From 918606972b5194068079e632cc14bc69929409c4 Mon Sep 17 00:00:00 2001
From: Carmine Vassallo <carmine.vassallo@sonarsource.com>
Date: Wed, 25 Sep 2024 14:54:28 +0200
Subject: [PATCH] SONAR-23150 Group all Openshift-specific resources under the same parameter
---
 charts/sonarqube-dce/CHANGELOG.md | 2 +
 charts/sonarqube-dce/Chart.yaml | 4 ++
 charts/sonarqube-dce/README.md | 34 ++++++---------
 .../openshift-verifier/values.yaml | 1 -
 charts/sonarqube-dce/templates/route.yaml | 14 +++---
 charts/sonarqube-dce/values.yaml | 43 +++++++++----------
 charts/sonarqube/CHANGELOG.md | 2 +
 charts/sonarqube/Chart.yaml | 4 ++
 charts/sonarqube/README.md | 35 ++++++---------
 .../sonarqube/openshift-verifier/values.yaml | 1 -
 charts/sonarqube/templates/NOTES.txt | 3 -
 charts/sonarqube/templates/route.yaml | 14 +++---
 charts/sonarqube/values.yaml | 43 +++++++++----------
 13 files changed, 94 insertions(+), 106 deletions(-)
diff --git a/charts/sonarqube-dce/CHANGELOG.md b/charts/sonarqube-dce/CHANGELOG.md
index 501b507cc..cc6a35c18 100644
--- a/charts/sonarqube-dce/CHANGELOG.md
+++ b/charts/sonarqube-dce/CHANGELOG.md
@@ -22,6 +22,8 @@ All changes to this chart will be documented in this file.
 * Support SONAR_OPENSHIFT telemetry env_var
 * Update helm chart repo path in sources
 * Support IS_HELM_AUTOSCALING_ENABLED telemetry env_var and rename SONAR_OPENSHIFT to IS_HELM_OPENSHIFT_ENABLED
+* Refactor Route to be subparameter of OpenShift
+* Make OpenShift.createSCC false by default
 ## [10.6.0]
 * Upgrade SonarQube to 10.6.0
diff --git a/charts/sonarqube-dce/Chart.yaml b/charts/sonarqube-dce/Chart.yaml
index 106a8c239..0e79e22a1 100644
--- a/charts/sonarqube-dce/Chart.yaml
+++ b/charts/sonarqube-dce/Chart.yaml
@@ -69,6 +69,10 @@ annotations:
 description: "Update helm chart repo path in sources"
 - kind: added
 description: "Support IS_HELM_AUTOSCALING_ENABLED telemetry env_var and rename SONAR_OPENSHIFT to IS_HELM_OPENSHIFT_ENABLED"
+ - kind: changed
+ description: "Refactor Route to be subparameter of OpenShift"
+ - kind: changed
+ description: "Make OpenShift.createSCC false by default"
 artifacthub.io/links: |
 - name: support
 url: https://community.sonarsource.com/
diff --git a/charts/sonarqube-dce/README.md b/charts/sonarqube-dce/README.md
index 811dcc49a..257740fbb 100644
--- a/charts/sonarqube-dce/README.md
+++ b/charts/sonarqube-dce/README.md
@@ -203,7 +203,7 @@ If running on OpenShift, make sure your account has permissions to create PodMon
 The chart can be installed on OpenShift by setting `OpenShift.enabled=true`. Among the others, please note that this value will disable the initContainer that performs the settings required by Elasticsearch (see [here](#elasticsearch-prerequisites)). Furthermore, we strongly recommend following the [Production Use Case guidelines](#production-use-case).
-`Openshift.createSCC` is deprecated and should be set to `false`. The default securityContext, together with the production configurations described [above](#production-use-case), is compatible with restricted SCCv2.
+Please note that `Openshift.createSCC` is deprecated and should be set to `false`. The default securityContext, together with the production configurations described [above](#production-use-case), is compatible with restricted SCCv2.
 The below command will deploy SonarQube on the Openshift Kubernetes cluster. Please note this will use the embedded postgresql database and is not recommended for production.
@@ -215,14 +215,11 @@ export JWT_SECRET=$(echo -n "your_secret" | openssl dgst -sha256 -hmac "your_key
 helm upgrade --install -n sonarqube-dce sonarqube sonarqube/sonarqube-dce \
 --set ApplicationNodes.jwtSecret=$JWT_SECRET \
 --set OpenShift.enabled=true \
- --set OpenShift.createSCC=false \
 --set postgresql.securityContext.enabled=false \
 --set postgresql.containerSecurityContext.enabled=false
 ```
-### Route definition
-
-If you want to make your application publicly visible with Routes, you can set `route.enabled` to true. Please check the [configuration details](#route) to customize the Route base on your needs.
+If you want to make your application publicly visible with Routes, you can set `OpenShift.route.enabled` to true. Please check the [configuration details](#openshift-1) to customize the Route base on your needs.
 ## Autoscaling
@@ -430,22 +427,17 @@ The following table lists the configurable parameters of the SonarQube chart and
 ### OpenShift
-| Parameter | Description | Default |
-| --------------------- | -------------------------------------------------------------------------------------- | ------- |
-| `OpenShift.enabled` | Define if this deployment is for OpenShift | `false` |
-| `OpenShift.createSCC` | If this deployment is for OpenShift, define if SCC should be created for sonarqube pod | `true` |
-
-### Route
-
-| Parameter | Description | Default |
-| ---------------------- | ----------------------------------------------------------------------------- | -------------------------- |
-| `route.enabled` | Flag to enable OpenShift Route | `false` |
-| `route.host` | Host that points to the service | `"sonarqube.your-org.com"` |
-| `route.path` | Path that the router watches for, to route traffic for to the service | `"/"` |
-| `route.tls` | TLS settings including termination type, certificates, insecure traffic, etc. 
| see `values.yaml` |
-| `route.wildcardPolicy` | The wildcard policy that is allowed where this route is exposed | `None` |
-| `route.annotations` | Optional field to add extra annotations to the route | `None` |
-| `route.labels` | Route additional labels | `{}` |
+| Parameter | Description | Default |
+| -------------------------------- | --------------------------------------------------------------------------------------------------- | -------------------------- |
+| `OpenShift.enabled` | Define if this deployment is for OpenShift | `false` |
+| `OpenShift.createSCC` | (DEPRECATED) If this deployment is for OpenShift, define if SCC should be created for sonarqube pod | `false` |
+| `OpenShift.route.enabled` | Flag to enable OpenShift Route | `false` |
+| `OpenShift.route.host` | Host that points to the service | `"sonarqube.your-org.com"` |
+| `OpenShift.route.path` | Path that the router watches for, to route traffic for to the service | `"/"` |
+| `OpenShift.route.tls` | TLS settings including termination type, certificates, insecure traffic, etc. | see `values.yaml` |
+| `OpenShift.route.wildcardPolicy` | The wildcard policy that is allowed where this route is exposed | `None` |
+| `OpenShift.route.annotations` | Optional field to add extra annotations to the route | `None` |
+| `OpenShift.route.labels` | Route additional labels | `{}` |
 ### HttpRoute
diff --git a/charts/sonarqube-dce/openshift-verifier/values.yaml b/charts/sonarqube-dce/openshift-verifier/values.yaml
index bc6404b93..ccb2d44df 100644
--- a/charts/sonarqube-dce/openshift-verifier/values.yaml
+++ b/charts/sonarqube-dce/openshift-verifier/values.yaml
@@ -1,6 +1,5 @@
 OpenShift:
 enabled: true
- createSCC: false
 postgresql:
 securityContext:
diff --git a/charts/sonarqube-dce/templates/route.yaml b/charts/sonarqube-dce/templates/route.yaml
index 84362aa8b..c4dcd32ae 100644
--- a/charts/sonarqube-dce/templates/route.yaml
+++ b/charts/sonarqube-dce/templates/route.yaml
@@ -1,21 +1,21 @@
-{{- if and .Values.route.enabled .Values.OpenShift.enabled -}}
+{{- if and .Values.OpenShift.route.enabled .Values.OpenShift.enabled -}}
 kind: Route
 apiVersion: route.openshift.io/v1
 metadata:
 name: {{ template "sonarqube.fullname" . }}
 labels:
 {{- include "sonarqube.labels" . | nindent 4 }}
- {{- with .Values.route.labels }}
+ {{- with .Values.OpenShift.route.labels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- with .Values.route.annotations }}
+ {{- with .Values.OpenShift.route.annotations }}
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
- {{- with .Values.route.host }}
+ {{- with .Values.OpenShift.route.host }}
 host: {{ . }}
 {{- end }}
- {{- with .Values.route.path }}
+ {{- with .Values.OpenShift.route.path }}
 path: {{ . }}
 {{- end }}
 to:
@@ -23,10 +23,10 @@ spec:
 name: {{ include "sonarqube.fullname" . }}
 port:
 targetPort: http
- {{- with .Values.route.tls }}
+ {{- with .Values.OpenShift.route.tls }}
 tls:
 {{- toYaml . | nindent 4 }}
 {{- end -}}
- {{- with .Values.route.wildcardPolicy }}
+ {{- with .Values.OpenShift.route.wildcardPolicy }}
 wildcardPolicy: {{ . }}
 {{- end -}}
 {{- end -}}
diff --git a/charts/sonarqube-dce/values.yaml b/charts/sonarqube-dce/values.yaml
index b67faad37..4ccd4d5ad 100644
--- a/charts/sonarqube-dce/values.yaml
+++ b/charts/sonarqube-dce/values.yaml
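Review bot: The renamed condition on the first line of the hunk leaves the old top-level `route` values silently ignored: Helm does not reject unknown keys, so an existing install that still sets `route.enabled=true` renders no Route on its next `helm upgrade`, and the host it had exposed is removed without any error. I would fail loudly on the legacy key before the condition, `{{- if .Values.route }}{{ fail "values key 'route' has moved to 'OpenShift.route'" }}{{- end }}`, and call the migration out in the changelog entry rather than only in the README table. The identical template under charts/sonarqube has the same gap.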
@@ -413,11 +413,30 @@ ApplicationNodes:
 nodeEncryption:
 enabled: false
-## Is this deployment for OpenShift? If so, we help with SCCs
+## OpenShift specific configuration
 OpenShift:
 enabled: false
 # (Deprecated) this parameter should not be needed anymore, we support Openshift SCCv2 by default when Openshift.enabled=true
- createSCC: true
+ createSCC: false
+ route:
+ enabled: false
+ host: "sonarqube.your-org.com"
+ path: "/"
+ # Add tls section to secure traffic.
+ tls:
+ termination: edge
+ # certificate:
+ # key:
+ # caCertificate:
+ # insecureEdgeTerminationPolicy: Redirect
+ wildcardPolicy: None
+ annotations: {}
+ # See Openshift/OKD route annotation
+ # https://docs.openshift.com/container-platform/4.10/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration
+ # haproxy.router.openshift.io/timeout: 1m
+ # Additional labels for Route manifest file
+ # labels:
+ # external: 'true'
 # will be used as default for ingress path and probes path, will be injected in .Values.env as SONAR_WEB_CONTEXT
 # if .Values.ApplicationNodes.env.SONAR_WEB_CONTEXT is set, this value will be ignored
@@ -500,26 +519,6 @@ ingress:
 # hosts:
 # - chart-example.local
-route:
- enabled: false
- host: "sonarqube.your-org.com"
- path: "/"
- # Add tls section to secure traffic.
- tls:
- termination: edge
- # certificate:
- # key:
- # caCertificate:
- # insecureEdgeTerminationPolicy: Redirect
- wildcardPolicy: None
- annotations: {}
- # See Openshift/OKD route annotation
- # https://docs.openshift.com/container-platform/4.10/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration
- # haproxy.router.openshift.io/timeout: 1m
- # Additional labels for Route manifest file
- # labels:
- # external: 'true'
-
 # Affinity for pod assignment
 # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
 affinity: {}
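Review bot: The `createSCC: true` → `false` flip in the first hunk changes what an in-place upgrade does for users who never set the key: if the SCC manifest is gated on this value (that template is not in the diff, so this is inferred), the next `helm upgrade` removes an SCC the release created earlier, and pods that still depended on it would be rejected at their next restart. The deprecation comment right above the key says nothing about that, and neither does the one-line changelog entry. I would extend the comment: `# (Deprecated) defaults to false since this version; upgrading removes any SCC this chart created earlier, so set it to true only if your pods still rely on it.` A matching "upgrade notes" sentence in the README OpenShift section would save users a surprise.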
diff --git a/charts/sonarqube/CHANGELOG.md b/charts/sonarqube/CHANGELOG.md
index e782c8cc5..6dbd3220b 100644
--- a/charts/sonarqube/CHANGELOG.md
+++ b/charts/sonarqube/CHANGELOG.md
@@ -23,6 +23,8 @@ All changes to this chart will be documented in this file.
 * Support SONAR_OPENSHIFT telemetry env_var
 * Update helm chart repo path in sources
 * Changed SONAR_OPENSHIFT to IS_HELM_OPENSHIFT_ENABLED
+* Refactor Route to be subparameter of OpenShift
+* Make OpenShift.createSCC false by default
 ## [10.6.0]
 * Update SonarQube to 10.6.0
diff --git a/charts/sonarqube/Chart.yaml b/charts/sonarqube/Chart.yaml
index 891c9e8c5..ba1efaa82 100644
--- a/charts/sonarqube/Chart.yaml
+++ b/charts/sonarqube/Chart.yaml
@@ -74,6 +74,10 @@ annotations:
 description: "Update helm chart repo path in sources"
 - kind: changed
 description: "Changed SONAR_OPENSHIFT to IS_HELM_OPENSHIFT_ENABLED"
+ - kind: changed
+ description: "Refactor Route to be subparameter of OpenShift"
+ - kind: changed
+ description: "Make OpenShift.createSCC false by default"
 artifacthub.io/containsSecurityUpdates: "false"
 artifacthub.io/images: |
 - name: sonarqube
diff --git a/charts/sonarqube/README.md b/charts/sonarqube/README.md
index 511c2f43a..d5567b1af 100644
--- a/charts/sonarqube/README.md
+++ b/charts/sonarqube/README.md
@@ -206,7 +206,7 @@ If running on OpenShift, make sure your account has permissions to create PodMon
 The chart can be installed on OpenShift by setting `OpenShift.enabled=true`. Among the others, please note that this value will disable the initContainer that performs the settings required by Elasticsearch (see [here](#elasticsearch-prerequisites)). Furthermore, we strongly recommend following the [Production Use Case guidelines](#production-use-case).
-`Openshift.createSCC` is deprecated and should be set to `false`. The default securityContext, together with the production configurations described [above](#production-use-case), is compatible with restricted SCCv2.
+Please note that `Openshift.createSCC` is deprecated and should be set to `false`. The default securityContext, together with the production configurations described [above](#production-use-case), is compatible with restricted SCCv2.
 The below command will deploy SonarQube on the Openshift Kubernetes cluster. Please note this will use the embedded postgresql database and is not recommended for production.
@@ -217,13 +217,9 @@ kubectl create namespace sonarqube # If you dont have permissions to create the
 helm upgrade --install -n sonarqube sonarqube sonarqube/sonarqube \
 --set OpenShift.enabled=true \
 --set postgresql.securityContext.enabled=false \
- --set OpenShift.createSCC=false \
 --set postgresql.containerSecurityContext.enabled=false
 ```
-
-### Route definition
-
-If you want to make your application publicly visible with Routes, you can set `route.enabled` to true. Please check the [configuration details](#route) to customize the Route base on your needs.
+If you want to make your application publicly visible with Routes, you can set `OpenShift.route.enabled` to true. Please check the [configuration details](#openshift-1) to customize the Route base on your needs.
 ## Configuration
@@ -263,10 +259,17 @@ The following table lists the configurable parameters of the SonarQube chart and
 ### OpenShift
-| Parameter | Description | Default |
-| --------------------- | -------------------------------------------------------------------------------------- | ------- |
-| `OpenShift.enabled` | Define if this deployment is for OpenShift | `false` |
-| `OpenShift.createSCC` | If this deployment is for OpenShift, define if SCC should be created for sonarqube pod | `true` |
+| Parameter | Description | Default |
+| -------------------------------- | --------------------------------------------------------------------------------------------------- | -------------------------- |
+| `OpenShift.enabled` | Define if this deployment is for OpenShift | `false` |
+| `OpenShift.createSCC` | (DEPRECATED) If this deployment is for OpenShift, define if SCC should be created for sonarqube pod | `false` |
+| `OpenShift.route.enabled` | Flag to enable OpenShift Route | `false` |
+| `OpenShift.route.host` | Host that points to the service | `"sonarqube.your-org.com"` |
+| `OpenShift.route.path` | Path that the router watches for, to route traffic for to the service | `"/"` |
+| `OpenShift.route.tls` | TLS settings including termination type, certificates, insecure traffic, etc. | see `values.yaml` |
+| `OpenShift.route.wildcardPolicy` | The wildcard policy that is allowed where this route is exposed | `None` |
+| `OpenShift.route.annotations` | Optional field to add extra annotations to the route | `None` |
+| `OpenShift.route.labels` | Route additional labels | `{}` |
 ### Image
@@ -319,18 +322,6 @@ The following table lists the configurable parameters of the SonarQube chart and
 | `ingress.ingressClassName` | Optional field to configure ingress class name | `None` |
 | `ingress.annotations` | Field to add extra annotations to the ingress | {`nginx.ingress.kubernetes.io/proxy-body-size: "64m"`} if `ingress-nginx.enabled=true or nginx.enabled=true` |
-### Route
-
-| Parameter | Description | Default |
-| ---------------------- | ----------------------------------------------------------------------------- | -------------------------- |
-| `route.enabled` | Flag to enable OpenShift Route | `false` |
-| `route.host` | Host that points to the service | `"sonarqube.your-org.com"` |
-| `route.path` | Path that the router watches for, to route traffic for to the service | `"/"` |
-| `route.tls` | TLS settings including termination type, certificates, insecure traffic, etc. | see `values.yaml` |
-| `route.wildcardPolicy` | The wildcard policy that is allowed where this route is exposed | `None` |
-| `route.annotations` | Optional field to add extra annotations to the route | `None` |
-| `route.labels` | Route additional labels | `{}` |
-
 ### HttpRoute
 | Parameter | Description | Default |
diff --git a/charts/sonarqube/openshift-verifier/values.yaml b/charts/sonarqube/openshift-verifier/values.yaml
index 52e346828..1b248c5f1 100644
--- a/charts/sonarqube/openshift-verifier/values.yaml
+++ b/charts/sonarqube/openshift-verifier/values.yaml
@@ -1,6 +1,5 @@
 OpenShift:
 enabled: true
- createSCC: false
 postgresql:
 securityContext:
diff --git a/charts/sonarqube/templates/NOTES.txt b/charts/sonarqube/templates/NOTES.txt
index dd78bafd5..8af159dc4 100644
--- a/charts/sonarqube/templates/NOTES.txt
+++ b/charts/sonarqube/templates/NOTES.txt
@@ -3,9 +3,6 @@
 {{- range .Values.ingress.hosts }}
 http://{{ .name }}
 {{- end }}
-{{- else if .Values.route.enabled }}
- export ROUTE_HOST=$(kubectl get route {{ template "sonarqube.name" . }} --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.host}")
- echo https://$ROUTE_HOST
 {{- else if contains "NodePort" .Values.service.type }}
 export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "sonarqube.fullname" . }})
 export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
diff --git a/charts/sonarqube/templates/route.yaml b/charts/sonarqube/templates/route.yaml
index 84362aa8b..c4dcd32ae 100644
--- a/charts/sonarqube/templates/route.yaml
+++ b/charts/sonarqube/templates/route.yaml
@@ -1,21 +1,21 @@
-{{- if and .Values.route.enabled .Values.OpenShift.enabled -}}
+{{- if and .Values.OpenShift.route.enabled .Values.OpenShift.enabled -}}
 kind: Route
 apiVersion: route.openshift.io/v1
 metadata:
 name: {{ template "sonarqube.fullname" . }}
 labels:
 {{- include "sonarqube.labels" . | nindent 4 }}
- {{- with .Values.route.labels }}
+ {{- with .Values.OpenShift.route.labels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
- {{- with .Values.route.annotations }}
+ {{- with .Values.OpenShift.route.annotations }}
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
- {{- with .Values.route.host }}
+ {{- with .Values.OpenShift.route.host }}
 host: {{ . }}
 {{- end }}
- {{- with .Values.route.path }}
+ {{- with .Values.OpenShift.route.path }}
 path: {{ . }}
 {{- end }}
 to:
@@ -23,10 +23,10 @@ spec:
 name: {{ include "sonarqube.fullname" . }}
 port:
 targetPort: http
- {{- with .Values.route.tls }}
+ {{- with .Values.OpenShift.route.tls }}
 tls:
 {{- toYaml . | nindent 4 }}
 {{- end -}}
- {{- with .Values.route.wildcardPolicy }}
+ {{- with .Values.OpenShift.route.wildcardPolicy }}
 wildcardPolicy: {{ . }}
 {{- end -}}
 {{- end -}}
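Review bot: The Route branch in NOTES.txt is deleted rather than moved to the new key, so an OpenShift install with `OpenShift.route.enabled=true` no longer prints how to reach the instance, while the ingress and NodePort branches around it still do. I would restore it on the new values path and, while at it, query the name route.yaml actually assigns (`sonarqube.fullname`; the removed line used `sonarqube.name`, which never matched the Route's metadata.name): `{{- else if and .Values.OpenShift.enabled .Values.OpenShift.route.enabled }}` / `export ROUTE_HOST=$(kubectl get route {{ template "sonarqube.fullname" . }} --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.host}")` / `echo https://$ROUTE_HOST`. The `if` chain this branch belongs to starts before the hunk.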
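Review bot: The first line of this route.yaml hunk switches to `.Values.OpenShift.route.enabled` with no handling of the old top-level `route` key, so a values file written against the previous chart version is accepted by Helm and simply yields no Route on upgrade; the previously exposed host is withdrawn without a warning. A one-line guard ahead of the condition makes the migration explicit: `{{- if .Values.route }}{{ fail "values key 'route' has moved to 'OpenShift.route'" }}{{- end }}`. Removing it once a release later is cheap, and it turns a silent outage into an upgrade error.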
diff --git a/charts/sonarqube/values.yaml b/charts/sonarqube/values.yaml
index 6e45b02a4..4250248a0 100644
--- a/charts/sonarqube/values.yaml
+++ b/charts/sonarqube/values.yaml
@@ -21,11 +21,30 @@ deploymentStrategy: {}
 ##
 # schedulerName:
-## Is this deployment for OpenShift? If so, we help with SCCs
+## OpenShift specific configuration
 OpenShift:
 enabled: false
 # (Deprecated) this parameter should not be needed anymore, we support Openshift SCCv2 by default when Openshift.enabled=true
- createSCC: true
+ createSCC: false
+ route:
+ enabled: false
+ host: "sonarqube.your-org.com"
+ path: "/"
+ # Add tls section to secure traffic.
+ tls:
+ termination: edge
+ # certificate:
+ # key:
+ # caCertificate:
+ # insecureEdgeTerminationPolicy: Redirect
+ wildcardPolicy: None
+ annotations: {}
+ # See Openshift/OKD route annotation
+ # https://docs.openshift.com/container-platform/4.10/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration
+ # haproxy.router.openshift.io/timeout: 1m
+ # Additional labels for Route manifest file
+ # labels:
+ # external: 'true'
 edition: "community"
@@ -158,26 +177,6 @@ ingress:
 # hosts:
 # - chart-example.local
-route:
- enabled: false
- host: "sonarqube.your-org.com"
- path: "/"
- # Add tls section to secure traffic.
- tls:
- termination: edge
- # certificate:
- # key:
- # caCertificate:
- # insecureEdgeTerminationPolicy: Redirect
- wildcardPolicy: None
- annotations: {}
- # See Openshift/OKD route annotation
- # https://docs.openshift.com/container-platform/4.10/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration
- # haproxy.router.openshift.io/timeout: 1m
- # Additional labels for Route manifest file
- # labels:
- # external: 'true'
-
 # Affinity for pod assignment
 # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
 affinity: {}
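Review bot: The placeholder `host: "sonarqube.your-org.com"` moved in the first hunk is a live default, not documentation: route.yaml wraps the host in `{{- with ... }}`, which only skips an empty value, so a user who flips `OpenShift.route.enabled` on without overriding `host` registers that placeholder hostname with the cluster router instead of getting a router-generated one. I would ship `host: ""` with the comment `# leave empty to let the router generate a hostname; set it to the public FQDN you control` so the example name lives in the comment rather than in the rendered manifest. The same placeholder is carried over in the DCE chart's values.yaml.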