SONAR-23627 improve initsysctl fail logic trigger 572

charts/sonarqube-dce/CHANGELOG.md

@@ -9,6 +9,9 @@ All changes to this chart will be documented in this file.
 * Fix ENV variables not fetched when using extraConfig.configmaps
 * Support Gateway on different namespace in HTTPRoute
 * Change `ingress.ingressClassName` default, set it to `nginx` if `nginx.enabled` or `ingress-nginx.enabled`
+* Ensure that ConfigMap resources are not created for `initFS` and `initSysctl` if not needed
+* Ensure the Pod will stop at `init` stage if init_sysctl.sh failed to modify kernel parameters
+* Replace the example images in initContainers, initSysctl and initFs from `busybox:1.36` to `ubuntu:24.04`, which are commented out by default
 
 ## [10.7.0]
 * Update Chart's version to 10.7.0

charts/sonarqube-dce/Chart.yaml

@@ -41,6 +41,12 @@ annotations:
       description: "Support Gateway on different namespace in HTTPRoute"
     - kind: changed
       description: "Change `ingress.ingressClassName` default, set it to `nginx` if `nginx.enabled` or `ingress-nginx.enabled`"
+    - kind: changed
+      description: "Ensure that ConfigMap resources are not created for `initFS` and `initSysctl` if not needed"
+    - kind: changed
+      description: "Ensure the Pod will stop at `init` stage if init_sysctl.sh failed to modify kernel parameters"
+    - kind: changed
+      description: "Replace the example images in initContainers, initSysctl and initFs from 'busybox:1.36' to 'ubuntu:24.04', which are commented out by default"
   artifacthub.io/links: |
     - name: support
       url: https://community.sonarsource.com/

charts/sonarqube-dce/templates/init-fs.yaml

@@ -1,3 +1,4 @@
+{{- if and .Values.searchNodes.persistence.enabled .Values.initFs.enabled (not .Values.OpenShift.enabled) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -9,7 +10,6 @@ metadata:
     heritage: {{ .Release.Service }}
 data:
   init_fs.sh: |-
-    {{- if .Values.searchNodes.persistence.enabled }}
     chown -R {{ .Values.searchNodes.persistence.uid }}:{{ .Values.searchNodes.persistence.guid }} {{ .Values.sonarqubeFolder }}/data
     chown -R {{ .Values.searchNodes.persistence.uid }}:{{ .Values.searchNodes.persistence.guid }} {{ .Values.sonarqubeFolder }}/temp
     chown -R {{ .Values.searchNodes.persistence.uid }}:{{ .Values.searchNodes.persistence.guid }} {{ .Values.sonarqubeFolder }}/logs
@@ -19,4 +19,4 @@ data:
     {{- range .Values.searchNodes.persistence.mounts }}
     chown -R {{ $.Values.searchNodes.persistence.uid }}:{{ $.Values.searchNodes.persistence.guid }} {{ .mountPath }}
     {{- end }}
-    {{- end }}
+{{- end }}

charts/sonarqube-dce/templates/init-sysctl.yaml

@@ -1,3 +1,4 @@
+{{- if and .Values.initSysctl.enabled (not .Values.OpenShift.enabled) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -9,29 +10,46 @@ metadata:
     heritage: {{ .Release.Service }}
 data:
   init_sysctl.sh: |-
+    set -o errexit
+    set -o xtrace
     {{- if .Values.initSysctl.vmMaxMapCount }}
-    if [[ "$(sysctl -n vm.max_map_count)" -lt {{ .Values.initSysctl.vmMaxMapCount }} ]]; then
-      sysctl -w vm.max_map_count={{ .Values.initSysctl.vmMaxMapCount }}
+    vmMaxMapCount={{ .Values.initSysctl.vmMaxMapCount | int }}
+    if [[ "$(sysctl -n vm.max_map_count)" -lt $vmMaxMapCount ]]; then
+      sysctl -w vm.max_map_count=$vmMaxMapCount
+      if [[ "$(sysctl -n vm.max_map_count)" -lt $vmMaxMapCount ]]; then
+        echo "Failed to set initSysctl.vmMaxMapCount"; exit 1
+      fi
     fi
     {{- end }}
     {{- if .Values.initSysctl.fsFileMax }}
-    if [[ "$(sysctl -n fs.file-max)" -lt {{ .Values.initSysctl.fsFileMax }} ]]; then
-      sysctl -w fs.file-max={{ .Values.initSysctl.fsFileMax }}
+    fsFileMax={{ .Values.initSysctl.fsFileMax | int }}
+    if [[ "$(sysctl -n fs.file-max)" -lt $fsFileMax ]]; then
+      sysctl -w fs.file-max=$fsFileMax
+      if [[ "$(sysctl -n fs.file-max)" -lt $fsFileMax ]]; then
+        echo "Failed to set initSysctl.fsFileMax"; exit 1
+      fi
     fi
     {{- end }}
     {{- if .Values.initSysctl.nofile }}
+    nofile={{ .Values.initSysctl.nofile | int }}
     if [[ "$(ulimit -n)" != "unlimited" ]]; then
-      if [[ "$(ulimit -n)" -lt {{ .Values.initSysctl.nofile }} ]]; then
-        echo "ulimit -n {{ .Values.initSysctl.nofile }}"
-        ulimit -n {{ .Values.initSysctl.nofile }}
+      if [[ "$(ulimit -n)" -lt $nofile ]]; then
+        ulimit -n $nofile
+        if [[ "$(ulimit -n)" -lt $nofile ]]; then
+          echo "Failed to set initSysctl.nofile"; exit 1
+        fi
       fi
     fi
     {{- end }}
     {{- if .Values.initSysctl.nproc }}
+    nproc={{ .Values.initSysctl.nproc | int }}
     if [[ "$(ulimit -u)" != "unlimited" ]]; then
-      if [[ "$(ulimit -u)" -lt {{ .Values.initSysctl.nproc }} ]]; then
-        echo "ulimit -u {{ .Values.initSysctl.nproc }}"
-        ulimit -u {{ .Values.initSysctl.nproc }}
+      if [[ "$(ulimit -u)" -lt $nproc ]]; then
+        ulimit -u $nproc
+        if [[ "$(ulimit -u)" -lt $nproc ]]; then
+          echo "Failed to set initSysctl.nproc"; exit 1
+        fi
       fi
     fi
     {{- end }}
+{{- end }}

charts/sonarqube-dce/values.yaml

@@ -570,7 +570,8 @@ networkPolicy:
   # additionalNetworkPolicies:
 
 initContainers:
-  # image: busybox:1.36
+  # all initContainers use SonarQube image by default, but you can override it by setting the image field (ex image: ubuntu:24.04)
+  # image:
   # Set the security context for the init containers
   # The current section contains the default values set in a generic Kubernetes cluster. If you are using OpenShift, you should not set any specific UID or GID to be used for the execution.
   # We allow the init containers to have a separate security context declaration because
@@ -613,7 +614,8 @@ initSysctl:
   fsFileMax: 131072
   nofile: 131072
   nproc: 8192
-  # image: busybox:1.36
+  # all initContainers use SonarQube image by default, but you can override it by setting the image field (ex image: ubuntu:24.04)
+  # image:
   securityContext:
     # Compatible with podSecurity standard privileged
     privileged: true
@@ -624,7 +626,8 @@ initSysctl:
 
 initFs:
   enabled: true
-  # image: busybox:1.36
+  # all initContainers use SonarQube image by default, but you can override it by setting the image field (ex image: ubuntu:24.04)
+  # image:
   # Compatible with podSecurity standard baseline
   securityContext:
     privileged: false

charts/sonarqube/CHANGELOG.md

@@ -12,6 +12,9 @@ All changes to this chart will be documented in this file.
 * Set `app.kubernetes.io/name` and `app.kubernetes.io/version` as selector labels
 * Support Gateway on different namespace in HTTPRoute
 * Change `ingress.ingressClassName` default, set it to `nginx` if `nginx.enabled` or `ingress-nginx.enabled`
+* Ensure that ConfigMap resources are not created for `initFS` and `initSysctl` if not needed
+* Ensure the Pod will stop at `init` stage if init_sysctl.sh failed to modify kernel parameters
+* Replace the example images in initContainers, initSysctl and initFs from `busybox:1.36` to `ubuntu:24.04`, which are commented out by default
 
