[stable/anchore-engine] Enterprise 2.1 update (helm#16864)

* remove |trim from all toYaml statements Signed-off-by: Brady Todhunter <bradyt@anchore.com> * update configmaps to support new feed drivers Signed-off-by: Brady Todhunter <bradyt@anchore.com> * update db configurations to allow sslmode: verify-full & specifying a custom root ca cert Signed-off-by: Brady Todhunter <bradyt@anchore.com> * allow customizable analyzer_config.yaml Signed-off-by: Brady Todhunter <bradyt@anchore.com> * add _secret to ui config file name to clarify the k8s resource type Signed-off-by: Brady Todhunter <bradyt@anchore.com> * add saml support, custom ssl ca certificate support, & cleanup minor implementation bugs Signed-off-by: Brady Todhunter <bradyt@anchore.com> * fix internal ssl configuration Signed-off-by: Brady Todhunter <bradyt@anchore.com> * update image versions Signed-off-by: Brady Todhunter <bradyt@anchore.com> * add https to readiness & liveness checks when anchoreGlobal.internalServicesSsl.enabed=true Signed-off-by: Brady Todhunter <bradyt@anchore.com> * always use -k with curl health check on auth-manager, localhost will never match cert hostname Signed-off-by: Brady Todhunter <bradyt@anchore.com> * remove SSL config from auth handler & make all engine endpoints use https when anchoreGlobal.internalServicesSsl.enabled=true Signed-off-by: Brady Todhunter <bradyt@anchore.com> * add ssl_verify config to feed section Signed-off-by: Brady Todhunter <bradyt@anchore.com> * update README Signed-off-by: Brady Todhunter <bradyt@anchore.com>
arielb135 · Sep 4, 2019 · be0dbfa · be0dbfa
1 parent d7306c2
commit be0dbfa
Show file tree

Hide file tree

Showing 18 changed files with 531 additions and 222 deletions.
diff --git a/stable/anchore-engine/Chart.yaml b/stable/anchore-engine/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: anchore-engine
-version: 1.2.1
-appVersion: 0.4.2
+version: 1.3.0
+appVersion: 0.5.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
  - analysis

diff --git a/stable/anchore-engine/README.md b/stable/anchore-engine/README.md
@@ -104,6 +104,40 @@ To use this Helm chart with the enterprise services enabled, perform these steps
     password: <PASSWORD>
   ```
 
+## Upgrading to Chart version 1.3.0
+The following features were added with this chart version:
+  * Allow custom CA certificates for TLS on all system dependencies (postgresql, ldap, registries)
+  * Customization of the analyzer configuration
+  * Improved authentication methods, allowing SAML/token based auth
+  * Enterprise UI reporting improvements
+  * Enterprise SSO integration
+  * Enterprise vulnerability data enhancement using VulnDB
+
+Internal Service SSL configuration has been changed to support a global certificate storage secret. When upgrading to v1.3.0 of the chart, make sure the values file is updated appropriately.
+
+#### Chart v1.3.0 internal service SSL configuration
+```
+anchoreGlobal:
+  certStoreSecretName: anchore-certs
+  internalServicesSsl:
+    enabled: true
+    verifyCerts: true
+    certSecretKeyName: anchore.example.com.key
+    certSecretCertName: anchore.example.com.crt
+```
+
+#### Chart v1.2.0 internal service SSL configuration
+```
+anchoreGlobal:
+  internalServicesSslEnabled: true
+  internalServicesSsl:
+    verifyCerts: true
+    certSecret: anchore-certs
+    certDir: /home/anchore/certs
+    certSecretKeyName: anchore.example.com.key
+    certSecretCertName: anchore.example.com.crt
+```
+
 ## Upgrading to Chart version 1.0.0
 The following features were added with this chart version:
   * Rootless UBI 7 base image
@@ -449,6 +483,10 @@ Anchore Engine supports exporting prometheus metrics form each container. To ena
 When enabled, each service provides the metrics over the existing service port so your prometheus deployment will need to
 know about each pod and the ports it provides to scrape the metrics.
 
+### Using custom certificates
+A secret needs to be created in the same namespace as the anchore-engine chart installation. This secret should contain all custom certs, including CA certs & any certs used for internal TLS communication. 
+This secret will be mounted to all anchore-engine pods at /home/anchore/certs to be utilized by the system.
