From db86ab88f7954929b85c62f0ba621efaa84633b5 Mon Sep 17 00:00:00 2001 From: Brady Todhunter Date: Fri, 13 Oct 2023 17:05:17 -0400 Subject: [PATCH 1/8] check for runtime_inventory.image_ttl_days = -1 (#146) * fail when user sets runtime_inventory.image_ttl_days=-1 and prompt them to use runtime_inventory.image_ingest_overwrite * update test snapshots --------- Signed-off-by: Brady Todhunter --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/files/default_config.yaml | 1 - stable/enterprise/templates/envvars_configmap.yaml | 14 +++++++++----- .../tests/__snapshot__/configmap_test.yaml.snap | 1 - stable/enterprise/values.yaml | 8 ++++++-- 5 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml
index 4cb93c9a..1b65d43a 100644
--- a/stable/enterprise/Chart.yaml
+++ b/stable/enterprise/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: enterprise
-version: "0.2.1"
+version: "0.2.2"
 appVersion: "4.9.3"
 kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x
 description: |
diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml
index 9802d981..1d12c9c5 100644
--- a/stable/enterprise/files/default_config.yaml
+++ b/stable/enterprise/files/default_config.yaml
@@ -16,7 +16,6 @@ auto_restart_services: false
 max_source_import_size_mb: ${ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB}
 max_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB}
- max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB}
 metrics:
diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml
index 482d2bc4..552bd050 100644
--- a/stable/enterprise/templates/envvars_configmap.yaml
+++ b/stable/enterprise/templates/envvars_configmap.yaml
@@ -50,13 +50,17 @@ data:
 ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER: "true"
 ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER: "true"
 ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE: "true"
- ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_TTL_DAYS: "120"
- ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_INGEST_OVERWRITE: "false"
- {{- with .Values.anchoreConfig.notifications.ui_url }}
+{{- if eq (toString .Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days) "-1" }}
+ {{- fail "The Value `-1` is no longer valid for `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days`. Please use `.Values.anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite=true` to force runtime inventory to be overwritten upon every update. `.Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days` must be set to a value >1." -}}
+{{- else }}
+ ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_TTL_DAYS: "{{ .Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days }}"
+ ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_INGEST_OVERWRITE: "{{ .Values.anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite }}"
+{{- end }}
+{{- with .Values.anchoreConfig.notifications.ui_url }}
 ANCHORE_ENTERPRISE_UI_URL: "{{ . }}"
- {{- else }}
+{{- else }}
 ANCHORE_ENTERPRISE_UI_URL: {{ include "enterprise.ui.fullname" . | quote }}
- {{- end }}
+{{- end }}
 ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED: "false"
 ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: "false"
 ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED: "true"
diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
index a3e55ee1..5959ea0f 100644
--- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
+++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
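Review bot: The guard on the added `{{- if eq (toString ...image_ttl_days) "-1" }}` line rejects only the literal `-1`; `0`, `-2` or any other non-positive value still passes and is rendered into ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_IMAGE_TTL_DAYS unvalidated, and the message's "must be set to a value >1" contradicts the value `1` this chart shipped as its default until this commit. A range check states the intent directly: `{{- if lt (int .Values.anchoreConfig.catalog.runtime_inventory.image_ttl_days) 1 }}` with the message ending "must be a positive integer"; if `-1` was the application's old disable sentinel, as the message implies, that case is still caught. The `{{- with .Values.anchoreConfig.notifications.ui_url }}` block is only re-indented, which is harmless because `{{-` trims the surrounding whitespace.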
@@ -62,7 +62,6 @@ should render the configmaps: max_source_import_size_mb: ${ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB} max_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB} - max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB} metrics:
diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml
index e07c9e14..ad8f4116 100644
--- a/stable/enterprise/values.yaml
+++ b/stable/enterprise/values.yaml
@@ -477,11 +477,15 @@ anchoreConfig:
 name: db
 config: {}
- ## @param anchoreConfig.catalog.runtime_inventory.image_ttl_days TTL for images in the inventory report working set
+ ## anchoreConfig.catalog.runtime_inventory.image_ttl_days TTL for images in the inventory report working set
+ ## @param anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite disables the image_ttl cycle timer.
+ ## When `image_ingest_overwrite=true` upon ingestion of inventory, removes anything previously reported by the namespace and only keep the latest inventory posted.
+ ## This new config value is used instead of setting `image_ttl_days=-1`
 ## ref: https://docs.anchore.com/current/docs/configuration/runtime_inventory/
 ##
 runtime_inventory:
- image_ttl_days: 1
+ image_ttl_days: 120
+ image_ingest_overwrite: false
 ## @param anchoreConfig.catalog.down_analyzer_task_requeue Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state
 ##
From de67afbb74178d7546320e2e43f8f0549eee1948 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Mon, 16 Oct 2023 17:17:18 -0400 Subject: [PATCH 2/8] removing analyzer concurrentTasksPerWorker (#147) Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 4 ++-- stable/enterprise/files/default_config.yaml | 1 - stable/enterprise/templates/envvars_configmap.yaml | 1 - .../tests/__snapshot__/configmap_test.yaml.snap | 2 -- stable/enterprise/values.yaml | 8 +------- 6 files changed, 4 insertions(+), 14 deletions(-)
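Review bot: The `## @param` marker is dropped from the image_ttl_days comment line while image_ingest_overwrite gets one, so if the README parameter table is generated from these `@param` lines (the README rows elsewhere in this series have exactly that shape) the image_ttl_days row disappears on the next regeneration; keep `## @param anchoreConfig.catalog.runtime_inventory.image_ttl_days TTL for images in the inventory report working set`. The new default of 120 equals the value the template hard-coded before this commit, so rendered output is unchanged, but a reader of values.yaml only sees `1` becoming `120` and deserves one sentence saying so. The image_ingest_overwrite comment should also state what happens to image_ttl_days when it is `true` (presumably ignored, given "disables the image_ttl cycle timer"), so operators do not set both expecting both to apply.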
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml
index 1b65d43a..cde093c7 100644
--- a/stable/enterprise/Chart.yaml
+++ b/stable/enterprise/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: enterprise
-version: "0.2.2"
+version: "0.2.3"
 appVersion: "4.9.3"
 kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x
 description: |
diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md
index e9fffea7..3ed70b32 100644
--- a/stable/enterprise/README.md
+++ b/stable/enterprise/README.md
@@ -863,7 +863,6 @@ rbacManager:
 | `anchoreConfig.apiext.external.hostname` | Hostname for the external Anchore API | `""` |
 | `anchoreConfig.apiext.external.port` | Port configured for external Anchore API | `8443` |
 | `anchoreConfig.analyzer.cycle_timers.image_analyzer` | The interval between checks of the work queue for new analysis jobs | `1` |
-| `anchoreConfig.analyzer.max_threads` | The concurrency of the Anchore Analyzer worker process | `1` |
 | `anchoreConfig.analyzer.layer_cache_max_gigabytes` | Specify a cache size > 0GB to enable image layer caching | `0` |
 | `anchoreConfig.analyzer.enable_hints` | Enable a user-supplied 'hints' file to override and/or augment the software artifacts found during analysis | `false` |
 | `anchoreConfig.analyzer.configFile` | Custom Anchore Analyzer configuration file contents in YAML | `{}` |
@@ -883,7 +882,8 @@ rbacManager:
 | `anchoreConfig.catalog.event_log` | Event log for webhooks, YAML configuration | `{}` |
 | `anchoreConfig.catalog.analysis_archive` | Custom analysis archive YAML configuration | `{}` |
 | `anchoreConfig.catalog.object_store` | Custom object storage YAML configuration | `{}` |
-| `anchoreConfig.catalog.runtime_inventory.image_ttl_days` | TTL for images in the inventory report working set | `1` |
+| `anchoreConfig.catalog.runtime_inventory.image_ttl_days` | TTL for images in the inventory report working set | `120` |
+| `anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite` | disables the image_ttl cycle timer. | `false` |
 | `anchoreConfig.catalog.down_analyzer_task_requeue` | Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state | `true` |
 | `anchoreConfig.policy_engine.cycle_timers.feed_sync` | Interval to run a feed sync to get latest cve data | `14400` |
 | `anchoreConfig.policy_engine.cycle_timers.feed_sync_checker` | Interval between checks to see if there needs to be a task queued | `3600` |
diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml
index 1d12c9c5..c5256723 100644
--- a/stable/enterprise/files/default_config.yaml
+++ b/stable/enterprise/files/default_config.yaml
@@ -89,7 +89,6 @@ services:
 max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}
 cycle_timer_seconds: 1
 cycle_timers: {{- toYaml .Values.anchoreConfig.analyzer.cycle_timers | nindent 6 }}
- max_threads: ${ANCHORE_ANALYZER_MAX_THREADS}
 analyzer_driver: 'nodocker'
 layer_cache_enable: ${ANCHORE_LAYER_CACHE_ENABLED}
 layer_cache_max_gigabytes: ${ANCHORE_LAYER_CACHE_SIZE_GB}
diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml
index 552bd050..b415de66 100644
--- a/stable/enterprise/templates/envvars_configmap.yaml
+++ b/stable/enterprise/templates/envvars_configmap.yaml
@@ -10,7 +10,6 @@ data:
 ANCHORE_ADMIN_EMAIL: "{{ .Values.anchoreConfig.default_admin_email }}"
 ANCHORE_ALLOW_ECR_IAM_AUTO: "{{ .Values.anchoreConfig.allow_awsecr_iam_auto }}"
 ANCHORE_ANALYZER_TASK_REQUEUE: "true"
- ANCHORE_ANALYZER_MAX_THREADS: "{{ .Values.anchoreConfig.analyzer.max_threads }}"
 ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "{{ .Values.anchoreConfig.user_authentication.hashed_passwords }}"
 {{- with .Values.anchoreConfig.keys.publicKeyFileName }}
 ANCHORE_AUTH_PRIVKEY: "/home/anchore/certs/{{- . }}"
diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
index 5959ea0f..a55064d9 100644
--- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
+++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap
@@ -125,7 +125,6 @@ should render the configmaps: cycle_timer_seconds: 1 cycle_timers: image_analyzer: 1 - max_threads: ${ANCHORE_ANALYZER_MAX_THREADS} analyzer_driver: 'nodocker' layer_cache_enable: ${ANCHORE_LAYER_CACHE_ENABLED} layer_cache_max_gigabytes: ${ANCHORE_LAYER_CACHE_SIZE_GB}
@@ -342,7 +341,6 @@ should render the configmaps: data: ANCHORE_ADMIN_EMAIL: admin@myanchore ANCHORE_ALLOW_ECR_IAM_AUTO: "true" - ANCHORE_ANALYZER_MAX_THREADS: "1" ANCHORE_ANALYZER_TASK_REQUEUE: "true" ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "true" ANCHORE_AUTH_PRIVKEY: "null"
diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml
index ad8f4116..ae188f2b 100644
--- a/stable/enterprise/values.yaml
+++ b/stable/enterprise/values.yaml
@@ -354,12 +354,6 @@ anchoreConfig:
 cycle_timers:
 image_analyzer: 1
- ## @param anchoreConfig.analyzer.max_threads The concurrency of the Anchore Analyzer worker process
- ## Can be configured to process more than one task at a time. This is IO bound so may not necessarily be faster depending on hardware.
- ## Operators should test and balance this value vs. number of Anchore Analyzer replicas deployed.
- ##
- max_threads: 1
-
 ## @param anchoreConfig.analyzer.layer_cache_max_gigabytes Specify a cache size > 0GB to enable image layer caching
 ## This chart sets up a scratch directory for all Anchore Analyzer pods using the values found at .Values.scratchVolume
 ## When setting .Values.anchoreConfig.analyzer.layer_cache_max_gigabytes, ensure the scratch volume has sufficient storage space
@@ -477,7 +471,7 @@ anchoreConfig:
 name: db
 config: {}
- ## anchoreConfig.catalog.runtime_inventory.image_ttl_days TTL for images in the inventory report working set
+ ## @param anchoreConfig.catalog.runtime_inventory.image_ttl_days TTL for images in the inventory report working set
 ## @param anchoreConfig.catalog.runtime_inventory.image_ingest_overwrite disables the image_ttl cycle timer.
 ## When `image_ingest_overwrite=true` upon ingestion of inventory, removes anything previously reported by the namespace and only keep the latest inventory posted.
 ## This new config value is used instead of setting `image_ttl_days=-1`
From 128f114927b8d155bd55384197033a7dffe8ac1e Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 20 Oct 2023 14:24:32 -0400 Subject: [PATCH 3/8] only add ingress classname if annotation is not set (#150) * only add ingress classname if annotation is not set * bump chart version Signed-off-by: Hung Nguyen ---------
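Review bot: The restored `## @param ...image_ttl_days` line still describes the TTL without stating its relationship to `image_ingest_overwrite`, whose comment on the next line says it "disables the image_ttl cycle timer"; if that is accurate, say so where the TTL is documented, e.g. `## @param anchoreConfig.catalog.runtime_inventory.image_ttl_days TTL for images in the inventory report working set (not applied when image_ingest_overwrite is true)`. "disables the image_ttl cycle timer" also describes an internal mechanism rather than the operator-visible effect; leading with "keeps only the latest inventory posted per namespace" would read better in the generated README row. Both hunks sit inside the `anchoreConfig:` map, which begins outside this diff.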
Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/templates/ingress.yaml | 2 +- .../tests/ingress_resources_test.yaml | 30 +++++++++++++++++++ 3 files changed, 32 insertions(+), 2 deletions(-) create mode 100644 stable/enterprise/tests/ingress_resources_test.yaml
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml
index cde093c7..ea89119b 100644
--- a/stable/enterprise/Chart.yaml
+++ b/stable/enterprise/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: enterprise
-version: "0.2.3"
+version: "0.2.4"
 appVersion: "4.9.3"
 kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x
 description: |
diff --git a/stable/enterprise/templates/ingress.yaml b/stable/enterprise/templates/ingress.yaml
index ed71ad72..ab157683 100644
--- a/stable/enterprise/templates/ingress.yaml
+++ b/stable/enterprise/templates/ingress.yaml
@@ -15,7 +15,7 @@ metadata:
 labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 4 }}
 annotations: {{- include "enterprise.common.annotations" (merge (dict "component" $component) .) | nindent 4 }}
 spec:
-{{- if .Values.ingress.ingressClassName }}
+{{- if and .Values.ingress.ingressClassName (not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class")) }}
 ingressClassName: {{ .Values.ingress.ingressClassName }}
 {{- end }}
 {{- if .Values.ingress.tls }}
diff --git a/stable/enterprise/tests/ingress_resources_test.yaml b/stable/enterprise/tests/ingress_resources_test.yaml
new file mode 100644
index 00000000..11e157f2
--- /dev/null
+++ b/stable/enterprise/tests/ingress_resources_test.yaml
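Review bot: The new `hasKey` guard only inspects `.Values.ingress.annotations`, while the `annotations:` line two lines above is rendered by the `enterprise.common.annotations` helper, so if that helper can merge `kubernetes.io/ingress.class` in from another values key (global or per-component annotations; the helper is not visible here) the annotation and `spec.ingressClassName` would still both be emitted after this change. The condition also silently discards a user-supplied `ingress.ingressClassName`, which is surprising for a values key, so the reason belongs in a template comment above the `if`: `{{- /* kubernetes.io/ingress.class is the deprecated form of ingressClassName; emit only one so the controller sees a single class */ -}}`. A `fail` when both are set would be the stricter alternative; whichever is chosen, values.yaml should document the precedence.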
@@ -0,0 +1,30 @@
+suite: Ingress Resources Tests
+templates:
+ - ingress.yaml
+release:
+ name: test-release
+ namespace: test-namespace
+chart:
+ version: 9.9.9
+ appVersion: 9.9.9
+
+tests:
+ - it: should render classname if annotation is not set
+ set:
+ ingress.enabled: true
+ template: ingress.yaml
+ asserts:
+ - equal:
+ path: spec.ingressClassName
+ value: nginx
+
+ - it: should not render classname if annotation is set
+ set:
+ ingress.enabled: true
+ ingress:
+ annotations:
+ "kubernetes.io/ingress.class": "nginx"
+ template: ingress.yaml
+ asserts:
+ - notExists:
+ path: spec.ingressClassName
From 7301e8b9cde2092bf36a0870b4369da9f882e5c4 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Fri, 20 Oct 2023 17:55:44 -0400 Subject: [PATCH 4/8] remove affinity from key with a dot check (#149) Signed-off-by: Hung Nguyen --- scripts/enterprise-value-converter/helpers.py | 17 +++++++++-------- .../tests/test_anchoreCatalog_value_mapping.py | 6 ++---- ...eEnterpriseEngineUpgradeJob_value_mapping.py | 6 ++---- ...reEnterpriseFeedsUpgradeJob_value_mapping.py | 6 ++---- ...test_anchoreEnterpriseFeeds_value_mapping.py | 6 ++---- ...horeEnterpriseNotifications_value_mapping.py | 6 ++---- .../test_anchoreEnterpriseRbac_value_mapping.py | 6 ++---- ...st_anchoreEnterpriseReports_value_mapping.py | 6 ++---- .../test_anchoreEnterpriseUi_value_mapping.py | 2 -- .../test_anchorePolicyEngine_value_mapping.py | 6 ++---- .../test_anchoreSimpleQueue_value_mapping.py | 2 -- 11 files changed, 25 insertions(+), 44 deletions(-)
diff --git a/scripts/enterprise-value-converter/helpers.py b/scripts/enterprise-value-converter/helpers.py
index 5acd1e9b..3175cb72 100644
--- a/scripts/enterprise-value-converter/helpers.py
+++ b/scripts/enterprise-value-converter/helpers.py
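Review bot: The first case asserts `spec.ingressClassName` equals `nginx` without setting `ingress.ingressClassName`, so it depends on the chart default in values.yaml (not shown here) and will fail or pass for the wrong reason if that default changes; add `ingress.ingressClassName: nginx` under `set:` in both cases so each test states its own inputs. A third case with `ingress.ingressClassName: ""` and no annotation, asserting `notExists` on `spec.ingressClassName`, would cover the other operand of the new `and`. The `chart:` block's versions are not used by any assertion and could be dropped to keep the suite minimal.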
@@ -131,21 +131,22 @@ def replace_keys_with_mappings(dot_string_dict, results_dir):
 write_to_file(f"{dotstring_key}: no longer used\n", os.path.join(logs_dir, log_file_name), "a")
 continue
- # serviceName.annotations
- if len(keys) > 1 and keys[1] in ['annotations', 'labels', 'nodeSelector', 'affinity', 'deploymentAnnotations']:
- if val != {}:
- val = {
- '.'.join(keys[2:]): val
- }
- keys = keys[:2]
 # serviceName.service.annotations
- elif len(keys) > 2 and keys[2] in ['annotations', 'labels']:
+ if len(keys) > 2 and keys[2] in ['annotations', 'labels']:
 if val != {}:
 val = {
 '.'.join(keys[3:]): val
 }
 keys = keys[:3]
+ # serviceName.annotations
+ elif len(keys) > 1 and keys[1] in ['annotations', 'labels', 'nodeSelector', 'deploymentAnnotations']:
+ if val != {}:
+ val = {
+ '.'.join(keys[2:]): val
+ }
+ keys = keys[:2]
+
 update_result = False
 errored = True
diff --git a/scripts/enterprise-value-converter/tests/test_anchoreCatalog_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreCatalog_value_mapping.py
index a04a571b..a295b8b5 100644
--- a/scripts/enterprise-value-converter/tests/test_anchoreCatalog_value_mapping.py
+++ b/scripts/enterprise-value-converter/tests/test_anchoreCatalog_value_mapping.py
@@ -217,15 +217,13 @@ def test_anchoreCatalog_tolerations_value(self): def test_anchoreCatalog_affinity_value(self): dot_string_dict = { "anchoreCatalog.affinity.name": "foo", - "anchoreCatalog.affinity.value": "bar", - "anchoreCatalog.affinity.anotherLabel.with.a.dot": "baz" + "anchoreCatalog.affinity.value": "bar" } expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'catalog': { 'affinity':{ 'name': 'foo', - 'value': 'bar', - 'anotherLabel.with.a.dot': 'baz' + 'value': 'bar' } } }
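Review bot: The rewritten `if`/`elif` carries two near-duplicate list literals (`['annotations', 'labels']` and `['annotations', 'labels', 'nodeSelector', 'deploymentAnnotations']`) and nothing in the code records why `affinity` left the second one, which is the whole point of this commit; hoisting them to module constants such as `SERVICE_DOTTED_KEY_FIELDS = ['annotations', 'labels']` and `TOP_LEVEL_DOTTED_KEY_FIELDS = ['annotations', 'labels', 'nodeSelector', 'deploymentAnnotations']` with a comment like `# affinity is a nested structured map, so its dotted path must be expanded rather than kept as one key` would make the intent greppable. Swapping the branch order also changes which rule wins for a key such as `svc.annotations.labels.x` (now the `keys[2]` branch), which is presumably unreachable in real values but deserves a one-line note. `replace_keys_with_mappings` begins outside this hunk.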
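Review bot: The dotted-affinity input is deleted from `test_anchoreCatalog_affinity_value` instead of being kept with its new expected shape, so the behaviour this commit introduces (affinity keys containing dots now take the generic nesting path) has no positive assertion; keep an input such as `"anchoreCatalog.affinity.nodeAffinity.required": "baz"` and assert the nested dict the converter now produces, assuming the remaining code splits on the dots as the commit message implies. The other test files in this patch drop the same case, so one such assertion in this file would be enough.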
diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py index cd71e864..80a0fb01 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseEngineUpgradeJob_value_mapping.py @@ -133,15 +133,13 @@ def test_anchoreEnterpriseEngineUpgradeJob_tolerations_value(self): def test_anchoreEnterpriseEngineUpgradeJob_affinity_value(self): dot_string_dict = { "anchoreEnterpriseEngineUpgradeJob.affinity.name": "foo", - "anchoreEnterpriseEngineUpgradeJob.affinity.value": "bar", - "anchoreEnterpriseEngineUpgradeJob.affinity.anotherLabel.with.a.dot": "baz" + "anchoreEnterpriseEngineUpgradeJob.affinity.value": "bar" } expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'upgradeJob': { 'affinity':{ 'name': 'foo', - 'value': 'bar', - 'anotherLabel.with.a.dot': 'baz' + 'value': 'bar' } } } diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py index 988f1fef..14c830f8 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeedsUpgradeJob_value_mapping.py 
@@ -144,16 +144,14 @@ def test_anchoreEnterpriseFeedsUpgradeJob_tolerations_value(self): def test_anchoreEnterpriseFeedsUpgradeJob_affinity_value(self): dot_string_dict = { "anchoreEnterpriseFeedsUpgradeJob.affinity.name": "foo", - "anchoreEnterpriseFeedsUpgradeJob.affinity.value": "bar", - "anchoreEnterpriseFeedsUpgradeJob.affinity.anotherLabel.with.a.dot": "baz" + "anchoreEnterpriseFeedsUpgradeJob.affinity.value": "bar" } expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'feedsUpgradeJob': { 'affinity':{ 'name': 'foo', - 'value': 'bar', - 'anotherLabel.with.a.dot': 'baz' + 'value': 'bar' } } } diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeeds_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeeds_value_mapping.py index d622f560..32268e45 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeeds_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseFeeds_value_mapping.py @@ -165,15 +165,13 @@ def test_anchoreEnterpriseFeeds_tolerations_value(self): def test_anchoreEnterpriseFeeds_affinity_value(self): dot_string_dict = { "anchoreEnterpriseFeeds.affinity.name": "foo", - "anchoreEnterpriseFeeds.affinity.value": "bar", - "anchoreEnterpriseFeeds.affinity.anotherLabel.with.a.dot": "baz" + "anchoreEnterpriseFeeds.affinity.value": "bar" } expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'feeds': { 'affinity':{ 'name': 'foo', - 'value': 'bar', - 'anotherLabel.with.a.dot': 'baz' + 'value': 'bar' } } } diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseNotifications_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseNotifications_value_mapping.py index 29a7bfcb..a4abbbe8 100644 
--- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseNotifications_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseNotifications_value_mapping.py @@ -161,15 +161,13 @@ def test_anchoreEnterpriseNotifications_tolerations_value(self): def test_anchoreEnterpriseNotifications_affinity_value(self): dot_string_dict = { "anchoreEnterpriseNotifications.affinity.name": "foo", - "anchoreEnterpriseNotifications.affinity.value": "bar", - "anchoreEnterpriseNotifications.affinity.anotherLabel.with.a.dot": "baz" + "anchoreEnterpriseNotifications.affinity.value": "bar" } expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'notifications': { 'affinity':{ 'name': 'foo', - 'value': 'bar', - 'anotherLabel.with.a.dot': 'baz' + 'value': 'bar' } } } diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py index 1b8c6ec4..308d545c 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseRbac_value_mapping.py @@ -153,15 +153,13 @@ def test_anchoreEnterpriseRbac_tolerations_value(self): def test_anchoreEnterpriseRbac_affinity_value(self): dot_string_dict = { "anchoreEnterpriseRbac.affinity.name": "foo", - "anchoreEnterpriseRbac.affinity.value": "bar", - "anchoreEnterpriseRbac.affinity.anotherLabel.with.a.dot": "baz" + "anchoreEnterpriseRbac.affinity.value": "bar" } expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'rbacManager': { 'affinity':{ 'name': 'foo', - 'value': 'bar', - 'anotherLabel.with.a.dot': 'baz' + 'value': 'bar' } } } 
diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py index 20fad903..789ccd31 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseReports_value_mapping.py @@ -161,15 +161,13 @@ def test_anchoreEnterpriseReports_tolerations_value(self): def test_anchoreEnterpriseReports_affinity_value(self): dot_string_dict = { "anchoreEnterpriseReports.affinity.name": "foo", - "anchoreEnterpriseReports.affinity.value": "bar", - "anchoreEnterpriseReports.affinity.anotherLabel.with.a.dot": "baz" + "anchoreEnterpriseReports.affinity.value": "bar" } expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'reports': { 'affinity':{ 'name': 'foo', - 'value': 'bar', - 'anotherLabel.with.a.dot': 'baz' + 'value': 'bar' } } } diff --git a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseUi_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseUi_value_mapping.py index 2ef88db1..57e67e72 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseUi_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreEnterpriseUi_value_mapping.py @@ -176,14 +176,12 @@ def test_anchoreEnterpriseUi_affinity_value(self): dot_string_dict = { "anchoreEnterpriseUi.affinity.name": "foo", "anchoreEnterpriseUi.affinity.value": "bar", - "anchoreEnterpriseUi.affinity.anotherLabel.with.a.dot": "baz" } expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'ui': { 'affinity':{ 'name': 'foo', 'value': 'bar', - 'anotherLabel.with.a.dot': 'baz' } } } 
diff --git a/scripts/enterprise-value-converter/tests/test_anchorePolicyEngine_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchorePolicyEngine_value_mapping.py index 17e3332f..00e1a821 100644 --- a/scripts/enterprise-value-converter/tests/test_anchorePolicyEngine_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchorePolicyEngine_value_mapping.py @@ -144,15 +144,13 @@ def test_anchorePolicyEngine_tolerations_value(self): def test_anchorePolicyEngine_affinity_value(self): dot_string_dict = { - "anchorePolicyEngine.affinity.name": "foo", - "anchorePolicyEngine.affinity.with.a.dot.name": "bar" + "anchorePolicyEngine.affinity.name": "foo" } expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'policyEngine': { 'affinity': { - 'name': 'foo', - 'with.a.dot.name': 'bar' + 'name': 'foo' } } } diff --git a/scripts/enterprise-value-converter/tests/test_anchoreSimpleQueue_value_mapping.py b/scripts/enterprise-value-converter/tests/test_anchoreSimpleQueue_value_mapping.py index 74e6bc95..69551464 100644 --- a/scripts/enterprise-value-converter/tests/test_anchoreSimpleQueue_value_mapping.py +++ b/scripts/enterprise-value-converter/tests/test_anchoreSimpleQueue_value_mapping.py @@ -154,14 +154,12 @@ def test_anchoreSimpleQueue_affinity_value(self): dot_string_dict = { "anchoreSimpleQueue.affinity.name": "foo", "anchoreSimpleQueue.affinity.value": "bar", - "anchoreSimpleQueue.affinity.anotherLabel.with.a.dot": "baz" } expected_result = { 'postgresql': {'auth': {'username': 'anchoreengine'}}, 'anchoreConfig': {'user_authentication': {'hashed_passwords': False}}, 'simpleQueue': { 'affinity':{ 'name': 'foo', 'value': 'bar', - 'anotherLabel.with.a.dot': 'baz' } } } From 9a97fcf15b11f4973457cf3f82aa45c1a29ff40a Mon Sep 17 00:00:00 2001 
From: Hung Nguyen Date: Tue, 24 Oct 2023 01:48:20 -0400 Subject: [PATCH 5/8] allow setting feeds drivers github and msrc from enterprise chart (#148) * allow setting feeds drivers github and msrc from enterprise chart --------- Signed-off-by: Hung Nguyen --- stable/enterprise/templates/envvars_configmap.yaml | 4 ++-- stable/enterprise/tests/configmap_test.yaml | 13 +++++++++++++ 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml
index b415de66..69a5ad72 100644
--- a/stable/enterprise/templates/envvars_configmap.yaml
+++ b/stable/enterprise/templates/envvars_configmap.yaml
@@ -60,8 +60,8 @@ data:
 {{- else }}
 ANCHORE_ENTERPRISE_UI_URL: {{ include "enterprise.ui.fullname" . | quote }}
 {{- end }}
- ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED: "false"
- ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: "false"
+ ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED: {{ default "false" .Values.feeds.anchoreConfig.feeds.drivers.github.enabled | quote }}
+ ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: {{ default "false" .Values.feeds.anchoreConfig.feeds.drivers.msrc.enabled | quote }}
 ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED: "true"
 ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED: "false"
 ANCHORE_FEEDS_SSL_VERIFY: "{{ .Values.anchoreConfig.internalServicesSSL.verifyCerts }}"
diff --git a/stable/enterprise/tests/configmap_test.yaml b/stable/enterprise/tests/configmap_test.yaml
index 662459ec..95f3f94a 100644
--- a/stable/enterprise/tests/configmap_test.yaml
+++ b/stable/enterprise/tests/configmap_test.yaml
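Review bot: `.Values.feeds.anchoreConfig.feeds.drivers.github.enabled` is dereferenced unconditionally on the two added lines, so unless the parent chart's values.yaml pre-declares the full `feeds.anchoreConfig.feeds.drivers.{github,msrc}` path, rendering fails with a nil-pointer template error for every user who leaves these keys unset — `default` only applies once the lookup itself has succeeded. A nil-safe lookup avoids that: `{{ dig "anchoreConfig" "feeds" "drivers" "github" "enabled" "false" .Values.feeds | quote }}`, and likewise for msrc. The test added in this commit only exercises the case where both keys are set, which is why the failure would not show up in CI.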
@@ -37,3 +37,16 @@ tests:
 tmp_dir: /test
 log_level: DEBUG
+
+ - it: should set the msrc and github drivers if set
+ template: templates/envvars_configmap.yaml
+ set:
+ feeds.anchoreConfig.feeds.drivers.github.enabled: true
+ feeds.anchoreConfig.feeds.drivers.msrc.enabled: true
+ asserts:
+ - equal:
+ path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"]
+ value: "true"
+ - equal:
+ path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"]
+ value: "true"
From 38141889303525d13f45d8b68eff5160f4942111 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 24 Oct 2023 13:57:42 -0400 Subject: [PATCH 6/8] trying install of engine for adm. cont. (#153) * admission controller ci installs anchore engine to have endpoint * update test and ci/fake-values for adm. cont * update anchoreEndpoint with protocol Signed-off-by: Hung Nguyen --------- Signed-off-by: Hung Nguyen --- .github/workflows/test.yaml | 18 ++++++++++++++++++ stable/anchore-admission-controller/Chart.yaml | 4 ++-- .../ci/fake-values.yaml | 1 + .../anchore-admission-controller/values.yaml | 2 +- 4 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index a2d79607..d19ac6d0 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
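Review bot: Only the case where both driver keys are set is asserted; the default path — neither `feeds.anchoreConfig.feeds.drivers.github.enabled` nor `...msrc.enabled` set — is what most users render and the one where a nil map lookup in the template would fail, so add a second case with no `set:` asserting both `data[...]` values equal `"false"`. A case that sets one driver to an explicit `false` would also pin that an explicit false is not mistaken for "unset" by the `default` pipeline.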
@@ -74,6 +74,24 @@ jobs:
 DOCKER_USER: ${{ secrets.ANCHORECI_DOCKER_USER }}
 DOCKER_PASS: ${{ secrets.ANCHORECI_DOCKER_PASS }}
+
+ - name: Check if anchore-engine endpoint is required for admission controller chart
+ id: engine_required
+ run: |
+ if [[ -n $(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }} | grep 'anchore-admission-controller') ]]; then
+ echo "File in the 'stable/anchore-admission-controller' directory was changed. We need an engine deployment"
+ echo "::set-output name=changed::true"
+ else
+ echo "No files in 'stable/anchore-admission-controller' directory were changed. Skipping engine deployment"
+ echo "::set-output name=changed::false"
+ fi
+ shell: bash
+
+ - name: Deploy Engine
+ if: steps.engine_required.outputs.changed == 'true'
+ run: |
+ helm install engine anchore/anchore-engine --namespace anchore --wait
+ kubectl --namespace anchore get pods
+
 - name: Run chart-testing
 if: steps.list-changed.outputs.CHANGED == 'true'
 run: ct install --config ct-config.yaml
diff --git a/stable/anchore-admission-controller/Chart.yaml b/stable/anchore-admission-controller/Chart.yaml
index ddf85753..9b820450 100644
--- a/stable/anchore-admission-controller/Chart.yaml
+++ b/stable/anchore-admission-controller/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: anchore-admission-controller
-version: 0.4.7
-appVersion: 0.4.0
+version: 0.5.0
+appVersion: 0.5.0
 description: A kubernetes admission controller for validating and mutating webhooks that operates against Anchore Engine to make access decisions and annotations
 home: https://github.com/anchore/kubernetes-admission-controller
 maintainers:
diff --git a/stable/anchore-admission-controller/ci/fake-values.yaml b/stable/anchore-admission-controller/ci/fake-values.yaml
index 3d1c6db8..2983ae32 100644
--- a/stable/anchore-admission-controller/ci/fake-values.yaml
+++ b/stable/anchore-admission-controller/ci/fake-values.yaml
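Review bot: `echo "::set-output name=changed::true"` uses the workflow command GitHub deprecated in favour of the `$GITHUB_OUTPUT` file; write `echo "changed=true" >> "$GITHUB_OUTPUT"` (and the `false` counterpart) so `steps.engine_required.outputs.changed` keeps working once the command is disabled. `${{ github.event.pull_request.base.sha }}` is empty on any trigger that is not `pull_request`, which turns the command into `git diff --name-only <sha>` (working tree against a single commit) and may force or skip the engine deploy depending on checkout depth; guard the step with `if: github.event_name == 'pull_request'` or derive the answer from the existing `steps.list-changed` output. `helm install ... --wait` with no `--timeout` relies on Helm's default wait period, which is worth stating explicitly so a hung engine deploy fails predictably rather than stalling the job.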
@@ -4,3 +4,4 @@ credentials: password: password1 - username: user2 password: password2 +anchoreEndpoint: http://engine-anchore-engine-api:8228 diff --git a/stable/anchore-admission-controller/values.yaml b/stable/anchore-admission-controller/values.yaml index 3d1ca196..738365c5 100644 --- a/stable/anchore-admission-controller/values.yaml +++ b/stable/anchore-admission-controller/values.yaml @@ -5,7 +5,7 @@ fullnameOverride: Null replicaCount: 1 logVerbosity: 3 -image: "anchore/kubernetes-admission-controller:v0.4.0" +image: "anchore/kubernetes-admission-controller:v0.5.0" imagePullPolicy: IfNotPresent # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ imagePullSecrets: [] From 23a0429d2b736bacf64b9f229dbf08eb792a32f8 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 24 Oct 2023 17:20:25 -0400 Subject: [PATCH 7/8] updating envvars to use dig for getting feeds msrc and github values (#154) * updating envvars to use dig for getting feeds msrc and github values, add test that would have caught initial error * adding addition configmap tests for feeds dig function * bumping chart version Signed-off-by: Hung Nguyen --------- Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- .../templates/envvars_configmap.yaml | 4 +- stable/enterprise/tests/configmap_test.yaml | 85 +++++++++++++++++++ 3 files changed, 88 insertions(+), 3 deletions(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index ea89119b..43d0c7d8 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.2.4" +version: "0.2.5" appVersion: "4.9.3" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index 69a5ad72..e4da45bf 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml 
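Review bot: `anchoreEndpoint: http://engine-anchore-engine-api:8228` hard-codes the service name that follows from the release name `engine` used by the workflow's `Deploy Engine` step, so renaming either side silently breaks the chart-testing install; a comment tying the two together, `# host must match the service created by the "Deploy Engine" step in .github/workflows/test.yaml (release name "engine")`, makes the coupling visible. The `credentials` list that precedes the new key starts outside the hunk.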
+++ b/stable/enterprise/templates/envvars_configmap.yaml
@@ -60,8 +60,8 @@ data:
 {{- else }}
 ANCHORE_ENTERPRISE_UI_URL: {{ include "enterprise.ui.fullname" . | quote }}
 {{- end }}
- ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED: {{ default "false" .Values.feeds.anchoreConfig.feeds.drivers.github.enabled | quote }}
- ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: {{ default "false" .Values.feeds.anchoreConfig.feeds.drivers.msrc.enabled | quote }}
+ ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED: {{ dig "anchoreConfig" "feeds" "drivers" "github" "enabled" "false" .Values.feeds | quote }}
+ ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: {{ dig "anchoreConfig" "feeds" "drivers" "msrc" "enabled" "false" .Values.feeds | quote }}
 ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED: "true"
 ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED: "false"
 ANCHORE_FEEDS_SSL_VERIFY: "{{ .Values.anchoreConfig.internalServicesSSL.verifyCerts }}"
diff --git a/stable/enterprise/tests/configmap_test.yaml b/stable/enterprise/tests/configmap_test.yaml
index 95f3f94a..3433c48e 100644
--- a/stable/enterprise/tests/configmap_test.yaml
+++ b/stable/enterprise/tests/configmap_test.yaml
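Review bot: The two new `dig` lines carry no explanation of why `dig` replaced `default`, and since the `default` form reads simpler a later cleanup could reintroduce the templating error this commit fixes; a template comment above them, `{{/* dig tolerates missing intermediate keys under .Values.feeds (e.g. when only feeds.chartEnabled is set); default does not */}}`, records the intent. Note that `dig` still requires its last argument to be a map, so a values file that sets `feeds` itself to `null` or a scalar would presumably still fail to render; that seems acceptable, but the new tests do not cover it. The `data:` block continues outside the hunk.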
@@ -50,3 +50,88 @@ tests: - equal: path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] value: "true" + + - it: should not throw a templating error if feeds.something is set but drivers are not + template: templates/envvars_configmap.yaml + set: + feeds.chartEnabled: false + asserts: + - equal: + path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] + value: "false" + - equal: + path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] + value: "false" + + - it: should set the msrc and github drivers if set differently + template: templates/envvars_configmap.yaml + set: + feeds.anchoreConfig.feeds.drivers.github.enabled: false + feeds.anchoreConfig.feeds.drivers.msrc.enabled: true + asserts: + - equal: + path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] + value: "true" + - equal: + path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] + value: "false" + + - it: should not throw a templating error if feeds.anchoreConfig.something is set but drivers are not + template: templates/envvars_configmap.yaml + set: + feeds.anchoreConfig.log_level: ERROR + asserts: + - equal: + path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] + value: "false" + - equal: + path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] + value: "false" + + - it: should not throw a templating error if feeds.anchoreConfig.feeds.something is set but drivers are not + template: templates/envvars_configmap.yaml + set: + feeds.anchoreConfig.feeds.cycle_timers.driver_sync: 9001 + asserts: + - equal: + path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] + value: "false" + - equal: + path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] + value: "false" + + - it: should not throw a templating error if feeds.anchoreConfig.feeds.drivers.something is set but github and msrc drivers are not + template: templates/envvars_configmap.yaml + set: + feeds.anchoreConfig.feeds.drivers.npm.enabled: true + asserts: + - equal: + path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] + value: "false" + - equal: + path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] + 
value: "false" + + - it: should set the msrc and github drivers correctly if only one is set + template: templates/envvars_configmap.yaml + set: + feeds.anchoreConfig.feeds.drivers.github.enabled: true + asserts: + - equal: + path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] + value: "false" + - equal: + path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] + value: "true" + + - it: should set the msrc and github drivers correctly if only the other is set + template: templates/envvars_configmap.yaml + set: + feeds.anchoreConfig.feeds.drivers.msrc.enabled: true + asserts: + - equal: + path: data["ANCHORE_FEEDS_DRIVER_MSRC_ENABLED"] + value: "true" + - equal: + path: data["ANCHORE_FEEDS_DRIVER_GITHUB_ENABLED"] + value: "false" \ No newline at end of file From f5ce9c57970d911b3917dad4c9bc2359a15584d0 Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 24 Oct 2023 18:49:01 -0400 Subject: [PATCH 8/8] add max threads back Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 2 +- stable/enterprise/README.md | 1 + stable/enterprise/files/default_config.yaml | 2 ++ stable/enterprise/templates/envvars_configmap.yaml | 1 + .../enterprise/tests/__snapshot__/configmap_test.yaml.snap | 3 +++ stable/enterprise/values.yaml | 6 ++++++ 6 files changed, 14 insertions(+), 1 deletion(-) diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 43d0c7d8..1b65d43a 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: enterprise -version: "0.2.5" +version: "0.2.2" appVersion: "4.9.3" kubeVersion: 1.23.x - 1.27.x || 1.23.x-x - 1.27.x-x description: | diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index 3ed70b32..b78fbdea 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md 
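Review bot: The file now ends without a trailing newline (`\ No newline at end of file` after the last `value: "false"`), which yamllint's `new-line-at-end-of-file` rule flags and which makes the next appended test case show up as a noisy diff on this line; add the final newline. The last two cases are titled `... correctly if only one is set` and `... correctly if only the other is set`, which a reader of a failure report cannot tell apart; naming the driver, e.g. `should enable only github when only github is set` and `should enable only msrc when only msrc is set`, makes the report self-explanatory. The `tests:` sequence these cases belong to begins outside the hunk.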
@@ -863,6 +863,7 @@ rbacManager: | `anchoreConfig.apiext.external.hostname` | Hostname for the external Anchore API | `""` | | `anchoreConfig.apiext.external.port` | Port configured for external Anchore API | `8443` | | `anchoreConfig.analyzer.cycle_timers.image_analyzer` | The interval between checks of the work queue for new analysis jobs | `1` | +| `anchoreConfig.analyzer.max_threads` | The concurrency of the Anchore Analyzer worker process | `1` | | `anchoreConfig.analyzer.layer_cache_max_gigabytes` | Specify a cache size > 0GB to enable image layer caching | `0` | | `anchoreConfig.analyzer.enable_hints` | Enable a user-supplied 'hints' file to override and/or augment the software artifacts found during analysis | `false` | | `anchoreConfig.analyzer.configFile` | Custom Anchore Analyzer configuration file contents in YAML | `{}` | diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml index c5256723..9802d981 100644 --- a/stable/enterprise/files/default_config.yaml +++ b/stable/enterprise/files/default_config.yaml @@ -16,6 +16,7 @@ auto_restart_services: false max_source_import_size_mb: ${ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB} max_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB} + max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB} metrics: @@ -89,6 +90,7 @@ services: max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} cycle_timer_seconds: 1 cycle_timers: {{- toYaml .Values.anchoreConfig.analyzer.cycle_timers | nindent 6 }} + max_threads: ${ANCHORE_ANALYZER_MAX_THREADS} analyzer_driver: 'nodocker' layer_cache_enable: ${ANCHORE_LAYER_CACHE_ENABLED} layer_cache_max_gigabytes: ${ANCHORE_LAYER_CACHE_SIZE_GB} diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index e4da45bf..17aab83b 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml +++ b/stable/enterprise/templates/envvars_configmap.yaml 
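Review bot: The first `default_config.yaml` hunk re-adds `max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB}`, which has nothing to do with the "add max threads back" subject, and no `ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB` entry is added to `envvars_configmap.yaml` in this patch (its hunk only adds `ANCHORE_ANALYZER_MAX_THREADS`), so unless that variable is defined elsewhere the placeholder is presumably left unexpanded when the service reads its config. Together with `Chart.yaml` moving backwards from `"0.2.5"` to `"0.2.2"` in the same patch, this looks like the patch was generated against an older base and is quietly reverting earlier commits in the series; it should be regenerated on top of patch 7/8 with only the `max_threads` change. The same re-added line appears in the `configmap_test.yaml.snap` hunk `@@ -62,6 +62,7 @@`. The `max_threads: ${ANCHORE_ANALYZER_MAX_THREADS}` line in the second hunk itself looks correct, and the `services:` mapping it sits in starts outside the hunk.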
@@ -10,6 +10,7 @@ data: ANCHORE_ADMIN_EMAIL: "{{ .Values.anchoreConfig.default_admin_email }}" ANCHORE_ALLOW_ECR_IAM_AUTO: "{{ .Values.anchoreConfig.allow_awsecr_iam_auto }}" ANCHORE_ANALYZER_TASK_REQUEUE: "true" + ANCHORE_ANALYZER_MAX_THREADS: "{{ .Values.anchoreConfig.analyzer.max_threads }}" ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "{{ .Values.anchoreConfig.user_authentication.hashed_passwords }}" {{- with .Values.anchoreConfig.keys.publicKeyFileName }} ANCHORE_AUTH_PRIVKEY: "/home/anchore/certs/{{- . }}" diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index a55064d9..a3e55ee1 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -62,6 +62,7 @@ should render the configmaps: max_source_import_size_mb: ${ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB} max_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB} + max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB} metrics: @@ -125,6 +126,7 @@ should render the configmaps: cycle_timer_seconds: 1 cycle_timers: image_analyzer: 1 + max_threads: ${ANCHORE_ANALYZER_MAX_THREADS} analyzer_driver: 'nodocker' layer_cache_enable: ${ANCHORE_LAYER_CACHE_ENABLED} layer_cache_max_gigabytes: ${ANCHORE_LAYER_CACHE_SIZE_GB} @@ -341,6 +343,7 @@ should render the configmaps: data: ANCHORE_ADMIN_EMAIL: admin@myanchore ANCHORE_ALLOW_ECR_IAM_AUTO: "true" + ANCHORE_ANALYZER_MAX_THREADS: "1" ANCHORE_ANALYZER_TASK_REQUEUE: "true" ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "true" ANCHORE_AUTH_PRIVKEY: "null" diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index ae188f2b..f71ef032 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml 
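Review bot: `ANCHORE_ANALYZER_MAX_THREADS` is inserted after `ANCHORE_ANALYZER_TASK_REQUEUE`, while the surrounding keys in this `data:` block are kept in alphabetical order and the rendered snapshot in this patch lists `ANCHORE_ANALYZER_MAX_THREADS` first; moving the new line one up keeps the template consistent with its output. The value is also rendered verbatim from `.Values.anchoreConfig.analyzer.max_threads` with no check, so a non-numeric or zero value only surfaces when the analyzer reads the variable; assuming 0 is not a meaningful setting, a one-line guard before it, `{{- if lt (int .Values.anchoreConfig.analyzer.max_threads) 1 }}{{ fail "anchoreConfig.analyzer.max_threads must be a positive integer" }}{{ end }}`, catches that at `helm template` time. The `data:` block continues outside the hunk.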
@@ -354,6 +354,12 @@ anchoreConfig: cycle_timers: image_analyzer: 1 + ## @param anchoreConfig.analyzer.max_threads The concurrency of the Anchore Analyzer worker process + ## Can be configured to process more than one task at a time. This is IO bound so may not necessarily be faster depending on hardware. + ## Operators should test and balance this value vs. number of Anchore Analyzer replicas deployed. + ## + max_threads: 1 + ## @param anchoreConfig.analyzer.layer_cache_max_gigabytes Specify a cache size > 0GB to enable image layer caching ## This chart sets up a scratch directory for all Anchore Analyzer pods using the values found at .Values.scratchVolume ## When setting .Values.anchoreConfig.analyzer.layer_cache_max_gigabytes, ensure the scratch volume has sufficient storage space
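Review bot: The new `## @param anchoreConfig.analyzer.max_threads` block describes the throughput trade-off but not the accepted values; since the value is rendered straight into `ANCHORE_ANALYZER_MAX_THREADS` elsewhere in this patch, a line such as `## Must be a positive integer; 1 processes one task at a time.` tells operators what the chart expects. The `anchoreConfig.analyzer` mapping that holds the new key starts outside the hunk.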