oceanbox/platform
6
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Totally revamp cluster chart configs

Browse Source
This commit is contained in:
Jonas Juselius
2020-11-05 21:05:34 +01:00
parent 6fea8b3bc8
commit 3a69e7f1f1
55 changed files with 3921 additions and 531 deletions
Download Patch File Download Diff File Expand all files Collapse all files

439
charts/anchore/anchore.yaml Normal file
View File

@@ -0,0 +1,439 @@
# Default values for anchore_engine chart.
# Anchore engine has a dependency on Postgresql, configure here
postgresql:
# To use an external DB or Google CloudSQL in GKE, uncomment & set 'enabled: false'
# externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres
# enabled: false
postgresUser: anchoreengine
postgresPassword: KebabNinja2020
postgresDatabase: anchore
# Specify an external (already existing) postgres deployment for use.
# Set to the host and port. eg. mypostgres.myserver.io:5432
externalEndpoint: Null
# Configure size of the persistent volume used with helm managed chart.
# This should be commented out if using an external endpoint.
persistence:
storageClass: managed-nfs-storage
resourcePolicy: nil
size: 20Gi
ingress:
enabled: true
labels: {}
# Exposing the feeds API w/ ingress is for special cases only, uncomment feedsPath if external access to the feeds API is needed
# feedsPath: /v1/feeds/
apiPath: /v1/
uiPath: /
# Uncomment the following lines to bind on specific hostnames
# apiHosts:
# - anchore-api.example.com
# uiHosts:
# - anchore-ui.example.com
# feedsHosts:
# - anchore-feeds.example.com
annotations:
kubernetes.io/ingress.class: nginx
certmanager.io/cluster-issuer: ca-issuer
nginx.ingress.kubernetes.io/ssl-redirect: "true"
tls:
- secretName: anchore-tls
hosts:
- anchore.k2.local
# Global configuration shared by all anchore-engine services.
anchoreGlobal:
# Image used for all anchore engine deployments (excluding enterprise components).
image: docker.io/anchore/anchore-engine:v0.8.1
imagePullPolicy: IfNotPresent
# Set image pull secret name if using an anchore-engine image from a private registry
imagePullSecretName:
# Set this value to True to setup the chart for OpenShift deployment compatibility.
openShiftDeployment: False
# Add additionnal labels to all kubernetes resources
labels: {}
# app.kubernetes.io/managed-by: Helm
# foo: bar
# Set extra environment variables. These will be set on all containers.
extraEnv: []
# - name: foo
# value: bar
# Specifies an existing secret to be used for admin and db passwords
existingSecret: Null
# The scratchVolume controls the mounting of an external volume for scratch space for image analysis. Generally speaking
# you need to provision 3x the size of the largest image (uncompressed) that you want to analyze for this space.
scratchVolume:
mountPath: /analysis_scratch
details:
# Specify volume configuration here
emptyDir: {}
# A secret must be created in the same namespace as anchore-engine is deployed, containing the certificates & public/private keys used for SSL, SAML & custom CAs.
# Certs and keys should be added using the file name the certificate is stored at. This secret will be mounted to /home/anchore/certs.
certStoreSecretName: Null
# Specify your pod securityContext here, by default the anchore images utilize the user/group 'anchore' using uid/gid 1000
# To disable this securityContext comment out `runAsUser` & `runAsGroup`
securityContext:
runAsUser: 1000
runAsGroup: 1000
###
# Start of General Anchore Engine Configurations (populates /config/config.yaml)
###
# Set where default configs are placed at startup. This must be a writable location for the pod.
serviceDir: /anchore_service
logLevel: INFO
cleanupImages: true
# Define timeout, in seconds, for image analysis
imageAnalyzeTimeoutSeconds: 36000
# If true, when a user adds an ECR registry with username = awsauto then the system will look for an instance profile to use for auth against the registry
allowECRUseIAMRole: false
# Enable prometheus metrics
enableMetrics: true
# Disable auth on prometheus metrics
metricsAuthDisabled: false
# Sets the password & email address for the default anchore-engine admin user.
defaultAdminPassword: KebabNinja2020
defaultAdminEmail: jonas.juselius@tromso.serit.no
saml:
# Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value
# Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs.
secret: Null
privateKeyName: Null
publicKeyName: Null
oauthEnabled: false
oauthTokenExpirationSeconds: 3600
# Set this to True to enable storing user passwords only as secure hashes in the db. This can dramatically increase CPU usage if you
# don't also use oauth and tokens for internal communications (which requires keys/secret to be configured as well)
# WARNING: you should not change this after a system has been initialized as it may cause a mismatch in existing passwords
hashedPasswords: false
# Configure the database connection within anchore-engine & enterprise-ui. This may get split into 2 different configurations based on service utilized.
dbConfig:
timeout: 120
# Use ssl, but the default postgresql config in helm's stable repo does not support ssl on server side, so this should be set for external dbs only.
# All ssl dbConfig values are only utilized when ssl=true
ssl: false
sslMode: verify-full
# sslRootCertName is the name of the postgres root CA certificate stored in anchoreGlobal.certStoreSecretName
sslRootCertName: Null
connectionPoolSize: 30
connectionPoolMaxOverflow: 100
internalServicesSsl:
# Enable to force all anchore-engine services to communicate internally using SSL
enabled: false
# specify whether cert is verfied against the local certifacte bundle (allow self-signed certs if set to false)
verifyCerts: false
certSecretKeyName: Null
certSecretCertName: Null
# To enable webhooks, set webhooksEnabled: true
webhooksEnabled: true
# Configure webhook outputs here. The service provides these webhooks for notifying external systems of updates
webhooks:
# User and password to be set (using HTTP basic auth) on all webhook calls if necessary
webhook_user: Null
webhook_pass: Null
ssl_verify: false
# Endpoint for general notification delivery. These events are image/tag updates etc. This is globally configured
# and updates for all users are sent to the same host but with a different path for each user.
# <notification_type>/<userId> are required as documented at end of URI - only hostname:port should be configured.
general:
url: http://busynix.default
# url: "http://somehost:9090/<notification_type>/<userId>"
# Allow configuration of Kubernetes probes
probes:
liveness:
initialDelaySeconds: 120
timeoutSeconds: 10
periodSeconds: 10
failureThreshold: 6
successThreshold: 1
readiness:
timeoutSeconds: 10
periodSeconds: 10
failureThreshold: 3
successThreshold: 1
# Configuration for the analyzer pods that perform image analysis
# There may be many of these analyzers but best practice is to not have more than one per node since analysis
# is very IO intensive. Use of affinity/anti-affinity rules for scheduling the analyzers is future work.
anchoreAnalyzer:
replicaCount: 1
containerPort: 8084
# Set extra environment variables. These will be set only on analyzer containers.
extraEnv: []
# - name: foo
# value: bar
# The cycle timer is the interval between checks to the work queue for new jobs
cycleTimers:
image_analyzer: 5
# Controls the concurrency of the analyzer itself. Can be configured to process more than one task at a time, but it IO bound, so may not
# necessarily be faster depending on hardware. Should test and balance this value vs. number of analyzers for your deployment cluster performance.
concurrentTasksPerWorker: 1
# Image layer caching can be enabled to speed up image downloads before analysis.
# This chart sets up a scratch directory for all analyzer pods using the values found at anchoreGlobal.scratchVolume.
# When setting anchoreAnalyzer.layerCacheMaxGigabytes, ensure the scratch volume has suffient storage space.
# For more info see - https://docs.anchore.com/current/docs/engine/engine_installation/storage/layer_caching/
# Enable image layer caching by setting a cache size > 0GB.
layerCacheMaxGigabytes: 0
# Enable the ability to read a user-supplied 'hints' file to allow users to override and/or augment the software artifacts that are discovered by anchore during its image analysis process.
# Once enabled, the analyzer services will look for a file with a specific name, location and format located within the container image - /anchore_hints.json
# For more info see - https://docs.anchore.com/current/docs/engine/engine_installation/configuration/content_hints
enableHints: false
configFile:
# Anchore analyzer config file
#
# WARNING - malforming this file can cause the analyzer to fail on all image analysis
#
# Options for any analyzer module(s) that takes customizable input
#
# example configuration for the 'retrieve_files' analyzer, if installed
retrieve_files:
file_list:
- '/etc/passwd'
# - '/etc/services'
# - '/etc/sudoers'
# example configuration for the 'content_search' analyze, if installed
secret_search:
match_params:
- MAXFILESIZE=10000
- STOREONMATCH=n
regexp_match:
- "AWS_ACCESS_KEY=(?i).*aws_access_key_id( *=+ *).*(?<![A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9]).*"
- "AWS_SECRET_KEY=(?i).*aws_secret_access_key( *=+ *).*(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=]).*"
- "PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+"
- "DOCKER_AUTH=(?i).*\"auth\": *\".+\""
- "API_KEY=(?i).*api(-|_)key( *=+ *).*(?<![A-Z0-9])[A-Z0-9]{20,60}(?![A-Z0-9]).*"
# - "ALPINE_NULL_ROOT=^root:::0:::::$"
# content_search:
# match_params:
# - MAXFILESIZE=10000
# regexp_match:
# - "EXAMPLE_MATCH="
# Uncomment the 'malware' section to enable use of the open-source ClamAV malware scanner to detect malicious code embedded in container images.
