From 918606972b5194068079e632cc14bc69929409c4 Mon Sep 17 00:00:00 2001
From: Carmine Vassallo <carmine.vassallo@sonarsource.com>
Date: Wed, 25 Sep 2024 14:54:28 +0200
Subject: [PATCH] SONAR-23150 Group all Openshift-specific resources under the
 same parameter

---
 charts/sonarqube-dce/CHANGELOG.md             |  2 +
 charts/sonarqube-dce/Chart.yaml               |  4 ++
 charts/sonarqube-dce/README.md                | 34 ++++++---------
 .../openshift-verifier/values.yaml            |  1 -
 charts/sonarqube-dce/templates/route.yaml     | 14 +++---
 charts/sonarqube-dce/values.yaml              | 43 +++++++++----------
 charts/sonarqube/CHANGELOG.md                 |  2 +
 charts/sonarqube/Chart.yaml                   |  4 ++
 charts/sonarqube/README.md                    | 35 ++++++---------
 .../sonarqube/openshift-verifier/values.yaml  |  1 -
 charts/sonarqube/templates/NOTES.txt          |  3 --
 charts/sonarqube/templates/route.yaml         | 14 +++---
 charts/sonarqube/values.yaml                  | 43 +++++++++----------
 13 files changed, 94 insertions(+), 106 deletions(-)

diff --git a/charts/sonarqube-dce/CHANGELOG.md b/charts/sonarqube-dce/CHANGELOG.md
index 501b507cc..cc6a35c18 100644
--- a/charts/sonarqube-dce/CHANGELOG.md
+++ b/charts/sonarqube-dce/CHANGELOG.md
@@ -22,6 +22,8 @@ All changes to this chart will be documented in this file.
 * Support SONAR_OPENSHIFT telemetry env_var
 * Update helm chart repo path in sources
 * Support IS_HELM_AUTOSCALING_ENABLED telemetry env_var and rename SONAR_OPENSHIFT to IS_HELM_OPENSHIFT_ENABLED
+* Refactor Route to be subparameter of OpenShift
+* Make OpenShift.createSCC false by default
 
 ## [10.6.0]
 * Upgrade SonarQube to 10.6.0
diff --git a/charts/sonarqube-dce/Chart.yaml b/charts/sonarqube-dce/Chart.yaml
index 106a8c239..0e79e22a1 100644
--- a/charts/sonarqube-dce/Chart.yaml
+++ b/charts/sonarqube-dce/Chart.yaml
@@ -69,6 +69,10 @@ annotations:
       description: "Update helm chart repo path in sources"
     - kind: added
       description: "Support IS_HELM_AUTOSCALING_ENABLED telemetry env_var and rename SONAR_OPENSHIFT to IS_HELM_OPENSHIFT_ENABLED"
+    - kind: changed
+      description: "Refactor Route to be subparameter of OpenShift"
+    - kind: changed
+      description: "Make OpenShift.createSCC false by default"
   artifacthub.io/links: |
     - name: support
       url: https://community.sonarsource.com/
diff --git a/charts/sonarqube-dce/README.md b/charts/sonarqube-dce/README.md
index 811dcc49a..257740fbb 100644
--- a/charts/sonarqube-dce/README.md
+++ b/charts/sonarqube-dce/README.md
@@ -203,7 +203,7 @@ If running on OpenShift, make sure your account has permissions to create PodMon
 
 The chart can be installed on OpenShift by setting `OpenShift.enabled=true`. Among the others, please note that this value will disable the initContainer that performs the settings required by Elasticsearch (see [here](#elasticsearch-prerequisites)). Furthermore, we strongly recommend following the [Production Use Case guidelines](#production-use-case).
 
-`Openshift.createSCC` is deprecated and should be set to `false`. The default securityContext, together with the production configurations described [above](#production-use-case), is compatible with restricted SCCv2.
+Please note that `Openshift.createSCC` is deprecated and should be set to `false`. The default securityContext, together with the production configurations described [above](#production-use-case), is compatible with restricted SCCv2.
 
 The below command will deploy SonarQube on the Openshift Kubernetes cluster. Please note this will use the embedded postgresql database and is not recommended for production.
 
@@ -215,14 +215,11 @@ export JWT_SECRET=$(echo -n "your_secret" | openssl dgst -sha256 -hmac "your_key
 helm upgrade --install -n sonarqube-dce sonarqube sonarqube/sonarqube-dce \
   --set ApplicationNodes.jwtSecret=$JWT_SECRET \
   --set OpenShift.enabled=true \
-  --set OpenShift.createSCC=false \
   --set postgresql.securityContext.enabled=false \
   --set postgresql.containerSecurityContext.enabled=false
 ```
 
-### Route definition
-
-If you want to make your application publicly visible with Routes, you can set `route.enabled` to true. Please check the [configuration details](#route) to customize the Route base on your needs.
+If you want to make your application publicly visible with Routes, you can set `OpenShift.route.enabled` to true. Please check the [configuration details](#openshift-1) to customize the Route base on your needs.
 
 ## Autoscaling
 
@@ -430,22 +427,17 @@ The following table lists the configurable parameters of the SonarQube chart and
 
 ### OpenShift
 
-| Parameter             | Description                                                                            | Default |
-| --------------------- | -------------------------------------------------------------------------------------- | ------- |
-| `OpenShift.enabled`   | Define if this deployment is for OpenShift                                             | `false` |
-| `OpenShift.createSCC` | If this deployment is for OpenShift, define if SCC should be created for sonarqube pod | `true`  |
-
-### Route
-
-| Parameter              | Description                                                                   | Default                    |
-| ---------------------- | ----------------------------------------------------------------------------- | -------------------------- |
-| `route.enabled`        | Flag to enable OpenShift Route                                                | `false`                    |
-| `route.host`           | Host that points to the service                                               | `"sonarqube.your-org.com"` |
-| `route.path`           | Path that the router watches for, to route traffic for to the service         | `"/"`                      |
-| `route.tls`            | TLS settings including termination type, certificates, insecure traffic, etc. | see `values.yaml`          |
-| `route.wildcardPolicy` | The wildcard policy that is allowed where this route is exposed               | `None`                     |
-| `route.annotations`    | Optional field to add extra annotations to the route                          | `None`                     |
-| `route.labels`         | Route additional labels                                                       | `{}`                       |
+| Parameter                        | Description                                                                                         | Default                    |
+| -------------------------------- | --------------------------------------------------------------------------------------------------- | -------------------------- |
+| `OpenShift.enabled`              | Define if this deployment is for OpenShift                                                          | `false`                    |
+| `OpenShift.createSCC`            | (DEPRECATED) If this deployment is for OpenShift, define if SCC should be created for sonarqube pod | `false`                    |
+| `OpenShift.route.enabled`        | Flag to enable OpenShift Route                                                                      | `false`                    |
+| `OpenShift.route.host`           | Host that points to the service                                                                     | `"sonarqube.your-org.com"` |
+| `OpenShift.route.path`           | Path that the router watches for, to route traffic for to the service                               | `"/"`                      |
+| `OpenShift.route.tls`            | TLS settings including termination type, certificates, insecure traffic, etc.                       | see `values.yaml`          |
+| `OpenShift.route.wildcardPolicy` | The wildcard policy that is allowed where this route is exposed                                     | `None`                     |
+| `OpenShift.route.annotations`    | Optional field to add extra annotations to the route                                                | `None`                     |
+| `OpenShift.route.labels`         | Route additional labels                                                                             | `{}`                       |
 
 ### HttpRoute
 
diff --git a/charts/sonarqube-dce/openshift-verifier/values.yaml b/charts/sonarqube-dce/openshift-verifier/values.yaml
index bc6404b93..ccb2d44df 100644
--- a/charts/sonarqube-dce/openshift-verifier/values.yaml
+++ b/charts/sonarqube-dce/openshift-verifier/values.yaml
@@ -1,6 +1,5 @@
 OpenShift:
   enabled: true
-  createSCC: false
 
 postgresql:
   securityContext:
diff --git a/charts/sonarqube-dce/templates/route.yaml b/charts/sonarqube-dce/templates/route.yaml
index 84362aa8b..c4dcd32ae 100644
--- a/charts/sonarqube-dce/templates/route.yaml
+++ b/charts/sonarqube-dce/templates/route.yaml
@@ -1,21 +1,21 @@
-{{- if and .Values.route.enabled .Values.OpenShift.enabled -}}
+{{- if and .Values.OpenShift.route.enabled .Values.OpenShift.enabled -}}
 kind: Route
 apiVersion: route.openshift.io/v1
 metadata:
   name: {{ template "sonarqube.fullname" . }}
   labels:
     {{- include "sonarqube.labels" . | nindent 4 }}
-    {{- with .Values.route.labels }}
+    {{- with .Values.OpenShift.route.labels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
-  {{- with .Values.route.annotations }}
+  {{- with .Values.OpenShift.route.annotations }}
   annotations: {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
-  {{- with .Values.route.host }}
+  {{- with .Values.OpenShift.route.host }}
   host: {{ . }}
   {{- end }}
-  {{- with .Values.route.path }}
+  {{- with .Values.OpenShift.route.path }}
   path: {{ . }}
   {{- end }}
   to:
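Review bot: Releases that still set the old top-level `route.*` values will lose their Route on upgrade without any error, because the guard on the first line now reads only `.Values.OpenShift.route.enabled` and the legacy key is ignored. A fail-fast check before the `if` would surface the rename at render time, for example `{{- if .Values.route }}{{ fail "route.* has moved to OpenShift.route.*" }}{{- end }}`. The same applies to charts/sonarqube/templates/route.yaml. The `if` opened here closes outside this hunk.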
@@ -23,10 +23,10 @@ spec:
     name: {{ include "sonarqube.fullname" . }}
   port:
     targetPort: http
-  {{- with .Values.route.tls }}
+  {{- with .Values.OpenShift.route.tls }}
   tls: {{- toYaml . | nindent 4 }}
   {{- end -}}
-  {{- with .Values.route.wildcardPolicy }}
+  {{- with .Values.OpenShift.route.wildcardPolicy }}
   wildcardPolicy: {{ . }}
   {{- end -}}
 {{- end -}}
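Review bot: The `tls` map is rendered into the Route verbatim by `toYaml`, so any `key` set under `OpenShift.route.tls` has to come from a values file or the command line, and the values comment does not say how to supply it safely. A comment such as `# key: PEM private key; pass it at install time (--set-file) from a secret store, never commit it` would close that gap. It is also worth noting next to `termination: edge` that the router-to-pod hop is plain HTTP with that setting, so `reencrypt` is the option to consider where in-cluster traffic is not trusted and the backend can serve TLS. The same applies to charts/sonarqube/templates/route.yaml and to both values.yaml files; the `with` blocks here sit inside the `if` opened in the previous hunk.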
diff --git a/charts/sonarqube-dce/values.yaml b/charts/sonarqube-dce/values.yaml
index b67faad37..4ccd4d5ad 100644
--- a/charts/sonarqube-dce/values.yaml
+++ b/charts/sonarqube-dce/values.yaml
@@ -413,11 +413,30 @@ ApplicationNodes:
 nodeEncryption:
   enabled: false
 
-## Is this deployment for OpenShift? If so, we help with SCCs
+## OpenShift specific configuration
 OpenShift:
   enabled: false
   # (Deprecated) this parameter should not be needed anymore, we support Openshift SCCv2 by default when Openshift.enabled=true
-  createSCC: true
+  createSCC: false
+  route:
+    enabled: false
+    host: "sonarqube.your-org.com"
+    path: "/"
+    # Add tls section to secure traffic.
+    tls:
+      termination: edge
+      # certificate:
+      # key:
+      # caCertificate:
+      # insecureEdgeTerminationPolicy: Redirect
+    wildcardPolicy: None
+    annotations: {}
+    # See Openshift/OKD route annotation
+    # https://docs.openshift.com/container-platform/4.10/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration
+    # haproxy.router.openshift.io/timeout: 1m
+    # Additional labels for Route manifest file
+    # labels:
+    #  external: 'true'
 
 # will be used as default for ingress path and probes path, will be injected in .Values.env as SONAR_WEB_CONTEXT
 # if .Values.ApplicationNodes.env.SONAR_WEB_CONTEXT is set, this value will be ignored
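Review bot: The `createSCC` default flips from `true` to `false`, but the comment above it only says the parameter is deprecated and does not warn operators that an upgrade changes behaviour. Installs that relied on the old default presumably lose the chart-created SCC on upgrade (the SCC template is not part of this patch), so the comment should say so, e.g. `# (Deprecated) default is now false; set createSCC=true explicitly only if your pods cannot yet run under restricted-v2`. The same comment writes `Openshift.enabled` while the key is `OpenShift`; Helm value keys are case-sensitive, so it should be spelled as the key. Both points also apply to charts/sonarqube/values.yaml.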
@@ -500,26 +519,6 @@ ingress:
   #   hosts:
   #     - chart-example.local
 
-route:
-  enabled: false
-  host: "sonarqube.your-org.com"
-  path: "/"
-  # Add tls section to secure traffic.
-  tls:
-    termination: edge
-    # certificate:
-    # key:
-    # caCertificate:
-    # insecureEdgeTerminationPolicy: Redirect
-  wildcardPolicy: None
-  annotations: {}
-  # See Openshift/OKD route annotation
-  # https://docs.openshift.com/container-platform/4.10/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration
-  # haproxy.router.openshift.io/timeout: 1m
-  # Additional labels for Route manifest file
-  # labels:
-  #  external: 'true'
-
 # Affinity for pod assignment
 # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
 affinity: {}
diff --git a/charts/sonarqube/CHANGELOG.md b/charts/sonarqube/CHANGELOG.md
index e782c8cc5..6dbd3220b 100644
--- a/charts/sonarqube/CHANGELOG.md
+++ b/charts/sonarqube/CHANGELOG.md
@@ -23,6 +23,8 @@ All changes to this chart will be documented in this file.
 * Support SONAR_OPENSHIFT telemetry env_var
 * Update helm chart repo path in sources
 * Changed SONAR_OPENSHIFT to IS_HELM_OPENSHIFT_ENABLED
+* Refactor Route to be subparameter of OpenShift
+* Make OpenShift.createSCC false by default
 
 ## [10.6.0]
 * Update SonarQube to 10.6.0
diff --git a/charts/sonarqube/Chart.yaml b/charts/sonarqube/Chart.yaml
index 891c9e8c5..ba1efaa82 100644
--- a/charts/sonarqube/Chart.yaml
+++ b/charts/sonarqube/Chart.yaml
@@ -74,6 +74,10 @@ annotations:
       description: "Update helm chart repo path in sources"
     - kind: changed
       description: "Changed SONAR_OPENSHIFT to IS_HELM_OPENSHIFT_ENABLED"
+    - kind: changed
+      description: "Refactor Route to be subparameter of OpenShift"
+    - kind: changed
+      description: "Make OpenShift.createSCC false by default"
   artifacthub.io/containsSecurityUpdates: "false"
   artifacthub.io/images: |
     - name: sonarqube
diff --git a/charts/sonarqube/README.md b/charts/sonarqube/README.md
index 511c2f43a..d5567b1af 100644
--- a/charts/sonarqube/README.md
+++ b/charts/sonarqube/README.md
@@ -206,7 +206,7 @@ If running on OpenShift, make sure your account has permissions to create PodMon
 
 The chart can be installed on OpenShift by setting `OpenShift.enabled=true`. Among the others, please note that this value will disable the initContainer that performs the settings required by Elasticsearch (see [here](#elasticsearch-prerequisites)). Furthermore, we strongly recommend following the [Production Use Case guidelines](#production-use-case).
 
-`Openshift.createSCC` is deprecated and should be set to `false`. The default securityContext, together with the production configurations described [above](#production-use-case), is compatible with restricted SCCv2.
+Please note that `Openshift.createSCC` is deprecated and should be set to `false`. The default securityContext, together with the production configurations described [above](#production-use-case), is compatible with restricted SCCv2.
 
 The below command will deploy SonarQube on the Openshift Kubernetes cluster. Please note this will use the embedded postgresql database and is not recommended for production.
 
@@ -217,13 +217,9 @@ kubectl create namespace sonarqube # If you dont have permissions to create the
 helm upgrade --install -n sonarqube sonarqube sonarqube/sonarqube \
   --set OpenShift.enabled=true \
   --set postgresql.securityContext.enabled=false \
-  --set OpenShift.createSCC=false \
   --set postgresql.containerSecurityContext.enabled=false
 ```
-
-### Route definition
-
-If you want to make your application publicly visible with Routes, you can set `route.enabled` to true. Please check the [configuration details](#route) to customize the Route base on your needs.
+If you want to make your application publicly visible with Routes, you can set `OpenShift.route.enabled` to true. Please check the [configuration details](#openshift-1) to customize the Route base on your needs.
 
 ## Configuration
 
@@ -263,10 +259,17 @@ The following table lists the configurable parameters of the SonarQube chart and
 
 ### OpenShift
 
-| Parameter             | Description                                                                            | Default |
-| --------------------- | -------------------------------------------------------------------------------------- | ------- |
-| `OpenShift.enabled`   | Define if this deployment is for OpenShift                                             | `false` |
-| `OpenShift.createSCC` | If this deployment is for OpenShift, define if SCC should be created for sonarqube pod | `true`  |
+| Parameter                        | Description                                                                                         | Default                    |
+| -------------------------------- | --------------------------------------------------------------------------------------------------- | -------------------------- |
+| `OpenShift.enabled`              | Define if this deployment is for OpenShift                                                          | `false`                    |
+| `OpenShift.createSCC`            | (DEPRECATED) If this deployment is for OpenShift, define if SCC should be created for sonarqube pod | `false`                    |
+| `OpenShift.route.enabled`        | Flag to enable OpenShift Route                                                                      | `false`                    |
+| `OpenShift.route.host`           | Host that points to the service                                                                     | `"sonarqube.your-org.com"` |
+| `OpenShift.route.path`           | Path that the router watches for, to route traffic for to the service                               | `"/"`                      |
+| `OpenShift.route.tls`            | TLS settings including termination type, certificates, insecure traffic, etc.                       | see `values.yaml`          |
+| `OpenShift.route.wildcardPolicy` | The wildcard policy that is allowed where this route is exposed                                     | `None`                     |
+| `OpenShift.route.annotations`    | Optional field to add extra annotations to the route                                                | `None`                     |
+| `OpenShift.route.labels`         | Route additional labels                                                                             | `{}`                       |
 
 ### Image
 
@@ -319,18 +322,6 @@ The following table lists the configurable parameters of the SonarQube chart and
 | `ingress.ingressClassName`     | Optional field to configure ingress class name               | `None`                                                                                                       |
 | `ingress.annotations`          | Field to add extra annotations to the ingress                | {`nginx.ingress.kubernetes.io/proxy-body-size: "64m"`} if `ingress-nginx.enabled=true or nginx.enabled=true` |
 
-### Route
-
-| Parameter              | Description                                                                   | Default                    |
-| ---------------------- | ----------------------------------------------------------------------------- | -------------------------- |
-| `route.enabled`        | Flag to enable OpenShift Route                                                | `false`                    |
-| `route.host`           | Host that points to the service                                               | `"sonarqube.your-org.com"` |
-| `route.path`           | Path that the router watches for, to route traffic for to the service         | `"/"`                      |
-| `route.tls`            | TLS settings including termination type, certificates, insecure traffic, etc. | see `values.yaml`          |
-| `route.wildcardPolicy` | The wildcard policy that is allowed where this route is exposed               | `None`                     |
-| `route.annotations`    | Optional field to add extra annotations to the route                          | `None`                     |
-| `route.labels`         | Route additional labels                                                       | `{}`                       |
-
 ### HttpRoute
 
 | Parameter             | Description                                                                                                   | Default |
diff --git a/charts/sonarqube/openshift-verifier/values.yaml b/charts/sonarqube/openshift-verifier/values.yaml
index 52e346828..1b248c5f1 100644
--- a/charts/sonarqube/openshift-verifier/values.yaml
+++ b/charts/sonarqube/openshift-verifier/values.yaml
@@ -1,6 +1,5 @@
 OpenShift:
   enabled: true
-  createSCC: false
 
 postgresql:
   securityContext:
diff --git a/charts/sonarqube/templates/NOTES.txt b/charts/sonarqube/templates/NOTES.txt
index dd78bafd5..8af159dc4 100644
--- a/charts/sonarqube/templates/NOTES.txt
+++ b/charts/sonarqube/templates/NOTES.txt
@@ -3,9 +3,6 @@
 {{- range .Values.ingress.hosts }}
   http://{{ .name }}
 {{- end }}
-{{- else if .Values.route.enabled }}
-  export ROUTE_HOST=$(kubectl get route {{ template "sonarqube.name" . }} --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.host}")
-  echo https://$ROUTE_HOST
 {{- else if contains "NodePort" .Values.service.type }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "sonarqube.fullname" . }})
   export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
diff --git a/charts/sonarqube/templates/route.yaml b/charts/sonarqube/templates/route.yaml
index 84362aa8b..c4dcd32ae 100644
--- a/charts/sonarqube/templates/route.yaml
+++ b/charts/sonarqube/templates/route.yaml
@@ -1,21 +1,21 @@
-{{- if and .Values.route.enabled .Values.OpenShift.enabled -}}
+{{- if and .Values.OpenShift.route.enabled .Values.OpenShift.enabled -}}
 kind: Route
 apiVersion: route.openshift.io/v1
 metadata:
   name: {{ template "sonarqube.fullname" . }}
   labels:
     {{- include "sonarqube.labels" . | nindent 4 }}
-    {{- with .Values.route.labels }}
+    {{- with .Values.OpenShift.route.labels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
-  {{- with .Values.route.annotations }}
+  {{- with .Values.OpenShift.route.annotations }}
   annotations: {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
-  {{- with .Values.route.host }}
+  {{- with .Values.OpenShift.route.host }}
   host: {{ . }}
   {{- end }}
-  {{- with .Values.route.path }}
+  {{- with .Values.OpenShift.route.path }}
   path: {{ . }}
   {{- end }}
   to:
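Review bot: `host: {{ . }}` and `path: {{ . }}` render user-supplied values as unquoted YAML scalars, so a value containing ` #`, `: ` or a leading `*` changes or breaks the rendered manifest instead of being taken literally. Piping through `quote` keeps them strings: `host: {{ . | quote }}` and `path: {{ . | quote }}`. These lines are unchanged context in this hunk, and the same pattern is in charts/sonarqube-dce/templates/route.yaml.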
@@ -23,10 +23,10 @@ spec:
     name: {{ include "sonarqube.fullname" . }}
   port:
     targetPort: http
-  {{- with .Values.route.tls }}
+  {{- with .Values.OpenShift.route.tls }}
   tls: {{- toYaml . | nindent 4 }}
   {{- end -}}
-  {{- with .Values.route.wildcardPolicy }}
+  {{- with .Values.OpenShift.route.wildcardPolicy }}
   wildcardPolicy: {{ . }}
   {{- end -}}
 {{- end -}}
diff --git a/charts/sonarqube/values.yaml b/charts/sonarqube/values.yaml
index 6e45b02a4..4250248a0 100644
--- a/charts/sonarqube/values.yaml
+++ b/charts/sonarqube/values.yaml
@@ -21,11 +21,30 @@ deploymentStrategy: {}
 ##
 # schedulerName:
 
-## Is this deployment for OpenShift? If so, we help with SCCs
+## OpenShift specific configuration
 OpenShift:
   enabled: false
   # (Deprecated) this parameter should not be needed anymore, we support Openshift SCCv2 by default when Openshift.enabled=true
-  createSCC: true
+  createSCC: false
+  route:
+    enabled: false
+    host: "sonarqube.your-org.com"
+    path: "/"
+    # Add tls section to secure traffic.
+    tls:
+      termination: edge
+      # certificate:
+      # key:
+      # caCertificate:
+      # insecureEdgeTerminationPolicy: Redirect
+    wildcardPolicy: None
+    annotations: {}
+    # See Openshift/OKD route annotation
+    # https://docs.openshift.com/container-platform/4.10/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration
+    # haproxy.router.openshift.io/timeout: 1m
+    # Additional labels for Route manifest file
+    # labels:
+    #  external: 'true'
 
 edition: "community"
 
@@ -158,26 +177,6 @@ ingress:
   #   hosts:
   #     - chart-example.local
 
-route:
-  enabled: false
-  host: "sonarqube.your-org.com"
-  path: "/"
-  # Add tls section to secure traffic.
-  tls:
-    termination: edge
-    # certificate:
-    # key:
-    # caCertificate:
-    # insecureEdgeTerminationPolicy: Redirect
-  wildcardPolicy: None
-  annotations: {}
-  # See Openshift/OKD route annotation
-  # https://docs.openshift.com/container-platform/4.10/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration
-  # haproxy.router.openshift.io/timeout: 1m
-  # Additional labels for Route manifest file
-  # labels:
-  #  external: 'true'
-
 # Affinity for pod assignment
 # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
 affinity: {}