2024-05-23 19:02:24 +02:00
parent c6bb50fca4
commit 8a08647dd6
20 changed files with 610 additions and 458 deletions

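--- a/<path-not-shown>
+++ /dev/null
@@ -1,302 +0,0 @@
-# Source: sonarqube/templates/sonarqube-sts.yaml
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-name: sonar-sonarqube
-labels:
-app: sonarqube
-chart: sonarqube-10.5.1_2816
-release: sonar
-heritage: Helm
-app.kubernetes.io/name: sonarqube-sonar-sonarqube
-app.kubernetes.io/instance: sonar
-app.kubernetes.io/managed-by: Helm
-app.kubernetes.io/part-of: sonarqube
-app.kubernetes.io/component: sonar-sonarqube
-app.kubernetes.io/version: "10.5.1-community"
-spec:
-replicas: 1
-revisionHistoryLimit: 10
-serviceName: sonar-sonarqube
-selector:
-matchLabels:
-app: sonarqube
-release: sonar
-template:
-metadata:
-labels:
-app: sonarqube
-release: sonar
-annotations:
-checksum/init-sysctl: f024654d224568f7d00f522ab1f651e593efb55ee745e9624beec68996a4458d
-checksum/init-fs: 4c8e59703fd03b0281f452e07eb3f3bdab1150a196f823234e641aaa2afb0253
-checksum/plugins: 4e5baae46155e41236fcbdf85ea8b9ba3358994284bc26fb45d44a728d2b5c8e
-checksum/config: 8dfa24e99816e4a8762c59197f8f41e53f8517b2f62d8839b7464952f77ad240
-checksum/secret: 11c9bb7cdad024fc7971937b62d5245054c1091fc798528488974ef4bd5b7255
-checksum/prometheus-config: 8b558b466ef4f60ab41a25ee83bb1cd6798a7c51aea6c557c75718f8b0527a61
-checksum/prometheus-ce-config: 6af690da3580e26dbbfb7d1eea66284f1f52b2cff5db113b8acad5cdb87f4772
-spec:
-automountServiceAccountToken: false
-securityContext:
-fsGroup: 0
-initContainers:
-- name: "wait-for-db"
-image: sonarqube:10.5.1-community
-imagePullPolicy: IfNotPresent
-securityContext:
-allowPrivilegeEscalation: false
-capabilities:
-drop:
-- ALL
-runAsGroup: 0
-runAsNonRoot: true
-runAsUser: 1000
-seccompProfile:
-type: RuntimeDefault
-resources:
-{}
-command: ["/bin/bash", "-c"]
-args: ['set -o pipefail;for i in {1..200};do (echo > /dev/tcp/sonar-postgresql/5432) && exit 0; sleep 2;done; exit 1']
-- name: init-sysctl
-image: sonarqube:10.5.1-community
-imagePullPolicy: IfNotPresent
-securityContext:
-privileged: true
-runAsUser: 0
-resources:
-{}
-command: ["/bin/bash",
-"-e",
-"/tmp/scripts/init_sysctl.sh"]
-volumeMounts:
-- name: init-sysctl
-mountPath: /tmp/scripts/
-env:
-- name: SONAR_WEB_CONTEXT
-value: /
-- name: SONAR_WEB_JAVAOPTS
-value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8000:/opt/sonarqube/conf/prometheus-config.yaml
-- name: SONAR_CE_JAVAOPTS
-value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8001:/opt/sonarqube/conf/prometheus-ce-config.yaml
-- name: inject-prometheus-exporter
-image: sonarqube:10.5.1-community
-imagePullPolicy: IfNotPresent
-securityContext:
-allowPrivilegeEscalation: false
-capabilities:
-drop:
-- ALL
-runAsGroup: 0
-runAsNonRoot: true
-runAsUser: 1000
-seccompProfile:
-type: RuntimeDefault
-resources:
-{}
-command: ["/bin/sh","-c"]
-args: ["curl -s 'https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.17.2/jmx_prometheus_javaagent-0.17.2.jar' --output /data/jmx_prometheus_javaagent.jar -v"]
-volumeMounts:
-- mountPath: /data
-name: sonarqube
-subPath: data
-env:
-- name: http_proxy
-value:
-- name: https_proxy
-value:
-- name: no_proxy
-value:
-- name: SONAR_WEB_CONTEXT
-value: /
-- name: SONAR_WEB_JAVAOPTS
-value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8000:/opt/sonarqube/conf/prometheus-config.yaml
-- name: SONAR_CE_JAVAOPTS
-value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8001:/opt/sonarqube/conf/prometheus-ce-config.yaml
-- name: install-plugins
-image: sonarqube:10.5.1-community
-imagePullPolicy: IfNotPresent
-command: ["sh",
-"-e",
-"/tmp/scripts/install_plugins.sh"]
-volumeMounts:
-- mountPath: /opt/sonarqube/extensions/plugins
-name: sonarqube
-subPath: extensions/plugins
-- name: install-plugins
-mountPath: /tmp/scripts/
-securityContext:
-allowPrivilegeEscalation: false
-capabilities:
-drop:
-- ALL
-runAsGroup: 0
-runAsNonRoot: true
-runAsUser: 1000
-seccompProfile:
-type: RuntimeDefault
-resources:
-{}
-env:
-- name: http_proxy
-value:
-- name: https_proxy
-value:
-- name: no_proxy
-value:
-- name: SONAR_WEB_CONTEXT
-value: /
-- name: SONAR_WEB_JAVAOPTS
-value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8000:/opt/sonarqube/conf/prometheus-config.yaml
-- name: SONAR_CE_JAVAOPTS
-value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8001:/opt/sonarqube/conf/prometheus-ce-config.yaml
-containers:
-- name: sonarqube
-image: sonarqube:10.5.1-community
-imagePullPolicy: IfNotPresent
-ports:
-- name: http
-containerPort: 9000
-protocol: TCP
-- name: monitoring-web
-containerPort: 8000
-protocol: TCP
-- name: monitoring-ce
-containerPort: 8001
-protocol: TCP
-resources:
-limits:
-cpu: 800m
-ephemeral-storage: 512000M
-memory: 6144M
-requests:
-cpu: 400m
-ephemeral-storage: 1536M
-memory: 2048M
-env:
-- name: SONAR_WEB_CONTEXT
-value: /
-- name: SONAR_WEB_JAVAOPTS
-value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8000:/opt/sonarqube/conf/prometheus-config.yaml
-- name: SONAR_CE_JAVAOPTS
-value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8001:/opt/sonarqube/conf/prometheus-ce-config.yaml
-- name: SONAR_HELM_CHART_VERSION
-value: 10.5.1_2816
-- name: SONAR_JDBC_PASSWORD
-valueFrom:
-secretKeyRef:
-name: sonar-postgresql
-key: postgresql-password
-- name: SONAR_WEB_SYSTEMPASSCODE
-valueFrom:
-secretKeyRef:
-name: sonar-sonarqube-monitoring-passcode
-key: SONAR_WEB_SYSTEMPASSCODE
-envFrom:
-- configMapRef:
-name: sonar-sonarqube-jdbc-config
-livenessProbe:
-exec:
-command:
-- sh
-- -c
-- |
-wget --no-proxy --quiet -O /dev/null --timeout=1 --header="X-Sonar-Passcode: $SONAR_WEB_SYSTEMPASSCODE" "http://localhost:9000/api/system/liveness"
-initialDelaySeconds: 60
-periodSeconds: 30
-failureThreshold: 6
-timeoutSeconds: 1
-readinessProbe:
-exec:
-command:
-- sh
-- -c
-- |
-#!/bin/bash
-# A Sonarqube container is considered ready if the status is UP, DB_MIGRATION_NEEDED or DB_MIGRATION_RUNNING
-# status about migration are added to prevent the node to be kill while sonarqube is upgrading the database.
-if wget --no-proxy -qO- http://localhost:9000/api/system/status | grep -q -e '"status":"UP"' -e '"status":"DB_MIGRATION_NEEDED"' -e '"status":"DB_MIGRATION_RUNNING"'; then
-exit 0
-fi
-exit 1
-initialDelaySeconds: 60
-periodSeconds: 30
-failureThreshold: 6
-timeoutSeconds: 1
-startupProbe:
-httpGet:
-scheme: HTTP
-path: /api/system/status
-port: http
-initialDelaySeconds: 30
-periodSeconds: 10
-failureThreshold: 24
-timeoutSeconds: 1
-securityContext:
-allowPrivilegeEscalation: false
-capabilities:
-drop:
-- ALL
-runAsGroup: 0
-runAsNonRoot: true
-runAsUser: 1000
-seccompProfile:
-type: RuntimeDefault
-volumeMounts:
-- mountPath: /opt/sonarqube/data
-name: sonarqube
-subPath: data
-- mountPath: /opt/sonarqube/extensions/plugins
-name: sonarqube
-subPath: extensions/plugins
-- mountPath: /opt/sonarqube/temp
-name: sonarqube
-subPath: temp
-- mountPath: /opt/sonarqube/logs
-name: sonarqube
-subPath: logs
-- mountPath: /tmp
-name: tmp-dir
-- mountPath: /opt/sonarqube/conf/prometheus-config.yaml
-subPath: prometheus-config.yaml
-name: prometheus-config
-- mountPath: /opt/sonarqube/conf/prometheus-ce-config.yaml
-subPath: prometheus-ce-config.yaml
-name: prometheus-ce-config
-serviceAccountName: default
-volumes:
-- name: init-sysctl
-configMap:
-name: sonar-sonarqube-init-sysctl
-items:
-- key: init_sysctl.sh
-path: init_sysctl.sh
-- name: init-fs
-configMap:
-name: sonar-sonarqube-init-fs
-items:
-- key: init_fs.sh
-path: init_fs.sh
-- name: install-plugins
-configMap:
-name: sonar-sonarqube-install-plugins
-items:
-- key: install_plugins.sh
-path: install_plugins.sh
-- name: prometheus-config
-configMap:
-name: sonar-sonarqube-prometheus-config
-items:
-- key: prometheus-config.yaml
-path: prometheus-config.yaml
-- name: prometheus-ce-config
-configMap:
-name: sonar-sonarqube-prometheus-ce-config
-items:
-- key: prometheus-ce-config.yaml
-path: prometheus-ce-config.yaml
-- name: sonarqube
-emptyDir:
-{}
-- name : tmp-dir
-emptyDir:
-{}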

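--- /dev/null
+++ b/apps/sonar/common.tf
@@ -0,0 +1,22 @@
+locals {
+core_labels = {
+"app.kubernetes.io/name" = var.component
+"app.kubernetes.io/instance" = var.instance
+}
+common_labels = merge({
+"vynil.solidite.fr/owner-name" = var.instance
+"vynil.solidite.fr/owner-namespace" = var.namespace
+"vynil.solidite.fr/owner-category" = var.category
+"vynil.solidite.fr/owner-component" = var.component
+"app.kubernetes.io/managed-by" = "vynil"
+},local.core_labels)
+sonar_labels = merge({
+"app.kubernetes.io/componant" = "sonarQube"
+},local.core_labels)
+sonar_all_labels = merge({
+"app.kubernetes.io/componant" = "sonarQube"
+},local.common_labels)
+pg_labels = merge(local.common_labels, {
+"app.kubernetes.io/component" = "pg"
+})
+}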
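Review bot: The label key `app.kubernetes.io/componant` in `sonar_labels` and `sonar_all_labels` is misspelled, while `pg_labels` in the same file uses the standard `app.kubernetes.io/component`; the Deployment selector and the PodMonitor selector are both derived from `sonar_labels`, so the fix is safe provided both maps are changed together, e.g. `"app.kubernetes.io/component" = "sonarQube"`. `common_labels` merges the owner labels *under* `core_labels` whereas `pg_labels` merges `common_labels` first; a one-line comment such as `# merge(): the right-most map wins on duplicate keys` would make the intended precedence explicit.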


@@ -6,6 +6,11 @@ metadata:
name: sonar
description: The code quality tool for better code
options:
app_group:
default: dev
examples:
- dev
type: string
domain:
default: your-company
examples:
@@ -21,21 +26,21 @@ options:
sonar:
pull_policy: IfNotPresent
registry: docker.io
repository: to-be/defined
tag: v1.0.0
repository: sonarqube
tag: 10.5.1-community
examples:
- sonar:
pull_policy: IfNotPresent
registry: docker.io
repository: to-be/defined
tag: v1.0.0
repository: sonarqube
tag: 10.5.1-community
properties:
sonar:
default:
pull_policy: IfNotPresent
registry: docker.io
repository: to-be/defined
tag: v1.0.0
repository: sonarqube
tag: 10.5.1-community
properties:
pull_policy:
default: IfNotPresent
@@ -48,10 +53,10 @@ options:
default: docker.io
type: string
repository:
default: to-be/defined
default: sonarqube
type: string
tag:
default: v1.0.0
default: 10.5.1-community
type: string
type: object
type: object
@@ -83,6 +88,86 @@ options:
items:
type: string
type: array
postgres:
default:
replicas: 1
examples:
- replicas: 1
properties:
replicas:
default: 1
type: integer
type: object
resources:
limits:
cpu: 800m
ephemeral-storage: 512000M
memory: 6144M
requests:
cpu: 400m
ephemeral-storage: 1536M
memory: 2048M
storage:
default:
postgres:
size: 5Gi
volume:
accessMode: ReadWriteOnce
class: ''
maxSize: 100Gi
size: 10Gi
type: Filesystem
description: Configure this app storage
examples:
- postgres:
size: 5Gi
volume:
accessMode: ReadWriteOnce
class: ''
maxSize: 100Gi
size: 10Gi
type: Filesystem
properties:
postgres:
default:
size: 5Gi
properties:
size:
default: 5Gi
type: string
type: object
volume:
default:
accessMode: ReadWriteOnce
class: ''
maxSize: 100Gi
size: 10Gi
type: Filesystem
properties:
accessMode:
default: ReadWriteOnce
enum:
- ReadWriteOnce
- ReadOnlyMany
- ReadWriteMany
type: string
class:
default: ''
type: string
maxSize:
default: 100Gi
type: string
size:
default: 10Gi
type: string
type:
default: Filesystem
enum:
- Filesystem
- Block
type: string
type: object
type: object
sub_domain:
default: sonar
examples:
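Review bot: The new `resources:` option goes straight to `limits:`/`requests:` and appears to lack the `default:`/`properties:`/`type:` wrapper that every sibling option (`postgres`, `storage`, `sub_domain`) carries; if the indentation lost in this rendering matches what is shown, the option schema will treat `limits` and `requests` as unknown attributes rather than as the default that `var.resources.limits`/`var.resources.requests` in the Deployment expect. Wrapping it as `resources: {default: {limits: …, requests: …}, type: object}` with string-typed properties, mirroring `postgres`, fixes that. The inherited `ephemeral-storage: 512000M` limit (~512 GB, against a 1536M request) was copied from the removed StatefulSet and deserves a second look before it becomes the default for every instance.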

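--- /dev/null
+++ b/apps/sonar/postgresql.tf
@@ -0,0 +1,57 @@
+resource "kubectl_manifest" "prj_pg" {
+yaml_body = join("", concat([<<-EOF
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+name: "${var.instance}-${var.component}-pg"
+namespace: "${var.namespace}"
+labels: ${jsonencode(local.pg_labels)}
+spec:
+instances: ${var.postgres.replicas}
+imageName: "${var.images.postgresql.registry}/${var.images.postgresql.repository}:${var.images.postgresql.tag}"
+storage:
+size: "${var.storage.postgres.size}"
+bootstrap:
+initdb:
+database: "${var.component}"
+owner: "${var.component}"
+monitoring:
+enablePodMonitor: true
+inheritedMetadata:
+annotations:
+"k8up.io/backupcommand": "pg_dump -U postgres -d ${var.component} --clean"
+"k8up.io/file-extension": ".sql"
+"k8up.io/backup": "true"
+EOF
+], var.backups.enable&&var.backups.use_barman?[<<-EOF
+backup:
+barmanObjectStore:
+destinationPath: "s3://${var.instance}-${var.namespace}/"
+endpointURL: "${var.backups.endpoint}/barman"
+s3Credentials:
+accessKeyId:
+name: "${var.backups.secret_name}"
+key: "${var.backups.key_id_key}"
+secretAccessKey:
+name: "${var.backups.secret_name}"
+key: "${var.backups.secret_key}"
+EOF
+]:[""]))
+}
+resource "kubectl_manifest" "prj_pg_backup" {
+count = var.backups.enable ? 1:0
+yaml_body = <<-EOF
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+name: "${var.instance}-${var.component}-pg"
+namespace: "${var.namespace}"
+labels: ${jsonencode(local.pg_labels)}
+spec:
+schedule: "${var.backups.schedule.db}"
+backupOwnerReference: self
+cluster:
+name: "${var.instance}-${var.component}-pg"
+EOF
+}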
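Review bot: `prj_pg_backup` is created whenever `var.backups.enable` is true (`count = var.backups.enable ? 1:0`), but the Cluster only receives its `backup.barmanObjectStore` stanza when `var.backups.enable&&var.backups.use_barman` holds, so with `use_barman` off a CNPG `ScheduledBackup` targets a cluster with no backup configuration and cannot succeed; use the same condition, `count = var.backups.enable && var.backups.use_barman ? 1 : 0`. `monitoring.enablePodMonitor: true` is unconditional while the app's own PodMonitor is gated on `var.conditions.have_podmonitors`; `enablePodMonitor: ${var.conditions.have_podmonitors}` keeps the two consistent on clusters without the Prometheus CRDs. The `k8up.io/backupcommand` runs `pg_dump -U postgres`, i.e. the superuser, although `initdb` creates `${var.component}` as the database owner; confirm the superuser is intended, and add a comment saying why if so.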

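--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,94 @@
+resource "kubectl_manifest" "cm_env" {
+yaml_body = <<-EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: "${var.instance}-${var.component}-envs"
+labels: ${jsonencode(local.sonar_all_labels)}
+namespace: ${var.namespace}
+data:
+SONAR_JDBC_USERNAME: ${var.component}
+SONAR_JDBC_URL: jdbc:postgresql://${var.instance}-${var.component}-rw.${var.namespace}.svc:5432/${var.component}
+SONAR_WEB_CONTEXT: /
+SONAR_WEB_JAVAOPTS: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8000:/opt/sonarqube/conf/prometheus-config.yaml
+SONAR_CE_JAVAOPTS: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8001:/opt/sonarqube/conf/prometheus-ce-config.yaml
+EOF
+}
+resource "kubectl_manifest" "cm_files" {
+yaml_body = <<-EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: "${var.instance}-${var.component}-files"
+labels: ${jsonencode(local.sonar_all_labels)}
+namespace: ${var.namespace}
+data:
+sonar.properties: |-
+sonar.telemetry.enable=false
+sonar.updatecenter.activate=false
+sonar.auth.saml.enabled=true
+sonar.auth.saml.applicationId=
+sonar.auth.saml.providerName=
+sonar.auth.saml.providerId=
+sonar.auth.saml.loginUrl=
+sonar.auth.saml.certificate.secured=
+sonar.auth.saml.user.login=
+sonar.auth.saml.user.name=
+sonar.auth.saml.user.email=
+sonar.auth.saml.group.name=
+prometheus-ce-config.yaml: |-
+rules:
+- pattern: .*
+prometheus-config.yaml: |-
+rules:
+- pattern: .*
+EOF
+}
+resource "kubectl_manifest" "cm_scripts" {
+yaml_body = join("", concat([<<EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: "${var.instance}-${var.component}-files"
+labels: ${jsonencode(local.sonar_all_labels)}
+namespace: ${var.namespace}
+data:
+init_sysctl.sh: |-
+if [[ "$(sysctl -n vm.max_map_count)" -lt 524288 ]]; then
+sysctl -w vm.max_map_count=524288
+fi
+if [[ "$(sysctl -n fs.file-max)" -lt 131072 ]]; then
+sysctl -w fs.file-max=131072
+fi
+if [[ "$(ulimit -n)" != "unlimited" ]]; then
+if [[ "$(ulimit -n)" -lt 131072 ]]; then
+echo "ulimit -n 131072"
+ulimit -n 131072
+fi
+fi
+if [[ "$(ulimit -u)" != "unlimited" ]]; then
+if [[ "$(ulimit -u)" -lt 8192 ]]; then
+echo "ulimit -u 8192"
+ulimit -u 8192
+fi
+fi
+init_fs.sh: chown -R 1000:0 /opt/sonarqube
+install_plugins.sh: |-
+#!/bin/bash
+if [ ! -f /data/jmx_prometheus_javaagent.jar ];then
+curl -s 'https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.17.2/jmx_prometheus_javaagent-0.17.2.jar' --output /data/jmx_prometheus_javaagent.jar -v
+fi
+get_plugin() {
+file=$(echo $1|sed 's#.*/##')
+if [ ! -f "$file" ];then
+curl -fsSLO "$1"
+fi
+}
+cd /opt/sonarqube/extensions/plugins
+EOF
+],[for p in var.plugins: " get_plugin ${p}"]))
+}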
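Review bot: `cm_scripts` reuses the ConfigMap name `${var.instance}-${var.component}-files` that `cm_files` already claims in the same namespace, so the two `kubectl_manifest` resources overwrite one object and the Deployment's `scripts` and `files` volumes cannot both be served; rename it, e.g. `name: "${var.instance}-${var.component}-scripts"`. The plugin loop `[for p in var.plugins: " get_plugin ${p}"]` is joined with `""` and carries no newline, so with two or more plugins they land on one shell line and only the first reaches `get_plugin`; use `" get_plugin ${p}\n"` (with whatever indentation the `|-` block scalar needs). The agent download in `install_plugins.sh` runs `curl -s … --output …` without `-f`, so an HTTP error page is written as the jar and the `[ ! -f … ]` guard then never retries; neither that jar nor the `var.plugins` URLs are integrity-checked, so consider carrying a digest next to each URL and verifying it after download. `sonar.properties` in `cm_files` turns on SAML with every `sonar.auth.saml.*` value empty, and nothing in this commit mounts that key, so it reads as an unfinished placeholder worth a `# TODO` comment.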

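--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,28 @@
+locals {
+pvc_spec = merge({
+"accessModes" = [var.storage.volume.accessMode]
+"volumeMode" = var.storage.volume.type
+"resources" = {
+"requests" = {
+"storage" = "${var.storage.volume.size}"
+}
+}
+}, var.storage.volume.class != "" ?{
+"storageClassName" = var.storage.volume.class
+}:{})
+}
+resource "kubectl_manifest" "pvc" {
+ignore_fields = ["spec.resources.requests.storage"]
+yaml_body = <<-EOF
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+name: "${var.component}-${var.instance}"
+namespace: "${var.namespace}"
+labels: ${jsonencode(local.common_labels)}
+annotations:
+resize.kubesphere.io/storage_limit: "${var.storage.volume.maxSize}"
+spec: ${jsonencode(local.pvc_spec)}
+EOF
+}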
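Review bot: The claim is named `${var.component}-${var.instance}` while every other resource in this commit is named `${var.instance}-${var.component}`; unless an external convention requires the reversed order, `name: "${var.instance}-${var.component}"` keeps naming uniform and greppable. `"storage" = "${var.storage.volume.size}"` wraps a single value in an interpolation; `"storage" = var.storage.volume.size` is the idiomatic form. `ignore_fields` deserves a why-comment, presumably `# size is grown in-cluster via the resize annotation; do not revert it on apply` — confirm that is the reason.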

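--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,18 @@
+resource "random_password" "system" {
+length = 16
+special = false
+}
+resource "kubectl_manifest" "secret" {
+yaml_body = <<-EOF
+apiVersion: v1
+kind: Secret
+metadata:
+name: "${var.instance}-${var.component}"
+labels: ${jsonencode(local.sonar_all_labels)}
+namespace: ${var.namespace}
+type: Opaque
+stringData:
+SONAR_WEB_SYSTEMPASSCODE: "${random_password.system.result}"
+EOF
+}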
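Review bot: `random_password.system.result` is interpolated straight into `yaml_body`, so the passcode shows up in plan output and resource diffs of `kubectl_manifest.secret`, not only in the already-sensitive `random_password` state; if the kubectl provider in use supports it, add `sensitive_fields = ["stringData.SONAR_WEB_SYSTEMPASSCODE"]` to the manifest resource. A short header comment, `# SONAR_WEB_SYSTEMPASSCODE authenticates the liveness probe and the PodMonitor scrape; injected via envFrom`, would tell a reader what this secret protects.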

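--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,62 @@
+locals {
+dns_name = "${var.sub_domain}.${var.domain_name}"
+dns_names = [local.dns_name]
+app_name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
+icon = "icon.svg"
+}
+module "service" {
+source = "git::https://git.solidite.fr/vynil/kydah-modules.git//service"
+component = var.component
+instance = var.instance
+namespace = var.namespace
+labels = local.common_labels
+selector = local.sonar_labels
+targets = ["http"]
+providers = {
+kubectl = kubectl
+}
+}
+module "ingress" {
+source = "git::https://git.solidite.fr/vynil/kydah-modules.git//ingress"
+component = ""
+instance = var.instance
+namespace = var.namespace
+issuer = var.issuer
+ingress_class = var.ingress_class
+labels = local.common_labels
+dns_names = local.dns_names
+middlewares = [module.forward.middleware]
+services = [module.service.default_definition]
+providers = {
+kubectl = kubectl
+}
+}
+module "application" {
+source = "git::https://git.solidite.fr/vynil/kydah-modules.git//application"
+component = var.component
+instance = var.instance
+app_group = var.app_group
+dns_name = local.dns_name
+icon = local.icon
+protocol_provider = module.saml.provider-id
+providers = {
+authentik = authentik
+}
+}
+module "saml" {
+source = "git::https://git.solidite.fr/vynil/kydah-modules.git//saml"
+component = var.component
+instance = var.instance
+issuer = "self-sign"
+dns_names = local.dns_names
+namespace = var.namespace
+labels = local.common_labels
+providers = {
+kubectl = kubectl
+authentik = authentik
+}
+}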
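Review bot: `module "ingress"` passes `middlewares = [module.forward.middleware]`, but no `module "forward"` is declared in this file; unless it lives in another file of `apps/sonar`, the plan fails on an undeclared module. The same module receives `component = ""` while its siblings pass `var.component`; if that is deliberate (the ingress named after the instance alone), a comment `# empty component: the ingress is named after the instance only` stops it being "corrected" later. `local.app_name` is defined but not referenced in this file. All four module sources are unpinned `git::` URLs with no `?ref=`, so every init tracks the default branch of kydah-modules; pinning a tag or commit makes the deployed manifests reproducible.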

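--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,34 @@
+resource "kubectl_manifest" "PodMonitor_sonarqube" {
+count = var.conditions.have_podmonitors?1:0
+yaml_body = <<-EOF
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+name: sonarqube
+namespace: ${var.namespace}
+labels: ${jsonencode(local.sonar_all_labels)}
+spec:
+namespaceSelector:
+matchNames:
+- ${var.namespace}
+selector:
+matchLabels: ${jsonencode(local.sonar_labels)}
+podMetricsEndpoints:
+- port: http
+path: /api/monitoring/metrics
+scheme: http
+interval: 30s
+bearerTokenSecret:
+name: ${kubectl_manifest.secret.name}
+key: SONAR_WEB_SYSTEMPASSCODE
+- port: monitoring-ce
+path: /
+scheme: http
+interval: 30s
+- port: monitoring-web
+path: /
+scheme: http
+interval: 30s
+EOF
+}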
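Review bot: `metadata.name: sonarqube` is hard-coded while every other resource in this commit is named `${var.instance}-${var.component}`, so a second instance in the same namespace would collide on this PodMonitor; use `name: ${var.instance}-${var.component}`. The `http` endpoint sends the system passcode as a bearer token whereas the liveness probe sends it as `X-Sonar-Passcode`; both are accepted by SonarQube's monitoring endpoint as far as I know, but a comment stating that would spare the next reader the check. The `monitoring-ce`/`monitoring-web` JMX endpoints (ports 8001/8000) appear to be scraped without any credential, which is tolerable only because the Service exposes `http` alone — worth a comment so that assumption is not silently broken.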

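--- /dev/null
+++ b/<path-not-shown>
@@ -0,0 +1,196 @@
+resource "kubectl_manifest" "Deployment_sonar-sonarqube" {
+yaml_body = <<-EOF
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: "${var.instance}-${var.component}"
+labels: ${jsonencode(local.sonar_all_labels)}
+namespace: ${var.namespace}
+spec:
+replicas: 1
+revisionHistoryLimit: 10
+selector:
+matchLabels: ${jsonencode(local.sonar_labels)}
+template:
+metadata:
+labels: ${jsonencode(local.sonar_labels)}
+spec:
+securityContext:
+fsGroup: 0
+initContainers:
+- name: init-sysctl
+image: "${var.images.sonar.registry}/${var.images.sonar.repository}:${var.images.sonar.tag}"
+imagePullPolicy: ${var.images.sonar.pull_policy}
+securityContext:
+privileged: true
+runAsUser: 0
+command: ["/bin/bash","-e","/tmp/scripts/init_sysctl.sh"]
+volumeMounts:
+- name: scripts
+mountPath: /tmp/scripts/
+- name: wait-for-db
+image: "${var.images.sonar.registry}/${var.images.sonar.repository}:${var.images.sonar.tag}"
+imagePullPolicy: ${var.images.sonar.pull_policy}
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop: ["ALL"]
+runAsGroup: 0
+runAsNonRoot: true
+runAsUser: 1000
+seccompProfile:
+type: RuntimeDefault
+command: ["/bin/bash", "-c"]
+args: ["set -o pipefail;for i in {1..200};do (echo > /dev/tcp/${var.instance}-${var.component}-rw/5432) && exit 0; sleep 2;done; exit 1"]
+- name: configure
+image: "${var.images.sonar.registry}/${var.images.sonar.repository}:${var.images.sonar.tag}"
+imagePullPolicy: ${var.images.sonar.pull_policy}
+command: ["/bin/bash","-e","/tmp/scripts/install_plugins.sh"]
+volumeMounts:
+- mountPath: /data
+name: sonarqube
+subPath: data
+- mountPath: /opt/sonarqube/extensions/plugins
+name: sonarqube
+subPath: extensions/plugins
+- name: scripts
+mountPath: /tmp/scripts/
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop: ["ALL"]
+runAsGroup: 0
+runAsNonRoot: true
+runAsUser: 1000
+seccompProfile:
+type: RuntimeDefault
+envFrom:
+- configMapRef:
+name: ${kubectl_manifest.cm_env.name}
+env:
+- name: http_proxy
+value: null
+- name: https_proxy
+value: null
+- name: no_proxy
+value: null
+containers:
+- name: sonarqube
+image: "${var.images.sonar.registry}/${var.images.sonar.repository}:${var.images.sonar.tag}"
+imagePullPolicy: ${var.images.sonar.pull_policy}
+ports:
+- name: http
+containerPort: 9000
+protocol: TCP
+- name: monitoring-web
+containerPort: 8000
+protocol: TCP
+- name: monitoring-ce
+containerPort: 8001
+protocol: TCP
+resources:
+limits: ${jsonencode(var.resources.limits)}
+requests: ${jsonencode(var.resources.requests)}
+env:
+- name: SONAR_JDBC_PASSWORD
+valueFrom:
+secretKeyRef:
+name: ${var.instance}-${var.component}-rw.${var.namespace}.svc
+key: password
+envFrom:
+- secretRef:
+name: ${kubectl_manifest.secret.name}
+- configMapRef:
+name: ${kubectl_manifest.cm_env.name}
+livenessProbe:
+exec:
+command:
+- sh
+- -c
+- |
+wget --no-proxy --quiet -O /dev/null --timeout=1 --header="X-Sonar-Passcode: $SONAR_WEB_SYSTEMPASSCODE" "http://localhost:9000/api/system/liveness"
+initialDelaySeconds: 60
+periodSeconds: 30
+failureThreshold: 6
+timeoutSeconds: 1
+readinessProbe:
+exec:
+command:
+- sh
+- -c
+- |
+#!/bin/bash
+if wget --no-proxy -qO- http://localhost:9000/api/system/status | grep -q -e '"status":"UP"' -e '"status":"DB_MIGRATION_NEEDED"' -e '"status":"DB_MIGRATION_RUNNING"'; then
+exit 0
+fi
+exit 1
+initialDelaySeconds: 60
+periodSeconds: 30
+failureThreshold: 6
+timeoutSeconds: 1
+startupProbe:
+httpGet:
+scheme: HTTP
+path: /api/system/status
+port: http
+initialDelaySeconds: 30
+periodSeconds: 10
+failureThreshold: 24
+timeoutSeconds: 1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop: ["ALL"]
+runAsGroup: 0
+runAsNonRoot: true
+runAsUser: 1000
+seccompProfile:
+type: RuntimeDefault
+volumeMounts:
+- mountPath: /opt/sonarqube/data
+name: sonarqube
+subPath: data
+- mountPath: /opt/sonarqube/extensions
+name: sonarqube
+subPath: extensions
+- mountPath: /opt/sonarqube/temp
+name: sonarqube
+subPath: temp
+- mountPath: /opt/sonarqube/logs
+name: sonarqube
+subPath: logs
+- mountPath: /tmp
+name: tmp-dir
+- mountPath: /opt/sonarqube/conf/prometheus-config.yaml
+subPath: prometheus-config.yaml
+name: files
+- mountPath: /opt/sonarqube/conf/prometheus-ce-config.yaml
+subPath: prometheus-ce-config.yaml
+name: files
+serviceAccountName: default
+volumes:
+- name: scripts
+configMap:
+name: ${kubectl_manifest.wordpress_files.name}
+defaultMode: 0755
+items:
+- key: init_sysctl.sh
+path: init_sysctl.sh
+- key: install_plugins.sh
+path: install_plugins.sh
+- name: files
+configMap:
+name: ${kubectl_manifest.cm_files.name}
+defaultMode: 0644
+items:
+- key: prometheus-config.yaml
+path: prometheus-config.yaml
+- key: prometheus-ce-config.yaml
+path: prometheus-ce-config.yaml
+- name: sonarqube
+persistentVolumeClaim:
+claimName: ${kubectl_manifest.pvc.name}
+- name: tmp-dir
+emptyDir: {}
+EOF
+}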
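Review bot: The `scripts` volume references `kubectl_manifest.wordpress_files.name`, a resource that exists nowhere in this commit (it looks copied from the wordpress app); it should read `name: ${kubectl_manifest.cm_scripts.name}`. The database coordinates also disagree with the CNPG cluster declared in `postgresql.tf`: that cluster is named `${var.instance}-${var.component}-pg`, so its read-write service is `…-pg-rw` and the operator-generated owner credentials live in a Secret `…-pg-app` (key `password`), whereas `wait-for-db` probes `${var.instance}-${var.component}-rw`, the `cm_env` JDBC URL uses the same host, and `SONAR_JDBC_PASSWORD` reads a Secret called `${var.instance}-${var.component}-rw.${var.namespace}.svc` — align all three with the cluster name. The removed StatefulSet carried `automountServiceAccountToken: false`; the new pod spec drops it while still using `serviceAccountName: default`, so the default SA token is now mounted into a workload that needs no API access — restore it on the pod spec. `init-sysctl` still runs `privileged: true` as root on every pod start, something the Helm chart made optional; an option to skip it on nodes whose sysctls are already tuned would shrink the privileged footprint.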

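--- /dev/null
+++ b/apps/sonar/template.rhai
@@ -0,0 +1,6 @@
+const DEST=dest;
+fn post_template() {
+save_to_tf(`${global::DEST}/conditions.tf`, "conditions", #{
+have_podmonitors: have_crd("podmonitors.monitoring.coreos.com"),
+});
+}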

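--- a/<path-not-shown>
+++ /dev/null
@@ -1,12 +0,0 @@
-# Source: sonarqube/templates/config.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-name: sonar-sonarqube-config
-labels:
-app: sonarqube
-chart: sonarqube-10.5.1_2816
-release: sonar
-heritage: Helm
-data:
-sonar.properties: |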

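--- a/<path-not-shown>
+++ /dev/null
@@ -1,12 +0,0 @@
-# Source: sonarqube/templates/init-fs.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-name: sonar-sonarqube-init-fs
-labels:
-app: sonarqube
-chart: sonarqube-10.5.1_2816
-release: sonar
-heritage: Helm
-data:
-init_fs.sh: |-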

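--- a/<path-not-shown>
+++ /dev/null
@@ -1,30 +0,0 @@
-# Source: sonarqube/templates/init-sysctl.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-name: sonar-sonarqube-init-sysctl
-labels:
-app: sonarqube
-chart: sonarqube-10.5.1_2816
-release: sonar
-heritage: Helm
-data:
-init_sysctl.sh: |-
-if [[ "$(sysctl -n vm.max_map_count)" -lt 524288 ]]; then
-sysctl -w vm.max_map_count=524288
-fi
-if [[ "$(sysctl -n fs.file-max)" -lt 131072 ]]; then
-sysctl -w fs.file-max=131072
-fi
-if [[ "$(ulimit -n)" != "unlimited" ]]; then
-if [[ "$(ulimit -n)" -lt 131072 ]]; then
-echo "ulimit -n 131072"
-ulimit -n 131072
-fi
-fi
-if [[ "$(ulimit -u)" != "unlimited" ]]; then
-if [[ "$(ulimit -u)" -lt 8192 ]]; then
-echo "ulimit -u 8192"
-ulimit -u 8192
-fi
-fi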

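--- a/<path-not-shown>
+++ /dev/null
@@ -1,20 +0,0 @@
-# Source: sonarqube/templates/install-plugins.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-name: sonar-sonarqube-install-plugins
-labels:
-app: sonarqube
-chart: sonarqube-10.5.1_2816
-release: sonar
-heritage: Helm
-data:
-install_plugins.sh: |-
-rm -f /opt/sonarqube/extensions/plugins/*
-cd /opt/sonarqube/extensions/plugins
-curl -fsSLO "https://github.com/vaulttec/sonar-auth-oidc/releases/download/v2.1.1/sonar-auth-oidc-plugin-2.1.1.jar"
-curl -fsSLO "https://github.com/jycr/sonar-l10n-fr/releases/download/9.9.0/sonar-l10n-fr-plugin-9.9.0.jar"
-curl -fsSLO "https://github.com/sbaudoin/sonar-yaml/releases/download/v1.7.0/sonar-yaml-plugin-1.7.0.jar"
-curl -fsSLO "https://github.com/sbaudoin/sonar-shellcheck/releases/download/v2.5.0/sonar-shellcheck-plugin-2.5.0.jar"
-curl -fsSLO "https://github.com/cnescatlab/sonar-hadolint-plugin/releases/download/1.1.0/sonar-hadolint-plugin-1.1.0.jar"
-curl -fsSLO "https://github.com/sbaudoin/sonar-ansible/releases/download/v2.5.1/sonar-ansible-extras-plugin-2.5.1.jar"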

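--- a/<path-not-shown>
+++ /dev/null
@@ -1,13 +0,0 @@
-# Source: sonarqube/templates/jdbc-config.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-name: sonar-sonarqube-jdbc-config
-labels:
-app: sonarqube
-chart: sonarqube-10.5.1_2816
-release: sonar
-heritage: Helm
-data:
-SONAR_JDBC_USERNAME: "sonarUser"
-SONAR_JDBC_URL: "jdbc:postgresql://sonar-postgresql:5432/sonarDB"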

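--- a/<path-not-shown>
+++ /dev/null
@@ -1,14 +0,0 @@
-# Source: sonarqube/templates/prometheus-ce-config.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-name: sonar-sonarqube-prometheus-ce-config
-labels:
-app: sonarqube
-chart: sonarqube-10.5.1_2816
-release: sonar
-heritage: Helm
-data:
-prometheus-ce-config.yaml: |-
-rules:
-- pattern: .*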

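--- a/<path-not-shown>
+++ /dev/null
@@ -1,14 +0,0 @@
-# Source: sonarqube/templates/prometheus-config.yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-name: sonar-sonarqube-prometheus-config
-labels:
-app: sonarqube
-chart: sonarqube-10.5.1_2816
-release: sonar
-heritage: Helm
-data:
-prometheus-config.yaml: |-
-rules:
-- pattern: .*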

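--- a/<path-not-shown>
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-name: sonar-sonarqube-monitoring-passcode
-labels:
-app: sonarqube
-chart: sonarqube-10.5.1_2816
-release: sonar
-heritage: Helm
-type: Opaque
-data:
-SONAR_WEB_SYSTEMPASSCODE: "ZGVmaW5lX2l0"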

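--- a/<path-not-shown>
+++ /dev/null
@@ -1,21 +0,0 @@
-# Source: sonarqube/templates/service.yaml
-apiVersion: v1
-kind: Service
-metadata:
-name: sonar-sonarqube
-labels:
-app: sonarqube
-chart: sonarqube-10.5.1_2816
-release: sonar
-heritage: Helm
-spec:
-type: ClusterIP
-ports:
-- port: 9000
-targetPort: http
-protocol: TCP
-name: http
-selector:
-app: sonarqube
-release: sonar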