+
 ### Event Notifications
 
 Anchore Engine in v0.2.3 introduces a new events subsystem that exposes system-wide events via both a REST api as well

diff --git a/stable/anchore-engine/templates/NOTES.txt b/stable/anchore-engine/templates/NOTES.txt
@@ -10,15 +10,15 @@ To configure your anchore-cli run:
     ANCHORE_CLI_USER=admin
     ANCHORE_CLI_PASS=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "anchore-engine.fullname" . }} -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --decode; echo)
 {{ if .Values.ingress.enabled }}
-   ANCHORE_CLI_URL=http://$(kubectl get ingress --namespace {{ .Release.Namespace }} {{ template "anchore-engine.fullname" . }} -o jsonpath="{.status.loadBalancer.ingress[0].ip}")/v1/
+   ANCHORE_CLI_URL={{- if .Values.anchoreGlobal.internalServicesSsl.enabled -}}https{{- else }}http{{- end -}}://$(kubectl get ingress --namespace {{ .Release.Namespace }} {{ template "anchore-engine.fullname" . }} -o jsonpath="{.status.loadBalancer.ingress[0].ip}")/v1/
 {{ else }}
 Using the service endpoint from within the cluster you can use:
-    ANCHORE_CLI_URL=http://{{ template "anchore-engine.api.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.anchoreApi.service.port}}/v1/
+    ANCHORE_CLI_URL={{- if .Values.anchoreGlobal.internalServicesSsl.enabled -}}https{{- else }}http{{- end -}}://{{ template "anchore-engine.api.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.anchoreApi.service.port}}/v1/
 {{ end }}
 
 To verify the service is up and running, you can run container for the Anchore Engine CLI:
 
-    kubectl run -i --tty anchore-cli --restart=Always --image anchore/engine-cli --env ANCHORE_CLI_USER=admin --env ANCHORE_CLI_PASS=${ANCHORE_CLI_PASS} --env ANCHORE_CLI_URL=http://{{ template "anchore-engine.api.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.anchoreApi.service.port}}/v1/
+    kubectl run -i --tty anchore-cli --restart=Always --image anchore/engine-cli {{ if and (not .Values.anchoreGlobal.internalServicesSsl.verifyCerts) .Values.anchoreGlobal.internalServicesSsl.enabled -}}--env ANCHORE_CLI_SSL_VERIFY=n{{- end }} --env ANCHORE_CLI_USER=admin --env ANCHORE_CLI_PASS=${ANCHORE_CLI_PASS} --env ANCHORE_CLI_URL=http://{{ template "anchore-engine.api.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.anchoreApi.service.port}}/v1/
 
 from within the container you can use 'anchore-cli' commands.
 

diff --git a/stable/anchore-engine/templates/analyzer_configmap.yaml b/stable/anchore-engine/templates/analyzer_configmap.yaml
@@ -0,0 +1,20 @@
+{{- $component := "analyzer" -}}
+
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ template "anchore-engine.analyzer.fullname" . }}
+  labels:
+    app: {{ template "anchore-engine.fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    component: {{ $component }}
+    {{- with .Values.anchoreGlobal.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+data:
+  analyzer_config.yaml: |
+    {{- with .Values.anchoreAnalyzer.configFile }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
diff --git a/stable/anchore-engine/templates/analyzer_deployment.yaml b/stable/anchore-engine/templates/analyzer_deployment.yaml
@@ -10,10 +10,10 @@ metadata:
     heritage: {{ .Release.Service }}
     component: {{ $component }}
     {{- with .Values.anchoreAnalyzer.labels }}
-    {{ toYaml . | nindent 4 | trim }}
+    {{ toYaml . | nindent 4 }}
     {{- end }}
     {{- with .Values.anchoreGlobal.labels }}
-    {{ toYaml . | nindent 4 | trim }}
+    {{ toYaml . | nindent 4 }}
     {{- end }}
 spec:
   selector:
@@ -27,14 +27,14 @@ spec:
         app: {{ template "anchore-engine.fullname" . }}
         component: {{ $component }}
         {{- with .Values.anchoreAnalyzer.labels }}
-        {{ toYaml . | nindent 8 | trim }}
+        {{ toYaml . | nindent 8 }}
         {{- end }}
         {{- with .Values.anchoreGlobal.labels }}
