# Default values for anchore_engine chart. # Anchore engine has a dependency on Postgresql, configure here postgresql: # To use an external DB or Google CloudSQL in GKE, uncomment & set 'enabled: false' # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres # enabled: false postgresUser: anchoreengine postgresPassword: anchore-postgres,123 postgresDatabase: anchore # Specify an external (already existing) postgres deployment for use. # Set to the host and port. eg. mypostgres.myserver.io:5432 externalEndpoint: Null # Configure size of the persistent volume used with helm managed chart. # This should be commented out if using an external endpoint. persistence: resourcePolicy: nil size: 20Gi # If running on OpenShift - uncomment the image, imageTag & extraEnv values below. # image: registry.access.redhat.com/rhscl/postgresql-96-rhel7 # imageTag: latest # extraEnv: # - name: POSTGRESQL_USER # value: anchoreengine # - name: POSTGRESQL_PASSWORD # value: anchore-postgres,123 # - name: POSTGRESQL_DATABASE # value: anchore # - name: PGUSER # value: postgres # - name: LD_LIBRARY_PATH # value: /opt/rh/rh-postgresql96/root/usr/lib64 # - name: PATH # value: /opt/rh/rh-postgresql96/root/usr/bin:/opt/app-root/src/bin:/opt/app-root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin # Google CloudSQL support in GKE via gce-proxy cloudsql: # To use CloudSQL in GKE set 'enable: true' enabled: false # set CloudSQL instance: 'project:zone:instancname' instance: "" # Optional existing service account secret to use. # useExistingServiceAcc: false # serviceAccSecretName: service_acc # serviceAccJsonName: for_cloudsql.json image: # set repo and image tag of gce-proxy repository: gcr.io/cloudsql-docker/gce-proxy tag: 1.12 pullPolicy: IfNotPresent # Create an ingress resource for all external anchore engine services (API & Enterprise UI). # By default this chart is setup to use the NGINX ingress controller which needs to be installed & configured on your cluster. # To utilize a GCE/ALB ingress controller comment out the nginx annotations below, change ingress.class, edit path configurations as per the comments, & set API/UI services to use NodePort. ingress: enabled: false labels: {} # Use the following paths for GCE/ALB ingress controller # feedsPath: /v1/feeds/* # apiPath: /v1/* # uiPath: /* # Exposing the feeds API w/ ingress is for special cases only, uncomment feedsPath if external access to the feeds API is needed # feedsPath: /v1/feeds/ apiPath: /v1/ uiPath: / # uncomment `feedsPath` to add an ingress endpoint for the feeds api # Uncomment the following lines to bind on specific hostnames # apiHosts: # - anchore-api.example.com # uiHosts: # - anchore-ui.example.com # feedsHosts: # - anchore-feeds.example.com annotations: # kubernetes.io/ingress.class: gce kubernetes.io/ingress.class: nginx # nginx.ingress.kubernetes.io/ssl-redirect: "false" # kubernetes.io/ingress.allow-http: false # kubernetes.io/tls-acme: true tls: [] # Secrets must be manually created in the namespace. # - secretName: chart-example-tls # hosts: # - chart-example.local # Global configuration shared by all anchore-engine services. anchoreGlobal: # Image used for all anchore engine deployments (excluding enterprise components). image: docker.io/anchore/anchore-engine:v0.7.3 imagePullPolicy: IfNotPresent # Set image pull secret name if using an anchore-engine image from a private registry imagePullSecretName: # Set this value to True to setup the chart for OpenShift deployment compatibility. openShiftDeployment: False # Add additionnal labels to all kubernetes resources labels: {} # app.kubernetes.io/managed-by: Helm # foo: bar # Set extra environment variables. These will be set on all containers. extraEnv: [] # - name: foo # value: bar # Specifies an existing secret to be used for admin and db passwords existingSecret: Null # The scratchVolume controls the mounting of an external volume for scratch space for image analysis. Generally speaking # you need to provision 3x the size of the largest image (uncompressed) that you want to analyze for this space. scratchVolume: mountPath: /analysis_scratch details: # Specify volume configuration here emptyDir: {} # A secret must be created in the same namespace as anchore-engine is deployed, containing the certificates & public/private keys used for SSL, SAML & custom CAs. # Certs and keys should be added using the file name the certificate is stored at. This secret will be mounted to /home/anchore/certs. certStoreSecretName: Null ### # Start of General Anchore Engine Configurations (populates /config/config.yaml) ### # Set where default configs are placed at startup. This must be a writable location for the pod. serviceDir: /anchore_service logLevel: INFO cleanupImages: true # Define timeout, in seconds, for image analysis imageAnalyzeTimeoutSeconds: 36000 # If true, when a user adds an ECR registry with username = awsauto then the system will look for an instance profile to use for auth against the registry allowECRUseIAMRole: false # Enable prometheus metrics enableMetrics: false # Disable auth on prometheus metrics metricsAuthDisabled: false # Sets the password & email address for the default anchore-engine admin user. defaultAdminPassword: foobar defaultAdminEmail: example@email.com saml: # Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value # Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs. secret: Null privateKeyName: Null publicKeyName: Null oauthEnabled: false oauthTokenExpirationSeconds: 3600 # Set this to True to enable storing user passwords only as secure hashes in the db. This can dramatically increase CPU usage if you # don't also use oauth and tokens for internal communications (which requires keys/secret to be configured as well) # WARNING: you should not change this after a system has been initialized as it may cause a mismatch in existing passwords hashedPasswords: false # Configure the database connection within anchore-engine & enterprise-ui. This may get split into 2 different configurations based on service utilized. dbConfig: timeout: 120 # Use ssl, but the default postgresql config in helm's stable repo does not support ssl on server side, so this should be set for external dbs only. # All ssl dbConfig values are only utilized when ssl=true ssl: false sslMode: verify-full # sslRootCertName is the name of the postgres root CA certificate stored in anchoreGlobal.certStoreSecretName sslRootCertName: Null connectionPoolSize: 30 connectionPoolMaxOverflow: 100 internalServicesSsl: # Enable to force all anchore-engine services to communicate internally using SSL enabled: false # specify whether cert is verfied against the local certifacte bundle (allow self-signed certs if set to false) verifyCerts: false certSecretKeyName: Null certSecretCertName: Null # To enable webhooks, set webhooksEnabled: true webhooksEnabled: false # Configure webhook outputs here. The service provides these webhooks for notifying external systems of updates webhooks: # User and password to be set (using HTTP basic auth) on all webhook calls if necessary webhook_user: Null webhook_pass: Null ssl_verify: true # Endpoint for general notification delivery. These events are image/tag updates etc. This is globally configured # and updates for all users are sent to the same host but with a different path for each user. # / are required as documented at end of URI - only hostname:port should be configured. general: {} # url: "http://somehost:9090//" # Configuration for the analyzer pods that perform image analysis # There may be many of these analyzers but best practice is to not have more than one per node since analysis # is very IO intensive. Use of affinity/anti-affinity rules for scheduling the analyzers is future work. anchoreAnalyzer: replicaCount: 1 containerPort: 8084 # Set extra environment variables. These will be set only on analyzer containers. extraEnv: [] # - name: foo # value: bar # The cycle timer is the interval between checks to the work queue for new jobs cycleTimers: image_analyzer: 5 # Controls the concurrency of the analyzer itself. Can be configured to process more than one task at a time, but it IO bound, so may not # necessarily be faster depending on hardware. Should test and balance this value vs. number of analyzers for your deployment cluster performance. concurrentTasksPerWorker: 1 # Image layer caching can be enabled to speed up image downloads before analysis. # This chart sets up a scratch directory for all analyzer pods using the values found at anchoreGlobal.scratchVolume. # When setting anchoreAnalyzer.layerCacheMaxGigabytes, ensure the scratch volume has suffient storage space. # For more info see - https://docs.anchore.com/current/docs/engine/engine_installation/storage/layer_caching/ # Enable image layer caching by setting a cache size > 0GB. layerCacheMaxGigabytes: 0 configFile: # Anchore analyzer config file # # WARNING - malforming this file can cause the analyzer to fail on all image analysis # # Options for any analyzer module(s) that takes customizable input # # example configuration for the 'retrieve_files' analyzer, if installed retrieve_files: file_list: - '/etc/passwd' # - '/etc/services' # - '/etc/sudoers' # example configuration for the 'content_search' analyze, if installed secret_search: match_params: - MAXFILESIZE=10000 - STOREONMATCH=n regexp_match: - "AWS_ACCESS_KEY=(?i).*aws_access_key_id( *=+ *).*(?:9000 # bucket: mybucket # access_key: xxxxxx # secret_key: yyyyyy # create_bucket: true # Example Swift Configuration: # name: swift # config: # # Config for swift has a few options, just add the keys and names as used to configure a swiftclient here. All are passed directly to the client impl. # user: "test:tester" # key: "testing" # auth: "http://swift_ephemeral:8080/auth/v1.0" # # The swift container where data will be stored # container: "local_test_anchore" # # Create the container if it is not already present # create_container: false # kubernetes service configuration for anchore catalog api service: type: ClusterIP port: 8082 annotations: {} labels: {} # resources: # limits: # cpu: 1 # memory: 2G # requests: # cpu: 100m # memory: 500M labels: {} annotations: {} nodeSelector: {} tolerations: [] affinity: {} # Pod configuration for the anchore engine policy service. anchorePolicyEngine: replicaCount: 1 # Set extra environment variables. These will be set on all policy engine containers. extraEnv: [] # - name: foo # value: bar # Intervals to run specific events on (seconds) cycleTimers: # Interval to run a feed sync to get latest cve data feed_sync: 14400 # Interval between checks to see if there needs to be a task queued feed_sync_checker: 3600 # kubernetes service configuration for anchore policy engine api service: type: ClusterIP port: 8087 annotations: {} labels: {} # resources: # limits: # cpu: 1 # memory: 4G # requests: # cpu: 100m # memory: 1G labels: {} annotations: {} nodeSelector: {} tolerations: [] affinity: {} # Pod configuration for the anchore engine simplequeue service. anchoreSimpleQueue: replicaCount: 1 # Set extra environment variables. These will be set on all simplequeue containers. extraEnv: [] # - name: foo # value: bar # kubernetes service configuration for anchore simplequeue api service: type: ClusterIP port: 8083 annotations: {} labels: {} # resources: # limits: # cpu: 1 # memory: 1G # requests: # cpu: 100m # memory: 256M labels: {} annotations: {} nodeSelector: {} tolerations: [] affinity: {} # This section is used for configuring anchore enterprise. anchoreEnterpriseGlobal: enabled: false # Name of kubernetes secret containing your license.yaml file. # Create this secret with the following command - kubectl create secret generic anchore-license --from-file=license.yaml= licenseSecretName: anchore-enterprise-license image: docker.io/anchore/enterprise:v2.3.2 imagePullPolicy: IfNotPresent # Name of the kubernetes secret containing your dockerhub creds with access to the anchore enterprise images. # Create this secret with the following command - kubectl create secret docker-registry anchore-dockerhub-creds --docker-server=docker.io --docker-username= --docker-password= --docker-email= imagePullSecretName: anchore-enterprise-pullcreds # Configure the second postgres database instance for the enterprise feeds service. # Only utilized if anchoreEnterpriseGlobal.enabled: true anchore-feeds-db: # To use an external DB or Google CloudSQL, uncomment & set 'enabled: false' # externalEndpoint, postgresUser, postgresPassword & postgresDatabase are required values for external postgres # enabled: false postgresUser: anchoreengine postgresPassword: anchore-postgres,123 postgresDatabase: anchore-feeds # Specify an external (already existing) postgres deployment for use. # Set to the host and port. eg. mypostgres.myserver.io:5432 externalEndpoint: Null # Configure size of the persitant volume used with helm managed chart. # This should be commented out if using an external endpoint. persistence: resourcePolicy: nil size: 20Gi # If running on OpenShift - uncomment the image, imageTag & extraEnv values below. # image: registry.access.redhat.com/rhscl/postgresql-96-rhel7 # imageTag: latest # extraEnv: # - name: POSTGRESQL_USER # value: anchoreengine # - name: POSTGRESQL_PASSWORD # value: anchore-postgres,123 # - name: POSTGRESQL_DATABASE # value: anchore # - name: PGUSER # value: postgres # - name: LD_LIBRARY_PATH # value: /opt/rh/rh-postgresql96/root/usr/lib64 # - name: PATH # value: /opt/rh/rh-postgresql96/root/usr/bin:/opt/app-root/src/bin:/opt/app-root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin # Configure & enable the Anchore Enterprise on-prem feeds service. anchoreEnterpriseFeeds: # If enabled is set to false, set anchore-feeds-db.enabled to false to ensure that helm doesn't stand up a unneccessary postgres instance. enabled: true # Enable github advisory feeds githubDriverEnabled: false # GitHub advisory feeds require a github developer personal access token with no permission scopes selected. githubDriverToken: null # Enable microsoft feeds msrcDriverEnabled: false msrcApiKey: null # Uncomment to add MSRC product IDs for generating their feed data, this extends the pre-defined list of product IDs # msrcWhitelist: # - 12345 # Set extra environment variables. These will be set on all feeds containers. extraEnv: [] # - name: foo # value: bar # Time delay in seconds between consecutive driver runs for processing data cycleTimers: driver_sync: 7200 # Configure the database connection within anchore-engine & enterprise-ui. This may get split into 2 different configurations based on service utilized. dbConfig: timeout: 120 # Use ssl, but the default postgresql config in helm's stable repo does not support ssl on server side, so this should be set for external dbs ssl: false sslMode: verify-full # Specify path to an additional root CA certificate - this is only utilized if 'ssl: true' is configured. sslRootCertName: Null connectionPoolSize: 30 connectionPoolMaxOverflow: 100 # kubernetes service configuration for anchore feeds service api service: type: ClusterIP port: 8448 annotations: {} labels: {} # resources: # limits: # cpu: 1 # memory: 4G # requests: # cpu: 1 # memory: 2G labels: {} annotations: {} nodeSelector: {} tolerations: [] affinity: {} # Configure the Anchore Enterprise role based access control component. # This component consists of 2 containers that run as side-cars in the anchore engine api pod. anchoreEnterpriseRbac: enabled: true # Set extra environment variables. These will be set on all rbac containers. extraEnv: [] # - name: foo # value: bar # Kubernetes service config - annotations & serviceType configs must be set in anchoreApi # Due to RBAC sharing a service with the general API. service: apiPort: 8229 authPort: 8089 # authResources: # limits: # cpu: 1 # memory: 1G # requests: # cpu: 100m # memory: 256M # managerResources: # limits: # cpu: 1 # memory: 1G # requests: # cpu: 100m # memory: 256M # Configure the Anchore Enterprise reporting component. anchoreEnterpriseReports: enabled: true # Set extra environment variables. These will be set on all rbac containers. extraEnv: [] # - name: foo # value: bar # GraphiQL is a GUI for editing and testing GraphQL queries and mutations. # Set enable_graphiql to true and open http://:/v1/reports/graphql in a browser for reports API enableGraphql: true # Set enable_data_ingress to true for periodically syncing data from anchore engine into the reports service enableDataIngress: true cycleTimers: # images and tags synced every 10 minutes reports_data_load: 600 # policy evaluations and vulnerabilities refreshed every 2 hours reports_data_refresh: 7200 # metrics generated every hour reports_metrics: 3600 # Kubernetes service config - annotations & serviceType configs must be set in anchoreApi # Due to Reports sharing a service with the general API. service: port: 8558 # resources: # limits: # cpu: 1 # memory: 1G # requests: # cpu: 100m # memory: 256M labels: {} annotations: {} nodeSelector: {} tolerations: [] affinity: {} # Configure the Anchore Enterprise notifications component. anchoreEnterpriseNotifications: enabled: true # Set extra environment variables. These will be set on all rbac containers. extraEnv: [] # - name: foo # value: bar cycleTimers: notifications: 30 # Kubernetes service config - annotations & serviceType configs must be set in anchoreApi # Due to Reports sharing a service with the general API. service: port: 8668 # resources: # limits: # cpu: 1 # memory: 1G # requests: # cpu: 100m # memory: 256M labels: {} annotations: {} nodeSelector: {} tolerations: [] affinity: {} # Configure the Anchore Enterprise UI. anchoreEnterpriseUi: # If enabled is set to false, set anchore-ui-redis.enabled to false to ensure that helm doesn't stand up a unneccessary redis instance. enabled: true image: docker.io/anchore/enterprise-ui:v2.3.2 imagePullPolicy: IfNotPresent # Set extra environment variables. These will be set on all UI containers. extraEnv: [] # - name: foo # value: bar # If using LDAPS with a custom CA certificate, add the certificate to the secret specified at anchoreGlobal.certStoreSecretName and specify the name of the cert here ldapsRootCaCertName: Null # Specifies whether to trust a reverse proxy when setting secure cookies (via the `X-Forwarded-Proto` header). enableProxy: false # Specifies if SSL is enabled in the web app container. enableSsl: false # Specifies if a single set of user credentials can be used to start multiple Anchore Enterprise UI sessions; for # example, by multiple users across different systems, or by a single user on a single system across multiple browsers. # # When set to `false`, only one session per credential is permitted at a time, and logging in will invalidate any other # sessions that are using the same set of credentials. Note that setting this property to `false` does not prevent a # single session from being viewed within multiple *tabs* inside the same browser. enableSharedLogin: true # The redisFlushdb` key specifies if the Redis datastore containing # user session keys and data is emptied on application startup. If the datastore # is flushed, any users with active sessions will be required to re-authenticate. redisFlushdb: true # The (optional) `policy_hub_uri` key specifies the address of a Policy Hub # service. The value must be a string containing a properly-formed 'http' or # 'https' URI, and can be overridden by using the `ANCHORE_POLICY_HUB_URI` # environment variable. # # When this value is set, the Policy Hub component is enabled within the # Policy Manager view (`/policy`). Note that the availability and integrity of # Policy Hub data is determined by this component at run-time when this # component is accessed. policyHubUri: 'http://hub.anchore.io' # The (optional) `custom_links` key allows a list of up to 10 external links to # be provided (additional items will be excluded). The top-level `title` key # provided the label for the menu (if present, otherwise the string "Custom # External Links" will be used instead). # # Each link entry must have a title of greater than 0-length and a valid URI. # If either item is invalid, the entry will be excluded. # # Uncomment customLinks and specify your custom config as per the example below # customLinks: # title: Custom External Links # links: # - title: Example Link 1 # uri: https://example.com # - title: Example Link 2 # uri: https://example.com # - title: Example Link 3 # uri: https://example.com # - title: Example Link 4 # uri: https://example.com # - title: Example Link 5 # uri: https://example.com # - title: Example Link 6 # uri: https://example.com # - title: Example Link 7 # uri: https://example.com # - title: Example Link 8 # uri: https://example.com # - title: Example Link 9 # uri: https://example.com # - title: Example Link 10 # uri: https://example.com # The (optional) `enable_add_repositories` key specifies if repositories can be # added via the application interface by either administrative users or standard # users. In the absence of this key, the default is `True`. # # In the absence of one or all of the properties, the default is also `True`. # Thus, this key and a child key corresponding to an account type must be # explicitly set to `False` for the feature to be disabled for that account. # # Uncomment enableAddRepositories and set the config as per the example below # enableAddRepositories: # admin: True # standard: True # kubernetes service configuration for anchore UI service: type: ClusterIP port: 80 annotations: {} labels: {} sessionAffinity: ClientIP # resources: # limits: # cpu: 1 # memory: 1G # requests: # cpu: 100m # memory: 256M labels: {} annotations: {} nodeSelector: {} tolerations: [] affinity: {} # Anchore Engine Enterprise UI is dependent on redis for storing sessions # Only utilized if 'anchoreEnterpriseUi.enabled: true' anchore-ui-redis: password: anchore-redis,123 cluster: enabled: false persistence: enabled: false # To use an external redis endpoint, uncomment to set 'enabled: false' # enabled: false # If 'enabled: false', specify an external redis endpoint - # eg redis://:@hostname:6379 externalEndpoint: Null