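# Default values for sonarqube.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
#
# Layout note: block style, two-space indent throughout. Several defaults
# below are placeholders (passwords, passcode) that are meant to be
# overridden per deployment; they are flagged inline.

# If the deployment Type is set to Deployment sonarqube is deployed as a replica set.
deploymentType: "StatefulSet"

# There should not be more than 1 sonarqube instance connected to the same database. Please set this value to 1 or 0 (in case you need to scale down programmatically).
replicaCount: 1

# This will use the default deployment strategy unless it is overridden
deploymentStrategy: {}
# Uncomment this to schedule pods by priority
# priorityClassName: "high-priority"

## Use an alternate scheduler, e.g. "stork".
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
# schedulerName:

## Is this deployment for OpenShift? If so, we help with SCCs
OpenShift:
  enabled: false
  createSCC: true

edition: "community"

image:
  repository: sonarqube
  # Quoted so the value is always read as a string; the chart renders the
  # template expression inside it.
  tag: "10.2.1-{{ .Values.edition }}"
  pullPolicy: IfNotPresent
  # If using a private repository, the imagePullSecrets to use
  # pullSecrets:
  #   - name: my-repo-secret

# Set security context for sonarqube pod
securityContext:
  fsGroup: 1000

# Set security context for sonarqube container
# Only runAsUser is set here; hardening fields such as
# allowPrivilegeEscalation or capabilities must be added explicitly if your
# cluster policy requires them.
containerSecurityContext:
  # Sonarqube dockerfile creates sonarqube user as UID and GID 1000
  runAsUser: 1000

# Settings to configure elasticsearch host requirements
elasticsearch:
  # DEPRECATED: Use initSysctl.enabled instead
  configureNode: true
  bootstrapChecks: true

service:
  type: ClusterIP
  externalPort: 9000
  internalPort: 9000
  # NOTE: a bare key parses as null, not as an empty map (compare
  # annotations below); supply a mapping here to add labels.
  labels:
  annotations: {}
  # May be used in example for internal load balancing in GCP:
  # cloud.google.com/load-balancer-type: Internal
  # loadBalancerSourceRanges:
  #   - 0.0.0.0/0
  # loadBalancerIP: 1.2.3.4

# Optionally create Network Policies
networkPolicy:
  enabled: false

  # If you plan on using the jmx exporter, you need to define where the traffic is coming from
  prometheusNamespace: "monitoring"

  # If you are using an external database and enable network Policies to be created
  # you will need to explicitly allow egress traffic to your database
  # expects https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#networkpolicyspec-v1-networking-k8s-io
  # additionalNetworkPolicys:

# will be used as default for ingress path and probes path, will be injected in .Values.env as SONAR_WEB_CONTEXT
# if .Values.env.SONAR_WEB_CONTEXT is set, this value will be ignored
sonarWebContext: ""

# also install the nginx ingress helm chart
nginx:
  enabled: false

ingress:
  enabled: false
  # Used to create an Ingress record.
  hosts:
    - name: sonarqube.your-org.com
      # Different clouds or configurations might need /* as the default path
      # path: /
      # For additional control over serviceName and servicePort
      # serviceName: someService
      # servicePort: somePort
      # the pathType can be one of the following values: Exact|Prefix|ImplementationSpecific(default)
      # pathType: ImplementationSpecific
  annotations:
    # kubernetes.io/tls-acme: "true"
    # This property allows for reports up to a certain size to be uploaded to SonarQube
    nginx.ingress.kubernetes.io/proxy-body-size: "64m"

  # Set the ingressClassName on the ingress record
  # ingressClassName: nginx

  # Additional labels for Ingress manifest file
  # labels:
  #   traffic-type: external
  #   traffic-type: internal

  # With an empty list the Ingress serves plain HTTP only; add a TLS entry
  # (and its secret) before exposing the instance outside the cluster.
  tls: []
  # Secrets must be manually created in the namespace. To generate a self-signed certificate (and private key) and then create the secret in the cluster please refer to official documentation available at https://kubernetes.github.io/ingress-nginx/user-guide/tls/#tls-secrets
  # - secretName: chart-example-tls
  #   hosts:
  #     - chart-example.local

route:
  enabled: false
  host: ""
  # Add tls section to secure traffic. TODO: extend this section with other secure route settings
  # Comment this out if you want plain http route created.
  tls:
    termination: edge

  annotations: {}
  # See Openshift/OKD route annotation
  # https://docs.openshift.com/container-platform/4.10/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration
  # haproxy.router.openshift.io/timeout: 1m

  # Additional labels for Route manifest file
  # labels:
  #   external: 'true'

# Affinity for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}

# Tolerations for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
# taint a node with the following command to mark it as not schedulable for new pods
# kubectl taint nodes <node> sonarqube=true:NoSchedule
# The following statement will tolerate this taint and as such reserve a node for sonarqube
tolerations: []
#   - key: "sonarqube"
#     operator: "Equal"
#     value: "true"
#     effect: "NoSchedule"

# Node labels for pod assignment
# Ref: https://kubernetes.io/docs/user-guide/node-selection/
# add a label to a node with the following command
# kubectl label node <node> sonarqube=true
nodeSelector: {}
#   sonarqube: "true"

# hostAliases allows the modification of the hosts file inside a container
hostAliases: []
# - ip: "192.168.1.10"
#   hostnames:
#     - "example.com"
#     - "www.example.com"

readinessProbe:
  initialDelaySeconds: 60
  periodSeconds: 30
  failureThreshold: 6
  # Note that timeoutSeconds was not respected before Kubernetes 1.20 for exec probes
  timeoutSeconds: 1
  # If an ingress *path* other than the root (/) is defined, it should be reflected here
  # A trailing "/" must be included
  # deprecated please use sonarWebContext at the value top level
  # sonarWebContext: /

livenessProbe:
  initialDelaySeconds: 60
  periodSeconds: 30
  failureThreshold: 6
  # Note that timeoutSeconds was not respected before Kubernetes 1.20 for exec probes
  timeoutSeconds: 1
  # If an ingress *path* other than the root (/) is defined, it should be reflected here
  # A trailing "/" must be included
  # deprecated please use sonarWebContext at the value top level
  # sonarWebContext: /

startupProbe:
  initialDelaySeconds: 30
  periodSeconds: 10
  failureThreshold: 24
  # Note that timeoutSeconds was not respected before Kubernetes 1.20 for exec probes
  timeoutSeconds: 1
  # If an ingress *path* other than the root (/) is defined, it should be reflected here
  # A trailing "/" must be included
  # deprecated please use sonarWebContext at the value top level
  # sonarWebContext: /

initContainers:
  # image: busybox:1.32
  # We allow the init containers to have a separate security context declaration because
  # the initContainer may not require the same as SonarQube.
  # securityContext: {}
  # We allow the init containers to have a separate resources declaration because
  # the initContainer does not take as much resources.
  resources: {}

# Extra init containers to e.g. download required artifacts
extraInitContainers: {}

## Array of extra containers to run alongside the sonarqube container
##
## Example:
## - name: myapp-container
##   image: busybox
##   command: ['sh', '-c', 'echo Hello && sleep 3600']
##
extraContainers: []

## Provide a secret containing one or more certificate files in the keys that will be added to cacerts
## The cacerts file will be set via SONARQUBE_WEB_JVM_OPTS and SONAR_CE_JAVAOPTS
##
caCerts:
  enabled: false
  # "alpine" is a floating tag; pin a specific version (or digest) for
  # reproducible builds.
  image: adoptopenjdk/openjdk11:alpine
  secret: your-secret

# The init container below runs privileged so it can write kernel sysctls.
# If the nodes are already tuned (vm.max_map_count, fs.file-max, ulimits),
# set enabled: false so no privileged container is scheduled.
initSysctl:
  enabled: true
  vmMaxMapCount: 524288
  fsFileMax: 131072
  nofile: 131072
  nproc: 8192
  # image: busybox:1.32
  securityContext:
    privileged: true
  # resources: {}

# Privileged init container that prepares the filesystem; disable when the
# volume permissions are already correct (see persistence.uid).
initFs:
  enabled: true
  # image: busybox:1.32
  securityContext:
    privileged: true

prometheusExporter:
  enabled: false
  # jmx_prometheus_javaagent version to download from Maven Central
  version: "0.17.2"
  # Alternative full download URL for the jmx_prometheus_javaagent.jar (overrides prometheusExporter.version)
  # downloadURL: ""
  # if you need to ignore TLS certificates for whatever reason enable the following flag
  # Leaving this false keeps the downloaded agent jar protected by TLS
  # verification; set true only for a trusted internal mirror.
  noCheckCertificate: false

  # Ports for the jmx prometheus agent to export metrics at
  webBeanPort: 8000
  ceBeanPort: 8001

  config:
    rules:
      - pattern: ".*"
  # Overrides config for the CE process Prometheus exporter (by default, the same rules are used for both the Web and CE processes).
  # ceConfig:
  #   rules:
  #     - pattern: ".*"
  # image: curlimages/curl:8.2.0
  # For use behind a corporate proxy when downloading prometheus
  # httpProxy: ""
  # httpsProxy: ""
  # noProxy: ""
  # Setting the security context to the default sonarqube user 1000/1000
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000

prometheusMonitoring:
  # Generate a Prometheus Pod Monitor (https://github.com/coreos/prometheus-operator)
  #
  podMonitor:
    # Create PodMonitor Resource for Prometheus scraping
    enabled: false
    # Specify a custom namespace where the PodMonitor will be created
    namespace: "default"
    # Specify the interval how often metrics should be scraped
    interval: 30s
    # Specify the timeout after a scrape is ended
    # scrapeTimeout: ""
    # Name of the label on target services that prometheus uses as job name
    # jobLabel: ""

# List of plugins to install.
# Plugins are fetched from the given URLs at start-up and run inside the
# SonarQube JVM; use pinned release URLs from sources you trust.
# For example:
# plugins:
#   install:
#     - "https://github.com/AmadeusITGroup/sonar-stash/releases/download/1.3.0/sonar-stash-plugin-1.3.0.jar"
#     - "https://github.com/SonarSource/sonar-ldap/releases/download/2.2-RC3/sonar-ldap-plugin-2.2.0.601.jar"
#
plugins:
  install: []

  # For use behind a corporate proxy when downloading plugins
  # httpProxy: ""
  # httpsProxy: ""
  # noProxy: ""

  # image: curlimages/curl:8.2.0
  # resources: {}

  # .netrc secret file with a key "netrc" to use basic auth while downloading plugins
  # netrcCreds: ""

  # Set to true to not validate the server's certificate to download plugin
  # Keep false unless the download host is a trusted internal mirror.
  noCheckCertificate: false
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000

## (DEPRECATED) Please use SONAR_WEB_JAVAOPTS or sonar.web.javaOpts
##
# jvmOpts: "-Djava.net.preferIPv4Stack=true"
jvmOpts: ""

## (DEPRECATED) Please use SONAR_CE_JAVAOPTS or sonar.ce.javaOpts
jvmCeOpts: ""

## a monitoring passcode needs to be defined in order to get reasonable probe results
# not setting the monitoring passcode will result in a deployment that will never be ready
# "define_it" is a placeholder, not a usable secret: override it, or better,
# use the existing-secret options below so the passcode never lives in a
# values file under version control.
monitoringPasscode: "define_it"
# Alternatively, you can define the passcode loading it from an existing secret specifying the right key
# monitoringPasscodeSecretName: "pass-secret-name"
# monitoringPasscodeSecretKey: "pass-key"

## Environment variables to attach to the pods
##
# env:
#   # If you use a different ingress path from /, you have to add it here as the value of SONAR_WEB_CONTEXT
#   - name: SONAR_WEB_CONTEXT
#     value: /sonarqube
#   - name: VARIABLE
#     value: my-value

# Set annotations for pods
annotations: {}

## We usually don't make specific resource recommendations, as they are heavily dependent on
## The usage of SonarQube and the surrounding infrastructure.
## Adjust these values to your needs, but make sure that the memory limit is never under 4 GB
resources:
  limits:
    cpu: 800m
    memory: 4Gi
  requests:
    cpu: 400m
    memory: 2Gi

persistence:
  enabled: false
  ## Set annotations on pvc
  annotations: {}

  ## Specify an existing volume claim instead of creating a new one.
  ## When using this option all following options like storageClass, accessMode and size are ignored.
  # existingClaim:

  ## If defined, storageClassName: <storageClass>
  ## If set to "-", storageClassName: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClassName spec is
  ## set, choosing the default provisioner. (gp2 on AWS, standard on
  ## GKE, AWS & OpenStack)
  ##
  storageClass:
  accessMode: ReadWriteOnce
  size: 5Gi
  uid: 1000

  ## Specify extra volumes. Refer to ".spec.volumes" specification : https://kubernetes.io/fr/docs/concepts/storage/volumes/
  volumes: []
  ## Specify extra mounts. Refer to ".spec.containers.volumeMounts" specification : https://kubernetes.io/fr/docs/concepts/storage/volumes/
  mounts: []

# In case you want to specify different resources for emptyDir than {}
emptyDir: {}
# Example of resources that might be used:
# medium: Memory
# sizeLimit: 16Mi

# A custom sonar.properties file can be provided via dictionary.
# For example:
# sonarProperties:
#   sonar.forceAuthentication: true
#   sonar.security.realm: LDAP
#   ldap.url: ldaps://organization.com

# Additional sonar properties to load from a secret with a key "secret.properties" (must be a string)
# sonarSecretProperties:

# Kubernetes secret that contains the encryption key for the sonarqube instance.
# The secret must contain the key 'sonar-secret.txt'.
# The 'sonar.secretKeyPath' property will be set automatically.
# sonarSecretKey: "settings-encryption-secret"

## Override JDBC values
## for external Databases
jdbcOverwrite:
  # If enabling the JDBC overwrite, make sure to set `postgresql.enabled=false`
  enable: false
  # The JDBC url of the external DB
  jdbcUrl: "jdbc:postgresql://myPostgress/myDatabase?socketTimeout=1500"
  # The DB user that should be used for the JDBC connection
  jdbcUsername: "sonarUser"
  # Use this if you don't mind the DB password getting stored in plain text within the values file
  # The default below is a sample credential; prefer jdbcSecretName so the
  # password is read from a Kubernetes Secret instead of this file.
  jdbcPassword: "sonarPass"
  ## Alternatively, use a pre-existing k8s secret containing the DB password
  # jdbcSecretName: "sonarqube-jdbc"
  ## and the secretValueKey of the password found within that secret
  # jdbcSecretPasswordKey: "jdbc-password"

## Configuration values for postgresql dependency
## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md
postgresql:
  # Enable to deploy the bitnami PostgreSQL chart
  enabled: true
  ## postgresql Chart global settings
  # global:
  #   imageRegistry: ''
  #   imagePullSecrets: ''
  ## bitnami/postgres image tag
  # image:
  #   tag: 11.7.0-debian-10-r9
  # existingSecret Name of existing secret to use for PostgreSQL passwords
  # The secret has to contain the keys postgresql-password which is the password for postgresqlUsername when it is
  # different of postgres, postgresql-postgres-password which will override postgresqlPassword,
  # postgresql-replication-password which will override replication.password and postgresql-ldap-password which will be
  # used to authenticate on LDAP. The value is evaluated as a template.
  # existingSecret: ""
  #
  # The bitnami chart enforces the key to be "postgresql-password". This value is only here for historic purposes
  # existingSecretPasswordKey: "postgresql-password"
  postgresqlUsername: "sonarUser"
  # Sample credential shared with jdbcOverwrite.jdbcPassword above; override
  # it or use existingSecret for anything beyond a throwaway install.
  postgresqlPassword: "sonarPass"
  postgresqlDatabase: "sonarDB"
  # Specify the TCP port that PostgreSQL should use
  service:
    port: 5432
  resources:
    limits:
      cpu: 2
      memory: 2Gi
    requests:
      cpu: 100m
      memory: 200Mi
  persistence:
    enabled: true
    accessMode: ReadWriteOnce
    size: 20Gi
    storageClass:
  securityContext:
    # For standard Kubernetes deployment, set enabled=true
    # If using OpenShift, enabled=false for restricted SCC and enabled=true for anyuid/nonroot SCC
    enabled: true
    # fsGroup specification below are not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully.
    # postgresql dockerfile sets user as 1001
    fsGroup: 1001
  containerSecurityContext:
    # For standard Kubernetes deployment, set enabled=true
    # If using OpenShift, enabled=false for restricted SCC and enabled=true for anyuid/nonroot SCC
    enabled: true
    # runAsUser specification below are not applied if enabled=false. enabled=false is the required setting for OpenShift "restricted SCC" to work successfully.
    # postgresql dockerfile sets user as 1001
    runAsUser: 1001
  volumePermissions:
    # For standard Kubernetes deployment, set enabled=false
    # For OpenShift, set enabled=true and ensure to set volumepermissions.securitycontext.runAsUser below.
    enabled: false
    # if using restricted SCC set runAsUser: "auto" and if running under anyuid/nonroot SCC - runAsUser needs to match runAsUser above
    # runAsUser: 0 runs the permission-fixing init container as root; it is
    # only used when volumePermissions.enabled is true.
    securityContext:
      runAsUser: 0
  shmVolume:
    chmod:
      enabled: false
  serviceAccount:
    ## If enabled = true, and name is not set, postgreSQL will create a serviceAccount
    enabled: false
    # name:

# Additional labels to add to the pods:
# podLabels:
#   key: value
podLabels: {}
# For compatibility with 8.0 replace by "/opt/sq"
# For compatibility with 8.2, leave the default. They changed it back to /opt/sonarqube
sonarqubeFolder: /opt/sonarqube

tests:
  image: ""
  enabled: true
  resources: {}

# For OpenShift set create=true to ensure service account is created.
serviceAccount:
  create: false
  # name:
  # The pod does not need the API token; set automountToken: false unless a
  # sidecar or plugin requires it.
  # automountToken: false # default
  ## Annotations for the Service Account
  annotations: {}

# extraConfig is used to load Environment Variables from Secrets and ConfigMaps
# which may have been written by other tools, such as external orchestrators.
#
# These Secrets/ConfigMaps are expected to contain Key/Value pairs, such as:
#
# apiVersion: v1
# kind: ConfigMap
# metadata:
#   name: external-sonarqube-opts
# data:
#   SONARQUBE_JDBC_USERNAME: foo
#   SONARQUBE_JDBC_URL: jdbc:postgresql://db.example.com:5432/sonar
#
# These vars can then be injected into the environment by uncommenting the following:
#
# extraConfig:
#   configmaps:
#     - external-sonarqube-opts

extraConfig:
  secrets: []
  configmaps: []

# account:
#   The values can be set to define the current and the (new) custom admin passwords at the startup (the username will remain "admin")
#   adminPassword: admin
#   currentAdminPassword: admin
#   The above values can be also provided by a secret that contains "password" and "currentPassword" as keys. You can generate such a secret in your cluster
#   using "kubectl create secret generic admin-password-secret-name --from-literal=password=admin --from-literal=currentPassword=admin"
#   Prefer the secret form over plain-text passwords in this file.
#   adminPasswordSecretName: ""
#   securityContext: {}
#   resources:
#     limits:
#       cpu: 100m
#       memory: 128Mi
#     requests:
#       cpu: 100m
#       memory: 128Mi
#   curlContainerImage: curlimages/curl:8.2.0
#   adminJobAnnotations: {}
#   deprecated please use sonarWebContext at the value top level
#   sonarWebContext: /

terminationGracePeriodSeconds: 60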