diff --git a/charts/sonarqube/Chart.yaml b/charts/sonarqube/Chart.yaml
index 284061ee9..9b70c70d7 100644
--- a/charts/sonarqube/Chart.yaml
+++ b/charts/sonarqube/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: sonarqube
 description: SonarQube offers Code Quality and Code Security analysis for up to 27 languages. Find Bugs, Vulnerabilities, Security Hotspots and Code Smells throughout your workflow.
-version: 1.6.4
+version: 1.6.5
 appVersion: 9.2.4
 keywords:
 - coverage
@@ -49,6 +49,8 @@ annotations:
 description: "livenessProbe.failureThreshold was never rendered"
 - kind: fixed
 description: "properties are now correctly set"
+ - kind: fixed
+ description: "add securitycontext to wait-for-db and change-password hook"
 artifacthub.io/containsSecurityUpdates: "false"
 artifacthub.io/images: |
 - name: sonarqube
diff --git a/charts/sonarqube/README.md b/charts/sonarqube/README.md
index 8375c3a5b..10e5c98f6 100644
--- a/charts/sonarqube/README.md
+++ b/charts/sonarqube/README.md
@@ -385,6 +385,7 @@ The following table lists the configurable parameters of the Sonarqube chart and
 | `account.resources.limits.memory` | Memory limit for Admin hook | `128Mi` |
 | `account.resources.limits.cpu` | CPU limit for Admin hook | `100m` |
 | `account.sonarWebContext` | SonarQube web context for Admin hook | `nil` |
+| `account.securityContext` | SecurityContext for change-password-hook | `{}` |
 | `curlContainerImage` | Curl container image | `curlimages/curl:latest` |
 | `adminJobAnnotations` | Custom annotations for admin hook Job | `{}` |
 | `terminationGracePeriodSeconds` | Configuration of `terminationGracePeriodSeconds` | `60` |
diff --git a/charts/sonarqube/templates/change-admin-password-hook.yml b/charts/sonarqube/templates/change-admin-password-hook.yml
index c96ac460c..8d9e5c24f 100644
--- a/charts/sonarqube/templates/change-admin-password-hook.yml
+++ b/charts/sonarqube/templates/change-admin-password-hook.yml
@@ -43,6 +43,10 @@ spec:
 containers:
 - name: {{ template "sonarqube.fullname" . }}-change-default-admin-password
 image: {{ default "curlimages/curl:latest" .Values.curlContainerImage }}
+ {{- if $securityContext := .Values.account.securityContext }}
+ securityContext:
+{{ toYaml $securityContext | indent 12 }}
+ {{- end }}
 command: ["sh", "-c", 'until curl -v --connect-timeout 100 {{ template "sonarqube.fullname" . }}:{{ default 9000 .Values.service.internalPort }}{{ default "/" .Values.account.sonarWebContext }}api/system/status | grep -w UP; do sleep 10; done; curl -v --connect-timeout 100 -u admin:{{ default "admin" .Values.account.currentAdminPassword }} -X POST "{{ template "sonarqube.fullname" . }}:{{ default 9000 .Values.service.internalPort }}{{ default "/" .Values.account.sonarWebContext }}api/users/change_password?login=admin&previousPassword={{ .Values.account.currentAdminPassword | default "admin" | urlquery }}&password={{ .Values.account.adminPassword | default "admin" | urlquery }}"']
 resources:
 {{ toYaml (default .Values.resources .Values.account.resources) | indent 10 }}
diff --git a/charts/sonarqube/templates/deployment.yaml b/charts/sonarqube/templates/deployment.yaml
index 6176df206..6b08d7d17 100644
--- a/charts/sonarqube/templates/deployment.yaml
+++ b/charts/sonarqube/templates/deployment.yaml
@@ -189,6 +189,10 @@ spec:
 - name: "wait-for-db"
 image: {{ default "busybox:1.32" .Values.initContainers.image }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if $securityContext := .Values.initContainers.securityContext }}
+ securityContext:
+{{ toYaml $securityContext | indent 12 }}
+ {{- end }}
 resources:
 {{ toYaml .Values.initContainers.resources | indent 12 }}
 command: ["/bin/sh", "-c", "for i in $(seq 1 200); do nc -z -w3 {{ .Release.Name}}-postgresql 5432 && exit 0 || sleep 2; done; exit 1"]
diff --git a/charts/sonarqube/templates/sonarqube-sts.yaml b/charts/sonarqube/templates/sonarqube-sts.yaml
index ac61d4aad..3f1c04131 100644
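Review bot: The added `{{ toYaml $securityContext | indent 12 }}` in change-admin-password-hook.yml indents the securityContext fields two columns deeper than the sibling `resources` block, which the same container renders with `indent 10`. The output is still valid YAML, because a nested mapping only has to be indented further than its key, but the rendered Job manifest reads inconsistently and the value looks lifted from deployment.yaml, where the init container sits one level deeper. `{{ toYaml $securityContext | indent 10 }}` would line up with the other container fields, assuming the collapsed hunk reflects the real indentation. The enclosing Job spec begins outside the hunk.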
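Review bot: The new `.Values.initContainers.securityContext` read by the wait-for-db init container in deployment.yaml (and identically in sonarqube-sts.yaml) is not documented anywhere in this diff: the README hunk and the commented values.yaml example only add `account.securityContext`. Unless the key already exists in values.yaml outside the visible hunks, a user has no indication that the init container's securityContext is configurable, and since the template only renders the block when the value is set, the busybox container keeps running with no container-level hardening by default. Suggest a README row for `initContainers.securityContext` with default `{}` and a matching commented `securityContext: {}` entry under `initContainers` in values.yaml, mirroring what this commit does for the admin hook. The init container definition and its command continue outside the hunk.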
--- a/charts/sonarqube/templates/sonarqube-sts.yaml
+++ b/charts/sonarqube/templates/sonarqube-sts.yaml
@@ -64,6 +64,10 @@ spec:
 - name: "wait-for-db"
 image: {{ default "busybox:1.32" .Values.initContainers.image }}
 imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if $securityContext := .Values.initContainers.securityContext }}
+ securityContext:
+{{ toYaml $securityContext | indent 12 }}
+ {{- end }}
 resources:
 {{ toYaml .Values.initContainers.resources | indent 12 }}
 command: ["/bin/sh", "-c", "for i in $(seq 1 200); do nc -z -w3 {{ .Release.Name}}-postgresql 5432 && exit 0 || sleep 2; done; exit 1"]
@@ -343,7 +347,7 @@ spec:
 # A Sonarqube container is considered ready if the status is UP, DB_MIGRATION_NEEDED or DB_MIGRATION_RUNNING
 # status about migration are added to prevent the node to be kill while sonarqube is upgrading the database.
 host="$(hostname -i || echo '127.0.0.1')"
- if wget -qO- http://${host}:{{ .Values.service.internalPort }}{{ .Values.readinessProbe.sonarWebContext }}api/system/status | grep -q -e '"status":"UP"' -e '"status":"DB_MIGRATION_NEEDED"' -e '"status":"DB_MIGRATION_RUNNING"'; then
+ if wget --proxy off -qO- http://${host}:{{ .Values.service.internalPort }}{{ .Values.readinessProbe.sonarWebContext }}api/system/status | grep -q -e '"status":"UP"' -e '"status":"DB_MIGRATION_NEEDED"' -e '"status":"DB_MIGRATION_RUNNING"'; then
 exit 0
 fi
 exit 1
diff --git a/charts/sonarqube/values.yaml b/charts/sonarqube/values.yaml
index 706c6c032..ba5c4c02a 100644
--- a/charts/sonarqube/values.yaml
+++ b/charts/sonarqube/values.yaml
@@ -488,6 +488,7 @@ extraConfig:
 # account:
 # adminPassword: admin
 # currentAdminPassword: admin
+# securityContext: {}
 # resources:
 # limits:
 # cpu: 100m
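Review bot: `wget --proxy off` in the sonarqube-sts.yaml readiness script depends on BusyBox wget, whose `--proxy` takes a separate `on`/`off` argument; GNU wget, as far as I know, expects `--proxy=off` or `--no-proxy` and would parse a bare `off` as an additional URL, so the probe would start failing if the SonarQube image ever moves off an Alpine/BusyBox base. The intent — keeping the loopback status check clear of any HTTP proxy configured on the pod — is also not recorded anywhere in the hunk and is not mentioned in the Chart.yaml changelog entry. A comment above the changed line, such as `# --proxy off (BusyBox wget syntax) keeps this loopback check independent of pod proxy settings`, would preserve both the reason and the portability caveat. The probe script begins and ends outside the hunk.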