SONAR-21453 Update the security contexts to use root as group ID

.cirrus.yaml

@@ -85,13 +85,10 @@ chart_testing_task:
     - export DOCKER_HOST=tcp://localhost:2375
     - ./.cirrus/wait_for_kind.sh
   script:
-    - helm repo add clustersecret https://charts.clustersecret.io/
-    - helm install clustersecret clustersecret/cluster-secret -n clustersecret --create-namespace
-    - DOCKER_CONFIG=$(kubectl create secret docker-registry unused --docker-username=${DOCKER_USERNAME} --docker-password=${DOCKER_PASSWORD} --dry-run -o json | jq '.data.".dockerconfigjson"')
-    - sed -i "s|DOCKER_CONFIG_JSON|${DOCKER_CONFIG}|g" .cirrus/docker_hub_test_pull_secret.yaml
-    - kubectl apply -f .cirrus/docker_hub_test_pull_secret.yaml
+    - kubectl create namespace test
+    - kubectl create secret docker-registry pullsecret --namespace test --docker-username=${DOCKER_USERNAME} --docker-password=${DOCKER_PASSWORD}
     - ct lint --config test.yaml --all
-    - ct install --config test.yaml --all
+    - ct install --namespace test --config test.yaml --all
   artifacthub_lint_script:
     - ah lint
   depends_on:

charts/sonarqube-dce/CHANGELOG.md

@@ -7,6 +7,7 @@ All changes to this chart will be documented in this file.
 * Run the initSysctl init-container as root to prevent 'permission denied' issues
 * Add revisionHistoryLimit configuration for SonarQube application Deployment ReplicaSets
 * Introduce `ApplicationNodes.podDisruptionBudget` and `searchNodes.podDisruptionBudget` and deprecate `ApplicationNodes.podDistributionBudget` and `searchNodes.podDistributionBudget`.
+* Update the security contexts to use root as group ID
 
 ## [10.3.0]
 * Upgrade SonarQube to 10.3.0

charts/sonarqube-dce/Chart.yaml

@@ -37,6 +37,8 @@ annotations:
       description: "Add revisionHistoryLimit configuration for SonarQube application Deployment ReplicaSets"
     - kind: deprecated
       description: "Introduce `ApplicationNodes.podDisruptionBudget` and `searchNodes.podDisruptionBudget` and deprecate `ApplicationNodes.podDistributionBudget` and `searchNodes.podDistributionBudget`."
+    - kind: changed
+      description: "Update the security contexts to use root as group ID"
   artifacthub.io/links: |
     - name: support
       url: https://community.sonarsource.com/

charts/sonarqube-dce/README.md

@@ -90,7 +90,7 @@ This is achieved by setting this SecurityContext as default on **most** containe
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 1000
-runAsGroup: 1000
+runAsGroup: 0
 seccompProfile:
   type: RuntimeDefault
 capabilities:
@@ -193,7 +193,7 @@ The following table lists the configurable parameters of the SonarQube chart and
 | `searchNodes.replicaCount`                                | Replica count of the Search Nodes                                                     | `3`                                                                    |
 | `searchNodes.podDisruptionBudget`                         | PodDisruptionBudget for the Search Nodes                                              | `minAvailable: 2`                                                      |
 | `searchNodes.podDistributionBudget`                       | (DEPRECATED typo) PodDisruptionBudget for the Search Nodes                            | `minAvailable: 2`                                                      |
-| `searchNodes.securityContext.fsGroup`                     | Group applied to mounted directories/files on search nodes                            | `1000`                                                                 |
+| `searchNodes.securityContext.fsGroup`                     | Group applied to mounted directories/files on search nodes                            | `0`                                                                 |
 | `searchNodes.containerSecurityContext`                    | SecurityContext for search container in sonarqube pod                                 | [Restricted podSecurityStandard](#kubernetes---pod-security-standards) |
 | `searchNodes.readinessProbe.initialDelaySeconds`          | ReadinessProbe initial delay for Search Node checking                                 | `60`                                                                   |
 | `searchNodes.readinessProbe.periodSeconds`                | ReadinessProbe period between checking Search Node                                    | `30`                                                                   |
@@ -217,7 +217,7 @@ The following table lists the configurable parameters of the SonarQube chart and
 | `searchNodes.persistence.accessMode`                      | Volumes access mode to be set                                                         | `ReadWriteOnce`                                                        |
 | `searchNodes.persistence.size`                            | Size of the PVC                                                                       | `5G`                                                                   |
 | `searchNodes.persistence.uid`                             | UID used for init-fs container                                                        | `1000`                                                                 |
-| `searchNodes.persistence.guid`                            | GUID used for init-fs container                                                       | `1000`                                                                 |
+| `searchNodes.persistence.guid`                            | GUID used for init-fs container                                                       | `0`                                                                 |
 | `searchNodes.extraContainers`                             | Array of extra containers to run alongside                                            | `[]`                                                                   |
 
 ### App Nodes Configuration
@@ -238,7 +238,7 @@ The following table lists the configurable parameters of the SonarQube chart and
 | `ApplicationNodes.replicaCount`                                  | Replica count of the app Nodes                                                                                                                                                            | `2`                                                                    |
 | `ApplicationNodes.podDisruptionBudget`                           | PodDisruptionBudget for the App Nodes                                                                                                                                                     | `minAvailable: 1`                                                      |
 | `ApplicationNodes.podDistributionBudget`                         | (DEPRECATED typo) PodDisruptionBudget for the App Nodes                                                                                                                                   | `minAvailable: 1`                                                      |
-| `ApplicationNodes.securityContext.fsGroup`                       | Group applied to mounted directories/files on app nodes                                                                                                                                   | `1000`                                                                 |
+| `ApplicationNodes.securityContext.fsGroup`                       | Group applied to mounted directories/files on app nodes                                                                                                                                   | `0`                                                                 |
 | `ApplicationNodes.containerSecurityContext`                      | SecurityContext for app container in sonarqube pod                                                                                                                                        | [Restricted podSecurityStandard](#kubernetes---pod-security-standards) |
 | `ApplicationNodes.readinessProbe.initialDelaySeconds`            | ReadinessProbe initial delay for app Node checking                                                                                                                                        | `60`                                                                   |
 | `ApplicationNodes.readinessProbe.periodSeconds`                  | ReadinessProbe period between checking app Node                                                                                                                                           | `30`                                                                   |

charts/sonarqube-dce/ci/cirrus-values.yaml

@@ -4,12 +4,16 @@
 searchNodes:
   replicaCount: 1
   image:
+    repository: "sonarsource/sonarqube"
+    tag: "10.4.0-datacenter-search"
     pullSecrets:
       - name: pullsecret
 
 ApplicationNodes:
   replicaCount: 1
   jwtSecret: "mnGBJtmwRbIREqy3vSw6Cinoi2WEom9JH+iw/tXOJX4="
   image:
+    repository: "sonarsource/sonarqube"
+    tag: "10.4.0-datacenter-app"
     pullSecrets:
       - name: pullsecret

charts/sonarqube-dce/templates/NOTES.txt

@@ -17,6 +17,9 @@
   echo "Visit http://127.0.0.1:8080 to use your application"
   kubectl port-forward $POD_NAME 8080:{{ .Values.service.externalPort }} -n {{ .Release.Namespace }}
 {{- end }}
+WARNING: 
+         Please note that the SonarQube images run with a non-root user (uid=1000) belonging to the root group (guid=0). In this way, the chart can support arbitrary user ids as recommended in OpenShift.
+         Please visit https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#use-uid_create-images for more information.
 {{ if .Values.postgresql.enabled }}
 WARNING: The embedded PostgreSQL is intended for evaluation only, it is DEPRECATED, and it will be REMOVED in a future release.
          Please visit https://artifacthub.io/packages/helm/sonarqube/sonarqube#production-use-case for more information.