-        {{ toYaml . | nindent 8 | trim }}
+        {{ toYaml . | nindent 8 }}
         {{- end }}
       {{- with .Values.anchoreAnalyzer.annotations }}
       annotations:
-        {{ toYaml . | nindent 8 | trim }}
+        {{ toYaml . | nindent 8 }}
       {{- end }}
     spec:
       containers:
@@ -65,10 +65,10 @@ spec:
             name: {{ template "anchore-engine.fullname" . }}
         env:
         {{- with .Values.anchoreGlobal.extraEnv }}
-        {{- toYaml . | nindent 8 | trim }}
+        {{- toYaml . | nindent 8 }}
         {{- end }}
         {{- with .Values.anchoreAnalyzer.extraEnv }}
-        {{- toYaml . | nindent 8 | trim }}
+        {{- toYaml . | nindent 8 }}
         {{- end }}
         - name: ANCHORE_POD_NAME
           valueFrom:
@@ -78,12 +78,15 @@ spec:
         - name: analyzer-api
           containerPort: {{ .Values.anchoreAnalyzer.containerPort }}
         volumeMounts:
+        - name: analyzer-config-volume
+          mountPath: /anchore_service/analyzer_config.yaml
+          subPath: analyzer_config.yaml
         - name: config-volume
           mountPath: /config/config.yaml
           subPath: config.yaml
-        {{- if .Values.anchoreGlobal.internalServicesSslEnabled }}
+        {{- if (.Values.anchoreGlobal.certStoreSecretName) }}
         - name: certs
-          mountPath: {{ .Values.anchoreGlobal.internalServicesSsl.certDir }}
+          mountPath: /home/anchore/certs/
           readOnly: true
         {{- end }}
         - name: {{ $component }}-scratch
@@ -92,6 +95,9 @@ spec:
           httpGet:
             path: /health
             port: analyzer-api
+            {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }}
+            scheme: HTTPS
+            {{- end }}
           initialDelaySeconds: 120
           timeoutSeconds: 10
           periodSeconds: 10
@@ -101,37 +107,43 @@ spec:
           httpGet:
             path: /health
             port: analyzer-api
+            {{- if .Values.anchoreGlobal.internalServicesSsl.enabled }}
+            scheme: HTTPS
+            {{- end }}
           timeoutSeconds: 10
           periodSeconds: 10
           failureThreshold: 3
           successThreshold: 1
         resources:
-          {{ toYaml .Values.anchoreAnalyzer.resources | nindent 10 | trim }}
+          {{ toYaml .Values.anchoreAnalyzer.resources | nindent 10 }}
       volumes:
         - name: config-volume
           configMap:
             name: {{ template "anchore-engine.fullname" .}}
-        {{- if .Values.anchoreGlobal.internalServicesSslEnabled }}
+        - name: analyzer-config-volume
+          configMap:
+            name: {{ template "anchore-engine.analyzer.fullname" . }}
+        {{- with .Values.anchoreGlobal.certStoreSecretName }}
         - name: certs
           secret:
-            secretName: {{ .Values.anchoreGlobal.internalServicesSsl.certSecret }}
+            secretName: {{ . }}
         {{- end }}
         - name: {{ $component }}-scratch
-          {{ toYaml .Values.anchoreGlobal.scratchVolume.details | indent 10 | trim }}
+          {{ toYaml .Values.anchoreGlobal.scratchVolume.details | nindent 10 }}
         {{- if .Values.cloudsql.useExistingServiceAcc }}
         - name: {{ .Values.cloudsql.serviceAccSecretName }}
           secret:
             secretName: {{ .Values.cloudsql.serviceAccSecretName }}
         {{- end }}
       {{- with .Values.anchoreAnalyzer.nodeSelector }}
       nodeSelector:
-        {{ toYaml . | nindent 8 | trim }}
+        {{ toYaml . | nindent 8 }}
       {{- end }}
       {{- with .Values.anchoreAnalyzer.affinity }}
       affinity:
-        {{ toYaml . | nindent 8 | trim }}
+        {{ toYaml . | nindent 8 }}
       {{- end }}
       {{- with .Values.anchoreAnalyzer.tolerations }}
       tolerations:
-        {{ toYaml . | nindent 8 | trim }}
+        {{ toYaml . | nindent 8 }}
       {{- end }}