From d3ee8728a41635702ca056859c0c7b0cc5359b84 Mon Sep 17 00:00:00 2001
From: Marshall Cottrell
Date: Tue, 30 Jul 2024 18:18:55 -0400
Subject: [PATCH] chore!: update to SonarQube 10, migrate to upstream chart, add `unicorn` CGR flavor (#100)

## Description

## Related Issue

Fixes #82 Fixes #96

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-package-sonarqube/blob/main/CONTRIBUTING.md#developer-workflow) followed

---------

Co-authored-by: Wayne Starr
Release-As: v10.6.0-uds.0
---
 .github/workflows/commitlint.yaml | 2 +-
 .github/workflows/lint.yaml | 2 +-
 .github/workflows/tag-and-release.yaml | 10 ++++++----
 .github/workflows/test.yaml | 19 ++++++++++++------
 chart/templates/sonarqube-sso-secret.yaml | 4 ++--
 common/zarf.yaml | 10 ++++++----
 renovate.json | 7 -------
 tasks.yaml | 10 +++++-----
 tasks/publish.yaml | 8 ++++----
 tasks/test.yaml | 2 +-
 tests/auth.setup.ts | 4 +---
 tests/sonarqube.test.ts | 12 +++++++-----
 values/common-values.yaml | 24 ++++++++---------------
 values/registry1-values.yaml | 16 ++++++++++++++-
 values/unicorn-values.yaml | 9 +++++++++
 values/upstream-values.yaml | 2 +-
 zarf.yaml | 20 +++++++++++++++++--
 17 files changed, 98 insertions(+), 63 deletions(-)
 create mode 100644 values/unicorn-values.yaml

diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml
index 35017ed..6c55a9a 100644
--- a/.github/workflows/commitlint.yaml
+++ b/.github/workflows/commitlint.yaml
@@ -8,4 +8,4 @@ on:
 jobs:
   validate:
     name: Validate
-    uses: defenseunicorns/uds-common/.github/workflows/commitlint.yaml@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+    uses: defenseunicorns/uds-common/.github/workflows/commitlint.yaml@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index b214c49..83357f7 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -20,7 +20,7 @@ jobs:
           fetch-depth: 0
 
       - name: Environment setup
-        uses: defenseunicorns/uds-common/.github/actions/setup@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        uses: defenseunicorns/uds-common/.github/actions/setup@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0
         with:
           registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
           registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
diff --git a/.github/workflows/tag-and-release.yaml b/.github/workflows/tag-and-release.yaml
index e728360..f02ca25 100644
--- a/.github/workflows/tag-and-release.yaml
+++ b/.github/workflows/tag-and-release.yaml
@@ -25,7 +25,7 @@ jobs:
     runs-on: ${{ matrix.architecture == 'arm64' && 'uds-swf-ubuntu-arm64-4-core' || 'ubuntu-latest' }}
     strategy:
       matrix:
-        flavor: [upstream, registry1]
+        flavor: [upstream, unicorn, registry1]
         architecture: [amd64, arm64]
         exclude:
           - flavor: registry1
@@ -35,26 +35,28 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Environment setup
-        uses: defenseunicorns/uds-common/.github/actions/setup@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        uses: defenseunicorns/uds-common/.github/actions/setup@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0
         with:
           registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
           registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
           ghToken: ${{ secrets.GITHUB_TOKEN }}
+          chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }}
 
       - name: Publish Package
         run: uds run -f tasks/publish.yaml package --set FLAVOR=${{ matrix.flavor }} --no-progress
 
       - name: Debug Output
         if: ${{ always() }}
-        uses: defenseunicorns/uds-common/.github/actions/debug-output@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        uses: defenseunicorns/uds-common/.github/actions/debug-output@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0
 
       - name: Save logs
         if: always()
-        uses: defenseunicorns/uds-common/.github/actions/save-logs@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        uses: defenseunicorns/uds-common/.github/actions/save-logs@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0
         with:
           suffix: ${{ matrix.flavor }}-${{ matrix.architecture }}-${{ github.run_id }}-${{ github.run_attempt }}
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index d306a57..5cabc7a 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -29,41 +29,48 @@ concurrency:
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   run-test:
     name: ${{ matrix.type }} ${{ matrix.flavor }}
-    runs-on: ubuntu-latest
+    runs-on: uds-swf-ubuntu-big-boy-4-core
     timeout-minutes: 20
     strategy:
       matrix:
-        flavor: [upstream, registry1]
+        flavor: [upstream, unicorn, registry1]
         type: [install, upgrade]
+        # do not run upgrade tests for unicorn
+        # TODO @marshall: remove after first unicorn release
+        exclude:
+          - flavor: unicorn
+            type: upgrade
     steps:
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Environment setup
-        uses: defenseunicorns/uds-common/.github/actions/setup@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        uses: defenseunicorns/uds-common/.github/actions/setup@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0
         with:
           registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
           registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
           ghToken: ${{ secrets.GITHUB_TOKEN }}
+          chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }}
 
       - name: Test
-        uses: defenseunicorns/uds-common/.github/actions/test@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        uses: defenseunicorns/uds-common/.github/actions/test@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0
         with:
           flavor: ${{ matrix.flavor }}
           type: ${{ matrix.type }}
 
       - name: Debug Output
         if: ${{ always() }}
-        uses: defenseunicorns/uds-common/.github/actions/debug-output@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        uses: defenseunicorns/uds-common/.github/actions/debug-output@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0
 
       - name: Save logs
         if: always()
-        uses: defenseunicorns/uds-common/.github/actions/save-logs@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        uses: defenseunicorns/uds-common/.github/actions/save-logs@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0
         with:
           suffix: ${{ matrix.type }}-${{ matrix.flavor }}-${{ github.run_id }}-${{ github.run_attempt }}
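Review bot: The `runs-on: uds-swf-ubuntu-big-boy-4-core` change moves the whole test matrix onto a self-hosted runner; if this workflow is triggered by `pull_request` from forks (the `on:` block is above the hunk), that executes untrusted PR code on organization infrastructure, so confirm the trigger limits runs to trusted sources or keep fork-originated runs on GitHub-hosted runners. The workflow-level `id-token: write` is also broader than it needs to be: with a single job it is equivalent to job-level, but placing it under `run-test` next to the `chainguardIdentity` input records which step relies on the OIDC token and keeps the grant from silently extending to any job added later. The `# TODO @marshall` comment on the `exclude` entry would be easier to act on if it referenced a tracking issue rather than a person, e.g. `# TODO: remove after first unicorn release (see <TRACKING-ISSUE>)`.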
diff --git a/chart/templates/sonarqube-sso-secret.yaml b/chart/templates/sonarqube-sso-secret.yaml
index 8711237..8e9fe54 100644
--- a/chart/templates/sonarqube-sso-secret.yaml
+++ b/chart/templates/sonarqube-sso-secret.yaml
@@ -1,5 +1,5 @@
-# This secret will be used if sso is disabled, instead of the templated one in uds-package.yaml.
-# Sonarqube needs to mount the secret and creating it this way avoids creating an unnecessary
+# This secret will be used if sso is disabled, instead of the templated one in uds-package.yaml.
+# Sonarqube needs to mount the secret and creating it this way avoids creating an unnecessary
 # client in the keycloak realm and unnecessary secret data in the cluster.
 {{- if not .Values.sso.enabled }}
diff --git a/common/zarf.yaml b/common/zarf.yaml
index d8732ee..f8b38d6 100644
--- a/common/zarf.yaml
+++ b/common/zarf.yaml
@@ -14,10 +14,8 @@ components:
         localPath: ../chart
       - name: sonarqube
         namespace: sonarqube
-        # see note in README.md about use of registry1 chart for both flavors
-        url: https://repo1.dso.mil/big-bang/product/packages/sonarqube.git
-        gitPath: chart
-        version: "8.0.4-bb.5"
+        url: https://SonarSource.github.io/helm-chart-sonarqube
+        version: 10.6.1
         valuesFiles:
           - ../values/common-values.yaml
     actions:
@@ -31,3 +29,7 @@ components:
             name: sonarqube
             namespace: sonarqube
             condition: "'{.status.phase}'=Ready"
+      - description: Perform DB migrations if necessary
+        cmd: |
+          STATUS=$(curl -XPOST -s "https://sonarqube.$ZARF_VAR_DOMAIN/api/system/migrate_db" | ./zarf tools yq '.state')
+          echo "SonarQube migration state: ${STATUS}"
diff --git a/renovate.json b/renovate.json
index 71e47c6..ac948b5 100644
--- a/renovate.json
+++ b/renovate.json
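Review bot: The new `Perform DB migrations if necessary` action in `common/zarf.yaml` cannot fail: `curl -s` without `--fail` and no `set -e` mean a TLS error, a non-2xx response or a failed migration all just print an empty or error `STATUS` and the deploy continues. I would open the script with `set -euo pipefail`, call `curl --fail -sS -XPOST "https://sonarqube.$ZARF_VAR_DOMAIN/api/system/migrate_db"`, and end with `[ -n "$STATUS" ] || exit 1` so the package fails loudly instead of leaving SonarQube half-migrated. The preceding wait only checks the pod is Ready; if `migrate_db` returns before the migration completes, a follow-up poll of `/api/system/status` for `UP` (the check `tasks/test.yaml` already performs) would confirm the instance is usable before later steps depend on it. In the first hunk of the same file, `version: 10.6.1` is unquoted where the removed line quoted `"8.0.4-bb.5"`; `version: "10.6.1"` keeps a future two-part bump such as `10.7` from being read as a float.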
@@ -22,13 +22,6 @@
       "labels": ["package-deps"],
       "commitMessageTopic": "package-deps",
       "matchDatasources": ["docker", "helm", "git-tags"]
-    },
-    {
-      "groupName": "SonarQube Package Dependencies",
-      "labels": ["package-deps"],
-      "commitMessageTopic": "package-deps",
-      "matchPackageNames": ["https://repo1.dso.mil/big-bang/product/packages/sonarqube.git"],
-      "allowedVersions": "/^8.+-bb.+/"
     }
   ]
 }
diff --git a/tasks.yaml b/tasks.yaml
index f74b2eb..96ff84e 100644
--- a/tasks.yaml
+++ b/tasks.yaml
@@ -2,11 +2,11 @@ includes:
   - cleanup: ./tasks/cleanup.yaml
   - dependencies: ./tasks/dependencies.yaml
   - test: ./tasks/test.yaml
-  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/create.yaml
-  - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/lint.yaml
-  - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/pull.yaml
-  - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/deploy.yaml
-  - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/setup.yaml
+  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/create.yaml
+  - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/lint.yaml
+  - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/pull.yaml
+  - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/deploy.yaml
+  - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/setup.yaml
 
 tasks:
   - name: default
diff --git a/tasks/publish.yaml b/tasks/publish.yaml
index 945c511..3ef4887 100644
--- a/tasks/publish.yaml
+++ b/tasks/publish.yaml
@@ -1,8 +1,8 @@
 includes:
-  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/create.yaml
-  - publish: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/publish.yaml
-  - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/setup.yaml
-  - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/deploy.yaml
+  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/create.yaml
+  - publish: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/publish.yaml
+  - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/setup.yaml
+  - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/deploy.yaml
   - dependencies: ./dependencies.yaml
   - test: ./test.yaml
diff --git a/tasks/test.yaml b/tasks/test.yaml
index c4e070b..3ac3963 100644
--- a/tasks/test.yaml
+++ b/tasks/test.yaml
@@ -23,7 +23,7 @@ tasks:
         cmd: |
           STATUS=$(curl -s 'https://sonarqube.uds.dev/api/system/status' | ./uds zarf tools yq '.status')
           echo "SonarQube system status: ${STATUS}"
-          if [ $STATUS != "UP" ]; then
+          if [ "$STATUS" != "UP" ]; then
             sleep 10
             exit 1
           fi
diff --git a/tests/auth.setup.ts b/tests/auth.setup.ts
index 283f242..1af1536 100644
--- a/tests/auth.setup.ts
+++ b/tests/auth.setup.ts
@@ -4,7 +4,7 @@ import { authFile } from './playwright.config';
 setup('authenticate', async ({ page, context }) => {
   await page.goto('/sessions/new');
-  await page.locator('.identity-provider-link').click();
+  await page.getByRole('button', { name: 'Log in with Keycloak' }).click();
   await page.getByLabel('Username or email').fill('doug');
   await page.getByLabel('Password').fill('unicorn123!@#UN');
@@ -23,6 +23,4 @@ setup('authenticate', async ({ page, context }) => {
   expect(keycloakCookie?.domain).toContain("sso.");
 
   await page.context().storageState({ path: authFile });
-
-  await expect(page).toHaveURL('/projects');
 })
diff --git a/tests/sonarqube.test.ts b/tests/sonarqube.test.ts
index 9a7a5c1..c71b9b4 100644
--- a/tests/sonarqube.test.ts
+++ b/tests/sonarqube.test.ts
@@ -5,15 +5,17 @@ function randomProjectName() {
 }
 test('create a project', async ({ page }) => {
-  await page.goto('/projects/create');
+  await page.goto('/projects/create?mode=manual');
   const projectName = randomProjectName();
-  await page.getByRole('button', { name: 'Manually' }).click();
   await page.getByLabel('Project display name*').fill(projectName);
-  await page.getByRole('button', { name: 'Set Up' }).click();
+  await page.getByRole('button', { name: 'Next' }).click();
-  await expect(page).toHaveURL(`/dashboard?id=${projectName}`);
+  await page.getByLabel('Use the global setting').check();
+  await page.getByRole('button', { name: 'Create project' }).click();
-  await expect(page.getByRole('heading', { level: 1 })).toContainText(projectName);
+  await expect(page).toHaveURL(`/tutorials?id=${projectName}`);
+
+  await expect(page.getByRole('heading', { level: 1 })).toContainText('Analysis Method');
 });
diff --git a/values/common-values.yaml b/values/common-values.yaml
index 3c56a04..2954478 100644
--- a/values/common-values.yaml
+++ b/values/common-values.yaml
@@ -1,23 +1,22 @@
-OpenShift:
-  enabled: false
-
 edition: "community"
 
 # Name of the secret from which to load additional properties: https://community.sonarsource.com/t/additional-sonar-properties-to-load-from-a-secret/73748
 # This secret will be created by the uds operator based on the sso spec defined in chart/templates/uds-package.yaml
 sonarSecretProperties: sonarqube-sso
 
-monitoring:
-  enabled: true
+prometheusExporter:
+  enabled: false
+
+prometheusMonitoring:
+  podMonitor:
+    enabled: false
 
 initSysctl:
   enabled: false
 
-elasticsearch:
-  configureNode: false
-
 jdbcOverwrite:
-  enable: true
+  enable: true # DEPRECATED: use `jdbcOverwrite.enabled` in v10.7.0
+  enabled: true
   jdbcUrl: jdbc:postgresql://###ZARF_VAR_SONARQUBE_DB_ENDPOINT###:5432/###ZARF_VAR_SONARQUBE_DB_NAME###
   jdbcUsername: ###ZARF_VAR_SONARQUBE_DB_USERNAME###
   jdbcPassword: null
@@ -26,10 +25,3 @@ jdbcOverwrite:
 
 postgresql:
   enabled: false
-  postgresqlServer: ###ZARF_VAR_SONARQUBE_DB_ENDPOINT###
-  existingSecret: "sonarqube-postgres"
-  existingSecretPasswordKey: "password"
-  postgresqlUsername: ###ZARF_VAR_SONARQUBE_DB_USERNAME###
-  postgresqlDatabase: ###ZARF_VAR_SONARQUBE_DB_NAME###
-  service:
-    port: 5432
diff --git a/values/registry1-values.yaml b/values/registry1-values.yaml
index 47fa9d5..b05e37e 100644
--- a/values/registry1-values.yaml
+++ b/values/registry1-values.yaml
@@ -1,9 +1,23 @@
 image:
   repository: registry1.dso.mil/ironbank/sonarsource/sonarqube/sonarqube
-  tag: 9.9.5-community
+  tag: 10.6.0-community
 
 initContainers:
   image: registry1.dso.mil/ironbank/big-bang/base:2.1.0
 
 prometheusExporter:
   image: registry1.dso.mil/ironbank/big-bang/base:2.1.0
+
+# wget used by default probes not available in registry1 images
+livenessProbe:
+  exec: null
+  httpGet:
+    path: /
+    scheme: HTTP
+    port: 9000
+readinessProbe:
+  exec: null
+  httpGet:
+    path: /api/system/status
+    scheme: HTTP
+    port: 9000
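Review bot: The monitoring rewrite in `values/common-values.yaml` turns both `prometheusExporter.enabled` and `prometheusMonitoring.podMonitor.enabled` off where the removed block had `monitoring.enabled: true`, yet `values/registry1-values.yaml` (and the new `values/unicorn-values.yaml`) still pin a `prometheusExporter.image` and `zarf.yaml` ships that image in its `images` list; either the exporter is meant to stay on, or those pins appear to be dead weight that is pulled and carried for nothing. If disabling is intentional, a comment above the block such as `# Exporter and PodMonitor are off by default under UDS; enable per-deployment via values` would record the new default, which the empty PR description does not. In the registry1 probe override, `exec: null` depends on Helm's null-deletes-the-key behaviour for values files; it works, but a short comment (`# null removes the chart's default exec probe so only httpGet applies`) would spare the next reader the check.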
diff --git a/values/unicorn-values.yaml b/values/unicorn-values.yaml
new file mode 100644
index 0000000..f989b91
--- /dev/null
+++ b/values/unicorn-values.yaml
@@ -0,0 +1,9 @@
+image:
+  repository: cgr.dev/du-uds-defenseunicorns/sonarqube
+  tag: 10.6.0
+
+initContainers:
+  image: cgr.dev/du-uds-defenseunicorns/busybox-fips:1.36
+
+prometheusExporter:
+  image: cgr.dev/du-uds-defenseunicorns/curl-fips:8-dev
diff --git a/values/upstream-values.yaml b/values/upstream-values.yaml
index 553a068..3b07dfd 100644
--- a/values/upstream-values.yaml
+++ b/values/upstream-values.yaml
@@ -1,6 +1,6 @@
 image:
   repository: sonarqube
-  tag: 9.9.5-community
+  tag: 10.6.0-community
 
 initContainers:
   image: busybox:1.36
diff --git a/zarf.yaml b/zarf.yaml
index 263a935..6510493 100644
--- a/zarf.yaml
+++ b/zarf.yaml
@@ -35,7 +35,7 @@ components:
         - values/registry1-values.yaml
     images:
       - "registry1.dso.mil/ironbank/big-bang/base:2.1.0"
-      - "registry1.dso.mil/ironbank/sonarsource/sonarqube/sonarqube:9.9.5-community"
+      - "registry1.dso.mil/ironbank/sonarsource/sonarqube/sonarqube:10.6.0-community"
 
   # Note: upstream flavor is experimental
   - name: sonarqube
@@ -50,6 +50,22 @@ components:
         valuesFiles:
           - values/upstream-values.yaml
     images:
-      - "sonarqube:9.9.5-community"
+      - "sonarqube:10.6.0-community"
       - "curlimages/curl:8.8.0"
       - "busybox:1.36"
+
+  - name: sonarqube
+    required: true
+    description: "Deploy sonarqube"
+    import:
+      path: common
+    only:
+      flavor: unicorn
+    charts:
+      - name: sonarqube
+        valuesFiles:
+          - values/unicorn-values.yaml
+    images:
+      - "cgr.dev/du-uds-defenseunicorns/sonarqube:10.6.0"
+      - "cgr.dev/du-uds-defenseunicorns/curl-fips:8-dev"
+      - "cgr.dev/du-uds-defenseunicorns/busybox-fips:1.36"
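Review bot: `cgr.dev/du-uds-defenseunicorns/curl-fips:8-dev` in `values/unicorn-values.yaml`, repeated in the `unicorn` component's `images` list in `zarf.yaml`, is a floating dev-channel tag, unlike every other image reference in this commit, which pins a specific version; a Zarf package build freezes whatever that tag resolves to at create time, so two builds of the same git revision can ship different binaries and Renovate cannot track the reference the way it tracks the pinned tags. Prefer a specific version tag or a digest in both files, e.g. `curl-fips:<PINNED-VERSION>` or `curl-fips@sha256:<DIGEST>`, keeping the two references in sync. Separately, `tag: 10.6.0` in the new values file is unquoted while `zarf.yaml` quotes its image strings; `tag: "10.6.0"` protects against a future two-part tag such as `10.7` being parsed as a float.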