charts/sonarqube-dce/values.yaml

@@ -68,16 +68,16 @@ searchNodes:
 
   # Set security context for sonarqube search pods
   securityContext:
-    fsGroup: 1000
+    fsGroup: 0
 
   # Set security context for sonarqube search container
   containerSecurityContext:
-    # Sonarqube dockerfile creates sonarqube user as UID and GID 1000
+    # Sonarqube dockerfile creates sonarqube user as UID 1000 and GID 0
     # Those default are used to match pod security standard restricted as least privileged approach
     allowPrivilegeEscalation: false
     runAsNonRoot: true
     runAsUser: 1000
-    runAsGroup: 1000
+    runAsGroup: 0
     seccompProfile:
       type: RuntimeDefault
     capabilities:
@@ -128,7 +128,7 @@ searchNodes:
     accessMode: ReadWriteOnce
     size: 5Gi
     uid: 1000
-    guid: 1000
+    guid: 0
 
   ## Array of extra containers to run alongside the sonarqube search container
   ##
@@ -189,16 +189,16 @@ ApplicationNodes:
 
   # Set security context for sonarqube app pods
   securityContext:
-    fsGroup: 1000
+    fsGroup: 0
 
   # Set security context for sonarqube app container
   containerSecurityContext:
-    # Sonarqube dockerfile creates sonarqube user as UID and GID 1000
+    # Sonarqube dockerfile creates sonarqube user as UID 1000 and GID 0
     # Those default are used to match pod security standard restricted as least privileged approach
     allowPrivilegeEscalation: false
     runAsNonRoot: true
     runAsUser: 1000
-    runAsGroup: 1000
+    runAsGroup: 0
     seccompProfile:
       type: RuntimeDefault
     capabilities:
@@ -260,7 +260,7 @@ ApplicationNodes:
     # httpProxy: ""
     # httpsProxy: ""
     # noProxy: ""
-    # Setting the security context to the default sonarqube user 1000/1000
+    # Setting the security context to the default sonarqube user 1000/0
     # Reuse default initcontainers.securityContext that match restricted pod security standard
     # securityContext: {}
 
@@ -442,7 +442,7 @@ initContainers:
     allowPrivilegeEscalation: false
     runAsNonRoot: true
     runAsUser: 1000
-    runAsGroup: 1000
+    runAsGroup: 0
     seccompProfile:
       type: RuntimeDefault
     capabilities:

charts/sonarqube/CHANGELOG.md

@@ -6,6 +6,7 @@ All changes to this chart will be documented in this file.
 * Improve the description of deprecated `jvmOpts` and `jvmCeOpts` values
 * Run the initSysctl init-container as root to prevent 'permission denied' issues
 * Add revisionHistoryLimit configuration for SonarQube application Deployment ReplicaSets & StatefulSets
+* Update the security contexts to use root as group ID
 
 ## [10.3.0]
 * Upgrade SonarQube to 10.3.0

charts/sonarqube/Chart.yaml

@@ -40,6 +40,8 @@ annotations:
       description: "Run the initSysctl init-container as root to prevent 'permission denied' issues"
     - kind: changed
       description: "Add revisionHistoryLimit configuration for SonarQube application Deployment ReplicaSets & StatefulSets"
+    - kind: changed
+      description: "Update the security contexts to use root as group ID"
   artifacthub.io/containsSecurityUpdates: "false"
   artifacthub.io/images: |
     - name: sonarqube

charts/sonarqube/README.md

@@ -84,7 +84,7 @@ This is achieved by setting this SecurityContext as default on **most** containe
 allowPrivilegeEscalation: false
 runAsNonRoot: true
 runAsUser: 1000
-runAsGroup: 1000
+runAsGroup: 0
 seccompProfile:
   type: RuntimeDefault
 capabilities:
@@ -223,7 +223,7 @@ The following table lists the configurable parameters of the SonarQube chart and
 
