From 4a779e0f61c20a7e2b7047845c40ea6b043f2773 Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Fri, 29 Mar 2024 08:56:49 -0500 Subject: [PATCH 01/21] uds common 0.3.7 --- tasks.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks.yaml b/tasks.yaml index fea670b..7cfec55 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -2,11 +2,11 @@ includes: - cleanup: ./tasks/cleanup.yaml - dependencies: ./tasks/dependencies.yaml - test: ./tasks/test.yaml - - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.6/tasks/create.yaml - - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.6/tasks/lint.yaml - - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.6/tasks/pull.yaml - - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.6/tasks/deploy.yaml - - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.6/tasks/setup.yaml + - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.7/tasks/create.yaml + - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.7/tasks/lint.yaml + - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.7/tasks/pull.yaml + - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.7/tasks/deploy.yaml + - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.7/tasks/setup.yaml tasks: - name: default From a130f499d817849f453972f70ddded80ac2d623a Mon Sep 17 00:00:00 2001 
From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Thu, 4 Apr 2024 12:26:14 -0500 Subject: [PATCH 02/21] feat: keycloak integration using sso secret templating --- chart/templates/sonarqube-sso.yaml | 42 ++++++++++++++++++++++++++++++ tasks.yaml | 8 ++++++ values/common-values.yaml | 23 ++++++++-------- zarf.yaml | 2 +- 4 files changed, 63 insertions(+), 12 deletions(-) create mode 100644 chart/templates/sonarqube-sso.yaml diff --git a/chart/templates/sonarqube-sso.yaml b/chart/templates/sonarqube-sso.yaml new file mode 100644 index 0000000..f3c2ca8 --- /dev/null +++ b/chart/templates/sonarqube-sso.yaml @@ -0,0 +1,42 @@ +apiVersion: uds.dev/v1alpha1 +kind: Package +metadata: + name: sonarqube-sso + namespace: {{ .Release.Namespace }} +spec: + sso: + - name: Sonarqube Client + clientId: sonarqube-client + redirectUris: + - "https://sonarqube.uds.dev/oauth2/callback/saml" + protocol: saml + defaultClientScopes: [] + attributes: + saml.client.signature: "false" + protocolMappers: + - name: "Name" + protocol: "saml" + protocolMapper: "saml-user-property-mapper" + config: + user.attribute: "Username" + attribute.nameformat: "Basic" + attribute.name: "name" + - name: "Email" + protocol: "saml" + protocolMapper: "saml-user-property-mapper" + config: + user.attribute: "Email" + attribute.nameformat: "Basic" + attribute.name: "email" + - name: "Login" + protocol: "saml" + protocolMapper: "saml-user-property-mapper" + config: + user.attribute: "Username" + attribute.nameformat: "Basic" + attribute.name: "login" + + secretName: sonarqube-sso + secretTemplate: + secret.properties: | + sonar.auth.saml.certificate.secured: 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 diff --git a/tasks.yaml b/tasks.yaml index 7cfec55..ba4b8b5 100644 --- a/tasks.yaml +++ b/tasks.yaml 
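Review bot: `saml.client.signature: "false"` in the new chart/templates/sonarqube-sso.yaml switches off Keycloak's requirement that SonarQube sign its SAML AuthnRequests, and nothing in the hunk records why that control is being relaxed. Presumably it is because no SP signing key is configured on the SonarQube side (no `sonar.auth.saml.signature.enabled` or `sonar.auth.saml.sp.*` property appears in the template), so a comment on that attribute should say so, e.g. `# Unsigned AuthnRequests: SonarQube is not given an SP signing key here; IdP assertions are still verified via sonar.auth.saml.certificate.secured`. The redirect URI `https://sonarqube.uds.dev/oauth2/callback/saml` is also a literal while the hunk already templates `{{ .Release.Namespace }}`; Keycloak only posts assertions to registered redirect URIs, so a mismatch fails closed rather than open, but it should be derived from the same domain value the rest of the package uses or login breaks on any non-`uds.dev` install.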
@@ -39,6 +39,14 @@ tasks: - task: dependencies:create - task: create:test-bundle + - name: test-package-app-only + description: Test the health of a SonarQube deployment + actions: + - task: create-sq-test-bundle + - task: deploy:test-bundle + - task: test:health-check + - task: test:ingress + # CI will execute the following (via uds-common/.github/actions/test) so they need to be here with these names - name: test-package diff --git a/values/common-values.yaml b/values/common-values.yaml index d404142..1a2fe97 100644 --- a/values/common-values.yaml +++ b/values/common-values.yaml @@ -4,17 +4,18 @@ OpenShift: edition: "community" sonarProperties: - sonar.auth.saml.enabled: ###ZARF_VAR_SONARQUBE_IDAM_ENABLED### - sonar.core.serverBaseURL: https://sonarqube.###ZARF_VAR_DOMAIN### - sonar.auth.saml.applicationId: ###ZARF_VAR_SONARQUBE_IDAM_CLIENT_ID### - sonar.auth.saml.providerName: ###ZARF_VAR_SONARQUBE_IDAM_PROVIDER_NAME### - sonar.auth.saml.providerId: ###ZARF_VAR_SONARQUBE_IDAM_REALM_URL### - sonar.auth.saml.loginUrl: ###ZARF_VAR_SONARQUBE_IDAM_REALM_URL###/protocol/saml - sonar.auth.saml.certificate.secured: ###ZARF_VAR_SONARQUBE_IDAM_SAML_CERT### - sonar.auth.saml.user.login: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_LOGIN### - sonar.auth.saml.user.name: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_NAME### - sonar.auth.saml.user.email: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_EMAIL### - sonar.auth.saml.group.name: ###ZARF_VAR_SONARQUBE_IDAM_ATTR_GROUP### + sonar.auth.saml.enabled: true + sonar.core.serverBaseURL: https://sonarqube.uds.dev + sonar.auth.saml.applicationId: sonarqube + sonar.auth.saml.providerName: "Keycloak" + sonar.auth.saml.providerId: " https://sso.uds.dev/realms/uds" + sonar.auth.saml.loginUrl: "https://sso.uds.dev/realms/uds/protocol/saml" + sonar.auth.saml.user.login: login + sonar.auth.saml.user.name: name + sonar.auth.saml.user.email: email + +sonarSecretProperties: sonarqube-sso + monitoring: enabled: true diff --git a/zarf.yaml b/zarf.yaml index 576137a..3e54d3c 100644 
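Review bot: The new `sonarProperties` block in values/common-values.yaml replaces `###ZARF_VAR_DOMAIN###` with the literal domain `uds.dev` in `sonar.core.serverBaseURL`, `sonar.auth.saml.providerId` and `sonar.auth.saml.loginUrl`, so a deployment with any other `DOMAIN` gets a wrong server base URL and an IdP entity ID that cannot match its realm. The `DOMAIN` variable is still declared in zarf.yaml, so keep `sonar.core.serverBaseURL: https://sonarqube.###ZARF_VAR_DOMAIN###` and `https://sso.###ZARF_VAR_DOMAIN###/realms/uds` for the two SSO URLs. Separately, `providerId: " https://sso.uds.dev/realms/uds"` has a leading space inside the quotes; this value is the IdP identifier SonarQube is told to expect, and whether the properties loader trims it is not something this repo shows, so drop the space.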
--- a/zarf.yaml +++ b/zarf.yaml @@ -19,7 +19,7 @@ variables: - name: SONARQUBE_IDAM_CLIENT_ID default: "" - name: SONARQUBE_IDAM_PROVIDER_NAME - default: "" + default: "Keycloak" - name: SONARQUBE_IDAM_REALM_URL default: "" - name: SONARQUBE_IDAM_SAML_CERT From 75f8e0b1c8d02ed2f9c1e2e4b946ffe19ebdf680 Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Fri, 5 Apr 2024 18:20:11 -0500 Subject: [PATCH 03/21] secret templating for the saml cert --- chart/templates/sonarqube-sso.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/chart/templates/sonarqube-sso.yaml b/chart/templates/sonarqube-sso.yaml index f3c2ca8..fe0b4f1 100644 --- a/chart/templates/sonarqube-sso.yaml +++ b/chart/templates/sonarqube-sso.yaml @@ -6,7 +6,7 @@ metadata: spec: sso: - name: Sonarqube Client - clientId: sonarqube-client + clientId: sonarqube redirectUris: - "https://sonarqube.uds.dev/oauth2/callback/saml" protocol: saml @@ -39,4 +39,4 @@ spec: secretName: sonarqube-sso secretTemplate: secret.properties: | - sonar.auth.saml.certificate.secured: 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 + sonar.auth.saml.certificate.secured: clientField(samlCertificate) From 8419aaced20e1258ab48f4828638959032107c12 Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Sun, 21 Apr 2024 11:59:34 -0500 Subject: [PATCH 04/21] sso secret templating --- chart/templates/sonarqube-sso.yaml | 31 +++++++----------------------- 1 file changed, 7 insertions(+), 24 deletions(-) diff --git a/chart/templates/sonarqube-sso.yaml b/chart/templates/sonarqube-sso.yaml index fe0b4f1..a7d9fc7 100644 --- a/chart/templates/sonarqube-sso.yaml +++ b/chart/templates/sonarqube-sso.yaml 
@@ -10,33 +10,16 @@ spec: redirectUris: - "https://sonarqube.uds.dev/oauth2/callback/saml" protocol: saml - defaultClientScopes: [] + defaultClientScopes: + - "mapper-saml-email-email" + - "mapper-saml-username-login" + - "mapper-saml-username-name" + attributes: saml.client.signature: "false" - protocolMappers: - - name: "Name" - protocol: "saml" - protocolMapper: "saml-user-property-mapper" - config: - user.attribute: "Username" - attribute.nameformat: "Basic" - attribute.name: "name" - - name: "Email" - protocol: "saml" - protocolMapper: "saml-user-property-mapper" - config: - user.attribute: "Email" - attribute.nameformat: "Basic" - attribute.name: "email" - - name: "Login" - protocol: "saml" - protocolMapper: "saml-user-property-mapper" - config: - user.attribute: "Username" - attribute.nameformat: "Basic" - attribute.name: "login" secretName: sonarqube-sso secretTemplate: secret.properties: | - sonar.auth.saml.certificate.secured: clientField(samlCertificate) + sonar.auth.saml.certificate.secured: clientField(samlIdpCertificate) + From faf1d4a917ef74783fea682c37408ba5f3594129 Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Thu, 25 Apr 2024 20:01:14 -0400 Subject: [PATCH 05/21] consolidate to uds-package template --- chart/templates/sonarqube-sso.yaml | 25 ------------------------- 1 file changed, 25 deletions(-) delete mode 100644 chart/templates/sonarqube-sso.yaml diff --git a/chart/templates/sonarqube-sso.yaml b/chart/templates/sonarqube-sso.yaml deleted file mode 100644 index a7d9fc7..0000000 --- a/chart/templates/sonarqube-sso.yaml +++ /dev/null 
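Review bot: Replacing the explicit `protocolMappers` with the `mapper-saml-email-email`, `mapper-saml-username-login` and `mapper-saml-username-name` client scopes makes the Keycloak-to-SonarQube contract implicit: the attribute names `login`, `name` and `email` that the `sonar.auth.saml.user.*` properties in values/common-values.yaml read are now defined by whatever those scopes emit in the realm, which this repository does not contain. A comment on the `defaultClientScopes` list should record that dependency, e.g. `# These scopes must exist in the realm (presumably provided by uds-core) and emit SAML attributes named login, name and email, matching sonar.auth.saml.user.* in values/common-values.yaml`. Without it, a realm-side rename of a scope or attribute silently produces SonarQube users with empty login or email fields rather than a visible config error.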
@@ -1,25 +0,0 @@ -apiVersion: uds.dev/v1alpha1 -kind: Package -metadata: - name: sonarqube-sso - namespace: {{ .Release.Namespace }} -spec: - sso: - - name: Sonarqube Client - clientId: sonarqube - redirectUris: - - "https://sonarqube.uds.dev/oauth2/callback/saml" - protocol: saml - defaultClientScopes: - - "mapper-saml-email-email" - - "mapper-saml-username-login" - - "mapper-saml-username-name" - - attributes: - saml.client.signature: "false" - - secretName: sonarqube-sso - secretTemplate: - secret.properties: | - sonar.auth.saml.certificate.secured: clientField(samlIdpCertificate) - From 9c8ae30c6cccf5e26ad278481213aa41954d313f Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Thu, 25 Apr 2024 20:02:06 -0400 Subject: [PATCH 06/21] consolidate to uds-package template --- chart/templates/uds-package.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index d46e8d3..49bc3c3 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml @@ -18,3 +18,21 @@ spec: podLabels: app: sonarqube remoteGenerated: Anywhere + sso: + - name: Sonarqube Client + clientId: sonarqube + redirectUris: + - "https://sonarqube.uds.dev/oauth2/callback/saml" + protocol: saml + defaultClientScopes: + - "mapper-saml-email-email" + - "mapper-saml-username-login" + - "mapper-saml-username-name" + + attributes: + saml.client.signature: "false" + + secretName: sonarqube-sso + secretTemplate: + secret.properties: | + sonar.auth.saml.certificate.secured: clientField(samlIdpCertificate) \ No newline at end of file From d702885d39b573a1742fc5863dd7520cbd977fa3 Mon Sep 17 00:00:00 2001 
From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Thu, 25 Apr 2024 23:23:42 -0400 Subject: [PATCH 07/21] refactoring --- chart/templates/uds-package.yaml | 43 ++++++++++++++++++++------------ chart/values.yaml | 8 ++++++ tasks.yaml | 10 ++++---- values/common-values.yaml | 11 -------- zarf.yaml | 18 ------------- 5 files changed, 40 insertions(+), 50 deletions(-) diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index 49bc3c3..f00242e 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml @@ -4,23 +4,10 @@ metadata: name: sonarqube namespace: {{ .Release.Namespace }} spec: - network: - expose: - - service: sonarqube-sonarqube - podLabels: - app: sonarqube - gateway: tenant - host: sonarqube - port: 9000 - allow: - # Todo: wide open for hitting in-cluster or external postgres - - direction: Egress - podLabels: - app: sonarqube - remoteGenerated: Anywhere + {{- if .Values.sso.enabled }} sso: - name: Sonarqube Client - clientId: sonarqube + clientId: uds-core-sonarqube redirectUris: - "https://sonarqube.uds.dev/oauth2/callback/saml" protocol: saml 
@@ -35,4 +22,28 @@ spec: secretName: sonarqube-sso secretTemplate: secret.properties: | - sonar.auth.saml.certificate.secured: clientField(samlIdpCertificate) \ No newline at end of file + sonar.auth.saml.enabled: {{ .Values.sso.enabled }} + sonar.core.serverBaseURL: https://sonarqube.{{ .Values.domain }} + sonar.auth.saml.applicationId: uds-core-sonarqube + sonar.auth.saml.providerName: Keycloak + sonar.auth.saml.providerId: https://sso.{{ .Values.domain }}/realms/uds + sonar.auth.saml.loginUrl: https://sso.{{ .Values.domain }}/realms/uds/protocol/saml + sonar.auth.saml.user.login: {{ .Values.sso.saml.user.login }} + sonar.auth.saml.user.name: {{ .Values.sso.saml.user.name }} + sonar.auth.saml.user.email: {{ .Values.sso.saml.user.email }} + sonar.auth.saml.certificate.secured: clientField(samlIdpCertificate) + {{- end }} + network: + expose: + - service: sonarqube-sonarqube + podLabels: + app: sonarqube + gateway: tenant + host: sonarqube + port: 9000 + allow: + # Todo: wide open for hitting in-cluster or external postgres + - direction: Egress + podLabels: + app: uds-core-sonarqube + remoteGenerated: Anywhere diff --git a/chart/values.yaml b/chart/values.yaml index e69de29..bdde185 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -0,0 +1,8 @@ +domain: "###ZARF_VAR_DOMAIN###" +sso: + enabled: true + saml: + user: + login: login + name: name + email: email diff --git a/tasks.yaml b/tasks.yaml index 1f2b4ac..7397c3b 100644 --- a/tasks.yaml +++ b/tasks.yaml 
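Review bot: The templated `secret.properties` derives `sonar.auth.saml.providerId` and `sonar.auth.saml.loginUrl` from `.Values.domain` but leaves the realm segment `/realms/uds` as a literal, so the chart cannot be pointed at any other Keycloak realm without editing the template. Either expose it as a value (`realm: uds` under `sso:` in chart/values.yaml, then `https://sso.{{ .Values.domain }}/realms/{{ .Values.sso.realm }}`) or add `# The uds realm name is a fixed contract with uds-core` next to those two lines. Also, `sonar.auth.saml.enabled: {{ .Values.sso.enabled }}` sits inside the `{{- if .Values.sso.enabled }}` guard opened in the previous hunk and can therefore only ever render `true`; writing the literal `sonar.auth.saml.enabled: true` makes that obvious to the next reader.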
@@ -2,11 +2,11 @@ includes: - cleanup: ./tasks/cleanup.yaml - dependencies: ./tasks/dependencies.yaml - test: ./tasks/test.yaml - - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.11/tasks/create.yaml - - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.11/tasks/lint.yaml - - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.11/tasks/pull.yaml - - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.11/tasks/deploy.yaml - - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.11/tasks/setup.yaml + - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/create.yaml + - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/lint.yaml + - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/pull.yaml + - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/deploy.yaml + - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/setup.yaml tasks: - name: default diff --git a/values/common-values.yaml b/values/common-values.yaml index 1a2fe97..f31fd34 100644 --- a/values/common-values.yaml +++ b/values/common-values.yaml @@ -3,17 +3,6 @@ OpenShift: edition: "community" -sonarProperties: - sonar.auth.saml.enabled: true - sonar.core.serverBaseURL: https://sonarqube.uds.dev - sonar.auth.saml.applicationId: sonarqube - sonar.auth.saml.providerName: "Keycloak" - sonar.auth.saml.providerId: " https://sso.uds.dev/realms/uds" - sonar.auth.saml.loginUrl: "https://sso.uds.dev/realms/uds/protocol/saml" - sonar.auth.saml.user.login: login - sonar.auth.saml.user.name: name - sonar.auth.saml.user.email: email - sonarSecretProperties: sonarqube-sso diff --git a/zarf.yaml b/zarf.yaml index 3e54d3c..b544685 100644 --- a/zarf.yaml +++ b/zarf.yaml 
@@ -14,24 +14,6 @@ variables: default: "false" - name: DOMAIN default: "uds.dev" - - name: SONARQUBE_IDAM_ENABLED - default: "false" - - name: SONARQUBE_IDAM_CLIENT_ID - default: "" - - name: SONARQUBE_IDAM_PROVIDER_NAME - default: "Keycloak" - - name: SONARQUBE_IDAM_REALM_URL - default: "" - - name: SONARQUBE_IDAM_SAML_CERT - default: "" - - name: SONARQUBE_IDAM_ATTR_LOGIN - default: "" - - name: SONARQUBE_IDAM_ATTR_NAME - default: "" - - name: SONARQUBE_IDAM_ATTR_EMAIL - default: "" - - name: SONARQUBE_IDAM_ATTR_GROUP - default: "" - name: SONARQUBE_DB_NAME default: "sonarqubedb" - name: SONARQUBE_DB_USERNAME From 8af116b73fd050bfaa780d9130224e23fe5792fe Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Thu, 25 Apr 2024 23:25:00 -0400 Subject: [PATCH 08/21] fix copy pasta --- chart/templates/uds-package.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index f00242e..427ce4f 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml @@ -45,5 +45,5 @@ spec: # Todo: wide open for hitting in-cluster or external postgres - direction: Egress podLabels: - app: uds-core-sonarqube + app: sonarqube remoteGenerated: Anywhere From b7f0ad00d3502b6d76ee21efcacbaaf0b0bd136b Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Thu, 25 Apr 2024 23:26:15 -0400 Subject: [PATCH 09/21] renamed task --- tasks.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/tasks.yaml b/tasks.yaml index 7397c3b..935d934 100644 --- a/tasks.yaml +++ b/tasks.yaml 
@@ -39,13 +39,11 @@ tasks: - task: dependencies:create - task: create:test-bundle - - name: test-package-app-only - description: Test the health of a SonarQube deployment + - name: dev + description: Create and deploy the bundle against an existing cluster actions: - task: create-sq-test-bundle - task: deploy:test-bundle - - task: test:health-check - - task: test:ingress # CI will execute the following (via uds-common/.github/actions/test) so they need to be here with these names From 5083f6f715f5dfc60ca3c851e3be54f2c6838fb3 Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Fri, 26 Apr 2024 16:14:43 -0400 Subject: [PATCH 10/21] moved some more things to variables --- chart/templates/uds-package.yaml | 11 +++++------ chart/values.yaml | 2 ++ values/common-values.yaml | 14 ++++++++++++-- 3 files changed, 19 insertions(+), 8 deletions(-) diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index 427ce4f..9b60b24 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml @@ -4,12 +4,11 @@ metadata: name: sonarqube namespace: {{ .Release.Namespace }} spec: - {{- if .Values.sso.enabled }} sso: - name: Sonarqube Client - clientId: uds-core-sonarqube + clientId: {{ .Values.sso.clientId }} redirectUris: - - "https://sonarqube.uds.dev/oauth2/callback/saml" + - "https://sonarqube.{{ .Values.domain }}/oauth2/callback/saml" protocol: saml defaultClientScopes: - "mapper-saml-email-email" 
@@ -20,19 +19,19 @@ spec: saml.client.signature: "false" secretName: sonarqube-sso + # This secret template configures the sonarqube saml support documented here: https://docs.sonarsource.com/sonarqube/latest/instance-administration/authentication/saml/overview/ secretTemplate: secret.properties: | sonar.auth.saml.enabled: {{ .Values.sso.enabled }} sonar.core.serverBaseURL: https://sonarqube.{{ .Values.domain }} - sonar.auth.saml.applicationId: uds-core-sonarqube - sonar.auth.saml.providerName: Keycloak + sonar.auth.saml.applicationId: {{ .Values.sso.clientId }} + sonar.auth.saml.providerName: {{ .Values.sso.saml.providerName }} sonar.auth.saml.providerId: https://sso.{{ .Values.domain }}/realms/uds sonar.auth.saml.loginUrl: https://sso.{{ .Values.domain }}/realms/uds/protocol/saml sonar.auth.saml.user.login: {{ .Values.sso.saml.user.login }} sonar.auth.saml.user.name: {{ .Values.sso.saml.user.name }} sonar.auth.saml.user.email: {{ .Values.sso.saml.user.email }} sonar.auth.saml.certificate.secured: clientField(samlIdpCertificate) - {{- end }} network: expose: - service: sonarqube-sonarqube diff --git a/chart/values.yaml b/chart/values.yaml index bdde185..007a488 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -1,7 +1,9 @@ domain: "###ZARF_VAR_DOMAIN###" sso: enabled: true + clientId: uds-core-sonarqube saml: + providerName: Keycloak # This is displayed on the login screen ("Log in with ") user: login: login name: name diff --git a/values/common-values.yaml b/values/common-values.yaml index f31fd34..47663d1 100644 --- a/values/common-values.yaml +++ b/values/common-values.yaml @@ -3,9 +3,10 @@ OpenShift: edition: "community" +# Name of the secret from which to load additional properties: https://community.sonarsource.com/t/additional-sonar-properties-to-load-from-a-secret/73748 +# This secret will be created by the uds operator based on the sso spec defined in chart/templates/uds-package.yaml sonarSecretProperties: sonarqube-sso - monitoring: enabled: true 
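Review bot: Dropping the `{{- if .Values.sso.enabled }}` / `{{- end }}` guard around the `sso:` spec means the Keycloak client, its redirect URI and the secret carrying the IdP certificate are created unconditionally, even when `sso.enabled` is false and the rendered `sonar.auth.saml.enabled: false` tells SonarQube to ignore them. That leaves an unused SAML client registered in the realm, which runs against least privilege; keep the guard and write the SonarQube-side flag as the literal `sonar.auth.saml.enabled: true` inside it. A disabled install will then presumably need a minimal secret of its own, since `sonarSecretProperties` in values/common-values.yaml still names this secret for mounting. The move of `redirectUris` onto `{{ .Values.domain }}` in the first hunk is the right fix for the earlier literal.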
@@ -33,4 +34,13 @@ postgresql: service: port: 5432 -domain: ###ZARF_VAR_DOMAIN### +# upstream chart has some more reasonable resources, been testing with these +# resources: +# limits: +# cpu: 800m +# memory: 6144M +# ephemeral-storage: 512000M +# requests: +# cpu: 400m +# memory: 2048M +# ephemeral-storage: 1536M From fefb429e535ca9de43587704ca8c4dd27d082035 Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Mon, 29 Apr 2024 13:10:26 -0500 Subject: [PATCH 11/21] cleaning up --- values/common-values.yaml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/values/common-values.yaml b/values/common-values.yaml index 47663d1..3c56a04 100644 --- a/values/common-values.yaml +++ b/values/common-values.yaml @@ -33,14 +33,3 @@ postgresql: postgresqlDatabase: ###ZARF_VAR_SONARQUBE_DB_NAME### service: port: 5432 - -# upstream chart has some more reasonable resources, been testing with these -# resources: -# limits: -# cpu: 800m -# memory: 6144M -# ephemeral-storage: 512000M -# requests: -# cpu: 400m -# memory: 2048M -# ephemeral-storage: 1536M From ff8effc145a338250a58a1c20dc1c287927058a6 Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Tue, 30 Apr 2024 09:08:00 -0500 Subject: [PATCH 12/21] update login name --- chart/templates/uds-package.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index 9b60b24..e316bb9 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml @@ -5,7 +5,7 @@ metadata: namespace: {{ .Release.Namespace }} spec: sso: - - name: Sonarqube Client + - name: SonarQube Login clientId: {{ .Values.sso.clientId }} redirectUris: - "https://sonarqube.{{ .Values.domain }}/oauth2/callback/saml" From 0b504c873663f0419a8b37c4261e6ac02c33b317 Mon Sep 17 00:00:00 2001 
From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Tue, 30 Apr 2024 09:26:58 -0500 Subject: [PATCH 13/21] wording --- chart/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/values.yaml b/chart/values.yaml index 007a488..c1f713a 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -3,7 +3,7 @@ sso: enabled: true clientId: uds-core-sonarqube saml: - providerName: Keycloak # This is displayed on the login screen ("Log in with ") + providerName: Keycloak # This is displayed on the SonarQube landing screen ("Log in with ") user: login: login name: name From 2841aebce0575973c6c2c5f72b646692bd4bca8b Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Tue, 30 Apr 2024 10:05:41 -0500 Subject: [PATCH 14/21] refactoring --- chart/templates/uds-package.yaml | 4 ++-- chart/values.yaml | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index e316bb9..0083001 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml @@ -6,7 +6,7 @@ metadata: spec: sso: - name: SonarQube Login - clientId: {{ .Values.sso.clientId }} + clientId: uds-swf-sonarqube redirectUris: - "https://sonarqube.{{ .Values.domain }}/oauth2/callback/saml" protocol: saml @@ -24,7 +24,7 @@ spec: secret.properties: | sonar.auth.saml.enabled: {{ .Values.sso.enabled }} sonar.core.serverBaseURL: https://sonarqube.{{ .Values.domain }} - sonar.auth.saml.applicationId: {{ .Values.sso.clientId }} + sonar.auth.saml.applicationId: clientField(clientId) sonar.auth.saml.providerName: {{ .Values.sso.saml.providerName }} sonar.auth.saml.providerId: https://sso.{{ .Values.domain }}/realms/uds sonar.auth.saml.loginUrl: https://sso.{{ .Values.domain }}/realms/uds/protocol/saml diff --git a/chart/values.yaml b/chart/values.yaml index c1f713a..e2f81a4 100644 --- a/chart/values.yaml +++ b/chart/values.yaml 
@@ -1,7 +1,6 @@ domain: "###ZARF_VAR_DOMAIN###" sso: enabled: true - clientId: uds-core-sonarqube saml: providerName: Keycloak # This is displayed on the SonarQube landing screen ("Log in with ") user: From 7c5b2a71ada459fd77f2d8fe2deeaa84ba73d129 Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Tue, 30 Apr 2024 10:15:51 -0500 Subject: [PATCH 15/21] refactoring --- chart/templates/uds-package.yaml | 6 +++--- chart/values.yaml | 5 +---- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index 0083001..e730bf3 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml @@ -28,9 +28,9 @@ spec: sonar.auth.saml.providerName: {{ .Values.sso.saml.providerName }} sonar.auth.saml.providerId: https://sso.{{ .Values.domain }}/realms/uds sonar.auth.saml.loginUrl: https://sso.{{ .Values.domain }}/realms/uds/protocol/saml - sonar.auth.saml.user.login: {{ .Values.sso.saml.user.login }} - sonar.auth.saml.user.name: {{ .Values.sso.saml.user.name }} - sonar.auth.saml.user.email: {{ .Values.sso.saml.user.email }} + sonar.auth.saml.user.login: login + sonar.auth.saml.user.name: name + sonar.auth.saml.user.email: email sonar.auth.saml.certificate.secured: clientField(samlIdpCertificate) network: expose: diff --git a/chart/values.yaml b/chart/values.yaml index e2f81a4..79379a9 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -3,7 +3,4 @@ sso: enabled: true saml: providerName: Keycloak # This is displayed on the SonarQube landing screen ("Log in with ") - user: - login: login - name: name - email: email + From f1af10306c1080dbc855dd1b98abb3b5c6e7bdcb Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Tue, 30 Apr 2024 10:26:22 -0500 Subject: [PATCH 16/21] lint --- chart/values.yaml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/chart/values.yaml b/chart/values.yaml index 79379a9..9e686ed 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -3,4 +3,3 @@ sso: enabled: true saml: providerName: Keycloak # This is displayed on the SonarQube landing screen ("Log in with ") - From a71c6e88c820d60e1b1aa974e2bb0bfcac9d2480 Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Tue, 30 Apr 2024 12:30:00 -0500 Subject: [PATCH 17/21] skip secret and client generation if sso is not enabled --- chart/templates/sonarqube-sso-secret.yaml | 16 ++++++++++++++++ chart/templates/uds-package.yaml | 4 +++- chart/values.yaml | 1 + values/common-values.yaml | 2 +- zarf.yaml | 2 ++ 5 files changed, 23 insertions(+), 2 deletions(-) create mode 100644 chart/templates/sonarqube-sso-secret.yaml diff --git a/chart/templates/sonarqube-sso-secret.yaml b/chart/templates/sonarqube-sso-secret.yaml new file mode 100644 index 0000000..1b30523 --- /dev/null +++ b/chart/templates/sonarqube-sso-secret.yaml @@ -0,0 +1,16 @@ +# This secret will be used if sso is disabled, instead of the templated one in uds-package.yaml. +# Sonarqube needs to mount the secret and creating it this way avoids creating an unnecessary +# client in the keycloak realm and unnecessary secret data in the cluster. +{{- if not .Values.sso.enabled }} + +apiVersion: v1 +kind: Secret +metadata: + name: "###ZARF_VAR_SONARQUBE_SSO_SECRET_NAME###" + namespace: {{ .Release.Namespace }} +type: "Opaque" +stringData: + secret.properties: | + sonar.auth.saml.enabled: {{ .Values.sso.enabled }} + +{{- end }} diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml index e730bf3..0779eae 100644 --- a/chart/templates/uds-package.yaml +++ b/chart/templates/uds-package.yaml @@ -4,6 +4,7 @@ metadata: name: sonarqube namespace: {{ .Release.Namespace }} spec: + {{- if .Values.sso.enabled }} sso: - name: SonarQube Login clientId: uds-swf-sonarqube 
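Review bot: In the new chart/templates/sonarqube-sso-secret.yaml, `sonar.auth.saml.enabled: {{ .Values.sso.enabled }}` is rendered inside `{{- if not .Values.sso.enabled }}` and so can only ever be `false`; write the literal `sonar.auth.saml.enabled: false` so the intent is visible without evaluating the guard. The `name: "###ZARF_VAR_SONARQUBE_SSO_SECRET_NAME###"` on a Helm template also bypasses the `sso.secretName` value this same commit introduces for the operator-created secret; `name: {{ .Values.sso.secretName }}` keeps both code paths producing the secret name from one source. Since the header comment explains the fallback exists only to satisfy the mount, it would help to add which chart value consumes it: `# Consumed via sonarSecretProperties in values/common-values.yaml`.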
@@ -18,7 +19,7 @@ spec: attributes: saml.client.signature: "false" - secretName: sonarqube-sso + secretName: {{ .Values.sso.secretName }} # This secret template configures the sonarqube saml support documented here: https://docs.sonarsource.com/sonarqube/latest/instance-administration/authentication/saml/overview/ secretTemplate: secret.properties: | @@ -32,6 +33,7 @@ spec: sonar.auth.saml.user.name: name sonar.auth.saml.user.email: email sonar.auth.saml.certificate.secured: clientField(samlIdpCertificate) + {{- end }} network: expose: - service: sonarqube-sonarqube diff --git a/chart/values.yaml b/chart/values.yaml index 9e686ed..1bd29dc 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -1,5 +1,6 @@ domain: "###ZARF_VAR_DOMAIN###" sso: enabled: true + secretName: "###ZARF_VAR_SONARQUBE_SSO_SECRET_NAME###" saml: providerName: Keycloak # This is displayed on the SonarQube landing screen ("Log in with ") diff --git a/values/common-values.yaml b/values/common-values.yaml index 3c56a04..e736e37 100644 --- a/values/common-values.yaml +++ b/values/common-values.yaml @@ -5,7 +5,7 @@ edition: "community" # Name of the secret from which to load additional properties: https://community.sonarsource.com/t/additional-sonar-properties-to-load-from-a-secret/73748 # This secret will be created by the uds operator based on the sso spec defined in chart/templates/uds-package.yaml -sonarSecretProperties: sonarqube-sso +sonarSecretProperties: "###ZARF_VAR_SONARQUBE_SSO_SECRET_NAME###" monitoring: enabled: true diff --git a/zarf.yaml b/zarf.yaml index b544685..946d17c 100644 --- a/zarf.yaml +++ b/zarf.yaml @@ -20,6 +20,8 @@ variables: default: "sonarqube" - name: SONARQUBE_DB_ENDPOINT default: "postgres" + - name: SONARQUBE_SSO_SECRET_NAME + default: "sonarqube-sso" components: - name: sonarqube From b29f394e6b3aeb80563955e5f26aab41820daf21 Mon Sep 17 00:00:00 2001 
From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Tue, 30 Apr 2024 12:36:14 -0500 Subject: [PATCH 18/21] refactor --- chart/templates/sonarqube-sso-secret.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/templates/sonarqube-sso-secret.yaml b/chart/templates/sonarqube-sso-secret.yaml index 1b30523..8711237 100644 --- a/chart/templates/sonarqube-sso-secret.yaml +++ b/chart/templates/sonarqube-sso-secret.yaml @@ -6,7 +6,7 @@ apiVersion: v1 kind: Secret metadata: - name: "###ZARF_VAR_SONARQUBE_SSO_SECRET_NAME###" + name: {{ .Values.sso.secretName }} namespace: {{ .Release.Namespace }} type: "Opaque" stringData: From 9a18f0485ec55012f2ea870241230ffb429ee74e Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Tue, 30 Apr 2024 13:13:48 -0500 Subject: [PATCH 19/21] zarf constant --- chart/values.yaml | 4 ++-- zarf.yaml | 6 ++++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index 1bd29dc..9924f92 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -1,6 +1,6 @@ domain: "###ZARF_VAR_DOMAIN###" sso: - enabled: true - secretName: "###ZARF_VAR_SONARQUBE_SSO_SECRET_NAME###" + enabled: false + secretName: "###ZARF_CONST_SONARQUBE_SSO_SECRET_NAME###" saml: providerName: Keycloak # This is displayed on the SonarQube landing screen ("Log in with ") diff --git a/zarf.yaml b/zarf.yaml index 946d17c..311e95e 100644 --- a/zarf.yaml +++ b/zarf.yaml @@ -7,6 +7,10 @@ metadata: version: "8.0.3-uds.6" # x-release-please-end +constants: + - name: SONARQUBE_SSO_SECRET_NAME + default: "sonarqube-sso" + variables: - name: SONARQUBE_DEPENDS_ON default: "[]" @@ -20,8 +24,6 @@ variables: default: "sonarqube" - name: SONARQUBE_DB_ENDPOINT default: "postgres" - - name: SONARQUBE_SSO_SECRET_NAME - default: "sonarqube-sso" components: - name: sonarqube From d74acdbc9c13eaedd0ccede3b9a5d51f4fd54be8 Mon Sep 17 00:00:00 2001 
From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Tue, 30 Apr 2024 14:22:13 -0500 Subject: [PATCH 20/21] missed a spot --- values/common-values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/values/common-values.yaml b/values/common-values.yaml index e736e37..52bdc61 100644 --- a/values/common-values.yaml +++ b/values/common-values.yaml @@ -5,7 +5,7 @@ edition: "community" # Name of the secret from which to load additional properties: https://community.sonarsource.com/t/additional-sonar-properties-to-load-from-a-secret/73748 # This secret will be created by the uds operator based on the sso spec defined in chart/templates/uds-package.yaml -sonarSecretProperties: "###ZARF_VAR_SONARQUBE_SSO_SECRET_NAME###" +sonarSecretProperties: "###ZARF_CONST_SONARQUBE_SSO_SECRET_NAME###" monitoring: enabled: true From 1e9c39861ad6a6aac82e237c0a955c852db36b2a Mon Sep 17 00:00:00 2001 From: Eric Wyles <23637493+ericwyles@users.noreply.github.com> Date: Tue, 30 Apr 2024 15:00:20 -0500 Subject: [PATCH 21/21] refactor --- chart/values.yaml | 4 ++-- values/common-values.yaml | 2 +- zarf.yaml | 4 ---- 3 files changed, 3 insertions(+), 7 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index 9924f92..d6efbc5 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -1,6 +1,6 @@ domain: "###ZARF_VAR_DOMAIN###" sso: - enabled: false - secretName: "###ZARF_CONST_SONARQUBE_SSO_SECRET_NAME###" + enabled: true + secretName: sonarqube-sso saml: providerName: Keycloak # This is displayed on the SonarQube landing screen ("Log in with ") diff --git a/values/common-values.yaml b/values/common-values.yaml index 52bdc61..3c56a04 100644 --- a/values/common-values.yaml +++ b/values/common-values.yaml 
@@ -5,7 +5,7 @@ edition: "community" # Name of the secret from which to load additional properties: https://community.sonarsource.com/t/additional-sonar-properties-to-load-from-a-secret/73748 # This secret will be created by the uds operator based on the sso spec defined in chart/templates/uds-package.yaml -sonarSecretProperties: "###ZARF_CONST_SONARQUBE_SSO_SECRET_NAME###" +sonarSecretProperties: sonarqube-sso monitoring: enabled: true diff --git a/zarf.yaml b/zarf.yaml index 311e95e..b544685 100644 --- a/zarf.yaml +++ b/zarf.yaml @@ -7,10 +7,6 @@ metadata: version: "8.0.3-uds.6" # x-release-please-end -constants: - - name: SONARQUBE_SSO_SECRET_NAME - default: "sonarqube-sso" - variables: - name: SONARQUBE_DEPENDS_ON default: "[]"
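Review bot: Removing the `SONARQUBE_SSO_SECRET_NAME` constant leaves the secret name as two independent literals, `secretName: sonarqube-sso` in chart/values.yaml and `sonarSecretProperties: sonarqube-sso` in values/common-values.yaml, that must stay identical or SonarQube mounts a secret nobody creates; a comment on each side should name the other, e.g. `# Must match sso.secretName in chart/values.yaml` above this line. The existing comment above it is also now incomplete: with `sso.enabled` false the secret comes from chart/templates/sonarqube-sso-secret.yaml rather than the uds operator, so reword it to `# Created by the uds operator from the sso spec in chart/templates/uds-package.yaml when sso.enabled is true, otherwise by chart/templates/sonarqube-sso-secret.yaml`.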