From 77cb49d2045dbb34ad477b458203ae3cd0c93325 Mon Sep 17 00:00:00 2001 From: Matt Colman Date: Fri, 13 Nov 2020 14:26:32 +0000 Subject: [PATCH 01/14] work_with_openshift --- charts/sonarqube/templates/deployment.yaml | 33 ++-------- charts/sonarqube/templates/job.yaml | 57 ++++++++++++++++ .../templates/serviceaccount-initsysctl.yaml | 15 +++++ .../templates/sonarqube-init-scc.yaml | 58 +++++++++++++++++ charts/sonarqube/templates/sonarqube-scc.yaml | 65 +++++++++++++++++++ charts/sonarqube/values.yaml | 45 ++++++++++++- 6 files changed, 245 insertions(+), 28 deletions(-) create mode 100644 charts/sonarqube/templates/job.yaml create mode 100644 charts/sonarqube/templates/serviceaccount-initsysctl.yaml create mode 100644 charts/sonarqube/templates/sonarqube-init-scc.yaml create mode 100644 charts/sonarqube/templates/sonarqube-scc.yaml diff --git a/charts/sonarqube/templates/deployment.yaml b/charts/sonarqube/templates/deployment.yaml index c00001e..f51f84d 100644 --- a/charts/sonarqube/templates/deployment.yaml +++ b/charts/sonarqube/templates/deployment.yaml @@ -59,6 +59,12 @@ spec: - name: {{ .Values.image.pullSecret }} {{- end }} initContainers: + - name: "wait-for-db" + image: {{ default "busybox:1.32" .Values.initContainers.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | indent 12 }} + command: ["/bin/sh", "-c", "for i in $(seq 1 200); do nc -z -w3 {{ .Release.Name}}-postgresql 5432 && exit 0 || sleep 2; done; exit 1"] {{- if .Values.caCerts }} - name: ca-certs image: {{ default "adoptopenjdk/openjdk11:alpine" .Values.caCerts.image }} 
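Review bot: The `wait-for-db` init container hard-codes port `5432` although the chart exposes `postgresql.service.port` (visible in the values.yaml context further down this patch), so a port override is silently ignored by the readiness wait; change the probe to `nc -z -w3 {{ .Release.Name }}-postgresql {{ .Values.postgresql.service.port }}`. The loop also runs 200 iterations of a 3 s connect timeout plus a 2 s sleep, roughly 16 minutes, before the pod fails, so if this chart can be pointed at an external database (not visible in this hunk) the container should be gated on the bundled PostgreSQL being enabled rather than waiting for a Service that never exists.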
@@ -82,27 +88,6 @@ spec: {{- . | toYaml | trim | nindent 12 }} {{- end }} {{- end }} - {{- if or .Values.initSysctl.enabled .Values.elasticsearch.configureNode }} - - name: init-sysctl - image: {{ default "busybox:1.32" .Values.initSysctl.image }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if $securityContext := (default .Values.initContainers.securityContext .Values.initSysctl.securityContext) }} - securityContext: -{{ toYaml $securityContext | indent 12 }} - {{- end }} - resources: -{{ toYaml (default .Values.initContainers.resources .Values.initSysctl.resources) | indent 12 }} - command: ["sh", - "-e", - "/tmp/scripts/init_sysctl.sh"] - volumeMounts: - - name: init-sysctl - mountPath: /tmp/scripts/ - {{- with .Values.env }} - env: - {{- . | toYaml | trim | nindent 12 }} - {{- end }} - {{- end }} {{- if .Values.plugins.install }} - name: install-plugins image: {{ default "rjkernick/alpine-wget:latest" .Values.plugins.image }} @@ -321,12 +306,6 @@ spec: secret: secretName: {{ .Values.caCerts.secret }} {{- end }} - - name: init-sysctl - configMap: - name: {{ template "sonarqube.fullname" . }}-init-sysctl - items: - - key: init_sysctl.sh - path: init_sysctl.sh - name: install-plugins configMap: name: {{ template "sonarqube.fullname" . }}-install-plugins diff --git a/charts/sonarqube/templates/job.yaml b/charts/sonarqube/templates/job.yaml new file mode 100644 index 0000000..57003dd --- /dev/null +++ b/charts/sonarqube/templates/job.yaml 
@@ -0,0 +1,57 @@ +{{- if or .Values.initSysctl.enabled .Values.elasticsearch.configureNode }} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "sonarqube.fullname" . }} + labels: + app: {{ template "sonarqube.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + app.kubernetes.io/name: {{ template "sonarqube.name" . }}-{{ template "sonarqube.fullname" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/part-of: sonarqube + app.kubernetes.io/component: {{ template "sonarqube.fullname" . }} + app.kubernetes.io/version: {{ .Values.image.tag | quote }} +spec: + template: + spec: + {{- if .Values.initSysctl.serviceAccount.create }} + {{- if .Values.initSysctl.serviceAccount.name }} + serviceAccountName: {{ .Values.initSysctl.serviceAccount.name }} + {{- else }} + serviceAccountName: {{ include "sonarqube.fullname" . }}-initsysctl + {{- end }} + {{- end }} + containers: + - name: init-sysctl + image: {{ default "busybox:1.32" .Values.initSysctl.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if $securityContext := (default .Values.initContainers.securityContext .Values.initSysctl.securityContext) }} + securityContext: +{{ toYaml $securityContext | indent 12 }} + {{- end }} + resources: +{{ toYaml (default .Values.initContainers.resources .Values.initSysctl.resources) | indent 12 }} + command: ["sh", + "-e", + "/tmp/scripts/init_sysctl.sh"] + volumeMounts: + - name: init-sysctl + mountPath: /tmp/scripts/ + {{- with .Values.env }} + env: + {{- . | toYaml | trim | nindent 12 }} + {{- end }} + restartPolicy: {{ .Values.initSysctl.job.restartPolicy }} + volumes: + - name: init-sysctl + configMap: + name: {{ template "sonarqube.fullname" . }}-init-sysctl + items: + - key: init_sysctl.sh + path: init_sysctl.sh + +{{- end }} \ No newline at end of file 
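Review bot: Running `init-sysctl` as a standalone Job loses the property the init container had: whatever `init_sysctl.sh` applies is a kernel setting and therefore per-node, so the Job tunes only the node it is scheduled on while the SonarQube pod may land on another node (or on a node created later), and on OpenShift the privileged Job also needs a service account allowed to run privileged, which the `initSysctl.serviceAccount.create: false` default in this patch's values does not provide. If the Job form is kept it needs node affinity matching the Deployment, or should be a DaemonSet; otherwise the initContainer form is the correct one. `metadata.name` is also fixed and Job specs are immutable, so a later `helm upgrade` that changes the image or command will fail unless the Job is a hook carrying `"helm.sh/hook-delete-policy": before-hook-creation`.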
diff --git a/charts/sonarqube/templates/serviceaccount-initsysctl.yaml b/charts/sonarqube/templates/serviceaccount-initsysctl.yaml new file mode 100644 index 0000000..040a129 --- /dev/null +++ b/charts/sonarqube/templates/serviceaccount-initsysctl.yaml @@ -0,0 +1,15 @@ +{{- if .Values.initSysctl.serviceAccount.create -}} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: +{{- if .Values.initSysctl.serviceAccount.name }} + name: {{ .Values.initSysctl.serviceAccount.name }} +{{- else }} + name: {{ include "sonarqube.fullname" . }}-initsysctl +{{- end }} +{{- if .Values.serviceAccount.annotations }} + annotations: +{{ toYaml .Values.serviceAccount.annotations | indent 4 }} +{{- end }} +{{- end -}} diff --git a/charts/sonarqube/templates/sonarqube-init-scc.yaml b/charts/sonarqube/templates/sonarqube-init-scc.yaml new file mode 100644 index 0000000..b8e8997 --- /dev/null +++ b/charts/sonarqube/templates/sonarqube-init-scc.yaml 
@@ -0,0 +1,58 @@ +{{- if and (.Values.OpenShift.enabled) (.Values.OpenShift.createSCC) }} +{{- if and (.Values.initSysctl.serviceAccount.create) (not .Values.initSysctl.serviceAccount.name) }} + +# This SCC allows any user ID except root +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + annotations: + kubernetes.io/description: "allows pod to run as root, privileged and run sysctl" + "helm.sh/hook": pre-install + name: {{ .Release.Name }}-initsysctl-privileged-scc +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegedContainer: true +allowPrivilegeEscalation: true +allowedCapabilities: [] +allowedFlexVolumes: [] +allowedUnsafeSysctls: [] +defaultAddCapabilities: [] +defaultAllowPrivilegeEscalation: true +fsGroup: + type: RunAsAny +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: RunAsAny +# This can be customized for your host machine +seLinuxContext: + type: MustRunAs +# seLinuxOptions: +# level: +# user: +# role: +# type: +supplementalGroups: + type: RunAsAny +# This can be customized for your host machine +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +# If you want a priority on your SCC -- set for a value more than 0 +priority: 11 +users: +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-sonarqube-initsysctl + +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/sonarqube/templates/sonarqube-scc.yaml b/charts/sonarqube/templates/sonarqube-scc.yaml new file mode 100644 index 0000000..cb6f6fe --- /dev/null +++ b/charts/sonarqube/templates/sonarqube-scc.yaml 
@@ -0,0 +1,65 @@ +{{- if and (.Values.OpenShift.enabled) (.Values.OpenShift.createSCC) }} + +# This SCC allows any user ID except root +apiVersion: security.openshift.io/v1 +kind: SecurityContextConstraints +metadata: + annotations: + kubernetes.io/description: "nonroot provides all features of the restricted SCC + but allows users to run with any non-root UID. The user must specify the UID + or it must be specified on the by the manifest of the container runtime." + "helm.sh/hook": pre-install + name: {{ .Release.Name }}-nonroot-scc +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegedContainer: false +allowPrivilegeEscalation: true +allowedCapabilities: [] +allowedFlexVolumes: [] +allowedUnsafeSysctls: [] +defaultAddCapabilities: [] +defaultAllowPrivilegeEscalation: true +forbiddenSysctls: + - "*" +fsGroup: + type: RunAsAny +readOnlyRootFilesystem: false +requiredDropCapabilities: +- KILL +- MKNOD +- SETUID +- SETGID +runAsUser: + type: MustRunAsNonRoot +# This can be customized for your host machine +seLinuxContext: + type: MustRunAs +# seLinuxOptions: +# level: +# user: +# role: +# type: +supplementalGroups: + type: RunAsAny +# This can be customized for your host machine +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +# If you want a priority on your SCC -- set for a value more than 0 +priority: 11 +users: +{{- if .Values.serviceAccount.name }} +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-{{ .Values.serviceAccount.name }} +{{- else }} +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-sonarqube +{{- end }} +- system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-postgresql + +{{- end }} diff --git a/charts/sonarqube/values.yaml b/charts/sonarqube/values.yaml index 0e1b5e0..9516f50 100644 --- a/charts/sonarqube/values.yaml +++ b/charts/sonarqube/values.yaml 
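Review bot: The SCC is created as a `"helm.sh/hook": pre-install` hook, so Helm neither updates it on `helm upgrade` nor deletes it on `helm uninstall`; a cluster-scoped grant with `priority: 11` and `allowPrivilegeEscalation: true` to the release's service accounts therefore outlives the release and cannot be corrected by later chart versions. Use `"helm.sh/hook": pre-install,pre-upgrade` together with `"helm.sh/hook-delete-policy": before-hook-creation`, and set `allowPrivilegeEscalation: false` / `defaultAllowPrivilegeEscalation: false`, since nothing in this SCC needs escalation. The `users` entries also build the SA names by hand (`{{ .Release.Name }}-sonarqube`, `{{ .Release.Name }}-{{ .Values.serviceAccount.name }}`, `{{ .Release.Name }}-postgresql`) instead of the `sonarqube.fullname` helper the rest of the chart uses; if the ServiceAccount templates (not visible here) name them differently, the SCC binds nothing and the pods are admitted under `restricted` instead.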
@@ -13,6 +13,11 @@ deploymentStrategy: {} ## # schedulerName: +## Is this deployment for OpenShift? If so, we help with SCCs +OpenShift: + enabled: false + createSCC: true + image: repository: sonarqube tag: 8.5-community @@ -22,7 +27,9 @@ image: # Set security context for sonarqube pod securityContext: - fsGroup: 999 + fsGroup: 1000 + #Sonarqube dockerfile creates sonarqube user as UID and GID 1000 + runAsUser: 1000 # Settings to configure elasticsearch host requirements elasticsearch: @@ -127,9 +134,14 @@ initSysctl: nofile: 131072 nproc: 8192 # image: busybox:1.32 + serviceAccount: + create: false + # name: securityContext: privileged: true # resources: {} + job: + restartPolicy: OnFailure # List of plugins to install. # For example: @@ -243,6 +255,37 @@ postgresql: # Specify the TCP port that PostgreSQL should use service: port: 5432 + resources: + limits: + cpu: 2 + memory: 2Gi + requests: + cpu: 100m + memory: 200Mi + persistence: + enabled: true + accessMode: ReadWriteOnce + size: 20Gi + storageClass: + securityContext: + # enabled needs to false for OpenShift restricted SCC and true for OpenShift anyuid/nonroot SCC + enabled: true + #fsGroup and runAsUser specifications below are not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. + #postgresql dockerfile sets user as 1001 + fsGroup: 1001 + runAsUser: 1001 + volumePermissions: + enabled: true + # if using restricted SCC set runAsUser: "auto" and if running under anyuid/nonroot SCC - runAsUser needs to match runAsUser above + securityContext: + runAsUser: 1001 + shmVolume: + chmod: + enabled: false + serviceAccount: + ## If enabled = true, and name is not set, postgreSQL will create a serviceAccount + enabled: false +# name: # Additional labels to add to the pods: # podLabels: From 7806492122817fd4a0bf160016a0135e159f8a2f Mon Sep 17 00:00:00 2001 
From: Matt Colman Date: Fri, 13 Nov 2020 15:23:35 +0000 Subject: [PATCH 02/14] Update deployment.yaml --- charts/sonarqube/templates/deployment.yaml | 39 ++++++++++++++++++---- 1 file changed, 33 insertions(+), 6 deletions(-) diff --git a/charts/sonarqube/templates/deployment.yaml b/charts/sonarqube/templates/deployment.yaml index f51f84d..6a759f3 100644 --- a/charts/sonarqube/templates/deployment.yaml +++ b/charts/sonarqube/templates/deployment.yaml @@ -59,12 +59,6 @@ spec: - name: {{ .Values.image.pullSecret }} {{- end }} initContainers: - - name: "wait-for-db" - image: {{ default "busybox:1.32" .Values.initContainers.image }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - resources: -{{ toYaml .Values.initContainers.resources | indent 12 }} - command: ["/bin/sh", "-c", "for i in $(seq 1 200); do nc -z -w3 {{ .Release.Name}}-postgresql 5432 && exit 0 || sleep 2; done; exit 1"] {{- if .Values.caCerts }} - name: ca-certs image: {{ default "adoptopenjdk/openjdk11:alpine" .Values.caCerts.image }} @@ -88,6 +82,27 @@ spec: {{- . | toYaml | trim | nindent 12 }} {{- end }} {{- end }} + {{- if or .Values.initSysctl.enabled .Values.elasticsearch.configureNode }} + - name: init-sysctl + image: {{ default "busybox:1.32" .Values.initSysctl.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if $securityContext := (default .Values.initContainers.securityContext .Values.initSysctl.securityContext) }} + securityContext: +{{ toYaml $securityContext | indent 12 }} + {{- end }} + resources: +{{ toYaml (default .Values.initContainers.resources .Values.initSysctl.resources) | indent 12 }} + command: ["sh", + "-e", + "/tmp/scripts/init_sysctl.sh"] + volumeMounts: + - name: init-sysctl + mountPath: /tmp/scripts/ + {{- with .Values.env }} + env: + {{- . | toYaml | trim | nindent 12 }} + {{- end }} + {{- end }} {{- if .Values.plugins.install }} - name: install-plugins image: {{ default "rjkernick/alpine-wget:latest" .Values.plugins.image }} 
@@ -142,6 +157,12 @@ spec: {{- . | toYaml | trim | nindent 12 }} {{- end }} {{- end }} + - name: "wait-for-db" + image: {{ default "busybox:1.32" .Values.initContainers.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: +{{ toYaml .Values.initContainers.resources | indent 12 }} + command: ["/bin/sh", "-c", "for i in $(seq 1 200); do nc -z -w3 {{ .Release.Name}}-postgresql 5432 && exit 0 || sleep 2; done; exit 1"] {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName }} {{- end }} @@ -306,6 +327,12 @@ spec: secret: secretName: {{ .Values.caCerts.secret }} {{- end }} + - name: init-sysctl + configMap: + name: {{ template "sonarqube.fullname" . }}-init-sysctl + items: + - key: init_sysctl.sh + path: init_sysctl.sh - name: install-plugins configMap: name: {{ template "sonarqube.fullname" . }}-install-plugins From ba322d8e9a087bf59e2dc1923dc08bc5e8447bcf Mon Sep 17 00:00:00 2001 From: Matt Colman Date: Fri, 13 Nov 2020 15:29:17 +0000 Subject: [PATCH 03/14] scc changes --- .../templates/serviceaccount-initsysctl.yaml | 15 ----- .../templates/sonarqube-init-scc.yaml | 58 ------------------- charts/sonarqube/templates/sonarqube-scc.yaml | 16 ++--- charts/sonarqube/values.yaml | 5 -- 4 files changed, 6 insertions(+), 88 deletions(-) delete mode 100644 charts/sonarqube/templates/serviceaccount-initsysctl.yaml delete mode 100644 charts/sonarqube/templates/sonarqube-init-scc.yaml diff --git a/charts/sonarqube/templates/serviceaccount-initsysctl.yaml b/charts/sonarqube/templates/serviceaccount-initsysctl.yaml deleted file mode 100644 index 040a129..0000000 --- a/charts/sonarqube/templates/serviceaccount-initsysctl.yaml +++ /dev/null 
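Review bot: The re-added `wait-for-db` init container is the only init container in this file with no `securityContext`, and the pod-level `securityContext` ends this series holding only `fsGroup`, so the busybox shell runs as the image default (root) and, under the privileged SCC this series grants to the SonarQube service account, is admitted that way; give it the same `{{- with .Values.initContainers.securityContext }} securityContext: {{ toYaml . | nindent 12 }} {{- end }}` treatment the other init containers get, and take `5432` from `.Values.postgresql.service.port`. Its position after `install-plugins` also means plugins are downloaded before the database is known reachable; that is harmless, but a one-line comment stating why it is last (or moving it first) would make the order look intentional.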
@@ -1,15 +0,0 @@ -{{- if .Values.initSysctl.serviceAccount.create -}} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: -{{- if .Values.initSysctl.serviceAccount.name }} - name: {{ .Values.initSysctl.serviceAccount.name }} -{{- else }} - name: {{ include "sonarqube.fullname" . }}-initsysctl -{{- end }} -{{- if .Values.serviceAccount.annotations }} - annotations: -{{ toYaml .Values.serviceAccount.annotations | indent 4 }} -{{- end }} -{{- end -}} diff --git a/charts/sonarqube/templates/sonarqube-init-scc.yaml b/charts/sonarqube/templates/sonarqube-init-scc.yaml deleted file mode 100644 index b8e8997..0000000 --- a/charts/sonarqube/templates/sonarqube-init-scc.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -{{- if and (.Values.OpenShift.enabled) (.Values.OpenShift.createSCC) }} -{{- if and (.Values.initSysctl.serviceAccount.create) (not .Values.initSysctl.serviceAccount.name) }} - -# This SCC allows any user ID except root -apiVersion: security.openshift.io/v1 -kind: SecurityContextConstraints -metadata: - annotations: - kubernetes.io/description: "allows pod to run as root, privileged and run sysctl" - "helm.sh/hook": pre-install - name: {{ .Release.Name }}-initsysctl-privileged-scc -allowHostDirVolumePlugin: false -allowHostIPC: false -allowHostNetwork: false -allowHostPID: false -allowHostPorts: false -allowPrivilegedContainer: true -allowPrivilegeEscalation: true -allowedCapabilities: [] -allowedFlexVolumes: [] -allowedUnsafeSysctls: [] -defaultAddCapabilities: [] -defaultAllowPrivilegeEscalation: true -fsGroup: - type: RunAsAny -readOnlyRootFilesystem: false -requiredDropCapabilities: -- KILL -- MKNOD -- SETUID -- SETGID -runAsUser: - type: RunAsAny -# This can be customized for your host machine -seLinuxContext: - type: MustRunAs -# seLinuxOptions: -# level: -# user: -# role: -# type: -supplementalGroups: - type: RunAsAny -# This can be customized for your host machine -volumes: -- configMap -- downwardAPI -- emptyDir -- persistentVolumeClaim -- projected -- secret -# If you want a priority on your SCC -- set for a value more than 0 -priority: 11 -users: -- system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-sonarqube-initsysctl - -{{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/sonarqube/templates/sonarqube-scc.yaml b/charts/sonarqube/templates/sonarqube-scc.yaml index cb6f6fe..954d20c 100644 --- a/charts/sonarqube/templates/sonarqube-scc.yaml +++ b/charts/sonarqube/templates/sonarqube-scc.yaml 
@@ -1,29 +1,25 @@ {{- if and (.Values.OpenShift.enabled) (.Values.OpenShift.createSCC) }} -# This SCC allows any user ID except root +# This SCC allows any user ID but restricts capabilties and host access apiVersion: security.openshift.io/v1 kind: SecurityContextConstraints metadata: annotations: - kubernetes.io/description: "nonroot provides all features of the restricted SCC - but allows users to run with any non-root UID. The user must specify the UID - or it must be specified on the by the manifest of the container runtime." + kubernetes.io/description: "allows pod to run as root, privileged and run sysctl" "helm.sh/hook": pre-install - name: {{ .Release.Name }}-nonroot-scc + name: {{ .Release.Name }}-privileged-scc allowHostDirVolumePlugin: false allowHostIPC: false allowHostNetwork: false allowHostPID: false allowHostPorts: false -allowPrivilegedContainer: false +allowPrivilegedContainer: true allowPrivilegeEscalation: true allowedCapabilities: [] allowedFlexVolumes: [] allowedUnsafeSysctls: [] defaultAddCapabilities: [] defaultAllowPrivilegeEscalation: true -forbiddenSysctls: - - "*" fsGroup: type: RunAsAny readOnlyRootFilesystem: false @@ -33,7 +29,7 @@ requiredDropCapabilities: - SETUID - SETGID runAsUser: - type: MustRunAsNonRoot + type: RunAsAny # This can be customized for your host machine seLinuxContext: type: MustRunAs @@ -62,4 +58,4 @@ users: {{- end }} - system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-postgresql -{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/sonarqube/values.yaml b/charts/sonarqube/values.yaml index 9516f50..e03fe24 100644 --- a/charts/sonarqube/values.yaml +++ b/charts/sonarqube/values.yaml @@ -134,14 +134,9 @@ initSysctl: nofile: 131072 nproc: 8192 # image: busybox:1.32 - serviceAccount: - create: false - # name: securityContext: privileged: true # resources: {} - job: - restartPolicy: OnFailure # List of plugins to install. # For example: 
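Review bot: Switching the SCC to `allowPrivilegedContainer: true` and `runAsUser: RunAsAny` for the SonarQube service account because `init-sysctl` needs it widens the grant to every container admitted under that SA: SCCs bind to the service account, not to one container, so the main SonarQube container, `install-plugins` and (through the second `users` entry) the PostgreSQL pod may now run as root and privileged. Since the init container genuinely needs privilege, contain the blast radius in the templates instead: set an explicit `securityContext` with `privileged: false`, `allowPrivilegeEscalation: false` and `runAsNonRoot: true` on the non-init containers, and leave `priority` unset so this SCC is only selected when a pod actually fails validation under `restricted`. The header comment `# This SCC allows any user ID but restricts capabilties and host access` now contradicts the `kubernetes.io/description` value a few lines below it; make them agree.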
From 74653ff8745ae89c19e3fab64ce36c806f51f06f Mon Sep 17 00:00:00 2001 From: Matt Colman Date: Fri, 13 Nov 2020 15:32:00 +0000 Subject: [PATCH 04/14] get postgres to run under restricted --- charts/sonarqube/templates/sonarqube-scc.yaml | 2 ++ charts/sonarqube/values.yaml | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/charts/sonarqube/templates/sonarqube-scc.yaml b/charts/sonarqube/templates/sonarqube-scc.yaml index 954d20c..7f5ed6d 100644 --- a/charts/sonarqube/templates/sonarqube-scc.yaml +++ b/charts/sonarqube/templates/sonarqube-scc.yaml @@ -56,6 +56,8 @@ users: {{- else }} - system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-sonarqube {{- end }} +{{- if .Values.postgresql.securityContext.enabled }} - system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-postgresql +{{- end }} {{- end }} \ No newline at end of file diff --git a/charts/sonarqube/values.yaml b/charts/sonarqube/values.yaml index e03fe24..596b190 100644 --- a/charts/sonarqube/values.yaml +++ b/charts/sonarqube/values.yaml @@ -264,7 +264,7 @@ postgresql: storageClass: securityContext: # enabled needs to false for OpenShift restricted SCC and true for OpenShift anyuid/nonroot SCC - enabled: true + enabled: false #fsGroup and runAsUser specifications below are not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. #postgresql dockerfile sets user as 1001 fsGroup: 1001 @@ -273,7 +273,7 @@ postgresql: enabled: true # if using restricted SCC set runAsUser: "auto" and if running under anyuid/nonroot SCC - runAsUser needs to match runAsUser above securityContext: - runAsUser: 1001 + runAsUser: "auto" shmVolume: chmod: enabled: false From 4c9eea77b34ff65f8f76b39573485672cc86ee9c Mon Sep 17 00:00:00 2001 
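Review bot: Gating the PostgreSQL service account's SCC membership on `postgresql.securityContext.enabled` ties a privileged-SCC grant to a knob whose documented meaning is "apply `fsGroup`/`runAsUser`", so an operator who enables that block on OpenShift (the anyuid/nonroot case per the comment in this hunk) silently gets the privileged SCC for PostgreSQL even though it needs only a non-root UID. A dedicated value such as `OpenShift.postgresqlPrivilegedSCC: false`, or binding PostgreSQL to the built-in `nonroot` SCC, would express the intent and keep the database out of the privileged grant.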
From: Matt Colman
Date: Fri, 13 Nov 2020 15:35:36 +0000
Subject: [PATCH 05/14] Delete job.yaml
---
charts/sonarqube/templates/job.yaml | 57 -----------------------------
1 file changed, 57 deletions(-)
delete mode 100644 charts/sonarqube/templates/job.yaml
diff --git a/charts/sonarqube/templates/job.yaml b/charts/sonarqube/templates/job.yaml
deleted file mode 100644
index 57003dd..0000000
--- a/charts/sonarqube/templates/job.yaml
+++ /dev/null
@@ -1,57 +0,0 @@ -{{- if or .Values.initSysctl.enabled .Values.elasticsearch.configureNode }} - -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ template "sonarqube.fullname" . }} - labels: - app: {{ template "sonarqube.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - app.kubernetes.io/name: {{ template "sonarqube.name" . }}-{{ template "sonarqube.fullname" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/part-of: sonarqube - app.kubernetes.io/component: {{ template "sonarqube.fullname" . }} - app.kubernetes.io/version: {{ .Values.image.tag | quote }} -spec: - template: - spec: - {{- if .Values.initSysctl.serviceAccount.create }} - {{- if .Values.initSysctl.serviceAccount.name }} - serviceAccountName: {{ .Values.initSysctl.serviceAccount.name }} - {{- else }} - serviceAccountName: {{ include "sonarqube.fullname" . }}-initsysctl - {{- end }} - {{- end }} - containers: - - name: init-sysctl - image: {{ default "busybox:1.32" .Values.initSysctl.image }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if $securityContext := (default .Values.initContainers.securityContext .Values.initSysctl.securityContext) }} - securityContext: -{{ toYaml $securityContext | indent 12 }} - {{- end }} - resources: -{{ toYaml (default .Values.initContainers.resources .Values.initSysctl.resources) | indent 12 }} - command: ["sh", - "-e", - "/tmp/scripts/init_sysctl.sh"] - volumeMounts: - - name: init-sysctl - mountPath: /tmp/scripts/ - {{- with .Values.env }} - env: - {{- . | toYaml | trim | nindent 12 }} - {{- end }} - restartPolicy: {{ .Values.initSysctl.job.restartPolicy }} - volumes: - - name: init-sysctl - configMap: - name: {{ template "sonarqube.fullname" . }}-init-sysctl - items: - - key: init_sysctl.sh - path: init_sysctl.sh - -{{- end }} \ No newline at end of file 
From 591aabbf095352d0ceb748e0978f84c0069a7ca6 Mon Sep 17 00:00:00 2001 From: Matt Colman Date: Sat, 14 Nov 2020 09:52:39 +0000 Subject: [PATCH 06/14] Update Chart.yaml --- charts/sonarqube/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/sonarqube/Chart.yaml b/charts/sonarqube/Chart.yaml index 81fe5cc..c57b202 100644 --- a/charts/sonarqube/Chart.yaml +++ b/charts/sonarqube/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: sonarqube description: SonarQube is an open sourced code quality scanning tool -version: 9.1.2 +version: 9.1.3 appVersion: 8.5.1-community keywords: - coverage From 13aa4fb673f6b28bea485500da7c322ca4fe2871 Mon Sep 17 00:00:00 2001 From: Matt Colman Date: Sat, 14 Nov 2020 09:56:08 +0000 Subject: [PATCH 07/14] changes for linting --- charts/sonarqube/values.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/sonarqube/values.yaml b/charts/sonarqube/values.yaml index 596b190..4937af5 100644 --- a/charts/sonarqube/values.yaml +++ b/charts/sonarqube/values.yaml @@ -28,7 +28,7 @@ image: # Set security context for sonarqube pod securityContext: fsGroup: 1000 - #Sonarqube dockerfile creates sonarqube user as UID and GID 1000 + # Sonarqube dockerfile creates sonarqube user as UID and GID 1000 runAsUser: 1000 # Settings to configure elasticsearch host requirements 
@@ -261,12 +261,12 @@ postgresql: enabled: true accessMode: ReadWriteOnce size: 20Gi - storageClass: + storageClass: securityContext: # enabled needs to false for OpenShift restricted SCC and true for OpenShift anyuid/nonroot SCC enabled: false - #fsGroup and runAsUser specifications below are not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. - #postgresql dockerfile sets user as 1001 + # fsGroup and runAsUser specifications below are not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. + # postgresql dockerfile sets user as 1001 fsGroup: 1001 runAsUser: 1001 volumePermissions: From 6639d7a993aee1bdc02a72e6073cbab0bcc1e66c Mon Sep 17 00:00:00 2001 From: Matt Colman Date: Sat, 14 Nov 2020 10:19:12 +0000 Subject: [PATCH 08/14] Update values.yaml --- charts/sonarqube/values.yaml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/charts/sonarqube/values.yaml b/charts/sonarqube/values.yaml index 4937af5..f08885f 100644 --- a/charts/sonarqube/values.yaml +++ b/charts/sonarqube/values.yaml 
@@ -263,17 +263,20 @@ postgresql: size: 20Gi storageClass: securityContext: - # enabled needs to false for OpenShift restricted SCC and true for OpenShift anyuid/nonroot SCC - enabled: false + # For standard Kubernetes deployment, set enabled=true + # If using OpenShift, enabled=false for restricted SCC and enabled=true for anyuid/nonroot SCC + enabled: true # fsGroup and runAsUser specifications below are not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. # postgresql dockerfile sets user as 1001 fsGroup: 1001 runAsUser: 1001 volumePermissions: - enabled: true + # For standard Kubernetes deployment, set enabled=false + # For OpenShift, set enabled=true and ensure to set volumepermissions.securitycontext.runAsUser below. + enabled: false # if using restricted SCC set runAsUser: "auto" and if running under anyuid/nonroot SCC - runAsUser needs to match runAsUser above securityContext: - runAsUser: "auto" + runAsUser: 0 shmVolume: chmod: enabled: false From 994779378eb2e8e4e82d0633d09e9b3e162fddeb Mon Sep 17 00:00:00 2001 From: Matt Colman Date: Sat, 14 Nov 2020 10:48:01 +0000 Subject: [PATCH 09/14] Update values.yaml --- charts/sonarqube/values.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/charts/sonarqube/values.yaml b/charts/sonarqube/values.yaml index f08885f..8c5ff04 100644 --- a/charts/sonarqube/values.yaml +++ b/charts/sonarqube/values.yaml @@ -28,6 +28,10 @@ image: # Set security context for sonarqube pod securityContext: fsGroup: 1000 + +# Set security context for sonarqube container +containerSecurityContext: + fsGroup: 1000 # Sonarqube dockerfile creates sonarqube user as UID and GID 1000 runAsUser: 1000 From ddf5ae59ecc7ebad146c69500d23f765e86ecc46 Mon Sep 17 00:00:00 2001 From: Matt Colman Date: Sat, 14 Nov 2020 10:52:24 +0000 Subject: [PATCH 10/14] Update values.yaml --- charts/sonarqube/values.yaml | 1 - 1 file changed, 1 deletion(-) 
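Review bot: The new default `postgresql.volumePermissions.securityContext.runAsUser: 0` points the volume-permissions init container at root, while the comment above it tells OpenShift users only to "ensure to set" the value without saying to what; `0` is exactly what the `restricted` SCC rejects, so the comment should name the two valid choices, e.g. `# restricted SCC: runAsUser: "auto"; anyuid/nonroot SCC: same UID as postgresql.securityContext.runAsUser (1001)`. It is dormant while `volumePermissions.enabled` stays `false`, but a root default in a chart advertised as supporting non-root PostgreSQL deserves that one line.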
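Review bot: `containerSecurityContext` is introduced in values.yaml but no template in this series reads `.Values.containerSecurityContext`, so unless deployment.yaml already consumed it before this series (not visible here) the per-container `runAsUser: 1000` that the CHANGELOG later advertises is never rendered and the main SonarQube container keeps the image default. The Deployment needs a matching block on the main container, e.g. `securityContext: {{- toYaml .Values.containerSecurityContext | nindent 12 }}`, and the value's comment should state that it applies to the container, not the pod.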
diff --git a/charts/sonarqube/values.yaml b/charts/sonarqube/values.yaml index 8c5ff04..6ddacd4 100644 --- a/charts/sonarqube/values.yaml +++ b/charts/sonarqube/values.yaml @@ -31,7 +31,6 @@ securityContext: # Set security context for sonarqube container containerSecurityContext: - fsGroup: 1000 # Sonarqube dockerfile creates sonarqube user as UID and GID 1000 runAsUser: 1000 From 6511c1e9db47b4a48d17dcf8c7618204cc71a2e3 Mon Sep 17 00:00:00 2001 From: Rob Kernick Date: Thu, 19 Nov 2020 09:47:59 -0500 Subject: [PATCH 11/14] Update Chart.yaml increment minor version --- charts/sonarqube/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/sonarqube/Chart.yaml b/charts/sonarqube/Chart.yaml index c57b202..ebe5ef1 100644 --- a/charts/sonarqube/Chart.yaml +++ b/charts/sonarqube/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: sonarqube description: SonarQube is an open sourced code quality scanning tool -version: 9.1.3 +version: 9.2.0 appVersion: 8.5.1-community keywords: - coverage From b21aaef85add606c416ac157c9c3758c6c940142 Mon Sep 17 00:00:00 2001 From: Matt Colman Date: Thu, 19 Nov 2020 16:51:38 +0000 Subject: [PATCH 12/14] Update CHANGELOG.md --- charts/sonarqube/CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/charts/sonarqube/CHANGELOG.md b/charts/sonarqube/CHANGELOG.md index b2dc3cd..92179f7 100644 --- a/charts/sonarqube/CHANGELOG.md +++ b/charts/sonarqube/CHANGELOG.md 
@@ -1,6 +1,14 @@ # SonarQube Chart Changelog All changes to this chart will be documented in this file. +## [9.2.0] +* Added functionality for deployments to OpenShift clusters. + * .Values.OpenShift flag to signify if deploying to OpenShift. + * Ability to have chart generate an SCC allowing the init-sysctl container to run as privileged. + * Setting of a seperate securityContext section for the main SonarQube container to avoid running as root. + * Exposing additional `postreSQL` keys in values.yaml to enable postgres to run under standard "restricted" or "anyuid"/"nonroot" SCCs on OpenShift. +* Added initContainer `wait-for-db` to await postgreSQL successful startup before starting SonarQube, to avoid race conditions. + ## [9.1.1] * Update SonarQube to 8.5.1. * **Fix:** Purge plugins directory before download. From c33a7263bd46336a87cbd5481d30b0737b0b919a Mon Sep 17 00:00:00 2001 From: Matt Colman Date: Thu, 19 Nov 2020 16:53:02 +0000 Subject: [PATCH 13/14] Update CHANGELOG.md --- charts/sonarqube/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/sonarqube/CHANGELOG.md b/charts/sonarqube/CHANGELOG.md index 92179f7..ed34360 100644 --- a/charts/sonarqube/CHANGELOG.md +++ b/charts/sonarqube/CHANGELOG.md 
@@ -6,7 +6,7 @@ All changes to this chart will be documented in this file. * .Values.OpenShift flag to signify if deploying to OpenShift. * Ability to have chart generate an SCC allowing the init-sysctl container to run as privileged. * Setting of a seperate securityContext section for the main SonarQube container to avoid running as root. - * Exposing additional `postreSQL` keys in values.yaml to enable postgres to run under standard "restricted" or "anyuid"/"nonroot" SCCs on OpenShift. + * Exposing additional `postreSQL` keys in values.yaml to support configuring postgres to run under standard "restricted" or "anyuid"/"nonroot" SCCs on OpenShift. * Added initContainer `wait-for-db` to await postgreSQL successful startup before starting SonarQube, to avoid race conditions. ## [9.1.1] From c0e9e3b8e2e445c771a543b7c8470fa58c5a30bb Mon Sep 17 00:00:00 2001 From: Matt Colman Date: Thu, 19 Nov 2020 17:01:19 +0000 Subject: [PATCH 14/14] Update README.md --- charts/sonarqube/README.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/charts/sonarqube/README.md b/charts/sonarqube/README.md index 7a69501..7c346c4 100644 --- a/charts/sonarqube/README.md +++ b/charts/sonarqube/README.md 
@@ -18,9 +18,20 @@ To install the chart: helm repo add oteemocharts https://oteemo.github.io/charts helm install oteemocharts/sonarqube ``` - The above command deploys Sonarqube on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. +For OpenShift installations; if you wish for the chart to create the required SCC for the privileged initContainer, and run PostgreSQL under the restricted SCC use the following `set` statements: + +```bash +helm repo add oteemocharts https://oteemo.github.io/charts +helm install oteemocharts/sonarqube --set OpenShift.enabled=true,\ + serviceAccount.create=true,\ + postgresql.serviceAccount.enabled=true,\ + postgresql.securityContext.enabled=false,\ + postgresql.volumePermissions.enabled=true,\ + postgresql.volumePermissions.securityContext.runAsUser="auto" +``` + The default login is admin/admin. ## Uninstalling the chart