SONAR-23627 address reviewer comments

SonarSource · Nov 20, 2024 · 2e6ba7f · 2e6ba7f
1 parent a420ab2
commit 2e6ba7f
Show file tree

Hide file tree

Showing 8 changed files with 67 additions and 48 deletions.
diff --git a/charts/sonarqube-dce/CHANGELOG.md b/charts/sonarqube-dce/CHANGELOG.md
@@ -9,7 +9,6 @@ All changes to this chart will be documented in this file.
 * Fix ENV variables not fetched when using extraConfig.configmaps
 * Support Gateway on different namespace in HTTPRoute
 * Change `ingress.ingressClassName` default, set it to `nginx` if `nginx.enabled` or `ingress-nginx.enabled`
-* Ensure the Pod will stop at "init" stage if init_sysctl.sh failed to modify kernel parameters
 * Ensure that ConfigMap resources are not created for `initFS` and `initSysctl` if not needed
 * Ensure the Pod will stop at `init` stage if init_sysctl.sh failed to modify kernel parameters
 * Replace the example images in initContainers, initSysctl and initFs from `busybox:1.36` to `ubuntu:24.04`, which are commented out by default

diff --git a/charts/sonarqube-dce/Chart.yaml b/charts/sonarqube-dce/Chart.yaml
@@ -41,8 +41,6 @@ annotations:
       description: "Support Gateway on different namespace in HTTPRoute"
     - kind: changed
       description: "Change `ingress.ingressClassName` default, set it to `nginx` if `nginx.enabled` or `ingress-nginx.enabled`"
-    - kind: changed
-      description: "Ensure the Pod will stop at "init" stage if init_sysctl.sh failed to modify kernel parameters"
     - kind: changed
       description: "Ensure that ConfigMap resources are not created for `initFS` and `initSysctl` if not needed"
     - kind: changed

diff --git a/charts/sonarqube-dce/values.yaml b/charts/sonarqube-dce/values.yaml
@@ -570,7 +570,8 @@ networkPolicy:
   # additionalNetworkPolicies:
 
 initContainers:
-  # image: ubuntu:24.04
+  # all initContainers use SonarQube image by default, but you can override it by setting the image field (ex image: ubuntu:24.04)
+  # image:
   # Set the security context for the init containers
   # The current section contains the default values set in a generic Kubernetes cluster. If you are using OpenShift, you should not set any specific UID or GID to be used for the execution.
   # We allow the init containers to have a separate security context declaration because
@@ -613,7 +614,8 @@ initSysctl:
   fsFileMax: 131072
   nofile: 131072
   nproc: 8192
-  # image: ubuntu:24.04
+  # all initContainers use SonarQube image by default, but you can override it by setting the image field (ex image: ubuntu:24.04)
+  # image:
   securityContext:
     # Compatible with podSecurity standard privileged
     privileged: true
@@ -624,7 +626,8 @@ initSysctl:
 
 initFs:
   enabled: true
-  # image: ubuntu:24.04
+  # all initContainers use SonarQube image by default, but you can override it by setting the image field (ex image: ubuntu:24.04)
+  # image:
   # Compatible with podSecurity standard baseline
   securityContext:
     privileged: false

diff --git a/charts/sonarqube/CHANGELOG.md b/charts/sonarqube/CHANGELOG.md
@@ -12,7 +12,6 @@ All changes to this chart will be documented in this file.
 * Set `app.kubernetes.io/name` and `app.kubernetes.io/version` as selector labels
 * Support Gateway on different namespace in HTTPRoute
 * Change `ingress.ingressClassName` default, set it to `nginx` if `nginx.enabled` or `ingress-nginx.enabled`
-* Ensure the Pod will stop at "init" stage if init_sysctl.sh failed to modify kernel parameters
 * Ensure that ConfigMap resources are not created for `initFS` and `initSysctl` if not needed
 * Ensure the Pod will stop at `init` stage if init_sysctl.sh failed to modify kernel parameters
 * Replace the example images in initContainers, initSysctl and initFs from `busybox:1.36` to `ubuntu:24.04`, which are commented out by default

diff --git a/charts/sonarqube/Chart.yaml b/charts/sonarqube/Chart.yaml
@@ -52,8 +52,6 @@ annotations:
       description: "Support Gateway on different namespace in HTTPRoute"
     - kind: changed
       description: "Change `ingress.ingressClassName` default, set it to `nginx` if `nginx.enabled` or `ingress-nginx.enabled`"
-    - kind: changed
-      description: "Ensure the Pod will stop at "init" stage if init_sysctl.sh failed to modify kernel parameters"
     - kind: changed
       description: "Ensure that ConfigMap resources are not created for `initFS` and `initSysctl` if not needed"
     - kind: changed

diff --git a/charts/sonarqube/values.yaml b/charts/sonarqube/values.yaml
@@ -266,7 +266,8 @@ startupProbe:
   # sonarWebContext: /
 
 initContainers:
-  # image: ubuntu:24.04
+  # all initContainers use SonarQube image by default, but you can override it by setting the image field (ex image: ubuntu:24.04)
+  # image:
   # Set the security context for the init containers
   # The current section contains the default values set in a generic Kubernetes cluster. If you are using OpenShift, you should not set any specific UID or GID to be used for the execution.
   # We allow the init containers to have a separate security context declaration because
@@ -320,7 +321,8 @@ initSysctl:
   fsFileMax: 131072
   nofile: 131072
   nproc: 8192
-  # image: ubuntu:24.04
+  # all initContainers use SonarQube image by default, but you can override it by setting the image field (ex image: ubuntu:24.04)
+  # image:
   securityContext:
     # Compatible with podSecurity standard privileged
     privileged: true
@@ -332,7 +334,8 @@ initSysctl:
 # This should not be required anymore, used to chown/chmod folder created by faulty CSI driver that are not applying properly POSIX fsgroup.
 initFs:
   enabled: true
-  # image: ubuntu:24.04
+  # all initContainers use SonarQube image by default, but you can override it by setting the image field (ex image: ubuntu:24.04)
+  # image:
   # Compatible with podSecurity standard baseline.
   securityContext:
     privileged: false

diff --git a/tests/unit-compatibility-test/fixtures/sonarqube-dce/ingress-with-controller.yaml b/tests/unit-compatibility-test/fixtures/sonarqube-dce/ingress-with-controller.yaml
@@ -185,22 +185,38 @@ metadata:
     heritage: Helm
 data:
   init_sysctl.sh: |-
-    if [[ "$(sysctl -n vm.max_map_count)" -lt 524288 ]]; then
-      sysctl -w vm.max_map_count=524288
+    set -o errexit
+    set -o xtrace
+    vmMaxMapCount=524288
+    if [[ "$(sysctl -n vm.max_map_count)" -lt $vmMaxMapCount ]]; then
+      sysctl -w vm.max_map_count=$vmMaxMapCount
+      if [[ "$(sysctl -n vm.max_map_count)" -lt $vmMaxMapCount ]]; then
+        echo "Failed to set initSysctl.vmMaxMapCount"; exit 1
+      fi
     fi
-    if [[ "$(sysctl -n fs.file-max)" -lt 131072 ]]; then
-      sysctl -w fs.file-max=131072
+    fsFileMax=131072
+    if [[ "$(sysctl -n fs.file-max)" -lt $fsFileMax ]]; then
+      sysctl -w fs.file-max=$fsFileMax
+      if [[ "$(sysctl -n fs.file-max)" -lt $fsFileMax ]]; then
+        echo "Failed to set initSysctl.fsFileMax"; exit 1
+      fi
     fi
+    nofile=131072
     if [[ "$(ulimit -n)" != "unlimited" ]]; then
-      if [[ "$(ulimit -n)" -lt 131072 ]]; then
-        echo "ulimit -n 131072"
-        ulimit -n 131072
+      if [[ "$(ulimit -n)" -lt $nofile ]]; then
+        ulimit -n $nofile
+        if [[ "$(ulimit -n)" -lt $nofile ]]; then
+          echo "Failed to set initSysctl.nofile"; exit 1
+        fi
       fi
     fi
+    nproc=8192
     if [[ "$(ulimit -u)" != "unlimited" ]]; then
-      if [[ "$(ulimit -u)" -lt 8192 ]]; then
-        echo "ulimit -u 8192"
-        ulimit -u 8192
+      if [[ "$(ulimit -u)" -lt $nproc ]]; then
+        ulimit -u $nproc
+        if [[ "$(ulimit -u)" -lt $nproc ]]; then
+          echo "Failed to set initSysctl.nproc"; exit 1
+        fi
       fi
     fi
 ---
@@ -1194,8 +1210,8 @@ spec:
         release: ingress-with-controller.yaml
         sonarqube.datacenter/type: "search"
       annotations:
-        checksum/init-sysctl: e790ce07175257a846fd4cae5bad4b341b0ed871bd7eb0a446201f199a4a5389
-        checksum/init-fs: 569020cc17a8564ac164b758c5ab81ecbd4745bd58cea8a5e4ba86f028d57299
+        checksum/init-sysctl: b42fa4e59b26f5cc057eeeb4e85ddcba3e2899926ae54d58adb538094d449efd
+        checksum/init-fs: b70afd1e97ba884fb0a8ffe54a6eb8f09005e2520210e201ea8213b5cb6fb67d
         checksum/config: 0802efffd324447d65231ce4f307b84a5d15911e978fc43eabbde1b30a09a13a
         checksum/secret: 69cfffcdde0e1ac2a3321ee164a9b6b14fd650bd24843aced925625acd8cc7ff
     spec:

diff --git a/tests/unit-compatibility-test/fixtures/sonarqube/ingress-with-controller.yaml b/tests/unit-compatibility-test/fixtures/sonarqube/ingress-with-controller.yaml
@@ -96,19 +96,6 @@ metadata:
 data:
   sonar.properties: |
 ---
-# Source: sonarqube/templates/init-fs.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: ingress-with-controller.yaml-sonarqube-init-fs
-  labels:
-    app: sonarqube
-    chart: sonarqube-10.8.0
-    release: ingress-with-controller.yaml
-    heritage: Helm
-data:
-  init_fs.sh: |-
----
 # Source: sonarqube/templates/init-sysctl.yaml
 apiVersion: v1
 kind: ConfigMap
@@ -121,22 +108,38 @@ metadata:
     heritage: Helm
 data:
   init_sysctl.sh: |-
-    if [[ "$(sysctl -n vm.max_map_count)" -lt 524288 ]]; then
-      sysctl -w vm.max_map_count=524288
+    set -o errexit
+    set -o xtrace
+    vmMaxMapCount=524288
+    if [[ "$(sysctl -n vm.max_map_count)" -lt $vmMaxMapCount ]]; then
+      sysctl -w vm.max_map_count=$vmMaxMapCount
+      if [[ "$(sysctl -n vm.max_map_count)" -lt $vmMaxMapCount ]]; then
+        echo "Failed to set initSysctl.vmMaxMapCount"; exit 1
+      fi
     fi
-    if [[ "$(sysctl -n fs.file-max)" -lt 131072 ]]; then
-      sysctl -w fs.file-max=131072
+    fsFileMax=131072
+    if [[ "$(sysctl -n fs.file-max)" -lt $fsFileMax ]]; then
+      sysctl -w fs.file-max=$fsFileMax
+      if [[ "$(sysctl -n fs.file-max)" -lt $fsFileMax ]]; then
+        echo "Failed to set initSysctl.fsFileMax"; exit 1
+      fi
     fi
+    nofile=131072
     if [[ "$(ulimit -n)" != "unlimited" ]]; then
-      if [[ "$(ulimit -n)" -lt 131072 ]]; then
-        echo "ulimit -n 131072"
-        ulimit -n 131072
+      if [[ "$(ulimit -n)" -lt $nofile ]]; then
+        ulimit -n $nofile
+        if [[ "$(ulimit -n)" -lt $nofile ]]; then
+          echo "Failed to set initSysctl.nofile"; exit 1
+        fi
       fi
     fi
+    nproc=8192
     if [[ "$(ulimit -u)" != "unlimited" ]]; then
-      if [[ "$(ulimit -u)" -lt 8192 ]]; then
-        echo "ulimit -u 8192"
-        ulimit -u 8192
+      if [[ "$(ulimit -u)" -lt $nproc ]]; then
+        ulimit -u $nproc
+        if [[ "$(ulimit -u)" -lt $nproc ]]; then
+          echo "Failed to set initSysctl.nproc"; exit 1
+        fi
       fi
     fi
 ---
@@ -842,7 +845,7 @@ spec:
     metadata:
       annotations:
         checksum/config: 25099e6e526d3763aa95f4b54fadf9629562a6ce38bc25dfec69d7c9fe3863c9
-        checksum/init-sysctl: 071c109f2b523f380abbb590825f11d96601c885891efdd87dde45d13c80e1b9
+        checksum/init-sysctl: 4004af5203bc3b6c427ec8c7a7a4917d78a57802665bf6ea3a47fa8c95f4e4ed
         checksum/plugins: 5ef5952cbd551dbccd54b9de0c5e736a4ae699c87017ca2ac83f336f03b240c1
         checksum/secret: 18dd23ce39e39f9d9414e5617d454413cef3e2d1c934030c421c3399feba0edf
       labels: