chore!: update to SonarQube 10, migrate to upstream chart, add unicorn CGR flavor (#100)

## Description

## Related Issue

Fixes #82
Fixes #96

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor Guide
Steps](https://github.com/defenseunicorns/uds-package-sonarqube/blob/main/CONTRIBUTING.md#developer-workflow)
followed

---------

Co-authored-by: Wayne Starr <Racer159@users.noreply.github.com>
Release-As: v10.6.0-uds.0

Author: marshall007

.github/workflows/commitlint.yaml

@@ -8,4 +8,4 @@ on:
 jobs:
   validate:
     name: Validate
-    uses: defenseunicorns/uds-common/.github/workflows/commitlint.yaml@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+    uses: defenseunicorns/uds-common/.github/workflows/commitlint.yaml@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0

.github/workflows/lint.yaml

@@ -20,7 +20,7 @@ jobs:
           fetch-depth: 0
 
       - name: Environment setup
-        uses: defenseunicorns/uds-common/.github/actions/setup@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        uses: defenseunicorns/uds-common/.github/actions/setup@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0
         with:
           registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
           registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}

.github/workflows/tag-and-release.yaml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ${{ matrix.architecture == 'arm64' && 'uds-swf-ubuntu-arm64-4-core' || 'ubuntu-latest' }}
     strategy:
       matrix:
-        flavor: [upstream, registry1]
+        flavor: [upstream, unicorn, registry1]
         architecture: [amd64, arm64]
         exclude:
           - flavor: registry1
@@ -35,26 +35,28 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
 
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Environment setup
-        uses: defenseunicorns/uds-common/.github/actions/setup@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        uses: defenseunicorns/uds-common/.github/actions/setup@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0
         with:
           registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
           registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
           ghToken: ${{ secrets.GITHUB_TOKEN }}
+          chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }}
 
       - name: Publish Package
         run: uds run -f tasks/publish.yaml package --set FLAVOR=${{ matrix.flavor }} --no-progress
 
       - name: Debug Output
         if: ${{ always() }}
-        uses: defenseunicorns/uds-common/.github/actions/debug-output@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        uses: defenseunicorns/uds-common/.github/actions/debug-output@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0
 
       - name: Save logs
         if: always()
-        uses: defenseunicorns/uds-common/.github/actions/save-logs@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        uses: defenseunicorns/uds-common/.github/actions/save-logs@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0
         with:
           suffix: ${{ matrix.flavor }}-${{ matrix.architecture }}-${{ github.run_id }}-${{ github.run_attempt }}

.github/workflows/test.yaml

@@ -29,41 +29,48 @@ concurrency:
 
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   run-test:
     name: ${{ matrix.type }} ${{ matrix.flavor }}
-    runs-on: ubuntu-latest
+    runs-on: uds-swf-ubuntu-big-boy-4-core
     timeout-minutes: 20
     strategy:
       matrix:
-        flavor: [upstream, registry1]
+        flavor: [upstream, unicorn, registry1]
         type: [install, upgrade]
+        # do not run upgrade tests for unicorn
+        # TODO @marshall: remove after first unicorn release
+        exclude:
+          - flavor: unicorn
+            type: upgrade
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Environment setup
-        uses: defenseunicorns/uds-common/.github/actions/setup@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        uses: defenseunicorns/uds-common/.github/actions/setup@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0
         with:
           registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
           registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
           ghToken: ${{ secrets.GITHUB_TOKEN }}
+          chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }}
 
       - name: Test
-        uses: defenseunicorns/uds-common/.github/actions/test@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        uses: defenseunicorns/uds-common/.github/actions/test@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0
         with:
           flavor: ${{ matrix.flavor }}
           type: ${{ matrix.type }}
 
       - name: Debug Output
         if: ${{ always() }}
-        uses: defenseunicorns/uds-common/.github/actions/debug-output@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        uses: defenseunicorns/uds-common/.github/actions/debug-output@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0
 
       - name: Save logs
         if: always()
-        uses: defenseunicorns/uds-common/.github/actions/save-logs@91515ef86914334356c35ffb4b2c2c5fb4d19174 # v0.9.0
+        uses: defenseunicorns/uds-common/.github/actions/save-logs@e7c0643d3f9d74ce49c7386b48964d2be646d726 # v0.10.0
         with:
           suffix: ${{ matrix.type }}-${{ matrix.flavor }}-${{ github.run_id }}-${{ github.run_attempt }}
 

chart/templates/sonarqube-sso-secret.yaml

@@ -1,5 +1,5 @@
-# This secret will be used if sso is disabled, instead of the templated one in uds-package.yaml. 
-# Sonarqube needs to mount the secret and creating it this way avoids creating an unnecessary 
+# This secret will be used if sso is disabled, instead of the templated one in uds-package.yaml.
+# Sonarqube needs to mount the secret and creating it this way avoids creating an unnecessary
 # client in the keycloak realm and unnecessary secret data in the cluster.
 {{- if not .Values.sso.enabled }}
 

common/zarf.yaml

@@ -14,10 +14,8 @@ components:
         localPath: ../chart
       - name: sonarqube
         namespace: sonarqube
-        # see note in README.md about use of registry1 chart for both flavors
-        url: https://repo1.dso.mil/big-bang/product/packages/sonarqube.git
-        gitPath: chart
-        version: "8.0.4-bb.5"
+        url: https://SonarSource.github.io/helm-chart-sonarqube
+        version: 10.6.1
         valuesFiles:
           - ../values/common-values.yaml
     actions:
@@ -31,3 +29,7 @@ components:
                 name: sonarqube
                 namespace: sonarqube
                 condition: "'{.status.phase}'=Ready"
+          - description: Perform DB migrations if necessary
+            cmd: |
+              STATUS=$(curl -XPOST -s "https://sonarqube.$ZARF_VAR_DOMAIN/api/system/migrate_db" | ./zarf tools yq '.state')
+              echo "SonarQube migration state: ${STATUS}"

renovate.json

@@ -22,13 +22,6 @@
       "labels": ["package-deps"],
       "commitMessageTopic": "package-deps",
       "matchDatasources": ["docker", "helm", "git-tags"]
-    },
-    {
-      "groupName": "SonarQube Package Dependencies",
-      "labels": ["package-deps"],
-      "commitMessageTopic": "package-deps",
-      "matchPackageNames": ["https://repo1.dso.mil/big-bang/product/packages/sonarqube.git"],
-      "allowedVersions": "/^8.+-bb.+/"
     }
   ]
 }

tasks.yaml

@@ -2,11 +2,11 @@ includes:
   - cleanup: ./tasks/cleanup.yaml
   - dependencies: ./tasks/dependencies.yaml
   - test: ./tasks/test.yaml
-  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/create.yaml
-  - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/lint.yaml
-  - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/pull.yaml
-  - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/deploy.yaml
-  - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/setup.yaml
+  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/create.yaml
+  - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/lint.yaml
+  - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/pull.yaml
+  - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/deploy.yaml
+  - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/setup.yaml
 
 tasks:
   - name: default

tasks/publish.yaml

@@ -1,8 +1,8 @@
 includes:
-  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/create.yaml
-  - publish: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/publish.yaml
-  - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/setup.yaml
-  - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.9.0/tasks/deploy.yaml
+  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/create.yaml
+  - publish: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/publish.yaml
+  - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/setup.yaml
+  - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.10.0/tasks/deploy.yaml
   - dependencies: ./dependencies.yaml
   - test: ./test.yaml
 

tasks/test.yaml

@@ -23,7 +23,7 @@ tasks:
         cmd: |
           STATUS=$(curl -s 'https://sonarqube.uds.dev/api/system/status' | ./uds zarf tools yq '.status')
           echo "SonarQube system status: ${STATUS}"
-          if [ $STATUS != "UP" ]; then
+          if [ "$STATUS" != "UP" ]; then
             sleep 10
             exit 1
           fi

tests/auth.setup.ts

@@ -4,7 +4,7 @@ import { authFile } from './playwright.config';
 setup('authenticate', async ({ page, context }) => {
   await page.goto('/sessions/new');
 
-  await page.locator('.identity-provider-link').click();
+  await page.getByRole('button', { name: 'Log in with Keycloak' }).click();
   await page.getByLabel('Username or email').fill('doug');
   await page.getByLabel('Password').fill('unicorn123!@#UN');
 
@@ -23,6 +23,4 @@ setup('authenticate', async ({ page, context }) => {
   expect(keycloakCookie?.domain).toContain("sso.");
 
   await page.context().storageState({ path: authFile });
-
-  await expect(page).toHaveURL('/projects');
 })

tests/sonarqube.test.ts

@@ -5,15 +5,17 @@ function randomProjectName() {
 }
 
 test('create a project', async ({ page }) => {
-  await page.goto('/projects/create');
+  await page.goto('/projects/create?mode=manual');
 
   const projectName = randomProjectName();
 
-  await page.getByRole('button', { name: 'Manually' }).click();
   await page.getByLabel('Project display name*').fill(projectName);
-  await page.getByRole('button', { name: 'Set Up' }).click();
+  await page.getByRole('button', { name: 'Next' }).click();
 
-  await expect(page).toHaveURL(`/dashboard?id=${projectName}`);
+  await page.getByLabel('Use the global setting').check();
+  await page.getByRole('button', { name: 'Create project' }).click();
 
