# Default values for anchore_engine chart.

# Anchore engine has a dependency on Postgresql, configure here
postgresql:
  # To use an external DB or Google CloudSQL in GKE, uncomment & set 'enabled: false'
  # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres
  # enabled: false
  postgresUser: anchoreengine
  postgresPassword: KebabNinja2020
  postgresDatabase: anchore

  # Specify an external (already existing) postgres deployment for use.
  # Set to the host and port. eg. mypostgres.myserver.io:5432
  externalEndpoint: Null

  # Configure size of the persistent volume used with helm managed chart.
  # This should be commented out if using an external endpoint.
  persistence:
    storageClass: managed-nfs-storage
    resourcePolicy: nil
    size: 20Gi

ingress:
  enabled: true
  labels: {}
  # Exposing the feeds API w/ ingress is for special cases only, uncomment feedsPath if external access to the feeds API is needed
  # feedsPath: /v1/feeds/
  apiPath: /v1/
  uiPath: /

  # Uncomment the following lines to bind on specific hostnames
  # apiHosts:
  #   - anchore-api.example.com
  # uiHosts:
  #   - anchore-ui.example.com
  # feedsHosts:
  #   - anchore-feeds.example.com
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.io/cluster-issuer: ca-issuer
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  tls:
  - secretName: anchore-tls
    hosts:
    - anchore.k2.local

# Global configuration shared by all anchore-engine services.
anchoreGlobal:
  # Image used for all anchore engine deployments (excluding enterprise components).
  image: docker.io/anchore/anchore-engine:v0.8.1
  imagePullPolicy: IfNotPresent
  # Set image pull secret name if using an anchore-engine image from a private registry
  imagePullSecretName:

  # Set this value to True to setup the chart for OpenShift deployment compatibility.
  openShiftDeployment: False

  # Add additionnal labels to all kubernetes resources
  labels: {}
    # app.kubernetes.io/managed-by: Helm
    # foo: bar

  # Set extra environment variables. These will be set on all containers.
  extraEnv: []
    # - name: foo
    #   value: bar

  # Specifies an existing secret to be used for admin and db passwords
  existingSecret: Null

  # The scratchVolume controls the mounting of an external volume for scratch space for image analysis. Generally speaking
  # you need to provision 3x the size of the largest image (uncompressed) that you want to analyze for this space.
  scratchVolume:
    mountPath: /analysis_scratch
    details:
      # Specify volume configuration here
      emptyDir: {}

  # A secret must be created in the same namespace as anchore-engine is deployed, containing the certificates & public/private keys used for SSL, SAML & custom CAs.
  # Certs and keys should be added using the file name the certificate is stored at. This secret will be mounted to /home/anchore/certs.
  certStoreSecretName: Null

  # Specify your pod securityContext here, by default the anchore images utilize the user/group 'anchore' using uid/gid 1000
  # To disable this securityContext comment out `runAsUser` & `runAsGroup`
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000

  ###
  # Start of General Anchore Engine Configurations (populates /config/config.yaml)
  ###
  # Set where default configs are placed at startup. This must be a writable location for the pod.
  serviceDir: /anchore_service
  logLevel: INFO
  cleanupImages: true

  # Define timeout, in seconds, for image analysis
  imageAnalyzeTimeoutSeconds: 36000

  # If true, when a user adds an ECR registry with username = awsauto then the system will look for an instance profile to use for auth against the registry
  allowECRUseIAMRole: false

  # Enable prometheus metrics
  enableMetrics: true

  # Disable auth on prometheus metrics
  metricsAuthDisabled: false

  # Sets the password & email address for the default anchore-engine admin user.
  defaultAdminPassword: KebabNinja2020
  defaultAdminEmail: jonas.juselius@tromso.serit.no

  saml:
    # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value
    # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs.
    secret: Null
    privateKeyName: Null
    publicKeyName: Null

  oauthEnabled: false
  oauthTokenExpirationSeconds: 3600

  # Set this to True to enable storing user passwords only as secure hashes in the db. This can dramatically increase CPU usage if you
  # don't also use oauth and tokens for internal communications (which requires keys/secret to be configured as well)
  # WARNING: you should not change this after a system has been initialized as it may cause a mismatch in existing passwords
  hashedPasswords: false

  # Configure the database connection within anchore-engine & enterprise-ui. This may get split into 2 different configurations based on service utilized.
  dbConfig:
    timeout: 120
    # Use ssl, but the default postgresql config in helm's stable repo does not support ssl on server side, so this should be set for external dbs only.
    # All ssl dbConfig values are only utilized when ssl=true
    ssl: false
    sslMode: verify-full
    # sslRootCertName is the name of the postgres root CA certificate stored in anchoreGlobal.certStoreSecretName
    sslRootCertName: Null
    connectionPoolSize: 30
    connectionPoolMaxOverflow: 100

  internalServicesSsl:
    # Enable to force all anchore-engine services to communicate internally using SSL
    enabled: false
    # specify whether cert is verfied against the local certifacte bundle (allow self-signed certs if set to false)
    verifyCerts: false
    certSecretKeyName: Null
    certSecretCertName: Null

  # To enable webhooks, set webhooksEnabled: true
  webhooksEnabled: true
  # Configure webhook outputs here. The service provides these webhooks for notifying external systems of updates
  webhooks:
    # User and password to be set (using HTTP basic auth) on all webhook calls if necessary
    webhook_user: Null
    webhook_pass: Null
    ssl_verify: false

    # Endpoint for general notification delivery. These events are image/tag updates etc. This is globally configured
    # and updates for all users are sent to the same host but with a different path for each user.
    # <notification_type>/<userId> are required as documented at end of URI - only hostname:port should be configured.
    general:
      url: http://busynix.default
      # url: "http://somehost:9090/<notification_type>/<userId>"

  # Allow configuration of Kubernetes probes
  probes:
    liveness:
      initialDelaySeconds: 120
      timeoutSeconds: 10
      periodSeconds: 10
      failureThreshold: 6
      successThreshold: 1
    readiness:
      timeoutSeconds: 10
      periodSeconds: 10
      failureThreshold: 3
      successThreshold: 1

# Configuration for the analyzer pods that perform image analysis
# There may be many of these analyzers but best practice is to not have more than one per node since analysis
# is very IO intensive. Use of affinity/anti-affinity rules for scheduling the analyzers is future work.
anchoreAnalyzer:
  replicaCount: 1
  containerPort: 8084

  # Set extra environment variables. These will be set only on analyzer containers.
  extraEnv: []
    # - name: foo
    #   value: bar

  # The cycle timer is the interval between checks to the work queue for new jobs
  cycleTimers:
    image_analyzer: 5

  # Controls the concurrency of the analyzer itself. Can be configured to process more than one task at a time, but it IO bound, so may not
  # necessarily be faster depending on hardware. Should test and balance this value vs. number of analyzers for your deployment cluster performance.
  concurrentTasksPerWorker: 1

  # Image layer caching can be enabled to speed up image downloads before analysis.
  # This chart sets up a scratch directory for all analyzer pods using the values found at anchoreGlobal.scratchVolume.
  # When setting anchoreAnalyzer.layerCacheMaxGigabytes, ensure the scratch volume has suffient storage space.
  # For more info see - https://docs.anchore.com/current/docs/engine/engine_installation/storage/layer_caching/
  # Enable image layer caching by setting a cache size > 0GB.
  layerCacheMaxGigabytes: 0

  # Enable the ability to read a user-supplied 'hints' file to allow users to override and/or augment the software artifacts that are discovered by anchore during its image analysis process.
  # Once enabled, the analyzer services will look for a file with a specific name, location and format located within the container image - /anchore_hints.json
  # For more info see - https://docs.anchore.com/current/docs/engine/engine_installation/configuration/content_hints
  enableHints: false

  configFile:
    # Anchore analyzer config file
    #
    # WARNING - malforming this file can cause the analyzer to fail on all image analysis
    #
    # Options for any analyzer module(s) that takes customizable input
    #
    # example configuration for the 'retrieve_files' analyzer, if installed
    retrieve_files:
      file_list:
        - '/etc/passwd'
        # - '/etc/services'
        # - '/etc/sudoers'

    # example configuration for the 'content_search' analyze, if installed
    secret_search:
      match_params:
        - MAXFILESIZE=10000
        - STOREONMATCH=n
      regexp_match:
        - "AWS_ACCESS_KEY=(?i).*aws_access_key_id( *=+ *).*(?<![A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9]).*"
        - "AWS_SECRET_KEY=(?i).*aws_secret_access_key( *=+ *).*(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=]).*"
        - "PRIV_KEY=(?i)-+BEGIN(.*)PRIVATE KEY-+"
        - "DOCKER_AUTH=(?i).*\"auth\": *\".+\""
        - "API_KEY=(?i).*api(-|_)key( *=+ *).*(?<![A-Z0-9])[A-Z0-9]{20,60}(?![A-Z0-9]).*"
        # - "ALPINE_NULL_ROOT=^root:::0:::::$"
    # content_search:
    #   match_params:
    #     - MAXFILESIZE=10000
    #   regexp_match:
    #     - "EXAMPLE_MATCH="

    # Uncomment the 'malware' section to enable use of the open-source ClamAV malware scanner to detect malicious code embedded in container images.
    # This scan occurs only at analysis time when the image content itself is available, and the scan results are available via the Engine API as well as
    # for consumption in new policy gates to allow gating of image with malware findings.
    # For more detailed configuration info see - https://docs.anchore.com/current/docs/engine/general/concepts/images/analysis/malware_scanning
    #
    malware:
      clamav:
        enabled: true
        db_update_enabled: true


  # resources:
  #  limits:
  #    cpu: 1
  #    memory: 4G
  #  requests:
  #    cpu: 1
  #    memory: 1G

  labels: {}
  annotations: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}


# Pod configuration for the anchore engine api service.
anchoreApi:
  replicaCount: 1

  # Set extra environment variables. These will be set on all api containers.
  extraEnv: []
    # - name: foo
    #   value: bar

  # kubernetes service configuration for anchore external API
  service:
    type: ClusterIP
    port: 8228
    annotations: {}
    label: {}

  # (Optional) Overrides for constructing API URLs.  All values are optional.
  # external:
  #   use_tls: true
  #   hostname: anchore-api.example.com
  #   port: 8443

  # resources:
  #  limits:
  #    cpu: 1
  #    memory: 4G
  #  requests:
  #    cpu: 100m
  #    memory: 1G

  labels: {}
  annotations: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}

anchoreCatalog:
  replicaCount: 1

  # Set extra environment variables. These will be set on all catalog containers.
  extraEnv: []
    # - name: foo
    #   value: bar

  # Intervals to run specific events on (seconds)
  cycleTimers:
    # Interval to check for an update to a tag
    image_watcher: 3600
    # Interval to run a policy evaluation on images with the policy_eval subscription activated.
    policy_eval: 3600
    # Interval to run a vulnerability scan on images with the vuln_update subscription activated.
    vulnerability_scan: 14400
    # Interval at which the catalog looks for new work to put on the image analysis queue.
    analyzer_queue: 1
    # Interval notifications will be processed for state changes
    notifications: 30
    # Intervals service state updates are polled for the system status
    service_watcher: 15
    # Interval between checks to repo for new tags
    repo_watcher: 60

  # Event log configuration for webhooks
  events:
    notification:
      enabled: false
      # Send notifications for events with severity level that matches items in this list
      level:
        - error
        # - info

  archive:
    compression:
      enabled: true
      min_size_kbytes: 100
    storage_driver:
      # Valid storage driver names: 'db', 's3', 'swift'
      name: s3
      config:
        url: https://minio.staging.itpartner.no
        bucket: anchore
        access_key: Mkd324ijlnfll23883
        secret_key: KJQfefrnflol93jpj31mrkjs3i88sj2L
        create_bucket: true

  # kubernetes service configuration for anchore catalog api
  service:
    type: ClusterIP
    port: 8082
    annotations: {}
    labels: {}

  # resources:
  #  limits:
  #    cpu: 1
  #    memory: 2G
  #  requests:
  #    cpu: 100m
  #    memory: 500M

  labels: {}
  annotations: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}

# Pod configuration for the anchore engine policy service.
anchorePolicyEngine:
  replicaCount: 1

  # Set extra environment variables. These will be set on all policy engine containers.
  extraEnv: []
    # - name: foo
    #   value: bar

  # Intervals to run specific events on (seconds)
  cycleTimers:
    # Interval to run a feed sync to get latest cve data
    feed_sync: 14400
    # Interval between checks to see if there needs to be a task queued
    feed_sync_checker: 3600

  # kubernetes service configuration for anchore policy engine api
  service:
    type: ClusterIP
    port: 8087
    annotations: {}
    labels: {}

  # resources:
  #  limits:
  #    cpu: 1
  #    memory: 4G
  #  requests:
  #    cpu: 100m
  #    memory: 1G

  labels: {}
  annotations: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}

# Pod configuration for the anchore engine simplequeue service.
anchoreSimpleQueue:
  replicaCount: 1

  # Set extra environment variables. These will be set on all simplequeue containers.
  extraEnv: []
    # - name: foo
    #   value: bar

  # kubernetes service configuration for anchore simplequeue api
  service:
    type: ClusterIP
    port: 8083
    annotations: {}
    labels: {}

  # resources:
  #  limits:
  #    cpu: 1
  #    memory: 1G
  #  requests:
  #    cpu: 100m
  #    memory: 256M

  labels: {}
  annotations: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}