Is it safe to install the SonarQube Helm chart against an existing PostgreSQL database?
I have to install a SonarQube Helm chart and point its PostgreSQL persistence at an external database. This database server is already in use, and the chart is configured as follows (IP and password changed for security reasons). My idea is to create a sonarDB database and install the chart. Is this safe, or is it risky?
# Default values for sonarqube.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1

# This will use the default deployment strategy unless it is overriden
deploymentStrategy: {}

image:
  repository: sonarqube
  tag: 7.9.1-community
  # If using a private repository, the name of the imagePullSecret to use
  # pullSecret: my-repo-secret

# Set security context for sonarqube pod
securityContext:
  fsGroup: 999

# Settings to configure elasticsearch host requirements
elasticsearch:
  configureNode: true
  bootstrapChecks: true

service:
  type: ClusterIP
  externalPort: 9000
  internalPort: 9000
  labels:
  annotations: {}
  # May be used in example for internal load balancing in GCP:
  # cloud.google.com/load-balancer-type: Internal
  # loadBalancerSourceRanges:
  #   - 0.0.0.0/0
  # loadBalancerIP: 1.2.3.4

ingress:
  enabled: false
  # Used to create an Ingress record.
  hosts:
    - name: sonar.organization.com
      # default paths for "/" and "/*" will be added
      path: /
      # If a different path is defined, that path and {path}/* will be added to the ingress resource
      # path: /sonarqube
  annotations: {}
  # kubernetes.io/ingress.class: nginx
  # kubernetes.io/tls-acme: "true"
  # This property allows for reports up to a certain size to be uploaded to SonarQube
  # nginx.ingress.kubernetes.io/proxy-body-size: "8m"

  # Additional labels for Ingress manifest file
  # labels:
  #   traffic-type: external
  #   traffic-type: internal

  tls: []
  # Secrets must be manually created in the namespace.
  # - secretName: chart-example-tls
  #   hosts:
  #     - chart-example.local

# Affinity for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}

# Tolerations for pod assignment
# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []

# Node labels for pod assignment
# Ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}

# hostAliases allows the modification of the hosts file inside a container
hostAliases: []
# - ip: "192.168.1.10"
#   hostnames:
#   - "example.com"
#   - "www.example.com"

readinessProbe:
  initialDelaySeconds: 60
  periodSeconds: 30
  failureThreshold: 6
  # If an ingress *path* other than the root (/) is defined, it should be reflected here
  # A trailing "/" must be included
  sonarWebContext: /
  # sonarWebContext: /sonarqube/

livenessProbe:
  initialDelaySeconds: 60
  periodSeconds: 30
  # If an ingress *path* other than the root (/) is defined, it should be reflected here
  # A trailing "/" must be included
  sonarWebContext: /
  # sonarWebContext: /sonarqube/

# Set extra env variables. Like proxy settings.
extraEnv: {}
  # If an ingress *path* is defined, it should be reflected here
  # sonar.web.context: /sonarqube

# Set annotations for pods
annotations: {}

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

persistence:
  enabled: false
  ## Set annotations on pvc
  annotations: {}
  ## Specify an existing volume claim instead of creating a new one.
  ## When using this option all following options like storageClass, accessMode and size are ignored.
  #existingClaim: gke-homolog-sonarqube
  ## If defined, storageClassName: <storageClass>
  ## If set to "-", storageClassName: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClassName spec is
  ## set, choosing the default provisioner. (gp2 on AWS, standard on
  ## GKE, AWS & OpenStack)
  ##
  storageClass:
  accessMode: ReadWriteOnce
  size: 10Gi

# List of plugins to install.
# For example:
plugins:
  install:
    - "https://github.com/sleroy/sonar-slack-notifier-plugin/releases/download/2.5/cks-slack-notifier-2.5.jar"
    - "https://repo1.maven.org/maven2/org/sonarsource/java/sonar-java-plugin/5.14.0.18788/sonar-java-plugin-5.14.0.18788.jar"
#plugins:
#  install: []
  # initContainerImage: alpine:3.10.3
  # deleteDefaultPlugins: true
  #resources: {}
  # We allow the plugins init container to have a separate resources declaration because
  # the initContainer does not take as much resources.

# A custom sonar.properties file can be provided via dictionary.
# For example:
# sonarProperties:
#   sonar.forceAuthentication: true
#   sonar.security.realm: LDAP
#   ldap.url: ldaps://organization.com

# Additional sonar properties to load from a secret with a key "secret.properties" (must be a string)
# sonarSecretProperties:

# Kubernetes secret that contains the encryption key for the sonarqube instance.
# The secret must contain the key 'sonar-secret.txt'.
# The 'sonar.secretKeyPath' property will be set automatically.
# sonarSecretKey: "settings-encryption-secret"

customCerts:
  ## Enable to override the default cacerts with your own one
  enabled: false
  secretName: my-cacerts

## Configuration value to select database type
## Option to use "postgresql" or "mysql" database type, by default "postgresql" is chosen
## Set the "enable" field to true of the database type you select (if you want to use internal database) and false of the one you don't select
#database:
#  type: "postgresql"

## Configuration values for postgresql dependency
## ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md
postgresql:
  # Enable to deploy the PostgreSQL chart
  enabled: false
  # To use an external PostgreSQL instance, set enabled to false and uncomment
  # the line below:
  postgresServer: "11.31.76.3"
  # To use an external secret for the password for an external PostgreSQL
  # instance, set enabled to false and provide the name of the secret on the
  # line below:
  # postgresPasswordSecret: ""
  postgresUser: "application"
  postgresPassword: "pass123"
  postgresDatabase: "sonarDB"
  # Specify the TCP port that PostgreSQL should use
  service:
    port: 5432

## Configuration values for the mysql dependency
## ref: https://github.com/kubernetes/charts/blob/master/stable/mysql/README.md
##
mysql:
  # Enable to deploy the mySQL chart
  enabled: false
  # To use an external mySQL instance, set enabled to false and uncomment
  # the line below:
  # mysqlServer: ""
  # To use an external secret for the password for an external mySQL instance,
  # set enabled to false and provide the name of the secret on the line below:
  # mysqlPasswordSecret: ""
  mysqlUser: "sonarUser"
  mysqlPassword: "sonarPass"
  mysqlDatabase: "sonarDB"
  # mysqlParams:
  #   useSSL: "true"
  # Specify the TCP port that mySQL should use
  service:
    port: 3306

#
# Additional labels to add to the pods:
# podLabels:
#   key: value
podLabels: {}
# For compatibility with 8.0 replace by "/opt/sq"
sonarqubeFolder: /opt/sonarqube
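The values above reuse the server's existing `application` role for SonarQube, which ties the two workloads to one credential. The psql script below is an added example (not from the question or the chart) showing how a dedicated, least-privilege role and database are set up on the shared server and how the isolation is checked; the role name `sonar_app`, the password placeholder and `existing_app_db` are assumptions, while `sonarDB` and `application` come from the values file.

```sql
-- Run with psql as a superuser (or a role holding CREATEROLE and CREATEDB)
-- against the existing server. sonar_app, the password placeholder and
-- existing_app_db are assumed names; "sonarDB" and application are from the
-- chart values.

-- 1. A dedicated login role for SonarQube, separate from "application", so a
--    compromise of either side cannot reach the other's data.
CREATE ROLE sonar_app LOGIN
    PASSWORD 'REPLACE-WITH-GENERATED-SECRET'   -- placeholder: generate a long random value
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT
    CONNECTION LIMIT 20;                       -- caps runaway connections from the pod

-- 2. The database SonarQube owns; quoted because the chart value is mixed-case.
CREATE DATABASE "sonarDB" OWNER sonar_app ENCODING 'UTF8';

-- 3. Fence it off from every other role: PostgreSQL grants CONNECT to PUBLIC
--    by default, so that grant has to be revoked explicitly.
REVOKE ALL ON DATABASE "sonarDB" FROM PUBLIC;
GRANT CONNECT, TEMP ON DATABASE "sonarDB" TO sonar_app;

-- 4. Keep the SonarQube role out of the databases already hosted here
--    (repeat for each one; existing_app_db is a placeholder). Roles that
--    legitimately use that database then need an explicit grant, e.g.
--    GRANT CONNECT ON DATABASE existing_app_db TO application;
REVOKE CONNECT ON DATABASE existing_app_db FROM PUBLIC;

-- 5. Inside sonarDB, reserve the public schema for the owner (PUBLIC may
--    still CREATE in it on PostgreSQL versions before 15).
\connect "sonarDB"
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT ALL ON SCHEMA public TO sonar_app;

-- 6. Verify the isolation: sonar_can_connect must be true only for sonarDB,
--    and application_can_connect must be false for sonarDB.
SELECT datname,
       has_database_privilege('sonar_app', datname, 'CONNECT')   AS sonar_can_connect,
       has_database_privilege('application', datname, 'CONNECT') AS application_can_connect
  FROM pg_database
 WHERE NOT datistemplate
 ORDER BY datname;
```

The generated password then belongs in a Kubernetes Secret referenced through the chart's `postgresPasswordSecret` setting rather than in `postgresPassword` as in the values above, with `postgresUser` changed to the new role.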