diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml
index 37571eeb..6a22f057 100644
--- a/stable/enterprise/Chart.yaml
+++ b/stable/enterprise/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: enterprise
-version: "3.1.1"
-appVersion: "5.11.1"
+version: "3.2.0"
+appVersion: "5.12.0"
 kubeVersion: 1.23.x - 1.31.x || 1.23.x-x - 1.31.x-x
 description: |
   Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems,
diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md
index 6615f79f..5268d764 100644
--- a/stable/enterprise/README.md
+++ b/stable/enterprise/README.md
@@ -643,7 +643,7 @@ To restore your deployment to using your previous driver configurations:
 
 | Name | Description | Value |
 | --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- |
-| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.11.1` |
+| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.12.0` |
 | `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` |
 | `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` |
 | `useExistingPullCredSecret` | forgoes pullcred secret creation and uses the secret defined in imagePullSecretName | `true` |
@@ -695,132 +695,132 @@ To restore your deployment to using your previous driver configurations: ### Anchore Configuration Parameters -| Name | Description | Value | -| --------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------ | -| `anchoreConfig.service_dir` | Path to directory where default Anchore config files are placed at startup | `/anchore_service` | -| `anchoreConfig.log_level` | The log level for Anchore services: NOTE: This is deprecated, use logging.log_level | `INFO` | -| `anchoreConfig.logging.colored_logging` | Enable colored output in the logs | `false` | -| `anchoreConfig.logging.exception_backtrace_logging` | Enable stack traces in the logs | `false` | -| `anchoreConfig.logging.exception_diagnose_logging` | Enable detailed exception information in the logs | `false` | -| `anchoreConfig.logging.file_rotation_rule` | Maximum size of a log file before it is rotated | `10 MB` | -| `anchoreConfig.logging.file_retention_rule` | Number of log files to retain before deleting the oldest | `10` | -| `anchoreConfig.logging.log_level` | Log level for the service code | `INFO` | -| `anchoreConfig.logging.server_access_logging` | Set whether to print server access to logging | `true` | -| `anchoreConfig.logging.server_response_debug_logging` | Log the elapsed time to process the request and the response size (debug log level) | `false` | -| `anchoreConfig.logging.server_log_level` | Log level specifically for the server (uvicorn) | `info` | -| `anchoreConfig.logging.structured_logging` | Enable structured logging output (JSON) | `false` | -| `anchoreConfig.server.max_connection_backlog` | Max connections permitted in the backlog before dropping | `2048` | -| `anchoreConfig.server.max_wsgi_middleware_worker_queue_size` | Max number of requests to queue for processing by ASGI2WSGI 
middleware | `100` | -| `anchoreConfig.server.max_wsgi_middleware_worker_count` | Max number of workers to have in the ASGI2WSGI middleware worker pool | `50` | -| `anchoreConfig.server.timeout_graceful_shutdown` | Seconds to permit for graceful shutdown or false to disable | `false` | -| `anchoreConfig.server.timeout_keep_alive` | Seconds to keep a connection alive before closing | `5` | -| `anchoreConfig.audit.enabled` | Enable audit logging | `true` | -| `anchoreConfig.allow_awsecr_iam_auto` | Enable AWS IAM instance role for ECR auth | `true` | -| `anchoreConfig.keys.secret` | The shared secret used for signing & encryption, auto-generated by Helm if not set. | `""` | -| `anchoreConfig.keys.privateKeyFileName` | The file name of the private key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` | -| `anchoreConfig.keys.publicKeyFileName` | The file name of the public key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` | -| `anchoreConfig.user_authentication.oauth.enabled` | Enable OAuth for Anchore user authentication | `true` | -| `anchoreConfig.user_authentication.oauth.default_token_expiration_seconds` | The expiration, in seconds, for OAuth tokens | `3600` | -| `anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds` | The expiration, in seconds, for OAuth refresh tokens | `86400` | -| `anchoreConfig.user_authentication.allow_api_keys_for_saml_users` | Enable API key generation and authentication for SAML users | `false` | -| `anchoreConfig.user_authentication.max_api_key_age_days` | The maximum age, in days, for API keys | `365` | -| `anchoreConfig.user_authentication.max_api_keys_per_user` | The maximum number of API keys per user | `100` | -| `anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days` | The number of days elapsed after a user API key is deleted before it is garbage collected (-1 to disable) | 
`365` | -| `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `true` | -| `anchoreConfig.user_authentication.sso_require_existing_users` | set to true in order to disable the SSO JIT provisioning during authentication | `false` | -| `anchoreConfig.user_authentication.disallow_native_users` | Disallow native users to authenticate by any method. Only SSO/'saml' users will be able to access the system. | `false` | -| `anchoreConfig.user_authentication.log_saml_assertions` | Enable logging of received SAML assertions at INFO level for SSO debugging in API container. | `false` | -| `anchoreConfig.metrics.enabled` | Enable Prometheus metrics for all Anchore services | `false` | -| `anchoreConfig.metrics.auth_disabled` | Disable auth on Prometheus metrics for all Anchore services | `false` | -| `anchoreConfig.webhooks` | Enable Anchore services to provide webhooks for external system updates | `{}` | -| `anchoreConfig.default_admin_password` | The password for the Anchore Enterprise admin user | `""` | -| `anchoreConfig.default_admin_email` | The email address used for the Anchore Enterprise admin user | `admin@myanchore` | -| `anchoreConfig.database.timeout` | | `120` | -| `anchoreConfig.database.ssl` | Enable SSL/TLS for the database connection | `false` | -| `anchoreConfig.database.sslMode` | The SSL mode to use for database connection | `verify-full` | -| `anchoreConfig.database.sslRootCertFileName` | File name of the database root CA certificate stored in the k8s secret specified with .Values.certStoreSecretName | `""` | -| `anchoreConfig.database.db_pool_size` | The database max connection pool size | `30` | -| `anchoreConfig.database.db_pool_max_overflow` | The maximum overflow size of the database connection pool | `100` | -| `anchoreConfig.database.engineArgs` | Set custom database engine arguments for SQLAlchemy | `{}` | -| `anchoreConfig.internalServicesSSL.enabled` | Force all Enterprise services 
to use SSL for internal communication | `false` | -| `anchoreConfig.internalServicesSSL.verifyCerts` | Enable cert verification against the local cert bundle, if this set to false self-signed certs are allowed | `false` | -| `anchoreConfig.internalServicesSSL.certSecretKeyFileName` | File name of the private key used for internal SSL stored in the secret specified in .Values.certStoreSecretName | `""` | -| `anchoreConfig.internalServicesSSL.certSecretCertFileName` | File name of the root CA certificate used for internal SSL stored in the secret specified in .Values.certStoreSecretName | `""` | -| `anchoreConfig.policyBundles` | Include custom Anchore policy bundles | `{}` | -| `anchoreConfig.apiext.external.enabled` | Allow overrides for constructing Anchore API URLs | `false` | -| `anchoreConfig.apiext.external.useTLS` | Enable TLS for external API access | `true` | -| `anchoreConfig.apiext.external.hostname` | Hostname for the external Anchore API | `""` | -| `anchoreConfig.apiext.external.port` | Port configured for external Anchore API | `8443` | -| `anchoreConfig.analyzer.cycle_timers.image_analyzer` | The interval between checks of the work queue for new analysis jobs | `1` | -| `anchoreConfig.analyzer.layer_cache_max_gigabytes` | Specify a cache size > 0GB to enable image layer caching | `0` | -| `anchoreConfig.analyzer.enable_hints` | Enable a user-supplied 'hints' file to override and/or augment the software artifacts found during analysis | `false` | -| `anchoreConfig.analyzer.configFile` | Custom Anchore Analyzer configuration file contents in YAML | `{}` | -| `anchoreConfig.catalog.cycle_timers.image_watcher` | Interval (seconds) to check for an update to a tag | `3600` | -| `anchoreConfig.catalog.cycle_timers.policy_eval` | Interval (seconds) to run a policy evaluation on images with policy_eval subscription activated | `3600` | -| `anchoreConfig.catalog.cycle_timers.vulnerability_scan` | Interval to run a vulnerability scan on images with vuln_update 
subscription activated | `14400` | -| `anchoreConfig.catalog.cycle_timers.analyzer_queue` | Interval to add new work on the image analysis queue | `1` | -| `anchoreConfig.catalog.cycle_timers.archive_tasks` | Interval to trigger Anchore Catalog archive Tasks | `43200` | -| `anchoreConfig.catalog.cycle_timers.notifications` | Interval in which notifications will be processed for state changes | `30` | -| `anchoreConfig.catalog.cycle_timers.service_watcher` | Interval of service state update poll, used for system status | `15` | -| `anchoreConfig.catalog.cycle_timers.policy_bundle_sync` | Interval of policy bundle sync | `300` | -| `anchoreConfig.catalog.cycle_timers.repo_watcher` | Interval between checks to repo for new tags | `60` | -| `anchoreConfig.catalog.cycle_timers.image_gc` | Interval for garbage collection of images marked for deletion | `60` | -| `anchoreConfig.catalog.cycle_timers.k8s_image_watcher` | Interval for the runtime inventory image analysis poll | `150` | -| `anchoreConfig.catalog.cycle_timers.resource_metrics` | Interval (seconds) for computing metrics from the DB | `60` | -| `anchoreConfig.catalog.cycle_timers.events_gc` | Interval (seconds) for cleaning up events in the system based on timestamp | `43200` | -| `anchoreConfig.catalog.cycle_timers.artifact_lifecycle_policy_tasks` | Interval (seconds) for running artifact lifecycle policy tasks | `43200` | -| `anchoreConfig.catalog.event_log` | Event log for webhooks, YAML configuration | `{}` | -| `anchoreConfig.catalog.analysis_archive` | Custom analysis archive YAML configuration | `{}` | -| `anchoreConfig.catalog.object_store` | Custom object storage YAML configuration | `{}` | -| `anchoreConfig.catalog.runtime_inventory.inventory_ttl_days` | TTL for runtime inventory. | `120` | -| `anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite` | force runtime inventory to be overwritten upon every update for that reported context. 
| `false` | -| `anchoreConfig.catalog.integrations.integration_health_report_ttl_days` | TTL for integration health reports. | `2` | -| `anchoreConfig.catalog.down_analyzer_task_requeue` | Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state | `true` | -| `anchoreConfig.policy_engine.cycle_timers.feed_sync` | Interval to run a feed sync to get latest cve data | `14400` | -| `anchoreConfig.policy_engine.cycle_timers.feed_sync_checker` | Interval between checks to see if there needs to be a task queued | `3600` | -| `anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers` | List of providers to exclude from matching | `nil` | -| `anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types` | List of package types to exclude from matching | `nil` | -| `anchoreConfig.policy_engine.enable_user_base_image` | Enables usage of Well Known Annotation to identify base image for use in ancestry calculations | `true` | -| `anchoreConfig.notifications.cycle_timers.notifications` | Interval that notifications are sent | `30` | -| `anchoreConfig.notifications.ui_url` | Set the UI URL that is included in the notification, defaults to the Enterprise UI service name | `""` | -| `anchoreConfig.reports.enable_graphiql` | Enable GraphiQL, a GUI for editing and testing GraphQL queries and mutations | `true` | -| `anchoreConfig.reports.async_execution_timeout` | Configure how long a scheduled query must be running for before it is considered timed out | `48h` | -| `anchoreConfig.reports.cycle_timers.reports_scheduled_queries` | Interval in seconds to check for scheduled queries that need to be run | `600` | -| `anchoreConfig.reports.use_volume` | Configure the reports service to buffer report generation to disk instead of in memory | `false` | -| `anchoreConfig.reports_worker.enable_data_ingress` | Enable periodically syncing data into the Anchore Reports Service | `true` | -| 
`anchoreConfig.reports_worker.enable_data_egress` | Periodically remove reporting data that has been removed in other parts of system | `false` | -| `anchoreConfig.reports_worker.data_egress_window` | defines a number of days to keep reporting data following its deletion in the rest of system. | `0` | -| `anchoreConfig.reports_worker.data_refresh_max_workers` | The maximum number of concurrent threads to refresh existing results (etl vulnerabilities and evaluations) in reports service. | `10` | -| `anchoreConfig.reports_worker.data_load_max_workers` | The maximum number of concurrent threads to load new results (etl vulnerabilities and evaluations) to reports service. | `10` | -| `anchoreConfig.reports_worker.cycle_timers.reports_image_load` | Interval that vulnerabilities for images are synced | `600` | -| `anchoreConfig.reports_worker.cycle_timers.reports_tag_load` | Interval that vulnerabilities by tags are synced | `600` | -| `anchoreConfig.reports_worker.cycle_timers.reports_runtime_inventory_load` | Interval that the runtime inventory is synced | `600` | -| `anchoreConfig.reports_worker.cycle_timers.reports_extended_runtime_vuln_load` | Interval extended runtime reports are synched (ecs, k8s containers and namespaces) | `1800` | -| `anchoreConfig.reports_worker.cycle_timers.reports_image_refresh` | Interval that images are refreshed | `7200` | -| `anchoreConfig.reports_worker.cycle_timers.reports_tag_refresh` | Interval that tags are refreshed | `7200` | -| `anchoreConfig.reports_worker.cycle_timers.reports_metrics` | Interval for how often reporting metrics are generated | `3600` | -| `anchoreConfig.reports_worker.cycle_timers.reports_image_egress` | Interval stale states are removed by image | `600` | -| `anchoreConfig.reports_worker.cycle_timers.reports_tag_egress` | Interval stale states are removed by tag | `600` | -| `anchoreConfig.reports_worker.runtime_report_generation.use_legacy_loaders_and_queries` | Use legacy loaders and queries for runtime 
report generation | `false` | -| `anchoreConfig.ui.enable_proxy` | Trust a reverse proxy when setting secure cookies (via the `X-Forwarded-Proto` header) | `false` | -| `anchoreConfig.ui.enable_ssl` | Enable SSL in the Anchore UI container | `false` | -| `anchoreConfig.ui.enable_shared_login` | Allow single user to start multiple Anchore UI sessions | `true` | -| `anchoreConfig.ui.redis_flushdb` | Flush user session keys and empty data on Anchore UI startup | `true` | -| `anchoreConfig.ui.force_websocket` | Force WebSocket protocol for socket message communications | `false` | -| `anchoreConfig.ui.authentication_lock.count` | Number of failed authentication attempts allowed before a temporary lock is applied | `5` | -| `anchoreConfig.ui.authentication_lock.expires` | Authentication lock duration | `300` | -| `anchoreConfig.ui.sso_auth_only` | Enable SSO authentication only | `false` | -| `anchoreConfig.ui.custom_links` | List of up to 10 external links provided | `{}` | -| `anchoreConfig.ui.enable_add_repositories` | Specify what users can add image repositories to the Anchore UI | `{}` | -| `anchoreConfig.ui.log_level` | Descriptive detail of the application log output | `http` | -| `anchoreConfig.ui.enrich_inventory_view` | aggregate and include compliance and vulnerability data from the reports service. | `true` | -| `anchoreConfig.ui.appdb_config.native` | toggle the postgreSQL drivers used to connect to the database between the native and the NodeJS drivers. 
| `true` | -| `anchoreConfig.ui.appdb_config.pool.max` | maximum number of simultaneous connections allowed in the connection pool | `10` | -| `anchoreConfig.ui.appdb_config.pool.min` | minimum number of connections | `0` | -| `anchoreConfig.ui.appdb_config.pool.acquire` | the timeout in milliseconds used when acquiring a new connection | `30000` | -| `anchoreConfig.ui.appdb_config.pool.idle` | the maximum time that a connection can be idle before being released | `10000` | -| `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. | `""` | -| `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` | +| Name | Description | Value | +| --------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | +| `anchoreConfig.service_dir` | Path to directory where default Anchore config files are placed at startup | `/anchore_service` | +| `anchoreConfig.log_level` | The log level for Anchore services: NOTE: This is deprecated, use logging.log_level | `` | +| `anchoreConfig.logging.colored_logging` | Enable colored output in the logs | `false` | +| `anchoreConfig.logging.exception_backtrace_logging` | Enable stack traces in the logs | `false` | +| `anchoreConfig.logging.exception_diagnose_logging` | Enable detailed exception information in the logs | `false` | +| `anchoreConfig.logging.file_rotation_rule` | Maximum size of a log file before it is rotated | `10 MB` | +| `anchoreConfig.logging.file_retention_rule` | Number of log files to retain before deleting the oldest | `10` | +| `anchoreConfig.logging.log_level` | Log level for the service code | `` | +| `anchoreConfig.logging.server_access_logging` | Set whether to print server access to logging | `true` | +| 
`anchoreConfig.logging.server_response_debug_logging` | Log the elapsed time to process the request and the response size (debug log level) | `false` | +| `anchoreConfig.logging.server_log_level` | Log level specifically for the server (uvicorn) | `info` | +| `anchoreConfig.logging.structured_logging` | Enable structured logging output (JSON) | `false` | +| `anchoreConfig.server.max_connection_backlog` | Max connections permitted in the backlog before dropping | `2048` | +| `anchoreConfig.server.max_wsgi_middleware_worker_queue_size` | Max number of requests to queue for processing by ASGI2WSGI middleware | `100` | +| `anchoreConfig.server.max_wsgi_middleware_worker_count` | Max number of workers to have in the ASGI2WSGI middleware worker pool | `50` | +| `anchoreConfig.server.timeout_graceful_shutdown` | Seconds to permit for graceful shutdown or false to disable | `false` | +| `anchoreConfig.server.timeout_keep_alive` | Seconds to keep a connection alive before closing | `5` | +| `anchoreConfig.audit.enabled` | Enable audit logging | `true` | +| `anchoreConfig.allow_awsecr_iam_auto` | Enable AWS IAM instance role for ECR auth | `true` | +| `anchoreConfig.keys.secret` | The shared secret used for signing & encryption, auto-generated by Helm if not set. 
| `""` | +| `anchoreConfig.keys.privateKeyFileName` | The file name of the private key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` | +| `anchoreConfig.keys.publicKeyFileName` | The file name of the public key used for signing & encryption, found in the k8s secret specified in .Values.certStoreSecretName | `""` | +| `anchoreConfig.user_authentication.oauth.enabled` | Enable OAuth for Anchore user authentication | `true` | +| `anchoreConfig.user_authentication.oauth.default_token_expiration_seconds` | The expiration, in seconds, for OAuth tokens | `3600` | +| `anchoreConfig.user_authentication.oauth.refresh_token_expiration_seconds` | The expiration, in seconds, for OAuth refresh tokens | `86400` | +| `anchoreConfig.user_authentication.allow_api_keys_for_saml_users` | Enable API key generation and authentication for SAML users | `false` | +| `anchoreConfig.user_authentication.max_api_key_age_days` | The maximum age, in days, for API keys | `365` | +| `anchoreConfig.user_authentication.max_api_keys_per_user` | The maximum number of API keys per user | `100` | +| `anchoreConfig.user_authentication.remove_deleted_user_api_keys_older_than_days` | The number of days elapsed after a user API key is deleted before it is garbage collected (-1 to disable) | `365` | +| `anchoreConfig.user_authentication.hashed_passwords` | Enable storing passwords as secure hashes in the database | `true` | +| `anchoreConfig.user_authentication.sso_require_existing_users` | set to true in order to disable the SSO JIT provisioning during authentication | `false` | +| `anchoreConfig.user_authentication.disallow_native_users` | Disallow native users to authenticate by any method. Only SSO/'saml' users will be able to access the system. | `false` | +| `anchoreConfig.user_authentication.log_saml_assertions` | Enable logging of received SAML assertions at INFO level for SSO debugging in API container. 
| `false` | +| `anchoreConfig.metrics.enabled` | Enable Prometheus metrics for all Anchore services | `false` | +| `anchoreConfig.metrics.auth_disabled` | Disable auth on Prometheus metrics for all Anchore services | `false` | +| `anchoreConfig.webhooks` | Enable Anchore services to provide webhooks for external system updates | `{}` | +| `anchoreConfig.default_admin_password` | The password for the Anchore Enterprise admin user | `""` | +| `anchoreConfig.default_admin_email` | The email address used for the Anchore Enterprise admin user | `admin@myanchore` | +| `anchoreConfig.database.timeout` | | `120` | +| `anchoreConfig.database.ssl` | Enable SSL/TLS for the database connection | `false` | +| `anchoreConfig.database.sslMode` | The SSL mode to use for database connection | `verify-full` | +| `anchoreConfig.database.sslRootCertFileName` | File name of the database root CA certificate stored in the k8s secret specified with .Values.certStoreSecretName | `""` | +| `anchoreConfig.database.db_pool_size` | The database max connection pool size | `30` | +| `anchoreConfig.database.db_pool_max_overflow` | The maximum overflow size of the database connection pool | `100` | +| `anchoreConfig.database.engineArgs` | Set custom database engine arguments for SQLAlchemy | `{}` | +| `anchoreConfig.internalServicesSSL.enabled` | Force all Enterprise services to use SSL for internal communication | `false` | +| `anchoreConfig.internalServicesSSL.verifyCerts` | Enable cert verification against the local cert bundle, if this set to false self-signed certs are allowed | `false` | +| `anchoreConfig.internalServicesSSL.certSecretKeyFileName` | File name of the private key used for internal SSL stored in the secret specified in .Values.certStoreSecretName | `""` | +| `anchoreConfig.internalServicesSSL.certSecretCertFileName` | File name of the root CA certificate used for internal SSL stored in the secret specified in .Values.certStoreSecretName | `""` | +| `anchoreConfig.policyBundles` 
| Include custom Anchore policy bundles | `{}` | +| `anchoreConfig.apiext.external.enabled` | Allow overrides for constructing Anchore API URLs | `false` | +| `anchoreConfig.apiext.external.useTLS` | Enable TLS for external API access | `true` | +| `anchoreConfig.apiext.external.hostname` | Hostname for the external Anchore API | `""` | +| `anchoreConfig.apiext.external.port` | Port configured for external Anchore API | `8443` | +| `anchoreConfig.analyzer.cycle_timers.image_analyzer` | The interval between checks of the work queue for new analysis jobs | `1` | +| `anchoreConfig.analyzer.layer_cache_max_gigabytes` | Specify a cache size > 0GB to enable image layer caching | `0` | +| `anchoreConfig.analyzer.enable_hints` | Enable a user-supplied 'hints' file to override and/or augment the software artifacts found during analysis | `false` | +| `anchoreConfig.analyzer.configFile` | Custom Anchore Analyzer configuration file contents in YAML | `{}` | +| `anchoreConfig.catalog.cycle_timers.image_watcher` | Interval (seconds) to check for an update to a tag | `3600` | +| `anchoreConfig.catalog.cycle_timers.policy_eval` | Interval (seconds) to run a policy evaluation on images with policy_eval subscription activated | `3600` | +| `anchoreConfig.catalog.cycle_timers.vulnerability_scan` | Interval to run a vulnerability scan on images with vuln_update subscription activated | `14400` | +| `anchoreConfig.catalog.cycle_timers.analyzer_queue` | Interval to add new work on the image analysis queue | `1` | +| `anchoreConfig.catalog.cycle_timers.archive_tasks` | Interval to trigger Anchore Catalog archive Tasks | `43200` | +| `anchoreConfig.catalog.cycle_timers.notifications` | Interval in which notifications will be processed for state changes | `30` | +| `anchoreConfig.catalog.cycle_timers.service_watcher` | Interval of service state update poll, used for system status | `15` | +| `anchoreConfig.catalog.cycle_timers.policy_bundle_sync` | Interval of policy bundle sync | `300` | 
+| `anchoreConfig.catalog.cycle_timers.repo_watcher` | Interval between checks to repo for new tags | `60` | +| `anchoreConfig.catalog.cycle_timers.image_gc` | Interval for garbage collection of images marked for deletion | `60` | +| `anchoreConfig.catalog.cycle_timers.k8s_image_watcher` | Interval for the runtime inventory image analysis poll | `150` | +| `anchoreConfig.catalog.cycle_timers.resource_metrics` | Interval (seconds) for computing metrics from the DB | `60` | +| `anchoreConfig.catalog.cycle_timers.events_gc` | Interval (seconds) for cleaning up events in the system based on timestamp | `43200` | +| `anchoreConfig.catalog.cycle_timers.artifact_lifecycle_policy_tasks` | Interval (seconds) for running artifact lifecycle policy tasks | `43200` | +| `anchoreConfig.catalog.event_log` | Event log for webhooks, YAML configuration | `{}` | +| `anchoreConfig.catalog.analysis_archive` | Custom analysis archive YAML configuration | `{}` | +| `anchoreConfig.catalog.object_store` | Custom object storage YAML configuration | `{}` | +| `anchoreConfig.catalog.runtime_inventory.inventory_ttl_days` | TTL for runtime inventory. | `120` | +| `anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite` | force runtime inventory to be overwritten upon every update for that reported context. | `false` | +| `anchoreConfig.catalog.integrations.integration_health_report_ttl_days` | TTL for integration health reports. 
| `2` | +| `anchoreConfig.catalog.down_analyzer_task_requeue` | Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state | `true` | +| `anchoreConfig.policy_engine.cycle_timers.feed_sync` | Interval to run a feed sync to get latest cve data | `14400` | +| `anchoreConfig.policy_engine.cycle_timers.feed_sync_checker` | Interval between checks to see if there needs to be a task queued | `3600` | +| `anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers` | List of providers to exclude from matching | `nil` | +| `anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types` | List of package types to exclude from matching | `nil` | +| `anchoreConfig.policy_engine.enable_user_base_image` | Enables usage of Well Known Annotation to identify base image for use in ancestry calculations | `true` | +| `anchoreConfig.notifications.cycle_timers.notifications` | Interval that notifications are sent | `30` | +| `anchoreConfig.notifications.ui_url` | Set the UI URL that is included in the notification, defaults to the Enterprise UI service name | `""` | +| `anchoreConfig.reports.enable_graphiql` | Enable GraphiQL, a GUI for editing and testing GraphQL queries and mutations | `true` | +| `anchoreConfig.reports.async_execution_timeout` | Configure how long a scheduled query must be running for before it is considered timed out | `48h` | +| `anchoreConfig.reports.cycle_timers.reports_scheduled_queries` | Interval in seconds to check for scheduled queries that need to be run | `600` | +| `anchoreConfig.reports.use_volume` | Configure the reports service to buffer report generation to disk instead of in memory | `false` | +| `anchoreConfig.reports_worker.enable_data_ingress` | Enable periodically syncing data into the Anchore Reports Service | `true` | +| `anchoreConfig.reports_worker.enable_data_egress` | Periodically remove reporting data that has been removed in other parts of system | `false` | +| 
`anchoreConfig.reports_worker.data_egress_window` | defines a number of days to keep reporting data following its deletion in the rest of system. | `0` | +| `anchoreConfig.reports_worker.data_refresh_max_workers` | The maximum number of concurrent threads to refresh existing results (etl vulnerabilities and evaluations) in reports service. | `10` | +| `anchoreConfig.reports_worker.data_load_max_workers` | The maximum number of concurrent threads to load new results (etl vulnerabilities and evaluations) to reports service. | `10` | +| `anchoreConfig.reports_worker.cycle_timers.reports_image_load` | Interval that vulnerabilities for images are synced | `600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_tag_load` | Interval that vulnerabilities by tags are synced | `600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_runtime_inventory_load` | Interval that the runtime inventory is synced | `600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_extended_runtime_vuln_load` | Interval extended runtime reports are synched (ecs, k8s containers and namespaces) | `1800` | +| `anchoreConfig.reports_worker.cycle_timers.reports_image_refresh` | Interval that images are refreshed | `7200` | +| `anchoreConfig.reports_worker.cycle_timers.reports_tag_refresh` | Interval that tags are refreshed | `7200` | +| `anchoreConfig.reports_worker.cycle_timers.reports_metrics` | Interval for how often reporting metrics are generated | `3600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_image_egress` | Interval stale states are removed by image | `600` | +| `anchoreConfig.reports_worker.cycle_timers.reports_tag_egress` | Interval stale states are removed by tag | `600` | +| `anchoreConfig.reports_worker.runtime_report_generation.use_legacy_loaders_and_queries` | Use legacy loaders and queries for runtime report generation | `false` | +| `anchoreConfig.ui.enable_proxy` | Trust a reverse proxy when setting secure cookies (via the `X-Forwarded-Proto` header) 
| `false` | +| `anchoreConfig.ui.enable_ssl` | Enable SSL in the Anchore UI container | `false` | +| `anchoreConfig.ui.enable_shared_login` | Allow single user to start multiple Anchore UI sessions | `true` | +| `anchoreConfig.ui.redis_flushdb` | Flush user session keys and empty data on Anchore UI startup | `true` | +| `anchoreConfig.ui.force_websocket` | Force WebSocket protocol for socket message communications | `false` | +| `anchoreConfig.ui.authentication_lock.count` | Number of failed authentication attempts allowed before a temporary lock is applied | `5` | +| `anchoreConfig.ui.authentication_lock.expires` | Authentication lock duration | `300` | +| `anchoreConfig.ui.sso_auth_only` | Enable SSO authentication only | `false` | +| `anchoreConfig.ui.custom_links` | List of up to 10 external links provided | `{}` | +| `anchoreConfig.ui.enable_add_repositories` | Specify what users can add image repositories to the Anchore UI | `{}` | +| `anchoreConfig.ui.log_level` | Descriptive detail of the application log output | `http` | +| `anchoreConfig.ui.enrich_inventory_view` | aggregate and include compliance and vulnerability data from the reports service. | `true` | +| `anchoreConfig.ui.appdb_config.native` | toggle the postgreSQL drivers used to connect to the database between the native and the NodeJS drivers. | `true` | +| `anchoreConfig.ui.appdb_config.pool.max` | maximum number of simultaneous connections allowed in the connection pool | `10` | +| `anchoreConfig.ui.appdb_config.pool.min` | minimum number of connections | `0` | +| `anchoreConfig.ui.appdb_config.pool.acquire` | the timeout in milliseconds used when acquiring a new connection | `30000` | +| `anchoreConfig.ui.appdb_config.pool.idle` | the maximum time that a connection can be idle before being released | `10000` | +| `anchoreConfig.ui.dbUser` | allows overriding and separation of the ui database user. 
| `""` |
+| `anchoreConfig.ui.dbPassword` | allows overriding and separation of the ui database user authentication | `""` |
 
 ### Anchore Analyzer k8s Deployment Parameters
 
@@ -1023,7 +1023,7 @@ To restore your deployment to using your previous driver configurations:
 
 | Name | Description | Value |
 | ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- |
-| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.11.0` |
+| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.12.0` |
 | `ui.imagePullPolicy` | Image pull policy for Anchore UI image | `IfNotPresent` |
 | `ui.existingSecretName` | Name of an existing secret to be used for Anchore UI DB and Redis endpoints | `anchore-enterprise-ui-env` |
 | `ui.ldapsRootCaCertName` | Name of the custom CA certificate file store in `.Values.certStoreSecretName` | `""` |
@@ -1054,7 +1054,7 @@ To restore your deployment to using your previous driver configurations: | `upgradeJob.rbacCreate` | Create RBAC resources for the Anchore upgrade job | `true` | | `upgradeJob.serviceAccountName` | Use an existing service account for the Anchore upgrade job | `""` | | `upgradeJob.usePostUpgradeHook` | Use a Helm post-upgrade hook to run the upgrade job instead of the default pre-upgrade hook. This job does not require creating RBAC resources. | `false` | -| `upgradeJob.kubectlImage` | The image to use for the upgrade job's init container that uses kubectl to scale down deployments before an upgrade | `bitnami/kubectl:1.27` | +| `upgradeJob.kubectlImage` | The image to use for the upgrade job's init container that uses kubectl to scale down deployments before an upgrade | `bitnami/kubectl:1.30` | | `upgradeJob.nodeSelector` | Node labels for the Anchore upgrade job pod assignment | `{}` | | `upgradeJob.tolerations` | Tolerations for the Anchore upgrade job pod assignment | `[]` | | `upgradeJob.affinity` | Affinity for the Anchore upgrade job pod assignment | `{}` | 
@@ -1146,6 +1146,14 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention. - **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update. +### V3.2.x + +- Deploys Anchore Enterprise v5.12.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/5120/) for more information. +- Updates the bitnami/kubectl image to 1.30 to address critical vulnerabilities present in bitnami/kubectl:1.27 +- Updates the values of the following to "" to allow updating their respective configurations through the UI in the future. Any changes to these values will still be respected (ie. if you changed it previously or going forward). If a value was never set, it will still default to the previous default value, but the default value is now handled in the application itself. + - `anchoreConfig.log_level` + - `anchoreConfig.analyzer.configFile.malware.clamav.enabled` + ### V3.1.x - Deploys Anchore Enterprise v5.11.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/5110/) for more information. diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml index 01a589ca..ba6961fd 100644 --- a/stable/enterprise/files/default_config.yaml +++ b/stable/enterprise/files/default_config.yaml @@ -64,6 +64,9 @@ webhooks: {{- toYaml .Values.anchoreConfig.webhooks | nindent 2 }} default_admin_password: "${ANCHORE_ADMIN_PASSWORD}" default_admin_email: ${ANCHORE_ADMIN_EMAIL} +configuration: + api_driven_configuration_enabled: ${ANCHORE_API_DRIVEN_CONFIGURATION_ENABLED} + keys: secret: "${ANCHORE_SAML_SECRET}" public_key_path: ${ANCHORE_AUTH_PRIVKEY} diff --git a/stable/enterprise/files/osaa_config.yaml b/stable/enterprise/files/osaa_config.yaml index 34fee0db..5278933b 100644 
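Review bot: The new `configuration:` key added to default_config.yaml appears to carry trailing whitespace — the regenerated snapshot later in this diff renders it as `configuration: \n` — and, together with the now-empty `log_level: `, that is the likely reason the snapshot's `config.yaml` flipped from a readable `|` block scalar to one long double-quoted string; trimming the trailing space (`configuration:`) should keep the rendered output in block style. The substituted `${ANCHORE_API_DRIVEN_CONFIGURATION_ENABLED}` is unquoted, so if the variable is ever absent the key parses as null rather than a boolean; that matches the neighbouring `default_admin_email` line, but since this flag governs whether configuration can be changed through the API/UI (per the changelog) it deserves a comment such as `# Controls whether Anchore configuration may be updated via the API/UI; sourced from the envvars configmap`. The identical hunk in osaa_config.yaml has the same trailing-space and comment points.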
--- a/stable/enterprise/files/osaa_config.yaml +++ b/stable/enterprise/files/osaa_config.yaml @@ -64,6 +64,9 @@ webhooks: {{- toYaml .Values.anchoreConfig.webhooks | nindent 2 }} default_admin_password: "${ANCHORE_ADMIN_PASSWORD}" default_admin_email: ${ANCHORE_ADMIN_EMAIL} +configuration: + api_driven_configuration_enabled: ${ANCHORE_API_DRIVEN_CONFIGURATION_ENABLED} + keys: secret: "${ANCHORE_SAML_SECRET}" public_key_path: ${ANCHORE_AUTH_PRIVKEY} diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index b88eca3c..e827bdec 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml +++ b/stable/enterprise/templates/envvars_configmap.yaml @@ -8,6 +8,7 @@ metadata: data: ANCHORE_ADMIN_EMAIL: "{{ .Values.anchoreConfig.default_admin_email }}" + ANCHORE_API_DRIVEN_CONFIGURATION_ENABLED: "true" ANCHORE_ALLOW_ECR_IAM_AUTO: "{{ .Values.anchoreConfig.allow_awsecr_iam_auto }}" ANCHORE_ANALYZER_TASK_REQUEUE: "true" ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "{{ .Values.anchoreConfig.user_authentication.hashed_passwords }}" diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index bfd41e24..0649e3d8 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -7,7 +7,7 @@ should render the configmaps: malware: clamav: db_update_enabled: true - enabled: false + enabled: retrieve_files: file_list: - /etc/passwd 
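Review bot: In envvars_configmap.yaml the new `ANCHORE_API_DRIVEN_CONFIGURATION_ENABLED: "true"` is a hard-coded literal while every neighbouring entry is templated from `.Values.anchoreConfig.*`, so an operator has no way to turn API-driven configuration off from values, and the README parameter tables touched by this commit do not document the flag. Because this setting lets configuration be changed at runtime through the API instead of only through the chart, teams that manage configuration declaratively will want to disable it; exposing it as a chart value that defaults to true, e.g. `ANCHORE_API_DRIVEN_CONFIGURATION_ENABLED: "{{ .Values.anchoreConfig.api_driven_configuration_enabled }}"` (proposed new value name, not an existing key), keeps the current behaviour while restoring that control. As a minor style point, the surrounding keys are kept in alphabetical order and the new line should sit after `ANCHORE_ANALYZER_TASK_REQUEUE`, where the rendered snapshot places it.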
@@ -41,367 +41,7 @@ should render the configmaps: 2: | apiVersion: v1 data: - config.yaml: | - # Anchore Service Configuration File, mounted from a configmap - # - service_dir: ${ANCHORE_SERVICE_DIR} - tmp_dir: ${ANCHORE_TMP_DIR} - log_level: ${ANCHORE_LOG_LEVEL} # Deprecated - prefer use of logging.log_level - - logging: - colored_logging: false - exception_backtrace_logging: false - exception_diagnose_logging: false - file_retention_rule: 10 - file_rotation_rule: 10 MB - log_level: INFO - server_access_logging: true - server_log_level: info - server_response_debug_logging: false - structured_logging: false - - server: - max_connection_backlog: 2048 - max_wsgi_middleware_worker_count: 50 - max_wsgi_middleware_worker_queue_size: 100 - timeout_graceful_shutdown: false - timeout_keep_alive: 5 - - allow_awsecr_iam_auto: ${ANCHORE_ALLOW_ECR_IAM_AUTO} - host_id: "${ANCHORE_HOST_ID}" - internal_ssl_verify: ${ANCHORE_INTERNAL_SSL_VERIFY} - image_analyze_timeout_seconds: ${ANCHORE_IMAGE_ANALYZE_TIMEOUT_SECONDS} - - global_client_connect_timeout: ${ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT} - global_client_read_timeout: ${ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT} - server_request_timeout_seconds: ${ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC} - - license_file: ${ANCHORE_LICENSE_FILE} - auto_restart_services: false - - max_source_import_size_mb: ${ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB} - max_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB} - - max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB} - - audit: - enabled: true - mode: log - verbs: - - post - - put - - delete - - patch - resource_uris: - - "/accounts" - - "/accounts/{account_name}" - - "/accounts/{account_name}/state" - - "/accounts/{account_name}/users" - - "/accounts/{account_name}/users/{username}" - - "/accounts/{account_name}/users/{username}/api-keys" - - "/accounts/{account_name}/users/{username}/api-keys/{key_name}" - - "/accounts/{account_name}/users/{username}/credentials" - - 
"/rbac-manager/roles" - - "/rbac-manager/roles/{role_name}/members" - - "/rbac-manager/saml/idps" - - "/rbac-manager/saml/idps/{name}" - - "/rbac-manager/saml/idps/{name}/user-group-mappings" - - "/system/user-groups" - - "/system/user-groups/{group_uuid}" - - "/system/user-groups/{group_uuid}/roles" - - "/system/user-groups/{group_uuid}/users" - - "/user/api-keys" - - "/user/api-keys/{key_name}" - - "/user/credentials" - - metrics: - enabled: ${ANCHORE_ENABLE_METRICS} - auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH} - - webhooks: - {} - - default_admin_password: "${ANCHORE_ADMIN_PASSWORD}" - default_admin_email: ${ANCHORE_ADMIN_EMAIL} - - keys: - secret: "${ANCHORE_SAML_SECRET}" - public_key_path: ${ANCHORE_AUTH_PRIVKEY} - private_key_path: ${ANCHORE_AUTH_PUBKEY} - - user_authentication: - oauth: - enabled: ${ANCHORE_OAUTH_ENABLED} - default_token_expiration_seconds: ${ANCHORE_OAUTH_TOKEN_EXPIRATION} - refresh_token_expiration_seconds: ${ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION} - hashed_passwords: ${ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS} - sso_require_existing_users: ${ANCHORE_SSO_REQUIRES_EXISTING_USERS} - allow_api_keys_for_saml_users: false - max_api_key_age_days: 365 - max_api_keys_per_user: 100 - remove_deleted_user_api_keys_older_than_days: 365 - disallow_native_users: false - log_saml_assertions: false - credentials: - database: - user: "${ANCHORE_DB_USER}" - password: "${ANCHORE_DB_PASSWORD}" - host: "${ANCHORE_DB_HOST}" - port: "${ANCHORE_DB_PORT}" - name: "${ANCHORE_DB_NAME}" - db_connect_args: - timeout: ${ANCHORE_DB_TIMEOUT} - ssl: ${ANCHORE_DB_SSL} - db_pool_size: ${ANCHORE_DB_POOL_SIZE} - db_pool_max_overflow: ${ANCHORE_DB_POOL_MAX_OVERFLOW} - - account_gc: - max_resource_gc_chunk: 4096 - max_deletion_threads: 4 - - services: - apiext: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - ssl_enable: 
${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - analyzer: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - cycle_timer_seconds: 1 - cycle_timers: - image_analyzer: 1 - analyzer_driver: 'nodocker' - layer_cache_enable: ${ANCHORE_LAYER_CACHE_ENABLED} - layer_cache_max_gigabytes: ${ANCHORE_LAYER_CACHE_SIZE_GB} - enable_hints: ${ANCHORE_HINTS_ENABLED} - enable_owned_package_filtering: ${ANCHORE_OWNED_PACKAGE_FILTERING_ENABLED} - keep_image_analysis_tmpfiles: ${ANCHORE_KEEP_IMAGE_ANALYSIS_TMPFILES} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - catalog: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - cycle_timer_seconds: 1 - cycle_timers: - analyzer_queue: 1 - archive_tasks: 43200 - artifact_lifecycle_policy_tasks: 43200 - events_gc: 43200 - image_gc: 60 - image_watcher: 3600 - k8s_image_watcher: 150 - notifications: 30 - policy_bundle_sync: 300 - policy_eval: 3600 - repo_watcher: 60 - resource_metrics: 60 - service_watcher: 15 - vulnerability_scan: 14400 - event_log: - max_retention_age_days: 180 - notification: - enabled: false - level: - - error - runtime_inventory: - inventory_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS} - inventory_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE} - integrations: - integration_health_report_ttl_days: ${ANCHORE_ENTERPRISE_INTEGRATION_HEALTH_REPORTS_TTL_DAYS} - image_gc: - max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS} - runtime_compliance: - object_store_bucket: "runtime_compliance_check" - down_analyzer_task_requeue: ${ANCHORE_ANALYZER_TASK_REQUEUE} - import_operation_expiration_days: 
${ANCHORE_IMPORT_OPERATION_EXPIRATION_DAYS} - analysis_archive: - {} - object_store: - compression: - enabled: true - min_size_kbytes: 100 - storage_driver: - config: {} - name: db - verify_content_digests: true - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - simplequeue: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - policy_engine: - enabled: true - require_auth: true - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - policy_evaluation_cache_ttl: ${ANCHORE_POLICY_EVAL_CACHE_TTL_SECONDS} - cycle_timer_seconds: 1 - cycle_timers: - feed_sync: 14400 - feed_sync_checker: 3600 - enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD} - enable_user_base_image: true - vulnerabilities: - sync: - enabled: true - ssl_verify: ${ANCHORE_FEEDS_SSL_VERIFY} - connection_timeout_seconds: 3 - read_timeout_seconds: 60 - data: - grypedb: - enabled: true - matching: - exclude: - providers: [] - package_types: [] - default: - search: - by_cpe: - enabled: ${ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED} - ecosystem_specific: - dotnet: - search: - by_cpe: - enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_DOTNET_SEARCH_BY_CPE_ENABLED} - golang: - search: - by_cpe: - enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_GOLANG_SEARCH_BY_CPE_ENABLED} - java: - search: - by_cpe: - enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVA_SEARCH_BY_CPE_ENABLED} - javascript: - search: - by_cpe: - enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVASCRIPT_SEARCH_BY_CPE_ENABLED} - python: - search: - by_cpe: - enabled: 
${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_PYTHON_SEARCH_BY_CPE_ENABLED} - ruby: - search: - by_cpe: - enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_RUBY_SEARCH_BY_CPE_ENABLED} - stock: - search: - by_cpe: - # Disabling search by CPE for the stock matcher will entirely disable binary-only matches and is not advised - enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_STOCK_SEARCH_BY_CPE_ENABLED} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - reports: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - enable_graphiql: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_GRAPHIQL} - cycle_timers: - reports_scheduled_queries: 600 - max_async_execution_threads: ${ANCHORE_ENTERPRISE_REPORTS_MAX_ASYNC_EXECUTION_THREADS} - async_execution_timeout: ${ANCHORE_ENTERPRISE_REPORTS_ASYNC_EXECUTION_TIMEOUT} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - use_volume: false - - reports_worker: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - enable_data_ingress: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_DATA_INGRESS} - enable_data_egress: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_DATA_EGRESS} - data_egress_window: ${ANCHORE_ENTERPRISE_REPORTS_DATA_EGRESS_WINDOW} - data_refresh_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_REFRESH_MAX_WORKERS} - data_load_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_LOAD_MAX_WORKERS} - cycle_timers: - reports_extended_runtime_vuln_load: 1800 - reports_image_egress: 600 - reports_image_load: 600 - reports_image_refresh: 7200 - reports_metrics: 3600 - reports_runtime_inventory_load: 600 - reports_tag_egress: 600 - reports_tag_load: 600 - reports_tag_refresh: 7200 - runtime_report_generation: - 
use_legacy_loaders_and_queries: false - inventory_images_by_vulnerability: true - vulnerabilities_by_k8s_namespace: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE} - vulnerabilities_by_k8s_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER} - vulnerabilities_by_ecs_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - notifications: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - cycle_timers: - notifications: 30 - ui_url: ${ANCHORE_ENTERPRISE_UI_URL} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - data_syncer: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: 0.0.0.0 - port: ${ANCHORE_PORT} - auto_sync_enabled: ${ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED} - upload_dir: /analysis_scratch - datasets: - vulnerability_db: - versions: ["5"] - clamav_db: - versions: ["1"] - kev_db: - versions: ["1"] - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} + config.yaml: "# Anchore Service Configuration File, mounted from a configmap\n#\nservice_dir: ${ANCHORE_SERVICE_DIR}\ntmp_dir: ${ANCHORE_TMP_DIR}\nlog_level: ${ANCHORE_LOG_LEVEL} # Deprecated - prefer use of logging.log_level\n\nlogging:\n colored_logging: false\n exception_backtrace_logging: false\n exception_diagnose_logging: false\n file_retention_rule: 10\n file_rotation_rule: 10 MB\n log_level: \n server_access_logging: true\n server_log_level: info\n server_response_debug_logging: false\n structured_logging: false\n\nserver:\n max_connection_backlog: 2048\n max_wsgi_middleware_worker_count: 50\n max_wsgi_middleware_worker_queue_size: 100\n timeout_graceful_shutdown: false\n 
timeout_keep_alive: 5\n\nallow_awsecr_iam_auto: ${ANCHORE_ALLOW_ECR_IAM_AUTO}\nhost_id: \"${ANCHORE_HOST_ID}\"\ninternal_ssl_verify: ${ANCHORE_INTERNAL_SSL_VERIFY}\nimage_analyze_timeout_seconds: ${ANCHORE_IMAGE_ANALYZE_TIMEOUT_SECONDS}\n\nglobal_client_connect_timeout: ${ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT}\nglobal_client_read_timeout: ${ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT}\nserver_request_timeout_seconds: ${ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC}\n\nlicense_file: ${ANCHORE_LICENSE_FILE}\nauto_restart_services: false\n\nmax_source_import_size_mb: ${ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB}\nmax_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB}\n\nmax_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB}\n\naudit:\n enabled: true\n mode: log\n verbs:\n - post\n - put\n - delete\n - patch\n resource_uris:\n - \"/accounts\"\n - \"/accounts/{account_name}\"\n - \"/accounts/{account_name}/state\"\n - \"/accounts/{account_name}/users\"\n - \"/accounts/{account_name}/users/{username}\"\n - \"/accounts/{account_name}/users/{username}/api-keys\"\n - \"/accounts/{account_name}/users/{username}/api-keys/{key_name}\"\n - \"/accounts/{account_name}/users/{username}/credentials\"\n - \"/rbac-manager/roles\"\n - \"/rbac-manager/roles/{role_name}/members\"\n - \"/rbac-manager/saml/idps\"\n - \"/rbac-manager/saml/idps/{name}\"\n - \"/rbac-manager/saml/idps/{name}/user-group-mappings\"\n - \"/system/user-groups\"\n - \"/system/user-groups/{group_uuid}\"\n - \"/system/user-groups/{group_uuid}/roles\"\n - \"/system/user-groups/{group_uuid}/users\"\n - \"/user/api-keys\"\n - \"/user/api-keys/{key_name}\"\n - \"/user/credentials\"\n\nmetrics:\n enabled: ${ANCHORE_ENABLE_METRICS}\n auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH}\n\nwebhooks:\n {}\n\ndefault_admin_password: \"${ANCHORE_ADMIN_PASSWORD}\"\ndefault_admin_email: ${ANCHORE_ADMIN_EMAIL}\n\nconfiguration: \n api_driven_configuration_enabled: ${ANCHORE_API_DRIVEN_CONFIGURATION_ENABLED}\n\nkeys:\n secret: 
\"${ANCHORE_SAML_SECRET}\"\n public_key_path: ${ANCHORE_AUTH_PRIVKEY}\n private_key_path: ${ANCHORE_AUTH_PUBKEY}\n\nuser_authentication:\n oauth:\n enabled: ${ANCHORE_OAUTH_ENABLED}\n default_token_expiration_seconds: ${ANCHORE_OAUTH_TOKEN_EXPIRATION}\n refresh_token_expiration_seconds: ${ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION}\n hashed_passwords: ${ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS}\n sso_require_existing_users: ${ANCHORE_SSO_REQUIRES_EXISTING_USERS}\n allow_api_keys_for_saml_users: false\n max_api_key_age_days: 365\n max_api_keys_per_user: 100\n remove_deleted_user_api_keys_older_than_days: 365\n disallow_native_users: false\n log_saml_assertions: false\ncredentials:\n database:\n user: \"${ANCHORE_DB_USER}\"\n password: \"${ANCHORE_DB_PASSWORD}\"\n host: \"${ANCHORE_DB_HOST}\"\n port: \"${ANCHORE_DB_PORT}\"\n name: \"${ANCHORE_DB_NAME}\"\n db_connect_args:\n timeout: ${ANCHORE_DB_TIMEOUT}\n ssl: ${ANCHORE_DB_SSL}\n db_pool_size: ${ANCHORE_DB_POOL_SIZE}\n db_pool_max_overflow: ${ANCHORE_DB_POOL_MAX_OVERFLOW}\n\naccount_gc:\n max_resource_gc_chunk: 4096\n max_deletion_threads: 4\n\nservices:\n apiext:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n analyzer:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n cycle_timer_seconds: 1\n cycle_timers:\n image_analyzer: 1\n analyzer_driver: 'nodocker'\n layer_cache_enable: ${ANCHORE_LAYER_CACHE_ENABLED}\n layer_cache_max_gigabytes: ${ANCHORE_LAYER_CACHE_SIZE_GB}\n enable_hints: ${ANCHORE_HINTS_ENABLED}\n enable_owned_package_filtering: ${ANCHORE_OWNED_PACKAGE_FILTERING_ENABLED}\n keep_image_analysis_tmpfiles: 
${ANCHORE_KEEP_IMAGE_ANALYSIS_TMPFILES}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n catalog:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n cycle_timer_seconds: 1\n cycle_timers:\n analyzer_queue: 1\n archive_tasks: 43200\n artifact_lifecycle_policy_tasks: 43200\n events_gc: 43200\n image_gc: 60\n image_watcher: 3600\n k8s_image_watcher: 150\n notifications: 30\n policy_bundle_sync: 300\n policy_eval: 3600\n repo_watcher: 60\n resource_metrics: 60\n service_watcher: 15\n vulnerability_scan: 14400\n event_log:\n max_retention_age_days: 180\n notification:\n enabled: false\n level:\n - error\n runtime_inventory:\n inventory_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS}\n inventory_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE}\n integrations:\n integration_health_report_ttl_days: ${ANCHORE_ENTERPRISE_INTEGRATION_HEALTH_REPORTS_TTL_DAYS}\n image_gc:\n max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS}\n runtime_compliance:\n object_store_bucket: \"runtime_compliance_check\"\n down_analyzer_task_requeue: ${ANCHORE_ANALYZER_TASK_REQUEUE}\n import_operation_expiration_days: ${ANCHORE_IMPORT_OPERATION_EXPIRATION_DAYS}\n analysis_archive:\n {}\n object_store:\n compression:\n enabled: true\n min_size_kbytes: 100\n storage_driver:\n config: {}\n name: db\n verify_content_digests: true\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n simplequeue:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n policy_engine:\n enabled: true\n require_auth: true\n 
max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n policy_evaluation_cache_ttl: ${ANCHORE_POLICY_EVAL_CACHE_TTL_SECONDS}\n cycle_timer_seconds: 1\n cycle_timers:\n feed_sync: 14400\n feed_sync_checker: 3600\n enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD}\n enable_user_base_image: true\n vulnerabilities:\n sync:\n enabled: true\n ssl_verify: ${ANCHORE_FEEDS_SSL_VERIFY}\n connection_timeout_seconds: 3\n read_timeout_seconds: 60\n data:\n grypedb:\n enabled: true\n matching:\n exclude:\n providers: []\n package_types: []\n default:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED}\n ecosystem_specific:\n dotnet:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_DOTNET_SEARCH_BY_CPE_ENABLED}\n golang:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_GOLANG_SEARCH_BY_CPE_ENABLED}\n java:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVA_SEARCH_BY_CPE_ENABLED}\n javascript:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVASCRIPT_SEARCH_BY_CPE_ENABLED}\n python:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_PYTHON_SEARCH_BY_CPE_ENABLED}\n ruby:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_RUBY_SEARCH_BY_CPE_ENABLED}\n stock:\n search:\n by_cpe:\n # Disabling search by CPE for the stock matcher will entirely disable binary-only matches and is not advised\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_STOCK_SEARCH_BY_CPE_ENABLED}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n reports:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n enable_graphiql: 
${ANCHORE_ENTERPRISE_REPORTS_ENABLE_GRAPHIQL}\n cycle_timers:\n reports_scheduled_queries: 600\n max_async_execution_threads: ${ANCHORE_ENTERPRISE_REPORTS_MAX_ASYNC_EXECUTION_THREADS}\n async_execution_timeout: ${ANCHORE_ENTERPRISE_REPORTS_ASYNC_EXECUTION_TIMEOUT}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n use_volume: false\n\n reports_worker:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n enable_data_ingress: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_DATA_INGRESS}\n enable_data_egress: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_DATA_EGRESS}\n data_egress_window: ${ANCHORE_ENTERPRISE_REPORTS_DATA_EGRESS_WINDOW}\n data_refresh_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_REFRESH_MAX_WORKERS}\n data_load_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_LOAD_MAX_WORKERS}\n cycle_timers:\n reports_extended_runtime_vuln_load: 1800\n reports_image_egress: 600\n reports_image_load: 600\n reports_image_refresh: 7200\n reports_metrics: 3600\n reports_runtime_inventory_load: 600\n reports_tag_egress: 600\n reports_tag_load: 600\n reports_tag_refresh: 7200\n runtime_report_generation:\n use_legacy_loaders_and_queries: false\n inventory_images_by_vulnerability: true\n vulnerabilities_by_k8s_namespace: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE}\n vulnerabilities_by_k8s_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER}\n vulnerabilities_by_ecs_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n notifications:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n cycle_timers:\n notifications: 30\n 
ui_url: ${ANCHORE_ENTERPRISE_UI_URL}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n data_syncer:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: 0.0.0.0\n port: ${ANCHORE_PORT}\n auto_sync_enabled: ${ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED}\n upload_dir: /analysis_scratch\n datasets:\n vulnerability_db:\n versions: [\"5\"]\n clamav_db:\n versions: [\"1\"]\n kev_db:\n versions: [\"1\"]\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n" kind: ConfigMap metadata: annotations: @@ -424,6 +64,7 @@ should render the configmaps: ANCHORE_ADMIN_EMAIL: admin@myanchore ANCHORE_ALLOW_ECR_IAM_AUTO: "true" ANCHORE_ANALYZER_TASK_REQUEUE: "true" + ANCHORE_API_DRIVEN_CONFIGURATION_ENABLED: "true" ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "true" ANCHORE_AUTH_PRIVKEY: "null" ANCHORE_AUTH_PUBKEY: "null" @@ -465,7 +106,7 @@ should render the configmaps: ANCHORE_LAYER_CACHE_ENABLED: "false" ANCHORE_LAYER_CACHE_SIZE_GB: "0" ANCHORE_LICENSE_FILE: /home/anchore/license.yaml - ANCHORE_LOG_LEVEL: INFO + ANCHORE_LOG_LEVEL: ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB: "-1" ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB: "100" ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB: "100" diff --git a/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap index 7d56c37b..d57dbb57 100644 --- a/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap 
@@ -2,367 +2,7 @@ should render the configmaps for osaa migration if enabled: 1: | apiVersion: v1 data: - config.yaml: | - # Anchore Service Configuration File, mounted from a configmap - # - service_dir: ${ANCHORE_SERVICE_DIR} - tmp_dir: ${ANCHORE_TMP_DIR} - log_level: ${ANCHORE_LOG_LEVEL} # Deprecated - prefer use of logging.log_level - - logging: - colored_logging: false - exception_backtrace_logging: false - exception_diagnose_logging: false - file_retention_rule: 10 - file_rotation_rule: 10 MB - log_level: INFO - server_access_logging: true - server_log_level: info - server_response_debug_logging: false - structured_logging: false - - server: - max_connection_backlog: 2048 - max_wsgi_middleware_worker_count: 50 - max_wsgi_middleware_worker_queue_size: 100 - timeout_graceful_shutdown: false - timeout_keep_alive: 5 - - allow_awsecr_iam_auto: ${ANCHORE_ALLOW_ECR_IAM_AUTO} - host_id: "${ANCHORE_HOST_ID}" - internal_ssl_verify: ${ANCHORE_INTERNAL_SSL_VERIFY} - image_analyze_timeout_seconds: ${ANCHORE_IMAGE_ANALYZE_TIMEOUT_SECONDS} - - global_client_connect_timeout: ${ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT} - global_client_read_timeout: ${ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT} - server_request_timeout_seconds: ${ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC} - - license_file: ${ANCHORE_LICENSE_FILE} - auto_restart_services: false - - max_source_import_size_mb: ${ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB} - max_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB} - - max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB} - - audit: - enabled: true - mode: log - verbs: - - post - - put - - delete - - patch - resource_uris: - - "/accounts" - - "/accounts/{account_name}" - - "/accounts/{account_name}/state" - - "/accounts/{account_name}/users" - - "/accounts/{account_name}/users/{username}" - - "/accounts/{account_name}/users/{username}/api-keys" - - "/accounts/{account_name}/users/{username}/api-keys/{key_name}" - - 
"/accounts/{account_name}/users/{username}/credentials" - - "/rbac-manager/roles" - - "/rbac-manager/roles/{role_name}/members" - - "/rbac-manager/saml/idps" - - "/rbac-manager/saml/idps/{name}" - - "/rbac-manager/saml/idps/{name}/user-group-mappings" - - "/system/user-groups" - - "/system/user-groups/{group_uuid}" - - "/system/user-groups/{group_uuid}/roles" - - "/system/user-groups/{group_uuid}/users" - - "/user/api-keys" - - "/user/api-keys/{key_name}" - - "/user/credentials" - - metrics: - enabled: ${ANCHORE_ENABLE_METRICS} - auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH} - - webhooks: - {} - - default_admin_password: "${ANCHORE_ADMIN_PASSWORD}" - default_admin_email: ${ANCHORE_ADMIN_EMAIL} - - keys: - secret: "${ANCHORE_SAML_SECRET}" - public_key_path: ${ANCHORE_AUTH_PRIVKEY} - private_key_path: ${ANCHORE_AUTH_PUBKEY} - - user_authentication: - oauth: - enabled: ${ANCHORE_OAUTH_ENABLED} - default_token_expiration_seconds: ${ANCHORE_OAUTH_TOKEN_EXPIRATION} - refresh_token_expiration_seconds: ${ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION} - hashed_passwords: ${ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS} - sso_require_existing_users: ${ANCHORE_SSO_REQUIRES_EXISTING_USERS} - allow_api_keys_for_saml_users: false - max_api_key_age_days: 365 - max_api_keys_per_user: 100 - remove_deleted_user_api_keys_older_than_days: 365 - disallow_native_users: false - log_saml_assertions: false - credentials: - database: - user: "${ANCHORE_DB_USER}" - password: "${ANCHORE_DB_PASSWORD}" - host: "${ANCHORE_DB_HOST}" - port: "${ANCHORE_DB_PORT}" - name: "${ANCHORE_DB_NAME}" - db_connect_args: - timeout: ${ANCHORE_DB_TIMEOUT} - ssl: ${ANCHORE_DB_SSL} - db_pool_size: ${ANCHORE_DB_POOL_SIZE} - db_pool_max_overflow: ${ANCHORE_DB_POOL_MAX_OVERFLOW} - - account_gc: - max_resource_gc_chunk: 4096 - max_deletion_threads: 4 - - services: - apiext: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - listen: '0.0.0.0' 
- port: ${ANCHORE_PORT} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - analyzer: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - cycle_timer_seconds: 1 - cycle_timers: - image_analyzer: 1 - analyzer_driver: 'nodocker' - layer_cache_enable: ${ANCHORE_LAYER_CACHE_ENABLED} - layer_cache_max_gigabytes: ${ANCHORE_LAYER_CACHE_SIZE_GB} - enable_hints: ${ANCHORE_HINTS_ENABLED} - enable_owned_package_filtering: ${ANCHORE_OWNED_PACKAGE_FILTERING_ENABLED} - keep_image_analysis_tmpfiles: ${ANCHORE_KEEP_IMAGE_ANALYSIS_TMPFILES} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - catalog: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - cycle_timer_seconds: 1 - cycle_timers: - analyzer_queue: 1 - archive_tasks: 43200 - artifact_lifecycle_policy_tasks: 43200 - events_gc: 43200 - image_gc: 60 - image_watcher: 3600 - k8s_image_watcher: 150 - notifications: 30 - policy_bundle_sync: 300 - policy_eval: 3600 - repo_watcher: 60 - resource_metrics: 60 - service_watcher: 15 - vulnerability_scan: 14400 - event_log: - max_retention_age_days: 180 - notification: - enabled: false - level: - - error - runtime_inventory: - inventory_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS} - inventory_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE} - integrations: - integration_health_report_ttl_days: ${ANCHORE_ENTERPRISE_INTEGRATION_HEALTH_REPORTS_TTL_DAYS} - image_gc: - max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS} - runtime_compliance: - object_store_bucket: "runtime_compliance_check" - down_analyzer_task_requeue: ${ANCHORE_ANALYZER_TASK_REQUEUE} - 
import_operation_expiration_days: ${ANCHORE_IMPORT_OPERATION_EXPIRATION_DAYS} - analysis_archive: - {} - object_store: - compression: - enabled: true - min_size_kbytes: 100 - storage_driver: - config: {} - name: db - verify_content_digests: true - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - simplequeue: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - policy_engine: - enabled: true - require_auth: true - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - policy_evaluation_cache_ttl: ${ANCHORE_POLICY_EVAL_CACHE_TTL_SECONDS} - cycle_timer_seconds: 1 - cycle_timers: - feed_sync: 14400 - feed_sync_checker: 3600 - enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD} - enable_user_base_image: true - vulnerabilities: - sync: - enabled: true - ssl_verify: ${ANCHORE_FEEDS_SSL_VERIFY} - connection_timeout_seconds: 3 - read_timeout_seconds: 60 - data: - grypedb: - enabled: true - matching: - exclude: - providers: [] - package_types: [] - default: - search: - by_cpe: - enabled: ${ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED} - ecosystem_specific: - dotnet: - search: - by_cpe: - enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_DOTNET_SEARCH_BY_CPE_ENABLED} - golang: - search: - by_cpe: - enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_GOLANG_SEARCH_BY_CPE_ENABLED} - java: - search: - by_cpe: - enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVA_SEARCH_BY_CPE_ENABLED} - javascript: - search: - by_cpe: - enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVASCRIPT_SEARCH_BY_CPE_ENABLED} - python: - search: - by_cpe: - enabled: 
${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_PYTHON_SEARCH_BY_CPE_ENABLED} - ruby: - search: - by_cpe: - enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_RUBY_SEARCH_BY_CPE_ENABLED} - stock: - search: - by_cpe: - # Disabling search by CPE for the stock matcher will entirely disable binary-only matches and is not advised - enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_STOCK_SEARCH_BY_CPE_ENABLED} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - reports: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - enable_graphiql: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_GRAPHIQL} - cycle_timers: - reports_scheduled_queries: 600 - max_async_execution_threads: ${ANCHORE_ENTERPRISE_REPORTS_MAX_ASYNC_EXECUTION_THREADS} - async_execution_timeout: ${ANCHORE_ENTERPRISE_REPORTS_ASYNC_EXECUTION_TIMEOUT} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - use_volume: false - - reports_worker: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - enable_data_ingress: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_DATA_INGRESS} - enable_data_egress: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_DATA_EGRESS} - data_egress_window: ${ANCHORE_ENTERPRISE_REPORTS_DATA_EGRESS_WINDOW} - data_refresh_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_REFRESH_MAX_WORKERS} - data_load_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_LOAD_MAX_WORKERS} - cycle_timers: - reports_extended_runtime_vuln_load: 1800 - reports_image_egress: 600 - reports_image_load: 600 - reports_image_refresh: 7200 - reports_metrics: 3600 - reports_runtime_inventory_load: 600 - reports_tag_egress: 600 - reports_tag_load: 600 - reports_tag_refresh: 7200 - runtime_report_generation: - 
use_legacy_loaders_and_queries: false - inventory_images_by_vulnerability: true - vulnerabilities_by_k8s_namespace: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE} - vulnerabilities_by_k8s_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER} - vulnerabilities_by_ecs_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - notifications: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - cycle_timers: - notifications: 30 - ui_url: ${ANCHORE_ENTERPRISE_UI_URL} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - data_syncer: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: 0.0.0.0 - port: ${ANCHORE_PORT} - auto_sync_enabled: ${ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED} - upload_dir: /analysis_scratch - datasets: - vulnerability_db: - versions: ["5"] - clamav_db: - versions: ["1"] - kev_db: - versions: ["1"] - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} + config.yaml: "# Anchore Service Configuration File, mounted from a configmap\n#\nservice_dir: ${ANCHORE_SERVICE_DIR}\ntmp_dir: ${ANCHORE_TMP_DIR}\nlog_level: ${ANCHORE_LOG_LEVEL} # Deprecated - prefer use of logging.log_level\n\nlogging:\n colored_logging: false\n exception_backtrace_logging: false\n exception_diagnose_logging: false\n file_retention_rule: 10\n file_rotation_rule: 10 MB\n log_level: \n server_access_logging: true\n server_log_level: info\n server_response_debug_logging: false\n structured_logging: false\n\nserver:\n max_connection_backlog: 2048\n max_wsgi_middleware_worker_count: 50\n max_wsgi_middleware_worker_queue_size: 100\n timeout_graceful_shutdown: false\n 
timeout_keep_alive: 5\n\nallow_awsecr_iam_auto: ${ANCHORE_ALLOW_ECR_IAM_AUTO}\nhost_id: \"${ANCHORE_HOST_ID}\"\ninternal_ssl_verify: ${ANCHORE_INTERNAL_SSL_VERIFY}\nimage_analyze_timeout_seconds: ${ANCHORE_IMAGE_ANALYZE_TIMEOUT_SECONDS}\n\nglobal_client_connect_timeout: ${ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT}\nglobal_client_read_timeout: ${ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT}\nserver_request_timeout_seconds: ${ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC}\n\nlicense_file: ${ANCHORE_LICENSE_FILE}\nauto_restart_services: false\n\nmax_source_import_size_mb: ${ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB}\nmax_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB}\n\nmax_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB}\n\naudit:\n enabled: true\n mode: log\n verbs:\n - post\n - put\n - delete\n - patch\n resource_uris:\n - \"/accounts\"\n - \"/accounts/{account_name}\"\n - \"/accounts/{account_name}/state\"\n - \"/accounts/{account_name}/users\"\n - \"/accounts/{account_name}/users/{username}\"\n - \"/accounts/{account_name}/users/{username}/api-keys\"\n - \"/accounts/{account_name}/users/{username}/api-keys/{key_name}\"\n - \"/accounts/{account_name}/users/{username}/credentials\"\n - \"/rbac-manager/roles\"\n - \"/rbac-manager/roles/{role_name}/members\"\n - \"/rbac-manager/saml/idps\"\n - \"/rbac-manager/saml/idps/{name}\"\n - \"/rbac-manager/saml/idps/{name}/user-group-mappings\"\n - \"/system/user-groups\"\n - \"/system/user-groups/{group_uuid}\"\n - \"/system/user-groups/{group_uuid}/roles\"\n - \"/system/user-groups/{group_uuid}/users\"\n - \"/user/api-keys\"\n - \"/user/api-keys/{key_name}\"\n - \"/user/credentials\"\n\nmetrics:\n enabled: ${ANCHORE_ENABLE_METRICS}\n auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH}\n\nwebhooks:\n {}\n\ndefault_admin_password: \"${ANCHORE_ADMIN_PASSWORD}\"\ndefault_admin_email: ${ANCHORE_ADMIN_EMAIL}\n\nconfiguration: \n api_driven_configuration_enabled: ${ANCHORE_API_DRIVEN_CONFIGURATION_ENABLED}\n\nkeys:\n secret: 
\"${ANCHORE_SAML_SECRET}\"\n public_key_path: ${ANCHORE_AUTH_PRIVKEY}\n private_key_path: ${ANCHORE_AUTH_PUBKEY}\n\nuser_authentication:\n oauth:\n enabled: ${ANCHORE_OAUTH_ENABLED}\n default_token_expiration_seconds: ${ANCHORE_OAUTH_TOKEN_EXPIRATION}\n refresh_token_expiration_seconds: ${ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION}\n hashed_passwords: ${ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS}\n sso_require_existing_users: ${ANCHORE_SSO_REQUIRES_EXISTING_USERS}\n allow_api_keys_for_saml_users: false\n max_api_key_age_days: 365\n max_api_keys_per_user: 100\n remove_deleted_user_api_keys_older_than_days: 365\n disallow_native_users: false\n log_saml_assertions: false\ncredentials:\n database:\n user: \"${ANCHORE_DB_USER}\"\n password: \"${ANCHORE_DB_PASSWORD}\"\n host: \"${ANCHORE_DB_HOST}\"\n port: \"${ANCHORE_DB_PORT}\"\n name: \"${ANCHORE_DB_NAME}\"\n db_connect_args:\n timeout: ${ANCHORE_DB_TIMEOUT}\n ssl: ${ANCHORE_DB_SSL}\n db_pool_size: ${ANCHORE_DB_POOL_SIZE}\n db_pool_max_overflow: ${ANCHORE_DB_POOL_MAX_OVERFLOW}\n\naccount_gc:\n max_resource_gc_chunk: 4096\n max_deletion_threads: 4\n\nservices:\n apiext:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n analyzer:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n cycle_timer_seconds: 1\n cycle_timers:\n image_analyzer: 1\n analyzer_driver: 'nodocker'\n layer_cache_enable: ${ANCHORE_LAYER_CACHE_ENABLED}\n layer_cache_max_gigabytes: ${ANCHORE_LAYER_CACHE_SIZE_GB}\n enable_hints: ${ANCHORE_HINTS_ENABLED}\n enable_owned_package_filtering: ${ANCHORE_OWNED_PACKAGE_FILTERING_ENABLED}\n keep_image_analysis_tmpfiles: 
${ANCHORE_KEEP_IMAGE_ANALYSIS_TMPFILES}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n catalog:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n cycle_timer_seconds: 1\n cycle_timers:\n analyzer_queue: 1\n archive_tasks: 43200\n artifact_lifecycle_policy_tasks: 43200\n events_gc: 43200\n image_gc: 60\n image_watcher: 3600\n k8s_image_watcher: 150\n notifications: 30\n policy_bundle_sync: 300\n policy_eval: 3600\n repo_watcher: 60\n resource_metrics: 60\n service_watcher: 15\n vulnerability_scan: 14400\n event_log:\n max_retention_age_days: 180\n notification:\n enabled: false\n level:\n - error\n runtime_inventory:\n inventory_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS}\n inventory_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE}\n integrations:\n integration_health_report_ttl_days: ${ANCHORE_ENTERPRISE_INTEGRATION_HEALTH_REPORTS_TTL_DAYS}\n image_gc:\n max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS}\n runtime_compliance:\n object_store_bucket: \"runtime_compliance_check\"\n down_analyzer_task_requeue: ${ANCHORE_ANALYZER_TASK_REQUEUE}\n import_operation_expiration_days: ${ANCHORE_IMPORT_OPERATION_EXPIRATION_DAYS}\n analysis_archive:\n {}\n object_store:\n compression:\n enabled: true\n min_size_kbytes: 100\n storage_driver:\n config: {}\n name: db\n verify_content_digests: true\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n simplequeue:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n policy_engine:\n enabled: true\n require_auth: true\n 
max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n policy_evaluation_cache_ttl: ${ANCHORE_POLICY_EVAL_CACHE_TTL_SECONDS}\n cycle_timer_seconds: 1\n cycle_timers:\n feed_sync: 14400\n feed_sync_checker: 3600\n enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD}\n enable_user_base_image: true\n vulnerabilities:\n sync:\n enabled: true\n ssl_verify: ${ANCHORE_FEEDS_SSL_VERIFY}\n connection_timeout_seconds: 3\n read_timeout_seconds: 60\n data:\n grypedb:\n enabled: true\n matching:\n exclude:\n providers: []\n package_types: []\n default:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED}\n ecosystem_specific:\n dotnet:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_DOTNET_SEARCH_BY_CPE_ENABLED}\n golang:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_GOLANG_SEARCH_BY_CPE_ENABLED}\n java:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVA_SEARCH_BY_CPE_ENABLED}\n javascript:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVASCRIPT_SEARCH_BY_CPE_ENABLED}\n python:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_PYTHON_SEARCH_BY_CPE_ENABLED}\n ruby:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_RUBY_SEARCH_BY_CPE_ENABLED}\n stock:\n search:\n by_cpe:\n # Disabling search by CPE for the stock matcher will entirely disable binary-only matches and is not advised\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_STOCK_SEARCH_BY_CPE_ENABLED}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n reports:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n enable_graphiql: 
${ANCHORE_ENTERPRISE_REPORTS_ENABLE_GRAPHIQL}\n cycle_timers:\n reports_scheduled_queries: 600\n max_async_execution_threads: ${ANCHORE_ENTERPRISE_REPORTS_MAX_ASYNC_EXECUTION_THREADS}\n async_execution_timeout: ${ANCHORE_ENTERPRISE_REPORTS_ASYNC_EXECUTION_TIMEOUT}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n use_volume: false\n\n reports_worker:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n enable_data_ingress: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_DATA_INGRESS}\n enable_data_egress: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_DATA_EGRESS}\n data_egress_window: ${ANCHORE_ENTERPRISE_REPORTS_DATA_EGRESS_WINDOW}\n data_refresh_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_REFRESH_MAX_WORKERS}\n data_load_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_LOAD_MAX_WORKERS}\n cycle_timers:\n reports_extended_runtime_vuln_load: 1800\n reports_image_egress: 600\n reports_image_load: 600\n reports_image_refresh: 7200\n reports_metrics: 3600\n reports_runtime_inventory_load: 600\n reports_tag_egress: 600\n reports_tag_load: 600\n reports_tag_refresh: 7200\n runtime_report_generation:\n use_legacy_loaders_and_queries: false\n inventory_images_by_vulnerability: true\n vulnerabilities_by_k8s_namespace: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE}\n vulnerabilities_by_k8s_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER}\n vulnerabilities_by_ecs_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n notifications:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n cycle_timers:\n notifications: 30\n 
ui_url: ${ANCHORE_ENTERPRISE_UI_URL}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n data_syncer:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: 0.0.0.0\n port: ${ANCHORE_PORT}\n auto_sync_enabled: ${ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED}\n upload_dir: /analysis_scratch\n datasets:\n vulnerability_db:\n versions: [\"5\"]\n clamav_db:\n versions: [\"1\"]\n kev_db:\n versions: [\"1\"]\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n" kind: ConfigMap metadata: annotations: 
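Review bot: The recorded config.yaml now renders `logging.log_level` as `log_level: ` — an empty value with a trailing space — and the deprecated top-level `log_level: ${ANCHORE_LOG_LEVEL}` has nothing to fall back on either, so after this change neither key sets a log level for the migration job. Whether the service tolerates an empty string or fails validation is not visible here; confirm against the template's default for `anchoreConfig.logging.log_level`, which the README documents as `INFO`. The trailing space is presumably also why the snapshot flipped from a readable `|` block scalar to one double-quoted line (a literal block cannot carry trailing whitespace), which makes every future diff of this file unreviewable; trimming the rendered value in the template, e.g. `log_level: {{ .Values.anchoreConfig.logging.log_level | default "INFO" }}`, should restore both the value and the block style.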
@@ -382,378 +22,7 @@ should render the configmaps for osaa migration if enabled: 2: | apiVersion: v1 data: - config.yaml: | - # Anchore Object Store and Analysis Archive Migration configuration file, mounted from a configmap - # - service_dir: ${ANCHORE_SERVICE_DIR} - tmp_dir: ${ANCHORE_TMP_DIR} - log_level: ${ANCHORE_LOG_LEVEL} # Deprecated - prefer use of logging.log_level - - logging: - colored_logging: false - exception_backtrace_logging: false - exception_diagnose_logging: false - file_retention_rule: 10 - file_rotation_rule: 10 MB - log_level: INFO - server_access_logging: true - server_log_level: info - server_response_debug_logging: false - structured_logging: false - - server: - max_connection_backlog: 2048 - max_wsgi_middleware_worker_count: 50 - max_wsgi_middleware_worker_queue_size: 100 - timeout_graceful_shutdown: false - timeout_keep_alive: 5 - - allow_awsecr_iam_auto: ${ANCHORE_ALLOW_ECR_IAM_AUTO} - host_id: "${ANCHORE_HOST_ID}" - internal_ssl_verify: ${ANCHORE_INTERNAL_SSL_VERIFY} - image_analyze_timeout_seconds: ${ANCHORE_IMAGE_ANALYZE_TIMEOUT_SECONDS} - - global_client_connect_timeout: ${ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT} - global_client_read_timeout: ${ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT} - server_request_timeout_seconds: ${ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC} - - license_file: ${ANCHORE_LICENSE_FILE} - auto_restart_services: false - - max_source_import_size_mb: ${ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB} - max_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB} - - max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB} - - audit: - enabled: true - mode: log - verbs: - - post - - put - - delete - - patch - resource_uris: - - "/accounts" - - "/accounts/{account_name}" - - "/accounts/{account_name}/state" - - "/accounts/{account_name}/users" - - "/accounts/{account_name}/users/{username}" - - "/accounts/{account_name}/users/{username}/api-keys" - - "/accounts/{account_name}/users/{username}/api-keys/{key_name}" - - 
"/accounts/{account_name}/users/{username}/credentials" - - "/rbac-manager/roles" - - "/rbac-manager/roles/{role_name}/members" - - "/rbac-manager/saml/idps" - - "/rbac-manager/saml/idps/{name}" - - "/rbac-manager/saml/idps/{name}/user-group-mappings" - - "/system/user-groups" - - "/system/user-groups/{group_uuid}" - - "/system/user-groups/{group_uuid}/roles" - - "/system/user-groups/{group_uuid}/users" - - "/user/api-keys" - - "/user/api-keys/{key_name}" - - "/user/credentials" - - metrics: - enabled: ${ANCHORE_ENABLE_METRICS} - auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH} - - webhooks: - {} - - default_admin_password: "${ANCHORE_ADMIN_PASSWORD}" - default_admin_email: ${ANCHORE_ADMIN_EMAIL} - - keys: - secret: "${ANCHORE_SAML_SECRET}" - public_key_path: ${ANCHORE_AUTH_PRIVKEY} - private_key_path: ${ANCHORE_AUTH_PUBKEY} - - user_authentication: - oauth: - enabled: ${ANCHORE_OAUTH_ENABLED} - default_token_expiration_seconds: ${ANCHORE_OAUTH_TOKEN_EXPIRATION} - refresh_token_expiration_seconds: ${ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION} - hashed_passwords: ${ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS} - sso_require_existing_users: ${ANCHORE_SSO_REQUIRES_EXISTING_USERS} - allow_api_keys_for_saml_users: false - max_api_key_age_days: 365 - max_api_keys_per_user: 100 - remove_deleted_user_api_keys_older_than_days: 365 - disallow_native_users: false - log_saml_assertions: false - credentials: - database: - user: "${ANCHORE_DB_USER}" - password: "${ANCHORE_DB_PASSWORD}" - host: "${ANCHORE_DB_HOST}" - port: "${ANCHORE_DB_PORT}" - name: "${ANCHORE_DB_NAME}" - db_connect_args: - timeout: ${ANCHORE_DB_TIMEOUT} - ssl: ${ANCHORE_DB_SSL} - db_pool_size: ${ANCHORE_DB_POOL_SIZE} - db_pool_max_overflow: ${ANCHORE_DB_POOL_MAX_OVERFLOW} - - account_gc: - max_resource_gc_chunk: 4096 - max_deletion_threads: 4 - - services: - apiext: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - listen: '0.0.0.0' 
- port: ${ANCHORE_PORT} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - analyzer: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - cycle_timer_seconds: 1 - cycle_timers: - image_analyzer: 1 - analyzer_driver: 'nodocker' - layer_cache_enable: ${ANCHORE_LAYER_CACHE_ENABLED} - layer_cache_max_gigabytes: ${ANCHORE_LAYER_CACHE_SIZE_GB} - enable_hints: ${ANCHORE_HINTS_ENABLED} - enable_owned_package_filtering: ${ANCHORE_OWNED_PACKAGE_FILTERING_ENABLED} - keep_image_analysis_tmpfiles: ${ANCHORE_KEEP_IMAGE_ANALYSIS_TMPFILES} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - catalog: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - cycle_timer_seconds: 1 - cycle_timers: - analyzer_queue: 1 - archive_tasks: 43200 - artifact_lifecycle_policy_tasks: 43200 - events_gc: 43200 - image_gc: 60 - image_watcher: 3600 - k8s_image_watcher: 150 - notifications: 30 - policy_bundle_sync: 300 - policy_eval: 3600 - repo_watcher: 60 - resource_metrics: 60 - service_watcher: 15 - vulnerability_scan: 14400 - event_log: - max_retention_age_days: 180 - notification: - enabled: false - level: - - error - runtime_inventory: - inventory_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS} - inventory_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE} - integrations: - integration_health_report_ttl_days: ${ANCHORE_ENTERPRISE_INTEGRATION_HEALTH_REPORTS_TTL_DAYS} - image_gc: - max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS} - runtime_compliance: - object_store_bucket: "runtime_compliance_check" - down_analyzer_task_requeue: ${ANCHORE_ANALYZER_TASK_REQUEUE} - 
import_operation_expiration_days: ${ANCHORE_IMPORT_OPERATION_EXPIRATION_DAYS} - analysis_archive: - compression: - enabled: true - min_size_kbytes: 100 - enabled: true - storage_driver: - config: - access_key: itsa - bucket: analysisarchive - region: null - secret_key: test - url: http://myminio.mynamespace.svc.cluster.local:9000 - name: s3 - object_store: - compression: - enabled: true - min_size_kbytes: 100 - storage_driver: - config: {} - name: db - verify_content_digests: true - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - simplequeue: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - policy_engine: - enabled: true - require_auth: true - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - policy_evaluation_cache_ttl: ${ANCHORE_POLICY_EVAL_CACHE_TTL_SECONDS} - cycle_timer_seconds: 1 - cycle_timers: - feed_sync: 14400 - feed_sync_checker: 3600 - enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD} - enable_user_base_image: true - vulnerabilities: - sync: - enabled: true - ssl_verify: ${ANCHORE_FEEDS_SSL_VERIFY} - connection_timeout_seconds: 3 - read_timeout_seconds: 60 - data: - grypedb: - enabled: true - matching: - exclude: - providers: [] - package_types: [] - default: - search: - by_cpe: - enabled: ${ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED} - ecosystem_specific: - dotnet: - search: - by_cpe: - enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_DOTNET_SEARCH_BY_CPE_ENABLED} - golang: - search: - by_cpe: - enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_GOLANG_SEARCH_BY_CPE_ENABLED} - java: - search: - by_cpe: - enabled: 
${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVA_SEARCH_BY_CPE_ENABLED} - javascript: - search: - by_cpe: - enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVASCRIPT_SEARCH_BY_CPE_ENABLED} - python: - search: - by_cpe: - enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_PYTHON_SEARCH_BY_CPE_ENABLED} - ruby: - search: - by_cpe: - enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_RUBY_SEARCH_BY_CPE_ENABLED} - stock: - search: - by_cpe: - # Disabling search by CPE for the stock matcher will entirely disable binary-only matches and is not advised - enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_STOCK_SEARCH_BY_CPE_ENABLED} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - reports: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - enable_graphiql: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_GRAPHIQL} - cycle_timers: - reports_scheduled_queries: 600 - max_async_execution_threads: ${ANCHORE_ENTERPRISE_REPORTS_MAX_ASYNC_EXECUTION_THREADS} - async_execution_timeout: ${ANCHORE_ENTERPRISE_REPORTS_ASYNC_EXECUTION_TIMEOUT} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - use_volume: false - - reports_worker: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - enable_data_ingress: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_DATA_INGRESS} - enable_data_egress: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_DATA_EGRESS} - data_egress_window: ${ANCHORE_ENTERPRISE_REPORTS_DATA_EGRESS_WINDOW} - data_refresh_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_REFRESH_MAX_WORKERS} - data_load_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_LOAD_MAX_WORKERS} - cycle_timers: - reports_extended_runtime_vuln_load: 1800 - 
reports_image_egress: 600 - reports_image_load: 600 - reports_image_refresh: 7200 - reports_metrics: 3600 - reports_runtime_inventory_load: 600 - reports_tag_egress: 600 - reports_tag_load: 600 - reports_tag_refresh: 7200 - runtime_report_generation: - use_legacy_loaders_and_queries: false - inventory_images_by_vulnerability: true - vulnerabilities_by_k8s_namespace: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE} - vulnerabilities_by_k8s_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER} - vulnerabilities_by_ecs_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - notifications: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: '0.0.0.0' - port: ${ANCHORE_PORT} - max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS} - cycle_timers: - notifications: 30 - ui_url: ${ANCHORE_ENTERPRISE_UI_URL} - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} - - data_syncer: - enabled: true - require_auth: true - endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME} - listen: 0.0.0.0 - port: ${ANCHORE_PORT} - auto_sync_enabled: ${ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED} - upload_dir: /analysis_scratch - datasets: - vulnerability_db: - versions: ["5"] - clamav_db: - versions: ["1"] - kev_db: - versions: ["1"] - ssl_enable: ${ANCHORE_SSL_ENABLED} - ssl_cert: ${ANCHORE_SSL_CERT} - ssl_key: ${ANCHORE_SSL_KEY} + config.yaml: "# Anchore Object Store and Analysis Archive Migration configuration file, mounted from a configmap\n#\nservice_dir: ${ANCHORE_SERVICE_DIR}\ntmp_dir: ${ANCHORE_TMP_DIR}\nlog_level: ${ANCHORE_LOG_LEVEL} # Deprecated - prefer use of logging.log_level\n\nlogging:\n colored_logging: false\n exception_backtrace_logging: false\n exception_diagnose_logging: false\n file_retention_rule: 10\n file_rotation_rule: 10 MB\n log_level: \n 
server_access_logging: true\n server_log_level: info\n server_response_debug_logging: false\n structured_logging: false\n\nserver:\n max_connection_backlog: 2048\n max_wsgi_middleware_worker_count: 50\n max_wsgi_middleware_worker_queue_size: 100\n timeout_graceful_shutdown: false\n timeout_keep_alive: 5\n\nallow_awsecr_iam_auto: ${ANCHORE_ALLOW_ECR_IAM_AUTO}\nhost_id: \"${ANCHORE_HOST_ID}\"\ninternal_ssl_verify: ${ANCHORE_INTERNAL_SSL_VERIFY}\nimage_analyze_timeout_seconds: ${ANCHORE_IMAGE_ANALYZE_TIMEOUT_SECONDS}\n\nglobal_client_connect_timeout: ${ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT}\nglobal_client_read_timeout: ${ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT}\nserver_request_timeout_seconds: ${ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC}\n\nlicense_file: ${ANCHORE_LICENSE_FILE}\nauto_restart_services: false\n\nmax_source_import_size_mb: ${ANCHORE_MAX_IMPORT_SOURCE_SIZE_MB}\nmax_import_content_size_mb: ${ANCHORE_MAX_IMPORT_CONTENT_SIZE_MB}\n\nmax_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB}\n\naudit:\n enabled: true\n mode: log\n verbs:\n - post\n - put\n - delete\n - patch\n resource_uris:\n - \"/accounts\"\n - \"/accounts/{account_name}\"\n - \"/accounts/{account_name}/state\"\n - \"/accounts/{account_name}/users\"\n - \"/accounts/{account_name}/users/{username}\"\n - \"/accounts/{account_name}/users/{username}/api-keys\"\n - \"/accounts/{account_name}/users/{username}/api-keys/{key_name}\"\n - \"/accounts/{account_name}/users/{username}/credentials\"\n - \"/rbac-manager/roles\"\n - \"/rbac-manager/roles/{role_name}/members\"\n - \"/rbac-manager/saml/idps\"\n - \"/rbac-manager/saml/idps/{name}\"\n - \"/rbac-manager/saml/idps/{name}/user-group-mappings\"\n - \"/system/user-groups\"\n - \"/system/user-groups/{group_uuid}\"\n - \"/system/user-groups/{group_uuid}/roles\"\n - \"/system/user-groups/{group_uuid}/users\"\n - \"/user/api-keys\"\n - \"/user/api-keys/{key_name}\"\n - \"/user/credentials\"\n\nmetrics:\n enabled: ${ANCHORE_ENABLE_METRICS}\n 
auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH}\n\nwebhooks:\n {}\n\ndefault_admin_password: \"${ANCHORE_ADMIN_PASSWORD}\"\ndefault_admin_email: ${ANCHORE_ADMIN_EMAIL}\n\nconfiguration: \n api_driven_configuration_enabled: ${ANCHORE_API_DRIVEN_CONFIGURATION_ENABLED}\n\nkeys:\n secret: \"${ANCHORE_SAML_SECRET}\"\n public_key_path: ${ANCHORE_AUTH_PRIVKEY}\n private_key_path: ${ANCHORE_AUTH_PUBKEY}\n\nuser_authentication:\n oauth:\n enabled: ${ANCHORE_OAUTH_ENABLED}\n default_token_expiration_seconds: ${ANCHORE_OAUTH_TOKEN_EXPIRATION}\n refresh_token_expiration_seconds: ${ANCHORE_OAUTH_REFRESH_TOKEN_EXPIRATION}\n hashed_passwords: ${ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS}\n sso_require_existing_users: ${ANCHORE_SSO_REQUIRES_EXISTING_USERS}\n allow_api_keys_for_saml_users: false\n max_api_key_age_days: 365\n max_api_keys_per_user: 100\n remove_deleted_user_api_keys_older_than_days: 365\n disallow_native_users: false\n log_saml_assertions: false\ncredentials:\n database:\n user: \"${ANCHORE_DB_USER}\"\n password: \"${ANCHORE_DB_PASSWORD}\"\n host: \"${ANCHORE_DB_HOST}\"\n port: \"${ANCHORE_DB_PORT}\"\n name: \"${ANCHORE_DB_NAME}\"\n db_connect_args:\n timeout: ${ANCHORE_DB_TIMEOUT}\n ssl: ${ANCHORE_DB_SSL}\n db_pool_size: ${ANCHORE_DB_POOL_SIZE}\n db_pool_max_overflow: ${ANCHORE_DB_POOL_MAX_OVERFLOW}\n\naccount_gc:\n max_resource_gc_chunk: 4096\n max_deletion_threads: 4\n\nservices:\n apiext:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n analyzer:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n cycle_timer_seconds: 1\n cycle_timers:\n image_analyzer: 1\n analyzer_driver: 'nodocker'\n 
layer_cache_enable: ${ANCHORE_LAYER_CACHE_ENABLED}\n layer_cache_max_gigabytes: ${ANCHORE_LAYER_CACHE_SIZE_GB}\n enable_hints: ${ANCHORE_HINTS_ENABLED}\n enable_owned_package_filtering: ${ANCHORE_OWNED_PACKAGE_FILTERING_ENABLED}\n keep_image_analysis_tmpfiles: ${ANCHORE_KEEP_IMAGE_ANALYSIS_TMPFILES}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n catalog:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n cycle_timer_seconds: 1\n cycle_timers:\n analyzer_queue: 1\n archive_tasks: 43200\n artifact_lifecycle_policy_tasks: 43200\n events_gc: 43200\n image_gc: 60\n image_watcher: 3600\n k8s_image_watcher: 150\n notifications: 30\n policy_bundle_sync: 300\n policy_eval: 3600\n repo_watcher: 60\n resource_metrics: 60\n service_watcher: 15\n vulnerability_scan: 14400\n event_log:\n max_retention_age_days: 180\n notification:\n enabled: false\n level:\n - error\n runtime_inventory:\n inventory_ttl_days: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_TTL_DAYS}\n inventory_ingest_overwrite: ${ANCHORE_ENTERPRISE_RUNTIME_INVENTORY_INGEST_OVERWRITE}\n integrations:\n integration_health_report_ttl_days: ${ANCHORE_ENTERPRISE_INTEGRATION_HEALTH_REPORTS_TTL_DAYS}\n image_gc:\n max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS}\n runtime_compliance:\n object_store_bucket: \"runtime_compliance_check\"\n down_analyzer_task_requeue: ${ANCHORE_ANALYZER_TASK_REQUEUE}\n import_operation_expiration_days: ${ANCHORE_IMPORT_OPERATION_EXPIRATION_DAYS}\n analysis_archive:\n compression:\n enabled: true\n min_size_kbytes: 100\n enabled: true\n storage_driver:\n config:\n access_key: itsa\n bucket: analysisarchive\n region: null\n secret_key: test\n url: http://myminio.mynamespace.svc.cluster.local:9000\n name: s3\n object_store:\n compression:\n enabled: true\n min_size_kbytes: 100\n storage_driver:\n config: 
{}\n name: db\n verify_content_digests: true\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n simplequeue:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n policy_engine:\n enabled: true\n require_auth: true\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n policy_evaluation_cache_ttl: ${ANCHORE_POLICY_EVAL_CACHE_TTL_SECONDS}\n cycle_timer_seconds: 1\n cycle_timers:\n feed_sync: 14400\n feed_sync_checker: 3600\n enable_package_db_load: ${ANCHORE_POLICY_ENGINE_ENABLE_PACKAGE_DB_LOAD}\n enable_user_base_image: true\n vulnerabilities:\n sync:\n enabled: true\n ssl_verify: ${ANCHORE_FEEDS_SSL_VERIFY}\n connection_timeout_seconds: 3\n read_timeout_seconds: 60\n data:\n grypedb:\n enabled: true\n matching:\n exclude:\n providers: []\n package_types: []\n default:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED}\n ecosystem_specific:\n dotnet:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_DOTNET_SEARCH_BY_CPE_ENABLED}\n golang:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_GOLANG_SEARCH_BY_CPE_ENABLED}\n java:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVA_SEARCH_BY_CPE_ENABLED}\n javascript:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVASCRIPT_SEARCH_BY_CPE_ENABLED}\n python:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_PYTHON_SEARCH_BY_CPE_ENABLED}\n ruby:\n search:\n by_cpe:\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_RUBY_SEARCH_BY_CPE_ENABLED}\n stock:\n search:\n by_cpe:\n # Disabling 
search by CPE for the stock matcher will entirely disable binary-only matches and is not advised\n enabled: ${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_STOCK_SEARCH_BY_CPE_ENABLED}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n reports:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n enable_graphiql: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_GRAPHIQL}\n cycle_timers:\n reports_scheduled_queries: 600\n max_async_execution_threads: ${ANCHORE_ENTERPRISE_REPORTS_MAX_ASYNC_EXECUTION_THREADS}\n async_execution_timeout: ${ANCHORE_ENTERPRISE_REPORTS_ASYNC_EXECUTION_TIMEOUT}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n use_volume: false\n\n reports_worker:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n enable_data_ingress: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_DATA_INGRESS}\n enable_data_egress: ${ANCHORE_ENTERPRISE_REPORTS_ENABLE_DATA_EGRESS}\n data_egress_window: ${ANCHORE_ENTERPRISE_REPORTS_DATA_EGRESS_WINDOW}\n data_refresh_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_REFRESH_MAX_WORKERS}\n data_load_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_LOAD_MAX_WORKERS}\n cycle_timers:\n reports_extended_runtime_vuln_load: 1800\n reports_image_egress: 600\n reports_image_load: 600\n reports_image_refresh: 7200\n reports_metrics: 3600\n reports_runtime_inventory_load: 600\n reports_tag_egress: 600\n reports_tag_load: 600\n reports_tag_refresh: 7200\n runtime_report_generation:\n use_legacy_loaders_and_queries: false\n inventory_images_by_vulnerability: true\n vulnerabilities_by_k8s_namespace: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_NAMESPACE}\n vulnerabilities_by_k8s_container: 
${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_K8S_CONTAINER}\n vulnerabilities_by_ecs_container: ${ANCHORE_ENTERPRISE_REPORTS_VULNERABILITIES_BY_ECS_CONTAINER}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n notifications:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: '0.0.0.0'\n port: ${ANCHORE_PORT}\n max_request_threads: ${ANCHORE_MAX_REQUEST_THREADS}\n cycle_timers:\n notifications: 30\n ui_url: ${ANCHORE_ENTERPRISE_UI_URL}\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n\n data_syncer:\n enabled: true\n require_auth: true\n endpoint_hostname: ${ANCHORE_ENDPOINT_HOSTNAME}\n listen: 0.0.0.0\n port: ${ANCHORE_PORT}\n auto_sync_enabled: ${ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED}\n upload_dir: /analysis_scratch\n datasets:\n vulnerability_db:\n versions: [\"5\"]\n clamav_db:\n versions: [\"1\"]\n kev_db:\n versions: [\"1\"]\n ssl_enable: ${ANCHORE_SSL_ENABLED}\n ssl_cert: ${ANCHORE_SSL_CERT}\n ssl_key: ${ANCHORE_SSL_KEY}\n" kind: ConfigMap metadata: annotations: diff --git a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index acd3b9cc..7e5d214f 100644 --- a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -26,7 +26,7 @@ migration job should match snapshot: name: test-release-enterprise-config-env-vars - secretRef: name: test-release-enterprise - image: docker.io/anchore/enterprise:v5.11.1 + image: docker.io/anchore/enterprise:v5.12.0 imagePullPolicy: IfNotPresent name: migrate-analysis-archive volumeMounts: 
@@ -89,7 +89,7 @@ migration job should match snapshot: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.11.1 + image: docker.io/anchore/enterprise:v5.12.0 imagePullPolicy: IfNotPresent name: wait-for-db restartPolicy: Never @@ -148,7 +148,7 @@ migration job should match snapshot analysisArchiveMigration and objectStoreMigr name: test-release-enterprise-config-env-vars - secretRef: name: test-release-enterprise - image: docker.io/anchore/enterprise:v5.11.1 + image: docker.io/anchore/enterprise:v5.12.0 imagePullPolicy: IfNotPresent name: migrate-analysis-archive volumeMounts: @@ -211,7 +211,7 @@ migration job should match snapshot analysisArchiveMigration and objectStoreMigr valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.11.1 + image: docker.io/anchore/enterprise:v5.12.0 imagePullPolicy: IfNotPresent name: wait-for-db restartPolicy: Never @@ -268,7 +268,7 @@ migration job should match snapshot analysisArchiveMigration to true: name: test-release-enterprise-config-env-vars - secretRef: name: test-release-enterprise - image: docker.io/anchore/enterprise:v5.11.1 + image: docker.io/anchore/enterprise:v5.12.0 imagePullPolicy: IfNotPresent name: migrate-analysis-archive volumeMounts: @@ -331,7 +331,7 @@ migration job should match snapshot analysisArchiveMigration to true: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.11.1 + image: docker.io/anchore/enterprise:v5.12.0 imagePullPolicy: IfNotPresent name: wait-for-db restartPolicy: Never @@ -387,7 +387,7 @@ migration job should match snapshot objectStoreMigration to true: name: test-release-enterprise-config-env-vars - secretRef: name: test-release-enterprise - image: docker.io/anchore/enterprise:v5.11.1 + image: docker.io/anchore/enterprise:v5.12.0 imagePullPolicy: IfNotPresent name: migrate-analysis-archive volumeMounts: 
@@ -450,7 +450,7 @@ migration job should match snapshot objectStoreMigration to true: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.11.1 + image: docker.io/anchore/enterprise:v5.12.0 imagePullPolicy: IfNotPresent name: wait-for-db restartPolicy: Never @@ -585,7 +585,7 @@ should render proper initContainers: command: - /bin/bash - -c - image: bitnami/kubectl:1.27 + image: bitnami/kubectl:1.30 name: scale-down-anchore - args: - | @@ -621,6 +621,6 @@ should render proper initContainers: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.11.1 + image: docker.io/anchore/enterprise:v5.12.0 imagePullPolicy: IfNotPresent name: wait-for-db diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index a4e5e816..96dff3fb 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -19,7 +19,7 @@ global: ## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI ## -image: docker.io/anchore/enterprise:v5.11.1 +image: docker.io/anchore/enterprise:v5.12.0 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy @@ -254,7 +254,7 @@ anchoreConfig: ## @param anchoreConfig.log_level The log level for Anchore services: NOTE: This is deprecated, use logging.log_level ## options available: CRITICAL, ERROR, WARNING, SUCCESS, INFO, DEBUG, TRACE ## - log_level: INFO + log_level: "" # INFOINFO ## @param anchoreConfig.logging.colored_logging Enable colored output in the logs ## @param anchoreConfig.logging.exception_backtrace_logging Enable stack traces in the logs @@ -273,7 +273,7 @@ anchoreConfig: exception_diagnose_logging: false file_rotation_rule: "10 MB" file_retention_rule: 10 - log_level: INFO + log_level: "" # INFO server_access_logging: true server_response_debug_logging: false server_log_level: "info" 
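Review bot: `log_level: "" # INFOINFO` replaces the documented `INFO` default with an empty string and parks the old value in a trailing comment (with a doubled word), which reads like a debugging leftover rather than an intended change of default; the `## options available` line two lines above does not list an empty value. The same pattern appears in the `@@ -273` hunk (`anchoreConfig.logging.log_level: "" # INFO`) and in the `@@ -501` hunk on the next line, where `malware.clamav.enabled: "" # false` puts an empty string where the consumer expects a boolean, so whether malware scanning stays disabled by default now depends on how the template and the service coerce an empty value. The configmap snapshot earlier on this page already shows the effect for the logging key: it renders `log_level:` under `logging:` with no value, which a YAML loader reads as null, so the services presumably fall back to whatever they treat as unset — worth confirming before this ships. If the goal is to let the chart omit these keys, keep `log_level: INFO` and `enabled: false` here and handle the omission in the template; otherwise drop the trailing comments and update the `## @param` text and README defaults to match the new values.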
@@ -501,7 +501,7 @@ anchoreConfig: ## Malware scanning occurs only at analysis time when the image content itself is available malware: clamav: - enabled: false + enabled: "" # false db_update_enabled: true catalog: @@ -1433,7 +1433,7 @@ simpleQueue: ui: ## @param ui.image Image used for the Anchore UI container ## - image: docker.io/anchore/enterprise-ui:v5.11.0 + image: docker.io/anchore/enterprise-ui:v5.12.0 ## @param ui.imagePullPolicy Image pull policy for Anchore UI image ## @@ -1548,7 +1548,7 @@ upgradeJob: ## @param upgradeJob.kubectlImage The image to use for the upgrade job's init container that uses kubectl to scale down deployments before an upgrade ## This is only used in the preupgrade job. ## - kubectlImage: bitnami/kubectl:1.27 + kubectlImage: bitnami/kubectl:1.30 ## @param upgradeJob.nodeSelector Node labels for the Anchore upgrade job pod assignment ##