add sonarqube

2026-04-27 21:52:01 +07:00
parent 142dd15922
commit e42544c877
256 changed files with 12484 additions and 0 deletions
--- a/manifest/sonarqube/charts/ingress-nginx/tests/admission-webhooks/cert-manager_test.yaml
+++ b/manifest/sonarqube/charts/ingress-nginx/tests/admission-webhooks/cert-manager_test.yaml
@@ -0,0 +1,34 @@
+suite: Admission Webhooks > CertManager
+templates:
+  - admission-webhooks/cert-manager.yaml
+
+tests:
+  - it: should not create a Certificate if `controller.admissionWebhooks.certManager.enabled` is false
+    set:
+      controller.admissionWebhooks.certManager.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should create a Certificate if `controller.admissionWebhooks.certManager.enabled` is true
+    set:
+      controller.admissionWebhooks.certManager.enabled: true
+      controller.admissionWebhooks.certManager.issuerRef: ingress-nginx-issuer
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: Certificate
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-ingress-nginx-admission
+
+  - it: should create a Certificate with `revisionHistoryLimit` if `controller.admissionWebhooks.certManager.admissionCert.revisionHistoryLimit` is set
+    set:
+      controller.admissionWebhooks.certManager.enabled: true
+      controller.admissionWebhooks.certManager.issuerRef: ingress-nginx-issuer
+      controller.admissionWebhooks.certManager.admissionCert.revisionHistoryLimit: 3
+    asserts:
+      - equal:
+          path: spec.revisionHistoryLimit
+          value: 3
--- a/manifest/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml
+++ b/manifest/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml
@@ -0,0 +1,11 @@
+suite: Admission Webhooks > Patch Job > ClusterRole
+templates:
+  - admission-webhooks/job-patch/clusterrole.yaml
+
+tests:
+  - it: should not create a ClusterRole if `controller.admissionWebhooks.patch.rbac.create` is false
+    set:
+      controller.admissionWebhooks.patch.rbac.create: false
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/manifest/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml
+++ b/manifest/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml
@@ -0,0 +1,11 @@
+suite: Admission Webhooks > Patch Job > ClusterRoleBinding
+templates:
+  - admission-webhooks/job-patch/clusterrolebinding.yaml
+
+tests:
+  - it: should not create a ClusterRoleBinding if `controller.admissionWebhooks.patch.rbac.create` is false
+    set:
+      controller.admissionWebhooks.patch.rbac.create: false
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/manifest/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml
+++ b/manifest/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-createSecret_test.yaml
@@ -0,0 +1,78 @@
+suite: Admission Webhooks > Patch Job > Create Secret Job
+templates:
+  - admission-webhooks/job-patch/job-createSecret.yaml
+
+tests:
+  - it: should create a Job with token auto-mounting disabled if `controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken` is false
+    set:
+      controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: false
+
+  - it: should create a Job with `activeDeadlineSeconds` if `controller.admissionWebhooks.createSecretJob.activeDeadlineSeconds ` is set
+    set:
+      controller.admissionWebhooks.createSecretJob.activeDeadlineSeconds: 1
+    asserts:
+      - equal:
+          path: spec.activeDeadlineSeconds
+          value: 1
+
+  - it: should create a Job with custom volumes and volume mounts if `controller.admissionWebhooks.createSecretJob.volumes` and `controller.admissionWebhooks.createSecretJob.volumeMounts` are set
+    set:
+      controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false
+      controller.admissionWebhooks.createSecretJob.volumeMounts:
+        - name: kube-api-access
+          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          readOnly: true
+      controller.admissionWebhooks.createSecretJob.volumes:
+        - name: kube-api-access
+          projected:
+            defaultMode: 0444
+            sources:
+              - serviceAccountToken:
+                  path: token
+                  expirationSeconds: 3600
+              - configMap:
+                  name: kube-root-ca.crt
+                  items:
+                    - key: ca.crt
+                      path: ca.crt
+              - downwardAPI:
+                  items:
+                    - path: namespace
+                      fieldRef:
+                        apiVersion: v1
+                        fieldPath: metadata.namespace
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: false
+      - equal:
+          path: spec.template.spec.containers[0].volumeMounts
+          value:
+            - name: kube-api-access
+              mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+              readOnly: true
+      - equal:
+          path: spec.template.spec.volumes
+          value:
+            - name: kube-api-access
+              projected:
+                defaultMode: 0444
+                sources:
+                  - serviceAccountToken:
+                      path: token
+                      expirationSeconds: 3600
+                  - configMap:
+                      name: kube-root-ca.crt
+                      items:
+                        - key: ca.crt
+                          path: ca.crt
+                  - downwardAPI:
+                      items:
+                        - path: namespace
+                          fieldRef:
+                            apiVersion: v1
+                            fieldPath: metadata.namespace
--- a/manifest/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml
+++ b/manifest/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/job-patchWebhook_test.yaml
@@ -0,0 +1,78 @@
+suite: Admission Webhooks > Patch Job > Patch Webhook Job
+templates:
+  - admission-webhooks/job-patch/job-patchWebhook.yaml
+
+tests:
+  - it: should create a Job with token auto-mounting disabled if `controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken` is false
+    set:
+      controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: false
+
+  - it: should create a Job with `activeDeadlineSeconds` if `controller.admissionWebhooks.patchWebhookJob.activeDeadlineSeconds ` is set
+    set:
+      controller.admissionWebhooks.patchWebhookJob.activeDeadlineSeconds: 1
+    asserts:
+      - equal:
+          path: spec.activeDeadlineSeconds
+          value: 1
+
+  - it: should create a Job with custom volumes and volume mounts if `controller.admissionWebhooks.patchWebhookJob.volumes` and `controller.admissionWebhooks.patchWebhookJob.volumeMounts` are set
+    set:
+      controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false
+      controller.admissionWebhooks.patchWebhookJob.volumeMounts:
+        - name: kube-api-access
+          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          readOnly: true
+      controller.admissionWebhooks.patchWebhookJob.volumes:
+        - name: kube-api-access
+          projected:
+            defaultMode: 0444
+            sources:
+              - serviceAccountToken:
+                  path: token
+                  expirationSeconds: 3600
+              - configMap:
+                  name: kube-root-ca.crt
+                  items:
+                    - key: ca.crt
+                      path: ca.crt
+              - downwardAPI:
+                  items:
+                    - path: namespace
+                      fieldRef:
+                        apiVersion: v1
+                        fieldPath: metadata.namespace
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: false
+      - equal:
+          path: spec.template.spec.containers[0].volumeMounts
+          value:
+            - name: kube-api-access
+              mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+              readOnly: true
+      - equal:
+          path: spec.template.spec.volumes
+          value:
+            - name: kube-api-access
+              projected:
+                defaultMode: 0444
+                sources:
+                  - serviceAccountToken:
+                      path: token
+                      expirationSeconds: 3600
+                  - configMap:
+                      name: kube-root-ca.crt
+                      items:
+                        - key: ca.crt
+                          path: ca.crt
+                  - downwardAPI:
+                      items:
+                        - path: namespace
+                          fieldRef:
+                            apiVersion: v1
+                            fieldPath: metadata.namespace
--- a/manifest/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml
+++ b/manifest/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml
@@ -0,0 +1,11 @@
+suite: Admission Webhooks > Patch Job > Role
+templates:
+  - admission-webhooks/job-patch/role.yaml
+
+tests:
+  - it: should not create a Role if `controller.admissionWebhooks.patch.rbac.create` is false
+    set:
+      controller.admissionWebhooks.patch.rbac.create: false
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/manifest/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml
+++ b/manifest/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml
@@ -0,0 +1,11 @@
+suite: Admission Webhooks > Patch Job > RoleBinding
+templates:
+  - admission-webhooks/job-patch/rolebinding.yaml
+
+tests:
+  - it: should not create a RoleBinding if `controller.admissionWebhooks.patch.rbac.create` is false
+    set:
+      controller.admissionWebhooks.patch.rbac.create: false
+    asserts:
+      - hasDocuments:
+          count: 0
--- a/manifest/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml
+++ b/manifest/sonarqube/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml
@@ -0,0 +1,47 @@
+suite: Admission Webhooks > Patch Job > ServiceAccount
+templates:
+  - admission-webhooks/job-patch/serviceaccount.yaml
+
+tests:
+  - it: should not create a ServiceAccount if `controller.admissionWebhooks.patch.serviceAccount.create` is false
+    set:
+      controller.admissionWebhooks.patch.serviceAccount.create: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should create a ServiceAccount if `controller.admissionWebhooks.patch.serviceAccount.create` is true
+    set:
+      controller.admissionWebhooks.patch.serviceAccount.create: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: ServiceAccount
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-ingress-nginx-admission
+
+  - it: should create a ServiceAccount with specified name if `controller.admissionWebhooks.patch.serviceAccount.name` is set
+    set:
+      controller.admissionWebhooks.patch.serviceAccount.name: ingress-nginx-admission-test-sa
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: ServiceAccount
+      - equal:
+          path: metadata.name
+          value: ingress-nginx-admission-test-sa
+
+  - it: should create a ServiceAccount with token auto-mounting disabled if `controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken` is false
+    set:
+      controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: ServiceAccount
+      - equal:
+          path: automountServiceAccountToken
+          value: false
--- a/manifest/sonarqube/charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml
+++ b/manifest/sonarqube/charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml
@@ -0,0 +1,32 @@
+suite: Admission Webhooks > ValidatingWebhookConfiguration
+templates:
+  - admission-webhooks/validating-webhook.yaml
+
+tests:
+  - it: should not create a ValidatingWebhookConfiguration if `controller.admissionWebhooks.enabled` is false
+    set:
+      controller.admissionWebhooks.enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0
+
+  - it: should create a ValidatingWebhookConfiguration if `controller.admissionWebhooks.enabled` is true
+    set:
+      controller.admissionWebhooks.enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: ValidatingWebhookConfiguration
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-ingress-nginx-admission
+
+  - it: should create a ValidatingWebhookConfiguration with a custom port if `controller.admissionWebhooks.service.servicePort` is set
+    set:
+      controller.admissionWebhooks.enabled: true
+      controller.admissionWebhooks.service.servicePort: 9443
+    asserts:
+      - equal:
+          path: webhooks[0].clientConfig.service.port
+          value: 9443