Merge pull request #308 from anchore/dev-sync

Admission Controller 0.5.0 image bump, Enterprise ingress classname fix, Enterprise feeds driver fix, Enterprise config updates

.github/workflows/test.yaml

@@ -74,6 +74,24 @@ jobs:
         DOCKER_USER: ${{ secrets.ANCHORECI_DOCKER_USER }}
         DOCKER_PASS: ${{ secrets.ANCHORECI_DOCKER_PASS }}
 
+    - name: Check if anchore-engine endpoint is required for admission controller chart
+      id: engine_required
+      run: |
+        if [[ -n $(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep 'anchore-admission-controller') ]]; then
+          echo "File in the 'stable/anchore-admission-controller' directory was changed. We need an engine deployment"
+          echo "::set-output name=changed::true"
+        else
+          echo "No files in 'stable/anchore-admission-controller' directory were changed. Skipping engine deployment"
+          echo "::set-output name=changed::false"
+        fi
+      shell: bash
+
+    - name: Deploy Engine
+      if: steps.engine_required.outputs.changed == 'true'
+      run: |
+        helm install engine anchore/anchore-engine --namespace anchore --wait
+        kubectl --namespace anchore get pods
+
     - name: Run chart-testing
       if: steps.list-changed.outputs.CHANGED == 'true'
       run: ct install --config ct-config.yaml

scripts/enterprise-value-converter/helpers.py

@@ -131,21 +131,22 @@ def replace_keys_with_mappings(dot_string_dict, results_dir):
             write_to_file(f"{dotstring_key}: no longer used\n", os.path.join(logs_dir, log_file_name), "a")
             continue
 
-        # serviceName.annotations
-        if len(keys) > 1 and keys[1] in ['annotations', 'labels', 'nodeSelector', 'affinity', 'deploymentAnnotations']:
-            if val != {}:
-                val = {
-                    '.'.join(keys[2:]): val
-                }
-            keys = keys[:2]
         # serviceName.service.annotations
-        elif len(keys) > 2 and keys[2] in ['annotations', 'labels']:
+        if len(keys) > 2 and keys[2] in ['annotations', 'labels']:
             if val != {}:
                 val = {
                     '.'.join(keys[3:]): val
                 }
             keys = keys[:3]
 
+        # serviceName.annotations
+        elif len(keys) > 1 and keys[1] in ['annotations', 'labels', 'nodeSelector', 'deploymentAnnotations']:
+            if val != {}:
+                val = {
+                    '.'.join(keys[2:]): val
+                }
+            keys = keys[:2]
+
         update_result = False
         errored = True
 

scripts/enterprise-value-converter/tests/test_anchoreCatalog_value_mapping.py

@@ -217,15 +217,13 @@ def test_anchoreCatalog_tolerations_value(self):
     def test_anchoreCatalog_affinity_value(self):
         dot_string_dict = {
             "anchoreCatalog.affinity.name": "foo",
-            "anchoreCatalog.affinity.value": "bar",
-            "anchoreCatalog.affinity.anotherLabel.with.a.dot": "baz"
+            "anchoreCatalog.affinity.value": "bar"
         }
         expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
             'catalog': {
                 'affinity':{
                     'name': 'foo',
-                    'value': 'bar',
-                    'anotherLabel.with.a.dot': 'baz'
+                    'value': 'bar'
                 }
             }
         }

scripts/enterprise-value-converter/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py

@@ -133,15 +133,13 @@ def test_anchoreEnterpriseEngineUpgradeJob_tolerations_value(self):
     def test_anchoreEnterpriseEngineUpgradeJob_affinity_value(self):
         dot_string_dict = {
             "anchoreEnterpriseEngineUpgradeJob.affinity.name": "foo",
-            "anchoreEnterpriseEngineUpgradeJob.affinity.value": "bar",
-            "anchoreEnterpriseEngineUpgradeJob.affinity.anotherLabel.with.a.dot": "baz"
+            "anchoreEnterpriseEngineUpgradeJob.affinity.value": "bar"
         }
         expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
             'upgradeJob': {
                 'affinity':{
                     'name': 'foo',
-                    'value': 'bar',
-                    'anotherLabel.with.a.dot': 'baz'
+                    'value': 'bar'
                 }
             }
         }

scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py

@@ -144,16 +144,14 @@ def test_anchoreEnterpriseFeedsUpgradeJob_tolerations_value(self):
     def test_anchoreEnterpriseFeedsUpgradeJob_affinity_value(self):
         dot_string_dict = {
             "anchoreEnterpriseFeedsUpgradeJob.affinity.name": "foo",
-            "anchoreEnterpriseFeedsUpgradeJob.affinity.value": "bar",
-            "anchoreEnterpriseFeedsUpgradeJob.affinity.anotherLabel.with.a.dot": "baz"
+            "anchoreEnterpriseFeedsUpgradeJob.affinity.value": "bar"
         }
         expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
             'feeds': {
                 'feedsUpgradeJob': {
                     'affinity':{
                         'name': 'foo',
-                        'value': 'bar',
-                        'anotherLabel.with.a.dot': 'baz'
+                        'value': 'bar'
                     }
                 }
             }

scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeeds_value_mapping.py

@@ -165,15 +165,13 @@ def test_anchoreEnterpriseFeeds_tolerations_value(self):
     def test_anchoreEnterpriseFeeds_affinity_value(self):
         dot_string_dict = {
             "anchoreEnterpriseFeeds.affinity.name": "foo",
-            "anchoreEnterpriseFeeds.affinity.value": "bar",
-            "anchoreEnterpriseFeeds.affinity.anotherLabel.with.a.dot": "baz"
+            "anchoreEnterpriseFeeds.affinity.value": "bar"
         }
         expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
             'feeds': {
                 'affinity':{
                     'name': 'foo',
-                    'value': 'bar',
-                    'anotherLabel.with.a.dot': 'baz'
+                    'value': 'bar'
                 }
             }
         }

scripts/enterprise-value-converter/tests/test_anchoreEnterpriseNotifications_value_mapping.py

@@ -161,15 +161,13 @@ def test_anchoreEnterpriseNotifications_tolerations_value(self):
     def test_anchoreEnterpriseNotifications_affinity_value(self):
         dot_string_dict = {
             "anchoreEnterpriseNotifications.affinity.name": "foo",
-            "anchoreEnterpriseNotifications.affinity.value": "bar",
-            "anchoreEnterpriseNotifications.affinity.anotherLabel.with.a.dot": "baz"
+            "anchoreEnterpriseNotifications.affinity.value": "bar"
         }
         expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
             'notifications': {
                 'affinity':{
                     'name': 'foo',
-                    'value': 'bar',
-                    'anotherLabel.with.a.dot': 'baz'
+                    'value': 'bar'
                 }
             }
         }

scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py

@@ -153,15 +153,13 @@ def test_anchoreEnterpriseRbac_tolerations_value(self):
     def test_anchoreEnterpriseRbac_affinity_value(self):
         dot_string_dict = {
             "anchoreEnterpriseRbac.affinity.name": "foo",
-            "anchoreEnterpriseRbac.affinity.value": "bar",
-            "anchoreEnterpriseRbac.affinity.anotherLabel.with.a.dot": "baz"
+            "anchoreEnterpriseRbac.affinity.value": "bar"
         }
         expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
             'rbacManager': {
                 'affinity':{
                     'name': 'foo',
-                    'value': 'bar',
-                    'anotherLabel.with.a.dot': 'baz'
+                    'value': 'bar'
                 }
             }
         }

scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py

@@ -161,15 +161,13 @@ def test_anchoreEnterpriseReports_tolerations_value(self):
     def test_anchoreEnterpriseReports_affinity_value(self):
         dot_string_dict = {
             "anchoreEnterpriseReports.affinity.name": "foo",
-            "anchoreEnterpriseReports.affinity.value": "bar",
-            "anchoreEnterpriseReports.affinity.anotherLabel.with.a.dot": "baz"
+            "anchoreEnterpriseReports.affinity.value": "bar"
         }
         expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
             'reports': {
                 'affinity':{
                     'name': 'foo',
-                    'value': 'bar',
-                    'anotherLabel.with.a.dot': 'baz'
+                    'value': 'bar'
                 }
             }
         }

scripts/enterprise-value-converter/tests/test_anchoreEnterpriseUi_value_mapping.py

@@ -176,14 +176,12 @@ def test_anchoreEnterpriseUi_affinity_value(self):
         dot_string_dict = {
             "anchoreEnterpriseUi.affinity.name": "foo",
             "anchoreEnterpriseUi.affinity.value": "bar",
-            "anchoreEnterpriseUi.affinity.anotherLabel.with.a.dot": "baz"
         }
         expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
             'ui': {
                 'affinity':{
                     'name': 'foo',
                     'value': 'bar',
-                    'anotherLabel.with.a.dot': 'baz'
                 }
             }
         }

scripts/enterprise-value-converter/tests/test_anchorePolicyEngine_value_mapping.py

@@ -144,15 +144,13 @@ def test_anchorePolicyEngine_tolerations_value(self):
 
     def test_anchorePolicyEngine_affinity_value(self):
         dot_string_dict = {
-            "anchorePolicyEngine.affinity.name": "foo",
-            "anchorePolicyEngine.affinity.with.a.dot.name": "bar"
+            "anchorePolicyEngine.affinity.name": "foo"
         }
         expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
             'policyEngine': {
                 'affinity':
                     {
-                        'name': 'foo',
-                        'with.a.dot.name': 'bar'
+                        'name': 'foo'
                     }
             }
         }

scripts/enterprise-value-converter/tests/test_anchoreSimpleQueue_value_mapping.py

