1、部署postgres-sonar数据使用pvc存储。
apiVersion: apps/v1
kind: Deployment
metadata:
name: postgres-sonar
namespace: service-tools
labels:
app: postgres-sonar
spec:
replicas: 1
selector:
matchLabels:
app: postgres-sonar
template:
metadata:
labels:
app: postgres-sonar
spec:
containers:
- name: postgres-sonar
image: postgres:11.4
imagePullPolicy: IfNotPresent
ports:
- containerPort: 5432
env:
- name: POSTGRES_DB
value: "sonarDB"
- name: POSTGRES_USER
value: "sonarUser"
- name: POSTGRES_PASSWORD
value: "123456"
resources:
limits:
cpu: 1000m
memory: 2048Mi
requests:
cpu: 500m
memory: 1024Mi
volumeMounts:
- name: postgres-data
mountPath: /var/lib/postgresql/data
volumes:
- name: postgres-data
persistentVolumeClaim:
claimName: nas-service-tools-pvc
---
apiVersion: v1
kind: Service
metadata:
name: postgres-sonar
namespace: service-tools
labels:
app: postgres-sonar
spec:
clusterIP: None
ports:
- port: 5432
protocol: TCP
targetPort: 5432
selector:
app: postgres-sonar- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17.
- 18.
- 19.
- 20.
- 21.
- 22.
- 23.
- 24.
- 25.
- 26.
- 27.
- 28.
- 29.
- 30.
- 31.
- 32.
- 33.
- 34.
- 35.
- 36.
- 37.
- 38.
- 39.
- 40.
- 41.
- 42.
- 43.
- 44.
- 45.
- 46.
- 47.
- 48.
- 49.
- 50.
- 51.
- 52.
- 53.
- 54.
- 55.
- 56.
- 57.
- 58.
- 59.
- 60.
2、部署SonarQube服务。
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: sonarqube
name: sonarqube
namespace: service-tools
spec:
replicas: 1
selector:
matchLabels:
app: sonarqube
template:
metadata:
labels:
app: sonarqube
spec:
containers:
- env:
- name: SONARQUBE_JDBC_USERNAME
value: sonarUser
- name: SONARQUBE_JDBC_PASSWORD
value: '123456'
- name: SONARQUBE_JDBC_URL
value: 'jdbc:postgresql://postgres-sonar:5432/sonarDB'
image: 'sonarqube:lts'
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /sessions/new
port: 9000
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 1
name: sonarqube
ports:
- containerPort: 9000
protocol: TCP
readinessProbe:
failureThreshold: 6
httpGet:
path: /sessions/new
port: 9000
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 1
resources:
limits:
cpu: '2'
memory: 2048M
requests:
cpu: '1'
memory: 1024M
volumeMounts:
- mountPath: /opt/sonarqube/conf
name: sonarqube-data
- mountPath: /opt/sonarqube/data
name: sonarqube-data
- mountPath: /opt/sonarqube/extensions
name: sonarqube-data
initContainers:
- command:
- sysctl
- '-w'
- vm.max_map_count=262144
image: 'busybox:latest'
imagePullPolicy: IfNotPresent
name: init-sysctl
resources: {}
securityContext:
privileged: true
volumes:
- name: sonarqube-data
persistentVolumeClaim:
claimName: nas-sq-service-tools-pvc
---
apiVersion: v1
kind: Service
metadata:
name: sonarqube
namespace: service-tools
labels:
app: sonarqube
spec:
selector:
app: sonarqube
ports:
- protocol: TCP
port: 80
targetPort: 9000
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: sonarqube-alb-ingress
namespace: service-tools
spec:
ingressClassName: nginx-alb
rules:
- host: sonarqube.域名
http:
paths:
- backend:
service:
name: sonarqube
port:
number: 80
path: /
pathType: Prefix
tls:
- hosts:
- sonarqube.域名
secretName: 证书名-city-tls- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17.
- 18.
- 19.
- 20.
- 21.
- 22.
- 23.
- 24.
- 25.
- 26.
- 27.
- 28.
- 29.
- 30.
- 31.
- 32.
- 33.
- 34.
- 35.
- 36.
- 37.
- 38.
- 39.
- 40.
- 41.
- 42.
- 43.
- 44.
- 45.
- 46.
- 47.
- 48.
- 49.
- 50.
- 51.
- 52.
- 53.
- 54.
- 55.
- 56.
- 57.
- 58.
- 59.
- 60.
- 61.
- 62.
- 63.
- 64.
- 65.
- 66.
- 67.
- 68.
- 69.
- 70.
- 71.
- 72.
- 73.
- 74.
- 75.
- 76.
- 77.
- 78.
- 79.
- 80.
- 81.
- 82.
- 83.
- 84.
- 85.
- 86.
- 87.
- 88.
- 89.
- 90.
- 91.
- 92.
- 93.
- 94.
- 95.
- 96.
- 97.
- 98.
- 99.
- 100.
- 101.
- 102.
- 103.
- 104.
- 105.
- 106.
- 107.
- 108.
- 109.
- 110.
- 111.
- 112.
- 113.
- 114.
- 115.
- 116.
- 117.
- 118.
- 119.
- 120.
3、通过域名登录SonarQube平台,默认账号密码:admin/admin
在应用中安装(Chinese Pack)中文插件包
4、通过下载sonar-scanner包,去审计代码。
https://binaries.sonarsource.com/?prefix=Distribution/sonar-scanner-cli/
下载完sonar-scanner包解压到指定文件夹,配置sonar-scanner.properties文件。
cat sonar-scanner/conf/sonar-scanner.properties
#Configure here general information about the environment, such as SonarQube server connection details for example
#No information about specific project should appear here
#----- Default SonarQube server
sonar.host.url=https://sonarqube.域名
#----- Default source code encoding
sonar.sourceEncoding=UTF-8- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
- 9.
5、使用方案。
密钥生成
#sonarqube代码审计
/sonar-scanner/bin/sonar-scanner -Dsonar.login=生成的密钥 -Dsonar.projectname=${JOB_NAME} -Dsonar.projectKey=${JOB_NAME} -Dsoanr.sources=./ -Dsonar.java.binaries=./target/
#sonarqube代码审计
#sonarqube代码审计
/sonar-scanner/bin/sonar-scanner #sonar-scanner路径
-Dsonar.login=生成的密钥 #SonarQube平台生成的密钥
-Dsonar.projectname=${JOB_NAME}
-Dsonar.projectKey=${JOB_NAME}
-Dsoanr.sources=./ #代码的位置
-Dsonar.java.binaries=./target/ #编出包的位置- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.