[incubator/anchore-engine] Adds incubator chart for Anchore Engine (helm#3293)

* Adds incubator chart for Anchore Engine

* Fixes linter issues on anchore-engine values.yaml

* Fixes truth values for values.yaml

* Fixes for truthy values in other yaml configs for anchore-engine chart

* Fix ingress spec for anchore-engine chart for easier config with helm cli

* Addresses typos and some cleanup as requested in PR review

* Adds more startup and config info in NOTES.txt for anchore-engine

* Cleanup and make labels consistent in anchore-engine deployments

* Move anchore-engine chart from incubator/ to stable/

Author: zhill

stable/anchore-engine/Chart.yaml

@@ -0,0 +1,19 @@
+name: anchore-engine
+version: 0.1.0
+appVersion: 0.1.6
+description: Anchore container analysis and policy evaluation engine service
+keywords:
+ - analysis
+ - docker
+ - anchore
+ - "anchore-engine"
+ - image
+ - security
+home: https://anchore.io
+sources:
+ - https://github.com/anchore/anchore-engine
+maintainers:
+ - name: zhill
+   email: zach@anchore.com
+engine: gotpl
+icon: https://anchore.com/wp-content/uploads/2016/08/anchore.png

stable/anchore-engine/README.md

@@ -0,0 +1,83 @@
+Anchore Engine Helm Chart
+=========================
+
+This chart deploys the Anchore Engine docker container image analysis system. Anchore Engine
+requires a PostgresSQL database (>=9.6) which may be handled by the chart or supplied externally,
+and executes in a 2-tier architecture with an api/control layer and a batch execution worker pool layer.
+
+See [Anchore Engine](https://github.com/anchore/anchore-engine) for more project details.
+
+
+Chart Details
+-------------
+
+The chart is split into three primary sections: GlobalConfig, CoreConfig, WorkerConfig. As the name implies,
+the GlobalConfig is for configuration values that all components require, while the Core and Worker sections are
+tier-specific and allow customization for each role.
+
+
+### Core Role
+The core services provide the apis and state management for the system. Core services must be available within the cluster
+for use by the workers.
+* Core component provides webhook calls to external services for notifications of events:
+  * New images added
+  * CVE changes in images
+  * Policy evaluation state change for an image
+
+
+### Worker Role
+The workers download and analyze images and upload results to the core services. The workers poll the queue service and
+do not have their own external api.
+
+
+Installing the Chart
+--------------------
+
+Deploying PostgreSQL as a dependency managed in the chart:
+
+`helm install .`
+
+
+Using and existing/external PostgreSQL service:
+
+`helm install --name <name> --set postgresql.enabled=False .`
+
+
+Configuration
+-------------
+
+While the configuration options of Anchore Engine are extensive, the options provided by the chart are:
+
+### Database
+
+* External Postgres (not managed by helm)
+  * postgresql.enabled=False
+  * postgresql.externalEndpoint=myserver.mypostgres.com:5432
+  * postgresql.postgresUser=username
+  * postgresql.postgresPassword=password
+  * postgresql.postgresDatabase=db name  
+  * globalConfig.dbConfig.ssl=True
+
+
+### Policy Sync from anchore.io
+anchore.io is a hosted version of anchore engine that includes a UI and policy editor. You can configure a local anchore-engine
+to download and keep the policy bundles in sync (policies defining how to evaluate images).
+Simply provide the credentials for your anchore.io account in the values.yaml or using `--set` on CLI to enable:
+
+* coreConfig.policyBundleSyncEnabled=True
+* globalConfig.users.admin.anchoreIOCredentials.useAnonymous=False
+* globalConfig.users.admin.anchoreIOCredentials.user=username
+* globalConfig.users.admin.anchoreIOCredentials.password=password
+
+
+Adding Workers
+--------------
+
+To set a specific number of workers once the service is running:
+
+`helm upgrade --set workerConfig.replicaCount=2`
+
+To launch with more than one worker you can either modify values.yaml or run with:
+
+`helm install --set workerConfig.replicaCount=2 <chart location>`
+

stable/anchore-engine/requirements.yaml

@@ -0,0 +1,5 @@
+dependencies:
+  - name: postgresql
+    version: "*"
+    repository: "alias:stable"
+    condition: postgresql.enabled

stable/anchore-engine/templates/NOTES.txt

@@ -0,0 +1,63 @@
+To use Anchore Engine you need the URL, username, and password to access the API.
+
+Anchore Engine can be accessed via port {{ .Values.service.ports.api }} on the following DNS name from within the cluster:
+{{ template "fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
+
+Here are the steps to configure the anchore-cli (`pip install anchorecli`). Use these same values for direct API access as well.
+
+To configure your anchore-cli run:
+
+    ANCHORE_CLI_USER=admin
+    ANCHORE_CLI_PASS=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "fullname" . }} -o jsonpath="{.data.adminPassword}" | base64 --decode; echo)
+{{ if .Values.ingress.enabled }}
+   ANCHORE_CLI_URL=http://$(kubectl get ingress --namespace {{ .Release.Namespace }} {{ template "fullname" . }} -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
+{{ else }}
+Using the service endpoint from within the cluster you can use:
+    ANCHORE_CLI_URL=http://{{ template "fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.ports.api}}/v1/
+{{ end }}
+
+To verify the service is up and running, you can run container for the Anchore Engine CLI:
+
+    kubectl run -i --tty anchore-cli --restart=Never --image anchore/engine-cli --env ANCHORE_CLI_USER=admin --env ANCHORE_CLI_PASS=${ANCHORE_CLI_PASS} --env ANCHORE_CLI_URL=http://{{ template "fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.ports.api}}/v1/
+
+from within the container you can use 'anchore-cli' commands.
+
+* NOTE: On first startup of anchore-engine, it performs a CVE data sync which may take several minutes to complete. During this time the system status will report 'partially_down' and any images added for analysis will stay in the 'not_analyzed' state.
+Once the sync is complete, any queued images will be analyzed and the system status will change to 'all_up'.
+
+Initial setup time can be >60sec for postgresql setup and readiness checks to pass for the services as indicated by pod state. You can check with:
+    kubectl get pods -l app={{ template "fullname" .}},component=core
+
+
+A quick primer on using the Anchore Engine CLI follows. For more info see: https://github.com/anchore/anchore-engine/wiki/Getting-Started
+
+View system status:
+
+    anchore-cli system status
+
+Add an image to be analyzed:
+
+    anchore-cli image add <imageref>
+
+List images and see the analysis status (not_analyzed initially):
+
+    anchore-cli image list
+
+Once the image is analyzed you'll see status change to 'analyzed'. This may take some time on first execution with a new database because
+the system must first do a CVE data sync which can take several minutes. Once complete, the image will transition to 'analyzing' state.
+
+When the image reaches 'analyzed' state, you can view policy evaluation output with:
+
+    anchore-cli evaluate check <imageref>
+
+List CVEs found in the image with:
+
+    anchore-cli image vuln <imageref> os
+
+List OS packages found in the image with:
+    anchore-cli image content <imageref> os
+
+List files found in the image with:
+    anchore-cli image content <imageref> files
+
+

stable/anchore-engine/templates/_helpers.tpl

@@ -0,0 +1,43 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "worker.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s-%s" .Release.Name $name "worker"| trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "core.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s-%s" .Release.Name $name "core"| trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+
+{{/*
+Create a default fully qualified dependency name for the db.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "postgres.fullname" -}}
+{{- printf "%s-%s" .Release.Name "postgresql" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

