fix

2024-05-23 19:02:24 +02:00
parent c6bb50fca4
commit 8a08647dd6
20 changed files with 610 additions and 458 deletions
--- a/apps/sonar/apps_v1_StatefulSet_sonar-sonarqube.yaml
+++ b/apps/sonar/apps_v1_StatefulSet_sonar-sonarqube.yaml
@@ -1,302 +0,0 @@
 # Source: sonarqube/templates/sonarqube-sts.yaml
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: sonar-sonarqube
  labels:
    app: sonarqube
    chart: sonarqube-10.5.1_2816
    release: sonar
    heritage: Helm
    app.kubernetes.io/name: sonarqube-sonar-sonarqube
    app.kubernetes.io/instance: sonar
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: sonarqube
    app.kubernetes.io/component: sonar-sonarqube
    app.kubernetes.io/version: "10.5.1-community"
 spec:
  replicas: 1
  revisionHistoryLimit: 10
  serviceName: sonar-sonarqube
  selector:
    matchLabels:
      app: sonarqube
      release: sonar
  template:
    metadata:
      labels:
        app: sonarqube
        release: sonar
      annotations:
        checksum/init-sysctl: f024654d224568f7d00f522ab1f651e593efb55ee745e9624beec68996a4458d
        checksum/init-fs: 4c8e59703fd03b0281f452e07eb3f3bdab1150a196f823234e641aaa2afb0253
        checksum/plugins: 4e5baae46155e41236fcbdf85ea8b9ba3358994284bc26fb45d44a728d2b5c8e
        checksum/config: 8dfa24e99816e4a8762c59197f8f41e53f8517b2f62d8839b7464952f77ad240
        checksum/secret: 11c9bb7cdad024fc7971937b62d5245054c1091fc798528488974ef4bd5b7255
        checksum/prometheus-config: 8b558b466ef4f60ab41a25ee83bb1cd6798a7c51aea6c557c75718f8b0527a61
        checksum/prometheus-ce-config: 6af690da3580e26dbbfb7d1eea66284f1f52b2cff5db113b8acad5cdb87f4772
    spec:
      automountServiceAccountToken: false      
      securityContext:
        fsGroup: 0
      initContainers:
        - name: "wait-for-db"
          image: sonarqube:10.5.1-community
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            runAsGroup: 0
            runAsNonRoot: true
            runAsUser: 1000
            seccompProfile:
              type: RuntimeDefault
          resources:
            {}
          command: ["/bin/bash", "-c"]
          args: ['set -o pipefail;for i in {1..200};do (echo > /dev/tcp/sonar-postgresql/5432) && exit 0; sleep 2;done; exit 1']
        - name: init-sysctl
          image: sonarqube:10.5.1-community
          imagePullPolicy: IfNotPresent
          securityContext:
            privileged: true
            runAsUser: 0
          resources:
            {}
          command: ["/bin/bash",
            "-e",
            "/tmp/scripts/init_sysctl.sh"]
          volumeMounts:
            - name: init-sysctl
              mountPath: /tmp/scripts/
          env:
            - name: SONAR_WEB_CONTEXT
              value: /
            - name: SONAR_WEB_JAVAOPTS
              value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8000:/opt/sonarqube/conf/prometheus-config.yaml
            - name: SONAR_CE_JAVAOPTS
              value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8001:/opt/sonarqube/conf/prometheus-ce-config.yaml
        - name: inject-prometheus-exporter
          image: sonarqube:10.5.1-community
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            runAsGroup: 0
            runAsNonRoot: true
            runAsUser: 1000
            seccompProfile:
              type: RuntimeDefault
          resources:
            {}
          command: ["/bin/sh","-c"]
          args: ["curl -s 'https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.17.2/jmx_prometheus_javaagent-0.17.2.jar'  --output /data/jmx_prometheus_javaagent.jar -v"]
          volumeMounts:
            - mountPath: /data
              name: sonarqube
              subPath: data
          env:
            - name: http_proxy
              value: 
            - name: https_proxy
              value: 
            - name: no_proxy
              value: 
            - name: SONAR_WEB_CONTEXT
              value: /
            - name: SONAR_WEB_JAVAOPTS
              value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8000:/opt/sonarqube/conf/prometheus-config.yaml
            - name: SONAR_CE_JAVAOPTS
              value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8001:/opt/sonarqube/conf/prometheus-ce-config.yaml
        - name: install-plugins
          image: sonarqube:10.5.1-community
          imagePullPolicy: IfNotPresent
          command: ["sh",
            "-e",
            "/tmp/scripts/install_plugins.sh"]
          volumeMounts:
            - mountPath: /opt/sonarqube/extensions/plugins
              name: sonarqube
              subPath: extensions/plugins
            - name: install-plugins
              mountPath: /tmp/scripts/
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            runAsGroup: 0
            runAsNonRoot: true
            runAsUser: 1000
            seccompProfile:
              type: RuntimeDefault
          resources:
            {}
          env:
            - name: http_proxy
              value: 
            - name: https_proxy
              value: 
            - name: no_proxy
              value: 
            - name: SONAR_WEB_CONTEXT
              value: /
            - name: SONAR_WEB_JAVAOPTS
              value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8000:/opt/sonarqube/conf/prometheus-config.yaml
            - name: SONAR_CE_JAVAOPTS
              value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8001:/opt/sonarqube/conf/prometheus-ce-config.yaml
      containers:
        - name: sonarqube
          image: sonarqube:10.5.1-community
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 9000
              protocol: TCP
            - name: monitoring-web
              containerPort: 8000
              protocol: TCP
            - name: monitoring-ce
              containerPort: 8001
              protocol: TCP
          resources:
            limits:
              cpu: 800m
              ephemeral-storage: 512000M
              memory: 6144M
            requests:
              cpu: 400m
              ephemeral-storage: 1536M
              memory: 2048M
          env:
            - name: SONAR_WEB_CONTEXT
              value: /
            - name: SONAR_WEB_JAVAOPTS
              value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8000:/opt/sonarqube/conf/prometheus-config.yaml
            - name: SONAR_CE_JAVAOPTS
              value: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8001:/opt/sonarqube/conf/prometheus-ce-config.yaml
            - name: SONAR_HELM_CHART_VERSION
              value: 10.5.1_2816
            - name: SONAR_JDBC_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: sonar-postgresql
                  key: postgresql-password
            - name: SONAR_WEB_SYSTEMPASSCODE
              valueFrom:
                secretKeyRef:
                  name: sonar-sonarqube-monitoring-passcode
                  key: SONAR_WEB_SYSTEMPASSCODE
          envFrom:
            - configMapRef:
                name: sonar-sonarqube-jdbc-config
          livenessProbe:
            exec:
              command:
              - sh
              - -c
              - |
                wget --no-proxy --quiet -O /dev/null --timeout=1 --header="X-Sonar-Passcode: $SONAR_WEB_SYSTEMPASSCODE" "http://localhost:9000/api/system/liveness"
            initialDelaySeconds: 60
            periodSeconds: 30
            failureThreshold: 6
            timeoutSeconds: 1
          readinessProbe:
            exec:
              command:
              - sh
              - -c
              - |
                #!/bin/bash
                # A Sonarqube container is considered ready if the status is UP, DB_MIGRATION_NEEDED or DB_MIGRATION_RUNNING
                # status about migration are added to prevent the node to be kill while sonarqube is upgrading the database.
                if wget --no-proxy -qO- http://localhost:9000/api/system/status | grep -q -e '"status":"UP"' -e '"status":"DB_MIGRATION_NEEDED"' -e '"status":"DB_MIGRATION_RUNNING"'; then
                	exit 0
                fi
                exit 1
            initialDelaySeconds: 60
            periodSeconds: 30
            failureThreshold: 6
            timeoutSeconds: 1
          startupProbe:
            httpGet:
              scheme: HTTP
              path: /api/system/status
              port: http
            initialDelaySeconds: 30
            periodSeconds: 10
            failureThreshold: 24
            timeoutSeconds: 1
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            runAsGroup: 0
            runAsNonRoot: true
            runAsUser: 1000
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - mountPath: /opt/sonarqube/data
              name: sonarqube
              subPath: data
            - mountPath: /opt/sonarqube/extensions/plugins
              name: sonarqube
              subPath: extensions/plugins
            - mountPath: /opt/sonarqube/temp
              name: sonarqube
              subPath: temp
            - mountPath: /opt/sonarqube/logs
              name: sonarqube
              subPath: logs
            - mountPath: /tmp
              name: tmp-dir
            - mountPath: /opt/sonarqube/conf/prometheus-config.yaml
              subPath: prometheus-config.yaml
              name: prometheus-config
            - mountPath: /opt/sonarqube/conf/prometheus-ce-config.yaml
              subPath: prometheus-ce-config.yaml
              name: prometheus-ce-config
      serviceAccountName: default
      volumes:
      - name: init-sysctl
        configMap:
          name: sonar-sonarqube-init-sysctl
          items:
            - key: init_sysctl.sh
              path: init_sysctl.sh
      - name: init-fs
        configMap:
          name: sonar-sonarqube-init-fs
          items:
            - key: init_fs.sh
              path: init_fs.sh
      - name: install-plugins
        configMap:
          name: sonar-sonarqube-install-plugins
          items:
            - key: install_plugins.sh
              path: install_plugins.sh
      - name: prometheus-config
        configMap:
          name: sonar-sonarqube-prometheus-config
          items:
            - key: prometheus-config.yaml
              path: prometheus-config.yaml
      - name: prometheus-ce-config
        configMap:
          name: sonar-sonarqube-prometheus-ce-config
          items:
            - key: prometheus-ce-config.yaml
              path: prometheus-ce-config.yaml
      - name: sonarqube
        emptyDir:
          {}
      - name : tmp-dir
        emptyDir:
          {}
--- a/apps/sonar/common.tf
+++ b/apps/sonar/common.tf
@@ -0,0 +1,22 @@
 locals {
  core_labels = {
    "app.kubernetes.io/name" = var.component
    "app.kubernetes.io/instance" = var.instance
  }
  common_labels = merge({
    "vynil.solidite.fr/owner-name" = var.instance
    "vynil.solidite.fr/owner-namespace" = var.namespace
    "vynil.solidite.fr/owner-category" = var.category
    "vynil.solidite.fr/owner-component" = var.component
    "app.kubernetes.io/managed-by" = "vynil"
  },local.core_labels)
  sonar_labels = merge({
    "app.kubernetes.io/componant" = "sonarQube"
  },local.core_labels)
  sonar_all_labels = merge({
    "app.kubernetes.io/componant" = "sonarQube"
  },local.common_labels)
  pg_labels = merge(local.common_labels, {
    "app.kubernetes.io/component" = "pg"
  })
 }
--- a/apps/sonar/index.yaml
+++ b/apps/sonar/index.yaml
@@ -6,6 +6,11 @@ metadata:
  name: sonar
  description: The code quality tool for better code
 options:
  app_group:
    default: dev
    examples:
    - dev
    type: string
  domain:
    default: your-company
    examples:
@@ -21,21 +26,21 @@ options:
      sonar:
        pull_policy: IfNotPresent
        registry: docker.io
-        repository: to-be/defined
+        repository: sonarqube
-        tag: v1.0.0
+        tag: 10.5.1-community
    examples:
    - sonar:
        pull_policy: IfNotPresent
        registry: docker.io
-        repository: to-be/defined
+        repository: sonarqube
-        tag: v1.0.0
+        tag: 10.5.1-community
    properties:
      sonar:
        default:
          pull_policy: IfNotPresent
          registry: docker.io
-          repository: to-be/defined
+          repository: sonarqube
-          tag: v1.0.0
+          tag: 10.5.1-community
        properties:
          pull_policy:
            default: IfNotPresent
@@ -48,10 +53,10 @@ options:
            default: docker.io
            type: string
          repository:
-            default: to-be/defined
+            default: sonarqube
            type: string
          tag:
-            default: v1.0.0
+            default: 10.5.1-community
            type: string
        type: object
    type: object
@@ -83,6 +88,86 @@ options:
    items:
      type: string
    type: array
  postgres:
    default:
      replicas: 1
    examples:
    - replicas: 1
    properties:
      replicas:
        default: 1
        type: integer
    type: object
  resources:
    limits:
      cpu: 800m
      ephemeral-storage: 512000M
      memory: 6144M
    requests:
      cpu: 400m
      ephemeral-storage: 1536M
      memory: 2048M
  storage:
    default:
      postgres:
        size: 5Gi
      volume:
        accessMode: ReadWriteOnce
        class: ''
        maxSize: 100Gi
        size: 10Gi
        type: Filesystem
    description: Configure this app storage
    examples:
    - postgres:
        size: 5Gi
      volume:
        accessMode: ReadWriteOnce
        class: ''
        maxSize: 100Gi
        size: 10Gi
        type: Filesystem
    properties:
      postgres:
        default:
          size: 5Gi
        properties:
          size:
            default: 5Gi
            type: string
        type: object
      volume:
        default:
          accessMode: ReadWriteOnce
          class: ''
          maxSize: 100Gi
          size: 10Gi
          type: Filesystem
        properties:
          accessMode:
            default: ReadWriteOnce
            enum:
            - ReadWriteOnce
            - ReadOnlyMany
            - ReadWriteMany
            type: string
          class:
            default: ''
            type: string
          maxSize:
            default: 100Gi
            type: string
          size:
            default: 10Gi
            type: string
          type:
            default: Filesystem
            enum:
            - Filesystem
            - Block
            type: string
        type: object
    type: object
  sub_domain:
    default: sonar
    examples:
--- a/apps/sonar/postgresql.tf
+++ b/apps/sonar/postgresql.tf
@@ -0,0 +1,57 @@
 resource "kubectl_manifest" "prj_pg" {
  yaml_body  = join("", concat([<<-EOF
    apiVersion: postgresql.cnpg.io/v1
    kind: Cluster
    metadata:
      name: "${var.instance}-${var.component}-pg"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.pg_labels)}
    spec:
      instances: ${var.postgres.replicas}
      imageName: "${var.images.postgresql.registry}/${var.images.postgresql.repository}:${var.images.postgresql.tag}"
      storage:
        size: "${var.storage.postgres.size}"
      bootstrap:
        initdb:
          database: "${var.component}"
          owner: "${var.component}"
      monitoring:
        enablePodMonitor: true
      inheritedMetadata:
        annotations:
          "k8up.io/backupcommand": "pg_dump -U postgres -d ${var.component} --clean"
          "k8up.io/file-extension": ".sql"
          "k8up.io/backup": "true"
  EOF
  ], var.backups.enable&&var.backups.use_barman?[<<-EOF
      backup:
        barmanObjectStore:
          destinationPath: "s3://${var.instance}-${var.namespace}/"
          endpointURL: "${var.backups.endpoint}/barman"
          s3Credentials:
            accessKeyId:
              name: "${var.backups.secret_name}"
              key: "${var.backups.key_id_key}"
            secretAccessKey:
              name: "${var.backups.secret_name}"
              key: "${var.backups.secret_key}"
  EOF
  ]:[""]))
 }
 resource "kubectl_manifest" "prj_pg_backup" {
  count = var.backups.enable ? 1:0
  yaml_body  = <<-EOF
    apiVersion: postgresql.cnpg.io/v1
    kind: ScheduledBackup
    metadata:
      name: "${var.instance}-${var.component}-pg"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.pg_labels)}
    spec:
      schedule: "${var.backups.schedule.db}"
      backupOwnerReference: self
      cluster:
        name: "${var.instance}-${var.component}-pg"
  EOF
 }
--- a/apps/sonar/sonar_ConfigMap.tf
+++ b/apps/sonar/sonar_ConfigMap.tf
@@ -0,0 +1,94 @@
 resource "kubectl_manifest" "cm_env" {
  yaml_body  = <<-EOF
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: "${var.instance}-${var.component}-envs"
      labels: ${jsonencode(local.sonar_all_labels)}
      namespace: ${var.namespace}
    data:
      SONAR_JDBC_USERNAME: ${var.component}
      SONAR_JDBC_URL: jdbc:postgresql://${var.instance}-${var.component}-rw.${var.namespace}.svc:5432/${var.component}
      SONAR_WEB_CONTEXT: /
      SONAR_WEB_JAVAOPTS: -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8000:/opt/sonarqube/conf/prometheus-config.yaml
      SONAR_CE_JAVAOPTS:  -javaagent:/opt/sonarqube/data/jmx_prometheus_javaagent.jar=8001:/opt/sonarqube/conf/prometheus-ce-config.yaml
 EOF
 }
 resource "kubectl_manifest" "cm_files" {
  yaml_body  = <<-EOF
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: "${var.instance}-${var.component}-files"
      labels: ${jsonencode(local.sonar_all_labels)}
      namespace: ${var.namespace}
    data:
      sonar.properties: |-
        sonar.telemetry.enable=false
        sonar.updatecenter.activate=false
        sonar.auth.saml.enabled=true
        sonar.auth.saml.applicationId=
        sonar.auth.saml.providerName=
        sonar.auth.saml.providerId=
        sonar.auth.saml.loginUrl=
        sonar.auth.saml.certificate.secured=
        sonar.auth.saml.user.login=
        sonar.auth.saml.user.name=
        sonar.auth.saml.user.email=
        sonar.auth.saml.group.name=
      prometheus-ce-config.yaml: |-
        rules:
        - pattern: .*
      prometheus-config.yaml: |-
        rules:
        - pattern: .*
 EOF
 }
 resource "kubectl_manifest" "cm_scripts" {
  yaml_body  = join("", concat([<<EOF
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: "${var.instance}-${var.component}-files"
      labels: ${jsonencode(local.sonar_all_labels)}
      namespace: ${var.namespace}
    data:
      init_sysctl.sh: |-
        if [[ "$(sysctl -n vm.max_map_count)" -lt 524288 ]]; then
          sysctl -w vm.max_map_count=524288
        fi
        if [[ "$(sysctl -n fs.file-max)" -lt 131072 ]]; then
          sysctl -w fs.file-max=131072
        fi
        if [[ "$(ulimit -n)" != "unlimited" ]]; then
          if [[ "$(ulimit -n)" -lt 131072 ]]; then
            echo "ulimit -n 131072"
            ulimit -n 131072
          fi
        fi
        if [[ "$(ulimit -u)" != "unlimited" ]]; then
          if [[ "$(ulimit -u)" -lt 8192 ]]; then
            echo "ulimit -u 8192"
            ulimit -u 8192
          fi
        fi
      init_fs.sh: chown -R 1000:0 /opt/sonarqube
      install_plugins.sh: |-
        #!/bin/bash
        if [ ! -f /data/jmx_prometheus_javaagent.jar ];then
          curl -s 'https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.17.2/jmx_prometheus_javaagent-0.17.2.jar'  --output /data/jmx_prometheus_javaagent.jar -v
        fi
        get_plugin() {
          file=$(echo $1|sed 's#.*/##')
          if [ ! -f "$file" ];then
            curl -fsSLO "$1"
          fi
        }
        cd /opt/sonarqube/extensions/plugins
 EOF
    ],[for p in var.plugins: "        get_plugin ${p}"]))
 }
--- a/apps/sonar/sonar_PersistentVolumeClaim.tf
+++ b/apps/sonar/sonar_PersistentVolumeClaim.tf
@@ -0,0 +1,28 @@
 locals {
  pvc_spec = merge({
    "accessModes" = [var.storage.volume.accessMode]
    "volumeMode" = var.storage.volume.type
    "resources" = {
      "requests" = {
        "storage" = "${var.storage.volume.size}"
      }
    }
  }, var.storage.volume.class != "" ?{
    "storageClassName" = var.storage.volume.class
  }:{})
 }
 resource "kubectl_manifest" "pvc" {
  ignore_fields = ["spec.resources.requests.storage"]
  yaml_body  = <<-EOF
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: "${var.component}-${var.instance}"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.common_labels)}
      annotations:
        resize.kubesphere.io/storage_limit: "${var.storage.volume.maxSize}"
    spec: ${jsonencode(local.pvc_spec)}
  EOF
 }
--- a/apps/sonar/sonar_Secret.tf
+++ b/apps/sonar/sonar_Secret.tf
@@ -0,0 +1,18 @@
 resource "random_password" "system" {
  length           = 16
  special          = false
 }
 resource "kubectl_manifest" "secret" {
  yaml_body  = <<-EOF
    apiVersion: v1
    kind: Secret
    metadata:
      name: "${var.instance}-${var.component}"
      labels: ${jsonencode(local.sonar_all_labels)}
      namespace: ${var.namespace}
    type: Opaque
    stringData:
      SONAR_WEB_SYSTEMPASSCODE: "${random_password.system.result}"
 EOF
 }
--- a/apps/sonar/sonar_Service.tf
+++ b/apps/sonar/sonar_Service.tf
@@ -0,0 +1,62 @@
 locals {
  dns_name = "${var.sub_domain}.${var.domain_name}"
  dns_names = [local.dns_name]
  app_name = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
  icon              = "icon.svg"
 }
 module "service" {
  source = "git::https://git.solidite.fr/vynil/kydah-modules.git//service"
  component         = var.component
  instance          = var.instance
  namespace         = var.namespace
  labels            = local.common_labels
  selector          = local.sonar_labels
  targets           = ["http"]
  providers = {
    kubectl = kubectl
  }
 }
 module "ingress" {
  source = "git::https://git.solidite.fr/vynil/kydah-modules.git//ingress"
  component         = ""
  instance          = var.instance
  namespace         = var.namespace
  issuer            = var.issuer
  ingress_class     = var.ingress_class
  labels            = local.common_labels
  dns_names         = local.dns_names
  middlewares       = [module.forward.middleware]
  services          = [module.service.default_definition]
  providers = {
    kubectl = kubectl
  }
 }
 module "application" {
  source = "git::https://git.solidite.fr/vynil/kydah-modules.git//application"
  component         = var.component
  instance          = var.instance
  app_group         = var.app_group
  dns_name          = local.dns_name
  icon              = local.icon
  protocol_provider = module.saml.provider-id
  providers = {
    authentik = authentik
  }
 }
 module "saml" {
  source = "git::https://git.solidite.fr/vynil/kydah-modules.git//saml"
  component         = var.component
  instance          = var.instance
  issuer            = "self-sign"
  dns_names         = local.dns_names
  namespace         = var.namespace
  labels            = local.common_labels
  providers = {
    kubectl = kubectl
    authentik = authentik
  }
 }
--- a/apps/sonar/sonar_monitoring.tf
+++ b/apps/sonar/sonar_monitoring.tf
@@ -0,0 +1,34 @@
 resource "kubectl_manifest" "PodMonitor_sonarqube" {
  count = var.conditions.have_podmonitors?1:0
  yaml_body  = <<-EOF
    apiVersion: monitoring.coreos.com/v1
    kind: PodMonitor
    metadata:
      name: sonarqube
      namespace: ${var.namespace}
      labels: ${jsonencode(local.sonar_all_labels)}
    spec:
      namespaceSelector:
        matchNames:
        - ${var.namespace}
      selector:
        matchLabels: ${jsonencode(local.sonar_labels)}
      podMetricsEndpoints:
      - port: http
        path: /api/monitoring/metrics
        scheme: http
        interval: 30s
        bearerTokenSecret:
          name: ${kubectl_manifest.secret.name}
          key: SONAR_WEB_SYSTEMPASSCODE
      - port: monitoring-ce
        path: /
        scheme: http
        interval: 30s
      - port: monitoring-web
        path: /
        scheme: http
        interval: 30s
 EOF
 }
--- a/apps/sonar/sonar_workload.tf
+++ b/apps/sonar/sonar_workload.tf
@@ -0,0 +1,196 @@
 resource "kubectl_manifest" "Deployment_sonar-sonarqube" {
  yaml_body  = <<-EOF
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: "${var.instance}-${var.component}"
      labels: ${jsonencode(local.sonar_all_labels)}
      namespace: ${var.namespace}
    spec:
      replicas: 1
      revisionHistoryLimit: 10
      selector:
        matchLabels: ${jsonencode(local.sonar_labels)}
      template:
        metadata:
          labels: ${jsonencode(local.sonar_labels)}
        spec:
          securityContext:
            fsGroup: 0
          initContainers:
          - name: init-sysctl
            image: "${var.images.sonar.registry}/${var.images.sonar.repository}:${var.images.sonar.tag}"
            imagePullPolicy: ${var.images.sonar.pull_policy}
            securityContext:
              privileged: true
              runAsUser: 0
            command: ["/bin/bash","-e","/tmp/scripts/init_sysctl.sh"]
            volumeMounts:
            - name: scripts
              mountPath: /tmp/scripts/
          - name: wait-for-db
            image: "${var.images.sonar.registry}/${var.images.sonar.repository}:${var.images.sonar.tag}"
            imagePullPolicy: ${var.images.sonar.pull_policy}
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop: ["ALL"]
              runAsGroup: 0
              runAsNonRoot: true
              runAsUser: 1000
              seccompProfile:
                type: RuntimeDefault
            command: ["/bin/bash", "-c"]
            args: ["set -o pipefail;for i in {1..200};do (echo > /dev/tcp/${var.instance}-${var.component}-rw/5432) && exit 0; sleep 2;done; exit 1"]
          - name: configure
            image: "${var.images.sonar.registry}/${var.images.sonar.repository}:${var.images.sonar.tag}"
            imagePullPolicy: ${var.images.sonar.pull_policy}
            command: ["/bin/bash","-e","/tmp/scripts/install_plugins.sh"]
            volumeMounts:
            - mountPath: /data
              name: sonarqube
              subPath: data
            - mountPath: /opt/sonarqube/extensions/plugins
              name: sonarqube
              subPath: extensions/plugins
            - name: scripts
              mountPath: /tmp/scripts/
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop: ["ALL"]
              runAsGroup: 0
              runAsNonRoot: true
              runAsUser: 1000
              seccompProfile:
                type: RuntimeDefault
            envFrom:
            - configMapRef:
                name: ${kubectl_manifest.cm_env.name}
            env:
            - name: http_proxy
              value: null
            - name: https_proxy
              value: null
            - name: no_proxy
              value: null
          containers:
          - name: sonarqube
            image: "${var.images.sonar.registry}/${var.images.sonar.repository}:${var.images.sonar.tag}"
            imagePullPolicy: ${var.images.sonar.pull_policy}
            ports:
            - name: http
              containerPort: 9000
              protocol: TCP
            - name: monitoring-web
              containerPort: 8000
              protocol: TCP
            - name: monitoring-ce
              containerPort: 8001
              protocol: TCP
            resources:
              limits: ${jsonencode(var.resources.limits)}
              requests: ${jsonencode(var.resources.requests)}
            env:
            - name: SONAR_JDBC_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: ${var.instance}-${var.component}-rw.${var.namespace}.svc
                  key: password
            envFrom:
            - secretRef:
                name: ${kubectl_manifest.secret.name}
            - configMapRef:
                name: ${kubectl_manifest.cm_env.name}
            livenessProbe:
              exec:
                command:
                - sh
                - -c
                - |
                  wget --no-proxy --quiet -O /dev/null --timeout=1 --header="X-Sonar-Passcode: $SONAR_WEB_SYSTEMPASSCODE" "http://localhost:9000/api/system/liveness"
              initialDelaySeconds: 60
              periodSeconds: 30
              failureThreshold: 6
              timeoutSeconds: 1
            readinessProbe:
              exec:
                command:
                - sh
                - -c
                - |
                  #!/bin/bash
                  if wget --no-proxy -qO- http://localhost:9000/api/system/status | grep -q -e '"status":"UP"' -e '"status":"DB_MIGRATION_NEEDED"' -e '"status":"DB_MIGRATION_RUNNING"'; then
                    exit 0
                  fi
                  exit 1
              initialDelaySeconds: 60
              periodSeconds: 30
              failureThreshold: 6
              timeoutSeconds: 1
            startupProbe:
              httpGet:
                scheme: HTTP
                path: /api/system/status
                port: http
              initialDelaySeconds: 30
              periodSeconds: 10
              failureThreshold: 24
              timeoutSeconds: 1
            securityContext:
              allowPrivilegeEscalation: false
              capabilities:
                drop: ["ALL"]
              runAsGroup: 0
              runAsNonRoot: true
              runAsUser: 1000
              seccompProfile:
                type: RuntimeDefault
            volumeMounts:
            - mountPath: /opt/sonarqube/data
              name: sonarqube
              subPath: data
            - mountPath: /opt/sonarqube/extensions
              name: sonarqube
              subPath: extensions
            - mountPath: /opt/sonarqube/temp
              name: sonarqube
              subPath: temp
            - mountPath: /opt/sonarqube/logs
              name: sonarqube
              subPath: logs
            - mountPath: /tmp
              name: tmp-dir
            - mountPath: /opt/sonarqube/conf/prometheus-config.yaml
              subPath: prometheus-config.yaml
              name: files
            - mountPath: /opt/sonarqube/conf/prometheus-ce-config.yaml
              subPath: prometheus-ce-config.yaml
              name: files
          serviceAccountName: default
          volumes:
          - name: scripts
            configMap:
              name: ${kubectl_manifest.wordpress_files.name}
              defaultMode: 0755
              items:
              - key: init_sysctl.sh
                path: init_sysctl.sh
              - key: install_plugins.sh
                path: install_plugins.sh
          - name: files
            configMap:
              name: ${kubectl_manifest.cm_files.name}
              defaultMode: 0644
              items:
              - key: prometheus-config.yaml
                path: prometheus-config.yaml
              - key: prometheus-ce-config.yaml
                path: prometheus-ce-config.yaml
          - name: sonarqube
            persistentVolumeClaim:
              claimName: ${kubectl_manifest.pvc.name}
          - name: tmp-dir
            emptyDir: {}
 EOF
 }
--- a/apps/sonar/template.rhai
+++ b/apps/sonar/template.rhai
@@ -0,0 +1,6 @@
 const DEST=dest;
 fn post_template() {
    save_to_tf(`${global::DEST}/conditions.tf`, "conditions", #{
        have_podmonitors: have_crd("podmonitors.monitoring.coreos.com"),
    });
 }
--- a/apps/sonar/v1_ConfigMap_sonar-sonarqube-config.yaml
+++ b/apps/sonar/v1_ConfigMap_sonar-sonarqube-config.yaml
@@ -1,12 +0,0 @@
 # Source: sonarqube/templates/config.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: sonar-sonarqube-config
  labels:
    app: sonarqube
    chart: sonarqube-10.5.1_2816
    release: sonar
    heritage: Helm
 data:
  sonar.properties: |
--- a/apps/sonar/v1_ConfigMap_sonar-sonarqube-init-fs.yaml
+++ b/apps/sonar/v1_ConfigMap_sonar-sonarqube-init-fs.yaml
@@ -1,12 +0,0 @@
 # Source: sonarqube/templates/init-fs.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: sonar-sonarqube-init-fs
  labels:
    app: sonarqube
    chart: sonarqube-10.5.1_2816
    release: sonar
    heritage: Helm
 data:
  init_fs.sh: |-
--- a/apps/sonar/v1_ConfigMap_sonar-sonarqube-init-sysctl.yaml
+++ b/apps/sonar/v1_ConfigMap_sonar-sonarqube-init-sysctl.yaml
@@ -1,30 +0,0 @@
 # Source: sonarqube/templates/init-sysctl.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: sonar-sonarqube-init-sysctl
  labels:
    app: sonarqube
    chart: sonarqube-10.5.1_2816
    release: sonar
    heritage: Helm
 data:
  init_sysctl.sh: |-
    if [[ "$(sysctl -n vm.max_map_count)" -lt 524288 ]]; then
      sysctl -w vm.max_map_count=524288
    fi
    if [[ "$(sysctl -n fs.file-max)" -lt 131072 ]]; then
      sysctl -w fs.file-max=131072
    fi
    if [[ "$(ulimit -n)" != "unlimited" ]]; then
      if [[ "$(ulimit -n)" -lt 131072 ]]; then
        echo "ulimit -n 131072"
        ulimit -n 131072
      fi
    fi
    if [[ "$(ulimit -u)" != "unlimited" ]]; then
      if [[ "$(ulimit -u)" -lt 8192 ]]; then
        echo "ulimit -u 8192"
        ulimit -u 8192
      fi
    fi
--- a/apps/sonar/v1_ConfigMap_sonar-sonarqube-install-plugins.yaml
+++ b/apps/sonar/v1_ConfigMap_sonar-sonarqube-install-plugins.yaml
@@ -1,20 +0,0 @@
 # Source: sonarqube/templates/install-plugins.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: sonar-sonarqube-install-plugins
  labels:
    app: sonarqube
    chart: sonarqube-10.5.1_2816
    release: sonar
    heritage: Helm
 data:
  install_plugins.sh: |-
      rm -f /opt/sonarqube/extensions/plugins/*
      cd /opt/sonarqube/extensions/plugins
      curl   -fsSLO "https://github.com/vaulttec/sonar-auth-oidc/releases/download/v2.1.1/sonar-auth-oidc-plugin-2.1.1.jar"
      curl   -fsSLO "https://github.com/jycr/sonar-l10n-fr/releases/download/9.9.0/sonar-l10n-fr-plugin-9.9.0.jar"
      curl   -fsSLO "https://github.com/sbaudoin/sonar-yaml/releases/download/v1.7.0/sonar-yaml-plugin-1.7.0.jar"
      curl   -fsSLO "https://github.com/sbaudoin/sonar-shellcheck/releases/download/v2.5.0/sonar-shellcheck-plugin-2.5.0.jar"
      curl   -fsSLO "https://github.com/cnescatlab/sonar-hadolint-plugin/releases/download/1.1.0/sonar-hadolint-plugin-1.1.0.jar"
      curl   -fsSLO "https://github.com/sbaudoin/sonar-ansible/releases/download/v2.5.1/sonar-ansible-extras-plugin-2.5.1.jar"
--- a/apps/sonar/v1_ConfigMap_sonar-sonarqube-jdbc-config.yaml
+++ b/apps/sonar/v1_ConfigMap_sonar-sonarqube-jdbc-config.yaml
@@ -1,13 +0,0 @@
 # Source: sonarqube/templates/jdbc-config.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: sonar-sonarqube-jdbc-config
  labels:
    app: sonarqube
    chart: sonarqube-10.5.1_2816
    release: sonar
    heritage: Helm
 data:
  SONAR_JDBC_USERNAME: "sonarUser"
  SONAR_JDBC_URL: "jdbc:postgresql://sonar-postgresql:5432/sonarDB"
--- a/apps/sonar/v1_ConfigMap_sonar-sonarqube-prometheus-ce-config.yaml
+++ b/apps/sonar/v1_ConfigMap_sonar-sonarqube-prometheus-ce-config.yaml
@@ -1,14 +0,0 @@
 # Source: sonarqube/templates/prometheus-ce-config.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: sonar-sonarqube-prometheus-ce-config
  labels:
    app: sonarqube
    chart: sonarqube-10.5.1_2816
    release: sonar
    heritage: Helm
 data:
  prometheus-ce-config.yaml: |-
        rules:
        - pattern: .*
--- a/apps/sonar/v1_ConfigMap_sonar-sonarqube-prometheus-config.yaml
+++ b/apps/sonar/v1_ConfigMap_sonar-sonarqube-prometheus-config.yaml
@@ -1,14 +0,0 @@
 # Source: sonarqube/templates/prometheus-config.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: sonar-sonarqube-prometheus-config
  labels:
    app: sonarqube
    chart: sonarqube-10.5.1_2816
    release: sonar
    heritage: Helm
 data:
  prometheus-config.yaml: |-
        rules:
        - pattern: .*
--- a/apps/sonar/v1_Secret_sonar-sonarqube-monitoring-passcode.yaml
+++ b/apps/sonar/v1_Secret_sonar-sonarqube-monitoring-passcode.yaml
@@ -1,12 +0,0 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: sonar-sonarqube-monitoring-passcode
  labels:
    app: sonarqube
    chart: sonarqube-10.5.1_2816
    release: sonar
    heritage: Helm
 type: Opaque
 data:
  SONAR_WEB_SYSTEMPASSCODE: "ZGVmaW5lX2l0"
--- a/apps/sonar/v1_Service_sonar-sonarqube.yaml
+++ b/apps/sonar/v1_Service_sonar-sonarqube.yaml
@@ -1,21 +0,0 @@
 # Source: sonarqube/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: sonar-sonarqube
  labels:
    app: sonarqube
    chart: sonarqube-10.5.1_2816
    release: sonar
    heritage: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 9000
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app: sonarqube
    release: sonar