 ## [10.7.0]
 * Update Chart's version to 10.7.0

charts/sonarqube/Chart.yaml

@@ -52,6 +52,12 @@ annotations:
       description: "Support Gateway on different namespace in HTTPRoute"
     - kind: changed
       description: "Change `ingress.ingressClassName` default, set it to `nginx` if `nginx.enabled` or `ingress-nginx.enabled`"
+    - kind: changed
+      description: "Ensure that ConfigMap resources are not created for `initFS` and `initSysctl` if not needed"
+    - kind: changed
+      description: "Ensure the Pod will stop at `init` stage if init_sysctl.sh failed to modify kernel parameters"
+    - kind: changed
+      description: "Replace the example images in initContainers, initSysctl and initFs from 'busybox:1.36' to 'ubuntu:24.04', which are commented out by default"
   artifacthub.io/containsSecurityUpdates: "false"
   artifacthub.io/images: |
     - name: sonarqube

charts/sonarqube/templates/init-fs.yaml

@@ -1,11 +1,11 @@
+{{- if and .Values.persistence.enabled .Values.initFs.enabled (not .Values.OpenShift.enabled) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ template "sonarqube.fullname" . }}-init-fs
   labels: {{- include "sonarqube.labels" . | nindent 4 }}
 data:
   init_fs.sh: |-
-    {{- if .Values.persistence.enabled }}
     chown -R {{ .Values.persistence.uid }}:{{ .Values.persistence.guid }} {{ .Values.sonarqubeFolder }}/data
     chown -R {{ .Values.persistence.uid }}:{{ .Values.persistence.guid }} {{ .Values.sonarqubeFolder }}/temp
     chown -R {{ .Values.persistence.uid }}:{{ .Values.persistence.guid }} {{ .Values.sonarqubeFolder }}/logs
@@ -18,4 +18,4 @@ data:
     {{- range .Values.persistence.mounts }}
     chown -R {{ $.Values.persistence.uid }}:{{ $.Values.persistence.guid }} {{ .mountPath }}
     {{- end }}
-    {{- end }}
+{{- end }}

charts/sonarqube/templates/init-sysctl.yaml

@@ -1,33 +1,51 @@
+{{- if and .Values.initSysctl.enabled (not .Values.OpenShift.enabled) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ template "sonarqube.fullname" . }}-init-sysctl
   labels: {{- include "sonarqube.labels" . | nindent 4 }}
 data:
   init_sysctl.sh: |-
+    set -o errexit
+    set -o xtrace
     {{- if .Values.initSysctl.vmMaxMapCount }}
-    if [[ "$(sysctl -n vm.max_map_count)" -lt {{ .Values.initSysctl.vmMaxMapCount }} ]]; then
-      sysctl -w vm.max_map_count={{ .Values.initSysctl.vmMaxMapCount }}
+    vmMaxMapCount={{ .Values.initSysctl.vmMaxMapCount | int }}
+    if [[ "$(sysctl -n vm.max_map_count)" -lt $vmMaxMapCount ]]; then
+      sysctl -w vm.max_map_count=$vmMaxMapCount
+      if [[ "$(sysctl -n vm.max_map_count)" -lt $vmMaxMapCount ]]; then
+        echo "Failed to set initSysctl.vmMaxMapCount"; exit 1
+      fi
     fi
     {{- end }}
     {{- if .Values.initSysctl.fsFileMax }}
-    if [[ "$(sysctl -n fs.file-max)" -lt {{ .Values.initSysctl.fsFileMax }} ]]; then
-      sysctl -w fs.file-max={{ .Values.initSysctl.fsFileMax }}
+    fsFileMax={{ .Values.initSysctl.fsFileMax | int }}
+    if [[ "$(sysctl -n fs.file-max)" -lt $fsFileMax ]]; then
+      sysctl -w fs.file-max=$fsFileMax
+      if [[ "$(sysctl -n fs.file-max)" -lt $fsFileMax ]]; then
+        echo "Failed to set initSysctl.fsFileMax"; exit 1
+      fi
     fi
     {{- end }}
     {{- if .Values.initSysctl.nofile }}
+    nofile={{ .Values.initSysctl.nofile | int }}
     if [[ "$(ulimit -n)" != "unlimited" ]]; then
-      if [[ "$(ulimit -n)" -lt {{ .Values.initSysctl.nofile }} ]]; then
-        echo "ulimit -n {{ .Values.initSysctl.nofile }}"
-        ulimit -n {{ .Values.initSysctl.nofile }}
+      if [[ "$(ulimit -n)" -lt $nofile ]]; then
+        ulimit -n $nofile
+        if [[ "$(ulimit -n)" -lt $nofile ]]; then
+          echo "Failed to set initSysctl.nofile"; exit 1
+        fi
       fi
     fi
     {{- end }}
     {{- if .Values.initSysctl.nproc }}
+    nproc={{ .Values.initSysctl.nproc | int }}
     if [[ "$(ulimit -u)" != "unlimited" ]]; then
-      if [[ "$(ulimit -u)" -lt {{ .Values.initSysctl.nproc }} ]]; then
-        echo "ulimit -u {{ .Values.initSysctl.nproc }}"
-        ulimit -u {{ .Values.initSysctl.nproc }}
+      if [[ "$(ulimit -u)" -lt $nproc ]]; then
+        ulimit -u $nproc
+        if [[ "$(ulimit -u)" -lt $nproc ]]; then
+          echo "Failed to set initSysctl.nproc"; exit 1
+        fi
       fi
     fi
     {{- end }}
+{{- end }}

charts/sonarqube/values.yaml

@@ -266,7 +266,8 @@ startupProbe:
   # sonarWebContext: /
 
 initContainers:
-  # image: busybox:1.36
+  # all initContainers use SonarQube image by default, but you can override it by setting the image field (ex image: ubuntu:24.04)
+  # image:
   # Set the security context for the init containers
   # The current section contains the default values set in a generic Kubernetes cluster. If you are using OpenShift, you should not set any specific UID or GID to be used for the execution.
   # We allow the init containers to have a separate security context declaration because
@@ -320,7 +321,8 @@ initSysctl:
   fsFileMax: 131072
   nofile: 131072
   nproc: 8192
-  # image: busybox:1.36
+  # all initContainers use SonarQube image by default, but you can override it by setting the image field (ex image: ubuntu:24.04)
+  # image:
   securityContext:
     # Compatible with podSecurity standard privileged
     privileged: true
@@ -332,7 +334,8 @@ initSysctl:
 # This should not be required anymore, used to chown/chmod folder created by faulty CSI driver that are not applying properly POSIX fsgroup.
 initFs:
   enabled: true
-  # Image: busybox:1.36
+  # all initContainers use SonarQube image by default, but you can override it by setting the image field (ex image: ubuntu:24.04)
+  # image:
   # Compatible with podSecurity standard baseline.
   securityContext:
     privileged: false

tests/unit-compatibility-test/fixtures/sonarqube-dce/application-values.yaml

@@ -152,22 +152,38 @@ metadata:
     heritage: Helm
 data:
   init_sysctl.sh: |-
-    if [[ "$(sysctl -n vm.max_map_count)" -lt 524288 ]]; then
-      sysctl -w vm.max_map_count=524288
+    set -o errexit
+    set -o xtrace
+    vmMaxMapCount=524288
+    if [[ "$(sysctl -n vm.max_map_count)" -lt $vmMaxMapCount ]]; then
+      sysctl -w vm.max_map_count=$vmMaxMapCount
+      if [[ "$(sysctl -n vm.max_map_count)" -lt $vmMaxMapCount ]]; then
+        echo "Failed to set initSysctl.vmMaxMapCount"; exit 1
+      fi
     fi
-    if [[ "$(sysctl -n fs.file-max)" -lt 131072 ]]; then
-      sysctl -w fs.file-max=131072
+    fsFileMax=131072
+    if [[ "$(sysctl -n fs.file-max)" -lt $fsFileMax ]]; then
+      sysctl -w fs.file-max=$fsFileMax
+      if [[ "$(sysctl -n fs.file-max)" -lt $fsFileMax ]]; then
+        echo "Failed to set initSysctl.fsFileMax"; exit 1
+      fi
     fi
+    nofile=131072
     if [[ "$(ulimit -n)" != "unlimited" ]]; then
-      if [[ "$(ulimit -n)" -lt 131072 ]]; then
-        echo "ulimit -n 131072"
-        ulimit -n 131072
+      if [[ "$(ulimit -n)" -lt $nofile ]]; then
+        ulimit -n $nofile
+        if [[ "$(ulimit -n)" -lt $nofile ]]; then
+          echo "Failed to set initSysctl.nofile"; exit 1
+        fi
       fi
     fi
+    nproc=8192
     if [[ "$(ulimit -u)" != "unlimited" ]]; then
-      if [[ "$(ulimit -u)" -lt 8192 ]]; then
-        echo "ulimit -u 8192"
-        ulimit -u 8192
+      if [[ "$(ulimit -u)" -lt $nproc ]]; then
+        ulimit -u $nproc
+        if [[ "$(ulimit -u)" -lt $nproc ]]; then
+          echo "Failed to set initSysctl.nproc"; exit 1
+        fi
       fi
     fi
 ---
@@ -752,8 +768,8 @@ spec:
         release: application-values.yaml
         sonarqube.datacenter/type: "search"
       annotations:
-        checksum/init-sysctl: b0adbc75e013962bdccee0ff7c665f96cde26a19fb8f77276ab0b19209db1a89
-        checksum/init-fs: 8944b522b680449d8adea850260d1bea05b7e7bcd83500fb45c2fa0eb317a30a
+        checksum/init-sysctl: 1b587d906e96c6234cd5aa9555dd9ee949f054fb3988706772de25668ff91b43
+        checksum/init-fs: 461175353f719eb6a55a52b4494871d9ae945e5537294170eab6ab537a8c6f45
         checksum/config: 8b2345535c307746d03adee70b6115f85449c08829e7ce75c459a28796e9bd90
         checksum/secret: 1769049746dc3c194133f7b24aac8789c0882223b0da297d21d23d95ff731509
     spec:

tests/unit-compatibility-test/fixtures/sonarqube-dce/ca-certificates-configmap.yaml

@@ -153,22 +153,38 @@ metadata:
     heritage: Helm
 data:
   init_sysctl.sh: |-
-    if [[ "$(sysctl -n vm.max_map_count)" -lt 524288 ]]; then
-      sysctl -w vm.max_map_count=524288
+    set -o errexit
+    set -o xtrace
+    vmMaxMapCount=524288
+    if [[ "$(sysctl -n vm.max_map_count)" -lt $vmMaxMapCount ]]; then
+      sysctl -w vm.max_map_count=$vmMaxMapCount
+      if [[ "$(sysctl -n vm.max_map_count)" -lt $vmMaxMapCount ]]; then
+        echo "Failed to set initSysctl.vmMaxMapCount"; exit 1
+      fi
     fi
-    if [[ "$(sysctl -n fs.file-max)" -lt 131072 ]]; then
-      sysctl -w fs.file-max=131072
+    fsFileMax=131072
+    if [[ "$(sysctl -n fs.file-max)" -lt $fsFileMax ]]; then
+      sysctl -w fs.file-max=$fsFileMax
+      if [[ "$(sysctl -n fs.file-max)" -lt $fsFileMax ]]; then
+        echo "Failed to set initSysctl.fsFileMax"; exit 1
+      fi
     fi
+    nofile=131072
     if [[ "$(ulimit -n)" != "unlimited" ]]; then
-      if [[ "$(ulimit -n)" -lt 131072 ]]; then
-        echo "ulimit -n 131072"
-        ulimit -n 131072
+      if [[ "$(ulimit -n)" -lt $nofile ]]; then
+        ulimit -n $nofile
+        if [[ "$(ulimit -n)" -lt $nofile ]]; then
+          echo "Failed to set initSysctl.nofile"; exit 1
+        fi
       fi
     fi
+    nproc=8192
     if [[ "$(ulimit -u)" != "unlimited" ]]; then
-      if [[ "$(ulimit -u)" -lt 8192 ]]; then
-        echo "ulimit -u 8192"
-        ulimit -u 8192
+      if [[ "$(ulimit -u)" -lt $nproc ]]; then
+        ulimit -u $nproc
+        if [[ "$(ulimit -u)" -lt $nproc ]]; then
+          echo "Failed to set initSysctl.nproc"; exit 1
+        fi
       fi
     fi
 ---
@@ -841,8 +857,8 @@ spec:
         release: ca-certificates-configmap.yaml
         sonarqube.datacenter/type: "search"
       annotations:
-        checksum/init-sysctl: 17a1df024490ff1108533d425a03b19807e1dd8859dadf4ef3f43d2a158bb029
-        checksum/init-fs: cb69624553357300ec49db62167a22552120254802bc345a3cddda2f30dc0057
+        checksum/init-sysctl: cb4d6b67c1123dfcde6b074b0346c80f0d3938a8cb22b7138e1999e6c925732b
+        checksum/init-fs: f0ff3cf0adc0a4e0e1bad5642463c76befcca1f6d0bdeae5378dbf33bb02caed
         checksum/config: 505964f6a2a7bb7d01a8952433a77e6b3dee2e772b4680aacc79950fcb84d03d
         checksum/secret: 87d7d3096c3b63930e4aced97a689305d92650d13c06c4ea6d129a9fcade9a22
     spec: