Merge branch 'chart-release' into 'main'

BB-1128 - Refactor Sonarqube

See merge request !10

chart/templates/deployment.yaml

+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "sonarqube.fullname" . }}
+  labels:
+    app: {{ template "sonarqube.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    app.kubernetes.io/name: {{ template "sonarqube.name" . }}-{{ template "sonarqube.fullname" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/part-of: sonarqube
+    app.kubernetes.io/component: {{ template "sonarqube.fullname" . }}
+    app.kubernetes.io/version: {{ .Values.image.tag | quote }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: {{ template "sonarqube.name" . }}
+      release: {{ .Release.Name }}
+{{- if .Values.deploymentStrategy }}
+  strategy:
+{{ toYaml .Values.deploymentStrategy | indent 4 }}
+{{- end }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "sonarqube.name" . }}
+        release: {{ .Release.Name }}
+{{- with .Values.podLabels }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+      annotations:
+        checksum/init-sysctl: {{ include (print $.Template.BasePath "/init-sysctl.yaml") . | sha256sum }}
+        checksum/plugins: {{ include (print $.Template.BasePath "/install-plugins.yaml") . | sha256sum }}
+        checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+{{- if .Values.annotations}}
+      {{- range $key, $value := .Values.annotations }}
+        {{ $key }}: {{ $value | quote }}
+      {{- end }}
+{{- end }}
+    spec:
+    {{- if .Values.schedulerName }}
+      schedulerName: {{ .Values.schedulerName }}
+    {{- end }}
+    {{- if .Values.serviceAccount.create }}
+    {{- if .Values.serviceAccount.name }}
+      serviceAccountName: {{ .Values.serviceAccount.name }}
+    {{- else }}
+      serviceAccountName: {{ include "sonarqube.fullname" . }}
+    {{- end }}
+    {{- end }}
+      securityContext:
+{{ toYaml .Values.securityContext | indent 8 }}
+      {{- if .Values.image.pullSecret }}
+      imagePullSecrets:
+        - name: {{ .Values.image.pullSecret }}
+      {{- end }}
+      initContainers:
+      {{- if .Values.caCerts }}
+        - name: ca-certs
+          image: {{ default "adoptopenjdk/openjdk11:alpine" .Values.caCerts.image }}
+          imagePullPolicy: {{ .Values.image.pullPolicy  }}
+          command: ["sh"]
+          args: ["-c", "cp -f \"${JAVA_HOME}/lib/security/cacerts\" /tmp/certs/cacerts; if [ \"$(ls /tmp/secrets/ca-certs)\" ]; then for f in /tmp/secrets/ca-certs/*; do keytool -importcert -file \"${f}\" -alias \"$(basename \"${f}\")\" -keystore /tmp/certs/cacerts -storepass changeit -trustcacerts -noprompt; done; fi;"]
+          {{- if $securityContext := .Values.initContainers.securityContext }}
+          securityContext:
+{{ toYaml $securityContext | indent 12 }}
+          {{- end }}
+          resources:
+{{ toYaml .Values.initContainers.resources | indent 12 }}
+          volumeMounts:
+            - mountPath: /tmp/certs
+              name: sonarqube
+              subPath: certs
+            - mountPath: /tmp/secrets/ca-certs
+              name: ca-certs
+          {{- with .Values.env }}
+          env:
+            {{- . | toYaml | trim | nindent 12 }}
+          {{- end }}
+      {{- end }}
+      {{- if or .Values.initSysctl.enabled .Values.elasticsearch.configureNode }}
+        - name: init-sysctl
+          image: {{ default "busybox:1.32" .Values.initSysctl.image }}
+          imagePullPolicy: {{ .Values.image.pullPolicy  }}
+          {{- if $securityContext := (default .Values.initContainers.securityContext .Values.initSysctl.securityContext) }}
+          securityContext:
+{{ toYaml $securityContext | indent 12 }}
+          {{- end }}
+          resources:
+{{ toYaml (default .Values.initContainers.resources .Values.initSysctl.resources) | indent 12 }}
+          command: ["sh",
+            "-e",
+            "/tmp/scripts/init_sysctl.sh"]
+          volumeMounts:
+            - name: init-sysctl
+              mountPath: /tmp/scripts/
+          {{- with .Values.env }}
+          env:
+            {{- . | toYaml | trim | nindent 12 }}
+          {{- end }}
+      {{- end }}
+      {{- if .Values.plugins.install }}
+        - name: install-plugins
+          image: {{ default "rjkernick/alpine-wget:latest" .Values.plugins.image }}
+          imagePullPolicy: {{ .Values.image.pullPolicy  }}
+          command: ["sh",
+            "-e",
+            "/tmp/scripts/install_plugins.sh"]
+          volumeMounts:
+            - mountPath: {{ .Values.sonarqubeFolder }}/extensions/downloads
+              name: sonarqube