 | Parameter                  | Description                                    | Default                                                                |
 | -------------------------- | ---------------------------------------------- | ---------------------------------------------------------------------- |
-| `securityContext.fsGroup`  | Group applied to mounted directories/files     | `1000`                                                                 |
+| `securityContext.fsGroup`  | Group applied to mounted directories/files     | `0`                                                                 |
 | `containerSecurityContext` | SecurityContext for container in sonarqube pod | [Restricted podSecurityStandard](#kubernetes---pod-security-standards) |
 
 ### Elasticsearch
@@ -395,7 +395,7 @@ The following table lists the configurable parameters of the SonarQube chart and
 | `persistence.volumes`       | Specify extra volumes. Refer to ".spec.volumes" specification                | `[]`            |
 | `persistence.mounts`        | Specify extra mounts. Refer to ".spec.containers.volumeMounts" specification | `[]`            |
 | `persistence.uid`           | UID used for init-fs container                                               | `1000`          |
-| `persistence.guid`          | GUID used for init-fs container                                              | `1000`          |
+| `persistence.guid`          | GUID used for init-fs container                                              | `0`          |
 | `emptyDir`                  | Configuration of resources for `emptyDir`                                    | `{}`            |
 
 ### JDBC Overwrite

charts/sonarqube/ci/cirrus-values.yaml

@@ -1,3 +1,5 @@
 image:
   pullSecrets:
     - name: pullsecret
+  repository: "sonarsource/sonarqube"
+  tag: "10.4.0-community"

charts/sonarqube/templates/NOTES.txt

@@ -20,6 +20,9 @@
   echo "Visit http://127.0.0.1:8080 to use your application"
   kubectl port-forward $POD_NAME 8080:{{ .Values.service.externalPort }} -n {{ .Release.Namespace }}
 {{- end }}
+WARNING: 
+         Please note that the SonarQube image runs with a non-root user (uid=1000) belonging to the root group (guid=0). In this way, the chart can support arbitrary user ids as recommended in OpenShift.
+         Please visit https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#use-uid_create-images for more information.
 {{ if .Values.postgresql.enabled }}
 WARNING: The embedded PostgreSQL is intended for evaluation only, it is DEPRECATED, and it will be REMOVED in a future release.
          Please visit https://artifacthub.io/packages/helm/sonarqube/sonarqube#production-use-case for more information.

charts/sonarqube/values.yaml

@@ -38,16 +38,16 @@ image:
 
 # Set security context for sonarqube pod
 securityContext:
-  fsGroup: 1000
+  fsGroup: 0
 
 # Set security context for sonarqube container
 containerSecurityContext:
-  # Sonarqube dockerfile creates sonarqube user as UID and GID 1000
+  # Sonarqube dockerfile creates sonarqube user as UID and GID 0
   # Those default are used to match pod security standard restricted as least privileged approach
   allowPrivilegeEscalation: false
   runAsNonRoot: true
   runAsUser: 1000
-  runAsGroup: 1000
+  runAsGroup: 0
   seccompProfile:
     type: RuntimeDefault
   capabilities:
@@ -207,7 +207,7 @@ initContainers:
     allowPrivilegeEscalation: false
     runAsNonRoot: true
     runAsUser: 1000
-    runAsGroup: 1000
+    runAsGroup: 0
     seccompProfile:
       type: RuntimeDefault
     capabilities:
@@ -390,7 +390,7 @@ persistence:
   accessMode: ReadWriteOnce
   size: 5Gi
   uid: 1000
-  guid: 1000
+  guid: 0
 
   ## Specify extra volumes. Refer to ".spec.volumes" specification : https://kubernetes.io/fr/docs/concepts/storage/volumes/
   volumes: []