# This scan occurs only at analysis time when the image content itself is available, and the scan results are available via the Engine API as well as
# for consumption in new policy gates to allow gating of image with malware findings.
# For more detailed configuration info see - https://docs.anchore.com/current/docs/engine/general/concepts/images/analysis/malware_scanning
#
malware:
clamav:
enabled: true
db_update_enabled: true
# resources:
# limits:
# cpu: 1
# memory: 4G
# requests:
# cpu: 1
# memory: 1G
labels: {}
annotations: {}
nodeSelector: {}
tolerations: []
affinity: {}
# Pod configuration for the anchore engine api service.
anchoreApi:
replicaCount: 1
# Set extra environment variables. These will be set on all api containers.
extraEnv: []
# - name: foo
# value: bar
# kubernetes service configuration for anchore external API
service:
type: ClusterIP
port: 8228
annotations: {}
label: {}
# (Optional) Overrides for constructing API URLs. All values are optional.
# external:
# use_tls: true
# hostname: anchore-api.example.com
# port: 8443
# resources:
# limits:
# cpu: 1
# memory: 4G
# requests:
# cpu: 100m
# memory: 1G
labels: {}
annotations: {}
nodeSelector: {}
tolerations: []
affinity: {}
anchoreCatalog:
replicaCount: 1
# Set extra environment variables. These will be set on all catalog containers.
extraEnv: []
# - name: foo
# value: bar
# Intervals to run specific events on (seconds)
cycleTimers:
# Interval to check for an update to a tag
image_watcher: 3600
# Interval to run a policy evaluation on images with the policy_eval subscription activated.
policy_eval: 3600
# Interval to run a vulnerability scan on images with the vuln_update subscription activated.
vulnerability_scan: 14400
# Interval at which the catalog looks for new work to put on the image analysis queue.
analyzer_queue: 1
# Interval notifications will be processed for state changes
notifications: 30
# Intervals service state updates are polled for the system status
service_watcher: 15
# Interval between checks to repo for new tags
repo_watcher: 60
# Event log configuration for webhooks
events:
notification:
enabled: false
# Send notifications for events with severity level that matches items in this list
level:
- error
# - info
archive:
compression:
enabled: true
min_size_kbytes: 100
storage_driver:
# Valid storage driver names: 'db', 's3', 'swift'
name: s3
config:
url: https://minio.staging.itpartner.no
bucket: anchore
access_key: Mkd324ijlnfll23883
secret_key: KJQfefrnflol93jpj31mrkjs3i88sj2L
create_bucket: true
# kubernetes service configuration for anchore catalog api
service:
type: ClusterIP
port: 8082
annotations: {}
labels: {}
# resources:
# limits:
# cpu: 1
# memory: 2G
# requests:
# cpu: 100m
# memory: 500M
labels: {}
annotations: {}
nodeSelector: {}
tolerations: []
affinity: {}
# Pod configuration for the anchore engine policy service.
anchorePolicyEngine:
replicaCount: 1
# Set extra environment variables. These will be set on all policy engine containers.
extraEnv: []
# - name: foo
# value: bar
# Intervals to run specific events on (seconds)
cycleTimers:
# Interval to run a feed sync to get latest cve data
feed_sync: 14400
# Interval between checks to see if there needs to be a task queued
feed_sync_checker: 3600
# kubernetes service configuration for anchore policy engine api
service:
type: ClusterIP
port: 8087
annotations: {}
labels: {}
# resources:
# limits:
# cpu: 1
# memory: 4G
# requests:
# cpu: 100m
# memory: 1G
labels: {}
annotations: {}
nodeSelector: {}
tolerations: []
affinity: {}
# Pod configuration for the anchore engine simplequeue service.
anchoreSimpleQueue:
replicaCount: 1
# Set extra environment variables. These will be set on all simplequeue containers.
extraEnv: []
# - name: foo
# value: bar
# kubernetes service configuration for anchore simplequeue api
service:
type: ClusterIP
port: 8083
annotations: {}
labels: {}
# resources:
# limits:
# cpu: 1
# memory: 1G
# requests:
# cpu: 100m
# memory: 256M
labels: {}
annotations: {}
nodeSelector: {}
tolerations: []
affinity: {}