-  await expect(page.getByRole('heading', { level: 1 })).toContainText(projectName);
+  await expect(page).toHaveURL(`/tutorials?id=${projectName}`);
+
+  await expect(page.getByRole('heading', { level: 1 })).toContainText('Analysis Method');
 });

values/common-values.yaml

@@ -1,23 +1,22 @@
-OpenShift:
-  enabled: false
-
 edition: "community"
 
 # Name of the secret from which to load additional properties: https://community.sonarsource.com/t/additional-sonar-properties-to-load-from-a-secret/73748
 # This secret will be created by the uds operator based on the sso spec defined in chart/templates/uds-package.yaml
 sonarSecretProperties: sonarqube-sso
 
-monitoring:
-  enabled: true
+prometheusExporter:
+  enabled: false
+
+prometheusMonitoring:
+  podMonitor:
+    enabled: false
 
 initSysctl:
   enabled: false
 
-elasticsearch:
-  configureNode: false
-
 jdbcOverwrite:
-  enable: true
+  enable: true # DEPRECATED: use `jdbcOverwrite.enabled` in v10.7.0
+  enabled: true
   jdbcUrl: jdbc:postgresql://###ZARF_VAR_SONARQUBE_DB_ENDPOINT###:5432/###ZARF_VAR_SONARQUBE_DB_NAME###
   jdbcUsername: ###ZARF_VAR_SONARQUBE_DB_USERNAME###
   jdbcPassword: null
@@ -26,10 +25,3 @@ jdbcOverwrite:
 
 postgresql:
   enabled: false
-  postgresqlServer: ###ZARF_VAR_SONARQUBE_DB_ENDPOINT###
-  existingSecret: "sonarqube-postgres"
-  existingSecretPasswordKey: "password"
-  postgresqlUsername: ###ZARF_VAR_SONARQUBE_DB_USERNAME###
-  postgresqlDatabase: ###ZARF_VAR_SONARQUBE_DB_NAME###
-  service:
-    port: 5432

values/registry1-values.yaml

@@ -1,9 +1,23 @@
 image:
   repository: registry1.dso.mil/ironbank/sonarsource/sonarqube/sonarqube
-  tag: 9.9.5-community
+  tag: 10.6.0-community
 
 initContainers:
   image: registry1.dso.mil/ironbank/big-bang/base:2.1.0
 
 prometheusExporter:
   image: registry1.dso.mil/ironbank/big-bang/base:2.1.0
+
+# wget used by default probes not available in registry1 images
+livenessProbe:
+  exec: null
+  httpGet:
+    path: /
+    scheme: HTTP
+    port: 9000
+readinessProbe:
+  exec: null
+  httpGet:
+    path: /api/system/status
+    scheme: HTTP
+    port: 9000

values/unicorn-values.yaml

@@ -0,0 +1,9 @@
+image:
+  repository: cgr.dev/du-uds-defenseunicorns/sonarqube
+  tag: 10.6.0
+
+initContainers:
+  image: cgr.dev/du-uds-defenseunicorns/busybox-fips:1.36
+
+prometheusExporter:
+  image: cgr.dev/du-uds-defenseunicorns/curl-fips:8-dev

values/upstream-values.yaml

@@ -1,6 +1,6 @@
 image:
   repository: sonarqube
-  tag: 9.9.5-community
+  tag: 10.6.0-community
 
 initContainers:
   image: busybox:1.36

zarf.yaml

@@ -35,7 +35,7 @@ components:
           - values/registry1-values.yaml
     images:
       - "registry1.dso.mil/ironbank/big-bang/base:2.1.0"
-      - "registry1.dso.mil/ironbank/sonarsource/sonarqube/sonarqube:9.9.5-community"
+      - "registry1.dso.mil/ironbank/sonarsource/sonarqube/sonarqube:10.6.0-community"
 
   # Note: upstream flavor is experimental
   - name: sonarqube
@@ -50,6 +50,22 @@ components:
         valuesFiles:
           - values/upstream-values.yaml
     images:
-      - "sonarqube:9.9.5-community"
+      - "sonarqube:10.6.0-community"
       - "curlimages/curl:8.8.0"
       - "busybox:1.36"
+
+  - name: sonarqube
+    required: true
+    description: "Deploy sonarqube"
+    import:
+      path: common
+    only:
+      flavor: unicorn
+    charts:
+      - name: sonarqube
+        valuesFiles:
+          - values/unicorn-values.yaml
+    images:
+      - "cgr.dev/du-uds-defenseunicorns/sonarqube:10.6.0"
+      - "cgr.dev/du-uds-defenseunicorns/curl-fips:8-dev"
+      - "cgr.dev/du-uds-defenseunicorns/busybox-fips:1.36"