+              subPath: extensions/downloads
+            - mountPath: {{ .Values.sonarqubeFolder }}/lib/common
+              name: sonarqube
+              subPath: lib/common
+            - name: install-plugins
+              mountPath: /tmp/scripts/
+            {{- if .Values.plugins.netrcCreds }}
+            - name: plugins-netrc-file
+              mountPath: /root
+            {{- end }}
+          {{- if $securityContext := .Values.initContainers.securityContext }}
+          securityContext:
+{{ toYaml $securityContext | indent 12 }}
+          {{- end }}
+          resources:
+{{ toYaml (default .Values.initContainers.resources .Values.plugins.resource) | indent 12 }}
+          {{- with .Values.env }}
+          env:
+            {{- . | toYaml | trim | nindent 12 }}
+          {{- end }}
+      {{- end }}
+      {{- if and .Values.sonarProperties .Values.sonarSecretProperties }}
+        - name: concat-properties
+          image: {{ default "busybox:1.32" .Values.initContainers.image }}
+          imagePullPolicy: {{ .Values.image.pullPolicy  }}
+          command: ["sh",
+            "-c",
+            "awk 1 /tmp/props/sonar.properties /tmp/props/secret.properties > /tmp/result/sonar.properties"]
+          volumeMounts:
+            - mountPath: /tmp/props/sonar.properties
+              name: config
+              subPath: sonar.properties
+            - mountPath: /tmp/props/secret.properties
+              name: secret-config
+              subPath: secret.properties
+            - mountPath: /tmp/result
+              name: concat-dir
+          {{- if $securityContext := .Values.initContainers.securityContext }}
+          securityContext:
+{{ toYaml $securityContext | indent 12 }}
+          {{- end }}
+          resources:
+{{ toYaml .Values.initContainers.resources | indent 12 }}
+          {{- with .Values.env }}
+          env:
+            {{- . | toYaml | trim | nindent 12 }}
+          {{- end }}
+      {{- end }}
+      {{- if .Values.postgresql.enabled }}      
+        - name: "wait-for-db"
+          image: {{ default "busybox:1.32" .Values.initContainers.image }}
+          imagePullPolicy: {{ .Values.image.pullPolicy  }}
+          resources:
+{{ toYaml .Values.initContainers.resources | indent 12 }}
+          command: ["/bin/sh", "-c", "for i in $(seq 1 200); do nc -z -w3 {{ .Release.Name}}-postgresql 5432 && exit 0 || sleep 2; done; exit 1"]
+      {{- end }}          
+      {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName }}
+      {{- end }}
+    {{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+    {{- end }}
+    {{- if .Values.hostAliases }}
+      hostAliases:
+{{ toYaml .Values.hostAliases | indent 8 }}
+    {{- end }}
+    {{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | indent 8 }}
+    {{- end }}
+    {{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | indent 8 }}
+    {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.internalPort }}
+              protocol: TCP
+          env:
+            {{- with .Values.env }}
+            {{- . | toYaml | trim | nindent 12 }}
+            {{- end }}
+            - name: SONAR_WEB_JAVAOPTS
+              {{- if .Values.caCerts }}
+              value: {{ printf "-Djavax.net.ssl.trustStore=%s/certs/cacerts %s" .Values.sonarqubeFolder .Values.jvmOpts | trim | quote }}
+              {{- else }}
+              value: "{{ .Values.jvmOpts }}"
+              {{- end }}
+            {{- if .Values.caCerts }}
+            - name: SONAR_CE_JAVAOPTS
+              value: {{ printf "-Djavax.net.ssl.trustStore=%s/certs/cacerts" .Values.sonarqubeFolder | trim | quote }}
+            {{- end }}
+            - name: SONAR_JDBC_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "postgresql.secret" . }}
+                  key: postgresql-password
+          envFrom:
+            - configMapRef:
+                name: {{ template "sonarqube.fullname" . }}-postgres-config
+{{- range .Values.extraConfig.secrets }}
+            - secretRef:
+                name: {{ . }}
+{{- end }}
+{{- range .Values.extraConfig.configmaps }}
+            - configMapRef:
+                name: {{ . }}
+{{- end }}
+          livenessProbe:
+            httpGet:
+              path: {{ .Values.livenessProbe.sonarWebContext }}api/system/status
+              port: http
+            initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+          readinessProbe:
+            httpGet:
+              path: {{ .Values.readinessProbe.sonarWebContext }}api/system/status
+              port: http
