1、部署 postgres-sonar，数据使用 PVC 存储。
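---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres-sonar
  namespace: service-tools
  labels:
    app: postgres-sonar
spec:
  replicas: 1
  # PostgreSQL is a single-writer process on one PVC.  The default RollingUpdate
  # strategy would start the replacement pod against the same data directory
  # while the old one is still running; Recreate stops the old pod first.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: postgres-sonar
  template:
    metadata:
      labels:
        app: postgres-sonar
    spec:
      containers:
        - name: postgres-sonar
          image: postgres:11.4
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_DB
              value: "sonarDB"
            - name: POSTGRES_USER
              value: "sonarUser"
            # The password is read from a Secret instead of being a literal in
            # the manifest, so it does not end up in version control.  Create the
            # Secret before applying (name and key below are constructed
            # examples):
            #   kubectl -n service-tools create secret generic sonar-db-credentials \
            #     --from-literal=password=<db-password>
            # Its value must match what the SonarQube Deployment passes as its
            # JDBC password.
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: sonar-db-credentials
                  key: password
            # Keep the cluster in a sub-directory of the mount: initdb refuses a
            # data directory that is not empty, and many volume drivers place a
            # lost+found entry at the mount root.
            - name: PGDATA
              value: /var/lib/postgresql/data/pgdata
          resources:
            limits:
              cpu: 1000m
              memory: 2048Mi
            requests:
              cpu: 500m
              memory: 1024Mi
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
      volumes:
        - name: postgres-data
          persistentVolumeClaim:
            claimName: nas-service-tools-pvc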
---
apiVersion: v1
kind: Service
metadata:
  name: postgres-sonar
  namespace: service-tools
  labels:
    app: postgres-sonar
spec:
  # Headless Service: no virtual cluster IP is allocated, the DNS name resolves
  # directly to the database pod, which is what the JDBC URL
  # postgres-sonar:5432 in the SonarQube Deployment relies on.
  clusterIP: None
  selector:
    app: postgres-sonar
  ports:
    - protocol: TCP
      port: 5432
      targetPort: 5432
2、部署SonarQube服务。
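---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sonarqube
  namespace: service-tools
  labels:
    app: sonarqube
spec:
  replicas: 1
  # conf/data/extensions live on one PVC and a single (non-DCE) SonarQube
  # instance owns that directory; the old pod must be gone before the new one
  # starts, which RollingUpdate does not guarantee.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: sonarqube
  template:
    metadata:
      labels:
        app: sonarqube
    spec:
      initContainers:
        # The embedded Elasticsearch needs vm.max_map_count raised on the node.
        # This is not one of the kubelet's "safe" sysctls, so it cannot be set
        # through pod securityContext.sysctls unless the kubelet allows it via
        # --allowed-unsafe-sysctls; the usual workaround is this privileged init
        # container, which runs as root on the node.  Pin a specific busybox tag
        # in production: :latest is mutable.
        - name: init-sysctl
          image: 'busybox:latest'
          imagePullPolicy: IfNotPresent
          command:
            - sysctl
            - '-w'
            - vm.max_map_count=262144
          resources: {}
          securityContext:
            privileged: true
      containers:
        - name: sonarqube
          # Floating tag: a new LTS can change the image's expected env var names
          # (see the note on the JDBC variables below).  Pin an explicit version.
          image: 'sonarqube:lts'
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 9000
              protocol: TCP
          env:
            # NOTE(review): SONARQUBE_JDBC_* is the spelling read by the pre-8.x
            # images; newer images read SONAR_JDBC_URL / SONAR_JDBC_USERNAME /
            # SONAR_JDBC_PASSWORD and silently ignore the old names.  Confirm
            # against the image version that is actually pulled.
            - name: SONARQUBE_JDBC_USERNAME
              value: sonarUser
            # Read from a Secret rather than a literal so the password is not
            # committed with the manifest.  Name and key are constructed
            # examples; the Secret must hold the same password the
            # postgres-sonar Deployment uses for POSTGRES_PASSWORD.
            - name: SONARQUBE_JDBC_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: sonar-db-credentials
                  key: password
            - name: SONARQUBE_JDBC_URL
              value: 'jdbc:postgresql://postgres-sonar:5432/sonarDB'
          # Both probes hit the login page.  /api/system/status is the documented
          # health endpoint and distinguishes STARTING from UP; consider it if
          # the pod is marked ready while the database migration is still
          # running.  timeoutSeconds: 1 is tight for a JVM under GC pressure.
          livenessProbe:
            httpGet:
              path: /sessions/new
              port: 9000
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 30
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /sessions/new
              port: 9000
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 30
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 6
          # Binary units (Mi) to match the postgres-sonar Deployment.
          resources:
            limits:
              cpu: '2'
              memory: 2048Mi
            requests:
              cpu: '1'
              memory: 1024Mi
          volumeMounts:
            # All three directories come from one PVC.  Without subPath each
            # mount exposes the volume root, so conf, data and extensions would
            # all be written into the same directory.
            - name: sonarqube-data
              mountPath: /opt/sonarqube/conf
              subPath: conf
            - name: sonarqube-data
              mountPath: /opt/sonarqube/data
              subPath: data
            - name: sonarqube-data
              mountPath: /opt/sonarqube/extensions
              subPath: extensions
      volumes:
        - name: sonarqube-data
          persistentVolumeClaim:
            claimName: nas-sq-service-tools-pvc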
---
apiVersion: v1
kind: Service
metadata:
  name: sonarqube
  namespace: service-tools
  labels:
    app: sonarqube
spec:
  # Cluster-internal only; external access goes through the Ingress, which
  # targets this Service on port 80 and is forwarded to the container's 9000.
  type: ClusterIP
  selector:
    app: sonarqube
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9000
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sonarqube-alb-ingress
  namespace: service-tools
spec:
  ingressClassName: nginx-alb
  # TLS terminates at the ingress controller with the certificate from the
  # named Secret; the hop from the controller to the Service (port 80, then
  # container port 9000) is plain HTTP inside the cluster.
  tls:
    - hosts:
        - sonarqube.域名
      secretName: 证书名-city-tls
  rules:
    - host: sonarqube.域名
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: sonarqube
                port:
                  number: 80
3、通过域名登录 SonarQube 平台，默认账号密码：admin/admin，首次登录后请立即修改默认密码。
在应用中安装(Chinese Pack)中文插件包
4、下载 sonar-scanner 包，用于审计代码。
https://binaries.sonarsource.com/?prefix=Distribution/sonar-scanner-cli/
下载完 sonar-scanner 包后解压到指定文件夹，并配置 sonar-scanner.properties 文件。
cat sonar-scanner/conf/sonar-scanner.properties
# Environment-wide scanner settings only (server connection, encoding).
# Project-specific values do not belong in this file; pass them per project.

# ----- Default SonarQube server
sonar.host.url=https://sonarqube.域名

# ----- Default source code encoding
sonar.sourceEncoding=UTF-8
5、使用方案。
密钥生成
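# SonarQube code analysis.
# The token generated in the SonarQube UI is supplied through an environment
# variable (set from a CI secret) instead of being typed into the command line,
# where it would be visible in shell history, process listings and build logs.
# Two fixes to the original: "-Dsoanr.sources" was misspelt and
# "-Dsonar.projectname" was mis-cased; property keys are case-sensitive, so the
# scanner ignored both and fell back to its defaults.
/sonar-scanner/bin/sonar-scanner -Dsonar.login="${SONAR_TOKEN}" -Dsonar.projectName="${JOB_NAME}" -Dsonar.projectKey="${JOB_NAME}" -Dsonar.sources=./ -Dsonar.java.binaries=./target/

# The same command, one option per line.
# Shell comments cannot follow a line-continuation backslash, so each option
# is explained above the command:
#   /sonar-scanner/bin/sonar-scanner   path to the scanner binary
#   -Dsonar.login                      token generated on the SonarQube platform
#                                      (newer versions also accept sonar.token)
#   -Dsonar.projectName                display name, here the CI job name
#   -Dsonar.projectKey                 unique project key, here the CI job name
#   -Dsonar.sources                    location of the source code
#   -Dsonar.java.binaries              location of the compiled classes
/sonar-scanner/bin/sonar-scanner \
  -Dsonar.login="${SONAR_TOKEN}" \
  -Dsonar.projectName="${JOB_NAME}" \
  -Dsonar.projectKey="${JOB_NAME}" \
  -Dsonar.sources=./ \
  -Dsonar.java.binaries=./target/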