Background:

A CI/CD process should run a static scan of the code first and only then scan the built image; the two steps are independent of each other anyway. So installing and integrating SonarQube struck me as a good thing to study.

Installing SonarQube with Helm

Following the official documentation: docs.sonarqube.org/8.9/setup/s…

Add the Helm repo

[root@k8s-master-01 helm]# helm repo add sonarqube https://SonarSource.github.io/helm-chart-sonarqube
[root@k8s-master-01 helm]# helm repo update

Fetch the chart package locally

[root@k8s-master-01 helm]# helm search repo sonarqube
[root@k8s-master-01 helm]# helm fetch sonarqube/sonarqube-lts

No luck: the download is blocked (the Great Firewall again), so as last time I downloaded the chart manually and uploaded it to the server with rz.

Unpack the tgz and edit values.yaml

[root@k8s-master-01 helm]# tar zxvf sonarqube-lts-1.0.20+140.tgz

In values.yaml, change the storageClass under persistence to one that actually exists in the cluster.

Install SonarQube into the kube-ops namespace with helm install

[root@k8s-master-01 sonarqube-lts]# helm install sonarqube -f values.yaml  . -n kube-ops

[root@k8s-master-01 anchore-engine1]# kubectl get svc -n kube-ops
[root@k8s-master-01 anchore-engine1]# kubectl get pods -n kube-ops

Exposing SonarQube through an Ingress

The Ingress uses Traefik; see my earlier post, Installing Traefik on Kubernetes 1.20.5 in Tencent Cloud, for details. Note that the manifest below binds the router to the web entrypoint, i.e. plain HTTP, so the admin password and any tokens typed into the browser cross the network unencrypted; outside a lab, terminate TLS and switch the router to the websecure entrypoint.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sonarqube-sonarqube-lts
  namespace: kube-ops
  annotations:
    kubernetes.io/ingress.class: traefik  
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
  - host: sonarqube.xxxx.com
    http:
     paths:
     - pathType: Prefix
       path: /
       backend:
          service:
            name:  sonarqube-sonarqube-lts
            port:
              number: 9000

Logging in to the SonarQube web UI

The default username and password are admin/admin (masked in my screenshots); I changed the password straight away. Then the Chinese language pack. Honestly, I think switching the UI to Chinese is a bad idea; unless you really need it, stay with English. The plugin download may fail from inside the cluster (the pod log shows where it stalls). In that case download the plugin jar manually, copy it into the pod with kubectl cp under /opt/sonarqube/extensions/plugins, and restart the service; the restart can be triggered from the web UI. The new version also seems to install the scan plugin for the default language on its own. In my case the online installation succeeded after a few retries and prompted for a restart; after restarting the server and logging in again, the language switched to Chinese.

Integrating SonarQube with Jenkins

Reference: docs.sonarqube.org/latest/anal…

Create a SonarQube user token. Generate it for the account Jenkins will use; a dedicated analysis account is preferable to admin, because the token inherits every permission of the account it belongs to.

Save the token in Jenkins as a Secret text credential.

Install the SonarQube Scanner plugin in Jenkins.

Configure the SonarQube server in Jenkins

Go to Manage Jenkins > Configure System, scroll down to the SonarQube servers section, click Add SonarQube, fill in the server name and URL, and select the token credential created above.

Copying the sonar-gitlab-plugin jar into the pod and listing the plugin directory:

[root@k8s-master-01 anchore-engine1]# kubectl cp sonar-gitlab-plugin-4.1.0-SNAPSHOT.jar sonarqube-sonarqube-lts-0:/opt/sonarqube/lib/extensions/sonar-gitlab-plugin-4.1.0-SNAPSHOT.jar -n kube-ops
Defaulted container "sonarqube-lts" out of: sonarqube-lts, wait-for-db (init), init-sysctl (init), inject-prometheus-exporter (init)
[root@k8s-master-01 anchore-engine1]# kubectl exec -it sonarqube-sonarqube-lts-0 bash -n kube-ops
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
Defaulted container "sonarqube-lts" out of: sonarqube-lts, wait-for-db (init), init-sysctl (init), inject-prometheus-exporter (init)
bash-5.0$ cd /opt/sonarqube/lib/extensions/
bash-5.0$ ls
sonar-csharp-plugin-8.22.0.31243.jar    sonar-go-plugin-1.8.3.2219.jar      sonar-javascript-plugin-7.4.4.15624.jar
sonar-ruby-plugin-1.8.3.2219.jar        sonar-css-plugin-1.4.2.2002.jar     sonar-html-plugin-3.4.0.2754.jar
sonar-kotlin-plugin-1.8.3.2219.jar      sonar-scala-plugin-1.8.3.2219.jar   sonar-flex-plugin-2.6.1.2564.jar
sonar-jacoco-plugin-1.1.1.1157.jar      sonar-php-plugin-3.17.0.7439.jar    sonar-vbnet-plugin-8.22.0.31243.jar
sonar-gitlab-plugin-4.1.0-SNAPSHOT.jar  sonar-java-plugin-6.15.1.26025.jar  sonar-python-plugin-3.4.1.8066.jar
sonar-xml-plugin-2.2.0.2973.jar

Two caveats: /opt/sonarqube/lib/extensions holds the plugins bundled with the image, while third-party plugins such as this one belong in /opt/sonarqube/extensions/plugins (the directory mentioned above); and a jar copied into a running pod survives a pod restart only if that directory is backed by the persistent volume.

My Jenkins build node

My Jenkins runs inside the Kubernetes cluster, and the cluster's CRI is containerd, so there is no Docker daemon to build with. I therefore set up a separate server with Docker as a build node, connected to Jenkins as a JNLP agent (the agent jar is started on the host). The node is labelled build01 and the build tools live under /data/ci/buildtools; adjust the name and path to your own. Whichever mirror you fetch the scanner from, compare it with the .sha256/.asc files SonarSource publishes next to the zip before unpacking it.

[root@k8s-node-06 buildtools]# pwd
/data/ci/buildtools
[root@k8s-node-06 buildtools]# wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip
[root@k8s-node-06 buildtools]# unzip sonar-scanner-cli-4.6.2.2472-linux.zip
[root@k8s-node-06 buildtools]# mv sonar-scanner-cli-4.6.2.2472-linux sonar-scanner

Add the scanner to the environment in /etc/profile

vim /etc/profile

export SONAR_SCANNER_HOME=/data/ci/buildtools/sonar-scanner
export PATH=$SONAR_SCANNER_HOME/bin:$PATH

source /etc/profile 

The sonar-scanner distribution bundles its own JRE (Java 11), while my code is Java 8, so I changed use_embedded_jre=true to use_embedded_jre=false in sonar-scanner/bin/sonar-scanner so that the scanner runs on the system Java instead. This assumes Java 8 is already installed on the build server and configured in /etc/profile, which it is, since the Jenkins agent has been running there for a while. (Strictly, the JVM the scanner runs on and the source level of the code being analysed are separate things; the latter is set with sonar.java.source.)

SonarQube pipeline demo

A Java demo

Repository and test code in GitLab

Generate a jar project at start.spring.io, download it and push it to your own GitLab repository: Gitlab.xxxx.com/devops/devo… I added a Jenkinsfile to it as well; you could equally put the script straight into a Jenkins Pipeline job.

def buildTools = ["maven": "/usr/local/maven/", "sonar": "/data/ci/buildtools/sonar-scanner/"]

pipeline {
    agent { label "build01" }
    options { skipDefaultCheckout true }
    stages {
        stage("GetCode") {
            steps {
                script {
                    println("download code --> branch: ${env.branchName}")
                    checkout([$class: 'GitSCM',
                              branches: [[name: "${env.branchName}"]],
                              extensions: [],
                              userRemoteConfigs: [[credentialsId: 'gitlab-admin-user', url: "${env.gitHttpURL}"]]])
                }
            }
        }
        stage("Build") {
            steps {
                script {
                    // sh "/usr/local/maven/bin/mvn clean package"
                    sh "${buildTools["maven"]}/bin/mvn clean package"
                }
            }
        }
        stage("SonarScanForPlugin") {
            steps {
                script {
                    // withSonarQubeEnv injects the URL and token of the server configured
                    // as "sonarqube-1" under Manage Jenkins, so none of it lives in the repo
                    withSonarQubeEnv("sonarqube-1") {
                        def sonarDate = sh(returnStdout: true, script: 'date +%Y%m%d%H%M%S').trim()
                        // sonar.java.surefire.report is not a property SonarJava reads;
                        // sonar.junit.reportPaths is the one that imports surefire XML
                        sh """
                        ${buildTools["sonar"]}/bin/sonar-scanner \
                          -Dsonar.projectKey=${JOB_NAME} \
                          -Dsonar.projectName=${JOB_NAME} \
                          -Dsonar.projectVersion=${sonarDate} \
                          -Dsonar.ws.timeout=30 \
                          -Dsonar.projectDescription="my test project" \
                          -Dsonar.links.homepage=http://www.baidu.com \
                          -Dsonar.sources=src \
                          -Dsonar.sourceEncoding=UTF-8 \
                          -Dsonar.java.binaries=target/classes \
                          -Dsonar.java.test.binaries=target/test-classes \
                          -Dsonar.junit.reportPaths=target/surefire-reports
                        """
                    }
                }
            }
        }
        stage("UnitTest") {
            steps {
                script {
                    sh "${buildTools["maven"]}/bin/mvn test"
                }
            }
            post {
                success {
                    script {
                        junit 'target/surefire-reports/*.xml'
                    }
                }
            }
        }
    }
    post {
        always {
            script { echo "always......" }
        }
        success {
            script { echo "success....." }
        }
    }
}

About the Jenkins job

The Jenkinsfile is parameterized (branchName and gitHttpURL are build parameters), and note that the GitLab default branch is called main, not master. Also note:

Running the build

After the build finished I found a problem: when configuring the SonarQube server in Jenkins I had entered the in-cluster internal address, so the link to the analysis on the build page could not be opened from outside the cluster. I therefore changed the server configuration to the public address. (Whatever address Jenkins is pointed at is also where the scanner sends the analysis token, one more reason to front SonarQube with HTTPS.)

There is not much to see in an empty demo, so this is just a run-through. I will look at tuning the integration later, because my own projects are multi-module aggregator projects and I still need to work out how to handle those.

PHP project

Most of my other projects are in PHP. This repository has 7 or 8 sub-projects in it, which I normally build with a parameterized job. Here is one of them as a test:

def buildTools = ["maven": "/usr/local/maven/", "sonar": "/data/ci/buildtools/sonar-scanner/"]

pipeline {
    agent { label "build01" }
    stages {
        stage("GetCode") {
            agent { label "build01" }
            steps {
                script {
                    println("download code --> branch: ${env.branchName}")
                    // shallow clone (depth 1) to keep checkout of the large repo fast
                    checkout([$class: 'GitSCM',
                              branches: [[name: "${env.branchName}"]],
                              doGenerateSubmoduleConfigurations: false,
                              extensions: [[$class: 'CloneOption', depth: 1, noTags: false, reference: '', shallow: true]],
                              submoduleCfg: [],
                              userRemoteConfigs: [[credentialsId: 'xxxxx', url: "${env.gitHttpURL}"]]])
                }
            }
        }
        stage("SonarScanForPlugin") {
            agent { label "build01" }
            // the stage only runs when the matching build parameter is set to true
            when { environment name: 'xxxx', value: 'true' }
            steps {
                script {
                    withSonarQubeEnv("sonarqube-1") {
                        def sonarDate = sh(returnStdout: true, script: 'date +%Y%m%d%H%M%S').trim()
                        sh """
                        cd xxxx/html
                        ${buildTools["sonar"]}/bin/sonar-scanner \
                          -Dsonar.projectKey=${JOB_NAME}-xxxxx \
                          -Dsonar.projectName=${JOB_NAME}-xxxx \
                          -Dsonar.projectVersion=${sonarDate} \
                          -Dsonar.ws.timeout=30 \
                          -Dsonar.language=php \
                          -Dsonar.projectDescription="my php project" \
                          -Dsonar.sources=. \
                          -Dsonar.sourceEncoding=UTF-8
                        """
                    }
                }
            }
        }
        stage('docker build laya-maker') {
            agent { label "build01" }
            when { environment name: 'xxxx', value: 'true' }
            steps {
                // $data is the image tag supplied by the job's parameters
                sh "cd laya-maker && docker build -t ccr.ccs.tencentyun.com/xxxxx/xxxx:$data ."
                withCredentials([usernamePassword(credentialsId: 'xxxxx',
                                                  passwordVariable: 'dockerPassword',
                                                  usernameVariable: 'dockerUser')]) {
                    // Single-quoted so Groovy does not interpolate the secret into the command
                    // string; the shell reads it from the environment, and --password-stdin keeps
                    // it out of the process list instead of passing it with -p
                    sh 'echo "$dockerPassword" | docker login -u "$dockerUser" --password-stdin ccr.ccs.tencentyun.com'
                    sh "docker push ccr.ccs.tencentyun.com/xxxxx/xxxx:$data"
                }
            }
        }
    }
}

The run looks roughly like this. A little confusing, haha. At a glance the issues it found are basically negligible. When I have time I will look into using it in more depth.
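Neither pipeline above acts on the result of the scan: the Java job simply ends with a link to the report, and the PHP job goes on to build and push the image whether or not the analysis passed, which defeats the "scan the code before you scan the image" idea from the background section. The stage sequence below is an added example, not code from the original post or from the SonarQube project. It keeps the post's server name `sonarqube-1`, agent label `build01`, scanner path and registry placeholders, tags the image with the Jenkins build number instead of the post's `$data` parameter, and assumes that SonarQube has a webhook pointing at `<jenkins-url>/sonarqube-webhook/` (Administration > Configuration > Webhooks), which is what `waitForQualityGate` relies on.

```groovy
// Added example (not from the original post): scan, then block on the SonarQube quality
// gate and refuse to build or push an image from a commit whose gate is red.
def buildTools = ["sonar": "/data/ci/buildtools/sonar-scanner/"]

pipeline {
    agent { label "build01" }
    stages {
        stage("SonarScan") {
            steps {
                script {
                    // withSonarQubeEnv injects SONAR_HOST_URL and the token stored in Jenkins
                    // credentials for the server named "sonarqube-1", and records the analysis
                    // task id so waitForQualityGate can find it afterwards.
                    withSonarQubeEnv("sonarqube-1") {
                        def version = sh(returnStdout: true, script: 'date +%Y%m%d%H%M%S').trim()
                        sh """
                        ${buildTools["sonar"]}/bin/sonar-scanner \
                          -Dsonar.projectKey=${JOB_NAME} \
                          -Dsonar.projectName=${JOB_NAME} \
                          -Dsonar.projectVersion=${version} \
                          -Dsonar.sources=. \
                          -Dsonar.sourceEncoding=UTF-8
                        """
                    }
                }
            }
        }
        stage("QualityGate") {
            steps {
                // The scanner exits as soon as the report is uploaded; the gate is computed
                // asynchronously on the server. waitForQualityGate blocks until SonarQube calls
                // the Jenkins webhook (or the timeout expires) and returns the gate status.
                timeout(time: 10, unit: 'MINUTES') {
                    script {
                        def qg = waitForQualityGate()
                        if (qg.status != 'OK') {
                            error "SonarQube quality gate is ${qg.status}; not building an image from this commit"
                        }
                    }
                }
            }
        }
        stage("DockerBuild") {
            // Only reached when the gate passed; an aborted pipeline never gets here.
            steps {
                sh "docker build -t ccr.ccs.tencentyun.com/xxxxx/xxxx:${BUILD_NUMBER} ."
                withCredentials([usernamePassword(credentialsId: 'xxxxx',
                                                  usernameVariable: 'dockerUser',
                                                  passwordVariable: 'dockerPassword')]) {
                    // Single-quoted: the secret stays in the environment rather than being
                    // interpolated into the command, and --password-stdin keeps it out of ps.
                    sh 'echo "$dockerPassword" | docker login -u "$dockerUser" --password-stdin ccr.ccs.tencentyun.com'
                    sh "docker push ccr.ccs.tencentyun.com/xxxxx/xxxx:${BUILD_NUMBER}"
                }
            }
        }
    }
}
```

If the webhook cannot reach Jenkins (for instance when Jenkins sits behind the same firewall problems as the Helm fetch above), the same effect is available without it: pass `-Dsonar.qualitygate.wait=true` to sonar-scanner (supported since SonarQube 8.1, so it works with the 8.9 LTS installed here) and the scanner itself polls the server and exits non-zero when the gate fails, which makes the `sh` step and therefore the stage fail before the build stage is reached.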

Now for something more interesting

A while ago, out of boredom, I read through some Java code other people had written and found handlers mapped with method = {RequestMethod.GET, RequestMethod.POST}. SonarQube rule S3752 flags exactly this pattern as security-sensitive: a handler that accepts both a safe method (GET) and an unsafe one (POST) can be triggered by a plain link or image tag, and Spring Security's CSRF filter does not check GET requests at all, so a state-changing endpoint should declare only the method it actually needs. That code was not written to any standard... forgive us, we are self-taught. I could not keep reading.

Conclusion:

This article was mostly about installation and configuration. Real-world use still needs more study, and I hope readers can share more practical examples I can learn from.