+            initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+            failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+          {{- if .Values.containerSecurityContext }}
+          securityContext:
+{{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+{{- if .Values.persistence.mounts }}
+{{ toYaml .Values.persistence.mounts | indent 12 }}
+{{- end }}
+            {{- if and .Values.sonarProperties .Values.sonarSecretProperties }}
+            - mountPath: {{ .Values.sonarqubeFolder }}/conf/
+              name: concat-dir
+            {{- else if or .Values.sonarProperties (not .Values.elasticsearch.bootstrapChecks) }}
+            - mountPath: {{ .Values.sonarqubeFolder }}/conf/
+              name: config
+            {{- end }}
+            {{- if .Values.sonarSecretKey }}
+            - mountPath: {{ .Values.sonarqubeFolder }}/secret/
+              name: secret
+            {{- end }}
+            {{- if .Values.caCerts }}
+            - mountPath: {{ .Values.sonarqubeFolder }}/certs
+              name: sonarqube
+              subPath: certs
+            {{- end }}
+            - mountPath: {{ .Values.sonarqubeFolder }}/data
+              name: sonarqube
+              subPath: data
+            {{- if .Values.plugins.install }}
+            - mountPath: {{ .Values.sonarqubeFolder }}/extensions/downloads
+              name: sonarqube
+              subPath: extensions/downloads
+            {{- end }}
+            {{- if .Values.plugins.lib }}
+            {{- range $index, $val := .Values.plugins.lib }}
+            - mountPath: {{ $.Values.sonarqubeFolder }}/lib/common/{{ $val }}
+              name: sonarqube
+              subPath: lib/common/{{ $val }}
+            {{- end }}
+            {{- end }}
+            - mountPath: {{ .Values.sonarqubeFolder }}/temp
+              name: sonarqube
+              subPath: temp
+            - mountPath: {{ .Values.sonarqubeFolder }}/logs
+              name: sonarqube
+              subPath: logs
+            - mountPath: /tmp
+              name: tmp-dir
+          resources:
+{{ toYaml .Values.resources | indent 12 }}
+    {{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+    {{- end }}
+    {{- if .Values.tolerations }}
+      tolerations:
+{{ toYaml .Values.tolerations | indent 8 }}
+    {{- end }}
+    {{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | indent 8 }}
+    {{- end }}
+      volumes:
+{{- if .Values.persistence.volumes }}
+{{ tpl (toYaml .Values.persistence.volumes | indent 6) . }}
+{{- end }}
+      {{- if or .Values.sonarProperties (not .Values.elasticsearch.bootstrapChecks) }}
+      - name: config
+        configMap:
+          name: {{ template "sonarqube.fullname" . }}-config
+          items:
+          - key: sonar.properties
+            path: sonar.properties
+      {{- end }}
+      {{- if .Values.sonarSecretProperties }}
+      - name: secret-config
+        secret:
+          secretName: {{ .Values.sonarSecretProperties }}
+          items:
+          - key: secret.properties
+            path: secret.properties
+      {{- end }}
+      {{- if .Values.sonarSecretKey }}
+      - name: secret
+        secret:
+          secretName: {{ .Values.sonarSecretKey }}
+          items:
+          - key: sonar-secret.txt
+            path: sonar-secret.txt
+      {{- end }}
+      {{- if .Values.caCerts }}
+      - name: ca-certs
+        secret:
+          secretName: {{ .Values.caCerts.secret }}
+      {{- end }}
+      {{- if .Values.plugins.netrcCreds }}
+      - name: plugins-netrc-file
+        secret:
+          secretName: {{ .Values.plugins.netrcCreds }}
+          items:
+          - key: netrc
+            path: .netrc
+      {{- end }}
+      - name: init-sysctl
+        configMap:
+          name: {{ template "sonarqube.fullname" . }}-init-sysctl
+          items:
+            - key: init_sysctl.sh
+              path: init_sysctl.sh
+      - name: install-plugins
+        configMap:
+          name: {{ template "sonarqube.fullname" . }}-install-plugins
+          items:
+            - key: install_plugins.sh
+              path: install_plugins.sh
+      - name: sonarqube
+        {{- if .Values.persistence.enabled }}
+        persistentVolumeClaim:
+          claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ template "sonarqube.fullname" . }}{{- end }}
+        {{- else }}
+        emptyDir: {{- toYaml .Values.emptyDir | nindent 10 }}
+        {{- end  }}
+      - name : tmp-dir
+        emptyDir: {{- toYaml .Values.emptyDir | nindent 10 }}
+        {{- if .Values.sonarSecretProperties }}
+      - name : concat-dir
+        emptyDir: {{- toYaml .Values.emptyDir | nindent 10 -}}
+        {{- end }}

