anchore · HN23 · Dec 18, 2024 · Dec 18, 2024 · Dec 18, 2024 · Dec 18, 2024
@@ -29,7 +29,7 @@ jobs:
 
     - uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2.3.4
       with:
-        python-version: 3.7
+        python-version: '3.10'
 
     - name: Set up Helm
       uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
@@ -123,6 +123,15 @@ jobs:
         echo '  image: "docker.io/anchore/anchore-on-prem-ui-dev:rc"' >> stable/enterprise/ci/openshift-test.yaml
         echo "Appended to stable/enterprise/ci/openshift-test.yaml"
 
+    - name: Update to nightly image if needed
+      if: ${{ github.event.pull_request.base.ref == 'nightly' || github.ref_name == 'nightly' }}
+      run: |
+        echo "Branch: ${{ github.event.pull_request.head.ref }}"
+        echo 'image: "docker.io/anchore/enterprise-dev:nightly"' >> stable/enterprise/ci/openshift-test.yaml
+        echo 'ui:' >> stable/enterprise/ci/openshift-test.yaml
+        echo '  image: "docker.io/anchore/anchore-on-prem-ui-dev:nightly"' >> stable/enterprise/ci/openshift-test.yaml
+        echo "Appended to stable/enterprise/ci/openshift-test.yaml"
+
     - name: Run chart-testing
       if: steps.list-changed.outputs.CHANGED == 'true'
       run: |

@@ -27,7 +27,7 @@ jobs:
 
     - uses: actions/setup-python@e9aba2c848f5ebd159c070c61ea2c4e2b122355e # v2.3.4
       with:
-        python-version: 3.7
+        python-version: '3.10'
 
     - name: Set up Helm
       uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
@@ -106,6 +106,15 @@ jobs:
         echo '  image: "docker.io/anchore/anchore-on-prem-ui-dev:rc"' >> stable/enterprise/ci/rc-values.yaml
         echo "Appended to stable/enterprise/ci/rc-values.yaml"
 
+    - name: Update to nightly image if needed
+      if: ${{ github.event.pull_request.base.ref == 'nightly' || github.ref_name == 'nightly' }}
+      run: |
+        echo "Branch: ${{ github.event.pull_request.head.ref }}"
+        echo 'image: "docker.io/anchore/enterprise-dev:nightly"' >> stable/enterprise/ci/nightly-values.yaml
+        echo 'ui:' >> stable/enterprise/ci/nightly-values.yaml
+        echo '  image: "docker.io/anchore/anchore-on-prem-ui-dev:nightly"' >> stable/enterprise/ci/nightly-values.yaml
+        echo "Appended to stable/enterprise/ci/nightly-values.yaml"
+
     - name: Run chart-testing
       if: steps.list-changed.outputs.CHANGED == 'true'
       run: ct install --config ct-config.yaml --helm-extra-args "--timeout 600s"
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: enterprise
-version: "3.3.0"
-appVersion: "5.13.0"
+version: "3.3.1"
+appVersion: "5.13.1"
 kubeVersion: 1.23.x - 1.31.x || 1.23.x-x - 1.31.x-x
 description: |
   Anchore Enterprise is a complete container security workflow solution for professional teams. Easily integrating with CI/CD systems,

@@ -89,7 +89,7 @@ This guide covers deploying Anchore Enterprise on a Kubernetes cluster with the
 
 ### Installing on Openshift
 
-You will need to either disable or properly set the parameters for `containerSecurityContext`, `runAsUser`, and `fsGroup` for the `ui-redis` and any PostgreSQL database that you deploy using the Enterprise chart (e.g., via `postgresql.chartEnabled`).
+You will need to either disable or properly set the parameters for `containerSecurityContext`, `runAsUser`, and `fsGroup` for the `ui-redis` and any PostgreSQL database that you deploy using the Enterprise chart (e.g., via `postgresql.chartEnabled`). Also, by default, Anchore Enterprise creates a user that normally runs the application with a uid/gid/group of 1000. If your deployment uses any other user as openshift usually does, you will need to update the HOME environment variable to a directory where the analyzer service can write to.
 
 For example:
 
@@ -103,7 +103,9 @@ For example:
       --set postgresql.primary.containerSecurityContext.enabled=false \
       --set postgresql.primary.podSecurityContext.enabled=false \
       --set ui-redis.master.podSecurityContext.enabled=false \
-      --set ui-redis.master.containerSecurityContext.enabled=false
+      --set ui-redis.master.containerSecurityContext.enabled=false \
+      --set analyzer.extraEnv[0].name=HOME \
+      --set analyzer.extraEnv[0].value=/tmp
     ```
 
