From 66479703518cabe0ffbb2baae25510e2dfc8dff7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20J=2E=20Salmer=C3=B3n-Garc=C3=ADa?=
Date: Tue, 2 Apr 2024 11:18:53 +0200
Subject: [PATCH] [bitnami/sonarqube] feat!: :lock: :boom: Improve security defaults (#24688)
* [bitnami/sonarqube] feat!: :lock: :boom: Improve security defaults
Signed-off-by: Javier Salmeron Garcia
* Update README.md with readme-generator-for-helm
Signed-off-by: Bitnami Containers
* fix: :bug: Use sonarqube image that has proper permissions in ES folder
Signed-off-by: Javier Salmeron Garcia
---------
Signed-off-by: Javier Salmeron Garcia
Signed-off-by: Bitnami Containers
Co-authored-by: Bitnami Containers
---
 .vib/sonarqube/vib-verify.json | 2 +-
 bitnami/sonarqube/Chart.lock | 8 +-
 bitnami/sonarqube/Chart.yaml | 4 +-
 bitnami/sonarqube/README.md | 153 ++++++++++++--------
 bitnami/sonarqube/templates/deployment.yaml | 49 +++++++
 bitnami/sonarqube/values.yaml | 82 +++++++++--
 6 files changed, 215 insertions(+), 83 deletions(-)
diff --git a/.vib/sonarqube/vib-verify.json b/.vib/sonarqube/vib-verify.json
index 7bc5b6a60c..80055fe334 100644
--- a/.vib/sonarqube/vib-verify.json
+++ b/.vib/sonarqube/vib-verify.json
@@ -25,7 +25,7 @@
 "target_platform": {
 "target_platform_id": "{VIB_ENV_ALTERNATIVE_TARGET_PLATFORM}",
 "size": {
- "name": "S4"
+ "name": "L4"
 }
 }
 },
diff --git a/bitnami/sonarqube/Chart.lock b/bitnami/sonarqube/Chart.lock
index 975ad29c58..871fe221e8 100644
--- a/bitnami/sonarqube/Chart.lock
+++ b/bitnami/sonarqube/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: postgresql
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 13.4.6
+ version: 15.1.4
 - name: common
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 2.18.0
-digest: sha256:1f142fdaae061ed4aff5509bbcbde665afa535367c47959426374f5b8eaeb3ba
-generated: "2024-03-05T15:44:16.583093062+01:00"
+ version: 2.19.0
+digest: sha256:16674d4d43b5651357502f06b504f7554b47337d7446ecfdc14065b5b816efc0
+generated: "2024-03-26T17:12:20.668897747+01:00"
diff --git a/bitnami/sonarqube/Chart.yaml b/bitnami/sonarqube/Chart.yaml
index 1028b19511..88a7b57cdf 100644
--- a/bitnami/sonarqube/Chart.yaml
+++ b/bitnami/sonarqube/Chart.yaml
@@ -17,7 +17,7 @@ dependencies:
 - condition: postgresql.enabled
 name: postgresql
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 13.x.x
+ version: 15.x.x
 - name: common
 repository: oci://registry-1.docker.io/bitnamicharts
 tags:
@@ -37,4 +37,4 @@ maintainers:
 name: sonarqube
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/sonarqube
-version: 4.7.0
+version: 5.0.0
diff --git a/bitnami/sonarqube/README.md b/bitnami/sonarqube/README.md
index 4d01eafd9b..2cbf803998 100644
--- a/bitnami/sonarqube/README.md
+++ b/bitnami/sonarqube/README.md
@@ -335,7 +335,7 @@ As an alternative, this chart supports using an initContainer to change the owne
 | `customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
 | `customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
 | `customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
-| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `none` |
+| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `xlarge` |
 | `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
 | `podSecurityContext.enabled` | Enabled SonarQube™ pods' Security Context | `true` |
 | `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
@@ -343,11 +343,12 @@ As an alternative, this chart supports using an initContainer to change the owne
 | `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `podSecurityContext.fsGroup` | Set SonarQube™ pod's Security Context fsGroup | `1001` |
 | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` |
-| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` |
+| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` |
 | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` |
 | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` |
-| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
+| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` |
 | `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` |
 | `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
 | `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
@@ -414,37 +415,52 @@ As an alternative, this chart supports using an initContainer to change the owne ### SonarQube caCerts provisioning parameters -| Name | Description | Value | -| ------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | -| `caCerts.enabled` | Enable the use of caCerts | `false` | -| `caCerts.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | -| `caCerts.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | -| `caCerts.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `caCerts.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | -| `caCerts.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | -| `caCerts.secret` | Name of the secret containing the certificates | `ca-certs-secret` | -| `caCerts.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if caCerts.resources is set (caCerts.resources is recommended for production). 
| `none` | -| `caCerts.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | -| `caCerts.containerSecurityContext.enabled` | Enable container security context | `true` | -| `caCerts.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `caCerts.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` | +| Name | Description | Value | +| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `caCerts.enabled` | Enable the use of caCerts | `false` | +| `caCerts.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | +| `caCerts.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | +| `caCerts.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `caCerts.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | +| `caCerts.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | +| `caCerts.secret` | Name of the secret containing the certificates | `ca-certs-secret` | +| `caCerts.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if caCerts.resources is set (caCerts.resources is recommended for production). 
| `none` | +| `caCerts.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `caCerts.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `caCerts.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `caCerts.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `caCerts.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `caCerts.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `caCerts.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `caCerts.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `caCerts.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `caCerts.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `caCerts.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | ### SonarQube plugin provisioning parameters -| Name | Description | Value | -| ------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | -| `plugins.install` | List of plugin URLS to download and install | `[]` | -| `plugins.netrcCreds` | .netrc secret file with a key "netrc" to use basic auth while downloading plugins | `""` | -| `plugins.noCheckCertificate` | Set to true to not validate the server's certificate to download plugin | `true` | -| 
`plugins.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | -| `plugins.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | -| `plugins.image.digest` | OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `plugins.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | -| `plugins.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | -| `plugins.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if plugins.resources is set (plugins.resources is recommended for production). | `none` | -| `plugins.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | -| `plugins.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `plugins.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` | +| Name | Description | Value | +| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `plugins.install` | List of plugin URLS to download and install | `[]` | +| `plugins.netrcCreds` | .netrc secret file with a key "netrc" to use basic auth while downloading plugins | `""` | +| `plugins.noCheckCertificate` | Set to true to not validate the server's certificate to download plugin | `true` | +| `plugins.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | +| `plugins.image.repository` | OS Shell + Utility image repository | `REPOSITORY_NAME/os-shell` | +| `plugins.image.digest` | OS Shell + Utility 
image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `plugins.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` | +| `plugins.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | +| `plugins.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if plugins.resources is set (plugins.resources is recommended for production). | `none` | +| `plugins.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `plugins.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `plugins.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `plugins.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `plugins.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `plugins.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `plugins.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `plugins.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `plugins.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `plugins.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `plugins.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | ### Persistence Parameters 
@@ -465,7 +481,7 @@ As an alternative, this chart supports using an initContainer to change the owne
 | `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
 | `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `none` |
 | `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
-| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
+| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
 | `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |
 ### Sysctl Image parameters
@@ -502,34 +518,40 @@ As an alternative, this chart supports using an initContainer to change the owne ### Metrics parameters -| Name | Description | Value | -| ----------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | -| `metrics.jmx.enabled` | Whether or not to expose JMX metrics to Prometheus | `false` | -| `metrics.jmx.image.registry` | JMX exporter image registry | `REGISTRY_NAME` | -| `metrics.jmx.image.repository` | JMX exporter image repository | `REPOSITORY_NAME/jmx-exporter` | -| `metrics.jmx.image.digest` | JMX exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `metrics.jmx.image.pullPolicy` | JMX exporter image pull policy | `IfNotPresent` | -| `metrics.jmx.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `metrics.jmx.containerPorts.metrics` | JMX Exporter metrics container port | `10445` | -| `metrics.jmx.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.jmx.resources is set (metrics.jmx.resources is recommended for production). 
| `none` | -| `metrics.jmx.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | -| `metrics.jmx.containerSecurityContext.enabled` | Enabled JMX Exporter containers' Security Context | `true` | -| `metrics.jmx.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | -| `metrics.jmx.containerSecurityContext.runAsUser` | Set JMX Exporter containers' Security Context runAsUser | `1001` | -| `metrics.jmx.containerSecurityContext.runAsNonRoot` | Set JMX Exporter containers' Security Context runAsNonRoot | `true` | -| `metrics.jmx.whitelistObjectNames` | Allows setting which JMX objects you want to expose to via JMX stats to JMX Exporter | `[]` | -| `metrics.jmx.configuration` | Configuration file for JMX exporter | `""` | -| `metrics.jmx.service.ports.metrics` | JMX Exporter Prometheus port | `10443` | -| `metrics.jmx.service.annotations` | Annotations for the JMX Exporter Prometheus metrics service | `{}` | -| `metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (requires `metrics.jmx.enabled` to be `true`) | `false` | -| `metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` | -| `metrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` | -| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in Prometheus | `""` | -| `metrics.serviceMonitor.interval` | How frequently to scrape metrics | `""` | -| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | -| `metrics.serviceMonitor.metricRelabelings` | Specify additional relabeling of metrics | `[]` | -| `metrics.serviceMonitor.relabelings` | Specify general relabeling | `[]` | -| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | +| Name | Description | Value | +| 
--------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ | +| `metrics.jmx.enabled` | Whether or not to expose JMX metrics to Prometheus | `false` | +| `metrics.jmx.image.registry` | JMX exporter image registry | `REGISTRY_NAME` | +| `metrics.jmx.image.repository` | JMX exporter image repository | `REPOSITORY_NAME/jmx-exporter` | +| `metrics.jmx.image.digest` | JMX exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `metrics.jmx.image.pullPolicy` | JMX exporter image pull policy | `IfNotPresent` | +| `metrics.jmx.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `metrics.jmx.containerPorts.metrics` | JMX Exporter metrics container port | `10445` | +| `metrics.jmx.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.jmx.resources is set (metrics.jmx.resources is recommended for production). 
| `none` | +| `metrics.jmx.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `metrics.jmx.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `metrics.jmx.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.jmx.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `metrics.jmx.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `metrics.jmx.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `metrics.jmx.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `metrics.jmx.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `metrics.jmx.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `metrics.jmx.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `metrics.jmx.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `metrics.jmx.whitelistObjectNames` | Allows setting which JMX objects you want to expose to via JMX stats to JMX Exporter | `[]` | +| `metrics.jmx.configuration` | Configuration file for JMX exporter | `""` | +| `metrics.jmx.service.ports.metrics` | JMX Exporter Prometheus port | `10443` | +| `metrics.jmx.service.annotations` | Annotations for the JMX Exporter Prometheus metrics service | `{}` | +| `metrics.serviceMonitor.enabled` | if `true`, creates a Prometheus Operator ServiceMonitor (requires `metrics.jmx.enabled` to be `true`) | `false` | +| `metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` | +| 
`metrics.serviceMonitor.labels` | Extra labels for the ServiceMonitor | `{}` |
+| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in Prometheus | `""` |
+| `metrics.serviceMonitor.interval` | How frequently to scrape metrics | `""` |
+| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` |
+| `metrics.serviceMonitor.metricRelabelings` | Specify additional relabeling of metrics | `[]` |
+| `metrics.serviceMonitor.relabelings` | Specify general relabeling | `[]` |
+| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` |
 ### PostgreSQL subchart settings
@@ -592,6 +614,17 @@ Find more information about how to deal with common errors related to Bitnami's
 ## Upgrading
+### To 5.0.0
+
+This major bump changes the following security defaults:
+
+- `runAsGroup` is changed from `0` to `1001`
+- `readOnlyRootFilesystem` is set to `true`
+- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case).
+- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`.
+
+This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones.
+
 ### To 4.0.0
 This major updates the PostgreSQL subchart to its newest major, 13.0.0. [Here](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1300) you can find more information about the changes introduced in that version.
diff --git a/bitnami/sonarqube/templates/deployment.yaml b/bitnami/sonarqube/templates/deployment.yaml
index 4d9e87bcdd..73e391df07 100644
--- a/bitnami/sonarqube/templates/deployment.yaml
+++ b/bitnami/sonarqube/templates/deployment.yaml
@@ -78,6 +78,9 @@ spec:
 - name: provisioning
 mountPath: {{ .Values.provisioningFolder }}/extensions/plugins/
 subPath: extensions/plugins
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
 {{- if .Values.plugins.resources }}
 resources: {{- toYaml .Values.plugins.resources | nindent 12 }}
 {{- else if ne .Values.plugins.resourcesPreset "none" }}
@@ -99,6 +102,9 @@ spec:
 subPath: certs
 - mountPath: /tmp/secrets/ca-certs
 name: ca-certs
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
 {{- if .Values.caCerts.resources }}
 resources: {{- toYaml .Values.caCerts.resources | nindent 12 }}
 {{- else if ne .Values.caCerts.resourcesPreset "none" }}
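Review bot: Both hunks on this line give the `plugins` and `caCerts` init containers a writable `/tmp`, which is what the new `readOnlyRootFilesystem: true` defaults in values.yaml require, but the scripts those containers run are outside the hunk, so any path they write other than `/tmp` or the existing `provisioning`/`certs` mounts will now fail on a read-only filesystem; confirm that, especially for the caCerts script, before relying on the default. The caCerts container additionally ends up with `/tmp` and `/tmp/secrets/ca-certs` mounted in the same container; nested mounts are supported by Kubernetes, but a reader will wonder, so a comment such as `# /tmp is writable scratch space; the ca-certs secret is mounted beneath it` next to the new mount would help. The init-container definitions these mounts belong to start before the hunk.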
@@ -150,7 +156,39 @@ spec:
 - name: sonarqube
 mountPath: /bitnami/sonarqube
 subPath: data
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
 {{- end }}
+ - name: prepare-base-dir
+ image: {{ include "sonarqube.image" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+ {{- if .Values.resources }}
+ resources: {{- toYaml .Values.resources | nindent 12 }}
+ {{- else if ne .Values.resourcesPreset "none" }}
+ resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.containerSecurityContext.enabled }}
+ securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
+ {{- end }}
+ command:
+ - /bin/bash
+ args:
+ - -ec
+ - |
+ #!/bin/bash
+
+ . /opt/bitnami/scripts/liblog.sh
+
+ info "Copying base dir to empty dir"
+ # In order to not break the application functionality (such as upgrades or plugins) we need
+ # to make the base directory writable, so we need to copy it to an empty dir volume
+ cp -r --preserve=mode /opt/bitnami/sonarqube /emptydir/app-base-dir
+
+ info "Copy operation completed"
+ volumeMounts:
+ - name: empty-dir
+ mountPath: /emptydir
 {{- if .Values.initContainers }}
 {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
 {{- end }}
@@ -367,6 +405,12 @@ spec:
 lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }}
 {{- end }}
 volumeMounts:
+ - name: empty-dir
+ mountPath: /opt/bitnami/sonarqube
+ subPath: app-base-dir
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
 - mountPath: /bitnami/sonarqube
 name: sonarqube
 {{- if or .Values.plugins.install .Values.caCerts.enabled }}
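Review bot: The `prepare-base-dir` init container copies all of `/opt/bitnami/sonarqube` into the `empty-dir` volume and the second hunk on this line mounts that copy back over `/opt/bitnami/sonarqube` in the main container, so the whole application tree is writable by the runtime user again; `readOnlyRootFilesystem: true` then protects the image layers but no longer keeps SonarQube's own binaries, libraries and plugins immutable against a compromised process. The in-script comment explains why the copy is needed but not this trade-off, so I would extend it with `# NOTE: the copied tree is writable by the runtime user, so readOnlyRootFilesystem does not cover it; mount only the subdirectories SonarQube must write to if a tighter setup is needed`. Separately, `prepare-base-dir` is the only container in this diff without the `tmp-dir` mount even though it inherits `readOnlyRootFilesystem: true` from `.Values.containerSecurityContext`; the script shown writes only to `/emptydir`, so this is fine unless `liblog.sh` needs scratch space, which cannot be seen from here. The main-container definition that receives the mounts in the second hunk starts before and ends after it.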
@@ -405,6 +449,9 @@ spec:
 resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.jmx.resourcesPreset) | nindent 12 }}
 {{- end }}
 volumeMounts:
+ - name: empty-dir
+ mountPath: /tmp
+ subPath: tmp-dir
 - name: jmx-config
 mountPath: /etc/jmx
 {{- end }}
@@ -412,6 +459,8 @@ spec:
 {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }}
 {{- end }}
 volumes:
+ - name: empty-dir
+ emptyDir: {}
 {{- if or .Values.plugins.install .Values.caCerts.enabled }}
 - name: provisioning
 emptyDir: {}
diff --git a/bitnami/sonarqube/values.yaml b/bitnami/sonarqube/values.yaml
index 3ab6532dc6..a10aa1fa79 100644
--- a/bitnami/sonarqube/values.yaml
+++ b/bitnami/sonarqube/values.yaml
@@ -82,7 +82,7 @@ diagnosticMode:
 image:
 registry: docker.io
 repository: bitnami/sonarqube
- tag: 10.4.1-debian-12-r0
+ tag: 10.4.1-debian-12-r1
 digest: ""
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
@@ -310,7 +310,7 @@ customStartupProbe: {}
 ## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
 ##
-resourcesPreset: "none"
+resourcesPreset: "xlarge"
 ## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
 ## Example:
 ## resources:
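Review bot: `emptyDir: {}` in the `volumes:` hunk has no `sizeLimit`, and this single volume now backs a full copy of the SonarQube install (`app-base-dir`) plus `/tmp` for the application, every init container and the JMX exporter, so a runaway writer to `/tmp` can consume node ephemeral storage until the pod is evicted. Consider bounding it, e.g. `emptyDir:` followed by `sizeLimit: <SIZE_PLACEHOLDER>`, or at least state in values.yaml why it is left unbounded. The JMX hunk on this line only adds the `/tmp` mount and needs nothing further.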
@@ -341,6 +341,7 @@ podSecurityContext:
 ## @param containerSecurityContext.enabled Enabled containers' Security Context
 ## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
 ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param containerSecurityContext.privileged Set container's Security Context privileged
 ## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -350,11 +351,12 @@ podSecurityContext:
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
 runAsUser: 1001
+ runAsGroup: 1001
 runAsNonRoot: true
 privileged: false
- readOnlyRootFilesystem: false
+ readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
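Review bot: `readOnlyRootFilesystem: true` in the second hunk only works together with the new `prepare-base-dir` init container and the `empty-dir` mounts in deployment.yaml, but nothing next to the value says so, so a user who overrides `initContainers` or the volumes has no hint of the dependency. I would add, above `containerSecurityContext:`, `## NOTE: readOnlyRootFilesystem relies on the prepare-base-dir init container copying /opt/bitnami/sonarqube into a writable emptyDir; keep both in sync`. The `[object,nullable]` annotation on `seLinuxOptions` is unchanged while its default moves from `null` to `{}`; presumably the rendering helper drops an empty map, but that helper is outside this diff, so a render check that no literal `seLinuxOptions: {}` reaches the manifest is worth doing.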
@@ -736,17 +738,33 @@ caCerts:
 resources: {}
 ## Init container Container Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
- ## @param caCerts.containerSecurityContext.enabled Enable container security context
+ ## @param caCerts.containerSecurityContext.enabled Enabled containers' Security Context
 ## @param caCerts.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
- ## @param caCerts.containerSecurityContext.runAsUser Set init container's Security Context runAsUser
+ ## @param caCerts.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param caCerts.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
+ ## @param caCerts.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
+ ## @param caCerts.containerSecurityContext.privileged Set container's Security Context privileged
+ ## @param caCerts.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+ ## @param caCerts.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
+ ## @param caCerts.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param caCerts.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
 ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the
 ## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
 ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: null
- runAsUser: 0
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
 ## @section SonarQube plugin provisioning parameters
 ##
 plugins:
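Review bot: The three `## NOTE: when runAsUser is set to special value "auto" ...` context lines kept above `containerSecurityContext:` describe the init container chowning the data folder, which fit the old `runAsUser: 0` default but not the new one: with `runAsUser: 1001`, `runAsNonRoot: true` and `capabilities.drop: ["ALL"]` a chown of files owned by another user would fail, and whether the caCerts template implements "auto" at all cannot be seen from this diff. Either drop the NOTE or reword it to say that `auto` is only meaningful when the container is permitted to run as root or already owns the files. The plugins hunk at `@@ -806,15 +824,33 @@` carries the same stale NOTE.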
@@ -806,15 +824,33 @@ plugins:
 resources: {}
 ## Init container Container Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param plugins.containerSecurityContext.enabled Enabled containers' Security Context
 ## @param plugins.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
- ## @param plugins.containerSecurityContext.runAsUser Set init container's Security Context runAsUser
+ ## @param plugins.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param plugins.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
+ ## @param plugins.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
+ ## @param plugins.containerSecurityContext.privileged Set container's Security Context privileged
+ ## @param plugins.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+ ## @param plugins.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
+ ## @param plugins.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param plugins.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
 ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the
 ## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
 ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
 ##
 containerSecurityContext:
- seLinuxOptions: null
- runAsUser: 0
+ enabled: true
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
 ## @section Persistence Parameters
 ##
@@ -904,7 +940,7 @@ volumePermissions:
 ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
 ##
 containerSecurityContext:
- seLinuxOptions: null
+ seLinuxOptions: {}
 runAsUser: 0
 ## @section Sysctl Image parameters
 ##
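Review bot: The plugins hunk introduces `plugins.containerSecurityContext.enabled: true`, a key that did not exist before, while none of the deployment.yaml hunks in this commit touch how the plugins init container renders its securityContext, so it is not visible whether the template gates on `.Values.plugins.containerSecurityContext.enabled` the way `prepare-base-dir` does with `{{- if .Values.containerSecurityContext.enabled }}`. If it does not, `enabled: false` is a documented switch with no effect; worth checking in the template, and the same question applies to the caCerts container. The volumePermissions hunk keeps `runAsUser: 0` without any of the new hardening keys, which is expected for a chown helper, but a line such as `## NOTE: this helper must run as root to chown the data volume and is therefore not hardened like the other containers` would stop readers treating it as an oversight.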
@@ -1061,16 +1097,30 @@ metrics:
 resources: {}
 ## Configure Container Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
- ## @param metrics.jmx.containerSecurityContext.enabled Enabled JMX Exporter containers' Security Context
+ ## @param metrics.jmx.containerSecurityContext.enabled Enabled containers' Security Context
 ## @param metrics.jmx.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
- ## @param metrics.jmx.containerSecurityContext.runAsUser Set JMX Exporter containers' Security Context runAsUser
- ## @param metrics.jmx.containerSecurityContext.runAsNonRoot Set JMX Exporter containers' Security Context runAsNonRoot
+ ## @param metrics.jmx.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
+ ## @param metrics.jmx.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
+ ## @param metrics.jmx.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
+ ## @param metrics.jmx.containerSecurityContext.privileged Set container's Security Context privileged
+ ## @param metrics.jmx.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+ ## @param metrics.jmx.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
+ ## @param metrics.jmx.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param metrics.jmx.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: null
+ seLinuxOptions: {}
 runAsUser: 1001
+ runAsGroup: 1001
 runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
 ## @param metrics.jmx.whitelistObjectNames [array] Allows setting which JMX objects you want to expose to via JMX stats to JMX Exporter
 ## Only whitelisted values will be exposed via JMX Exporter. They must also be exposed via Rules. To expose all metrics
 ## (warning its crazy excessive and they aren't formatted in a prometheus style) (1) `whitelistObjectNames: []`