From 58df11b6247a280d1de359cbc21c0b92be1259c4 Mon Sep 17 00:00:00 2001 From: Denis Patrakeev Date: Tue, 25 Feb 2025 19:22:19 +0300 Subject: [PATCH] [DO-1600] Deploy gitea-sonarqube-staging in new k8s (!50) [DO-1600] Co-authored-by: denis.patrakeev Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/50 --- .../helm-aggregator/values.yaml | 2 + .../argocd-apps-vault-service-account.yaml | 13 ++ .../argocd-apps-avroid-staging.yaml | 59 ++++++++ .../argocd-apps-gitea-sonarqube-bot-app.yaml | 51 +++++++ ...ps-gitea-sonarqube-bot-network-policy.yaml | 45 ++++++ .../gitea-sonarqube-bot/values-ovveride.yaml | 143 ++++++++++++++++++ 6 files changed, 313 insertions(+) create mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/.rbac/argocd-apps-vault-service-account.yaml create mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/argocd-apps-avroid-staging.yaml create mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot/argocd-apps-gitea-sonarqube-bot-app.yaml create mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot/argocd-apps-gitea-sonarqube-bot-network-policy.yaml create mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot/values-ovveride.yaml diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/automations-tools/helm-aggregator/values.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/automations-tools/helm-aggregator/values.yaml index 94d5603..ed4c6fb 100644 --- a/clusters/k8s-avroid-office.prod.local/namespaces/automations-tools/helm-aggregator/values.yaml +++ b/clusters/k8s-avroid-office.prod.local/namespaces/automations-tools/helm-aggregator/values.yaml 
@@ -48,3 +48,5 @@ config: | url: https://stevehipwell.github.io/helm-charts - name: aquasecurity url: https://aquasecurity.github.io/helm-charts + - name: justusbunsi/gitea-sonarqube-bot + url: https://codeberg.org/justusbunsi/gitea-sonarqube-bot/raw/branch/charts/ diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/.rbac/argocd-apps-vault-service-account.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/.rbac/argocd-apps-vault-service-account.yaml new file mode 100644 index 0000000..af36998 --- /dev/null +++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/.rbac/argocd-apps-vault-service-account.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: serviceaccount + app.kubernetes.io/instance: vault-sa + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: vault-operator + app.kubernetes.io/part-of: vault-operator + app.kubernetes.io/managed-by: argocd + name: vault + namespace: avroid-staging diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/argocd-apps-avroid-staging.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/argocd-apps-avroid-staging.yaml new file mode 100644 index 0000000..ae0b286 --- /dev/null +++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/argocd-apps-avroid-staging.yaml 
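Review bot: The new aggregator entry points at a raw git branch (`https://codeberg.org/justusbunsi/gitea-sonarqube-bot/raw/branch/charts/`), which is a mutable index: the Application pins `v0.3.4`, but nothing pins what that version resolves to if the branch is rewritten and the nexus proxy re-fetches it. Because this chart ends up holding Gitea and SonarQube tokens, consider vendoring the chart into `k8s-configs` or publishing it to a hosted (non-proxy) nexus repository after review, and add a comment on the entry such as `# upstream is a mutable branch; chart reviewed at v0.3.4 — re-review before bumping` so the provenance decision is visible next to the URL.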
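Review bot: The `vault` ServiceAccount is created but nothing in this patch references it — there is no RoleBinding, no Vault role, and the bot's values file does not set a `serviceAccount.name`, so it is unclear which workload is meant to authenticate with it. If it is intended for the secrets webhook that resolves the `vault:` references in `values-ovveride.yaml`, that wiring (pod annotations or the pod's service account) is not in this diff and should be confirmed; a header comment like `# Identity used by the vault secrets webhook for avroid-staging; bound on the Vault side, see <role>` would make the dependency explicit. Also note the manifest lives in a dot-prefixed `.rbac/` directory — if this namespace's manifests are collected by a directory-type Argo CD source, confirm hidden directories are not excluded, otherwise the account is never created.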
@@ -0,0 +1,59 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: avroid-staging + labels: + name: avroid-staging + app.kubernetes.io/managed-by: argocd + annotations: + argocd.argoproj.io/sync-wave: "-1" + scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker= +--- +apiVersion: v1 +kind: ResourceQuota +metadata: + name: avroid-staging + namespace: avroid-staging + labels: + app.kubernetes.io/managed-by: argocd +spec: + hard: + requests.cpu: "2" + requests.memory: "6Gi" + requests.storage: "100Gi" + limits.cpu: "8" + limits.memory: 16Gi + configmaps: "200" + resourcequotas: "1" + secrets: "100" + services: "100" + pods: "50" + persistentvolumeclaims: "20" +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: avroid-staging-common + namespace: avroid-staging + labels: + app.kubernetes.io/managed-by: argocd +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + ingress: [] + egress: + - to: + - ipBlock: + # office-balancer.avroid.tech + cidr: 10.2.16.2/32 + ports: + - port: 443 + protocol: TCP + - ports: + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot/argocd-apps-gitea-sonarqube-bot-app.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot/argocd-apps-gitea-sonarqube-bot-app.yaml new file mode 100644 index 0000000..9276a51 --- /dev/null +++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot/argocd-apps-gitea-sonarqube-bot-app.yaml 
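Review bot: The `avroid-staging` Namespace is created without Pod Security Admission labels, so unless the cluster's admission configuration sets a default, pods in it are admitted at the `privileged` level even though the default-deny NetworkPolicy below shows the namespace is meant to be locked down. Adding `pod-security.kubernetes.io/enforce: baseline` and `pod-security.kubernetes.io/warn: restricted` (or `enforce: restricted` if the bot's chart renders a non-root, read-only container) to `metadata.labels` closes that gap. Two smaller points in the same hunk: the `scheduler.alpha.kubernetes.io/node-selector` annotation only has effect when the PodNodeSelector admission plugin is enabled, which this file cannot guarantee, and the DNS egress rule allows port 53 to any destination rather than to the cluster DNS pods only — consider a `namespaceSelector`/`podSelector` for kube-dns.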
@@ -0,0 +1,51 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: gitea-sonarqube-bot + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: gitea-sonarqube-bot + destination: + server: https://kubernetes.default.svc + namespace: avroid-staging + sources: + - repoURL: https://git.avroid.tech/K8s/k8s-configs.git + targetRevision: master + ref: values + - repoURL: https://nexus.avroid.tech/repository/devops-helm-proxy-helm/ + chart: "justusbunsi/gitea-sonarqube-bot/gitea-sonarqube-bot/gitea-sonarqube-bot" + targetRevision: v0.3.4 + helm: + valueFiles: + - $values/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot/values-ovveride.yaml + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - ApplyOutOfSyncOnly=true + - CreateNamespace=true +--- +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: gitea-sonarqube-bot + namespace: argocd + # Finalizer that ensures that project is not deleted until it is not referenced by any application + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + sourceRepos: + - https://git.avroid.tech/K8s/k8s-configs.git + - https://nexus.avroid.tech/repository/devops-helm-proxy-helm/ + # Only permit applications to deploy to the guestbook namespace in the same cluster + destinations: + - namespace: avroid-staging + server: https://kubernetes.default.svc + # Deny all cluster-scoped resources from being created, except for Namespace + clusterResourceWhitelist: + - group: '' + kind: Namespace diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot/argocd-apps-gitea-sonarqube-bot-network-policy.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot/argocd-apps-gitea-sonarqube-bot-network-policy.yaml new file mode 100644 index 0000000..ce68dbf --- /dev/null 
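Review bot: The AppProject comment `# Only permit applications to deploy to the guestbook namespace in the same cluster` is copied from the Argo CD example and contradicts the `avroid-staging` destination directly under it; it should read `# Only permit applications to deploy to the avroid-staging namespace in the same cluster`. Beyond the comment, the project permits every namespaced kind in `avroid-staging`, so a bad chart release pulled through the nexus proxy could create Roles/RoleBindings, replace the NetworkPolicies from this commit, or overwrite Secrets; since the chart is third-party, a `namespaceResourceBlacklist` listing `rbac.authorization.k8s.io` `Role`/`RoleBinding` and `networking.k8s.io` `NetworkPolicy` would keep those under the repo's own manifests. `CreateNamespace=true` is redundant here given `argocd-apps-avroid-staging.yaml` already declares the Namespace, and dropping it would let `clusterResourceWhitelist` be emptied as well.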
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot/argocd-apps-gitea-sonarqube-bot-network-policy.yaml @@ -0,0 +1,45 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: gitea-sonarqube-bot-in + namespace: avroid-staging + labels: + app.kubernetes.io/managed-by: argocd +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: gitea-sonarqube-bot + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: ingress-nginx + - ports: + - port: 3000 + protocol: TCP +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: gitea-sonarqube-bot-out + namespace: avroid-staging + labels: + app.kubernetes.io/managed-by: argocd +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: gitea-sonarqube-bot + policyTypes: + - Egress + ingress: [] + egress: + - to: + - ipBlock: + # office-balancer.avroid.tech + cidr: 10.2.16.2/32 + ports: + - port: 443 + protocol: TCP diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot/values-ovveride.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot/values-ovveride.yaml new file mode 100644 index 0000000..ababcd0 --- /dev/null +++ b/clusters/k8s-avroid-office.prod.local/namespaces/avroid-staging/security/gitea-sonarqube-bot/values-ovveride.yaml 
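Review bot: In `gitea-sonarqube-bot-in`, `- ports:` starts a second ingress rule instead of belonging to the `- from:` rule, so as written the policy allows every port from `ingress-nginx` and, separately, port 3000 from any source in or outside the cluster (indentation is lost in this view; if `- ports:` is instead nested under `from:` it is an invalid field and the object will be rejected). The intended "3000 from ingress-nginx only" needs a single rule: change `- ports:` to `ports:` aligned with `from:` so both selectors apply to the same rule. In `gitea-sonarqube-bot-out`, `ingress: []` has no effect because `policyTypes` lists only `Egress` and is better removed to avoid suggesting the policy denies ingress.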
@@ -0,0 +1,143 @@ +## @section Common parameters + +## @param replicaCount Number of replicas for the bot +replicaCount: 2 + +## ref: https://hub.docker.com/r/justusbunsi/gitea-sonarqube-bot/tags/ +## @param image.repository Image repository +## @param image.pullPolicy Image pull policy +## @param image.tag Image tag (Overrides the image tag whose default is the chart `appVersion`) +image: + repository: harbor.avroid.tech/devops/gitea-sonarqube-bot + tag: "avr-v0.3.4" + +## @param imagePullSecrets Specify docker-registry secret names as an array +imagePullSecrets: + - name: harbor-registry-secret + +## We usually recommend not to specify default resources and to leave this as a conscious +## choice for the user. This also increases chances charts run on environments with little +## resources, such as Minikube. If you do want to specify resources, uncomment the following +## lines, adjust them as necessary, and remove the curly braces after 'resources:'. +## @param resources.limits The resources limits for the container +## @param resources.requests The requested resources for the container +resources: + limits: + cpu: 50m + memory: 64Mi + requests: + cpu: 100m + memory: 128Mi + +## @param nodeSelector Node labels for pod assignment. Evaluated as a template. +## ref: https://kubernetes.io/docs/user-guide/node-selection/ +nodeSelector: + node-role.kubernetes.io/worker: "" + +## @section App parameters + +app: + ## @param app.configLocationOverride Override the default location of the configuration file (`/home/bot/config/config.yaml`). **Available since Chart version `0.2.0`. Requires at least image tag `v0.2.0`**. (See values file for details) + ## Setting this will also change the mount point for `.Values.app.configuration` to the directory part of the override value. 
+ configLocationOverride: "" + + ## This object represents the [config.yaml](https://codeberg.org/justusbunsi/gitea-sonarqube-bot/src/branch/main/config/config.example.yaml) provided to the application. + configuration: + ## Gitea related configuration. Necessary for adding/updating comments on repository pull requests + gitea: + ## @param app.configuration.gitea.url Endpoint of your Gitea instance. Must be expandable by '/api/v1' to form the API base path as shown in Swagger UI. + url: "https://git-staging.avroid.tech" + + ## Created access token for the user that shall be used as bot account. + ## User needs "Read project" permissions with access to "Pull Requests" + ## @param app.configuration.gitea.token.value Gitea token as plain text. Can be replaced with `file` key containing path to file. + token: + value: "vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.gitea.token.value" + # # or path to file containing the plain text secret + # file: /bot/secrets/gitea/user-token + + ## If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the + ## request will be ignored. + ## The bot looks for `X-Gitea-Signature` header containing the sha256 hmac hash of the plain text secret. If the header + ## exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be validated. + ## @param app.configuration.gitea.webhook.secret Secret for signature header (in plaintext) + ## @extra app.configuration.gitea.webhook.secretFile Path to file containing the plain text secret. Alternative to inline `app.configuration.gitea.webhook.secret` + webhook: + secret: "vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.gitea.webhook.secret" + # # or path to file containing the plain text secret + # secretFile: /bot/secrets/gitea/webhook-secret + + ## SonarQube related configuration. 
Necessary for requesting data from the API and processing the webhook. + sonarqube: + ## @param app.configuration.sonarqube.url Endpoint of your SonarQube instance. Must be expandable by '/api' to form the API base path. + url: "https://sonarqube-staging.avroid.tech" + + ## Created access token for the user that shall be used as bot account. + ## User needs "Browse on project" permissions + ## @param app.configuration.sonarqube.token.value SonarQube token as plain text. Can be replaced with `file` key containing path to file. + token: + value: "vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.sonarqube.token.value" + # # or path to file containing the plain text secret + # file: /bot/secrets/sonarqube/user-token + + ## If the sent webhook has a signature header, the bot validates the request payload. If the value does not match, the + ## request will be ignored. + ## The bot looks for `X-Sonar-Webhook-HMAC-SHA256` header containing the sha256 hmac hash of the plain text secret. + ## If the header exists and no webhookSecret is defined here, the bot will ignore the request, because it cannot be + ## validated. + ## @param app.configuration.sonarqube.webhook.secret Secret for signature header (in plaintext) + ## @extra app.configuration.sonarqube.webhook.secretFile Path to file containing the plain text secret. Alternative to inline `app.configuration.sonarqube.webhook.secret` + webhook: + secret: "vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.sonarqube.webhook.secret" + # # or path to file containing the plain text secret + # secretFile: /bot/secrets/sonarqube/webhook-secret + + ## List of project mappings to take care of. Webhooks for other projects will be ignored. + ## At least one must be configured. Otherwise, all webhooks (no matter which source) because the bot cannot map on its own. 
+ ## @param app.configuration.projects[0].sonarqube.key Project key inside SonarQube + ## @param app.configuration.projects[0].gitea.owner Repository owner inside Gitea + ## @param app.configuration.projects[0].gitea.name Repository name inside Gitea + projects: + - sonarqube: + key: example:example_sast + ## A repository specification contains the owner name and the repository name itself. The owner can be the name of a + ## real account or an organization in which the repository is located. + gitea: + owner: DevSec + name: sast-demo + + ## Define pull request names from SonarScanner analysis. Default pattern matches the Jenkins Gitea plugin schema. + ## @param app.configuration.namingPattern.regex Regular expression that MUST HAVE exactly ONE GROUP that matches the integer part of the PR. That integer part is identical to the pull request ID in Gitea. + ## @param app.configuration.namingPattern.template Valid Go format string. It MUST have one integer placeholder which will be replaced by the pull request ID. See: https://pkg.go.dev/fmt#hdr-Printing + namingPattern: + regex: "^PR-(\\d+)$" + urlregex: "^http\.*&pullRequest=PR-(\\d+)\.*$" + template: "PR-%d" + + bitbucket: + webhook: + secret: "vault:team-devops/data/accounts/bots/sonarqube/avroid.tech/gitea-sonarqube-bot-staging#app.configuration.bitbucket.webhook.secret" + +## ref: https://kubernetes.io/docs/user-guide/ingress/ +ingress: + + ## @param ingress.enabled Enable ingress controller resource + enabled: true + + ## @param ingress.className IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster. + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + className: "nginx" + + ## @param ingress.annotations Additional annotations for the Ingress resource. 
+ annotations: + kubernetes.io/ingress.class: nginx + + ## @param ingress.hosts[0].host Host for the ingress resource + ## @param ingress.hosts[0].paths[0].path The path to the bot endpoint + ## @param ingress.hosts[0].paths[0].pathType Ingress path type + hosts: + - host: gitea-sonarqube-bot-staging.avroid.tech + paths: + - path: / + pathType: ImplementationSpecific
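Review bot: `urlregex: "^http\.*&pullRequest=PR-(\\d+)\.*$"` under `app.configuration.namingPattern` is not valid YAML — `\.` is not a recognised escape in a double-quoted scalar, so Helm will fail to parse this values file and the Application will never sync; assuming `.*` was intended, `urlregex: '^http.*&pullRequest=PR-(\d+).*$'` (single quotes, no escape processing) expresses it. The `resources` block is also rejected by the API server because limits are lower than requests (`cpu: 50m` < `100m`, `memory: 64Mi` < `128Mi`); the two blocks look swapped — `requests.cpu: 50m`/`requests.memory: 64Mi` with `limits.cpu: 100m`/`limits.memory: 128Mi` would be valid. The `vault:…` strings in `token.value` and `webhook.secret` are rendered verbatim into the bot's config.yaml, so they are only secrets if the vault secrets webhook actually mutates this workload; nothing in the patch annotates it for that, so either confirm the webhook is enabled for `avroid-staging` or use the chart's `file:`/`secretFile:` alternatives backed by a Secret. Lastly, `kubernetes.io/ingress.class: nginx` duplicates `className` via the deprecated annotation, and the ingress has no `tls:` block, so the HMAC-signed webhooks travel in cleartext unless TLS is terminated upstream — worth a comment stating where.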