Releasing Enterprise 3.11.0 (Anchore 5.19.0)

Enterprise 3.11.0 (Anchore 5.19.0)

Author: HN23

.github/workflows/openshift-test.yaml

@@ -168,7 +168,7 @@ jobs:
         else
           echo "updating nightly-values.yaml with nightly image"
           echo 'image: "docker.io/anchore/enterprise-dev:nightly"' >> stable/enterprise/ci/nightly-values.yaml
-          echo 'ui:' >> stable/enterprise/ci/rc-values.yaml
+          echo 'ui:' >> stable/enterprise/ci/nightly-values.yaml
           echo '  image: "docker.io/anchore/anchore-on-prem-ui-dev:nightly"' >> stable/enterprise/ci/nightly-values.yaml
           echo "Appended to stable/enterprise/ci/nightly-values.yaml"
         fi

.github/workflows/test.yaml

@@ -13,7 +13,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        kubernetesVersion: ["v1.28.7", "v1.29.2", "v1.30.0", "v1.31.0", "v1.32.2"]
+        kubernetesVersion: ["v1.28.7", "v1.29.2", "v1.30.0", "v1.31.0", "v1.32.2", "v1.33.1"]
     runs-on: ubuntu-latest
     steps:
     - name: Checkout

stable/enterprise/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
 name: enterprise
-version: "3.10.0"
-appVersion: "5.18.0"
-kubeVersion: 1.23.x - 1.32.x || 1.23.x-x - 1.32.x-x
+version: "3.11.0"
+appVersion: "5.19.0"
+kubeVersion: 1.23.x - 1.33.x || 1.23.x-x - 1.33.x-x
 description: |
   Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems,
   it allows developers to bolster security without compromising velocity and enables security teams to audit and verify compliance in real-time.

stable/enterprise/README.md

@@ -649,7 +649,7 @@ To restore your deployment to using your previous driver configurations:
 