     > **Note:** disabling the containerSecurityContext and podSecurityContext may not be suitable for production. See [Redhat's documentation](https://docs.openshift.com/container-platform/4.13/authentication/managing-security-context-constraints.html#managing-pod-security-policies) on what may be suitable for production. For more information on the openshift.io/sa.scc.uid-range annotation, see the [openshift docs](https://docs.openshift.com/dedicated/authentication/managing-security-context-constraints.html#security-context-constraints-pre-allocated-values_configuring-internal-oauth)
@@ -129,6 +131,10 @@ ui-redis:
       enabled: false
     containerSecurityContext:
       enabled: false
+analyzer:
+  extraEnv:
+    - name: HOME
+      value: /tmp
 ```
 
 ## Upgrading the Chart
@@ -643,7 +649,7 @@ To restore your deployment to using your previous driver configurations:
 
 | Name                                    | Description                                                                                                                        | Value                                  |
 | --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- |
-| `image`                                 | Image used for all Anchore Enterprise deployments, excluding Anchore UI                                                            | `docker.io/anchore/enterprise:v5.13.0` |
+| `image`                                 | Image used for all Anchore Enterprise deployments, excluding Anchore UI                                                            | `docker.io/anchore/enterprise:v5.13.1` |
 | `imagePullPolicy`                       | Image pull policy used by all deployments                                                                                          | `IfNotPresent`                         |
 | `imagePullSecretName`                   | Name of Docker credentials secret for access to private repos                                                                      | `anchore-enterprise-pullcreds`         |
 | `useExistingPullCredSecret`             | forgoes pullcred secret creation and uses the secret defined in imagePullSecretName                                                | `true`                                 |

@@ -26,7 +26,7 @@ migration job should match snapshot:
               name: test-release-enterprise-config-env-vars
           - secretRef:
               name: test-release-enterprise
-        image: docker.io/anchore/enterprise:v5.13.0
+        image: docker.io/anchore/enterprise:v5.13.1
         imagePullPolicy: IfNotPresent
         name: migrate-analysis-archive
         volumeMounts:
@@ -89,7 +89,7 @@ migration job should match snapshot:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.name
-        image: docker.io/anchore/enterprise:v5.13.0
+        image: docker.io/anchore/enterprise:v5.13.1
         imagePullPolicy: IfNotPresent
         name: wait-for-db
     restartPolicy: Never
@@ -148,7 +148,7 @@ migration job should match snapshot analysisArchiveMigration and objectStoreMigr
               name: test-release-enterprise-config-env-vars
           - secretRef:
               name: test-release-enterprise
-        image: docker.io/anchore/enterprise:v5.13.0
+        image: docker.io/anchore/enterprise:v5.13.1
         imagePullPolicy: IfNotPresent
         name: migrate-analysis-archive
         volumeMounts:
@@ -211,7 +211,7 @@ migration job should match snapshot analysisArchiveMigration and objectStoreMigr
             valueFrom:
               fieldRef:
                 fieldPath: metadata.name
-        image: docker.io/anchore/enterprise:v5.13.0
+        image: docker.io/anchore/enterprise:v5.13.1
         imagePullPolicy: IfNotPresent
         name: wait-for-db
     restartPolicy: Never
@@ -268,7 +268,7 @@ migration job should match snapshot analysisArchiveMigration to true:
               name: test-release-enterprise-config-env-vars
           - secretRef:
               name: test-release-enterprise
-        image: docker.io/anchore/enterprise:v5.13.0
+        image: docker.io/anchore/enterprise:v5.13.1
         imagePullPolicy: IfNotPresent
         name: migrate-analysis-archive
         volumeMounts:
@@ -331,7 +331,7 @@ migration job should match snapshot analysisArchiveMigration to true:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.name
-        image: docker.io/anchore/enterprise:v5.13.0
+        image: docker.io/anchore/enterprise:v5.13.1
         imagePullPolicy: IfNotPresent
         name: wait-for-db
     restartPolicy: Never
@@ -387,7 +387,7 @@ migration job should match snapshot objectStoreMigration to true:
               name: test-release-enterprise-config-env-vars
           - secretRef:
               name: test-release-enterprise
-        image: docker.io/anchore/enterprise:v5.13.0
+        image: docker.io/anchore/enterprise:v5.13.1
         imagePullPolicy: IfNotPresent
         name: migrate-analysis-archive
         volumeMounts:
@@ -450,7 +450,7 @@ migration job should match snapshot objectStoreMigration to true:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.name
-        image: docker.io/anchore/enterprise:v5.13.0
+        image: docker.io/anchore/enterprise:v5.13.1
         imagePullPolicy: IfNotPresent
         name: wait-for-db
     restartPolicy: Never
@@ -621,6 +621,6 @@ should render proper initContainers:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-      image: docker.io/anchore/enterprise:v5.13.0
+      image: docker.io/anchore/enterprise:v5.13.1
       imagePullPolicy: IfNotPresent
       name: wait-for-db
@@ -19,7 +19,7 @@ global:
 
 ## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI
 ##
-image: docker.io/anchore/enterprise:v5.13.0
+image: docker.io/anchore/enterprise:v5.13.1
 
 ## @param imagePullPolicy Image pull policy used by all deployments
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy