From d6f68b34814984a1c7bb19d488f88fa545d82c8e Mon Sep 17 00:00:00 2001 From: Hung Nguyen Date: Tue, 30 Jul 2024 16:07:13 -0400 Subject: [PATCH] enterprise: v5.8.0, slo improvements Signed-off-by: Hung Nguyen --- stable/enterprise/Chart.yaml | 4 +- stable/enterprise/README.md | 348 +++++++++--------- stable/enterprise/files/default_config.yaml | 3 + stable/enterprise/files/osaa_config.yaml | 3 + stable/enterprise/templates/_common.tpl | 25 +- stable/enterprise/templates/_helpers.tpl | 26 ++ stable/enterprise/templates/_names.tpl | 5 + .../templates/analyzer_deployment.yaml | 4 +- .../enterprise/templates/api_deployment.yaml | 4 +- .../templates/catalog_deployment.yaml | 4 +- .../templates/envvars_configmap.yaml | 1 + .../hooks/pre-upgrade/upgrade_job.yaml | 2 + .../templates/notifications_deployment.yaml | 4 +- .../templates/policyengine_deployment.yaml | 4 +- .../templates/reports_deployment.yaml | 4 +- .../templates/reportsworker_deployment.yaml | 4 +- .../templates/simplequeue_deployment.yaml | 4 +- .../enterprise/templates/ui_deployment.yaml | 3 +- .../__snapshot__/configmap_test.yaml.snap | 4 + .../osaa_configmap_test.yaml.snap | 6 + .../prehook_upgrade_resources_test.yaml.snap | 18 +- .../tests/analyzer_resources_test.yaml | 37 ++ .../enterprise/tests/api_resources_test.yaml | 37 ++ .../tests/catalog_resources_test.yaml | 37 ++ .../enterprise/tests/common_helpers_test.yaml | 1 + .../tests/notifications_resources_test.yaml | 37 ++ .../tests/policyengine_resources_test.yaml | 37 ++ .../posthook_upgrade_resources_test.yaml | 34 ++ .../tests/prehook_upgrade_resources_test.yaml | 34 ++ .../tests/reports_resources_test.yaml | 37 ++ .../tests/reportsworker_resources_test.yaml | 37 ++ .../tests/simplequeue_resources_test.yaml | 37 ++ .../enterprise/tests/ui_resources_test.yaml | 36 ++ stable/enterprise/values.yaml | 27 +- 34 files changed, 711 insertions(+), 197 deletions(-) 
diff --git a/stable/enterprise/Chart.yaml b/stable/enterprise/Chart.yaml index 7197a5bd..8079bf34 100644 --- a/stable/enterprise/Chart.yaml +++ b/stable/enterprise/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: enterprise -version: "2.8.0" -appVersion: "5.7.0" +version: "2.9.0" +appVersion: "5.8.0" kubeVersion: 1.23.x - 1.30.x || 1.23.x-x - 1.30.x-x description: | Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems, diff --git a/stable/enterprise/README.md b/stable/enterprise/README.md index feb2587b..fd997141 100644 --- a/stable/enterprise/README.md +++ b/stable/enterprise/README.md @@ -1006,7 +1006,7 @@ To restore your deployment to using your previous driver configurations: | Name | Description | Value | | --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | -| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.6.0` | +| `image` | Image used for all Anchore Enterprise deployments, excluding Anchore UI | `docker.io/anchore/enterprise:v5.8.0` | | `imagePullPolicy` | Image pull policy used by all deployments | `IfNotPresent` | | `imagePullSecretName` | Name of Docker credentials secret for access to private repos | `anchore-enterprise-pullcreds` | | `startMigrationPod` | Spin up a Database migration pod to help migrate the database to the new schema | `false` | 
@@ -1047,6 +1047,7 @@ To restore your deployment to using your previous driver configurations: | `doSourceAtEntry.filePaths` | List of file paths to `source` before starting Anchore services | `[]` | | `configOverride` | Allows for overriding the default Anchore configuration file | `""` | | `scripts` | Collection of helper scripts usable in all anchore enterprise pods | `{}` | +| `domainSuffix` | domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". | `""` | ### Anchore Configuration Parameters 
@@ -1175,62 +1176,65 @@ To restore your deployment to using your previous driver configurations: ### Anchore Analyzer k8s Deployment Parameters -| Name | Description | Value | -| -------------------------------- | --------------------------------------------------------------------------- | ------ | -| `analyzer.replicaCount` | Number of replicas for the Anchore Analyzer deployment | `1` | -| `analyzer.service.port` | The port used for gatherings metrics when .Values.metricsEnabled=true | `8084` | -| `analyzer.extraEnv` | Set extra environment variables for Anchore Analyzer pods | `[]` | -| `analyzer.resources` | Resource requests and limits for Anchore Analyzer pods | `{}` | -| `analyzer.labels` | Labels for Anchore Analyzer pods | `{}` | -| `analyzer.annotations` | Annotation for Anchore Analyzer pods | `{}` | -| `analyzer.nodeSelector` | Node labels for Anchore Analyzer pod assignment | `{}` | -| `analyzer.tolerations` | Tolerations for Anchore Analyzer pod assignment | `[]` | -| `analyzer.affinity` | Affinity for Anchore Analyzer pod assignment | `{}` | -| `analyzer.serviceAccountName` | Service account name for Anchore API pods | `""` | -| `analyzer.scratchVolume.details` | Details for the k8s volume to be created for Anchore Analyzer scratch space | `{}` | +| Name | Description | Value | +| -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `analyzer.replicaCount` | Number of replicas for the Anchore Analyzer deployment | `1` | +| `analyzer.service.port` | The port used for gatherings metrics when .Values.metricsEnabled=true | `8084` | +| `analyzer.service.domainSuffix` | domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". 
Takes precedence over the top level domainSuffix | `""` | +| `analyzer.extraEnv` | Set extra environment variables for Anchore Analyzer pods | `[]` | +| `analyzer.resources` | Resource requests and limits for Anchore Analyzer pods | `{}` | +| `analyzer.labels` | Labels for Anchore Analyzer pods | `{}` | +| `analyzer.annotations` | Annotation for Anchore Analyzer pods | `{}` | +| `analyzer.nodeSelector` | Node labels for Anchore Analyzer pod assignment | `{}` | +| `analyzer.tolerations` | Tolerations for Anchore Analyzer pod assignment | `[]` | +| `analyzer.affinity` | Affinity for Anchore Analyzer pod assignment | `{}` | +| `analyzer.serviceAccountName` | Service account name for Anchore API pods | `""` | +| `analyzer.scratchVolume.details` | Details for the k8s volume to be created for Anchore Analyzer scratch space | `{}` | ### Anchore API k8s Deployment Parameters -| Name | Description | Value | -| ------------------------- | ---------------------------------------------------- | ----------- | -| `api.replicaCount` | Number of replicas for Anchore API deployment | `1` | -| `api.service.type` | Service type for Anchore API | `ClusterIP` | -| `api.service.port` | Service port for Anchore API | `8228` | -| `api.service.annotations` | Annotations for Anchore API service | `{}` | -| `api.service.labels` | Labels for Anchore API service | `{}` | -| `api.service.nodePort` | nodePort for Anchore API service | `""` | -| `api.extraEnv` | Set extra environment variables for Anchore API pods | `[]` | -| `api.extraVolumes` | Define additional volumes for Anchore API pods | `[]` | -| `api.extraVolumeMounts` | Define additional volume mounts for Anchore API pods | `[]` | -| `api.resources` | Resource requests and limits for Anchore API pods | `{}` | -| `api.labels` | Labels for Anchore API pods | `{}` | -| `api.annotations` | Annotation for Anchore API pods | `{}` | -| `api.nodeSelector` | Node labels for Anchore API pod assignment | `{}` | -| `api.tolerations` | Tolerations 
for Anchore API pod assignment | `[]` | -| `api.affinity` | Affinity for Anchore API pod assignment | `{}` | -| `api.serviceAccountName` | Service account name for Anchore API pods | `""` | +| Name | Description | Value | +| -------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| `api.replicaCount` | Number of replicas for Anchore API deployment | `1` | +| `api.service.type` | Service type for Anchore API | `ClusterIP` | +| `api.service.port` | Service port for Anchore API | `8228` | +| `api.service.annotations` | Annotations for Anchore API service | `{}` | +| `api.service.labels` | Labels for Anchore API service | `{}` | +| `api.service.nodePort` | nodePort for Anchore API service | `""` | +| `api.service.domainSuffix` | domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". 
Takes precedence over the top level domainSuffix | `""` | +| `api.extraEnv` | Set extra environment variables for Anchore API pods | `[]` | +| `api.extraVolumes` | Define additional volumes for Anchore API pods | `[]` | +| `api.extraVolumeMounts` | Define additional volume mounts for Anchore API pods | `[]` | +| `api.resources` | Resource requests and limits for Anchore API pods | `{}` | +| `api.labels` | Labels for Anchore API pods | `{}` | +| `api.annotations` | Annotation for Anchore API pods | `{}` | +| `api.nodeSelector` | Node labels for Anchore API pod assignment | `{}` | +| `api.tolerations` | Tolerations for Anchore API pod assignment | `[]` | +| `api.affinity` | Affinity for Anchore API pod assignment | `{}` | +| `api.serviceAccountName` | Service account name for Anchore API pods | `""` | ### Anchore Catalog k8s Deployment Parameters -| Name | Description | Value | -| ------------------------------- | -------------------------------------------------------------------------- | ----------- | -| `catalog.replicaCount` | Number of replicas for the Anchore Catalog deployment | `1` | -| `catalog.service.type` | Service type for Anchore Catalog | `ClusterIP` | -| `catalog.service.port` | Service port for Anchore Catalog | `8082` | -| `catalog.service.annotations` | Annotations for Anchore Catalog service | `{}` | -| `catalog.service.labels` | Labels for Anchore Catalog service | `{}` | -| `catalog.service.nodePort` | nodePort for Anchore Catalog service | `""` | -| `catalog.extraEnv` | Set extra environment variables for Anchore Catalog pods | `[]` | -| `catalog.extraVolumes` | Define additional volumes for Anchore Catalog pods | `[]` | -| `catalog.extraVolumeMounts` | Define additional volume mounts for Anchore Catalog pods | `[]` | -| `catalog.resources` | Resource requests and limits for Anchore Catalog pods | `{}` | -| `catalog.labels` | Labels for Anchore Catalog pods | `{}` | -| `catalog.annotations` | Annotation for Anchore Catalog pods | `{}` | -| 
`catalog.nodeSelector` | Node labels for Anchore Catalog pod assignment | `{}` | -| `catalog.tolerations` | Tolerations for Anchore Catalog pod assignment | `[]` | -| `catalog.affinity` | Affinity for Anchore Catalog pod assignment | `{}` | -| `catalog.serviceAccountName` | Service account name for Anchore Catalog pods | `""` | -| `catalog.scratchVolume.details` | Details for the k8s volume to be created for Anchore Catalog scratch space | `{}` | +| Name | Description | Value | +| ------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| `catalog.replicaCount` | Number of replicas for the Anchore Catalog deployment | `1` | +| `catalog.service.type` | Service type for Anchore Catalog | `ClusterIP` | +| `catalog.service.port` | Service port for Anchore Catalog | `8082` | +| `catalog.service.annotations` | Annotations for Anchore Catalog service | `{}` | +| `catalog.service.labels` | Labels for Anchore Catalog service | `{}` | +| `catalog.service.nodePort` | nodePort for Anchore Catalog service | `""` | +| `catalog.service.domainSuffix` | domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". 
Takes precedence over the top level domainSuffix | `""` | +| `catalog.extraEnv` | Set extra environment variables for Anchore Catalog pods | `[]` | +| `catalog.extraVolumes` | Define additional volumes for Anchore Catalog pods | `[]` | +| `catalog.extraVolumeMounts` | Define additional volume mounts for Anchore Catalog pods | `[]` | +| `catalog.resources` | Resource requests and limits for Anchore Catalog pods | `{}` | +| `catalog.labels` | Labels for Anchore Catalog pods | `{}` | +| `catalog.annotations` | Annotation for Anchore Catalog pods | `{}` | +| `catalog.nodeSelector` | Node labels for Anchore Catalog pod assignment | `{}` | +| `catalog.tolerations` | Tolerations for Anchore Catalog pod assignment | `[]` | +| `catalog.affinity` | Affinity for Anchore Catalog pod assignment | `{}` | +| `catalog.serviceAccountName` | Service account name for Anchore Catalog pods | `""` | +| `catalog.scratchVolume.details` | Details for the k8s volume to be created for Anchore Catalog scratch space | `{}` | ### Anchore Feeds Chart Parameters 
@@ -1243,135 +1247,141 @@ To restore your deployment to using your previous driver configurations: ### Anchore Notifications Parameters -| Name | Description | Value | -| ----------------------------------- | -------------------------------------------------------------- | ----------- | -| `notifications.replicaCount` | Number of replicas for the Anchore Notifications deployment | `1` | -| `notifications.service.type` | Service type for Anchore Notifications | `ClusterIP` | -| `notifications.service.port` | Service port for Anchore Notifications | `8668` | -| `notifications.service.annotations` | Annotations for Anchore Notifications service | `{}` | -| `notifications.service.labels` | Labels for Anchore Notifications service | `{}` | -| `notifications.service.nodePort` | nodePort for Anchore Notifications service | `""` | -| `notifications.extraEnv` | Set extra environment variables for Anchore Notifications pods | `[]` | -| `notifications.extraVolumes` | Define additional volumes for Anchore Notifications pods | `[]` | -| `notifications.extraVolumeMounts` | Define additional volume mounts for Anchore Notifications pods | `[]` | -| `notifications.resources` | Resource requests and limits for Anchore Notifications pods | `{}` | -| `notifications.labels` | Labels for Anchore Notifications pods | `{}` | -| `notifications.annotations` | Annotation for Anchore Notifications pods | `{}` | -| `notifications.nodeSelector` | Node labels for Anchore Notifications pod assignment | `{}` | -| `notifications.tolerations` | Tolerations for Anchore Notifications pod assignment | `[]` | -| `notifications.affinity` | Affinity for Anchore Notifications pod assignment | `{}` | -| `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | +| Name | Description | Value | +| ------------------------------------ | 
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| `notifications.replicaCount` | Number of replicas for the Anchore Notifications deployment | `1` | +| `notifications.service.type` | Service type for Anchore Notifications | `ClusterIP` | +| `notifications.service.port` | Service port for Anchore Notifications | `8668` | +| `notifications.service.annotations` | Annotations for Anchore Notifications service | `{}` | +| `notifications.service.labels` | Labels for Anchore Notifications service | `{}` | +| `notifications.service.nodePort` | nodePort for Anchore Notifications service | `""` | +| `notifications.service.domainSuffix` | domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". Takes precedence over the top level domainSuffix | `""` | +| `notifications.extraEnv` | Set extra environment variables for Anchore Notifications pods | `[]` | +| `notifications.extraVolumes` | Define additional volumes for Anchore Notifications pods | `[]` | +| `notifications.extraVolumeMounts` | Define additional volume mounts for Anchore Notifications pods | `[]` | +| `notifications.resources` | Resource requests and limits for Anchore Notifications pods | `{}` | +| `notifications.labels` | Labels for Anchore Notifications pods | `{}` | +| `notifications.annotations` | Annotation for Anchore Notifications pods | `{}` | +| `notifications.nodeSelector` | Node labels for Anchore Notifications pod assignment | `{}` | +| `notifications.tolerations` | Tolerations for Anchore Notifications pod assignment | `[]` | +| `notifications.affinity` | Affinity for Anchore Notifications pod assignment | `{}` | +| `notifications.serviceAccountName` | Service account name for Anchore Notifications pods | `""` | ### Anchore Policy Engine k8s Deployment Parameters -| Name | Description | Value | -| 
------------------------------------ | -------------------------------------------------------------------------------- | ----------- | -| `policyEngine.replicaCount` | Number of replicas for the Anchore Policy Engine deployment | `1` | -| `policyEngine.service.type` | Service type for Anchore Policy Engine | `ClusterIP` | -| `policyEngine.service.port` | Service port for Anchore Policy Engine | `8087` | -| `policyEngine.service.annotations` | Annotations for Anchore Policy Engine service | `{}` | -| `policyEngine.service.labels` | Labels for Anchore Policy Engine service | `{}` | -| `policyEngine.service.nodePort` | nodePort for Anchore Policy Engine service | `""` | -| `policyEngine.extraEnv` | Set extra environment variables for Anchore Policy Engine pods | `[]` | -| `policyEngine.extraVolumes` | Define additional volumes for Anchore Policy Engine pods | `[]` | -| `policyEngine.extraVolumeMounts` | Define additional volume mounts for Anchore Policy Engine pods | `[]` | -| `policyEngine.resources` | Resource requests and limits for Anchore Policy Engine pods | `{}` | -| `policyEngine.labels` | Labels for Anchore Policy Engine pods | `{}` | -| `policyEngine.annotations` | Annotation for Anchore Policy Engine pods | `{}` | -| `policyEngine.nodeSelector` | Node labels for Anchore Policy Engine pod assignment | `{}` | -| `policyEngine.tolerations` | Tolerations for Anchore Policy Engine pod assignment | `[]` | -| `policyEngine.affinity` | Affinity for Anchore Policy Engine pod assignment | `{}` | -| `policyEngine.serviceAccountName` | Service account name for Anchore Policy Engine pods | `""` | -| `policyEngine.scratchVolume.details` | Details for the k8s volume to be created for Anchore Policy Engine scratch space | `{}` | +| Name | Description | Value | +| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 
| ----------- | +| `policyEngine.replicaCount` | Number of replicas for the Anchore Policy Engine deployment | `1` | +| `policyEngine.service.type` | Service type for Anchore Policy Engine | `ClusterIP` | +| `policyEngine.service.port` | Service port for Anchore Policy Engine | `8087` | +| `policyEngine.service.annotations` | Annotations for Anchore Policy Engine service | `{}` | +| `policyEngine.service.labels` | Labels for Anchore Policy Engine service | `{}` | +| `policyEngine.service.nodePort` | nodePort for Anchore Policy Engine service | `""` | +| `policyEngine.service.domainSuffix` | domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". Takes precedence over the top level domainSuffix | `""` | +| `policyEngine.extraEnv` | Set extra environment variables for Anchore Policy Engine pods | `[]` | +| `policyEngine.extraVolumes` | Define additional volumes for Anchore Policy Engine pods | `[]` | +| `policyEngine.extraVolumeMounts` | Define additional volume mounts for Anchore Policy Engine pods | `[]` | +| `policyEngine.resources` | Resource requests and limits for Anchore Policy Engine pods | `{}` | +| `policyEngine.labels` | Labels for Anchore Policy Engine pods | `{}` | +| `policyEngine.annotations` | Annotation for Anchore Policy Engine pods | `{}` | +| `policyEngine.nodeSelector` | Node labels for Anchore Policy Engine pod assignment | `{}` | +| `policyEngine.tolerations` | Tolerations for Anchore Policy Engine pod assignment | `[]` | +| `policyEngine.affinity` | Affinity for Anchore Policy Engine pod assignment | `{}` | +| `policyEngine.serviceAccountName` | Service account name for Anchore Policy Engine pods | `""` | +| `policyEngine.scratchVolume.details` | Details for the k8s volume to be created for Anchore Policy Engine scratch space | `{}` | ### Anchore Reports Parameters -| Name | Description | Value | -| ------------------------------- | 
-------------------------------------------------------------------------- | ----------- | -| `reports.replicaCount` | Number of replicas for the Anchore Reports deployment | `1` | -| `reports.service.type` | Service type for Anchore Reports | `ClusterIP` | -| `reports.service.port` | Service port for Anchore Reports | `8558` | -| `reports.service.annotations` | Annotations for Anchore Reports service | `{}` | -| `reports.service.labels` | Labels for Anchore Reports service | `{}` | -| `reports.service.nodePort` | nodePort for Anchore Reports service | `""` | -| `reports.extraEnv` | Set extra environment variables for Anchore Reports pods | `[]` | -| `reports.extraVolumes` | Define additional volumes for Anchore Reports pods | `[]` | -| `reports.extraVolumeMounts` | Define additional volume mounts for Anchore Reports pods | `[]` | -| `reports.resources` | Resource requests and limits for Anchore Reports pods | `{}` | -| `reports.labels` | Labels for Anchore Reports pods | `{}` | -| `reports.annotations` | Annotation for Anchore Reports pods | `{}` | -| `reports.nodeSelector` | Node labels for Anchore Reports pod assignment | `{}` | -| `reports.tolerations` | Tolerations for Anchore Reports pod assignment | `[]` | -| `reports.affinity` | Affinity for Anchore Reports pod assignment | `{}` | -| `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | -| `reports.scratchVolume.details` | Details for the k8s volume to be created for Anchore Reports scratch space | `{}` | +| Name | Description | Value | +| ------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| `reports.replicaCount` | Number of replicas for the Anchore Reports deployment | `1` | +| `reports.service.type` | Service type for Anchore Reports | `ClusterIP` | +| `reports.service.port` | Service port for Anchore 
Reports | `8558` | +| `reports.service.annotations` | Annotations for Anchore Reports service | `{}` | +| `reports.service.labels` | Labels for Anchore Reports service | `{}` | +| `reports.service.nodePort` | nodePort for Anchore Reports service | `""` | +| `reports.service.domainSuffix` | domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". Takes precedence over the top level domainSuffix | `""` | +| `reports.extraEnv` | Set extra environment variables for Anchore Reports pods | `[]` | +| `reports.extraVolumes` | Define additional volumes for Anchore Reports pods | `[]` | +| `reports.extraVolumeMounts` | Define additional volume mounts for Anchore Reports pods | `[]` | +| `reports.resources` | Resource requests and limits for Anchore Reports pods | `{}` | +| `reports.labels` | Labels for Anchore Reports pods | `{}` | +| `reports.annotations` | Annotation for Anchore Reports pods | `{}` | +| `reports.nodeSelector` | Node labels for Anchore Reports pod assignment | `{}` | +| `reports.tolerations` | Tolerations for Anchore Reports pod assignment | `[]` | +| `reports.affinity` | Affinity for Anchore Reports pod assignment | `{}` | +| `reports.serviceAccountName` | Service account name for Anchore Reports pods | `""` | +| `reports.scratchVolume.details` | Details for the k8s volume to be created for Anchore Reports scratch space | `{}` | ### Anchore Reports Worker Parameters -| Name | Description | Value | -| ----------------------------------- | --------------------------------------------------------------- | ----------- | -| `reportsWorker.replicaCount` | Number of replicas for the Anchore Reports deployment | `1` | -| `reportsWorker.service.type` | Service type for Anchore Reports Worker | `ClusterIP` | -| `reportsWorker.service.port` | Service port for Anchore Reports Worker | `8559` | -| `reportsWorker.service.annotations` | Annotations for Anchore Reports Worker service | `{}` | -| 
`reportsWorker.service.labels` | Labels for Anchore Reports Worker service | `{}` | -| `reportsWorker.service.nodePort` | nodePort for Anchore Reports Worker service | `""` | -| `reportsWorker.extraEnv` | Set extra environment variables for Anchore Reports Worker pods | `[]` | -| `reportsWorker.extraVolumes` | Define additional volumes for Anchore Reports Worker pods | `[]` | -| `reportsWorker.extraVolumeMounts` | Define additional volume mounts for Anchore Reports Worker pods | `[]` | -| `reportsWorker.resources` | Resource requests and limits for Anchore Reports Worker pods | `{}` | -| `reportsWorker.labels` | Labels for Anchore Reports Worker pods | `{}` | -| `reportsWorker.annotations` | Annotation for Anchore Reports Worker pods | `{}` | -| `reportsWorker.nodeSelector` | Node labels for Anchore Reports Worker pod assignment | `{}` | -| `reportsWorker.tolerations` | Tolerations for Anchore Reports Worker pod assignment | `[]` | -| `reportsWorker.affinity` | Affinity for Anchore Reports Worker pod assignment | `{}` | -| `reportsWorker.serviceAccountName` | Service account name for Anchore Reports Worker pods | `""` | +| Name | Description | Value | +| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| `reportsWorker.replicaCount` | Number of replicas for the Anchore Reports deployment | `1` | +| `reportsWorker.service.type` | Service type for Anchore Reports Worker | `ClusterIP` | +| `reportsWorker.service.port` | Service port for Anchore Reports Worker | `8559` | +| `reportsWorker.service.annotations` | Annotations for Anchore Reports Worker service | `{}` | +| `reportsWorker.service.labels` | Labels for Anchore Reports Worker service | `{}` | +| `reportsWorker.service.nodePort` | nodePort for Anchore Reports Worker service | `""` | +| `reportsWorker.service.domainSuffix` | domain 
suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". Takes precedence over the top level domainSuffix | `""` | +| `reportsWorker.extraEnv` | Set extra environment variables for Anchore Reports Worker pods | `[]` | +| `reportsWorker.extraVolumes` | Define additional volumes for Anchore Reports Worker pods | `[]` | +| `reportsWorker.extraVolumeMounts` | Define additional volume mounts for Anchore Reports Worker pods | `[]` | +| `reportsWorker.resources` | Resource requests and limits for Anchore Reports Worker pods | `{}` | +| `reportsWorker.labels` | Labels for Anchore Reports Worker pods | `{}` | +| `reportsWorker.annotations` | Annotation for Anchore Reports Worker pods | `{}` | +| `reportsWorker.nodeSelector` | Node labels for Anchore Reports Worker pod assignment | `{}` | +| `reportsWorker.tolerations` | Tolerations for Anchore Reports Worker pod assignment | `[]` | +| `reportsWorker.affinity` | Affinity for Anchore Reports Worker pod assignment | `{}` | +| `reportsWorker.serviceAccountName` | Service account name for Anchore Reports Worker pods | `""` | ### Anchore Simple Queue Parameters -| Name | Description | Value | -| --------------------------------- | ------------------------------------------------------------- | ----------- | -| `simpleQueue.replicaCount` | Number of replicas for the Anchore Simple Queue deployment | `1` | -| `simpleQueue.service.type` | Service type for Anchore Simple Queue | `ClusterIP` | -| `simpleQueue.service.port` | Service port for Anchore Simple Queue | `8083` | -| `simpleQueue.service.annotations` | Annotations for Anchore Simple Queue service | `{}` | -| `simpleQueue.service.labels` | Labels for Anchore Simple Queue service | `{}` | -| `simpleQueue.service.nodePort` | nodePort for Anchore Simple Queue service | `""` | -| `simpleQueue.extraEnv` | Set extra environment variables for Anchore Simple Queue pods | `[]` | -| `simpleQueue.extraVolumes` | Define 
additional volumes for Anchore Simple Queue pods | `[]` | -| `simpleQueue.extraVolumeMounts` | Define additional volume mounts for Anchore Simple Queue pods | `[]` | -| `simpleQueue.resources` | Resource requests and limits for Anchore Simple Queue pods | `{}` | -| `simpleQueue.labels` | Labels for Anchore Simple Queue pods | `{}` | -| `simpleQueue.annotations` | Annotation for Anchore Simple Queue pods | `{}` | -| `simpleQueue.nodeSelector` | Node labels for Anchore Simple Queue pod assignment | `{}` | -| `simpleQueue.tolerations` | Tolerations for Anchore Simple Queue pod assignment | `[]` | -| `simpleQueue.affinity` | Affinity for Anchore Simple Queue pod assignment | `{}` | -| `simpleQueue.serviceAccountName` | Service account name for Anchore Simple Queue pods | `""` | +| Name | Description | Value | +| ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| `simpleQueue.replicaCount` | Number of replicas for the Anchore Simple Queue deployment | `1` | +| `simpleQueue.service.type` | Service type for Anchore Simple Queue | `ClusterIP` | +| `simpleQueue.service.port` | Service port for Anchore Simple Queue | `8083` | +| `simpleQueue.service.annotations` | Annotations for Anchore Simple Queue service | `{}` | +| `simpleQueue.service.labels` | Labels for Anchore Simple Queue service | `{}` | +| `simpleQueue.service.nodePort` | nodePort for Anchore Simple Queue service | `""` | +| `simpleQueue.service.domainSuffix` | domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". 
Takes precedence over the top level domainSuffix | `""` | +| `simpleQueue.extraEnv` | Set extra environment variables for Anchore Simple Queue pods | `[]` | +| `simpleQueue.extraVolumes` | Define additional volumes for Anchore Simple Queue pods | `[]` | +| `simpleQueue.extraVolumeMounts` | Define additional volume mounts for Anchore Simple Queue pods | `[]` | +| `simpleQueue.resources` | Resource requests and limits for Anchore Simple Queue pods | `{}` | +| `simpleQueue.labels` | Labels for Anchore Simple Queue pods | `{}` | +| `simpleQueue.annotations` | Annotation for Anchore Simple Queue pods | `{}` | +| `simpleQueue.nodeSelector` | Node labels for Anchore Simple Queue pod assignment | `{}` | +| `simpleQueue.tolerations` | Tolerations for Anchore Simple Queue pod assignment | `[]` | +| `simpleQueue.affinity` | Affinity for Anchore Simple Queue pod assignment | `{}` | +| `simpleQueue.serviceAccountName` | Service account name for Anchore Simple Queue pods | `""` | ### Anchore UI Parameters -| Name | Description | Value | -| ---------------------------- | ----------------------------------------------------------------------------- | ---------------------------------------- | -| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.6.0` | -| `ui.imagePullPolicy` | Image pull policy for Anchore UI image | `IfNotPresent` | -| `ui.existingSecretName` | Name of an existing secret to be used for Anchore UI DB and Redis endpoints | `anchore-enterprise-ui-env` | -| `ui.ldapsRootCaCertName` | Name of the custom CA certificate file store in `.Values.certStoreSecretName` | `""` | -| `ui.service.type` | Service type for Anchore UI | `ClusterIP` | -| `ui.service.port` | Service port for Anchore UI | `80` | -| `ui.service.annotations` | Annotations for Anchore UI service | `{}` | -| `ui.service.labels` | Labels for Anchore UI service | `{}` | -| `ui.service.sessionAffinity` | Session Affinity for Ui service | `ClientIP` | -| 
`ui.service.nodePort` | nodePort for Anchore UI service | `""` | -| `ui.extraEnv` | Set extra environment variables for Anchore UI pods | `[]` | -| `ui.extraVolumes` | Define additional volumes for Anchore UI pods | `[]` | -| `ui.extraVolumeMounts` | Define additional volume mounts for Anchore UI pods | `[]` | -| `ui.resources` | Resource requests and limits for Anchore UI pods | `{}` | -| `ui.labels` | Labels for Anchore UI pods | `{}` | -| `ui.annotations` | Annotation for Anchore UI pods | `{}` | -| `ui.nodeSelector` | Node labels for Anchore UI pod assignment | `{}` | -| `ui.tolerations` | Tolerations for Anchore UI pod assignment | `[]` | -| `ui.affinity` | Affinity for Anchore ui pod assignment | `{}` | -| `ui.serviceAccountName` | Service account name for Anchore UI pods | `""` | +| Name | Description | Value | +| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | +| `ui.image` | Image used for the Anchore UI container | `docker.io/anchore/enterprise-ui:v5.8.0` | +| `ui.imagePullPolicy` | Image pull policy for Anchore UI image | `IfNotPresent` | +| `ui.existingSecretName` | Name of an existing secret to be used for Anchore UI DB and Redis endpoints | `anchore-enterprise-ui-env` | +| `ui.ldapsRootCaCertName` | Name of the custom CA certificate file store in `.Values.certStoreSecretName` | `""` | +| `ui.service.type` | Service type for Anchore UI | `ClusterIP` | +| `ui.service.port` | Service port for Anchore UI | `80` | +| `ui.service.annotations` | Annotations for Anchore UI service | `{}` | +| `ui.service.labels` | Labels for Anchore UI service | `{}` | +| `ui.service.sessionAffinity` | Session Affinity for Ui service | `ClientIP` | +| `ui.service.nodePort` | nodePort for Anchore UI service | `""` | +| `ui.service.domainSuffix` | domain suffix for appending to 
the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". Takes precedence over the top level domainSuffix | `""` | +| `ui.extraEnv` | Set extra environment variables for Anchore UI pods | `[]` | +| `ui.extraVolumes` | Define additional volumes for Anchore UI pods | `[]` | +| `ui.extraVolumeMounts` | Define additional volume mounts for Anchore UI pods | `[]` | +| `ui.resources` | Resource requests and limits for Anchore UI pods | `{}` | +| `ui.labels` | Labels for Anchore UI pods | `{}` | +| `ui.annotations` | Annotation for Anchore UI pods | `{}` | +| `ui.nodeSelector` | Node labels for Anchore UI pod assignment | `{}` | +| `ui.tolerations` | Tolerations for Anchore UI pod assignment | `[]` | +| `ui.affinity` | Affinity for Anchore ui pod assignment | `{}` | +| `ui.serviceAccountName` | Service account name for Anchore UI pods | `""` | ### Anchore Upgrade Job Parameters 
@@ -1476,6 +1486,14 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention. - **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update. +### V2.9.x +- Deploys Anchore Enterprise v5.8.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/580/) for more information. +- **Helm upgrade SLO improvements:** + - Deployments will only be scaled down when database upgrades are required, as determined by a major/minor version change of the appVersion in Chart.yaml. + - Deployments will no longer be scaled down for Anchore Enterprise or Kubernetes resource configuration changes. + - Deployments now utilize the RollingUpdate strategy instead of the Recreate strategy when using the pre-upgrade hook. This means that when making Anchore Enterprise or Kubernetes resource configuration changes that require pod replacement, pods will not terminate until the new pods are ready. +- Adds a domainSuffix to the service name for all services' ANCHORE_ENDPOINT_HOSTNAME. *If using proxies, you will need to update it from the service name to the fqdn. eg. anchore-enterprise-api -> anchore-enterprise-api.mynamespace.svc.cluster.local* + ### V2.8.x - Deploys Anchore Enterprise v5.7.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/570/) for more information. diff --git a/stable/enterprise/files/default_config.yaml b/stable/enterprise/files/default_config.yaml index d65bba02..dad307c2 100644 --- a/stable/enterprise/files/default_config.yaml +++ b/stable/enterprise/files/default_config.yaml 
@@ -203,6 +203,9 @@ services: packages: enabled: ${ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED} url: {{ template "enterprise.feedsURL" . }} + vulnerability_annotations: + enabled: ${ANCHORE_FEEDS_DRIVER_VULN_ANNOTATIONS_ENABLED} + url: {{ template "enterprise.feedsURL" . }} matching: default: search: diff --git a/stable/enterprise/files/osaa_config.yaml b/stable/enterprise/files/osaa_config.yaml index 5d2ff105..2e812ce7 100644 --- a/stable/enterprise/files/osaa_config.yaml +++ b/stable/enterprise/files/osaa_config.yaml @@ -175,6 +175,9 @@ services: packages: enabled: ${ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED} url: {{ template "enterprise.feedsURL" . }} + vulnerability_annotations: + enabled: ${ANCHORE_FEEDS_DRIVER_VULN_ANNOTATIONS_ENABLED} + url: {{ template "enterprise.feedsURL" . }} matching: default: search: diff --git a/stable/enterprise/templates/_common.tpl b/stable/enterprise/templates/_common.tpl index e0bc00a1..a075a613 100644 --- a/stable/enterprise/templates/_common.tpl +++ b/stable/enterprise/templates/_common.tpl 
@@ -108,8 +108,20 @@ When calling this template, .component can be included in the context for compon {{- with (index .Values (print $component)).extraEnv }} {{ toYaml . }} {{- end }} + +# check if the domainSuffix is set on the service level of the component, if it is, use that, else use the global domainSuffix +{{- $serviceName := include (printf "enterprise.%s.fullname" $component) . }} +{{- $domainSuffix := .Values.domainSuffix }} + +{{- with (index .Values (print $component)).service }} +{{- if .domainSuffix }} +{{- $domainSuffix = .domainSuffix }} +{{- end }} +{{- end }} + - name: ANCHORE_ENDPOINT_HOSTNAME - value: {{ include (printf "enterprise.%s.fullname" $component) . }}.{{ .Release.Namespace }}.svc.cluster.local + value: {{ $serviceName }}.{{- if $domainSuffix -}}{{ $domainSuffix }}{{- else -}}{{ .Release.Namespace }}.svc.cluster.local{{- end }} + {{- with (index .Values (print $component)).service }} - name: ANCHORE_PORT value: {{ .port | quote }} @@ -348,3 +360,14 @@ Setup the common anchore volumes secretName: {{ .Values.cloudsql.serviceAccSecretName }} {{- end }} {{- end -}} + +{{/* +Deployment Strategy Definition. For preupgrade hooks, use RollingUpdate. For postupgrade hooks, use Recreate. +*/}} +{{- define "enterprise.common.deploymentStrategy" -}} +{{- if .Values.upgradeJob.usePostUpgradeHook -}} +type: Recreate +{{- else -}} +type: RollingUpdate +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/stable/enterprise/templates/_helpers.tpl b/stable/enterprise/templates/_helpers.tpl index 35638b75..8908363e 100644 --- a/stable/enterprise/templates/_helpers.tpl +++ b/stable/enterprise/templates/_helpers.tpl 
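Review bot: The `ANCHORE_ENDPOINT_HOSTNAME` value added here is rendered unquoted from the operator-supplied `domainSuffix` with no check on its shape, so a suffix with a leading dot or a YAML-significant character yields a malformed hostname or manifest. Building it in one expression and quoting it keeps the entry a string: `value: {{ printf "%s.%s" $serviceName (default (printf "%s.svc.cluster.local" .Release.Namespace) $domainSuffix) | quote }}`. The `# check if the domainSuffix is set …` line is a YAML comment, not a template comment, so it is rendered into each component's env list; `{{- /* … */ -}}` keeps it out of the output. Since this hostname is presumably how other services reach the component, the values documentation should say that a suffix resolving outside the cluster sends internal traffic there. The enclosing define starts and ends outside this hunk.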
@@ -164,3 +164,29 @@ Set the nodePort for services if its defined nodePort: {{ (index .Values (print $component)).service.nodePort }} {{- end -}} {{- end -}} + +{{/* +Checks if the appVersion.minor has increased, which is indicitive of requiring a db upgrade/service scaling down +*/}} +{{- define "enterprise.appVersionChanged" -}} + +{{- $configMapName := include "enterprise.fullname" . -}} +{{- $configMap := (lookup "v1" "ConfigMap" .Release.Namespace $configMapName) -}} +{{- if $configMap -}} + {{- $currentAppVersion := .Chart.AppVersion -}} + {{- $currentAppVersionSplit := splitList "." $currentAppVersion -}} + {{- $currentAppVersionMajorMinor := ($currentAppVersionSplit | initial | join ".") -}} + {{- $labelVersionKey := "app.kubernetes.io/version" -}} + {{- $configMapAppVersion := index $configMap.metadata.labels $labelVersionKey -}} + {{- $configMapAppVersionSplit := splitList "." $configMapAppVersion -}} + {{- $configMapAppVersionMajorMinor := ($configMapAppVersionSplit | initial | join ".") -}} + {{- if ne $currentAppVersionMajorMinor $configMapAppVersionMajorMinor -}} + {{- print "true" -}} + {{- else -}} + {{- print "false" -}} + {{- end -}} +{{- else -}} + {{- print "true" -}} +{{- end -}} + +{{- end -}} diff --git a/stable/enterprise/templates/_names.tpl b/stable/enterprise/templates/_names.tpl index f38f5e69..4287401e 100644 --- a/stable/enterprise/templates/_names.tpl +++ b/stable/enterprise/templates/_names.tpl 
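Review bot: In `enterprise.appVersionChanged`, `index $configMap.metadata.labels $labelVersionKey` assumes the existing ConfigMap carries an `app.kubernetes.io/version` label; when the label or the whole labels map is absent, the value handed to `splitList` is not a string and the render fails instead of falling back to the safe answer. `{{- $configMapAppVersion := dig "metadata" "labels" $labelVersionKey "" $configMap -}}` yields an empty string in that case, which compares unequal and returns "true", the same fail-safe the `else` branch already uses. The define's comment should also state that `lookup` returns nothing under `helm template` and client-side dry runs, so those renders always report "true". Finally, skipping the scale-down rests on a mutable label and on the assumption that patch releases never change the schema; a stale or edited label would let the database upgrade run while services are still up, so an explicit values override to force the scale-down would be a useful safeguard.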
@@ -71,6 +71,11 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s-%s-%s" .Release.Name $name (.Chart.AppVersion | replace "." "") "osaa-migration-job" | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- define "enterprise.smokeTest.fullname" -}} +{{- $name := default .Chart.Name .Values.global.nameOverride -}} +{{- printf "%s-%s-%s-%s" .Release.Name $name (.Chart.AppVersion | replace "." "") "smoke-test" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{- define "enterprise.feeds.fullname" -}} {{- if .Values.feeds.fullnameOverride }} {{- .Values.feeds.fullnameOverride | trunc 63 | trimSuffix "-" }} diff --git a/stable/enterprise/templates/analyzer_deployment.yaml b/stable/enterprise/templates/analyzer_deployment.yaml index 88779220..229e0ced 100644 --- a/stable/enterprise/templates/analyzer_deployment.yaml +++ b/stable/enterprise/templates/analyzer_deployment.yaml @@ -11,8 +11,7 @@ spec: selector: matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} replicas: {{ .Values.analyzer.replicaCount }} - strategy: - type: Recreate + strategy: {{- include "enterprise.common.deploymentStrategy" . | nindent 4 }} template: metadata: labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} @@ -22,6 +21,7 @@ spec: {{- end }} checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} checksum/analyzer-config: {{ include (print $.Template.BasePath "/analyzer_configmap.yaml") . | sha256sum }} + checksum/enterprise-envvar: {{ include (print $.Template.BasePath "/envvars_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} 
diff --git a/stable/enterprise/templates/api_deployment.yaml b/stable/enterprise/templates/api_deployment.yaml index 1fb20d6f..229c74c8 100644 --- a/stable/enterprise/templates/api_deployment.yaml +++ b/stable/enterprise/templates/api_deployment.yaml @@ -11,8 +11,7 @@ spec: selector: matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} replicas: {{ .Values.api.replicaCount }} - strategy: - type: Recreate + strategy: {{- include "enterprise.common.deploymentStrategy" . | nindent 4 }} template: metadata: labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} @@ -24,6 +23,7 @@ spec: checksum/policy-config: {{ include (print $.Template.BasePath "/policybundle_configmap.yaml") . | sha256sum }} {{- end }} checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} + checksum/enterprise-envvar: {{ include (print $.Template.BasePath "/envvars_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} diff --git a/stable/enterprise/templates/catalog_deployment.yaml b/stable/enterprise/templates/catalog_deployment.yaml index 18586225..e639d68a 100644 --- a/stable/enterprise/templates/catalog_deployment.yaml +++ b/stable/enterprise/templates/catalog_deployment.yaml @@ -11,8 +11,7 @@ spec: selector: matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} replicas: {{ .Values.catalog.replicaCount }} - strategy: - type: Recreate + strategy: {{- include "enterprise.common.deploymentStrategy" . | nindent 4 }} template: metadata: labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} 
@@ -24,6 +23,7 @@ spec: {{- if .Values.anchoreConfig.policyBundles }} checksum/policy-config: {{ include (print $.Template.BasePath "/policybundle_configmap.yaml") . | sha256sum }} {{- end }} + checksum/enterprise-envvar: {{ include (print $.Template.BasePath "/envvars_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} diff --git a/stable/enterprise/templates/envvars_configmap.yaml b/stable/enterprise/templates/envvars_configmap.yaml index 43be8740..2e7084d1 100644 --- a/stable/enterprise/templates/envvars_configmap.yaml +++ b/stable/enterprise/templates/envvars_configmap.yaml @@ -64,6 +64,7 @@ data: ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: {{ dig "anchoreConfig" "feeds" "drivers" "msrc" "enabled" "false" .Values.feeds | quote }} ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED: "true" ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED: "false" + ANCHORE_FEEDS_DRIVER_VULN_ANNOTATIONS_ENABLED: "true" ANCHORE_FEEDS_SSL_VERIFY: "{{ .Values.anchoreConfig.internalServicesSSL.verifyCerts }}" ANCHORE_FEEDS_VULNERABILITIES_ENABLED: "true" ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT: "0" diff --git a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml index 0497c5d8..6128536f 100644 --- a/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml +++ b/stable/enterprise/templates/hooks/pre-upgrade/upgrade_job.yaml @@ -39,6 +39,7 @@ spec: secret: secretName: {{ .Values.cloudsql.serviceAccSecretName }} {{- end }} + {{- if eq (include "enterprise.appVersionChanged" .) "true" }} initContainers: - name: scale-down-anchore image: {{ .Values.upgradeJob.kubectlImage }} 
@@ -84,6 +85,7 @@ spec: {{- with .Values.upgradeJob.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} + {{- end }} containers: {{- if .Values.cloudsql.enabled }} {{- include "enterprise.common.cloudsqlContainer" . | nindent 8 }} diff --git a/stable/enterprise/templates/notifications_deployment.yaml b/stable/enterprise/templates/notifications_deployment.yaml index 25bcc040..5faa9ea2 100644 --- a/stable/enterprise/templates/notifications_deployment.yaml +++ b/stable/enterprise/templates/notifications_deployment.yaml @@ -11,8 +11,7 @@ spec: selector: matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} replicas: {{ .Values.notifications.replicaCount }} - strategy: - type: Recreate + strategy: {{- include "enterprise.common.deploymentStrategy" . | nindent 4 }} template: metadata: labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} @@ -21,6 +20,7 @@ spec: checksum/secrets: {{ include (print $.Template.BasePath "/anchore_secret.yaml") . | sha256sum }} {{- end }} checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} + checksum/enterprise-envvar: {{ include (print $.Template.BasePath "/envvars_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} diff --git a/stable/enterprise/templates/policyengine_deployment.yaml b/stable/enterprise/templates/policyengine_deployment.yaml index 3d54db31..e7f0e152 100644 --- a/stable/enterprise/templates/policyengine_deployment.yaml +++ b/stable/enterprise/templates/policyengine_deployment.yaml 
@@ -11,8 +11,7 @@ spec: selector: matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} replicas: {{ .Values.policyEngine.replicaCount }} - strategy: - type: Recreate + strategy: {{- include "enterprise.common.deploymentStrategy" . | nindent 4 }} template: metadata: labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} @@ -21,6 +20,7 @@ spec: checksum/secrets: {{ include (print $.Template.BasePath "/anchore_secret.yaml") . | sha256sum }} {{- end }} checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} + checksum/enterprise-envvar: {{ include (print $.Template.BasePath "/envvars_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} diff --git a/stable/enterprise/templates/reports_deployment.yaml b/stable/enterprise/templates/reports_deployment.yaml index 7ffa87d7..7562d607 100644 --- a/stable/enterprise/templates/reports_deployment.yaml +++ b/stable/enterprise/templates/reports_deployment.yaml @@ -11,8 +11,7 @@ spec: selector: matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} replicas: {{ .Values.reports.replicaCount }} - strategy: - type: Recreate + strategy: {{- include "enterprise.common.deploymentStrategy" . | nindent 4 }} template: metadata: labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} 
@@ -21,6 +20,7 @@ spec: checksum/secrets: {{ include (print $.Template.BasePath "/anchore_secret.yaml") . | sha256sum }} {{- end }} checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} + checksum/enterprise-envvar: {{ include (print $.Template.BasePath "/envvars_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} diff --git a/stable/enterprise/templates/reportsworker_deployment.yaml b/stable/enterprise/templates/reportsworker_deployment.yaml index 321cc474..77859adc 100644 --- a/stable/enterprise/templates/reportsworker_deployment.yaml +++ b/stable/enterprise/templates/reportsworker_deployment.yaml @@ -11,8 +11,7 @@ spec: selector: matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} replicas: {{ .Values.reportsWorker.replicaCount }} - strategy: - type: Recreate + strategy: {{- include "enterprise.common.deploymentStrategy" . | nindent 4 }} template: metadata: labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} @@ -21,6 +20,7 @@ spec: checksum/secrets: {{ include (print $.Template.BasePath "/anchore_secret.yaml") . | sha256sum }} {{- end }} checksum/enterprise-config: {{ tpl (print $.Files.BasePath "/default_config.yaml") . | sha256sum }} + checksum/enterprise-envvar: {{ include (print $.Template.BasePath "/envvars_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} diff --git a/stable/enterprise/templates/simplequeue_deployment.yaml b/stable/enterprise/templates/simplequeue_deployment.yaml index 16db860a..ad196ba7 100644 
--- a/stable/enterprise/templates/simplequeue_deployment.yaml +++ b/stable/enterprise/templates/simplequeue_deployment.yaml @@ -10,8 +10,7 @@ spec: selector: matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} replicas: {{ .Values.simpleQueue.replicaCount }} - strategy: - type: Recreate + strategy: {{- include "enterprise.common.deploymentStrategy" . | nindent 4 }} template: metadata: labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} @@ -20,6 +19,7 @@ spec: checksum/secrets: {{ include (print $.Template.BasePath "/anchore_secret.yaml") . | sha256sum }} {{- end }} checksum/enterprise-config: {{ include (print $.Template.BasePath "/anchore_configmap.yaml") . | sha256sum }} + checksum/enterprise-envvar: {{ include (print $.Template.BasePath "/envvars_configmap.yaml") . | sha256sum }} spec: {{- include "enterprise.common.podSpec" (merge (dict "component" $component) .) | indent 6 }} volumes: {{- include "enterprise.common.volumes" (merge (dict "component" $component) .) | nindent 8 }} diff --git a/stable/enterprise/templates/ui_deployment.yaml b/stable/enterprise/templates/ui_deployment.yaml index e98af7b6..0c157023 100644 --- a/stable/enterprise/templates/ui_deployment.yaml +++ b/stable/enterprise/templates/ui_deployment.yaml @@ -11,8 +11,7 @@ spec: selector: matchLabels: {{- include "enterprise.common.matchLabels" (merge (dict "component" $component) .) | nindent 6 }} replicas: 1 - strategy: - type: Recreate + strategy: {{- include "enterprise.common.deploymentStrategy" . | nindent 4 }} template: metadata: labels: {{- include "enterprise.common.labels" (merge (dict "component" $component) .) | nindent 8 }} diff --git a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap index 2015facb..785dc2f5 100644 --- a/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap 
+++ b/stable/enterprise/tests/__snapshot__/configmap_test.yaml.snap @@ -281,6 +281,9 @@ should render the configmaps: packages: enabled: ${ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED} url: http://test-release-feeds:8448/v2/feeds + vulnerability_annotations: + enabled: ${ANCHORE_FEEDS_DRIVER_VULN_ANNOTATIONS_ENABLED} + url: http://test-release-feeds:8448/v2/feeds matching: default: search: @@ -435,6 +438,7 @@ should render the configmaps: ANCHORE_FEEDS_DRIVER_MSRC_ENABLED: "false" ANCHORE_FEEDS_DRIVER_NVDV2_ENABLED: "true" ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED: "false" + ANCHORE_FEEDS_DRIVER_VULN_ANNOTATIONS_ENABLED: "true" ANCHORE_FEEDS_SSL_VERIFY: "false" ANCHORE_FEEDS_VULNERABILITIES_ENABLED: "true" ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT: "0" diff --git a/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap b/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap index 6a3b054b..5791f1f6 100644 --- a/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/osaa_configmap_test.yaml.snap @@ -242,6 +242,9 @@ should render the configmaps for osaa migration if enabled: packages: enabled: ${ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED} url: http://test-release-feeds:8448/v2/feeds + vulnerability_annotations: + enabled: ${ANCHORE_FEEDS_DRIVER_VULN_ANNOTATIONS_ENABLED} + url: http://test-release-feeds:8448/v2/feeds matching: default: search: @@ -563,6 +566,9 @@ should render the configmaps for osaa migration if enabled: packages: enabled: ${ANCHORE_FEEDS_DRIVER_PACKAGES_ENABLED} url: http://test-release-feeds:8448/v2/feeds + vulnerability_annotations: + enabled: ${ANCHORE_FEEDS_DRIVER_VULN_ANNOTATIONS_ENABLED} + url: http://test-release-feeds:8448/v2/feeds matching: default: search: diff --git a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap index 1cd7b8c0..0f10322e 100644 
--- a/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap +++ b/stable/enterprise/tests/__snapshot__/prehook_upgrade_resources_test.yaml.snap @@ -26,7 +26,7 @@ migration job should match snapshot: name: test-release-enterprise-config-env-vars - secretRef: name: test-release-enterprise - image: docker.io/anchore/enterprise:v5.7.0 + image: docker.io/anchore/enterprise:v5.8.0 imagePullPolicy: IfNotPresent name: migrate-analysis-archive volumeMounts: @@ -89,7 +89,7 @@ migration job should match snapshot: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.7.0 + image: docker.io/anchore/enterprise:v5.8.0 imagePullPolicy: IfNotPresent name: wait-for-db restartPolicy: Never @@ -148,7 +148,7 @@ migration job should match snapshot analysisArchiveMigration and objectStoreMigr name: test-release-enterprise-config-env-vars - secretRef: name: test-release-enterprise - image: docker.io/anchore/enterprise:v5.7.0 + image: docker.io/anchore/enterprise:v5.8.0 imagePullPolicy: IfNotPresent name: migrate-analysis-archive volumeMounts: @@ -211,7 +211,7 @@ migration job should match snapshot analysisArchiveMigration and objectStoreMigr valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.7.0 + image: docker.io/anchore/enterprise:v5.8.0 imagePullPolicy: IfNotPresent name: wait-for-db restartPolicy: Never @@ -268,7 +268,7 @@ migration job should match snapshot analysisArchiveMigration to true: name: test-release-enterprise-config-env-vars - secretRef: name: test-release-enterprise - image: docker.io/anchore/enterprise:v5.7.0 + image: docker.io/anchore/enterprise:v5.8.0 imagePullPolicy: IfNotPresent name: migrate-analysis-archive volumeMounts: 
@@ -331,7 +331,7 @@ migration job should match snapshot analysisArchiveMigration to true: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.7.0 + image: docker.io/anchore/enterprise:v5.8.0 imagePullPolicy: IfNotPresent name: wait-for-db restartPolicy: Never @@ -387,7 +387,7 @@ migration job should match snapshot objectStoreMigration to true: name: test-release-enterprise-config-env-vars - secretRef: name: test-release-enterprise - image: docker.io/anchore/enterprise:v5.7.0 + image: docker.io/anchore/enterprise:v5.8.0 imagePullPolicy: IfNotPresent name: migrate-analysis-archive volumeMounts: @@ -450,7 +450,7 @@ migration job should match snapshot objectStoreMigration to true: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.7.0 + image: docker.io/anchore/enterprise:v5.8.0 imagePullPolicy: IfNotPresent name: wait-for-db restartPolicy: Never @@ -621,6 +621,6 @@ should render proper initContainers: valueFrom: fieldRef: fieldPath: metadata.name - image: docker.io/anchore/enterprise:v5.7.0 + image: docker.io/anchore/enterprise:v5.8.0 imagePullPolicy: IfNotPresent name: wait-for-db diff --git a/stable/enterprise/tests/analyzer_resources_test.yaml b/stable/enterprise/tests/analyzer_resources_test.yaml index 2f32d353..532f3a78 100644 --- a/stable/enterprise/tests/analyzer_resources_test.yaml +++ b/stable/enterprise/tests/analyzer_resources_test.yaml @@ -4,6 +4,7 @@ templates: - analyzer_deployment.yaml - anchore_secret.yaml - anchore_configmap.yaml + - envvars_configmap.yaml release: name: test-release namespace: test-namespace 
@@ -398,3 +399,39 @@ tests: cpu: 200m memory: 256Mi count: 1 + + - it: should render ANCHORE_ENDPOINT_HOSTNAME as service name without domainSuffix + template: analyzer_deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-analyzer.test-namespace.svc.cluster.local + + - it: should render ANCHORE_ENDPOINT_HOSTNAME with toplevel domainSuffix + template: analyzer_deployment.yaml + documentIndex: 0 + set: + domainSuffix: "mynamespace.svc.cluster.local" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-analyzer.mynamespace.svc.cluster.local + + - it: should render ANCHORE_ENDPOINT_HOSTNAME with toplevel domainSuffix specified and overridden + template: analyzer_deployment.yaml + documentIndex: 0 + set: + domainSuffix: "mynamespace.svc.cluster.local" + analyzer.service.domainSuffix: "myothersuffix.svc.cluster.local" + ui.service.domainSuffix: "nope.svc.cluster.local" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-analyzer.myothersuffix.svc.cluster.local \ No newline at end of file diff --git a/stable/enterprise/tests/api_resources_test.yaml b/stable/enterprise/tests/api_resources_test.yaml index 93fc7953..b7f97813 100644 --- a/stable/enterprise/tests/api_resources_test.yaml +++ b/stable/enterprise/tests/api_resources_test.yaml @@ -4,6 +4,7 @@ templates: - anchore_secret.yaml - anchore_configmap.yaml - policybundle_configmap.yaml + - envvars_configmap.yaml release: name: test-release namespace: test-namespace 
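Review bot: The first new case is titled `should render ANCHORE_ENDPOINT_HOSTNAME as service name without domainSuffix` but asserts the fully qualified `test-release-enterprise-analyzer.test-namespace.svc.cluster.local`, so the title describes the opposite of what is pinned; something like `should render ANCHORE_ENDPOINT_HOSTNAME with the default <namespace>.svc.cluster.local suffix` matches the assertion. The three cases cover no suffix, a top-level suffix, and top-level plus component override, but not a component-level `analyzer.service.domainSuffix` with the top-level value unset, which is the path where the `with … service` branch alone decides the result. The same titles and the same gap repeat in the api, catalog, notifications and policyengine test hunks of this commit.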
@@ -495,3 +496,39 @@ tests: g2: v2 s1: a1 s2: a2 + + - it: should render ANCHORE_ENDPOINT_HOSTNAME as service name without domainSuffix + template: api_deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-api.test-namespace.svc.cluster.local + + - it: should render ANCHORE_ENDPOINT_HOSTNAME with toplevel domainSuffix + template: api_deployment.yaml + documentIndex: 0 + set: + domainSuffix: "mynamespace.svc.cluster.local" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-api.mynamespace.svc.cluster.local + + - it: should render ANCHORE_ENDPOINT_HOSTNAME with toplevel domainSuffix specified and overridden + template: api_deployment.yaml + documentIndex: 0 + set: + domainSuffix: "mynamespace.svc.cluster.local" + api.service.domainSuffix: "myothersuffix.svc.cluster.local" + ui.service.domainSuffix: "nope.svc.cluster.local" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-api.myothersuffix.svc.cluster.local \ No newline at end of file diff --git a/stable/enterprise/tests/catalog_resources_test.yaml b/stable/enterprise/tests/catalog_resources_test.yaml index 6e1c9ee2..4a3169a3 100644 --- a/stable/enterprise/tests/catalog_resources_test.yaml +++ b/stable/enterprise/tests/catalog_resources_test.yaml @@ -4,6 +4,7 @@ templates: - anchore_secret.yaml - anchore_configmap.yaml - policybundle_configmap.yaml + - envvars_configmap.yaml release: name: test-release namespace: test-namespace 
@@ -508,3 +509,39 @@ tests: g2: v2 s1: a1 s2: a2 + + - it: should render ANCHORE_ENDPOINT_HOSTNAME as service name without domainSuffix + template: catalog_deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-catalog.test-namespace.svc.cluster.local + + - it: should render ANCHORE_ENDPOINT_HOSTNAME with toplevel domainSuffix + template: catalog_deployment.yaml + documentIndex: 0 + set: + domainSuffix: "mynamespace.svc.cluster.local" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-catalog.mynamespace.svc.cluster.local + + - it: should render ANCHORE_ENDPOINT_HOSTNAME with toplevel domainSuffix specified and overridden + template: catalog_deployment.yaml + documentIndex: 0 + set: + domainSuffix: "mynamespace.svc.cluster.local" + catalog.service.domainSuffix: "myothersuffix.svc.cluster.local" + ui.service.domainSuffix: "nope.svc.cluster.local" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-catalog.myothersuffix.svc.cluster.local \ No newline at end of file diff --git a/stable/enterprise/tests/common_helpers_test.yaml b/stable/enterprise/tests/common_helpers_test.yaml index 5bf220bb..a2e52eab 100644 --- a/stable/enterprise/tests/common_helpers_test.yaml +++ b/stable/enterprise/tests/common_helpers_test.yaml @@ -15,6 +15,7 @@ templates: - ui_configmap.yaml - anchore_secret.yaml - ui_secret.yaml + - envvars_configmap.yaml release: name: test-release namespace: test-namespace diff --git a/stable/enterprise/tests/notifications_resources_test.yaml b/stable/enterprise/tests/notifications_resources_test.yaml index d36d76a5..88c21c7d 100644 --- a/stable/enterprise/tests/notifications_resources_test.yaml 
+++ b/stable/enterprise/tests/notifications_resources_test.yaml @@ -3,6 +3,7 @@ templates: - notifications_deployment.yaml - anchore_secret.yaml - anchore_configmap.yaml + - envvars_configmap.yaml release: name: test-release namespace: test-namespace @@ -413,3 +414,39 @@ tests: g2: v2 s1: a1 s2: a2 + + - it: should render ANCHORE_ENDPOINT_HOSTNAME as service name without domainSuffix + template: notifications_deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-notifications.test-namespace.svc.cluster.local + + - it: should render ANCHORE_ENDPOINT_HOSTNAME with toplevel domainSuffix + template: notifications_deployment.yaml + documentIndex: 0 + set: + domainSuffix: "mynamespace.svc.cluster.local" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-notifications.mynamespace.svc.cluster.local + + - it: should render ANCHORE_ENDPOINT_HOSTNAME with toplevel domainSuffix specified and overridden + template: notifications_deployment.yaml + documentIndex: 0 + set: + domainSuffix: "mynamespace.svc.cluster.local" + notifications.service.domainSuffix: "myothersuffix.svc.cluster.local" + ui.service.domainSuffix: "nope.svc.cluster.local" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-notifications.myothersuffix.svc.cluster.local \ No newline at end of file diff --git a/stable/enterprise/tests/policyengine_resources_test.yaml b/stable/enterprise/tests/policyengine_resources_test.yaml index d7c1538a..bf2abb48 100644 --- a/stable/enterprise/tests/policyengine_resources_test.yaml +++ b/stable/enterprise/tests/policyengine_resources_test.yaml 
@@ -3,6 +3,7 @@ templates: - policyengine_deployment.yaml - anchore_secret.yaml - anchore_configmap.yaml + - envvars_configmap.yaml release: name: test-release namespace: test-namespace @@ -467,3 +468,39 @@ tests: g2: v2 s1: a1 s2: a2 + + - it: should render ANCHORE_ENDPOINT_HOSTNAME as service name without domainSuffix + template: policyengine_deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-policy.test-namespace.svc.cluster.local + + - it: should render ANCHORE_ENDPOINT_HOSTNAME with toplevel domainSuffix + template: policyengine_deployment.yaml + documentIndex: 0 + set: + domainSuffix: "mynamespace.svc.cluster.local" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-policy.mynamespace.svc.cluster.local + + - it: should render ANCHORE_ENDPOINT_HOSTNAME with toplevel domainSuffix specified and overridden + template: policyengine_deployment.yaml + documentIndex: 0 + set: + domainSuffix: "mynamespace.svc.cluster.local" + policyEngine.service.domainSuffix: "myothersuffix.svc.cluster.local" + ui.service.domainSuffix: "nope.svc.cluster.local" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-policy.myothersuffix.svc.cluster.local \ No newline at end of file diff --git a/stable/enterprise/tests/posthook_upgrade_resources_test.yaml b/stable/enterprise/tests/posthook_upgrade_resources_test.yaml index 36997aa8..83cbcc33 100644 --- a/stable/enterprise/tests/posthook_upgrade_resources_test.yaml +++ b/stable/enterprise/tests/posthook_upgrade_resources_test.yaml 
@@ -2,6 +2,32 @@ suite: Posthook Upgrade Job Tests templates: - hooks/post-upgrade/upgrade_job.yaml - anchore_secret.yaml + - analyzer_deployment.yaml + - api_deployment.yaml + - catalog_deployment.yaml + - notifications_deployment.yaml + - policyengine_deployment.yaml + - reports_deployment.yaml + - reportsworker_deployment.yaml + - simplequeue_deployment.yaml + - ui_deployment.yaml + - anchore_configmap.yaml + - envvars_configmap.yaml + - ui_configmap.yaml + - ui_secret.yaml + - policybundle_configmap.yaml + - analyzer_configmap.yaml + +deployment-resources: &deployment-resources + - templates/api_deployment.yaml + - templates/analyzer_deployment.yaml + - templates/catalog_deployment.yaml + - templates/notifications_deployment.yaml + - templates/policyengine_deployment.yaml + - templates/reports_deployment.yaml + - templates/reportsworker_deployment.yaml + - templates/simplequeue_deployment.yaml + - templates/ui_deployment.yaml values: - values.yaml set: @@ -312,3 +338,11 @@ tests: mountPath: /mnt/global-extra-vol readOnly: false count: 1 + + - it: should have Recreate as a deployment strategy + templates: *deployment-resources + documentIndex: 0 + asserts: + - equal: + path: spec.strategy.type + value: Recreate \ No newline at end of file diff --git a/stable/enterprise/tests/prehook_upgrade_resources_test.yaml b/stable/enterprise/tests/prehook_upgrade_resources_test.yaml index 079a96c5..edc833be 100644 --- a/stable/enterprise/tests/prehook_upgrade_resources_test.yaml +++ b/stable/enterprise/tests/prehook_upgrade_resources_test.yaml 
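Review bot: The new strategy test at the end of this suite asserts `spec.strategy.type: Recreate` for nine deployments without saying which value selects it. The switch is set outside the hunk, presumably in the suite-level `set:`, and the prehook suite asserts `RollingUpdate` with an otherwise identical test. Naming the condition in the title would make a failure readable, e.g. `- it: should use Recreate for all deployments when the post-upgrade hook is used` (wording to be confirmed against the suite's `set:`). The `deployment-resources: &deployment-resources` key added in the first hunk only carries the anchor and is not a suite field, so confirm that the helm-unittest version in CI ignores unknown top-level keys; a comment such as `# anchor only: deployment templates reused by the strategy test` would explain it. The first hunk also widens the suite `templates:` list, so any existing test without its own `template:` would now be evaluated against the deployments and configmaps too; those tests are outside the hunk.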
@@ -4,6 +4,32 @@ templates: - templates/hooks/pre-upgrade/upgrade_rbac.yaml - anchore_secret.yaml - templates/hooks/pre-upgrade/object_store_analysis_archive_migration_job.yaml + - analyzer_deployment.yaml + - api_deployment.yaml + - catalog_deployment.yaml + - notifications_deployment.yaml + - policyengine_deployment.yaml + - reports_deployment.yaml + - reportsworker_deployment.yaml + - simplequeue_deployment.yaml + - ui_deployment.yaml + - anchore_configmap.yaml + - envvars_configmap.yaml + - ui_configmap.yaml + - ui_secret.yaml + - policybundle_configmap.yaml + - analyzer_configmap.yaml + +deployment-resources: &deployment-resources + - templates/api_deployment.yaml + - templates/analyzer_deployment.yaml + - templates/catalog_deployment.yaml + - templates/notifications_deployment.yaml + - templates/policyengine_deployment.yaml + - templates/reports_deployment.yaml + - templates/reportsworker_deployment.yaml + - templates/simplequeue_deployment.yaml + - templates/ui_deployment.yaml values: - values.yaml release: @@ -582,3 +608,11 @@ tests: - equal: path: spec.template.spec.serviceAccountName value: test-service-account + + - it: should have RollingUpdate as a deployment strategy + templates: *deployment-resources + documentIndex: 0 + asserts: + - equal: + path: spec.strategy.type + value: RollingUpdate \ No newline at end of file diff --git a/stable/enterprise/tests/reports_resources_test.yaml b/stable/enterprise/tests/reports_resources_test.yaml index 543a7869..f0eb47a7 100644 --- a/stable/enterprise/tests/reports_resources_test.yaml +++ b/stable/enterprise/tests/reports_resources_test.yaml @@ -3,6 +3,7 @@ templates: - reports_deployment.yaml - anchore_secret.yaml - anchore_configmap.yaml + - envvars_configmap.yaml release: name: test-release namespace: test-namespace 
@@ -527,3 +528,39 @@ tests: g2: v2 s1: a1 s2: a2 + + - it: should render ANCHORE_ENDPOINT_HOSTNAME as service name without domainSuffix + template: reports_deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-reports.test-namespace.svc.cluster.local + + - it: should render ANCHORE_ENDPOINT_HOSTNAME with toplevel domainSuffix + template: reports_deployment.yaml + documentIndex: 0 + set: + domainSuffix: "mynamespace.svc.cluster.local" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-reports.mynamespace.svc.cluster.local + + - it: should render ANCHORE_ENDPOINT_HOSTNAME with toplevel domainSuffix specified and overridden + template: reports_deployment.yaml + documentIndex: 0 + set: + domainSuffix: "mynamespace.svc.cluster.local" + reports.service.domainSuffix: "myothersuffix.svc.cluster.local" + ui.service.domainSuffix: "nope.svc.cluster.local" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-reports.myothersuffix.svc.cluster.local \ No newline at end of file diff --git a/stable/enterprise/tests/reportsworker_resources_test.yaml b/stable/enterprise/tests/reportsworker_resources_test.yaml index 81d6da6d..c8955ccc 100644 --- a/stable/enterprise/tests/reportsworker_resources_test.yaml +++ b/stable/enterprise/tests/reportsworker_resources_test.yaml @@ -3,6 +3,7 @@ templates: - reportsworker_deployment.yaml - anchore_secret.yaml - anchore_configmap.yaml + - envvars_configmap.yaml release: name: test-release namespace: test-namespace 
@@ -412,3 +413,39 @@ tests: g2: v2 s1: a1 s2: a2 + + - it: should render ANCHORE_ENDPOINT_HOSTNAME as service name without domainSuffix + template: reportsworker_deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-reportsworker.test-namespace.svc.cluster.local + + - it: should render ANCHORE_ENDPOINT_HOSTNAME with toplevel domainSuffix + template: reportsworker_deployment.yaml + documentIndex: 0 + set: + domainSuffix: "mynamespace.svc.cluster.local" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-reportsworker.mynamespace.svc.cluster.local + + - it: should render ANCHORE_ENDPOINT_HOSTNAME with toplevel domainSuffix specified and overridden + template: reportsworker_deployment.yaml + documentIndex: 0 + set: + domainSuffix: "mynamespace.svc.cluster.local" + reportsWorker.service.domainSuffix: "myothersuffix.svc.cluster.local" + ui.service.domainSuffix: "nope.svc.cluster.local" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-reportsworker.myothersuffix.svc.cluster.local \ No newline at end of file diff --git a/stable/enterprise/tests/simplequeue_resources_test.yaml b/stable/enterprise/tests/simplequeue_resources_test.yaml index 8c18e20a..7a62b468 100644 --- a/stable/enterprise/tests/simplequeue_resources_test.yaml +++ b/stable/enterprise/tests/simplequeue_resources_test.yaml @@ -3,6 +3,7 @@ templates: - simplequeue_deployment.yaml - anchore_secret.yaml - anchore_configmap.yaml + - envvars_configmap.yaml release: name: test-release namespace: test-namespace 
@@ -387,3 +388,39 @@ tests: g2: v2 s1: a1 s2: a2 + + - it: should render ANCHORE_ENDPOINT_HOSTNAME as service name without domainSuffix + template: simplequeue_deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-simplequeue.test-namespace.svc.cluster.local + + - it: should render ANCHORE_ENDPOINT_HOSTNAME with toplevel domainSuffix + template: simplequeue_deployment.yaml + documentIndex: 0 + set: + domainSuffix: "mynamespace.svc.cluster.local" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-simplequeue.mynamespace.svc.cluster.local + + - it: should render ANCHORE_ENDPOINT_HOSTNAME with toplevel domainSuffix specified and overridden + template: simplequeue_deployment.yaml + documentIndex: 0 + set: + domainSuffix: "mynamespace.svc.cluster.local" + simpleQueue.service.domainSuffix: "myothersuffix.svc.cluster.local" + ui.service.domainSuffix: "nope.svc.cluster.local" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-simplequeue.myothersuffix.svc.cluster.local \ No newline at end of file diff --git a/stable/enterprise/tests/ui_resources_test.yaml b/stable/enterprise/tests/ui_resources_test.yaml index 29e986e5..e289ff1d 100644 --- a/stable/enterprise/tests/ui_resources_test.yaml +++ b/stable/enterprise/tests/ui_resources_test.yaml 
@@ -449,3 +449,39 @@ tests: g2: v2 s1: a1 s2: a2 + + - it: should render ANCHORE_ENDPOINT_HOSTNAME as service name without domainSuffix + template: ui_deployment.yaml + documentIndex: 0 + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-ui.test-namespace.svc.cluster.local + + - it: should render ANCHORE_ENDPOINT_HOSTNAME with toplevel domainSuffix + template: ui_deployment.yaml + documentIndex: 0 + set: + domainSuffix: "mynamespace.svc.cluster.local" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-ui.mynamespace.svc.cluster.local + + - it: should render ANCHORE_ENDPOINT_HOSTNAME with toplevel domainSuffix specified and overridden + template: ui_deployment.yaml + documentIndex: 0 + set: + domainSuffix: "mynamespace.svc.cluster.local" + ui.service.domainSuffix: "myothersuffix.svc.cluster.local" + api.service.domainSuffix: "nope.svc.cluster.local" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ANCHORE_ENDPOINT_HOSTNAME + value: test-release-enterprise-ui.myothersuffix.svc.cluster.local \ No newline at end of file diff --git a/stable/enterprise/values.yaml b/stable/enterprise/values.yaml index dd44fbdc..3ae87d1a 100644 --- a/stable/enterprise/values.yaml +++ b/stable/enterprise/values.yaml @@ -19,7 +19,7 @@ global: ## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI ## -image: docker.io/anchore/enterprise:v5.7.0 +image: docker.io/anchore/enterprise:v5.8.0 ## @param imagePullPolicy Image pull policy used by all deployments ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy 
@@ -212,6 +212,11 @@ scripts: printf '%s\n' "$line"; done < /config/config.yaml +## @param domainSuffix domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". +## If set here, the domainSuffix will be appended to the hostname for all Anchore services unless overridden at the service level of each anchore service +## +domainSuffix: "" + ##################################################################### ## @section Anchore Configuration Parameters ## Params used for all Anchore Enterprise service configuration files @@ -741,9 +746,11 @@ analyzer: replicaCount: 1 ## @param analyzer.service.port The port used for gatherings metrics when .Values.metricsEnabled=true + ## @param analyzer.service.domainSuffix domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". Takes precedence over the top level domainSuffix ## service: port: 8084 + domainSuffix: "" ## @param analyzer.extraEnv Set extra environment variables for Anchore Analyzer pods ## @@ -802,6 +809,7 @@ api: ## @param api.service.annotations Annotations for Anchore API service ## @param api.service.labels Labels for Anchore API service ## @param api.service.nodePort nodePort for Anchore API service + ## @param api.service.domainSuffix domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". Takes precedence over the top level domainSuffix ## service: type: ClusterIP @@ -809,6 +817,7 @@ api: annotations: {} labels: {} nodePort: "" + domainSuffix: "" ## @param api.extraEnv Set extra environment variables for Anchore API pods ## 
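Review bot: The `domainSuffix` comment does not say what form the value must take, or that it replaces the default rather than extending it. The tests in this commit join it to the service name with a dot (`test-release-enterprise-ui.mynamespace.svc.cluster.local`), so it must be given without a leading dot, and the "namespace" in the default is the release namespace. I would extend the comment with `## Give the suffix without a leading dot, e.g. "mynamespace.svc.cluster.local"; it replaces the default "<release namespace>.svc.cluster.local".` and `## The resulting name must resolve to the in-cluster service and be covered by the service certificate when internal TLS verification is enabled.` The second line depends on how ANCHORE_ENDPOINT_HOSTNAME is consumed, which is not visible here; if peers connect to this name, a suffix that resolves elsewhere would send inter-service traffic, credentials included, to that host. The per-service `*.service.domainSuffix` comments in the following hunks (analyzer through ui) would benefit from the same wording.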
@@ -870,6 +879,7 @@ catalog: ## @param catalog.service.annotations Annotations for Anchore Catalog service ## @param catalog.service.labels Labels for Anchore Catalog service ## @param catalog.service.nodePort nodePort for Anchore Catalog service + ## @param catalog.service.domainSuffix domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". Takes precedence over the top level domainSuffix ## service: type: ClusterIP @@ -877,6 +887,7 @@ catalog: annotations: {} labels: {} nodePort: "" + domainSuffix: "" ## @param catalog.extraEnv Set extra environment variables for Anchore Catalog pods ## @@ -972,6 +983,7 @@ notifications: ## @param notifications.service.annotations Annotations for Anchore Notifications service ## @param notifications.service.labels Labels for Anchore Notifications service ## @param notifications.service.nodePort nodePort for Anchore Notifications service + ## @param notifications.service.domainSuffix domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". Takes precedence over the top level domainSuffix ## service: type: ClusterIP @@ -979,6 +991,7 @@ notifications: annotations: {} labels: {} nodePort: "" + domainSuffix: "" ## @param notifications.extraEnv Set extra environment variables for Anchore Notifications pods ## @@ -1040,6 +1053,7 @@ policyEngine: ## @param policyEngine.service.annotations Annotations for Anchore Policy Engine service ## @param policyEngine.service.labels Labels for Anchore Policy Engine service ## @param policyEngine.service.nodePort nodePort for Anchore Policy Engine service + ## @param policyEngine.service.domainSuffix domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". Takes precedence over the top level domainSuffix ## service: type: ClusterIP 
@@ -1047,6 +1061,7 @@ policyEngine: annotations: {} labels: {} nodePort: "" + domainSuffix: "" ## @param policyEngine.extraEnv Set extra environment variables for Anchore Policy Engine pods ## @@ -1113,6 +1128,7 @@ reports: ## @param reports.service.annotations Annotations for Anchore Reports service ## @param reports.service.labels Labels for Anchore Reports service ## @param reports.service.nodePort nodePort for Anchore Reports service + ## @param reports.service.domainSuffix domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". Takes precedence over the top level domainSuffix ## service: type: ClusterIP @@ -1120,6 +1136,7 @@ reports: annotations: {} labels: {} nodePort: "" + domainSuffix: "" ## @param reports.extraEnv Set extra environment variables for Anchore Reports pods ## @@ -1198,6 +1215,7 @@ reportsWorker: ## @param reportsWorker.service.annotations Annotations for Anchore Reports Worker service ## @param reportsWorker.service.labels Labels for Anchore Reports Worker service ## @param reportsWorker.service.nodePort nodePort for Anchore Reports Worker service + ## @param reportsWorker.service.domainSuffix domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". Takes precedence over the top level domainSuffix ## service: type: ClusterIP @@ -1205,6 +1223,7 @@ reportsWorker: annotations: {} labels: {} nodePort: "" + domainSuffix: "" ## @param reportsWorker.extraEnv Set extra environment variables for Anchore Reports Worker pods ## 
@@ -1266,6 +1285,7 @@ simpleQueue: ## @param simpleQueue.service.annotations Annotations for Anchore Simple Queue service ## @param simpleQueue.service.labels Labels for Anchore Simple Queue service ## @param simpleQueue.service.nodePort nodePort for Anchore Simple Queue service + ## @param simpleQueue.service.domainSuffix domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". Takes precedence over the top level domainSuffix ## service: type: ClusterIP @@ -1273,6 +1293,7 @@ simpleQueue: annotations: {} labels: {} nodePort: "" + domainSuffix: "" ## @param simpleQueue.extraEnv Set extra environment variables for Anchore Simple Queue pods ## @@ -1327,7 +1348,7 @@ simpleQueue: ui: ## @param ui.image Image used for the Anchore UI container ## - image: docker.io/anchore/enterprise-ui:v5.7.0 + image: docker.io/anchore/enterprise-ui:v5.8.0 ## @param ui.imagePullPolicy Image pull policy for Anchore UI image ## @@ -1351,6 +1372,7 @@ ui: ## @param ui.service.labels Labels for Anchore UI service ## @param ui.service.sessionAffinity Session Affinity for Ui service ## @param ui.service.nodePort nodePort for Anchore UI service + ## @param ui.service.domainSuffix domain suffix for appending to the ANCHORE_ENDPOINT_HOSTNAME. If blank, domainSuffix will be "namespace.svc.cluster.local". Takes precedence over the top level domainSuffix ## service: type: ClusterIP @@ -1360,6 +1382,7 @@ ui: labels: {} sessionAffinity: ClientIP nodePort: "" + domainSuffix: "" ## @param ui.extraEnv Set extra environment variables for Anchore UI pods