id: "${ANCHORE_HOST_ID}"
@@ -19,6 +25,36 @@ max_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB}
 
 max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB}
 
+audit:
+  enabled: {{ .Values.anchoreConfig.audit.enabled }}
+  mode: log
+  verbs:
+    - post
+    - put
+    - delete
+    - patch
+  resource_uris:
+    - "/accounts"
+    - "/accounts/{account_name}"
+    - "/accounts/{account_name}/state"
+    - "/accounts/{account_name}/users"
+    - "/accounts/{account_name}/users/{username}"
+    - "/accounts/{account_name}/users/{username}/api-keys"
+    - "/accounts/{account_name}/users/{username}/api-keys/{key_name}"
+    - "/accounts/{account_name}/users/{username}/credentials"
+    - "/rbac-manager/roles"
+    - "/rbac-manager/roles/{role_name}/members"
+    - "/rbac-manager/saml/idps"
+    - "/rbac-manager/saml/idps/{name}"
+    - "/rbac-manager/saml/idps/{name}/user-group-mappings"
+    - "/system/user-groups"
+    - "/system/user-groups/{group_uuid}"
+    - "/system/user-groups/{group_uuid}/roles"
+    - "/system/user-groups/{group_uuid}/users"
+    - "/user/api-keys"
+    - "/user/api-keys/{key_name}"
+    - "/user/credentials"
+
 metrics:
   enabled: ${ANCHORE_ENABLE_METRICS}
   auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH}
@@ -45,7 +81,7 @@ user_authentication:
   max_api_keys_per_user: {{ .Values.anchoreConfig.user_authentication.max_api_keys_per_user }}
   remove_deleted_user_api_keys_older_than_days: {{ .Values.anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days }}
   disallow_native_users: {{ .Values.anchoreConfig.user_authentication.disallow_native_users }}
-
+  log_saml_assertions: {{ .Values.anchoreConfig.user_authentication.log_saml_assertions }}
 credentials:
   database:
     user: "${ANCHORE_DB_USER}"
@@ -171,14 +207,10 @@ services:
         data:
           grypedb:
             enabled: true
-            url: {{ template "enterprise.grypeProviderURL" . }}
-          packages:
-            enabled: ${ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED}
-            url: {{ template "enterprise.feedsURL" . }}
-          vulnerability_annotations:
-            enabled: ${ANCHORE_FEEDS_DRIVER_VULN_ANNOTATIONS_ENABLED}
-            url: {{ template "enterprise.feedsURL" . }}
       matching:
+        exclude:
+          providers: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers }}
+          package_types: {{ .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types }}
         default:
           search:
             by_cpe:
@@ -267,3 +299,19 @@ services:
     ssl_enable: ${ANCHORE_SSL_ENABLED}
     ssl_cert: ${ANCHORE_SSL_CERT}
     ssl_key: ${ANCHORE_SSL_KEY}
+
+  data_syncer:
+    enabled: true
+    require_auth: true
+    endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}
+    listen: 0.0.0.0
+    port: ${ANCHORE_PORT}
+    auto_sync_enabled: true
+    upload_dir: {{ .Values.scratchVolume.mountPath }}
+    datasets:
+      vulnerability_db:
+        versions: ["5"]
+      clamav_db:
+        versions: ["1"]
+      kev_db:
+        versions: ["1"]

stable/enterprise/files/osaa_config.yaml

@@ -258,10 +258,15 @@ securityContext: {{- toYaml . | nindent 2 }}
 {{- if or .Values.serviceAccountName (index .Values (print $component)).serviceAccountName (eq $component "upgradeJob") (eq $component "osaaMigrationJob") }}
 serviceAccountName: {{ include "enterprise.serviceAccountName" (merge (dict "component" $component) .) }}
 {{- end }}
+{{- if .Values.useExistingPullCredSecret }}
 {{- with .Values.imagePullSecretName }}
 imagePullSecrets:
   - name: {{ . }}
 {{- end }}
+{{- else }}
+imagePullSecrets:
+  - name: {{ template "enterprise.fullname" . }}-pullcreds
+{{- end }}
 {{- with (default .Values.nodeSelector (index .Values (print $component)).nodeSelector) }}
 nodeSelector: {{- toYaml . | nindent 2 }}
 {{- end }}
@@ -335,7 +340,7 @@ Setup the common anchore volumes
 {{- include "enterprise.common.extraVolumes" (merge (dict "component" $component) .) }}
 - name: anchore-license
   secret:
-    secretName: {{ .Values.licenseSecretName }}
+    {{- include "enterprise.licenseSecret" . | nindent 4 }}
 - name: anchore-scripts
   configMap:
     name: {{ .Release.Name }}-enterprise-scripts

stable/enterprise/templates/_common.tpl

@@ -57,46 +57,6 @@ Allows passing in a feature flag to the ui application on startup
   {{- end }}
 {{- end }}
 