stable/anchore-engine/templates/core_configmap.yaml

@@ -0,0 +1,131 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: "{{ template "core.fullname" . }}"
+  labels:
+    app: "{{ template "fullname" . }}"
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+    component: core
+data:
+  config.yaml: |
+    # Anchore Service Configuration File from ConfigMap
+    service_dir: {{ default "/config" .Values.globalConfig.configDir }}
+    tmp_dir: "/tmp"
+
+    allow_awsecr_iam_auto: {{ .Values.globalConfig.allowECRUseIAMRole }}
+    cleanup_images: {{ .Values.globalConfig.cleanupImages }}
+
+    # docker_conn: 'unix://var/run/docker.sock'
+    # docker_conn_timeout: 600
+
+    log_level: {{ .Values.coreConfig.logLevel }}
+    host_id: ${ANCHORE_HOST_ID}
+    internal_ssl_verify: {{ .Values.globalConfig.internalServicesSslVerifyCerts }}
+
+    # Uncomment if you have a local endpoint that can accept
+    # notifications from the anchore-engine, as configured below
+    #
+    {{ if .Values.coreConfig.webhooks.enabled }}
+    webhooks:
+{{ toYaml .Values.coreConfig.webhooks.config | indent 6 }}
+    {{ end }}
+
+    # A feeds section is available for override, but shouldn't be
+    # needed. By default, the 'admin' credentials are used if present,
+    # otherwise anonymous access for feed sync is used
+
+    #feeds:
+    #  selective_sync:
+    #    # If enabled only sync specific feeds instead of all.
+    #    enabled: True
+    #    feeds:
+    #      vulnerabilities: True
+    #      # Warning: enabling the package sync causes the service to require much
+    #      #   more memory to do process the significant data volume. We recommend at least 4GB available for the container
+    #      packages: False
+    #  anonymous_user_username: anon@ancho.re
+    #  anonymous_user_password: pbiU2RYZ2XrmYQ
+    #  url: 'https://ancho.re/v1/service/feeds'
+    #  client_url: 'https://ancho.re/v1/account/users'
+    #  token_url: 'https://ancho.re/oauth/token'
+    #  connection_timeout_seconds: 3
+    #  read_timeout_seconds: 60
+
+    credentials:
+      users:
+        admin:
+          password: ${ANCHORE_ADMIN_PASSWORD}
+          email: {{ .Values.globalConfig.users.admin.email }}
+          external_service_auths:
+          {{ if not .Values.globalConfig.users.admin.anchoreIOCredentials.useAnonymous }}
+          anchoreio:
+            anchorecli:
+              auth: "${ANCHORE_IO_USER}:${ANCHORE_IO_PASSWORD}"
+          {{ end }}
+          auto_policy_sync: {{ .Values.coreConfig.policyBundleSyncEnabled }}
+
+      database:
+        {{ if .Values.postgresql.enabled }}
+        db_connect: 'postgresql+pg8000://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@{{ template "postgres.fullname" . }}:5432/{{ .Values.postgresql.postgresDatabase }}'
+        {{ else }}
+        db_connect: 'postgresql+pg8000://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@{{ .Values.postgresql.externalEndpoint}}/{{ .Values.postgresql.postgresDatabase }}'
+        {{ end }}
+        db_connect_args:
+          timeout: 120
+          ssl: {{ .Values.postgresql.sslEnabled }}
+        db_pool_size: {{ .Values.globalConfig.dbConfig.connectionPoolSize }}
+        db_pool_max_overflow: {{ .Values.globalConfig.dbConfig.connectionPoolSize }}
+    services:
+      apiext:
+        enabled: True
+        require_auth: True
+        endpoint_hostname: {{ template "fullname" . }}
+        listen: '0.0.0.0'
+        port: {{ .Values.service.ports.api }}
+        ssl_enable: {{ .Values.globalConfig.internalServicesSslEnabled }}
+        ssl_cert: {{ .Values.coreConfig.ssl.certDir -}}/{{- .Values.coreConfig.ssl.certSecretCertName }}
+        ssl_key: {{ .Values.coreConfig.ssl.certDir -}}/{{- .Values.coreConfig.ssl.certSecretKeyName }}
+      kubernetes_webhook:
+        enabled: True
+        require_auth: False
+        endpoint_hostname: {{ template "fullname" . }}
+        listen: '0.0.0.0'
+        port: {{ .Values.service.ports.k8sImagePolicyWebhook }}
+        ssl_enable: {{ .Values.globalConfig.internalServicesSslEnabled }}
+        ssl_cert: {{ .Values.coreConfig.ssl.certDir -}}/{{- .Values.coreConfig.ssl.certSecretCertName }}
+        ssl_key: {{ .Values.coreConfig.ssl.certDir -}}/{{- .Values.coreConfig.ssl.certSecretKeyName }}
+      catalog:
+        enabled: True
+        require_auth: True
+        endpoint_hostname: {{ template "fullname" . }}
+        listen: '0.0.0.0'
+        port: {{ .Values.service.ports.catalog }}
+        use_db: True
+        cycle_timer_seconds: '1'
+        cycle_timers:
+{{ toYaml .Values.globalConfig.cycleTimers | indent 10 }}
+        ssl_enable: {{ .Values.globalConfig.internalServicesSslEnabled }}
+        ssl_cert: {{ .Values.coreConfig.ssl.certDir -}}/{{- .Values.coreConfig.ssl.certSecretCertName }}
+        ssl_key: {{ .Values.coreConfig.ssl.certDir -}}/{{- .Values.coreConfig.ssl.certSecretKeyName }}
+      simplequeue:
+        enabled: True
+        require_auth: True
+        endpoint_hostname: {{ template "fullname" . }}
+        listen: '0.0.0.0'
+        port: {{ .Values.service.ports.queue }}
+        ssl_enable: {{ .Values.globalConfig.internalServicesSslEnabled }}
+        ssl_cert: {{ .Values.coreConfig.ssl.certDir -}}/{{- .Values.coreConfig.ssl.certSecretCertName }}
+        ssl_key: {{ .Values.coreConfig.ssl.certDir -}}/{{- .Values.coreConfig.ssl.certSecretKeyName }}
+      analyzer:
+        enabled: False
+      policy_engine:
+        enabled: True
+        require_auth: True
+        endpoint_hostname: {{ template "fullname" . }}
+        listen: '0.0.0.0'
+        port: {{ .Values.service.ports.policy }}
+        ssl_cert: {{ .Values.coreConfig.ssl.certDir -}}/{{- .Values.coreConfig.ssl.certSecretCertName }}
+        ssl_key: {{ .Values.coreConfig.ssl.certDir -}}/{{- .Values.coreConfig.ssl.certSecretKeyName }}
+        ssl_enable: {{ .Values.globalConfig.internalServicesSslEnabled }}