 | Name                                    | Description                                                                                                                        | Value                                  |
 | --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- |
-| `image`                                 | Image used for all Anchore Enterprise deployments, excluding Anchore UI                                                            | `docker.io/anchore/enterprise:v5.18.0` |
+| `image`                                 | Image used for all Anchore Enterprise deployments, excluding Anchore UI                                                            | `docker.io/anchore/enterprise:v5.19.0` |
 | `imagePullPolicy`                       | Image pull policy used by all deployments                                                                                          | `IfNotPresent`                         |
 | `imagePullSecretName`                   | Name of Docker credentials secret for access to private repos                                                                      | `anchore-enterprise-pullcreds`         |
 | `kubectlImage`                          | The image to use for the job's init container that uses kubectl to scale down deployments for the migration / upgrade              | `bitnami/kubectl:1.30`                 |
@@ -765,6 +765,7 @@ To restore your deployment to using your previous driver configurations:
 | `anchoreConfig.analyzer.enable_hints`                                                   | Enable a user-supplied 'hints' file to override and/or augment the software artifacts found during analysis                      | `false`                     |
 | `anchoreConfig.analyzer.configFile`                                                     | Custom Anchore Analyzer configuration file contents in YAML                                                                      | `{}`                        |
 | `anchoreConfig.catalog.account_prometheus_metrics`                                      | Enable per-account image status prometheus metrics.                                                                              | `<ALLOW_API_CONFIGURATION>` |
+| `anchoreConfig.catalog.analysis_queue_priority`                                         | Allow prioritization of new analysis jobs based on the ingress method.                                                           | `<ALLOW_API_CONFIGURATION>` |
 | `anchoreConfig.catalog.sbom_vuln_scan.auto_scale`                                       | Automatically scale batch_size and pool_size. Disable to configure manually.                                                     | `true`                      |
 | `anchoreConfig.catalog.sbom_vuln_scan.batch_size`                                       | The number of SBOMs to select to scan within a single batch, when 'auto_scale' is disabled                                       | `1`                         |
 | `anchoreConfig.catalog.sbom_vuln_scan.pool_size`                                        | The number of concurrent vulnerability scans to dispatch from each catalog instance                                              | `1`                         |
@@ -788,7 +789,6 @@ To restore your deployment to using your previous driver configurations:
 | `anchoreConfig.catalog.runtime_inventory.inventory_ttl_days`                            | TTL for runtime inventory.                                                                                                       | `120`                       |
 | `anchoreConfig.catalog.runtime_inventory.inventory_ingest_overwrite`                    | force runtime inventory to be overwritten upon every update for that reported context.                                           | `false`                     |
 | `anchoreConfig.catalog.integrations.integration_health_report_ttl_days`                 | TTL for integration health reports.                                                                                              | `2`                         |
-| `anchoreConfig.catalog.down_analyzer_task_requeue`                                      | Allows fast re-queueing when image status is 'analyzing' on an analyzer that is no longer in the 'up' state                      | `true`                      |
 | `anchoreConfig.policy_engine.vulnerabilities.matching.exclude.providers`                | List of providers to exclude from matching                                                                                       | `nil`                       |
 | `anchoreConfig.policy_engine.vulnerabilities.matching.exclude.package_types`            | List of package types to exclude from matching                                                                                   | `nil`                       |
 | `anchoreConfig.policy_engine.enable_user_base_image`                                    | Enables usage of Well Known Annotation to identify base image for use in ancestry calculations                                   | `true`                      |
@@ -798,6 +798,7 @@ To restore your deployment to using your previous driver configurations:
 | `anchoreConfig.reports.async_execution_timeout`                                         | Configure how long a scheduled query must be running for before it is considered timed out                                       | `48h`                       |
 | `anchoreConfig.reports.cycle_timers.reports_scheduled_queries`                          | Interval  in seconds to check for scheduled queries that need to be run                                                          | `600`                       |
 | `anchoreConfig.reports.use_volume`                                                      | Configure the reports service to buffer report generation to disk instead of in memory                                           | `false`                     |
+| `anchoreConfig.reports_worker.ingress_images_max_workers`                               | The maximum number of concurrent threads to ingress images                                                                       | `10`                        |
 | `anchoreConfig.reports_worker.enable_data_ingress`                                      | Enable periodically syncing data into the Anchore Reports Service                                                                | `true`                      |
 | `anchoreConfig.reports_worker.enable_data_egress`                                       | Periodically remove reporting data that has been removed in other parts of system                                                | `false`                     |
 | `anchoreConfig.reports_worker.data_egress_window`                                       | defines a number of days to keep reporting data following its deletion in the rest of system.                                    | `0`                         |
@@ -824,6 +825,7 @@ To restore your deployment to using your previous driver configurations:
 | `anchoreConfig.ui.custom_links`                                                         | List of up to 10 external links provided                                                                                         | `{}`                        |
 | `anchoreConfig.ui.enable_add_repositories`                                              | Specify what users can add image repositories to the Anchore UI                                                                  | `{}`                        |
 | `anchoreConfig.ui.custom_message`                                                       | Custom message to display on the login page                                                                                      | `{}`                        |
+| `anchoreConfig.ui.banners`                                                              | Provide messages that will be displayed as a banner at the top and/or bottom of the application or only the login page.          | `{}`                        |
 | `anchoreConfig.ui.log_level`                                                            | Descriptive detail of the application log output                                                                                 | `http`                      |
 | `anchoreConfig.ui.enrich_inventory_view`                                                | aggregate and include compliance and vulnerability data from the reports service.                                                | `true`                      |
 | `anchoreConfig.ui.appdb_config.native`                                                  | toggle the postgreSQL drivers used to connect to the database between the native and the NodeJS drivers.                         | `true`                      |
@@ -1044,7 +1046,7 @@ To restore your deployment to using your previous driver configurations:
 
 | Name                           | Description                                                                                                                                                                  | Value                                     |
 | ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- |
-| `ui.image`                     | Image used for the Anchore UI container                                                                                                                                      | `docker.io/anchore/enterprise-ui:v5.18.0` |
+| `ui.image`                     | Image used for the Anchore UI container                                                                                                                                      | `docker.io/anchore/enterprise-ui:v5.19.0` |
 | `ui.imagePullPolicy`           | Image pull policy for Anchore UI image                                                                                                                                       | `IfNotPresent`                            |
 | `ui.existingSecretName`        | Name of an existing secret to be used for Anchore UI DB and Redis endpoints                                                                                                  | `anchore-enterprise-ui-env`               |
 | `ui.ldapsRootCaCertName`       | Name of the custom CA certificate file store in `.Values.certStoreSecretName`                                                                                                | `""`                                      |
@@ -1169,6 +1171,7 @@ To restore your deployment to using your previous driver configurations:
 | `osaaMigrationJob.analysisArchiveMigration.analysis_archive` | The configuration of the catalog.analysis_archive for the dest-config.yaml                                       | `{}`                   |
 | `osaaMigrationJob.objectStoreMigration.run`                  | Run the object_store migration                                                                                   | `false`                |
 | `osaaMigrationJob.objectStoreMigration.object_store`         | The configuration of the object_store for the dest-config.yaml                                                   | `{}`                   |
+| `extraManifests`                                             | List of additional manifests to be included in the chart                                                         | `[]`                   |
 
 ## Release Notes
 
@@ -1178,6 +1181,11 @@ For the latest updates and features in Anchore Enterprise, see the official [Rel
 - **Minor Chart Version Change (e.g., v0.1.2 -> v0.2.0)**: Indicates a significant change to the deployment that does not require manual intervention.
 - **Patch Chart Version Change (e.g., v0.1.2 -> v0.1.3)**: Indicates a backwards-compatible bug fix or documentation update.
 
+### V3.11.x
+
+- Deploys Anchore Enterprise v5.19.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/5190/) for more information.
+- Adds a mechanism for adding arbitrary manifests to the helm chart so users can include all resources for the deployment within their helm values file
+
 ### V3.10.x
 
 - Deploys Anchore Enterprise v5.18.x. See the [Release Notes](https://docs.anchore.com/current/docs/releasenotes/5180/) for more information.

stable/enterprise/files/default_config.yaml

@@ -64,7 +64,7 @@ webhooks: {{- toYaml .Values.anchoreConfig.webhooks | nindent 2 }}
 default_admin_password: "${ANCHORE_ADMIN_PASSWORD}"
 default_admin_email: ${ANCHORE_ADMIN_EMAIL}
 
-configuration: 
+configuration:
   api_driven_configuration_enabled: ${ANCHORE_API_DRIVEN_CONFIGURATION_ENABLED}
 
 keys:
@@ -167,8 +167,8 @@ services:
       max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS}
     runtime_compliance:
       object_store_bucket: "runtime_compliance_check"
-    down_analyzer_task_requeue: ${ANCHORE_ANALYZER_TASK_REQUEUE}
     import_operation_expiration_days: ${ANCHORE_IMPORT_OPERATION_EXPIRATION_DAYS}
+    analysis_queue_priority: {{ .Values.anchoreConfig.catalog.analysis_queue_priority }}
     sbom_vuln_scan:
       auto_scale: {{ .Values.anchoreConfig.catalog.sbom_vuln_scan.auto_scale }}
       batch_size: {{ .Values.anchoreConfig.catalog.sbom_vuln_scan.batch_size }}
@@ -287,6 +287,7 @@ services:
     data_egress_window: ${ANCHORE_ENTERPRISE_REPORTS_DATA_EGRESS_WINDOW}
     data_refresh_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_REFRESH_MAX_WORKERS}
     data_load_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_LOAD_MAX_WORKERS}
+    ingress_images_max_workers: {{ .Values.anchoreConfig.reports_worker.ingress_images_max_workers }}
     cycle_timers: {{- toYaml .Values.anchoreConfig.reports_worker.cycle_timers | nindent 6 }}
     runtime_report_generation:
       use_legacy_loaders_and_queries: {{ .Values.anchoreConfig.reports_worker.runtime_report_generation.use_legacy_loaders_and_queries }}

stable/enterprise/files/osaa_config.yaml

@@ -64,7 +64,7 @@ webhooks: {{- toYaml .Values.anchoreConfig.webhooks | nindent 2 }}
 default_admin_password: "${ANCHORE_ADMIN_PASSWORD}"
 default_admin_email: ${ANCHORE_ADMIN_EMAIL}
 
-configuration: 
+configuration:
   api_driven_configuration_enabled: ${ANCHORE_API_DRIVEN_CONFIGURATION_ENABLED}
 
 keys:
@@ -167,8 +167,8 @@ services:
       max_worker_threads: ${ANCHORE_CATALOG_IMAGE_GC_WORKERS}
     runtime_compliance:
       object_store_bucket: "runtime_compliance_check"
-    down_analyzer_task_requeue: ${ANCHORE_ANALYZER_TASK_REQUEUE}
     import_operation_expiration_days: ${ANCHORE_IMPORT_OPERATION_EXPIRATION_DAYS}
+    analysis_queue_priority: {{ .Values.anchoreConfig.catalog.analysis_queue_priority }}
     sbom_vuln_scan:
       auto_scale: {{ .Values.anchoreConfig.catalog.sbom_vuln_scan.auto_scale }}
       batch_size: {{ .Values.anchoreConfig.catalog.sbom_vuln_scan.batch_size }}
@@ -295,6 +295,7 @@ services:
     data_egress_window: ${ANCHORE_ENTERPRISE_REPORTS_DATA_EGRESS_WINDOW}
     data_refresh_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_REFRESH_MAX_WORKERS}
     data_load_max_workers: ${ANCHORE_ENTERPRISE_REPORTS_DATA_LOAD_MAX_WORKERS}
+    ingress_images_max_workers: {{ .Values.anchoreConfig.reports_worker.ingress_images_max_workers }}
     cycle_timers: {{- toYaml .Values.anchoreConfig.reports_worker.cycle_timers | nindent 6 }}
     runtime_report_generation:
       use_legacy_loaders_and_queries: {{ .Values.anchoreConfig.reports_worker.runtime_report_generation.use_legacy_loaders_and_queries }}

stable/enterprise/templates/envvars_configmap.yaml

@@ -18,7 +18,6 @@ data:
   ANCHORE_ADMIN_EMAIL: "{{ .Values.anchoreConfig.default_admin_email }}"
   ANCHORE_API_DRIVEN_CONFIGURATION_ENABLED: "true"
   ANCHORE_ALLOW_ECR_IAM_AUTO: "{{ .Values.anchoreConfig.allow_awsecr_iam_auto }}"
-  ANCHORE_ANALYZER_TASK_REQUEUE: "true"
   ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS: "{{ .Values.anchoreConfig.user_authentication.hashed_passwords }}"
 {{- with .Values.anchoreConfig.keys.publicKeyFileName }}
   ANCHORE_AUTH_PRIVKEY: "/home/anchore/certs/{{- . }}"
@@ -35,6 +34,7 @@ data:
   ANCHORE_CLI_USER: "admin"
   ANCHORECTL_URL: "http://localhost:8228"
   ANCHORECTL_USERNAME: "admin"
+  ANCHORECTL_ACCOUNT: "admin"
   ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED: "true"
   ANCHORE_DISABLE_METRICS_AUTH: "{{ .Values.anchoreConfig.metrics.auth_disabled }}"
   ANCHORE_DB_POOL_MAX_OVERFLOW: "{{ .Values.anchoreConfig.database.db_pool_max_overflow }}"

stable/enterprise/templates/extra_manifests.yaml

@@ -0,0 +1,4 @@
+{{ range .Values.extraManifests }}
+---
+{{ tpl . $ }}
+{{ end }}

stable/enterprise/templates/tests/anchorectl_smoketest.yaml

@@ -33,11 +33,13 @@ spec:
     {{- end }}
       envFrom: {{- include "enterprise.common.envFrom" . | nindent 6 }}
       env: {{- include "enterprise.common.environment" (merge (dict "component" $component) .) | nindent 6 }}
+      - name: ANCHORECTL_URL
+        value: "http://{{ .Release.Name }}-enterprise-api:8228"
 
       command: ["/bin/bash", "-c"]
       args:
         - |
-          anchorectl system smoke-tests run || true
+          anchorectl system smoke-tests run
 
       volumeMounts: {{- include "enterprise.common.volumeMounts" . | nindent 6 }}
   restartPolicy: Never

stable/enterprise/templates/ui_configmap.yaml

@@ -26,6 +26,23 @@ data:
       title: '{{ .title }}'
       message: '{{ .message }}'
   {{- end }}
+  {{- with .Values.anchoreConfig.ui.banners }}
+    banners:
+      {{- with .top }}
+      top:
+        text: {{ default "" .text | quote }}
+        text_color: {{ default "" .text_color | quote}}
+        background_color: {{ default "" .background_color | quote }}
+        display: {{ default "always" .display | quote }}
+      {{- end }}
+      {{- with .bottom }}
+      bottom:
+        text: {{ default "" .text | quote }}
+        text_color: {{ default "" .text_color | quote}}
+        background_color: {{ default "" .background_color | quote }}
+        display: {{ default "always" .display | quote }}
+      {{- end }}
+  {{- end }}
   {{- with .Values.anchoreConfig.ui.enable_add_repositories }}
     enable_add_repositories:
       admin: {{ .admin }}
@@ -45,7 +62,7 @@ data:
     authentication_lock:
       count: {{ .Values.anchoreConfig.ui.authentication_lock.count }}
       expires: {{ .Values.anchoreConfig.ui.authentication_lock.expires }}
-    appdb_config: {{ toYaml .Values.anchoreConfig.ui.appdb_config | nindent 6}}
+    appdb_config: {{- toYaml .Values.anchoreConfig.ui.appdb_config | nindent 6}}
     log_level: {{ .Values.anchoreConfig.ui.log_level | squote }}
     enrich_inventory_view: {{ .Values.anchoreConfig.ui.enrich_inventory_view  }}
     enable_prometheus_metrics: {{ .Values.anchoreConfig.metrics.enabled }}