Merge pull request Oteemo#2 from Oteemo/master

Backmerge
c3-e · Nov 19, 2020 · 9f4fe9f · 9f4fe9f
2 parents 01ebb94 + 192a8e5
commit 9f4fe9f
Show file tree

Hide file tree

Showing 9 changed files with 139 additions and 7 deletions.
diff --git a/charts/sonarqube/CHANGELOG.md b/charts/sonarqube/CHANGELOG.md
@@ -1,6 +1,14 @@
 # SonarQube Chart Changelog
 All changes to this chart will be documented in this file.
 
+## [9.2.0]
+* Added functionality for deployments to OpenShift clusters.
+    * .Values.OpenShift flag to signify if deploying to OpenShift.
+	* Ability to have chart generate an SCC allowing the init-sysctl container to run as privileged.
+	* Setting of a seperate securityContext section for the main SonarQube container to avoid running as root.
+	* Exposing additional `postreSQL` keys in values.yaml to support configuring postgres to run under standard "restricted" or "anyuid"/"nonroot" SCCs on OpenShift.
+* Added initContainer `wait-for-db` to await postgreSQL successful startup before starting SonarQube, to avoid race conditions.
+
 ## [9.1.1]
 * Update SonarQube to 8.5.1.
 * **Fix:** Purge plugins directory before download.

diff --git a/charts/sonarqube/Chart.yaml b/charts/sonarqube/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: sonarqube
 description: SonarQube is an open sourced code quality scanning tool
-version: 9.1.2
+version: 9.2.0
 appVersion: 8.5.1-community
 keywords:
   - coverage

diff --git a/charts/sonarqube/README.md b/charts/sonarqube/README.md
@@ -18,9 +18,20 @@ To install the chart:
 helm repo add oteemocharts https://oteemo.github.io/charts
 helm install oteemocharts/sonarqube
 ```
-
 The above command deploys Sonarqube on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
 
+For OpenShift installations; if you wish for the chart to create the required SCC for the privileged initContainer, and run PostgreSQL under the restricted SCC use the following `set` statements:
+
+```bash
+helm repo add oteemocharts https://oteemo.github.io/charts
+helm install oteemocharts/sonarqube --set OpenShift.enabled=true,\
+                                          serviceAccount.create=true,\
+                                          postgresql.serviceAccount.enabled=true,\
+                                          postgresql.securityContext.enabled=false,\
+                                          postgresql.volumePermissions.enabled=true,\
+                                          postgresql.volumePermissions.securityContext.runAsUser="auto"
+```
+
 The default login is admin/admin.
 
 ## Uninstalling the chart

diff --git a/charts/sonarqube/templates/deployment.yaml b/charts/sonarqube/templates/deployment.yaml
@@ -157,6 +157,12 @@ spec:
             {{- . | toYaml | trim | nindent 12 }}
           {{- end }}
       {{- end }}
+        - name: "wait-for-db"
+          image: {{ default "busybox:1.32" .Values.initContainers.image }}
+          imagePullPolicy: {{ .Values.image.pullPolicy  }}
+          resources:
+{{ toYaml .Values.initContainers.resources | indent 12 }}
+          command: ["/bin/sh", "-c", "for i in $(seq 1 200); do nc -z -w3 {{ .Release.Name}}-postgresql 5432 && exit 0 || sleep 2; done; exit 1"]            
       {{- if .Values.priorityClassName }}
       priorityClassName: {{ .Values.priorityClassName }}
       {{- end }}

diff --git a/charts/sonarqube/templates/sonarqube-scc.yaml b/charts/sonarqube/templates/sonarqube-scc.yaml
@@ -0,0 +1,63 @@
+{{- if and (.Values.OpenShift.enabled) (.Values.OpenShift.createSCC) }}
+
+# This SCC allows any user ID but restricts capabilties and host access
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+    kubernetes.io/description: "allows pod to run as root, privileged and run sysctl"
+    "helm.sh/hook": pre-install
+  name: {{ .Release.Name }}-privileged-scc
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: true
+allowPrivilegeEscalation: true
+allowedCapabilities: []
+allowedFlexVolumes: []
+allowedUnsafeSysctls: []
+defaultAddCapabilities: []
+defaultAllowPrivilegeEscalation: true
+fsGroup:
+  type: RunAsAny
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- KILL
+- MKNOD
+- SETUID
+- SETGID
+runAsUser:
+  type: RunAsAny
+# This can be customized for your host machine
+seLinuxContext:
+  type: MustRunAs
+# seLinuxOptions:
+#   level:
+#   user:
+#   role:
+#   type:
+supplementalGroups:
+  type: RunAsAny
+# This can be customized for your host machine
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- projected
+- secret
+# If you want a priority on your SCC -- set for a value more than 0
+priority: 11
+users:
+{{- if .Values.serviceAccount.name }}
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-{{ .Values.serviceAccount.name }}
+{{- else  }}
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-sonarqube
+{{- end }}
+{{- if .Values.postgresql.securityContext.enabled }}
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-postgresql
+{{- end }}
+
+{{- end }}
diff --git a/charts/sonarqube/values.yaml b/charts/sonarqube/values.yaml
@@ -13,6 +13,11 @@ deploymentStrategy: {}
 ##
 # schedulerName:
 
+## Is this deployment for OpenShift? If so, we help with SCCs
+OpenShift:
+  enabled: false
+  createSCC: true
+
 image:
   repository: sonarqube
   tag: 8.5-community
@@ -22,7 +27,12 @@ image:
 
 # Set security context for sonarqube pod
 securityContext:
-  fsGroup: 999
+  fsGroup: 1000
+
+# Set security context for sonarqube container
+containerSecurityContext:
+  # Sonarqube dockerfile creates sonarqube user as UID and GID 1000
+  runAsUser: 1000
 
 # Settings to configure elasticsearch host requirements
 elasticsearch:
@@ -243,6 +253,40 @@ postgresql:
   # Specify the TCP port that PostgreSQL should use
   service:
     port: 5432
+  resources:
+    limits:
+      cpu: 2
+      memory: 2Gi
+    requests:
+      cpu: 100m
+      memory: 200Mi
+  persistence:
+    enabled: true
+    accessMode: ReadWriteOnce
+    size: 20Gi
+    storageClass:
+  securityContext:
+    # For standard Kubernetes deployment, set enabled=true
+    # If using OpenShift, enabled=false for restricted SCC and enabled=true for anyuid/nonroot SCC
+    enabled: true
+    # fsGroup and runAsUser specifications below are not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully.
+    # postgresql dockerfile sets user as 1001
+    fsGroup: 1001
+    runAsUser: 1001
+  volumePermissions:
+    # For standard Kubernetes deployment, set enabled=false
+    # For OpenShift, set enabled=true and ensure to set volumepermissions.securitycontext.runAsUser below.
+    enabled: false
+    # if using restricted SCC set runAsUser: "auto" and if running under anyuid/nonroot SCC - runAsUser needs to match runAsUser above
+    securityContext:
+      runAsUser: 0
+  shmVolume:
+    chmod:
+      enabled: false
+  serviceAccount:
+    ## If enabled = true, and name is not set, postgreSQL will create a serviceAccount
+    enabled: false
+#    name:
 
 # Additional labels to add to the pods:
 # podLabels:

diff --git a/charts/sonatype-nexus/Chart.yaml b/charts/sonatype-nexus/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: sonatype-nexus
-version: 3.5.1
-appVersion: 3.25.1
+version: 3.6.0
+appVersion: 3.27.0
 description: Sonatype Nexus is an open source repository manager
 keywords:
   - artifacts

diff --git a/charts/sonatype-nexus/README.md b/charts/sonatype-nexus/README.md
@@ -92,7 +92,7 @@ The following table lists the configurable parameters of the Nexus chart and the
 | `nexus.resources`                           | Nexus resource requests and limits  | `{}`                                    |
 | `nexus.dockerPort`                          | Port to access docker               | `5003`                                  |
 | `nexus.nexusPort`                           | Internal port for Nexus service     | `8081`                                  |
-| `nexus.service.type`                        | Service for Nexus                   |`CluserIP`                                |
+| `nexus.service.type`                        | Service for Nexus                   | `NodePort`                                |
 | `nexus.service.clusterIp`                   | Specific cluster IP when service type is cluster IP. Use None for headless service |`nil`   |
 | `nexus.service.loadBalancerIP`                        | Custom loadBalancerIP                   |`nil`                                |
 | `nexus.securityContextEnabled`                     | Security Context (for enabling official image use `fsGroup: 200`) | `{}`     |

diff --git a/charts/sonatype-nexus/values.yaml b/charts/sonatype-nexus/values.yaml
@@ -20,7 +20,7 @@ initAdminPassword:
 
 nexus:
   imageName: quay.io/travelaudience/docker-nexus
-  imageTag: 3.25.1
+  imageTag: 3.27.0
   imagePullPolicy: IfNotPresent
   # Uncomment this to scheduler pods on priority
   # priorityClassName: "high-priority"