From 306bc8211bfaca5ac6359be244a4066fbf85b972 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Wed, 31 Jul 2024 12:51:05 -0600 Subject: [PATCH] docs: add `configuration.md` file for network/database (#104) ## Description This adds a `configuration.md` file describing network and database config settings. ## Related Issue Fixes #95 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [X] Other (security config, docs update, etc) ## Checklist before merging - [X] Test, docs, adr added or updated as needed - [X] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-package-sonarqube/blob/main/CONTRIBUTING.md#developer-workflow) followed --- docs/DEVELOPMENT_MAINTENANCE.md | 36 ---------------------------- docs/configuration.md | 42 +++++++++++++++++++++++++++++++++ docs/idam.md | 19 --------------- 3 files changed, 42 insertions(+), 55 deletions(-) delete mode 100644 docs/DEVELOPMENT_MAINTENANCE.md create mode 100644 docs/configuration.md delete mode 100644 docs/idam.md diff --git a/docs/DEVELOPMENT_MAINTENANCE.md b/docs/DEVELOPMENT_MAINTENANCE.md deleted file mode 100644 index 3325ac4..0000000 --- a/docs/DEVELOPMENT_MAINTENANCE.md +++ /dev/null 
@@ -1,36 +0,0 @@ -# UDS SonarQube Package - -This package is pulling in the [bigbang sonarqube chart](https://repo1.dso.mil/big-bang/product/packages/sonarqube) - -## How to upgrade this capability - -WIP - -## How to test this capability on your own cluster - -WIP - -## Creating Releases - -This project uses [release-please-action](https://github.com/google-github-actions/release-please-action) for versioning and releasing OCI packages. - -### How should I write my commits? - -Release Please assumes you are using [Conventional Commit messages](https://www.conventionalcommits.org/). - -The most important prefixes you should have in mind are: - -- `fix:` which represents bug fixes, and correlates to a [SemVer](https://semver.org/) - patch. -- `feat:` which represents a new feature, and correlates to a SemVer minor. -- `feat!:`, or `fix!:`, `refactor!:`, etc., which represent a breaking change - (indicated by the `!`) and will result in a SemVer major. - -When changes are merged to the `main` branch, the Release Please will evaluate all commits since the previous release to calculate what changes are included and will create another PR to increase the version and tag a new release (per the Release Please design [documentation](https://github.com/googleapis/release-please/blob/main/docs/design.md#lifecycle-of-a-release)). This will also automatically generate changelog entries based on these commits. - -> TIP: Merging a PR should be done via a branch **"Squash and merge"**; this means that the commit message seen on this PR merge is what Release Please will use to determine a version bump. - -When the auto generated Release Please PR is merged the following steps will automatically happen. - -1) A new release will be created and tagged -1) New artifact(s) will be published to the OCI registry diff --git a/docs/configuration.md b/docs/configuration.md new file mode 100644 index 0000000..d4c346f --- /dev/null +++ b/docs/configuration.md 
@@ -0,0 +1,42 @@ +# Configuration + +SonarQube in this package is configured through the upstream [SonarQube chart](https://github.com/SonarSource/helm-chart-sonarqube) as well as a UDS configuration chart that supports the following: + +## Networking + +Network policies are controlled via the `uds-sonarqube-config` chart in accordance with the [common patterns for networking within UDS Software Factory](https://github.com/defenseunicorns/uds-software-factory/blob/main/docs/networking.md). SonarQube interacts with Postgresql externally and supports the following keys: + +- `postgres`: sets network policies for accessing a Postgres database from the SonarQube pod +- `custom`: sets custom network policies for the SonarQube namespace - this allows for custom integrations with other services + +## Database + +SonarQube uses Postgres as its backing database service and supports the [common database providers within UDS Software Factory](https://github.com/defenseunicorns/uds-software-factory/blob/main/docs/database.md). + +### Manual Database Connection + +If you are using the [UDS Postgres Operator](https://github.com/defenseunicorns/uds-package-postgres-operator/) or another external database that uses usernames/passwords you can use the following Helm overrides to configure it: + +#### `uds-sonarqube-config` chart: + +> [!IMPORTANT] +> The `postgres.password` setting is not applicable when using the UDS Postgres Operator package or when supplying a secret manually! + +- `postgres.password` - provides a password to generate a secret to pass to SonarQube + + +#### `sonarqube` chart: + +> [!IMPORTANT] +> The `jdbcOverwrite.jdbcSecretName` and `jdbcOverwrite.jdbcSecretPasswordKey` settings are not applicable when providing a password to the `uds-sonarqube-config` chart manually. + +- `jdbcOverwrite.jdbcUsername` - provides the username to use when connecting to the database (i.e. 
`sonarqube.sonarqube`) +- `jdbcOverwrite.jdbcSecretName` - provides the secret that contains the database password (defaults to `sonarqube-postgres`) +- `jdbcOverwrite.jdbcSecretPasswordKey` - provides the secret key that contains the database password (defaults to `password`) +- `jdbcOverwrite.jdbcUrl` - provides the endpoint, port and database name to use (i.e. `jdbc:postgresql://pg-cluster.postgres.svc.cluster.local:5432/sonarqubedb`) + +### IAM Roles for Service Accounts + +The Software Factory team has not yet tested IRSA with AWS RDS - there is an open issue linked below with further linked issues to test this that could act as a starting point to implement: + +https://github.com/defenseunicorns/uds-software-factory/issues/45 diff --git a/docs/idam.md b/docs/idam.md deleted file mode 100644 index 67894df..0000000 --- a/docs/idam.md +++ /dev/null 
@@ -1,19 +0,0 @@ -# IDAM integration with uds-package-sonarqube - -The sonarqube package is preconfigured to work with an IDAM solution, but IDAM is disabled by default. - -## IDAM Variables - -These Zarf variables are mapped to sonarqube helm chart values that are documented [here.](https://docs.sonarsource.com/sonarqube/latest/instance-administration/authentication/saml/overview/#settings) - -| Key | Type | Default | Description | -|----------------------------------------|:------:|:-------:|-----------------------------------------------| -| SONARQUBE_IDAM_ENABLED | bool | `false` | Enables/disables IDAM | -| SONARQUBE_IDAM_CLIENT_ID | string | `""` | The ID of the client used to auth | -| SONARQUBE_IDAM_PROVIDER_NAME | string | `""` | Name of the identity provider | -| SONARQUBE_IDAM_REALM_URL | string | `""` | The URL for the realm used for auth | -| SONARQUBE_IDAM_SAML_CERT | string | `""` | The SAML certificate from keycloak | -| SONARQUBE_IDAM_ATTR_LOGIN | string | `""` | The IDAM attribute to map login to | -| SONARQUBE_IDAM_ATTR_NAME | string | `""` | The IDAM attribute to map name to | -| SONARQUBE_IDAM_ATTR_EMAIL | string | `""` | The IDAM attribute to map email to | -| SONARQUBE_IDAM_ATTR_GROUP | string | `""` | The IDAM attribute to map groups to, optional |
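Review bot: the first hunk deletes docs/DEVELOPMENT_MAINTENANCE.md wholesale, and with it the only description of the release process (Release Please, the `fix:`/`feat:`/`feat!:` prefixes and their SemVer mapping, the "Squash and merge" tip and the two post-merge steps), while the description only says a `configuration.md` file is being added. If that material now lives in the CONTRIBUTING.md that the checklist links to, say so in the description; otherwise move the "Creating Releases" section into a surviving doc rather than dropping it, since the two WIP sections are the only part of the file that is clearly dead.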
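Review bot: in the new docs/configuration.md, the two IMPORTANT callouts state that `postgres.password` and `jdbcOverwrite.jdbcSecretName`/`jdbcOverwrite.jdbcSecretPasswordKey` are each "not applicable" when the other path is used, but the page never says what happens if both are set or which one takes precedence; add one sentence on that, and steer readers to the secret-based path, since `postgres.password` puts the database password directly into Helm values where anyone who can read the values file or the Helm release can see it. Two smaller points in the same hunk: the examples after "i.e." (`sonarqube.sonarqube` and the `jdbc:postgresql://...` URL) are illustrations, so "e.g." is the right abbreviation, and there is a stray extra blank line after the `postgres.password` bullet.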
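Review bot: the last hunk removes docs/idam.md, taking with it the whole SONARQUBE_IDAM_* Zarf variable table (SONARQUBE_IDAM_ENABLED, SONARQUBE_IDAM_CLIENT_ID, SONARQUBE_IDAM_PROVIDER_NAME, SONARQUBE_IDAM_REALM_URL, SONARQUBE_IDAM_SAML_CERT and the four SONARQUBE_IDAM_ATTR_* mappings) and the link to the upstream SAML settings, while the new configuration.md covers only Networking and Database. If SSO is still configured through these variables, carry the table over as an SSO section of configuration.md (or point to wherever it now lives) so the SAML certificate and attribute-mapping settings stay documented; if the variables were removed, the description should say so, because that is an authentication change and not only a docs update.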