@@ -154,14 +154,12 @@ def test_anchoreSimpleQueue_affinity_value(self):
         dot_string_dict = {
             "anchoreSimpleQueue.affinity.name": "foo",
             "anchoreSimpleQueue.affinity.value": "bar",
-            "anchoreSimpleQueue.affinity.anotherLabel.with.a.dot": "baz"
         }
         expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}},
             'simpleQueue': {
                 'affinity':{
                     'name': 'foo',
                     'value': 'bar',
-                    'anotherLabel.with.a.dot': 'baz'
                 }
             }
         }

stable/anchore-admission-controller/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: anchore-admission-controller
-version: 0.4.7
-appVersion: 0.4.0
+version: 0.5.0
+appVersion: 0.5.0
 description: A kubernetes admission controller for validating and mutating webhooks that operates against Anchore Engine to make access decisions and annotations
 home: https://github.com/anchore/kubernetes-admission-controller
 maintainers:

stable/anchore-admission-controller/ci/fake-values.yaml

@@ -4,3 +4,4 @@ credentials:
     password: password1
   - username: user2
     password: password2
+anchoreEndpoint: http://engine-anchore-engine-api:8228

stable/anchore-admission-controller/values.yaml

@@ -5,7 +5,7 @@ fullnameOverride: Null
 replicaCount: 1
 logVerbosity: 3
 
-image: "anchore/kubernetes-admission-controller:v0.4.0"
+image: "anchore/kubernetes-admission-controller:v0.5.0"
 imagePullPolicy: IfNotPresent
 # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
 imagePullSecrets: []

stable/enterprise/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: enterprise
-version: "0.2.1"
+version: "0.2.2"
 appVersion: "4.9.3"
 kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x
 description: |

stable/enterprise/README.md

@@ -883,7 +883,8 @@ rbacManager:
 | `anchoreConfig.catalog.event_log`                                          | Event log for webhooks, YAML configuration                                                                                       | `{}`               |
 | `anchoreConfig.catalog.analysis_archive`                                   | Custom analysis archive YAML configuration                                                                                       | `{}`               |
 | `anchoreConfig.catalog.object_store`                                       | Custom object storage YAML configuration                                                                                         | `{}`               |
-| `anchoreConfig.catalog.runtime_inventory.image_ttl_days`                   | TTL for images in the inventory report working set                                                                               | `1`                |
+| `anchoreConfig.catalog.runtime_inventory.image_ttl_days`                   | TTL for images in the inventory report working set                                                                               | `120`              |
+| `anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite`           | disables the image_ttl cycle timer.                                                                                              | `false`            |
 | `anchoreConfig.catalog.down_analyzer_task_requeue`                         | Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state                      | `true`             |
 | `anchoreConfig.policy_engine.cycle_timers.feed_sync`                       | Interval to run a feed sync to get latest cve data                                                                               | `14400`            |
 | `anchoreConfig.policy_engine.cycle_timers.feed_sync_checker`               | Interval between checks to see if there needs to be a task queued                                                                | `3600`             |

stable/enterprise/templates/envvars_configmap.yaml

@@ -50,15 +50,19 @@ data:
   ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER: "true"
   ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER: "true"
   ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE: "true"
-  ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_TTL_DAYS: "120"
-  ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_INGEST_OVERWRITE: "false"
-  {{- with .Values.anchoreConfig.notifications.ui_url }}
+{{- if eq (toString .Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days) "-1" }}
+  {{- fail "The Value `-1` is no longer valid for `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days`. Please use `.Values.anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite=true` to force runtime inventory to be overwritten upon every update. `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days` must be set to a value >1." -}}
+{{- else }}
+  ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_TTL_DAYS: "{{ .Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days }}"
+  ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_INGEST_OVERWRITE: "{{ .Values.anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite }}"
+{{- end }}
+{{- with .Values.anchoreConfig.notifications.ui_url }}
   ANCHORE_ENTERPRISE_UI_URL: "{{ . }}"
-  {{- else }}
+{{- else }}
   ANCHORE_ENTERPRISE_UI_URL: {{ include "enterprise.ui.fullname" . | quote }}
-  {{- end }}
-  ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED: "false"
-  ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: "false"
+{{- end }}
+  ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED: {{ dig "anchoreConfig" "feeds" "drivers" "github" "enabled" "false" .Values.feeds | quote }}
+  ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: {{ dig "anchoreConfig" "feeds" "drivers" "msrc" "enabled" "false" .Values.feeds | quote }}
   ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED: "true"
   ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED: "false"
   ANCHORE_FEEDS_SSL_VERIFY: "{{ .Values.anchoreConfig.internalServicesSSL.verifyCerts }}"

stable/enterprise/templates/ingress.yaml

@@ -15,7 +15,7 @@ metadata:
   labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }}
   annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }}
 spec:
-{{- if .Values.ingress.ingressClassName }}
+{{- if and .Values.ingress.ingressClassName (not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class")) }}
   ingressClassName: {{ .Values.ingress.ingressClassName }}
 {{- end }}
 {{- if .Values.ingress.tls }}