chart/templates/ingress.yaml

+{{- if .Values.ingress.enabled -}}
+{{- $serviceName := include "sonarqube.fullname" . -}}
+{{- $servicePort := .Values.service.externalPort -}}
+{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
+apiVersion: networking.k8s.io/v1beta1
+{{ else }}
+apiVersion: extensions/v1beta1
+{{ end -}}
+kind: Ingress
+metadata:
+  name: {{ template "sonarqube.fullname" . }}
+  labels:
+    app: {{ template "sonarqube.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+{{- if .Values.ingress.labels }}
+{{ .Values.ingress.labels | toYaml | trimSuffix "\n"| indent 4 -}}
+{{- end}}
+{{- if .Values.ingress.annotations}}
+  annotations:
+    {{- range $key, $value := .Values.ingress.annotations }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+{{- end }}
+spec:
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .name }}
+      http:
+        paths:
+          - path: {{ .path}}
+            backend:
+              serviceName: {{ default $serviceName .serviceName }}
+              servicePort: {{ default $servicePort .servicePort }}
+    {{- end -}}
+  {{- if .Values.ingress.tls }}
+  tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+  {{- end -}}
+{{- end -}}

chart/templates/init-sysctl.yaml

+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "sonarqube.fullname" . }}-init-sysctl
+  labels:
+    app: {{ template "sonarqube.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+data:
+  init_sysctl.sh: |-
+    {{- if .Values.initSysctl.vmMaxMapCount }}
+    if [[ "$(sysctl -n vm.max_map_count)" -lt {{ .Values.initSysctl.vmMaxMapCount }} ]]; then
+      sysctl -w vm.max_map_count={{ .Values.initSysctl.vmMaxMapCount }}
+    fi
+    {{- end }}
+    {{- if .Values.initSysctl.fsFileMax }}
+    if [[ "$(sysctl -n fs.file-max)" -lt {{ .Values.initSysctl.fsFileMax }} ]]; then
+      sysctl -w fs.file-max={{ .Values.initSysctl.fsFileMax }}
+    fi
+    {{- end }}
+    {{- if .Values.initSysctl.nofile }}
+    if [[ "$(ulimit -n)" != "unlimited" ]]; then
+      if [[ "$(ulimit -n)" -lt {{ .Values.initSysctl.nofile }} ]]; then
+        echo "ulimit -n {{ .Values.initSysctl.nofile }}"
+        ulimit -n {{ .Values.initSysctl.nofile }}
+      fi
+    fi
+    {{- end }}
+    {{- if .Values.initSysctl.nproc }}
+    if [[ "$(ulimit -u)" != "unlimited" ]]; then
+      if [[ "$(ulimit -u)" -lt {{ .Values.initSysctl.nproc }} ]]; then
+        echo "ulimit -u {{ .Values.initSysctl.nproc }}"
+        ulimit -u {{ .Values.initSysctl.nproc }}
+      fi
+    fi
+    {{- end }}

chart/templates/install-plugins.yaml

+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "sonarqube.fullname" . }}-install-plugins
+  labels:
+    app: {{ template "sonarqube.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+data:
+  install_plugins.sh: |-
+    {{- if .Values.plugins.httpProxy }}
+    export http_proxy={{ .Values.plugins.httpProxy }}
+    {{- end }}
+    {{- if .Values.plugins.httpsProxy }}
+    export https_proxy={{ .Values.plugins.httpsProxy }}
+    {{- end }}
+    {{- if .Values.plugins.noProxy }}
+    export no_proxy={{ .Values.plugins.noProxy }}
+    {{- end }}
+    {{- if .Values.plugins.install }}
+      [ -e {{ .Values.sonarqubeFolder }}/extensions/downloads/* ] && rm {{ .Values.sonarqubeFolder }}/extensions/downloads/*
+      {{ range $index, $val := .Values.plugins.install }}
+      echo {{ $val | quote }} >> {{ $.Values.sonarqubeFolder }}/extensions/downloads/list{{ end }}
+      cat {{ .Values.sonarqubeFolder }}/extensions/downloads/list | xargs -n 1 -P 8 wget --directory-prefix {{ .Values.sonarqubeFolder }}/extensions/downloads --no-verbose
+      rm {{ .Values.sonarqubeFolder }}/extensions/downloads/list
+    {{- end }}
+    {{- if .Values.plugins.lib }}
+    {{- range $index, $val := .Values.plugins.lib }}
+      cp -f {{ $.Values.sonarqubeFolder }}/extensions/downloads/{{ $val }} {{ $.Values.sonarqubeFolder }}/lib/common/{{ $val }}
+    {{- end }}
+    {{- end }}

chart/templates/postgres-config.yaml

+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "sonarqube.fullname" . }}-postgres-config
+  labels:
+    app: {{ template "sonarqube.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+data:
+{{- if .Values.postgresql.postgresqlUsername }}
+  SONAR_JDBC_USERNAME: {{ .Values.postgresql.postgresqlUsername | quote }}
+{{- end }}
+{{- if .Values.jdbcUrlOverride }}
+  SONAR_JDBC_URL: "{{- .Values.jdbcUrlOverride -}}"
+{{- else if and .Values.postgresql.service.port .Values.postgresql.postgresqlDatabase }}
+  SONAR_JDBC_URL: "jdbc:{{- .Values.jdbcDatabaseType -}}://{{ template "postgresql.hostname" . }}:{{- .Values.postgresql.service.port -}}/{{- .Values.postgresql.postgresqlDatabase -}}"
+{{- end }}

chart/templates/pvc.yaml

+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "sonarqube.fullname" . }}
+  labels:
+    app: {{ template "sonarqube.name" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+{{ if .Values.persistence.annotations}}
+  annotations:
+    {{- range $key, $value := .Values.persistence.annotations }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+{{- end }}
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size | quote }}
+{{- if .Values.persistence.storageClass }}
+{{- if (eq "-" .Values.persistence.storageClass) }}
+  storageClassName: ""
+{{- else }}
+  storageClassName: "{{ .Values.persistence.storageClass }}"
+{{- end }}
+{{- end }}
+{{- end }}

