[bitnami/sonarqube] feat!: 🔒 💥 Improve security defaults (#24688)

* [bitnami/sonarqube] feat!: 🔒 💥 Improve security defaults

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* Update README.md with readme-generator-for-helm

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* fix: 🐛 Use sonarqube image that has proper permissions in ES folder

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
Javier J. Salmerón-García
2024-04-02 11:18:53 +02:00
committed by GitHub
parent dc4d75b148
commit 6647970351
6 changed files with 215 additions and 83 deletions


@@ -25,7 +25,7 @@
"target_platform": {
"target_platform_id": "{VIB_ENV_ALTERNATIVE_TARGET_PLATFORM}",
"size": {
"name": "S4"
"name": "L4"
}
}
},
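Review bot: the CI target platform size goes from S4 to L4 with no explanation in the commit message; since the chart's default `resourcesPreset` moves from `none` to `xlarge` in this same commit, a short comment here or a line in the commit body recording that the larger platform is needed for the new default requests would stop the next person from shrinking it back.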


@@ -1,9 +1,9 @@
dependencies:
- name: postgresql
repository: oci://registry-1.docker.io/bitnamicharts
version: 13.4.6
version: 15.1.4
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.18.0
digest: sha256:1f142fdaae061ed4aff5509bbcbde665afa535367c47959426374f5b8eaeb3ba
generated: "2024-03-05T15:44:16.583093062+01:00"
version: 2.19.0
digest: sha256:16674d4d43b5651357502f06b504f7554b47337d7446ecfdc14065b5b816efc0
generated: "2024-03-26T17:12:20.668897747+01:00"


@@ -17,7 +17,7 @@ dependencies:
- condition: postgresql.enabled
name: postgresql
repository: oci://registry-1.docker.io/bitnamicharts
version: 13.x.x
version: 15.x.x
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
tags:
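Review bot: the postgresql dependency jumps two majors (13.x.x to 15.x.x), but the README "To 5.0.0" upgrade section in this same commit lists only the security-context changes; add a bullet pointing at the postgresql subchart upgrade notes, as the "To 4.0.0" section did for 13.0.0, since a subchart major bump applied to an existing release can change that subchart's own defaults and persistence expectations.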
@@ -37,4 +37,4 @@ maintainers:
name: sonarqube
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/sonarqube
version: 4.7.0
version: 5.0.0


@@ -335,7 +335,7 @@ As an alternative, this chart supports using an initContainer to change the owne
| `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` |
| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `xlarge` |
| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `podSecurityContext.enabled` | Enabled SonarQube&trade; pods' Security Context | `true` |
| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
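Review bot: the default `resourcesPreset` is now `xlarge` for every install that leaves `resources` unset, yet the description cell still reads as if the preset were a neutral convenience. Add to the description that the default is the minimum size that passes the chart's test suite (the wording used in the upgrade note), so that pods going Pending on small nodes after the upgrade are recognised as a sizing change rather than a regression.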
@@ -343,11 +343,12 @@ As an alternative, this chart supports using an initContainer to change the owne
| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `podSecurityContext.fsGroup` | Set SonarQube&trade; pod's Security Context fsGroup | `1001` |
| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -414,37 +415,52 @@ As an alternative, this chart supports using an initContainer to change the owne
### SonarQube caCerts provisioning parameters
| Name | Description | Value |
| ------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
| `caCerts.enabled` | Enable the use of caCerts | `false` |
| `caCerts.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
| `caCerts.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
| `caCerts.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `caCerts.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
| `caCerts.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
| `caCerts.secret` | Name of the secret containing the certificates | `ca-certs-secret` |
| `caCerts.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if caCerts.resources is set (caCerts.resources is recommended for production). | `none` |
| `caCerts.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `caCerts.containerSecurityContext.enabled` | Enable container security context | `true` |
| `caCerts.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `caCerts.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
| Name | Description | Value |
| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
| `caCerts.enabled` | Enable the use of caCerts | `false` |
| `caCerts.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
| `caCerts.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
| `caCerts.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `caCerts.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
| `caCerts.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
| `caCerts.secret` | Name of the secret containing the certificates | `ca-certs-secret` |
| `caCerts.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if caCerts.resources is set (caCerts.resources is recommended for production). | `none` |
| `caCerts.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `caCerts.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `caCerts.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `caCerts.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `caCerts.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
| `caCerts.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `caCerts.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `caCerts.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
| `caCerts.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
| `caCerts.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `caCerts.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
### SonarQube plugin provisioning parameters
| Name | Description | Value |
| ------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
| `plugins.install` | List of plugin URLS to download and install | `[]` |
| `plugins.netrcCreds` | .netrc secret file with a key "netrc" to use basic auth while downloading plugins | `""` |
| `plugins.noCheckCertificate` | Set to true to not validate the server's certificate to download plugin | `true` |
| `plugins.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
| `plugins.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
| `plugins.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `plugins.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
| `plugins.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
| `plugins.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if plugins.resources is set (plugins.resources is recommended for production). | `none` |
| `plugins.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `plugins.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `plugins.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
| Name | Description | Value |
| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- |
| `plugins.install` | List of plugin URLS to download and install | `[]` |
| `plugins.netrcCreds` | .netrc secret file with a key "netrc" to use basic auth while downloading plugins | `""` |
| `plugins.noCheckCertificate` | Set to true to not validate the server's certificate to download plugin | `true` |
| `plugins.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` |
| `plugins.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` |
| `plugins.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `plugins.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
| `plugins.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
| `plugins.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if plugins.resources is set (plugins.resources is recommended for production). | `none` |
| `plugins.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `plugins.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `plugins.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `plugins.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `plugins.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
| `plugins.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `plugins.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `plugins.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
| `plugins.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
| `plugins.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `plugins.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
### Persistence Parameters
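Review bot: `plugins.noCheckCertificate` keeps its default of `true` (certificate validation off when downloading plugins) in a breaking release whose purpose is tightening security defaults; plugins are executable code loaded into SonarQube, so fetching them over an unverified TLS connection is the weakest default left in this table. Since 5.0.0 is already a major bump, flipping it to `false` here, with `caCerts` as the documented path for private CAs, is the natural place; at minimum the upgrade note should say it was left unchanged. Separately, the caCerts and plugins init containers move from `runAsUser: 0` to `1001` with `readOnlyRootFilesystem: true`, which is a larger behavioural change for users with custom init scripts than any item currently listed under "To 5.0.0".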
@@ -465,7 +481,7 @@ As an alternative, this chart supports using an initContainer to change the owne
| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
### Sysctl Image parameters
@@ -502,34 +518,40 @@ As an alternative, this chart supports using an initContainer to change the owne
### Metrics parameters
| Name | Description | Value |
| ----------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
| `metrics.jmx.enabled` | Whether or not to expose JMX metrics to Prometheus | `false` |
| `metrics.jmx.image.registry` | JMX exporter image registry | `REGISTRY_NAME` |
| `metrics.jmx.image.repository` | JMX exporter image repository | `REPOSITORY_NAME/jmx-exporter` |
| `metrics.jmx.image.digest` | JMX exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `metrics.jmx.image.pullPolicy` | JMX exporter image pull policy | `IfNotPresent` |
| `metrics.jmx.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `metrics.jmx.containerPorts.metrics` | JMX Exporter metrics container port | `10445` |
| `metrics.jmx.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.jmx.resources is set (metrics.jmx.resources is recommended for production). | `none` |
| `metrics.jmx.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `metrics.jmx.containerSecurityContext.enabled` | Enabled JMX Exporter containers' Security Context | `true` |
| `metrics.jmx.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `metrics.jmx.containerSecurityContext.runAsUser` | Set JMX Exporter containers' Security Context runAsUser | `1001` |
| `metrics.jmx.containerSecurityContext.runAsNonRoot` | Set JMX Exporter containers' Security Context runAsNonRoot | `true` |
| `metrics.jmx.whitelistObjectNames` | Allows setting which JMX objects you want to expose to via JMX stats to JMX Exporter | `[]` |
| `metrics.jmx.configuration` | Configuration file for JMX exporter | `""` |
| `metrics.jmx.service.ports.metrics` | JMX Exporter Prometheus port | `10443` |
| `metrics.jmx.service.annotations` | Annotations for the JMX Exporter Prometheus metrics service | `{}` |
| `metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (requires `metrics.jmx.enabled` to be `true`) | `false` |
| `metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` |
| `metrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` |
| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in Prometheus | `""` |
| `metrics.serviceMonitor.interval` | How frequently to scrape metrics | `""` |
| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` |
| `metrics.serviceMonitor.metricRelabelings` | Specify additional relabeling of metrics | `[]` |
| `metrics.serviceMonitor.relabelings` | Specify general relabeling | `[]` |
| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` |
| Name | Description | Value |
| --------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
| `metrics.jmx.enabled` | Whether or not to expose JMX metrics to Prometheus | `false` |
| `metrics.jmx.image.registry` | JMX exporter image registry | `REGISTRY_NAME` |
| `metrics.jmx.image.repository` | JMX exporter image repository | `REPOSITORY_NAME/jmx-exporter` |
| `metrics.jmx.image.digest` | JMX exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `metrics.jmx.image.pullPolicy` | JMX exporter image pull policy | `IfNotPresent` |
| `metrics.jmx.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `metrics.jmx.containerPorts.metrics` | JMX Exporter metrics container port | `10445` |
| `metrics.jmx.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.jmx.resources is set (metrics.jmx.resources is recommended for production). | `none` |
| `metrics.jmx.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `metrics.jmx.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
| `metrics.jmx.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
| `metrics.jmx.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
| `metrics.jmx.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
| `metrics.jmx.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
| `metrics.jmx.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
| `metrics.jmx.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
| `metrics.jmx.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
| `metrics.jmx.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `metrics.jmx.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `metrics.jmx.whitelistObjectNames` | Allows setting which JMX objects you want to expose to via JMX stats to JMX Exporter | `[]` |
| `metrics.jmx.configuration` | Configuration file for JMX exporter | `""` |
| `metrics.jmx.service.ports.metrics` | JMX Exporter Prometheus port | `10443` |
| `metrics.jmx.service.annotations` | Annotations for the JMX Exporter Prometheus metrics service | `{}` |
| `metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (requires `metrics.jmx.enabled` to be `true`) | `false` |
| `metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` |
| `metrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` |
| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in Prometheus | `""` |
| `metrics.serviceMonitor.interval` | How frequently to scrape metrics | `""` |
| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` |
| `metrics.serviceMonitor.metricRelabelings` | Specify additional relabeling of metrics | `[]` |
| `metrics.serviceMonitor.relabelings` | Specify general relabeling | `[]` |
| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` |
### PostgreSQL subchart settings
@@ -592,6 +614,17 @@ Find more information about how to deal with common errors related to Bitnami's
## Upgrading
### To 5.0.0
This major bump changes the following security defaults:
- `runAsGroup` is changed from `0` to `1001`
- `readOnlyRootFilesystem` is set to `true`
- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
### To 4.0.0
This major updates the PostgreSQL subchart to its newest major, 13.0.0. [Here](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1300) you can find more information about the changes introduced in that version.
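Review bot: the "To 5.0.0" list is incomplete against the rest of this diff: the caCerts and plugins init containers now run as user 1001 instead of root, the postgresql subchart moves from 13.x.x to 15.x.x, `/opt/bitnami/sonarqube` is now served from an emptyDir copy made by a new `prepare-base-dir` init container, and the image tag moves to `10.4.1-debian-12-r1` (the revision with the fixed permissions on the Elasticsearch folder, per the commit message). Each of these can break an upgrade on its own, so list them and point readers at the postgresql subchart upgrade notes as the "To 4.0.0" section does. Also, `global.compatibility.openshift.adaptSecurityContext` is named as changing from `disabled` to `auto`, but none of the values.yaml hunks shown here touches it; if that change comes with the `common` 2.19.0 bump, say so.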


@@ -78,6 +78,9 @@ spec:
- name: provisioning
mountPath: {{ .Values.provisioningFolder }}/extensions/plugins/
subPath: extensions/plugins
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.plugins.resources }}
resources: {{- toYaml .Values.plugins.resources | nindent 12 }}
{{- else if ne .Values.plugins.resourcesPreset "none" }}
@@ -99,6 +102,9 @@ spec:
subPath: certs
- mountPath: /tmp/secrets/ca-certs
name: ca-certs
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.caCerts.resources }}
resources: {{- toYaml .Values.caCerts.resources | nindent 12 }}
{{- else if ne .Values.caCerts.resourcesPreset "none" }}
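Review bot: the new `/tmp` emptyDir mount sits above the existing `ca-certs` mount at `/tmp/secrets/ca-certs` in this container, so the two are nested; check a rendered pod to confirm the secret is still visible under `/tmp/secrets/ca-certs` once the emptyDir is mounted on its parent, and consider mounting the secret outside `/tmp` (or the scratch dir elsewhere) so building the truststore does not depend on mount nesting.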
@@ -150,7 +156,39 @@ spec:
- name: sonarqube
mountPath: /bitnami/sonarqube
subPath: data
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- end }}
- name: prepare-base-dir
image: {{ include "sonarqube.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- else if ne .Values.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if .Values.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
command:
- /bin/bash
args:
- -ec
- |
#!/bin/bash
. /opt/bitnami/scripts/liblog.sh
info "Copying base dir to empty dir"
# In order to not break the application functionality (such as upgrades or plugins) we need
# to make the base directory writable, so we need to copy it to an empty dir volume
cp -r --preserve=mode /opt/bitnami/sonarqube /emptydir/app-base-dir
info "Copy operation completed"
volumeMounts:
- name: empty-dir
mountPath: /emptydir
{{- if .Values.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
{{- end }}
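Review bot: `prepare-base-dir` copies the whole `/opt/bitnami/sonarqube` tree into a writable emptyDir so the application can keep writing there, which means `readOnlyRootFilesystem: true` now protects the image outside that tree but not SonarQube's own install directory (binaries, extensions, temp). The inline comment shows the trade-off is deliberate, but it belongs in the "To 5.0.0" note so users do not assume the application code is immutable at runtime. Two smaller points: the `#!/bin/bash` line inside the `-ec` argument is inert (the interpreter is already `/bin/bash`) and can go, and the init container inherits the main container's `resources`/`resourcesPreset` (now `xlarge` by default) for what is a short `cp`; that adds nothing to the pod's effective request, but a comment saying so would stop readers from assuming the copy needs that much.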
@@ -367,6 +405,12 @@ spec:
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /opt/bitnami/sonarqube
subPath: app-base-dir
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- mountPath: /bitnami/sonarqube
name: sonarqube
{{- if or .Values.plugins.install .Values.caCerts.enabled }}
@@ -405,6 +449,9 @@ spec:
resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.jmx.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: jmx-config
mountPath: /etc/jmx
{{- end }}
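Review bot: the JMX exporter, the SonarQube container and the caCerts/plugins init containers all mount the same `empty-dir` subPath `tmp-dir` at `/tmp`, so scratch files written by any one of them are readable and writable by the others. A distinct subPath per container (for example `jmx-tmp-dir` here) keeps the exporter's temp space separate from the application's at no cost, which is the least-privilege choice in a change whose point is tighter defaults.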
@@ -412,6 +459,8 @@ spec:
{{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
{{- if or .Values.plugins.install .Values.caCerts.enabled }}
- name: provisioning
emptyDir: {}
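Review bot: `empty-dir` is declared as `emptyDir: {}` with no `sizeLimit`, and it now holds both the copied application base dir and every container's `/tmp`, so a runaway write to `/tmp` consumes node ephemeral storage until the kubelet evicts the pod. Consider exposing a `sizeLimit` value for it (the size of the `/opt/bitnami/sonarqube` copy gives the lower bound), or at least documenting the absence of a limit in the README.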


@@ -82,7 +82,7 @@ diagnosticMode:
image:
registry: docker.io
repository: bitnami/sonarqube
tag: 10.4.1-debian-12-r0
tag: 10.4.1-debian-12-r1
digest: ""
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
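Review bot: the `-r1` revision is what makes the nonroot defaults work (the commit message says it fixes permissions on the Elasticsearch folder), but nothing in the chart enforces it: a user who pins `image.tag` to `10.4.1-debian-12-r0` or an older tag while taking the new `runAsUser`/`runAsGroup` defaults will hit that permission failure. Record the minimum image revision in the "To 5.0.0" upgrade note.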
@@ -310,7 +310,7 @@ customStartupProbe: {}
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
resourcesPreset: "xlarge"
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
@@ -341,6 +341,7 @@ podSecurityContext:
## @param containerSecurityContext.enabled Enabled containers' Security Context
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param containerSecurityContext.privileged Set container's Security Context privileged
## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -350,11 +351,12 @@ podSecurityContext:
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
@@ -736,17 +738,33 @@ caCerts:
resources: {}
## Init container Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param caCerts.containerSecurityContext.enabled Enable container security context
## @param caCerts.containerSecurityContext.enabled Enabled containers' Security Context
## @param caCerts.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param caCerts.containerSecurityContext.runAsUser Set init container's Security Context runAsUser
## @param caCerts.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param caCerts.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param caCerts.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param caCerts.containerSecurityContext.privileged Set container's Security Context privileged
## @param caCerts.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
## @param caCerts.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
## @param caCerts.containerSecurityContext.capabilities.drop List of capabilities to be dropped
## @param caCerts.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
## NOTE: when runAsUser is set to special value "auto", init container will try to chown the
## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
runAsUser: 0
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
## @section SonarQube plugin provisioning parameters
##
plugins:
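Review bot: the `NOTE: when runAsUser is set to special value "auto", init container will try to chown the data folder` comment is kept verbatim under both `caCerts` and `plugins` while their `runAsUser` becomes a fixed `1001` with `runAsNonRoot: true`; that note describes the `volumePermissions` init container, which keeps `runAsUser: 0` in this diff. Either confirm these two init containers actually support `auto` and chown, or drop the note here so it does not suggest running them with root-style behaviour.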
@@ -806,15 +824,33 @@ plugins:
resources: {}
## Init container Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param plugins.containerSecurityContext.enabled Enabled containers' Security Context
## @param plugins.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param plugins.containerSecurityContext.runAsUser Set init container's Security Context runAsUser
## @param plugins.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param plugins.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param plugins.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param plugins.containerSecurityContext.privileged Set container's Security Context privileged
## @param plugins.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
## @param plugins.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
## @param plugins.containerSecurityContext.capabilities.drop List of capabilities to be dropped
## @param plugins.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
## NOTE: when runAsUser is set to special value "auto", init container will try to chown the
## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
##
containerSecurityContext:
seLinuxOptions: null
runAsUser: 0
enabled: true
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
## @section Persistence Parameters
##
@@ -904,7 +940,7 @@ volumePermissions:
## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
##
containerSecurityContext:
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 0
## @section Sysctl Image parameters
##
@@ -1061,16 +1097,30 @@ metrics:
resources: {}
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param metrics.jmx.containerSecurityContext.enabled Enabled JMX Exporter containers' Security Context
## @param metrics.jmx.containerSecurityContext.enabled Enabled containers' Security Context
## @param metrics.jmx.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param metrics.jmx.containerSecurityContext.runAsUser Set JMX Exporter containers' Security Context runAsUser
## @param metrics.jmx.containerSecurityContext.runAsNonRoot Set JMX Exporter containers' Security Context runAsNonRoot
## @param metrics.jmx.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param metrics.jmx.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param metrics.jmx.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param metrics.jmx.containerSecurityContext.privileged Set container's Security Context privileged
## @param metrics.jmx.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
## @param metrics.jmx.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
## @param metrics.jmx.containerSecurityContext.capabilities.drop List of capabilities to be dropped
## @param metrics.jmx.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
##
containerSecurityContext:
enabled: true
seLinuxOptions: null
seLinuxOptions: {}
runAsUser: 1001
runAsGroup: 1001
runAsNonRoot: true
privileged: false
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
## @param metrics.jmx.whitelistObjectNames [array] Allows setting which JMX objects you want to expose to via JMX stats to JMX Exporter
## Only whitelisted values will be exposed via JMX Exporter. They must also be exposed via Rules. To expose all metrics
## (warning its crazy excessive and they aren't formatted in a prometheus style) (1) `whitelistObjectNames: []`
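Review bot: the `ref:` link above the JMX exporter `containerSecurityContext` still points at `#set-the-security-context-for-a-pod` although this block sets a container-level security context; the other blocks in this diff use `#set-the-security-context-for-a-container`. Otherwise the exporter now gets the same hardened set as the application container (`runAsGroup`, `readOnlyRootFilesystem`, `capabilities.drop: ["ALL"]`, `RuntimeDefault` seccomp), with the matching `/tmp` emptyDir mount added in the statefulset.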