WPB-23896: Handle SonarQube yaml alerts

changelog.d/0-release-notes/WPB-23896

@@ -0,0 +1 @@
+Helm charts updates, specifying resources limit/requests.

changelog.d/5-internal/WPB-23896

@@ -0,0 +1 @@
+Fixed SonarQube Helm template formatting and RBAC issues in charts/.

charts/backoffice/templates/tests/stern-integration.yaml

@@ -8,6 +8,7 @@ metadata:
     app: stern-integration
     release: {{ .Release.Name }}
 spec:
+  automountServiceAccountToken: false
   volumes:
     - name: "stern-integration"
       configMap:
@@ -53,6 +54,8 @@ spec:
       requests:
         memory: "128Mi"
         cpu: "1"
+      limits:
+        memory: "256Mi"
     env:
     - name: TEST_XML
       value: /tmp/result.xml

charts/cassandra-migrations/templates/cassandra-certs.yaml

@@ -15,7 +15,7 @@ metadata:
 type: Opaque
 data:
   ca.pem: {{ include "tlsCaBrig" . | b64enc | quote }}
-{{- end}}
+{{- end }}
 {{- if ne (trim (include "tlsCaGalley" .)) "" }}
 ---
 apiVersion: v1
@@ -34,7 +34,7 @@ metadata:
 type: Opaque
 data:
   ca.pem: {{ include "tlsCaGalley" . | b64enc | quote }}
-{{- end}}
+{{- end }}
 {{- if ne (trim (include "tlsCaGundeck" .)) "" }}
 ---
 apiVersion: v1
@@ -53,7 +53,7 @@ metadata:
 type: Opaque
 data:
   ca.pem: {{ include "tlsCaGundeck" . | b64enc | quote }}
-{{- end}}
+{{- end }}
 {{- if ne (trim (include "tlsCaSpar" .)) "" }}
 ---
 apiVersion: v1
@@ -72,4 +72,4 @@ metadata:
 type: Opaque
 data:
   ca.pem: {{ include "tlsCaSpar" . | b64enc | quote }}
-{{- end}}
+{{- end }}

charts/elasticsearch-index/templates/elasticsearch-ca-secret.yaml

@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: "{{ include "fullname" .}}-ca"
+  name: "{{ include "fullname" . }}-ca"
   labels:
     app: elasticsearch-index
     chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}

charts/k8ssandra-test-cluster/templates/check-cluster-job.yaml

@@ -9,6 +9,7 @@ metadata:
 spec:
   template:
     spec:
+      automountServiceAccountToken: false
       containers:
       - name: cassandra
         image: cassandra:4.1.10

charts/nginx-ingress-services/templates/issuer.yaml

@@ -3,7 +3,7 @@ apiVersion: cert-manager.io/v1
 {{- if or (eq .Values.tls.issuer.kind "Issuer") (eq .Values.tls.issuer.kind "ClusterIssuer") }}
 kind: "{{ .Values.tls.issuer.kind }}"
 {{- else }}
-{{- fail (cat ".tls.issuer.kind can only be one of Issuer or ClusterIssuer, got: " .tls.issuer.kind )}}
+{{- fail (cat ".tls.issuer.kind can only be one of Issuer or ClusterIssuer, got: " .tls.issuer.kind ) }}
 {{- end }}
 metadata:
   name: {{ include "nginx-ingress-services.getIssuerName" . | quote }}
@@ -28,5 +28,5 @@ spec:
       - http01:
           ingress:
             class: nginx
-{{- end }}
 {{- end -}}
+{{- end }}

charts/nginz/templates/configmap.yaml

@@ -1,11 +1,10 @@
+{{- $nginxConf := .Values.nginx_conf }}
 
-{{- $nginx_conf := .Values.nginx_conf }}
-
-{{- if hasKey $nginx_conf "external_env_domain" }}
-  {{- $external_env_domain := $nginx_conf.external_env_domain }}
-  {{- range $nginx_conf.additional_external_env_domains }}
-    {{- if eq $external_env_domain . }}
-      {{- fail (printf "Error: external_env_domain (%s) cannot be part of additional_external_env_domains list." $external_env_domain) }}
+{{- if hasKey $nginxConf "external_env_domain" }}
+  {{- $externalEnvDomain := $nginxConf.external_env_domain }}
+  {{- range $nginxConf.additional_external_env_domains }}
+    {{- if eq $externalEnvDomain . }}
+      {{- fail (printf "Error: external_env_domain (%s) cannot be part of additional_external_env_domains list." $externalEnvDomain) }}
     {{- end }}
   {{- end }}
 {{- end }}
@@ -26,46 +25,47 @@ kind: ConfigMap
 metadata:
   name: nginz-deeplink
 data:
-  {{- if and (hasKey .Values.nginx_conf "deeplink") (hasKey .Values.nginx_conf "external_env_domain") }}
-  {{- $backendURL := .Values.nginx_conf.deeplink.endpoints.backendURL }}
-  {{- $deeplink_json := $backendURL | replace "https://" "" | trimSuffix "/" | printf "%s-deeplink.json" }}
-  {{- $deeplink_html := $backendURL | replace "https://" "" | trimSuffix "/" | printf "%s-deeplink.html" }}
-  {{ $deeplink_json }}: |
+  {{- if and (hasKey $nginxConf "deeplink") (hasKey $nginxConf "external_env_domain") }}
+  {{- $deeplinkJson := $nginxConf.deeplink.endpoints.backendURL | replace "https://" "" | trimSuffix "/" | printf "%s-deeplink.json" }}
+  {{- $deeplinkHtml := $nginxConf.deeplink.endpoints.backendURL | replace "https://" "" | trimSuffix "/" | printf "%s-deeplink.html" }}
+  {{ $deeplinkJson }}: |
     {{- $deeplink := dict
       "endpoints" (dict
-        "backendURL" .Values.nginx_conf.deeplink.endpoints.backendURL
-        "backendWSURL" .Values.nginx_conf.deeplink.endpoints.backendWSURL
-        "blackListURL" .Values.nginx_conf.deeplink.endpoints.blackListURL
-        "teamsURL" .Values.nginx_conf.deeplink.endpoints.teamsURL
-        "accountsURL" .Values.nginx_conf.deeplink.endpoints.accountsURL
-        "websiteURL" .Values.nginx_conf.deeplink.endpoints.websiteURL
+        "backendURL" $nginxConf.deeplink.endpoints.backendURL
+        "backendWSURL" $nginxConf.deeplink.endpoints.backendWSURL
+        "blackListURL" $nginxConf.deeplink.endpoints.blackListURL
+        "teamsURL" $nginxConf.deeplink.endpoints.teamsURL
+        "accountsURL" $nginxConf.deeplink.endpoints.accountsURL
+        "websiteURL" $nginxConf.deeplink.endpoints.websiteURL
       )
-      "title" .Values.nginx_conf.deeplink.title
+      "title" $nginxConf.deeplink.title
     }}
-    {{- if hasKey .Values.nginx_conf.deeplink "apiProxy" }}
+    {{- if hasKey $nginxConf.deeplink "apiProxy" }}
     {{- $_ := set $deeplink "apiProxy" (dict
-      "host" .Values.nginx_conf.deeplink.apiProxy.host
-      "port" .Values.nginx_conf.deeplink.apiProxy.port
-      "needsAuthentication" .Values.nginx_conf.deeplink.apiProxy.needsAuthentication
+      "host" $nginxConf.deeplink.apiProxy.host
+      "port" $nginxConf.deeplink.apiProxy.port
+      "needsAuthentication" $nginxConf.deeplink.apiProxy.needsAuthentication
     ) }}
     {{- end }}
     {{ toJson $deeplink | indent 4 }}
-  {{ $deeplink_html }}: |
+  {{ $deeplinkHtml }}: |
     <html>
-      <head></head>
+      <head>
+        <title>Deeplink for {{ $nginxConf.deeplink.endpoints.backendURL }}</title>
+      </head>
       <body>
-        <a href="wire://access/?config={{ .Values.nginx_conf.deeplink.endpoints.backendURL }}/deeplink.json">Click here for access</a>
+        <a href="wire://access/?config={{ $nginxConf.deeplink.endpoints.backendURL }}/deeplink.json">Click here for access</a>
       </body>
     </html>
   {{- end }}
 
-  {{- if (hasKey $nginx_conf "additional_external_env_domains") }}
-    {{- range $domain, $config := $nginx_conf.multi_ingress_deeplink }}
-      {{- if (has $domain $nginx_conf.additional_external_env_domains) }}
+  {{- if (hasKey $nginxConf "additional_external_env_domains") }}
+    {{- range $domain, $config := $nginxConf.multi_ingress_deeplink }}
+      {{- if (has $domain $nginxConf.additional_external_env_domains) }}
         {{- $backendURL := $config.endpoints.backendURL }}
-  {{- $deeplink_json := $backendURL | replace "https://" "" | trimSuffix "/" | printf "%s-deeplink.json" }}
-  {{- $deeplink_html := $backendURL | replace "https://" "" | trimSuffix "/" | printf "%s-deeplink.html" }}
-  {{ $deeplink_json }}: |
+  {{- $deeplinkJson := $backendURL | replace "https://" "" | trimSuffix "/" | printf "%s-deeplink.json" }}
+  {{- $deeplinkHtml := $backendURL | replace "https://" "" | trimSuffix "/" | printf "%s-deeplink.html" }}
+  {{ $deeplinkJson }}: |
     {{- $deeplink := dict
       "endpoints" (dict
         "backendURL" $config.endpoints.backendURL
@@ -86,7 +86,7 @@ data:
     {{- end }}
     {{ toJson $deeplink | indent 4 }}
     {{ printf "\n" }}
-  {{ $deeplink_html }}: |
+  {{ $deeplinkHtml }}: |
     <html>
       <head>
         <title>Deeplink for {{ $domain }}</title>

charts/openldap/templates/openldap.yaml

@@ -8,6 +8,7 @@ metadata:
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 spec:
+  automountServiceAccountToken: false
   topologySpreadConstraints:
     - maxSkew: 1
       topologyKey: "kubernetes.io/hostname"

charts/outlook-addin/templates/deployment.yaml

@@ -15,6 +15,7 @@ spec:
       labels:
         app: {{ include "outlook.fullname" . }}
     spec:
+      automountServiceAccountToken: false
       topologySpreadConstraints:
         - maxSkew: 1
           topologyKey: "kubernetes.io/hostname"
@@ -45,3 +46,9 @@ spec:
             httpGet:
               path: /
               port: http
+          resources:
+            requests:
+              memory: "64Mi"
+              cpu: "10m"
+            limits:
+              memory: "256Mi"

charts/wire-server/templates/background-worker/configmap.yaml

@@ -104,10 +104,10 @@ data:
     migrateConversationCodes: {{ .migrateConversationCodes }}
     migrateTeamFeatures: {{ .migrateTeamFeatures }}
     migrateConversationsOptions:
-{{toYaml .migrateConversationsOptions | indent 6 }}
+{{ toYaml .migrateConversationsOptions | indent 6 }}
 
     backendNotificationPusher:
-{{toYaml .backendNotificationPusher | indent 6 }}
+{{ toYaml .backendNotificationPusher | indent 6 }}
     {{- with .backgroundJobs }}
     backgroundJobs:
 {{ toYaml . | indent 6 }}

charts/wire-server/templates/brig/tests/brig-integration.yaml

@@ -48,12 +48,12 @@ spec:
     - name: elasticsearch-ca
       secret:
         secretName: {{ include "brig.elasticsearchTlsSecretName" .Values.brig.config }}
-    {{- end}}
+    {{- end }}
     {{- if eq (include "useCassandraTLS" .Values.brig.config.cassandra) "true" }}
     - name: "brig-cassandra"
       secret:
         secretName: {{ (include "brig.tlsSecretRef" .Values.brig.config | fromYaml).name }}
-    {{- end}}
+    {{- end }}
     {{- if .Values.brig.config.rabbitmq.tlsCaSecretRef }}
     - name: "rabbitmq-ca"
       secret:
@@ -119,7 +119,7 @@ spec:
     {{- if eq (include "brig.configureElasticSearchCa" .Values.brig.config) "true" }}
     - name: elasticsearch-ca
       mountPath: "/etc/wire/brig/elasticsearch-ca"
-    {{- end}}
+    {{- end }}
     {{- if eq (include "useCassandraTLS" .Values.brig.config.cassandra) "true" }}
     - name: "brig-cassandra"
       mountPath: "/etc/wire/brig/cassandra"

charts/wire-server/templates/cargohold/deployment.yaml

@@ -28,6 +28,7 @@ spec:
         checksum/secret: {{ include (print .Template.BasePath "/cargohold/secret.yaml") . | sha256sum }}
     spec:
       serviceAccountName: {{ .Values.cargohold.serviceAccount.name }}
+      automountServiceAccountToken: false
       topologySpreadConstraints:
         - maxSkew: 1
           topologyKey: "kubernetes.io/hostname"

charts/wire-server/templates/galley/configmap.yaml

@@ -85,7 +85,7 @@ data:
       {{- else if .settings.multiIngress }}
       multiIngress: {{- toYaml .settings.multiIngress | nindent 8 }}
       {{- else }}
-      {{ fail "Either settings.conversationCodeURI or settings.multiIngress have to be set"}}
+      {{ fail "Either settings.conversationCodeURI or settings.multiIngress have to be set" }}
       {{- end }}
       {{- if (and .settings.conversationCodeURI .settings.multiIngress) }}
       {{ fail "settings.conversationCodeURI and settings.multiIngress are mutually exclusive" }}

charts/wire-server/templates/gundeck/configmap.yaml

@@ -48,7 +48,7 @@ data:
       enableTls: {{ .redis.enableTls }}
       insecureSkipVerifyTls: {{ .redis.insecureSkipVerifyTls }}
       {{- if eq (include "gundeck.configureRedisCa" .) "true" }}
-      tlsCa: /etc/wire/gundeck/redis-ca/{{ include "gundeck.redisTlsSecretKey" .}}
+      tlsCa: /etc/wire/gundeck/redis-ca/{{ include "gundeck.redisTlsSecretKey" . }}
       {{- end }}
 
     {{- if .redisAdditionalWrite }}
@@ -59,7 +59,7 @@ data:
       enableTls: {{ .redisAdditionalWrite.enableTls }}
       insecureSkipVerifyTls: {{ .redisAdditionalWrite.insecureSkipVerifyTls }}
       {{- if eq (include "gundeck.configureAdditionalRedisCa" .) "true" }}
-      tlsCa: /etc/wire/gundeck/additional-redis-ca/{{ include "gundeck.additionalRedisTlsSecretKey" .}}
+      tlsCa: /etc/wire/gundeck/additional-redis-ca/{{ include "gundeck.additionalRedisTlsSecretKey" . }}
       {{- end }}
     {{- end }}
 

charts/wire-server/templates/gundeck/deployment.yaml

@@ -49,7 +49,7 @@ spec:
         - name: "gundeck-cassandra"
           secret:
             secretName: {{ (include "gundeck.tlsSecretRef" .Values.gundeck.config | fromYaml).name }}
-        {{- end}}
+        {{- end }}
         {{- if eq (include "gundeck.configureRedisCa" .Values.gundeck.config) "true" }}
         - name: "redis-ca"
           secret:

charts/wire-server/templates/gundeck/tests/gundeck-integration.yaml

@@ -17,7 +17,7 @@ spec:
     - name: "gundeck-cassandra"
       secret:
         secretName: {{ (include "gundeck.tlsSecretRef" .Values.gundeck.config | fromYaml).name }}
-    {{- end}}
+    {{- end }}
     {{- if eq (include "gundeck.configureRedisCa" .Values.gundeck.config) "true" }}
     - name: "redis-ca"
       secret:

charts/wire-server/templates/spar/tests/spar-integration.yaml

@@ -20,7 +20,7 @@ spec:
     - name: "spar-cassandra"
       secret:
         secretName: {{ (include "spar.tlsSecretRef" .Values.spar.config | fromYaml).name }}
-    {{- end}}
+    {{- end }}
   containers:
   - name: integration
     image: "{{ .Values.spar.image.repository }}-integration:{{ .Values.spar.image.tag }}"