-{{/*
-Returns the proper URL for the feeds service
-*/}}
-{{- define "enterprise.feedsURL" }}
-{{- $anchoreFeedsURL := "" }}
-  {{- if .Values.feeds.url }}
-    {{- /* remove everything from the URL after /v2 to get the hostname, then use that to construct the proper URL */}}
-    {{- $regexSearchPattern := (printf "/v2.*$" | toString) }}
-    {{- $urlPathSuffix := (default "" (regexFind $regexSearchPattern .Values.feeds.url) ) }}
-    {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.feeds.url) -}}
-    {{- $anchoreFeedsURL = (printf "%s/v2/feeds" $anchoreFeedsHost) -}}
-  {{- else if .Values.feeds.chartEnabled }}
-    {{- $anchoreFeedsURL = (printf "%s://%s:%s/v2/feeds" (include "enterprise.feeds.setProtocol" .) (include "enterprise.feeds.fullname" .) (.Values.feeds.service.port | toString)) -}}
-  {{- end }}
-    {{- print $anchoreFeedsURL -}}
-{{- end -}}
-
-
-{{/*
-Returns the proper URL for the grype provider
-*/}}
-{{- define "enterprise.grypeProviderURL" }}
-{{- $grypeProviderFeedsExternalURL := "" -}}
-{{- $regexSearchPattern := (printf "/v2.*$" | toString) }}
-  {{- if .Values.feeds.url }}
-    {{- /* remove everything from the URL after /v2 to get the hostname, then use that to construct the proper URL */}}
-    {{- $urlPathSuffix := (default "" ( regexFind $regexSearchPattern .Values.feeds.url )) -}}
-    {{- $anchoreFeedsHost := (trimSuffix $urlPathSuffix .Values.feeds.url) -}}
-    {{- $grypeProviderFeedsExternalURL = (printf "%s/v2/databases/grypedb" $anchoreFeedsHost) -}}
-  {{- else if .Values.feeds.chartEnabled }}
-    {{- $grypeProviderFeedsExternalURL = (printf "%s://%s:%s/v2/databases/grypedb" (include "enterprise.feeds.setProtocol" .) (include "enterprise.feeds.fullname" .) (.Values.feeds.service.port | toString)) -}}
-  {{- end }}
-
-  {{- /* Set the grypeProviderFeedsExternalURL to upstream feeds if still unset or if specifically overridden */}}
-  {{- if or (empty $grypeProviderFeedsExternalURL) .Values.anchoreConfig.policy_engine.overrideFeedsToUpstream -}}
-    {{- $grypeProviderFeedsExternalURL = "https://toolbox-data.anchore.io/grype/databases/listing.json" -}}
-  {{- end }}
-    {{- print $grypeProviderFeedsExternalURL -}}
-{{- end -}}
-
 
 {{/*
 Set the appropriate kubernetes service account name.
@@ -128,18 +88,6 @@ Return the proper protocol when Anchore internal SSL is enabled
 {{- end -}}
 
 
-{{/*
-Return the proper protocol when Anchore internal SSL is enabled
-*/}}
-{{- define "enterprise.feeds.setProtocol" -}}
-  {{- if .Values.feeds.anchoreConfig.internalServicesSSL.enabled }}
-{{- print "https" -}}
-  {{- else -}}
-{{- print "http" -}}
-  {{- end }}
-{{- end -}}
-
-
 {{/*
 Return the database password for the Anchore Enterprise UI config
 */}}
@@ -190,3 +138,20 @@ Checks if the appVersion.minor has increased, which is indicitive of requiring a
 {{- end -}}
 
 {{- end -}}
+
+{{/*
+Constructs a proper dockerconfig json string for use in the image pull secret that is managed by the chart
+*/}}
+{{- define "enterprise.imagePullSecret" }}
+{{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" .Values.imageCredentials.registry .Values.imageCredentials.username .Values.imageCredentials.password .Values.imageCredentials.email (printf "%s:%s" .Values.imageCredentials.username .Values.imageCredentials.password | b64enc) | b64enc }}
+{{- end }}
+
+{{- define "enterprise.licenseSecret" -}}
+{{- if .Values.useExistingLicenseSecret }}
+{{- with .Values.licenseSecretName }}
+secretName: {{ . }}
+{{- end }}
+{{- else }}
+secretName: {{ template "enterprise.fullname" . }}-license
+{{- end }}
+{{- end -}}

stable/enterprise/templates/_helpers.tpl

@@ -27,6 +27,11 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- printf "%s-%s-%s" .Release.Name $name "catalog"| trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{- define "enterprise.dataSyncer.fullname" -}}
+{{- $name := default .Chart.Name .Values.global.nameOverride -}}
+{{- printf "%s-%s-%s" .Release.Name $name "datasyncer"| trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{- define "enterprise.notifications.fullname" -}}
 {{- $name := default .Chart.Name .Values.global.nameOverride -}}
 {{- printf "%s-%s-%s" .Release.Name $name "notifications"| trunc 63 | trimSuffix "-" -}}
@@ -76,15 +81,6 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- printf "%s-%s-%s-%s" .Release.Name $name (.Chart.AppVersion | replace "." "") "smoke-test" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
-{{- define "enterprise.feeds.fullname" -}}
-{{- if .Values.feeds.fullnameOverride }}
-  {{- .Values.feeds.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-  {{- $name := default "feeds" .Values.feeds.nameOverride -}}
-  {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end -}}
-
 {{- define "postgres.fullname" -}}
 {{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}

stable/enterprise/templates/_names.tpl

@@ -1,3 +1,5 @@
+{{- $exclude_providers := required "anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers is required" .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers -}}
+{{- $exclude_package := required "anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types is required" .Values.anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types -}}
 kind: ConfigMap
 apiVersion: v1
 metadata: