Add missing security context statement (SonarSource#157)

Aypz · Jan 31, 2022 · 0419fa7 · 0419fa7
1 parent be548a0
commit 0419fa7
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 2 deletions.
diff --git a/charts/sonarqube/Chart.yaml b/charts/sonarqube/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: sonarqube
 description: SonarQube offers Code Quality and Code Security analysis for up to 27 languages. Find Bugs, Vulnerabilities, Security Hotspots and Code Smells throughout your workflow.
-version: 1.6.4
+version: 1.6.5
 appVersion: 9.2.4
 keywords:
  - coverage
@@ -49,6 +49,8 @@ annotations:
  description: "livenessProbe.failureThreshold was never rendered"
  - kind: fixed
  description: "properties are now correctly set"
+ - kind: fixed
+ description: "add securitycontext to wait-for-db and change-password hook"
  artifacthub.io/containsSecurityUpdates: "false"
  artifacthub.io/images: |
  - name: sonarqube

diff --git a/charts/sonarqube/README.md b/charts/sonarqube/README.md
@@ -385,6 +385,7 @@ The following table lists the configurable parameters of the Sonarqube chart and
 | `account.resources.limits.memory` | Memory limit for Admin hook | `128Mi` |
 | `account.resources.limits.cpu` | CPU limit for Admin hook | `100m` |
 | `account.sonarWebContext` | SonarQube web context for Admin hook | `nil` |
+| `account.securityContext` | SecurityContext for change-password-hook | `{}` |
 | `curlContainerImage` | Curl container image | `curlimages/curl:latest` |
 | `adminJobAnnotations` | Custom annotations for admin hook Job | `{}` |
 | `terminationGracePeriodSeconds` | Configuration of `terminationGracePeriodSeconds` | `60` |

diff --git a/charts/sonarqube/templates/change-admin-password-hook.yml b/charts/sonarqube/templates/change-admin-password-hook.yml
@@ -43,6 +43,10 @@ spec:
  containers:
  - name: {{ template "sonarqube.fullname" . }}-change-default-admin-password
  image: {{ default "curlimages/curl:latest" .Values.curlContainerImage }}
+ {{- if $securityContext := .Values.account.securityContext }}
+ securityContext:
+{{ toYaml $securityContext | indent 12 }}
+ {{- end }}
  command: ["sh", "-c", 'until curl -v --connect-timeout 100 {{ template "sonarqube.fullname" . }}:{{ default 9000 .Values.service.internalPort }}{{ default "/" .Values.account.sonarWebContext }}api/system/status | grep -w UP; do sleep 10; done; curl -v --connect-timeout 100 -u admin:{{ default "admin" .Values.account.currentAdminPassword }} -X POST "{{ template "sonarqube.fullname" . }}:{{ default 9000 .Values.service.internalPort }}{{ default "/" .Values.account.sonarWebContext }}api/users/change_password?login=admin&previousPassword={{ .Values.account.currentAdminPassword | default "admin" | urlquery }}&password={{ .Values.account.adminPassword | default "admin" | urlquery }}"']
  resources:
 {{ toYaml (default .Values.resources .Values.account.resources) | indent 10 }}

diff --git a/charts/sonarqube/templates/deployment.yaml b/charts/sonarqube/templates/deployment.yaml
@@ -189,6 +189,10 @@ spec:
  - name: "wait-for-db"
  image: {{ default "busybox:1.32" .Values.initContainers.image }}
  imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if $securityContext := .Values.initContainers.securityContext }}
+ securityContext:
+{{ toYaml $securityContext | indent 12 }}
+ {{- end }}
  resources:
 {{ toYaml .Values.initContainers.resources | indent 12 }}
  command: ["/bin/sh", "-c", "for i in $(seq 1 200); do nc -z -w3 {{ .Release.Name}}-postgresql 5432 && exit 0 || sleep 2; done; exit 1"]

diff --git a/charts/sonarqube/templates/sonarqube-sts.yaml b/charts/sonarqube/templates/sonarqube-sts.yaml
@@ -64,6 +64,10 @@ spec:
  - name: "wait-for-db"
  image: {{ default "busybox:1.32" .Values.initContainers.image }}
  imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if $securityContext := .Values.initContainers.securityContext }}
+ securityContext:
+{{ toYaml $securityContext | indent 12 }}
+ {{- end }}
  resources:
 {{ toYaml .Values.initContainers.resources | indent 12 }}
  command: ["/bin/sh", "-c", "for i in $(seq 1 200); do nc -z -w3 {{ .Release.Name}}-postgresql 5432 && exit 0 || sleep 2; done; exit 1"]
@@ -343,7 +347,7 @@ spec:
  # A Sonarqube container is considered ready if the status is UP, DB_MIGRATION_NEEDED or DB_MIGRATION_RUNNING
  # status about migration are added to prevent the node to be kill while sonarqube is upgrading the database.
  host="$(hostname -i || echo '127.0.0.1')"
- if wget -qO- http:https://${host}:{{ .Values.service.internalPort }}{{ .Values.readinessProbe.sonarWebContext }}api/system/status | grep -q -e '"status":"UP"' -e '"status":"DB_MIGRATION_NEEDED"' -e '"status":"DB_MIGRATION_RUNNING"'; then
+ if wget --proxy off -qO- http:https://${host}:{{ .Values.service.internalPort }}{{ .Values.readinessProbe.sonarWebContext }}api/system/status | grep -q -e '"status":"UP"' -e '"status":"DB_MIGRATION_NEEDED"' -e '"status":"DB_MIGRATION_RUNNING"'; then
  exit 0
  fi
  exit 1

diff --git a/charts/sonarqube/values.yaml b/charts/sonarqube/values.yaml
@@ -488,6 +488,7 @@ extraConfig:
 # account:
 # adminPassword: admin
 # currentAdminPassword: admin
+# securityContext: {}
 # resources:
 # limits:
 # cpu: 100m