chart/templates/secret.yaml

+{{- if eq (include "postgresql.useInternalSecret" .) "true" -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "sonarqube.fullname" . }}
+  labels:
+    app: {{ template "sonarqube.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+type: Opaque
+data:
+  postgresql-password: {{ .Values.postgresql.postgresqlPassword | b64enc | quote }}
+{{- end -}}

chart/templates/service.yaml

+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "sonarqube.fullname" . }}
+  labels:
+    app: {{ template "sonarqube.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  {{- range $key, $value := .Values.service.labels }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+{{ if .Values.service.annotations}}
+  annotations:
+    {{- range $key, $value := .Values.service.annotations }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+{{- end }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.externalPort }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app: {{ template "sonarqube.name" . }}
+    release: {{ .Release.Name }}
+  {{- if eq .Values.service.type "LoadBalancer"}}
+  {{- if .Values.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+  {{- range .Values.service.loadBalancerSourceRanges }}
+  - {{ . }}
+  {{- end }}
+  {{- end -}}
+  {{- if .Values.service.loadBalancerIP}}
+  loadBalancerIP: {{.Values.service.loadBalancerIP}}
+  {{- end }}
+  {{- end }}

chart/templates/serviceaccount.yaml

+{{- if .Values.serviceAccount.create -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+{{- if .Values.serviceAccount.name }}
+  name: {{ .Values.serviceAccount.name }}
+{{- else  }}
+  name: {{ include "sonarqube.fullname" . }}
+{{- end }}
+{{- if .Values.serviceAccount.annotations }}
+  annotations:
+{{ toYaml .Values.serviceAccount.annotations | indent 4 }}
+{{- end }}
+{{- end -}}

chart/templates/sonarqube-scc.yaml

+{{- if and (.Values.OpenShift.enabled) (.Values.OpenShift.createSCC) }}
+
+# This SCC allows any user ID but restricts capabilties and host access
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+    kubernetes.io/description: "allows pod to run as root, privileged and run sysctl"
+    "helm.sh/hook": pre-install
+  name: {{ .Release.Name }}-privileged-scc
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: true
+allowPrivilegeEscalation: true
+allowedCapabilities: []
+allowedFlexVolumes: []
+allowedUnsafeSysctls: []
+defaultAddCapabilities: []
+defaultAllowPrivilegeEscalation: true
+fsGroup:
+  type: RunAsAny
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- KILL
+- MKNOD
+- SETUID
+- SETGID
+runAsUser:
+  type: RunAsAny
+# This can be customized for your host machine
+seLinuxContext:
+  type: MustRunAs
+# seLinuxOptions:
+#   level:
+#   user:
+#   role:
+#   type:
+supplementalGroups:
+  type: RunAsAny
+# This can be customized for your host machine
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- projected
+- secret
+# If you want a priority on your SCC -- set for a value more than 0
+priority: 11
+users:
+{{- if .Values.serviceAccount.name }}
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-{{ .Values.serviceAccount.name }}
+{{- else  }}
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-sonarqube
+{{- end }}
+{{- if .Values.postgresql.securityContext.enabled }}
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Release.Name }}-postgresql
+{{- end }}
+
+{{- end }}

chart/templates/tests/sonarqube-test.yaml

+{{- if .Values.tests.enabled -}}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ .Release.Name }}-ui-test"
+  annotations:
+    "helm.sh/hook": test-success
+  labels:
+    app: {{ template "sonarqube.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  initContainers:
+    - name: "bats"
+      image: "bats/bats:1.2.1"
+      imagePullPolicy: {{ .Values.image.pullPolicy }}
+      command: ["bash", "-c"]
+      args:
+        - |-
+          set -ex
+          cp -R /opt/bats /tools/bats/
+      volumeMounts:
+        - mountPath: /tools
+          name: tools
+  containers:
+    - name: {{ .Release.Name }}-ui-test
+      image: {{ default "bitnami/minideb-extras" .Values.tests.image }}
+      imagePullPolicy: {{ .Values.image.pullPolicy }}
+      command: [
+        "/tools/bats/bin/bats",
+        "--tap",
+        "/tests/run.sh"]
+      volumeMounts:
+      - mountPath: /tests
+        name: tests
+        readOnly: true
+      - mountPath: /tools
+        name: tools
+  volumes:
+  - name: tests
+    configMap:
+      name: {{ template "sonarqube.fullname" . }}-tests
+  - name: tools
+    emptyDir: {{ toYaml .Values.emptyDir | nindent 6 }}
+  restartPolicy: Never
+{{- end -}}

chart/templates/tests/test-config.yaml

+{{- if .Values.tests.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "sonarqube.fullname" . }}-tests
+  labels:
+    app: {{ template "sonarqube.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+data:
+  run.sh: |-
+    @test "Testing Sonarqube UI is accessible" {
+      curl --connect-timeout 5 --retry 12 --retry-delay 1 --retry-max-time 60 {{ template "sonarqube.fullname" . }}:{{ .Values.service.internalPort }}/api/system/status
+    }
+{{- end -}}

chart/templates/virtualservice.yaml

+{{- if .Values.istio.enabled -}}
+{{- $serviceName := include "sonarqube.fullname" . -}}
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: {{ template "sonarqube.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/part-of: sonarqube
+spec:
+  gateways:
+    - istio-system/main
+  hosts:
+    - "sonarqube.{{ .Values.hostname }}"
+  http:
+    - route:
+        - destination:
+            port:
+              number: {{ .Values.service.externalPort }}
+            host: {{ $serviceName }}
+{{- end }}

chart/values.yaml

+# Default values for sonarqube.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+replicaCount: 1
+
+ # This will use the default deployment strategy unless it is overriden
+deploymentStrategy: {}
+# Uncomment this to scheduler pods on priority
+# priorityClassName: "high-priority"
+
+## Use an alternate scheduler, e.g. "stork".
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+# schedulerName:
+
+## Is this deployment for OpenShift? If so, we help with SCCs
+OpenShift:
+  enabled: false
+  createSCC: true
+
+image:
+  repository: registry1.dso.mil/ironbank/sonarsource/sonarqube/sonarqube8-community
+  tag: 8.6-community
+  pullPolicy: IfNotPresent
+  # If using a private repository, the name of the imagePullSecret to use
+  pullSecret: []
+
+# Set security context for sonarqube pod
+securityContext:
+  fsGroup: 1000
+
+# Set security context for sonarqube container
+containerSecurityContext:
+  # Sonarqube dockerfile creates sonarqube user as UID and GID 1000
+  runAsUser: 1000
+
+# Settings to configure elasticsearch host requirements
+elasticsearch:
+  # DEPRECATED: Use initSysctl.enabled instead
+  configureNode: true
+  bootstrapChecks: true
+
+service:
+  type: ClusterIP
+  externalPort: 9000
+  internalPort: 9000
+  labels:
+  annotations: {}
+  # May be used in example for internal load balancing in GCP:
+  # cloud.google.com/load-balancer-type: Internal
+  # loadBalancerSourceRanges:
+  #   - 0.0.0.0/0
+  # loadBalancerIP: 1.2.3.4
+ingress:
+  enabled: false
+  # Used to create an Ingress record.
+  hosts:
+    - name: sonar.example.com
+      # Different clouds or configurations might need /* as the default path
+      path: /
+      # For additional control over serviceName and servicePort
+      # serviceName: someService
+      # servicePort: somePort
+  annotations: {}
+  # kubernetes.io/ingress.class: nginx
+  # kubernetes.io/tls-acme: "true"
+  # This property allows for reports up to a certain size to be uploaded to SonarQube
+  # nginx.ingress.kubernetes.io/proxy-body-size: "8m"
+
+# Additional labels for Ingress manifest file
+  # labels:
+  #  traffic-type: external
+  #  traffic-type: internal
+  tls: []
+  # Secrets must be manually created in the namespace.
+  # - secretName: chart-example-tls
+  #   hosts:
+  #     - chart-example.local
+
+# Affinity for pod assignment
+# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+affinity: {}
+
+# Tolerations for pod assignment
+# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+tolerations: []
+
+# Node labels for pod assignment
+# Ref: https://kubernetes.io/docs/user-guide/node-selection/
+nodeSelector: {}
+
+# hostAliases allows the modification of the hosts file inside a container
+hostAliases: []
+# - ip: "192.168.1.10"
+#   hostnames:
+#   - "example.com"
+#   - "www.example.com"
+
+readinessProbe:
+  initialDelaySeconds: 60
+  periodSeconds: 30
+  failureThreshold: 6
+  # If an ingress *path* other than the root (/) is defined, it should be reflected here
+  # A trailing "/" must be included
+  sonarWebContext: /
+  # sonarWebContext: /sonarqube/
+livenessProbe:
+  initialDelaySeconds: 60
+  periodSeconds: 30
+  # If an ingress *path* other than the root (/) is defined, it should be reflected here
+  # A trailing "/" must be included
+  sonarWebContext: /
+  # sonarWebContext: /sonarqube/
+  # If an ingress *path* is defined, it should be reflected here
+  # sonar.web.context: /sonarqube
+
+initContainers:
+  # image: busybox:1.32
+  # We allow the init containers to have a separate security context declaration because
+  # the initContainer may not require the same as SonarQube.
+  # securityContext: {}
+  # We allow the init containers to have a separate resources declaration because
+  # the initContainer does not take as much resources.
+  resources: {}
+
+## Provide a secret containing one or more certificate files in the keys that will be added to cacerts
+## The cacerts file will be set via SONARQUBE_WEB_JVM_OPTS and SONAR_CE_JAVAOPTS
+##
+# caCerts:
+  # image: adoptopenjdk/openjdk11:alpine
+  # secret: my-secret
+
+initSysctl:
+  enabled: true
+  vmMaxMapCount: 524288
+  fsFileMax: 131072
+  nofile: 131072
+  nproc: 8192
+  # image: busybox:1.32
+  securityContext:
+    privileged: true
+  # resources: {}
+
+# List of plugins to install.
+# For example:
+# plugins:
+#  install:
+#    - "https://github.com/AmadeusITGroup/sonar-stash/releases/download/1.3.0/sonar-stash-plugin-1.3.0.jar"
+#    - "https://github.com/SonarSource/sonar-ldap/releases/download/2.2-RC3/sonar-ldap-plugin-2.2.0.601.jar"
+plugins:
+  install: []
+  lib: []
+
+  # For use behind a corporate proxy when downloading plugins
+  # httpProxy: ""
+  # httpsProxy: ""
+  # noProxy: ""
+
+  # image: rjkernick/alpine-wget:latest
+  # resources: {}
+
+  # .netrc secret file with a key "netrc" to use basic auth while downloading plugins
+  # netrcCreds: ""
+
+## Values to add to SONARQUBE_WEB_JVM_OPTS
+##
+# jvmOpts: "-Djava.net.preferIPv4Stack=true"
+jvmOpts: ""
+
+## Environment variables to attach to the pods
+##
+# env:
+#   - name: VARIABLE
+#     value: my-value
+
+# Set annotations for pods
+annotations: {}
+
+resources: {}
+# We usually recommend not to specify default resources and to leave this as a conscious
+# choice for the user. This also increases chances charts run on environments with little
+# resources, such as Minikube. If you do want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+# limits:
+#  cpu: 100m
+#  memory: 128Mi
+# requests:
+#  cpu: 100m
+#  memory: 128Mi
+persistence:
+  enabled: false
+  ## Set annotations on pvc
+  annotations: {}
+
+  ## Specify an existing volume claim instead of creating a new one.
+  ## When using this option all following options like storageClass, accessMode and size are ignored.
+  # existingClaim:
+
+  ## If defined, storageClassName: <storageClass>
+  ## If set to "-", storageClassName: "", which disables dynamic provisioning
+  ## If undefined (the default) or set to null, no storageClassName spec is
+  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
+  ##   GKE, AWS & OpenStack)
+  ##
+  storageClass:
+  accessMode: ReadWriteOnce
+  size: 10Gi
+
+  ## Specify extra volumes. Refer to ".spec.volumes" specification : https://kubernetes.io/fr/docs/concepts/storage/volumes/
+  volumes: []
+  ## Specify extra mounts. Refer to ".spec.containers.volumeMounts" specification : https://kubernetes.io/fr/docs/concepts/storage/volumes/
+  mounts: []
+
+# In case you want to specify different resources for emptyDir than {}
+emptyDir: {}
+  # Example of resouces that might be used:
+  # medium: Memory
+  # sizeLimit: 16Mi
+
+# A custom sonar.properties file can be provided via dictionary.
+# For example:
+sonarProperties:
+  sonar.forceAuthentication: true
+# SAML SSO config
+#  sonar.core.serverBaseURL:
+#  sonar.auth.saml.enabled: false
+#  sonar.auth.saml.applicationId:
+#  sonar.auth.saml.providerName:
+#  sonar.auth.saml.providerId:
+#  sonar.auth.saml.loginUrl:
+#  sonar.auth.saml.certificate.secured:
+#  sonar.auth.saml.user.login:
+#  sonar.auth.saml.user.name:
+#  sonar.auth.saml.user.email:
+#  sonar.auth.saml.group.name:
+
+# Additional sonar properties to load from a secret with a key "secret.properties" (must be a string)
+# sonarSecretProperties:
+
+# Kubernetes secret that contains the encryption key for the sonarqube instance.
+# The secret must contain the key 'sonar-secret.txt'.
+# The 'sonar.secretKeyPath' property will be set automatically.
+# sonarSecretKey: "settings-encryption-secret"
+
+## JDBC Database Type; by default postgresql. To use a different Database type, adjust
+jdbcDatabaseType: postgresql
+
+## Override JDBC URL
+# jdbcUrlOverride: "jdbc:postgresql://myPostgress/myDatabase;socketTimeout=1500"
+
+## Configuration values for postgresql dependency
+## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md
+postgresql:
+  # Enable to deploy the PostgreSQL chart
+  enabled: true
+  # To use an external PostgreSQL instance, set enabled to false and uncomment
+  # the line below:
+  # postgresqlServer: ""
+  # To use an external secret for the password for an external PostgreSQL
+  # instance, set enabled to false and provide the name of the secret on the
+  # line below:
+  # existingSecret: ""
+  postgresqlUsername: "sonarUser"
+  postgresqlPassword: "sonarPass"
+  postgresqlDatabase: "sonarDB"
+  # Specify the TCP port that PostgreSQL should use
+  service:
+    port: 5432
+  resources:
+    limits:
+      cpu: 2
+      memory: 2Gi
+    requests:
+      cpu: 100m
+      memory: 200Mi
+  persistence:
+    enabled: true
+    accessMode: ReadWriteOnce
+    size: 20Gi
+    storageClass:
+  securityContext:
+    # For standard Kubernetes deployment, set enabled=true
+    # If using OpenShift, enabled=false for restricted SCC and enabled=true for anyuid/nonroot SCC
+    enabled: true
+    # fsGroup and runAsUser specifications below are not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully.
+    # postgresql dockerfile sets user as 1001
+    fsGroup: 1001
+    runAsUser: 1001
+  volumePermissions:
+    # For standard Kubernetes deployment, set enabled=false
+    # For OpenShift, set enabled=true and ensure to set volumepermissions.securitycontext.runAsUser below.
+    enabled: false
+    # if using restricted SCC set runAsUser: "auto" and if running under anyuid/nonroot SCC - runAsUser needs to match runAsUser above
+    securityContext:
+      runAsUser: 0
+  shmVolume:
+    chmod:
+      enabled: false
+  serviceAccount:
+    ## If enabled = true, and name is not set, postgreSQL will create a serviceAccount
+    enabled: false
+#    name:
+
+# Additional labels to add to the pods:
+# podLabels:
+#   key: value
+podLabels: {}
+# For compatibility with 8.0 replace by "/opt/sq"
+# For compatibility with 8.2, leave the default. They changed it back to /opt/sonarqube
+sonarqubeFolder: /opt/sonarqube
+
+tests:
+  enabled: true
+  # image: bitnami/minideb-extras
+
+serviceAccount:
+  create: false
+  # name:
+  ## Annotations for the Service Account
+  annotations: {}
+
+# extraConfig is used to load Environment Variables from Secrets and ConfigMaps
+# which may have been written by other tools, such as external orchestrators.
+#
+# These Secrets/ConfigMaps are expected to contain Key/Value pairs, such as:
+#
+# apiVersion: v1
+# kind: ConfigMap
+# metadata:
+#   name: external-sonarqube-opts
+# data:
+#   SONARQUBE_JDBC_USERNAME: foo
+#   SONARQUBE_JDBC_URL: jdbc:postgresql://db.example.com:5432/sonar
+#
+# These vars can then be injected into the environment by uncommenting the following:
+#
+# extraConfig:
+#   configmaps:
+#     - external-sonarqube-opts
+
+extraConfig:
+  secrets: []
+  configmaps: []
+
+# account:
+#   adminPassword: admin
+#   currentAdminPassword: admin
+# curlContainerImage: curlimages/curl:latest
+
+terminationGracePeriodSeconds: 60
+
+# Big Bang Additions
+hostname: bigbang.dev
+istio:
+  enabled: true

deployment/integrations/istio/kustomization.yaml

-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-
-resources:
-  - virtual-service.yaml

deployment/integrations/istio/virtual-service.yaml

-apiVersion: networking.istio.io/v1alpha3
-kind: VirtualService
-metadata:
-  name: sonarqube
-spec:
-  hosts:
-  - "sonarqube.dev.dsop.io"
-  gateways:
-  - istio-ingressgateway.istio-system.svc.cluster.local
-  http:
-  - match:
-    - uri:
-        prefix: /
-    route:
-    - destination:
-        host: sonarqube.sonarqube.svc.cluster.local
-        port:
-          number: 9000

deployment/integrations/rds/db-provisioner.yaml

-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: ensure-sonarqube-rds-db
-  annotations:
-    argocd.argoproj.io/hook: Sync
-    argocd.argoproj.io/hook-delete-policy: HookSucceeded
-spec:
-  template:
-    metadata:
-      name: ensure-sonarqube-rds-db
-      annotations:
-        sidecar.istio.io/inject: 'false'
-    spec:
-      containers:
-        - name: psql
-          image: "bitnami/postgresql"
-          command:
-            - /bin/bash
-            - -exc
-            - |
-              psql -tc "SELECT 1 FROM pg_database WHERE datname = '$DB_NAME'" | grep -q 1 || psql -c "CREATE DATABASE $DB_NAME"
-              psql -tc "SELECT 1 FROM pg_roles WHERE rolname = '$APP_DB_USER'" | grep -q 1 && psql -c "ALTER USER $APP_DB_USER WITH PASSWORD '$APP_DB_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $DB_NAME TO $APP_DB_USER;" | grep -q GRANT || psql -c "CREATE USER $APP_DB_USER WITH PASSWORD '$APP_DB_PASSWORD'; GRANT ALL PRIVILEGES ON DATABASE $DB_NAME TO $APP_DB_USER;"
-          env:
-            - name: DB_NAME
-              value: sonarqube
-          envFrom:
-            - secretRef:
-                name: db-credentials
-            - secretRef:
-                name: app-db-credentials
-      restartPolicy: OnFailure
\ No newline at end of file

deployment/integrations/rds/kustomization.yaml

-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-
-resources:
-  - db-provisioner.yaml
-images:
-  - name: bitnami/postgresql
-    newName: registry.dsop.io/platform-one/apps/sonarqube/postgres12-ib
-    newTag: 12.3-ib
\ No newline at end of file