diff --git a/charts/sonarqube/config b/charts/sonarqube/config
index 413bf1cad..2b46004bb 100644
--- a/charts/sonarqube/config
+++ b/charts/sonarqube/config
@@ -3,7 +3,7 @@ export USE_OPENSOURCE_CHART=false
 export REPO_URL=https://SonarSource.github.io/helm-chart-sonarqube
 export REPO_NAME=sonarqube
 export CHART_NAME=sonarqube
-export VERSION=10.2.0
+export VERSION=10.8.0
 # push to daocloud repo
 export DAOCLOUD_REPO_PROJECT=community
 export CUSTOM_SHELL=custom.sh
diff --git a/charts/sonarqube/sonarqube/Chart.yaml b/charts/sonarqube/sonarqube/Chart.yaml
index a0a32d72d..265ce8277 100644
--- a/charts/sonarqube/sonarqube/Chart.yaml
+++ b/charts/sonarqube/sonarqube/Chart.yaml
@@ -1,37 +1,60 @@ annotations: artifacthub.io/changes: | - kind: changed - description: "Upgrading SonarQube to 10.2.0" - - kind: deprecated - description: "livenessProbe.sonarWebContext is deprecated, please use sonarWebContext at the value top level" - - kind: deprecated - description: "readinessProbe.sonarWebContext is deprecated, please use sonarWebContext at the value top level" + description: "Upgrade SonarQube Server to 10.8.0" + - kind: changed + description: "Release SonarQube Community Build 24.12" + - kind: changed + description: "Update Chart's version to 10.8.0" + - kind: added + description: "Support the installation of the Oracle JDBC Driver" + - kind: changed + description: "Support Kubernetes v1.31" - kind: deprecated - description: "startupProbe.sonarWebContext is deprecated, please use sonarWebContext at the value top level" + description: "Deprecate the 'community' value for the 'edition' parameter" - kind: deprecated - description: "account.sonarWebContext is deprecated, please use sonarWebContext at the value top level" + description: "Deprecate the default value of 'image.tag' in favor of an empty string" + - kind: added + description: "Introduce the 'community.enabled' and 'community.buildNumber' parameters for SonarQube Community Build" + - kind: changed + description: "Update the Chart's icon with the SonarQube Server logo" + - kind: fixed + description: "Set 'app.kubernetes.io/name' and 'app.kubernetes.io/version' as selector labels" + - kind: added + description: "Support Gateway on different namespace in HTTPRoute" - kind: changed - description: "Update Chart's version to 10.2.0" - - kind: security - description: "Update cURL image to 8.2.0" - - kind: security - description: "Update ingress-nginx dependency to 4.7.1" + description: "Change 'ingress.ingressClassName' default, set it to 'nginx' if 'nginx.enabled' or 'ingress-nginx.enabled'" + - kind: changed + description: "Ensure that ConfigMap resources are not created for 'initFS' and 
'initSysctl' if not needed" + - kind: changed + description: "Ensure the Pod will stop at 'init' stage if init_sysctl.sh failed to modify kernel parameters" + - kind: changed + description: "Replace the example images in initContainers, initSysctl and initFs from 'busybox:1.36' to 'ubuntu:24.04', which are commented out by default" - kind: fixed - description: "Fixes broken table on README" + description: "Make the 'automountServiceAccountToken' configurable with 'serviceAccount.automountToken' in PodSpec" + - kind: deprecated + description: "Deprecate 'sonarqubeFolder', 'jdbcOverwrite.jdbcPassword' and 'terminationGracePeriodSeconds'" + - kind: deprecated + description: "Deprecate 'deploymentStrategy.type', which will be set to 'Recreate'" + - kind: deprecated + description: "Deprecate 'account', 'curlContainerImage', 'adminJobAnnotation'" + - kind: deprecated + description: "Deprecate the StatefulSet deployment type" artifacthub.io/containsSecurityUpdates: "false" artifacthub.io/images: | - name: sonarqube - image: sonarqube:10.2.0-community + image: sonarqube:24.12.0.100206-community artifacthub.io/links: | - name: support url: https://community.sonarsource.com/ - name: Chart Source url: https://github.com/SonarSource/helm-chart-sonarqube/tree/master/charts/sonarqube + charts.openshift.io/name: sonarqube apiVersion: v2 -appVersion: 10.2.0 +appVersion: 10.8.0 description: SonarQube is a self-managed, automatic code review tool that systematically helps you deliver clean code. As a core element of our Sonar solution, SonarQube integrates into your existing workflow and detects issues in your code to help you perform continuous code inspections of your projects. The tool analyses 30+ different programming languages and integrates into your CI pipeline and DevOps platform to ensure that your code meets high-quality standards. 
home: https://www.sonarqube.org/ -icon: https://raw.githubusercontent.com/SonarSource/sonarqube-static-resources/master/helm/SonarQubeLogo.svg +icon: https://raw.githubusercontent.com/SonarSource/sonarqube-static-resources/master/helm/SonarQubeServerLogo.png keywords: - coverage - security @@ -39,8 +62,6 @@ keywords: - quality kubeVersion: '>= 1.24.0-0' maintainers: - - email: leo.geoffroy+helm@sonarsource.com - name: leo-geoffroy-sonarsource - email: carmine.vassallo@sonarsource.com name: carminevassallo - email: jeremy.cotineau@sonarsource.com @@ -49,12 +70,12 @@ maintainers: name: davividal name: sonarqube sources: - - https://github.com/SonarSource/helm-chart-sonarqube + - https://github.com/SonarSource/helm-chart-sonarqube/tree/master/charts/sonarqube - https://github.com/SonarSource/docker-sonarqube - https://github.com/SonarSource/sonarqube type: application -version: 10.2.0+738 +version: 10.8.0 dependencies: - name: sonarqube - version: "10.2.0" + version: "10.8.0" repository: "https://SonarSource.github.io/helm-chart-sonarqube" diff --git a/charts/sonarqube/sonarqube/README.md b/charts/sonarqube/sonarqube/README.md index ec091acac..5bf42c860 100644 --- a/charts/sonarqube/sonarqube/README.md +++ b/charts/sonarqube/sonarqube/README.md @@ -1,6 +1,6 @@ # SonarQube -Code better in up to 27 languages. Improve Code Quality and Code Security throughout your workflow. [SonarQube](https://www.sonarqube.org/) can detect Bugs, Vulnerabilities, Security Hotspots and Code Smells and give you the guidance to fix them. +Code better in up to 27 languages. Improve Code Quality and Code Security throughout your workflow. [SonarQube](https://www.sonarsource.com/products/sonarqube/) can detect Bugs, Vulnerabilities, Security Hotspots and Code Smells and give you the guidance to fix them. ## Introduction 
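Review bot: No `Chart.lock` change is visible next to the `dependencies` bump to `version: "10.8.0"` in the last Chart.yaml hunk, so within this part of the diff the subchart fetched from `https://SonarSource.github.io/helm-chart-sonarqube` is identified by its version string alone. If the repository tracks a lock file, regenerate it with `helm dependency update` in the same commit so the recorded digest matches the archive that is repackaged and pushed; the remainder of the diff is outside this view, so that may already be the case. The jump from 10.2.0 to 10.8.0 also changes defaults listed in the `artifacthub.io/changes` annotation of the first hunk (for example `ingress.ingressClassName` and the `community.*` parameters), so a comment above the stanza such as `# subchart pinned to upstream 10.8.0; review artifacthub.io/changes before rollout` would give downstream users a pointer.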
@@ -8,15 +8,17 @@ This chart bootstraps an instance of the latest SonarQube version with a Postgre The latest version of the chart installs the latest SonarQube version. -To install the version of the chart for SonarQube 9.9 LTS, please read the section [below](#installing-the-sonarqube-99-lts-chart). Deciding between LTS and Latest? [This may help](https://www.sonarsource.com/products/sonarqube/downloads/lts/) +To install the version of the chart for SonarQube 9.9 LTA, please read the section [below](#installing-the-sonarqube-99-lta-chart). Deciding between LTA and Latest? [This may help](https://www.sonarsource.com/products/sonarqube/downloads/lts/) Please note that this chart only supports SonarQube Community, Developer, and Enterprise editions. ## Compatibility -Compatible SonarQube Version: `10.2.0` +Compatible SonarQube Server Version: `10.8.0` +Compatible SonarQube Community Build: `24.12.0.100206` -Supported Kubernetes Versions: From `1.24` to `1.27` +Supported Kubernetes Versions: From `1.24` to `1.31` +Supported Openshift Versions: From `4.11` to `4.16` ## Installing the chart 
@@ -29,26 +31,37 @@ kubectl create namespace sonarqube helm upgrade --install -n sonarqube sonarqube sonarqube/sonarqube ``` -The above command deploys SonarQube on the Kubernetes cluster in the default configuration in the sonarqube namespace. The [configuration](#configuration) section lists the parameters that can be configured during installation. +The above command deploys SonarQube on the Kubernetes cluster in the default configuration in the sonarqube namespace. +If you are interested in deploying SonarQube on Openshift, please check the [dedicated section](#openshift). + +The [configuration](#configuration) section lists the parameters that can be configured during installation. The default login is admin/admin. -## Installing the SonarQube 9.9 LTS chart +## Installing the SonarQube Community Build chart + +The SonarQube Community Edition has been replaced by the SonarQube Community Build. +If you want to install the SonarQube Community Build chart, please set `community.enabled` to `true`. +The `community.buildNumber` parameter will be set to the latest Community Build. +The `community` value is deprecated and won't be supported for `edition` anymore. + +## Installing the SonarQube 9.9 LTA chart -The version of the chart for the SonarQube 9.9 LTS is being distributed as the `8.x.x` version of this chart. +The version of the chart for the SonarQube 9.9 LTA is being distributed as the `8.x.x` version of this chart. In order to use it, please set the version constraint `~8`, which is equivalent to `>=8.0.0 && <= 9.0.0`. That version parameter **must** be used in every helm related command including `install`, `upgrade`, `template`, and `diff` (don't treat this as an exhaustive list). 
Example: -``` -helm upgrade --install -n sonarqube --version ~8 sonarqube sonarqube/sonarqube + +```Bash +helm upgrade --install -n sonarqube --version '~8' sonarqube sonarqube/sonarqube ``` To upgrade from the old and unmaintained [sonarqube-lts chart](https://artifacthub.io/packages/helm/sonarqube/sonarqube-lts), please follow the steps described [in this section](#upgrade-from-the-old-sonarqube-lts-to-this-chart). ## How to use it -Take some time to read the Deploy on [SonarQube on Kubernetes](https://docs.sonarqube.org/latest/setup/sonarqube-on-kubernetes/) page. +Take some time to read the Deploy on [SonarQube on Kubernetes](https://docs.sonarsource.com/sonarqube/latest/setup-and-upgrade/deploy-on-kubernetes/server/introduction/) page. SonarQube deployment on Kubernetes has been tested with the recommendations and constraints documented there, and deployment has some limitations. ## Uninstalling the chart 
@@ -64,15 +77,38 @@ $ helm delete kindly-newt ## Prerequisites and suggested settings for production -Please read the official documentation prerequisites [here](https://docs.sonarqube.org/latest/requirements/prerequisites-and-overview/). +Please read the official documentation prerequisites [here](https://docs.sonarsource.com/sonarqube/latest/requirements/prerequisites-and-overview/). ### Kubernetes - Pod Security Standards -The following [Pod Security levels](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-levels) cannot be used in combination with SonarQube's chart: +Here is the list of containers that are compatible with the [Pod Security levels](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-levels): -* Baseline. The `init-sysctl` container requires `securityContext.privileged=true`. -* Restricted. In addition to the previous requirement, - * The `sonarqube-postgresql`, `wait-for-db`, `init-sysctl`, and `sonarqube` containers require `securityContext.allowPrivilegeEscalation=true`, unrestricted capabilities, running as `root`, and a `seccompProfile` different from `RuntimeDefault` or `localhost`. +* privileged: + * `init-sysctl` +* baseline: + * `init-fs` +* restricted: + * SQ application containers + * SQ init containers. + * postgresql containers. + +This is achieved by setting this SecurityContext as default on **most** containers: + +```yaml +allowPrivilegeEscalation: false +runAsNonRoot: true +runAsUser: 1000 +runAsGroup: 0 +seccompProfile: + type: RuntimeDefault +capabilities: + drop: ["ALL"] +readOnlyRootFilesystem: true +``` + +Based on that, one can run the SQ helm chart in a full restricted namespace, by deactivating the `initSysctl.enabled` and `initFs.enabled` parameters, which require root access. + +Please take a look at [production-use-case](#production-use-case) for more information or directly at the values.yaml file. ### Elasticsearch prerequisites 
@@ -84,8 +120,8 @@ Because of such constraints, even when running in Docker containers, SonarQube r Please carefully read the following and make sure these configurations are set up at the host level: -- [vm.max_map_count](https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html#vm-max-map-count) -- [seccomp filter should be available](https://github.com/SonarSource/docker-sonarqube/issues/614) +* [vm.max_map_count](https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html#vm-max-map-count) +* [seccomp filter should be available](https://github.com/SonarSource/docker-sonarqube/issues/614) In general, please carefully read the Elasticsearch's [documentation](https://www.elastic.co/guide/en/elasticsearch/reference/current/system-config.html). 
@@ -95,24 +131,46 @@ The SonarQube helm chart is packed with multiple features enabling users to inst Nonetheless, if you intend to run a production-grade SonarQube please follow these recommendations. -- Set `nginx.enabled` to **false**. This parameter would run the nginx chart. This is useful for testing purposes only. Ingress controllers are critical Kubernetes components, we advise users to install their own. -- Set `postgresql.enabled` to **false**. This parameter would run the postgresql pre-2022 bitnami chart. That is useful for testing purposes, however, given that the database is at the hearth of SonarQube, we advise users to be careful with it and use a well-maintained database as a service or deploy their own database on top of Kubernetes. -- Set `initSysctl.enabled` to **false**. This parameter would run **root** `sysctl` commands, while those sysctl-related values should be set by the Kubernetes administrator at the node level (see [here](#elasticsearch-prerequisites)) -- Set `initFs.enabled` to **false**. This parameter would run **root** `chown` commands. The parameter exists to fix non-posix, CSI, or deprecated drivers. +* Set `ingress-nginx.enabled` to **false**. This parameter would run the nginx chart. This is useful for testing purposes only. Ingress controllers are critical Kubernetes components, we advise users to install their own. +* Set `postgresql.enabled` to **false**. This parameter would run the postgresql pre-2022 bitnami chart. That is useful for testing purposes, however, given that the database is at the hearth of SonarQube, we advise users to be careful with it and use a well-maintained database as a service or deploy their own database on top of Kubernetes. +* Set `initSysctl.enabled` to **false**. This parameter would run **root** `sysctl` commands, while those sysctl-related values should be set by the Kubernetes administrator at the node level (see [here](#elasticsearch-prerequisites)) +* Set `initFs.enabled` to **false**. 
This parameter would run **root** `chown` commands. The parameter exists to fix non-posix, CSI, or deprecated drivers. + +#### Cpu and memory settings + +Monitoring cpu and memory is an important part of software reliability. The SonarQube helm chart comes with default values for cpu and memory requests and limits. Those memory values are matching the default SonarQube JVM Xmx and Xms values. + +Xmx defines the maximum size of the JVM heap, this is **not** the maximum memory the JVM can allocate. + +For this reason, it is recommended to set Xmx to the ~80% of the total amount of memory available on the machine (in Kubernetes, this corresponds to requests and limits). + +Please find here the default SonarQube Xmx parameters to setup the memory requests and limits accordingly. + +| Edition | Sum of Xmx | +| ------------------ | ---------- | +| community edition | 1536M | +| developer edition | 1536M | +| enterprise edition | 5G | + +The default request and limit for this chart are set to 2048M and 6144M, to comply with the 3 editions and the 80% rule mentioned above. + +Please feel free to adjust those values to your needs. However, given that memory is a “non-compressible” resource, we advise you to set the memory requests and limits to the **same**, making memory a guaranteed resource. This is needed especially for production use cases. + +To get some guidance when setting the Xmx and Xms values, please refer to this [documentation](https://docs.sonarsource.com/sonarqube/latest/setup-and-upgrade/configure-and-operate-a-server/environment-variables/) and set the environment variables or sonar.properties accordingly. ## Upgrade -1. Read through the [SonarQube Upgrade Guide](https://docs.sonarqube.org/latest/setup/upgrading/) to familiarize yourself with the general upgrade process (most importantly, back up your database) +1. 
Read through the [SonarQube Upgrade Guide](https://docs.sonarsource.com/sonarqube/latest/setup-and-upgrade/upgrade-the-server/roadmap/) to familiarize yourself with the general upgrade process (most importantly, back up your database) 2. Change the SonarQube version on `values.yaml` 3. Redeploy SonarQube with the same helm chart (see [Install instructions](#installing-the-chart)) -4. Browse to http://yourSonarQubeServerURL/setup and follow the setup instructions +4. Browse to and follow the setup instructions 5. Reanalyze your projects to get fresh data ### Upgrade from the old sonarqube-lts to this chart -Please refer to the Helm upgrade section accessible [here](https://docs.sonarqube.org/latest/setup-and-upgrade/upgrade-the-server/upgrade-guide/) +Please refer to the Helm upgrade section accessible [here](https://docs.sonarsource.com/sonarqube/latest/setup-and-upgrade/upgrade-the-server/upgrade/#upgrade-from-89x-lts-to-99x-lts). -## Ingress +## Ingress usage ### Path @@ -138,7 +196,7 @@ ingress: ## Monitoring -This Helm chart offers the possibility to monitor SonarQube with Prometheus. +This Helm chart offers the possibility to monitor SonarQube with Prometheus. You can find [Information on SonarQube monitoring on Kubernetes](https://docs.sonarsource.com/sonarqube/latest/setup-and-upgrade/deploy-on-kubernetes/set-up-monitoring/introduction/) in the SonarQube documentation. ### Export JMX metrics 
@@ -150,312 +208,383 @@ Per default the JMX metrics for the Web Bean and the CE Bean are exposed on port If a Prometheus Operator is deployed in your cluster, you can enable a PodMonitor resource with `prometheusMonitoring.podMonitor.enabled`. It scrapes the Prometheus endpoint `/api/monitoring/metrics` exposed by the SonarQube application. +If running on OpenShift, make sure your account has permissions to create PodMonitor resources under the monitoring.coreos.com/v1 apiVersion. + +## OpenShift installation + +The chart can be installed on OpenShift by setting `OpenShift.enabled=true`. Among the others, please note that this value will disable the initContainer that performs the settings required by Elasticsearch (see [here](#elasticsearch-prerequisites)). Furthermore, we strongly recommend following the [Production Use Case guidelines](#production-use-case). + +Please note that `Openshift.createSCC` is deprecated and should be set to `false`. The default securityContext, together with the production configurations described [above](#production-use-case), is compatible with restricted SCCv2. + +The below command will deploy SonarQube on the Openshift Kubernetes cluster. Please note this will use the embedded postgresql database and is not recommended for production. + +```bash +helm repo add sonarqube https://SonarSource.github.io/helm-chart-sonarqube +helm repo update +kubectl create namespace sonarqube # If you dont have permissions to create the namespace, skip this step and replace all -n with an existing namespace name. +helm upgrade --install -n sonarqube sonarqube sonarqube/sonarqube \ + --set OpenShift.enabled=true \ + --set postgresql.securityContext.enabled=false \ + --set postgresql.containerSecurityContext.enabled=false +``` + +If you want to make your application publicly visible with Routes, you can set `OpenShift.route.enabled` to true. Please check the [configuration details](#openshift-1) to customize the Route base on your needs. 
+ +## License + +SonarQube Community Build is released under the [GNU Lesser General Public License, Version 3.0⁠,](http://www.gnu.org/licenses/lgpl.txt) and packaged with [SSALv1](https://www.sonarsource.com/license/ssal/) analyzers. SonarQube Server Developer and Enterprise are licensed under [SonarQube Server Terms and Conditions](https://www.sonarsource.com/legal/sonarqube/terms-and-conditions/). + ## Configuration The following table lists the configurable parameters of the SonarQube chart and their default values. ### Global -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `deploymentType` | Deployment Type (supported values are `StatefulSet` or `Deployment`) | `StatefulSet` | -| `replicaCount` | Number of replicas deployed (supported values are 0 and 1) | `1` | -| `deploymentStrategy` | Deployment strategy | `{}` | -| `priorityClassName` | Schedule pods on priority (e.g. `high-priority`) | `None` | -| `schedulerName` | Kubernetes scheduler name | `None` | -| `affinity` | Node / Pod affinities | `{}` | -| `tolerations` | List of node taints to tolerate | `[]` | -| `nodeSelector` | Node labels for pod assignment | `{}` | -| `hostAliases` | Aliases for IPs in /etc/hosts | `[]` | -| `podLabels` | Map of labels to add to the pods | `{}` | -| `env` | Environment variables to attach to the pods | `{}`| -| `annotations` | SonarQube Pod annotations | `{}` | -| `edition` | SonarQube Edition to use (e.g. `community`, `developer` or `enterprise`) | `community` | -| `sonarWebContext` | SonarQube web context, also serve as default value for `ingress.path`, `account.sonarWebContext` and probes path. 
| `` | +| Parameter | Description | Default | +| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------- | ------------------ | +| `deploymentType` | (DEPRECATED) Deployment Type (supported values are `StatefulSet` or `Deployment`) | `StatefulSet` | +| `replicaCount` | Number of replicas deployed (supported values are 0 and 1) | `1` | +| `deploymentStrategy` | Deployment strategy. Setting the strategy type is deprecated and it will be hardcoded to `Recreate` | `{type: Recreate}` | +| `priorityClassName` | Schedule pods on priority (e.g. `high-priority`) | `None` | +| `schedulerName` | Kubernetes scheduler name | `None` | +| `affinity` | Node / Pod affinities | `{}` | +| `tolerations` | List of node taints to tolerate | `[]` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `hostAliases` | Aliases for IPs in /etc/hosts | `[]` | +| `podLabels` | Map of labels to add to the pods | `{}` | +| `env` | Environment variables to attach to the pods | `{}` | +| `annotations` | SonarQube Pod annotations | `{}` | +| `edition` | SonarQube Edition to use (e.g. `community`, `developer` or `enterprise`). Please note that the default `community` value is deprecated. | `community` | +| `community.enabled` | Install SonarQube Community Build. When set to `true`, this parameter replaces `edition=community` | `true` | +| `community.buildNumber` | The SonarQube Community Build number to install | `24.12.0.100206` | +| `sonarWebContext` | SonarQube web context, also serve as default value for `ingress.path`, `account.sonarWebContext` and probes path. 
| `` | +| `httpProxySecret` | Should contain `http_proxy`, `https_proxy` and `no_proxy` keys, will superseed every other proxy variables | `` | +| `httpProxy` | HTTP proxy for downloading JMX agent and install plugins, will superseed initContainer specific http proxy variables | `` | +| `httpsProxy` | HTTPS proxy for downloading JMX agent and install plugins, will superseed initContainer specific https proxy variable | `` | +| `noProxy` | No proxy for downloading JMX agent and install plugins, will superseed initContainer specific no proxy variables | `` | +| `ingress-nginx.enabled` | Install Nginx Ingress Helm | `false` | ### NetworkPolicies -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `networkPolicy.enabled` | Create NetworkPolicies | `false` | -| `networkPolicy.prometheusNamespace` | Allow incoming traffic to monitoring ports from this namespace | `nil` | -| `networkPolicy.additionalNetworkPolicys` | User defined NetworkPolicies (usefull for external database) | `nil` | +| Parameter | Description | Default | +| ----------------------------------------- | ------------------------------------------------------------------------- | ------- | +| `networkPolicy.enabled` | Create NetworkPolicies | `false` | +| `networkPolicy.prometheusNamespace` | Allow incoming traffic to monitoring ports from this namespace | `nil` | +| `networkPolicy.additionalNetworkPolicys` | (DEPRECATED) Please use `networkPolicy.additionalNetworkPolicies` instead | `nil` | +| `networkPolicy.additionalNetworkPolicies` | User defined NetworkPolicies (useful for external database) | `nil` | ### OpenShift -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `OpenShift.enabled` | Define if this deployment is for OpenShift | `false` | -| `OpenShift.createSCC` | If this deployment is for OpenShift, define if SCC should be created for sonarqube pod | `true` | +| Parameter | Description | Default | +| -------------------------------- | 
--------------------------------------------------------------------------------------------------- | -------------------------- | +| `OpenShift.enabled` | Define if this deployment is for OpenShift | `false` | +| `OpenShift.createSCC` | (DEPRECATED) If this deployment is for OpenShift, define if SCC should be created for sonarqube pod | `false` | +| `OpenShift.route.enabled` | Flag to enable OpenShift Route | `false` | +| `OpenShift.route.host` | Host that points to the service | `"sonarqube.your-org.com"` | +| `OpenShift.route.path` | Path that the router watches for, to route traffic for to the service | `"/"` | +| `OpenShift.route.tls` | TLS settings including termination type, certificates, insecure traffic, etc. | see `values.yaml` | +| `OpenShift.route.wildcardPolicy` | The wildcard policy that is allowed where this route is exposed | `None` | +| `OpenShift.route.annotations` | Optional field to add extra annotations to the route | `None` | +| `OpenShift.route.labels` | Route additional labels | `{}` | ### Image -| Parameter | Description | Default | -| --------- | ----------- |--------------------------------| -| `image.repository` | image repository | `sonarqube` | -| `image.tag` | `sonarqube` image tag. | `10.2.0-{{ .Values.edition }}` | -| `image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `image.pullSecret` | (DEPRECATED) imagePullSecret to use for private repository | `None` | -| `image.pullSecrets` | imagePullSecrets to use for private repository | `None` | +| Parameter | Description | Default | +| ------------------- | ------------------------------------------------------------------------------------------------- | ------------------------------ | +| `image.repository` | image repository | `sonarqube` | +| `image.tag` | `sonarqube` image tag. Please note that the default `10.8.0-{{ .Values.edition }}` is deprecated. 
| `10.8.0-{{ .Values.edition }}` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.pullSecret` | (DEPRECATED) imagePullSecret to use for private repository | `None` | +| `image.pullSecrets` | imagePullSecrets to use for private repository | `None` | ### Security -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `securityContext.fsGroup` | Group applied to mounted directories/files | `1000` | -| `containerSecurityContext.runAsUser` | User to run containers in sonarqube pod as, unless overwritten (such as for init-sysctl container) | `1000` | +| Parameter | Description | Default | +| -------------------------- | ---------------------------------------------- | ---------------------------------------------------------------------- | +| `securityContext` | SecurityContext for the pod | [Restricted podSecurityStandard](#kubernetes---pod-security-standards) | +| `containerSecurityContext` | SecurityContext for container in sonarqube pod | [Restricted podSecurityStandard](#kubernetes---pod-security-standards) | ### Elasticsearch -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `elasticsearch.configureNode` | [DEPRECATED] Use initSysctl.enabled instead. | `true` | -| `elasticsearch.bootstrapChecks` | Enables/disables Elasticsearch bootstrap checks | `true` | +| Parameter | Description | Default | +| ------------------------------- | ----------------------------------------------- | ------- | +| `elasticsearch.configureNode` | [DEPRECATED] Use initSysctl.enabled instead. 
| `false` | +| `elasticsearch.bootstrapChecks` | Enables/disables Elasticsearch bootstrap checks | `true` | ### Service -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `service.type` | Kubernetes service type | `ClusterIP` | -| `service.externalPort` | Kubernetes service port | `9000` | -| `service.internalPort` | Kubernetes container port | `9000` | -| `service.labels` | Kubernetes service labels | `None` | -| `service.annotations` | Kubernetes service annotations | `None` | -| `service.loadBalancerSourceRanges` | Kubernetes service LB Allowed inbound IP addresses | `None` | -| `service.loadBalancerIP` | Kubernetes service LB Optional fixed external IP | `None` | +| Parameter | Description | Default | +| ---------------------------------- | -------------------------------------------------- | ----------- | +| `service.type` | Kubernetes service type | `ClusterIP` | +| `service.externalPort` | Kubernetes service port | `9000` | +| `service.internalPort` | Kubernetes container port | `9000` | +| `service.labels` | Kubernetes service labels | `None` | +| `service.annotations` | Kubernetes service annotations | `None` | +| `service.loadBalancerSourceRanges` | Kubernetes service LB Allowed inbound IP addresses | `None` | +| `service.loadBalancerIP` | Kubernetes service LB Optional fixed external IP | `None` | ### Ingress -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `nginx.enabled` | Also install Nginx Ingress Helm | `false` | -| `ingress.enabled` | Flag to enable Ingress | `false` | -| `ingress.labels` | Ingress additional labels | `{}` | -| `ingress.hosts[0].name` | Hostname to your SonarQube installation | `sonarqube.your-org.com` | -| `ingress.hosts[0].path` | Path within the URL structure | `/` | -| `ingress.hosts[0].serviceName` | Optional field to override the default serviceName of a path | `None` | -| `ingress.hosts[0].servicePort` | Optional field to override the default servicePort of a path 
| `None` | -| `ingress.tls` | Ingress secrets for TLS certificates | `[]` | -| `ingress.ingressClassName` | Optional field to configure ingress class name | `None` | -| `ingress.annotations` | Field to add extra annotations to the ingress | {`nginx.ingress.kubernetes.io/proxy-body-size=64m`} | -| `ingress.annotations.nginx.ingress.kubernetes.io/proxy-body-size` | Field to set the maximum allowed size of the client request body | `64m` | - -### Route - -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `route.enabled` | Flag to enable OpenShift Route | `false` | -| `route.host` | Host of the route | `""` | -| `route.tls.termination` | TLS termination type. Currently supported values are `edge` and `passthrough` | `edge` | -| `route.annotations` | Optional field to add extra annotations to the route | `None` | -| `route.labels` | Route additional labels | `{}` | +| Parameter | Description | Default | +| ------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------ | +| `nginx.enabled` | (DEPRECATED) please use `ingress-nginx.enabled` | `false` | +| `ingress.labels` | Ingress additional labels | `{}` | +| `ingress.hosts[0].name` | Hostname to your SonarQube installation | `sonarqube.your-org.com` | +| `ingress.hosts[0].path` | Path within the URL structure | `/` | +| `ingress.hosts[0].serviceName` | Optional field to override the default serviceName of a path | `None` | +| `ingress.hosts[0].servicePort` | Optional field to override the default servicePort of a path | `None` | +| `ingress.tls` | Ingress secrets for TLS certificates | `[]` | +| `ingress.ingressClassName` | Optional field to configure ingress class name | `None` OR `nginx` if `nginx.enabled` or `ingress-nginx.enabled` | +| `ingress.annotations` | Field to add extra annotations to the ingress | 
{`nginx.ingress.kubernetes.io/proxy-body-size: "64m"`} if `ingress-nginx.enabled=true or nginx.enabled=true` |
+
+### HttpRoute
+
+| Parameter | Description | Default |
+| ---------------------------- | ------------------------------------------------------------------------------------------------------------- | ------- |
+| `httproute.enabled` | Flag to enable GatewayAPI HttpRoute | `False` |
+| `httproute.gateway` | Name of the gateway | `None` |
+| `httproute.gatewayNamespace` | (Optional) Name of the gateway namespace when located in a different namespace | `None` |
+| `httproute.hostnames` | List of hostnames to match the HttpRoute against | `None` |
+| `httproute.labels` | (Optional) List of extra labels to add to the HttpRoute | `None` |
+| `httproute.rules` | (Optional) Extra Rules block of the HttpRoute. A default one is created with SonarWebContext and service port | `None` |
 ### Probes
-| Parameter | Description | Default |
-| --------- | ----------- | ------- |
-| `readinessProbe.initialDelaySeconds` | ReadinessProbe initial delay for SonarQube checking | `60` |
-| `readinessProbe.periodSeconds` | ReadinessProbe period between checking SonarQube | `30` |
-| `readinessProbe.failureThreshold` | ReadinessProbe threshold for marking as failed | `6` |
-| `readinessProbe.timeoutSeconds`| ReadinessProbe timeout delay | `1` |
-| `readinessProbe.sonarWebContext` | (DEPRECATED) SonarQube web context for readinessProbe, please use sonarWebContext at the value top level instead | `/` |
-| `livenessProbe.initialDelaySeconds` | LivenessProbe initial delay for SonarQube checking | `60` |
-| `livenessProbe.periodSeconds` | LivenessProbe period between checking SonarQube | `30` |
-| `livenessProbe.sonarWebContext` | (DEPRECATED) SonarQube web context for LivenessProbe, please use sonarWebContext at the value top level instead | `/` |
-| `livenessProbe.failureThreshold` | LivenessProbe threshold for marking as dead | `6` |
-| `livenessProbe.timeoutSeconds`|
LivenessProbe timeout delay | `1` |
-| `startupProbe.initialDelaySeconds` | StartupProbe initial delay for SonarQube checking | `30` |
-| `startupProbe.periodSeconds` | StartupProbe period between checking SonarQube | `10` |
-| `startupProbe.sonarWebContext` | (DEPRECATED) SonarQube web context for StartupProbe, please use sonarWebContext at the value top level instead | `/` |
-| `startupProbe.failureThreshold` | StartupProbe threshold for marking as failed | `24` |
-| `startupProbe.timeoutSeconds`| StartupProbe timeout delay | `1` |
+| Parameter | Description | Default |
+| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------- |
+| `readinessProbe` | ReadinessProbe for SonarQube | `exec; curl api/system/status` see `values.yaml` for details |
+| `readinessProbe.initialDelaySeconds` | ReadinessProbe initial delay for SonarQube checking | `60` |
+| `readinessProbe.periodSeconds` | ReadinessProbe period between checking SonarQube | `30` |
+| `readinessProbe.failureThreshold` | ReadinessProbe threshold for marking as failed | `6` |
+| `readinessProbe.timeoutSeconds` | ReadinessProbe timeout delay | `1` |
+| `readinessProbe.sonarWebContext` | (DEPRECATED) SonarQube web context for readinessProbe, please use sonarWebContext at the value top level instead | `/` |
+| `livenessProbe` | LivenessProbe for SonarQube | `exec: curl api/system/liveness` see `values.yaml` for details |
+| `livenessProbe.initialDelaySeconds` | LivenessProbe initial delay for SonarQube checking | `60` |
+| `livenessProbe.periodSeconds` | LivenessProbe period between checking SonarQube | `30` |
+| `livenessProbe.failureThreshold` | LivenessProbe threshold for marking as failed | `6` |
+| `livenessProbe.timeoutSeconds` | LivenessProbe timeout delay | `1` |
+| `livenessProbe.sonarWebContext` | (DEPRECATED) SonarQube web context for
LivenessProbe, please use sonarWebContext at the value top level instead | `/` |
+| `startupProbe` | StartupProbe for SonarQube | `httpGet: api/system/status` |
+| `startupProbe.initialDelaySeconds` | StartupProbe initial delay for SonarQube checking | `30` |
+| `startupProbe.periodSeconds` | StartupProbe period between checking SonarQube | `10` |
+| `startupProbe.failureThreshold` | StartupProbe threshold for marking as failed | `24` |
+| `startupProbe.timeoutSeconds` | StartupProbe timeout delay | `1` |
+| `startupProbe.sonarWebContext` | (DEPRECATED) SonarQube web context for StartupProbe, please use sonarWebContext at the value top level instead | `/` |
 ### InitContainers
-| Parameter | Description | Default |
-| --------- | ----------- | ------- |
-| `initContainers.image` | Change init container image | `busybox:1.32` |
-| `initContainers.securityContext` | SecurityContext for init containers | `None` |
-| `initContainers.resources` | Resources for init containers | `{}` |
-| `extraInitContainers` | Extra init containers to e.g.
download required artifacts | `{}` |
-| `caCerts.enabled` | Flag for enabling additional CA certificates | `false` |
-| `caCerts.image` | Change init CA certificates container image | `adoptopenjdk/openjdk11:alpine` |
-| `caCerts.secret` | Name of the secret containing additional CA certificates | `None` |
-| `initSysctl.enabled` | Modify k8s worker to conform to system requirements | `true` |
-| `initSysctl.vmMaxMapCount` | Set init sysctl container vm.max_map_count | `524288` |
-| `initSysctl.fsFileMax` | Set init sysctl container fs.file-max | `131072` |
-| `initSysctl.nofile` | Set init sysctl container open file descriptors limit | `131072` |
-| `initSysctl.nproc` | Set init sysctl container open threads limit | `8192 ` |
-| `initSysctl.image` | Change init sysctl container image | `busybox:1.32` |
-| `initSysctl.securityContext` | InitSysctl container security context | `{privileged: true}` |
-| `initSysctl.resources` | InitSysctl container resource requests & limits | `{}` |
-| `initFs.enabled` | Enable file permission change with init container | `true` |
-| `initFs.image` | InitFS container image | `busybox:1.32` |
-| `initFs.securityContext.privileged` | InitFS container needs to run privileged | `true` |
+| Parameter | Description | Default |
+| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
+| `initContainers.image` | Change init container image | `"image.repository":"image.tag"` |
+| `initContainers.securityContext` | SecurityContext for init containers | [Restricted podSecurityStandard](#kubernetes---pod-security-standards) |
+| `initContainers.resources` | Resources for init containers | `{}` |
+| `extraInitContainers` | Extra init containers to e.g.
download required artifacts | `{}` |
+| `caCerts.enabled` | Flag for enabling additional CA certificates | `false` |
+| `caCerts.image` | Change init CA certificates container image | `"image.repository":"image.tag"` |
+| `caCerts.secret` | Name of the secret containing additional CA certificates. If defined, only secrets are going to be used. | `None` |
+| `caCerts.configMap.name` | Name of the ConfigMap containing additional CA certificate. Ensure that `caCerts.secret` is not set if you want to use a `ConfigMap`. | `None` |
+| `caCerts.configMap.key` | Name of the key containing the additional CA certificate | `None` |
+| `caCerts.configMap.path` | Filename that should be used for the given CA certificate | `None` |
+| `initSysctl.enabled` | Modify k8s worker to conform to system requirements | `true` |
+| `initSysctl.vmMaxMapCount` | Set init sysctl container vm.max_map_count | `524288` |
+| `initSysctl.fsFileMax` | Set init sysctl container fs.file-max | `131072` |
+| `initSysctl.nofile` | Set init sysctl container open file descriptors limit | `131072` |
+| `initSysctl.nproc` | Set init sysctl container open threads limit | `8192` |
+| `initSysctl.image` | Change init sysctl container image | `"image.repository":"image.tag"` |
+| `initSysctl.securityContext` | InitSysctl container security context | `{privileged: true}` |
+| `initSysctl.resources` | InitSysctl container resource requests & limits | `{}` |
+| `initFs.enabled` | Enable file permission change with init container | `true` |
+| `initFs.image` | InitFS container image | `"image.repository":"image.tag"` |
+| `initFs.securityContext.privileged` | InitFS container needs to run privileged | `true` |
 ### Monitoring (Prometheus Exporter)
-| Parameter | Description | Default |
-| --------- | ----------- | ------- |
-| `prometheusExporter.enabled` | Use the Prometheus JMX exporter | `false` |
-| `prometheusExporter.version` | jmx_prometheus_javaagent version to download from Maven Central | `0.17.2` |
-|
`prometheusExporter.noCheckCertificate` | Flag to not check server's certificate when downloading jmx_prometheus_javaagent | `false` |
-| `prometheusExporter.webBeanPort` | Port where the jmx_prometheus_javaagent exposes the metrics for the webBean | `8000` |
-| `prometheusExporter.ceBeanPort` | Port where the jmx_prometheus_javaagent exposes the metrics for the ceBean | `8001` |
-| `prometheusExporter.downloadURL` | Alternative full download URL for the jmx_prometheus_javaagent.jar (overrides `prometheusExporter.version`) | `""` |
-| `prometheusExporter.config` | Prometheus JMX exporter config yaml for the web process, and the CE process if `prometheusExporter.ceConfig` is not set | see `values.yaml` |
-| `prometheusExporter.ceConfig` | Prometheus JMX exporter config yaml for the CE process (by default, `prometheusExporter.config` is used) | `None` |
-| `prometheusExporter.httpProxy` | HTTP proxy for downloading JMX agent | `""` |
-| `prometheusExporter.httpsProxy` | HTTPS proxy for downloading JMX agent | `""` |
-| `prometheusExporter.noProxy` | No proxy for downloading JMX agent | `""` |
-| `prometheusExporter.securityContext` | Security context for downloading the jmx agent | see `values.yaml` |
+| Parameter | Description | Default |
+| --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
+| `prometheusExporter.enabled` | Use the Prometheus JMX exporter | `false` |
+| `prometheusExporter.version` | jmx_prometheus_javaagent version to download from Maven Central | `0.17.2` |
+| `prometheusExporter.noCheckCertificate` | Flag to not check server's certificate when downloading jmx_prometheus_javaagent | `false` |
+| `prometheusExporter.webBeanPort` | Port where the jmx_prometheus_javaagent exposes the metrics for the webBean | `8000` |
+| `prometheusExporter.ceBeanPort` | Port where
the jmx_prometheus_javaagent exposes the metrics for the ceBean | `8001` |
+| `prometheusExporter.downloadURL` | Alternative full download URL for the jmx_prometheus_javaagent.jar (overrides `prometheusExporter.version`) | `""` |
+| `prometheusExporter.config` | Prometheus JMX exporter config yaml for the web process, and the CE process if `prometheusExporter.ceConfig` is not set | see `values.yaml` |
+| `prometheusExporter.ceConfig` | Prometheus JMX exporter config yaml for the CE process (by default, `prometheusExporter.config` is used) | `None` |
+| `prometheusExporter.httpProxy` | HTTP proxy for downloading JMX agent | `""` |
+| `prometheusExporter.httpsProxy` | HTTPS proxy for downloading JMX agent | `""` |
+| `prometheusExporter.noProxy` | No proxy for downloading JMX agent | `""` |
+| `prometheusExporter.securityContext` | Security context for downloading the jmx agent | [Restricted podSecurityStandard](#kubernetes---pod-security-standards) |
 ### Monitoring (Prometheus PodMonitor)
-| Parameter | Description | Default |
-| --------- | ----------- | ------- |
-| `prometheusMonitoring.podMonitor.enabled` | Enable Prometheus PodMonitor | `false` |
-| `prometheusMonitoring.podMonitor.namespace` | Specify a custom namespace where the PodMonitor will be created | `default` |
-| `prometheusMonitoring.podMonitor.interval` | Specify the interval how often metrics should be scraped | `30s` |
-| `prometheusMonitoring.podMonitor.scrapeTimeout` | Specify the timeout after a scrape is ended | `None` |
-| `prometheusMonitoring.podMonitor.jobLabel` | Name of the label on target services that prometheus uses as job name | `None` |
-
+| Parameter | Description | Default |
+| ----------------------------------------------- | ----------------------------------------------------------------------------------------------------------- | -------------------------- |
+| `prometheusMonitoring.podMonitor.enabled` | Enable Prometheus PodMonitor | `false` |
+|
`prometheusMonitoring.podMonitor.namespace` | (DEPRECATED) This value should not be set, as the PodMonitor's namespace has to match the Release Namespace | `{{ .Release.Namespace }}` |
+| `prometheusMonitoring.podMonitor.interval` | Specify the interval how often metrics should be scraped | `30s` |
+| `prometheusMonitoring.podMonitor.scrapeTimeout` | Specify the timeout after a scrape is ended | `None` |
+| `prometheusMonitoring.podMonitor.jobLabel` | Name of the label on target services that prometheus uses as job name | `None` |
+| `prometheusMonitoring.podMonitor.labels` | Additional labels to add to the PodMonitor | `{}` |
 ### Plugins
-| Parameter | Description | Default |
-| --------- | ----------- | ------- |
-| `plugins.install` | Link(s) to the plugin JARs to download and install | `[]` |
-| `plugins.resources` | Plugin Pod resource requests & limits | `{}` |
-| `plugins.httpProxy` | For use behind a corporate proxy when downloading plugins | `""` |
-| `plugins.httpsProxy` | For use behind a corporate proxy when downloading plugins | `""` |
-| `plugins.noProxy` | For use behind a corporate proxy when downloading plugins | `""` |
-| `plugins.image` | Image for plugins container | `""`|
-| `plugins.resources` | Resources for plugins container | `{}` |
-| `plugins.netrcCreds` | Name of the secret containing .netrc file to use creds when downloading plugins | `""` |
-| `plugins.noCheckCertificate` | Flag to not check server's certificate when downloading plugins | `false` |
-| `plugins.securityContext` | Security context for the container to download plugins | see `values.yaml` |
+| Parameter | Description | Default |
+| ---------------------------- | ------------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
+| `plugins.install` | Link(s) to the plugin JARs to download and install | `[]` |
+| `plugins.resources` | Plugin Pod resource requests & limits | `{}` |
+|
`plugins.httpProxy` | For use behind a corporate proxy when downloading plugins | `""` |
+| `plugins.httpsProxy` | For use behind a corporate proxy when downloading plugins | `""` |
+| `plugins.noProxy` | For use behind a corporate proxy when downloading plugins | `""` |
+| `plugins.image` | Image for plugins container | `"image.repository":"image.tag"` |
+| `plugins.resources` | Resources for plugins container | `{}` |
+| `plugins.netrcCreds` | Name of the secret containing .netrc file to use creds when downloading plugins | `""` |
+| `plugins.noCheckCertificate` | Flag to not check server's certificate when downloading plugins | `false` |
+| `plugins.securityContext` | Security context for the container to download plugins | [Restricted podSecurityStandard](#kubernetes---pod-security-standards) |
 ### SonarQube Specific
-| Parameter | Description | Default |
-| --------- | ----------- | ------- |
-| `jvmOpts` | (DEPRECATED) Values to add to SONARQUBE_WEB_JVM_OPTS | `""` |
-| `jvmCeOpts` | (DEPRECATED) Values to add to SONAR_CE_JAVAOPTS | `""` |
-| `sonarqubeFolder` | Directory name of SonarQube | `/opt/sonarqube` |
-| `sonarProperties` | Custom `sonar.properties` key-value pairs (e.g., "sonarProperties.sonar.forceAuthentication=true") | `None` |
-| `sonarSecretProperties` | Additional `sonar.properties` key-value pairs to load from a secret | `None` |
-| `sonarSecretKey` | Name of existing secret used for settings encryption | `None` |
-| `monitoringPasscode` | Value for sonar.web.systemPasscode needed for LivenessProbes (encoded to Base64 format) | `define_it` |
-| `monitoringPasscodeSecretName` | Name of the secret where to load `monitoringPasscode` | `None` |
-| `monitoringPasscodeSecretKey` | Key of an existing secret containing `monitoringPasscode` | `None` |
-| `extraContainers` | Array of extra containers to run alongside the `sonarqube` container (aka.
Sidecars) | `[]` |
-| `extraVolumes` | Array of extra volumes to add to the SonarQube deployment | `[]` |
-| `extraVolumeMounts` | Array of extra volume mounts to add to the SonarQube deployment | `[]` |
+| Parameter | Description | Default |
+| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
+| `jvmOpts` | (DEPRECATED) Values to add to `SONAR_WEB_JAVAOPTS`. Please set directly `SONAR_WEB_JAVAOPTS` or `sonar.web.javaOpts` | `""` |
+| `jvmCeOpts` | (DEPRECATED) Values to add to `SONAR_CE_JAVAOPTS`. Please set directly `SONAR_CE_JAVAOPTS` or `sonar.ce.javaOpts` | `""` |
+| `sonarqubeFolder` | (DEPRECATED) Directory name of SonarQube, Due to 1-1 mapping between helm version and docker version, there is no need for configuration | `/opt/sonarqube` |
+| `sonarProperties` | Custom `sonar.properties` key-value pairs (e.g., "sonarProperties.sonar.forceAuthentication=true") | `None` |
+| `sonarSecretProperties` | Additional `sonar.properties` key-value pairs to load from a secret | `None` |
+| `sonarSecretKey` | Name of existing secret used for settings encryption | `None` |
+| `monitoringPasscode` | Value for sonar.web.systemPasscode needed for LivenessProbes (encoded to Base64 format) | `define_it` |
+| `monitoringPasscodeSecretName` | Name of the secret where to load `monitoringPasscode` | `None` |
+| `monitoringPasscodeSecretKey` | Key of an existing secret containing `monitoringPasscode` | `None` |
+| `extraContainers` | Array of extra containers to run alongside the `sonarqube` container (aka.
Sidecars) | `[]` |
+| `extraVolumes` | Array of extra volumes to add to the SonarQube deployment | `[]` |
+| `extraVolumeMounts` | Array of extra volume mounts to add to the SonarQube deployment | `[]` |
 ### Resources
-| Parameter | Description | Default |
-| --------- | ----------- | ------- |
-| `resources.requests.memory` | SonarQube memory request | `2Gi` |
-| `resources.requests.cpu` | SonarQube cpu request | `400m` |
-| `resources.limits.memory` | SonarQube memory limit | `4Gi` |
-| `resources.limits.cpu` | SonarQube cpu limit | `800m` |
+| Parameter | Description | Default |
+| -------------------------------------- | ------------------------- | ------- |
+| `resources.requests.memory` | SonarQube memory request | `2048M` |
+| `resources.requests.cpu` | SonarQube cpu request | `400m` |
+| `resources.requests.ephemeral-storage` | SonarQube storage request | `1536M` |
+| `resources.limits.memory` | SonarQube memory limit | `6144M` |
+| `resources.limits.cpu` | SonarQube cpu limit | `800m` |
+| `resources.limits.ephemeral-storage` | SonarQube storage limit | `500Gi` |
 ### Persistence
-| Parameter | Description | Default |
-| --------- | ----------- | ------- |
-| `persistence.enabled` | Flag for enabling persistent storage | `false` |
-| `persistence.annotations` | Kubernetes pvc annotations | `{}` |
-| `persistence.existingClaim` | Do not create a new PVC but use this one | `None` |
-| `persistence.storageClass` | Storage class to be used | `""` |
-| `persistence.accessMode` | Volumes access mode to be set | `ReadWriteOnce` |
-| `persistence.size` | Size of the volume | `5Gi` |
-| `persistence.volumes` | Specify extra volumes. Refer to ".spec.volumes" specification | `[]` |
-| `persistence.mounts` | Specify extra mounts.
Refer to ".spec.containers.volumeMounts" specification | `[]` |
-| `emptyDir` | Configuration of resources for `emptyDir` | `{}` |
+| Parameter | Description | Default |
+| --------------------------- | ------------------------------------------------- | --------------- |
+| `persistence.enabled` | Flag for enabling persistent storage | `false` |
+| `persistence.annotations` | Kubernetes pvc annotations | `{}` |
+| `persistence.existingClaim` | Do not create a new PVC but use this one | `None` |
+| `persistence.storageClass` | Storage class to be used | `""` |
+| `persistence.accessMode` | Volumes access mode to be set | `ReadWriteOnce` |
+| `persistence.size` | Size of the volume | `5Gi` |
+| `persistence.volumes` | (DEPRECATED) Please use extraVolumes instead | `[]` |
+| `persistence.mounts` | (DEPRECATED) Please use extraVolumeMounts instead | `[]` |
+| `persistence.uid` | UID used for init-fs container | `1000` |
+| `persistence.guid` | GUID used for init-fs container | `0` |
+| `emptyDir` | Configuration of resources for `emptyDir` | `{}` |
 ### JDBC Overwrite
-| Parameter | Description | Default |
-| --------- | ----------- | ------- |
-| `jdbcOverwrite.enable` | Enable JDBC overwrites for external Databases (disables `postgresql.enabled`) | `false` |
-| `jdbcOverwrite.jdbcUrl` | The JDBC url to connect the external DB | `jdbc:postgresql://myPostgress/myDatabase?socketTimeout=1500` |
-| `jdbcOverwrite.jdbcUsername` | The DB user that should be used for the JDBC connection | `sonarUser` |
-| `jdbcOverwrite.jdbcPassword` | The DB password that should be used for the JDBC connection (Use this if you don't mind the DB password getting stored in plain text within the values file) | `sonarPass` |
-| `jdbcOverwrite.jdbcSecretName` | Alternatively, use a pre-existing k8s secret containing the DB password | `None` |
-| `jdbcOverwrite.jdbcSecretPasswordKey` | If the pre-existing k8s secret is used this allows the user to overwrite the 'key' of the password property in
the secret | `None` |
-
-### Bundled Postgres Chart
-
-| Parameter | Description | Default |
-| --------- | ----------- | ------- |
-| `postgresql.enabled` | Set to `false` to use external server | `true` |
-| `postgresql.existingSecret` | existingSecret Name of existing secret to use for PostgreSQL passwords | `nil` |
-| `postgresql.postgresqlServer` | (DEPRECATED) Hostname of the external Postgresql server | `nil` |
-| `postgresql.postgresqlUsername` | Postgresql database user | `sonarUser` |
-| `postgresql.postgresqlPassword` | Postgresql database password | `sonarPass` |
-| `postgresql.postgresqlDatabase` | Postgresql database name | `sonarDB` |
-| `postgresql.service.port` | Postgresql port | `5432` |
-| `postgresql.resources.requests.memory` | Postgresql memory request | `256Mi` |
-| `postgresql.resources.requests.cpu` | Postgresql cpu request | `250m` |
-| `postgresql.resources.limits.memory` | Postgresql memory limit | `2Gi` |
-| `postgresql.resources.limits.cpu` | Postgresql cpu limit | `2` |
-| `postgresql.persistence.enabled` | Postgresql persistence en/disabled | `true` |
-| `postgresql.persistence.accessMode` | Postgresql persistence accessMode | `ReadWriteOnce` |
-| `postgresql.persistence.size` | Postgresql persistence size | `20Gi` |
-| `postgresql.persistence.storageClass` | Postgresql persistence storageClass | `""` |
-| `postgresql.securityContext.enabled` | Postgresql securityContext en/disabled | `true` |
-| `postgresql.securityContext.fsGroup` | Postgresql securityContext fsGroup | `1001` |
-| `postgresql.securityContext.runAsUser` | Postgresql securityContext runAsUser | `1001` |
-| `postgresql.volumePermissions.enabled` | Postgres vol permissions en/disabled | `false` |
-| `postgresql.volumePermissions.securityContext.runAsUser` | Postgres vol permissions secContext runAsUser | `0` |
-| `postgresql.shmVolume.chmod.enabled` | Postgresql shared memory vol en/disabled | `false` |
-| `postgresql.serivceAccount.enabled` | Postgresql service
Account creation en/disabled | `false` |
-| `postgresql.serivceAccount.name` | Postgresql service Account name | `""` |
+| Parameter | Description | Default |
+| ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------ |
+| `jdbcOverwrite.enable` | (DEPRECATED) Enable JDBC overwrites for external Databases (disables `postgresql.enabled`) ,Please use jdbcOverwrite.enabled instead | `false` |
+| `jdbcOverwrite.enabled` | Enable JDBC overwrites for external Databases (disables `postgresql.enabled`) | `false` |
+| `jdbcOverwrite.jdbcUrl` | The JDBC url to connect the external DB | `jdbc:postgresql://myPostgress/myDatabase` |
+| `jdbcOverwrite.jdbcUsername` | The DB user that should be used for the JDBC connection | `sonarUser` |
+| `jdbcOverwrite.jdbcPassword` | (DEPRECATED) The DB password that should be used for the JDBC connection, please use `jdbcOverwrite.jdbcSecretName` and `jdbcOverwrite.jdbcSecretPasswordKey` | `sonarPass` |
+| `jdbcOverwrite.jdbcSecretName` | Alternatively, use a pre-existing k8s secret containing the DB password | `None` |
+| `jdbcOverwrite.jdbcSecretPasswordKey` | If the pre-existing k8s secret is used this allows the user to overwrite the 'key' of the password property in the secret | `None` |
+| `jdbcOverwrite.oracleJdbcDriver.url` | The URL of the Oracle JDBC driver to be downloaded | `None` |
+| `jdbcOverwrite.oracleJdbcDriver.netrcCreds` | Name of the secret containing .netrc file to use creds when downloading the Oracle JDBC driver | `None` |
+
+### Bundled PostgreSQL Chart (DEPRECATED)
+
+The bundled PostgreSQL Chart is deprecated. Please see for more information.
+
+| Parameter | Description | Default |
+| -------------------------------------------------------- | ---------------------------------------------------------------------- | --------------- |
+| `postgresql.enabled` | Set to `false` to use external server | `true` |
+| `postgresql.existingSecret` | existingSecret Name of existing secret to use for PostgreSQL passwords | `nil` |
+| `postgresql.postgresqlServer` | (DEPRECATED) Hostname of the external PostgreSQL server | `nil` |
+| `postgresql.postgresqlUsername` | PostgreSQL database user | `sonarUser` |
+| `postgresql.postgresqlPassword` | PostgreSQL database password | `sonarPass` |
+| `postgresql.postgresqlDatabase` | PostgreSQL database name | `sonarDB` |
+| `postgresql.service.port` | PostgreSQL port | `5432` |
+| `postgresql.resources.requests.memory` | PostgreSQL memory request | `256Mi` |
+| `postgresql.resources.requests.cpu` | PostgreSQL cpu request | `250m` |
+| `postgresql.resources.limits.memory` | PostgreSQL memory limit | `2Gi` |
+| `postgresql.resources.limits.cpu` | PostgreSQL cpu limit | `2` |
+| `postgresql.persistence.enabled` | PostgreSQL persistence en/disabled | `true` |
+| `postgresql.persistence.accessMode` | PostgreSQL persistence accessMode | `ReadWriteOnce` |
+| `postgresql.persistence.size` | PostgreSQL persistence size | `20Gi` |
+| `postgresql.persistence.storageClass` | PostgreSQL persistence storageClass | `""` |
+| `postgresql.securityContext.enabled` | PostgreSQL securityContext en/disabled | `false` |
+| `postgresql.securityContext` | PostgreSQL securityContext | `false` |
+| `postgresql.volumePermissions.enabled` | PostgreSQL vol permissions en/disabled | `false` |
+| `postgresql.volumePermissions.securityContext.runAsUser` | PostgreSQL vol permissions secContext runAsUser | `0` |
+| `postgresql.shmVolume.chmod.enabled` | PostgreSQL shared memory vol en/disabled | `false` |
+| `postgresql.serivceAccount.enabled` | PostgreSQL service Account creation en/disabled | `false` |
+|
`postgresql.serivceAccount.name` | PostgreSQL service Account name | `""` |
 ### Tests
-| Parameter | Description | Default |
-|------------------------------|---------------------------------------------------------------| ------- |
-| `tests.enabled` | Flag that allows tests to be excluded from the generated yaml | `true` |
-| `tests.image` | Change test container image | `` |
+| Parameter | Description | Default |
+| ------------------------------- | ------------------------------------------------------------- | -------------------------------- |
+| `tests.enabled` | Flag that allows tests to be excluded from the generated yaml | `true` |
+| `tests.image` | Set the test container image | `"image.repository":"image.tag"` |
+| `tests.resources.limits.cpu` | CPU limit for test container | `500m` |
+| `tests.resources.limits.memory` | Memory limit for test container | `200M` |
 ### ServiceAccount
-| Parameter | Description | Default |
-|---------------------------------|--------------------------------------------------------------------------------------|-----------------------|
-| `serviceAccount.create` | If set to true, create a serviceAccount | `false` |
-| `serviceAccount.name` | Name of the serviceAccount to create/use | `sonarqube-sonarqube` |
-| `serviceAccount.automountToken` | Manage `automountServiceAccountToken` field for mounting service account credentials | `false` |
-| `serviceAccount.annotations` | Additional serviceAccount annotations | `{}` |
+| Parameter | Description | Default |
+| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
+| `serviceAccount.create` | If set to true, create a service account | `false` |
+| `serviceAccount.name` | Name of the service account to create/use | `sonarqube-sonarqube` |
+| `serviceAccount.automountToken` |
Manage `automountServiceAccountToken` field for mounting service account credentials. Please note that this will set the default value used by SQ Pods, regardless of the service account being used. | `false` |
+| `serviceAccount.annotations` | Additional service account annotations | `{}` |
 ### ExtraConfig
-| Parameter | Description | Default |
-| --------- | ----------- | ------- |
-| `extraConfig.secrets` | A list of `Secret`s (which must contain key/value pairs) which may be loaded into the Scanner as environment variables | `[]` |
-| `extraConfig.configmaps` | A list of `ConfigMap`s (which must contain key/value pairs) which may be loaded into the Scanner as environment variables | `[]` |
+| Parameter | Description | Default |
+| ------------------------ | ----------------------------------------------------------- | ------- |
+| `extraConfig.secrets` | A list of `Secret`s (which must contain key/value pairs) | `[]` |
+| `extraConfig.configmaps` | A list of `ConfigMap`s (which must contain key/value pairs) | `[]` |
+
+### SetAdminPassword
+
+| Parameter | Description | Default |
+| -------------------------------------------- | ------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------- |
+| `setAdminPassword.newPassword` | Custom admin password | `AdminAdmin_12$` |
+| `setAdminPassword.currentPassword` | Current admin password | `admin` |
+| `setAdminPassword.passwordSecretName` | Secret containing `password` (custom password) and `currentPassword` (current password) keys for admin | `None` |
+| `setAdminPassword.resources.requests.memory` | Memory request for Admin hook | `128Mi` |
+| `setAdminPassword.resources.requests.cpu` | CPU request for Admin hook | `100m` |
+| `setAdminPassword.resources.limits.memory` | Memory limit for Admin hook | `128Mi` |
+| `setAdminPassword.resources.limits.cpu` | CPU limit for Admin hook | `100m` |
+|
`setAdminPassword.securityContext` | SecurityContext for change-password-hook | [Restricted podSecurityStandard](#kubernetes---pod-security-standards) | +| `setAdminPassword.image` | Curl container image | `"image.repository":"image.tag"` | +| `setAdminPassword.annotations` | Custom annotations for admin hook Job | `{}` | ### Advanced Options -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `account.adminPassword` | Custom admin password | `admin` | -| `account.currentAdminPassword` | Current admin password | `admin` | -| `account.adminPasswordSecretName` | Secret containing `password` (custom password) and `currentPassword` (current password) keys for admin | `None` | -| `account.resources.requests.memory` | Memory request for Admin hook | `128Mi` | -| `account.resources.requests.cpu` | CPU request for Admin hook | `100m` | -| `account.resources.limits.memory` | Memory limit for Admin hook | `128Mi` | -| `account.resources.limits.cpu` | CPU limit for Admin hook | `100m` | -| `account.sonarWebContext` | (DEPRECATED) SonarQube web context for Admin hook. 
please use sonarWebContext at the value top level instead | `nil` | -| `account.securityContext` | SecurityContext for change-password-hook | `{}` | -| `curlContainerImage` | Curl container image | `curlimages/curl:8.2.0` | -| `adminJobAnnotations` | Custom annotations for admin hook Job | `{}` | -| `terminationGracePeriodSeconds` | Configuration of `terminationGracePeriodSeconds` | `60` | - -You can also configure values for the PostgreSQL database via the Postgresql [Chart](https://hub.helm.sh/charts/bitnami/postgresql) +| Parameter | Description | Default | +| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------- | +| `account.adminPassword` | (DEPRECATED) Custom admin password. Please use `setAdminPassword.newPassword` instead. | `AdminAdmin_12$` | +| `account.currentAdminPassword` | (DEPRECATED) Current admin password. Please use `setAdminPassword.currentPassword` instead. | `admin` | +| `account.adminPasswordSecretName` | (DEPRECATED) Secret containing `password` (custom password) and `currentPassword` (current password) keys for admin. Please use `setAdminPassword.passwordSecretName` instead. | `None` | +| `account.resources.requests.memory` | (DEPRECATED) Memory request for Admin hook. Please use `setAdminPassword.resources.requests.memory` instead. | `128Mi` | +| `account.resources.requests.cpu` | (DEPRECATED) CPU request for Admin hook. Please use `setAdminPassword.resources.requests.cpu` instead. | `100m` | +| `account.resources.limits.memory` | (DEPRECATED) Memory limit for Admin hook. Please use `setAdminPassword.resources.limits.memory` instead. | `128Mi` | +| `account.resources.limits.cpu` | (DEPRECATED) CPU limit for Admin hook. Please use `setAdminPassword.resources.limits.cpu` instead. 
| `100m` | +| `account.sonarWebContext` | (DEPRECATED) SonarQube web context for Admin hook. Please use `sonarWebContext` at the value top level instead | `nil` | +| `account.securityContext` | (DEPRECATED) SecurityContext for change-password-hook. Please use `setAdminPassword.securityContext` instead. | [Restricted podSecurityStandard](#kubernetes---pod-security-standards) | +| `curlContainerImage` | (DEPRECATED) Curl container image. Please use `setAdminPassword.image` instead. | `"image.repository":"image.tag"` | +| `adminJobAnnotations` | (DEPRECATED) Custom annotations for admin hook Job. Please use `setAdminPassword.annotations` instead. | `{}` | +| `terminationGracePeriodSeconds` | Configuration of `terminationGracePeriodSeconds` | `60` | + +You can also configure values for the PostgreSQL database via the PostgreSQL [Chart](https://hub.helm.sh/charts/bitnami/postgresql) For overriding variables see: [Customizing the chart](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing) 
@@ -493,7 +622,7 @@ In environments with air-gapped setup, especially with internal tooling (repos) Since SonarQube comes bundled with an Elasticsearch instance, some [bootstrap checks](https://www.elastic.co/guide/en/elasticsearch/reference/master/bootstrap-checks.html) of the host settings are done at start. -This chart offers the option to use an initContainer in privilaged mode to automatically set certain kernel settings on the kube worker. While this can ensure proper functionality of Elasticsearch, modifying the underlying kernel settings on the Kubernetes node can impact other users. It may be best to work with your cluster administrator to either provide specific nodes with the proper kernel settings, or ensure they are set cluster wide. +This chart offers the option to use an initContainer in privileged mode to automatically set certain kernel settings on the kube worker. While this can ensure proper functionality of Elasticsearch, modifying the underlying kernel settings on the Kubernetes node can impact other users. It may be best to work with your cluster administrator to either provide specific nodes with the proper kernel settings, or ensure they are set cluster wide. To enable auto-configuration of the kube worker node, set `elasticsearch.configureNode` to `true`. This is the default behavior, so you do not need to explicitly set this. diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/CHANGELOG.md b/charts/sonarqube/sonarqube/charts/sonarqube/CHANGELOG.md index d7470216f..172054a03 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/CHANGELOG.md +++ b/charts/sonarqube/sonarqube/charts/sonarqube/CHANGELOG.md 
@@ -1,6 +1,105 @@ # SonarQube Chart Changelog All changes to this chart will be documented in this file. +## [10.8.0] +* Update Chart's version to 10.8.0 +* Upgrade SonarQube Server to 10.8.0 +* Release SonarQube Community Build 24.12 +* Support the installation of the Oracle JDBC Driver +* Support Kubernetes v1.31 +* Deprecate the `community` value for the `edition` parameter +* Introduce the `community.enabled` and `community.buildNumber` parameters for SonarQube Community Build +* Deprecate the default value of `image.tag` in favor of an empty string +* Update the Chart's icon with the SonarQube Server logo +* Set `app.kubernetes.io/name` and `app.kubernetes.io/version` as selector labels +* Support Gateway on different namespace in HTTPRoute +* Change `ingress.ingressClassName` default, set it to `nginx` if `nginx.enabled` or `ingress-nginx.enabled` +* Ensure that ConfigMap resources are not created for `initFS` and `initSysctl` if not needed +* Ensure the Pod will stop at `init` stage if init_sysctl.sh failed to modify kernel parameters +* Replace the example images in initContainers, initSysctl and initFs from `busybox:1.36` to `ubuntu:24.04`, which are commented out by default +* Make the `automountServiceAccountToken` configurable with `serviceAccount.automountToken` in PodSpec +* Deprecate `sonarqubeFolder`, `jdbcOverwrite.jdbcPassword` and `terminationGracePeriodSeconds` +* Deprecate `deploymentStrategy.type`, which will be set to `Recreate` +* Deprecate `account`, `curlContainerImage`, `adminJobAnnotations` +* Deprecate the StatefulSet deployment type + +## [10.7.0] +* Update Chart's version to 10.7.0 +* Upgrade SonarQube to 10.7.0 +* Support Kubernetes v1.30 +* Upgrade ingress-nginx dependency to 4.10.1 +* Deprecate `jdbcOverwrite.enable` in favor of `jdbcOverwrite.enabled` +* Fix regression on env valuesFrom in the new STS template +* Fix a typo in the new common STS template +* Enable the setup of ReadOnlyRootFilesystem in the security contexts +* 
Support basic chart installation on Openshift +* Include remaining Route settings +* Fix networkPolicy.additionalPolicys typo +* Support install-plugin and prometheusExporter proxy variables in secret +* Support GatewayAPI HttpRoute +* Support additional labels in the PodMonitor +* Support Openshift SCCv2 by default when Openshift.enabled=true +* Deprecate Openshift.createSCC +* Support additional CA Certificate as ConfigMap instead of Secret only +* Changed default value for caCerts.image +* Fix openshift change-admin-password-hook Job SecurityContext failure +* Support SONAR_OPENSHIFT telemetry env_var +* Update helm chart repo path in sources +* Changed SONAR_OPENSHIFT to IS_HELM_OPENSHIFT_ENABLED +* Remove socketTimeout from jdbcOverwrite.jdbcUrl's default value +* Refactor Route to be subparameter of OpenShift +* Make OpenShift.createSCC false by default +* Deprecate peristence.volumes and persistence.mounts in favor or extraVolumes and extraVolumeMounts +* Ensure kubernetes.io/version label is smaller than 63 chars + +## [10.6.0] +* Update SonarQube to 10.6.0 +* Update Chart's version to 10.6.0 +* Fix the env-var templating when sourcing from secrets +* Fix the postgresql chart's repository link +* Add support for overriding liveness/readiness probe logic +* Use a common template for Deployment and StatefulSet + +## [10.5.0] +* Upgrade SonarQube to 10.5.0 +* Update Chart's version to 10.5.0 +* Update nginx-ingress-controller dependency to version 4.9.1 +* Set `automountServiceAccountToken` to false in pod's specifications +* Update default `resources` values matching better default Xmx and Xms of the SonarQube processes. 
+* Make `ephemeral-storage` resource's limits and requests configurable for the SonarQube container +* Set memory and cpu limits for the test container +* Deprecate nginx.enabled in favor of ingress-nginx.enabled, to match with subchart config block +* Deprecate `prometheusMonitoring.podMonitor.namespace` +* Instantiate `monitoring-web` and `monitoring-ce` endpoints when the `prometheusExporter` is enabled +* Take `sonarWebContext` into account for the `PodMonitor` path +* Fix duplicated env_var in Pods causing deployment issue (`SONAR_WEB_CONTEXT`,`SONAR_WEB_JAVAOPTS`,`SONAR_CE_JAVAOPTS`) + +## [10.4.0] +* Upgrade SonarQube to 10.4.0 +* Update Chart's version to 10.4.0 +* Improve the description of deprecated `jvmOpts` and `jvmCeOpts` values +* Run the initSysctl init-container as root to prevent 'permission denied' issues +* Add revisionHistoryLimit configuration for SonarQube application Deployment ReplicaSets & StatefulSets +* Update the security contexts to use root as group ID +* Fix empty ingress annotations in values +* Add support for dual stack and IPv6 single stack clusters in readiness/liveness probes + +## [10.3.0] +* Upgrade SonarQube to 10.3.0 +* Update Chart's version to 10.3.0 +* Update default images to the latest versions +* Remove the nginx-proxy-body annotation when nginx is disabled +* Enable post-upgrade in the change-admin-password hook +* Update default ContainerSecurityContext, InitContainerSecurityContext and postgresql.securityContext to match restricted podSecurityStandard +* Update initFs defaut securityContext to match baseline podSecurityStandard +* Update Elasticsearch.configureNode to false by default after 3 year deprecation +* Fix wrong condition on initSysctl feature +* Update default image of initContainers to sonarqube image, allowing for faster loading time and less external images needed +* Support Kubernetes v1.28 +* Avoid duplicate SONAR_WEB_SYSTEMPASSCODE secrets +* Deprecate embedded PostgreSQL +* Update 
nginx-ingress-controller dependency to version 4.8.3, please carefully read the changelog of this new major version. + ## [10.2.0] * Update SonarQube to 10.2.0 * Update Chart's version to 10.2.0 diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/Chart.lock b/charts/sonarqube/sonarqube/charts/sonarqube/Chart.lock index 2b70c1eba..3f845f68d 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/Chart.lock +++ b/charts/sonarqube/sonarqube/charts/sonarqube/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: postgresql - repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami + repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami version: 10.15.0 - name: ingress-nginx repository: https://kubernetes.github.io/ingress-nginx - version: 4.7.1 -digest: sha256:16a5362bfe5ceca82723c85608da059005c70bc46bfc72fc9d976b42a49f2120 -generated: "2023-08-04T14:18:34.978582+02:00" + version: 4.11.2 +digest: sha256:0ad1aac6c67cf15b7aabb05dc27ad791f9575fe305744407792981aa3082e1c9 +generated: "2024-10-07T17:45:01.454569+02:00" diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/Chart.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/Chart.yaml index c84ef1da7..7fa3c0e84 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/Chart.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/Chart.yaml 
@@ -1,43 +1,66 @@ annotations: artifacthub.io/changes: | - kind: changed - description: "Upgrading SonarQube to 10.2.0" - - kind: deprecated - description: "livenessProbe.sonarWebContext is deprecated, please use sonarWebContext at the value top level" - - kind: deprecated - description: "readinessProbe.sonarWebContext is deprecated, please use sonarWebContext at the value top level" + description: "Upgrade SonarQube Server to 10.8.0" + - kind: changed + description: "Release SonarQube Community Build 24.12" + - kind: changed + description: "Update Chart's version to 10.8.0" + - kind: added + description: "Support the installation of the Oracle JDBC Driver" + - kind: changed + description: "Support Kubernetes v1.31" - kind: deprecated - description: "startupProbe.sonarWebContext is deprecated, please use sonarWebContext at the value top level" + description: "Deprecate the 'community' value for the 'edition' parameter" - kind: deprecated - description: "account.sonarWebContext is deprecated, please use sonarWebContext at the value top level" + description: "Deprecate the default value of 'image.tag' in favor of an empty string" + - kind: added + description: "Introduce the 'community.enabled' and 'community.buildNumber' parameters for SonarQube Community Build" + - kind: changed + description: "Update the Chart's icon with the SonarQube Server logo" + - kind: fixed + description: "Set 'app.kubernetes.io/name' and 'app.kubernetes.io/version' as selector labels" + - kind: added + description: "Support Gateway on different namespace in HTTPRoute" - kind: changed - description: "Update Chart's version to 10.2.0" - - kind: security - description: "Update cURL image to 8.2.0" - - kind: security - description: "Update ingress-nginx dependency to 4.7.1" + description: "Change 'ingress.ingressClassName' default, set it to 'nginx' if 'nginx.enabled' or 'ingress-nginx.enabled'" + - kind: changed + description: "Ensure that ConfigMap resources are not created for 'initFS' and 
'initSysctl' if not needed" + - kind: changed + description: "Ensure the Pod will stop at 'init' stage if init_sysctl.sh failed to modify kernel parameters" + - kind: changed + description: "Replace the example images in initContainers, initSysctl and initFs from 'busybox:1.36' to 'ubuntu:24.04', which are commented out by default" - kind: fixed - description: "Fixes broken table on README" + description: "Make the 'automountServiceAccountToken' configurable with 'serviceAccount.automountToken' in PodSpec" + - kind: deprecated + description: "Deprecate 'sonarqubeFolder', 'jdbcOverwrite.jdbcPassword' and 'terminationGracePeriodSeconds'" + - kind: deprecated + description: "Deprecate 'deploymentStrategy.type', which will be set to 'Recreate'" + - kind: deprecated + description: "Deprecate 'account', 'curlContainerImage', 'adminJobAnnotation'" + - kind: deprecated + description: "Deprecate the StatefulSet deployment type" artifacthub.io/containsSecurityUpdates: "false" artifacthub.io/images: | - name: sonarqube - image: sonarqube:10.2.0-community + image: sonarqube:24.12.0.100206-community artifacthub.io/links: | - name: support url: https://community.sonarsource.com/ - name: Chart Source url: https://github.com/SonarSource/helm-chart-sonarqube/tree/master/charts/sonarqube + charts.openshift.io/name: sonarqube apiVersion: v2 -appVersion: 10.2.0 +appVersion: 10.8.0 dependencies: - condition: postgresql.enabled name: postgresql - repository: https://raw.githubusercontent.com/bitnami/charts/pre-2022/bitnami + repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami version: 10.15.0 -- condition: nginx.enabled +- condition: nginx.enabled,ingress-nginx.enabled name: ingress-nginx repository: https://kubernetes.github.io/ingress-nginx - version: 4.7.1 + version: 4.11.2 description: SonarQube is a self-managed, automatic code review tool that systematically helps you deliver clean code. 
As a core element of our Sonar solution, SonarQube integrates into your existing workflow and detects issues in your code to help you @@ -45,7 +68,7 @@ description: SonarQube is a self-managed, automatic code review tool that system programming languages and integrates into your CI pipeline and DevOps platform to ensure that your code meets high-quality standards. home: https://www.sonarqube.org/ -icon: https://raw.githubusercontent.com/SonarSource/sonarqube-static-resources/master/helm/SonarQubeLogo.svg +icon: https://raw.githubusercontent.com/SonarSource/sonarqube-static-resources/master/helm/SonarQubeServerLogo.png keywords: - coverage - security @@ -53,8 +76,6 @@ keywords: - quality kubeVersion: '>= 1.24.0-0' maintainers: -- email: leo.geoffroy+helm@sonarsource.com - name: leo-geoffroy-sonarsource - email: carmine.vassallo@sonarsource.com name: carminevassallo - email: jeremy.cotineau@sonarsource.com @@ -63,8 +84,8 @@ maintainers: name: davividal name: sonarqube sources: -- https://github.com/SonarSource/helm-chart-sonarqube +- https://github.com/SonarSource/helm-chart-sonarqube/tree/master/charts/sonarqube - https://github.com/SonarSource/docker-sonarqube - https://github.com/SonarSource/sonarqube type: application -version: 10.2.0+738 +version: 10.8.0 diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/README.md b/charts/sonarqube/sonarqube/charts/sonarqube/README.md index ec091acac..5bf42c860 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/README.md +++ b/charts/sonarqube/sonarqube/charts/sonarqube/README.md 
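Review bot: In the first hunk's `dependencies` block, `condition: nginx.enabled,ingress-nginx.enabled` is not an OR: Helm evaluates only the first path in a comma-separated condition that exists in the values. If values.yaml (not shown here) still defines the deprecated `nginx.enabled`, the `ingress-nginx.enabled: false` setting that the README recommends for production would be ignored, and a leftover `nginx.enabled: true` override would still deploy the ingress controller. The dependable fix is to leave the deprecated key undefined in the default values so that the second path is reached. Separately, the ingress-nginx bump from 4.7.1 to 4.11.2 has no entry in `artifacthub.io/changes` while `artifacthub.io/containsSecurityUpdates` stays `"false"`; if that controller release carries security fixes, add a `kind: security` entry and set the flag to `"true"`. The deprecation entry also reads `'adminJobAnnotation'` where the CHANGELOG and README name the key `adminJobAnnotations`.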
@@ -1,6 +1,6 @@ # SonarQube -Code better in up to 27 languages. Improve Code Quality and Code Security throughout your workflow. [SonarQube](https://www.sonarqube.org/) can detect Bugs, Vulnerabilities, Security Hotspots and Code Smells and give you the guidance to fix them. +Code better in up to 27 languages. Improve Code Quality and Code Security throughout your workflow. [SonarQube](https://www.sonarsource.com/products/sonarqube/) can detect Bugs, Vulnerabilities, Security Hotspots and Code Smells and give you the guidance to fix them. ## Introduction @@ -8,15 +8,17 @@ This chart bootstraps an instance of the latest SonarQube version with a Postgre The latest version of the chart installs the latest SonarQube version. -To install the version of the chart for SonarQube 9.9 LTS, please read the section [below](#installing-the-sonarqube-99-lts-chart). Deciding between LTS and Latest? [This may help](https://www.sonarsource.com/products/sonarqube/downloads/lts/) +To install the version of the chart for SonarQube 9.9 LTA, please read the section [below](#installing-the-sonarqube-99-lta-chart). Deciding between LTA and Latest? [This may help](https://www.sonarsource.com/products/sonarqube/downloads/lts/) Please note that this chart only supports SonarQube Community, Developer, and Enterprise editions. ## Compatibility -Compatible SonarQube Version: `10.2.0` +Compatible SonarQube Server Version: `10.8.0` +Compatible SonarQube Community Build: `24.12.0.100206` -Supported Kubernetes Versions: From `1.24` to `1.27` +Supported Kubernetes Versions: From `1.24` to `1.31` +Supported Openshift Versions: From `4.11` to `4.16` ## Installing the chart 
@@ -29,26 +31,37 @@ kubectl create namespace sonarqube helm upgrade --install -n sonarqube sonarqube sonarqube/sonarqube ``` -The above command deploys SonarQube on the Kubernetes cluster in the default configuration in the sonarqube namespace. The [configuration](#configuration) section lists the parameters that can be configured during installation. +The above command deploys SonarQube on the Kubernetes cluster in the default configuration in the sonarqube namespace. +If you are interested in deploying SonarQube on Openshift, please check the [dedicated section](#openshift). + +The [configuration](#configuration) section lists the parameters that can be configured during installation. The default login is admin/admin. -## Installing the SonarQube 9.9 LTS chart +## Installing the SonarQube Community Build chart + +The SonarQube Community Edition has been replaced by the SonarQube Community Build. +If you want to install the SonarQube Community Build chart, please set `community.enabled` to `true`. +The `community.buildNumber` parameter will be set to the latest Community Build. +The `community` value is deprecated and won't be supported for `edition` anymore. + +## Installing the SonarQube 9.9 LTA chart -The version of the chart for the SonarQube 9.9 LTS is being distributed as the `8.x.x` version of this chart. +The version of the chart for the SonarQube 9.9 LTA is being distributed as the `8.x.x` version of this chart. In order to use it, please set the version constraint `~8`, which is equivalent to `>=8.0.0 && <= 9.0.0`. That version parameter **must** be used in every helm related command including `install`, `upgrade`, `template`, and `diff` (don't treat this as an exhaustive list). 
Example: -``` -helm upgrade --install -n sonarqube --version ~8 sonarqube sonarqube/sonarqube + +```Bash +helm upgrade --install -n sonarqube --version '~8' sonarqube sonarqube/sonarqube ``` To upgrade from the old and unmaintained [sonarqube-lts chart](https://artifacthub.io/packages/helm/sonarqube/sonarqube-lts), please follow the steps described [in this section](#upgrade-from-the-old-sonarqube-lts-to-this-chart). ## How to use it -Take some time to read the Deploy on [SonarQube on Kubernetes](https://docs.sonarqube.org/latest/setup/sonarqube-on-kubernetes/) page. +Take some time to read the Deploy on [SonarQube on Kubernetes](https://docs.sonarsource.com/sonarqube/latest/setup-and-upgrade/deploy-on-kubernetes/server/introduction/) page. SonarQube deployment on Kubernetes has been tested with the recommendations and constraints documented there, and deployment has some limitations. ## Uninstalling the chart 
@@ -64,15 +77,38 @@ $ helm delete kindly-newt ## Prerequisites and suggested settings for production -Please read the official documentation prerequisites [here](https://docs.sonarqube.org/latest/requirements/prerequisites-and-overview/). +Please read the official documentation prerequisites [here](https://docs.sonarsource.com/sonarqube/latest/requirements/prerequisites-and-overview/). ### Kubernetes - Pod Security Standards -The following [Pod Security levels](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-levels) cannot be used in combination with SonarQube's chart: +Here is the list of containers that are compatible with the [Pod Security levels](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-levels): -* Baseline. The `init-sysctl` container requires `securityContext.privileged=true`. -* Restricted. In addition to the previous requirement, - * The `sonarqube-postgresql`, `wait-for-db`, `init-sysctl`, and `sonarqube` containers require `securityContext.allowPrivilegeEscalation=true`, unrestricted capabilities, running as `root`, and a `seccompProfile` different from `RuntimeDefault` or `localhost`. +* privileged: + * `init-sysctl` +* baseline: + * `init-fs` +* restricted: + * SQ application containers + * SQ init containers. + * postgresql containers. + +This is achieved by setting this SecurityContext as default on **most** containers: + +```yaml +allowPrivilegeEscalation: false +runAsNonRoot: true +runAsUser: 1000 +runAsGroup: 0 +seccompProfile: + type: RuntimeDefault +capabilities: + drop: ["ALL"] +readOnlyRootFilesystem: true +``` + +Based on that, one can run the SQ helm chart in a full restricted namespace, by deactivating the `initSysctl.enabled` and `initFs.enabled` parameters, which require root access. + +Please take a look at [production-use-case](#production-use-case) for more information or directly at the values.yaml file. ### Elasticsearch prerequisites 
@@ -84,8 +120,8 @@ Because of such constraints, even when running in Docker containers, SonarQube r Please carefully read the following and make sure these configurations are set up at the host level: -- [vm.max_map_count](https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html#vm-max-map-count) -- [seccomp filter should be available](https://github.com/SonarSource/docker-sonarqube/issues/614) +* [vm.max_map_count](https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html#vm-max-map-count) +* [seccomp filter should be available](https://github.com/SonarSource/docker-sonarqube/issues/614) In general, please carefully read the Elasticsearch's [documentation](https://www.elastic.co/guide/en/elasticsearch/reference/current/system-config.html). 
@@ -95,24 +131,46 @@ The SonarQube helm chart is packed with multiple features enabling users to inst Nonetheless, if you intend to run a production-grade SonarQube please follow these recommendations. -- Set `nginx.enabled` to **false**. This parameter would run the nginx chart. This is useful for testing purposes only. Ingress controllers are critical Kubernetes components, we advise users to install their own. -- Set `postgresql.enabled` to **false**. This parameter would run the postgresql pre-2022 bitnami chart. That is useful for testing purposes, however, given that the database is at the hearth of SonarQube, we advise users to be careful with it and use a well-maintained database as a service or deploy their own database on top of Kubernetes. -- Set `initSysctl.enabled` to **false**. This parameter would run **root** `sysctl` commands, while those sysctl-related values should be set by the Kubernetes administrator at the node level (see [here](#elasticsearch-prerequisites)) -- Set `initFs.enabled` to **false**. This parameter would run **root** `chown` commands. The parameter exists to fix non-posix, CSI, or deprecated drivers. +* Set `ingress-nginx.enabled` to **false**. This parameter would run the nginx chart. This is useful for testing purposes only. Ingress controllers are critical Kubernetes components, we advise users to install their own. +* Set `postgresql.enabled` to **false**. This parameter would run the postgresql pre-2022 bitnami chart. That is useful for testing purposes, however, given that the database is at the hearth of SonarQube, we advise users to be careful with it and use a well-maintained database as a service or deploy their own database on top of Kubernetes. +* Set `initSysctl.enabled` to **false**. This parameter would run **root** `sysctl` commands, while those sysctl-related values should be set by the Kubernetes administrator at the node level (see [here](#elasticsearch-prerequisites)) +* Set `initFs.enabled` to **false**. 
This parameter would run **root** `chown` commands. The parameter exists to fix non-posix, CSI, or deprecated drivers. + +#### Cpu and memory settings + +Monitoring cpu and memory is an important part of software reliability. The SonarQube helm chart comes with default values for cpu and memory requests and limits. Those memory values are matching the default SonarQube JVM Xmx and Xms values. + +Xmx defines the maximum size of the JVM heap, this is **not** the maximum memory the JVM can allocate. + +For this reason, it is recommended to set Xmx to the ~80% of the total amount of memory available on the machine (in Kubernetes, this corresponds to requests and limits). + +Please find here the default SonarQube Xmx parameters to setup the memory requests and limits accordingly. + +| Edition | Sum of Xmx | +| ------------------ | ---------- | +| community edition | 1536M | +| developer edition | 1536M | +| enterprise edition | 5G | + +The default request and limit for this chart are set to 2048M and 6144M, to comply with the 3 editions and the 80% rule mentioned above. + +Please feel free to adjust those values to your needs. However, given that memory is a “non-compressible” resource, we advise you to set the memory requests and limits to the **same**, making memory a guaranteed resource. This is needed especially for production use cases. + +To get some guidance when setting the Xmx and Xms values, please refer to this [documentation](https://docs.sonarsource.com/sonarqube/latest/setup-and-upgrade/configure-and-operate-a-server/environment-variables/) and set the environment variables or sonar.properties accordingly. ## Upgrade -1. Read through the [SonarQube Upgrade Guide](https://docs.sonarqube.org/latest/setup/upgrading/) to familiarize yourself with the general upgrade process (most importantly, back up your database) +1. 
Read through the [SonarQube Upgrade Guide](https://docs.sonarsource.com/sonarqube/latest/setup-and-upgrade/upgrade-the-server/roadmap/) to familiarize yourself with the general upgrade process (most importantly, back up your database) 2. Change the SonarQube version on `values.yaml` 3. Redeploy SonarQube with the same helm chart (see [Install instructions](#installing-the-chart)) -4. Browse to http://yourSonarQubeServerURL/setup and follow the setup instructions +4. Browse to and follow the setup instructions 5. Reanalyze your projects to get fresh data ### Upgrade from the old sonarqube-lts to this chart -Please refer to the Helm upgrade section accessible [here](https://docs.sonarqube.org/latest/setup-and-upgrade/upgrade-the-server/upgrade-guide/) +Please refer to the Helm upgrade section accessible [here](https://docs.sonarsource.com/sonarqube/latest/setup-and-upgrade/upgrade-the-server/upgrade/#upgrade-from-89x-lts-to-99x-lts). -## Ingress +## Ingress usage ### Path @@ -138,7 +196,7 @@ ingress: ## Monitoring -This Helm chart offers the possibility to monitor SonarQube with Prometheus. +This Helm chart offers the possibility to monitor SonarQube with Prometheus. You can find [Information on SonarQube monitoring on Kubernetes](https://docs.sonarsource.com/sonarqube/latest/setup-and-upgrade/deploy-on-kubernetes/set-up-monitoring/introduction/) in the SonarQube documentation. ### Export JMX metrics 
@@ -150,312 +208,383 @@ Per default the JMX metrics for the Web Bean and the CE Bean are exposed on port If a Prometheus Operator is deployed in your cluster, you can enable a PodMonitor resource with `prometheusMonitoring.podMonitor.enabled`. It scrapes the Prometheus endpoint `/api/monitoring/metrics` exposed by the SonarQube application. +If running on OpenShift, make sure your account has permissions to create PodMonitor resources under the monitoring.coreos.com/v1 apiVersion. + +## OpenShift installation + +The chart can be installed on OpenShift by setting `OpenShift.enabled=true`. Among the others, please note that this value will disable the initContainer that performs the settings required by Elasticsearch (see [here](#elasticsearch-prerequisites)). Furthermore, we strongly recommend following the [Production Use Case guidelines](#production-use-case). + +Please note that `Openshift.createSCC` is deprecated and should be set to `false`. The default securityContext, together with the production configurations described [above](#production-use-case), is compatible with restricted SCCv2. + +The below command will deploy SonarQube on the Openshift Kubernetes cluster. Please note this will use the embedded postgresql database and is not recommended for production. + +```bash +helm repo add sonarqube https://SonarSource.github.io/helm-chart-sonarqube +helm repo update +kubectl create namespace sonarqube # If you dont have permissions to create the namespace, skip this step and replace all -n with an existing namespace name. +helm upgrade --install -n sonarqube sonarqube sonarqube/sonarqube \ + --set OpenShift.enabled=true \ + --set postgresql.securityContext.enabled=false \ + --set postgresql.containerSecurityContext.enabled=false +``` + +If you want to make your application publicly visible with Routes, you can set `OpenShift.route.enabled` to true. Please check the [configuration details](#openshift-1) to customize the Route base on your needs. 
+ +## License + +SonarQube Community Build is released under the [GNU Lesser General Public License, Version 3.0⁠,](http://www.gnu.org/licenses/lgpl.txt) and packaged with [SSALv1](https://www.sonarsource.com/license/ssal/) analyzers. SonarQube Server Developer and Enterprise are licensed under [SonarQube Server Terms and Conditions](https://www.sonarsource.com/legal/sonarqube/terms-and-conditions/). + ## Configuration The following table lists the configurable parameters of the SonarQube chart and their default values. ### Global -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `deploymentType` | Deployment Type (supported values are `StatefulSet` or `Deployment`) | `StatefulSet` | -| `replicaCount` | Number of replicas deployed (supported values are 0 and 1) | `1` | -| `deploymentStrategy` | Deployment strategy | `{}` | -| `priorityClassName` | Schedule pods on priority (e.g. `high-priority`) | `None` | -| `schedulerName` | Kubernetes scheduler name | `None` | -| `affinity` | Node / Pod affinities | `{}` | -| `tolerations` | List of node taints to tolerate | `[]` | -| `nodeSelector` | Node labels for pod assignment | `{}` | -| `hostAliases` | Aliases for IPs in /etc/hosts | `[]` | -| `podLabels` | Map of labels to add to the pods | `{}` | -| `env` | Environment variables to attach to the pods | `{}`| -| `annotations` | SonarQube Pod annotations | `{}` | -| `edition` | SonarQube Edition to use (e.g. `community`, `developer` or `enterprise`) | `community` | -| `sonarWebContext` | SonarQube web context, also serve as default value for `ingress.path`, `account.sonarWebContext` and probes path. 
| `` | +| Parameter | Description | Default | +| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------- | ------------------ | +| `deploymentType` | (DEPRECATED) Deployment Type (supported values are `StatefulSet` or `Deployment`) | `StatefulSet` | +| `replicaCount` | Number of replicas deployed (supported values are 0 and 1) | `1` | +| `deploymentStrategy` | Deployment strategy. Setting the strategy type is deprecated and it will be hardcoded to `Recreate` | `{type: Recreate}` | +| `priorityClassName` | Schedule pods on priority (e.g. `high-priority`) | `None` | +| `schedulerName` | Kubernetes scheduler name | `None` | +| `affinity` | Node / Pod affinities | `{}` | +| `tolerations` | List of node taints to tolerate | `[]` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `hostAliases` | Aliases for IPs in /etc/hosts | `[]` | +| `podLabels` | Map of labels to add to the pods | `{}` | +| `env` | Environment variables to attach to the pods | `{}` | +| `annotations` | SonarQube Pod annotations | `{}` | +| `edition` | SonarQube Edition to use (e.g. `community`, `developer` or `enterprise`). Please note that the default `community` value is deprecated. | `community` | +| `community.enabled` | Install SonarQube Community Build. When set to `true`, this parameter replaces `edition=community` | `true` | +| `community.buildNumber` | The SonarQube Community Build number to install | `24.12.0.100206` | +| `sonarWebContext` | SonarQube web context, also serve as default value for `ingress.path`, `account.sonarWebContext` and probes path. 
| `` | +| `httpProxySecret` | Should contain `http_proxy`, `https_proxy` and `no_proxy` keys, will superseed every other proxy variables | `` | +| `httpProxy` | HTTP proxy for downloading JMX agent and install plugins, will superseed initContainer specific http proxy variables | `` | +| `httpsProxy` | HTTPS proxy for downloading JMX agent and install plugins, will superseed initContainer specific https proxy variable | `` | +| `noProxy` | No proxy for downloading JMX agent and install plugins, will superseed initContainer specific no proxy variables | `` | +| `ingress-nginx.enabled` | Install Nginx Ingress Helm | `false` | ### NetworkPolicies -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `networkPolicy.enabled` | Create NetworkPolicies | `false` | -| `networkPolicy.prometheusNamespace` | Allow incoming traffic to monitoring ports from this namespace | `nil` | -| `networkPolicy.additionalNetworkPolicys` | User defined NetworkPolicies (usefull for external database) | `nil` | +| Parameter | Description | Default | +| ----------------------------------------- | ------------------------------------------------------------------------- | ------- | +| `networkPolicy.enabled` | Create NetworkPolicies | `false` | +| `networkPolicy.prometheusNamespace` | Allow incoming traffic to monitoring ports from this namespace | `nil` | +| `networkPolicy.additionalNetworkPolicys` | (DEPRECATED) Please use `networkPolicy.additionalNetworkPolicies` instead | `nil` | +| `networkPolicy.additionalNetworkPolicies` | User defined NetworkPolicies (useful for external database) | `nil` | ### OpenShift -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `OpenShift.enabled` | Define if this deployment is for OpenShift | `false` | -| `OpenShift.createSCC` | If this deployment is for OpenShift, define if SCC should be created for sonarqube pod | `true` | +| Parameter | Description | Default | +| -------------------------------- | 
--------------------------------------------------------------------------------------------------- | -------------------------- | +| `OpenShift.enabled` | Define if this deployment is for OpenShift | `false` | +| `OpenShift.createSCC` | (DEPRECATED) If this deployment is for OpenShift, define if SCC should be created for sonarqube pod | `false` | +| `OpenShift.route.enabled` | Flag to enable OpenShift Route | `false` | +| `OpenShift.route.host` | Host that points to the service | `"sonarqube.your-org.com"` | +| `OpenShift.route.path` | Path that the router watches for, to route traffic for to the service | `"/"` | +| `OpenShift.route.tls` | TLS settings including termination type, certificates, insecure traffic, etc. | see `values.yaml` | +| `OpenShift.route.wildcardPolicy` | The wildcard policy that is allowed where this route is exposed | `None` | +| `OpenShift.route.annotations` | Optional field to add extra annotations to the route | `None` | +| `OpenShift.route.labels` | Route additional labels | `{}` | ### Image -| Parameter | Description | Default | -| --------- | ----------- |--------------------------------| -| `image.repository` | image repository | `sonarqube` | -| `image.tag` | `sonarqube` image tag. | `10.2.0-{{ .Values.edition }}` | -| `image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `image.pullSecret` | (DEPRECATED) imagePullSecret to use for private repository | `None` | -| `image.pullSecrets` | imagePullSecrets to use for private repository | `None` | +| Parameter | Description | Default | +| ------------------- | ------------------------------------------------------------------------------------------------- | ------------------------------ | +| `image.repository` | image repository | `sonarqube` | +| `image.tag` | `sonarqube` image tag. Please note that the default `10.8.0-{{ .Values.edition }}` is deprecated. 
| `10.8.0-{{ .Values.edition }}` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.pullSecret` | (DEPRECATED) imagePullSecret to use for private repository | `None` | +| `image.pullSecrets` | imagePullSecrets to use for private repository | `None` | ### Security -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `securityContext.fsGroup` | Group applied to mounted directories/files | `1000` | -| `containerSecurityContext.runAsUser` | User to run containers in sonarqube pod as, unless overwritten (such as for init-sysctl container) | `1000` | +| Parameter | Description | Default | +| -------------------------- | ---------------------------------------------- | ---------------------------------------------------------------------- | +| `securityContext` | SecurityContext for the pod | [Restricted podSecurityStandard](#kubernetes---pod-security-standards) | +| `containerSecurityContext` | SecurityContext for container in sonarqube pod | [Restricted podSecurityStandard](#kubernetes---pod-security-standards) | ### Elasticsearch -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `elasticsearch.configureNode` | [DEPRECATED] Use initSysctl.enabled instead. | `true` | -| `elasticsearch.bootstrapChecks` | Enables/disables Elasticsearch bootstrap checks | `true` | +| Parameter | Description | Default | +| ------------------------------- | ----------------------------------------------- | ------- | +| `elasticsearch.configureNode` | [DEPRECATED] Use initSysctl.enabled instead. 
| `false` | +| `elasticsearch.bootstrapChecks` | Enables/disables Elasticsearch bootstrap checks | `true` | ### Service -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `service.type` | Kubernetes service type | `ClusterIP` | -| `service.externalPort` | Kubernetes service port | `9000` | -| `service.internalPort` | Kubernetes container port | `9000` | -| `service.labels` | Kubernetes service labels | `None` | -| `service.annotations` | Kubernetes service annotations | `None` | -| `service.loadBalancerSourceRanges` | Kubernetes service LB Allowed inbound IP addresses | `None` | -| `service.loadBalancerIP` | Kubernetes service LB Optional fixed external IP | `None` | +| Parameter | Description | Default | +| ---------------------------------- | -------------------------------------------------- | ----------- | +| `service.type` | Kubernetes service type | `ClusterIP` | +| `service.externalPort` | Kubernetes service port | `9000` | +| `service.internalPort` | Kubernetes container port | `9000` | +| `service.labels` | Kubernetes service labels | `None` | +| `service.annotations` | Kubernetes service annotations | `None` | +| `service.loadBalancerSourceRanges` | Kubernetes service LB Allowed inbound IP addresses | `None` | +| `service.loadBalancerIP` | Kubernetes service LB Optional fixed external IP | `None` | ### Ingress -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `nginx.enabled` | Also install Nginx Ingress Helm | `false` | -| `ingress.enabled` | Flag to enable Ingress | `false` | -| `ingress.labels` | Ingress additional labels | `{}` | -| `ingress.hosts[0].name` | Hostname to your SonarQube installation | `sonarqube.your-org.com` | -| `ingress.hosts[0].path` | Path within the URL structure | `/` | -| `ingress.hosts[0].serviceName` | Optional field to override the default serviceName of a path | `None` | -| `ingress.hosts[0].servicePort` | Optional field to override the default servicePort of a path 
| `None` | -| `ingress.tls` | Ingress secrets for TLS certificates | `[]` | -| `ingress.ingressClassName` | Optional field to configure ingress class name | `None` | -| `ingress.annotations` | Field to add extra annotations to the ingress | {`nginx.ingress.kubernetes.io/proxy-body-size=64m`} | -| `ingress.annotations.nginx.ingress.kubernetes.io/proxy-body-size` | Field to set the maximum allowed size of the client request body | `64m` | - -### Route - -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `route.enabled` | Flag to enable OpenShift Route | `false` | -| `route.host` | Host of the route | `""` | -| `route.tls.termination` | TLS termination type. Currently supported values are `edge` and `passthrough` | `edge` | -| `route.annotations` | Optional field to add extra annotations to the route | `None` | -| `route.labels` | Route additional labels | `{}` | +| Parameter | Description | Default | +| ------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------ | +| `nginx.enabled` | (DEPRECATED) please use `ingress-nginx.enabled` | `false` | +| `ingress.labels` | Ingress additional labels | `{}` | +| `ingress.hosts[0].name` | Hostname to your SonarQube installation | `sonarqube.your-org.com` | +| `ingress.hosts[0].path` | Path within the URL structure | `/` | +| `ingress.hosts[0].serviceName` | Optional field to override the default serviceName of a path | `None` | +| `ingress.hosts[0].servicePort` | Optional field to override the default servicePort of a path | `None` | +| `ingress.tls` | Ingress secrets for TLS certificates | `[]` | +| `ingress.ingressClassName` | Optional field to configure ingress class name | `None` OR `nginx` if `nginx.enabled` or `ingress-nginx.enabled` | +| `ingress.annotations` | Field to add extra annotations to the ingress | 
{`nginx.ingress.kubernetes.io/proxy-body-size: "64m"`} if `ingress-nginx.enabled=true or nginx.enabled=true` | + +### HttpRoute + +| Parameter | Description | Default | +| ---------------------------- | ------------------------------------------------------------------------------------------------------------- | ------- | +| `httproute.enabled` | Flag to enable GatewayAPI HttpRoute | `False` | +| `httproute.gateway` | Name of the gateway | `None` | +| `httproute.gatewayNamespace` | (Optional) Name of the gateway namespace when located in a different namespace | `None` | +| `httproute.hostnames` | List of hostnames to match the HttpRoute against | `None` | +| `httproute.labels` | (Optional) List of extra labels to add to the HttpRoute | `None` | +| `httproute.rules` | (Optional) Extra Rules block of the HttpRoute. A default one is created with SonarWebContext and service port | `None` | ### Probes -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `readinessProbe.initialDelaySeconds` | ReadinessProbe initial delay for SonarQube checking | `60` | -| `readinessProbe.periodSeconds` | ReadinessProbe period between checking SonarQube | `30` | -| `readinessProbe.failureThreshold` | ReadinessProbe threshold for marking as failed | `6` | -| `readinessProbe.timeoutSeconds`| ReadinessProbe timeout delay | `1` | -| `readinessProbe.sonarWebContext` | (DEPRECATED) SonarQube web context for readinessProbe, please use sonarWebContext at the value top level instead | `/` | -| `livenessProbe.initialDelaySeconds` | LivenessProbe initial delay for SonarQube checking | `60` | -| `livenessProbe.periodSeconds` | LivenessProbe period between checking SonarQube | `30` | -| `livenessProbe.sonarWebContext` | (DEPRECATED) SonarQube web context for LivenessProbe, please use sonarWebContext at the value top level instead | `/` | -| `livenessProbe.failureThreshold` | LivenessProbe threshold for marking as dead | `6` | -| `livenessProbe.timeoutSeconds`| 
LivenessProbe timeout delay | `1` | -| `startupProbe.initialDelaySeconds` | StartupProbe initial delay for SonarQube checking | `30` | -| `startupProbe.periodSeconds` | StartupProbe period between checking SonarQube | `10` | -| `startupProbe.sonarWebContext` | (DEPRECATED) SonarQube web context for StartupProbe, please use sonarWebContext at the value top level instead | `/` | -| `startupProbe.failureThreshold` | StartupProbe threshold for marking as failed | `24` | -| `startupProbe.timeoutSeconds`| StartupProbe timeout delay | `1` | +| Parameter | Description | Default | +| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------- | +| `readinessProbe` | ReadinessProbe for SonarQube | `exec; curl api/system/status` see `values.yaml` for details | +| `readinessProbe.initialDelaySeconds` | ReadinessProbe initial delay for SonarQube checking | `60` | +| `readinessProbe.periodSeconds` | ReadinessProbe period between checking SonarQube | `30` | +| `readinessProbe.failureThreshold` | ReadinessProbe threshold for marking as failed | `6` | +| `readinessProbe.timeoutSeconds` | ReadinessProbe timeout delay | `1` | +| `readinessProbe.sonarWebContext` | (DEPRECATED) SonarQube web context for readinessProbe, please use sonarWebContext at the value top level instead | `/` | +| `livenessProbe` | LivenessProbe for SonarQube | `exec: curl api/system/liveness` see `values.yaml` for details | +| `livenessProbe.initialDelaySeconds` | LivenessProbe initial delay for SonarQube checking | `60` | +| `livenessProbe.periodSeconds` | LivenessProbe period between checking SonarQube | `30` | +| `livenessProbe.failureThreshold` | LivenessProbe threshold for marking as failed | `6` | +| `livenessProbe.timeoutSeconds` | LivenessProbe timeout delay | `1` | +| `livenessProbe.sonarWebContext` | (DEPRECATED) SonarQube web context for 
LivenessProbe, please use sonarWebContext at the value top level instead | `/` | +| `startupProbe` | StartupProbe for SonarQube | `httpGet: api/system/status` | +| `startupProbe.initialDelaySeconds` | StartupProbe initial delay for SonarQube checking | `30` | +| `startupProbe.periodSeconds` | StartupProbe period between checking SonarQube | `10` | +| `startupProbe.failureThreshold` | StartupProbe threshold for marking as failed | `24` | +| `startupProbe.timeoutSeconds` | StartupProbe timeout delay | `1` | +| `startupProbe.sonarWebContext` | (DEPRECATED) SonarQube web context for StartupProbe, please use sonarWebContext at the value top level instead | `/` | ### InitContainers -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `initContainers.image` | Change init container image | `busybox:1.32` | -| `initContainers.securityContext` | SecurityContext for init containers | `None` | -| `initContainers.resources` | Resources for init containers | `{}` | -| `extraInitContainers` | Extra init containers to e.g. 
download required artifacts | `{}` | -| `caCerts.enabled` | Flag for enabling additional CA certificates | `false` | -| `caCerts.image` | Change init CA certificates container image | `adoptopenjdk/openjdk11:alpine` | -| `caCerts.secret` | Name of the secret containing additional CA certificates | `None` | -| `initSysctl.enabled` | Modify k8s worker to conform to system requirements | `true` | -| `initSysctl.vmMaxMapCount` | Set init sysctl container vm.max_map_count | `524288` | -| `initSysctl.fsFileMax` | Set init sysctl container fs.file-max | `131072` | -| `initSysctl.nofile` | Set init sysctl container open file descriptors limit | `131072` | -| `initSysctl.nproc` | Set init sysctl container open threads limit | `8192 ` | -| `initSysctl.image` | Change init sysctl container image | `busybox:1.32` | -| `initSysctl.securityContext` | InitSysctl container security context | `{privileged: true}` | -| `initSysctl.resources` | InitSysctl container resource requests & limits | `{}` | -| `initFs.enabled` | Enable file permission change with init container | `true` | -| `initFs.image` | InitFS container image | `busybox:1.32` | -| `initFs.securityContext.privileged` | InitFS container needs to run privileged | `true` | +| Parameter | Description | Default | +| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- | +| `initContainers.image` | Change init container image | `"image.repository":"image.tag"` | +| `initContainers.securityContext` | SecurityContext for init containers | [Restricted podSecurityStandard](#kubernetes---pod-security-standards) | +| `initContainers.resources` | Resources for init containers | `{}` | +| `extraInitContainers` | Extra init containers to e.g. 
download required artifacts | `{}` | +| `caCerts.enabled` | Flag for enabling additional CA certificates | `false` | +| `caCerts.image` | Change init CA certificates container image | `"image.repository":"image.tag"` | +| `caCerts.secret` | Name of the secret containing additional CA certificates. If defined, only secrets are going to be used. | `None` | +| `caCerts.configMap.name` | Name of the ConfigMap containing additional CA certificate. Ensure that `caCerts.secret` is not set if you want to use a `ConfigMap`. | `None` | +| `caCerts.configMap.key` | Name of the key containing the additional CA certificate | `None` | +| `caCerts.configMap.path` | Filename that should be used for the given CA certificate | `None` | +| `initSysctl.enabled` | Modify k8s worker to conform to system requirements | `true` | +| `initSysctl.vmMaxMapCount` | Set init sysctl container vm.max_map_count | `524288` | +| `initSysctl.fsFileMax` | Set init sysctl container fs.file-max | `131072` | +| `initSysctl.nofile` | Set init sysctl container open file descriptors limit | `131072` | +| `initSysctl.nproc` | Set init sysctl container open threads limit | `8192` | +| `initSysctl.image` | Change init sysctl container image | `"image.repository":"image.tag"` | +| `initSysctl.securityContext` | InitSysctl container security context | `{privileged: true}` | +| `initSysctl.resources` | InitSysctl container resource requests & limits | `{}` | +| `initFs.enabled` | Enable file permission change with init container | `true` | +| `initFs.image` | InitFS container image | `"image.repository":"image.tag"` | +| `initFs.securityContext.privileged` | InitFS container needs to run privileged | `true` | ### Monitoring (Prometheus Exporter) -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `prometheusExporter.enabled` | Use the Prometheus JMX exporter | `false` | -| `prometheusExporter.version` | jmx_prometheus_javaagent version to download from Maven Central | `0.17.2` | -| 
`prometheusExporter.noCheckCertificate` | Flag to not check server's certificate when downloading jmx_prometheus_javaagent | `false` | -| `prometheusExporter.webBeanPort` | Port where the jmx_prometheus_javaagent exposes the metrics for the webBean | `8000` | -| `prometheusExporter.ceBeanPort` | Port where the jmx_prometheus_javaagent exposes the metrics for the ceBean | `8001` | -| `prometheusExporter.downloadURL` | Alternative full download URL for the jmx_prometheus_javaagent.jar (overrides `prometheusExporter.version`) | `""` | -| `prometheusExporter.config` | Prometheus JMX exporter config yaml for the web process, and the CE process if `prometheusExporter.ceConfig` is not set | see `values.yaml` | -| `prometheusExporter.ceConfig` | Prometheus JMX exporter config yaml for the CE process (by default, `prometheusExporter.config` is used) | `None` | -| `prometheusExporter.httpProxy` | HTTP proxy for downloading JMX agent | `""` | -| `prometheusExporter.httpsProxy` | HTTPS proxy for downloading JMX agent | `""` | -| `prometheusExporter.noProxy` | No proxy for downloading JMX agent | `""` | -| `prometheusExporter.securityContext` | Security context for downloading the jmx agent | see `values.yaml` | +| Parameter | Description | Default | +| --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- | +| `prometheusExporter.enabled` | Use the Prometheus JMX exporter | `false` | +| `prometheusExporter.version` | jmx_prometheus_javaagent version to download from Maven Central | `0.17.2` | +| `prometheusExporter.noCheckCertificate` | Flag to not check server's certificate when downloading jmx_prometheus_javaagent | `false` | +| `prometheusExporter.webBeanPort` | Port where the jmx_prometheus_javaagent exposes the metrics for the webBean | `8000` | +| `prometheusExporter.ceBeanPort` | Port where 
the jmx_prometheus_javaagent exposes the metrics for the ceBean | `8001` | +| `prometheusExporter.downloadURL` | Alternative full download URL for the jmx_prometheus_javaagent.jar (overrides `prometheusExporter.version`) | `""` | +| `prometheusExporter.config` | Prometheus JMX exporter config yaml for the web process, and the CE process if `prometheusExporter.ceConfig` is not set | see `values.yaml` | +| `prometheusExporter.ceConfig` | Prometheus JMX exporter config yaml for the CE process (by default, `prometheusExporter.config` is used) | `None` | +| `prometheusExporter.httpProxy` | HTTP proxy for downloading JMX agent | `""` | +| `prometheusExporter.httpsProxy` | HTTPS proxy for downloading JMX agent | `""` | +| `prometheusExporter.noProxy` | No proxy for downloading JMX agent | `""` | +| `prometheusExporter.securityContext` | Security context for downloading the jmx agent | [Restricted podSecurityStandard](#kubernetes---pod-security-standards) | ### Monitoring (Prometheus PodMonitor) -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `prometheusMonitoring.podMonitor.enabled` | Enable Prometheus PodMonitor | `false` | -| `prometheusMonitoring.podMonitor.namespace` | Specify a custom namespace where the PodMonitor will be created | `default` | -| `prometheusMonitoring.podMonitor.interval` | Specify the interval how often metrics should be scraped | `30s` | -| `prometheusMonitoring.podMonitor.scrapeTimeout` | Specify the timeout after a scrape is ended | `None` | -| `prometheusMonitoring.podMonitor.jobLabel` | Name of the label on target services that prometheus uses as job name | `None` | - +| Parameter | Description | Default | +| ----------------------------------------------- | ----------------------------------------------------------------------------------------------------------- | -------------------------- | +| `prometheusMonitoring.podMonitor.enabled` | Enable Prometheus PodMonitor | `false` | +| 
`prometheusMonitoring.podMonitor.namespace` | (DEPRECATED) This value should not be set, as the PodMonitor's namespace has to match the Release Namespace | `{{ .Release.Namespace }}` | +| `prometheusMonitoring.podMonitor.interval` | Specify the interval how often metrics should be scraped | `30s` | +| `prometheusMonitoring.podMonitor.scrapeTimeout` | Specify the timeout after a scrape is ended | `None` | +| `prometheusMonitoring.podMonitor.jobLabel` | Name of the label on target services that prometheus uses as job name | `None` | +| `prometheusMonitoring.podMonitor.labels` | Additional labels to add to the PodMonitor | `{}` | ### Plugins -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `plugins.install` | Link(s) to the plugin JARs to download and install | `[]` | -| `plugins.resources` | Plugin Pod resource requests & limits | `{}` | -| `plugins.httpProxy` | For use behind a corporate proxy when downloading plugins | `""` | -| `plugins.httpsProxy` | For use behind a corporate proxy when downloading plugins | `""` | -| `plugins.noProxy` | For use behind a corporate proxy when downloading plugins | `""` | -| `plugins.image` | Image for plugins container | `""`| -| `plugins.resources` | Resources for plugins container | `{}` | -| `plugins.netrcCreds` | Name of the secret containing .netrc file to use creds when downloading plugins | `""` | -| `plugins.noCheckCertificate` | Flag to not check server's certificate when downloading plugins | `false` | -| `plugins.securityContext` | Security context for the container to download plugins | see `values.yaml` | +| Parameter | Description | Default | +| ---------------------------- | ------------------------------------------------------------------------------- | ---------------------------------------------------------------------- | +| `plugins.install` | Link(s) to the plugin JARs to download and install | `[]` | +| `plugins.resources` | Plugin Pod resource requests & limits | `{}` | +| 
`plugins.httpProxy` | For use behind a corporate proxy when downloading plugins | `""` |
+| `plugins.httpsProxy` | For use behind a corporate proxy when downloading plugins | `""` |
+| `plugins.noProxy` | For use behind a corporate proxy when downloading plugins | `""` |
+| `plugins.image` | Image for plugins container | `"image.repository":"image.tag"` |
+| `plugins.resources` | Resources for plugins container | `{}` |
+| `plugins.netrcCreds` | Name of the secret containing .netrc file to use creds when downloading plugins | `""` |
+| `plugins.noCheckCertificate` | Flag to not check server's certificate when downloading plugins | `false` |
+| `plugins.securityContext` | Security context for the container to download plugins | [Restricted podSecurityStandard](#kubernetes---pod-security-standards) |
 ### SonarQube Specific
-| Parameter | Description | Default |
-| --------- | ----------- | ------- |
-| `jvmOpts` | (DEPRECATED) Values to add to SONARQUBE_WEB_JVM_OPTS | `""` |
-| `jvmCeOpts` | (DEPRECATED) Values to add to SONAR_CE_JAVAOPTS | `""` |
-| `sonarqubeFolder` | Directory name of SonarQube | `/opt/sonarqube` |
-| `sonarProperties` | Custom `sonar.properties` key-value pairs (e.g., "sonarProperties.sonar.forceAuthentication=true") | `None` |
-| `sonarSecretProperties` | Additional `sonar.properties` key-value pairs to load from a secret | `None` |
-| `sonarSecretKey` | Name of existing secret used for settings encryption | `None` |
-| `monitoringPasscode` | Value for sonar.web.systemPasscode needed for LivenessProbes (encoded to Base64 format) | `define_it` |
-| `monitoringPasscodeSecretName` | Name of the secret where to load `monitoringPasscode` | `None` |
-| `monitoringPasscodeSecretKey` | Key of an existing secret containing `monitoringPasscode` | `None` |
-| `extraContainers` | Array of extra containers to run alongside the `sonarqube` container (aka. Sidecars) | `[]` |
-| `extraVolumes` | Array of extra volumes to add to the SonarQube deployment | `[]` |
-| `extraVolumeMounts` | Array of extra volume mounts to add to the SonarQube deployment | `[]` |
+| Parameter | Description | Default |
+| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
+| `jvmOpts` | (DEPRECATED) Values to add to `SONAR_WEB_JAVAOPTS`. Please set directly `SONAR_WEB_JAVAOPTS` or `sonar.web.javaOpts` | `""` |
+| `jvmCeOpts` | (DEPRECATED) Values to add to `SONAR_CE_JAVAOPTS`. Please set directly `SONAR_CE_JAVAOPTS` or `sonar.ce.javaOpts` | `""` |
+| `sonarqubeFolder` | (DEPRECATED) Directory name of SonarQube, Due to 1-1 mapping between helm version and docker version, there is no need for configuration | `/opt/sonarqube` |
+| `sonarProperties` | Custom `sonar.properties` key-value pairs (e.g., "sonarProperties.sonar.forceAuthentication=true") | `None` |
+| `sonarSecretProperties` | Additional `sonar.properties` key-value pairs to load from a secret | `None` |
+| `sonarSecretKey` | Name of existing secret used for settings encryption | `None` |
+| `monitoringPasscode` | Value for sonar.web.systemPasscode needed for LivenessProbes (encoded to Base64 format) | `define_it` |
+| `monitoringPasscodeSecretName` | Name of the secret where to load `monitoringPasscode` | `None` |
+| `monitoringPasscodeSecretKey` | Key of an existing secret containing `monitoringPasscode` | `None` |
+| `extraContainers` | Array of extra containers to run alongside the `sonarqube` container (aka. Sidecars) | `[]` |
+| `extraVolumes` | Array of extra volumes to add to the SonarQube deployment | `[]` |
+| `extraVolumeMounts` | Array of extra volume mounts to add to the SonarQube deployment | `[]` |
 ### Resources
-| Parameter | Description | Default |
-| --------- | ----------- | ------- |
-| `resources.requests.memory` | SonarQube memory request | `2Gi` |
-| `resources.requests.cpu` | SonarQube cpu request | `400m` |
-| `resources.limits.memory` | SonarQube memory limit | `4Gi` |
-| `resources.limits.cpu` | SonarQube cpu limit | `800m` |
+| Parameter | Description | Default |
+| -------------------------------------- | ------------------------- | ------- |
+| `resources.requests.memory` | SonarQube memory request | `2048M` |
+| `resources.requests.cpu` | SonarQube cpu request | `400m` |
+| `resources.requests.ephemeral-storage` | SonarQube storage request | `1536M` |
+| `resources.limits.memory` | SonarQube memory limit | `6144M` |
+| `resources.limits.cpu` | SonarQube cpu limit | `800m` |
+| `resources.limits.ephemeral-storage` | SonarQube storage limit | `500Gi` |
 ### Persistence
-| Parameter | Description | Default |
-| --------- | ----------- | ------- |
-| `persistence.enabled` | Flag for enabling persistent storage | `false` |
-| `persistence.annotations` | Kubernetes pvc annotations | `{}` |
-| `persistence.existingClaim` | Do not create a new PVC but use this one | `None` |
-| `persistence.storageClass` | Storage class to be used | `""` |
-| `persistence.accessMode` | Volumes access mode to be set | `ReadWriteOnce` |
-| `persistence.size` | Size of the volume | `5Gi` |
-| `persistence.volumes` | Specify extra volumes. Refer to ".spec.volumes" specification | `[]` |
-| `persistence.mounts` | Specify extra mounts. Refer to ".spec.containers.volumeMounts" specification | `[]` |
-| `emptyDir` | Configuration of resources for `emptyDir` | `{}` |
+| Parameter | Description | Default |
+| --------------------------- | ------------------------------------------------- | --------------- |
+| `persistence.enabled` | Flag for enabling persistent storage | `false` |
+| `persistence.annotations` | Kubernetes pvc annotations | `{}` |
+| `persistence.existingClaim` | Do not create a new PVC but use this one | `None` |
+| `persistence.storageClass` | Storage class to be used | `""` |
+| `persistence.accessMode` | Volumes access mode to be set | `ReadWriteOnce` |
+| `persistence.size` | Size of the volume | `5Gi` |
+| `persistence.volumes` | (DEPRECATED) Please use extraVolumes instead | `[]` |
+| `persistence.mounts` | (DEPRECATED) Please use extraVolumeMounts instead | `[]` |
+| `persistence.uid` | UID used for init-fs container | `1000` |
+| `persistence.guid` | GUID used for init-fs container | `0` |
+| `emptyDir` | Configuration of resources for `emptyDir` | `{}` |
 ### JDBC Overwrite
-| Parameter | Description | Default |
-| --------- | ----------- | ------- |
-| `jdbcOverwrite.enable` | Enable JDBC overwrites for external Databases (disables `postgresql.enabled`) | `false` |
-| `jdbcOverwrite.jdbcUrl` | The JDBC url to connect the external DB | `jdbc:postgresql://myPostgress/myDatabase?socketTimeout=1500` |
-| `jdbcOverwrite.jdbcUsername` | The DB user that should be used for the JDBC connection | `sonarUser` |
-| `jdbcOverwrite.jdbcPassword` | The DB password that should be used for the JDBC connection (Use this if you don't mind the DB password getting stored in plain text within the values file) | `sonarPass` |
-| `jdbcOverwrite.jdbcSecretName` | Alternatively, use a pre-existing k8s secret containing the DB password | `None` |
-| `jdbcOverwrite.jdbcSecretPasswordKey` | If the pre-existing k8s secret is used this allows the user to overwrite the 'key' of the password property in the secret | `None` |
-
-### Bundled Postgres Chart
-
-| Parameter | Description | Default |
-| --------- | ----------- | ------- |
-| `postgresql.enabled` | Set to `false` to use external server | `true` |
-| `postgresql.existingSecret` | existingSecret Name of existing secret to use for PostgreSQL passwords | `nil` |
-| `postgresql.postgresqlServer` | (DEPRECATED) Hostname of the external Postgresql server | `nil` |
-| `postgresql.postgresqlUsername` | Postgresql database user | `sonarUser` |
-| `postgresql.postgresqlPassword` | Postgresql database password | `sonarPass` |
-| `postgresql.postgresqlDatabase` | Postgresql database name | `sonarDB` |
-| `postgresql.service.port` | Postgresql port | `5432` |
-| `postgresql.resources.requests.memory` | Postgresql memory request | `256Mi` |
-| `postgresql.resources.requests.cpu` | Postgresql cpu request | `250m` |
-| `postgresql.resources.limits.memory` | Postgresql memory limit | `2Gi` |
-| `postgresql.resources.limits.cpu` | Postgresql cpu limit | `2` |
-| `postgresql.persistence.enabled` | Postgresql persistence en/disabled | `true` |
-| `postgresql.persistence.accessMode` | Postgresql persistence accessMode | `ReadWriteOnce` |
-| `postgresql.persistence.size` | Postgresql persistence size | `20Gi` |
-| `postgresql.persistence.storageClass` | Postgresql persistence storageClass | `""` |
-| `postgresql.securityContext.enabled` | Postgresql securityContext en/disabled | `true` |
-| `postgresql.securityContext.fsGroup` | Postgresql securityContext fsGroup | `1001` |
-| `postgresql.securityContext.runAsUser` | Postgresql securityContext runAsUser | `1001` |
-| `postgresql.volumePermissions.enabled` | Postgres vol permissions en/disabled | `false` |
-| `postgresql.volumePermissions.securityContext.runAsUser` | Postgres vol permissions secContext runAsUser | `0` |
-| `postgresql.shmVolume.chmod.enabled` | Postgresql shared memory vol en/disabled | `false` |
-| `postgresql.serivceAccount.enabled` | Postgresql service Account creation en/disabled | `false` |
-| `postgresql.serivceAccount.name` | Postgresql service Account name | `""` |
+| Parameter | Description | Default |
+| ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------ |
+| `jdbcOverwrite.enable` | (DEPRECATED) Enable JDBC overwrites for external Databases (disables `postgresql.enabled`) ,Please use jdbcOverwrite.enabled instead | `false` |
+| `jdbcOverwrite.enabled` | Enable JDBC overwrites for external Databases (disables `postgresql.enabled`) | `false` |
+| `jdbcOverwrite.jdbcUrl` | The JDBC url to connect the external DB | `jdbc:postgresql://myPostgress/myDatabase` |
+| `jdbcOverwrite.jdbcUsername` | The DB user that should be used for the JDBC connection | `sonarUser` |
+| `jdbcOverwrite.jdbcPassword` | (DEPRECATED) The DB password that should be used for the JDBC connection, please use `jdbcOverwrite.jdbcSecretName` and `jdbcOverwrite.jdbcSecretPasswordKey` | `sonarPass` |
+| `jdbcOverwrite.jdbcSecretName` | Alternatively, use a pre-existing k8s secret containing the DB password | `None` |
+| `jdbcOverwrite.jdbcSecretPasswordKey` | If the pre-existing k8s secret is used this allows the user to overwrite the 'key' of the password property in the secret | `None` |
+| `jdbcOverwrite.oracleJdbcDriver.url` | The URL of the Oracle JDBC driver to be downloaded | `None` |
+| `jdbcOverwrite.oracleJdbcDriver.netrcCreds` | Name of the secret containing .netrc file to use creds when downloading the Oracle JDBC driver | `None` |
+
+### Bundled PostgreSQL Chart (DEPRECATED)
+
+The bundled PostgreSQL Chart is deprecated. Please see for more information.
+
+| Parameter | Description | Default |
+| -------------------------------------------------------- | ---------------------------------------------------------------------- | --------------- |
+| `postgresql.enabled` | Set to `false` to use external server | `true` |
+| `postgresql.existingSecret` | existingSecret Name of existing secret to use for PostgreSQL passwords | `nil` |
+| `postgresql.postgresqlServer` | (DEPRECATED) Hostname of the external PostgreSQL server | `nil` |
+| `postgresql.postgresqlUsername` | PostgreSQL database user | `sonarUser` |
+| `postgresql.postgresqlPassword` | PostgreSQL database password | `sonarPass` |
+| `postgresql.postgresqlDatabase` | PostgreSQL database name | `sonarDB` |
+| `postgresql.service.port` | PostgreSQL port | `5432` |
+| `postgresql.resources.requests.memory` | PostgreSQL memory request | `256Mi` |
+| `postgresql.resources.requests.cpu` | PostgreSQL cpu request | `250m` |
+| `postgresql.resources.limits.memory` | PostgreSQL memory limit | `2Gi` |
+| `postgresql.resources.limits.cpu` | PostgreSQL cpu limit | `2` |
+| `postgresql.persistence.enabled` | PostgreSQL persistence en/disabled | `true` |
+| `postgresql.persistence.accessMode` | PostgreSQL persistence accessMode | `ReadWriteOnce` |
+| `postgresql.persistence.size` | PostgreSQL persistence size | `20Gi` |
+| `postgresql.persistence.storageClass` | PostgreSQL persistence storageClass | `""` |
+| `postgresql.securityContext.enabled` | PostgreSQL securityContext en/disabled | `false` |
+| `postgresql.securityContext` | PostgreSQL securityContext | `false` |
+| `postgresql.volumePermissions.enabled` | PostgreSQL vol permissions en/disabled | `false` |
+| `postgresql.volumePermissions.securityContext.runAsUser` | PostgreSQL vol permissions secContext runAsUser | `0` |
+| `postgresql.shmVolume.chmod.enabled` | PostgreSQL shared memory vol en/disabled | `false` |
+| `postgresql.serivceAccount.enabled` | PostgreSQL service Account creation en/disabled | `false` |
+| `postgresql.serivceAccount.name` | PostgreSQL service Account name | `""` |
 ### Tests
-| Parameter | Description | Default |
-|------------------------------|---------------------------------------------------------------| ------- |
-| `tests.enabled` | Flag that allows tests to be excluded from the generated yaml | `true` |
-| `tests.image` | Change test container image | `` |
+| Parameter | Description | Default |
+| ------------------------------- | ------------------------------------------------------------- | -------------------------------- |
+| `tests.enabled` | Flag that allows tests to be excluded from the generated yaml | `true` |
+| `tests.image` | Set the test container image | `"image.repository":"image.tag"` |
+| `tests.resources.limits.cpu` | CPU limit for test container | `500m` |
+| `tests.resources.limits.memory` | Memory limit for test container | `200M` |
 ### ServiceAccount
-| Parameter | Description | Default |
-|---------------------------------|--------------------------------------------------------------------------------------|-----------------------|
-| `serviceAccount.create` | If set to true, create a serviceAccount | `false` |
-| `serviceAccount.name` | Name of the serviceAccount to create/use | `sonarqube-sonarqube` |
-| `serviceAccount.automountToken` | Manage `automountServiceAccountToken` field for mounting service account credentials | `false` |
-| `serviceAccount.annotations` | Additional serviceAccount annotations | `{}` |
+| Parameter | Description | Default |
+| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
+| `serviceAccount.create` | If set to true, create a service account | `false` |
+| `serviceAccount.name` | Name of the service account to create/use | `sonarqube-sonarqube` |
+| `serviceAccount.automountToken` | Manage `automountServiceAccountToken` field for mounting service account credentials. Please note that this will set the default value used by SQ Pods, regardless of the service account being used. | `false` |
+| `serviceAccount.annotations` | Additional service account annotations | `{}` |
 ### ExtraConfig
-| Parameter | Description | Default |
-| --------- | ----------- | ------- |
-| `extraConfig.secrets` | A list of `Secret`s (which must contain key/value pairs) which may be loaded into the Scanner as environment variables | `[]` |
-| `extraConfig.configmaps` | A list of `ConfigMap`s (which must contain key/value pairs) which may be loaded into the Scanner as environment variables | `[]` |
+| Parameter | Description | Default |
+| ------------------------ | ----------------------------------------------------------- | ------- |
+| `extraConfig.secrets` | A list of `Secret`s (which must contain key/value pairs) | `[]` |
+| `extraConfig.configmaps` | A list of `ConfigMap`s (which must contain key/value pairs) | `[]` |
+
+### SetAdminPassword
+
+| Parameter | Description | Default |
+| -------------------------------------------- | ------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------- |
+| `setAdminPassword.newPassword` | Custom admin password | `AdminAdmin_12$` |
+| `setAdminPassword.currentPassword` | Current admin password | `admin` |
+| `setAdminPassword.passwordSecretName` | Secret containing `password` (custom password) and `currentPassword` (current password) keys for admin | `None` |
+| `setAdminPassword.resources.requests.memory` | Memory request for Admin hook | `128Mi` |
+| `setAdminPassword.resources.requests.cpu` | CPU request for Admin hook | `100m` |
+| `setAdminPassword.resources.limits.memory` | Memory limit for Admin hook | `128Mi` |
+| `setAdminPassword.resources.limits.cpu` | CPU limit for Admin hook | `100m` |
+| `setAdminPassword.securityContext` | SecurityContext for change-password-hook | [Restricted podSecurityStandard](#kubernetes---pod-security-standards) |
+| `setAdminPassword.image` | Curl container image | `"image.repository":"image.tag"` |
+| `setAdminPassword.annotations` | Custom annotations for admin hook Job | `{}` |
 ### Advanced Options
-| Parameter | Description | Default |
-| --------- | ----------- | ------- |
-| `account.adminPassword` | Custom admin password | `admin` |
-| `account.currentAdminPassword` | Current admin password | `admin` |
-| `account.adminPasswordSecretName` | Secret containing `password` (custom password) and `currentPassword` (current password) keys for admin | `None` |
-| `account.resources.requests.memory` | Memory request for Admin hook | `128Mi` |
-| `account.resources.requests.cpu` | CPU request for Admin hook | `100m` |
-| `account.resources.limits.memory` | Memory limit for Admin hook | `128Mi` |
-| `account.resources.limits.cpu` | CPU limit for Admin hook | `100m` |
-| `account.sonarWebContext` | (DEPRECATED) SonarQube web context for Admin hook. please use sonarWebContext at the value top level instead | `nil` |
-| `account.securityContext` | SecurityContext for change-password-hook | `{}` |
-| `curlContainerImage` | Curl container image | `curlimages/curl:8.2.0` |
-| `adminJobAnnotations` | Custom annotations for admin hook Job | `{}` |
-| `terminationGracePeriodSeconds` | Configuration of `terminationGracePeriodSeconds` | `60` |
-
-You can also configure values for the PostgreSQL database via the Postgresql [Chart](https://hub.helm.sh/charts/bitnami/postgresql)
+| Parameter | Description | Default |
+| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------- |
+| `account.adminPassword` | (DEPRECATED) Custom admin password. Please use `setAdminPassword.newPassword` instead. | `AdminAdmin_12$` |
+| `account.currentAdminPassword` | (DEPRECATED) Current admin password. Please use `setAdminPassword.currentPassword` instead. | `admin` |
+| `account.adminPasswordSecretName` | (DEPRECATED) Secret containing `password` (custom password) and `currentPassword` (current password) keys for admin. Please use `setAdminPassword.passwordSecretName` instead. | `None` |
+| `account.resources.requests.memory` | (DEPRECATED) Memory request for Admin hook. Please use `setAdminPassword.resources.requests.memory` instead. | `128Mi` |
+| `account.resources.requests.cpu` | (DEPRECATED) CPU request for Admin hook. Please use `setAdminPassword.resources.requests.cpu` instead. | `100m` |
+| `account.resources.limits.memory` | (DEPRECATED) Memory limit for Admin hook. Please use `setAdminPassword.resources.limits.memory` instead. | `128Mi` |
+| `account.resources.limits.cpu` | (DEPRECATED) CPU limit for Admin hook. Please use `setAdminPassword.resources.limits.cpu` instead. | `100m` |
+| `account.sonarWebContext` | (DEPRECATED) SonarQube web context for Admin hook. Please use `sonarWebContext` at the value top level instead | `nil` |
+| `account.securityContext` | (DEPRECATED) SecurityContext for change-password-hook. Please use `setAdminPassword.securityContext` instead. | [Restricted podSecurityStandard](#kubernetes---pod-security-standards) |
+| `curlContainerImage` | (DEPRECATED) Curl container image. Please use `setAdminPassword.image` instead. | `"image.repository":"image.tag"` |
+| `adminJobAnnotations` | (DEPRECATED) Custom annotations for admin hook Job. Please use `setAdminPassword.annotations` instead. | `{}` |
+| `terminationGracePeriodSeconds` | Configuration of `terminationGracePeriodSeconds` | `60` |
+
+You can also configure values for the PostgreSQL database via the PostgreSQL [Chart](https://hub.helm.sh/charts/bitnami/postgresql)
 For overriding variables see: [Customizing the chart](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing)
@@ -493,7 +622,7 @@ In environments with air-gapped setup, especially with internal tooling (repos)
 Since SonarQube comes bundled with an Elasticsearch instance, some [bootstrap checks](https://www.elastic.co/guide/en/elasticsearch/reference/master/bootstrap-checks.html) of the host settings are done at start.
-This chart offers the option to use an initContainer in privilaged mode to automatically set certain kernel settings on the kube worker. While this can ensure proper functionality of Elasticsearch, modifying the underlying kernel settings on the Kubernetes node can impact other users. It may be best to work with your cluster administrator to either provide specific nodes with the proper kernel settings, or ensure they are set cluster wide.
+This chart offers the option to use an initContainer in privileged mode to automatically set certain kernel settings on the kube worker. While this can ensure proper functionality of Elasticsearch, modifying the underlying kernel settings on the Kubernetes node can impact other users. It may be best to work with your cluster administrator to either provide specific nodes with the proper kernel settings, or ensure they are set cluster wide.
 To enable auto-configuration of the kube worker node, set `elasticsearch.configureNode` to `true`. This is the default behavior, so you do not need to explicitly set this.
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/.helmignore b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/.helmignore
index 50af03172..109b40811 100644
--- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/.helmignore
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/.helmignore
@@ -20,3 +20,4 @@
 .idea/
 *.tmproj
 .vscode/
+__snapshot__
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/CHANGELOG.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/CHANGELOG.md
deleted file mode 100644
index 7d81ac1bd..000000000
--- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/CHANGELOG.md
+++ /dev/null
@@ -1,460 +0,0 @@
-# Changelog
-
-This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
-
-### 4.4.0
-
-* Adding support for disabling liveness and readiness probes to the Helm chart by @njegosrailic in https://github.com/kubernetes/ingress-nginx/pull/9238
-* add:(admission-webhooks) ability to set securityContext by @ybelMekk in https://github.com/kubernetes/ingress-nginx/pull/9186
-* #7652 - Updated Helm chart to use the fullname for the electionID if not specified. by @FutureMatt in https://github.com/kubernetes/ingress-nginx/pull/9133
-* Rename controller-wehbooks-networkpolicy.yaml. by @Gacko in https://github.com/kubernetes/ingress-nginx/pull/9123
-
-### 4.3.0
-- Support for Kubernetes v.1.25.0 was added and support for endpoint slices
-- Support for Kubernetes v1.20.0 and v1.21.0 was removed
-- [8890](https://github.com/kubernetes/ingress-nginx/pull/8890) migrate to endpointslices
-- [9059](https://github.com/kubernetes/ingress-nginx/pull/9059) kubewebhookcertgen sha change after go1191
-- [9046](https://github.com/kubernetes/ingress-nginx/pull/9046) Parameterize metrics port name
-- [9104](https://github.com/kubernetes/ingress-nginx/pull/9104) Fix yaml formatting error with multiple annotations
-
-### 4.2.1
-
-- The sha of kube-webhook-certgen image & the opentelemetry image, in values file, was changed to new images built on alpine-v3.16.1
-- "[8896](https://github.com/kubernetes/ingress-nginx/pull/8896) updated to new images built today"
-
-### 4.2.0
-
-- Support for Kubernetes v1.19.0 was removed
-- "[8810](https://github.com/kubernetes/ingress-nginx/pull/8810) Prepare for v1.3.0"
-- "[8808](https://github.com/kubernetes/ingress-nginx/pull/8808) revert arch var name"
-- "[8805](https://github.com/kubernetes/ingress-nginx/pull/8805) Bump k8s.io/klog/v2 from 2.60.1 to 2.70.1"
-- "[8803](https://github.com/kubernetes/ingress-nginx/pull/8803) Update to nginx base with alpine v3.16"
-- "[8802](https://github.com/kubernetes/ingress-nginx/pull/8802) chore: start v1.3.0 release process"
-- "[8798](https://github.com/kubernetes/ingress-nginx/pull/8798) Add v1.24.0 to test matrix"
-- "[8796](https://github.com/kubernetes/ingress-nginx/pull/8796) fix: add MAC_OS variable for static-check"
-- "[8793](https://github.com/kubernetes/ingress-nginx/pull/8793) changed to alpine-v3.16"
-- "[8781](https://github.com/kubernetes/ingress-nginx/pull/8781) Bump github.com/stretchr/testify from 1.7.5 to 1.8.0"
-- "[8778](https://github.com/kubernetes/ingress-nginx/pull/8778) chore: remove stable.txt from release process"
-- "[8775](https://github.com/kubernetes/ingress-nginx/pull/8775) Remove stable"
-- "[8773](https://github.com/kubernetes/ingress-nginx/pull/8773) Bump github/codeql-action from 2.1.14 to 2.1.15"
-- "[8772](https://github.com/kubernetes/ingress-nginx/pull/8772) Bump ossf/scorecard-action from 1.1.1 to 1.1.2"
-- "[8771](https://github.com/kubernetes/ingress-nginx/pull/8771) fix bullet md format"
-- "[8770](https://github.com/kubernetes/ingress-nginx/pull/8770) Add condition for monitoring.coreos.com/v1 API"
-- "[8769](https://github.com/kubernetes/ingress-nginx/pull/8769) Fix typos and add links to developer guide"
-- "[8767](https://github.com/kubernetes/ingress-nginx/pull/8767) change v1.2.0 to v1.2.1 in deploy doc URLs"
-- "[8765](https://github.com/kubernetes/ingress-nginx/pull/8765) Bump github/codeql-action from 1.0.26 to 2.1.14"
-- "[8752](https://github.com/kubernetes/ingress-nginx/pull/8752) Bump github.com/spf13/cobra from 1.4.0 to 1.5.0"
-- "[8751](https://github.com/kubernetes/ingress-nginx/pull/8751) Bump github.com/stretchr/testify from 1.7.2 to 1.7.5"
-- "[8750](https://github.com/kubernetes/ingress-nginx/pull/8750) added announcement"
-- "[8740](https://github.com/kubernetes/ingress-nginx/pull/8740) change sha e2etestrunner and echoserver"
-- "[8738](https://github.com/kubernetes/ingress-nginx/pull/8738) Update docs to make it easier for noobs to follow step by step"
-- "[8737](https://github.com/kubernetes/ingress-nginx/pull/8737) updated baseimage sha"
-- "[8736](https://github.com/kubernetes/ingress-nginx/pull/8736) set ld-musl-path"
-- "[8733](https://github.com/kubernetes/ingress-nginx/pull/8733) feat: migrate leaderelection lock to leases"
-- "[8726](https://github.com/kubernetes/ingress-nginx/pull/8726) prometheus metric: upstream_latency_seconds"
-- "[8720](https://github.com/kubernetes/ingress-nginx/pull/8720) Ci pin deps"
-- "[8719](https://github.com/kubernetes/ingress-nginx/pull/8719) Working OpenTelemetry sidecar (base nginx image)"
-- "[8714](https://github.com/kubernetes/ingress-nginx/pull/8714) Create Openssf scorecard"
-- "[8708](https://github.com/kubernetes/ingress-nginx/pull/8708) Bump github.com/prometheus/common from 0.34.0 to 0.35.0"
-- "[8703](https://github.com/kubernetes/ingress-nginx/pull/8703) Bump actions/dependency-review-action from 1 to 2"
-- "[8701](https://github.com/kubernetes/ingress-nginx/pull/8701) Fix several typos"
-- "[8699](https://github.com/kubernetes/ingress-nginx/pull/8699) fix the gosec test and a make target for it"
-- "[8698](https://github.com/kubernetes/ingress-nginx/pull/8698) Bump actions/upload-artifact from 2.3.1 to 3.1.0"
-- "[8697](https://github.com/kubernetes/ingress-nginx/pull/8697) Bump actions/setup-go from 2.2.0 to 3.2.0"
-- "[8695](https://github.com/kubernetes/ingress-nginx/pull/8695) Bump actions/download-artifact from 2 to 3"
-- "[8694](https://github.com/kubernetes/ingress-nginx/pull/8694) Bump crazy-max/ghaction-docker-buildx from 1.6.2 to 3.3.1"
-
-### 4.1.2
-
-- "[8587](https://github.com/kubernetes/ingress-nginx/pull/8587) Add CAP_SYS_CHROOT to DS/PSP when needed"
-- "[8458](https://github.com/kubernetes/ingress-nginx/pull/8458) Add portNamePreffix Helm chart parameter"
-- "[8522](https://github.com/kubernetes/ingress-nginx/pull/8522) Add documentation for controller.service.loadBalancerIP in Helm chart"
-
-### 4.1.0
-
-- "[8481](https://github.com/kubernetes/ingress-nginx/pull/8481) Fix log creation in chroot script"
-- "[8479](https://github.com/kubernetes/ingress-nginx/pull/8479) changed nginx base img tag to img built with alpine3.14.6"
-- "[8478](https://github.com/kubernetes/ingress-nginx/pull/8478) update base images and protobuf gomod"
-- "[8468](https://github.com/kubernetes/ingress-nginx/pull/8468) Fallback to ngx.var.scheme for redirectScheme with use-forward-headers when X-Forwarded-Proto is empty"
-- "[8456](https://github.com/kubernetes/ingress-nginx/pull/8456) Implement object deep inspector"
-- "[8455](https://github.com/kubernetes/ingress-nginx/pull/8455) Update dependencies"
-- "[8454](https://github.com/kubernetes/ingress-nginx/pull/8454) Update index.md"
-- "[8447](https://github.com/kubernetes/ingress-nginx/pull/8447) typo fixing"
-- "[8446](https://github.com/kubernetes/ingress-nginx/pull/8446) Fix suggested annotation-value-word-blocklist"
-- "[8444](https://github.com/kubernetes/ingress-nginx/pull/8444) replace deprecated topology key in example with current one"
-- "[8443](https://github.com/kubernetes/ingress-nginx/pull/8443) Add dependency review enforcement"
-- "[8434](https://github.com/kubernetes/ingress-nginx/pull/8434) added new auth-tls-match-cn annotation"
-- "[8426](https://github.com/kubernetes/ingress-nginx/pull/8426) Bump github.com/prometheus/common from 0.32.1 to 0.33.0"
-
-### 4.0.18
-
-- "[8291](https://github.com/kubernetes/ingress-nginx/pull/8291) remove git tag env from cloud build"
-- "[8286](https://github.com/kubernetes/ingress-nginx/pull/8286) Fix OpenTelemetry sidecar image build"
-- "[8277](https://github.com/kubernetes/ingress-nginx/pull/8277) Add OpenSSF Best practices badge"
-- "[8273](https://github.com/kubernetes/ingress-nginx/pull/8273) Issue#8241"
-- "[8267](https://github.com/kubernetes/ingress-nginx/pull/8267) Add fsGroup value to admission-webhooks/job-patch charts"
-- "[8262](https://github.com/kubernetes/ingress-nginx/pull/8262) Updated confusing error"
-- "[8256](https://github.com/kubernetes/ingress-nginx/pull/8256) fix: deny locations with invalid auth-url annotation"
-- "[8253](https://github.com/kubernetes/ingress-nginx/pull/8253) Add a certificate info metric"
-- "[8236](https://github.com/kubernetes/ingress-nginx/pull/8236) webhook: remove useless code."
-- "[8227](https://github.com/kubernetes/ingress-nginx/pull/8227) Update libraries in webhook image"
-- "[8225](https://github.com/kubernetes/ingress-nginx/pull/8225) fix inconsistent-label-cardinality for prometheus metrics: nginx_ingress_controller_requests"
-- "[8221](https://github.com/kubernetes/ingress-nginx/pull/8221) Do not validate ingresses with unknown ingress class in admission webhook endpoint"
-- "[8210](https://github.com/kubernetes/ingress-nginx/pull/8210) Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.1"
-- "[8209](https://github.com/kubernetes/ingress-nginx/pull/8209) Bump google.golang.org/grpc from 1.43.0 to 1.44.0"
-- "[8204](https://github.com/kubernetes/ingress-nginx/pull/8204) Add Artifact Hub lint"
-- "[8203](https://github.com/kubernetes/ingress-nginx/pull/8203) Fix Indentation of example and link to cert-manager tutorial"
-- "[8201](https://github.com/kubernetes/ingress-nginx/pull/8201) feat(metrics): add path and method labels to requests countera"
-- "[8199](https://github.com/kubernetes/ingress-nginx/pull/8199) use functional options to reduce number of methods creating an EchoDeployment"
-- "[8196](https://github.com/kubernetes/ingress-nginx/pull/8196) docs: fix inconsistent controller annotation"
-- "[8191](https://github.com/kubernetes/ingress-nginx/pull/8191) Using Go install for misspell"
-- "[8186](https://github.com/kubernetes/ingress-nginx/pull/8186) prometheus+grafana using servicemonitor"
-- "[8185](https://github.com/kubernetes/ingress-nginx/pull/8185) Append elements on match, instead of removing for cors-annotations"
-- "[8179](https://github.com/kubernetes/ingress-nginx/pull/8179) Bump github.com/opencontainers/runc from 1.0.3 to 1.1.0"
-- "[8173](https://github.com/kubernetes/ingress-nginx/pull/8173) Adding annotations to the controller service account"
-- "[8163](https://github.com/kubernetes/ingress-nginx/pull/8163) Update the $req_id placeholder description"
-- "[8162](https://github.com/kubernetes/ingress-nginx/pull/8162) Versioned static manifests"
-- "[8159](https://github.com/kubernetes/ingress-nginx/pull/8159) Adding some geoip variables and default values"
-- "[8155](https://github.com/kubernetes/ingress-nginx/pull/8155) #7271 feat: avoid-pdb-creation-when-default-backend-disabled-and-replicas-gt-1"
-- "[8151](https://github.com/kubernetes/ingress-nginx/pull/8151) Automatically generate helm docs"
-- "[8143](https://github.com/kubernetes/ingress-nginx/pull/8143) Allow to configure delay before controller exits"
-- "[8136](https://github.com/kubernetes/ingress-nginx/pull/8136) add ingressClass option to helm chart - back compatibility with ingress.class annotations"
-- "[8126](https://github.com/kubernetes/ingress-nginx/pull/8126) Example for JWT"
-
-
-### 4.0.15
-
-- [8120] https://github.com/kubernetes/ingress-nginx/pull/8120 Update go in runner and release v1.1.1
-- [8119] https://github.com/kubernetes/ingress-nginx/pull/8119 Update to go v1.17.6
-- [8118] https://github.com/kubernetes/ingress-nginx/pull/8118 Remove deprecated libraries, update other libs
-- [8117] https://github.com/kubernetes/ingress-nginx/pull/8117 Fix codegen errors
-- [8115] https://github.com/kubernetes/ingress-nginx/pull/8115 chart/ghaction: set the correct permission to have access to push a release
-- [8098] https://github.com/kubernetes/ingress-nginx/pull/8098 generating SHA for CA only certs in backend_ssl.go + comparison of P…
-- [8088] https://github.com/kubernetes/ingress-nginx/pull/8088 Fix Edit this page link to use main branch
-- [8072] https://github.com/kubernetes/ingress-nginx/pull/8072 Expose GeoIP2 Continent code as variable
-- [8061] https://github.com/kubernetes/ingress-nginx/pull/8061 docs(charts): using helm-docs for chart
-- [8058] https://github.com/kubernetes/ingress-nginx/pull/8058 Bump github.com/spf13/cobra from 1.2.1 to 1.3.0
-- [8054] https://github.com/kubernetes/ingress-nginx/pull/8054 Bump google.golang.org/grpc from 1.41.0 to 1.43.0
-- [8051] https://github.com/kubernetes/ingress-nginx/pull/8051 align bug report with feature request regarding kind documentation
-- [8046] https://github.com/kubernetes/ingress-nginx/pull/8046 Report expired certificates (#8045)
-- [8044] https://github.com/kubernetes/ingress-nginx/pull/8044 remove G109 check till gosec resolves issues
-- [8042] https://github.com/kubernetes/ingress-nginx/pull/8042 docs_multiple_instances_one_cluster_ticket_7543
-- [8041] https://github.com/kubernetes/ingress-nginx/pull/8041 docs: fix typo'd executable name
-- [8035] https://github.com/kubernetes/ingress-nginx/pull/8035 Comment busy owners
-- [8029] https://github.com/kubernetes/ingress-nginx/pull/8029 Add stream-snippet as a ConfigMap and Annotation option
-- [8023] https://github.com/kubernetes/ingress-nginx/pull/8023 fix nginx compilation flags
-- [8021] https://github.com/kubernetes/ingress-nginx/pull/8021 Disable default modsecurity_rules_file if modsecurity-snippet is specified
-- [8019] https://github.com/kubernetes/ingress-nginx/pull/8019 Revise main documentation page
-- [8018] https://github.com/kubernetes/ingress-nginx/pull/8018 Preserve order of plugin invocation
-- [8015] https://github.com/kubernetes/ingress-nginx/pull/8015 Add newline indenting to admission webhook annotations
-- [8014] https://github.com/kubernetes/ingress-nginx/pull/8014 Add link to example error page manifest in docs
-- [8009] https://github.com/kubernetes/ingress-nginx/pull/8009 Fix spelling in documentation and top-level files
-- [8008] https://github.com/kubernetes/ingress-nginx/pull/8008 Add relabelings in controller-servicemonitor.yaml
-- [8003] https://github.com/kubernetes/ingress-nginx/pull/8003 Minor improvements (formatting, consistency) in install guide
-- [8001] https://github.com/kubernetes/ingress-nginx/pull/8001 fix: go-grpc Dockerfile
-- [7999] https://github.com/kubernetes/ingress-nginx/pull/7999 images: use k8s-staging-test-infra/gcb-docker-gcloud
-- [7996] https://github.com/kubernetes/ingress-nginx/pull/7996 doc: improvement
-- [7983] https://github.com/kubernetes/ingress-nginx/pull/7983 Fix a couple of misspellings in the annotations documentation.
-- [7979] https://github.com/kubernetes/ingress-nginx/pull/7979 allow set annotations for admission Jobs
-- [7977] https://github.com/kubernetes/ingress-nginx/pull/7977 Add ssl_reject_handshake to default server
-- [7975] https://github.com/kubernetes/ingress-nginx/pull/7975 add legacy version update v0.50.0 to main changelog
-- [7972] https://github.com/kubernetes/ingress-nginx/pull/7972 updated service upstream definition
-
-### 4.0.14
-
-- [8061] https://github.com/kubernetes/ingress-nginx/pull/8061 Using helm-docs to populate values table in README.md
-
-### 4.0.13
-
-- [8008] https://github.com/kubernetes/ingress-nginx/pull/8008 Add relabelings in controller-servicemonitor.yaml
-
-### 4.0.12
-
-- [7978] https://github.com/kubernetes/ingress-nginx/pull/7979 Support custom annotations in admissions Jobs
-
-### 4.0.11
-
-- [7873] https://github.com/kubernetes/ingress-nginx/pull/7873 Makes the [appProtocol](https://kubernetes.io/docs/concepts/services-networking/_print/#application-protocol) field optional.
- -### 4.0.10 - -- [7964] https://github.com/kubernetes/ingress-nginx/pull/7964 Update controller version to v1.1.0 - -### 4.0.9 - -- [6992] https://github.com/kubernetes/ingress-nginx/pull/6992 Add ability to specify labels for all resources - -### 4.0.7 - -- [7923] https://github.com/kubernetes/ingress-nginx/pull/7923 Release v1.0.5 of ingress-nginx -- [7806] https://github.com/kubernetes/ingress-nginx/pull/7806 Choice option for internal/external loadbalancer type service - -### 4.0.6 - -- [7804] https://github.com/kubernetes/ingress-nginx/pull/7804 Release v1.0.4 of ingress-nginx -- [7651] https://github.com/kubernetes/ingress-nginx/pull/7651 Support ipFamilyPolicy and ipFamilies fields in Helm Chart -- [7798] https://github.com/kubernetes/ingress-nginx/pull/7798 Exoscale: use HTTP Healthcheck mode -- [7793] https://github.com/kubernetes/ingress-nginx/pull/7793 Update kube-webhook-certgen to v1.1.1 - -### 4.0.5 - -- [7740] https://github.com/kubernetes/ingress-nginx/pull/7740 Release v1.0.3 of ingress-nginx - -### 4.0.3 - -- [7707] https://github.com/kubernetes/ingress-nginx/pull/7707 Release v1.0.2 of ingress-nginx - -### 4.0.2 - -- [7681] https://github.com/kubernetes/ingress-nginx/pull/7681 Release v1.0.1 of ingress-nginx - -### 4.0.1 - -- [7535] https://github.com/kubernetes/ingress-nginx/pull/7535 Release v1.0.0 ingress-nginx - -### 3.34.0 - -- [7256] https://github.com/kubernetes/ingress-nginx/pull/7256 Add namespace field in the namespace scoped resource templates - -### 3.33.0 - -- [7164] https://github.com/kubernetes/ingress-nginx/pull/7164 Update nginx to v1.20.1 - -### 3.32.0 - -- [7117] https://github.com/kubernetes/ingress-nginx/pull/7117 Add annotations for HPA - -### 3.31.0 - -- [7137] https://github.com/kubernetes/ingress-nginx/pull/7137 Add support for custom probes - -### 3.30.0 - -- [#7092](https://github.com/kubernetes/ingress-nginx/pull/7092) Removes the possibility of using localhost in ExternalNames as endpoints - -### 3.29.0 - -- [X] 
[#6945](https://github.com/kubernetes/ingress-nginx/pull/7020) Add option to specify job label for ServiceMonitor - -### 3.28.0 - -- [ ] [#6900](https://github.com/kubernetes/ingress-nginx/pull/6900) Support existing PSPs - -### 3.27.0 - -- Update ingress-nginx v0.45.0 - -### 3.26.0 - -- [X] [#6979](https://github.com/kubernetes/ingress-nginx/pull/6979) Changed servicePort value for metrics - -### 3.25.0 - -- [X] [#6957](https://github.com/kubernetes/ingress-nginx/pull/6957) Add ability to specify automountServiceAccountToken - -### 3.24.0 - -- [X] [#6908](https://github.com/kubernetes/ingress-nginx/pull/6908) Add volumes to default-backend deployment - -### 3.23.0 - -- Update ingress-nginx v0.44.0 - -### 3.22.0 - -- [X] [#6802](https://github.com/kubernetes/ingress-nginx/pull/6802) Add value for configuring a custom Diffie-Hellman parameters file -- [X] [#6815](https://github.com/kubernetes/ingress-nginx/pull/6815) Allow use of numeric namespaces in helm chart - -### 3.21.0 - -- [X] [#6783](https://github.com/kubernetes/ingress-nginx/pull/6783) Add custom annotations to ScaledObject -- [X] [#6761](https://github.com/kubernetes/ingress-nginx/pull/6761) Adding quotes in the serviceAccount name in Helm values -- [X] [#6767](https://github.com/kubernetes/ingress-nginx/pull/6767) Remove ClusterRole when scope option is enabled -- [X] [#6785](https://github.com/kubernetes/ingress-nginx/pull/6785) Update kube-webhook-certgen image to v1.5.1 - -### 3.20.1 - -- Do not create KEDA in case of DaemonSets. -- Fix KEDA v2 definition - -### 3.20.0 - -- [X] [#6730](https://github.com/kubernetes/ingress-nginx/pull/6730) Do not create HPA for defaultBackend if not enabled. 
- -### 3.19.0 - -- Update ingress-nginx v0.43.0 - -### 3.18.0 - -- [X] [#6688](https://github.com/kubernetes/ingress-nginx/pull/6688) Allow volume-type emptyDir in controller podsecuritypolicy -- [X] [#6691](https://github.com/kubernetes/ingress-nginx/pull/6691) Improve parsing of helm parameters - -### 3.17.0 - -- Update ingress-nginx v0.42.0 - -### 3.16.1 - -- Fix chart-releaser action - -### 3.16.0 - -- [X] [#6646](https://github.com/kubernetes/ingress-nginx/pull/6646) Added LoadBalancerIP value for internal service - -### 3.15.1 - -- Fix chart-releaser action - -### 3.15.0 - -- [X] [#6586](https://github.com/kubernetes/ingress-nginx/pull/6586) Fix 'maxmindLicenseKey' location in values.yaml - -### 3.14.0 - -- [X] [#6469](https://github.com/kubernetes/ingress-nginx/pull/6469) Allow custom service names for controller and backend - -### 3.13.0 - -- [X] [#6544](https://github.com/kubernetes/ingress-nginx/pull/6544) Fix default backend HPA name variable - -### 3.12.0 - -- [X] [#6514](https://github.com/kubernetes/ingress-nginx/pull/6514) Remove helm2 support and update docs - -### 3.11.1 - -- [X] [#6505](https://github.com/kubernetes/ingress-nginx/pull/6505) Reorder HPA resource list to work with GitOps tooling - -### 3.11.0 - -- Support Keda Autoscaling - -### 3.10.1 - -- Fix regression introduced in 0.41.0 with external authentication - -### 3.10.0 - -- Fix routing regression introduced in 0.41.0 with PathType Exact - -### 3.9.0 - -- [X] [#6423](https://github.com/kubernetes/ingress-nginx/pull/6423) Add Default backend HPA autoscaling - -### 3.8.0 - -- [X] [#6395](https://github.com/kubernetes/ingress-nginx/pull/6395) Update jettech/kube-webhook-certgen image -- [X] [#6377](https://github.com/kubernetes/ingress-nginx/pull/6377) Added loadBalancerSourceRanges for internal lbs -- [X] [#6356](https://github.com/kubernetes/ingress-nginx/pull/6356) Add securitycontext settings on defaultbackend -- [X] [#6401](https://github.com/kubernetes/ingress-nginx/pull/6401) Fix 
controller service annotations -- [X] [#6403](https://github.com/kubernetes/ingress-nginx/pull/6403) Initial helm chart changelog - -### 3.7.1 - -- [X] [#6326](https://github.com/kubernetes/ingress-nginx/pull/6326) Fix liveness and readiness probe path in daemonset chart - -### 3.7.0 - -- [X] [#6316](https://github.com/kubernetes/ingress-nginx/pull/6316) Numerals in podAnnotations in quotes [#6315](https://github.com/kubernetes/ingress-nginx/issues/6315) - -### 3.6.0 - -- [X] [#6305](https://github.com/kubernetes/ingress-nginx/pull/6305) Add default linux nodeSelector - -### 3.5.1 - -- [X] [#6299](https://github.com/kubernetes/ingress-nginx/pull/6299) Fix helm chart release - -### 3.5.0 - -- [X] [#6260](https://github.com/kubernetes/ingress-nginx/pull/6260) Allow Helm Chart to customize admission webhook's annotations, timeoutSeconds, namespaceSelector, objectSelector and cert files locations - -### 3.4.0 - -- [X] [#6268](https://github.com/kubernetes/ingress-nginx/pull/6268) Update to 0.40.2 in helm chart #6288 - -### 3.3.1 - -- [X] [#6259](https://github.com/kubernetes/ingress-nginx/pull/6259) Release helm chart -- [X] [#6258](https://github.com/kubernetes/ingress-nginx/pull/6258) Fix chart markdown link -- [X] [#6253](https://github.com/kubernetes/ingress-nginx/pull/6253) Release v0.40.0 - -### 3.3.1 - -- [X] [#6233](https://github.com/kubernetes/ingress-nginx/pull/6233) Add admission controller e2e test - -### 3.3.0 - -- [X] [#6203](https://github.com/kubernetes/ingress-nginx/pull/6203) Refactor parsing of key values -- [X] [#6162](https://github.com/kubernetes/ingress-nginx/pull/6162) Add helm chart options to expose metrics service as NodePort -- [X] [#6180](https://github.com/kubernetes/ingress-nginx/pull/6180) Fix helm chart admissionReviewVersions regression -- [X] [#6169](https://github.com/kubernetes/ingress-nginx/pull/6169) Fix Typo in example prometheus rules - -### 3.0.0 - -- [X] [#6167](https://github.com/kubernetes/ingress-nginx/pull/6167) Update 
chart requirements - -### 2.16.0 - -- [X] [#6154](https://github.com/kubernetes/ingress-nginx/pull/6154) add `topologySpreadConstraint` to controller - -### 2.15.0 - -- [X] [#6087](https://github.com/kubernetes/ingress-nginx/pull/6087) Adding parameter for externalTrafficPolicy in internal controller service spec - -### 2.14.0 - -- [X] [#6104](https://github.com/kubernetes/ingress-nginx/pull/6104) Misc fixes for nginx-ingress chart for better keel and prometheus-operator integration - -### 2.13.0 - -- [X] [#6093](https://github.com/kubernetes/ingress-nginx/pull/6093) Release v0.35.0 - -### 2.13.0 - -- [X] [#6093](https://github.com/kubernetes/ingress-nginx/pull/6093) Release v0.35.0 -- [X] [#6080](https://github.com/kubernetes/ingress-nginx/pull/6080) Switch images to k8s.gcr.io after Vanity Domain Flip - -### 2.12.1 - -- [X] [#6075](https://github.com/kubernetes/ingress-nginx/pull/6075) Sync helm chart affinity examples - -### 2.12.0 - -- [X] [#6039](https://github.com/kubernetes/ingress-nginx/pull/6039) Add configurable serviceMonitor metricRelabelling and targetLabels -- [X] [#6044](https://github.com/kubernetes/ingress-nginx/pull/6044) Fix YAML linting - -### 2.11.3 - -- [X] [#6038](https://github.com/kubernetes/ingress-nginx/pull/6038) Bump chart version PATCH - -### 2.11.2 - -- [X] [#5951](https://github.com/kubernetes/ingress-nginx/pull/5951) Bump chart patch version - -### 2.11.1 - -- [X] [#5900](https://github.com/kubernetes/ingress-nginx/pull/5900) Release helm chart for v0.34.1 - -### 2.11.0 - -- [X] [#5879](https://github.com/kubernetes/ingress-nginx/pull/5879) Update helm chart for v0.34.0 -- [X] [#5671](https://github.com/kubernetes/ingress-nginx/pull/5671) Make liveness probe more fault tolerant than readiness probe - -### 2.10.0 - -- [X] [#5843](https://github.com/kubernetes/ingress-nginx/pull/5843) Update jettech/kube-webhook-certgen image - -### 2.9.1 - -- [X] [#5823](https://github.com/kubernetes/ingress-nginx/pull/5823) Add quoting to sysctls 
because numeric values need to be presented as strings (#5823) - -### 2.9.0 - -- [X] [#5795](https://github.com/kubernetes/ingress-nginx/pull/5795) Use fully qualified images to avoid cri-o issues - - -### TODO - -Keep building the changelog using *git log charts* checking the tag diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/Chart.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/Chart.yaml index 28db08ff9..fd7b81030 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/Chart.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/Chart.yaml @@ -1,12 +1,9 @@ annotations: artifacthub.io/changes: | - - "Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406)" - - "feat(helm): Add loadBalancerClass (#9562)" - - "added helmshowvalues example (#10019)" - - "Update Ingress-Nginx version controller-v1.8.1" + - Update Ingress-Nginx version controller-v1.11.2 artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: 1.8.1 +appVersion: 1.11.2 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer home: https://github.com/kubernetes/ingress-nginx @@ -14,12 +11,15 @@ icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/5 keywords: - ingress - nginx -kubeVersion: '>=1.20.0-0' +kubeVersion: '>=1.21.0-0' maintainers: +- name: cpanato +- name: Gacko +- name: puerco - name: rikatz - name: strongjz - name: tao12345666333 name: ingress-nginx sources: - https://github.com/kubernetes/ingress-nginx -version: 4.7.1 +version: 4.11.2 diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/OWNERS b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/OWNERS index 6b7e049ca..d588ede68 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/OWNERS +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/OWNERS 
@@ -1,4 +1,4 @@ -# See the OWNERS docs: https://github.com/kubernetes/community/blob/master/contributors/guide/owners.md +# See the OWNERS docs: https://www.kubernetes.dev/docs/guide/owners approvers: - ingress-nginx-helm-maintainers diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/README.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/README.md index 955091873..26eab2855 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/README.md +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.7.1](https://img.shields.io/badge/Version-4.7.1-informational?style=flat-square) ![AppVersion: 1.8.1](https://img.shields.io/badge/AppVersion-1.8.1-informational?style=flat-square) +![Version: 4.11.2](https://img.shields.io/badge/Version-4.11.2-informational?style=flat-square) ![AppVersion: 1.11.2](https://img.shields.io/badge/AppVersion-1.11.2-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. @@ -10,7 +10,7 @@ This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kuber ## Requirements -Kubernetes: `>=1.20.0-0` +Kubernetes: `>=1.21.0-0` ## Get Repo Info 
@@ -240,33 +240,40 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.certManager.enabled | bool | `false` | | | controller.admissionWebhooks.certManager.rootCert.duration | string | `""` | | | controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` | | +| controller.admissionWebhooks.createSecretJob.name | string | `"create"` | | | controller.admissionWebhooks.createSecretJob.resources | object | `{}` | | -| controller.admissionWebhooks.createSecretJob.securityContext.allowPrivilegeEscalation | bool | `false` | | +| controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers | | controller.admissionWebhooks.enabled | bool | `true` | | | controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.admissionWebhooks.extraEnvs | list | `[]` | Additional environment variables to set | | controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use | | controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` | | | controller.admissionWebhooks.labels | object | `{}` | Labels to be added to admission webhooks | +| controller.admissionWebhooks.name | string | `"admission"` | | | controller.admissionWebhooks.namespaceSelector | object | `{}` | | -| controller.admissionWebhooks.networkPolicyEnabled | bool | `false` | | | controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | | -| controller.admissionWebhooks.patch.image.digest | string | `"sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b"` | | +| 
controller.admissionWebhooks.patch.image.digest | string | `"sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3"` | | | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | | controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | | -| controller.admissionWebhooks.patch.image.tag | string | `"v20230407"` | | +| controller.admissionWebhooks.patch.image.tag | string | `"v1.4.3"` | | | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | +| controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | controller.admissionWebhooks.patch.podAnnotations | object | `{}` | | | controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # | -| controller.admissionWebhooks.patch.securityContext.fsGroup | int | `2000` | | -| controller.admissionWebhooks.patch.securityContext.runAsNonRoot | bool | `true` | | -| controller.admissionWebhooks.patch.securityContext.runAsUser | int | `2000` | | +| controller.admissionWebhooks.patch.rbac | object | `{"create":true}` | Admission webhook patch job RBAC | +| controller.admissionWebhooks.patch.rbac.create | bool | `true` | Create RBAC or not | +| controller.admissionWebhooks.patch.securityContext | object | `{}` | Security context for secret creation & webhook patch pods | +| controller.admissionWebhooks.patch.serviceAccount | object | `{"automountServiceAccountToken":true,"create":true,"name":""}` | Admission webhook patch job service account | +| controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken | bool | `true` | Auto-mount service account token or not | +| 
controller.admissionWebhooks.patch.serviceAccount.create | bool | `true` | Create a service account or not | +| controller.admissionWebhooks.patch.serviceAccount.name | string | `""` | Custom service account name | | controller.admissionWebhooks.patch.tolerations | list | `[]` | | +| controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` | | | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | | -| controller.admissionWebhooks.patchWebhookJob.securityContext.allowPrivilegeEscalation | bool | `false` | | +| controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers | | controller.admissionWebhooks.port | int | `8443` | | | controller.admissionWebhooks.service.annotations | object | `{}` | | | controller.admissionWebhooks.service.externalIPs | list | `[]` | | 
@@ -274,7 +281,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.service.servicePort | int | `443` | | | controller.admissionWebhooks.service.type | string | `"ClusterIP"` | | | controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # | -| controller.allowSnippetAnnotations | bool | `true` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected | +| controller.allowSnippetAnnotations | bool | `false` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected | | controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # | | controller.autoscaling.annotations | object | `{}` | | | controller.autoscaling.behavior | object | `{}` | | 
@@ -284,18 +291,22 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.autoscaling.targetCPUUtilizationPercentage | int | `50` | | | controller.autoscaling.targetMemoryUtilizationPercentage | int | `50` | | | controller.autoscalingTemplate | list | `[]` | | -| controller.config | object | `{}` | Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ | +| controller.config | object | `{}` | Global configuration passed to the ConfigMap consumed by the controller. Values may contain Helm templates. Ref.: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ | | controller.configAnnotations | object | `{}` | Annotations to be added to the controller config configuration configmap. | | controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) | | controller.containerName | string | `"controller"` | Configures the controller container name | | controller.containerPort | object | `{"http":80,"https":443}` | Configures the ports that the nginx-controller listens on | +| controller.containerSecurityContext | object | `{}` | Security context for controller containers | | controller.customTemplate.configMapKey | string | `""` | | | controller.customTemplate.configMapName | string | `""` | | +| controller.disableLeaderElection | bool | `false` | This configuration disable Nginx Controller Leader Election | | controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. | | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. 
| | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' | +| controller.electionTTL | string | `""` | Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s) | +| controller.enableAnnotationValidations | bool | `false` | | | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # | -| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" Defaults to false | +| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false | | controller.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use | | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. | 
@@ -306,27 +317,34 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. | | controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. | | controller.healthCheckPath | string | `"/healthz"` | Path of the health check endpoint. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. | +| controller.hostAliases | list | `[]` | Optionally customize the pod hostAliases. | | controller.hostNetwork | bool | `false` | Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 is merged | | controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not | | controller.hostPort.ports.http | int | `80` | 'hostPort' http port | | controller.hostPort.ports.https | int | `443` | 'hostPort' https port | | controller.hostname | object | `{}` | Optionally customize the pod hostname. 
| -| controller.image.allowPrivilegeEscalation | bool | `true` | | +| controller.image.allowPrivilegeEscalation | bool | `false` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd"` | | -| controller.image.digestChroot | string | `"sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627"` | | +| controller.image.digest | string | `"sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce"` | | +| controller.image.digestChroot | string | `"sha256:21b55a2f0213a18b91612a8c0850167e00a8e34391fd595139a708f9c047e7a8"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | +| controller.image.readOnlyRootFilesystem | bool | `false` | | | controller.image.registry | string | `"registry.k8s.io"` | | +| controller.image.runAsNonRoot | bool | `true` | | | controller.image.runAsUser | int | `101` | | -| controller.image.tag | string | `"v1.8.1"` | | +| controller.image.seccompProfile.type | string | `"RuntimeDefault"` | | +| controller.image.tag | string | `"v1.11.2"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). 
| -| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass | -| controller.ingressClassResource.default | bool | `false` | Is this the default ingressClass for the cluster | -| controller.ingressClassResource.enabled | bool | `true` | Is this ingressClass enabled or not | -| controller.ingressClassResource.name | string | `"nginx"` | Name of the ingressClass | -| controller.ingressClassResource.parameters | object | `{}` | Parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters. | +| controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. | +| controller.ingressClassResource.aliases | list | `[]` | Aliases of this IngressClass. Creates copies with identical settings but the respective alias as name. Useful for development environments with only one Ingress Controller but production-like Ingress resources. `default` gets enabled on the original IngressClass only. | +| controller.ingressClassResource.annotations | object | `{}` | Annotations to be added to the IngressClass resource. | +| controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller of the IngressClass. An Ingress Controller looks for IngressClasses it should reconcile by this value. This value is also being set as the `--controller-class` argument of this Ingress Controller. 
Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class | +| controller.ingressClassResource.default | bool | `false` | If true, Ingresses without `ingressClassName` get assigned to this IngressClass on creation. Ingress creation gets rejected if there are multiple default IngressClasses. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class | +| controller.ingressClassResource.enabled | bool | `true` | Create the IngressClass or not | +| controller.ingressClassResource.name | string | `"nginx"` | Name of the IngressClass | +| controller.ingressClassResource.parameters | object | `{}` | A link to a custom resource containing additional configuration for the controller. This is optional if the controller consuming this IngressClass does not require additional parameters. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class | | controller.keda.apiVersion | string | `"keda.sh/v1alpha1"` | | | controller.keda.behavior | object | `{}` | | | controller.keda.cooldownPeriod | int | `300` | | @@ -362,6 +380,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.metrics.service.servicePort | int | `10254` | | | controller.metrics.service.type | string | `"ClusterIP"` | | | controller.metrics.serviceMonitor.additionalLabels | object | `{}` | | +| controller.metrics.serviceMonitor.annotations | object | `{}` | | | controller.metrics.serviceMonitor.enabled | bool | `false` | | | controller.metrics.serviceMonitor.metricRelabelings | list | `[]` | | | controller.metrics.serviceMonitor.namespace | string | `""` | | 
@@ -372,13 +391,25 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. | | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | controller.name | string | `"controller"` | | +| controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | +| controller.opentelemetry.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | | +| controller.opentelemetry.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | | +| controller.opentelemetry.containerSecurityContext.runAsNonRoot | bool | `true` | | +| controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. 
| +| controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | controller.opentelemetry.enabled | bool | `false` | | -| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0"` | | +| controller.opentelemetry.image.digest | string | `"sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922"` | | +| controller.opentelemetry.image.distroless | bool | `true` | | +| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry-1.25.3"` | | +| controller.opentelemetry.image.registry | string | `"registry.k8s.io"` | | +| controller.opentelemetry.image.tag | string | `"v20240813-b933310d"` | | +| controller.opentelemetry.name | string | `"opentelemetry"` | | +| controller.opentelemetry.resources | object | `{}` | | | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # | | controller.podLabels | object | `{}` | Labels to add to the pod container metadata | -| controller.podSecurityContext | object | `{}` | Security Context policies for controller pods | +| controller.podSecurityContext | object | `{}` | Security context for controller pods | | controller.priorityClassName | string | `""` | | | controller.proxySetHeaders | object | `{}` | Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers | | controller.publishService | object | `{"enabled":true,"pathOverride":""}` | Allows customization of the source of the IP address or FQDN to report in the ingress status field. By default, it reads the information provided by the service. If disable, the status field reports the IP address of the node or nodes where an ingress controller pod is running. | 
@@ -399,36 +430,52 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.scope.enabled | bool | `false` | Enable 'scope' or not | | controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) | | controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. | -| controller.service.annotations | object | `{}` | | -| controller.service.appProtocol | bool | `true` | If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http It allows choosing the protocol for each backend specified in the Kubernetes service. See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 Will be ignored for Kubernetes versions older than 1.20 # | -| controller.service.enableHttp | bool | `true` | | -| controller.service.enableHttps | bool | `true` | | -| controller.service.enabled | bool | `true` | | -| controller.service.external.enabled | bool | `true` | | -| controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # | -| controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. | -| controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). 
| -| controller.service.internal.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS. | -| controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. | -| controller.service.internal.ports | object | `{}` | Custom port mapping for internal service | -| controller.service.internal.targetPorts | object | `{}` | Custom target port mapping for internal service | -| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ | -| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack-ness requested or required by this Service. Possible values are SingleStack, PreferDualStack or RequireDualStack. The ipFamilies and clusterIPs fields depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ | -| controller.service.labels | object | `{}` | | -| controller.service.loadBalancerClass | string | `""` | Used by cloud providers to select a load balancer implementation other than the cloud provider default. 
https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class | -| controller.service.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | -| controller.service.loadBalancerSourceRanges | list | `[]` | | -| controller.service.nodePorts.http | string | `""` | | -| controller.service.nodePorts.https | string | `""` | | -| controller.service.nodePorts.tcp | object | `{}` | | -| controller.service.nodePorts.udp | object | `{}` | | -| controller.service.ports.http | int | `80` | | -| controller.service.ports.https | int | `443` | | -| controller.service.targetPorts.http | string | `"http"` | | -| controller.service.targetPorts.https | string | `"https"` | | -| controller.service.type | string | `"LoadBalancer"` | | +| controller.service.annotations | object | `{}` | Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service. | +| controller.service.appProtocol | bool | `true` | Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol | +| controller.service.clusterIP | string | `""` | Pre-defined cluster internal IP address of the external controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address | +| controller.service.enableHttp | bool | `true` | Enable the HTTP listener on both controller services or not. 
| +| controller.service.enableHttps | bool | `true` | Enable the HTTPS listener on both controller services or not. | +| controller.service.enabled | bool | `true` | Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. | +| controller.service.external.enabled | bool | `true` | Enable the external controller service or not. Useful for internal-only deployments. | +| controller.service.externalIPs | list | `[]` | List of node IP addresses at which the external controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | +| controller.service.externalTrafficPolicy | string | `""` | External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip | +| controller.service.internal.annotations | object | `{}` | Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer | +| controller.service.internal.appProtocol | bool | `true` | Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol | +| controller.service.internal.clusterIP | string | `""` | Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. 
Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address | +| controller.service.internal.enabled | bool | `false` | Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. | +| controller.service.internal.externalIPs | list | `[]` | List of node IP addresses at which the internal controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | +| controller.service.internal.externalTrafficPolicy | string | `""` | External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip | +| controller.service.internal.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | +| controller.service.internal.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | +| controller.service.internal.loadBalancerClass | string | `""` | Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. 
Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class | +| controller.service.internal.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | +| controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default. | +| controller.service.internal.nodePorts.http | string | `""` | Node port allocated for the internal HTTP listener. If left empty, the service controller allocates one from the configured node port range. | +| controller.service.internal.nodePorts.https | string | `""` | Node port allocated for the internal HTTPS listener. If left empty, the service controller allocates one from the configured node port range. | +| controller.service.internal.nodePorts.tcp | object | `{}` | Node port mapping for internal TCP listeners. If left empty, the service controller allocates them from the configured node port range. Example: tcp: 8080: 30080 | +| controller.service.internal.nodePorts.udp | object | `{}` | Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp: 53: 30053 | +| controller.service.internal.ports | object | `{}` | | +| controller.service.internal.sessionAffinity | string | `""` | Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity | +| controller.service.internal.targetPorts | object | `{}` | | +| controller.service.internal.type | string | `""` | Type of the internal controller service. Defaults to the value of `controller.service.type`. 
Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | +| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | +| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | +| controller.service.labels | object | `{}` | Labels to be added to both controller services. | +| controller.service.loadBalancerClass | string | `""` | Load balancer class of the external controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class | +| controller.service.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the external controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | +| controller.service.loadBalancerSourceRanges | list | `[]` | Restrict access to the external controller service. Values must be CIDRs. Allows any source address by default. | +| controller.service.nodePorts.http | string | `""` | Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range. 
| +| controller.service.nodePorts.https | string | `""` | Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range. | +| controller.service.nodePorts.tcp | object | `{}` | Node port mapping for external TCP listeners. If left empty, the service controller allocates them from the configured node port range. Example: tcp: 8080: 30080 | +| controller.service.nodePorts.udp | object | `{}` | Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp: 53: 30053 | +| controller.service.ports.http | int | `80` | Port the external HTTP listener is published with. | +| controller.service.ports.https | int | `443` | Port the external HTTPS listener is published with. | +| controller.service.sessionAffinity | string | `""` | Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity | +| controller.service.targetPorts.http | string | `"http"` | Port of the ingress controller the external HTTP listener is mapped to. | +| controller.service.targetPorts.https | string | `"https"` | Port of the ingress controller the external HTTPS listener is mapped to. | +| controller.service.type | string | `"LoadBalancer"` | Type of the external controller service. 
Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | | controller.shareProcessNamespace | bool | `false` | | -| controller.sysctls | object | `{}` | See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls | +| controller.sysctls | object | `{}` | sysctls for controller pods # Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ | | controller.tcp.annotations | object | `{}` | Annotations to be added to the tcp config configmap | | controller.tcp.configMapNamespace | string | `""` | Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) | | controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready # wait up to five minutes for the drain of connections # | 
@@ -438,17 +485,18 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.udp.configMapNamespace | string | `""` | Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE) | | controller.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # | | controller.watchIngressWithoutClass | bool | `false` | Process Ingress objects without ingressClass annotation/ingressClassName field Overrides value for --watch-ingress-without-class flag of the controller binary Defaults to false | -| defaultBackend.affinity | object | `{}` | | +| defaultBackend.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity | | defaultBackend.autoscaling.annotations | object | `{}` | | | defaultBackend.autoscaling.enabled | bool | `false` | | | defaultBackend.autoscaling.maxReplicas | int | `2` | | | defaultBackend.autoscaling.minReplicas | int | `1` | | | defaultBackend.autoscaling.targetCPUUtilizationPercentage | int | `50` | | | defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` | | -| defaultBackend.containerSecurityContext | object | `{}` | Security Context policies for controller main container. 
See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # | +| defaultBackend.containerSecurityContext | object | `{}` | Security context for default backend containers | | defaultBackend.enabled | bool | `false` | | | defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one | | defaultBackend.extraArgs | object | `{}` | | +| defaultBackend.extraConfigMaps | list | `[]` | | | defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods | | defaultBackend.extraVolumeMounts | list | `[]` | | | defaultBackend.extraVolumes | list | `[]` | | @@ -459,6 +507,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.image.registry | string | `"registry.k8s.io"` | | | defaultBackend.image.runAsNonRoot | bool | `true` | | | defaultBackend.image.runAsUser | int | `65534` | | +| defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` | | | defaultBackend.image.tag | string | `"1.5"` | | | defaultBackend.labels | object | `{}` | Labels to be added to the default backend resources | | defaultBackend.livenessProbe.failureThreshold | int | `3` | | 
@@ -469,10 +518,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.minAvailable | int | `1` | | | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | defaultBackend.name | string | `"defaultbackend"` | | +| defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # | | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata | -| defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # | +| defaultBackend.podSecurityContext | object | `{}` | Security context for default backend pods | | defaultBackend.port | int | `8080` | | | defaultBackend.priorityClassName | string | `""` | | | defaultBackend.readinessProbe.failureThreshold | int | `6` | | 
@@ -491,9 +541,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.serviceAccount.create | bool | `true` | | | defaultBackend.serviceAccount.name | string | `""` | | | defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # | +| defaultBackend.topologySpreadConstraints | list | `[]` | Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref.: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ | | defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # | | dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param | | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | +| namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace | | podSecurityPolicy.enabled | bool | `false` | | | portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration | | rbac.create | bool | `true` | | diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/.gitkeep b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/.gitkeep deleted file mode 100644 index e69de29bb..000000000 
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.10.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.10.0.md
new file mode 100644
index 000000000..b42d6c28b
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.10.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.10.0
+
+* [#5843](https://github.com/kubernetes/ingress-nginx/pull/5843) Update jettech/kube-webhook-certgen image
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.9.1...ingress-nginx-2.10.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.11.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.11.0.md
new file mode 100644
index 000000000..e549b3867
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.11.0.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.11.0
+
+* [#5879](https://github.com/kubernetes/ingress-nginx/pull/5879) Update helm chart for v0.34.0
+* [#5671](https://github.com/kubernetes/ingress-nginx/pull/5671) Make liveness probe more fault tolerant than readiness probe
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.10.0...ingress-nginx-2.11.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.11.1.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.11.1.md
new file mode 100644
index 000000000..d910d3bf4
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.11.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.11.1
+
+* [#5900](https://github.com/kubernetes/ingress-nginx/pull/5900) Release helm chart for v0.34.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.11.0...ingress-nginx-2.11.1
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.11.2.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.11.2.md
new file mode 100644
index 000000000..9f7821005
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.11.2.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.11.2
+
+* [#5951](https://github.com/kubernetes/ingress-nginx/pull/5951) Bump chart patch version
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.11.1...ingress-nginx-2.11.2
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.11.3.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.11.3.md
new file mode 100644
index 000000000..344769163
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.11.3.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.11.3
+
+* [#6038](https://github.com/kubernetes/ingress-nginx/pull/6038) Bump chart version PATCH
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.11.2...ingress-nginx-2.11.3
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.12.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.12.0.md
new file mode 100644
index 000000000..5cb3888aa
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.12.0.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.12.0
+
+* [#6039](https://github.com/kubernetes/ingress-nginx/pull/6039) Add configurable serviceMonitor metricRelabelling and targetLabels
+* [#6044](https://github.com/kubernetes/ingress-nginx/pull/6044) Fix YAML linting
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.11.3...ingress-nginx-2.12.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.12.1.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.12.1.md
new file mode 100644
index 000000000..94d121db5
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.12.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.12.1
+
+* [#6075](https://github.com/kubernetes/ingress-nginx/pull/6075) Sync helm chart affinity examples
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.12.0...ingress-nginx-2.12.1
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.13.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.13.0.md
new file mode 100644
index 000000000..01fe0b15d
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.13.0.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.13.0
+
+* [#6093](https://github.com/kubernetes/ingress-nginx/pull/6093) Release v0.35.0
+* [#6080](https://github.com/kubernetes/ingress-nginx/pull/6080) Switch images to k8s.gcr.io after Vanity Domain Flip
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.12.1...ingress-nginx-2.13.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.14.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.14.0.md
new file mode 100644
index 000000000..2fb7a5a76
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.14.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.14.0
+
+* [#6104](https://github.com/kubernetes/ingress-nginx/pull/6104) Misc fixes for nginx-ingress chart for better keel and prometheus-operator integration
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.13.0...ingress-nginx-2.14.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.15.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.15.0.md
new file mode 100644
index 000000000..543a55927
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.15.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.15.0
+
+* [#6087](https://github.com/kubernetes/ingress-nginx/pull/6087) Adding parameter for externalTrafficPolicy in internal controller service spec
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.14.0...ingress-nginx-2.15.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.16.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.16.0.md
new file mode 100644
index 000000000..996f4489e
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.16.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.16.0
+
+* [#6154](https://github.com/kubernetes/ingress-nginx/pull/6154) add `topologySpreadConstraint` to controller
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.15.0...ingress-nginx-2.16.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.9.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.9.0.md
new file mode 100644
index 000000000..11c5f5fed
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.9.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.9.0
+
+* [#5795](https://github.com/kubernetes/ingress-nginx/pull/5795) Use fully qualified images to avoid cri-o issues
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-TODO...ingress-nginx-2.9.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.9.1.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.9.1.md
new file mode 100644
index 000000000..7d4314d9c
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-2.9.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 2.9.1
+
+* [#5823](https://github.com/kubernetes/ingress-nginx/pull/5823) Add quoting to sysctls because numeric values need to be presented as strings (#5823)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.9.0...ingress-nginx-2.9.1
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.0.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.0.0.md
new file mode 100644
index 000000000..a7d50ee3a
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.0.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.0.0
+
+* [#6167](https://github.com/kubernetes/ingress-nginx/pull/6167) Update chart requirements
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.16.0...ingress-nginx-3.0.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.10.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.10.0.md
new file mode 100644
index 000000000..3369bed03
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.10.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.10.0
+
+* Fix routing regression introduced in 0.41.0 with PathType Exact
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.9.0...ingress-nginx-3.10.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.10.1.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.10.1.md
new file mode 100644
index 000000000..6ff682e52
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.10.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.10.1
+
+* Fix regression introduced in 0.41.0 with external authentication
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.10.0...ingress-nginx-3.10.1
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.11.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.11.0.md
new file mode 100644
index 000000000..69ba5506b
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.11.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.11.0
+
+* Support Keda Autoscaling
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.10.1...ingress-nginx-3.11.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.11.1.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.11.1.md
new file mode 100644
index 000000000..4e81f4b41
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.11.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.11.1
+
+* [#6505](https://github.com/kubernetes/ingress-nginx/pull/6505) Reorder HPA resource list to work with GitOps tooling
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.11.0...ingress-nginx-3.11.1
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.12.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.12.0.md
new file mode 100644
index 000000000..41b9744de
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.12.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.12.0
+
+* [#6514](https://github.com/kubernetes/ingress-nginx/pull/6514) Remove helm2 support and update docs
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.11.1...ingress-nginx-3.12.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.13.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.13.0.md
new file mode 100644
index 000000000..0855a7913
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.13.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.13.0
+
+* [#6544](https://github.com/kubernetes/ingress-nginx/pull/6544) Fix default backend HPA name variable
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.12.0...ingress-nginx-3.13.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.14.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.14.0.md
new file mode 100644
index 000000000..e07880bf4
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.14.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.14.0
+
+* [#6469](https://github.com/kubernetes/ingress-nginx/pull/6469) Allow custom service names for controller and backend
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.13.0...ingress-nginx-3.14.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.15.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.15.0.md
new file mode 100644
index 000000000..3053a3548
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.15.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.15.0
+
+* [#6586](https://github.com/kubernetes/ingress-nginx/pull/6586) Fix 'maxmindLicenseKey' location in values.yaml
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.14.0...ingress-nginx-3.15.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.15.1.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.15.1.md
new file mode 100644
index 000000000..f11ee0a76
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.15.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.15.1
+
+* Fix chart-releaser action
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.15.0...ingress-nginx-3.15.1
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.16.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.16.0.md
new file mode 100644
index 000000000..fba30b171
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.16.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.16.0
+
+* [#6646](https://github.com/kubernetes/ingress-nginx/pull/6646) Added LoadBalancerIP value for internal service
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.15.1...helm-chart-3.16.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.16.1.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.16.1.md
new file mode 100644
index 000000000..650d1b8fa
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.16.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.16.1
+
+* Fix chart-releaser action
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.16.0...helm-chart-3.16.1
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.17.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.17.0.md
new file mode 100644
index 000000000..175c7a264
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.17.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.17.0
+
+* Update ingress-nginx v0.42.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.16.1...helm-chart-3.17.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.18.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.18.0.md
new file mode 100644
index 000000000..31b815e4e
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.18.0.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.18.0
+
+* [#6688](https://github.com/kubernetes/ingress-nginx/pull/6688) Allow volume-type emptyDir in controller podsecuritypolicy
+* [#6691](https://github.com/kubernetes/ingress-nginx/pull/6691) Improve parsing of helm parameters
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.17.0...helm-chart-3.18.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.19.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.19.0.md
new file mode 100644
index 000000000..0970bf02c
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.19.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.19.0
+
+* Update ingress-nginx v0.43.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.18.0...helm-chart-3.19.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.20.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.20.0.md
new file mode 100644
index 000000000..4b81ae42f
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.20.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.20.0
+
+* [#6730](https://github.com/kubernetes/ingress-nginx/pull/6730) Do not create HPA for defaultBackend if not enabled.
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.19.0...helm-chart-3.20.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.20.1.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.20.1.md
new file mode 100644
index 000000000..952bf2bd3
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.20.1.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.20.1
+
+* Do not create KEDA in case of DaemonSets.
+* Fix KEDA v2 definition
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.20.0...helm-chart-3.20.1
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.21.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.21.0.md
new file mode 100644
index 000000000..25edbefd9
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.21.0.md
@@ -0,0 +1,12 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.21.0
+
+* [#6783](https://github.com/kubernetes/ingress-nginx/pull/6783) Add custom annotations to ScaledObject
+* [#6761](https://github.com/kubernetes/ingress-nginx/pull/6761) Adding quotes in the serviceAccount name in Helm values
+* [#6767](https://github.com/kubernetes/ingress-nginx/pull/6767) Remove ClusterRole when scope option is enabled
+* [#6785](https://github.com/kubernetes/ingress-nginx/pull/6785) Update kube-webhook-certgen image to v1.5.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.20.1...helm-chart-3.21.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.22.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.22.0.md
new file mode 100644
index 000000000..147d66421
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.22.0.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.22.0
+
+* [#6802](https://github.com/kubernetes/ingress-nginx/pull/6802) Add value for configuring a custom Diffie-Hellman parameters file
+* [#6815](https://github.com/kubernetes/ingress-nginx/pull/6815) Allow use of numeric namespaces in helm chart
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.21.0...helm-chart-3.22.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.23.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.23.0.md
new file mode 100644
index 000000000..5dcb50fa8
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.23.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.23.0
+
+* Update ingress-nginx v0.44.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.22.0...helm-chart-3.23.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.24.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.24.0.md
new file mode 100644
index 000000000..d7db808b1
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.24.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.24.0
+
+* [#6908](https://github.com/kubernetes/ingress-nginx/pull/6908) Add volumes to default-backend deployment
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.23.0...helm-chart-3.24.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.25.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.25.0.md
new file mode 100644
index 000000000..f9679a124
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.25.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.25.0
+
+* [#6957](https://github.com/kubernetes/ingress-nginx/pull/6957) Add ability to specify automountServiceAccountToken
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.24.0...helm-chart-3.25.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.26.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.26.0.md
new file mode 100644
index 000000000..0c3a1df68
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.26.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.26.0
+
+* [#6979](https://github.com/kubernetes/ingress-nginx/pull/6979) Changed servicePort value for metrics
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.25.0...helm-chart-3.26.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.27.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.27.0.md
new file mode 100644
index 000000000..8113d7b9b
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.27.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.27.0
+
+* Update ingress-nginx v0.45.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.26.0...helm-chart-3.27.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.28.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.28.0.md
new file mode 100644
index 000000000..eee0ccbec
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.28.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.28.0
+
+* [#6900](https://github.com/kubernetes/ingress-nginx/pull/6900) Support existing PSPs
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.27.0...helm-chart-3.28.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.29.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.29.0.md
new file mode 100644
index 000000000..f0fabdce1
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.29.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.29.0
+
+* [#6945](https://github.com/kubernetes/ingress-nginx/pull/7020) Add option to specify job label for ServiceMonitor
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.28.0...helm-chart-3.29.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.3.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.3.0.md
new file mode 100644
index 000000000..09fab3756
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.3.0.md
@@ -0,0 +1,12 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.3.0
+
+* [#6203](https://github.com/kubernetes/ingress-nginx/pull/6203) Refactor parsing of key values
+* [#6162](https://github.com/kubernetes/ingress-nginx/pull/6162) Add helm chart options to expose metrics service as NodePort
+* [#6180](https://github.com/kubernetes/ingress-nginx/pull/6180) Fix helm chart admissionReviewVersions regression
+* [#6169](https://github.com/kubernetes/ingress-nginx/pull/6169) Fix Typo in example prometheus rules
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.0.0...ingress-nginx-3.3.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.3.1.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.3.1.md
new file mode 100644
index 000000000..81f44fdbd
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.3.1.md
@@ -0,0 +1,12 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.3.1
+
+* [#6259](https://github.com/kubernetes/ingress-nginx/pull/6259) Release helm chart
+* [#6258](https://github.com/kubernetes/ingress-nginx/pull/6258) Fix chart markdown link
+* [#6253](https://github.com/kubernetes/ingress-nginx/pull/6253) Release v0.40.0
+* [#6233](https://github.com/kubernetes/ingress-nginx/pull/6233) Add admission controller e2e test
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.3.0...ingress-nginx-3.3.1
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.30.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.30.0.md
new file mode 100644
index 000000000..77ad6b41b
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.30.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.30.0
+
+* [#7092](https://github.com/kubernetes/ingress-nginx/pull/7092) Removes the possibility of using localhost in ExternalNames as endpoints
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.29.0...helm-chart-3.30.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.31.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.31.0.md
new file mode 100644
index 000000000..bc07fed76
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.31.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.31.0
+
+* [7137] https://github.com/kubernetes/ingress-nginx/pull/7137 Add support for custom probes
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.30.0...helm-chart-3.31.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.32.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.32.0.md
new file mode 100644
index 000000000..68f7ed6b2
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.32.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.32.0
+
+* [7117] https://github.com/kubernetes/ingress-nginx/pull/7117 Add annotations for HPA
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.31.0...helm-chart-3.32.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.33.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.33.0.md
new file mode 100644
index 000000000..b56c5fc1e
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.33.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.33.0
+
+* [7164] https://github.com/kubernetes/ingress-nginx/pull/7164 Update nginx to v1.20.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.32.0...helm-chart-3.33.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.34.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.34.0.md
new file mode 100644
index 000000000..a28cd0282
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.34.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.34.0
+
+* [7256] https://github.com/kubernetes/ingress-nginx/pull/7256 Add namespace field in the namespace scoped resource templates
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.33.0...helm-chart-3.34.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.4.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.4.0.md
new file mode 100644
index 000000000..3b4ca9353
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.4.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.4.0
+
+* [#6268](https://github.com/kubernetes/ingress-nginx/pull/6268) Update to 0.40.2 in helm chart #6288
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.3.1...ingress-nginx-3.4.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.5.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.5.0.md
new file mode 100644
index 000000000..44991b3bb
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.5.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.5.0
+
+* [#6260](https://github.com/kubernetes/ingress-nginx/pull/6260) Allow Helm Chart to customize admission webhook's annotations, timeoutSeconds, namespaceSelector, objectSelector and cert files locations
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.4.0...ingress-nginx-3.5.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.5.1.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.5.1.md
new file mode 100644
index 000000000..740f00c45
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.5.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.5.1
+
+* [#6299](https://github.com/kubernetes/ingress-nginx/pull/6299) Fix helm chart release
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.5.0...ingress-nginx-3.5.1
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.6.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.6.0.md
new file mode 100644
index 000000000..4af7f11a1
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.6.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.6.0
+
+* [#6305](https://github.com/kubernetes/ingress-nginx/pull/6305) Add default linux nodeSelector
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.5.1...ingress-nginx-3.6.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.7.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.7.0.md
new file mode 100644
index 000000000..a6b12994b
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.7.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.7.0
+
+* [#6316](https://github.com/kubernetes/ingress-nginx/pull/6316) Numerals in podAnnotations in quotes [#6315](https://github.com/kubernetes/ingress-nginx/issues/6315)
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.6.0...ingress-nginx-3.7.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.7.1.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.7.1.md
new file mode 100644
index 000000000..6ba12df91
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.7.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.7.1
+
+* [#6326](https://github.com/kubernetes/ingress-nginx/pull/6326) Fix liveness and readiness probe path in daemonset chart
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.7.0...ingress-nginx-3.7.1
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.8.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.8.0.md
new file mode 100644
index 000000000..8df250a98
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.8.0.md
@@ -0,0 +1,13 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.8.0
+
+* [#6395](https://github.com/kubernetes/ingress-nginx/pull/6395) Update jettech/kube-webhook-certgen image
+* [#6377](https://github.com/kubernetes/ingress-nginx/pull/6377) Added loadBalancerSourceRanges for internal lbs
+* [#6356](https://github.com/kubernetes/ingress-nginx/pull/6356) Add securitycontext settings on defaultbackend
+* [#6401](https://github.com/kubernetes/ingress-nginx/pull/6401) Fix controller service annotations
+* [#6403](https://github.com/kubernetes/ingress-nginx/pull/6403) Initial helm chart changelog
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.7.1...ingress-nginx-3.8.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.9.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.9.0.md
new file mode 100644
index 000000000..e8c9def51
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-3.9.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 3.9.0
+
+* [#6423](https://github.com/kubernetes/ingress-nginx/pull/6423) Add Default backend HPA autoscaling
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.8.0...ingress-nginx-3.9.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.1.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.1.md
new file mode 100644
index 000000000..7a187b350
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.1
+
+* [7535] https://github.com/kubernetes/ingress-nginx/pull/7535 Release v1.0.0 ingress-nginx
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.34.0...helm-chart-4.0.1
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.10.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.10.md
new file mode 100644
index 000000000..c5d651670
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.10.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.10
+
+* [7964] https://github.com/kubernetes/ingress-nginx/pull/7964 Update controller version to v1.1.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.9...helm-chart-4.0.10
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.11.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.11.md
new file mode 100644
index 000000000..554182355
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.11.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.11
+
+* [7873] https://github.com/kubernetes/ingress-nginx/pull/7873 Makes the [appProtocol](https://kubernetes.io/docs/concepts/services-networking/_print/#application-protocol) field optional.
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.10...helm-chart-4.0.11
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.12.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.12.md
new file mode 100644
index 000000000..320f6f546
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.12.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.12
+
+* [7978] https://github.com/kubernetes/ingress-nginx/pull/7979 Support custom annotations in admissions Jobs
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.11...helm-chart-4.0.12
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.13.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.13.md
new file mode 100644
index 000000000..edd922814
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.13.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.13
+
+* [8008] https://github.com/kubernetes/ingress-nginx/pull/8008 Add relabelings in controller-servicemonitor.yaml
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.12...helm-chart-4.0.13
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.14.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.14.md
new file mode 100644
index 000000000..e92701039
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.14.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.14
+
+* [8061] https://github.com/kubernetes/ingress-nginx/pull/8061 Using helm-docs to populate values table in README.md
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.13...helm-chart-4.0.14
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.15.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.15.md
new file mode 100644
index 000000000..d3d14a98d
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.15.md
@@ -0,0 +1,43 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.0.15 + +* [8120] https://github.com/kubernetes/ingress-nginx/pull/8120 Update go in runner and release v1.1.1 +* [8119] https://github.com/kubernetes/ingress-nginx/pull/8119 Update to go v1.17.6 +* [8118] https://github.com/kubernetes/ingress-nginx/pull/8118 Remove deprecated libraries, update other libs +* [8117] https://github.com/kubernetes/ingress-nginx/pull/8117 Fix codegen errors +* [8115] https://github.com/kubernetes/ingress-nginx/pull/8115 chart/ghaction: set the correct permission to have access to push a release +* [8098] https://github.com/kubernetes/ingress-nginx/pull/8098 generating SHA for CA only certs in backend_ssl.go + comparison of P… +* [8088] https://github.com/kubernetes/ingress-nginx/pull/8088 Fix Edit this page link to use main branch +* [8072] https://github.com/kubernetes/ingress-nginx/pull/8072 Expose GeoIP2 Continent code as variable +* [8061] https://github.com/kubernetes/ingress-nginx/pull/8061 docs(charts): using helm-docs for chart +* [8058] https://github.com/kubernetes/ingress-nginx/pull/8058 Bump github.com/spf13/cobra from 1.2.1 to 1.3.0 +* [8054] https://github.com/kubernetes/ingress-nginx/pull/8054 Bump google.golang.org/grpc from 1.41.0 to 1.43.0 +* [8051] https://github.com/kubernetes/ingress-nginx/pull/8051 align bug report with feature request regarding kind documentation +* [8046] https://github.com/kubernetes/ingress-nginx/pull/8046 Report expired certificates (#8045) +* [8044] https://github.com/kubernetes/ingress-nginx/pull/8044 remove G109 check till gosec resolves issues +* [8042] https://github.com/kubernetes/ingress-nginx/pull/8042 docs_multiple_instances_one_cluster_ticket_7543 +* [8041] https://github.com/kubernetes/ingress-nginx/pull/8041 docs: fix typo'd executable name +* [8035] 
https://github.com/kubernetes/ingress-nginx/pull/8035 Comment busy owners +* [8029] https://github.com/kubernetes/ingress-nginx/pull/8029 Add stream-snippet as a ConfigMap and Annotation option +* [8023] https://github.com/kubernetes/ingress-nginx/pull/8023 fix nginx compilation flags +* [8021] https://github.com/kubernetes/ingress-nginx/pull/8021 Disable default modsecurity_rules_file if modsecurity-snippet is specified +* [8019] https://github.com/kubernetes/ingress-nginx/pull/8019 Revise main documentation page +* [8018] https://github.com/kubernetes/ingress-nginx/pull/8018 Preserve order of plugin invocation +* [8015] https://github.com/kubernetes/ingress-nginx/pull/8015 Add newline indenting to admission webhook annotations +* [8014] https://github.com/kubernetes/ingress-nginx/pull/8014 Add link to example error page manifest in docs +* [8009] https://github.com/kubernetes/ingress-nginx/pull/8009 Fix spelling in documentation and top-level files +* [8008] https://github.com/kubernetes/ingress-nginx/pull/8008 Add relabelings in controller-servicemonitor.yaml +* [8003] https://github.com/kubernetes/ingress-nginx/pull/8003 Minor improvements (formatting, consistency) in install guide +* [8001] https://github.com/kubernetes/ingress-nginx/pull/8001 fix: go-grpc Dockerfile +* [7999] https://github.com/kubernetes/ingress-nginx/pull/7999 images: use k8s-staging-test-infra/gcb-docker-gcloud +* [7996] https://github.com/kubernetes/ingress-nginx/pull/7996 doc: improvement +* [7983] https://github.com/kubernetes/ingress-nginx/pull/7983 Fix a couple of misspellings in the annotations documentation. 
+* [7979] https://github.com/kubernetes/ingress-nginx/pull/7979 allow set annotations for admission Jobs
+* [7977] https://github.com/kubernetes/ingress-nginx/pull/7977 Add ssl_reject_handshake to default server
+* [7975] https://github.com/kubernetes/ingress-nginx/pull/7975 add legacy version update v0.50.0 to main changelog
+* [7972] https://github.com/kubernetes/ingress-nginx/pull/7972 updated service upstream definition
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.14...helm-chart-4.0.15
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.18.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.18.md
new file mode 100644
index 000000000..30a8f75c1
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.18.md
@@ -0,0 +1,40 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.18
+
+* [8291](https://github.com/kubernetes/ingress-nginx/pull/8291) remove git tag env from cloud build
+* [8286](https://github.com/kubernetes/ingress-nginx/pull/8286) Fix OpenTelemetry sidecar image build
+* [8277](https://github.com/kubernetes/ingress-nginx/pull/8277) Add OpenSSF Best practices badge
+* [8273](https://github.com/kubernetes/ingress-nginx/pull/8273) Issue#8241
+* [8267](https://github.com/kubernetes/ingress-nginx/pull/8267) Add fsGroup value to admission-webhooks/job-patch charts
+* [8262](https://github.com/kubernetes/ingress-nginx/pull/8262) Updated confusing error
+* [8256](https://github.com/kubernetes/ingress-nginx/pull/8256) fix: deny locations with invalid auth-url annotation
+* [8253](https://github.com/kubernetes/ingress-nginx/pull/8253) Add a certificate info metric
+* [8236](https://github.com/kubernetes/ingress-nginx/pull/8236) webhook: remove useless code.
+* [8227](https://github.com/kubernetes/ingress-nginx/pull/8227) Update libraries in webhook image +* [8225](https://github.com/kubernetes/ingress-nginx/pull/8225) fix inconsistent-label-cardinality for prometheus metrics: nginx_ingress_controller_requests +* [8221](https://github.com/kubernetes/ingress-nginx/pull/8221) Do not validate ingresses with unknown ingress class in admission webhook endpoint +* [8210](https://github.com/kubernetes/ingress-nginx/pull/8210) Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.1 +* [8209](https://github.com/kubernetes/ingress-nginx/pull/8209) Bump google.golang.org/grpc from 1.43.0 to 1.44.0 +* [8204](https://github.com/kubernetes/ingress-nginx/pull/8204) Add Artifact Hub lint +* [8203](https://github.com/kubernetes/ingress-nginx/pull/8203) Fix Indentation of example and link to cert-manager tutorial +* [8201](https://github.com/kubernetes/ingress-nginx/pull/8201) feat(metrics): add path and method labels to requests countera +* [8199](https://github.com/kubernetes/ingress-nginx/pull/8199) use functional options to reduce number of methods creating an EchoDeployment +* [8196](https://github.com/kubernetes/ingress-nginx/pull/8196) docs: fix inconsistent controller annotation +* [8191](https://github.com/kubernetes/ingress-nginx/pull/8191) Using Go install for misspell +* [8186](https://github.com/kubernetes/ingress-nginx/pull/8186) prometheus+grafana using servicemonitor +* [8185](https://github.com/kubernetes/ingress-nginx/pull/8185) Append elements on match, instead of removing for cors-annotations +* [8179](https://github.com/kubernetes/ingress-nginx/pull/8179) Bump github.com/opencontainers/runc from 1.0.3 to 1.1.0 +* [8173](https://github.com/kubernetes/ingress-nginx/pull/8173) Adding annotations to the controller service account +* [8163](https://github.com/kubernetes/ingress-nginx/pull/8163) Update the $req_id placeholder description +* [8162](https://github.com/kubernetes/ingress-nginx/pull/8162) Versioned 
static manifests +* [8159](https://github.com/kubernetes/ingress-nginx/pull/8159) Adding some geoip variables and default values +* [8155](https://github.com/kubernetes/ingress-nginx/pull/8155) #7271 feat: avoid-pdb-creation-when-default-backend-disabled-and-replicas-gt-1 +* [8151](https://github.com/kubernetes/ingress-nginx/pull/8151) Automatically generate helm docs +* [8143](https://github.com/kubernetes/ingress-nginx/pull/8143) Allow to configure delay before controller exits +* [8136](https://github.com/kubernetes/ingress-nginx/pull/8136) add ingressClass option to helm chart - back compatibility with ingress.class annotations +* [8126](https://github.com/kubernetes/ingress-nginx/pull/8126) Example for JWT + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.15...helm-chart-4.0.18 diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.2.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.2.md new file mode 100644 index 000000000..9dbd003a9 --- /dev/null +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.2.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.0.2 + +* [7681] https://github.com/kubernetes/ingress-nginx/pull/7681 Release v1.0.1 of ingress-nginx + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.1...helm-chart-4.0.2 diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.3.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.3.md new file mode 100644 index 000000000..09b89f66c --- /dev/null 
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.3.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.3
+
+* [7707] https://github.com/kubernetes/ingress-nginx/pull/7707 Release v1.0.2 of ingress-nginx
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.2...helm-chart-4.0.3
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.5.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.5.md
new file mode 100644
index 000000000..be67704ba
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.5.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.5
+
+* [7740] https://github.com/kubernetes/ingress-nginx/pull/7740 Release v1.0.3 of ingress-nginx
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.3...helm-chart-4.0.5
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.6.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.6.md
new file mode 100644
index 000000000..25276e2be
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.6.md
@@ -0,0 +1,12 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.6
+
+* [7804] https://github.com/kubernetes/ingress-nginx/pull/7804 Release v1.0.4 of ingress-nginx
+* [7651] https://github.com/kubernetes/ingress-nginx/pull/7651 Support ipFamilyPolicy and ipFamilies fields in Helm Chart
+* [7798] https://github.com/kubernetes/ingress-nginx/pull/7798 Exoscale: use HTTP Healthcheck mode
+* [7793] https://github.com/kubernetes/ingress-nginx/pull/7793 Update kube-webhook-certgen to v1.1.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.5...helm-chart-4.0.6
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.7.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.7.md
new file mode 100644
index 000000000..50fd9227c
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.7.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.7
+
+* [7923] https://github.com/kubernetes/ingress-nginx/pull/7923 Release v1.0.5 of ingress-nginx
+* [7806] https://github.com/kubernetes/ingress-nginx/pull/7806 Choice option for internal/external loadbalancer type service
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.6...helm-chart-4.0.7
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.9.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.9.md
new file mode 100644
index 000000000..f2f725c93
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.0.9.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.0.9
+
+* [6992] https://github.com/kubernetes/ingress-nginx/pull/6992 Add ability to specify labels for all resources
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.7...helm-chart-4.0.9
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.1.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.1.0.md
new file mode 100644
index 000000000..24aaf49ae
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.1.0.md
@@ -0,0 +1,21 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.1.0
+
+* [8481](https://github.com/kubernetes/ingress-nginx/pull/8481) Fix log creation in chroot script
+* [8479](https://github.com/kubernetes/ingress-nginx/pull/8479) changed nginx base img tag to img built with alpine3.14.6
+* [8478](https://github.com/kubernetes/ingress-nginx/pull/8478) update base images and protobuf gomod
+* [8468](https://github.com/kubernetes/ingress-nginx/pull/8468) Fallback to ngx.var.scheme for redirectScheme with use-forward-headers when X-Forwarded-Proto is empty
+* [8456](https://github.com/kubernetes/ingress-nginx/pull/8456) Implement object deep inspector
+* [8455](https://github.com/kubernetes/ingress-nginx/pull/8455) Update dependencies
+* [8454](https://github.com/kubernetes/ingress-nginx/pull/8454) Update index.md
+* [8447](https://github.com/kubernetes/ingress-nginx/pull/8447) typo fixing
+* [8446](https://github.com/kubernetes/ingress-nginx/pull/8446) Fix suggested annotation-value-word-blocklist
+* [8444](https://github.com/kubernetes/ingress-nginx/pull/8444) replace deprecated topology key in example with current one
+* [8443](https://github.com/kubernetes/ingress-nginx/pull/8443) Add dependency review enforcement
+* [8434](https://github.com/kubernetes/ingress-nginx/pull/8434) added new auth-tls-match-cn annotation
+* [8426](https://github.com/kubernetes/ingress-nginx/pull/8426) Bump github.com/prometheus/common from 0.32.1 to 0.33.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.18...helm-chart-4.1.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.1.2.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.1.2.md
new file mode 100644
index 000000000..0a1d80cf1
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.1.2.md
@@ -0,0 +1,11 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.1.2
+
+* [8587](https://github.com/kubernetes/ingress-nginx/pull/8587) Add CAP_SYS_CHROOT to DS/PSP when needed
+* [8458](https://github.com/kubernetes/ingress-nginx/pull/8458) Add portNamePreffix Helm chart parameter
+* [8522](https://github.com/kubernetes/ingress-nginx/pull/8522) Add documentation for controller.service.loadBalancerIP in Helm chart
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.1.0...helm-chart-4.1.2
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.10.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.10.0.md
new file mode 100644
index 000000000..a1f1847ec
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.10.0.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.10.0
+
+* - "Update Ingress-Nginx version controller-v1.10.0"
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.9.1...helm-chart-4.10.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.10.1.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.10.1.md
new file mode 100644
index 000000000..3a28de00c
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.10.1.md
@@ -0,0 +1,11 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.10.1
+
+* - "update post submit helm ci and clean up (#11221)"
+* - "refactor helm ci tests part I (#11188)"
+* - "Update Ingress-Nginx version controller-v1.10.1"
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.0...helm-chart-4.10.1
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.10.2.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.10.2.md
new file mode 100644
index 000000000..399bd98d6
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.10.2.md
@@ -0,0 +1,18 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.10.2
+
+* Chores: Align security contacts & chart maintainers to actual owners. (#11480)
+* Fix helm install on cloud provider admonition block (#11412)
+* edited helm-install tips (#11411)
+* added info for aws helm install (#11410)
+* add workflow to helm release and update ct for branch (#11317)
+* Merge pull request #11277 from strongjz/chart-1.10.1 (#11314)
+* release helm chart from release branch (#11278)
+* update post submit helm ci and clean up (#11221)
+* refactor helm ci tests part I (#11188)
+* Update Ingress-Nginx version controller-v1.10.2
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.1...helm-chart-4.10.2
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.11.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.11.0.md
new file mode 100644
index 000000000..64108c04e
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.11.0.md
@@ -0,0 +1,18 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.11.0
+
+* Chores: Align security contacts & chart maintainers to actual owners. (#11465)
+* Merge pull request #11277 from strongjz/chart-1.10.1 (#11415)
+* Fix helm install on cloud provider admonition block (#11394)
+* edited helm-install tips (#11393)
+* added info for aws helm install (#11390)
+* add workflow to helm release and update ct for branch (#11378)
+* release helm chart from release branch (#11276)
+* update post submit helm ci and clean up (#11220)
+* refactor helm ci tests part I (#11178)
+* Update Ingress-Nginx version controller-v1.11.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.10.2...helm-chart-4.11.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.11.1.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.11.1.md
new file mode 100644
index 000000000..281513e5f
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.11.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.11.1
+
+* Update Ingress-Nginx version controller-v1.11.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.0...helm-chart-4.11.1
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.11.2.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.11.2.md
new file mode 100644
index 000000000..c7645a5b6
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.11.2.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.11.2
+
+* Update Ingress-Nginx version controller-v1.11.2
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.11.1...helm-chart-4.11.2
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.2.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.2.0.md
new file mode 100644
index 000000000..2074a0953
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.2.0.md
@@ -0,0 +1,47 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.2.0
+
+* Support for Kubernetes v1.19.0 was removed
+* [8810](https://github.com/kubernetes/ingress-nginx/pull/8810) Prepare for v1.3.0
+* [8808](https://github.com/kubernetes/ingress-nginx/pull/8808) revert arch var name
+* [8805](https://github.com/kubernetes/ingress-nginx/pull/8805) Bump k8s.io/klog/v2 from 2.60.1 to 2.70.1
+* [8803](https://github.com/kubernetes/ingress-nginx/pull/8803) Update to nginx base with alpine v3.16
+* [8802](https://github.com/kubernetes/ingress-nginx/pull/8802) chore: start v1.3.0 release process
+* [8798](https://github.com/kubernetes/ingress-nginx/pull/8798) Add v1.24.0 to test matrix
+* [8796](https://github.com/kubernetes/ingress-nginx/pull/8796) fix: add MAC_OS variable for static-check
+* [8793](https://github.com/kubernetes/ingress-nginx/pull/8793) changed to alpine-v3.16
+* [8781](https://github.com/kubernetes/ingress-nginx/pull/8781) Bump github.com/stretchr/testify from 1.7.5 to 1.8.0
+* [8778](https://github.com/kubernetes/ingress-nginx/pull/8778) chore: remove stable.txt from release process
+* [8775](https://github.com/kubernetes/ingress-nginx/pull/8775) Remove stable
+* [8773](https://github.com/kubernetes/ingress-nginx/pull/8773) Bump github/codeql-action from 2.1.14 to 2.1.15
+* [8772](https://github.com/kubernetes/ingress-nginx/pull/8772) Bump ossf/scorecard-action from 1.1.1 to 1.1.2
+* [8771](https://github.com/kubernetes/ingress-nginx/pull/8771) fix bullet md format
+* [8770](https://github.com/kubernetes/ingress-nginx/pull/8770) Add condition for monitoring.coreos.com/v1 API
+* [8769](https://github.com/kubernetes/ingress-nginx/pull/8769) Fix typos and add links to developer guide
+* [8767](https://github.com/kubernetes/ingress-nginx/pull/8767) change v1.2.0 to v1.2.1 in deploy doc URLs
+* [8765](https://github.com/kubernetes/ingress-nginx/pull/8765) Bump github/codeql-action from 1.0.26 to 2.1.14
+* [8752](https://github.com/kubernetes/ingress-nginx/pull/8752) Bump github.com/spf13/cobra from 1.4.0 to 1.5.0
+* [8751](https://github.com/kubernetes/ingress-nginx/pull/8751) Bump github.com/stretchr/testify from 1.7.2 to 1.7.5
+* [8750](https://github.com/kubernetes/ingress-nginx/pull/8750) added announcement
+* [8740](https://github.com/kubernetes/ingress-nginx/pull/8740) change sha e2etestrunner and echoserver
+* [8738](https://github.com/kubernetes/ingress-nginx/pull/8738) Update docs to make it easier for noobs to follow step by step
+* [8737](https://github.com/kubernetes/ingress-nginx/pull/8737) updated baseimage sha
+* [8736](https://github.com/kubernetes/ingress-nginx/pull/8736) set ld-musl-path
+* [8733](https://github.com/kubernetes/ingress-nginx/pull/8733) feat: migrate leaderelection lock to leases
+* [8726](https://github.com/kubernetes/ingress-nginx/pull/8726) prometheus metric: upstream_latency_seconds
+* [8720](https://github.com/kubernetes/ingress-nginx/pull/8720) Ci pin deps
+* [8719](https://github.com/kubernetes/ingress-nginx/pull/8719) Working OpenTelemetry sidecar (base nginx image)
+* [8714](https://github.com/kubernetes/ingress-nginx/pull/8714) Create Openssf scorecard
+* [8708](https://github.com/kubernetes/ingress-nginx/pull/8708) Bump github.com/prometheus/common from 0.34.0 to 0.35.0
+* [8703](https://github.com/kubernetes/ingress-nginx/pull/8703) Bump actions/dependency-review-action from 1 to 2
+* [8701](https://github.com/kubernetes/ingress-nginx/pull/8701) Fix several typos
+* [8699](https://github.com/kubernetes/ingress-nginx/pull/8699) fix the gosec test and a make target for it
+* [8698](https://github.com/kubernetes/ingress-nginx/pull/8698) Bump actions/upload-artifact from 2.3.1 to 3.1.0
+* [8697](https://github.com/kubernetes/ingress-nginx/pull/8697) Bump actions/setup-go from 2.2.0 to 3.2.0
+* [8695](https://github.com/kubernetes/ingress-nginx/pull/8695) Bump actions/download-artifact from 2 to 3
+* [8694](https://github.com/kubernetes/ingress-nginx/pull/8694) Bump crazy-max/ghaction-docker-buildx from 1.6.2 to 3.3.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.1.2...helm-chart-4.2.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.2.1.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.2.1.md
new file mode 100644
index 000000000..7965bb1c2
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.2.1.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.2.1
+
+* The sha of kube-webhook-certgen image & the opentelemetry image, in values file, was changed to new images built on alpine-v3.16.1
+* [8896](https://github.com/kubernetes/ingress-nginx/pull/8896) updated to new images built today
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.2.0...helm-chart-4.2.1
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.3.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.3.0.md
new file mode 100644
index 000000000..f9dca22d9
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.3.0.md
@@ -0,0 +1,14 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.3.0
+
+* Support for Kubernetes v.1.25.0 was added and support for endpoint slices
+* Support for Kubernetes v1.20.0 and v1.21.0 was removed
+* [8890](https://github.com/kubernetes/ingress-nginx/pull/8890) migrate to endpointslices
+* [9059](https://github.com/kubernetes/ingress-nginx/pull/9059) kubewebhookcertgen sha change after go1191
+* [9046](https://github.com/kubernetes/ingress-nginx/pull/9046) Parameterize metrics port name
+* [9104](https://github.com/kubernetes/ingress-nginx/pull/9104) Fix yaml formatting error with multiple annotations
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.2.1...helm-chart-4.3.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.4.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.4.0.md
new file mode 100644
index 000000000..20f9e2336
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.4.0.md
@@ -0,0 +1,12 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.4.0
+
+* Adding support for disabling liveness and readiness probes to the Helm chart by @njegosrailic in https://github.com/kubernetes/ingress-nginx/pull/9238
+* add:(admission-webhooks) ability to set securityContext by @ybelMekk in https://github.com/kubernetes/ingress-nginx/pull/9186
+* #7652 - Updated Helm chart to use the fullname for the electionID if not specified. by @FutureMatt in https://github.com/kubernetes/ingress-nginx/pull/9133
+* Rename controller-wehbooks-networkpolicy.yaml. by @Gacko in https://github.com/kubernetes/ingress-nginx/pull/9123
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.3.0...helm-chart-4.4.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/Changelog-4.5.2.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.5.2.md
similarity index 100%
rename from charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/Changelog-4.5.2.md
rename to charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.5.2.md
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/Changelog-4.6.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.6.0.md
similarity index 100%
rename from charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/Changelog-4.6.0.md
rename to charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.6.0.md
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/Changelog-4.6.1.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.6.1.md
similarity index 100%
rename from charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/Changelog-4.6.1.md
rename to charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.6.1.md
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/Changelog-4.7.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.7.0.md
similarity index 100%
rename from charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/Changelog-4.7.0.md
rename to charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.7.0.md
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/Changelog-4.7.1.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.7.1.md
similarity index 100%
rename from charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/Changelog-4.7.1.md
rename to charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.7.1.md
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.7.2.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.7.2.md
new file mode 100644
index 000000000..57b17b982
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.7.2.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.7.2
+
+* Update Ingress-Nginx version controller-v1.8.2
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.1...helm-chart-4.7.2
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.8.0-beta.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.8.0-beta.0.md
new file mode 100644
index 000000000..9072a75b4
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.8.0-beta.0.md
@@ -0,0 +1,13 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.0-beta.0
+
+* ci(helm): fix Helm Chart release action 422 error (#10237)
+* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
+* [helm] configure allow to configure hostAliases (#10180)
+* [helm] pass service annotations through helm tpl engine (#10084)
+* Update Ingress-Nginx version controller-v1.9.0-beta.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.2...helm-chart-4.8.0-beta.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.8.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.8.0.md
new file mode 100644
index 000000000..af8f1241f
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.8.0.md
@@ -0,0 +1,13 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.0
+
+* ci(helm): fix Helm Chart release action 422 error (#10237)
+* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)
+* [helm] configure allow to configure hostAliases (#10180)
+* [helm] pass service annotations through helm tpl engine (#10084)
+* Update Ingress-Nginx version controller-v1.9.0
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.2...helm-chart-4.8.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.8.1.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.8.1.md
new file mode 100644
index 000000000..53a4493de
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.8.1.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.1
+
+* Update Ingress-Nginx version controller-v1.9.1
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.0...helm-chart-4.8.1
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.8.2.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.8.2.md
new file mode 100644
index 000000000..9957c1a85
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.8.2.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.2
+
+* update nginx base, httpbun, e2e, helm webhook cert gen (#10506)
+* Update Ingress-Nginx version controller-v1.9.3
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.1...helm-chart-4.8.2
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.8.3.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.8.3.md
new file mode 100644
index 000000000..b8d4d56b3
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.8.3.md
@@ -0,0 +1,9 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.8.3
+
+* Update Ingress-Nginx version controller-v1.9.4
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.2...helm-chart-4.8.3
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.9.0.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.9.0.md
new file mode 100644
index 000000000..5c7729866
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.9.0.md
@@ -0,0 +1,13 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.9.0
+
+* - "Add controller.metrics.serviceMonitor.annotations in Helm chart"
+* - "fix(labels): use complete labels variable on default-backend deployment"
+* - "chart: allow setting allocateLoadBalancerNodePorts (#10693)"
+* - "[release-1.9] feat(helm): add documentation about metric args (#10695)"
+* - "Update Ingress-Nginx version controller-v1.9.5"
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.3...helm-chart-4.9.0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.9.1.md b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.9.1.md
new file mode 100644
index 000000000..c6120e736
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart-4.9.1.md
@@ -0,0 +1,10 @@
+# Changelog
+
+This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
+
+### 4.9.1
+
+* - "update web hook cert gen to latest release v20231226-1a7112e06"
+* - "Update Ingress-Nginx version controller-v1.9.6"
+
+**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.9.0...helm-chart-4.9.1
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog.md.gotmpl b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart.md.gotmpl
similarity index 83%
rename from charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog.md.gotmpl
rename to charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart.md.gotmpl
index de9885670..ef5add55d 100644
--- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog.md.gotmpl +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/changelog/helm-chart.md.gotmpl @@ -2,8 +2,10 @@ This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). -### {{ .NewHelmChartVersion }} +### {{ .NewHelmChartVersion }} {{ with .HelmUpdates }} -{{ range . }}* {{ . }} -{{ end }}{{ end }} +{{- range . }} +* {{ . }} +{{- end }} +{{ end }} **Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-{{ .PreviousHelmChartVersion }}...helm-chart-{{ .NewHelmChartVersion }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/ci/daemonset-extra-modules.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/ci/daemonset-extra-modules.yaml index f299dbf1c..52a32fcbd 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/ci/daemonset-extra-modules.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/ci/daemonset-extra-modules.yaml @@ -7,4 +7,7 @@ controller: type: ClusterIP extraModules: - name: opentelemetry - image: busybox + image: + registry: registry.k8s.io + image: busybox + tag: latest diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml index 2310c344e..91b1b98a8 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml 
@@ -9,4 +9,7 @@ controller: allowPrivilegeEscalation: false extraModules: - name: opentelemetry - image: busybox + image: + registry: registry.k8s.io + image: busybox + tag: latest diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml index bd2f011cc..b6013c7d0 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml @@ -7,6 +7,9 @@ controller: type: ClusterIP extraModules: - name: opentelemetry - image: busybox + image: + registry: registry.k8s.io + image: busybox + tag: latest containerSecurityContext: allowPrivilegeEscalation: false diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/ci/deployment-extra-modules.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/ci/deployment-extra-modules.yaml index ec5923548..2fbe1cc01 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/ci/deployment-extra-modules.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/ci/deployment-extra-modules.yaml @@ -7,4 +7,7 @@ controller: type: ClusterIP extraModules: - name: opentelemetry - image: busybox + image: + registry: registry.k8s.io + image: busybox + tag: latest diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml new file mode 100644 index 000000000..fb3ef4446 --- /dev/null 
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml @@ -0,0 +1,9 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + service: + type: ClusterIP + opentelemetry: + enabled: true diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/NOTES.txt b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/NOTES.txt index 9fe35c785..f4923007e 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/NOTES.txt +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/NOTES.txt 
@@ -6,24 +6,24 @@ Get the application URL by running these commands: {{- if (not (empty .Values.controller.service.nodePorts.http)) }} export HTTP_NODE_PORT={{ .Values.controller.service.nodePorts.http }} {{- else }} - export HTTP_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[0].nodePort}" {{ include "ingress-nginx.controller.fullname" . }}) + export HTTP_NODE_PORT=$(kubectl get service --namespace {{ include "ingress-nginx.namespace" . }} {{ include "ingress-nginx.controller.fullname" . }} --output jsonpath="{.spec.ports[0].nodePort}") {{- end }} {{- if (not (empty .Values.controller.service.nodePorts.https)) }} export HTTPS_NODE_PORT={{ .Values.controller.service.nodePorts.https }} {{- else }} - export HTTPS_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[1].nodePort}" {{ include "ingress-nginx.controller.fullname" . }}) + export HTTPS_NODE_PORT=$(kubectl get service --namespace {{ include "ingress-nginx.namespace" . }} {{ include "ingress-nginx.controller.fullname" . }} --output jsonpath="{.spec.ports[1].nodePort}") {{- end }} - export NODE_IP=$(kubectl --namespace {{ .Release.Namespace }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}") + export NODE_IP="$(kubectl get nodes --output jsonpath="{.items[0].status.addresses[1].address}")" - echo "Visit http://$NODE_IP:$HTTP_NODE_PORT to access your application via HTTP." - echo "Visit https://$NODE_IP:$HTTPS_NODE_PORT to access your application via HTTPS." + echo "Visit http://${NODE_IP}:${HTTP_NODE_PORT} to access your application via HTTP." + echo "Visit https://${NODE_IP}:${HTTPS_NODE_PORT} to access your application via HTTPS." {{- else if contains "LoadBalancer" .Values.controller.service.type }} -It may take a few minutes for the LoadBalancer IP to be available. 
-You can watch the status by running 'kubectl --namespace {{ .Release.Namespace }} get services -o wide -w {{ include "ingress-nginx.controller.fullname" . }}' +It may take a few minutes for the load balancer IP to be available. +You can watch the status by running 'kubectl get service --namespace {{ include "ingress-nginx.namespace" . }} {{ include "ingress-nginx.controller.fullname" . }} --output wide --watch' {{- else if contains "ClusterIP" .Values.controller.service.type }} Get the application URL by running these commands: - export POD_NAME=$(kubectl --namespace {{ .Release.Namespace }} get pods -o jsonpath="{.items[0].metadata.name}" -l "app={{ template "ingress-nginx.name" . }},component={{ .Values.controller.name }},release={{ .Release.Name }}") - kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80 + export POD_NAME="$(kubectl get pods --namespace {{ include "ingress-nginx.namespace" . }} --selector app.kubernetes.io/name={{ include "ingress-nginx.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=controller --output jsonpath="{.items[0].metadata.name}")" + kubectl port-forward --namespace {{ include "ingress-nginx.namespace" . }} "${POD_NAME}" 8080:80 echo "Visit http://127.0.0.1:8080 to access your application." {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/_helpers.tpl b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/_helpers.tpl index 548e8cf12..99246888e 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/_helpers.tpl +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/_helpers.tpl 
@@ -30,25 +30,40 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- end -}} {{- end -}} +{{/* +Expand the namespace of the release. +Allows overriding it for multi-namespace deployments in combined charts. +*/}} +{{- define "ingress-nginx.namespace" -}} +{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} {{/* -Container SecurityContext. +Controller container security context. */}} -{{- define "controller.containerSecurityContext" -}} +{{- define "ingress-nginx.controller.containerSecurityContext" -}} {{- if .Values.controller.containerSecurityContext -}} {{- toYaml .Values.controller.containerSecurityContext -}} {{- else -}} +runAsNonRoot: {{ .Values.controller.image.runAsNonRoot }} +runAsUser: {{ .Values.controller.image.runAsUser }} +allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }} +{{- if .Values.controller.image.seccompProfile }} +seccompProfile: {{ toYaml .Values.controller.image.seccompProfile | nindent 2 }} +{{- end }} capabilities: drop: - ALL add: - NET_BIND_SERVICE {{- if .Values.controller.image.chroot }} + {{- if .Values.controller.image.seccompProfile }} + - SYS_ADMIN + {{- end }} - SYS_CHROOT {{- end }} -runAsUser: {{ .Values.controller.image.runAsUser }} -allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }} -{{- end }} +readOnlyRootFilesystem: {{ .Values.controller.image.readOnlyRootFilesystem }} +{{- end -}} {{- end -}} {{/* @@ -102,7 +117,6 @@ By convention this will simply use the / to match th service generated. Users can provide an override for an explicit service they want bound via `.Values.controller.publishService.pathOverride` - */}} {{- define "ingress-nginx.controller.publishServicePath" -}} {{- $defServiceName := printf "%s/%s" "$(POD_NAMESPACE)" (include "ingress-nginx.controller.fullname" .) -}} 
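Review bot: The default branch of `ingress-nginx.controller.containerSecurityContext` widens privileges in two ways that its comment ("Controller container security context.") does not mention: `SYS_ADMIN` is added when both `controller.image.chroot` and `controller.image.seccompProfile` are set, and `allowPrivilegeEscalation` now renders true whenever `chroot` is true, whatever the explicit `allowPrivilegeEscalation` value says. I would extend the helper comment so operators see the cost next to the code, for example `With chroot enabled, allowPrivilegeEscalation is forced to true; SYS_ADMIN is added only when a seccompProfile is also set.` `runAsNonRoot` and `readOnlyRootFilesystem` are rendered straight from values with no fallback, so a values file that predates these keys would presumably render them empty; the chart's values.yaml is not part of this hunk, so that needs confirming against the parent chart's overrides. Setting `controller.containerSecurityContext` still replaces the whole block, including `drop: ALL`, which is worth stating in the same comment.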
@@ -110,14 +124,6 @@ Users can provide an override for an explicit service they want bound via `.Valu {{- print $servicePath | trimSuffix "-" -}} {{- end -}} -{{/* -Create a default fully qualified default backend name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "ingress-nginx.defaultBackend.fullname" -}} -{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - {{/* Common labels */}} 
@@ -153,6 +159,49 @@ Create the name of the controller service account to use {{- end -}} {{- end -}} +{{/* +Create a default fully qualified admission webhook name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "ingress-nginx.admissionWebhooks.fullname" -}} +{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.admissionWebhooks.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the admission webhook patch job service account to use +*/}} +{{- define "ingress-nginx.admissionWebhooks.patch.serviceAccountName" -}} +{{- if .Values.controller.admissionWebhooks.patch.serviceAccount.create -}} + {{ default (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.patch.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.controller.admissionWebhooks.patch.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified admission webhook secret creation job name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "ingress-nginx.admissionWebhooks.createSecretJob.fullname" -}} +{{- printf "%s-%s" (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.createSecretJob.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified admission webhook patch job name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "ingress-nginx.admissionWebhooks.patchWebhookJob.fullname" -}} +{{- printf "%s-%s" (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.patchWebhookJob.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. 
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "ingress-nginx.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{/* Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled */}} 
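Review bot: `ingress-nginx.admissionWebhooks.patch.serviceAccountName` resolves to the namespace's `default` service account when `patch.serviceAccount.create` is false and no `name` is given (`default "default" .Values.controller.admissionWebhooks.patch.serviceAccount.name`), and the helper comment does not say so. The RBAC the chart binds for the patch job is not visible in this hunk, but if it is bound to this name, every pod in the namespace that runs under `default` would share those rights. I would add a line to the comment such as `Falls back to the namespace's "default" service account when create is false and no name is set.`, and check the job's role binding template before deploying with `create: false`.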
@@ -165,52 +214,59 @@ Create the name of the backend service account to use - only used when podsecuri {{- end -}} {{/* -Return the appropriate apiGroup for PodSecurityPolicy. +Default backend container security context. */}} -{{- define "podSecurityPolicy.apiGroup" -}} -{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "policy" -}} +{{- define "ingress-nginx.defaultBackend.containerSecurityContext" -}} +{{- if .Values.defaultBackend.containerSecurityContext -}} +{{- toYaml .Values.defaultBackend.containerSecurityContext -}} {{- else -}} -{{- print "extensions" -}} +runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }} +runAsUser: {{ .Values.defaultBackend.image.runAsUser }} +allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }} +{{- if .Values.defaultBackend.image.seccompProfile }} +seccompProfile: {{ toYaml .Values.defaultBackend.image.seccompProfile | nindent 2 }} +{{- end }} +capabilities: + drop: + - ALL +readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }} {{- end -}} {{- end -}} {{/* -Check the ingress controller version tag is at most three versions behind the last release +Return the appropriate apiGroup for PodSecurityPolicy. */}} -{{- define "isControllerTagValid" -}} -{{- if not (semverCompare ">=0.27.0-0" .Values.controller.image.tag) -}} -{{- fail "Controller container image tag should be 0.27.0 or higher" -}} -{{- end -}} +{{- define "podSecurityPolicy.apiGroup" -}} +{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +{{- print "policy" -}} +{{- else -}} +{{- print "extensions" -}} {{- end -}} - -{{/* -IngressClass parameters. -*/}} -{{- define "ingressClass.parameters" -}} - {{- if .Values.controller.ingressClassResource.parameters -}} - parameters: -{{ toYaml .Values.controller.ingressClassResource.parameters | indent 4}} - {{ end }} {{- end -}} {{/* Extra modules. 
*/}} {{- define "extraModules" -}} - - name: {{ .name }} - image: {{ .image }} - {{- if .distroless | default false }} - command: ['/init_module'] + {{- with .image }} + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} + command: + {{- if .distroless }} + - /init_module {{- else }} - command: ['sh', '-c', '/usr/local/bin/init_module.sh'] + - sh + - -c + - /usr/local/bin/init_module.sh + {{- end }} {{- end }} {{- if .containerSecurityContext }} - securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }} + securityContext: {{ toYaml .containerSecurityContext | nindent 4 }} + {{- end }} + {{- if .resources }} + resources: {{ toYaml .resources | nindent 4 }} {{- end }} volumeMounts: - - name: {{ toYaml "modules"}} - mountPath: {{ toYaml "/modules_mount"}} - + - name: modules + mountPath: /modules_mount {{- end -}} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/_params.tpl b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/_params.tpl index a1aef01ae..48569a8b0 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/_params.tpl +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/_params.tpl @@ -1,5 +1,8 @@ {{- define "ingress-nginx.params" -}} - /nginx-ingress-controller +{{- if .Values.controller.enableAnnotationValidations }} +- --enable-annotation-validation=true +{{- end }} {{- if .Values.defaultBackend.enabled }} - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }} {{- end }} 
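Review bot: In `ingress-nginx.defaultBackend.containerSecurityContext`, a non-empty `defaultBackend.containerSecurityContext` replaces the hardened defaults of the `else` branch wholesale instead of being merged over them. An override that sets a single field therefore drops `capabilities.drop: ALL`, `allowPrivilegeEscalation` and `readOnlyRootFilesystem` without any warning. The template comment should say so, for example `Setting defaultBackend.containerSecurityContext replaces every default below; repeat the fields you still need.` The `else` branch also renders the `defaultBackend.image.*` values unguarded, so an unset `runAsNonRoot` would come out as an empty field. Whether values.yaml always defines them is not visible in this hunk.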
@@ -26,7 +29,7 @@ - --watch-namespace={{ default "$(POD_NAMESPACE)" .Values.controller.scope.namespace }} {{- end }} {{- if and (not .Values.controller.scope.enabled) .Values.controller.scope.namespaceSelector }} -- --watch-namespace-selector={{ default "" .Values.controller.scope.namespaceSelector }} +- --watch-namespace-selector={{ .Values.controller.scope.namespaceSelector }} {{- end }} {{- if and .Values.controller.reportNodeInternalIp .Values.controller.hostNetwork }} - --report-node-internal-ip-address={{ .Values.controller.reportNodeInternalIp }} @@ -51,9 +54,18 @@ {{- if .Values.controller.watchIngressWithoutClass }} - --watch-ingress-without-class=true {{- end }} +{{- if not .Values.controller.metrics.enabled }} +- --enable-metrics={{ .Values.controller.metrics.enabled }} +{{- end }} {{- if .Values.controller.enableTopologyAwareRouting }} - --enable-topology-aware-routing=true {{- end }} +{{- if .Values.controller.disableLeaderElection }} +- --disable-leader-election=true +{{- end }} +{{- if .Values.controller.electionTTL }} +- --election-ttl={{ .Values.controller.electionTTL }} +{{- end }} {{- range $key, $value := .Values.controller.extraArgs }} {{- /* Accept keys without values or with false as value */}} {{- if eq ($value | quote | len) 2 }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml index 55fab471c..db2946c3d 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml 
@@ -6,7 +6,7 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: {{ include "ingress-nginx.fullname" . }}-self-signed-issuer - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: selfSigned: {} --- @@ -15,7 +15,7 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: {{ include "ingress-nginx.fullname" . }}-root-cert - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: secretName: {{ include "ingress-nginx.fullname" . }}-root-cert duration: {{ .Values.controller.admissionWebhooks.certManager.rootCert.duration | default "43800h0m0s" | quote }} @@ -32,7 +32,7 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: {{ include "ingress-nginx.fullname" . }}-root-issuer - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: ca: secretName: {{ include "ingress-nginx.fullname" . }}-root-cert @@ -42,10 +42,10 @@ spec: apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission - namespace: {{ .Release.Namespace }} + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: - secretName: {{ include "ingress-nginx.fullname" . }}-admission + secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} duration: {{ .Values.controller.admissionWebhooks.certManager.admissionCert.duration | default "8760h0m0s" | quote }} issuerRef: {{- if .Values.controller.admissionWebhooks.certManager.issuerRef }} 
@@ -55,8 +55,8 @@ spec: {{- end }} dnsNames: - {{ include "ingress-nginx.controller.fullname" . }}-admission - - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }} - - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}.svc + - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ include "ingress-nginx.namespace" . }} + - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ include "ingress-nginx.namespace" . }}.svc subject: organizations: - ingress-nginx-admission diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml index f9ec70974..a21848201 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml @@ -1,8 +1,8 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 
@@ -21,14 +21,13 @@ rules: - get - update {{- if .Values.podSecurityPolicy.enabled }} - - apiGroups: ['extensions'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: + - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] + resources: ['podsecuritypolicies'] + verbs: ['use'] {{- with .Values.controller.admissionWebhooks.existingPsp }} - - {{ . }} + resourceNames: [{{ . }}] {{- else }} - - {{ include "ingress-nginx.fullname" . }}-admission + resourceNames: [{{ include "ingress-nginx.admissionWebhooks.fullname" . }}] {{- end }} {{- end }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml index 871953261..b89388433 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml @@ -1,8 +1,8 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded 
@@ -15,9 +15,9 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ include "ingress-nginx.fullname" . }}-admission + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} subjects: - kind: ServiceAccount - name: {{ include "ingress-nginx.fullname" . }}-admission - namespace: {{ .Release.Namespace | quote }} + name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml index d93433ecd..176616467 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml @@ -2,8 +2,8 @@ apiVersion: batch/v1 kind: Job metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission-create - namespace: {{ .Release.Namespace }} + name: {{ include "ingress-nginx.admissionWebhooks.createSecretJob.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} annotations: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded @@ -23,7 +23,7 @@ spec: {{- end }} template: metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission-create + name: {{ include "ingress-nginx.admissionWebhooks.createSecretJob.fullname" . }} {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }} annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }} {{- end }} 
@@ -43,14 +43,14 @@ spec: containers: - name: create {{- with .Values.controller.admissionWebhooks.patch.image }} - image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} {{- end }} imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} args: - create - --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.$(POD_NAMESPACE).svc - --namespace=$(POD_NAMESPACE) - - --secret-name={{ include "ingress-nginx.fullname" . }}-admission + - --secret-name={{ include "ingress-nginx.admissionWebhooks.fullname" . }} env: - name: POD_NAMESPACE valueFrom: @@ -66,15 +66,14 @@ spec: resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }} {{- end }} restartPolicy: OnFailure - serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission + serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} {{- end }} {{- if .Values.controller.admissionWebhooks.patch.tolerations }} tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }} {{- end }} - {{- if .Values.controller.admissionWebhooks.patch.securityContext }} - securityContext: - {{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }} - {{- end }} + {{- if .Values.controller.admissionWebhooks.patch.securityContext }} + securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }} + {{- end }} {{- end }} 
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml index 0fa3ff9a2..f7d44a24d 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml @@ -2,8 +2,8 @@ apiVersion: batch/v1 kind: Job metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission-patch - namespace: {{ .Release.Namespace }} + name: {{ include "ingress-nginx.admissionWebhooks.patchWebhookJob.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} annotations: "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded @@ -23,7 +23,7 @@ spec: {{- end }} template: metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission-patch + name: {{ include "ingress-nginx.admissionWebhooks.patchWebhookJob.fullname" . }} {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }} annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }} {{- end }} 
@@ -43,15 +43,15 @@ spec: containers: - name: patch {{- with .Values.controller.admissionWebhooks.patch.image }} - image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} {{- end }} imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} args: - patch - - --webhook-name={{ include "ingress-nginx.fullname" . }}-admission + - --webhook-name={{ include "ingress-nginx.admissionWebhooks.fullname" . }} - --namespace=$(POD_NAMESPACE) - --patch-mutating=false - - --secret-name={{ include "ingress-nginx.fullname" . }}-admission + - --secret-name={{ include "ingress-nginx.admissionWebhooks.fullname" . }} - --patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy }} env: - name: POD_NAMESPACE 
@@ -68,15 +68,14 @@ spec: resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }} {{- end }} restartPolicy: OnFailure - serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission + serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} {{- end }} {{- if .Values.controller.admissionWebhooks.patch.tolerations }} tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }} {{- end }} - {{- if .Values.controller.admissionWebhooks.patch.securityContext }} - securityContext: - {{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }} - {{- end }} + {{- if .Values.controller.admissionWebhooks.patch.securityContext }} + securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }} + {{- end }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml index 08b32257c..a8f38df96 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml 
@@ -1,9 +1,9 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.networkPolicyEnabled }} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.networkPolicy.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission - namespace: {{ .Release.Namespace }} + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded @@ -16,11 +16,11 @@ metadata: spec: podSelector: matchLabels: - {{- include "ingress-nginx.labels" . | nindent 6 }} + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} app.kubernetes.io/component: admission-webhook policyTypes: - - Ingress - - Egress + - Ingress + - Egress egress: - - {} + - {} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml index e19c95572..8e5dc72ac 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml 
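Review bot: The NetworkPolicy gate moves from `controller.admissionWebhooks.networkPolicyEnabled` to `controller.admissionWebhooks.patch.networkPolicy.enabled` with no handling of the old key. A values override that still sets the old key will render without this policy after the upgrade, and nothing reports it. I would add a guard ahead of the `if`, such as `{{- if hasKey .Values.controller.admissionWebhooks "networkPolicyEnabled" }}{{ fail "networkPolicyEnabled moved to patch.networkPolicy.enabled" }}{{ end }}`, or at least call the rename out in the upgrade notes. Separately, the second hunk keeps `egress: - {}`, so the patch pods retain unrestricted egress and the policy only blocks ingress to them.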
@@ -1,12 +1,13 @@ {{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}} +{{- if and .Values.podSecurityPolicy.enabled .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" labels: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: admission-webhook @@ -14,28 +15,38 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - allowPrivilegeEscalation: false + privileged: false + hostPID: false + hostIPC: false + hostNetwork: false + volumes: + - configMap + - downwardAPI + - emptyDir + - secret + - projected fsGroup: - ranges: - - max: 65535 - min: 1 rule: MustRunAs - requiredDropCapabilities: - - ALL + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: true runAsUser: rule: MustRunAsNonRoot - seLinux: - rule: RunAsAny - supplementalGroups: + runAsGroup: + rule: MustRunAs ranges: - - max: 65535 - min: 1 + - min: 1 + max: 65535 + supplementalGroups: rule: MustRunAs - volumes: - - configMap - - emptyDir - - projected - - secret - - downwardAPI + ranges: + - min: 1 + max: 65535 + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL + seLinux: + rule: RunAsAny {{- end }} {{- end }} 
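Review bot: The added annotation `seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"` lets pods admitted under this PodSecurityPolicy request any seccomp profile, including `unconfined`. That undercuts the tightening the second hunk makes in the spec (`readOnlyRootFilesystem: true`, `hostNetwork: false`, `runAsGroup`). For the admission patch jobs I would restrict it to the runtime default, `seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default`, and set `seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default` alongside it. The template only renders on clusters older than 1.25, so this matters only where PSP is still enforced.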
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml index ea7c20818..c4b23aa08 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml @@ -1,9 +1,9 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission - namespace: {{ .Release.Namespace }} + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml index 60c3f4ff0..425e8d821 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml 
@@ -1,9 +1,9 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission - namespace: {{ .Release.Namespace }} + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded @@ -16,9 +16,9 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ include "ingress-nginx.fullname" . }}-admission + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} subjects: - kind: ServiceAccount - name: {{ include "ingress-nginx.fullname" . }}-admission - namespace: {{ .Release.Namespace | quote }} + name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml index 00be54ec5..52f94dcce 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml 
@@ -1,9 +1,9 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.serviceAccount.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission - namespace: {{ .Release.Namespace }} + name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} + namespace: {{ include "ingress-nginx.namespace" . }} annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded @@ -13,4 +13,5 @@ metadata: {{- with .Values.controller.admissionWebhooks.patch.labels }} {{- toYaml . | nindent 4 }} {{- end }} +automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml index f27244dc9..4cd36a62e 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml 
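Review bot: The new `automountServiceAccountToken:` line in the second hunk is rendered straight from `patch.serviceAccount.automountServiceAccountToken` with no guard. If a values override drops that key, the field is emitted with an empty value and the API default (token mounted) applies silently. The usual `default true` filter does not help here, because `default` treats an explicit `false` as empty. A `hasKey` check or a short comment on the line would make the behaviour explicit. The jobs that use this account appear to need API access to create the secret and patch the webhook, so setting the value to false probably requires the pod spec to opt back in; the job templates shown in this diff do not set it.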
@@ -6,8 +6,8 @@ kind: ValidatingWebhookConfiguration metadata: annotations: {{- if .Values.controller.admissionWebhooks.certManager.enabled }} - certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }} - cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }} + certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s" (include "ingress-nginx.namespace" .) (include "ingress-nginx.admissionWebhooks.fullname" .) | quote }} + cert-manager.io/inject-ca-from: {{ printf "%s/%s" (include "ingress-nginx.namespace" .) (include "ingress-nginx.admissionWebhooks.fullname" .) | quote }} {{- end }} {{- if .Values.controller.admissionWebhooks.annotations }} {{- toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }} @@ -18,7 +18,7 @@ metadata: {{- with .Values.controller.admissionWebhooks.labels }} {{- toYaml . | nindent 4 }} {{- end }} - name: {{ include "ingress-nginx.fullname" . }}-admission + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} webhooks: - name: validate.nginx.ingress.kubernetes.io matchPolicy: Equivalent @@ -38,8 +38,8 @@ webhooks: - v1 clientConfig: service: - namespace: {{ .Release.Namespace | quote }} name: {{ include "ingress-nginx.controller.fullname" . }}-admission + namespace: {{ include "ingress-nginx.namespace" . }} path: /networking/v1/ingresses {{- if .Values.controller.admissionWebhooks.timeoutSeconds }} timeoutSeconds: {{ .Values.controller.admissionWebhooks.timeoutSeconds }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/clusterrolebinding.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/clusterrolebinding.yaml index acbbd8b10..8f91aac80 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/clusterrolebinding.yaml 
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/clusterrolebinding.yaml @@ -15,5 +15,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "ingress-nginx.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml index dfd49a126..4e4bd1310 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml @@ -9,6 +9,6 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.fullname" . }}-custom-add-headers - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} data: {{ toYaml .Values.controller.addHeaders | nindent 2 }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml index 38feb721f..0a22600db 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml @@ -9,6 +9,6 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.fullname" . }}-custom-proxy-headers - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} data: {{ toYaml .Values.controller.proxySetHeaders | nindent 2 }} {{- end }} 
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-configmap-tcp.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-configmap-tcp.yaml index 0f6088ea9..131a9ad51 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-configmap-tcp.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-configmap-tcp.yaml @@ -12,6 +12,6 @@ metadata: annotations: {{ toYaml .Values.controller.tcp.annotations | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.fullname" . }}-tcp - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} data: {{ tpl (toYaml .Values.tcp) . | nindent 2 }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-configmap-udp.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-configmap-udp.yaml index 3772ec514..7137da9ad 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-configmap-udp.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-configmap-udp.yaml @@ -12,6 +12,6 @@ metadata: annotations: {{ toYaml .Values.controller.udp.annotations | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.fullname" . }}-udp - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} data: {{ tpl (toYaml .Values.udp) . | nindent 2 }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-configmap.yaml index 9ec2b8369..22080d115 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-configmap.yaml 
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-configmap.yaml @@ -11,18 +11,18 @@ metadata: annotations: {{ toYaml .Values.controller.configAnnotations | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} data: allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}" {{- if .Values.controller.addHeaders }} - add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers + add-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers {{- end }} {{- if .Values.controller.proxySetHeaders }} - proxy-set-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers + proxy-set-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers {{- end }} {{- if .Values.dhParam }} - ssl-dh-param: {{ .Release.Namespace }}/{{ include "ingress-nginx.controller.fullname" . }} + ssl-dh-param: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.controller.fullname" . }} {{- end }} {{- range $key, $value := .Values.controller.config }} - {{- $key | nindent 2 }}: {{ $value | quote }} + {{- $key | nindent 2 }}: {{ tpl (toString $value) $ | quote }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-daemonset.yaml index 82abe7564..fcc633d3d 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-daemonset.yaml 
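Review bot: `tpl (toString $value) $` in the `controller.config` range now evaluates every ConfigMap value as a Helm template in the release context. A value containing a literal `{{` will either fail rendering or be rewritten before it reaches nginx. Values files that come from a less trusted source than the chart itself now deserve the same review as templates. A comment above the range would make this visible, for example `{{- /* values are rendered with tpl; escape literal double braces */}}`, and the values documentation should mention it too.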
@@ -1,5 +1,4 @@ -{{- if or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both") -}} -{{- include "isControllerTagValid" . -}} +{{- if eq .Values.controller.kind "DaemonSet" -}} apiVersion: apps/v1 kind: DaemonSet metadata: @@ -10,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- if .Values.controller.annotations }} annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} {{- end }} @@ -45,6 +44,9 @@ spec: {{- if .Values.controller.dnsConfig }} dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }} {{- end }} + {{- if .Values.controller.hostAliases }} + hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }} + {{- end }} {{- if .Values.controller.hostname }} hostname: {{ toYaml .Values.controller.hostname | nindent 8 }} {{- end }} @@ -57,16 +59,16 @@ spec: {{- end }} {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} securityContext: - {{- end }} - {{- if .Values.controller.podSecurityContext }} + {{- if .Values.controller.podSecurityContext }} {{- toYaml .Values.controller.podSecurityContext | nindent 8 }} - {{- end }} - {{- if .Values.controller.sysctls }} + {{- end }} + {{- if .Values.controller.sysctls }} sysctls: - {{- range $sysctl, $value := .Values.controller.sysctls }} - - name: {{ $sysctl | quote }} - value: {{ $value | quote }} - {{- end }} + {{- range $sysctl, $value := .Values.controller.sysctls }} + - name: {{ $sysctl | quote }} + value: {{ $value | quote }} + {{- end }} + {{- end }} {{- end }} {{- if .Values.controller.shareProcessNamespace }} shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }} 
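Review bot: With the `Both` branch removed from the opening condition, a values file that still sets `controller.kind: Both` renders neither this DaemonSet nor the Deployment, and nothing reports it. The same narrowing appears in the first hunks of controller-deployment.yaml, controller-hpa.yaml and controller-keda.yaml, so an upgrade with an old override would remove the ingress controller silently. A guard in an always-rendered template makes the render fail instead: `{{- if not (has .Values.controller.kind (list "Deployment" "DaemonSet")) }}{{ fail "controller.kind must be Deployment or DaemonSet" }}{{- end }}`. The `isControllerTagValid` include is dropped as well, and its definition is not visible here, so it is worth confirming that whatever it checked about the image tag is no longer needed. The `if` block closes outside this hunk.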
@@ -74,15 +76,14 @@ spec: containers: - name: {{ .Values.controller.containerName }} {{- with .Values.controller.image }} - image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}" + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }} {{- end }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }} {{- if .Values.controller.lifecycle }} lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }} {{- end }} - args: - {{- include "ingress-nginx.params" . | nindent 12 }} - securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }} + args: {{ include "ingress-nginx.params" . | nindent 12 }} + securityContext: {{ include "ingress-nginx.controller.containerSecurityContext" . | nindent 12 }} env: - name: POD_NAME valueFrom: @@ -147,11 +148,11 @@ spec: volumeMounts: {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - name: modules - {{ if .Values.controller.image.chroot }} + {{- if .Values.controller.image.chroot }} mountPath: /chroot/modules_mount - {{ else }} + {{- else }} mountPath: /modules_mount - {{ end }} + {{- end }} {{- end }} {{- if .Values.controller.customTemplate.configMapName }} - mountPath: /etc/nginx/template 
@@ -171,23 +172,25 @@ spec: resources: {{ toYaml .Values.controller.resources | nindent 12 }} {{- end }} {{- if .Values.controller.extraContainers }} - {{ toYaml .Values.controller.extraContainers | nindent 8 }} + {{- toYaml .Values.controller.extraContainers | nindent 8 }} {{- end }} {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} initContainers: {{- if .Values.controller.extraInitContainers }} - {{ toYaml .Values.controller.extraInitContainers | nindent 8 }} + {{- toYaml .Values.controller.extraInitContainers | nindent 8 }} {{- end }} {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} - {{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} -{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }} + {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} + {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.controller.opentelemetry.enabled }} + {{- with .Values.controller.opentelemetry }} + {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} + {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} {{- end }} {{- end }} - {{- if .Values.controller.opentelemetry.enabled}} - {{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" 
$otelContainerSecurityContext) | nindent 8}} - {{- end}} {{- end }} {{- if .Values.controller.hostNetwork }} hostNetwork: {{ .Values.controller.hostNetwork }} @@ -199,10 +202,10 @@ spec: tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }} {{- end }} {{- if .Values.controller.affinity }} - affinity: {{ toYaml .Values.controller.affinity | nindent 8 }} + affinity: {{ tpl (toYaml .Values.controller.affinity) $ | nindent 8 }} {{- end }} {{- if .Values.controller.topologySpreadConstraints }} - topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }} + topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }} {{- end }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} @@ -223,7 +226,7 @@ spec: {{- if .Values.controller.admissionWebhooks.enabled }} - name: webhook-cert secret: - secretName: {{ include "ingress-nginx.fullname" . }}-admission + secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} {{- if .Values.controller.admissionWebhooks.certManager.enabled }} items: - key: tls.crt diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-deployment.yaml index 7fe8804ea..5211acd0b 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-deployment.yaml @@ -1,5 +1,4 @@ -{{- if or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both") -}} -{{- include "isControllerTagValid" . -}} +{{- if eq .Values.controller.kind "Deployment" -}} apiVersion: apps/v1 kind: Deployment metadata: 
@@ -10,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- if .Values.controller.annotations }} annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} {{- end }} @@ -19,13 +18,12 @@ spec: matchLabels: {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} app.kubernetes.io/component: controller - {{- if not .Values.controller.autoscaling.enabled }} + {{- if eq .Values.controller.autoscaling.enabled .Values.controller.keda.enabled }} replicas: {{ .Values.controller.replicaCount }} {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} {{- if .Values.controller.updateStrategy }} - strategy: - {{ toYaml .Values.controller.updateStrategy | nindent 4 }} + strategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }} {{- end }} minReadySeconds: {{ .Values.controller.minReadySeconds }} template: @@ -49,6 +47,9 @@ spec: {{- if .Values.controller.dnsConfig }} dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }} {{- end }} + {{- if .Values.controller.hostAliases }} + hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }} + {{- end }} {{- if .Values.controller.hostname }} hostname: {{ toYaml .Values.controller.hostname | nindent 8 }} {{- end }} 
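Review bot: The new `replicas` condition `eq .Values.controller.autoscaling.enabled .Values.controller.keda.enabled` is also true when both flags are enabled, and in that case neither scaler is rendered. controller-hpa.yaml requires `not .Values.controller.keda.enabled` and controller-keda.yaml now requires `not .Values.controller.autoscaling.enabled`, so the controller runs at a fixed `replicaCount` with no message although autoscaling was requested. Failing the render is clearer: `{{- if and .Values.controller.autoscaling.enabled .Values.controller.keda.enabled }}{{ fail "enable either controller.autoscaling or controller.keda, not both" }}{{- end }}`. The Deployment spec continues outside this hunk.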
@@ -61,16 +62,16 @@ spec: {{- end }} {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} securityContext: - {{- end }} - {{- if .Values.controller.podSecurityContext }} + {{- if .Values.controller.podSecurityContext }} {{- toYaml .Values.controller.podSecurityContext | nindent 8 }} - {{- end }} - {{- if .Values.controller.sysctls }} + {{- end }} + {{- if .Values.controller.sysctls }} sysctls: - {{- range $sysctl, $value := .Values.controller.sysctls }} - - name: {{ $sysctl | quote }} - value: {{ $value | quote }} - {{- end }} + {{- range $sysctl, $value := .Values.controller.sysctls }} + - name: {{ $sysctl | quote }} + value: {{ $value | quote }} + {{- end }} + {{- end }} {{- end }} {{- if .Values.controller.shareProcessNamespace }} shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }} @@ -78,15 +79,14 @@ spec: containers: - name: {{ .Values.controller.containerName }} {{- with .Values.controller.image }} - image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}" + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }} {{- end }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }} {{- if .Values.controller.lifecycle }} lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }} {{- end }} - args: - {{- include "ingress-nginx.params" . | nindent 12 }} - securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }} + args: {{ include "ingress-nginx.params" . | nindent 12 }} + securityContext: {{ include "ingress-nginx.controller.containerSecurityContext" . | nindent 12 }} env: - name: POD_NAME valueFrom: 
@@ -151,11 +151,11 @@ spec: volumeMounts: {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - name: modules - {{ if .Values.controller.image.chroot }} + {{- if .Values.controller.image.chroot }} mountPath: /chroot/modules_mount - {{ else }} + {{- else }} mountPath: /modules_mount - {{ end }} + {{- end }} {{- end }} {{- if .Values.controller.customTemplate.configMapName }} - mountPath: /etc/nginx/template 
@@ -175,23 +175,25 @@ spec: resources: {{ toYaml .Values.controller.resources | nindent 12 }} {{- end }} {{- if .Values.controller.extraContainers }} - {{ toYaml .Values.controller.extraContainers | nindent 8 }} + {{- toYaml .Values.controller.extraContainers | nindent 8 }} {{- end }} {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} initContainers: {{- if .Values.controller.extraInitContainers }} - {{ toYaml .Values.controller.extraInitContainers | nindent 8 }} + {{- toYaml .Values.controller.extraInitContainers | nindent 8 }} {{- end }} {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} - {{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} -{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }} + {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} + {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.controller.opentelemetry.enabled }} + {{- with .Values.controller.opentelemetry }} + {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} + {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} {{- end }} {{- end }} - {{- if .Values.controller.opentelemetry.enabled}} - {{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" 
$otelContainerSecurityContext "distroless" false) | nindent 8}} - {{- end}} {{- end }} {{- if .Values.controller.hostNetwork }} hostNetwork: {{ .Values.controller.hostNetwork }} @@ -203,10 +205,10 @@ spec: tolerations: {{ toYaml .Values.controller.tolerations | nindent 8 }} {{- end }} {{- if .Values.controller.affinity }} - affinity: {{ toYaml .Values.controller.affinity | nindent 8 }} + affinity: {{ tpl (toYaml .Values.controller.affinity) $ | nindent 8 }} {{- end }} {{- if .Values.controller.topologySpreadConstraints }} - topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }} + topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }} {{- end }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} @@ -227,7 +229,7 @@ spec: {{- if .Values.controller.admissionWebhooks.enabled }} - name: webhook-cert secret: - secretName: {{ include "ingress-nginx.fullname" . }}-admission + secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} {{- if .Values.controller.admissionWebhooks.certManager.enabled }} items: - key: tls.crt diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-hpa.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-hpa.yaml index f212bc4f5..ec9ad7380 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-hpa.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-hpa.yaml 
@@ -1,4 +1,4 @@ -{{- if and (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) -}} +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) -}} apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }} kind: HorizontalPodAutoscaler metadata: @@ -12,7 +12,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: scaleTargetRef: apiVersion: apps/v1 diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-ingressclass-aliases.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-ingressclass-aliases.yaml new file mode 100644 index 000000000..ffe22310c --- /dev/null +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-ingressclass-aliases.yaml @@ -0,0 +1,23 @@ +{{- if .Values.controller.ingressClassResource.enabled -}} +{{- range .Values.controller.ingressClassResource.aliases }} +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + {{- include "ingress-nginx.labels" $ | nindent 4 }} + app.kubernetes.io/component: controller + {{- with $.Values.controller.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ . }} + {{- if $.Values.controller.ingressClassResource.annotations }} + annotations: {{ toYaml $.Values.controller.ingressClassResource.annotations | nindent 4 }} + {{- end }} +spec: + controller: {{ $.Values.controller.ingressClassResource.controllerValue }} + {{- with $.Values.controller.ingressClassResource.parameters }} + parameters: {{ toYaml . | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} 
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-ingressclass.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-ingressclass.yaml index 9492784a2..98479a529 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-ingressclass.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-ingressclass.yaml @@ -1,6 +1,4 @@ {{- if .Values.controller.ingressClassResource.enabled -}} -# We don't support namespaced ingressClass yet -# So a ClusterRole and a ClusterRoleBinding is required apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: @@ -11,11 +9,18 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ .Values.controller.ingressClassResource.name }} -{{- if .Values.controller.ingressClassResource.default }} + {{- if or .Values.controller.ingressClassResource.default .Values.controller.ingressClassResource.annotations }} annotations: + {{- if .Values.controller.ingressClassResource.default }} ingressclass.kubernetes.io/is-default-class: "true" -{{- end }} + {{- end }} + {{- if .Values.controller.ingressClassResource.annotations }} + {{- toYaml .Values.controller.ingressClassResource.annotations | nindent 4 }} + {{- end }} + {{- end }} spec: controller: {{ .Values.controller.ingressClassResource.controllerValue }} - {{ template "ingressClass.parameters" . }} + {{- with .Values.controller.ingressClassResource.parameters }} + parameters: {{ toYaml . | nindent 4 }} + {{- end }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-keda.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-keda.yaml index c0d95a98e..24d30fa0a 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-keda.yaml 
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-keda.yaml @@ -1,6 +1,4 @@ -{{- if and .Values.controller.keda.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}} -# https://keda.sh/docs/ - +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.keda.enabled (not .Values.controller.autoscaling.enabled) -}} apiVersion: {{ .Values.controller.keda.apiVersion }} kind: ScaledObject metadata: @@ -11,6 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- if .Values.controller.keda.scaledObject.annotations }} annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-networkpolicy.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-networkpolicy.yaml new file mode 100644 index 000000000..e68f9916d --- /dev/null +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-networkpolicy.yaml 
@@ -0,0 +1,45 @@ +{{- if .Values.controller.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- with .Values.controller.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "ingress-nginx.controller.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} +spec: + podSelector: + matchLabels: + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: controller + policyTypes: + - Ingress + - Egress + ingress: + - ports: + {{- range $key, $value := .Values.controller.containerPort }} + - protocol: TCP + port: {{ $value }} + {{- end }} + {{- if .Values.controller.metrics.enabled }} + - protocol: TCP + port: {{ .Values.controller.metrics.port }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - protocol: TCP + port: {{ .Values.controller.admissionWebhooks.port }} + {{- end }} + {{- range $key, $value := .Values.tcp }} + - protocol: TCP + port: {{ $key }} + {{- end }} + {{- range $key, $value := .Values.udp }} + - protocol: UDP + port: {{ $key }} + {{- end }} + egress: + - {} +{{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml index 91be5801f..8e0181f9f 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml 
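Review bot: This NetworkPolicy restricts ports only. The single ingress rule has no `from`, so the metrics port and the admission webhook port are reachable from every pod and namespace, just like the HTTP/HTTPS ports. `egress: - {}` allows all outbound traffic even though `Egress` is listed in `policyTypes`, so setting `controller.networkPolicy.enabled` can look like isolation while adding little. I would move the metrics and webhook ports into their own ingress rules with a `from` selector chosen by the operator, or at minimum state the scope above `spec:`, e.g. `# Restricts listening ports only; sources and egress are unrestricted`.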
@@ -1,4 +1,13 @@ -{{- if or (and .Values.controller.autoscaling.enabled (gt (.Values.controller.autoscaling.minReplicas | int) 1)) (and (not .Values.controller.autoscaling.enabled) (gt (.Values.controller.replicaCount | int) 1)) }} +# PDB is not supported for DaemonSets. +# https://github.com/kubernetes/kubernetes/issues/108124 +{{- if eq .Values.controller.kind "Deployment" }} +{{- $replicas := .Values.controller.replicaCount }} +{{- if and .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) }} +{{- $replicas = .Values.controller.autoscaling.minReplicas }} +{{- else if and .Values.controller.keda.enabled (not .Values.controller.autoscaling.enabled) }} +{{- $replicas = .Values.controller.keda.minReplicas }} +{{- end }} +{{- if gt ($replicas | int) 1 }} apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} kind: PodDisruptionBudget metadata: @@ -9,7 +18,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- if .Values.controller.annotations }} annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} {{- end }} @@ -24,3 +33,4 @@ spec: maxUnavailable: {{ .Values.controller.maxUnavailable }} {{- end }} {{- end }} +{{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-prometheusrules.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-prometheusrules.yaml index 78b5362e8..41684c370 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-prometheusrules.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-prometheusrules.yaml 
@@ -1,10 +1,12 @@ -{{- if and ( .Values.controller.metrics.enabled ) ( .Values.controller.metrics.prometheusRule.enabled ) ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) -}} +{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.prometheusRule.enabled -}} apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: name: {{ include "ingress-nginx.controller.fullname" . }} {{- if .Values.controller.metrics.prometheusRule.namespace }} - namespace: {{ .Values.controller.metrics.prometheusRule.namespace | quote }} + namespace: {{ .Values.controller.metrics.prometheusRule.namespace }} +{{- else }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-psp.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-psp.yaml index 3c499b9d4..aad1d2736 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-psp.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-psp.yaml @@ -4,6 +4,8 @@ apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: {{ include "ingress-nginx.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" labels: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: controller 
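Review bot: The added annotation `seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"` lets pods admitted under this PodSecurityPolicy use any seccomp profile, including `unconfined`. Unless the controller needs arbitrary profiles, list the ones actually in use, for example `seccomp.security.alpha.kubernetes.io/allowedProfileNames: "runtime/default"`, and add a localhost profile only when `controller.image.seccompProfile` is set. The metadata block continues outside this hunk.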
@@ -11,84 +13,88 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - allowedCapabilities: - - NET_BIND_SERVICE - {{- if .Values.controller.image.chroot }} - - SYS_CHROOT - {{- end }} -{{- if .Values.controller.sysctls }} - allowedUnsafeSysctls: - {{- range $sysctl, $value := .Values.controller.sysctls }} - - {{ $sysctl }} - {{- end }} -{{- end }} privileged: false - allowPrivilegeEscalation: true - # Allow core volume types. - volumes: - - 'configMap' - - 'emptyDir' - - 'projected' - - 'secret' - - 'downwardAPI' -{{- if .Values.controller.hostNetwork }} + hostPID: false + hostIPC: false hostNetwork: {{ .Values.controller.hostNetwork }} -{{- end }} {{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }} hostPorts: -{{- if .Values.controller.hostNetwork }} -{{- range $key, $value := .Values.controller.containerPort }} - # {{ $key }} - - min: {{ $value }} - max: {{ $value }} -{{- end }} -{{- else if .Values.controller.hostPort.enabled }} -{{- range $key, $value := .Values.controller.hostPort.ports }} - # {{ $key }} - - min: {{ $value }} - max: {{ $value }} -{{- end }} -{{- end }} -{{- if .Values.controller.metrics.enabled }} - # metrics - - min: {{ .Values.controller.metrics.port }} - max: {{ .Values.controller.metrics.port }} -{{- end }} -{{- if .Values.controller.admissionWebhooks.enabled }} - # admission webhooks - - min: {{ .Values.controller.admissionWebhooks.port }} - max: {{ .Values.controller.admissionWebhooks.port }} -{{- end }} -{{- range $key, $value := .Values.tcp }} - # {{ $key }}-tcp - - min: {{ $key }} - max: {{ $key }} -{{- end }} -{{- range $key, $value := .Values.udp }} - # {{ $key }}-udp - - min: {{ $key }} - max: {{ $key }} -{{- end }} + {{- if .Values.controller.hostNetwork }} + {{- range $key, $value := .Values.controller.containerPort }} + # controller.containerPort.{{ $key }} + - min: {{ $value }} + max: {{ $value }} + {{- end }} + {{- else if .Values.controller.hostPort.enabled }} + {{- range $key, $value := 
.Values.controller.hostPort.ports }} + # controller.hostPort.ports.{{ $key }} + - min: {{ $value }} + max: {{ $value }} + {{- end }} + {{- end }} + {{- if .Values.controller.metrics.enabled }} + # controller.metrics.port + - min: {{ .Values.controller.metrics.port }} + max: {{ .Values.controller.metrics.port }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + # controller.admissionWebhooks.port + - min: {{ .Values.controller.admissionWebhooks.port }} + max: {{ .Values.controller.admissionWebhooks.port }} + {{- end }} + {{- range $key, $value := .Values.tcp }} + # tcp.{{ $key }} + - min: {{ $key }} + max: {{ $key }} + {{- end }} + {{- range $key, $value := .Values.udp }} + # udp.{{ $key }} + - min: {{ $key }} + max: {{ $key }} + {{- end }} {{- end }} - hostIPC: false - hostPID: false + volumes: + - configMap + - downwardAPI + - emptyDir + - secret + - projected + fsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false runAsUser: - # Require the container to run without root privileges. - rule: 'MustRunAsNonRoot' - supplementalGroups: - rule: 'MustRunAs' + rule: MustRunAsNonRoot + runAsGroup: + rule: MustRunAs ranges: - # Forbid adding the root group. - min: 1 max: 65535 - fsGroup: - rule: 'MustRunAs' + supplementalGroups: + rule: MustRunAs ranges: - # Forbid adding the root group. - min: 1 max: 65535 - readOnlyRootFilesystem: false + allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }} + requiredDropCapabilities: + - ALL + allowedCapabilities: + - NET_BIND_SERVICE + {{- if .Values.controller.image.chroot }} + {{- if .Values.controller.image.seccompProfile }} + - SYS_ADMIN + {{- end }} + - SYS_CHROOT + {{- end }} seLinux: - rule: 'RunAsAny' + rule: RunAsAny +{{- if .Values.controller.sysctls }} + allowedUnsafeSysctls: + {{- range $sysctl, $value := .Values.controller.sysctls }} + - {{ $sysctl }} + {{- end }} +{{- end }} {{- end }} {{- end }} 
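Review bot: `SYS_ADMIN` is added to `allowedCapabilities` whenever `controller.image.chroot` and `controller.image.seccompProfile` are both set, and that capability covers far more than a chroot setup needs (mounts, namespaces and many other privileged operations). A why-comment next to `- SYS_ADMIN` naming the operation of the chroot image that requires it would help whoever audits the policy. It is also worth checking that the container securityContext helper adds the capability under exactly the same condition, since that helper is not visible in this hunk. `requiredDropCapabilities: ALL` and deriving `allowPrivilegeEscalation` from the explicit flag or chroot are tightening changes, while `readOnlyRootFilesystem: false` stays permissive. The enclosing `if` blocks open outside the hunk.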
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-role.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-role.yaml index d1aa9aac7..a94b39978 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-role.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-role.yaml @@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} rules: - apiGroups: - "" @@ -44,12 +44,15 @@ rules: - get - list - watch + # Omit Ingress status permissions if `--update-status` is disabled. + {{- if ne (index .Values.controller.extraArgs "update-status") "false" }} - apiGroups: - networking.k8s.io resources: - ingresses/status verbs: - update + {{- end }} - apiGroups: - networking.k8s.io resources: diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-rolebinding.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-rolebinding.yaml index e846a1183..153430aa2 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-rolebinding.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-rolebinding.yaml @@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -17,5 +17,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "ingress-nginx.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} 
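Review bot: The new guard `ne (index .Values.controller.extraArgs "update-status") "false"` in controller-role.yaml compares against the string `"false"` only. If the flag is supplied as a YAML boolean (`update-status: false`, or an unquoted `--set`), `ne` would be comparing a bool with a string. I would expect that to abort rendering with an incompatible-types error rather than drop the rule, though that follows from how Go templates compare values and is not shown in this hunk. Normalising first avoids it: `{{- if ne (index .Values.controller.extraArgs "update-status" | toString) "false" }}`. The `# Omit Ingress status permissions ...` line sits above the `if`, so it is emitted even when the rule is omitted; a template comment would keep the rendered Role clean. The rules list continues outside the hunk.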
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-secret.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-secret.yaml index f3744232f..f20f53469 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-secret.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-secret.yaml @@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} data: dhparam.pem: {{ .Values.dhParam }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-service-internal.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-service-internal.yaml index 87146b746..6d0b47caf 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-service-internal.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-service-internal.yaml @@ -1,10 +1,10 @@ -{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations}} +{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations -}} apiVersion: v1 kind: Service metadata: annotations: {{- range $key, $value := .Values.controller.service.internal.annotations }} - {{ $key }}: {{ $value | quote }} + {{ $key }}: {{ tpl ($value | toString) $ | quote }} {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} 
@@ -13,17 +13,43 @@ metadata: {{- toYaml .Values.controller.service.labels | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }}-internal - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: - type: "{{ .Values.controller.service.type }}" + type: {{ .Values.controller.service.internal.type | default .Values.controller.service.type }} +{{- if .Values.controller.service.internal.clusterIP }} + clusterIP: {{ .Values.controller.service.internal.clusterIP }} +{{- end }} +{{- if .Values.controller.service.internal.externalIPs }} + externalIPs: {{ toYaml .Values.controller.service.internal.externalIPs | nindent 4 }} +{{- end }} {{- if .Values.controller.service.internal.loadBalancerIP }} loadBalancerIP: {{ .Values.controller.service.internal.loadBalancerIP }} {{- end }} {{- if .Values.controller.service.internal.loadBalancerSourceRanges }} loadBalancerSourceRanges: {{ toYaml .Values.controller.service.internal.loadBalancerSourceRanges | nindent 4 }} {{- end }} +{{- if .Values.controller.service.internal.loadBalancerClass }} + loadBalancerClass: {{ .Values.controller.service.internal.loadBalancerClass }} +{{- end }} +{{- if hasKey .Values.controller.service.internal "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.controller.service.internal.allocateLoadBalancerNodePorts }} +{{- end }} {{- if .Values.controller.service.internal.externalTrafficPolicy }} externalTrafficPolicy: {{ .Values.controller.service.internal.externalTrafficPolicy }} +{{- end }} +{{- if .Values.controller.service.internal.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.internal.sessionAffinity }} +{{- end }} +{{- if .Values.controller.service.internal.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.internal.healthCheckNodePort }} +{{- end }} +{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}} +{{- if 
.Values.controller.service.internal.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.internal.ipFamilyPolicy }} +{{- end }} +{{- if .Values.controller.service.internal.ipFamilies }} + ipFamilies: {{ toYaml .Values.controller.service.internal.ipFamilies | nindent 4 }} +{{- end }} {{- end }} ports: {{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }} @@ -32,11 +58,11 @@ spec: port: {{ .Values.controller.service.internal.ports.http | default .Values.controller.service.ports.http }} protocol: TCP targetPort: {{ .Values.controller.service.internal.targetPorts.http | default .Values.controller.service.targetPorts.http }} - {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + {{- if and (semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version) (.Values.controller.service.internal.appProtocol) }} appProtocol: http {{- end }} - {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }} - nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- if (and $setNodePorts (not (empty .Values.controller.service.internal.nodePorts.http))) }} + nodePort: {{ .Values.controller.service.internal.nodePorts.http }} {{- end }} {{- end }} {{- if .Values.controller.service.enableHttps }} 
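Review bot: In controller-service-internal.yaml, `$setNodePorts` (the context line under `ports:`) is still computed from `.Values.controller.service.type`, while this hunk lets the internal Service take its own type from `.Values.controller.service.internal.type`. When the two types differ, the `internal.nodePorts.http` and `internal.nodePorts.https` guards in the next two hunks test the wrong Service. A ClusterIP internal Service can then be rendered with `nodePort` set, which the API server should reject, or a NodePort internal Service can lose its pinned port and get a random one that no firewall rule expects. Compute the effective type once and reuse it: `{{- $type := .Values.controller.service.internal.type | default .Values.controller.service.type }}` followed by `{{- $setNodePorts := (or (eq $type "NodePort") (eq $type "LoadBalancer")) }}`.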
@@ -44,11 +70,11 @@ spec: port: {{ .Values.controller.service.internal.ports.https | default .Values.controller.service.ports.https }} protocol: TCP targetPort: {{ .Values.controller.service.internal.targetPorts.https | default .Values.controller.service.targetPorts.https }} - {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + {{- if and (semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version) (.Values.controller.service.internal.appProtocol) }} appProtocol: https {{- end }} - {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }} - nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- if (and $setNodePorts (not (empty .Values.controller.service.internal.nodePorts.https))) }} + nodePort: {{ .Values.controller.service.internal.nodePorts.https }} {{- end }} {{- end }} {{- range $key, $value := .Values.tcp }} @@ -56,9 +82,9 @@ spec: port: {{ $key }} protocol: TCP targetPort: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp - {{- if $.Values.controller.service.nodePorts.tcp }} - {{- if index $.Values.controller.service.nodePorts.tcp $key }} - nodePort: {{ index $.Values.controller.service.nodePorts.tcp $key }} + {{- if $.Values.controller.service.internal.nodePorts.tcp }} + {{- if index $.Values.controller.service.internal.nodePorts.tcp $key }} + nodePort: {{ index $.Values.controller.service.internal.nodePorts.tcp $key }} {{- end }} {{- end }} {{- end }} 
@@ -67,9 +93,9 @@ spec: port: {{ $key }} protocol: UDP targetPort: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-udp - {{- if $.Values.controller.service.nodePorts.udp }} - {{- if index $.Values.controller.service.nodePorts.udp $key }} - nodePort: {{ index $.Values.controller.service.nodePorts.udp $key }} + {{- if $.Values.controller.service.internal.nodePorts.udp }} + {{- if index $.Values.controller.service.internal.nodePorts.udp $key }} + nodePort: {{ index $.Values.controller.service.internal.nodePorts.udp $key }} {{- end }} {{- end }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-service-metrics.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-service-metrics.yaml index b178401c9..7c153295f 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-service-metrics.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-service-metrics.yaml @@ -12,7 +12,7 @@ metadata: {{- toYaml .Values.controller.metrics.service.labels | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }}-metrics - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: type: {{ .Values.controller.metrics.service.type }} {{- if .Values.controller.metrics.service.clusterIP }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-service-webhook.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-service-webhook.yaml index 2aae24fcf..6dcf1a10a 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-service-webhook.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-service-webhook.yaml 
@@ -12,7 +12,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }}-admission - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: type: {{ .Values.controller.admissionWebhooks.service.type }} {{- if .Values.controller.admissionWebhooks.service.clusterIP }} @@ -31,7 +31,7 @@ spec: - name: https-webhook port: 443 targetPort: webhook - {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} appProtocol: https {{- end }} selector: diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-service.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-service.yaml index b2735d2e8..cb78a7035 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-service.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-service.yaml @@ -4,7 +4,7 @@ kind: Service metadata: annotations: {{- range $key, $value := .Values.controller.service.annotations }} - {{ $key }}: {{ $value | quote }} + {{ $key }}: {{ tpl ($value | toString) $ | quote }} {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} @@ -13,7 +13,7 @@ metadata: {{- toYaml .Values.controller.service.labels | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: type: {{ .Values.controller.service.type }} {{- if .Values.controller.service.clusterIP }} 
@@ -31,6 +31,9 @@ spec: {{- if .Values.controller.service.loadBalancerClass }} loadBalancerClass: {{ .Values.controller.service.loadBalancerClass }} {{- end }} +{{- if hasKey .Values.controller.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.controller.service.allocateLoadBalancerNodePorts }} +{{- end }} {{- if .Values.controller.service.externalTrafficPolicy }} externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} {{- end }} @@ -44,8 +47,6 @@ spec: {{- if .Values.controller.service.ipFamilyPolicy }} ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }} {{- end }} -{{- end }} -{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}} {{- if .Values.controller.service.ipFamilies }} ipFamilies: {{ toYaml .Values.controller.service.ipFamilies | nindent 4 }} {{- end }} @@ -57,7 +58,7 @@ spec: port: {{ .Values.controller.service.ports.http }} protocol: TCP targetPort: {{ .Values.controller.service.targetPorts.http }} - {{- if and (semverCompare ">=1.20" .Capabilities.KubeVersion.Version) (.Values.controller.service.appProtocol) }} + {{- if and (semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version) (.Values.controller.service.appProtocol) }} appProtocol: http {{- end }} {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }} @@ -69,7 +70,7 @@ spec: port: {{ .Values.controller.service.ports.https }} protocol: TCP targetPort: {{ .Values.controller.service.targetPorts.https }} - {{- if and (semverCompare ">=1.20" .Capabilities.KubeVersion.Version) (.Values.controller.service.appProtocol) }} + {{- if and (semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version) (.Values.controller.service.appProtocol) }} appProtocol: https {{- end }} {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }} 
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-serviceaccount.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-serviceaccount.yaml index e6e776d09..df83de3d0 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-serviceaccount.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-serviceaccount.yaml @@ -9,10 +9,9 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ template "ingress-nginx.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- if .Values.serviceAccount.annotations }} - annotations: - {{- toYaml .Values.serviceAccount.annotations | nindent 4 }} + annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }} {{- end }} automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-servicemonitor.yaml index 8ab16f0b2..62301da45 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-servicemonitor.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-servicemonitor.yaml @@ -4,7 +4,9 @@ kind: ServiceMonitor metadata: name: {{ include "ingress-nginx.controller.fullname" . }} {{- if .Values.controller.metrics.serviceMonitor.namespace }} - namespace: {{ .Values.controller.metrics.serviceMonitor.namespace | quote }} + namespace: {{ .Values.controller.metrics.serviceMonitor.namespace }} +{{- else }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} 
@@ -12,6 +14,9 @@ metadata: {{- if .Values.controller.metrics.serviceMonitor.additionalLabels }} {{- toYaml .Values.controller.metrics.serviceMonitor.additionalLabels | nindent 4 }} {{- end }} + {{- if .Values.controller.metrics.serviceMonitor.annotations }} + annotations: {{ toYaml .Values.controller.metrics.serviceMonitor.annotations | nindent 4 }} + {{- end }} spec: endpoints: - port: {{ .Values.controller.metrics.portName }} @@ -33,7 +38,7 @@ spec: {{- else }} namespaceSelector: matchNames: - - {{ .Release.Namespace }} + - {{ include "ingress-nginx.namespace" . }} {{- end }} {{- if .Values.controller.metrics.serviceMonitor.targetLabels }} targetLabels: diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-webhooks-networkpolicy.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-webhooks-networkpolicy.yaml deleted file mode 100644 index f74c2fbf3..000000000 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/controller-webhooks-networkpolicy.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.controller.admissionWebhooks.enabled }} -{{- if .Values.controller.admissionWebhooks.networkPolicyEnabled }} - -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "ingress-nginx.fullname" . }}-webhooks-allow - namespace: {{ .Release.Namespace }} -spec: - ingress: - - {} - podSelector: - matchLabels: - app.kubernetes.io/name: {{ include "ingress-nginx.name" . }} - policyTypes: - - Ingress - -{{- end }} -{{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-deployment.yaml index 87aced49d..c6ccdd5c9 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-deployment.yaml 
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-deployment.yaml @@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.defaultBackend.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: selector: matchLabels: @@ -30,7 +30,7 @@ spec: annotations: {{ toYaml .Values.defaultBackend.podAnnotations | nindent 8 }} {{- end }} labels: - {{- include "ingress-nginx.selectorLabels" . | nindent 8 }} + {{- include "ingress-nginx.labels" . | nindent 8 }} app.kubernetes.io/component: default-backend {{- with .Values.defaultBackend.labels }} {{- toYaml . | nindent 8 }} @@ -51,7 +51,7 @@ spec: containers: - name: {{ template "ingress-nginx.name" . }}-default-backend {{- with .Values.defaultBackend.image }} - image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} {{- end }} imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }} {{- if .Values.defaultBackend.extraArgs }} @@ -65,14 +65,7 @@ spec: {{- end }} {{- end }} {{- end }} - securityContext: - capabilities: - drop: - - ALL - runAsUser: {{ .Values.defaultBackend.image.runAsUser }} - runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }} - allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }} - readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}} + securityContext: {{ include "ingress-nginx.defaultBackend.containerSecurityContext" . | nindent 12 }} {{- if .Values.defaultBackend.extraEnvs }} env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }} {{- end }} 
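Review bot: In default-backend-deployment.yaml, the `securityContext` hunk replaces the inline hardening (`capabilities.drop: ALL`, `runAsNonRoot`, `allowPrivilegeEscalation`, `readOnlyRootFilesystem`) with `include "ingress-nginx.defaultBackend.containerSecurityContext"`, whose definition is not shown in this part of the diff. The `drop: ALL` entry was previously hard-coded, so it is worth confirming that the helper still emits it when a user overrides the container security context through values. A chart test that renders the Deployment and asserts that `spec.template.spec.containers[0].securityContext.capabilities.drop` contains `ALL` would pin that behaviour. The container spec continues outside the hunk.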
@@ -114,7 +107,10 @@ spec: tolerations: {{ toYaml .Values.defaultBackend.tolerations | nindent 8 }} {{- end }} {{- if .Values.defaultBackend.affinity }} - affinity: {{ toYaml .Values.defaultBackend.affinity | nindent 8 }} + affinity: {{ tpl (toYaml .Values.defaultBackend.affinity) $ | nindent 8 }} + {{- end }} + {{- if .Values.defaultBackend.topologySpreadConstraints }} + topologySpreadConstraints: {{ tpl (toYaml .Values.defaultBackend.topologySpreadConstraints) $ | nindent 8 }} {{- end }} terminationGracePeriodSeconds: 60 {{- if .Values.defaultBackend.extraVolumes }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-extra-configmaps.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-extra-configmaps.yaml new file mode 100644 index 000000000..9af56cf38 --- /dev/null +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-extra-configmaps.yaml @@ -0,0 +1,23 @@ +{{- if .Values.defaultBackend.enabled }} +{{- range .Values.defaultBackend.extraConfigMaps }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "ingress-nginx.labels" $ | nindent 4 }} + app.kubernetes.io/component: default-backend + {{- with $.Values.defaultBackend.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ .name }} + namespace: {{ include "ingress-nginx.namespace" $ }} +data: + {{- with .data }} + {{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-hpa.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-hpa.yaml index faaf4fa75..49bcdcfdc 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-hpa.yaml 
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-hpa.yaml @@ -12,7 +12,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.defaultBackend.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: scaleTargetRef: apiVersion: apps/v1 @@ -21,18 +21,18 @@ spec: minReplicas: {{ .Values.defaultBackend.autoscaling.minReplicas }} maxReplicas: {{ .Values.defaultBackend.autoscaling.maxReplicas }} metrics: - {{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }} + {{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: - name: cpu + name: memory target: type: Utilization averageUtilization: {{ . }} {{- end }} - {{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }} + {{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }} - type: Resource resource: - name: memory + name: cpu target: type: Utilization averageUtilization: {{ . }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-networkpolicy.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-networkpolicy.yaml new file mode 100644 index 000000000..90b3c2ba0 --- /dev/null +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-networkpolicy.yaml 
@@ -0,0 +1,25 @@ +{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: default-backend + {{- with .Values.defaultBackend.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "ingress-nginx.defaultBackend.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} +spec: + podSelector: + matchLabels: + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: default-backend + policyTypes: + - Ingress + - Egress + ingress: + - ports: + - protocol: TCP + port: {{ .Values.defaultBackend.port }} +{{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml index 00891cee5..f869e4530 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml @@ -10,7 +10,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.defaultBackend.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: selector: matchLabels: diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-psp.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-psp.yaml index c144c8fbf..424109109 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-psp.yaml 
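Review bot: In the new default-backend-networkpolicy.yaml, the single `ingress` rule lists only `ports` and has no `from` clause, so any source that can route to the pod may reach `.Values.defaultBackend.port`. The default backend is presumably reached only through the controller, so consider adding a `from` entry with a `podSelector` on the controller's selector labels (and check that kubelet probes still pass under the CNI in use). `policyTypes` also lists `Egress` with no `egress` rules, which denies all outbound traffic from these pods, DNS included. That looks intentional but deserves a comment such as `# No egress rules: the default backend initiates no connections.`.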
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-psp.yaml @@ -4,6 +4,8 @@ apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: {{ include "ingress-nginx.fullname" . }}-backend + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" labels: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: default-backend @@ -11,28 +13,38 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - allowPrivilegeEscalation: false + privileged: false + hostPID: false + hostIPC: false + hostNetwork: false + volumes: + - configMap + - downwardAPI + - emptyDir + - secret + - projected fsGroup: - ranges: - - max: 65535 - min: 1 rule: MustRunAs - requiredDropCapabilities: - - ALL + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: true runAsUser: rule: MustRunAsNonRoot - seLinux: - rule: RunAsAny - supplementalGroups: + runAsGroup: + rule: MustRunAs ranges: - - max: 65535 - min: 1 + - min: 1 + max: 65535 + supplementalGroups: rule: MustRunAs - volumes: - - configMap - - emptyDir - - projected - - secret - - downwardAPI + ranges: + - min: 1 + max: 65535 + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL + seLinux: + rule: RunAsAny {{- end }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-role.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-role.yaml index a2b457c36..dd7868aa0 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-role.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-role.yaml 
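Review bot: In default-backend-psp.yaml, the added annotation `seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"` permits every seccomp profile, including `unconfined`. That undercuts the tightening in the second hunk of this file (`privileged: false`, `readOnlyRootFilesystem: true`, host namespaces off). Unless a workload needs a custom profile, restrict it to the runtime default with `seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'`, and add `seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'` so pods get a profile without requesting one. The template still targets `policy/v1beta1` PodSecurityPolicy, so this only matters on clusters that still serve that API.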
@@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.fullname" . }}-backend - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} rules: - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] resources: ['podsecuritypolicies'] diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-rolebinding.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-rolebinding.yaml index dbaa516b9..3203b6f57 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-rolebinding.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-rolebinding.yaml @@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.fullname" . }}-backend - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -17,5 +17,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-service.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-service.yaml index 5f1d09a95..65b6b8362 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-service.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-service.yaml 
@@ -12,7 +12,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.defaultBackend.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: type: {{ .Values.defaultBackend.service.type }} {{- if .Values.defaultBackend.service.clusterIP }} @@ -32,7 +32,7 @@ spec: port: {{ .Values.defaultBackend.service.servicePort }} protocol: TCP targetPort: http - {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} appProtocol: http {{- end }} selector: diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml index b45a95ad2..2afaf0c04 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml @@ -9,6 +9,6 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml new file mode 100644 index 000000000..d7a8b8852 --- /dev/null +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml 
@@ -0,0 +1,11 @@ +suite: Admission Webhooks > Patch Job > ClusterRole +templates: + - admission-webhooks/job-patch/clusterrole.yaml + +tests: + - it: should not create a ClusterRole if `controller.admissionWebhooks.patch.rbac.create` is false + set: + controller.admissionWebhooks.patch.rbac.create: false + asserts: + - hasDocuments: + count: 0 diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml new file mode 100644 index 000000000..d7c3266d2 --- /dev/null +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml @@ -0,0 +1,11 @@ +suite: Admission Webhooks > Patch Job > ClusterRoleBinding +templates: + - admission-webhooks/job-patch/clusterrolebinding.yaml + +tests: + - it: should not create a ClusterRoleBinding if `controller.admissionWebhooks.patch.rbac.create` is false + set: + controller.admissionWebhooks.patch.rbac.create: false + asserts: + - hasDocuments: + count: 0 diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml new file mode 100644 index 000000000..a236f3d7b --- /dev/null +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml @@ -0,0 +1,11 @@ +suite: Admission Webhooks > Patch Job > Role +templates: + - admission-webhooks/job-patch/role.yaml + +tests: + - it: should not create a Role if `controller.admissionWebhooks.patch.rbac.create` is false + set: + controller.admissionWebhooks.patch.rbac.create: false + asserts: + - hasDocuments: + count: 0 
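Review bot: The new RBAC suites for the patch job (clusterrole_test.yaml, clusterrolebinding_test.yaml and role_test.yaml here, plus rolebinding_test.yaml in the next hunk) assert only that nothing renders when `controller.admissionWebhooks.patch.rbac.create` is false. None of them pins what is rendered when RBAC is enabled, so a later change that widens the patch job's verbs or resources would pass unnoticed. Consider adding one enabled-path case per suite that checks `hasDocuments` with `count: 1`, `isKind`, and an `equal` on `rules` (or on `roleRef` and `subjects` for the bindings).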
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml new file mode 100644 index 000000000..74abaa163 --- /dev/null +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml @@ -0,0 +1,11 @@ +suite: Admission Webhooks > Patch Job > RoleBinding +templates: + - admission-webhooks/job-patch/rolebinding.yaml + +tests: + - it: should not create a RoleBinding if `controller.admissionWebhooks.patch.rbac.create` is false + set: + controller.admissionWebhooks.patch.rbac.create: false + asserts: + - hasDocuments: + count: 0 diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml new file mode 100644 index 000000000..7c30d1e66 --- /dev/null +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml 
@@ -0,0 +1,47 @@ +suite: Admission Webhooks > Patch Job > ServiceAccount +templates: + - admission-webhooks/job-patch/serviceaccount.yaml + +tests: + - it: should not create a ServiceAccount if `controller.admissionWebhooks.patch.serviceAccount.create` is false + set: + controller.admissionWebhooks.patch.serviceAccount.create: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a ServiceAccount if `controller.admissionWebhooks.patch.serviceAccount.create` is true + set: + controller.admissionWebhooks.patch.serviceAccount.create: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: metadata.name + value: ingress-nginx-admission + + - it: should create a ServiceAccount with specified name if `controller.admissionWebhooks.patch.serviceAccount.name` is set + set: + controller.admissionWebhooks.patch.serviceAccount.name: ingress-nginx-admission-test-sa + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: metadata.name + value: ingress-nginx-admission-test-sa + + - it: should create a ServiceAccount with token auto-mounting disabled if `controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken` is false + set: + controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: automountServiceAccountToken + value: false diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-configmap-addheaders_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-configmap-addheaders_test.yaml new file mode 100644 index 000000000..e831d50c0 --- /dev/null +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-configmap-addheaders_test.yaml 
@@ -0,0 +1,27 @@
+suite: Controller > ConfigMap > Add Headers
+templates:
+ - controller-configmap-addheaders.yaml
+
+tests:
+ - it: should not create a ConfigMap if `controller.addHeaders` is not set
+ set:
+ controller.addHeaders: null
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a ConfigMap if `controller.addHeaders` is set
+ set:
+ controller.addHeaders:
+ X-Another-Custom-Header: Value
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-custom-add-headers
+ - equal:
+ path: data.X-Another-Custom-Header
+ value: Value
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-configmap-proxyheaders_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-configmap-proxyheaders_test.yaml
new file mode 100644
index 000000000..0634a3739
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-configmap-proxyheaders_test.yaml
@@ -0,0 +1,27 @@
+suite: Controller > ConfigMap > Proxy Headers
+templates:
+ - controller-configmap-proxyheaders.yaml
+
+tests:
+ - it: should not create a ConfigMap if `controller.proxySetHeaders` is not set
+ set:
+ controller.proxySetHeaders: null
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a ConfigMap if `controller.proxySetHeaders` is set
+ set:
+ controller.proxySetHeaders:
+ X-Custom-Header: Value
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-custom-proxy-headers
+ - equal:
+ path: data.X-Custom-Header
+ value: Value
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-configmap_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-configmap_test.yaml
new file mode 100644
index 000000000..9cfea9800
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-configmap_test.yaml
@@ -0,0 +1,31 @@
+suite: Controller > ConfigMap
+templates:
+ - controller-configmap.yaml
+
+tests:
+ - it: should create a ConfigMap
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should create a ConfigMap with templated values if `controller.config` contains templates
+ set:
+ controller.config:
+ global-rate-limit-memcached-host: "memcached.{{ .Release.Namespace }}.svc.kubernetes.local"
+ global-rate-limit-memcached-port: 11211
+ use-gzip: true
+ asserts:
+ - equal:
+ path: data.global-rate-limit-memcached-host
+ value: memcached.NAMESPACE.svc.kubernetes.local
+ - equal:
+ path: data.global-rate-limit-memcached-port
+ value: "11211"
+ - equal:
+ path: data.use-gzip
+ value: "true"
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-daemonset_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-daemonset_test.yaml
new file mode 100644
index 000000000..bc810a1cd
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-daemonset_test.yaml
@@ -0,0 +1,150 @@
+suite: Controller > DaemonSet
+templates:
+ - controller-daemonset.yaml
+
+tests:
+ - it: should create a DaemonSet if `controller.kind` is "DaemonSet"
+ set:
+ controller.kind: DaemonSet
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: DaemonSet
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should create a DaemonSet with argument `--enable-metrics=false` if `controller.metrics.enabled` is false
+ set:
+ controller.kind: DaemonSet
+ controller.metrics.enabled: false
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content: --enable-metrics=false
+
+ - it: should create a DaemonSet without argument `--enable-metrics=false` if `controller.metrics.enabled` is true
+ set:
+ controller.kind: DaemonSet
+ controller.metrics.enabled: true
+ asserts:
+ - notContains:
+ path: spec.template.spec.containers[0].args
+ content: --enable-metrics=false
+
+ - it: should create a DaemonSet with argument `--controller-class=k8s.io/ingress-nginx-internal` if `controller.ingressClassResource.controllerValue` is "k8s.io/ingress-nginx-internal"
+ set:
+ controller.kind: DaemonSet
+ controller.ingressClassResource.controllerValue: k8s.io/ingress-nginx-internal
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content: --controller-class=k8s.io/ingress-nginx-internal
+
+ - it: should create a DaemonSet with resource limits if `controller.resources.limits` is set
+ set:
+ controller.kind: DaemonSet
+ controller.resources.limits.cpu: 500m
+ controller.resources.limits.memory: 512Mi
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.cpu
+ value: 500m
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.memory
+ value: 512Mi
+
+ - it: should create a DaemonSet with topology spread constraints if `controller.topologySpreadConstraints` is set
+ set:
+ controller.kind: DaemonSet
+ controller.topologySpreadConstraints:
+ -
labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/component: controller
+ topologyKey: topology.kubernetes.io/zone
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/component: controller
+ topologyKey: kubernetes.io/hostname
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ asserts:
+ - equal:
+ path: spec.template.spec.topologySpreadConstraints
+ value:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/component: controller
+ topologyKey: topology.kubernetes.io/zone
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/component: controller
+ topologyKey: kubernetes.io/hostname
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+
+ - it: should create a DaemonSet with affinity if `controller.affinity` is set
+ set:
+ controller.kind: DaemonSet
+ controller.affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - '{{ include "ingress-nginx.name" .
}}'
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - '{{ .Release.Name }}'
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - controller
+ topologyKey: kubernetes.io/hostname
+ asserts:
+ - equal:
+ path: spec.template.spec.affinity
+ value:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - ingress-nginx
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - controller
+ topologyKey: kubernetes.io/hostname
+
+ - it: should create a DaemonSet with a custom tag if `controller.image.tag` is set
+ set:
+ controller.kind: DaemonSet
+ controller.image.tag: my-little-custom-tag
+ controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: registry.k8s.io/ingress-nginx/controller:my-little-custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-deployment_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-deployment_test.yaml
new file mode 100644
index 000000000..da400487e
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-deployment_test.yaml
@@ -0,0 +1,171 @@
+suite: Controller > Deployment
+templates:
+ - controller-deployment.yaml
+
+tests:
+ - it: should create a Deployment
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: Deployment
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should create a Deployment with 3 replicas if `controller.replicaCount` is 3
+ set:
+ controller.replicaCount: 3
+ asserts:
+ - equal:
+ path: spec.replicas
+ value: 3
+
+ - it: should create a Deployment without replicas if `controller.autoscaling.enabled` is true
+ set:
+ controller.autoscaling.enabled: true
+ asserts:
+ - notExists:
+ path: spec.replicas
+
+ - it: should create a Deployment without replicas if `controller.keda.enabled` is true
+ set:
+ controller.keda.enabled: true
+ asserts:
+ - notExists:
+ path: spec.replicas
+
+ - it: should create a Deployment with replicas if `controller.autoscaling.enabled` is true and `controller.keda.enabled` is true
+ set:
+ controller.autoscaling.enabled: true
+ controller.keda.enabled: true
+ asserts:
+ - exists:
+ path: spec.replicas
+
+ - it: should create a Deployment with argument `--enable-metrics=false` if `controller.metrics.enabled` is false
+ set:
+ controller.metrics.enabled: false
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content: --enable-metrics=false
+
+ - it: should create a Deployment without argument `--enable-metrics=false` if `controller.metrics.enabled` is true
+ set:
+ controller.metrics.enabled: true
+ asserts:
+ - notContains:
+ path: spec.template.spec.containers[0].args
+ content: --enable-metrics=false
+
+ - it: should create a Deployment with argument `--controller-class=k8s.io/ingress-nginx-internal` if `controller.ingressClassResource.controllerValue` is "k8s.io/ingress-nginx-internal"
+ set:
+ controller.ingressClassResource.controllerValue: k8s.io/ingress-nginx-internal
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content:
--controller-class=k8s.io/ingress-nginx-internal
+
+ - it: should create a Deployment with resource limits if `controller.resources.limits` is set
+ set:
+ controller.resources.limits.cpu: 500m
+ controller.resources.limits.memory: 512Mi
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.cpu
+ value: 500m
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.memory
+ value: 512Mi
+
+ - it: should create a Deployment with topology spread constraints if `controller.topologySpreadConstraints` is set
+ set:
+ controller.topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/component: controller
+ topologyKey: topology.kubernetes.io/zone
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/component: controller
+ topologyKey: kubernetes.io/hostname
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ asserts:
+ - equal:
+ path: spec.template.spec.topologySpreadConstraints
+ value:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/component: controller
+ topologyKey: topology.kubernetes.io/zone
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/component: controller
+ topologyKey: kubernetes.io/hostname
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+
+ - it: should create a Deployment with affinity if `controller.affinity` is set
+ set:
+ controller.affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+
operator: In
+ values:
+ - '{{ include "ingress-nginx.name" . }}'
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - '{{ .Release.Name }}'
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - controller
+ topologyKey: kubernetes.io/hostname
+ asserts:
+ - equal:
+ path: spec.template.spec.affinity
+ value:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - ingress-nginx
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - controller
+ topologyKey: kubernetes.io/hostname
+
+ - it: should create a Deployment with a custom tag if `controller.image.tag` is set
+ set:
+ controller.image.tag: my-little-custom-tag
+ controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: registry.k8s.io/ingress-nginx/controller:my-little-custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-hpa_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-hpa_test.yaml
new file mode 100644
index 000000000..869d3a690
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-hpa_test.yaml
@@ -0,0 +1,31 @@
+suite: Controller > HPA
+templates:
+ - controller-hpa.yaml
+
+tests:
+ - it: should create an HPA if `controller.autoscaling.enabled` is true
+ set:
+ controller.autoscaling.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: HorizontalPodAutoscaler
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should not create an HPA if `controller.autoscaling.enabled` is true and `controller.keda.enabled` is true
+ set:
+ controller.autoscaling.enabled: true
+ controller.keda.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should not create an HPA if `controller.kind` is "DaemonSet"
+ set:
+ controller.kind: DaemonSet
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-ingressclass-aliases_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-ingressclass-aliases_test.yaml
new file mode 100644
index 000000000..9a4a576b7
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-ingressclass-aliases_test.yaml
@@ -0,0 +1,110 @@
+suite: Controller > IngressClass > Aliases
+templates:
+ - controller-ingressclass-aliases.yaml
+
+tests:
+ - it: should not create IngressClass aliases
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create an IngressClass alias with name "nginx-alias" if `controller.ingressClassResource.aliases` is set
+ set:
+ controller.ingressClassResource.aliases:
+ - nginx-alias
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx-alias
+
+ - it: should create an IngressClass alias without annotation `ingressclass.kubernetes.io/is-default-class` if `controller.ingressClassResource.default` is true
+ set:
+ controller.ingressClassResource.aliases:
+ - nginx-alias
+ controller.ingressClassResource.default: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx-alias
+ - notExists:
+ path: metadata.annotations["ingressclass.kubernetes.io/is-default-class"]
+
+ - it: should create an IngressClass alias with annotations if `controller.ingressClassResource.annotations` is set
+ set:
+ controller.ingressClassResource.aliases:
+ - nginx-alias
+ controller.ingressClassResource.annotations:
+ my-fancy-annotation: has-a-value
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx-alias
+ - equal:
+ path: metadata.annotations.my-fancy-annotation
+ value: has-a-value
+
+ - it: should create an IngressClass alias with controller "k8s.io/ingress-nginx-internal" if `controller.ingressClassResource.controllerValue` is "k8s.io/ingress-nginx-internal"
+ set:
+ controller.ingressClassResource.aliases:
+ - nginx-alias
+ controller.ingressClassResource.controllerValue: k8s.io/ingress-nginx-internal
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx-alias
+ - equal:
+ path: spec.controller
+ value:
k8s.io/ingress-nginx-internal
+
+ - it: should create an IngressClass alias with parameters if `controller.ingressClassResource.parameters` is set
+ set:
+ controller.ingressClassResource.aliases:
+ - nginx-alias
+ controller.ingressClassResource.parameters:
+ apiGroup: k8s.example.com
+ kind: IngressParameters
+ name: external-lb
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx-alias
+ - equal:
+ path: spec.parameters
+ value:
+ apiGroup: k8s.example.com
+ kind: IngressParameters
+ name: external-lb
+
+ - it: should create two IngressClass aliases if `controller.ingressClassResource.aliases` has two elements
+ set:
+ controller.ingressClassResource.aliases:
+ - nginx-alias-1
+ - nginx-alias-2
+ asserts:
+ - hasDocuments:
+ count: 2
+ - isKind:
+ of: IngressClass
+ - matchRegex:
+ path: metadata.name
+ pattern: nginx-alias-(1|2)
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-ingressclass_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-ingressclass_test.yaml
new file mode 100644
index 000000000..b3384af32
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-ingressclass_test.yaml
@@ -0,0 +1,93 @@
+suite: Controller > IngressClass
+templates:
+ - controller-ingressclass.yaml
+
+tests:
+ - it: should create an IngressClass
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx
+
+ - it: should create an IngressClass with name "nginx-internal" if `controller.ingressClassResource.name` is "nginx-internal"
+ set:
+ controller.ingressClassResource.name: nginx-internal
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx-internal
+
+ - it: "should create an IngressClass with annotation `ingressclass.kubernetes.io/is-default-class: \"true\"` if `controller.ingressClassResource.default` is true"
+ set:
+ controller.ingressClassResource.default: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx
+ - equal:
+ path: metadata.annotations["ingressclass.kubernetes.io/is-default-class"]
+ value: "true"
+
+ - it: should create an IngressClass with annotations if `controller.ingressClassResource.annotations` is set
+ set:
+ controller.ingressClassResource.annotations:
+ my-fancy-annotation: has-a-value
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx
+ - equal:
+ path: metadata.annotations.my-fancy-annotation
+ value: has-a-value
+
+ - it: should create an IngressClass with controller "k8s.io/ingress-nginx-internal" if `controller.ingressClassResource.controllerValue` is "k8s.io/ingress-nginx-internal"
+ set:
+ controller.ingressClassResource.controllerValue: k8s.io/ingress-nginx-internal
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx
+ - equal:
+ path: spec.controller
+ value: k8s.io/ingress-nginx-internal
+
+ - it: should create an IngressClass with parameters if `controller.ingressClassResource.parameters` is set
+
set:
+ controller.ingressClassResource.parameters:
+ apiGroup: k8s.example.com
+ kind: IngressParameters
+ name: external-lb
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: IngressClass
+ - equal:
+ path: metadata.name
+ value: nginx
+ - equal:
+ path: spec.parameters
+ value:
+ apiGroup: k8s.example.com
+ kind: IngressParameters
+ name: external-lb
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-keda_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-keda_test.yaml
new file mode 100644
index 000000000..800283483
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-keda_test.yaml
@@ -0,0 +1,31 @@
+suite: Controller > KEDA
+templates:
+ - controller-keda.yaml
+
+tests:
+ - it: should create a ScaledObject if `controller.keda.enabled` is true
+ set:
+ controller.keda.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ScaledObject
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should not create a ScaledObject if `controller.keda.enabled` is true and `controller.autoscaling.enabled` is true
+ set:
+ controller.keda.enabled: true
+ controller.autoscaling.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should not create a ScaledObject if `controller.kind` is "DaemonSet"
+ set:
+ controller.kind: DaemonSet
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-networkpolicy_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-networkpolicy_test.yaml
new file mode 100644
index 000000000..5de12e9c4
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-networkpolicy_test.yaml
@@ -0,0 +1,23 @@
+suite: Controller > NetworkPolicy
+templates:
+ - controller-networkpolicy.yaml
+
+tests:
+ - it: should not create a NetworkPolicy if `controller.networkPolicy.enabled` is false
+ set:
+ controller.networkPolicy.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a NetworkPolicy if `controller.networkPolicy.enabled` is true
+ set:
+ controller.networkPolicy.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: NetworkPolicy
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml
new file mode 100644
index 000000000..48b4fafcc
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml
@@ -0,0 +1,73 @@
+suite: Controller > PodDisruptionBudget
+templates:
+ - controller-poddisruptionbudget.yaml
+
+tests:
+ - it: should create a PodDisruptionBudget if `controller.replicaCount` is greater than 1
+ set:
+ controller.replicaCount: 2
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PodDisruptionBudget
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should not create a PodDisruptionBudget if `controller.replicaCount` is less than or equal 1
+ set:
+ controller.replicaCount: 1
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a PodDisruptionBudget if `controller.autoscaling.enabled` is true and `controller.autoscaling.minReplicas` is greater than 1
+ set:
+ controller.autoscaling.enabled: true
+ controller.autoscaling.minReplicas: 2
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PodDisruptionBudget
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should not create a PodDisruptionBudget if `controller.autoscaling.enabled` is true and `controller.autoscaling.minReplicas` is less than or equal 1
+ set:
+ controller.autoscaling.enabled: true
+ controller.autoscaling.minReplicas: 1
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a PodDisruptionBudget if `controller.keda.enabled` is true and `controller.keda.minReplicas` is greater than 1
+ set:
+ controller.keda.enabled: true
+ controller.keda.minReplicas: 2
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: PodDisruptionBudget
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should not create a PodDisruptionBudget if `controller.keda.enabled` is true and `controller.keda.minReplicas` is less than or equal 1
+ set:
+ controller.keda.enabled: true
+ controller.keda.minReplicas: 1
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should not create a PodDisruptionBudget if `controller.autoscaling.enabled` is true and
`controller.keda.enabled` is true
+ set:
+ controller.autoscaling.enabled: true
+ controller.keda.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 0
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-service-internal_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-service-internal_test.yaml
new file mode 100644
index 000000000..5465e1a2b
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-service-internal_test.yaml
@@ -0,0 +1,25 @@
+suite: Controller > Service > Internal
+templates:
+ - controller-service-internal.yaml
+
+tests:
+ - it: should not create an internal Service if `controller.service.internal.enabled` is false
+ set:
+ controller.service.internal.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create an internal Service if `controller.service.internal.enabled` is true and `controller.service.internal.annotations` are set
+ set:
+ controller.service.internal.enabled: true
+ controller.service.internal.annotations:
+ test.annotation: "true"
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: Service
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller-internal
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-service-metrics_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-service-metrics_test.yaml
new file mode 100644
index 000000000..afdb94046
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-service-metrics_test.yaml
@@ -0,0 +1,23 @@
+suite: Controller > Service > Metrics
+templates:
+ - controller-service-metrics.yaml
+
+tests:
+ - it: should not create a metrics Service if `controller.metrics.enabled` is false
+ set:
+ controller.metrics.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a metrics Service if `controller.metrics.enabled` is true
+ set:
+ controller.metrics.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: Service
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller-metrics
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-service_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-service_test.yaml
new file mode 100644
index 000000000..10574f227
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/controller-service_test.yaml
@@ -0,0 +1,32 @@
+suite: Controller > Service
+templates:
+ - controller-service.yaml
+
+tests:
+ - it: should not create a Service if `controller.service.external.enabled` is false
+ set:
+ controller.service.external.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a Service if `controller.service.external.enabled` is true
+ set:
+ controller.service.external.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: Service
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-controller
+
+ - it: should create a Service of type "NodePort" if `controller.service.external.enabled` is true and `controller.service.type` is "NodePort"
+ set:
+ controller.service.external.enabled: true
+ controller.service.type: NodePort
+ asserts:
+ - equal:
+ path: spec.type
+ value: NodePort
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/default-backend-deployment_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/default-backend-deployment_test.yaml
new file mode 100644
index 000000000..e237fe7e3
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/default-backend-deployment_test.yaml
@@ -0,0 +1,137 @@
+suite: Default Backend > Deployment
+templates:
+ - default-backend-deployment.yaml
+
+tests:
+ - it: should not create a Deployment if `defaultBackend.enabled` is false
+ set:
+ defaultBackend.enabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create a Deployment if `defaultBackend.enabled` is true
+ set:
+ defaultBackend.enabled: true
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: Deployment
+ - equal:
+ path: metadata.name
+ value: RELEASE-NAME-ingress-nginx-defaultbackend
+
+ - it: should create a Deployment with 3 replicas if `defaultBackend.replicaCount` is 3
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.replicaCount: 3
+ asserts:
+ - equal:
+ path: spec.replicas
+ value: 3
+
+ - it: should create a Deployment without replicas if `defaultBackend.autoscaling.enabled` is true
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.autoscaling.enabled: true
+ asserts:
+ - notExists:
+ path: spec.replicas
+
+ - it: should create a Deployment with resource limits if `defaultBackend.resources.limits` is set
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.resources.limits.cpu: 500m
+ defaultBackend.resources.limits.memory: 512Mi
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.cpu
+ value: 500m
+ - equal:
+ path: spec.template.spec.containers[0].resources.limits.memory
+ value: 512Mi
+
+ - it: should create a Deployment with topology spread constraints if `defaultBackend.topologySpreadConstraints` is set
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/component: default-backend
+ topologyKey: topology.kubernetes.io/zone
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ include "ingress-nginx.name" .
}}'
+ app.kubernetes.io/instance: '{{ .Release.Name }}'
+ app.kubernetes.io/component: default-backend
+ topologyKey: kubernetes.io/hostname
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ asserts:
+ - equal:
+ path: spec.template.spec.topologySpreadConstraints
+ value:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/component: default-backend
+ topologyKey: topology.kubernetes.io/zone
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/component: default-backend
+ topologyKey: kubernetes.io/hostname
+ maxSkew: 1
+ whenUnsatisfiable: ScheduleAnyway
+
+ - it: should create a Deployment with affinity if `defaultBackend.affinity` is set
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - '{{ include "ingress-nginx.name" . }}'
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - '{{ .Release.Name }}'
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - default-backend
+ topologyKey: kubernetes.io/hostname
+ asserts:
+ - equal:
+ path: spec.template.spec.affinity
+ value:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - ingress-nginx
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - RELEASE-NAME
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - default-backend
+ topologyKey: kubernetes.io/hostname
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/default-backend-extra-configmaps_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/default-backend-extra-configmaps_test.yaml
new file mode 100644
index 000000000..aa600e749
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/default-backend-extra-configmaps_test.yaml
@@ -0,0 +1,50 @@
+suite: Default Backend > Extra ConfigMaps
+templates:
+ - default-backend-extra-configmaps.yaml
+
+tests:
+ - it: should not create a ConfigMap if `defaultBackend.extraConfigMaps` is empty
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.extraConfigMaps: []
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should create one ConfigMap if `defaultBackend.extraConfigMaps` has one element
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.extraConfigMaps:
+ - name: my-configmap-1
+ data:
+ key1: value1
+ asserts:
+ - hasDocuments:
+ count: 1
+ - isKind:
+ of: ConfigMap
+ - equal:
+ path: metadata.name
+ value: my-configmap-1
+ - equal:
+ path: data.key1
+ value: value1
+
+ - it: should create two ConfigMaps if `defaultBackend.extraConfigMaps` has two elements
+ set:
+ defaultBackend.enabled: true
+ defaultBackend.extraConfigMaps:
+ - name: my-configmap-1
+ data:
+ key1: value1
+ - name: my-configmap-2
+ data:
+ key2: value2
+ asserts:
+ - hasDocuments:
+ count: 2
+ - isKind:
+ of: ConfigMap
+ - matchRegex:
+ path: metadata.name
+ pattern: my-configmap-(1|2)
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/default-backend-service_test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/default-backend-service_test.yaml
new file mode 100644
index 000000000..f16904f9f
--- /dev/null
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/tests/default-backend-service_test.yaml
@@ -0,0 +1,32 @@ +suite: Default Backend > Service +templates: + - default-backend-service.yaml + +tests: + - it: should not create a Service if `defaultBackend.enabled` is false + set: + defaultBackend.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a Service if `defaultBackend.enabled` is true + set: + defaultBackend.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-defaultbackend + + - it: should create a Service with port 80 if `defaultBackend.service.port` is 80 + set: + defaultBackend.enabled: true + defaultBackend.service.port: 80 + asserts: + - equal: + path: spec.ports[0].port + value: 80 diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/values.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/values.yaml index d091391a8..fbd0b31cf 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/values.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/charts/ingress-nginx/values.yaml @@ -7,6 +7,8 @@ # nameOverride: # fullnameOverride: +# -- Override the deployment namespace; defaults to .Release.Namespace +namespaceOverride: "" ## Labels to apply to all resources ## commonLabels: {} @@ -15,6 +17,7 @@ commonLabels: {} controller: name: controller + enableAnnotationValidations: false image: ## Keep false as default for now! chroot: false 
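Review bot: The new `enableAnnotationValidations: false` key in the values.yaml hunk `@@ -15,6 +17,7 @@` has no `# --` description, unlike `namespaceOverride` added just above it, so a reader cannot tell what the switch guards or that it ships disabled. Judging by the name it toggles the controller's validation of Ingress annotation values, which matters on clusters where Ingress objects are written by several teams; the templates are not visible here, so that reading needs confirming. I would add `# -- Enable validation of Ingress annotation values by the controller. Disabled by default.` above the key. The `controller:` mapping continues outside the hunk.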
@@ -23,13 +26,17 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v1.8.1" - digest: sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd - digestChroot: sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627 + tag: "v1.11.2" + digest: sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce + digestChroot: sha256:21b55a2f0213a18b91612a8c0850167e00a8e34391fd595139a708f9c047e7a8 pullPolicy: IfNotPresent + runAsNonRoot: true # www-data -> uid 101 runAsUser: 101 - allowPrivilegeEscalation: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + readOnlyRootFilesystem: false # -- Use an existing PSP instead of creating one existingPsp: "" # -- Configures the controller container name @@ -38,7 +45,8 @@ controller: containerPort: http: 80 https: 443 - # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ + # -- Global configuration passed to the ConfigMap consumed by the controller. Values may contain Helm templates. + # Ref.: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ config: {} # -- Annotations to be added to the controller config configuration configmap. configAnnotations: {} @@ -48,6 +56,16 @@ controller: addHeaders: {} # -- Optionally customize the pod dnsConfig. dnsConfig: {} + # -- Optionally customize the pod hostAliases. + hostAliases: [] + # - ip: 127.0.0.1 + # hostnames: + # - foo.local + # - bar.local + # - ip: 10.1.2.3 + # hostnames: + # - foo.remote + # - bar.remote # -- Optionally customize the pod hostname. hostname: {} # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. 
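Review bot: `readOnlyRootFilesystem: false` is the one setting in the `@@ -23,13 +26,17 @@` hunk that stays permissive, and it is added without a comment saying why. The same block now sets `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `seccompProfile.type: RuntimeDefault`, so the writable root filesystem reads like an oversight rather than a deliberate exception. I would add a line above it such as `# Root filesystem is left writable for the controller; confirm which paths it writes before setting this to true`. The `controller.image` mapping starts before this hunk.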
@@ -63,14 +81,18 @@ controller: watchIngressWithoutClass: false # -- Process IngressClass per name (additionally as per spec.controller). ingressClassByName: false - # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" + # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" # Defaults to false enableTopologyAwareRouting: false + # -- This configuration disable Nginx Controller Leader Election + disableLeaderElection: false + # -- Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s) + electionTTL: "" # -- This configuration defines if Ingress Controller should allow users to set # their own *-snippet annotations, otherwise this is forbidden / dropped # when users add those annotations. # Global snippets in ConfigMap are still respected - allowSnippetAnnotations: true + allowSnippetAnnotations: false # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 # is merged 
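Review bot: Flipping `allowSnippetAnnotations` to `false` in the `@@ -63,14 +81,18 @@` hunk is the safer default, but the comment above it does not record the change. Clusters whose Ingresses use `*-snippet` annotations will have them dropped after the upgrade with nothing in values.yaml to explain it. I would append `# Default changed to false; set to true only when every Ingress author is trusted to inject NGINX configuration` to that comment block. In the same hunk the new comment `This configuration disable Nginx Controller Leader Election` should read `disables`. The `controller:` mapping continues outside the hunk.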
@@ -85,23 +107,45 @@ controller: http: 80 # -- 'hostPort' https port https: 443 + # NetworkPolicy for controller component. + networkPolicy: + # -- Enable 'networkPolicy' or not + enabled: false # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' electionID: "" - ## This section refers to the creation of the IngressClass resource - ## IngressClass resources are supported since k8s >= 1.18 and required since k8s >= 1.19 + # -- This section refers to the creation of the IngressClass resource. + # IngressClasses are immutable and cannot be changed after creation. + # We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. ingressClassResource: - # -- Name of the ingressClass + # -- Name of the IngressClass name: nginx - # -- Is this ingressClass enabled or not + # -- Create the IngressClass or not enabled: true - # -- Is this the default ingressClass for the cluster + # -- If true, Ingresses without `ingressClassName` get assigned to this IngressClass on creation. + # Ingress creation gets rejected if there are multiple default IngressClasses. + # Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class default: false - # -- Controller-value of the controller that is processing this ingressClass - controllerValue: "k8s.io/ingress-nginx" - # -- Parameters is a link to a custom resource containing additional - # configuration for the controller. This is optional if the controller - # does not require extra parameters. + # -- Annotations to be added to the IngressClass resource. + annotations: {} + # -- Controller of the IngressClass. An Ingress Controller looks for IngressClasses it should reconcile by this value. + # This value is also being set as the `--controller-class` argument of this Ingress Controller. 
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class + controllerValue: k8s.io/ingress-nginx + # -- Aliases of this IngressClass. Creates copies with identical settings but the respective alias as name. + # Useful for development environments with only one Ingress Controller but production-like Ingress resources. + # `default` gets enabled on the original IngressClass only. + aliases: [] + # aliases: + # - nginx-alias-1 + # - nginx-alias-2 + # -- A link to a custom resource containing additional configuration for the controller. + # This is optional if the controller consuming this IngressClass does not require additional parameters. + # Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class parameters: {} + # parameters: + # apiGroup: k8s.example.com + # kind: IngressParameters + # name: external-lb # -- For backwards compatibility with ingress.class annotation, use ingressClass. # Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation ingressClass: nginx @@ -109,13 +153,15 @@ controller: podLabels: {} # key: value - # -- Security Context policies for controller pods + # -- Security context for controller pods podSecurityContext: {} - # -- See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls + # -- sysctls for controller pods + ## Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ sysctls: {} # sysctls: # "net.core.somaxconn": "8192" - + # -- Security context for controller containers + containerSecurityContext: {} # -- Allows customization of the source of the IP address or FQDN to report # in the ingress status field. By default, it reads the information provided # by the service. If disable, the status field reports the IP address of the 
@@ -155,6 +201,9 @@ controller: extraArgs: {} ## extraArgs: ## default-ssl-certificate: "/" + ## time-buckets: "0.005,0.01,0.025,0.05,0.1,0.25,0.5,1,2.5,5,10" + ## length-buckets: "10,20,30,40,50,60,70,80,90,100" + ## size-buckets: "10,100,1000,10000,100000,1e+06,1e+07" # -- Additional environment variables to set extraEnvs: [] @@ -211,11 +260,11 @@ controller: # - key: app.kubernetes.io/name # operator: In # values: - # - ingress-nginx + # - '{{ include "ingress-nginx.name" . }}' # - key: app.kubernetes.io/instance # operator: In # values: - # - ingress-nginx + # - '{{ .Release.Name }}' # - key: app.kubernetes.io/component # operator: In # values: 
@@ -230,27 +279,37 @@ controller: # - key: app.kubernetes.io/name # operator: In # values: - # - ingress-nginx + # - '{{ include "ingress-nginx.name" . }}' # - key: app.kubernetes.io/instance # operator: In # values: - # - ingress-nginx + # - '{{ .Release.Name }}' # - key: app.kubernetes.io/component # operator: In # values: # - controller - # topologyKey: "kubernetes.io/hostname" + # topologyKey: kubernetes.io/hostname # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ ## topologySpreadConstraints: [] - # - maxSkew: 1 + # - labelSelector: + # matchLabels: + # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' + # app.kubernetes.io/instance: '{{ .Release.Name }}' + # app.kubernetes.io/component: controller # topologyKey: topology.kubernetes.io/zone - # whenUnsatisfiable: DoNotSchedule - # labelSelector: + # maxSkew: 1 + # whenUnsatisfiable: ScheduleAnyway + # - labelSelector: # matchLabels: - # app.kubernetes.io/instance: ingress-nginx-internal + # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' + # app.kubernetes.io/instance: '{{ .Release.Name }}' + # app.kubernetes.io/component: controller + # topologyKey: kubernetes.io/hostname + # maxSkew: 1 + # whenUnsatisfiable: ScheduleAnyway # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready ## wait up to five minutes for the drain of connections @@ -311,7 +370,7 @@ controller: # -- Minimum available pods set in PodDisruptionBudget. # Define either 'minAvailable' or 'maxUnavailable', never both. minAvailable: 1 - # -- Maximum unavalaile pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. # maxUnavailable: 1 ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes 
@@ -407,95 +466,170 @@ controller: configMapName: "" configMapKey: "" service: + # -- Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. enabled: true - # -- If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were - # using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - # It allows choosing the protocol for each backend specified in the Kubernetes service. - # See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 - # Will be ignored for Kubernetes versions older than 1.20 - ## - appProtocol: true + external: + # -- Enable the external controller service or not. Useful for internal-only deployments. + enabled: true + # -- Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service. annotations: {} + # -- Labels to be added to both controller services. labels: {} - # clusterIP: "" - - # -- List of IP addresses at which the controller services are available - ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips - ## + # -- Type of the external controller service. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + type: LoadBalancer + # -- Pre-defined cluster internal IP address of the external controller service. Take care of collisions with existing services. + # This value is immutable. Set once, it can not be changed without deleting and re-creating the service. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + clusterIP: "" + # -- List of node IP addresses at which the external controller service is available. 
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips externalIPs: [] - # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + # -- Deprecated: Pre-defined IP address of the external controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer loadBalancerIP: "" + # -- Restrict access to the external controller service. Values must be CIDRs. Allows any source address by default. loadBalancerSourceRanges: [] - # -- Used by cloud providers to select a load balancer implementation other than the cloud provider default. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + # -- Load balancer class of the external controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class loadBalancerClass: "" - enableHttp: true - enableHttps: true - ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it. - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - # externalTrafficPolicy: "" - - ## Must be either "None" or "ClientIP" if set. Kubernetes will default to "None". - ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - # sessionAffinity: "" + # -- Enable node port allocation for the external controller service or not. Applies to type `LoadBalancer` only. 
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + # allocateLoadBalancerNodePorts: true - ## Specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified, - ## the service controller allocates a port from your cluster’s NodePort range. - ## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + # -- External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. + # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + externalTrafficPolicy: "" + # -- Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". + # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity + sessionAffinity: "" + # -- Specifies the health check node port (numeric port number) for the external controller service. + # If not specified, the service controller allocates a port from your cluster's node port range. + # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip # healthCheckNodePort: 0 - # -- Represents the dual-stack-ness requested or required by this Service. Possible values are - # SingleStack, PreferDualStack or RequireDualStack. - # The ipFamilies and clusterIPs fields depend on the value of this field. - ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ - ipFamilyPolicy: "SingleStack" - # -- List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically - # based on cluster configuration and the ipFamilyPolicy field. 
- ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + # -- Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. + # Fields `ipFamilies` and `clusterIP` depend on the value of this field. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: SingleStack + # -- List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services ipFamilies: - IPv4 + # -- Enable the HTTP listener on both controller services or not. + enableHttp: true + # -- Enable the HTTPS listener on both controller services or not. + enableHttps: true ports: + # -- Port the external HTTP listener is published with. http: 80 + # -- Port the external HTTPS listener is published with. https: 443 targetPorts: + # -- Port of the ingress controller the external HTTP listener is mapped to. http: http + # -- Port of the ingress controller the external HTTPS listener is mapped to. https: https - type: LoadBalancer - ## type: NodePort - ## nodePorts: - ## http: 32080 - ## https: 32443 - ## tcp: - ## 8080: 32808 + # -- Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol + appProtocol: true nodePorts: + # -- Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range. http: "" + # -- Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range. 
https: "" + # -- Node port mapping for external TCP listeners. If left empty, the service controller allocates them from the configured node port range. + # Example: + # tcp: + # 8080: 30080 tcp: {} + # -- Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range. + # Example: + # udp: + # 53: 30053 udp: {} - external: - enabled: true internal: - # -- Enables an additional internal load balancer (besides the external one). + # -- Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. enabled: false - # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. + # -- Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer annotations: {} - # -- Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS. + # -- Type of the internal controller service. + # Defaults to the value of `controller.service.type`. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + type: "" + # -- Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services. + # This value is immutable. Set once, it can not be changed without deleting and re-creating the service. 
+ # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + clusterIP: "" + # -- List of node IP addresses at which the internal controller service is available. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips + externalIPs: [] + # -- Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer loadBalancerIP: "" - # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. + # -- Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default. loadBalancerSourceRanges: [] - ## Set external traffic policy to: "Local" to preserve source IP on - ## providers supporting it - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - # externalTrafficPolicy: "" + # -- Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: "" + # -- Enable node port allocation for the internal controller service or not. Applies to type `LoadBalancer` only. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + # allocateLoadBalancerNodePorts: true + + # -- External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. + # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + externalTrafficPolicy: "" + # -- Session affinity of the internal controller service. 
Must be either "None" or "ClientIP" if set. Defaults to "None". + # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity + sessionAffinity: "" + # -- Specifies the health check node port (numeric port number) for the internal controller service. + # If not specified, the service controller allocates a port from your cluster's node port range. + # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + # healthCheckNodePort: 0 - # -- Custom port mapping for internal service + # -- Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. + # Fields `ipFamilies` and `clusterIP` depend on the value of this field. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: SingleStack + # -- List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilies: + - IPv4 ports: {} - # http: 80 - # https: 443 + # -- Port the internal HTTP listener is published with. + # Defaults to the value of `controller.service.ports.http`. + # http: 80 + # -- Port the internal HTTPS listener is published with. + # Defaults to the value of `controller.service.ports.https`. + # https: 443 - # -- Custom target port mapping for internal service targetPorts: {} - # http: http - # https: https + # -- Port of the ingress controller the internal HTTP listener is mapped to. + # Defaults to the value of `controller.service.targetPorts.http`. + # http: http + # -- Port of the ingress controller the internal HTTPS listener is mapped to. + # Defaults to the value of `controller.service.targetPorts.https`. 
+ # https: https + + # -- Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol + appProtocol: true + nodePorts: + # -- Node port allocated for the internal HTTP listener. If left empty, the service controller allocates one from the configured node port range. + http: "" + # -- Node port allocated for the internal HTTPS listener. If left empty, the service controller allocates one from the configured node port range. + https: "" + # -- Node port mapping for internal TCP listeners. If left empty, the service controller allocates them from the configured node port range. + # Example: + # tcp: + # 8080: 30080 + tcp: {} + # -- Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range. + # Example: + # udp: + # 53: 30053 + udp: {} # shareProcessNamespace enables process namespace sharing within the pod. # This can be used for example to signal log rotation using `kill -USR1` from a sidecar. shareProcessNamespace: false 
@@ -542,9 +676,26 @@ controller: # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module extraModules: [] # - name: mytestmodule - # image: registry.k8s.io/ingress-nginx/mytestmodule + # image: + # registry: registry.k8s.io + # image: ingress-nginx/mytestmodule + # ## for backwards compatibility consider setting the full image url via the repository value below + # ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + # ## repository: + # tag: "v1.0.0" + # digest: "" + # distroless: false # containerSecurityContext: + # runAsNonRoot: true + # runAsUser: # allowPrivilegeEscalation: false + # seccompProfile: + # type: RuntimeDefault + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # resources: {} # # The image must contain a `/usr/local/bin/init_module.sh` executable, which # will be executed as initContainers, to move its config files within the 
@@ -552,10 +703,30 @@ controller: opentelemetry: enabled: false - image: registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0 + name: opentelemetry + image: + registry: registry.k8s.io + image: ingress-nginx/opentelemetry-1.25.3 + ## for backwards compatibility consider setting the full image url via the repository value below + ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + ## repository: + tag: v20240813-b933310d + digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922 + distroless: true containerSecurityContext: + runAsNonRoot: true + # -- The image's default user, inherited from its base image `cgr.dev/chainguard/static`. + runAsUser: 65532 allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + resources: {} admissionWebhooks: + name: admission annotations: {} # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem". @@ -583,7 +754,6 @@ controller: labels: {} # -- Use an existing PSP instead of creating one existingPsp: "" - networkPolicyEnabled: false service: annotations: {} # clusterIP: "" @@ -593,8 +763,18 @@ controller: servicePort: 443 type: ClusterIP createSecretJob: + name: create + # -- Security context for secret creation containers securityContext: + runAsNonRoot: true + runAsUser: 65532 allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true resources: {} # limits: # cpu: 10m 
@@ -603,8 +783,18 @@ controller: # cpu: 10m # memory: 20Mi patchWebhookJob: + name: patch + # -- Security context for webhook patch containers securityContext: + runAsNonRoot: true + runAsUser: 65532 allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true resources: {} patch: enabled: true @@ -614,22 +804,36 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: v20230407 - digest: sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b + tag: v1.4.3 + digest: sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 pullPolicy: IfNotPresent # -- Provide a priority class name to the webhook patching job ## priorityClassName: "" podAnnotations: {} + # NetworkPolicy for webhook patch + networkPolicy: + # -- Enable 'networkPolicy' or not + enabled: false nodeSelector: kubernetes.io/os: linux tolerations: [] # -- Labels to be added to patch job resources labels: {} - securityContext: - runAsNonRoot: true - runAsUser: 2000 - fsGroup: 2000 + # -- Security context for secret creation & webhook patch pods + securityContext: {} + # -- Admission webhook patch job RBAC + rbac: + # -- Create RBAC or not + create: true + # -- Admission webhook patch job service account + serviceAccount: + # -- Create a service account or not + create: true + # -- Custom service account name + name: "" + # -- Auto-mount service account token or not + automountServiceAccountToken: true # Use certmanager to generate webhook certs certManager: enabled: false 
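Review bot: `patch.networkPolicy.enabled`, added in the `@@ -614,22 +804,36 @@` hunk, appears to take over from `admissionWebhooks.networkPolicyEnabled`, which this commit deletes in the `@@ -583,7 +754,6 @@` hunk, yet nothing marks the rename. An existing override of the old key would presumably be ignored after the upgrade, leaving the patch job without its NetworkPolicy; the templates are not visible here, so that needs confirming. I would add `# Replaces the removed 'admissionWebhooks.networkPolicyEnabled' value` above `networkPolicy:`. The same hunk also empties the pod-level `securityContext` (previously `runAsNonRoot: true`, `runAsUser: 2000`, `fsGroup: 2000`). The non-root guarantee therefore rests only on the container-level `createSecretJob.securityContext` and `patchWebhookJob.securityContext` defaults, and an override of either one drops it.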
@@ -669,11 +873,12 @@ controller: serviceMonitor: enabled: false additionalLabels: {} + annotations: {} ## The label to use to retrieve the job name from. ## jobLabel: "app.kubernetes.io/name" namespace: "" namespaceSelector: {} - ## Default: scrape .Release.Namespace only + ## Default: scrape .Release.Namespace or namespaceOverride only ## To scrape all, use the following: ## namespaceSelector: ## any: true @@ -696,8 +901,13 @@ controller: # annotations: # description: bad ingress config - nginx config test failed # summary: uninstall the latest ingress changes to allow config reloads to resume + # # By default a fake self-signed certificate is generated as default and + # # it is fine if it expires. If `--default-ssl-certificate` flag is used + # # and a valid certificate passed please do not filter for `host` label! + # # (i.e. delete `{host!="_"}` so also the default SSL certificate is + # # checked for expiration) # - alert: NGINXCertificateExpiry - # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800 + # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds{host!="_"}) by (host) - time()) < 604800 # for: 1s # labels: # severity: critical @@ -750,11 +960,13 @@ defaultBackend: ## repository: tag: "1.5" pullPolicy: IfNotPresent + runAsNonRoot: true # nobody user -> uid 65534 runAsUser: 65534 - runAsNonRoot: true - readOnlyRootFilesystem: true allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + readOnlyRootFilesystem: true # -- Use an existing PSP instead of creating one existingPsp: "" extraArgs: {} 
@@ -799,16 +1011,71 @@ defaultBackend: # value: "value" # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + # -- Affinity and anti-affinity rules for server scheduling to nodes + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity affinity: {} - # -- Security Context policies for controller pods - # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for - # notes on enabling and using sysctls - ## + # # An example of preferred pod anti-affinity, weight is in the range 1-100 + # podAntiAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 100 + # podAffinityTerm: + # labelSelector: + # matchExpressions: + # - key: app.kubernetes.io/name + # operator: In + # values: + # - '{{ include "ingress-nginx.name" . }}' + # - key: app.kubernetes.io/instance + # operator: In + # values: + # - '{{ .Release.Name }}' + # - key: app.kubernetes.io/component + # operator: In + # values: + # - default-backend + # topologyKey: kubernetes.io/hostname + + # # An example of required pod anti-affinity + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: app.kubernetes.io/name + # operator: In + # values: + # - '{{ include "ingress-nginx.name" . }}' + # - key: app.kubernetes.io/instance + # operator: In + # values: + # - '{{ .Release.Name }}' + # - key: app.kubernetes.io/component + # operator: In + # values: + # - default-backend + # topologyKey: kubernetes.io/hostname + + # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. + # Ref.: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + topologySpreadConstraints: [] + # - labelSelector: + # matchLabels: + # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . 
}}' + # app.kubernetes.io/instance: '{{ .Release.Name }}' + # app.kubernetes.io/component: default-backend + # topologyKey: topology.kubernetes.io/zone + # maxSkew: 1 + # whenUnsatisfiable: ScheduleAnyway + # - labelSelector: + # matchLabels: + # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' + # app.kubernetes.io/instance: '{{ .Release.Name }}' + # app.kubernetes.io/component: default-backend + # topologyKey: kubernetes.io/hostname + # maxSkew: 1 + # whenUnsatisfiable: ScheduleAnyway + # -- Security context for default backend pods podSecurityContext: {} - # -- Security Context policies for controller main container. - # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for - # notes on enabling and using sysctls - ## + # -- Security context for default backend containers containerSecurityContext: {} # -- Labels to add to the pod container metadata podLabels: {} @@ -842,6 +1109,21 @@ defaultBackend: # - name: copy-portal-skins # emptyDir: {} + extraConfigMaps: [] + ## Additional configmaps to the default backend pod. + # - name: my-extra-configmap-1 + # labels: + # type: config-1 + # data: + # extra_file_1.html: | + # + # - name: my-extra-configmap-2 + # labels: + # type: config-2 + # data: + # extra_file_2.html: | + # + autoscaling: annotations: {} enabled: false @@ -849,6 +1131,10 @@ defaultBackend: maxReplicas: 2 targetCPUUtilizationPercentage: 50 targetMemoryUtilizationPercentage: 50 + # NetworkPolicy for default backend component. + networkPolicy: + # -- Enable 'networkPolicy' or not + enabled: false service: annotations: {} # clusterIP: "" 
@@ -887,13 +1173,13 @@ imagePullSecrets: [] ## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md ## tcp: {} -# 8080: "default/example-tcp-svc:9000" +# "8080": "default/example-tcp-svc:9000" # -- UDP service key-value pairs ## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md ## udp: {} -# 53: "kube-system/kube-dns:53" +# "53": "kube-system/kube-dns:53" # -- Prefix for TCP and UDP ports names in ingress controller service ## Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/ci/cirrus-values.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/ci/cirrus-values.yaml new file mode 100644 index 000000000..135fa5c87 --- /dev/null +++ b/charts/sonarqube/sonarqube/charts/sonarqube/ci/cirrus-values.yaml @@ -0,0 +1,12 @@ +image: + pullSecrets: + - name: pullsecret + repository: "sonarsource/sonarqube" + tag: "24.12.0.100206-community" +postgresql: + securityContext: + # On Cirrus, we have permissions issue if the fsGroup is not set to 1001 explicitly + enabled: true + # fsGroup and runAsUser specifications below are not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. + # postgresql dockerfile sets user as 1001 + fsGroup: 1001 diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/openshift-verifier/values.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/openshift-verifier/values.yaml new file mode 100644 index 000000000..0889ea6fb --- /dev/null +++ b/charts/sonarqube/sonarqube/charts/sonarqube/openshift-verifier/values.yaml 
@@ -0,0 +1,16 @@ +OpenShift: + enabled: true + route: + enabled: true + +postgresql: + securityContext: + enabled: false + containerSecurityContext: + enabled: false + +image: + pullSecrets: + - name: pullsecret + repository: "sonarsource/sonarqube" + tag: "24.12.0.100206-community" diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/NOTES.txt b/charts/sonarqube/sonarqube/charts/sonarqube/templates/NOTES.txt index 5ca350c43..3362bafe6 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/NOTES.txt +++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/NOTES.txt @@ -3,9 +3,6 @@ {{- range .Values.ingress.hosts }} http://{{ .name }} {{- end }} -{{- else if .Values.route.enabled }} - export ROUTE_HOST=$(kubectl get route {{ template "sonarqube.name" . }} --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.host}") - echo https://$ROUTE_HOST {{- else if contains "NodePort" .Values.service.type }} export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "sonarqube.fullname" . }}) export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 
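Review bot: `postgresql.securityContext.enabled: false` and `postgresql.containerSecurityContext.enabled: false` carry no comment in this new file, so on its own it reads as pod hardening being switched off. The sibling ci/cirrus-values.yaml added in the same commit explains that enabled=false is the setting the OpenShift "restricted SCC" requires and that fsGroup and runAsUser are then not applied. I would repeat that above the block, e.g. `# enabled=false is required for the OpenShift "restricted SCC"; fsGroup/runAsUser are not applied. Do not reuse on non-OpenShift clusters.`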
@@ -20,3 +17,25 @@ echo "Visit http://127.0.0.1:8080 to use your application" kubectl port-forward $POD_NAME 8080:{{ .Values.service.externalPort }} -n {{ .Release.Namespace }} {{- end }} +{{- if eq .Values.edition "community" }} +DEPRECATION NOTICE: The SonarQube Community Edition has been replaced by the SonarQube Community Build. + Please use "community.enabled=true" to use the latest SonarQube Community Build. + The "community" value is deprecated and won't be supported for "edition" anymore. +{{- end }} +WARNING: + Please note that the SonarQube image runs with a non-root user (uid=1000) belonging to the root group (guid=0). In this way, the chart can support arbitrary user ids as recommended in OpenShift. + Please visit https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#use-uid_create-images for more information. +{{ if .Values.postgresql.enabled }} +WARNING: The embedded PostgreSQL is intended for evaluation only, it is DEPRECATED, and it will be REMOVED in a future release. + Please visit https://artifacthub.io/packages/helm/sonarqube/sonarqube#production-use-case for more information. +{{- end }} +{{ if or (.Values.nginx).enabled (index .Values "ingress-nginx" "enabled") }} +WARNING: The ingress nginx controller dependency has been upgraded to a major version (4.x), please carefully read the changelogs at https://github.com/kubernetes/ingress-nginx/releases and refer to the documentation at https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/. + Please also visit https://artifacthub.io/packages/helm/sonarqube/sonarqube#production-use-case for more information. +{{- end }} +{{ if hasKey .Values.deploymentStrategy "type" }} +WARNING: Setting the deployment strategy type is deprecated and will be removed in a future release. It will be hard-coded to Recreate. 
+{{- end }} +{{ if eq .Values.deploymentType "StatefulSet" }} +WARNING: The deploymentType value is deprecated and won't be supported anymore. SonarQube will be deployed as a Deployment by default. +{{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/_helpers.tpl b/charts/sonarqube/sonarqube/charts/sonarqube/templates/_helpers.tpl index 837ac985f..276c584e9 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/_helpers.tpl +++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/_helpers.tpl 
@@ -18,6 +18,61 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- end -}} {{- end -}} +{{/* +Common labels +*/}} +{{- define "sonarqube.labels" -}} +app: {{ include "sonarqube.name" . }} +chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" }} +release: {{ .Release.Name }} +heritage: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "sonarqube.selectorLabels" -}} +app: {{ include "sonarqube.name" . }} +release: {{ .Release.Name }} +app.kubernetes.io/name: {{ .Release.Name }} +app.kubernetes.io/version: {{ (tpl .Values.image.tag .) | trunc 63 | trimSuffix "-" | quote }} +{{- end -}} + +{{/* +Workload labels (Deployment or StatefulSet) +*/}} +{{- define "sonarqube.workloadLabels" -}} +{{- include "sonarqube.labels" . }} +app.kubernetes.io/name: {{ .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/part-of: sonarqube +app.kubernetes.io/component: {{ include "sonarqube.fullname" . }} +app.kubernetes.io/version: {{ (tpl (include "image.tag" .) . ) | trunc 63 | trimSuffix "-" | quote }} +{{- end -}} + +{{/* +Expand the Application Image name. +*/}} +{{- define "sonarqube.image" -}} +{{- printf "%s:%s" .Values.image.repository (tpl (include "image.tag" .) .) 
}} +{{- end -}} + +{{/* + Define the image.tag value that computes the right tag to be used as `sonarqube.image` +*/}} +{{- define "image.tag" -}} +{{- if empty .Values.image.tag -}} +{{- if and (not (empty .Values.edition)) (or (eq .Values.edition "developer") (eq .Values.edition "enterprise")) -}} +{{- printf "%s-%s" .Chart.AppVersion .Values.edition -}} +{{- else if or (.Values.community.enabled) (and (not (empty .Values.edition)) (eq .Values.edition "community")) -}} +{{- printf "%s-%s" .Values.community.buildNumber "community" -}} +{{- end -}} +{{- else -}} +{{- .Values.image.tag -}} +{{- end -}} +{{- end -}} + {{/* Create a default fully qualified mysql/postgresql name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). @@ -47,7 +102,7 @@ Determine the k8s secret containing the JDBC credentials {{- else -}} {{- template "postgresql.fullname" . -}} {{- end -}} -{{- else if .Values.jdbcOverwrite.enable -}} +{{- else if or .Values.jdbcOverwrite.enabled .Values.jdbcOverwrite.enable -}} {{- if .Values.jdbcOverwrite.jdbcSecretName -}} {{- .Values.jdbcOverwrite.jdbcSecretName -}} {{- else -}} @@ -64,7 +119,7 @@ Determine JDBC username {{- define "jdbc.username" -}} {{- if and .Values.postgresql.enabled .Values.postgresql.postgresqlUsername -}} {{- .Values.postgresql.postgresqlUsername | quote -}} -{{- else if and .Values.jdbcOverwrite.enable .Values.jdbcOverwrite.jdbcUsername -}} +{{- else if and (or .Values.jdbcOverwrite.enabled .Values.jdbcOverwrite.enable) .Values.jdbcOverwrite.jdbcUsername -}} {{- .Values.jdbcOverwrite.jdbcUsername | quote -}} {{- else -}} {{- .Values.postgresql.postgresqlUsername -}} 
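Review bot: `sonarqube.selectorLabels` builds `app.kubernetes.io/version` from `.Values.image.tag` directly, while `sonarqube.workloadLabels` and `sonarqube.image` in the same hunk go through the new `image.tag` helper. When `image.tag` is left empty, which is the case the helper exists for, the selector label renders as `""` and no longer matches the version carried by the workload labels and the image reference. I would use the helper here as well: `app.kubernetes.io/version: {{ (tpl (include "image.tag" .) . ) | trunc 63 | trimSuffix "-" | quote }}`. Separately, if this template feeds `spec.selector.matchLabels` (not visible in this hunk), a version label there changes on every upgrade while selectors on existing Deployments and StatefulSets are immutable, so that is worth confirming before release.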
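Review bot: The legacy `jdbcOverwrite.enable` key is still honoured here through `or .Values.jdbcOverwrite.enabled .Values.jdbcOverwrite.enable`, and the same expression is repeated in the `jdbc.username`, `jdbc.secretPasswordKey` and `jdbc.internalSecretPasswd` hunks, but nothing tells the operator which key took effect. These helpers select the secret and password the server connects with, so a stale `enable: true` left in an old values file keeps the override active even after `enabled` is set to false. If `enable` is meant to be deprecated (inferred from the rename), a NOTES.txt warning such as `{{ if .Values.jdbcOverwrite.enable }}WARNING: jdbcOverwrite.enable is deprecated, use jdbcOverwrite.enabled{{ end }}` would make that visible. The helper bodies start and end outside these hunks.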
@@ -81,7 +136,7 @@ Determine the k8s secretKey contrining the JDBC password {{- else -}} {{- "postgresql-password" -}} {{- end -}} -{{- else if .Values.jdbcOverwrite.enable -}} +{{- else if or .Values.jdbcOverwrite.enabled .Values.jdbcOverwrite.enable -}} {{- if and .Values.jdbcOverwrite.jdbcSecretName .Values.jdbcOverwrite.jdbcSecretPasswordKey -}} {{- .Values.jdbcOverwrite.jdbcSecretPasswordKey -}} {{- else -}} @@ -96,7 +151,7 @@ Determine the k8s secretKey contrining the JDBC password Determine JDBC password if internal secret is used */}} {{- define "jdbc.internalSecretPasswd" -}} -{{- if .Values.jdbcOverwrite.enable -}} +{{- if or .Values.jdbcOverwrite.enabled .Values.jdbcOverwrite.enable -}} {{- .Values.jdbcOverwrite.jdbcPassword | b64enc | quote -}} {{- else -}} {{- .Values.postgresql.postgresqlPassword | b64enc | quote -}} 
@@ -118,11 +173,11 @@ Set sonarqube.jvmOpts {{- end -}} {{- end -}} {{- if and .Values.caCerts.enabled .Values.prometheusExporter.enabled -}} -{{ printf "-javaagent:%s/data/jmx_prometheus_javaagent.jar=%d:%s/conf/prometheus-config.yaml -Djavax.net.ssl.trustStore=%s/certs/cacerts %s" .Values.sonarqubeFolder (int .Values.prometheusExporter.webBeanPort) .Values.sonarqubeFolder .Values.sonarqubeFolder $tempJvm | trim | quote }} +{{ printf "-javaagent:%s/data/jmx_prometheus_javaagent.jar=%d:%s/conf/prometheus-config.yaml -Djavax.net.ssl.trustStore=%s/certs/cacerts %s" .Values.sonarqubeFolder (int .Values.prometheusExporter.webBeanPort) .Values.sonarqubeFolder .Values.sonarqubeFolder $tempJvm | trim }} {{- else if .Values.caCerts.enabled -}} -{{ printf "-Djavax.net.ssl.trustStore=%s/certs/cacerts %s" .Values.sonarqubeFolder $tempJvm | trim | quote }} +{{ printf "-Djavax.net.ssl.trustStore=%s/certs/cacerts %s" .Values.sonarqubeFolder $tempJvm | trim }} {{- else if .Values.prometheusExporter.enabled -}} -{{ printf "-javaagent:%s/data/jmx_prometheus_javaagent.jar=%d:%s/conf/prometheus-config.yaml %s" .Values.sonarqubeFolder (int .Values.prometheusExporter.webBeanPort) .Values.sonarqubeFolder $tempJvm | trim | quote }} +{{ printf "-javaagent:%s/data/jmx_prometheus_javaagent.jar=%d:%s/conf/prometheus-config.yaml %s" .Values.sonarqubeFolder (int .Values.prometheusExporter.webBeanPort) .Values.sonarqubeFolder $tempJvm | trim }} {{- else -}} {{ printf "%s" $tempJvm }} {{- end -}} 
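Review bot: With `| quote` dropped from the three `printf` branches, `sonarqube.jvmOpts` returns a bare string, which is only safe where the result is serialised again. `sonarqube.combined_env` later in this file does that through `dict` and `toJson`, but any template that still renders `value: {{ include "sonarqube.jvmOpts" . }}` directly would emit an unquoted YAML scalar that includes `$tempJvm`, which appears to come from user-supplied values; a value containing ` #` or `: ` would then be truncated or mis-parsed. I would state the contract in the helper's comment, e.g. `Returns an unquoted string; callers must quote or serialise it (see sonarqube.combined_env)`, and check the remaining call sites. The same applies to the `sonarqube.jvmCEOpts` hunk that follows; both helper bodies begin outside their hunks.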
@@ -143,11 +198,11 @@ Set sonarqube.jvmCEOpts {{- end -}} {{- end -}} {{- if and .Values.caCerts.enabled .Values.prometheusExporter.enabled -}} -{{ printf "-javaagent:%s/data/jmx_prometheus_javaagent.jar=%d:%s/conf/prometheus-ce-config.yaml -Djavax.net.ssl.trustStore=%s/certs/cacerts %s" .Values.sonarqubeFolder (int .Values.prometheusExporter.ceBeanPort) .Values.sonarqubeFolder .Values.sonarqubeFolder $tempJvm | trim | quote }} +{{ printf "-javaagent:%s/data/jmx_prometheus_javaagent.jar=%d:%s/conf/prometheus-ce-config.yaml -Djavax.net.ssl.trustStore=%s/certs/cacerts %s" .Values.sonarqubeFolder (int .Values.prometheusExporter.ceBeanPort) .Values.sonarqubeFolder .Values.sonarqubeFolder $tempJvm | trim }} {{- else if .Values.caCerts.enabled -}} -{{ printf "-Djavax.net.ssl.trustStore=%s/certs/cacerts %s" .Values.sonarqubeFolder $tempJvm | trim | quote }} +{{ printf "-Djavax.net.ssl.trustStore=%s/certs/cacerts %s" .Values.sonarqubeFolder $tempJvm | trim }} {{- else if .Values.prometheusExporter.enabled -}} -{{ printf "-javaagent:%s/data/jmx_prometheus_javaagent.jar=%d:%s/conf/prometheus-ce-config.yaml %s" .Values.sonarqubeFolder (int .Values.prometheusExporter.ceBeanPort) .Values.sonarqubeFolder $tempJvm | trim | quote }} +{{ printf "-javaagent:%s/data/jmx_prometheus_javaagent.jar=%d:%s/conf/prometheus-ce-config.yaml %s" .Values.sonarqubeFolder (int .Values.prometheusExporter.ceBeanPort) .Values.sonarqubeFolder $tempJvm | trim }} {{- else -}} {{ printf "%s" $tempJvm }} {{- end -}} 
@@ -196,4 +251,186 @@ Set sonarqube.webcontext, ensuring it starts and ends with a slash, in order to {{- $tempWebcontext = print $tempWebcontext "/" -}} {{- end -}} {{ printf "%s" $tempWebcontext }} +{{- end -}} + +{{/* +Set combined_env, ensuring we dont have any duplicates with our features and some of the user provided env vars +*/}} +{{- define "sonarqube.combined_env" -}} +{{- $filteredEnv := list -}} +{{- range $index,$val := .Values.env -}} + {{- if not (has $val.name (list "SONAR_WEB_CONTEXT" "SONAR_WEB_JAVAOPTS" "SONAR_CE_JAVAOPTS")) -}} + {{- $filteredEnv = append $filteredEnv $val -}} + {{- end -}} +{{- end -}} +{{- $filteredEnv = append $filteredEnv (dict "name" "SONAR_WEB_CONTEXT" "value" (include "sonarqube.webcontext" .)) -}} +{{- $filteredEnv = append $filteredEnv (dict "name" "SONAR_WEB_JAVAOPTS" "value" (include "sonarqube.jvmOpts" .)) -}} +{{- $filteredEnv = append $filteredEnv (dict "name" "SONAR_CE_JAVAOPTS" "value" (include "sonarqube.jvmCEOpts" .)) -}} +{{- toJson $filteredEnv -}} +{{- end -}} + + +{{/* + generate Proxy env var from httpProxySecret +*/}} +{{- define "sonarqube.proxyFromSecret" -}} +- name: http_proxy + valueFrom: + secretKeyRef: + name: {{ .Values.httpProxySecret }} + key: http_proxy +- name: https_proxy + valueFrom: + secretKeyRef: + name: {{ .Values.httpProxySecret }} + key: https_proxy +- name: no_proxy + valueFrom: + secretKeyRef: + name: {{ .Values.httpProxySecret }} + key: no_proxy +{{- end -}} + +{{/* + generate prometheusExporter proxy env var +*/}} +{{- define "sonarqube.prometheusExporterProxy.env" -}} +{{- if .Values.httpProxySecret -}} +{{- include "sonarqube.proxyFromSecret" . }} +{{- else -}} +- name: http_proxy + valueFrom: + secretKeyRef: + name: {{ template "sonarqube.fullname" . }}-http-proxies + key: PROMETHEUS-EXPORTER-HTTP-PROXY +- name: https_proxy + valueFrom: + secretKeyRef: + name: {{ template "sonarqube.fullname" . 
}}-http-proxies + key: PROMETHEUS-EXPORTER-HTTPS-PROXY +- name: no_proxy + valueFrom: + secretKeyRef: + name: {{ template "sonarqube.fullname" . }}-http-proxies + key: PROMETHEUS-EXPORTER-NO-PROXY +{{- end -}} +{{- end -}} + +{{/* + generate install-plugins proxy env var +*/}} +{{- define "sonarqube.install-plugins-proxy.env" -}} +{{- if .Values.httpProxySecret -}} +{{- include "sonarqube.proxyFromSecret" . }} +{{- else -}} +- name: http_proxy + valueFrom: + secretKeyRef: + name: {{ template "sonarqube.fullname" . }}-http-proxies + key: PLUGINS-HTTP-PROXY +- name: https_proxy + valueFrom: + secretKeyRef: + name: {{ template "sonarqube.fullname" . }}-http-proxies + key: PLUGINS-HTTPS-PROXY +- name: no_proxy + valueFrom: + secretKeyRef: + name: {{ template "sonarqube.fullname" . }}-http-proxies + key: PLUGINS-NO-PROXY +{{- end -}} +{{- end -}} + +{{/* +Remove incompatible user/group values that do not work in Openshift out of the box +*/}} +{{- define "sonarqube.securityContext" -}} +{{- $adaptedSecurityContext := .Values.securityContext -}} + {{- if .Values.OpenShift.enabled -}} + {{- $adaptedSecurityContext = omit $adaptedSecurityContext "fsGroup" "runAsUser" "runAsGroup" -}} + {{- end -}} + {{- toYaml $adaptedSecurityContext -}} +{{- end -}} + + +{{/* +Remove incompatible user/group values that do not work in Openshift out of the box +*/}} +{{- define "sonarqube.containerSecurityContext" -}} +{{- $adaptedContainerSecurityContext := .Values.containerSecurityContext -}} + {{- if .Values.OpenShift.enabled -}} + {{- $adaptedContainerSecurityContext = omit $adaptedContainerSecurityContext "fsGroup" "runAsUser" "runAsGroup" -}} + {{- end -}} +{{- toYaml $adaptedContainerSecurityContext -}} +{{- end -}} + +{{/* +Remove incompatible user/group values that do not work in Openshift out of the box +*/}} +{{- define "sonarqube.initContainerSecurityContext" -}} +{{- $adaptedInitContainerSecurityContext := .Values.initContainers.securityContext -}} + {{- if 
.Values.OpenShift.enabled -}} + {{- $adaptedInitContainerSecurityContext = omit $adaptedInitContainerSecurityContext "fsGroup" "runAsUser" "runAsGroup" -}} + {{- end -}} +{{- toYaml $adaptedInitContainerSecurityContext -}} +{{- end -}} + +{{/* + generate caCerts volume +*/}} +{{- define "sonarqube.volumes.caCerts" -}} +{{- if .Values.caCerts.enabled -}} +- name: ca-certs + {{- if .Values.caCerts.secret }} + secret: + secretName: {{ .Values.caCerts.secret }} + {{- else if .Values.caCerts.configMap }} + configMap: + name: {{ .Values.caCerts.configMap.name }} + items: + - key: {{ .Values.caCerts.configMap.key }} + path: {{ .Values.caCerts.configMap.path }} + {{- end -}} +{{- end -}} +{{- end -}} + +{{/* + This helper deeply merges two maps (structs). It recursively merges nested maps and takes the values from `map2` when keys overlap. +*/}} +{{- define "deepMerge" -}} +{{- $map1 := .map1 -}} +{{- $map2 := .map2 -}} + +{{- $result := dict -}} + +{{- /* Merge keys from map1 */}} +{{- range $key, $value := $map1 -}} + {{- $_ := set $result $key $value -}} +{{- end -}} + +{{- /* Merge keys from map2 (overriding map1 if the key exists) */}} +{{- range $key, $value := $map2 -}} + {{- if hasKey $map1 $key -}} + {{- /* If both maps have the same key and the value is a map, we need to merge recursively */}} + {{- if and (kindIs "map" $value) (kindIs "map" (index $map1 $key)) -}} + {{- $_ := set $result $key (fromYaml (include "deepMerge" (dict "map1" (index $map1 $key) "map2" $value))) -}} + {{- else -}} + {{- /* Otherwise, just take the value from map2 */}} + {{- $_ := set $result $key $value -}} + {{- end -}} + {{- else -}} + {{- /* If map2 has a key not in map1, just add it to the result */}} + {{- $_ := set $result $key $value -}} + {{- end -}} +{{- end -}} + +{{- toYaml $result -}} +{{- end -}} + +{{- define "accountDeprecation" -}} +{{- $map1 := .Values.setAdminPassword -}} +{{- $map2 := .Values.account -}} + +{{- $accountDeprecation := (include "deepMerge" (dict "map1" 
$map1 "map2" $map2)) -}} +{{- $accountDeprecation }} {{- end -}} \ No newline at end of file diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/_pod.tpl b/charts/sonarqube/sonarqube/charts/sonarqube/templates/_pod.tpl new file mode 100644 index 000000000..dc216a80b --- /dev/null +++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/_pod.tpl 
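Review bot: `accountDeprecation` passes `.Values.setAdminPassword` as `map1` and `.Values.account` as `map2`, and the `deepMerge` comment says values from `map2` win on overlapping keys, so settings under `account` override those under `setAdminPassword`. If `account` is the deprecated key (inferred from the helper's name), stale settings left there, presumably including the admin password, silently take precedence over the new ones. This is the only helper in the hunk without a `{{/* ... */}}` header; I would either swap the arguments so `setAdminPassword` wins or state the precedence explicitly, e.g. `{{/* Merge deprecated 'account' into 'setAdminPassword'; on conflict the 'account' value wins */}}`. Both inputs also reach `range` and `hasKey` unguarded, so defaulting an unset `account` to `dict` may be worth adding.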
@@ -0,0 +1,487 @@ +{{- define "sonarqube.pod" -}} +metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }} + {{- if and .Values.persistence.enabled .Values.initFs.enabled (not .Values.OpenShift.enabled) }} + checksum/init-fs: {{ include (print $.Template.BasePath "/init-fs.yaml") . | sha256sum }} + {{- end }} + {{- if and .Values.initSysctl.enabled (not .Values.OpenShift.enabled) }} + checksum/init-sysctl: {{ include (print $.Template.BasePath "/init-sysctl.yaml") . | sha256sum }} + {{- end }} + checksum/plugins: {{ include (print $.Template.BasePath "/install-plugins.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- if .Values.prometheusExporter.enabled }} + checksum/prometheus-config: {{ include (print $.Template.BasePath "/prometheus-config.yaml") . | sha256sum }} + checksum/prometheus-ce-config: {{ include (print $.Template.BasePath "/prometheus-ce-config.yaml") . | sha256sum }} + {{- end }} + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{- include "sonarqube.selectorLabels" . | nindent 4 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + automountServiceAccountToken: {{ .Values.serviceAccount.automountToken }} + {{- with .Values.schedulerName }} + schedulerName: {{ . }} + {{- end }} + {{- with (include "sonarqube.securityContext" .) }} + securityContext: {{- . | nindent 4 }} + {{- end }} + {{- if or .Values.image.pullSecrets .Values.image.pullSecret }} + imagePullSecrets: + {{- if .Values.image.pullSecret }} + - name: {{ .Values.image.pullSecret }} + {{- end }} + {{- with .Values.image.pullSecrets }} + {{- toYaml . 
| nindent 4 }} + {{- end }} + {{- end }} + initContainers: + {{- if .Values.extraInitContainers }} + {{- toYaml .Values.extraInitContainers | nindent 4 }} + {{- end }} + {{- if .Values.postgresql.enabled }} + - name: "wait-for-db" + image: {{ default (include "sonarqube.image" $) .Values.initContainers.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with (include "sonarqube.initContainerSecurityContext" .) }} + securityContext: {{- . | nindent 8 }} + {{- end }} + {{- with .Values.initContainers.resources }} + resources: {{- toYaml . | nindent 8 }} + {{- end }} + command: ["/bin/bash", "-c"] + args: ['set -o pipefail;for i in {1..200};do (echo > /dev/tcp/{{ .Release.Name }}-postgresql/5432) && exit 0; sleep 2;done; exit 1'] + {{- end }} + {{- if .Values.caCerts.enabled }} + - name: ca-certs + image: {{ default (include "sonarqube.image" $) .Values.caCerts.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: ["sh"] + args: ["-c", "cp -f \"${JAVA_HOME}/lib/security/cacerts\" /tmp/certs/cacerts; if [ \"$(ls /tmp/secrets/ca-certs)\" ]; then for f in /tmp/secrets/ca-certs/*; do keytool -importcert -file \"${f}\" -alias \"$(basename \"${f}\")\" -keystore /tmp/certs/cacerts -storepass changeit -trustcacerts -noprompt; done; fi;"] + {{- with (include "sonarqube.initContainerSecurityContext" .) }} + securityContext: {{- . | nindent 8 }} + {{- end }} + {{- with .Values.initContainers.resources }} + resources: {{- toYaml . | nindent 8 }} + {{- end }} + volumeMounts: + - mountPath: /tmp/certs + name: sonarqube + subPath: certs + - mountPath: /tmp/secrets/ca-certs + name: ca-certs + env: + {{- (include "sonarqube.combined_env" . 
| fromJsonArray) | toYaml | trim | nindent 8 }} + {{- end }} + {{- if and (or .Values.initSysctl.enabled .Values.elasticsearch.configureNode) (not .Values.OpenShift.enabled) }} + - name: init-sysctl + image: {{ default (include "sonarqube.image" $) .Values.initSysctl.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with (default (fromYaml (include "sonarqube.initContainerSecurityContext" .)) (.Values.initSysctl.securityContext )) }} + securityContext: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (default .Values.initContainers.resources .Values.initSysctl.resources) }} + resources: {{- toYaml . | nindent 8 }} + {{- end }} + command: ["/bin/bash", "-e", "/tmp/scripts/init_sysctl.sh"] + volumeMounts: + - name: init-sysctl + mountPath: /tmp/scripts/ + env: + {{- (include "sonarqube.combined_env" . | fromJsonArray) | toYaml | trim | nindent 8 }} + {{- end }} + {{- if or .Values.sonarProperties .Values.sonarSecretProperties .Values.sonarSecretKey (not .Values.elasticsearch.bootstrapChecks) }} + - name: concat-properties + image: {{ default (include "sonarqube.image" $) .Values.initContainers.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - sh + - -c + - | + #!/bin/sh + if [ -f /tmp/props/sonar.properties ]; then + cat /tmp/props/sonar.properties > /tmp/result/sonar.properties + fi + if [ -f /tmp/props/secret.properties ]; then + cat /tmp/props/secret.properties > /tmp/result/sonar.properties + fi + if [ -f /tmp/props/sonar.properties -a -f /tmp/props/secret.properties ]; then + awk 1 /tmp/props/sonar.properties /tmp/props/secret.properties > /tmp/result/sonar.properties + fi + volumeMounts: + - mountPath: /tmp/result + name: concat-dir + {{- if or .Values.sonarProperties .Values.sonarSecretKey (not .Values.elasticsearch.bootstrapChecks) }} + - mountPath: /tmp/props/sonar.properties + name: config + subPath: sonar.properties + {{- end }} + {{- if .Values.sonarSecretProperties }} + - mountPath: /tmp/props/secret.properties + 
name: secret-config + subPath: secret.properties + {{- end }} + {{- with (include "sonarqube.initContainerSecurityContext" .) }} + securityContext: {{- . | nindent 8 }} + {{- end }} + {{- with .Values.initContainers.resources }} + resources: {{- toYaml . | nindent 8 }} + {{- end }} + env: + {{- (include "sonarqube.combined_env" . | fromJsonArray) | toYaml | trim | nindent 8 }} + {{- end }} + {{- if .Values.prometheusExporter.enabled }} + - name: inject-prometheus-exporter + image: {{ default (include "sonarqube.image" $) .Values.prometheusExporter.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with (default (fromYaml (include "sonarqube.initContainerSecurityContext" .)) .Values.prometheusExporter.securityContext) }} + securityContext: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (default .Values.initContainers.resources .Values.prometheusExporter.resources)}} + resources: {{- toYaml . | nindent 8 }} + {{- end }} + command: ["/bin/sh", "-c"] + args: ["curl -s '{{ include "prometheusExporter.downloadURL" . }}' {{ if $.Values.prometheusExporter.noCheckCertificate }}--insecure{{ end }} --output /data/jmx_prometheus_javaagent.jar -v"] + volumeMounts: + - mountPath: /data + name: sonarqube + subPath: data + env: + {{- with (include "sonarqube.prometheusExporterProxy.env" .) }} + {{- . | nindent 8 }} + {{- end }} + {{- (include "sonarqube.combined_env" . | fromJsonArray) | toYaml | trim | nindent 8 }} + {{- end }} + {{- if and .Values.persistence.enabled .Values.initFs.enabled (not .Values.OpenShift.enabled) }} + - name: init-fs + image: {{ default (include "sonarqube.image" $) .Values.initFs.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with (default (fromYaml (include "sonarqube.initContainerSecurityContext" .)) .Values.initFs.securityContext) }} + securityContext: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (default .Values.initContainers.resources .Values.initFs.resources) }} + resources: {{- toYaml . 
| nindent 8 }} + {{- end }} + command: ["sh", "-e", "/tmp/scripts/init_fs.sh"] + volumeMounts: + - name: init-fs + mountPath: /tmp/scripts/ + - mountPath: {{ .Values.sonarqubeFolder }}/data + name: sonarqube + subPath: data + - mountPath: {{ .Values.sonarqubeFolder }}/temp + name: sonarqube + subPath: temp + - mountPath: {{ .Values.sonarqubeFolder }}/logs + name: sonarqube + subPath: logs + - mountPath: /tmp + name: tmp-dir + {{- if .Values.caCerts.enabled }} + - mountPath: {{ .Values.sonarqubeFolder }}/certs + name: sonarqube + subPath: certs + {{- end }} + - mountPath: {{ .Values.sonarqubeFolder }}/extensions + name: sonarqube + subPath: extensions + {{- with .Values.persistence.mounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.plugins.install }} + - name: install-plugins + image: {{ default (include "sonarqube.image" $) .Values.plugins.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: ["sh", "-e", "/tmp/scripts/install_plugins.sh"] + {{- with (default (fromYaml (include "sonarqube.initContainerSecurityContext" .)) .Values.plugins.securityContext) }} + securityContext: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with (default .Values.initContainers.resources .Values.plugins.resource) }} + resources: {{- toYaml . | nindent 8 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.sonarqubeFolder }}/extensions/plugins + name: sonarqube + subPath: extensions/plugins + - name: install-plugins + mountPath: /tmp/scripts/ + {{- if .Values.plugins.netrcCreds }} + - name: plugins-netrc-file + mountPath: /root + {{- end }} + env: + {{- with (include "sonarqube.install-plugins-proxy.env" .) }} + {{- . | nindent 8 }} + {{- end }} + {{- (include "sonarqube.combined_env" . 
| fromJsonArray) | toYaml | trim | nindent 8 }} + {{- end }} + {{- if and .Values.jdbcOverwrite.oracleJdbcDriver .Values.jdbcOverwrite.oracleJdbcDriver.url }} + - name: install-oracle-jdbc-driver + image: {{ default (include "sonarqube.image" $) .Values.initContainers.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: ["sh", "-e", "/tmp/scripts/install_oracle_jdbc_driver.sh"] + {{- with (default (fromYaml (include "sonarqube.initContainerSecurityContext" .)) .Values.initContainers.securityContext) }} + securityContext: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.initContainers.resources }} + resources: {{- toYaml . | nindent 8 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.sonarqubeFolder }}/extensions/jdbc-driver/oracle + name: sonarqube + subPath: extensions/jdbc-driver/oracle + - name: install-oracle-jdbc-driver + mountPath: /tmp/scripts/ + {{- if .Values.jdbcOverwrite.oracleJdbcDriver.netrcCreds }} + - name: oracle-jdbc-driver-netrc-file + mountPath: /root + {{- end }} + {{- if .Values.caCerts.enabled }} + - mountPath: /tmp/secrets/ca-certs + name: ca-certs + {{- end }} + env: + {{- (include "sonarqube.combined_env" . | fromJsonArray) | toYaml | trim | nindent 8 }} + {{- end }} + containers: + {{- with .Values.extraContainers }} + {{- toYaml . | nindent 4 }} + {{- end }} + - name: {{ .Chart.Name }} + image: {{ include "sonarqube.image" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: {{ .Values.service.internalPort }} + protocol: TCP + {{- if .Values.prometheusExporter.enabled }} + - name: monitoring-web + containerPort: {{ .Values.prometheusExporter.webBeanPort }} + protocol: TCP + - name: monitoring-ce + containerPort: {{ .Values.prometheusExporter.ceBeanPort }} + protocol: TCP + {{- end }} + resources: {{- toYaml .Values.resources | nindent 8 }} + env: + - name: SONAR_HELM_CHART_VERSION + value: {{ .Chart.Version | replace "+" "_" }} + {{- if .Values.OpenShift.enabled }} + - name: IS_HELM_OPENSHIFT_ENABLED + value: "true" + {{- end }} + - name: SONAR_JDBC_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "jdbc.secret" . }} + key: {{ include "jdbc.secretPasswordKey" . }} + - name: SONAR_WEB_SYSTEMPASSCODE + valueFrom: + secretKeyRef: + {{- if and .Values.monitoringPasscodeSecretName .Values.monitoringPasscodeSecretKey }} + name: {{ .Values.monitoringPasscodeSecretName }} + key: {{ .Values.monitoringPasscodeSecretKey }} + {{- else }} + name: {{ include "sonarqube.fullname" . }}-monitoring-passcode + key: SONAR_WEB_SYSTEMPASSCODE + {{- end }} + {{- (include "sonarqube.combined_env" . | fromJsonArray) | toYaml | trim | nindent 8 }} + envFrom: + - configMapRef: + name: {{ include "sonarqube.fullname" . }}-jdbc-config + {{- range .Values.extraConfig.secrets }} + - secretRef: + name: {{ . }} + {{- end }} + {{- range .Values.extraConfig.configmaps }} + - configMapRef: + name: {{ . }} + {{- end }} + livenessProbe: + {{- tpl (omit .Values.livenessProbe "sonarWebContext" | toYaml) . | nindent 8 }} + readinessProbe: + {{- tpl (omit .Values.readinessProbe "sonarWebContext" | toYaml) . | nindent 8 }} + startupProbe: + httpGet: + scheme: HTTP + path: {{ .Values.startupProbe.sonarWebContext | default (include "sonarqube.webcontext" .) 
}}api/system/status + port: http + initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.startupProbe.periodSeconds }} + failureThreshold: {{ .Values.startupProbe.failureThreshold }} + timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }} + {{- with (include "sonarqube.containerSecurityContext" .) }} + securityContext: {{- . | nindent 8 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.sonarqubeFolder }}/data + name: sonarqube + subPath: data + - mountPath: {{ .Values.sonarqubeFolder }}/temp + name: sonarqube + subPath: temp + - mountPath: {{ .Values.sonarqubeFolder }}/logs + name: sonarqube + subPath: logs + - mountPath: /tmp + name: tmp-dir + {{- if or .Values.sonarProperties .Values.sonarSecretProperties .Values.sonarSecretKey (not .Values.elasticsearch.bootstrapChecks) }} + - mountPath: {{ .Values.sonarqubeFolder }}/conf/ + name: concat-dir + {{- end }} + {{- if .Values.sonarSecretKey }} + - mountPath: {{ .Values.sonarqubeFolder }}/secret/ + name: secret + {{- end }} + {{- if .Values.caCerts.enabled }} + - mountPath: {{ .Values.sonarqubeFolder }}/certs + name: sonarqube + subPath: certs + {{- end }} + - mountPath: {{ .Values.sonarqubeFolder }}/extensions + name: sonarqube + subPath: extensions + {{- if .Values.prometheusExporter.enabled }} + - mountPath: {{ .Values.sonarqubeFolder }}/conf/prometheus-config.yaml + subPath: prometheus-config.yaml + name: prometheus-config + - mountPath: {{ .Values.sonarqubeFolder }}/conf/prometheus-ce-config.yaml + subPath: prometheus-ce-config.yaml + name: prometheus-ce-config + {{- end }} + {{- with .Values.persistence.mounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: {{- toYaml . 
| nindent 4 }} + {{- end }} + {{- with .Values.hostAliases }} + hostAliases: {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.affinity }} + affinity: {{- toYaml . | nindent 4 }} + {{- end }} + serviceAccountName: {{ include "sonarqube.serviceAccountName" . }} + volumes: + {{- with .Values.persistence.volumes }} + {{- tpl (toYaml . | nindent 4) $ }} + {{- end }} + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if or .Values.sonarProperties .Values.sonarSecretKey ( not .Values.elasticsearch.bootstrapChecks) }} + - name: config + configMap: + name: {{ include "sonarqube.fullname" . }}-config + items: + - key: sonar.properties + path: sonar.properties + {{- end }} + {{- if .Values.sonarSecretProperties }} + - name: secret-config + secret: + secretName: {{ .Values.sonarSecretProperties }} + items: + - key: secret.properties + path: secret.properties + {{- end }} + {{- if .Values.sonarSecretKey }} + - name: secret + secret: + secretName: {{ .Values.sonarSecretKey }} + items: + - key: sonar-secret.txt + path: sonar-secret.txt + {{- end }} + {{- include "sonarqube.volumes.caCerts" . | nindent 4 }} + {{- if .Values.plugins.netrcCreds }} + - name: plugins-netrc-file + secret: + secretName: {{ .Values.plugins.netrcCreds }} + items: + - key: netrc + path: .netrc + {{- end }} + {{- if and .Values.jdbcOverwrite.oracleJdbcDriver .Values.jdbcOverwrite.oracleJdbcDriver.netrcCreds }} + - name: oracle-jdbc-driver-netrc-file + secret: + secretName: {{ .Values.jdbcOverwrite.oracleJdbcDriver.netrcCreds }} + items: + - key: netrc + path: .netrc + {{- end }} + {{- if and .Values.initSysctl.enabled (not .Values.OpenShift.enabled) }} + - name: init-sysctl + configMap: + name: {{ include "sonarqube.fullname" . 
}}-init-sysctl + items: + - key: init_sysctl.sh + path: init_sysctl.sh + {{- end }} + {{- if and .Values.persistence.enabled .Values.initFs.enabled (not .Values.OpenShift.enabled) }} + - name: init-fs + configMap: + name: {{ include "sonarqube.fullname" . }}-init-fs + items: + - key: init_fs.sh + path: init_fs.sh + {{- end }} + {{- if .Values.plugins.install }} + - name: install-plugins + configMap: + name: {{ include "sonarqube.fullname" . }}-install-plugins + items: + - key: install_plugins.sh + path: install_plugins.sh + {{- end }} + {{- if and .Values.jdbcOverwrite.oracleJdbcDriver .Values.jdbcOverwrite.oracleJdbcDriver.url }} + - name: install-oracle-jdbc-driver + configMap: + name: {{ include "sonarqube.fullname" . }}-install-oracle-jdbc-driver + items: + - key: install_oracle_jdbc_driver.sh + path: install_oracle_jdbc_driver.sh + {{- end }} + {{- if .Values.prometheusExporter.enabled }} + - name: prometheus-config + configMap: + name: {{ include "sonarqube.fullname" . }}-prometheus-config + items: + - key: prometheus-config.yaml + path: prometheus-config.yaml + - name: prometheus-ce-config + configMap: + name: {{ include "sonarqube.fullname" . }}-prometheus-ce-config + items: + - key: prometheus-ce-config.yaml + path: prometheus-ce-config.yaml + {{- end }} + - name: sonarqube + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ include "sonarqube.fullname" . }}{{- end }} + {{- else }} + emptyDir: {{- toYaml .Values.emptyDir | nindent 8 }} + {{- end }} + - name : tmp-dir + emptyDir: {{- toYaml .Values.emptyDir | nindent 8 }} + {{- if or .Values.sonarProperties .Values.sonarSecretProperties .Values.sonarSecretKey ( not .Values.elasticsearch.bootstrapChecks) }} + - name : concat-dir + emptyDir: {{- toYaml .Values.emptyDir | nindent 8 }} + {{- end }} + +{{- end -}} 
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/change-admin-password-hook.yml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/change-admin-password-hook.yml
index 4f83977a0..f557e321e 100644
--- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/change-admin-password-hook.yml
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/change-admin-password-hook.yml
@@ -1,34 +1,23 @@ +{{ $accountDeprecation := fromYaml (include "accountDeprecation" . ) }} +{{ $_ := set .Values "account" $accountDeprecation }} {{- if .Values.account }} -{{- if or .Values.account.adminPassword .Values.account.adminPasswordSecretName}} +{{- if or .Values.account.adminPassword .Values.account.newPassword .Values.account.adminPasswordSecretName .Values.account.passwordSecretName }} apiVersion: batch/v1 kind: Job metadata: name: {{ template "sonarqube.fullname" . }}-change-admin-password-hook - labels: - app: {{ template "sonarqube.name" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - {{- range $key, $value := .Values.service.labels }} - {{ $key }}: {{ $value | quote }} - {{- end }} + labels: {{- include "sonarqube.labels" . | nindent 4 }} annotations: - "helm.sh/hook": post-install + "helm.sh/hook": post-install, post-upgrade "helm.sh/hook-delete-policy": hook-succeeded - {{- range $key, $value := .Values.adminJobAnnotations }} + {{- range $key, $value := .Values.adminJobAnnotations | default .Values.account.annotations }} {{ $key }}: {{ $value | quote }} - {{- end }} + {{- end }} spec: template: metadata: name: {{ template "sonarqube.fullname" . }}-change-admin-password-hook - labels: - app: {{ template "sonarqube.name" . }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - {{- range $key, $value := .Values.service.labels }} - {{ $key }}: {{ $value | quote }} - {{- end }} + labels: {{- include "sonarqube.labels" . | nindent 8 }} spec: restartPolicy: OnFailure {{- if or .Values.image.pullSecrets .Values.image.pullSecret }} 
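Review bot: Adding `post-upgrade` to `"helm.sh/hook"` re-runs this Job on every upgrade, and nothing in the hunk covers the case where the admin password was already changed by an earlier run. The value under the `currentPassword` key is then presumably stale, so the `change_password` request in the unchanged `command` of the next hunk would be rejected; curl has no `--fail` there, so it would still exit 0 and `hook-succeeded` would delete the Job with no sign that the requested password was not applied. I would add `--fail` to the second curl call so a rejected change is visible, accepting that the Job then retries under `restartPolicy: OnFailure`. A comment above the annotation should also state the contract, e.g. `{{- /* runs on upgrade too: currentPassword must hold the password in effect */}}`. The Job spec continues outside this hunk.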
@@ -36,47 +25,45 @@ spec: {{- if .Values.image.pullSecret }} - name: {{ .Values.image.pullSecret }} {{- end }} - {{- if .Values.image.pullSecrets }} -{{ toYaml .Values.image.pullSecrets | indent 8 }} + {{- with .Values.image.pullSecrets }} + {{- toYaml . | nindent 8 }} {{- end }} {{- end }} serviceAccountName: {{ template "sonarqube.serviceAccountName" . }} - {{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 8 }} - {{- end }} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} - {{- end }} + {{- with .Values.tolerations }} + tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: {{ template "sonarqube.fullname" . }}-change-default-admin-password - image: {{ default "curlimages/curl:8.2.0" .Values.curlContainerImage }} - {{- if $securityContext := .Values.account.securityContext }} - securityContext: -{{ toYaml $securityContext | indent 12 }} + image: {{ .Values.curlContainerImage | default ( .Values.account.image | default (include "sonarqube.image" .) ) }} + {{- with (default (fromYaml (include "sonarqube.initContainerSecurityContext" .)) .Values.account.securityContext) }} + securityContext: {{- toYaml . | nindent 10 }} {{- end }} command: ["sh", "-c", 'until curl -v --connect-timeout 100 {{ template "sonarqube.fullname" . }}:{{ default 9000 .Values.service.internalPort }}{{ .Values.account.sonarWebContext | default (include "sonarqube.webcontext" .) }}api/system/status | grep -w UP; do sleep 10; done; curl -v --connect-timeout 100 -u admin:$CURRENT_ADMIN_PASSWORD -X POST "{{ template "sonarqube.fullname" . }}:{{ default 9000 .Values.service.internalPort }}{{ .Values.account.sonarWebContext | default (include "sonarqube.webcontext" .) 
}}api/users/change_password?login=admin&previousPassword=$CURRENT_ADMIN_PASSWORD&password=$ADMIN_PASSWORD"'] env: - name: ADMIN_PASSWORD valueFrom: secretKeyRef: - {{- if .Values.account.adminPassword }} + {{- if or .Values.account.adminPassword .Values.account.newPassword }} name: {{ template "sonarqube.fullname" . }}-admin-password {{- else }} - name: {{ .Values.account.adminPasswordSecretName }} + name: {{ .Values.account.adminPasswordSecretName | default .Values.account.passwordSecretName }} {{- end }} key: password - name: CURRENT_ADMIN_PASSWORD valueFrom: secretKeyRef: - {{- if .Values.account.adminPassword }} + {{- if or .Values.account.adminPassword .Values.account.newPassword }} name: {{ template "sonarqube.fullname" . }}-admin-password {{- else }} - name: {{ .Values.account.adminPasswordSecretName }} + name: {{ .Values.account.adminPasswordSecretName | default .Values.account.passwordSecretName }} {{- end }} key: currentPassword - resources: -{{ toYaml (default .Values.resources .Values.account.resources) | indent 10 }} + {{- with (default .Values.resources .Values.account.resources) }} + resources: {{- toYaml . | nindent 10 }} + {{- end }} {{- end }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/config.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/config.yaml index 2fc8623a0..9d4b0c8b4 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/config.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/config.yaml @@ -2,11 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "sonarqube.fullname" . }}-config - labels: - app: {{ template "sonarqube.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} + labels: {{- include "sonarqube.labels" . | nindent 4 }} data: sonar.properties: | {{- range $key, $val := .Values.sonarProperties }} 
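Review bot: The container reworked in the change-admin-password-hook.yml hunk still runs the unchanged `command` with `curl -v` and both passwords in the query string (`previousPassword=$CURRENT_ADMIN_PASSWORD&password=$ADMIN_PASSWORD`). Verbose mode writes the request line and the basic-auth header to the Job's log, and a password containing `&`, `%` or `#` changes the request that is sent. I would drop `-v` and send the parameters in the body: `curl -sS --fail -u "admin:$CURRENT_ADMIN_PASSWORD" -X POST --data-urlencode "login=admin" --data-urlencode "previousPassword=$CURRENT_ADMIN_PASSWORD" --data-urlencode "password=$ADMIN_PASSWORD" "<service>:<port><context>api/users/change_password"`, with the URL pieces templated as they are today. The new `image` default falls back to `sonarqube.image`, which is defined outside this hunk, so it is worth confirming that image ships `curl`, which the command depends on.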
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/deployment.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/deployment.yaml
index 7cf2c8fb5..62952b3b7 100644
--- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/deployment.yaml
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/deployment.yaml
@@ -1,482 +1,16 @@ -{{- if eq .Values.deploymentType "Deployment"}} +{{- if eq .Values.deploymentType "Deployment" }} apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "sonarqube.fullname" . }} - labels: - app: {{ template "sonarqube.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - app.kubernetes.io/name: {{ template "sonarqube.name" . }}-{{ template "sonarqube.fullname" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/part-of: sonarqube - app.kubernetes.io/component: {{ template "sonarqube.fullname" . }} - app.kubernetes.io/version: {{ tpl .Values.image.tag . | quote }} + labels: {{- include "sonarqube.workloadLabels" . | nindent 4 }} spec: replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} selector: - matchLabels: - app: {{ template "sonarqube.name" . }} - release: {{ .Release.Name }} -{{- if .Values.deploymentStrategy }} - strategy: -{{ toYaml .Values.deploymentStrategy | indent 4 }} -{{- end }} - template: - metadata: - labels: - app: {{ template "sonarqube.name" . }} - release: {{ .Release.Name }} -{{- with .Values.podLabels }} -{{ toYaml . | indent 8 }} -{{- end }} - annotations: - checksum/init-sysctl: {{ include (print $.Template.BasePath "/init-sysctl.yaml") . | sha256sum }} - checksum/plugins: {{ include (print $.Template.BasePath "/install-plugins.yaml") . | sha256sum }} - checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }} - checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} -{{- if .Values.prometheusExporter.enabled }} - checksum/prometheus-config: {{ include (print $.Template.BasePath "/prometheus-config.yaml") . | sha256sum }} - checksum/prometheus-ce-config: {{ include (print $.Template.BasePath "/prometheus-ce-config.yaml") . 
| sha256sum }} -{{- end }} -{{- if .Values.annotations}} - {{- range $key, $value := .Values.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -{{- end }} - spec: - {{- if .Values.schedulerName }} - schedulerName: {{ .Values.schedulerName }} - {{- end }} - securityContext: -{{ toYaml .Values.securityContext | indent 8 }} - {{- if or .Values.image.pullSecrets .Values.image.pullSecret }} - imagePullSecrets: - {{- if .Values.image.pullSecret }} - - name: {{ .Values.image.pullSecret }} - {{- end }} - {{- if .Values.image.pullSecrets}} -{{ toYaml .Values.image.pullSecrets | indent 8 }} - {{- end }} - {{- end }} - initContainers: - {{- if .Values.extraInitContainers }} -{{ toYaml .Values.extraInitContainers | indent 8 }} - {{- end }} - {{- if .Values.postgresql.enabled }} - - name: "wait-for-db" - image: {{ default "docker.m.daocloud.io" .Values.initContainers.registry }}/{{ default "library/busybox" .Values.initContainers.repository }}:{{ default "1.32" .Values.initContainers.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if $securityContext := .Values.initContainers.securityContext }} - securityContext: -{{ toYaml $securityContext | indent 12 }} - {{- end }} - resources: -{{ toYaml .Values.initContainers.resources | indent 12 }} - command: ["/bin/sh", "-c", "for i in $(seq 1 200); do nc -z -w3 {{ .Release.Name}}-postgresql 5432 && exit 0 || sleep 2; done; exit 1"] - {{- end }} - {{- if .Values.caCerts.enabled }} - - name: ca-certs - image: {{ default "docker.m.daocloud.io" .Values.caCerts.registry }}/{{ default "adoptopenjdk/openjdk11" .Values.caCerts.repository }}:{{ default "alpine" .Values.caCerts.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: ["sh"] - args: ["-c", "cp -f \"${JAVA_HOME}/lib/security/cacerts\" /tmp/certs/cacerts; if [ \"$(ls /tmp/secrets/ca-certs)\" ]; then for f in /tmp/secrets/ca-certs/*; do keytool -importcert -file \"${f}\" -alias \"$(basename \"${f}\")\" -keystore /tmp/certs/cacerts -storepass 
changeit -trustcacerts -noprompt; done; fi;"] - {{- if $securityContext := .Values.initContainers.securityContext }} - securityContext: -{{ toYaml $securityContext | indent 12 }} - {{- end }} - resources: -{{ toYaml .Values.initContainers.resources | indent 12 }} - volumeMounts: - - mountPath: /tmp/certs - name: sonarqube - subPath: certs - - mountPath: /tmp/secrets/ca-certs - name: ca-certs - {{- with .Values.env }} - env: - {{- . | toYaml | trim | nindent 12 }} - {{- end }} - {{- end }} - {{- if or .Values.initSysctl.enabled .Values.elasticsearch.configureNode }} - - name: init-sysctl - image: {{ default "docker.m.daocloud.io" .Values.initSysctl.registry }}/{{ default "library/busybox" .Values.initSysctl.repository }}:{{ default "1.32" .Values.initSysctl.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if $securityContext := (default .Values.initContainers.securityContext .Values.initSysctl.securityContext) }} - securityContext: -{{ toYaml $securityContext | indent 12 }} - {{- end }} - resources: -{{ toYaml (default .Values.initContainers.resources .Values.initSysctl.resources) | indent 12 }} - command: ["sh", - "-e", - "/tmp/scripts/init_sysctl.sh"] - volumeMounts: - - name: init-sysctl - mountPath: /tmp/scripts/ - {{- with .Values.env }} - env: - {{- . 
| toYaml | trim | nindent 12 }} - {{- end }} - {{- end }} - - {{- if or .Values.sonarProperties .Values.sonarSecretProperties .Values.sonarSecretKey (not .Values.elasticsearch.bootstrapChecks) }} - - name: concat-properties - image: {{ default "docker.m.daocloud.io" .Values.initContainers.registry }}/{{ default "library/busybox" .Values.initContainers.repository }}:{{ default "1.32" .Values.initContainers.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - sh - - -c - - | - #!/bin/sh - if [ -f /tmp/props/sonar.properties ]; then - cat /tmp/props/sonar.properties > /tmp/result/sonar.properties - fi - if [ -f /tmp/props/secret.properties ]; then - cat /tmp/props/secret.properties > /tmp/result/sonar.properties - fi - if [ -f /tmp/props/sonar.properties -a -f /tmp/props/secret.properties ]; then - awk 1 /tmp/props/sonar.properties /tmp/props/secret.properties > /tmp/result/sonar.properties - fi - volumeMounts: - {{- if or .Values.sonarProperties .Values.sonarSecretKey (not .Values.elasticsearch.bootstrapChecks) }} - - mountPath: /tmp/props/sonar.properties - name: config - subPath: sonar.properties - {{- end }} - {{- if .Values.sonarSecretProperties }} - - mountPath: /tmp/props/secret.properties - name: secret-config - subPath: secret.properties - {{- end }} - - mountPath: /tmp/result - name: concat-dir - {{- if $securityContext := .Values.initContainers.securityContext }} - securityContext: -{{ toYaml $securityContext | indent 12 }} - {{- end }} - resources: -{{ toYaml .Values.initContainers.resources | indent 12 }} - {{- with .Values.env }} - env: - {{- . 
| toYaml | trim | nindent 12 }} - {{- end }} - {{- end }} - - {{- if .Values.prometheusExporter.enabled }} - - name: inject-prometheus-exporter - image: {{ default "docker.m.daocloud.io" .Values.prometheusExporter.registry }}/{{ default "curlimages/curl" .Values.prometheusExporter.repository }}:{{ default "8.2.0" .Values.prometheusExporter.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if $securityContext := (default .Values.initContainers.securityContext .Values.prometheusExporter.securityContext) }} - securityContext: -{{ toYaml $securityContext | indent 12 }} - {{- end }} - resources: -{{ toYaml (default .Values.initContainers.resources .Values.prometheusExporter.resources) | indent 12 }} - command: ["/bin/sh","-c"] - args: ["curl -s '{{ template "prometheusExporter.downloadURL" . }}' {{ if $.Values.prometheusExporter.noCheckCertificate }}--insecure{{ end }} --output /data/jmx_prometheus_javaagent.jar -v"] - volumeMounts: - - mountPath: /data - name: sonarqube - subPath: data - env: - - name: http_proxy - value: {{ default "" .Values.prometheusExporter.httpProxy }} - - name: https_proxy - value: {{ default "" .Values.prometheusExporter.httpsProxy }} - - name: no_proxy - value: {{ default "" .Values.prometheusExporter.noProxy }} - {{- with .Values.env }} - {{- . 
| toYaml | trim | nindent 12 }} - {{- end }} - {{- end }} - {{- if .Values.plugins.install }} - - name: install-plugins - image: {{ default "docker.m.daocloud.io" .Values.plugins.registry }}/{{ default "curlimages/curl" .Values.plugins.repository }}:{{ default "8.2.0" .Values.plugins.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: ["sh", - "-e", - "/tmp/scripts/install_plugins.sh"] - volumeMounts: - - mountPath: {{ .Values.sonarqubeFolder }}/extensions/plugins - name: sonarqube - subPath: extensions/plugins - - name: install-plugins - mountPath: /tmp/scripts/ - {{- if .Values.plugins.netrcCreds }} - - name: plugins-netrc-file - mountPath: /root - {{- end }} - {{- if $securityContext := (default .Values.initContainers.securityContext .Values.plugins.securityContext) }} - securityContext: -{{ toYaml $securityContext | indent 12 }} - {{- end }} - resources: -{{ toYaml (default .Values.initContainers.resources .Values.plugins.resource) | indent 12 }} - env: - - name: http_proxy - value: {{ default "" .Values.plugins.httpProxy }} - - name: https_proxy - value: {{ default "" .Values.plugins.httpsProxy }} - - name: no_proxy - value: {{ default "" .Values.plugins.noProxy }} - {{- with .Values.env }} - {{- . | toYaml | trim | nindent 12 }} - {{- end }} - {{- end }} - containers: - {{- if .Values.extraContainers }} - {{- toYaml .Values.extraContainers | nindent 8 }} - {{- end }} - - name: {{ .Chart.Name }} - image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ tpl .Values.image.tag . 
}}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - - name: http - containerPort: {{ .Values.service.internalPort }} - protocol: TCP - {{- if .Values.prometheusExporter.enabled }} - - name: monitoring-web - containerPort: {{ .Values.prometheusExporter.webBeanPort }} - protocol: TCP - - name: monitoring-ce - containerPort: {{ .Values.prometheusExporter.ceBeanPort }} - protocol: TCP - {{- end }} - resources: -{{ toYaml (default .Values.resources .Values.resource) | indent 12 }} - env: - {{- with .Values.env }} - {{- . | toYaml | trim | nindent 12 }} - {{- end }} - - name: SONAR_HELM_CHART_VERSION - value: {{ .Chart.Version | replace "+" "_" }} - - name: SONAR_WEB_JAVAOPTS - value: {{ template "sonarqube.jvmOpts" . }} - - name: SONAR_CE_JAVAOPTS - value: {{ template "sonarqube.jvmCEOpts" . }} - - name: SONAR_WEB_CONTEXT - value: {{ include "sonarqube.webcontext" . }} - - name: SONAR_JDBC_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "jdbc.secret" . }} - key: {{ template "jdbc.secretPasswordKey" . }} - - name: SONAR_WEB_SYSTEMPASSCODE - valueFrom: - secretKeyRef: - {{- if and .Values.monitoringPasscodeSecretName .Values.monitoringPasscodeSecretKey }} - name: {{ .Values.monitoringPasscodeSecretName }} - key: {{ .Values.monitoringPasscodeSecretKey }} - {{- else }} - name: {{ template "sonarqube.fullname" . }}-monitoring-passcode - key: SONAR_WEB_SYSTEMPASSCODE - {{- end }} - envFrom: - - configMapRef: - name: {{ template "sonarqube.fullname" . }}-jdbc-config -{{- range .Values.extraConfig.secrets }} - - secretRef: - name: {{ . }} -{{- end }} -{{- range .Values.extraConfig.configmaps }} - - configMapRef: - name: {{ . 
}} -{{- end }} - livenessProbe: - exec: - command: - - sh - - -c - - | - host="$(hostname -i || echo '127.0.0.1')" - wget --no-proxy --quiet -O /dev/null --timeout={{ .Values.livenessProbe.timeoutSeconds }} --header="X-Sonar-Passcode: $SONAR_WEB_SYSTEMPASSCODE" "http://${host}:{{ .Values.service.internalPort }}{{ .Values.livenessProbe.sonarWebContext | default (include "sonarqube.webcontext" .) }}api/system/liveness" - initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.livenessProbe.periodSeconds }} - failureThreshold: {{ .Values.livenessProbe.failureThreshold }} - timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} - readinessProbe: - exec: - command: - - sh - - -c - - | - #!/bin/bash - # A Sonarqube container is considered ready if the status is UP, DB_MIGRATION_NEEDED or DB_MIGRATION_RUNNING - # status about migration are added to prevent the node to be kill while sonarqube is upgrading the database. - host="$(hostname -i || echo '127.0.0.1')" - if wget --no-proxy -qO- http://${host}:{{ .Values.service.internalPort }}{{ .Values.readinessProbe.sonarWebContext | default (include "sonarqube.webcontext" .) }}api/system/status | grep -q -e '"status":"UP"' -e '"status":"DB_MIGRATION_NEEDED"' -e '"status":"DB_MIGRATION_RUNNING"'; then - exit 0 - fi - exit 1 - initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} - failureThreshold: {{ .Values.readinessProbe.failureThreshold }} - timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} - startupProbe: - httpGet: - scheme: HTTP - path: {{ .Values.startupProbe.sonarWebContext | default (include "sonarqube.webcontext" .) 
}}api/system/status - port: http - initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.startupProbe.periodSeconds }} - failureThreshold: {{ .Values.startupProbe.failureThreshold }} - timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }} - {{- if .Values.containerSecurityContext }} - securityContext: -{{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- end }} - volumeMounts: -{{- if .Values.persistence.mounts }} -{{ toYaml .Values.persistence.mounts | indent 12 }} -{{- end }} -{{- if .Values.extraVolumeMounts }} -{{- .Values.extraVolumeMounts | toYaml | nindent 12 }} -{{- end }} - {{- if or .Values.sonarProperties .Values.sonarSecretProperties .Values.sonarSecretKey (not .Values.elasticsearch.bootstrapChecks) }} - - mountPath: {{ .Values.sonarqubeFolder }}/conf/ - name: concat-dir - {{- end }} - {{- if .Values.sonarSecretKey }} - - mountPath: {{ .Values.sonarqubeFolder }}/secret/ - name: secret - {{- end }} - {{- if .Values.caCerts.enabled }} - - mountPath: {{ .Values.sonarqubeFolder }}/certs - name: sonarqube - subPath: certs - {{- end }} - - mountPath: {{ .Values.sonarqubeFolder }}/data - name: sonarqube - subPath: data - {{- if .Values.persistence.enabled }} - - mountPath: {{ .Values.sonarqubeFolder }}/extensions - name: sonarqube - subPath: extensions - {{- else if .Values.plugins.install }} - - mountPath: {{ .Values.sonarqubeFolder }}/extensions/plugins - name: sonarqube - subPath: extensions/plugins - {{- end }} - - mountPath: {{ .Values.sonarqubeFolder }}/temp - name: sonarqube - subPath: temp - - mountPath: {{ .Values.sonarqubeFolder }}/logs - name: sonarqube - subPath: logs - - mountPath: /tmp - name: tmp-dir - {{- if .Values.prometheusExporter.enabled }} - - mountPath: {{ .Values.sonarqubeFolder }}/conf/prometheus-config.yaml - subPath: prometheus-config.yaml - name: prometheus-config - - mountPath: {{ .Values.sonarqubeFolder }}/conf/prometheus-ce-config.yaml - subPath: prometheus-ce-config.yaml 
- name: prometheus-ce-config - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} - {{- end }} - {{- if .Values.hostAliases }} - hostAliases: -{{ toYaml .Values.hostAliases | indent 8 }} - {{- end }} - {{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 8 }} - {{- end }} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} - {{- end }} - serviceAccountName: {{ template "sonarqube.serviceAccountName" . }} - volumes: -{{- if .Values.extraVolumes }} -{{- .Values.extraVolumes | toYaml | nindent 6 }} -{{- end }} -{{- if .Values.persistence.volumes }} -{{ tpl (toYaml .Values.persistence.volumes | indent 6) . }} -{{- end }} - {{- if or .Values.sonarProperties .Values.sonarSecretKey ( not .Values.elasticsearch.bootstrapChecks) }} - - name: config - configMap: - name: {{ template "sonarqube.fullname" . }}-config - items: - - key: sonar.properties - path: sonar.properties - {{- end }} - {{- if .Values.sonarSecretProperties }} - - name: secret-config - secret: - secretName: {{ .Values.sonarSecretProperties }} - items: - - key: secret.properties - path: secret.properties - {{- end }} - {{- if .Values.sonarSecretKey }} - - name: secret - secret: - secretName: {{ .Values.sonarSecretKey }} - items: - - key: sonar-secret.txt - path: sonar-secret.txt - {{- end }} - {{- if .Values.caCerts.enabled }} - - name: ca-certs - secret: - secretName: {{ .Values.caCerts.secret }} - {{- end }} - {{- if .Values.plugins.netrcCreds }} - - name: plugins-netrc-file - secret: - secretName: {{ .Values.plugins.netrcCreds }} - items: - - key: netrc - path: .netrc - {{- end }} - - name: init-sysctl - configMap: - name: {{ template "sonarqube.fullname" . 
}}-init-sysctl - items: - - key: init_sysctl.sh - path: init_sysctl.sh - - name: install-plugins - configMap: - name: {{ template "sonarqube.fullname" . }}-install-plugins - items: - - key: install_plugins.sh - path: install_plugins.sh - {{- if .Values.prometheusExporter.enabled }} - - name: prometheus-config - configMap: - name: {{ template "sonarqube.fullname" . }}-prometheus-config - items: - - key: prometheus-config.yaml - path: prometheus-config.yaml - - name: prometheus-ce-config - configMap: - name: {{ template "sonarqube.fullname" . }}-prometheus-ce-config - items: - - key: prometheus-ce-config.yaml - path: prometheus-ce-config.yaml - {{- end }} - - name: sonarqube - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ template "sonarqube.fullname" . }}{{- end }} - {{- else }} - emptyDir: {{- toYaml .Values.emptyDir | nindent 10 }} - {{- end }} - - name : tmp-dir - emptyDir: {{- toYaml .Values.emptyDir | nindent 10 }} - {{- if or .Values.sonarProperties .Values.sonarSecretProperties .Values.sonarSecretKey ( not .Values.elasticsearch.bootstrapChecks) }} - - name : concat-dir - emptyDir: {{- toYaml .Values.emptyDir | nindent 10 -}} - {{- end }} + matchLabels: {{- include "sonarqube.selectorLabels" . | nindent 6 }} + {{- with .Values.deploymentStrategy }} + strategy: {{- toYaml . | nindent 4 }} + {{- end }} + template: {{- include "sonarqube.pod" . | nindent 4 }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/http-route.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/http-route.yaml new file mode 100644 index 000000000..4bc12ad3a --- /dev/null +++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/http-route.yaml 
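Review bot: `selector.matchLabels` in deployment.yaml now comes from `sonarqube.selectorLabels` instead of the fixed `app`/`release` pair, and `spec.selector` of an apps/v1 Deployment is immutable. The helper is defined outside this hunk, so its output is not visible here; if it renders anything other than the old pair, an in-place `helm upgrade` from the previous chart version would be rejected by the API server. I would record that next to the selector, e.g. `{{- /* selector is immutable: a change in selectorLabels requires deleting the Deployment before upgrading */}}`, and mention it in the upgrade notes. The pod template, including its security contexts, now lives entirely in `sonarqube.pod`, so that helper is where the container hardening should be reviewed.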
@@ -0,0 +1,35 @@
+{{- if .Values.httproute.enabled -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: {{ template "sonarqube.fullname" . }}-http-route
+ labels:
+ {{- include "sonarqube.labels" . | nindent 4 }}
+ {{- with .Values.httproute.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ parentRefs:
+ - name: {{ .Values.httproute.gateway }}
+ {{- if .Values.httproute.gatewayNamespace }}
+ namespace: {{ .Values.httproute.gatewayNamespace }}
+ {{- end }}
+ hostnames:
+ {{- with .Values.httproute.hostnames }}
+ {{ toYaml . }}
+ {{- end }}
+ rules:
+ {{- if .Values.httproute.rules -}}
+ {{- with .Values.httproute.rules -}}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ {{- else }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: {{ include "sonarqube.webcontext" . }}
+ backendRefs:
+ - name: {{ include "sonarqube.fullname" . }}
+ port: {{ .Values.service.externalPort }}
+ {{- end }}
+{{- end }}
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/ingress.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/ingress.yaml
index 438c346d4..ffa605447 100644
--- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/ingress.yaml
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/ingress.yaml
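Review bot: In the new http-route.yaml, `hostnames` is emitted with a bare `{{ toYaml . }}` while the `rules` branch just below pipes through `nindent 4`; with more than one hostname, every line after the first would start at column 0 and the document would either fail to parse or fall out of `spec` (the template's own indentation is not recoverable from this view, so please confirm against the file). Moving the key inside the `with` and writing `hostnames: {{- toYaml . | nindent 4 }}` would also omit the key when the list is unset instead of leaving `hostnames:` null. `parentRefs[0].name` is taken from `.Values.httproute.gateway` with no check, so enabling the route without naming a gateway renders an invalid parentRef; `name: {{ required "httproute.gateway is required" .Values.httproute.gateway | quote }}` would fail at render time instead.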
@@ -6,22 +6,24 @@ kind: Ingress metadata: name: {{ template "sonarqube.fullname" . }} labels: - app: {{ template "sonarqube.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- if .Values.ingress.labels }} -{{ .Values.ingress.labels | toYaml | trimSuffix "\n"| indent 4 -}} -{{- end}} -{{- if .Values.ingress.annotations}} + {{- include "sonarqube.labels" . | nindent 4 }} + {{- with .Values.ingress.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if or .Values.ingress.annotations (.Values.nginx).enabled (index .Values "ingress-nginx" "enabled") }} annotations: {{- range $key, $value := .Values.ingress.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} -{{- end }} + {{- if and (or (.Values.nginx).enabled (index .Values "ingress-nginx" "enabled")) (not (hasKey (.Values.ingress.annotations) "nginx.ingress.kubernetes.io/proxy-body-size")) }} + nginx.ingress.kubernetes.io/proxy-body-size: "64m" + {{- end -}} + {{- end }} spec: {{- if .Values.ingress.ingressClassName }} ingressClassName: {{ .Values.ingress.ingressClassName }} + {{- else if or (.Values.nginx).enabled (index .Values "ingress-nginx" "enabled") }} + ingressClassName: "nginx" {{- end }} rules: {{- range .Values.ingress.hosts }} @@ -36,8 +38,7 @@ spec: path: {{ .path | default (include "sonarqube.webcontext" $) }} pathType: {{ default "ImplementationSpecific" .pathType }} {{- end }} - {{- if .Values.ingress.tls }} - tls: -{{ toYaml .Values.ingress.tls | indent 4 }} + {{- with .Values.ingress.tls }} + tls: {{- toYaml . | nindent 4 }} {{- end -}} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/init-fs.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/init-fs.yaml index bb5026ff6..2a94f7bc9 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/init-fs.yaml 
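Review bot: The added `hasKey (.Values.ingress.annotations) "nginx.ingress.kubernetes.io/proxy-body-size"` is evaluated whenever either nginx flag is on, and `hasKey` needs a map: if an override sets `ingress.annotations` to null, rendering would fail rather than fall back to the 64m default (the chart's default for that key is not visible here). `hasKey (.Values.ingress.annotations | default dict) "nginx.ingress.kubernetes.io/proxy-body-size"` keeps the check nil-safe. As far as I can tell `(index .Values "ingress-nginx" "enabled")` likewise errors when the `ingress-nginx` key is absent, unlike the parenthesised `(.Values.nginx).enabled` next to it. Since the same `or` appears three times in this hunk, computing it once into a variable near the top of the template would keep the annotation default and the `ingressClassName: "nginx"` fallback from drifting apart.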
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/init-fs.yaml @@ -1,14 +1,21 @@ +{{- if and .Values.persistence.enabled .Values.initFs.enabled (not .Values.OpenShift.enabled) }} apiVersion: v1 kind: ConfigMap metadata: name: {{ template "sonarqube.fullname" . }}-init-fs - labels: - app: {{ template "sonarqube.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} + labels: {{- include "sonarqube.labels" . | nindent 4 }} data: init_fs.sh: |- - {{- if .Values.persistence.enabled }} - chown -R {{ .Values.persistence.uid }}: {{ .Values.sonarqubeFolder }} + chown -R {{ .Values.persistence.uid }}:{{ .Values.persistence.guid }} {{ .Values.sonarqubeFolder }}/data + chown -R {{ .Values.persistence.uid }}:{{ .Values.persistence.guid }} {{ .Values.sonarqubeFolder }}/temp + chown -R {{ .Values.persistence.uid }}:{{ .Values.persistence.guid }} {{ .Values.sonarqubeFolder }}/logs + {{- if or .Values.plugins.install (and .Values.jdbcOverwrite.oracleJdbcDriver .Values.jdbcOverwrite.oracleJdbcDriver.url) }} + chown -R {{ .Values.persistence.uid }}:{{ .Values.persistence.guid }} {{ .Values.sonarqubeFolder }}/extensions {{- end }} + {{- if .Values.caCerts.enabled }} + chown -R {{ .Values.persistence.uid }}:{{ .Values.persistence.guid }} {{ .Values.sonarqubeFolder }}/certs + {{- end }} + {{- range .Values.persistence.mounts }} + chown -R {{ $.Values.persistence.uid }}:{{ $.Values.persistence.guid }} {{ .mountPath }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/init-sysctl.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/init-sysctl.yaml index b400ab42f..3b89df486 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/init-sysctl.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/init-sysctl.yaml 
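Review bot: Every `chown -R` line in the new init_fs.sh interpolates values straight into the shell text (`{{ .Values.sonarqubeFolder }}/data`, `{{ .mountPath }}`), so a path containing a space or a shell metacharacter changes what the script executes; chown normally runs with elevated privileges, which makes this worth closing even though the inputs are chart values. Quoting the path arguments, e.g. `chown -R {{ $.Values.persistence.uid | int }}:{{ $.Values.persistence.guid | int }} {{ .mountPath | squote }}`, would make the rendered script predictable and matches the `| int` coercion init_sysctl.sh gains in this commit. The script also lacks the `set -o errexit` that init_sysctl.sh gains here, so a failed chown on an early directory is masked by a later successful one.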
@@ -1,37 +1,51 @@ +{{- if and .Values.initSysctl.enabled (not .Values.OpenShift.enabled) }} apiVersion: v1 kind: ConfigMap metadata: name: {{ template "sonarqube.fullname" . }}-init-sysctl - labels: - app: {{ template "sonarqube.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} + labels: {{- include "sonarqube.labels" . | nindent 4 }} data: init_sysctl.sh: |- + set -o errexit + set -o xtrace {{- if .Values.initSysctl.vmMaxMapCount }} - if [[ "$(sysctl -n vm.max_map_count)" -lt {{ .Values.initSysctl.vmMaxMapCount }} ]]; then - sysctl -w vm.max_map_count={{ .Values.initSysctl.vmMaxMapCount }} + vmMaxMapCount={{ .Values.initSysctl.vmMaxMapCount | int }} + if [[ "$(sysctl -n vm.max_map_count)" -lt $vmMaxMapCount ]]; then + sysctl -w vm.max_map_count=$vmMaxMapCount + if [[ "$(sysctl -n vm.max_map_count)" -lt $vmMaxMapCount ]]; then + echo "Failed to set initSysctl.vmMaxMapCount"; exit 1 + fi fi {{- end }} {{- if .Values.initSysctl.fsFileMax }} - if [[ "$(sysctl -n fs.file-max)" -lt {{ .Values.initSysctl.fsFileMax }} ]]; then - sysctl -w fs.file-max={{ .Values.initSysctl.fsFileMax }} + fsFileMax={{ .Values.initSysctl.fsFileMax | int }} + if [[ "$(sysctl -n fs.file-max)" -lt $fsFileMax ]]; then + sysctl -w fs.file-max=$fsFileMax + if [[ "$(sysctl -n fs.file-max)" -lt $fsFileMax ]]; then + echo "Failed to set initSysctl.fsFileMax"; exit 1 + fi fi {{- end }} {{- if .Values.initSysctl.nofile }} + nofile={{ .Values.initSysctl.nofile | int }} if [[ "$(ulimit -n)" != "unlimited" ]]; then - if [[ "$(ulimit -n)" -lt {{ .Values.initSysctl.nofile }} ]]; then - echo "ulimit -n {{ .Values.initSysctl.nofile }}" - ulimit -n {{ .Values.initSysctl.nofile }} + if [[ "$(ulimit -n)" -lt $nofile ]]; then + ulimit -n $nofile + if [[ "$(ulimit -n)" -lt $nofile ]]; then + echo "Failed to set initSysctl.nofile"; exit 1 + fi fi fi {{- end }} {{- if .Values.initSysctl.nproc }} + nproc={{ 
.Values.initSysctl.nproc | int }} if [[ "$(ulimit -u)" != "unlimited" ]]; then - if [[ "$(ulimit -u)" -lt {{ .Values.initSysctl.nproc }} ]]; then - echo "ulimit -u {{ .Values.initSysctl.nproc }}" - ulimit -u {{ .Values.initSysctl.nproc }} + if [[ "$(ulimit -u)" -lt $nproc ]]; then + ulimit -u $nproc + if [[ "$(ulimit -u)" -lt $nproc ]]; then + echo "Failed to set initSysctl.nproc"; exit 1 + fi fi fi {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/install-oracle-jdbc-driver.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/install-oracle-jdbc-driver.yaml new file mode 100644 index 000000000..b21113461 --- /dev/null +++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/install-oracle-jdbc-driver.yaml @@ -0,0 +1,12 @@ +{{- if and .Values.jdbcOverwrite.oracleJdbcDriver .Values.jdbcOverwrite.oracleJdbcDriver.url }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "sonarqube.fullname" . }}-install-oracle-jdbc-driver + labels: {{- include "sonarqube.labels" . | nindent 4 }} +data: + install_oracle_jdbc_driver.sh: |- + rm -f {{ .Values.sonarqubeFolder }}/extensions/jdbc-driver/oracle/* + cd {{ .Values.sonarqubeFolder }}/extensions/jdbc-driver/oracle + curl {{- if .Values.caCerts.enabled }} --cacert /tmp/secrets/ca-certs/* {{- end }} {{ if .Values.jdbcOverwrite.oracleJdbcDriver.netrcCreds }}--netrc-file /root/.netrc{{ end }} -fsSLO {{ .Values.jdbcOverwrite.oracleJdbcDriver.url }} +{{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/install-plugins.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/install-plugins.yaml index 073646c9c..99300fb5a 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/install-plugins.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/install-plugins.yaml 
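Review bot: The new `| int` coercion in init_sysctl.sh keeps non-numeric text out of the script, but `int` turns an unparsable value into 0 without complaint, so a typo such as `"262144k"` (constructed example) renders `vmMaxMapCount=0`, the `-lt` test never fires and the init container reports success without raising the limit. Failing the render on a non-positive result would surface that, e.g. `{{- if le (int .Values.initSysctl.vmMaxMapCount) 0 }}{{ fail "initSysctl.vmMaxMapCount must be a positive integer" }}{{ end }}`; the same applies to fsFileMax, nofile and nproc. With `set -o errexit` in place, a failing `sysctl -w` aborts before the new "Failed to set …" message can print, so that message only covers a write that silently has no effect.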
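Review bot: install_oracle_jdbc_driver.sh downloads a driver JAR (presumably loaded by the server from `extensions/jdbc-driver/oracle`) and never verifies it: the `curl … -fsSLO {{ .Values.jdbcOverwrite.oracleJdbcDriver.url }}` line follows redirects, accepts any scheme and has no checksum step. I would add an optional expected-digest value next to `url` (key name to be chosen by the chart), check the file with `sha256sum -c` before the script succeeds, and render the URL as a quoted argument, `{{ .Values.jdbcOverwrite.oracleJdbcDriver.url | squote }}`. The script has no `set -o errexit`, so if the `cd` fails curl writes into whatever directory the container started in. `--cacert /tmp/secrets/ca-certs/*` only works while the glob matches exactly one file, since curl treats any further match as another URL.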
@@ -2,11 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "sonarqube.fullname" . }}-install-plugins - labels: - app: {{ template "sonarqube.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} + labels: {{- include "sonarqube.labels" . | nindent 4 }} data: install_plugins.sh: |- {{- if .Values.plugins.install }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/jdbc-config.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/jdbc-config.yaml index 9c4f350c0..292d54c6b 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/jdbc-config.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/jdbc-config.yaml @@ -2,15 +2,11 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "sonarqube.fullname" . }}-jdbc-config - labels: - app: {{ template "sonarqube.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} + labels: {{- include "sonarqube.labels" . | nindent 4 }} data: SONAR_JDBC_USERNAME: {{ template "jdbc.username" . }} -{{- if .Values.jdbcOverwrite.enable }} + {{- if or .Values.jdbcOverwrite.enabled .Values.jdbcOverwrite.enable }} SONAR_JDBC_URL: {{ .Values.jdbcOverwrite.jdbcUrl | trim | quote }} -{{- else if and .Values.postgresql.service.port .Values.postgresql.postgresqlDatabase }} + {{- else if and .Values.postgresql.service.port .Values.postgresql.postgresqlDatabase }} SONAR_JDBC_URL: "jdbc:postgresql://{{ template "postgresql.hostname" . }}:{{- .Values.postgresql.service.port -}}/{{- .Values.postgresql.postgresqlDatabase -}}" -{{- end }} + {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/networkpolicy.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/networkpolicy.yaml index c9952efa6..b7af66ff2 100644 
--- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/networkpolicy.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/networkpolicy.yaml @@ -4,11 +4,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: {{ template "sonarqube.fullname" . }}-network-policy - labels: - app: {{ template "sonarqube.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} + labels: {{- include "sonarqube.labels" . | nindent 4 }} spec: podSelector: matchLabels: @@ -24,7 +20,7 @@ spec: release: {{ .Release.Name }} ports: - port: {{ .Values.service.internalPort }} -{{ if .Values.prometheusExporter.enabled }} + {{ if .Values.prometheusExporter.enabled }} - from: - namespaceSelector: matchLabels: @@ -34,7 +30,7 @@ spec: protocol: TCP - port: {{ .Values.prometheusExporter.webBeanPort }} protocol: TCP -{{ end }} + {{ end }} egress: - to: - namespaceSelector: @@ -46,7 +42,7 @@ spec: ports: - port: 53 protocol: UDP -{{- if .Values.postgresql.enabled }} + {{- if .Values.postgresql.enabled }} - to: - podSelector: matchLabels: @@ -54,7 +50,7 @@ spec: ports: - port: 5432 protocol: TCP -{{- end }} + {{- end }} - to: - ipBlock: cidr: 0.0.0.0/0 @@ -66,11 +62,7 @@ kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: {{ template "sonarqube.fullname" . }}-database - labels: - app: {{ template "sonarqube.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} + labels: {{- include "sonarqube.labels" . | nindent 4 }} spec: podSelector: matchLabels: 
@@ -96,19 +88,21 @@ spec: protocol: UDP {{- end }} -{{- if and .Values.networkPolicy.enabled .Values.networkPolicy.additionalNetworkPolicys }} +{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.additionalNetworkPolicies .Values.networkPolicy.additionalNetworkPolicys) }} --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: {{ template "sonarqube.fullname" . }}-additional-network-policy - labels: - app: {{ template "sonarqube.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} + labels: {{- include "sonarqube.labels" . | nindent 4 }} spec: +{{- if.Values.networkPolicy.additionalNetworkPolicys -}} {{- with .Values.networkPolicy.additionalNetworkPolicys -}} {{ toYaml . | nindent 2 }} -{{- end }} +{{- end -}} +{{- else -}} +{{- with .Values.networkPolicy.additionalNetworkPolicies -}} +{{ toYaml . | nindent 2 }} +{{- end -}} +{{- end -}} {{- end -}} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/prometheus-ce-config.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/prometheus-ce-config.yaml index 442732383..7092fc86f 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/prometheus-ce-config.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/prometheus-ce-config.yaml 
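Review bot: When both keys are set, the inner `if` renders the deprecated `additionalNetworkPolicys` and silently ignores the new `additionalNetworkPolicies`, which is the opposite of what someone migrating to the corrected spelling would expect. Preferring the new key and dropping the nested if/with would read `{{- with (.Values.networkPolicy.additionalNetworkPolicies | default .Values.networkPolicy.additionalNetworkPolicys) }}` followed by the single `{{ toYaml . | nindent 2 }}`. The added `{{- if.Values.networkPolicy.additionalNetworkPolicys -}}` is also missing the space after `if`. Because this value becomes the entire `spec` of a NetworkPolicy, a template comment stating which key wins would help whoever audits the rendered policy.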
@@ -3,12 +3,8 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "sonarqube.fullname" . }}-prometheus-ce-config - labels: - app: {{ template "sonarqube.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} + labels: {{- include "sonarqube.labels" . | nindent 4 }} data: prometheus-ce-config.yaml: |- -{{ .Values.prometheusExporter.ceConfig | default .Values.prometheusExporter.config | toYaml | indent 8 }} -{{- end }} \ No newline at end of file + {{- default .Values.prometheusExporter.config .Values.prometheusExporter.ceConfig | toYaml | nindent 4 }} +{{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/prometheus-config.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/prometheus-config.yaml index 84481d517..22497d652 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/prometheus-config.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/prometheus-config.yaml @@ -3,12 +3,8 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ template "sonarqube.fullname" . }}-prometheus-config - labels: - app: {{ template "sonarqube.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} + labels: {{- include "sonarqube.labels" . | nindent 4 }} data: prometheus-config.yaml: |- -{{ toYaml .Values.prometheusExporter.config | indent 8 }} -{{- end }} \ No newline at end of file + {{- toYaml .Values.prometheusExporter.config | nindent 4 }} +{{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/prometheus-podmonitor.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/prometheus-podmonitor.yaml index f76c43b47..8954afd23 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/prometheus-podmonitor.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/prometheus-podmonitor.yaml 
@@ -3,9 +3,16 @@ apiVersion: monitoring.coreos.com/v1 kind: PodMonitor metadata: name: {{ template "sonarqube.name" . }} + {{- if .Values.prometheusMonitoring.podMonitor.namespace }} namespace: {{ .Values.prometheusMonitoring.podMonitor.namespace | quote }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} labels: app: {{ template "sonarqube.name" . }} + {{- with .Values.prometheusMonitoring.podMonitor.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: {{- if .Values.prometheusMonitoring.podMonitor.jobLabel }} jobLabel: {{ .Values.prometheusMonitoring.podMonitor.jobLabel | quote }} @@ -18,7 +25,7 @@ spec: app: {{ template "sonarqube.name" . }} podMetricsEndpoints: - port: http - path: /api/monitoring/metrics + path: {{ include "sonarqube.webcontext" . }}api/monitoring/metrics scheme: http {{- if .Values.prometheusMonitoring.podMonitor.interval }} interval: {{ .Values.prometheusMonitoring.podMonitor.interval }} 
@@ -34,4 +41,28 @@ spec: name: {{ template "sonarqube.fullname" . }}-monitoring-passcode key: SONAR_WEB_SYSTEMPASSCODE {{- end }} -{{- end }} \ No newline at end of file + {{- if .Values.prometheusExporter.enabled }} + {{- if .Values.prometheusExporter.ceBeanPort }} + - port: monitoring-ce + path: / + scheme: http + {{- if .Values.prometheusMonitoring.podMonitor.interval }} + interval: {{ .Values.prometheusMonitoring.podMonitor.interval }} + {{- end }} + {{- if .Values.prometheusMonitoring.podMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.prometheusMonitoring.podMonitor.scrapeTimeout }} + {{- end }} + {{- end }} + {{- if .Values.prometheusExporter.webBeanPort }} + - port: monitoring-web + path: / + scheme: http + {{- if .Values.prometheusMonitoring.podMonitor.interval }} + interval: {{ .Values.prometheusMonitoring.podMonitor.interval }} + {{- end }} + {{- if .Values.prometheusMonitoring.podMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.prometheusMonitoring.podMonitor.scrapeTimeout }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/pvc.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/pvc.yaml index 554df9385..eda6f7e07 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/pvc.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/pvc.yaml 
@@ -3,28 +3,24 @@ kind: PersistentVolumeClaim apiVersion: v1 metadata: name: {{ template "sonarqube.fullname" . }} - labels: - app: {{ template "sonarqube.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ .Release.Name }}" - heritage: "{{ .Release.Service }}" -{{ if .Values.persistence.annotations}} + labels: {{- include "sonarqube.labels" . | nindent 4 }} + {{- if .Values.persistence.annotations }} annotations: {{- range $key, $value := .Values.persistence.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} -{{- end }} + {{- end }} spec: accessModes: - {{ .Values.persistence.accessMode | quote }} resources: requests: storage: {{ .Values.persistence.size | quote }} -{{- if .Values.persistence.storageClass }} -{{- if (eq "-" .Values.persistence.storageClass) }} + {{- if .Values.persistence.storageClass }} + {{- if (eq "-" .Values.persistence.storageClass) }} storageClassName: "" -{{- else }} + {{- else }} storageClassName: "{{ .Values.persistence.storageClass }}" -{{- end }} -{{- end }} + {{- end }} + {{- end }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/route.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/route.yaml index 93d506512..c4dcd32ae 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/route.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/route.yaml 
@@ -1,34 +1,32 @@ -{{- if .Values.route.enabled -}} -{{- $serviceName := include "sonarqube.fullname" . -}} +{{- if and .Values.OpenShift.route.enabled .Values.OpenShift.enabled -}} kind: Route apiVersion: route.openshift.io/v1 metadata: name: {{ template "sonarqube.fullname" . }} labels: - app: {{ template "sonarqube.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- if .Values.route.labels }} -{{ .Values.route.labels | toYaml | trimSuffix "\n"| indent 4 -}} -{{- end}} -{{- if .Values.route.annotations}} - annotations: - {{- range $key, $value := .Values.route.annotations }} - {{ $key }}: {{ $value | quote }} + {{- include "sonarqube.labels" . | nindent 4 }} + {{- with .Values.OpenShift.route.labels }} + {{- toYaml . | nindent 4 }} {{- end }} -{{- end }} + {{- with .Values.OpenShift.route.annotations }} + annotations: {{- toYaml . | nindent 4 }} + {{- end }} spec: -{{- if .Values.route.host }} - host: {{ .Values.route.host }} -{{- end }} + {{- with .Values.OpenShift.route.host }} + host: {{ . }} + {{- end }} + {{- with .Values.OpenShift.route.path }} + path: {{ . }} + {{- end }} to: kind: Service - name: {{ default $serviceName .serviceName }} + name: {{ include "sonarqube.fullname" . }} port: targetPort: http - {{- if .Values.route.tls }} - tls: -{{ toYaml .Values.route.tls | indent 4 }} + {{- with .Values.OpenShift.route.tls }} + tls: {{- toYaml . | nindent 4 }} + {{- end -}} + {{- with .Values.OpenShift.route.wildcardPolicy }} + wildcardPolicy: {{ . }} {{- end -}} {{- end -}} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/secret.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/secret.yaml index 9ac2a2d96..7ab0d441d 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/secret.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/secret.yaml 
@@ -1,64 +1,52 @@ +{{ $accountDeprecation := fromYaml (include "accountDeprecation" . ) }} +{{ $_ := set .Values "account" $accountDeprecation }} --- -{{- if not (or .Values.postgresql.enabled .Values.postgresql.existingSecret .Values.jdbcOverwrite.jdbcSecretName)}} +{{- if not (or .Values.postgresql.enabled .Values.postgresql.existingSecret .Values.jdbcOverwrite.jdbcSecretName) }} apiVersion: v1 kind: Secret metadata: name: {{ template "sonarqube.fullname" . }} - labels: - app: {{ template "sonarqube.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} + labels: {{- include "sonarqube.labels" . | nindent 4 }} type: Opaque data: {{ template "jdbc.secretPasswordKey" . }}: {{ template "jdbc.internalSecretPasswd" . }} {{- end }} --- -{{- if .Values.monitoringPasscode}} +{{- if and .Values.monitoringPasscode (not .Values.monitoringPasscodeSecretName) (not .Values.monitoringPasscodeSecretKey) }} apiVersion: v1 kind: Secret metadata: name: {{ template "sonarqube.fullname" . }}-monitoring-passcode - labels: - app: {{ template "sonarqube.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} + labels: {{- include "sonarqube.labels" . | nindent 4 }} type: Opaque data: SONAR_WEB_SYSTEMPASSCODE: {{ .Values.monitoringPasscode | b64enc | quote }} {{- end }} --- -{{- if and .Values.monitoringPasscode .Values.prometheusMonitoring.podMonitor.enabled}} +{{- if .Values.account }} +{{- if or .Values.account.adminPassword .Values.account.newPassword }} apiVersion: v1 kind: Secret metadata: - name: {{ template "sonarqube.fullname" . }}-monitoring-passcode - namespace: {{.Values.prometheusMonitoring.podMonitor.namespace}} - labels: - app: {{ template "sonarqube.name" . 
}} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} + name: {{ template "sonarqube.fullname" . }}-admin-password + labels: {{- include "sonarqube.labels" . | nindent 4 }} type: Opaque -data: - SONAR_WEB_SYSTEMPASSCODE: {{ .Values.monitoringPasscode | b64enc | quote }} +stringData: + password: {{ .Values.account.adminPassword | default .Values.account.newPassword | urlquery | quote }} + currentPassword: {{ .Values.account.currentAdminPassword | default .Values.account.currentPassword | urlquery | quote }} +{{- end }} {{- end }} --- -{{- if .Values.account }} -{{- if .Values.account.adminPassword }} apiVersion: v1 kind: Secret metadata: - name: {{ template "sonarqube.fullname" . }}-admin-password - labels: - app: {{ template "sonarqube.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} + name: {{ template "sonarqube.fullname" . }}-http-proxies + labels: {{- include "sonarqube.labels" . | nindent 4 }} type: Opaque stringData: - password: {{ .Values.account.adminPassword | urlquery | quote }} - currentPassword: {{ default "admin" .Values.account.currentAdminPassword | urlquery | quote }} -{{- end }} -{{- end }} + PLUGINS-HTTP-PROXY: {{ default .Values.httpProxy .Values.plugins.httpProxy | quote }} + PLUGINS-HTTPS-PROXY: {{ default .Values.httpsProxy .Values.plugins.httpsProxy | quote }} + PLUGINS-NO-PROXY: {{ default .Values.noProxy .Values.plugins.noProxy | quote }} + PROMETHEUS-EXPORTER-HTTP-PROXY: {{ default .Values.httpProxy .Values.prometheusExporter.httpProxy | quote }} + PROMETHEUS-EXPORTER-HTTPS-PROXY: {{ default .Values.httpsProxy .Values.prometheusExporter.httpsProxy | quote }} + PROMETHEUS-EXPORTER-NO-PROXY: {{ default .Values.noProxy .Values.prometheusExporter.noProxy | quote }} \ No newline at end of file 
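Review bot: The two actions added at the top of secret.yaml overwrite `.Values.account` with `set .Values "account" $accountDeprecation` and nothing documents that; other templates that read `.Values.account` may then behave differently depending on whether they repeat the same two lines. I would add a template comment such as `{{- /* normalise deprecated account.* keys; this mutates .Values.account */ -}}` and write both actions with `{{-` and `-}}` so they do not emit blank lines ahead of the first `---`. The `password` and `currentPassword` entries are stored `urlquery`-encoded and the former `default "admin"` fallback is gone, so a comment should also say that the `accountDeprecation` helper (not visible in this hunk) is expected to supply the current password; otherwise `currentPassword` renders as an empty string.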
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/service.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/service.yaml index 3824edf5e..a01065b55 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/service.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/service.yaml @@ -3,19 +3,16 @@ kind: Service metadata: name: {{ template "sonarqube.fullname" . }} labels: - app: {{ template "sonarqube.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - {{- range $key, $value := .Values.service.labels }} + {{- include "sonarqube.labels" . | nindent 4 }} + {{- range $key, $value := .Values.service.labels }} {{ $key }}: {{ $value | quote }} - {{- end }} -{{ if .Values.service.annotations}} + {{- end }} + {{- if .Values.service.annotations }} annotations: {{- range $key, $value := .Values.service.annotations }} {{ $key }}: {{ $value | quote }} {{- end }} -{{- end }} + {{- end }} spec: type: {{ .Values.service.type }} ports: @@ -29,14 +26,14 @@ spec: selector: app: {{ template "sonarqube.name" . }} release: {{ .Release.Name }} - {{- if eq .Values.service.type "LoadBalancer"}} + {{- if eq .Values.service.type "LoadBalancer" }} {{- if .Values.service.loadBalancerSourceRanges }} loadBalancerSourceRanges: {{- range .Values.service.loadBalancerSourceRanges }} - {{ . }} {{- end }} {{- end -}} - {{- if .Values.service.loadBalancerIP}} - loadBalancerIP: {{.Values.service.loadBalancerIP}} + {{- if .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} {{- end }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/serviceaccount.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/serviceaccount.yaml index 2e05ebeff..e491e04c9 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/serviceaccount.yaml 
+++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/serviceaccount.yaml @@ -3,14 +3,10 @@ apiVersion: v1 kind: ServiceAccount metadata: -{{- if .Values.serviceAccount.name }} - name: {{ .Values.serviceAccount.name }} -{{- else }} - name: {{ include "sonarqube.fullname" . }} -{{- end }} -{{- if .Values.serviceAccount.annotations }} - annotations: -{{ toYaml .Values.serviceAccount.annotations | indent 4 }} -{{- end }} -automountServiceAccountToken: {{ .Values.serviceAccount.automountToken | default "false" }} + name: {{ include "sonarqube.serviceAccountName" . }} + {{- with .Values.serviceAccount.annotations }} + annotations: {{- toYaml . | nindent 4 }} + {{- end }} + labels: {{- include "sonarqube.labels" . | nindent 4 }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountToken }} {{- end -}} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/sonarqube-sts.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/sonarqube-sts.yaml index 8ad76950b..b5b1733b3 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/sonarqube-sts.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/sonarqube-sts.yaml 
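Review bot: Dropping `| default "false"` from `automountServiceAccountToken` makes the field fail open: if `serviceAccount.automountToken` is missing or null in the effective values, the line renders with no value and Kubernetes applies its own default, which mounts the service account token into the pod. Whether values.yaml always defines the key is not visible in this hunk, so I would keep an explicit fallback, `automountServiceAccountToken: {{ .Values.serviceAccount.automountToken | default false }}`, which renders `false` when unset and `true` only when requested.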
@@ -1,531 +1,14 @@ -{{- if eq .Values.deploymentType "StatefulSet"}} +{{- if eq .Values.deploymentType "StatefulSet" -}} apiVersion: apps/v1 kind: StatefulSet metadata: name: {{ template "sonarqube.fullname" . }} - labels: - app: {{ template "sonarqube.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - app.kubernetes.io/name: {{ template "sonarqube.name" . }}-{{ template "sonarqube.fullname" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/part-of: sonarqube - app.kubernetes.io/component: {{ template "sonarqube.fullname" . }} - app.kubernetes.io/version: {{ tpl .Values.image.tag . | quote }} + labels: {{- include "sonarqube.workloadLabels" . | nindent 4 }} spec: replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} serviceName: {{ template "sonarqube.fullname" . }} selector: - matchLabels: - app: {{ template "sonarqube.name" . }} - release: {{ .Release.Name }} - template: - metadata: - labels: - app: {{ template "sonarqube.name" . }} - release: {{ .Release.Name }} -{{- with .Values.podLabels }} -{{ toYaml . | indent 8 }} -{{- end }} - annotations: - checksum/init-sysctl: {{ include (print $.Template.BasePath "/init-sysctl.yaml") . | sha256sum }} - checksum/init-fs: {{ include (print $.Template.BasePath "/init-fs.yaml") . | sha256sum }} - checksum/plugins: {{ include (print $.Template.BasePath "/install-plugins.yaml") . | sha256sum }} - checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }} - checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} -{{- if .Values.prometheusExporter.enabled }} - checksum/prometheus-config: {{ include (print $.Template.BasePath "/prometheus-config.yaml") . 
| sha256sum }} - checksum/prometheus-ce-config: {{ include (print $.Template.BasePath "/prometheus-ce-config.yaml") . | sha256sum }} -{{- end }} -{{- if .Values.annotations}} - {{- range $key, $value := .Values.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -{{- end }} - spec: - {{- if .Values.schedulerName }} - schedulerName: {{ .Values.schedulerName }} - {{- end }} - securityContext: -{{ toYaml .Values.securityContext | indent 8 }} - {{- if or .Values.image.pullSecrets .Values.image.pullSecret }} - imagePullSecrets: - {{- if .Values.image.pullSecret }} - - name: {{ .Values.image.pullSecret }} - {{- end }} - {{- if .Values.image.pullSecrets}} -{{ toYaml .Values.image.pullSecrets | indent 8 }} - {{- end }} - {{- end }} - initContainers: - {{- if .Values.extraInitContainers }} -{{ toYaml .Values.extraInitContainers | indent 8 }} - {{- end }} - {{- if .Values.postgresql.enabled }} - - name: "wait-for-db" - image: {{ default "docker.m.daocloud.io" .Values.initContainers.registry }}/{{ default "library/busybox" .Values.initContainers.repository }}:{{ default "1.32" .Values.initContainers.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if $securityContext := .Values.initContainers.securityContext }} - securityContext: -{{ toYaml $securityContext | indent 12 }} - {{- end }} - resources: -{{ toYaml .Values.initContainers.resources | indent 12 }} - command: ["/bin/sh", "-c", "for i in $(seq 1 200); do nc -z -w3 {{ .Release.Name}}-postgresql 5432 && exit 0 || sleep 2; done; exit 1"] - {{- end }} - {{- if .Values.caCerts.enabled }} - - name: ca-certs - image: {{ default "docker.m.daocloud.io" .Values.caCerts.registry }}/{{ default "adoptopenjdk/openjdk11" .Values.caCerts.repository }}:{{ default "alpine" .Values.caCerts.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: ["sh"] - args: ["-c", "cp -f \"${JAVA_HOME}/lib/security/cacerts\" /tmp/certs/cacerts; if [ \"$(ls /tmp/secrets/ca-certs)\" ]; then for f in 
/tmp/secrets/ca-certs/*; do keytool -importcert -file \"${f}\" -alias \"$(basename \"${f}\")\" -keystore /tmp/certs/cacerts -storepass changeit -trustcacerts -noprompt; done; fi;"] - {{- if $securityContext := .Values.initContainers.securityContext }} - securityContext: -{{ toYaml $securityContext | indent 12 }} - {{- end }} - resources: -{{ toYaml .Values.initContainers.resources | indent 12 }} - volumeMounts: - - mountPath: /tmp/certs - name: sonarqube - subPath: certs - - mountPath: /tmp/secrets/ca-certs - name: ca-certs - {{- with .Values.env }} - env: - {{- . | toYaml | trim | nindent 12 }} - {{- end }} - {{- end }} - {{- if or .Values.initSysctl.enabled .Values.elasticsearch.configureNode }} - - name: init-sysctl - image: {{ default "docker.m.daocloud.io" .Values.initSysctl.registry }}/{{ default "library/busybox" .Values.initSysctl.repository }}:{{ default "1.32" .Values.initSysctl.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if $securityContext := (default .Values.initContainers.securityContext .Values.initSysctl.securityContext) }} - securityContext: -{{ toYaml $securityContext | indent 12 }} - {{- end }} - resources: -{{ toYaml (default .Values.initContainers.resources .Values.initSysctl.resources) | indent 12 }} - command: ["sh", - "-e", - "/tmp/scripts/init_sysctl.sh"] - volumeMounts: - - name: init-sysctl - mountPath: /tmp/scripts/ - {{- with .Values.env }} - env: - {{- . 
| toYaml | trim | nindent 12 }} - {{- end }} - {{- end }} - - {{- if or .Values.sonarProperties .Values.sonarSecretProperties .Values.sonarSecretKey (not .Values.elasticsearch.bootstrapChecks) }} - - name: concat-properties - image: {{ default "docker.m.daocloud.io" .Values.initContainers.registry }}/{{ default "library/busybox" .Values.initContainers.repository }}:{{ default "1.32" .Values.initContainers.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - sh - - -c - - | - #!/bin/sh - if [ -f /tmp/props/sonar.properties ]; then - cat /tmp/props/sonar.properties > /tmp/result/sonar.properties - fi - if [ -f /tmp/props/secret.properties ]; then - cat /tmp/props/secret.properties > /tmp/result/sonar.properties - fi - if [ -f /tmp/props/sonar.properties -a -f /tmp/props/secret.properties ]; then - awk 1 /tmp/props/sonar.properties /tmp/props/secret.properties > /tmp/result/sonar.properties - fi - volumeMounts: - {{- if or .Values.sonarProperties .Values.sonarSecretKey (not .Values.elasticsearch.bootstrapChecks) }} - - mountPath: /tmp/props/sonar.properties - name: config - subPath: sonar.properties - {{- end }} - {{- if .Values.sonarSecretProperties }} - - mountPath: /tmp/props/secret.properties - name: secret-config - subPath: secret.properties - {{- end }} - - mountPath: /tmp/result - name: concat-dir - {{- if $securityContext := .Values.initContainers.securityContext }} - securityContext: -{{ toYaml $securityContext | indent 12 }} - {{- end }} - resources: -{{ toYaml .Values.initContainers.resources | indent 12 }} - {{- with .Values.env }} - env: - {{- . 
| toYaml | trim | nindent 12 }} - {{- end }} - {{- end }} - - {{- if .Values.prometheusExporter.enabled }} - - name: inject-prometheus-exporter - image: {{ default "docker.m.daocloud.io" .Values.prometheusExporter.registry }}/{{ default "curlimages/curl" .Values.prometheusExporter.repository }}:{{ default "8.2.0" .Values.prometheusExporter.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if $securityContext := (default .Values.initContainers.securityContext .Values.prometheusExporter.securityContext) }} - securityContext: -{{ toYaml $securityContext | indent 12 }} - {{- end }} - resources: -{{ toYaml (default .Values.initContainers.resources .Values.prometheusExporter.resources) | indent 12 }} - command: ["/bin/sh","-c"] - args: ["curl -s '{{ template "prometheusExporter.downloadURL" . }}' {{ if $.Values.prometheusExporter.noCheckCertificate }}--insecure{{ end }} --output /data/jmx_prometheus_javaagent.jar -v"] - volumeMounts: - - mountPath: /data - name: sonarqube - subPath: data - env: - - name: http_proxy - value: {{ default "" .Values.prometheusExporter.httpProxy }} - - name: https_proxy - value: {{ default "" .Values.prometheusExporter.httpsProxy }} - - name: no_proxy - value: {{ default "" .Values.prometheusExporter.noProxy }} - {{- with .Values.env }} - {{- . 
| toYaml | trim | nindent 12 }} - {{- end }} - {{- end }} - {{- if and .Values.persistence.enabled .Values.initFs.enabled }} - - name: init-fs - image: {{ default "docker.m.daocloud.io" .Values.initFs.registry }}/{{ default "library/busybox" .Values.initFs.repository }}:{{ default "1.32" .Values.initFs.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if $securityContext := (default .Values.initContainers.securityContext .Values.initFs.securityContext) }} - securityContext: -{{ toYaml $securityContext | indent 12 }} - {{- end }} - resources: -{{ toYaml (default .Values.initContainers.resources .Values.initFs.resources) | indent 12 }} - command: ["sh", - "-e", - "/tmp/scripts/init_fs.sh"] - volumeMounts: - - name: init-fs - mountPath: /tmp/scripts/ -{{- if .Values.persistence.mounts }} -{{ toYaml .Values.persistence.mounts | indent 12 }} -{{- end }} - {{- if .Values.caCerts.enabled }} - - mountPath: {{ .Values.sonarqubeFolder }}/certs - name: sonarqube - subPath: certs - {{- end }} - - mountPath: {{ .Values.sonarqubeFolder }}/data - name: sonarqube - subPath: data - {{- if .Values.persistence.enabled }} - - mountPath: {{ .Values.sonarqubeFolder }}/extensions - name: sonarqube - subPath: extensions - {{- else if .Values.plugins.install }} - - mountPath: {{ .Values.sonarqubeFolder }}/extensions/plugins - name: sonarqube - subPath: extensions/plugins - {{- end }} - - mountPath: {{ .Values.sonarqubeFolder }}/temp - name: sonarqube - subPath: temp - - mountPath: {{ .Values.sonarqubeFolder }}/logs - name: sonarqube - subPath: logs - - mountPath: /tmp - name: tmp-dir - {{- end }} - {{- if .Values.plugins.install }} - - name: install-plugins - image: {{ default "docker.m.daocloud.io" .Values.plugins.registry }}/{{ default "curlimages/curl" .Values.plugins.repository }}:{{ default "8.2.0" .Values.plugins.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: ["sh", - "-e", - "/tmp/scripts/install_plugins.sh"] - volumeMounts: - - mountPath: {{ 
.Values.sonarqubeFolder }}/extensions/plugins - name: sonarqube - subPath: extensions/plugins - - name: install-plugins - mountPath: /tmp/scripts/ - {{- if .Values.plugins.netrcCreds }} - - name: plugins-netrc-file - mountPath: /root - {{- end }} - {{- if $securityContext := (default .Values.initContainers.securityContext .Values.plugins.securityContext) }} - securityContext: -{{ toYaml $securityContext | indent 12 }} - {{- end }} - resources: -{{ toYaml (default .Values.initContainers.resources .Values.plugins.resource) | indent 12 }} - env: - - name: http_proxy - value: {{ default "" .Values.plugins.httpProxy }} - - name: https_proxy - value: {{ default "" .Values.plugins.httpsProxy }} - - name: no_proxy - value: {{ default "" .Values.plugins.noProxy }} - {{- with .Values.env }} - {{- . | toYaml | trim | nindent 12 }} - {{- end }} - {{- end }} - containers: - {{- if .Values.extraContainers }} - {{- toYaml .Values.extraContainers | nindent 8 }} - {{- end }} - - name: {{ .Chart.Name }} - image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ tpl .Values.image.tag . }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - - name: http - containerPort: {{ .Values.service.internalPort }} - protocol: TCP - {{- if .Values.prometheusExporter.enabled }} - - name: monitoring-web - containerPort: {{ .Values.prometheusExporter.webBeanPort }} - protocol: TCP - - name: monitoring-ce - containerPort: {{ .Values.prometheusExporter.ceBeanPort }} - protocol: TCP - {{- end }} - resources: -{{ toYaml (default .Values.resources .Values.resource) | indent 12 }} - env: - {{- with .Values.env }} - {{- . | toYaml | trim | nindent 12 }} - {{- end }} - - name: SONAR_HELM_CHART_VERSION - value: {{ .Chart.Version | replace "+" "_" }} - - name: SONAR_WEB_JAVAOPTS - value: {{ template "sonarqube.jvmOpts" . }} - - name: SONAR_WEB_CONTEXT - value: {{ include "sonarqube.webcontext" . }} - - name: SONAR_CE_JAVAOPTS - value: {{ template "sonarqube.jvmCEOpts" . 
}} - - name: SONAR_JDBC_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "jdbc.secret" . }} - key: {{ template "jdbc.secretPasswordKey" . }} - - name: SONAR_WEB_SYSTEMPASSCODE - valueFrom: - secretKeyRef: - {{- if and .Values.monitoringPasscodeSecretName .Values.monitoringPasscodeSecretKey }} - name: {{ .Values.monitoringPasscodeSecretName }} - key: {{ .Values.monitoringPasscodeSecretKey }} - {{- else }} - name: {{ template "sonarqube.fullname" . }}-monitoring-passcode - key: SONAR_WEB_SYSTEMPASSCODE - {{- end }} - envFrom: - - configMapRef: - name: {{ template "sonarqube.fullname" . }}-jdbc-config -{{- range .Values.extraConfig.secrets }} - - secretRef: - name: {{ . }} -{{- end }} -{{- range .Values.extraConfig.configmaps }} - - configMapRef: - name: {{ . }} -{{- end }} - livenessProbe: - exec: - command: - - sh - - -c - - | - host="$(hostname -i || echo '127.0.0.1')" - wget --no-proxy --quiet -O /dev/null --timeout={{ .Values.livenessProbe.timeoutSeconds }} --header="X-Sonar-Passcode: $SONAR_WEB_SYSTEMPASSCODE" "http://${host}:{{ .Values.service.internalPort }}{{ .Values.livenessProbe.sonarWebContext | default (include "sonarqube.webcontext" .) }}api/system/liveness" - initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.livenessProbe.periodSeconds }} - failureThreshold: {{ .Values.livenessProbe.failureThreshold }} - timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} - readinessProbe: - exec: - command: - - sh - - -c - - | - #!/bin/bash - # A Sonarqube container is considered ready if the status is UP, DB_MIGRATION_NEEDED or DB_MIGRATION_RUNNING - # status about migration are added to prevent the node to be kill while sonarqube is upgrading the database. - host="$(hostname -i || echo '127.0.0.1')" - if wget --no-proxy -qO- http://${host}:{{ .Values.service.internalPort }}{{ .Values.readinessProbe.sonarWebContext | default (include "sonarqube.webcontext" .) 
}}api/system/status | grep -q -e '"status":"UP"' -e '"status":"DB_MIGRATION_NEEDED"' -e '"status":"DB_MIGRATION_RUNNING"'; then - exit 0 - fi - exit 1 - initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.readinessProbe.periodSeconds }} - failureThreshold: {{ .Values.readinessProbe.failureThreshold }} - timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} - startupProbe: - httpGet: - scheme: HTTP - path: {{ .Values.startupProbe.sonarWebContext | default (include "sonarqube.webcontext" .) }}api/system/status - port: http - initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.startupProbe.periodSeconds }} - failureThreshold: {{ .Values.startupProbe.failureThreshold }} - timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }} - {{- if .Values.containerSecurityContext }} - securityContext: -{{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- end }} - volumeMounts: -{{- if .Values.persistence.mounts }} -{{ toYaml .Values.persistence.mounts | indent 12 }} -{{- end }} -{{- if .Values.extraVolumeMounts }} -{{- .Values.extraVolumeMounts | toYaml | nindent 12 }} -{{- end }} - {{- if or .Values.sonarProperties .Values.sonarSecretProperties .Values.sonarSecretKey (not .Values.elasticsearch.bootstrapChecks) }} - - mountPath: {{ .Values.sonarqubeFolder }}/conf/ - name: concat-dir - {{- end }} - {{- if .Values.sonarSecretKey }} - - mountPath: {{ .Values.sonarqubeFolder }}/secret/ - name: secret - {{- end }} - {{- if .Values.caCerts.enabled }} - - mountPath: {{ .Values.sonarqubeFolder }}/certs - name: sonarqube - subPath: certs - {{- end }} - - mountPath: {{ .Values.sonarqubeFolder }}/data - name: sonarqube - subPath: data - {{- if .Values.persistence.enabled }} - - mountPath: {{ .Values.sonarqubeFolder }}/extensions - name: sonarqube - subPath: extensions - {{- else if .Values.plugins.install }} - - mountPath: {{ .Values.sonarqubeFolder }}/extensions/plugins - name: 
sonarqube - subPath: extensions/plugins - {{- end }} - - mountPath: {{ .Values.sonarqubeFolder }}/temp - name: sonarqube - subPath: temp - - mountPath: {{ .Values.sonarqubeFolder }}/logs - name: sonarqube - subPath: logs - - mountPath: /tmp - name: tmp-dir - {{- if .Values.prometheusExporter.enabled }} - - mountPath: {{ .Values.sonarqubeFolder }}/conf/prometheus-config.yaml - subPath: prometheus-config.yaml - name: prometheus-config - - mountPath: {{ .Values.sonarqubeFolder }}/conf/prometheus-ce-config.yaml - subPath: prometheus-ce-config.yaml - name: prometheus-ce-config - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} - {{- end }} - {{- if .Values.hostAliases }} - hostAliases: -{{ toYaml .Values.hostAliases | indent 8 }} - {{- end }} - {{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 8 }} - {{- end }} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} - {{- end }} - serviceAccountName: {{ template "sonarqube.serviceAccountName" . }} - volumes: -{{- if .Values.persistence.volumes }} -{{ tpl (toYaml .Values.persistence.volumes | indent 6) . }} -{{- end }} -{{- if .Values.extraVolumes }} -{{- .Values.extraVolumes | toYaml | nindent 6 }} -{{- end }} - {{- if or .Values.sonarProperties .Values.sonarSecretKey ( not .Values.elasticsearch.bootstrapChecks) }} - - name: config - configMap: - name: {{ template "sonarqube.fullname" . 
}}-config - items: - - key: sonar.properties - path: sonar.properties - {{- end }} - {{- if .Values.sonarSecretProperties }} - - name: secret-config - secret: - secretName: {{ .Values.sonarSecretProperties }} - items: - - key: secret.properties - path: secret.properties - {{- end }} - {{- if .Values.sonarSecretKey }} - - name: secret - secret: - secretName: {{ .Values.sonarSecretKey }} - items: - - key: sonar-secret.txt - path: sonar-secret.txt - {{- end }} - {{- if .Values.caCerts.enabled }} - - name: ca-certs - secret: - secretName: {{ .Values.caCerts.secret }} - {{- end }} - {{- if .Values.plugins.netrcCreds }} - - name: plugins-netrc-file - secret: - secretName: {{ .Values.plugins.netrcCreds }} - items: - - key: netrc - path: .netrc - {{- end }} - - name: init-sysctl - configMap: - name: {{ template "sonarqube.fullname" . }}-init-sysctl - items: - - key: init_sysctl.sh - path: init_sysctl.sh - - name: init-fs - configMap: - name: {{ template "sonarqube.fullname" . }}-init-fs - items: - - key: init_fs.sh - path: init_fs.sh - - name: install-plugins - configMap: - name: {{ template "sonarqube.fullname" . }}-install-plugins - items: - - key: install_plugins.sh - path: install_plugins.sh - {{- if .Values.prometheusExporter.enabled }} - - name: prometheus-config - configMap: - name: {{ template "sonarqube.fullname" . }}-prometheus-config - items: - - key: prometheus-config.yaml - path: prometheus-config.yaml - - name: prometheus-ce-config - configMap: - name: {{ template "sonarqube.fullname" . }}-prometheus-ce-config - items: - - key: prometheus-ce-config.yaml - path: prometheus-ce-config.yaml - {{- end }} - - name: sonarqube - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ template "sonarqube.fullname" . 
}}{{- end }} - {{- else }} - emptyDir: {{- toYaml .Values.emptyDir | nindent 10 }} - {{- end }} - - name : tmp-dir - emptyDir: {{- toYaml .Values.emptyDir | nindent 10 }} - {{- if or .Values.sonarProperties .Values.sonarSecretProperties .Values.sonarSecretKey ( not .Values.elasticsearch.bootstrapChecks) }} - - name : concat-dir - emptyDir: {{- toYaml .Values.emptyDir | nindent 10 -}} - {{- end }} + matchLabels: {{- include "sonarqube.selectorLabels" . | nindent 6 }} + template: {{- include "sonarqube.pod" . | nindent 4 }} {{- end }} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/templates/tests/sonarqube-test.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/templates/tests/sonarqube-test.yaml index 63f68bd17..a47ff4808 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/templates/tests/sonarqube-test.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/templates/tests/sonarqube-test.yaml 
@@ -5,24 +5,21 @@ metadata: name: "{{ .Release.Name }}-ui-test" annotations: "helm.sh/hook": test-success - labels: - app: {{ template "sonarqube.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} + labels: {{- include "sonarqube.labels" . | nindent 4 }} spec: + automountServiceAccountToken: false {{- if or .Values.image.pullSecrets .Values.image.pullSecret }} imagePullSecrets: {{- if .Values.image.pullSecret }} - name: {{ .Values.image.pullSecret }} - {{- end}} - {{- if .Values.image.pullSecrets}} -{{ toYaml .Values.image.pullSecrets | indent 4 }} - {{- end}} + {{- end }} + {{- with .Values.image.pullSecrets }} + {{- toYaml . | nindent 4 }} + {{- end }} {{- end }} containers: - name: {{ .Release.Name }}-ui-test - image: {{ default "docker.m.daocloud.io" .Values.image.registry }}/{{ default "library/sonarqube" .Values.image.repository }}:{{ default "10.2.0-community" .Values.image.tag }} + image: {{ .Values.tests.image | default (include "sonarqube.image" .) | quote }} imagePullPolicy: {{ .Values.image.pullPolicy }} command: ['wget'] args: [ @@ -34,7 +31,8 @@ spec: '-qO-', '{{ template "sonarqube.fullname" . }}:{{ .Values.service.internalPort }}/api/system/status' ] - resources: -{{ toYaml .Values.tests.resources | indent 8 }} + {{- with .Values.tests.resources }} + resources: {{- toYaml . | nindent 8 }} + {{- end }} restartPolicy: Never {{- end -}} diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/values.schema.json b/charts/sonarqube/sonarqube/charts/sonarqube/values.schema.json index cedf4eb92..9af8e8afb 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/values.schema.json +++ b/charts/sonarqube/sonarqube/charts/sonarqube/values.schema.json 
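Review bot: The `{{ .Release.Name }}-ui-test` container gets no `securityContext` in the lines shown here, although this commit makes a restricted context the default for the main and init containers in values.yaml. In a namespace that enforces the restricted Pod Security Standard, `helm test` would likely be rejected at admission, and elsewhere the test pod runs with whatever the image defaults to. Since the test image now falls back to `sonarqube.image`, reusing the main container's context looks safe: `securityContext: {{- toYaml .Values.containerSecurityContext | nindent 8 }}` next to `imagePullPolicy`. The container definition spans both hunks of this file and the `args` lines between them are not shown, so confirm against the full template.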
@@ -4,6 +4,98 @@ "replicaCount" ], "properties": { + "edition": { + "type": "string", + "enum": ["community", "developer", "enterprise"], + "properties": { + "community": { + "type": "string", + "deprecated": true, + "$comment": "(DEPRECATED) Please use `community.enabled` instead" + } + } + }, + "persistence": { + "type": "object", + "properties": { + "volumes": { + "type": "array", + "deprecated": true, + "$comment": "(DEPRECATED) Please use `extraVolumes` instead" + }, + "mounts": { + "type": "array", + "deprecated": true, + "$comment": "(DEPRECATED) Please use `extraVolumeMounts` instead" + } + } + }, + "networkPolicy": { + "type": "object", + "properties": { + "additionalNetworkPolicys": { + "type": "object", + "deprecated": true, + "$comment": "(DEPRECATED) Please use `networkPolicy.additionalNetworkPolicies` instead" + } + } + }, + "OpenShift": + { + "type": "object", + "properties": { + "createSCC": { + "type": "boolean", + "deprecated": true, + "$comment": "(DEPRECATED) custom SCC are no longer required, the chart is compatible with default restricted SCCv2" + } + } + }, + "jdbcOverwrite": { + "type": "object", + "properties": { + "enable": { + "type": "boolean", + "deprecated": true, + "$comment": "(DEPRECATED) Please use `jdbcOverwrite.enabled` instead" + }, + "jdbcPassword": { + "type": "string", + "deprecated": true, + "$comment": "(DEPRECATED) Please use `jdbcOverwrite.jdbcSecretName` along with `jdbcOverwrite.jdbcSecretPasswordKey` instead" + } + } + }, + "prometheusMonitoring": { + "type": "object", + "properties": { + "podMonitor": { + "type": "object", + "properties": { + "namespace": { + "type": "string", + "deprecated": true, + "$comment": "(DEPRECATED) This value should not be set, as the PodMonitor's namespace has to match the Release Namespace" + } + } + } + } + }, + "nginx": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "deprecated": true, + "$comment": "(DEPRECATED) Please use `ingress-nginx.enabled` instead" 
+ } + } + }, + "postgresql": { + "type": "object", + "deprecated": true, + "$comment": "(DEPRECATED) Please use an external database instead of the embedded one. Please visit https://artifacthub.io/packages/helm/sonarqube/sonarqube#production-use-case for more information" + }, "replicaCount": { "type": "integer", "enum": [0, 1] 
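Review bot: The `properties` block nested under `edition` has no effect, because `edition` is declared `"type": "string"` and `properties` only constrains objects; the deprecation marker for the `community` value is never attached to anything a validator or editor evaluates. One option is a `$comment` on `edition` itself stating that the `community` value is deprecated in favour of `community.enabled`. Separately, the values.yaml comment in this commit announces an empty `edition` as the future default, which this `enum` would reject; if an empty value is meant to validate, `"enum": ["", "community", "developer", "enterprise"]` covers it.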
@@ -50,13 +142,68 @@ }, "account": { "type": "object", + "deprecated": true, + "$comment": "(DEPRECATED) Please use `setAdminPassword` instead", "properties": { + "adminPassword": { + "type": "string", + "deprecated": true, + "$comment": "(DEPRECATED) please use `setAdminPassword.newPassword` at the value top level" + }, + "currentAdminPassword": { + "type": "string", + "deprecated": true, + "$comment": "(DEPRECATED) please use `setAdminPassword.currentPassword` at the value top level" + }, + "adminPasswordSecretName": { + "type": "string", + "deprecated": true, + "$comment": "(DEPRECATED) please use `setAdminPassword.passwordSecretName` at the value top level" + }, "sonarWebContext": { "type": "string", "deprecated": true, "$comment": "(DEPRECATED) please use sonarWebContext at the value top level" } } + }, + "deploymentType": { + "type": "string", + "deprecated": true, + "$comment": "(DEPRECATED) this option will be removed in the next major release" + }, + "curlContainerImage": + { + "type": "string", + "deprecated": true, + "$comment": "(DEPRECATED) please use `setAdminPassword.image` at the value top level" + }, + "adminJobAnnotations": + { + "type": "object", + "deprecated": true, + "$comment": "(DEPRECATED) please use `setAdminPassword.annotations` at the value top level" + }, + "sonarqubeFolder": + { + "type": "string", + "deprecated": true, + "$comment": "(DEPRECATED) This value will is no longer required and will be dropped in future releases" + }, + "terminationGracePeriodSeconds": { + "type": "integer", + "deprecated": true, + "$comment": "(DEPRECATED) This value is not used in the templates" + }, + "deploymentStrategy": { + "type": "object", + "properties": { + "type": { + "type": "string", + "deprecated": true, + "$comment": "(DEPRECATED) This will be removed in future releases and set to `Recreate`" + } + } } } - } \ No newline at end of file + } 
diff --git a/charts/sonarqube/sonarqube/charts/sonarqube/values.yaml b/charts/sonarqube/sonarqube/charts/sonarqube/values.yaml index c9d26e320..c75520f20 100644 --- a/charts/sonarqube/sonarqube/charts/sonarqube/values.yaml +++ b/charts/sonarqube/sonarqube/charts/sonarqube/values.yaml @@ -1,15 +1,20 @@ -# Default values for sonarqube. +# Default values for SonarQube. # This is a YAML-formatted file. # Declare variables to be passed into your templates. -# If the deployment Type is set to Deployment sonarqube is deployed as a replica set. +# (DEPRECATED) If the deployment Type is set to Deployment SonarQube is deployed as a replica set. +# This will be removed in a future release. deploymentType: "StatefulSet" -# There should not be more than 1 sonarqube instance connected to the same database. Please set this value to 1 or 0 (in case you need to scale down programmatically). +# There should not be more than 1 SonarQube instance connected to the same database. Please set this value to 1 or 0 (in case you need to scale down programmatically). replicaCount: 1 -# This will use the default deployment strategy unless it is overriden -deploymentStrategy: {} +# How many revisions to retain (Deployment ReplicaSets or StatefulSets) +revisionHistoryLimit: 10 + +# (DEPRECATED) This will use the default deployment strategy unless it is overridden +deploymentStrategy: + type: Recreate # Uncomment this to scheduler pods on priority # priorityClassName: "high-priority" 
@@ -18,34 +23,72 @@ deploymentStrategy: {} ## # schedulerName: -## Is this deployment for OpenShift? If so, we help with SCCs +## OpenShift specific configuration OpenShift: enabled: false - createSCC: true - + # (Deprecated) this parameter should not be needed anymore, we support Openshift SCCv2 by default when Openshift.enabled=true + createSCC: false + route: + enabled: false + host: "sonarqube.your-org.com" + path: "/" + # Add tls section to secure traffic. + tls: + termination: edge + # certificate: + # key: + # caCertificate: + # insecureEdgeTerminationPolicy: Redirect + wildcardPolicy: None + annotations: {} + # See Openshift/OKD route annotation + # https://docs.openshift.com/container-platform/4.10/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration + # haproxy.router.openshift.io/timeout: 1m + # Additional labels for Route manifest file + # labels: + # external: 'true' + +# (DEPRECATED) The "community" value as the default of "edition" is deprecated and will be removed in the next release (in favor of an empty value). Please set "community" to "true", if you want to use SonarQube Community Build. edition: "community" +# Set the chart to use the latest released SonarQube Community Build +community: + enabled: true + buildNumber: "24.12.0.100206" + image: repository: sonarqube - tag: 10.2.0-{{ .Values.edition }} + # (DEPRECATED) The "image.tag" parameter will be set to be empty as default. + tag: 10.8.0-{{ .Values.edition }} pullPolicy: IfNotPresent # If using a private repository, the imagePullSecrets to use # pullSecrets: # - name: my-repo-secret -# Set security context for sonarqube pod +# Set security context for sonarqube pod. +# The current section contains the default values set in a generic Kubernetes cluster. If you are using OpenShift, you should not set any specific fsGroup. 
securityContext: - fsGroup: 1000 + fsGroup: 0 -# Set security context for sonarqube container +# Set security context for sonarqube container. +# The current section contains the default values set in a generic Kubernetes cluster. If you are using OpenShift, you should not set any specific UID or GID to be used for the execution. containerSecurityContext: - # Sonarqube dockerfile creates sonarqube user as UID and GID 1000 +# Sonarqube dockerfile creates sonarqube user as UID and GID 0 +# Those default are used to match pod security standard restricted as least privileged approach + allowPrivilegeEscalation: false + runAsNonRoot: true runAsUser: 1000 + runAsGroup: 0 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: ["ALL"] +# readOnlyRootFilesystem: true # Settings to configure elasticsearch host requirements elasticsearch: - # DEPRECATED: Use initSysctl.enabled instead - configureNode: true + # (DEPRECATED) Use initSysctl.enabled instead + configureNode: false bootstrapChecks: true service: @@ -60,6 +103,14 @@ service: # - 0.0.0.0/0 # loadBalancerIP: 1.2.3.4 +# Those proxy settings will be propagated to the install-plugin and prometheus-exporter init containers +# if httpProxySecret is set the other one will be ignored +# the secret should contain exactly the keys http_proxy, https_proxy and no_proxy +httpProxySecret: "" +httpProxy: "" +httpsProxy: "" +noProxy: "" + # Optionally create Network Policies networkPolicy: enabled: false 
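Review bot: The comment added above `allowPrivilegeEscalation` says the image creates the sonarqube user "as UID and GID 0", which contradicts `runAsUser: 1000` and `runAsNonRoot: true` set directly below it and could be read as permission to run the container as root. Going by the values themselves the intent appears to be UID 1000 in group 0, so the comment would read better as `# The SonarQube image runs as UID 1000 with primary group 0; runAsGroup and fsGroup follow that`. In the same block `readOnlyRootFilesystem: true` stays commented out for the main container while the init-container defaults later in this file enable it; if that is deliberate, a one-line comment saying why the main container needs a writable root filesystem would help whoever hardens this further.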
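Review bot: The comment on the new proxy keys does not say which form to use when the proxy URL carries credentials. Anything placed in `httpProxy` or `httpsProxy` is kept in clear text in the Helm release, and judging by the `http_proxy`/`https_proxy` env entries in the StatefulSet template removed by this commit, it is probably rendered as plain `value:` fields in the pod spec as well. I would add `# Use httpProxySecret when the proxy URL contains credentials; httpProxy/httpsProxy are stored in clear text` above `httpProxySecret`.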
@@ -69,17 +120,45 @@ networkPolicy: # If you are using a external database and enable network Policies to be created # you will need to explicitly allow egress traffic to your database - # expects https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#networkpolicyspec-v1-networking-k8s-io + # (DEPRECATED) please use additionalNetworkPolicies instead # additionalNetworkPolicys: + # expects https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#networkpolicyspec-v1-networking-k8s-io + # additionalNetworkPolicies: # will be used as default for ingress path and probes path, will be injected in .Values.env as SONAR_WEB_CONTEXT # if .Values.env.SONAR_WEB_CONTEXT is set, this value will be ignored sonarWebContext: "" -# also install the nginx ingress helm chart -nginx: +# (DEPRECATED) please use ingress-nginx instead +# nginx: +# enabled: false + +# Install the nginx ingress helm chart +ingress-nginx: enabled: false + # You can add here any values from the official nginx ingress chart + # controller: + # replicaCount: 3 + +httproute: + enabled: false + # gateway: my-gateway + # gatewayNamespace: my-gateway-namespace # optional + # labels: + # somelabel: somevalue + # hostnames: + # - sonarqube.your-org.com + # The rules are optional, by default we will create one with the SonarWebContext prefix and the SonarQube service values + # rules: + # - matches: + # - path: + # type: PathPrefix + # value: /bar + # backendRefs: + # - name: my-service1 + # port: 8080 + ingress: enabled: false # Used to create an Ingress record. 
@@ -92,10 +171,8 @@ ingress: # servicePort: somePort # the pathType can be one of the following values: Exact|Prefix|ImplementationSpecific(default) # pathType: ImplementationSpecific - annotations: + annotations: {} # kubernetes.io/tls-acme: "true" - # This property allows for reports up to a certain size to be uploaded to SonarQube - nginx.ingress.kubernetes.io/proxy-body-size: "64m" # Set the ingressClassName on the ingress record # ingressClassName: nginx @@ -110,23 +187,6 @@ ingress: # hosts: # - chart-example.local -route: - enabled: false - host: "" - # Add tls section to secure traffic. TODO: extend this section with other secure route settings - # Comment this out if you want plain http route created. - tls: - termination: edge - - annotations: {} - # See Openshift/OKD route annotation - # https://docs.openshift.com/container-platform/4.10/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration - # haproxy.router.openshift.io/timeout: 1m - - # Additional labels for Route manifest file - # labels: - # external: 'true' - # Affinity for pod assignment # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity affinity: {} @@ -157,6 +217,18 @@ hostAliases: [] # - "www.example.com" readinessProbe: + exec: + command: + - sh + - -c + - | + #!/bin/bash + # A Sonarqube container is considered ready if the status is UP, DB_MIGRATION_NEEDED or DB_MIGRATION_RUNNING + # status about migration are added to prevent the node to be kill while SonarQube is upgrading the database. + if wget --no-proxy -qO- http://localhost:{{ .Values.service.internalPort }}{{ .Values.readinessProbe.sonarWebContext | default (include "sonarqube.webcontext" .) }}api/system/status | grep -q -e '"status":"UP"' -e '"status":"DB_MIGRATION_NEEDED"' -e '"status":"DB_MIGRATION_RUNNING"'; then + exit 0 + fi + exit 1 initialDelaySeconds: 60 periodSeconds: 30 failureThreshold: 6 
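Review bot: The readiness script added in the `@@ -157,6 +217,18 @@` hunk is started with `sh -c`, so its first line `#!/bin/bash` is only a comment and the body has to stay POSIX-sh compatible; drop that line or state the constraint in a comment. Its `wget` call also carries no `--timeout`, unlike the liveness command added later in this diff, so a stalled web process is bounded only by whatever probe timeout is configured outside the hunk. Because `DB_MIGRATION_NEEDED` is accepted as ready, it is worth a comment that the pod receives traffic in that state. The parent values.yaml repeats the probe in `@@ -142,6 +207,18 @@`.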
@@ -168,6 +240,12 @@ readinessProbe: # sonarWebContext: / livenessProbe: + exec: + command: + - sh + - -c + - | + wget --no-proxy --quiet -O /dev/null --timeout={{ .Values.livenessProbe.timeoutSeconds }} --header="X-Sonar-Passcode: $SONAR_WEB_SYSTEMPASSCODE" "http://localhost:{{ .Values.service.internalPort }}{{ .Values.livenessProbe.sonarWebContext | default (include "sonarqube.webcontext" .) }}api/system/liveness" initialDelaySeconds: 60 periodSeconds: 30 failureThreshold: 6 @@ -190,10 +268,23 @@ startupProbe: # sonarWebContext: / initContainers: - # image: busybox:1.32 + # all initContainers use SonarQube image by default, but you can override it by setting the image field (ex image: ubuntu:24.04) + # image: + # Set the security context for the init containers + # The current section contains the default values set in a generic Kubernetes cluster. If you are using OpenShift, you should not set any specific UID or GID to be used for the execution. # We allow the init containers to have a separate security context declaration because # the initContainer may not require the same as SonarQube. - # securityContext: {} + # Those default are used to match pod security standard restricted as least privileged approach + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: ["ALL"] + readOnlyRootFilesystem: true # We allow the init containers to have a separate resources declaration because # the initContainer does not take as much resources. resources: {} @@ -201,7 +292,7 @@ initContainers: # Extra init containers to e.g. download required artifacts extraInitContainers: {} -## Array of extra containers to run alongside the sonarqube container +## Array of extra containers to run alongside the SonarQube container ## ## Example: ## - name: myapp-container 
@@ -209,14 +300,22 @@ extraInitContainers: {} ## command: ['sh', '-c', 'echo Hello && sleep 3600'] ## extraContainers: [] +extraVolumes: [] +extraVolumeMounts: [] ## Provide a secret containing one or more certificate files in the keys that will be added to cacerts ## The cacerts file will be set via SONARQUBE_WEB_JVM_OPTS and SONAR_CE_JAVAOPTS ## caCerts: enabled: false - image: adoptopenjdk/openjdk11:alpine - secret: your-secret + # image: + # secret: your-secret-name + + # Optionally, you can store your certificate in a ConfigMap and use it as: + # configMap: + # name: my-custom-cacerts-certificate + # key: key + # path: my-certificate.crt initSysctl: enabled: true @@ -224,16 +323,33 @@ initSysctl: fsFileMax: 131072 nofile: 131072 nproc: 8192 - # image: busybox:1.32 + # all initContainers use SonarQube image by default, but you can override it by setting the image field (ex image: ubuntu:24.04) + # image: securityContext: + # Compatible with podSecurity standard privileged privileged: true + # if run without root permissions, error "sysctl: permission denied on key xxx, ignoring" + runAsUser: 0 + readOnlyRootFilesystem: true # resources: {} +# This should not be required anymore, used to chown/chmod folder created by faulty CSI driver that are not applying properly POSIX fsgroup. initFs: enabled: true - # image: busybox:1.32 + # all initContainers use SonarQube image by default, but you can override it by setting the image field (ex image: ubuntu:24.04) + # image: + # Compatible with podSecurity standard baseline. securityContext: - privileged: true + privileged: false + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: ["ALL"] + add: ["CHOWN"] + readOnlyRootFilesystem: true prometheusExporter: enabled: false 
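Review bot: In the `@@ -224,16 +323,33 @@` hunk `initFs` keeps `enabled: true` although the new comment says it should not be required anymore, and its securityContext runs as UID 0 with `CHOWN` added but without `allowPrivilegeEscalation: false`. Adding `allowPrivilegeEscalation: false` next to `privileged: false` costs nothing for a chown job, and the comment should say when `enabled: false` is safe. `initSysctl` likewise defaults to a privileged root container, which by its own comment only fits the privileged Pod Security Standard; a comment telling operators to set the kernel parameters on the node and disable it in restricted namespaces would help. Both blocks are repeated in the parent values.yaml hunk `@@ -192,35 +288,61 @@`.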
@@ -255,15 +371,13 @@ prometheusExporter: # ceConfig: # rules: # - pattern: ".*" - # image: curlimages/curl:8.2.0 + # image: curlimages/curl:8.2.1 # For use behind a corporate proxy when downloading prometheus # httpProxy: "" # httpsProxy: "" # noProxy: "" - # Setting the security context to the default sonarqube user 1000/1000 - securityContext: - runAsUser: 1000 - runAsGroup: 1000 + # Reuse default initcontainers.securityContext that match restricted pod security standard + # securityContext: {} prometheusMonitoring: # Generate a Prometheus Pod Monitor (https://github.com/coreos/prometheus-operator) @@ -271,14 +385,17 @@ prometheusMonitoring: podMonitor: # Create PodMonitor Resource for Prometheus scraping enabled: false - # Specify a custom namespace where the PodMonitor will be created - namespace: "default" + # (DEPRECATED) Specify a custom namespace where the PodMonitor will be created. + # This value should not be set, as the PodMonitor's namespace has to match the Release Namespace. + # namespace: "default" # Specify the interval how often metrics should be scraped interval: 30s # Specify the timeout after a scrape is ended # scrapeTimeout: "" # Name of the label on target services that prometheus uses as job name # jobLabel: "" + # Additional labels to add to the PodMonitor + # labels: {} # List of plugins to install. # For example: @@ -295,7 +412,7 @@ plugins: # httpsProxy: "" # noProxy: "" - # image: curlimages/curl:8.2.0 + # image: curlimages/curl:8.2.1 # resources: {} # .netrc secret file with a key "netrc" to use basic auth while downloading plugins 
@@ -303,16 +420,13 @@ plugins: # Set to true to not validate the server's certificate to download plugin noCheckCertificate: false - securityContext: - runAsUser: 1000 - runAsGroup: 1000 + # Reuse default initcontainers.securityContext that match restricted pod security standard + # securityContext: {} -## (DEPRECATED) Please use SONAR_WEB_JAVAOPTS or sonar.web.javaOpts -## -# jvmOpts: "-Djava.net.preferIPv4Stack=true" +## (DEPRECATED) The following value sets SONAR_WEB_JAVAOPTS (e.g., jvmOpts: "-Djava.net.preferIPv4Stack=true"). However, this is deprecated, please set SONAR_WEB_JAVAOPTS or sonar.web.javaOpts directly instead. jvmOpts: "" -## (DEPRECATED) Please use SONAR_CE_JAVAOPTS or sonar.ce.javaOpts +## (DEPRECATED) The following value sets SONAR_CE_JAVAOPTS. However, this is deprecated, please set SONAR_CE_JAVAOPTS or sonar.ce.javaOpts directly instead. jvmCeOpts: "" ## a monitoring passcode needs to be defined in order to get reasonable probe results @@ -334,16 +448,19 @@ monitoringPasscode: "define_it" # Set annotations for pods annotations: {} -## We usually don't make specific ressource recommandations, as they are heavily dependend on -## The usage of SonarQube and the surrounding infrastructure. -## Adjust these values to your needs, but make sure that the memory limit is never under 4 GB +## We usually don't make specific resource recommendations, as they are heavily dependant on +## the usage of SonarQube and the surrounding infrastructure. +## Those default are based on the default Web -Xmx1G -Xms128m and CE -Xmx2G -Xms128m and Search -Xmx2G -Xms2G settings of SQ sub processes +## Adjust these values to your needs, you can find more details on the main README of the chart. resources: limits: cpu: 800m - memory: 4Gi + memory: 6144M + ephemeral-storage: 512000M requests: cpu: 400m - memory: 2Gi + memory: 2048M + ephemeral-storage: 1536M persistence: enabled: false 
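Review bot: The `ephemeral-storage: 512000M` limit added in the `@@ -334,16 +448,19 @@` hunk is roughly 512 GB against a `1536M` request, which on most nodes is no effective cap on a pod filling the node's disk. If that size is intended, a comment should say why; otherwise tighten it to what the instance needs. The memory values also move from binary `4Gi`/`2Gi` to decimal `6144M`/`2048M`, where `6144Mi`/`2048Mi` would presumably match the JVM heap figures quoted in the new comment more closely. The same values are added in the parent values.yaml hunk `@@ -320,16 +442,19 @@`.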
@@ -364,9 +481,12 @@ persistence: accessMode: ReadWriteOnce size: 5Gi uid: 1000 + guid: 0 + ## DEPRECATED please use root level extraVolumes value ## Specify extra volumes. Refer to ".spec.volumes" specification : https://kubernetes.io/fr/docs/concepts/storage/volumes/ volumes: [] + ## DEPRECATED please use root level extraVolumeMounts value ## Specify extra mounts. Refer to ".spec.containers.volumeMounts" specification : https://kubernetes.io/fr/docs/concepts/storage/volumes/ mounts: [] @@ -386,7 +506,7 @@ emptyDir: {} # Additional sonar properties to load from a secret with a key "secret.properties" (must be a string) # sonarSecretProperties: -# Kubernetes secret that contains the encryption key for the sonarqube instance. +# Kubernetes secret that contains the encryption key for the SonarQube instance. # The secret must contain the key 'sonar-secret.txt'. # The 'sonar.secretKeyPath' property will be set automatically. # sonarSecretKey: "settings-encryption-secret" 
@@ -394,20 +514,28 @@ emptyDir: {} ## Override JDBC values ## for external Databases jdbcOverwrite: + # (DEPRECATED) Please use jdbcOverwrite.enabled instead + # enable: false # If enable the JDBC Overwrite, make sure to set `postgresql.enabled=false` - enable: false + enabled: false # The JDBC url of the external DB - jdbcUrl: "jdbc:postgresql://myPostgress/myDatabase?socketTimeout=1500" + jdbcUrl: "jdbc:postgresql://myPostgress/myDatabase" # The DB user that should be used for the JDBC connection jdbcUsername: "sonarUser" # Use this if you don't mind the DB password getting stored in plain text within the values file + # (DEPRECATED) Please use `jdbcOverwrite.jdbcSecretName` along with `jdbcOverwrite.jdbcSecretPasswordKey` instead jdbcPassword: "sonarPass" ## Alternatively, use a pre-existing k8s secret containing the DB password # jdbcSecretName: "sonarqube-jdbc" ## and the secretValueKey of the password found within that secret # jdbcSecretPasswordKey: "jdbc-password" + # To install the oracle JDBC driver, set the following URL (in this example, we set the URL for the Oracle 11 driver. Please update it to your target driver URL.). + # If downloading the driver requires authentication, please set the .netrc secret file with a key "netrc" to use basic auth. + # oracleJdbcDriver: + # url: "https://download.oracle.com/otn-pub/otn_software/jdbc/2113/ojdbc11.jar" + # netrcCreds: "" -## Configuration values for postgresql dependency +## (DEPRECATED) Configuration values for postgresql dependency ## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md postgresql: # Enable to deploy the bitnami PostgreSQL chart 
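Review bot: The commented `oracleJdbcDriver.url` example documents fetching a JAR at install time that is presumably loaded by SonarQube, but nothing in the hunk says how the download is verified. Unless the templates (not shown here) check a digest, the comment should recommend a verified copy, e.g. `# prefer an internal mirror of a driver whose checksum you have verified`. Separately, `jdbcPassword: "sonarPass"` keeps a non-empty plaintext default directly under its new deprecation comment; whether an empty default is safe depends on templates outside this hunk. The same lines are added in the parent values.yaml hunk `@@ -376,19 +504,27 @@`.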
@@ -447,22 +575,22 @@ postgresql: size: 20Gi storageClass: securityContext: - # For standard Kubernetes deployment, set enabled=true - # If using OpenShift, enabled=false for restricted SCC and enabled=true for anyuid/nonroot SCC enabled: true # fsGroup specification below are not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. # postgresql dockerfile sets user as 1001 fsGroup: 1001 containerSecurityContext: - # For standard Kubernetes deployment, set enabled=true - # If using OpenShift, enabled=false for restricted SCC and enabled=true for anyuid/nonroot SCC enabled: true # runAsUser specification below are not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. - # postgresql dockerfile sets user as 1001 + # postgresql dockerfile sets user as 1001, the rest aim at making it compatible with restricted pod security standard. runAsUser: 1001 + allowPrivilegeEscalation: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: ["ALL"] volumePermissions: - # For standard Kubernetes deployment, set enabled=false - # For OpenShift, set enabled=true and ensure to set volumepermissions.securitycontext.runAsUser below. enabled: false # if using restricted SCC set runAsUser: "auto" and if running under anyuid/nonroot SCC - runAsUser needs to match runAsUser above securityContext: 
@@ -479,20 +607,27 @@ postgresql: # podLabels: # key: value podLabels: {} -# For compatibility with 8.0 replace by "/opt/sq" -# For compatibility with 8.2, leave the default. They changed it back to /opt/sonarqube +# (DEPRECATED) this field will be removed, as it needs to match the SonarQube image folder structure, considering we have one chart version per docker image version this field is not needed anymore. sonarqubeFolder: /opt/sonarqube tests: image: "" enabled: true - resources: {} + resources: + requests: + cpu: 500m + memory: 200M + ephemeral-storage: 100M + limits: + cpu: 500m + memory: 200M + ephemeral-storage: 1000M # For OpenShift set create=true to ensure service account is created. serviceAccount: create: false # name: - # automountToken: false # default + automountToken: false ## Annotations for the Service Account annotations: {} 
@@ -519,13 +654,35 @@ extraConfig: secrets: [] configmaps: [] +# setAdminPassword: +# The values can be set to define the current and the (new) custom admin passwords at the startup (the username will remain "admin") +# newPassword: AdminAdmin_12$ +# currentPassword: admin +# The above values can be also provided by a secret that contains "password" and "currentPassword" as keys. You can generate such a secret in your cluster +# using "kubectl create secret generic admin-password-secret-name --from-literal=password=admin --from-literal=currentPassword=admin" +# passwordSecretName: "" +# Reuse default initcontainers.securityContext that match restricted pod security standard +# securityContext: {} +# resources: +# limits: +# cpu: 100m +# memory: 128Mi +# requests: +# cpu: 100m +# memory: 128Mi +# image: +# annotations: {} + + +# (DEPRECATED) please use setAdminPassword instead # account: # The values can be set to define the current and the (new) custom admin passwords at the startup (the username will remain "admin") -# adminPassword: admin +# adminPassword: AdminAdmin_12$ # currentAdminPassword: admin # The above values can be also provided by a secret that contains "password" and "currentPassword" as keys. You can generate such a secret in your cluster # using "kubectl create secret generic admin-password-secret-name --from-literal=password=admin --from-literal=currentPassword=admin" # adminPasswordSecretName: "" +# Reuse default initcontainers.securityContext that match restricted pod security standard # securityContext: {} # resources: # limits: 
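Review bot: The new `setAdminPassword` comment block repeats the example `kubectl create secret generic admin-password-secret-name --from-literal=password=admin --from-literal=currentPassword=admin`, which sets the new password to the same value as the default and puts both on the shell command line. The example should use an obvious placeholder for the new password and say that `passwordSecretName` is preferred over `newPassword`/`currentPassword` in the values file. A line such as `# prefer passwordSecretName; create the secret with --from-file so passwords do not end up in shell history` would cover it. The block continues past the end of this hunk, so the rest of the example was not reviewed.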
@@ -534,9 +691,12 @@ extraConfig: # requests: # cpu: 100m # memory: 128Mi -# curlContainerImage: curlimages/curl:8.2.0 +# (DEPRECATED) please use setAdminPassword.image instead +# curlContainerImage: curlimages/curl:8.2.1 +# (DEPRECATED) please use setAdminPassword.annotations instead # adminJobAnnotations: {} # deprecated please use sonarWebContext at the value top level # sonarWebContext: / +# (DEPRECATED) This value is not used in the templates. terminationGracePeriodSeconds: 60 diff --git a/charts/sonarqube/sonarqube/values.yaml b/charts/sonarqube/sonarqube/values.yaml index dbc3d85cd..b1b47c16b 100644 --- a/charts/sonarqube/sonarqube/values.yaml +++ b/charts/sonarqube/sonarqube/values.yaml @@ -1,15 +1,19 @@ # child values sonarqube: - # Default values for sonarqube. + # Default values for SonarQube. # This is a YAML-formatted file. # Declare variables to be passed into your templates. - # If the deployment Type is set to Deployment sonarqube is deployed as a replica set. + # (DEPRECATED) If the deployment Type is set to Deployment SonarQube is deployed as a replica set. + # This will be removed in a future release. deploymentType: "StatefulSet" - # There should not be more than 1 sonarqube instance connected to the same database. Please set this value to 1 or 0 (in case you need to scale down programmatically). + # There should not be more than 1 SonarQube instance connected to the same database. Please set this value to 1 or 0 (in case you need to scale down programmatically). replicaCount: 1 - # This will use the default deployment strategy unless it is overriden - deploymentStrategy: {} + # How many revisions to retain (Deployment ReplicaSets or StatefulSets) + revisionHistoryLimit: 10 + # (DEPRECATED) This will use the default deployment strategy unless it is overridden + deploymentStrategy: + type: Recreate # Uncomment this to scheduler pods on priority # priorityClassName: "high-priority" 
@@ -18,13 +22,39 @@ sonarqube: ## # schedulerName: - ## Is this deployment for OpenShift? If so, we help with SCCs + ## OpenShift specific configuration OpenShift: enabled: false - createSCC: true + # (Deprecated) this parameter should not be needed anymore, we support Openshift SCCv2 by default when Openshift.enabled=true + createSCC: false + route: + enabled: false + host: "sonarqube.your-org.com" + path: "/" + # Add tls section to secure traffic. + tls: + termination: edge + # certificate: + # key: + # caCertificate: + # insecureEdgeTerminationPolicy: Redirect + wildcardPolicy: None + annotations: {} + # See Openshift/OKD route annotation + # https://docs.openshift.com/container-platform/4.10/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration + # haproxy.router.openshift.io/timeout: 1m + # Additional labels for Route manifest file + # labels: + # external: 'true' + # (DEPRECATED) The "community" value as the default of "edition" is deprecated and will be removed in the next release (in favor of an empty value). Please set "community" to "true", if you want to use SonarQube Community Build. edition: "community" + # Set the chart to use the latest released SonarQube Community Build + community: + enabled: true + buildNumber: "24.12.0.100206" image: repository: library/sonarqube + # (DEPRECATED) The "image.tag" parameter will be set to be empty as default. tag: 10.2.0-community pullPolicy: IfNotPresent # If using a private repository, the imagePullSecrets to use 
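Review bot: `tag: 10.2.0-community` is left unchanged in this hunk while the chart moves to 10.8.0 and `community.buildNumber: "24.12.0.100206"` is added, with the new deprecation comment sitting directly above the old tag. If the templates (outside this view) give `image.tag` precedence over `community.buildNumber`, the release keeps running the 10.2.0 image under the 10.8.0 chart and misses the fixes shipped since. Setting `tag: ""` or the matching tag would remove the ambiguity. The new `route.tls` block also leaves `# insecureEdgeTerminationPolicy: Redirect` commented out, so how plain-HTTP requests to the route are handled is left to the router's default.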
@@ -32,17 +62,29 @@ sonarqube: # - name: my-repo-secret registry: docker.m.daocloud.io - # Set security context for sonarqube pod + # Set security context for sonarqube pod. + # The current section contains the default values set in a generic Kubernetes cluster. If you are using OpenShift, you should not set any specific fsGroup. securityContext: - fsGroup: 1000 - # Set security context for sonarqube container + fsGroup: 0 + # Set security context for sonarqube container. + # The current section contains the default values set in a generic Kubernetes cluster. If you are using OpenShift, you should not set any specific UID or GID to be used for the execution. containerSecurityContext: - # Sonarqube dockerfile creates sonarqube user as UID and GID 1000 + # Sonarqube dockerfile creates sonarqube user as UID and GID 0 + # Those default are used to match pod security standard restricted as least privileged approach + allowPrivilegeEscalation: false + runAsNonRoot: true runAsUser: 1000 + runAsGroup: 0 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: ["ALL"] + # readOnlyRootFilesystem: true + # Settings to configure elasticsearch host requirements elasticsearch: - # DEPRECATED: Use initSysctl.enabled instead - configureNode: true + # (DEPRECATED) Use initSysctl.enabled instead + configureNode: false bootstrapChecks: true service: type: ClusterIP @@ -55,6 +97,13 @@ sonarqube: # loadBalancerSourceRanges: # - 0.0.0.0/0 # loadBalancerIP: 1.2.3.4 + # Those proxy settings will be propagated to the install-plugin and prometheus-exporter init containers + # if httpProxySecret is set the other one will be ignored + # the secret should contain exactly the keys http_proxy, https_proxy and no_proxy + httpProxySecret: "" + httpProxy: "" + httpsProxy: "" + noProxy: "" # Optionally create Network Policies networkPolicy: enabled: false 
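Review bot: The new comment `# Sonarqube dockerfile creates sonarqube user as UID and GID 0` contradicts the values added right below it, `runAsNonRoot: true` and `runAsUser: 1000`; only the group is 0. Assuming the values reflect the image, reword it to `# The SonarQube image runs as UID 1000 with GID 0 (root group)`. `readOnlyRootFilesystem: true` is added only as a comment here while the init containers get it enabled, so a line saying why the main container still needs a writable root filesystem would help whoever hardens this later. The same lines appear at the top of this view in a hunk that starts outside it.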
@@ -62,14 +111,48 @@ sonarqube: prometheusNamespace: "monitoring" # If you are using a external database and enable network Policies to be created # you will need to explicitly allow egress traffic to your database - # expects https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#networkpolicyspec-v1-networking-k8s-io + # (DEPRECATED) please use additionalNetworkPolicies instead # additionalNetworkPolicys: + # expects https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#networkpolicyspec-v1-networking-k8s-io + # additionalNetworkPolicies: # will be used as default for ingress path and probes path, will be injected in .Values.env as SONAR_WEB_CONTEXT # if .Values.env.SONAR_WEB_CONTEXT is set, this value will be ignored sonarWebContext: "" - # also install the nginx ingress helm chart - nginx: + # (DEPRECATED) please use ingress-nginx instead + # nginx: + # enabled: false + + # Install the nginx ingress helm chart + ingress-nginx: + enabled: false + # You can add here any values from the official nginx ingress chart + # controller: + # replicaCount: 3 + + controller: + image: + registry: k8s.m.daocloud.io + admissionWebhooks: + patch: + image: + registry: k8s.m.daocloud.io + httproute: enabled: false + # gateway: my-gateway + # gatewayNamespace: my-gateway-namespace # optional + # labels: + # somelabel: somevalue + # hostnames: + # - sonarqube.your-org.com + # The rules are optional, by default we will create one with the SonarWebContext prefix and the SonarQube service values + # rules: + # - matches: + # - path: + # type: PathPrefix + # value: /bar + # backendRefs: + # - name: my-service1 + # port: 8080 ingress: enabled: false # Used to create an Ingress record. 
@@ -82,14 +165,11 @@ sonarqube: # servicePort: somePort # the pathType can be one of the following values: Exact|Prefix|ImplementationSpecific(default) # pathType: ImplementationSpecific - annotations: - # kubernetes.io/tls-acme: "true" - # This property allows for reports up to a certain size to be uploaded to SonarQube - nginx.ingress.kubernetes.io/proxy-body-size: "64m" - # Set the ingressClassName on the ingress record - # ingressClassName: nginx - # Additional labels for Ingress manifest file + annotations: {} + # Set the ingressClassName on the ingress record + # ingressClassName: nginx + # Additional labels for Ingress manifest file # labels: # traffic-type: external # traffic-type: internal @@ -98,21 +178,6 @@ sonarqube: # - secretName: chart-example-tls # hosts: # - chart-example.local - route: - enabled: false - host: "" - # Add tls section to secure traffic. TODO: extend this section with other secure route settings - # Comment this out if you want plain http route created. - tls: - termination: edge - annotations: {} - # See Openshift/OKD route annotation - # https://docs.openshift.com/container-platform/4.10/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration - # haproxy.router.openshift.io/timeout: 1m - # Additional labels for Route manifest file - # labels: - # external: 'true' - # Affinity for pod assignment # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity affinity: {} 
@@ -142,6 +207,18 @@ sonarqube: # - "www.example.com" readinessProbe: + exec: + command: + - sh + - -c + - | + #!/bin/bash + # A Sonarqube container is considered ready if the status is UP, DB_MIGRATION_NEEDED or DB_MIGRATION_RUNNING + # status about migration are added to prevent the node to be kill while SonarQube is upgrading the database. + if wget --no-proxy -qO- http://localhost:{{ .Values.service.internalPort }}{{ .Values.readinessProbe.sonarWebContext | default (include "sonarqube.webcontext" .) }}api/system/status | grep -q -e '"status":"UP"' -e '"status":"DB_MIGRATION_NEEDED"' -e '"status":"DB_MIGRATION_RUNNING"'; then + exit 0 + fi + exit 1 initialDelaySeconds: 60 periodSeconds: 30 failureThreshold: 6 @@ -152,6 +229,12 @@ sonarqube: # deprecated please use sonarWebContext at the value top level # sonarWebContext: / livenessProbe: + exec: + command: + - sh + - -c + - | + wget --no-proxy --quiet -O /dev/null --timeout={{ .Values.livenessProbe.timeoutSeconds }} --header="X-Sonar-Passcode: $SONAR_WEB_SYSTEMPASSCODE" "http://localhost:{{ .Values.service.internalPort }}{{ .Values.livenessProbe.sonarWebContext | default (include "sonarqube.webcontext" .) }}api/system/liveness" initialDelaySeconds: 60 periodSeconds: 30 failureThreshold: 6 
@@ -172,10 +255,23 @@ sonarqube: # deprecated please use sonarWebContext at the value top level # sonarWebContext: / initContainers: - # image: busybox:1.32 + # all initContainers use SonarQube image by default, but you can override it by setting the image field (ex image: ubuntu:24.04) + # image: + # Set the security context for the init containers + # The current section contains the default values set in a generic Kubernetes cluster. If you are using OpenShift, you should not set any specific UID or GID to be used for the execution. # We allow the init containers to have a separate security context declaration because # the initContainer may not require the same as SonarQube. - # securityContext: {} + # Those default are used to match pod security standard restricted as least privileged approach + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: ["ALL"] + readOnlyRootFilesystem: true # We allow the init containers to have a separate resources declaration because # the initContainer does not take as much resources. resources: {} @@ -184,7 +280,7 @@ sonarqube: tag: "1.32" # Extra init containers to e.g. download required artifacts extraInitContainers: {} - ## Array of extra containers to run alongside the sonarqube container + ## Array of extra containers to run alongside the SonarQube container ## ## Example: ## - name: myapp-container 
@@ -192,35 +288,61 @@ sonarqube: ## command: ['sh', '-c', 'echo Hello && sleep 3600'] ## extraContainers: [] + extraVolumes: [] + extraVolumeMounts: [] ## Provide a secret containing one or more certificate files in the keys that will be added to cacerts ## The cacerts file will be set via SONARQUBE_WEB_JVM_OPTS and SONAR_CE_JAVAOPTS ## caCerts: enabled: false - image: adoptopenjdk/openjdk11:alpine - secret: your-secret + # image: + # secret: your-secret-name + registry: docker.m.daocloud.io repository: adoptopenjdk/openjdk11 tag: alpine + # Optionally, you can store your certificate in a ConfigMap and use it as: + # configMap: + # name: my-custom-cacerts-certificate + # key: key + # path: my-certificate.crt + initSysctl: enabled: true vmMaxMapCount: 524288 fsFileMax: 131072 nofile: 131072 nproc: 8192 - # image: busybox:1.32 + # all initContainers use SonarQube image by default, but you can override it by setting the image field (ex image: ubuntu:24.04) + # image: securityContext: + # Compatible with podSecurity standard privileged privileged: true + # if run without root permissions, error "sysctl: permission denied on key xxx, ignoring" + runAsUser: 0 + readOnlyRootFilesystem: true # resources: {} registry: docker.m.daocloud.io repository: library/busybox tag: "1.32" + # This should not be required anymore, used to chown/chmod folder created by faulty CSI driver that are not applying properly POSIX fsgroup. initFs: enabled: true - # image: busybox:1.32 + # all initContainers use SonarQube image by default, but you can override it by setting the image field (ex image: ubuntu:24.04) + # image: + # Compatible with podSecurity standard baseline. securityContext: - privileged: true + privileged: false + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 + seccompProfile: + type: RuntimeDefault + capabilities: + drop: ["ALL"] + add: ["CHOWN"] + readOnlyRootFilesystem: true registry: docker.m.daocloud.io repository: library/busybox tag: "1.32" 
@@ -242,15 +364,14 @@ sonarqube: # ceConfig: # rules: # - pattern: ".*" - # image: curlimages/curl:8.2.0 + # image: curlimages/curl:8.2.1 # For use behind a corporate proxy when downloading prometheus # httpProxy: "" # httpsProxy: "" # noProxy: "" - # Setting the security context to the default sonarqube user 1000/1000 - securityContext: - runAsUser: 1000 - runAsGroup: 1000 + # Reuse default initcontainers.securityContext that match restricted pod security standard + # securityContext: {} + registry: docker.m.daocloud.io repository: curlimages/curl tag: 8.2.0 @@ -260,14 +381,17 @@ sonarqube: podMonitor: # Create PodMonitor Resource for Prometheus scraping enabled: false - # Specify a custom namespace where the PodMonitor will be created - namespace: "default" + # (DEPRECATED) Specify a custom namespace where the PodMonitor will be created. + # This value should not be set, as the PodMonitor's namespace has to match the Release Namespace. + # namespace: "default" # Specify the interval how often metrics should be scraped interval: 30s # Specify the timeout after a scrape is ended # scrapeTimeout: "" # Name of the label on target services that prometheus uses as job name # jobLabel: "" + # Additional labels to add to the PodMonitor + # labels: {} # List of plugins to install. # For example: # plugins: @@ -282,7 +406,7 @@ sonarqube: # httpsProxy: "" # noProxy: "" - # image: curlimages/curl:8.2.0 + # image: curlimages/curl:8.2.1 # resources: {} # .netrc secret file with a key "netrc" to use basic auth while downloading plugins 
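Review bot: The comment in the `@@ -242,15 +364,14 @@` hunk is bumped to `curlimages/curl:8.2.1`, but the effective `tag: 8.2.0` under `repository: curlimages/curl` a few lines below is left as is, and the `plugins` hunk `@@ -290,17 +414,15 @@` has the same mismatch. If the 10.8.0 templates still read these `registry`/`repository`/`tag` keys, the exporter and plugin-install containers keep pulling the older curl image. If they no longer read them, which the new "all initContainers use SonarQube image by default" comments suggest, the keys are dead configuration that misleads anyone auditing image versions. Either `tag: 8.2.1` or removing the three keys would resolve it.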
@@ -290,17 +414,15 @@ sonarqube: # Set to true to not validate the server's certificate to download plugin noCheckCertificate: false - securityContext: - runAsUser: 1000 - runAsGroup: 1000 + # Reuse default initcontainers.securityContext that match restricted pod security standard + # securityContext: {} + registry: docker.m.daocloud.io repository: curlimages/curl tag: 8.2.0 - ## (DEPRECATED) Please use SONAR_WEB_JAVAOPTS or sonar.web.javaOpts - ## - # jvmOpts: "-Djava.net.preferIPv4Stack=true" + ## (DEPRECATED) The following value sets SONAR_WEB_JAVAOPTS (e.g., jvmOpts: "-Djava.net.preferIPv4Stack=true"). However, this is deprecated, please set SONAR_WEB_JAVAOPTS or sonar.web.javaOpts directly instead. jvmOpts: "" - ## (DEPRECATED) Please use SONAR_CE_JAVAOPTS or sonar.ce.javaOpts + ## (DEPRECATED) The following value sets SONAR_CE_JAVAOPTS. However, this is deprecated, please set SONAR_CE_JAVAOPTS or sonar.ce.javaOpts directly instead. jvmCeOpts: "" ## a monitoring passcode needs to be defined in order to get reasonable probe results # not setting the monitoring passcode will result in a deployment that will never be ready 
@@ -320,16 +442,19 @@ sonarqube: # Set annotations for pods annotations: {} - ## We usually don't make specific ressource recommandations, as they are heavily dependend on - ## The usage of SonarQube and the surrounding infrastructure. - ## Adjust these values to your needs, but make sure that the memory limit is never under 4 GB + ## We usually don't make specific resource recommendations, as they are heavily dependant on + ## the usage of SonarQube and the surrounding infrastructure. + ## Those default are based on the default Web -Xmx1G -Xms128m and CE -Xmx2G -Xms128m and Search -Xmx2G -Xms2G settings of SQ sub processes + ## Adjust these values to your needs, you can find more details on the main README of the chart. resources: limits: cpu: 800m - memory: 4Gi + memory: 6144M + ephemeral-storage: 512000M requests: cpu: 400m - memory: 2Gi + memory: 2048M + ephemeral-storage: 1536M persistence: enabled: false ## Set annotations on pvc @@ -348,8 +473,11 @@ sonarqube: accessMode: ReadWriteOnce size: 5Gi uid: 1000 + guid: 0 + ## DEPRECATED please use root level extraVolumes value ## Specify extra volumes. Refer to ".spec.volumes" specification : https://kubernetes.io/fr/docs/concepts/storage/volumes/ volumes: [] + ## DEPRECATED please use root level extraVolumeMounts value ## Specify extra mounts. Refer to ".spec.containers.volumeMounts" specification : https://kubernetes.io/fr/docs/concepts/storage/volumes/ mounts: [] # In case you want to specify different resources for emptyDir than {} 
@@ -368,7 +496,7 @@ sonarqube: # Additional sonar properties to load from a secret with a key "secret.properties" (must be a string) # sonarSecretProperties: - # Kubernetes secret that contains the encryption key for the sonarqube instance. + # Kubernetes secret that contains the encryption key for the SonarQube instance. # The secret must contain the key 'sonar-secret.txt'. # The 'sonar.secretKeyPath' property will be set automatically. # sonarSecretKey: "settings-encryption-secret" 
@@ -376,19 +504,27 @@ sonarqube: ## Override JDBC values ## for external Databases jdbcOverwrite: + # (DEPRECATED) Please use jdbcOverwrite.enabled instead + # enable: false # If enable the JDBC Overwrite, make sure to set `postgresql.enabled=false` - enable: false + enabled: false # The JDBC url of the external DB - jdbcUrl: "jdbc:postgresql://myPostgress/myDatabase?socketTimeout=1500" + jdbcUrl: "jdbc:postgresql://myPostgress/myDatabase" # The DB user that should be used for the JDBC connection jdbcUsername: "sonarUser" # Use this if you don't mind the DB password getting stored in plain text within the values file + # (DEPRECATED) Please use `jdbcOverwrite.jdbcSecretName` along with `jdbcOverwrite.jdbcSecretPasswordKey` instead jdbcPassword: "sonarPass" ## Alternatively, use a pre-existing k8s secret containing the DB password # jdbcSecretName: "sonarqube-jdbc" ## and the secretValueKey of the password found within that secret # jdbcSecretPasswordKey: "jdbc-password" - ## Configuration values for postgresql dependency + # To install the oracle JDBC driver, set the following URL (in this example, we set the URL for the Oracle 11 driver. Please update it to your target driver URL.). + # If downloading the driver requires authentication, please set the .netrc secret file with a key "netrc" to use basic auth. + # oracleJdbcDriver: + # url: "https://download.oracle.com/otn-pub/otn_software/jdbc/2113/ojdbc11.jar" + # netrcCreds: "" + ## (DEPRECATED) Configuration values for postgresql dependency ## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md postgresql: # Enable to deploy the bitnami PostgreSQL chart 
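Review bot: `jdbcPassword: "sonarPass"` is now marked deprecated but stays an active default. Anyone who only sets `enabled: true` and a `jdbcUrl` presumably deploys with a publicly known database password. I would comment the value out or blank it, `# jdbcPassword: ""`, and leave `jdbcSecretName` with `jdbcSecretPasswordKey` as the documented path, provided the templates tolerate a missing password. Separately, the `oracleJdbcDriver.url` example fetches a jar at install time and mentions no checksum. If the chart has no integrity option, the comment should at least recommend an internal, trusted URL.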
@@ -428,22 +564,22 @@ sonarqube: size: 20Gi storageClass: "" securityContext: - # For standard Kubernetes deployment, set enabled=true - # If using OpenShift, enabled=false for restricted SCC and enabled=true for anyuid/nonroot SCC enabled: true # fsGroup specification below are not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. # postgresql dockerfile sets user as 1001 fsGroup: 1001 containerSecurityContext: - # For standard Kubernetes deployment, set enabled=true - # If using OpenShift, enabled=false for restricted SCC and enabled=true for anyuid/nonroot SCC enabled: true # runAsUser specification below are not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully. - # postgresql dockerfile sets user as 1001 + # postgresql dockerfile sets user as 1001, the rest aim at making it compatible with restricted pod security standard. runAsUser: 1001 + allowPrivilegeEscalation: false + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: ["ALL"] volumePermissions: - # For standard Kubernetes deployment, set enabled=false - # For OpenShift, set enabled=true and ensure to set volumepermissions.securitycontext.runAsUser below. enabled: false # if using restricted SCC set runAsUser: "auto" and if running under anyuid/nonroot SCC - runAsUser needs to match runAsUser above securityContext: 
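Review bot: The comment kept above `runAsUser` still says only that the runAsUser specification is skipped when `enabled=false`, but the hunk adds `allowPrivilegeEscalation`, `runAsNonRoot`, `seccompProfile` and `capabilities` under the same switch. If the subchart drops the whole block when disabled, as the existing wording suggests, an OpenShift install with `enabled: false` gets none of the new hardening from the chart and relies on the SCC alone. The comment should say so, e.g. `# none of the settings below are applied if enabled=false; on OpenShift the SCC supplies them`. The hunk also deletes the notes on which value to use for standard Kubernetes versus OpenShift, leaving `volumePermissions.enabled` without guidance. The `volumePermissions.securityContext` block continues past the end of the hunk.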
@@ -466,18 +602,25 @@ sonarqube: # podLabels: # key: value podLabels: {} - # For compatibility with 8.0 replace by "/opt/sq" - # For compatibility with 8.2, leave the default. They changed it back to /opt/sonarqube + # (DEPRECATED) this field will be removed, as it needs to match the SonarQube image folder structure, considering we have one chart version per docker image version this field is not needed anymore. sonarqubeFolder: /opt/sonarqube tests: image: "" enabled: true - resources: {} + resources: + requests: + cpu: 500m + memory: 200M + ephemeral-storage: 100M + limits: + cpu: 500m + memory: 200M + ephemeral-storage: 1000M # For OpenShift set create=true to ensure service account is created. serviceAccount: create: false # name: - # automountToken: false # default + automountToken: false ## Annotations for the Service Account annotations: {} # extraConfig is used to load Environment Variables from Secrets and ConfigMaps 
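Review bot: `automountToken: false` becomes an active value here, but it sits under `serviceAccount`, where `create: false` is the default. If the templates apply it only to a ServiceAccount object they create, the pod would still mount the token of whatever account it runs as. It is worth confirming that the value also reaches the pod spec and documenting which object it controls, e.g. `# also sets automountServiceAccountToken on the pod (confirm in the deployment template)`.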
@@ -501,13 +644,34 @@ sonarqube: extraConfig: secrets: [] configmaps: [] + # setAdminPassword: + # The values can be set to define the current and the (new) custom admin passwords at the startup (the username will remain "admin") + # newPassword: AdminAdmin_12$ + # currentPassword: admin + # The above values can be also provided by a secret that contains "password" and "currentPassword" as keys. You can generate such a secret in your cluster + # using "kubectl create secret generic admin-password-secret-name --from-literal=password=admin --from-literal=currentPassword=admin" + # passwordSecretName: "" + # Reuse default initcontainers.securityContext that match restricted pod security standard + # securityContext: {} + # resources: + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + # image: + # annotations: {} + + # (DEPRECATED) please use setAdminPassword instead # account: # The values can be set to define the current and the (new) custom admin passwords at the startup (the username will remain "admin") - # adminPassword: admin + # adminPassword: AdminAdmin_12$ # currentAdminPassword: admin # The above values can be also provided by a secret that contains "password" and "currentPassword" as keys. You can generate such a secret in your cluster # using "kubectl create secret generic admin-password-secret-name --from-literal=password=admin --from-literal=currentPassword=admin" # adminPasswordSecretName: "" + # Reuse default initcontainers.securityContext that match restricted pod security standard # securityContext: {} # resources: # limits: 
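Review bot: The commented `setAdminPassword` example ships a concrete password, `newPassword: AdminAdmin_12$`, and the same string replaces `admin` in the deprecated `account` block. Values copied from a published chart tend to end up in real deployments, so a placeholder is safer: `# newPassword: "<choose-a-unique-password>"`. The `kubectl create secret` example also sets `password=admin`, the same as the current password, and `--from-literal` leaves the value in shell history. The comment could instead point to `passwordSecretName` with a secret created via `--from-file`. The commented `resources` block of `account` continues past the end of this hunk.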
@@ -516,16 +680,12 @@ sonarqube: # requests: # cpu: 100m # memory: 128Mi - # curlContainerImage: curlimages/curl:8.2.0 + # (DEPRECATED) please use setAdminPassword.image instead + # curlContainerImage: curlimages/curl:8.2.1 + # (DEPRECATED) please use setAdminPassword.annotations instead # adminJobAnnotations: {} # deprecated please use sonarWebContext at the value top level # sonarWebContext: / + + # (DEPRECATED) This value is not used in the templates. terminationGracePeriodSeconds: 60 - ingress-nginx: - controller: - image: - registry: k8s.m.daocloud.io - admissionWebhooks: - patch: - image: - registry: k8s.m.daocloud.io
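Review bot: Nothing replaces the `ingress-nginx` registry overrides deleted at the end of this hunk, so the controller and admission-webhook patch images no longer have a mirror setting in this file. If the `ingress-nginx` dependency still ships with this chart version, its images will presumably come from the subchart's default registry. That is inconsistent with the `docker.m.daocloud.io` mirror used for the curl image earlier in the file and could fail in clusters that can only reach the mirror. Either keep the `k8s.m.daocloud.io` override or state in the commit why it is no longer needed.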